Friday, November 6, 2009

Security Audit

How is your system security? Workstations? Servers? Web site? Terminal Server?

How do you know?

You have followed all the recommendations from all the hardware and software vendors. You’ve hardened your servers, firewalls, load balancers and other web-facing appliances. You have a protocol for regularly installing and testing service packs and security patches for your operating systems and for the third-party software running on them. You have closed unneeded ports and deactivated unused services.

What have you missed?

You have appropriately segmented your network, placing web-facing hosts in a DMZ so that a compromised front end cannot reach the mission-critical servers and databases that hold private or proprietary data. You scrupulously close the backdoors your administrators have opened for emergency system access from home. If you host your own website or web application, you have programmed defensively, for example by validating uploads on their content rather than their filename so that executable files and scripts disguised as text files are rejected. Your input forms check for cross-site scripting (XSS) in the back end code as well as the front end code, because any check that runs only in the browser can be bypassed by a client that simply does not run it. You employ intrusion detection and prevention software or services.
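The upload check described above, written out as an added example that is not part of the original post. It assumes a Python back end that receives the raw file bytes together with the client-supplied filename (a hypothetical call site); the extension allow-list, the byte signatures and the embedded-code markers are illustrative, not a complete catalogue. The point it shows is that the filename and the Content-Type header are attacker-controlled, so acceptance is decided from the bytes and the name is used only to reject obvious mismatches.

```python
"""Server-side check for uploads that must be plain text.

Accepts or rejects from the bytes themselves; the filename and extension are
only ever grounds for rejection. Example code, not from the original post.
"""
from pathlib import PurePosixPath
from typing import Optional

# Illustrative allow-list of extensions this hypothetical application stores.
ALLOWED_EXTENSIONS = {".txt", ".csv", ".md"}

# Suffixes a web server or host OS may execute or render as code if the file
# ever lands somewhere reachable. Checked as inner suffixes too ("shell.php.txt"),
# because some server configurations honour inner suffixes.
EXECUTABLE_EXTENSIONS = {
    ".php", ".phtml", ".phar", ".asp", ".aspx", ".jsp", ".cgi", ".pl", ".py",
    ".sh", ".exe", ".dll", ".com", ".bat", ".cmd", ".ps1", ".js", ".vbs",
    ".html", ".htm", ".svg", ".jar",
}

# Leading byte signatures of executable or archive formats (partial list).
LEADING_SIGNATURES = [
    (b"MZ", "Windows PE executable"),
    (b"\x7fELF", "ELF executable"),
    (b"\xcf\xfa\xed\xfe", "Mach-O 64-bit executable"),
    (b"\xca\xfe\xba\xbe", "Mach-O universal binary or Java class"),
    (b"PK\x03\x04", "ZIP archive (jar, docm, ...)"),
    (b"#!", "script with interpreter line"),
]

# Markers anywhere in the body that turn a "text" file into server-side or
# client-side code once a server module or a browser sniffs it (partial list).
EMBEDDED_MARKERS = [
    (b"<?php", "PHP code"),
    (b"<?=", "PHP short echo tag"),
    (b"<%", "ASP/JSP code"),
    (b"<script", "HTML script element"),
    (b"javascript:", "javascript: URL"),
]

MAX_BYTES = 1_000_000  # illustrative size cap


def check_text_upload(filename: str, data: bytes) -> Optional[str]:
    """Return None if the upload may be stored as text, else a rejection reason."""
    if len(data) > MAX_BYTES:
        return "file too large"

    # Keep only the final path component: a client may send "../../x.txt".
    name = PurePosixPath(filename.replace("\\", "/")).name
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    if not suffixes or suffixes[-1] not in ALLOWED_EXTENSIONS:
        return "extension not in allow-list"
    for suffix in suffixes:
        if suffix in EXECUTABLE_EXTENSIONS:
            return f"executable extension {suffix!r} in filename"

    # The declared type is irrelevant from here on; look at the bytes.
    head = data[:8]
    for magic, kind in LEADING_SIGNATURES:
        if head.startswith(magic):
            return f"content is a {kind}, not text"

    # Real text decodes as UTF-8 and carries no NUL or stray control bytes.
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return "content is not valid UTF-8 text"
    if any((ord(ch) < 0x20 and ch not in "\t\r\n") or ord(ch) == 0x7F for ch in text):
        return "content contains control characters"

    lowered = data.lower()  # ASCII case-fold so <SCRIPT> is caught as well
    for marker, kind in EMBEDDED_MARKERS:
        if marker in lowered:
            return f"content contains {kind}"
    return None


if __name__ == "__main__":
    # Constructed sample uploads, not real captured traffic.
    samples = [
        ("notes.txt", b"Quarterly notes\nline two\n"),
        ("notes.txt", b"MZ\x90\x00\x03\x00\x00\x00"),
        ("run.txt", b"#!/bin/sh\nid\n"),
        ("shell.php.txt", b"hello"),
        ("page.txt", b"<SCRIPT>alert(1)</SCRIPT>"),
    ]
    for fname, body in samples:
        print(f"{fname:16} -> {check_text_upload(fname, body) or 'accepted'}")
```

Because the decision is made from the bytes, the same function works whether the upload arrived with Content-Type text/plain, a forged header, or no header at all; the filename checks are there only so that an accepted file can never carry a suffix that a misconfigured server would later execute.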

What else do you need to do?

I strongly recommend an independently performed security audit that includes both automated and manual penetration testing. I have been the beneficiary of three of these very informative exercises, and it is amazing what a good security audit will turn up. For two of our audits I contracted with The Morningtown Group. My third audit was performed by SAIC at the behest of a US Government organization using our services. We have responded to auditors’ suggestions by doing everything from installing better physical security (locks and keys), to strengthening our user password requirements, to turning off stray MS Windows Server services. We have also determined that some suggestions do not apply to our situation and can be safely ignored.

What do you get for your money?

You get:

· A comprehensive security survey and audit performed by certified systems security professionals

· A report covering a panoply of potential risks to your systems, from accidental intrusion and malicious human attack to natural disasters, among others

· An automated vulnerability scan of your web-facing systems (the automated portion of the penetration test)

· Follow-up manual penetration testing based on the findings of the software scan

· A list of potential vulnerabilities and suggested mitigation strategies, by risk severity, probability of occurrence and priority.

· Validation of all your hard work to produce a secure system for your employer

· The warm feeling that you have truly done everything you can to secure your company’s IT infrastructure, and have had that effort validated

· The ability to tell your customers and potential customers that you regularly contract for a systems security audit

Regarding that last point: when anyone asks, I tell them politely but pointedly, “No, we do not share the audit report outside the IT department. I would be happy to summarize it for you, though.”
