Security audit: Knowing system vulnerabilities
Cybersecurity is essential for any company. Through a security audit, you can gather all the relevant information to know the vulnerabilities of the system and protect the business
The security audit is a service of capital relevance for companies and institutions in the digital era. It allows us to know, in all its complexity, the company system and to optimize it. At the same time, a security audit contains possible information leaks. The audit draws a three-dimensional picture that helps to understand the system and optimize vulnerability management.
Because in the cybersecurity world, it’s not only strategic to know how hostile actors act and behave. It is also key to constantly monitor our weaknesses and strengths. And that is precisely what a security audit is for: a thorough and well-documented assessment of the cracks in IT systems through which enemies can slip through.
Methodologies and metrics at the service of analysis
Tarlogic Security uses various methodologies to carry out an IT audit or ethical hacking of a client’s assets. Thus, the company’s technical team makes use of open security review methodologies recognized worldwide, for example OSSTMM, NIST SP 80-115, OWASP, and OWISAM.
Similarly, the cybersecurity company make use of standards such as CVSS for the generation of security metrics, which allow them to classify the impact caused by vulnerabilities and methods for prioritizing threats and their remediation.
Before continuing, we should point out that security audit and penetration testing are not analogous concepts. In the case of pentesting, a series of particular steps are used for the security analysis of an organization. The objective is to identify and exploit existing vulnerabilities, in some cases managing to compromise the system, elevate privileges and execute some subsequent steps such as deleting traces, to replicate what an external or internal intruder in the company could complete.
A security audit or security review focuses instead on the evaluation of a series of security controls that an asset may or may not pass, based on a methodology, security guidelines, or best practices. The result of an audit will show those vulnerabilities identified and the security recommendations to remediate them.
We will now turn to the different approaches that can be used to perform a security audit to identify vulnerabilities, as well as the various types of audits that can be implemented.
How to approach the audit
When carrying out an audit, two different approaches can be used.
First, there is the black box security audit. It is so-called because the personnel performing the analysis have no initial knowledge of the technological infrastructure underlying the IT system. They are therefore going in blind as if they were an external attacker. In addition, the audit team also has no users to interact with applications to be analyzed.
This type of security review is ideal for evaluating systems and applications from the perspective of an external attacker or outsider. With this simulation, it’s possible to identify system vulnerabilities and the level of exposure to an attack as well as weaknesses in authentication and authorization.
Through this type of security audit approach, the team of analysts will collect and analyze the available information, and from this data will try to identify the maximum possible vulnerabilities through manual techniques and the use of other specific tools.
Secondly, an assessment can be carried out from another, more comprehensive approach: The White Box audit. In this kind of approach, the audit team has, from the outset, the necessary information about the assets to be analyzed, including architectures, source code, or user or administration documentation. In addition, depending on the assets, they may have other types of data such as legitimate users.
Based on the existence of all this data, the audit team will not have to focus, as in the previous approach, on the previous collection of information, but will have to focus its efforts on the identification of vulnerabilities and critical elements for the business.
The purpose of this review is to analyze the system and protect it against the majority of attacks or the more sophisticated attacks launched by enemies that have greater resources to access information. Using this analysis, it will be possible to provide the platform with greater protection in the most sensitive areas, protecting the critical information it manages and discovering design flaws, security holes, and weaknesses in the source code.
These two approaches to security auditing are not mutually exclusive. On the contrary, they are complementary, so you can run an audit by opting for a Black Box approach, getting all the information, and preparing for the most likely attack scenarios and then perform a White Box audit, focusing on the critical aspects.
Finally, it’s possible to approach the security review work from a Grey Box approach. In these reviews, partial information is available, such as access to users with different roles or privileges on the platform, but not all the existing information. This type of approach allows speeding up review times, avoiding previous information gathering work, and accelerating vulnerability identification and exploitation processes. In some cases, it can be called post-authentication Black Box.
Approaching the review from several approaches allows knowing the system vulnerabilities in a more precise and complete way, and to develop a more solid defensive strategy.
What type of security audit can be carried out?
In logistical terms, Tarlogic Security offers its clients three ways to perform security audits. Through a project limited in time, through a bag of hours contracted by the business, or recurring advanced services where evaluation criteria are defined with the client. We will now take a brief look at the most common types:
- Web audit. This service audits web technologies in search of existing vulnerabilities. Tarlogic’s team analyzes the data and creates a report with the technological vulnerabilities (Microsoft IIS, Apache, Websphere, Nginx…), code weaknesses (.NET, PHP, Java, Python…), and the threats associated with the application logic. To carry out this assessment, the cybersecurity team uses methodologies such as OWASP, and techniques and tools developed specifically to interact with the services detected. Based on this analysis, web protection can be strengthened.
- Mobile app audit. As its name suggests, it is focused on mobile applications, both Android and iOS, and ultimately any mobile technology. It consists of a set of security tests for testing applications, with the mission of analyzing how they store, transmit and process information. But also in the security offered by the hardware device (terminal), considering it as a hostile environment.
- Audits of eCommerce platforms. It’s very focused on analyzing the availability of the e-commerce platform, to ensure its proper functioning, as well as protecting the confidentiality of customer data, especially payment information. This makes it a key tool to reduce the risk of fraud, a major issue for digital commerce.
- Audits of cloud platforms and containers. These security reviews focus on the analysis of security in the implementation of technologies. We talk about Amazon AWS, Google, and Microsoft Azure, and other recently used technologies such as Kubernetes or Docker. Technologies where failures derived from hardening configurations, cluster failures, like the implementation of network policies, role-based access control (RBAC) settings, administrator privileges, and other means that protect the Kubernetes API server are evaluated.
- Audit of security baselines in operating systems and technologies. This type of analysis studies the correct implementation of baseline guidelines and regulatory compliance, security policies, and the configuration of servers and workstations. In addition, it is used to develop secure configuration guidelines, using hardening. Security guidelines and standards such as those of CIS (Center for Internet Security) are used.
- Internal penetration test. This audit scrutinizes the weaknesses in the access routes to confidential information from the company’s internal infrastructure. Its mission is not to prevent external attacks on the system, but those that may originate from within, either by users who have access to company resources, as employees, former employees, or third parties (insider threats) or by attackers outside the organization, who have gained access to the internal network. This analysis can be very extensive and include specific projects such as an active directory pentest or a SAP security assessment.
- Perimeter security review. Unlike the previous review, this one focuses on the external perimeter of the company. Thus, it analyzes the exposed services (web portals, administration panels, mail servers, DNS…) and applications. The objective, of course, is to know the vulnerabilities of the system, but also of its perimeter. This type of review makes it possible to anticipate possible risks associated with the infrastructure and the organization’s first lines of defense and to avoid possible threats such as those caused recently, for example, by the Log4j weakness.
- WiFi audit. In this audit, a series of actions are carried out to evaluate the deployment and security of the WiFi infrastructure in wireless networks. In addition, the coverage of devices and access points is analyzed and rogue APs are raised in an attempt to trick the user into providing his legitimate WiFi credentials to a fake device introduced by the security analyst. In these cases we use the OWISAM methodology, which was developed by Tarlogic Security and in which 64 different technical control are defined.
- Hardware hacking. Not only software is important in the security management of an organization. Hardware must also be tested and analyzed. This evaluation focuses on devices with physical access, with the aim of identifying security flaws in the different gateways: communication routers, cable modems, IoT devices…
In addition to this complete portfolio of analytical solutions, customized services can also be implemented, designed to suit the customer’s needs. Among them we can highlight four:
- Vulnerability management: Tailor-made services for monitoring the vulnerability lifecycle, from identification to verification of the correct remediation. In this service, we plan together with the client how the service will be managed, the planning, inventory, and deliverables, in time and form.
- Cyber intelligence. It includes a wide range of actions aimed at obtaining relevant information for decision-making. From forensic analysis to counter-intelligence, from security incident response to fraud analysis.
- Red Team. This is a highly specialized team that simulates computer attacks against the client. In this way, it detects the weak points in the entity’s security model and the ways in which the defensive team can be penetrated.
- Bug Bounty. This program rewards researchers who identify security flaws in the system and report them following a code of good practices called Responsible Disclosure. This solution allows the company to learn about system vulnerabilities and fix them before they become public and, therefore, can be exploited by potential attackers.
This whole conglomerate of services and actions aims to create the truest possible picture of a company’s or institution’s system. Only by knowing it perfectly can attacks be prevented and defenses fortified.
Discover our work and cybersecurity services at www.tarlogic.com