The challenge for Day Nine is – Discover the process and procedures around Security Auditing.
I’ve never performed a security audit, nor have I ever seen one done, but from the brief reading I’ve done for this challenge I can absolutely see the merit in doing a security audit for a company.
To put it very simply, a security audit is looking at how vulnerable a business (or part of a business) is to a cyber attack.
These can be conducted:
Externally – By an organisation independent of the business, often run by expert teams. These audits are incredibly thorough, but can be too expensive for small-to-medium sized businesses.
Having an independent party conduct the audit also has the benefit of being neutral from company politics or bias.
e.g. Every workstation gets inspected, even sweet little old Glenda from accounts – turns out Glenda had an incredibly weak password and if she hadn’t been advised about it could have leaked company information without knowing it.
Internally – having a team from within the company run a security audit can be considerably cheaper than an external audit, but their scope and findings may be limited.
These can be fit “around” other work, and might not be as thorough as an external audit. Auditors may find themselves in awkward situations and hesitate to report on it.
e.g. “Uh-oh, Jerry has been using his work PC to look at gambling websites – if I raise this, he could lose his job”
A positive knock-on effect from practising internal audits is that it can build a culture and awareness of security. For this reason it is a good idea to make sure that it isn’t just the same people running the same checks, this risks complacency and box-ticking. Involve the whole team over time so everyone has an idea of what to look out for – eliminate the “that’s not my job” factor.
Teresa from WeTest shared a great article she found about how to conduct an internal review following 5 steps/guidelines.
In case TLDR (but do read it as there’s much more detail than what I’m listing), the summary is:
- Define Your Audit – Identify what assets and areas you will test, and highlight the areas you won’t test with an explanation (time/money/expertise etc). E.g. company laptops x7, building security alarm, PABX, router and switches – won’t be attempting to test employees’ knowledge of security procedures as testing will be conducted outside of business hours.
- Define Your Threats – Define the kinds of attacks/vulnerabilities you are looking to exploit/uncover/expose. E.g. weak passwords, negligence (checking desks for “sticky note passwords”), DDoS
- Assess Current Security Performance – This is where you give your findings from the previous two steps, and explain them in such a way that all stakeholders involved in the audit can clearly understand.
- Prioritize (Risk Scoring) – Here you’ll rank your findings from the previous step in order of most important to address, to least.
- Formulate Security Solutions – The final step is to give recommendations on how to address the concerns you have highlighted in the previous steps.
I would probably add a 6th step in this to Record, Report and Review where you would organise a formal setting to explain your findings with stakeholders, keep a record of your findings as a baseline, then arrange a time to review the progress of the solutions and to run another audit to see if vulnerabilities still exist.
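As an added example (not from the post or the linked article), here is a small Python script that carries the scope, threat, risk-scoring and review steps through: findings tied to the scoped assets and threats, a likelihood × impact score to rank them, and a comparison against the previous audit’s baseline to show what is fixed, still open or new. The assets, threats, scale values and band thresholds are constructed for illustration and are not from any real audit.

```python
"""Risk scoring and re-audit comparison for a small internal security audit."""
from dataclasses import dataclass

# Constructed 3x3 scales; a real audit would agree these with stakeholders first.
LIKELIHOOD = {"rare": 1, "possible": 2, "likely": 3}
IMPACT = {"minor": 1, "moderate": 2, "severe": 3}


@dataclass(frozen=True)
class Finding:
    asset: str       # from the audit scope (Define Your Audit)
    threat: str      # from the threat list (Define Your Threats)
    likelihood: str
    impact: str

    def score(self) -> int:
        """Risk score = likelihood x impact (Prioritize / Risk Scoring)."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def risk_band(score: int) -> str:
    """Map a 1..9 score onto a band that non-technical stakeholders can read."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def prioritise(findings):
    """Highest score first; ties broken by asset name so the order is stable."""
    return sorted(findings, key=lambda f: (-f.score(), f.asset))


def compare_with_baseline(baseline, current):
    """Record/Review step: which findings are fixed, still open, or new."""
    base = {(f.asset, f.threat) for f in baseline}
    cur = {(f.asset, f.threat) for f in current}
    return {"fixed": sorted(base - cur), "still_open": sorted(base & cur), "new": sorted(cur - base)}


# Constructed sample findings, modelled on the scope and threats named in the post.
BASELINE = [
    Finding("laptop-03", "weak password", "likely", "severe"),
    Finding("accounts desk", "sticky-note password", "likely", "moderate"),
    Finding("router", "exposed to DDoS", "possible", "severe"),
    Finding("building alarm", "default installer code", "possible", "minor"),
]
FOLLOW_UP = [  # constructed results of the follow-up audit
    Finding("router", "exposed to DDoS", "possible", "severe"),
    Finding("PABX", "default admin password", "likely", "moderate"),
]

if __name__ == "__main__":
    for f in prioritise(BASELINE):
        print(f"{risk_band(f.score()):6} {f.score()}  {f.asset}: {f.threat}")
    print(compare_with_baseline(BASELINE, FOLLOW_UP))
```

Keeping each audit's findings as structured records, rather than only in a written report, is what makes the review step mechanical rather than a matter of memory.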
Thanks for reading my post and following my progress through the 30 Days of Security Testing.
Feel like joining in? Sign into the WeTest Slack group and get involved!