
IT Security Audits 


Information Technology

To ensure the security of IT operations, regular audits are a necessity.

 

Twenty years ago, life in the computer world was relatively carefree, as not many users were connected to the Internet. Those who were connected believed the Internet would be self-regulating, and users with malicious intent would be banished. Most online users lived by an unwritten code of honour, and attempting to send a virus was met with great wrath by the rest of the Internet community. During this time, hackers were in their infancy and often left messages such as "Bob was here!" on targeted computers, as the game was to "conquer and tag" rather than to "conquer and destroy."

But it was only a matter of time until some hackers took a leap from leaving innocent messages to major attacks on organizations storing personal data. Awareness of Internet and IT security has increased exponentially over the past five years, but there are still users who don't believe they can be the target of an attack. However, attacks on home computers are often used to establish unsuspecting users' computers as hosts for attacks on corporate targets.

Weak Links

The main areas of weakness in IT security are:

  1. Virus attacks from the Internet using e-mail as the vehicle. When the user opens the e-mail, the virus code hidden in the attachment is activated. E-mails carrying viruses are sophisticated and cunningly disguised in messages coming from friends, family, and colleagues. Mail scripting software such as sendmail, ghostscript, and Outlook is susceptible to virus attacks, but most viruses can be stopped by an up-to-date antivirus program.
  2. Attacks from the Internet using various pieces of code to penetrate IT operations through unmanaged or non-existent firewalls. In most cases, these attacks could be stopped by a properly managed firewall.
  3. Various scripts that run while users are browsing the Internet. Scripts are pieces of code, such as JavaScript, that are activated while a user accesses a Web page. Some of the scripts are innocent, but some carry dangerous virus signatures. Most of these could be stopped by using an up-to-date antivirus program.
  4. Installing unlicensed computer programs from diskettes, CDs, and USB keys. There are many bootlegged copies of programs circulating on the black market, and some programs are infected with viruses. Again, having an antivirus program is crucial.
  5. Unmanaged network infrastructure, user accesses, remote accesses, passwords, and screen savers not protected by passwords can threaten the integrity of the network. None of these security breaches can be prevented by antivirus programs or firewalls; they can only be managed by proper policies, rules, and procedures.

An Ounce of Prevention

For home computer systems, basic prevention steps may be all that is necessary, providing that the computer is used mainly for e-mail, browsing the Web, and home management applications. The steps are:

  1. Upgrade to Windows XP Home or Professional if you use Microsoft Windows, as the security features are better than with earlier versions. Microsoft has embarked on a campaign to patch the Windows operating system in order to prevent major security flaws, so check Microsoft's site every two weeks and upgrade your system with the latest patch available.
  2. To protect from internal attacks, make sure that individual user access is set up for each user's needs and apply access rules where possible. Do not make your administrator password public, as those with administrator rights have absolute power and may wilfully or mistakenly cause irreversible damage to the operating system configuration.
  3. Install either a hardware or software firewall and make sure that the firewall is updated on a regular basis. There is a debate as to whether software firewalls or hardware firewalls are better. Each type has its pros and cons, so you may want to consult a specialist to find the right solution for your particular IT environment.
  4. Install an antivirus program and update the software on a regular basis — weekly if possible. Make sure that all software installed or copied from floppy, CD, or USB keys is checked by the antivirus software before installation or copying.
  5. Have a general awareness of who is using your computer and for what.

Numerous Threats

The more complex an IT environment, the greater the chances the network will be attacked. For a home system with a high-speed Internet connection, an occurrence of 10 to 100 firewall attacks per day is not unusual. For a larger environment such as CGA-Canada's, a few thousand attacks per day are a normal occurrence, but we have observed days when the number has peaked at 10,000. Most attempted attacks are hackers probing various accesses, but any full-fledged attack could be extremely destructive. As for viruses, we have counted more than 20,000 infected e-mails trying to enter the system when a new virus is making its way through the Internet.

An Outside Perspective

Most organizations with small and medium-size networked systems use the services of an administrator. Administrators are doing a great job setting up and maintaining networks and security rules; however, an external review of system security can add valuable insight. IT security audits should be performed by a certified professional on a regular basis to ensure that all security systems, policies, and rules are up-to-date. The most recognized certification is the Certified Information Systems Security Provider (CISSP).

A properly conducted external IT security audit is a very complex process and may take a few weeks to complete. There are many IT consulting companies that provide this service, and the most important things to look for when choosing one are certification qualifications and a solid track record in performing IT security audits.

Conducting a Successful Audit

When performing an audit, tests and reviews should be adapted to the specifics of the operating system, as each system has security policies and rules that need to be addressed. The audit should focus on the following areas:

  1. Architecture and Processes
    The first step is a review of the network architecture against both the needs of the business and IT security best practices. Review all policies, rules, and processes governing access and interconnection between systems. For example, the internal network should be separated from the Web application by a firewall server, with the two placed in distinct network zones so attacks can be contained to one zone.
  2. Internal and External Network Testing
    All internal and external networks should be reviewed. Focus on network configuration vulnerabilities, integrity controls, and security reporting tools.
  3. Host Vulnerability
    Use information collected in the previous steps to perform penetration tests on servers and desktop computers. The tests should identify vulnerabilities caused by weak configurations or outdated software patches, as well as vulnerabilities at the firewall level, encryption level, and firewall ports.
  4. Web Application Testing
    The final step is to actively attempt to hack into Internet applications to determine security vulnerabilities.
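
The zone-separation review in step 1 can be partly automated. The following is an added example, not part of the original article: it checks a constructed firewall rule set for rules that let traffic cross from outside or from the Web zone into the internal network more widely than one host and one port. The zone names, addresses, and rule format are assumptions made for illustration.

```python
import ipaddress

# Constructed zone map (hypothetical addresses, not taken from the article).
ZONES = {
    "internal": ipaddress.ip_network("10.0.0.0/24"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),  # zone holding the Web application
}

# Constructed rules: (action, source CIDR, destination CIDR, destination port or "any")
RULES = [
    ("allow", "0.0.0.0/0", "192.0.2.10/32", 443),       # Internet -> Web server
    ("allow", "192.0.2.10/32", "10.0.0.20/32", 5432),   # Web server -> one database
    ("allow", "192.0.2.0/24", "10.0.0.0/24", "any"),    # Web zone -> whole internal zone
    ("allow", "0.0.0.0/0", "10.0.0.5/32", 3389),        # Internet -> internal host
    ("deny", "0.0.0.0/0", "0.0.0.0/0", "any"),
]


def zones_touched(cidr):
    """Return the zones a CIDR overlaps, plus 'external' if it extends beyond them."""
    net = ipaddress.ip_network(cidr)
    hits = {name for name, zone in ZONES.items() if net.overlaps(zone)}
    if not any(net.subnet_of(zone) for zone in ZONES.values()):
        hits.add("external")
    return hits


def audit_rules(rules):
    """Flag allow rules that weaken containment between zones.

    Each rule is judged on its own; rule ordering and shadowing are not modelled.
    """
    findings = []
    for index, (action, src, dst, port) in enumerate(rules):
        if action != "allow":
            continue
        src_zones, dst_zones = zones_touched(src), zones_touched(dst)
        if "internal" not in dst_zones:
            continue
        if "external" in src_zones:
            # Outside traffic reaches the internal zone directly.
            findings.append((index, "external-to-internal"))
        elif "dmz" in src_zones:
            dst_net = ipaddress.ip_network(dst)
            if dst_net.prefixlen < dst_net.max_prefixlen or port == "any":
                # A compromise of the Web zone would not stay contained.
                findings.append((index, "broad-dmz-to-internal"))
    return findings


if __name__ == "__main__":
    for index, reason in audit_rules(RULES):
        print(f"rule {index}: {reason}: {RULES[index]}")
```
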

Given that there is no end in sight for hacker and virus attacks, organizations of all sizes must perform IT security audits periodically to ensure that computer systems and data are safe and secure.
