Have you heard the old saying, "If you fail to plan, you plan to fail"? This saying rings true when you perform a security assessment. You must choose the appropriate time to execute the assessment, evaluate possible risks, determine costs, and obtain management's approval. That sounds like a lot of preparation to determine the strength of your defenses, but remember, hindsight is 20-20.
The first issue that needs to be addressed at the beginning of an assessment is determining your scope. This should include developing a list of the target computer systems and network devices that you will include in the assessment and what techniques are you allowed to use against them during the assessment. Listing valid targets may be as simple as stating that all computer systems that are part of your organization are in scope, but be careful. Are there any other organizations that have equipment attached to your network? Do you have agreements in place that allow you to audit their computer systems? You will need to determine that you have the right to include these systems in your assessment prior to firing packets at them! There may be other systems that are part of your network that you are not authorized to test. All these systems should be identified and placed in a do-not-test list.
The other issue to address for scope is to determine which test techniques will be used during the assessment. Some assessment activities are safer than others. You should be clear which techniques you will be using and what controls you will employ to reduce the organizational risk for the more dangerous techniques. Table 22.1 shows a list of common assessment techniques and the level of risk generally associated with each.
As part of this step, you will also need to plan the logistics of the assessment, including determining what the valid test hours of operation are, the start and end dates for the assessment, and the administrative and management points of contact for in-scope systems. Keep in mind that performing a vulnerability assessment carries with it the inherent risk of disrupting service through crashing target systems or generating excessive network traffic. Therefore, administrators should be available during your assessment to deal with any issues that might arise. Because of this, access to the appropriate administrators will be an important consideration as you decide what your hours of operation will be.
When deciding on a time to perform the assessment, be sure to account for differences in time zones across the organization.
Finally, all the planning decisions need to be documented in a written rules-of-engagement document that must be signed by management before the assessment commences. Written approval has saved the careers of many people when critical systems went down as a result of simple scanning. In general, communication is one of the most important aspects of planning the assessment. You need to verify that all parties involved in supporting the targeted systems, as well as management, have been informed (as appropriate) of your activities. Keep communication and risk awareness in your thoughts as you plan and perform the assessment.
Once you have your scope determined and have gained approval to proceed, you will need to make sure you've got the test resources assembled to complete all the tests you have agreed to perform. Often this will require creating more than one test system, each running a different operating system and configured with test tools appropriate for that operating system. At a minimum, you will probably want to have both Windows and UNIX systems available to utilize the plethora of OS-dependent utilities each contains. Later in the chapter we will be discussing specific utilities you may want to use.
If you do not have extra computers lying around to run multiple operating systems, check out VMware (http://www.vmware.com/). VMware software enables you to run an OS within another OS. For example, if you use Windows 2000 Professional, you could use VMware Workstation on it, which would enable you to run Red Hat Linux at the same time on the same machine. Note that you might have to increase your system's RAM or disk space for proper performance.
Assuming you've determined your scope, gained written approval, and assembled your test systems, you can now move on to the reconnaissance step of your assessment.