The word audit often brings up some negative emotions. I’ll be honest — many years ago, I grimaced at the word audit; it shook me to the core. I didn’t like the idea of outsiders putting me or my work under a microscope, looking for flaws. Who would? However, in information security, I believe we should embrace audits and advocate for them. Now, before you think I’m crazy — hear me out, because it’s important, and here’s why:
Security Audits Find Red Flags
After years in the industry, I now look at audits with appreciation. Think of audits like a 500-point inspection for your vehicle. Similar to taking your vehicle in for maintenance, you are proactively looking for any potential issues, and addressing them. The last thing you want is to ignore a serious issue which later becomes a serious expense! Security audits are the same thing. They aim to find problems that need resolving to ensure our infrastructures run securely.
Regulatory Information Security Audit Requirements
So here’s a question for those who have to meet regulatory obligations during an audit: Do you self-audit? I’m guessing you probably do to ensure you perform well on the required audits. What about everyone else that doesn’t experience external audits? Do you perform self-audits? In either case, it’s important to audit yourself as an outside entity would.
Auditing Information Security Controls
I know audits can be many different things: a simple security audit, a risk audit, etc. However, for the sake of this post, we’re going to focus on security audits. These audits are helpful in validating that controls are in place and that best practices are followed across the board. In short, the goal of a security audit is not only to validate that these controls exist but to ensure they are actually working. Here are some helpful things to check:
Quick Security Audit Checklist
1. Web content filtering functionality: Test your security by attempting to access something you shouldn’t have access to.
2. Email filtering: Send yourself an email containing an EICAR file from a personal or test Gmail account.
   - EICAR is an industry standard test file used to test anti-virus, anti-malware, content filters, etc. The file itself is not dangerous, but all industry vendors include rules looking for the EICAR test string, which gives you a safe way to confirm that the rules fire.
3. Firewall rules: Attempt to access something your firewall should be blocking.
4. IPS: Try to run a deep port scan against your IPS from the outside, and see what happens.
5. Anti-virus: Attempt to download the EICAR file, and see if your anti-virus catches it and reports it.
6. Logging: Add a new user account or change group security permissions, and check to make sure it’s logged.
7. More logging: Try accessing a file you don’t have access to. Is it logged?
8. Even more logging: Install an application and see if it’s logged.
9. SIEM: Check to make sure 6, 7, and 8 from above all show up in your SIEM.
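Items 6 through 9 can be verified mechanically once the test actions have been performed. The script below is an added example, not code from the original post: it takes the host’s own syslog-style log and a JSON-lines export from the SIEM (both samples here are constructed), confirms that each test action left a log entry locally, and then confirms the same event reached the SIEM within a short delay, so a silently broken forwarder shows up as a failed item.

```python
import json
import re
from datetime import datetime, timedelta
# Constructed sample of the host's own log after performing checks 6, 7 and 8.
LOCAL_LOG = """\
2024-03-01T10:00:05Z host1 useradd[2101]: new user: name=audit_test, UID=1007
2024-03-01T10:01:10Z host1 usermod[2150]: add 'audit_test' to group 'sudo'
2024-03-01T10:02:30Z host1 kernel: audit: type=1400 denied open path=/etc/shadow uid=1007
2024-03-01T10:03:45Z host1 dpkg[2210]: status installed nmap:amd64 7.94
"""
# Constructed sample of what the SIEM ingested; the denied-access event never arrived.
SIEM_EXPORT = """\
{"ts": "2024-03-01T10:00:07Z", "host": "host1", "msg": "new user: name=audit_test, UID=1007"}
{"ts": "2024-03-01T10:01:12Z", "host": "host1", "msg": "add 'audit_test' to group 'sudo'"}
{"ts": "2024-03-01T10:03:50Z", "host": "host1", "msg": "status installed nmap:amd64 7.94"}
"""
# Checklist item -> pattern the test action should leave behind in the log.
CHECKS = {
    "6 account/group change": r"new user: name=audit_test|add 'audit_test' to group",
    "7 denied file access": r"denied open .* uid=1007",
    "8 software install": r"status installed nmap",
}
LINE_RE = re.compile(r"^(\S+) (\S+) ([^:\s]+): (.*)$")  # "<ts> <host> <prog>: <msg>"
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

def parse_local(text):
    """Yield (timestamp, host, message) for each syslog-style line."""
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        yield datetime.strptime(m.group(1), TS_FMT), m.group(2), m.group(4)

def parse_siem(text):
    """Yield (timestamp, host, message) for each JSON-lines record."""
    for rec in map(json.loads, text.splitlines()):
        yield datetime.strptime(rec["ts"], TS_FMT), rec["host"], rec["msg"]

def audit_logging(local_text, siem_text, checks, max_delay=timedelta(seconds=60)):
    """Return {item: (logged_locally, present_in_siem)} for every check."""
    local, siem = list(parse_local(local_text)), list(parse_siem(siem_text))
    results = {}
    for item, pattern in checks.items():
        hits = [e for e in local if re.search(pattern, e[2])]
        # Forwarded = SIEM holds the same host+message within max_delay; every local hit must be.
        forwarded = all(any(h == sh and msg == sm and abs(st - t) <= max_delay
                            for st, sh, sm in siem) for t, h, msg in hits)
        results[item] = (bool(hits), bool(hits) and forwarded)
    return results

def failed_items(results):
    """Checklist items that failed locally or in the SIEM (the item 9 check)."""
    return sorted(i for i, (ok_local, ok_siem) in results.items() if not (ok_local and ok_siem))
```

Point `LOCAL_LOG` and `SIEM_EXPORT` at real exports and extend `CHECKS` with the patterns your own tooling produces; any item in `failed_items()` is a control that is silently not doing its job.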
As you can see, the security audit can be tailored to whatever security controls you have or need. NIST provides Special Publication 800-53A (the “A” is for audit or assessment), published in several file formats. This is a great place to start creating your own audit document.
To sum it up, embracing self-audits and the benefit they provide will reduce risk and save time. The longer a security control remains in a failed state, the more time threats have to exploit a vulnerability. Protect yourself and add security by prioritizing audits.
Find more of our blogs in this series by searching “roadmap to security” in our blog.