“Even if you hate security audits, it’s in your best interest to make sure they’re done right.” – Ameen Khan
Cyber Security Audit
The ever-changing cyber-security landscape requires info-sec professionals to stay abreast of new best practices for conducting information security assessments. Read the Grayhats blog at www.grayhats.in/blog for updated security assessment strategies you can apply to your own organization.
None of us relishes an audit: outsiders poking around for the holes in our systems? When someone says “audit,” you probably think of the surprise inspections your company’s auditors pull to try to expose IT weaknesses.
Information security assessments can be effective for identifying and fixing issues in your enterprise’s policies, which are highly sensitive for an organisation.
But you’re the one on the hot seat if your organization gets hacked. Don’t worry: call Grayhats for an audit. If you’re responsible for information security, you should want, indeed insist on, thorough annual audits. In some cases, you may have no choice. Financial institutions, for example, are required to have external auditors certify compliance with regulations such as the Gramm-Leach-Bliley Act (GLBA). Your own organization’s audit department may require it. Or potential partners or customers may insist on seeing the results of a security audit before they do business with your company and put their own assets at risk.
We at Grayhats can help you with such audits.
So you bring the auditors in. But what if the auditors fail to do their job correctly? You’re still the one feeling the heat after an attacker brings your Web site down or steals your customers’ financial information.
How to manage a successful audit
Establish a security baseline through annual audits.
Spell out your objectives.
Choose auditors with “real” security experience.
Involve business unit managers early.
Make sure auditors rely on experience, not just checklists.
Insist that the auditor’s report reflects your organization’s risks.
Don’t let this happen to you.
And it won’t, if you know how to:
Choose a good auditor.
Spell out your requirements.
Make sure the audit is conducted properly.
Intelligently evaluate the ultimate deliverable: the auditor’s report.
An audit can be anything from a full-scale analysis of business practices to a sysadmin monitoring log files. The scope of an audit depends on the goals. The basic approach to performing a security assessment is to gather information about the targeted organization, research security recommendations and alerts for the platform, test to confirm exposures, and write a risk analysis report. It sounds simple, but it can become quite complex.
Establish a Security Baseline
Your security policies are your foundation. Without established policies and standards, there’s no guideline to determine the level of risk. But technology changes much more rapidly than business policies and must be reviewed more often. Software vulnerabilities are discovered daily. A yearly security assessment by an objective third party is necessary to ensure that security guidelines are followed.
Security audits aren’t a one-shot deal. Don’t wait until a successful attack forces your company to hire an auditor. Annual audits establish a security baseline against which you can measure progress and evaluate the auditor’s professional advice. An established security posture will also help measure the effectiveness of the audit team. Even if you use different auditors every year, the level of risk discovered should be consistent or even decline over time. Unless there’s been a dramatic overhaul of your infrastructure, the sudden appearance of critical security exposures after years of good reports casts a deep shadow of doubt over previous audits.
If you don’t have years of internal and external security reviews to serve as a baseline, consider using two or more auditors working separately to confirm findings. It’s expensive, but not nearly as expensive as following bad advice. If it isn’t practical to engage parallel audit teams, at least seek a second opinion on audit findings that require extensive work.
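The year-over-year comparison described above, as an added example that is not part of the original post: it classifies one year's findings against the prior baseline and flags the "sudden appearance of critical exposures" that should trigger a second opinion. Finding identifiers, severities and the scoring scale are constructed sample values, not from any real audit.

```python
# Added example (not from the original post): compare an annual audit's
# findings against the prior year's baseline, as the text recommends.
# Finding ids, severities and the rank scale below are constructed.

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample findings: finding id -> severity (ids are hypothetical).
BASELINE_2023 = {
    "FW-001": "medium",   # permissive outbound rule on the firewall
    "OS-004": "low",      # Red Hat host missing a non-security update
    "RTR-002": "medium",  # router logs not forwarded to a central collector
}
CURRENT_2024 = {
    "OS-004": "low",      # carried over from last year, still open
    "FW-007": "critical", # new: management station reachable from outside
    "OS-011": "high",     # new: unpatched service on the Red Hat host
}

def risk_score(findings):
    """Sum severity ranks so two years can be compared on one scale."""
    return sum(SEVERITY_RANK[sev] for sev in findings.values())

def compare_audits(baseline, current):
    """Classify findings as resolved, carried over or new, and flag a
    regression when critical findings appear in a year whose baseline
    had none (the post's 'sudden appearance of critical exposures')."""
    resolved = sorted(set(baseline) - set(current))
    carried = sorted(set(baseline) & set(current))
    new = sorted(set(current) - set(baseline))
    new_critical = [f for f in new if current[f] == "critical"]
    baseline_had_critical = "critical" in baseline.values()
    base_score, cur_score = risk_score(baseline), risk_score(current)
    return {
        "resolved": resolved,
        "carried_over": carried,
        "new": new,
        "baseline_score": base_score,
        "current_score": cur_score,
        # Good reports for years, then criticals: question the earlier audits.
        "regression": bool(new_critical) and not baseline_had_critical,
        # Risk rising instead of declining: seek a second opinion.
        "second_opinion_recommended": bool(new_critical) or cur_score > base_score,
    }

if __name__ == "__main__":
    for key, value in compare_audits(BASELINE_2023, CURRENT_2024).items():
        print(f"{key}: {value}")
```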
Objectives: Know What You Want
Spell out what you’re looking for before you start interviewing audit firms. If there’s a security breach in a system that was outside the scope of the audit, it could mean you did a poor or incomplete job defining your objectives.
Let’s take a very limited audit as an example of how detailed your objectives should be. Let’s say you want an auditor to review a new Check Point firewall deployment on a Red Hat Linux platform. You would want to make sure the auditor plans to:
Review and document the security mechanisms configured on the Check Point firewall and the Check Point Management Station.
Review the Check Point firewall configuration to evaluate possible exposures to unauthorized network connections.
Review the Red Hat Linux OS configuration to harden it against security exposures.
Review router configuration and logging procedures.
From a security perspective, certify the firewall and OS for production.
Document disaster recovery procedures for the firewall and OS and “good housekeeping” procedures for Check Point’s Object Management.
Perform a penetration test once the firewall and OS are in production.
Hiring an Auditor
You may be tempted to rely on an audit by internal staff. Don’t be. Keeping up with patches, making sure OSes and applications are securely configured, and monitoring your defense systems is already more than a full-time job. And no matter how diligent you are, outsiders may well spot problems you’ve missed.
The Audit Report
The audit’s done, and you look at the report. Did you get your money’s worth? If the findings follow some standard checklist that could apply to any organization, the answer is “no.” If you see pages of reports generated by a vulnerability scanner, but no independent analysis, the answer is, again, “no.”
The report should also make clear what the audited system’s current security health is in its own right, independent of the recommendations it makes. Remember, the purpose of the audit is to get an accurate snapshot of your organization’s security posture and provide a road map for improving it. Do it right, and do it regularly, and your systems will be more secure with each passing year.
Read more at www.grayhats.in/blog
Contact us for a Network Security Audit – www.grayhats.in
Email – care@grayhats.in