78 network security auditing

78 Network Security Auditing

■ Communications and ops management■ Access control■ Information systems acquisition, development, and maintenance■ Information security incident management■ Business continuity■ Compliance

The ISO standards define a solid benchmark for assessing a company’s information secu-rity practices, but as with most high-level control documents, it doesn’t give the auditordetails about security architecture or implementation guidance. 27002 is a great interna-tionally recognized standard to refer back to for control requirements in anaudit reportor findings document and makes excellent source material for an auditor’s checklist.

NISTThe National Institute of Standards and Technologies (NIST) is a federal agency of theUnited States government, tasked with helping commerce in the U.S. by providing weightsand measurements, materials references, and technology standards. If you have configuredyour computer to use an atomic clock source from the Internet to synchronizetime to, thenyou have used a NIST service. NIST also provides reference samples of over 1,300 items,including cesium 137, peanut butter, and even oysters. The division within NIST that is mostinteresting from an information security standpoint is the Computer SecurityResourceCenter (CSRC), which is thedivision tasked with creating information security standards.The CSRC is currently directed by the United States Congress to create standards forinformation security in response to laws such as the Information Technology Reform Actof 1996, the Federal Information Security Management Act of 2002 (FISMA), andHIPAA. Although FISMA is a federal law and not enforceable in the private sector, pri-vate companies can reap the benefits of the many excellent documents NIST has createdfor FISMA compliance.Federal Information Processing Standards Publications (FIPS) standards are aseries of

standards that government agencies must follow by law according to FISMA. FIPS stan-dards include encryption standards, information categorization, and other requirements.FIPS also mandates standards for technology through a certification program.Hardwareand software involved in encrypting data via AES for example, must be FIPS 140-2 (level2) compliant to be used by the federal government. Many Cisco products meet theserequirements; for a complete list of all vendors tested, go to http://csrc.nist.gov/groups/STM/cavp/validation.html.The NIST Special Publications (800 series documents) are a treasure trove ofgood infor-mation for auditors, systems administrators, and security practitioners of any size compa-ny. These documents give guidance and provide specific recommendations abouthow toaddress a wide range of security requirements. These documents are created by academicresearchers, security consultants, and government scientists. They are reviewed by the

Chapter 3: Information Security Governance, Frameworks, and Standards 79

security community through a draft process that allows anyone to provide comments andfeedback on the documents before they are made standards. The documents are alsorevised on a regular basis as new technologies become adopted.Table 3-2provides a list of some of the most widely used NIST 800 series documents.This list is not exhaustive, and there are new documents added all of the time, so checkthe NIST website on a regular basis for updates and new drafts.

Table 3-2 NIST 800 Series DocumentsSP 800-14 Generally Accepted Principles and Practices for Security Information

Technology SystemsSP 800-18 Guide for Developing Security Plans for Information Technology SystemsSP 800-27 Engineering Principles for Information Technology Security (A Baseline for

Achieving Security)SP 800-30 Risk Management Guide for Information TechnologySP 800-34 Contingency Planning Guide for Information Technology SystemsSP 800-37 Guidelines for Security Certification and Accreditation of IS SystemsSP 800-47 Security Guide for Interconnecting Information Technology SystemsSP 800-50 Building an Information Technology Security Awareness and Training

ProgramSP 800-53 Recommended Security Controls for Federal Information SystemsSP 800-53A Techniques and Procedures for Verification of Security Controls in Federal

Information Technology SystemsSP 800-54 BGP SecuritySP 800-55 Security Metrics Guide for Information Technology SystemsSP 800-58 Security Considerations for VOIP SystemsSP 800-60 Guide for Mapping Types of Information and Information Systems to

Security Categories (2 Volumes)SP 800-61 Computer Security Incident-Handling GuideSP 800-66 An Introductory Resource Guide for Implementing the Health Insurance

Portability and Accountability Act (HIPAA) Security RuleSP 800-77 Guide to IPSEC VPNsSP 800-88 Guidelines for Media Sanitization

SP 800-92 Guide to Computer Security Log ManagementSP 800-95 Guide to Security Web ServicesSP 800-97 Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11iSP 800-100 Information Security Handbook: A Guide for Managers


The Cyber Security Research and Development Act of 2002 requires that NIST developchecklists to help minimize the security risks of hardware and software usedby the fed-eral government. These checklists show detailed configurations of many hardware andsoftware platforms including Cisco. SP 800-70 outlines the format, goals, and objectivesof the checklists, and how to submit a checklist if you build one that you would like toshare. NIST provides these checklists in Security Content Automation Protocol (SCAP)format and can be loaded into a SCAP-validated scanner for automated auditing. Thereare a number of scanning vendors that support SCAP such as Qualys and Tennable(Nessuse Scanner). For a complete list of scanning vendors and downloadable checklists,visit http://checklists.nist.gov.

Center for Internet SecurityThe Center for Internet Security (CIS) is a not-for-profit group dedicated to creatingsecurity best practices and configuration guidance for companies to help reduce the riskof inadequately securing corporate systems. CIS provides peer-reviewed configurationguides and templates that administrators and auditors can follow when securing or testingthe security of a target system. These guides are well written and provide asufficientlevel of detail down to the actual configuration level to use as a checklistwhile alsoexplaining why the particular configuration option needs to be implemented.CIS refers to its best practice documents as benchmarks and has two categories:

■ Level 1 benchmarksconsist of the minimum level of security that needs tobe con-

figured that any skilled administrator can implement.■ Level 2 benchmarksfocus on particular applications of security based on the type

of system or manner in which the system is used. Proper security depends on under-standing risk, which determines at what level you need to protect an asset. Laptops,for example, have a different risk profile than servers, which are explored in the Level2 benchmark section in detail.

The CIS benchmarks are often used for configuration-level auditing of technology forproper implementation of security features and good defensive practices. Many compli-ance laws dictate high-level controls, but never go into the details of how to actually per-form the tasks necessary. These benchmarks developed by CIS help to fill in the blankswhen auditing for compliance through consensus-validated device configuration recom-mendations. CIS also makes available automated assessment tools that leverage thesebenchmarks. CIS benchmarks can be found at www.cisecurity.org.

NSAThe National Security Agency (NSA) has been responsible for securing information andinformation assurance since it began in 1952. As a component of the U.S. Department ofDefense, the NSA is typically known for its cryptology research and cryptanalysis of


encrypted communications. The NSA created the DES encryption standard that was (andstill used in the form of 3DES) the most commonly deployed encryption technique, untilit was replaced by AES.Although the NSA’s mission is to keep government communications private, it hasalso shared a significant amount of computer security research in the form of configura-tion guides on hardening computer systems and network infrastructure equipment.Through research conducted by the Information Assurance Department of the NSA, aseries of security configuration guides have been posted to help the public better securecomputers and networks.These guides cover:

■ Applications■ Database servers■ Operating systems■ Routers■ Supporting documents■ Switches■ VoIP and IP telephony■ Vulnerability reports■ Web servers and browsers■ Wireless

Auditors are free to use these configuration guidelines when examining security controls.They make a great resource and are updated as new technologies and applications arestudied. You can find the guides at http://www.nsa.gov/ia/index.cfm.

DISAThe Defense Information Security Agency (DISA) is a component of the U.S. Departmentof Defense that is charged with protecting military networks and creating configurationstandards for military network deployments. DISA provides a number of usefulconfigu-ration checklists for a wide variety of information system technologies. Security

Technical Implementation Guides (STIG) are great source material for security configura-tion assessments and highly recommended as a tool for any auditor looking for vettedconfiguration recommendations. While STIGs are written with military auditors in mind,they are easy to read and include justification for the configuration requirements andwhat threats are mitigated. Youcan access the current list of STIGs at http://iase.disa.mil/stigs/stig/index.html.


SANSThe SANS (SysAdmin, Audit, Network, Security) Institute is by far one of thebestsources of free security information available on the Internet today. Established in 1989as a security research and education organization, it has become a source oftraining andknowledge that shares information about security for hundreds of thousands of individu-als across the globe. The SANS website has something for everyone involved in informa-tion security, from the CIO to the hard-core security technologists and researchers.SANS is in the business of security education and delivers training events, conferences,and webcasts. It offers an extensive array of technical security and management trackscovering everything from incident handling and hacking to creating security policies.SANS security training conferences are the most common venue for a student attendingthese courses, but many are also offered through on-demand web training and self-study.Each of these courses also offers an opportunity to test for certification through the GIACorganization (a separate entity that governs the certification and testing process for SANS).For those students who want a more traditional educationprocess, SANS is accredited inthe state of Maryland to grant master’s degrees in information assurance andmanagement.Although SANS focuses on training, it also provides a wealth of free security informationas part of its mission to use knowledge and expertise to give back to the Internet com-munity. SANS offers the following free services and resources that are perfect for audi-tors and security professionals to use to gain insight into new issues and understandingtechnical security controls:

■ SANS reading room:The reading room consists of over 1,600 computer security

whitepapers from vendors and research projects written by SANS students going forGIAC Gold certification. There are a wide range of topic categories, ensuring you willfind something relevant to what you are looking for from best practices to configura-tion guidance.

■ SANS Top 20:SANS Top 20 is a list of the top 20 vulnerabilities in operating sys-

tems and applications that hackers attack. This information is updated yearly by alarge panel of security experts, and it provides auditors and security practitionerswith a good list of high-risk areas they need to ensure are addressed. Although thislist is good, it doesn’t cover the latest threats, so it should not be used as a checklist,but rather as a tool to focus your efforts.

■ SANS security policy samples:If you are looking for sample security policies, this

resource is a goldmine. All of the policies represented are free for use,and in somecases, you can simply insert the business’s name. These policy templates cover awide range of security functional areas and are added to on a regular basis. It isimportant to note that security policies are a serious documents and require thatlegal departments and HR departments be involved in their adoptions.

■ SANS newsletters:SANS provides a number of newsletters available as e-mails or

RSS feeds that you can subscribe to. Many topics are present, including one focusedon auditing (SANS AuditBits).


■ Internet Storm Center:The Internet Storm Center is a group of volunteer incident

handlers who analyze suspicious Internet traffic from across the globe. They look atpacket traces to determine if a new virus, worm, or other attack vectors have poppedup in the wild. The ISC also compiles attack trend data and the most frequentlyattacked ports. Incident handlers are always “on duty,” and you can read their notesas they go about analyzing attacks.

■ SCORE:SCORE is a joint project with the CIS to create minimum standards of con-

figuration for security devices connected to the Internet. These checklists are avail-able for free and provide sound guidance about necessary technical controls.

■ Intrusion Detection FAQ:The Intrusion Detection FAQ is a fantastic resource for

better understanding how to identify an attack on your network. FAQs cover thebasics of intrusion detection, details about tools to use, and a detailedanalysis ofsample attacks.

The SANS website should be considered mandatory reading for auditors who want tobetter understand the tools and techniques attackers use to break into systems. Having allof this knowledge in a single place is useful as auditors tailor their checklists and auditcriteria to address current events and attacks.

ISACAIf you are involved in security auditing to any degree, you undoubtedly haveheard of theInformation Systems Audit and Control Association (ISACA). ISACA is the largest associ-ation of IT auditors in existence with over 65,000 members across the world.Many of theauditing techniques and security governance processes used to audit IT todayhave beencompiled and standardized by ISACA. Over 50,000 people have earned the CertifiedInformation Systems Auditor certification (CISA), demonstrating knowledge inauditing.The Certified information Systems Manager (CISM) is also offered to test IT governanceand management expertise.

ISACA is more than just a certification-granting organization. In addition to founding theIT Governance Institute and developing COBIT, they have created the de-factostandardsguide for assessing and auditing IT controls. The IS standards, guidelines, and proceduresfor auditing and control professionals are regularly updated and reviewed toprovide theauditing community with standards, guidelines, and procedures for conductingaudits.The auditing guide includes:

■ Standards of IS Auditing:This section includes Code of Conduct for professional

auditors, auditing process from planning to follow-up, and various other standards forperforming audits.

■ Auditing G:This section provides information on how to conduct audits while

following the standards of IS auditing.


■ Auditing Procedures:How to audit various types of systems and processes is de-

tailed in this section, providing a sample approach to testing controls such as firewallsand intrusion detection systems.

The IT Assurance Guide to using COBIT is another excellent resource for how to conductan audit using COBIT as the governance framework. Regardless of whether or not thecompany being audited uses COBIT, the guide describes how to leverage the controlsidentified by COBIT and apply those to the audit process. This enables an auditor to fol-low a well documented framework to ensure that no major areas are missed.

Cisco Security Best PracticesThe Cisco website is a primary resource for anyone configuring or maintaining Ciscogear, as Cisco provides a wealth of guidance for configuration and design ofsecurity sys-tems. Cisco believes in pervasive security throughout its product lines, so it should comeas no surprise that security design guides and best practices are available for all Ciscoproducts.Cisco takesanarchitectural approachto security that focusesonsecurity asasystem.Afirewall isanimportant security component,but by itself doesnot addressall of thesecu-rity needsof adiverseorganization.To better alignto defenseindepthand security solu-tionarchitectures,Cisco hascreated abest practicesrepository that encompassesall typesof network designswithsecurity embedded.Thetwo areasthat aremost relevant toaudi-torslookingfor best practicesaretheDesignZoneand Cisco Validated Designsprogram.The Design Zone’s main objective is to take the guesswork out of building a scalable andmanageable network solution that maps to business requirements. These designguidescover a wide range of solutions and best practices for configuring and developing archi-tectures for places in the network, such as the branch office or campus and vertical indus-tries such as retail and health care. Security practices are integrated intoeach solution,and there is a dedicated section covered in the Design Zone for security. The Design

Zone for security provides fundamental protection strategies for the networkas a wholeand is built on the principles introduced by SAFE. The Design Zone for security cate-gories are:

■ Network Foundation Protection:Core network security design fundamentals■ Secure Branch:Branch office security designs■ Enterprise Campus Security:Campus network security design guidance for the net-

work core■ Secure WAN:Security services for wide area network connectivity■ Secure Data Center:Security for critical data and applications■ Threat Control:Security solutions that protect against attacks and intrusions from

the core of the network to the end points


Following are solution-specific design guides that auditors might find useful:

■ Secure Unified Communications:Designing and securing voice services and applica-

tions■ Network Virtualization:Network path isolation and access control techniques for

delivering secure network services on demand■ SecureWireless:Security concernsand solutionsfor mobiledevicesand applications■ Secure Industry Solutions:Solutions focused on particular industries such as

healthcare, government, and retail■ Security Product Implementation Guidance:Individual product installationguides

and examples

The Cisco Validated Designs (CVD) program was created to provide not just design guid-ance in the form of a whitepaper, but to provide solutions that are tested and document-ed to work together. All of the designs placed in the Design Zone have been through theCVD process to provide reference designs with recommended configuration and codeversions. Each CVD is built in a lab environment that closely represents a customerdeployment scenario. There are three types of deliverables created for CVDs:

■ System Assurance Guides:Guides that provide the results from testing andgive sys-

tem and solution recommendations for network deployment.■ Design Guides:Full architectural design, technical deployment, and implementation

guides for the solution■ Application Deployment Guides:Interoperability guidance for third-party applica-

tions that have been tested with Cisco solutions

Cisco also has technical papers and other references such as hardware and software matri-ces for CVDs when applicable. Auditors can find more information about the CiscoDesign Zone and CVD program at www.cisco.com/go/designzoneandwww.cisco.com/go/cvd.

SummaryThis chapter delivers an overview of IT security governance and some of the key gover-nance frameworks, standards, best practices, and guidelines that can be usedto assess asecurity program. Although no one framework or standard addresses every aspect of asecurity program, the controls and best practices they represent can be usedas buildingblocks for a cohesive security governance strategy. In summary:

■ Security governance is the coordination of people, process, and technologies to meet

business objectives and reduce risk.


■ Clearly defined roles and responsibilities with the appropriate measurement are

essential to successful security service delivery.■ COSO, COBIT, and the ISO 27000 series provide high-level strategies and controls

for managing information security and the ability to audit against them.■ Technology best practices are available from a wide variety of sources, including

NIST, NSA, DISA, SANS, ISACA, CIS, and Cisco. Each provides detailed configura-tion and design guidance that explains how to design and set up network securitycountermeasures.

References in This ChapterPeltier, Thomas and Justin Peltier. Complete Guide to CISM Certification. Auerbach, 2006.—Information Security Governance: Guidance for Boards of Directors and ExecutiveManagement, Second Edition. IT Governance Institute.—ISO 27001:2005 (27001 and 27002)—COBIT 4.1 Executive Summary and Framework. ISACA.—ITIL V3 Foundation Coursebook. Pink Elephant, 2008.

Web Resourceswww.coso.orgwww.iso.org/iso/home.htmwww.nist.govwww.coso.orgwww.wikipedia.orgwww.isaca.orgwww.sans.orgwww.cisecurity.orgwww.Cisco.com/go/cvdwww.cisco.com/go/safewww.cisco.com/go/designzone

Chapter 4

Auditing Tools and Techniques

Assessing security controls involves more than simply scanning a firewall to see whatports are open and then running off to a quiet room to generate a report. It isnatural forsecurity engineers to gravitate toward technology and focus on technical security controltesting (otherwise known as penetration testing), because it is likely the “fun” part ofsecurity for most engineers. Conducting a penetration test is like throwing down thegauntlet to security professionals, and it gives them an opportunity to flex their hackerskills. Testing security as a system, however, involves significantly more thanlaunchingcarefully crafted evil packets at the network to see what happens. This chapterdiscussessoftware tools and techniques auditors can use to test network security controls.It is important to note that this is not a chapter about hacking. You will not learn all ofthe techniques and tools available today for breaking into networks. Do a search at yourfavorite online bookseller for the terms hacking, hacker, or penetration testing and youwill find a slew of books devoted to the topics. Security testing as a process is covered,but the focus is on gathering the evidence useful for an audit. Thoroughly assessing secu-rity controls serves a vital part in determining whether or not a business is compliant withits policies, procedures, and standards. Throughsecurity controls testing, you can deter-

mine whether the organization meets its goals for reducing risk and keeping evildoers outof the network and away from critical systems.

Evaluating Security ControlsSecurity controls are the safeguards that a business uses to reduce risk and protect assets.Policy determines what security controls are needed, and those controls are selected byidentifying a risk and choosing the appropriate countermeasure that reduces theimpactof an undesirable event (such as a customer database being stolen). The evaluation ofsecurity controls in its simplest form validates whether or not the control adequatelyaddresses policy, best practice, and law. Testing security controls for effectiveness andmeasuring them against standards are of the best ways to help an organization meet itsobligations to shareholders and regulatory responsibilities.


As discussed in Chapter 1, “The Principles of Auditing,” the main security control typesare administrative, technical, and physical. Under each category, the specific controls thatcan be implemented are preventative, detective, corrective, or recovery. These controltypes work together, and in general, you must provide controls from each category toeffectively protect an asset. When testing controls, make sure that each functional cate-gory is addressed and all controls are implemented in a way that doesn’t allow someoneeasy circumvention. You can have the most advanced firewall in the world as a preventa-tive control, but without monitoring its effectiveness throughdetective controls, such aslog reviews and IPS, you would never know for sure if it enforced policy. These missingpieces are typically what hackers exploit to break into systems, andit’s the auditor’s jobto identify and report on weaknesses in the system.When evaluating security effectiveness, you need to examine three primary facets forevery control. All security incidents, from break-ins to lost customer records, can usuallybe traced back to a deficiency that can be attributed to people, process, or technology.Testing these areas enables you to analyze security from a big picture perspective, givesyou a better understanding of how an organization performs today, and recommendsimprovements for tomorrow.Following are the three facets to examine:

■ Peopleareusers,administrators,dataowners,andmanagersof theorganizationwith

varyinglevelsof skills,attitudes,andagendas.If usersarenot followingsecurity poli-cies,theremight beaneedforstrongeradministrativecontrolssuchassecurityawarenesstrainingorpenaltiesfornoncompliance(thisisthe“uptoandincludingget-tingfired” clausethat HRputsintheemployeemanual).Anorganizationcanalsoim-plement adetective/correctivecontrol toenforcepoliciessuchashavingthelatest an-tivirusupdatesoroperatingsystempatchesbeforetheuserisallowedonthenetwork.Peoplealsorepresent theorganizational structureandpoliciesthat drivesecurity.

■ Process represents how the organization delivers the service of IT. These are the pro-

cedures and standards that are put into place to protect assets. Processes must be upto date, consistent, and follow best practices to be effective. Process is one of the

most important areas to test, because most attacks that result insignificant loss havea component in which process has failed. Take, for example user account creationand decommission. Someone is hired, and a request is put into IT to create theappropriate accounts the new hire. Who is allowed to send the request? Is it any hir-ing manager or does it have to be one from Human Resources? How is the requestvalidated as legitimate? Without strong process and the appropriate controls in placeto prevent, detect, and correct, anyone can call and impersonate a hiring managerand request an account be created. This is significantly easier (and quicker) than try-ing to run a brute force, password-cracking tool against a server.

■ Technology representsthefacilities,equipment,computer hardware,and software

that automateabusiness.Technology enablespeopleto accomplishrepetitivejobsfaster and withlesserror.Of course,technology also enablessomeoneto do stupidthingsjust asefficiently (and faster).Misconfigurationsand poorlyimplemented soft-warecantakeamistakeand multiply itsimpact exponentially.Imagineleavingthedoor unlocked onaroomthat houseshardcopy files.Someonecould potentially