Pre-site Inspection Checklist

Author: Toggmeister (a.k.a Kev Orrey)

Pre-site Inspection
- Introduction
  - Testing organisation history and background.
  - Authority to test, i.e. request from the company, corporate headquarters or a potential buyer of the company.
  - Detailed proposal of the test and the services that are proposed to be carried out.
  - Capability statement of the testing organisation, i.e. core competencies, limitations, timescales etc.
  - Tools to be utilised, if requested.
- Accreditation Status
  - Interim
  - Re-accreditation
  - Full
- Scope of Test
  - Stage of Lifecycle
    - Interim Operating Capability, i.e. development build / beta stage.
    - Final Operating Capability, i.e. project at customer acceptance stage.
    - Major upgrade, i.e. software / hardware update.
  - Test Type
    - Compliance Test
      - Basically an audit of a system carried out against a known criterion. A compliance test may come in many different forms, dependent on the request received, but can basically be broken down into several different types:
        - Operating Systems and Applications: a verification that an operating system and/or applications are configured appropriately to the company's needs and lockdown requirements, thus providing adequate and robust controls to ensure that the Confidentiality, Integrity and Availability of the system will not be affected in its normal day-to-day operation.
        - Systems in development: a verification that the intended system under development meets the configuration and lockdown standards requested by the customer.
        - Management of IT and Enterprise Architecture: a verification that the in-place IT management infrastructure encompassing all aspects of system support has been put in place. This is to ensure that effective change control, audit, business continuity and security procedures etc. have been formulated, documented and put in place.
        - Interconnection Policy: a verification that adequate security and business continuity controls governing the connection to other systems, be they telecommunications, intranets, extranets, the Internet etc., have been put in place, have been fully documented and correspond to the stated customer requirements.
      - Full credentials supplied
      - Full access to network diagrams and schematics
      - Full access to configuration scripts and files
      - Compliant with:
        - Customer defined
        - Government Assurance Pack
        - HIPAA
        - ISO 27001
        - Microsoft lockdown
        - NSA lockdown
        - Sarbanes-Oxley
        - Etc.
    - Vulnerability Assessment
      - Vulnerability assessment is the process of identifying and analysing a system or network for any potential vulnerabilities, flaws or weaknesses that could leave it open to exploitation.
      - Full credentials supplied, or limited to basic user credentials, dependent on the level of test
      - Full access to network diagrams and schematics
      - Full access to configuration scripts and files
    - Penetration Test
      - A penetration test is essentially an evaluation of a system's or network's current state of security and its likelihood of being susceptible to a successful attack by a malicious hacker or nefarious user. The process involves enumeration and scanning for any technical flaws or vulnerabilities. After such flaws are found, attempts are then made to penetrate the network and gain a foothold. Once this has been established, attempts are then made to utilise trusts and relationships to gain further ingress into the domain.
      - Type of Test
        - White-Box
          - The testing team has complete carte blanche access to the network under test and has been supplied with network diagrams and hardware, operating system and application details etc. prior to the test being carried out. This does not equate to a truly blind test, but it can speed up the process a great deal and leads to more accurate results being obtained. The prior knowledge allows the test to target the specific operating systems, applications and network devices that reside on the network rather than spending time enumerating what could possibly be on the network. This type of test equates to a situation whereby an attacker has complete knowledge of the internal network.
        - Black-Box
          - The testing team has no prior knowledge of the company network. An example of this is when an external web-based test is to be carried out and only a website URL or IP address is supplied to the testing team. It would be their role to attempt to break into the company website / network. This equates to an external attack carried out by a malicious hacker.
        - Grey-Box
          - The testing team simulates an attack that could be carried out by a disgruntled, disaffected staff member. The testing team is supplied with appropriate user-level privileges and a user account, and is permitted access to the internal network by relaxation of specific security policies present on the network, i.e. port-level security.
      - Exclusions
        - Social engineering attacks
        - Denial of service attacks etc.
        - See also the Exemptions from test section.
  - Purpose of Test
    - Deployment of a new software release etc.
    - Security assurance for the Code of Connection
    - Interconnectivity issues
    - Deployment of wireless networks on a wired LAN
    - ISO 27001 / HIPAA etc. compliance
- Obtain appropriate network details (dependent on level of test)
  - Peer-to-peer, client-server, domain model, Active Directory integrated
  - Number of servers and workstations
  - Operating system details
  - Major software applications
  - Hardware configuration and setup
  - Interconnectivity and by what means, i.e. T1, satellite, wide area network, leased line, dial-up etc.
  - Encryption / VPNs utilised etc.
  - Role of the network or system
- Obtain signed Authority to Test from:
  - CEO
  - Risk Manager
  - System Manager
  - Data Owners
  - Security Officer
  - Relevant ISP
- Non-Disclosure Agreement
  - Full, i.e. all information in relation to this task cannot be distributed or used in research, training, marketing etc.
  - Limited, i.e. certain information can be used in marketing, training and research scenarios after agreement has been sought from the customer.
  - None, i.e. all information is freely distributable and not under any restrictions whatsoever.
- Special clearances required
  - Government vetting
  - CHECK Team qualified
  - Mastercard certified
- Known waivers / exemptions
  - Known to Risk Manager
  - Risk assessments completed
- Exemptions from test
  - Development builds
  - Joint-owned equipment
  - Laptops
  - Trial applications
  - Unstable hosts
  - Network infrastructure supplied for the test only
- Contractual constraints
  - Are there any Service Level Agreements in place that may affect the scope of the test?
  - Waiver letter required for the test from contractual partners (this document is required in conjunction with the Authority to Test above).
- Local equipment requirement
  - CAT5 taps and speed
  - Fibre taps / converter requirement
  - Local Internet access
    - Filtered
    - Unfiltered
    - Downloads / exports allowed
  - Office space
  - Power available
  - Refreshments
- Local manpower requirement
  - Application administrators
  - Database administrators
  - Network administrators
  - Operating system administrators
- Points of Contact
  - Risk Manager
  - Database Administrator
  - Local Security Officer
  - System Administrator
  - Network Administrator
  - ISP
- Reporting Timescales
  - Normal timescale
  - Locally requested timescale
  - Privacy / commercial protective marking required
  - Distribution list
- Access to previous tests and reports
  - Compliance Test
    - Reason for test
    - Who carried it out
    - When it was carried out, and whether any rectification work was completed
    - Release timescale
      - Start of test: this is important for a compliance test, as previous failings can immediately be re-tested and verified as secured or still vulnerable to exploit etc.
      - During test
      - End of test
  - Vulnerability Assessments
    - Reason for test
    - Who carried it out
    - When it was carried out, and whether any rectification work was completed
    - Release timescale
      - Start of test
      - During test
      - End of test
    - This can be important during a vulnerability assessment, as it can be used as a guide to how the network has progressed from the time of the last test to the current period. Release of this by the customer may not be in their best interests, as it is best to have an independent team assess all vulnerabilities. The customer can then also assess the overall performance of the testing team and thus its value for money in conducting the test.
  - Penetration Tests
    - Reason for test
    - Who carried it out
    - When it was carried out, and whether any rectification work was completed
    - Release timescale
      - Start of test
      - During test
      - End of test
    - Appropriate comment should be made in the final report on the receipt of these documents and at what point during the test they were received. This provides mitigation points, as the information gained is privileged and was used to gain an unfair advantage in potentially accessing the network. Obviously, if the documents were made available only after the test, less weight would be given to them in the final report, as they would only be used for reference. This can severely disadvantage the customer, as they are potentially disclosing exploitable holes within their network infrastructure. The opposite point of view is that the testing team will verify any fixes that have taken place, or that the exploitable hole still exists and still needs attention to mitigate or close. From the customer's perspective, if an exploitable hole is not discovered it can give an indication that the exploit could possibly be risk assessed and managed.
- Physical inspection
  - Major work areas where the majority of users utilise the equipment.
  - Network equipment room where all routing infrastructure is housed and secured.
  - Server room, if different from the network equipment room.
  - Testing team's planned area of work.