The only real material about IAM (beyond the public slides used to teach the classes appears in Security Assessment: Case Studies for Implementing the NSA IAM by Russ Rogers, Greg Miles, Ed Fuller, Ted Dykstra. The Syngress sample chapter nicely summarizes the IAM purpose and compares it to alternatives.
The National Security Agency (NSA) Information Security (INFOSEC) Assessment Methodology (IAM) is a detailed and systematic method for examining security vulnerabilities from an organizational perspective as opposed to a only a technical perspective. Often overlooked are the processes, procedures, documentation, and informal activities that directly impact an organization’s overall security posture but that might not necessarily be technical in nature. The IAM was developed by experienced NSA and commercial INFOSEC assessors and has been in practice within the U.S. government since 1997. It was made available commercially in 2001.
NSA developed the IAM to give organizations that provide INFOSEC assessments a repeatable framework for conducting organizational types of assessments as well as provide assessment consumers appropriate information on what to look for in an assessment provider. The IAM is also intended to raise awareness of the need for organizational types of assessment versus the purely technical type of assessment. In addition to assisting the government and private sectors, an important result of supplying baseline standards for INFOSEC assessments is fostering a commitment to improve an organization’s security posture.
The following chart from the sample chapter explains how NSA differentiates security activities:
So what are the general steps proposed by NSA IAM? There are three general phases:
- Determine and manage the customer’s expectations
- Gain an understanding of the organization’s information criticality
- Determine customer’s goals and objectives
- Determine the system boundaries
- Coordinate with customer
- Request documentation
- Conduct opening meeting
- Gather and validate system information (via interview, system demonstration, and document review)
- Analyze assessment information
- Develop initial recommendations
- Present out-brief
- Additional review of documentation
- Additional expertise (get help understanding what you learned)
- Report coordination (and writing)
NSA IAM emphasizes creating a Technical Assessment Plan (TAP) which includes the following:
- Point of Contact
- Organizational Information Criticality
- System Information Criticality
- Customer Concerns and Constraints
- System Configuration
- Timeline of Events
In brief, the NSA IAM is a giant interview, demonstration, and documentation review that preceeds any kind of technical review. The IAM spends a good chunk of time determining Organizational Information Criticality and System Information Criticality via brainstorming and customer interviews. The idea is to narrow the scope of the assessment to something that customers care about. IAM (and IEM) sources clearly point out that their methodologies are not audits, inspections, or risk assessments. One of the course slides provides this (sort of) summary:
That's the IAM. What is the IEM [INFOSEC Evaluation Methodology]? Again, the best resource is a Syngress book -- Network Security Evaluation Using the NSA IEM by Russ Rogers, Ed Fuller, Greg Miles, Matthew Hoagberg, Travis Schack, Chuck Little, Ted Dykstra, and Bryan Cunningham. Quoting from the first chapter:
The IEM is a follow-on methodology to the NSA IAM. It provides the technical evaluation processes that were intentionally missing from the IAM. The IEM is a hands-on methodology, meaning you'll be actively interacting with the customer's technical environment. As such, the NSA intended for the IAM and IEM processes to work hand in hand...
Whereas the IAM provides us with an understanding of organizational security as it relates to policies and procedures, the IEM offers a comprehensive look into the actual technical security at the organization.
The IEM is divided into phases as well:
- Pre-Evaluation Phase
- Pull information from IAM Pre-Assessment
- Coordination with the customer to determine acceptable Rules of Engagement (ROE)
- Give the team an understanding of the perceived system components
- Define customer expectations
- Define customer constraints or concerns
- Legal Requirements
- Develop the Technical Evaluation Plan (TEP)
- Evaluation In-Brief
- Tool Introduction and System Evaluation
- Port Scanning
- SNMP Scanning
- Enumeration & Banner Grabbing
- Wireless Enumeration
- Vulnerability Scanning
- Host Evaluation
- Network Device Analysis
- Password Compliance Testing
- Application Specific Scanning
- Network Sniffing
- Evaluation Out Brief
- Analyze the evaluation raw data
- Conduct additional vulnerability research
- If necessary, seek additional expertise
- Develop recommendations
- Coordinate final report authoring with team members
- Deliver final report to customer
Like the IAM's TAP, the IEM directs creation of a Technical Evaluation Plan, or TEP:
- Points of Contact
- Methodology Overview
- Purpose of the IEM
- Description of the IEM
- Evaluation Tools to Be Used
- Level of Detail of Recommendations
- List of Agreed-On Deliverables
- The Coordination Agreements Section: A Catchall
There's more to the IEM but those are the parts I want to have available for personal reference.
The following shows how the IAM and IEM can work together.
Is this rocket science? Of course not. Are the 10 "evaluation" activities naive and incomplete? Yes. The idea is you can build on this sort of methodology with your own approaches. I actually liked the IAM class and the structure of the IEM TEP, but I found the IEM class itself laughable.
If you want more details on really conducting evaluations, then a review of the latest Open Source Security Testing Methodology Manual (OSSTMM) is probably worthwhile.