Sunday, October 7, 2007

Network Security Audit Case Study

This is a case study of Dionach carrying out a network security audit on an insurance company based in the UK. The audit comprised an internal security audit and an external perimeter security audit. Some of the information has been changed or omitted to maintain confidentiality.


The organisation carries out much of its business online, and felt that an independent view of their internal and external network security was required. The organisation selected Dionach to carry out the auditing. Dionach carried out an external penetration test, and then the on-site audit.

Internal Audit

Three Dionach consultants carried out the internal audit, with one of them nominated as the lead auditor. This lead auditor liaised with the organisation's information security officer (ISO).

The ISO was interviewed to gain an understanding of the setup of the network, servers and LAN, along with other staff with the appropriate knowledge. This allowed an up-to-date network diagram to be created. Copies of existing network diagrams and the security policy were also taken.

The lead auditor then assigned consultants to audit the configuration of firewalls, routers, web servers, database servers and domain controllers, and samples of other workstations. Antivirus, email, network topology and physical security were also areas that were examined.

Throughout the process, the organisation's staff responsible for each area being audited were interviewed further as required; however, the purpose of the audit was to determine the actual, technical setup and compare it to best practice.

At the end of the on-site process, the lead auditor held a meeting with the ISO to provide an initial oral report of findings. The audit team's task was then to produce the final report.


The report produced was comprehensive and detailed, with an executive summary, a section for the external audit, a section for the on-site internal audit, and finally a technical summary of conclusions.

The executive summary first specified that the security of the network represented medium risk. Most elements of the network were configured securely, and the recent introduction of a group security policy would reinforce and improve security awareness.

The executive summary also listed the following issues:

  • The external security risk was low, although one of the firewall configurations would allow outbound connections, so if a server was vulnerable, an attacker could more easily compromise it.
  • Although external, email and server anti-virus was in place, the individual user workstations were not protected. There was also no patching for workstations, so if a virus or worm found its way onto the internal network it would spread unhindered.
  • There was no intrusion detection system (IDS) in place, and the external penetration test was not noticed by the organisation. Because the organisation is dependent on online business, Dionach highly recommended the implementation of a network IDS that would be monitored.
  • A password audit of domain users showed that many users had simple passwords, although the security policy gave guidance on choosing strong passwords. There was no mechanism enforcing strong passwords.
  • A number of internal SQL Server databases had blank administrator passwords and service pack levels that were not up-to-date.

Further detail and recommendations were provided in the rest of the report.

The external audit section listed the external test results in detail, with a technical summary of issues and recommendations, of which there were few.

The internal audit section listed the areas audited, good security practices, and areas where security could be improved: antivirus protection, physical security, information security, wireless connectivity, database servers, firewall configurations, DMZs and perimeter security.

The internal audit section presented the audit findings, including diagrams and tables, such as the network topology.

Finally, the report showed a summary of conclusions with issues listed in order of risk, with the most critical first.


The report was then agreed with the organisation, and presented to them in a meeting to ensure that the organisation gained the most value from the audit and the report.

The organisation then proceeded to prioritise and resolve the issues.



Jay said...

Sounds interesting. For simplifying security auditing I would implement something like enterprise security reporter. This tool collects information and stores it in a SQL database where you can easily query, compare or create reports. It includes like 140 built-in reports covering the most important things that need to be reported. In addition to this, there's a wizard-style report designer you can use to create your own custom reports.

viji said...

My cousin recommended this blog and she was totally right. Keep up the fantastic work!

Management Audit

Margo McCann said...

Thanks for the information. I am looking into having a network security audit performed to make sure that my business information is protected.