The ability to effectively and efficiently audit IT security has never been more important.
Whether internal or external, financial or operational, business or regulatory, audits are increasingly performed on IT controls and IT security. This increase is driven by the need to rely on internal controls, the requirement to effectively manage risk, and the role of the auditor in assessing compliance with regulations, policies, and standards.
The most common approaches to security auditing involve manual procedures and network-based scanning. Unfortunately, these are fraught with challenges and limitations and often create an undue burden on the auditor.
Manual procedures
Manual audit procedures for IT security are still fairly common. To some degree, manual procedures are unavoidable. They might include enquiries of administrators and other technical personnel regarding their practices for security, such as backups and system maintenance. However, they also often include procedures for checking the technical security of the system, such as reviewing system policy settings, looking at user and group accounts, and other procedures that could be automated.
The greatest problems with manual procedures are that they take considerable time to perform, often require significant technical expertise, are potentially prone to missing new vulnerabilities or threats, and rarely result in a thorough evaluation of system security. Automating as many audit procedures as possible should be the goal.
Scripts
Another common method of performing IT audits is the use of scripts to gather data from targeted systems. While this automates a significant piece of work - the gathering of data - it fails to perform the most important and often most time-consuming piece of work: the interpretation of the data and the identification of compliance exceptions and vulnerabilities. The manual analysis of data is highly prone to errors, leading to flawed audit reports or oversights of potentially high-risk exceptions.
Another significant challenge with using scripts to audit IT security is the required maintenance of those scripts. This requires technical expertise and time, both of which are often in short supply among security teams and other IT security personnel.
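As an added illustration (not code from the article or from NetIQ), the following script closes the gap described above: it takes a gathered snapshot of policy settings and local accounts and interprets it against a baseline, so compliance exceptions are identified automatically rather than by reading through the raw data. The hostname, snapshot values and baseline thresholds are all constructed samples.

```python
# Added example, not from the article: an audit check that both gathers a
# snapshot and interprets it against a baseline, so compliance exceptions
# are reported automatically. All values below are constructed samples.

SNAPSHOT = {
    "host": "fileserver01",
    "policy": {"min_password_length": 6, "max_password_age_days": 365,
               "lockout_threshold": 0, "audit_logon_events": "success"},
    "accounts": [
        {"name": "guest", "enabled": True, "last_logon_days": 900},
        {"name": "svc_backup", "enabled": True, "last_logon_days": 400},
        {"name": "jsmith", "enabled": True, "last_logon_days": 1},
        {"name": "old_temp", "enabled": False, "last_logon_days": 700},
    ],
}

# Hypothetical baseline the snapshot is judged against.
BASELINE = {"min_password_length": 12, "max_password_age_days": 90,
            "lockout_threshold": 5, "dormant_account_days": 90}


def evaluate(snapshot, baseline):
    """Return the compliance exceptions found in one gathered snapshot."""
    pol, host, findings = snapshot["policy"], snapshot["host"], []

    def add(control, detail, severity="medium"):
        findings.append({"host": host, "control": control,
                         "detail": detail, "severity": severity})

    if pol["min_password_length"] < baseline["min_password_length"]:
        add("password_length", f"minimum is {pol['min_password_length']}")
    if pol["max_password_age_days"] > baseline["max_password_age_days"]:
        add("password_age", f"maximum age is {pol['max_password_age_days']} days")
    # A threshold of 0 means lockout is switched off entirely.
    if not 0 < pol["lockout_threshold"] <= baseline["lockout_threshold"]:
        add("account_lockout", f"threshold is {pol['lockout_threshold']}", "high")
    if "failure" not in pol["audit_logon_events"]:
        add("logon_auditing", "failed logons are not audited", "high")
    for acct in snapshot["accounts"]:
        if not acct["enabled"]:
            continue  # disabled accounts are not a dormancy exception
        if acct["name"] == "guest":
            add("guest_account", "built-in guest account is enabled", "high")
        if acct["last_logon_days"] > baseline["dormant_account_days"]:
            add("dormant_account", f"{acct['name']} unused for {acct['last_logon_days']} days")
    return findings


if __name__ == "__main__":
    for f in evaluate(SNAPSHOT, BASELINE):
        print(f"{f['host']} [{f['severity']}] {f['control']}: {f['detail']}")
```

The same `evaluate` call can be run on a schedule against each host's snapshot, with the returned records stored for later reporting.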
Network vulnerability scanners
Network-based vulnerability scanning is a common practice in businesses today. Unfortunately, scanners are often unable to prove compliance with policies and standards and essentially present a 'hacker's view' of system security rather than an administrator's view. Network scanners can rarely determine if a system has already been compromised and often give inaccurate views of security. They are hindered by network-level controls such as firewalls and router ACLs and can only 'see' what they are allowed to see.
Network scanners often lack scalability and rarely support multiple simultaneous users in distinct roles. Most scanners are a single tier application, designed for use by a single user. Rolling out network scanning to distributed roles in the business is generally impossible.
They can also be dangerous to use. Since scanners are often capable of performing invasive or even disruptive tests, denial of service and corruption of services is possible. Users must be careful to restrict scans to only the safe tests.
Today, there are a number of solutions available to IT security professionals that automate the auditing process and provide a much more accurate view of an organisation's IT security and where potential weaknesses might be.
Key considerations when choosing an IT security auditing solution
Reducing workload
Any IT security auditing approach should be efficient, automating processes wherever possible and minimising the amount of manual procedures.
Compliance
Compliance with applicable policies and standards such as Sarbanes-Oxley and PCI-DSS is important in today's business. The approach should facilitate compliance by identifying exceptions from policies and standards.
Accuracy
IT security audits should provide a view from the inside out, so that it is clear where you have compliance exceptions and vulnerabilities.
Supporting continuous auditing
The solution should enable assessments to be scheduled on a recurring basis, performed during off hours, and hold the results and data securely for subsequent reporting and analysis.
Scaling securely
The solution should grow with the business and support the entire enterprise. This means the solution should work over large, distributed networks and should communicate and store data securely, so that the solution itself does not become a potential exposure.
Automation, prevention and remediation
Automation, prevention and remediation will provide another level of security maturity. Although new vulnerabilities and threats will always require investigation, it makes sense to automate your current security environment. In an ideal world, your security solution should provide you with the means to prevent or remediate any threats or vulnerabilities, but as a minimum you should be able to detect and report on these incidents.
By implementing a solution that automates the auditing process, IT security professionals can be freed up to perform more valuable tasks such as interpreting and reporting results, formulating recommendations, and moving on to the next audit.
Patrick Eijkenboom is the Principal IT security consultant at NetIQ Australia.