Most security regulations, such as HIPAA, SOX and GLBA, as well as PCI DSS (which is an industry standard, not a regulation), call for a risk analysis. To many this is an unfamiliar or difficult process, so I thought I would present the common goals of a risk-based analysis audit.
GOAL 1: The network defined
We need to know what is being looked at or reviewed: what devices are there? Is the network segmented? What network areas (segments) exist? Are there additional controls or filters between the different areas? This has to be done carefully. If the scope is not defined right, the whole audit process will be off balance.
GOAL 2: Gather non-technical Information
Ask the staff to complete a questionnaire. Use three types: 1) a technical questionnaire for the technical staff, 2) a management questionnaire for management, and 3) a general questionnaire for everyone else. You will be amazed that you can ask the same question of all three groups and get more than three different answers. Yes, hear what the technical staff have to say, but do NOT just accept their answer as fact; verify it against what you find in the later goals. This will give you a very good understanding of the corporate climate towards security.
GOAL 3: Assess the boundary
A boundary is obviously the point between internal and external, but also include internal boundaries. For example, if the DMZ is declared its own segment on the network, check the boundary between the internal network and the DMZ and the boundary between the external network and the DMZ. If sales is on a different segment from marketing, check the boundary between those too. Protecting the border between external and internal is NOT enough. Ask yourself: what if the attacker gains access inside the border, then what?
GOAL 4: Password strength checks
Check password strength, and check that each user has their own unique user name and password. Shout and scream if users share access. There is NO reason whatsoever for users to share credentials: a shared account cannot be tied back to one person, so it defeats any audit trail.
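One practical way to catch shared access is to look at where an account logs in from: a credential used from many different hosts is usually being passed around. The following is an added example, not code from the original post; it runs over a handful of constructed sshd-style log lines (fake hosts and user names) and the threshold of two hosts is an assumed value to tune per environment.

```python
"""Flag accounts that authenticate from many distinct hosts, a common sign of
shared credentials. Added example with constructed log data, not from the post."""
import re
from collections import defaultdict

# Constructed sshd-style "Accepted ..." lines; hosts and users are made up.
AUTH_LOG = """\
Jan 10 08:01:12 fs1 sshd[2211]: Accepted password for jsmith from 10.1.4.21 port 50122 ssh2
Jan 10 08:03:40 fs1 sshd[2230]: Accepted password for svc_backup from 10.1.4.21 port 50190 ssh2
Jan 10 08:05:02 fs1 sshd[2244]: Accepted password for svc_backup from 10.1.4.33 port 50211 ssh2
Jan 10 08:06:15 fs1 sshd[2251]: Accepted publickey for mlee from 10.1.4.33 port 50344 ssh2
Jan 10 08:09:51 fs1 sshd[2270]: Accepted password for svc_backup from 10.1.5.7 port 50260 ssh2
Jan 10 08:11:20 fs1 sshd[2281]: Accepted password for svc_backup from 10.1.6.90 port 50301 ssh2
Jan 10 08:15:44 fs1 sshd[2301]: Failed password for root from 10.1.4.21 port 50400 ssh2
"""

# Only successful logins count; the method (password/publickey) is ignored.
ACCEPTED = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<host>\S+) port")


def hosts_per_user(log):
    """Map each user name to the set of source hosts it logged in from."""
    seen = defaultdict(set)
    for line in log.splitlines():
        m = ACCEPTED.search(line)
        if m:
            seen[m["user"]].add(m["host"])
    return seen


def shared_accounts(log, max_hosts=2):
    """Users seen from more than max_hosts distinct hosts (assumed threshold)."""
    return {
        user: sorted(hosts)
        for user, hosts in hosts_per_user(log).items()
        if len(hosts) > max_hosts
    }


if __name__ == "__main__":
    for user, hosts in shared_accounts(AUTH_LOG).items():
        print(f"possible shared account {user}: {len(hosts)} hosts -> {', '.join(hosts)}")
```

A hit is a lead, not a verdict: a user who legitimately roams between workstations, or a DHCP range that hands out new addresses, will also trip the threshold, so follow up each flagged account with the people who own it. The reverse is also true: a shared account used only from one jump host will not show up here, which is why the questionnaire answers from GOAL 2 still need to be checked against the device.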
GOAL 5: Investigate the devices
Actually check the devices. I remember one audit where the client had previously had problems with their router access, which after a while got resolved by their ISP. The solution was to simply bypass the firewall and connect straight from the router to the network. Solved their problem! The firewall was powered on, but had no traffic going through it. Check for these things.
GOAL 6: Check for wireless
Actually check for wireless, especially if company policy says NO wireless is allowed. It was recently shown just how easy it is to tap into the keystrokes of a wireless keyboard (Read Here). Think about that when we say wireless from now on: it is not only access points. It is amazing how many audits are conducted where at least one rogue (unauthorized) access point is detected or discovered.
GOAL 7: Check actual vs documented firewall rules
Actually read the firewall rules directly from the device(s) and compare them to what the documentation says they should be. With proper change management there should be NO difference. But even then you may be surprised.
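The comparison is worth scripting so it can be repeated on every audit instead of being eyeballed once. The following is an added example, not code from the original post: it assumes the device dump is in iptables-save format (a constructed stand-in is embedded) and that the documented rule set is kept as a simple whitespace-separated list (also constructed), and it reports rules present on the device but undocumented, and rules documented but absent from the device.

```python
"""Diff the rules loaded on a firewall against the documented rule set.
Added example with constructed data; not the original post's code."""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    chain: str
    proto: str
    src: str
    dst: str
    dport: str
    action: str

    def __str__(self):
        return f"{self.chain} {self.proto} {self.src} {self.dst} {self.dport} {self.action}"


# Constructed stand-in for `iptables-save` output pulled from the device.
# Note the ssh rule that nobody wrote down.
DEVICE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A FORWARD -s 10.1.0.0/16 -d 10.2.0.10/32 -p tcp --dport 443 -j ACCEPT
-A FORWARD -s 10.1.0.0/16 -d 10.2.0.10/32 -p tcp --dport 22 -j ACCEPT
-A FORWARD -d 10.2.0.20/32 -p tcp --dport 80 -j ACCEPT
COMMIT
"""

# Constructed stand-in for the documented rule set (assumed format):
# chain proto src dst dport action
DOCUMENTED = """\
FORWARD tcp 10.1.0.0/16 10.2.0.10 443 ACCEPT
FORWARD tcp any 10.2.0.20 80 ACCEPT
FORWARD udp 10.1.0.0/16 10.2.0.30 53 ACCEPT
"""

# Matches "-A FORWARD", "-s 10.1.0.0/16", "--dport 443", "-j ACCEPT", ...
_OPTION = re.compile(r"(--?[A-Za-z]+)\s+(\S+)")


def _net(value):
    """Canonical CIDR so 10.2.0.10, 10.2.0.10/32 and 'any' compare equal."""
    if value in ("any", "0.0.0.0", "0.0.0.0/0"):
        return "0.0.0.0/0"
    return str(ipaddress.ip_network(value, strict=False))


def parse_device(dump):
    """Rules from iptables-save output; missing -s/-d means 'any'."""
    rules = set()
    for line in dump.splitlines():
        if not line.startswith("-A "):
            continue
        opts = dict(_OPTION.findall(line))
        rules.add(Rule(
            chain=opts["-A"],
            proto=opts.get("-p", "any"),
            src=_net(opts.get("-s", "any")),
            dst=_net(opts.get("-d", "any")),
            dport=opts.get("--dport", "any"),
            action=opts["-j"],
        ))
    return rules


def parse_documented(text):
    """Rules from the documented list; blank lines and # comments are skipped."""
    rules = set()
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        chain, proto, src, dst, dport, action = line.split()
        rules.add(Rule(chain, proto, _net(src), _net(dst), dport, action))
    return rules


def compare(device, documented):
    """Return (on device but undocumented, documented but not on device)."""
    return device - documented, documented - device


if __name__ == "__main__":
    undocumented, missing = compare(parse_device(DEVICE_DUMP), parse_documented(DOCUMENTED))
    for r in sorted(map(str, undocumented)):
        print("UNDOCUMENTED on device:", r)
    for r in sorted(map(str, missing)):
        print("DOCUMENTED but absent :", r)
```

The set comparison deliberately ignores rule order, which is fine for spotting rules that were added or dropped without a change ticket, but a first-match firewall can behave differently when two documented rules are merely swapped, so check order separately once the sets agree. Extend the parser for match options your rule base actually uses (interfaces, multiport, state) before trusting the output.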
GOAL 8: Aim, Attack, Fire
Test, test, test. Actually run a complete penetration test, and vary the type from white box through gray box to black box. (If you are not sure what this means, drop me an email; I would love to discuss it further.) Test from the outside and from the inside. Not all attacks come from Mr. Evil far, far away; more often than not they are local, or come from ex-employees.
GOAL 9: Compare results and review Policies and Procedures
Compare the results from your tests and investigations to what the policies and procedures actually say. Policies with NO enforcement are wasted paper. Procedures not followed are events doomed to failure.
GOAL 10: Lessons learned and improve
Learn! Actually take the results and plan an improvement strategy. It is very seldom that an audit comes back with NO findings. If you have had one, let me know, then go back and really conduct a real audit this time. Take the findings, big, small or otherwise, plan how to remedy them, and get them resolved.
This is just a short overview of what should be done when completing a full risk-based analysis audit of an organization's IT security posture.
My 2c from small town America
