Document: Security Assessment, Part 1 (docx)




With more than 1,500,000 copies of our MCSE, MCSD, CompTIA, and
Cisco study guides in print, we continue to look for ways we can better
serve the information needs of our readers. One way we do that is by
listening.
Readers like yourself have been telling us they want an Internet-based
service that would extend and enhance the value of our books. Based
on reader feedback and our own strategic plan, we have created a
Web site that we hope will exceed your expectations.
The site is an interactive treasure trove of useful information focusing on our book topics and related technologies.
The site offers the following features:

- One-year warranty against content obsolescence due to vendor product upgrades. You can access online updates for any affected chapters.
- "Ask the Author" customer query forms that enable you to post questions to our authors and editors.
- Exclusive monthly mailings in which our experts provide answers to reader queries and clear explanations of complex material.
- Regularly updated links to sites specially selected by our editors for readers desiring additional reliable information on key topics.
Best of all, the book you’re now holding is your key to this amazing
site. Just go to www.syngress.com/solutions, and keep this book
handy when you register to verify your purchase.
Thank you for giving us the opportunity to serve your needs. And be sure to let us know if there's anything else we can do to help you get the maximum value from your investment. We're listening.
www.syngress.com/solutions
286_NSA_IAM_FM.qxd 12/16/03 2:21 PM Page i
Security Assessment: Case Studies for Implementing the NSA IAM
Russ Rogers
Greg Miles
Ed Fuller
Ted Dykstra
Matthew Hoagberg
Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively "Makers") of this book ("the Work") do not guarantee or warrant the results to be obtained from the Work.

There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.

In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out of the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.

You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.
Syngress Media®, Syngress®, "Career Advancement Through Skill Enhancement®," "Ask the Author UPDATE®," and "Hack Proofing®," are registered trademarks of Syngress Publishing, Inc. "Syngress: The Definition of a Serious Security Library"™, "Mission Critical™," and "The Only Way to Stop a Hacker is to Think Like One™" are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.
KEY SERIAL NUMBER
001 FGH73IP1LM
002 59MVZC6H9Q
003 4XFQIP4MCX
004 GLEQ71P9NC
005 7JHJ8FWEX2
006 VBP9EFC6K9
007 TYN8MF3TYH
008 64YTFXSQ9P
009 H8K3BN4GTV
010 IYGTE37V6N
PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370
Security Assessment: Case Studies for Implementing the NSA IAM
Copyright © 2004 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.
Printed in the United States of America
1 2 3 4 5 6 7 8 9 0
ISBN: 1-932266-96-8
Acquisitions Editor: Catherine B. Nolan
Cover Designer: Michael Kavish
Page Layout and Art: Patricia Lupien
Copy Editor: Darlene Bordwell
Indexer: Nara Wood

Distributed by O’Reilly & Associates in the United States and Jaguar Book Group in Canada.
Acknowledgments
We would like to acknowledge the following people for their kindness and support in
making this book possible.
Syngress books are now distributed in the United States by O'Reilly & Associates, Inc. The enthusiasm and work ethic at ORA is incredible and we would like to thank everyone there for their time and efforts to bring Syngress books to market: Tim O'Reilly, Laura Baldwin, Mark Brokering, Mike Leonard, Donna Selenko, Bonnie Sheehan, Cindy Davis, Grant Kikkert, Opol Matsutaro, Lynn Schwartz, Steve Hazelwood, Mark Wilson, Rick Brown, Leslie Becker, Jill Lothrop, Tim Hinton, Kyle Hart, Sara Winge, C. J. Rayhill, Peter Pardo, Leslie Crandell, Valerie Dow, Regina Aggio, Pascal Honscher, Preston Paull, Susan Thompson, Bruce Stewart, Laura Schmier, Sue Willing, Mark Jacobsen and to all the others who work with us, but whose names we do not know (yet)!
The incredibly hard working team at Elsevier Science, including Jonathan Bunkell,
AnnHelen Lindeholm, Duncan Enright, David Burton, Rosanna Ramacciotti, Robert
Fairbrother, Miguel Sanchez, Klaus Beran, and Rosie Moss for making certain that our
vision remains worldwide in scope.
David Buckland, Wendi Wong, Daniel Loh, Marie Chieng, Lucy Chong, Leslie Lim,
Audrey Gan, and Joseph Chan of STP Distributors for the enthusiasm with which
they receive our books.
Kwon Sung June at Acorn Publishing for his support.
Jackie Gross, Gayle Voycey, Alexia Penny, Anik Robitaille, Craig Siddall, Darlene
Morrow, Iolanda Miller, Jane Mackay, and Marie Skelly at Jackie Gross & Associates for
all their help and enthusiasm representing our product in Canada.
Lois Fraser, Connie McMenemy, Shannon Russell, and the rest of the great folks at Jaguar
Book Group for their help with distribution of Syngress books in Canada.
David Scott, Tricia Wilden, Marilla Burgess, Annette Scott, Geoff Ebbs, Hedley Partis, Bec Lowe, and Mark Langley of Woodslane for distributing our books throughout Australia, New Zealand, Papua New Guinea, Fiji, Tonga, Solomon Islands, and the Cook Islands.
Winston Lim of Global Publishing for his help and support with distribution of Syngress
books in the Philippines.
A special thanks to all the folks at Malloy who have made things easy for us and especially to Beth Drake and Joe Upton.
Contributors
Greg Miles (CISSP, CISM, IAM) is a Co-Founder, President, and Principal Security Consultant for Security Horizon, Inc., a Colorado-based professional security services and training provider. Greg is a key contributor not only to Security Horizon's management, but also in the assessment, information security policy, and incident response areas. Greg is a United States Air Force Veteran and has served in military and contract support for the National Security Agency, Defense Information Systems Agency, Air Force Space Command, and NASA supporting worldwide security efforts. Greg has been a featured speaker at the Black Hat Briefings series of security conferences and APCO conferences and is a frequent contributor to "The Security Journal." Greg holds a bachelor's degree in electrical engineering from the University of Cincinnati, a master's degree in management from Central Michigan University, and a Ph.D. in engineering management from Kennedy-Western University. Greg is a member of the Information System Security Association (ISSA) and the Information System Audit and Control Association (ISACA).
Russ Rogers (CISSP, CISM, IAM) is a Co-Founder, Chief Executive Officer, Chief Technology Officer, and Principal Security Consultant for Security Horizon, Inc., a Colorado-based professional security services and training provider. Russ is a key contributor to Security Horizon's technology efforts and leads the technical security practice and the services business development efforts. Russ is a United States Air Force Veteran and has served in military and contract support for the National Security Agency and the Defense Information Systems Agency. Russ is also the editor-in-chief of "The Security Journal" and a staff member for the Black Hat Briefings series of security conferences. Russ holds a bachelor's degree in computer science from the University of Maryland and a master's degree in computer systems management, also from the University of Maryland. Russ is a member of the Information System Security Association (ISSA), the Information System Audit and Control Association (ISACA), and the Association of Certified Fraud Examiners. Russ was recently awarded The National Republican Congressional Committee's National Leadership Award for 2003.
Ed Fuller (CISSP, GSEC, IAM) is Senior Vice President and Principal Security Consultant for Security Horizon, Inc., a Colorado-based professional security services and training provider. Ed is the lead for Security Training and Assessments for Security Horizon's offerings. Ed is a retired United States Navy Veteran and was a key participant in the development of the Systems Security Engineering Capability Maturity Model (SSE-CMM). Ed has also been involved in the development of the Information Assurance Capability Maturity Model (IA-CMM). Ed serves as a Lead Instructor for the National Security Agency (NSA) Information Assurance Methodology (IAM) and has served in military and contract support for the National Security Agency and the Defense Information Systems Agency. Ed is a frequent contributor to "The Security Journal." Ed holds a bachelor's degree from the University of Maryland in information systems management and is a member of the Center for Information Security and the Information Systems Security Engineering Association.
Matthew Paul Hoagberg is a Security Consultant for Security Horizon, Inc., a Colorado-based professional security services and training provider. Matt contributes to the security training, assessments, and evaluations that Security Horizon offers. Matt's experience includes personnel management, business development, analysis, recruiting, and corporate training. He has been responsible for implementing a pilot 3-factor authentication effort for Security Horizon and managing the technical input for the project back to the vendor. Matt holds a bachelor's degree in psychology from Northwestern College and is a member of the Information System Security Association (ISSA).
Ted Dykstra (CISSP, CCNP, MCSE, IAM) is a Security Consultant for Security Horizon, Inc., a Colorado-based professional security services and training provider. Ted is a key contributor in the technical security efforts and service offerings for Security Horizon, and an instructor for the National Security Agency (NSA) Information Assurance Methodology (IAM). Ted's background is in both commercial and government support efforts, focusing on secure architecture development and deployment, INFOSEC assessments and audits, as well as attack and penetration testing. His areas of specialty are Cisco networking products, Check Point and Symantec Enterprise Security Products, Sun Solaris, Microsoft, and Linux systems. Ted is a regular contributor to "The Security Journal," as well as a member of the Information System Security Association (ISSA) and a leading supporter of the Colorado Springs, Colorado technical security group: dc719.
Contents
Introduction xxv
Chapter 1 Laying the Foundation for Your Assessment 1
Introduction 2
Determining Contract Requirements 3
What Does the Customer Expect? 4
Customer Definition of an Assessment 4
Sources for Assessment Work 7
Contract Composition 7
What Does the Work Call For? 11
What Are the Timelines? 16
Understand the Pricing Options 18
Understanding Scoping Pitfalls 20
Common Areas of Concern 21
Customer Concerns 21
Customer Constraints 21
“Scope Creep” and Timelines 22
Uneducated Salespeople 23
Bad Assumptions 24
Poorly Written Contracts 25
Staffing Your Project 27
Job Requirements 27
Networking and Operating Systems 27
Hardware Knowledge 28
Picking the Right People 28
Adequately Understanding Customer Expectations 30
The Power of Expectations 30
What Does the Customer Expect for Delivery? 30
Adjusting Customer Expectations 30