SANS Internet Storm Center

Tip of the Day: Audit
As the last in the series of tips of the day, I chose the subject Audit.

Audits might sound scary because they verify your work, but they really should not. They can be a great tool toward doing the right thing and catching (and correcting) errors before they escalate and become a problem. As a matter of fact, you can audit your own work, or do it as a team. We all know we struggle to find errors in our own work, while they are obvious when somebody else wrote it.

Audit yourself

You can do various audits yourself of your work:
  • Are backups actually able to be read?
  • Can we actually restore a backup of a system if we lose all its hard disks, or are we missing information?
  • Are the dates/sizes of system files on all our computers still the same? (A poor man's HIDS, but it can also detect failed patches, etc.)
  • Do logs from all our systems actually end up in our central log repository?
  • Did management acknowledge all incident reports you gave them? Were changes implemented as a result of the incidents?
  • Do we have blocklists? Do we update them regularly? Did we check whether they are still relevant?
  • Exposed scripts (e.g. cgi-bin Perl scripts)? Who reviewed them for security? Were they changed afterwards?
  • ...
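As an added worked example of the "poor man's HIDS" check in the list above (this is not code from the diary): record the size, modification time and SHA-256 of every file under a directory, store that baseline, and later report what changed, appeared or disappeared. The directory tree, file contents and the drift applied in demo() are constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def file_record(path: Path) -> dict:
    """Size, modification time and SHA-256 of one regular file."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = path.stat()
    return {"size": st.st_size, "mtime": int(st.st_mtime), "sha256": h.hexdigest()}

def build_baseline(root) -> dict:
    """Record every regular file under root, keyed by its POSIX path relative to root."""
    return {p.relative_to(root).as_posix(): file_record(p)
            for p in sorted(Path(root).rglob("*")) if p.is_file()}

def compare(baseline: dict, current: dict) -> dict:
    """Files whose record changed, files that appeared, and files that vanished."""
    return {
        "changed": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "missing": sorted(k for k in baseline if k not in current),
    }

def save_baseline(baseline: dict, path) -> None:
    # Keep the baseline off the audited host or on read-only media: if whoever changes
    # a file can also rewrite the baseline, the comparison proves nothing.
    Path(path).write_text(json.dumps(baseline, sort_keys=True, indent=1))

def load_baseline(path) -> dict:
    return json.loads(Path(path).read_text())

def demo() -> dict:
    """Constructed sample: baseline a tiny tree, let it drift, and re-check it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"
        (root / "cron.d").mkdir(parents=True)
        (root / "passwd").write_bytes(b"root:x:0:0:root:/root:/bin/sh\n")
        (root / "cron.d" / "backup").write_bytes(b"0 2 * * * root /usr/local/bin/backup\n")
        (root / "hosts").write_bytes(b"127.0.0.1 localhost\n")
        store = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), store)
        # Drift: one file edited without changing its size, one removed, one new.
        (root / "passwd").write_bytes(b"root:x:0:0:root:/root:/bin/zz\n")
        (root / "hosts").unlink()
        (root / "cron.d" / "cleanup").write_bytes(b"0 3 * * * root /usr/local/bin/cleanup\n")
        return compare(load_baseline(store), build_baseline(root))
```

Comparing size and mtime alone would miss the edited passwd in the sample, which is why the hash is part of each record.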

Internal Audits

Internal audits can go further:
  • Are all the users in our user database(s) still rightfully there? Does the list match what e.g. HR has as its list of employees/contractors? Are the other accounts still used interactively? Are they regularly re-confirmed as needed users? Do we have users that never log in?
  • Can we actually start a Disaster Recovery without touching the existing equipment and information?
  • Do people inside the company know where to find the security policies? Do they know the key content of the policies? When were they last reminded of the password policy? Are all our policies easy to read? Are all our policies short enough to be read in under 5 minutes?
  • Is the equipment we rely on to warn us about problems (availability, IDS, logs, ...) actually tested regularly? How are we sure?
  • Are policies overruled? Why? By whom? How often? Was it investigated? Did the policy change afterwards to fix the problem?
  • Where are incidents logged? What were the conclusions? Do people know of incidents that were not logged?
  • ...

External Audits

External audits should generally check the same things as internal audits, but independently. Still, they are valuable because they can give you the one magic bullet: management support. Typically this starts with regulatory and legal requirements, but they can check compliance with standards as well.
  • They can grant a seal of approval.
  • They can also audit those persons who are very hard to audit as an employee: the big chief. Does (s)he feel the policies do not apply to him/herself?
  • ...

Swa Frantzen -- Section 66

Aug 31st 2006