Auditing: Discovering Enterprise Security Gaps
As part of an organization’s security strategy, the security officer must establish the type and frequency of audits that would be appropriate for the enterprise. Security professionals need to be familiar with audit trails as well as audit tools that may be used to identify attacks that create a threat to vital assets or information. Auditing must be an essential element of every organization’s security policy.
An audit provides valuable information that can determine if security violations did in fact take place and the scope of the damage experienced. The analyzed information can also provide insight into areas such as:
- Are users accessing information that does not relate to their job functions?
- Are attempts being made to access specific areas of the system?
- Are there accounts that consistently have authentication failures?
The analysis of all such information will increase awareness of areas that need to be looked at closely to prevent security violations.
The objective for conducting a security audit is to:
- Ensure the confidentiality, integrity and availability (CIA) of sensitive business information and resources.
- Investigate security violations and ensure compliance with the organization’s security policies.
- Monitor user or system activity where necessary.
The audit provides an opportunity to learn about the security risks to the business and ways to mitigate them. A security audit is essentially a comprehensive security assessment that includes penetration testing of internal and external systems and a review of security strategy, policies and procedures. The audit should typically involve an outside organization that specializes in this area, or individuals with expert knowledge and experience, so that the business obtains a truly independent assessment of its “state of security.”
Certain regulations require organizations to conduct audits. These include the Gramm-Leach-Bliley Act (GLBA), which impacts the financial industry, and the Health Insurance Portability and Accountability Act (HIPAA), which covers the health-care industry. Further, an organization may require audits to be conducted every six to 12 months.
Security audits enable a business to implement hardware, software and procedural mechanisms that record and examine activity in information systems that contain or use sensitive information. The first step is for businesses to develop their audit policy.
An audit policy establishes the requirements and provides the authority to conduct audits. Businesses must develop an audit policy to establish policy requirements in the areas of:
- Individual Accountability: An audit trail supports accountability by providing a trace of a user’s actions.
- Reconstruction of Events: Audits support after-the-fact investigations of how, when and what occurred with respect to a security incident or a violation.
- Unauthorized Access: Audits assist in determining unauthorized access to restricted resources.
- Real-Time Monitoring: Audit information may be used in real time, online, to help identify problems such as violations as they occur.
Audit activities consist of log reviews and attempts to identify whether critical systems have changed “state.” The motivation for maintaining audit trails is to determine whether sensitive business resources are being used for authorized purposes only.
An audit trail typically includes sufficient information to establish:
- What event occurred.
- When the event occurred.
- Who caused the event.
- How the event was detected.
- When the event was detected.
The audit trail consists of audit events. An audit event may be of two types: successful events and failure events. Successful events indicate that a user successfully gained access to a resource. Failure events indicate that the individual attempted to access the resource but did not succeed.
The event record must specify:
- User IDs.
- Dates and times for log-on and log-off.
- Terminal identity, IP address or location if possible.
- Records of successful and rejected system-access attempts.
- The type of violation and the consequence.
- When the event occurred.
Businesses must secure the audit trail from unauthorized access. Precautions that organizations must consider include:
- Strict controls for accessing online audit logs.
- Separation of duties between those who administer the audit-control function and those who administer the audit trail.
- Confidentiality of audit-trail information.
- Periodic review of audit trails.
It does no good to collect information if that information is not reviewed and analyzed. Auditing also consumes system resources and may affect performance. Thus, careful attention needs to be paid to auditing the critical parts of the system while not degrading performance for end users or applications.
Auditing tools enable the tracking of activities within a network or on a specific system or device. Audit trails may be reviewed manually or with the use of auditing tools. For example, an audit log may be reviewed after a security violation or it may be viewed periodically to check for unusual activities. There are three major types of auditing tools. These are variation-detection tools, audit-reduction tools and attack-signature-detection tools.
Variation-detection tools generate alerts if there is a deviation from the established usage of accounts or access to resources. For example, if backups are done on a certain date at a certain time and there is an attempt to back up data on a different day or at a different time, that could result in an alert to the administrator.

System logs often contain a large volume of information, much of which is extraneous to security monitoring. To help identify significant events for security monitoring purposes, an audit-reduction tool may be used to interrogate the log files. The audit-reduction tool removes information that is not essential while retaining information that may be important for performance or security analysis.

The attack-signature-detection tool maintains a database of information about specific types of attacks, referred to as “attack signatures.” This tool parses audit logs to check for attack signatures, and if there is a match, an alert is generated to advise the administrator of an attack on the infrastructure.
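As an added illustration of the three tool types described above (not code from the original article), the following Python reads a constructed audit trail and applies audit reduction, variation detection (the backup-window and repeated-authentication-failure cases) and signature matching. The log format, the `svc_backup` account, the backup window and the single signature are all assumptions made for the example.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample audit trail (not from the article): "timestamp user event result".
SAMPLE_LOG = """\
2024-03-04T02:00:05 svc_backup backup_start success
2024-03-04T08:15:33 alice login success
2024-03-04T08:16:02 alice read:/finance/q1.xlsx success
2024-03-04T08:30:41 bob login failure
2024-03-04T08:30:55 bob login failure
2024-03-04T08:31:10 bob login failure
2024-03-04T09:02:13 cron heartbeat success
2024-03-04T14:07:09 svc_backup backup_start success
2024-03-04T17:44:21 dave read:/etc/shadow failure
""".splitlines()
# Hypothetical attack-signature database: name -> pattern applied to "user event result".
SIGNATURES = {"shadow-file-access": re.compile(r"read:/etc/shadow")}

def parse(lines):
    """Turn raw lines into event records with a real timestamp."""
    events = []
    for line in lines:
        ts, user, event, result = line.split(" ")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "event": event, "result": result})
    return events

def reduce_audit(events, noise=("heartbeat",)):
    """Audit reduction: drop routine successes with no security value; keep every failure."""
    return [e for e in events if e["result"] == "failure" or e["event"] not in noise]

def detect_variation(events, user="svc_backup", allowed_hours=range(1, 4)):
    """Variation detection: backup activity outside its established 01:00-03:59 window."""
    return [e for e in events if e["user"] == user and e["ts"].hour not in allowed_hours]

def failing_accounts(events, threshold=3):
    """Variation detection: accounts whose authentication failures reach the threshold."""
    counts = Counter(e["user"] for e in events
                     if e["event"] == "login" and e["result"] == "failure")
    return sorted(u for u, n in counts.items() if n >= threshold)

def detect_signatures(events, signatures=SIGNATURES):
    """Attack-signature detection: match each event against the signature database."""
    hits = []
    for e in events:
        text = f"{e['user']} {e['event']} {e['result']}"
        hits.extend((name, e) for name, pat in signatures.items() if pat.search(text))
    return hits
```

Running the reduced trail through the detectors flags the afternoon backup, the account `bob` and the `/etc/shadow` read, while the cron heartbeat is discarded before analysis.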
A number of open-source utility tools as well as commercial scanners are available that can provide further insight into an organization’s vulnerabilities. Examples of open-source tools include Nessus (www.nessus.org), Nmap (www.insecure.org) and Crack (www.crypticide.org). Examples of commercial scanners include Internet Security Systems’ Internet Scanner (www.iss.net) and eEye Digital Security’s Retina (www.eeye.com).
Once the audit report is generated, it must be reviewed by key members of the IT staff as well as key managers. The audit report should clearly identify the “gaps” in the infrastructure as well as the source of the threat (internal or the Internet). It is important for the audit report to identify any risk leading to service interruption, such as that from a denial-of-service (DoS) attack. It must also include recommendations to address the problems identified. If the problems rel