Audit Assessments and Reports

Vulnerability Assessments

Systematic examination of an information system or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation. Vulnerability assessments use the technology concerned with scanning computer systems and networks in order to find security vulnerabilities.

Penetration tests

The portion of security testing in which the evaluators attempt to circumvent the security features of a system. The evaluators may be assumed to use all system design and implementation documentation, which may include listings of system source code, manuals, and circuit diagrams. The evaluators work under the same constraints applied to ordinary users.

A penetration test is similar in scope to a vulnerability assessment but is usually more aggressive in its efforts to simulate an attack. Vulnerability tests can be thought of as directed toward a single vulnerability, or a group of related vulnerabilities. A penetration test is expected (at least initially) to take place from a vantage point that is external to the network. Vulnerability assessments and analyses are assumed to be covering particular areas. These areas may be either external or internal, and either host based or network based.

Rules of Engagement

Frequently, during penetration tests, certain things might be discovered that affect the continuing assessment. The customer and assessment team should have agreed in advance on various issues so that this questions will not have to be answered in the heat of the moment. These rules should include the following questions:

How long is the test supposed to last?

If the test is of limited length, or is nearing a close, you would probably want to wait until after it is over.

Is it limited in some way, or inclusive of the entire enterprise?

Not all tests cover the enterprise. It may be that the area you are testing is small enough that the exploited vulnerability is not likely to affect much of the enterprise.

What will the business cost be (approximately) if the particular machine or application is compromised before the completion of the test?

If the vulnerability you found means that the web page can be defaced, unless it's CNN you're doing the test for, ignore it. That is, of course, unless the web server is not located in a DMZ, or provides other services than just http/https.

How easy is it to exploit the vulnerability you've found?

Is it a variety of statd? Is it yet another IIS exploit? You might want to actually use the exploit, lock down the machine, and continue on. If not, and the standard script monster can get in before you finish your tests, you should try to get the worst cases locked down before you contine.

Is it already exploited?

This is the most difficult. If you find a machine that already appears to have been violated, you really must notify your employer (defined here as the person who you are testing), and stop the test at once. It is now a case for forensics, not further testing.

Threat Analysis

The process of formally evaluating the degree of threat to an information system. It describes the nature of the threat, and may provide specific suggestions for countermeasure to the threat, if countermeasures exist.

Audit Reports

Audit reports supply information as to potential areas to examine for security concerns, but care must still be taken to perform the necessary steps to secure your network.

Report Organization ¹

An executive summary provides a high level overview of the status of the system and the key recommendations of the report.

Following this, a broad overview of the scope of the system is presented and discussed.

Next, general issues of environment, IT management, and key roles are discussed.

The network has been broken up into key functional segments. Each segment is then examined in detail for flaws. Each segment comprises a section containing a discussion of the following topics:

• The Current Situation is an overall summary of the system as implemented at present
• The Risk Assessment discusses potential exposures that result from the present situation
• Recommendations provide a summary of the desired position and strategies for how to proceed towards that goal.
• The Corrective Action is a list of individual actions to be performed on the system, without regard to priority or scheduling.

The Corrective Actions presented throughout the body text are organized by priority, and presented in an appendix.

1. Site Audit Version 01.20, Geoff Halprin, The SysAdmin Group