Information Security Process: Internal Auditing
August 28, 2013
Information security, like all relationships, requires time and effort. I use a security management system which works well for the companies I have secured and maintained: Classify, Secure, Audit, Educate, Repeat. It is not a memorable acronym, but it is a very valuable path to cycle through. Each iteration has made my companies better prepared for the inevitable attacks, and has made business recovery easier and faster.
I cover auditing of the various security policies in this short article. It is perhaps one of the driest pieces of this repetitive puzzle, unless you decide to make it a game.
The game I generally see security professionals play is to attack servers and try to determine vulnerabilities before the System or Network Engineers are able to patch those servers. This always encourages poor cooperation between these teams, which succeed or fail only with each other's help. A more interesting way is to hire outside auditors to test your site security or internal corporate security, and then run your own internal tests to see if you can find more vulnerabilities than they did. This is always more rewarding and rarely incurs the wrath of those on your own team.
Internal auditing is a crucial piece of the security puzzle, and must be executed regularly to maintain a working and thorough knowledge of your networks and perimeters, and of the success of your policies.
.wdnii.
© 2013 Norris Proprietaries Inc.