Chapter 13: Auditing: Performing a Security Review

Overview

So you have read the first 12 chapters and have implemented the changes on your network. You fought political battles over your security policy, fought technical battles trying to configure your equipment in a manner that hardens your network, and are thinking, Boy, am I glad that is done. Unfortunately, I have some bad news for you you aren t done. In fact, truth be told, you will never be done with the systematic hardening process on your network.

Remember when I said that your security policy needs to be updated and reviewed periodically? This is where that comes into play. We are going to take a look in Chapter 13 at how you should review not only your security policy but your overall security posture . We will also look at how you should go about auditing your networks and discuss some tools and options available to assist you in this endeavor.

One of the nice things about security is that as soon as you have finished hardening your systems and protecting your resources, they aren t protected anymore. What s that you say? Did Wes just lead me in an exercise in futility? Well, not quite. The problem is that new exploits and threats are constantly being developed for your network equipment. This means that you can t update your systems once and expect them to be protected. Instead, you have to have a policy and procedure in place for patching and upgrading systems both to address security issues and to simply upgrade or enhance functionality. So now that you have the bad news ”that you will have to periodically change, update, and upgrade your systems as part of the systematic hardening process ”we need to take a look at how you can safely plan and execute those changes. This is where Chapter 14 comes into play. Chapter 14 will look at how to implement a patch and upgrade policy including defining a change control policy that allows you to update your systems without outdating your documentation, policies, and procedures.

If you recall, in Chapter 2 I stated that it should become habit for you to design and implement technologies and processes on your network using the guidelines defined in your security policy. Reviewing your security policy and posture is a part of those habits.

The threats that exist against your network infrastructure are constantly changing and evolving. As a result, your security policy and posture must change and evolve to account for those new and different threats. At the same time, you have to ensure that your security policy is functioning as intended and providing the kind of protection you expect from it. From policies that aren t being followed to policies that don t adequately address their security issues, you have to verify that your overall security policy addresses the threats it was intended to address.

One of the most effective methods to ensure that your security policy is performing as expected and that new threats are being adequately addressed is to implement an audit policy. A good audit policy will cover a spectrum of issues, including verifying technical, procedural, functional, and personnel issues to ensure that your security policy and posture are functioning as intended. This chapter covers the following aspects of security policy and posture review:

• Reviewing your security policy

• Reviewing your security posture

• Auditing your environment