Assessing Current Network Concerns 45
Three checklists are provided in Appendix A:
1. ISO 17799 Self-Assessment Questionnaire
2. Network Vulnerability Assessment Checklist
3. Windows NT Server 4.0 [3]
When developing your checklist, it might be helpful to establish categories
to review. In ISO 17799, the Communications and Operations Management
section 8.5, Network Management, identifies "network controls" as a topic
to be covered. Section 9, Access Controls, is subdivided into 9.4, Network
Access Controls; 9.7, Event Monitoring; and 9.8, Mobile Computing and
Teleworking (Telecommuting). Use these as a starting point for categories, or use
the following:
Environmental hazards
Power supplies
Cabling security
Equipment maintenance
Off-premises equipment security
Disposal of equipment
Summary
To be successful, the NVA team must identify which network security concerns
have the highest priority. This allows the team to focus on those threats and
risks that can cause the enterprise the most damage. Understanding that the
security concerns include personnel and physical as well as technical issues
will ensure the most comprehensive assessment possible.
Establishing a team that represents the enterprise also adds to the credibility
of the assessment results. Using enterprise personnel will ensure that
those individuals with the most intimate knowledge of how the network works
and how it is supposed to work will have input into the report. Be sure to
include representatives from the user community. Some of the best and most
knowledgeable network users come from the business units.
Use all of the resources available to plot what threats will be addressed. Do
your research to gather significant issues and then prioritize these risks based
on probability of occurrence and impact to the enterprise or network. Concentrate
on those issues that will bring the biggest impact to your organization. Use your
team to identify additional items and measure their specific impact.
Developing a checklist will assist the NVA team in ensuring that basic
security controls are examined. Do not just use the checklist. Listen and ask
questions, and be ready to include additional information into the examination
process.
46 Managing Network Vulnerability Assessment
An NVA can take a considerable amount of time to complete. Divide the
total mission into manageable chunks and then begin the process. Complete
one phase before moving on to the next. Be sure to get support from the
infrastructure groups; this will make the task easier. Remember that it is not
your NVA; it is the NVA of the organization.
Notes
1. The Computer Security Institute (CSI) is the world's leading membership organization
specifically dedicated to serving and training the information, computer, and
network security professional. Since 1974, the CSI has been providing education
and aggressively advocating the critical importance of protecting information assets.
The CSI sponsors two conferences and exhibitions each year (NetSec in June and
the CSI Annual in November), as well as seminars on encryption, intrusion management,
the Internet, firewalls, awareness, Windows, and more. CSI membership
benefits include the ALERT newsletter, the quarterly Journal, and the Buyers Guide.
2. The Computer Crime and Security Survey is available for no charge from the CSI
by accessing its Web site at www.gocsi.com.
3. The Windows NT Server 4.0 checklist was developed by Bob Cartwright, CISSP, of ESAAG,
Concord, California, and is presented here with his permission.