Checklist for Vulnerability Assessment

Transcription

1 Checklist for Vulnerability Assessment

2 Implement processes to test for the presence of wireless access points (802.11), and detect and identify all authorized and unauthorized wireless access points on a quarterly basis. YES NO Note: Methods that may be used in the process include but are not limited to wireless network scans, physical/logical inspections of system components and infrastructure, network access control (NAC), or wireless IDS/IPS. Whichever methods are used, they must be sufficient to detect and identify both authorized and unauthorized devices. Examine policies and procedures to verify processes are defined for detection and identification of both authorized and unauthorized wireless access points on a quarterly basis. Verify that the methodology is adequate to detect and identify any unauthorized wireless access points, including at least the following: WLAN cards inserted into system components Portable or mobile devices attached to system components to create a wireless access point (for example, by USB, etc.) Wireless devices attached to a network port or network device. Examine output from recent wireless scans to verify that: Authorized and unauthorized wireless access points are identified, and The scan is performed at least quarterly for all system components and facilities. If automated monitoring is utilized (for example, wireless IDS/IPS, NAC, etc.), verify the configuration will generate alerts to notify personnel. Maintain an inventory of authorized wireless access points including a documented business justification. Examine documented records to verify that an inventory of authorized wireless access points is maintained and a business justification is documented for all authorized wireless access points. Implement incident response procedures in the event Copyright. All rights reserved. ecfirst

3 unauthorized wireless access points are detected. Examine the organization s incident response plan to verify it defines and requires a response in the event that an unauthorized wireless access point is detected. Interview responsible personnel and/or inspect recent wireless scans and related responses to verify action is taken when unauthorized wireless access points are found. Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades). Note: Multiple scan reports can be combined for the quarterly scan process to show that all systems were scanned and all applicable vulnerabilities have been addressed. Additional documentation may be required to verify non-remediated vulnerabilities are in the process of being addressed. Examine scan reports and supporting documentation to verify that internal and external vulnerability scans are performed as follows: Perform quarterly internal vulnerability scans and rescans as needed, until all high and medium risk vulnerabilities are resolved. Scans must be performed by qualified personnel. Review the scan reports and verify that four quarterly internal scans occurred in the most recent 12-month period. Review the scan reports and verify that the scan process includes rescans until all high and medium risk vulnerabilities identified are resolved. Interview personnel to verify that the scan was performed by a qualified internal resource(s) or qualified external third party, and if applicable, organizational independence of the tester exists. Perform quarterly external vulnerability scans. Perform rescans as needed, until passing scans are achieved. Copyright. All rights reserved. ecfirst

4 Review output from the four most recent quarters of external vulnerability scans and verify that four quarterly external vulnerability scans occurred in the most recent 12-month period. Review the results of each quarterly scan and rescan to verify that the remediation activities have been performed and successfully completed. Review the scan reports to verify that the scans were completed as per defined scope. Perform internal and external scans, and rescans as needed, after any significant change. Scans must be performed by qualified personnel. Inspect and correlate change control documentation and scan reports to verify that system components subject to any significant change were scanned. Review scan reports and verify that the scan process includes rescans until: For external scans, no vulnerabilities exist that are high or medium risk. For internal scans, all high and medium risk vulnerabilities are resolved. Validate that the scan was performed by a qualified internal resource(s) or qualified external third party, and if applicable, organizational independence of the tester exists. Implement a methodology for penetration testing that includes the following: Is based on industry-accepted penetration testing approaches Includes coverage for the entire perimeter that supports systems processing sensitive information and critical systems Includes testing from both inside and outside the network Includes testing to validate any segmentation and scope-reduction controls Defines application-layer penetration tests Defines network-layer penetration tests to include components that support network functions as well as operating systems Includes review and consideration of threats and vulnerabilities experienced in the last 12 months Copyright. All rights reserved. ecfirst

5 Specifies retention of penetration testing results and remediation activities results. Examine penetration-testing methodology and interview responsible personnel to verify a methodology is implemented that includes the following: Is based on industry-accepted penetration testing approaches (for example, NIST SP ) Includes coverage for the entire perimeter that supports systems processing sensitive information and critical systems Testing from both inside and outside the network Includes testing to validate any segmentation and scope-reduction controls Defines application-layer penetration tests Defines network-layer penetration tests to include components that support network functions as well as operating systems Includes review and consideration of threats and vulnerabilities experienced in the last 12 months Specifies retention of penetration testing results and remediation activities results. Perform external penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment). Examine the scope of work and results from the most recent external penetration test to verify that penetration testing is performed as follows: Per the defined methodology At least annually After any significant changes to the environment Verify that the test was performed by a qualified internal resource or qualified external third party, and if applicable, organizational independence of the tester exists. Perform internal penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment). Copyright. All rights reserved. ecfirst

6 Examine the scope of work and results from the most recent internal penetration test to verify that penetration testing is performed at least annually and after any significant changes to the environment. Per the defined methodology At least annually After any significant changes to the environment Verify that the test was performed by a qualified internal resource or qualified external third party, and if applicable, organizational independence of the tester exists. Exploitable vulnerabilities found during penetration testing are corrected and testing is repeated to verify the corrections. Examine penetration testing results to verify that noted exploitable vulnerabilities were corrected and that repeated testing confirmed the vulnerability was corrected. If segmentation is used to isolate segments with confidential information from other networks, perform penetration tests at least annually and after any changes to segmentation controls/methods to verify that the segmentation methods are operational and effective, and isolate all out-of-scope systems from in-scope systems. Examine segmentation controls and review penetration-testing methodology to verify that penetration-testing procedures are defined to test all segmentation methods to confirm they are operational and effective, and isolate all out-of-scope systems from in-scope systems. Examine the results from the most recent penetration test to verify that penetration testing to verify segmentation controls: Is performed at least annually and after any changes to segmentation controls/methods. Covers all segmentation controls/methods in use. Verifies that segmentation methods are operational and effective, and isolate all out-ofscope systems from in-scope systems. Figure 1: Checklist for Vulnerability Assessment. Copyright. All rights reserved. ecfirst

7 Corporate Office 295 NE Venture Drive Waukee, IA United States Toll Free: x17 Phone: x17 Fax: Copyright. All rights reserved. ecfirst