Auditing Fundamentals

⚡ Prerequisites
Basic networks concepts
📕 Learning Objectives
Describe cyber security and explain cyber maturity
Identify common frameworks and governing regulations
Perform network auditing
❗ Authorization is required to conduct systems auditing. ❗

Cybersecurity Basics

🗒️ Cybersecurity, or Information Technology Security, is the process of protecting systems, networks, programs, devices and data by preventing, detecting and responding to digital attacks. It aims to lower the risk of cyberattack and protect against the unauthorized and improper use of the involved technology.

Protected information can be:

PII (Personally Identifiable Information)
Healthcare Information
Financial Data
Intellectual Property
Business Secrets
Business Operations

Data must be secured from:

Criminals
Competitors
Insider Threats
Malicious Actors

CIA Triad

🗒️ The CIA Triad (Confidentiality, Integrity and Availability) is a guiding model used to describe information security, also useful for managing the products and data of research.

Policies and security controls that reduce threats to these three vital components are a part of a comprehensive information security plan and are balanced to meet business needs.

CIA Triad

Description

Confidentiality

Protecting information from unauthorized access, allowing only authorized users to access certain data

Integrity

Data is trustworthy, complete, accurate and have not been accidentally altered or modified by an unauthorized user. Data can be retrieved in the future without changes

Availability

Data is accessible when needed

Defense in Depth

🗒️ The Defense-in-Depth is a strategy that uses multiple layers of security protection and helps reducing vulnerabilities, containing threats and mitigating risks.

Depending on what and how an organization need to secure, the strategy have to be shaped, considering a risk management plan.

🗒️ Risk Management is the process of identifying, assessing and controlling financial, legal, strategic and security risks to an organization’s capital and earnings. It plays the ultimate factor in an organization.

Compliance

🗒️ Cybersecurity Compliance involves meeting various controls to protect the confidentiality, integrity, and availability of data.

Compliance requirements (usually established by a regulatory authority, law or industry group) typically involve using an array of specific organizational processes and technologies to safeguard data. Controls come from a variety of Cybersecurity frameworks and regulations, such as:

- mandated by card brands, created to increase controls around cardholder data
- reduce card fraud
- Data protection and privacy law in the EU (European Union) and EEA (European Economic Area)
- United States regulations for the use and disclosure of PHI (Protected Health Information)
- Administrative, physical, technical safeguards
- enhance privacy rights and consumer protection for California (USA) residents

Frameworks and Maturity

- Identify, Protect, Detect, Respond, Recover - best practices
- Applies to any organization
- Information security management systems - Requirements
- business and generic IT management focused
- 18 CIS Controls for mitigate the most known cyber attacks
- Simplifies compliance by allowing self-assessment for some requirements
- Applies priorities for protecting Department of Defense (DoD) information
- Reinforces cooperation between the DoD and industry in addressing evolving cyber threats

Auditing

🗒️ A security Audit is an extensive evaluation of an organization’s information system, an assessment that measures the information system’s security against an audit checklist of industry best practices, governmental legislation or externally defined standards.

An audit is necessary for a compliance plan.

Interviews on security awareness, training and practices - CISO, system administrators, employees
Review Paperworks - how records, logs are kept
Assessments - using automated tools to find compliance software and devices, vulnerability assessments
As an auditor or pentester, good notes are useful for the information gathering and the final report
Mind maps - useful and understandable by the customer
Reports - an important part that has value to a company as a result of a penetration test

SCAP

Asset Management

General audit internal devices with an internal network scan using nmap tool to find active services and open ports

nmap 192.168.50.0/24

nmap -A 192.168.50.1,5,10
# Aggressive scan (Syn, Service, O.S, Default Scripts Scans) on specific IPs

nessus is a network vulnerability scanning tool, hosted locally and used for Vulnerability Assessment.

- Limited to 16 IPs for V.A.
- Build in insights with latest vulnerabilities
- No usage time limit
- Report export as PDF, HTML, CSV formats

PreviousVulnerability Assessment Next📒2. Host & Network Penetration Testing

Last updated 2 years ago

Was this helpful?

Auditing Fundamentals

⚡ Prerequisites
Basic networks concepts
📕 Learning Objectives
Describe cyber security and explain cyber maturity
Identify common frameworks and governing regulations
Perform network auditing
❗ Authorization is required to conduct systems auditing. ❗

Cybersecurity Basics

Protected information can be:

PII (Personally Identifiable Information)
Healthcare Information
Financial Data
Intellectual Property
Business Secrets
Business Operations

Data must be secured from:

Criminals
Competitors
Insider Threats
Malicious Actors

CIA Triad

🗒️ The CIA Triad (Confidentiality, Integrity and Availability) is a guiding model used to describe information security, also useful for managing the products and data of research.

Policies and security controls that reduce threats to these three vital components are a part of a comprehensive information security plan and are balanced to meet business needs.

CIA Triad

Description

Confidentiality

Protecting information from unauthorized access, allowing only authorized users to access certain data

Integrity

Data is trustworthy, complete, accurate and have not been accidentally altered or modified by an unauthorized user. Data can be retrieved in the future without changes

Availability

Data is accessible when needed

Defense in Depth

🗒️ The Defense-in-Depth is a strategy that uses multiple layers of security protection and helps reducing vulnerabilities, containing threats and mitigating risks.

Depending on what and how an organization need to secure, the strategy have to be shaped, considering a risk management plan.

Compliance

🗒️ Cybersecurity Compliance involves meeting various controls to protect the confidentiality, integrity, and availability of data.

(Payment Card Industry Data Security Standard )
- mandated by card brands, created to increase controls around cardholder data
- reduce card fraud
(General Data Protection Regulation)
- Data protection and privacy law in the EU (European Union) and EEA (European Economic Area)
(Health Insurance Portability and Accountability Act)
- United States regulations for the use and disclosure of PHI (Protected Health Information)
- Administrative, physical, technical safeguards
(California Consumer Privacy Act.)
- enhance privacy rights and consumer protection for California (USA) residents

📖

Frameworks and Maturity

🗒️ are sets of controls that represents a fully functional cybersecurity program when met.

(National Institute of Standards and Technology)
- Identify, Protect, Detect, Respond, Recover - best practices
- Applies to any organization
- disegned to apply to U.S. Federal Government agencies.
(International Organization for Standardization and the International Electrotechnical Commission)
- Information security management systems - Requirements
- - Code of practice for information security controls
- business and generic IT management focused
(Center for Information Security)
- 18 CIS Controls for mitigate the most known cyber attacks
(Cybersecurity Maturity Model Certification)
- Simplifies compliance by allowing self-assessment for some requirements
- Applies priorities for protecting Department of Defense (DoD) information
- Reinforces cooperation between the DoD and industry in addressing evolving cyber threats
(Australian Signals Directorate)

Auditing

An audit is necessary for a compliance plan.

Interviews on security awareness, training and practices - CISO, system administrators, employees
Review Paperworks - how records, logs are kept
Assessments - using automated tools to find compliance software and devices, vulnerability assessments
As an auditor or pentester, good notes are useful for the information gathering and the final report
Mind maps - useful and understandable by the customer
Reports - an important part that has value to a company as a result of a penetration test

SCAP

🗒️ The (Security Content Automation Protocol) is a specification for expressing and manipulating security data in standardized ways. It uses specific standards to help organizations automate continuous monitoring, vulnerability management and security policy compliance evaluation reporting.

DISA is a GUI java based program used to open content and generate checklists for managing the security settings on a system or network.

Asset Management

General audit internal devices with an internal network scan using nmap tool to find active services and open ports

nmap 192.168.50.0/24

nmap -A 192.168.50.1,5,10
# Aggressive scan (Syn, Service, O.S, Default Scripts Scans) on specific IPs

nessus is a network vulnerability scanning tool, hosted locally and used for Vulnerability Assessment.

Nessus Essentials is the free version of the V.A. tool by .
- Limited to 16 IPs for V.A.
- Build in insights with latest vulnerabilities
- No usage time limit
- Report export as PDF, HTML, CSV formats

PreviousVulnerability Assessment Next📒2. Host & Network Penetration Testing

Last updated 2 years ago

Was this helpful?