Skip to content

Latest commit

 

History

History
156 lines (116 loc) · 16.7 KB

1.5-auditing-fundamentals.md

File metadata and controls

156 lines (116 loc) · 16.7 KB
Raw

1.5 Auditing Fundamentals

⚡ Prerequisites

  • Basic networks concepts

📕 Learning Objectives

  • Describe cyber security and explain cyber maturity
  • Identify common frameworks and governing regulations
  • Perform network auditing

Authorization is required to conduct systems auditing.

Cybersecurity Basics

Cybersecurity refers to the practice of protecting computer systems, networks, software, and data from various forms of cyber threats, attacks, and unauthorized access. It encompasses a wide range of measures, technologies, processes, and best practices designed to ensure the confidentiality, integrity, and availability of digital information and technology resources.

The main objectives of cybersecurity include:

  1. Protecting Confidentiality: Ensuring that sensitive and valuable information remains accessible only to authorized individuals or entities, preventing unauthorized access, data breaches, and leaks.
  2. Maintaining Integrity: Ensuring that data and systems are accurate, trustworthy, and free from unauthorized alterations or manipulations that could compromise their reliability.
  3. Ensuring Availability: Ensuring that systems, networks, and data are accessible and operational when needed, and defending against attacks that could disrupt or deny access to resources.
  4. Authenticating and Authorizing Users: Verifying the identity of users and granting them appropriate levels of access based on their roles and responsibilities within the organization.
  5. Implementing Defense Mechanisms: Employing various technologies and strategies to prevent, detect, and respond to cyber threats. This includes firewalls, intrusion detection and prevention systems, antivirus software, encryption, and more.
  6. Educating Users: Providing training and awareness programs for employees and users to help them recognize and respond to potential cyber threats, such as phishing attacks and social engineering.
  7. Incident Response: Developing plans and processes to quickly and effectively respond to security incidents, breaches, and cyberattacks to minimize damage and restore normal operations.
  8. Regular Monitoring and Analysis: Continuously monitoring networks, systems, and data for unusual or suspicious activities and analyzing potential vulnerabilities and threats.
  9. Compliance and Regulations: Ensuring that cybersecurity practices align with industry regulations and legal requirements to protect user privacy and data security.

CIA Triad

CIA refers to the three core principles that guide information security practices. These principles are often referred to as the "CIA Triad," and they represent the fundamental goals that cybersecurity measures aim to achieve for protecting information and systems. The CIA Triad stands for:

  1. Confidentiality: This principle focuses on ensuring that sensitive information is accessible only to authorized individuals or entities. Confidentiality involves controlling access to data and preventing unauthorized disclosure of information. Encryption, access controls, and user authentication mechanisms are examples of measures that help maintain confidentiality.
  2. Integrity: Integrity aims to ensure the accuracy, trustworthiness, and reliability of data and systems. It involves protecting data from unauthorized alterations, modifications, or deletions. Hashing, digital signatures, and data validation mechanisms are used to maintain data integrity.
  3. Availability: Availability emphasizes that systems, networks, and data should be accessible and operational when needed. This principle involves implementing measures to prevent and mitigate disruptions caused by cyberattacks, hardware failures, or other incidents. Redundancy, backup systems, and disaster recovery plans are examples of strategies to maintain availability.

Compliance

Compliance refers to the process of adhering to relevant laws, regulations, standards, and best practices that are designed to ensure the security, privacy, and ethical handling of digital information and technology resources. Organizations are required to meet certain cybersecurity compliance requirements to protect sensitive data, prevent data breaches, and maintain the trust of their customers and stakeholders.

Key aspects of compliance in cybersecurity include:

  1. Regulations and Laws: Various laws and regulations, such as the European Union's General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA) in the United States, and the Payment Card Industry Data Security Standard (PCI DSS), impose specific cybersecurity requirements on organizations operating within their jurisdictions.
  2. Industry Standards: There are industry-specific standards and frameworks that provide guidelines for cybersecurity best practices. Examples include ISO 27001, NIST Cybersecurity Framework, and CIS Critical Security Controls. These standards help organizations establish robust security practices tailored to their industry.
  3. Data Protection: Compliance often includes measures to protect personal and sensitive data from unauthorized access, disclosure, and manipulation. This involves implementing strong access controls, encryption, and data retention policies.
  4. Privacy: Compliance with privacy regulations involves safeguarding individuals' personal information and providing transparency about how data is collected, used, and stored. Organizations need to obtain appropriate consent and provide individuals with the ability to manage their data.
  5. Risk Management: Compliance frameworks often require organizations to identify and assess cybersecurity risks and develop plans to mitigate them. This includes conducting regular risk assessments and implementing security controls accordingly.
  6. Incident Response: Compliance requires organizations to have a well-defined incident response plan in place to handle security breaches and data breaches effectively. Timely reporting of incidents to relevant authorities and affected individuals may also be mandatory.
  7. Audits and Assessments: Compliance often involves internal and external audits to assess the organization's adherence to the required cybersecurity controls. These assessments help identify gaps and areas for improvement.
  8. Documentation: Organizations need to maintain proper documentation of their cybersecurity policies, procedures, risk assessments, and compliance efforts. Documentation helps demonstrate a commitment to security and can be useful during audits.

Non-compliance with cybersecurity regulations and standards can lead to legal consequences, financial penalties, damage to reputation, and loss of customer trust. Therefore, compliance is a critical aspect of an organization's overall cybersecurity strategy, ensuring that they are following best practices to protect their data, systems, and stakeholders.\

Controls come from a variety of Cybersecurity frameworks and regulations, such as:

  • PCI DSS (Payment Card Industry Data Security Standard )
    • mandated by card brands, created to increase controls around cardholder data
    • reduce card fraud
  • GDPR (General Data Protection Regulation)
    • Data protection and privacy law in the EU (European Union) and EEA (European Economic Area)
  • HIPAA (Health Insurance Portability and Accountability Act)
    • United States regulations for the use and disclosure of PHI (Protected Health Information)
    • Administrative, physical, technical safeguards
  • CPPA (California Consumer Privacy Act.)
    • enhance privacy rights and consumer protection for California (USA) residents

Frameworks and Maturity

🗒️ Cybersecurity Frameworks are sets of controls that represents a fully functional cybersecurity program when met.

  • NIST Cybersecurity Framework (National Institute of Standards and Technology)
    • Identify, Protect, Detect, Respond, Recover - best practices
    • Applies to any organization
    • NIST 800-53 disegned to apply to U.S. Federal Government agencies.
  • ISO/IEC 27001 (International Organization for Standardization and the International Electrotechnical Commission)
    • Information security management systems - Requirements
    • ISO/IEC 27002 - Code of practice for information security controls
  • COBIT by ISACA
    • business and generic IT management focused
  • CIS (Center for Information Security)
    • 18 CIS Controls for mitigate the most known cyber attacks
  • CMCC (Cybersecurity Maturity Model Certification)
    • Simplifies compliance by allowing self-assessment for some requirements
    • Applies priorities for protecting Department of Defense (DoD) information
    • Reinforces cooperation between the DoD and industry in addressing evolving cyber threats
  • ASD Essential 8 (Australian Signals Directorate)

Auditing

A security audit is a comprehensive assessment of an organization's information systems, policies, procedures, and practices to evaluate their effectiveness in safeguarding digital assets and sensitive information. The primary purpose of a security audit is to identify vulnerabilities, weaknesses, and potential risks that could compromise the confidentiality, integrity, and availability of data and systems. It involves a systematic and thorough review of various aspects of an organization's security posture.

Key elements of a security audit include:

  1. Objective Assessment: A security audit is conducted by trained professionals who are independent from the organization being audited. This ensures an unbiased evaluation of security controls and practices.
  2. Compliance Evaluation: Auditors assess whether the organization's security measures align with relevant laws, regulations, industry standards, and internal policies. This includes checking for adherence to frameworks like ISO 27001, NIST Cybersecurity Framework, and specific industry regulations.
  3. Risk Identification: Auditors identify potential security risks, vulnerabilities, and threats that could lead to security breaches or unauthorized access. This may involve vulnerability assessments and penetration testing.
  4. Control Effectiveness: Security controls, such as access controls, firewalls, encryption methods, and intrusion detection systems, are evaluated to determine if they effectively mitigate identified risks.
  5. Data Protection and Privacy: Auditors assess how the organization handles and protects sensitive and personal data to ensure compliance with data protection and privacy regulations.
  6. Physical Security Review: In addition to digital security, physical security measures are often evaluated. This includes access controls to facilities, server rooms, and storage areas.
  7. Documentation Analysis: Auditors review security policies, procedures, incident response plans, and documentation to ensure they are comprehensive and up-to-date.
  8. Reporting and Recommendations: Following the audit, auditors compile their findings into a detailed report. This report includes identified vulnerabilities, weaknesses, compliance gaps, and recommendations for improvements.

SCAP

The SCAP ((Security Content Automation Protocol) is a framework that provides a standardized approach for creating, maintaining, and sharing security-related information, such as configuration standards, vulnerability information, and security checklists. SCAP is designed to help organizations automate security-related tasks, including vulnerability assessment, compliance checking, and security measurement. It aims to streamline security processes by providing a common language and format for expressing security-related information.

STIG

DISA STIG Viewer (Security Technical Implementation Guide) is a specific implementation of SCAP developed by the U.S. Department of Defense (DoD). STIGs provide guidance for securing computer systems and software by detailing specific configuration settings and security measures that should be applied to various technologies. STIGs cover a wide range of systems, applications, and devices, and they help organizations align with DoD security requirements.

A STIG Viewer is a tool that allows users to view, search, and analyze the content of STIGs in an organized and user-friendly manner. It helps security professionals, system administrators, and auditors to understand the specific security requirements outlined in the STIGs and to assess their systems' compliance with these requirements. STIG Viewers often provide features such as filtering, searching, and reporting, making it easier to identify configuration settings that need to be adjusted to meet security standards.

Asset Management

Nmap

{% content-ref url="http://127.0.0.1:5000/s/iS3hadq7jVFgSa8k5wRA/pratical-ethical-hacker-notes/nmap" %} Nmap {% endcontent-ref %}

  • General audit internal devices with an internal network scan using nmap tool to find active services and open ports
nmap 192.168.50.0/24

nmap -A 192.168.50.1,5,10
# Aggressive scan (Syn, Service, O.S, Default Scripts Scans) on specific IPs

Nessus

Nessus is a widely used vulnerability assessment tool designed to help organizations identify and assess vulnerabilities within their computer systems, networks, and applications. It is developed by Tenable, a cybersecurity company, and is known for its effectiveness in detecting security weaknesses that could potentially be exploited by malicious actors.

Nessus performs automated vulnerability scanning and provides detailed reports that help organizations understand their security posture, prioritize remediation efforts, and reduce the risk of cyberattacks. Here are some key features and functionalities of Nessus:

  1. Vulnerability Scanning: Nessus scans systems and networks for known vulnerabilities, misconfigurations, and security weaknesses. It identifies issues such as outdated software, missing patches, default credentials, and insecure configurations.
  2. Remote and Local Scanning: Nessus can conduct both remote scans (over the network) and local scans (on the host itself) to identify vulnerabilities from different perspectives.
  3. Plugin Database: Nessus uses a vast database of security plugins that contain checks for various vulnerabilities across different platforms, applications, and services.
  4. Customized Scans: Users can tailor scans to focus on specific assets, systems, or compliance requirements. This allows organizations to address their unique security concerns.
  5. Compliance Auditing: Nessus can assess systems against various compliance standards, such as PCI DSS, HIPAA, and CIS benchmarks, to ensure that systems adhere to industry-specific security requirements.
  6. Web Application Scanning: In addition to network and system scanning, Nessus offers capabilities for identifying vulnerabilities in web applications, helping organizations secure their web services.
  7. Reporting: Nessus generates detailed reports that provide information about identified vulnerabilities, severity levels, and recommendations for remediation. These reports help organizations prioritize and address security issues.
  8. Integration: Nessus can integrate with other security tools and platforms, enabling organizations to streamline vulnerability management and response workflows.
  9. Continuous Monitoring: Organizations can use Nessus for regular and continuous vulnerability monitoring to stay informed about new vulnerabilities and potential threats.
  • Nessus Essentials is the free version of the V.A. tool by Tenable.
    • Limited to 16 IPs for V.A.
    • Build in insights with latest vulnerabilities
    • No usage time limit
    • Report export as PDF, HTML, CSV formats
  • Nessus Documentation