Conducting computer security audits to keep one step ahead

Office of CIO Communications Team

What is a Computer Security Audit?

The mere mention of the word “audit” can invoke a sense of dread, but in the world of Information Assurance (IA), an audit can be a very good thing. It’s the best way to analyze the security of our information and information systems. And as technology evolves and ever so stealthily inches from the perimeter into the very nucleus of our lives, information security will become increasingly paramount.

Information security has been a hot topic in the defense and commercial environments in the last several years. According to the Computer Security Institute / Federal Bureau of Investigation Computer Crime and Security Survey published in October 2005, cyber crime losses in 2005 totaled more than $130 million. Most of the losses were due to viruses, unauthorized access to computers, and theft of proprietary data. With stakes so high, many organizations’ leaders have found it worthwhile to conduct computer security audits to more quickly identify issues that could lead to critical system compromises.

A computer security audit is essentially an assessment that involves conducting vulnerability scans, reviewing system access controls, and analyzing physical access to the systems. The audit also focuses on how information security is implemented throughout the organization.

Examiners look at how technical as well as non-technical procedures are adhered to in order to ensure that the organization’s information infrastructure is being adequately protected. One example of a technical check would be to make sure all of the firewall rules match the organization’s firewall policy. This could be done by conducting a penetration test or vulnerability scan using one of many tools that are available. A password cracking package, such as L0phtCrack, can also be used to ensure password policies are being followed.
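The firewall check described above, as an added illustration that is not code from this article or from NAVAIR: a small Python script that compares a deployed firewall ruleset against the written allow-list policy and reports two kinds of audit findings, allow rules that no policy entry authorizes, and policy entries that no deployed rule implements. The rule syntax, the ruleset and the policy are constructed sample data for the example, not a real NAVAIR configuration.

```python
"""Audit check: does the deployed firewall ruleset match the written policy?

Constructed example. The rule format below ("allow tcp SRC -> DST port N")
is an assumption made for this illustration; real firewalls export rules in
their own formats and would need their own parser.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    proto: str           # "tcp", "udp" or "any"
    src: str             # source network in CIDR notation
    dst: str             # destination network in CIDR notation
    port: Optional[int]  # None means any destination port


def parse_rules(text: str) -> List[Rule]:
    """Parse lines such as 'allow tcp 10.0.0.0/8 -> 10.1.2.3/32 port 443'.

    Text after '#' is a comment; blank lines are ignored.
    """
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        action, proto, src, arrow, dst, *rest = line.split()
        if arrow != "->":
            raise ValueError(f"malformed rule: {line!r}")
        port = int(rest[1]) if len(rest) == 2 and rest[0] == "port" else None
        rules.append(Rule(action, proto, src, dst, port))
    return rules


def rule_within(rule: Rule, policy: Rule) -> bool:
    """True if `rule` permits only traffic that the `policy` entry also permits."""
    return (
        policy.proto in ("any", rule.proto)
        and ip_network(rule.src).subnet_of(ip_network(policy.src))
        and ip_network(rule.dst).subnet_of(ip_network(policy.dst))
        and (policy.port is None or policy.port == rule.port)
    )


def audit(ruleset: List[Rule], policy: List[Rule]) -> Tuple[List[Rule], List[Rule]]:
    """Compare deployed allow rules against an allow-list policy.

    Returns (unauthorized, unimplemented):
      unauthorized  - deployed allow rules not covered by any policy entry
                      (too broad, or for traffic the policy never mentions)
      unimplemented - policy entries with no deployed allow rule inside them
    Deny rules are not findings: the policy only lists what must be allowed.
    """
    allows = [r for r in ruleset if r.action == "allow"]
    unauthorized = [r for r in allows if not any(rule_within(r, p) for p in policy)]
    unimplemented = [p for p in policy if not any(rule_within(r, p) for r in allows)]
    return unauthorized, unimplemented


# Constructed sample policy and ruleset for the example.
POLICY = """
allow tcp 0.0.0.0/0  -> 10.1.2.3/32 port 443   # public web server
allow tcp 10.0.0.0/8 -> 10.1.2.4/32 port 22    # admin SSH from the corporate LAN only
"""

DEPLOYED = """
allow tcp 0.0.0.0/0  -> 10.1.2.3/32 port 443
allow tcp 0.0.0.0/0  -> 10.1.2.4/32 port 22    # broader than policy: SSH from anywhere
allow udp 10.0.0.0/8 -> 10.1.2.5/32 port 161   # no policy entry covers SNMP
deny  any 0.0.0.0/0  -> 0.0.0.0/0
"""


def main() -> None:
    unauthorized, unimplemented = audit(parse_rules(DEPLOYED), parse_rules(POLICY))
    for r in unauthorized:
        print(f"FINDING: deployed rule not authorized by policy: {r}")
    for p in unimplemented:
        print(f"FINDING: policy entry not implemented by any rule: {p}")
    if not unauthorized and not unimplemented:
        print("OK: ruleset matches policy")


if __name__ == "__main__":
    main()
```

Run against the sample data, the script reports the over-broad SSH rule and the SNMP rule as unauthorized, and the LAN-only SSH policy entry as unimplemented (the deployed SSH rule is wider than the policy, so it does not count as implementing it). An identical policy and ruleset produce no findings.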

Among the non-technical security audit review items is the enforcement of separation of duties. Separation of duties ensures that different security-related tasks are carried out by different people. This makes it more difficult for a single individual to compromise an entire system. As an example, you wouldn’t want one person to write software code, test it, and then put it in a production environment without oversight. Other non-technical items that can be examined during an audit are access control lists, audit logs, and configuration management.

So what can you do to help your organization pass a computer security audit?

Securing the computers and facilities is only part of the process. System users can also create vulnerabilities for an organization’s information system. Often, during a security audit, examiners will question users about their interactions with the systems that they use on a daily basis. As a user, you should be aware of policies governing the systems and applications you use regularly.

Many applications have rules of behavior that explain the security features of the system and how they are used to protect the system and the user from threats. Rules of behavior might describe the system’s password policy, rules for sharing data that is being accessed, and the consequences for violating these policies.

One method auditors use to test how users respond is to attempt to violate security through social engineering, that is, using social skills to obtain information such as passwords, personal identification numbers or other crucial authentication information. Our natural human tendency is to accept someone at his or her word, and this is exactly what makes people the weakest link in the security chain. For example, someone could call a NAVAIR end user at his or her desk and identify himself or herself as an NMCI help desk representative or network administrator charged with resetting passwords. Once the caller obtains a username and password, he or she can gain unauthorized access to the network and attack the network infrastructure or access the organization’s proprietary documents. The goal of social engineering may be simply to disrupt the system or network, or it could be something much more serious, such as to commit fraud, identity theft, network intrusion, or espionage.

Individual end users are a key element in helping system administrators and security officers protect an organization’s information resources. It all starts with awareness.

If you would like more information on any information security or IA matters or if you suspect any unusual activity or security compromise, contact your local IA Officer, IA Manager, the NAVAIR 7.2.6 Information Assurance office, or the NAVAIR 7.4.1 security office. A list of IA Points of Contact is located on the Office of CIO Web site https://cio.navair.navy.mil.

About the author: Kevin Meadows, a regular contributor to Office of CIO communications, is an employee of Smartronix Corporation, Information Assurance Division.