Auditing
Security auditing is the process of evaluating and verifying the security measures of an organization against a defined set of requirements.

Why is security auditing important?
- Identifying vulnerabilities and weaknesses before an attacker does
- Ensuring compliance with laws, regulations and contractual obligations
- Enhancing risk management by giving it measured, current data
- Improving security policies and procedures
- Supporting business objectives
- Driving continuous improvement, since each audit cycle is compared with the previous one
Frameworks
- NIST Cybersecurity Framework (CSF): a set of guidelines and best practices published by NIST.
- COBIT: a framework for implementing, monitoring and improving IT governance.
- ISO/IEC 27001: an international standard for information security management systems (ISMS).
- PCI Data Security Standard (PCI DSS): a set of security requirements to protect payment card data.
- HIPAA: U.S. health data law that sets the standards to protect sensitive patient information.
- GDPR: European regulation that governs data protection and privacy for individuals in the EU.
The first three are frameworks or standards an organization can adopt voluntarily; PCI DSS, HIPAA and GDPR are obligations that apply to organizations handling that kind of data, and an audit checks compliance against them.
Guidelines
- CIS Controls: a prioritized set of best practices to improve an organization's cybersecurity posture.
- NIST SP 800-53: a catalog (published by NIST) of security and privacy controls for federal information systems, widely used as a control reference outside government as well.
Governance, Risk and Compliance (GRC)
GRC is a framework used by organizations to manage and align their governance practices, risk strategies and compliance with regulatory requirements.
- Governance: the way the organization directs and oversees its activities so that it meets its objectives while complying with legal requirements.
- Risk (management): identifying, analyzing and mitigating risks that could negatively impact the organization (unpatched vulnerabilities, for example).
- Compliance: ensuring that the organization adheres to relevant laws and industry standards (such as GDPR, HIPAA, PCI DSS).
For penetration testers, knowing GRC helps in scoping more precise assessments, in writing reports that map findings to the controls the organization is measured against, and in making strategic recommendations rather than only technical ones.
Security Auditing Process/Lifecycle
The Security Auditing process has different phases:
- Planning and Preparation
- Information Gathering
- Risk Assessment
- Audit Execution
- Analysis and Evaluation
- Reporting
- Remediation
Phase 1 - Developing a Security Policy
Define the purpose, the authentication method(s), the configuration needed and
the general principles the company must adhere to (for example those of NIST SP 800-53).
Create a table with the columns Policy Area - Control ID - Policy Statement, where each statement maps to a control of the catalog chosen as the baseline (here NIST SP 800-53), for control families such as:
- Access Control (AC)
- Audit and Accountability (AU)
- Configuration Management (CM)
- Identification and Authentication (IA)
- System and Information Integrity (SI)
- Maintenance (MA)
The Control ID column is what later ties each audit finding back to a concrete policy statement.
Phase 2 - Security Auditing with Lynis
Lynis is a security auditing tool for Linux and other Unix-like systems that runs a health scan of the host and can be used for hardening and compliance testing.
Download and install Lynis (from the distribution's package manager or from the official repository at https://github.com/CISOfy/lynis).
If you downloaded the tarball or cloned the repository, make it executable: chmod +x ./lynis
Start an audit of your local system (you can specify different types of audit); run it as root, otherwise many tests are skipped:
sudo ./lynis audit system
Run only the test HRDN-7230 (the hardening-section check for a malware scanner), to verify our malware detection requirement:
sudo ./lynis audit system --tests HRDN-7230
Record who performed the audit in the report:
sudo ./lynis audit system --auditor "name"
Regardless of these options, Lynis writes a log to /var/log/lynis.log and a machine-readable report (key=value lines, including the hardening index, warnings and suggestions) to /var/log/lynis-report.dat; those files are the evidence for the next phase.
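The report file is what you actually work from after the scan. The following POSIX shell script is an added example (it is not part of these notes and is not Lynis's own code): it reads the key=value report Lynis writes, extracts the hardening index, counts warnings and suggestions, lists the failing test IDs and checks a pass/fail baseline. The embedded report is a constructed sample, the field layout TEST-ID|message|details|solution for warning[] and suggestion[] lines is assumed from observed reports (check your own report if it differs), and the baseline of 60 is an assumed threshold.

```shell
#!/bin/sh
# Added example: summarise a Lynis report file (/var/log/lynis-report.dat).
# Lynis writes one key=value pair per line; warning[] and suggestion[] entries
# are assumed to carry TEST-ID|message|details|solution fields.

# Constructed sample report, used when no real report is readable.
SAMPLE_REPORT=$(mktemp)
trap 'rm -f "$SAMPLE_REPORT"' EXIT
cat > "$SAMPLE_REPORT" <<'EOF'
# Lynis Report (constructed sample for this example)
report_version_major=1
report_version_minor=0
auditor=example-auditor
hardening_index=64
warning[]=HRDN-7230|No malware scanner found|-|-|
suggestion[]=HRDN-7230|Harden the system by installing at least one malware scanner|-|-|
suggestion[]=AUTH-9286|Configure minimum password age in /etc/login.defs|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin (set YES to NO)|-|
EOF

# hardening_index FILE -> prints the 0-100 index recorded in the report.
hardening_index() {
    sed -n 's/^hardening_index=//p' "$1"
}

# count_entries FILE KIND [TEST-ID] -> number of warning/suggestion lines,
# optionally restricted to one test ID (the '|' keeps HRDN-7230 from matching HRDN-72300).
count_entries() {
    if [ -n "${3:-}" ]; then
        pattern="^$2\[\]=$3|"
    else
        pattern="^$2\[\]="
    fi
    grep -c "$pattern" "$1" || true   # grep -c prints 0 but exits 1 on no match
}

# failing_tests FILE -> sorted, deduplicated test IDs that raised a warning or suggestion.
failing_tests() {
    sed -n -e 's/^warning\[\]=\([A-Z0-9-]*\)|.*/\1/p' \
           -e 's/^suggestion\[\]=\([A-Z0-9-]*\)|.*/\1/p' "$1" | sort -u
}

# test_findings FILE TEST-ID -> the message field of every finding for that test.
test_findings() {
    grep -e "^warning\[\]=$2|" -e "^suggestion\[\]=$2|" "$1" | cut -d'|' -f2
}

# meets_baseline FILE MIN_INDEX -> exit 0 only if the index reaches MIN_INDEX
# and the report contains no warnings (suggestions alone are tolerated).
meets_baseline() {
    idx=$(hardening_index "$1")
    [ -n "$idx" ] && [ "$idx" -ge "$2" ] && [ "$(count_entries "$1" warning)" -eq 0 ]
}

# Use the real report when present (e.g. after `sudo ./lynis audit system`),
# otherwise fall back to the constructed sample.
REPORT="${1:-/var/log/lynis-report.dat}"
[ -r "$REPORT" ] || REPORT="$SAMPLE_REPORT"

echo "report: $REPORT"
echo "hardening index: $(hardening_index "$REPORT")"
echo "warnings: $(count_entries "$REPORT" warning), suggestions: $(count_entries "$REPORT" suggestion)"
echo "tests with findings: $(failing_tests "$REPORT" | tr '\n' ' ')"
echo "malware scanner check (HRDN-7230):"
test_findings "$REPORT" HRDN-7230 | sed 's/^/  /'
if meets_baseline "$REPORT" 60; then echo "baseline met"; else echo "baseline NOT met"; fi
```

Pass the path of a saved report as the first argument to compare two runs (before and after remediation); the test IDs printed by failing_tests are the same identifiers used with --tests, so a single failing check can be re-run on its own once fixed.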
Phase 3 - Conduct Penetration Test
Test the effectiveness of the audit remediation by performing a penetration test, to verify whether the system is now secure (or at least more secure than before the remediation).
Create a final report with your findings, mapping each one back to the control IDs of the policy from Phase 1.