Security auditing tools and challenges

James Tarala is a principal consultant with Enclave Security. He is a regular speaker and senior instructor with the SANS Institute as well as a courseware author and editor for many SANS auditing and security courses. In this interview he discusses security auditing, insecure passwords, operating systems as well as his training course at SANS Secure Europe Amsterdam 2011.

What are the essential steps involved in conducting a network audit in a large organization? How do you approach such a challenging effort?
When you’re auditing any technical system the most important things to consider are:

1. What is the business goal you are hoping to achieve.
2. What is the scope of the assessment you’re trying to achieve.

Unfortunately too many people look at auditing as a one time event whose goal is to address every security risk. Doing so is a recipe for disaster and disappointment. Auditing and risk assessment have to be considered an ongoing operational process.

If you own a car, you don’t perform maintenance on that car once and then say you’re doing, it is an ongoing effort. And just as you don’t just lock the car one time when you leave it alone, you lock the car and check it every time you leave it to make sure it stays protected. Auditing is the same way.

What network auditing tools do you prefer and why?
Honestly there are hundreds of tools that we have used during the course of audits in the past. There are always reasons to pull out different tools for different purposes, depending on the scope of the audit.

These days, given the scope of the assessments I find myself doing, I tend to spend a lot of time with the Security Content Automation Protocol (SCAP) scanning tools. Traditionally we would have called these vulnerability scanners, but these days they do much more than that. We can also use them to analyze systems for configuration settings and map them against a baseline to check for compliance with our standards.

Tools like Tenable Nessus, QualysGuard, BigFix, and others have been validated for this purpose. Unfortunately all the tools in this class of products are commercial tools – there are no free SCAP scanners that have hit the market yet.

The insecurity posed by weak passwords has been in the news a lot lately. What are some of the weak passwords you encountered in your work and how did that impact the entire audit?
We see this constantly. There has been a lot of discussion about this issue in the news again this month with the HBGary breach. Weak passwords and password re-use is a huge problem. Eventually we are going to reach the point where the use of passwords will finally be considered insufficient to protecting information.

Two-factor authentication systems such as biometrics, tokens, smart cards, and others have been around for a long time. When a control isn’t enough to protect a system, a new control is needed. We see this in audits all the time.

What are the fundamental differences in auditing Windows, Linux and Mac OS X systems? Which system is the easiest to audit?
I think as an information security industry we have to get over the concept that one operating system or piece of software is more or less secure than another. At the end of the day each of these operating systems is computer code, written by flawed individuals.

The “exploit of the week” might target one OS or another, but at the end of the day each of these systems can be vulnerable to the same type of flaws. For the longest time everyone considered Firefox more secure than Internet Explorer. Now with more researchers focusing on Firefox the data has shown more vulnerabilities in Firefox than any other browser, period.

That being said, although the level of weakness might be the same, there do tend to be more automated auditing tools for Windows than for Linux or Mac OSX systems. The US federal government’s SCAP program is a perfect example of how Windows system security auditing is being automated where the other OSes are not.

Many IT professionals expect security auditing costs to rise in the near future. Based on what you see on the market, what can we expect?
Frankly not many organizations are truly evaluating their technical IS controls today. Many people are doing IS audits, but their background is financial, and so they are focusing on operational risk or what we traditionally would call a Governance, Risk and Compliance (GRC) focused audit.

The problem is that these rarely address the technical vulnerabilities that exist in code and configurations of systems. I do think the annual costs for IS audits will increase, simply because to address the threats today people are going to have to re-evaluate the scopes of their audits and likely be retrained to perform this type of assessment.

What does your SANS training course look like? What skills can attendees expect to acquire?
In our SANS audit classes, especially Audit 407 and Audit 507, which are our two foundational courses, we try to give people practical skills for performing technical IS audits of their systems. That doesn’t mean we don’t address the operational aspects of auditing. But out focus in this class is to give people the technical tools necessary to be successful when auditing for technical controls.

We cover topics such as firewall audits, auditing web applications, and auditing Windows and Unix operating systems. It’s meant to be a practical, technical class, without all the fluff.

For more information about SANS training in Amsterdam go here.