IT Security Assessment

INTRODUCTION

This is a service for a security assessment of your organisation's servers, network and security infrastructure.

An assessment such as the one proposed should precede any change to an existing environment, so that its strengths and weaknesses are accurately ascertained.
Any computer connected to an Internet-connected network is exposed to attacks from external sources in addition to internal sources.
Unauthorised access is likely to take many forms, such as disgruntled internal personnel and, more commonly, malware (malicious software: viruses, Trojans, spyware) infiltrating the organisation as email attachments.

The engineering practices and technology used by system providers are often not sufficient to prevent the fielding of systems vulnerable to attack.
Network and system operators do not always follow best practices that would prevent such attacks or minimize damage.
Network security is an arms race between the attackers and the defenders.
The attackers have the initiative, a wide range of tools and the advantage of the element of surprise.
In contrast, the defender's countermeasures are almost purely reactive.
As such, it is impossible to guarantee the security of Internet-connected systems and networks against all possible sources of attack.

However, the threats can be mitigated to an acceptable level on such systems and networks by implementing as many of the following technologies and practices as possible:

Some of these can be implemented with little or no cost to the organization but typically technological solutions have a price.
How much expenditure is required depends on the threat level. A risk assessment will help determine an acceptable level of expenditure.
Military and Internet banking systems are inherently high risk, and no expense should be spared in securing them.
Corporate informational web sites carry a lower risk, which varies with the corporation: high-profile companies have a correspondingly higher risk.

Security measures need to be implemented and, more importantly, maintained by a technically strong systems and network administration team. In almost all cases, it is critical to create a dedicated security team to work full time on securing the systems and networks.

The security of a system is time dependent. At the time of implementation of a security system a network may be considered reasonably secure but its security degrades over time and constantly needs to be upgraded.
System administration and operations teams rarely have the resources (know-how, manpower and time) to do the job adequately.
Most security incidents are not due to sophisticated attackers using cutting-edge tools but to casual attackers using freely available tools to exploit well-known and long-standing vulnerabilities in systems and networks. Such incidents should have been preventable with simple measures.

These measures should deter casual attackers, but there is still no guarantee of security against a sophisticated, persistent or patient attacker.

These security measures are in place to detect such an intruder (intrusion detection), observe his actions (audit trails and logging) and slow him down enough (multi layered defense) to react effectively to him (incident management and recovery) and prevent him from doing any real damage (damage control).

PRE-REQUISITES

Before an assessment can begin, a number of resources will need to be furnished to the auditors.
If possible, this information should be provided before the audit begins; otherwise, information gathering will delay the audit process.
These are:

  1. An inventory of network equipment (routers, hubs, switches, etc.) and systems (personal computers, workstations, laptops and servers). As much detail as possible is required, for example operating system versions, patch levels and IP addresses.
  2. A network diagram showing the location of systems (servers, workstations, laptops and personal computers), network equipment and Internet connections.
  3. Any procedure and policy documents for security and systems operations.

SCOPE

The assessment will cover various aspects such as systems, network, procedures and policies and includes the following: