Company networks share information and communicate over an insecure environment, which leaves them vulnerable to a range of attacks. Information is generally shared on networks via e-mail, attachments and network drives, each of which carries its own risks. Not only outsiders but also insiders are responsible for exposed information. Attackers can easily exploit a network if the organization has no proper security in place. To reduce such exploits, a company has to think about unauthorized access, find its vulnerabilities before an attacker does, and patch them.
Properly arranged network servers can limit access to company data, and monitoring or auditing that access gives assurance about the security of the data. Auditing is essential for exposing loopholes in the network, and it should be performed regularly.
What is a Security Audit?
A security audit is a systematic evaluation of a company’s information security that checks whether the company is following a defined set of criteria for protecting its data. It examines software, data-processing systems, user practices and system configuration. Auditing is an ongoing process of establishing and preserving effective security policies, and it involves every resource of the organization. A security audit offers a measurable way to assess an organization’s security level. Auditors carry out their work with vulnerability scanners, operating-system examination, analysis of network shares and personal interviews, in order to confirm how the security strategies and policies are actually applied.
Most businesses are connected to the internet and have implemented policies and systems to protect themselves against unauthorized access. Attackers generally take the easiest route and look for a vulnerability in software, a system or a website. A security audit helps here by confirming that the organization’s security systems are working according to fixed standards. The audit also checks compliance with applicable laws and regulations and identifies the loopholes in the current security defences.
Types of Security Audit:
There are two types of security audit in an organization: external audit and internal audit. An external audit covers collection of publicly available information and external penetration testing. An internal audit covers collection of sensitive information, internal penetration testing, review of the security policy, the information systems and infrastructure, personal interviews and physical security.
Hire an Auditor:
A technical audit checks policies, processes and network configurations. An organization looking for a security auditor should therefore check the following points before hiring one.
- Judge the auditor’s competence rather than relying on certificates alone.
- Check whether the auditor has actual experience in the relevant field and is familiar with current technology.
- The auditor should have real-world experience that gives insight into security issues.
- Check any published work by the auditor for further assurance.
- Ask your own network staff about prospective auditing firms.
- Get in touch with clients who have used the firm’s services in the past.
- Find out which methods the auditors use (research, testing or analysis) and whether they allow input from the organization’s employees.
- Once the audit firm is chosen, agree on the payment model, for example per day or a flat rate. If the scope is limited, a flexible rate is ideal; for a complicated audit of a whole company, a flat rate is better.
IT security auditing relies on the following standard techniques to determine the security level of an organization’s systems and networks.
Network Scanning: A network scanning tool probes ports to establish which hosts on the organization’s network are reachable and what services they expose. The result is a complete list of active hosts, printers, switches and routers. Network scanning lets the organization find unauthorized network connections and vulnerable services, and it can also collect forensic evidence.
Vulnerability Scanning: A vulnerability scanner identifies open ports and the known vulnerabilities associated with the services behind them, and it gives guidance on mitigating what it finds. It helps the organization find vulnerabilities before attackers do, and to gauge its security level and its exposure to external attack. Vulnerability scanning also identifies applications through banner grabbing, the operating system, misconfigured settings, active hosts on the network and outdated software versions.
Password Cracking: Password cracking software is used to find weak passwords. The auditor first obtains the password hashes; the cracker then hashes candidate passwords (from a wordlist or by brute force) and compares each result with the captured hashes until a match reveals the password.
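The following is an added example, not code from the original article, showing the mechanics described above: a dictionary attack against an unsalted SHA-256 password store, the same attack against a salted store, and a brute-force search for a numeric PIN. The wordlist, the user names and the "captured" hashes are all constructed inside the block (the hashes are computed from known passwords so the example runs offline), and SHA-256 is assumed as the store’s hash function only to keep the example short; a real cracker would target the hash the system actually uses.

```python
import hashlib
import hmac
import itertools
import string

# Constructed wordlist standing in for a real dictionary file.
WORDLIST = ["password", "123456", "letmein", "qwerty", "Summer2023", "admin"]


def sha256_hex(text):
    """Hex SHA-256 of a string; the hash function of the assumed (weak) password store."""
    return hashlib.sha256(text.encode()).hexdigest()


# Constructed "captured" hashes, built here so the example runs offline.
UNSALTED_HASHES = {
    "alice": sha256_hex("letmein"),
    "bob": sha256_hex("Tr0ub4dor&3"),   # not in the wordlist; survives the dictionary attack
    "carol": sha256_hex("123456"),
}
SALTED_RECORDS = {                      # user -> (salt, sha256(salt + password))
    "dave": ("x9Q2", sha256_hex("x9Q2" + "qwerty")),
    "erin": ("mK7p", sha256_hex("mK7p" + "Summer2023")),
}


def crack_unsalted(hashes, wordlist):
    """Unsalted store: hash every candidate once, then look up all users in one table.
    Cost is len(wordlist) hash operations no matter how many users are in the dump."""
    table = {sha256_hex(word): word for word in wordlist}
    return {user: table[digest] for user, digest in hashes.items() if digest in table}


def crack_salted(records, wordlist):
    """Salted store: the salt differs per user, so every candidate must be rehashed
    for every user. Returns (cracked, number_of_hash_operations)."""
    cracked, ops = {}, 0
    for user, (salt, digest) in records.items():
        for word in wordlist:
            ops += 1
            if hmac.compare_digest(sha256_hex(salt + word), digest):
                cracked[user] = word
                break
    return cracked, ops


def crack_pin(digest, length=4):
    """Brute force: enumerate every digit string of the given length until the hash matches."""
    for combo in itertools.product(string.digits, repeat=length):
        candidate = "".join(combo)
        if sha256_hex(candidate) == digest:
            return candidate
    return None


if __name__ == "__main__":
    print("unsalted:", crack_unsalted(UNSALTED_HASHES, WORDLIST))
    print("salted:", crack_salted(SALTED_RECORDS, WORDLIST))
    print("pin:", crack_pin(sha256_hex("0417")))
```

Two points worth noting from the output: bob’s password is not recovered because it is not in the wordlist, which is exactly what a strong, non-dictionary password buys, and the salted store forces one hash per candidate per user instead of one per candidate, which is why a per-user salt (and a deliberately slow hash such as bcrypt or scrypt) matters when hashes leak.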
Log Review: Log review compares what the system logs record against the organization’s prescribed security policy. Firewall logs, IDS logs and server logs give a real picture of ongoing activity, which can be matched against the defined policy. After reviewing the logs, the organization can, for example, tighten its firewall policy to minimize access to susceptible systems.
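As an added example (not part of the original article), the block below does the comparison described above over a handful of constructed firewall log lines: every ACCEPTed connection is checked against an assumed allow-list policy (destination host, port and permitted source networks), and sources that were DENIED on several distinct ports are flagged as probable port scans. The log format, the addresses and the policy are all invented for the example; the hosts use documentation address ranges and the line format is a generic key=value style rather than any particular vendor’s.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed firewall log lines; the last line is deliberately malformed.
SAMPLE_LOG = """\
2024-03-01T10:00:01 ACCEPT src=203.0.113.5 dst=10.0.0.12 proto=TCP dport=443
2024-03-01T10:00:02 ACCEPT src=203.0.113.5 dst=10.0.0.12 proto=TCP dport=22
2024-03-01T10:00:03 DENY src=198.51.100.7 dst=10.0.0.12 proto=TCP dport=21
2024-03-01T10:00:04 DENY src=198.51.100.7 dst=10.0.0.12 proto=TCP dport=23
2024-03-01T10:00:05 DENY src=198.51.100.7 dst=10.0.0.12 proto=TCP dport=3389
2024-03-01T10:00:06 ACCEPT src=10.0.0.50 dst=10.0.0.12 proto=TCP dport=22
2024-03-01T10:00:07 ACCEPT src=203.0.113.9 dst=10.0.0.30 proto=TCP dport=3306
2024-03-01T10:00:08 ACCEPT src=10.0.0.50 dst=10.0.0.12 proto=TCP dport=8080
garbled line left behind by log rotation
"""

# Assumed policy: for each protected host, the ports that may be reached and from which networks.
POLICY = {
    "10.0.0.12": {443: ["0.0.0.0/0"], 22: ["10.0.0.0/8"]},   # web host: HTTPS public, SSH internal only
    "10.0.0.30": {3306: ["10.0.0.0/8"]},                     # database: internal only
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\S+) dport=(?P<dport>\d+)$"
)


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped rather than guessed at."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["dport"] = int(entry["dport"])
            yield entry


def _source_allowed(src, networks):
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(n) for n in networks)


def find_violations(text, policy):
    """Return ACCEPTed connections that the policy does not permit, each with a reason."""
    violations = []
    for e in parse_log(text):
        if e["action"] != "ACCEPT":
            continue
        allowed = policy.get(e["dst"], {})
        if e["dport"] not in allowed:
            reason = "port not in policy"
        elif not _source_allowed(e["src"], allowed[e["dport"]]):
            reason = "source not permitted"
        else:
            continue                      # accepted and permitted: nothing to report
        violations.append({**e, "reason": reason})
    return violations


def probing_sources(text, min_ports=3):
    """Sources DENIED on at least min_ports distinct ports: a simple port-scan indicator."""
    ports_by_src = defaultdict(set)
    for e in parse_log(text):
        if e["action"] == "DENY":
            ports_by_src[e["src"]].add(e["dport"])
    return {src for src, ports in ports_by_src.items() if len(ports) >= min_ports}


if __name__ == "__main__":
    for v in find_violations(SAMPLE_LOG, POLICY):
        print(f"{v['ts']} {v['src']} -> {v['dst']}:{v['dport']} ({v['reason']})")
    print("probing sources:", probing_sources(SAMPLE_LOG))
```

The two "source not permitted" findings are the interesting ones for an auditor: the firewall accepted SSH and MySQL connections from outside the internal range even though the written policy forbids them, which means the deployed rule set has drifted from the policy and needs to be tightened.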
Virus Detection: Organizations are exposed to viruses, worms and other malware, which can delete files, display pop-up messages or destroy sensitive information. Virus detection software identifies malware already present on systems, and it can also be installed on network infrastructure and mail servers, where it can catch malware before it reaches the endpoints. It scans e-mail, USB drives, hard disks, documents, local hosts and web content. To keep malware out, the organization should run antivirus software and update its virus definitions regularly.
Penetration Testing: Penetration testing attempts to circumvent a system’s security features by exploiting weaknesses in its implementation and design. It identifies the methods by which access to the system could be gained, using the tools and techniques an attacker would use. It requires expertise, and network response times may slow while a test is running. Before testing starts, details such as the IP addresses in scope, restricted hosts, permitted testing techniques, testing windows and points of contact should be agreed.
The security structure also depends on the organization’s infrastructure, so an IT security audit is not a one-time task but a continuous process. The audit examines the effectiveness of the organization’s security policy, and its findings are then used to correct the deficiencies found and to improve the policy.