Security Audit - Wright State University安全审计-莱特州立大学.ppt

Security Audit Prabhaker Mateti What is a security audit? Policy based Assessment of risk Examines site methodologies and practices Dynamic Communication What kinds of Security Audits are there? Host Firewall Networks Large networks Security Policies Documentation  What is a security policy? Components Who should write it? How long should it be? Dissemination It walks, it talks, it is alive.. RFC 1244 What if a written policy doesnt exist? Other documentation Components of a Security Policy Who can use resources Proper use of the resources Granting access use System Administrator privileges User rights responsibilities What to do with sensitive information Desired security configurations of systems RFC 1244 - ``Site Security Handbook Defines security policies procedures Policy violations Interpretation Publicizing Identifying problems Incident response Updating Other Documentation Hardware/software inventory Network topology Key personnel Emergency numbers Incident logs Why do a Security Audit? Information is power Expectations Measure policy compliance Assessing risk security level Assessing potential damage Change management Security incident response When to audit? Emergency! Before prime time Scheduled/maintenance Audit Schedules Individual Host 12-24 months Large Networks 12-24 months Network 12 months Firewall 6 months How to do a Security Audit Pre-audit: verify your tools and environment Audit/review security policy Gather audit information Generate an audit report Take actions based on the reports findings Safeguard data report Verify your tools and environment The golden rule of auditing Bootstrapping problem Audit tools The Audit platform The Golden Rule of Auditing Verify ALL tools used for the audit are untampered with. If the results of the auditing tools cannot be trusted, the audit is useless The Bootstrapping Problem If the only way to verify that your auditing tools are ok