Posts Tagged ‘network security auditing’


Network Security Auditing

Wednesday, September 15th, 2010

The word "audit" brings a lot of scenes to mind, and a lot of unpleasantness is associated with it. A network security audit does ring the same bell as a tax audit, though in an altogether different sense. In a regular tax audit, people physically go through your files; in a network security audit, they crawl through the virtual world of the computer network.

Network security auditing is an approach to auditing networks in order to ensure their safety. In the overall information systems audit framework, the audit of networks is one piece of a big puzzle. The other pieces are audits of application software, databases and so on.

A Network Security Auditor’s job is to gather information about the network, understand it, and review it in order to complete the audit of network security.

The first step in a Network Security Audit is to determine the extent of the network. A typical way to do this is to examine the network diagram, which shows all the routes available on the network. The Network Security Auditor has to ensure that this diagram is accurate.

Businesses change, and the network diagram needs to be updated with these changes. The auditor has to observe the processes the organization uses to update and maintain the diagram accurately. Particular areas of the network, such as data centers where ERP servers are hosted and the points from which they are accessed, are of great importance to the auditor. Complex networks may have many hosting points where critical resources are located. The network diagram also tells the auditor which types of devices and protocols are used in the network, and it can be used as a reference throughout the audit.

Once the Network Security Auditor understands the pressing issues in the key areas of the network, he moves on to gathering information about the critical assets, systems and services that need to be secured. These include enterprise systems such as ERPs, mail servers and other internal applications; web servers that host applications accessed by customers and vendors; and the network and its components. The security and access mechanisms surrounding these applications and servers therefore also need to be strong.

The Network Security Auditor then assesses who has access to the network and for what reasons. Do any employees access the network from outside the office? Do any customers or vendors access the systems? Is the network accessed via the Internet, or is there a remote access mechanism? The answers to these questions have a strong impact on network security.

After examining all access and modes of access, the auditor moves on to the network’s connections with external networks. The auditor could begin this examination in the first step itself by analyzing the diagram. However, a sincere auditor should treat it separately. An external network brings its own threats to the network security of a company. Companies access the Internet for various purposes depending on the nature of the job performed. The simplest may be employees browsing sites or reading and sending mail. On a more sophisticated scale, some companies’ business depends on e-commerce websites through which they conduct business and exchange information with other companies. Hence there are sensitive points through which information enters and leaves a company.

Now that the Network Security Auditor knows which systems are accessed internally and which externally, he can determine where to install firewalls and intrusion detection systems. To ensure internal security, the gateways to the external networks should be secured. Threats from outside are checked first, then threats from inside, and a plan to enhance security can be put in place. The Network Security Audit can now offer protection mechanisms by evaluating their effectiveness and adequacy.

www.DataTriage.com, a leading expert in Computer Forensics, Network Forensic Analysis, Network Security Auditing and Network Vulnerability Services.

Network Forensic Analysis Tools to Assess Network Vulnerabilities

Friday, October 24th, 2008

Every organization today has some type of network security policy to protect its systems, but when those policies are violated by an attack, forensic analysis plays a crucial role. Evidence in computer forensics may take many forms, gathered with the help of network forensic tools.

Many network analysis tools are now available that produce reports detailing potential problems, for example by monitoring networked computers for possible vulnerabilities or by checking the network for all the methods a hacker might use to attack it. Some of these forensic tools are specially designed for networks.

For example, DNA (Distributed Network Attack), a new approach in computer forensic analysis, is one of the most efficient forensic tools for recovering password-protected files. The tool was a major advance because recovery, which was earlier limited to the processing power of a single machine, can now be distributed across a network.

Once the DNA tool is installed on the server, it has access to the network and can use the processing power of different machines to decrypt the passwords. The DNA manager is responsible for coordinating the attack, assigning small portions of the key search to machines distributed throughout the network. With the use of this forensic tool, the liability of the client to commit mistakes can be avoided.

There are other forensic tools, some designed for analysis of network activity and some intended for log aggregation or analysis. Through these forensic tools you can see the services operating over the network, such as files being opened and closed.

A network security audit helps reduce the possibility of network downtime by discovering security incidents and attacks on the LAN, WAN or intranet. To address network security concerns, you can also commission external and internal security audits to identify and eliminate any security vulnerabilities in your systems.

An external audit tests your network devices and servers for vulnerability to a wide range of exploits, viruses, worms and other common internet attacks, whereas an internal security audit starts with threat discovery, which covers frequent virus outbreaks, unauthorized access to sensitive e-mail or documents, and so on.

Domain hijacking, machine break-ins, cracking of user passwords, retrieval of sensitive documents, and physical access to sensitive hardware or software can also be analyzed with these audits.

Once the analysis or audit is completed, you can easily eliminate the network security problems. These audits also apply to storage area networks and network-attached storage. With the help of a network forensic tool you can identify and respond to computer crimes and policy violations, not just investigate historical incidents.


Tips To Protect Your Server From Getting Hacked

Monday, September 15th, 2008

As we know, when you visit a web page or interact with any web application on the internet, some information about you is stored on the server. When hackers get into a hosting server, they try to obtain root access and learn confidential database details that are off-limits to regular visitors. They crack users' personal information and steal the credit card numbers that users submit while making a purchase through the website.

Not sure how a server gets hacked? Want to know more about how servers are hacked and how you can protect yours?

Most of the time, servers are hacked because the attacker is able to run server-side scripts, or because data in transit is not protected or encrypted. Hackers work in different ways and are often divided into white hat hackers and black hat hackers. White hat hackers find a security flaw in a website script or in software and make it public, whereas black hat hackers are malicious: they tamper illegally with software installed on your computers and tell other users how to do the same.

Hackers breaking into your server are difficult to find, as they are not easy to spot. Script kiddies use free hacking programs called “exploits” and distribute them over the internet.

When you suspect malicious software, you must be able to react quickly to contain the outbreak. If your server has come under attack by a hacker, here are some tips on how you can protect it:

1. Disconnect the system from the network

If you suspect your server is infected, simply disconnect the system from the network to isolate it from any infected programs. Rather than fixing the current problem, leave the system on the network and document this in the reports for your incident response plan.

2. Discover the method used by the hacker

To overcome the problem you need to know the method the hackers used, as they use different types of hacking techniques. Using software tools like Tripwire, you can identify which files were uploaded, added or changed on the system. Also find the owner of those files, which tells you which application the hacker used to break into the server. Investigate the files that were uploaded to the server, as they might provide valuable information about the attack.

3. Information from the running scripts launched by the attacker

Use the lsof (list open files) command, which lists the files opened by all processes, including disk files, pipes, network sockets and devices, along with the user who owns them; from this information you can find the source of the attack. Also use rootkit detection tools like rkhunter or chkrootkit to scan for possible local exploits and to detect common attacks. These tools also check whether commands have been modified and perform various checks on the network interfaces.

4. Stop all the attacker scripts and remove the files

Now that you have identified the cause of the attack on the server, you can safely stop the running scripts launched by the attacker, save all of the attacker's files in a different location for further investigation, and remove them from the server. Once you know the method used by the hackers, you can stop it and restore network services such as mail and DNS.

These steps are helpful, to some extent, in recovering the server from the variety of attacks you might encounter, and can be used as a baseline to develop your own plan of action. You can also go for the Data Triage Intrusion Detection and Prevention Products, which provide comprehensive and easy-to-use protection against current and emerging threats at both the application and network layer.