Electronic Security Initiative 2005 Security Assessment Email Security
- Slides: 11
Electronic Security Initiative 2005 Security Assessment Email & Security Services 20 July 2005
2005 Security Assessment Goal: Assess the security of the IEEE Internet-facing systems and applications and take steps to mitigate/remediate exposures.
2005 Security Assessment Scope: Perform non-intrusive attack and penetration testing (real-world risk analysis)
• Internet
• Analog Phones Dial-Up (War Dialing)
• Wireless
• Web Applications (Renewal, Catalog & Xplore)
Locations: NY, NJ, DC and CA
2005 Security Assessment Selected Vendor: Ernst & Young, LLP Giuliani Advanced Security Center
Reason: Ernst & Young methodology and vulnerability tests combined with their staff skills are designed to provide a broad understanding of the potential security issues that could affect the security of the IEEE systems and services.
2005 Security Assessment start date: 3 May 2005
• Completed Tasks:
  ✓ Internet Penetration Testing
  ✓ Dial-up Security
  ✓ Wireless Security
  ✓ Applications Penetration Testing: Renewal, Catalog & Xplore
• Preliminary Assessment report delivered by E&Y on 27 June 2005
2005 Security Assessment
• The Internet Assessment discovered a total of 44 vulnerabilities
  ✓ 2 High Risk
  ✓ 11 Med Risk
  ✓ 31 Low Risk
• High risk exposures were corrected by IEEE IT Staff as soon as they were found.
2005 Security Assessment
• The Wireless & Dialup Assessment discovered a total of 23 vulnerabilities
  ✓ 9 High Risk
  ✓ 5 Med Risk
  ✓ 9 Low Risk
• High risk exposures were corrected by IEEE IT Staff as soon as they were found.
• E&Y did not identify any rogue data carriers on IEEE’s dial-up infrastructure.
2005 Security Assessment
• The Web Applications Assessment discovered a total of 39 vulnerabilities

| Application | High | Med | Low |
|-------------|------|-----|-----|
| Catalog     | 1    | 3   | 5   |
| Xplore      | 1    | 9   | 9   |
| Renewal     | 3    | 4   | 4   |

• The development staff responsible for these applications is working to remediate these security issues.
2005 Security Assessment Status
• All High Risk Issues (Internet and Wireless) were remediated as soon as they were found. There are some High Risk issues affecting Web applications and remediation planning is underway. IEEE Staff have already developed remediation plans to address “Medium & Low” Issues.
• IEEE Computer Society & IEEE USA
  ✓ Most security issues remediated. There are some “low risk” security issues that will be remediated at a later date as part of infrastructure upgrades.
2005 Security Assessment Next Steps
• The IEEE staff is engaged in remediating outstanding security issues. This effort is scheduled to be completed by 25 July 2005.
• After completing the initial remediation effort, E&Y will re-test the environment to verify completeness.
• Any outstanding complex security issues will be prioritized and implemented in a timely manner.
2005 Security Assessment (Plan)

| Tasks | Start Date / End Date | Status |
|-------|-----------------------|--------|
| Pre-Engagement Planning/Kick-off - Internet Testing | Tue 5/3/05 | Completed |
| Internet Penetration Assessment - Field Work | Tue 5/3/05 to Wed 5/18/05 | Completed |
| Internet Penetration Testing - Reporting | Wed 5/18/05 to Wed 5/25/05 | Completed |
| Deliver Draft Report - Internet Penetration Testing | Wed 5/25/05 | Completed |
| Pre-Engagement Planning/Kick-off - Dial-up & Wireless | Tue 5/10/05 | Completed |
| Dial-Up Field Work | Mon 5/16/05 to Thu 5/19/05 | Completed |
| Wireless Field Work | Mon 5/16/05 to Fri 5/27/05 | Completed |
| Dial-up and Wireless - Reporting | Mon 5/30/05 to Thu 6/2/05 | Completed |
| Deliver Draft Report - Dial-up & Wireless | Thu 6/2/05 | Completed |
| Pre-Engagement Planning/Kick-off - Application Testing | Thu 6/2/05 | Completed |
| Application Testing - Field Work | Thu 6/2/05 to Tue 6/21/05 | Completed |
| Application Testing - Reporting | Tue 6/21/05 to Tue 6/28/05 | Completed |
| Deliver Draft Report - Application Testing | Tue 6/28/05 | Completed |
| Remediation Regression Testing & Final Report | Tue 6/28/05 to Fri 8/12/05** | |

** Date revised based on findings