Process 4: Technical Perspective - Technical Analysis

Step 1: Identify key technology components of critical assets for technical evaluation.

Identify the technical components associated with the assets identified in Phase 0. Select specific components for evaluation. Examples of technical components that should be considered include:

  • Servers
  • Desktops
  • Home computers
  • Storage media such as NAS, ...
  • Laptops, PDAs, smartphones, and other portable devices
  • USB drives, CD-ROMs, and other portable storage media
  • Software
  • Networks
  • Infrastructure and facilities

Step 2: Determine evaluation approach.

Decide how the technical components will be evaluated. Tool selection will be based on the technical staff's experience and expertise and on the budget and resources available to support the evaluation. Consider tools that are compatible with the list of Common Vulnerabilities and Exposures (CVE, http://cve.mitre.org/). Types of technical analysis that should be considered include:

  • Port scans
  • Vulnerability scans
  • Software audits
  • Penetration tests
  • Social engineering
  • Data discovery

See Technical Vulnerability Scanning for more information.

Step 3: Run evaluation tool(s) on selected technology components.

Coordinate with management to schedule running evaluation tools on selected components. Two major considerations, pre-notification and timing, should be carefully evaluated first:

  1. Pre-notification: Carefully weigh the advantages and disadvantages of running any unannounced technical analyses. While unannounced scans, for example, might elicit more information than announced scans, there can often be undesirable consequences (like a diligent systems administrator seeing the scan, believing the host is under attack, and wasting considerable time and effort to mitigate it). Pre-announcing scans may be the better decision for a given institution.
  2. Timing: Select the technology window for running the evaluation tool that best fits the institution's needs and the goal(s) of the testing. Consideration should be given to high and low usage periods, the criticality of the component to be evaluated, and the need for the system to be online. If after-hours testing cannot be avoided, ensure that systems will be online and that appropriate personnel are available to assist in problem resolution.
    Remember, technical evaluations can be disruptive and even damaging! It is strongly recommended that everyone who needs to know about upcoming evaluation tests be informed. It is also strongly recommended that permission to run the selected evaluation tool(s) be documented. Both of these steps need to occur prior to the start of the evaluation test.

Step 4: Summarize results.

Technical analyses have the potential to produce volumes of data. The results should be summarized, addressing the vulnerabilities that are most likely to be exploited by the threats with the largest impact. The report documented in this step will be considered in Phase 2 of the risk assessment along with data collected in the steps above in Phase 1.
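
One way to reduce merged scan output to the kind of summary Step 4 asks for, as an added example that is not part of the original process document. The record layout, the three-point likelihood and impact scale, the likelihood × impact score, and the placeholder vulnerability IDs are all assumptions made for illustration.

```python
from collections import defaultdict

LEVELS = {"low": 1, "medium": 2, "high": 3}  # assumed three-point rating scale

# Constructed sample: merged output of two scan tools. IDs are placeholders,
# not real CVE entries; component names are hypothetical.
FINDINGS = [
    {"id": "CVE-PLACEHOLDER-1", "component": "web-server", "likelihood": "high", "impact": "high", "tool": "scanner-a"},
    {"id": "CVE-PLACEHOLDER-1", "component": "web-server", "likelihood": "high", "impact": "high", "tool": "scanner-b"},
    {"id": "CVE-PLACEHOLDER-1", "component": "staff-laptop", "likelihood": "medium", "impact": "low", "tool": "scanner-a"},
    {"id": "CVE-PLACEHOLDER-2", "component": "nas-1", "likelihood": "low", "impact": "high", "tool": "scanner-a"},
    {"id": "CVE-PLACEHOLDER-3", "component": "desktop-7", "likelihood": "medium", "impact": "medium", "tool": "scanner-b"},
    {"id": "CVE-PLACEHOLDER-4", "component": "desktop-7", "likelihood": "unknown", "impact": "low", "tool": "scanner-b"},
]

def summarize(findings, top_n=3):
    """Return (ranked, unrated): top vulnerabilities and findings that need a manual rating."""
    by_vuln = defaultdict(dict)  # vulnerability id -> {component: score}
    unrated = []
    for f in findings:
        try:
            score = LEVELS[f["likelihood"]] * LEVELS[f["impact"]]
        except KeyError:
            # Missing or unrecognized rating: do not guess, flag for review.
            unrated.append((f["id"], f["component"]))
            continue
        # The same finding reported by two tools counts once per component.
        prev = by_vuln[f["id"]].get(f["component"], 0)
        by_vuln[f["id"]][f["component"]] = max(prev, score)
    ranked = [
        {"id": vid, "score": max(comps.values()), "components": sorted(comps)}
        for vid, comps in by_vuln.items()
    ]
    # Highest score first, then widest exposure, then id for a stable order.
    ranked.sort(key=lambda r: (-r["score"], -len(r["components"]), r["id"]))
    return ranked[:top_n], unrated

if __name__ == "__main__":
    ranked, unrated = summarize(FINDINGS)
    for r in ranked:
        print(f'{r["score"]:>2}  {r["id"]}  affects: {", ".join(r["components"])}')
    for vid, comp in unrated:
        print(f"needs manual rating: {vid} on {comp}")
```

Findings that land in the unrated list should be rated by staff before the report goes forward to Phase 2, rather than being dropped from the summary.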

Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).