Results Summary Survey on IT Security Tools and Techniques - PowerPoint PPT Presentation
1
Results Summary: Survey on IT Security Tools and Techniques
  • Robert W. Cobb
  • and Staff
  • National Aeronautics and Space Administration
  • IT Roundtable
  • 25 March 2003

2
Survey Questionnaire Developed to
  • Gain an understanding of how various OIGs are
    assessing their IT vulnerabilities
  • Collect information on successful IT tools and
    techniques
  • Facilitate the exchange of ideas and experiences
    regarding IT security/vulnerability audits and
    evaluations

3
About the Respondents
  • Questionnaires were sent to PCIE/ECIE members.
  • We received 26 responses from a variety of OIGs.

4
Results: Assessing Vulnerability
  • Vulnerability Assessments as Performed by OIGs
  • 25 OIGs performed some level of vulnerability
    assessment, with the level varying widely.
  • 22 used contractors for at least some level of
    assistance.
  • 3 performed all the work in-house.

5
Results: Assessing Vulnerability (cont.)
  • Penetration Tests as Performed by Agencies or
    Departments
  • 19 perform penetration tests.
  • 15 contracted this work out.
  • OIGs oversaw the work of 18 Agencies or
    Departments performing penetration testing.

6
Results: Assessing Vulnerability (cont.)
  • Most OIG offices reported no major resistance
    to vulnerability assessments being conducted,
    although the potential for disruption of
    operations was the most common objection.
  • Many noted that rules of engagement were
    established prior to the initiation of tests.

7
Results: Assessing Vulnerability (cont.)
  • Best Practices
  • Share your assessment plan.
  • Be sensitive to operational concerns.
  • Invite auditees as observers.
  • Share assessment results.

8
Results: Successful Assessment Tools
  • ISS Internet Scanner, Nessus, NMAP, Superscan,
    and Solarwinds (dozens more cited).
  • ISS Internet Scanner touted for its excellent
    reporting capabilities, ranks vulnerabilities,
    and provides mitigation techniques.

9
Results: COTS Products Versus In-house Proprietary Tools
  • OIGs reported heavy use of commercial
    off-the-shelf (COTS) products.
  • Many used freeware and shareware as well as COTS
    products.
  • Few used in-house proprietary tools.

10
Results: Other Successful Tools and Techniques
  • Interviews are used extensively to facilitate
    system reviews. Discussions often foster close
    rapport and honest discussion, which helps point
    to weaknesses and vulnerabilities for which to
    test.
  • Many report using guidance provided by the
    National Institute of Standards and Technology.

11
Results: OIG Vulnerability Assessment Working Trends
  • Several have staff devoted exclusively to
    conducting vulnerability assessments or to
    overseeing contractors.
  • Most have staff who spend at least some of their
    time working on vulnerability assessments.
  • While a few OIGs are hiring vulnerability
    assessment employees, staff size is generally
    expected to remain static, with contractors
    being added as needed for penetration testing.

12
Results: OIG Personnel Utilized for Vulnerability Assessments
  • Most used a combination of the personnel listed
    below.
  • A large majority employ GS-511 Auditors.
  • Over half use Information Technology Specialists
    (GS-2210).
  • A few utilize Management Analysts (GS-343).

13
Results: Most Recommended/Attended Vulnerability Assessment Training
  • The SANS Institute
  • MIS Training Institute
  • IGATI
  • USDA Graduate School
  • Learning Tree
  • Canaudit

14
Contacts for This Survey
  • David M. Cushing
  • (202) 358-2572
  • David.M.Cushing@nasa.gov
  • Dana Mellerio
  • (202) 358-0271
  • Dana.M.Mellerio@nasa.gov