Internal (Local) Audit
Internal security audits are performed by a team of professionals connected to the local networks of a company or organisation. They aim to assess the opportunities for and risks of attacks and other malicious behaviour originating from within the audited infrastructure, and to recommend the necessary fixes and appropriate countermeasures to reduce such risks. These audits are especially critical for companies and organisations that
- have massive, difficult to monitor and control network infrastructure with plentiful users
- need to enforce strong data and systems access restrictions between different departments and/or project teams
- frequently rotate staff and have many part-time employees
- provide guests, contractors or customers any access to their internal networks
- prefer to host websites and other public services within their infrastructure and not in specialised third party data centres
- suspect discontent, disloyalty, serious conflicts of interests and tense relationships among employees
- have previous history of internal information security incidents
Internal security audit objectives include:
- Identifying the different risks presented by internal attackers of all kinds
- Discovering user misbehaviour and other security policies violations
- Verifying the strength of internal information security processes and controls
- Eliminating lateral and side channel attack opportunities against your company or organisation
- Assessing the protection level and correctness of the whole IT infrastructure design and configuration
- Suggesting appropriate remedies and fixes for all security and quality of service problems discovered
According to published statistics collected by industry, independent and governmental bodies around the world, successful internal attacks constitute more than two thirds of serious information security incidents that cause serious damage to the affected businesses and organisations. In many cases internal attackers are driven by strong psychological motivations to misbehave, such as envy, unsatisfied ambitions or revenge. They already have a certain, often quite high, level of access to corporate systems and data, know what they want, and are positioned behind the protected network perimeter. However, it is not only disgruntled, disloyal, upset, overly curious, unreasonably greedy or overambitious employees who can launch devastating attacks from within. External attackers who have somehow managed to penetrate the perimeter and gain a foothold inside, wireless hackers, trespassers on your physical premises and industrial spies are further examples of internal attackers one should be aware of. To halt them, multilayered defences in depth spanning the whole IT infrastructure, not just the external entry points, must be properly deployed, maintained and regularly tested.
Just like other security audit types, internal security audits are split into reconnaissance and vulnerability discovery and analysis phases. The principal difference between internal and external audits is that auditors plugged into local networks have access to all traffic carried by these networks. Testing the security of data streams and network protocols is a separate, highly specific field that requires different skills, knowledge and instruments compared to external security assessments. Risk and attacker proficiency level evaluation scales, as well as the audit reporting formats, also have to take these differences into account.
Internal security audits often uncover disturbing architectural deficiencies in the tested networks, misconfigurations of the deployed infrastructure appliances, unauthorised covert channels, various acceptable use policy violations and other forms of user misconduct. Discovering obsolete and unpatched services and systems is commonplace. While such weak spots are usually inaccessible across a secure network perimeter, they easily fall prey to internal attackers of all kinds, including outside hackers who employ lateral approaches (social engineering, wireless attacks, attacks against connected trusted remote systems and out-of-band channels) to get through. They will also be exposed and abused if the perimeter defences are accidentally or intentionally lifted during upgrade, reconfiguration, troubleshooting or hardware replacement procedures.
Apart from a variety of network, system and service-centric tests, complete internal security audits must include assessments of other crucial information security elements. These can cover checking boot-up and screensaver protection, the safety of passwords and authentication tokens, the security of USB ports and the use of mobile storage devices, and physical security verification. The latter includes reviewing CCTV and other monitoring means, alarms, entry controls and the physical operating environments of premises where sensitive data are stored and crucial servers and network appliances are operating.
- "Shaky Border".
A major financial company's information security policy stated that top management traffic should be completely separated from the rest of the network data. In practice, this was implemented by placing all top management workstations and laptops on a specific restricted-access VLAN out of reach of the rest of the employees. In the course of an internal security assessment our consultants uncovered architecture and configuration flaws that allowed them to intercept sensitive data from that VLAN while staying connected to a different network segment as an ordinary member of staff. The discovered problems were resolved by altering the network infrastructure and connecting all senior managers' computers to separate physical switches.
- "Pirates Among Us".
While performing an internal security assessment for a large retailer, unauthorised traffic streams were detected and traced to one of the production servers, on which a suspicious web service bound to a high port was running. That service was identified as hosting a password-protected site, accessible from several external IP addresses only. A man-in-the-middle attack was employed to capture login credentials for this site. Upon login, large volumes of illicit media content and pirated software were discovered and quarantined. An incident response procedure was initiated. As an outcome of the internal investigation, one of the system administrators was found to be responsible and was fired immediately.
- "Fatal Backup".
A large investment management company ordered an internal assessment to examine the security architecture of its networks after a recent merger. Shortly after the start of testing, a database holding sensitive information about the company's clients was identified and verified to be well protected against database-centric and other attacks. However, the same could not be said about the database backup server. Our consultants managed to obtain administrative access to this server and retrieve all the data stored as backups. As a result, access was gained to business-sensitive information including personal details of clients and employees, e-mail archives and other corporate documents. After the audit a more secure backup solution was suggested and implemented.