Enterprise Blue Team Assessment
Internet / Internal / Dial-Up
Phase 1 - The On-site Audit/Assessment
• Check the design and implementation of the client's intrusion detection system, if implemented.
• Review firewall design, configuration, alert generation and resolution, and log analysis and management.
• Review web page design, configuration and security.
• Review release level of all machines in the Internet cluster and determine if required patches have been implemented.
• Review network diagram and confirm through network scanning and other techniques.
• Review the Internet access policies and procedures in place to ensure that the Internet policies are consistently enforced.
• Review the Internet incident response procedures and documentation of prior Internet incidents.
• Review management control and oversight of the Internet connections.
• Analyze web content management including regular management review and approval.
• Identify any unauthorized wireless access points to the network.
• Review change control procedures.
• Prepare a report segment for the final report outlining the successful exploits and additional control requirements.
Phase 2 – Internal Threat Assessment
• Members of the Team will connect to the client's internal network using an account provided by the client. A member of the Team will then navigate the network to see the damage that can be done with a normal account.
• Using compromised accounts or, if we are unable to gain access to the internal network, a normal account provided by the client, we will use a series of exploits to gain root or administrative access to servers, network equipment and other machines in the network. We will identify the damage that can be done (place files, harvest files, etc.) once root is captured on any of these machines.
• Once we capture root on one machine, we will use this machine as a firebase to leverage other machines in the network within the scope of the project. We will catalog all machines we are able to access, the type of capabilities we have, and harvest some files to prove access.
Prepare and Issue the Report
• During each audit segment, we will document the tests we performed along with the results of these tests. We will catalog any data harvested and the location of any harmless text files we place on the machines.
• We will prepare a report identifying the issues arising from the assessment along with suggested actions to mitigate the risks.
• We will conduct an exit interview to explain the results of the assessment and to answer any questions management may have.
• We highly recommend that the client observe all phases, thereby enabling up to three members of the client's staff to learn our techniques so they can re-perform internal tests on a periodic basis. Another option is to attend Information Warfare Center's Technical Training.
In our Enterprise Audit/Assessment the focus is 50% technical and 50% on process and procedures. If required for your industry, InfoSec Professionals Services has also developed requirement assessments to review your compliance with regulatory requirements such as those set by Sarbanes-Oxley, GLBA, HIPAA and FISMA.
A typical review includes a review of policies, procedures and a technical analysis of the Windows, Linux and BSD Families. The first step in this audit is the completion of a question and answer self-assessment or checklist. This will reduce the number of billable interview hours required and provide a foundation for the focus of the audit.
1. Prepare the audit checklists and send them to the client for completion
2. Review the completed checklists and prepare supplemental questions
3. Document, spot check and analyze controls over carrier-related network components
o critical process analysis
o multi-pathing capability
o cost containment and reduction opportunities
o business continuance
o disaster preparedness
o network contracts
o Document and analyze controls over circuit-related network components
o wire line circuits
o broadcast circuits
o packet networks
o frame relay
4. Perform a demon-dial attack on the network using numbers provided by the client: a limited dial attack to identify and test the modems (up to 5000 numbers free of charge; more than 5000 numbers for an additional fee). Exercise any unsecured modems while ensuring that we do no harm.
5. Review and assess controls over the Internet and other public networks (external, non-invasive penetration test performed by the InfoSec Professionals Services Team)
o public network connections
o network isolation
o traffic analysis security
6. Document and analyze controls over interconnected networks
o wire line circuits
o client / server and LAN connections
o WAN connections
o trading partner and vendor connections
o temporary connections
o undocumented connectivity
o security and connectivity contracts
7. Verify network and server connectivity and traffic
o run a series of scanners on the network to identify and catalog the hardware configuration
o run port scanners to identify poorly secured ports
o perform an analysis of unusual traffic
o perform an internal penetration test of the network
8. Document and analyze controls over switching equipment
o identification of switching equipment and devices
o bridges and gateways
o filter analysis
o hacker prevention techniques
o penetration detection techniques
o monitoring capability
9. Catalog the network and review network access controls
10. Review and assess controls over network operations and management
o network management
o load management
o network utilization and exception reporting
o problem reporting and resolution
11. Review and assess controls over network segmentation
o determine if the internal network is segmented
o identify and audit any internal firewalls
12. Review the disaster preparedness and network continuity plan
13. Prepare a single point of failure analysis
o external carriers and circuits
o internal circuits
o routers, hubs and multiplexers
o critical data circuit equipment
14. Perform a technical UNIX security analysis on systems within scope of the project.
o run the UNIX audit scripts on several servers and review the results
o perform an inode analysis to identify unusual files and file permissions
15. Perform a security review of the NT servers
o perform a series of automated audit tests and review the results
o review the security and audit settings
o identify the major risks in the NT environment
o determine the patch level of the NT operating systems and review procedures to ensure that the systems are up to current release level
16. Prepare a risk assessment and develop risk mitigation techniques
o consolidate results of checklists and risk assessments & prepare network risk assessment
o identify required controls & implementation options
Prepare and Issue the Final Report
During each review segment, we will document the tests that we performed along with the results of these tests. We will catalog any data harvested and the location of any harmless text files we place on the machines. We will prepare a network vulnerability analysis documenting the risks and include suggested actions to mitigate the risks. We will conduct an exit interview to explain the risks we identified and answer any questions management may have.
We highly recommend that the client observe all phases thereby enabling members of the client's staff to learn our techniques so they can re-perform internal audits on a periodic basis.
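Step 14 above calls for running UNIX audit scripts and an inode analysis to flag unusual files and permissions. The following is an added example of such a check, not a script from the original page or from the assessment team: it walks a directory tree without following symlinks and reports setuid/setgid executables, world-writable files (sticky directories like /tmp excepted) and files whose owner or group no longer exists. The sample tree it builds under a temporary directory is constructed here purely to exercise the checks.

```python
import os
import stat
import pwd
import grp
import tempfile

def classify(st):
    """Findings for one inode from its lstat result; an empty list means nothing unusual."""
    mode = st.st_mode
    findings = []
    if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
        findings.append("setuid/setgid")
    # World-writable is expected only on sticky directories such as /tmp.
    if mode & stat.S_IWOTH and not (stat.S_ISDIR(mode) and mode & stat.S_ISVTX):
        findings.append("world-writable")
    try:
        pwd.getpwuid(st.st_uid)
    except KeyError:
        findings.append("unowned uid %d" % st.st_uid)  # owner deleted, file left behind
    try:
        grp.getgrgid(st.st_gid)
    except KeyError:
        findings.append("unowned gid %d" % st.st_gid)
    return findings

def audit_tree(root):
    """Walk root without following symlinks; return {path relative to root: findings}."""
    report = {}
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are meaningless; its target is audited separately
            findings = classify(st)
            if findings:
                report[os.path.relpath(full, root)] = findings
    return report

def build_sample_tree(root):
    """Constructed sample: a setuid helper, a world-writable config, a clean binary, a sticky dir."""
    for rel, mode in (("bin", 0o755), ("scratch", 0o1777)):
        os.makedirs(os.path.join(root, rel))
        os.chmod(os.path.join(root, rel), mode)
    for rel, mode in (("bin/helper", 0o4755), ("app.conf", 0o666), ("bin/clean", 0o755)):
        open(os.path.join(root, rel), "w").close()
        os.chmod(os.path.join(root, rel), mode)

def demo():
    """Build the sample tree in a temporary directory and return the audit report."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_tree(d)
        return audit_tree(d)

if __name__ == "__main__":
    for path, findings in sorted(demo().items()):
        print(path, "->", ", ".join(findings))
```

Run against a real host, audit_tree("/") with the report diffed against a known-good baseline is the usual way to turn this into the recurring internal check the page recommends.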