Auditing Conceptual Overview
Security auditing involves performing tests on an enterprise network to discover vulnerabilities, evaluate the network's security posture, or produce auditing metrics needed for regulatory compliance.
One source of audit data is interviews with organization personnel who have security or system administration responsibility on the network. Auditors will also request and examine documents provided to the audit team, to get a sense of the network architecture as well as policy and procedure. Vulnerability analysis software will be used during the audit, and a hands-on examination of the network will be performed. Results will be verified and then analyzed to determine vulnerability, risk level, and conformance to regulatory guidelines or industry standards. Audits often have as a goal, or as a desirable byproduct, stimulating independent and critical thinking about network security among the in-house technology staff.
Auditing Price-Point Considerations
Third-party security audits are a purchase on which a careful procurer can often save money. One way to do this is to identify the audit points needed for several assessment efforts up front, so that all of the data is collected at once. For example, if senior management has requested an independent briefing on risk, security management should consider obtaining audit data that can be reused for PCI compliance efforts or other regulatory compliance needs. Avoiding frequent duplication of effort saves time and money. Furthermore, much of the documentation needed for an audit can be prepared in house, presenting another opportunity to save. Lastly, any security manager is well advised to determine whether there are considerable gaps in the network security posture before commissioning an audit. Audits, after all, are performed on networks where there is a reasonable expectation of good security posture and regulatory compliance. If this is not the case, effort and resources are better spent achieving these two goals first.
Iron Shields Auditing Innovations
Iron Shields has a proprietary analysis method for examining which components of an audit can be reused during normal business processes, and which components of normal business processes can become part of the audit. Besides conserving company resources, this helps to ensure that the audit is minimally invasive.
Iron Shields has developed proprietary software that can produce audit report templates tailored to customer needs, often very quickly. This is helpful for clients who do not have an existing company audit report template, or who do not yet have a precise idea of what sort of report they want.
Iron Shields has access to "Tiger Team" resources and a trade secret process that allows us to seemingly achieve the impossible: an advanced rapid audit for emergencies in which you would risk missing an important deadline if a rapid audit were not performed. Although not for everyone, this audit produces reliable results, and it has in the past won Iron Shields accolades and given some customers the impression that we are miracle workers. We're not miracle workers—we're innovative.
Auditing Service Offerings
On many enterprise networks, computer engineers, and to a lesser extent regular users, enjoy some autonomy to install equipment on the network, especially where they believe the installed equipment will help them work better. Even where policies exist to discourage the connection of arbitrary devices, and those policies are enforced, users often feel that the rules don't apply to them. In many cases, engineers are able to sneak technology through the change management process, or circumvent change management entirely. Whether or not it was approved, such technology will need to be hardened in order to be resilient against the efforts of hackers. Typically, when Iron Shields audits a network, we will participate in the development of a patching strategy as well.
FISMA regulations apply not only to computer systems operated by the United States federal government, but also to networks operated on the government's behalf by third parties, and to networks contracted by the government to hold public data. Iron Shields is the Department of Commerce's top provider of NIST-800 auditing and regulatory compliance advice. We have experience with High-rated systems, including High-Sensitivity, High-Availability and High-Value systems, as well as network applications deemed of national critical importance.
Probably the most important service we offer is vulnerability analysis. With the possible exception of anti-malware efforts, no other single security service has such a substantial cost-benefit return.
Application administrators often welcome feedback on the security of the equipment they maintain. The ability to assess impact appropriately is, of course, key to making sure that vulnerability audit results are well received. Usually, when we perform a vulnerability analysis for you, we can accommodate requests for an overall security "health checkup." Customers who elect vulnerability analysis are often especially pleased with the audit results when they are combined with a risk assessment. During the audit, Iron Shields engineers will point out straightforward opportunities to improve your network security posture, and will be on hand to answer questions and participate in the development of a patching strategy.
Risk assessments are a good way for you to receive valuable information about how best to protect your network. They are also a good way for Iron Shields to demonstrate our considerable security capabilities, and to make sure that your security efforts are in line with a strategy for reducing your overall risk. Risk is the language in which management speaks with security officers, so you will want to be well informed in order to make a good impression when briefing senior management. The most dangerous risk to your network is the risk that you have not yet identified.
After you have received a risk assessment report, you will want advice on how best to reduce your risk and to make sure that changes to your network technology and changes to your threat level are balanced with your prevention efforts. Franklin's maxim, "an ounce of prevention is worth a pound of cure," certainly applies to network security. You should receive advice and assistance from consultants who understand security architecture and vulnerability assessment, to better prepare you to navigate the change management process.
Iron Shields is the number one provider of penetration assessments for Protiviti. We have performed hundreds of penetration tests on thousands of applications over the years, and our team has hundreds of years of combined penetration testing experience. No approach to cracking your network shall be deemed too sneaky: we staff our penetration testing team with creative thinkers who will give you the best information about how criminals will attempt to access your data or disrupt your operations. We continually profile the criminal underground and are thus able to account for the latest and most advanced techniques available to spies and criminals.
Structure of an Audit
During the first stage of an audit, auditors interview the personnel associated with the operation, management, and security of the applications and the network. Ideally, these interviews are conducted in an informal atmosphere so that the interview subjects are comfortable. Interview subjects may have some anxiety about the questions they will be asked, and it is important to put them at ease. It is part of the Iron Shields philosophy that interviews yield more complete and accurate data when the subjects are sufficiently relaxed. The aim is to keep the exchange of information flowing evenly, in an almost conversational tone. Although a meeting schedule will almost certainly be used to initiate the interview process, additional personnel will likely need to be brought in to address gaps in knowledge or availability.
During or after the interviews, auditors collect documents, often termed "artifacts," pertaining to the applications or the network. These artifacts may include network diagrams, system descriptions, policies, procedures, manuals, strategy guides, user subject materials, wikis, test results, logs, and the results of previous audit efforts. In short, a large body of information can be helpful to the auditors.
After the auditors have gained access to the artifacts, they develop and propose an assessment plan. Because many networks are largely unique in their layout and character, assessment plans will require some tailoring in most cases. Security management should then review and discuss the assessment plan with the auditors.
Once the plan has been ratified, the auditors begin executing it. Hands-on and automated testing of the network and applications will take place.
Testing will produce a volume of test data and scanner output, sometimes quite a large volume. This data must be compiled, verified, and then analyzed. Handing a spreadsheet of data over to a client without discussion or formatting is inconsistent with the Iron Shields auditing policy; rather, significant analysis will take place in order to deliver test results in the proper context.
Following analysis, the auditors will sometimes provide a preliminary briefing. Interview subjects and security managers alike will usually be anxious for some feedback. This preliminary briefing is central to giving you a good feeling about the auditing process overall. Security personnel of every kind, whether technical, analytical, operational, or managerial, typically want something of a "heads up" before senior management sees the audit results.
After the interview, a report will be prepared detailing the audit results and their associated analysis. While most security personnel get more out of the briefings than out of a written report, a written report is provided for completeness. The audit report may prove useful if security managers need to brief senior management at a later point in time, or if there is a "change of the guard" in security or management. Audit reports are also an important component of regulatory compliance, and will often form a core component of a system security plan or risk assessment report.
After the report has been prepared and distributed only to approved personnel, computers will be purged of unneeded data and superfluous copies of documents will be shredded. As a final step, the auditors will conduct an exit interview with any personnel interested in attending. This brings closure to the audit process and gives the audit team the chance to thank the audit participants for their effort.