COURSE 1230 | 2-DAY SESSION
Assessing IT Infrastructure Vulnerabilities
Course Outline
Hands-on In-Class Labs and Case Studies
Seminar attendees will participate in learning activities and case study labs to reinforce the concepts learned in classroom lecture. Group interactive case studies will allow for “real-world” problem solving and sharing. These problem-solving processes can be implemented immediately within your own IT environment as you embark on conducting an internal enterprise vulnerability assessment. Students must bring their laptop to participate in the hands-on labs during this course.
In class you will work with assessment templates, checklists and information resources which you can take with you and incorporate into your company's procedures.
Lab 1: Risk Assessment by the Numbers
Overview: Perform the calculations required to complete an SLE, ARO, and ALE. This information will be used to determine the most effective means to secure critical resources and systems.
Lab 2: Another Approach to Risk Assessment
Overview: Create an OICM and SICM based on the analysis of real-world data. Teams will be established to review sample company documentation.
Lab 3: Pre-Assessment Scope
Overview: Building on the information in Lab 2, each team will develop an acceptable plan of action for its case study company.
Lab 4: Develop Assessment From the Ground Up
Overview: Record and report your initial findings. Teams will be given network documentation and network diagrams that detail their organization's configuration. The team will then be tasked with reviewing this information and reporting an assessment plan.
Lab 5: Assessment Tools
Overview: Review popular tools used in the assessment process. Watch while the instructor demonstrates and reviews scanners, port mappers, vulnerability assessment tools, etc. Nmap, Nessus, N-Stealth, and Core Impact will be reviewed.
Lab 6: Reporting the Results
Overview: Determine the best way to analyze and report your results. This capstone lab will require the teams to complete the vulnerability assessment. Each group will take all the information they have gathered, plus additional documentation, and use it to prepare the final report and recommendations. These formal reports will be presented.
Course Outline
Chapter 1: Why Risk Assessment?
Risk assessments are a critical part of IT security, as they allow an organization to build a secure infrastructure. Depending on what sector your organization is in, you may even be required by law to perform some type of risk assessment.
A. Terminology
- Risk, Threats, and Vulnerabilities
B. The Goals of Security
- Confidentiality, Integrity, Availability
- Security as a Process
- Prevention, Detection, and Response
C. Rules and Regulation
- Cyber laws - US Code 1029 & 1030
- Government Mandates
- Health Insurance Portability and Accountability Act
- Gramm-Leach-Bliley Act
- Sarbanes-Oxley
D. Good Practices
- Warning Banners
- Acceptable Use Policies
E. Understanding the Process
- The role of an assessment
- Assessments vs. Audits
- Goals of the Assessment
- Steps of the Assessment
F. The Goal of the Course
Chapter 2: Risk Assessment Methodologies
A risk assessment can be performed as either a top-down or bottom-up process. This module discusses both types and looks at ways you can determine what is right for your organization. This module also introduces quantitative and qualitative risk assessment methodologies which will give you a good idea of what's involved in planning these types of risk assessments. While the goal of both quantitative and qualitative risk assessments is to estimate an organization's real risk and rank the severity of each, this module will explain the advantages and disadvantages of each.
A. Understanding Risk
- Physical
- Human Error
- Application Error
- Loss of Data
- Attacks Internal / External
- Equipment Malfunction
B. Risk Assessment Methodologies
- Bottom-Up Approach
- Top-Down Approach
C. Choosing the Best Method
D. Introduction to Quantitative Risk Assessment
- Single Loss Expectancy
- Annualized Rate of Occurrence
- Annualized Loss Expectancy
E. Introduction to Qualitative Risk Assessment
- Information Criticality
- System Identification
F. Resources and Documentation
- ISO 17799
- OSSTMM
- NIST Special Publication 800-26
You will perform Lab #1, Risk Assessment by the Numbers, and Lab #2, Another Approach to Risk Assessment, after this section
Chapter 3: Scoping the Project
In this section, you will examine ways you can scope and define your project. You will explore all the activities that must occur before you begin the assessment. Reviewing the timeline of events, defining the scope of the project, and determining what you'll need to get started will be the focus of this module. By the time you finish, you should be prepared to develop a plan of action.
A. IT Infrastructure Assessment Timeline
B. Defining the Scope of Assessment
- Level 1, Assessment
- Level 2, Evaluation
- Level 3, Red Teaming
C. Requesting the Needed Documentation
- IT Security Policies, Standards, Procedures and Guidelines
- Physical IT Infrastructure Documentation
- Administrative Operations and Procedural Manuals
D. Reviewing Critical Information and Systems
- Hardware Maintenance and Warranties
- Software Maintenance and Warranties
- Software and Patch Management Procedures
- IT Infrastructure Software Vulnerability Mappings
E. Staffing the Team
F. Completing the Assessment Questionnaire
G. Preparing the Assessment Plan
- Timeline
- Budget
- Staff
- Schedule
- Documentation Request
- Individual Schedules
H. Putting it all Together
You will perform Lab #3, Pre-Assessment Scope, after this section
Chapter 4: Performing the Assessment
In this chapter, you will review the items that are performed during an actual assessment. You will review methods used to identify weaknesses or vulnerabilities in the system and operations that could potentially be exploited by an attacker or malicious user. This is a critical period in that the team's main focus will be to perform data gathering and validation.
A. Assessment Timeline
B. Interviews
- Techniques
- Non-Attribution
C. System Demonstrations
D. Relationship with other Departments
- Communication
- Understanding the View of other Organizational Units
E. Threat Analysis
- Internal Scanning
- External Scanning
- Network Mapping
F. Physical, Technical, Administrative Control Analysis
G. Developing Recommendations
- Finding the Proper Balance
H. Preparing the Out Briefing
You will perform Lab #4, Develop Assessment From the Ground Up, after this section
Chapter 5: Tools used for Assessments and Evaluations
The objective of this chapter is to review the tools that are commonly used by security professionals.
A. What are Vulnerability Assessment Tools?
B. Vulnerability Assessment Tools
C. Assessing What Security Tools to Use
D. Finding What's Right for Your IT Infrastructure
E. Examples
You will perform Lab #5, Assessment Tools, after this section
Chapter 6: Preparing the Final Report
This chapter's objective is to expand on out-briefing information and to provide recommendations and options for network vulnerabilities that were discovered during the assessment process.
A. Developing the Report
B. Contents of a Good Report
- Executive Summary
- Introduction
- System Description
- Analysis
- Findings
- Discussion
- Recommendations
- Conclusions
C. Determining the Next Step
D. Making recommendations that work within the organizational framework
E. It's not the end
You will perform Lab #6, Reporting the Results, after this section