Defining the scope of the assessment is one of the most important parts of the assessment project. At some point, you are going to be meeting with management to start the discussions of the "how" and "why" of the assessment. Before this meeting ever begins, you're probably going to have some idea as to what is driving this event. Vulnerability assessments usually don't happen in a vacuum, so it's important to understand the business reasons behind it. These can include due diligence, compliance with state or federal laws, a breach in security, or other factors.
Knowing why this assessment is occurring is going to help you get a much better idea of what management is looking for and how much support there is going to be for this project. Much of this can be gauged after you have the initial meeting with management. You'll also have to consider that they may not fully have these answers and, in large part, that's why they are looking to you and your expertise in this matter.
Armed with the proper information, you'll be much better prepared when you initially meet with management to discuss this project. You're going to want to gather up as much documentation as possible about the network, the technologies, and the overall structure of the documents that are presently being used to manage the security process.
During this initial meeting, you are going to want to spend some time ironing out what is critical. The best way to make this determination is by looking at what products your organization offers and how they are delivered to the customer. Then determine the key technologies that support this effort and identify the critical pieces of information that the organization possesses.
With the initial meeting out of the way, you should have some idea of what management is expecting the assessment to accomplish. Now that you have some idea as to the scope and direction of the assessment, you can begin to build your team. After your team is assembled, you will be ready to again meet with management. This formal kickoff meeting is where you will work out the final details of the assessment plan and get the information needed to build an assessment timeline. The important events that occur during the scope include the following:
The events driving the assessment will affect the scope and the depth of the project. Not all organizations look at security in the same way. Some organizations work in business sectors that deal with a considerable amount of risk, whereas others are situated in lower-risk sectors. The way organizations handle risk is just as varied. As an example, look at how your organization has set up its firewall policies. Many organizations use the "allow all that hasn't been specifically denied" policy. Although this works, it's not the best method. A better approach would be to take the "deny all" route. This method denies everything and explicitly allows only services that have been determined to be a business requirement. This approach is not only much more secure, but also recommended by most security experts and by documents such as NIST Special Publication 800-41 Guidelines on Firewalls and Firewall Policy. Organizations that take the latter approach are going to be much more likely to have a developed policy infrastructure and to take your recommendations much more seriously.
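To make the two firewall stances concrete, here is an added illustration (not from the original text, and not any particular organization's ruleset) written as an nftables configuration. The first table uses the "allow all that hasn't been specifically denied" policy; the second takes the "deny all" route that SP 800-41 recommends, explicitly permitting only services with a documented business requirement. The port choices (SSH on 22, HTTPS on 443) and the change-ticket wording are assumptions for illustration only.

```nftables
# Added example: default-accept ("allow all not denied") versus
# default-deny ("deny all, permit by exception"). Load only ONE of these
# tables at a time, e.g. with: nft -f <file>
flush ruleset

# --- Weak stance: anything not listed here is accepted. ---
# A newly installed service (say, a database listening on a public port)
# becomes reachable the moment it starts, with no review step.
table inet filter_weak {
    chain input {
        type filter hook input priority 0; policy accept;
        tcp dport 23 drop comment "telnet explicitly denied; everything else passes"
    }
}

# --- Recommended stance: everything is dropped unless explicitly allowed. ---
# Each accept rule corresponds to a service that the business has justified;
# adding a listener does not expose it until a rule (and a review) exists.
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Keep replies to connections the host itself initiated.
        ct state established,related accept
        ct state invalid drop

        # Loopback traffic is local to the host.
        iif "lo" accept

        # Approved services only (assumed: SSH for management, HTTPS for the web tier).
        tcp dport { 22, 443 } accept comment "approved per change ticket (placeholder)"

        # Rate-limited ping so monitoring keeps working without enabling floods.
        icmp type echo-request limit rate 5/second accept

        # Anything reaching this point is unapproved: log it, then drop.
        log prefix "nft-input-drop: " drop
    }
}
```

The log line at the end of the deny-all chain is what makes the policy auditable: during an assessment, the dropped-packet log shows exactly which unapproved services were being reached for, which is evidence you would not have under the default-accept table.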
Due diligence is one of the potential forces that may be driving the assessment. If your organization is serious about security, there will be some assessment work performed during mergers and acquisitions. This can occur before an actual purchase or after the event. These assessments are usually held to a very strict timeline. There is only a limited amount of time before the purchase and if the assessment is performed afterward, the organization will probably be in a hurry to integrate the two networks as soon as possible. In either situation, you have a host of issues to deal with, including the following:
Compliance with state, provincial, or federal laws is another event that might be driving the assessment. Companies can face huge fines and, potentially, jail time if they fail to comply with state, provincial, and federal laws. The Gramm-Leach-Bliley Act (GLBA), Sarbanes-Oxley (SOX), and the Health Insurance Portability and Accountability Act (HIPAA) are three such laws. HIPAA requires organizations to perform a vulnerability assessment. If this is the type of event driving the assessment, management is going to be concerned that the policies, procedures, guidelines, and training have been put in place. They will be interested to see that a good structure for security has been developed and is being followed.
Those dealing with compliance issues such as HIPAA and SOX need to have a good understanding of what is required to meet compliance, or have someone on the team who does. Many laws mandate civil and criminal penalties for lack of compliance. For example, Title VII of SOX requires that auditors maintain "all audit or review work papers" for five years.
A Breach in Security
A breach in security will bring about different concerns and driving factors than the ones previously listed for due diligence or compliance with state or local laws. Look for these assessments to be much more technical.
Although you may think that the majority of these events are driven by external factors, that's simply not true. The largest percentage of this type of assessment results from events initiated by insiders. This includes current and former employees. Anytime an employee is unhappy or disgruntled, the organization has a potential problem. This is especially true if this individual has a large amount of knowledge about the internal workings of the network. In these instances, you will be looking at access controls, password policies, system defenses, and system hardening.
If the event is driven by an external attack, management will again want to know if systems have been sufficiently hardened. Are there other holes or technical vulnerabilities an attacker can exploit to gain access? These events may not have resulted in a significant loss of revenue. It's possible that only a website was defaced or a brief outage of a service occurred; nevertheless, people will want answers quickly. Management will be looking for technical solutions to secure the infrastructure as soon as possible.
The best time to deal with incident response is before the event. Your organization should have a well-defined incident response plan that details who responds, how they respond, and who will be notified.
With some knowledge of what's driving the event, you are now much more prepared for your initial meeting with management. To deal effectively with their questions and start to get a real handle on how much work this is going to be, you are going to want to compile some information to take into the meeting with you. It's best to contact the appropriate personnel before the meeting and let them know what you need to make an appropriate analysis of the situation. By developing a standardized form, you can gather much of the information you'll need to take into the initial meeting.
The information request form will need to provide information that helps define the size and scope of the assessment. If you can't gather all this information before the initial meeting, that's okay, because after management has given the project the green light, you'll quickly get most of the information you need to compile. Following is a list of some of the items you will want to have on your information request form. They can be broadly divided into four categories:
Becoming the Project Manager
If you are one of the individuals scoping the project, you are most likely going to be the team leader or a key member of the assessment process. If you are going to be the lead in this assessment, you will need some project management skills. You'll need technical and administrative skills to make this a success. Keep in mind the old saying: "Managing people is like herding cats." By this I mean that a successful team leader is both a manager and a leader. Leaders command respect, are able to inspire and motivate others, and can adapt to different leadership styles as circumstances dictate. As the team leader of the assessment, you are going to be tasked with the following:
You are the one who is ultimately responsible for the assessment. You must make sure that all team members understand their roles and their importance. If schedules cannot be met, it will be up to you to communicate this fact to management and facilitate a resolution.
Staffing the Assessment Team
Depending on the size of the assessment, you will need a capable team to get the job done. You are going to be looking for individuals with a variety of skills. From a technical standpoint, team members will need the following skills:
You will also need team members who can fulfill various roles in the project. If you have spent time managing people, you probably already recognize these traits. These various personality types can help build a successful assessment team:
The specific skills needed, as previously mentioned, depend on what level of assessment is going to be performed. Whereas level I assessments are primarily policy based, level II assessments have much more of a hands-on technical feel. These assessments will require you to add individuals to the team who have sufficient technical skills to set up and run vulnerability scanners, review results from vulnerability scanners, examine firewall rulesets, and perform other hands-on types of activities. If you determine that a level III assessment is going to be performed, you'll need team members with in-depth security skills. You may find that for a penetration test, you are better off contracting out those duties. Be aware that no matter who is on your team, all teams typically go through four stages:
As you assign duties to each team member, you will want to establish times for each activity. When assigning duties to team members, try using the SMART process:
After you staff the assessment team, a team directory should be assembled. This directory should include
The kickoff meeting is the real beginning of the assessment. For the first time, you have a team assembled and you get the opportunity to meet with senior management and the key stakeholders of the assessment. This is the opportunity to develop an overall plan for the assessment. It is also an opportunity for everyone present to ask questions and work out any problems that may come up. For this project to be successful, now is the time to work out the key issues. Therefore, the following items are some of the key issues that should be discussed:
Building the Assessment Timeline
The timeline establishes guidelines for the completion of the assessment. It also helps establish the scope and duration of the entire project. It will require monitoring on your part to keep the project on schedule. One of the biggest problems you will face is scope creep.
Scope creep occurs when you fall under pressure to expand the assessment beyond what it was originally planned to be. It usually results from a failure to define what the assessment will or will not include. The number one way to prevent scope creep is to clearly define the boundaries of the assessment. This should be locked down during the kickoff meeting and defined in the assessment protocol that has been approved by management.
If you are not alert to scope creep, it can destroy the assessment. Little things add up and before long, the assessment can slip way behind schedule. These are not the events that will make you a management all-star.
As Everett Dirksen said: "A billion here and a billion there and pretty soon, we are talking big money." Organizations do not have unlimited funds; therefore, it's critical that you develop good cost estimates during the preassessment. Time is money and if the schedule begins to slip, costs will increase. As the team leader for the assessment, expect to be held responsible for achieving technical and scheduled goals, but also for the financial costs of the assessment. The cost of the labor will be one of the biggest expenses of a project. As project manager, you must rely on time estimates you develop to predict the cost of the labor to complete the projected assignment on schedule. In addition, the cost of the equipment and materials needed to complete the projected work must be factored into the project's expenses. The relation between the project cost and the project scope is direct: You get what you pay for! Think about it; is it possible to buy a Lexus at a Ford Focus price? That is probably not going to happen. If the project scope expands, expect costs to go up, so plan accordingly.
If you can avoid this and effectively monitor the information as it flows in from the assessment team, you will be on your way toward meeting your projected goals. You will also need to spend an adequate amount of time communicating with the team. They, too, need to know the progress, what tasks have been completed, and what's yet to be done. Just these few simple things can help keep the project on schedule. Overall, there are three clearly defined pieces to the assessment process, as seen in Figure 5.1. These include scoping the project, performing the assessment, and post-assessment activities.
Figure 5.1. Assessment timeline.
The average time for an assessment is 12 weeks. This is only an average, but it should give you some idea of how much time it will take to complete the process. During the scoping process, you'll need to complete seven critical steps before you can actually get started. These are shown in Figure 5.2 and listed next:
Determine driving events.
Hold the initial meeting.
Establish the team.
Hold the kickoff meeting.
Determine critical items.
Create a timeline.
Develop a written protocol that details what is going to be done.
Figure 5.2. Scoping tasks.