Org/User Device Assessment Method

[joncamfield]

We currently have a User Device Assessment method, a Network Mapping method, and a Vulnerability Scanning method. As has been discussed in a few fora, part of the "MVA" process @kakron has been working on, and visible as a need from @hackatom 's work -- this is a bit of a mess.

I think we either broaden User Device Assessment evolves to an "organizational device assessment" to not limit it to user devices, OR to create a parallel org device assessment method which is scoped to look for both other devices the org is using, both internal to their network and hosted. This would allow us to still expand user device assessment and better cover home networks, BYODs, personal devices with org data, etc. Some activities are inevitably going to overlap (nmapping works well for public-facing services and for org network exploration/mapping), but we should aim to scope as clearly as possible.

Org Device Assessment

• Mapping of internal org networks (if exist)
• Scanning of hosted services/public facing IPs (heavily caveated)
• Web vulnerability scanning (a more focused approach)
• Server patch/configs/hardening
• Vulnerability scanners (re-work existing method?)

User Device assessment

• Also using mapping to cross-verify user devices on the work network
• Existing exercises to explore and verify user practices - installed programs, common uses
• Expanding to also support remote workers, decentralized offices, community-level security, BYOD?
• Network traffic analysis (from mapping method)

[hackatom]

I think moving "device assessment" method into Org/system analysis method, along with "network mapping", "vulnerability scanning", is a more straight forward approach rather than having another device assessment method. Since we currently have "network mapping" and "vulnerability assessment", we can move all this into Org/System analysis method. These 3 methods, "network mapping", "vulnerability scanning" and "org/user device assessment" are all part of the 1st and 2nd stage of penetration testing (Planning and recon, and scanning) ref: https://www.incapsula.com/web-application-security/penetration-testing.html, in which, makes a single flow of method, which then results can used for either for pentesting stage, or for risk assessment.

[joncamfield]

I want to balance between having things which go together actually go together, without overloading any one method.

I think a more nuanced and constrained user device assessment may still be useful -- maybe more aimed at user behavior outside the control of IT systems (e.g. not upgrades, covered in org device assessment, but browser plugins, self-installed apps/applets, user password management, etc.

I do think network mapping is folded in, as it becomes irrelevant for decentralized organization and less relevant for multi-office organizations. Alternatively, we could merge the network-focused pieces into one optional network method and cross-reference the useful bits from other methods

Similarly, vuln scanning may be another mostly-cross-referenced method. As hosted infrastructures are increasingly common, fewer orgs have internet-reachable servers they are responsible for. While a good defense in depth would still double-check internal servers and public IPs of an org's offices, is this something every -- or even most -- SAFETAG audits will get in to?

[hackatom]

Having one "assessment" for that type of area, and the type of organization that fall into the "multi-office" and those category might be perfect. (The one-time scan-all in-house assessment won't work in these kind of setup, plus, vuln-scans it won't get through all the details of the users, such as plugins, applets etc) From my recent assessment, I ended up sending them links (most of the staff works remotely) from Belarc Advisor: https://www.belarc.com/products_belarc_advisor Which only works with Windows OS.

With other systems, Like Linux, I use Lynis: https://cisofy.com/lynis

And for browsers: https://browsercheck.qualys.com

Still though wasn't able to "catch" all plugin details.

[blazman]

Came to this issue independently then did a search of past issues to see if it had already been discussed! I agree with the need to re-organize, but as it stands the Org Device Usage and User Device Assessment are almost identical methods and activities. I'm inclined to just hide the User Device Assessment until a clearer solution is found.