How to Perform a DIY Security Audit

A security audit can be an important measure of your organization's readiness to fight off cyber attackers, but you have to do the right audit of the right stuff.

By now, you've heard plenty of horror stories about malware and phishing attacks, you know about ransomware, and you've heard about how foreign governments are helping attack major companies in the US. It's all pretty alarming, but those stories don't really provide much guidance on what you can do to protect your business. 

One good way to learn whether you're protected sufficiently is to have a security audit. This will take you through the process of finding security errors and vulnerabilities in your network configuration. But be aware that while you can venture forth on your own, some types of audits require an outside professional.

First, here are some questions that need to be answered.

  • What type of audit? If it's a formal compliance audit, you'll need to involve a third party to certify your compliance. If you're confirming readiness for regulations such as the GDPR or CCPA, you'll need to download the requirements and use them as a guide.
  • Who is going to perform the audit? The person on your staff who is primarily responsible for security should not conduct the audit. You need a fresh set of eyes.
  • Do you suspect fraud or some other illegal or unethical activity? If you suspect criminal activity, you need to involve law enforcement. Otherwise, you should involve someone not suspected of participation.

But if you're looking for an indication of your overall security, you can do the audit yourself once you've appointed the staff member who will direct it. First, you need to look at the big picture:

  • Determine the scope of the audit. You can't audit everything at once. Perhaps you can audit the security of your website, your ecommerce operation, or your internal network. You may also consider testing your ability to recover data from backup.
  • Decide on the goal. If you're just trying to detect obvious gaps, you may not need a detailed report.

Now you need to divide your security picture into areas of focus. You may want to do these separately, or involve multiple people and do more at once.

Physical Security

If the bad guys have physical access to your network, they can do anything they want. You'll need to make sure that:

  • All network equipment, including servers, switches, and routers, is behind a locked door.
  • Access to network equipment uses a method of recording entry and exit, such as an electronic combination lock or (preferably) a key card system.
  • Access is monitored through video or personnel.
  • Alarms are in place for unauthorized entry, fire, flooding, smoke, and other environmental hazards. These alarms should be monitored.

Access Security

By now you know that you have to control access to your data. That's why you have passwords.

  • Confirm that you have basic access security in place, such as passwords, and that you have basic requirements as to their length, complexity, and frequency of updates. You may also want to include biometrics as an access method.
  • Confirm that access is limited to those who have a specific need for the data.
  • Confirm that all corporate data, including your company phone directory and email directory, are protected with access control.
  • Check for network segmentation by function. This means that some job functions are prevented from having access to inappropriate areas on your network. Your forklift drivers probably don't need access to the accounting network, and the HVAC repair contractor doesn't need access to the point of sale network.
  • Confirm that internet-facing services, such as your website, are separated from your internal corporate network. This means completely separate: on a totally different network.
  • Confirm that you have a means to notify IT at once of employee separations, so that those accounts can be blocked or deleted immediately.

Data Security

Even if the bad guys get into your network, you can still be protected if they can't find or can't use your data.

  • Confirm that your organization's data is encrypted. Windows 10 and Windows Server can do this just by changing a configuration setting. Other operating systems may require different steps, but all of the data should be encrypted. 
  • Make sure your encryption keys are kept somewhere besides on the device being protected. A USB key inside a locked safe is a good place.
  • Confirm that you have adequate anti-malware software installed, that it's kept updated and set to monitor your systems in real time. The software should be able to detect malware signatures and also suspicious activity. Monitor your email and your employee browsing activity, as well.
  • Confirm that your data is encrypted in transit as well as when it's stored on disk. This means that all communications should be encrypted using a VPN or other means, and that the remote network operator is trusted.
  • Check to confirm that your cloud services have security and encryption enabled. You should plan on having a separate security audit of your cloud services.

System Security

Resist the temptation to delay updates to your operating systems or applications. If your IT manager says they're too busy, find another manager. If your application vendor says they can't respond to updates right away, fire the vendor.

  • Confirm that you have practices in place to apply system patches and endpoint updates immediately. This may mean adding an update server to your network.
  • Consider adding a security appliance, such as the SonicWall devices available through Dell. These appliances have the ability to scan for vulnerabilities, scan for malware, and create VPN connections.
  • Consider performing vulnerability tests for your internet-facing networks using OWASP or another vulnerability assessment service. OWASP is the Open Web Application Security Project, and it contains a wealth of information, including a list of assessment tools.
  • Confirm that you're applying firmware updates to your devices, including servers and infrastructure equipment, as soon as available.
  • If you have any hardware that's outdated, or running OSs that are no longer being supported, retire and refresh. Keeping older servers connected to the internet is a recipe for problems.

Personnel Security

Your staff can be the strongest part of your security or the weakest. This is a factor over which you have complete control.

  • Confirm that your organization has a comprehensive staff security manual, and that it's up to date. Check to make sure it reflects current best practices for your industry.
  • Confirm that your staff receives regular training on security, including impromptu tests and walk-throughs of attack scenarios.
  • Confirm records of training and testing of each staff member.
  • Make sure each staff member knows how to report real or suspected security threats, phishing attempts, or other security concerns, including risky practices of other staff or visitors.
  • Consider a rewards program for reporting security concerns.
  • Ensure that staff gets positive feedback for adopting a correct security posture.
  • Check to ensure that daily security practices are followed. This could mean getting a stranger to try to access the server room, or testing staff to see if they can handle a simulated phishing attack.

Record Everything

Even if a formal report of your security audit isn't required, make sure that a detailed record is available of the findings and recommended actions, and then make sure you take those actions. Information security isn't about snooping or getting people in trouble; it's about safeguarding sensitive data and protecting your business, your customers, and your employees.