Problem solve Get help with specific problems with your technologies, process and projects.

A guide to internal and external network security auditing

Contributor Stephen Cobb reviews the baseline network audit processes that a security professional should absolutely conduct regularly.

According to a recent survey of IT executives and network administrators by VanDyke Software Inc., 46% of companies...

that undertake internal security audits find that the tests result in the identification of significant security problems. That's close to half, and the number rises to 54% for external network security audits conducted by outside companies.

Think of it like this: There's at least a 50/50 chance you have one or more significant network security problems, and an audit is good way to find them. In fact, 43% of survey respondents felt their organizations should audit their networks more frequently.

However, it's a good bet that some people reading this article work for companies where network security is still not audited on a regular basis, probably because such audits are seen as an unwelcome interference with day-to-day network administration. But an audit should not be seen as a chore. Think of it as a process that others have found useful for ensuring their organization is adequately protecting itself from data loss and related complications, such as litigation, which may ensue. In this tip, let's review what is required to conduct a systematic examination and verification of network security, which can serve as a potent control while also providing vital feedback on the state of an organization's security strategy.

Setting the network security baseline
To be effective, an audit must be performed against a defined set of standards: an organization's data security, integrity and availability policies and procedures, applicable regulatory requirements, and industry best practices. Data gathered during the audit is compared against these to check "what is" against "what should be."

It may sound like a daunting process, but if some baseline network audit processes are conducted on a regular basis, you can make any major audit less onerous. The first step? Establish a baseline of the network. A good tool for this is Nmap, the free open source utility for network inventory and security auditing. Nmap can inventory network devices and reveal what services they run, as well as what OS and application versions are installed.

Once the network has been mapped, future scan results can be compared against this known and accepted baseline. Any scan results including, for instance, unauthorized applications or never-before-seen devices should serve as red flags. Of course, any such changes should be investigated and resolved, i.e. either remediated or added to your baseline. Prohibited applications discovered by a scan may include peer-to-peer networking, instant messaging, Skype or social media file sharing.

Because network threats constantly evolve, certain baseline checks should be carried out on a weekly, if not daily, basis. Intruders always look to exploit open ports because they are an easy gateway to your systems. Therefore, port scans that identify open ports and the services running on them should be among the most frequently conducted scans. An Nmap scan can also check trust relationships that exist on a network and find connections that violate security policy.

Network security audit tools

There are plenty of open source tools such as Nmap, Wireshark, Metasploit, and Microsoft's Baseline Security Analyzer, which can help you stay on top of regular network auditing tasks.  Another excellent set of free tools comes from the Center for Internet Security (CIS).

The CIS Benchmark and Scoring tools verify and monitor the security configuration of network devices for ongoing conformity with internationally accepted standards for security configuration. Commercial products also include integrity monitoring tools, which provide real-time file integrity and device configuration monitoring.

Regular reviews
Another network element in constant flux is the user base. Regular reviews of network accounts and privileges against HR records are essential to ensure unused accounts are terminated and rights are appropriately assigned. You can combine this with other employee-related checks, such as ensuring separation of duties and compliance with password policies like aging and complexity.

Not every network security control needs checking with equal frequency, but all controls should be reviewed on a regular basis, including basics like physical security, document backup and destruction, and patching. Are backups being performed according to policy and regulatory requirements? Is data destroyed in accordance with its classification? Have backup and restore processes been tested recently to make sure they're working? Are automated patching processes functioning correctly and deploying updates within an acceptable timeframe?

If you're in charge of network security, then making these checks part of the regular work cycle will make life much easier when the time comes for a major network audit. The internal assessments you perform to prepare for a big audit only need to cover areas outside your regular monitoring routine.

These include evaluating patch processes, validating that backups perform per policy, assessing the effectiveness of physical security controls, and ensuring compliance with the requirements of relevant regulatory standards.

For some companies, auditing is not always optional. If your systems need to be compliant with a particular standard -- such as the PCI Data Security Standard -- then an audit by external auditors will be necessary. Even without such requirements, an external network security audit may be the best, or only option if there is suspicion of an internal threat, such as a malicious administrator, or if an organization has too many remote offices for qualified internal staff to ensure policies have been implemented at all sites.

Finally, a few words of caution about one oft-cited reason for security auditing. No audit, internal, external or compliance-related, can by itself ensure a network is secure. Just because a network has been audited does not mean it is, or will remain, secure. The real benefit of an audit comes from implementing its recommendations on how security controls can be improved, dealing with any concerns reported, and more closely aligning information security needs and risk mitigation with business goals. All of which makes the network security audit a worthwhile undertaking.

About the author: Stephen Cobb has nearly three decades of experience in computer audit, security, and data privacy. He authored a comprehensive manual of personal computer security in 1992 and has been a CISSP since 1996. One of the first analysts to predict that privacy concerns would become a leading driver of enterprise security, Stephen published a privacy handbook for businesses in 2002. A co-founder of two successful security startups, he helped develop ground-breaking network security technology acquired by Symantec Corp. in 2004. When he is not busy advising clients or conducting seminars, Stephen is an adjunct professor of Information Assurance at Norwich University, Vermont, where he helped create the curriculum for the award-winning Master of Science in Information Assurance degree.

This was last published in December 2009

Dig Deeper on Real-time network monitoring and forensics