SP 800-42 Guideline on Network Security Testing
NTS435 Final Project
DANIEL HOWELL
[COMPANY NAME]
Table of Contents
Introduction
Section 1: Purpose
Section 2: Concerns and Constraints
2.1: Concerns List
Section 3: Equipment and Personnel
3.1 Equipment
3.2 Personnel
Section 4: System Evaluation
Section 5: Testing
5.1: Pre Assessment
5.2: System Testing
5.3: Post Assessment
Section 6: Budget
Section 7: Implementation Time Line
Section 8: Benefits
Section 9: Conclusion
Reference
Introduction
As computer systems continue to advance and become more ingrained in everyday life, strong
cyber security measures need to be reinforced. Malicious hackers are always on the lookout for a
way into a system. Once they are inside, they can steal any information that is there. To
counteract this, companies have developed cyber security tools and techniques to detect and stop
attackers. This is not a fix-all solution because new exploits and vulnerabilities are discovered
or created each day. In order to provide continued security for a system, organizations test their
security measures by attacking the system themselves and using specially developed tools to
search for known vulnerabilities. Measures such as these are implemented in security testing plans.
The implementation of the plan is simple. It will not require much in the way of hardware. All
the programs that are suggested in this document are open source. There are paid versions of
many of the programs, but for this document we are focusing only on the open source programs.
There is a requirement for skilled personnel who are capable of operating the programs and
hardware needed for testing purposes. The implementation of the security plan is outlined in
section 8 of this document.
The security plan itself involves a combination of multiple security testing tools and
techniques that are covered in section 5. Many of the tools and techniques accomplish the same
task but are required to ensure accurate results. Section 2 includes the list of possible concerns
and restrictions that should be observed during the testing phase of the security plan. Parts of
the NSA assessment methodology will be used to assess and document testing phases.
Section 1: Purpose
The purpose of this document is to outline the implementation of an INFOSEC system security
testing policy. The policy is meant to ensure that mission-critical systems are properly secured
at all times. This includes the implementation of security measures as well as a testing plan for
the systems. The security implementation plan is meant to set up the security of the system. The
security testing plan is meant to ensure future protection against malicious individuals or
organizations by testing the security measures put in place by the implementation plan. The
guidelines in this document are intended to show the security testing tools and techniques that
are used by industry professionals. This does not mean that the tools and techniques listed are
the only ones that can be used. As long as a diverse set of tools and techniques is used, the
security testing plan will be effective. This document does not list the minimum security
standards that are set in the Federal Information Processing Standards (FIPS). It only covers the
possible implementation of a security testing protocol for a standard business network.
Section 2: Concerns and Constraints
This section covers the concerns and constraints that may arise during a security system test.
Before beginning a test of the system security, rules need to be worked out with the owner of the
systems. A business cannot have an outage that would result in a loss of profit. The owner of the
system should provide a list of restrictions so the testers can work out a schedule.
The list is made by the owner of the system being tested. Boundaries need to be set for the
testers. They need to know exactly what systems they are testing and what systems to leave
alone. In the event they are testing every system, there should be a list of restricted
addresses/hosts that are left alone. Legal documentation should be on record to protect both the
owners of the system being tested and the testers. The owners of the system should also provide a
list of acceptable testing techniques and tools as well as a list of unacceptable testing
techniques and tools. A list of contacts should include the key users of the systems being tested.
This is to ensure that in the event of an incident the testers report the issues.
Section 3: Equipment and Personnel
This section outlines the equipment and personnel that will be needed in order to conduct a
quality test. The cost of the equipment and personnel will be covered in section 6 of this
document. The equipment used for the testing is mostly software-based tools. Testing a system
does not require a great amount of physical equipment.
3.1 Equipment
The equipment needed to do the testing is primarily software tools. The only physical equipment
needed is a laptop computer with at least four gigabytes of RAM, a quad-core processor, and a
500-gigabyte hard drive. The software that will be used is the most important part. Table 2 has a
brief list of possible tools. The tools should include at least three types of vulnerability
scanners, a network scanner, penetration testing tools, and application scanners. A documentation
tool is also recommended.
Table 2: Useful Tools
Equipment | Description
Laptop |
Nessus | Vulnerability Scanner
OpenVAS | Vulnerability Scanner
Ophcrack | Password Cracker
Hashcat | Password Cracker
Metasploit |
3.2 Personnel
The personnel needed depends on whether the system is being tested by an internal team or a
third-party organization. A third-party company could charge several thousand dollars; however,
this depends on the size and scope of the system being tested. It is best to involve a team of
testers, not just one person. The personnel should be trained on how to use the tools and
equipment as well as how to generate a report with the results.
Section 4: System Evaluation
Before scanning and testing a system, the testing team needs to have details about the system in
question. Table 3 contains a list of some of the key information that should be given to the team.
Based on this information the team will be able to plan out their timeline and establish the
scope. The evaluation information is similar to the concerns and constraints list. The team should
follow the NSA assessment methodology when gathering information on the system.
Table 3: Evaluation Information
Devices on the network
What is on the servers
Concerns and constraint list
Operating systems
List of users
Current software on system
Section 5: Testing
This section covers the testing methods and tools used during the testing. The system testing is
broken up into three parts: the pre-assessment phase, system testing, and the post-assessment
phase. What happens before and after the test of the system is just as important as the actual
test itself. Each step taken during each part of the test needs to be documented for legal purposes.
Section 6: Budget
The cost of implementing network security testing can be next to nothing or can be several thousand
dollars, depending on the scope of the test. The system owners can save some money and test it with an
internal team or could pay a third-party team to perform the test. It is recommended that both are done to
ensure thorough testing of the system. Regular testing is a necessary expense, as an actual data breach
could destroy a company.
Section 7: Implementation Time Line
Estimate Time
1-2 weeks
Pre assessment
1-2 weeks
Begin testing
3-4 weeks
Post assessment
1-2 weeks
Fix vulnerabilities
1-2 weeks
Section 8: Benefits
This section covers the benefits that come with regular system security testing. Regular testing of a
system can keep a company secure against the numerous threats that arise every day. It should be
noted that there is no such thing as 100% secure.
Section 9: Conclusion
In conclusion, the implementation of a regular network security testing plan is a worthwhile investment.
Many tools are available for free and the equipment needed is inexpensive. Having multiple teams or
people working on the testing at different times can ensure a thorough test. The testing team needs to
follow a set methodology such as the NSA assessment methodology.
Reference
Evans, D. L., Bond, P. J., & Bement, A. L. (2003, October). Guideline on Network Security
Testing. Retrieved April 27, 2016, from http://www.iwar.org.uk/comsec/resources/netsectesting/sp800-42.pdf
NSA IAM and IEM Summary. http://taosecurity.blogspot.com/2007/09/nsa-iam-and-iem-summary.html