How to Perform a Security Audit

By Melissa Dark and Amy Poftak
published

Picture this scenario: a student logs in to your school's network using the password of a former teacher and "improves" his first-quarter grades and attendance along with those of his nine friends. This is just one real-life example of the many kinds of network security breaches occurring at schools across the country. How big is the problem? Purdue University's Center for Education and Research in Information Assurance and Security decided to investigate the issue by performing penetration tests on the networks of five Indiana school districts-in other words, hacking into their systems with permission. The results were alarming. The testing team was able to hack into all five networks via the Internet. In four of the five schools, they accessed payroll and grade information without difficulty; and in three cases, they were able to easily obtain a complete list of students and staff. Perhaps most troubling of all, these attacks and security compromises went undetected by school IT staff.

The above cases underscore the importance of taking a proactive approach to securing your school's network. To do this, however, you first need to know your system's specific vulnerabilities and what steps you can take to reduce them. The formal process for doing this is known as an information security risk assessment, or a security audit. What follows is an overview, loosely based on the National Institute of Standards and Technology's Risk Management Guide for Information Technology Systems and other commonly accepted industry standards, of how to perform a basic audit for your school or district. In doing so, you will:

  • Demonstrate due diligence by developing a security process that is consistent and objective
  • Help your school or district make informed decisions about what preventive measures it needs and why
  • Justify the up-front costs of security
  • Show your staff the importance of best security practices that they sometimes resist (such as changing passwords).
  • Technology resources (hardware and software)
  • Information resources (grades, health records, payroll records, and personally identifiable information)
  • Curriculum resources (lesson plans and other teaching materials, and Internet connectivity for student assignments)
  • People resources (students, staff, and families).

There are various ways to gather this data, including interviewing key IT staff, examining any previous audits, and reviewing inventory records.

After identifying assets, classify them with regard to confidentiality, integrity, and availability. Examples of assets that need strict confidentiality are student grades, health records, and bank account numbers for direct deposit. Assets that require integrity (meaning they can't be altered) include payroll and lesson plans. Assets that need to be available at all times are attendance systems, lesson plans, and online systems that provide homework updates for parents. By performing this step, you'll learn what specifically needs protection and what type of protection might be warranted.

Step 2: Threat and Vulnerability Assessment

This is one of the most important steps in the risk analysis process. Once all assets have been classified, list potential threat sources for each one. The National Institute of Standards and Technology defines a threat source as "any circumstance or event with the potential to cause harm to an IT system" (see Table 1).

Table 1:
Threat SourceExamples Natural A hurricane, flood, earthquake, tornado, water pipe that bursts, or an electrical storm Human Accidental mishaps, intentional intrusions, or violations. Accidents can be caused from people within the organization or an outsider. Environmental A power failure, pollution, or a chemical spill
Adapted from the NIST Risk Management Guide

Next, determine the corresponding vulnerabilities for each threat source. A vulnerability can be triggered accidentally-for example, a system crash that occurs due to a flood or a network design flaw-or intentionally, such as a student hacking in to the network and changing his or her grades. Table 2 shows the relationship between a threat source, a vulnerability, and the corresponding consequence.

Table 2:
Threat SourceVulnerabilityPotential Result Unauthorized users such as outside hackers, disgruntled or mischievous students A Windows design flaw (e.g., the recent RPC vulnerability that has made it possible for any user on the Net to access the system) Unauthorized users gain access to confidential data, and are able to steal or modify it
Adapted from the NIST Risk Management Guide

How do you come up with a list of prospective threats and vulnerabilities? One way is to hire an outside contractor to perform a penetration test like we did for the five schools in Indiana. Penetration tests use special network scanning software to identify system flaws. There are many organizations that perform penetration testing including Infotex (www.infotex.com), AT&T (www.business.att.com), Symantec (enterprisesecurity.symantec.com), and Guardent (www.guardent.com). Other ways to determine potential weak spots include surveying staff (see Security Checklist) and joining a vulnerability notification/incident response service. Worthwhile vulnerability services include CERT (www.cert.org), SANS (www.sans.org), SecurityTracker (www.securitytracker.com), ICAT (icat.nist.gov), and CASSANDRA (cassandra.cerias.purdue.edu).

Step 3: Evaluation of Controls

Once assets, threats, and vulnerabilities have been identified, evaluate potential countermeasures. These should be thought of in terms of whether they prevent, detect, or respond to attacks as well as whether they're technical-, policy-, or personnel-oriented (see Table 3). The main point of this step is to determine whether a single safeguard is sufficient for protecting your assets. If not, which combination of countermeasures is needed to achieve the desired level of security?

Table 3:
PreventionDetectionResponse Technology - Antivirus protection
- Access control lists that partition levels of access to sensitive systems and data
- Firewalls
- Intrusion detection systems that monitor the integrity of the system and files - Intrusion detection software Policy - Acceptable use policies
- Systems development and maintenance policies - Policies on intrusion response (i.e., roles and responsibilities of your emergency response team) - Business continuity planning to ensure procedures for bringing your system back online if it is hacked and/or crashes Personnel - Information security training - Computer emergency response teams

Step 4: Analysis, Decision, and Documentation

The final step is to analyze your controls and then make decisions about which ones you want to implement. Begin with a cost-benefit analysis. Estimate costs for all suggested safeguards and assign a dollar amount to the expected benefit for each one. In addition to the actual price tag, be sure to consider implementation, operations, maintenance, usability, scalability, and performance costs. In many instances, more than one safeguard will be identified to mitigate a risk. For each threat or risk, determine to what degree the selected safeguards will reduce the likelihood of occurrence, the damage of such an incident, or both. To learn more about the process, a sample cost-benefit analysis is available in the NIST Risk Management Guide.

The cost-benefit analysis, along with the rest of your audit data, should be included in a formal report. In addition to providing management with the information they need to select appropriate countermeasures, it creates baseline data for the next audit.

A Final Word

While a comprehensive audit will help integrate security throughout your school, it's important to think of risk assessment as an ongoing process. Continual education and communication are keys to realizing the effects of the audit. When new staff is hired, for example, be sure to educate them about the role of information security in your district and the associated responsibilities. Likewise, as new technology is deployed or when problems occur, inform the school community of any related security issues. If security is discussed outside of the audit, then the staff and students will deem it as the core value it is.

NEXT: Learn More

Melissa Dark, associate professor of computer technology at Purdue University, is the assistant director for educational programs at the Center for Education and Research in Information Assurance and Security.

Amy Poftak is executive editor of Technology & Learning.

Read other articles from the February Issue

Learn More

The American Society for Industrial Security's general security risk assessment guidelines www.asisonline.org/guidelines/guidelines.pdf

Center for Education and Research in Information Assurance and Security www.cerias.purdue.edu

Computer Security Institute (an entity of CMP Media, Technology & Learning's parent company) www.gocsi.com

Consortium for School Networking Cyber Security For the Digital District securedistrict.cosn.org

Information Security Management Handbook by Harold F. Tipton, and Information Security Risk Assessment by Thomas Peltier from Auerbach Publications www.auerbach-publications.com

The National Institute of Standards and Technology's Risk Management Guide for Information Technology Systems csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf

< < < Return to Intro

Read other articles from the February Issue

Melissa Dark and Amy Poftak