IT Auditing Fundamentals – Theoretical to Practical

Information security is a vast field that attracts broad interest; there are many penetration testers and ethical hackers offering their services for network and web application testing. IT auditing is an essential part of today's networks: whether a network is small (a LAN) or large, it requires auditing.

IT auditing does not directly mirror penetration testing and vulnerability assessment, because there are multiple types of audit; which one applies depends on the objectives and goals. An organization uses IT auditing to control the flow of information, to find network weaknesses, to review policies, backup procedures and patching, and to ensure the protection of user and customer information. As said earlier, it all depends on the goal.
Generally, an IT audit means identifying the hardware and software associated with the network. For example, IT auditing can be used to track:
  • Partitions
  • Sound cards, video cards, LAN cards and other hardware
  • System components
  • Installed software (including the OS)
  • Security settings
A quick example of an IT audit result can be seen in the picture below.

Auditing Network Security

Since security is an important part of an IT audit, how does an auditor perform a network security test? Information gathering is the first step: gather as much information about the network as possible.
  • What does the network actually consist of?
  • What is the network topology?
  • How many devices are connected to the network?
  • How many hosts are alive?
  • What are the weaknesses of the network?
  • Which operating system runs on most of the hosts?
  • Is patch management working?
  • How could the network's security be broken?
  • How could a host be exploited to gain access to the network?

These are the main questions of network security auditing, and an auditor is expected to give detailed answers to them.
Tools are an essential component of any test, network security auditing included, and both open source and commercial tools are available for the purpose. Nmap, Openaudit and Nessus are the best tools for it.
Network Mapper (Nmap) is the best tool for multiple purposes; it is basically a network scanner and port scanner utility, but in this tutorial we will use it for auditing network security. Nmap is a command line tool, and Zenmap is its GUI.

Let's start with the first phase: what is the network? Topology, number of hosts, live hosts, open ports, services and more can all be found using Nmap.

In the Target box, enter the IP of the target. For an audit I want to scan the whole network, which is why I entered a class C subnet. Intense scan is the well-known profile and gives you a complete picture of the network; if you only want a ping sweep you can choose that instead, and if you want Nmap to scan specific ports, choose "Intense scan, all TCP ports" and then define the port range.

By looking at the result you can identify the live hosts and the open ports; we can even see the topology, as the picture below shows.

This important view gives you all the information about any host, including the operating system, IP address, MAC address, open ports, operating system class, uptime, last boot time and much more.

After this quick scan an auditor has a great deal of information about the network, and in my view, the more information you have, the better the chance of success. The next step is to find the weaknesses (vulnerabilities) that could allow the network to be exploited.
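As an added example (not from the original article), the following Python parses the XML that Nmap writes with -oX, the same data Zenmap records, and turns it into the host inventory an auditor needs: live hosts, MAC, OS guess, uptime and open ports. The XML is a constructed excerpt in Nmap's real schema with made-up addresses.

```python
"""Audit inventory from Nmap XML output (nmap -oX, the data Zenmap records).
Added example, not from the original article; the XML is a constructed
excerpt in Nmap's real schema with made-up addresses."""
import xml.etree.ElementTree as ET
from collections import Counter

SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -T4 -A -v 192.168.1.0/24">
<host><status state="up" reason="arp-response"/>
 <address addr="192.168.1.10" addrtype="ipv4"/><address addr="00:11:22:33:44:55" addrtype="mac"/>
 <ports><port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
   <service name="ssh" product="OpenSSH" version="8.9"/></port>
  <port protocol="tcp" portid="445"><state state="filtered" reason="no-response"/></port></ports>
 <os><osmatch name="Linux 5.X" accuracy="95"/></os><uptime seconds="86400"/></host>
<host><status state="up" reason="syn-ack"/><address addr="192.168.1.20" addrtype="ipv4"/>
 <ports><port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
   <service name="http" product="Apache httpd" version="2.4.57"/></port>
  <port protocol="tcp" portid="3389"><state state="open" reason="syn-ack"/>
   <service name="ms-wbt-server"/></port></ports>
 <os><osmatch name="Microsoft Windows Server 2019" accuracy="90"/></os></host>
<host><status state="down" reason="no-response"/><address addr="192.168.1.30" addrtype="ipv4"/></host>
</nmaprun>"""


def parse_inventory(xml_text):
    """One record per live host: IP, MAC, OS guess, uptime and open ports."""
    hosts = []
    for host in ET.fromstring(xml_text).iter("host"):
        if host.find("status").get("state") != "up":
            continue  # down hosts carry nothing to inventory
        addrs = {a.get("addrtype"): a.get("addr") for a in host.findall("address")}
        osm, up = host.find("os/osmatch"), host.find("uptime")
        open_ports = []
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue  # filtered/closed ports are not exposed services
            svc = port.find("service")
            name = svc.get("name") if svc is not None else "unknown"
            product = " ".join(v for v in (svc.get("product"), svc.get("version")) if v) if svc is not None else ""
            open_ports.append({"port": int(port.get("portid")), "service": name, "product": product})
        hosts.append({"ip": addrs.get("ipv4"), "mac": addrs.get("mac"),
                      "os": osm.get("name") if osm is not None else "unknown",
                      "uptime_s": int(up.get("seconds")) if up is not None else None,
                      "open_ports": open_ports})
    return hosts


def os_summary(hosts):
    """Live hosts per OS guess, answering 'which OS runs on most hosts?'."""
    return Counter(h["os"] for h in hosts)
```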

Vulnerability Assessment

This is another important step in network security auditing: vulnerability assessment is the process of finding vulnerabilities on a system or network. Different kinds of vulnerability can be found on a system, broadly high risk and low risk. The high risk vulnerabilities usually include:
  • Buffer overflows
  • Default passwords
  • Known back-doors
  • Poor configuration or misconfiguration
  • Outdated software

Seen from a hacker's or attacker's perspective, these vulnerabilities can lead to a network being compromised, so a network security auditor is responsible for finding the vulnerabilities and recommending (technical) fixes for them.

Different vulnerability scanners are available, both open source and commercial. Note that some vulnerability scanners target web applications, but in this article our focus is network vulnerability scanners. Nessus, OpenVAS and the Retina vulnerability scanner and management suite are wonderful tools for this purpose. Before going to the practical side, I want to introduce the false positive result.

A false positive is an incorrect result: the software reports a vulnerability that does not actually exist. If you think false positives do not matter, you are wrong; they cost you time, since every one has to be checked by hand. Keep false positive rates in mind before choosing software for vulnerability assessment.

In this article we will discuss Nessus and use it as our vulnerability scanner and assessment tool. Nessus is a very powerful tool that can be used for multiple purposes, from network vulnerability scanning to web vulnerability scanning. It can be used for:
  • Vulnerability scanning
  • Vulnerability management
  • Configuration auditing
  • Log management
  • Network discovery

So why Nessus, and what can Nessus do for us? When it comes to passive scanning, it is a tool to find:
  • SSL certificate
  • Host file detection
  • Host services detection
  • Open port detection
  • Vulnerability detection (It suggests the solution too)
  • Internal IP address detection
  • VPN detection
  • Firewall, IDS and IPS detection
  • Proxy detection
  • Real time DNS traffic
  • Real time web traffic
  • And more

For detection purposes the real weapon of Nessus is the SYN packet: every operating system handles SYN packets in its own way, so by using SYN packets Nessus discovers hosts and services. As basic DoS theory tells us, SYN packets can also be used for SYN flooding, so an auditor must take care with this aspect of vulnerability assessment: your test must not end up counting as a denial of service attack against the network.

The vulnerability references used by the Nessus vulnerability scanner are CVE (Common Vulnerabilities and Exposures) and CPE (Common Platform Enumeration). Besides auditing and analyzing hosts, ports, services and vulnerabilities, Nessus can be used to monitor real time activities such as:
  • DNS (DNS lookup analysis)
  • Facebook (log in/log out, user ID analysis)
  • SMTP (source and sink of an email)
  • SMB
  • Twitter (log in/log out and other activity analysis)
  • Databases (SQL, Oracle and other database analysis)
  • And more
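As an added example (not from the original article), covering both the high/low risk split and the false positive point made earlier, this Python reads a Nessus export (.nessus XML, the NessusClientData_v2 format), pulls out the CVE and CPE references of each finding, and sorts findings into risk buckets while setting aside findings an auditor has re-checked and confirmed as false positives. The XML is a constructed excerpt in that layout; the plugin IDs and CVE ids in it are placeholders, not real identifiers.

```python
"""Triage a Nessus export (.nessus XML, NessusClientData_v2) into the high- and
low-risk buckets described above and set aside verified false positives.
Added example, not from the original article. The XML is a constructed excerpt
in the real .nessus layout; plugin IDs and CVE ids are PLACEHOLDERS."""
import xml.etree.ElementTree as ET

SAMPLE_NESSUS = """<NessusClientData_v2><Report name="lan-audit"><ReportHost name="192.168.1.10">
<ReportItem port="22" protocol="tcp" svc_name="ssh" pluginID="900001" severity="3" pluginName="Outdated SSH server (placeholder)">
 <risk_factor>High</risk_factor><cve>CVE-0000-0001</cve><cpe>cpe:/a:example:sshd:8.9</cpe></ReportItem>
<ReportItem port="0" protocol="tcp" svc_name="general" pluginID="900002" severity="0" pluginName="OS identification">
 <risk_factor>None</risk_factor></ReportItem></ReportHost>
<ReportHost name="192.168.1.20">
<ReportItem port="80" protocol="tcp" svc_name="www" pluginID="900003" severity="2" pluginName="Web server default page">
 <risk_factor>Medium</risk_factor></ReportItem>
<ReportItem port="445" protocol="tcp" svc_name="cifs" pluginID="900004" severity="4" pluginName="SMB default credentials (placeholder)">
 <risk_factor>Critical</risk_factor><cve>CVE-0000-0002</cve></ReportItem>
</ReportHost></Report></NessusClientData_v2>"""

# Findings re-checked by hand and confirmed false positive, keyed (host, pluginID, port); constructed.
VERIFIED_FALSE_POSITIVES = {("192.168.1.20", "900003", "80")}


def parse_findings(xml_text):
    """Flatten every ReportItem into a dict; severity 0-4 is Nessus' own scale."""
    findings = []
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        for item in host.findall("ReportItem"):
            findings.append({
                "host": host.get("name"), "port": item.get("port"),
                "plugin_id": item.get("pluginID"), "name": item.get("pluginName"),
                "severity": int(item.get("severity")),
                "cves": [c.text for c in item.findall("cve")],
                "cpes": [c.text for c in item.findall("cpe")],
            })
    return findings


def triage(findings, false_positives):
    """Bucket by Nessus severity: high risk (3-4), low risk (1-2), informational (0),
    after setting aside findings the auditor has verified as false positives."""
    buckets = {"high": [], "low": [], "info": [], "suppressed": []}
    for f in findings:
        if (f["host"], f["plugin_id"], f["port"]) in false_positives:
            buckets["suppressed"].append(f)  # keep them: suppressions are audit evidence too
        elif f["severity"] >= 3:
            buckets["high"].append(f)
        else:
            buckets["low" if f["severity"] else "info"].append(f)
    return buckets
```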

Continuous or real time monitoring reduces the need for active scanning, so economically it is a good process and highly recommended. Active scanning means running operations or tests across the whole network, from the physical layer to the application layer; it takes time, money and human effort (more engineers are required), it may slow down the network, and if the test is not performed carefully there is a chance of a denial of service.

We have discussed most of the theoretical, economical and technical sides of this test, but before going to an example I want to point out an important part of the picture. Suppose a network security auditor or penetration tester is going to conduct a test on a large enterprise network: these networks usually have web application servers, or some of the applications may be web-enabled. In that case, monitoring web server security is also a necessary part of the job, since web applications are the most common victims. That is why I chose Nessus for vulnerability assessment: it provides an effective platform for testing web applications as well as the network.

Nessus is designed to check each and every port of a web application and other services, even when it is an uncommon port. Its in-depth analysis of web applications provides:
  • Analysis of HTTP and HTTPS services
  • Analysis of all the websites hosted on a server
  • Analysis of SSL certificates, their expiry and more
  • Analysis of content for insecure JavaScript that can lead to code injection attacks
The second part of this series will be published!