Security Assessment Service: Analyze Network Security Performance

by John Chan

You may be aware of the heightened alerts for computer security measures from recent press reports. Hackers are using all sorts of sophisticated means to gain illegal access to computer systems, to capture electronic IDs and passwords, to steal electronic data, and/or to launch denial of service attacks on a particular system. In our University, extensive services and information are now available electronically. It is thus of paramount importance that effective security measures and practices be applied regularly, and that a holistic approach to the problem be taken, taking into consideration all kinds of threats, both established and novel, and all the defenses, whether technical, organizational, or human. It must be emphasized that security is the responsibility of the organization as a whole, not just a single department or individual staff member. It requires coordination from the whole community, and everyone must follow well-defined security processes.

Risks arise from threats, vulnerabilities and their potential impact upon the organization. Security threats can come from a variety of sources; criminals, hackers and users are the obvious ones. In general, there are five kinds of threats: improper behavior, fraud and theft of information, damage to systems and data, access control, and legal threats. To address these threats and mitigate the risks they represent to the organization, an effective and robust security program is needed.

As part of this security program, the Computing Services Centre (CSC) will proactively and periodically review and assess the CityU IT infrastructure, the security policies and processes, and the configurations of the systems and networking equipment that connect to our campus network, CTNET. This Security Assessment Service (the "Service") will evaluate the effectiveness of technical controls in protecting the information assets of the whole organization as well as of individual departments.

The Service will comprise an overall and complete low-level security assessment of the current technical environment, including the perimeter and Internet environment and the internal network and systems, in order to identify potential vulnerabilities that would allow an unauthorized attacker to gain access to the systems or otherwise cause financial or reputational damage to the University. In general, the following security areas will be dealt with: security documentation, physical security, IT infrastructure design, authentication, authorization, auditing, data privacy, change management, and people management. To effectively collect information on these areas, the following approaches will be taken throughout the Service:

  1. Physical site visit
  2. Infrastructure design review
  3. Network-based assessment, which will include name server/network equipment scanning and cross-network segment scanning
  4. Host-based assessment, which deals with the baseline configuration of the servers
  5. Network device assessment, which deals with the baseline configuration of the routers and/or switches
  6. Wireless LAN test, which includes the detection of unauthorized access points and the analysis of the encryption key strength
  7. Web application security assessment

To minimize impact on all running systems, all data collection will be carried out using non-disruptive scanning and tests, and, as far as possible, no agent software will be installed on systems. Upon analysis of the data collected, the main deliverables will include a statement on the baseline of risks resulting from possible threats, a listing of all the vulnerabilities discovered, and recommendations regarding the overall assessment.

To effectively manage the data being collected, the CSC will conduct the Service in stages, normally with a single department or a group of departments grouped by network segment. We will announce the exact schedule in due course, and your cooperation during the data collection stages is much appreciated.