
Computer security audit

From Wikipedia, the free encyclopedia


A computer security audit is a process that can verify that certain standards have been met, and identify areas in need of remediation or improvement. Decades ago, identifying problem areas had to be done by a team of human auditors, but now software can analyse what is on a computer and present the findings in a form that you do not need to be an expert to comprehend. It is important to use software that stays current with rapidly evolving security threats. Software cannot resolve the whole problem. Computer users need to evaluate the reports, make changes to correct the problems, then rerun the reports. When all the identified problems have been resolved, we can raise the bar on the standards we are trying to achieve.

Computer security audits go beyond information technology audits, which examine what is on the computer system and how it is being used in order to verify that programs are working as intended and that the data is reliable. A computer security audit also verifies that none of the data is being tampered with, or can be tampered with, to show incorrect results. Managed service providers (MSPs), such as Virtual IT Solution (http://www.virtualitsolution.com), also conduct EVS. For example, the risk of insider embezzlement can be detected by an information technology audit. Auditing information security can be part of an information technology audit conducted by a team of human auditors with expertise in the computer system being audited and the application software there. Computer security audits go beyond annual financial audits and physical inventory audits, which are standard processes in most businesses, to the data content. They also look into how the data is stored, on a hard disk or other storage area, and whether the data is secure. Home users of personal computers cannot afford the price tag of a standard audit, so they have to make do with whatever diagnostic tools are readily available for their use.

There are some activities in common between computer security audits and auditing information security.

Auditing information security tends to be a top-down comprehensive analysis, typically only at major corporations, such as those traded on the stock market, followed by education in the areas that need fixing. Smaller companies and home users cannot justify this expense. A computer security audit is bottom-up: it covers what can be resolved using automated software tools, combined with access to a panorama of education, from which the affected users can pick and choose which topics to learn at their own pace.

This computer security audit article describes what any individual computer user, any business enterprise, government agency, non-profit organization, can do, relatively inexpensively, to find out what security remediation is needed, much of which they can do themselves, and get education to see how to improve their security into the future. Some of the discoveries will lead to calling on professional help associated with part of what is done by auditing information security and other consultants. Implementation of computer security audits often comes with access to continuing education, which is marketed different ways by the vendors of computer security audit tools. Some provide up-front consulting, others offer some amount of free tech support time.

The evolution of computer technology resembles that of the automobile in that computers have become ubiquitous consumer commodities. Almost anyone can buy a computer and start using it with almost no training. Unlike cars, however, computers present potentially complex security issues that go far beyond a layman's understanding. Many computer systems are delivered with defaults that are insecure if installed, while much standard software has been designed without concern for security, then sold to millions of computer users, who might not realize the potential risk.

This failure to include security in most software is not because of any nefarious motives by the computer software publishers, but rather an outgrowth of computer security education being thought of as specialized training that is not deemed essential for computer programming. Also many programmers are self-taught, using text books that teach the mechanics of writing in some computer language without a bigger picture of what it means to write quality software that has good security, performance, ease-of-use, interoperability, good data base design, and satisfies other information technology goals. Thus the vast majority of computer programmers know absolutely nothing about how to design their work products for good computer security.

This lack of security within many computer ingredients has led to a market for computer security tools that test computer systems to locate computer insecurity problems that can be repaired, provide computer users and owners with explicit instructions on how to fix the problems, and include resources to help computer users get educated on doing a better job of security, whether they are using personal computers at home or elsewhere, or making organizational use of larger networks.

What these Audits Don't do

Many typical security breaches would not occur had the breached institution been doing regular computer security audits. But there are also types of security breaches which are not prevented by most state-of-the-art computer security audit processes. Data in transit, outside the areas subjected to security audits, is also at risk. But this normally is not obvious to the people in charge of that data until after their first breach. Also, there is a lot of older, formerly standalone hardware that gets connected to business networks that have high security needs, without a security review being applied to that connection.

Prevent Laptop Theft

Sometimes a portable PC or laptop is stolen from an automobile, and there is critical data on it. This might not be preventable by audits at the company where the laptop owner or user works, and many laptop users are somewhat self-employed, but the risk of this happening can be dramatically reduced if the owner has been undergoing computer security auditing education which includes seeing what is needed to protect the laptop from having a wireless "steal me" sign, and verifying that any such sign has been removed.

Some companies engaged in the computer security audit process include standards of security education for all employees, but often there is personnel turnover such that new staff are using computers in insecure ways long before the contrary education gets to them. There is often uncertainty about how much of this applies to what consultants and business partners are doing with data shared across multiple companies. Security is everyone's responsibility, and we also need to do a better job of communicating to everyone how to find out what needs to be done.

Many laptops come with wireless turned on by default. Autos are often parked in places without good security. Many criminals can check parking areas, looking for the wireless signals that identify which locked autos contain laptops out of physical sight. This also applies to other semi-public areas where a laptop owner or user might temporarily leave it unattended. Thus, the laptop wireless defaults can be like a "steal me" sign for the laptops of new owners who are unaware of the need to turn wireless off when they do not need it.

Many enterprises that conduct security audits fail to consider risks associated with portable PCs transported by employees on and off company property. A traveler might connect at a public site that has inadequate security compared to the home office, and catch some malware without knowing it. When the traveler returns to the office and plugs into the network, inside the corporate firewall, the malware jumps to the company intranet, and from there to all other employee PCs.

Computer security is only as good as the areas that get audited, then identified problems acted on. If some area of computer operations is not audited, then problems there might not get identified.

Cell Phones also at Risk

Most everything just stated about laptops is also true for cell phones and other portables, because consumer electronics is getting smaller, and acquiring a growing volume of resources, storing data that might place the owner at some risk if and when that hardware gets stolen.

Some Intruder Risks

Some types of security auditing do not yet have good automated comprehensive diagnostic tools, that can be applied at a network level, instead of tedious inspection at each individual PC at an enterprise that can have quite a few.

One of the security breaches at Microsoft involved a telecommuting employee whose home computer did not have the latest patches. The computers at Microsoft HQ had state-of-the-art security, but not all employees and contractors were up-to-date. This is a type of exposure for many enterprises. The handshake process, by which a remote PC signs onto a larger network, can include a script on the host system to check the client for some security issues, but since the end user expects rapid sign-on, not everything is practical to check.

A white hat communications check can find out if any employee in an institution's network has software on their PC that makes it easy for an intruder to get into the network through them. The current state of the art is for a white hat auditor, who knows nothing about the business, to see how far he can get, armed only with a directory of the company's phone numbers. Then this process is repeated after the auditor has been briefed about the business and the industry it is in. Hacker techniques evolve so rapidly that it is prudent for any enterprise desiring this kind of inspection to have it done by an outside consultant who is up-to-date on those techniques.

Credit Card Commerce Theft

Many very small companies, such as restaurants and retailers, where credit cards get used, are staffed by people whose expertise is in the products and services provided there, not in the technology being used. As with the personal auto analogy, there are potential security risks for anyone who uses computer technology in business.

There is a special kind of phone line that carries credit card information about customers of retailers through the process of verifying and approving that credit. This line can be hacked. Other enterprises in ordinary commerce, and in e-commerce, also have common business needs to use specialized communication services, all of which have security implications.

People at the retailers, and other enterprises, are typically unaware of the security settings on their communication lines, if those settings are up-to-date, and if the method of communication connection is appropriate to our evolving collection of security threats. It is like people using ordinary voice phone. We assume our line is not tapped, and cannot imagine why anyone, other than an error in a police investigation, would lead to us getting tapped. However, a lot of cellular and wireless conversations are going over public airwaves, and there is a sub-group of society that loves to listen to police scanners and other business, for pure pleasure. Some of this other business communication is carrying traffic of interest to criminals, such as credit card sales.

Normally in business, a company gets something installed, sees that it appears to be working fine, and the contract is ended with the installment working as expected. But security for that installed service is a moving target. There are new threats needing new security measures. Over time, any installed technology, if it is not subjected to a relevant security audit process, becomes more and more vulnerable to security problems. Education, that such an audit process is needed, does not communicate itself to people who do not realize it is needed.

Backup Media Theft

Data needs to be backed up, in case something goes wrong where the computer is located, such as fire, natural disaster, serious human error, hardware crash, some vehicle crashes into the building, sabotage. Some risks are very low probability, but over the life of a computer, there may be multiple incidents requiring access to what is on the backup. Suppose a building that houses a computer burns down. Both the computer, and any backups stored there, are ruined.

Those copies of backups need to be stored at another location, along with a list of what hardware is needed to reconstitute the system, and phone numbers for tech support and other services. There have been several instances of backups stolen in transit, then the security of the transportation of those backups questioned. Even bank armored cars carrying money can be robbed. It is a matter of weighing risks, then deciding how much money should be spent on security for the backup media in transit. What is the value of the data on those backups to potential criminals?

Backups can be encrypted, but if something is causing data to be corrupted, recovering data from a corrupted encrypted backup is beyond affordability for the average business. Thus, a backup strategy needs to include encryption on backup media leaving the place where the computer is, and unencrypted with the computer, but suitably secured, such as in a locked file cabinet.

Many people, who use computer security audit tools, apply them only to what is on the computer, ignoring this bigger picture.

Supply Chain Risks

In modern e-business, many computer systems at many different enterprises, and in the hands of ordinary computer users, are communicating with each other over the competitively cheapest means, through a variety of intermediate service providers. At each link in a communication chain between multiple computer systems, there are security risks. All these different entities need to provide some assurance of good security. The whole process of security assurance must be sufficiently inexpensive that it does not drive competitors to places that are significantly less expensive because they are less secure.

Many companies do not handle all parts of their business with internal employees. They may use other companies to handle product delivery, payroll, other accounting, and banking. Each of these other enterprises needs to have access to some data from the company using the services.

Some companies are in the business of communicating rather confidential information, about police investigations, personal finances, medical information. There are individuals authorized to access this data, which needs to be communicated somehow between the computer system of the company with the data to that of the people who are authorized to access it.

The products and services, that any company is in business to provide, are often sold to other companies, and the raw materials to make those products and services possible, also come from other companies. Data must be transmitted between the companies identifying what is needed, when, at what price, with forecasting of future needs.

For the whole interconnected system to work without any security breaches there must be good security, which includes a continuing security audit process, with each and every organization, service provider, computer, communication system, transportation methods, storage, paperwork system, in the entire supply chain network, with intercommunication to everyone who might be affected in any security breakdown, to assure them about safety of their data here. The state-of-art has been doing an inadequate job of communicating such assurances to the little guy in the chain.

Depending on the contractual business relationship, some companies can send audit teams to others that they are in business with, to verify security standards have been adhered to. This is potentially quite expensive. Alternatively there can be industry-wide standards organizations, such as ISO that issue certifications to companies that meet certain standards, then other companies endeavor to only do business with those that have achieved these standards.

Where such Audits can Serve Everyone

Some protection should be on almost every computer, such as backups, power protection, and firewalls. Firewall logs of intruder attempts can be sent to a service such as Internet Storm Center using software such as DShield.

Thus, those individuals who are in the business of looking for a computer system to break into, without permission, to perform various mischief, will immediately become the target of e-cops seeking to put them out of business, and in time this will discourage such criminal enterprises.

What these Audits do for small and medium size enterprises

Computer security audit tools to test your computer security are used by enterprises and government facilities running one of the operating systems for personal computers or computer network systems, to find any standard protections and settings that may have been overlooked in achieving various computer security standards. Business and government users of very popular application software packages can get computer security audit software that is tailored to the particular package, to identify settings not in the best interests of good computer security, and what needs fixing so as to achieve the best known standards of computer security for the industries where that kind of computer software is ordinarily deployed.

Examples of these Audit Tools

For each example given, there are competing products and services that do similar things. In time, this article will comprehensively include info on more of them.

Enterprise Computing

Auditor's Computer Audit

Software is available that can be loaded on an operating system, in association with the visit of auditors for a financial or other audit, or as part of other oversight, to translate technical data settings into a form understandable to non-technical people, such as people on the audit staff who may be unfamiliar with the particular computer system or its software. The reports include both widespread recommendations of various authorities that apply to almost any computer system, and some that are specific to an industry or a software package. These are contrasted with how the system being audited has implemented its rules, or not complied with these national standards.

The technical staff of the institution may add comments as to why this institution must not implement some national standards. For example, we are using a particular software package to run our business that is considered to be mission critical, but implementing certain standards would crash this package. Another example is that a specific manager has made demands that certain things be done that are incompatible with some standards. There may also be an issue that complying with some standards requires outside expertise for which we have no budget.

One of many such auditor packages is PS Audit from Netiq, formerly PentaSafe, available for major operating systems such as Windows, Unix, Linux, OS/400. It is designed to be used by general auditors, who need not know anything about the specific computer system, operating system, or application software used by their client that is being audited.

PS Audit analyses the settings of the operating system, computer security, and application software, and generates a report identifying computer insecurity that needs repairs. Can unauthorized people get onto this system? What are all the ways that people can get onto this system, and how is each one secured? Without giving out information that would be helpful to an intruder, are there passwords here that are too easy to guess?

The auditors, management, and computer staff can then discuss what this audit tool has revealed, and prioritize what actions are needed. It can also be left on the computer system for the client use after the auditors have left, performing such tasks as monitoring system logs, with notification of events needing immediate action.

OS/400 iSeries

Many businesses run on the IBM AS/400, whose operating system is one of the most secure available, but modern business needs to be connected to many resources whose security is less developed than what IBM offers. At one time it was advertised as being so reliable that it did not need a computer staff. There are in fact several installations that run for weeks or months without needing a technical person other than general user help desk support. Problems of computer insecurity here are usually not due to malware, hackers, or any of the problems that personal computer users are familiar with; rather, the concern is avoidance of insider crime and certain patterns of systemic human error.

Report Card

When we are in school, the institution periodically issues a document that is a score card on how we are doing in our classes. When we are very young, this report goes to our parents or guardians. Computer security audit tools can do the same kind of thing with respect to elements of a computer system. The report goes to the owners or operators of the computer system. It is a summary statement of how we measure up to some standards, as of this time in our security education process, with links to more information on how come we got less than a perfect score in this or that subject.

  • Bill of Health, from Unbeaten Path International, provides a Report Card on your overall Computer Security, with guidance on what needs to be upgraded to improve your Security.
    • A company keeps several copies of this report over time to show to auditors. This is evidence of corporate governance progress towards having, and maintaining good Computer security.
    • Any time new software gets installed, or upgraded, the Bill of Health is run again, to make sure that no Security standards got compromised.
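
The report-card cycle described above (score against a baseline, record the technical staff's documented exceptions, rerun after every install and flag anything that slipped) can be sketched as follows. This is an added example, not code from Bill of Health or PS Audit; the check names, thresholds and sample settings are all constructed for illustration.

```python
# Added example: audit "report card" with documented exceptions and
# regression detection between runs. All checks and data are constructed.
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional


def _is_int(v: Any) -> bool:
    # bool is a subclass of int in Python; do not let True pass as a number
    return isinstance(v, int) and not isinstance(v, bool)


@dataclass(frozen=True)
class Check:
    key: str                        # setting name in the collected snapshot
    description: str                # what the standard requires
    passes: Callable[[Any], bool]   # predicate over the collected value


# Hypothetical baseline; a real one comes from the standard being audited against.
BASELINE: List[Check] = [
    Check("min_password_length", "Passwords are at least 12 characters",
          lambda v: _is_int(v) and v >= 12),
    Check("firewall_enabled", "Host firewall is on", lambda v: v is True),
    Check("auto_updates", "Automatic patching is enabled", lambda v: v is True),
    Check("guest_account", "Guest account is disabled", lambda v: v is False),
    Check("backup_age_days", "Last backup is under 7 days old",
          lambda v: _is_int(v) and 0 <= v < 7),
]


def run_audit(settings: Dict[str, Any],
              exceptions: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Return {check key: "PASS" | "FAIL" | "EXCEPTION"}.

    A setting that was not collected fails: an area that was not audited
    cannot be assumed safe. An exception only counts if it carries a
    written justification from the technical staff.
    """
    exceptions = exceptions or {}
    results = {}
    for check in BASELINE:
        if check.key in settings and check.passes(settings[check.key]):
            results[check.key] = "PASS"
        elif exceptions.get(check.key, "").strip():
            results[check.key] = "EXCEPTION"
        else:
            results[check.key] = "FAIL"
    return results


def score(results: Dict[str, str]) -> int:
    """Percentage of checks that pass outright; exceptions earn no credit."""
    return round(100 * sum(s == "PASS" for s in results.values()) / len(results))


def regressions(previous: Dict[str, str], current: Dict[str, str]) -> List[str]:
    """Checks that passed in the previous run but do not pass now."""
    return sorted(k for k, s in current.items()
                  if previous.get(k) == "PASS" and s != "PASS")


# Constructed snapshots: before and after installing a new package.
EXCEPTIONS = {"auto_updates": "Patching crashes the mission-critical package"}
BEFORE_INSTALL = {"min_password_length": 14, "firewall_enabled": True,
                  "auto_updates": False, "guest_account": False,
                  "backup_age_days": 2}
AFTER_INSTALL = {"min_password_length": 14, "firewall_enabled": False,
                 "auto_updates": False, "guest_account": False}

if __name__ == "__main__":
    old = run_audit(BEFORE_INSTALL, EXCEPTIONS)
    new = run_audit(AFTER_INSTALL, EXCEPTIONS)
    print("before:", score(old), "% after:", score(new), "%")
    print("regressed since last run:", regressions(old, new))
```

Keeping each run's results, as the company in the first bullet does with its reports, is what makes the regression comparison possible.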

Who Dun it

At the beginning of detective stories we are often faced with a dead body, the wreckage of some place that was broken into and had valuables stolen, or evidence that something was breached. We do not know who did it, how they did it, or what they took. Figuring that out is the challenge that keeps the human detective earning a paycheck. Similarly, when bad things are suspected of having happened with a computer system, we want to know exactly what got messed up, so that we can fix it, and we want to track down and apprehend the perpetrators, with smoking gun evidence that will stand up in a court of law.

Statistics on computer crime can be very misleading for several reasons.

While the news media gives great play to computer security breaches due to outsiders breaking in, most computer crime, as reported in law enforcement statistics, is insider crime. This may seem counter-intuitive to operators of personal computers who are perpetually bombarded with spam, viruses, spyware, hackers, etc. However, if none of the incidents that we experience are reported to law enforcement, then they do not make it into the crime statistics. Similarly, the police only get involved if the damage involves significant sums of money, far in excess of the inconvenience to any one end user. When the criminal is an insider, the crime is much easier to solve than when it is an outsider. Thus we might have millions of unsolved crimes by outsiders which do not make it into the statistics because they are unsolved.

  • Stitch in Time, from Unbeaten Path International, tracks updates to your data base.
    • It does not matter how the data got updated, by whom, using what kind of software, or system connection, because the files or tables contain internal rules about what contents are to be monitored. This builds a history of before / after changes, that can then be traced, using tools that are manager-friendly.
      • When was this price changed, and by whom?
      • Where did this inventory go, and who took it?
      • Has anyone been changing the rules for vendor terms, in support of phony trading partners?
  • The OS/400 community recognizes this as a top notch service.
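
The page does not describe how Stitch in Time is built. The following is an added sketch, not that product's code, of the general idea in the bullets above: the monitoring rule lives in the table itself (here a SQLite trigger), so a change is recorded whether it arrives through an application or ad-hoc SQL. Table names, the `audit_session` table and the sample data are assumptions; SQLite has no login identity, so the acting user is read from a one-row session table.

```python
# Added example: before/after change history kept by the database itself.
# Schema, names and data are constructed for illustration.
import sqlite3

SCHEMA = """
CREATE TABLE item (sku TEXT PRIMARY KEY, price_cents INTEGER NOT NULL);
-- Assumption: the acting user is published here by whatever opens the session.
CREATE TABLE audit_session (id INTEGER PRIMARY KEY CHECK (id = 1),
                            name TEXT NOT NULL);
CREATE TABLE item_history (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    sku TEXT NOT NULL,
    old_price_cents INTEGER,
    new_price_cents INTEGER,
    changed_by TEXT NOT NULL,
    changed_at TEXT NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%fZ', 'now'))
);
-- The rule is attached to the table, so every update path is covered.
CREATE TRIGGER item_price_audit AFTER UPDATE OF price_cents ON item
WHEN OLD.price_cents IS NOT NEW.price_cents
BEGIN
    INSERT INTO item_history (sku, old_price_cents, new_price_cents, changed_by)
    VALUES (OLD.sku, OLD.price_cents, NEW.price_cents,
            COALESCE((SELECT name FROM audit_session WHERE id = 1), 'unknown'));
END;
-- History is append-only: recorded changes cannot be edited or deleted.
CREATE TRIGGER item_history_no_update BEFORE UPDATE ON item_history
BEGIN SELECT RAISE(ABORT, 'item_history is append-only'); END;
CREATE TRIGGER item_history_no_delete BEFORE DELETE ON item_history
BEGIN SELECT RAISE(ABORT, 'item_history is append-only'); END;
"""


def open_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def act_as(con: sqlite3.Connection, user: str) -> None:
    """Record who is acting in this session (stand-in for a real login)."""
    con.execute("INSERT OR REPLACE INTO audit_session (id, name) VALUES (1, ?)",
                (user,))


def price_history(con: sqlite3.Connection, sku: str):
    """Answer 'when was this price changed, and by whom?' for one item."""
    return con.execute(
        "SELECT old_price_cents, new_price_cents, changed_by "
        "FROM item_history WHERE sku = ? ORDER BY id", (sku,)).fetchall()


def history_rejects_deletion(con: sqlite3.Connection) -> bool:
    """True if an attempt to erase recorded history is refused."""
    try:
        con.execute("DELETE FROM item_history")
    except sqlite3.DatabaseError:
        return True
    return False


def demo() -> sqlite3.Connection:
    con = open_db()
    con.execute("INSERT INTO item VALUES ('WIDGET-1', 1999)")
    act_as(con, "alice")   # change made through an application code path
    con.execute("UPDATE item SET price_cents = ? WHERE sku = ?",
                (1499, "WIDGET-1"))
    act_as(con, "bob")     # change made with ad-hoc bulk SQL
    con.executescript("UPDATE item SET price_cents = price_cents - 500;")
    con.execute("UPDATE item SET price_cents = 999")  # no real change: not logged
    return con


if __name__ == "__main__":
    db = demo()
    for row in price_history(db, "WIDGET-1"):
        print(row)
    print("history protected:", history_rejects_deletion(db))
```

Anyone with rights to drop the triggers or the history table can still erase the trail, so the history is only as trustworthy as the control over schema changes.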

What these Audits do for Home computer users

Personal Computer

Any user can visit the Shields Up collection of tools at Steve Gibson's research site to run tests that identify anything that needs fixing, then, after implementing repairs, return and test again, repeating until there is nothing left to fix. There are other internet sites with similar services, worth visiting after installing any new software, to see if the installation process messed up any computer security settings that are now in need of further adjustment.

One of the biggest problems on personal computers in contemporary times is spyware, which most anti-virus fails to adequately protect against, so PC users need to install anti-spyware protection in addition to anti-virus. Also, PC users need to have more than one anti-spyware product on their PC because none of them protect against all the threats. Further, many products that claim to be anti-spyware are in fact spyware.

Fortunately, several web sites have evaluated the different solutions that are out there, and provide useful guidance such as Spyware Warrior. Unfortunately, several sites that claim to do this kind of service, in reality are promoting spyware disguised as anti-spyware. For more guidance on protection, see the spyware article.

External links

IBM Midrange Security

  • http://www.woevans.com/ Wayne Evans is one of the fathers of IBM Computer security architecture. He has retired from IBM and now does consulting work, which includes education in computer security. Some of that education can be downloaded from his web site.
  • One of the mothers of IBM Computer security architecture has retired from IBM and founded Skyview Partners in concert with another former IBM professional. They provide security audit tools and security education.
  • Unbeaten Path International provides services including security audit tools for the IBM AS/400 market, and security education for the staff of such computer systems.
    • Government Compliance Standard overviews, by no means complete, but a good introduction. Other education can be downloaded from this web site.