Solution Overview E-SPIN Vulnerability Management

Transcription

E-SPIN Vulnerability Management Solution Overview
Since 2005. E-SPIN Group of Companies. All Rights Reserved.

Copyright 2005 - 2021 by E-SPIN Group of Companies. All rights reserved. No part of this solution/product/training presentation/handout may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, without either the prior written permission of E-SPIN, or authorization through payment of the appropriate per-copy fee to E-SPIN (email info@e-spincorp.com).

Limit of Liability / Disclaimer of Warranty: While the authors have used their best efforts in preparing this solution/product/training presentation/handout, they make no representations or warranties with respect to the accuracy or completeness of the contents and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for every situation. You should consult with a professional where appropriate. The authors shall not be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services, or for technical support, please contact our customer service department by email at info@e-spincorp.com.

What can you expect from the presentation?
Solution Overview: solution overview, features and benefits, what's new
Product Overview (What's New): product overview, functionality and requirements, what's new
Open Discussion / Clarification (before the end): based on the requirements / concerns you have in hand

Client VAC/SOC/NOC Integration
Vulnerability Assessment Center (VAC) / Security Operation Center (SOC) / Network Operation Center (NOC) Terminal / Workstation

CyberSecurity Center Facility
Cyber warfare, cyber defense and cyber offensive center facility

Client VAC/SOC/NOC Integration
VAC/SOC/SIEM/EMS/NMS/NOC Terminal Workstation Integration

Client VAC/SOC/NOC Integration
VAC/SOC/SIEM and EMS/NMS NOC Terminal Workstation Integration: Interactive Voice Response (IVR), Mobile and Gateway SMS Integration, Integrated Support Ticket System

WHO is doing WHAT and WHEN on your network
E-SPIN complete end-to-end complementary flow, network and security monitoring: probe/TAP, collector, visualization and reporting, from 10 Mbps to 100 Gbps links

Vulnerability Management Solution Overview
- Vulnerability Management
- Vulnerability Assessment
- Risk and Security Assessment
- Audit and Management
- Ethical Hacking
- Penetration Testing
- Compliance Management
- Application Security Testing (AST)
- Cyber warfare
- Red Team
- DevSecOps

Tenable
Full range from the generic vulnerability scanner Nessus Pro to enterprise Unified Security Monitoring (USM) with SecurityCenter / Tenable.sc, and the modern cloud platform Tenable.io with Lumin.

Nessus Pro: on-prem single install, unlimited IP scan; vulnerability assessment tool (VAT)
Tenable.io: cloud, licensed by asset and module; can add Lumin reporting
Tenable.sc: on-prem, licensed by asset; enterprise "vulnerability management" combining the active scanner, the Log Correlation Engine and the passive vulnerability scanner; security continuous monitoring / SOC

Trustwave (formerly Application Security, Inc.)
Full range from DbProtect for enterprise-wide database activity monitoring (DAM) to AppDetectivePro for database security audit / assessment and compliance enforcement.

Immunity Security
Full range from CANVAS (packaged vulnerability exploitation modules with a development and testing framework, plus the commercial add-on/plugin modules that expand its functionality) to SILICA for wireless assessment and penetration testing.

Titania
Full range from Nipper Studio (network device) to Paws Studio (endpoint device) auditing & compliance

Invicti (formerly Acunetix)
Full range of the automated Acunetix web vulnerability scanner (WVS): Standard, Premium and Acunetix 360, for dynamic application security testing (DAST)

Invicti (formerly Netsparker)
DAST scanner, invented in 2006 by Ferruh Mavituna, a penetration tester. Subscription-licensed product, licensed by the number of websites. Editions: Netsparker Standard, Team and Enterprise.

Hex-Rays
The Hex-Rays Decompiler and the IDA disassembler and debugger: a multi-processor disassembler and debugger hosted on the Windows, Linux and Mac OS X platforms, for malware analysis and reverse engineering.

Veracode

Parasoft
Automated quality and software testing: static analysis, unit testing, API testing, load & performance testing, runtime analysis, security testing, service virtualization, reporting & analytics

PortSwigger Web Security
Burp Suite Professional: manual web vulnerability scanner, licensed per install. Burp Suite Enterprise Edition: automated web scanner, per-server install, licensed by instance.

Qualys

Core Security
Core Impact: commercial penetration testing framework; uses a common pen test methodology; covers the network, client-side, mobile, wireless and web vectors; 3rd-party exploitation packs can be added to extend functionality

Core Security
Cobalt Strike for adversary simulations and red team operations. Customers with an active Core Impact license can additionally sign up for the Core Impact + Cobalt Strike combo.

DefenseCode
Next generation of application security testing (DAST, SAST); can run in a container architecture, DevSecOps CI/CD ready.
Source Code Security Analysis (SAST): single desktop developer per year; single server, single developer instance per year
WebStrike Web Application Security Scanner (DAST), formerly WebScanner: single install, licensed by website or unlimited, per year

ImmuniWebCloud based only solution for application security needs and requirements.

SecPointNext Generation Vulnerability Scanner & UTM Firewall

AppScan Application Security Testing (AST), formerly under IBM Security, now under HCL
AppScan Standard: DAST
AppScan Enterprise: DAST, IAST
AppScan Source: SAST
AppScan on Cloud: DAST, IAST, SAST, SCA

Micro Focus
Fortify Application Security - WebInspect solution (formerly SPI Dynamics)

Security Testing Market

End to End Vulnerability Management
Unified VM: network & OS; network / security devices; mobile devices; source code; malware analysis & reverse engineering; wireless; exploitation tools; systems

Thank You & Open Discussion

Additional Information

E-SPIN Unified Vulnerability Management (UVM) Solution Overview


DevSecOps: Development, Security, Operations

DevSecOps (diagram)
Teams: development team, revision control system team, QA team, release engineering (SE), Secure DevOps
Controlled environment: clustering, parallelism, load balancing, grid computing
Scenarios: development, pre-production and production
Storage: SAN, NAS, CAS and backup
Lifecycle: risk governance, construction, verification, deployment
Infrastructure: Active Directory, system operation, sensors, RFID, virtual machines, web server, app server, database server, security devices, network, geographic

Continuous Monitoring / Ops and Continuous Integrated Security (diagram)
Static application security testing (SAST); vulnerability assessment; dynamic application security testing (DAST); build / compliance; DAST & audit / monitor / protection (RASP/WAF); secure SDLC training

IT Auditing Tools and Techniques

Mission / Objective
- Use controls to protect information assets
- Establish internal controls on systems & processes (identify & mitigate risks)
- Control types: preventive, detective, reactive (corrective)
- Administrative controls (e.g. policies & processes)
- Technical controls: tools & software that enforce control (e.g. passwords)
- Physical controls (e.g. guards, locked doors)
- Provide independent assurance that internal controls are in place
- Identify and address internal control weaknesses
- Incorporate the International Standards for the Professional Practice of Internal Auditing

The Audit Process
Determine what to audit: centralized IT functions, decentralized IT functions, business applications, regulatory compliance; rank the potential audits in order
Stages of an audit: planning; fieldwork & documentation; issue discovery & validation; solution development; report drafting & issuance; issue tracking

Auditing Entity-Level Controls
1. Review the overall IT organization structure to ensure it provides clear assignment of authority & responsibility over IT operations & provides adequate segregation of duties
2. Review the IT strategic planning process & ensure it aligns with business strategies. Evaluate the IT organization's processes for monitoring progress against the strategic plan
3. Determine whether technology & application strategies & roadmaps exist, & evaluate processes for long-range technical planning
4. Review & ensure that performance indicators & measurements exist for IT, both for measuring the performance of daily activities & for tracking performance against SLAs, budgets & other operational requirements
5. Review the IT organization's process for approving & prioritizing new projects. Determine whether there is an adequate process for ensuring that system acquisition & development projects cannot commence without approval. Ensure management & key stakeholders review project status, schedule & budget periodically throughout the life of significant projects
6. Evaluate standards for governing the execution of IT projects & for ensuring the quality of products developed or acquired by the IT organization. Determine how these standards are communicated & enforced
7. Ensure IT security policies exist & provide adequate requirements for the security of the environment. Determine how those policies are communicated & how compliance is monitored & enforced
8. Review & evaluate the risk assessment process in place for the IT organization
9. Review & evaluate processes for ensuring IT employees at the company have the skills & knowledge necessary for performing their jobs
10. Review & evaluate policies & processes for assigning ownership of company data, classifying the data, protecting the data in accordance with its classification, & defining the data's life cycle
11. Ensure that effective processes exist for complying with applicable laws & regulations that affect IT & for maintaining awareness of changes in the regulatory environment
12. Review & evaluate processes for ensuring end users of the IT environment are able to report problems, are appropriately involved in IT decisions, & are satisfied with the services provided by IT
13. Review & evaluate processes for managing 3rd-party services; ensure their roles & responsibilities are clearly defined & their performance is monitored
14. Review & evaluate processes for controlling non-employee logical access
15. Review & evaluate processes for ensuring the company is in compliance with applicable software licenses
16. Review & evaluate controls over remote access into the company's network
17. Ensure hiring & termination procedures are clear & comprehensive
18. Review & evaluate policies & procedures for controlling the procurement & movement of hardware
19. Ensure system configurations are controlled with change management to avoid unnecessary system outages
20. Ensure media transportation, storage, reuse & disposal are addressed adequately by company-wide policies & procedures
21. Verify that capacity monitoring & planning are addressed adequately by company policies & procedures
22. Based on the structure of the company's IT organization & processes, identify & audit other entity-level IT processes

Auditing Data Centers & Disaster Recovery
Facility-based controls: access control systems, alarm systems, fire suppression systems
System & site resiliency: power; heating, ventilation & air-conditioning; network connectivity
Data center operations: physical access control; system & facility monitoring; facility & equipment maintenance; responding to outages & emergencies

Auditing Network Devices (routers, switches, firewalls): general controls
1. Review controls around developing & maintaining configurations
2. Ensure appropriate controls are in place for any vulnerability associated with the current software version. These controls might include software updates, configuration changes, or other compensating controls
3. Verify that all unnecessary services are disabled
4. Ensure good SNMP management practices are followed (e.g. SNMPv3, strong passwords & change frequency)
5. Review & evaluate procedures for creating user accounts & ensuring that accounts are created only when there is a legitimate business need. Also review & evaluate processes for ensuring that accounts are removed or disabled in a timely fashion in the event of termination or job change
6. Ensure appropriate password controls are used
7. Verify that secure management protocols are used where possible
8. Ensure that current backups exist for configuration files, if applicable
9. Verify that logging is enabled & sent to a centralized system
10. Evaluate the use of Network Time Protocol (NTP)
11. Verify that a banner is configured to make all connecting users aware of the company's policy for use & monitoring
12. Ensure that access controls are applied to the console port
13. Ensure that all network equipment is stored in a secure location
14. Ensure that a standard naming convention is used for all devices
15. Verify that standard, documented processes exist for building network devices

Auditing Layer 2 Devices: additional controls for switches
1. Verify that administrators avoid using VLAN 1
2. Evaluate the use of trunk autonegotiation
3. Verify that Spanning-Tree Protocol attack mitigation is enabled (BPDU Guard, Root Guard)
4. Evaluate the use of VLANs on the network
5. Disable all unused ports, & put them in an unused VLAN
6. Evaluate the use of the VLAN Trunking Protocol (VTP) in the environment
7. Verify that thresholds exist that limit broadcast/multicast traffic on ports

Auditing Layer 3 Devices: additional controls for routers
1. Verify that inactive interfaces on the router are disabled
2. Ensure that the router is configured to save all core dumps
3. Verify that all routing updates are authenticated
4. Verify that IP source routing & IP directed broadcasts are disabled

Auditing Firewalls: additional controls
1. Verify that all packets are denied by default
2. Ensure that inappropriate internal & external IP addresses are filtered

Auditing Windows Operating Systems
1. Obtain the system information & service pack version, & compare with policy requirements
2. Determine if the server is running the company-provisioned firewall
3. Determine if the server is running a company-provisioned antivirus program
4. Ensure that all approved patches are installed per your server management policy
5. Determine if the server is running a company-provisioned patch management solution
6. Review & verify startup information
7. Determine what services are enabled on the system & validate their necessity with the system administrator. For necessary services, review & evaluate procedures for assessing vulnerabilities associated with those services & keeping them patched
8. Ensure that only approved applications are installed on the system per your server management policy
9. Ensure that only approved scheduled tasks are running
10. Review & evaluate procedures for creating user accounts & ensuring that accounts are created only when there is a legitimate business need. Remove or disable accounts in a timely fashion in the event of termination or job change
11. Ensure that all users are created at the domain level & clearly annotated in Active Directory. Each user should trace to a specific employee or team
12. Review & evaluate the use of groups, & determine the restrictiveness of their use
13. Review & evaluate the strength of system passwords
14. Evaluate the use of password controls on the server, such as password aging, length, complexity, history & lockout policies
15. Review & evaluate the use of user rights & security options assigned to the elements in the security policy settings
16. Review & evaluate the use of & need for remote access, including RAS connections, FTP, Telnet, SSH, VPN & other methods
17. Ensure that a legal warning banner is displayed when connecting to the system
18. Look for & evaluate the use of shares on the host
19. Ensure that the server has auditing enabled per your policies or the organization's practices
20. Review & evaluate system administration procedures for monitoring the state of security on the system
21. If you are auditing a larger environment, determine whether there is a standard build for new systems & whether that baseline has adequate security; consider auditing a system freshly created from the baseline
22. Perform the steps from Auditing Data Centers & Disaster Recovery

Auditing Windows Clients: additional steps
1. Determine if the client is running the company-provisioned firewall
2. Determine if the client is running a company-provisioned antivirus program
3. Determine if the client is running a company-provisioned patch management solution
4. Determine if the client is equipped with the minimum recommended service pack, hotfixes & software
5. Ensure that the client follows the Microsoft Baseline Security Analyzer (MBSA) recommendations
6. Scan the system using a commercial-grade network scanner
7. Evaluate physical security controls during a walk-through

Auditing Unix & Linux Operating Systems

Account Management & Password Controls
1. Review & evaluate procedures for creating Unix/Linux user accounts & ensure that accounts are created only when there is a legitimate business need. Remove or disable accounts in a timely fashion in the event of termination or job change
2. Ensure that all UIDs in the password file(s) are unique
3. Ensure that passwords are shadowed & use strong hashes where possible
4. Evaluate the file permissions for the password & shadow password files
5. Review & evaluate the strength of system passwords
6. Evaluate the use of password controls such as aging
7. Review the process used by the system administrator for setting initial passwords for new users & communicating those passwords
8. Ensure that each account is associated with & can be traced easily to a specific employee
9. Ensure that an invalid shell has been set on all disabled accounts
10. Review & evaluate access to superuser ("root"-level) accounts
11. Review & evaluate the use of groups, & determine the restrictiveness of their use
12. Evaluate the use of passwords at the group level
13. Review & evaluate the security of directories in the default path used by the system administrator when adding new users. Evaluate the use of the "current directory" in the path

File Security & Controls
1. Evaluate the file permissions for a judgmental sample of critical files & their related directories
2. Look for open directories on the system, & determine whether they should have the sticky bit set
3. Evaluate the security of all SUID files on the system, especially those that are SUID to "root"
4. Review & evaluate security over the kernel
5. Ensure that all files have a legal owner in /etc/passwd
6. Ensure that the chown command cannot be used by users to compromise user accounts
7. Obtain & evaluate the default umask value for the server
8. Review & evaluate the security of the directories in root's path. Evaluate the use of the "current directory" in the path
9. Review the security of the files referenced by crontab entries, particularly root's. They generally should be writable only by the owner of the crontab. Ensure no cron jobs are run from writable directories
10. Examine the system's scheduled at jobs for unusual/suspicious entries

Network Security & Controls
1. Determine what network services are enabled on the system & validate their necessity with the system administrator. For necessary services, review & evaluate procedures for assessing vulnerabilities associated with those services & keeping them patched
2. Execute a network vulnerability scanning tool in order to check for current vulnerabilities in the environment
3. Review & evaluate the use of trusted access via /etc/hosts.equiv-style trusted-host files; ensure, if necessary, that it is restricted to the extent possible
4. If anonymous FTP is enabled & needed, ensure that it is locked down properly
5. If NFS is enabled & needed, ensure it is secured properly
6. Review for the use of secure protocols
7. Review & evaluate the use of .netrc files
8. Ensure that a legal banner is displayed when connecting to the system
9. Review & evaluate the use of modems on the server

Audit Logs
1. Review controls for preventing direct "root" logins
2. Review the su & sudo command logs to ensure that when these commands are used, they are logged with the date, time & user who typed the command
3. Evaluate the syslog in order to ensure that adequate information is being captured
4. Evaluate the security & retention of the wtmp log, sulog, syslog & any other relevant audit logs
5. Evaluate security over the utmp file

Security Monitoring & Other Controls
1. Review & evaluate system administration procedures for
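Several of the network-device items above (general controls 4, 7, 9, 10 and 11; Layer 2 items 1 and 3; Layer 3 item 4) can be checked offline against a saved running configuration rather than by clicking through the device. The following Python script is an added example written for this page, not code from E-SPIN or any vendor on it: it parses two IOS-style configurations, a weak one and a hardened one, both constructed for the example, and reports which checklist items fail. The GEN/L2/L3 finding labels are this example's own numbering of the lists above.

```python
"""Offline audit of an IOS-style device configuration against the
network-device checklist.  Rule IDs (GEN/L2/L3) are this example's own
labels for the general, Layer 2 and Layer 3 items; both configurations
below are constructed for the example, not captured from a real device."""
import re

# Constructed "before" configuration carrying the weaknesses the checklist targets.
WEAK_CONFIG = """\
hostname core-sw1
ip source-route
ip http server
snmp-server community public RO
ntp server 10.0.0.5
interface GigabitEthernet0/1
 description uplink to core-rtr1
 switchport mode trunk
 switchport trunk native vlan 1
interface GigabitEthernet0/2
 ip address 192.0.2.1 255.255.255.0
 ip directed-broadcast
line vty 0 4
 transport input telnet ssh
"""

# Constructed "after" configuration that should pass every check.
HARDENED_CONFIG = """\
hostname core-sw1
no ip source-route
no ip http server
snmp-server group AUDIT v3 priv
snmp-server user auditor AUDIT v3 auth sha AuthPass123 priv aes 128 PrivPass123
logging host 10.0.0.20
ntp server 10.0.0.5
banner login ^C Authorized use only. Activity is logged and monitored. ^C
spanning-tree portfast bpduguard default
interface GigabitEthernet0/1
 description uplink to core-rtr1
 switchport mode trunk
 switchport trunk native vlan 999
interface GigabitEthernet0/2
 ip address 192.0.2.1 255.255.255.0
 no ip directed-broadcast
line vty 0 4
 transport input ssh
"""


def parse_blocks(config):
    """Split a config into (top-level line, [indented child lines]) blocks.
    IOS indents the body of interface/line/router sections with one space."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith('!'):
            continue
        if raw.startswith(' ') and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit_config(config):
    """Return a list of findings; an empty list means every check passed."""
    blocks = parse_blocks(config)
    top = [head for head, _ in blocks]

    def has(pattern):
        # Anchored at line start, so "no ip source-route" never matches "ip source-route$".
        return any(re.match(pattern, line) for line in top)

    findings = []
    if has(r'ip source-route$'):
        findings.append('L3-4: IP source routing enabled (want "no ip source-route")')
    if has(r'snmp-server community '):
        findings.append('GEN-4: SNMPv1/v2c community string configured (want SNMPv3 authPriv)')
    if has(r'ip http server$'):
        findings.append('GEN-7: plaintext HTTP management enabled')
    if not has(r'banner (login|motd) '):
        findings.append('GEN-11: no login/motd banner configured')
    if not has(r'logging (host )?\d+\.\d+\.\d+\.\d+'):
        findings.append('GEN-9: logging is not sent to a central syslog host')
    if not has(r'ntp server '):
        findings.append('GEN-10: no NTP server configured')
    if not has(r'spanning-tree portfast bpduguard default$'):
        findings.append('L2-3: BPDU Guard not enabled globally')

    for head, body in blocks:
        if head.startswith('line vty') and any(re.match(r'transport input .*telnet', l) for l in body):
            findings.append(f'GEN-7: telnet accepted on "{head}" (want "transport input ssh")')
        if head.startswith('interface '):
            name = head.split(None, 1)[1]
            if 'switchport trunk native vlan 1' in body:
                findings.append(f'L2-1: VLAN 1 is the native VLAN on trunk {name}')
            if any(l.startswith('ip directed-broadcast') for l in body):
                findings.append(f'L3-4: directed broadcasts enabled on {name}')
    return findings


if __name__ == '__main__':
    for label, cfg in (('weak', WEAK_CONFIG), ('hardened', HARDENED_CONFIG)):
        result = audit_config(cfg)
        print(f'{label}: {len(result)} finding(s)')
        for finding in result:
            print('  ' + finding)
```

Running the script reports nine findings for the weak configuration and none for the hardened one. Matching is anchored at the start of each line so that the negated forms (no ip source-route, no ip http server, no ip directed-broadcast) are not mistaken for the weak setting; a real audit would also compare the configuration against the device's defaults for the running software version, since some of these settings are off by default on current trains.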

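The Unix/Linux account management items above (unique UIDs, shadowed passwords with strong hashes, password-file permissions, aging, invalid shells on disabled accounts, and superuser access) are easiest to verify from copies of /etc/passwd and /etc/shadow. The Python script below is an added example written for this page, not E-SPIN's or any vendor's code: it audits constructed passwd/shadow contents (the hashes are dummy placeholders, not real crypt output) and constructed file modes, and the ACC-n labels are this example's own numbering of the Account Management & Password Controls list.

```python
"""Offline audit of Unix/Linux account and password-file controls.  ACC-n
labels are this example's own numbering of the Account Management & Password
Controls items; the passwd/shadow contents and file modes are constructed
for the example and are not from a real host."""
import stat

# Constructed /etc/passwd: duplicate UID 1001, a second UID-0 account and an
# unshadowed legacy hash are the planted defects.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
backup:x:1001:1002:Backup:/srv/backup:/bin/sh
toor:x:0:0:legacy admin:/root:/bin/bash
legacy:Np6G4eF2pQxw6:1003:1003:Legacy:/home/legacy:/bin/sh
svc:x:1004:1004:Service:/var/svc:/bin/bash
"""

# Constructed /etc/shadow (dummy hashes): an MD5 hash, a never-expiring
# password, a locked account that keeps a shell, and an empty password field.
SHADOW = """\
root:$6$salt$hash:19000:0:90:7:::
daemon:*:19000:0:99999:7:::
alice:$y$j9T$salt$hash:19000:0:90:7:::
bob:$1$salt$hash:19000:0:99999:7:::
backup:!$6$salt$hash:19000:0:90:7:::
toor:$6$salt$hash:19000:0:90:7:::
svc::19000:0:90:7:::
"""

NOLOGIN_SHELLS = {'/usr/sbin/nologin', '/sbin/nologin', '/bin/false'}
# crypt(3) identifiers accepted as strong: SHA-256, SHA-512, yescrypt, bcrypt.
STRONG_HASH_PREFIXES = ('$5$', '$6$', '$y$', '$2b$', '$2y$')


def parse_colon_file(text):
    """Split passwd/shadow text into field lists, skipping blanks and comments."""
    return [line.split(':') for line in text.splitlines()
            if line and not line.startswith('#')]


def audit_accounts(passwd_text, shadow_text, max_age_days=90):
    """Return a list of findings against the account checklist items."""
    findings = []
    shadow = {fields[0]: fields for fields in parse_colon_file(shadow_text)}
    uid_owners = {}
    for user, pw, uid, _gid, _gecos, _home, shell in parse_colon_file(passwd_text):
        uid_owners.setdefault(uid, []).append(user)
        if uid == '0' and user != 'root':                  # ACC-10: superuser access
            findings.append(f'ACC-10: {user} has UID 0')
        if pw != 'x':                                       # ACC-3: hash belongs in /etc/shadow
            findings.append(f'ACC-3: {user} password is not shadowed')
            continue
        entry = shadow.get(user)
        if entry is None:
            findings.append(f'ACC-3: {user} has no /etc/shadow entry')
            continue
        hashed = entry[1]
        if hashed.startswith(('!', '*')):                   # locked/disabled account
            if shell not in NOLOGIN_SHELLS:                 # ACC-9: disabled accounts get an invalid shell
                findings.append(f'ACC-9: locked account {user} still has login shell {shell}')
            continue
        if hashed == '':                                    # ACC-5: password strength
            findings.append(f'ACC-5: {user} has an empty password')
        elif not hashed.startswith(STRONG_HASH_PREFIXES):   # ACC-3: strong hashes
            algo = 'MD5' if hashed.startswith('$1$') else 'DES or unknown'
            findings.append(f'ACC-3: {user} uses a weak hash ({algo})')
        if shell not in NOLOGIN_SHELLS:                     # ACC-6: password aging (field 5 = max days)
            max_days = entry[4]
            if max_days == '' or int(max_days) > max_age_days:
                findings.append(f'ACC-6: {user} password max age exceeds {max_age_days} days')
    for uid, users in uid_owners.items():                   # ACC-2: unique UIDs
        if len(users) > 1:
            findings.append(f'ACC-2: UID {uid} shared by {", ".join(users)}')
    return findings


def audit_file_modes(modes):
    """ACC-4: modes is {path: st_mode permission bits}.  /etc/passwd may be
    world-readable but never group/world-writable; /etc/shadow must be closed
    to 'other' and not writable by its group."""
    findings = []
    if modes['/etc/passwd'] & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append('ACC-4: /etc/passwd is group- or world-writable')
    if modes['/etc/shadow'] & (stat.S_IRWXO | stat.S_IWGRP):
        findings.append('ACC-4: /etc/shadow is accessible beyond root and the shadow group')
    return findings


if __name__ == '__main__':
    for finding in audit_accounts(PASSWD, SHADOW):
        print(finding)
    print(audit_file_modes({'/etc/passwd': 0o644, '/etc/shadow': 0o640}))
```

On a live host the same functions can be fed the output of `cat /etc/passwd` and `cat /etc/shadow` (root required for the latter) and `os.stat(path).st_mode` for the modes. Locked accounts are skipped for the hash and aging checks deliberately: the control for those accounts is the invalid shell (ACC-9), not the password policy.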