Network Vulnerability Assessment Sample Report 171
Exhibit 4. Analysis (Continued)
important that employees receive ongoing training in proper security practices, including proper disposal of hardcopy sensitive and critical material. System and network administrators also need additional specialized training in system and network security. They need to know your systems better than a hacker, and this level of knowledge requires training. Currently, such advanced training is optional — it should be mandatory.
Personnel
Bogus Corporation’s system administrators provide the management behind access to data. It is important that all staff members have a consistent understanding of what data is critical (ISO 17799, 5.2.1), what data is sensitive, and how the overall administration of access to data is managed. This understanding does not appear to be consistent; variances in practice exist concerning password management and administration, auditing and logging, network access of temporary and permanent employees, and access to data based on job function alone. Overall, each individual charged with the management or administration of access to information needs to be aware of established policy, the principles of information security, and how to implement information security effectively.
Furthermore, all practices need to be documented (ISO 17799, 6.1.1). At present, too much essential system knowledge is in the heads of employees. If a senior system administrator were to leave or become unexpectedly disabled, you would not be able to easily replace his or her knowledge of your systems, and system functioning could be severely impacted.
Technical Management and Network Practices
Reporting Structure
Risk = medium. Some system administrators report to managers within the IT organization; others report to the manager of the functional group to which they provide systems support. Such an arrangement tends to provide better service to IT customers but often fails to provide consistent administration of security practices.
Recommendation. Matrixed reporting might provide for more consistency in network security administration. A permanent Information Security Steering Committee (ISSC) (ISO 17799, 4.1.1) should be established, with members drawn from IT and major user groups. This group’s charter would be to approve and support the vision and goals of Bogus Corporation’s information protection program. The members of this group should provide guidance in the consistent implementation of security throughout the organization, ensure that the resources are adequate for the successful implementation and maintenance of this program, and provide training for all users in security practices.
Policies and Procedures
Risk = high. Few of the policies and procedures that we reviewed covered information security. Policies are usually mandated to make them effective and universally applied. It will be a challenge for Bogus Corporation to mandate stringent security practices throughout the organization.

We believe that the lack of an enterprisewide information protection policy hinders Bogus’ ability to make effective and secure use of its networks and systems. Explicit security policies and procedures must be implemented. This is the first step in providing secure information systems. Without such explicit policies and practices, it is difficult to choose the appropriate security functions to provide cost-effective protection to your critical and sensitive data.
Recommendation. A set of comprehensive policies, standards, procedures, and guidelines mapped to the International Standard for Information Security (ISO 17799) must be developed and implemented (see ISO 17799, 3.1.1).
System Administrators
Risk = medium. There is currently no one person appointed to the task of assisting management to develop, implement, and maintain an information protection program consistent with Bogus objectives.
Recommendation. An Information Protection Coordinator (ISO 17799, 4.1.4) should be appointed by management to assist in the creation of security policy documents, working in concert with the ISSC. This person should report directly to senior management and should be responsible for the day-to-day oversight of information protection practices at Bogus Corporation.
Physical Controls
Risk = high. Physical access controls restrict the entry and exit of personnel (and often equipment and media) for an area, such as an office building, suite, data center, or a room containing system equipment (e.g., modem banks for dial-in customers). Unlocked doors and cabinets, of course, are not secure, and automatic doors that close slowly (such as the main entrance to the central computer services room) can offer opportunities for unauthorized access. Unmarked keys in an unlocked key safe are especially vulnerable. Without an inventory, there is no way to determine if keys have been taken.
Recommendation. Access to computing facilities should be strictly controlled (ISO 17799, 7.1). Only authorized personnel should be able to enter the computing facilities, and entrance and exit should be monitored. Automatic doors are a bad idea, unless they can be modified to close quickly. Access to cables, routers, and other network devices should be limited as well. Doors to the outside should not be propped open. These exits should be wired so that an alarm sounds in the security office when the door is held open for a specified length of time. Employees should have to request new key cards in person, and positive identification should be required. It is also good practice to check the employee’s name against a list of recently terminated employees provided on a daily basis by the HR department.

Any publicly posted material that indicates employee names, building addresses, job titles, or phone numbers should be removed (ISO 17799, 5.2.2). This kind of information can be used by a hacker to spoof one of the employees. For the same reason, information about your systems, system identifiers, IP addresses, network configuration, and network architecture should never be stored where an unauthorized person can view it. Critical and sensitive design documents should also be kept under lock and key, and access should be monitored.
Fire Safety Factors
Risk = high. Building fires represent a serious threat to security because of the potential for complete destruction of hardware and software, the risk to human life, and widespread damage, even from a localized fire. Smoke, toxic and corrosive gases, and high humidity from even a localized fire can damage systems throughout the building.

We noticed several fire hazards in our inspection of your central computing services facility. There were no smoke detectors, and we saw only one fire extinguisher. Several stacks of old magazines were haphazardly stored in the back of the facility, along with foam computer packing material (highly toxic when burned).
Recommendation. We recommend that computing facilities throughout the organization be carefully evaluated for fire hazards (National Fire Prevention Association code [NFPA 75]). Your local fire department can help you to identify existing fire hazards and ensure that you are in compliance with existing fire protection standards.
Contingencies and Disasters
Risk = high. Contingency planning directly supports an organization’s goal of continued operations. Bogus Corporation has no comprehensive contingency plan for the data center or the network. Although backup tapes are stored off-site, no plans exist for obtaining these materials in the event of a disaster.

Recommendation. Bogus Corporation should implement a Business Continuity Plan with all possible speed (ISO 17799, 11.1.1). The first task should be to develop a data center recovery plan in which critical business processes are identified. It is critically important that Bogus Corporation knows what its critical business processes are and how to reestablish them elsewhere in the event of a serious business interruption.
Computer Incident Response Team
Risk = medium. Computer incidents are defined as unauthorized intrusions into one or more of your network services. The most commonly reported incidents are Web site vandalism, viruses, and theft of financial information. In reality, many more incidents occur than are actually reported. Most organizations prefer to keep their vulnerabilities as quiet as possible. Bogus Corporation currently does not have a designated incident response coordinator, and the incidents that have occurred have been handled in an ad hoc fashion.
Recommendation. Because most incidents involve several management domains (i.e., security, public relations, IT, operations), it is important to have a coordinated response to any incidents (ISO 17799, 6.3). Whether or not your organization chooses to inform the authorities (the police) of an attempted or successful intrusion, you need to be sure that you know how you are going to respond to different levels of damage, who is responsible for media relations, and how you will ensure that such a vulnerability is not exploited by others. If you do decide to charge a perpetrator, you will need to have documentation of the alleged system events (i.e., audit logs). The NVA has provided our “Incident Handling Guidelines” in the Appendix to assist you in developing your own computer incident response guidelines.
Network Administration
Risk = medium. System administrators are the backbone of your skilled computing security resource. At present, although they know a lot about your network and a lot about maintaining it and keeping it available for your users, they know very little about the technical practice of information security. The help-desk personnel possess significant authority to set up and terminate user accounts and “reset” passwords, but these activities are not logged or audited. Most system administrator activities on the network are not logged either.
Recommendation. Although these individuals are “trusted” to protect the interests of Bogus Corporation, their activities should be monitored and logged (ISO 17799, 9.7). These employees have a broad view of the network and its capabilities, so it makes good business sense to monitor all or most of their change activities. Currently available logging tools should be enabled, and new monitoring tools should be deployed as needed. Your Internal Audit department should be responsible for monitoring compliance.
Network Architecture and Connectivity
Network Topology
Bogus Corporation’s network consists of several optical fiber local area networks (LANs) that serve the Houston and Galveston networks. The wide area network (WAN) that connects the two sites has high-speed connections (T1 and T3). Dial-up capacity to modems connected to the corporate network provides connectivity for regional sales staff.
Partitioning and Administration
The partitioning and administration of the network is primarily based on operational divisions. Because there is no central oversight, equipment can be added to a particular segment without clearance from the IT group. Security is often not considered when decisions about hardware and network upgrades are made.

We believe that a more coordinated approach to network management would provide the oversight that is critical to maintaining secure network operations. Changes to the network should be reviewed by the Information Security Steering Committee (ISSC) (ISO 17799, 4.1.1) to make sure that arbitrary network additions and deletions do not jeopardize system security.
Network Operating Systems
Novell NetWare
Risk = high. Novell NetWare is the primary network operating system. Version 3.xx is the deployed version. This version has many known bugs that affect overall system security. These bugs were fixed in v4.xx. It is highly recommended that you upgrade to 4.xx or higher as soon as possible.