Automating system security audits

Johannesburg, 16 Jun 2004

New regulations and a plague of information-security threats are forcing organisations to ensure the security of their computer systems and networks. To deal with these pressures, organisations are performing system security audits to make sure their systems comply with corporate security policies and avoid common vulnerabilities.

These audits are important because incorrectly configured systems - including software patch levels, permissions for using system files, and user rights - cause most common security problems. Sometimes these problems are the result of undesirable activity, but most often simple human error is to blame.

According to IDXOnline Enterprise Solutions business manager Bruce Bean, a new generation of system security policy-management tools completely automates system security audits throughout an organisation. "These tools allow auditors, security managers, and system administrators to view and report on the system configurations of a large number of systems based on the organisation's security policy."

"It is critical that organisations perform security audits using the most accurate method possible to determine the organisation's security risk levels and identify specific areas for remediation. In the past, auditors and system administrators performed these reviews by going to each computer and running specific tests one at a time," he explains.

Bean says the manual approach was slow and often inaccurate. "Later, centralised security management tools and customised scripts and programs automated some of the audit process, but these could be inefficient and inaccurate, as well."

Security policy-management products greatly improve the quality of audits. For example, they tell an administrator the value of an operating system setting that controls the minimum password length. They also compare a system's configuration against a policy template and notify the administrator if the machine is out of compliance. In some cases, policy-management tools allow an administrator to set the value needed to bring the system back into compliance.

More importantly from an auditing standpoint, security policy management tools enhance an auditor's ability to collect, manage, and report this configuration data for a large number of machines - all from a central console. The tools allow auditors to obtain reports containing all of the details required for an audit.

Rather than ploughing through numerous screen shots and configuration files provided by system administrators, auditors can simply sit down at their own computer, bring up an application, activate a scan, and generate a clean, easy-to-read report that is formatted with the exact information they require. Even better, these reports can identify exactly where settings, values, and permissions meet - and don't meet - policy requirements.

Moreover, automation provides a greater return on investment. Audits are much faster and easier to perform, reducing the cost and resources required. They can occur more frequently, ensuring that systems maintain the highest-possible level of compliance with corporate policy. Audit results are more predictable and measurable because there is a consistent method of collecting and reporting data.

In addition, automating data collection and reporting ensures that audits are thorough and complete. Auditors can give internal and external clients a complete picture of the organisation's security compliance, rather than just indicating the status of the most critical assets they obtained during a spot check.

A security audit using security policy-management tools involves four steps:

* Choosing or setting up a policy. Many tools are preconfigured with industry-standard, best-practice templates to help organisations develop a policy. Many organisations appoint a committee consisting of IT, security, and auditors to develop the policy.

* Identifying the systems to be audited. Some of these applications will automatically discover available systems and allow auditors to choose them from a list, while others require auditors and administrators to enter a list of machines into the program. IT security administrators and auditors are responsible for determining which policies apply to different systems.

* Scheduling or activating a scan. During this scan, the software will gather data from each machine over the network. Some products do this without additional software, but some require users to install a specialised agent program on the target system to perform scans. Scans can be performed interactively or scheduled to run at a particular time. Auditors are responsible for scheduling scans because they should be unannounced. IT managers may schedule their own scans to make sure systems can pass an audit.

* Running a report. These applications all have some kind of reporting capabilities of varying detail and customisability. Auditors are responsible for reporting.

"Because automated security audits are more accurate and complete than other types of security audits, they provide greater value to audit clients, making them an essential part of any organisation's security strategy. To achieve the maximum benefit from an automated security audit, auditors should consider several issues when they evaluate security policy-management products," says Bean.

Auditors can install agent programs on audited systems if the number of systems is small and system administrators allow them. Agents are programs that gather and report data about a computer to a central network console. However, for large numbers of desktops and servers, an agent-less approach is more desirable. Agent-less systems gather the same type of information from machines as agent-based systems, but they use different protocols and techniques. This method reduces the cost and time needed to deploy the application and eliminates the need to manage and upgrade agents.

The audit tool must be able to measure system configurations against the organisation's own security policy. It should not impose a policy based on templates that cannot be customised to fit the organisation's needs. The policy configuration and customisation function must be able to cover the items being audited and be intelligent enough to account for rules that apply only in certain circumstances. Items such as the audited machine's missions (e.g., database, Web, and file servers) and platform (e.g., Windows NT or 2000) may require different data to be collected and measured.
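
The policy-template comparison and the four audit steps described above, with rules that apply only to certain missions or platforms, can be sketched as follows. This is an added example, not code from any product named in this article; the rule names, thresholds, host names and scan data are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass(frozen=True)
class Rule:
    setting: str
    check: Callable[[object], bool]
    roles: Optional[frozenset] = None      # None: rule applies to every role
    platforms: Optional[frozenset] = None  # None: rule applies to every platform

    def applies_to(self, host):
        return ((self.roles is None or host["role"] in self.roles) and
                (self.platforms is None or host["platform"] in self.platforms))

# Constructed policy template; the thresholds are illustrative assumptions.
POLICY = [
    Rule("min_password_length", lambda v: v >= 8),
    Rule("guest_account_enabled", lambda v: v is False),
    Rule("anonymous_ftp", lambda v: v is False, roles=frozenset({"web"})),
    Rule("service_pack", lambda v: v >= 4, platforms=frozenset({"Windows 2000"})),
]

# Constructed scan results, as a collector might return them per machine.
SCAN = [
    {"name": "web01", "role": "web", "platform": "Windows 2000", "settings": {
        "min_password_length": 6, "guest_account_enabled": False,
        "anonymous_ftp": True, "service_pack": 4}},
    {"name": "db01", "role": "database", "platform": "Windows NT", "settings": {
        "min_password_length": 10, "guest_account_enabled": False,
        "anonymous_ftp": True}},
    {"name": "file01", "role": "file", "platform": "Windows 2000", "settings": {
        "min_password_length": 8, "service_pack": 2}},
]

def audit(policy, hosts):
    """Return (host, setting, status) for every rule that applies to each host."""
    findings = []
    for host in hosts:
        for rule in (r for r in policy if r.applies_to(host)):
            if rule.setting not in host["settings"]:
                status = "NOT_COLLECTED"  # missing data is reported, never passed
            else:
                status = "PASS" if rule.check(host["settings"][rule.setting]) else "FAIL"
            findings.append((host["name"], rule.setting, status))
    return findings

def non_compliant(findings):
    """Hosts with at least one finding that is not a PASS."""
    return sorted({h for h, _, s in findings if s != "PASS"})
```

Settings a rule needs but the scan did not return are reported as NOT_COLLECTED instead of being skipped, so an incomplete scan cannot look like a compliant machine.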

The information gathered from auditing a large number of machines is often significant. A tool that stores this data in a database via a standard interface, such as open database connectivity (ODBC), will make this information much more scalable and manageable. A central database also allows for easier, customised reporting.

The tool must produce data that meets the needs of the internal or external client. As a result, it should be able to generate custom reports from a database of results if the canned reports provided by the tool do not meet those needs.

"In addition to these considerations, auditors should choose a tool that closely matches the organisation's network environment, including the types of systems attached to the network and the network's size and complexity. As with any IT project, organisations should work with vendors to carefully plan and test the tools to ensure that they are successfully deployed," concludes Bean.

IDXOnline

IDXOnline, established in October 2001 by David Bean (formerly trading as Integrity Solution Providers since 1995), is a software solutions company focusing on the provision of products and services to Industrial, Telecommunications and Financial industries. We have a broad range of core skills related to real-time systems, process automation, industrial communications, IT security, performance improvement, system integration and custom development.

IDXOnline actively fosters long-term relationships with its clients and is always seeking to create an environment of mutual trust and integrity that allows it to "team up with" its clients such that there is the necessary transfer of technology and sense of ownership with objectives being set and met by joint determination. This has resulted in us establishing an impressive track record over the years in dealing with a number of blue chip clients and market leaders across a wide spectrum of industries.

In order to enhance its overall offering, IDXOnline has selected certain best of breed products aimed at the various industries that it services.

Headed by David Bean, IDXOnline Industrial Solutions represents the following industrial products: IDXSuite (Middleware product suite facilitating real-time industrial data exchange); OSIsoft PI (Real-time enterprise performance management platform); Softing AG (OPC Tools, Industrial communication products, and 4Control); HMS (Wide range of industrial communications solutions focused at field level); COMSOFT (PROFIBUS Interface Cards, Testers and Diagnostic Tools); and Axeda (FactorySoft OPC, @aGlance/IT middleware, internet device management).

Bruce Bean heads up the enterprise solutions division, representing the following products:

AlphaShield (ADSL Internet privacy protection); Harris STAT Analyzer & STAT Scanner (Vulnerability Management); Pedestal Software's Intact, SecurityExpressions & NTSec (System Security Policy Management); Redwood Software (Report distribution and reporting with emphasis for SAP-R3); and WiredCity's IT Monitor (Enterprise IT Infrastructure Monitoring).

Editorial contacts

Ivor van Rensburg
IT Public Relations
082 652 8050
ivor@itpr.co.za