Complete Network Vulnerability Assessment Process Step-by-Step

Download the free Complete Network Vulnerability Assessment Process Step-by-Step. This 12-page checklist for Network Vulnerability Assessment (NVA) can be used to support a PCI DSS security assessment or a Sarbanes-Oxley security assessment requirement. The checklist is also based on the ISO 27001/ISO 17799 Information Security Management System standards.

- Project Initiation
- The NVA Team is assembled; team roles are tentatively assigned.
- The NVA Team Lead develops a detailed project plan.
- Hold a kick-off meeting with the sponsor, working from the Pre-NVA Checklist.
- Project process, client expectations, project calendar established.
- A detailed project plan is approved by the sponsor.

- Data Collection
- The NVA team draws up a list of required documents and submits it to the client liaison (point-of-contact, POC).
- Review applicable state and federal laws affecting this particular client.
- Review available documentation; note areas of concern.
- Draw up a list of known bugs and security vulnerabilities to test for in the client environment.

- Interviews, Information Reviews, and Hands-On Investigation
- The steps that the NVA team should perform during this phase of the process include:
- The NVA team defines roles or functions about which it wants to gather information.
- The Team Lead and POC develop an interview schedule.
- The client POC arranges interviews with appropriate client staff members and provides office space for the NVA team.
- Appropriate members of the NVA team interview identified appropriate staff members and other identified personnel.
- The NVA team (usually) requests additional documents (that were not provided in Phase I).
- The NVA team requests additional interviews, as needed.
- The Team Lead requests facility and network clearance and passwords for team members from the client POC, as required.
- The NVA team tours computing facilities and conducts tests of operating systems, hardware, network devices, and software.
- The NVA team tours facilities and performs physical plant inspection.

- Interviews
- The people who should be interviewed include those employees who are in charge of: system design and architecture; support services (customer support, technical support, help desk support); system management and administration; security policy design; and system installation.
- The NVA team should try to make the interview as nonthreatening as possible to the employee being interviewed. The interviewee should be informed that an assessment — not an audit — is being conducted. Additionally, the interviewee is not the specific focus of an investigation. It is the objective of the interview to get the interviewee to view this process as an opportunity to share comments regarding security and to make recommendations as to what needs to be changed without fearing any repercussions.
- The key subject areas that need to be discussed during the interview process include:
- Who the employee is and his or her relationship to the network
- What data the employee accesses, how this is done, and what applications are made available to the employee, and for what purposes
- What the employee perceives to be critical or sensitive data and resources
- What the employee's understanding is of company security policies and procedures
- What security vulnerabilities the employee is aware of
- What changes or solutions the employee would recommend to improve corporate security practices

- Analysis
- The process of analysis actually begins with the acquisition of the first document and only ends in the generation of the Draft Report during Phase IV. Analysis spans most of the NVA process and generates the majority of content in the report. The initial and ongoing analysis shapes and directs further data collection and interviews. In the analysis phase, the objective is to identify threats and vulnerabilities, and make recommendations to mitigate the risks by implementing countermeasures. The ideal result of any analysis is a workable and cost-effective balance among the parts of the risk equation. During this phase, the NVA team will:
- Review interview and inspection results and analyze the data for security vulnerabilities; identify risks to the client's computing assets.
- Evaluate vulnerabilities for possible controls or safeguards that can be applied.
- High risk levels may result from threats or vulnerabilities that are severe, or from countermeasures that are weak. The key is to balance the threats and vulnerabilities with affordable countermeasures. It is not possible to achieve an environment in which there are zero threats and zero vulnerabilities, and it is not possible for an organization to achieve low risk without some investment in countermeasures.

- Risk Analysis
- Practically speaking, evaluating threats and vulnerabilities is best done by trying to ascertain what types of damage can result from the failure of countermeasures. Once these basic investigations are performed, risk analysis looks at ways of dealing with these threats in a cost-effective manner. In fact, the primary goal of risk analysis is to provide data for making informed decisions about cost-effective safeguards. The NVA is not, properly speaking, a risk analysis study, but we do use some of the same assumptions and follow similar protocols in the course of the NVA. A true risk analysis would attempt to assign a risk priority to each threat (as previously discussed) by determining the probability of occurrence and the possible impact. (Note: Information Security Risk Analysis is available through CRC Press.)
- Determining the damage that can result from the failure of countermeasures is difficult. That is, it is difficult to quantify the potential or probable monetary loss when a company loses intangibles, such as the following:
- System configurations. An accurate, up-to-date network map or system configuration list could be a critical resource in the hands of an attacker.
- Passwords. What does it mean to have a privileged password compromised? How does an organization value it — at the level of the damage caused?
- Information loss. What does it mean to have the Coca-Cola Company lose its secret formula? How does the organization value the damage — at the net worth of the company?
- Errors. How could a particular database error affect an organization's business?
- Integrity. What does it mean to lack the ability to detect unauthorized deletion, modification, duplication, or forgery of data?
- CPU cycles and bandwidth. What does it mean to lose the ability to do some activity because an unauthorized activity is taking place (denial-of-service)?
- Determining the actual risk in terms of real potential loss to a particular asset requires a clear understanding of what is sensitive and critical to the enterprise. This is why careful interviewing of staff in Phase II and close collaboration with top management and network administrators throughout the NVA process are so important.
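The passage above says a true risk analysis assigns each threat a priority from its probability of occurrence and possible impact, and that the goal is data for cost-effective safeguard decisions. The following is an added example, not part of the checklist or the book it is drawn from; it assumes the simplest such model (expected loss = probability x impact, a countermeasure is worth funding when the expected loss it avoids exceeds its annual cost) and uses constructed threat and cost figures.

```python
"""Added example (not from the checklist): rank threats and countermeasures.

Assumption: expected loss per year = probability of occurrence x impact, and a
countermeasure is worth funding when the expected loss it avoids exceeds its
annual cost. Every figure below is constructed for a hypothetical client.
"""
from dataclasses import dataclass


@dataclass
class Threat:
    name: str
    probability: float      # chance of occurrence per year, 0..1
    impact: float           # loss if it occurs, in currency units

    def expected_loss(self) -> float:
        return self.probability * self.impact


@dataclass
class Countermeasure:
    name: str
    threat: Threat
    annual_cost: float
    residual_probability: float  # probability once the control is in place

    def risk_reduction(self) -> float:
        """Expected loss avoided per year by deploying this control."""
        before = self.threat.expected_loss()
        after = self.residual_probability * self.threat.impact
        return before - after

    def net_benefit(self) -> float:
        """Positive means the control pays for itself; negative means it does not."""
        return self.risk_reduction() - self.annual_cost


def rank_threats(threats):
    """Highest expected loss first: the 'risk priority' order."""
    return sorted(threats, key=lambda t: t.expected_loss(), reverse=True)


def recommend(countermeasures):
    """Controls whose avoided loss exceeds their cost, best value first."""
    worth_it = [c for c in countermeasures if c.net_benefit() > 0]
    return sorted(worth_it, key=lambda c: c.net_benefit(), reverse=True)


# Constructed sample data (hypothetical figures, not from the page).
PRIV_PW = Threat("privileged password compromise", probability=0.30, impact=200_000)
DOS = Threat("denial of service on order system", probability=0.10, impact=50_000)
CONFIG_LEAK = Threat("network map disclosed", probability=0.05, impact=20_000)

CONTROLS = [
    Countermeasure("MFA for admin accounts", PRIV_PW, annual_cost=15_000, residual_probability=0.05),
    Countermeasure("upstream DoS scrubbing", DOS, annual_cost=8_000, residual_probability=0.02),
    Countermeasure("encrypt network diagrams at rest", CONFIG_LEAK, annual_cost=2_000, residual_probability=0.01),
]

if __name__ == "__main__":
    for t in rank_threats([PRIV_PW, DOS, CONFIG_LEAK]):
        print(f"{t.name:40s} expected loss/yr {t.expected_loss():>10,.0f}")
    for c in recommend(CONTROLS):
        print(f"{c.name:40s} net benefit/yr  {c.net_benefit():>10,.0f}")
```

With these figures only the MFA control is recommended: the DoS scrubbing and diagram encryption each cost more per year than the loss they avoid, which is the "affordable countermeasures" balance the Analysis section describes. Real figures come from the interviews and management collaboration the passage calls for, not from a table like this one.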

- Threat Analysis
- Listed below are the critical areas related to threats and vulnerabilities that you should be sure to cover in your analysis. When you begin, use these to guide the inspection and analysis processes. Be sure to familiarize yourself with these issues before you begin Phase II; knowledge of these areas will help you gather the information you need to perform a thorough analysis. Areas of investigation include:
- Application development
- Auditing
- Firewalls
- Organizational suitability
- Personnel
- Physical plant and facilities
- Standards and practices
- Technical safeguards
- Training

- Security Policy
- A security policy is the basis of any coordinated security effort and provides a framework from which to assess the security practices of the organization. Therefore, it is the starting point for an NVA. If the organization does not currently have a security policy, you will need to assess what is currently being done to provide security and make recommendations about writing a security policy. (Note: Information Security Policies, Procedures and Standards is available through Auerbach Publications.)
- When analyzing security issues involving the company's security policies, the NVA team should consider the following:
- Does it explicitly state what is and is not permissible (e.g., employees can hold outside jobs, but employees cannot work for a competitor)?
- Does it cover all security-related factors in the company, from network security to physical security to noncompete agreements?
- Is the policy distributed to and understood by the company's workforce?
- Have actions ever been taken as a result of violations of the policy?

- Security Handbook
- ISO 17799 and industry practice recommend that every organization have a security handbook targeted to all employees. This handbook translates the company's security policy into specific practices for its employees, demonstrating how the security policy applies to them.
- If the company has a security handbook, the NVA team should consider the following:
- Does it ensure that users can implement the security policy correctly?
- How specific is the security handbook? Does it address issues in generalities, or does it give specific examples?
- Does it show users how the company security policy affects the business objectives or mission?
- Does it make clear the consequences to the employee of not following the security policy?
- Does it give users an understanding of their responsibilities and stress the degree of personal accountability?
- Does it show users how to apply the security policy and procedures in their specific working environment?
- Does it cover security policies for remote users and "on-the-road" staff?
- Does it provide a method for reporting suspected security violations and explicitly support "whistle-blowers"?
- It is imperative that employees receive these messages from their security handbook and their managers. The risk of ignorance is employees who are unsure about security and their role in upholding the organization's security practices. Experience shows that employees will assume they can do something rather than that they cannot do something (e.g., download public-domain software).

- Standards and Practices
- Standards and practices are the means by which a security policy is implemented throughout an organization. They help translate the high-level concepts of the policy into the day-to-day practice.
- When assessing the security issues involving standards and procedures, the NVA team should consider the following:
- Does the company have the procedures in place to implement its security policy?
- Do the practices clearly reflect the goals of the security policy and how that policy supports the business objectives or mission of the enterprise?
- Does the company have a procedure for continually evaluating its current systems, security, and practices against new computing implementations and processes?
- Do project managers and senior management support security practices?
- Are the company's practices and standards intrusive? Do they hinder productivity?

- Document Handling
- Standards and practices should include document handling. Procedures for document creation, storage, backup, archival, retrieval, use, protection, tracking, and disposal need to be specified.
- When assessing the security issues involving the document handling process, the NVA team should consider the following:
- Does the company have a reasonable and usable asset classification scheme for enterprise information, both hard copy and online documentation? Asset classification is the process by which an organization categorizes information and implements controls based on its level of sensitivity. Note that it is particularly important that proprietary information is classified as such, and personnel information is classified as confidential with appropriate controls.
- Is confidential material stored in a secure location (locked cabinets for hard copies; directories with limited access for online documents)? U.S. courts have determined that proprietary information (trade secrets) may not be considered proprietary if it can be demonstrated that the information was freely available to all employees.
- Is the classification scheme followed? You should have a copy of the asset classification standards; check to see if you can find sensitive documents left in insecure locations in violation of the stated standards.
- Is confidential material printed in an insecure area? Are printouts left overnight on the printer or in the photocopy machine?
- Are confidential materials disposed of in a wastebasket, rather than a shredder?
- Are confidential materials destroyed properly? Is the removal and destruction of confidential materials monitored by a trusted employee?
- Are backup media in a secure location with monitored access?
- How is the information record inventory managed and controlled?
- How accessible are sensitive documents? Are they easily accessible to those who have the authority to view them?
- Are practices in place that allow detection of unauthorized changes to documents?

- Incident Handling
- A security incident is commonly defined as any unwanted change in the security status quo of an infrastructure. Examples include a key resource that crashed due to an operating system bug, virus problems in office PCs, or an attack on the infrastructure by a malicious person (an insider or outsider). (Note: Critical Incident Management is available through Auerbach Publications.)
- When assessing the company's incident handling procedures, the NVA team should consider the following:
- Has the company defined what constitutes a security incident?
- Are procedures in place to follow during a security incident?
- Are standards established on when to pursue an incident?
- Is there a process to determine when to prosecute an incident?
- Has the organization formed a computer incident response team (e.g., CIRT)?
- Are procedures in place to handle public relations during a security event?
- Is the organization actively monitoring the network infrastructure for security violations?
- If the enterprise is not prepared for a security event, it is much less likely to recognize when an incident has occurred. For example, if system events are not logged, it may be impossible to recognize a system anomaly that indicates someone is trying to obtain illegitimate access to the system.

- Asset Protection Management and Awareness
- Have levels of trust been established within and outside the organization? In this case, "trust" can be defined as the ability of the system to perform data actions with integrity, to keep confidential information private, and to perform without interruption. The amount of trust you have in the system is partly a function of the quality of the protection of corporate assets.
- Are there business continuity and technology disaster recovery procedures in place? Have the plans been tested? It is always a good idea to test the procedures; just like fire drills, the results provide useful data about flaws in the disaster recovery process.
- Have the backup media been tested to ensure that they contain retrievable data?
- How is access determined and monitored?
- Is access revoked in a timely manner?
- What incidents have occurred recently? How were they handled?
- What were the employees' reactions to the incident handling?
- Could the incidents reoccur?

- Organizational Suitability
- When there is a mismatch between an organization's security policy and procedures and its corporate goals and environment, inevitably the security policy will not be honored in practice. If they do not work in that particular environment, they will not be implemented consistently or accurately. Security policy and procedures are only as strong as management's commitment to their practice. When assessing the organizational suitability of a security policy and procedures, the NVA team should consider the following:
- Is senior management openly supportive of the information security program?
- Do managers observe the security policy in their business practices? Employees will value that which their managers and senior management value.
- Are the employees able to perform their duties efficiently and effectively while following security procedures? Highly intrusive security procedures can stifle employee productivity. Either employees will spend more time worrying about following procedures than actually getting the job done, or they will use "short-cuts" to limit the irritation of doing the procedures properly.
- Does the company have the resources to adequately fund and staff its security efforts? For example, if the organization has a policy that states that no public-domain software can be run before a system administrator clears it, does the organization have the employees to support this? If the resources do not exist, then the result is that employees will run unapproved software, in contravention of the established policy.
- Does the enterprise enforce security policy throughout the organization? This goes along with clearly visible management support. If employees perceive that management support for security enforcement is weak, they will not be motivated to observe security practices.

- Personnel Issues
- An organization's security policy and procedures should be followed by all categories of staff (e.g., full- and part-time employees, contractors, temps, and interns). To work effectively, employees need to know what is expected of them and have the management and resource support they need to do their jobs.
- When assessing the security issues involving employees, the NVA team should consider the following:
- Are there enough employees to support current business goals? Security errors and "short-cuts" are more likely to occur in highly stressed environments. If people are under pressure to produce under tight deadlines, careful observance of security practices is likely to be the first casualty.
- Do employees and project managers know their roles and responsibilities? Are current employees performing necessary and sufficient tasks, or could any of their tasks be considered wasteful? Ensuring that only necessary jobs are being done helps employees focus on keeping the essentials well organized. Ensuring that a sufficient job is being done ensures that time is not wasted in correcting problems caused by incomplete solutions. Efforts past sufficiency in a resource-poor environment are wasteful.
- Are employees performing their tasks efficiently and effectively? Ensuring that work is efficiently and effectively performed saves time and energy, allowing employees to complete tasks to a sufficient performance level.
- Are employees properly trained? Do they have the necessary expertise to implement security practices identified by the assessment process? Employees cannot implement that which they do not understand. Also, the organization needs to be sure that technology expertise is not concentrated in any single employee. What happens if key employees are disabled or unavailable? It is a good idea to spread critical knowledge around so that the loss of one critical employee does not precipitate a security incident.
- Does the organization need to acquire additional security expertise? Can current employees acquire additional expertise from training? From an employee skill assessment, the organization can determine where its employees lack qualifications and experience. Increased security may require additional, specialized expertise, which may be obtained by training employees.
- Does the organization need to hire outside expertise (consultant)? What are the security issues associated with outsourcing? Before adding outside expertise, the organization should evaluate the risks associated with outsourcing such activities.
- Does the organization handle employee terminations in such a way that data and physical security are maintained? Human resources procedures for employee termination need to be documented. For example, system administrators need to be formally notified by HR in a timely manner when someone leaves the company. System administrators need to know that employees and contractors are legitimate and what level of access they should have to company information.

- Physical Plant and Facilities
- The security of company equipment and facilities is just as important as the security of the network infrastructure. Inadequate physical security may allow theft or sabotage of information, and compromise the network. Once the network is compromised, the expectation of trust has been violated.
- When assessing physical and facility security, the NVA team should consider the following:
- How is access to the buildings and computing facilities controlled?
- Who has access to computing facilities, and how many people? Computing facilities should be accessible only to staff members who have a demonstrated need for access. Automatic doors can be a security risk because they often close slowly, allowing "tailgaters" to gain access. Movement sensors that unlock doors also represent a risk.
- How is after-hours access controlled? Who has access to the building after hours?
- Are systems and other hardware adequately protected from theft?
- Are systems and hardware adequately protected from physical tampering? For example, are critical systems or communications links adequately protected? All the security employed across a network will be useless if an intruder can get at the network cabling or connections and sabotage them.
- How is trash disposed of? Are the members of the cleaning crew bonded?
- Are packages checked when carried into or out of the facilities?
- Does the security policy conflict with the corporate culture? If the organization reposes complete confidence in its employees, then certain security practices may not be acceptable. For example, it may not be "culturally" possible to monitor building access after hours, although it is certainly technically feasible.

- After-Hours Review
- Part of assessing physical security includes an after-hours review. The purpose of this review is to see how well security is implemented during off-hours. Even if security is enforced during working hours, the organization is at risk if sensitive or critical information and systems are accessible after hours.
- The NVA team should consider the following:
- Is confidential information found in publicly accessible dumpsters? Yes, you will need to do some "dumpster-diving" to determine the answer to this question. You can also check wastebaskets after people have left but before the cleaning crew has arrived.
- Is confidential information left visible in unlocked offices and work areas?
- Does the cleaning crew have access to locked offices?
- Are workstations and servers left unlocked? Does the cleaning crew have access?
- Are keys left in accessible areas? Are passwords posted visibly?
- Is the building completely locked?
- What procedures does the cleaning crew follow (e.g., do they prop doors open)?

- Training
- The risk of not providing appropriate training for all employees is employees believing they have all the skills and knowledge necessary to perform their jobs. Employees may have the necessary job skills but they can be ignorant of the security procedures they are expected to follow. Training translates the policy and procedures given in the corporate security handbook and makes them applicable to each employee's job functions.
- When assessing the security training at an organization, the NVA team should consider the following:
- Do employees know the business direction and goals?
- Do employees receive security-related training specific to their responsibilities?
- Are employees receiving both positive and negative feedback related to security on their performance evaluations?
- Are employees aware of the security-related risks of their jobs?
- Are system administrators given additional security training specific to their jobs? Security-specific training will make system administrators aware of new developments in security, new threats that emerge, and the technical advances that give hackers new methods for breaching an organization's security.

- Auditing and Oversight
- Security controls must be managed, tested, and enforced once they are in place. When assessing the oversight of the company's security policy and procedures, the NVA team should consider the following:
- Who is responsible for performing security audits? This could be a political "hot potato." Most organizations have an internal audit role or department. It makes sense that security auditing should be a responsibility of this group, but it does not always happen that way. Regardless of who is doing the auditing, be sure to evaluate whether that person(s) has the training to perform an adequate security audit. The process and responsibilities of the security audit function should be documented. Approach this issue with caution. Auditors know their job and perform it very well. Make sure that this topic is handled correctly.
- Are the security policy and procedures routinely tested? Are audits performed on a regular basis?
- Are exceptions to the security policy justified and documented?
- Are reporting mechanisms in place on the systems (e.g., system logging, monitoring, and assessment tools)?
- Who controls these and the data reported by them?
- Is the data stored in a secure location? How often are the logs reviewed?
- Are appropriate system, machine, and user parameters checked (configuration, management, file system, version numbers, traffic, etc.)?
- Are errors and failures tracked? Are anomalies defined and flagged?
- Are recurrences of these errors and failures prevented?
- When operator or user error or oversight is detected, is appropriate training or disciplinary action taken?
- Is a security incident response capability alerted when a security incident occurs?
- Who reviews the audit results?
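The Incident Handling section notes that without system event logging it may be impossible to recognize an anomaly that indicates someone is trying to obtain illegitimate access, and the Auditing list asks whether anomalies are defined and flagged and how often logs are reviewed. The following is an added example, not code from the checklist or its source; it defines two concrete anomalies over syslog-style SSH daemon lines and runs them over a constructed log (host names, addresses and timestamps are invented).

```python
"""Added example (not part of the checklist): define and flag anomalies in auth logs.

Assumes syslog-style lines in the format an OpenSSH daemon writes for
accepted and failed logins. SAMPLE_LOG is constructed for illustration.
"""
import re
from collections import defaultdict

LOG_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+)"
)

# Constructed sample log: a guessing run that eventually succeeds, plus normal use.
SAMPLE_LOG = """\
Mar  3 02:11:04 fs01 sshd[4120]: Failed password for root from 203.0.113.7 port 51110 ssh2
Mar  3 02:11:06 fs01 sshd[4120]: Failed password for root from 203.0.113.7 port 51112 ssh2
Mar  3 02:11:09 fs01 sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 51113 ssh2
Mar  3 02:11:12 fs01 sshd[4122]: Failed password for invalid user oracle from 203.0.113.7 port 51115 ssh2
Mar  3 02:11:15 fs01 sshd[4123]: Failed password for root from 203.0.113.7 port 51118 ssh2
Mar  3 02:11:20 fs01 sshd[4124]: Accepted password for root from 203.0.113.7 port 51120 ssh2
Mar  3 08:30:41 fs01 sshd[4300]: Accepted publickey for alice from 192.0.2.15 port 40022 ssh2
Mar  3 09:02:17 fs01 sshd[4311]: Failed password for alice from 192.0.2.15 port 40030 ssh2
Mar  3 09:02:25 fs01 sshd[4311]: Accepted password for alice from 192.0.2.15 port 40030 ssh2
"""


def parse(log_text):
    """Yield one dict per line that matches the expected sshd format; skip the rest."""
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            yield m.groupdict()


def find_anomalies(log_text, fail_threshold=3):
    """Two written-down anomaly definitions, the kind the audit question asks for:
    1. repeated_failures: a source reaches fail_threshold failed logins;
    2. success_after_guessing: a source that was guessing then logs in successfully.
    Returns (anomaly, subject, timestamp) tuples in log order."""
    failures = defaultdict(int)
    guessing_sources = set()
    findings = []
    for ev in parse(log_text):
        src = ev["src"]
        if ev["result"] == "Failed":
            failures[src] += 1
            if failures[src] == fail_threshold:       # flag once, when the line is crossed
                guessing_sources.add(src)
                findings.append(("repeated_failures", src, ev["ts"]))
        elif src in guessing_sources:                  # an Accepted line from a flagged source
            findings.append(("success_after_guessing", f"{ev['user']}@{src}", ev["ts"]))
    return findings


if __name__ == "__main__":
    for anomaly, subject, ts in find_anomalies(SAMPLE_LOG):
        print(f"{ts}  {anomaly:24s} {subject}")
```

A single mistyped password from alice is below the threshold and is not flagged; the 203.0.113.7 run is flagged at its third failure, and the later successful root login from the same source is raised separately because that is the event the page warns an unlogged system could never recognize. The threshold and the log format are the parts an assessor should check are actually defined for the client's systems.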

- Application Design, Development, Deployment, and Management
- It is recommended that all organizations formalize their application development process, which includes architecture, design, implementation, testing, deployment, and security issues.
- When assessing the security issues involving the application development process, the NVA team should consider the following:
- Is testing performed in an isolated environment?
- Is there a documented promotion-to-production procedure in place?
- How is the deployment of new applications approached? Is it phased into the production environment?
- How is data management handled? Is the data master stored securely?
- How is labeled data processed, transported, stored, and disposed of? The risk of not examining and securing separate steps of the application development process leaves the organization vulnerable to attack from within by disgruntled employees.

- Technical Safeguards
- Technical safeguards enforce security policy and procedures throughout the network infrastructure. The NVA team should assess the organization's technical safeguards by network type (e.g., LANs and WANs), network connections (e.g., bridges, routers, and gateways), and platform (e.g., desktop systems, file servers, and application servers). The assessment of technical safeguards makes up the greater part of the NVA.
- When assessing the technical safeguards of the network infrastructure, the NVA team should consider the following:
- How is the network partitioned?
- How are desktop platforms secured?
- How are host systems and servers, as well as application servers, secured? Is the security commensurate with the trust level and risk?
- Are passwords and accounts shared? Are passwords managed securely?
- Are there unsecured user accounts in use (e.g., guest)?
- Is network management robust? Do network and system administrators have adequate experience and training to implement security correctly?
- What reporting mechanisms are used? Who reviews the reports?
- Are permissions set securely? How are permissions determined?
- Are administrators using the appropriate tools to perform their jobs?
- Is there a complete network diagram available? How current is it?
- How is access controlled?
- What network controls are being used?
- How is connectivity controlled?
- How is remote access controlled?
- Are critical systems protected with appropriate access controls?
- What vulnerabilities are inherent (known bugs) in the systems and applications in use?
- Have all systems and applications been brought up-to-date with appropriate patches and fixes (against known bugs and vulnerabilities)?
- Are critical systems adequately protected (e.g., are they backed up or replicated)? Are the backup media securely stored?
- What security auditing and assessing is being performed?
- How are backups scheduled and implemented?
- Is the data stored on laptops subject to more stringent security controls?

- Firewalls
- Assessing the security of a firewall begins with the organization's network security policy, which defines exactly what protocols are allowed to penetrate a security perimeter and under what conditions those penetrations are allowed. If such a policy does not exist, the NVA team should examine the internal infrastructure and its requirements and then report its determination of what this policy might be like and what it would need to contain.
- When assessing the security of an organization's firewall, the NVA team should consider the following:
- What protocols are allowed to go across the firewall, and under what conditions? Typically, a common rule is used, such as: everything not explicitly disallowed is allowed. However, industry experts and NIST Special Publication 800-41 "Guidelines on Firewalls and Firewall Policy" recommend using the opposite of this rule by explicitly identifying connectivity: everything not explicitly allowed is disallowed.
- Is the approach used appropriate, given the economics of the organization, administration requirements, security control requirements, and any other factors the company has specified?
- Are the firewall and its role sufficient for the task of securing the organization from outside penetration?
- What products are used to implement the firewall? Are the firewalls the most effective for this operating environment? Have the products been rigorously tested in this environment?
- How is the firewall administered? Are audit logs maintained and reviewed?
- What services are offered across the firewall? How can existing services be operated better? Are there other services that can be offered to meet corporate goals?
- What is the internal structure of the network? What is the network construction of the firewall? Where is it located in the network? How is the connection made and administered?
- What practices exist to apply patches as soon as they become available?
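The first firewall question above contrasts the common stance (everything not explicitly disallowed is allowed) with the one NIST SP 800-41 recommends (everything not explicitly allowed is disallowed). The following is an added example, not code from the checklist or NIST; it models a first-match rule base over protocol and destination port with a configurable default, and uses constructed rules and sample flows to show which services slip through under each stance.

```python
"""Added example (not part of the checklist): the two firewall default stances.

Assumption: a first-match rule list keyed on (protocol, destination port) and a
default decision taken when no rule matches, which is how most packet filters
behave. Rules, ports and flows below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    proto: str               # "tcp", "udp" or "any"
    dport: Optional[int]     # None means any destination port

    def matches(self, proto: str, dport: int) -> bool:
        return self.proto in ("any", proto) and self.dport in (None, dport)


@dataclass
class Policy:
    rules: List[Rule]
    default: str             # decision applied when no rule matches

    def decide(self, proto: str, dport: int) -> str:
        for r in self.rules:
            if r.matches(proto, dport):
                return r.action
        return self.default


# Identical explicit rules; only the default differs between the two policies.
RULES = [
    Rule("allow", "tcp", 443),   # HTTPS to the public web server
    Rule("allow", "tcp", 25),    # inbound mail
    Rule("deny", "tcp", 23),     # telnet explicitly blocked
]

DEFAULT_ALLOW = Policy(RULES, default="allow")   # "not explicitly disallowed is allowed"
DEFAULT_DENY = Policy(RULES, default="deny")     # "not explicitly allowed is disallowed"

# Constructed sample flows: two that the rules mention, two that nothing mentions.
TRAFFIC: List[Tuple[str, int]] = [("tcp", 443), ("tcp", 23), ("tcp", 3389), ("udp", 161)]


def compare(traffic=TRAFFIC):
    """Decision under each stance for every flow, keyed by (proto, dport)."""
    return {(p, d): (DEFAULT_ALLOW.decide(p, d), DEFAULT_DENY.decide(p, d))
            for p, d in traffic}


def unlisted_services(policy: Policy, traffic=TRAFFIC):
    """Flows permitted only because no rule mentions them: the services an
    assessor should ask the client to justify in its policy or block."""
    return [(p, d) for p, d in traffic
            if policy.decide(p, d) == "allow"
            and not any(r.matches(p, d) for r in policy.rules)]


if __name__ == "__main__":
    for flow, (open_stance, closed_stance) in compare().items():
        print(f"{flow!s:16s} default-allow: {open_stance:5s} default-deny: {closed_stance}")
    print("unjustified under default-allow:", unlisted_services(DEFAULT_ALLOW))
```

Both policies agree on HTTPS and telnet because rules cover them; the remote desktop and SNMP flows are the gap. Under default-deny the list of permitted services is exactly the rule base, which is what makes it auditable against the written network security policy the section says the assessment should start from.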

Attachments:
- complete-network-vulnerability-assessment-process-step-by-step.pdf (59.21 KB)
- complete-network-vulnerability-assessment-process-step-by-step.jpg (57.91 KB)
- complete-network-vulnerability-assessment-process-step-by-step.xls (56.5 KB)
