Sep 19, 2010

IT security audits

When auditing a computer system, three kinds of audits are currently distinguished:

Black box audit. This is the most difficult kind of audit of all; it is carried out from a network external to the architecture being audited, for instance from the Internet. The auditor has very little data (usually only public IP addresses or URLs) and has to use different techniques to attempt to access the system (Google hacking, social engineering, scanning of open ports and vulnerability analysis, penetration tests, etc.).

This type of audit does not guarantee that a system is absolutely secure, since there may be internal services which a black box audit cannot reach, simply because they are properly protected by correct perimeter security policies.

Grey box audit. In this kind of audit, the analysis is performed from the internal network of the infrastructure being audited. Unlike the black box audit, the auditor is connected to the internal network (he no longer has to worry about evading the external network elements: routers, firewalls, security appliances, etc.) and therefore has greater visibility of the different devices that can be found inside.

Through various hacking techniques (inventory of equipment and services, capture of internal traffic, vulnerability analysis, intrusion tests, etc.), the auditor's goal will be to obtain administrative privileges on most of the infrastructure elements.

White box audit. This type of audit is also carried out from the network being audited, but in contrast to the previous one, the auditor will have credentials for the systems (normal user and administrator accounts), as well as more detailed information about the architecture (which should be provided by the audited organization).

Therefore, the target of this type of audit is to look into the configurations of the different services and systems, in order to find possible anomalous situations (outdated software, weak passwords, malware infections, etc.) that depend on the local security architecture itself. To do this, the auditor can use tools provided by the vendors themselves, as well as other applications available on the market, which always try to carry out a full system check.

From all this it can be concluded that the three kinds of security audit explained here are complementary to each other: although the black box audit gives us a more generic view of how a supposed attacker would act, we must bear in mind that this person will not stop once he has gained access to, for example, the web server, but will also attempt to gain access to the rest of the systems.

White box audits supply more detailed information about the local security of the different devices, and they are usually the audits most requested by companies, since they can prevent, for example, current or former employees of the company from carrying out malicious actions.

And why do companies often require white box audits rather than grey box ones? The answer is very simple: it is only a question of time before an auditor connected to the company's internal network obtains user credentials by capturing network traffic. So what is wanted is simply a time saving for both parties.

And finally, it is also important to remember that securing an infrastructure does not mean placing many security elements at the Internet entry point; it will also be necessary to apply correct local security policies (network segmentation, strong passwords, antivirus, security patches, etc.).
