V-TECH LTD

VTECH Security Audit for Dummies

By Kevin Townsend

What is Security Audit?

There is no formal definition for a security audit; and there is no legal requirement for a specified function called a security audit. Nevertheless, you need to do it; and the bigger you are, the more likely it is that there is effectively if not quite explicitly a legal requirement to do it. 

Defining Security Audit

If you search on the internet you'll find many different definitions. And now we're going to add another. A security audit is the final step in the implementation of your security defenses. First you undertake a risk analysis to discover your assets and your risks. Then you develop a security policy to define what you are going to defend and how you are going to defend it. Then you use various methods, including information security products, to enforce that policy. And finally, you undertake a security audit to check the efficiency of those methods. (But then, of course, you start the whole process again.)

So a security audit is the process of testing and ensuring that your company assets are fully protected - nothing more, and nothing less.

Why do I need Security Audit?

Put very simply, you need a security audit in order to ensure that your security systems are working. Not only is there no point in having security that doesn't work, it is probably worse than having no security - at least with no security, you know that you have no security. Also, a good security audit, if undertaken by an outside consultancy, will point out gaps in your existing defenses.

But the best way to understand the need for a security audit is with real-life examples. At the time of writing this, there have been two major new reports. The first is "Network Attacks: Analysis of Department of Justice Prosecutions 1999 - 2006", August 28, 2006, A study by Trusted Strategies, L.L.C. commissioned by Phoenix Technologies, Ltd. This is a report well-worth reading. It states "Unauthorized access of privileged logon accounts caused by far the greatest financial losses to individual companies of all crimes analyzed. These were not sophisticated hacks; they were relatively simple crimes committed by attackers obtaining valid user IDs and passwords and using that information to logon to protected resources." The report also states: "These crimes could have been prevented if penetrated systems had checked the computer’s identification as well as the individual’s identification during logon." Well, it would, because that's what Phoenix sells. But the simple fact is that these crimes would also have been prevented if the victim companies had sufficiently audited their ID and password security to ensure an adequate level of protection. So go get audited.

The second report is a genuine audit report. It is a report by the Auditor General, State of Arizona, on Arizona Department of Education–Information Management. It concludes "Sensitive information, such as social security numbers, has been exposed because of security weaknesses in ADE’s Web-based applications." That's why you need to audit - to find the flaws before they find you. And remember this also, again at the time of writing this, there has been a flurry of senior executive departures (walked or pushed?) from companies such as AOL and organizations such as the VA because the security for which they were responsible was found to be lacking. That's why you need security audits - to ensure that your own security isn't lacking.

But there is another reason for you to undertake security audits. The increasing incidence and complexity of legislation designed to counter cyber terrorism and protect personal privacy throughout the world simply means that the only way you can prove compliance with some these laws is through documented security audits. Think of HIPAA, SOX and the European Data Protection Laws...

Where do I get Security Audit?

There's a simple choice: do it yourself, or buy in. The first involves either developing your own security tests or acquiring software that will do the tests for you. The latter involves the use of external security consultants.

There is no hard and fast rule over which is best. If you are a small company, you may well have less at risk and can less afford to employ expensive consultants. At the same time, you are unlikely to have the in-house expertise to develop your own auditing software. Small companies may well be obliged to rely on free and low cost audit software.

Larger companies are more likely to have the ability to develop their own software, but little time to do so. At the same time, the complexity of large company systems makes it less likely that off-the-shelf software can fully audit all the systems. Larger companies may well feel obliged to employ external security auditors.

How can I evaluate Security Audit?

This is the conundrum of information security. Just because you haven't had a security breach doesn't mean you're secure: you can never prove that you are secure; you can only prove (by bitter experience) that you are not secure.

So how can you evaluate a security audit? Well, your security audit will tell you how effective your security is against what it is meant to be securing; that is, the audit will enable you to measure the effectiveness of your security policy enforcement. This, in turn, requires that you have a detailed and effective security policy in place; and that your security policy has been directed by a thorough risk management exercise.

You should then take the 'deliverables' (that is, the full reports) from your auditor (either software of audit company) and relate them to every aspect of your security policy. For example, if your security policy is to include strong passwords that are changed every two months, make sure that the audit report confirms that all of this actually happens and that users have no way of bypassing the policy.

Provided that your audit report covers every aspect of your policy, then the auditors have done a complete job. Notice that I haven't said a 'good' job - that's more difficult to evaluate. Your audit can only be as good as your auditors. So if you do the job in-house, you will never know what you might have missed - and there's no-one to blame. If you use an external consultancy, there is possibly someone to blame if things go wrong. Hopefully, if you choose the auditor well and implement all the recommendations, you will have had a successful security audit. And you will be more secure for it.