Category Archives: Vulnerabilities

Sentrix – Defending Your Web Presence

Sentrix

What is Sentrix ? – Sentrix is a company that provides defense for your web presence on their hardware and not yours. This includes database backend protection from having a hardened front end. In addition they provide DoS, DDoS, and web application protection. I am sure I am missing a few others but you get the point. What really makes me think this company has a sound cloud based solution is that its context aware. This is akin to being application aware like with Palo Alto firewalls.

Sentrix reviews the site and based off the context it builds a replica of the site. Proof of conepts can be built in 24 hrs for testing with no impact to production servers. It’s really worth it to go for a test drive and watch how this works. That leads us to the next topic of how it works. When Sentrix scans and reviews your site it creates two categories in which the presentation and functionality resides. One bucket is called the presentation bucket and the other bucket is called the business transaction bucket. It also builds whitelist rules that allows some transactions to go back to the original server (your server) like username/passwords and authentication. Everything else stays right there on the replica.

When a site is built you have access to a dashboard where you can start working on your field validation for what characters and actions are allowed in each field. each replica automatically provides rules for you to start with becuse its context aware. Here going forward you can edit them as well as network settings. You can also use human validation settings like captcha to help ensure people are viewing and not scripts or bots.

DoS and DDoS protection is done by creating rules for a queue if connections increase rapidly. It will also spin up more gateways as needed to service the load of connections. Also, you can just deny connection rates over a certain rate to ensure that your site stays up. So yes web application, Application DoS, and other threats can be mitigated with Sentrix. I am very impressed with the technology. Now they just need some Superbowl commercials and I think everyone will get the message.

Benghazi – Interview with Dr. Steve Pieczenik and Alex Jones

Here are some notes from the following video. My two cents are in *between stars*

I can only type so fast….

Dr. Steve Pieczenik: Pieczenik was deputy assistant secretary of state under Henry Kissinger, Cyrus Vance and James Baker. [3] His expertise includes foreign policy, international crisis management and psychological warfare.[7] He served the presidential administrations of Gerald Ford, Jimmy Carter, Ronald Reagan and George H.W. Bush in the capacity of deputy assistant secretary.[8] Former State Dept Rep from the Carter administration with 20 years’ experience.

Dr. Steve Pieczenik:
Benghazi was an illegal operation from the get go. Just like the wars in Afghanistan and Pakistan.
There was no congressional approval for these wars. It was signed off by President only. The father and
Mother of Obama was CIA and so he is trained as CIA. Amb Stevens and the others were killed at the hands of Hillary Clinton whom has let others die before in other incidents. They have been letting go Generals because of their will to act.

General Ham and Admiral Gaouette should never have stood down and just kept going. The CIA operatives had the place seized up. However, the military we have now is a nonfunctioning military. All they want is positions and money but no heart and are war mongering but no concept of it. There is a war going on among various functions of government in Washington. *A divided house cannot stand.* Benghazi CIA was made to happen by Panetta and Patraeus. Now they are mercenaries using drones
for attacks on select targets. Illegal as the consulate is not a place for this type of work of detaining prisoners and extracting information from these people. We have been running a lot of secret wars under Obama. We have a culture clash going on. Civilian leaders that lead the US into wars in Vietnam, Iraq Afghanistan have to step down.

The Generals watched while their own men were killed that need to come forward have been given cover stories. Martin Dempsey is a coward and so is Panetta. These guys are idea people and have no solution on how to handle things. Benghazi was the final place where the civilian and the military had a clash on who was in charge. It was a place where the Civilians could get rid of all the generals that have no merit and are backing the whitehouse to be in the places they are now. The military stepped down and should not have. 14 military people have been discharged since this incident. This was a coup
attempt by the military but they backed down and they are going to pay a price for this.

The person that is missing in all of this is Bob Mueller, head of the FBI. He has a dangerous history and took part in the cover up of 9/11. John O. Brennan is another bad apple. All a part of a cover up. Mueller now has to be investigated again for this recent 9/11/2012 incident. In addition, Muller has illegal monitored elected officials. *This kind of goes along with Glen Beck’s story that “we have many people watching you Patraeus…resign please”.*

Now the government is going towards drones and reducing the size of the army. *Why deal with people when computers do what you say without any disobedience or failure.* So now we are heading for a cyber-war and cyber security theater as we move forward. This environment is changing. Obama is going towards impeachment with these illegal wars. It is not just the President but others have helped in this. His ways of operating as a CIA operative in the executive office are numbered.

*Are we going to go in another major war? No. What they are trying to do is take the weapons away from people to get us ready for being monitored electronically and by drones. There are now 50 states with petitions to secede.*

Alex Jones: Does the federal gov’t have legitimacy not to allow states to secede?

Dr. Steve Pieczenik: No, they have lost all that and now the people of America are on to what is going on with government. The greatest problem in the US for national Security is our national debt.

Actions to fix the problems:

1) There should be a Bob Mueller investigation and have him locked up.
2) CIA should be investigated and should be eliminated.
3) Generals in the military should be dismissed right away.
4) Everyone above the Benghazi attack should be impeached and indicted, Clinton, Obama, Chairman of DNI
5) GENERAL DEMPSEY should be court marshaled

Dr. Steve Pieczenik Congress is dead, and the people see the cover up from the first 9/11/2001 in this 9/11/2012. Revolution is needed but not a violent one but a complete swap out of the elected to the unelected.

Verizon Case Study on a Hacking Event

The following case study provided by Verizon shows a great deal of competence and intelligence from their Computer Forensics Services. Read that link, intriguing.

Since the retailer had some attitude of posturing and that “nothing” bad can happen to our PCI data processing machines; things turned for the worse. The event captures what bad things insiders can do to a network. In this case study all client data was being stolen. Imagine you bought something at the store, the retailer has been around for years, and you think your credit card information is safe. Think again!

The case study points out that someone on the inside was using the VPN device to get in. Now you are thinking if they have access to the VPN, it must be OK and they are approved. Yes and no is the answer. Yes, they were approved for VPN access but no, they were not approved to steal customer credit card information. This is where someone at a 3rd party provider of services went rogue.

They eventually caught the person because they tracked it down to their IP address in Eastern Europe. Obviously this hacker got lazy because there is a way around this as well. He used his real IP address and went across Verizon ISP hand-off to the retailer at one particular store. The law enforcement drafted up a prosecution letter and had him indicted on the charges of credit card theft and possible identity theft. Now they would have to extradite the individual to the US for prosecution and that will take some time.

The take-away from this is to stop and think. “Are my computer and information systems really secured?” You have to ask yourself this question. There are external threats and internal threats. if a VPN connection gets compromised from the outside device than tracking the event down will be difficult but not impossible. You have to look for odd access logs and write/modification times on files for clues.

People, please do not go this alone. Your company, way of life, and your reputation cost far more than the cost to ensure your devices and processes. Please seek out help today from a knowledgeable Information Security Assurance professional.

Thank you,

Kevin Pescatello
Network Security Engineer
Netwerk Guardian LLC
CCNA Security #11488924
Certified Ethical Hacker v6
Computer Hacking Forensic Investigator v4
V (860) 556-3001
F (855) 864-5500

Explosive findings about DHS operations in Congressional Report

Explosive findings about DHS operations in congressional report
Thank you Hagmann and Hagmann for this report. Doug and Joe Hagmann are a father and son team bringing investigative reports that have teeth and take a bite out of the mystery we see in many events in the media today. Seen below is the table of contents that is just the beginning of the research used to measure how well the DHS is operating That one big agency that swallowed up other agencies in hopes to do what, run better?

It is reported that the DHS has two chains of command, most likely one where stuff gets done and one where they pretend stuff gets done and correctly Like Bizarro Superman under charge of the lovely (edited so many times), Janet Napolitano Reading the following table of contents alone, will blow your mind.

DHS Investigative Report by Senate Sub Committee

FEDERAL SUPPORT FOR AND INVOLVEMENT
IN STATE AND LOCAL FUSION CENTERS
TABLE OF CONTENTS
I EXECUTIVE SUMMARY 1
II SUBCOMMITTEE INVESTIGATION 5
III BACKGROUND 10
A History 10
B DHS Intelligence and Analysis (I&A) 17
(1) Homeland Intelligence Reports (HIRs) 18
(2) I&A Personnel 20
(3) Drafting Fusion Center HIRs 22
(4) DHS Enhanced Review of HIRs 23
C Funding State and Local Fusion Centers 24
IV DHS’ SUPPORT FOR AND INVOLVEMENT IN STATE AND LOCAL FUSION
CENTERS DOES NOT GENERATE TIMELY, USEFUL INTELLIGENCE FOR
FEDERAL COUNTERTERRORISM EFFORTS 26
A Overview 26
B Reporting from Fusion Centers was Often Flawed, Unrelated to Terrorism 31
(1) Some Reports Had “Nothing of Value” 32
(2) If Published, Some Drafting Reporting Could Have Violated the Privacy Act 35
(3) Most Fusion Center Reporting Related to Drug Smuggling, Alien Smuggling,
or Other Criminal Activity 39
C Terrorism-Related Reporting was Often Outdated, Duplicative, and
Uninformative 40
(1) Some Terrorism-Related Reports Were Based on Older Published Accounts 40
(2) Many Terrorism-Related HIRs from Fusion Centers Appeared to Duplicate a
Faster, More Efficient Information-Sharing Process 42
D DHS Intelligence Reporting Officials Who Repeatedly Violated Guidelines
Faced No Sanction 45
E DHS Did Not Sufficiently Train Its Fusion Center Detailees to Legally and
Effectively Collect and Report Intelligence 47
F “Two Different Chains of Command” 51
G Short-Staffing and Reliance on Underqualified, Underperforming Contract
Employees Hampered Reporting Efforts 52
H Reporting Officials Aren’t Evaluated on the Quality of Their Reporting 54
I A Hastily-Implemented and Poorly Coordinated Review Process Delayed
Reporting by Months 55
ii
J Retaining Inappropriate Records is Contrary to DHS Policies and the
Privacy Act 57
K Problems with DHS Reporting Acknowledged, But Unresolved 59
V DHS DOES NOT ADEQUATELY OVERSEE ITS FINANCIAL SUPPORT
FOR FUSION CENTERS 61
A Overview 61
B DHS Does Not Know How Much It Has Spent to Support Fusion Centers 62
C DHS Does Not Exercise Effective Oversight of Grant Funds Intended for
Fusion Centers 64
(1) FEMA Monitoring Reports 65
(2) A-133 Audits 70
D DHS Grant Requirements Do Not Ensure States Spend Fusion Center Funds
Effectively 71
(1) Using Fusion Center Funds on Chevrolet Tahoes 73
(2) Using Fusion Center Funds on Rent 75
(3) Using Fusion Center Funds on Wiretap Room 77
(4) Using Fusion Center Funds on Computers for County Medical Examiner 78
(5) Using Fusion Center Funds for Surveillance Equipment, Computers,
Televisions 79
(6) Using Fusion Center Funds for Shifting Information Technology Needs 80
VI FUSION CENTERS HAVE BEEN UNABLE TO MEANINGFULLY
CONTRIBUTE TO FEDERAL COUNTERTERRORISM EFFORTS 83
A Overview 83
B Two Federal Assessments Found Fusion Centers Lack Basic Counterterrorism
Capabilities 85
(1) 2010 Assessment 85
(2) 2011 Assessment 88
C Despite Promises, DHS Has Not Assessed Fusion Center Performance 89
D Some DHS-Recognized Fusion Centers Do Not Exist 90
(1) Wyoming 91
(2) Philadelphia Fusion Center 92
E Many Fusion Centers Do Not Prioritize Counterterrorism Efforts 93
F DHS “Success Stories” Do Not Demonstrate Centers’ Value to Counterterrorism
Efforts 96
(1) Najubullah Zazi Case 96
(2) Faisal Shahzad Case – NYSIC 98
(3) Florida Fusion Center 99
(4) Francis “Schaeffer” Cox Case 99
iii
Fusion Centers May Have Hindered, Not Aided, Federal Counterterrorism
Efforts 101
(1) Russian “Cyberattack” in Illinois 101
(2) Shooting of Representative Giffords and 18 Others 103
(3) Missouri MIAC Militia Report 104
VII RECOMMENDATIONS 106

Hypothetical DDoS (Part 2 of 2)

Recently a DDoS attack was carried out on the University’s network preventing legitimate users from enrolling or managing classes. The forensic analysis was able to determine what service and agents were causing the attack with Wireshark sniffer. The results showed that there were a multitude of infected computers operating in a botnet to initiate this DDoS.

In order to safe guard against future attacks Netwerk Guardian LLC has outlined and provided detailed application of security measures. These security countermeasures will help secure devices and remove attack vectors leaving only zero day and human related risks. The first step is to secure the devices that operate and manage the network. This would be devices like routers and switches that provide network access from inside to outside the University. Steps taken here will be to eliminate half open TCP SYN connections where a device sends SYN or SYN ACK requests and then leaves the session open not responding to ACK sent by the target. Eventually the router or switch becomes overwhelmed and starts to fail or crash. Adjustments to avoid this can be made on routers and switches. Moving on to routing vulnerabilities in routers out of the box would be to turn off CDP enable globally and remove directed broadcasts. Furthermore, the source routing feature should also be turned off as this can be used by attackers to tell packets how to route by strict or loose source routing. Proxy arp and gratuitous arp should be disabled. Proxy arp is when a device answers a request on behalf of the sending device. Gratuitous arp is associated with answering responses to arp requests not initiated by the router. Some vendors that schools use is 3com or now HP since their devices are plug and play. However, the gratuitous arp settings in here have been turned on so that the switch knows when it drops from a layer three device to a layer two device.

The new generation of switches is now more than just layer two as they are referred to as layer three switches. This means they can switch and route like routers. There are many similar features that need to be turned off and disabled like in routers. Gratuitous arp is one of those features. Another procedure that would be good to practice is access control lists (ACLs) for interfaces and interface vlans. These ACLs can stop traffic before it gets to a destination. Advanced configurations on the enterprise class of switches is to use private vlans and community vlans as well as Vlan Access Control List (VACLs). Looking at these configuration items a network administrator could have blocked the DDoS attack by hiding the server in a private or community vlans. Private vlans can be broken down into primary and secondary vlans. According to Wikipedia the following is true; “Primary vlans usually communicate with only an upstream port for all their requests. This is good for the ISP internet drops to a house or if the university wanted to drop an uplink to a computer lab. All the routing and rules would take place upstream. Secondary vlans come in two types isolated and community. The hosts in isolated vlans are only allowed to communicate with primary vlan and not with each other and the devices in the community vlans are only allowed to communicate amongst themselves and the primary vlan and not any other vlan” (Wikipedia, 2012). Had the University applied this type of topology to their local area network (LAN), they would have avoided this with the addition of a virtual IP address appliance (VIP). Using private vlans along with a virtual IP address appliance would have provided the protection from a flood of packets. The switches would have only allowed certain traffic to come from inside and multiplexed over to the server from the VIP. Multiplexed means creating a connection from an IP address based off of ports only that meet the protocol type and sequence. This would show a demonstration of secondary isolated vlan communication to a device upstream in the primary vlan for the requests and then out to the LAN.

The close look at device configurations in the preceding section has covered a lot of detail of what comes out of the box and what must be configured to secure the device and the network. We are now going to step back and discover a defense in depth architecture. Defense in depth means more than to patch our devices, use strong passwords, and control who or what interfaces with the device but also to have a series of defense mechanisms. One would be the firewall that might be a router or come in line after the router. These devices are good at stopping DoS, and DDoS attacks. This is akin to a steel fire proof front door in other words doing the heavy work. Next thing to place on the network are two switches to redistribute the uplink connection to the core of the network but only after passing through an intrusion protection system (IPS). The IPS sits in line with traffic and passes it along to the network after it has reviewed what is coming in. Then the traffic can go to the core devices and allow the LAN traffic to interact with the outside world. Taking security a step further one can use and Intrusion Detection System (IDS) and this can scan traffic to determine if it is safe or not but it does not stop offending traffic. In most cases these devices are setup to pass traffic through but record what types of attacks are being demonstrated. IDS device can sit in DMZ zones in a honey pot network to attract and learn from attackers as well as sit in on a LAN. The next step is to bring all the data calculations and protective method together to an appliance like Cisco MARS that processes the events and makes correlations for useful information for Information Security Personnel. Then the security professional makes an informed decision on what should be done.

Security is not just a purchase but a plan and it must be built into a network and not attached to a network. Using application layer firewalls and deep packet inspection firewalls allows for more granular approach at security. Packets are just packet and if they are sequenced right they can get around security devices pretty easily. The network administrators have to start reviewing not only sequence but size of packet and in some cases what’s in the packet. Application layer gateways or proxy devices can do that. The University could have used a proxy server to broker the requests from authenticated users before allowing access to the server. This can provide accountability plus assurance that the traffic is legitimate.

In conclusion the best security is built into a network with monitoring occurring at all locations. The University needs to implement this topology so they can receive intelligent information that will allow them to act in a moment’s notice. A DDoS will be much harder to accomplish with this preceding infrastructure.

Hypothetical DDoS – (Part 1 of 2)

The Yourtown University campus had on site computer labs to offer the local attending students. The University offer many supporting services for their students as they progress towards their degree. During the 2011 spring enrollment the web based class registration system had suffered a DDoS attack. The University network team found that the attack originated from the inside. The following explains how the attack occurred and the countermeasures required to circumvent this in the future.

Early in spring 2011 enrollment for the new term, Yourtown University online class registration system was not available during business hours and often into the evening hours. The IT Dept. had investigated the first week and determined that the web server kept crashing. Every few hours they had to restart the web server to recover the web services for online registration. An investigation had begun to see if the IIS server was failing from a bug or a patch. In the next week to follow the web server started crashing more and more and the outages started to increase. The network administrators had been capturing traffic during the first occurrence and noticed that there was a sniffer on the network in promiscuous mode listening to all traffic. They not only noticed one sniffer but multiple sniffers in different Computer Lab networks across campus. A decision was finally reached that someone had placed software based sniffers on different lab computers and was using an email relay service to send captures to a cryptic labeled email address.

During the next phase of the investigation the network administrators had tracked down the computers with the sniffers and removed them from service for analysis. The forensics team had discovered that the computers had as netcat installation on each box in the default admin share that allowed remote control of that computer. The attacker had gained access to the administrator username and password. The netcat server acted as the terminal server allowing more scripts for DNS poisoning and programs to be dumped on the offending machines. They also found a stripped down packet capture program that captured traffic and emailed text files in increments of 1.5 megabytes. Once the attacker could load files on the computer he had sent bots out that would send smurf attacks with the return answer to the class registration server. Also they discovered remnants of the Low Orbit Ion Cannon used for stress testing network devices.

Yourtown University called on the help of their super star student Kevin Pescatello to assist in providing countermeasures to safe guard against this threat from occurring. Kevin’s experience with the Trustwave NAC device came to mind and suggested the purchase will return the investment in up time and reputation of the school. It will allow the students to sign and purchase and pay for classes more consistently. This device performs network admission control and can be used on both hardwire and wireless networks. The device capitalizes on some unique processes that are under patent. The setup is to place the device on one the core switches and have it managed by one port while monitoring all the vlans in another port. Preferably two ports for monitoring that also allows mirroring and being inline like an IPS (Intrusion Protection System). One of the key features of the device is its ability to counter network traffic with a man in the middle attack (Trustwave, 2012). When a user joins the network they have to sign in and get scanned for compliance for antivirus and that updates are turned on. Once they meet those requirements and they can successfully log on. This allows the policing of the internal networks and reduces internal threats. The network administrator can customize the logged in profile to monitor each machine for more than twenty connections and for the number of devices they are scanning to be no more than ten. When these thresholds are met and exceeded the network admission control device steps in and moves the user to the underverse. In the underverse there is no Ethernet or internet. The violating user remains isolated for a period before being allowed to authenticate and play nicely. Notably, there is a feature called deception. Once deception is turned on the end user that scans addresses has his requests intercepted by Trustwave NAC and there is no response. The attacker’s goal is thwarted.

Yourtown University has contracted out with Netwerk Guardian LLC to install and train the network staff how to use such a device. This cost will be budgeted for in the next fiscal year. The return on investment as stated prior is continued uptime for network resources, reputation, and the lower administrative cost for IT and bursar’s office. This device will authenticate each student and make known who is coming from where. There are many features that are rather technical that describe what attack vectors can be thwarted. Among include DDoS, smurf attacks, IP spoofing, man in the middle, port scanning, and sniffing. Most of the aforementioned attack vectors or a variant was used in this incident.

Vulnerability Assessment – Should it be Done in House?

When it comes to a security assessment of your businesses IT assets and infrastructure, who does it? You or the other guy?

Outsourcing Vulnerability Assessment

Outsourcing Vulnerability Assessment

Difference between Vulnerability Assessment and a Pentest?
The difference between the vulnerability assessment and a pentest is that a vulnerability assessment just finds the holes and does not exploit them. In the penetration test, security professionals think like hackers and try ways to use vulnerabilities to get inside the network. When conducting the vulnerability assessment you want to pay attention to scanning the assets with the right software and try to find the vulnerabilities that the hackers will find. The penetration test is where the vulnerability is exploited and a server is owned or a network is compromised with data flowing out to a hacker. In either scenario, the company must define its assets so that they know what they are going to test and assign ownership. While trying to test for weaknesses you might as well prepare for ISO 27001/2 audit.

A good example would be to take GFI LAN Scanner and scan a network with current definitions of known vulnerabilities loaded. The results should show that there are systems that need to be patched. The same goes with Microsoft Baseline Security Analyzer. This will find the difference in levels of a Windows operating system of where it is and what level it needs to be for patching. Taking a closer look at penetration testing would be for a hacker to play the bad person and enumerate the network from logged in credentials. Then using meterpreter packaged in a game, the unsuspecting user downloaded. Now the attacker can escalate to a system account privilege to change the user account to an admin account on the box. This type of test is the essence of a penetration test where the hackers has inserted themselves and are gaining a foothold and escalating privileges to do more harm.
 
Vulnerability Assessment
In order to conduct a vulnerability assessment correctly you have to define your assets and organize them. Know what you have and know what you want to test. This could mean assigning ownership of the asset being defined, and analyzed. Next you should get a few tools to help with the assessment. Pick up a tool or two that measures risks on software like operating systems and one that does networks. Next before doing any work on the infrastructure put in place a communication tree between the CIO and the outsourced vendor. This way if something does impact production network someone can stop it or inform the staff that it is expected today if need be. Later, after the outsourced vulnerability assessment is conducted the company IT department may want to have some policy and procedures out lining a scheduled assessment.

The next thing you want to do is calculate the risk. Most often it is the quantitative assessment then qualitative. However, here are the two assessments presented by the two formulas; Calculate Risk = Vulnerability X Attacks X Threat X Exposure (Snedaker, 2007). This will definitely get you a dollar amount but there is some subjective evaluation of the attack and exposure. Again, this qualitative weight in the quantitative formula is like a hybrid. Unless you are benchmarking from proven studies to extrapolate your numbers, it will have some subjective input. The latter formula could be more qualitative, as the reference to the frequency will be subjective in the first year run. The next subsequent years can more easily defined as quantitative. A historic record will assist you in the following years.

When the company gets to writing a policy for their own quarterly scanning and assessment, they should have it written as a policy. The policy will state when and by who the vulnerability assessment should be done. There will be an accompanying procedure outlining the exact steps to take that have been proven and approved. This will aid them in becoming closer to an ISO 27001/2 compliance as well as safeguard their assets.

Decision Point over Dilemma
The company has a dilemma either to proceed with their own assessment or hire out to third party. Realistically you should stick to what you are good at. This means if your IT department has the history of performing such analysis then proceed. However, this small company doesn’t have the manpower. Knowledge of is not the same as working knowledge. What is important to the company IT department in the assessment. Is it the scan type, assets, demonstrated effective use of vulnerability assessment, and industry experience. Industry experience is going to account for a lot of what the company IT department is lacking in this disciplined practice. You need to have focus and experience to know what is going to work and what will not. The company IT department does not have the luxury of time for honing their skills. Another inherent risk is complacency of the environment. This doesn’t mean the IT department is tired of the place it works in it just means that not all assets are going to come to mind when some devices or do not get used all the time.

What are we looking for in the assessment? In a normal vulnerability assessment the professional team will look for systems, server, and networks that have not patched to a protected level or hardened systems. Hardened systems are systems that are running with only the services they really need to run and have some protection whether a trusted computer system or firewall. Systems that are patched to the right level and have no known vulnerabilities are the goal of any assessment. Getting to that secured level and preserving it through continuous monitoring. The company IT department may not have such knowledge and therefore not the best selection for running the assessment.

Company Action Items
The IT Security Professional is designated technical lead for the assessment. The action items are to find and catalog all assets both hardware and software for the assessment. What the technical lead will do is group together all network subnets unto themselves if more than one. They will also find the different types of operating systems and group those together. The next step is to find the different software that is used as a service with in the company for the assessment. This means servers that share out software and services all must be identified and listed for versions and type. An example would be a list of all database servers. Out of the database servers you will list the ones using MS SQL, Oracle, and which use a web front end with html. In addition, the technical lead will find the database servers whose front end is driven by SOAP, or AJAX and any other like java. This list will be exhaustive but it will declare the assets and the exposure type they possess. Also this will be used for the outsourced company performing the scan.

Risk from Internal Vulnerability Assessment
The risk you have to conducting an assessment on your own is knowing enough to be dangerous but not enough to be effective. The expertise of security consultants is then drawn upon to do the assessment. While performing your assessment you may omit to test certain other parts of the network or devices you don’t use or manage. You might even fail to test a security objective that is a major flaw from a vendor or technology implemented. This would require special attention because some businesses have contracts with other companies based on an ISO rating. This means that the company either knows how to produce consistent results or hires a company to assist in providing the infrastructure for consistent results. A consultant would either find the requirements for the vulnerability assessment. This is very important to make the assessment a valid one.

Teaming up with 3rd Party Security Experts
The company has realized that while their Information Security professional is quite well versed in their profession that they will be seeking outside vendor to assist in the vulnerability assessment. The first thing the company needs to do is get legal advice from an attorney that has knowledge of technological testing where intellectual property, assets, and risks operate in the same arena. The lawyer has to be knowledgeable about USC 18 Section 1029 & 1030, PCI, Sarbanes Oxley, as well as other laws about privacy and disclosure. The company will coordinate with the lawyer to make sure that the vendor they choose to go with operates under an agreement.

Now the company has to find a reputable company to perform this assessment. This agreement will be the legal document that authorizes and binds the two parties to operate professionally with the client’s interest as a focal point. The company providing the service will provide names of the team members that will be coming onsite or offsite to perform the test. They will have to comply with company policy that the participants all have to be US citizens and have a clean criminal record or one that has been made right provided by documented testimony of character and a signature of said individual recommending them for this service.

The two companies design an agreement/contract that details what is and what is not to be scanned as stated in slides 6 and 9. The agreement also has to include that there is liability coverage and the 3rd party has errors and omissions insurance. The contract will further read that if anything happens outside the scope of the test both parties will attempt at mutually agreeing to a course of action verbally to rectify the situation. No fault clauses can be agreed upon but rarely is that allowed and is contrary to getting legal direction. Later, the course of action taken will be written as an addendum to the agreement and signed by the officer of each company legally able to form agreements. Once this document is done and the vulnerability assessing company has written consent to perform the test, then they can begin on the agreed upon date.

In the agreement the technical lead (Information Security Professional Employee) will have the entire topology mapped and each test area scheduled for testing. All the details about what is to be tested can also be outlined in here. This is where the Information Security Professional can make known what devices or types of scans are allowed and not allowed. Most scans are noninvasive or unable to interrupt production. It is an approach that is over the top but when you are talking about intellectual property, data privacy of people, and the general operating capacity of a business, there are no short cuts. The agreement has to state what will be tested, how, when, and the objective. There will be a schedule to follow and a communication tree to call if things go out of focus or assets are becoming unusable.
 
Vulnerability Assessment
After the vulnerability assessment has been conducted a report of such results should be created. The results could be matches to the ones found on the publically known Mitre CVE list. Also, the company can proactively start looking ahead at the CVE site for more vulnerabilities in software that they currently use. When the third party vendor finds these vulnerabilities they are held to the contract for not disclosing their findings. In the process of doing the assessment they found ways into the citizen personal records database allowing them to have free range of the data therein. Again, the agreement states that no matter what they find in the course of the assessment they are not allowed to disseminate the information.

The vendor now has an accumulation of vulnerabilities and configuration settings and dependencies that need to be reported and presented for review. The report can be created by any software that they have chosen going into the assessment but the report must be hand delivered and not emailed. The report needs to make it to the desk of the Information Security Professional, CISO, and the CEO’s office. What happens after that is all the responsibility of the company. The reports should be reviewed with the company who provided the assessment to show what vulnerabilities were discovered and with what tools. They will show what needs to be done to correct this and then empower the company through council or outsourcing their assessments to create a schedule.

Report Details
Once the assessment is done the team has a report they give to the company. In it this report it will include all the assets as they were before the scan. This include the configurations and patch levels provided by the Information Security Professional and verified by the assessment team. The assessment team had given some indication of how the assessment was going to be conducted in the agreement but not at the detail provided in the report. In the report that follows the team tells how each group and in some case individual items were scanned. The results of the scans now need to be addressed. The assessment team provides a link to vendor specific pages for the upkeep of the software and it includes releases addressing security concerns. Also, the team provides an independent vulnerability site that provides a list of outstanding and recorded vulnerabilities for many vendors and advises the Information Security Professional to sign up for updates on the items they host.

The assessment team then provides steps for remediation that they can provide. These will include testing before patching by imaging the company servers and emulating their network architecture. This is an additional service the assessment team can provide for a price or the company can manage their own.

Routine Assessments
The schedule will be a routine check of the systems both hardware and software to see if there are any vulnerabilities not discovered and the ones that are patched are taken affect at protecting the asset. The Information Security Professional will then create a policy under the guidance of senior management and the CEO, that provides details of what actions have to take place in a quarterly scanning of the devices.

The scans should occur quarterly and at the last two weeks of the first month in the new quarter. This way any new vulnerabilities and published exploits get published. This give the company’s IT group time to test patches and deploy. The assessment gets processed the same every month as the initial assessment with reports being created in the third week. Executive reports get delivered to the CISO and CEO by 2nd week of the 2nd month for review.

The executive review can consist of the employees of the company or here the Information Security Professional reviewing the reports are on target for an ISO certification and accreditation. Any notes provided by the assessment team can be interpreted as a strategic vision for the IT department in the up and coming years.