Computer security has become a very important subject for companies and institutions, as well as individuals. Because of this, numerous legal texts have been enacted in most of the world’s countries to structure this area and define solutions and measures to adopt when securing computer systems, which constitute the backbone and a valuable asset for companies, as well as individuals.
A security audit is a legal and economic requirement for the survival of a company, as well as for its reputation and influence. It is a periodic task led by security experts to identify vulnerabilities and weaknesses, along with the appropriate solutions and recommendations. A new discipline has thus developed: that of the security consultant or auditor.
An audit goes through three necessary stages. The first concerns the organizational and physical aspect: it identifies structural and physical vulnerabilities. The second is devoted to the technical aspect: it uncovers security weaknesses at the various levels of the system and provides the solutions these problems require. Finally, an intrusive test (penetration test) is carried out, which consists of subjecting our own system to a series of attacks in order to evaluate how robust it is.
In the domestic sphere, as well as at the company level, it is necessary to plan a security policy with the objective of limiting risks, mitigating attacks and increasing the effectiveness of security solutions. A security policy covers several axes, intervenes at several levels and calls on different actors to apply it appropriately.
In order to develop a security policy, it is necessary first to assess the current state of affairs and evaluate the existing level of security.
The development and follow-through of a security policy is governed by a steering committee led by a security manager. Once the policy is developed, depending on the applicable norms and standards and the identified stakeholders, its application will require the definition of directives and procedures that facilitate its implementation and effectiveness.
A security audit, required by law in many countries, is necessary for a company to overcome the challenges of attacks and security failures.
Security presents a very specific and specialized problem that can seldom be fully resolved internally, by company personnel alone. Their expertise may be limited, which could prevent them from properly identifying and fixing the problem. An audit must first alert users and, once the weaknesses have been identified, provide solutions and measures to address them, in the form of recommendations.
Security is a culture above all, and the personnel of a company must have a minimum of this culture if they are to remain aware, secure and behave appropriately when faced with potential attacks.
An audit must focus on security and make management, staff and clients aware of the issue by identifying bad habits. This culture can be promoted through organizational measures, posters, charters and control measures limiting physical and computer access.
After identifying security faults, the audit team must try to find solutions for such problems. The solutions must cover several aspects:
The action diagram during an audit is summarized in the following figure.
The first phase is devoted to documentation and preparation of the task, with a precise and clear definition of the actors, stakeholders, circumstances, scope and obligations.
The second phase is the audit in the strict sense: the on-site intervention, using the appropriate generic and specific tools, technical and otherwise.
Finally, during the third phase, the audit team focuses on the analysis of the results and the writing of a report.
Companies should not limit themselves to commissioning an audit and then setting the report aside. It is important to apply the recommendations made, especially when the report has been validated by the competent authorities.
Most companies neglect computing and security insofar as IT serves as a tool that facilitates the work and is not in itself a productive unit. The measures taken for computing are then the product of numerous users who are not specialists in the field. For this reason, following each consultation, it is necessary to create, restructure, strengthen and ensure the independence of the computing services and/or the security unit.
For personnel development, training activities are necessary. The audit must provide an indicator regarding security knowledge within a company, and the investment in training should be based on this indicator.
This is the technical aspect to implement after a security consultation. It covers several areas:
Also called a high-level audit, this estimates risk by analyzing organizational and physical vulnerabilities.
This is a preliminary stage that allows us to critique the organization and uncover poor structures or a poor division of labor and responsibilities among the participants.
The second stage is devoted to physical security through a critique of physical access to the sites of the computing system.
The discovery of organizational and physical vulnerabilities is done through appropriate questionnaires for management, staff and clients, covering various aspects.
We can also use established models that offer a database of questionnaires on many topics, adaptable to the context of the audited company. This produces statistics and security indicators.
There are two possible approaches: bottom-up (ascending) and top-down (descending).
Also called a low-level audit, this identifies technical vulnerabilities (in systems and networks). This part requires expertise from the auditors that covers multiple areas. There are several aspects that require auditing:
This is the most important part: an audit of systems and computer applications that finds technical vulnerabilities and weaknesses on the one hand, and formulates appropriate technical recommendations on the other.
A technical audit requires auditors with a minimum of expertise, who will discuss issues with administrators and security managers by way of questionnaires and interviews, and use appropriate tools for systems, services and applications.
The tools used vary depending on the context and importance of the computer service and its content in terms of equipment and deployed solutions, data traffic, services and functions provided.
Many computing tools can be used for a technical audit. The most appropriate tools are often free and open-source software: the very same tools used by hackers and attackers, so that the audit sees the system as an attacker would.
Examples of these tools are as follows:
This is a simulation of attacks that tests the strength of a computer system and its response to them. It consists of using attack tools and observing the way the system reacts. The intrusive test must be scoped and scheduled carefully, with the targets, time window and written authorization agreed in advance, so as not to disrupt normal operation.
There are several audit methodologies that can be adapted during an audit.
Descended from the British BS 7799 norm, the ISO/IEC 17799 norm (renumbered ISO/IEC 27002 in 2007) provides guidelines and recommendations for managing information security.
The ISO 17799 norm thus offers a model for identifying and implementing solutions for the following risks:
The MARION method (Méthodologie d'Analyse de Risques Informatiques Orientée par Niveaux, that is, Methodology of Analysis of Computing Risks Oriented by Level) is an audit methodology that, as its name suggests, evaluates the level of security in a company (the risks) by way of weighted questionnaires that provide indicators in the form of scores on different topics related to security.
The level of security is evaluated across 27 indicators divided into six themes, each indicator receiving a score from 0 to 4; level 3 is the level to reach for security to be considered adequate. The method is based on questionnaires focusing on precise areas. The questionnaires must allow the vulnerabilities specific to the company, in all areas of security, to be evaluated.
The set of indicators is evaluated using several hundred questions, whose responses are weighted (the weightings evolving with updates to the method).
The themes are as follows:
MEHARI (Méthode Harmonisée d'Analyse de Risques, Harmonized Method of Risk Analysis) is derived from two earlier risk analysis methods, MARION and MELISA. It was developed and is maintained in France by CLUSIF (Club de la Sécurité de l'Information Français, the French Information Security Club). MEHARI is one of the most commonly used risk analysis methods today. It appears as a veritable tool kit for computer system security, identifying risks within an organization in various ways. This tool kit is made up of several modules which, independently of the selected security method, provide in particular:
A security policy, written and published, must be established in any organization operating a medium- or large-sized computer system. It requires testing to validate and measure the requirements against the existing levels of security.
Tests and evaluations are a necessary first step before proceeding to the formulation of a security policy. Security tests take many forms and use diverse and targeted tools.
Security tests are used to verify the strength of a computer system and identify weaknesses and limits. These tests fall into the following categories:
These types of tests cover the different areas of security and their results make up an inventory of the computer system, which will be the starting point for defining and formulating a security policy.
To provide an effective evaluation, we should use the various free and open-source tools that hackers and attackers themselves use.
The most commonly used tools are:
Nmap, short for Network Mapper, is a free and open-source tool for network discovery and security auditing. Many system and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine which hosts are available on the network, which services (application name and version) those hosts offer, which operating systems (and OS versions) they run, what kind of packet filters or firewalls are in use, and dozens of other characteristics. It was designed to scan large networks quickly, but works very well against single hosts. Nmap runs on all major operating systems, and official binary packages are available for Linux, Windows and Mac OS X. In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection and debugging tool (Ncat), a utility for comparing scan results (Ndiff) and a packet generation and response analysis tool (Nping).
Nmap has the following characteristics:
Zenmap is the official graphical interface of the Nmap security scanner. It is a free and open-source multi-platform application (Linux, Windows, Mac OS X, BSD, etc.) that makes Nmap easy to use for beginners while still providing advanced functions for experienced Nmap users. Frequently used scans can be saved as profiles to make repeated execution easy, and the results of saved scans can be compared with each other to see how they differ.
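As an added example (not code from the Nmap project or from the original text), the following Python script shows what an audit actually gets out of an `nmap -sV -O -oX scan.xml` run: it parses the XML output into a host/service inventory and then computes an Ndiff-style comparison of two saved scans, which is what the Zenmap result comparison does for you. Both XML documents are constructed by hand to imitate Nmap's -oX format, using addresses from the 192.0.2.0/24 documentation range; they are not real scan results, and the product versions in them are placeholders.

```python
"""Inventory and Ndiff-style comparison of two Nmap XML (-oX) scans.
Added example; the XML below is hand-constructed to mimic Nmap's format."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: first scan of a small segment (192.0.2.0/24 is a documentation range).
SCAN_BEFORE = """<nmaprun scanner="nmap" args="nmap -sV -O -oX before.xml 192.0.2.0/29">
<host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
 <hostnames><hostname name="web.example.test" type="PTR"/></hostnames>
 <ports>
  <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
  <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="nginx" version="1.18.0"/></port>
 </ports>
 <os><osmatch name="Linux 5.X" accuracy="95"/></os>
</host>
<host><status state="up"/><address addr="192.0.2.11" addrtype="ipv4"/>
 <ports><port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port></ports>
</host>
</nmaprun>"""

# Constructed sample: follow-up scan. SSH upgraded, MySQL now exposed, .11 silent, new telnet host .12.
SCAN_AFTER = """<nmaprun scanner="nmap" args="nmap -sV -O -oX after.xml 192.0.2.0/29">
<host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
 <hostnames><hostname name="web.example.test" type="PTR"/></hostnames>
 <ports>
  <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="9.3p1"/></port>
  <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="nginx" version="1.18.0"/></port>
  <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql" product="MySQL" version="8.0.33"/></port>
  <port protocol="tcp" portid="8080"><state state="closed"/></port>
 </ports>
 <os><osmatch name="Linux 5.X" accuracy="95"/></os>
</host>
<host><status state="down" reason="no-response"/><address addr="192.0.2.11" addrtype="ipv4"/></host>
<host><status state="up"/><address addr="192.0.2.12" addrtype="ipv4"/>
 <ports><port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port></ports>
</host>
</nmaprun>"""


def parse_inventory(xml_text):
    """Map each host that is up to its hostname, OS guess and open ports."""
    inventory = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts carry no service information
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:  # IPv6-only host
            addr = host.find("address")
        name = host.find("hostnames/hostname")
        osmatch = host.find("os/osmatch")
        ports = {}
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # only open ports are part of the exposed surface
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            ports[(port.get("protocol"), int(port.get("portid")))] = {
                k: attrs.get(k) for k in ("name", "product", "version")}
        inventory[addr.get("addr")] = {
            "hostname": name.get("name") if name is not None else None,
            "os": osmatch.get("name") if osmatch is not None else None,
            "ports": ports}
    return inventory


def diff_inventories(before, after):
    """Ndiff-style change list of (kind, ip, (proto, port) or None), in address order."""
    changes = []
    for ip in sorted(set(before) | set(after), key=ipaddress.ip_address):
        if ip not in before:
            changes.append(("host_up", ip, None))
            changes += [("port_opened", ip, k) for k in sorted(after[ip]["ports"])]
        elif ip not in after:
            changes.append(("host_down", ip, None))
        else:
            b, a = before[ip]["ports"], after[ip]["ports"]
            for k in sorted(set(b) | set(a)):
                if k not in b:
                    changes.append(("port_opened", ip, k))
                elif k not in a:
                    changes.append(("port_closed", ip, k))
                elif b[k] != a[k]:  # same port, different product or version
                    changes.append(("service_changed", ip, k))
    return changes


def format_report(before, after):
    """Human-readable lines for the audit report."""
    lines = []
    for kind, ip, key in diff_inventories(before, after):
        if key is None:
            lines.append(f"{ip}: {kind.replace('_', ' ')}")
            continue
        svc = after.get(ip, {}).get("ports", {}).get(key) or before[ip]["ports"][key]
        desc = " ".join(v for v in (svc["name"], svc["product"], svc["version"]) if v)
        lines.append(f"{ip} {key[0]}/{key[1]}: {kind.replace('_', ' ')} ({desc})")
    return lines


if __name__ == "__main__":
    print("\n".join(format_report(parse_inventory(SCAN_BEFORE), parse_inventory(SCAN_AFTER))))
```

The report lists a service version change on the web host, a newly exposed database port, a host that stopped answering and a new host offering telnet, which is exactly the kind of delta a follow-up audit needs to explain; a closed port reported by Nmap is deliberately not counted as exposure.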
GFI LANguard is a commercial network analysis and security scanning product which, according to its vendor, is award-winning and used by more than 20,000 customers. It scans networks and ports to detect and remediate vulnerabilities with minimal administration.
A network administrator otherwise has to manage vulnerability assessment, patching and auditing separately, sometimes with several products. With GFI LANguard, these three pillars of vulnerability management are handled by a single program.
GFI LANguard provides a complete picture of the installed network and helps keep the network secure, easily and efficiently.
Tripwire is integrity-control software that ensures that sensitive files on a computer cannot be modified without an alert being raised. To do this, it builds a database (or a simple reference table in the simplest cases) containing a cryptographic hash (often loosely called a digital signature) of each file the administrator wishes to monitor. During the integrity-control phase, Tripwire recomputes the hash of each monitored file and verifies that it matches the one computed when the database was created. If the two do not match, Tripwire raises an alert.
Monitored files can be classified according to different degrees of criticality. Tripwire can be rather complex to configure because its policy, configuration and database files are signed with site and local keys, precisely so that an intruder cannot silently rewrite the baseline to hide a modification. Alerts raised when files are modified can be sent by email.
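The mechanism described above, as an added example in Python (not Tripwire's own code): a baseline of SHA-256 hashes is built for a set of monitored paths, each tagged with an administrator-chosen criticality level; the baseline is protected with an HMAC under a local key, standing in for the site/local key signatures Tripwire applies to its database; and each check recomputes the hashes and reports modified, added and removed files, most critical first. The files, paths and key in demo() are constructed for the demonstration only.

```python
"""Tripwire-style file integrity checking (added example, not Tripwire code)."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

HASH_ALGO = "sha256"


def file_digest(path):
    """Stream the file through the hash so large files do not have to fit in memory."""
    h = hashlib.new(HASH_ALGO)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(policy, key):
    """policy maps each monitored path to a criticality level (higher = more critical).
    A path that does not exist yet is recorded with digest None, so that its later
    appearance (for example a dropped-in startup script) is reported as 'added'."""
    entries = {}
    for path, level in policy.items():
        p = Path(path)
        entries[str(p)] = {"level": level, "digest": file_digest(p) if p.is_file() else None}
    body = json.dumps({"algo": HASH_ALGO, "entries": entries}, sort_keys=True)
    return {"body": body, "tag": hmac.new(key, body.encode(), "sha256").hexdigest()}


def load_baseline(baseline, key):
    """Reject a baseline whose tag does not verify: an intruder who can rewrite the
    database would otherwise hide a modification by updating the stored digest."""
    expected = hmac.new(key, baseline["body"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, baseline["tag"]):
        raise ValueError("baseline integrity check failed: database tampered or wrong key")
    return json.loads(baseline["body"])


def check(baseline, key):
    """Return (kind, path, level) findings, most critical first."""
    findings = []
    for path, ref in load_baseline(baseline, key)["entries"].items():
        p = Path(path)
        if ref["digest"] is None:
            if p.is_file():
                findings.append(("added", path, ref["level"]))
        elif not p.is_file():
            findings.append(("removed", path, ref["level"]))
        elif file_digest(p) != ref["digest"]:
            findings.append(("modified", path, ref["level"]))
    return sorted(findings, key=lambda f: (-f[2], f[1]))


def demo():
    """Constructed scenario: baseline, simulated intrusion, check, and a tampered database."""
    key = b"constructed-local-key"  # Tripwire keeps its keys passphrase-protected on disk
    with tempfile.TemporaryDirectory() as tmp:
        etc = Path(tmp)
        (etc / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (etc / "sshd_config").write_text("PermitRootLogin no\n")
        (etc / "motd").write_text("Authorized use only.\n")
        policy = {str(etc / "passwd"): 3, str(etc / "sshd_config"): 3,
                  str(etc / "rc.local"): 2, str(etc / "motd"): 1}
        baseline = build_baseline(policy, key)
        # Simulated intrusion: root login re-enabled, startup script dropped in, banner removed.
        (etc / "sshd_config").write_text("PermitRootLogin yes\n")
        (etc / "rc.local").write_text("/tmp/.x &\n")
        (etc / "motd").unlink()
        findings = [(kind, Path(path).name, level) for kind, path, level in check(baseline, key)]
        # An intruder lowering a level (or swapping a digest) in the database is caught by the tag.
        tampered = {"body": baseline["body"].replace('"level": 3', '"level": 0', 1),
                    "tag": baseline["tag"]}
        try:
            check(tampered, key)
            tamper_rejected = False
        except ValueError:
            tamper_rejected = True
    return {"findings": findings, "tamper_rejected": tamper_rejected}


if __name__ == "__main__":
    for kind, name, level in demo()["findings"]:
        print(f"[level {level}] {kind}: {name}")
```

Sorting findings by criticality is what lets an alert e-mail lead with the change that matters (here the sshd configuration) rather than with a cosmetic one; the HMAC over the whole serialized baseline is what stops the attacker from simply re-hashing the modified file into the database.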
Nessus is a vulnerability scanner. It reports potential or confirmed weaknesses on the tested computers, including services vulnerable to attacks that would allow an attacker to take control of the computer, access sensitive information or deny service.
Nessus runs on Unix-like systems and Windows; the latest version at the time of writing was 8.4.0, published on May 14, 2019.
It is widely used by system administrators, and in particular by security managers and auditors.
Nessus discovers the live hosts on a network, scans for open ports, identifies the active services and their versions, and then runs its checks against them.
Nessus is classically divided in two parts: nessusd, a daemon (service) that executes the requests and communicates with the target, and a client that retrieves the data and displays the results (originally the nessus client program, now a web interface).
This division is classic: the daemon runs with elevated privileges (root), while the user interface, more complex and thus more exposed, runs as an unprivileged user. The tests are implemented as plugins; some are compiled in C, but most are written in the scripting language NASL (Nessus Attack Scripting Language).
Nessus is a network security scanner capable of detecting weaknesses that can be exploited locally; as well as remotely, by either:
A security policy, which appears as a well-defined action plan made up of a set of measures, guarantees a minimal level of security. It covers all aspects and calls on many stakeholders at various levels. It must foresee the measures to take and the people to alert when an organizational failure or a technical intrusion is detected.
The principal objective, namely maintaining a level of security, comes through the establishment of a culture and technical security solutions.
The first sub-objective is ensured through training sessions, charters, posters, sports, alerts and so on.
The second sub-objective covers policies, archives, monitoring, analysis, filtering, updates, alerts and so on.
Once defined, a security policy must be formulated and written before being distributed and applied.
For the development and establishment of a security policy, numerous actors can be called upon:
The establishment and application of a security policy goes through several steps, which are defined as follows:
For a security policy to be efficient and applicable, it must be composed of several complementary elements that cover different hierarchical levels of the company.
The importance of computer security demands a high-level intervention in a company with the purpose of increasing the efficiency of decision-making and action-taking.
To satisfy this requirement, a security manager and security committee are necessary.
The security manager reports to the management of computer services, fulfilling the following tasks and abilities:
The security committee includes and brings together the pertinent actors of a company, that is, all of the directors. It is led by the security manager and ensures technical vigilance and creates a culture of cyber security.
The technical section of the security policy covers technical domains. It varies depending on the material and software assets installed, and the degree of criticality of the information that is dealt with.
A technical security policy is composed of a group of technical measures and solutions for saving, filtering, monitoring and follow-up. The distinct areas are as follows:
The section on security culture is of capital importance. It must be addressed to all personnel without neglecting any of the end-users. The end-user is anyone with access to the computer system and represents an important link in the chain of computer security and the policy to be established.
Users must be made aware and kept informed via targeted training sessions, posters and charters, which must be adhered to.
Several norms and standards can be used when conducting an audit or following up on its results and impacts, as well as in establishing a computer security policy:
The ISO 27000 series of norms has been reserved by the ISO for information security matters. The series includes a range of individual norms and documents, a number of which have already been published.
ISO 31000 designates a family of norms for managing risks, codified by the International Organization for Standardization (ISO). The objective of the ISO 31000 norm is to offer principles and guidelines for risk management, as well as the processes for establishing it strategically and operationally. It does not seek to impose uniformity on risk management in organizations, but rather to harmonize the multitude of existing approaches, standards and methodologies for risk management.
Currently, the ISO 31000 family includes:
ISO/IEC 38500 is the international norm for the corporate governance of information technology. It was the first official norm for IT governance.
This norm concerns the governance of management processes related to information and communication services used by an organization. These processes can be controlled by computer specialists in an organization or by external service providers.
Security audits are necessary for securing computer systems, but they remain insufficient on their own: they must be complemented and followed up by ongoing technology watch throughout the company, so that the daily state of security is tracked through audit and monitoring tools and through close cooperation with the appropriate organizations.
The security audit is an important step for the survival of a company. It provides a constructive external critique by experts in the domain. This task, required by law in many countries, benefits any company seeking to protect its computing assets.
A security policy, well defined and correctly applied, is the finishing touch to the security measures and to the activities of users. It covers organizational and technical aspects and creates a culture that protects the company from risks and threats.
Computer security continually presents itself as an urgent issue that takes precedence over other concerns; its importance and relevance come from the circumstances and events that remind us of the scale of the damage, material and otherwise, suffered by individuals, companies and states.