How To Conduct A Security Audit
Information security encompasses more than just IT systems - people who use the systems
can also inadvertently open security loopholes. A security audit aims to detect and highlight
any problem areas within the IT infrastructure and staff behaviours.
By Justin Kapp
identifying possible lapses that could allow this is just as important as preventing external attack.

Risk Analysis

During the audit you will need to understand a little about Risk Analysis and Risk Management - a security audit is all about assessing the risks of loss, compromise or damage to information.

Risk analysis is the process of identifying and assessing the risk of something happening. Space does not allow us to cover risk management and analysis in detail, but its principles are summarised here:

- The establishment of mechanisms to keep risks under review and to make sure they are being addressed
- A means of identifying the potential risks to the business
- An assessment of the likelihood of each risk materialising
- An assessment of the probable impact of each risk
- The formulation of measures to avoid each risk occurring
- The development and deployment of fallback measures to mitigate the risks if avoidance actions fail
- The determination of the urgency of the risk and of taking appropriate counter measures.

It is recommended that those who will be carrying out the security audit familiarise themselves further with risk management and analysis theory before commencing.

Preparation

During your preparation for the audit you have to decide how you are going to bias your audit. You need to decide in what depth you are going to audit the systems.

IT systems comprise a number of components, including hosts, servers, firewalls and the network; you must decide how deep you plan to delve into each of these components. Some systems, by their nature, require a greater level of scrutiny to determine the security issues that may be present. It is also important to plan the angle of attack for the audit of the IT systems. During the audit you may need to restrict access to some of the systems under test; these tests should be performed out of business hours to minimise impact on day-to-day operations.

You will also need to schedule time with a selection of staff members to assess how they operate within the security policy. You need to prepare a series of questions to use during the discussions with staff members.

Before you begin you need to verify your audit tools and environment. This includes the golden rule of all security auditing - you must verify that all tools used for the audit are untampered with; if the results of the auditing tools cannot be trusted, the audit is useless.

You may suffer from a chicken and egg problem when it comes to verifying your audit tools: in order to verify your audit tools you need to use the audit tools. So how do you establish trust in your audit tools? You could write them yourself or find a trusted source such as a person or company. The easiest solution is to use a tool such as md5sum to create a checksum of the file, which can be used to verify the tool later - or to use a digital signature of the tool created with PGP.

What Tools?

Over the last few years a number of tools have been developed to aid the system administrator. These tools run on a number of platforms including Win32 (Windows NT/9x), Linux, Solaris and FreeBSD. There are a number of types of tool - those that detect changes in system configuration, tools that test for known security issues, and a class of tools that are used to monitor systems in real time, such as network sniffers.

Figure 2 shows a small selection of the audit tools that are available today. Tools that run on Windows platforms tend to be commercial in nature. A large number of the tools of the various types available on Unix are non-commercial and can be obtained at no charge from the Internet. Unix tools are often supplied in source code, so testing the authenticity of the tool is easier.

You must decide which platform to use for your audit. The best choice will have a high level of security. It should not run any network services, and should be configured as if the machine was to be used as a firewall or other form of secure host. Another important factor is that physical access is required to use the machine.

The ideal hardware platform is a notebook computer, with a good display, 64 MB of RAM and a large hard disk (4 GB plus). It is also important to have network connectivity (usually via a PC Card); in fact, it is useful to have more than one network connection, in order to provide filtering and logging. There are many brands of notebook available which would fit the bill - for instance, the HP Omnibook 4150. Sometimes discreet monitoring may be required, so machines such as the sub-notebook, which can easily be hidden, are often useful.

On the audit platform a suitable operating system (OS) should be chosen. The operating system considered should be able to be secured, have suitable audit tools available, and have various development tools available such as Perl and a C/C++ compiler. It is also a large advantage to have the OS source code to prove the security of the operating system. Another important feature for the audit platform operating system is that, once put into a network to be audited, the operating system doesn't alter the normal operation of the environment to be tested.

If you are choosing a Unix, then you have a number of choices including Linux, FreeBSD, Solaris and SunOS. Choosing the right one depends on the hardware you are planning to use and

Stage                     % Of Total Time
Preparation                     10
Reviewing Policy/Docs           10
Talking/Interviewing            10
Technical Investigation         15
Reviewing Data                  20
Writing Up                      20
Report Presentation              5
Post Audit Actions              10

Figure 1 - Summary of the stages of a security audit.
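The golden rule above (verify every audit tool before trusting its output) is easy to automate once a checksum manifest has been produced on a trusted machine. The following is an added example, not code from the article: it reads a manifest of "sha256 md5 path" lines, hashes each tool on the audit platform and refuses to declare the toolkit trusted if anything is altered or missing. The manifest format, the directory layout and the three stand-in tools are constructed for illustration. The article mentions md5sum; this example computes SHA-256 alongside MD5 because MD5 alone no longer protects against deliberately crafted collisions.

```python
"""Verify audit tools against a trusted checksum manifest before use.

Added example, not code from the original article. The manifest format
("sha256 md5 relative-path" per line) and the tool names are constructed.
"""
import hashlib
import os
import tempfile


def file_digests(path):
    """Return (sha256, md5) hex digests of a file, hashing it in chunks."""
    sha, md5 = hashlib.sha256(), hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            sha.update(chunk)
            md5.update(chunk)
    return sha.hexdigest(), md5.hexdigest()


def parse_manifest(text):
    """Parse 'sha256 md5 path' lines (blank lines and # comments ignored)."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sha, md5, rel = line.split(None, 2)   # path may contain spaces
        entries[rel] = (sha.lower(), md5.lower())
    return entries


def verify_tools(manifest, tool_dir):
    """Map each manifest path to 'ok', 'MODIFIED' or 'MISSING'."""
    results = {}
    for rel, expected in manifest.items():
        full = os.path.join(tool_dir, rel)
        if not os.path.isfile(full):
            results[rel] = "MISSING"
            continue
        # Both digests must match; SHA-256 covers the known weakness of MD5
        # against deliberately crafted collisions.
        results[rel] = "ok" if file_digests(full) == expected else "MODIFIED"
    return results


def all_trusted(results):
    """True only when every tool in the manifest verified cleanly."""
    return bool(results) and all(v == "ok" for v in results.values())


def demo():
    """Build a constructed tool directory, tamper with it, then verify it."""
    tool_dir = tempfile.mkdtemp(prefix="audit-tools-")
    tools = {                                   # constructed stand-in tools
        "bin/scan.sh": b"#!/bin/sh\necho reconnaissance scan\n",
        "bin/ps": b"#!/bin/sh\nexec /bin/ps \"$@\"\n",
        "bin/netstat": b"#!/bin/sh\nexec /bin/netstat \"$@\"\n",
    }
    for rel, body in tools.items():
        full = os.path.join(tool_dir, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(body)
    # The manifest is generated while the tools are still trusted, then
    # carried to the audit platform (or PGP-signed, as the article suggests).
    lines = []
    for rel in tools:
        sha, md5 = file_digests(os.path.join(tool_dir, rel))
        lines.append("%s %s %s" % (sha, md5, rel))
    manifest = parse_manifest("\n".join(lines))
    # Simulate a toolkit that can no longer be trusted: one tool altered
    # after the manifest was made, one removed.
    with open(os.path.join(tool_dir, "bin/ps"), "ab") as fh:
        fh.write(b"# altered after manifest creation\n")
    os.remove(os.path.join(tool_dir, "bin/netstat"))
    return verify_tools(manifest, tool_dir)


if __name__ == "__main__":
    outcome = demo()
    for rel, status in sorted(outcome.items()):
        print("%-14s %s" % (rel, status))
    print("audit may proceed:", all_trusted(outcome))
```

The manifest itself is only as trustworthy as the machine it was made on and the channel it travelled through, which is why the article's alternative of a PGP signature over the tool (or over the manifest) is the stronger option; the checksum step then becomes a fast way to spot drift between the signed reference and what is actually on the audit notebook.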
should be considering more or less every staff member; you should not only talk to technical staff but also normal system users, managers and even cleaning staff. Anyone who has access to the site, and as a result the computer systems, should be included.

You need to determine usage patterns, and whether users have seen and read the security policy. Find out what they can and can't do, in their own words. Are they able to obtain root or system admin privileges? Find out what the systems are used for, and which are the critical systems. Finally you need to determine how the users view the security audit.

You must review all the documentation that exists already for the systems in place, paying particular attention to details that have a security bias. You need to review your hardware and software inventory, the network topology, key personnel and contact details for emergencies. You need to look at documentation for emergency procedures and reporting incidents.

Technical Investigations

Your technical investigations should include performing scans with various static audit tools such as ISS, CyberCop or SATAN. These tools gather a vast amount of information based on the checks pre-programmed into them; they automate the processes of gathering information and are extremely useful, as they can be set off running and usually require little user intervention, thus saving you a large amount of time in the process. These tools should be run in a reconnaissance mode, thus not performing invasive or DoS-style tests.

You need to review the system logs for all systems being audited; look for usage patterns, sites which disallow or restrict user access, and possible suspicious use. It is important to check systems against known vulnerability advisories from groups such as CERT, bugtraq, NTBugtraq and other alternative groups such as L0pht (see box below). Groups like L0pht are the so-called white hat hacker groups; these people spend an awfully large amount of time investigating common systems to look for vulnerabilities and publish this information on the Internet.
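The log review step above is where most of the "possible suspicious use" is found, and it is worth scripting so that the same checks are applied identically to every host being audited. The following is an added example, not code from the article: it parses a handful of constructed Unix-style login and su syslog lines (not from any real system) and reports three things an auditor looks for in usage patterns: repeated login failures from one source against one account, su to root by anyone outside a documented administrator list, and interactive logins outside business hours. The thresholds, the business-hours window and the administrator list are assumptions passed in as parameters.

```python
"""Review constructed Unix syslog lines for suspicious use.

Added example, not code from the original article. The log lines, host
names, thresholds and the sanctioned-admin list are constructed.
"""
import re
from collections import Counter

# Constructed auth-style syslog lines (not taken from any real system).
SAMPLE_LOG = """\
Mar 12 09:02:11 srv1 login: LOGIN ON ttyp0 BY alice FROM ws-alice
Mar 12 09:15:43 srv1 login: FAILED LOGIN 1 FROM dialup-7 FOR root, Authentication failure
Mar 12 09:15:51 srv1 login: FAILED LOGIN 2 FROM dialup-7 FOR root, Authentication failure
Mar 12 09:16:02 srv1 login: FAILED LOGIN 3 FROM dialup-7 FOR root, Authentication failure
Mar 12 09:16:10 srv1 login: FAILED LOGIN 4 FROM dialup-7 FOR root, Authentication failure
Mar 12 13:40:05 srv1 su: bob to root on /dev/ttyp2
Mar 12 14:01:30 srv1 login: LOGIN ON ttyp1 BY carol FROM ws-carol
Mar 13 02:47:19 srv1 login: LOGIN ON ttyp3 BY bob FROM dialup-7
Mar 13 02:49:00 srv1 su: bob to root on /dev/ttyp3
"""

# "Mon DD HH:MM:SS host program[pid]: message"
LINE_RE = re.compile(
    r"^(\w{3}) +(\d+) (\d\d):(\d\d):(\d\d) (\S+) ([\w.-]+)(?:\[\d+\])?: (.*)$")
FAILED_RE = re.compile(r"FAILED LOGIN \d+ FROM (\S+) FOR ([^\s,]+)")
LOGIN_RE = re.compile(r"LOGIN ON \S+ BY (\S+) FROM (\S+)")
SU_RE = re.compile(r"^(\S+) to root on")


def parse_line(raw):
    """Split one syslog line into its fields, or return None if it does not parse."""
    m = LINE_RE.match(raw)
    if not m:
        return None
    month, day, hh, mm, ss, host, prog, msg = m.groups()
    return {"month": month, "day": day, "hour": int(hh), "minute": int(mm),
            "host": host, "prog": prog, "msg": msg}


def review_log(text, business_hours=(8, 18), fail_threshold=3,
               sanctioned_admins=("alice",)):
    """Return the three kinds of finding an auditor wants from these logs."""
    failed = Counter()
    findings = {"repeated_failures": {}, "su_root": [], "off_hours_logins": []}
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue                        # ignore lines in another format
        ts = "%s %s %02d:%02d" % (rec["month"], rec["day"], rec["hour"], rec["minute"])
        m = FAILED_RE.search(rec["msg"])
        if m:
            failed[(m.group(1), m.group(2))] += 1   # (source, target account)
            continue
        m = LOGIN_RE.search(rec["msg"])
        if m:
            user, src = m.groups()
            start, end = business_hours
            if not (start <= rec["hour"] < end):
                findings["off_hours_logins"].append((ts, user, src))
            continue
        m = SU_RE.search(rec["msg"])
        if m and rec["prog"] == "su" and m.group(1) not in sanctioned_admins:
            findings["su_root"].append((ts, m.group(1)))
    # Only sources that crossed the threshold are worth reporting.
    findings["repeated_failures"] = {
        key: n for key, n in failed.items() if n >= fail_threshold}
    return findings


if __name__ == "__main__":
    result = review_log(SAMPLE_LOG)
    for kind, items in result.items():
        print(kind, items)
```

Each finding is a lead to follow up in the staff interviews and the documentation review rather than a conclusion in itself: an off-hours login by a known shift worker is normal, and the same login from a dial-up source on a machine that is not supposed to have a modem is not.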
You should also spend time looking at the startup processes of the systems being audited. You need to look for processes that aren't supposed to be there, and compare the startup with the applications that are supposed to be installed on the machine or have been previously documented. You need to examine the static items of the systems to check for alteration and to determine if they include unnecessary or dangerous commands.

It is important to search the systems for applications and programs that run in a privileged state - anything that runs as root. You need to examine the environment, execution and configuration files for these applications.

Check for network services that are surplus to requirements, such as Web and Usenet servers. Also check for replacement programs such as TCP wrappers and wu-ftpd. Check for programs that are disguised as legitimate services, such as Back Orifice, NetBus and even the SETI@Home client. Look for services that are not supposed to be running - for example, a user may have installed the Windows DUN server on their machine with a modem connected, which would pose a serious security risk as this is not a sanctioned network service.

You should examine the trust relationships between the components of the network, such as your Windows NT domain trust relationships and replication of your servers. There are

Resources

It is important when conducting a security audit that you have as much information as possible in order to better assess security issues. Remember that there are both Black Hat and White Hat Web sites that contain security information, and they are both equally useful. Some of the more useful starting points are detailed below:

packetstorm.security.com
PacketStorm Security is a very good source of the latest security issues.

www.rootshell.com
Rootshell is another source of security issue information. This site hasn't been updated in a while - however, the information provided is useful.

www.securityfocus.com
Bugtraq is a mailing list for the discussion and announcement of computer security vulnerabilities. Details of how to subscribe, and an archive of the mailing list, can be found at the above Web site.

www.ntbugtraq.com
NTBugtraq is the Windows platform version of the Bugtraq mailing list.

www.cs.purdue.edu/coast/coast.html
COAST (Computer Operations, Audit and Security Technology) is a research project into computer security at the Computer Sciences Department at Purdue University. COAST also boasts a large catalog of security and audit-related applications in their ftp archive.

www.ciac.org/ciac/
CIAC (Computer Incident Advisory Capability) provides tools and advisory information.

www.cert.org
CERT (Computer Emergency Response Team) provides information regarding many security issues, including advisory information.

www.l0pht.com
L0pht is a Black Hat group that performs testing of commonly used tools for security issues. L0pht also produces a number of useful tools for testing system security.
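The startup-process, privileged-program and surplus-service checks described in the Technical Investigations section all reduce to the same operation: compare what is actually running against what the documentation says should be running. The following is an added example, not code from the article, of that comparison. The baseline dictionary stands in for the installed-application documentation; the observed inventory is the kind of (host, process, user, port) list gathered from ps- and netstat-style output. All host names, process names, users and ports are constructed, and dunsrv.exe is a made-up name standing in for the unsanctioned dial-up server the article mentions. The example covers both Unix and Windows NT hosts, which the article's checklist implies but does not show side by side.

```python
"""Compare observed startup processes and services with a documented baseline.

Added example, not code from the original article. Hosts, process names,
users and ports are constructed; the baseline stands in for the
installed-application documentation the article says to compare against.
"""

PRIVILEGED_USERS = {"root", "SYSTEM"}   # "anything that runs as root" (or NT SYSTEM)

# Documented baseline: host -> process -> (expected user, expected port or None).
BASELINE = {
    "srv1": {
        "sshd": ("root", 22),
        "httpd": ("www", 80),
        "syslogd": ("root", None),
        "cron": ("root", None),
    },
    "ws-bob": {
        "explorer.exe": ("bob", None),
        "winlogon.exe": ("SYSTEM", None),
        "nav.exe": ("SYSTEM", None),
    },
}

# Observed inventory: (host, process, user, listening port or None).
OBSERVED = [
    ("srv1", "sshd", "root", 22),
    ("srv1", "httpd", "root", 80),          # documented, but running as root, not www
    ("srv1", "syslogd", "root", None),
    ("srv1", "innd", "news", 119),          # Usenet server, surplus to requirements
    ("srv1", "named", "root", 53),          # undocumented and privileged
    ("ws-bob", "explorer.exe", "bob", None),
    ("ws-bob", "winlogon.exe", "SYSTEM", None),
    ("ws-bob", "dunsrv.exe", "SYSTEM", None),  # constructed name: unsanctioned dial-up server
]


def audit_inventory(baseline, observed):
    """Return {(host, process): [findings]} for every deviation from the baseline."""
    findings = {}
    seen = set()
    for host, proc, user, port in observed:
        seen.add((host, proc))
        expected = baseline.get(host, {}).get(proc)
        notes = []
        if expected is None:
            notes.append("UNEXPECTED")
            if user in PRIVILEGED_USERS:
                notes.append("PRIVILEGED")        # undocumented and running as root/SYSTEM
        else:
            exp_user, exp_port = expected
            if user != exp_user:
                notes.append("USER-MISMATCH expected %s, running as %s" % (exp_user, user))
            if exp_port != port:
                notes.append("PORT-MISMATCH expected %s, listening on %s" % (exp_port, port))
        if notes:
            findings[(host, proc)] = notes
    # Documented processes that are not running may have been disabled or replaced.
    for host, procs in baseline.items():
        for proc in procs:
            if (host, proc) not in seen:
                findings[(host, proc)] = ["MISSING"]
    return findings


if __name__ == "__main__":
    for (host, proc), notes in sorted(audit_inventory(BASELINE, OBSERVED).items()):
        print("%-8s %-14s %s" % (host, proc, "; ".join(notes)))
```

A process that matches the baseline by name is not thereby cleared: the article's warning about programs disguised as legitimate services means the name check should be followed by the checksum verification shown earlier against known-good copies of the binaries, and by a look at the environment and configuration files of anything in the privileged set.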