Auditing Fundamentals
⚡ Prerequisites
Basic networks concepts
📕 Learning Objectives
Describe cyber security and explain cyber maturity
Identify common frameworks and governing regulations
Perform network auditing
❗ Authorization is required to conduct systems auditing. ❗
Cybersecurity Basics
🗒️ Cybersecurity, or Information Technology Security, is the process of protecting systems, networks, programs, devices and data by preventing, detecting and responding to digital attacks. It aims to lower the risk of cyberattack and protect against the unauthorized and improper use of the involved technology.
Protected information can be:
PII (Personally Identifiable Information)
Healthcare Information
Financial Data
Intellectual Property
Business Secrets
Business Operations
Data must be secured from:
Criminals
Competitors
Insider Threats
Malicious Actors
CIA Triad
🗒️ The CIA Triad (Confidentiality, Integrity and Availability) is a guiding model used to describe information security, also useful for managing the products and data of research.
Policies and security controls that reduce threats to these three vital components are a part of a comprehensive information security plan and are balanced to meet business needs.
| CIA Triad | Description |
|---|---|
Confidentiality | Protecting information from unauthorized access, allowing only authorized users to access certain data |
Integrity | Data is trustworthy, complete, accurate and have not been accidentally altered or modified by an unauthorized user. Data can be retrieved in the future without changes |
Availability | Data is accessible when needed |
Defense in Depth
🗒️ The Defense-in-Depth is a strategy that uses multiple layers of security protection and helps reducing vulnerabilities, containing threats and mitigating risks.
Depending on what and how an organization need to secure, the strategy have to be shaped, considering a risk management plan.
🗒️ Risk Management is the process of identifying, assessing and controlling financial, legal, strategic and security risks to an organization’s capital and earnings. It plays the ultimate factor in an organization.
Compliance
🗒️ Cybersecurity Compliance involves meeting various controls to protect the confidentiality, integrity, and availability of data.
Compliance requirements (usually established by a regulatory authority, law or industry group) typically involve using an array of specific organizational processes and technologies to safeguard data. Controls come from a variety of Cybersecurity frameworks and regulations, such as:
PCI DSS (Payment Card Industry Data Security Standard )
mandated by card brands, created to increase controls around cardholder data
reduce card fraud
GDPR (General Data Protection Regulation)
Data protection and privacy law in the EU (European Union) and EEA (European Economic Area)
HIPAA (Health Insurance Portability and Accountability Act)
United States regulations for the use and disclosure of PHI (Protected Health Information)
Administrative, physical, technical safeguards
CPPA (California Consumer Privacy Act.)
enhance privacy rights and consumer protection for California (USA) residents
📖 Cybersecurity Compliance: A Comprehensive Guide - Celerium
Frameworks and Maturity
🗒️ Cybersecurity Frameworks are sets of controls that represents a fully functional cybersecurity program when met.
NIST Cybersecurity Framework (National Institute of Standards and Technology)
Identify, Protect, Detect, Respond, Recover - best practices
Applies to any organization
NIST 800-53 disegned to apply to U.S. Federal Government agencies.
ISO/IEC 27001 (International Organization for Standardization and the International Electrotechnical Commission)
Information security management systems - Requirements
ISO/IEC 27002 - Code of practice for information security controls
business and generic IT management focused
CIS (Center for Information Security)
18 CIS Controls for mitigate the most known cyber attacks
CMCC (Cybersecurity Maturity Model Certification)
Simplifies compliance by allowing self-assessment for some requirements
Applies priorities for protecting Department of Defense (DoD) information
Reinforces cooperation between the DoD and industry in addressing evolving cyber threats
ASD Essential 8 (Australian Signals Directorate)
Auditing
🗒️ A security Audit is an extensive evaluation of an organization’s information system, an assessment that measures the information system’s security against an audit checklist of industry best practices, governmental legislation or externally defined standards.
An audit is necessary for a compliance plan.
Interviews on security awareness, training and practices - CISO, system administrators, employees
Review Paperworks - how records, logs are kept
Assessments - using automated tools to find compliance software and devices, vulnerability assessments
As an auditor or pentester, good notes are useful for the information gathering and the final report
Mind maps - useful and understandable by the customer
Reports - an important part that has value to a company as a result of a penetration test
SCAP
🗒️ The SCAP (Security Content Automation Protocol) is a specification for expressing and manipulating security data in standardized ways. It uses specific standards to help organizations automate continuous monitoring, vulnerability management and security policy compliance evaluation reporting.
DISA STIG Viewer is a GUI java based program used to open content and generate checklists for managing the security settings on a system or network.
Asset Management
General audit internal devices with an internal network scan using
nmaptool to find active services and open ports
nessus is a network vulnerability scanning tool, hosted locally and used for Vulnerability Assessment.
Nessus Essentialsis the free version of the V.A. tool by Tenable.Limited to 16 IPs for V.A.
Build in insights with latest vulnerabilities
No usage time limit
Report export as PDF, HTML, CSV formats
Last updated
