Security problems are on the rise—but that's not news. What is newsworthy, however, is the exponential nature of this increase. The Computer Emergency Response Team (CERT) says there has been an annual twofold increase in the number of vulnerabilities and security incidents reported. These numbers signify quite clearly the necessity of security management for all IT decision makers.
Knowing where your company stands currently on security practices is the first step in proactive security management, and a full security audit is the best way to achieve this goal. A security audit is a systematic way to test for vulnerabilities or weaknesses in your IT systems, policies, and procedures. When completed, an audit will provide you with a comprehensive picture of your security status. This will help you to assess your current level of compliance or risk, and compare these levels with where you need or want your security to be.
What you will likely find as the result of your audit is that the most common audit failure points aren't grounded in poor technology. Most failures can be attributed to poor compliance with practices and procedures. A recent audit of federal government agencies found that the major failing points were poor password control, end-user security practices and policies, and access controls. This article will introduce you to the primary steps involved in conducting a security audit, so you can assess the areas your organization needs to do a better job of securing.
Step 1: Conduct a Risk Analysis
A risk analysis helps you prioritize your company's IT assets and decide the level of “toughness” required to protect them adequately. A risk analysis isn't considered part of the audit because it generally occurs before the actual audit. However, conducting a risk analysis is essential because it defines the reasons for your audit and the overall scope of your auditing activities. It will help you determine which assets your security measures are trying to protect (such as data and systems), the value of the assets you're trying to protect, all potential threats to these assets, and the impact of threats, in terms of losses, should they be realized.
Understanding the relative “value” of systems and data will help you decide the level of scrutiny to apply to each audit subject. For example, two sets of data files might have the same levels of security applied, but one might pass the audit and the other might not because one is more sensitive and requires tighter security than currently afforded. A risk analysis will help you set the line between security success and failure.
Step 2: Get Prepared
Audits are systematic in nature. Therefore, you must plan carefully to ensure seamless execution and comprehensive coverage. In the preparation stage of the audit you must prioritize audit targets; decide on the objectives, depth, and scope of your audit; identify and verify the resources (time, people, tools, information) you'll need to conduct your audit; plan your audit procedure; and communicate your plans to others in your organization.
Based on your risk analysis, you should have a good idea of your audit priorities concerning systems and data. However, you'll need to approach each asset from several angles. These include the virtual security of the asset, the physical security of the asset, and security maintenance procedures for that asset. Given the size of a full-scale audit, you might choose to focus on one or two areas at a time. However, most systems are interrelated. Be sure to include assessment of the interconnections between these systems in your plans.
When planning your audit, start by identifying the systems you'll need to restrict access to during your tests. Then, pick appropriate times for performing your audit, such as after regular business hours, to minimize disruptions to the business. You need to identify key personnel—data owners, department managers, security administrators, tech support workers, and typical business users—for information-gathering interviews. If necessary, use an organizational chart to help you target the appropriate people.
Once you know who you want to interview, prepare a series of questions to ask staff, end users, and other individuals who are exposed to your systems. Focus your questioning on how personnel interact with the system, what they can gain access to, and how they perform security procedures (if at all).
Next, take a look at the security technology you use currently. Collect and review the manuals for all security packages. They might contain helpful auditing checklists or even an audit program that you can use. You should also assess and acquire established automated audit and utility programs. Conducting an audit manually can be a painstaking process, and might lead to errors.
As you pick and prepare your auditing platform, the operating system you choose will affect the auditing tools you can use, and vice versa. Choose wisely. You might also want to opt for a notebook computer for your auditing command center given its portability. Also, ensure your auditing platform runs no network services and is configured much like any other secure host, such as a firewall.
Verify your audit and testing environments to ensure that they have not been tampered with. Burn a copy of your secure platform to a CD and store it in a secure location to ensure that you have a “tamperproofed” version at hand.
Your next step: Develop a prioritized plan. This plan should itemize all tests, evaluations, and inquiries you intend to make. It should also list timelines and all resources required to perform your evaluations. Attach step-by-step procedures for all tests you intend to perform. When setting timelines, leave adequate room for contingencies—you might run across unexpected elements or problems, or might have an insight into a new way to approach a specific test.
Finally, communicate your plans to perform an audit to whoever needs to know. This includes executives, department heads, your staff, and others who you wish to interview. Explain why an audit is necessary, and specify the times and dates of any required system downtimes. Remember that the quality of your findings is important because it will form a comparative benchmark for future audits. If you don't have the appropriate training for conducting a security audit, or haven't experienced one firsthand, it might be wise to get some training through self-education or a course.
Another alternative is to outsource to a professional auditing firm. This approach can help ensure objectivity. In-house staff members might have their pride (or perhaps something more sinister) to protect, or might be unable to approach the system being audited with an objective eye.
Step 3: Review Policy Documents and Reports
The audit should answer a fundamental question: Are your systems and procedures in compliance with your policy? Without a clear and comprehensive policy, you can't be entirely sure of which security problems you're looking for. A policy provides an important baseline your IT systems and practices will be measured against.
If you don't have a security policy in place prior to conducting an audit, you should make some effort to build one that addresses the overall security goals of your IT installation, and the scope of security protection your department offers currently. It should also identify who has ownership over various IT resources, including systems and data, as well as who is responsible for the integrity of these resources. Establish the requirements to access resources (passwords, permissions), and include descriptions of all security system access rules. You'll also need to categorize resources according to sensitivity.
Include descriptions of all security procedures, including security maintenance, password handling, violation handling, backup and recovery, and emergency and troubleshooting. Note user rights and accountabilities, remote access procedures, and account protection requirements. Make sure to establish who's responsible for supporting and enforcing the security direction (for example, the rights and accountabilities of the security administrator). Finally, set consequences for non-compliance with the policy.
Having a security policy isn't enough. An unclear, out-of-date, unenforceable, or meager policy is a security problem in itself and you should treat it as a threat. The security policy is also a threat if it hasn't been disseminated and explained to end users properly. Consider your policy an extension of your risk management practices.
Step 4: Gather “People” Information
People, not technologies, are the number one barrier to effective enterprise security. In a recent survey, conducted jointly by the Federal Bureau of Investigation and Computer Security Institute, 81 percent of respondents said the most likely source of a security attack was from within a company.
Conducting both formal and informal interviews with those who have access to your systems is an often overlooked, but a critical, step in your security audit. Interviews will help you discover how well personnel understand and adhere to security policies and procedures, as well as uncover what access people actually have to systems beyond what is documented or “sanctioned.”
Start by talking to your IT staff. Find out how they actually go about handling security procedures. Next, quiz them about their understanding of documented security procedure, controls, and responsibilities. Compare what they actually do with what is documented, and itemize the gaps.
Next, interview end users. Start with data owners and department heads, but also talk to general end users. Find out what they can and can't do (such as accessing certain resources). Get a take on their understanding of security practices and loopholes. Ask them to show you their copies of security policies and procedures, or have them point out where they can be found (for example, online, in a centralized binder). This will help you determine if they've ever even seen the security policies and procedures in the first place.
Finally, talk to any other workers who have access to your physical building, such as maintenance and janitorial staff. They have access to more than you might think, including passwords (written on sticky notes), desktop computers, and servers. They also have a good idea of the general “comings and goings” of staff, what sensitive material ends up in the garbage instead of the shredder, and the overall physical security of the building.
Conduct your interviews with caution: Many interviewees might be concerned about getting themselves, or someone else, into trouble, and might not wish to fully disclose what they know. You might want to assure them that your conversation is confidential and that their names won't be mentioned in your report. Also, reinforce the idea that your questions are addressing the security of IT systems and data, not their job performance.
Step 5: Conduct Testing
Running a full battery of tests on your network might be too time-consuming to be practical. Prioritize the components that you'd like to test, and choose the most important areas. These could include major routers and servers, platforms, applications, data files, and interconnects. Be very cautious in pursuing active testing of live applications using real data—you could inadvertently cause damage. Such tests could include mock denial of service attacks or exploits. If you decide to run active tests, do a full backup of the system to be tested and run your tests after hours. If you're not completely familiar with the testing tools and can't implement full controls, consider not doing these types of tests at all.
Step 6: Evaluate Your Data
The testing phase will generate a lot of data and observations. Be sure you leave yourself enough time to organize and assess your results adequately. Analyze all data collected by the automated tools you used, and look for trends and irregularities. Then, separate and analyze your findings by system. You'll also want to itemize all application backdoors and loopholes, as well as all areas where security practice does not comply with policy or procedure. A good dividing line to impose is by staff type and/or levels (for example, separate IT staff procedures from general end user procedures). Label each of your security components (systems, procedures, and so on) by their level of security compliance and the urgency required to bring non-compliant components into compliance.
Next, create a prioritized list of fixes to be made. Systems or procedures labeled red for both compliance and urgency should be at the top of the list, followed in order by other high-ranking problems. Finally, assess the time and resources it will take to make each required change. You can then put the information gleaned here into a final report, which will serve as the basis for your ultimate action list and work plan.
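As an added illustration (not from the article), the following Python script implements the triage rule described above: each finding is labelled red, amber or green for compliance and for urgency, red/red items go to the top of the fix list, and fix effort is totalled by staff type. The rating names, field names and sample findings are assumptions.

```python
from dataclasses import dataclass

# Rating scale assumed for this example: red is worst, then amber, then green.
RANK = {"red": 0, "amber": 1, "green": 2}


@dataclass
class Finding:
    component: str      # system or procedure that was audited
    staff_type: str     # "IT staff" or "end user", the article's dividing line
    compliance: str     # red/amber/green: how far practice departs from policy
    urgency: str        # red/amber/green: how soon it must be brought into line
    fix_hours: int      # estimated effort to make the fix


def priority_key(f: Finding) -> tuple:
    """Red/red findings first; then by the worse of the two ratings,
    then by the combined rating, then cheapest fix first."""
    c, u = RANK[f.compliance], RANK[f.urgency]
    both_red = 0 if c == 0 and u == 0 else 1
    return (both_red, min(c, u), c + u, f.fix_hours)


def prioritized_fix_list(findings):
    """Return the findings ordered as the final action list should be."""
    return sorted(findings, key=priority_key)


def effort_by_staff_type(findings):
    """Total estimated fix hours per staff type, for the resource estimate."""
    totals = {}
    for f in findings:
        totals[f.staff_type] = totals.get(f.staff_type, 0) + f.fix_hours
    return totals


# Constructed sample findings; not taken from any real audit.
SAMPLE = [
    Finding("shared admin password on file server", "IT staff", "red", "red", 4),
    Finding("unshredded printouts in bins", "end user", "amber", "amber", 2),
    Finding("backup tapes stored on-site only", "IT staff", "red", "amber", 16),
    Finding("policy binder out of date", "end user", "amber", "green", 8),
    Finding("users unaware of password policy", "end user", "red", "red", 12),
]

if __name__ == "__main__":
    for f in prioritized_fix_list(SAMPLE):
        print(f"{f.compliance:>5}/{f.urgency:<5} {f.fix_hours:>3}h  {f.component}")
    print(effort_by_staff_type(SAMPLE))
```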
Step 7: Report Your Findings
The reporting phase will take the most time in your audit. Not only do you have to assemble your findings and build a clear report, but you also need to meet with the appropriate people to review and explain your findings, decide on a course of action, and develop a work plan.
The purpose of your report is to drive business decisions to invest in securing your IT assets. Aim to create a report that is clear, jargon-free, and speaks to business objectives. In your report, be sure to include an executive summary stating the purpose of the audit and high priority action recommendations. Also provide an explanation of the scope of the audit, and details on any changes from the last audit (if prior audits have been conducted). The report should also have a statement of overall compliance of current security with policies, including an overall grade of total system security, and an explanation of what wasn't tested and why.
Finally, include a detailed, prioritized list of recommended actions, with full justifications and costs to make each fix. Once you've completed your report, book time to discuss your findings with key executives and decision makers. The outcome of this meeting should be decisions on final prioritized action items.
Step 8: Take Post-Audit Action
Once your audit is complete, your report is in, and the recommendations on fixes to be made have been approved by senior management, you're ready to take the final steps. First, follow up with your IT staff to discuss your course of action, resources required, and appropriate due dates for all fixes and changes. This will form the basis for your work plan.
Then make copies of all your test data for future reference. Store these copies securely—they qualify as sensitive information about your company's vulnerabilities and should be kept away from prying eyes. Preferably, store encrypted copies off-site, as you would with any other important company data.
You'll also want to consider redrafting your security policy and procedures in light of your findings. Make sure any changes to the security policy and procedures are well communicated to end users and your staff. For better results in your next audit, ensure your new policies and procedures can be monitored and enforced.
Finally, assess your audit tools and procedures. Write a debriefing report that includes answers to these questions:
- Did you engage in too many manual processes that could have been sped up by using automated tools?
- What automated tools did you use and why?
- How effective and easy to use were the tools you selected?
- Which tools would you use again, which would you replace, and why?
- Did you have any problems in getting affected parties to comply with your audit requirements, such as participating in interviews or disclosing information?
- Did you allocate sufficient time and resources to performing your audit?
- What were the major challenges of conducting your audit?
- What were the major surprises that surfaced in conducting your audit?
- What do you plan to audit next time that you didn't audit this time?
- What changes would you make to future audit procedures?
At this point, the only thing that remains is making the actual fixes. Plan to repeat your audit on at least an annual basis.
Performing a full security audit of your systems, practices, and policies is an essential first step in managing your organization's overall security infrastructure. Without an audit, you are simply guessing at your organization's security weaknesses and the appropriate fixes.
Jennifer Perrier is a network security analyst in London, Canada. She is currently Web Publications Manager at Info-Tech Research Group, a research and professional services firm focused on mid-sized companies. Ms. Perrier graduated from the University of Western Ontario with a Masters in Library and Information Science. You can reach her at firstname.lastname@example.org.