Specifications include, but are not limited to:

1. External Vulnerability Assessment
   a. Conduct port scanning of all externally accessible IP addresses
   b. Attempt password cracking at any externally accessible application entry points
   c. Initial work should utilize a “black box” approach

2. Internal Vulnerability Assessment
   a. Conduct a network survey
   b. Evaluate security of host machines, servers, etc. on the internal networks
   c. Identify unapplied patches
   d. Identify configurations that may present organizational vulnerabilities

3. Web-Based Application Vulnerability Assessment
   a. Review all web-based financial applications for internal and external access controls
   b. Identify any administrative access capabilities outside the defined accesses intended for web-based application support/administration