18 Comments
- PPoff, on 10/12/2007, -0/+15 I did a security audit for our small company a few months back and was pretty surprised at what came out as our biggest threat...employees stealing information.
I think it's a bigger problem than most small business people realize.
- Thuktun, on 10/12/2007, -0/+5 Luckily, the linked article's recommendations don't look Q&D.
- trghpy, on 10/12/2007, -1/+5 Quick and Dirty is better than Jack and ***** (of course Jack left town last week...)
- PPoff, on 10/12/2007, -0/+4 I've read the article all the way through. It's pretty dang thorough. I'm no expert on security audits...just a lowly IT guy here...but I think this article will give any small company a good baseline to work from.
- chimpinator, on 10/12/2007, -1/+5 But, alas, they are. If you're someone in charge at a Fortune 500 co. and anything on this list is news to you, you should be fired.
- trghpy, on 10/12/2007, -1/+4 Backups are worthless unless they work.
It is funny how everyone talks about backup schedules, backup security, and off site storage but they never tell you to test your backups...
If you can't prove your backup works, are you truly backed up?
One place I worked at had a ***** up tape drive which let us "backup" for months till someone tried loading one of the tapes...
Ain't technology great?
- SamsLembas, on 10/12/2007, -1/+3 Kinda like those banks that advertise all their anti identity theft stuff, but then have you submit your login info over http, not https.
- brewer, on 10/12/2007, -1/+3 Test security, you say? Simple: call RED CELL.
http://www.specialoperations.com/Navy/Red_Cell/Default.htm
Oh, network security. Never mind.
- johngalt9999, on 10/12/2007, -0/+2 I don't know why people with comments related to "quick and dirty" audit are being dugg down. I have worked both at KPMG - Information Risk Management practice and the Ernst & Young - Technology Security Risk Services group for over three years, and I can vouch for the lack of in-depth audit analysis. For example, many IT auditors simply print out the primary domain controller configuration settings, and do a 10 second review, and spend the next five hours typing up a fancy audit work paper. By conducting IT audit in such a manner, the end user/client would not receive any benefits. In the end, no security risks are being amended, which can result in possible future security outbreak.
- exzaltid, on 10/12/2007, -0/+1 Here's a good vid I found on supporttube that SHOWS a security audit of a college network!
http://www.supporttube.com/view_video.php?viewkey=5ee0bc9d43bbf5bbe87f
- inactive, on 10/12/2007, -0/+1 After getting burned by tape made with proprietary software, we went to detachable HDs. Wrote my own scripts so I actually understand what they're doing.
- jiminoc, on 10/12/2007, -2/+3 In my previous job working at a vulnerability assessment company one Fortune 500 company had 22 million security vulns. This was just 2 years ago. This is also a company who runs commercials about how they're securing customer networks :) Ironic.
- xt0ph3r, on 10/12/2007, -1/+2 Is that your analysis of the article, or the description on Digg?
- toogs, on 10/12/2007, -0/+0 Helped me out a lot, I'm going to try these steps on mine.
- dblyth, on 10/12/2007, -1/+1 That's my analysis of the description on Digg. I haven't read through the article yet.
Yes, quick and dirty can be better than no audit at all, but a cursory/superficial audit can also lead to complacency and a feeling that things are more secure than they really are.
- SjRaptor, on 10/12/2007, -3/+1 Buried... they don't even know wtf the difference between a threat and vulnerability is!
Threat: A circumstance or event with the potential to intentionally or unintentionally exploit one or more vulnerabilities in a system resulting in a loss of confidentiality, integrity, or availability. Threats are implemented by threat agents. Examples of threat agents are malicious hackers, organized crime, insiders (including system administrators and developers), terrorists, and nation states.
Vulnerability: A flaw or weakness in the design or implementation of hardware, software, networks, or computer-based systems, including security procedures and controls associated with the systems. Vulnerabilities can be intentionally or unintentionally exploited to adversely affect an organization's operations (including missions, functions, and public confidence), assets, or personnel.
- inactive, on 10/12/2007, -5/+2 Absolutely.
No penetration testing? No mention of eEye? No mention of Nessus? No mention of MITM attacks using print servers?
Buried. No digg and marked as lame.
- dblyth, on 10/12/2007, -6/+1 Sorry, but "quick and dirty" security audits usually don't get the job done.

