Appendix A-3
Network Vulnerability Assessment Checklist
(Managing Network Vulnerability Assessment, pp. 209–213)

Security Checklist

| Security Requirement | Y, N, or N/A | Description of How the Requirement Is or Will Be Met, or Why It Cannot Be Met |
|---|---|---|
| 1. Unique user ID and confidential password required | | |
| 2. Additional identification required for remote access | | |
| 3. “Help” screen access available to logged-on users only | | |
| 4. Last session date and time message back to user at sign-on time | | |
| 5. Exception reports for disruptions in either input or output | | |
| 6. Session numbers for users/processors that are not constantly logged in | | |
| 7. Notification to users of possible duplicate messages | | |
| 8. Threshold of errors and consequential retransmission on the network related to management via automatic alarms | | |
| 9. Encryption requirements | | |
| 10. Encryption key management controls | | |
| 11. Message Authentication Code requirements for nonencrypted sensitive data transmission | | |
| 12. System authentication at session start-up (wiretap controls) | | |
| 13. Confirmation of host log-off to prevent line grabbing | | |
| 14. Downloading controls for connected intelligent workstations | | |
| 15. User priority designation process | | |
| 16. Transaction handling for classified communications | | |
| 17. Trace and snapshot facilities requirements | | |
| 18. Log requirements for sensitive messages | | |
| 19. Alternate path requirements between nodes | | |
| 20. Contingency plans for hardware as well as all usual system requirements | | |
| 21. Storage of critical messages in redundant locations | | |
| 22. Packet recovery requirements | | |
| 23. Physical access for workstations when units are not in use | | |
| 24. Control units, hubs, routers, cabinets secured | | |
| 25. Environmental control critical requirements | | |
| 26. Segregation for sections of the network that are deemed “untrustworthy” | | |
| 27. Gateway identification for authorized nodes | | |
| 28. Automatic disable of a user/account, line or port if evidence an attack is underway | | |
| 29. Naming convention to distinguish test messages from production | | |
| 30. User switching application controls | | |
| 31. Time-out reauthorization requirements | | |
| 32. Password changes (time/length/history) requirements | | |
| 33. Encryption requirements for passwords, security parameters, encryption keys, tables, etc. | | |
| 34. Shielding requirements for fiber-optic lines | | |
| 35. Controls to prevent wiretapping | | |
| 36. Reporting procedures for all interrupted telecommunication sessions | | |
| 37. Identification requirements for station/terminal access connection to network | | |
| 38. Printer control requirements for classified information | | |
| 39. Appropriate “welcome” connection screens | | |
| 40. Dial-up access control procedures | | |
| 41. Anti-daemon dialer controls | | |
| 42. Standards for equipment, applications, protocols, operating environment | | |
| 43. Help desk procedures and telephone numbers | | |
| 44. Protocol converters and access method converters dynamic change control requirements | | |
| 45. LAN administrator responsibilities | | |
| 46. Control requirements to add nodes to the network | | |
| 47. Telephone number change requirements | | |
| 48. Automatic sign-on controls | | |
| 49. Telephone trace requirements | | |
| 50. FTP access controlled | | |
| 51. Are patches tested and applied? | | |
| 52. Software distribution current | | |
| 53. Employee policy awareness | | |
| 54. Emergency incident response plan/procedure | | |
| 55. Internal applications control | | |
| 56. Proper control of the development environment | | |
| 57. Software licensing compliance review | | |
| 58. Portable device (laptop/notebook/PDA) handling procedures | | |
| 59. Storage and disposal of sensitive data/information | | |
| 60. Default password controls and settings | | |
| 61. Review of off-site storage for disaster recovery resources | | |
| 62. Unnecessary services disabled | | |
| 63. Client server data transfer analyzed and secured | | |
| 64. Restrict telnet and r-commands (rlogin, rsh, etc.) | | |
| 65. Configuration management procedures | | |
| 66. Tracking port scans | | |
| 67. Review monitoring responsibilities | | |
| 68. Separation between test and production environment | | |
| 69. Strong dial-in authentication | | |
| 70. System administrator training | | |
| 71. Voice system protection procedures | | |
| 72. Tunneling for all remote access (inbound or outbound) | | |
| 73. Encryption of laptops | | |
| 74. Management awareness | | |
| 75. Program and system change control procedures | | |
| 76. Open “inbound” modem access for vendor support | | |
| 77. Modem usage policy | | |
| 78. Incident event coordination (procedures) | | |
| 79. Intrusion detection system (IDS) implementation and monitoring | | |
| 80. Monitoring Web site from attack (internal and external) | | |
| 81. Domain Name Server monitoring | | |
| 82. Hardware maintenance requirements | | |
| 83. Hard drive repair, maintenance, and disposal procedures | | |
| 84. BIOS (Basic Input/Output System) boot order | | |
| 85. E-mail content policy and monitoring | | |
| 86. E-mail forwarding policy (hopping) | | |
| 87. Spamming controls and testing procedures | | |
| 88. Employee termination and credential disablement | | |
| 89. After-hours sign-in logs | | |
| 90. Network sniffer policy, procedures, and monitoring | | |
| 91. Validity of e-mail accounts | | |
| 92. Background checks before hiring | | |
| 93. Administrator accounts and password controls | | |
| 94. Time synchronization procedures | | |
| 95. Establishment of a Security Committee | | |
| 96. Testing process for LAN applications | | |
| 97. Business unit security person designated | | |
| 98. Log and review of all Administrator changes | | |
| 99. Review and resolution of past audit comments | | |
| 100. Audit logs secured | | |