“Audit” Doesn’t Have to Be a Dirty Word

What is a Honeypot?
18th July 2016
Social Engineering – Why I Think Your Business Should Care
20th July 2016
Show all

“Audit” Doesn’t Have to Be a Dirty Word

Isn’t it interesting that a simple word like “audit” can invoke such stress and anxiety? Maybe it’s because HMRC uses the word audit similar to a parent scolding a misbehaving child. Having an audit looming over your head is enough to give even the most hardened individual the potential to break down in tears. It’s a shame that an audit has developed such a negative connotation as there are many positives that can come from an audit especially in the IT world. Businesses of all sizes have benefited from network audits by exposing issues and vulnerabilities before they become major problems. Let’s begin by taking a look at the very definition of an audit before we delve into the various types of network audits that are most common in the SMB space.

The origin of the word audit is rooted, as many English words are, in ancient Latin. The word derives from the Latin noun auditus which is an ancient term for a hearing. To further that definition, the deeper origin is the Latin verb audire which means to hear. The related English term is audio which does not carry a negative connotation. In fact, an audiophile is someone who has a deep enjoyment and an ear for well-designed music systems. Heaven knows the ability to listen is something often lacking in the world today! My point now comes full circle; SMB organisations should really embrace technology audits, because by listening to audit recommendations your network will run efficiently and productively.

Every small and mid-sized organisation should have a plan in place to evaluate their entire network infrastructure, all network components, and all network users on a semi-regular basis. Usually, if there hasn’t been a comprehensive audit conducted in over a year (or maybe ever), the general audit should be the first step to provide a structure to work from.

Every audit type, general or otherwise, is built on five primary steps:

  1. Developing a plan.
  2. Inspection and inventory of systems, controls, and processes.
  3. Regular and stress testing of systems, controls, and processes.
  4. Results report.
  5. Post-audit change implementation and testing.

In many cases, entities and/or their agents don’t adhere to this methodology. They may complete some of the items listed above, but they don’t plan ahead of time, they don’t test the systems to try and ward off an impending failure, and they don’t go back after the report is created to actually re-test the changes their work dictated. Following the above steps is critical when performing any type of audit otherwise the audit itself could be fraught with omissions or inaccuracies.

Now, let’s take a look at the types of IT audits most common to SMB organisations. For the most part, you can break technology audits out into three main groups: general, design/infrastructure, and security. While there may be situations that require a deeper examination into a specified area, most audit requests are of the general variety. A general audit is a comprehensive high-level review of all critical components of an organisation’s technology infrastructure. The level of granularity is open to interpretation, but the main focus is to determine if the network and its elements are functioning properly, if there are vulnerabilities, and if upgrades or cleanups are required. A general network audit includes inspection and recommendations for the following:

  • All equipment including end-user machines, physical and virtual servers, routers, switches, firewalls, security and intrusion prevention appliances, backup appliances, access points, etc.
  • Software suites and end-user applications.
  • Management consoles, administrative interfaces, and IT policies.
  • Connectivity including all wired and wireless connections, wireless transmission facilities, cabling, etc.

Since a general audit is not a deep dive, a detailed report for each of the above listed silos will likely create a good starting point for both the technical and business decision makers who will then mutually develop a plan to mitigate any negative findings. Most final reports include a list of discovered issues and distinguish issues based on a three-tiered advisory model: critical, moderate, and advised.

Now that you’ve embarked on the general audit process, and it has revealed you have a critical issue, what is the next step? A secondary audit, such as a security/vulnerability audit or a design/infrastructure audit is required to delve deeper into the issue and determine proper steps for remediation. This scenario is very much like taking your car in for an annual inspection and hearing the not-so-welcome news that your brakes need to be replaced. Obviously, it’s much better to uncover issues and vulnerabilities during an audit rather than during an actual incident that can cause devastating damage such as loss of sales data, intellectual property, or customer information.

A security audit looks at two main aspects of any organisation, the systems (hardware, software, and access control) and the users (internal and external). The most common security audits feature a comprehensive probing of your network from both the outside and inside including firewalls and network endpoints (PCs and servers); transmission facilities including switches, routers, wireless access points, etc.; personnel including employees, vendors, customers, etc.; and policies and procedures including operating systems settings, inspection of network shares, password guidelines, and historical reports and audit logs. While some will call this security audit a “penetration test” or “pen-test,” the technique is really just a component of a thorough security audit. The pen-test simulates how hackers or other malicious parties would attempt to access your network and your data. A detailed security audit will also include interviews with the management and user communities to find how policies have been applied and see if there are any inadvertent deviations from those. The tricky (and often frustrating) part is that completing this process successfully means that you appear, at that moment in time, to be secure. However, every day new hacking techniques are born and you may not be prepared or protected from them. This is why it’s indescribably important to have an audit or review plan in place that occurs on a standard basis, whether it be quarterly or annually.

Another common offshoot, after the general audit is complete, is the design/infrastructure audit. This audit can be completed hand-in-hand with the security audit, but is not necessarily required. The design audit will take a more detailed look at the actual efficiency of the systems currently in place in an organisation including complete documentation of every piece of hardware and software, all IP addresses, all network connections, and all external assets that connect to the network. This inventory is something every business, regardless of size, should have as an up-to-date document. As new systems and applications are deployed, the document must be updated to reflect those changes. This documentation is often overlooked, and a detailed design audit will clean up those gaps. In addition, the performance of those systems will be tested and evaluated. Much like the security audit, the design audit will provide a report with critical, moderate, and advised priority recommendations and fixes. As with the car example above, if your mechanic tells you your engine does not have oil in it, then that is a high priority, right? If you don’t add the oil, your engine could blow up. If he tells you the weather-stripping on the inside of your window is cracking, well, maybe that can wait. And the same rules apply here. A dying server must be addressed right away, whereas a flashing light on your UPS could be something that can wait. It all depends on your tolerance for downtime and risk.

There are do-it-yourself tools available to perform rudimentary design or general audits. While DIY audits may be a good choice in the short term to make sure you’re in no imminent danger, a thorough analysis conducted by a trained professional is preferable, and in many cases of compliance, required. Furthermore, it may be beneficial to engage with a third-party IT provider that can not only conduct the audit but perform the recommendations as well. Some consultants are great in theory, but often may not have the expertise of a seasoned engineering team to execute.

So now that you’ve been warned, don’t waste too much time in ruminating over the potential negative outcomes. Find a highly trained and well-recommended adviser and get on it! While it is often uncomfortable to have someone poking around your stuff, it is better to address issues and vulnerabilities proactively rather than waiting for the moment of failure and scrambling to keep it together. When talking about replacing an oil filter, an old Fram oil commercial used the tag line, “You can pay me now, or you can pay me later.” Don’t get caught paying more down the line, rather get some peace of mind and get the ball rolling before you are forced into panic mode.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: