As much as I would like to say that a single formulaic process could solve all auditing needs, there are other factors that must also be considered. The process discussed in the previous section simplifies 90% of the audit work and gives us accurate, consistent, and measurable results that can be obtained without a great deal of security experience. Some organizations have based their entire audit methodology on this type of process, since it provides the greatest impact and requires the fewest security resources. After this process is completed, however, it is important to look at the aspects of security beyond the objects. What we need to do is examine the organization as a whole, in light of the rules of security. This next part of an audit cannot be placed into any linear formula. I can, however, guide you through some recommended processes and provide key areas for organizations to consider. It is advised that these processes be completed by someone with a good deal of security expertise. Organizations that do not have the proper expertise should look to outside consultants for assistance.

Perimeter Architecture Audit

Before conducting a perimeter audit, be sure you are familiar with the concepts presented in the section titled Perimeter Defenses in Chapter 11, Practical Security Assessments, and the section in Chapter 5, Developing a Higher Security Mind, titled Thinking in Zones. Examine your perimeter and how access flows to and from all parties. Look at how services are accessed in both directions and determine whether the current architecture corresponds to the most secure zoning architecture possible. Also look closely at the rules highlighted in the section titled Perimeter Defenses to see if your organization's perimeter is adhering to them. When looking at the perimeter, be sure to test all externally accessible devices for vulnerabilities. This normally includes routers, firewalls, and externally accessible services such as DNS, email, the Web, and others. Run vulnerability scans from an external address and see how much you can access and learn about the environment. Look at the results and think back to the Rule of Least Privilege, comparing what can be seen and accessed with what really needs to be seen and accessed. Also, be sure to examine the rules applied at the firewall and other perimeter security devices to make sure they adhere to the Rule of Least Privilege, that there are no weaknesses, and that they are up to date. It is often helpful when performing a perimeter assessment to run through each rule of security and compare it against your perimeter architecture. Look to each concept to ensure you are creating stillness, working in layers, and following the other concepts of a security mind. It will be quite useful when evaluating the perimeter to look for weaknesses commonly found in other organizations. I have included a list of these weaknesses in Appendix C.

Internal Architecture Security Audit

Before conducting an internal audit, be sure you are familiar with the concepts in the upcoming section titled Internal Defenses in Chapter 11, as well as the rules of security described in Chapter 4, The Eight Rules of Security (Components of All Security Decisions). The world of internal security can be immense, and the higher practices are going to be the best guide. Check on the change management process, emergency response mechanisms, separation of services and responsibilities, and three-fold processes, and always be on the lookout for the weakest link. We have already performed a tactical assessment and a vulnerability scan of the internal network, which will be of great help. A good approach for taking the internal audit further is to think of yourself as a hacker on the internal network. See what level of access you can obtain, and to what degree you can affect the operations of the internal environment. While you perform such tasks, check to see which access attempts show up in your logging and monitoring processes. Also, be sure to consider tactics like social engineering. Again, it is helpful when evaluating internal security to look for weaknesses commonly found in other organizations. I have included a list of these weaknesses in Appendix C.

Auditing Applications

Auditing applications and their implementation within the organization is a key component of performing an internal audit. This does not mean that we are auditing the internal structure of an application, or its code. Rather, we are auditing the application's ability to conform to security policies, and whether or not local implementations are in compliance. Application security audits usually come down to three primary checks:

Auditing Administration

Part of ensuring that security policies are being enforced is to perform an audit of system administration practices within the organization. Administrators, help desk staff, and other IT personnel are commonly charged with the distribution and management of user accounts, as well as the building, maintaining, and monitoring of workstations and servers. With this in mind, it is easy to see how many security practices are left in the hands of these individuals. To audit administration is to audit the common tasks performed within the organization. An administration audit can include: