Performing Network Auditing

The process of auditing focuses on validating and assessing the effectiveness of the controls that are in place. Similar to any Information Technology (IT) or information security domain, network security is also subjected to predefined audit cycles to ensure the efficacy of the security controls and their efficiency as part of the overall security program. 

In this chapter, we will understand the processes, tools, frameworks, and industry standards of network auditing.

The following topics will be covered in this chapter:

  • Getting started with your audit
  • Understanding the fundamentals of an audit
  • Performing a network security audit
  • Exploring network audit tools
  • Network audit checklist
  • Auditing best practices and latest trends

Technical requirements

To get the most out of this chapter, please familiarize yourself with the following topics before you begin:

  • Auditing frameworks and regulations such as SOX, HIPAA, GLBA, and PCI DSS
  • Platforms such as SolarWinds Network Topology Mapper, Open-AudIT, Nmap, Nessus, Nipper, Wireshark, SolarWinds Network Automation Manager, SolarWinds Network Configuration Manager (NCM), and BMC

Getting started with your audit

The goals and objectives of an information security audit are to measure, monitor, and observe the effectiveness and efficiency of the information security process in an organization. A network security audit is a sub-section of that overall engagement: information security auditing covers the broader set of IT functions, while network auditing focuses on how the network is set up, managed, and monitored. Every organization now relies on its network, and an outage or compromise of that network brings the business to a halt in this digital information era.

Before we get into the gory details of network auditing, let's cover the basics. The following subsections will take you through the details of what a network audit actually is, and we will enumerate a few key concepts.

What is a network audit?

A network audit is a systematic process whereby we analyze the network to ascertain its health in accordance with the organization's business requirements. It also provides insight into how effective the network controls and procedures that have been put in place are, and whether they meet industry standards and regulatory requirements.

There are different varieties of network audits, where the scope and objectives of the audit determine what the auditor looks at. Many organizations conduct annual audits of their business-critical assets and systems, typically performed by an external audit firm. They may also conduct half-yearly internal audits, or an ad hoc audit when there is a significant change in the business, such as a new business unit being formed or a merger or acquisition.

The overall goal of network auditing is to ensure that the organization complies with the standards and regulatory requirements it is mandated to follow. It also provides continuous feedback on the security status of the network and highlights areas of improvement, which can then be fixed before they turn into a security liability.

Why do we need a network audit?

Today, organizations of all sizes and verticals depend on their IT network in order to run their business operations smoothly. With the constantly evolving threat landscape and changes being made to networks based on company operations, it is more crucial than ever to ensure stable connectivity and operational capability.

Periodic auditing and reviewing networks are essential activities that need management focus and due diligence. Besides this, there are other reasons to carry out a network audit, as follows:

  • Compliance: Network auditing ensures that the applicable compliance and regulatory requirements are met and that the relevant remediation activities are initiated. It also quickly establishes whether current systems comply with the company's internal policies and whether all software in use is properly licensed.
  • Software availability: Any company that relies on IT needs to know what software is in use in-house, which versions are deployed, and which installations need to be updated. This protects the company from attacks against known, already-patched vulnerabilities, and newer releases often bring an improved user experience as well.
  • Hardware availability: Network auditing builds a clear hardware and software asset inventory for the organization. This helps identify which hardware is obsolete or needs to be reconfigured or patched in order to operate securely, and it also surfaces unauthorized devices, if any, that could pose a security threat.
  • IT issues management: An audit helps recognize the IT problems the organization is facing; such problems reduce employee productivity and can put the company's sensitive data at risk.
  • Overcoming vulnerabilities: IT networks need to be highly secure. A network audit reveals weaknesses such as insecure services and open ports; misconfigured files, folders, and S3 buckets that are accessible externally; unverified accounts; weak passwords; open shares; and other threats to the network. Identifying these vulnerabilities is the first step toward eliminating them.

Now that we understand what a network audit is and why we need them, let's take a look at the key concepts of an audit and its types.

Key concepts of network auditing

As we go about understanding and exploring networking auditing, we must be aware of a few key terms: 

Audit scope: While starting an audit, it's important to establish the scope of the audit in order to set the correct expectations and outcomes for the auditing engagement. Broadly speaking, four high-level audit categories can be considered:

  • Auditing organization: This focuses on the high-level approach, from a governance standpoint, of looking at all the attributes of the business.
  • Auditing domain: Such audits focus on the people, processes, and technologies of a specific domain. 
  • Auditing function: Here, the focus is on the functional aspects, which may or may not include several teams, and their processes and relevant technologies.
  • Auditing a process: Process auditing focuses on validating all the steps involved in a process from beginning to end.

With this basic understanding of what a network audit is and a few key terms, we will now dig deeper into the concept of network auditing. We will try to understand the four pillars of network auditing, the auditing process, the role of an auditor, and a few industry standards.

Understanding the fundamentals of an audit

This section covers the basic information and terms that an auditor like you should be familiar with. This will help you plan your activities and understand the output expected from them. Governance frameworks and industry standards help you baseline the scope and what to look for during the audit. Standards, controls, procedures, policies, and risk assessment all play an important role in network auditing, as most organizations need to comply with industry standards and regulations. Without a risk assessment, no audit is complete, and network audits are no different. Hence, these are the topics we will cover here.

Understanding the types of audits

Network audits can be classified into three types (review, assessment, and audit), depending on the audit's scope and the organization's requirements and standards, as per its regulatory and compliance mandates. Let's take a closer look at these:

  • Review: This is the most basic form of audit, where the auditor examines the area in scope based on experience and provides an opinion as the output. That output is then examined to determine the course of action and the priority in which it needs to be carried out. Reviews can be broken down into architecture reviews, policy reviews, and compliance reviews.
  • Assessment: An assessment analyzes the examination output and prioritizes findings based on their criticality and their organizational and business relevance. Quantifying the associated risk is also important in order to understand the impact of the issue or threat at hand. For instance, say two financial servers and a print server share the same vulnerability. The assessment should consider the financial risk: which is more critical, given the threat's impact and the risk to the business?
The principal distinction between a review and an assessment is the intensity and extent of the examination; a policy assessment or an architecture assessment goes deeper than the corresponding review.
  • Audit: Typically, an audit involves both an assessment and a review. It may also include a gap analysis against standards such as the ISO/IEC 27000 family (for example, ISO/IEC 27001) to measure how well the organization meets regulatory and contractual requirements such as HIPAA or PCI DSS.

An audit comprises factors such as people, processes, and technologies compared to a benchmark in a repeatable, standardized format. Examples include the following:

    • Policy audit
    • Compliance audit
    • Risk audit

Irrespective of the audit type and category, policies, procedures, standards, and controls form the foundational pillars of any audit. A networking audit is no different from this.

Foundational pillars for network audits

Policies, procedures, standards, and controls form the basic foundational pillars of a successful network audit. Every network is different in its composition and architecture, which reflect the business requirements and goals at the time the network was created. As the business landscape and operations change, the network changes with them. Hence, the networking and security tenets that were kept in mind when the network was created may not be maintained throughout its life cycle. This is why these four pillars are a good starting point for understanding the network and benchmarking it.

Policy

Policy is crucial for any organization, irrespective of its size, industry vertical, and geolocation. It acts as a binding agent between the organization and its users, and it dictates how corporate resources may be used. It also guides the organization's overall operational approach by stating why such policies are needed and how compliance with them is measured against industry best practices and applicability.

Procedures

Procedures are comprehensive instructions for implementing policies. They are therefore an important aspect that should be consulted during the implementation phases and should be explicitly documented alongside the relevant policy. They act as the operations manual for the organization, and they give the auditor insight into how the organization operates and runs its processes.

Standards

Standards outline the expected configurations and controls as per industry standards and/or best practices. An example of a good password standard is a mandated password length and complexity. Referring to standards documents such as the NIST Special Publications or ISO/IEC 27001 and 27002 helps rationalize why a technical configuration or product was selected in order to comply with policy requirements.

Controls

Controls are the building blocks of any security mitigation implemented in the organization. A major portion of an audit centers on the many controls an organization has in place to reduce risk. Auditors focus on the effectiveness and efficiency of the implemented security controls against the threats they are meant to mitigate, as per the organizational security plan.

Controls can be categorized as administrative, technical, or physical, as follows:

  • Administrative controls: Focus on managing people via policies and guidelines such as separation of duties, data classification, background checks, work supervision, and security training, which can be used to dissuade fraudulent or improper employee behavior.
  • Technical controls: Used to prevent or detect malicious activity; for example, firewalls, IPS/IDS, endpoint security applications, and access controls.
  • Physical controls: Door locks, RFID/biometric access controls, video surveillance, and guards are forms of physical access control used to regulate access to critical locations on the organization's premises. For instance, financial organizations have stringent physical security controls that keep unauthorized personnel out in order to protect their assets.

These three primary categories can be further classified by function as preventive, detective, corrective, and recovery controls. This helps gauge the risks correctly during the risk assessment:

  • Preventive controls: These aim to prevent unauthorized access and any impact on the Confidentiality, Integrity, and Availability (CIA) attributes. Examples include firewall rules and MAC-based filtering.
  • Detective controls: These focus on enhancing the capability to detect a potential threat, including the alarms and alerts raised once a threat has been detected. Examples include video surveillance, firewall logs, SIEM, IDS, and security audits.
  • Corrective controls: These focus on correcting changes to the system or environment after a security threat or breach. Examples include applying security patches to an application or system, system reboots, quarantining a malicious file or malware, and terminating malicious activity.
  • Recovery controls: These focus on bringing the system or environment back to its original state after a security threat or breach. Examples include backup systems, redundant power supplies, business continuity plans, and disaster recovery plans.

The auditor needs to understand how the various controls interact in order to decide whether the company under audit has addressed its controls thoroughly. The following example groups the controls for a remote access VPN by category:

Preventive controls
  • Administrative: Remote access VPN policy
  • Technical: Firewall access rules, MAC filtering, SSL or IPsec VPN, NAC assessment
  • Physical: Delivery area and data center require an access card; password recovery disabled on the VPN appliance

Detective controls
  • Administrative: VPN user access review
  • Technical: Intrusion prevention system, firewall log review
  • Physical: Video surveillance; alarm sensors on the doors to equipment, data, and delivery centers

Corrective controls
  • Administrative: Access revocation procedures
  • Technical: NAC access remediation
  • Physical: Auto-locking doors after unauthorized entry

Recovery controls
  • Administrative: Recovery procedures documented
  • Technical: VPN cluster, modem pool
  • Physical: Uninterruptible power supply

Now that we understand the different aspects of auditing, let's take a look at the role that risk management plays in a network audit. 

Risk management in a network audit

Technology can help dramatically reduce risks. However, if it isn't implemented properly, it produces no meaningful data about risks and fails to detect a real attack. Hence, companies need to understand their risks through a risk assessment.

Most organizations have a risk management program, since most industry standards and regulations, such as PCI DSS, GLBA, SOX, and HIPAA, require one. Organizations need clarity on the threats they face and the resulting risks, which is achieved by quantifying the risk. This helps the auditor classify findings under the right category, so that management understands their criticality and takes the appropriate actions.

Therefore, auditors need to conduct a risk analysis to determine whether the organization's controls are effective. This helps the auditor assist the organization in reducing the risk at hand by implementing the recommendations.

Risk assessment

There are two main approaches to risk measurement, namely quantitative and qualitative. As quantitative methods require reliable loss and frequency data and a lot of number crunching, most organizations use qualitative methods. Their results are actionable, and ratings can be expressed as critical, high, medium, and low. The formula used for risk calculation is as follows:

Risk = Threat*Vulnerability*Impact of Exposure

Let's take a look at what the different parts of the formula mean:

  • Threat: Anything that can cause potential harm to an organization or its business operations is a threat. This can result in partial or complete impact on the CIA triad.
  • Vulnerability: An avenue or loophole via which damage or harm can be done to a system, process, or asset is known as a vulnerability. However, the existence of a vulnerability doesn't always equate to the possibility of it being exploited.
  • Impact of exposure: This variable refers to the impact on the organization if the threat successfully exploits the vulnerability. The time needed to make the exploit work also matters: if a password takes 100 years to crack, it is not a major concern, because the password will have been changed long before then.
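As an added worked example (not part of the chapter), the following Python script applies the formula to a handful of constructed findings: the chapter's case of two financial servers and a print server sharing the same vulnerability, and a weak-password finding whose exploit takes far longer than the password rotation cycle. The three-point numeric scale, the rating band thresholds, the exploit-window rule, and the sample findings are assumptions of this example; the chapter only gives the formula and the rating names.

```python
"""Qualitative risk scoring for audit findings.

Added example, not code from the chapter. The chapter gives the formula
Risk = Threat * Vulnerability * Impact of exposure and the rating names
critical/high/medium/low; the numeric scale, the band thresholds, the
exploit-window rule and the sample findings below are this example's own
assumptions.
"""

# Assumed three-point scale for each factor of the formula.
SCALE = {"low": 1, "medium": 2, "high": 3}


def effective_vulnerability(level, time_to_exploit_days=None, control_cycle_days=None):
    """Downgrade a vulnerability whose exploit takes longer than the control
    cycle that neutralises it, for example a password that would take 100
    years to crack but is rotated every 90 days (assumed rule)."""
    if time_to_exploit_days is not None and control_cycle_days is not None:
        if time_to_exploit_days > control_cycle_days:
            return "low"
    return level


def risk_score(threat, vulnerability, impact):
    """Risk = Threat * Vulnerability * Impact of exposure (product scale 1..27)."""
    return SCALE[threat] * SCALE[vulnerability] * SCALE[impact]


def risk_rating(score):
    """Map the product onto the chapter's qualitative bands (thresholds assumed)."""
    if score >= 18:
        return "critical"
    if score >= 12:
        return "high"
    if score >= 6:
        return "medium"
    return "low"


def assess(findings):
    """Score each finding and return them ranked, most severe first."""
    ranked = []
    for f in findings:
        vuln = effective_vulnerability(f["vulnerability"],
                                       f.get("time_to_exploit_days"),
                                       f.get("control_cycle_days"))
        score = risk_score(f["threat"], vuln, f["impact"])
        ranked.append({"asset": f["asset"], "issue": f["issue"],
                       "score": score, "rating": risk_rating(score)})
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return ranked


# Constructed sample: the same unpatched service on two financial servers
# and a print server (business relevance expressed through the impact
# factor), plus a password finding whose exploit window exceeds rotation.
SAMPLE_FINDINGS = [
    {"asset": "fin-db01", "issue": "unpatched SMB service",
     "threat": "high", "vulnerability": "high", "impact": "high"},
    {"asset": "fin-app01", "issue": "unpatched SMB service",
     "threat": "high", "vulnerability": "high", "impact": "medium"},
    {"asset": "print-01", "issue": "unpatched SMB service",
     "threat": "high", "vulnerability": "high", "impact": "low"},
    {"asset": "vpn-gw01", "issue": "passphrase policy, offline crack estimated at ~100 years",
     "threat": "medium", "vulnerability": "high", "impact": "high",
     "time_to_exploit_days": 36500, "control_cycle_days": 90},
]

if __name__ == "__main__":
    for row in assess(SAMPLE_FINDINGS):
        print(f"{row['rating']:9} {row['score']:2}  {row['asset']:10} {row['issue']}")
```

The print server's finding lands at medium not because the vulnerability is any less real but because the impact of exposure is lower; the auditor still records it, with its lower priority, rather than dropping it.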

Given the dynamic aspect of today's businesses, periodic risk assessments are critical. Risk assessment needs to be an ongoing process of identifying, rectifying, and resolving security issues. NIST's six steps to risk assessment are as follows:

  1. Identifying the systems in scope
  2. Identifying and documenting internal and external threats
  3. Determining the risk and impact
  4. Analyzing the security controls
  5. Determining the likelihood of the risk
  6. Identifying and prioritizing the response

Next, we will take a look at the risk management strategies that can be utilized.

Risk management strategies

After determining the risks, the next logical step is to mitigate them via several options, such as risk avoidance, risk acceptance, risk transfer, and risk mitigation. Let's quickly take a look at these options:

  • In broad terms, the idea of risk avoidance is to stop the activity that is causing the risk.
  • In risk acceptance, we accept the risk as part of the business requirement.
  • Risk transfer refers to transferring the business risk to a third-party service provider or vendor or buying insurance.
  • Risk mitigation, which is the preferred strategy, is where we put mitigating controls in place to avert the risk. This may eliminate the risk entirely or leave some risk behind after mitigation, which is known as residual risk.

Some of the key questions to ask should be: Is your intellectual property adequately protected? Are your business-critical applications and processes resilient? Can you ensure your board, regulators, and clients, as well as your organization's data are protected? Do you have an action plan for a breach? Do you have a plan to ensure you're operational after a major cyber disruption?

Next, we will take a look at the various industry standards that can be employed by organizations.

Industry standards and governance framework

Compliance and regulatory requirements have been a major reason for the adoption of information security controls in organizations worldwide. Some of the major ones are as follows:

  • SOX: The US Congress passed the Sarbanes-Oxley (SOX) Act in 2002 to protect the integrity of the information organizations report. Its intent is to increase transparency in financial reporting and to require a formalized system of checks and balances. IT security controls play an important role in SOX financial controls because they deal with data access, security, and confidentiality, so auditing these management procedures and controls is crucial for SOX compliance.
  • HIPAA: The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a regulatory standard that governs the use of Protected Health Information (PHI). HIPAA is administered by the US Department of Health and Human Services (HHS) and enforced by its Office for Civil Rights (OCR). The focus here is on auditing the security policies and procedures for handling protected health data.
  • GLBA: The Gramm-Leach-Bliley Act (GLBA) is a US federal law that governs how financial institutions handle customers' Personally Identifiable Information (PII). Under the GLBA, financial organizations are required to protect customers' data and to give customers the option to opt out of having their data shared with third parties. 
  • PCI DSS: The Payment Card Industry Data Security Standard (PCI DSS) deals with protecting cardholder data and applies to every business that processes, stores, or transmits that data. Among other things, it requires the following controls:
    • A secure network and systems, with cardholder data protected by a vulnerability management program
    • Strong access controls
    • Active monitoring and testing of the network
    • Well-documented security policies
  • Governance framework: Generally speaking, an audit benchmarks the current state of the environment against the desired state, which exposes the process gaps that need attention. The industry offers various best practices and standards for a strong security posture, but it is important that the organization selects the standard that best fits its business operations and relevance.

Governance provides a framework for measuring performance against the set benchmarks, as mandated by the standards and guidelines. Some frequently used governance frameworks include ITIL, COSO, and COBIT.

So far, our focus has been purely on what auditing is all about. But who is the person who conducts a network audit?

Understanding the auditor's role

The auditor plays a crucial role in the outcome of the audit. Some of the key areas that they should focus on are as follows:

  • Identify and report the risk, issues, observations, and findings with relevant recommendations.
  • Provide an overview of the overall effectiveness in conjunction with the people, processes, and technologies being implemented. 
  • Measure the organization's activities, processes, and procedures against the industry standards and best practices.
  • Conduct interviews with the correct stakeholders to gain insight into the operations, and examine how controls are implemented and how well they work to protect the company's interests and meet its objectives.
  • Ensure they (the auditor) have appropriate access, controls, and cooperation to perform the audit. 

Now that we understand the key areas an auditor needs to focus on, let's look at the audit process itself.

Understanding the auditing process

The auditing processes can be divided into the following broad stages:

  • The planning stage: This is the first stage in the auditing process and focuses on forming an overall plan for the audit. This helps in documenting the purpose of the audit, as well as the requirements and standards that will be referred to and measuring the findings. This also includes determining the objectives, scope, and time frame. 
  • The research stage: This is the second stage, and the focus is on operational attributes such as skills, technology, organization structure, process and flow of data, identifying the correct stakeholders to be interviewed, the process for control testing, and creating an audit checklist.
  • The data gathering stage: This is the third stage of the audit, where the audit itself is conducted. The checklist, standards, and compliance/regulatory requirements that were articulated in the planning and research stages are now put to use for benchmarking. Technical control testing is conducted in this stage, along with personnel interviews, documentation reviews, and process walkthroughs.
  • The data analysis stage: This is the fourth stage of the audit and is where the evidence and observations that have been collected are analyzed. The auditor is expected to reflect on these findings, draw conclusions, and determine the severity of them while mapping them to the relevant industry standards and regulatory compliance requirements, and then document recommendations for the findings.
  • The audit report stage: This stage focuses on documenting the findings in the required format and presenting them to management or the required authority. Such reports contain two distinct sections:
    • Executive summary: This is meant for top management or senior leadership to get an overview of the findings and the broad issues at hand, as well as their impact, severity, and recommendations.
    • Detailed findings: This is typically meant to provide a complete picture of each observation and their suggested mitigations in a detailed format. 
  • The follow-up stage: This is the final stage in the audit process and revolves around validating that the recommendations provided in the earlier stages were implemented correctly and have produced the desired outcomes and results. The auditor is expected to reexamine the controls, processes, and procedures to make sure that all the previously identified issues are now fixed.

So far, we have covered the essential aspects and requirements of an audit, the different audit types, risk management strategies, and industry frameworks. With this, we are now well-equipped to learn about the stages involved in performing a network audit.

Performing a network security audit

In this section, we will take a look at the operational aspect of a network security audit and the various inter-dependencies. This includes different phases such as planning and research, data gathering, and analysis, as well as reporting and follow-up. Each of these phases plays an important role in ensuring that due diligence and due care is consistent throughout the audit process.

Planning and research phase

This is where the audit process is initialized. It focuses on defining the scope of the audit's engagement. It ensures that the correct attributes of the network have been appropriately considered in the scope of the audit, along with any dependencies on other assets, processes, or technologies. You may have to sign an NDA and a services agreement before the audit starts.

In this stage, we determine the network's technical landscape, as well as identify the crown jewels and the high-value targets in the environment, any recent changes, results of previous audits, controls currently in place, and the current documentation and network diagrams.

You need to construct a checklist that provides areas to be audited (the next section covers this checklist in detail). You will use the network's inventory and mapping tools to understand the network architecture and devices that are interconnected in the network.

Data gathering and data analysis phase

The data gathering phase is where the real action takes place. Here, you need to conduct surveys and interviews and observe the system and processes in action. You may need to look at previous review audits, if any, for trends, as well as inspect the configurations and run certain tools (such as penetration testing and technical vulnerability assessment) to verify the effectiveness of the technical controls. Then, you must gather and record the evidence.

In the data analysis phase, the gathered data needs to be categorized so that you can distinguish evidence from noise. You must prioritize risks and rank them by severity, and then rank the critical assets, potential threats, and vulnerabilities. This is where the auditor's experience comes into play: tools produce reports, but you need your experience to pick out the relevant details from them, as per the scope agreed with the customer. You are expected to provide recommendations and opinions wherever required.

Audit report and follow-up phase

The audit report phase is one of the most crucial phases of the audit process. This includes generating the executive summary, which provides a high-level overview of the audit process that's been followed, the main findings and observations, along with the recommendations to fix those findings.

You need to present your findings to senior management. Technical jargon is usually avoided in the executive summary. You also need to prepare an architecture review report containing the technical details that will be discussed with the technical team.

Finally, the audit report encompasses all the checklists, findings, evidence, risk severities, and recommendations. You agree on the actions with the organization and set the required timelines for closure. Tool reports can be used to support the discussion, but you should analyze them beforehand rather than presenting raw output.

In the last and final phase, the follow-up phase, you ensure that the timelines agreed in the previous phase are met. At this stage, you may need to conduct a subsequent review of the actions taken and verify that the reported issues have actually been fixed, and then update the audit reports accordingly.

While discussing the data gathering stage, I mentioned analyzing and interpreting reports. A variety of tools can help us gather and visualize data to aid the network audit; we'll discuss them in the next section.

Exploring network audit tools

Various tools and platforms aid in the process of conducting a network security audit. Network audit tools can provide information such as the following:

  • The device inventory: Device name, capacity, make and serial number, MAC address, End of Support (EOS), and End of Life (EOL) information
  • Network diagram: Depicts the connections between the devices
  • Software installed: Software name, license, and security patch level
  • Reports: Generated reports of the inventory and findings

Network audit tools can be broadly categorized as follows:

  • Network inventory and network diagram analysis
  • Security assessment
  • Performance assessment
  • Configuration management

The tools you use will vary, depending on the audit's scope. However, at the time of writing, vendors are coming up with unified product suites for network management and monitoring. This section covers the best tools under each category. The organization has to undertake due diligence to figure out the best tool as per their needs.

Network assessment and auditing tools

In this section, we will take a look at some platforms that are used by security professionals and auditors to actively monitor the network for threats and assess the environment in scope for potential violations.

SolarWinds

The SolarWinds Network Topology Mapper automatically identifies the available networks and creates a complete network topology map from a single network scan. The following is a screenshot of its dashboard:

It also supports iterative scans. These keep updating the network topology based on the incremental changes observed by each scan, which comes in handy for identifying malicious network alterations, rogue devices, and unauthorized access points. It also has functions that help check for adherence to regulatory compliance and other industry requirements.

Open-AudIT

Open-AudIT is another leading network auditing platform that can be used for software, hardware, and Windows domain audits. It is extremely user-friendly and provides a host of audit functionalities. 

The following is a screenshot of its user interface:

It provides features such as network device and agentless discovery, change monitoring, license management, asset tracking, network analysis reports and dashboards, network automation, cloud discovery and audit, file integrity monitoring, network configuration, and change management. 

Nmap

Nmap is an open source tool for network discovery and security auditing. It uses raw IP packets to scan large networks quickly and identify live hosts, the ports they have open, the services (and, with version detection, the software versions) behind those ports, and the operating system each host is likely running. The following screenshot shows Nmap's operating system detection output (OS name and version):

Today, Nmap is used mainly for network security work, though it remains a useful utility for network administrators performing routine tasks such as inventory and host availability checks.

Netformx

Netformx provides a range of professional solutions that enable organizations to quickly design, build, and execute large-scale enterprise network projects. Some of its solutions, such as Netformx Discovery, can be used to conduct comprehensive network audits and to flag end-of-life (EOL) or out-of-support products and suggest upgrades, which is especially helpful during an audit.

So far, we've discussed network assessment and auditing tools. Next, let's take a closer look at security assessment tools.

Security assessment tools 

The objective of vulnerability assessment is to identify, classify, and report on known vulnerabilities in the environment. An automated vulnerability assessment tool is good for conducting large-scale assessments in organizations with vast environments where iterative scans are required from time to time.

While conducting such assessments, bear in mind that the scans themselves can cause downtime on fragile systems and applications. Scan windows should therefore be agreed in advance, the affected service owners informed, and a contingency plan put in place.

Nessus

Nessus comes with pre-built policies and templates, as shown in the following screenshot:

If you upgrade to Nessus Professional, you can group vulnerabilities by several factors. It also lets you snooze vulnerabilities that are not crucial so that you can focus on the critical ones, reducing distraction and noise:

With Nessus Pro, you can create branded reports in a variety of formats (for example, CSV and HTML) to easily share your most critical information with your team or client.

Nipper

Nipper is a handy tool that audits the configuration files of network devices such as firewalls, switches, and routers to discover vulnerabilities and misconfigurations. It also prioritizes the findings automatically and provides ready-made recommendations and fixes to remediate the identified issues.

Here's a screenshot of its dashboard:

Nipper offers audit reports covering device configuration, security, vulnerabilities, and compliance; scheduled audits and SIEM integration; and suggested technical fixes and remediation steps for the identified issues.

Wireshark

Wireshark is the most widely used network protocol analyzer. It captures live traffic from an interface (or reads a saved capture file) and decodes the packets protocol by protocol, so the analyst can perform deep inspection of individual conversations. Given the relevant keys, it can also decrypt protocols such as IPsec, ISAKMP, Kerberos, SSL/TLS, and WPA/WPA2, among others.

The following screenshot shows how Wireshark captures packets so that users can examine their content:

Using an automated platform or tool for network security assessment and auditing helps tremendously, yet we should be aware of all the checks that should be conducted as part of a network audit. Hence, in the next section, we will take a look at the network audit checklist and all the attributes that should be validated as part of the audit.

Network audit checklist

The network auditing checklist acts as the outline plan for the audit's entire engagement. This helps in documenting the objectives of the audit and ensures accurate coverage of artifacts and processes in the audit scope, assessment methods, and expected results.

In this section, we will discuss the composition of a comprehensive checklist and list the activities that should be in scope and taken into consideration. This will be followed by a case study where we will create our own checklist of a dummy organization.

Comprehensive checklist

A comprehensive checklist should be customized to the individual engagement. Each item should be tied to a control area (the company's policy, industry standards, and compliance requirements such as the ISO/IEC 27000 family of standards or NIST publications), an assessment method, a risk category, the evidence required, and a recommendation, so that the completed checklist feeds directly into the audit report. Every step under each subdivision (design and architecture review, network infrastructure security, and so on) should be detailed to the depth the audit scope demands.

Planning phase

The planning phase is focused on setting the right scope and documentation for the attributes that will be validated or reviewed as part of the audit process. It includes the following:

  • Hold meetings to discuss customer objectives: Discussions should be held regularly to cover business objectives, customer expectations, and any known issues.
  • Customer meeting to discuss scope: Understand the customer's business objectives and document any known issues.
  • Scope and schedule: Document the scope to be assessed and the schedule, and execute the customer NDA (a non-disclosure agreement is a legal prerequisite for conducting the assessment) together with the master services agreement.

This helps us in setting the right context and ensuring that the outcomes will be as expected.

Design and architecture review

Next, we take a look at the design of the environment, the architecture, and the business logic and data flow in the environment. This includes the following:

  • Network overview architecture: Conduct reviews for the modularity, scalability, and capabilities of the network.
  • Traffic flow: Assess the application's traffic flow, data center, internet edges, client access, WAN, cloud, and so on.
  • Services and SLAs: Assess high availability and whether Operational-Level Agreements (OLAs) and Service Level Agreements (SLAs) have been defined.
  • MPLS/VPN service: Remote office and client access capabilities.
  • QoS Standards: Deployment methods used.
  • Layer 2 optimization: Assess spanning tree security/optimization and distributed layer 2 attributes.
  • Layer 3 routing: Review that the routing is dynamic, optimized, and secure.

Next, we will take a look at the physical inventory of the environment.

Physical inventory

The focus here is to ensure there's documentation about all the hardware components in the network, as well as connectivity, routing, and so on. It includes the following: 

  • Hardware inventory spreadsheet: Document and review physical hardware inventory and serial numbers if possible
  • Layer 1-2 diagrams/documentation: Assessment with respect to physical interconnectivity
  • Layer 3 diagrams/documentation: Assessment with respect to routing connectivity, gateway management, summarization, and route entrances/exits
  • Rack elevation diagrams/documentation: Assessment of the physical rack diagrams
  • Environmental capabilities: Power, cooling, cable management, and so on

Next, we'll look at the attributes of the network infrastructure with respect to security.

Network infrastructure security

The focus here is on the various network components and their state of security. This includes the following:

  • Misconfiguration or design flaws: Assess and review all the configurations of the network devices, such as firewall design review, IDS/IPS, and switches.
  • Weak authentication or encryption protocols: Review VPN, wireless, and 802.1x authentication methods.
  • Centralized authentication, authorization, and accounting: Review whether device administration uses a central AAA service (for example, TACACS+ or RADIUS) rather than local accounts, and whether administrative actions are accounted for.
  • Attack Awareness (IPS/IDS): Assess the IPS/IDS design and conduct a log review.
  • Control plane policing/security: Attributes such as infrastructure device access, CoPP, and rogue detection (both wired and wireless).
  • Infrastructure physical security: Review policies and the implementation of cameras, locks, and restricted physical access.

Next, we will take a look at the infrastructure for monitoring and managing software and applications.

Infrastructure for monitoring and management

This phase focuses on a number of key areas that are important for the sustainability of the network. They include the following:

  • Central monitoring/alerting capabilities: Assessment of management platform utilization/capabilities
  • Syslog capabilities: Assessment of controls, retention, and management
  • Host-end monitoring/management: Assessment of host detection/monitoring
  • Software management: Assessment of deployment processes for upgrades/patches
  • Configuration validation capabilities: Assessment of the lab environment
  • EOL/EOS hardware and licensing: Assessment of the process for life cycle and licensing compliance

The next phase is known as configuration management and focuses on the various configurations and their alignment to industry best practices.

Configuration management

The focus here is on attributes such as backup, automation, and change management:

  • Centralized configuration backup and automation: Review configuration backups and automation capabilities.
  • Configuration change management workflow: Assess change control management.

Next, we will take a look at the performance monitoring and analysis phase.

Performance monitoring and analysis

This phase focuses on validating the performance capabilities of the environment. This includes the following:

  • Netflow and packet capture capabilities: Assess bandwidth planning and packet capture capabilities.
  • Network performance capabilities: Assessment of L4-L7 visibility and baseline capabilities.

Next, we'll take a look at the last phase, which is the documentation phase.

Documentation

In the documentation phase, the focus is on ensuring that all the processes, procedures, and configurations are well-documented and in place. The documentation includes the following:

  • Executive summary documentation: Review the overall summary.
  • Principal architect review: Review the architecture and engineering documentation.
  • Detailed documentation book/audit report: Everything gathered in a single place.

This concludes the audit checklist for a network audit. Now, we will take a look at a case study for a network security audit and learn how to apply the principles we have covered so far.

Case study

A financial institution has outsourced its network management activity of "Managing and monitoring the institution's network and designing, configuring, and implementing additions and improvements for the network" to a third-party vendor. The institution has also signed a service agreement with the auditing firm to audit the outsourced work of network monitoring and management.

Let's outline how the auditor went ahead with the network audit to get an idea of the entire process:

  • Audit scope: As indicated in the previous sections, the auditor's first and foremost task is to understand the audit scope. Here, the scope is to audit the third-party vendor on behalf of the financial institution. The auditor can use the statement of work signed with the third-party vendor for the activity, "Managing and monitoring the institution's network and designing, configuring, and implementing additions and improvements for the network," as the basis of the proposed checklist.
  • Audit plan: Specific guidelines that are to be followed during the audit engagement.
  • Objective: To audit the third-party vendor for network monitoring and management on behalf of the financial institution.
  • Scope: The auditing firm has to audit the third-party vendor against the customer's network policy, which requires adherence to the ISO/IEC 27000 family of standards. As per the requirements, the third-party vendor has to set up a Network Operations Center (NOC) to manage and monitor the customer's network, and the customer has listed its NOC monitoring requirements in the RFP. Hence, the auditing firm has to audit the NOC as well.
  • Artifacts: The auditing firm has to submit a report to the customer highlighting the risks and to provide recommendations as per their expertise.
  • Time Frame: 1 month.
  • Checklists: We will have two checklists:
    • Network monitoring checklist
    • NOC checklist

We'll take a look at the aforementioned checklists in the following subsections.

Network monitoring checklist

This checklist ensures that the audit scope covers the audit requirements.

The last column (Relevant review) shows which part of the comprehensive checklist each requirement maps to. This is only a sample list, and you may end up with a much more detailed one depending on the scope and depth of the audit:

Columns: # | Area | Audit requirement | Evidence required | Relevant review

1. Pre-implementation
   Audit requirement: Study the network architecture, including the IP scheme, router configuration, IPsec encryption, and routing protocols.
   Evidence required: Existing low-level network architecture diagrams for the existing and new sites, highlighting the IP scheme, router configuration, IPsec encryption, routing protocols, and design and architecture.
   Relevant review: Design and architecture review

2. Pre-implementation
   Audit requirement: Design and implement upcoming branch offices to ensure the redundancy and availability of network links and components.
   Evidence required: The number of existing/upcoming branches where the network implementation was performed; the existing low-level network architecture diagram highlighting redundancy and availability.
   Relevant review: Design and architecture review

3. Implementation
   Audit requirement: Business traffic should be encrypted with IPsec using AES-128 or a stronger algorithm.
   Evidence required: List of devices configured during the quarter with AES-128 or stronger; configuration snapshot showing AES-128 or stronger configured on those devices.
   Relevant review: Network infrastructure security

4. Implementation
   Audit requirement: Prevention mechanism for Denial of Service (DoS) and Distributed DoS (DDoS) attacks, including control-plane DoS/DDoS attacks.
   Evidence required: Implementation status of the DDoS protection system for all networks; reports on its operation, if any (SIEM integration reports, incident reports, and so on).
   Relevant review: Network infrastructure security and monitoring

5. Implementation
   Audit requirement: A strong hashing algorithm should be used for authentication; for example, a SHA-2 family function (SHA-256 or stronger).
   Evidence required: List of devices configured during the quarter with SHA-2-based authentication; configuration snapshot showing SHA-2-based authentication on those devices.
   Relevant review: Network infrastructure security

6. Implementation
   Audit requirement: A centralized access control mechanism, such as TACACS+ or RADIUS, should be in place for administrative access to these devices.
   Evidence required: Process for onboarding network and security devices.
   Relevant review: Network infrastructure security

7. Implementation
   Audit requirement: All devices should be time-synchronized with the customer's existing NTP server (details to be provided by the customer).
   Evidence required: Snapshot of the NTP configuration on the network devices.
   Relevant review: Network infrastructure security

8. Configuration
   Audit requirement: Implement IPsec encryption on existing and new routers, including installing the hardware, configuring the routers, creating the IP tunnels, testing, and monitoring.
   Evidence required: Relevant documentation.
   Relevant review: Network infrastructure security

9. Configuration
   Audit requirement: Provide network device security features such as MAC binding and port blocking, configured according to the customer's access control policies.
   Evidence required: Relevant documentation.
   Relevant review: Network infrastructure security

10. Incidents and operations management
   Audit requirement: Maintain and ensure adequate support for all equipment that has reached EOL, EOS, or end of warranty, through an Annual Maintenance Contract (AMC).
   Evidence required: ITSM report listing the devices present in the application, with their EOL, EOS, and AMC details.
   Relevant review: Infrastructure monitoring and management

11. Inventory management
   Audit requirement: A detailed inventory of all equipment deployed or held as spare, with complete information such as site ID, location, configuration details, model, serial number, license key, service coverage, and contract details such as EOL and EOS.
   Evidence required: Relevant documentation.
   Relevant review: Physical inventory/configuration management/infrastructure monitoring and management

12. Patch management
   Audit requirement: Network devices are monitored and updated with the latest firmware and security patches.
   Evidence required: Relevant documentation.
   Relevant review: Network infrastructure security

13. Configuration
   Audit requirement: Document the changes and configuration done on the devices.
   Evidence required: Change request forms for the changes carried out on network devices; the Standard Operating Procedure (SOP) for change management shall be shared.
   Relevant review: Configuration management

14. NOC monitoring
   Audit requirement: Availability of a functioning NOC at a location, providing onsite support on a 24/7 basis.
   Evidence required: Physical visit.
   Relevant review: Network infrastructure security

15. NOC monitoring
   Audit requirement: Implement physical security controls at the NOC: the NOC should be set up as a dedicated operations area in a separate zone, sharing no data, people, or tools with any outside entity.
   Evidence required: Physical visit to the NOC site.
   Relevant review: Network infrastructure security
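Several rows above (3, 5, 6 and 7) accept a "configuration snapshot" as evidence, and the earlier "Weak authentication or encryption protocols" item in the network infrastructure security subsection asks the same questions. Reading those snapshots by eye does not scale across a quarter's worth of devices. The following Python script is an added example, not from this chapter or from any vendor tool: it parses a constructed Cisco IOS-style configuration and checks the IPsec transform sets for AES-128 or stronger, the ISAKMP policies for a SHA-2 hash, login authentication for a TACACS+ or RADIUS group, and the NTP servers against the customer's. The sample configuration deliberately mixes compliant and non-compliant stanzas, and the customer NTP server address is an assumption.

```python
"""Check a router configuration snapshot against checklist rows 3 (IPsec with
AES-128 or stronger), 5 (SHA-2 for authentication), 6 (central AAA via
TACACS+/RADIUS) and 7 (NTP synchronised to the customer's server).

Added example; it is not taken from the chapter or from any vendor product.
SAMPLE_CONFIG is constructed in Cisco IOS syntax and deliberately mixes
compliant and non-compliant stanzas. CUSTOMER_NTP_SERVERS is an assumption.
"""
import re

CUSTOMER_NTP_SERVERS = {"192.0.2.123"}  # assumption: supplied by the customer
SHA2 = {"sha256", "sha384", "sha512"}

SAMPLE_CONFIG = """\
hostname br-rtr-07
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
tacacs server noc-tacacs
 address ipv4 192.0.2.50
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp policy 20
 encr 3des
 hash sha
 authentication pre-share
 group 2
crypto ipsec transform-set TS-STRONG esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec transform-set TS-LEGACY esp-3des esp-md5-hmac
 mode tunnel
ntp server 198.51.100.9
line vty 0 4
 transport input ssh
"""


def stanzas(config):
    """Yield (header, [body lines]) for each top-level IOS stanza; the body is
    the indented lines that follow the header, stripped of indentation."""
    header, body = None, []
    for line in config.splitlines():
        if not line.strip():
            continue
        if line.startswith(" "):
            body.append(line.strip())
        else:
            if header is not None:
                yield header, body
            header, body = line.strip(), []
    if header is not None:
        yield header, body


def transform_sets(config):
    """Map transform-set name -> (ESP cipher token, AES key bits or None)."""
    out = {}
    for header, _ in stanzas(config):
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)$", header)
        if not m:
            continue
        tokens = m.group(2).split()
        cipher, bits = None, None
        for i, tok in enumerate(tokens):
            if tok.startswith("esp-") and not tok.endswith("-hmac"):
                cipher = tok
                if tok in ("esp-aes", "esp-gcm"):  # AES-CBC / AES-GCM
                    nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
                    bits = int(nxt) if nxt.isdigit() else 128  # IOS default key size
        out[m.group(1)] = (cipher, bits)
    return out


def isakmp_policies(config):
    """Map ISAKMP policy priority -> {encr, bits, hash}, applying the IOS
    defaults (DES and SHA-1) for anything the stanza leaves unspecified."""
    out = {}
    for header, body in stanzas(config):
        m = re.match(r"crypto isakmp policy (\d+)$", header)
        if not m:
            continue
        pol = {"encr": "des", "bits": None, "hash": "sha"}
        for line in body:
            parts = line.split()
            if parts[0] == "encr":
                pol["encr"] = parts[1]
                pol["bits"] = int(parts[2]) if len(parts) > 2 else (128 if parts[1] == "aes" else None)
            elif parts[0] == "hash":
                pol["hash"] = parts[1]
        out[int(m.group(1))] = pol
    return out


def check_config(config, ntp_servers=CUSTOMER_NTP_SERVERS):
    """Return [(checklist_row, 'PASS'|'FAIL', detail)] for the four controls."""
    results = []
    for name, (cipher, bits) in transform_sets(config).items():  # row 3
        ok = cipher in ("esp-aes", "esp-gcm") and bits >= 128
        results.append((3, "PASS" if ok else "FAIL", f"transform-set {name}: {cipher} {bits or ''}".rstrip()))
    for prio, pol in isakmp_policies(config).items():  # row 5
        ok = pol["hash"] in SHA2
        results.append((5, "PASS" if ok else "FAIL", f"isakmp policy {prio}: hash {pol['hash']}"))
    lines = {l.strip() for l in config.splitlines()}  # row 6
    central = "aaa new-model" in lines and any(
        re.match(r"aaa authentication login \S+ group (tacacs\+|radius)(\s|$)", l) for l in lines)
    results.append((6, "PASS" if central else "FAIL", "device login authenticated via TACACS+/RADIUS"))
    configured = {m.group(1) for m in re.finditer(r"^ntp server (\S+)", config, re.M)}  # row 7
    ok = bool(configured & set(ntp_servers))
    results.append((7, "PASS" if ok else "FAIL", f"ntp servers {sorted(configured)}, expected one of {sorted(ntp_servers)}"))
    return results


if __name__ == "__main__":
    for row, status, detail in check_config(SAMPLE_CONFIG):
        print(f"row {row:<2} {status:<4} {detail}")
```

Two points matter when reading the output. A FAIL on TS-LEGACY or ISAKMP policy 20 is a finding even though compliant counterparts exist on the same device: IOS negotiates whichever proposal both peers accept, so a weak policy stays reachable until the evidence shows that no crypto map or peer references it, and the auditor should ask for that evidence rather than assume it. Second, the check applies IOS defaults for omitted lines, because a stanza that never states a hash is using SHA-1 without saying so.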

 

Next, we will take a look at the NOC audit checklist and its various components. 

NOC audit checklist

As we mentioned earlier, policies, standards, and procedures form the building blocks of any audit. Ideally, the organization already has a documented policy, so it is best to map the audit questions to that policy and derive a checklist that confirms the third party is performing the given task of "Monitoring and managing the network" as required. Hence, the checklist consists of the policies, procedures, and details of the NOC audit:

Columns: # | Area | Question/control for the NOC audit | Controls for policies | Controls for procedures

The last two columns record the customer policy and procedure documents that each control is checked against; they are blank in this sample and are filled in for each engagement.

1. Network design and architecture: The hardware and software configuration of the network servers should be documented.
2. Network design and architecture: Incorporate industry technical standards, maintain uniform naming conventions, and comply with relevant regulations.
3. Network design and architecture: Incorporate well-defined sub-networks, defended by rule-based traffic filtering using firewalls, VLANs, and other relevant technology.
4. Network design and architecture: Validate possible single points of failure and the ingress points of the network.
5. Network design and architecture: Maintain network management and audit reports.
6. Network design and architecture: Formally document the network design together with the business requirements.
7. Network design and architecture: Hardware redundancy mechanisms (such as duplicating some or all hardware elements) should be adopted for all critical applications and network servers.
8. Network design and architecture: Mechanisms for high availability should be implemented.
9. Network design and architecture (RFP requirement 2): Adequate redundancy should be provided for network links and network devices. The level of redundancy should depend on the criticality of the applications using the link. For critical links, including but not limited to inter-office WAN connections, redundant links should be configured with automatic failover to ensure minimum disruption to the business. If the primary link offers encryption and firewall protection, the secondary link should have a similar security level.
10. Network design and architecture (RFP requirement 2): Redundant network links and devices should have the same level of security as the primary links. Firewall redundancy should be configured based on the criticality of the applications being protected. For all critical applications, firewalls should be configured in high availability mode to ensure minimum downtime for the respective applications.
11. Network design and architecture (RFP requirement 2): The redundant link should be reviewed and tested for correct operation and automatic switchover at least every quarter. Recovery testing of network devices should be performed on alternative infrastructure, not on the production infrastructure.
12. Network design and architecture (RFP requirement 2): Redundant network devices should be installed in failover or load-balancing mode based on the criticality of the applications they support.
13. Network design and architecture (RFP requirement 2): The following should be backed up after installation and after any change to a network device:
   - Network device OS files
   - Network device application files
   - Configuration files
   - Firewall ACLs
   - VPN access logs
   - IDS/IPS signatures
   - Routing tables
   - Network device logs
   A full backup of the configurations and system files of network devices should be taken before any major change, including upgrading the device OS/application, installing additional components on the device, integrating the device with a supplier's components (for example, integrating the firewall with RSA for authentication), and adding a new device interface.
14. Network infrastructure security (RFP requirement 4): A Network-based Intrusion Detection System (NIDS) should be deployed to monitor traffic to and from all customer systems, including application servers, web servers, database servers, and network devices. The Intrusion Detection System (IDS)/Intrusion Prevention System (IPS) should be configured to automatically download new signatures from the supplier's site after successful verification. Servers that cannot be monitored by NIDS should have a host-based IDS (HIDS) installed; even for systems monitored by NIDS, HIDS adds a further layer of detection.
15. Network infrastructure security (RFP requirement 4): Logging should be enabled to track any changes made to device configuration, including changes to ACLs on firewalls, access controls on VPNs, and signature updates on IDS and IPS.

 

This NOC audit checklist ties back to the requirements in the network monitoring checklist and refers to the customer's policies on network security, wireless security, and network standards, including network management, firewall security, change management, business continuity, and logging and monitoring. The customer's policies and industry standards such as the ISO/IEC 27000 family are the basis for the checklist.

Audit report (sampling)

The audit report is the most important artifact to be submitted and helps the customer understand their current network status and performance. It helps them chart out further actions that need to be taken. The following is an example of what an audit report looks like:

 

Name of the vendor:
Auditor name:
Audit date:

Columns: # | Activity name | Category | Risk category | Risk rating | Checklist

1. Activity name: Managing and monitoring the customer's network and designing, configuring, and implementing additions and improvements for the network
   Category: Process
   Risk category: Vendor may not be following secure networking procedures
   Risk rating: High/Medium/Low
   Checklist: Does the vendor have a network policy that is aligned with the customer's broad information risk policy and objectives? Is the vendor following recognized network design principles to define the network security qualities for the perimeter and internal network segments?

2. Activity name: As in row 1
   Category: Process
   Risk category: Vendor may not be following secure networking procedures
   Risk rating: High/Medium/Low
   Checklist: Has network address translation been implemented to prevent internal IP addresses from being exposed to the external network and attackers? Have network intrusion detection and prevention tools been placed on the network, and are penetration tests and simulated cyberattack exercises conducted regularly against the infrastructure to confirm that all security controls have been implemented correctly?

3. Activity name: As in row 1
   Category: Process
   Risk category: Vendor may not have delivered as per the SLA
   Risk rating: High/Medium/Low
   Checklist: Is the vendor submitting the design and configuration documents for customer approval? Is the vendor preparing a disaster recovery plan for the network, including all links and equipment? Is the vendor maintaining rack monitoring facilities for network equipment at all sites and ensuring standard earthing at all sites?

 

The preceding audit report can also consist of a column for recommendations that can be made to the vendor to tackle any problems that might have come to light during the audit.

With this, we have finished looking at the network audit checklist. Now, you should be aware of the various factors that go into auditing a network and be able to conduct an audit yourself.

Auditing best practices and latest trends 

Network auditing is a vast topic that can involve a great many procedures and guidelines. Hence, before ending this chapter, I want to present a few industry best practices that will help you, followed by a few emerging trends in network auditing.

Best practices

Here are a few best practices that you, as a network auditor, must follow when auditing your network:

  • You should be aware of the latest regulatory requirements.
  • The service agreement or statement of work should detail the audit strategy, approach, testing techniques, tools, and deliverables. Assumptions should be stated clearly.
  • Commercial terms should be stated clearly and signed off before the audit.
  • You should sign the NDA wherever applicable.
  • You must ensure that the business and IT unit managers are involved in the discussions before the audit. This will help to prevent disputes over the access privileges required for the audit.
  • Set ground rules, such as availability, for interviews with the required stakeholders.
  • Agree on the time of the day and explain the impact before running penetration testing and vulnerability assessment on the production system.
  • Have a recovery plan in case of system outage during penetration testing or the vulnerability assessment.
  • Conform to the customer's policy on handling proprietary information. Sensitive information should be handled properly and should be encrypted if it's sent through an email.
  • Ensure that you have a signed authorization and indemnification statement that permits you to probe the network.
  • Ensure you get all the relevant data and documentation that you need to navigate and analyze the network. This includes policies and procedures.
  • Document the steps in detail to explain the vulnerability wherever actual testing is not feasible.
  • Add value by interpreting the results and reports that have been generated by the tool based on the customer environment and the organization's policies.
  • Avoid technical jargon in the executive summary.
  • Avoid inflating the significance of trivial security issues.
  • If you have no findings, acknowledge the good implementation and point out areas of future concern and enhancements.
  • You can refer to the organization's policy and industry standards as a starting point to create the checklists.
  • Understand the stakeholders' structure in the organization. Without their cooperation, the audit cannot be completed.

In the process of auditing, you may come across various other best practices that you should include in the checklist and make a living document that gets updated with each audit. This increases the efficiency of the audit process.

Latest trends

The latest technological advances, such as digital transformation, cloud computing, DevOps, and DevSecOps, have driven innovation, scale, and speed for businesses while also increasing the workload for network and security teams. The resulting environments are complex, multi-vendor, multi-technology, and hybrid cloud, which has driven the need for network automation.

Now, we will take a look at some of the platforms that focus on the automation aspect of network management, including SolarWinds Network Automation Manager, SolarWinds NCM, and TrueSight Network Automation.

SolarWinds Network Automation Manager 

SolarWinds Network Automation Manager, as its name suggests, is a platform that can be used for automating various network activities. Some of its key features are as follows:

  • Standardization of network configurations
  • Bulk configuration pushes to large numbers of network devices
  • Detection of unauthorized changes from a security standpoint
  • Vulnerability assessment with NVD integration
  • Improved availability of the environment through faster detection and remediation of IT issues

The following screenshot shows the results of the scan:

You can try out all its functionalities by applying for the 30-day free trial on the official website.

SolarWinds NCM

SolarWinds NCM is one of the leading products on the market, with a wide range of devices and configurations being supported by it. Some of its key features are as follows:

  • Configuration backups for devices, which aid in service recovery
  • Change management features that quickly pinpoint and highlight changes in a configuration file
  • Compliance reporting in support of regulatory audits
  • 53 reporting templates that provide visibility into the network inventory, configuration changes, security and policy requirements, and so on

The following screenshot shows the results of a scan carried out by Solarwinds NCM:

However, some issues can occur in large environments: users have reported unexpected timeouts, and the configuration change templates have restrictions that some may find limiting.
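The change detection features described above (unauthorized-change detection in Network Automation Manager, change pinpointing in NCM) all reduce to the same underlying technique: diff the running configuration against an approved baseline and reconcile each difference with a change record. The following Python script is an added example and not SolarWinds code: it diffs two constructed Cisco IOS-style snapshots, separates the drift into changes covered by an approved change request (the change request forms from row 13 of the network monitoring checklist, reduced to the lines they authorized) and unexplained drift, and flags unexplained changes that match security-sensitive patterns. The baseline, running configuration, change record, and `HIGH_RISK` pattern list are all constructed assumptions.

```python
"""Detect configuration drift between an approved baseline snapshot and the
running configuration, separate it into changes covered by an approved change
request and unexplained drift, and flag security-sensitive unexplained changes.

Added example; it is not SolarWinds NCM or Network Automation Manager code.
BASELINE, RUNNING and APPROVED_CHANGES are constructed (Cisco IOS syntax), and
HIGH_RISK is an assumption about what the customer's policy treats as critical.
"""
import difflib
import re

BASELINE = """\
hostname core-sw-01
service password-encryption
logging host 192.0.2.200
ntp server 192.0.2.123
ip access-list extended MGMT-IN
 permit tcp 192.0.2.0 0.0.0.255 any eq 22
 deny ip any any log
line vty 0 4
 access-class MGMT-IN in
 transport input ssh
"""

RUNNING = """\
hostname core-sw-01
service password-encryption
logging host 192.0.2.201
ntp server 192.0.2.123
ip access-list extended MGMT-IN
 permit tcp 192.0.2.0 0.0.0.255 any eq 22
 permit ip any any
 deny ip any any log
line vty 0 4
 access-class MGMT-IN in
 transport input ssh telnet
"""

# Change request forms (checklist row 13), reduced to the config lines each one
# authorised. Constructed: CR-1042 moved the syslog collector to a new address.
APPROVED_CHANGES = {
    "CR-1042": {("-", "logging host 192.0.2.200"), ("+", "logging host 192.0.2.201")},
}

# (direction, pattern, finding) for drift that must never go unexplained. Assumption.
HIGH_RISK = [
    ("+", re.compile(r"^permit ip any any$"), "overly permissive ACL entry added"),
    ("+", re.compile(r"^transport input .*\btelnet\b"), "telnet enabled on management lines"),
    ("-", re.compile(r"^service password-encryption$"), "password encryption removed"),
    ("-", re.compile(r"^logging host "), "syslog destination removed"),
    ("-", re.compile(r"^access-class .* in$"), "management ACL removed from vty"),
]


def config_delta(baseline, running):
    """Return {('+'|'-', line)} for lines added to or removed from the baseline.
    Indentation is stripped before comparing, but order is preserved, so a
    re-ordered ACL shows up as a removal plus an addition, which is correct:
    ACL order is security-relevant."""
    old = [l.strip() for l in baseline.splitlines() if l.strip()]
    new = [l.strip() for l in running.splitlines() if l.strip()]
    delta = set()
    for entry in difflib.ndiff(old, new):
        tag, text = entry[:1], entry[2:]
        if tag in ("+", "-"):  # skip unchanged ("  ") and hint ("? ") lines
            delta.add((tag, text))
    return delta


def audit_drift(baseline, running, approved):
    """Classify drift and flag high-risk changes that no change request covers."""
    delta = config_delta(baseline, running)
    covered = set().union(*approved.values()) if approved else set()
    unexplained = sorted(delta - covered)
    high_risk = [
        (tag, text, why)
        for tag, text in unexplained
        for risk_tag, pattern, why in HIGH_RISK
        if tag == risk_tag and pattern.search(text)
    ]
    return {"approved": sorted(delta & covered), "unexplained": unexplained, "high_risk": high_risk}


if __name__ == "__main__":
    report = audit_drift(BASELINE, RUNNING, APPROVED_CHANGES)
    for key in ("approved", "unexplained"):
        for tag, text in report[key]:
            print(f"{key:<11} {tag} {text}")
    for tag, text, why in report["high_risk"]:
        print(f"HIGH RISK   {tag} {text}  <- {why}")
```

The approved syslog move drops out of the findings even though "logging host" removal is on the high-risk list, which is the point of reconciling against change records rather than alerting on every difference. Unexplained drift that matches no pattern (the replaced `transport input ssh` line here) is still a change-management finding: the auditor asks for the change request, and its absence is evidence for the configuration management section of the report.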

TrueSight Network Automation

BMC has a niche offering known as TrueSight Network Automation. It supports regulatory requirements such as HIPAA, SOX, PCI DSS, and SCAP content, and verifies device configurations for compliance against that policy content. BMC markets the product as fast and scalable, that is, able to roll out configuration changes at lower cost and with increased agility. The following diagram explains its functionality:

Some of the key benefits that organizations yield from its implementation include quick identification and closure of vulnerabilities, cost-effectiveness, reliability, and speed of operation, as well as compliance, real-time visibility, and streamlined configuration management. 

Summary

In this chapter, you learned about network auditing essentials such as risk management and the industry standards and governance frameworks SOX, HIPAA, GLBA, and PCI DSS. We then looked at network assessment and auditing platforms, including SolarWinds, Open-AudIT, and Nmap, security assessment tools such as Nessus and Nipper, and the Wireshark protocol analyzer. We went through a comprehensive audit checklist covering the attributes of a well-defined network security audit, followed by a case study of a financial institution that had outsourced its network management to a third-party vendor. Finally, we discussed auditing best practices and the latest trends.

You should now understand the requirements for initiating a network audit exercise and its dependencies, the risk management strategies and industry standards an auditor can use for guidance, the role of the auditor, and the phases of an audit process.

In the next chapter, we will take a look at continuous and effective threat management. We will deep dive into topics such as cyber threat management, how to actively manage threats and risk, and various management aspects of dealing with threats in an environment.

Questions

The following is a list of questions so that you can test your knowledge regarding this chapter's material. You will find the answers in the Assessments section of the Appendix:

  1. Which of the following is a popular tool used for discovering networks, as well as in security auditing?
    • Ettercap
    • Metasploit
    • Nmap
    • Burp Suite
  2. Which of the following does Nmap not check?
    • Services that different hosts are offering
    • What OS is running
    • What kind of firewall is in use
    • What type of antivirus is in use
  3. Wireshark is a tool that can be used for what?
    • Network protocol analysis
    • Network connection security
    • Connection analysis
    • Defending malicious packet filtering
  4. Which of the following is a password recovery and auditing tool?
    • LC3
    • LC4
    • Network Stumbler
    • Maltego
  5. Which of the following options describes an audit charter best?
    • Should be dynamic and can adjust to help the evolving technology.
    • Lay out audit objectives and verify, maintain, and review internal controls.
    • Achieve prospective audit objectives by documenting the audit procedures.
    • Outline the overall authority, scope, and responsibilities of the audit function.
  6. Select the option that would adequately support WAN to ensure continuity.
    • Built-in substitute routing
    • Conduct regular full system backups
    • A servicing agreement with a service provider
    • A standby system with separate servers
  7. Choose the best option that helps information owners properly classify data.
    • Understanding of technical controls that protect data
    • Training on organizational policies and standards
    • Use of an automated Data Leak Prevention (DLP) tool
    • Understanding which people need to access the data

Further reading

Take a look at the following resources to find out more about the topics we've discussed in this chapter:
