Have you recently considered the current state of your network security? Many people are concerned about that these days -- and rightfully so. What are you doing about it?
Many organizations are at least reviewing system logs and occasionally monitoring network traffic. That level of information is helpful but doesn't tell the whole story. If you want to gauge the current condition of your network security, you must perform an in-depth network security audit -- also known as a vulnerability and penetration test or security assessment.
In this context, network security audits are not audits of formal IT controls at the OS, application and database levels. Instead, they're exercises in uncovering the security vulnerabilities on your network in the hope of resolving them before the bad guys exploit them. It is important not to confuse the various security testing terms.
So, how do you construct a network security audit checklist? What systems do you test? What tools do you use, and who is involved?
The five-step network security audit checklist
A proper network security audit is pretty simple, yet involved. A network security audit checklist can include everything from the initial scoping to the execution of tests to reporting and follow-up. The important thing is to follow a proven methodology to uncover security flaws that matter.
The following five-step network security audit checklist will help evaluate the vulnerabilities and risks on your network.
- Planning things out. This phase of your network security audit outlines the scope, the tools that might be used, and who is doing the testing and when. Everyone needs to be on the same page on items such as the following:
  - Will you test everything, or just external systems or just internal?
  - What tools will be used? Some tools include Nessus, NetScanTools Pro, Netsparker and Acunetix Vulnerability Scanner.
  - What time can vulnerability scans be run?
  - Will whitelisting of the testing computers take place to prevent firewall and intrusion prevention system blocking? In most situations, this step is recommended.
- Running your tests. This is the actual execution phase where you'll run your vulnerability scanners. You'll also manually analyze and validate the scanner findings. You may perform some phishing assessment using a tool such as Lucy and even some network analysis using a tool such as CommView for Wi-Fi. Some tests must be performed manually using an HTTP proxy, such as Burp Suite; an exploit tool, such as Metasploit; or a password-cracking tool, such as Elcomsoft's Proactive Password Auditor. If you don't validate your findings or perform additional tests that tools can't do on their own, you haven't done enough.
- Analyzing your findings. This is where you perform triage, correlate vulnerabilities, and provide insight and perspective into what can happen. Your results can't simply exist as vaporware. They must be communicated in terms of the business. Skipping this step and assuming everything is a big deal or, just as bad, assuming nothing really matters will prevent you from obtaining long-term security support. This step is where experience comes into play -- knowing what counts and what doesn't in the context of your business and risk tolerance.
- Reporting your results. This is where you document your findings and communicate them to the necessary people. You can't simply save HTML or PDF reports from your security tools and lob them over the fence to developers, DevOps or management. You need to take what you've uncovered and analyzed, translate it into tangible business risks and communicate it on the right level to those involved. Hint: Spare the techie details unless it fits the audience and can add value.
- Following up on your findings. In other words, address the security risks by fixing the weaknesses you've uncovered. Don't take this lightly. It's common for me to perform a network security assessment, deliver my report and go back a year later to discover most of the same vulnerabilities still exist. The one thing that's worse than not performing a security audit is to perform one and not do anything about the vulnerabilities that were uncovered. Come up with a plan, and follow through like it's your most important task.
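The analysis, reporting and follow-up steps above are where scanner output turns into something a business can act on. The script below is an added example written for this article, not the author's or any vendor's tooling; it shows the mechanical part of those steps: checking that every reported host falls inside the scope agreed in the planning step, separating findings the tester validated by hand from unconfirmed ones, weighting CVSS by how critical the business rates each asset, correlating this year's findings with last year's report so persistent flaws lead the summary, and computing a remediation rate for the follow-up conversation. All hosts, scope ranges, criticality values and findings are constructed sample data.

```python
"""Triage of network security audit findings: scope check, manual-validation status,
correlation with the previous assessment, and business-risk ranking.
Added example for this article; every host, finding and criticality value below is constructed."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Agreed scope from the planning step (constructed ranges)
SCOPE = [ip_network("10.0.1.0/24"), ip_network("10.0.2.0/24")]

# Asset criticality as the business rates it: 1 = low, 2 = medium, 3 = high (constructed)
ASSET_CRITICALITY = {
    "10.0.1.10": 3,  # customer-facing web server
    "10.0.1.20": 2,  # internal file server
    "10.0.2.5": 1,   # lab workstation
}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    title: str   # scanner check title, as a Nessus-style export would present it
    cvss: float  # base score reported by the scanner


# Constructed: last year's confirmed findings and this year's raw scanner output
PREVIOUS = [
    Finding("10.0.1.10", 443, "TLS 1.0 enabled", 6.5),
    Finding("10.0.1.20", 445, "SMB signing not required", 5.3),
    Finding("10.0.2.5", 22, "SSH weak MAC algorithms", 2.6),
]
CURRENT = [
    Finding("10.0.1.10", 443, "TLS 1.0 enabled", 6.5),
    Finding("10.0.1.20", 445, "SMB signing not required", 5.3),
    Finding("10.0.1.10", 80, "Directory listing enabled", 5.0),
    Finding("192.168.5.5", 3389, "Terminal service exposed", 7.5),  # host outside agreed scope
]
# Findings the tester confirmed by hand as (host, port, title); everything else stays unconfirmed
VALIDATED = {
    ("10.0.1.10", 443, "TLS 1.0 enabled"),
    ("10.0.1.20", 445, "SMB signing not required"),
}


def key(f: Finding) -> tuple:
    return (f.host, f.port, f.title)


def in_scope(host: str) -> bool:
    addr = ip_address(host)
    return any(addr in net for net in SCOPE)


def risk_score(f: Finding) -> float:
    """CVSS weighted by asset criticality: the same flaw matters more on a critical host."""
    return round(f.cvss * ASSET_CRITICALITY.get(f.host, 1), 1)


def triage(previous, current, validated):
    """Split current findings into persistent / new / fixed / unconfirmed / out-of-scope,
    ranked so the report leads with what matters most to the business."""
    def by_risk(findings):
        return sorted(findings, key=risk_score, reverse=True)

    scoped = [f for f in current if in_scope(f.host)]
    prev_keys = {key(f) for f in previous}
    cur_keys = {key(f) for f in scoped}
    return {
        "persistent": by_risk(f for f in scoped if key(f) in prev_keys),
        "new": by_risk(f for f in scoped if key(f) not in prev_keys),
        "fixed": [f for f in previous if key(f) not in cur_keys],
        "unconfirmed": [f for f in scoped if key(f) not in validated],
        "out_of_scope": [f for f in current if not in_scope(f.host)],
    }


def remediation_rate(previous, result) -> float:
    """Share of last year's findings that no longer appear: the follow-up metric."""
    return round(len(result["fixed"]) / len(previous), 2) if previous else 1.0


def correlate_by_host(findings):
    """Group findings per host so one remediation ticket can cover a host's related issues."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[f.host].append(f)
    return dict(grouped)


def report_lines(result, previous):
    """Business-level summary lines rather than raw scanner output."""
    lines = [f"Remediation since last assessment: {remediation_rate(previous, result):.0%}"]
    for f in result["persistent"]:
        lines.append(f"STILL OPEN: {f.title} on {f.host} (risk {risk_score(f)})")
    for f in result["new"]:
        tag = "" if key(f) in VALIDATED else " [unconfirmed, validate before acting]"
        lines.append(f"NEW: {f.title} on {f.host} (risk {risk_score(f)}){tag}")
    for f in result["out_of_scope"]:
        lines.append(f"OUT OF SCOPE: {f.host}:{f.port} reported by scanner; check scope before testing further")
    return lines


if __name__ == "__main__":
    outcome = triage(PREVIOUS, CURRENT, VALIDATED)
    print("\n".join(report_lines(outcome, PREVIOUS)))
```

The weighting by asset criticality is a deliberately simple stand-in for the experience the article says this step requires; in practice the criticality table comes from the business owners, and the validated set is whatever the tester actually confirmed with manual tools rather than anything the scanner asserts on its own.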
Network security audit challenges
I'm often asked what the most difficult thing is related to performing a network security audit. Many people say it's money issues; others say it's political support from management. Some even say a lack of knowledge might prevent them from executing a proper security assessment. Still, the greatest obstacle to a network security audit is two simple things: willingness and discipline. You need the willingness to do what's right for your business, customers and business partners and the discipline to make it happen.
Even when resources are limited, you can still perform your own security evaluations or bring in someone from the outside. Even if your scope is limited at first and you're forced to use free tools, something can always be done, and it's probably not as pricey as you'd think. Just make sure your long-term goal is to do this in the most professional manner using the best tools for the task. It may amount to a sizable investment each year, but it's still less expensive than the alternative.
If things do go sideways and an incident or confirmed breach occurs, you'll be able to show you were making reasonable progress toward finding and fixing your network security flaws.