A well-designed internal security audit can help you uncover soft spots in your system before an outsider points them out. Put on a trench coat, grab a clipboard, and start roaming the halls.

Survive Your Own Audit

A well-designed internal security audit can help you uncover soft spots in your system before an outsider points them out. Put on a trench coat, grab a clipboard, and start roaming the halls.

The purpose of a computer system security audit is to evaluate how well the current security policy has been implemented. Auditing lets you know if things are going according to plan.

What? You don’t have a current security plan? That’s an even better reason to perform an audit. Judging your systems against some commonly agreed-upon security areas can be enlightening. It can also help you develop your own security policy, since it exposes weaknesses you might not know you have, as well as reasons for incorporating security into your overall systems design.

An audit compares proposed security features against the reality of implementation. It compares current security to generally accepted security measures, given the anticipated security risks in the given situation. A good audit tests the current system with both non-invasive and invasive means.

It doesn’t certify a system as secure; it merely judges the relative strength of security measures in effect against possible intrusion methods. A good audit will expose weaknesses, add a measure of accountability, and offer corrective measures. As a result, you can prevent intrusions, or at least detect them quickly and correct them.

A security audit promotes the model of allowing your users a range of access to computer systems, while still monitoring their activities.

In a small system, a formal audit may be unnecessary. It’s possible to see if policy is working by simple observation and informal review. In a large network composed of many different OSs in many locations, a formal audit using audit tools is necessary. Every system, however, can benefit from some sort of security audit; pick the level that fits your organization.

You can conduct a computer system security audit by either external or internal personnel, or a combination of both. Many independent consulting firms offer this type of audit, as do major accounting firms. Many companies consider this function to be a part of their internal audit and control organization. You can even get certified in it, as a Certified Information System Auditor.

In this article I provide a methodology for conducting an internal audit. Such an audit isn’t meant to reduce the need for possible outside intervention. (See “Additional Information” for leads on companies and organizations that can work with you on that.)

As a preliminary step, rate your computer systems by taking the audit survey (click here to view the Security Self-Audit). and strengthen your security prior to audit by external personnel. Only company management can determine if you should engage outside resources for future audits.

Where Do You Start?

An audit should consider not only your programs and hardware but also the facilities, data, and people involved. A good audit should judge each area by the level of confidentiality, integrity, availability, and reliability of information maintained. It should judge each system relative to the actual risk (not the perceived risk) of fraud, error, business interruption, and data compromise.

The size of the company as well as the confidentiality of the information will determine the need and frequency of the audit. If you’ve never conducted an audit, you should do it now and set a periodic time for follow-ups. Audit again after any changes to security policy and after the implementation of major changes or additions to data systems.

Types of Audits

Auditing can be a lengthy process. Listed below are different techniques you can use to audit your computer systems. A good security audit uses techniques from all areas. The proposed point system described in the Audit Survey is merely a way to judge your system’s security against some typical scenarios. Your system may not fit this typical model.

Auditing by Questioning

With this method, you and staff members roam about with a standard questionnaire, asking questions relevant to security policy and implementation. Probe for details and consider attitudes, but accept answers as gospel at this point. Like a good detective, your job will be to compare these answers. By questioning numerous people who do the same thing, you’ll have a better idea of reality. You’ll want to try to avoid asking questions that tip off what the answer should be.

Rather than having people fill out a survey, use direct face-to-face association for the questioning process. Some of the best questions to ask are those that might come up during the normal working day. Ask whether you can use another password, or whether another user can work at a station that’s already logged on. Another big question to ask: When the door to the server room should be locked. Ask about building hours and how that’s enforced. Determine who has keys.

Auditing by Walking

A basic method of the security auditor should be walking around. Information about the security of the physical domain, the attitude and security awareness of workers, and the effectiveness of the current policy can often be gathered by observation. Force yourself to react to what you’re seeing and hearing as if you were an outsider. Look for obvious physical issues and listen to casual conversation. If people know who you are, you may want to enlist other knowledgeable people in your company to assist in this process. However, most people can’t quickly respond to unexpected questions with anything other than the truth. In other words, most people are crummy actors.

During this process, be sure to check your building after hours. Who’s entering and exiting? Do they have that authority? Are doors propped open during breaks? Is anyone paying attention to whether equipment comes and goes?

Auditing by Documentation

The entire configuration of your network should be documented. Do this by physical inspection (some of which can be accomplished via software), not by user survey. After examining each server and workstation, you should have:

  • A list of installed software and appropriate licensing information.
  • Configuration information, such as installed and enabled services, protocols, and bindings.
  • Attached printers or managed network printers.
  • Configuration of services, utilities, transports, and ports.
  • A list of users and their permissions and rights on this system.

Document the network architecture. Where are routers, hubs, and switches, and how are they protected? Which servers and workstations are in which subnet?

Auditing By Checking

With security policy in hand, verify system components and configurations against policy directives. In this case, the results aren’t subjective unless the policy is. That is, either the policy is followed or it’s not. Note the exceptions and any circumstances. Also note inconsistencies, and weaknesses in policy and in implementation. (Read my October 1998 article, “Hardening NT,” for a proposed configuration policy for Windows NT Server.)

Invasive Auditing

Thus far we’ve concentrated on non-invasive means. We’ve audited by observation, inspection, comparison to policy, and discussion. Security audits also include invasive tactics. What good is a perfect score after observation if a simple gesture by a hacker can penetrate your system or shut it down? A good security audit uses the same techniques available to hackers and crackers to probe for holes in the security system.

Like the heart specialist who prefers diet, exercise, and medication to open-heart surgery, I must caution you about invasive techniques. As important as they are in auditing security, there are two potential problems.

First, using these techniques without a defined policy and procedure for their use could result in your termination and even arrest. This is a policy and procedure that needs to be approved at the highest levels. Don’t use these techniques without this approval, in writing, and don’t use these techniques against another companies’ networks.

Second, by initiating improper attacks on your company’s computer information systems, you could destroy data , cripple the systems, and risk the exposure of confidential information.

That said, properly approved and used invasive attacks can assist the security professional in building appropriate defenses. The topic is far more extensive than I can cover here, so see  “Hacker Tools for Auditing” for specific references to types of programs you’ll need to defend against. I also list some tools you can obtain to test current defenses. The sites I mention will lead you to other sites and other tools. Educate and protect yourself thoroughly before you even begin to plan this type of system surgery.

Hacker Tools for Auditing
Scanners

Scanners detect security weaknesses in remote or local hosts by attacking TCP/IP ports and services (telnet, FTP, etc.). They gather responses from these ports or services including information such as what ports are open, and whether anonymous users can log in.

Operating system utilities can be used to probe for information. Windows NT’s performance monitor and registry editing tools can be used to find information about other NT computers, as well as to penetrate unprotected systems. Traceroute, originally a Unix utility, is available with NT as Tracert.exe. Use Tracert to identify the location of a machine.

You can locate public domain scanners at www.giga.or.at/pub/hacker/unix. (Many of these scanners are written for Unix boxes but can be used to probe other types of hosts, including NT.) These include:

  • Security Administrator’s Tool for Analyzing Networks (SATAN)
  • Network Security Scanner (NSS)
  • Jakal
  • IdentTCPscan

Commercial scanners include:

  • The Internet Scanner and SAFEsuite from Internet Security Systems at www.iss.net.
Password Crackers

Password crackers usually work by comparing encrypted word and letter combinations against the password file. This brute-force method works on the premise that most people don’t use strong passwords.

Public domain password crackers include:

Trojans

Any unauthorized program or code contained within a legitimate program is a Trojan. Since these programs masquerade as something known or desirable, the user is tricked into installing them, with unexpected results. The Trojan may be destructive or annoying or may collect information and deliver it to unauthorized people. Previous examples include PC CYBORG, which deletes files and encrypted file names, and AOLGOLD, which purports to be an enhanced program for accessing America Online, but actually deletes important files and attempts to run other destructive programs. A current Trojan is Back Orifice.

In the security audit, you can make an attempt to introduce Trojans. If users have been appropriately trained not to accept or install unauthorized software, you’ll be unable to initiate this. (Obviously, you shouldn’t attempt to get a user to install a known destructive Trojan. An information-collecting Trojan, however, can test your vulnerability to this type of attack.)

Sniffers

Sniffers are devices (software or hardware) that capture and archive information while it’s traveling along the network. This information is later inspected and may reveal passwords or other confidential or proprietary information. If a sniffer can be attached to your local network, any data could potentially be compromised. On the Internet a sniffer might be used to capture authentication information and procedures between networks.

Windows NT comes with a limited version of a software sniffer (Network Monitor) that can capture only packets coming to or originating from the local server. A full-blown version of this product comes with Microsoft Systems Management Server. Network Monitor can be used to detect other copies of Network Monitor running on your system, but it can’t detect the presence of other sniffers. Most sniffers don’t leave a trace on your system; they’re largely passive applications.

Protection against sniffer attacks is accomplished by employing a strong password policy and a safe topology. A safe topology is one that limits the exposure of information on the network by grouping computers that need a trust relationship and then subnetting so that packets can only be sniffed within that segment. Use a sniffer on your network to detect its vulnerability to this type of attack.

Potential sniffers include:

—Roberta Bragg

Evaluating Results

Once you’ve performed your audit, what next? You’re likely to find many things that need attending to. Your first job is to evaluate these newly discovered weaknesses against the actual risk of encountering attacks in the real world. If you’ve properly designed the audit, you may have eliminated some unreal risks already. Next, you must develop a strategy for improving security so that these newly found holes aren’t exploited. Put together a checklist of items to address and assess the cost and appropriateness of each action. If you have a stated policy in place, items that violate this policy should be addressed first. If you’ve found new areas or areas that require a change of policy, solutions to those may have to wait.

Reporting and Recommending

Make the results of your security audit available to management, along with what it means. Share this information with an emphasis on three key items.

  • Vulnerabilities: Where are system weaknesses? Are they relevant? What is the cost of effecting remedies? What is the potential cost of doing nothing? Are there alternatives?
  • Strengths: How strong are current defenses? If password crackers were unable to crack passwords on the network, let’s hear about it. If current policy directives are being carried out, make it be known. If server configurations match policy, sure to reward administrators by indicating this.
  • Recommendations: As the most knowledgeable person on computer security implementation, what are your recommendations? Be sure to include a timetable, implementation costs, and appropriate media for signoffs. After all, if you’ve found problems, you’ll want to correct them. Since your report will heighten management’s security awareness, this is a good time to obtain approval to move forward with plans for improvement.
Additional Information
For information on formal auditing and control, as well as organizations that perform security audits, contact the following resources:
  • Information Systems Audit and Control Association and Foundation (ISACF) at www.isaca.org. This same organization offers the Certified Information System Auditor (CISA) program.
  • The Institute of Internal Auditors at www.itaudit.org. This site is publishing a multi-part series on auditing Windows NT security.
  • AuditNT, a network of resources available for auditors, at www.auditnet.org

To find an auditor to do an external security audit, try:

Plenty of tools are available to conduct your own auditing. You can implement an audit policy on NT Server and Workstation using the tools in User Manager for Domain and in Printer Manager, Windows Explorer, and regedt32.exe.

Also, consider one of the following commercial auditing programs:

Concrete Ideas

Whatever the results of your security audit, you should have some concrete ideas of how to improve network security when you’re done. You should also have a better sense of the amoebic structure of your network, the attitudes of personnel toward their equipment and software, and a better security awareness on the part of management and personnel. Don’t drop the ball here. Use that information to promote and ensure security in your network. The health you save may be your own.

comments powered by Disqus
Most   Popular