Vulnerability Analysis Methodology
Companies interested in our pre-incident Information Security Analysis appropriately inquire as to the depth of our methodology. M2000/IS welcomes the question and has provided the answer here. Although all such projects are customized to the client company, the following is a description of the scope of services performed by the InfoSec Team in implementing a typical information security analysis/evaluation.
Overview: Our survey adopts a top-level systems approach, integrating our knowledge and experience of the myriad techniques currently used to compromise information systems. Our objective is to identify and quantify the weakest link in the IT system, whether physical or technical, which requires investigating every aspect of how information is handled and transferred. We will attempt to minimize the disruptive impact of our investigations, but recognize that some inconvenience is inevitable.
System Level Investigations: We will collect system topology, operational, and configuration data using automated IT scanning tools, your documentation (if any), and physical investigations, to develop as-practiced (rather than as-documented) hardware, software and communications topologies. Concurrently, we will analyze your InfoSec-related policies and procedures and empirically verify the level of compliance with them by randomized (Monte Carlo) sampling. We will then examine any existing audit functions for completeness and integrity.
Technical Investigations: Once the system parameters are defined, we will investigate individual high-vulnerability devices in more detail, guided by:
- Interim results from a number of automated IT security scanners,
- Point tests by our investigators against currently available published exploits,
- Published vulnerabilities and your software patch histories, and
- The experience of our investigators.
These investigations will review the configurations of typical network devices (Internet router, core routers, edge switches) and of each protocol in use (OSPF, BGP, RIP, SNMP, HSRP, IPX, multicast), with particular attention to authentication and filtering.
The results of the automated scans and the point tests will be integrated into a security vulnerability analysis of the client operations identified in the materials the client provides. This analysis will yield a prioritized list of the IT systems' exposures, which will be used to recommend hardware and software solutions to enhance network security for all client administrative departments and services.
Physical Investigations: Physical access to an information system lowers the barriers to theft by an order of magnitude. We will analyze the physical barriers that stand between outsiders, contractors, and employees and the media on which your information resides, and the barriers to theft of information that would give access to that media. This will include an empirical investigation of campus security, building security for the relevant buildings, trash handling, office notes and memos, and potential compromise by less common physical tools (laser microphones, Van Eck antennae, etc.).
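As an added illustration of the kind of configuration review described above (example code written for this page, not M2000/IS's own tooling or methodology), the following Python script parses a constructed Cisco IOS-style configuration and flags the weaknesses a reviewer looks for first in the listed protocols: default or read-write SNMP communities, HSRP groups without MD5 authentication, OSPF areas without message-digest authentication, a RIP process not pinned to version 2, and BGP neighbors lacking a TCP MD5 password or GTSM (ttl-security). The sample configuration, interface names, addresses and keys are all constructed. The checks cover only the routing, SNMP and HSRP items of the list (not IPX or multicast), and they look at area-level OSPF and directly configured BGP neighbors only; interface-level OSPF authentication and BGP peer-group inheritance would need additional handling.

```python
import re
from collections import defaultdict

# Constructed sample in Cisco IOS style; interfaces, addresses and keys are made up.
SAMPLE_CONFIG = """\
snmp-server community public RO
snmp-server community private RW
!
interface GigabitEthernet0/0
 standby 1 ip 10.0.0.1
!
interface GigabitEthernet0/1
 standby 2 ip 10.1.0.1
 standby 2 authentication md5 key-string H5rpK3y
!
router ospf 1
 network 10.0.0.0 0.0.255.255 area 0
 network 10.1.0.0 0.0.255.255 area 1
 area 0 authentication message-digest
!
router rip
 version 1
 network 10.0.0.0
!
router bgp 65001
 neighbor 192.0.2.1 remote-as 65002
 neighbor 192.0.2.1 password Bgp!Pass
 neighbor 192.0.2.1 ttl-security hops 1
 neighbor 198.51.100.1 remote-as 65003
"""

def parse_blocks(text):
    """Split an IOS config into (header, [indented sub-lines]); '!' and blank lines dropped."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace():
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks

def audit_config(text):
    """Return human-readable findings for the weak settings checked below."""
    findings = []
    for header, body in parse_blocks(text):
        words = header.split()
        joined = "\n".join(body)
        # SNMP v1/v2c communities travel in cleartext; default names and RW access are the classic exposures.
        if header.startswith("snmp-server community "):
            name = words[2]
            if name.lower() in ("public", "private"):
                findings.append(f"SNMP: default community string '{name}'")
            if "RW" in words:
                findings.append(f"SNMP: read-write community '{name}' (v1/v2c, cleartext)")
        # HSRP without 'authentication md5' uses the well-known default plaintext key,
        # so any host on the segment can claim the active role and hijack the gateway.
        elif header.startswith("interface "):
            iface = words[1]
            groups = defaultdict(set)
            for line in body:
                m = re.match(r"standby (\d+) (\S+)", line)
                if m:
                    grp, keyword = m.groups()
                    groups[grp].add(keyword)
                    if keyword == "authentication" and "md5" not in line.split():
                        findings.append(f"HSRP: group {grp} on {iface} uses plaintext authentication")
            for grp, keywords in groups.items():
                if "authentication" not in keywords:
                    findings.append(f"HSRP: group {grp} on {iface} uses the default plaintext key")
        # OSPF: areas referenced by 'network ... area X' must have 'area X authentication
        # message-digest'. Area level only; per-interface 'ip ospf authentication' is not resolved.
        elif header.startswith("router ospf "):
            used = set(re.findall(r"^network \S+ \S+ area (\S+)", joined, re.M))
            authed = set(re.findall(r"^area (\S+) authentication message-digest", joined, re.M))
            for area in sorted(used - authed):
                findings.append(f"OSPF: process {words[2]} area {area} without message-digest authentication")
        # RIPv1 has no authentication, and IOS keeps sending v1 unless 'version 2' is set.
        elif header == "router rip":
            if "version 2" not in body:
                findings.append("RIP: process not pinned to version 2 (v1 has no authentication)")
        # BGP: each directly configured neighbor should carry a TCP MD5 password and GTSM
        # (ttl-security). Peer-group inheritance and address-family sub-modes are not resolved.
        elif header.startswith("router bgp "):
            neighbors = defaultdict(set)
            for peer, option in re.findall(r"^neighbor (\S+) (\S+)", joined, re.M):
                neighbors[peer].add(option)
            for peer, options in neighbors.items():
                if "password" not in options:
                    findings.append(f"BGP: AS {words[2]} neighbor {peer} without TCP MD5 password")
                if "ttl-security" not in options:
                    findings.append(f"BGP: AS {words[2]} neighbor {peer} without ttl-security (GTSM)")
    return findings

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Run against the constructed sample, the script reports eight findings: both SNMP communities (one of them read-write), HSRP group 1 on GigabitEthernet0/0, OSPF area 1, the RIP process, and the 198.51.100.1 BGP neighbor twice; the hardened GigabitEthernet0/1 group, area 0 and the 192.0.2.1 neighbor produce nothing. The value for a reviewer is not the regexes but the checklist they encode: every finding maps to a published class of attack (community-string disclosure, HSRP hijack, unauthenticated route injection, TCP reset or spoofed BGP session) that the point tests in this phase would otherwise have to confirm by hand.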
Final Product & Deliverables: The results of the technical and physical investigations will then be compared and combined into a prioritized security vulnerability matrix. Each identified vulnerability will be evaluated for impact, probability, and ease of exploitation, taking into account known inherent problems in the client’s industry. We will then develop integrated solutions to address the appropriate level of security for each vulnerability.
The deliverable Information Security Report will include:
- Key points from our automated and point test investigations, highlighting the highest priority vulnerabilities,
- Recommendations for remediation of existing systems,
- Recommendations for in-house staffing levels and competencies to maintain network security on an ongoing basis, and
- Design and delineation of integrated security solutions for the new systems to be designed for the client.
Our Requirements: To perform these investigations we will require both physical and electronic access, during and after normal business hours. We have developed our processes to minimize disruption to your staff, and you are welcome to have a staff member observe any and all activities of our investigative team. Our automated InfoSec scanning tools can be quite intrusive, consuming a large share of internal LAN bandwidth, so we generally run these scans after hours to minimize the impact. We will identify, but will not execute (unless requested), potential Denial of Service (DoS) attacks.
Implementation of Resultant Solutions: Only once the vulnerability analysis and report are completed can M2000/IS and the client discuss any additional assignment pertaining to implementation of the recommended solutions. It is the goal of M2000/IS to see client IT personnel carry the bulk of this phase, where appropriate. To that end, M2000/IS has developed the following practice:
Once the analysis and solutions identification (report) phase is completed, M2000/IS will develop a new proposal for implementing the solutions recommended in the analysis report. This is done in close coordination with you and your team and considers not only the number of personnel in the IT department but their core competencies as well. To make effective use of the client's in-house staff, M2000/IS has developed an implementation program with three categories, to one of which each approved solution is assigned:
- Solutions which the in-house IT staff can and should handle on their own, with no or only limited oversight from M2000/IS;
- Solutions which M2000/IS will help the in-house IT staff implement, training them as needed; these require knowledge or skills that are not part of the staff's daily functions; and,
- Solutions which M2000/IS should implement exclusively, for security reasons, and which should be known only to senior IT management and senior executives/administration on a need-to-know basis.