Montclair CMPT 495 - Understanding the Information Security Audit


Pat Trueman Page 3 12/21/2005

The auditors are coming! The auditors are coming! Those of you working in the environment know those words bring fear. Management preparation for an audit often amounts to: do not tell and do not show anything unless you have to. Is a security audit out to prove incompetence, or is it an opportunity to see beyond the day-to-day operations and really confirm that your information security system is secure?

What are auditors looking for?

A computer security audit is a systematic, measurable technical assessment of how the organization's security policy is employed at a specific site. Computer security auditors work with the full knowledge of the organization, at times with considerable inside information, in order to understand the resources to be audited. Security audits provide a fair and measurable evaluation of how secure a site really is. An audit can be anything from a full-scale analysis of business practices to a sysadmin monitoring log files. The scope of an audit depends on the goals. It is most productive to define the scope of the audit in order to stay focused and understand the deliverables in terms of what's in it for you. Audits should always provide a guideline or framework for improvement in your system.

Computer security auditors perform their work through personal interviews, vulnerability scans, examination of operating system settings, analyses of network shares, and historical data. Quite often, security policy, which is a very effective foundation of a security strategy, is written in an administrative vacuum, and auditors attempt to verify how that policy is actually implemented.

System Audit (also called a Process Audit): can be narrowly focused and conducted for any activity. Security audits are usually made against a specific document such as an operating procedure, work instruction, training manual, etc.

Auditors can also test for software functionality. Software packages that are written to perform vulnerability tests, event management, network traffic monitoring, etc. are often sold by salesmen with a slick approach: PowerPoint presentations, testimonials, lunches and gifts. If software is not tested for functionality and for everything that is advertised, you might think you have an effective product when in fact particular features are not included in the purchased release, or the performance metrics provided by the vendor do not account for real network traffic. Purchasing decisions that are made without a prior evaluation or pilot testing can leave your system vulnerable. (1)

Auditors will have lots of questions and some attitude. Don't forget, auditors are not always treated as welcome guests; they are extra work in an already crowded schedule. They come with questions that may seem judgmental or confrontational; it is their job to look under the rocks. Some questions an auditor may ask:

• ‘Are passwords difficult to crack? Are access control lists in place and up to date?
• Are there access control lists (ACLs) in place on network devices to control who has access to shared data?
• Are there audit logs to record who accesses data?
• Are the audit logs reviewed?
• Are the security settings for operating systems in accordance with accepted industry security practices?
• Have all unnecessary applications and computer services been eliminated for each system?
• Are these operating systems and commercial applications patched to current levels?
• How is backup media stored? Who has access to it? Is it up-to-date?
• Is there a disaster recovery plan? Have the participants and stakeholders ever rehearsed the disaster recovery plan?
• Are there adequate cryptographic tools in place to govern data encryption, and have these tools been properly configured?
• Have custom-built applications been written with security in mind?
• How have these custom applications been tested for security flaws?
• How are configuration and code changes documented at every level? How are these records reviewed and who conducts the review?’ (2)

Documentation is the key to explaining how your security program works. The auditors will use this documentation as a guide for reviewing and measuring your security program. Common audit documents describe the system, security policies, operational procedures, network and system diagrams, process charts, change control procedures, process definitions, security scans/reports, test results and, of course, logs. If your organization has been audited in the past, you probably already have most of the information and materials you need. But they will likely need updating, since no two audits are exactly alike, especially if you're switching auditors.

It is recommended to set up an audit team. The team can present the documentation and walk the auditors through the system before the audit begins. Team members can guide auditors physically to areas to conduct interviews, be available to grant and remove system access, and decipher and/or clarify perceptions on the spot. Sharing the responsibility allows team members to have time for other work and a break from the process. This creates an atmosphere of collaboration, clarifying for you where your system needs improvement. The auditors are a second set of eyes, looking at your policies, infrastructure and practices and verifying the areas in which you're doing well and those that need work. Most importantly, they tell you how well you're complying with standards and regulations. (3)

Penetration testing: Practical or too Risky

Penetration testing is the method used to simulate an internal or external attack on your environment.

