Security Audit Best-Practices

Roadmap and Best-practices for Security Audit

Published in: Technology, Business

  1. IS Audit: Preparing and Correctly Deploying an Audit. Marco Raposo, CISSP-ISSMP, QSAp, ABCP. October 2007
  2. Agenda
     - 1. Audit Drivers and Objectives
     - 2. Assessment in SDLC
     - 3. Methodologies
     - 4. Audit Phases
     - 5. “Take Away’s”
  3. Why audit?
     - Auditing is part of a quality control and risk management process
       - Auditors must be independent
       - External auditors are hired to present an independent vision and evaluation
       - Internal auditors are integrated in a separate line of reporting in order to preserve independence
     - Security audits are performed to ascertain the validity and reliability of existing controls and countermeasures
     - Common audits
       - Risk Assessment
       - Compliance Assessment
       - Technical Assessment
       - External Assessment (pen testing)
       - Performance audit
     - References: Daniel E. Geer, Sc.D., “Risk Management Is Where the Money Is” (1998); Andrew Jaquith, “Risk Management Is Where The Confusion Is” (2007)
  4. Security Assessment in the SDLC (System Development Life Cycle and Security)
     - Initiation
       - Security Categorization
       - Preliminary Risk Assessment
     - Acquisition / Development
       - Risk Assessment
       - Security Functional Requirements Analysis
       - Security Assurance Requirements Analysis
       - Cost Considerations and Reporting
       - Security Planning
       - Security Control Development
       - Developmental Security Test and Evaluation
       - Other Planning Components
     - Implementation
       - Inspection and Acceptance
       - Security Control Integration
       - Security Certification
       - Security Accreditation
     - Operations / Maintenance
       - Configuration Management and Control
       - Continuous Monitoring
     - Disposition
       - Information Preservation
       - Media Sanitization
       - Hardware and Software Disposal
  5. Assessment: Top-Down and Bottom-Up approaches
     - Top-Down Approach
       - Business and risk focus
       - Early stages of the SDLC
       - Business analysis
       - Qualifies risk
       - Evaluates control efficiency
       - Outputs residual risk
     - Bottom-Up Approach
       - Control-objective focused
       - Later stages of the SDLC
       - Qualifies residual risk
       - Evaluates control efficiency
       - Outputs new control objectives
     - (Diagram: Business → Risk → Mitigation → Controls)
  6. Objectives: Security standards and best practices
     - Use industry standards and best practices as control objectives:
       - Risk Management
       - IS best practices
       - Business Continuity Management
       - Federal and government
       - Payment Industry
       - IS Operation
       - Network Security
       - Application Security
       - Physical Security
     - (Diagram, grouped across Business, Processes and Technology: ISO/IEC 27001, 27002, 27003, 27004, 27005, 18028-2, ISO/IEC 20000, BS 25999-2, VISA PCI, OSSTMM, OWASP, COBIT, NIST SP 800-53)
  7. Audit Phases: Audit Workflow
     - Workflow: Supplied Information → Testing → Interviews/Observation → Analysis → Recommendations → Results Discussion → Consolidation → Results Presentation
     - Deliverables: Vulnerability/impact report, Security Scorecard, Prioritized recommendations
  8. Phase 1 - Pre-Engagement Work: Setting the rules
     - Pre-engagement work includes taking responsibilities, setting boundaries and planning.
     - Obtain an understanding of the organization and its processes
     - Define the audit scope for the assessment
     - Define an audit plan that includes the auditee and business objectives
       - Create “Terms of Reference”, a document that confirms the client’s and the IS auditor’s acceptance of a review assignment
       - The plan should be endorsed by audit management
     - Define an audit program
       - Describe the audit steps planned
       - Identify management and personnel resources
       - Identify any limitations in the audit and the program
       - Establish contingency actions for sensitive tests
  9. Phase 2 - Data Collection: Data Sources
     - Interviews
       - Document all interviews
       - Hold one-to-one interviews
       - Ensure confidentiality
       - Ask open-ended questions
       - Give the interviewee time to develop an answer
       - Take notes
       - Ask questions outside the interviewee’s scope
     - Direct observation
       - Observe procedures during normal operation
       - Don’t assume an active role
     - Testing
       - Use trustworthy tools
       - Operate in read-only mode
       - Protect audit tools
       - Don’t affect the integrity of system operation
     - Evidence collection
       - Collect logs
       - Take pictures
       - Take screenshots
       - Record when/how/who for every piece of evidence
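The evidence-collection bullets above boil down to one discipline: every artefact must carry who collected it, when, how, and a fingerprint that proves it was not altered between collection and the report. The register below is an added example written for this page, not code from the deck or its author; the record fields, the SHA-256 fingerprint, the sample log line and the collector names are all constructed for illustration.

```python
"""Evidence register for the data-collection phase: records who/when/how for
each collected artefact and fingerprints the bytes so later tampering or
confusion between copies is detectable. Added example; not part of the
original deck. Names and sample data are constructed."""
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone


@dataclass(frozen=True)
class EvidenceRecord:
    evidence_id: str
    description: str
    collected_by: str     # who
    collected_at: str     # when, UTC ISO-8601
    method: str           # how: log export, screenshot, photo, interview note ...
    source: str           # where the artefact came from (host, path, room, person)
    sha256: str           # fingerprint of the artefact bytes at collection time


class EvidenceRegister:
    """Append-only collection of evidence records keyed by evidence id."""

    def __init__(self):
        self._records = {}

    def add(self, evidence_id, description, collected_by, method, source,
            content: bytes, collected_at=None) -> EvidenceRecord:
        if evidence_id in self._records:
            raise ValueError(f"duplicate evidence id {evidence_id}")
        when = collected_at or datetime.now(timezone.utc).isoformat(timespec="seconds")
        rec = EvidenceRecord(evidence_id, description, collected_by, when, method,
                             source, hashlib.sha256(content).hexdigest())
        self._records[evidence_id] = rec
        return rec

    def verify(self, evidence_id, content: bytes) -> bool:
        """True if the bytes presented now match the fingerprint taken at collection."""
        rec = self._records[evidence_id]
        return hmac.compare_digest(rec.sha256, hashlib.sha256(content).hexdigest())

    def missing_provenance(self) -> list:
        """Ids of records where who, when or how was left blank."""
        return [i for i, r in self._records.items()
                if not (r.collected_by and r.collected_at and r.method)]

    def export(self) -> str:
        """JSON manifest to attach to the report's Data section."""
        records = sorted(self._records.values(), key=lambda r: r.evidence_id)
        return json.dumps([asdict(r) for r in records], indent=2)


# Constructed sample artefacts (not real data)
SAMPLE_LOG = b"2007-10-02T09:14:05Z sshd[412]: Accepted publickey for svc-backup from 10.0.0.5\n"
SAMPLE_SHOT = b"\x89PNG\r\n\x1a\n...constructed placeholder bytes..."


def build_sample_register() -> EvidenceRegister:
    reg = EvidenceRegister()
    reg.add("EV-001", "sshd auth log excerpt", "auditor-1",
            "log export, read-only copy", "appsrv01:/var/log/auth.log",
            SAMPLE_LOG, collected_at="2007-10-02T10:00:00+00:00")
    # Collector deliberately left blank to show the provenance check firing
    reg.add("EV-002", "firewall rulebase screenshot", "",
            "screenshot", "fw01 admin console", SAMPLE_SHOT,
            collected_at="2007-10-02T10:20:00+00:00")
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    print(reg.export())
    print("intact:", reg.verify("EV-001", SAMPLE_LOG))
    print("incomplete provenance:", reg.missing_provenance())
```

Run `missing_provenance()` before the analysis phase starts: an item without who/when/how cannot be defended in the results discussion and should be re-collected rather than cited. The fingerprint is compared with `hmac.compare_digest` so the check behaves the same whether or not the first bytes of the hash match.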
  10. Phase 3 – Data Analysis: “Findings”
     - Technical reports
       - Check for false positives
       - Establish a “Proof of Concept”
       - Seek compensatory controls
       - Mark verified problems as “findings”
     - Data flows
       - Check for unnecessary data flows
       - Check inbound and outbound data flows
       - Identify data flows between distinct security levels
       - Mark all of the above as “findings”
     - Dependencies
       - Check operational dependencies
       - Identify permission dependencies
       - Mark abnormal issues as “findings”
  11. Phase 3 – Data Analysis: “Findings” (continued)
     - Workflow
       - Terminate all processes
       - Search for unfinished endpoints
       - Search for missing links
       - Identify non-existing connections
       - Mark the above items as “findings”
     - Compliance radar
       - Mark controls as “Compliant” or “Non Compliant”
       - Seek 85% compliance against the benchmark
       - Identify areas of low compliance
       - Mark non-compliant controls as “findings”
  12. Phase 3 – Data Analysis: Measuring Risk (risk diagram; no further detail survives)
  13. Phase 4 – Recommendations: The Responsive Actions
     - Recommendations should derive directly from findings
     - Each finding should link to a recommendation
     - Recommendations should be classified as either immediate mitigation or strategic
     - Best practices are “nice to have”s that don’t present current risk
     - An observation is an accepted and documented risk
     - (Diagram, finding → recommendation: Finding 1 → Immediate (high risk, low effort); Finding 2 → Strategic (high effort, major changes, holistic); Finding 3 → Best Practice (low risk, low effort, recommended); Observation → Risk documentation; … Finding N)
  14. Phase 4 – Recommendations: Establishing Priorities
     - Recommendations must be categorized and assigned a priority
     - Recommendations may be subject to risk management
     - Compensatory controls should be used
     - Risk acceptance is a viable outcome
     - The auditor’s task is to document and support decisions, not to make them
  15. Phase 4 – Recommendations: Establishing Priorities
     - (Diagram, inputs → findings → priority → decision)
       1. Inputs: Technical Reports, Data Flow, Dependencies, Workflows, Compliance Radars
       2. Findings: F1, F2, F3, F4
       3. Priority, driven by Exposure, Impact, Implementation Effort and Change factor
       4. Risk Management Decision: Mitigate, Compensatory controls, Best Practices, Risk Acceptance
     - Priority = Function (Risk, Cost, Change Impact)
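Slide 11 (compliance radar with the 85% benchmark) and slides 13 to 15 (findings classified as Immediate, Strategic, Best Practice or Observation, then prioritized as a function of risk, cost and change impact) describe one data-analysis pipeline without giving numbers for it. The script below is an added example written for this page, not the deck's own method: the 1-5 scales, the "high risk" and "major change" thresholds, the risk = exposure × impact product and the priority formula are assumptions chosen to make the pipeline concrete, and the findings and control results are constructed sample data.

```python
"""Findings prioritization and compliance radar for an audit data-analysis phase.
Added example, not from the original deck: the 1-5 scales, the risk threshold,
the major-change threshold and the priority formula are assumptions chosen to
illustrate Priority = Function(Risk, Cost, Change Impact)."""
from dataclasses import dataclass

HIGH_RISK = 12       # assumption: exposure*impact >= 12 (of 25) counts as high risk
BIG_CHANGE = 4       # assumption: effort or change factor >= 4 (of 5) means major changes
BENCHMARK = 0.85     # from the deck: seek 85% compliance
ACTION_ORDER = {"Immediate": 0, "Strategic": 1, "Best Practice": 2}


@dataclass(frozen=True)
class Finding:
    fid: str
    title: str
    exposure: int        # 1 (isolated) .. 5 (widely reachable)
    impact: int          # 1 (negligible) .. 5 (business-critical)
    effort: int          # implementation effort / cost, 1 (trivial) .. 5 (project)
    change: int          # change factor on operations, 1 (none) .. 5 (redesign)
    accepted: bool = False   # management has formally accepted the risk

    def __post_init__(self):
        for name in ("exposure", "impact", "effort", "change"):
            if getattr(self, name) not in range(1, 6):
                raise ValueError(f"{self.fid}: {name} must be 1..5")


def risk_score(f: Finding) -> int:
    """Risk as exposure x impact (1..25); the deck's 'Measuring Risk' slide gives no formula."""
    return f.exposure * f.impact


def classify(f: Finding) -> str:
    """Map a finding to the deck's four responsive actions."""
    if f.accepted:
        return "Observation"            # accepted and documented risk
    high_risk = risk_score(f) >= HIGH_RISK
    big_change = f.effort >= BIG_CHANGE or f.change >= BIG_CHANGE
    if high_risk and not big_change:
        return "Immediate"              # high risk, low effort
    if high_risk:
        return "Strategic"              # high effort, major changes
    return "Best Practice"              # low risk, nice to have


def priority(f: Finding) -> float:
    """Priority = f(risk, cost, change impact): risk over the geometric mean of effort and change."""
    return round(risk_score(f) / (f.effort * f.change) ** 0.5, 2)


def ranked(findings) -> list:
    """Finding ids in recommended order: by action class, then by priority; observations need no action."""
    actionable = [f for f in findings if classify(f) != "Observation"]
    return [f.fid for f in sorted(actionable, key=lambda f: (ACTION_ORDER[classify(f)], -priority(f)))]


def compliance_radar(results: dict, benchmark: float = BENCHMARK) -> dict:
    """results: {domain: {control_id: compliant?}} -> {domain: (ratio, meets benchmark?)}."""
    radar = {}
    for domain, controls in results.items():
        ratio = sum(1 for ok in controls.values() if ok) / len(controls)
        radar[domain] = (round(ratio, 2), ratio >= benchmark)
    return radar


def non_compliant_controls(results: dict) -> list:
    """Every non-compliant control becomes a finding, whatever the domain's overall ratio."""
    return [f"{d}:{c}" for d, cs in results.items() for c, ok in cs.items() if not ok]


# Constructed sample data (not from any real audit)
SAMPLE_FINDINGS = [
    Finding("F1", "Default credentials on management interface", 5, 4, 1, 2),
    Finding("F2", "Flat network, no segmentation between tiers", 4, 4, 5, 4),
    Finding("F3", "Password policy slightly below benchmark", 2, 2, 1, 1),
    Finding("F4", "Legacy application without patch support", 3, 5, 2, 2, accepted=True),
]
SAMPLE_RESULTS = {
    "Access Control":   {f"AC-{i}": i != 7 for i in range(1, 10)},   # 8 of 9 compliant
    "Network Security": {f"NS-{i}": i <= 3 for i in range(1, 6)},    # 3 of 5 compliant
}

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(f.fid, classify(f), priority(f))
    print("order:", ranked(SAMPLE_FINDINGS))
    print("radar:", compliance_radar(SAMPLE_RESULTS))
    print("control findings:", non_compliant_controls(SAMPLE_RESULTS))
```

Two design points match the deck's stance. Acceptance is an input to `classify`, never an output: the script documents a management decision, it does not make one. And `non_compliant_controls` lists every failed control even in a domain that clears 85%, because the radar shows where compliance is weak while each failed control is still a finding.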
  16. Phase 5 - Reporting & Results Presentation: Closing the Audit
     - Report structure
       - Intended Audience
       - Version Control
       - Executive Summary
       - Objectives
       - Actions
       - Results & Findings
       - Recommendations
       - Data
     - (Diagram: Report → Discuss → Accept → Present)
  17. Phase 5 - Reporting & Results Presentation: Best Practices and Common Mistakes
     - “Do’s”
       - Present a non-technical executive summary
       - Identify the top 5 problems
       - Be factual
       - Be flexible
       - Be descriptive
       - Be open-minded
       - Collect all evidence
       - Document all actions
       - Be practical and result-oriented
       - Use graphics, workflows and radars
     - “Don’ts”
       - Be biased towards a specific person, technology or solution
       - Be influenced
       - State something that you can’t sustain
       - Exclude specific constraints
       - Push decisions regarding risk management
       - Focus on a particular problem
  18. “Take Away’s”
     - Audit is a useful tool in the SDLC
     - Audit is a science; however, it should be performed as an art
     - Follow a specific methodology and rules
     - Use experienced auditors
     - Both technical and human skills are important
     - Use explicit control objectives
     - Consolidate information from distinct planes
     - Findings are symptoms of existing problems, not the problem itself
     - Try to get the parachute view
     - Analyze the issues from a risk perspective
     - Present synthesized information
     - Present graphical information
     - Don’t make decisions; provide information for management decisions