
Thread: security audit

  1. #1
    Senior Member
    Join Date
    Jul 2004
    Posts
    131

    security audit

    Does anyone know where one can go to see what a security audit report looks like?

    The format of the reports.

    Perhaps even some templates of different types of security audit reports.

    I searched TechRepublic, not much there of use.
    More cowbell! We need more cowbell!
    http://www.geocities.com/secure_lockdown/
    - - -
    "Is the firewall there to protect you from the outside world or is it there to protect the outside world from *YOU*?"

  2. #2
    Senior Member
    Join Date
    Mar 2004
    Location
    Colorado
    Posts
    421
    What kind of audit are you speaking of?

    Overall security (IT I presume) of a company or a portion?
    External or Internal or Both.
    Does it include social engineering aspects or just pen testing and configuration audits?
    How about policy and procedure audits?

    Or are you just looking for all of the above?

    If you are speaking of Pen Testing and/or exploit auditing, the Nessus reporting is a good starting point.
    Most of the scanner sites have sample reports.
    http://www.hackerwhacker.com used to have a sample report. URL is not working now so not sure if they are still around. It's been a while.

    Some more detail about what you are looking for will help narrow down results.

  3. #3
    www.wildpackets.com/elements/whitepapers/Security_Audit.pdf

    PDF File !
    O.G at A.O

  4. #4
    Computer Forensics
    Join Date
    Jul 2001
    Posts
    672
    This may or may not help.

    http://www.isecom.org/osstmm/

    It's the Open Source Security Testing Methodology Manual

    Or this.. http://www.sans.org/resources/policies/#template
    Antionline in a nutshell
    "You're putting the fate of the world in the hands of a bunch of idiots I wouldn't trust with a potato gun"

    Trust your Technolust

  5. #5
    Senior Member
    Join Date
    Jul 2004
    Posts
    131
    Originally posted here by ss2chef
    What kind of audit are you speaking of?

    Overall security (IT I presume) of a company or a portion?
    External or Internal or Both.
    Does it include social engineering aspects or just pen testing and configuration audits?
    How about policy and procedure audits?

    Or are you just looking for all of the above?

    If you are speaking of Pen Testing and/or exploit auditing, the Nessus reporting is a good starting point.
    Most of the scanner sites have sample reports.
    http://www.hackerwhacker.com used to have a sample report. URL is not working now so not sure if they are still around. It's been a while.

    Some more detail about what you are looking for will help narrow down results.
    Thanks to all for the replies.

    The audit is to be internal, departmental. I am auditing a network site. They are located separate from my main network site, but they all connect to my F&P servers.

    We have never done one before - so this is a first.

    I was going to look at:
    * backup procedures.
    * installs of non-approved apps/servers
    * licensing tracking
    * network scan to see what is viewable to outsiders. There is a FW.

    I was also going to borrow their key and go in on a weekend and note how many staff wrote their user name & password on yellow stickies in & around their desks.

    Penetration testing was not going to be minimal for now.

    We run centrally managed AV/FW on all clients. Unless the users actually uninstall them they are fairly secure. We got the odd smart ass who thinks he's too good for a managed desktop. Those guys I will flag as unsecure hosts regardless.

  6. #6
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Is there a written and approved security policy?

    If there is one, verify if they've followed the rules.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  7. #7
    Banned
    Join Date
    May 2003
    Posts
    1,004
    You need to have a target to audit against.

    As SirDice said, the corporate policy, however this is likely to be too vague for this type of audit. There should be a standard these systems were developed against and then procedures based on those standards. If this documentation does not exist... might be high time to choose a few appropriate standards and treat this audit as a baseline for a migration project.

    cheers,

    catch

  8. #8
    Senior Member
    Join Date
    Mar 2004
    Location
    Colorado
    Posts
    421
    When writing the report, make sure you consider the audience.
    Who will you be writing the report for? A tech type? A bean counter? A bar graph lover?

    Some managers will break down in tears when trying to understand that although you are running a version of software known to be insecure, there is no need to worry because the vendor actually backports changes without changing version numbers...

    The personal visit is a good idea.
    Just the other day, at one of my clients we found a password sheet of another employee under the keyboard of an executive secretary. Let the fireworks begin.

  9. #9
    Senior Member
    Join Date
    Jul 2004
    Posts
    131
    Originally posted here by SirDice
    Is there a written and approved security policy?

    If there is one, verify if they've followed the rules.
    A written sec. policy does exist. No one follows it. They couldn't care less about it.

    It's a great idea, but easier said than done to implement when you are functioning in a *heavily* segmented IT environment.

    The business units will go out and buy their own servers and hire their own IT guys if they think you are stepping on their toes.

    What can you do? You can't ban them from dealing with vendors or hiring n00b IT guys.

    *welcome to the real world.* my world. :-)

  10. #10
    Banned
    Join Date
    May 2003
    Posts
    1,004
    Not sure what that "real world" comment means, as if policies don't exist there...

    What is your job as the auditor if not to audit and report non-compliance issues with regard to the policy? Just because other people are messing up doesn't mean that you need to change the way you are doing things. Determine what standards, if any, are mentioned in the policy. The result of your audit should be a red flag to senior management that either the policy needs to change or the organization does... however unless you measure against something, the audit is useless. (No audit can exist in a vacuum.)

    Also, the reason why knowing what standards are applicable matters is because many have predefined audit report schemes and this will save you a lot of time from trying to reinvent the wheel.

    cheers,

    catch
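The thread's two practical points (post #5's checklist of backups, unapproved installs and managed AV/FW, and post #10's insistence that an audit measures non-compliance against a written baseline) can be put together as a small compliance check. This is an added example, not code from the thread; the baseline values and the host inventory are constructed stand-ins for the site's real policy and asset list.

```python
"""Audit a host inventory against a written baseline and report non-compliance."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed baseline standing in for the site's written security policy (assumption).
BASELINE = {
    "managed_av_required": True,
    "managed_fw_required": True,
    "approved_software": {"office", "managed-av", "managed-fw", "vpn-client"},
    "max_backup_age_days": 7,
}

@dataclass
class Host:
    name: str
    software: Set[str]
    managed_av: bool
    managed_fw: bool
    last_backup_days: Optional[int]  # None means no backup on record

def audit_host(host: Host, baseline=BASELINE) -> List[Tuple[str, str]]:
    """Return (severity, finding) pairs; an empty list means the host is compliant."""
    findings = []
    # A client that dropped the managed AV/FW is flagged regardless of anything else.
    if baseline["managed_av_required"] and not host.managed_av:
        findings.append(("high", "managed AV agent missing"))
    if baseline["managed_fw_required"] and not host.managed_fw:
        findings.append(("high", "managed firewall missing"))
    for pkg in sorted(host.software - baseline["approved_software"]):
        findings.append(("medium", f"unapproved software installed: {pkg}"))
    if host.last_backup_days is None:
        findings.append(("high", "no backup on record"))
    elif host.last_backup_days > baseline["max_backup_age_days"]:
        findings.append(("medium", f"last backup {host.last_backup_days} days ago"))
    return findings

def audit_site(hosts: List[Host], baseline=BASELINE) -> Dict[str, List[Tuple[str, str]]]:
    """Per-host findings keyed by host name; this is the technical part of the report."""
    return {h.name: audit_host(h, baseline) for h in hosts}

def summary(report: Dict[str, List[Tuple[str, str]]]) -> Dict[str, int]:
    """Management-level counts: compliant hosts and findings by severity."""
    counts = {"hosts": len(report), "compliant": 0, "high": 0, "medium": 0}
    for findings in report.values():
        counts["compliant"] += 0 if findings else 1
        for severity, _ in findings:
            counts[severity] += 1
    return counts

# Constructed sample inventory (assumption): three workstations at the remote site.
SAMPLE_HOSTS = [
    Host("ws01", {"office", "managed-av", "managed-fw"}, True, True, 2),
    Host("ws02", {"office", "managed-av", "p2p-client"}, True, False, None),
    Host("ws03", {"office", "managed-av", "managed-fw", "vpn-client"}, True, True, 12),
]
```

`summary()` gives the bean-counter view and `audit_site()` the per-host detail, so the same run serves both audiences post #8 warns about.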
