[unisog] Network security auditing

Paul Schmehl pauls at utdallas.edu
Tue Jun 4 20:09:37 GMT 2002

Make sure the contract clearly spells out what the vendor 
will do and what reports they will provide.  IOW, what the 
deliverables are.  They should be willing to specify what 
tools they use (by name) and what methods they employ to do 
their testing.

There are three areas of analysis:
1) Infosec posture
  a) policies and procedures
  b) general "status" of equipment (patching, etc.)
  c) security awareness of the "community" in general
  d) network design parameters
  e) labor intensive and time consuming
  f) expensive

2) Vulnerability analysis
  a) patch levels
  b) unnecessary services
  c) "unknown" weaknesses
  d) mostly automated and short-term, intense
  e) expense depends on the depth of testing (how many 

3) Penetration testing
  a) attempted breakins
  b) highly focused - critical nodes and services
  c) very expensive

You don't want a vendor to tell you that you need a 
firewall.  Duh!!  You want one that can tell you what 
present policies and procedures are counterproductive to 
security and why.  What present methods of system 
administration are lacking and why.  Where the weaknesses 
are and what your options are for strengthening them.

Ask them for a sample report so you can see what they 
produce.  And definitely ask for references.

--On Monday, June 03, 2002 9:35 AM -0400 Erik Ball 
<Ball at xavier.edu> wrote:

> We are throwing around the idea of having an outside
> company perform an all inclusive network security audit.
> We are still collecting information.  I was wondering if
> there were any organizations that you have dealt with and
> how impressed/unimpressed you were with them?  Did you
> see it as being worthwhile?  Would you recommend one
> company over another?
> Thanks,
> Erik Ball
> --------------------------------
> Xavier University
> Network Security Engineer

Paul Schmehl (pauls at utdallas.edu)
Supervisor of Support Services
The University of Texas at Dallas
AVIEN Founding Member
