Is it just me or does the word audit make you think of a very unpleasant time with the government's tax officials? Fear not though! In this article we will cover just what it means to have a computer security network audited, vice your personal finances.
Auditing your network
Alright now! Who amongst you has ever been audited by your respective country's tax department? Not a pleasant time that would be I am sure. Funny though how relational thinking works. For me, whenever I hear the word audit, I immediately start thinking of a tax audit, vice a computer security audit. Strange really as I am a contractor in the computer security world. Back to the matter at hand though. This article on auditing is a follow-on to my earlier article on compliance. This article in turn will be followed by another one based on event log/monitoring consolidation. All topics worthy of discussion really, as they can greatly aid you in your day to day goal of keeping your networks secure.
I alluded to earlier in my compliance article that the whole compliance issue can be a tad vague as to exactly what it is that needs to be done. Well if you are confused at the compliance stage then I imagine things don't really get a whole lot better at the auditing one. When it is literally your butt on the line, you want to make sure that you are doing exactly what it is that needs to be done. Well as luck would have it, auditing for legislative acts such as SOX and HIPAA is not really all that different from the mainstream pen-tests and vulnerability testing that I do for clients. So with that in mind we know then that traditional security testing methodologies are still sound. You just need to tailor them to your specific environment.
Let's take a SOX audit for example:
It really is rather difficult to be given a set of guidelines or steps to take if you can't relate them to something in your environment. There is nothing worse really than to be given a lot of empty words when all you want to hear is "just how do I relate this to my network". That is a very valid concern. So, on that note, what I shall do is give an example scenario whereby you will be shown some steps that could be used in a SOX audit. Cold, hard information is very much the preferred currency in the IT security world.
So imagine that you are the head IT security person in charge of a corporate network. The boss comes down to you and says they want to be sure that they are compliant with SOX. What the boss wants from you is a game plan that will show them just how the company will be compliant via a series of tests. Well that in turn means that you now have to get cracking and come up with an auditing strategy. Not really as hard as you may think for again, as stipulated above, sound computer network security principles come to the fore.
First thing to do is commit to paper what your game plan is. Nothing better than having a good old hard copy of what it is you are implementing. Follow this up with an email of the same document. It is always a good idea to have a paper trail as it were, for after all, it was the lack of a paper trail that in part led to SOX being enacted. What I would do first is perhaps the most boring and mundane of all. Develop a sound and doable password policy for your network. Not as easy as it sounds though. Most employees in the corporate network are guilty of using ridiculously easy passwords for their accounts. Coming up with a sane policy will help alleviate this first hurdle to SOX compliance. After you have promulgated your new password policy to the network users, ensure that you then in turn enforce it. Just as important as choosing difficult to crack passwords is the need to change them on a frequent basis. The normal tried and true method of handling this via your PDC or AD server is likely the best one. Give the screenshot below a quick look for some good advice from Microsoft on the subject.
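Enforcing the policy is one half of the job; the auditor will want evidence that the domain actually applies it. The PowerShell script below is an added example, not code from the original article. It reads the effective default domain password policy from Active Directory, compares it against a written baseline, and lists enabled accounts whose passwords never expire (and so escape the maximum-age rule). It assumes the ActiveDirectory module (RSAT) on a domain-joined host with rights to query the domain; the baseline numbers are assumed placeholder values standing in for whatever your own promulgated policy document states.

```powershell
# Added example (not from the original article). Compares the domain's
# effective default password policy against a written baseline and lists
# accounts that bypass it. Assumes the ActiveDirectory module (RSAT) on a
# domain-joined host with rights to query the domain.
Import-Module ActiveDirectory

# Assumed written policy: these values are placeholders for what your own
# policy document requires.
$Baseline = @{
    MinPasswordLength    = 12
    MaxPasswordAgeDays   = 90
    PasswordHistoryCount = 24
    ComplexityEnabled    = $true
    LockoutThreshold     = 5
}

function Test-DomainPasswordPolicy {
    param([hashtable]$Baseline)
    $policy   = Get-ADDefaultDomainPasswordPolicy
    $findings = @()

    if ($policy.MinPasswordLength -lt $Baseline.MinPasswordLength) {
        $findings += "MinPasswordLength is $($policy.MinPasswordLength); policy requires $($Baseline.MinPasswordLength)"
    }
    # MaxPasswordAge is a TimeSpan; zero means passwords never expire.
    $ageDays = $policy.MaxPasswordAge.TotalDays
    if ($ageDays -eq 0 -or $ageDays -gt $Baseline.MaxPasswordAgeDays) {
        $findings += "MaxPasswordAge is $ageDays days; policy requires at most $($Baseline.MaxPasswordAgeDays)"
    }
    if ($policy.PasswordHistoryCount -lt $Baseline.PasswordHistoryCount) {
        $findings += "PasswordHistoryCount is $($policy.PasswordHistoryCount); policy requires $($Baseline.PasswordHistoryCount)"
    }
    if ($Baseline.ComplexityEnabled -and -not $policy.ComplexityEnabled) {
        $findings += "Password complexity is disabled"
    }
    # LockoutThreshold of 0 means accounts are never locked out.
    if ($policy.LockoutThreshold -eq 0 -or $policy.LockoutThreshold -gt $Baseline.LockoutThreshold) {
        $findings += "LockoutThreshold is $($policy.LockoutThreshold); policy requires at most $($Baseline.LockoutThreshold)"
    }
    return $findings
}

# Accounts flagged "password never expires" sidestep MaxPasswordAge entirely,
# so each one needs a documented justification in the audit paper trail.
function Get-PasswordExemptAccounts {
    Search-ADAccount -PasswordNeverExpires -UsersOnly |
        Get-ADUser -Properties PasswordLastSet |
        Where-Object { $_.Enabled } |
        Select-Object SamAccountName, PasswordLastSet
}

$report = [pscustomobject]@{
    GeneratedAt = Get-Date
    PolicyGaps  = Test-DomainPasswordPolicy -Baseline $Baseline
    ExemptUsers = Get-PasswordExemptAccounts
}

# Keep the evidence next to the written game plan (assumed output path).
$report | ConvertTo-Json -Depth 3 | Out-File -FilePath '.\password-policy-audit.json'
$report
```

If the domain also uses fine-grained password policies, those override the default for the groups they apply to; `Get-ADFineGrainedPasswordPolicy -Filter *` lists them and the same comparison can be run against each one.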
It is important to try and keep your security as simple as possible, or else the users in your network may try to bypass it. Now for some concrete steps as promised. One big issue for almost every network and also one that is typically poorly implemented, is file shares. Rest assured that, when you are audited for SOX compliance, the auditors will be going over the file shares with a fine tooth comb. Going over who had access to what may not be the sexiest part of a security professional's job, but it is a vital one. You would be well advised to likely start from the ground up if you don't like what you see and devise an entirely new way to govern file access. File access can quickly become an ungainly beast if you don't keep a tight control over it and keep it organized logically. Don't forget that there is also a bevy of command line tools that you can use. Please see the screenshot below.
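Going over "who had access to what" is much easier when the first pass is scripted. The PowerShell script below is an added example, not code from the original article or the command-line tools in its screenshot. It enumerates the non-administrative SMB shares on the local server and flags any share-level or NTFS root permission that grants broad groups write-level access, which is the sort of thing an auditor will ask you to justify. It assumes Windows Server 2012 or later (the SmbShare module) and local administrator rights; the list of "broad" identities is an assumed starting set that you should adjust to your own domain groups.

```powershell
# Added example (not from the original article). Lists SMB shares whose
# share-level or NTFS root permissions give broad groups write access.
# Assumes the SmbShare module (Windows Server 2012+) and admin rights.
Import-Module SmbShare

# Assumed set of identities that should never hold write access on a
# governed share; extend with your own catch-all domain groups.
$BroadIdentities = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\ANONYMOUS LOGON',
    'BUILTIN\Users'
)

# Any of these NTFS rights lets the holder change or delete data.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

function Get-BroadShareAccess {
    $findings = @()
    # Administrative shares (C$, ADMIN$, IPC$) are expected; skip them.
    $shares = Get-SmbShare | Where-Object { -not $_.Special }
    foreach ($share in $shares) {
        # Layer 1: share permissions (what "net share" reports).
        foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $BroadIdentities -contains $ace.AccountName -and
                $ace.AccessRight -in @('Change', 'Full')) {
                $findings += [pscustomobject]@{
                    Share = $share.Name; Path = $share.Path; Layer = 'Share'
                    Identity = $ace.AccountName; Right = $ace.AccessRight
                }
            }
        }
        # Layer 2: NTFS permissions on the share root (what icacls reports).
        # Effective access is the more restrictive of the two layers, but a
        # broad grant in either one belongs in the audit record.
        if ($share.Path -and (Test-Path -LiteralPath $share.Path)) {
            foreach ($rule in (Get-Acl -LiteralPath $share.Path).Access) {
                if ($rule.AccessControlType -eq 'Allow' -and
                    $BroadIdentities -contains $rule.IdentityReference.Value -and
                    (($rule.FileSystemRights -band $WriteMask) -ne 0)) {
                    $findings += [pscustomobject]@{
                        Share = $share.Name; Path = $share.Path; Layer = 'NTFS'
                        Identity = $rule.IdentityReference.Value; Right = $rule.FileSystemRights
                    }
                }
            }
        }
    }
    return $findings
}

$results = Get-BroadShareAccess
# Keep the output with the rest of the audit paper trail (assumed path).
$results | Export-Csv -Path '.\share-access-audit.csv' -NoTypeInformation
$results | Format-Table -AutoSize
```

The script only inspects the share root; for a full picture, recurse into subfolders that break inheritance (`Get-ChildItem -Recurse -Directory` piped to `Get-Acl`) since that is where ad hoc grants tend to accumulate over the years.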
You can well imagine, I am sure, that due to the almost weekly disclosure of another database breach, auditors will be crawling all over your databases for security and compliance. There is a very good reason for that. Most malicious hackers will almost certainly attempt to break into your database and steal all the information contained therein. That makes it a pretty big target and one that is in need of tight security. This is where you will realistically need the services of an outside pen-tester to verify the integrity of your database. It is best to not only go with the advice and assurances of your in-house staff as they may have lost perspective. That does not mean your staff is incompetent. It is rather easy though to develop tunnel vision and not spot something a new set of eyes will see. I really cannot stress enough to have your database looked at professionally.
Well we have seen over the course of the article that auditing really is a natural and in reality a mandated follow-on to compliance. After all it is rather important to make sure that the steps you have put into place to be compliant are indeed working. Anything short of that and you are asking for serious trouble. While taking care of these steps is vitally important you should also think of having issues such as auditing contracted out. While it does cost you money it will also give you the comfort factor of having had your network posture verified by a professional. That will certainly help you when the time comes to be audited for real as it impacts say SOX or other legislation.
The whole idea of compliance and auditing really just boils down to common sense in my opinion. Common sense meaning that you use a proactive approach when it comes to network security. You will of course have to comply with specific legislative requirements, however that really is not that hard to do if you are organized and take an aggressive approach to remaining compliant. That includes getting outside consultants involved in the process. By engaging the services of professionals you also add to the transparency of your organization. That is one key issue that caused the whole process of government involvement. I sincerely hope this article was of help to you, and as always welcome your feedback. Till next time!