Step 1: Conduct a Security Analysis Baseline
In the first step of the project, you will conduct a security analysis baseline of the IT systems, which will include a data-flow diagram of connections and endpoints, and all types of access points, including wireless. The baseline report will be part of the overall security assessment report (SAR).
Get your information from this data-flow diagram and report, which is generated by the Microsoft Threat Modeling Tool 2016. The scope should include network IT security for the whole organization.
Include the following areas in this portion of the SAR:
• Security requirements and goals for the preliminary security baseline activity.
• Typical attacks to enterprise networks and their descriptions. Include Trojans, viruses, worms, denial of service, session hijacking, and social engineering. Include the impacts these attacks have on an organization.
• Network infrastructure and diagram, including configuration and connections. Describe the security posture with respect to these components and the security employed: local area network (LAN), metropolitan area network (MAN), wide area network (WAN), enterprise. Use these questions to guide you:
o What are the security risks and concerns?
o What are ways to get real-time understanding of the security posture at any time?
o How regularly should the security of the enterprise network be tested, and what type of tests should be used?
o What are the processes in play, or to be established, to respond to an incident?
o Workforce skill is a critical success factor in any security program, and any security assessment must also review this component.
o Is there an adequate professional development roadmap in place to maintain and/or improve the skill set as needed?
o Describe the ways to detect the malicious code covered above (Trojans, viruses, worms) and the tactics bad actors use to evade detection.
• Public and private access areas, web access points. Include in the network diagram the delineation between open and closed networks, where they coexist, and show the connections to the internet.
• Physical hardware components. Include routers and switches. What security weaknesses or vulnerabilities are within these devices?
• Operating systems, servers, and network management systems as they relate to data-in-transit vulnerabilities:
o endpoint access vulnerabilities
o external storage vulnerabilities
o media access control and Ethernet vulnerabilities
o virtual private network vulnerabilities
• Possible applications. This network will incorporate a BYOD (bring your own device) policy in the future. The IT auditing team and leadership need to understand current mobile applications and possible future applications and other wireless integrations.
Step 2: Determine a Network Defense Strategy
Now it’s time to determine the best defenses for your network.
Identify how you will assess the effectiveness of these controls and write test procedures that could be used to test for effectiveness. Write them in a manner to allow a future information systems security officer to use them in preparing for an IT security audit or IT certification and accreditation. Within this portion of the SAR, explain the different testing types (black, white, and gray box testing).
Include these test plans in the SAR. The strategy should take up at least two of the 12 pages of the overall report.
Step 3: Plan the Penetration Testing Engagement
Now that you’ve completed your test plans, it’s time to define your penetration testing process. Include all involved processes, people, and time frame. Develop a letter of intent to the organization, and within the letter, include some formal rules of engagement (ROE). The process and any documents can be notional or can refer to actual use cases.