It goes without saying that the economy is having a major effect on the security channel. Equipment sales are down and customer upgrade projects are being postponed. Still, despite the state of the economy, customer companies remain aware of the potential cost of a security breach.
To that end, security solution providers can offer their customers a valuable service by performing a security audit. Solution providers offer a unique set of advantages for this type of service. They combine an understanding of a customer's business with an awareness of the latest threat types.
Information security audit processes will vary based on the customer's industry and the type of data maintained, but all audits must include examination of the network, systems, software, data center procedures and employee training. Audits pertaining to specific compliance regulations, such as the Payment Card Industry Data Security Standard (PCI DSS), Sarbanes-Oxley (SOX) and Health Insurance Portability and Accountability Act (HIPAA), require special training and certification. In these cases, certified third parties usually must be brought in to assist. Someone without certification can do a preliminary audit to eliminate areas in advance that the certified inspector would find, but the certificated inspector is still needed. Integrators and VARs can address other potentially vulnerable areas.
Network security audit checklist
Use these suggestions as a way to set a baseline during each audit. Each customer is different; not all of these suggestions will apply and other problems may become apparent during the audit.
- The customer's procedures must be comprehensively documented and each procedure must be detailed. Procedures and people are key to the security of any company. It isn't sufficient to ensure that backups are performed. There must be a documented policy identifying the data storage location for backed-up data and how long it must be retained.
More importantly, the staff must indicate they have followed the procedure put in place by signing, initialing and dating the verification.
- Employees must have the training and knowledge required for their roles. Training is often the first budget cut area, so verify that employees have received training, either formal or informal, on their areas of responsibility. An untrained employee can easily bring down an entire network by making what he/she believes to be a correct configuration change.
As a priority, all employees should be trained to identify and avoid phishing attempts. Some companies have reported targeted phishing, a technique where the mail appears to come from a co-worker, so employees should understand the danger of clicking suspect emails links.
- Software security patches must be applied in a timely manner. Hackers monitor vendor patch releases and scan networks to find systems that are not yet up to date.
- Penetration tests should be run on a regular basis. The frequency of these tests depends on the criticality of the information stored on the site. In some cases the frequency will be dictated by compliance regulations. In any case, penetration tests should be run at least after every significant modification to the website. If they are not, assist the customer in acquiring and applying test tools or suggest a vendor specializing in this service.
- Test software that deals with sensitive data to ensure security. Static software tools inspect source code for potential problems. Dynamic tools monitor and test running software. As is the case with penetration testing, it may be necessary to suggest a specialized vendor to perform this testing.
- Inspect firewall configuration settings. Firewalls and intrusion prevention systems (IPS) are critical elements to any secure environment. A hole in the firewall may have been opened for a specific purpose or task, but may no longer be needed. If not closed, such lapses could enable a security breach.
- Ensure the customer maintains a formal methodology to classify and protect data and the systems on which it resides. The PCI DSS offers a number of helpful guidelines in this area, but short of that, ensure critical data, such as Social Security and credit card numbers, are segregated from less-critical data and strictly limit staff access. Maintain detailed logs of access to this data. Additional storage devices, servers, network devices and security software may be required to meet this requirement.
- Critical data should never be stored on a laptop. Protect less-critical data by encrypting laptop hard disks. Microsoft Windows Vista includes software that utilizes the TPM security chip included on systems purchased in the past few years, making the encryption process easier than ever before with less effect on performance. Encryption software for other operating systems is available from a variety of vendors.
- Upgrade your customer to WPA2. Wireless networks can be vulnerable, especially if the customer is using either the WEP (Wired Equivalent Privacy) or WPA (Wi-Fi Protected Access) encryption algorithms. WEP has long been known to be vulnerable to attackers, and researchers recently discovered a way to crack WPA. If wireless equipment does not support WPA2, it should be replaced.
- Scan for unauthorized access points. Employees have been known to install their own access points. Simply scanning the 2.4 GHz band is not sufficient, even if the corporate WLAN utilizes that band. IEEE 802.11n can operate on the 5.0 GHz band, and retail 802.11n access points and interface cards have been available for more than a year. An unauthorized access point operating at 5.0 GHz will be invisible to a scan at 2.4 GHz.
- Event logs must be monitored continually to detect security breaches as quickly as possible. Network devices and servers create large volumes of logs, and a single event can trigger entries from many devices. SIEM (Security Incident and Event Manager) software is available from a variety of vendors. A SIEM implementation correlates events from multiple device and channel notifications to a single management station, making it easier to spot dangerous events. A SIEM implementation can be quite complicated and expensive, but can result in long-term savings if it prevents a security breach. Still, SIEM may prove too expensive for some customers. In these cases, staff will need to allocate time to monitor logs and correlate information without assistance from a SIEM product. If SIEM software is in place, however, verify that its output is monitored.
Finally, during the audit process, evaluate other aspects of your customer's operations. Point out inefficiencies even though they may not affect security. Also identify problem areas such as inadequate backup facilities or inefficient energy usage. All of these services provide a way that you can assist your customers during this difficult period.About the author
David B. Jacobs of The Jacobs Group has more than twenty years of networking industry experience. He has managed leading-edge software development projects and consulted to Fortune 500 companies as well as software start-ups.
This was first published in March 2009