4/26/2016

SP 800-42 Guideline on Network Security Testing
NTS435 Final Project

DANIEL HOWELL
[COMPANY NAME]

Table of Contents
Introduction
Section 1: Purpose
Section 2: Concerns and Constraints
2.1: Concerns List
Section 3: Equipment and Personnel
3.1 Equipment
3.2 Personnel
Section 4: System Evaluation
Section 5: Testing
5.1: Pre Assessment
5.2: System Testing
5.3: Post Assessment
Section 6: Budget
Section 7: Implementation Time Line
Section 8: Benefits
Section 9: Conclusion
Reference

Introduction
As computer systems continue to advance and become more ingrained in everyday life, strong
cyber security measures need to be reinforced. Malicious hackers are always on the lookout for a
way into a system. Once they are inside, they can steal any information that is there. To counteract
this, companies have developed cyber security tools and techniques to detect and stop attackers.
This was not a fix-all solution because new exploits and vulnerabilities are discovered or created
each day. In order to provide continued security for a system, organizations test their security
measures by attacking it themselves and using specially developed tools to search for known
vulnerabilities. Measures such as these are implemented in security testing plans.

The implementation of the plan is simple. It will not require much in the way of hardware. All
the programs that are suggested in this document are open source. There are paid versions of
many of the programs, but for this document we are only focusing on the open source programs.
There is a requirement for skilled personnel who are capable of operating the programs and
hardware needed for testing purposes. The implementation of the security plan is outlined in
section 8 of this document.

The security plan itself involves a combination of multiple security testing tools and
techniques that are covered in section 5. Many of the tools and techniques accomplish the same
task but are required to ensure accurate results. Section 2 includes the list of possible concerns
and restrictions that should be observed during the testing phase of the security plan. Parts of the
NSA assessment methodology will be used to assess and document testing phases.

Section 1: Purpose
The purpose of this document is to outline the implementation of an INFOSEC system security
testing policy. The policy is meant to ensure that mission critical systems are properly secured at
all times. This includes the implementation of security measures as well as a testing plan for the
systems. The security implementation plan is meant to set up the security of the system. The
security testing plan is meant to ensure future protection against malicious individuals or
organizations by testing the security measures put in place by the implementation plan. The
guidelines in this document are intended to show the security testing tools and techniques that
are used by industry professionals. This does not mean that the tools and techniques listed are the
only ones that can be used. As long as a diverse set of tools and techniques is used, the security
testing plan will be effective. This document does not list the minimum security standards that are
set in the Federal Information Processing Standards (FIPS). It only covers the possible
implementation of a security testing protocol for a standard business network.
Section 2: Concerns and Constraints
This section covers the concerns and constraints that may occur during a security system test.
Before beginning a test of the system, security rules need to be worked out with the owner of the
systems. A business cannot have an outage that would result in a loss of profit. The owner of the
system should provide a list of restrictions so the testers can work out a schedule.

2.1: Concerns List

The system needs to be tested to ensure the new security measures are up to date; however, the
system needs to remain operational for daily business operations. There is a list of concerns and
constraints that need to be observed while testing the system. The following is a general list of
concerns that may be presented during a test:

Table 1: list of concerns


Systems being tested
Systems not being tested
Restricted addresses/hosts
Legal documents
Acceptable testing techniques
Unacceptable testing techniques
Points of contact

The list is made by the owner of the system being tested. Boundaries need to be set for the
testers. They need to know exactly what systems they are testing and what systems to leave
alone. In the event they are testing every system, there should be a list of restricted addresses/hosts
that are left alone. Legal documentation should be on record to protect both the owners of the
system being tested and the testers. The owners of the system should also provide a list of
acceptable testing techniques and tools as well as a list of unacceptable testing techniques and
tools. A list of contacts should include the key users of the systems being tested. This is to ensure
that in the event of an incident the testers report the issues.
Section 3: Equipment and Personnel
This section outlines the equipment and personnel that will be needed in order to conduct a
quality test. The cost of the equipment and personnel will be covered in section 6 of this
document. The equipment used for the testing is mostly software based tools. Testing a system
does not require a great amount of physical equipment.

3.1 Equipment
The equipment needed to do the testing is primarily software tools. The only physical equipment
needed is a laptop computer with at least four gigabytes of RAM, a quad core processor, and a 500
gigabyte hard drive. The software that will be used is the most important part. Table 2 has a
brief list of possible tools. The tools should include at least three types of vulnerability scanners,
a network scanner, penetration testing tools, and application scanners. A documentation tool is
also recommended.
Table 2: Useful Tools

Equipment | Description
Laptop | Four gigabytes of RAM, a quad core processor, and a 500 gigabyte hard drive
Nessus | Vulnerability scanner
OpenVAS | Vulnerability scanner
Ophcrack | Password cracker
Hashcat | Password cracker
Metasploit | Penetration testing tool
Social engineering tool kit | Penetration testing tool

3.2 Personnel
The personnel needed depends on whether the system is being tested by an internal team or a
third party organization. A third party company could charge several thousand; however, this
depends on the size and scope of the system being tested. It is best to involve a team of testers,
not just one person. The personnel should be trained on how to use the tools and equipment as
well as how to generate a report with the results.
Section 4: System Evaluation
Before scanning and testing a system, the testing team needs to have details about the system in
question. Table 3 contains a list of some of the key information that should be given to the team.
Based on this information the team will be able to plan out their time line and establish the
scope. The evaluation information is similar to the concerns and constraints list. The team should
follow the NSA assessment methodology when gathering information on the system.
Table 3: Evaluation Information
Devices on the network
What is on the servers
Concerns and constraint list
Operating systems
List of users
Current software on system

Section 5: Testing
This section covers the testing method and tools used during the testing. The system testing is
broken up into three parts: the pre assessment phase, system testing, and the post assessment phase.
What happens before and after the test of the system is just as important as the actual test itself.
Each step taken during each part of the test needs to be documented for legal purposes.

5.1: Pre Assessment


The pre assessment phase is similar to the system evaluation covered in section 4. The pre assessment
should also include a list of actions that the team wants to take during the testing phase and the tools
that are going to be used. The team should plan out the entire testing phase in the pre assessment
phase. This should all be documented and given to the owner of the system to review and approve.
Once it is approved the team can begin the testing phase.

5.2: System Testing


This phase is where the actual testing of the system is done. The testing should only be done on
approved systems with approved tools. All testing should occur during scheduled hours. During this phase
documentation of all actions is critical, even if the actions failed. In the event a vulnerability is found and
exploited successfully, the team needs to document every step taken to perform the exploit. The use of the
tools should be documented as well. If a tool is capable of generating a report based on the results of
the scan, that report needs to be included in the documentation.
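
The concerns list in section 2.1 and the rules in section 5.2 can be enforced before any tool is launched. The following is an added example, not part of the original project: a small Python gate that checks a target, tool and time against the agreed rules and records every request, including denied ones. The addresses, tool list, time window and function names are assumptions made for illustration.

```python
import ipaddress
from datetime import datetime, time

# Constructed rules of engagement; every value here is an illustrative assumption.
RULES = {
    "in_scope": ["10.20.0.0/24"],            # systems being tested
    "restricted": ["10.20.0.5"],             # restricted addresses/hosts
    "approved_tools": {"nessus", "openvas"},  # acceptable testing tools
    "window": (time(22, 0), time(4, 0)),     # scheduled hours (wraps midnight)
}

def in_window(now, window):
    """True if now falls inside the scheduled window, including overnight ones."""
    start, end = window
    t = now.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end

def _matches(addr, networks):
    return any(addr in ipaddress.ip_network(n) for n in networks)

def authorize(target, tool, now, rules=RULES, log=None):
    """Return (allowed, reason); record every request, denied ones included."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        addr = None
    if addr is None:
        verdict = (False, "invalid address")
    elif _matches(addr, rules["restricted"]):   # restrictions win over scope
        verdict = (False, "restricted host")
    elif not _matches(addr, rules["in_scope"]):
        verdict = (False, "out of scope")
    elif tool.lower() not in rules["approved_tools"]:
        verdict = (False, "tool not approved")
    elif not in_window(now, rules["window"]):
        verdict = (False, "outside scheduled hours")
    else:
        verdict = (True, "approved")
    if log is not None:
        log.append({"time": now.isoformat(), "target": target, "tool": tool,
                    "allowed": verdict[0], "reason": verdict[1]})
    return verdict
```

The log list collected this way can be attached to the test documentation, so the report shows both the actions taken and the requests that were refused.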

5.3: Post Assessment


The post assessment takes place after all tests on the system are completed. The team will review all
the data collected during the testing and compile it all into a final report. The report should include a
copy of the information from the pre assessment phase and the testing phase. At the end of the report the
team should include recommendations to fix or improve the system. It should be noted that the
recommendations are only given as an opinion from the testers and are not the only option available or a
sure fix for an issue.

Section 6: Budget
The cost of implementing network security testing can be next to nothing or cost several thousand
dollars depending on the scope of the test. The system owners can save some money and test it with an
internal team or could pay a third party team to perform the test. It is recommended that both are done to
ensure thorough testing of the system. Regular testing is a necessary expense, as an actual data breach
could destroy a company.

Section 7: Implementation Time Line


A time line with estimated completion dates should also be created before testing commences. The testers
will have an idea of how long it will take to perform an accurate test of the systems. The testers need to
schedule some actions so they do not interrupt critical services on the system. The pre assessment,
testing, post assessment, and recommendations are covered in detail in section 5. The amount of time each
phase on the time line takes will depend on the size of the network and the scope of the test. The times
listed in Table 3 are just examples.

Table 4: Time Line

Task | Estimated Time
Create time line for security test | 1-2 weeks
Pre assessment | 1-2 weeks
Begin testing | 3-4 weeks
Post assessment | 1-2 weeks
Fix vulnerabilities | 1-2 weeks

Section 8: Benefits
This section covers the benefits that come with regular system security testing. Regular testing of a
system can keep a company secure against the numerous threats that arise every day. It should be
noted that there is no such thing as 100% secure.

Section 9: Conclusion
In conclusion, the implementation of a regular network security testing plan is a worthwhile investment.
Many tools are available for free and the equipment needed is inexpensive. Having multiple teams or
people working on the testing at different times can ensure a thorough test. The testing team needs to
follow a set methodology such as the NSA assessment methodology.

Reference
Evans, D. L., Bond, P. J., & Bement, A. L. (2003, October). Guideline on Network Security
Testing. Retrieved April 27, 2016, from http://www.iwar.org.uk/comsec/resources/netsectesting/sp800-42.pdf
NSA IAM and IEM Summary. http://taosecurity.blogspot.com/2007/09/nsa-iam-and-iem-summary.html