Best Practices for Performing a Security Audit from Laura Chappell

I was talking with Laura Chappell about useful security tips since she "lives and breathes" security. As a bit of background, last year she received the international Award for Professionalism founded by the NPA and given out at the Interop Conference in Vegas. Some of you may have caught her packed sessions at Microsoft TechEd conferences or HP Enterprise Symposiums. I know from my talks with some of you that you are familiar with her "Internet Safety for Kids Project," which she founded together with the "Protocol Analysis Institute."

Anyway, I asked her about the best ways to perform a security vulnerability audit on your network, and she provided this list:

***
Well, Stephen, there are so many ways to go about this so I'll just start spewing out options:

  1. Identify assets (risk assessment)
  2. Prioritize the audit focus (separate the task into smaller chunks)
  3. Differentiate between intrusive and non-intrusive audit procedures
  4. Map the network from outside and inside the firewall
  5. Audit server and client software and hardware
  6. Examine software/hardware audit results against an ‘acceptable’ list
  7. Examine log files and log file usage
  8. Audit routers, firewalls and critical infrastructure devices
  9. Verify system and user configurations
  10. Audit application traffic for cleartext data transfer or unusual dependencies
  11. Audit all network access points (dial-in, wireless, tunnels, partner/consultant links)
  12. Audit security training information for users, management, consultants
  13. Check against industry-known vulnerabilities
  14. Audit antivirus and anti-spyware capabilities and status
  15. Audit patch and fix levels for hosts and servers (multiple OS types too)

***
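To show how several of Laura's steps (5, 6, 10 and 15) turn into a repeatable check, here is an added example that is not from the interview or from Laura's own tooling: it compares a constructed host inventory against an 'acceptable' baseline of approved packages and minimum patch levels, and flags listening services that move data in cleartext. The package names, versions, port list and host records are all constructed sample values.

```python
"""Audit a constructed host inventory against an 'acceptable' baseline.

Steps 5/6: compare installed software to an approved list.
Step 15:   flag packages below the minimum (patched) version.
Step 10:   flag services that carry credentials or data in cleartext.
All baseline and inventory values below are constructed samples.
"""
from dataclasses import dataclass, field

# Constructed baseline (assumption): approved package -> minimum version tuple
APPROVED = {"openssh": (5, 3), "apache": (2, 2, 15), "openssl": (0, 9, 8)}
# Well-known ports whose default protocols transfer data in cleartext (step 10)
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http", 110: "pop3", 143: "imap"}


@dataclass
class Host:
    name: str
    software: dict                 # package -> installed version tuple
    listening: set = field(default_factory=set)   # TCP ports found listening


def parse_version(text):
    """'2.2.14' -> (2, 2, 14); non-numeric components are ignored."""
    return tuple(int(p) for p in text.split(".") if p.isdigit())


def audit_host(host):
    """Return (host, finding-type, detail) tuples for one host."""
    findings = []
    for pkg, ver in host.software.items():
        if pkg not in APPROVED:
            findings.append((host.name, "unapproved-software", pkg))
        elif ver < APPROVED[pkg]:   # tuple comparison handles 2.2.14 < 2.2.15
            shown = ".".join(str(n) for n in ver)
            findings.append((host.name, "below-minimum-patch", f"{pkg} {shown}"))
    for port in sorted(host.listening & set(CLEARTEXT_PORTS)):
        findings.append((host.name, "cleartext-service", f"{CLEARTEXT_PORTS[port]}/{port}"))
    return findings


# Constructed inventory: what a scan of two hosts might have reported
INVENTORY = [
    Host("web01", {"apache": parse_version("2.2.14"), "openssl": parse_version("0.9.8")}, {80, 443}),
    Host("file01", {"openssh": parse_version("5.3"), "vsftpd": parse_version("2.0.5")}, {21, 22}),
]


def audit(inventory=INVENTORY):
    """Audit every host and return the combined findings list."""
    return [f for h in inventory for f in audit_host(h)]


if __name__ == "__main__":
    for finding in audit():
        print("%-8s %-22s %s" % finding)
```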

Laura shares more of her best practices and provides her viewpoint on security in an upcoming interview. Look for it here...

Thank you,
Stephen Ibaraki