Vulnerability Self-Assessments

Audits are generally very time consuming and require a great degree of planning and coordination before they can be successfully completed. Comprehensive audits consist of thorough review controls detailed in policies, procedures, standards, and vulnerability testing. These steps are expensive and for this reason audits are generally performed annually at best. Many organizations need to design more expedient methods by which they can assess their risks, enter the self-assessment. Self-assessments can be used as checklists helping senior managers address vulnerability elements during systems design phases and after the system goes into production, before they become findings in the next audit.

In the perfect world, application vulnerability assessments actually begin in the planning stages of the Systems Development Life Cycle. When the system design phase begins, vulnerabilities should be identified and addressed before the system goes through the acquisition and implementation phases.

Vulnerability Self-Assessment

It is important in vulnerability self-assessments that all steps document policies and procedures addressing risk-elements. It is also important that if system vulnerabilities are identified during the course of the self-assessment, they should be made part of the company's risk management and audit processes.

The following discussion is a checklist that can be used in system vulnerability self-assessment.

Hardware

Describe the system infrastructure. Is there a diagram illustrating the topology? Is there an organizational chart reflecting job description and hardware responsibilities?

Document and describe the data outlets for servers, workstations, printers, modems, video cameras, CSU/DSU (network interface equipment), switches, hubs, load balancing, routers, firewalls, gateways, VPN appliances, etc.

Document and describe the cabling between the major hardware components.

Describe the location, organization, and person responsible for the relevant hardware documentation.

When was the date of the last hardware inventory? Was all hardware accountable? Were there any instances of unauthorized hardware installed?

Is all hardware authorized?

Is there a policy addressing official use of personal equipment?

Document and describe all pertinent hardware components that have software installed with default configurations. Why?

Document and describe access control lists, ACLs, for the firewall configurations including interior and exterior firewalls.

Document and describe perimeter router filtering policies, rules, and enforcement.

Document and describe the standard software installation policies and procedures for each hardware platform.

Document workstation access measures such as: BIOS passwords, Screensaver Passwords, Tokens, Biometrics, and Smart Card requirements.

Physical Security

Document and describe the location of fire suppression equipment.

Document any and all equipment that is not physically secure. Why?

Describe server and workstation boot processes. Do these equipment configurations have floppy drives (A) disabled for booting processes?

Are there BIOS, Basic Input/Output Information System, passwords? Do workstations have screensaver passwords? Are hard drives of mobile computing devices encrypted? Does mobile equipment have antitheft devices?

Are hard drives and removable media, containing sensitive information, secured in approved receptacles during idle periods?

Describe safeguards protecting equipment/media from theft.

Describe the location and safeguards of all publicly accessible equipment, including mobile units, e.g., laptops, PDAs, cellular telephones, PBX (Telephone Branch Exchange) equipment.

Emergency Power Management

Are there sufficient resources in the form of auxiliary power generators, uninterruptible power supplies, and electrical power conditioners for all user needs?

Is there individual hardware protection for power surges and voltage spikes?

Environmental Conditions

Are specific environmental needs met for employees, data, and equipment?

Are heating, air conditioning, and ventilation equipment in conformity with building and safety codes?

Is the employee work environment safe?

Configuration Management

Describe hardware and software configuration management. Who is responsible for configuration approval?

Are the protected interior systems connected to systems, through modems, terminal equipment, or PBX equipment having weak security procedures?

Are IP or IPX addresses accountable? When was the last inventory?

Are telephone numbers accountable? When was the last inventory?

Is information, within the organization, classified relative to its sensitivity?

Does information have an owner?

What is the means by which access is granted to information resources?

Network Protocols

Have all nonessential network services been disabled or removed on all relevant equipment?

Can any system be accessed by telephone, and if so, why?

Can any system be accessed wirelessly, and if so, why?

What security precautions have been implemented in wireless environments? Is there adequate supporting documentation?

Are wireless security precautions adequate for the traffic?

Are cabling cabinets/closets secured? Who has access, and why?

Are rooms containing networking equipment secured with restricted access? Who has access, and why?

Document all network equipment with remote configuration. Why?

Is network equipment accessible from consoles other than those located immediately next to the equipment? Why?

Have Web services been placed in a DMZ?

Are interior networks protected by firewalls?

Are sensitive interior networks partitioned by firewalls?

In the case of sensitive information, what is the justification of having open-ended networks connected?

Has intrusion detection technology been installed at the network and host levels?

Is there a procedure to respond to IDS alarms?

Disaster Recovery and Business Resumption

Have critical assets been identified and prioritized?

Has there been a risk management program implemented? Has this risk plan been thoroughly tested in the past 12 months?

Do employees know of shut-off procedures for water, electricity, and gas?

Is there a business resumption program? Has it been tested in the past 12 months?

Is there a critical incident management program?

Is there a Critical Incident Response Team?

Is there a business resumption plan? Has it been tested in the past 12 months?

Are there application and network transaction logs? With what frequency are they reviewed?

Software

Is there a list of authorized software to be installed on systems? Document authorized software lists.

Is there a policy regarding employees authorized to install software?

When was the last software inventory? Did this inventory include version numbers?

Is there a policy that addresses personally owned software?

Is there a standard configuration procedure for all authorized software installations?

What are the procedures for remote access to network/applications/workstations?

Are nonessential ports and services disabled?

Has antivirus software been installed and updated? How often is it run?

Have all applications and operating systems been updated with appropriate security patches?

Are software licenses audited regularly? When?

Are applications/operating systems protected by access control procedures?

Who are the employees having access to data? Why?

Who are the employees having access to production systems? Why?

Who is capable of accessing production code/applications/operating systems?

Do engineers/programmers/help desk employees have access to data? Why?

Are there system maintenance accounts? Who has access?

What justification is needed for user accounts?

Are departing employees' accounts audited before exiting? Are former employees' accounts disabled appropriately?

Media

Are media containing sensitive information appropriately secured during use and in idle periods?

Is there a policy regarding the use of personally owned media?

Is there a policy regarding scanning all media antivirus software?

Are media regularly backed up with copies secured offsite?

Is there a test of the integrity of backed-up media?

Is backed-up media tested for systems recovery? How long do recovery steps take?

Is printer output protected?

Is media, containing sensitive information, appropriately labeled?

Is there a procedure for media destruction and disposal?

Are there efforts requiring passwords to be changed regularly, minimum length, and containing special characters and capital letters? Are passwords required for application and operating system access? Are biometrics used to grant system access? Are Tokens/Smart Cards required for system access?

Are there documents showing that user authentication mechanisms are installed to limit system, building, and workspace access?

Are procedures requiring employee background investigations in place? Have the professional and personal references of all employees been verified? Have the professional qualifications of all employees been verified?

Is there appropriate separation of duties and least privilege?

Employee Security Awareness Training

Have employees been trained relative to risks and their management?

Is security awareness training mandatory for all employees? Are there documented attendance records?

Audit Conferences: More (but Important) Meetings You Need to Attend

Opening Conferences
Opening conferences occur at the initiation of the audit and should communicate the scope of the audit, the audit's objectives, introduce the audit staff, agendas, schedules, and relevant handouts. In part it is an opportunity to explain in professional terms the purpose and expected results of the audit to the employees who are going to be going to be participating in the audit. The entrance conference should be conducted with the following in attendance: Directors, or department heads responsible for the area being audited, managers and their subordinates who work in the specific audit target and any appropriate senior employees.

A typical entrance conference will have an agenda similar to the following:

Welcome

Introduce auditors and related audit participants

Review audit objectives

Review audit steps

Review time schedule

Identify relevant points of contact for each step

Describe the audit process from the auditor's and target's perspective

Set up first contact appointments

Conclusion

Other Conferences
During the course of the audit, there will likely be reasons for other conferences. For example, if an auditor finds there is something of a fraudulent nature, this should be brought to the attention of senior managers immediately. This meeting will take place behind closed doors. It is recommended that conferences between the entrance and exit conference take place away from the eyes of employees. If held before employees' view, they tend to foster unwarranted speculation, and damaging rumors can be fomented. Conferences of this type should be scheduled away from the work area being audited. In the case of reporting potential criminal activities, it is strongly recommended that the persons participating in this conference communicate through out-of-band means. Cellular telephones and communications methods, not using the organization's communication networks, are the best out-of-band communications. Involve the appropriate levels of staff including senior managers, legal unit, security unit, and risk managers in all conferences.

One point of professional due diligence is the discussion of the audit findings somewhere toward the end of the audit with the senior managers of the unit being audited. This gives them a chance to see any "hot grounders" headed their way. Responding to the auditor's findings is an effective way of determining if the auditors "hit their marks" with their work. Most senior managers realize their strengths and weaknesses before the audit takes place. Often the audit results merely provide them with the motivation to take corrective action.

An end of audit conference provides a formal means for a meeting of the minds and makes a matter of record of the audit's performance in the eyes of the responding managers. If there are serious differences between the auditor's findings and the manager's responses, it may be the auditors did not have a sufficient grasp of their material or they were not diligent in their efforts. In a worst-case scenario, it could mean the senior managers were out of touch with their business processes. In the former case, it is the responsibility of the audit managers to see that audit team members receive training to bring their skills up to par or find ways to motivate them to diligently perform their tasks.

Meetings whose purpose it is to preliminarily discuss their findings, allow senior managers an informal opportunity to discuss the audit findings and recommendations. This is a useful technique in addressing significant findings and permits the meeting's participants to determine if a follow-up audit is going to be needed.

Usually, follow-up audits are very narrow in their scope focusing entirely on those significant findings of the previous audit. Follow-up audits are much abbreviated, do not have opening or closing conferences and are staffed only with enough auditors to review the findings for compliance.

Exit Conferences
The auditors have completed their work, the report is done, and it is time to bring the audit to a close. Often, auditors deliver a performance survey to the managers of the target business unit. Such surveys have the purpose of collecting information about the performance of the auditors and the audit in general. Audit managers commonly use these surveys in completing the auditors' performance appraisals.

The agenda below is typical of a closing conference:

Welcome

Review audit objectives

Review audit steps

Briefly review controls adequacy

Briefly review controls recommendations

Present draft report

Field any questions from the attendees

Conclusion

Summary of Audit Steps
By way of summary, here are some steps to successfully completing audits:

Preparation

Predication for audit, routinely scheduled or based on an allegation

Form audit team from qualified employees

Prepare audit management plan

Prepare and deliver preliminary questionnaires

Prepare audit program

Prepare audit budget

Field work

Entrance conference

Audit field work

Audit status conference

Prepare draft of report including senior management responses

Exit conference

Conclusion

Prepare final audit report

Complete audit performance survey

Schedule follow-up audit, if necessary