120 - How to conduct a security audit

Vufuk - Justin Kapp

Le téléchargement nécessite un accès à la bibliothèque YouScribe
Tout savoir sur nos offres

7 pages

English

Le téléchargement nécessite un accès à la bibliothèque YouScribe
Tout savoir sur nos offres

A propos
Informations
Extrait

Description

Informations

Publié par	Vufuk
Nombre de lectures	29
Langue	English

Extrait

Tutorial:Overview
How To Conduct A
Security Audit
Information security encompasses more than just IT systems - people who use the systems
can also inadvertently open security loopholes. A security audit aims to detect and highlight
any problem areas within the IT infrastructure and staff behaviours.
By Justin Kapp
efore you can assess what you rity audit comprises a number of pertise and ability to communicate the
are securing or about to audit it stages, summarised in Figure 1. These findings of the audit.Bis important to understand stages will be covered in more detail It is also important that the auditor
what it is you are protecting. Your final later. has an understanding of the organisa-
goal is to have your information se- You can choose to focus the audit on tion under review. When auditing sys-
cured and to minimise the risk of los- different areas, such as the firewall, tems that hold data which requires
ing this information. host or network. However, a security security clearance from government,
Firstly we should define what infor- audit will address issues with your IT then the auditor must have the re-
mation security is. Information is an systems, including software and hard- quired clearances in order to access the
asset; like other important business as- ware, your infrastructure (such as systems holding the data.
sets it has a value to an organisation mains power, telecomms), your proce- When you perform a security audit
and consequently it needs to be pro- dures and business processes and your it is important to look beyond the IT
tected. Information security protects people. systems and consider also the human
this business asset from a wide range Information is key. Once the audit interface to your IT. Your IT system
of threats in order to preserve business has been completed you will have in- may be perfectly secure, but your users
continuity, maximise return on invest- formation on the compliance level of may be involved in practices that com-
ment and reduce damage to business. the users and systems under your con- promise the security of the IT systems
Information exists in many forms. It trol, with an idea of the risk exposure in place.
can be printed or written on paper, and security level of these systems. As a result any audit must attempt
stored electronically, transmitted by You will also have an idea of the po- to identify all the possible risks. Your
post or email. Whatever form the in- tential damage that could occur if the IT systems are at risk from compro-
formation takes and however it is worst came to the worst - this enables mise from a number of sources, includ-
stored, it’s important to protect it ap- you to plan and develop a strategy to ing poorly-managed or badly-con-
propriately. ensure minimal damage. figured systems, internal users, exter-
Information security is charac- You can choose to carry out an audit nal users and external attackers (some-
terised as the preservation of confiden- internally or to use an external contrac- times known as crackers or hackers).
tiality, integrity and availability of the tor. Whoever carries out the audit Even authorised system users can
information under your control. Infor- should have the relevant technical ex- be the source of a security breach, so
mation security is achieved by imple-
menting a suitable set of controls -
policies, practices, procedures, organ-
isational structures and software func- “When performing your audit you
tions. Information security is not just
about your IT measures but also about will use any security policy that your
the human interface to the information.
organisation has as a basis for the work
The Security Audit you are undertaking. You need to treat
A security audit is a policy-based
assessment of the procedures and the policy initially as a threat.”
practices of a site, assessing the level of
risk created by these actions. A secu-
PC Network AdvisorIssue 120 (July 2000) Page 3 File: T04123.1
www.itp-journals.coml
l
l
l
l
l
l
Tutorial:Overview
identifying possible lapses that could of attack for the audit of the IT systems. You must decide which platform to
allow this is just as important as pre- During the audit you may need to re- use for your audit. The best choice will
venting external attack. strict access to some of the systems have a high level of security. It should
under test; these tests should be per- not run any network services, and
formed out of business hours to mini- should be configured as if the machineRisk Analysis
mise impact on day-to-day operations. was to be used as a firewall or other
During the audit you will need to You will also need to schedule time form of secure host. Another impor-
understand a little about Risk Analysis with a selection of staff members to tant factor is that physical access is
and Risk Management - a security assess how they operate within the se- required to use the machine.
audit is all about assessing the risks of curity policy. You need to prepare a The ideal hardware platform is a
loss,compromiseordamagetoinfor- series of questions to use during the notebook computer, with a good dis-
mation. discussions with staff members. play, 64 MB of RAM and a large hard
Risk analysis is the process of iden- Before you begin you need to verify disk (4 GB plus). It is also important to
tifying and assessing the risk of some- your audit tools and environment. have network connectivity (usually
thing happening. Space does not allow This includes the golden rule of all via a PC Card); in order to provide
us to cover risk management and security auditing - you must verify filtering and logging, in fact, it is useful
analysis in detail, but its principles are that all tools used for the audit are to have more than one network con-
summarised here: untampered with; if the results of the nection. There are many brands of
auditing tools cannot be trusted, the notebook available which would fit
The establishment of mechanisms audit is useless. the bill - for instance, the HP Omni-
to keep risks under review and to You many suffer from a “chicken book 4150. Sometimes discreet moni-
make sure they are being addressed andegg”problemwhenitcomesto toring may be required, so machines
A means of identifying the poten- verifying your audit tools. In order to such as the sub-notebook, which can
tial risks to the business verify your audit tools you need to use easily be hidden, are often useful.
An assessment of the likelihood of the audit tools. So how do you estab- On the audit platform a suitable op-
each risk materialising lish the trust in your audit tools? You erating system (OS) should be chosen.
An assessment of the probable im- could write them yourself or find a The operating system considered
pact of each risk trusted source such as a person or com- should be able to be secured, have suit-
The formulation of measures to pany. The easiest solution is to use a able audit tools available, have various
avoid each risk occurring tool such as md5sum to create a check- development tools available such as
The development and deployment sum of the file, which can be used to Perl and a C/C++ compiler. It is also a
of fallback measures to mitigate the verify the tool later - or to use a digital large advantage to have the OS source
risks if avoidance actions fail signature of the tool created with PGP. code to prove the security of the oper-
The determination of the urgency ating system. Another important fea-
of the risk and of taking appropri- ture for the audit platform operatingWhat Tools?
ate counter measures. system is that, once put into a network
Over the last few years a number of to be audited, the operating system
It is recommended that those who tools have been developed to aid the doesn’t alter the normal operation of
will be carrying out the security audit system administrator. These tools run the environment to be tested.
familiarise themselves further with on a number of platforms including If you are choosing a Unix, then you
risk management and analysis theory Win32 (Windows NT/9x), Linux, So- have a number of choices including
before commencing. laris and FreeBSD. There are a number Linux, FreeBSD, Solaris and SunOS.
of types of tool - those that detect Choosing the right one depends on the
changes in system configuration, tools hardware you are planning to use andPreparation
that test for known security issues and
During your preparation for the a class of tools that are used to monitor
audit you have to decide how you are systems in real time, such as network Stage % Of Total Time
going to bias your audit. You need to sniffers.
Preparation 10decide in what depth you are going to Figure 2 shows a small selection of
Reviewing Policy/Docs 10audit the systems. the audit tools that are available today.
Talking/Interviewing 10IT systems comprise a number of Tools that run on Windows platforms
Technical Investigation 15components, including hosts, servers, tend to be commercial in nature. A
Reviewing Data 20firewalls and the network; you must large number of the tools available for
Writing Up 20decide how deep you plan to delve the various types on Unix are non-
Report Presentation 5
into each of these components. Some commercial and can be obtained at no
Post Audit Actions 10
systems, by their nature, require a charge from the Internet. Unix tools
greater level of scrutiny to determine are