Electronic Security Initiative 2005 Security Assessment Email Security

Electronic Security Initiative 2005 Security Assessment Email & Security Services 20 July 2005


2005 Security Assessment
Goal: Assess the security of the IEEE Internet-facing systems and applications and take steps to mitigate/remediate exposures.

2005 Security Assessment
Scope: Perform non-intrusive attack and penetration testing (real-world risk analysis)
  • Internet
  • Analog Phones Dial-Up (War Dialing)
  • Wireless
  • Web Applications (Renewal, Catalog & Xplore)
Locations: NY, NJ, DC and CA

2005 Security Assessment
Selected Vendor: Ernst & Young, LLP Giuliani Advanced Security Center
Reason: Ernst & Young methodology and vulnerability tests combined with their staff skills are designed to provide a broad understanding of the potential security issues that could affect the security of the IEEE systems and services.

2005 Security Assessment
  • Start date: 3 May 2005
  • Completed Tasks:
    ✓ Internet Penetration Testing
    ✓ Dial-up Security
    ✓ Wireless Security
    ✓ Applications Penetration Testing: Renewal, Catalog & Xplore
  • Preliminary Assessment report delivered by E&Y on 27 June 2005

2005 Security Assessment
  • Results of the Internet Assessment discovered a total of 44 vulnerabilities
    ✓ 2 High Risk
    ✓ 11 Med Risk
    ✓ 31 Low Risk
  • High risk exposures were corrected by IEEE IT Staff as soon as they were found.

2005 Security Assessment
  • Results of the Wireless & Dialup Assessment discovered a total of 23 vulnerabilities
    ✓ 9 High Risk
    ✓ 5 Med Risk
    ✓ 9 Low Risk
  • High risk exposures were corrected by IEEE IT Staff as soon as they were found.
  • E&Y did not identify any rogue data carriers on IEEE’s dial-up infrastructure.

2005 Security Assessment
  • Results of the Web Applications Assessment discovered a total of 39 vulnerabilities

    Risk    Catalog    Xplore    Renewal
    High    1          1         3
    Med     3          9         4
    Low     5          9         4

  • The development staff responsible for these applications is working to remediate these security issues.

2005 Security Assessment Status
  • All High Risk Issues (Internet and Wireless) were remediated as soon as they were found.
  • There are some High Risk issues affecting Web applications and remediation planning is underway.
  • IEEE Staff have already developed remediation plans to address “Medium & Low” Issues.
  • IEEE Computer Society & IEEE USA
    ✓ Most security issues remediated.
    ✓ There are some “low risk” security issues that will be remediated at a later date as part of infrastructure upgrades.

2005 Security Assessment Next Steps
  • The IEEE staff is engaged in remediating outstanding security issues. This effort is scheduled to be completed by 25 July 2005.
  • After completing the initial remediation effort, E&Y will re-test the environment to verify completeness.
  • Any outstanding complex security issues will be prioritized and implemented in a timely manner.

2005 Security Assessment (Plan)

  Task                                                    Start Date    End Date       Status
  Pre-Engagement Planning/Kick-off - Internet Testing     Tue 5/3/05                   Completed
  Internet Penetration Assessment - Field Work            Tue 5/3/05    Wed 5/18/05    Completed
  Internet Penetration Testing - Reporting                Wed 5/18/05   Wed 5/25/05    Completed
  Deliver Draft Report - Internet Penetration Testing     Wed 5/25/05                  Completed
  Pre-Engagement Planning/Kick-off - Dial-up & Wireless   Tue 5/10/05                  Completed
  Dial-Up Field Work                                      Mon 5/16/05   Thu 5/19/05    Completed
  Wireless Field Work                                     Mon 5/16/05   Fri 5/27/05    Completed
  Dial-up and Wireless - Reporting                        Mon 5/30/05   Thu 6/2/05     Completed
  Deliver Draft Report - Dial-up & Wireless               Thu 6/2/05                   Completed
  Pre-Engagement Planning/Kick-off - Application Testing  Thu 6/2/05                   Completed
  Application Testing - Field Work                        Thu 6/2/05    Tue 6/21/05    Completed
  Application Testing - Reporting                         Tue 6/21/05   Tue 6/28/05    Completed
  Deliver Draft Report - Application Testing              Tue 6/28/05                  Completed
  Remediation Regression Testing & Final Report           Tue 6/28/05   Fri 8/12/05**

  ** Date revised based on findings