Additional considerations when performing the next audit of your external facing network
By: Mitchell H. Levine, CISA - Audit Serve, Inc.
Network audits have always been a high priority within most internal audit departments. Unfortunately, these audits require extensive technical expertise to carry out effectively. In addition, the scope of these audits varies within the industry. For the purpose of this article, the Network Audit will focus on external facing components such as firewalls, routers, SMTP (email) servers, FTP servers, Web servers and VPN concentrators.
The primary focus of the audit of these components is to ensure that the most recent security patches have been applied at the server level and to all other operating services used by these components. In addition, there are known industry vulnerabilities based on certain services used which have been replaced by upgraded services, such as SSLv3 replacing SSLv2. The second part of the review is to ensure that each of these components has been secured, which comprises security access rules and individual security parameters. Instead of an auditor having to develop technical expertise for each of these types of external facing components, consideration should be given to having the audit department license vulnerability assessment tools to serve as the compliance test to determine whether these components have been patched, secured and are not running services which have known vulnerabilities. It should be noted that running a vulnerability assessment against these components does not cover all potential audit areas.
Many organizations already subscribe to a service with a security vendor, or perform this function internally, to scan their external facing devices on a periodic basis. In this case, the audit department could use the results of these scans to support their compliance testing relating to the secured deployment of external facing devices. One additional audit step should be to ensure that these external scans are reviewed to identify the “true” vulnerabilities. As part of the process of generating the vulnerability scan reports, a review needs to be conducted to identify false positives. In order to certify a vulnerability as being a false positive, additional internal validations need to be performed. In addition, these vulnerability assessment tools identify insignificant issues that should be excluded from subsequent scans. Overall, the auditor should review the management review process of these scans to ensure that issues are being addressed on a timely basis and are not being ignored, so that they do not reappear on subsequent scans.
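The management review test described above can be automated as a reconciliation between two consecutive scan exports and the security team's remediation/exception register. The following is an added example, not code from the article or from Audit Serve; the scan exports, register format, finding identifiers and the 30-day remediation SLA are all constructed assumptions.

```python
from datetime import date

# Constructed sample data: finding id -> affected host for two consecutive
# external scans, plus the register the security team keeps for each finding.
SCAN_PREVIOUS = {
    "SSLV2-ENABLED": "mail.example.test",
    "OPENSSH-OUTDATED": "ftp.example.test",
    "HTTP-TRACE-ENABLED": "www.example.test",
}
SCAN_CURRENT = {
    "SSLV2-ENABLED": "mail.example.test",        # still open since January
    "HTTP-TRACE-ENABLED": "www.example.test",    # register says closed, yet it is back
    "SMTP-OPEN-RELAY": "mail.example.test",      # brand new this cycle
}
REGISTER = {
    "SSLV2-ENABLED": {"status": "open", "opened": "2008-01-05", "evidence": ""},
    "OPENSSH-OUTDATED": {"status": "false_positive", "opened": "2008-02-01",
                         "evidence": "vendor backport confirmed on host"},
    "HTTP-TRACE-ENABLED": {"status": "closed", "opened": "2008-01-20",
                           "evidence": "TRACE method disabled"},
}


def review_scan_lifecycle(previous, current, register, as_of, sla_days=30):
    """Return sorted (finding id, audit exception) pairs.

    Exceptions raised: a finding that reappears after being closed, an open
    finding older than the SLA, a recurring finding nobody logged, and a
    certified false positive that carries no validation evidence.
    """
    today = date.fromisoformat(as_of)
    exceptions = []
    for fid in current:
        entry = register.get(fid)
        if entry is None:
            if fid in previous:   # seen twice and still untracked: being ignored
                exceptions.append((fid, "recurring finding not tracked in register"))
            continue              # new finding; register entry expected next cycle
        if entry["status"] == "closed":
            exceptions.append((fid, "reappeared after being closed"))
        elif entry["status"] == "open":
            age = (today - date.fromisoformat(entry["opened"])).days
            if age > sla_days:
                exceptions.append((fid, "open beyond remediation SLA"))
    # False positives are excluded from later scans, so check them from the register.
    for fid, entry in register.items():
        if entry["status"] == "false_positive" and not entry["evidence"].strip():
            exceptions.append((fid, "false positive without validation evidence"))
    return sorted(exceptions)
```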
The most important area which should be included in an external facing Network Audit is the review of the remote access which is granted to staff working remotely. VPN access typically consists of establishing secured tunnels into the corporate network, which requires holes to be made within the firewall to support these connections. For larger organizations, VPN concentrators are used to handle a very large number of VPN tunnels. When using a VPN concentrator, access profiles can be established which limit the paths that the user can travel inside the corporate network. The auditor needs to determine whether these outside connections are being restricted to only those hosts which actually need to be accessed remotely by the individual, based on the requirements of their job function.
The audit of the external access via VPN also needs to determine whether an additional level of security is required for users to remotely connect to the network. At a minimum, the VPN client should require an additional logical security control to connect to the internal network. Otherwise, the user would just require the IP address of the device (i.e., the VPN concentrator) which handles the remote connection. Additional controls can be established to limit which staff members can use this remote access facility by interfacing the VPN concentrator with Windows Active Directory. For organizations which want to establish a higher level of control over remote access, two-factor authentication should be considered, which can be interfaced with the VPN concentrator. For those organizations which do not have strong evasive action (lockout) controls for logon security, whereby a userid requires an administrator reset when the invalid logon attempt threshold is exceeded, allowing remote access further compounds the risk.
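The two VPN audit tests above (access profiles restricted to job-function hosts, and an additional authentication control plus lockout on every remote profile) can be run as one compliance check over a concentrator's exported configuration. This is an added example, not code from the article or from Audit Serve; the profile export format, user list, approved-host matrix and host names are constructed assumptions.

```python
# Constructed sample: VPN concentrator access profiles (hosts reachable through
# the tunnel and whether a second factor is enforced), the directory users
# mapped to them, and the hosts each job function is approved to reach remotely.
PROFILES = {
    "sales-remote": {"allowed_hosts": {"crm.internal", "mail.internal"},
                     "second_factor": True},
    "dev-remote": {"allowed_hosts": {"git.internal", "ci.internal",
                                     "db.internal", "hr.internal"},
                   "second_factor": False},
    "contractor": {"allowed_hosts": {"*"}, "second_factor": False},  # any host
}
USERS = {  # userid -> (job function, assigned profile)
    "asmith": ("sales", "sales-remote"),
    "bjones": ("developer", "dev-remote"),
    "cwong": ("contractor", "contractor"),
}
APPROVED = {  # job function -> hosts that actually need remote access
    "sales": {"crm.internal", "mail.internal"},
    "developer": {"git.internal", "ci.internal"},
    "contractor": {"git.internal"},
}
LOCKOUT = {"threshold": 5, "admin_reset": True}  # evasive action policy in force


def review_vpn_access(profiles, users, approved, lockout):
    """Return sorted (userid, exception, detail) tuples for the auditor.

    Flags tunnel access beyond the job function, unrestricted profiles, profiles
    with no second factor, and the compounding case where a profile lacks a
    second factor while the logon lockout policy is weak or missing.
    """
    weak_lockout = not lockout or not lockout.get("admin_reset") \
        or lockout.get("threshold", 0) <= 0
    findings = []
    for user, (role, name) in users.items():
        prof = profiles[name]
        allowed = prof["allowed_hosts"]
        if "*" in allowed:
            findings.append((user, "unrestricted tunnel: no host limits", ""))
        else:
            excess = allowed - approved.get(role, set())
            if excess:
                findings.append((user, "access beyond job function",
                                 ",".join(sorted(excess))))
        if not prof["second_factor"]:
            findings.append((user, "profile without second factor", name))
            if weak_lockout:
                findings.append((user, "no second factor and weak lockout", name))
    return sorted(findings)
```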
Requirements 1 & 2 of the Payment Card Industry (PCI) Data Security Standard provide additional test procedures which should be considered when performing a network audit.
Mitchell Levine is the founder of Audit Serve, Inc. Audit Serve performs PCI Assessment and Remediation Project Management consulting services. Audit Serve also conducts Integrated & IT Audits, SOX Control Design & Testing. Email Mr. Levine at Levinemh@auditserve.com if you would like to discuss your organization's specific project requirements in order to establish a proposal of services.
Copyright 2008, Audit Serve, Inc. All rights reserved. Reproduction, which includes links from other Web sites, is prohibited except by permission in writing.