The word "audit" describes any process designed to review and assess a system's current state, capacity, and integrity.
An internal audit is a review process initiated and carried out by an organization itself. External audits are often performed by or on behalf of banking entities or government regulatory bodies like tax authorities.
Security Audits: What's in it for You?
In theory at least, all technology audits share a few goals in common. They want to confirm that your systems are operating with acceptable levels of security and efficiency, and that they're compliant with all applicable standards.
The point isn't just to make sure all the right boxes are checked, but to genuinely look for hidden problems so you can fix them.
In that context, you should look at compliance with regulatory frameworks like the credit card industry "Payment Card Industry Data Security Standard" (known as PCI-DSS) or the US government's "Health Insurance Portability and Accountability Act" (HIPAA) as valuable opportunities.
If you can legitimately pass those standards, then you can be pretty confident that you really are doing what you can to protect the privacy and security of the data you manage. And even more important, that your systems are reasonably secured against common threats.
This article comes from my Introduction to Cybersecurity course.
Security Audits: How They Work
For all intents and purposes, a formal security audit involves inspecting and testing all the systems that could impact security in one way or another.
You might, for instance, be required to demonstrate:
- That your data at rest and in transit is always encrypted
- That all servers and workstations involved in your business are properly patched
- That your networks block access to all but necessary users
- That third party vendors whose operations and products you use also comply with necessary security standards
- That you've got an effective protocol for regular data backups
- That you've got formal – and tested – emergency response and recovery plans
Well, even if it's some government or bank that's pushing you to do this – and even if full compliance is very expensive – the basic goals are well aligned with your own interests, so it's definitely not a complete waste.
Security Audit Tools
Let me quickly describe three categories of auditing tools.
Processing and parsing system logs
Whether your infrastructure stack lives in the cloud, on premises, or both, over time you're going to be generating gigabytes of boring data.
The only way to make sense of the mess is by streaming it through analytics scripts that can filter out the noise generated by millions of normal events, and find serious events. Good log monitoring systems (which include Splunk, Nagios, Syslog-ng, and Datadog) can be configured to send alerts when possible problems are detected, or even trigger automatic fixes.
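To make the filtering idea concrete, here is a small added example (not from the course or from any of the tools named above). It assumes sshd-style syslog lines, and the sample log, threshold and time window are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in sshd/syslog style (not from a real host).
SAMPLE_LOG = """\
Mar 10 08:00:01 web1 CRON[411]: (root) CMD (run-parts /etc/cron.hourly)
Mar 10 08:01:12 web1 sshd[900]: Accepted publickey for deploy from 192.0.2.10 port 50022 ssh2
Mar 10 08:02:00 web1 sshd[901]: Failed password for root from 203.0.113.7 port 40001 ssh2
Mar 10 08:02:03 web1 sshd[901]: Failed password for root from 203.0.113.7 port 40002 ssh2
Mar 10 08:02:05 web1 sshd[901]: Failed password for invalid user admin from 203.0.113.7 port 40003 ssh2
Mar 10 08:02:09 web1 sshd[901]: Failed password for root from 203.0.113.7 port 40004 ssh2
Mar 10 08:02:30 web1 sshd[902]: Accepted password for root from 203.0.113.7 port 40005 ssh2
Mar 10 09:15:00 web1 sshd[950]: Failed password for alice from 198.51.100.4 port 51000 ssh2
"""

EVENT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+)"
)

def find_alerts(log_text, threshold=3, window=timedelta(minutes=5), year=2024):
    """Return alert tuples; lines that are not sshd auth events are treated as noise."""
    failures = defaultdict(list)   # source IP -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        m = EVENT.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year, so one is assumed for parsing.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        recent = [t for t in failures[ip] if ts - t <= window]
        if m["result"] == "Failed":
            recent.append(ts)
            if len(recent) == threshold:   # alert once, when the threshold is reached
                alerts.append(("repeated_failures", ip, m["user"]))
        elif len(recent) >= threshold:     # a success right after a burst of failures
            alerts.append(("login_after_failures", ip, m["user"]))
        failures[ip] = recent
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(alert)
```

Of the eight sample lines, only two produce alerts: the burst of failures from one address, and the successful login that follows it.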
If you're running anything more complicated than a WordPress website and a few laptops, then you'll probably need some kind of monitoring process. One low-level form of monitoring is an intrusion detection system (IDS).
An IDS is software you install on a server whose function is to constantly monitor the state of pre-set system and configuration files. If a target file is updated or deleted – potentially an indication that there's unauthorized activity going on – the IDS will send an alert to one or more admins. Once you've fine-tuned your IDS so it's not sending you annoying false positives all the time, it can be an effective first line of defense.
Installing and configuring IDS software can be a lot easier than you might think. Popular packages include Snort and Security Onion.
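The file-monitoring behaviour described above comes down to comparing a known-good baseline of file hashes against the current state. The following is an added sketch of that check, not code from Snort, Security Onion or the course; the watched file names and the temporary directory are constructed for the demo.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(paths):
    """Map each watched path to its SHA-256, or None if the file is missing."""
    return {p: sha256_of(p) if os.path.isfile(p) else None for p in paths}

def compare(baseline, current):
    """Return sorted (path, change) pairs for every watched file that differs."""
    changes = []
    for path, old in baseline.items():
        new = current.get(path)
        if old == new:
            continue
        if new is None:
            changes.append((path, "deleted"))
        elif old is None:
            changes.append((path, "created"))
        else:
            changes.append((path, "modified"))
    return sorted(changes)

def demo():
    """Constructed scenario: three watched files in a temp dir, two tampered with."""
    with tempfile.TemporaryDirectory() as d:
        names = ["sshd_config", "passwd", "hosts"]
        paths = [os.path.join(d, n) for n in names]
        for p in paths:
            with open(p, "w") as fh:
                fh.write("original contents\n")
        baseline = snapshot(paths)          # taken while the system is known-good
        with open(paths[0], "a") as fh:     # simulate an unexpected edit
            fh.write("PermitRootLogin yes\n")
        os.remove(paths[1])                 # simulate an unexpected deletion
        changes = compare(baseline, snapshot(paths))
        return [(os.path.basename(p), c) for p, c in changes]

if __name__ == "__main__":
    for name, change in demo():
        print(f"ALERT: {name} was {change}")
```

In practice the baseline has to be stored somewhere an intruder on the monitored host cannot rewrite it, otherwise the comparison proves nothing.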
Penetration testing
A pen tester is usually an independent consultant hired by an organization to attempt to hack into their internal systems.
In other words, pen testers are given explicit legal permission to do exactly what criminal hackers would do – without causing permanent damage, of course.
Using attack software suites like OWASP ZAP or Metasploit, pen testers search for and then exploit vulnerabilities in an organization's systems. The further in a tester can penetrate, the more dangerous are the discovered vulnerabilities, and the more work you'll have to do to fix them.
Pen testing is expensive and sometimes even disruptive. But not nearly as much as suffering the same intrusions by an actual malicious hacker.
Another form of pen testing involves dividing your admins and engineers into red team attackers and blue team defenders for attack simulations. The teams compete to test how robust your defences are.
Deploying a full pen test can be complicated. More often than not, organizations will engage with third party providers to plan and carry out a test.
Vulnerability assessments
These are a less invasive form of pen testing. Rather than trying to breach your networks and servers, vulnerability testers will instead scan your network from the outside looking for open ports and unpatched software. They'll also search the internet for information your employees might have inadvertently left on public platforms that could provide hints to active credentials or the secret sauce used by your software applications.
How might that work? Well, free software exists (like OpenVAS and Burp Suite) that will, for instance, harvest data from job ads you might have placed on LinkedIn – especially from the "required skills" sections.
Such software can also survey public posts from your team members, assessing the topics of interest in their Stack Overflow questions and answers. If this stuff is out there, you'll want to know about it.
Security audits are a very big deal. Whether you're running them to satisfy some regulatory requirements or to protect your assets – or both – you definitely want to take them seriously.