Analytical Audit Measures

As much as I would like to say that a single formulaic process could solve all auditing needs, there are other factors that must also be considered. The process discussed in the previous section simplifies 90% of the audit work and gives us accurate, consistent, and measurable results that can be obtained without a great deal of security experience. Some organizations have based their entire audit methodology on this type of process since it provides the greatest impact and requires the fewest security resources. After this process is completed, however, it is important to take a look at the aspects of security beyond the objects. What we need to do is examine the organization as a whole, in light of the rules of security.

This next part of an audit cannot be placed into any linear formula. I can, however, guide you through some recommended processes and provide key areas for organizations to consider. It is advised that these processes be completed by someone with a good deal of security expertise. Organizations that do not have the proper expertise should look to outside consultants for assistance.

Perimeter Architecture Audit

Before conducting a perimeter audit, be sure you are familiar with the concepts presented in the section titled "Perimeter Defenses" in Chapter 11, "Practical Security Assessments," and the section in Chapter 5, "Developing a Higher Security Mind," titled "Thinking in Zones." Examine your perimeter and how access flows to and from all parties. Look at how services are accessed in both directions and determine if the current architecture corresponds to the most secure zoning architecture possible. Also look closely at the rules highlighted in the section titled "Perimeter Defenses" to see if your organization's perimeter is adhering to them.

When looking at the perimeter, be sure to test all externally accessible devices for vulnerabilities. This normally will include routers, firewalls, and externally accessible services such as DNS, email, the Web, and others. Run vulnerability scans from an external address and see how much you can access and learn about the environment. Look at the results and think back to the Rule of Least Privilege, comparing what can be seen and accessed to what is really required to be seen and accessed. Also, be sure to examine the rules applied at the firewall and other perimeter security devices to make sure they adhere to the Rule of Least Privilege, that there are no weaknesses, and that they are up-to-date.

It is often helpful when performing a perimeter assessment to run through each rule of security and compare it against your perimeter architecture. Look to each concept to ensure you are creating stillness, working in layers, and following the other concepts of a security mind. It will be quite useful when evaluating the perimeter to look for weaknesses commonly found in other organizations. I have included a list of these weaknesses in Appendix C.

Internal Architecture Security Audit

Before conducting an internal audit, be sure you are familiar with the concepts in the upcoming section titled "Internal Defenses" in Chapter 11, as well as the rules of security described in Chapter 4, "The Eight Rules of Security (Components of All Security Decisions)." The world of internal security can be immense, and the higher practices are going to be the best guide. Check on the change management process, emergency response mechanisms, separation of services and responsibilities, and three-fold processes, and always be on the lookout for the weakest link.

We have already performed a tactical assessment and a vulnerability scan of the internal network, which will be of great help. A good approach for taking the internal audit further is to think of yourself as a hacker on the internal network. See what level of access you can obtain, and to what degree you can affect the operations of the internal environment. While you perform such tasks, check to see which attempts for access show up in your logging and monitoring processes. Also, be sure to consider tactics like social engineering.

Again, it is helpful when evaluating internal security to look for weaknesses commonly found in other organizations. I have included a list of these weaknesses in Appendix C.

Auditing Applications

Auditing applications and their implementation within the organization is a key component of performing an internal audit. This does not mean that we are auditing the internal structure of an application, or its code. Rather, we are auditing the application's ability to conform to security policies, and whether or not local implementations are in compliance. Application security audits usually come down to three primary checks:

  • Compliance with the Rule of Least Privilege: Applications that provide access to services or data should be secured against unauthorized access. Applications should be configured to enforce the Rule of Least Privilege, allowing access to those that require it and can handle it. Where appropriate, applications should include authentication and authorization mechanisms as well as any other applicable means of limiting access. Applications should also have some defensive mechanisms to help enforce this rule. Common mechanisms to check for include:

    • Account locking due to excessive violations

    • Access violation logging and monitoring

    • Password administration:

      • Minimum password lengths

      • Aging passwords

      • Password sanity checking (for simple passwords)

  • Compliance with the Rule of the Three-Fold Process: Major applications should be continually maintained to ensure security patches and updates are implemented. Check to see if the vendor is keeping on top of security patches and if administrators are applying them. Applications should also include some form of logging and monitoring capabilities for security-related events. See what forms of logging have been enabled, and how the local staff goes about monitoring them.

  • Consideration of zones: Earlier, we discussed several possible zoning scenarios, ranging from the weakest to the strongest level of protection. An application should conform to the most secure zoning scenario possible for its functionality. Frequently, vital applications that are accessible from external entities should store sensitive data on a separate, protected server. Many times, the different zones on applications are definable by the end-user, who chooses where specific data and services should exist. Look to your own implementations of these applications and make sure they reflect the best possible zoning practices.

Auditing Administration

Part of ensuring that security policies are being enforced is to perform an audit of system administration practices within the organization. Administrators, help desk staff, and other IT personnel are commonly charged with the distribution and management of user accounts, as well as the building, maintaining, and monitoring of workstations and servers. With this in mind, it is easy to see how many security practices are left in the hands of these individuals.

To audit administration is to audit the common tasks performed within the organization. An administration audit can include:

  • Interviewing administrators to see if their procedures conform to the security policy. This is especially important with the processes of creating new accounts, modifying access privileges, and resetting passwords.

  • Checking for system-based password management policies (during the hands-on process).

  • Checking for easily cracked passwords and those that do not conform to policy (during the hands-on assessment).

  • Checking the process by which administrative logs are monitored and reviewed.

  • Checking for unhardened systems and those that are not regularly maintained.
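To make the password-administration controls listed under Auditing Applications and the hands-on password policy checks above concrete, here is an added example that is not from the book: a small Python audit that reads a constructed INI-style settings file from a hypothetical application and reports which of the listed mechanisms (account locking, access violation logging, minimum length, aging, simple-password sanity checking) it fails to enforce. The policy thresholds, setting names and common-password list are assumed values for illustration.

```python
import configparser

# Assumed policy thresholds (example values, not the book's); use your own.
POLICY = {"min_length": 12, "max_age_days": 90, "lockout_threshold": 5}

# Constructed settings of a hypothetical application, as collected in the audit.
SAMPLE_CONFIG = """\
[auth]
lockout_threshold = 0
log_access_violations = false
min_password_length = 6
password_max_age_days = 0
reject_simple_passwords = true
"""

# Constructed list of trivially guessable passwords for the sanity check.
COMMON_PASSWORDS = {"password", "welcome", "letmein", "qwerty", "123456"}


def audit_auth_settings(config_text, policy=POLICY):
    """Return one finding per listed control the settings fail to enforce."""
    cfg = configparser.ConfigParser()
    cfg.read_string(config_text)
    auth = cfg["auth"]
    findings = []
    lockout = auth.getint("lockout_threshold", fallback=0)  # 0 disables locking
    if not 1 <= lockout <= policy["lockout_threshold"]:
        findings.append(f"account lockout threshold {lockout} violates policy")
    if not auth.getboolean("log_access_violations", fallback=False):
        findings.append("access violation logging is disabled")
    if auth.getint("min_password_length", fallback=0) < policy["min_length"]:
        findings.append("minimum password length is below policy")
    max_age = auth.getint("password_max_age_days", fallback=0)  # 0 never expires
    if not 1 <= max_age <= policy["max_age_days"]:
        findings.append(f"password aging of {max_age} days violates policy")
    if not auth.getboolean("reject_simple_passwords", fallback=False):
        findings.append("simple-password sanity checking is disabled")
    return findings


def is_simple_password(password, username, min_length=POLICY["min_length"]):
    """Sanity check a candidate: too short, common word, contains username, one class."""
    lowered = password.lower()
    return (
        len(password) < min_length
        or lowered in COMMON_PASSWORDS
        or (username and username.lower() in lowered)
        or password.isdigit() or password.isalpha()
    )
```

Running audit_auth_settings on the sample produces four findings; only the simple-password check passes.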


Inside the Security Mind: Making the Tough Decisions
ISBN: 0131118293
Year: 2006
Pages: 119
Authors: Kevin Day