Cyber (IT) Security Audit & Assurance
A comprehensive audit of the entire IT infrastructure of an organization including its End point computers, Servers, Networking Devices, Wi-Fi, Firewall, Switches, Router, Web applications, Mobile applications, E-Mail, Communication devices, Storage technologies, Physical security etc. is conducted by a team of empanelled certified technical professionals.
The scope of the audit is as follows :
- Gap Analysis and Review of the existing IT Security Policies and Controls with best practices & IT Security Standards
- Risk Assessment and Vulnerabilities Assessment of various computer resources
- Penetration Testing and possible exploitation of the vulnerabilities in the various computer resources
In this digital era, an organization must comply with different data security laws, rules, guidelines, regulations and international standards like
- Indian IT Act (Section 43A: Compensation for failure to protect data),
- Schedule II, Indian IT Act, Information Security Guidelines,
- ISMS ISO/IEC 27001:2013, COBIT, ITIL & Cyber Security framework,
- Payment Card Industry Data Security Standard also known as PCI-DSS,
- General Data Protection Regulation (GDPR),
- Computer Emergency Response Team India (CERT-In) Audit Guidelines
- National Critical Information Infrastructure Protection Centre (NCIIPC) guidelines to audit the critical IT Infrastructure
- Reserve Bank of India (RBI) : Guidelines on Information security, Electronic Banking, Technology risk management and cyber frauds by RBI, Data Localization,
- Cyber Security & Cyber Resilience framework for Stock Brokers/ Depository Participants by SEBI,
- Insurance Regulatory and Development Authority (IRDA) Guidelines on Information And Cyber Security For Insurers
- Insurance Self-Network Platform audit guidelines by IRDA
- Privacy, Security and Ownership of the Data in the Telecom Sector by Telecom Regulatory Authority of India (TRAI),
- Compendium of Regulations, Circulars & Guidelines For (Authentication User Agency (Aua)/E-Kyc User Agency (Kua), Authentication Service Agency (ASA) and Biometric Device Provider) by Unique Identification Authority of India (UIDAI) etc.
A web application penetration test focuses on evaluating the security of a web application. It involves in active analysis of the web application for any weaknesses, technical flaws or vulnerabilities.
Important References: OWASP Top 10, SANS top 25, WASC, CWE top 25 most dangerous software weaknesses
It evaluates an application and its security along with a various mobile applications threat vectors to identify vulnerabilities.
Reference: OWASP Mobile Security Testing Guide, Vetting the Security of Mobile Applications by NIST (National Institute of Standards and Technology
It helps to determine the effectiveness of network security in resolving underlying network security issues. It includes audit of all network devices like firewall, router, switches, wireless networks, servers, end point computers etc.
It is a method of evaluating all Wireless devices like Wi-Fi or Bluetooth and their related Security aspects by simulating attacks against authentication, encryption or other attacks like man in the middle attack, DDoS Attack etc.
For conducting the Online Evaluation & Examination, there are certain general principles and guidelines which are essential to provide reasonable security practices and procedures of the examination system. It is the responsibility of the organization who conducts online examination to develop internal processes that meet the guidelines set for the security through physical access control, site location, offsite backup, change and configuration management, network and communication security, system security, audit procedure, retention and protection of audit log, vulnerability assessment & penetration testing personal security controls and documentations. Our organization have rich experience of IT security audit of online examination & assessment platforms.
A payment gateway is an online payment solution which empowers merchants to accept payment online including credit card, debit card, direct debit, bank transfer and real-time bank transfers. Payment gateway protects sensitive customer data like credit card number & CVV, netbanking credentials etc. by encrypting the traffic to ensure that the information is passed securely between customer & merchant.
Following security issues occurs in payment gateway audit:
- Network level: Any security risk present in underlying network infrastructure may lead to the compromise of payment gateway. Therefore ensure that the devices & servers are configured properly and network perimeter is also defended against unauthorized access.
- Transaction level: The security concerns at transaction level include accepting an invalid transaction, for example – ‘0’ amount transaction, negative amount transaction and transaction with invalid details etc. Hence before accepting any transaction for processing, its validity should be checked properly.
- Application level: This level is about the coding standard of payment gateway and subject to application security risks like – SQL injection, XSS, Direct URL Access, CSRF etc.
Vulnerability reference: OWASP top 10 vulnerabilities, WASC, CWE, SANS top 25
Guidelines & Standards:
- Guidelines on Regulation of Payment Aggregators and Payment Gateways (https://rbidocs.rbi.org.in/rdocs/notification/PDFs/NT17460E0944781414C47951B6D79AE4B211C.PDF )
- PCI-DSS: The Payment Card Industry has developed security standards for handling cardholder information in a published standard called the “PCI Data Security Standard.” The security requirements defined in the DSS apply to all members, merchants, and service providers who store, process, or transmit cardholder data.
- Payment Application Data Security Standard (PA –DSS): The goal of PA-DSS is to help software vendors and others develop secure payment applications that do not store prohibited data, such as full magnetic stripe, CVV2 or PIN data, and ensure their payment applications support compliance with the PCI DSS. PCI PA-DSS is the standard against which Payment Applications have been tested, assessed, and validated.
Following is the data storage permit as per PCI-DSS.
An ERP audit is an investigation into aspects of that organization’s ERP systems, An ERP audit expresses an opinion whether the records and processes are adequate. ERP systems contain the transactions of all kinds that yield that business’ financial statements. Access control is most important aspect in the ERP audit.
- ERP stands for Enterprise Resource Planning and refers to software and systems used to plan and manage all the core business operations like supply chain, manufacturing, services, financial, accounts and other processes of an organization. Top ERP Service providers in year 2020 is :
- SAP (Business one, ERP, S/4 HANA)
- Microsoft (Dynamics 365, Dynamic GP, Dynamic SL)
- Oracle (Netsuite ERP, ERP Cloud, JD Edwards Enterprise one)
- Sage (Sage intact, Sage 100, Sage 300)
- Epicor (Epicor ERP, Epicor Prophet, Epicor Eclipse)
- Infor (Cloud suite) etc.
Source code security analysis (source code review) is the examination of an application source code to find errors overlooked in the initial development phase. A tester launches a code analyzer that scans line by line the code of an application. Source code review checks the quality of the web application code.
Review: Review occurs in Differential, before changes are published.
Audit: Audit occurs in Diffusion, after changes are published.
Cloud computing, as defined by the National Institute of Standards and Technology (NIST), is “a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. Three service models are commonly implemented in the cloud: software as a service (SaaS), platform as a service (PaaS) and infrastructure as a service (IaaS). In each of these service types, security is a significant challenge. Security audits provide a clear and recognizable trail of resource access for various organizations.
- ISO/IEC 27017 — Code of practice for information security controls based on ISO/IEC 27002 for cloud services
- ISO/IEC 27018 — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
Cyber Security Operation Center (CSOC) is a facility where enterprise IT infrastructure are monitored, assessed, and defended.
In SOC they use a Security information and event management (SIEM) platform to monitor the activities going inside your IT infrastructure by collecting and segregating event logs. CSOC has advanced monitoring capabilities within the organization to validate data flow from security stand point.
The Society for Worldwide Inter bank Financial Telecommunication (SWIFT), provides a network that enables financial institutions worldwide to send and receive information about financial transactions in a secure, standardized and reliable environment. The SWIFT Customer Security Controls Framework (CSCF) is composed of mandatory and advisory security controls for SWIFT users. The mandatory security controls establish a security baseline for the entire community. They must be implemented by all users on their local SWIFT infrastructure. SWIFT has chosen to priorities these mandatory controls for risk reduction.
Concurrent audit is a systematic and timely examination of financial transactions on a regular basis to ensure accuracy, authenticity, compliance with procedures and guidelines. The emphasis under concurrent audit is not on test checking but on substantial checking of transactions.
When the accounts are audited throughout the year by the internal audit staff under the guidance of the auditor, it is called continuous audit. The work involved in continuous audit is considerably high and the management requires the auditor to report at regular intervals.
In IT security audit, concurrent audits known as third party audit and continuous audit as internal audit.
An operating system like windows, Linux, MACOS comes under this audit etc.
Windows auditing is one of the methods to make the system secure after knowing about the weakness of the system, misconfiguration of security settings etc. Windows auditing system consists of tracking events and logs and what events were triggered in the system and policy changes .
Windows auditing is Windows changing auditing, sometimes referred to as file integrity monitoring, which entails the detection of changes within systems, most notably, Active Directory, Exchange, SQL, and file systems.
Through the analysis of Windows security and systems events, Windows auditing can identify steps to improve security management and reduce the risk of unauthorized access and unwanted changes to your systems. Through Windows auditing helps organizations remain compliant with data protection requirements, identify potential threats and help to reduce the risk of a data breach.
Internet of Things devices are everywhere and it is estimated number of IoT sensors and devices is set to exceed 50 billion by 2022.
Unique Identification Authority of India (UIDAI - Aadhar) will enable organizations to provide E-KYC and Aadhaar based authentication. Becoming an AUA (Authentication User Agency) is required for any agency/ institution registered in India, which is looking to use Aadhaar authentication services of UIDAI. It is also a requisite step in registering as KYC User Agency (KUA) for using the Aadhaar eKYC service. As per UIDAI Guidelines, the client application is to be audited by information systems auditor certified by CERT-IN and compliance audit report to be submitted to UIDAI.
SOAR platforms are a collection of software solutions and tools designed to collect information about Security threats, Data and Alerts. SOAR tools analyzes the data through a combination of human and machine learning to understand and prioritize incident response activities. Traditionally, a human would have to review, remediate, and standardize a variety of actions into a digital workflow to define incident response procedures. But that process takes a lot of time, resources and there is probability of human error. SOAR solutions can define your incident response procedures for you, by combining a variety of data tasks including: Data gathering, Case management, Standardization, Workflow and Analytics.
There are three security tasks, comprise by SOAR platform:
It is the act of integrating a wide array of technologies and connecting security software & tools, both security-specific and non-security specific, in order to make them work together while improving security incident response times. SOAR solutions can get information and analyze alerts from:
- User and entity behavior analytics (UEBA)
- Threat intelligence platforms
- Incident response platforms
- Intrusion detection and prevention systems (IDPS)
- A whole host of others.
It is a machine-driven execution of security operations. Tasks that were previously performed by human can be performed and standardized by following SOAR solutions:
- Automation steps
- Decision-making workflow
- Enforcement actions
- Status checking
- Auditing capabilities with SOAR, these tasks are no longer a drain on manual resources.
Response: Now, security orchestration is pulling and analyzing alerts from across your IT infrastructure. Repetitive manual tasks are automatically designed and handled.
Virtualization allows the separation of the operating system from the hardware, using a layer called a hypervisor exists between the hardware and the operating The hypervisor abstracts the physical hardware and presents the hardware you specify to the operating system. Virtualization is a software technology that divides a physical resource, such as a server, into virtual resources called virtual machines (VMs). This audit focuses on the hypervisor and management of the virtual environment.
Virtualization can be categorized into four areas:
- Storage Virtualization: Virtualizes the physical storage from multiple network storage devices so that they appear to be a single storage device. In general, ‘virtualization’ refers to server virtualization.
- Network virtualization: Combines computing resources in a network by splitting the available bandwidth into independent channels that can be assigned to a particular server or device in real time
- Server virtualization: Hides the physical nature of server resources, including the number and identity of individual servers, processors and Operating systems from the software running on them.
- Operating System Virtualization: it refers to running multiple operating systems on a computer system simultaneously.