Security Assessment: Case Studies for Implementing NSA IAM

At this point, we need to discuss what to do with the information that we have discovered. Throughout the process, the assessment team has been collecting information and identifying possible vulnerabilities or weaknesses of the customer s system. Now is the time to begin validating the information. Validation is not a process of taking the word of every interviewee or believing that what the documentation says is actually occurring within an organization. What is more important is to be able to show proof or hard evidence of what is actually occurring within the organization. To do that, we have two options:
Demonstration
Evaluation
Demonstrations are meant to validate what the customer does through observation of their activities. This over-the-shoulder viewing of activities clarifies what was identified during the interviews that may be in conflict with the documentation that was reviewed. Evaluations are meant to provide documented evidence of findings. This is done through the use of tools or scripts or by manually checking systems. The range of tools available to do this is quite large; therefore, we only discuss the use of some of the more popular network scanners and password crackers. Scripts and manually checking systems are individually specific, and expertise in using them is dependent on the assessor. For this reason, we do not provide detailed information regarding the utilization of scripts or manual checks in this book.
Once you have validated the information, what should be left are the findings. Not all...