"Information for the right people at right time and from anywhere" has been the driving force for providing access to the most of the vital information on the network of an organization over the Internet. This is a simple guide on conducting a network security audit, This article contains points for conducting an audit.
This of course has led to the situations where this valued information
falls into the hands of wrong people. This may be because of a
bug/vulnerability in the application software which provides
these data access from the Internet, Misconfiguration by the
administrator/vendor, or due to Negligence from the
Management.
While we are talking about access from the Internet, most surveys indicate that breach attempts from internal users are considerably high. So a security policy is the most basic need for network security. This requires reviewing and redefining policies according to the changing business environment. Defining a security policy therefore requires an understanding of the environment, the loopholes in it and the steps that need to be taken to close these loopholes. Hence this starts with a network audit.
This is a simple guide on conducting a network security audit; this article contains points for conducting an audit (of course I too have learned it from many an expert's articles on the net and from experience). This first of the series (maybe many more to come, if you guys really want to hear from me) doesn't get into the core of each of the aspects; it generally outlines the things to be kept in mind while conducting a network security audit. Maybe you guys will let me put my ideas in my future writings.
A general (and wrong) assumption is that a network security audit is limited to determining the services available on the network for access. No, it isn't. A network security audit should address all the areas that are listed in this article and, if possible, more (don't forget, the more steps you take to prevent, the more secure it gets. So don't stop at this, keep on doing it better.....).

So the minimal aspects to consider are:
Management

The audit should cover a questionnaire to the organization's management to find out how seriously it takes its information security. The questionnaire should be able to collect a considerable amount of information, such as:

Is the management of the organization serious about the information security requirements?
Does an established procedure exist for reporting security breaches or attempted security breaches?
Review of security controls
Life cycle, etc.
Administration

Knowing the administration controls helps in understanding what kind of protection the data has and whether security deviations are detected and corrected. Attempts should be made to understand the security implications that the following might have:

Backup and disaster recovery
Response to intrusion detection
Response to viruses/Trojans
Grant/change/removal of privileges
Documentation
Log reviews
Changes in the network
Software license compliance, etc.
LAN Security

Get an understanding of the LAN configuration, the number of users on the LAN and the general use of the LAN. Audit:

Protection against viruses, Trojans, etc.
Communication controls
Acquisition
TCP ports
Firewall/ACLs
Application fingerprinting
LAN access policy, etc.
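The TCP ports and firewall/ACL items above come down to one question: is anything listening that the LAN access policy does not approve, or bound more widely than the policy allows? The script below is an added example (not code from the original article) that parses a constructed `ss -ltn` snapshot and compares it against a constructed baseline standing in for the policy; the port numbers, the scopes and the `ss` output itself are assumptions for illustration.

```python
"""Audit the TCP services actually listening on a host against the ports the LAN
access policy approves (added example; not code from the original article).

Assumptions: the listener snapshot is in the output format of Linux `ss -ltn`,
and the baseline dictionary stands in for the organization's LAN access policy.
Both the snapshot and the baseline below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample of `ss -ltn` output from an audited host (not real data).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       80      127.0.0.1:3306       0.0.0.0:*
LISTEN  0       511     *:80                 *:*
LISTEN  0       128     [::]:22              [::]:*
LISTEN  0       5       0.0.0.0:6000         0.0.0.0:*
LISTEN  0       128     0.0.0.0:5432         0.0.0.0:*
"""

# Constructed baseline standing in for the LAN access policy: port -> allowed scope.
#   "lan"   : may listen on any interface (reachable from the LAN)
#   "local" : must listen on the loopback address only
BASELINE = {
    22: "lan",      # SSH for administrators
    80: "lan",      # intranet web server
    443: "lan",     # intranet web server (TLS); policy expects it to be running
    3306: "local",  # database, used only by the application on the same host
    5432: "local",  # second database, also loopback-only by policy
}

LOOPBACK = {"127.0.0.1", "::1"}


@dataclass(frozen=True)
class Listener:
    address: str
    port: int


def parse_ss_listen(output: str) -> list[Listener]:
    """Extract (address, port) for each LISTEN row of `ss -ltn` output.

    The header row and anything that is not a LISTEN socket are skipped.
    IPv6 addresses appear as "[::]:22", so the brackets are stripped.
    """
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        address, port = fields[3].rsplit(":", 1)
        listeners.append(Listener(address.strip("[]"), int(port)))
    return listeners


def audit_listeners(listeners: list[Listener], baseline: dict[int, str]) -> dict[str, list]:
    """Compare listeners with the baseline and group the deviations.

    unapproved : port is listening but the policy does not mention it
    exposed    : policy allows loopback only, but the socket is network-reachable
    missing    : policy expects the service, but nothing is listening on that port
    """
    unapproved, exposed = set(), set()
    for lst in listeners:
        scope = baseline.get(lst.port)
        if scope is None:
            unapproved.add((lst.port, lst.address))
        elif scope == "local" and lst.address not in LOOPBACK:
            exposed.add((lst.port, lst.address))
    seen_ports = {lst.port for lst in listeners}
    missing = sorted(port for port in baseline if port not in seen_ports)
    return {"unapproved": sorted(unapproved), "exposed": sorted(exposed), "missing": missing}


if __name__ == "__main__":
    result = audit_listeners(parse_ss_listen(SAMPLE_SS_OUTPUT), BASELINE)
    for category, items in result.items():
        print(f"{category}: {items}")
```

On the constructed snapshot this reports port 6000 as unapproved, port 5432 as exposed (the policy wants it on loopback only) and port 443 as missing; the last category matters for the availability side of the audit, not just the exposure side. Running the same comparison on every host and diffing the result over time turns a one-off port check into the repeated review the article asks for.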
Access Control

Determine the access control mechanism by which users access various resources across the network. Some of the items to cover:

Authentication, requests, duties
User guidelines
Password policy
Operations
Physical security
Contingency planning
Training
H/w and s/w maintenance
Now that we have outlined the aspects to assess, let's look into each of these in as much detail as possible.
Management:

What are the things that need to be checked in the organization's management, and why? What does it take care of? These are some of the questions that arise when we talk about assessing the organization's management. I will try to justify as much as possible.

The first thing to look for would be to analyze whether the management has taken the issue of information security seriously; this can be assessed by knowing:
Is there a procedure/guideline specified for the acquisition and installation of LAN peripherals/accessories, etc.?
Have the users been notified about the security concerns, the terms of use of systems and network access, and the limitations and proceedings in case of a breach of the security policy? Have the users been notified about their tasks?
Have the users been notified about their emails being monitored (if they are)?
Is there a procedure in place to formally report security breaches?
Are the findings of audits and/or inspections reported to management?
Are emergency and disaster procedures established with well-defined tasks and responsibilities?
Is there a proper backup plan in place so that operations can return to normal in case the installations are completely damaged? Are these plans tested?
Has the organization's management taken care to forbid software piracy and informed the PC users?
Are there proper inventory controls for the software and hardware?
Do the users know who is in charge of security and how to get in touch with him when required?
Is the security policy scrutinized every so often (is the life cycle of the security policy determined)?
Are the necessary corrective actions taken/granted on each of the weaknesses found?
The more precautions the management takes and the more interest it shows, the more it demonstrates the management's seriousness about the organization's information security, and it makes the users feel that they will be held liable for any harm/loss caused by them. Thus the management should provide the basic foundation.

An organization's IT security fails when its involvement is reactive rather than proactive. Often the vulnerabilities are closed only after those weaknesses have been exploited in an attack, at the cost of time, data and money. Very few organizations take proactive steps towards evolving a security policy and strategies. So it is very important that the management keeps the organization's security strategies up to date.
Administration

Effective network administration ensures the continued availability and protection of data as desired by the organization's management. It's very important to have a good network administration team, as they are the key people when it comes to the actual implementation of the security policies, the disaster recovery plan, etc. Hence the administration should see to the following.
Setup of servers:

Make sure that the applications available on the network are not misconfigured.
The applications are patched/updated frequently, as and when updates become available.
Keep track of the various vulnerabilities, backdoors and viruses on the move and the solutions to these.
Virus protection both at the mail server/gateway and at the user's desktop level should be taken care of.
Servers should conduct proper identification and authentication of users before access is granted.
Does the server setup conduct authentication appropriate to the risk associated with the access?
Is proper encryption enabled for data transfer (wherever required)?
User access to applications:

User management like adding, deleting, modifying, disabling and enabling user IDs, and setting proper guidelines for users on choosing passwords, periodically changing passwords, granting and revoking access rights as required, etc.
A formal procedure for seeking access or a change in access and getting formal approval for it from the management.
Periodically track/analyze the user requests and the accesses made, like the time and duration of the access and, if possible, the kind of data sought by the user, etc.
Periodically review user access to the system.
Document any anomaly in user access, etc. Report it to the management for action if required.
Protect top-secret applications meant for access only by privileged users, with proper grants for their access. Take note of failed login attempts periodically and verify with the users concerned.
A procedure established to deal with repeated attempts by a user to gain unauthorized access to these resources.
Check for unauthorized use of external storage devices like floppies, CD-ROMs, etc.
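Noting failed login attempts and dealing with repeated attempts, as listed above, can be done with a small review over the authentication log. The example below is added here and is not code from the original article: it parses constructed OpenSSH-style auth log lines, counts failures per user and source address in a sliding window, and also flags a success that follows a burst of failures, which is exactly the case to verify with the user concerned. The thresholds, the window, the host names and the log lines themselves are assumptions.

```python
"""Review authentication logs for repeated failed logins and for logins that
succeed right after a burst of failures (added example; not code from the
original article).

Assumptions: the log uses the OpenSSH "Failed password for ..." / "Accepted
password for ..." syslog format. The log lines, hosts and addresses below are
constructed sample data; thresholds are illustrative and should come from the
organization's own policy.
"""
from __future__ import annotations

import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample auth log (not captured from a real system).
SAMPLE_AUTH_LOG = """\
Mar  3 09:12:01 fileserver sshd[2201]: Failed password for invalid user admin from 10.0.5.23 port 51234 ssh2
Mar  3 09:12:04 fileserver sshd[2203]: Failed password for invalid user admin from 10.0.5.23 port 51236 ssh2
Mar  3 09:12:07 fileserver sshd[2205]: Failed password for invalid user admin from 10.0.5.23 port 51238 ssh2
Mar  3 09:12:09 fileserver sshd[2207]: Failed password for invalid user admin from 10.0.5.23 port 51240 ssh2
Mar  3 09:12:12 fileserver sshd[2209]: Failed password for invalid user admin from 10.0.5.23 port 51242 ssh2
Mar  3 09:13:10 fileserver sshd[2210]: Accepted password for alice from 10.0.5.40 port 50001 ssh2
Mar  3 09:20:00 fileserver sshd[2230]: Failed password for bob from 10.0.5.41 port 50100 ssh2
Mar  3 09:20:30 fileserver sshd[2233]: Accepted password for bob from 10.0.5.41 port 50102 ssh2
Mar  3 14:01:00 fileserver sshd[2300]: Failed password for carol from 10.0.9.8 port 40000 ssh2
Mar  3 14:01:20 fileserver sshd[2302]: Failed password for carol from 10.0.9.8 port 40002 ssh2
Mar  3 14:01:45 fileserver sshd[2304]: Failed password for carol from 10.0.9.8 port 40004 ssh2
Mar  3 14:02:05 fileserver sshd[2306]: Accepted password for carol from 10.0.9.8 port 40006 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    result: str   # "Failed" or "Accepted"
    user: str
    ip: str


@dataclass(frozen=True)
class Alert:
    kind: str     # "repeated_failures" or "success_after_failures"
    user: str
    ip: str
    count: int    # failures inside the window at the moment the alert fired
    ts: datetime


def parse_auth_log(text: str) -> list[LoginEvent]:
    """Parse password-authentication lines; other sshd lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog pads single-digit days with a space ("Mar  3"); collapse it first
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
        events.append(LoginEvent(ts, m["result"], m["user"], m["ip"]))
    return events


def analyze_logins(text, window=timedelta(minutes=5), fail_threshold=5, success_after=3):
    """Sliding-window count of failures per (user, source address).

    An alert fires once when a (user, ip) pair reaches `fail_threshold`
    failures within `window`, and whenever a login succeeds after at least
    `success_after` recent failures from the same pair.
    """
    recent = defaultdict(deque)  # (user, ip) -> failure timestamps still inside the window
    alerts = []
    for ev in parse_auth_log(text):
        fails = recent[(ev.user, ev.ip)]
        while fails and ev.ts - fails[0] > window:   # drop failures older than the window
            fails.popleft()
        if ev.result == "Failed":
            fails.append(ev.ts)
            if len(fails) == fail_threshold:          # fire once when the threshold is reached
                alerts.append(Alert("repeated_failures", ev.user, ev.ip, len(fails), ev.ts))
        else:
            if len(fails) >= success_after:
                alerts.append(Alert("success_after_failures", ev.user, ev.ip, len(fails), ev.ts))
            fails.clear()                             # a success ends the current burst
    return alerts


if __name__ == "__main__":
    for alert in analyze_logins(SAMPLE_AUTH_LOG):
        print(f"{alert.ts.strftime('%b %d %H:%M:%S')} {alert.kind}: {alert.user} from {alert.ip} ({alert.count} failures)")
```

On the constructed log this raises two alerts: five failures against "admin" from one address within a few seconds, and a successful login for "carol" after three failures. The second kind is the one to take to the user, since a single wrong password is routine but a success right after a run of failures is not. Keying on both user and source address keeps a user who mistypes from one workstation separate from attempts against that user from elsewhere.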
Apart from these checks, other checks should be performed regarding the way data handling and data exchanges are made. If third-party data access is allowed (clients/business partners/etc.), are there proper controls on their access, identification and authentication? Is it possible to identify and track all the assets (the ease of doing this determines the quality)? Are development systems separated from the operational systems? Is the security of media on the move established? Are the system clocks synchronized? And many more aspects.
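The periodic review of user access listed earlier and the third-party access question in this paragraph both need the same inputs: the accounts on the system, who currently owns them, and which grants management actually approved. The example below is an added illustration (not code from the original article) that cross-checks a constructed account snapshot against a constructed HR roster and approval register; the account names, group names, dates and the 90-day staleness threshold are assumptions.

```python
"""Periodic user-access review: flag orphaned, stale, over-privileged and
expired third-party accounts (added example; not code from the original
article).

Assumptions: the account snapshot, the HR roster and the approval register are
the records the article asks the administration to keep; here they are
constructed sample data, and the group names and thresholds are illustrative.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Constructed snapshot of accounts on an audited system (not real data).
ACCOUNTS = [
    {"login": "alice", "kind": "employee", "groups": {"staff", "sudo"}, "last_login": date(2024, 3, 1)},
    {"login": "bob", "kind": "employee", "groups": {"staff"}, "last_login": date(2023, 10, 15)},
    {"login": "dave", "kind": "employee", "groups": {"staff", "sudo"}, "last_login": date(2024, 2, 20)},
    {"login": "acme-vendor", "kind": "third_party", "groups": {"vendor"},
     "last_login": date(2024, 2, 28), "expires": date(2024, 1, 31)},
    {"login": "partner-x", "kind": "third_party", "groups": {"partner"},
     "last_login": None, "expires": date(2024, 6, 30)},
]
ROSTER = {"alice", "bob", "carol"}   # constructed list of current staff from HR
APPROVALS = {"alice": {"sudo"}}      # constructed register: login -> privileged groups approved by management
PRIVILEGED_GROUPS = {"sudo", "wheel", "admin"}
STALE_AFTER = timedelta(days=90)     # illustrative threshold; take it from the access policy
REVIEW_DATE = date(2024, 3, 5)       # date of this (constructed) review run


@dataclass(frozen=True)
class Finding:
    login: str
    code: str    # orphaned | expired_third_party | stale | unapproved_privilege
    detail: str


def review_accounts(accounts, roster, approvals, review_date, stale_after=STALE_AFTER):
    """Return the anomalies to document and report, sorted by login and kind."""
    findings = []
    for acc in accounts:
        login = acc["login"]
        # employee accounts whose owner HR no longer lists
        if acc["kind"] == "employee" and login not in roster:
            findings.append(Finding(login, "orphaned", "owner is not on the current HR roster"))
        # third-party access that outlived its agreed end date
        if acc["kind"] == "third_party" and acc["expires"] < review_date:
            findings.append(Finding(login, "expired_third_party",
                f"access expired {acc['expires']} but the account is still enabled "
                f"(last login {acc['last_login']})"))
        # accounts nobody uses are a standing risk with no business benefit
        last = acc["last_login"]
        if last is None:
            findings.append(Finding(login, "stale", "never logged in"))
        elif review_date - last > stale_after:
            findings.append(Finding(login, "stale", f"no login for {(review_date - last).days} days"))
        # privileged group membership must match a formal approval from management
        unapproved = (acc["groups"] & PRIVILEGED_GROUPS) - approvals.get(login, set())
        for group in sorted(unapproved):
            findings.append(Finding(login, "unapproved_privilege",
                                    f"member of '{group}' without a management approval record"))
    return sorted(findings, key=lambda f: (f.login, f.code))


if __name__ == "__main__":
    for f in review_accounts(ACCOUNTS, ROSTER, APPROVALS, REVIEW_DATE):
        print(f"{f.login:12} {f.code:22} {f.detail}")
```

The output is the list of anomalies the article says should be documented and reported: here an employee account whose owner is no longer on the roster and who also holds sudo without an approval record, a vendor account used after its access expired, and two unused accounts. The same structure extends naturally to other records the audit asks for, such as a register of third-party agreements or a log of access change requests.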
As for me, you could use all kinds of paranoia to prevent security issues, but what about social security? We can't keep that social aspect of security out of mind.