Information Systems

Audit
&
Information Security
Audit
• Information System Audit and Information Security Audit are two tools that are used to
ensure safety and integrity of information and sensitive data.
Information Security Audit

The three main types of security diagnostics:

• Information security audits
• Vulnerability assessments
• Penetration testing

Security audits are a formal process, carried out by certified auditing professionals to
measure an information system's performance against a list of criteria.

Computer security auditors perform their work though personal interviews, reviewing
policies, vulnerability scans, examination of operating system settings, analyses of network
shares, and historical data and logs.
Some of the purposes of audits are listed
a. Build awareness of current practices and risks
b. Reducing risk, by evaluating, planning and supplementing security efforts
c. Strengthening controls including both automated and human
d. Compliance with customer and regulatory requirements and expectations
e. Building awareness and interaction between technology and business teams
f. Improving overall IT governance in the organization
Scope of the Audit

The scope of the audit depends upon:

a. Site business plan
b. Type of data assets to be protected
c. Value of importance of the data and relative priority
d. Previous security incidents
e. Time available
f. Auditors experience and expertise
To be covered in audits
Key questions that security audits attempt to answer

• Are passwords secure and difficult to crack?

• Are access control lists (ACLs) in place on network devices to control who
has access to shared data?
• Are there audit logs to record to identify who accesses data?
• Are the audit logs reviewed effectively and how are they reviewed?
• Are the security settings for operating systems in accordance with
accepted industry security practices?
• How are unnecessary applications and computer services managed? Are
they eliminated in a timely and effective manner for each system?
• Are these operating systems and commercial applications patched? How and when did the
patching take place?
• How is backup media stored? What is the backup policy and is it followed? Who has access
to the backup media and is it up-to-date?
• Is there a disaster recovery plan? Have the participants and stakeholders ever rehearsed
the disaster recovery plan? Does it have gaps in its construct?
• Are there adequate cryptographic tools in place to govern data encryption, and have these
tools been properly configured?
• What security considerations were used while writing custom-built applications, are these
adequate and well documented?
• How have these custom applications been tested for security flaws?
• How are configuration and code changes documented at every level? How are these
records reviewed and who conducts the review?
The selection of the level of complexity of an organization
according to the following criteria

• What does the system landscape look like (number of systems and level of
heterogeneity
of the systems used)?
• How many network gateways are there?
• Which and how many IT applications are used in the organization? Are they used to
support critical business processes?
• Are higher-level procedures used that may affect realms outside of the organization?
• How high is the protection requirement for the infrastructure, systems, and IT
applications?
Is the organization active in areas critical to security (for example, is it a security
agency)?
What makes a good security audit?

The development and dissemination of the IS Auditing Standards

by Information Systems Audit and Control Association (ISACA)
A good security audit may likely include the following:

•  Clearly defined objectives

•  Coverage of security is comprehensive and cross-cutting audit across
the entire organization. Partial audits may be done for specific purposes.
•  Audit team is experienced, independent and objective. Every audit team
should consist of at least two auditors to guarantee the independence and
objectivity of the audit (” two -person rule”). There credentials should be
verifiable.
•  There is unrestricted right to obtain and view information.
•  Important IS audit meetings such as the opening and the closing
meetings as well as the interviews should be conducted as a team. This
procedure ensures objectivity, thoroughness, and impartiality.
•  No member of the audit team, for reasons of independence and objectivity, should
have participated directly in supporting or managing the areas to be audited, e.g.
they must not have been involved in the development of concepts or the
configuration of the IT systems.
•  It should be ensured that actual operations in the organization are not significantly
disrupted by the audit when initiating the audit. The auditors never actively intervene
in systems, and therefore should not provide any instructions for making changes to
the objects being audited.
•  Management responsibility for supporting the conduct of a fair and
comprehensive audit.
•  Appropriate communication and appointment of central point of contact and other
support for the auditors.
•  The execution is planned and carried out in a phase wise manner
Functions in an Audit

A. Define the security perimeter – what is being examined?

B. Describe the components – and be detailed about it.
C. Determine threats – what kinds of damage could be done to the systems
D. Delineate the available tools – what documents and tools are in use or need to be
created?
E. Reporting mechanism – how will you show progress and achieve validation in all areas?
F. Review history – is there institutional knowledge about existing threats?
G. Determine Network Access Control list – who really needs access to this?
H. Prioritize risk – calculate risk as Risk = probability * harm
I. Delineate mitigation plan – what are the exact steps required to minimize the threats?
J. Implement procedures – start making changes.
K. Review results – perform an After Action Review (AAR) on the audit process
Types of Security Audit

• Internal Audit :
• conducted by experts linked to the organization,
• it involves a feedback process where the auditor may not only audit the system but also
potentially provide advice in a limited fashion.
• External audit
• conducted by independent, certified parties in an objective manner
• identifying and reporting any implementation and control gaps based on stated policies and
standards such as the COBIT
• to lead the client to a source of accepted principles and sometimes correlated to current best
practices
• audit types based on standards followed : include SSAE 16 audits (Type I or II), audits of ISO
9001, ISO/IEC 17799, ISO/IEC 27001, ISO 27018 cloud security standard and audits of Industry
specific standards such as HIPPA controls.
Some of the specific audits
• Penetration Test
• Vulnerability Audit
• Web Application Security Audit
• Mobile Application Security Audit
• Audit Overall Concept
• IT-Risk Analyses
• Audit Access Control / Social Engineering
• Architecture, Design and Code Review
• Wireless Systems Audit
• Embedded Systems Audit
• Information Protection Audit
• Roles and Rights Audit
• Endpoint Audit (clients)
• Digital Guard Service
• Configuration Audit (firewalls, servers, etc.)
Phases of Information Security Audit

• Pre-audit agreement stage

• Initiation and Planning stage
• Data collection and fieldwork (Test phase)
• Analysis
• Reporting
• Follow-through
Information Security Audit Methodology

• Need for a Methodology

• Audits need to be planned and have a certain methodology to cover the total material risks of
an organization
• Audit methodologies
• overall view of the corporate structure
• drill down to the minutiae
• Audit methods may also be classified according to type of activity
• Testing
• Examination and Review
• Interviews and Discussion
Auditing techniques
• Examination Techniques
• conducted manually to evaluate systems, applications, networks, policies, and procedures to
discover vulnerabilities
• Techniques:
• Documentation review
• Log review
• Ruleset and system configuration review
• Network sniffing
• File integrity checking
• Target Identification and Analysis Techniques
• performed using automated tools used to identify systems, ports, services, and potential
vulnerabilities
• Techniques:
• Network discovery
• Network port and service identification
• Vulnerability scanning
• Wireless scanning o
• Application security examination
• Target Vulnerability Validation Techniques: corroborate the existence of vulnerabilities,
these may be performed manually or with automated tools
• Techniques include
• Password cracking
• Penetration testing
• Social engineering
• Application security testin
Security Testing Frameworks

• security testing methodologies being used today by security auditors for technical control
assessment.
• Four of the most common are as follows:
•  Open Source Security Testing Methodology Manual (OSSTMM)
•  Information Systems Security Assessment Framework (ISSAF)
•  NIST 800-115
•  Open Web Application Security Project (OWASP
OSSTMM

• OSSTMM manual highlights the systems approach to security testing by dividing

assessment areas into six interconnected modules
• Information Security: Competitive intelligence, data leakage, and privacy review
• Process Security: Access granting processes and social engineering testing
• Internet Technologies Security: Network mapping, port scanning, service and operating system
(OS) identification, vulnerability scanning, Internet app testing, router/firewall testing, IDS
testing, malicious code detection, password cracking, denial of service, and policy review
• Communications Security: Private branch exchange (PBX)/phone fraud, voicemail, fax, and
modem
• Wireless Security: 802.11, Bluetooth, handheld scanning, surveillance, radio frequency
identification (RFID), and infrared  Physical Security: Perimeter, monitoring, access control,
alarm systems, and environmen
ISSAF
• one of the largest free-assessment methodologies available
• split into two primary documents :One is focused on the business aspect of security, and
the other is designed as a penetration test framework.

NIST 800-115
provides guidance and a methodology for reviewing security that is required for the U.S.
government's various departments to follow
not as detailed as the ISSAF or OSSTMM, but it does provide a repeatable process for the
conduction of security reviews
Document includes guidance of the following:
• Security testing policies
• Management's role in security testing
• Testing methods  Security review techniques
• Identification and analysis of systems
• Scanning and vulnerability assessments
• Vulnerability validation (pen testing)
• Information security test planning
• Security test execution
• Post-test activities
OWASP
• created to assist web developers and security practitioners to better secure web
applications.
• created to assist web developers and security practitioners to better secure web
applications.
• The OWASP testing methodology is split as follows:
• Information gathering
• Configuration management
• Authentication testing
• Session management
• Authorization testing
• Business logic testing
• Data validation testing
• Denial of service testing
• Web services testing
• AJAX testing
Audit Process

• 1. Establish a prioritized list of risks to an organization.

• 2. Delineate a plan to alleviate those risks.
• 3. Validate that the risks have been mitigated.
• 4. Develop an ongoing process to minimize risk.
• 5. Establish a cycle of reviews to validate the process on a perpetual basis
Auditing Security Practices

• to examine the organization’s policies, security governance structure, and security

objectives
• easiest to start with the organization’s policies and build your security auditing plan from
there
• Some criteria you can use to compare the service of security against are:
•  Evaluation against the organization’s own security policy and security baselines
•  Regulatory/industry compliance—Health Insurance Portability and Accountability Act
(HIPAA), Sarbanes-Oxley Act (SOX), Grahmm-Leach-Bliley Act (GLBA), and Payment Card
Industry (PCI)
•  Evaluation against standards such as NIST 800 or ISO 27002
•  Governance frameworks such as COBIT or Coso
• types of assessments that might be performed to test security controls
• Risk assessments:
• Policy assessment:
• Social engineering:
• Security design review
• Security process review:
• Interviews:
• Observation:
• Document review:
• Technical review:
Testing Security Technology

• two distinct levels of security testing commonly performed today

• Vulnerability assessment:
• Penetration test:
• Security control testing : certain type of individual and mind-set to figure out new
vulnerabilities and exploits
• four classes of penetration tests can be conducted
• Red Team/Blue Team assessment
•  White-Box
•  Black-Box
• Gray-box
• Red Team/Blue Team assessment:
• combat teams are tested to determine operational readiness
• war game, where the organization being tested is put to the test in as real a scenario as
possible.
• Red Team assessments are intended to show all of the various methods an attacker can use to
gain entry
• tests policy and procedures, detection, incident handling, physical security, security awareness, and
other areas that can be exploited
• used to simulate attacks and test the ability to develop defences for these attacks.
• Red team designate as the attacker and the Blue team as the defence mechanism builder.
• Black box testing
• This assumes no prior knowledge of the infrastructure to be tested. The testers must first
determine the location and extent of the systems before commencing their analysis.
• White box testing
• This provides the testers with complete knowledge of the infrastructure to be tested, often
including network diagrams, source code, and IP addressing information.
• Grey box testing
• These are the several variations in between the white and the black box, where the testers
have partial information. Penetration tests can also be described as "full disclosure" (white box),
"partial disclosure" (grey box), or "blind" (black box) tests based on the amount of information
provided to the testing party