IT security audit
As an IT security audit ( English IT security audit ; from Latin audit : "he / she hears"; analogously: "he / she checks") in information technology (IT) measures for risk and weak point analysis (English vulnerability scan ) are one IT system or computer program . Threats to security can arise from criminal attacks, from organizational deficiencies, but also from technical accidents or force majeure. Vulnerabilities are errors in an IT system or an organization that make them vulnerable to threats. However, a threat or a vulnerability alone is not enough to compromise the security of a system. The attacked system is only at risk if a threat encounters an existing vulnerability. There are many reasons for weaknesses. They can lie in the conception, implementation or operation and also include design or construction errors, human error or inadequate site security. Vulnerability analyzes are used to systematically find these errors in order to avert threats and attack scenarios. Security audits usually take place as part of quality management and serve to reduce security gaps and introduce best practices in an organization (public administration , companies ). IT security audits are part of the area of network and information security , with the boundary between LAN analysis in local networks and network analysis being blurred.
Based on the English-language terms security test and security scan , terms such as security check or security check are used in German-language literature instead of security audit . Usually this only refers to partial aspects of a full audit. The process of auditing is often referred to as auditing , while the person performing it is called an auditor .
Regular IT security audits form an indispensable part of the German basic IT protection . International management standards for IT security audits in the standard are ISO / IEC 27001 the ISO set. There are also a number of other international security policies . These are used for planning, documentation and continuous development of the information security management system of a company (ISMS, see IT service management ). The audits are usually carried out by external experts - also known as Chief Audit Executives (CAE) - in consultation with the management. The catalog of measures created in the process forms the basis for further steps by the administrators of the in-house IT department. You are responsible for the ongoing comparison of target and actual data and for maintaining the system in accordance with the company's security policy. Systems can personal computers , servers , mainframes (mainframes), routers or switches include. Applications can include, for example, web servers such as Apache , database systems such as Oracle or MySQL and mail servers .
After an inventory, the IT structure analysis, the respective tests take place. This is usually followed by an assessment of the protection requirement and a selection of measures, which are recorded in a catalog of measures. For reasons of internal security, the implementation of the measures is usually not carried out by the auditor himself, since the auditor is too familiar with the company's security gaps after an audit has been carried out. By signing a Non-Disclosure Agreement (NDA), the auditor undertakes to maintain confidentiality. An auditor must have sufficient network experience and be able to put himself in the shoes of an attacker. The reasons and goals of a potential attack determine the methodology used .
Manual security analysis measures include:
- the survey of the workforce of a company ( see Social Engineering )
- Security scans with port scanners like Nmap , sniffers like Wireshark , vulnerability scanners like Nessus and other tools, namely Vulnerability Assessment (VA) products
- checking access control for applications and operating systems
- the analysis of the physical access to the system.
Another method of determining security vulnerabilities is through penetration testing . They form an essential part of a full IT security audit. Attacks from outside ( Internet ) as well as from within the company network are simulated. This process is often referred to as friendly hacking and the auditor as a white hat hacker ( see also hacker ethics )
The BSI IT security manual makes the following distinction:
- Information base (black box, white box)
- Aggressiveness (passive, cautious, deliberative, aggressive)
- Scope (full, limited, focused)
- Procedure (obvious, covert)
- Technology (network access, other communication, physical access, social engineering)
- Starting point (from outside, from inside)
A popular inconspicuous (passive) method in manual audits is Google hacking . While a look at public job advertisements is often sufficient for a rough estimate of the IT infrastructure of a company, confidential and sensitive data can be spotted unnoticed with the help of complex search engine queries on Google , Live Search , Yahoo Search and similar search engines . The bandwidth of the "security nuggets" ranges from private information such as credit card numbers , social security numbers and passwords as well as stored files such as internal auditing reports, password hashes or log files (nessus, sniffers) to unsecure open services such as OWA , VPN and RDP to the disclosure of numerous exploits and vulnerabilities of the websites concerned . Certain search engine filters and operators are used here. The Google hacking database (GHDB) has its own collection of known tactics and possible uses. Several providers of automated vulnerability scanners for web services have integrated this database into their products. You can set up your own honeypots to detect a “Google hacking attack” . Often there are comments in the source code of websites with useful information for attackers. If this data is deleted by the provider of a website, it is in most cases still accessible to the public via the cache of a search engine or via archives such as the Wayback Machine .
Computer-assisted auditing techniques ( CAAT) can be used as an alternative or supplement to manual auditing measures . Such automatic auditing measures are part of the audit standards that are issued by the American Institute of Certified Public Accountants (AICPA) and are mandatory for the administration in the USA ( see Sarbanes-Oxley Act ). They include system-generated audit reports and the use of monitoring software that reports changes to files or settings on a system. An AICPA checklist is intended to make this work easier for administrators. Free software in this area are the auditing and reporting software TIGER and open source Tripwire as well as the monitoring software Nagios . The main purpose of these products is documentation and warning of changes to the system.
Policies and measures
The guidelines and catalogs of measures in the field of IT security proposed by security experts are very extensive. In addition to ISO / IEC 27001, there is also ISO / IEC 17799 and the British BS 7799 on which it is based . There is also the X.800 security architecture , the IT-Grundschutz Catalogs (formerly IT-Grundschutz Handbuch) of the BSI , the ITIL procedure library and the ITSEC criteria. The audit manual Open Source Security Testing Methodology Manual (OSSTMM) of the Institute for Security and Open Methodologies (ISECOM) distinguishes five categories of security interaction , called channels, according to the possible attack possibilities :
- physical interaction
- Telecommunication ( analog communication )
- Data networks (packet communication)
- wireless interaction
- human interaction
Basically, a company has to choose between different risk analysis strategies and, based on this, define the goals of an auditing. Since carrying out a detailed risk analysis of an entire organization is expensive and time-consuming, a combination of basic protection measures (Baseline Security Controls) and identification of protection requirements (High Level Risk Analysis) is usually chosen. All systems with a risk above low to medium, i.e. high to very high, are subjected to a detailed risk analysis. Depending on the possible extent of damage (the value of the threatened objects) and relevance, there is a different risk assessment and thus different protection requirements.
The range of the proposed measures extends from the establishment of a DMZ for external services and the separation of the network into different segments by VLANs (for example a separate VLAN for network printers , another for WLAN , department A, department B, management and so on) as well as the Restriction of the authorization of external access to the network via VPN through the use of encryption mechanisms , the establishment and maintenance of firewalls , IDS / IPS , virus protection , device or endpoint control and identity management as well as the evaluation of the existing user profiles and access control lists (ACLs) on both the workstation computers as well as in the network up to the establishment of a central update server for all operating systems ( see e.g. Windows Update Server ).
Security experts have the opportunity to prove their knowledge to potential customers through recognized certifications . These include the CISSP from the International Information Systems Security Certification Consortium, the CISA and the CISM from the ISACA , the OSSTMM Professional Security Tester (OPST) and the OSSTMM Professional Security Analyst (OPSA) from ISECOM, one of the numerous ITIL or LPI certifications, as well as those from APO-IT or from companies respected in the IT security sector such as Cisco . In Austria , IT consultants also have the IT civil engineer award . These and other certificates can be acquired in special courses .
Process of an audit
Audits follow essentially the same pattern as malicious attacks. Hacker attacks can be roughly divided into three different types based on method and objective:
The aim of a passive , automated attack using scripts and bots can, for example, be to expand a botnet . Worms in particular are used for the automated exploitation of vulnerabilities. Viruses and Trojans are other malicious computer programs used to spread such bots . If a computer (known as a zombie ) has been compromised , it can be used to send spam , as a data store for black copies , to carry out DDoS attacks and the like.
An active , manual attack can read out sensitive data or, if a backdoor is installed, users can be spied on and applications can be controlled by the attacker. Aggressive attacks are mostly politically motivated and are usually intended to cause a system failure.
The limits of the types of attack are fluid.
An audit therefore consists of several phases. If data such as the IP address range (IP range) to be scanned has not been disclosed by the customer, it is a black box test . In the first step, footprinting can be useful for the auditor in order to design an approximate network topology . This step is not required for a white box test . The creation of a network topology is also called “network mapping” . In the next step, the computer network is checked for potential weak points with an automatic vulnerability scanner. In order to rule out false positives , a precise evaluation of the results is necessary. A further phase of an audit can be a penetration test (PenTest) based on the knowledge gained in the weak point analysis. The results are finally summarized in a detailed report, which is to be supplemented by a catalog of measures to minimize or decimate risks.
Before an audit, questions such as the scope, duration and methods must be clarified. If the operation of a company is not allowed to be disrupted by the auditing, the exploitation of any program errors (bugs) or security holes such as buffer overflows in software - known as exploits - must be avoided. DoS attacks are widespread here . The filtering out of potential security holes in a system is known as "vulnerability mapping" . Here the auditor creates a list of all running services including known bugs. These can be queried , for example, on Bugtraq , the CVE list or US-CERT .
According to McAfee, the most common security vulnerabilities include :
- Default settings for barely configured routers, firewalls, web servers
- simple, unencrypted and / or preset passwords (factory setting)
- Lack of security, maintenance and programming skills among staff
- Inadequate security concepts such as security through obscurity , negligent handling of confidential data, susceptibility to social engineering
- Inadequate maintenance concepts, for example infrequent updates and password changes, or inadequate monitoring
- bad programming concepts like missing QA and code reviews as well as neglect of the security aspect
- Use of insecure services such as telnet , SNMP , RDP , X , SMB , MSRPC , web guis such as OWA
- poorly (mostly in a hurry) developed applications with buffer overflows, format string vulnerabilities, integer overflows and / or missing input validation
Ready-made scripts, such as those used by scriptkiddies in their attacks, are usually used to execute exploits . Metasploit , a framework for creating and testing exploits for security vulnerabilities, provides a collection of exploits for many common operating systems . It is one of the most popular tools for pen testing.
The Nmap port scanner can be used to obtain information about the current status of the applications running on the target system ( version and patch level ) and to identify the operating system through OS fingerprinting . The graphical network mapper front end nmapfe has now been replaced by zenmap, which in turn emerged from Umit. Alternatively, banner grabbing and port scanning can also be carried out with Netcat . PortBunny may offer an efficient and fast alternative to the popular Nmap. However, Nmap is one of the most powerful and widely used tools in the field.
Known security holes can be found with the Vulnerability Scanner Nessus. Manual testing of exploits in web applications such as SQL injection or cross-site scripting is also possible with Nessus. Related attacks in this area are: session fixation , cross-site cooking , cross-site request forgery (XSRF), URL spoofing , phishing , mail spoofing , session poisoning , cross-site tracing (XST).
Because Nessus a very "loud" tool, its use is therefore easy to determine in a network are often "silent" (usually passive) tools such as fire walk ( packet filtering enumerator ) hping3 ( TCP / IP -Paketanalyse with Traceroute mode) or nmap preferred. For testing web applications, there is also the Nikto Web Scanner, which can be operated alone or integrated into Nessus.
IT security audits (in consultation with the IT department) often attempt to smuggle viruses , worms , Trojans and other malware into a system. This is mostly done through social engineering, for example by the auditor sending an "important security update" to all users by email or handing it over personally. In this way, existing anti-virus software, personal firewall , packet filter , intrusion prevention system and the like can be checked for currency and effectiveness. More important, however, is the question of how users react and whether they are following the company's security guidelines.
Tools like John the Ripper can be used to attempt to crack passwords in the system. These can be read out, for example, from a hash obtained by means of sniffers such as Wireshark or tcpdump . Plug-ins for Nessus are also available for this purpose . Hidden rootkits can be discovered with Chkrootkit . Ordinary Unix on- board tools such as lsof (list open files) or top for process management can also help here. Under Windows , the use of the recommended Sysinternals Suite from Mark Russinovich .
Most of the tools described can be found in the following live systems based on GNU / Linux : BSI OSS Security Suite (BOSS), BackTrack (formerly: Auditor Security Collection), Knoppix STD (Security Tools Distribution), Network Security Toolkit ( NST), nUbuntu (or Network Ubuntu ), Helix. BackTrack was named the best Security Live CD by Darknet in March 2006.
In addition to the numerous free FOSS tools, there are a number of widespread closed source products such as the package analysis platform OmniPeek from WildPackets, the web application security scanner N-Stalker, the automatic vulnerability scanners Qualys, SecPoint Penetrator Vulnerability Scanner Retina from eEye Digital Security, the automatic vulnerability scanners Quatrashield, IBM Internet Scanner (formerly: Internet Security Scanner), Shadow Security Scanner and GFI LANguard Network Security Scanner, as well as the packet sniffer Cain & Abel and others. Tools for creating security concepts on the basis of IT-Grundschutz are chargeable, as are the BSI's GSTOOL, SecuMax and the HiScout GRC Suite. Unlike most free tools, however, most of these products only work on Windows. The Java- based ISMS tool Verinice offers a free and cross-operating system alternative to GSTOOL .
- Anonymous: Maximum Security . Ed .: Que. Sams Publishing, Indianapolis , Indiana 2002, ISBN 0-672-32459-8 ( online version - 976 pages; 4th edition; incl. CD-ROM).
- Brian Hatch, James Lee, George Kurtz: Hacking Linux Exposed: Linux Security Secrets and Solutions . Ed .: McAfee , ISECOM . McGraw-Hill / Osborne, Emeryville, California 2003, ISBN 0-07-222564-5 ( preview on Google ; website for the book - 712 pages).
- Stuart McClure, Joel Scambray, George Kurtz: Hacking Exposed: Network Security Secrets & Solutions . Ed .: McAfee. McGraw-Hill / Osborne, Emeryville, California 2005, ISBN 0-07-226081-5 ( preview on Google - 692 pages).
- Johnny Long, Ed Skoudis: Google Hacking for Penetration Testers . Syngress, 2005, ISBN 1-931836-36-1 ( preview on Google - 448 pages).
- Sasha Romanosky, Gene Kim, Bridget Kravchenko ,: Managing and Auditing IT Vulnerabilities . In: Institute of Internal Auditors (Ed.): Global Technology Audit Guide . tape 6 . Altamonte Springs, FL 2006, ISBN 0-89413-597-X ( online version of the entire series).
- Joel Scambray, Stuart McClure: Hacking Exposed Windows: Windows Security Secrets and Solutions . 2007, ISBN 0-07-149426-X ( preview on Google ; website for the book - 451 pages).
- Christian Hawellek: The relevance of IT security audits under criminal law . Ed .: EICAR . Grin Verlag, 2007 ( online version ; PDF - 15 pages).
- Dennis Jlussi: Criminal liability when handling IT security tools according to the 41st Criminal Law Amendment Act to combat computer crime . Ed .: EICAR. Grin Verlag, 2007 ( online version ; PDF - 13 pages).
- Austrian Federal Chancellery , Information Security Office (Ed.): Austrian Information Security Manual . Österreichische Computer Gesellschaft (OCG), Vienna 2007, ISBN 978-3-85403-226-7 ( online version [accessed on November 5, 2008]).
- Marc Ruef : The Art of Penetration Testing . 1st edition. Computer & Literatur (CuL), Böblingen 2007, ISBN 3-936546-49-5 (911 pages).
- Top 100 Network Security Tools , Insecure.Org 2006
- Implementation concept for penetration tests , BSI in November 2003
- Managing and Auditing IT Vulnerabilities (from: Global Technology Audit Guide ) with summary by the AICPA
- Open Vulnerability Assessment Language (OVAL): Miter open standard for security vulnerabilities
- SecurityFocus : Community of IT security experts
- Blog Boris Koch : Technical report on Google Hacking, data breaches and the Deep Web
- ↑ Fraunhofer FOKUS Competence Center Public IT: The ÖFIT trend sonar of IT security - weak point analysis. April 2016, accessed May 30, 2016 .
- ↑ BSI (Ed.): IT Security Handbook - Manual for the secure use of information technology . Bundesdruckerei , Bonn March 1992 ( online version [accessed on November 9, 2008] version 1.0).
- ↑ Google Hacking Database ( memento of the original from August 8, 2009 in the Internet Archive ) Info: The archive link was automatically inserted and not yet checked. Please check the original and archive link according to the instructions and then remove this notice.
- ↑ In addition to the free software Wikto Web Server Assessment Tool ( memento of the original from October 14, 2008 in the Internet Archive ) Info: The archive link was automatically inserted and not yet checked. Please check the original and archive link according to the instructions and then remove this notice. , WHCC Web Hack Control Center ( Memento of the original from December 16, 2008 in the Internet Archive ) Info: The archive link was inserted automatically and has not yet been checked. Please check the original and archive link according to the instructions and then remove this notice. and rgod's Googledorks Scanner ( page no longer available , search in web archives ) Info: The link was automatically marked as defective. Please check the link according to the instructions and then remove this notice. contains the commercial Acunetix Web Vulnerability Scanner and SiteDigger ( memento of the original from December 9, 2008 in the Internet Archive ) Info: The archive link was inserted automatically and has not yet been checked. Please check the original and archive link according to the instructions and then remove this notice. of McAfee Foundstone one GHDB integration. A selection of other products can be found under Top 10 Web Vulnerability Scanners .
- ↑ Google Hack Honeypot
- ↑ AICPA: Federal Information Security Management Act ( Memento of the original of July 24, 2008 in the Internet Archive ) Info: The archive link was automatically inserted and not yet checked. Please check the original and archive link according to the instructions and then remove this notice. , September 2003; Retrieved September 25, 2008.
- ↑ AICPA: Sarbanes-Oxley Software: Ten Questions to Ask ( Memento of the original from July 20, 2008 in the Internet Archive ) Info: The archive link was inserted automatically and has not yet been checked. Please check the original and archive link according to the instructions and then remove this notice. , September 2003; Retrieved September 25, 2008.
- ^ Tiger security audit and intrusion detection tool
- ↑ After Tripwire, Inc. stopped developing the GPL version in 2000, the follow-up projects were Open Source Tripwire and AIDE ( memento of the original from October 16, 2008 in the Internet Archive ) Info: The archive link was automatically inserted and not yet checked . Please check the original and archive link according to the instructions and then remove this notice. (Advanced Intrusion Detection Environment).
^ Brian Hatch, James Lee, George Kurtz: Hacking Linux Exposed: Linux Security Secrets and Solutions . Ed .: McAfee , ISECOM . McGraw-Hill / Osborne, Emeryville, California 2003, p. xxx, 7 f . ( Preview on Google ; website for the book ).
Pete Herzog: OSSTMM - Open Source Security Testing Methodology Manual . 3, ISECOM, New York, August 1, 2008.
- ↑ Austrian Federal Chancellery , Information Security Office (ed.): Austrian Information Security Handbook . Austrian Computer Society (OCG), Vienna 2007, ISBN 978-3-85403-226-7 , p. 35 ff . ( Online version [accessed November 5, 2008]).
- ↑ A popular SSL VPN solution is OpenVPN . A browser-based alternative would be the SSL Explorer . Both are under the GPL . For a better understanding see Johannes Franken: OpenSSH Part 3: Pierce firewalls ; Retrieved September 25, 2008.
- ↑ AICPA: Security Solutions ( Memento of the original of July 24, 2008 in the Internet Archive ) Info: The archive link was automatically inserted and not yet checked. Please check the original and archive link according to the instructions and then remove this notice. , September 2003; Retrieved September 25, 2008.
- ↑ Tools for performing DoS attacks can be found in the article Strategies to Protect Against Distributed Denial of Service (DDoS) attacks . Further documents and useful resources can be found on computec.ch ( Memento of the original dated December 2, 2005 in the Internet Archive ) Info: The archive link has been inserted automatically and has not yet been checked. Please check the original and archive link according to the instructions and then remove this notice. and on packetstormsecurity.com .
- ↑ For GNU / Linux see linuxsecurity.com: Linux Advisory Watch
- ↑ Stuart McClure, Joel Scambray, George Kurtz: Hacking Exposed: Network Security Secrets & Solutions . Ed .: McAfee . McGraw-Hill Professional, Emeryville, California 2005, ISBN 0-07-226081-5 ( preview on Google - 692 pages).
- ↑ cf. Software Quality Assurance Plan and SunWorld: The Unix Secure Programming FAQ
- ↑ Achim Eidenberg: Metasploit: Exploits for Everyone , January 6, 2006
- ↑ An online-based alternative to nmap is the c't network check .
- ↑ Fyodor: The recognition of operating systems by means of stack fingerprinting ( Memento of the original from December 28, 2007 in the Internet Archive ) Info: The archive link was inserted automatically and not yet checked. Please check the original and archive link according to the instructions and then remove this notice.
- ↑ Umit nmap frontend
- ↑ Johannes Franken: Lecture on netcat .
- ↑ Linux Magazine : From Port to Port , May 2008.
- ↑ SelfLinux: nmap - the network security scanner
- ↑ HowtoForge: Security Testing your Apache Configuration with Nikto , August 11, 2006.
- ↑ See the FAQ on security on the Chaos Computer Club website : FAQ - Security ( Memento of August 18, 2004 in the Internet Archive ).
- ^ Microsoft : Sysinternals Suite
- ↑ An overview can be found on Archived Copy ( Memento of the original from October 6, 2008 in the Internet Archive ) Info: The archive link was inserted automatically and has not yet been checked. Please check the original and archive link according to the instructions and then remove this notice. .
- ↑ BackTrack Downloads ( Memento of the original from October 6, 2008 in the Internet Archive ) Info: The archive link was inserted automatically and has not yet been checked. Please check the original and archive link according to the instructions and then remove this notice.
- ↑ Knoppix STD: Download
- ↑ Network Security Toolkit
- ↑ nUbuntu: Download ( Memento of the original from October 6, 2008 in the Internet Archive ) Info: The archive link was inserted automatically and has not yet been checked. Please check the original and archive link according to the instructions and then remove this notice.
- ↑ Helix: Downloads
- ↑ 10 Best Security Live CD Distros (Pen Test, Forensics & Recovery)
- ↑ cf. A bunch of network admin's applications (Linux) ( page no longer available , search in web archives ) Info: The link was automatically marked as defective. Please check the link according to the instructions and then remove this notice.
- ↑ Products | N-stalker
- ↑ Qualys Tools & Trials
- ↑ http://www.secpoint.com/ SecPoint Penetrator Vulnerability Scanning
- ^ EEye Digital Security »Retina
- ↑ http://www.quatrashield.com/ Quatrashield Scanner Tools
- ↑ IBM - Internet Scanner ( Memento of the original from June 18, 2008 in the Internet Archive ) Info: The archive link was inserted automatically and not yet checked. Please check the original and archive link according to the instructions and then remove this notice.
- ↑ SafetyLab: Shadow Security Scanner
- ↑ GFI LANguard Network Security Scanner
- ↑ Downloads: Verinice