This excerpt is from Chapter 1, Laying the Foundation for Your Assessment in Security Assessment: Case Studies for Implementing the NSA IAM written by Russ Rogers, Greg Miles, Ted Dykstra and Ed Fuller, and published by Syngress Publishing. You can download the entire chapter for free here.
What Does the Customer Expect?
Meeting expectations is critical in completing a successful assessment. Understanding customer expectations from the beginning of the process will be of tremendous assistance in defining the project's scope, making estimates to complete the work, and finalizing the effort. Which expectations are you as the assessor concerned about? The expectations you need to address include:
- Customer definition of an assessment
- Customers'"other" needs for the assessment
- Qualifications of the assessment team
- Customer timeline requirements
- Customer contracting process
- Customer cost limitations
Customer Definition of an Assessment
A critical first step for an assessment project is to come to a common understanding on what composes an assessment. Often you have to spend a great deal of time with potential customers just defining what they are looking to accomplish with the "assessment" process. The term assessment has been used loosely for years to describe everything from an audit to "attack and penetration" testing. NSA has broken up what has been traditionally called assessments into a three phase, top-down approach:
1. Assessment The assessment is an organizational-level process that focuses on the non-technical security functions within an organization. In the assessment, we examine the security policies, procedures, architectures, and organizational structure that are in place to support the organization. Although there is no hands-on testing (such as scans) in an assessment, it is a very hands-on process, with the customer working to gain an understanding of critical information, critical systems, and how the organization wants to focus the future of security.
2. Evaluation The evaluation is a hands-on technical process that looks specifically at the organization from a system/network level to identify security vulnerabilities that exist in those systems and can be mitigated through technical, managerial, or operational means. Evaluations are often confused with assessments. The IAM specifically focuses on the assessment, but elements of evaluations can be included in the IAM process. NSA calls this a Level 1+ assessment. This includes doing technical analysis of the firewalls, intrusion detection systems, guards, and routers. It may also include some basic vulnerability scans of the customer's networks. In addition, the IAM process provides excellent information that leads into future evaluations.
3. Red teaming Red teaming, often called attack and penetration testing, is a process whereby someone imitates an adversary looking for security vulnerabilities to make it easy to break into a system or network.This is often called the low-hanging fruit because these vulnerabilities are the easiest means into the customer network.
NSA's Triad is a top-down approach that starts with a high-level overview of the target organization's security posture. The approach then focuses specifically on critical systems that carry the organization's critical information. The final step is testing what has been implemented as part of the assessment and evaluation processes by taking a look from the "hacker's eye" view.
In days of old (and even today), security was addressed (when it was addressed at all) by first locking down a critical system, then locking down the network around the system, then documenting what had been done. Almost as an afterthought, it was decided that some policy was needed to enforce the security in the future. This process is completely opposite of what the IAM prescribes as a top-down approach. The IAM prescribes an approach of identifying critical information and critical systems, putting in place the policies and procedures to protect the critical information and systems, then addressing the technical security of the network. Figure 1.1 shows Level 1, Level 2, and Level 3 in the top-down approach model.
You can download the entire chapter for free here.
This was first published in April 2004