DO NOT RE-POST OR COPY.
IT Audit
Stage: Preliminary
Prepared for _______________
Assessment Written by Nicole Tenev
IT Architecture
Preliminary run-through: Physical Network Topology (Attached network map included)
The network spans four buildings, which are interconnected by Ethernet cabling run through an underground conduit.
The upper, lower and office buildings are each equipped with an Ethernet switch and a wireless access point.
The library is equipped with a single Ethernet switch; there is no access point in place.
The entire wireless network is provided by a consumer-grade wireless access point which serves staff, students and guests alike.
The internet is accessed through a SOHO router on a DSL connection rated at 100 Mbps down and 10 Mbps up.
FOR IT PERSONNEL USE ONLY
Network mapping present: Yes | No | Needs improvement:
Physical network topology: Sufficient | Efficient | Needs improvement
Perimeter network in place: Yes | No | Needs improvement:
Risk Exposure: High | Medium | Low
Preliminary run-through: Network Topology
The topology of your existing network is what is known as a “flat network”.
Explanation: For the purposes of this document, a flat network is one in which all devices sit on a single segment with no internal boundaries between them, which leaves the whole network exposed to threats. Any vulnerability present in your organization’s environment is likely to be exploited by an intruder. Examples of vulnerabilities include an operating system without the latest service pack or hotfix applied, a workstation without an antivirus program installed, or a standard user who unknowingly has administrative access to network resources or sensitive information.
It is highly recommended to set up a perimeter network. A perimeter network protects your web servers and controls incoming and outgoing communication.
Explanation: An attacker attempting to gain access will have to overcome several security controls that are in place. One example is to protect your web server by placing it in a DMZ (demilitarized zone). If your website is public-facing and hosted on your own servers, a DMZ allows outside traffic to reach only the content published on the web site and nothing else. A perimeter network places firewalls between the DMZ and the internal network, protecting internal users while securing the web server.
FOR IT PERSONNEL USE ONLY
Network topology: Ring | Star | Bus | Mesh | Hybrid
Network topology efficiency: Yes | No | Needs improvement:
Perimeter network in place: Yes | No | Needs improvement:
Risk Exposure: High | Medium | Low
Network Design
Current network design has no network segmentation in place.
Explanation: In this case, network segmentation is used to separate traffic. The purpose of separating network traffic is to improve network performance by giving each group of users its own route across the network. Without this separation, all network users share the same route, so everyone experiences slow network access and some users may not be able to reach network resources at all. Segmenting (also known as subnetting) lets network traffic take the best route to its destination. This is especially valuable for mission-critical applications that communicate across the network; giving these applications their own route enables quick delivery of critical information. For example, if you run an Exchange mail delivery solution, email sent and received must be delivered promptly, especially when a reply is needed to meet a deadline.
Load Balancing may need to be implemented.
Explanation: Load balancing allows user requests, and services requesting information from a server, to be answered in a timely manner. It requires at least two servers that perform the same function. If a single server is already busy handling requests and cannot answer new ones, a second server takes them on, “balancing” the load evenly between the two. If one server cannot respond to a request, the load balancer sends that request to the second server, which delivers the information promptly. The load balancer uses a scheduling algorithm to decide which server receives each request. By analogy, when a class full of students has numerous questions and only one instructor to answer them, a second instructor makes themselves available to “balance” the load.
Using a single SSID causes network degradation in a wireless network.
Explanation: Using a single SSID for staff, students and guests alike forces everyone onto the same network route. Segmenting access points (creating multiple SSIDs) gives each group of users its own dedicated route across the network. SSIDs are the network names displayed in a list when a laptop, workstation or mobile device connects to a wireless network. Duplicating SSIDs would help the flow of traffic on the network; however, it is better practice to separate them. In addition to creating separately named SSIDs, internal staff should connect to a hidden network, whose name is not broadcast to every Wi-Fi-enabled device in range; note that hiding an SSID only reduces casual discovery and is no substitute for strong encryption.
Implementing IPv6
Network Cabling
Explanation: Network cabling should be secured and not run across the floor, where it presents a tripping hazard. Plenum-grade cable should be used in confined spaces such as inside walls and ceilings; its jacket is fire-retardant and emits less toxic smoke if it burns. In addition, other types of cabling located too close to network cabling can cause interference. Interference (EMI/RFI) is generally caused by electromagnetic or radio-frequency emissions from nearby devices and cables coupling into the network cabling or overlapping with other RF signals. The end result is a network that performs slowly and wireless signals that are weakened.
FOR IT PERSONNEL USE ONLY
Network segmentation: Yes | No | Needs improvement:
Load balancing: Yes | No | Needs improvement:
Wireless SSIDs present: Yes | No | Needs improvement:
Network cabling: Yes | No | Needs improvement:
Implement IPv6: Yes | No
Risk Exposure: High | Medium | Low
Some network equipment only operates at 10 Mbps.
Explanation: Network hardware speeds should meet today’s standards. Much of the information accessed on the internet is published on the assumption of at least a 100 Mbps connection. Accessing information across the network or the internet through hardware that operates at 10 Mbps takes 10 times as long as over a 100 Mbps connection.
Some network hardware is not equipped with the features to meet your organization’s needs.
Explanation: Modern network hardware has built-in features (such as VLANs) that support network segmentation. Please review the Network Security and Network Design portions of this document, which explain the importance of network segmentation. Network segmentation is crucial and should be implemented in any organizational network.
Hardware inventory should be documented.
Explanation: Proper inventory documentation tells an organization what hardware it has purchased and where each item is located (installed in a workstation or held in the inventory room), and keeps that record current. If theft occurs, the organization will discover the item is missing either during a routine inventory audit or when that piece of hardware is needed. Hardware tracking also tells an organization when a piece of hardware needs to be upgraded or replaced as it ages, becomes out of date or obsolete, or is no longer needed.
Hardware firmware
Explanation: Updating your network hardware to the latest firmware addresses issues found in previously released firmware; the same applies to updating the BIOS (firmware) on workstations. Firmware is the software installed by the device manufacturer that enables network and hardware devices to function. After hardware is released for purchase, manufacturers often receive reports of firmware design flaws. A design flaw may be a bug or glitch in the device’s firmware that causes problems for the consumer who purchased it. For example, a firmware problem on a router may cause it to malfunction, sometimes requiring the user to unplug the router from the electrical outlet and plug it back in to regain functionality, or the router may intermittently stop working altogether.
FOR IT PERSONNEL USE ONLY
Network equipment up-to-date: Yes | No | Needs improvement:
Hardware firmware up-to-date: Yes | No | Needs improvement:
Hardware properly inventoried: Yes | No | Needs improvement:
Network cabling: See above
Risk Exposure: High | Medium | Low
Internet Access
An organization of your size, with approximately 100 students, requires a fast internet connection. DSL is better suited to home use, as it serves a limited number of users. A faster connection will allow all staff and students to reach internet resources much more quickly. The key is to find the information you need quickly, without lengthy wait times.
FOR IT PERSONNEL USE ONLY
Sufficient internet connection: Yes | No | Needs improvement:
ISP:
Risk Exposure: High | Medium | Low
Network Documentation
Lack of network documentation.
Explanation: Keeping up-to-date records of your present network configuration lets you track changes as new configurations are introduced. Keeping the original baseline configuration of your network map also gives you a basis for comparison if a change causes problems. Knowing how your network is configured is extremely helpful to any new IT engineers you bring into the organization, as they can familiarize themselves quickly with the current infrastructure. Existing IT personnel benefit from accurate network maps as changes take effect and, if necessary, can roll back a change when an undesired result is discovered.
FOR IT PERSONNEL USE ONLY
Network documented: Yes | No | Needs improvement:
Risk Exposure: High | Medium | Low
Network Auditing
Network auditing should be performed periodically to reassess or re-examine network configuration sets.
Explanation: Routine audits let you revisit and revise your current network infrastructure. Reassessing the configuration may reveal that your business has new needs or no longer requires certain configuration sets. An example would be….
FOR IT PERSONNEL USE ONLY
Network auditing in place: Yes | No | Needs improvement:
Risk Exposure: High | Medium | Low
Network Monitoring
Explanation: Monitoring your network daily helps detect suspicious changes. Establishing a baseline configuration and collecting data over time lets you distinguish normal network activity from abnormal activity. Abnormal activity could be a sudden change in the accessibility of a website, or a long wait when trying to open a shared network folder.
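As an added example (not code from the original assessment), the following Python script shows the baseline comparison described above: an inventory of listening services and a set of share-access timings collected in a known-good state are compared with a fresh snapshot, and new or missing listeners and an unusually slow share access are reported. All host names, ports and timings are constructed sample data.

```python
import statistics

# Constructed baseline: (host, port, service) tuples recorded when the
# network was known to be in a good state.
BASELINE_SERVICES = {
    ("fileserver", 445, "smb"), ("fileserver", 139, "netbios"),
    ("webserver", 80, "http"), ("webserver", 443, "https"),
    ("mailserver", 25, "smtp"), ("mailserver", 443, "https"),
}

# Constructed baseline of shared-folder access times (milliseconds) from the
# same good-state period; these define what "normal" looks like.
BASELINE_SHARE_MS = [42, 38, 45, 40, 51, 39, 44, 47, 41, 43]


def diff_services(baseline, snapshot):
    """Split a new snapshot into listeners that appeared and listeners that vanished."""
    appeared = sorted(snapshot - baseline)
    vanished = sorted(baseline - snapshot)
    return appeared, vanished


def threshold_ms(samples, k=3.0):
    """Upper bound of normal latency: mean plus k sample standard deviations."""
    return statistics.mean(samples) + k * statistics.stdev(samples)


def classify_latency(samples, observed_ms, k=3.0):
    """Label an observed share-access time 'normal' or 'abnormal' against the baseline."""
    return "abnormal" if observed_ms > threshold_ms(samples, k) else "normal"


def daily_report(baseline, snapshot, share_samples, observed_share_ms):
    """Findings an operator should review today, as human-readable lines."""
    findings = []
    appeared, vanished = diff_services(baseline, snapshot)
    for host, port, svc in appeared:
        findings.append(f"NEW listener {host}:{port} ({svc}) - not in baseline, investigate")
    for host, port, svc in vanished:
        findings.append(f"MISSING {host}:{port} ({svc}) - service down or removed?")
    if classify_latency(share_samples, observed_share_ms) == "abnormal":
        findings.append(f"share access {observed_share_ms} ms exceeds baseline "
                        f"threshold {threshold_ms(share_samples):.1f} ms")
    return findings


if __name__ == "__main__":
    # Constructed snapshot: an unexpected RDP listener appeared on the file
    # server and the web server's port 80 is gone; share access took 900 ms.
    today = {
        ("fileserver", 445, "smb"), ("fileserver", 139, "netbios"),
        ("fileserver", 3389, "rdp"),
        ("webserver", 443, "https"),
        ("mailserver", 25, "smtp"), ("mailserver", 443, "https"),
    }
    for line in daily_report(BASELINE_SERVICES, today, BASELINE_SHARE_MS, 900):
        print(line)
```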
FOR IT PERSONNEL USE ONLY
Network monitoring solution in place: Yes | No | Needs improvement:
Risk Exposure: High | Medium | Low
Network Security
There is no firewall in place to protect network users from outside threats or to prevent intruders from accessing your network.
Explanation: Intruders and attackers are constantly seeking access to vulnerable networks. They seek confidential information such as financial records, personal information, usernames and passwords, or they “hijack” your network bandwidth for their own use.
There is no content filtering mechanism in place to protect web users.
Explanation: Content filtering lets you control which types of internet content may be accessed. Examples include denying access to illegal websites or inappropriate material, or blocking a website from displaying content that is hosted on an illegal server.
There is no network segmentation in place to separate privileged users, guest users and high-priority users.
Explanation: In this case, network segmentation is implemented and enforced so that only privileged users can reach confidential network resources. Guest users should be restricted, for example to public-facing information only. Staff users should have access only to the information they need and nothing more. The principle of least privilege should be exercised here.
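As an added illustration (not part of the original assessment), the following Python script checks a segmentation plan of the kind recommended in the Network Design section and in the paragraph above: it verifies that the per-role subnets do not overlap, decides whether a flow between two segments is permitted under a default-deny policy, and flags policy entries that give guests or inbound internet traffic more than public-facing access. The 10.10.0.0/16 address plan, the role names and the allowed-flow list are constructed assumptions, not values from the assessed network.

```python
import ipaddress

# Constructed VLAN plan (assumption): one subnet per user group or role.
VLAN_PLAN = {
    "servers": "10.10.0.0/24",
    "staff":   "10.10.10.0/23",
    "student": "10.10.20.0/22",
    "guest":   "10.10.30.0/24",
    "dmz":     "10.10.250.0/24",
}

# Least-privilege flow policy (assumption): (source role, destination role)
# pairs the inter-segment firewall permits; everything else is denied.
ALLOWED_FLOWS = {
    ("staff", "servers"), ("staff", "dmz"), ("staff", "internet"),
    ("student", "dmz"), ("student", "internet"),
    ("guest", "internet"),
    ("internet", "dmz"),
}


def check_plan(plan):
    """Return problems with the plan: malformed CIDRs or overlapping subnets."""
    problems, nets = [], {}
    for role, cidr in plan.items():
        try:
            nets[role] = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{role}: {exc}")
    roles = sorted(nets)
    for i, a in enumerate(roles):
        for b in roles[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} ({nets[a]}) overlaps {b} ({nets[b]})")
    return problems


def segment_of(ip, plan=VLAN_PLAN):
    """Role of the subnet containing ip, or None if the address is unplanned."""
    addr = ipaddress.ip_address(ip)
    for role, cidr in plan.items():
        if addr in ipaddress.ip_network(cidr):
            return role
    return None


def flow_allowed(src_ip, dst, plan=VLAN_PLAN, policy=ALLOWED_FLOWS):
    """True if traffic from src_ip to dst (an IP or the string 'internet')
    is permitted: same segment, or an explicitly allowed (src, dst) pair."""
    src = segment_of(src_ip, plan)
    dst_role = "internet" if dst == "internet" else segment_of(dst, plan)
    if src is None or dst_role is None:
        return False  # unplanned addresses are denied by default
    return src == dst_role or (src, dst_role) in policy


def audit_policy(policy):
    """Flag rules that contradict the guidance above: guests reaching anything
    beyond public-facing resources, or inbound internet traffic that does not
    terminate in the DMZ."""
    findings = []
    for src, dst in sorted(policy):
        if src == "guest" and dst not in ("internet", "dmz"):
            findings.append(f"guest -> {dst}: guests get public-facing access only")
        if src == "internet" and dst != "dmz":
            findings.append(f"internet -> {dst}: inbound traffic must stop in the DMZ")
    return findings


if __name__ == "__main__":
    print("plan problems:", check_plan(VLAN_PLAN))
    print("guest -> servers:", flow_allowed("10.10.30.5", "10.10.0.10"))
    print("staff -> servers:", flow_allowed("10.10.10.5", "10.10.0.10"))
    print("policy findings:", audit_policy(ALLOWED_FLOWS))
```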
Software applications are running under the local system account.
Explanation: Network applications should run with only the permissions they need to operate. Attackers can gain access to the network through network or server applications running with administrator-level permissions, or by using an application’s credentials to reach other areas of the network. The principle of least privilege should be exercised here.
Multi-featured network firewall needed.
Explanation: Several of your organization’s security needs can be consolidated into a single firewall appliance with anti-virus, anti-spyware, intrusion detection, intrusion prevention and content filtering capabilities built in.
Port security should be implemented.
Explanation: Closing or filtering ports that are not needed, and securing unused switch ports, limits what an attacker can learn about your network through port scanning.
Network Wireless Security may need to be implemented.
Explanation: Using a stronger encryption algorithm for wireless access protects your wireless network from attackers attempting to recover your wireless keys in order to connect to it. WEP is vulnerable because it uses a weak encryption scheme, and attackers use readily available tools to recover WEP keys. A stronger standard such as WPA2 or WPA2 Enterprise makes it far more difficult for an attacker to recover your passphrase or key. You may also consider repositioning your wireless access points so that outsiders cannot see or attempt to connect to your wireless network. Positioning access points and adjusting transmit power and beacon intervals restricts wireless coverage to the areas where your users are located, and makes it harder for attackers to capture wireless packets that may contain sensitive information.
Penetration testing. Performing periodic penetration tests will help keep your network safe.
Explanation: Penetration testing is usually performed by a “white hat” security consultant, who attempts to compromise or infiltrate your network and servers under controlled conditions. Tools used may include protocol analyzers, port scanners and brute-force tools. The purpose is to test how well your network and servers are protected when under a simulated attack. White-hat consultants are brought in specifically to perform these tests, using a series of techniques to attempt to reach company resources. If the consultant breaks through or finds a way around a security flaw, the consultant produces a report of the findings so that IT security personnel know which areas need to be reconfigured to provide stronger security.
Overall Security
User training should be implemented regarding safe practices.
Explanation: Educating your users in security best practices reduces the chance of outside threats compromising or infiltrating your organization. Your end users become aware of attacks such as social engineering, phishing, pharming and tailgating. Training should also introduce other safe practices, such as using strong passwords, locking workstations when not in use and safely disposing of confidential information.
Physical security is at risk.
Explanation: Physical hardware should be secured with locking cables, fasteners and secure storage space. Work areas should be secured to prevent unauthorized access to sensitive company information. A video surveillance system should be in place to monitor access to sensitive areas and to spot intruders attempting to enter company facilities. Unused hardware should be stored in a secured inventory area. Routers, switches, modems and workstations should be secured with locking cables to protect against theft. Servers should be kept in a restricted-access room, and anyone seeking entry should be prompted for multi-factor authentication: combinations such as a username and password plus a key card and PIN, or a biometric such as a fingerprint scan combined with a swipe-card badge.
No backup strategy or disaster recovery plan implemented.
Explanation: An effective backup plan saves time and prevents data loss in an emergency. A data loss prevention procedure helps preserve customer and confidential information. Routine backups should be scheduled daily or weekly. The media used to store backup data depends on your organization’s needs; typically, administrators store backups on a remote network, on tape (one copy onsite and another offsite) or in the cloud. After data loss, the time needed to restore from backup media must not be excessive; this is why administrators may perform full backups weekly with incremental backups daily, or full backups daily. Disaster recovery refers to business continuity: recovering from natural disasters or fires as quickly as possible.
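As an added example (not part of the original assessment), the following Python script works through the restore-time trade-off described above by comparing the two schedules mentioned, weekly full plus daily incremental versus daily full: for a chosen restore point it lists the backup sets that must be applied and the data volume involved, and it also shows the volume each schedule writes to backup media in a week. The backup sizes (500 GB per full, 20 GB per incremental) and Sunday as the full-backup day are constructed assumptions.

```python
from datetime import date, timedelta

FULL_GB = 500   # constructed: size of one full backup
INCR_GB = 20    # constructed: size of one daily incremental (data changed per day)
SIZE_GB = {"full": FULL_GB, "incremental": INCR_GB}


def backup_sets(start, end, strategy):
    """List (day, kind) for every backup taken from start to end inclusive.
    'weekly_full_daily_incr': full on Sundays, incremental on other days.
    'daily_full': a full backup every day."""
    sets, day = [], start
    while day <= end:
        full = strategy == "daily_full" or day.weekday() == 6  # 6 == Sunday
        sets.append((day, "full" if full else "incremental"))
        day += timedelta(days=1)
    return sets


def restore_chain(sets, restore_to):
    """Backups to apply, in order, to recover the state as of restore_to:
    the latest full taken on or before that day, then every later incremental."""
    usable = [s for s in sets if s[0] <= restore_to]
    fulls = [i for i, (_, kind) in enumerate(usable) if kind == "full"]
    if not fulls:
        raise ValueError("no full backup exists on or before the requested restore point")
    return usable[fulls[-1]:]


def restore_cost_gb(chain):
    """Total data that must be read back from media to complete the restore."""
    return sum(SIZE_GB[kind] for _, kind in chain)


def weekly_backup_volume_gb(strategy):
    """Data written to backup media over one Sunday-to-Saturday cycle."""
    week = backup_sets(date(2024, 1, 7), date(2024, 1, 13), strategy)
    return sum(SIZE_GB[kind] for _, kind in week)


def compare(restore_to):
    """Restore chain length, restore volume and weekly backup volume per strategy."""
    start = restore_to - timedelta(days=13)  # keep two cycles of history
    out = {}
    for strategy in ("weekly_full_daily_incr", "daily_full"):
        chain = restore_chain(backup_sets(start, restore_to, strategy), restore_to)
        out[strategy] = {"sets_to_apply": len(chain),
                         "restore_gb": restore_cost_gb(chain),
                         "weekly_backup_gb": weekly_backup_volume_gb(strategy)}
    return out


if __name__ == "__main__":
    # Worst case for the weekly schedule: restoring on a Saturday, six
    # incrementals after the last full.
    for strategy, figures in compare(date(2024, 1, 13)).items():
        print(strategy, figures)
```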
Security controls maintain and enforce the security needs of an organization; strict account management security controls should be implemented and enforced.
Explanation: Four security controls should be implemented in your organization. First, a user ID and password should be required to access all data systems and services within the network and when accessing services on the Internet. Second, account access guidelines should be documented for each type of account used within the organization; for example, user account and group account privileges and systems access should be documented, and the principle of least privilege exercised. Third, account management guidelines cover a number of tasks; the most common are account creation, disablement, lockout and expiration, and the guidelines should state the organizational procedure for each action and the specific conditions that must be met before an account is changed or deleted. Fourth, an individual may hold accounts on many different systems, or more than one account on a single system; managing multiple accounts means documenting every account assigned to an individual, including the privileges, permissions and data access rights of each, verifying that each individual holds only the accounts necessary to perform his or her job, and verifying that the proper level of access is assigned to each account.
Encryption provides confidentiality by protecting data from unauthorized access: encrypted data cannot be read without the corresponding decryption key. Encryption on its own does not guarantee integrity, so it should be paired with an integrity mechanism such as a message authentication code or an authenticated encryption mode. Some form of encryption should also be employed in authentication mechanisms to protect passwords.
Explanation: Using encryption for hard disks, network communication and email, and deploying a PKI, is essential to preserving data integrity and protecting confidential information.
Server security and configuration.
Explanation: Servers should run at peak efficiency, have redundancy, have the latest service packs installed, be upgraded to meet your organization’s needs, be routinely audited and, where appropriate, be implemented using virtualization. Turning off unneeded services reduces the chance of an intruder connecting to a service that happens to be running; disable any service you do not use. If you have an on-premises server, it is also important to maintain environmental controls: proper temperature, humidity and ventilation protect your servers from extreme heat, moisture and poor airflow.
Security Audits
Explanation: Auditing user, group, object and share-level access permissions tells you whether a user or group has more access to network and server resources than it needs. Auditing objects tells you whether an object has too much privilege; an object may be a program, a service, a script, a local system account or a database. If a program requires internet access to function, you can review audit logs to see the permissions and rights it holds. If it has administrative access and reaches the internet, an attacker can exploit that program, using its privileges to reach your organization’s resources or confidential information.
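As an added example (not part of the original assessment), the following Python script performs the account-management and object-privilege checks described in the Security Controls and Security Audits sections above, and covers the local-system-account finding under Network Security: expired accounts still enabled, orphaned accounts of departed owners, individuals holding several administrative accounts on one system, and privileged service objects that also have internet access, plus the per-individual documentation view the Security Controls section asks for. The account records and their field names are constructed assumptions, not a real directory export.

```python
from datetime import date

TODAY = date(2024, 6, 1)  # constructed reference date for the audit

# Constructed records (assumed field names, not any directory's real schema):
# human user accounts and service/object accounts across several systems.
ACCOUNTS = [
    {"name": "jsmith", "owner": "J. Smith", "system": "AD", "type": "user",
     "enabled": True, "admin": False, "expires": None, "owner_active": True},
    {"name": "jsmith-adm", "owner": "J. Smith", "system": "AD", "type": "user",
     "enabled": True, "admin": True, "expires": None, "owner_active": True},
    {"name": "jsmith-adm2", "owner": "J. Smith", "system": "AD", "type": "user",
     "enabled": True, "admin": True, "expires": None, "owner_active": True},
    {"name": "contractor01", "owner": "A. Vendor", "system": "AD", "type": "user",
     "enabled": True, "admin": False, "expires": date(2024, 3, 31), "owner_active": True},
    {"name": "pwilliams", "owner": "P. Williams", "system": "AD", "type": "user",
     "enabled": True, "admin": False, "expires": None, "owner_active": False},
    {"name": "svc-backup", "owner": "IT", "system": "FS01", "type": "service",
     "enabled": True, "admin": True, "expires": None, "owner_active": True,
     "internet_access": True},
    {"name": "svc-print", "owner": "IT", "system": "PRN1", "type": "service",
     "enabled": True, "admin": False, "expires": None, "owner_active": True,
     "internet_access": False},
]


def audit_accounts(accounts, today=TODAY):
    """Return (finding code, detail) pairs for the four checks described above."""
    findings = []
    for a in accounts:
        # Expiration control not enforced: past its expiry date but still enabled.
        if a["enabled"] and a["expires"] and a["expires"] < today:
            findings.append(("EXPIRED_STILL_ENABLED", a["name"]))
        # Orphaned account: the owner has left but the account was never disabled.
        if a["enabled"] and not a["owner_active"]:
            findings.append(("ORPHANED", a["name"]))
        # Privileged object that also reaches the internet: an attacker who
        # compromises it inherits administrative rights on that system.
        if a["type"] == "service" and a["admin"] and a.get("internet_access"):
            findings.append(("PRIVILEGED_OBJECT_ONLINE", a["name"]))
    # Least privilege: one person should not hold several admin accounts on
    # the same system.
    admins = {}
    for a in accounts:
        if a["type"] == "user" and a["admin"] and a["enabled"]:
            admins.setdefault((a["owner"], a["system"]), []).append(a["name"])
    for (owner, system), names in sorted(admins.items()):
        if len(names) > 1:
            findings.append(("DUPLICATE_ADMIN",
                             f"{owner}@{system}: " + ", ".join(sorted(names))))
    return findings


def accounts_by_owner(accounts):
    """Documentation view: every account and its rights, grouped per individual."""
    view = {}
    for a in accounts:
        level = "admin" if a["admin"] else "standard"
        view.setdefault(a["owner"], []).append((a["system"], a["name"], level))
    return {owner: sorted(entries) for owner, entries in view.items()}


if __name__ == "__main__":
    for code, detail in audit_accounts(ACCOUNTS):
        print(f"{code:26} {detail}")
```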
Cloud Computing implementation
Explanation: Your current environment
FOR IT PERSONNEL USE ONLY
Assessment tool executed to gather system wide information: Yes | No | Scheduled date:
Network map performed by IT technician: Yes | No
Penetration testing performed by IT technician: Yes | No | Scheduled:
Firewall: Yes | No | Needs improvement:
Content filtering: Yes | No | Needs improvement:
VLANs needed (if applicable): Yes | No
VLANs implemented: Yes | No | Needs improvement:
Segmentation/subnets in place: Yes | No | Needs improvement:
Internal traffic segmentation present: Yes | No | Needs improvement:
Port security implemented: Yes | No | Needs improvement:
Network protocols: ____________________
Use of IP phones implemented: Yes | No | Needs improvement:
Software or server applications running insecurely: Yes | No | Needs improvement:
Multi-featured network security firewall: Yes | No | Needs improvement:
User awareness / security training: Yes | No | Needs improvement:
Physical security: Yes | No | Needs improvement:
Backup solution present: Yes | No | Needs improvement:
Disaster recovery plan: Yes | No | Needs improvement:
Penetration testing regularly performed: Yes | No | Needs improvement:
Network wireless security: Yes | No | Needs improvement:
Security controls implemented: Yes | No | Needs improvement:
TPM present: Yes | No | Needs improvement:
Hard disk encryption: Yes | No | Needs improvement:
Network communications encrypted: Yes | No | Needs improvement:
Network servers present: Yes | No | Needs improvement:
Server operating system(s) out-of-date: Yes | No | Needs improvement:
Network Redundancy: Yes | No | Needs improvement:
Hard disk Redundancy: Yes | No | Needs improvement:
Server Redundancy: Yes | No | Needs improvement:
Other Redundancy mechanism(s) __________
Operating systems used: Windows ___ | Linux ___ | BSD ___ | Apple iMac ___ | Other ___
Security patching mechanisms present: Yes | No | Needs improvement:
User, group and object management system in place: Yes | No | Needs improvement:
Active directory present: Yes | No | Needs improvement:
Group policy implemented: Yes | No | Needs improvement:
Share-level permissions applied: Yes | No | Needs improvement:
Permissions properly applied: Yes | No | Needs improvement:
DNS server present: Yes | No | Needs improvement:
Other server roles present: Yes | No | Needs improvement:
Server hardware up-to-date: Yes | No | Needs improvement:
Servers routinely audited: Yes | No | Needs improvement:
Security auditing in place: Yes | No | Needs improvement:
User or object permissions routinely audited: Yes | No | Needs improvement:
Orphaned objects present: Yes | No | Needs improvement:
User accounts/computer accounts properly decommissioned: Yes | No | Needs improvement:
Virtualization present: Yes | No | Needs improvement:
Virtualization utilized where needed: Yes | No | Needs improvement:
Environmental controls in place: Yes | No | Needs improvement:
User security training routinely performed: Yes | No | Needs improvement:
Other tasks IT technician is scheduled to perform:
Risk Exposure: High | Medium | Low
Overall
Number of critical risks:
Number of critical vulnerabilities:
Number of items that need improvement:
Security and Efficiency Score:
_______________
Preliminary Evaluation Recommendations: Optimization
Includes several of the issues already addressed in this document:
Load balancing
Network monitoring
Segmentation (subnetting)
Using the proper hardware that will meet your organization’s needs
Fast internet connection speeds
Redundancy
Applying firmware updates
Updating BIOS firmware on workstations and servers
Network and server auditing
Proper network mappings
Perimeter network
Utilizing VoIP as your telephony solution to save time and money
Additional Recommendations: Preliminary Evaluation
Upgrade or replace existing switches to provide manageability, the ability to shape network traffic, and physical and virtual network segmentation across the entire network.
Install a multi-featured network firewall to meet your organization’s security needs.
Upgrade the internet connection to at least 50 Mbps in order to meet your organization’s needs.
Upgrade to enterprise-grade wireless access points to provide wireless network segmentation and take advantage of the advanced features they offer to meet your business needs.
Create up-to-date network documentation and continue to keep it updated.
Implement user awareness / security training and adopt it into your current organizational policies and procedures.
Deploy a network monitoring solution to track network changes.
Secure network cabling and use plenum-grade cabling inside walls and ceilings. Route cables to avoid EMI or RFI (if applicable).
The information contained in this document is privileged. This document is the property of _____ and ______. No part of the information in this document may be shared with any third party unless explicit written permission is given. This is an agreement by and between _____ and ______. Any attempt to copy or misuse this information will be subject to confidentiality laws.