Group Interviews
There is some debate about the value of group interviews. Many people argue that a group interview will silence the less outgoing but important members of the technical team. The group interview does provide a good opportunity to hear the opinions of the more outgoing personnel. Through observation, watching body language, and listening to the people involved in the group interview, the assessment team can see those people who have a difference of opinion from the dominant personality. The assessment team will want to be sure to interview those people individually.
■ Allow at least 1 hour for each senior management-level interview (C-level staff, president, and so on). Senior management-level interviews will generally be the shortest due to time constraints of people at this level, but they are also the most unpredictable and therefore need allocated time.
■ Allow 30 to 45 minutes for each user-level interview, but remain flexible so that the interviewees do not feel slighted.
■ Allow at least 15 to 20 minutes between interviews to allow relocation time and for jotting down final notes before transitioning to the next interview.
■ Try to group interviews by physical location where possible to avoid running across campus or across town to conduct interviews.
■ Leave room in the schedule for additional interviews.
Interview Environment
Make sure that the location in which the interviews are conducted is comfortable, ideally on the interviewee’s own turf. Remove any obstacles to the interviewee’s comfort, and try to avoid putting a table between the interviewee and the interviewer. This will help remove both physical and psychological barriers between the interviewee and interviewer, allowing the interviewee to feel comfortable and hopefully allowing for the free flow of information.
Attributes of a Successful Interviewer
Interviews are supposed to gain accurate information about the customer’s formal and informal processes. To effectively accomplish this goal, the interviewer must be able to break down barriers and gain trust, ask the right questions, and gain the information needed.
Breaking the Barriers
The person conducting the interview should not be a novice at interviewing. The interviewer cannot appear like an inquisitor from the Dark Ages. They must be personable, compassionate, and able to freely communicate. Effective interviewing has several characteristics that directly impact the effectiveness of the interview. The NSA IAM training course identifies several of these characteristics, as listed in Table 7.4.
It might also be useful to walk around the office area and get a glance at the work areas of the people to be interviewed. You might find indicators of individual and even group interests that could help break down communications barriers and serve as an indicator of interests that can be used to “break the ice.” You can tell a great deal about people by what is on their desks or on their walls.
From the Trenches…
Expect the Unexpected
Remain flexible, and be prepared for just about anything. The assessment team will be required to comply with all fire drills, tornado alert procedures, earthquake drills, and other customer emergency procedures while onsite. Be respectful of the customer and their procedures to ensure both the safety of the assessment team and returned respect from the customer. The customer will also need to be able to adjust the schedule in the event that someone must cancel or reschedule.
Table 7.4 Interview Characteristics
Interview Characteristic: Description
Empathy: Demonstrating an understanding of what the interviewee is stating through restating answers, clarifying meaning, and doing it with feeling. Stay involved.
Warmth: Being friendly, compassionate, and personable in the interview. Showing you truly care about the subject being talked about.
Positive regard and respect: Being open with the person about your experiences to help get them to open up to the interviewer. Showing faith in the person and accepting the information they are providing.
Ask open-ended questions: Ask questions that require more than just a Yes or No answer to get the interviewee to provide additional information. We need the interviewee to say what is on their mind; open-ended
Keep discussions on track: Allow the interviewee to express opinions, but also try to keep the interview focused on security-related issues.
Use tailored questions: Utilize questions that are tailored to the type of business area that the interviewee is part of. This helps to ensure understanding of terminology.
Good listener: The interviewer needs to have good listening skills, including the ability to show interest in what the interviewee is saying. He or she should also be able to read body language.
Be consistent in response to answers: Provide a consistent response to answers. Try to avoid showing over-interest or excitement about specific answers.
Record something for all answers: Take notes for all answers to avoid the appearance of overexcitement for specific answers. Interviewees get nervous if the interview team has taken no notes up to that point and then begins scribbling notes frantically when they begin speaking about a particular topic.
Allow the interviewee a final open opportunity to express thoughts: Give the interviewee a final chance to speak his or her mind before closing the interview. This is the interviewee’s chance to mention anything that might have been missed in the question pool or discussions and your opportunity to learn of any internal issues that might be unknown to this point.
Be on time: Arrive for the interview on time. The interviewee’s time is valuable, so please respect it.
End on time: Finish the interview within the allotted time. If you run out of time with this individual, schedule a time to try continuing the interview process. In some situations, particular individuals have a great deal of valuable information to share, and the assessment team will need to be flexible during these times. Don’t be late for the next appointment.
From the Trenches…
Breaking the Ice
I used to work as a government contractor in a program management position and had to spend a great deal of time interfacing with the division chief of the government group we were working with. On his office walls were pictures of his kids and himself with a bunch of fish they’d obviously caught—not just one picture, but at least 20. There was an immediate ice breaker: being able to talk about fishing or family. Another possible approach is to look for indicators of favorite football, baseball, or other sports teams. Look for common interests to help open the interviewee up during the discussions.
Be careful not to be intrusive during the interview process. If the interviewer influences the interview through his or her own personal views, it can taint the results. In this case the interviewee may tell the interviewer what the interviewer wants to hear, or the exact opposite of what the interviewer wants to hear. What you really want out of this process is the truth.
Gaining Needed Information
The interview process is intended to help the assessment team gain information about the customer’s actual security practices so that they can complete an analysis of the customer security posture. This is accomplished through asking questions and taking good notes that can then be reviewed during the analysis process.
Taking Notes
Notes are an important part of the interview process. The assessment team needs to keep some reference from the interviews for review during the analysis process. Generally it is beneficial to have a second person in the interview taking extensive and constant notes so that the primary interviewer can concentrate on eye contact, discussion, and clarification with the person being interviewed.
Recording the Interview
Interview recording is another debated subject. Recording an interview can provide the assessment team with an easily referenced source and doesn’t require that extensive notes be taken. The negative side of recording the interview is that it may make the interviewee uncomfortable and may eliminate the nonattribution aspects of the interview, since the recorded interview could be subpoenaed in a court case. NSA generally does not recommend taping interviews due to how uncomfortable it may make the interviewee and the fact that a recorded interview can be directly attributable to an individual, which violates the nonattribution “promise” of the IAM assessment.
Interview Questions to Ask
A predetermined set of questions is helpful, but such a list should only be used as a guide, not an absolute set of questions or the only questions that are asked. Answers to some questions will lead to additional questions that are not on the question list. Knowing when to ask these nonpredetermined questions will be based on the interviewer’s experience and expertise.
NSA recommends no set of standard questions for conducting the interviews. However, a few resources are useful in formulating the set of questions that will help the assessment team gain the needed information and identify the organization’s vulnerabilities. The first resource for questions comes from the security expertise of the assessment team. This can be a compilation of experience from the multiple team members. The second resource is the NIST 800-26 Security Self Assessment Guide. It provides a series of management, technical, and operational questions that help pull out the security information of the organization. This resource can be located through www.nist.gov. The third resource is the NSA IAM itself. The 18 areas that are identified by NSA in the management, technical, and operational areas provide an excellent guide on which to base a question set. These and other resources, combined with the IAM framework, make it fairly easy to create question sets that are industry-specific and provide an excellent starting point for the interviews.
From the Trenches…
The Bad Interview
From time to time, the assessment team will experience a bad interview. Either the personalities will clash or there was no success in getting the interviewee to open up. Don’t let this failure discourage the assessment team. Just accept it and move on.
Case Study: Interviews With University Staff
The interview schedule was finally set, at least for the first week of the onsite phase of the Red Rover University assessment. Through discussions during the pre-assessment site visit, we determined that the college was most concerned about liability for systems used to initiate attacks on other systems and Family Education Rights and Privacy Act (FERPA) regulations. FERPA addresses the privacy protection responsibilities for educational institutions.
The university has four colleges along with the associated support staff. Each college has its own technology staff responsible for systems administration and security for that particular college. The administrative functions of the college are supported by the university’s Information Technology (IT) department. Table 7.5 identifies the Week 1 schedule of interviews.
[Table 7.5: Week 1 On Site schedule, Monday through Friday, in time slots from 0730 to 1900. The cell layout is not recoverable from this copy. Readable entries include arriving on site at 0730 each day; the opening meeting and tour of campus facilities on Monday; a tour of the new technology center; interviews with the food services management representative, the dean of engineering, the manager of technical services, desktop support, server support, the business college systems administrators (group), the computer science technology staff (group), and the dean of liberal arts; lunch with the campus security director; meetings with the customer representative; time reserved for unscheduled interviews and analysis preparation; assessment team meetings and a team dinner; and after-hours sessions with the night school technician and janitorial staff.]
The assessment team utilized NSA’s 18 Baseline INFOSEC Classes and Categories as the high-level guide for conducting the interviews, realizing that some sections of the 18 categories will not apply to all customer personnel being interviewed.
The first set of interviews on Monday at 1200 and 1300 hours, with the liberal arts systems administrators and the computer technology staff, were both group interviews. During these interviews a common name was brought up that was not part of either staff. Fred Kingsly had been a systems administrator originally with the Liberal Arts College and after a year had moved over to the Computer Technology College and was responsible for all lab networks. Fred graduated with his Master’s degree last year and was now working as a faculty member in the undergraduate Computer Technology program while working on his Ph.D. Fred was identified by the university staff we interviewed as being the “brain” behind most of the security tools and policies in place at the university. Fred was not yet on the interview list, so we made a note to get Fred on the schedule if at all possible.
During these interviews, we also noticed that there were a few dominant personalities, and in the case of the Liberal Arts College systems administrator staff, a very quiet administrator disagreed with them (noticed through body language) but didn’t say anything. We added this person to the list of people to be interviewed. During these interviews, we also picked up several additions to our documentation list, including a Draft Security Policy from three years previous, two e-mail directives on the password policy for the college (the only known place it was published), and a security incident report on the ILOVEU virus.
Currently there are three after-hours interviews we know must be conducted: the night school computer support technician, janitorial staff, and the night shift campus security manager. It will be important to gather their perspectives on the college’s security posture. We also warned the customer representative handling the schedule to try to avoid forcing the assessment team to run back and forth across campus several times a day. It is approximately 1 mile from one end of campus to the other. The assessment team found that meeting with the customer representative on a daily basis helped resolve conflicts and issues before they got too difficult.
The update to the chancellor was a smart idea and helped our cause greatly. The chancellor received feedback from the departments that the assessment was going better than they expected and that they found value in the information that was being collected. They also said they felt that the assessment team was truly listening to their opinions and are hopeful that the university addresses the findings with the greatest urgency.
The Management Interview
John Smith is the director of operations for Red Rover University and is responsible for all networking and computer operations for the nonteaching staff at the university. John has been working with the university for the last 3.5 years after being vice president of operations for a small local financial services firm. Prior to this interview, members of the team were able to determine that John was very much “into” the Washington Redskins professional football team and enjoyed playing golf. Luckily, one of the assessment team members was from the Washington, D.C., area and was also an avid golfer (although a little rusty from working so hard on the assessment).
At the start of the interview, the team discussed football and golf for 5 minutes or so to try to relax John into openly sharing his thoughts and concerns. After a few laughs and “war stories,” the interview leader discussed the purpose of the assessment and what John could expect from the interview process. John did express some concern about the lack of communication from the university as to the purpose of the assessment and some of his staff’s fears that they were being considered for downsizing. The interview leader described the purpose of the assessment and reiterated what the university said the results would be used for and the plans for delivering the results. Red Rover University had identified the purpose of the assessment as looking at how the university stands in meeting the FERPA requirements and how the university rates against best practices. John was aware of several security incidents that he feels may have pushed the university to finally take a look at its networks’ security.
The interview team started by gathering information with questions based on the 18 areas. We won’t go through every question, but here are just a few of the relevant ones and John’s answers:
Q. What security-related documentation are you aware of and/or use for your or your staff’s job?
A. We have a security policy that applies only to the university support staff. We tried to push for a university-level policy, but the colleges pushed back saying they want to control their own environment. Unfortunately, the colleges have a great deal of autonomy and were able to avoid the university-level policy.
Q. Do the colleges have their own policies?
A. The colleges are supposed to be working on their own policies, but no one is monitoring the development or implementation.
Q. What other documents do you use?
A. We created a few e-mail type guidance memos, but that is pretty much it. Most security is implemented ad hoc and is due to the self-initiative of some of our systems administrators.
Q. What types of documentation do you think you need?
A. A university-level security policy, incident response plan, disaster recovery/business continuity plan, and maybe some security training and awareness information.
Q. Who at the university has primary responsibility for security-related issues?
A. Well, campus security has all physical security responsibilities, but no one is designated for technical security types of issues for the entire university. Each college is responsible for its own technical security. There was discussion to include that in campus security as well, but they don’t have the right kind of expertise. I believe part of what the university is looking for is a recommendation from the assessment team where it should be placed.
Q. What do you think the university should do to address security responsibilities?
A. I think the university needs to have a Campus Technical Security Working Group that includes representatives from the colleges and university staff support and a designated university security leader to lead the effort. We need technical security leadership at the university to coordinate and keep things moving forward. Otherwise, everyone is doing their own thing.
Q. What do you think the greatest challenge(s) are for the university from a security perspective?
A. (Speaking up very quickly) Lack of leadership, lack of education, lack of enforced security standards!
When asked about contingency planning and configuration management areas, John responded that they have no consistent practices implemented, but he felt strongly they were needed. When asked about the technical areas, he referred us to his technical staff as the best source of information for those areas. He felt that his staff had a relatively good grasp of technical security issues within his department, but he couldn’t comment on the rest of the university.
The Technical Interview
Red Rover University and the assessment team decided to conduct both group and individual interviews to try to gain the greatest knowledge from the university staff. The following is a sampling of information gained during those interviews.
Group Interview with Computer Science Systems Administrators
This technical interview was actually a group interview with the systems administrators from the College of Computer Science. The four people in the interview were Joan Heartfelt (Sun Solaris administrator), John Highonlife (Windows administrator), Byron Brownnose (Windows administrator), and Marcia Grady (Linux administrator). The assessment team attempted to find out as much about the systems administrators as possible prior to the interview. Other than the fact that they are all systems administrators, they have very little in common, so we had to break the ice rather carefully. The best approach we found was through introductions and general discussion. The administrators seemed to get along fairly well with each other, with the exception of Marcia, who was extremely quiet.
The interview started with gaining an understanding of each person’s role and responsibilities within the group. They stated there was no separate security administrator. Each systems administrator was responsible for the security of their respective system. Here is an excerpt of answers from the “management” style questions asked in the interview:
Q. What security-related documentation are you aware of and/or use for your job?
A. Everybody answered user manuals and Web searches; none was aware of any university- or college-level policies that should be guiding them.
Q. Do the colleges have their own policies?
A. None that they are aware of.
Q. What types of documentation do you think you need?
A. (from Byron) Maybe some guidance further locking down our respective operating systems. (Marcia rolls her eyes.)
Q. Who at the university has primary responsibility for security-related issues?
A. No university-level contacts known. Each administrator is responsible for the security of his or her own systems.
Q. What do you think the greatest challenge(s) are for the university from a security perspective?
A. (From Byron) People not knowing what they are doing. (Marcia rolls her eyes again.)
Q. Do you have a firewall?
A. Yes, we do. It’s a Checkpoint FireWall-1 on a Nokia Solution.
Q. Who manages it?
A. (Joan answers) John.
A. (Marcia answers) I do. (rolls her eyes again)
Q. Who really manages it?
A. (John answers, looking very politically correct) Well, we both do. I’m the primary and Marcia is my backup. Due to some recent projects, Marcia has had to back me up quite a bit.
Q. Can I get a copy of the firewall rule sets to review?
A. (Byron answers) Sure, Marcia will get those for you. (Marcia rolls her eyes yet again.)
The interview continued like this through a series of technical-related questions. It was clear that Marcia had a differing opinion from the other three systems administrators on the state of security and how things should be run within the group. But she did not say what her opinion truly was or why she seemed frustrated either with the process or the individuals. After the interview, the interview team decided that it would be wise to have a separate interview with Marcia to try to understand where her difference of opinion is coming from.
Individual Interview with Marcia
Since it was clear that Marcia had a difference of opinion about operations and security with the rest of the staff, a separate individual interview was arranged with Marcia to address her concerns:
Q. Marcia, you seemed to not agree with Joan, John, and Byron on the answers during the group interview. Is there anything you can share with us that will help our assessment effort to be more accurate?
A. It’s not so much that I disagree, it’s just that I am very frustrated with Red Rover University policies and procedures. I have been here for over three years, the longest of any of the four of us. I have been saying over and over again that we need to address security and do things to improve our security posture. Of course, there is no money and no management support to do this. It took a FERPA violation and someone hacking one of our systems and using it as a zombie to attack other systems to cause them to pay attention. Plus, I am the one that got blamed for the zombie machine because it was a Linux box on our side of the network. Unfortunately, it was a graduate assistant who put the unpatched box online without anyone’s knowledge. I used to have primary responsibility for the firewall at that point, then John got it because of the problems. I wasn’t formally reprimanded, but everyone still blames me for the problem.
Q. Did the student who put the box online get reprimanded?
A. No, the university said they couldn’t because there were no policies to define allowed activities and associated punishments.
Q. Is there a code of conduct or acceptable-use policy now?
A. Not that I am aware of. They said they wanted to see the recommendations from this assessment first. But they told me never to let that problem happen again.
Q. What are you doing to try to prevent it?
A. I run network discovery tools once a week to try to find new boxes and send out a note to everyone I can think of to address the prohibition of putting systems on the network without my knowledge. If they put something up I don’t know about, then I block them. I have ticked off a couple of professors in recent weeks doing this.
Q. What do you see as the biggest obstacle for you to be able to do your job?
A. Lack of university leadership and listening to the employees who have to live in the trenches every day. Until the two incidents I mentioned, there has not been a great deal of consideration given to security here. Now, due to the FERPA fine and the bad press, the university is finally paying attention. I’m glad they are now, but I think we could have prevented it had they paid attention to me to begin with. I have always been a firm believer in prevention.
Q. Is there any kind of rift between you and other systems administrators?
A. No, I apologized to them after the group interview. We are all friends, it just has been extremely frustrating for me. I hope you really can help.
Based on the combined information, we were able to get a better picture of the past and present of the university from a security perspective. This information was verified through further discussions and helps identify the basis for assessment and how the security road map will need to be laid out to accomplish improving the university’s overall posture.
Once the preparation is complete, it is important to think about the flow of the onsite phase of the IAM. The important first step is the opening meeting, which is the first opportunity to make a positive impression during the onsite phase. The opening meeting should reiterate the agreed-on assessment plan, identify the current schedule, show the benefits of the assessment process, and help establish expectations for the remainder of the assessment. A positive first impression is essential to assessment success. During the assessment process, understand the importance of keeping both the customer and the assessment team informed of progress and remaining actions.
The NSA 18 Baseline INFOSEC Classes and Categories provides an excellent framework to focus the onsite information collection activities. These 18 categories capture the majority of security-related concerns for assessment purposes but are flexible enough to allow the addition or alteration of the list as required. In many cases, the 18 categories can be used to formulate the set of assessment questions to be asked during the interviews with the customer.
The interview is the process of collecting information about the customer’s security posture by asking questions related to security matters within the customer’s organization. The assessment team members’ positive interviewing skills are important in gaining the information from the client. Unsuccessful interviews will result in poor security posture information being obtained. Make sure that the lead interviewer has the skills to pull information out of the interviewees. In spite of the skills of the assessment team, sometimes an interview will not go well. In this case, learn from the process and move on.
Getting focused on preparing for and starting the onsite phase activities will
Best Practices Checklist
Preparing for the Onsite Phase
Ensure continuous communication with the assessment team.
Ensure continuous communication with the customer.
Don’t forget about the comfort needs of the assessment team.
Work with the customer to create a manageable schedule for the onsite interviews.
Setting the Onsite Tone
Utilize the opening meeting to establish a positive tone for the assessment.
Reiterate the agreed-on assessment plan during the opening meeting so that everyone understands the scope of the effort.
Review the assessment process and its benefits in the opening meeting.
Keep the customer involved and informed throughout the entire assessment process.
Be prepared to not only assess but to educate the customer throughout the assessment process.
The 18 NSA INFOSEC Baseline Classes and Categories
The 18 categories focus on management, technical, and operational controls to address the customer’s security posture.
The 18 categories can be used as a guide to help focus the questions to be asked during the interview process.
Common themes of documentation and education, training, and awareness apply across all 18 categories.
All 18 categories must be addressed to be officially compliant with the NSA IAM, but additional areas may be added at the customer’s request.
The Fine Art of the Interview
The interviewer must be dynamic and able to facilitate conversation with the interviewee.
Limit the number of people in the interview to just the necessities. Generally this will be two or three people, with one person designated to take good notes.
Try to understand how security is really implemented within the organization vs. the formal policies.
Frequently Asked Questions
The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the “Ask the Author” form. You will also gain access to thousands of other FAQs at ITFAQnet.com.
Q: Can I add or take away from NSA’s 18 Baseline INFOSEC Classes and Categories and still be compliant with the IAM methodology?
A: The IAM is intended to be a flexible methodology that you can either adopt in full or integrate into your own assessment process. You can add to the 18 baseline categories without an issue. If you take away from the required set, just document the fact and you will still be in compliance with the IAM.
Q: What are the most common classes and categories beyond the basic 18 defined by the NSA IAM?
A: Additions to the baseline categories vary greatly by customer. Many customers have asked us to specifically address certain topics, even though they are embedded in the primary 18 baseline categories. We have seen specific topics of:
■ Encryption
■ Wireless networking
Q: What are the greatest obstacles to a good interview?
A: The greatest obstacle is to get the interviewee to relax enough to speak openly about the security practices of the organization. When the interviewer is able to get the interviewees to speak openly, the interviews generally go well.
Q: What are pros and cons of group interviews?
A: Pros: Gain views of many people in one sitting. Able to watch the interaction between the group members and look for dominant personalities and those who differ in opinions.
Cons: Interview can be dominated by dominant personalities. Some people may not be willing to speak up because of who is in the room.
Q: Which part of the organization typically gives the most information about the organization’s security posture?
A: Typically, operations personnel give the greatest insight into the security posture of the organization. This group includes the systems and security administrators. Management gives the view of how it should be, and users give the view of how security affects them. Operations staff gives the view of how security is implemented.
Q: Should the interviewer stick to a rigid set of prepared questions?
A: Flexibility is key to success. Prepared questions have their place as a guide to cover topic areas, but the flexibility needs to be there to allow additional questions to be asked based on the answers given to questions.
Chapter 8
Managing the Findings
Solutions in this Chapter:
■ Demonstration Versus Evaluation
■ Findings and Dependencies
■ Mapping Findings to Requirements and Constraints
■ Creating Recommendation Road Maps
■ Case Study: Medical Management
At this point, we need to discuss what to do with the information that we have discovered. Throughout the process, the assessment team has been collecting information and identifying possible vulnerabilities or weaknesses of the customer’s system. Now is the time to begin validating the information. Validation is not a process of taking the word of every interviewee or believing that what the documentation says is actually occurring within an organization. What is more important is to be able to show proof or hard evidence of what is actually occurring within the organization. To do that, we have two options:
■ Demonstration
■ Evaluation
Demonstrations are meant to validate what the customer does through observation of their activities. This over-the-shoulder viewing of activities clarifies what was identified during the interviews that may be in conflict with the documentation that was reviewed. Evaluations are meant to provide documented evidence of findings. This is done through the use of tools or scripts or by manually checking systems. The range of tools available to do this is quite large; therefore, we only discuss the use of some of the more popular network scanners and password crackers. Scripts and manually checking systems are individually specific, and expertise in using them is dependent on the assessor. For this reason, we do not provide detailed information regarding the utilization of scripts or manual checks in this book.
Once you have validated the information, what should be left are the findings. Not all findings should or will be negative. In this chapter, we discuss how findings can be positive or negative. As an assessor you should always have your eye open to positive findings and be willing to point out the good things that are going on in an organization. We believe that if you can find only negative things while doing an assessment, you have the wrong attitude toward the customer. There is always something good being done within an organization. You should recognize and promote these pockets of “good security” to help institutionalize those good practices throughout the organization.
With findings there is always the case of dependencies and determining if one finding is dependent on another or if resolving one finding can resolve mul-