ACP 122 (F) - Multilateral Planners Conference
ACP 122 (F) - Multilateral Planners Conference
ACP 122 (F) - Multilateral Planners Conference
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
UNCLASSIFIED<br />
<strong>ACP</strong> <strong>122</strong>(F)<br />
VA ACTIVITY LEVELS<br />
606. Within the CCEB context, VA activities are categorised into four incremental levels of<br />
effort:<br />
a. VA Level 1 – Primary Investigation. Identify and validate all system and<br />
connected network elements, analyse topology and locate obvious vulnerabilities<br />
and/or initial entry points;<br />
b. VA Level 2 - Vulnerability Sweep. Exploit vulnerabilities discovered during VA<br />
Level 1, gaining basic access to accounts, and attempt to crack passwords;<br />
c. VA Level 3 - Security Sweep. Exploit vulnerabilities for greater access, exploit<br />
trusted relationships, exploit new vulnerabilities; and<br />
d. VA Level 4 – Stress Testing. Test the system to ensure resilience to denial of<br />
service (DoS) attacks. VA4 must be authorised by the Security Authority (SA), in<br />
consultation with the operational and business sponsors, and will normally only be<br />
appropriate for Mission Critical systems.<br />
ACTIVE VULNERABILITY ASSESSMENT<br />
607. In addition to vulnerability analysis to identify and correct CIS vulnerabilities, there is<br />
also a requirement to provide an independent capability to assess vulnerabilities and improve<br />
defences.<br />
608. The main aim of the assessment is to help system administrators and ISSOs ensure the<br />
security of their networks. It may involve penetration testing and instruction of relevant staff on<br />
how to recognise CIS events and determine the appropriate actions required to respond to those<br />
events. To ensure the validity of these assessments, it may be desirable to exclude system<br />
administrators and ISSOs from prior knowledge of the exercise.<br />
609. Each nation will conduct the assessment on their own systems in accordance with their<br />
own national policies and procedures and undertake to remediate any detected vulnerabilities as<br />
soon as practicable.<br />
610. In the multinational environment, assessments may be conducted at the request of the<br />
operational authority for the multinational environment. Policies and procedures with respect to<br />
VA in multinational environments will be delineated in the applicable System Security Policy<br />
(SSP).<br />
VULNERABILITY ASSESSMENT<br />
611. Vulnerability assessment shall not be limited to technical vulnerability analysis.<br />
Vulnerability assessment shall be part of an operational evaluation of a unit/formation and<br />
should include (but not be limited to):<br />
6-5 Original<br />
UNCLASSIFIED<br />
(Reverse Blank)