User Device Assessment
Summary
This component allows the auditor to assess the security of the individual devices on the network. This component consists of interviews, surveys, and inspection of devices.
Purpose
Compromised devices have the ability to undermine nearly any other organizational attempt at securing information. Knowing if devices receive basic software and security upgrades and what core protections against unauthorized access exist is vital to designing a strategy to make the host more secure.
The Flow Of Information
Guiding Questions
- What work and personal devices do staff use to accomplish their work, store work related files, or engage in work communications?
- What organizational and external/personal services do staff use to accomplish their work, store work related files, or engage in work communications?
- What are the organizational processes that staff take part in and the tools and communication channels that are used in those process'?
- What are the existing in/formal security practices that the participants use to address risks.
Approaches
- Conduct a Hands on Device Interview/Audit: Inspect and record information on user devices (work & personal) for security concerns (patch levels, user privileges, drive encryption, ports/services running, anti-virus capabilities)
- Password User Survey: Have staff take the password use survey for ALL devices used for work. 1,2
- A Day In the Life: Have staff walk you through a usual "day in their life" showing you what devices they use, how they use them, and what data they have to interact with to conduct their work.
Outputs
- List of all assets in the organization and whom they belong to.
- List of software running on staff devices.
- List of known vulnerabilities, and identifiable malware, that the office is vulnerable to.
- List of malware found by running updated anti-virus on office computers (if anti-virus installed during device inspection.)
Operational Security
- Treat device assessment data as well as any additional service information learned with the utmost security
Preparation
Baseline Skills
- Basic systems administration experience for common operating systems
Resources
Guidelines: "Guidelines on Firewalls and Firewall Policy" (NIST 800-41)
Benchmarks: "Security Configuration Benchmarks" (CIS Security Benchmarks)
Repository: "National Checklist Program Repository - Prose security checklists" (National Vulnerability Database)
Security Guidance: "Operating Systems Security Guidance" (NSA)
Password Security
Guide: "How to Teach Humans to Remember Really Complex Passwords" (Wired)
Guide: "Security on Passwords and User Awareness" (HashTag Security)
Video: "What’s wrong with your pa$$w0rd?" (TED)
Article: "Password Security: Why the horse battery staple is not correct" (Diogo Mónica)
Organization: "Passwords Research" (The CyLab Usable Privacy and Security Laboratory (CUPS))
Privilege Separation Across OS
- identify what privileges services are running as
- identify is the admin user is called admin or root
- Identify if users are logging in and installing software as admin.
Examining Firewalls Across OS
- Checklist: "Firewall Configuration Checklist." (NetSPI)
Identifying Software Versions
Device Encryption By OS
- Identifying if a device is using encryption by OS
- Encryption availablility by OS
- Encryption Guides
Anti-Virus Updates
Identifying Odd/One-Off Services
Activities
undefined
