This book is written in line with the most important assessment standards, USA NSA IAM and UK CESG CHECK, which the United States and the United Kingdom use for government and critical national infrastructure testing and assurance.

NSA IAM

The United States National Security Agency (NSA) has provided an INFOSEC Assessment Methodology (IAM) framework to help consultants and security professionals outside the NSA provide assessment services to clients in line with a recognized standard. The NSA IAM homepage is http://www.nsa.gov/isso/iam/index.htm. The IAM framework defines three levels of assessment related to testing of IP-based computer networks:
This book covers only the technical network scanning and assessment techniques used within Levels 2 (Evaluation) and 3 (Red Team) of the IAM framework, since Level 1 assessment involves high-level cooperative gathering of information, such as security policies.

CESG CHECK

The Government Communications Headquarters (GCHQ) in the United Kingdom has an information assurance arm known as the Communications and Electronics Security Group (CESG). In the same way that the NSA IAM framework allows security consultants outside the NSA to provide assessment services, CESG operates a program known as CHECK to evaluate and accredit security testing teams within the United Kingdom to undertake government assessment work. The CESG CHECK homepage is accessible at http://www.cesg.gov.uk/site/check/index.cfm.

Unlike the NSA IAM, which covers many aspects of information security (including review of security policy, anti-virus, backups, and disaster recovery), CHECK squarely tackles the area of network security assessment. A second program is the CESG Listed Adviser Scheme (CLAS), which covers information security in a broader sense and tackles areas such as BS7799, security policy creation, and auditing.

To correctly accredit CHECK consultants, CESG runs an assault course to test the attack and penetration techniques and methods demonstrated by attendees. The unclassified CESG CHECK assault course notes list the areas of technical competence relating to network security assessment:
The following are Unix-specific competencies:
Here are Windows NT-specific competencies:
This book clearly documents assessment in all these listed areas, along with background information to help you gain a sound understanding of the vulnerabilities presented. Although the CESG CHECK program assesses the methodologies of consultants who wish to perform U.K. government security testing work, internal security teams of organizations and companies outside the United Kingdom should be aware of its framework and common body of knowledge.