0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.
Created by Keith A. Watson, CISSP, on March 1, 2005.
The information contained within this report is considered proprietary and confidential to the {CLIENT ORGANIZATION}. Inappropriate and unauthorized disclosure of this report or portions of it could result in significant damage or loss to the {CLIENT ORGANIZATION}. This report should be distributed to individuals on a Need-to-Know basis only. Paper copies should be locked up when not in use. Electronic copies should be stored offline and protected appropriately.
{CLIENT ORGANIZATION}
Security Assessment Report

Contents

Executive Summary ..... 5
   Top-Ten List ..... 5
      1. Information Security Policy ..... 5
      2. {Using Telnet for remote administration} ..... 5
      3. {Weak passwords} ..... 5
      4. {Security Issue #4} ..... 6
      5. {Security Issue #5} ..... 6
      6. {Security Issue #6} ..... 6
      7. {Security Issue #7} ..... 6
      8. {Security Issue #8} ..... 6
      9. {Security Issue #9} ..... 6
      10. {Security Issue #10} ..... 6
Introduction ..... 7
   Scope ..... 7
      Project Scope ..... 7
      In Scope ..... 7
      Out of Scope ..... 7
   Site Activities Schedule ..... 7
      First Day ..... 7
      Second Day ..... 7
      Third Day ..... 7
Background Information ..... 8
   {CLIENT ORGANIZATION} ..... 8
Asset Identification ..... 9
   Assets of the {CLIENT ORGANIZATION} ..... 9
Threat Assessment ..... 9
   Threats to the {CLIENT ORGANIZATION} ..... 9
   Vulnerabilities ..... 10
      The {CLIENT ORGANIZATION} has no information security policy ..... 10
      {State the Vulnerability} ..... 10
Personnel ..... 11
   Management ..... 11
   Operations ..... 11
   Development ..... 11
   Vulnerabilities ..... 11
      There is no information security officer ..... 11
      {State the Vulnerability} ..... 11
Network Security ..... 12
   Vulnerabilities ..... 12
      The {CLIENT ORGANIZATION} systems are not protected by a network firewall ..... 12
      {State the Vulnerability} ..... 13
System Security ..... 13
   Vulnerabilities ..... 13
      Users can install unsafe software ..... 13
      {State the Vulnerability} ..... 14
Application Security ..... 14
   Vulnerabilities ..... 14
      Sensitive information within the database is not encrypted ..... 14
      {State the Vulnerability} ..... 14
Operational Security ..... 15
   Vulnerabilities ..... 15
      There is no standard for security management ..... 15
      {State the Vulnerability} ..... 15
Physical Security ..... 15
   Vulnerabilities ..... 15
      Building Vulnerabilities ..... 16
         Several key doors within the building are unlocked or can be forced open ..... 16
         {State the Vulnerability} ..... 16
      Security Perimeter Vulnerabilities ..... 16
         There is no entryway access control system ..... 16
         {State the Vulnerability} ..... 17
      Server Area Vulnerabilities ..... 17
         The backup media are not protected from fire, theft, or damage ..... 17
Summary ..... 18
   Action Plan ..... 18
Executive Summary
In the last quarter, ABC Company gave additional attention to the security of its network and production services. Many measures were taken to protect valuable assets, especially the database server, because it holds the customer information. It was therefore a sound decision to engage a security assessment team to evaluate the effectiveness of those measures. The assessment found several issues in the database system, for example:
- a weak password policy;
- the use of unsecured remote administration methods;
- no patch management policy.
Top-Ten List
A top-ten list is used to highlight the ten most urgent issues discovered during an assessment. Clients unfamiliar with security may be overwhelmed by a long list of problems; grouping the major issues together allows the client to focus its efforts on these problems first. The list below contains the top ten findings, weaknesses, or vulnerabilities discovered during the site security assessment. Some of the issues listed here are coalesced from more than one section of the assessment report findings. Additional information about each is provided elsewhere in the report. It is recommended that these be evaluated and addressed as soon as possible. They should be considered significant and may impact the operations of ABC Company.
3. {Weak passwords}
We found an administrator account with a very weak password that can be guessed easily, which may allow an unauthorized user to access the system.
Confidential and Proprietary Information: Need to Know Page 5
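The finding above is the kind of thing a policy check makes concrete. The script below is an added example, not part of Watson's template or of any client deliverable: it applies an assumed password policy (minimum length, character-class mix, a deny-list of common passwords with leet-speak variants undone, and no account name inside the password) to a constructed set of credentials. The thresholds, the deny-list and SAMPLE_CREDENTIALS are all assumptions made for the illustration.

```python
"""Check a set of accounts against a password policy.

Added example for the weak-administrator-password finding; it is not part
of the original assessment template. The policy thresholds, the common-
password deny-list and SAMPLE_CREDENTIALS are assumptions / constructed
test data, not values taken from any client system.
"""
import re

# Assumed policy values (tune to the client's written policy).
MIN_LENGTH = 12
MIN_CHAR_CLASSES = 3
COMMON_PASSWORDS = {
    "password", "admin", "administrator", "123456", "qwerty",
    "letmein", "welcome", "abc123", "changeme", "root",
}
# Leet-speak substitutions undone before the dictionary lookup.
_LEET = str.maketrans("@$0134!", "asoieai")


def char_classes(password: str) -> int:
    """Number of lower/upper/digit/symbol classes present in the password."""
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for p in patterns if re.search(p, password))


def normalise(password: str) -> str:
    """Reduce 'P@ssw0rd1!' to 'password' so trivial variants are caught."""
    base = re.sub(r"[\d\W_]+$", "", password.lower())  # drop trailing digits/symbols
    return base.translate(_LEET)


def check_password(account: str, password: str) -> list:
    """Return the list of policy violations (an empty list means compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if char_classes(password) < MIN_CHAR_CLASSES:
        problems.append(f"fewer than {MIN_CHAR_CLASSES} character classes")
    if normalise(password) in COMMON_PASSWORDS:
        problems.append("common password (or trivial variant)")
    if account.lower() in password.lower():
        problems.append("contains the account name")
    return problems


def weak_accounts(credentials: dict) -> list:
    """Names of the accounts whose password violates at least one rule."""
    return [acct for acct, pw in credentials.items() if check_password(acct, pw)]


# Constructed sample credentials for the illustration (not real data).
SAMPLE_CREDENTIALS = {
    "administrator": "P@ssw0rd1",      # leet-speak variant of a dictionary word
    "dbadmin": "dbadmin2005",          # account name plus a year
    "backup": "Backup!",               # too short, contains the account name
    "jsmith": "Gv7#pLq2!mXz4RwT",      # compliant
}

if __name__ == "__main__":
    for acct, pw in SAMPLE_CREDENTIALS.items():
        problems = check_password(acct, pw)
        status = "WEAK" if problems else "ok"
        print(f"{acct:15} {status:5} {'; '.join(problems)}")
```

Run as written, the script flags administrator, dbadmin and backup and passes jsmith. It assumes cleartext values handed over by the client for a policy review; auditing stored password hashes is a different exercise (a cracking tool against the hash file), and either activity needs written authorization, which this report's Out of Scope section explicitly withholds for penetration testing.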
Introduction
Provide an overview of the report.
Scope
The scope defines the boundaries of the project and describes the on-site activities.
Out of Scope
The following activities are NOT part of this security assessment:
- Penetration testing of systems, networks, buildings, laboratories, or facilities.
- Social engineering to acquire sensitive information from staff members.
- Testing disaster recovery plans, business continuity plans, or emergency response plans.
Background Information
Use this section to talk about any relevant background information.
{CLIENT ORGANIZATION}
Describe the client organization.
Asset Identification
Describe the process of asset identification.
Each item on these lists also has a value associated with it, and each item's relative value changes over time. To determine the current value, it is often best to think in terms of recovery cost: what would it cost, in time, effort, and money, to restore or replace this asset?
Threat Assessment
Describe the process of threat assessment.
Vulnerabilities
Listed below are the vulnerabilities discovered during the assessment relating to law, regulation, and policy. These are considered significant and steps should be taken to address them.
Recommendations
Personnel
Describe the personnel at the client organization. Organize them into related groups. In this example, we have Management, Operations, and Development.
Management
Describe the management group.
Operations
Describe the operations team.
Development
Describe the development team.
Vulnerabilities
Listed below are the staff vulnerabilities discovered during the interviews with the {CLIENT ORGANIZATION} staff. These are considered significant and steps should be taken to address them.
Risk
There are several risks associated with {this vulnerability}. {Provide a list of risks.}
Recommendations
{Provide a list of recommendations.}
Network Security
Describe the state of network security at the client organization. List public network resources and sites. List partner connections and extranets.
Vulnerabilities
Listed below are the network security vulnerabilities discovered during the assessment. These are considered significant and steps should be taken to address them.
Recommendations
System Security
Describe the state of system security at the client organization.
Vulnerabilities
Listed below are the system security vulnerabilities discovered during the assessment. These are considered significant and steps should be taken to address them.
Recommendations
The operations team should:
- Remove users' privileges to install software.
- Remove unsafe software from workstations, reinstalling systems as needed.
- Establish a process for the evaluation and installation of new software.
Application Security
Describe the state of application security at the client organization.
Vulnerabilities
Listed below are the application security vulnerabilities discovered during the assessment. These are considered significant and steps should be taken to address them.
Operational Security
Describe the state of operational security at the client organization.
Vulnerabilities
Listed below are the operational security vulnerabilities discovered during the assessment. These are considered significant and steps should be taken to address them.
Physical Security
Describe the state of physical security at the client organization. Specifically, list the building, security perimeter, and server room vulnerabilities.
Vulnerabilities
Listed below are the physical security vulnerabilities discovered during the assessment. These are considered significant and steps should be taken to address them. The list is divided into vulnerabilities that relate to the building, the security perimeter, and the server rooms. The building group contains vulnerabilities within the {CLIENT ORGANIZATION} office. The security perimeter group includes the exterior office windows, doors, alarm system, and the surrounding area. The server room group is specific to rooms containing server equipment.
Building Vulnerabilities
Several key doors within the building are unlocked or can be forced open
Explanation
There are several important doors in the interior {CLIENT ORGANIZATION} office area that are normally unlocked or can be forced open even when locked. The door to the utility room is a hollow-core wooden door with no lock. The utility room contains the wiring panel for the telephones, a junction for the fiber optic cable, and the alarm system box. The room containing the modem pool is normally open and unlocked. The system administrator's office, which contains the office file and web server, is usually unlocked and open.
Risk
These doors protect valuable assets of the {CLIENT ORGANIZATION}. A determined attacker, thief, or disgruntled employee could get through these doors with minimal effort to steal or destroy those assets.
Recommendations
- Replace the current doors with stronger fire doors.
- Replace the existing door hardware with high-security locks.
- Weld exterior hinge pins in place.
unique access card (contact or contactless) for each person to enter. Advanced systems provide log information each time personnel enter the secure area.
Risk
There are several risks in not having an entryway access control system:
- Unauthorized people can enter secure areas unescorted.
- There is no record of personnel entries into secure areas.
- It is not possible to disable access for a specific person.
Recommendations
- Evaluate available and suitable entryway access systems.
- Develop appropriate procedures for assigning and removing access.
- Install an appropriate system and assign access rights.
Server Area Vulnerabilities
The backup media are not protected from fire, theft, or damage
Explanation
The backup media are stored near the backup system on an open shelf in the server area. The media could be stolen, misplaced, accidentally erased, dropped, or destroyed in a fire. If a system or data must be recovered, the media may not be available or functional when needed.
Risk
The operation of the {CLIENT ORGANIZATION} can be impacted if the backup media are not available due to theft, damage, or fire.
Recommendations
- Purchase and install a lockable, fireproof media safe.
- Secure it to the floor and/or wall.
Explanation
{Explain the vulnerability.}
Risk
There are several risks associated with {this vulnerability}. {Provide a list of risks.}
Recommendations
{Provide a list of recommendations.}
Summary
Summarize the report findings.
Action Plan
Provide an action plan that lists steps to be taken to improve security at the client organization.