Why Run Network Security Audits?
In modern business environments that rely heavily on information technology, the network security audit or assessment is a vital component of network maintenance. A network security consultant will often perform an audit as the first stage of an engagement with a business. Beyond that foundation-building audit, however, a business must also assess its network on a regular basis, because configurations drift and new vulnerabilities appear between audits, and only a fresh assessment shows the current security posture.
Whether the internal IT department performs the network security audit or a network security consultant does, this is a fundamental network task. Many of the design decisions a company makes afterwards rest on a detailed analysis of the information the audit gathers.
The Core Focus of a Network Security Assessment
- Identify and evaluate assets
- Determine the threats that those assets are exposed to
- Determine the necessary measures to protect against those threats
The goal of the IT department or the network security consultant is to perform the evaluation without disrupting normal business. For this reason, the auditors often perform much of the network security assessment outside normal business hours. That is not always possible, however, because some components can only be properly evaluated while the business is operating normally. Scanning and exploitation attempts can also crash fragile systems at any hour, so the scope, timing, and emergency contacts should be agreed in writing before testing begins.
Auditors will often break the network security assessment into areas or components. Breaking the task into smaller, more manageable pieces lets the auditors perform the assessment more effectively. These components vary greatly from one business to the next, but here is a list of the most common areas:
- External resources
- Mobile security
- Network architecture
- Physical security
- Remote access
- Routers, hubs, and firewalls
- Server equipment and configuration
- Social engineering
- Virtual infrastructure
- Virtual private networks (VPNs)
- VoIP security
- War dialing
- Wireless security
- Workstations using Microsoft Windows
- Workstations using UNIX environments
That general list of categories will look quite different once the auditing team tailors it to the business' particular needs and network.
Once the auditors have itemized these areas of focus, they put each of them through a series of auditing phases. The first phase is footprint analysis and information gathering. The second is vulnerability scanning and assessment from an external posture, and the third is penetration testing from an internal one. The fourth phase is manual verification of the vulnerabilities found, and the auditors conclude the assessment with vulnerability analysis.
Phase I – Footprint Analysis & Information Gathering
During this initial phase, auditors inventory the entire network, both physically and logically. The physical inventory covers hardware and the software installed on it, including software licenses. The logical inventory covers hosts, running services and processes, domain names, IP network ranges, and so on. The goal of this stage is a detailed blueprint of the network and a comprehensive security profile. This information serves as the basis for the remaining phases of the assessment, so an asset the auditors miss here is an asset that never gets tested.
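One concrete footprinting check is to reconcile the hostnames that resolve in DNS against the IP ranges the business claims to own: a name that resolves to an address outside every declared range is an asset nobody told the auditors about, and a declared range with no hosts in it may be stale. The following Python example is added here to illustrate that check; it is not code from the original article. The address ranges and DNS records are constructed sample data (RFC 5737 documentation addresses), and in a real engagement they would come from the business' records and from DNS enumeration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample inputs (not from the original article): the address
# ranges the business says it owns, and DNS records gathered during footprinting.
DECLARED_RANGES = ["203.0.113.0/24", "198.51.100.0/26", "192.0.2.128/25"]
DNS_RECORDS = [
    ("www.example.com", "203.0.113.10"),
    ("old.example.com", "203.0.113.10"),   # a second name on the same host
    ("mail.example.com", "203.0.113.25"),
    ("vpn.example.com", "198.51.100.5"),
    ("dev.example.com", "192.0.2.77"),     # resolves outside every declared range
]


def build_footprint(declared_ranges, dns_records):
    """Reconcile resolved hostnames against the declared address space.

    Returns (hosts_by_ip, unknown_hosts, unused_ranges):
      hosts_by_ip   - in-scope address -> sorted hostnames (one inventory entry per host)
      unknown_hosts - address outside every declared range -> sorted hostnames
      unused_ranges - declared ranges in which no hostname resolved at all
    """
    # strict=True rejects a range with host bits set, e.g. "203.0.113.5/24",
    # which usually means a typo in the business' own records.
    networks = [ipaddress.ip_network(r, strict=True) for r in declared_ranges]
    hosts_by_ip, unknown_hosts = defaultdict(set), defaultdict(set)
    seen_networks = set()
    for name, addr in dns_records:
        ip = ipaddress.ip_address(addr)
        owner = next((n for n in networks if ip in n), None)
        if owner is None:
            unknown_hosts[str(ip)].add(name)
        else:
            hosts_by_ip[str(ip)].add(name)
            seen_networks.add(owner)
    unused_ranges = [str(n) for n in networks if n not in seen_networks]

    def as_sorted_dict(d):
        return {ip: sorted(names) for ip, names in sorted(d.items())}

    return as_sorted_dict(hosts_by_ip), as_sorted_dict(unknown_hosts), unused_ranges


if __name__ == "__main__":
    hosts, unknown, unused = build_footprint(DECLARED_RANGES, DNS_RECORDS)
    for ip, names in hosts.items():
        print(f"in scope   {ip:<15} {', '.join(names)}")
    for ip, names in unknown.items():
        print(f"UNKNOWN    {ip:<15} {', '.join(names)}  <- not in any declared range")
    for net in unused:
        print(f"unused     {net}  <- declared but no host resolved into it")
```

Both anomaly lists feed the next phases directly: an unknown host must be added to scope (or explicitly excluded) before scanning begins, and an unused range is a question for the business rather than something to quietly drop from the blueprint.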
Phase II – Vulnerability Scanning & Assessment
At this stage, the auditors use the network blueprint and security profile to scan and “attack” the network from an external posture, the view an Internet-based attacker has. Scanning enumerates the exposed hosts, services, and software versions and matches them against known weaknesses; the assessment then tries to penetrate the vulnerable parts of the system to show what sensitive data an attacker could actually reach. This is not a Hollywood-style hacker assault, but rather the patient chaining of low-severity vulnerabilities that allows a skilled technician to achieve high-level access.
Phase III – Penetration Testing & Assessment
Penetration testing and assessment is very much like Phase II except that the network is attacked from the inside rather than the outside, from the position of an employee, a contractor, or malware running on a workstation. Once again, the auditors chain low-level vulnerabilities to acquire high-level access. There are generally more small vulnerabilities visible from an internal perspective, because most networks are hardened at the perimeter and far less so within. Auditors must thoroughly challenge the internal defenses, because many of the most severe compromises are carried out from a foothold inside the network once an attacker has gotten past the perimeter.
Internal attacks are not always malicious attempts by employees. Often the attacker gets inside through malware delivered as an e-mail attachment or on a USB flash stick plugged into a workstation. The task, therefore, is to scrutinize every entry point for weakness, and to ensure that a compromise inside the network cannot undermine the confidentiality, integrity, or availability of the system.
Phase IV – Manual Vulnerability & Penetration Verification
In the fourth stage, the auditors manually investigate each vulnerability reported during the previous stages, including scanner findings that were never exploited. The goal is to weed out false positives, so that the business does not waste resources fixing problems it does not have; a scanner that infers a version from a service banner will often flag a service whose vendor has backported the fix without changing the banner. Beyond verifying the vulnerabilities themselves, the inspection often extends to confirming the identity of equipment and software so that no avenue is left unexamined.
Phase V – Vulnerability Analysis
Now that the auditors have identified and verified the vulnerabilities, they perform an in-depth analysis of all the assembled data. The goal here is to identify systemic causes, such as a missing patch process rather than fifty individually unpatched hosts, and then to formulate a plan to remedy each cause. These plans are the basis of the strategic recommendations that they bring before the business' executives.
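Phases II through V form a pipeline: scan results become findings, findings are verified by hand, and verified findings are rolled up by root cause. The following Python example is added to show that pipeline end to end on a small data set; it is not code from the original article. The scan output is constructed sample text in nmap's grepable (`-oG`) format, the “baseline rules” are an illustrative policy (which service versions the business has approved) rather than a vulnerability database, and the manually captured banners stand in for the Phase IV checks an auditor would perform by connecting to each service.

```python
import re
from collections import defaultdict

# Constructed nmap grepable (-oG) output for three hosts. Sample data, not a
# real scan and not from the original article. Fields are tab-separated and
# each port entry reads port/state/proto/owner/service/rpcinfo/version/.
SCAN_OUTPUT = (
    "# Nmap 7.94 scan initiated (constructed sample)\n"
    "Host: 203.0.113.10 (www.example.com)\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, "
    "80/open/tcp//http//Apache httpd 2.4.6/\tIgnored State: closed (998)\n"
    "Host: 203.0.113.25 (mail.example.com)\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, "
    "25/open/tcp//smtp//Postfix smtpd/\tIgnored State: closed (998)\n"
    "Host: 203.0.113.40 ()\tPorts: 23/open/tcp//telnet//Linux telnetd/, "
    "22/filtered/tcp//ssh///\tIgnored State: closed (998)\n"
    "# Nmap done (constructed sample)\n"
)

# Illustrative baseline rules (constructed; this is the business' approved
# configuration, not a vulnerability database):
# (service name, regex the version or banner must match, finding, systemic cause)
BASELINE_RULES = [
    ("ssh", r"OpenSSH[ _]7\.", "SSH server below approved baseline", "patch management"),
    ("http", r"Apache httpd 2\.4\.6", "web server below approved baseline", "patch management"),
    ("telnet", r"", "cleartext remote administration", "legacy services not decommissioned"),
]

# Phase IV input: banners an auditor captured by hand, keyed by (ip, port).
# Constructed sample; the mail host turns out to run a newer OpenSSH than the
# scanner's version guess claimed, so that finding is a false positive.
MANUAL_BANNERS = {
    ("203.0.113.10", 22): "SSH-2.0-OpenSSH_7.4",
    ("203.0.113.25", 22): "SSH-2.0-OpenSSH_9.3",
    ("203.0.113.40", 23): "login:",
}

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")


def parse_grepable(text):
    """Parse nmap -oG host lines into one record per (host, port)."""
    records = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m or "Ports:" not in line:
            continue  # comment lines and hosts with no port information
        ip, hostname = m.group(1), m.group(2)
        ports_field = next(f for f in line.split("\t") if f.startswith("Ports: "))
        for entry in ports_field[len("Ports: "):].split(", "):
            parts = entry.split("/")
            records.append({
                "ip": ip, "hostname": hostname, "port": int(parts[0]),
                "state": parts[1], "proto": parts[2],
                "service": parts[4], "version": parts[6],
            })
    return records


def scan_findings(records, rules):
    """Phases II/III: flag open ports whose service and version match a rule."""
    findings = []
    for r in records:
        if r["state"] != "open":
            continue  # filtered/closed ports are not exposed services
        for service, pattern, finding, cause in rules:
            if r["service"] == service and re.search(pattern, r["version"]):
                findings.append({**r, "finding": finding, "cause": cause, "pattern": pattern})
    return findings


def verify_findings(findings, manual_banners):
    """Phase IV: re-check each finding against a manually captured banner."""
    for f in findings:
        banner = manual_banners.get((f["ip"], f["port"]))
        if banner is None:
            f["status"] = "unverified"
        elif re.search(f["pattern"], banner):
            f["status"] = "confirmed"
        else:
            f["status"] = "false positive"
    return findings


def group_by_cause(findings):
    """Phase V: roll confirmed findings up by systemic cause."""
    grouped = defaultdict(list)
    for f in findings:
        if f["status"] == "confirmed":
            grouped[f["cause"]].append(f"{f['ip']}:{f['port']}")
    return {cause: sorted(hosts) for cause, hosts in grouped.items()}


def run_assessment(scan_text=SCAN_OUTPUT, rules=BASELINE_RULES, manual=MANUAL_BANNERS):
    findings = verify_findings(scan_findings(parse_grepable(scan_text), rules), manual)
    return findings, group_by_cause(findings)


if __name__ == "__main__":
    findings, grouped = run_assessment()
    for f in findings:
        print(f"{f['ip']}:{f['port']:<5} {f['service']:<7} {f['status']:<15} {f['finding']}")
    for cause, hosts in grouped.items():
        print(f"root cause: {cause} -> {', '.join(hosts)}")
```

Only confirmed findings are rolled up into the root-cause report; an unverified finding (here, the web server nobody re-checked by hand) is a gap in Phase IV, not evidence, and a false positive is dropped rather than handed to the business as work.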
Once the auditors have completed their assessment, the IT department or the consultants work alongside the executives to fix the problem areas. Once the vulnerabilities have been rectified, the business can turn its attention to upgrading or transitioning the network.
Security audits and assessments are not one-time events. They remain an important part of regular network maintenance, and a regular assessment typically examines the network more broadly than the initial one does.
Additional Areas of Focus Included in Regular Network Security Audits:
- Asset management and classification
- Business continuity management
- Environmental and physical security
- Human resources security
- Incident management
- Information security
- Information systems
- Internal policy compliance
- Legal compliance
- Operations management
- Security access controls
- Security organization and personnel
- Security policy and process
Network security audits and assessments are an integral part of maintaining a healthy and secure network. This is no longer the domain of large corporations alone; many small businesses now schedule an audit at least once a year.
There are many network security consulting firms dedicated to small businesses that specialize in performing these network security audits. Check the Internet for local providers.