DELIVERABLES:
1. SCOPE OF WORK - 1-page SOW report
2. WORK BREAKDOWN STRUCTURE - WBS
3. THREATS AND VULNERABILITIES REPORT - 2- or 3-page report
4. NETWORK ANALYSIS TOOLS REPORT - 1- or 2-page report
5. VULNER

Vulnerability Assessment

A vulnerability is a "weakness in any information system, security production, internal controls, or implementation that could be exposed by a threat source" (NIST, 2012, p. 9). Vulnerabilities may result from an improperly configured system (weak passwords, unnecessary ports and protocols, etc.), as well as from missing software patches.

Vulnerability assessments involve the use of tools and processes to identify vulnerabilities present in the systems for which an organization is responsible. A vulnerability assessment identifies errors that hackers could use for nefarious activities.

Vulnerability assessment is an important part of an organization's overall risk management strategy. Such assessments are conducted to meet governmental regulations and requirements, to help guide organizational IT security practices, to stay on top of emerging security threats, to ensure that staff members are using appropriate measures, and to demonstrate to customers that the organization is vigilant on security issues.

One commonly used assessment tool is a vulnerability scanner, which is used to create a network map or inventory that identifies systems that are functional on a network, as well as their open ports, running services, and operating systems (such as Microsoft Windows 7, Linux, etc.). Once a map has been created, the vulnerability scanner can assess those systems against a database of known vulnerabilities.
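The second phase described above, matching an existing inventory against a known-vulnerability database, is sketched below as an added example that is not part of the original page. The hosts, service versions, and advisory IDs (`EXAMPLE-0001` and so on) are constructed, and the half-open "first affected to fixed" version range is an assumed database format.

```python
# Constructed inventory: host -> detected OS and open port -> (service, version).
INVENTORY = {
    "10.0.0.5": {"os": "Linux", "ports": {22: ("sshd", "8.9"), 80: ("httpd", "2.4.6")}},
    "10.0.0.9": {"os": "Windows", "ports": {445: ("smb", "3.1.1"), 3389: ("rdp", "10.0")}},
    "10.0.0.12": {"os": "Linux", "ports": {80: ("httpd", "2.4.10")}},
}

# Constructed database: a service is affected if first_bad <= version < fixed_in.
VULN_DB = [
    {"id": "EXAMPLE-0001", "service": "httpd", "first_bad": "2.4.0", "fixed_in": "2.4.9", "severity": 9.8},
    {"id": "EXAMPLE-0002", "service": "sshd", "first_bad": "7.0", "fixed_in": "8.5", "severity": 7.5},
    {"id": "EXAMPLE-0003", "service": "rdp", "first_bad": "6.0", "fixed_in": "10.1", "severity": 8.1},
]

def parse_version(text):
    """Turn '2.4.10' into (2, 4, 10) so versions compare numerically.

    Comparing the raw strings would rank '2.4.10' below '2.4.9' and
    report a patched host as vulnerable.
    """
    return tuple(int(part) for part in text.split("."))

def assess(inventory, vuln_db):
    """Return (severity, host, port, service, version, id), highest severity first."""
    findings = []
    for host, info in inventory.items():
        for port, (service, version) in info["ports"].items():
            for entry in vuln_db:
                if entry["service"] != service:
                    continue
                low = parse_version(entry["first_bad"])
                high = parse_version(entry["fixed_in"])
                if low <= parse_version(version) < high:
                    findings.append((entry["severity"], host, port,
                                     service, version, entry["id"]))
    return sorted(findings, reverse=True)

if __name__ == "__main__":
    for severity, host, port, service, version, vuln_id in assess(INVENTORY, VULN_DB):
        print(f"{severity:>4}  {host}:{port}  {service} {version}  {vuln_id}")
```

Sorting by severity gives the prioritized list that the remediation plan works from.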

Other tools and processes used to identify, quantify, and prioritize a system's vulnerabilities include network discovery, network port and service identification, documentation and log review, integrity checking, or a combination of several methods.

Penetration Test

Penetration tests are an integral part of any security and risk management enterprise. Therefore, cybersecurity professionals should have a basic understanding of key concepts and terminologies regarding penetration testing. Whereas a vulnerability assessment identifies vulnerabilities within a system, a penetration test attempts to exploit those vulnerabilities to gain access to sensitive information.

A penetration test is an attempt to gather information to determine whether vulnerabilities exist in security components, networks, and applications of an organization. The intent of a penetration test is to "attack" the system in the same manner as would a hacker.

Performing a penetration test gives an organization a much more realistic appreciation of the types of vulnerabilities it may be hosting. Further, it provides the organization with a holistic and comprehensive picture of its true exposure to hackers. For instance, a vulnerability assessment may reveal that multiple systems in an organization are exhibiting vulnerabilities. A penetration test will attempt to use these vulnerabilities to allow the tester to potentially compromise the organization's most sensitive information.

If an organization intends to perform a penetration test, or to have a third party perform a penetration test, it is imperative that rules of engagement be defined before the activity begins. Rules of engagement lay out acceptable methodologies and guidelines for the penetration testing process. Without these rules, a penetration test could inadvertently expose sensitive data or cause system interruptions unacceptable to the organization's management.

Depending on the parameters of an investigation or assessment, a penetration test may extend beyond virtual connections into physical aspects of how the organization protects data. Testers may be permitted to do the following:

  • Look for written passwords—The penetration tester may look for passwords written down and stored on a user's desk, under his or her keyboard, or on a whiteboard. Written passwords are common security hazards that contribute to an organization's overall exposure to attackers.

  • Go dumpster diving—Dumpster diving refers to the act of combing through an organization's trash in search of sensitive information. Sensitive information may be personal information, such as data records containing medical or credit card information, or it may be data records containing organizational information, such as charts or employee phone numbers that can be used for social engineering attacks.

  • Engage in social engineering—Social engineering describes methods employed by hackers and penetration testers to use people's social dispositions against them. For instance, if a tester called a military organization and claimed to be a senior officer, the junior person receiving the call would possibly be too intimidated to follow proper procedure and screen the caller appropriately before disclosing sensitive information.

  • Piggyback into a secure facility—Piggybacking occurs when an unauthorized user gains access to a facility by following closely behind an authorized employee who has used his or her credentials to enter the facility. The piggybacker may facilitate entrance by dressing like a member of a maintenance crew or in attire that leads the victim to believe the attacker is actually a senior executive. From a penetration-testing perspective, gaining physical access to a sensitive computing device represents a significant breach of an organization's physical security controls.

Baseline Analysis

An asset is a possession (item or object) that has value and must be protected against harm or loss. Information and information systems are assets. Information is an asset because the organization must spend money to obtain it so that the information can be used to produce goods and services. Examples of valuable information assets include formulas, customer and vendor lists, sales plans, and marketing strategies. An information system is an asset because each component of the system costs money to purchase or replace.

Asset security is an integral part of cybersecurity. The cybersecurity measures required to protect business assets are determined by identifying the assets that require protection and then assessing the specific threats and vulnerabilities (for each asset or type of asset) that are present in the organization's operating environment.

Critical infrastructure assets are those assets that are essential for the functioning of the organization. Examples of critical infrastructure assets include uninterrupted power supply to facilities, data backups, and physical access control to buildings.

Baseline analysis is based on the idea that a company must establish a minimum set of safeguards to protect its critical infrastructure assets. This baseline provides the CIO or the organization's main stakeholders with a benchmark to ensure that their systems provide a minimum level of security across multiple applications and products. 
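A minimum baseline can be expressed as data and checked against every system, as in the following added example (not from the original page). The control names, thresholds, and systems are constructed. A setting that a system does not report is counted as a failure rather than a pass.

```python
# Constructed baseline: control -> (comparison rule, required value).
BASELINE = {
    "password_min_length": ("at_least", 12),
    "days_since_last_patch": ("at_most", 30),
    "disk_encryption": ("equals", True),
    "open_ports": ("subset_of", {22, 443}),
}

CHECKS = {
    "at_least": lambda actual, required: actual >= required,
    "at_most": lambda actual, required: actual <= required,
    "equals": lambda actual, required: actual == required,
    "subset_of": lambda actual, required: set(actual) <= required,
}

# Constructed settings as an inventory or configuration tool might report them.
SYSTEMS = {
    "web-01": {"password_min_length": 14, "days_since_last_patch": 12,
               "disk_encryption": True, "open_ports": [22, 443]},
    "db-01": {"password_min_length": 8, "days_since_last_patch": 95,
              "disk_encryption": True, "open_ports": [22, 23, 5432]},
    "hr-app": {"password_min_length": 12, "open_ports": [443]},
}

def deviations(settings, baseline=BASELINE):
    """List every control a system fails; an unreported setting is a failure."""
    failed = []
    for control, (rule, required) in baseline.items():
        if control not in settings:
            failed.append((control, "not reported"))
        elif not CHECKS[rule](settings[control], required):
            failed.append((control, settings[control]))
    return failed

def audit(systems, baseline=BASELINE):
    """Map each system to its deviations; an empty list means the baseline is met."""
    return {name: deviations(cfg, baseline) for name, cfg in systems.items()}

if __name__ == "__main__":
    for name, failed in audit(SYSTEMS).items():
        print(name, "OK" if not failed else failed)
```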

System Logging

Analyzing system logs is a method of tracking vulnerabilities and preventing future attacks. System log analysis provides a snapshot of files that have been accessed, and each log contains information related to a specific activity.

The analysis should include investigating user rights (who can access data and what type of data), to ensure that the separation of duties and least privilege standards are applied. Analysis should also check for logging anomalies. Incongruities in log settings, configurations, and processes might indicate malicious activity, system flaws, or failure to follow set security procedures. 
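The review described above can be automated along these lines. This is an added example, not part of the original page: the entitlement table, the conflicting-rights pair, the "timestamp user action" log format, and the one-hour gap threshold are all assumptions, and the log lines are constructed.

```python
from datetime import datetime, timedelta

# Constructed entitlements (user -> rights granted) and toxic right pairs.
RIGHTS = {
    "alice": {"create_payment", "approve_payment"},
    "bob": {"create_payment", "read_hr"},
    "carol": {"approve_payment"},
}
CONFLICTS = [("create_payment", "approve_payment")]  # separation of duties

# Constructed log lines in a hypothetical "timestamp user action" format.
LOG = """\
2024-03-01T09:00:05 alice create_payment
2024-03-01T09:02:11 alice approve_payment
2024-03-01T09:10:40 bob create_payment
2024-03-01T09:15:02 carol approve_payment
2024-03-01T09:20:00 carol create_payment
2024-03-01T13:45:30 bob create_payment
""".splitlines()

def parse(lines):
    """Yield (time, user, action) for each log line."""
    for line in lines:
        stamp, user, action = line.split()
        yield datetime.fromisoformat(stamp), user, action

def review(rights, conflicts, lines, max_gap=timedelta(hours=1)):
    events = sorted(parse(lines))
    used = {}
    for _, user, action in events:
        used.setdefault(user, set()).add(action)
    report = {"sod": [], "unused": [], "ungranted": [], "gaps": []}
    for user, granted in sorted(rights.items()):
        # One person holding both halves of a conflicting pair breaks separation of duties.
        report["sod"] += [(user, a, b) for a, b in conflicts if {a, b} <= granted]
        # Rights never exercised in the window are least-privilege review candidates.
        report["unused"] += [(user, r) for r in sorted(granted - used.get(user, set()))]
    # Actions logged for a user who holds no matching right point to a control failure.
    report["ungranted"] = [(u, a) for _, u, a in events if a not in rights.get(u, set())]
    # Long silences can mean logging was stopped or entries were removed.
    times = [t for t, _, _ in events]
    report["gaps"] = [(p.isoformat(), c.isoformat())
                      for p, c in zip(times, times[1:]) if c - p > max_gap]
    return report

if __name__ == "__main__":
    for finding, items in review(RIGHTS, CONFLICTS, LOG).items():
        print(finding, items)
```

A gap is only a lead: compare it with expected activity for that system (business hours, batch schedules) before treating it as tampering.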

System logs can also give insight into the system's data-loss prevention strategies, which identify and protect sensitive information. Data-loss prevention measures reduce the chance of a breach of sensitive data.