Index
A
Abuse database check, 120
Access control
logs, 168, 169
methodologies, 236, 255
policy, 85
Account administration, 35
Address space scan, 251
Air Snort
Analysis report, 17
Anonymous proxy service, 105
Antivirus product, 105
Application(s)
design, 71
development, threat analysis and, 63
discovery tools, 128
examination, 25, 27
security, 244
servers, 71
tools, 109, 146
Assessment tasks
bottom-up, 24, 49, 50
top-down, 22
Asset(s)
classification policy, 78, 84
inventory of, 53
protection management, 66
Astalavista Web site, 95
Attack(s)
denial-of-service, 36, 38, 253
hack, 40
Land, 177
password, 41
signatures, sniffing for, 156
sniffing, 41
splicing, 41
spoofing, 41
zero-information-based, 251
Attrition, 96
attrition.org Web site, 97
Auction site, online, 39
Audit, 70
local system, 148
logs, 169, 174
threat analysis and, 63
Authentication, 178
Authorization software, 179
Availability, ISO 17799 definition of, 49
B
Backup recovery guidelines, 166
BCP, see Business continuity planning
BIA, see Business impact analysis
BidBay, 39
Bottom-up methodology, see Technical methodology
Brute-force password cracker, 140
Brutus, 146, 147
Bug tracking information, online, 76
Business
continuity
management process, 57
planning (BCP), 84, 174, 184, 255
-critical data, protection of, 162
harm, 43
impact analysis (BIA), 73
unit management, 14
282 Managing Network Vulnerability Assessment
C
Cabling security, 53
Capacity planning, 56
Career-limiting move, 92
CBK, see Common Body of Knowledge
Cerberus Internet Scanner (CIS), 143, 144
CERT Coordination Center, 33, 40
Certified Information Systems Security Professional (CISSP), 51
CheckPoint’s Firewall-1 product, 180
Cheops, 132
Chinese wall, 89, 108
CIAC, see Computer Incident Advisory Capability
CIS, see Cerberus Internet Scanner
Cisco
devices, 155
management tools, 125
Secure Scanner, 137
CISSP, see Certified Information Systems Security Professional
Cleartext, passwords in, 176
Client liaison, 59
Clock synchronization, 56
Code Red, 7, 37, 93
Cold Fusion, 246
Common Body of Knowledge (CBK), 106
Common Criteria standards, 106
Communication control, 44
Company documents, 160
Compliance, 83
Computer
breaches, financial losses due to, 36
Incident Advisory Capability (CIAC), 33, 40
incident response team, 181
systems, threats to, 35
Computer Security Institute (CSI), 35, 46
Confidentiality, ISO 17799 definition of, 49
Configuration audit, 25, 26
Connection time, limitation of, 57
Consulting companies, abused offerings from, 11
Cookies, 105, 146
Copernic Basic, 112
Coroner’s Toolkit, 150
Countermeasure, definition of, 184
Crackers, 38
Critical data, definition of, 184
Cryptography, 25, 27, 255
CSI, see Computer Security Institute
CyberCop, 135
D
Data
classification, definition of, 184
collection, 59, 165
confidentiality, 178
critical, definition of, 184
management, 71
protection, 257
sensitive, definition of, 184
storage
assessment of, 182
secure, 70
Decision-making process, due diligence performed during, 1
Decoy scanning, 127
Denial-of-service (DoS)
attack, 36, 38, 39, 245, 253
testing, 155
Desktop deployment, 35
Development Web server, 247
Dial-in customers, 172
Dial-in process, securing of, 177
Dig commands, 118
Directory service map, 169
Disaster
network recovery from, 163
recovery, 181, 252, 255
recovery planning (DRP), 84, 184
DMZ, definition of, 243
DNS server
dig command on, 118
record, single point of failure in, 110
Document
collation, 77
handling process, security issues involving, 65
DoS, see Denial-of-service
Draft Report, 74, 164, 165
generation of, 61
Sponsor Review of, 77
DRP, see Disaster recovery planning
E
Eavesdropping, remote, 1
Electronic commerce, 36
E-mail
HTML version of, 113
mistakes, 39
security, 54, 85
systems, inappropriate use of, 36
Employee(s)
directory, 166
frustrated, 110
network access of, 171
productivity, security procedures and, 67
termination, human resources procedures for, 68
Encryption policy, 231
Enforced path, 54, 85
Enterprise
network, review of, 51
Security Manager, 149
Equipment security, off-premises, 45
Errors
company, 62
security, 68
Essential Net Tools 3, 140, 142
Ethernet LANs, 122
European Union, 40
Event logging, 56, 86
Excel spreadsheet, 157
F
Facilitated Risk Analysis Process (FRAP), 160
Facilities management, 14, 19, 23, 35
Fault logging, 56
FBI, see Federal Bureau of Investigation
FDDI, see Fiber Distributed Data Interface
Federal Bureau of Investigation (FBI), 35–36
Federal Information Processing Standards Publications, 40
Fiber Distributed Data Interface (FDDI), 91
File servers, 71
Final Report, 164
Financial losses, threats and, 43
FingerBomb, 245
Fireball, 150
Fire hazards, 173
Firewall(s), 243
administration, 72
auditing tools, 108, 138
design on, 180
intra-company, 180
personal, 105
probing, 41
security, 72
threat analysis and, 63
Floodnet, 39
Fragmentation, 41
FRAP, see Facilitated Risk Analysis Process
Fu**Edcompany.Com Web site, 111
G
GASSP, see Generally Accepted System Security Principles
Gateways, 71
Generally Accepted System Security Principles (GASSP), 51
GIAC, see Global Information Assurance Certification
Global Information Assurance Certification (GIAC), 41
Global policies, 82
Grinder, 142, 143
H
Hacker(s)
assets stolen by, 40
mind-set, 37
Trojan horse programs installed by, 42
Hackers Choice, 153
Hands-on investigation, 59, 60, 160, 165, 168
Hard vulnerabilities, 7
Health Insurance Portability Accountability Act (HIPAA), 106
Help desk supervisor, 167
HIPAA, see Health Insurance Portability Accountability Act
Host-based tools, 92, 148
HTML format, 121
HTTP protocol, 243
I
ICMP, see Internet Control Messaging Protocol
Identification and Authentication Service
(I&A), 227, 228
IDS, see Intrusion detection system
IEC, see International Electrotechnical Commission
Impact, definition of, 42
Incident
handling, 65, 77, 174
management procedures, 56, 85, 233
Industrial spying, 40
Information
classification, 74, 77, 231
loss, 43, 62
protection, 35
model, standard, 257
oversight, 181
policy, lack of enterprisewide, 172
strategies, 182
reviews, 59, 165
security
awareness, 181
concept flow, 262
definition of, 84
life cycle, 1–2
policy, 53
technology (IT), 19, 23, 51
Information Security Reference Guide (ISRG)
Information Security Steering Committee
(ISSC), 175
Integrity
company loss of, 62
ISO 17799 definition of, 49
Internal audit, 14, 23
International Electrotechnical Commission (IEC), 79
International Information Systems Security Certification Consortium (ISC²), 106
International Organization for Standardization (ISO), 79
Internet
checking for new vulnerabilities on, 94
Control Messaging Protocol (ICMP), 124
electronic commerce over, 36
employee abuse of, 36
Packet Exchange (IPX), 3, 92
Protocol (IP), 3
addresses, 25, 26
network browser, SolarWinds, 124
service provider (ISP), 100
sources, protection from, 100
Interview(s), 59, 60
follow-up, 76
list, interviewees, 23
process, subject areas discussed during, 60
skills, 11
Intrusion
detection system (IDS), 227, 232, 237, 244
SecurityAnalyst, 149
Intrusion Detection’s KANE products, 179
IP, see Internet Protocol
IPX, see Internet Packet Exchange
Iris, 152
ISC², see International Information Systems Security Certification Consortium
ISO, see International Organization for Standardization
ISO 17799, 256
definitions, 49
NVA evaluation areas, 53–55
policy content guidelines, 83
security handbook, 64
self-assessment checklist, 187–204
ISP, see Internet service provider
ISRG, see Information Security Reference Guide
ISS
Internet Scanner 6, 134
SAFE-suite products, 179
ISSC, see Information Security Steering Committee
IT, see Information technology
J
John the Ripper, 145
K
Kerberos, 178
L
LAN, see Local area network
Land Attack, 177
Law enforcement, intrusions to, 36
LC4, 144, 145
LDAP, 247
Legal liability, 73
Legion, 140, 141
Linux
enterprise-scale vulnerability assessment product for, 149
Nmap for, 127
security, 99
Local area network
Ethernet, 122
optical fiber, 175
Local system audit, 148
Log files, ignored, 9
Lotus Notes, 166
M
Mail server, 110, 246
Mainframe environment, security of old, 1, 47
Management report, 17
Man-made disaster, network recovery from, 163
McAfee Security, 135
Message authentication, 86
Microsoft Windows networking, security of, 139
Modems, dial-up capacity, 175
MTE, see Multi-test environment
Multi-port router, 91
Multi-test environment (MTE), 9, 133, 156
N
NAT, see NetBIOS Auditing Tool
National Fire Prevention Association code, 173
Natural disaster, network recovery from, 163
Nessus, 136, 155
NetBIOS
Auditing Tool (NAT), 140, 141
environment, 122
tools, 108, 138, 139
NetFormx, 120, 122
NetFormx Enterprise AutoDiscovery, 121
NetIQ’s Security Analyzer, 149
NetProwler, 150, 151
NetRecon, 134, 135
NetSonar, see Cisco Secure Scanner
Netstumbler, 151
NetWare, 169, 175, 248
Network(s)
access, 61
administration, 107, 174
architect, 167
auditing logs, 166
controls, 44, 53, 56, 72
diagram, 166
enumeration tools, 108, 122
facility security, 181
file systems (NFS), 41
flooded, 38
management, 35
operating systems, 175
partitioned, 71
public telecommunications, 44
routing control, 54, 86
security
breach of, 43
concerns priority matrix, 43
controls, 77
segments, monitoring of for traffic, 152
segregation, 54
sending of usernames across, 238
services, policy on use of, 54
sniffing, 91, 109, 139, 155
system
administrator, 168
identification, 137
topography
documentation, 18
information, 17, 18
Network concerns, assessment of, 33–46
additional threats, 40–42
checklists, 44–45
network vulnerability assessment team, 35
network vulnerability assessment timeline, 34
other concerns, 37–40
computer hackers, 37–38
computer viruses, 37
denial-of-service attacks, 38–39
disgruntled employees, 40
e-mail mistakes, 39
industrial spying, 40
other considerations, 43–44
prioritizing risks and threats, 42–43
threats to computer systems, 35–37
Network Inspector (NI), 120, 122, 123
Network vulnerability assessment (NVA), 2–3, 13
checklist, 209–213
cycle, 52
documentation, 23, 157
effective, 47
evaluation areas, ISO 17799, 53–55
hardware requirements for conducting, 10
plain sight method, 107
project definition, 17
sample schedule, 58
skills needed, 3
specific aspects of, 33–34
stealth mode, 107
steps, 89
task list, 19, 22
team (NVAT), 35, 162, 185
Team Lead, 51
technical expert, 3
timeline, 34
ways to perform, 107
Network vulnerability assessment methodology, 47–79
bottom-up examination, 50–51
definitions, 48
example schedule, 52
justification, 48–49
methodology purpose, 47–48
NVA process, step-by-step, 58–78
analysis, 61–63
data collection, 59
draft report, 74–78
final report and presentation, 78
interviews, information reviews, and hands-on investigation, 59–61
post project, 78
project initiation, 59
security policy, 63–74
threat analysis, 63
philosophy, 49
team members, 52–58
top-down examination, 49–50
Network vulnerability assessment sample report, 159–184, see also NVA report, sample
analysis, 170–178
miscellaneous, 178
network architecture and connectivity, 175