IT audit
23.05.2022 | 2022-05-25 15:34
CERTINSPECT REGISTER can perform IT audits, vulnerability scans and computer system penetration tests. These audits will assess at least:
1. The policies, procedures and technical and organizational measures implemented by the organization:
Examples:
- access rights management;
- user awareness and training;
- journaling and ensuring the traceability of activities within computer networks and systems;
- testing and evaluating the security of computer networks and systems;
- management of network and computer systems configurations;
- ensuring the availability of the essential service and the operation of computer networks and systems;
- management of the continuity of the operation of the essential service;
- user identification and authentication management;
- incident response;
- maintenance of computer networks and systems;
- external memory media management;
- ensuring the physical protection of computer networks and systems;
- implementation of security plans;
- ensuring staff security;
- security risk analysis and assessment;
- ensuring the protection of products and services related to computer networks and systems;
- vulnerability management and security alerts.
2. Vulnerability scans and penetration tests of IT systems
The purpose of this type of audit is to identify vulnerabilities in computer networks and systems, to verify whether they can be exploited, and to assess the impact of their exploitation on the network under the real conditions of a cyber attack on computer networks and systems. The audit activity can be carried out either from outside the network (in particular from the Internet or from an interconnected third-party network) or from within the network. It must be carried out in conjunction with the other audit activities, either to improve their effectiveness or to demonstrate the feasibility of exploiting the vulnerabilities discovered.
Possible methods for the technical IT audit include:
- Vulnerability scanning (Nessus, OpenVAS);
- Active testing of the identified vulnerabilities;
- Verification of authentication systems and limited brute-force actions;
- Exploitation of vulnerabilities (Metasploit, publicly available exploits);
- Post-exploitation techniques (accessing private data and systems).
The vulnerability identification process involves scanning the Beneficiary's IT infrastructure in order to identify its vulnerabilities and identify remedial solutions.
The objectives of the vulnerability identification process are the following:
- Infrastructure discovery - identification of servers and other network devices, using industry standard solutions.
- Service detection - identification of open ports and services available on each discovered system, such as: email services, web applications, file sharing services.
- Vulnerability identification - performing the analysis based on the operating system, services, configurations and information collected in the previous phases.
- Vulnerability classification - classification of the discovered vulnerabilities using existing standards (CVE) to assess the impact and the risk associated with each vulnerability.
- Reporting - centralization of conclusions, prioritization and organization according to the requirements of the Beneficiary.
- Vulnerability management - vulnerabilities will be sorted and prioritized according to their degree of risk and the number of affected devices. Solutions will be provided for the "Critical" and "High" vulnerabilities discovered.
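The classification, reporting and prioritization steps above amount to a triage procedure: group findings by vulnerability, rank by severity and by how many devices are affected, and queue the "Critical" and "High" items for remediation. The following script is an added illustration of that procedure and is not CERTINSPECT REGISTER's own tooling. It assumes a scanner export reduced to a simple CSV with the columns host, port, service, cve, severity (real Nessus or OpenVAS exports are richer); the sample rows and the CVE identifiers in them are constructed placeholders.

```python
"""Triage of vulnerability-scan findings (added example, not the audit provider's code).

Assumed input: a CSV export with columns host,port,service,cve,severity.
The sample rows below are constructed; CVE-PLACEHOLDER-* are not real CVE ids.
"""
import csv
from collections import defaultdict
from io import StringIO

# Severity labels as used in the text ("Critical", "High"), ranked for sorting.
SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Info": 0}

# Constructed sample export. CVE-PLACEHOLDER-3 is reported with two different
# severities on two hosts, which the aggregation below resolves to the higher one.
SAMPLE_EXPORT = """host,port,service,cve,severity
10.0.0.5,443,https,CVE-PLACEHOLDER-1,Critical
10.0.0.6,443,https,CVE-PLACEHOLDER-1,Critical
10.0.0.7,443,https,CVE-PLACEHOLDER-1,Critical
10.0.0.5,22,ssh,CVE-PLACEHOLDER-2,High
10.0.0.9,25,smtp,CVE-PLACEHOLDER-3,High
10.0.0.11,25,smtp,CVE-PLACEHOLDER-3,Medium
10.0.0.9,445,smb,CVE-PLACEHOLDER-4,Medium
10.0.0.10,80,http,CVE-PLACEHOLDER-5,Low
"""


def parse_findings(text):
    """Parse the CSV export into a list of dicts; reject unknown severity labels early."""
    findings = []
    for row in csv.DictReader(StringIO(text)):
        severity = row["severity"].strip()
        if severity not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {severity!r} on host {row['host']}")
        findings.append({
            "host": row["host"].strip(),
            "port": int(row["port"]),
            "service": row["service"].strip(),
            "cve": row["cve"].strip(),
            "severity": severity,
        })
    return findings


def aggregate_by_cve(findings):
    """Group findings per CVE: affected hosts, exposed services, worst reported severity."""
    groups = defaultdict(lambda: {"hosts": set(), "services": set(), "severity": "Info"})
    for f in findings:
        g = groups[f["cve"]]
        g["hosts"].add(f["host"])
        g["services"].add(f"{f['service']}/{f['port']}")
        if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[g["severity"]]:
            g["severity"] = f["severity"]
    return groups


def prioritize(findings):
    """Rank CVEs by degree of risk first, then by number of affected devices."""
    rows = [
        {
            "cve": cve,
            "severity": g["severity"],
            "affected_hosts": len(g["hosts"]),
            "hosts": sorted(g["hosts"]),
            "services": sorted(g["services"]),
        }
        for cve, g in aggregate_by_cve(findings).items()
    ]
    rows.sort(key=lambda r: (-SEVERITY_RANK[r["severity"]], -r["affected_hosts"], r["cve"]))
    return rows


def remediation_queue(findings, min_severity="High"):
    """The subset that must receive a remediation solution: Critical and High by default."""
    threshold = SEVERITY_RANK[min_severity]
    return [r for r in prioritize(findings) if SEVERITY_RANK[r["severity"]] >= threshold]


def render_report(findings):
    """Plain-text report table for the Beneficiary, in priority order."""
    lines = ["CVE | severity | hosts affected | services"]
    for r in prioritize(findings):
        lines.append(f"{r['cve']} | {r['severity']} | {r['affected_hosts']} | {', '.join(r['services'])}")
    return "\n".join(lines)


if __name__ == "__main__":
    found = parse_findings(SAMPLE_EXPORT)
    print(render_report(found))
    print("\nNeeds a remediation solution:", [r["cve"] for r in remediation_queue(found)])
```

Sorting by severity before host count means a single Critical finding still outranks a High finding present on many devices, which matches the stated rule; a team that weighs exposure more heavily can swap the two sort keys.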
There are two types of vulnerability scans:
- internal scans - these are performed from networks controlled by the Beneficiary, using user accounts with privileges that allow extensive verification of the versions and settings of the services, operating-system libraries and applications;
- external scans - these are performed after the intrusion prevention and detection systems and firewalls have been configured to allow the connection. It is recommended to combine several solutions with attacker-style penetration tests, so that as many vulnerabilities as possible are detected and so that the equipment's resistance to exploitation, as well as the hardware's resistance to a prolonged and constant attack, is verified.
The discovered vulnerabilities can be exploited in a penetration test audit. Performing penetration tests offers the following benefits:
- prevention of computer attacks based on vulnerabilities of the computer system;
- testing of the network using a methodology and tools similar to those of attackers;
- checking and exposing existing vulnerabilities in the IT infrastructure;
- a complete and in-depth picture of the vulnerabilities discovered, showing how they could be exploited to attack the systems;
- demonstration that vulnerabilities exist not only theoretically but also practically;
- a realistic approach to the identified security issues;
- testing of procedures and of the risk posed by the human factor (through social engineering techniques).
For a personalized offer, please contact us.