Our Approach and Methodology
SecureState provides a comprehensive assessment of organizations’
Certification and Accreditation (C&A) packages, with specific emphasis on
requirements. During this phase, the team will complete the following tasks:
- Assessment of C&A packages for application systems
- Preparation of C&A supporting documents, including a program assessment
report that meets FISMA compliance
- Provision of recommendations for improvements to the IT security program,
including the specific actions that will result in successful implementation
of those recommendations and, as needed, implementation of the
recommendations/actions from the previous task
- Identify existing and/or potential IT security weaknesses
SecureState specializes in providing comprehensive assessments of C&A
packages. Depending on the control, the team will perform a variety of the
following types of assessments:
- Internal and External Penetration Test
- Vulnerability Scans
- Documentation Review
- Observations
- Interviews
Penetration Testing:
Our Penetration Testing Methodology has four phases. It is based on NIST
Special Publication 800-115, “Technical Guide to Information Security Testing
and Assessment” (September 2008). The four phases are as follows:
- Planning phase:
Rules are identified, management approval is finalized, and the testing
goals are set. No actual testing occurs in the planning phase. The
planning phase is one week long. A kickoff meeting will be conducted
with the PSC management and system/network administration personnel and
the Penetration Test Team. In the planning phase, rules of engagement,
test plans, and written permission are developed and signed. If desired,
the client may prioritize its highest-valued assets, or “trophies,” on
which SecureState can focus its efforts.
- Discovery phase:
Services, applications, and operating systems identified on scanned hosts
are compared against vulnerability databases (for vulnerability scanners
this process is automatic).
- Attack phase:
Previously identified potential vulnerabilities are verified by
attempting to exploit them. If an attack is successful, the
vulnerability is verified and safeguards are identified to
mitigate the associated security exposure. Additional analysis or
testing is required to determine the true level of risk for the network.
- Reporting Phase:
The reporting phase occurs simultaneously with the other three phases of
the Penetration Test. In the discovery and attack phases, written logs
are usually kept and periodic reports are made to system administrators
and/or management, as appropriate. At the end of the test an overall
testing report is developed to describe the identified vulnerabilities,
provide a risk rating, and to give guidance on the mitigation of the
discovered weaknesses.
Toolset:
SecureState leverages hundreds of tools throughout the course of our
Penetration Test. From custom-developed exploitation tools, to open source
tools such as the Back-Track distribution, to market-leading scanning
tools such as Qualys, SecureState looks to leverage the right blend of
automated tools and manual expertise to identify and exploit known and
unknown vulnerabilities within your client’s systems. A sample of tools that
could be leveraged during the testing includes:
- Metasploit
- Burp-Pro
- NMAP
- Fast-Track (the Fast-Track tool set within Back-Track was developed by
SecureState security consultants)
- FOCA
- Maltego
- A variety of tools from the Back-Track Suite
Vulnerability Assessment:
SecureState’s Vulnerability Assessment combines the latest industry-leading
scanning engines for networks, operating systems, web servers, and web
applications into one overall cost-effective solution for our customers.
The Vulnerability Assessment is a focused and controlled vulnerability
analysis of the client’s internal and external presence. The analysis
consists of deploying multiple vulnerability scanning engines to identify
potential security exposures within internet-facing systems. Vulnerability
Assessments are typically “health checks” for most organizations, ensuring
that a mature security program is being maintained and continuously updated.
Most organizations that have current Vulnerability Assessment solutions
completely miss multiple layers of security, mostly on the web application
side. SecureState focuses heavily on all aspects of your external perimeter
to ensure all layers are covered. It is estimated that over eighty percent
of all breaches occur at the web application layer, yet it is often
overlooked and not assessed.
Vulnerability scanners are notorious for outputting numerous false
positives that are not applicable to a given environment. SecureState
engineers manually review most scanner outputs and customize a detailed
report that is applicable only to your environment.
Lastly, SecureState does not perform Denial of Service activities unless
specifically requested. All SecureState External Vulnerability Assessments
ensure that Denial of Service activities are not performed. However,
Vulnerability Assessments can increase internet-based traffic and bandwidth
usage. SecureState generally recommends that these Assessments be performed
off-hours, although the impact on performance is generally low.
Documentation Review:
SecureState will review the documented policies, procedures, and plans
that are currently in place. These documents will be reviewed in accordance
with NIST 800-53 Rev. 2 and Rev. 3.
Observations:
SecureState will perform a visual test/examination of the policies,
procedures, and plans that are in operation to determine their compliance.
This test will ensure that the policies, plans, and procedures can be
completed in compliance with NIST 800-53 Rev. 2 and Rev. 3.
Interviews:
SecureState will have discussions with key system owners and
administrators to determine their day-to-day activities and ensure they are
in compliance with both the requirements and policies in place.