242 A Practical Guide to Security Assessments
• Security Policies — e.g., value of security policies
• Architecture — e.g., network, firewalls
• Security Services and Procedures — e.g., authentication, access, confidentiality
• Security Incident Handling — e.g., preparing and handling an incident,
roles and responsibilities
• Tools — a list of tools that might be useful for security purposes
In each of the areas listed above, RFC 2196 provides best-practice requirements
that can be incorporated into an information security program. The requirements
range from high-level to fairly technical areas. For example, there are nontechnical
sections such as legal considerations related to collection of audit data or the use of
one-time passwords.
USE IN A SECURITY ASSESSMENT
RFC 2196 is a good resource for understanding some of the technical aspects of
security architecture and key security processes without getting into the specifics of
any one vendor's technology. As most security assessments have a technical component, some elements of RFC 2196 can be particularly useful when developing
questions and actually conducting a security assessment. RFC 2196 is a good
complement to standards such as ISO 17799 and the ITIL Security Management
standards, helping to achieve a good mix of technical and nontechnical aspects of
security.
OTHER RESOURCES
Besides the standards discussed in this chapter, some other resources are worth
consulting during the course of a security assessment. Although these are not necessarily standards, they provide good current information and are worth taking into
account when conducting a security assessment.
SANS (SYSADMIN, AUDIT, NETWORK, SECURITY)/FBI (FEDERAL BUREAU OF INVESTIGATION) TOP 20 LIST
SANS, a premier provider of security training for security professionals, collaborates
with the Federal Bureau of Investigation (FBI) to develop and maintain a list of the
top 20 vulnerabilities based on information these organizations receive from a
number of resources. This list, located at http://www.sans.org/top20/ on the Internet
and updated on a regular basis, contains the top 10 vulnerabilities for both Windows
and Unix systems that can be deemed critical, requiring that they be addressed
immediately. The list includes information about the nature of the vulnerabilities
and step-by-step instructions on how to fix them. The step-by-step instructions
contain actual commands as well as links to other Web sites where relevant service
packs and patches might be located.