Security-Audit

 Technical Security Audit and Assessments

DISCLAIMER

  • This document contains unedited notes and has not been formally proofread.
  • The information provided in this document is intended to provide a basic understanding of certain technologies.
  • Please exercise caution when visiting or downloading from websites mentioned in this document and verify the safety of the website and software.
  • Some websites and software may be flagged as malware by antivirus programs.
  • The document is not intended to be a comprehensive guide and should not be relied upon as the sole source of information.
  • The document is not a substitute for professional advice or expert analysis and should not be used as such.
  • The document does not constitute an endorsement or recommendation of any particular technology, product, or service.
  • The reader assumes all responsibility for their use of the information contained in this document and any consequences that may arise.
  • The author disclaim any liability for any damages or losses that may result from the use of this document or the information contained therein.
  • The author reserve the right to update or change the information contained in this document at any time without prior notice.
  • Any attempts to perform penetration testing or ethical hacking on systems or networks should be done with the explicit permission of the system/network owner. Unauthorized access is illegal and can result in serious legal consequences.
  • It is important to fully understand the scope of the testing and to only test within that scope. Testing outside the agreed upon scope is considered unauthorized and may result in legal action.
  • Any findings or vulnerabilities discovered during testing should be reported to the system/network owner immediately and kept confidential until a fix can be implemented.
  • It is recommended to use a separate, dedicated testing environment rather than testing on a live production system to minimize the risk of accidentally causing damage or downtime.
  • It is important to take steps to protect your own identity and prevent accidental data leaks or exposure of sensitive information during testing.
  • It is also recommended to follow a standard code of ethics for ethical hacking and penetration testing.

References

  • ISO standards
  • Performing a Technical Security Audit and Assessment - LinkedIn 

Contents:

  • Overview
  • Security Assessment reviews
  • Identifying and analyzing Targets 
  • Planning Technical Security Assessments 
  • Executing the Technical security 
  • Post testing activities 
************************************************************************************************

Audit Life Cycle:

Audit = Reasonable assurance never 100%

Finding evidence, show effectiveness, assurance 
  • Audit Planning:
    • Audit Charter 
      • Objective
      • Expected outcomes 
  • Audit Plan 
      • The scope of the audit
      • The periodicity of the audit
    • Audit Selection
    • Audit Scheduling
  • Audit Execution:
    • Performing Audit
  • Audit Closure:
    • Reporting
  • Continual Improvement. 
    • Tracking non-conformance 
********************

Audit planning:

  • Scope selection:
    • Risk based approach: 

      • audit scope based on identified risk areas.

    • Project Phase Alignment: 

      • The audit scope aligns with the current project phase (e.g., initiation, execution, closure).

    • Addressing Past NC's: 

      • Based on the previous non-conformances and weaknesses

    • Meeting External Certification Requirements: 

      • The audit scope ensures compliance with external certification standards.

  • Audit Plan communication and review
    • Clear Communication: 

      • The finalized audit plan is effectively communicated to all stakeholders for review.

    • Approval Process: 

      • The audit plan undergoes a formal approval process.

    • Scheduling and Confirmation: 

      • Audit dates and auditee availability are reviewed and confirmed.

    • Finalized Schedule Published: 

      • The final audit schedule is published to all relevant parties.

Conducting Audit :

  • Pre-Audit Preparation
    • Status of previous Non-conformances, weakness and observations.
    • Offline data analysis, if required.
  • Conducting Audit
    • Interacting with Auditee
    • Gathering evidence based on the scope of the audit.
    •  Using defined checklist, processes 
  • Nc’s Communications
    • Agreeing with auditee the Non-conformances, weakness and observations if any.
    • If any, non agreement. Having internal meetings with relevant stakeholders, to arrive at a decision.
  • Audit Reporting 
    • Publishing the agreed upon NC’s, weakness and observations 
    • Publishing with the expected date of closure and responsible person for closure.
  • Risk tracker
    • Updating the risk tracker, based on the Audit findings  for any potential risks.
  • Continual Improvement
    • Tracking the NC’s, weakness and observations to closure.
    • Root cause analysis for the audit findings. 
    • Identifying any training, improvement plans based on the Audit findings. 
***************

Audit Preparation for external certification: 

(Timeline 6 months):
  • Assigning Single Points of Contact (SPOCs): 

    • Identify SPOCs for each project to ensure clear lines of communication and ownership.

  • Resource Risk Assessment: 

    • Evaluate the risk of key personnel leaving the organization before the audit.
    • Succession Planning: 
    • Identify backup resources to mitigate the risk of SPOC departure.

  • Tailored Project Training: 

    • Provide targeted training to team members based on their specific project roles and responsibilities.

  • Audit Gap Analysis and Readiness Review:
    • Conduct Gap Analysis: 

      • Identify any discrepancies between current practices and the external certification standards.

    • Develop RAG Status Report: 

      • Clearly communicate the findings of the gap analysis using a Red-Amber-Green (RAG) status system to indicate the severity of each gap.

    • Track Remediation Progress: 

      • Monitor the progress of closing identified gaps until all issues are resolved.
***************************************************************************

Technical Security Audit and Assessments Notes:

Overview:

  • To find security weakness and technical vulnerabilities
  • Determining the compliance with standards
  • Security assessment when conducted periodically - will give valuable insights on current security posture.
  • Periodic assessment will give results to compare and arrive at trends on security gaps.
Phases involved
Phases involved


Documentation:

  • Facilitates consistency
  • Reduces risk
  • Facilitated continual improvement
  • Helps new staff come up to speed
  • Security assessment is a living document

Conducting

  • reuse resources ,
  • spend less time scrambling,
  • reduce overall cost

Phases:-

  • Planning

    • Assets
    • Potential threats
    • Security controls in scope
    • Assessment viewpoint

      • External and Internal
      • External = outside org network

  • Execution

    • Identify and validate vulnerabilities

  • Post Execution

    • Identify root cause
    • Develop mitigation plan
    • Write report

      • NIST SP 800-53A, Assessing Security and Privacy controls and Open source Testing Methodology manual.

How to find out - How secure, the system and Networks are

  • Review.

    • Review techniques are often manual examinations of systems, applications, networks, policies, and procedures to ensure they meet minimum security requirements.
    • Firewall and switch rulesets
    • System config
    • Network sniffing
    • File integrity checking

  • Target Identification and analysis.
    • Automated tools conduct

      • Network discovery
      • Ports and service identification
      • Vulnerability scanning
      • Wireless scanning


  • Target vulnerability validation.

    • are used to confirm that any vulnerabilities identified in earlier testing are valid.
    • Password cracking
    • Penetration tests
    • Social Engineering


Testing View Point:

  • External = outside the org network and physical assets.

    • 3 Phases
      • Reconnaissance
      • Enumeration
      • testing

  • Internal
    • In the view of malicious insider, who has access and trying to escalate privileges 

  • Overt testing - white hat testing
  • Covert testing - black hat testing

    • Costly and time consuming

Security Assessment reviews:


  • Process of examining docs, sys files, networks to look for vulnerabilities & security gaps
  • Review tech
    • Documentation review

      • Requested docs - Security policy, standards, processes, procedures.
      • Security plans and configuration instructions.
      • Network architecture and diagrams.
      • Incident response plans
      • Evidence of third party testing or certifications.

        • Regulatory standards - HIPAA, PCI, ISO27001

      • Looking for outdated, missing or inaccurate info. 

    • log review,

      • Log review is determined if systems are adequately logging important security events and if the organization is following its own logging policies and standards.
      • Sys logs for acc changes
      • IDS/IPS logs or malicious acts
      • Firewall logs for outbound connections
      • Anti-malware logs for software failures
      • Patch logs for deployment failures
      • Backup system logs for backup failures
      • Tools used like - MS Log parser

    • ruleset review (Firewall rule sets),
      • Firewall actions

        • Permitting and routing packets
        • Denying packets
        • Logging traffic activity
        • Creating system events and alerts

      • SANS - firewall checklist

        • First - Filter rule sets
        • Sec - Permit rules
        • Finally - Deny rules

      • All firewall policy has corresponding rules
      • All rules still required
      • Unnecessary open ports - closed
      • Traffics doesn't escapes defense
      • Rules enforce least privilege access  
      • Tools

        • Algosec
        • Solar winds
        • 360-FAAR
    • system configuration review,

      • Is done to identify incorrect or missing sys settings 
      • Poor hardening

        • Configurations misaligned with Sec Standards

        • Weak passwords settings
        • Unmanaged services
        • Inadequate logging
        • Tools

          • checklists from the NIST National Checklist Program Repository or from the Center for Internet Security
          • CISCAP tool
          • Nexpose
          • Tenable Security center

    • network sniffing,

      • Collect and review information
      • Discover active devices
      • Identity systems and services
      • Uncover potential security vulnerabilities
      • Tools

        • Dsniff
        • Ettercap
        • Wireshark
        • Kismet
        • Tcpdump
        • Libpcap

    • File integrity checking.

      • File that should change only under authorized chain.

        • E.g: accounting ledger programs should only be changed by the authorized personnel from accounting.

      • Malicious activities - can delete certain files and replace the existing ones - 

        • system or configuration file to gain privileges access.

      • Best way to check the file integrity using the hash values of the files.

        • HASH values will change even if a single character is changed in the file, thus change in hash values results that the two files are different or changes are made.

      • Hashing Tools

        • Aide
        • Rootkit Hunger
        • Samhain
        • Tripwire

      • Host-based intrusion detection systems, or HIDs, such as OSSEC
      • Files to monitor
        • Key system files

          • Configuration files
          • Windows registry

        • Sensitive information classified files
        • Rarely change

          • Static web pages

      • If an important file changes during their assessment without proper permission and without telling system or security administrators, that could be a problem. File integrity checks help organizations keep an eye on the security of their most important files.

    • How exposed is your organization is to data loss due to human error on a set of database systems

      • What to look for

        • Security Controls

          • Org require and enforce least privileges
          • Who all have access to the database servers
          • How frequent is the data back up done

            • Are data backup is adequate in event of data loss

        • Documentation review

          • policies , standards, guidelines

        • Log reviews

          • Who access the database
          • Who modified

        • Ruleset reviews

          • Critical systems needs to be isolated from main network
          • DMZ zone

        • System configuration review

          • Correct set of controls configured

        • Regular database integrity reviews

Identifying and analyzing Targets:-

  • To determine which systems and devices are available on the network

    • Asset inventories
    • Network diagrams

  • After identifying next steps involves testing 
  • Techniques used for identifying

    • Conducting network discovery

      • Purpose and functions of network devices - Need knowledge on TCP/IP 
      • IP addressing and subnetting 
      • Network scanners

    • Identifying network ports and services 

      • Ports and services workflow 
      • Common ports and services
      • Port and service scanning tools

    • Scanning for vulnerabilities 

      • Protocols and system misconfigurations 
      • Vulnerability scanning tools 

        • OpenVAS

    • Scanning wireless network. 

      • Wifi tech and protocols 

        • Wifi protected access, WPA

      • Wireless scanning tools

    • Conduct network discovery

    • Active

      • ISMP or echo request or ping
      • Faster than passive
      • Sometime noisy and creates traffic 

        • Can slow down network
        • Cause a denial of service

      • Communicate in advance for running active n/w discovery

    • Passive 
      • Network sniffing tools 

        • Wireshark - captures open ports, operating systems of devices 

      • Sniffer 

        • Placed in the network, where it captures the network traffic. 

      • Stealthy

        • No detection of devices that aren't active

    • Network discovery Tool

      • Network miner 
      • Nmap

    • Identify network ports and services

      • E.g - Port 80 = HTTP = Active yes = likely Apache/ Microsoft IIS
      • To identify

        • Operating systems
        • Functions - web server / FTP server 
        • Security vulnerabilities on ports & services 

    • OS fingerprinting 

      • Port = 111 = likely OS = Unix or Linux
      • Port = 135, 139, 445 = likely OS  = windows 
      • Tool

        • Legion

    • Scan devices for vulnerabilities

      • Scan to find outdated software, 
      • missing patches 
      • Missing configurations
      • Used to validate system compliance with internal security configurations. 
      • Vulnerability scanners require Admin privileges to run and perform scanning. 
      • Types of scanning

        • Local Vulnerability scanning 
        • Network vulnerability scanning 

      • Tools

        • GVM 

Planning Technical Security Assessments

  • Security Assessment Policy 

    • Vulnerability assessment policy
    • Risk assessment policy
    • Risk management policy 

  • Guidance for Sec Assess

    • Frequency
    • Sec std the org should comply with.
    • Network and Systems in scope
    • Documentation and reporting requirements 

  • Roles and responsibilities

    • Who conducts audit
    • Who receives the final reports 
    • Who is responsible for remediation 

  • Effective policy 

    • Approved by relevant stakeholders 
    • Communicated to staff and 3rd parties
    • Review and update periodically. 

  • Prioritize and schedule
    • Define objectives 

      • Quarterly assess & Standards - 27001

    • Scopes

      • All systems or sub-set of systems 

    • System priority 

      • Systems impact ratings 
      • Assessment time - overdue
      • Scheduling constraints 
      • Technical consideration - significant vulnerabilities 

    • Frequent requirements

      • Quarterly or annually 

    • Resource availability 

      • Qualified staff
      • Organizational IT staff 
      • Testing equipments 

    • Size and complexity 
  • Choosing Techniques

      • Assessment objectives 
      • Testing view point
      • Resource availability 
      • Technique risk 

    • Perspective 

      • Covert = social engg.
      • Overt = log reviews 
      • Test external facing systems

    • E.g Compliance with 27001 std

      • Document reviews
      • Ruleset and security configuration reviews 
      • Network discovery and vulnerability scanning
      • Wireless scanning
      • Penetration test with social engineering 

    • Select the Assessors
      • Technical security assessors

        • Strong IT understanding- n/w, OS, firewalls 
        • Latest security threats 

    • Assessment leads

      • Experience in leading audits
      • Communication skills
      • Project Management skills

    • Internal Assessors

      • Part of ITr security of internal audit
      • Conduct assessment in accordance with policies 
      • Analyze results
      • Recommend mitigation for security gaps
      • Retest if necessary 

    • Third party / External Assessors

      • Vetted prior to process
      • Sign NDA

  • Selecting locations

      • Internal testing from any part of the network
      • External testing - outside the org n/w 
      • Right privilege access for internal testing

  •  Select tools and resources 

      • Third party assessors - laptop with capabilities
      • Internal assessors - local desktop 

  • Develop assessment plan

      • Type and objective
      • Systems and network in scope
      • Time frame
      • Security controls
      • Testing techniques
      • Sensitive data handling
      • Organizational risk
      • Completeness criteria 
      • IP addresses and MAc address 
      • How to handle incidents 
      • How to handle a security breach 

  • E.g. Security Assessment methodology 

    • For external Covert test

      • How data will be gathered 

        • To conduct assessment, scripts and software tools will be used to run the following tests against the in-scope systems

          • Network discovery to find unknown or rouge systems
          • Port and service discovery to identify OS and potential vulnerabilities 

        • Will attempt to exploit any known exploitable vulnerabilities

      • How security controls will be tested

        • Testing will be conducted during business hrs to give incident response team maximum opportunity to detect and respond 
        • The response or lack of response will be noted as part of results
        • Keeping tech support alert in due to failure of systems during testing
        • No DOS attack will be carried out

      • When testing will be conducted

        • After testing is concluded, analyze any vulnerabilities found
        • Determine the root cause
        • The mitigation plan and recommendation will be identified

      • All findings, results, and test conduct are recorded in the final report and published with relevant stakeholders.
      • Legal requirements 

        • Limitation of liability
        • NDA
        • Privacy requirements
        • Data handling req

Executing the Technical security 

  • Coordinating the assessments 

    • All key stakeholders are aware
    • Assessors have privileges and access
    • Higher management informed 
    • Communication in all stages to key stakeholders

  • Conduct assessments 
    • Some risk 

      • Systems outage
      • Security attack can be discovered 
      • High severity vulnerability found mid-way 

    • Standard escalation procedures to be followed in occurrence of these risks. 

    • Some roadblocks 

      • Resistance from staff
      • An unrealistic assessment plan not complied within budget or timeline. 

  • Conduct analysis

    • False positives 
    • Found vulnerabilities are validated by manually on the each systems 
    • Validated vulnerabilities are categories 

      • Severity of risk
      • Control families - NIST 800-53

    • Finding Root cause
      • Common root cause found

        • Patch management
        • Anti-malware controls
        • Infrequent signature updates
        • Policies and standards 

  • Data Handling

    • HIghly sensitive data 

      • Assessment plans and rules of engagement
      • Configurations and network documentations 
      • Results for testing tools 
      • Assessments findings and reports
      • Remediation recommendations 

    • Data lifecycle phases

      • Creations, collection or receipt
      • access , use or reuse
      • Transmission 
      • Storage
      • Disposal 

    • Assessment data stored in encrypted form

Post testing activities 

  • Recommended Mitigations

    • Are reviewed and accepted

  • Finally Report the results
    • Final Report

      • Describe why and how testing is done
      • Vulnerabilities of system, network, and remediations recommendations

  • Implementation of remediation and mitigations

    • Who is responsible for implementing the mitigation plans
    • Remediation steps

      • Test
      • Coordinate
      • Implement and validate
      • Report closure

        • What implemented and validated

  • Modification applied to test systems
  • Then moved to production systems


This is end of the conducting technical security assessments. 

*********************************************************************************************************

search keyword: Security Audit, GRC, Governance, Risk, Compliance, Quality Management

Comments

Post a Comment

Popular Posts

Marriage Registration Online steps [Tamil Nadu]

Marriage Registration Online 1. Hindu Marriage Act 2. TamilNadu Marriage Act Steps To follow 1. Log into :-> https://tnreginet.gov.in/portal/  2. Click on "User Registration"   under " LOGIN " section 3. Now Login with UserID & Password  Hindu Marriage Registration 4. After Log in then select  Home > Marriage Registration > Hindu Marriage Registration 5. Fill in the details     1. Husband details           A.  Details Must be know - District, Taluk, Village and then f rom Drop down select the " street name "         B . if any of the parent is not alive mark the same and produce the death certificate while submitting the application in-person.      2. Wife Details          A. same as above, have all the information to fill in details 3. Witness Options 4. Other Details 5. Proof Details: for Husband & Wife  Home > Draft Listing T...
Read more

Plagiarism

Image
Plagiarism      Plagiarism score or similarity score is obtained by the tool ( Turnitin ) to check,  whether the  s ubmitted documents contains any copied & pasted as it is from any sources. The plagiarism is  used to check the similarity of the phrases and sentence that are used in the document are they copied as it is and used in the  report. Even when the credit is provided for referencing these source under the reference section. One must use the quotations to use the same sentence or phrases, that are copied & pasted in the document. When the filter is applied to ignore the quoted sentenced, these are ignored by the tool to obtain the similarity score.       The image below displays an example of a plagiarism or similarity score, which is obtained by Turnitin, a tool used to check whether submitted documents contain any copied and pasted content from other sources. The similarity score indicates how similar th...
Read more

HOME LAB : HANDS-ON

Image
HOME LAB : HANDS-ON Disclaimer Home LAB Home Assistant on OMV Container in Raspberry Pi https://www.gouti1454.com/p/homeassistant.html Installing Home Assistant on Docker using OMV Compose, along with Portainer, Jellyfin, and MQTT. Here’s the breakdown: Home Assistant on OMV Compose Setting up MQTT and connected it to Home Assistant HomePage with Docker Compose https://www.gouti1454.com/p/homepage-docker.html Setting Up HomePage with Docker Compose Key things to get right, While installing  HomePage Docker:  Best Practices for Docker Compose: Widgets Configuration: Common Errors & Fixes: Lamma AI https://www.gouti1454.com/p/llama-ai.html This post covers some useful tips and tricks for extracting YouTube transcripts and using the Fabric framework. The topics include: ...
Read more