Inside Network Security Assessment: Guarding Your IT Infrastructure
暫譯: 網路安全評估實務：保護您的IT基礎設施

Table of Contents 

Introduction.

 

1. Introduction to Assessing Network Vulnerabilities.

    What Security Is and Isn’t.

    Process for Assessing Risk.

    Four Ways in Which You Can Respond to Risk.

    Network Vulnerability Assessment.

      Types of Network Vulnerability Assessments.

      What Procedures Govern the Vulnerability Assessment?

      The Role of Policies in the Vulnerability Assessment.

      What Drives the Assessment?

      Managing a Vulnerability Assessment.

      Building Cooperation with Other Departments.

      Importance of Setting and Maintaining a Schedule for Assessments.

    Summary.

    Key Terms.

 

2. Foundations and Principles of Security.

    Basic Security Principles.

    Security Requires Information Classification.

      Governmental Information Classification System.

      Commercial Information Classification System.

      Classification Criteria.

    The Policy Framework.

      Types of Policies.

      Defining Appropriate Policy.

      Deploying Policy.

      Policy Life Cycle.

    The Role Authentication, Authorization, and Accountability Play in a Secure Organization.

      Authentication.

      Authorization.

      Accountability.

    Encryption.

    Security and the Employee (Social Engineering).

    Summary.

    Key Terms.

 

3. Why Risk Assessment.

    Risk Terminology.

    Laws, Mandates, and Regulations.

      Health Insurance Portability and Accountability Act (HIPAA).

      Gramm-Leach-Bliley-Act (GLBA).

      Federal Information Security Management Act (FISMA).

      Sarbanes-Oxley Act (SOX).

    Risk Assessment Best Practices.

    Understanding the IT Security Process.

    The Goals and Objectives of a Risk Assessment.

      Security Process Definition.

      Goals and Objectives of a Risk and Vulnerability Assessment.

    Summary.

    Key Terms.

 

4. Risk-Assessment Methodologies.

    Risk-Assessment Terminology.

      Risk-Management and Risk-Assessment Requirements.

      Defense-in-Depth Approach for Risk Assessments.

      Risk Analysis Approach for Risk Assessments.

      Asset Valuation Approach for Risk Assessments.

    Quantitative and Qualitative Risk-Assessment Approaches.

      Quantitative Risk-Assessment Approach.

      Qualitative Risk-Assessment Approach.

    Best Practices for Quantitative and Qualitative Risk Assessment.

      Quantitative Risk-Assessment Best Practices.

      Qualitative Risk-Assessment Best Practices.

    Choosing the Best Risk-Assessment Approach.

    Common Risk-Assessment Methodologies and Templates.

    Summary.

    Key Terms.

 

5. Scoping the Project.

    Defining the Scope of the Assessment.

      Driving Events.

      Initial Meeting.

      Becoming the Project Manager.

      Staffing the Assessment Team.

      Kickoff Meeting .

      Building the Assessment Timeline.

    Reviewing Critical Systems and Information.

      Information Criticality Matrix.

      Systems Criticality Matrix.

    Compiling the Needed Documentation.

    Making Sure You Are Ready to Begin.

    Summary.

    Key Terms.

 

6. Understanding the Attacker.

    Who Are the Attackers?

      Attacker Types and Their Characteristics.

      Who Are the Greatest Threat?

      Insecure Computing Habits Are a Threat.

      Disgruntled Employees Are a Threat.

    What Do Attackers Do?

      Four Kinds of Attacks.

      Things That Attackers Attack.

      Goals and Motivations of the Attacker.

      Attackers Conduct Their Own Risk Analysis.

      How Do Attackers Attack?

      Tools That Attackers Use During the Stages of an Attack.

    Reducing the Risk of an Attack.

    How to Respond to an Attack.

    Summary.

    Key Terms.

 

7. Performing the Assessment.

    Introducing the Assessment Process.

    Level I Assessments.

      Reviewing the Documentation.

      Interviewing Process Owners and Employees.

      System Demonstrations.

    Level II Assessments.

      Vulnerability Scans.

      Level II Assessment Caveats.

    Level III Assessments.

      Vulnerability Exploitation.

    Summary.

    Key Terms.

 

8. Tools Used for Assessments and Evaluations.

    A Brief History of Security Tools.

    Putting Together a Toolkit.

      Information-Gathering Tools and Techniques.

      Scanning Tools.

      Enumeration Tools.

      Wireless Tools.

      Password Auditing Tools.

      Vulnerability Scanning Tools.

      Automated Exploit and Assessment Tools.

    Determining What Tools to Use.

      What’s the Best Platform to Install Your Tools On.

      Additional Items for the Toolkit.

    Summary.

    Key Terms.

 

9. Preparing the Final Report.

    Preparing for Analysis.

    Ranking Your Findings.

      Impact Rating.

      Probability Scale.

      Determining Raw Risk.

      Control Level.

      Calculating the Risk Score.

    Building the Final Report.

    Contents of a Good Report.

      Notice.

      Executive Summary.

      Introduction.

      Statement of Work.

      Analysis.

      Findings.

      Conclusions.

    Determining the Next Step.

    Audit and Compliance.

    Summary.

    Key Terms.

 

10. Post-Assessment Activities.

    IT Security Architecture and Framework.

      Goals and Objectives.

      Terminology.

      Defining the Structure and Hierarchy.

      Hierarchical IT Security Architecture and Framework.

      Sample IT Security Architecture and Framework.

    Roles, Responsibilities, and Accountabilities.

      Seven Areas of Information Security Responsibility.

    Security Incident Response Team (SIRT).

      SIRT Response Procedures.

      Security Workflow Definitions.

      Security Workflow Procedures.

    Vulnerability Management.

      Enterprise Vulnerability Management.

    Training IT Staff and End Users.

    Summary.

    Key Terms.

 

A. Security Assessment Resources.

    Security Standards.

      Common Criteria (CC) for IT Security Evaluation.

      FIPS PUB 140-1 and 140-2.

      ISO17799.

      GAO Risk Assessment Process.

      OSSTMM.

      DoD Rainbow Series.

      NIST.

    General Security Websites.

    Security Tool Websites.

 

B. Security Assessment Forms.

    Information Request Form.

    Document Tracking Form.

    Critical Systems and Information Forms.

    Level II Assessment Forms.

 

C. Security Assessment Sample Report.

    Notice.

    Executive Summary.

    Introduction.

    Statement of Work.

    Analysis.

    Recommendations.

    Conclusions.

 

D. Dealing with Consultants and Outside Vendors.

    Procurement Terminology.

    Typical RFP Procurement Steps.

    Procurement Best Practices.

 

E. SIRT Team Report Format Template.

    SIRT Incident Report.

 

Index.