Methodology

#

The following section describes the methodology and testing used during the review. m3ip uses the commercial tool suite NeXpose Vulnerability Management and Metasploit Professional (developed by Rapid7 - the leader in threat and vulnerability management and penetration testing software) to test external or Internet facing hosts (accessible to the Public) hosts.

The NeXpose service tests the external hosts against a comprehensive vulnerability knowledgebase that incorporates over that conducts over 75,000 vulnerability checks for more than 22,000 vulnerabilities across physical and virtual networks, operating systems, databases and web applications. Metasplot Professional, the market leader in commercial intrusion and penetration testing, was used to verify any exploitable issues that were found in the institutions internal or external infrastructure; We also use several open source tools to scan and interrogate internal and external hosts.

We use a methodology for the risk ratings which uses a 5 point scale for rating risk that incorporates consideration of three factors:

1. The threat that an attack or event will occur (global attack trends, general awareness of the potential exploit involved, industry specific threat factors, etc.)

2. The nature of the vulnerability (the relative ease of exploiting the vulnerability, the type of results expected (e.g., remote control, full system access, information disclosure, etc.)

3. How attractive the asset is to potential attackers (how valuable is it, how easily can it be converted into value, etc.)

Each of these factors has an incremental impact on the final rating, and is rated on a 1 to 5 scale from low too high for each category.  The net result is that the lowest risk factor that can be achieved is a "3" and the highest is a "15".

The scale has (5) values of risk: Critical, Elevated, High, Moderate and Low.

Critical - requires immediate attention. It indicates that either a very high security risk exists like potential hacker attack or compromise in confidentiality/integrity or availability of data. In either case, highest priority is to be given to such categories.

Elevated - requires attention within a 1-2 week time frame. It indicates that elevated and potential high security risk exists like attack or compromise in confidentiality/integrity or availability of data. In either case, elevated priority is to be given to such categories.

High - requires attention within a 30 day time frame. It indicates that either a security risk exists or availability of data. In either case, prioritized priority is to be given to such categories.

Moderate - requires short term attention. It indicates a security risk like all users have access to resources. Projects need to be developed within a period of 2-4 months to mitigate this category of risk.

Low - requires long term attention. It does not indicate a major or minor security risk, but something that requires correction to avoid escalation into a major or minor security risk. Projects need to be developed within a period of 6-12 months to mitigate this category of risk.

The core stages of any compliance/intrusion testing/security assessment include:

Testing

TCP/UDP services detection - Once the ports have been found open, the scanner will try to identify which services are running on all the identified ports. We do not intend to just rely on the open port finding in order to identify the service that is running on that port. We would prefer to perform an active discovery, this way we can confirm which port has what service running on it;

Rapid7 Nexpose Security Console Vulnerability Assessment & Metasploit Professional Penetration Testing Suite - Once our suite has been able to identify the specific services running on each of the open port, it will perform the actual assessment. The suite will first try to check the version of the service in order to detect only vulnerabilities that affect this specific service. A good example of this is when an http service has been found running, the scanner will try to identify if it is an Apache, IIS or Domino server and that it has any other http services running in order to select only the vulnerabilities that are known for these service. Every vulnerability detection is non-intrusive, meaning that the scanner will never try to exploit the vulnerability if this exploit could affect your servers responsiveness, integrity and availability;

1. Network ping sweeps using Zenmap and NexPose to check for active hosts;
2. Port or service scanning (TCP/UDP);
3. Firewall or Security appliance detection;
4. Operating System (OS) detection.

Enumeration

Enumeration testing involves the active connections to systems and its directed queries. The type of enumeration used by hackers can be classified as follows:
 Applications and Banners
 IOS herald and banners
 Application banners include the type of server hardware and web server software
 
 Network Resources and Shares
 Microsoft Windows network and domains
 Cisco IOS and SIOS router enumeration
 SNMP enumeration
 BGP enumeration
 User Accounts and Groups
 Unix user accounts and groups
 Windows user accounts

All test results will be compared and analyzed against the NIST Special Publication 800-42, Guideline on Network Security testing standards. Finally, the results of the analysis were formulated into recommendations and are provided in this document. The recommendations are made by m3ip in this report, are based on industry experience and best current industry security practices. We are closely associated with the recommendations made by industry leaders like NSA (National Security Agency), SANS Institute (SysAdmin, Audit, Network, and Security), CERT (Computer Emergency Response Team) and NIST (National Institute of Standards Technology).