24 Managing Network Vulnerability Assessment
industry may have one or two office locations where staff must be interviewed
but may also have a number of refinery and distribution plants where the
company feels there is not a strong need to interview staff. (We make no
comment here on whether that decision is right or wrong.) In another industry
— perhaps healthcare — the organization’s management may decide that staff
at each location must be interviewed. The healthcare organization may have
its headquarters in one city and hospitals and doctors’ offices in many cities
located many miles apart.
In each case, we will need to know how many offices are to be visited
and their location. We will document that in a table such as the one shown
in Exhibit 6.
If an organization — at the stage of the project when the scope is being
developed — cannot fully answer the questions needed to complete the above
tables (i.e., those in Exhibits 4 through 6), it is still necessary to enter some
values for each of the three areas discussed above. It is acceptable, instead
of entering specific values in each of the three tables above, to enter more
vague descriptions such as “Interview five key personnel to be named” or
“Spend ten hours collecting and reviewing documents” — as long as specific
values are substituted for these vague descriptions before project kickoff. If
the vague details turn out to be too small to accommodate the specific values
(for example, if eight specific individuals need to be interviewed instead of
just five), then a scope change must be initiated. Scope change is discussed
at the end of this chapter.
When these three tables are complete (even temporarily, with vague
descriptions), we have the scope of the top-down assessment and can move
on to developing the scope of the bottom-up assessment.
Scope of the Bottom-Up Assessment Tasks
As we will see later in the book, the bottom-up examination concentrates on
hardware and software implementations of network security by assessing the
network as a discrete entity and by assessing the security of individual
components.
Exhibit 6. Physical Location List
Location | Description | City/State | To Be Included in Interview Schedule? (Y/N)
To define the scope of the bottom-up assessment part of the overall network
vulnerability assessment, we need to understand what network components
will be involved in the test and what types of tests we are going to run. This
information can be broken into seven elements for the purpose of developing
the scope and, as with the tables in Exhibits 4, 5, and 6, combined to make
an attachment to the Project Scope Document. The seven elements in the
scope of a bottom-up assessment are:
1. Testing parameters
2. IP addresses
3. Configuration audit
4. Cryptographic analysis
5. Password cracking
6. Application examination
7. War dialing
For each of these seven elements, the information needed to define the scope
of the project can be gathered in a questionnaire. Exhibit 7 shows an example
of the questionnaire.
Exhibit 7. Bottom-Up Scope Questionnaire
Testing Parameters
The following are specific test parameters agreed upon by the assessment project manager and
(project sponsor):
Systems being tested are [production/development/both production and development] systems.
The test team [has/has not] been granted permission to install ESM agents for configuration
audits. Note: ESM is discussed in Chapter 6.
[The assessment project manager/client/both] will choose the devices for point scans.
[The assessment project manager/client/both] will choose the devices for configuration audits.
Client [has/has not] authorized the assessment project manager to perform denial-of-service
testing.
A physical security assessment [was/was not] requested.
Social engineering [was/was not] requested.
The assessment project manager [has/has not] been requested to evaluate the following, if
present:
The test team is restricted to after-hours testing as follows:
Light network scans [Yes/No] [Time range]
Heavy network scans [Yes/No] [Time range]
Point scan testing [Yes/No] [Time range]
Denial-of-service testing [Yes/No] [Time range]
Configuration audits [Yes/No] [Time range]
War dialing [Yes/No] [Time range]
The test team has been requested to follow additional guidelines while testing:
[Specify any additional guidelines]
Exhibit 7. Bottom-Up Scope Questionnaire (continued)
IP Addresses
List of IP addresses to be tested:
[List IP addresses and ranges to be tested]
Specific IP addresses targeted for point scans
Chosen by client:
[List IP addresses and ranges to be tested]
Chosen by the test team:
[List IP addresses and ranges to be tested]
Specific IP addresses to be used for the ESM (Enterprise Security Manager) configuration audit
Chosen by client:
[List IP addresses and ranges to be tested]
Chosen by the test team:
[List IP addresses and ranges to be tested]
Configuration Audit
Number of SysLog Servers: [x]
Windows NT
Number of servers: [x]
Percentage of servers to be tested: [x]
Number of workstations: [x]
Percentage of workstations to be tested: [x]
Number of domain controllers: [x]
Sun Solaris
Number of servers: [x]
Percentage of servers to be tested: [x]
Number of workstations: [x]
Percentage of workstations to be tested: [x]
Other UNIX
Number of servers: [x]
Percentage of servers to be tested: [x]
Number of workstations: [x]
Percentage of workstations to be tested: [x]
VAX/VMS
Number of servers: [x]
Percentage of servers to be tested: [x]
Number of workstations: [x]
Percentage of workstations to be tested: [x]
Linux
Number of servers: [x]
Percentage of servers to be tested: [x]
Number of workstations: [x]
Percentage of workstations to be tested: [x]
Win2000
Number of servers: [x]
Percentage of servers to be tested: [x]
Number of workstations: [x]
Percentage of workstations to be tested: [x]
Other Operating Systems
Number of servers: [x]
Percentage of servers to be tested: [x]
Number of workstations: [x]
Percentage of workstations to be tested: [x]
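As an added example that is not part of the book, the following Python script models the values a scoping team would fill into the Exhibit 7 questionnaire (the authorised IP list, the after-hours windows per test type, the denial-of-service authorisation, and the count/percentage pairs of the configuration audit) and checks a proposed test against them before it is launched. Every address, time window and count below is constructed for illustration, and the class and function names are assumptions of this example, not terminology from the book.

```python
"""Scope guard built from the Exhibit 7 questionnaire values (added example)."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List, Optional
import ipaddress
import math


@dataclass
class TestWindow:
    """One row of 'The test team is restricted to after-hours testing as follows'."""
    restricted: bool                # the [Yes/No] column
    start: Optional[time] = None    # [Time range] start, when restricted
    end: Optional[time] = None      # [Time range] end, when restricted

    def permits(self, when: datetime) -> bool:
        """True if this test type may run at the proposed time."""
        if not self.restricted:
            return True
        t = when.time()
        if self.start <= self.end:
            return self.start <= t <= self.end
        # window crosses midnight, e.g. 22:00 to 05:00
        return t >= self.start or t <= self.end


@dataclass
class BottomUpScope:
    in_scope: List[ipaddress.IPv4Network]   # 'List of IP addresses to be tested'
    dos_authorized: bool                     # 'Client [has/has not] authorized ... denial-of-service'
    windows: Dict[str, TestWindow]           # test type -> after-hours row


def parse_ip_list(entries: List[str]) -> List[ipaddress.IPv4Network]:
    """Accept single hosts, CIDR blocks and 'first-last' ranges as written on the form."""
    nets = []
    for entry in entries:
        entry = entry.strip()
        if "-" in entry:
            first, last = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            nets.extend(ipaddress.summarize_address_range(first, last))
        else:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def check_test(scope: BottomUpScope, target: str, test_type: str, when: datetime) -> List[str]:
    """Return the scope rules a proposed test would break (empty list = in scope)."""
    problems = []
    addr = ipaddress.ip_address(target)
    if not any(addr in net for net in scope.in_scope):
        problems.append(f"{target} is not on the authorised IP list")
    if test_type == "denial-of-service" and not scope.dos_authorized:
        problems.append("denial-of-service testing was not authorised by the client")
    window = scope.windows.get(test_type)
    if window is None:
        problems.append(f"no testing-hours row recorded for '{test_type}'")
    elif not window.permits(when):
        problems.append(f"'{test_type}' is restricted to {window.start}-{window.end}, "
                        f"proposed {when.time()}")
    return problems


def audit_sample_size(count: int, percent: int) -> int:
    """Hosts to audit for one 'Number of ...' / 'Percentage ... to be tested' pair.

    Rounded up so that a non-zero percentage of a small population never
    silently becomes zero hosts.
    """
    if count <= 0 or percent <= 0:
        return 0
    return math.ceil(count * percent / 100)


# Constructed sample scope; documentation ranges only.
EXAMPLE_SCOPE = BottomUpScope(
    in_scope=parse_ip_list(["192.0.2.0/24", "198.51.100.10-198.51.100.20"]),
    dos_authorized=False,
    windows={
        "light scan": TestWindow(restricted=False),
        "heavy scan": TestWindow(restricted=True, start=time(22, 0), end=time(5, 0)),
        "denial-of-service": TestWindow(restricted=True, start=time(1, 0), end=time(4, 0)),
    },
)


def run_example() -> Dict[str, List[str]]:
    """Evaluate a handful of proposed tests against the sample scope."""
    return {
        "in_scope_light": check_test(EXAMPLE_SCOPE, "192.0.2.15", "light scan", datetime(2024, 1, 1, 14, 0)),
        "off_list": check_test(EXAMPLE_SCOPE, "198.51.100.25", "light scan", datetime(2024, 1, 1, 14, 0)),
        "heavy_daytime": check_test(EXAMPLE_SCOPE, "192.0.2.15", "heavy scan", datetime(2024, 1, 1, 14, 0)),
        "heavy_night": check_test(EXAMPLE_SCOPE, "192.0.2.15", "heavy scan", datetime(2024, 1, 1, 23, 30)),
        "dos_unauthorised": check_test(EXAMPLE_SCOPE, "198.51.100.12", "denial-of-service", datetime(2024, 1, 1, 2, 0)),
    }


if __name__ == "__main__":
    for name, problems in run_example().items():
        print(name, "->", problems or "OK")
    print("Solaris servers to audit (7 at 25%):", audit_sample_size(7, 25))
```

The point of the check is that the questionnaire's bracketed values become machine-checkable constraints: a target outside the authorised list, a heavy scan outside its after-hours window, or a denial-of-service test the client never authorised each surface as a named violation before the test runs rather than as a scope dispute afterwards.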