Everything You Need to Know About a Network Security Assessment!

Apr 13, 2011, 08:31

Jeff Guindon


A network security assessment is a comprehensive analysis of an organization’s computing infrastructure performed by an IT security specialist to locate vulnerabilities and risks. In order to conduct a proper assessment, a diverse set of scanning tools and common techniques are used to gather information about operating systems, applications and network devices. The security specialist assigned to the assessment performs a scheduled attack upon the designated organization, attempting to attain administrative control of servers and other devices without being detected.

The objective of a network security assessment is to expose vulnerabilities and determine the organization’s overall security rating. Within the security rating matrix, there are five ratings that can be attributed to an organization’s overall security posture. A high-risk rating exposes serious vulnerabilities that are easily exploitable and significant deficiencies in design, implementation or management. A medium-high risk rating exposes vulnerabilities with a moderate likelihood of being exploited, and multiple deficiencies in design, implementation or management. A moderate risk rating exposes vulnerabilities with a moderate likelihood of being exploited and at least one deficiency in design, implementation or management. An elevated risk rating exposes vulnerabilities with a low likelihood of exploitation, and minor deficiencies in design, implementation or management. A low-risk rating determines that no vulnerabilities or deficiencies in design, implementation or management were found and that all patches and service packs were applied properly.

The assessment focuses on several key areas; I will briefly define each of the 19 components.

A physical security review focuses primarily on IT assets such as server rooms, wire closets, communication rooms and public areas. Network management and monitoring focuses upon the management and monitoring of the tools required to maintain a secure network. Firewall review requires the IT security specialist to investigate firewall implementation, including rules, monitoring and ongoing assessment of vulnerabilities.

Authentication focuses on the access control mechanisms that secure the network such as usernames and passwords. A file system review focuses on the structure of network shares and the mechanisms in place to ensure the integrity and confidentiality of information stored on these devices.

A quick review of remote access to the corporate network is essential, along with a review of virtual private networks (VPNs). The network security component, which covers the protocols used to enable communication on the network, must also be reviewed; an example is the Internet Protocol (IP), which enables computers to communicate over the Internet. This component also deals with the local area network switches, VLANs and routers.

Host security focuses on the server and workstation operating systems, while content inspection reviews content controls and inspection mechanisms. This component covers URL blocking, ActiveX blocking, malicious code inspection and end-user auditing.

A scan is performed to detect and verify the security of any wireless computer networks. Antivirus and malicious code systems are reviewed, including desktop PCs, servers, email, web and FTP systems. Intrusion detection/prevention systems are also analyzed.

A vulnerability assessment reviews the vulnerability management processes and tools, followed by an inspection and scan of both the wide area network (WAN) and the local area network (LAN).

An internet traffic analysis is generated using a network sniffer to analyze traffic passing to and from the internet. Finally, documentation of the processes and procedures related to network configuration, management and security is reviewed, and policies related to the computing environment are also reviewed and recorded.

Once the essential components of the network security assessment are completed, three documents are compiled and presented to their designated audience. The first document is an executive summary, which is written for senior management; this section briefly describes the assessment process, key findings and a prioritized list of action items. The second document is a technical executive summary, which contains technical details; this section summarizes findings and assigns a rating from the rating matrix for each key assessment area. A management response section is included for each area and is intended for the IT staff to respond to the findings. The last document presents detailed findings; this is where observations, implications and recommendations are documented for each of the key assessment areas. Typically, diagrams, tables, scanning tool output, procedures and detailed technical instructions are also located in this section.
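
The rating matrix and the per-area ratings of the technical executive summary can be worked through in code. The Python below is an added example, not part of the original article: it rates each assessment area from its findings, derives an overall rating and produces a worst-first action list. The finding tuple format, the tie-break rules, the choice of "overall rating equals the worst area rating" and the sample findings are all assumptions made for illustration.

```python
from collections import defaultdict

# The article's five ratings, worst first.
RATINGS = ["high", "medium-high", "moderate", "elevated", "low"]

def rate_area(findings):
    """Map one area's findings to a rating from the article's matrix.

    findings: list of (kind, likelihood, note); kind is "vuln" or
    "deficiency", likelihood is "high"/"moderate"/"low" (None for a
    deficiency). This encoding and the tie-breaks are assumptions.
    """
    if not findings:
        return "low"              # no vulnerabilities or deficiencies found
    likelihoods = {lk for kind, lk, _ in findings if kind == "vuln"}
    deficiencies = sum(1 for kind, _, _ in findings if kind == "deficiency")
    if "high" in likelihoods:
        return "high"             # easily exploitable
    if "moderate" in likelihoods:
        # "multiple deficiencies" versus "at least one deficiency"
        return "medium-high" if deficiencies >= 2 else "moderate"
    return "elevated"             # low likelihood, or deficiencies only

def technical_summary(areas, findings):
    """Return per-area ratings, overall rating and a worst-first action list."""
    by_area = defaultdict(list)
    for area, kind, likelihood, note in findings:
        by_area[area].append((kind, likelihood, note))
    # Rate every listed area, plus any area that appears only in findings.
    ratings = {a: rate_area(by_area[a]) for a in dict.fromkeys([*areas, *by_area])}
    overall = min(ratings.values(), key=RATINGS.index, default="low")
    actions = sorted(((ratings[a], a, n) for a, _, _, n in findings),
                     key=lambda t: RATINGS.index(t[0]))
    return ratings, overall, actions

# Constructed sample findings, not output from a real assessment.
SAMPLE_AREAS = ["Firewall review", "Authentication", "Wireless", "Host security"]
SAMPLE_FINDINGS = [
    ("Firewall review", "vuln", "moderate", "management port reachable from guest VLAN"),
    ("Firewall review", "deficiency", None, "no periodic rule review"),
    ("Firewall review", "deficiency", None, "rule changes not logged"),
    ("Authentication", "vuln", "high", "default password on a network device"),
    ("Wireless", "vuln", "low", "legacy access point with a weak cipher enabled"),
]

if __name__ == "__main__":
    ratings, overall, actions = technical_summary(SAMPLE_AREAS, SAMPLE_FINDINGS)
    print(ratings, "overall:", overall)
    for rating, area, note in actions:
        print(f"[{rating}] {area}: {note}")
```

An area with no findings is rated low, so every reviewed area appears in the summary even when nothing was found.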