12 Steps for a Security Audit

1. Make an Asset list (Inventory): a detailed list of all hardware and software owned by the business, and review any Security Plan or Policy that the company has.
2. Make a Threats list: software that is unpatched or not updated, Trojans, worms, audit logging not enabled, Windows updates not kept up to date, no passwords, and unsecured passwords (ex. an employee's post-it note taped on the computer or desk with the password written on it).
3. Prioritize Assets and Vulnerabilities (RISK = Probability x Harm): which assets need to be secured and protected the most? List the assets in order of importance or value to the business.
4. Is the business implementing NACs (ex. ACLs)? Look for ACLs (Access Control Lists) that are not used or not kept up to date, and for a lack of users who are educated in how to use and monitor ACLs in Active Directory.
5. Is the business implementing IPSs (ex. Firewalls)? Look for firewalls that are not on or not used, and Anti-virus/Anti-Spyware/Anti-Malware programs that are not on and updated regularly.
6. Are there Audit logs to review and identify attempts to access the network (ex. Audit logs from Event Viewer)? Review past incidents and how to prevent future events.
7. Is the business implementing IAM (Information Assurance Management)? Check whether STIGs (Security Technical Implementation Guides) are used for the business, whether they are being adhered to, and whether users are educated in how to prevent data breaches.
8. Are there Back-up policies? (ex. no back-ups being done, not being done often enough, not placing back-ups in a secure area, or using only one tape and the tape gets corrupted or lost) Back up your back-ups!
9. Are email communications being protected and filtered? Emails and their attachments are the number one way that Trojans and worms gain access to the network. Educate users to not open any emails or attachments from people that they don't know. When in doubt, DON'T!
10. Is the business using intrusion detection systems on their network? (ex. IDS or HIDS)
11. Are key personnel who are responsible for security of the network educated regarding DoD's policies and guidelines? Interview employees to assess their level of understanding of company Security Policies, whether they adhere to them, and to what degree they follow the policies.
12. Is physical access to assets and resources being protected by an Intrusion Prevention System (IPS)? Companies like ADT offer intrusion detection and prevention, including video surveillance systems. But ADT costs money, and even more important is protecting physical access by using locks and having employees that will adhere to the Security Plan. If the locks aren't used, they are useless!
So, to me, user education is the number one preventative to Security breaches! A business can spend an exorbitant amount of money on purchasing all the newest gadgets and software, but if the people don't know how to use them, then they are wasted revenue. The purpose of a Security Audit is not to access or corrupt sensitive data, but to document and identify files at risk, expose the truth about a network's potential problems, and suggest solutions.
Review the business's Security Policy, if it has one, and assess whether it is being adhered to, and to what degree.
The company that we audited was for some doctors and their clinics, Doctors Alonzo and Zamora, the AZI, Incorporation, which has five offices, with one of the offices as the Central Office, where the Servers are kept. There are also the North, South, West, and East offices, which are located around the Houston area.
We used the Who, What, When, Where and How analogy:
Who = 1 auditor, 5 offices, 2 doctors, 10 nurses, 5 medical records/receptionists, and 1 office manager located at the Central Office.
What = procedures that needed to be done, auditing logs reviewed, personnel interviewed, list of assets inventoried: all hardware and software = 25 workstations, 5 servers, 2 laptops for doctors, routers, switches, and 5 printers.
When = clinics are open in daytime hours, so auditing is done after hours or on the weekend, in order to not disrupt business.
How = the audit will be done by 1 auditor with a Laptop/Notebook computer with at least 4 GB memory and dual-boot operating systems, using auditing tools such as CyberCop Security Scanner, which is a port scanner, password cracker, and network information tool, and Nessus, which is an exploit tester. Also, NETSTAT can be used to provide a dynamic view of currently open or active network connections on the machine, and is useful for locating network services that are running on the machine.
Why = identify security risks that may occur in the future (the Problem), suggest Solutions or alternatives, and state the consequences of not applying changes or improvements. Alternatives could be to:
a.    Do nothing! Leave the door open for your network to be hacked or compromised.
b.    Educate users on how to secure their data=People
c.    Purchase or obtain new tools=Products
d.    Make Security Plan or Policy=Procedures
The objective of the Security Audit is to identify potential Problems and suggest steps to prevent as many security Problems as possible, and outline Solutions for the issues.
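
The NETSTAT check mentioned under "How" can be turned into a repeatable audit step by comparing the services a machine is listening on against what the Security Policy allows. The following is an added example, not part of the original post; the sample `netstat -ano` output is constructed, and the `APPROVED` baseline and function names are assumptions made for illustration.

```python
# Constructed sample of Windows `netstat -ano` output (not from a real host).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1100
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:49712     192.168.1.5:445        ESTABLISHED     4
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:161            *:*                                    2044
"""

# Hypothetical baseline: (protocol, port) pairs the Security Policy allows.
APPROVED = {("TCP", 135), ("TCP", 139), ("TCP", 445)}


def listening_sockets(text):
    """Return (proto, address, port, pid) for listening TCP and bound UDP sockets."""
    found = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue  # header or blank line
        if fields[0] == "TCP" and (len(fields) < 5 or fields[3] != "LISTENING"):
            continue  # an active connection, not a service waiting for clients
        # UDP rows have no State column, so every bound UDP socket is kept.
        address, _, port = fields[1].rpartition(":")  # also handles [::]:445
        found.append((fields[0], address, int(port), int(fields[-1])))
    return found


def unapproved(sockets, approved):
    """Map each (proto, port) missing from the baseline to its addresses and PIDs."""
    findings = {}
    for proto, address, port, pid in sockets:
        if (proto, port) not in approved:
            entry = findings.setdefault((proto, port), {"addresses": set(), "pids": set()})
            entry["addresses"].add(address)
            entry["pids"].add(pid)
    return findings


if __name__ == "__main__":
    for (proto, port), info in sorted(unapproved(listening_sockets(SAMPLE), APPROVED).items()):
        print(proto, port, sorted(info["addresses"]), sorted(info["pids"]))
```

Each finding carries the owning PID, so the auditor can match it to a process and record in the report whether the service is needed or should be disabled.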

