Statement of Work
Prepared For
< Your Company >
by
Internet Security Corporation
1) Our Understanding
The network certification process is composed of two distinct phases:
data collection or research, and report preparation. There is some
prefatory work that must be done before the research phase such as
deciding on the network to certify, domain name service contents and
context, etc. Typically we, Internet Security Corporation, are
provided these details; sometimes we are invited to discover them for
ourselves as part of the work. There are two prerequisites to be met
before the research phase can commence. We must have A) written
authority to probe the client network (a signed contract with this
statement of work as an appendix) and B) a
waiver of liability for any disruption caused
by situations or equipment that we are not aware of. It is seldom,
but not unheard of, for our research probes to overload network
equipment in a disruptive fashion. We make every effort to avoid
this, but we cannot anticipate local conditions or the consequences
they may cause. An example of this kind of disruption might be
a file system filling up due to swollen security logs aggravated by
our probes. We, therefore, urge the client to have an administrator
either present or readily available to assist if needed.
A network that is certified to meet generally accepted standards should not
be thought to be invulnerable. As our report spells out, a determined vandal
or criminal has virtually unlimited time to conduct surveillance and
discover latent flaws in the network defenses. Our research is only a few
hours of surveillance, so we cannot be expected to discover what would
occupy a capable intruder for several weeks or months. The client may,
however, expect that our skill and expertise are such that the network
defenses have been evaluated in sufficient depth and detail to provide
confidence that they are effective against any but the most determined and
accomplished miscreant. The best analogy to this is protecting a residence
from burglars. A home cannot be completely immune to burglary if it is to
be usable as a home. On the other hand, every practical precaution can be
taken to deter all but the most determined and proficient criminal.
2) Research Activities
The research phase consists of rapid scans of the client network to
ascertain what services it offers and whether or not any services
discovered represent an unacceptable security risk. The scans are
conducted with tools of our choosing, best fitted to the nature of the
network defenses we are evaluating. One such tool is the SAINT
toolset, but we have several others we would employ if the network
defenses are effective against SAINT. In addition to the port and
service scans, we make directed attacks on common services to discover
any vulnerabilities that are known to exist. Examples of common services
are the Mail Transfer Agent (often sendmail), domain name
service (DNS), uucp, NFS, NIS, etc. When we are able to determine what
operating systems are installed on unprotected machines, we will
confirm that the known patches to correct vulnerabilities have been
applied. If we are able to discover any vulnerability in the network,
we will pursue it and determine the severity of the risk it presents.
If the exposure is severe, we will immediately notify the client
system administrator with suggestions for immediate action. The
research phase is typically done late at night or over a weekend to
avoid disruption of network services during normal business hours.
Since the research is conducted over the Internet, those times are
also best for lower overall traffic congestion. The data collection
research normally takes three to four hours. We may revisit the
network following that period, but the traffic burden will be minimal.
3) Analysis Activities
Following the data collection and preliminary analysis we will examine the
results and ascertain whether or not there are any vulnerabilities that we
did not detect while collecting the data. If there are any additional
discoveries, we will attempt to exploit them and develop an estimate of the
risk they present. Again, if the risk is significant, the client administrator
will be notified promptly by telephone or facsimile, and the certification report
will be prepared from the reduced research data.
4) Deliverables: The Certification Report
The certification report spells out what was done, when it was done, by whom
it was done, and what was found. While it is largely factual in nature, with
the pertinent data observations used to illustrate the facts, we reserve the
right to critique and extrapolate based on our network security experience.
The report
clearly differentiates among what is developed from evidence, what is
a matter of policy, and what is our opinion. The report will make specific
recommendations regarding remedies for situations we discover. We will also
offer advice regarding things that we think should be done whether there are
data to support the recommendation(s) or not.
The purpose of the certification report is to provide management (technical
and non-technical), as well as security practitioners, with an evaluation of
your network defenses and suggested remedies for things we think require
attention. Some of the evaluated items may not be within the direct control
of the client organization. For example, the Internet Service Provider may
restrict the client's access to routing equipment whose configuration is more
permissive than we believe is prudent. The report will make recommendations
for ways to work around situations like that.
The work product of the certification, in addition to the report, is our
certificate to client management that the network is defended within the
generally accepted principles of network security. The certificate is very
similar to an auditor's report in a corporation's annual report and should be
interpreted as such.
5) ISC Responsibilities
Following the presentation of the report, our personnel remain available to
consult with client staff regarding the report, its recommendations, and the
associated risks or consequences of things we found. Virtually all of our
certification clients request a recertification at some later date to confirm
that their remedial efforts have been effective. Some of our clients
engage us for periodic "check-up" certifications to ensure that no new
vulnerabilities have crept in unnoticed. Internet Security Corporation is
committed to the ongoing process of ensuring secure networks for all of our
clients. We are eager to assist in whatever ways are deemed appropriate.