Table 8.1 A Sample of Findings from the SA for Medical Management

Finding # | Vulnerability | Threat Source | Impact Rating | Consequence
33 | Lack of separation of duties | Intentional | High | System administrators ... of data for holding users responsible for their actions. Due to a lack of resources, a decision has been made to allow the system administrators to audit their own activity. This could result in a loss of integrity.
34 | JSPServlet enumeration | Unauthorized access | Low | An attacker can use this vulnerability to enumerate ... webroot. This could result in a loss of confidentiality, integrity, and availability if the attacker is able to use this information to compromise the system.
35 | Web server enumeration | Unauthorized access | Low | Allows attackers to identify specific version ... attacks. This could result in a loss of confidentiality, integrity, and availability if the attacker is able to use this information to compromise the system.
36 | Cold Fusion debug enumeration | Unauthorized access | Low | It is possible to anonymously ... sensitive data such as template path or server version. This could result in a loss of confidentiality, integrity, and availability if the attacker is able to use this information to compromise the system.
37 | Security alerts and incident handling procedures are not documented | Administrative error | Low | Without documented ... Management to errors in human judgment. This could result in a loss of confidentiality or integrity if an incident goes unnoticed.
38 | Contingency plan does not exist | Administrative error | Low | Current contingency ... and should be centralized in one document that all locations utilize. This could result in a loss of availability.
39 | Process to modify incident handling does not exist | Administrative error | Low | Currently being done ad hoc, which could result ... not having procedures to incorporate lessons learned. This could result in a loss of confidentiality, integrity, and availability.
40 | Risk assessment implementation is not consistent | Human error/omission | Low | Inconsistent application of ... corrected. This could result in a loss of confidentiality, integrity, and availability if the vulnerabilities are not identified and resolved.
41 | Rules of behavior are not consistent and are not signed by users | Disgruntled employee or citizen | Low | Rules of behavior define to the user what is acceptable behavior and the ... there may be an issue with proving the user was adequately warned. This could result in a loss of integrity and management having no legal recourse available.
42 | Termination process does not address short-notice quitting | Disgruntled employee or citizen | Low | Current procedures would ... system to continue after an ... in a loss of confidentiality, integrity, and availability.
43 | Access to system is granted without appropriate background screening | Intentional | Low | Inconsistent screening of ... performed. This could result in a loss of confidentiality and integrity.
44 | Software distribution implementation is inconsistent | Human error/omission | ... | ... leads to inconsistent ... loss of confidentiality, integrity, and availability due to poor configurations.
45 | No software or hardware testing procedures are in place | Human error/omission | Low | This could allow for ... in a loss of confidentiality, integrity, and availability if poor configurations are introduced to the system.
www.syngress.com Managing the Findings • Chapter 8 295
Recommendation Road Map
Table 8.2 provides the assessment team recommendations, referenced by the finding numbers presented in Table 8.1.
Table 8.2 Recommendation Road Map for Medical Management

Finding # | Vulnerability | Recommendation
(The Action Target Date and Responsibility columns of the table are blank.)
1 | IDA ISAPI buffer overflow present | Install appropriate MS patch (Q317815). Unmap the IDA extension and any other unused ISAPI extensions if they are not required.
2 | dvwssr.dll available | Delete this file if not needed. If this file is required, restrict access to authenticated users only.
3 | Newdsn.exe available | Delete this file if not needed. If this file is required, restrict access to authenticated users only.
4 | Msadcs.dll available | Install latest patch; see MS99-025 for information.
5 | Unauthenticated Web Script WSMAdmin available | Edit the ubroker.properties file as follows: AllowMsngrCmds = 1; change to AllowMsngrCmds = 0.
6 | Allaire JRun 3.0/3.1 accepts ... | Modify the following in the JRun console: JRun Default Server/Web Applications/JRun Demo/File Settings/Directory Browsing Allowed set to FALSE.
7 | Allaire Cold Fusion DOS | Remove HTML login file if not required. If HTML login file is required, implement HTTP basic authentication to restrict access to this page.
8 | Internet Printer Protocol (IPP) buffer overflow present | Unmap the printer extension.
9 | ... | ... user repost directory. Restrict anonymous access.
10 | Remote file system viewing | Disable this service if it is not needed. Restrict anonymous access if this service is required.
11 | CompaqDiag remote management services active | Disable this service if it is not needed. Restrict anonymous access if this service is required.
12 | Oracle account password missing | Assign a password to the TNSLSNR.
13 | Old TNSLSNR version | If possible, upgrade to version 9.0 or later.
19 | SNMP default ... | Disable SNMP if not ... Change the SNMP community string.
20 | SMTP server relaying allowed | Disable mail relay if not required.
21 | Cisco SNMP ... | Implement controls to block access to the ILMI community and to SNMP if possible.
22 | Antivirus detection and elimination is inconsistent | Require and have users sign an acknowledgment requiring they have installed up-to-date antivirus software on any machine that they will be using for remote access. Implement scripts to auto-update antivirus software for all remote users when they connect to the WAN.
23 | Inadequately trained personnel | Provide formal training for equipment prior to installation. Hire trained and certified contractors to operate equipment.
24 | Cross-site scripting | Install available patches or comply with vendor recommendations where possible.
25 | NULL session enabled | Ensure that NULL/anonymous sessions are disabled if not needed. See MS Q143474 or Q246261.
26 | Cross-site tracing vulnerability exists | Deny HTTP TRACE requests. Permit only the methods required by authorized individuals.
27 | Java cross-site tracing vulnerability exists | Disable the Java service if not needed. Update the Java service ...
28 | WASCAdmin password does not expire | ... IAW Medical Management policy.
29 | Remote terminal services allows bypassing of security protocols | Migrate to MS terminal services or Citrix, or some other product that can follow/enforce Medical Management password and audit requirements.
30 | Echo, Chargen, Qotd enabled | Disable these services if not needed. If these services are required, restrict them to administrators only.
31 | Data integrity and validation controls are not consistently applied | Implement Tripwire or other integrity and validation controls.
32 | Audit trail cannot support after-the-fact investigations | Implement chain-of-custody and storage IAW solicitor requirements.
33 | Lack of separation of duties | Hire personnel to handle security duties.
34 | JSPServlet enumeration vulnerability | Set a global error page for the ServletExec Virtual Server.
35 | Web server enumeration vulnerability | Modify the reported Web server application with urlscan to misdirect the attacker.
36 | Cold Fusion Debug Enumeration | Enter an IP address (e.g., 127.0.0.1) in the Debug Settings within the Cold Fusion Admin.
37 | Security alerts and incident handling procedures are not documented | Incorporate documented procedures and distribute to all locations. Schedule and document testing of procedures.
38 | Contingency plan does not exist | Develop, document, implement, and distribute a contingency plan.
39 | Process to modify incident handling does not exist | Develop, document, implement, and distribute lessons-learned procedures.
40 | Risk assessment implementation is not consistent | Develop, document, and implement security tools utilization procedures with written authorization for who can use the tools and when.
41 | Rules of behavior are not consistent and are not signed by users | Standardize Medical Management medical system rules of behavior and have all users sign acknowledgment.
42 | Termination process does not address short-notice quitting | Update current procedures to address all situations.
43 | Access to system is granted without appropriate background screening | Standardize and enforce screening process for employees and contractors. Require contractor to provide ...cation of screening.
44 | Software distribution implementation is inconsistent | ... distribute procedures for software distribution and implementation.
45 | No software or hardware testing procedures are in place | Document the required test procedures and retain test reports.
Throughout this chapter we covered specific areas that you as the assessor need to understand to identify and validate findings that affect your customer. You have learned about system demonstrations and evaluations and when to use them. You have learned to look at the findings for dependencies and possible interdependencies. With your newfound understanding of the dependencies of the findings, you now understand how to map the findings to the customer requirements and constraints. You now understand how to create a justification that is usable and valid for your customer. You can now create a road map for the customer to improve their security posture. We ended this chapter with a look at a case study to give you an example of how this information fits into the real world of INFOSEC assessments. We hope that you found this discussion enlightening and informative.
Best Practices Checklist
Demonstration Versus Evaluation
Validate or clarify interviews with demonstrations
Validate or clarify documentation with demonstrations
Measure operational controls with evaluations
Measure technical controls with evaluations
Findings and Dependencies
Findings can be positive or negative
If there are no negative findings for an area, there should be a positive one
Is a finding related to another finding?
How many findings can be resolved with one solution?
Does a positive finding help mitigate a negative finding?
Mapping Findings to Requirements and Constraints
What is the impact to the customer?
What critical information impact attribute is attributable to each finding?
Is there enough information in the justification for the decision maker to understand and make a good risk management decision after you are gone?
What is the threat vector that can exploit each finding?
Are customer concerns or constraints included in the justification?
Creating Recommendation Road Maps
Does the recommendation address cost effectiveness?
Does the recommendation address applicability to the customer environment?
Does the recommendation address the importance of the finding to the critical information?
Does the recommendation address the users who have to implement the recommendation?
Does the recommendation give the customer options?
Frequently Asked Questions
The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the “Ask the Author” form. You will also gain access to thousands of other FAQs at ITFAQnet.com.
Q: Can you really do an assessment of any value to the customer without using tools?
A: Yes, if you are only validating the policies and procedures. You will have to note a caveat in the report that there is insufficient assurance that critical devices are functioning as required, since you have not had the opportunity to technically assess these components using tools.
Q: Can you just use the evaluation tools and skip the system demonstrations?
A: Not if you want to get a complete picture of how things are actually done. There is always the case where some administrators will prepare for your assessment by coaching, and demonstrations are a good way to see the reality of how things are normally done.
Q: Have you ever used demonstrations for something besides account management?
A: Yes, we use it for audit and almost anything you can think of that requires daily or weekly repetition. They are also good for learning what the customer is trying to accomplish with a specific configuration.
Q: Do you always have to map the finding to the OICM, or can you just map it to the SICM?
A: As you have already learned, the impact definitions are the same for both the OICM and the SICM. Therefore, the findings and recommendations that you are mapping to a matrix would be similar and applicable to both the OICM and the SICM.
Q: Do you list all the possible findings for the customer individually, or do you group them?
A: We try to merge the findings to a common solution. This provides the customer with a simpler road map.
Chapter 9
Leaving No Surprises
Solutions in this Chapter:
■ Determining the Audience for the Closeout Meeting
■ Organizing the Closeout Meeting
■ Understanding the Meeting Agenda
■ We Came, We Saw, Now What?
■ Summary
■ Solutions Fast Track
■ Frequently Asked Questions
In this chapter we will be discussing the closeout meeting and the remaining timeline. This meeting is important because we do not want to leave our client with any surprises. We have completed all of the work that needs to be done on-site and we are getting ready to head back to our office to review the information and documentation, and prepare a final report. We need to set up the closeout meeting to ensure that we have all the information we need, address any questions from the client, and inform our customer of any critical vulnerabilities before we leave the client site. One of the more important aspects of the closeout meeting is to make sure that the appropriate people attend and participate in this meeting.
We have just spent the last two weeks at the client site doing interviews and collecting information, through which we have obtained a thorough understanding of our customer’s network as well as the roles and concerns of the individuals. We have reviewed the critical information as well as the systems that store, process, and transmit this information. We have seen a demonstration of the systems and we have reviewed the documentation. We have defined what is meant by a low, medium, and high criticality. We want to review this information one last time and we want our client to understand what has been done and give them a chance to voice any questions or concerns that they may have. Our client will want to see that the goal, the purpose, and the scope of the assessment have been met.
If there are any critical vulnerabilities that have been discovered thus far we need to inform our clients so they can act on these vulnerabilities quickly. Let the client know what might be a critical issue and work with them through recommendations that will help secure their network.
Finally we will discuss not only what has been done but what they can expect to happen next. What kind of timeline can our client expect? What individuals might be needed to complete the rest of the assessment? At this time we will also let our client know when they can expect a final report. The goal of the closeout meeting is to leave the client site without leaving behind any surprises.
Determining the Audience for the Closeout Meeting
Before you start preparing for the closeout meeting, it is important to determine who will be attending the meeting and what type of information will be important to them.
310 Chapter 9 • Leaving No Surprises
Who Is Your Audience?
You and your team have just spent a few weeks working side by side with these individuals in the organization. You know how they work and a little about who they are and what makes them tick. You should now be familiar with the culture of the people that will be in the closeout meeting.
Are they formal or casual? Do they like to joke around or are they all business all the time? Has there just been a merger, a takeover, or a reduction in the workforce? What are some of the cultural differences with the group? These things are important in the way you present your material.
By now you have also picked up on the personalities within the customer’s organization. Are they glad you came to do the assessment? Do they feel you are intruding on their space? Did you get a favorable welcome or an unfavorable welcome when you arrived? What have you done to increase favorability while you have been on site?
Who Should Attend?
It is now time for the closeout meeting. We need to get everyone involved that might be able to contribute to the meeting. We know that this is not always possible due to scheduling and other work-related issues, but we should do our best to get the people involved that have the greatest impact. You want to have your point of contact (POC) at the meeting as well as your assessment team. You want to include upper level management, systems managers, and the senior security manager as well as any customer team members.
These individuals should be involved with the closeout meeting to ensure that the assessment is done and that there are no surprises at the end of the day. Your POC needs to be there as your connection to the customer. The management team will need to be there to make the final decisions regarding your recommendations. The senior security manager is the person that will be heading up the network security and any implementation that is recommended.
These are the people that invited us into their organization. These are the people that set the goals and told us what information and systems were critical. These people are the customer and they will be taking our recommendations and applying them to their systems to protect them from vulnerabilities. The mission of the company rests with these individuals. It is the concerns of these people that we are here to give recommendations on.
Organizing the Closeout Meeting
Organizing the closeout meeting is very similar to the organization and preparation of other types of business meetings. You want to take the time and review the information that you are going to cover in the meeting. How do you want to start the meeting? What direction do you want the meeting to take? Take some time and think about the meeting and how you would like things to unfold. What information is important to you and your team? What do you want to impress upon your audience? What information is important to your customer, and what is their expectation of the closeout meeting? Always be mindful that the purpose of the closeout meeting is to give the customer the information that you have gathered over the last few weeks, and to ensure that there will not be any surprises at the end of the assessment.
Determining Time and Location
There are many things to consider when choosing the time and location for this meeting. The objective when scheduling the meeting is to accommodate the schedules of as many of the important attendees as possible. These people would be the decision makers that are going to influence how the customer resolves any vulnerability issues discovered during the assessment. Are there people in the organization that will be coming in from out of town? Do some of the employees work from home on specific days of the week? Pick a day and time that most of these people will be in the office. The location of the meeting should be where it is most convenient for the major players. Have your customer representative recommend the best location.
Time of Meeting
When we determine the time of the closeout meeting we want to consider getting as many people involved with the assessment as possible to attend. Check with your POC and other leaders in the organization to determine the best time for this. The length of meeting needed will depend on the size of the organization and the number of vulnerabilities found in the systems. Typically this meeting is one or two hours in length.
Day of Week
Picking the day of the week again depends on the schedules of the people in the organization. Usually the meeting is set when the on-site assessment has been completed or when you expect the on-site assessment to be completed. If you schedule the meeting on a Monday and your team has traveled out of town for the assessment, you will have to spend another weekend on the road just to come in Monday and have the Closeout Meeting. I like to schedule my Closeout Meeting Tuesday, Wednesday, or Thursday. Once you get to Friday and something unexpected comes up, you’re staying another weekend.
Meeting Room
Where will you have the Closeout Meeting? If you are going to use a conference room, remember that most companies will have you reserve a conference room in advance. This could be something that your POC can handle for you. How many people are going to attend? Does this organization have a conference room big enough for the meeting, or will you need a larger location within the company? Is the meeting room that you have selected set up for your type of meeting? Consider your technical needs and if the location can accommodate them.
Determining Supply List for the Closeout Meeting
Now that you have selected a time and a place to meet, you and your team need to make sure the room is ready for the meeting. Plan to be there at least an hour in advance to make sure all equipment works, handouts are ready, the laptop is charged, etc. You will need the following items for most Closeout Meetings:
■ Whiteboard Whiteboards are a great tool in meetings to keep interest piqued as you write each critical assessment point.
■ Overhead projector These are ideal for presenting to a larger audience.
■ Laptop Depending on the culture of the customer, you may need a laptop for a PowerPoint presentation.
■ Handouts These can help people follow along during the meeting, and allow people to take the information with them in the event they are called away during the meeting.
Other Concerns about the Meeting
The Closeout meeting is scheduled, and you and your team are ready to present your information to the customer. It is a good idea at this time to consider any other concerns that you might have about the meeting. These meetings can take quite a while depending on what you have to cover, so remember to plan for breaks depending on how long your presentation runs. If you don’t, those in attendance may begin to lose focus. Some food for thought:
■ Plan for breaks, and if possible supply coffee, snacks, and other cold drinks. Again, you can ask your POC to assist you with these details.
■ Supply the customer with materials for taking notes. A great idea is to hand out pens or pencils with your company logo on them.
■ Lastly, is there anyone in the organization that will be attending the closeout meeting who has a special need? Your POC will be able to let you know if there is anyone who is hearing impaired, visually impaired, etc. Again your POC will be able to help here as well. Just be mindful of the needs of the customer.
Understanding the Meeting Agenda
No matter what type of meeting you are having it is a good idea to have a clear agenda. Let your customer know what you intend to cover, and how long you expect the meeting to last. Remember the customer might have some concerns that take you away from your agenda. Be flexible when it comes to the customer’s needs. The agenda activities include:
■ Reviewing the final agreed upon Assessment Plan
■ Reviewing Critical Vulnerabilities
■ Reviewing the Process and Looking Forward
Review of the Assessment Plan
It is now time to review the assessment plan. First, we will cover the organization information criticality. We have already decided with our client how we will determine Low, Medium, and High criticality. For some companies High criticality will be protecting information that could shut down the business. For others it could be a loss of contracts, or legal action taken against them. Still others might consider the protection of customer information as high impact criticality. The high criticality will be different for each client; it is your job to learn what is of utmost importance for your client.
Review of Organization Information Criticality
The organization information criticality is a matrix of that information deemed critical by the customer, which is then rated Low, Medium, or High depending on the impact level. The three attributes that we use to determine the impact value are confidentiality, integrity, and availability. Organization Information Criticality was addressed in the Pre-Assessment Phase. This is only a review that would be included in the closeout meeting.
Review the information that you have gathered over the last few weeks with the customer. This is just the information, not the systems, platforms, or applications. It is information that has been deemed critical through the discussions and interviews with the customer. What additional organizational information have you found through your assessment to be critical?
The attributes that are used during the assessment process are confidentiality, integrity, and availability. These are the minimum attributes recommended; you could add more attributes if you or your customer thinks it is necessary, now that you have established what would happen if the information were released, tampered with, or inaccessible.
You have worked with your customer to develop definitions of criticality, which will define a High, Medium, and Low impact value. Let’s use a law enforcement agency as our customer. Review with them what they have defined as a High, Medium, and Low impact value. In this example a High impact might be a loss of life or infringement of personal liberties. A Medium impact value might be endangerment of a law enforcement officer, embarrassment to the organization, or delay of an arrest. A Low impact might be an inconvenience in performance of duties.
Present your information criticality matrix whether it is on a handout, whiteboard, or PowerPoint presentation. In this example of a law enforcement agency, the information that they see as critical is the criminal records, informants, investigations, and warrants. Using the table below as an example, show your customer how they related their information to the confidentiality, integrity, and availability attributes using their High, Medium, and Low impact values. The Organization Information Criticality Matrix (OICM) is a list of the most important information within the IT operations defined by the customer. The matrix also defines the impact value of this information according to confidentiality, integrity, and availability:
Organization
Information Confidentiality Integrity Availability
After going over the information criticality matrix, show the customer how you determined the final value of the Organization’s Information Criticality. Explain that you simply take the highest impact value from each of the columns: confidentiality, integrity, and availability. In this case it would look like this:
Organization
Information Confidentiality Integrity Availability
Criticality
Systems Information Criticality
To continue the Assessment Plan review, you now have to discuss the systems criticality information. After you review the organization’s critical information and determine the final value of the organization’s information criticality, it’s time to review the organization’s systems information criticality. Some individuals have a difficult time separating the information from the systems. Make sure everyone understands the difference before discussion of the organization’s systems criticality begins. The system is where the information we just reviewed is processed, stored, and transferred. Just as we previously reviewed the critical information, we will now review the organization’s systems criticality. Continuing to use our example of the law enforcement agency, we would talk about its specific systems. The systems they are concerned with are the Federal Agents’ Comprehensive Tracking Systems (FACTS) and the Secret Network of Operational Programs (SNOOP). These are the two systems within the law enforcement agency that store, process, and transmit information about criminal records, informants, investigations, and warrants. Walk your customer through the information on their systems information criticality matrix. The following tables show the impact value of the systems that contain the critical information. The first table is the FACTS system, which contains the criminal records, investigations, and warrants. The second table is the SNOOP system, which contains the informants’ information. As you can see we have taken the highest impact from each column to come up with the final impact value of each system.
Federal Agents Comprehensive Tracking Systems (FACTS)
Organization
Information Confidentiality Integrity Availability
Federal Agents Comprehensive Tracking Systems Final Value
Systems
Information Confidentiality Integrity Availability
Secret Network of Operational Programs (SNOOP)
Organization
Information Confidentiality Integrity Availability
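The roll-up rule the chapter describes for both matrices (take the highest impact value in each column, first over all critical information for the OICM, then over the information each system handles for the SICM), as an added Python example that is not from the book. The Low/Medium/High values for criminal records, informants, investigations, and warrants are constructed sample data, since the book's own matrices are not reproduced here; the FACTS/SNOOP mapping follows the narrative above.

```python
"""Roll-up of organization and systems information criticality.

Added example, not taken from the book: it implements the rule the chapter
describes for the closeout review (take the highest impact value in each
column) and applies it to the chapter's law enforcement scenario. The impact
values below are constructed sample data, not the book's own matrices.
"""
from typing import Dict, Iterable, List, Tuple

ATTRIBUTES = ("confidentiality", "integrity", "availability")
# Ordinal ranks so that "highest" is well defined for the three impact values.
RANK = {"Low": 1, "Medium": 2, "High": 3}
NAME = {rank: level for level, rank in RANK.items()}

Row = Dict[str, str]  # attribute -> "Low" | "Medium" | "High"

# Constructed OICM for the example agency (sample values only, not the book's).
OICM: Dict[str, Row] = {
    "criminal records": {"confidentiality": "Medium", "integrity": "High", "availability": "Medium"},
    "informants": {"confidentiality": "High", "integrity": "High", "availability": "Low"},
    "investigations": {"confidentiality": "High", "integrity": "Medium", "availability": "Medium"},
    "warrants": {"confidentiality": "Medium", "integrity": "High", "availability": "Medium"},
}

# Which critical information each system stores, processes or transmits,
# as the chapter's narrative describes it.
SYSTEMS: Dict[str, Tuple[str, ...]] = {
    "FACTS": ("criminal records", "investigations", "warrants"),
    "SNOOP": ("informants",),
}


def validate(matrix: Dict[str, Row]) -> None:
    """Reject rows with missing attributes or values outside Low/Medium/High."""
    for info, row in matrix.items():
        for attr in ATTRIBUTES:
            if attr not in row:
                raise ValueError(f"{info}: missing attribute {attr}")
            if row[attr] not in RANK:
                raise ValueError(f"{info}: unknown impact value {row[attr]!r}")


def final_value(rows: Iterable[Row]) -> Row:
    """Highest impact value in each column across the given rows."""
    rows = list(rows)
    if not rows:
        raise ValueError("cannot roll up an empty set of rows")
    return {attr: NAME[max(RANK[r[attr]] for r in rows)] for attr in ATTRIBUTES}


def organization_criticality(oicm: Dict[str, Row]) -> Row:
    """Final OICM value: highest impact per column over all critical information."""
    validate(oicm)
    return final_value(oicm.values())


def systems_criticality(oicm: Dict[str, Row],
                        systems: Dict[str, Tuple[str, ...]]) -> Dict[str, Row]:
    """Final SICM value per system, rolled up from the information it handles."""
    validate(oicm)
    result: Dict[str, Row] = {}
    for system, infos in systems.items():
        unknown = [i for i in infos if i not in oicm]
        if unknown:
            raise KeyError(f"{system}: information not in OICM: {unknown}")
        result[system] = final_value(oicm[i] for i in infos)
    return result


def uncovered_information(oicm: Dict[str, Row],
                          systems: Dict[str, Tuple[str, ...]]) -> List[str]:
    """Critical information mapped to no system: a gap worth raising in the
    closeout meeting, because its criticality never reaches the SICM."""
    covered = {i for infos in systems.values() for i in infos}
    return sorted(i for i in oicm if i not in covered)


def render(title: str, rows: Dict[str, Row]) -> str:
    """Plain-text matrix in the layout the chapter uses (rows by C/I/A)."""
    width = max(len(k) for k in rows) + 2
    lines = [title, "".ljust(width) + "Confidentiality  Integrity  Availability"]
    for key, row in rows.items():
        lines.append(key.ljust(width) + row["confidentiality"].ljust(17)
                     + row["integrity"].ljust(11) + row["availability"])
    return "\n".join(lines)


if __name__ == "__main__":
    print(render("Organization Information Criticality Matrix", OICM))
    print(render("OICM final value", {"Organization": organization_criticality(OICM)}))
    print(render("Systems Information Criticality Matrix", systems_criticality(OICM, SYSTEMS)))
    print("Unmapped critical information:", uncovered_information(OICM, SYSTEMS) or "none")
```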