Security Assessment Case Studies for Implementing the NSA IAM
by Miles, Greg, Russ Rogers, Ed Fuller, Matthew Hoagberg and Ted Dykstra

Syngress 2004.
ISBN 1-932266-96-8, 429 pages. $69.95 Index, appendix.

Reviewed by  Robert Bruen   March 12, 2004 

Security Assessment is a specific approach to security assessment, that of the National Security Agency's Information Assurance Methodology. The NSA created the INFOSEC Assurance Training and Rating Program (IATRP). The courses are taught to anyone who wants to learn the methodology, with an certifying examination at the end for those who want to be providers. Government employees can take the course without cost, but do not get certified. The authors are all from Security Horizon, Inc. The readers who have taken the NSA IAM training course will benefit most. The book augments it with items like staffing and contracts.

The book covers the methods in detail. It starts with the customer, certainly not what the hacker books put first. The methodology which the NSA has developed for the government and extends to the business world is less concerned with hacking and viruses than it is with reproducible results built on policy. When an assessment is conducted, it is not a vulnerability assessment or a coverage test. It all starts with policy, but then you look at procedures, the organization and architecture. The questions are about how is it all set up, but keep in mind it stems from bureaucrats, so it will be more detailed the project plans used by researchers.

The second step is the evaluation. This step includes analysis of the network security hardware, such as firewalls, IDSs, routers, etc. This is more of what the technical folks are probably used to. This step is documentation with an eye to the future. It is always a good idea to have every device on the network completely documented and evaluated, but all too often, it gets left out as things move forward.

The third step is called Red Teaming, a procedure in which a team attacks and tries to penetrate the organization. Not all the difficult attacks will be undertaken, but at least some of the more obvious will be. The technical problems are not as important as the security posture of the organization.

Much of the actual implementation of the process involves the legal side of the house, even more than the technical. Generally the introductory courses to the law involve contracts, and it is the same here. Over the past few months, the pen test lists have seen discussions about legal implications of pen test. The contract is basic document that will govern what happens if an error is made or the outcome is not what the organization's managers were expecting. Miles and company spend time on the contract. Nothing will replace a good lawyer in this situation, but it can only help if you are familiar with how the contract should be set up.

Conducting the assessment will naturally involve talking to people in an interview setting, where you are the interviewer. There are some very good tips on how to conduct the interview, probably extra helpful if you are a geek with no social skills, but lots of tech savvy. In addition to the process, there are cases which mirror a real setting for context. The case approach is common for management work, as are the plans, the schedules and the reports.

This book is recommended for the techies who need to expand their horizons and for those who might be thinking about taking the course. Security assessment is only going to become more popular.