Vulnerability Analysis
What is it?
CSRT offers security analysis services for administrators and end-users of resources on the DePaul network. If you are a department head and are curious to know what an attacker can do to your department's computers, we can help. Likewise, if you are an end user and would like a specific analysis of your workstation, we can help.
Our analysis covers both published and unpublished vulnerabilities and attempts to identify the level of exposure the resources introduce to the environment and to the university as a whole. We approach the analysis as an attacker would.
Getting Started
To get started, you will need the following information prior to contacting CSRT.
- Hostname and/or IP address of the target(s) to analyze.
- Prior authorization from, and contact information of, the approving manager, department chair or dean.
- A time frame to perform the test; please be flexible and have two to three options open over the course of two weeks.
- Type, intensity and scope of analysis desired. Please see below for more information.
Once you have this information, e-mail security@depaul.edu and we will begin the process as detailed below.
Time Frame
Performing an analysis requires ample time to test for vulnerabilities. Assessing even a single host can take an extraordinarily long time if "brute force" attacks are requested to guess username/password combinations. As a general rule of thumb, you should allow approximately 20 minutes per host to accomplish a successful test; we only perform thorough tests, so that the results are useful.
Process Flow
- Send a completed scan request form to us. This form can be found here. If possible, digitally sign the message with your PGP key and encrypt the message with our public key.
- After verification of the information you send us, we will contact you with an exact time and date of the analysis. You will be responsible for notifying all involved parties.
- Confirm that all parties involved have been notified. If you choose to have the analysis performed covertly, communicate this to the analysis team.
- The analysis team will notify you via PGP signed email before the analysis begins. We will also notify you when the analysis ends.
- When analysis of the resources is complete, the data will be compiled into an analysis report. This report will be distributed in Portable Document Format (PDF) or PostScript (PS) and emailed to you, encrypted and signed with our PGP key.
Grading Scale
Once the results have been compiled, a composite grade will be given to the overall report. Additionally, each resource will be given an individual grade.
Caveats
The analysis process may seem more involved than necessary. We feel these steps are needed to verify that a test is authorized by the proper chain of command. Further, you should require that CSRT use PGP for all communications during the test. This step ensures the communications cannot be intercepted or modified without detection.
The analysis report will not include detailed recommendations for patching vulnerabilities. The analysis team will contact you during the analysis period only if a critical vulnerability is found. Further recommendations for increasing the security of your particular resources can be obtained from CSRT on request.