Information technology security audit

In information technology (IT), an IT security audit (from Latin audit: "he/she hears", roughly "he/she checks") is the set of measures used for risk and vulnerability analysis (vulnerability scan) of an IT system or computer program. Security audits usually take place within quality management and serve to reduce vulnerabilities and introduce best practices in an organization (public administration, companies). IT security audits belong to the field of network and information security, although the boundary to LAN analysis in local area networks or to network analysis in general is fluid.

Following the English terms security test and security scan, German literature also uses terms such as security check or security inspection instead of security audit. In most cases these refer only to partial aspects of a complete audit. The process of auditing is often called auditing, and the person carrying it out the auditor.

Overview

Regular IT security audits are an indispensable part of German IT baseline protection (IT-Grundschutz). International management standards for IT security audits are laid down in ISO/IEC 27001. In addition there are a number of other international security policies. These are used for planning, documenting and continuously developing a company's information security management system (ISMS, see also IT service management). Audits are usually carried out by external experts, also known as Chief Audit Executives (CAE), in consultation with management. The catalog of measures created in this way forms the basis for further action by the administrators of the in-house IT department, who are responsible for continuously comparing target and actual state and for maintaining the system in accordance with the company's security policy. Systems can include personal computers, servers, mainframe computers, routers or switches. Applications include web servers such as Apache, database systems such as Oracle or MySQL, and mail servers.

After taking stock of the IT structure (IT structure analysis), the respective tests are carried out. This is usually followed by assessing protection needs and selecting measures, which are recorded in a catalog of measures. For reasons of internal security, implementation of the measures is usually not performed by the auditor, since by conducting the audit the auditor has become very familiar with the company's vulnerabilities. By signing a non-disclosure agreement (NDA) the auditor is sworn to secrecy. An auditor must bring sufficient experience in networking and be able to put themselves in an attacker's position. The motives and objectives of a potential attack determine the method used.

Manual measures of a security analysis include:

  • Questioning a company's workforce (see social engineering)
  • Security scans using port scanners such as Nmap, sniffers such as Wireshark, vulnerability scanners such as Nessus, and other tools, namely vulnerability assessment (VA) products
  • Verification of access control in applications and operating systems
  • Analysis of physical access to the system.

Another method of determining security vulnerabilities is the penetration test. Penetration tests form an essential part of a full IT security audit. Attacks are simulated both from the outside (Internet) and from within the corporate network. This process is often called friendly hacking, and the auditor a white-hat hacker (see hacker ethic).

The BSI IT Security Guide distinguishes penetration tests by the following criteria:

  • Information base (black box, white box)
  • Aggressiveness (passive, cautious, calculated, aggressive)
  • Scope (full, limited, focused)
  • Procedure (overt, covert)
  • Technique (network access, other communication, physical access, social engineering)
  • Starting point (from the outside, from the inside)

A popular inconspicuous (passive) method in manual audits is Google hacking. While a look at public job postings is often enough to roughly estimate a company's IT infrastructure, confidential and sensitive data can be spied out unnoticed using complex search queries on Google, Live Search, Yahoo Search and similar search engines. The range of such "security nuggets" extends from private information such as credit card numbers, social security numbers and passwords, and stored files such as internal audit reports, password hashes or log files (Nessus, sniffer), over insecure open services such as OWA, VPN and RDP, to the disclosure of numerous exploits and vulnerabilities of the websites concerned. Specific search engine filters and operators are used for this. The Google Hacking Database (GHDB) is a separate collection of known tactics and capabilities. Several vendors of automated vulnerability scanners for web services have integrated this database into their products. To detect a "Google hacking attack", dedicated honeypots can be set up. Comments with information useful to attackers are frequently found in the source code of websites. If the website provider deletes this data, it usually remains publicly available through a search engine's cache or through archives such as the Wayback Machine.

As an alternative or supplement to manual auditing measures, computer-assisted auditing techniques (CAAT) can be used. Such automated auditing measures are part of the audit standards published by the American Institute of Certified Public Accountants (AICPA), which are mandatory for management in the United States (see Sarbanes-Oxley Act). They include system-generated audit reports and the use of monitoring software that reports changes to files or settings on a system. An AICPA checklist is intended to make this work easier for administrators. Free software solutions in this field are the auditing and reporting tools TIGER and Tripwire and the monitoring software Nagios. The main purpose of these products is to document and warn of changes to the system.
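The kind of change monitoring described above (a Tripwire-style baseline of file digests, re-checked later) as an added example; this is constructed illustration code, not code from Tripwire or from the article, and the directory layout and file contents it creates are invented:

```python
"""Constructed file-integrity monitor in the spirit of Tripwire: baseline the
SHA-256 digest of every file under a directory, re-snapshot later and report
what was added, removed or modified. Paths and contents below are invented."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: str) -> dict:
    """Map each file (path relative to root, POSIX style) to its digest."""
    base = Path(root)
    result = {}
    for dirpath, _dirs, files in os.walk(base):
        for name in files:
            path = Path(dirpath) / name
            result[path.relative_to(base).as_posix()] = sha256_of(path)
    return result


def compare(baseline: dict, current: dict) -> dict:
    """Classify the differences between a baseline and a current snapshot."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
    }


def run_demo() -> dict:
    """Baseline a throwaway tree, then simulate changes an audit should catch."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp) / "etc"
        cfg.mkdir()
        (cfg / "sshd.conf").write_text("PermitRootLogin no\n")
        (cfg / "hosts").write_text("127.0.0.1 localhost\n")
        baseline = snapshot(tmp)
        (cfg / "sshd.conf").write_text("PermitRootLogin yes\n")  # setting changed
        (cfg / "hosts").unlink()                                  # file removed
        (cfg / "unexpected.conf").write_text("Listen 0.0.0.0\n")  # file dropped in
        return compare(baseline, snapshot(tmp))
```

In practice the baseline would be stored off-host (or signed) so that whoever alters the monitored files cannot also rewrite the reference digests.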

Policies and measures

The guidelines and action plans proposed by security experts in the field of IT security are very extensive. Besides ISO/IEC 27001 there are ISO/IEC 17799 and the British standard BS 7799 underlying it, and furthermore the X.800 security architecture, the IT Baseline Protection Catalogs (formerly IT Baseline Protection Manual) of the BSI, the ITIL process library and the ITSEC criteria. The recognized audit manual Open Source Security Testing Methodology Manual (OSSTMM) of the Institute for Security and Open Methodologies (ISECOM) distinguishes, according to the possible avenues of attack, five categories of security interaction called channels:

  • Physical interaction
  • Telecommunications (analog communications)
  • Data networks (packet communication)
  • Wireless interaction
  • Human interaction

Basically, a company must decide between different risk analysis strategies and set the objectives of the audit on that basis. Since a detailed risk analysis of an entire organization is expensive and complex, a combination of basic protective measures (baseline security controls) and a high-level risk analysis of protection requirements is usually chosen. All systems whose risk lies above low to medium, i.e. at high to very high, are subjected to a detailed risk analysis. Depending on the possible extent of damage (the value of the endangered assets) and their relevance, a different risk assessment and thus a different protection requirement results.

The range of proposed measures extends from setting up a DMZ for external services and separating the network into segments using VLANs (for example a separate VLAN for network printers, one for WiFi, division A, division B, management and so on), restricting access authorization from outside the network via VPN, the use of encryption mechanisms, setting up and maintaining firewalls, IDS/IPS, antivirus, device or endpoint control and identity management, and evaluating existing user profiles and access control lists (ACLs) on both workstations and the network, to setting up a centralized update server for all operating systems (see, e.g., Windows Update Server).

Security experts can demonstrate their knowledge to potential customers through recognized certifications. These include, among others, the CISSP of the International Information Systems Security Certification Consortium, CISA and CISM of ISACA, the OSSTMM Professional Security Tester (OPST) and OSSTMM Professional Security Analyst (OPSA) of ISECOM, one of the numerous ITIL or LPI certifications, as well as those of companies respected in the IT or IT security sector such as Cisco. In Austria there is also the title of IT civil engineer for IT consultants. These and other certificates can be acquired in special courses.

Course of an audit

Audits essentially follow the same pattern as malicious attacks. Hacker attacks can be roughly divided into three types according to method and purpose:

  • Passive
  • Active
  • Aggressive

The goal of a passive, automated attack by scripts and bots can be, for example, expanding a botnet. Worms in particular are used for automated exploitation of vulnerabilities. Other malicious programs for spreading such bots are viruses and Trojans. Once a computer has been compromised (it is then called a zombie), it can be used to send spam, as storage for pirated copies, to carry out DDoS attacks and the like. In an active, manual attack, sensitive data can be read or spied on, or backdoors installed so that users and applications are controlled by the attacker. Aggressive attacks are mostly politically motivated and usually intended to cause system failure. The boundaries between the types of attack are fluid.

An audit thus consists of several phases. If information such as the IP address range to be scanned (IP range) is not provided by the customer, it is a black-box test. Here a useful first step for the auditor may be footprinting, to draw up an approximate network topology. This step is omitted in a white-box test. Creating a network topology is also called network mapping. In the next step the computer network is checked for potential vulnerabilities with an automated vulnerability scanner. To eliminate false positives, a careful evaluation of the results is necessary. A further phase of an audit can be a penetration test (pentest) based on the findings of the vulnerability assessment. Finally the results are summarized in a detailed report, which is supplemented by a series of measures to minimize or eliminate the risks.

Before an audit, questions such as scope, duration and methods need to be clarified. If, for example, a company's operations must not be disturbed by the audit, exploitation of program errors (bugs) or security holes such as buffer overflows in software, called exploits, must be dispensed with. DoS attacks are common in this context. Filtering out potential vulnerabilities in a system is called vulnerability mapping. Here the auditor lists all running services together with their known bugs. These can be looked up, for example, on Bugtraq, in the CVE list or at US-CERT.

According to McAfee, the most common vulnerabilities include:

  • Default settings on unconfigured routers, firewalls and web servers
  • Simple, unencrypted and/or default passwords (factory settings)
  • Lack of security, maintenance and programming skills among staff
  • Lack of security concepts, e.g. security through obscurity, negligent handling of confidential data, susceptibility to social engineering
  • Lack of maintenance concepts, such as infrequent updates and password changes, or lack of monitoring
  • Poor programming practice, such as lack of QA and code reviews and neglect of security aspects
  • Use of insecure services such as telnet, SNMP, RDP, X, SMB, MSRPC, and web GUIs such as OWA
  • Poorly (usually hurriedly) developed applications with buffer overflows, format string vulnerabilities, integer overflows and/or lack of input validation
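An added example of the vulnerability-mapping step described above (listing each running service with its known bugs, and flagging the insecure services from the list just given), with the false-positive caveat built in: a service whose version could not be read is marked for manual verification rather than reported as a confirmed hit. This is constructed illustration code, not the article's or any vendor's; the scan inventory, banners, advisory IDs and versions are all invented placeholders.

```python
"""Constructed vulnerability-mapping pass over a scanned service inventory.
The inventory stands in for a port scanner's output, the advisory table for the
auditor's Bugtraq/CVE/US-CERT lookups; all ids, versions and hosts are placeholders."""
from collections import namedtuple

# Clear-text or legacy services from the list above (the list's "X" is x11 here)
INSECURE_SERVICES = {"telnet", "snmp", "rdp", "x11", "smb", "msrpc"}

Service = namedtuple("Service", "host port name banner")         # banner may be ""
Advisory = namedtuple("Advisory", "ident service fixed_in note")  # fixed_in: first safe version

ADVISORIES = [  # constructed stand-ins, not real advisories
    Advisory("ADV-0001", "http", (2, 4, 10), "buffer overflow in request parser"),
    Advisory("ADV-0002", "smtp", (1, 3, 0), "format string bug in log handling"),
]


def parse_version(banner: str) -> tuple:
    """Extract a dotted version such as 2.4.1 from a banner; () if none present."""
    for token in banner.split():
        parts = token.split(".")
        if len(parts) > 1 and all(p.isdigit() for p in parts):
            return tuple(int(p) for p in parts)
    return ()


def map_vulnerabilities(inventory: list) -> list:
    """Return sorted (host, port, finding id, detail) tuples for the inventory."""
    findings = []
    for svc in inventory:
        if svc.name in INSECURE_SERVICES:
            findings.append((svc.host, svc.port, "INSECURE-SERVICE",
                             f"{svc.name} is a legacy/clear-text service; replace or isolate"))
        version = parse_version(svc.banner)
        for adv in [a for a in ADVISORIES if a.service == svc.name]:
            if not version:  # no version seen: flag for manual check, not as a confirmed hit
                findings.append((svc.host, svc.port, "VERIFY-" + adv.ident,
                                 f"version unknown, confirm by hand: {adv.note}"))
            elif version < adv.fixed_in:
                findings.append((svc.host, svc.port, adv.ident, adv.note))
    return sorted(findings)


def sample_inventory() -> list:
    """Constructed scan of two lab hosts (TEST-NET addresses, invented banners)."""
    return [
        Service("192.0.2.5", 23, "telnet", ""),
        Service("192.0.2.5", 80, "http", "acme-httpd 2.4.1"),
        Service("192.0.2.7", 25, "smtp", "acme-smtpd"),
        Service("192.0.2.7", 80, "http", "acme-httpd 2.4.12"),
    ]
```

Calling `map_vulnerabilities(sample_inventory())` yields one insecure-service finding, one confirmed advisory match and one entry marked for manual verification; the patched host on port 80 produces nothing.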

Ready-made scripts, as used for example by script kiddies in their attacks, usually serve to run exploits. Metasploit, a framework for building and testing exploits for vulnerabilities, provides a collection of exploits for many popular operating systems. It is one of the most common tools for pentests.

The port scanner Nmap can be used to obtain information about how up to date the applications running on the target system are (version and patch level) as well as for detecting the operating system (OS fingerprinting). The graphical front end nmapfe (Network Mapper Front End) has now been replaced by Zenmap, which in turn emerged from Umit. Banner grabbing and port scanning can alternatively be performed with Netcat. An efficient and fast alternative to the widespread Nmap may be PortBunny. However, Nmap is one of the most powerful and widely used tools in the field.

Well-known vulnerabilities can be identified with the vulnerability scanner Nessus. A manual check for exploits in web applications, such as SQL injection or cross-site scripting, is also possible with Nessus. Related attacks in this area are session fixation, cross-site cooking, cross-site request forgery (XSRF), URL spoofing, phishing, e-mail spoofing, session poisoning and cross-site tracing (XST).

Since Nessus is a very "loud" tool, whose use is therefore easy to detect in a network, "silent" (usually passive) tools such as firewalk (packet filter enumerator), hping3 (TCP/IP packet analysis with traceroute mode) or nmap are often preferred. For testing web applications there is also the Nikto web scanner, which can be run on its own or integrated into Nessus.

In IT security audits it is common (in consultation with the IT department) to try to introduce viruses, worms, Trojans and other malware into a system. This usually happens through social engineering by the auditor, for example by sending an e-mail labelled "important security update" to all users or handing it over in person. In this way the currency and effectiveness of existing antivirus software, personal firewalls, packet filters, intrusion prevention systems and the like are checked. More important, however, is the question of how users react and whether they follow the company's security policy.

With tools such as John the Ripper one can try to crack the passwords in the system. These can be read, for example, from a hash captured by sniffers such as Wireshark or tcpdump. Plug-ins for Nessus are also available for this purpose. Hidden rootkits can be discovered with chkrootkit. Even ordinary Unix on-board tools such as lsof (list open files) or top for process management can help here. Under Microsoft Windows the use of the Sysinternals Suite by Mark Russinovich is recommended.

Most of the tools described can be found, among others, in the following GNU/Linux-based live systems: BSI OSS Security Suite (BOSS), BackTrack (formerly Auditor Security Collection), Knoppix STD (Security Tools Distribution), Network Security Toolkit (NST), nUbuntu (or Network Ubuntu) and Helix. BackTrack was voted Best Security Live CD by darknet in March 2006.

In addition to the numerous free FOSS tools there are a number of widely used closed-source products, such as the packet analysis platform OmniPeek by WildPackets, the web application security scanner N-Stalker, the automatic vulnerability scanners Qualys, SecPoint Penetrator and Retina by eEye Digital Security, the automatic vulnerability scanners Quatrashield, IBM Internet Scanner (formerly Internet Security Scanner), Shadow Security Scanner and GFI LANguard Network Security Scanner, as well as the packet sniffer Cain & Abel and others. Paid tools for creating security policies based on IT baseline protection are the BSI's GSTOOL and SecuMax. In contrast to most of the free tools, however, most of these products run only on Windows. A free, cross-platform alternative to GSTOOL is the Java-based ISMS tool verinice.
