eJPT - 2.1 Auditing Fundamentals

Introduction
Security Auditing is a systematic process of evaluating and verifying the security measures and controls in place within an organization to ensure that they are effective, appropriate and compliant with relevant standards, policies and regulations. It involves reviewing various aspects of the organization's information systems, networks, applications, and operational procedures, to identify vulnerabilities, weaknesses and areas for improvement.
Importance of Auditing
Identifying Vulnerabilities & Weaknesses
Security audits help uncover vulnerabilities and weaknesses in an organization's information systems and infrastructure that could be exploited by attackers
Regular audits ensure that security controls are effective and up to date, minimizing the risk of breaches
Ensuring Compliance
Organizations must comply with various regulatory requirements and industry standards to protect sensitive data and maintain trust with customers and stakeholders
Security audits help verify compliance with standards such as GDPR, HIPAA, PCI DSS, and ISO 27001, avoiding legal and financial penalties
Enhancing Risk Management
Audits provide a comprehensive assessment of an organization's security posture, identifying and prioritizing risks based on their potential impact
Effective risk management strategies can be developed and implemented based on audit findings to mitigate identified risks
Improving Security Policies & Procedures
Audits review the effectiveness of existing security policies and procedures, identifying areas for improvement
Updated and robust security policies and procedures help create a strong security culture within the organization
Supporting Business Objectives
A strong security posture supports overall business objectives by ensuring that critical business operations are protected from disruptions caused by security incidents
Audits help build customer trust and confidence as clients are assured that their data is handled securely and responsibly
Continuous Improvement
Auditing is an ongoing process that ensures people and employees adhere to these policies
Ensures that security measures evolve to address new threats and vulnerabilities
Essential Terminology
Security Policies
Formal documents that define an organization's security objectives, guidelines and procedures to protect information assets. This establishes the framework for implementing and enforcing security controls.
Compliance
Adherence to regulatory requirements, industry standards, and internal policies related to security and data protection. This ensures that the organization meets legal obligations and best practices.
Vulnerability
A weakness in a system or process that can be exploited to gain unauthorized access or cause harm. Identifying vulnerabilities is crucial for assessing and improving security measures.
Control
A safeguard or countermeasure implemented to mitigate risks and protect information assets. Controls are designed to prevent, detect, or respond to security threats and weaknesses.
Risk Assessment
The process of identifying, analysing, and evaluating risks to an organization's information assets. This helps prioritise security measures based on the likelihood and impact of the identified risks.
Audit Trail
A chronological record of events and activities that provides evidence of actions taken within a system. This supports accountability and traceability during security audits and investigations.
Compliance Audit
An examination of an organization's adherence to regulatory requirements and industry standards. This validates whether the organization meets the necessary compliance criteria and identifies areas for improvement.
Access Control
Measures and mechanisms used to regulate who can access specific information or systems and what actions they can perform. This helps to protect sensitive information from unauthorized access and misuse.
Audit Report
A formal document that presents the findings, conclusions, and recommendations resulting from a security audit. By communicating these results to the client, this provides guidance for improving security practices.
Auditing Process
1: Planning & Preparation
Define objectives and scope - Determine the goal of the audit and the specific systems, processes, and controls to be evaluated
Gather relevant documentation - Collect policies, procedures, network diagrams and previous audit reports
Establish audit team and schedule - Assemble a team and set a timeline for the audit
2: Information Gathering
Review policies and procedures - Examine the organization's security policies, procedures, and standards
Conduct interviews - Interview key personnel to understand security practices and identify potential gaps
Collect technical information - Gather data on system configurations, network architecture and security controls
3: Risk Assessment
Identify assets and threats - List the critical assets and potential threats to those assets
Evaluate vulnerabilities - Assess existing vulnerabilities in systems and processes
Determine risk levels - Assign risk levels based on the likelihood and impact of the identified threats and vulnerabilities
4: Audit Execution
Perform technical testing - Conduct technical assessments like vulnerability scans, penetration tests and configuration reviews
Verify compliance - Check adherence to relevant regulations and standards
Evaluate controls - Assess the effectiveness of security controls and practices
5: Analysis & Evaluation
Analyse findings - Review the data collected during the audit to identify security weaknesses and areas for improvement
Compare against standards - Check the organization's security posture against industry standards and best practices
Prioritize issues - Rank the findings based on their severity and potential impact on the organization
6: Reporting
Document findings - Create a detailed report outlining audit findings, including identified vulnerabilities, non-compliance issues and ineffective controls
Provide recommendations - Offer actionable recommendations to address the identified issues and enhance security
Present the results - Share the audit report with the relevant stakeholders and discuss key findings and recommendations
7: Remediation
Develop remediation plan - Work with the organization to create plans for addressing the audit findings
Implement changes - Assist in implementing the recommended changes and improvements
Conduct follow-up audits - Schedule follow-up audits to ensure that the remediation efforts have been acted upon and are effective
Monitor and update - Continuously monitor the organization's security posture and update the security measures as and when needed
Types of Audits
Audits can be categorized based on their scope, methodology, and the aspects of the organization they focus on.
Internal Audits
These are generally conducted by the organization's internal audit team or security professionals to evaluate the effectiveness of internal controls and compliance with policies. They provide insights into the organization's self-assessment of its security posture and highlight areas that may require more in-depth testing.
For example, an internal audit might review user access controls to ensure that only authorized personnel have access to sensitive data.
External Audits
These are performed by independent third-party auditors to provide an unbiased evaluation of the organization's security measures and compliance with external standards. They often serve as benchmarks for compliance and security effectiveness. Penetration testers can use these findings to guide their testing efforts.
For example, a company undergoing a PCI DSS compliance audit might hire an external auditor to validate its security controls and ensure that they meet the required standards.
Compliance Audits
These focus on verifying that the organization complies with specific regulatory requirements and industry standards (e.g. GDPR, HIPAA, PCI DSS). They help identify regulatory gaps that penetration testers can address through targeted testing.
For example, a healthcare provider might undergo a HIPAA compliance audit to ensure that patient data is protected according to federal regulations.
Technical Audits
These focus on assessing the technical aspects of the organization's IT infrastructure including hardware, software, and network configurations. They provide a detailed view of the technical controls in place, highlighting areas where penetration testing can uncover vulnerabilities.
For example, a technical audit might involve a thorough review of firewall configurations to ensure that they are properly securing the network perimeter.
Network Audits
These assess the security of the organization's network infrastructure, including routers, switches, firewalls and other network devices. They can reveal vulnerabilities in network design and configurations that penetration testers can exploit to assess network security.
For example, this might identify insecure protocols being used for data transmission, prompting penetration testers to test for potential exploits.
Application Audits
These evaluate the security of software applications, focusing on code quality, input validation, authentication mechanisms, and data handling. They highlight security flaws in applications that penetration testers can exploit to demonstrate real-world attack scenarios.
For example, an application audit might reveal vulnerabilities such as SQL injection or cross-site scripting (XSS) in a web application.
Auditing & Pentesting
In order to perform a penetration test correctly, it's important to understand when, how, and why audits are performed. Audits and penetration tests are two different types of security assessments. Each has its own unique scope, objectives, and desired outcomes. It's also important to know when each is performed and whether they can be combined into a single process or assessment.
Aspect | Security Audit | Penetration Test
Purpose | Evaluates an organization's overall security posture by assessing compliance with policies, standards and regulations. It focuses on the effectiveness of security controls, processes and practices. | Simulates real-world attacks to identify and exploit vulnerabilities in systems, networks or applications. It focuses on technical weaknesses and how they can be exploited by attackers.
Scope | Comprehensive, covering various aspects such as policies, procedures, technical controls, physical security and compliance with regulations. | Specific to the systems, networks or applications being tested. The scope is defined to focus on particular areas of interest, and is often defined by the security audit.
Methodology | Typically involves reviewing documentation, conducting interviews, performing technical assessments, and evaluating compliance with security standards. | Involves using various tools and techniques to attempt to breach systems, exploit vulnerabilities and assess the effectiveness of security defences.
Outcome | Identifies gaps in security policies, procedures and controls. It provides recommendations for improving overall security and ensuring compliance. | Provides a detailed assessment of vulnerabilities and potential attack vectors. It provides recommendations for mitigating identified risks and improving security defences.
Frequency | Often performed on a regular basis (annually or biannually) or as required by regulations. | Performed as needed, such as after significant changes to systems, on a regular schedule, or as part of compliance requirements.
Sequential Approach
What normally happens is that companies perform a security audit first to evaluate their overall security posture, ensure compliance with regulations and identify areas for improvement in policies and procedures. Based on the findings of the audit, a penetration test may be performed to assess the effectiveness of technical controls and identify specific vulnerabilities. Sometimes, they may not perform any remediation and ask for a pentest to give detailed insights or confirmation on the findings of the audit.
The advantages of this:
comprehensive view of security from both policy and technical perspectives
identifies and addresses gaps in both procedural and technical controls
helps to prioritize remediation efforts based on audit findings
Combined Approach
Some organizations choose to combine security audits and penetration tests, often through a holistic security assessment that incorporates both elements.
The advantages of this:
streamlines the assessment process by combining policy, procedural and technical evaluations
more complete picture of the organization's security posture in a single engagement
can be more efficient and cost-effective by addressing both in a single engagement
GRC
GRC stands for Governance, Risk and Compliance. It's a comprehensive framework used by organizations to manage and align their governance practices, risk management strategies and compliance with regulatory requirements. This helps organizations maintain transparency, accountability, and resilience.
Governance:
This refers to the framework, policies, procedures and practices that ensure an organization achieves its objectives, manages its risks and complies with legal and regulatory requirements. It includes policy development, defining roles and responsibilities, and establishing accountability mechanisms for security performance.
Risk:
This involves identifying, assessing and mitigating risks that could negatively impact an organization's assets and operations.
Compliance:
This ensures that an organization adheres to relevant laws, regulations and industry standards. It covers whether a company meets legal obligations such as GDPR, HIPAA or PCI DSS and whether it adheres to its internal security policies and procedures. Conducting regular reviews to ensure compliance is part of it as well.
Importance of GRC
GRC is important to penetration testers as it helps them conduct more thorough and relevant assessments. It allows testers to frame their findings in the context of organizational policies, risk management and compliance requirements. Testers can provide more strategic recommendations that align with the organization's GRC framework, helping to strengthen its security posture.
Frameworks, Standards & Guidelines
Frameworks provide a structured approach to implementing security practices and are often flexible and adaptable to various organizations and industries. Standards set specific requirements and criteria that must be met to achieve compliance, and are often mandatory in regulated industries.
NIST CSF
The NIST Cybersecurity Framework is a set of guidelines and best practices developed by the National Institute of Standards and Technology to help organizations manage and reduce cybersecurity risks. Its core functions are Identify, Protect, Detect, Respond and Recover.
COBIT
COBIT stands for Control Objectives for Information & Related Technologies. It's a framework for developing, implementing, monitoring and improving IT governance and management practices. It focuses on aligning IT goals with business objectives, managing IT risks and ensuring compliance with regulations.
ISO/IEC 27001
It is an international standard for information security management systems (ISMS) that outlines best practices for managing and protecting sensitive information. It focuses on establishing, implementing, maintaining and continually improving an ISMS.
PCI DSS
This stands for Payment Card Industry Data Security Standard. It's a set of security standards designed to protect payment card information and ensure secure processing of credit card transactions. It's legally required for organizations that handle credit card transactions. It focuses on protecting cardholder data, maintaining a secure network and implementing robust access control measures.
HIPAA
It stands for the Health Insurance Portability & Accountability Act. It's a US law that sets standards for protecting sensitive patient information and ensuring the privacy and security of health data. It's a legal requirement in the US for healthcare providers, health plans and other entities handling protected health information.
GDPR
It stands for the General Data Protection Regulation. It's a regulation within the EU that governs data protection and privacy for individuals within the EU and EEA (European Economic Area). It's a legal requirement for organizations processing the personal data of individuals within the EU or EEA. It focuses on data protection principles, the rights of data subjects and the obligations of data controllers and processors.
CIS Controls
These controls, Center for Internet Security Controls, are a set of best practices and actionable steps to help organizations improve their cybersecurity posture.
NIST SP 800-53
This is a publication by NIST that provides a catalogue of security and privacy controls for federal information systems and organizations. It's a legal requirement for US federal agencies and organizations handling federal data. It focuses on security controls for federal information systems, including controls for risk management and information security.
Auditing to Pentesting
We will use a practical example to explain and demonstrate how security audits work, how they are performed and how they relate to a penetration test. This is to outline the changes or adaptations to a penetration test to align or comply with specific standards or regulations.
Background: Company - SecureTech Solutions
Description:
- Specialises in securing IT infrastructure for various clients
In this example, we will demonstrate the process of developing a security policy for Linux servers, performing a risk assessment using the NIST SP 800-53 framework, performing a security audit and testing the remediations.
Phase 1 - Develop a Security Policy
We need to establish a baseline security policy for Linux servers that aligns with NIST SP 800-53 guidelines, ensuring that servers are configured and managed securely. This policy should ensure that Linux servers are secure and protected from unauthorized access, vulnerabilities and other security threats.
The policy in this case would cover the following areas:
Purpose and scope of the security policy
Access control
Audit and accountability
Configuration management
Identification and authentication
System and information integrity
Maintenance
You can view the NIST SP 800-53 documentation here.
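To make the idea of a policy baseline concrete, here is an added example (not code from the original post and not part of NIST SP 800-53 itself) of a small checker that evaluates Linux configuration files against a handful of policy rules drawn from the areas listed above. The mapping of each rule onto a NIST SP 800-53 control label, the expected values, and both configuration samples (a weak "before" server and a hardened "after" server) are assumptions constructed for illustration; the rules are what an audit tool such as Lynis tests for in spirit, not its actual checks.

```python
"""Added example: policy baseline checker for Linux servers.
Control labels, thresholds and sample configs are constructed assumptions."""
import re

# Each rule: (policy area, control label, config file, key, predicate, expected).
# The control labels are hypothetical mappings onto NIST SP 800-53 families.
RULES = [
    ("Access control", "AC-6 least privilege", "sshd_config", "PermitRootLogin",
     lambda v: v.lower() == "no", "no"),
    ("Identification and authentication", "IA-5 authenticator management",
     "login.defs", "PASS_MAX_DAYS", lambda v: v.isdigit() and int(v) <= 90, "<= 90"),
    ("Identification and authentication", "IA-5 authenticator management",
     "login.defs", "PASS_MIN_LEN", lambda v: v.isdigit() and int(v) >= 12, ">= 12"),
    ("Audit and accountability", "AU-2 event logging", "sshd_config", "LogLevel",
     lambda v: v.upper() in ("INFO", "VERBOSE"), "INFO or VERBOSE"),
]


def parse_kv(text):
    """Parse 'Key value' or 'Key=value' lines into a dict, ignoring comments.
    Works for both sshd_config (space separated) and login.defs (tab separated).
    If a key appears twice, the last occurrence wins."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) == 2:
            settings[parts[0]] = parts[1].strip()
    return settings


def audit(configs):
    """Evaluate every rule against the given {file name: file contents} mapping.
    Returns a list of findings with status PASS, FAIL or MISSING (key absent)."""
    parsed = {name: parse_kv(text) for name, text in configs.items()}
    findings = []
    for area, control, fname, key, ok, expected in RULES:
        value = parsed.get(fname, {}).get(key)
        if value is None:
            status = "MISSING"   # absent setting: defaults must be verified manually
        elif ok(value):
            status = "PASS"
        else:
            status = "FAIL"
        findings.append({"area": area, "control": control, "file": fname, "key": key,
                         "value": value, "expected": expected, "status": status})
    return findings


def summarize(findings):
    """Count findings per status, useful as a one-line audit score."""
    return {s: sum(1 for f in findings if f["status"] == s)
            for s in ("PASS", "FAIL", "MISSING")}


# Constructed sample: the same server before and after remediation.
WEAK = {
    "sshd_config": "PermitRootLogin yes\n# LogLevel left at its default\n",
    "login.defs": "PASS_MAX_DAYS\t99999\nPASS_MIN_LEN\t5\n",
}
HARDENED = {
    "sshd_config": "PermitRootLogin no\nLogLevel VERBOSE\n",
    "login.defs": "PASS_MAX_DAYS\t90\nPASS_MIN_LEN\t14\n",
}

if __name__ == "__main__":
    for label, cfg in (("before remediation", WEAK), ("after remediation", HARDENED)):
        print(f"== {label} ==")
        for f in audit(cfg):
            print(f"{f['status']:8}{f['control']:32}{f['key']}={f['value']} "
                  f"(expected {f['expected']})")
        print(summarize(audit(cfg)))
```

The MISSING status is deliberate: a setting that is absent from the file falls back to the daemon's default, and an auditor has to confirm what that default is rather than silently treating it as a pass or a fail.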
Phase 2 - Auditing with Lynis
We need to perform a security audit using Lynis (which you can see here) to identify vulnerabilities, and then remediate them, for example by updating software and enforcing password policies.
Lynis performs a health scan of your system to support system hardening and compliance testing. You can download it from the web or from the terminal. Run all of this on the Linux server being audited, not from your Kali machine or VM.
wget https://downloads.cisofy.com/lynis/lynis-3.1.4.tar.gz
gzip -d lynis-3.1.4.tar.gz
tar -xf lynis-3.1.4.tar
cd lynis/
chmod +x lynis
To perform an audit scan using Lynis:
./lynis audit system
You can then contextualise the results against the organization's policy and perform remediation.
Phase 3 - Penetration Test
We need to validate the effectiveness of the remediation actions through a penetration test, ensuring that the Linux server is secure and compliant with the security policy. We would then compare the initial audit findings to the penetration test results to verify that vulnerabilities have been addressed, and check whether there are any other vulnerabilities on the system. We would then write up a report indicating what needs to be remediated and how, rated by severity.
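Comparing the initial audit findings with the post-remediation state is easier when the two Lynis runs are diffed mechanically. The following is an added example (not part of the original post and not Lynis's own code) that parses two report files and lists what was resolved, what remains and what is new. It assumes the key=value layout of Lynis's lynis-report.dat, with findings stored as `warning[]=TEST-ID|text|details|solution|` and `suggestion[]=...` lines and an overall `hardening_index=` score; the two reports below, including their test IDs, are constructed samples rather than real scan output.

```python
"""Added example: diff two Lynis report files (before/after remediation).
The report layout is assumed; the sample reports and test IDs are constructed."""


def parse_report(text):
    """Return (scalars, findings).
    scalars: plain key=value entries such as hardening_index.
    findings: {(kind, test_id): (description, details)} for warning[]/suggestion[]."""
    scalars, findings = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key in ("warning[]", "suggestion[]"):
            fields = value.split("|")
            test_id = fields[0]
            description = fields[1] if len(fields) > 1 else ""
            details = fields[2] if len(fields) > 2 else ""
            findings[(key[:-2], test_id)] = (description, details)
        else:
            scalars[key] = value
    return scalars, findings


def _index(scalars):
    """hardening_index as an int, or None if absent or malformed."""
    try:
        return int(scalars.get("hardening_index", ""))
    except ValueError:
        return None


def compare(before_text, after_text):
    """Classify findings by test ID: resolved (gone), remaining (still reported)
    and new (only in the second run). Remaining entries carry both detail
    strings so that a partially remediated test is visible."""
    b_scalars, before = parse_report(before_text)
    a_scalars, after = parse_report(after_text)
    resolved = sorted(set(before) - set(after))
    remaining = sorted(set(before) & set(after))
    new = sorted(set(after) - set(before))
    return {
        "resolved": resolved,
        "remaining": remaining,
        "remaining_details": {k: (before[k][1], after[k][1]) for k in remaining},
        "new": new,
        "hardening_index": (_index(b_scalars), _index(a_scalars)),
    }


# Constructed sample reports (made-up test IDs, not real Lynis output).
BEFORE = """# initial audit
report_version_major=1
hardening_index=58
warning[]=PKGS-0001|Found one or more vulnerable packages|-|Update the system|
suggestion[]=AUTH-0002|Configure password aging limits|PASS_MAX_DAYS|Set in /etc/login.defs|
suggestion[]=AUTH-0003|Configure minimum password length|PASS_MIN_LEN|-|
suggestion[]=SSH-0004|Consider hardening SSH configuration|PermitRootLogin (set YES to NO)|-|
"""
AFTER = """# after remediation
report_version_major=1
hardening_index=74
suggestion[]=SSH-0004|Consider hardening SSH configuration|AllowTcpForwarding (set YES to NO)|-|
suggestion[]=FILE-0005|Add a mount point for /tmp with the nodev option|-|-|
"""

if __name__ == "__main__":
    result = compare(BEFORE, AFTER)
    print("hardening index:", result["hardening_index"])
    for bucket in ("resolved", "remaining", "new"):
        print(bucket + ":")
        for kind, test_id in result[bucket]:
            line = f"  {kind} {test_id}"
            if bucket == "remaining":
                line += " details: %s -> %s" % result["remaining_details"][(kind, test_id)]
            print(line)
```

Note the SSH-0004 entry in the sample: the same test ID appears in both runs, but the detail field changed, which is why the comparison keeps both detail strings instead of treating an unchanged ID as unchanged work. The resolved and remaining lists are the input to the penetration test scope, and anything in the new list goes back into the remediation plan.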
That’s it for this section. Next one up is the system / host-based attacks section.
— Hmad