Internet And Network Vulnerability Scanning With ISS
Part 2: Engagement Planning, Preparation, and Reporting
FAE/NYSSCPA, June 11, 2002
Tom McDermott, Cohn Consulting Group, a division of J.H. Cohn, LLP

Introduction
• Planning for a Network Security Evaluation
Topics of Discussion
• Gain an understanding of the client's operations
• Identify all of the network devices
• Determine which devices will be scanned
• Features of ISS Internet Scanner and System Scanner, and the differences between them
• Benefits of using ISS
• Pitfalls – what to watch out for
• Interpreting the ISS Internet Scanner and System Scanner vulnerability reports
• Translating the technical data into a format that is more accessible to the client's management
Identifying Network Devices
• The client's IT team should provide an IT asset inventory including:
  • Host names
  • Type of device
    • Router
    • Firewall
    • Server
  • Business function
  • IP addresses
  • Operating system and version
  • Physical location
• Management and IT should sign off on this list after reviewing it for completeness and accuracy.
Developing a methodology
• Management should identify the critical devices.
• Determine with management which devices will be scanned with Internet Scanner and which with System Scanner.
• Develop a written plan for running the scans and correcting the vulnerabilities:
  • Specify who will be responsible for running the scans (we will assume it will be you as the auditor).
  • When will they be run?
  • What levels of each scan will be used for both Internet Scanner and System Scanner?

Developing a methodology (cont.)
• What vulnerability levels will be addressed (High, Medium, Low)?
Installation of software
• If IT is responsible for installing the software, ask for a timetable for completion.
• Be sure that IT has included ALL IP addresses when the original license key is being cut. (If one is omitted, a new key must be cut.)
• Be sure the System Scanner agents are installed on all of the devices to be scanned.
Pitfalls
• Running an L1 inventory scan on an IP range that is too broad may create a denial-of-service situation.
• Get application owners to sign off on running the scans and on when they will be run.
• Keep a hardcopy offline record of the hostname and IP address of the System Scanner consoles. If a console is taken offline and its hostname and IP address are lost, the System Scanner agents will have to be reinstalled.
Resultant Vulnerability Reports
• Choose the type of ISS report you will use:
  • Executive reports
  • Line Management reports
  • Technician reports
• Choose the format of the ISS report you will use (Internet Scanner).
• Provide a copy of each scanner report to IT.
• Use an IT Asset Inventory worksheet to keep track of which IP addresses have been scanned.
Interpret the results
• Assemble all of the vulnerability data into an organized form (e.g. a vulnerability matrix).
• Review the scanner reports and identify any false positives.
• Re-scan after vulnerabilities have been corrected.
• Use the final scans to update any matrices that you have created.
• Use the final scans to create a report for Management based on any remaining vulnerabilities.
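The result-interpretation steps above (asset inventory worksheet, vulnerability matrix, false positives, re-scan, management report) as an added worked example; this is not code from the presentation or from ISS, and every record in it is constructed. The finding layout (IP, check name, severity) and the hostnames and checks are assumptions, not the ISS report format.

```python
from collections import Counter

SEVERITIES = ("High", "Medium", "Low")

# Constructed IT asset inventory (the signed-off list): ip -> hostname.
INVENTORY = {"10.0.0.1": "fw01", "10.0.0.254": "rtr01",
             "10.0.1.10": "web01", "10.0.1.20": "db01"}
# Constructed: the IPs the scanner actually covered (the worksheet column).
SCANNED_IPS = {"10.0.0.1", "10.0.1.10", "10.0.1.20"}
# Constructed findings as (ip, check, severity). This layout is an assumption,
# not the ISS report format; a real engagement would parse the exported reports.
INITIAL_SCAN = [
    ("10.0.0.1", "telnet-enabled", "High"),
    ("10.0.1.10", "iis-sample-scripts", "High"),
    ("10.0.1.10", "smtp-banner", "Low"),
    ("10.0.1.20", "sql-blank-sa-password", "High"),
    ("10.0.1.20", "netbios-shares", "Medium"),
]
# (ip, check) pairs verified with IT as false positives.
FALSE_POSITIVES = {("10.0.1.10", "iis-sample-scripts")}
# Constructed re-scan taken after IT corrected the High findings.
FINAL_SCAN = [
    ("10.0.1.10", "smtp-banner", "Low"),
    ("10.0.1.20", "netbios-shares", "Medium"),
]

def coverage_gaps(inventory, scanned_ips):
    """Inventory devices the scans never covered (worksheet reconciliation)."""
    return sorted(host for ip, host in inventory.items() if ip not in scanned_ips)

def vulnerability_matrix(findings, false_positives):
    """host -> {severity: count}, with confirmed false positives removed."""
    matrix = {}
    for ip, check, sev in findings:
        if (ip, check) not in false_positives:
            matrix.setdefault(INVENTORY.get(ip, ip), Counter())[sev] += 1
    return matrix

def reconcile_rescan(initial, final, false_positives):
    """Split initial findings into (corrected, remaining) using the re-scan."""
    real = {f for f in initial if (f[0], f[1]) not in false_positives}
    remaining = {f for f in final if (f[0], f[1]) not in false_positives}
    return real - remaining, remaining

def severity_totals(findings):
    """Counts per severity in High/Medium/Low order for the management report."""
    counts = Counter(sev for _, _, sev in findings)
    return {sev: counts[sev] for sev in SEVERITIES}
```

The unscanned router is the kind of coverage gap the worksheet is meant to catch, and the totals from the re-scan are what the management report is built on.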