IT Security Auditing and SOC Reports
30 Questions
Questions and Answers

What distinguishes a 'Prudent' permission level from a 'Permissive' permission level?

  • A prudent level permits any action that is deemed necessary.
  • A prudent level permits a reasonable list of actions while prohibiting others. (correct)
  • A prudent level has strict monitoring of all activities.
  • A prudent level allows everything unless specifically prohibited.

Which statement best describes the purpose of conducting security audits?

  • To create new security policies for the organization.
  • To determine client customer satisfaction about security measures.
  • To monitor employee activities and their adherence to policies.
  • To verify that security controls are properly installed and effective. (correct)

What defines unacceptable actions in security policy?

  • Actions that do not align with industry standards.
  • Actions that lack explicit documentation.
  • Actions that promote business growth.
  • Actions that are specifically banned by the policy. (correct)

What can be inferred about organizations that operate under a 'Paranoid' permission level?

They limit allowed actions to only a few and monitor them closely.

    How should an organization determine the appropriate level of security control?

    By ensuring the level matches the risks it is intended to address.

    Which type of SOC report is intended for organizations that must adhere to Sarbanes-Oxley (SOX) compliance?

    SOC 1

    For which audience is the SOC 2 report primarily intended?

    Management, regulators, and stakeholders

    Which of the following is NOT a component of the SOC report framework?

    SOC 4

    Which area in defining the audit plan involves reviewing documentation and incident logs?

    Defining the scope of the plan

    Who are the primary users of the SOC 3 report?

    Public consumers of SOC 2 service providers

    Which of the following actions is generally NOT part of the scope definition for an audit?

    Conduct employee interviews

    What is the main purpose of a SOC 1 report?

    To assess internal controls over financial reporting

    What is the primary purpose of auditing benchmarks in IT security?

    To compare system configurations against set security standards

    Which of the following is NOT a method of audit data collection?

    Performance assessment

    Which auditing framework focuses on evaluating and improving IT infrastructure management?

    Information Technology Infrastructure Library (ITIL)

    What is the audit goal for cryptographic controls during a security audit?

    To verify the encryption of sensitive data in transit

    What would be an appropriate audit goal regarding system access policies?

    To assess if policies comply with current technology standards

    Which of the following is likely to be included in a review of system hardening policies?

    Management of open ports and services

    Which control objective is closely associated with intrusion detection and event-monitoring systems?

    Perform log reviews to identify unusual activities

    What is the audit goal related to endpoint protection during a security audit?

    To ensure a universal application for endpoint security

    Which audit area would focus specifically on key management and usage?

    Cryptographic controls

    What is a primary reason organizations disable logging features?

    To reduce the amount of information generated

    Which type of log specifically tracks requests for access to resources?

    Access logs

    What is a potential issue related to log management?

    Excessive manual analysis requirements

    Which type of encryption is specifically mentioned as a concern for network monitoring?

    Network Layer encryption

    What type of log is focused primarily on system and application events?

    Event logs

    What is a key feature of a Security Information and Event Management (SIEM) system?

    Centralized log file management

    Which type of anomaly in logging refers to incorrect positive identifications?

    False positives

    What is one major challenge associated with non-real-time monitoring?

    Delayed incident response

    Which type of logging captures defined events for auditing purposes?

    Audit logs

    Study Notes

    Auditing, Testing, and Monitoring

    • Auditing a computer system involves checking its operation against security goals.
    • Security audits are crucial for preventing data breaches.
    • Audit tests can be manual or automated.
    • Assessing a system requires defining how it's supposed to work.
    • Security policies should define acceptable and unacceptable actions.
    • Controls must support the security policies.
    • Effective controls need consistent implementation and upkeep.

    Security Controls

    • Monitoring ensures that controls capture actions and changes within an environment.
    • Auditing reviews logs and the overall environment to independently assess the effectiveness of security policies and controls.
    • Proposals for improving security programs and controls are included in audit results and accepted by management.
    • New and existing controls ensure the intended level of security.

    The Security Review Cycle

    • The security review cycle is a process that includes monitoring, auditing, improvement, and securing.
    • Each stage builds upon the previous one to establish a continuous process for maintaining a high level of security.

    Determining What Is Acceptable

    • Security policies define acceptable and unacceptable actions.
    • Organizations may base their own security standards and policies on those published by existing standards bodies.
    • Communications and actions permitted by policy are acceptable.
    • Communications and actions that a policy specifically bans are unacceptable.

    Permission Levels

    • Promiscuous: Everything is allowed.
    • Permissive: Anything not prohibited is acceptable.
    • Prudent: A reasonable set of permitted actions and all others prohibited.
    • Paranoid: A very limited set of permitted actions and all others prohibited and carefully monitored.

    Areas of Security Audits

    • Audits can be broad, covering entire departments or business functions, or narrow, focusing on a single system or control.

    Purpose of Audits

    • Audits assess the appropriateness of the security level.
    • Appropriate security controls are suitable for the risk addressed.
    • Security controls are correctly installed and functioning in the right location.
    • The effectiveness of controls relates to how well they address identified risks.

    Customer Confidence

    • Customers are more likely to share sensitive information when they trust the organization's security.
    • Service Organization Control (SOC) frameworks and reports provide confidence about an organization's security controls.
    • SOC 1 reports cover internal control over financial reporting; SOC 2 reports cover security and related controls for management, regulators, and stakeholders; SOC 3 reports summarize SOC 2 results for a public audience.

    Defining the Audit Plan

    • Establish objectives to define systems or business processes for review.
    • Identify areas of assurance to check.
    • Determine personnel to participate in the audit process.

    Defining the Scope of the Plan

    • Survey the system(s) to be audited.
    • Review documentation related to the systems.
    • Analyze risk analysis outputs.
    • Review logs (server, device, application, incident logs).
    • Evaluate results of penetration tests.

    Audit Scope and the Seven Domains of the IT Infrastructure

    • Seven major domains in the scope of IT infrastructure audit include remote access, WAN, LAN-to-WAN, workstations and users, LAN, intranet services, and system and major applications.

    Auditing Benchmarks

    • Benchmarking is crucial to determine if a system meets security standards, using frameworks like ISO 27002, NIST Cybersecurity Framework (CSF), ITIL, COBIT, and COSO.

    Audit Data Collection Methods

    • Collecting audit data uses various methods, including questionnaires, interviews, observation, checklists, reviewing documentation, configurations, policies, and security testing.

    Areas of Security Audits (1 of 2)

    • Endpoint protection reviews antivirus/anti-malware, endpoint detection and response (EDR), and host-based firewalls.
    • System access policies govern who may access systems and under what conditions.
    • System intrusion detection and monitoring systems help detect and examine potential threats.
    • System hardening policies enhance system security and mitigate vulnerabilities.
    • Cryptographic controls handle security of sensitive data.

    Areas of Security Audits (2 of 2)

    • Contingency planning addresses business continuity plans (BCP), disaster recovery plans (DRP), and continuity of operations plans (COOP).
    • Hardware and software maintenance agreements are reviewed.
    • Physical security of doors, power supplies, etc., is reviewed.
    • Access control ensures "need to know" principles based on least privilege.
    • Change control processes and configuration management assure changes and modifications are controlled.
    • Media protection practices cover media handling and management.

    Control Checks and Identity Management

    • Approval processes for access requests are scrutinized.
    • Authentication mechanisms employed for security purposes are analyzed.
    • Effective password policies and their enforcement are assessed.
    • Monitoring systems to detect unauthorized access are examined.
    • Remote access systems are evaluated for security with strong authentication.

    Post-Audit Activities

    • Post-audit activities summarize and analyze the findings: conducting follow-up interviews, analyzing the collected data, developing findings and recommendations, setting a timeline for implementation, rating the level of risk, assessing management's response, presenting the findings, and following up until the recommendations are implemented.

    Security Monitoring

    • Baselines, alarms, alerts, trends, and closed-circuit TV systems are monitored for security.
    • Systems that detect unusual or irregular behavior are monitored actively.

    Security Monitoring for Computer Systems

    • Real-time monitoring systems (HIDS), system integrity monitoring, and data loss prevention (DLP) software are critically assessed.
    • Application and system logging (host-based, network based) capture activity and provide information for analysis.

    Monitoring Issues

    • Excessive log information can be a challenge, requiring automation to analyze and effectively monitor log data.
    • Other monitoring issues require proper log management: the spatial distribution of switched networks, encryption requirements at different layers (network and application), logging anomalies, and false positives.

    Types of Log Information to Capture (1 of 2)

    • Event logs covering operating system and application events.
    • Access logs to track resource access attempts.
    • Security logs to detail security-related events.

    Types of Log Information to Capture (2 of 2)

    • Security information and event management (SIEM) system helps to standardize data and produce easy-to-read dashboards for monitoring.
    • Security orchestration, automation, and response (SOAR) systems extend SIEM functionality.
    • Log information from firewalls, routers, switches, web hosts, and antivirus/IDS devices are captured to understand and examine system interactions.

    How to Verify Security Controls

    • IDSs, IPSs, and firewalls are important for monitoring activity.

    IDS as a Firewall Complement

    • Intrusion Detection Systems (IDSs) are critical complements to firewalls; they help prevent security breaches by identifying, logging, and reporting suspicious activity.

    Basic Network IDS (NIDS) as a Firewall Complement

    • Basic Network Intrusion Detection Systems (NIDS) act as a complement to firewall systems by analyzing network traffic. NIDS examine data traffic against predefined rules, detecting unauthorized activities and unusual patterns.

    Analysis Methods

    • Pattern- or signature-based IDSs use rule-based detection and rely on pattern matching.
    • Anomaly-based IDSs build a profile of normal behaviour and flag deviations from it, using statistical methods, traffic-based methods, and protocol pattern analysis.

    HIDS

    • Host-based Intrusion Detection Systems (HIDS) analyze processes, system calls, and other behaviors to prevent malicious actions.
    • HIDS can be paired with IPSs, preventing inappropriate traffic.

    Layered Defense: Network Access Control

    • Layered defense mechanisms help protect internal networks.
    • Multiple security layers such as firewalls and routers prevent unauthorized access.

    Using NIDS Devices to Monitor Outside Attacks

    • Network Intrusion Detection systems (NIDS) monitor traffic from external networks, which can help detect outside attacks, especially malicious traffic.
    • Traffic is monitored to check for unauthorized access attempts and malicious activities.

    Host Isolation and the Demilitarized Zone (DMZ)

    • Host isolation and DMZ (Demilitarized Zone) are implemented to separate trusted networks from external untrusted networks.
    • DMZ provides a secure zone for web servers, email services, and other externally-accessible servers.

    System Hardening (1 of 2)

    • Unnecessary services are turned off or disabled.
    • Management interfaces and applications are secured.
    • Passwords are secured using strict policies.
    • Unnecessary user accounts are removed.
    • Systems are upgraded with the latest software patches.

    System Hardening (2 of 2)

    • Unused network interfaces and application ports are disabled.
    • Media Access Control (MAC) filtering is used for access control.
    • 802.1X port-based Network Access Control (PNAC) is implemented.
    • Baseline configurations are created for a known standard.
    • Endpoint protection programs are reviewed for compliance and effectiveness.

    Monitoring and Testing Security Systems

    • Risks include unauthorized access, malicious code, Trojans, and malware from external attacks.
    • Sensitive data leakage from inside the organization can pose a threat.
    • Monitoring tools like IDS and IPS are used to identify and block, respectively, abnormal traffic.

    Testing

    • Security testing involves several steps, including reconnaissance (learning about the target system), network mapping (identifying network structures and devices), vulnerability testing (finding vulnerabilities in systems and applications), and penetration testing (simulating attacks).

    Security Testing Road Map

    • The security testing road map includes reconnaissance, network mapping, vulnerability testing, penetration testing, and mitigation.
    • Penetration testing simulates attacks to identify vulnerabilities.
    • Reconnaissance involves identifying targets and collecting information about their systems.

    Establishing Testing Goals and Reconnaissance Methods

    • Establish testing goals which should be ranked by criticality.
    • Document vulnerabilities and time periods for comparison.
    • Preparation for a security audit is required.
    • Reconnaissance methods like social engineering, WHOIS, and zone transfer are used.

    Network Mapping

    • Network mapping involves probing to discover available services and their statuses.
    • System information (operating systems, services) is gathered during network mapping.

    Network Mapping with Internet Control Message Protocol (ICMP) (Ping)

    • ICMP (Ping) packets allow for network mapping.
    • The goal is to determine if a network host is accessible by sending and receiving ICMP packets.

    Network Mapping with Transmission Control Protocol (TCP)/Synchronize (SYN) Scans

    • TCP/SYN scans identify open ports by sending SYN packets.
    • The pattern of SYN/ACK and RST responses observed by the probing host provides insight into the target's (or network's) capabilities and how it responds to probes.

    Operating System Fingerprinting

    • Fingerprinting identifies a system from how it behaves when probed: the characteristics of its TCP/IP communication and its response patterns.
    • The goal is to determine the operating system running on each host in the network.

    Covert Versus Overt Testers

    • Covert testers impersonate external attackers and test without prior notification, while overt testers inform the target of testing and are usually considered an internal audit.

    Testing Methods

    • Black-box testing does not rely on knowledge of internal system architecture or design.
    • White-box testing utilizes knowledge of the system's architecture and source code.
    • Gray-box testing blends elements of black-box and white-box testing.

    Security Testing Tips and Techniques

    • Choose appropriately fitted security testing methods.
    • Tools may introduce errors and must be understood.
    • Protecting systems is paramount during testing.
    • Simulation of real-world attacks is crucial to accurate security testing.

    Summary

    • Security audits, monitoring, and testing rest on policies that define acceptable and unacceptable actions.
    • The different permission levels (promiscuous, permissive, prudent, and paranoid) have different security implications, and each level calls for its own analysis methods.
    • Security testing should be as realistic as possible so that it accurately reflects the security posture of the network being analysed.

    Description

    This quiz covers the fundamentals of IT security auditing, focusing on key concepts like permission levels, security policies, and SOC reports. It explores the distinctions between different types of SOC reports and the purpose of conducting audits within organizations. Test your knowledge on auditing standards and compliance requirements.
