INFORMATION SECURITY AUDITS - THE SECOND STEP TO SECURING YOUR BUSINESS FROM CYBERSECURITY THREATS

Having information security policies and procedures in place is not, by itself, an assurance that organizational information assets are well protected. The policies may be inadequate, or compliance with them may be inadequate. To gain assurance that they are effective in achieving their objectives, a review must be performed.

I. What is a Security Audit?

A computer security audit is a manual, systematic and measurable technical assessment of a system or application. Manual assessments include interviewing staff, performing security vulnerability scans, reviewing application and operating system access controls, and analyzing physical access to the system.

II. Why Security Audit?

A security audit is needed to ensure that your cyber defenses are up to date, so that they can respond effectively to threats posed by hackers and other criminals who manipulate IT systems for their own ends.

III. Components of a Security Audit:

+ Physical security
+ Ports and services
+ Installation/configuration
+ Security event log
+ Account security
+ Backup & disaster recovery
+ Network

1. Physical Security

Decide on the location of your servers. Make sure your servers are placed in a secured environment to protect your employees and assets. Have a checklist in place and make sure it is regularly maintained and followed.
Consider implementing the three rings of security, a logical and cost-effective approach to flexible security. Each ring has a definite and separate function but, when combined, they provide flexible and effective security at a reasonable cost:

1. The first and outermost ring addresses the building and its outer perimeter. These areas are secured with a combination of mechanical locks and electronic access controls. The first ring is electronically monitored.

2. The second ring of security includes physically separating and locking controlled areas. These areas are secured, at the very least, with mechanical locks.

3. The third and innermost ring of security includes restricted areas. Entry into these areas is controlled on a need-to-enter basis. These areas are secured with electronic access control. The third ring is also electronically monitored.

2. Installation/Configuration

While this is a thorough list, additional protective measures are being discovered every day. The following steps in the installation process have security implications:

    + Remove your server from the network to prevent it from being attacked or exploited before appropriate patches and configurations are in place.
    + Create separate partitions for each major portion of the server: operating system, file serving, logs, etc.
    + Format all drives using NTFS. The NTFS file system allows you to control access to files and directories.
    + You will be prompted to set up the administrator's password. Select a strong password, but note that you will make additional changes later.
    + Install all service packs and hotfixes appropriate to your server. It is extremely important to keep up to date with new versions and releases.
    + Install antivirus packages and keep them updated. Schedule your software to update regularly and frequently. Have a process in place that will detect an unknown event and alert support immediately.
    + Use "Custom Settings" to configure your network settings. This is where you will enter your designated IP information; static IP addresses are more secure. Configure DNS and WINS on your NICs, clear the "Enable LMHOSTS lookup" check box and select the "Disable NetBIOS over TCP/IP" option on the WINS tab.
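The build-time items in the list above can be verified after the fact from an elevated PowerShell session. The following script is an added example written for this article, not code from the original page or from Singalarity; it checks the NTFS, static-IP, LMHOSTS, NetBIOS-over-TCP/IP, patch-currency and antivirus items using built-in cmdlets. The 30-day patch window and 3-day signature-age limit are assumptions chosen for illustration.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell session
# on the server being audited. Cmdlets used: Get-Volume, Get-CimInstance, Get-HotFix,
# Get-MpComputerStatus (only if Windows Defender is present).

function Test-ServerBuildConfig {
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Every fixed volume with a drive letter should be NTFS.
    Get-Volume | Where-Object { $_.DriveLetter -and $_.DriveType -eq 'Fixed' } | ForEach-Object {
        if ($_.FileSystem -ne 'NTFS') {
            $findings.Add("Volume $($_.DriveLetter): is $($_.FileSystem), not NTFS")
        }
    }

    # 2. Per-adapter network settings: static IP, LMHOSTS lookup off, NetBIOS over TCP/IP disabled.
    #    TcpipNetbiosOptions: 0 = use DHCP setting, 1 = enabled, 2 = disabled.
    Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
        $name = $_.Description
        if ($_.DHCPEnabled) {
            $findings.Add("$name uses DHCP; a static IP is recommended")
        }
        if ($_.WINSEnableLMHostsLookup) {
            $findings.Add("$name has LMHOSTS lookup enabled")
        }
        if ($_.TcpipNetbiosOptions -ne 2) {
            $findings.Add("$name does not have NetBIOS over TCP/IP disabled (value $($_.TcpipNetbiosOptions))")
        }
    }

    # 3. Patch currency: flag if the newest installed hotfix is older than 30 days (assumed threshold).
    $latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    if (-not $latest -or $latest.InstalledOn -lt (Get-Date).AddDays(-30)) {
        $findings.Add("No hotfix installed in the last 30 days (latest: $($latest.HotFixID) on $($latest.InstalledOn))")
    }

    # 4. Antivirus: Windows Defender real-time protection and signature age, if the module exists.
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        $mp = Get-MpComputerStatus
        if (-not $mp.RealTimeProtectionEnabled) { $findings.Add('Defender real-time protection is off') }
        if ($mp.AntivirusSignatureAge -gt 3) { $findings.Add("Defender signatures are $($mp.AntivirusSignatureAge) days old") }
    }

    return $findings
}

$result = Test-ServerBuildConfig
if ($result.Count -eq 0) { 'No findings' } else { $result }
```

Each finding is returned as a string rather than printed inside the function, so the same function can feed a report, a ticket, or a scheduled compliance job without changes.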

Now that your server has been configured properly for the network, it is time to start configuring and applying the numerous security enhancements that will protect your server from internal and external intrusions.

3. Account Security

Verify that the Guest account is disabled, since attackers can log in to the host as a guest user with an arbitrary account name. Such a vulnerability will be found easily by Singalarity's Vulnerability Assessment:

(Screenshot: Guest Account Vulnerability)

• A common suggestion is to rename the Administrator account, or even to create a dummy account named "Administrator". While this is a simple procedure, it can stop some attempts to attack a Windows host through the Administrator account. Whatever your decision is, make sure you are using a strong password policy.

• Do not create unnecessary accounts such as test accounts, shared accounts, or generic accounts, as doing so creates unnecessary vulnerabilities in your system. If you must create these types of accounts, be sure to disable them when they are not in use, use group policies to assign permissions, and audit these accounts regularly.


4. Authentication Group

+ Replace the Everyone group with Authenticated Users on file shares, because the Everyone setting allows anyone who gains access to your network to access all your data.
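The account checks from section 3 and the share-permission check from section 4 can be run from one script. The following is an added example, not code from the original article or from Singalarity. It identifies the built-in Guest and Administrator accounts by their well-known RIDs (501 and 500) rather than by name, since renaming is exactly what the text recommends; the name pattern used to spot test or shared accounts is an assumption, as is the "Everyone" account name, which is localized on non-English systems.

```powershell
# Added example, not from the original article. Run elevated on the server being audited.
# Cmdlets used: Get-LocalUser (Microsoft.PowerShell.LocalAccounts), Get-SmbShare and
# Get-SmbShareAccess (SmbShare module).

function Test-LocalAccounts {
    $findings = [System.Collections.Generic.List[string]]::new()
    $users = Get-LocalUser

    # Built-in accounts are found by RID, because the Administrator account may be renamed.
    $guest = $users | Where-Object { $_.SID.Value -like '*-501' }
    $admin = $users | Where-Object { $_.SID.Value -like '*-500' }

    if ($guest -and $guest.Enabled) { $findings.Add('Built-in Guest account (RID 501) is enabled') }
    if ($admin -and $admin.Name -eq 'Administrator') {
        $findings.Add('Built-in Administrator account (RID 500) still uses the default name')
    }

    # Enabled accounts with non-expiring passwords, or names that suggest test/shared use (assumed heuristic).
    foreach ($u in ($users | Where-Object Enabled)) {
        if (-not $u.PasswordExpires) {
            $findings.Add("Account '$($u.Name)' is enabled with a non-expiring password")
        }
        if ($u.Name -match 'test|temp|shared|generic') {
            $findings.Add("Account '$($u.Name)' looks like a test/shared account and is enabled")
        }
    }
    return $findings
}

function Test-ShareAccess {
    $findings = [System.Collections.Generic.List[string]]::new()
    # Administrative shares (C$, ADMIN$, IPC$) are marked Special; their ACLs are fixed by Windows.
    foreach ($share in (Get-SmbShare | Where-Object { -not $_.Special })) {
        foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
            if ($ace.AccountName -eq 'Everyone' -and $ace.AccessControlType -eq 'Allow') {
                $findings.Add("Share '$($share.Name)' grants Everyone $($ace.AccessRight); replace with Authenticated Users")
            }
        }
    }
    return $findings
}

Test-LocalAccounts
Test-ShareAccess
```

Get-SmbShareAccess reports only the share-level permission; the NTFS permissions on the underlying folder still apply and should be reviewed separately.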

5. Password Policies

A password policy is a set of rules designed to enhance computer security by encouraging users to set strong passwords and use them properly.

(Screenshot: the password policy requirements of the Government System)

Some common suggestions are (tested on Windows Server):

1. Enforce Password History: Enabled (recommended value is 5 past passwords)

2. Maximum Password Age: Enabled (recommended value is 60 characters)

3. Minimum Password Age: Enabled (recommended value is 5 characters)

6. Account Lockout Policies

Account lockout policies are a useful method for slowing down online password-guessing attacks and for compensating for weak password policies. These three policies work together to limit the number of consecutive login attempts within a set timeframe that fail because of wrong passwords.

Some suggestions are (tested on Windows Server with Singalarity's audit checklist for the Government System):

1. Account Lockout Threshold: Enabled (recommended value is 3-5 invalid logon attempts)

2. Account Lockout Duration: Enabled (recommended value is 30s)

3. Reset Account Lockout Threshold After: Disabled (manual reset of accounts is recommended)
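Both the password settings in section 5 and the lockout settings in section 6 live in the local security policy, which `secedit.exe` can export as an INI-style file. The following script is an added example, not code from the original article or from Singalarity; it exports the policy, parses the numeric keys, and compares them with the recommended values above. The recommendations are interpreted in secedit's own units (days for password ages, minutes for lockout duration), which is an assumption about what the article intends, and the temporary export path is chosen here for illustration.

```powershell
# Added example, not from the original article. Run elevated; secedit.exe is built into Windows.
# Keys below are the names secedit writes in the [System Access] section of its export.

$Recommended = @{
    PasswordHistorySize = @{ Min = 5;          Note = 'remember at least 5 past passwords' }
    MaximumPasswordAge  = @{ Max = 60;         Note = 'expire passwords within 60 days' }
    MinimumPasswordAge  = @{ Min = 5;          Note = 'prevent password changes for at least 5 days' }
    LockoutBadCount     = @{ Min = 3; Max = 5; Note = 'lock after 3-5 failed logons' }
    LockoutDuration     = @{ Min = 30;         Note = 'keep the account locked for at least 30 minutes' }
}

function Get-SecurityPolicyValues {
    # Export to a temp file (assumed path) and read it back; the export is UTF-16 text.
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    & secedit.exe /export /cfg $cfg /quiet | Out-Null
    if (-not (Test-Path $cfg)) { throw 'secedit export failed' }

    $values = @{}
    foreach ($line in Get-Content $cfg -Encoding Unicode) {
        # Only "Key = <integer>" lines are of interest; quoted string values are skipped.
        if ($line -match '^\s*(\w+)\s*=\s*(-?\d+)\s*$') { $values[$Matches[1]] = [int]$Matches[2] }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    return $values
}

function Test-PasswordAndLockoutPolicy {
    $values   = Get-SecurityPolicyValues
    $findings = [System.Collections.Generic.List[string]]::new()

    foreach ($key in $Recommended.Keys) {
        $r = $Recommended[$key]
        if (-not $values.ContainsKey($key)) {
            # LockoutDuration is only written when a lockout threshold is set.
            $findings.Add("$key is not configured ($($r.Note))")
            continue
        }
        $v = $values[$key]
        # secedit writes -1 for "password never expires" and 0 for "no lockout threshold".
        if ($key -eq 'MaximumPasswordAge' -and $v -lt 0) { $findings.Add("Passwords never expire ($($r.Note))"); continue }
        if ($key -eq 'LockoutBadCount'    -and $v -eq 0) { $findings.Add("Account lockout is not enabled ($($r.Note))"); continue }
        if ($r.ContainsKey('Min') -and $v -lt $r.Min) { $findings.Add("$key = $v, below recommendation ($($r.Note))") }
        if ($r.ContainsKey('Max') -and $v -gt $r.Max) { $findings.Add("$key = $v, above recommendation ($($r.Note))") }
    }
    return $findings
}

Test-PasswordAndLockoutPolicy
```

On a domain member the effective settings come from the domain's Default Domain Policy, so run the export on a domain controller, or use `Get-ADDefaultDomainPasswordPolicy`, to audit what actually applies.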

7. Audit Policies

The audit policy determines which types of information about the system you will find in the Security log.
Some suggestions from Singalarity's Security Audit Checklist for the Government System:

Take note that in large organizations, recording Success events will cause the logs to fill up rapidly. You may consider recording Success events only on certain domain controllers or on specific member servers that hold highly sensitive or confidential information.
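The effective audit policy can be read with `auditpol.exe`, whose `/r` switch emits CSV. The following is an added example, not code from the original article or from Singalarity's checklist; it counts how many subcategories record Success (the log-volume concern above), lists those that record nothing, and checks a small baseline of subcategories for Failure auditing. That baseline is an assumption for illustration, not the checklist's content.

```powershell
# Added example, not from the original article. Run elevated; auditpol.exe is built into Windows.
# CSV columns: Machine Name, Policy Target, Subcategory, Subcategory GUID, Inclusion Setting, Exclusion Setting.

function Get-AuditPolicyTable {
    $csv = & auditpol.exe /get /category:* /r
    # Drop any blank lines before parsing so the header is the first row.
    return ($csv | Where-Object { $_.Trim() }) | ConvertFrom-Csv
}

function Test-AuditPolicy {
    $rows    = Get-AuditPolicyTable
    $none    = @($rows | Where-Object { $_.'Inclusion Setting' -eq 'No Auditing' })
    $success = @($rows | Where-Object { $_.'Inclusion Setting' -match 'Success' })
    $failure = @($rows | Where-Object { $_.'Inclusion Setting' -match 'Failure' })

    # Subcategories an auditor would normally expect to record at least Failure (assumed baseline).
    $baseline = 'Logon', 'Logoff', 'Account Lockout', 'User Account Management',
                'Security Group Management', 'Audit Policy Change'
    $missing = foreach ($name in $baseline) {
        $row = $rows | Where-Object Subcategory -eq $name
        if (-not $row -or $row.'Inclusion Setting' -notmatch 'Failure') { $name }
    }

    [pscustomobject]@{
        TotalSubcategories     = $rows.Count
        NoAuditing             = $none.Count
        SuccessEnabled         = $success.Count
        FailureEnabled         = $failure.Count
        NotAudited             = @($none.Subcategory)
        BaselineMissingFailure = @($missing)
    }
}

Test-AuditPolicy
```

A high SuccessEnabled count on a busy member server is the situation the paragraph above warns about; pair any increase in Success auditing with a matching increase in the Security log's maximum size and a forwarding or retention plan.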

8. Services

Disable any network services that are not required. Be aware that many installed applications require additional services to run, which opens the server to potential exploitation. A few services that should be disabled are IIS services, FTP services, Network News Transport Protocol (NNTP), Simple Mail Transport Protocol (SMTP), and the World Wide Web Publishing Service. Some suggestions for Windows services are:



9. Ports

Disable any ports that are not required, but never assume your servers are safe! You can find a reference list of ports and the services assigned to them on your local system in the file %SystemRoot%\System32\drivers\etc\services.

Some suggestions by Singalarity experts for special ports:
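Sections 8 and 9 can be checked together, since a listening port is usually owned by a service. The following is an added example, not code from the original article or from Singalarity. It reports the state of the services named in section 8 by their Windows short names, then lists every listening TCP port with its owning process and service. Note that the `services` file mentioned above only maps well-known port numbers to names; what is actually listening comes from `Get-NetTCPConnection`. The list of expected ports is an assumption chosen for a typical Windows server and should be replaced with the server's own baseline.

```powershell
# Added example, not from the original article. Run elevated on the server being audited.
# Cmdlets used: Get-Service, Get-CimInstance, Get-NetTCPConnection, Get-Process.

# Short service names for the services section 8 says should be disabled.
$UnwantedServices = @{
    W3SVC   = 'World Wide Web Publishing Service'
    FTPSVC  = 'Microsoft FTP Service'
    SMTPSVC = 'Simple Mail Transport Protocol (SMTP)'
    NNTPSVC = 'Network News Transport Protocol (NNTP)'
}
# Assumed baseline of ports expected on this server: RPC, NetBIOS, SMB, RDP, WinRM.
$ExpectedPorts = 135, 139, 445, 3389, 5985

function Test-UnwantedServices {
    foreach ($name in $UnwantedServices.Keys) {
        $svc    = Get-Service -Name $name -ErrorAction SilentlyContinue
        $status = if ($svc) { [string]$svc.Status }    else { 'not installed' }
        $start  = if ($svc) { [string]$svc.StartType } else { '-' }
        [pscustomobject]@{
            Service   = $name
            Display   = $UnwantedServices[$name]
            Installed = [bool]$svc
            Status    = $status
            StartType = $start
            # A service is acceptable only if absent or stopped and disabled.
            Compliant = (-not $svc) -or ($status -eq 'Stopped' -and $start -eq 'Disabled')
        }
    }
}

function Get-ListeningPorts {
    # Map process IDs to service names once, so each port can be attributed to a service.
    $services = Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -gt 0 }
    Get-NetTCPConnection -State Listen | Sort-Object LocalPort -Unique | ForEach-Object {
        $owner    = $_.OwningProcess
        $proc     = Get-Process -Id $owner -ErrorAction SilentlyContinue
        $svcNames = ($services | Where-Object { $_.ProcessId -eq $owner }).Name -join ','
        [pscustomobject]@{
            Port     = $_.LocalPort
            Address  = $_.LocalAddress
            Process  = if ($proc) { $proc.ProcessName } else { '?' }
            Services = $svcNames
            Expected = $_.LocalPort -in $ExpectedPorts
        }
    }
}

Test-UnwantedServices | Format-Table -AutoSize
# Anything listening outside the baseline is what the auditor needs to justify or close.
Get-ListeningPorts | Where-Object { -not $_.Expected } | Format-Table -AutoSize
```

Ports bound to 127.0.0.1 or ::1 are reachable only locally and can usually be triaged last; those bound to 0.0.0.0 or :: are the ones a host-based firewall rule or service removal should address first.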


Summary

This paper has explained how proper configuration and planning for servers, as an initial step in the audit process, will help ensure that your system information is secured. The cost in time and money is significant. However, a budget for security, controls and monitoring is necessary to minimize or eliminate the risks posed to a networked system, which will have many potential avenues for penetration.

