The article discusses NIST Special Publication 800–115, an internationally recognized security standard that outlines how to plan and conduct technical security assessments, analyze findings, and develop mitigation strategies. It covers practical security techniques to measure and enhance the security of systems and networks, offering guidance for effective network security audits.

What are technical security assessments?

A good explanation of technical security assessments should highlight the key purpose and benefits in simple, relatable terms while emphasizing their practical importance. It should feel approachable and practical, focusing on real-world applications.

Security assessments help organizations understand where their systems are vulnerable and suggest ways to improve. They're not a replacement for security controls, but rather a way to ensure those controls are working properly. Regular checkups, whether quarterly or annually, give valuable insights into the current security status and help track progress in fixing issues. By consistently conducting these assessments, organizations can stay ahead of potential threats and improve their overall security.

Who this article is for

This article is perfect for anyone responsible for understanding the security of their systems and networks

whether you're a

1. security analyst,
2. consultant,
3. engineer,
4. manager,
5. IT administrator, or
6. program manager.

If you're preparing for a security audit and want to be fully prepared, you'll find it helpful. While some technical details are covered, having a basic understanding of system and network security will make things easier.

Familiarity with concepts like TCP/IP, IP addressing, subnetting, and how devices like switches, routers, and firewalls work will help you get the most out of it.

Develop a Technical Security Assessment Methodology

Having a clear, well-documented security assessment methodology is key to staying organized and consistent. It helps ensure you're testing thoroughly, without missing anything important, and makes it easier to track improvements over time. A good methodology covers planning, execution, and post-assessment activities, from gathering information about assets and vulnerabilities to analyzing findings and planning mitigation.

Regularly updating your approach keeps it relevant, and using trained staff and familiar tools can save time and reduce costs.

Referencing established frameworks like NIST 800–115 and 800–53A is a great way to build a solid foundation.

Overview of Technical Security Assessment Techniques

Security assessments can be broken down into three main techniques: review, target identification and analysis, and target vulnerability validation. Review techniques involve manual checks of systems, networks, and policies to ensure they meet security standards, like reviewing configurations and network documentation. Target identification and analysis use tools to discover vulnerabilities through network scanning and other automated methods. Finally, target vulnerability validation confirms identified weaknesses through methods like password cracking and penetration testing. Each technique plays a crucial role in thoroughly assessing the security of systems and networks.

Select your Testing Viewpoint

When conducting technical security assessments, it's important to choose the right perspective for testing, as this impacts the methods and techniques used. You can approach assessments from an external viewpoint, simulating attacks from outside your network, or from an internal one, mimicking the actions of a malicious insider. Testing can also be overt, where IT staff are aware and can learn from the process, or covert, done in secret to simulate a real attack. Each perspective has its pros and cons, so selecting the right one depends on your security goals and needs.

Pick the right technical security assessment

Let's put your knowledge to the test with two scenarios.

In the first scenario, your boss wants you to assess how vulnerable your organization is to an internet-based hacker attack, but you need to simulate the attack without alerting IT or security staff.

For this, you'd choose an external and covert security assessment. In the first scenario, where you're assessing your vulnerability to an internet-based hacker attack, the best approach is to conduct an external assessment. This means you'll be testing your organization's perimeter defenses without alerting IT or security staff, making it a covert test.

In the second scenario, you're worried about unauthorized access from a malicious insider. Here, you plan to work with the IT and incident response teams and give them a heads-up about the test.

In this case, you'd go for an internal and overt security assessment. In the second scenario, where you're simulating a potential malicious insider, an internal security assessment is the way to go. This focuses on identifying vulnerabilities within your internal systems, and since you're notifying your IT and incident response teams in advance, it qualifies as an overt test.

Next time you plan a security assessment, you can refer back to these scenarios to help you choose the right type of assessment for your needs.

Technical Security Reviews

Technical security reviews play a crucial role in identifying potential security gaps and gathering necessary information for upcoming security tests.

we'll explore six essential techniques: document review, log review, ruleset review, system configuration review, network sniffing, and file integrity checking.

Each technique requires specific skills. For instance, assessors need a solid understanding of security principles for document reviews, familiarity with log formats for analyzing logs, and an in-depth knowledge of firewall rules for ruleset reviews.

They should also be adept at securing system configurations, analyzing network traffic, and verifying file integrity. With these skills in hand, assessors can effectively pinpoint vulnerabilities and strengthen their organization's security posture.

Conduct Documentation Reviews

Documentation reviews are essential for ensuring that security documents are up-to-date, accurate, and comprehensive. Although this part of the security assessment process might not be as exciting as technical testing, it plays a critical role in a robust security program. Gaps or poorly crafted documents can indicate weak security controls.

At the start of an assessment, one of your first tasks should be to request relevant documentation. Delays in receiving these documents may suggest they're not easily accessible to the IT or security teams. Important documents to review include security policies, standards, procedures, system security plans, network diagrams, incident response plans, and proof of third-party testing.

During the review, assessors will look for outdated, missing, or incorrect information, documenting any findings for the final report. However, just because a document appears accurate doesn't mean it's being followed; compliance checks typically happen later. Thus, early documentation reviews are vital, serving as a foundation for effective security assessments.

Conduct Log Reviews

Audit logs are essential for all systems, as they provide a historical record of activities that can be invaluable for security assessments. The primary goal of log reviews is to determine whether systems are logging important security events effectively and if the organization adheres to its logging policies. For example, if an organization's policy states that both successful and failed authentication attempts must be logged, but a system only captures successful attempts, that's a significant finding.

Log reviews can uncover configuration issues or even unauthorized activities. A famous case highlighting the importance of log reviews is Cliff Stoll's "Cuckoo's Egg," where systematic log analysis helped trace a hacker stealing sensitive military information. During assessments, logs are checked for unauthorized account changes, suspicious activities, and failures in systems like firewalls and anti-malware. Missing logs in these areas can raise red flags.

While examining logs manually can be tedious, tools like Graylog Open make the process more manageable by filtering and querying log data quickly. Some of these tools can even generate visual reports, making it easier to digest the information. Ultimately, log reviews are a critical component of technical security assessments, revealing vital insights into the security posture of systems and networks.

Conduct Ruleset Reviews

A firewall serves as a crucial shield between your computer network and the vast expanse of the internet, equipped with rulesets that determine how traffic is managed. These rules dictate whether to allow or deny incoming and outgoing packets, log traffic activities, or trigger alerts. During a security assessment, reviewing these rulesets is vital for pinpointing security gaps caused by missing or poorly constructed rules. It's also wise to periodically revisit these rules to ensure they don't hinder the firewall's performance.

Firewalls come in various forms — network firewalls, host-based firewalls, routers, and intrusion detection systems — so it's important to assess the rulesets for each type accordingly. Organizations like SANS emphasize the importance of following a structured approach during ruleset reviews, starting with the order of filter rules, then permit rules, and finally deny rules. Key checks include ensuring that every policy requirement has a corresponding rule, unnecessary open ports are closed, traffic doesn't evade other security measures, and rules enforce the principle of least privilege.

Given the complexity of firewall configurations, often numbering in the thousands, it's beneficial to involve assessors with expertise in this area.

Automated tools like AlgoSec's Firewall Analyzer or Tufin's analysis software can also simplify this process. Remember to incorporate ruleset reviews into your technical security assessments, as they are essential for ensuring proper authorization and management of network traffic.

Conduct System Configuration Reviews

System configuration reviews are essential for spotting incorrect or missing settings that could expose security vulnerabilities. A well-hardened system adheres to robust security standards, and these reviews help assess compliance.

Common issues include systems without screen lock activation, weak passwords, unnecessary services running, and inadequate logging practices.

To conduct a review, assessors should create a checklist based on the organization's security policies and confirm that each requirement aligns with the system's settings.

For instance, if the policy mandates passwords of at least eight characters, the authentication server must enforce this rule.

While manual reviews using checklists from sources like NIST or the Center for Internet Security can be effective, they can also be tedious and prone to errors. Automated tools like the CIS-CAT Lite can streamline the process, though assessors may need administrative access to thoroughly evaluate all systems. Including system configuration reviews in your security assessments is vital for determining how well-protected an organization's systems are against potential compromises.

Conduct Network Sniffing

Network sniffing is a technique for capturing and analyzing network traffic to gather valuable insights, such as identifying active devices, operating systems, and potential security vulnerabilities.

By using software tools like Wireshark or tcpdump, individuals can passively monitor traffic with minimal impact on the network. This often involves connecting a sniffer to a hub or switch to copy all traffic to a single port, making it easier to spot unencrypted user credentials and other sensitive information.

Network sniffing tool Demo: Wireshark

I'll be using Wireshark, installed on Kali Linux, to capture and analyze network traffic. First, I'll launch Wireshark on a system that will generate the traffic we want to monitor.

By double-clicking on the ethernet zero interface, Wireshark enters capture mode. Next, I'll visit the DVWA website, known for not encrypting user credentials, and log in with the username "Admin" and password "Password." After stopping the capture,

I'll sift through the 159 packets collected over just 52 seconds. To narrow down the results,

I'll apply an HTTP filter, revealing only the relevant HTTP packets. In the POST packet, I can see the unencrypted username and password — this represents a significant security vulnerability, as these credentials could be exploited elsewhere.

This example demonstrates how network sniffing, when executed skillfully, can uncover sensitive information lurking in network traffic.

Conduct File Integrity Checking

Certain files should only be modified under authorized circumstances. For example, sensitive medical records can only be updated by authorized healthcare professionals. Unfortunately, malicious alterations can occur due to data manipulation, malware infections, or even human error. To protect against unauthorized changes, file integrity checks are essential. One effective method is hashing, which creates a unique digital fingerprint for each file.

If a file is altered, its hash will differ from the original, signaling a change. Assessors can maintain a hash list for critical files and use tools like Windows PowerShell's Get-FileHash command to verify their integrity. Other tools such as AIDE, Rootkit Hunter, and Tripwire can help monitor files for unauthorized changes.

Organizations should focus on protecting critical system files, sensitive data, and rarely changed files.

File Integrity Checking Tool Demo

To demonstrate file integrity checking, I'll use the Hash Tool, a free utility from DigitalVolcano.

First, I'll select a file to generate its hash, which gives us a unique string representing its contents. This will serve as our baseline hash.

Next, I'll make a minor change by deleting a comma and save the file. When I run the hash validation again, the new hash is completely different, showing how sensitive file integrity is to even small alterations. After restoring the comma and re-running the hash, it matches the baseline again, confirming the file's integrity.

This demonstration highlights the core principle behind file integrity checks, even if you won't use hashing tools in exactly this manner during security assessments.

Pick the Right Reviews

When assessing your organization's vulnerability to data loss in database systems due to human error, it's essential to focus on key security controls like least privilege, access authorization, and backup frequency.

Ensuring that access to database servers is limited minimizes accidental data loss, while clear rules around who can access these systems are crucial for enforcing restrictions. Regular backups are vital for recovering data when incidents occur.

In this context, various review techniques can be applied:

Documentation reviews are critical for identifying policies on least privilege and backups; log reviews help track access and flag unauthorized entries; and ruleset reviews ensure proper network segmentation around critical systems. A system configuration review verifies compliance with security standards, while database integrity checks are necessary for maintaining data structure. While network sniffing isn't applicable here, focusing on these targeted reviews will provide a comprehensive picture of your organization's data loss vulnerability.

Identification and Analysis Targets

Identifying and analyzing targets is all about determining which systems and devices are available for testing and conducting initial vulnerability assessments.

This process builds on information like asset inventories and network diagrams from earlier stages, which guide the way forward.

Four key techniques are essential: network discovery, identifying open ports and services, scanning for vulnerabilities, and scanning wireless networks.

Each requires specific skills, such as understanding TCP/IP networking, recognizing common ports and services, and using tools like OpenVAS for vulnerability scanning.

Assessors also need to be familiar with Wi-Fi technologies and protocols to scan wireless networks effectively. These skills help assessors pinpoint critical systems and vulnerabilities, laying the groundwork for deeper testing in the next phase of security assessments.

Conduct network discovery

Network discovery is the first step in identifying and analyzing targets during a security assessment. It involves finding devices within a network's address range, either actively or passively. Active discovery sends probes, like ping sweeps, to detect responses from live devices. It's fast but can disrupt traffic.

On the other hand, passive discovery uses tools like Wireshark to monitor network traffic without sending out any packets, making it quieter but slower and potentially missing inactive devices. Both methods help uncover rogue or unauthorized devices, such as spotting a Linux system in a network meant for Windows. These findings should be noted in the final assessment report.

Network Discovery Tool Demo

I used a virtual machine running a demo version of Windows to show the differences between passive and active network discovery.

Using NetworkMiner, a passive tool that doesn't send any packets, I captured data on active devices in the network by simply observing network traffic. This method is quieter but only identifies devices that were transmitting during the scan.

Then, I demonstrated active discovery using Legion from Kali Linux, which utilizes Nmap to actively probe the network for devices. Although faster and more thorough, active scans are more noticeable to network monitoring tools.

Both methods provide valuable data for identifying and analyzing devices on a network, which can guide further security assessments.

Install and run Nmap

I used Zenmap, the graphical interface for Nmap, to scan my local system and show how Nmap identifies open and closed ports, operating systems, and network relationships. By setting the target as the loopback address (127.0.0.1),

I ran a default scan that quickly returned detailed results. The scan's output showed information about detected ports, the operating system, and a visual of how systems are connected in the network.

Although this was a simple example, Nmap can be used on larger networks to analyze multiple systems at once. Always ensure you have permission to scan any network that isn't your own, and keep practicing to enhance your network assessment skills.

Identify Network Ports and Services

After identifying the devices on a network, the next step is to scan each one to gather more detailed information.

Tools like Nmap are commonly used to scan for open ports and active services, which help identify the device's function and potential vulnerabilities.

For example, a device with port 80 open and an HTTP service running is likely a web server. This process also aids in identifying the operating system, known as OS fingerprinting, though factors like firewalls or non-default ports can affect accuracy.

To avoid disruptions, assessors should coordinate scans with system owners. Once the OS is identified, assessors can then conduct targeted vulnerability testing.

Network ports and services discovery tool demo

We'll use Legion on Kali Linux, as we did for network discovery, to run an Nmap scan on all 65,535 ports of any device on a network.

Legion breaks this large task into stages, allowing assessors to see results as they come in instead of waiting for the entire scan to finish. The most common ports, like HTTP, HTTPS, and Microsoft OS ports, are scanned early on, while lesser-used ports come in later stages.

As Legion scans, it automatically checks if the expected service is running on an open port — like confirming Apache is active if port 80 is open. By the end of stage two, Legion can often identify operating systems, though accuracy can be affected by firewalls. Once the full scan completes, the results allow assessors to begin testing for vulnerabilities.

Scan for vulnerabilities

After identifying network devices and their ports and services, the next step is scanning for vulnerabilities. This process helps detect outdated software, missing patches, or misconfigurations that could pose security risks.

Vulnerability scanners, like OpenVAS, cross-reference known vulnerabilities from databases and assess systems for compliance with security standards. While these scanners can perform network discovery and port scanning, it's often more efficient to run these steps separately.

This allows assessors to focus on systems with suspicious services. For thorough results, vulnerability scans usually require system credentials, and dedicated accounts ensure that activities are traceable. Scanners assign severity ratings to potential issues, but it's important to validate findings with further testing, as false positives can occur.

Vulnerability scanning can be disruptive, so it's crucial to coordinate with system owners beforehand. Finally, scanners often recommend fixes, aiding assessors in compiling remediation strategies for final reports.

Vulnerability Scanning Tool Demo

I'll show how to use OpenVAS for vulnerability scanning during a security assessment. After logging into OpenVAS on Kali Purple, it's important to first update the vulnerability feeds to ensure you're working with the latest signatures.

Once the feeds are current, I create a new target for scanning by entering the address range identified during network discovery. Next, I start a new task, selecting the "Full and Fast" scan config to balance thoroughness with speed.

Once the scan completes, OpenVAS organizes the results by severity, offering remediation steps like disabling vulnerable services. Reports can be exported in various formats, which helps when preparing the final assessment. Critical vulnerabilities should be validated during penetration testing.

Scan Wireless Networks

Wireless technologies like cellular networks, Wi-Fi, and Bluetooth are everywhere, but they're also vulnerable to attacks.

As wireless devices proliferate, organizations must prioritize testing and securing their wireless local area networks (WLANs). Poorly managed WLANs can lead to issues such as weak security controls, unauthorized access, and rogue access points.

When scanning wireless networks, assessors need to consider factors like the density of surrounding networks, device connection frequencies, and the sensitivity of the data being transmitted.

The primary goal is to detect rogue devices, unauthorized access points, and weaknesses like open Wi-Fi networks or outdated encryption methods. Wireless scanning can be complex due to various protocols and mobile devices, so tools like the Chanalyzer spectrum analyzer can aid in thorough assessments.

Using a laptop with a wireless card allows assessors to maximize detection as they navigate the organization. After scanning, tools like Aircrack-ng on Kali Linux can help test the security of discovered devices. Overall, wireless scanning is an essential part of a robust security evaluation for any organization utilizing wireless networks.

📖 Part 2 :- Understanding Technical Security Audits and Assessments (NIST Publication 800–115)