Security Assessment Case Studies for Implementing the NSA IAM, part 9


Vulnerability Classification

Deciding on the level of threat to or vulnerability of a customer is a somewhat subjective process. This is another place in the IAM process where the assessors' INFOSEC experience is critical. Whether the vulnerability is a High, Medium, or Low depends greatly on the overall risk the vulnerability creates for the organization. For example, if a vulnerability exists but there is no threat of exploitation of that vulnerability, the overall risk is Low. If a vulnerability exists, a threat exists to exploit that vulnerability, and it is on a critical system, a High level rating should be considered for the finding. Other designations may be considered depending on the criticality of the systems, the likelihood and ease of exploiting the vulnerability, and the type of threat involved. All the information gathered in the organizational information and system criticality processes ties directly to the overall risk factor determination for the organization.

Positive Findings

Not every finding during an assessment has to involve a negative vulnerability. The assessment team should identify good security practices in addition to the negative vulnerabilities, to give the customer a sense of what they are currently doing correctly. This gives the customer a sense that they at least have some foundation on which to build their security program. If you present only negative findings, the customer will possibly develop a negative attitude toward any suggestions you make. Here are examples of acceptable and unacceptable positive findings:

■ Acceptable positive finding: Customer ABC has demonstrated a resolve to provide a secure work environment through the use of a managed firewall and intrusion detection systems that provide quick reporting of anomalies to the security administrator. The security administrator responds to the notification within two hours unless a higher priority is placed on the identified incident.
■ Unacceptable positive finding: The customer break room has excellent coffee.

www.syngress.com 342 Chapter 10 • Final Reporting 286_NSA_IAM_10.qxd 12/16/03 12:59 PM Page 342

Negative Findings

The reality of the assessment process is that most findings will be negative in nature. This is because the purpose of the assessment is to identify vulnerabilities and make recommendations to improve an organization's security posture. Findings and associated discussion should be clear on the finding's impact on the customer. Common negative findings often seen during assessments are managerial, technical, or operations related.

Common Managerial-Related Findings

The common vulnerabilities seen from a managerial perspective include, but are certainly not limited to, the following:

■ Lack of a comprehensive security policy
■ Lack of or out-of-date disaster recovery or business continuity plan
■ Lack of policy enforcement by the organization's staff
■ Lack of senior management support for the security program
■ No defined roles and responsibilities for staff
■ No configuration management process
■ Security not a member of the configuration control board (CCB)

Common Technical-Related Findings

The common vulnerabilities seen from a technical perspective include, but are certainly not limited to, the following:

■ Network architecture not secure
■ Firewalls improperly configured
■ No intrusion detection/intrusion prevention implemented
■ No redundancy on critical components

Common Operations-Related Findings

The common vulnerabilities seen from an operational perspective include, but are certainly not limited to, the following:

■ No effective security training and awareness program in place
■ No initial security training on new hires
■ No background checks conducted on new hires
■ Critical systems not physically secured
■ Limited challenge of unbadged personnel
■ No identification required to be displayed when on site

Negative Finding Examples

The following are good and bad examples of negative findings, giving consideration to the usefulness and level of detail of the finding:

■ Acceptable negative finding: The firewall configurations for customer ABC should be reexamined to address the need for separation of network access to the various departments of ABC. The areas ABC should consider separating are the Research and Development Lab, Human Resources, and the Technology Training Room. This separation, along with good firewall rules, will help reduce the visibility of critical areas of the network.
■ Unacceptable negative finding: Firewalls need to be reconfigured to provide better security.

Multiple Recommendations for Each Finding

Providing a customer with multiple recommendations to mitigate a vulnerability allows them to choose the level of protection and cost point for each vulnerability. The assessment team cannot determine the final constraints on a customer, especially when it comes to cost and politics. If you provide multiple recommendations to mitigate a single vulnerability, the customer can select the level of solution they want to implement. Providing multiple levels of recommendations also gives the customer a sense that they have some control over the security that will be implemented and the risk management process that ensues. If the assessment team only provides the perceived "best" solution, the customer may not be able to implement the solution due to cost or other constraints that impact the organization. There may also be times when there is only one solution available, and this should be indicated in the final report.
Creating and Formatting the Final Report

Everybody (well, maybe not everybody) hates documentation, but it is a critical part of the assessment process. The final report presents the customer with the formal documented results that are needed to show due diligence and their progress in implementing their security program. The final report provides the means to convey all findings, document the process, and provide a road map for improving security. A well-organized final report provides the best way to present the assessment results.

From the Trenches… Yugo, Ford, and Cadillac

Anyone who has taken a Security Horizon IAM Training Course will remember the references to the Yugo, the Ford, and the Cadillac recommendations for mitigating vulnerabilities for a customer. This presentation provides a customer with options for implementation. The following are general definitions for each level:

■ Yugo: The low-end, low-cost solution that can be implemented quickly and/or with minimal cost to provide a client with some level of protection. Sometimes referred to as the "Band-Aid" solution.
■ Ford: The mid-level, mid-cost solution that requires more planning and implementation than a Yugo solution but will provide a greater level of protection against threats to an existing vulnerability.
■ Cadillac: The top-of-the-line solution that will provide the greatest level of protection for the customer, but often at a high cost and/or high administration requirement to implement.

TERMINOLOGY ALERT

Due diligence is the process an organization goes through to ensure that they are taking the appropriate and necessary steps to protect the assets of the company or organization.
From a security perspective, due diligence involves taking the necessary steps to protect the operations and information from electronic theft, destruction, or alteration. When a company is sued over a security incident, the courts look at whether that company took reasonable responsibility and steps to protect the resources from known threats through identifying and mitigating vulnerabilities.

In creating the final report, your primary purpose is to create a formal document that provides details about the entire assessment process. It identifies the purpose of the assessment, the process used to conduct the assessment, the identification of critical information, the identification of critical systems and system configuration, the identification of vulnerabilities, and recommendations to improve the organization's security posture. The final report also takes care of contractual requirements for documenting the assessment and its results. NSA provides a recommended format for the final report; however, there is flexibility in how the final report is presented. The NSA outline incorporates a good set of minimum requirements to include in the final report. Let's look at those requirements.

Executive Summary

The executive summary serves as a high-level introduction to the assessment results. It should be clear that the executive summary will not be at the level of detail of the final report. However, the executive summary is intended to stand alone as a summary of the assessment, readable by the customer's management staff.
Executive Summary Content

The executive summary is meant to be a quick summary of the assessment and its findings. There should be enough information that it makes sense, but it should be short enough that an executive can read it in 5 minutes or less to understand the results. The executive summary should include the following types of information:

■ A brief description of the customer, mission, organizational structure, and number of employees.
■ A brief description of the assessment process and the purpose of the assessment. Include the dates of the assessment. This might be a good place to reiterate that the assessment was not an inspection, audit, certification, or risk analysis.
■ A statement about why the customer requested the assessment to be performed.
■ A statement that implementation of any recommendations contained in the final report is strictly voluntary on the part of the customer's management.
■ A brief description of the system or systems that were assessed, including the sensitivity of the information.
■ Major findings and recommendations found during the assessment. Detail will be included in the INFOSEC analysis section of the main final report document.
■ Highlight support provided and positive aspects of the customer's organization.

NOTE

The executive summary should be used to reiterate major findings, highlight the significant vulnerabilities identified, and highlight actions the customer is already taking to mitigate those vulnerabilities.

Introduction

The Introduction section should contain a detailed description and overview of the assessment. This information is more detailed than the executive summary and is intended to give the reader a complete picture of the assessment process and the scope of the assessment.
It should include the following elements:

■ Information about the customer and the assessment company
■ A description of the assessment process
■ The purpose of the assessment

Customer and Assessment Company Information

The Introduction should include information about the mission and operations of the customer being assessed. This information includes company name, operating locations of the customer, operating locations covered by the assessment, number of employees, and so forth. The information should be complete enough to show why the customer is in business and has the organization and systems they do for operations.

It is also good to highlight who conducted the assessment and the expertise of the assessment team so that readers know the assessment was accomplished by a professional security company. For example, highlighting that the assessment team is trained in the NSA IAM and holds other credentials, along with the types and number of assessments previously conducted, will provide a sense of credibility to the customer as well as identifying the benefit of the IAM assessment to the customer.

Assessment Process Description

The Introduction should include a description of the process used to conduct the assessment. In our case, we describe the NSA IAM as the methodology used to conduct the assessment and the basis for the assessment process. Since this is the main document, the assessment team can go into detail about the process used. These standard descriptions of the IAM process can be used with minor variations in future IAMs.

Important note: The IAM is a detailed and systematic way of examining cyber vulnerabilities and was developed by experienced NSA and commercial INFOSEC assessors.
NSA provided the IAM to assist both INFOSEC assessment suppliers and consumers requiring assessments with a framework for conducting effective organizational security assessments. The IAM assessment provides organizations with a comprehensive overview of their security posture for purposes of implementing security countermeasures and improving their organizations' overall security. In addition to assisting the governmental and private sectors, an important result of supplying baseline standards for INFOSEC assessments is fostering a commitment to improve organizations' security postures.

Purpose of the Assessment

The Introduction should include a description of the reason that the customer requested the assessment and the identified usage of the assessment results. This again is a good place to identify that the assessment was not an inspection, audit, or certification. We also recommend that you identify how the assessment process met the customer's goals for the assessment.

System Description

The System Description section should actually be a combination of information about the organization's critical information and critical systems along with an actual description of the customer's system(s). In this section, you should include the following elements:

■ The importance of the customer mission
■ Identified critical information
■ Identified critical system information
■ A verbal description of the system being assessed
■ System diagrams

The Customer's Mission Is Important

The System Description section should include discussion of the importance of the customer's mission and the services or products the customer provides. This information is important to gain an understanding of why the customer's critical information is critical and why their critical systems are critical.
Information Criticality

The System Description section should include a list of identified critical information, the associated impact definitions, and the information criticality matrix. Detailed discussion should include information that will help the customer understand what the information means. (Information criticality is discussed in detail in Chapter 3 of this book.)

WARNING

The final report writers need to remember that the IAM results will be reviewed at a future date, and they should include enough detail in the description so that it can be understood by anyone reading the report. Don't assume that the matrix will be understood without a description.

System Criticality

Carry forward the system criticality information described in detail in Chapter 4 of this book. The writer should be able to refer to the definitions and critical information elements described previously so that duplication is limited. It may be useful to describe why the subset of systems was selected and the overall usage of each system.

Actual System Description

A detailed description of the system or network is needed, including the configuration of the system/network, number of workstations, number of servers, the types of hardware platforms, software and applications being utilized on the systems, and the types of services (FTP, Telnet, and so forth) that are in use. Also include in the description any firewalls, IDSs, and VPNs in use.

WARNING

Don't forget interconnections with third parties, connectivity, modem connections, wireless communications and networking, and so forth. Be as detailed as possible in this section to give the reader the greatest understanding of the configuration.

A Picture Is Worth a Thousand Words

It seems cliché, but it is true—a picture is worth a thousand words.
For our purposes, a system diagram goes a long way toward providing a better and clearer understanding of the system configuration. Be sure to identify whether the diagram was created by the customer or by the assessment team. This is important, because a diagram created by the assessment team is an understanding of the network, whereas one created by the customer should be indisputably accurate.

INFOSEC Analysis

The INFOSEC Analysis section identifies the organization's security posture by identifying vulnerabilities and the impact of those vulnerabilities on the organization. There is flexibility in how the vulnerabilities are presented to the customer in the final report. Two commonly used options are:

■ Specifically use the 18 Baseline INFOSEC Classes and Categories, as discussed in Chapter 7 of this book.
■ Organize the vulnerabilities by their impact to the customer, typically as High, Medium, or Low, while still noting from which of the INFOSEC Classes and Categories the finding is derived.

NOTE

Either way of listing the vulnerabilities is acceptable. You may even find a better way to list them. In any case, the vulnerability listings must make some logical sense. The downside of using the topic areas as the primary listing method is the fact that many findings cross over multiple topic areas. If you organize them by impact and then list the topic areas from which the vulnerability came, the customer can already see the prioritization of the areas that need to be addressed. A single vulnerability can address more than one topic area.

Topic Areas

The topic areas that are to be addressed in the final report include the 18 Baseline INFOSEC Classes and Categories, discussed in Chapter 7, and any agreed-on changes discussed with and approved by the customer. Table 10.1 provides a recap of the 18 Baseline INFOSEC Classes and Categories.
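The chapter's vulnerability classification rule (Vulnerability Classification, above) and its second presentation option for the INFOSEC Analysis section (group by High/Medium/Low impact while noting the INFOSEC category) can be put together in a small report-building script. The following is an added example, not code from the book or from Security Horizon; the findings, category labels and the choice to rate "threat present, system not critical" as Medium are constructed assumptions for illustration, and the checks at the end enforce the chapter's advice that every finding carry multiple recommendations unless the report states that only one solution exists.

```python
from dataclasses import dataclass, field

HIGH, MEDIUM, LOW = "High", "Medium", "Low"


@dataclass
class Finding:
    """One negative finding as it would appear in the INFOSEC Analysis section."""
    title: str
    categories: list              # INFOSEC classes/categories the finding is derived from
    threat_exists: bool           # is there a realistic threat of exploitation?
    critical_system: bool         # does the weakness sit on a system rated critical?
    recommendations: list = field(default_factory=list)  # Yugo / Ford / Cadillac options
    single_solution: bool = False  # set when only one mitigation exists (report must say so)


def rate_finding(f):
    """Chapter rule of thumb: no threat -> Low; threat on a critical system -> High.
    Rating 'threat, but non-critical system' as Medium is this example's assumption."""
    if not f.threat_exists:
        return LOW
    return HIGH if f.critical_system else MEDIUM


def analysis_by_impact(findings):
    """Group findings High -> Medium -> Low (the chapter's second presentation option)."""
    groups = {level: [] for level in (HIGH, MEDIUM, LOW)}
    for f in findings:
        groups[rate_finding(f)].append(f)
    return groups


def report_problems(findings):
    """Checks the chapter asks for: category noted, and options unless single-solution."""
    problems = []
    for f in findings:
        if not f.categories:
            problems.append(f"{f.title}: no INFOSEC class/category noted")
        if len(f.recommendations) < 2 and not f.single_solution:
            problems.append(f"{f.title}: only {len(f.recommendations)} recommendation(s); "
                            "add options or state that only one solution exists")
    return problems


def render_analysis(findings):
    """Plain-text INFOSEC Analysis section: by impact, each finding tagged by category."""
    lines = []
    for level, group in analysis_by_impact(findings).items():
        lines.append(f"{level} impact ({len(group)})")
        for f in group:
            lines.append(f"  - {f.title} [{', '.join(f.categories)}]")
            lines.extend(f"      * {r}" for r in f.recommendations)
    return "\n".join(lines)


# Constructed sample findings (not from any real assessment); category labels are illustrative.
SAMPLE = [
    Finding("Firewall rules do not separate the R&D lab, HR, and the training room",
            ["Networking/Connectivity"], threat_exists=True, critical_system=True,
            recommendations=["Yugo: tighten existing rules to block lab-to-HR traffic",
                             "Ford: per-department VLANs with ACLs on the core switch",
                             "Cadillac: dedicated internal firewall segments with IDS"]),
    Finding("No initial security training for new hires",
            ["Education, Training and Awareness"], threat_exists=True, critical_system=False,
            recommendations=["Ford: recurring awareness course with tracked completion"]),
    Finding("Telnet enabled on an isolated test LAN with no external connectivity",
            ["Session Controls"], threat_exists=False, critical_system=False,
            recommendations=["Disable Telnet and use SSH"], single_solution=True),
]
```

Running `report_problems(SAMPLE)` flags the training finding, which offers one option without being marked as a single-solution case; `render_analysis(SAMPLE)` emits the section with the High group first.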
[...]

Recommendations for Improving Security Posture

The Recommendations section is a detailed description of the recommendations for the customer to improve their security posture for that specific finding. Hopefully, the assessment team is able to identify multiple recommendations for each finding to provide the customer with options for improving their security posture. [...]

[...] debate in the security world. Should sensitive customer information be held by the assessing agency, even if the customer requests these services? Information from IAM assessments should be considered proprietary due to the sensitive nature of the information. The NSA IAM course does not go into the details of document retention but instead simply states that all documents used during the IAM assessment [...]

[...] information security assessment was conducted, at the request of IISP, to document the current state of security (the security posture) in the IISP responsible networks, to give a basis for addressing vulnerabilities, and to gain SLT visibility into the information security issues that are affecting the IISP environment. The assessment was conducted from May 1–June 28, 2002. The assessment was an analysis of the [...]

[...] drive (or should drive) the security program for the customer. At times this information was unknown to the customer at the beginning of the assessment process. As the assessment progressed, the assessment team and the customer both became aware of standards and regulations that impacted the organization's security posture. These can include any standards or regulations that govern the organization or industry [...]

[...] organization's security posture. The final report is the key deliverable for the entire process. The report should include detailed information about the assessment process, the purpose of the assessment, information criticality, system information and criticality, actual detail about vulnerabilities, positive findings, and an overall determination of the customer's security posture. As a formal document, [...]

[...] of risk does the customer have the most control over?

A: Vulnerabilities. The customer has very little control over the threats and the impact to the organization, but they can do things to mitigate the vulnerabilities and therefore reduce the risk.

Q: Why are positive findings important to identify? I thought the purpose of the assessment was to find vulnerabilities.

A: The purpose of the assessment is [...]

[...] understanding the results. If the assessment team has been working the IAM process correctly, there should have been no surprises to the customer. When a report is rejected, it's likely that it was not in the right format or a new player got involved who did not understand why the assessment was conducted and the benefit the assessment will provide to the customer. Once you understand the reason behind the rejection, [...]

[...] current state of security with the goal of improving security within the IISP environment. It was not an inspection, certification, or risk analysis. Security Horizon utilized the National Security Agency (NSA) Information Security Assessment Methodology (IAM) to conduct the organizational portion of the assessment. Security Horizon utilized its extensive commercial and government experience and formal processes [...]

[...] recommendations for the customer to consider implementing. Begin the analysis process as soon as you return from the onsite visit. The longer the assessment team waits to begin analysis, the more that can be forgotten. Taking the steps to prepare for conducting analysis helps get the assessment team focused on the required tasks and assists in providing an organized environment in which to work. These efforts include [...]

[...] still has a major impact on the organization's ability to address the issues related to security. Security Horizon would like to thank all the IISP staff for their support and openness during the assessment process. Their openness and insight were critical to helping Security Horizon gain the information needed to complete the assessment. We would also like to thank Susie Shell for her assistance in locating [...]

Posted: 13/08/2014, 15:21
