
Network Security Audit Case Study

This is a case study of a Network Security Audit that Dionach performed for an insurance company based in the UK. Some of the information has been changed or omitted to maintain confidentiality.

Background

The organisation carries out much of its business online and felt that an independent view of its internal and external network security was required. It selected Dionach to carry out both an external penetration test, to assess perimeter security, and an on-site network audit, to assess internal security.

Internal Audit

Three Dionach consultants carried out the internal audit, with one of them nominated as the lead auditor. This lead auditor liaised with the organisation's Information Security Officer (ISO). The purpose of the audit was to determine the actual technical setup and compare it to best practice.

The ISO and other staff with appropriate knowledge were interviewed to gain an understanding of the network, servers and LAN. This allowed an up-to-date network diagram to be created. Copies of the existing network diagrams and the security policy were also taken.

The lead auditor then assigned consultants to audit the configuration of firewalls, routers, web servers, database servers and domain controllers, and to take samples of other workstations. Antivirus, email, network topology and physical security were also areas that were examined.

Throughout the process, the staff responsible for each area being audited were interviewed further as required.

Report

At the end of the on-site process, the lead auditor held a meeting with the ISO to provide an initial oral report of findings.

The final output was a comprehensive, detailed report consisting of an executive summary, a section for the external penetration test, a section for the internal network audit, and a technical summary.

The executive summary first stated that the overall security of the network represented a medium risk. Most elements of the network were configured securely, and the recent introduction of a group security policy would reinforce and improve security awareness.

The executive summary also listed the following issues:

  • The external security risk was low, although one of the firewall configurations permitted outbound connections from a server. If that server had a vulnerability, an attacker who exploited it could use those outbound connections to compromise it more easily.
  • Although anti-virus was in place at the perimeter, on email and on the servers, the individual user workstations were not protected. Workstations were also not being patched, so if a virus or worm reached the internal network it would spread unhindered.
  • There was no intrusion detection system (IDS) in place; the external penetration test went unnoticed by the organisation. Since the organisation depended on online business, Dionach strongly recommended a monitored network IDS.
  • A password audit of the domain user accounts showed that many users had simple passwords. Although the security policy gave guidance on choosing strong passwords, there was no technical mechanism enforcing them.
  • A number of internal SQL Server databases had blank administrator passwords and service pack levels that were not up to date.
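
The password finding is the one most easily checked mechanically. The following Python script is an added example, not Dionach's audit tooling or anything from the report: it applies the rules of the Windows domain "password must meet complexity requirements" setting (minimum length, no occurrence of the account name or of display-name tokens of three or more characters, at least three of the five character classes) to a constructed list of sample accounts, and adds a small constructed denylist because a password such as Password1 satisfies complexity and would still fall to a wordlist attack. The account names, display names, passwords and denylist entries are all invented for the example.

```python
"""Password audit against a Windows-style complexity policy.

Added illustration, not Dionach's tooling. Reproduces the rules of the Windows
"Password must meet complexity requirements" setting and a denylist check, run
over constructed sample accounts (no data from the audited organisation).
"""
import re

# Delimiters Windows uses to split the display name into tokens.
_TOKEN_SPLIT = re.compile(r"[,.\-_ #\t]+")


def _char_classes(password):
    """Count how many of the five Windows character classes appear in the password."""
    return sum([
        any(c.isupper() for c in password),                       # A-Z
        any(c.islower() for c in password),                       # a-z
        any(c.isdigit() for c in password),                       # 0-9
        any(not c.isalnum() for c in password),                   # punctuation, symbols
        any(c.isalpha() and not c.isupper() and not c.islower()   # alphabetic, no case
            for c in password),
    ])


def complexity_failures(password, sam_account_name, display_name, min_length=8):
    """Return the list of complexity rules the password breaks (empty if it passes)."""
    failures = []
    lowered = password.lower()
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    # Windows skips the account-name check when the name is under three characters.
    if len(sam_account_name) >= 3 and sam_account_name.lower() in lowered:
        failures.append("contains the account name")
    for token in _TOKEN_SPLIT.split(display_name):
        if len(token) >= 3 and token.lower() in lowered:
            failures.append(f"contains display-name token {token!r}")
    if _char_classes(password) < 3:
        failures.append("fewer than three character classes")
    return failures


# Constructed denylist: passwords that satisfy complexity yet are trivially guessed.
# A real deployment would use a banned-password list or a breach corpus.
COMMON_PASSWORDS = {"password1", "welcome1", "qwerty123", "letmein1", "company1"}


def audit(accounts, min_length=8, denylist=COMMON_PASSWORDS):
    """Check (sam_account_name, display_name, password) tuples.

    Returns {account: [reasons]} for every account the policy would reject.
    """
    findings = {}
    for sam, display, password in accounts:
        reasons = complexity_failures(password, sam, display, min_length)
        if password.lower() in denylist:
            reasons.append("appears in the common-password denylist")
        if reasons:
            findings[sam] = reasons
    return findings


# Constructed sample, as a password audit would see it once hashes are recovered.
SAMPLE_ACCOUNTS = [
    ("jsmith", "John Smith", "Password1"),     # meets complexity, fails denylist
    ("ajones", "Alice Jones", "alicej99"),     # display-name token, two classes
    ("bpatel", "Bikram Patel", "bpatel2024"),  # contains the account name
    ("clee", "Chris Lee", "Tr0ub4dor&3"),      # passes every check
    ("dwhite", "Dana White", "Sun!23"),        # too short
]

if __name__ == "__main__":
    results = audit(SAMPLE_ACCOUNTS)
    print(f"{len(results)} of {len(SAMPLE_ACCOUNTS)} sample accounts would be rejected")
    for account, reasons in results.items():
        print(f"  {account}: {'; '.join(reasons)}")
```

Turning the same rules on at the domain level (the policy's minimum-length and complexity settings) closes the gap the report noted between written guidance and enforcement. The denylist step is the part a built-in complexity filter does not provide, and it is worth re-running each time a password audit is repeated.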

Further detail and recommendations were provided in the rest of the report.

The external audit section listed the external test results in detail, with a technical summary of issues and recommendations, for which there were few.

The internal audit section listed the areas audited together with a diagram of the network topology. Good security practices were highlighted as were areas where security could be improved:

  • Antivirus protection
  • Physical security
  • Information security
  • Wireless connectivity
  • Database servers
  • Firewall configurations
  • DMZs
  • Perimeter security

Finally, the report provided a summary of conclusions with issues listed in order of risk, with the most critical first.

Presentation

The report was then agreed with the organisation, and presented to them face to face to ensure that the organisation gained the most value from the audit and the report.

The organisation then proceeded to prioritise and resolve the issues.