Enterprise Security Audits
In this age of ever-growing information security threats, security professionals should be familiar with audit trails, as well as audit tools that can be used to identify attacks that threaten vital enterprise assets or information. Auditing is an essential element of every organization’s security policy.
Security audits provide a methodical examination and review of the enterprise’s defenses, resulting in an audit report that summarizes findings and provides details about problems or concerns. Auditing the vital infrastructure components of the enterprise is a critical activity for any organization. The core objective is to verify that the organization is in compliance with any applicable legislative requirements and to ensure that security gaps in the infrastructure have been closed and locked.
Auditing can be thought of as the alarm on a home security system. Without it, someone could break into your home, steal your valuables and escape without you ever knowing about it. The same principle applies to computer systems. Firewalls, passwords and other security mechanisms can keep most intruders out, but if someone slips by, auditing allows you to trace their footsteps.
An audit can help determine whether security violations have taken place and the scope of the damage. The information analyzed also can provide insight into such questions as:
- Are users accessing information that does not relate to their job function?
- Are attempts being made to access specific areas of the system?
- Are there accounts that consistently have authentication failures?
Systems should be monitored to detect deviation from access-control policy, and events should be recorded to provide evidence in case of security incidents. The analysis of such information will increase awareness of areas that need to be looked at closely to prevent violations. The objective of a security audit is to:
- Ensure the confidentiality, integrity and availability of sensitive business information and resources.
- Investigate security violations and ensure compliance with the organization’s security policies.
- Monitor user or system activity where necessary.
The audit provides an opportunity to learn about the business’s security risk and ways to mitigate those risks. Certain regulations, such as the U.S. Health Insurance Portability and Accountability Act (HIPAA), require organizations to conduct audits.
Audit activities result in log reviews and attempts to verify whether critical systems are being used for authorized purposes. An audit trail is an automated or manual set of records that provide documentary evidence of user transactions. All entities should define the scope and content of an audit trail based on risk analysis requirements.
An audit trail typically includes sufficient information to establish:
- What event occurred.
- When the event occurred.
- Who caused the event to occur.
- How the event was detected.
- When the event was detected.
The audit trail consists of audit events of two types: successful events and failure events. Successful events indicate that a user gained access to a resource. Failure events indicate that an individual did not successfully access the resource, but did attempt to gain access. The event record must specify:
- User IDs.
- Dates and times for logon and logoff.
- Terminal identity, IP address or location, if possible.
- Records of successful and rejected system-access attempts.
- The type of violation and the consequence.
- When the event occurred.
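As an added illustration (not part of the original article), the short script below builds a constructed audit trail with the fields just listed and answers two of the review questions posed earlier: which accounts consistently fail authentication, and which users successfully reach resources outside their job function. The user names, IP addresses, resource names and the job-scope mapping are all made up for the example.

```python
from collections import Counter
from datetime import datetime

# Constructed sample audit trail; each record carries the fields the text lists
# (user ID, timestamp, terminal/IP, resource touched, access outcome).
AUDIT_TRAIL = [
    {"user": "alice", "ts": "2024-03-01T08:02:11", "ip": "10.0.5.14", "resource": "hr/payroll", "outcome": "success"},
    {"user": "bob",   "ts": "2024-03-01T08:05:40", "ip": "10.0.7.22", "resource": "eng/build",  "outcome": "success"},
    {"user": "bob",   "ts": "2024-03-01T08:06:02", "ip": "10.0.7.22", "resource": "hr/payroll", "outcome": "success"},
    {"user": "carol", "ts": "2024-03-01T09:11:03", "ip": "10.0.9.3",  "resource": "eng/build",  "outcome": "failure"},
    {"user": "carol", "ts": "2024-03-01T09:11:19", "ip": "10.0.9.3",  "resource": "eng/build",  "outcome": "failure"},
    {"user": "carol", "ts": "2024-03-01T09:11:41", "ip": "10.0.9.3",  "resource": "eng/build",  "outcome": "failure"},
    {"user": "carol", "ts": "2024-03-02T09:10:55", "ip": "10.0.9.3",  "resource": "eng/build",  "outcome": "failure"},
    {"user": "dave",  "ts": "2024-03-02T10:00:00", "ip": "10.0.2.8",  "resource": "fin/ledger", "outcome": "failure"},
]

# Constructed job-function mapping: resource prefixes each user is expected to touch.
JOB_SCOPE = {"alice": {"hr/"}, "bob": {"eng/"}, "carol": {"eng/"}, "dave": {"fin/"}}


def accounts_with_repeated_failures(trail, threshold=3):
    """Accounts whose failure-event count reaches the threshold
    (the 'consistent authentication failures' question)."""
    failures = Counter(r["user"] for r in trail if r["outcome"] == "failure")
    return sorted(u for u, n in failures.items() if n >= threshold)


def out_of_scope_access(trail, scope):
    """Successful accesses to resources outside the user's job function,
    returned as (user, resource, timestamp) tuples in trail order."""
    hits = []
    for r in trail:
        if r["outcome"] != "success":
            continue
        allowed = scope.get(r["user"], set())
        if not any(r["resource"].startswith(prefix) for prefix in allowed):
            hits.append((r["user"], r["resource"], r["ts"]))
    return hits


def failure_days(trail, user):
    """Distinct days on which a user produced failure events, to separate a
    single burst of typos from a pattern that persists across days."""
    return sorted({datetime.fromisoformat(r["ts"]).date().isoformat()
                   for r in trail if r["user"] == user and r["outcome"] == "failure"})
```

The same functions apply unchanged to a real trail once its records are normalized into the listed fields; the threshold and scope mapping are the policy inputs an auditor would set.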
Businesses must secure the audit trail from unauthorized access. Precautions to consider include:
- Strict controls for accessing online audit logs.
- Separation of duties between those who administer the audit control function and those who administer the audit trail.
- Confidentiality of audit trail information.
- Periodic review of audit trails.
Auditing systems also may have an impact on system performance. Thus, careful attention is needed to perform effective audits without impacting system performance from the application or end-user perspective.
Also, note the difference between an audit trail and a log file. A log file is generally larger in size and content, and may be turned off or on, while an audit trail is always on. A log file is specific to a vendor’s product or application, while an audit trail refers to an entire history of information related to an event and may include several log files.
Most security technologies support audit reports that can be customized to the organization’s requirements. Audit reports may be designed to view activities, exceptions, incidents and usage summaries. Security solutions also typically support notification based on events so that the administrator can be alerted to a failed logon attempt or an attack. For example, the RSA Security ACE/Server automatically provides an audit trail of each login attempt and operation performed.
The automated log maintenance feature enables administrators to create settings for archiving log files. These “set and forget” features ensure that usage logs are safely preserved without intervention.
The audit report that is generated must be comprehensive. Organizations can use logs and reports generated by deployed security technologies, as well as the operating systems on critical systems that process key information. The logs supported by most systems can be configured to trace activity not only to the device doing the accessing, but also to the user. Log files are typically time-stamped and strictly restricted to system administrators. For example, most authentication and access-control software generates an audit trail of each login attempt and operation performed.
The administrator also should enable notification to be recorded as well as sent based on certain events. For example, if a certificate is denied to a user based on some authentication violation, that may be an event to log and communicate further to determine severity and whether a response is required. The objective is to enable an “end-to-end auditing” of all critical and sensitive information communicated over the infrastructure. This audit trail, which includes detailed logs, provides proof of activity that prevents users from denying their participation. The audit logs themselves may be signed by a certificate authority (CA) for added security. All of this provides the basis for a detailed audit report.
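The paragraph above relies on the audit trail being tamper-evident, so that it can serve as proof of activity. As an added example (not from the article or any product it names), the code below protects a constructed trail with a keyed hash chain: each entry carries an HMAC over its own event and the previous entry's tag, so a modified, removed or reordered event breaks verification at that index. It uses an HMAC key rather than CA-issued signatures for simplicity; the key, the events and the `build_sample_chain`/`tampered_copy` helpers are all assumptions of the example. In line with the separation-of-duties point earlier, the key would be held by whoever operates the audit function, not by the trail's administrators.

```python
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64  # previous-tag value for the first entry


def _tag(key, prev, event):
    # Canonical JSON so that the same event always hashes identically.
    payload = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev.encode() + b"\n" + payload, hashlib.sha256).hexdigest()


def append_event(chain, key, event):
    """Append an event, chaining it to the tag of the entry before it."""
    prev = chain[-1]["mac"] if chain else GENESIS
    chain.append({"event": event, "prev": prev, "mac": _tag(key, prev, event)})
    return chain


def verify_chain(chain, key):
    """Return (True, length) if intact, else (False, index of first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        expected = _tag(key, entry["prev"], entry["event"])
        if entry["prev"] != prev or not hmac.compare_digest(entry["mac"], expected):
            return False, i
        prev = entry["mac"]
    return True, len(chain)


def build_sample_chain(key):
    """Constructed three-event trail: a logon, a rejected access, a logoff."""
    events = [
        {"user": "bob", "ts": "2024-03-01T08:05:40", "ip": "10.0.7.22", "action": "logon", "outcome": "success"},
        {"user": "bob", "ts": "2024-03-01T08:06:02", "ip": "10.0.7.22", "action": "read hr/payroll", "outcome": "failure"},
        {"user": "bob", "ts": "2024-03-01T08:30:00", "ip": "10.0.7.22", "action": "logoff", "outcome": "success"},
    ]
    chain = []
    for e in events:
        append_event(chain, key, e)
    return chain


def tampered_copy(chain):
    """Copy of the chain in which the rejected access is rewritten as a success."""
    altered = copy.deepcopy(chain)
    altered[1]["event"]["outcome"] = "success"
    return altered
```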
Once the audit report is generated, it must be reviewed by key members of the IT staff, as well as key managers. The audit report should clearly identify the gaps in the infrastructure, as well as the source of the threat (internal or from the Internet). It is important for the audit report to identify any risk to service continuity, such as interruption due to a denial-of-service (DoS) attack. It also must include recommendations to address the problems identified. If the problems relate to compliance violations with regulations such as HIPAA, those need to be emphasized in further detail.
Finally, the executive summary of the audit report must establish the state of security within the organization. Both strengths and weaknesses need to be clearly communicated.
Overall, the audit report must be not only an automated report generated from vulnerability scanners, but also one that reflects the opinion of the auditor who interprets the results and provides guidance and recommendations for next steps. In other words, the audit report must be “actionable.”
Audits provide insight into vulnerabilities of an organization. A secure computing infrastructure is a strategic business asset. Regular