A Checklist for Developing Defenses

  • Consider security vs. functionality. Determine to what degree security and functionality are affected by decisions made regarding the IT infrastructure in your organization.

  • Create a business justification. Justify vulnerability assessments from a business perspective within your organization to achieve management "buy-in."

  • Use standards. Methodology standards should be determined to ensure assessments are conducted in a thorough manner. These standards ensure assessments are consistent but do not limit the assessor's creativity in security auditing.

  • Gather information/conduct reconnaissance. Publicly available information pertaining to your organization should be analyzed to determine all potential avenues of attack.

  • Map your organization's theatre of war. Use the data found while gathering information to map the focus areas of the assessment. Create and validate initial topology maps for use while planning attacks. Set boundaries for follow-on attacks.

  • Qualify targets. Through port scanning and other search tools, determine the live hosts within the theatre of war. These may include hosts containing public applications or services, packet filters, load balancers, and other devices. Update the map(s) to reflect new findings.

  • Create attack profiles. Plan and optimize attack vectors for each system, host, or application. Attack vectors should be surgical and directed, each based on the protocol, platform, and network variables determined in earlier stages. Tools should be used to plan attack vectors, but human interpretation is paramount for a successful audit.

  • Beware of online vulnerability scanners and services. Human assessors bring diversity to an assessment and can change course midstream; online scanners limit creativity and the ability to "dig deeper" for additional data, so assessment accuracy and thoroughness are severely limited.

  • Attack using VA tools (validate and prioritize results). Use VA tools to conduct mock attacks, validate the results (fix the configurations that cause false positives rather than simply removing the false positives from the reports), document the results, prioritize them using a standard matrix, and determine when to stop (VA vs. penetration testing). Remember that DoS tests should be used to find infrastructure design shortcomings: any service, application, or infrastructure will "fall over" if enough packets are directed at it, so the value of a DoS test lies in the legitimate design concerns it exposes.

  • Defend your organization after attacking: determine options, prioritize remediation, develop a plan, and retest. A plan to defend your organization's infrastructure must include remediation of known problems as well as methods to retest to ensure you are not still vulnerable. Don't forget to document accepted vulnerabilities (vulnerabilities for which the risk does not outweigh the gain and which simply will not be remediated).

  • Use security sources to determine defense tactics. Use well-known sources for vulnerability information research (CERT/CC, CVE, SecurityFocus, OSVDB).

  • Determine assessment frequency. How often is enough for your organization? The correct answer is more than once and never too frequently.

  • Conduct assessments with internal staff. Internal staff should conduct vulnerability assessments any time changes are made to the infrastructure, and more often if deemed necessary by the organization.

  • Outsource assessments to a security partner. Weigh the advantages and disadvantages of outsourcing security assessments. Ask yourself and your organization (and eventually your security partner) the ten questions to ensure you have chosen the right partner.
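The validate, prioritize, accept and retest steps of the checklist, as an added example that is not from the book: a small Python triage script that applies a constructed likelihood-by-impact matrix to constructed scanner findings on hypothetical hosts, keeps false positives as configuration fixes instead of deleting them from the report, records accepted vulnerabilities with their justification, and derives the retest list.

```python
from dataclasses import dataclass

# Constructed "standard matrix": likelihood x impact gives a score, score gives a priority band.
LEVEL = {"low": 1, "medium": 2, "high": 3}

def risk_score(likelihood, impact):
    return LEVEL[likelihood] * LEVEL[impact]

def priority_band(score):
    return "P1" if score >= 6 else "P2" if score >= 3 else "P3"

@dataclass
class Finding:
    host: str
    title: str
    likelihood: str
    impact: str
    validated: bool = False       # confirmed by a person, not merely reported by the scanner
    false_positive: bool = False  # validation showed the scanner was wrong about this host
    accepted: bool = False        # risk accepted and documented; will not be remediated
    note: str = ""                # why the risk is accepted, or what misled the scanner

def triage(findings):
    """Sort raw VA output into the buckets the checklist calls for."""
    report = {"remediate": [], "fix_config": [], "accepted": [], "unvalidated": []}
    for f in findings:
        if not f.validated:
            report["unvalidated"].append(f)  # never prioritize what nobody has confirmed
        elif f.false_positive:
            report["fix_config"].append(f)   # fix what fools the scanner; don't just drop the line
        elif f.accepted:
            report["accepted"].append(f)     # stays on the record, with its justification
        else:
            report["remediate"].append(f)
    # highest matrix score first; the scanner's own severity rating is not used
    report["remediate"].sort(key=lambda f: risk_score(f.likelihood, f.impact), reverse=True)
    return report

def remediation_plan(report):  # (band, host, title) in the order the fixes should be worked
    return [(priority_band(risk_score(f.likelihood, f.impact)), f.host, f.title)
            for f in report["remediate"]]

def retest_hosts(report):  # remediated hosts and config fixes are retested; accepted risks re-checked
    return sorted({f.host for k in ("remediate", "fix_config", "accepted") for f in report[k]})

# Constructed sample findings on hypothetical hosts, standing in for a scanner export.
SAMPLE_FINDINGS = [
    Finding("web01", "Weak TLS cipher suites", "medium", "medium", validated=True),
    Finding("db01", "Database listener reachable from DMZ", "high", "high", validated=True),
    Finding("web02", "Version match on banner only", "high", "high", validated=True,
            false_positive=True, note="Backported patch; banner string misleads the scanner"),
    Finding("fs01", "SMBv1 enabled on vendor appliance", "low", "high", validated=True,
            accepted=True, note="Isolated segment; vendor cannot disable; owner: ops"),
    Finding("mail01", "Open relay reported", "high", "high"),  # not yet confirmed by hand
]
```

Findings that nobody has validated never reach the priority list, which is the point of validating before prioritizing.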

Recommended Reading

  • RFCs 768, 791, 793, 1323, 1413, 1812, and 1853

  • Network Security Assessment by Chris McNab (O'Reilly, 2004)

  • http://www.nessus.org

  • http://www.iana.org/assignments/port-numbers

  • http://www.cert.org

  • http://www.uscert.gov

  • http://www.uniras.org

  • http://www.cve.mitre.org

  • http://www.securityfocus.com

  • http://www.osvdb.org/



Source: Extreme Exploits: Advanced Defenses Against Hardcore Hacks (Hacking Exposed), ISBN 0072259558, 2005.
