- Oxford: +44 (0)1865 877830
- Manchester: +44 (0)161 713 0176
- Edinburgh: +44 (0)131 541 0118
- New York: +1 646-781-7580
- Minneapolis: +1 612-324-7410
- Bucharest: +40 316 301 707
This is a case study of a Network Security Audit that Dionach performed for an insurance company based in the UK. Some of the information has been changed or omitted to maintain confidentiality.
The organisation carries out much of its business online and felt that an independent view of their internal and external network security was required and selected Dionach to carry out both an external penetration test to assess perimeter security, and an on-site network audit to assess internal security.
Three Dionach consultants carried out the internal audit, with one of them nominated as the lead auditor. This lead auditor liaised with the organisation's Information Security Officer (ISO). The purpose of the audit was to determine the actual technical setup and compare it to best practice.
The ISO, together with other staff with appropriate knowledge, were interviewed to gain an understanding of the setup of the network, servers and LAN. This allowed an up-to-date network diagram to be created. Copies of existing network diagrams and the security policy were also taken.
The lead auditor then assigned consultants to audit the configuration of firewalls, routers, web servers, database servers and domain controllers, and to take samples of other workstations. Antivirus, email, network topology and physical security were also areas that were examined.
Throughout the process, the staff responsible for each area being audited were interviewed further as required.
At the end of the on-site process, the lead auditor held a meeting with the ISO to provide an initial oral report of findings.
The final output was a comprehensive, detailed report consisting of an executive summary, a section for the external penetration test, a section for the internal network audit, and a technical summary.
The executive summary first specified that the security of the network represented medium risk. Most elements of the network were configured securely, and the recent introduction of a group security policy would reinforce and improve security awareness.
The executive summary also listed the following issues:
Further detail and recommendations were provided in the rest of the report.
The external audit section listed the external test results in detail, with a technical summary of issues and recommendations, for which there were few.
The internal audit section listed the areas audited together with a diagram of the network topology. Good security practices were highlighted as were areas where security could be improved:
Finally, the report provided a summary of conclusions with issues listed in order of risk, with the most critical first.
The report was then agreed with the organisation, and presented to them face to face to ensure that the organisation gained the most value from the audit and the report.
The organisation then proceeded to prioritise and resolve the issues.
© Copyright 2018 Dionach