
Network Vulnerability Assessment Checklist

Assessor:
Date:
Location:

No   Control                                                                 Status (Yes/No/N/A)
1    Unique user ID and confidential password required
2    Additional identification required for remote access
3    Help screen access available to logged-on users only
4    Last session date and time message back to user at sign-on time
5    Exception reports for disruptions in either input or output
6    Session numbers for users/processors that are not constantly logged in
7    Notification to users of possible duplicate messages
8    Threshold of errors and consequential retransmission on the network related to management via automatic alarms
9    Encryption requirements
10   Encryption key management controls
11   Message Authentication Code requirements for nonencrypted sensitive data transmission
12   System authentication at session start-up (wiretap controls)
13   Confirmation of host log-off to prevent line grabbing
14   Downloading controls for connected intelligent workstations
15   User priority designation process
16   Transaction handling for classified communications
17   Trace and snapshot facilities requirements
18   Log requirements for sensitive messages
19   Alternate path requirements between nodes
20   Contingency plans for hardware as well as all usual system requirements
21   Storage of critical messages in redundant locations
22   Packet recovery requirements
23   Physical access for workstations when units are not in use
24   Control units, hubs, routers, cabinets secured
25   Environmental control critical requirements
26   Segregation for sections of the network that are deemed "untrustworthy"
27   Gateway identification for authorized nodes
28   Automatic disable of a user/account, line or port if evidence an attack is underway
29   Naming convention to distinguish test messages from production
30   User switching application controls
31   Time-out reauthorization requirements
32   Password changes (time/length/history) requirements
33   Encryption requirements for passwords, security parameters, encryption keys, tables, etc.
34   Shielding requirements for fiber-optic lines
35   Controls to prevent wiretapping
36   Reporting procedures for all interrupted telecommunication sessions
37   Identification requirements for station/terminal access connection to network
38   Printer control requirements for classified information
39   Appropriate "welcome" connection screens
40   Dial-up access control procedures
41   Anti-daemon dialer controls
42   Standards for equipment, applications, protocols, operating environment
43   Help desk procedures and telephone numbers
44   Protocol converters and access method converters dynamic change control requirements
45   LAN administrator responsibilities
46   Control requirements to add nodes to the network
47   Telephone number change requirements
48   Automatic sign-on controls
49   Telephone trace requirements
50   FTP access controlled
51   Are patches tested and applied?
52   Software distribution current
53   Employee policy awareness
54   Emergency incident response plan/procedure
55   Internal applications control
56   Proper control of the development environment
57   Software licensing compliance review
58   Portable device (laptop/notebook/PDA) handling procedures
59   Storage and disposal of sensitive data/information
60   Default password controls and settings
61   Review of off-site storage for disaster recovery resources
62   Unnecessary services disabled
63   Client/server data transfer analyzed and secured
64   Restrict telnet and r-commands (rlogin, rsh, etc.)
65   Configuration management procedures
66   Tracking port scans
67   Review monitoring responsibilities
68   Separation between test and production environment
69   Strong dial-in authentication
70   System administrator training
71   Voice system protection procedures
72   Tunneling for all remote access (inbound or outbound)
73   Encryption of laptops
74   Management awareness
75   Program and system change control procedures
76   Open "inbound" modem access for vendor support
77   Modem usage policy
78   Incident event coordination (procedures)
79   Intrusion detection system (IDS) implementation and monitoring
80   Monitoring Web site for attacks (internal and external)
81   Domain Name Server monitoring
82   Hardware maintenance requirements
83   Hard drive repair, maintenance, and disposal procedures
84   BIOS (Basic Input/Output System) boot order
85   E-mail content policy and monitoring
86   E-mail forwarding policy (hopping)
87   Spamming controls and testing procedures
88   Employee termination and credential disablement
89   After-hours sign-in logs
90   Network sniffer policy, procedures, and monitoring
91   Validity of e-mail accounts
92   Background checks before hiring
93   Administrator accounts and password controls
94   Time synchronization procedures
95   Establishment of a Security Committee
96   Testing process for LAN applications
97   Business unit security person designated
98   Log and review of all Administrator changes
99   Review and resolution of past audit comments
100  Audit logs secured

Managing a Network Vulnerability Assessment


Thomas R. Peltier, Justin 2003