1. Security Assessment Report (12 pages)
Conduct a Security Analysis Baseline (3 of 12 ages)
Security requirements and goals for the preliminary security baseline activity.
Typical attacks to enterprise networks and their descriptions. Include Trojans, viruses, worms, denial of service, session hijacking, and social engineering.
Include the impacts these attacks have on an organization.
Network infrastructure and diagram, including configuration and connections
Describe the security posture with respect to LAN, MAN, WAN, enterprise.
Network infrastructure and diagram, including configuration and connections and endpoints.
What are the security risks and concerns?
What are ways to get real-time understanding of the security posture at any time?
How regularly should the security of the enterprise network be tested, and what type of tests should be used?
What are the processes in play, or to be established to respond to an incident?
Does the security workforce have the requisite technical skills and command of the necessary toolsets to do the job required?
Is there an adequate professional development roadmap in place to maintain and/or improve the skill set as needed?
Describe the ways to detect these malicious code and what tactics bad actors use for evading detection.
In the network diagram: include the delineation of open and closed networks, where they co-exist.
In the open network and closed network portion, show the connections to the Internet
Physical hardware components. Include routers and switches. What security weaknesses or vulnerabilities are within these devices?
Discuss operating systems, servers, network management systems.data in transit vulnerabilities
endpoint access vulnerabilities
external storage vulnerabilities
virtual private network vulnerabilities
media access control vulnerabilities
Possible applications. Current and future mobile applications and possible future Bring Your Own Device policy.
Provide the methods used to provide the protections and defenses.
From the identification of risk factors in the risk model, identify the appropriate security controls from NIST SP 800-53A and determine their applicability to the risks identified.
Determine a Network Defense Strategy 2/12 pages
Outline how you would test violations.
Identify how you will assess the effectiveness of these controls and write test procedures that could be used to test for effectiveness.
Write them in a manner to allow a future information systems security officer to use them in preparing for an IT security audit or IT certification and accreditation.
Explain the different testing types (black box testing, white box testing).
Plan the Penetration Testing Engagement 2/12 pages
Include all involved processes, people, and timeframe.
Develop a letter of intent to the organization, and within the letter, include some formal rules of engagement (ROE)
Conduct a Network Penetration Test 4/12 pages
After finding the security issues within the network, define which control families from the NIST 800-53 are violated by these issues.
Explain in the SAR why each is a violation, support your arguments with a copy of your evidence
Provide suggestions on improving the security posture of these violations.
Complete a Risk Management Cost Benefit Analysis 1/12 pages
Complete your SAR with a risk management cost benefit analysis. Think about the cost of violations and other areas if you do not add the controls. Then add in the cost for implementing your controls.