A Technical Audit is a comprehensive analysis and review of the security of the Information Systems from the perspective of how the internal controls work. This analysis is essential to determine whether the controls in place are adequate and effective for the organization.
To perform an effective Technical Audit it is essential that the Technical Audit team understands your physical and logical infrastructure, Network Architecture, Security Architecture, critical Network devices, critical Servers and Applications. As the Technical Audit has to be done with full knowledge of the systems in place, it is also essential to know the Operating Systems used on the desktops and servers, the applications running, details of remote access software, IOS and other Operating Systems on network and security devices, etc.
MIEL's Technical Audit process is highly customized to suit the organization's existing infrastructure, environments and scenarios; defense in depth is examined using a layering methodology. The organization's business application sits at the lowest layer and can be reached by legitimate, authorized users only after passing through the outer layers. Security is assessed at all the four layers. The layers consist of (a) Perimeter (b) Network (c) Hosts & Applications.
Perimeter
Firewall:
MIEL will test the security of the firewall systems. This ranges from mapping the firewall's rule set using firewalking techniques to analyzing the firewall system and its underlying operating system for vulnerabilities. The following are some of the tests which will be conducted on the target system:
- Firewall rule set mapping
- Firewall management interface access
- VPN/Remote access identification
- Buffer overruns
- Stress testing
VPN:
MIEL will audit the security of the VPN system. This involves verifying the configuration against the organization's security policy, and the data encryption and key exchange methods against industry best practices.
Remote Access Servers:
MIEL will audit the Remote Access Servers for the working of the Authorization, Authentication and Accounting controls as per the organization's policy. If the organization has no security policy on remote access methods, the audit will be done as per MIEL's best practices.
Proxy Server:
MIEL will audit the Proxy Server and its underlying Operating System as per the organization's security policy, and will also suggest best practices where the organization's security policy is lacking. In the absence of an organization security policy, MIEL's best practices are followed.
Network:
Router:
Routers represent the most critical part of a network's infrastructure. After compromising a router, an attacker can perform a range of attacks, from simply shutting down the whole network, to redirecting traffic flows, to harvesting passwords, etc.
Switch:
Switches are used to divide the network into different collision domains. Management of the switches is important so that unused ports cannot be used to connect PCs or other devices and gain unauthorized access. As switches limit the broadcast domain, they limit sniffing of the network. After compromising a switch, an attacker can disable many security services. Tests include:
- Telnet password guessing
- Cisco IOS level bugs
- Default accounts
Hubs and Concentrators:
Although hubs are not desirable on the network, as they do not limit the collision and broadcast domains, where the network architecture and the organization's needs require them these devices are audited as per best practices.
Wireless Access Points:
802.11 Wireless implementations raise a large number of security concerns, especially when integrated with pre-existing wired architectures. The audit is done on the use of the following:
- WEP
- WPA/RSN
- MAC Filtering
Leased lines, Radio Modems, ISDN devices and Frame relay switches:
These devices are audited for providing availability of WAN connectivity as per the existing or proposed Service Level Agreements.
Hosts / Applications
Application Server:
Application servers are crucial to the organization. The audit assesses the working of the controls required by the organization's security policy. In the absence of any security policy, the following are looked into as a measure of best practice:
- User Management
- Default accounts with default passwords
- Passwords stored in encrypted format
- Password change frequency
- Reusing old passwords
- Roles/Privileges assigned to users
Authentication:
- Access and authentication mechanism
- Third party authentication software
- Change management
- File permissions
- File ownership
- ACL defined on reports generated by application
- Backup
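One way to turn the application-server checklist above into a repeatable check: an added example (not MIEL's code) that audits a constructed user-account export for default accounts on default passwords, passwords stored in plain text, password age, reuse from history and unapproved administrative roles. The field names, thresholds, default-credential list and sample export are all assumptions for illustration.

```python
from datetime import date
import hashlib

# Assumed policy thresholds and default-credential list (illustrative, not from the page).
MAX_PASSWORD_AGE_DAYS = 90
PASSWORD_HISTORY_DEPTH = 5
DEFAULT_ACCOUNTS = {"admin": "admin", "guest": "guest", "test": "test"}

def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()

def audit_accounts(accounts, today):
    """Return (username, finding) pairs for accounts that fail the checklist.
    Each account's password field is 'plain:<pw>' or 'sha256:<hex>' in this constructed export."""
    findings = []
    for acct in accounts:
        name = acct["username"]
        scheme, _, value = acct["password"].partition(":")
        if scheme == "plain":                       # passwords must not be stored readable
            findings.append((name, "password stored in plain text"))
        if name in DEFAULT_ACCOUNTS:                # default account still on its default password?
            default_pw = DEFAULT_ACCOUNTS[name]
            if value == (default_pw if scheme == "plain" else sha256_hex(default_pw)):
                findings.append((name, "default account still uses default password"))
        age = (today - date.fromisoformat(acct["last_changed"])).days
        if age > MAX_PASSWORD_AGE_DAYS:             # password change frequency
            findings.append((name, f"password older than {MAX_PASSWORD_AGE_DAYS} days"))
        recent = acct.get("history", [])[-PASSWORD_HISTORY_DEPTH:]
        if scheme == "sha256" and value in recent:  # reuse of old passwords
            findings.append((name, "current password reused from history"))
        if "admin" in acct.get("roles", []) and not acct.get("admin_approved", False):
            findings.append((name, "administrative role without recorded approval"))
    return findings

# Constructed sample export (not real accounts) exercising each check.
SAMPLE_EXPORT = [
    {"username": "admin", "password": "sha256:" + sha256_hex("admin"), "last_changed": "2024-01-05",
     "history": [], "roles": ["admin"], "admin_approved": True},
    {"username": "alice", "password": "plain:Summer2024", "last_changed": "2024-06-01",
     "history": [], "roles": ["user"]},
    {"username": "bob", "password": "sha256:" + sha256_hex("Bob!2024"), "last_changed": "2024-06-15",
     "history": [sha256_hex("Bob!2024")], "roles": ["user", "admin"]},
]

def run_sample():
    """Audit the constructed export as of a fixed date so results are reproducible."""
    return audit_accounts(SAMPLE_EXPORT, date(2024, 7, 1))
```

On the sample, `run_sample()` reports five findings: two for admin (default password, stale password), one for alice (plain-text storage) and two for bob (reused password, unapproved admin role).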
Web-server:
A complete assessment of the systems used to provide web-services. This will include assessment of the security of the base operating system as well as the actual server application.
- Server misconfiguration
- Default installation, sample files, manuals etc.
- Server administration interface
- CGI insecurities
- Insecure mappings
- Buffer overrun conditions
- Directory traversal
- URL encoding
- Access through insecure methods
Web-application:
This ties in with the module above, but is a complete approach to auditing any dynamic application running on the website (shopping cart, e-commerce portal, login systems etc.). The application will be tested for logical and programming errors that can be used to make the web-application do something it is not allowed to do. Tests for SQL injection, Cross-site scripting and session-hijacking vulnerabilities will be performed. This is a specialized area of testing as each web-application is different. The following are some of the tests which will be conducted on the target application:
- Source code crawling for information
- Hidden form values
- Weak session state management
- Cookie theft
- SQL injection
- Cross-site scripting
- Information leakage
- Input validation errors
- Broken access control
- Error handling mechanism insecurities
Mail Server:
All IT enabled companies are tremendously dependent on email as a productivity application. The email server represents a single point of failure for most company communications. With this in mind, emphasis will be placed on testing the email infrastructure (SMTP, POP, IMAP) for known vulnerabilities, misconfigurations, denial-of-service attacks etc. The following are some of the tests which will be conducted on the target server:
- Information leakage (EXPN, VRFY)
- Web interface for accessing Outlook
- Relay checks
- Mail header parsing errors
- Buffer overrun conditions
DNS Server:
The DNS service provides critical functionality to the organization to resolve names both externally and internally. By crippling the DNS server an attacker can render most company infrastructure useless. Furthermore, DNS servers can be controlled to give out information of the attacker's choosing, allowing the attacker to hijack any outbound web request, email etc. by pointing the DNS server to a system he controls. The following are some of the tests which will be conducted on the target server:
Database Server Security:
Securing the database is crucial to any organization. The technical audit is done on the database servers for default configurations, default passwords, known attacks and other vulnerabilities. MIEL uses well known and highly reliable tools in addition to in-house tools for auditing the databases.
Application Security Testing
One often finds vendors of so-called application security services merely running applications through a set of black-box audit tools or source-code auditing programs. This is not the way to find anything but the most trivial vulnerabilities.
Since each application is different, the only way to ensure thorough testing is to adopt a customized approach to assessing its security. This process can never be automated. What is required is an in-depth understanding of the business case and functionality of the application. Armed with this, MIEL technical consultants discover vulnerabilities that actually affect your business. It is also essential that the testers adopt a standardized methodology.
MIEL follows international standards such as OSSTMM (Open Source Security Testing Methodology Manual) or OWASP (Open Web Application Security Project) guidelines. To provide additional value, the vulnerabilities are mapped against your organization's security policy, or alternatively against security standards such as BS 7799 and ISO 17799.
There are three basic approaches to application security testing:
- Black-box testing: Testing an application without access to the source code.
- Grey-box testing: The approach is similar to black-box testing, however the attack team is given the same privileges as a 'normal' user of the application.
- White-box testing: Often called a 'code-review' exercise, the application security team is given full access to the source code of the application.
- Grey-box testing & selective code-review: Here a grey-box audit of the application is conducted and areas of the application that reveal security concerns undergo a code review.
Wireless Security Audit
Computer Forensics
MIEL uses the latest technology and techniques to provide cutting edge services such as computer forensics and technology related investigations. We also provide expert testimony in the areas of: computers, computer forensics, online services, the Internet, electronic surveillance, and child exploitation.
MIEL's Forensic Services include:
Desktop Audit