Call us now on 0161 209 5111, or email: securetest@nccgroup.com

Code of Connection (CoCo)

Navigating the GCSx IT HealthCHECK

The Government Connect Secure Extranet (GCSx) is a key enabler in the drive to transform services via solutions that provide secure communication capabilities. GCSx empowers local government to work easily with other government departments and agencies that are already part of a “community of trust”, e.g. the Government Secure Intranet for Central Government Departments, the Criminal Justice Extranet for the police and criminal justice and the network for the NHS.

Local authorities will be able to join this community and will help deliver secure electronic services to the public. In order to assure integrity of the network, the GCSx Code of Connection requires penetration testing and suggests vulnerability scanning as part of an IT HealthCHECK. As protectively marked material is not always present, testing by a CHECK accredited company is not mandated, though it is recommended in the Code.

IT HealthCHECKs can provide valuable information on the risks to IT assets and how they are being managed. They can also deliver a lot more than a ‘tick in the box’ and can support many aspects of GCSx CoCo assurance.


Our IT HealthCHECK

Our experienced CESG CHECK accredited penetration testing team will work with you to plan and carry out your required IT HealthCHECK. The risks and threats facing the integrity of the GCSx help to shape the content and process of the HealthCHECK itself. However, the exact details of what should be tested are not made available by Government Connect, which only provides an overview of the typical scope of an IT HealthCHECK.

Using our extensive experience of working with Government secure networks such as GCSx, GSx, GSi and GCJx, we start with a high level Risk Assessment to identify the threats where uncertainty exists and determine what areas of the network and boundaries should be tested, taking into consideration:

■ Attack from the GCSx itself

■ Attack from the Internet

■ Mobile data theft and loss

■ Attack from the internal user


We will then work with you to specify the Rules of Engagement and work out the scope definition.

Typically, testers would need the following information:

■ Overall network diagram showing security domains and network connections

■ Number and types of servers in each subnet/domain

■ An understanding of the physical locations that will need to be visited

■ Number of desktop/laptop/PDA/server builds to be reviewed

■ Any wireless components likely to be encountered

■ Any third party service providers with whom agreements will be needed

■ What policies are in place regarding use of USB ports

■ How do remote clients connect?

■ Is the application accessed via a browser or via a dedicated client?

■ Brief description of the application and some idea of the information being protected

■ How many user types/roles are there?

■ Which roles need testing?


In accordance with the GCSx minimum ITHC scope, our accredited consultants will carry out:

■ External gateway penetration testing

■ Network analysis - looking at exploitable switches, gateways and firewall rules

■ Vulnerability analysis

■ Patch levels

■ Passwords

■ Services used


This will include, but is not limited to:

■ Internal testing (LAN) - A LAN test is an extension of an internet perimeter penetration test, determining whether an attacker with physical access to the LAN could compromise the targets. We test in two high level scenarios: first by testing a large number of servers to a lesser degree, then by focusing our efforts against critical servers.

■ Remote access - We explore the security risks created by your employees’ remote and home working, e.g. laptop and PDA security (including Bluetooth testing), home and remote worker security, VPN security and access to remote servers.

■ Server build checking - Build testing is a method of ensuring that any system being built from new has the correct security configuration and administration settings for its environment and purpose. Build testing usually results in improvements to standard builds. We can supply build standard documents customised to your requirements, based on the results of the testing. We deal with most operating systems, e.g. Windows (2000 Professional, 2000 Server, XP, 2003 Server) and *NIX (AIX, HP-UX, Nokia, Solaris, SuSE).

■ Firewall rule review - Firewalls operate by acting on the commands they are given. These rulesets define how the firewall handles traffic, and therefore how effective it is. Generally, too much access is given to a particular system. A thorough analysis will provide a detailed report, stating exactly what access is granted, what is denied and, most importantly, what is logged and to where.

■ Laptop/PDA/Blackberry - We assess the risk presented by theft of a unit: in many cases the device stores offline copies of email. Even though PIN based authentication is required to access the device, a little ‘shoulder surfing’ on a train or in a coffee shop is enough to steal the credentials. We ask that a PIN is supplied in order that we can investigate email and content security. We also look at revocation procedures in the case of a theft.
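To illustrate the kind of analysis the firewall rule review above produces (what is granted, what is denied, what is logged), here is an added Python example that is not NCC Group's tooling and not part of the original brochure. It assumes a simplified, vendor-neutral rule export format (one rule per line, first match wins) and uses constructed, invented addresses; it parses the ruleset, summarises allow/deny/logging counts, flags over-broad allow rules and unlogged denies, and answers "which rule does this flow hit?" for a given source, destination and service.

```python
import ipaddress
from dataclasses import dataclass

ANY = "any"


@dataclass
class Rule:
    seq: int
    action: str   # "allow" or "deny"
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    proto: str    # "tcp", "udp", "icmp" or "any"
    port: str     # single port, "low-high" range, or "any"
    log: bool


# Constructed sample ruleset in a simplified, vendor-neutral export format
# (first match wins). Addresses and rules are invented for this example.
SAMPLE_RULESET = """
10 allow 10.20.0.0/16 10.1.1.5/32 tcp 443 log
20 allow any          10.1.1.7/32 tcp 25  nolog
30 allow 10.20.0.0/16 any         tcp any nolog
40 deny  any          any         any any nolog
"""


def parse_ruleset(text):
    """Parse one rule per line: seq action src dst proto port log|nolog."""
    rules = []
    for line in text.strip().splitlines():
        fields = line.split()
        if len(fields) != 7:
            raise ValueError(f"malformed rule: {line!r}")
        seq, action, src, dst, proto, port, log = fields
        if action not in ("allow", "deny") or log not in ("log", "nolog"):
            raise ValueError(f"malformed rule: {line!r}")
        rules.append(Rule(int(seq), action, src, dst, proto, port, log == "log"))
    return rules


def _addr_matches(cidr, ip):
    return cidr == ANY or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def _port_matches(spec, port):
    if spec == ANY:
        return True
    low, _, high = spec.partition("-")      # "443" or "1024-65535"
    return int(low) <= port <= int(high or low)


def first_match(rules, src_ip, dst_ip, proto, port):
    """Return the first rule the described flow hits (None if nothing matches)."""
    for r in rules:
        if (_addr_matches(r.src, src_ip) and _addr_matches(r.dst, dst_ip)
                and r.proto in (ANY, proto) and _port_matches(r.port, port)):
            return r
    return None


def review(rules):
    """Findings a reviewer would raise: over-broad allows, unlogged denies, no final deny-all."""
    findings = []
    for r in rules:
        wild = [name for name, value in (("source", r.src), ("destination", r.dst),
                                         ("service", r.port)) if value == ANY]
        if r.action == "allow" and wild:
            findings.append((r.seq, "broad-allow", "allow rule matches any " + "/".join(wild)))
        if r.action == "deny" and not r.log:
            findings.append((r.seq, "unlogged-deny", "denied traffic is not logged"))
    last = rules[-1] if rules else None
    if last is None or last.action != "deny" or last.src != ANY or last.dst != ANY:
        findings.append((None, "no-final-deny", "ruleset does not end in an explicit deny-all"))
    return findings


def summarise(rules):
    """Headline counts for the report: what is allowed, denied and logged."""
    return {
        "allow": sum(r.action == "allow" for r in rules),
        "deny": sum(r.action == "deny" for r in rules),
        "logged": sum(r.log for r in rules),
    }


if __name__ == "__main__":
    rules = parse_ruleset(SAMPLE_RULESET)
    print(summarise(rules))
    for seq, kind, msg in review(rules):
        print(f"rule {seq}: {kind}: {msg}")
    hit = first_match(rules, "10.20.5.5", "10.1.1.7", "tcp", 22)
    print(f"10.20.5.5 -> 10.1.1.7:22/tcp hits rule {hit.seq} ({hit.action}, logged={hit.log})")
```

Run against the constructed ruleset, the review flags rule 20 (any source) and rule 30 (any destination and any service) as over-broad, and rule 40 as a deny that is never logged. The flow query shows the practical effect: an SSH connection from the internal range to the mail server is permitted by rule 30 rather than denied, and nothing records it, which is exactly the "too much access, not enough logging" picture a rule review is meant to expose.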


Following the IT HealthCHECK you will receive a summary report with recommendations along with more comprehensive details so you can make well informed business decisions based on our findings.