CCCU

Week-8: Auditing

Module Code: P19133

Course Name: Cybersecurity Fundamentals

Credits: 20

Module Leader: Ali Jaddoa
FCS-P19133
CCCU

As a cyber-security analyst you need to ask the following questions:

  • Are security policies sound and appropriate?

  • Are there controls supporting your policies?

  • Is there effective implementation and upkeep of controls?

Yes: You're in good hands

No: Wait until the end of the session

Security Controls

1. Auditing

  • A systematic evaluation of the security of an information system.

  • Purpose: To ensure that security protocols are adhered to and identify any potential vulnerabilities that need to be addressed.

Goals of Cybersecurity Audits

  • Compliance Verification: Ensure adherence to laws, regulations, and policies.

  • Security Posture Assessment: Evaluate the effectiveness of existing security measures.

  • Risk Identification: Discover and document new and existing threats.

Areas of Security Audits

  • Scope can be thorough (the whole organisation) or limited (a single system, process or area)
So what are we checking here?

  • Appropriate—Is the level of security control suitable for the risk it addresses?
    • Implementing multi-factor authentication (MFA) for high-risk user logins to prevent unauthorised access.
  • Installed correctly—Is the security control in the right place and working well?
    • A correctly configured firewall blocks external traffic at the network boundary to secure internal systems.
  • Addressing their purpose—Is the security control effective in addressing the risk it was designed to address?
    • An intrusion detection system (IDS) flags suspicious traffic, effectively alerting admins of potential intrusions.
How often should you conduct audits?

  • On demand, e.g. post-incident or when required by an external authority
  • According to a schedule (annual or quarterly)
Outcome(s)

  • Audit may reveal untrained staff and poor security oversight.
  • Can prompt better staff training or confirm compliance.
  • New regulations hold management personally accountable for fraud/mismanagement.

Ensuring compliance is crucial to protect the organisation and its people.

Types of Security Audit

  • Internal audits: in these audits, a business uses its own resources and internal audit department. Internal audits are used when an organisation wants to validate business systems for policy and procedure compliance.

  • External audits: with these audits, an outside organisation is brought in to conduct an audit. External audits are also conducted when an organisation needs to confirm it is conforming to industry standards or government regulations.

What systems does an audit cover?

  • Network vulnerabilities
  • Security controls
  • Encryption
  • Software systems
  • Architecture management capabilities
  • Telecommunications controls
  • Information processing
What are Audit Controls?

The measures, policies, practices, and solutions that an organisation implements to protect its information assets.

  • Preventive Controls: Firewalls, antivirus software, access controls, encryption, and security awareness training.

  • Detective Controls: Intrusion detection systems (IDS), log monitoring systems, and regular security audits.

  • Corrective Controls: Limit the extent of any damage caused by a security incident and restore normal operation.

    • Patch management systems, incident response teams, and backup and restore procedures.
Frameworks and benchmarks

A benchmark is a standard against which your system is compared to determine whether it is securely configured; the comparison identifies the differences (deviations) that need attention.

Unless a law or regulation prohibits it, organisations are free to choose whatever audit methods make the most sense to them.
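
An added example (not from the lecture slides) of what comparing a system against a benchmark looks like in practice: a Python script that checks a captured configuration snapshot against a list of benchmark items and reports each deviation, plus any item for which no evidence was collected. The benchmark IDs (BM-01 and so on), the settings, and both snapshots are constructed for illustration; a real audit would substitute items from a published benchmark (for example a CIS benchmark) and evidence gathered from the audited host.

```python
"""Compare a configuration snapshot against a hardening benchmark.

Added example, not part of the lecture material. Benchmark items, their
BM-* identifiers and the configuration snapshots are all constructed.
"""
from dataclasses import dataclass
from typing import Any


@dataclass(frozen=True)
class BenchmarkItem:
    item_id: str    # placeholder identifier, not a real benchmark number
    setting: str    # key looked up in the configuration snapshot
    expected: Any   # exact value, set of allowed values, or a predicate
    rationale: str  # why the control matters (goes into the finding)


def _passes(expected: Any, actual: Any) -> bool:
    """Evaluate one benchmark expectation against the captured value."""
    if callable(expected):
        return bool(expected(actual))
    if isinstance(expected, (set, frozenset)):
        return actual in expected
    return actual == expected


# Constructed benchmark: a stand-in for a published hardening standard.
BENCHMARK = [
    BenchmarkItem("BM-01", "sshd.PermitRootLogin", "no", "Root must log in via a named account"),
    BenchmarkItem("BM-02", "sshd.PasswordAuthentication", "no", "Keys only; blocks password guessing"),
    BenchmarkItem("BM-03", "sshd.MaxAuthTries", lambda v: isinstance(v, int) and v <= 4, "Limit brute-force attempts"),
    BenchmarkItem("BM-04", "services.listening", lambda v: set(v) <= {22, 443}, "Only SSH and HTTPS may listen"),
    BenchmarkItem("BM-05", "antivirus.signature_age_days", lambda v: isinstance(v, int) and v <= 1, "Signatures updated daily"),
    BenchmarkItem("BM-06", "firewall.default_policy", {"DROP", "REJECT"}, "Default-deny inbound"),
]

# Constructed snapshot, as the data-collection phase of an audit might gather it.
SNAPSHOT = {
    "sshd.PermitRootLogin": "yes",
    "sshd.PasswordAuthentication": "no",
    "sshd.MaxAuthTries": 6,
    "services.listening": [22, 80, 443],
    "firewall.default_policy": "DROP",
    # antivirus.signature_age_days deliberately absent: missing evidence is itself a finding
}

# Constructed snapshot of the same host after remediation (should produce no findings).
REMEDIATED_SNAPSHOT = {
    "sshd.PermitRootLogin": "no",
    "sshd.PasswordAuthentication": "no",
    "sshd.MaxAuthTries": 3,
    "services.listening": [22, 443],
    "antivirus.signature_age_days": 0,
    "firewall.default_policy": "REJECT",
}


def audit(snapshot: dict, benchmark=BENCHMARK) -> list[dict]:
    """Return one finding per benchmark item the snapshot fails or cannot evidence."""
    findings = []
    for item in benchmark:
        if item.setting not in snapshot:
            findings.append({"id": item.item_id, "setting": item.setting, "status": "NO_EVIDENCE",
                             "actual": None, "rationale": item.rationale})
            continue
        actual = snapshot[item.setting]
        if not _passes(item.expected, actual):
            findings.append({"id": item.item_id, "setting": item.setting, "status": "DEVIATION",
                             "actual": actual, "rationale": item.rationale})
    return findings


def compliance_ratio(snapshot: dict, benchmark=BENCHMARK) -> float:
    """Fraction of benchmark items that passed (items without evidence count as failed)."""
    return (len(benchmark) - len(audit(snapshot, benchmark))) / len(benchmark)


if __name__ == "__main__":
    for f in audit(SNAPSHOT):
        print(f"{f['id']} {f['status']:<11} {f['setting']} = {f['actual']!r}  ({f['rationale']})")
    print(f"compliance before remediation: {compliance_ratio(SNAPSHOT):.0%}")
    print(f"compliance after remediation:  {compliance_ratio(REMEDIATED_SNAPSHOT):.0%}")
```

Treating a missing setting as a finding rather than skipping it is deliberate: an auditor who cannot evidence a control cannot claim it is in place, so the report records the gap in evidence separately from a confirmed deviation.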

Audit methodologies:

  • Risk-Based Auditing (RBA): Evaluating the risks that pose the most significant threat to an organisation’s assets.

  • Control-Based Auditing: evaluation of an organisation’s internal controls (e.g., NIST, ISO 27001)

  • Compliance Auditing: Ensures that an organisation meets the requirements of specific regulations (e.g., GDPR, HIPAA, SOX)

  • Framework-Based Auditing: Utilises established cybersecurity frameworks to guide the audit process (e.g., CRA, NIST and ISO-27001)

  • Technical Auditing: Technical aspects of an organisation’s IT infrastructure.

Audit Data Collection Methods:

  • Questionnaires
  • Interview
  • Observation
  • Checklists
  • Reviewing documentation
  • Reviewing configurations
  • Reviewing policy
  • Performing security testing
Areas that you should include in an audit plan.

| Area | Audit goal |
| --- | --- |
| Antivirus software | Up-to-date, universal application |
| Intrusion detection and event monitoring systems | Log reviews |
| System-hardening policies | Ports, services |
| Cryptographic controls | Key management, usage (network encryption of sensitive data) |
| Contingency planning | Business continuity plan (BCP), disaster recovery plan (DRP), and continuity of operations plan (COOP) |
| Hardware and software maintenance | Maintenance agreements, servicing, forecasting of future needs |
| Access control | Need to know, least privilege |
| Change control processes for configuration management | Documented, no unauthorised changes |
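
The "Log reviews" goal for intrusion detection and event monitoring, as an added example that is not part of the slides: a Python log review that parses constructed sshd log lines, groups failed logins by source address, and flags bursts of failures (five within sixty seconds, an assumed threshold an auditor would tune to local policy) together with whether a successful login from the same address followed the burst. Host names, addresses and user names in the sample are constructed.

```python
"""Audit log review: find failed-login bursts in sshd log lines.

Added example, not part of the lecture material. SAMPLE_LOG is constructed
sample data; the burst threshold and window are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed syslog-style sshd lines. Syslog timestamps carry no year, so parse() assumes one.
SAMPLE_LOG = """\
Mar  4 09:12:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 50112 ssh2
Mar  4 09:12:03 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 50114 ssh2
Mar  4 09:12:05 web01 sshd[2213]: Failed password for root from 203.0.113.7 port 50116 ssh2
Mar  4 09:12:06 web01 sshd[2215]: Failed password for root from 203.0.113.7 port 50118 ssh2
Mar  4 09:12:08 web01 sshd[2217]: Failed password for root from 203.0.113.7 port 50120 ssh2
Mar  4 09:12:40 web01 sshd[2219]: Accepted publickey for deploy from 203.0.113.7 port 50130 ssh2
Mar  4 09:15:00 web01 sshd[2301]: Failed password for alice from 198.51.100.23 port 40001 ssh2
Mar  4 09:20:00 web01 sshd[2305]: Accepted publickey for alice from 198.51.100.23 port 40003 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed password|Accepted \w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse(log_text: str, year: int = 2024) -> list[dict]:
    """Turn authentication lines into events; non-matching lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "ip": m["ip"], "user": m["user"],
                       "ok": m["outcome"].startswith("Accepted")})
    return events


def find_bursts(events: list[dict], threshold: int = 5, window_seconds: int = 60) -> list[dict]:
    """Flag source addresses with >= threshold failures inside the window.

    Each finding also records whether a successful login from the same address
    came after the burst, which is what a reviewer most wants to know.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if not e["ok"]]
        for i in range(len(failures)):
            j = i
            # extend the window forward from failure i as far as it reaches
            while (j + 1 < len(failures)
                   and (failures[j + 1]["ts"] - failures[i]["ts"]).total_seconds() <= window_seconds):
                j += 1
            count = j - i + 1
            if count >= threshold:
                burst_end = failures[j]["ts"]
                findings.append({
                    "ip": ip,
                    "failures": count,
                    "users": sorted({e["user"] for e in failures[i:j + 1]}),
                    "success_after": any(e["ok"] and e["ts"] > burst_end for e in evs),
                })
                break  # one finding per source address is enough for the report
    return findings


if __name__ == "__main__":
    for f in find_bursts(parse(SAMPLE_LOG)):
        print(f"{f['ip']}: {f['failures']} failures against {f['users']}, "
              f"successful login afterwards: {f['success_after']}")
```

The single failure from the second address falls below the threshold and is not reported, which is the point of a threshold: a log review is looking for patterns that policy defines as anomalous, not for every individual error.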
Cybersecurity Audit Process

1. Pre-Audit Preparation

  • Define Objectives:
    • Clearly establish audit goals such as compliance assessment, security evaluation, or vulnerability identification.
  • Determine Scope:
    • Specify the systems, networks, applications, and data to be examined, influenced by regulatory needs and business priorities.
  • Gather Documentation:
    • Collect relevant documents including security policies, system configurations, and previous audit reports.
Cybersecurity Audit Process

2. Audit Planning

  • Develop an Audit Plan:

    • Outline methodologies, timeline, and resources required for the audit.
  • Communicate Plan:

    • Share the audit plan with stakeholders for approval and coordination.
Cybersecurity Audit Process

3. Audit Execution

  • Conduct Audits:

    • Perform assessments involving technical tests.
  • Data Collection:

    • Collect evidence including logs, configurations, and stakeholder responses.
  • Interview Stakeholders:

    • Interview key personnel to understand the effectiveness and implementation of security measures.
Cybersecurity Audit Process

4. Analysis and Reporting

  • Analyse Findings:

    • Analyse collected data to assess compliance and identify deviations or gaps.
  • Prepare Audit Report:

    • Compile findings, risks, and recommendations into a comprehensive audit report.
  • Review and Revise:

    • Obtain feedback on the draft report, revise for accuracy and completeness.
Cybersecurity Audit Process

5. Post-Audit Follow-Up

  • Discuss Findings:
  • Plan Remediation:
    • Develop a plan to address identified vulnerabilities and assign responsibilities.
  • Monitor Progress:
    • Regularly check the implementation of remedial actions for effectiveness.
  • Schedule Follow-Up Audits:
    • Plan subsequent audits to ensure continuous compliance and security.
Cybersecurity Audit Process

6. Continuous Improvement

  • Update Policies and Procedures:
    • Revise security policies and practices based on audit insights to enhance security measures.
  • Training and Awareness:
    • Conduct training sessions to update staff on new security practices and reinforce security awareness.
  • Integrate Security Practices:
    • Embed security best practices into daily operations and corporate culture to improve overall security posture.
Technical Controls

  • Identity & Access Management (IAM)
  • Data Integrity
  • Vulnerability Assessment & Management
  • Patch Management
  • Firewalls and Intrusion Detection/Prevention Systems (IDS/IPS) (next week)
  • Endpoint Security
  • Network Security/Segmentation
  • Business Continuity Plan (BCP)
  • Change Management
  • Incident Response & Management

Cybersecurity Audit Scenario: TechFirm Inc.

Background

TechFirm Inc. specialises in providing cloud-based solutions and has stringent HIPAA compliance requirements for its healthcare and financial services customers. This audit aims to assess the security measures and compliance status.

HIPAA: The Health Insurance Portability and Accountability Act of 1996

1. Define Objectives

Objective: Ensure comprehensive security and compliance with HIPAA across all operations.

2. Determine Scope

  • Scope Includes:
    • AWS cloud infrastructure including EC2, RDS, and S3.
    • Network configurations and security groups.
    • IAM policies and practices.
    • Encryption mechanisms (AWS KMS, SSL/TLS).
    • Third-party API integrations.
3. Conduct Audits

  • Technical Execution:
    • Automated Vulnerability Scanning: Using a scanner such as Nessus to scan all cloud instances and databases for vulnerabilities.
    • Penetration Testing: Using Metasploit and custom scripts to exploit vulnerabilities, focusing on SQL injection, XSS, and privilege escalation.
    • Manual Security Configuration Review: Inspecting IAM roles and policies using AWS CLI and Policy Simulator.
    • Network Security Review: Analysing traffic with Wireshark and AWS VPC Flow Logs for anomalies.
    • Code Review: Static analysis with SonarQube to identify security flaws in application source code.
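
As an added example of the manual IAM and network configuration review in this step (example code, not TechFirm's or AWS's): a Python review of IAM policy documents and security-group rules that flags Allow statements combining a wildcard action with a wildcard resource and no condition, service-wide wildcard actions, NotAction grants, and inbound rules open to the internet on anything other than the assumed web ports. The policy and security-group documents are constructed inline in the shape the AWS CLI returns (aws iam get-policy-version and aws ec2 describe-security-groups); the policy names, group IDs and bucket name are placeholders, and no AWS call is made.

```python
"""Least-privilege review of IAM policies and security groups.

Added example, not part of the lecture scenario. All documents below are
constructed stand-ins for AWS CLI output; nothing here talks to AWS.
"""
import json

POLICY_DOCS = {
    "BillingReadOnly": {  # constructed: a single read action, expected to pass
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": ["ce:GetCostAndUsage"], "Resource": "*"}],
    },
    "DevOpsAdminShortcut": {  # constructed: the over-broad policy an audit should catch
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "*", "Resource": "*"},
            {"Effect": "Allow", "Action": ["s3:*"], "Resource": "arn:aws:s3:::patient-records/*"},
        ],
    },
    "DenyWithoutMfa": {  # constructed: wildcards in a Deny statement are not a finding
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*",
                       "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}],
    },
}

SECURITY_GROUPS = [  # constructed, trimmed describe-security-groups shape
    {"GroupId": "sg-0example1", "GroupName": "web-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-0example2", "GroupName": "db-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "10.0.1.0/24"}]},
        {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},  # all traffic from any IPv6 address
    ]},
]

PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}
WEB_PORTS = {80, 443}  # assumption: the only services meant to be internet-facing


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def review_policy(name: str, doc: dict) -> list[dict]:
    """Flag Allow statements that grant more than least privilege requires."""
    findings = []
    for i, st in enumerate(doc.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue  # Deny statements only take privilege away
        actions = _as_list(st.get("Action", []))
        any_resource = "*" in _as_list(st.get("Resource", []))
        where = f"{name} Statement[{i}]"
        if "*" in actions and any_resource and "Condition" not in st:
            findings.append({"object": name, "where": where, "severity": "HIGH",
                             "issue": "Allow */* without a condition: full administrative access"})
        elif any(a.endswith(":*") for a in actions):
            wild = ", ".join(a for a in actions if a.endswith(":*"))
            findings.append({"object": name, "where": where, "severity": "MEDIUM" if any_resource else "LOW",
                             "issue": f"Service-wide wildcard action {wild}"})
        if "NotAction" in st:
            findings.append({"object": name, "where": where, "severity": "MEDIUM",
                             "issue": "NotAction grants every action except those listed"})
    return findings


def review_security_group(sg: dict) -> list[dict]:
    """Flag inbound rules reachable from the whole internet on non-web ports."""
    findings = []
    for rule in sg.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])] + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        if not PUBLIC_CIDRS & set(cidrs):
            continue
        if rule.get("IpProtocol") == "-1":
            severity, what = "HIGH", "all protocols and ports"
        elif rule.get("FromPort") in WEB_PORTS and rule.get("FromPort") == rule.get("ToPort"):
            continue  # intended public web exposure
        elif rule.get("FromPort") in (22, 3389):
            severity, what = "HIGH", f"administrative port {rule['FromPort']}"
        else:
            severity, what = "MEDIUM", f"ports {rule.get('FromPort')}-{rule.get('ToPort')}"
        findings.append({"object": sg["GroupId"], "where": sg["GroupName"], "severity": severity,
                         "issue": f"Open to the internet on {what}"})
    return findings


def run_review(policies=POLICY_DOCS, groups=SECURITY_GROUPS) -> list[dict]:
    """Collect all findings, highest severity first, ready for the audit report."""
    findings = [f for name, doc in policies.items() for f in review_policy(name, doc)]
    findings += [f for sg in groups for f in review_security_group(sg)]
    rank = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    return sorted(findings, key=lambda f: rank[f["severity"]])


if __name__ == "__main__":
    print(json.dumps(run_review(), indent=2))
```

The severity ordering is what feeds the prioritised recommendations in the reporting step: the two administrative exposures (the unconditional Allow */* statement and the SSH and all-traffic rules open to the internet) come first, while the scoped s3:* grant on one bucket is recorded as a low-severity least-privilege note.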
4. Report Findings

  • Detailed Reporting:
    • Vulnerability and Penetration Test Outcomes: Documenting exploited vulnerabilities, exploitation methods, and potential impact.
    • Compliance Assessment: Assessing encryption standards against HIPAA and PCI DSS requirements.
    • Recommendations: Providing remediation strategies, prioritised by risk level, including upgrading SSL/TLS implementations and revising IAM policies.
5. Implement Improvements

  • Remediation Steps:
    • Immediate: Patching vulnerabilities and restricting IAM roles.
    • Mid-term: Upgrading encryption across all data storage and transmission points.
    • Ongoing Efforts: Implementing continuous monitoring with Splunk for real-time security logging and incident response.
6. Follow-Up

  • Continuous Compliance and Monitoring:
    • Utilising AWS Config for automated compliance monitoring.
    • Scheduling regular penetration tests and vulnerability scans to adapt to new threats.
Lab:


Cybersecurity Audit Process

2. Risk Assessment

  • Identify Threats and Vulnerabilities:
    • Use detection tools and techniques to uncover potential security threats and vulnerabilities within the scoped environments.
  • Assess Risks/Threat Modelling:
    • Evaluate the impact and likelihood of risks, prioritising audit focus on higher-risk areas.