2. • A security audit is a systematic evaluation of the security of a company's information system by measuring how well it conforms to a set of established criteria.
   • A thorough audit typically assesses the security of the system's physical configuration and environment, software, information handling processes, and user practices.
   • Policy based
   • Assessment of risk
   • Examines site methodologies and practices
   • Dynamic
   • Communication
3. • "The world isn't run by weapons anymore, or energy, or money. It's run by little ones and zeros, little bits of data... There's a war out there... and it's not about who's got the most bullets. It's about who controls the information."
4. • Determine Vulnerable Areas
• Obtain Specific Security Information
• Allow for Remediation
• Check for Compliance
• Ensure Ongoing Security
5. • A security audit is necessary for every organization using the Internet.
   • An ongoing process that must be tried and improved to cope with ever-changing and challenging threats.
   • Being audited should not be feared. An audit is good practice.
6. • External Audit
     • Public information collection
     • External Penetration
       • Non-destructive test
       • Destructive test
   • Internal Audit
     • Confidential information collection
     • Security policy reviewing
     • Internal Penetration
     • Change Management
7. • Hacker's view of the network
   • Simulate attacks from outside
   • Point-in-time snapshots
   • Can NEVER be 100%
8. • Search for information about the target and the critical services it provides on the Internet.
   • Network Identification
     • Identify the IP address ranges owned/used
   • Network Fingerprinting
     • Try to map the network topology
     • Perimeter model identification
   • OS & Application fingerprinting
     • OS fingerprinting
     • Port scanning to identify services and applications
     • Banner grabbing
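The banners collected in the banner-grabbing step are only useful to the audit once they are turned into a fingerprint record: which protocol answered on which port, and whether the service disclosed its product and version. The following is an added example (not from the original slides) that classifies recorded banners and lists the ports whose banners leak an exact version, which an auditor writes up as an information-disclosure finding and carries forward into the vulnerability search. The banners, the hostnames and the regex rules are constructed for illustration.

```python
"""Classify recorded service banners for the fingerprinting step of an external audit.

Added example, not part of the original slides. SAMPLE_BANNERS are constructed
samples of what banner grabbing records; an auditor substitutes the real capture.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: (port, banner) pairs as recorded during banner grabbing
SAMPLE_BANNERS: List[Tuple[int, str]] = [
    (22, "SSH-2.0-OpenSSH_7.4"),
    (25, "220 mail.example.com ESMTP Postfix (Ubuntu)"),
    (80, "HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\n"),
    (443, "HTTP/1.1 200 OK\r\nServer: nginx\r\n"),
    (8080, ""),  # port answered but returned no banner
]

# Constructed fingerprint rules: (service, regex with optional product/version groups)
FINGERPRINT_RULES = [
    ("ssh", re.compile(r"^SSH-(?P<proto>[\d.]+)-(?P<product>[A-Za-z]+)[_-]?(?P<version>[\d.p]+)?")),
    ("smtp", re.compile(r"^220 \S+ ESMTP (?P<product>\w+)(?: (?P<version>[\d.]+))?")),
    ("http", re.compile(
        r"^HTTP/[\d.]+ \d{3}.*?\r?\nServer: (?P<product>[^/\r\n]+)(?:/(?P<version>[\d.]+))?",
        re.S)),
]


@dataclass
class Fingerprint:
    port: int
    service: str               # protocol identified from the banner, or "unknown"
    product: Optional[str]     # product name if the banner disclosed one
    version: Optional[str]     # exact version if the banner disclosed one

    @property
    def discloses_version(self) -> bool:
        return self.version is not None


def fingerprint_banner(port: int, banner: str) -> Fingerprint:
    """Match one banner against the rule set; unknown if no rule applies."""
    for service, rule in FINGERPRINT_RULES:
        m = rule.search(banner)
        if m:
            gd = m.groupdict()
            return Fingerprint(port, service, gd.get("product"), gd.get("version"))
    return Fingerprint(port, "unknown", None, None)


def fingerprint_all(banners: List[Tuple[int, str]]) -> List[Fingerprint]:
    return [fingerprint_banner(p, b) for p, b in banners]


def version_disclosure_findings(fps: List[Fingerprint]) -> List[Fingerprint]:
    """Ports whose banner reveals an exact product version. The audit records these
    as findings and uses the versions when searching for known vulnerabilities."""
    return [fp for fp in fps if fp.discloses_version]


if __name__ == "__main__":
    for fp in fingerprint_all(SAMPLE_BANNERS):
        flag = "  <- version disclosed" if fp.discloses_version else ""
        print(f"{fp.port:5d} {fp.service:8s} {fp.product or '-':10s} {fp.version or '-'}{flag}")
```

Keeping "unknown" entries in the output matters: an open port with no recognisable banner is still a service that must be explained in the report, not silently dropped.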
9. • Do not make ANY changes to the systems or networks
   • Do not impact processing capabilities by running scanning/testing tools during business hours or during peak or critical periods
   • Always get permission before testing
   • Be confidential and trustworthy
   • Do not perform unnecessary attacks
10. • Plan the penetration process
    • Search for vulnerabilities matching the information gathered and obtain the exploits
    • Conduct vulnerability assessments (ISO 17799)
    • Non-destructive test
      • Scans / tests to confirm vulnerabilities
      • Make SURE the tests are not harmful
    • Destructive test
      • Only for short-term effect
      • Done from various locations
      • Done only in off-peak hours to confirm the effect
    • Record everything
      • Save snapshots and record everything for every test done, even if it returned a false result
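The rules on the previous slide (permission first, destructive tests only off-peak) and the "record everything" rule on this one are easiest to enforce when the test harness itself refuses to run a test outside the engagement terms and writes every outcome, negative results included, into a tamper-evident log. The following is an added example (not from the original slides) of such a recorder. The authorization reference, the in-scope addresses (RFC 5737 documentation range) and the off-peak window are constructed placeholders; the hash chain is a simple SHA-256 link from each entry to the previous one so that a dropped or altered entry is detectable when the report is reviewed.

```python
"""Rules-of-engagement check plus an append-only evidence log for audit tests.

Added example, not part of the original slides. ENGAGEMENT values are constructed
placeholders; the authorization reference would be the written permission on file.
"""
import hashlib
import json
from datetime import datetime, time
from typing import Any, Dict, List, Tuple


class RulesOfEngagementError(Exception):
    """Raised when a requested test falls outside the agreed engagement terms."""


# Constructed engagement parameters (placeholders, not a real engagement)
ENGAGEMENT = {
    "authorization_ref": "AUTH-PLACEHOLDER-001",
    "in_scope": {"192.0.2.10", "192.0.2.11"},          # RFC 5737 documentation addresses
    "destructive_window": (time(22, 0), time(5, 0)),  # destructive tests only 22:00-05:00
}


def in_window(when: time, window: Tuple[time, time]) -> bool:
    """True if `when` lies inside the window; handles a window that wraps past midnight."""
    start, end = window
    if start <= end:
        return start <= when <= end
    return when >= start or when <= end


def check_rules(target: str, destructive: bool, now: datetime) -> None:
    if target not in ENGAGEMENT["in_scope"]:
        raise RulesOfEngagementError(f"{target} is not in the authorized scope")
    if destructive and not in_window(now.time(), ENGAGEMENT["destructive_window"]):
        raise RulesOfEngagementError("destructive tests are limited to the off-peak window")


def _digest(body: Dict[str, Any]) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class EvidenceLog:
    """Append-only test log. Each entry carries the hash of the previous entry, so
    removing a negative result or editing an outcome breaks verify()."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: List[Dict[str, Any]] = []
        self._prev = self.GENESIS

    def record(self, target: str, test: str, destructive: bool, result: str, now_iso: str) -> Dict[str, Any]:
        now = datetime.fromisoformat(now_iso)
        check_rules(target, destructive, now)     # refuse before anything is run
        entry = {
            "seq": len(self.entries),
            "timestamp": now.isoformat(),
            "authorization": ENGAGEMENT["authorization_ref"],
            "target": target,
            "test": test,
            "destructive": destructive,
            "result": result,                     # recorded even when nothing was confirmed
            "prev_hash": self._prev,
        }
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        self._prev = entry["hash"]
        return entry

    def verify(self) -> bool:
        """Recompute the chain; False if any entry was altered, removed or reordered."""
        prev = self.GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev_hash"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


if __name__ == "__main__":
    log = EvidenceLog()
    log.record("192.0.2.10", "service version check", False, "not vulnerable", "2024-01-01T14:00:00")
    log.record("192.0.2.10", "confirmation of effect", True, "confirmed", "2024-01-01T23:30:00")
    print(len(log.entries), "entries, chain valid:", log.verify())
```

A real engagement would persist the entries as they are written and pair them with the snapshots the slide asks for; the chain only proves that what was written was not changed afterwards, it does not replace keeping the raw tool output.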
11. • Conducted on the premises
    • A process of hacking with full knowledge of the network topology and other crucial information.
    • Also to identify threats within the organization
    • Should be 100% accurate.
    • Must be cross-checked with the external penetration report.
12. • Everything starts with the security policy
    • If there is no policy, there is no need for a security audit.
    (Hierarchy: Policy; Standards; Procedures, Guidelines & Practices)
13. • Policies are studied properly and classified
    • Identify any security risks that exist within the policy
    • Interview IT staff to gain a proper understanding of the policies
    • Also identify the level of implementation of the policies.
14. • Discussion of the network topology
    • Placement of perimeter devices such as routers and firewalls
    • Placement of mission-critical servers
    • Existence of IDS (Intrusion detection system)
    • Logging
15. • Location of devices on the network
• Redundancy and backup devices
• Staging network
• Management network
• Monitoring network
• Other network segmentation
• Cabling practices
• Remote access to the network
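Slides 12 through 15 describe the same activity from two sides: the policy supplies the criteria, and the topology review (perimeter devices, server placement, IDS, logging, segmentation, remote access, backups) supplies the facts to check them against. The following is an added example (not from the original slides) that expresses a handful of policy criteria as checks over a recorded network description and reports the level of implementation as a weighted conformance percentage with the failed criteria listed as findings. The policy references, severities and the network inventory are all constructed for illustration.

```python
"""Score a recorded network description against criteria derived from the security policy.

Added example, not part of the original slides. CRITERIA and SAMPLE_NETWORK are
constructed; a real audit derives the criteria from the organization's own policy.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple


@dataclass
class Network:
    """What the topology review (slides 14-15) records about the site."""
    segments: Set[str]
    perimeter_devices: List[Tuple[str, str]]   # (device name, kind)
    servers: Dict[str, str]                    # server name -> segment it sits on
    ids_present: bool
    central_logging: bool
    remote_access: str                         # "vpn_mfa", "vpn", "direct" or "none"
    backups: Dict[str, bool]                   # server name -> backup exists


def criterion(ref: str, text: str, severity: str, check: Callable[[Network], bool]) -> Dict:
    return {"ref": ref, "text": text, "severity": severity, "check": check}


# Constructed policy criteria; references are placeholders, not a real policy's numbering
CRITERIA = [
    criterion("POL-NET-01", "A firewall is deployed at the perimeter", "high",
              lambda n: any(kind == "firewall" for _, kind in n.perimeter_devices)),
    criterion("POL-NET-02", "Mission-critical servers are not placed on the user segment", "high",
              lambda n: all(seg != "users" for seg in n.servers.values())),
    criterion("POL-NET-03", "A separate management network exists", "medium",
              lambda n: "management" in n.segments),
    criterion("POL-MON-01", "An IDS is deployed", "medium", lambda n: n.ids_present),
    criterion("POL-MON-02", "Logs are collected centrally", "medium", lambda n: n.central_logging),
    criterion("POL-ACC-01", "Remote access goes through a VPN with MFA", "high",
              lambda n: n.remote_access == "vpn_mfa"),
    criterion("POL-BCP-01", "Every server has a backup", "medium",
              lambda n: all(n.backups.get(s, False) for s in n.servers)),
]

SEVERITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}


def evaluate(network: Network) -> Dict:
    """Return the weighted conformance percentage and the list of failed criteria."""
    failed = [c for c in CRITERIA if not c["check"](network)]
    total = sum(SEVERITY_WEIGHT[c["severity"]] for c in CRITERIA)
    missed = sum(SEVERITY_WEIGHT[c["severity"]] for c in failed)
    return {
        "conformance_pct": round(100 * (total - missed) / total),
        "findings": [(c["ref"], c["severity"], c["text"]) for c in failed],
    }


# Constructed sample inventory as a topology review might record it
SAMPLE_NETWORK = Network(
    segments={"dmz", "users", "servers"},
    perimeter_devices=[("rtr-edge", "router"), ("fw-edge", "firewall")],
    servers={"erp-db": "servers", "intranet": "users"},
    ids_present=False,
    central_logging=True,
    remote_access="vpn",
    backups={"erp-db": True, "intranet": False},
)


if __name__ == "__main__":
    report = evaluate(SAMPLE_NETWORK)
    print(f"Policy implementation level: {report['conformance_pct']}%")
    for ref, sev, text in report["findings"]:
        print(f"  [{sev:6s}] {ref}: {text}")
```

The weighting is a design choice: a percentage that treats a missing perimeter firewall the same as a missing backup would hide the risk ordering the audit exists to expose, so severity is folded into the score and the findings are listed in policy order for the report.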
16. An internal penetration test can be divided into a few categories:
    • Network
    • Perimeter devices
    • Servers and OS
    • Applications and services
    • Monitoring and response