Security audits go through the current policies and procedures and see if there are holes or things that need updating
They need internal access to the company.
Everyone should have a security policy; the audit goes through that policy with a fine-tooth comb.
Audit vs Pen Test
Penetration tests tell you what's seen from the outside.
Your digital footprint
You don't need cooperation from the company, just the right authorizations
Audits are what's on the inside.
From inside the company, are there any holes or vulnerabilities that might be concerning?
You need cooperation from the company so that you can see what they are doing, and help them make it better.
Physical Environment
Part of an audit is a walkthrough of the company
How's the heat? Humidity? Location?
Who has access? Type of access control? How often does that change? Who's the backup?
Are people leaving sensitive data out?
Post-its with passwords on monitors or under keyboard?
Pages left in printers or fax machines
Are people getting up and leaving computers unlocked?
What's the shredding policy?
People
What are the password policies and how are they enforced? Are people getting around them?
Ex. New password every 90 days? Summer2019 --> Fall2019 --> spring2020, or password22 --> password23 --> password24
Does the company use knowledge-based answers? Common information like hometown, pets' names, etc.?
What about Multi-Factor Authentication (MFA)?
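The rotation patterns above (Summer2019 --> Fall2019, password22 --> password23) are exactly what a rotation-aware password check should refuse at change time. The following is an added example, not code from the original notes; the function names, the "skeleton" idea and the finding labels are this example's own choices, and the sample passwords are constructed.

```python
import re

# Words and digit runs that users typically swap when forced to rotate.
SEASON_RE = re.compile(r"spring|summer|fall|autumn|winter")
DIGITS_RE = re.compile(r"\d+")
# A whole password that is just season + year, e.g. Summer2019 or fall19!
SEASONAL_RE = re.compile(r"^(spring|summer|fall|autumn|winter)\W*\d{2,4}\W*$", re.I)


def skeleton(pw: str) -> str:
    """Collapse seasons and digit runs to placeholders so that two rotations
    of the same base password compare equal (password22 -> password<n>)."""
    s = SEASON_RE.sub("<season>", pw.lower())
    return DIGITS_RE.sub("<n>", s)


def check_rotation(old: str, new: str) -> list:
    """Return policy findings for a proposed change; [] means acceptable.
    The labels and the notion of 'same base' are this example's own."""
    findings = []
    o, n = old.lower(), new.lower()
    if o == n:
        findings.append("unchanged apart from letter case")
    elif n == o[::-1]:
        findings.append("reversed old password")
    elif skeleton(o) == skeleton(n):
        findings.append("same base, only digits/season rotated")
    if SEASONAL_RE.match(new):
        findings.append("season+year pattern")
    return findings


def audit_history(history: list) -> list:
    """Replay a rotation history and report each trivial transition as
    (index_of_new_password, findings). Both plaintexts are only available
    at change time, so this is where the check belongs in practice."""
    flagged = []
    for i in range(1, len(history)):
        findings = check_rotation(history[i - 1], history[i])
        if findings:
            flagged.append((i, findings))
    return flagged


if __name__ == "__main__":
    # Constructed sample transitions mirroring the patterns in the notes.
    for old, new in [("Summer2019", "Fall2019"), ("password22", "password23"),
                     ("password23", "correct-horse-battery")]:
        print(f"{old} -> {new}: {check_rotation(old, new) or 'ok'}")
```

The skeleton comparison catches the seasonal and counter rotations from the notes; it does not claim to measure password strength, only whether the change is a cosmetic one.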
How are you protecting data?
Encryption? Whole disk vs files vs multiple partitions
Third-party encryption? Or PGP? Or in-house roll-your-own (BAD idea!)
How about USB drives?
Cloud storage?
Backups?
Don't forget about remote workers!
Servers
What are the configurations?
How are they documented? How often are they updated? And who does that?
How are you dealing with accounts? Dead accounts? Guest accounts?
What's the policy on applications and updates for the system?
How do you do patch management? Testing?
Who's responsible? What about cross training and backups?
Are there different policies for different areas of the company? Such as one set of policies for dev and another for sales?
What's the firewall setup?
Blocked or allowed list? (Formerly known as blacklists and whitelists)
Bayesian filtering?
Types of Audits
Is the company doing a self audit?
Hiring an outside consultant?
Who are you talking to about compliance? Just management? Workers? Are you observing what people actually do or what they say they do?
Is this audit for compliance or laws? Or just because the company thinks it's useful?
Antivirus
Is there a global antivirus/firewall policy?
Security appliance from a vendor? Or are there multiple appliances from multiple vendors?
What about backups, who's in charge of them?
Are you worried about APTs and targeted viruses? Or just general threats?
Policies
Do you do something different for desktops vs other hardware? Again, don't forget remote workers!
What's the log management policy?
Copies? Archives? What's automated?
Who's in charge of what, and who's the alternate?
What's the red flag policy? What sets off red flags? Who checks? What records them?
Who is checking to see if your policies are being followed?
If they aren't being followed, what are you doing about it?
Suggested Activities and Discussion Topics:
In pairs, discuss one example of a policy such as password rules, or computer timeouts at your job or school, discuss what the policy is, how it's enforced, how people get around it, and what you would change about it.
In pairs, discuss how you would perform a security audit at your job. If you haven't had a job before, talk about it for your school.
In a small group of 2-4, discuss one industry's audit policy: first think about what you think it should be as a group, then research together what laws/regulations are actually in place. Share with the class what you've found and whether you think it's OK or should be changed.