Introduction
Auditing Basics
What IT Auditing does not Consist of
Accounting controls, financial auditing and compliance testing
The Essence of IT Auditing
Audit fieldwork
Control activities
Evaluating control effectiveness
IT Auditing and Detecting an Attack
Logging
Automation
Intrusion Detection/Prevention Systems (IDS/IPS)
Conclusion
Introduction
Given the prevalence of and dependence on Information Technology (IT) assets throughout today's organizations, there is a need to preserve the confidentiality, integrity and availability (CIA) of the information processed and stored on these systems. Because this information is valuable, it must be protected from attacks of all kinds: hackers are constantly trying to steal it and sell it on the dark web. One of the most valuable tools an organization has in this ongoing war is the process of IT auditing, coupled with automation and the use of Intrusion Detection and Prevention Systems (IDS/IPS).
Auditing Basics
There are many components to properly conducting an IT audit, but it is important to first understand the fundamental differences between a traditional audit and an IT audit, because the scope of the two differs greatly. Traditionally, auditing focused on financial aspects and accounting controls (Singleton, 2014); now that organizations rely so heavily on technology and on safeguarding information, auditing has branched out into financial auditing and IT auditing.
What IT Auditing does not Consist of
Because IT auditing is centered on IT, there are a few things it does not encompass, which keeps the audit strictly within the scope of IT. IT auditing exists to mitigate the risk that the adoption of IT systems, and the data they contain (including financial information), has introduced into organizations. Unlike a traditional audit, however, the IT audit is not concerned with the accuracy of the financial information itself; it is concerned with the systems that handle that information throughout the information lifecycle (Singleton, 2014). Nor is the IT audit concerned with accounting controls (Singleton, 2014).
Another aspect that IT audits are not concerned with is compliance testing. It is not the role of an IT auditor to ensure that employees comply with the rules (even rules related to IT) and to report infractions; rather, the IT auditor checks whether the processes and systems the organization has in place for managing compliance are working efficiently (Singleton, 2014).
The essence of IT auditing. Although IT auditing encompasses many areas within the realm of IT, it has some main objectives that apply across the organization's various domains: the IT infrastructure and the relevant systems, applications and business processes that handle information at any stage of its lifecycle. All of these elements face various risks, and the objective of the IT audit is to ensure that controls are in place to minimize these risks and to verify that those controls are working as intended (Magee, n.d.).
Audit fieldwork. Audit fieldwork consists of several areas; in essence, it is the set of steps performed to complete the audit from beginning to end (Goldberg, 2011). It begins with requesting documents (anything from prior audit results to mappings of interconnected processes, controls and the purpose of each control), followed by interviews, testing, documentation of the audit and a review by the supervisor (Goldberg, 2011).
Control activities. There are many types of controls; put simply, controls are procedures put in place by management to make sure that activities function as intended (Norman, 2004). According to the Office of Financial Management (OFM) (2008), control activities are actions taken to minimize the risks identified during the risk assessment. These activities can be preventive in nature, stopping a risk from materializing, or detective in nature, merely identifying what occurred and alerting management or administration (OFM, 2008).
Evaluating control effectiveness. With all the controls in place to mitigate risk across the IT environment, there are many areas that need to be evaluated to ensure each control is operating effectively. First and foremost, this requires a different skillset than an auditor needed years ago, because IT has been integrated into almost every aspect of a modern organization. IT auditors need a better, holistic understanding of the technology supporting the business, as well as an understanding of how this technology affects the organization's risk management (Philip, 2008). To appreciate the complexity of evaluating controls, it helps to look back at what an IT audit consists of; according to Wulandari (as cited by Majdalawieh & Zaghloul, 2009), it is "the process of evaluating and reporting the adequacy of system controls, efficiency, economy, effectiveness, and security practices to assure that data integrity is protected, and that the system complies with applicable policies, procedures, standards, rules, laws and regulations."
Therefore, once the risks have been identified and a control identified for each risk, the controls must be tested to make sure they work properly; the testing method depends on which controls are being evaluated. For example, if the controls that ensure patch management is handled properly are being evaluated, a vulnerability scan or a penetration test could be used to check for missing patches; if any patches are missing, that control is not functioning as expected and needs to be redesigned. Conversely, if application controls that prevent unauthorized access to the database behind an application are being evaluated, Structured Query Language (SQL) injection techniques can be applied to the application's user input fields; if information can be extracted, the controls are not functioning as intended and need to be reworked. All of this would be documented in the audit report: what was evaluated, the results of the evaluation and the recommended actions to correct the deficiency.
IT Auditing and Detecting an Attack
IT auditing is also very useful for detecting various types of attacks. In Linux, logging is paramount to detecting many of the events that typically occur before a security incident (Zeng, Yang, & Chen, 2015). The main drawback of logging is the large number of logs generated, which would not only take an enormous amount of time to sift through manually but also affect the performance of the machine itself (Zeng, Yang, & Chen, 2015).
Logging
Logging is the process by which the system records events: both anything it has been manually instructed to record and the events it records automatically by default, such as system events, security messages and cron tasks (Red Hat, n.d.). Logs are also helpful when problems arise and troubleshooting must be performed, for detecting unauthorized login attempts (Red Hat, n.d.), and more.
In Linux auditing, these logs record many things: file access, system calls, the commands users execute and security-related events (Zeng, Yang, & Chen, 2015). The latter include authentication, authorization and privilege escalation events, and each entry records the date and time the event occurred, the identity of the user who performed the action, the result of the action and any sensitivity labels (Zeng, Yang, & Chen, 2015). This information is of great value when detecting an attack, tracking the issue down and implementing controls to prevent the actions from recurring (Zeng, Yang, & Chen, 2015). The logs can be stored wherever the system administrator wishes: on the local system, forwarded to a log server on the network, or forwarded to a remote location. Remote storage adds a layer of security, because logs can be manipulated, and storing them remotely makes it harder for an attacker who is trying to cover their tracks to find and alter them.
Automation. Once the system has been instructed to log whatever the system administrator wishes to record, a great many logs may be generated, which could take considerable time to sort through manually. There are tools that assist with sorting and identifying specific information within the logs; the administrator only has to enter the search terms and the tool scans the logs and returns the relevant results. Automation is also useful for detecting and preventing intrusions onto the network or the systems on it.
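The two preceding sections describe what Linux audit records contain (event type, time, user identity, result) and the kind of tool that searches them automatically. The following is an added example, not code from the paper or from the auditd project: it parses records in auditd's native key=value format, decodes the hex-encoded command field the way ausearch -i does, flags accounts with a burst of failed authentications, and offers the "enter a search term" style query. The sample records are constructed for this example, and the threshold of three failures in 60 seconds is an assumed tuning value.

```python
import re
from collections import defaultdict

# Constructed sample in auditd's native record format; not taken from a real host.
# Three failed SSH logins for "alice" then a success, one sudo command record
# (auditd hex-encodes cmd= when it contains spaces), and one failure for "bob".
SAMPLE_AUDIT_LOG = """\
type=USER_AUTH msg=audit(1710000000.101:201): pid=4101 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="alice" exe="/usr/sbin/sshd" hostname=? addr=198.51.100.7 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1710000003.222:202): pid=4102 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="alice" exe="/usr/sbin/sshd" hostname=? addr=198.51.100.7 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1710000007.333:203): pid=4103 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="alice" exe="/usr/sbin/sshd" hostname=? addr=198.51.100.7 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1710000011.444:204): pid=4104 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="alice" exe="/usr/sbin/sshd" hostname=? addr=198.51.100.7 terminal=ssh res=success'
type=USER_CMD msg=audit(1710000030.555:205): pid=4120 uid=1000 auid=1000 ses=12 msg='cwd="/home/alice" cmd=636174202F6574632F736861646F77 terminal=pts/0 res=success'
type=USER_AUTH msg=audit(1710000040.666:206): pid=4130 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="bob" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.9 terminal=ssh res=failed'
"""

_TS_RE = re.compile(r"msg=audit\((\d+)\.\d+:\d+\)")   # epoch seconds of the event
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')           # key=value or key="quoted value"

def parse_record(line):
    """Flatten one record into a dict: event time plus every field, nested ones included."""
    m = _TS_RE.search(line)
    rec = {"time": int(m.group(1))} if m else {}
    flat = line.replace("msg='", "").rstrip("'")   # unwrap msg='...' so inner fields parse too
    for key, val in _KV_RE.findall(flat):
        if key != "msg":                            # skip the msg=audit(...) token itself
            rec[key] = val.strip('"')
    # auditd writes cmd= as uppercase hex when the command contains spaces (heuristic check).
    if rec.get("type") == "USER_CMD" and re.fullmatch(r"[0-9A-F]{2,}", rec.get("cmd", "")):
        rec["cmd"] = bytes.fromhex(rec["cmd"]).decode()
    return rec

def parse_log(text):
    return [parse_record(ln) for ln in text.splitlines() if ln.strip()]

def failed_auth_bursts(records, threshold=3, window=60):
    """Accounts with at least `threshold` failed authentications within any `window` seconds."""
    by_acct = defaultdict(list)
    for r in records:
        if r.get("type") == "USER_AUTH" and r.get("res") == "failed":
            by_acct[r["acct"]].append(r["time"])
    flagged = set()
    for acct, times in by_acct.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.add(acct)
    return flagged

def search(records, term):
    # The "enter a search term" query: every record whose fields mention the term.
    return [r for r in records if any(term in str(v) for v in r.values())]
```

Run against a real /var/log/audit/audit.log, the same three functions give an auditor the timeline of an account's failed logins and the decoded commands that followed, which is the evidence the paper says these logs provide.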
Intrusion Detection and Prevention Systems (IDS/IPS). Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are automated systems that serve two different purposes. The IPS is becoming more prevalent because of its preventive capability, as opposed to the logging capability of the IDS alone: an IDS only logs security events and alerts system administrators, whereas an IPS works to lock out the attacker when an intrusion is detected. This level of automation is highly valuable because it allows a quicker initial response to the attack until the system administrators receive the alerts and respond to them. These tools also come with the ability to sort through the logs. For example, Snort is an open source IPS that can analyze traffic in real time, detect various attacks (Snort, n.d.) and take appropriate action to prevent an attack from succeeding.
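The IDS-versus-IPS distinction above expressed as rules, as an added example (not from the paper or from the Snort project): both rules use Snort 2 rule syntax and identical detection logic, so the only difference is the action, which is exactly the difference the paragraph describes. The sid values, the 20-connections-in-60-seconds threshold and the $HOME_NET/$EXTERNAL_NET variables are assumed local tuning, not values from the page.

```snort
# IDS behaviour: the rule only logs and alerts, which is all an IDS does.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL SSH connection burst from a single source"; flags:S; detection_filter:track by_src, count 20, seconds 60; classtype:attempted-recon; sid:1000001; rev:1;)

# IPS behaviour: same detection logic, but when Snort runs inline the matching packets are dropped.
drop tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL SSH connection burst from a single source - blocked"; flags:S; detection_filter:track by_src, count 20, seconds 60; classtype:attempted-recon; sid:1000002; rev:1;)
```

A deployment loads one rule or the other depending on whether Snort is running passively or inline; the alert either way still lands in the logs that the auditor reviews.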
Conclusion
IT auditing is vital in many areas: it is not only vital for troubleshooting systems, it is also very useful for detecting attacks. It is paramount to ensuring that information systems are secure and to evaluating the effectiveness of the control measures put in place throughout the organization's systems. Although the process can generate volumes of logs, there are tools to aid with their analysis, and IT auditing is one more process in the layered approach to security that keeps information systems more secure.
References
Goldberg, D. (2011). General auditing for IT auditors. Retrieved from https://www.isaca.org/Journal/archives/2011/Volume-3/Pages/General-Auditing-for-IT-Auditors.aspx
Magee, K. (n.d.). IT auditing and controls – planning the IT audit. Retrieved from https://resources.infosecinstitute.com/itac-planning/#gref
Majdalawieh, M., & Zaghloul, I. (2009). Paradigm shift in information systems auditing. Managerial Auditing Journal, 24, 352-367. doi: 10.1108/02686900910948198
Norman, M. (2004). The more things change... The Internal Auditor, 61, 60-64. Retrieved from https://search-proquest-com.ezproxy1.apus.edu/docview/202749391?accountid=8289
Office of Financial Management. (2008). Control activities. Retrieved from https://www.ofm.wa.gov/sites/default/files/public/legacy/policy/20.25.htm
Philip, S. (2008). IT skills for internal auditors. The Internal Auditor, 65, 44-48. Retrieved from http://yw6vq3kb9d.search.serialssolutions.com.ezproxy1.apus.edu/?ctx_ver=Z39.88-2004&ctx_enc=info%3Aofi%2Fenc%3AUTF-8&rfr_id=info%3Asid%2Fsummon.serialssolutions.com&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=article&rft.atitle=IT+SKILLS+FOR+INTERNAL+AUDITORS&rft.jtitle=The+Internal+Auditor&rft.au=Philip+Smith&rft.date=2008-08-01&rft.pub=Institute+of+Internal+Auditors%2C+Incorporated&rft.issn=0020-5745&rft.volume=65&rft.issue=4&rft.spage=44&rft.externalDocID=1769705001¶mdict=en-US
Red Hat. (n.d.). Chapter 25: Viewing and managing log files. Retrieved from https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/ch-viewing_and_managing_log_files
Singleton, T. (2014). IS audit basics: The core of IT auditing. ISACA Journal, 6. Retrieved from https://www.isaca.org/Journal/archives/2014/Volume-6/Pages/The-Core-of-IT-Auditing.aspx
Snort. (n.d.). What is Snort. Retrieved from https://www.snort.org/faq/what-is-snort
Zeng, L., Xiao, Y., & Chen, H. (2015). Auditing overhead, auditing adaptation, and benchmark evaluation in Linux. Security Comm. Networks, 8, 3523–3534. doi: 10.1002/sec.1277