Security Auditing | Ethical Hacking

A computer security audit is a manual or systematic, measurable technical assessment of a system or application. Manual assessments include interviewing staff, performing security vulnerability scans, reviewing application and operating system access controls, analyzing Security or Application event logs, and analyzing physical access to the systems.
Automated assessments, or CAATs (computer-assisted audit techniques), include system-generated audit reports or using software to monitor and report changes to files and settings on a system.

Systems can include personal computers, servers, mainframes, network routers, and switches.

The primary objective of an audit is to measure and report on conformance. If you are auditing a web server, some of the initial things to look out for are the ports open on the server, harmful HTTP methods such as TRACE being enabled on the server, the encryption standard used, and the key length.
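As an added example (not code from the original article), the script below turns those four web-server checks into a small conformance report: it parses the `Allow` header from a captured `OPTIONS` response, compares the open ports, enabled HTTP methods, negotiated TLS version and certificate key length against a baseline, and emits findings with a severity. The baseline values, the host name and the sample observation are constructed for illustration; the `observe_tls` helper uses the standard `ssl` module to gather a live protocol and cipher name but is not called in the offline demonstration.

```python
"""Added example: score a web server's observed configuration against an audit
baseline (open ports, HTTP methods, TLS version, key length).
Baseline numbers and the sample observation are constructed for illustration."""
import re
import socket
import ssl
from dataclasses import dataclass


@dataclass
class Observation:
    host: str
    open_ports: set
    allowed_methods: set
    tls_version: str      # protocol name as reported by ssl, e.g. "TLSv1.2"
    key_bits: int         # certificate public-key length


@dataclass
class Finding:
    severity: str         # "high", "medium" or "low"
    title: str
    detail: str


# Constructed baseline: what the audit scope says *should* be true.
BASELINE = {
    "expected_ports": {22, 443},
    "dangerous_methods": {"TRACE"},
    "min_tls": "TLSv1.2",
    "min_key_bits": 2048,
}

# Protocol names in order of age; used to compare versions by position.
TLS_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def parse_allow_header(raw_response: str) -> set:
    """Extract the method names from the Allow header of a captured OPTIONS response."""
    match = re.search(r"^Allow:\s*(.+?)\r?$", raw_response, re.IGNORECASE | re.MULTILINE)
    if not match:
        return set()
    return {m.strip().upper() for m in match.group(1).split(",") if m.strip()}


def tls_at_least(version: str, minimum: str) -> bool:
    """True if `version` is at least `minimum`; unknown protocol names fail closed."""
    if version not in TLS_ORDER or minimum not in TLS_ORDER:
        return False
    return TLS_ORDER.index(version) >= TLS_ORDER.index(minimum)


def audit_web_server(obs: Observation, baseline: dict = BASELINE) -> list:
    """Return one Finding per baseline deviation, in a fixed order."""
    findings = []
    unexpected = obs.open_ports - baseline["expected_ports"]
    if unexpected:
        findings.append(Finding("medium", "Unexpected open ports",
                                f"{sorted(unexpected)} are not in the approved baseline"))
    risky = obs.allowed_methods & baseline["dangerous_methods"]
    if risky:
        findings.append(Finding("high", "Harmful HTTP method enabled", ", ".join(sorted(risky))))
    if not tls_at_least(obs.tls_version, baseline["min_tls"]):
        findings.append(Finding("high", "Outdated TLS protocol",
                                f"{obs.tls_version} negotiated; minimum is {baseline['min_tls']}"))
    if obs.key_bits < baseline["min_key_bits"]:
        findings.append(Finding("high", "Weak certificate key",
                                f"{obs.key_bits}-bit key; minimum is {baseline['min_key_bits']}"))
    return findings


def observe_tls(host: str, port: int = 443, timeout: float = 5.0) -> tuple:
    """Negotiate TLS with a live host and return (protocol, cipher name, cipher bits).
    The bits are the cipher's secret size, not the certificate key length.
    Not called in the offline demo below."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0], tls.cipher()[2]


# Constructed sample: an OPTIONS response with TRACE advertised.
SAMPLE_OPTIONS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Allow: GET, HEAD, POST, OPTIONS, TRACE\r\n"
    "Content-Length: 0\r\n\r\n"
)

# Constructed sample observation for a hypothetical host.
SAMPLE_OBSERVATION = Observation(
    host="web.example.test",
    open_ports={22, 80, 443, 3306},
    allowed_methods=parse_allow_header(SAMPLE_OPTIONS_RESPONSE),
    tls_version="TLSv1",
    key_bits=1024,
)

if __name__ == "__main__":
    for f in audit_web_server(SAMPLE_OBSERVATION):
        print(f"[{f.severity.upper():6}] {f.title}: {f.detail}")
```

Running the block against the constructed observation reports four deviations (two unexpected ports, TRACE enabled, TLSv1 negotiated, and a 1024-bit key); an observation that matches the baseline produces an empty list, which is the "conforms" result the audit is measuring for.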

How to manage a successful audit
  • Establish a security baseline through annual audits.
  • Spell out your objectives.
  • Choose auditors with "real" security experience.
  • Involve business unit managers early.
  • Make sure auditors rely on experience, not just checklists.
  • Insist that the auditor's report reflects your organization's risks.