Lecture 8 - Security Audit

CC7178

Cyber Security Management

Lecture 8

IT Security Audit

CC7178 Cyber Security Management


Learning Objectives
• IT Audit Overview
• IT Audit Process
• IT Auditing Techniques
• IT/IS Security Audit
• IT/IS Security Audit Tools
• Security Management Audit (Guest Lecture)


IT Audit Overview
• Potential auditing subject areas



Auditing Subject Areas
• Data Centre Facilities – the physical building and data centre housing the computer equipment on which the system in question resides
• Networks – this layer includes basic devices such as firewalls, switches, routers, etc.
• System Platforms – the basic operating environment on which the higher-level application runs
Auditing Subject Areas (cont.)
• Databases – organize and provide access to the data used by the end applications
• Applications – the layer seen and accessed by the end users; this could be an enterprise resource planning (ERP) application providing basic business functions, an email application, or a system that allows conference rooms to be scheduled.
IT Audit Process
• Internal Controls – mechanisms that ensure the proper functioning of processes within the company.
• Every system and process within a company exists for some specific business purpose.
• The auditor must look for the existence of risks to those purposes and ensure that internal controls are in place to mitigate those risks.
IT Audit Process Overview



Six Major Audit Phases
• Planning – to determine the objectives and scope of the audit
• Fieldwork and Documentation – to acquire data and perform interviews, which will help team members to analyze the potential risks and the risks which have not been mitigated appropriately
• Issue Discovery and Validation – to develop a list of potential concerns and discuss them with the customers (validation)
Six Major Audit Phases (cont.)
• Solution Development – to develop (with your customer) an action plan for addressing each issue
• Report Drafting and Issuance – to draft the audit report
• Issue Tracking – to follow up on the points from the audit with the responsible customers as the due date for each point approaches
IT Auditing Techniques
For further details, please refer to chapters 3 - 14 of “IT Auditing: Using Controls to Protect Information Assets”, 2/E, Chris Davis and Mike Schiller with Kevin Wheeler, McGraw Hill, ISBN 978-0-07-174238-2, 2011
• Auditing Entity-Level Controls
• Auditing Data Centers and Disaster Recovery
• Auditing Routers, Switches, and Firewalls
• Auditing Windows Operating Systems
• Auditing Unix and Linux Operating Systems
• Auditing Web Servers and Web Applications
• Auditing Databases
• Auditing Storage
• Auditing Virtualized Environments
• Auditing WLAN and Mobile Devices
• Auditing Applications
• Auditing Cloud Computing and Outsourced Operations
IT/IS Security Audit
• An IS Security Audit or IT Security Audit – a specified process designed to assess the security risks facing an organisation and the controls or countermeasures adopted by the organisation to mitigate those risks.
• The IS/IT Security Audit – the assessment of the security of an organisation's networked infrastructure, comprising computer systems, networks, operating system software, application software, etc.


IT/IS Security Audit (cont.)
• Typically a process carried out by people with technical and business knowledge of the company's information technology assets and business processes
• As part of any audit, the auditors will interview key personnel, conduct vulnerability assessments & penetration testing, catalogue existing security policies and controls, and examine IT assets
• The auditors rely heavily on technology, manual effort & tools to perform the audit.


IT Security Audit Tools
Freeware Tools:
1. NMAP - Port Scanning.
2. Super Scan - Port Scanning.
3. Netcat - Network Utility.
4. Telnet Client - Network Utility.
5. Putty - Network Utility.
6. SNMPWalk - SNMP Scanner.
7. User2SID & SID2User - Look up Windows service identifiers.
8. John The Ripper - Unix and NT password cracker.
9. WireShark - Network protocol analyzer for Unix and Windows.
10. Snort - A free lightweight network intrusion detection system for UNIX and Windows.
11. Metasploit - Exploitation Framework.
12. Backtrack Live CD - Exploitation framework.
13. Nikto - Network Vulnerability Scanner.
14. BlackWidow - Website Profiling Tool.
15. Wget - Network Utility.
16. Paros - HTTP Interceptor.
17. Burp Suite - HTTP Interceptor.
18. Brutus - Brute Force Password Attack.
19. WFetch - HTTP Raw Methods Debugging.
20. AnEc Cookie Editor (Firefox Plug-in) - Cookie Editor.
21. Netstumbler - Detection of Wireless LANs.
22. Kismet - 802.11 wireless network detector, sniffer, and intrusion detection system.
23. MYSQL Administration Tool - MYSQL Administration.
24. GoCR Decoder - OCR reader.
IT Security Audit Tools (cont.)
Commercial Tools:
1. Acunetix - Web Vulnerability Scanning Tool.
2. CodeSecure – Code Review Tool
3. Nessus – Network Vulnerability Scanner

Proprietary Tools:
1. PHP Security Audit Script: this script checks for insecure web configurations.


Main Reference
• IT Auditing, using controls to protect information assets,
2/E, Chris Davis and Mike Schiller with Kevin Wheeler,
McGraw Hill, ISBN 978-0-07-174238-2, 2011



Security Management Audit
“Auditing for Security Management”
by Cyril Onwubiko
Guest Lecture at
London Metropolitan University
17th April, 2007



Overview
• Background
• Practice
• Audit Trail Analysis


Background



Problem Statement
• To assess the effectiveness of an organisation's ability to protect its valued/critical assets

Context
• To Evaluate/Examine:
  – Policy
  – Processes and Procedures
  – Operations

Why
• Security Audit is performed to ensure:
  – Compliance with Standards & Laws
  – Valued Assets are Protected
• To Recommend:
  – Improvement and Enforcement of Controls


Practice



General Concept

Diagram (layout not recoverable as text) of the areas a security audit covers, together with Security Policy and Auditing: System and Network Protection, Disaster Recovery, Physical Access, Backup, Logging & Monitoring, Compliance Controls, Data Protection, Web Usage & Filtering, Security Vulnerability, Business Continuity, Security Threats.


Things to Consider Before an Audit
• Who to Use:
  – Internal Auditor
  – External Auditor
• Type of Audit:
  – IS/IT Technical - Minimise Loss/Failure
  – IS/IT Efficiency - Minimise Costs and Increase Return On Investment (ROI)
  – IS/IT Assessment - Certification & Compliance
  – Software Assessment - Inventory/People/Performance
  – Information Security - Verify Compliance/Best Practices.
• Guarantee:
  – Due Care


Guidelines
Authority/Certificates:
• ISACA: Information Security Audit & Control Association (https://www.isaca.org/Pages/default.aspx)
  – Recommends Computer Systems Audit and Controls.
  – Example: COBIT - Control Objectives for Information & related Technology (IT Governance Institute)
• GIAC (Global Information Assurance Certification)
  – GIAC Systems and Network Auditor (GSNA) (http://www.giac.org/certification/systems-network-auditor-gsna)
  – GIAC Security Leadership (GSLC)
  – GIAC Information Security Professional (GISP)
  – GIAC Certified ISO-27000 Specialist (G2700)
  – GIAC Certified Project Manager (GCPM)
Guidelines (cont.)
• Laws:
  – HIPAA: Health Insurance Portability & Accountability Act (1996) (http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/)
    • Responsible for ensuring health information is protected and secured.
    • Protected Health Information (PHI)


Guidelines (cont.)
Laws:
• GLBA: Gramm-Leach-Bliley Act (1999)
  – Financial Section guideline for IS Controls
  – Provides Risk Management Controls
• CISAA: Corporate Information Security Accountability Act (2003)
  – Information Security Accountability Controls
  – All publicly-traded companies to conduct independent computer security assessments and report the results yearly
• CSBIA: California Security Breach Information Act (2003)
  – Disclosure of security breaches
  – Responsible to: Shareholders, Customers & 3rd parties
• etc.


Audit Trail Analysis



Security Audit

Diagram: the questions an audit has to answer, arranged around the word "Audit": How? Which? Who? Where? What? When?


Audit Trail Analysis
Audit Trail:
• A collection of logged Computer/Network Events, comprising:
  – Operating System
  – Application
  – User Activities
• Example: Syslog, Sulog, Lastlog, Eventlog, etc.


Audit Policy

Fig. 1: Event Viewer    Fig. 2: Audit Policy

Further information:
http://www.sans.org/security-resources/idfaq/logging-windows.php


Controls
Data Analysers
• Intrusion Detection Systems
• Integrity Checks – example: Tripwire (a security and data integrity tool useful for monitoring and alerting on specific file change(s) on a range of systems)
• Security Information Management Systems – example: Arcsight & SEC (SEC is a tool for accomplishing event correlation tasks in the domains of log analysis, system monitoring, network and security management, etc. Event correlation is a procedure where a stream of events is processed in order to detect (and act on) certain event groups that occur within predefined time windows.)
• Accountability Tools – example: RADIUS & Loglogic
• Investigation – Security Forensics
• Recovery – Business Continuity, Backup



Sample Event Log – Anonymised

more ./messages | grep backupuser

Mar 20 05:21:00 10.0.0.2 Mar 20 2008 04:40:04: %PIX-5-611103: User logged in: Uname: backupuser
Mar 20 05:21:22 10.0.0.1 Mar 20 2008 04:45:56: %PIX-6-315011: SSH session from 10.0.0.3 on interface testbackup-mgmt for user "backupuser"
Mar 20 05:21:24 10.0.0.2 Mar 20 2008 04:59:59: %PIX-6-109005: Authentication succeeded for user 'backupuser' from 10.0.0.3/24936 to 10.0.0.2/22 on interface testbackup-mgmt
Mar 20 05:21:24 10.0.0.2 Mar 20 2008 04:59:59: %PIX-6-605005: Login permitted from 10.0.0.3/24936 to testbackup-mgmt:10.0.0.2/ssh for user "backupuser"


Correlation
Fig. 3: Events correlated to an incident (Event 1, Event 2 and Event 3 are combined into one Incident)

Fig. 4: Example of a Port scan incident (hosts h1 to h5)
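The sample log above was filtered for one user by hand; this added Python example (not SEC's or the lecturer's code) does the correlation of Fig. 3 and Fig. 4 programmatically, applying the time-window idea described for SEC to constructed PIX-style lines: deny events from one source to many distinct destination ports inside a window are rolled up into a single port-scan incident. Message id 106023 (access-group deny), the addresses and the log lines are constructed sample values.

```python
"""Audit-trail correlation over PIX-style syslog (added example, not SEC's code).
Groups deny events per source within a time window, the SEC notion of an event
group, and reports a port-scan incident. Log lines are constructed samples."""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ "             # relay timestamp and relay host
    r"(?P<ts>\w{3} +\d+ \d{4} \d\d:\d\d:\d\d): "   # device timestamp (the one we trust)
    r"%PIX-(?P<sev>\d)-(?P<msgid>\d+): (?P<text>.*)$")
DENY_RE = re.compile(r"Deny \w+ src \S+:(?P<src>[\d.]+)/\d+ dst \S+:(?P<dst>[\d.]+)/(?P<dport>\d+)")

SAMPLE_LOG = """\
Mar 20 05:21:00 10.0.0.2 Mar 20 2008 04:40:04: %PIX-5-611103: User logged in: Uname: backupuser
Mar 20 05:30:01 10.0.0.2 Mar 20 2008 05:10:00: %PIX-4-106023: Deny tcp src outside:203.0.113.9/40001 dst inside:10.0.0.2/21 by access-group "outside_in"
Mar 20 05:30:04 10.0.0.2 Mar 20 2008 05:10:03: %PIX-4-106023: Deny tcp src outside:203.0.113.9/40002 dst inside:10.0.0.2/22 by access-group "outside_in"
Mar 20 05:30:07 10.0.0.2 Mar 20 2008 05:10:06: %PIX-4-106023: Deny tcp src outside:203.0.113.9/40003 dst inside:10.0.0.2/23 by access-group "outside_in"
Mar 20 05:30:10 10.0.0.2 Mar 20 2008 05:10:09: %PIX-4-106023: Deny tcp src outside:203.0.113.9/40004 dst inside:10.0.0.2/25 by access-group "outside_in"
Mar 20 05:30:13 10.0.0.2 Mar 20 2008 05:10:12: %PIX-4-106023: Deny tcp src outside:203.0.113.9/40005 dst inside:10.0.0.2/80 by access-group "outside_in"
Mar 20 05:30:16 10.0.0.2 Mar 20 2008 05:10:15: %PIX-4-106023: Deny tcp src outside:203.0.113.9/40006 dst inside:10.0.0.2/443 by access-group "outside_in"
Mar 20 05:31:00 10.0.0.2 Mar 20 2008 05:10:58: %PIX-4-106023: Deny tcp src outside:198.51.100.5/51000 dst inside:10.0.0.2/22 by access-group "outside_in"
this line is not in PIX format and must be skipped
"""

def parse(lines):
    """Yield (device timestamp, message id, text) for lines in PIX format; skip others."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"), m["msgid"], m["text"]

def port_scan_incidents(lines, window_s=60, min_ports=5):
    """Correlate 106023 denies per source; report sources touching >= min_ports distinct
    destination ports within window_s seconds (one incident per source)."""
    by_src = defaultdict(list)
    for ts, msgid, text in parse(lines):
        d = DENY_RE.search(text)
        if msgid == "106023" and d:
            by_src[d["src"]].append((ts, int(d["dport"])))
    incidents = []
    for src, hits in sorted(by_src.items()):
        hits.sort()
        for i, (start, _) in enumerate(hits):  # slide the window from each event
            ports = {p for t, p in hits[i:] if (t - start).total_seconds() <= window_s}
            if len(ports) >= min_ports:
                incidents.append({"src": src, "start": start, "ports": sorted(ports)})
                break
    return incidents
```

The device timestamp is parsed rather than the relay's, because the two clocks in the sample log differ by about twenty minutes and correlation windows must be measured on one clock.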



Open Source Initiatives
• Software
  – PreventSys – McAfee PreventSys Risk and Compliance Audit
  – QualysGuard Consultant
• Proactive Monitoring Technique:
  – SEC (Simple Event Correlator)
  – OS-SIM (Open Source Security Information Management)
  – PADS (Passive Asset Detection Systems)
  – SNORT – Open Source IDS
  – BASE (Basic Analysis Security Engine), e.g. Alert Management


Conclusion
• Audit for Security Management aims to evaluate:
  – Policies, practices and operations
  – For compliance, detection, protection and forensics.
• Requires Tools and Techniques
• Recommendations:
  – Periodic security audits to assess whether security needs are satisfied
  – Make contingency, business continuity and disaster recovery plans in case controls fail.
Resources/References
1. CEE: Common Event Expression - http://cee.mitre.org/
2. PreventSys - http://www.mcafee.com/us/enterprise/products/risk_management/index.html
3. QualysGuard Consultant - http://www.qualys.com/partners/qgcon/
4. CAPEC: Common Attack Pattern Enumeration and Classification - http://capec.mitre.org/data/index.html
5. ATFG: Audit Trails Format Group - http://www.cerias.purdue.edu/about/history/coast/projects/audit-trails-format.html
6. SEC: Simple Event Correlator - http://kodu.neti.ee/~risto/sec/
7. BASE: Basic Analysis and Security Engine - http://base.secureideas.net/screens.php
8. ISACA - www.isaca.org
9. COBIT - www.isaca.org/cobit
10. HIPAA - http://www.hipaa.org/
