Network Vulnerability Assessment Methodology 73
Risk Aversion
Network vulnerability assessment and the formation of security-related plans
do not result in risk-free systems. Perfect security and integrity are unattainable.
People build and operate the technology used in systems; the inevitable result
is errors and oversights. An organization cannot even approach zero risk;
rather, it needs to find the balance between acceptable cost and acceptable
risk that has been defined as practical and appropriate for this organization
to meet its business needs.
Business Impact Analysis (BIA)
The principal objective of the business impact analysis (BIA) is to determine
the effect of mission-critical information system failures on the viability and
operations of enterprise core business processes. Using a standard assessment
methodology, the enterprise should have a process in place to determine the
relative criticality of all applications, systems, or other assets. This process
should be employed as part of the normal business process and its results
should be reviewed as part of the NVA. Once the critical resources are scored,
the organization can then identify appropriate controls to ensure that the
business continues to meet its business objectives or mission.
Direct Costs
Direct costs are out-of-pocket expenses. Monetary cost is the outright replacement
cost of the asset. Insurance is used to balance such potential asset losses.
Legal liability is a value assigned by the actual mechanisms of insurance
carriers or assessments made by the legal department of an organization.
Injuries are accounted for with measurements that are similar to those of legal
liability, for example, workers compensation. Loss of life and limb are handled
in the same way as legal liability and injuries.
Indirect Costs
Indirect costs are difficult to quantify because evaluating the basis for these
losses is a subjective effort. One of the most devastating losses of this type
is loss of trust. The importance of being able to trust the infrastructure should
not be underestimated. Loss of the ability to trust an infrastructure is disruptive.
Even more disturbing is having to trust an infrastructure that an organization
suspects has been compromised.
Loss of trust is related to the loss of system, network, or data integrity.
Technical report MTR-8201 (Trusted Computer Systems Glossary, The Mitre
Corporation, March 1987) defines integrity as “the assurance, under all conditions,
that a system will reflect the logical correctness and reliability of the
operating system; the logical completeness of the hardware and software that
implement the protection mechanisms; and the consistency of data structures
and the accuracy of the stored data.” People generally trust their systems,
networks, and data unthinkingly and assume that they are producing correct
results. Proving that integrity has been maintained is difficult because you are
trying to prove a negative.
Loss of personal privacy is a subset of trust — if an organization cannot
trust the infrastructure, it does not know who is looking at its data. In an
employer–employee relationship, privacy is usually not an issue because most
organizations claim rights to employee data and communications. However,
issues of privacy and loss of privacy can arise. Supervisors who abuse their
authority to look at users’ electronic mail may be violating their employees’
privacy, depending on the organization and the rules that have been established
for the use of its communications. This underscores the importance of
clearly articulated personnel policies and procedures.
Opportunity Costs
Opportunity cost is the most difficult to quantify and the least understood
result of risk management. One of the organization’s most important assets is
its infrastructure. It is the combined actions of the people, computing capability,
networks, and data of an organization’s infrastructure that enables it to
take advantage of opportunities that arise. Reducing the opportunity costs
associated with an infrastructure means that the infrastructure should be
protected, so that its resources are available when needed.
Phase IV: Draft Report
The results of your investigations and analysis should be documented in a
Draft Report. The sponsor will review this report; and if any major changes
or further investigations are required, a second draft can be generated and
reviewed again. Management must understand and agree to all of the analysis
before the Final Report and presentation (if required) are generated. Nothing
in the Final Report should come as a surprise to the sponsor.
The Draft Report template is available in the PSO directory on the admin-
server, and a sample Draft Report (for the Bogus Corporation) is included in
Chapter 7 and Appendix C of this book. Rather than duplicate the entire report
here, you can review the report attached in Chapter 7 and Appendix C. Below
are descriptions, comments, and guidelines for each of the main report sections.
Title Page
Using the sample title page found in Appendix C, ensure that the company
name and sponsor are correctly entered.
Information Classification
The information contained in a vulnerability assessment is normally classified
as Confidential, and the sponsor is normally identified as the Owner.
Table of Contents
Refer to the sample report for a Table of Contents.
Executive Summary
This section should be no longer than two pages. It introduces the assessment
methodology, overviews the critical findings, and summarizes the recommendations.
This section should be generated last, after all the following sections have
been completed (or at least clearly outlined). Bear in mind that busy executives
are unlikely to read much beyond these two pages, so they must be clear and
concise, and convey the recommendations accurately and completely.
Methodology Overview
The Overview introduces our philosophy and approach to the NVA. It
defines terms and outlines methodology, both in general and specifically, for
the client. While some of the material will be “boiler-plate” as noted in the
example, you need to read it carefully to make sure that all the information
is appropriate for this particular NVA. The sources for making specific comments
are company documentation, Statement of Work for the NVA, and results
of the initial planning meetings with client management.
Security Profile
This section contains a basic profile of the client company’s security environment.
This information is based on documents and data collected during Phase
I and Phase II of the assessment process. This includes background information
on the network and its environment, a list of company documents (policy,
procedures, and network topology), summaries of interview results, and
reports from the actual hands-on investigation of the company’s environment.
Relevant company documents are collected together in the Appendices. The
determination of which company documents should be included is somewhat
difficult, especially because you will be reviewing, in some cases, a mass of
information. Security-related documents should be included but other documents,
unless they specifically cite an area of concern, should not.
The goal of this section is to summarize the client’s network environment
and existing security infrastructure, in preparation for the detailed identification
of vulnerabilities.
Analysis
This section details vulnerabilities and risks discovered in the organization’s
environment (Phase III: Analysis). This analysis is divided into functional areas
of policy, management, architecture, and safeguards. Emphasis is placed on
the impact that these problems, vulnerabilities, and unmitigated risks have (or
could have) on the organization’s ability to do business. In addition to
vulnerability identification and risk evaluation, the NVA team also provides
recommendations to mitigate the risks. These recommendations (software,
hardware, policy, and practice) should be nonjudgmental. Suggested products
are usually included in the Appendices.
Example subsections are provided in the Draft Report template, and completed
examples are available in the Sample report for the Bogus Corporation
(see the Appendices). You may find that other subsections need to be included
for the particular client.
Resources for completing your Analysis section will include all of the profile
reports (documents, interviews, and hands-on investigation), known vulnerability
reports and bulletins (see Appendices), online bug tracking information
and known threats (see Appendices), follow-up interviews, and additional site
visits, if they occur.
Because this is the largest section of the report, and requires the most
amount of work, it is best divided among the appropriate NVA team members.
For example, those NVA team members with strong skill sets in UNIX controls
and NT security should generate the Analysis sections pertaining to those
systems, NVA team members with a strong skill set in security policy analysis
should be responsible for generating that subsection of Analysis, and so on.
It is important to remember that an NVA is not a security audit. The level
of detail in technical analysis (i.e., system configuration, account permissions)
should remain fairly high level and point out only the most critical issues. It
should be made clear to the sponsor that this is not an audit, but it does
provide a foundation of and justification for performing an audit.
Conclusions
This section reviews the nonjudgmental recommendations for minimizing
vulnerabilities and mitigating risks detailed in the previous section (Analysis).
These recommendations are ranked in order of their critical importance. This
section concludes with a summary table listing all recommendations in order
of importance (risk levels).
This section is essentially a summary of the previous section with emphasis
placed on recommended mitigation and countermeasures. The subsections
are limited to the areas of security that most critically need attention. The
recommendations offered in the Executive Summary should map to the recommendations
in this summary.
Summary Table of Risks
This table presents brief summaries of all the reported vulnerabilities, associated
risk, and your recommendations in a conveniently organized table. These
items are organized into the three main sections of risk: high, medium, and
low. Within each risk section, the items are roughly organized in order of
criticality, with the item at the top of each category being the most important.
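As an added illustration (not from the book or its sample report), the following Python builds the Summary Table of Risks in the order described above (high, medium, low, most critical first within each band) and also checks that every Executive Summary recommendation maps to a recommendation in the table, as the Conclusions section requires. The Finding fields, the numeric criticality score, and the sample findings are assumptions constructed for this example.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    vulnerability: str
    risk: str          # "high", "medium" or "low" (the three report sections)
    criticality: int   # assumed score: higher = more critical within its band
    recommendation: str

# Section order of the Summary Table of Risks.
RISK_ORDER = {"high": 0, "medium": 1, "low": 2}

def summary_table(findings):
    """Order findings as the Summary Table of Risks does: by risk band
    (high, medium, low), then most critical first inside each band."""
    for f in findings:
        if f.risk not in RISK_ORDER:
            raise ValueError(f"unknown risk level: {f.risk!r}")
    ordered = sorted(findings, key=lambda f: (RISK_ORDER[f.risk], -f.criticality))
    return [(f.risk, f.vulnerability, f.recommendation) for f in ordered]

def unmapped_summary_recommendations(exec_summary_recs, findings):
    """Executive Summary recommendations with no matching recommendation
    in the Summary Table. An empty list means the two sections agree."""
    table_recs = {f.recommendation for f in findings}
    return [r for r in exec_summary_recs if r not in table_recs]

# Constructed sample findings (hypothetical; not the Bogus Corporation sample).
SAMPLE = [
    Finding("Default SNMP community strings on core switches", "high", 3,
            "Change SNMP community strings and restrict SNMP to the management subnet"),
    Finding("No written incident handling procedure", "medium", 2,
            "Adopt incident handling guidelines"),
    Finding("Firewall rule base not reviewed in 18 months", "high", 5,
            "Review and prune firewall rules quarterly"),
    Finding("Security awareness class is optional", "low", 1,
            "Make the security class mandatory for new hires"),
]

if __name__ == "__main__":
    for risk, vuln, rec in summary_table(SAMPLE):
        print(f"{risk.upper():6} {vuln}\n       -> {rec}")
    gaps = unmapped_summary_recommendations(
        ["Review and prune firewall rules quarterly", "Encrypt offsite backups"], SAMPLE)
    print("Executive Summary items missing from the table:", gaps)
```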
Appendices
Each appendix is a freestanding document with its own page numbering. The
Appendices should be prefaced with a complete list of the attached Appendices.
The contents of the Appendices should be reflected in the Draft Report
Table of Contents. Each appendix should be referenced in the text of the
Draft Report, cited as follows:
The Appendices should contain, at a minimum, the following documents:
Bogus Corporation Documentation Checklist
Bogus Corporation Security Policy and Procedures
Bogus Corporation Personnel Policies and Procedures
Bogus Corporation Employee Security Training Materials
Bogus Corporation Network Architecture/Network Topology
Firewall Survey
Information Classification
Network Security Controls
Known Vulnerabilities for Customer Systems
Recommended Products
Incident Handling Guidelines
Information Security Reference Guide (ISRG)
To limit the size of this report, the appendix items should only contain
document sections that are directly relevant to the NVA. For example, if the
company offers a security class as part of its employee education program,
then only the relevant sections of the class catalog need be included (not the
entire class-offering catalog).
Document Collation
The Team Lead should designate a central collection point for all of the
documentation as it is produced or assembled. This collection point could be
either a designated person or a designated location (such as a directory with
limited access on the server). The Team Lead can take on the responsibility
for putting the report together, or he can delegate that task to an assigned
documentation person. In either case, all the information that has been
gathered by the team needs to be reviewed for completeness, integrated into
the report, checked for accuracy and contradictions, and edited for grammatical
correctness and rhetorical suitability. At some point, all members of the team
should proofread the Draft Report.
Sponsor Review of the Draft Report
Once completed, the Team Lead submits the Draft Report to the sponsor,
usually to the group that has contracted for the NVA. This group reviews the
Draft Report and usually meets with the Team Lead to discuss the findings.
The Team Lead works with the sponsor to make sure that they understand
the report, the results, and the recommendations.