The word "audit" can send shivers down the spine of the most battle-hardened executive. It means that an outside organization is going to conduct a formal written examination of one or more crucial components of the organization. Financial audits are the most common examinations a business manager encounters. This is a familiar area for most executives: they know that financial auditors are going to examine the financial records and how those records are used. They may even be familiar with physical security audits. However, they are unlikely to be acquainted with information security audits; that is, an audit of how the confidentiality, availability and integrity of an organization's information is assured. They should be. An information security audit is one of the best ways to determine the security of an organization's information without incurring the cost and other associated damages of a security incident.
What is a Security Audit?
You may see the phrase "penetration test" used interchangeably with the phrase "computer security audit". They are not the same thing. A penetration test (also known as a pen-test) is a very narrowly focused attempt to look for security holes in a critical resource, such as a firewall or Web server. Penetration testers may only be looking at one service on a network resource. They usually operate from outside the firewall with minimal inside information in order to more realistically simulate the means by which a hacker would attack the site.
On the other hand, a computer security audit is a systematic, measurable technical assessment of how the organization's security policy is employed at a specific site. Computer security auditors work with the full knowledge of the organization, at times with considerable inside information, in order to understand the resources to be audited.
Security audits do not take place in a vacuum; they are part of the on-going process of defining and maintaining effective security policies. This is not just a conference room activity. It involves everyone who uses any computer resources throughout the organization. Given the dynamic nature of computer configurations and information storage, some managers may wonder if there is truly any way to check the security ledgers, so to speak. Security audits provide such a tool, a fair and measurable way to examine how secure a site really is.
Computer security auditors perform their work though personal interviews, vulnerability scans, examination of operating system settings, analyses of network shares, and historical data. They are concerned primarily with how security policies - the foundation of any effective organizational security strategy - are actually used. There are a number of key questions that security audits should attempt to answer:
- Are passwords difficult to crack?
- Are there access control lists (ACLs) in place on network devices to control who has access to shared data?
- Are there audit logs to record who accesses data?
- Are the audit logs reviewed?
- Are the security settings for operating systems in accordance with accepted industry security practices?
- Have all unnecessary applications and computer services been eliminated for each system?
- Are these operating systems and commercial applications patched to current levels?
- How is backup media stored? Who has access to it? Is it up-to-date?
- Is there a disaster recovery plan? Have the participants and stakeholders ever rehearsed the disaster recovery plan?
- Are there adequate cryptographic tools in place to govern data encryption, and have these tools been properly configured?
- Have custom-built applications been written with security in mind?
- How have these custom applications been tested for security flaws?
- How are configuration and code changes documented at every level? How are these records reviewed and who conducts the review?
These are just a few of the kind of questions that can and should be assessed in a security audit. In answering these questions honestly and rigorously, an organization can realistically assess how secure its vital information is.
Security Policy Defined
As stated, a security audit is essentially an assessment of how effectively the organization's security policy is being implemented. Of course, this assumes that the organization has a security policiy in place which, unfortunately, is not always the case. Even today, it is possible to find a number of organizations where a written security policy does not exist. Security policies are a means of standardizing security practices by having them codified (in writing) and agreed to by employees who read them and sign off on them. When security practices are unwritten or informal, they may not be generally understood and practiced by all employees in the organization. Furthermore, until all employees have read and signed off on the security policy, compliance of the policy cannot be enforced. Written security policies are not about questioning the integrity and competency of employees; rather, they ensure that everyone at every level understands how to protect company data and agrees to fulfill their obligations in order to do so.
Natural tensions frequently exist between workplace culture and security policy. Even with the best of intentions, employees often choose convenience over security. For example, users may know that they should choose difficult-to-guess passwords, but they may also want those passwords to be close at hand. So every fledgling auditor knows to check for sticky notes on the monitor and to pick up the keyboard and look under it for passwords. IT staff may know that every local administrator account should have a password; yet, in the haste to build a system, they may just bypass that step, intending to set the password later, and therefore place an insecure system on the network.
The security audit should seek to measure security policy compliance and recommend solutions to deficiencies in compliance. The policy should also be subject to scrutiny. Is it a living document, accurately reflecting how the organization protects IT assets on a daily basis? Does the policy reflect industry standards for the type of IT resources in use throughout the organization?
Before the computer security auditors even begin an organizational audit, there's a fair amount of homework that should be done. Auditors need to know what they're auditing. In addition to reviewing the results of any previous audits that may have been conducted, there may be several tools they will use or refer to before. The first is a site survey. This is a technical description of the system's hosts. It also includes management and user demographics. This information may be out of date, but it can still provide a general framework. Security questionnaires may be used as to follow up the site survey. These questionnaires are, by nature, subjective measurements, but they are useful because they provide a framework of agreed-upon security practices. The respondents are usually asked to rate the controls used to govern access to IT assets. These controls include: management controls, authentication/access controls, physical security, outsider access to systems, system administration controls and procedures, connections to external networks, remote access, incident response, and contingency planning.
Site surveys and security questionnaires should be clearly written with quantifiable responses of specific requirements. They should offer a numerical scale from least desired (does not meet requirements) to most desired (meets requirements and has supporting documentation). Both should include electronic commerce considerations if appropriate to the client organization. For instance, credit card companies have compliance templates listing specific security considerations for their products. These measure network, operating system, and application security as well as physical security.
Auditors, especially internal auditors, should review previous security incidents at the client organization to gain an idea of historical weak points in the organization's security profile. It should also examine current conditions to ensure that repeat incidents cannot occur. If auditors are asked to examine a system that allows Internet connections, they may also want to know about IDS/Firewall log trends. Do these logs show any trends in attempts to exploit weaknesses? Could there be an underlying reason (such as faulty firewall rules) that such attempts are taking place on an ongoing basis. How can this be tested?
Because of the breadth of data to be examined, auditors will want to work with the client to determine the scope of the audit. Factors to consider include: the site business plan, the type of data being protected and the value/importance of that data to the client organization, previous security incidents, the time available to complete the audit and the talent/expertise of the auditors. Good auditors will want to have the scope of the audit clearly defined, understood and agreed to by the client.
Next, the auditors will develop audit plan. This plan will cover how will audit be executed, with which personnel, and using what tools. They will then discuss the plan with the requesting agency. Next they discuss the objective of the audit with site personnel along with some of the logistical details, such as the time of the audit, which site staff may be involved and how the audit will affect daily operations. Next, the auditors should ensure audit objectives are understood.
At the Audit Site
When the auditors arrive at the site, their aim is to not to adversely affect business transactions during the audit. They should conduct an entry briefing where they again outline the scope of the audit and what they are going to accomplish. Any questions that site management may have should be addressed and last minute requests considered within the framework of the original audit proposal.
The auditors should be thorough and fair, applying consistent standards and procedures throughout the audit. During the audit, they will collect data about the physical security of computer assets and perform interviews of site staff. They may perform network vulnerability assessments, operating system and application security assessments, access controls assessment, and other evaluations. Throughout this process, the auditors should follow their checklists, but also keep eyes open for unexpected problems. Here they get their noses off the checklist and start to sniff the air. They should look beyond any preconceived notions or expectations of what they should find and see what is actually there.
Conduct Outgoing Briefing
After the audit is complete, the auditors will conduct an outgoing briefing, ensuring that management is aware of any problems that need immediate correction. Questions from management are answered in a general manner so as not to create a false impression of the audit's outcome. It should be stressed that the auditors may not be in a position to provide definitive answers at this point in time. Any final answers will be provided following the final analysis of the audit results.
Back in the Office
Once back in the home office, the auditors will begin to comb their checklists and analyze data discovered through vulnerability assessment tools. There should be an initial meeting to help focus the outcome of the audit results. During this meeting, the auditors can identify problem areas and possible solutions. The audit report can be prepared in a number of formats, but auditors should keep the report simple and direct, containing concrete findings with measurable ways to correct the discovered deficiencies.
The audit report can follow a general format of executive summary, detailed findings and supporting data, such as scan reports as report appendices. When you write the report, develop executive summary first, as you may have to brief management soon after return. It's important to realize that strengths as well as deficiencies can be addressed in the executive summary to help give an overall balance to the audit report. Next, the auditors can provide detailed report based on audit checklists. The audit findings should be organized in a simple and logical manner on one-page worksheets for each discovered problem. This worksheet outlines the problem, its implications, and how it can be corrected. Space should be left on the worksheet to allow the site to document corrective steps and a comment block to dispute the finding if appropriate.
Don't Keep Them Waiting
Finally, the audit staff should prepare the report as speedily as accuracy allows so that the site staff can correct the problems discovered during the audit. Depending on company policy, auditors should be ready to guide the audited site staff in correcting deficiencies and help them measure the success of these efforts. Management should continually supervise deficiencies that are turned up by the audit until they are completely corrected. The motto for higher management armed with the audit report should be, "follow up, follow up, follow up."
The Audit - Not an Event but a Process
It must be kept in mind that as organizations evolve, their security structures will change as well. With this in mind, the computer security audit is not a one-time task, but a continual effort to improve data protection. The audit measures the organization's security policy and provides an analysis of the effectiveness of that policy within the context of the organization's structure, objectives and activities. The audit should build on previous audit efforts to help refine the policy and correct deficiencies that are discovered through the audit process. Whereas tools are an important part of the audit process, the audit is less about the use of the latest and greatest vulnerability assessment tool, and more about the use of organized, consistent, accurate, data collection and analysis to produce findings that can be measurably corrected.