Menu

US Region

Grandmetric LLC
Lewes DE 19958
16192 Coastal Hwy USA
EIN: 98-1615498
+1 302 691 94 10
info@grandmetric.com

EMEA Region

GRANDMETRIC Sp. z o.o.
ul. Metalowa 5, 60-118 Poznań, Poland
NIP 7792433527
+48 61 271 04 43
info@grandmetric.com

UK

Grandmetric LTD
Office 584b
182-184 High Street North
London
E6 2JA
+44 20 3321 5276
info@grandmetric.com

  • en
  • pl
  • What can you learn from an ICT security audit?

    What can you learn from an ICT security audit?

    Date: 23.09.2021

    Author:
    Category: Security


    Online data privacy and security is a particularly important topic when most of us work remotely. There are plenty of traces that we leave behind on the Internet, and we encounter cybercrime daily. We should, therefore, consider how we can protect ourselves against the loss of both personal data and key company information.  

    When should we decide to conduct an ICT security audit? 

    First of all, it is worth realizing that the ICT audit is a certain component of the entire security policy. It is most often carried out to prevent threats that may occur in the future.

    Depending on the nature of the IT environment, we can distinguish two types of organizations: 

    • organisations where a lot is going on and changes in IT, adoption of new technologies or introduction of new systems are relatively dynamic, 
    • organisations where the application, server and hardware infrastructure is changing slowly. There, relatively little happens over time. 

    In the earlier, it is worth carrying out an audit as a response to a given change. In some situations, this may even happen more than once a year.  
    In the latter, where relatively less is happening, a cyclical approach, i.e. conducting an audit once a year, is a good practice. 

    The difference between penetration testing and audit 

    An audit can cover many aspects of infrastructure and cybersecurity. Penetration testing is an active form of searching for vulnerabilities in the network and in IT systems. The search is followed by proving that identified vulnerabilities do exist, i.e. they are not so-called false positives.  


    Penetration testing consists of several stages.
     

    • The process of collecting information about the area to be tested, e.g. a given application or group of applications, is definitely worth specifying.
    • Then passive tests are performed. They usually involve scanning a certain range of applications.
    • The next stage is active and manual tests, which make the testers confirm the accuracy of the findings made in the earlier stages.
    • It should be emphasized that the key product of penetration testing is the report that is created when the tests are over. It contains a description of finds and technical recommendations and pinpoints what the neglect of a given area may result in. The conclusions and recommendations at the end of the report are closely related to each vulnerability and how to patch it.  
    • Very good practice in conducting penetration tests is verification, i.e. so-called retest. It is performed after some time when a given organization believes that it has improved the identified vulnerabilities in line with the recommendations. Then it is worth checking again whether the vulnerabilities still exist, whether they have been corrected and patched.  

    How can we effectively protect the network against data leakage or loss? 

    The first element, and perhaps the most important, is the human factor, i.e. the employee. They should be vigilant in their daily work with data, e-mail messages, and attachments they receive. They should be careful about which links they click on and where they redirect them. User training and education, like testing and auditing of the infrastructure itself, should be cyclical. Users should be reminded to handle their data properly.   

    Another element is DLP (Data Loss Prevention) systems. Their task is to prevent data leaks, including leaks of sensitive data. The aforementioned DLP system should analyze whether what a given employee wants to send is not confidential information. It should state whether or not this is legitimate and possibly inform the security department that such a breach is taking place.  
     
    The last aspect that should help with data protection is a whole set of good practices related to network configuration, filtering, and enabling relevant mechanisms of the so-called application layers.  

    Wi-Fi security – a weak link

    Wireless networks in 802.11 standards, like Wi-Fi you mentioned, are in fact relatively easy to penetrate due to their nature, i.e. working on freely available frequencies. These are not licensed frequencies, so every potential attacker or user who has a device with access to a network with a Wi-Fi interface is able to check, for example, if there are networks available in their vicinity.  
     
    We achieve security today through the use of 802.1x mechanisms, which allow users to connect to the network in a granular manner. It involves authentication by entering your login and domain password or presenting a user / machine certificate, which is also issued by a given organization, which makes a given computer and user a trusted person for the network.  
     
    Secondly, a Wi-Fi network should be based on some central source of identity system for communicating with e.g. Active Directory databases, which are able not only to confirm the user’s identity by verifying permissions. Such a set of permissions may also be assigned to a specific user or functional group in which they are located, e.g. employees of the R&D department will have access to other systems than employees of the financial department.

    The ease of this connection lies in the fact that after the first connection to the network, a given end user’s computer remembers the network and always uses the same login and password or the user’s certificate in the background. The user does not have to enter a login and password or link a certificate each time they come to work and connect to a given network. This happens transparently.  

    Choosing ICT security – key factors

    It is worth asking yourself a question at the very beginning: what do we want to secure? Different companies have different requirements. Some companies are based on the e-commerce segment, others run production processes, and thus the burden of security in individual organizations may be located in a different place. However, if we are talking about the mechanisms and technologies that are worth choosing when securing the infrastructure, we must think about the access security we already mentioned.  

    • Systems and devices must be selected so that they are able to secure the user’s access both to the wired and wireless networks. Today this can be ensured by using one system.  
    • Internet connection. It is worth considering strong professional security, such as Firewall, tools such as Next-Generation Firewall, the so-called UTM, which can understand application traffic. Not only do they filter the allow/deny communication, but are also able to verify whether the data we send as part of the connection is safe, whether there are any leaks or reverse attacks. UTM is equipped with mechanisms such as IPS, anti-virus, sometimes DLP, or malware protection. 
    • Systems that protect access to application segments, i.e. Web Application Firewall, the so-called WAF. They can distinguish between normal and attacking traffic. 
    • Educating the end-users themselves, who should undergo training or trial tests related to simulating phishing campaigns. The point is not to evaluate, but to obtain information about the level of employee awareness. If it is low, they should be trained. 

    Actions and techniques to help protect user privacy and data

    Above all, we should constantly educate and remind users not to write passwords on the desk and stick them onto computers. Educational campaigns among employees of a given company are very important. And if we are talking about the Internet and computer users in general, we should always be aware of where our data may go, who can obtain it, and for what purposes.  

    Any excessive publication of your actions or private data, activities, and photos should be minimized if we also want to avoid the risk of our private data leakage. The media say more and more often than sharing your activities and vacation plans on social media such as Facebook, LinkedIn, and Instagram is information that can be easily used. 
     
    It is also important not to send sensitive data such as Personal Identification Numbers (PIN), ID card numbers, and address data in open forums and chat rooms with consultants. It is worth verifying the information that consultants are trying to obtain from us, for example at a bank. There has been a long discussion about the fact that the bank verifies us by making a phone call. The question arises how can we say that the person calling and claiming to be a bank employee is actually one. This discussion will probably go on for a long time. If I can make a suggestion, we should simply use common sense.  

    Author

    Marcin Bialy

    Marcin Biały is Network and Security Architect with over 14 years of experience, with Service Provider and Enterprise networking background. He used to work for large service providers, global vendors and integration services companies as Network Architect, Leading Architect and Techincal Solution Manager positions. He designed, implemented and supported dozens large scale projects and infrastructure migrations, solved hundreds of tickets and spent hours with CLI and GUI of many flavors. Marcin is also holding industry recognizable certificates such as CCNP, CCNA, CCSI #35269, FCNSP #7207, FCNSA and more.

    Leave a Reply

    Your email address will not be published. Required fields are marked *


    Grandmetric