On a network, a security audit is a comprehensive assessment of the safety of a company’s information assets. A security audit will help identify any gaps in compliance.
- [Instructor] Auditing is ensuring something is as it should be. For example, if the bowling club checkbook is to have a 92-dollar balance, auditing assures that when I check the balance, it is, indeed, 92 dollars. On a network, a security audit is a comprehensive assessment of the safety of a company's information assets. Auditing generally follows a structured plan, or set of criteria, such as PCI compliance. Auditing a network can be a complex undertaking.
Today's networks have many attack surfaces, or areas of exposure. Attack surfaces can include software, hardware, network, and users. Auditing the attack surface identifies potential vulnerabilities. Auditing can be done voluntarily, but in most cases, auditing is required as part of a compliance regulation. When faced with an audit, managers fear what weaknesses they might find.
Auditing is required for many regulations, including the Gramm-Leach-Bliley Act, HIPAA, PCI, and Sarbanes-Oxley. In addition, customers might request the results of your security audit before entering into a business partnership. A general auditing plan includes investigating, and then testing, vulnerabilities. Each company, or auditor, has a complete set of guidelines as to what they want to audit, which can include the following: software, network, and users.
A software assessment might include the system software, such as the directory, the logging used, and the authentication protocols used for network services such as DNS Security, and the application software, specifically web and mobile platform testing. In a network assessment, we check the devices such as firewalls, intrusion detection systems, intrusion prevention, and logging and alert capabilities, along with configuration and authentication methods and visible network services. Then we check the users.
Using social engineering techniques, we see if we can gain access into the building, such as by tailgating or piggybacking, and phishing attacks using email, instant messaging, and social media to get employees to click on a link to release malware or download a rootkit. Auditing generally follows a predefined plan: reconnaissance, scanning, gaining access, and exploitation. Before actually launching any attacks or using advanced tools, the penetration tester must complete a thorough information gathering exercise and obtain as much information about the target as possible, to see what is visible to a would-be attacker.
This is time-consuming. It could possibly take weeks to complete. However, to save some time, some information can be provided, such as IP address ranges or user names and passwords. After footprinting and reconnaissance, scanning is the second phase of information gathering that hackers use to size up a network. Scanning is where they dive deeper into the system and look for valuable data and services in a specific IP address range.
After scanning the network and obtaining a blueprint, gaining access is next. Once in, the key is to maintain access and continually escalate the privileges to the administrator level. With the knowledge of the vulnerabilities, the ethical hacker can launch exploits, such as web server attacks including buffer overflow and cross-site scripting. We can also attempt other possible exploits and possibly install a rootkit so that the ethical hacker can access the target at any time.
Auditing is not a spot check. It's a complete evaluation of the security posture of an organization. In today's organizations, everyone is responsible for the security of the organization. Instead of waiting to be compelled to have an audit, or worse yet, finding you have weaknesses by being the victim of a hack, an organization should proactively go through annual audits.