 Republic of Tunisia
Ministry of Information and Communication Technologies
A security audit consists in validating the protection measures implemented at the organizational, procedural and technical levels against the security policy, by calling on a trusted third party with expertise in computer security auditing. Beyond that assessment, the security audit analyses the operational risk of the area under study and then proposes recommendations and a plan of quantified and prioritized actions to correct vulnerabilities and reduce risk exposure. The team involved in an audit mission must be composed of consultants and engineers who are experts in their fields; it is always headed by a project manager, who is responsible for operations and deliverables.
Organizational security audit
The objective of an organizational security audit is to establish a complete inventory and a target security level for the entire information system at the organizational, procedural and technological levels.
This phase may cover the general organization of security (rules, procedures, personnel), physical security of premises (fire protection, access control, backup and archiving), operation and management (data backup and archiving, continuity of service, logging), networks and telecoms (equipment such as routers, modems and PABXs, logical access control, and transmission lines), systems (workstations, servers, base software, antivirus solution) and applications (development methods, testing procedures, maintenance, etc.).
During meetings held within the audited organization, the auditor defines the scope of the audit and the people to be interviewed, and plans the interventions.
To carry out this phase, the auditor applies a "formal" risk analysis methodology (Marion, Mehari, Melisa, Ebios, etc.); these methods may be adapted to the needs of the organization, or an appropriate personalized and simplified approach may be followed.
The assessment of the security level is derived from the interviews conducted and from the analysis of the critical resources and of the materials provided.
The vulnerabilities identified in the previous stages are matched against the threats that may arise, in the context of the technical and functional audit.
Reducing risk comes down either to acting on the vulnerabilities, or to trying to reduce the impact of the exploitation of a vulnerability by a threat, according to the formula: Risk = Threat * Vulnerability * Impact.
After this phase, the auditor provides recommendations for the establishment of organizational measures and an adequate security policy; this can also take the form of a presentation summarizing the mission, with the objective of raising awareness of the risks and of the potential measures to implement.
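The following is an added illustration of how the formula Risk = Threat * Vulnerability * Impact turns a list of findings into the quantified and prioritized action plan described above; it is not code from this page or from ANSI. The findings, the 1..5 scoring scale and the names Finding, Measure and action_plan are all assumptions of this example, and each finding carries two candidate measures so that the two risk-reduction routes (acting on the vulnerability, reducing the impact) can be compared.

```python
"""Quantified, prioritized action plan from audit findings (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Measure:
    """A corrective action and the scores it is expected to leave behind."""
    name: str
    vulnerability: int   # vulnerability score after the measure (acting on the weakness)
    impact: int          # impact score after the measure (reducing the consequence)


@dataclass
class Finding:
    name: str
    threat: int          # likelihood that a threat agent acts (assumed scale 1..5)
    vulnerability: int   # ease of exploiting the weakness (1..5)
    impact: int          # consequence for the organization (1..5)
    measures: List[Measure] = field(default_factory=list)


def risk(threat: int, vulnerability: int, impact: int) -> int:
    """The page's formula: Risk = Threat * Vulnerability * Impact."""
    for score in (threat, vulnerability, impact):
        if not 1 <= score <= 5:
            raise ValueError("scores must lie in the assumed 1..5 scale")
    return threat * vulnerability * impact


def initial_risk(f: Finding) -> int:
    return risk(f.threat, f.vulnerability, f.impact)


def residual_risk(f: Finding, m: Measure) -> int:
    """Risk remaining once the measure is applied; the threat itself is unchanged."""
    return risk(f.threat, m.vulnerability, m.impact)


def best_measure(f: Finding) -> Optional[Measure]:
    """Measure with the lowest residual risk, or None if nothing is proposed."""
    if not f.measures:
        return None
    return min(f.measures, key=lambda m: residual_risk(f, m))


def action_plan(findings: List[Finding]) -> List[dict]:
    """Findings ordered by decreasing initial risk, each with its chosen measure."""
    plan = []
    for f in sorted(findings, key=initial_risk, reverse=True):
        m = best_measure(f)
        plan.append({
            "finding": f.name,
            "risk": initial_risk(f),
            "measure": m.name if m else "(no measure proposed)",
            "residual": residual_risk(f, m) if m else initial_risk(f),
        })
    return plan


# Constructed findings, in the spirit of the organizational audit areas above.
FINDINGS = [
    Finding("Shared administrator account on the PABX", 3, 3, 2, [
        Measure("Individual accounts with logging", vulnerability=1, impact=2),
    ]),
    Finding("Unpatched Internet-facing web server", 5, 4, 4, [
        Measure("Apply vendor patches", vulnerability=1, impact=4),
        Measure("Segment the server from the internal network", vulnerability=4, impact=2),
    ]),
    Finding("Backup tapes kept on site without fire protection", 2, 3, 5, [
        Measure("Off-site archiving of backups", vulnerability=3, impact=2),
        Measure("Fire-proof safe in the archive room", vulnerability=1, impact=5),
    ]),
]

if __name__ == "__main__":
    for row in action_plan(FINDINGS):
        print(f"{row['risk']:3d} -> {row['residual']:3d}  {row['finding']}: {row['measure']}")
```

Because the threat factor stays the same whatever the organization does, the plan compares measures only on the vulnerability and impact they leave behind; the web server, with the highest product, comes first and the patch option beats segmentation because it removes more of the product.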

Technical security audit
The technical audit is carried out in three phases:
Approach phase:
To assess the level of network security, one must first know the network.
In order to recognize the architecture of the system, the auditor obtains the information recorded by the local IT team, in order to verify the IP addressing plan and, where applicable, the DHCP and NAT implementation strategy.
The auditor then uses several network and gateway tracing tools to detect workstations, routers and firewalls, and tools for tracing the external borders of the network (external gateways, i.e. routers and firewalls, and modem connections) in order to determine the external perimeter of the network.
The auditor also uses the information available from any SNMP services, from local name servers or from the Internet.
Several open source tools are used to identify the network topology, such as Cheops, traceroute and tcptraceroute.
During this phase, the auditor performs network and system survey tests to determine the network services, the types of applications and their associated updates, the network shares and the security measures implemented.
The most commonly used open source scanning tools are Nmap, NSAT, knocker and Blaster Scan.
The auditor also carries out traffic survey tests to analyze the network traffic, identify the predominant protocols and services in the audited network, the utilization rate and the traffic flows between stations.
The open source tools used are Ntop, Bing, iptraf and Network Probe.
Before moving on to the vulnerability analysis phase, the auditor identifies the file servers, backup servers, log servers, NIS servers and other application servers and important data, then uses a set of tools to monitor their condition, activity and performance, and inspects the access control means and their administration strategy.
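As an added example, not part of this page or of ANSI's own tooling, the script below reconciles the result of an Nmap survey with the IP addressing plan handed over by the local IT team, which is the verification step the approach phase calls for. The Nmap XML document is a constructed, trimmed sample in the format Nmap writes with -oX; the addressing plan, the DHCP pool and the names parse_nmap and reconcile are assumptions of this example. Hosts that answer but appear nowhere in the plan or pool are reported as undocumented, and declared hosts that do not answer are reported as unreachable, so the auditor can take both lists back to the IT team.

```python
"""Reconcile an Nmap survey against the documented IP addressing plan (added example)."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample of Nmap XML output (-oX), trimmed to the elements used here.
SCAN_XML = """<nmaprun scanner="nmap" args="nmap -sS -oX scan.xml 10.0.0.0/24">
<host><status state="up"/><address addr="10.0.0.1" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="161"><state state="closed"/></port></ports></host>
<host><status state="down"/><address addr="10.0.0.9" addrtype="ipv4"/></host>
<host><status state="up"/><address addr="10.0.0.25" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
<port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port></ports></host>
<host><status state="up"/><address addr="10.0.0.120" addrtype="ipv4"/><ports/></host>
<host><status state="up"/><address addr="10.0.0.200" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port></ports></host>
</nmaprun>"""

# Assumed addressing plan: static addresses with their documented role,
# plus the range handed out by DHCP (both constructed for this example).
ADDRESSING_PLAN = {
    "10.0.0.1": "core router",
    "10.0.0.9": "network printer",
    "10.0.0.25": "file server",
}
DHCP_POOL = (ipaddress.ip_address("10.0.0.100"), ipaddress.ip_address("10.0.0.150"))


def parse_nmap(xml_text):
    """Return {ipv4: {"up": bool, "open": [(port, protocol, service), ...]}}."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        status = host.find("status")
        entry = {"up": status is not None and status.get("state") == "up", "open": []}
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                svc = port.find("service")
                entry["open"].append((int(port.get("portid")), port.get("protocol"),
                                      svc.get("name") if svc is not None else "?"))
        hosts[addr.get("addr")] = entry
    return hosts


def in_dhcp_pool(ip):
    return DHCP_POOL[0] <= ipaddress.ip_address(ip) <= DHCP_POOL[1]


def reconcile(hosts, plan):
    """Compare the survey with the plan and return the discrepancies found."""
    report = {"undocumented": [], "unreachable": [], "dynamic": [], "services": {}}
    for ip, entry in hosts.items():
        if not entry["up"]:
            continue
        if ip in plan:
            report["services"][ip] = entry["open"]   # declared host: record what it exposes
        elif in_dhcp_pool(ip):
            report["dynamic"].append(ip)             # expected: leased by DHCP
        else:
            report["undocumented"].append(ip)        # answers but was never declared
    for ip in plan:
        if ip not in hosts or not hosts[ip]["up"]:
            report["unreachable"].append(ip)         # declared but silent during the survey
    return report


if __name__ == "__main__":
    for key, value in reconcile(parse_nmap(SCAN_XML), ADDRESSING_PLAN).items():
        print(f"{key}: {value}")
```

A host that is down during the scan is not proof that the plan is wrong (the printer may simply be switched off), which is why unreachable hosts are listed separately from undocumented ones rather than treated as errors.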
Vulnerability analysis phase:
During this phase, the auditor determines, with the help of the results obtained in the previous step, the potential vulnerabilities and the tools necessary to exploit them.
In practice, the auditor tests the resistance of the system to known vulnerabilities through automated vulnerability analysis, configuring for each one the type of applications and services.
Nessus is an example of an automated vulnerability testing tool; it produces reports that rate the severity of the vulnerabilities detected on the audited system and the risks they pose. Sara, Whisker, Webserver_fingerprinting, karma and Tnscmd.pl are examples of tools for vulnerability analysis of data servers and applications.
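The following added example, which is not code from this page or from the Nessus project, reads a scanner report of the kind the paragraph above describes and turns it into the two things the auditor needs next: a per-host count by severity, and a check that every reported host lies inside the scope agreed during the organizational phase. The .nessus document is a constructed sample in the NessusClientData_v2 layout with constructed plugin IDs and names; the scope, the severity labels and the names parse_nessus, summarize and out_of_scope are assumptions of this example.

```python
"""Summarize a vulnerability scanner report and check it against the audit scope (added example)."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed .nessus (v2) sample; plugin IDs 9000xx and plugin names are made up.
NESSUS_XML = """<NessusClientData_v2>
<Report name="technical-audit">
<ReportHost name="10.0.0.25">
<ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4" pluginID="900001" pluginName="SMB service: remote code execution flaw (constructed)">
<risk_factor>Critical</risk_factor><solution>Apply the vendor patch.</solution></ReportItem>
<ReportItem port="3389" svc_name="msrdp" protocol="tcp" severity="2" pluginID="900002" pluginName="Remote desktop: weak encryption setting (constructed)">
<risk_factor>Medium</risk_factor><solution>Raise the encryption level in the service configuration.</solution></ReportItem>
<ReportItem port="445" svc_name="cifs" protocol="tcp" severity="0" pluginID="900003" pluginName="SMB service detection (constructed)">
<risk_factor>None</risk_factor></ReportItem>
</ReportHost>
<ReportHost name="10.0.0.200">
<ReportItem port="80" svc_name="www" protocol="tcp" severity="3" pluginID="900004" pluginName="Web server: outdated version with known flaws (constructed)">
<risk_factor>High</risk_factor><solution>Upgrade to a supported release.</solution></ReportItem>
</ReportHost>
<ReportHost name="192.0.2.7">
<ReportItem port="22" svc_name="ssh" protocol="tcp" severity="1" pluginID="900005" pluginName="SSH: legacy algorithm offered (constructed)">
<risk_factor>Low</risk_factor><solution>Disable the legacy algorithm.</solution></ReportItem>
</ReportHost>
</Report>
</NessusClientData_v2>"""

# Nessus severity attribute: 0 informational .. 4 critical.
SEVERITY_LABEL = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}


def parse_nessus(xml_text):
    """Return one dict per ReportItem with host, port, severity, name and solution."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        for item in host.findall("ReportItem"):
            findings.append({
                "host": host.get("name"),
                "port": int(item.get("port")),
                "protocol": item.get("protocol"),
                "severity": int(item.get("severity")),
                "name": item.get("pluginName"),
                "risk_factor": item.findtext("risk_factor", default="None"),
                "solution": item.findtext("solution", default="").strip(),
            })
    return findings


def summarize(findings, min_severity=1):
    """Per-host count of findings by severity label; informational items are skipped."""
    summary = {}
    for f in findings:
        if f["severity"] < min_severity:
            continue
        label = SEVERITY_LABEL[f["severity"]]
        per_host = summary.setdefault(f["host"], {})
        per_host[label] = per_host.get(label, 0) + 1
    return summary


def out_of_scope(findings, scope_cidrs):
    """Hosts in the report that fall outside the agreed scope (a scanner misconfiguration to correct)."""
    nets = [ipaddress.ip_network(c) for c in scope_cidrs]
    return sorted({f["host"] for f in findings
                   if not any(ipaddress.ip_address(f["host"]) in n for n in nets)})


def worst_first(findings):
    """Findings ordered for the report: highest severity first, then host and port."""
    return sorted(findings, key=lambda f: (-f["severity"], f["host"], f["port"]))


if __name__ == "__main__":
    found = parse_nessus(NESSUS_XML)
    print(summarize(found))
    print("outside scope:", out_of_scope(found, ["10.0.0.0/24"]))
    for f in worst_first(found):
        print(f"{f['risk_factor']:8s} {f['host']}:{f['port']} {f['name']}")
```

The out-of-scope check matters because an automated scanner will happily report on any address it is pointed at; findings on hosts outside the agreed scope should be removed from the deliverable and the scan configuration corrected before the intrusive test phase, which requires explicit client authorization.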
Intrusive test phase:
The goal of intrusive testing is to survey the technical architecture deployed and to measure the compliance of the configurations of network equipment (firewalls, switches, sensors, etc.) with the professionally defined security policy. Intrusion tests are carried out only after explicit authorization from the client, based on a set of expert attack scenarios (penetration, intrusion, etc.) implemented to compromise an information system.
Carried out repeatedly, intrusion tests serve to validate the security of the information system periodically and to measure changes.
Intrusion tests start with a phase of collecting publicly available information, without interacting with the target environment; then the target components are located and characterized (operating systems and application services, the position of each piece of equipment relative to the others, the types of security features implemented, etc.), which is the mapping phase of the target environment; finally, the vulnerabilities identified during the previous phases are exploited so as to obtain "unauthorized" access to resources.

For more details
http://www.frsirt.com/alertes/12.14.audit.php
http://www.webindustrie.fr/
Copyright © 2011 ANSI webmaster@ansi.tn