How to Perform a Security Audit
2/15/2004 By: Melissa Dark and Amy Poftak
Picture this scenario: a student logs in to your school's network using the password of a former teacher and "improves" his first-quarter grades and attendance along with those of his nine friends. This is just one real-life example of the many kinds of network security breaches occurring at schools across the country. How big is the problem? Purdue University's Center for Education and Research in Information Assurance and Security decided to investigate by performing penetration tests on the networks of five Indiana school districts (in other words, breaking into their systems with permission). The results were alarming. The testing team was able to break into all five networks from the Internet. In four of the five districts, the testers reached payroll and grade information without difficulty, and in three cases they easily obtained a complete list of students and staff. Perhaps most troubling of all, none of these intrusions was detected by school IT staff.
The above cases underscore the importance of taking a proactive approach to securing your school's network. To do this, however, you first need to know your system's specific vulnerabilities and what steps you can take to reduce them. The formal process for doing this is known as an information security risk assessment, or a security audit. What follows is an overview, loosely based on the National Institute of Standards and Technology's Risk Management Guide for Information Technology Systems and other commonly accepted industry standards, of how to perform a basic audit for your school or district. In doing so, you will:
- Demonstrate due diligence by developing a security process that is consistent and objective
- Help your school or district make informed decisions about what preventive measures it needs and why
- Justify the up-front costs of security
- Show your staff the importance of best security practices that they sometimes resist (such as changing passwords).
The primary goal of risk management is for schools to protect their ability to fulfill their educational missions. Therefore, a security audit should be treated as an essential management function, headed up by a district's chief information officer or technology director, but also involving administrators, teachers, and building-level technology staff. An effective way to do this is to form a risk assessment committee, co-chaired by a high-level administrator and the senior IT staff member, whose charge is to design the audit from beginning to end and oversee its execution.
To get a better idea of where your school may be vulnerable, we recommend surveying your staff. Here is a sampling of the issues the survey should address:
- Evaluation, testing, and installation of vendor-recommended patches
- Software policies
- Staff knowledge and awareness of information security risks
- User password practices, such as password sharing and how often passwords are changed
- Procedures for disabling accounts of personnel who quit or are released
If you've never done a security audit before, chances are your system is vulnerable and now is the time to start. If you've already performed an assessment, you'll want to update it whenever you make significant changes, such as moving a database to a new server or adding substantial code to an existing system. You'll also need to revise it when you introduce new hardware or software to the network and before undertaking any major project, such as installing a wireless network. In addition, schedule regular updates of your risk assessment at a fixed interval (annually, or at most every two years), independent of any particular change.
When performing a security audit, solely assessing your technology assets is not enough. Schools should also take into account policies addressing such issues as acceptable use, network rights, software installation, and the practices of both students and staff.
There are four steps to follow when conducting an information security risk assessment (see Figure 1).
Figure 1: Information Security Risk Assessment Process
Step 1: Asset Identification and Classification
This is the process of identifying valued assets and categorizing them into manageable groups. For schools, assets can generally be grouped in the following categories:
- Technology resources (hardware and software)
- Information resources (grades, health records, payroll records, and personally identifiable information)
- Curriculum resources (lesson plans and other teaching materials, and Internet connectivity for student assignments)
- People resources (students, staff, and families).
There are various ways to gather this data, including interviewing key IT staff, examining any previous audits, and reviewing inventory records.
After identifying assets, classify them with regard to confidentiality, integrity, and availability. Examples of assets that need strict confidentiality are student grades, health records, and bank account numbers for direct deposit. Assets that require integrity (meaning they must not be altered except by authorized people through authorized procedures) include payroll and lesson plans. Assets that need to be available at all times are attendance systems, lesson plans, and online systems that provide homework updates for parents. A single asset often needs more than one property: grades need confidentiality and integrity, an attendance system needs integrity and availability. By performing this step, you'll learn what specifically needs protection and what type of protection might be warranted.
Step 2: Threat and Vulnerability Assessment
This is one of the most important steps in the risk analysis process. Once all assets have been classified, list potential threat sources for each one. The National Institute of Standards and Technology defines a threat source as "any circumstance or event with the potential to cause harm to an IT system" (see Table 1).
Table 1: Threat Sources (adapted from the NIST Risk Management Guide)

| Threat source | Examples |
| --- | --- |
| Natural | A hurricane, flood, earthquake, tornado, burst water pipe, or electrical storm |
| Human | Accidental mishaps, intentional intrusions, or violations; accidents can be caused by people within the organization or by outsiders |
| Environmental | A power failure, pollution, or a chemical spill |
Next, determine the corresponding vulnerabilities for each threat source. A vulnerability is a weakness that a threat source can act on, and it can be triggered accidentally (for example, a system crash caused by a flood acting on a server room with no flood protection, or by a network design flaw) or exploited intentionally (for example, a student breaking into the network to change his or her grades). Table 2 shows the relationship between a threat source, a vulnerability, and the corresponding consequence.
Table 2: Threat Source, Vulnerability, and Consequence (adapted from the NIST Risk Management Guide)

| Threat source | Vulnerability | Consequence |
| --- | --- | --- |
| Unauthorized users such as outside hackers or disgruntled or mischievous students | A Windows design flaw (e.g., the recent RPC vulnerability that made it possible for any user on the Internet to access an unpatched system) | Unauthorized users gain access to confidential data and are able to steal or modify it |
How do you come up with a list of prospective threats and vulnerabilities? One way is to hire an outside contractor to perform a penetration test, as CERIAS did for the five Indiana districts. Penetration testers use network and vulnerability scanning tools to find exposed services and known flaws, then try to exploit what they find, so the result is a list of weaknesses that demonstrably lead somewhere (such as payroll or grade data) rather than a list of theoretical issues. Many organizations perform penetration testing, including Infotex (www.infotex.com), AT&T (www.business.att.com), Symantec (enterprisesecurity.symantec.com), and Guardent (www.guardent.com). Other ways to determine potential weak spots include surveying staff (see Security Checklist) and subscribing to a vulnerability notification/incident response service so that you learn about new flaws in the software you run before an attacker tries them. Worthwhile vulnerability services include CERT (www.cert.org), SANS (www.sans.org), SecurityTracker (www.securitytracker.com), ICAT (icat.nist.gov), and CASSANDRA (cassandra.cerias.purdue.edu).
Step 3: Evaluation of Controls
Once assets, threats, and vulnerabilities have been identified, evaluate potential countermeasures. These should be thought of in terms of whether they prevent, detect, or respond to attacks as well as whether they're technical-, policy-, or personnel-oriented (see Table 3). The main point of this step is to determine whether a single safeguard is sufficient for protecting your assets. If not, which combination of countermeasures is needed to achieve the desired level of security?
Table 3: Example Countermeasures by Orientation and Function

| | Prevent | Detect | Respond |
| --- | --- | --- | --- |
| Technical | Antivirus protection; access control lists that partition levels of access to sensitive systems and data | Intrusion detection systems (software that monitors the integrity of the system and files and reports changes) | |
| Policy | Acceptable use policies; systems development and maintenance policies | | Policies on intrusion response (i.e., roles and responsibilities of your emergency response team); business continuity planning to ensure procedures for bringing your system back online if it is hacked and/or crashes |
| Personnel | Information security training | | Computer emergency response teams |
Step 4: Analysis, Decision, and Documentation
The final step is to analyze your controls and then make decisions about which ones you want to implement. Begin with a cost-benefit analysis. Estimate costs for all suggested safeguards and assign a dollar amount to the expected benefit for each one. In addition to the actual price tag, be sure to consider implementation, operations, maintenance, usability, scalability, and performance costs. In many instances, more than one safeguard will be identified to mitigate a risk. For each threat or risk, determine to what degree the selected safeguards will reduce the likelihood of occurrence, the damage of such an incident, or both. To learn more about the process, a sample cost-benefit analysis is available in the NIST Risk Management Guide.
The cost-benefit analysis, along with the rest of your audit data, should be included in a formal report. In addition to providing management with the information they need to select appropriate countermeasures, it creates baseline data for the next audit.
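The four steps above can be carried through as one small calculation. The following is an added example, not code from the article or from CERIAS: it classifies a couple of assets (Step 1), pairs each threat source with a vulnerability and a consequence and rates it (Step 2), lists candidate safeguards by orientation and function (Step 3), and then picks the safeguard set with the best net benefit (Step 4). The likelihood and impact weights are modelled on the NIST SP 800-30 matrix but are an assumption here, and every asset, threat, rating and dollar figure is constructed for illustration.

```python
"""Worked example of the article's four-step risk assessment (added example;
every asset, threat, rating and dollar figure below is constructed)."""
from dataclasses import dataclass
from itertools import combinations

# Step 2 rating scale, modelled on the NIST SP 800-30 likelihood/impact matrix
# (weights assumed): likelihood High/Medium/Low = 1.0/0.5/0.1, impact = 100/50/10,
# risk = likelihood x impact, binned Low (<= 10), Medium (<= 50), High (> 50).
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}

def risk_level(likelihood, impact):
    """Qualitative risk rating (score, level) for one threat/vulnerability pair."""
    score = LIKELIHOOD[likelihood] * IMPACT[impact]
    return score, "High" if score > 50 else "Medium" if score > 10 else "Low"

@dataclass(frozen=True)
class Asset:                  # Step 1: identify and classify
    name: str
    category: str             # technology / information / curriculum / people
    cia: tuple                # required (confidentiality, integrity, availability)

@dataclass(frozen=True)
class Risk:                   # Step 2: threat source + vulnerability -> consequence
    rid: str
    asset: Asset
    threat_source: str
    vulnerability: str
    consequence: str
    likelihood: str           # rating before any new safeguard
    impact: str
    loss_per_incident: float  # dollars, used by the Step 4 cost-benefit
    incidents_per_year: float # annualised rate of occurrence

@dataclass(frozen=True)
class Safeguard:              # Step 3: candidate control
    name: str
    kind: str                 # technical / policy / personnel
    function: str             # prevent / detect / respond
    annual_cost: float
    mitigation: tuple         # ((rid, fraction of that risk's expected loss removed), ...)

def ale(risk, controls=()):
    """Annual loss expectancy for one risk; several controls compound."""
    remaining = 1.0
    for ctl in controls:
        for rid, frac in ctl.mitigation:
            if rid == risk.rid:
                remaining *= 1.0 - frac
    return risk.loss_per_incident * risk.incidents_per_year * remaining

def choose_safeguards(risks, safeguards):
    """Step 4: the control set with the best net benefit (ALE reduction minus
    annual cost). Exhaustive search is fine for a handful of candidates."""
    baseline = sum(ale(r) for r in risks)
    best_set, best_net = (), 0.0
    for n in range(1, len(safeguards) + 1):
        for combo in combinations(safeguards, n):
            residual = sum(ale(r, combo) for r in risks)
            net = baseline - residual - sum(c.annual_cost for c in combo)
            if net > best_net:
                best_set, best_net = combo, net
    return best_set, best_net

# Constructed district data (not from the article).
SIS = Asset("Student information system (grades, attendance)", "information",
            ("High", "High", "Medium"))
PAYROLL = Asset("Payroll database", "information", ("High", "High", "Low"))
RISKS = [
    Risk("R1", SIS, "Student using a former teacher's password",
         "Accounts of departed staff are never disabled; passwords are shared",
         "Grades and attendance altered", "High", "High", 20_000, 2.0),
    Risk("R2", PAYROLL, "Outside attacker on the Internet",
         "Unpatched remote-code-execution flaw on the server",
         "Payroll and personal data stolen", "Medium", "High", 150_000, 0.2),
    Risk("R3", SIS, "Burst pipe in the server room", "No off-site backups",
         "Attendance system unavailable for days", "Low", "Medium", 30_000, 0.05),
]
SAFEGUARDS = [
    Safeguard("Disable accounts on departure, rotate passwords", "policy",
              "prevent", 2_000, (("R1", 0.8),)),
    Safeguard("Patch evaluation and deployment process", "technical",
              "prevent", 8_000, (("R2", 0.9),)),
    Safeguard("Off-site backup contract", "technical", "respond", 4_000,
              (("R3", 0.9),)),
    Safeguard("Managed intrusion detection service", "technical", "detect",
              25_000, (("R1", 0.3), ("R2", 0.4))),
]

if __name__ == "__main__":
    for r in RISKS:               # Step 2 output for the written report
        print(r.rid, r.asset.name, "->", risk_level(r.likelihood, r.impact))
    chosen, net = choose_safeguards(RISKS, SAFEGUARDS)
    print("Select:", [c.name for c in chosen], f"(net benefit ${net:,.0f}/yr)")
```

With these constructed numbers the account-disabling policy and the patch process pay for themselves many times over, the off-site backup does not on pure dollar terms (its annual cost exceeds the expected loss it removes), and the intrusion detection service only adds value once the cheaper preventive controls are in place, which is the kind of combination question Step 3 asks. Note that a control rejected on cost, such as the backup contract, may still be justified by an availability requirement recorded in Step 1; the calculation informs the decision rather than making it.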
A Final Word
While a comprehensive audit will help integrate security throughout your school, it's important to think of risk assessment as an ongoing process. Continual education and communication are the keys to realizing the benefits of the audit. When new staff are hired, for example, be sure to educate them about the role of information security in your district and their associated responsibilities. Likewise, as new technology is deployed or when problems occur, inform the school community of any related security issues. If security is discussed outside of the audit, staff and students will come to see it as the core value it is.
Melissa Dark, associate professor of computer technology at Purdue University, is the assistant director for educational programs at the Center for Education and Research in Information Assurance and Security.
Amy Poftak is executive editor of Technology & Learning.
Learn More
The American Society for Industrial Security's general security risk assessment guidelines www.asisonline.org/guidelines/guidelines.pdf
Center for Education and Research in Information Assurance and Security www.cerias.purdue.edu
Computer Security Institute (an entity of CMP Media, Technology & Learning's parent company) www.gocsi.com
Consortium for School Networking Cyber Security For the Digital District securedistrict.cosn.org
Information Security Management Handbook by Harold F. Tipton and Information Security Risk Assessment by Thomas Peltier, both from Auerbach Publications www.auerbach-publications.com
The National Institute of Standards and Technology's Risk Management Guide for Information Technology Systems csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf