IAM Assessment

There are many methods available to assess a network properly.  One of the more popular is the IAM (Information Assessment Method), which follows a strict set of rules for assessing a company and its network structure.  When we think of network security we tend to think only of the technology, but far more goes into it than that.  In this piece I assume the role of the team leader and assess the NEWT organization by following the three phases of the IAM (pre-assessment, onsite, and post-assessment).  The point of this piece is to show my knowledge in creating a proper and rigorous assessment.

February 8, 2012

Mike Nesbit – Team Leader






Table of Contents

  • Point of Contact
  • Mission Statement
  • Organizational Information Criticality
  • System Information Criticality
  • Customer Concerns
  • Detailed Data Analysis
  • System Configuration
  • Individuals to be Interviewed
  • Reviewed Documents
  • Estimated Assessment Timeline

The following document contains the complete assessment information from our work with the NEWT organization.  NEWT hired us to provide a thorough assessment of their organization, which handles important practices and data.  Our team set out to achieve not only our goals but the goals of the customer.  We have taken lessons learned from previous experiences and applied them to our work with NEWT.  This assessment included three phases: Pre-Assessment, Onsite, and Post-Assessment.  During these phases various types of work were done, including interviews, scoping, meetings, Q&A, onsite investigation, and determining high-value areas, among numerous other practices.  All of that work is included here.

Important Point of Contact:

Kevin McLaughlin



The Mission Statement:

National Electronic Weapons Technology is a research and development organization that specializes in the design and creation of IT warfare tools.  The main goal of these tools is to defend against attack methods such as viruses, electronic flooding techniques, worms, and logic bombs.  Because of the nature of their business they are a private organization, and they build tools under contract for the U.S. Government.  It is vital that their information be kept under controlled circumstances.

Organizational Information Criticality:

  • High – Stolen data, compromised network, personal information
  • Medium – Communication, obligations, reputation
  • Low – Support, knowledge
                                  Confidentiality  Integrity  Availability  Authorization
  Tools                           H                H          M             L
  Contracts                       M                M          M             H
  Customer Satisfaction           L                M          H             M
  Information Leak                H                H          L             M
  Employee Records                H                H          M             M
  Network Infrastructure          M                H          H             H

Organizational Information Criticality Scores:

  • Confidentiality – H
  • Integrity – H
  • Availability – H
  • Authorization – H

System Information Criticality:

  • High: Compromised information, Data, Privacy
  • Medium: Network usage, uptime, security
  • Low: Users, behavior

Corporate LAN Matrix:

                                  Confidentiality  Integrity  Availability  Authorization
  Routers                         M                L          H             M
  WinNT 4 Server                  H                H          H             H
  WinNT 3.6 & 4 (non-server)      M                M          M             M
  Chief Scientist Unix Workstation H               H          H             H

System Information Criticality Corporate Scores:

  • Confidentiality – H
  • Integrity – H
  • Availability – H
  • Authorization – H

Laboratory LAN Matrix:

                                  Confidentiality  Integrity  Availability  Authorization
  Chief Scientist Unix Workstation H               H          H             H
  Filtering Router                L                L          M             M
  VAX Minicomputer                H                H          H             H
  Unix/WinNT 4/Linux systems      M                H          H             H

System Information Criticality Laboratory Scores:

  • Confidentiality – H
  • Integrity – H
  • Availability – H
  • Authorization – H
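As an added illustration (not part of the original assessment), the following Python reproduces the column roll-up behind the three sets of criticality scores above.  It assumes the IAM high-water-mark rule, under which each attribute's score is the highest rating appearing in that column (L < M < H); that rule is an assumption here, but it agrees with every score the report gives.  The matrices are transcribed inline from the tables above, and the `drivers` helper is an addition that names the rows responsible for a column's score, which is the question a customer usually asks when every column comes out H.

```python
# Added example: roll up IAM criticality matrices into per-attribute scores.
# Assumed rule: an attribute's score is the highest rating in its column
# (the IAM high-water-mark rule), ordered L < M < H.

RANK = {"L": 0, "M": 1, "H": 2}
ATTRIBUTES = ("Confidentiality", "Integrity", "Availability", "Authorization")


def parse_matrix(text):
    """Parse rows of 'Name ... C I A Auth'; the last four tokens are ratings."""
    rows = {}
    for line in text.strip().splitlines():
        tokens = line.split()
        name, ratings = " ".join(tokens[:-4]), tokens[-4:]
        if len(ratings) != 4 or any(r not in RANK for r in ratings):
            raise ValueError(f"bad matrix row: {line!r}")
        rows[name] = dict(zip(ATTRIBUTES, ratings))
    return rows


def rollup(rows):
    """High-water mark per attribute across all rows of a matrix."""
    return {attr: max((row[attr] for row in rows.values()), key=RANK.__getitem__)
            for attr in ATTRIBUTES}


def drivers(rows, attr):
    """Rows whose rating equals the rolled-up score for one attribute."""
    top = rollup(rows)[attr]
    return sorted(name for name, row in rows.items() if row[attr] == top)


# Matrices transcribed from the assessment tables above.
ORGANIZATIONAL = """
Tools H H M L
Contracts M M M H
Customer Satisfaction L M H M
Information Leak H H L M
Employee Records H H M M
Network Infrastructure M H H H
"""
CORPORATE_LAN = """
Routers M L H M
WinNT 4 Server H H H H
WinNT 3.6 & 4 (non-server) M M M M
Chief Scientist Unix Workstation H H H H
"""
LABORATORY_LAN = """
Chief Scientist Unix Workstation H H H H
Filtering Router L L M M
VAX Minicomputer H H H H
Unix/WinNT 4/Linux systems M H H H
"""

if __name__ == "__main__":
    for label, text in (("Organizational", ORGANIZATIONAL),
                        ("Corporate LAN", CORPORATE_LAN),
                        ("Laboratory LAN", LABORATORY_LAN)):
        rows = parse_matrix(text)
        print(label, rollup(rows), "Availability set by:", drivers(rows, "Availability"))
```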

Customer Concerns:

  1. Identification & Authentication
  • Finding: Password and auditing systems are weak
  • Discussion: You have two networks (Corporate & Laboratory) that accomplish different tasks.  The password and auditing controls in place are rather weak for this type of environment.  The passwords currently in use are not complex and are relatively weak, which could allow an outsider easy access to compromise a user’s computer.

The other danger here is that since the two networks are connected, having access to one could allow access to the other.  Corporate information could be stolen along with vital research data and tools.

  • Recommendation: Passwords should be changed for every user at least once a month.  Our findings suggest that passwords should have a minimum length of 10 characters with at least one capital and one lowercase letter along with numerical values.  Users may find it harder to accept that their password will be changed far more frequently (it should be created by the administrators) and will not be easy to remember, but the point is to make it more difficult for outsiders to gain access.  To make this easier on the user, it might be suggested that they write down their new password and hide it in a safe place.

The systems should also have a limited number of login attempts per user.  After three attempts the user should be locked out until the administrators review the activity.

  2. Maintenance
  • Finding: Systems are not current on patches, and computers are loaded with old and excess data.
  • Discussion: A valuable part of any system, and of the programs and hardware it runs, is the steady stream of updates, drivers, and patches that are released.  Many of these updates fix bugs, close security issues, and allow hardware to perform better.  It is always good practice to keep everything updated.

Also, there is a lot of “garbage” data left behind on many of the computers.  Garbage data is unnecessary programs, out of date files, and other lingering artifacts that can slow down a computer, take up unnecessary space, and cause security problems.  The security issues come when files are lying around that could still contain old, but important information that a would-be attacker could use.

  • Recommendation:  It is key to have scheduled maintenance deployments for the various operating systems, programs, and hardware.  These should not be left up to the user as the administrators can send these out over the network.  There are different computers in use operating different programs and operating systems.  Organizing a list per network would be a wise decision to create a smooth process.

Cleaning out computers from excess data can be a daunting task, but it should not be entirely left up to the user.  Create a list of what is currently in use and what data is needed as this will allow a quicker sweep of the networks.  A team could then be sent in to get rid of older programs, and wipe out any excess data.

  3. Training and Awareness
  • Finding: Users are not very aware of what they should do under certain circumstances.
  • Discussion: When it comes to security, people are usually the number one source of security issues.  While the staff are well trained in their own jobs, they lack awareness of what they should and should not do.  This is a problem because they could easily be fooled into giving out vital information such as product details and passwords.
  • Recommendation: The staff should go through a training program that helps them understand their roles, what to watch for, and how to react in certain circumstances.  All it takes is one skilled attacker using social engineering to get important data from staff members who do not know better.  Training should cover what the risks are and how to counter them.  It may also be a good idea to train staff on certain aspects of maintaining their computers (such as getting rid of excess data).

Detailed Data Analysis (concerns-in-depth)

Identification and authentication are usually key problem areas that must always be addressed.  During our assessment we learned that the layout consists of several networks serving different tasks and environments.  The issue is that because they are interconnected, for good reasons, the risk of a compromise is doubled: a break-in on one network could lead to infiltration of the other.  After reviewing the current requirements for passwords and audits, it was clear to us that this posed a potential threat.  Therefore we recommended these changes:

  • Passwords should be changed a minimum of once a month and include a minimum of 10 characters with at least one capital and one lowercase letter while also including numerical values.  This creates a strong password.
  • There must be a limit on how many login attempts a user can have.  Everyone mistypes their password at times, so allowing 3-5 login attempts before being locked out is a good idea.  After the maximum number of attempts, the administrators can be alerted and involve themselves.

We feel that implementing these ideas will result in a far more secure environment.  Some users will probably resist the idea for reasons such as having to remember complicated passwords and the worry of being investigated if they exceed their login attempts.  However, it is best to assure them that this is not meant to make their lives worse or to scare them, but simply to maintain higher security practices.  After some time it will be common practice.

To implement these ideas, we feel it would take only a few days to a week.  Changing the login audits and passwords is easy enough; the real work is preparing for the changeover.  Ease everyone into it and explain the new policies.  Keep organized records of the password assigned to each user and of how passwords will be changed later on.

In terms of maintenance, having up-to-date patches and programs is another essential element of any environment.  Out-of-date operating systems and programs left without proper updates can leave security holes that make an attack on the systems easy.  Excess data and leftover files can slow computers down and waste needed space.

  • Schedule maintenance updates for the various hardware, operating systems, and programs via the administrators.
  • “Clean” out (or reformat) computers at least once a year.

It can be difficult to keep up with the various operating systems in use.  However, organizing is an often overused but valued term here.  Once the mapping of the networks is laid out system by system, it becomes easy to deploy updates and patches.  It would be preferable, though not necessary, for most computers to run the same hardware to make updating easier.  Administrators should keep up with the latest updates and patches via the manufacturers’ websites.  They can then deploy these throughout the network for automatic updating.  This should be scheduled after hours so as not to interrupt daily work; if problems arise, they will not interfere with work and cause further delay.  This idea does not take long to implement – perhaps a few days to a week to organize and set everything up.  Once that is complete, the updates can easily be deployed after hours at the administrators’ discretion.

Cleaning up or formatting computers is another issue.  Considering the amount of users/computers involved, and the amount of research to make sure the right data is cleaned out, this task can be considered a bit daunting.  This must be done after hours or on a weekend and could take several weeks due to the time involvement and the time limits given.  Standardizing the data and programs on the various computers can speed this up for future reference.

The final issue here is training and awareness.  After the assessment, we have learned that many staff members were ill-equipped with the knowledge they should have to prevent security risks, and also to understand scenarios better.  Staff members may be resistant to the idea because “it is not their job”.  The wise approach here is to make them feel a part of something bigger and that protecting information not only ensures company success, but also job success (do not make this sound threatening to the employees.)

  • Training programs should be set up for staff members so they can understand their roles better, identify common security risks, and how to react in certain conditions.

There are various programs out there to research in terms of staff training.  You should not have to do this every week or even every month, but at least once a year would help not only train the staff, but alert them to new policies and risks.  Remember, it is not their job to be security professionals, but they can help prevent risks that would affect them.

System Configuration:

The system configuration is based on two separate entities that are connected via a UNIX Workstation and filtering router.  The Corporate LAN is the business side of the network where they have access to the Web, along with firewalls and routers in place.  The Laboratory LAN is the development part of the network where much of the development on the tools occurs.  This should be, along with the UNIX Workstation, prioritized slightly higher.

Individuals To Be Interviewed:

  • CEO – John Spetter
  • NSO – Richard Cast
  • System Administrator – Brian Morrow
  • Security Administrators – James Pax, Heather Barnaby
  • Development Staff – Sarah Jones, Carl Henderson, Thomas Myers


Documents To Review:

  • Security Plans
  • Contingency Plans
  • Business Continuity Plans
  • Job Rules (could be different for each set of personnel)
  • Past incident documents
  • Network layout

In-Briefing/Onsite Interviews/Closeout Information

The in-briefing went very well.  The team and I went into thorough explanation of the assessment process.  We wanted to let the customers be aware of how the process works in most cases.  So the in-depth discussion of the overall process and what we’re planning to look for really made it much clearer to them. After this, we discussed our goals and objectives for their organization as how we feel we can make it a better place from the top to the bottom.  Topics included security awareness, methods of organizing, and the procedures involved in changes.  We wanted to further increase our trusting relationship with them during this initial briefing, and we feel that we have accomplished this.  We also fielded all questions and concerns to the appropriate individuals.  We ended the meeting by making sure that everyone was on the same page and that all agreements were still in place before we continued onto the onsite phase.

During the onsite visit, we needed to consider strategically who we should interview to get the best information and opinions for our assessment research.  This can be a daunting task because there are many people to interview.  In the end, we felt that interviewing the following individuals was best for our projected needs:

Interview with CEO John Spetter:

We interviewed the CEO while onsite to get more general information about the business and to make sure he still has similar expectations to what we discussed.  We wanted to test his comfort levels while we were actually onsite.  It went quite well as not much hesitation was shown.

Interview with System Administrator Brian Morrow:

We interviewed Brian to get information about the systems and the layout of their structure.  We wanted to get a firm grasp of what we were dealing with and Brian was more than willing to show us around and answer all questions we needed pertaining to this setup.

Interview with Security Administrator Heather Barnaby:

We interviewed Heather to gain a better understanding of their current security measures.  One thing we really wanted to know was what type of problems they have had in the past in terms of security – whether it was from the outside or within the company.  We also wanted to see what she was personally looking to gain from our assessments.

The team prepared quite carefully for our closeout meeting and chose a proper date and time to ensure all the necessary personnel would be attending.  During this meeting we discussed our findings from our onsite visits, what we have learned, what we have determined as critical, and what we feel needs to be changed.  Of course we went into very detailed explanation of the current issues and how they needed to be addressed.  While the meeting was long and there was some confusion throughout our report, we answered all questions and continued our trusting relationship with NEWT.

Our Estimated Timeline Of The Assessment Process:

  • Pre-Assessment: 2/06/12 – 2/15/12
  • On-Site Assessment: 2/20/12 – 3/14/12
  • Post-Assessment: 3/21/12 – 4/16/12


Throughout the course of working with the NEWT organization, we managed to successfully create a trusting and competent relationship.  Along the way, many questions were raised and all were answered.  The NEWT organization was very pleased with the work we put in to create a better and more solid workplace and infrastructure.

During the pre-assessment, we were able to successfully detail the critical aspects of their organization and systems.  We found that there were many attributes that were high risk via our criticality research.  These needed to be addressed and were.

We learned a few key security risks that were in need of changing.  The passwords and auditing ideas were weak, computers were not up to date, overcrowded, and users were not aware of problems due to lack of training.  We have established a plan to fix all of these issues as long as NEWT is willing to accept it.  We feel our advice will push NEWT into a better direction especially considering the valued nature of their information.

The estimated time for our complete assessment took a little over two months from start to completion.  During that time we created a business relationship, established ourselves further within the security field, talked to and interviewed many personnel within the company, and solved many key issues.  Our work was thorough and well considered.  It was a pleasure to work with NEWT and hope the best for their future endeavors.
