Level II Assessments
Congratulations, you've done most of the work needed for a level I assessment. Level II assessments rely heavily on vulnerability scans and more intrusive forms of technical testing. Although many organizations are quick to want to jump directly to level II assessments, doing so overlooks the entire administrative and operational side of security. Vulnerability scans are important, but they deal mainly with the technical side of the organization. Up to this point of the assessment, what you should really have been doing is figuring out the core mission of the organization, what processes it takes to accomplish that mission, and how well policies map to real-life activities. If you've done a thorough job, you will already be able to see whether the policy structure is sufficient or whether changes need to be made to better protect key assets. With this done, you can focus your activities on technology.
Tip
Chapter 8, "Tools Used for Assessments and Evaluations," will go into detail on the various technical assessment tools and the guidelines and standards that are available. ISO 17799 and The Open Source Security Testing Methodology Manual (OSSTMM) are two examples. The OSSTMM focuses on the technical details of what should be tested, what to do before, during, and after a security test, and how to measure technical test results. The OSSTMM is divided into sections that collectively test the following:
- Information and data controls
- Personnel security-awareness levels
- Fraud and social-engineering control levels
- Computer and telecommunications networks, wireless devices, and mobile devices
- Physical security access controls, security processes, and physical locations
Vulnerability Scans
Vulnerability scanners are one of the primary tools used for a level II technical assessment. Vulnerability scanners can probe the network, evaluating firewall rule sets, network configurations, vulnerable systems, unpatched services, and more. If you discover critical vulnerabilities, you should inform others immediately; otherwise, general findings should be noted for the final report. Some common vulnerability scanners and assessment tools are
- Nessus
- SAINT
- ISS Internet Scanner
- NetRecon
- Retina
- SARA
It is important to stay focused on the key systems and information types you identified as most critical during scoping. Performing a level II assessment has much more value after you have verified that the needed policies and procedures are in place and that overall compliance with these documents is acceptable.
Level II Assessment Caveats
A major caveat of level II assessments is that individuals sometimes think that you can just stroll in, run a vulnerability assessment tool, and then you have secured the network against all possible threats. First, these results need to be correlated against the administrative and operational findings discussed earlier. Second, vulnerability scanners typically produce tons of paperwork. Most networks are quite large, and a blind scan against all possible devices will produce a lot of data that will need to be processed and analyzed. It may be necessary to have the supporting infrastructure groups assist in running these tests and analyzing the results. Vulnerability scanners are good at identifying foundational security issues but require substantial input to analyze how the results map to bigger organizational issues. In the end, some organizations are so large that it may not be possible to audit all network devices. You may only be able to sample various sections of the network, and you should indicate that in the report.
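The triage steps described above (escalate critical findings immediately, keep the report focused on the key systems identified during scoping, and state how much of the scope a sampled scan actually reached) can be reduced to a small script. This is an added example, not code from the book or from any of the scanners listed; the CSV columns, hosts and findings are constructed samples, not any vendor's export format.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: a simplified CSV in the style of a scanner export
# (hypothetical columns, not any vendor's real format).
SCAN_CSV = """host,severity,name
10.0.1.10,Critical,Remote code execution in web service
10.0.1.10,Low,Service banner disclosure
10.0.1.20,High,Unpatched SSH service
10.0.2.5,Critical,Remote code execution in web service
10.0.2.7,Medium,Weak TLS configuration
10.0.3.40,Low,Service banner disclosure
"""

# Key systems identified during level I scoping (constructed sample);
# 10.0.1.30 is in scope but was not reached by the scan.
KEY_SYSTEMS = {"10.0.1.10", "10.0.1.20", "10.0.1.30"}
SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Info": 0}

def parse_findings(text):
    """Parse the scanner CSV into a list of finding dicts."""
    return list(csv.DictReader(io.StringIO(text)))

def triage(findings, key_systems):
    """Sort raw scan output into escalations, report content and noise.

    Every Critical finding is escalated wherever it sits; findings on key
    systems go into the report grouped per host, ordered by severity; the
    rest is only counted. Returns (escalate, report, off_scope_count).
    """
    escalate, report, off_scope = [], defaultdict(list), 0
    for f in findings:
        if f["severity"] == "Critical":
            escalate.append(f)
        if f["host"] in key_systems:
            report[f["host"]].append(f)
        elif f["severity"] != "Critical":
            off_scope += 1
    for host_findings in report.values():
        host_findings.sort(key=lambda f: SEVERITY_RANK[f["severity"]], reverse=True)
    return escalate, dict(report), off_scope

def scan_coverage(findings, key_systems):
    """Share of in-scope key systems the scan actually reached (for the
    sampling statement in the report)."""
    reached = {f["host"] for f in findings} & set(key_systems)
    return len(reached) / len(key_systems)
```

Correlating the per-host report against the policy and procedure findings from the level I work is still a manual step; the script only narrows the scan output to what that correlation needs.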