Survive Your Own Audit
A well-designed internal security audit can help you uncover soft spots in your system before an outsider points them out. Put on a trench coat, grab a clipboard, and start roaming the halls.
- By Roberta Bragg
- 02/01/1999
The purpose of a computer system security audit is to
evaluate how well the current security policy has been
implemented. Auditing lets you know if things are going
according to plan.
What? You don't have a current security plan? That's
an even better reason to perform an audit. Judging your
systems against some commonly agreed-upon security areas
can be enlightening. It can also help you develop your
own security policy, since it exposes weaknesses you might
not know you have, as well as reasons for incorporating
security into your overall systems design.
An audit compares proposed security features against
the reality of implementation. It compares current security
to generally accepted security measures, given the anticipated
security risks in the given situation. A good audit tests
the current system with both non-invasive and invasive
means.
It doesn't certify a system as secure; it merely
judges the relative strength of security measures in effect
against possible intrusion methods. A good audit will
expose weaknesses, add a measure of accountability, and
offer corrective measures. As a result, you can prevent
intrusions, or at least detect them quickly and correct
them.
A security audit promotes the model of allowing your
users a range of access to computer systems, while still
monitoring their activities.
In a small system, a formal audit may be unnecessary.
It's possible to see if policy is working by simple
observation and informal review. In a large network composed
of many different OSs in many locations, a formal audit
using audit tools is necessary. Every system, however,
can benefit from some sort of security audit; pick the
level that fits your organization.
You can conduct a computer system security audit by either
external or internal personnel, or a combination of both.
Many independent consulting firms offer this type of audit,
as do major accounting firms. Many companies consider
this function to be a part of their internal audit and
control organization. You can even get certified in it,
as a Certified Information System Auditor.
In this article I provide a methodology for conducting
an internal audit. Such an audit isn't meant to reduce
the need for possible outside intervention. (See "Additional
Information" for leads on companies and organizations
that can work with you on that.)
As a preliminary step, rate your computer systems by
taking the audit survey (the Security Self-Audit) and strengthen
your security prior to audit by external personnel. Only
company management can determine if you should engage
outside resources for future audits.
Where Do You Start?
An audit should consider not only your programs and hardware
but also the facilities, data, and people involved. A
good audit should judge each area by the level of confidentiality,
integrity, availability, and reliability of information
maintained. It should judge each system relative to the
actual risk (not the perceived risk) of fraud, error,
business interruption, and data compromise.
The size of the company as well as the confidentiality
of the information will determine the need and frequency
of the audit. If you've never conducted an audit,
you should do it now and set a periodic time for follow-ups.
Audit again after any changes to security policy and after
the implementation of major changes or additions to data
systems.
Types of Audits
Auditing can be a lengthy process. Listed below are different
techniques you can use to audit your computer systems.
A good security audit uses techniques from all areas.
The proposed point system described in the Audit Survey
is merely a way to judge your system's security against
some typical scenarios. Your system may not fit this typical
model.
Auditing by Questioning
With this method, you and staff members roam about with
a standard questionnaire, asking questions relevant to
security policy and implementation. Probe for details
and consider attitudes, but accept answers as gospel at
this point. Like a good detective, your job will be to
compare these answers. By questioning numerous people
who do the same thing, you'll have a better idea
of reality. You'll want to try to avoid asking questions
that tip off what the answer should be.
Rather than having people fill out a survey, use direct
face-to-face association for the questioning process.
Some of the best questions to ask are those that might
come up during the normal working day. Ask whether you
can use another password, or whether another user can
work at a station that's already logged on. Another
big question to ask: when should the door to the server room
be locked? Ask about building hours and how that's
enforced. Determine who has keys.
Auditing by Walking
A basic method of the security auditor should be walking
around. Information about the security of the physical
domain, the attitude and security awareness of workers,
and the effectiveness of the current policy can often
be gathered by observation. Force yourself to react to
what you're seeing and hearing as if you were an
outsider. Look for obvious physical issues and listen
to casual conversation. If people know who you are, you
may want to enlist other knowledgeable people in your
company to assist in this process. However, most people
can't quickly respond to unexpected questions with
anything other than the truth. In other words, most people
are crummy actors.
During this process, be sure to check your building after
hours. Who's entering and exiting? Do they have that
authority? Are doors propped open during breaks? Is anyone
paying attention to whether equipment comes and goes?
Auditing by Documentation
The entire configuration of your network should be documented.
Do this by physical inspection (some of which can be accomplished
via software), not by user survey. After examining each
server and workstation, you should have:
- A list of installed software and appropriate licensing
information.
- Configuration information, such as installed and
enabled services, protocols, and bindings.
- Attached printers or managed network printers.
- Configuration of services, utilities, transports,
and ports.
- A list of users and their permissions and rights
on this system.
Document the network architecture. Where are routers,
hubs, and switches, and how are they protected? Which
servers and workstations are in which subnet?
Auditing By Checking
With security policy in hand, verify system components
and configurations against policy directives. In this
case, the results aren't subjective unless the policy
is. That is, either the policy is followed or it's
not. Note the exceptions and any circumstances. Also note
inconsistencies, and weaknesses in policy and in implementation.
(Read my October 1998 article, "Hardening NT,"
for a proposed configuration policy for Windows NT Server.)
Invasive Auditing
Thus far we've concentrated on non-invasive means.
We've audited by observation, inspection, comparison
to policy, and discussion. Security audits also include
invasive tactics. What good is a perfect score after observation
if a simple gesture by a hacker can penetrate your system
or shut it down? A good security audit uses the same techniques
available to hackers and crackers to probe for holes in
the security system.
Like the heart specialist who prefers diet, exercise,
and medication to open-heart surgery, I must caution you
about invasive techniques. As important as they are in
auditing security, there are two potential problems.
First, using these techniques without a defined policy
and procedure for their use could result in your termination
and even arrest. This is a policy and procedure that needs
to be approved at the highest levels. Don't use these
techniques without this approval, in writing, and don't
use these techniques against another company's networks.
Second, by initiating improper attacks on your company's
computer information systems, you could destroy data,
cripple the systems, and risk the exposure of confidential
information.
That said, properly approved and used invasive attacks
can assist the security professional in building appropriate
defenses. The topic is far more extensive than I can cover
here, so see "Hacker
Tools for Auditing" for specific references to
types of programs you'll need to defend against.
I also list some tools you can obtain to test current
defenses. The sites I mention will lead you to other sites
and other tools. Educate and protect yourself thoroughly
before you even begin to plan this type of system surgery.
Hacker Tools for Auditing
Scanners
Scanners detect security weaknesses
in remote or local hosts by attacking
TCP/IP ports and services (telnet, FTP,
etc.). They gather responses from these
ports or services including information
such as what ports are open, and whether
anonymous users can log in.
Operating system utilities can be used
to probe for information. Windows NT's
performance monitor and registry editing
tools can be used to find information
about other NT computers, as well as
to penetrate unprotected systems. Traceroute,
originally a Unix utility, is available
with NT as Tracert.exe. Use Tracert
to identify the location of a machine.
You can locate public domain scanners
at www.giga.or.at/pub/hacker/unix. (Many
of these scanners are written for Unix
boxes but can be used to probe other
types of hosts, including NT.) These
include:
- Security Administrator's Tool
for Analyzing Networks (SATAN)
- Network Security Scanner (NSS)
- Jakal
- IdentTCPscan
Commercial scanners include:
- The Internet Scanner and SAFEsuite
from Internet Security Systems at
www.iss.net.
Password Crackers
Password crackers usually work by comparing
encrypted word and letter combinations
against the password file. This brute-force
method works on the premise that most
people don't use strong passwords.
Public domain password crackers include:
Trojans
Any unauthorized program or code contained
within a legitimate program is a Trojan.
Since these programs masquerade as something
known or desirable, the user is tricked
into installing them, with unexpected
results. The Trojan may be destructive
or annoying or may collect information
and deliver it to unauthorized people.
Previous examples include PC CYBORG,
which deletes files and encrypts file
names, and AOLGOLD, which purports to
be an enhanced program for accessing
America Online, but actually deletes
important files and attempts to run
other destructive programs. A current
Trojan is Back Orifice.
In the security audit, you can make
an attempt to introduce Trojans. If
users have been appropriately trained
not to accept or install unauthorized
software, you'll be unable to initiate
this. (Obviously, you shouldn't
attempt to get a user to install a known
destructive Trojan. An information-collecting
Trojan, however, can test your vulnerability
to this type of attack.)
Sniffers
Sniffers are devices (software or hardware)
that capture and archive information
while it's traveling along the
network. This information is later inspected
and may reveal passwords or other confidential
or proprietary information. If a sniffer
can be attached to your local network,
any data could potentially be compromised.
On the Internet a sniffer might be used
to capture authentication information
and procedures between networks.
Windows NT comes with a limited version
of a software sniffer (Network Monitor)
that can capture only packets coming
to or originating from the local server.
A full-blown version of this product
comes with Microsoft Systems Management
Server. Network Monitor can be used
to detect other copies of Network Monitor
running on your system, but it can't
detect the presence of other sniffers.
Most sniffers don't leave a trace
on your system; they're largely
passive applications.
Protection against sniffer attacks
is accomplished by employing a strong
password policy and a safe topology.
A safe topology is one that limits the
exposure of information on the network
by grouping computers that need a trust
relationship and then subnetting so
that packets can only be sniffed within
that segment. Use a sniffer on your
network to detect its vulnerability
to this type of attack.
Potential sniffers include:
Evaluating Results
Once you've performed your audit, what next? You're
likely to find many things that need attending to. Your
first job is to evaluate these newly discovered weaknesses
against the actual risk of encountering attacks in the
real world. If you've properly designed the audit,
you may have eliminated some unreal risks already. Next,
you must develop a strategy for improving security so
that these newly found holes aren't exploited. Put
together a checklist of items to address and assess the
cost and appropriateness of each action. If you have a
stated policy in place, items that violate this policy
should be addressed first. If you've found new areas
or areas that require a change of policy, solutions to
those may have to wait.
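As an added example (not from the article), here is how the "Auditing by Checking" and "Evaluating Results" steps can be carried out mechanically: a documented host configuration is compared against policy directives, and the resulting findings are ordered with policy violations first, then by actual risk and remediation cost, with items that would need a policy change deferred. The policy baseline, inventory, host name, risk and cost figures are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed policy baseline for a member server (not from any real system).
POLICY = {
    "allowed_services": {"Server", "Workstation", "EventLog", "NetLogon"},
    "allowed_ports": {139},
    "allowed_admins": {"Administrator", "ops-admin"},
    "min_password_length": 8,
}

# Constructed inventory for one host, as gathered by physical inspection.
INVENTORY = {
    "host": "SRV01",
    "services": {"Server", "Workstation", "EventLog", "NetLogon", "FTP"},
    "ports": {21, 139},
    "admins": {"Administrator", "ops-admin", "jsmith"},
    "min_password_length": 6,
    "dialin_modems": 1,  # an area the policy says nothing about
}

@dataclass
class Finding:
    host: str
    detail: str
    violates_policy: bool      # either the policy is followed or it is not
    risk: int                  # assessed against actual risk, 1 (low) to 5 (high)
    cost: int                  # rough remediation cost, 1 (cheap) to 5 (expensive)
    needs_policy_change: bool = False  # "new areas" whose fix may have to wait

def check_host(inv, policy):
    """Auditing by checking: compare the documented configuration with policy."""
    host, out = inv["host"], []
    for svc in sorted(inv["services"] - policy["allowed_services"]):
        out.append(Finding(host, f"service {svc} enabled", True, 4, 1))
    for port in sorted(inv["ports"] - policy["allowed_ports"]):
        out.append(Finding(host, f"port {port} listening", True, 4, 1))
    for user in sorted(inv["admins"] - policy["allowed_admins"]):
        out.append(Finding(host, f"{user} holds Administrators", True, 5, 1))
    if inv["min_password_length"] < policy["min_password_length"]:
        out.append(Finding(host, "minimum password length below policy", True, 3, 2))
    if inv.get("dialin_modems", 0) and "dialin_modems" not in policy:
        out.append(Finding(host, "dial-in modem with no policy directive", False, 4, 3, True))
    return out

def prioritize(findings):
    """Evaluating results: policy violations first, then highest risk, then
    cheapest fix; items that need a policy change are deferred to the end."""
    return sorted(findings, key=lambda x: (x.needs_policy_change, not x.violates_policy, -x.risk, x.cost))
```

Calling `prioritize(check_host(INVENTORY, POLICY))` yields the checklist in the order the article recommends working through it.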
Reporting and Recommending
Make the results of your security audit available to
management, along with what it means. Share this information
with an emphasis on three key items.
- Vulnerabilities: Where
are system weaknesses? Are they relevant? What is the
cost of effecting remedies? What is the potential cost
of doing nothing? Are there alternatives?
- Strengths: How strong are
current defenses? If password crackers were unable to
crack passwords on the network, let's hear about
it. If current policy directives are being carried out,
make it known. If server configurations match policy,
be sure to reward administrators by saying so.
- Recommendations: As the
most knowledgeable person on computer security implementation,
what are your recommendations? Be sure to include a
timetable, implementation costs, and appropriate media
for signoffs. After all, if you've found problems,
you'll want to correct them. Since your report
will heighten management's security awareness,
this is a good time to obtain approval to move forward
with plans for improvement.
Additional Information
For information on formal
auditing and control, as well as organizations
that perform security audits, contact
the following resources:
- Information Systems Audit and Control
Association and Foundation (ISACF)
at www.isaca.org.
This same organization offers the
Certified Information System Auditor
(CISA) program.
- The Institute of Internal Auditors
at www.itaudit.org.
This site is publishing a multi-part
series on auditing Windows NT security.
- AuditNT, a network of resources
available for auditors, at www.auditnet.org.
To find an auditor to do an external
security audit, try:
Plenty of tools are available to conduct
your own auditing. You can implement
an audit policy on NT Server and Workstation
using the tools in User Manager for
Domains and in Print Manager, Windows
Explorer, and regedt32.exe.
Also, consider one of the following
commercial auditing programs:
Concrete Ideas
Whatever the results of your security audit, you should
have some concrete ideas of how to improve network security
when you're done. You should also have a better sense
of the amoebic structure of your network, the attitudes
of personnel toward their equipment and software, and
a better security awareness on the part of management
and personnel. Don't drop the ball here. Use that
information to promote and ensure security in your network.
The health you save may be your own.