A Practical Guide to Security Assessments
the firewall. Unless the company is a small or mid-size company where the rule base is relatively simple, security or IT personnel will not generally know the rules that exist. In both examples, personnel are usually not familiar with the details, and therefore detailed testing is required. In the case of the firewall, it is probably a key component of the network security architecture. Without reviewing the rule base, it is very difficult to get a clear picture of what the actual rules are. The client might know some of the rules but not know other, more obscure, rules that present significant security risks. In fact, there are rules that the client might not even be aware of. You would not know about this unless you look at the details.
Test Planning and Related Considerations
As you test any type of technology, you should have some plan of what you are testing for. In planning the test, you should consider these issues:
• Impact on the production environment — Much of the hands-on testing will be conducted in a client’s production environment, which will understandably make some clients very nervous. They do not want their environment to go down because of the security assessment. In consideration of the production environment, you should properly analyze what is going to happen on the network if you run your tests. The impacts could include slowing down the network or triggering alerts on an intrusion detection system. Your testing might also have no impact. If an impact on the network’s speed is expected, consider conducting the testing during off hours if appropriate. Other considerations related to the production environment include whether or not any agents or similar software will have to be loaded into the production environment. Finally, when testing in the production environment, you may have some type of administrator-level access that allows you to reach sensitive information. If the client is nervous about this, you should encourage the client to look over your shoulder as you perform the tests.
• Sign-off or release from the client — If you are working in the production environment, you should have the client acknowledge and approve it. This can be done via a separate form or can be covered when the initial security assessment is signed. This process will differ if internal employees are conducting the assessment. There might also be an internal policy that covers this process of auditing production systems. If such a policy exists, it should be adhered to. With the dependency on systems today, you must protect yourself, and the client should also be aware of the responsibility involved in making the right judgment as it relates to any testing being done on the production system.
• Access requirements — Many of the tools that are used for testing require administrator-type access on systems to run the test. With proper planning, the client can set up temporary access for you to use. If the client knows of this requirement in advance, the approvals required to set up this access
AU1706_book.fm Page 180 Tuesday, August 17, 2004 11:02 AM