Lecture 11 (Pertemuan 11): Auditing Virtualized Environments, Auditing End-User Computing Devices & Applications

Course material for the Information Technology Audit course (Materi Mata Kuliah Audit Teknologi Informasi)

Auditing Virtualized Environments
• Virtualization describes the implementation of an abstraction layer to represent or emulate computing resources for access by other elements of the environment.
• Virtualization can be applied to hardware or to various operating system or application components.
• The physical hardware of a system is isolated and managed by a layer called a hypervisor or host operating system (OS).
• The hypervisor then allows one or more guest OS instances to be installed, providing virtual hardware resources to each and facilitating communication to and from each guest.
• Virtualization also provides the ability to easily move a guest OS to another physical system in the event of a problem or upgrade.
• Since the storage hardware can also be virtualized, the storage needs of hundreds of guests can be managed with a single storage array, simplifying backup/restore and business continuity needs.
• The virtualization audit covered here is designed to review key controls that protect the confidentiality, integrity, or availability of the environment for the supported operating systems and users that rely on the environment.
TEST STEPS FOR AUDITING VIRTUALIZATION
1. Document the overall virtualization management architecture, including the hardware and supporting network infrastructure.
• The team responsible for managing virtualization should maintain documentation illustrating the virtualization architecture and how it interfaces with the rest of the environment.
• Documentation should include supported systems, management systems, and the connecting network infrastructure.
2. Obtain the software version of the hypervisor and compare with policy requirements.
• Review the software version to ensure that the hypervisor is in compliance with policy.
3. Determine what services and features are enabled on the system and validate their necessity with the system administrator.
• Unnecessary services and features increase risk of exposure to misconfigurations, vulnerabilities, and performance issues and complicate troubleshooting efforts.
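Steps 2 and 3 are usually performed by pulling a host inventory from the management tooling and comparing it with policy. The following is an added example, not code from the lecture: it checks a constructed inventory of hypervisor hosts against a minimum version and an allowlist of approved services. The hostnames, version numbers, service names and policy values are all constructed for illustration; the `parse_version` helper is there because comparing version strings lexically would rank "7.0.10" below "7.0.3".

```python
"""Added example (not from the lecture): check a hypervisor host inventory against
policy for audit steps 2 and 3, i.e. a minimum hypervisor version and an allowlist
of approved services.  Hostnames, versions, service names and the policy values
are constructed for illustration; in practice the inventory would come from the
vendor's management API or CLI."""
from dataclasses import dataclass, field
from typing import List, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '7.0.3' into (7, 0, 3) so versions compare numerically.
    Plain string comparison would wrongly rank '7.0.10' below '7.0.3'."""
    return tuple(int(part) for part in text.strip().split("."))


@dataclass(frozen=True)
class Policy:
    minimum_version: str
    approved_services: frozenset


@dataclass
class HostInventory:
    hostname: str
    hypervisor_version: str
    enabled_services: List[str] = field(default_factory=list)


def check_host(host: HostInventory, policy: Policy) -> dict:
    """Return a per-host result: a compliant flag plus human-readable findings."""
    findings = []
    if parse_version(host.hypervisor_version) < parse_version(policy.minimum_version):
        findings.append(
            f"hypervisor {host.hypervisor_version} below policy minimum {policy.minimum_version}"
        )
    # Anything enabled that is not on the approved list is a question for the
    # administrator (step 3), not automatically a deficiency.
    for svc in sorted(set(host.enabled_services) - policy.approved_services):
        findings.append(f"service '{svc}' enabled but not approved; validate necessity with administrator")
    return {"host": host.hostname, "compliant": not findings, "findings": findings}


# Constructed policy and inventory for the demonstration.
POLICY = Policy(minimum_version="7.0.3", approved_services=frozenset({"ssh", "ntp", "syslog"}))
HOSTS = [
    HostInventory("hv-lab-01", "7.0.3", ["ssh", "ntp", "syslog"]),
    HostInventory("hv-lab-02", "7.0.10", ["ssh", "ntp", "syslog", "snmp", "shell"]),
    HostInventory("hv-lab-03", "6.7.0", ["ntp"]),
]


def audit_hosts(hosts: List[HostInventory] = HOSTS, policy: Policy = POLICY) -> List[dict]:
    return [check_host(h, policy) for h in hosts]


if __name__ == "__main__":
    for result in audit_hosts():
        print(f"{result['host']}: {'compliant' if result['compliant'] else 'findings'}")
        for finding in result["findings"]:
            print("  -", finding)
```

The output separates a version deficiency (a clear policy breach) from extra services (an item to validate with the administrator), which mirrors how the two test steps are written.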
4. Review and evaluate procedures for creating accounts and ensure that accounts are created only when a legitimate business need has been identified.
• Also review and evaluate processes for ensuring that accounts are removed or disabled in a timely fashion in the event of termination or job change.
• Effective controls should govern account creation and deletion.
• Inappropriate or inadequate controls could result in unnecessary access to system resources, placing the integrity and availability of sensitive data at risk.
5. Verify the appropriate management of provisioning and deprovisioning new virtual machines, including appropriate operating system and application licenses.
• Written policies should govern the process used to create new virtual machines, manage users, and allocate software licenses.
6. Evaluate how hardware capacity is managed for the virtualized environment to support existing and future business requirements.
• Business and technical requirements for virtualization can change quickly and frequently, driven by changes in infrastructure, business relationships, customer needs, and regulatory requirements.
• The virtualization hardware and infrastructure must be managed to support both existing business needs and immediate anticipated growth.
7. Evaluate how performance is managed and monitored for the virtualization environment to support existing and anticipated business requirements.
• Virtualization performance of the infrastructure as a whole and for each virtual machine is driven by several factors, including the physical virtualization media, communication protocols, network, data size, CPU, memory, storage architecture, and a host of other factors.
• An inadequate virtualization infrastructure places the business at risk of losing access to critical business applications.
8. Evaluate the policies, processes, and controls for data backup frequency, handling, and offsite management.
• Processes and controls should meet policy requirements, support business continuity/disaster recovery (BC/DR) objectives, and protect sensitive information.
• Data backups present complex challenges for organizations, particularly when it comes to virtualization platforms and other large, central systems.
9. Review and evaluate the security of your remote hypervisor management.
• Secure remote hypervisor management protects the hypervisor from remote attacks that might otherwise disrupt the hypervisor or hosted virtual machines.
• Each of the hypervisor products has its own management tools designed to allow remote administration of the hypervisor and virtual machines.
10. Review and evaluate system administrator procedures for monitoring and maintaining the state of security on the system.
• System security must also be maintained.
• The world of security vulnerabilities is an ever-changing one, and it is unrealistic to believe that a static audit program can provide assurance of system security on a daily basis.
11. Verify that policies and procedures are in place to identify when patches are available and to evaluate and apply applicable patches.
• Ensure that all approved patches are installed per your policy requirements.
• Most virtualization vendors have regularly scheduled patch releases.
• Your business should be aware of the release schedule and should have plans in place for testing and installing patches.
12. Review and evaluate the security around the storage of virtual machine data.
• Virtual machines are stored and manipulated as files that are easily transported, copied, and viewed.
• Shared storage for virtual machines should have controls in place to isolate sensitive virtual machines and content from the rest of the environment.
13. Verify that network encryption of data in motion is implemented where appropriate.
• Policy requirements may require that traffic be encrypted for applications that contain sensitive information or for backing up some virtualized hosts to another location.
14. Evaluate the low-level and technical controls in place to segregate or firewall highly sensitive data on critical virtual machines from the rest of the virtualization environment.
• Controls should exist that restrict access between virtual machines to protect sensitive information such as cardholder data (CD), personally identifiable information (PII), source code, and other types of proprietary data, including administrative rights to the host.
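The practical test behind step 14 is to read the inter-VM firewall policy the way the enforcement point does and ask which non-sensitive guests can reach the sensitive ones. The block below is an added example, not code from the lecture: it evaluates a constructed first-match rule set with default deny between constructed guests and reports every allowed path into a "cardholder" zone, marking those that appear in a constructed register of approved exceptions. The VM names, addresses, zones, rules and exception register are all constructed; the rule order deliberately includes a broad database allow that is shadowed for one segment by an earlier deny but still reachable from another, the kind of defect an auditor wants surfaced.

```python
"""Added example (not from the lecture): evaluate constructed virtual-network firewall
rules between guests for audit step 14.  It answers the question the step poses:
which non-sensitive virtual machines can reach the cardholder-data segment, on
which ports, and is each path a documented exception?  VM names, addresses,
zones, rules and the exception register are all constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    src: str             # source CIDR
    dst: str             # destination CIDR
    port: Optional[int]  # None means any destination port


@dataclass(frozen=True)
class VM:
    name: str
    ip: str
    zone: str            # constructed zone labels: "cardholder" or "general"


def first_match(rules: List[Rule], src_ip: str, dst_ip: str, port: int) -> str:
    """First-match evaluation with an implicit default deny, the usual semantics of
    virtual switch / distributed firewall policies.  Rule order matters: a broad
    allow placed below a deny is shadowed for that deny's sources."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if (src in ipaddress.ip_network(rule.src)
                and dst in ipaddress.ip_network(rule.dst)
                and (rule.port is None or rule.port == port)):
            return rule.action
    return "deny"


def segregation_findings(vms: List[VM], rules: List[Rule], sensitive_zone: str,
                         ports: List[int], approved: Set[Tuple[str, str, int]]) -> List[Dict]:
    """Every allowed (non-sensitive source, sensitive target, port) path is a finding;
    paths in the approved-exception register are labelled so the auditor can focus
    on the unexpected ones."""
    findings = []
    targets = [v for v in vms if v.zone == sensitive_zone]
    sources = [v for v in vms if v.zone != sensitive_zone]
    for s in sources:
        for t in targets:
            for p in ports:
                if first_match(rules, s.ip, t.ip, p) == "allow":
                    findings.append({"source": s.name, "target": t.name, "port": p,
                                     "approved": (s.name, t.name, p) in approved})
    return findings


# Constructed inventory, rule set and exception register.
VMS = [
    VM("pay-db", "10.10.20.5", "cardholder"),
    VM("pay-app", "10.10.20.6", "cardholder"),
    VM("web-01", "10.10.10.11", "general"),
    VM("jumpbox", "10.10.10.50", "general"),
    VM("build-01", "10.10.30.7", "general"),
]
RULES = [
    Rule("allow", "10.10.10.50/32", "10.10.20.0/24", 22),   # documented admin path from the jumpbox
    Rule("deny", "10.10.10.0/24", "10.10.20.0/24", None),   # general server segment blocked
    Rule("allow", "10.10.0.0/16", "10.10.20.5/32", 5432),   # overly broad DB allow: the defect to catch
    Rule("allow", "10.10.20.0/24", "10.10.20.0/24", None),  # intra-zone traffic
]
PORTS = [22, 443, 3389, 5432]
APPROVED_EXCEPTIONS = {("jumpbox", "pay-db", 22), ("jumpbox", "pay-app", 22)}


def run_audit() -> List[Dict]:
    return segregation_findings(VMS, RULES, "cardholder", PORTS, APPROVED_EXCEPTIONS)


def unexpected(findings: List[Dict]) -> List[Dict]:
    return [f for f in findings if not f["approved"]]


if __name__ == "__main__":
    for f in run_audit():
        tag = "approved exception" if f["approved"] else "UNEXPECTED"
        print(f"{f['source']} -> {f['target']}:{f['port']}  {tag}")
```

Note that `web-01` never appears in the findings even though rule 3 would allow it: the earlier deny for its segment shadows the broad allow, while `build-01` on a different segment falls through to it. Checking reachability rather than reading rules one at a time is what makes that visible.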
15. Evaluate the use of baseline templates and the security of guest virtual machines as appropriate to the scope of the audit.
• Baseline templates allow you to provision configured virtual machines quickly.
• One of the best ways to propagate security throughout an environment is to ensure that new systems are built correctly before moving into testing or production.
Auditing Applications
• Each application is unique, whether it supports financial or operational functions, and therefore each has its own unique set of control requirements.
• Business application systems, or applications for short, are computer systems that are used to perform and support specific business processes.
• Your company likely has dozens of applications, each used to perform a particular business function, such as accounts receivable, purchasing, manufacturing, and customer and contact management.
TEST STEPS FOR AUDITING APPLICATIONS
1. Review and evaluate controls built into system transactions over the input of data.
• Online transactions should perform up-front validation and editing to ensure the integrity of data before it is entered into the system’s files and databases.
• Invalid data in the system can result in costly errors.
2. Determine the need for error/exception reports related to data integrity and evaluate whether this need has been filled.
• Error or exception reports allow any potential data integrity problems to be reviewed and corrected when it’s not feasible or practical to use input controls to perform up-front validation of data entered into the system.
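Steps 1 and 2 describe two layers of the same control: reject what can be decided at entry time, and report for review what cannot. The following is an added example, not code from the lecture, showing both layers over a constructed batch of order transactions. The field names, limits, supported currencies, check-digit scheme (Luhn) and all sample records are constructed for illustration. Up-front validation rejects malformed records outright; the possible-duplicate check is deliberately routed to an exception report instead, because a repeated order from the same account on the same day may be legitimate and needs a human decision.

```python
"""Added example (not from the lecture): up-front validation of constructed order
transactions (application audit step 1) combined with an exception report for a
data-integrity condition that cannot be decided at entry time (step 2).  Field
names, limits, currencies, the check-digit scheme and the sample records are all
constructed for illustration."""
from datetime import date
from decimal import Decimal, InvalidOperation
from typing import Dict, List, Tuple

SUPPORTED_CURRENCIES = {"USD", "EUR", "IDR"}
SINGLE_TXN_LIMIT = Decimal("1000000")


def luhn_ok(number: str) -> bool:
    """Luhn check digit: catches single-digit typos and most adjacent transpositions
    in an account identifier before the record is stored."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def validate_transaction(txn: Dict[str, str], today: date) -> List[str]:
    """Return every validation error so the user can correct the record in one pass."""
    errors = []
    acct = txn.get("account_id", "")
    if not (acct.isdigit() and luhn_ok(acct)):
        errors.append("account_id fails check digit")
    try:
        amount = Decimal(txn.get("amount", ""))
        if not amount.is_finite():
            errors.append("amount is not a finite number")
        elif amount <= 0:
            errors.append("amount must be positive")
        elif amount > SINGLE_TXN_LIMIT:
            errors.append("amount exceeds single-transaction limit")
        elif amount.as_tuple().exponent < -2:
            errors.append("amount has more than two decimal places")
    except InvalidOperation:
        errors.append("amount is not numeric")
    if txn.get("currency") not in SUPPORTED_CURRENCIES:
        errors.append("unsupported currency")
    try:
        if date.fromisoformat(txn.get("order_date", "")) > today:
            errors.append("order_date is in the future")
    except ValueError:
        errors.append("order_date is not a valid ISO date")
    return errors


def process_batch(records: List[Dict[str, str]], today: date) -> Tuple[List[dict], List[dict], List[dict]]:
    """Return (accepted, rejected, exceptions).  Rejections are hard input-control
    failures; exceptions are accepted records that need review (step 2)."""
    accepted, rejected, exceptions = [], [], []
    seen: Dict[Tuple[str, str, str], str] = {}
    for txn in records:
        errors = validate_transaction(txn, today)
        if errors:
            rejected.append({"id": txn["id"], "errors": errors})
            continue
        accepted.append(txn)
        key = (txn["account_id"], txn["amount"], txn["order_date"])
        if key in seen:
            exceptions.append({"id": txn["id"], "duplicate_of": seen[key],
                               "reason": "same account, amount and date as an earlier transaction; review, do not auto-reject"})
        else:
            seen[key] = txn["id"]
    return accepted, rejected, exceptions


# Constructed sample batch; 79927398713 is a Luhn-valid identifier, 79927398714 is not.
TODAY = date(2024, 3, 15)
SAMPLE_BATCH = [
    {"id": "T1", "account_id": "79927398713", "amount": "125.50", "currency": "USD", "order_date": "2024-03-01"},
    {"id": "T2", "account_id": "79927398714", "amount": "125.50", "currency": "USD", "order_date": "2024-03-01"},
    {"id": "T3", "account_id": "79927398713", "amount": "-10", "currency": "USD", "order_date": "2024-03-01"},
    {"id": "T4", "account_id": "79927398713", "amount": "12.345", "currency": "EUR", "order_date": "2024-03-02"},
    {"id": "T5", "account_id": "79927398713", "amount": "abc", "currency": "GBP", "order_date": "2024-13-01"},
    {"id": "T6", "account_id": "79927398713", "amount": "125.50", "currency": "USD", "order_date": "2024-03-01"},
    {"id": "T7", "account_id": "79927398713", "amount": "50", "currency": "IDR", "order_date": "2024-12-31"},
]

if __name__ == "__main__":
    acc, rej, exc = process_batch(SAMPLE_BATCH, TODAY)
    print("accepted:", [t["id"] for t in acc])
    print("rejected:", rej)
    print("exception report:", exc)
```

An auditor reviewing this design would confirm that every rejection reason is surfaced to the user (rather than silently dropped) and that the exception report has an owner who actually works it.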
3. Review and evaluate the controls in place over data feeds to and from interfacing systems.
• When an application passes and/or receives data to or from other applications, controls need to be employed to ensure that the data is transmitted completely and accurately.
• Failure to do so can result in costly errors and system disruption.
4. If the same data is kept in multiple databases and/or systems, ensure that periodic sync processes are executed to detect any inconsistencies in the data.
• Storing the same data in multiple places can lead to out-of-sync conditions that result in system errors.
• It can also have a negative impact on business decisions, as erroneous conclusions can be reached using inaccurate data.
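The classic interface controls for step 3 are a record count, a hash total over a numeric field and a digest over the content, all carried in a trailer record and recomputed by the receiver; step 4 is then a periodic comparison of the two systems' copies. The block below is an added example, not code from the lecture. Its pipe-delimited record layout, trailer fields and all invoice values are constructed for illustration; it shows a complete feed verifying clean, a truncated feed and an altered feed being caught, and a reconciliation that reports missing, extra and mismatched records.

```python
"""Added example (not from the lecture): completeness and accuracy controls on a
constructed pipe-delimited invoice feed (application audit step 3) and a
reconciliation of the received records against the receiving system's own copy
(step 4).  The record layout, the trailer fields and all sample values are
constructed for illustration."""
import hashlib
from decimal import Decimal
from typing import Dict, List, Tuple


def build_feed(details: List[Tuple[str, str, str]]) -> str:
    """Sender side: detail records followed by a trailer carrying a record count,
    a hash total of the amounts and a SHA-256 over the detail lines."""
    lines = [f"D|{invoice}|{customer}|{amount}" for invoice, customer, amount in details]
    digest = hashlib.sha256("\n".join(lines).encode()).hexdigest()
    total = sum((Decimal(amount) for _, _, amount in details), Decimal("0"))
    lines.append(f"T|{len(lines)}|{total}|{digest}")
    return "\n".join(lines)


def verify_feed(feed: str) -> Tuple[List[str], Dict[str, Decimal]]:
    """Receiver side: return (problems, records).  An empty problem list means the
    feed arrived complete and unaltered; records are keyed by invoice id."""
    lines = feed.split("\n")
    if not lines[-1].startswith("T|"):
        return ["trailer record missing"], {}
    details, trailer = lines[:-1], lines[-1].split("|")
    if len(trailer) != 4:
        return ["trailer record malformed"], {}
    _, count, hash_total, digest = trailer
    malformed = [l for l in details if not l.startswith("D|") or len(l.split("|")) != 4]
    if malformed:
        return [f"{len(malformed)} malformed detail record(s)"], {}
    problems = []
    if int(count) != len(details):
        problems.append(f"trailer count {count} but {len(details)} detail records received")
    records = {f[1]: Decimal(f[3]) for f in (l.split("|") for l in details)}
    actual_total = sum(records.values(), Decimal("0"))
    if Decimal(hash_total) != actual_total:
        problems.append(f"hash total {hash_total} but amounts sum to {actual_total}")
    if hashlib.sha256("\n".join(details).encode()).hexdigest() != digest:
        problems.append("detail digest mismatch: content altered in transit")
    return problems, records


def reconcile(source: Dict[str, Decimal], target: Dict[str, Decimal]) -> Dict[str, List[str]]:
    """Periodic sync check between two systems holding the same invoices (step 4)."""
    both = set(source) & set(target)
    return {
        "missing_in_target": sorted(set(source) - set(target)),
        "extra_in_target": sorted(set(target) - set(source)),
        "amount_mismatch": sorted(k for k in both if source[k] != target[k]),
    }


# Constructed feed and two damaged variants.
DETAILS = [("INV-1001", "C-17", "250.00"), ("INV-1002", "C-42", "19.99"), ("INV-1003", "C-17", "1200.00")]
FEED = build_feed(DETAILS)
_lines = FEED.split("\n")
TRUNCATED_FEED = "\n".join(_lines[:2] + [_lines[3]])   # one detail record lost, trailer intact
TAMPERED_FEED = FEED.replace("|19.99", "|99.99")        # one amount altered in transit
# Constructed copy of the same invoices held by the receiving system.
TARGET_COPY = {"INV-1001": Decimal("250.00"), "INV-1002": Decimal("19.90"), "INV-1004": Decimal("5.00")}

if __name__ == "__main__":
    problems, records = verify_feed(FEED)
    print("clean feed:", problems or "no problems")
    print("truncated feed:", verify_feed(TRUNCATED_FEED)[0])
    print("tampered feed:", verify_feed(TAMPERED_FEED)[0])
    print("reconciliation:", reconcile(records, TARGET_COPY))
```

The three trailer controls are complementary: the count catches truncation, the hash total catches an altered amount, and the digest catches any change at all, including to non-numeric fields the hash total does not cover.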
5. Review and evaluate the audit trails present in the system and the controls over those audit trails.
• Audit trails (or audit logs) are useful for troubleshooting and helping to track down possible breaches of your application.
• Review the application with the developer or administrator to ensure that information is captured when key data elements are changed and key activities are performed.
6. Ensure that the system provides a means of tracing a transaction or piece of data from the beginning to the end of the process enabled by the system.
• This is important to verify that the transaction was fully processed and to pinpoint any errors or irregularities in the processing of that data.
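Steps 5 and 6 come together in one structure: an append-only audit trail that records who changed which key data element (with old and new values) and that can be filtered by transaction identifier to reconstruct the transaction's full path. The block below is an added example, not code from the lecture. It adds a hash chain so that the "controls over those audit trails" part of step 5 is testable: altering or recomputing an entry is detected by `verify_chain`. Actors, purchase-order identifiers, timestamps and detail fields are constructed for illustration.

```python
"""Added example (not from the lecture): a hash-chained audit trail with end-to-end
transaction tracing, for application audit steps 5 and 6.  Every entry records the
actor, the transaction it belongs to, the action and the changed values; the chain
lets a reviewer detect alteration of stored entries.  Actors, transaction ids,
timestamps and detail fields are constructed."""
import hashlib
import json
from dataclasses import dataclass
from typing import Any, Dict, List


@dataclass
class AuditEntry:
    seq: int
    timestamp: str
    actor: str
    transaction_id: str
    action: str
    detail: Dict[str, Any]
    prev_hash: str
    entry_hash: str = ""


class AuditTrail:
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: List[AuditEntry] = []

    @staticmethod
    def _hash(e: AuditEntry) -> str:
        # Canonical JSON so the same content always hashes the same way.
        payload = json.dumps([e.seq, e.timestamp, e.actor, e.transaction_id,
                              e.action, e.detail, e.prev_hash], sort_keys=True)
        return hashlib.sha256(payload.encode()).hexdigest()

    def record(self, timestamp: str, actor: str, transaction_id: str,
               action: str, detail: Dict[str, Any]) -> AuditEntry:
        prev = self.entries[-1].entry_hash if self.entries else self.GENESIS
        entry = AuditEntry(len(self.entries) + 1, timestamp, actor, transaction_id, action, detail, prev)
        entry.entry_hash = self._hash(entry)
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> List[int]:
        """Return the seq numbers of entries whose content or link to the previous
        entry no longer matches; an empty list means the trail is intact."""
        bad, prev = [], self.GENESIS
        for e in self.entries:
            if e.prev_hash != prev or self._hash(e) != e.entry_hash:
                bad.append(e.seq)
            prev = e.entry_hash
        return bad

    def trace(self, transaction_id: str) -> List[str]:
        """Step 6: the whole life of one transaction, in order."""
        return [f"{e.timestamp} {e.actor} {e.action} {json.dumps(e.detail, sort_keys=True)}"
                for e in self.entries if e.transaction_id == transaction_id]


def build_sample_trail() -> AuditTrail:
    """Constructed activity for two purchase orders."""
    t = AuditTrail()
    t.record("2024-03-01T09:00:00Z", "alice", "PO-1001", "create", {"amount": 1200, "vendor": "V-77"})
    t.record("2024-03-01T09:05:00Z", "alice", "PO-1001", "update", {"field": "amount", "old": 1200, "new": 1500})
    t.record("2024-03-01T10:00:00Z", "bob", "PO-1001", "approve", {"amount": 1500})
    t.record("2024-03-02T08:00:00Z", "carol", "PO-1002", "create", {"amount": 80, "vendor": "V-12"})
    t.record("2024-03-03T11:00:00Z", "system", "PO-1001", "pay", {"amount": 1500, "payment_ref": "PAY-5"})
    return t


if __name__ == "__main__":
    trail = build_sample_trail()
    print("\n".join(trail.trace("PO-1001")))
    print("chain intact:", trail.verify_chain() == [])
    trail.entries[1].detail["new"] = 9999          # after-the-fact edit of a stored entry
    print("after tampering, bad entries:", trail.verify_chain())
```

Two tampering cases behave differently and both are worth understanding: editing an entry's content breaks that entry's own hash, while recomputing the hash to hide the edit breaks the next entry's `prev_hash` link instead. Either way the reviewer sees a non-empty result.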
7. Review and evaluate processes for monitoring and maintaining the state of security on the system.
• If processes don’t exist for security monitoring and maintenance, security holes could exist, and security incidents could occur without anyone’s knowledge.
8. Ensure that the application provides a mechanism that authenticates users based, at a minimum, on a unique identifier for each user and a confidential password.
• Failure to authenticate users or just having a poor authentication scheme presents an open opportunity for curious users and malicious attackers to access your system.
9. Review and evaluate the application’s authorization mechanism to ensure that users are not allowed to access any sensitive transactions or data without first being authorized by the system’s security mechanism.
• The system’s security mechanism should allow for each system user to be given a specific level of access to the application’s data and transactions.
10. Ensure that the system’s security/authorization mechanism has an administrator function with appropriate controls and functionality.
• The administrator user function should exist to help administer users, data, and processes.
• This account or functionality should be tightly controlled in the application to prevent compromise and disruption of services to other users.
11. Determine whether the security mechanism enables any applicable approval processes.
• The application’s security mechanism should support granular controls over who can perform what approval processes and then lock data that has been formally approved from modification by a lower authority.
• Otherwise, a lower-authority or malicious user could modify or corrupt data in the system.
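Steps 8, 9 and 11 describe one security mechanism seen from three angles: unique identifiers with confidential passwords, per-user access levels, and approval that locks a record against lower-authority modification. The following is an added example, not code from the lecture, of a minimal application core that implements all three so the behaviours can be tested together: passwords are stored as salted PBKDF2 hashes and compared in constant time, every sensitive operation passes through `authorize`, and an approved invoice rejects edits from anyone below the approver's authority level. Role names, permission strings, user names and passwords are constructed for illustration.

```python
"""Added example (not from the lecture): authentication, role-based authorization and
approval locking in one small application core, for application audit steps 8, 9
and 11.  Roles, permission strings, user ids and passwords are constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Set

# Constructed role model: what each role may do, and how much authority it carries.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "clerk": {"invoice:create", "invoice:edit"},
    "approver": {"invoice:view", "invoice:edit", "invoice:approve"},
    "admin": {"user:manage"},
}
ROLE_LEVEL = {"clerk": 1, "approver": 2, "admin": 3}
PBKDF2_ITERATIONS = 100_000


class AuthError(Exception):
    """Raised for failed authentication or a denied authorization check."""


@dataclass
class User:
    user_id: str
    role: str
    salt: bytes
    pw_hash: bytes


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class Application:
    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        self.invoices: Dict[str, dict] = {}

    def add_user(self, user_id: str, password: str, role: str) -> None:
        if user_id in self.users:
            raise ValueError("user_id must be unique (step 8)")
        salt = os.urandom(16)
        self.users[user_id] = User(user_id, role, salt, hash_password(password, salt))

    def authenticate(self, user_id: str, password: str) -> User:
        user = self.users.get(user_id)
        # Hash even for an unknown user so timing does not reveal which ids exist.
        salt = user.salt if user else bytes(16)
        candidate = hash_password(password, salt)
        if user is None or not hmac.compare_digest(user.pw_hash, candidate):
            raise AuthError("invalid credentials")
        return user

    def authorize(self, user: User, permission: str) -> None:
        """Step 9: no sensitive transaction without an explicit grant."""
        if permission not in ROLE_PERMISSIONS.get(user.role, set()):
            raise AuthError(f"{user.user_id} ({user.role}) lacks {permission}")

    def create_invoice(self, user: User, inv_id: str, amount: int) -> None:
        self.authorize(user, "invoice:create")
        self.invoices[inv_id] = {"amount": amount, "approved_by": None, "approval_level": 0}

    def edit_invoice(self, user: User, inv_id: str, amount: int) -> None:
        self.authorize(user, "invoice:edit")
        inv = self.invoices[inv_id]
        # Step 11: approved data is locked against modification by a lower authority.
        if inv["approved_by"] and ROLE_LEVEL[user.role] < inv["approval_level"]:
            raise AuthError("record locked by a higher-authority approval")
        inv.update(amount=amount, approved_by=None, approval_level=0)  # edit voids the approval

    def approve_invoice(self, user: User, inv_id: str) -> None:
        self.authorize(user, "invoice:approve")
        inv = self.invoices[inv_id]
        inv.update(approved_by=user.user_id, approval_level=ROLE_LEVEL[user.role])


def run_scenario() -> dict:
    """Constructed walk-through; returns the observed control outcomes."""
    app = Application()
    app.add_user("clerk01", "Sample-Clerk-Pw-1", "clerk")
    app.add_user("mgr01", "Sample-Mgr-Pw-2", "approver")
    out = {}
    try:
        app.authenticate("clerk01", "wrong-password")
        out["bad_password_rejected"] = False
    except AuthError:
        out["bad_password_rejected"] = True
    clerk = app.authenticate("clerk01", "Sample-Clerk-Pw-1")
    mgr = app.authenticate("mgr01", "Sample-Mgr-Pw-2")
    app.create_invoice(clerk, "INV-1", 500)
    try:
        app.approve_invoice(clerk, "INV-1")
        out["clerk_self_approval_blocked"] = False
    except AuthError:
        out["clerk_self_approval_blocked"] = True
    app.approve_invoice(mgr, "INV-1")
    try:
        app.edit_invoice(clerk, "INV-1", 5000)
        out["post_approval_edit_blocked"] = False
    except AuthError:
        out["post_approval_edit_blocked"] = True
    out["amount_after_attempts"] = app.invoices["INV-1"]["amount"]
    return out


if __name__ == "__main__":
    print(run_scenario())
```

The design choice worth noting for step 11 is that an edit by someone with sufficient authority clears the approval rather than preserving it, so a changed amount can never carry a stale approval forward.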
12. Review and evaluate processes for granting access to users. Ensure that access is granted only when there is a legitimate business need.
• Users should have access granted and governed by the application administrator(s) to prevent unauthorized access to areas outside the user’s intended scope.
• The application should have controls in place, and the administrator(s) should have processes in place to prevent users from having more access than is required for their roles.
13. Review processes for removing user access when it is no longer needed.
• Ensure that a mechanism or process is in place that suspends user access on termination from the company or on a change of jobs within the company.
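Virtualization step 4 and application steps 12 and 13 are tested the same way in practice: obtain the HR roster, obtain the account and entitlement listing from each system, and compare. The block below is an added example, not code from the lecture, serving all three passages. It reports terminated users still enabled past a grace period, transferred users who retained entitlements from their previous role (step 12's "more access than is required"), accounts with no HR owner at all, and enabled privileged accounts that have gone dormant. The roster, account listings, system names, entitlement strings and thresholds are constructed for illustration.

```python
"""Added example (not from the lecture): a joiner/mover/leaver review serving
virtualization step 4 and application steps 12 and 13.  It compares a constructed
HR roster with constructed account listings and reports terminated users still
enabled past a grace period, transferred users who kept entitlements from their
previous role, accounts with no HR owner, and dormant enabled accounts.  All names,
systems, entitlement strings and thresholds are constructed."""
from datetime import date
from typing import Dict, List

GRACE_DAYS = 1      # disablement expected within one business day of termination
DORMANT_DAYS = 90   # an enabled account unused this long is reviewed

# Approved entitlements per role (constructed).
APPROVED = {
    "clerk": {"ap:enter"},
    "approver": {"ap:view", "ap:approve"},
    "vm-admin": {"hv:admin"},
}


def review_accounts(hr: Dict[str, dict], accounts: List[dict], as_of: date) -> List[dict]:
    findings = []

    def flag(acct: dict, issue: str) -> None:
        findings.append({"user": acct["user"], "system": acct["system"], "issue": issue})

    for acct in accounts:
        person = hr.get(acct["user"])
        if person is None:
            flag(acct, "no matching HR record (orphan account or service account without an owner)")
            continue
        effective = date.fromisoformat(person["effective"])
        if person["status"] == "terminated":
            days = (as_of - effective).days
            if acct["enabled"] and days > GRACE_DAYS:
                flag(acct, f"terminated user still enabled {days} days after termination")
            continue
        extra = acct["entitlements"] - APPROVED.get(person["role"], set())
        if extra:
            note = " (likely retained from previous role)" if person["status"] == "transferred" else ""
            flag(acct, f"entitlements {sorted(extra)} not approved for current role '{person['role']}'{note}")
        idle = (as_of - date.fromisoformat(acct["last_login"])).days
        if acct["enabled"] and idle > DORMANT_DAYS:
            flag(acct, f"enabled account unused for {idle} days")
    return findings


# Constructed HR roster and account listings as of a constructed review date.
AS_OF = date(2024, 3, 15)
HR = {
    "alice": {"status": "active", "role": "clerk", "effective": "2023-01-10"},
    "bob": {"status": "terminated", "role": "approver", "effective": "2024-02-01"},
    "carol": {"status": "transferred", "role": "approver", "effective": "2024-02-20"},  # was a clerk
    "dave": {"status": "active", "role": "vm-admin", "effective": "2022-06-01"},
}
ACCOUNTS = [
    {"user": "alice", "system": "ap-app", "entitlements": {"ap:enter"}, "enabled": True, "last_login": "2024-03-10"},
    {"user": "bob", "system": "ap-app", "entitlements": {"ap:view", "ap:approve"}, "enabled": True, "last_login": "2024-01-30"},
    {"user": "carol", "system": "ap-app", "entitlements": {"ap:enter", "ap:view", "ap:approve"}, "enabled": True, "last_login": "2024-03-11"},
    {"user": "dave", "system": "hypervisor-mgmt", "entitlements": {"hv:admin"}, "enabled": True, "last_login": "2023-11-01"},
    {"user": "svc-legacy", "system": "hypervisor-mgmt", "entitlements": {"hv:admin"}, "enabled": True, "last_login": "2024-03-01"},
]


def run_review() -> List[dict]:
    return review_accounts(HR, ACCOUNTS, AS_OF)


if __name__ == "__main__":
    for f in run_review():
        print(f"{f['system']}/{f['user']}: {f['issue']}")
```

Running the comparison from the HR side as well (people who should have access but do not) is a useful availability check, but the security findings come from the account side shown here.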
14. Verify that the application has appropriate password controls.
• Determine whether default application account passwords have been changed.
• The appropriateness of the password controls depends on the sensitivity of the data used within the application.
• Overly weak passwords make the application easier to compromise, and overly strong passwords could place unnecessary overhead on usage of the system.
15. Ensure that users are automatically logged off from the application after a certain period of inactivity.
• Without timeout controls, an unauthorized user could obtain access to the application by accessing a logged-in workstation where the legitimate user didn’t log off and the application is still active.
16. Evaluate the use of encryption techniques to protect application data.
• The need for encryption is determined most often by either policy, regulation, the sensitivity of the network, or the sensitivity of the data in the application.
• Encryption techniques should be used for passwords and other confidential data that is sent across the network.
17. Evaluate application developer access to alter production data.
• System developers should not be given access to alter production data in order to establish appropriate segregation of duties.
• Data entry and alteration should generally be performed by business users.
18. Ensure that the application software cannot be changed without going through a standard checkout/staging/testing/approval process after it is placed into production.
• It should not be possible for developers to update production code directly.
• Your production code is your application, and it should be strictly controlled.
19. Evaluate controls regarding code checkout and versioning.
• Strong software controls regarding code checkout and versioning provide accountability, protect the integrity of the code, and have been shown to improve maintenance and reliability.
20. Evaluate controls regarding the testing of application code before it is placed into a production environment.
• Improperly tested code may have serious performance or vulnerability issues when placed into production with live data.
21. Evaluate controls regarding batch scheduling.
• Many applications execute programs in batch (offline) mode.
22. Determine whether a business impact analysis (BIA) has been performed on the application to establish backup and recovery needs.
• A BIA is performed to obtain input from the application’s business users regarding the impact to the business in the event of an extended outage of the application (such as in the event of a disaster).
23. Ensure that appropriate backup controls are in place.
• Failure to back up critical application data may severely disrupt business operations in the event of a disaster, resulting in total loss of the application and its data with no ability to recover it.
24. Ensure that appropriate recovery controls are in place.
• Recovery procedures and testing are necessary to ensure that the recovery process is understood and that it functions operationally as intended.
25. Evaluate controls regarding the application’s data retention.
• Data should be archived and retained in accordance with business, tax, and legal requirements.
• Failure to do so could result in penalties and operational issues caused by the inability to obtain needed data.
26. Evaluate the controls regarding data classification within the application.
• All application data should be assigned a business owner, and this owner should classify the data (for example, public, internal use only, or confidential).
• This provides assurance that the data is being protected in alignment with its sensitivity.
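Steps 25 and 26 depend on each other: a retention period can only be applied once a business owner has classified the record. The block below is an added example, not code from the lecture, that makes that dependency explicit. Records without an owner or a classification come back as exceptions rather than being purged or kept by accident, a legal hold overrides the schedule, confidential data that becomes purge-eligible is marked for secure deletion, and the leap-day edge case in computing an expiry date is handled. The retention schedule, classifications and records are constructed for illustration; real retention periods come from the business, tax and legal requirements the step refers to.

```python
"""Added example (not from the lecture): retention decisions for constructed
application records under application audit steps 25 and 26.  Each record needs a
business owner and a classification before a retention period can be applied; a
legal hold overrides the schedule; the leap-day edge case in the expiry calculation
is handled.  The schedule, classifications and records are constructed."""
from datetime import date
from typing import Dict, List

# Years a record is kept after it is closed, by classification (constructed schedule).
RETENTION_YEARS = {"public": 1, "internal": 3, "confidential": 7}


def add_years(d: date, years: int) -> date:
    """Feb 29 plus N years lands on Feb 28 when the target year is not a leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_decision(record: dict, as_of: date) -> str:
    # Step 26 first: without an owner there is nobody to classify, and without a
    # classification no schedule applies.
    if not record.get("owner"):
        return "exception: no business owner assigned; classification and retention cannot be determined"
    cls = record.get("classification")
    if cls not in RETENTION_YEARS:
        return "exception: unclassified record; handle as confidential until the owner classifies it"
    # A legal hold suspends the schedule regardless of age.
    if record.get("legal_hold"):
        return "retain: legal hold overrides the retention schedule"
    expiry = add_years(date.fromisoformat(record["closed_on"]), RETENTION_YEARS[cls])
    if as_of >= expiry:
        return "purge-eligible" + (" (secure deletion required)" if cls == "confidential" else "")
    return f"retain until {expiry.isoformat()}"


def decide_all(records: List[dict], as_of: date) -> Dict[str, str]:
    return {r["id"]: retention_decision(r, as_of) for r in records}


# Constructed records and review date.
AS_OF = date(2024, 3, 15)
RECORDS = [
    {"id": "R1", "owner": "sales-ops", "classification": "public", "closed_on": "2022-01-01", "legal_hold": False},
    {"id": "R2", "owner": "finance", "classification": "internal", "closed_on": "2022-06-30", "legal_hold": False},
    {"id": "R3", "owner": "hr", "classification": "confidential", "closed_on": "2016-02-29", "legal_hold": False},
    {"id": "R4", "owner": "finance", "classification": "confidential", "closed_on": "2016-05-01", "legal_hold": True},
    {"id": "R5", "owner": "finance", "classification": None, "closed_on": "2020-01-01", "legal_hold": False},
    {"id": "R6", "owner": None, "classification": "internal", "closed_on": "2020-01-01", "legal_hold": False},
]

if __name__ == "__main__":
    for rec_id, decision in decide_all(RECORDS, AS_OF).items():
        print(rec_id, decision)
```

The two exception outcomes are the audit evidence for step 26: each one is a record the application is holding without knowing how sensitive it is or who is accountable for it.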
27. Evaluate overall user involvement and support for the application.
• Without appropriate user involvement and support, the application may not adequately provide for user needs or appropriately support the business.