Found 'em... last year's questionnaire with tests.
-------- Original Message --------
Control 1: Inventory of Authorized and Unauthorized Devices
Questions:
Do you have a current inventory of authorized and unauthorized devices
on your network?
if yes, Does the inventory include all IT resources on campus?
Do you have a control in place to detect new devices on the network?
if yes, What controls are in place?
if yes, What areas of your network have this control in place?
if yes, Do the controls in place require that a device
authenticate itself before being allowed access?
if no, how is device authentication handled or managed?
Tests:
Obtain a copy of all authorized device IPs on the network. Perform
a network scan to verify against the same authorized devices and
show/score discrepancies.
Attach an unauthorized device onto an important subnet and show
verification that this device would be detected and tracked down.
Randomly generate spoofed MAC addresses and/or IP addresses on the
important subnet to try and bypass ARP watching capabilities.
Designate a sample segment
Obtain logical inventory of sample segment
Physical audit sample of asset inventory
Logical/Network audit of sample of asset inventory
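One way to carry out the first Control 1 test (authorized IP list versus a scan of the sample segment, with discrepancies scored). This is an added example, not part of the questionnaire; the inventory, scan results and scoring weights are all constructed/assumed.

```python
# Added example (not part of the questionnaire): score a segment scan against
# the authorized inventory, as Control 1's first test asks. All data below is
# constructed; a real run would load the asset database and an ARP/ping sweep.
from dataclasses import dataclass, field

# Constructed authorized inventory for the sample segment: IP -> (MAC, asset tag)
AUTHORIZED = {
    "10.20.0.10": ("00:11:22:33:44:10", "lib-print-01"),
    "10.20.0.11": ("00:11:22:33:44:11", "lib-ws-02"),
    "10.20.0.12": ("00:11:22:33:44:12", "lib-ws-03"),
}

# Constructed scan of the same segment: IP -> MAC actually seen on the wire
SCAN = {
    "10.20.0.10": "00:11:22:33:44:10",  # matches inventory
    "10.20.0.11": "de:ad:be:ef:00:01",  # authorized IP, unexpected MAC
    "10.20.0.50": "aa:bb:cc:dd:ee:50",  # not in inventory at all
}

@dataclass
class Discrepancies:
    unauthorized: list = field(default_factory=list)  # on the wire, not in inventory
    missing: list = field(default_factory=list)       # in inventory, not seen
    mac_mismatch: list = field(default_factory=list)  # authorized IP, different MAC

    def score(self) -> int:
        # One point per discrepancy; a MAC mismatch counts double (assumed weight)
        # because it may be address spoofing or an unrecorded hardware swap.
        return len(self.unauthorized) + len(self.missing) + 2 * len(self.mac_mismatch)

def compare(authorized: dict, scan: dict) -> Discrepancies:
    d = Discrepancies()
    for ip, mac in scan.items():
        if ip not in authorized:
            d.unauthorized.append((ip, mac))
        elif authorized[ip][0].lower() != mac.lower():
            d.mac_mismatch.append((ip, authorized[ip][1], authorized[ip][0], mac))
    for ip, (mac, tag) in authorized.items():
        if ip not in scan:
            d.missing.append((ip, tag))
    return d

if __name__ == "__main__":
    result = compare(AUTHORIZED, SCAN)
    for kind in ("unauthorized", "mac_mismatch", "missing"):
        for entry in getattr(result, kind):
            print(f"{kind:13} {entry}")
    print("discrepancy score:", result.score())
```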
Control 2: Inventory of Authorized and Unauthorized Software
Questions:
Do you have a list of authorized software that is required in the
enterprise for each type of system, including servers, workstations, and
laptops of various kinds and uses?
Do you have a software inventory tool that monitors for unauthorized
software installed on each machine?
Tests:
Place an unauthorized, benign program on a managed machine.
Evaluate whether an alert is generated and acted upon.
Control 3: Secure Configurations for Hardware and Software on Laptops,
Workstations, and Servers
Questions:
Does the institution use a secure base configuration for hardware and
software in one or more of the following categories: Institution owned
Laptops, Workstations, Servers?
If Yes, What resources or references do you use to establish the
baseline security configurations? (e.g. Websites, Organizations,
Internal Recommendations)
What are the top security mechanisms employed in these configurations
for each device type? (e.g. Anti-virus, Host based Firewall, etc.)
Is the process of deploying secure configurations automatic and/or
enforced centrally?
How often are the secure configurations updated?
Tests:
Provide a workstation with a standard security configuration for review.
Provide a server with a standard security configuration for review.
Examine configuration for vulnerabilities and misconfigurations
inconsistent with industry standards.
Validate all software is patched.
Validate OS is securely configured.
Validate a number of deployed sample machines for compliance with
standard configuration.
Control 4: Continuous Vulnerability Assessment and Remediation
Questions:
Do you have a vulnerability assessment scanning process?
if yes, what tools are used to perform this process?
if yes, what percentage of the institution owned devices are
scanned?
Do you have a policy in place to remediate the scan results?
if yes, how are remediation processes handled? (vulnerability-based,
network/device-based, etc.)
if yes, are there time constraints associated with the severity
of the need to remediate?
if yes, are the remediated devices documented and tracked?
if no, how are vulnerabilities managed/contained within the
organization?
Tests:
Perform an external vulnerability scan on all of the campus public
routed networks.
Perform an internal vulnerability scan of a sample of campus networks
from an internal network.
If a scanning network is in place, scans should be performed from
this network.
Otherwise scan from a reasonable, readily accessible vantage point.
Control 5: Malware Defenses
Questions:
Do you have a malware management solution deployed?
Is the solution mandatory for all machines?
Is the solution centrally managed?
Do you have a procedure for addressing malware incidents?
Test:
Deploy a piece of test malware, follow the detection and response chain.
Control 6: Application Software Security
Scope:
Web facing applications
Questions:
Do you perform monthly/quarterly application vulnerability scans?
Do you utilize Web Application Firewalls/Proxies?
Tests:
Validate scan results using a similar scanning tool.
Verify that WAF is installed between applications and users.
Control 7: Wireless Device Control
Questions:
Do you detect rogue access points? How?
Tests:
Stand up AP with unrelated SSID, follow detection chain.
Stand up AP with related SSID, follow detection chain.
Control 8: Data Recovery Capability
Questions:
Are backups created on a regular basis of critical systems?
Do these backups include the operating systems, application software, and
data components of these systems?
What media is used?
Does this media have appropriate physical protection and encryption?
Tests:
Select a sample of critical systems identified by the institution as
being backed up. Verify backups are taking place at a reasonable
interval, are restorable, and protected appropriately.
Control 9: Security Skills Assessment and Appropriate Training to Fill Gaps
Questions:
Do you have a security training or awareness program?
if yes, is this program a mandatory requirement for all faculty,
staff and students?
Do you perform any periodic exercises to sample the effectiveness of
security awareness?
if yes, how are these exercises performed? (phishing, social
engineering, etc)
if yes, are the exercises and results tracked and documented for
reference?
Test:
Perform various social engineering exercises such as phishing, leaving
out USB sticks with malicious files, etc.
Control 10: Secure Configurations for Network Devices such as Firewalls,
Routers, and Switches
Questions:
Do you centrally manage network infrastructure configurations?
if yes, do you monitor for authorized or unauthorized changes?
Do the device configurations follow a security best practices template?
Do you have IPv6 enabled on networking infrastructure?
if yes, do the IPv6 controls follow the same controls as IPv4?
Test:
Obtain network device config and audit for compliance with industry best
practices.
Demonstrate a network device change and audit the resulting documentation.
Control 11: Limitation and Control of Network Ports, Protocols, and Services
Questions:
Are host-based firewalls or an equivalent control in place for all
critical servers and where appropriate, critical end-user / workstation
network segments?
Do the host-based firewalls log traffic? To a central log repository?
Do you have a system or process to check for unauthorized services
opened on critical servers and workstations?
Test:
Select a sample of critical servers and workstations and verify that a
host-based firewall or equivalent is in place and configured
appropriately to only allow access to authorized services.
Compare vulnerability assessment scans against an authorized service
list for critical servers and workstations.
Control 12: Controlled Use of Administrative Privileges
Questions:
A. Do you have automated tools to inventory all administrative accounts
and validate that each person with administrative privileges on
desktops, laptops, and servers is authorized?
B. Do you have an enforceable password policy?
C. Before deploying any new devices to the network, do you change all
default passwords for applications, operating systems, routers,
firewalls, wireless access points, and other systems to a
difficult-to-guess value?
D. Do you configure all administrative-level accounts to require regular
password changes? How often?
E. Do you ensure that all service accounts have long and
difficult-to-guess passwords that are changed on a periodic basis, as is
done for traditional user and administrator passwords, at a frequent
interval?
F. Are passwords for all systems stored in a well-hashed or encrypted
format, with weaker formats such as Windows LANMAN hashes eliminated
from the environment?
G. Are the files containing these encrypted or hashed passwords, which
systems need to authenticate users, readable only with superuser privileges?
H. Do you ensure that administrator accounts are used only for system
administration activities, and not for reading e-mail, composing
documents, or surfing the Internet, i.e. web browsers and e-mail clients
are configured to never run as administrator?
I. Through policy and user awareness, do you require that administrators
establish unique, different passwords for their administrator and
nonadministrative accounts?
J. Do you configure passwords so that they cannot be re-used within a
certain timeframe, such as six months?
K. Do you audit the use of administrative privileges for anomalous behavior?
L. Do you use two-factor authentication for high level administration
activities, such as Domain administration?
Test:
Create a temporary, disabled, limited privilege test account on a sample
of systems and then attempt to change the password on the account.
Add a temporary disabled test account to a superuser group (such as a
domain administrator group) to verify the review, auditing and reporting
on this account.
Run a script that determines which browser and e-mail client programs
are running on a sample of systems, including clients and servers. Any
browsers or mail client software running with Windows administrator or
Linux/Unix UID 0 privileges must be identified.
If the institution claims that all stored passwords conform to the
password policy, audit a statistically significant sample of password
hashes.
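The Control 12 test script that identifies browsers and mail clients running with Linux/Unix UID 0, as an added example that is not part of the questionnaire. The process listing is a constructed sample in `ps -eo uid,user,pid,comm` format, and CLIENT_PROGRAMS is an assumed list of client program names to be extended for the software actually deployed.

```python
# Added example (not part of the questionnaire): the Control 12 test script that
# finds browsers and mail clients running as UID 0 on a Linux/Unix host. The
# listing below is a constructed sample in `ps -eo uid,user,pid,comm` format;
# CLIENT_PROGRAMS is an assumed list to be extended for the software deployed.
import subprocess

# Assumed browser / mail-client process names. Note `comm` is truncated to 15
# characters on Linux, so long names must be listed in their truncated form.
CLIENT_PROGRAMS = {"firefox", "chrome", "chromium", "thunderbird", "evolution", "mutt"}

# Constructed sample listing, same columns as `ps -eo uid,user,pid,comm`.
SAMPLE_PS = """\
  UID USER       PID COMMAND
    0 root         1 systemd
    0 root       812 sshd
 1000 alice     2210 firefox
    0 root      2388 thunderbird
 1001 bob       2401 evolution
    0 root      2512 chromium
"""


def parse_ps(text: str) -> list:
    """Return (uid, user, pid, comm) tuples, skipping the header line."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 3)
        if len(parts) == 4:
            uid, user, pid, comm = parts
            rows.append((int(uid), user, int(pid), comm))
    return rows


def find_privileged_clients(rows: list) -> list:
    """Browsers/mail clients with effective UID 0: each is a finding under the
    'administrator accounts are for administration only' requirement."""
    return [r for r in rows if r[0] == 0 and r[3] in CLIENT_PROGRAMS]


def live_ps() -> str:
    """Capture a real listing when run on a host instead of the sample."""
    return subprocess.check_output(["ps", "-eo", "uid,user,pid,comm"], text=True)


if __name__ == "__main__":
    for uid, user, pid, comm in find_privileged_clients(parse_ps(SAMPLE_PS)):
        print(f"FINDING: {comm} (pid {pid}) running as {user} (uid {uid})")
```

To audit a live system, replace SAMPLE_PS with live_ps() in the main block.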
Control 13: Boundary Defense
Questions:
Do you maintain a firewall at your network border?
Is any additional network segmentation in place once past the network
perimeter (i.e. how are you squishy on the inside?)
Have you implemented URPF or other mechanisms at your network perimeter
to prevent spoofing on ingress and egress network traffic?
Have you deployed an IDS/IDP at your border?
Do you collect network flows or logging of network traffic at your
perimeter? How long do you retain logs?
Test:
Attempt to send internal-source spoofed ICMP/UDP packets from an
external network source to the strike package. Verify that the packets
are blocked. Attempt to send an internal-spoofed ICMP/UDP packet from
another segment of the internal network to the strike package. Verify
whether the packet arrives.
Attempt to send a bogon sourced packet from outside the institution
network border.
Generate traffic or an attack against a live host/service that should
fire an alert or a block on a reasonably configured IDS/IDP system.
Verify that traffic is blocked at the time of the attack or provide
ISO/network staff with a time stamp and attack source and ask them to
provide a copy of any alerts generated by the IDS system.
Generate traffic that should be blocked by a network border firewall or
an internal network segment boundary. Verify that these packets are
being blocked, and that netflows and/or firewall logs are being generated.
Control 14: Maintenance, Monitoring, and Analysis of Security Audit Logs
Questions:
Are all critical hosts and infrastructure logging appropriately to a
remote host?
Test:
Verify a sample of the historical logs.
Control 15: Controlled Access Based on the Need to Know
Questions:
A. Do you have a policy on classifying data based on the impact of
exposure of the data?
B. Do your file shares have defined controls (such as Windows share
access control lists) that specify at least that only “authenticated
users” can access the share?
C. Is your network segmented based on the trust levels of the
information stored on the servers?
Test:
Create two test accounts each on sample systems, both client and server
systems.
- For each system evaluated, one account must have limited privileges,
while the other must have privileges necessary to create files on the
systems.
- Evaluate whether the nonprivileged account is unable to access the
files created for the other account on the system.
- Verify whether this generates any alerts.
Control 16: Account Monitoring and Control
Questions:
A. Do you review system accounts and disable any account that cannot be
associated with a business process and owner?
B. Do you have an automated report that includes a list of locked-out
accounts, disabled accounts, accounts with passwords that exceed the
maximum password age, and accounts with passwords that never expire?
C. Do you have a process for revoking system access by disabling
accounts immediately upon termination of an employee or contractor?
D. Do you regularly monitor the use of accounts, automatically logging
off users after a standard period of inactivity?
E. Do you monitor account usage to determine dormant accounts that have
not been used for a given period?
F. When a dormant account is disabled, do files associated with that
account get encrypted and moved to a secure file server for analysis by
security or management personnel?
G. Are nonadministrator accounts required to have a minimum length of 12
characters, contain letters, numbers, and special characters, and
periodically changed, have a minimal age of one day, and not be allowed
to use the previous 15 passwords as a new password?
H. After eight failed log-on attempts within a ___-minute period, do
your accounts lock out for a period of time? How long?
I. Do you monitor attempts to access deactivated accounts?
Test:
Verify that the list of locked-out accounts, disabled accounts, accounts
with passwords that exceed the maximum password age, and accounts with
passwords that never expire has successfully been completed on a daily
basis for the previous 30 days by reviewing archived alerts and reports
to ensure that the lists were completed.
In addition, a comparison of a baseline of allowed accounts must be
compared to the accounts that are active in all systems. The report of
all differences must be created based on this comparison.
Control 17: Data Loss Prevention
Questions:
A. Do you deploy approved hard drive encryption software to mobile
machines that hold sensitive data?
B. Do you analyze outbound traffic looking for anomalies?
C. Do you monitor perimeters for certain sensitive information (i.e.,
personally identifiable information), keywords for unauthorized attempts
to exfiltrate data across network boundaries?
D. Do you conduct periodic scans of server machines using automated
tools to determine whether sensitive data (i.e., personal identity,
health, credit card, and classified information) is present on systems
in clear text?
E. Do you use secure, authenticated, and encrypted mechanisms to move
data between networks?
F. Is data stored on removable and easily transported storage media such
as USB tokens (i.e., “thumb drives”), USB portable hard drives, and
CDs/DVDs encrypted automatically without user intervention?
Test:
Attempt to transfer large data sets across network boundaries from an
internal system.
Attempt to transfer test data sets of personally identifiable
information (that trigger DLP systems but do not contain sensitive data)
across network boundaries from an internal system (using multiple
keywords specific to the business).
Attempt to maintain a persistent network connection for at least 10
hours across network boundaries between an internal and external system,
even though little data may be exchanged.
Attempt to maintain a network connection across network boundaries using
an anomalous service port number between an internal and external system.
Insert a USB token into an organization system and attempt to transfer
example test data to the USB device.
Control 18: Incident Response Capability
Questions:
Do you have an incident response plan?
Has it been documented and tested?
Test:
Examine incident response plan against incident standards.
Examine documentation of a previous incident response.
Control 19: Secure Network Engineering
Questions:
Do you have proper network maps?
Is your network segmented based on use and sensitivity?
Are your sensitive or regulated networks segmented from the general
network? (PCI, HIPAA)
Test:
Review the external vulnerability scan and review access to a sample of
internal networks.
Review network maps for proper segmentation.
Control 20: Penetration Tests and Red Team Exercises
Questions:
Do you perform monthly/quarterly penetration tests on your systems?
Test:
Examine previous pen-test results and compare against industry standards.
Spot check pen-test results for accuracy.