Defining the Scope of the Assessment

Defining the scope of the assessment is one of the most important parts of the assessment project. At some point, you are going to be meeting with management to start the discussions of the "how" and "why" of the assessment. Before this meeting ever begins, you're probably going to have some idea as to what is driving this event. Vulnerability assessments usually don't happen in a vacuum, so it's important to understand the business reasons behind it. These can include due diligence, compliance with state or federal laws, a breach in security, or other factors.

Knowing why this assessment is occurring is going to help you get a much better idea of what management is looking for and how much support there is going to be for this project. Much of this can be gauged after you have the initial meeting with management. You'll also have to consider that they may not fully have these answers and to a large part, that's why they are looking to you and your expertise in this matter.

Armed with the proper information, you'll be much better prepared when you initially meet with management to discuss this project. You're going to want to gather up as much documentation as possible about the network, the technologies, and the overall structure of the documents that are presently being used to manage the security process.

During this initial meeting, you are going to want to spend some time ironing out what is critical. The best way to make this determination is by looking at what products your organization offers and how they are delivered to the customer. Then determine the key technologies that support this effort and identify the critical pieces of information that the organization possesses.

With the initial meeting out of the way, you should have some idea of what management is expecting the assessment to accomplish. Now that you have some idea as to the scope and direction of the assessment, you can begin to build your team. After your team is assembled, you will be ready to again meet with management. This formal kickoff meeting is where you will work out the final details of the assessment plan and get the information needed to build an assessment timeline. The important events that occur during the scope include the following:

• Driving events
• Initial meeting
• Becoming the project manager
• Staffing the assessment team
• Kick off meeting
• Building the assessment timeline

Driving Events

The events driving the assessment will affect the scope and the depth of the project. Not all organizations look at security in the same way. Some organizations work in business sectors that deal with a considerable amount of risk, whereas others are situated in lower-risk sectors. The way organizations handle risk is just as varied. As an example, look at how your organization has set up its firewall policies. Many organizations use the "allow all that hasn't been specifically denied" policy. Although this works, it's not the best method. A better approach would be to take the "deny all" route. This method denies everything and explicitly allows only services that have been determined to be a business requirement. This approach is not only much more secure, but also recommended by most security experts and by documents such as NIST Special Publication 800-41 Guidelines on Firewalls and Firewall Policy. Organizations that take the latter approach are going to be much more likely to have a developed policy infrastructure and to take your recommendations much more seriously.

Due Diligence

Due diligence is one of the potential forces that may be driving the assessment. If your organization is serious about security, there will be some assessment work performed during mergers and acquisitions. This can occur before an actual purchase or after the event. These assessments are usually held to a very strict timeline. There is only a limited amount of time before the purchase and if the assessment is performed afterward, the organization will probably be in a hurry to integrate the two networks as soon as possible. In either situation, you have a host of issues to deal with, including the following:

• Technology
• Integration
• Business processes
• Roles and responsibilities
• Training and awareness

Compliance

Compliance with state, provincial, or federal laws is another event that might be driving the assessment. Companies can face huge fines and, potentially, jail time if they fail to comply with state, provincial, and federal laws. The Gramm-Leach-Bliley Act (GLBA), Sarbanes-Oxley (SOX), and the Health Insurance Portability and Accountability Act (HIPAA) are three such laws. HIPAA requires organizations to perform a vulnerability assessment. If this is the type of event driving the assessment, management is going to be concerned that the policies, procedures, guidelines, and training have been put in place. They will be interested to see that a good structure for security has been developed and is being followed.

Caution

Those dealing with compliance issues such as HIPAA and SOX need to have a good understanding of what is required to meet compliance, or have someone on the team who does. Many laws mandate civil and criminal penalties for lack of compliance. For example, Title VII of SOX requires that auditors maintain "all audit or review work papers" for five years.

A Breach in Security

A breach in security will bring about different concerns and driving factors than the ones previously listed for due diligence or compliance with state or local laws. Look for these assessments to be much more technical.

Although you may think that the majority of these events are driven by external factors, that's simply not true. The largest percentage of this type of assessment results from events initiated by insiders. This includes current and former employees. Anytime an employee is unhappy or disgruntled, the organization has a potential problem. This is especially true if this individual has a large amount of knowledge about the internal workings of the network. In these instances, you will be looking at access controls, password policies, system defenses, and system hardening.

If the event is driven by an external attack, management will again want to know if systems have been sufficiently hardened. Are there other holes or technical vulnerabilities an attacker can exploit to gain access? These events may not have resulted in a significant loss of revenue. It's possible that only a website was defaced or a brief outage of a service occurred; nevertheless, people will want answers quickly. Management will be looking for technical solutions to secure the infrastructure as soon as possible.

Tip

The best time to deal with incident response is before the event. Your organization should have a well defined incident response plan that details who responds, how they respond, and who will be notified.

Initial Meeting

With some knowledge of what's driving the event, you are now much more prepared for your initial meeting with management. To deal effectively with their questions and start to get a real handle on how much work this is going to be, you are going to want to compile some information to take in the meeting with you. It's best to contact the appropriate personnel before the meeting and let them know what you need to make an appropriate analysis of the situation. By developing a standardized form, you can gather much of the information you'll need to take into the initial meeting.

The information request form will need to provide information that helps define the size and scope of the assessment. If you can't gather all this information before the initial meeting, that's okay, because after management has given the project the green light, you'll quickly get most of the information you need to compile. Following is a list of some of the items you will want to have on your information request form. They can be broadly divided into four categories:

1. Administrative
   • What is the core mission of the organization?
   • How many locations does the organization have?
   • What is the total number of locations?
   • Does the assessment encompass all locations, a limited number of sites, or a sampling across all sites?
   • What event is driving this assessment?
   • Does the organization have existing security policies and procedures?
   • Does the organization have physical controls in place to control the movement of employees and visitors?
   • Do any vendors or corporate partners have access to the network?
   • Are IT services outsourced, and if so, which ones?

2. Technical
   • How many servers are located at each site?
   • What OSs are in place for these servers?
   • How many workstations are located at each site?
   • What OSs are in place for these workstations?
   • What networking protocols are used?
   • Are there any mainframes?
   • How many connections are there to the Internet?
   • What services are made available externally?
   • What services are made available internally?
   • Are wireless technologies used?
   • Is VoIP used?
   • What types of redundant systems are in place?

3. Security
   • What type of encryption technologies are used?
   • Is there a VPN?
   • Is authentication centralized?
   • What type of authentication systems are used?
   • How is access controlled?
   • What type of firewalls are used?
   • Is there an IDS in place?

4. Legal
   • What state, provincial, and federal laws must the organizations comply with?
   • HIPAA
   • GLB
   • SOX
   • Family Education Rights and Privacy Act
   • National Institute of Standards and Technologies
   • Management of Information Technology Security (MITS)

Becoming the Project Manager

If you are one of the individuals scoping the project, you are most like going to be the team leader or key member of the assessment process. If you are going to be the lead in this assessment, you will need some project management skills. You'll need technical and administrative skills to make this a success. Keep in mind the old saying: "Managing people is like herding cats." By this I mean that a successful team leader is both a manager and a leader. Leaders command respect, are able to inspire and motivate others, and can adapt to different leadership styles as circumstances dictate. As the team leader of the assessment, you are going to be tasked with the following:

• Selecting team members
• Defining the scope of the assessment
• Launching the assessment
• Motivating and focusing the team on its objectives
• Time management
• Organizing the results
• Communicating the findings

You are the one who is ultimately responsible for the assessment. You must make sure that all team members understand their roles and their importance. If schedules cannot be met, it will be up to you to communicate this fact to management and facilitate a resolution.

Staffing the Assessment Team

Depending on the size of the assessment, you will need a capable team to get the job done. You are going to be looking for individuals with a variety of skills. From a technical standpoint, team members will need the following skills:

• Computer expert adept at technical domains
• Knowledge about target platforms (Windows, Unix, Linux)
• Exemplary knowledge in networking and related hardware and software
• Knowledge about security areas and related issues

You will also need team members who can fulfill various roles in the project. If you have spent time managing people, probably you already recognize these traits. These various personalities types can help build a successful assessment team:

• Inspectors Demand high standards
• Team Builders Work toward unity and attempt to pull the team together
• Idea People Encourage diverse thinking
• Critics Analysts, concerned about the team's effectiveness

The specific skills needed, as previously mentioned, depend on what level of assessment is going to be performed. Whereas level I assessments are primarily policy based, level II assessments have much more of a hands-on technical feel. These assessments will require you to add individuals to the team who have sufficient technical skills to set up and run vulnerability scanners, review results from vulnerability scanners, examine firewall rulesets, and perform other hands-on types of activities. If you determine that a level III assessment is going to be performed, you'll need team members with in-depth security skills. You may find that for a penetration test, you are better off contracting out those duties. Be aware that no matter who is on your team, all teams typically go through four stages:

• Form
• Storm
• Norm
• Perform

As you assign duties to each team member, you will want to establish times for each activity. When assigning duties to team members try using the SMART process:

• Specific Goals
• Measurable Outcomes
• Achievable Results
• Realistic Skill set
• Time limited Budget

Tip

After you staff the assessment team, a team directory should be assembled. This directory should include

• Assessment team members' names
• Phone numbers
• Email addresses
• Mailing addresses
• Contact information for key stakeholders

Kickoff Meeting

The kickoff meeting is the real beginning of the assessment. For the first time, you have a team assembled and you get the opportunity to meet with senior management and the key stakeholders of the assessment. This is the opportunity to develop an overall plan for the assessment. It is also an opportunity for everyone present to ask questions and work out any problems that may come up. For this project to be successful, now is the time to work out the key issues. Therefore, the following items are some of the key issues that should be discussed:

• Introductions You have probably heard this a million times, but introductions serve a useful purpose. They loosen people up, get everyone talking, and help break the ice. Not only do introductions help everyone feel comfortable, but they also ensure that everyone knows everyone else's role.
• Mission statement This is to get everyone on the same page. As project leader, you will want to spend some time talking about what the mission of the business is. If management has input here, listen. Remember that your real role in this assessment is that of a facilitator. Your job is to get the facts from the people who know.
• Identify critical information and systems You may already have this information. If you do not, one quick way to determine critical systems is by using the NSA's information criticality system. More information about the methodology can be found at www.iatrp.com/iam.cfm.
• Discuss the assessment process Now is a good time to review the three levels of assessments and what they entail. Level I assessments look at the controls implemented to protect information in storage, transmission, or being processed. It involves no hands-on testing. It is a review of the process and procedures in place and focuses on interviews and demonstrations. Level II assessments are more in depth. Level II assessments include vulnerability scans and hands-on testing. Level III assessments are adversarial in nature. This form of assessment is also called a penetration test, as that is what it is. It is an attempt to find and exploit vulnerabilities. Penetration tests may be performed by ethical hackers. The penetration test seeks to determine what a malicious user or outsider could do if determined to damage the organization. It is our belief that organizations performing level II or level III assessments need to have performed a level I assessment because it does little good to find, exploit, and report vulnerabilities that don't have an adequate system in place to manage the remediation.
• Review the scope By this time, you should have a pretty good handle on what the scope of this assessment is going to be. You need to lock in the boundaries of what you are going to do. For example, if this is clearly a level I assessment, you don't need to find out at a later point that management expected you to attempt to hack into the corporate web server. You also want to clarify what type of deliverables that management can expect.
• Identify candidates and key personnel The quality and amount of information you receive from key individuals in the organization will play a large part in the success in the assessment. You probably have a good idea who these individuals are already; if not, you will want to spend some time identifying them. In large corporations or multinationals, these individuals may be scattered across geographically diverse locations. If so, you want to make sure you can schedule time with these individuals by conference call or other means. The risk of not identifying these people or being able to get their input can mean the difference between a successful assessment and a failed one. Schedule time with these individuals as needed.
• Determine logistics If possible, you should seek to arrange a central location for your team to work from. This location will serve as the base location of the operation. Access to phones, computers, and the network are essential. When you're ready to interview employees, having this established location makes life much easier. Otherwise, you will constantly be searching for a conference room to meet in, and these may have booked up well in advance. You don't want to be holding interviews in the lunchroom or other "make do" locations, because it gives an unorganized, haphazard appearance to those you are speaking with and can have a real impact on the type of information gathered.
• Get written approval This is most important. You want to be 100% sure that what has been approved in this meeting is put into writing and signed by management as part of the contract. You don't what to get called on the carpet two weeks later when a team member runs a Nessus scan that brings down a server that was not approved. This is no small point. Not only should you have the scope of the assessment in writing, you should also have the legal department of the company approve its verbiage. If you have brought in external vendors for portions of the assessment, you will want to consider having them sign off on separate legal agreements; don't forget to include the appropriate NDAs.

Building the Assessment Timeline

The timeline establishes guidelines for the completion of the assessment. It also helps establish the scope and duration of the entire project. It will require monitoring on your part to keep the project on schedule. One of the biggest problems you will face is scope creep.

Scope creep occurs when you fall under pressure to expand the assessment beyond what it was originally planned to be. It usually results from a failure to define what the assessment will or will not include. The number one way to prevent scope creep is to clearly define the boundaries of the assessment. This should be locked down during the kickoff meeting and defined in the assessment protocol that has been approved by management.

Caution

If you are not alert to scope creep, it can destroy the assessment. Little things add up and before long, the assessment can slip way behind schedule. These are not the events that will make you a management all-star.

As Everett Dirksen said: "A billion here and a billion there and pretty soon, we are talking big money." Organizations do not have unlimited funds; therefore, it's critical that you develop good cost estimates during the preassessment. Time is money and if the schedule begins to slip, costs will increase. As the team leader for the assessment, expect to be held responsible for achieving technical and scheduled goals, but also for the financial costs of the assessment. The cost of the labor will be one of the biggest expenses of a project. As project manager, you must rely on time estimates you develop to predict the cost of the labor to complete the projected assignment on schedule. In addition, the cost of the equipment and materials needed to complete the projected work must be factored into the project's expenses. The relation between the project cost and the project scope is direct: You get what you pay for! Think about it; is it possible to buy a Lexus at a Ford Focus price? That is probably not going to happen. If the project scope expands, expect costs to go up, so plan accordingly.

If you can avoid this and effectively monitor the information as it flows in from the assessment team, you will be on your way toward meeting your projected goals. You will also need an adequate amount of time communicating with the team. They, too, need to know the progress, what tasks have been completed, and what's yet to be done. Just these few simple things can help keep the project on schedule. Overall, there are three clearly defined pieces to the assessment process as seen in Figure 5.1. These include scoping the project, performing the assessment, and post-assessment activities.

Figure 5.1. Assessment timeline.

The average time for an assessment is 12 weeks. This is only an average, but it should give you some idea of how much time it will take to complete the process. During the scoping process, you'll need to complete seven critical steps before you can actually get started. These are shown in Figure 5.2 and listed next:

Figure 5.2. Scoping tasks.