Auditing Fundamentals

⚡ Prerequisites

• Basic networks concepts

📕 Learning Objectives

• Describe cyber security and explain cyber maturity

• Identify common frameworks and governing regulations

• Perform network auditing

❗ Authorization is required to conduct systems auditing. ❗

Cybersecurity Basics

🗒️ Cybersecurity, or Information Technology Security, is the process of protecting systems, networks, programs, devices and data by preventing, detecting and responding to digital attacks. It aims to lower the risk of cyberattack and protect against the unauthorized and improper use of the involved technology.

Protected information can be:

• PII (Personally Identifiable Information)

• Healthcare Information

• Financial Data

• Intellectual Property

• Business Secrets

• Business Operations

Data must be secured from:

• Criminals

• Competitors

• Insider Threats

• Malicious Actors

CIA Triad

🗒️ The CIA Triad (Confidentiality, Integrity and Availability) is a guiding model used to describe information security, also useful for managing the products and data of research.

Policies and security controls that reduce threats to these three vital components are a part of a comprehensive information security plan and are balanced to meet business needs.

Defense in Depth

🗒️ The Defense-in-Depth is a strategy that uses multiple layers of security protection and helps reducing vulnerabilities, containing threats and mitigating risks.

Depending on what and how an organization need to secure, the strategy have to be shaped, considering a risk management plan.

🗒️ Risk Management is the process of identifying, assessing and controlling financial, legal, strategic and security risks to an organization’s capital and earnings. It plays the ultimate factor in an organization.

Compliance

🗒️ Cybersecurity Compliance involves meeting various controls to protect the confidentiality, integrity, and availability of data.

Compliance requirements (usually established by a regulatory authority, law or industry group) typically involve using an array of specific organizational processes and technologies to safeguard data. Controls come from a variety of Cybersecurity frameworks and regulations, such as:

• PCI DSS (Payment Card Industry Data Security Standard )

  • mandated by card brands, created to increase controls around cardholder data

  • reduce card fraud

• GDPR (General Data Protection Regulation)

  • Data protection and privacy law in the EU (European Union) and EEA (European Economic Area)

• HIPAA (Health Insurance Portability and Accountability Act)

  • United States regulations for the use and disclosure of PHI (Protected Health Information)

  • Administrative, physical, technical safeguards

• CPPA (California Consumer Privacy Act.)

  • enhance privacy rights and consumer protection for California (USA) residents

📖 Cybersecurity Compliance: A Comprehensive Guide - Celerium

Frameworks and Maturity

🗒️ Cybersecurity Frameworks are sets of controls that represents a fully functional cybersecurity program when met.

• NIST Cybersecurity Framework (National Institute of Standards and Technology)

  • Identify, Protect, Detect, Respond, Recover - best practices

  • Applies to any organization

  • NIST 800-53 disegned to apply to U.S. Federal Government agencies.

• ISO/IEC 27001 (International Organization for Standardization and the International Electrotechnical Commission)

  • Information security management systems - Requirements

  • ISO/IEC 27002 - Code of practice for information security controls

• COBIT by ISACA

  • business and generic IT management focused

• CIS (Center for Information Security)

  • 18 CIS Controls for mitigate the most known cyber attacks

• CMCC (Cybersecurity Maturity Model Certification)

  • Simplifies compliance by allowing self-assessment for some requirements

  • Applies priorities for protecting Department of Defense (DoD) information

  • Reinforces cooperation between the DoD and industry in addressing evolving cyber threats

• ASD Essential 8 (Australian Signals Directorate)

Auditing

🗒️ A security Audit is an extensive evaluation of an organization’s information system, an assessment that measures the information system’s security against an audit checklist of industry best practices, governmental legislation or externally defined standards.

An audit is necessary for a compliance plan.

• Interviews on security awareness, training and practices - CISO, system administrators, employees

• Review Paperworks - how records, logs are kept

• Assessments - using automated tools to find compliance software and devices, vulnerability assessments

• As an auditor or pentester, good notes are useful for the information gathering and the final report

• Mind maps - useful and understandable by the customer

• Reports - an important part that has value to a company as a result of a penetration test

SCAP

🗒️ The SCAP (Security Content Automation Protocol) is a specification for expressing and manipulating security data in standardized ways. It uses specific standards to help organizations automate continuous monitoring, vulnerability management and security policy compliance evaluation reporting.

DISA STIG Viewer is a GUI java based program used to open content and generate checklists for managing the security settings on a system or network.

Asset Management

nmap

• General audit internal devices with an internal network scan using nmap tool to find active services and open ports

nmap 192.168.50.0/24

nmap -A 192.168.50.1,5,10
# Aggressive scan (Syn, Service, O.S, Default Scripts Scans) on specific IPs

Nessus

nessus is a network vulnerability scanning tool, hosted locally and used for Vulnerability Assessment.

• Nessus Essentials is the free version of the V.A. tool by Tenable.

  • Limited to 16 IPs for V.A.

  • Build in insights with latest vulnerabilities

  • No usage time limit

  • Report export as PDF, HTML, CSV formats

• Nessus Documentation