
Module-4

Information Security Audit


Preparation
Information Security Audit Methodology

• Need for a Methodology


– Audits need to be planned and have a certain
methodology to cover the total material risks of an
organization.
– A planned methodology is also important as this
clarifies the way forward to all in the organization
and the audit teams.
– Which methodology and technique is used is less
important than having all the participants within the
audit approach the subject in the same manner.
Information Security Audit Methodology

• Audit methodologies
– There are two primary methods by which audits
are performed.
– Start with the overall view of the corporate
structure and drill down to the minutiae; or begin
with a discovery process that builds up a view of
the organization.
Information Security Audit Methodology

• Audit methodologies
• a. Testing
– Pen tests and other testing methodologies are used to explore
vulnerabilities. In other words, exercising one or more
assessment objects to compare actual and expected
behaviors.
• b. Examination and Review
– This includes reviewing policies, processes, logs, other
documents, practices, briefings, situation handling, etc. In
other words, checking, inspecting, reviewing, observing,
studying, or analyzing assessment objects.
• c. Interviews and Discussion
– This involves group discussions, individual interviews, etc.
Information Security Audit Methodology

• Auditing techniques:
1. Examination Techniques
2. Target Identification and Analysis Techniques
3. Target Vulnerability Validation Techniques
Information Security Audit Methodology

• Auditing techniques:
1. Examination Techniques
• Examination techniques are generally conducted manually
to evaluate systems, applications, networks, policies,
and procedures and to discover vulnerabilities.
• Techniques include
– Documentation review
– Log review
– Rule set and system configuration review
– Network sniffing
– File integrity checking
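File integrity checking, as an added example that is not part of the original slides: record a baseline of SHA-256 hashes for the files under a directory, then compare the live tree against that baseline and report what was modified, added or removed. The directory, file names and contents are constructed inside the script so it runs offline; in a real audit the baseline would be stored away from the host being checked.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Added example (not from the slides): file integrity checking as an
# examination technique. Baseline a tree of files by hash, then verify.


def file_sha256(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files are handled."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file (path relative to root) to its SHA-256."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(root).as_posix()] = file_sha256(p)
    return baseline


def verify_against_baseline(root: Path, baseline: dict) -> dict:
    """Files that changed, appeared, or disappeared since the baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(f for f in baseline
                           if f in current and current[f] != baseline[f]),
        "added": sorted(f for f in current if f not in baseline),
        "missing": sorted(f for f in baseline if f not in current),
    }


def demo() -> dict:
    """Constructed scenario: baseline a config directory, then simulate drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        # the baseline would normally be written to off-host storage;
        # round-trip through JSON here to show it serialises cleanly
        stored = json.loads(json.dumps(build_baseline(root)))
        # simulated drift: a setting changed, a file removed, a file added
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "etc" / "hosts").unlink()
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "job").write_text("0 3 * * * root /usr/local/bin/backup\n")
        return verify_against_baseline(root, stored)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The report separates the three cases because they call for different follow-up in an audit: a modified file is compared against change records, a missing file against decommissioning records, and an added file against the approved software and job inventory.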
Information Security Audit Methodology

• Auditing techniques:
2. Target Identification and Analysis Techniques
• Testing techniques, generally performed with
automated tools, that identify systems, ports,
services, and potential vulnerabilities.
• Techniques include
– Network discovery
– Network port and service identification
– Vulnerability scanning
– Wireless scanning
– Application security examination
Information Security Audit Methodology

• Auditing techniques:
3. Target Vulnerability Validation Techniques
• Testing techniques that corroborate the existence of
vulnerabilities; these may be performed manually or
with automated tools.
• Techniques include
– Password cracking
– Penetration testing
– Social engineering
– Application security testing
Audit Process
Auditing Security Practices
• Evaluation against the organization's own security policy
and security baselines
• Regulatory/industry compliance: Health Insurance
Portability and Accountability Act (HIPAA), Sarbanes-Oxley
Act (SOX), Gramm-Leach-Bliley Act (GLBA), and Payment Card
Industry (PCI)
• Evaluation against standards such as NIST 800 or ISO
27002
• Governance frameworks such as COBIT or COSO
Auditing Security Practices
• The following are types of assessments that might
be performed to test security controls:
– Risk assessments
– Policy assessment
– Social engineering
– Security design review
– Security process review
– Interviews
– Observation
– Document review
– Technical review
Checklists and Templates
• It is important to develop and use standard checklists for
audits as this ensures that data is collected in a uniform
manner.
• It also ensures that no data point or activity critical to be
covered is omitted.
• One must ensure the templates and checklists are agreed
upon prior to use and from recognized sources.
• These should be understood commonly by all participating in
the audit.
• It is important that those carrying out the audit understand
the importance of capturing information in detail.
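A checklist that enforces uniform data capture, as an added example that is not part of the original slides: every item carries the agreed source it was taken from, answers are restricted to a fixed set, and a completeness check reports items that are unanswered, answered outside the agreed vocabulary, or answered yes/no without captured evidence. The item ids, questions and policy references are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Optional

# Added example, not from the slides: a standard checklist whose items come
# from an agreed source, with a completeness check so that no data point is
# silently omitted. Item ids and policy references are hypothetical.

VALID_ANSWERS = {"yes", "no", "n/a"}


@dataclass
class ChecklistItem:
    item_id: str
    question: str
    reference: str                 # agreed source the item was taken from
    answer: Optional[str] = None   # "yes", "no" or "n/a"
    evidence: str = ""             # where the supporting detail was captured


@dataclass
class AuditChecklist:
    name: str
    items: list = field(default_factory=list)

    def record(self, item_id: str, answer: str, evidence: str = "") -> None:
        """Capture one answer; ids not on the template are rejected."""
        for item in self.items:
            if item.item_id == item_id:
                item.answer = answer.strip().lower()
                item.evidence = evidence.strip()
                return
        raise KeyError(f"{item_id} is not on the agreed checklist")

    def gaps(self) -> dict:
        """Items that would leave the audit record incomplete or non-uniform."""
        unanswered = [i.item_id for i in self.items if i.answer is None]
        invalid = [i.item_id for i in self.items
                   if i.answer is not None and i.answer not in VALID_ANSWERS]
        # a yes/no answer with no evidence cannot be verified later
        no_evidence = [i.item_id for i in self.items
                       if i.answer in ("yes", "no") and not i.evidence]
        return {"unanswered": unanswered, "invalid_answer": invalid,
                "no_evidence": no_evidence}

    def is_complete(self) -> bool:
        return not any(self.gaps().values())

    def coverage(self) -> float:
        """Fraction of items that are answered with evidence (or marked n/a)."""
        if not self.items:
            return 0.0
        done = sum(1 for i in self.items
                   if i.answer == "n/a" or (i.answer in ("yes", "no") and i.evidence))
        return done / len(self.items)


def build_sample_checklist() -> AuditChecklist:
    """Constructed checklist for the log-review area of an audit."""
    return AuditChecklist("Log review", [
        ChecklistItem("LOG-01", "Are authentication failures logged?", "policy 4.2 (hypothetical)"),
        ChecklistItem("LOG-02", "Are logs forwarded to a central collector?", "policy 4.3 (hypothetical)"),
        ChecklistItem("LOG-03", "Is log retention at least 90 days?", "policy 4.4 (hypothetical)"),
        ChecklistItem("LOG-04", "Are wireless controller logs reviewed?", "policy 4.5 (hypothetical)"),
    ])


def demo() -> dict:
    cl = build_sample_checklist()
    cl.record("LOG-01", "Yes", "screenshot of auth.log, 2024-03-11")
    cl.record("LOG-02", "no")                      # answered, no evidence captured
    cl.record("LOG-04", "N/A", "no wireless in scope")
    return cl.gaps()


if __name__ == "__main__":
    print(demo())
```

Because `record` refuses ids that are not on the template, an auditor cannot add ad-hoc data points mid-audit; changes to the checklist have to go back through the agreement step the slide describes.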
Information Security Audit Tasks
• Pre-audit tasks
• Information gathering
• External Security Audit
• Internal Network Security Auditing
• Firewall Security Auditing
• IDS Security Auditing
• Social Engineering Audit
Information Security Audit Tasks
• Pre-audit tasks
– During this phase, the auditors determine the
main area/s of focus for the audit and any areas
that are explicitly out-of-scope, based normally on
an initial risk-based assessment plus discussion
with those who commissioned the audit.
– Information sources include general research on
the industry and the organization, previous and
perhaps other audit reports, and documents such
as the Statement of Applicability, Risk Treatment
Plan and Security Policy.
Information Security Audit Tasks
• Pre-audit tasks
– During the pre-audit survey, the ISMS auditors identify and
ideally make contact with the main stakeholders in the
ISMS such as the ISM manager/s, security architects, ISMS
developers, ISMS implementers and other influential
figures such as the CIO and CEO, taking the opportunity to
request pertinent documentation etc. that will be reviewed
during the audit.
– The organization normally nominates one or more audit
"escorts", individuals who are responsible for ensuring that
the auditors can move freely about the organization and
rapidly find the people, information etc. necessary to
conduct their work, and act as management liaison points.
Information Security Audit Tasks
• Information Gathering
– Information gathering is essentially using the
Internet to find all the information you can about
the target (company and/or person) using both
technical (DNS/WHOIS) and non-technical (search
engines, news groups, mailing lists etc.) methods.
Information Security Audit Tasks
• Information Gathering
– Information gathering does not require that the
assessor establishes contact with the target system.
– Information is collected (mainly) from public
sources on the Internet and from organizations that hold
public information (e.g. tax agencies, libraries, etc.).
– The information gathering section of the penetration
test is important for the penetration tester.
– Assessments are generally limited in time and
resources.
Information Security Audit Tasks
• Information Gathering
– 1. Spiders, Robots and Crawlers:
• This phase of the Information Gathering process
consists of browsing and capturing resources related to
the application being tested.
– 2. Search Engine Discovery/Reconnaissance:
• Search engines, such as Google, can be used to discover
issues related to the web application structure or error
pages produced by the application that have been
publicly exposed.
Information Security Audit Tasks
• Information Gathering
– 3. Identify application entry points:
• Enumerating the application and its attack surface is a key
precursor before any attack should commence. This section
will help you identify and map out every area within the
application that should be investigated once your
enumeration and mapping phase has been completed.
– 4. Testing Web Application Fingerprint:
• Application fingerprint is the first step of the Information
Gathering process; knowing the version and type of a
running web server allows testers to determine known
vulnerabilities and the appropriate exploits to use during
testing.
Information Security Audit Tasks
• Information Gathering
– 5. Application Discovery:
• Application discovery is an activity oriented to the
identification of the web applications hosted on a web
server/application server.
• This analysis is important because often there is no direct
link connecting the main application backend.
• Discovery analysis can be useful in revealing details such as
web applications used for administrative purposes.
• In addition, it can reveal old versions of files or artifacts
such as undeleted, obsolete scripts, crafted during the
test/development phase or as the result of maintenance.
Information Security Audit Tasks
• Information Gathering
6. Analysis of Error Codes:
– During a penetration test, web applications may divulge
information that is not intended to be seen by an end user.
– Information such as error codes can inform the tester about
technologies and products being used by the application.
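Points 4 (web application fingerprint) and 6 (analysis of error codes) from the auditor's side, as an added example that is not part of the original slides: review a set of captured HTTP responses and produce findings for product/version disclosure in banner headers, and for stack traces or server banners that appear in error pages. The responses are constructed inside the script (no site is contacted); the issue names, the header list and the marker strings are the example's own choices.

```python
import re

# Added example, not from the slides: reviewing captured HTTP responses for
# the information disclosure that fingerprinting and error-code analysis
# look for. The responses below are constructed, not from any real site.

# (status, headers, body) per path -- constructed sample captures
SAMPLE_RESPONSES = {
    "/": (200, {"Server": "Apache/2.4.41 (Ubuntu)", "X-Powered-By": "PHP/7.4.3"},
          "<html><body>Welcome</body></html>"),
    "/missing": (404, {"Server": "Apache/2.4.41 (Ubuntu)"},
                 "<h1>Not Found</h1><address>Apache/2.4.41 (Ubuntu) Server at example.test Port 80</address>"),
    "/api/items": (500, {"Server": "nginx"},
                   'Traceback (most recent call last):\n  File "/srv/app/views.py", line 42, in items\nKeyError: \'sku\''),
    "/health": (200, {"Server": "nginx"}, "ok"),
}

# product/version token such as Apache/2.4.41 or PHP/7.4.3
VERSION_RE = re.compile(r"[A-Za-z][\w.-]*/\d+(?:\.\d+)+")
# fragments that normally appear only when a framework leaks its internals
STACK_TRACE_MARKERS = ("Traceback (most recent call last)", "Stack trace:",
                       "at java.", "Fatal error:", "ORA-", "Warning: ")
BANNER_HEADERS = ("Server", "X-Powered-By")


def fingerprint(headers: dict) -> list:
    """Product/version tokens disclosed by banner-style headers."""
    tokens = []
    for name in BANNER_HEADERS:
        value = headers.get(name, "")
        tokens.extend(m.group(0) for m in VERSION_RE.finditer(value))
    return tokens


def review_response(path: str, status: int, headers: dict, body: str) -> list:
    """Findings for one response: version disclosure in headers and, on
    error responses, stack traces or server banners in the body."""
    findings = []
    for token in fingerprint(headers):
        findings.append({"path": path, "issue": "version disclosed in response header",
                         "detail": token})
    if status >= 400:
        if any(marker in body for marker in STACK_TRACE_MARKERS):
            findings.append({"path": path, "issue": "stack trace in error response",
                             "detail": f"HTTP {status}"})
        for m in VERSION_RE.finditer(body):
            findings.append({"path": path, "issue": "server banner in error page",
                             "detail": m.group(0)})
    return findings


def review_site(responses: dict) -> list:
    findings = []
    for path, (status, headers, body) in responses.items():
        findings.extend(review_response(path, status, headers, body))
    return findings


def summarize(findings: list) -> dict:
    """Count of findings per issue type, for the results section of the report."""
    counts = {}
    for f in findings:
        counts[f["issue"]] = counts.get(f["issue"], 0) + 1
    return counts


if __name__ == "__main__":
    found = review_site(SAMPLE_RESPONSES)
    for f in found:
        print(f)
    print(summarize(found))
```

The body checks run only on error responses (status 400 and above) because that is where the slides place the disclosure; the header check runs on every response, since banner headers are sent regardless of status. The usual remediation recorded against these findings is to suppress version tokens in the banner headers and to serve generic error pages.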
Information Security Audit Tasks
• Information Gathering Methodology
– Phase One
• Network survey
– Phase Two
• OS identification (sometimes referred to as TCP/IP stack
fingerprinting)
– Phase Three
• Port scanning
– Phase Four
• Services identification
Audit Report
• The document report includes:
– Summary of the test execution.
– Scope of the project.
– Result analysis.
– Recommendations.
– Appendixes.
Audit Report
• The summary should provide a short, high-level
overview of the test.
• It should contain the client’s name, testing firm, date
of test, and so on.
• Information about the targeted systems and
applications.
• End-user test results. Examine all exploits performed.
• The summary should include details of discovered
vulnerabilities.
Audit Report
• Scope of the project should include the IP
address ranges that are tested and mentioned
in the contract.
– Examining whether social engineering was
employed or not.
– Examining whether public or private networks
are tested or not.
– Examining whether Trojans and backdoor
software applications are permitted or not.
Audit Report
• The results analyzed should include:
– Domain name and IP address of the host
– TCP and UDP ports
– Description of the service
– Details of the test performed
– Vulnerability analysis
Audit Report
• Recommendations for improving the customer's security
are very important for the report to be accepted by the
customer.
• Appendices should include:
– Contact information
– Screen shots
– Log output
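Assembling the report sections listed on the preceding slides from structured results, as an added example that is not part of the original slides. Besides rendering the summary, scope, results (ordered by severity), recommendations and appendices, it performs two pre-delivery checks an auditor would want: that every result's IP address falls inside the ranges named in the contract, and that no required section or appendix is empty. The client, testing firm, hosts, ranges and findings are all constructed.

```python
import ipaddress
from dataclasses import dataclass, field

# Added example, not from the slides: build the report from structured
# results and check scope and completeness before delivery.
# All hosts, ranges and findings below are constructed.

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}
REQUIRED_APPENDICES = ("contact information", "screen shots", "log output")


@dataclass
class Result:
    domain: str
    ip: str
    port: int
    proto: str           # "tcp" or "udp"
    service: str
    test: str            # what was actually performed
    vulnerability: str   # "none" when the test found nothing
    severity: str


@dataclass
class AuditReport:
    client: str
    testing_firm: str
    test_date: str
    scoped_ranges: list          # IP ranges named in the contract
    social_engineering: bool
    public_networks: bool
    trojans_permitted: bool
    results: list = field(default_factory=list)
    recommendations: list = field(default_factory=list)
    appendices: dict = field(default_factory=dict)


def out_of_scope(report: AuditReport) -> list:
    """Results whose IP is not inside any contracted range."""
    nets = [ipaddress.ip_network(r, strict=False) for r in report.scoped_ranges]
    return [r for r in report.results
            if not any(ipaddress.ip_address(r.ip) in n for n in nets)]


def completeness_gaps(report: AuditReport) -> list:
    """Reasons the report is not yet ready to be issued."""
    gaps = []
    if not report.results:
        gaps.append("no results")
    if not report.recommendations:
        gaps.append("no recommendations")
    for name in REQUIRED_APPENDICES:
        if not report.appendices.get(name):
            gaps.append(f"appendix missing: {name}")
    gaps.extend(f"result outside contracted scope: {r.ip}" for r in out_of_scope(report))
    return gaps


def render(report: AuditReport) -> str:
    """Plain-text report in the section order the slides list."""
    yes_no = lambda b: "yes" if b else "no"
    ordered = sorted(report.results, key=lambda r: SEVERITY_RANK.get(r.severity, 99))
    lines = ["SUMMARY",
             f"Client: {report.client}; testing firm: {report.testing_firm}; date: {report.test_date}",
             f"Hosts tested: {len({r.ip for r in report.results})}; "
             f"vulnerabilities found: {sum(1 for r in report.results if r.vulnerability != 'none')}",
             "", "SCOPE",
             "IP ranges: " + ", ".join(report.scoped_ranges),
             f"Social engineering: {yes_no(report.social_engineering)}; "
             f"public networks: {yes_no(report.public_networks)}; "
             f"trojans/backdoors permitted: {yes_no(report.trojans_permitted)}",
             "", "RESULTS"]
    for r in ordered:
        lines.append(f"{r.domain} ({r.ip}) {r.port}/{r.proto} {r.service}: "
                     f"{r.test} -> {r.vulnerability} [{r.severity}]")
    lines += ["", "RECOMMENDATIONS"] + [f"- {rec}" for rec in report.recommendations]
    lines += ["", "APPENDICES"] + [f"{k}: {v}" for k, v in report.appendices.items()]
    return "\n".join(lines)


def sample_report() -> AuditReport:
    """Constructed report with one host outside the contracted range."""
    return AuditReport(
        client="Example Corp (constructed)", testing_firm="Audit Co (constructed)",
        test_date="2024-03-11", scoped_ranges=["192.0.2.0/24"],
        social_engineering=False, public_networks=True, trojans_permitted=False,
        results=[
            Result("www.example.test", "192.0.2.10", 443, "tcp", "https",
                   "TLS configuration review", "TLS 1.0 enabled", "medium"),
            Result("mail.example.test", "192.0.2.25", 25, "tcp", "smtp",
                   "banner review", "none", "info"),
            Result("legacy.example.test", "203.0.113.9", 21, "tcp", "ftp",
                   "anonymous login check", "anonymous FTP login permitted", "high"),
        ],
        recommendations=["Disable TLS 1.0 on www.example.test"],
        appendices={"contact information": "auditor@audit.test (constructed)",
                    "log output": "see attached scan.log (constructed)"},
    )


if __name__ == "__main__":
    rep = sample_report()
    print(render(rep))
    print("gaps:", completeness_gaps(rep))
```

A result outside the contracted ranges is treated as a blocking gap rather than silently dropped: it either reveals a scoping error in the contract or testing that exceeded authorization, and both need to be resolved with the customer before the report is issued.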
Disaster Recovery Plan
• Disaster recovery plans (DRP) seek to quickly redirect
available resources into restoring data and information
systems following a disaster.
• A disaster can be classified as a sudden event, including
an accident or natural disaster, that creates wide-scoping,
detrimental damage.
• In information management, DRPs are considered a
critical subset of an entity's larger business continuity
plan (BCP), which seeks to prepare for, prevent, and
recover from potential threats affecting an organization.
Disaster Recovery Plan
• While BCPs address all facets of an organization,
DRPs specifically focus on technology.
• DRPs provide instructions to follow when
responding to various disasters, including both
cyber and environment-related events.
• DRPs differ from incident response plans that
focus on information gathering and coordinated
decision making to understand and address a
specific event.
Disaster Recovery Plan
1. Create a disaster recovery team.
2. Identify and assess disaster risks
3. Determine critical applications, documents,
and resources
4. Specify backup and off-site storage
procedures
5. Test and maintain the DRP
Disaster Recovery Plan
1. Create a disaster recovery team. 
– The team will be responsible for developing,
implementing, and maintaining the DRP.
– A DRP should identify the team members, define
each member’s responsibilities, and provide their
contact information.
– The DRP should also identify who should be
contacted in the event of a disaster or emergency.
– All employees should be informed of and
understand the DRP and their responsibility if a
disaster occurs.
Disaster Recovery Plan
2. Identify and assess disaster risks. 
– Your disaster recovery team should identify and
assess the risks to your organization.
– This step should include items related to natural
disasters, man-made emergencies, and technology
related incidents.
– This will assist the team in identifying the recovery
strategies and resources required to recover from
disasters within a predetermined and acceptable
timeframe.
Disaster Recovery Plan
3. Determine critical applications, documents, and
resources. 
– The organization must evaluate its business processes to
determine which are critical to the operations of the
organization.
– The plan should focus on short-term survivability, such as
generating cash flows and revenues, rather than on a long
term solution of restoring the organization’s full functioning
capacity.
– However, the organization must recognize that there are
some processes that should not be delayed if possible.
– One example of a critical process is the processing of
payroll.
Disaster Recovery Plan
4. Specify backup and off-site storage procedures. 
– These procedures should identify what to back up, by
whom, how to perform the backup, location of backup and
how frequently backups should occur.
– All critical applications, equipment, and documents should
be backed up.
– Documents that you should consider backing up are the
latest financial statements, tax returns, a current list of
employees and their contact information, inventory
records, customer and vendor listings.
– Critical supplies required for daily operations, such as
checks and purchase orders, as well as a copy of the DRP,
should be stored at an off-site location.
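Checking a backup procedure against what actually ran, as an added example that is not part of the original slides: the procedure table records what is backed up, by whom, how, where and how often, a constructed backup log records what succeeded, and the check reports every asset whose last successful backup is older than its agreed interval (or that has never been backed up). Asset names, owners, locations and log lines are all constructed; the log format is the example's own.

```python
from datetime import datetime, timedelta, timezone

# Added example, not from the slides: compare the agreed backup procedure
# (what, by whom, how, where, how often) with a constructed backup log and
# report anything overdue. All names and log lines are constructed.

BACKUP_PROCEDURES = [
    {"asset": "payroll-db", "owner": "dba-team", "method": "full database dump",
     "location": "offsite vault A", "every_hours": 24},
    {"asset": "financial-statements", "owner": "finance", "method": "file copy",
     "location": "offsite vault A", "every_hours": 168},
    {"asset": "employee-contacts", "owner": "hr", "method": "file copy",
     "location": "offsite vault B", "every_hours": 168},
    {"asset": "drp-document", "owner": "recovery-team", "method": "file copy",
     "location": "offsite vault B", "every_hours": 720},
]

# constructed log, one line per run: "<ISO-8601 UTC timestamp> <asset> <OK|FAILED>"
BACKUP_LOG = """\
2024-03-08T02:00:00Z financial-statements OK
2024-03-09T02:00:00Z payroll-db OK
2024-03-10T02:00:00Z payroll-db OK
2024-03-10T02:30:00Z drp-document OK
2024-03-11T02:05:00Z payroll-db FAILED
2024-03-11T02:06:00Z garbage line that should be skipped
"""


def parse_log(text: str) -> list:
    """Return (timestamp, asset, status) tuples; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2] not in ("OK", "FAILED"):
            continue
        ts = datetime.fromisoformat(parts[0].replace("Z", "+00:00"))
        entries.append((ts, parts[1], parts[2]))
    return entries


def last_success(entries: list) -> dict:
    """Most recent OK timestamp per asset; failed runs do not count."""
    latest = {}
    for ts, asset, status in entries:
        if status == "OK" and (asset not in latest or ts > latest[asset]):
            latest[asset] = ts
    return latest


def overdue_backups(procedures: list, entries: list, now: datetime) -> list:
    """Assets whose last good backup is older than the agreed interval, or absent."""
    latest = last_success(entries)
    findings = []
    for proc in procedures:
        last = latest.get(proc["asset"])
        allowed = timedelta(hours=proc["every_hours"])
        if last is None:
            findings.append({"asset": proc["asset"], "owner": proc["owner"],
                             "last_success": None, "hours_overdue": None})
        elif now - last > allowed:
            overdue = (now - last - allowed).total_seconds() / 3600
            findings.append({"asset": proc["asset"], "owner": proc["owner"],
                             "last_success": last.isoformat(),
                             "hours_overdue": round(overdue, 1)})
    return sorted(findings, key=lambda f: f["asset"])


def demo() -> list:
    """Evaluate the constructed log at a fixed point in time."""
    now = datetime(2024, 3, 11, 12, 0, tzinfo=timezone.utc)
    return overdue_backups(BACKUP_PROCEDURES, parse_log(BACKUP_LOG), now)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Each finding names the owner from the procedure table, so the follow-up goes to the person the plan already made responsible; a failed run only matters here through its effect on the last successful timestamp, which is what the recovery time actually depends on.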
Disaster Recovery Plan
5. Test and maintain the DRP. 
– Disaster recovery planning is a continual process
as risks of disasters and emergencies are always
changing.
– It is recommended that the organization routinely
test the DRP to evaluate the procedures
documented in the plan for effectiveness and
appropriateness.
– The recovery team should regularly update the
DRP to accommodate for changes in business
processes, technology, and evolving disaster risks.
