When we say “IT security”, businesses run a mile - that just seems to be the way things work. Unfortunately, we know that, despite the heavy reliance placed upon technology in the digital age, safeguarding, protecting and developing your security efforts just seems like a step too far for a surprising number of businesses.
We were shocked at the findings of a recent Spiceworks survey, which revealed 62 per cent of IT professionals said their employer does not regularly carry out security audits. That translates to over half of businesses that are leaving themselves vulnerable to growing, and increasingly intelligent, threats. But why?
Whether it’s a lack of resourcing, limited knowledge or just general ignorance, we’re here to tell you that without regular security audits, your business could fail. So, here’s all the information you need on how to carry one out.
The truth is, no business really enjoys having an audit. In fact, even the word itself draws images of surprise inspections, and ultimately being criticised for your exposed IT weaknesses. But if you fail to do your duty as an IT professional, it’s you in the firing line if your business falls victim to a cyber security breach. Therefore, if you are responsible for data security, you should insist on regular audits.
Many businesses, such as those in the finance industry, are required to have external auditors to certify compliance with regulations, but that does not mean that those where this is not a legal requirement can realistically escape them.
Therefore, you need to bring the auditors in - but choosing the right ones can be a challenge in itself.
Before you begin your search for an audit firm, you should have a set of clear objectives in place, asking yourself ‘What do I want to get out of the audit?’. These objectives should be incredibly detailed. If there is a security breach in the system that was outside the scope of the audit, it could mean you did a poor job of defining your objectives.
For the sake of convenience, you could be tempted to rely on internal staff for your audit. However, we wouldn’t recommend it. Due to the complex nature of checking that operating systems and applications are securely configured, it really does pay to take on an external party.
Technical audits identify risks to the technology platform by reviewing both the policies and procedures in place, as well as network and system configurations. This job alone is one for security professionals.
During the process of looking for an auditor, consider the following factors:
There is a certain degree of common sense at work when it comes to an auditor’s assumptions, such as the fact that they will require access to certain data or staff throughout the process. However, once they are on board, do not assume that they will receive copies of policies or system configuration data - this needs to be spelled out in writing beforehand, and agreed by both sides.
It is also advisable to involve the business and IT unit managers of the audited systems as early as possible in the process, in order to ensure it progresses as quickly as possible.
There have been documented cases where respected auditing firms have requested copies of the system password and firewall configuration files to be emailed to them, but have been refused by the targeted organisations. This could have been avoided had the audited business been involved in the process from the start.
With this in mind, it is not surprising that the ground rules should be set well in advance.
Also involved in the preparation work is the need for you to provide the basic data and documentation required for the auditor to analyse the systems. While this can vary from business to business, and depending on the nature of the audit, it would typically include:
By this point, it may go without saying that the entire auditing process, then subsequent testing, should come as part of an overall plan. For this reason, it is essential to ensure the auditor details this plan up front, and then follows through.
Again, this needs to be as detailed as possible, and the auditor should begin by reviewing all relevant policies to determine the acceptable risks. They should check for any unauthorised implementations, including unidentified wireless networks, or unsanctioned use of remote access technology. They should then confirm whether the environment matches management’s inventory.
Often, auditors utilise security checklists to review any known security issues and guidelines for particular platforms utilised within a business. However, these are no substitute for platform expertise.
The auditor will make use of a vulnerability scanner to check operating systems and application patch levels against a database of reported vulnerabilities. Obviously, it is important that the scanner’s database is current, and that it checks for vulnerabilities in each target system. Most scanners carry out this task to an acceptable level, but results may vary with different products, and in different environments.
So, once the audit has been carried out, it is your chance to take a look at the report and judge whether or not it was carried out to an acceptable standard. If the findings follow a standard checklist that could be applicable to any organisation, it is arguable that you did not get your money’s worth. While some commercial vulnerability scanners have thorough reporting mechanisms, the auditor should prove their worth by interpreting these results based on your environment.
Any analysis carried out should reflect your organisation’s risks. Unfortunately, tools lack analytical insight and often reveal false positives. It is the people, not the tools, that should audit your systems. Have your IT staff review the findings and testing methods, and have them provide a written response.
The auditor’s analysis needs to follow established criteria, which are applied to your specific business requirements. It is this that will help you to determine the action you implement as a result, therefore it needs to be as detailed as possible.
The report should outline:
There are occasions when auditors fail to identify any significant vulnerabilities. However, rather than attempt to inflate trivial concerns, auditors should outline their testing methods in detail, and acknowledge a good security setup. You could ask them to highlight any areas that could be of concern in the future, or suggest security enhancements.
Yes, there is a lot to think about when it comes to a security audit. However, the benefits outweigh the effort considerably. Remember, the purpose of having an audit is to gain an accurate picture of your business’s security position, while providing recommendations for improving it.
By doing some vital homework - such as considering what you really want to find in an auditor - you can ensure the exercise delivers its numerous advantages, and by gaining the support of your own staff as the process takes place, you can rest assured that vital company information is safeguarded.