Network Security Auditing

Yin Pan, Bo Yuan, Sumita Mishra
DOI: 10.4018/978-1-60960-777-7.ch008

Abstract

As people increasingly rely on computer systems and networks for services such as online banking, online shopping, and socialization, information security for identity protection and privacy has become more important today than ever. Businesses and organizations are also obligated to provide such security to comply with state and federal laws and regulations. Managing security risks and ensuring compliance with information security regulations and industry standards have become important for businesses and organizations. Security auditing is an effective process to assess policies, procedures, and controls in identifying risks associated with networks and various operating systems. This chapter emphasizes network security audits and discusses various auditing procedures and technologies to identify and examine threats and vulnerabilities in computer networks, and to determine how to assess and manage risk posed to a network.

Introduction

We live in a connected world, increasingly dependent on computer systems and networks for news, business, social networking, and daily life activities. However, over the past decades, very little has changed in the computer system and network architectures and communications protocols, which were not initially designed for the magnitude of current networks and usages. By taking advantage of existing vulnerabilities and flaws in protocol designs and implementations, adversaries with various motives have launched cyber-attacks against businesses and organizations to steal intellectual property and personal records, which results in financial losses, damaged reputations, serious degradations of critical services, and reduced public confidence (Kraemer et al, 2009; McClure et al, 2009; Wilson, 2009). Network security is a prime concern for governments, businesses and citizens. Maintaining network and systems integrity, availability and security is imperative for protecting data and ensuring normal operations.

A combination of technologies such as firewalls, intrusion detection systems (IDS), and encryption has greatly increased network security, but these are insufficient to prevent web-based attacks, social engineering attacks, social network attacks, hidden backdoors, etc. To counter these types of attacks, security policies, procedures and controls must be set and checked regularly. Security auditing, through penetration tests (He & Body, 2005), active scanning, passive sniffing and analysis, is an effective process to measure policies, procedures and controls in identifying risks associated with networks and various operating systems (Buchanan & Gibb; Longley et al, 2008; Sayana, 2003; Wright et al, 2008; Zhang et al, 2009). Auditing creates roadmaps for organizations to build defenses and countermeasures against cyber attacks and threats. As Westcott (2007) stated, “A comprehensive security audit may not cure all of a security manager’s data woes, but it should go a long way toward reducing the risk of exposing negative consequences” (p. 8). Audits will uncover security holes that expose organizations to malicious acts.

Information system audits include auditing corporate policies, frameworks, operating systems and databases, application software, physical security, network security, etc. Although most companies are confident about the physical security of their offices and facilities, little is known about the security of their computer networks. This chapter emphasizes an important component of overall information systems auditing: network security audits. It discusses procedures and technologies to identify various network threats and vulnerabilities, and to determine how to assess and manage risks posed to a network. This chapter also demonstrates, through a case study, the state-of-the-art techniques used in different phases of network auditing, including network discovery, penetration, and network threat analysis and control.
