Security Audit

1
Security Audit
2
Security Audit

• Controls
• Security logs
• Risk assessment

3
Steps in Audit

• Starts with policies and procedures in place
• Initially the policy is treated as threat and
  audit focuses on how people and systems address
  the threat
• Interview employees and administrators
• Evaluate technical aspects for security
• Review all data logs

4
What to look for in audit?

• Are passwords difficult to crack?
• Are there access control lists (ACLs) in place on
  network devices to control who has access to
  shared data?
• Are there audit logs to record who accesses data?
  
• Are the audit logs reviewed?
• Are the security settings for operating systems
  in accordance with accepted industry security
  practices?
• Have all unnecessary applications and computer
  services been eliminated for each system?
• Are these operating systems and commercial
  applications patched to current levels?
• How is backup media stored? Who has access to it?
  Is it up-to-date?
• Is there a disaster recovery plan? Have the
  participants and stakeholders ever rehearsed the
  disaster recovery plan?

5
What to look for in audit?

• Are there adequate cryptographic tools in place
  to govern data encryption, and have these tools
  been properly configured?
• Have custom-built applications been written with
  security in mind?
• How have these custom applications been tested
  for security flaws?
• How are configuration and code changes documented
  at every level? How are these records reviewed
  and who conducts the review?

6
Why do security audit?

• Assess compliance aspects of policy
• Assess risk
• Assess level of security
• Evaluate security incident response

7
Items to check in an audit
Source See references
8
Security Tools
9
Audit components

• Preparation 10
• Reviewing Policy/Docs 10
• Talking/Interviewing 10
• Technical Investigation 15
• Reviewing Data 20
• Writing Up 20
• Report Presentation 5
• Post Audit Actions 10
• Source Tech Support Alert website (see
  references)

10
Audit Process

• Security audit team reports directly to CEO or
  the Board of Directors
• Types of security audits
• Firewall (every 6 months)
• Network (every year)

11
Auditors

• Usually third party companies specializing in
  security audit
• For internal audit, people with necessary
  security access privileges
• Technical expertise is a must

12
References

• Security Audit http//www.porcupine.org/auditing/
• Security Audit http//www.securityfocus.com/infocu
  s/1697
• How to perform security audit? http//www.techsupp
  ortalert.com/search/t04123.pdf
• Site Security Handbook. RFC 2196

13
References

• packetstorm.security.com
• PacketStorm Security is a very good source of the
  latest security issues.
• www.rootshell.com
• Rootshell is another source of security issue
  information. This site hasnt been updated in a
  while - however, the information provided is
  useful.
• www.l0pht.com
• L0pht is a Black Hat group that performs
  testing of commonly used tools for security
  issues. L0pht also produces a number of useful
  tools for testing system security.

14
References

• www.securityfocus.com
• Bugtraq is a mailing list for the discussion and
  announcement of computer security
  vulnerabilities. Details of how to subscribe and
  archive for the mailing list can be found at the
  above website
• www.ntbugtraq.com
• NTBugtraq is the Windows platform version of the
  Bugtraq mailing list
• www.ciac.org/ciac
• CIAC (Computer Incident Advisory Capability)
  provides tools and advisory information.

15
References

• www.cs.purdue.edu/coast/coast.html
• COAST (Computer Operations, Audit and Security
  Technology) is a research project into computer
  security at the Computer Sciences Department at
  Purdue University. COAST also boasts a large
  catalog of security and audit-related
  applications in their ftp archive.
• Security audit http//www.insecure.org/nmap