The book describes how the methodology evolved and how to define the proper scope of an evaluation, including the consideration of legal issues that may arise during the evaluation. More detailed information is given in later chapters about the core technical processes that need to occur to ensure a comprehensive understanding of the network's security posture. Ten baseline areas for evaluation are covered in detail.
The tools and examples detailed within this book include both Freeware and Commercial tools that provide a detailed analysis of security vulnerabilities on the target network. The book ends with guidance on the creation of customer roadmaps to better security and recommendations on the format and delivery of the final report. Exploring Professionalism Bryan Cunningham.
The IAM is often called a white team activity. The assessment is looking for vulnerabilities that exist within the organizational structure. Where are the policies in place at the organization not meeting federal requirements? Where are these policies not being enforced or utilized? ISO , www. National Strategy to Secure Cyberspace , www.
Most technical people are left wondering how any of this applies to what they do in respect to information security. I just hack things. But the truth is that the information derived during the assessment process is very important to the evaluation process and the final deliverables that we provide to the customer.
The more I work in both of these areas, the assessment piece and the evaluation piece, the more relevance I find. How many times have you watched helplessly as a so-called security expert ran one of those off-the-shelf vulnerability tools on a customer network, printed out the results, changed the logo on the report, and handed it to the customer as his or her own work? This information is used to customize the findings to the customer organization.
That means that every customer receives a final deliverable that is actually valid for their environment and mission. The IAM process sounds very much like a program designed to involve the entire enterprise in security. IBM did some work on this recently; empowering every employee to do their part in company security.
I also agree with the comments about not needing a firewall or antivirus on every machine.
Each network requires different methods to secure it and the biggest exploit is the people inside the fence. Just remember, those "students" are given a fire hose of knowledge in one or two days' worth of training. The instructors are quite limited in what they can teach during those few hours. They might as well teach the students the basics and let them learn from there.
Expertise is only gained through experience and experience is only gained through doing it wrong until you get it right. I am disappointed that none of the links work anymore. I was hoping to gather some great information on these ideas but the blog was done a few years back so everything seems to have changed.
Thanks for the basic information though. I took both classes and found them to be beneficial to our organization. The idea of security for everyone was a good concept, and while some of the areas were "weak" the instructor advised this was on purpose as this is for the organization to build their own ideas and methods to test and implement the practices. It was emphasized that this is a structure, not a one size fits all solution. I wish they had more of these to offer, it was a unique set of classes.
Network Security Evaluation Using the NSA IEM
That post is still in the top ten Google search results for NSA IAM, which is sad because that means there isn't much about the program online. The Syngress sample chapter nicely summarizes the IAM purpose and compares it to alternatives. It was made available commercially in NSA developed the IAM to give organizations that provide INFOSEC assessments a repeatable framework for conducting organizational types of assessments as well as provide assessment consumers appropriate information on what to look for in an assessment provider.
The IAM is also intended to raise awareness of the need for organizational types of assessment versus the purely technical type of assessment.