Why have a Network Security Audit (NSA)?
In this age of distributed computing and of client-server and Internet-enabled information access, computer security consistently rises to the top of most “important issues” lists. How secure your own network actually is remains a difficult question to answer, because it depends on your organization’s ability to manage the proliferation of company systems and the interactions between them.
Many times, more systems and/or more interconnections (access) are added to your network without fully testing how these additions might compromise overall system security. Each such addition can be an entry point for the enemy. To answer this question properly, you will need to have a comprehensive network security audit performed.
NSA Overview
To get the best overall picture of a network, security must be assessed from several points of view. These perspectives range from the physical security of systems, to the configuration of the firewalls, to the trustworthiness of workers. Industrial espionage has a long history in the physical world, and numerous practices have been developed to handle this traditional portion of security problems. Network-based industrial espionage has only a brief history, and its security assessment practices are correspondingly less developed.
The security profile of a network of systems can be assessed from three principal vantage points.
- From outside the Enterprise - the view of the systems infrastructure through the firewall.
- From inside the Enterprise - the view of systems from behind the firewall.
- From the Host - the view from the actual operating system of the individual servers and workstations.
Each of these perspectives will reveal unique security vulnerabilities. Removing the vulnerabilities as seen from outside the enterprise is the first step to halt the efforts of the casual hacker in the industrial espionage age. Removing the vulnerabilities as they appear from behind the firewall accomplishes two goals. It creates a second line of defense should the firewall become compromised. It also creates a defense for the “blitzkrieg” attack around the firewall through a modem or other non-protected entryway. Finally, evaluating security from the systems themselves will close vulnerabilities that could be exploited through a firewall or from other systems on the network. It also hardens the security of the network, restricting the avenues of attack for the disgruntled employee or contractor.
The Perimeter
The above-mentioned vantage points are what CCI refers to as the Perimeter. To further delineate the perimeter, the following specifies the target areas of the NSA.
Firewall
Many enterprises erect a firewall as the first and often only line of defense for their information systems. A firewall is a device that controls the flow of communication between internal networks and external networks, such as the Internet.
Many corporations assume that, once they have installed a firewall, they have reduced all their network security risks.
A firewall must be configured to allow appropriate traffic and to deny or restrict inappropriate traffic. The configuration process can be highly susceptible to human error. In a dynamically changing environment, system managers routinely reconfigure firewalls without regard to security implications. Access control lists on a firewall can be numerous and confusing. You must be sure that the firewall has been set up correctly and that it is performing well.
Hosts (Servers)
Servers, in many cases, are a company’s crown jewel. While threats to and misuse of network segments and expensive communication links are high in the food chain of security, servers contain a company’s most valuable asset. Attacks on these servers can result in theft of intellectual property, loss of revenue, and an astronomical recovery cost.
Network Segments
Sometimes, it's what we don’t know that can hurt us. At any given time there could be hostile content moving about our network segments. We work toward a lockdown of our servers and gateways, but if we overlook the wire itself, then we have lost the war. Examples of this are a disgruntled employee who launches an attack against corporate mission-critical servers, or an enterprising employee who sets up a self-profiting website on a server of his own or, even worse, on one of the corporate production machines. While all segments in a large enterprise network are vulnerable, history has shown that the largest amount of hostile activity has been focused on the network segments surrounding the firewall and where the production servers reside.
CCI Reporting System
Combines data from various “best of class” security tools into one database, producing meaningful “high level” reports that management can use to better understand the vulnerabilities within their information enterprise.
The Detail Reports create a “scope of work” for the IT staff or outside firm to address vulnerabilities on the network.
Information Testing Protection
The host-based and network-based auditing tools used by CCI do not affect or remove any enterprise data. Information is collected about the state of systems and networks designated in the scope of an audit. Resources are enumerated, and vulnerabilities are revealed and reported on, but no systems will be actively exploited.
All information will be maintained on the CCI collector server in an encrypted format. Delivery of the final security document, which will contain information about compromised system information and vulnerabilities, will be restricted to pre-designated company officers.
Scanning methodology:
CCI uses an assortment of progressive scanning technologies. These technologies correlate vulnerability information and use information from one part of the scan to search deeper for weaknesses in the network, allowing information obtained from one break-in technique to be used by another. This provides an “exterior”, unprivileged network assessment view, essentially reporting security weaknesses that may be visible to hackers. All possible TCP and UDP ports (1 – 65,536) are scanned quickly (hundreds of ports on each system of a class-C network per hour) for improved performance and execution time. Each network is automatically enumerated and scanned for over 450 individual vulnerabilities. The scan is conducted as follows:
1. Identify network resources, including computer names, IP addresses, alias information, operating system, version, etc.
2. Look for problems that are simple to detect, using a selective scan for services known to have vulnerabilities, such as SMTP.
3. Perform a complete TCP and UDP port scan and look for a broad range of vulnerabilities in common service protocols, such as NIS, HTTP, FTP, NFS, SMB, IRC, SMTP, SNMP, BIND, etc.
4. Check for vulnerable Windows registry keys.
5. Use the system and services information to exploit high-risk vulnerabilities.
6. Crack passwords.
7. Attempt to log in to systems with privileged-level access.
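As an added example (not CCI's scanner or reporting system), a detector in Python for the full-range port scan described above, run over constructed firewall log lines: it flags a source that touches 100 or more distinct ports on one host within an hour, the rate at which the scan runs. The log format, the sample lines and the threshold are assumptions.

```python
"""Port-sweep detector: flags a source that touches many distinct ports on one
host within an hour. Added example, not CCI's tooling; the log format and the
sample lines below are constructed."""
import re
from collections import Counter, defaultdict

# Constructed log format: "<epoch> <ACCEPT|DROP> <src> -> <dst>:<port>/<proto>"
LINE_RE = re.compile(r"^(\d+) (ACCEPT|DROP) (\S+) -> (\S+):(\d+)/(tcp|udp)$")

def parse(line):
    """Return (ts, src, dst, (proto, port)) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, _action, src, dst, port, proto = m.groups()
    return int(ts), src, dst, (proto, int(port))

def detect_sweeps(lines, window_s=3600, threshold=100):
    """Sliding window per (src, dst): report pairs whose distinct (proto, port)
    count reaches `threshold` within any `window_s` seconds."""
    events = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            ts, src, dst, key = rec
            events[(src, dst)].append((ts, key))
    hits = []
    for (src, dst), evs in events.items():
        evs.sort()
        seen, lo = Counter(), 0
        for ts, key in evs:
            seen[key] += 1
            while evs[lo][0] < ts - window_s:      # drop events older than the window
                seen[evs[lo][1]] -= 1
                if seen[evs[lo][1]] == 0:
                    del seen[evs[lo][1]]
                lo += 1
            if len(seen) >= threshold:
                hits.append((src, dst, len(seen)))
                break
    return sorted(hits)

# Constructed sample: one source sweeps 120 TCP ports on 10.0.1.5 in 30 minutes;
# a normal client touches three ports on the same host over the same period.
SAMPLE_LOG = [f"{1700000000 + 15 * i} DROP 198.51.100.7 -> 10.0.1.5:{1 + i}/tcp"
              for i in range(120)]
SAMPLE_LOG += [f"{1700000100 + 600 * i} ACCEPT 10.0.2.20 -> 10.0.1.5:{p}/tcp"
               for i, p in enumerate((80, 443, 22))]
SAMPLE_LOG.append("garbage line that the parser must skip")
```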
CCI will utilize host-based and remote Vulnerability Assessment tools that proactively identify security vulnerabilities before they are exploited. A host-based assessment means deeper, more accurate scans, high efficiency, and minimal false positives. It permits the systematic planning, management, and control of your security policy and risks from a single location.
These tools report security compliance from an enterprise-wide view down to individual security settings. The agents installed on each host utilize encrypted communications and databases. This design protects enterprise data from being compromised during or after an audit. During an actual policy run, the agent and associated processes run at the lowest possible execution priority, avoiding interference with other running applications or services.
Our security audit tools support most operating systems and integrate easily into your existing security applications and processes.
By having an agent on the machines to be assessed, CCI is able to review settings that cannot be reviewed from a network scan, such as patch levels and policy settings for password aging, and only reports back the items that fail or are not compliant with the checks that are performed. This greatly reduces network traffic.
Security vulnerabilities assessed include:
- Weak passwords
- Unauthorized privileges
- Improper changes to security settings or files
- Incorrect file access
- Out of date patch levels
- Incorrect system configuration
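An added example (not CCI's agent or its policy) of the policy-based host check described here and in the Host (Server) OS Assessment step below: a constructed host snapshot is compared against a constructed policy and only the failing items are reported, one per vulnerability class in the list above. The patch names, file paths and policy values are assumptions.

```python
"""Policy-based host check that reports only the items that fail. Added example,
not CCI's agent; the snapshot, policy and KB-HYPOTHETICAL patch names are constructed."""
import hashlib

def sha(data):
    return hashlib.sha256(data).hexdigest()

# Constructed snapshot of one host, as an agent might collect it locally
HOST = {
    "patches": {"KB-HYPOTHETICAL-001", "KB-HYPOTHETICAL-002"},
    "password_policy": {"max_age_days": 180, "min_length": 6},
    "files": {
        "/etc/passwd": {"mode": 0o644, "sha256": sha(b"root:x:0:0\nextra:x:0:0\n")},
        "/etc/shadow": {"mode": 0o644, "sha256": sha(b"root:!:19000::::::\n")},
    },
    "admins": {"root", "backup-svc", "jdoe"},
}
# Constructed policy: the checks every host of this platform must pass
POLICY = {
    "required_patches": {"KB-HYPOTHETICAL-001", "KB-HYPOTHETICAL-002", "KB-HYPOTHETICAL-003"},
    "max_password_age_days": 90,
    "min_password_length": 8,
    "file_modes": {"/etc/passwd": 0o644, "/etc/shadow": 0o600},
    "file_baselines": {"/etc/passwd": sha(b"root:x:0:0\n")},  # approved content hash
    "allowed_admins": {"root", "backup-svc"},
}

def check_host(host, policy):
    """Return only non-compliant items as (category, detail) pairs; compliant
    checks produce nothing, so the report stays small."""
    fails = []
    for p in sorted(policy["required_patches"] - host["patches"]):
        fails.append(("patch level", f"missing {p}"))
    pw = host["password_policy"]
    if pw["max_age_days"] > policy["max_password_age_days"]:
        fails.append(("password aging", f"max age {pw['max_age_days']}d exceeds {policy['max_password_age_days']}d"))
    if pw["min_length"] < policy["min_password_length"]:
        fails.append(("weak passwords", f"min length {pw['min_length']} below {policy['min_password_length']}"))
    for path, allowed in policy["file_modes"].items():
        actual = host["files"][path]["mode"]
        if actual & ~allowed:  # any permission bit set that the policy does not allow
            fails.append(("file access", f"{path} mode {actual:o} wider than {allowed:o}"))
    for path, digest in policy["file_baselines"].items():
        if host["files"][path]["sha256"] != digest:
            fails.append(("changed file", f"{path} differs from approved baseline"))
    for user in sorted(host["admins"] - policy["allowed_admins"]):
        fails.append(("unauthorized privileges", f"{user} has admin rights"))
    return fails
```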
Summary
CCI has defined the perimeter as three target areas: Firewall, Hosts and Network Segments surrounding the firewall. With the high cost of consulting engagements and the plethora of security assessment offerings on the horizon, companies are faced with the daunting task of choosing the right partner to assist in addressing their security needs.
CCI has simplified the process by narrowing the focus to the highest risk areas within the network.
The following solutions are incorporated in an NSA, with more detailed information available in the subsequent Preliminary Scope of Work:
Benefits
- Independent, cost-effective and system-based assessment, completed in weeks, not months.
- Utilizes “best of class” vulnerability assessment tools.
- Shows due diligence to senior management, customers and investors.
- Reduces exposure to information theft and abuse.
- Confirms vulnerability status of the network.
- Encourages maintenance of security standards.
1. Detailed Q&A with customer’s IT staff
In order to successfully complete the discovery and analysis, CCI will require the customer’s IT staff to complete several questionnaires and technical forms that will greatly assist CCI during the discovery phase.
2. Firewall Configuration Analysis
The CCI Security Engineer (SE) will arrive onsite and meet with the security administrator. An interview with this customer resource will reveal the router configuration and the current firewall configuration and rule-base. This will be documented by the SE and entered into our automated data collection system for presentation in the final report. A detailed diagram of the network segments surrounding the firewall will be produced from this information.
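An added example (not CCI's data collection system) of the rule-base review this step and the Firewall section above describe: a small analyzer over a constructed rule format that flags permit any-to-any rules and rules shadowed by an earlier rule, the two classes of error that numerous, confusing access lists hide. The Rule fields and the sample rules are assumptions.

```python
"""Rule-base review: flags permit any-to-any rules and rules shadowed by an earlier
rule (first match wins, so a shadowed rule never fires). Added example, not CCI's
tooling; the rule format and sample rules are constructed."""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str  # "permit" or "deny"
    src: str     # CIDR or "any"
    dst: str     # CIDR or "any"
    proto: str   # "tcp", "udp" or "any"
    port: str    # destination port "443", range "1024-65535", or "any"

def _net(cidr):
    return ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr, strict=False)

def _ports(spec):
    lo, _, hi = ("0-65535" if spec == "any" else spec).partition("-")
    return int(lo), int(hi or lo)

def covers(outer, inner):
    """True if every packet matched by `inner` is also matched by `outer`."""
    if outer.proto != "any" and outer.proto != inner.proto:
        return False
    if not (_net(inner.src).subnet_of(_net(outer.src))
            and _net(inner.dst).subnet_of(_net(outer.dst))):
        return False
    (olo, ohi), (ilo, ihi) = _ports(outer.port), _ports(inner.port)
    return olo <= ilo and ihi <= ohi

def analyze(rules):
    """Return (rule_index, finding) pairs for the firewall configuration report."""
    findings = []
    for i, rule in enumerate(rules):
        if rule.action == "permit" and rule.src == rule.dst == rule.port == "any":
            findings.append((i, "permit any-to-any: overly permissive"))
        for j in range(i):
            if covers(rules[j], rule):
                findings.append((i, f"shadowed by rule {j}: never matches"))
                break
    return findings
# Constructed sample rule-base, evaluated top-down
SAMPLE_RULES = [
    Rule("permit", "any", "10.0.1.0/24", "tcp", "443"),
    Rule("deny", "192.168.5.0/24", "10.0.1.0/24", "tcp", "443"),  # hidden by rule 0
    Rule("permit", "any", "any", "any", "any"),                   # catch-all permit
    Rule("deny", "any", "10.0.2.10/32", "tcp", "22"),             # hidden by rule 2
]
```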
3. Penetration Test
Vulnerability assessment through firewall to specific targets
The SE will perform a vulnerability assessment through the firewall from multiple vantage points. This process will target specific segments and look for violations of both access and denial policy. The exam will include, but not be limited to, snooping, scanning and password cracking attempts against machines sitting in all zones surrounding the firewall. In addition, this exam will attempt to enumerate operating system versions and patch levels, applications and services, users and connections. CCI will introduce assessment software into the Customer’s data center and attach to the corporate network in order to perform the scans.
4. Host (Server) OS Assessment
The SE will establish a working set (group of servers) for which assessments are to be performed. Once the working set has been selected, the SE will perform a vulnerability assessment on each of the servers in the working set. This examination is prepared using a policy-based approach. The policy is a set of platform-specific checks covering approximately 1500 known and unknown vulnerabilities within the OS. CCI will conduct audits on the hosts selected by the customer:
5. Vulnerability assessment of private network – selected segments
The SE will perform a vulnerability assessment on specific internal segments and will look for violations of both access and denial policy. The exam will include, but not be limited to, snooping, scanning and password cracking attempts against machines sitting in all zones surrounding the firewall. In addition, this exam will attempt to enumerate operating system versions and patch levels, applications and services, users and connections.
Assumptions
The discovery, assessment and reporting phases of the project are estimated to take approximately three weeks. It is assumed that:
- Customer will make space available for the SSE and associated equipment.
- Individual audits will be scheduled at the convenience of Customer IT management.
- Customer will make internal resources available to work with CCI as necessary to perform the audit.
NSA Deliverable and Presentation
When all audits have been completed, CCI will remove the collection tools from the Customer data center. The collected data will then be analyzed and assembled into the final report. The full NSA includes:
- NSA Definition
- Scope of Work
- Executive Overview with Graphical Reports
- Penetration Test Detail Reports
- Host (Server) OS Assessment Detail Reports
- Private Segment Scan Detail
- Executive summary overview report with recommendations
Conclusion
The security of your information enterprise is an ongoing effort. Performing the NSA is just the first step.
Our methodology is designed to identify a strategy that addresses a responsible approach to maintaining the integrity of your Security Enterprise.
The following steps are recommended best practices:
1. Perform NSA and present documented security vulnerabilities and recommended solutions.
2. Within 10 days following the NSA presentation, CCI leads a Project Planning meeting to determine the timeline for implementing solutions to address vulnerabilities.
3. Within 45 days of the NSA presentation, CCI meets with IT staff to determine the status of the implementation plan.
4. Schedule NSA to re-audit the environment within 90 days of the first NSA.
5. Perform NSA to determine the success of the implementation effort within 90 days of the first NSA.
6. Present NSA and document progress of the security effort.
7. Repeat 2 through 5 above at defined intervals (at least annually).
Estimation of labor:
According to the current information provided to us by the client, we can calculate the approximate man-hours it will take to complete the NSA project (site visit, local/remote discovery, analysis, report preparation with recommendations, final consultation and review of findings with client). The actual total time will vary, depending on the accuracy and depth of the information provided to us by the customer’s IT staff, as well as the level of access granted to the entire network infrastructure. All labor rates will be billed according to the customer’s current service plan or prepaid block time (BT) plan.
Agreement:
In order to complete this network security audit in the most timely and effective manner, the customer must agree to, and authorize, Courtesy Computers' full access to all necessary members of the customer's staff, vendors, network, documentation, software, licensing data, and ancillaries associated with their network infrastructure. Courtesy Computers, Inc. will abide by a confidentiality agreement regarding the customer’s private information.