Information Security Audit Tools - Literature review Example

INFORMATION SECURITY AUDIT TOOLS Name Course Tutor University Date Introduction Advancements in technology have enormously increased the information available. The large chunks of information create security risks that have major effects on the information itself, operations, supported infrastructure, as well as, to the computer systems in use (Ben-Natan 2009).These risks are responsible for not only the external but also the internal attacks, and necessitate the need for an audit system. When audit systems are adopted, they assist to prevent the attacks and reduce their associated consequences. The invention of internet has facilitated faster communications. It is quick, inexpensive, and an instant way of accessing information from any source. However, if the speed and the fact that web technology is readily available are not properly checked, then unprecedented risks await the system (Ben-Natan, 2009). The information system may become susceptible to fraud and malicious acts from unauthorized users. Figure 1.below shows information security management. Fig.1: Information security management. Oliphant (2004) states that in order to stop cybercrime, it is good to avoid the risks before application of an appropriate tool to curb any intrusion to the information system. Further, the only way to improve the security of an organizations’ information system is to have an audit program that is risk based. An information system needs to get protection from two kinds of risks, namely the physical and logical risks. Risks that revolve around hardware, such as vandalism or unauthorized tampering, theft and damages resulting from natural disasters constitute the physical risks. In order to prevent physical damage, a number of factors are put in place, such as, using locks and insuring the hardware, although the cost of recovering data and backing up information can be costly (Oliphant2004). Unauthorized intentional access and altering of information and accidentally access of information about an organization constitute logical risks. These risks can be prevented by installing an information security to protect the organization software from intruders. Thus, this paper will seek to discuss, in detail, some of the information security audit tools. Ben-Natan (2009) argues that information security is a crucial concept in an advanced technological society. To deter unauthorized computer users, information security is of great help. The unauthorized users of hardware in many cases abuse the core business of organizations when they hack into their systems. This forms the basis for the discovery of information security audit tools that are meant to detect and stop such unwarranted access (Oliphant 2004). The policy on computer security is meant to ensure that organizations’ operations are of impeccable integrity and the information has to be of utmost confidentiality and must be available in the security systems. Some of the information security matters include the management of risks, contingency planning, risk analysis, policy on information security and the recovery during a disaster (Vacca 2013). What is an audit program? An audit program refers to formal examination and inquiry, verifying the facts about the expectations and ensuring that there is system compliance. It establishes if the set standards or procedures are adhered to and the records are up to date. It also ensures that efficiency levels increase in an organization. Both internal and external auditors can carry out an audit program. Vacca (2013) states that during an audit program, three computer areas to monitor include; audit trail, system-monitoring activity and the user access control. This is because they are the basics to security implementation strategy. To increase the computer productive time, the user control is necessary because it minimizes the risks anticipated and checks for fraud, blocks access by unauthorized persons. This is to ensure that the security of information belonging to an organization is safe and confidential. The other need for security audit is to ensure that no occurrence of malice or fraud to which the system is prone. The audit is meant to detect and prevent them from occurring (Delak & TerčElj 2012). Keeping a comprehensive log of all transactions going on in the organization system is another sure way of monitoring the security information. (Ben-Natan 2009) explains that the system auditor will need this information to ascertain the security levels of the organization. Fig 2: Control clauses . Figure (1) below is a representation of the phases for coming up with a security management system. Fig 2: Information Security Management Phases. Security audit tools Audit tools are so many but this section will discuss a few and highlight how they are applied to the enhancement of security information. Some of these tools include; Google The information got in Google provides a good platform in understanding the system administrator. Google is not necessarily an audit tool but performs functions similar to the actual audit tools. By just typing a given name on Google, some crucial data will appear on the web page. Utility Tools Utility tools operate on a single purpose mode as observed by Delak & TerčElj (2014). In some instances, they are native while in others they are freely available. They involve customized scripts and usually manual approach oriented. They are also found in products that are manual in nature. Strengths Utility tools are task specific and can be found freely. This explains why they are efficient. Weakness Utility tools cannot be operated without knowledge of how it works. Utility tools are further divided into native utilities and open source scripts utilities. The native utilities include: Ping: This establishes if the target network is related to ICMP packets. Traceroute: It shows the network route. It is also known as the tracing network utility. Nslookup: This offers the ownership of the domain. The open source scripts include; Nmap Nmap is a free port utility used for scanning. It is preferred by most professional as a scanning tool. It is readily available on UNIX and sometimes on Windows. It can be used detect operating systems, scan ports and in the ping sweeps. Crack Crack is a password cracking devise. It is used to crack a strange password. John the Ripper; used to discover UNIX passwords. Binfo.c Binfo.c is a version checker for BIND. It is used to pull out a version of a script running especially on a remote server. Ghba.c: Ghba.c discovers the IP addresses of B and C classes of subnet Power Tools Power tools are bundled utilities that are meant to automate and streamline the process involved in an audit system. A lot of them are found as commercial products while others are open source with packages. Strengths Since power tools are automated, they are able to scan for risks in the database. This information may be contained in alert system. They give good reports on the dangers exposed to and the risks associated with them (Oliphant2004). Weaknesses Their roles are limited to vulnerabilities existing in the database and only if they are current. It is rated depending on the number of vulnerabilities discovered. Open Source Power Tools Nessus: is comprehensive, free, and authored by Renaud Deraison. SARA: Also known as, the Security Auditors Research Assistant originates from COPS, the original scanners for vulnerabilities Oliphant, A. (2004). Whisker: checks if the website is vulnerable to CGI scripts. It operates on a remote operating network. Hpings2:it supports TCP, ICMP, RAW-IP, and UDP protocols. It can trace files on a covered route. Other Commercial Scanners include; Internet security systems: reports well and has a comprehensive system to detect vulnerabilities eEye Digital Security’s involves the use of retina to discover the hacker methods. Bind Views: comprehensively discovers and provides solutions to security problems Core Security Technology’s has both the loggings and reporting on the same platform. It manages information regarding security in a graphical format. Importance of security audit tools In order to attend to customer requests, it is important to ensure the server you use to collaborate with them is protected. Firewall is used to protect a server against external risks. According to Ben-Natan (2009), protection using firewall configuration can be achieved by controlling information traffic across it to ensure only the authorized clientele can access protected data. Wright. et.al (2008) stated that one reason as to why audit tools are important when auditing information security is because they equip users with skills that they would otherwise not acquire. They also improve data and hence decisions made within the company are better. Tools make auditing work easier because they only require running of already installed software. Therefore, auditing efficiency is at the peak if these tools are used and auditing is not done manually. Han, Choi, & Song (2014) observes the use of auditing software reduces the workload and creates time that can be used to come up with new company ideas as well as conduct analysis of the current position of the company. In addition to this, security audit tools improve transparence in company governance, identify what really cause problems or predispose company information to attacks, reduce abuse and theft and help the organization to identify sources of savings from their supply management , human resource and enterprise and computer management (Information Systems Audit &Control Association, 2006). Information security is important to financial institutions, governments, corporations, business owned as private entities, as well as, hospitals. This is because these institutions need to be confidential on information regarding their products, market, research, financial position and employees. It also dates to the current data collection processing and storage that has to be done using electronic computers. Data stored in these computers must again be transferred to other computers using networks that must be protected to keep hackers at bay (Reddick2010). This is necessary to ensure that data is kept confidential and its availability and integrity are maintained regardless of which form it may take. Currently, information security is a universal requirement. Many tools have been developed to help out with the security issues. Some of these include, but are not limited to, antivirus, USB scanners, malware detectors and password codes that are difficult to crack. Firewall protectors are also used to detect any information that cannot be trusted to be accessed through internet browsers thus enabling the users to choose on whether to carry on with the access or reject if they sense that their security may be compromised (Ben-Natan 2009). Some features of these audit tools use large memory space or many cycles during processing, long band width and huge storage. In such cases, one user may block other users from accessing a computer when accessing a file using a program that searches all records in a file to arrive to the required file. Storage space may not be sufficient for huge files. Therefore, if the application tool requires large space for storage, it may lead to crashing of the server. Due to these shortcomings, processing audit on information security can, therefore, be scheduled only when all other users are done with use of the server to avoid working delays. Specialists in software are required to conduct these audits because there is numerous software for conducting information security audits that may take time for auditors to learn. In addition, due to the independence required to ensure security of audit procedures, it may be expensive to implement use of these tools (Information Systems Audit &Control Association 2009). There is also the challenge to do with hackers. These are people who search for a loophole in an application and use it to get through in order to access information. Depending on their purpose, they may alter the information or expose it leading to need for another security plan to be developed. Risk management can be conducted as by the framework shown in figure (3) below. Figure (3): Risk Management Framework Instead of using specialized human resource, the tool that is being developed in this project can be used by any user. It is economically friendly and can be used on any operating system. It is also developed using available web design tools such as MySQL database for persistence of information and data, PHP5.5.12 for scripting on server side, JavaScript for scripting client part, as well as, validating it. HTML5/CSS is used for developing the user interface and the front end and Bootstrap framework is used to create interfaces that are mobile friendly to ensure clarity in displaying information on laptops and other smaller screens. These features help cater for the deficiencies encountered when using the other tools in the market (Chirillo 2003). By developing an information audit tool, the society will benefit. This is because in the current state of technology advancements, the society largely relies on technology and use of computers to perform daily tasks. For instance, the use of internet is becoming a necessity and there is need to learn how to counter the risks that come with its usage. Therefore, network providers should ensure that they are assured of the security of information before they engage. Due to the threats posed by storing personal information like the Social Security numbers and numbers of bank accounts in computers, there is need to keep it protected from unknown people. This can be easily achieved when the information is set as private to allow only people in the ‘friends’ category to get access to it as is the case with Facebook and other social media platforms. Also, it is good not to follow links you don’t know their sources (Vacca 2013). Information Systems Audit &Control Association (2006) displays the army as an example of an institution that uses a security tool in its operation. In this case, a password consisting of a minimum of two lower case letters, two letters on upper case, two special characters, symbols and two numbers is used. Such a password is difficult to hack. However, numbers that can be easily guessed like years of birth, phone numbers, social security numbers and numbers like 54321 should be avoided when creating passwords. Backing up passwords wit security questions with personalized answers has an added advantage in case someone else tries to claim they forgot the passwords when their real intention is to hack into the account. Figure (4) below provides the levels of using security audit tools as used to conduct security audits. Figure (4): Security Audit Tool Layers of Application Conclusion Any company that manages to acquire a reliable information security model that is complex enough to keep hackers at bay will have achieved a safe information technology system. Currently, information technology is widely used in organization. This has brought attention to information security. Practitioners have taken up on developing guidelines and strategies to address security of their computers and the data stored therein. In this paper, tools for auditing information security have been analyzed. Security is an important aspect for anyone conducting business online, whether it is social or official. It is desirable that all organizations ranging from the top government organization to local business entities be equipped well on information security, especially when it involves personal information. Also many organizations store sensitive data on the computers and this exposes them to hackers. Hackers may distort information or infect it with malwares and viruses. Therefore, it is important for any organization to have a tool that detects and clears any information that may be detected as insecure or notify the user of such information for them to decide whether to keep off or get rid of it. There is no any security tool that is hack proof. Therefore, it is recommended that continuous and elaborate developments and changes be made on the existing ones. Alternatively, new tools can be acquired though they might be expensive (Hui, Kai Lung, Wendy, & Yue 2013). ReferencesTop of Form Bottom of Form Baldwin, A. and Shiu, S. (2005). Enabling shared audit data. International Journal of Information Security, 4(4), pp.263-276. Ben-Natan, R. (2005). Implementing database security and auditing a guide for DBAs, information security administrators and auditors. Burlington, MA, Elsevier Digital Press. http://search.ebscohost.com/login.aspx?direct=true&scope=site&db=nlebk&db=nlabk&AN=187259. Ben-Natan, R. (2009). Implementing database security and auditing a guide for DBA's, information security administrators and auditors. Burlington, MA, Elsevier Digital Press. http://search.ebscohost.com/login.aspx?direct=true&scope=site&db=nlebk&db=nlabk&AN=187259. Chirillo, J. (2003). Hack attacks testing: how to conduct your own security audit. New York, Wiley. Delak, B., & TerčElj, M. (2012). Information security auditing. The Proceedings of the 4th International Conference on Information Technologies and Information Society [Also] ITIS 2012. 1-7. Delak, B., & TerčElj, M. (2014). ISO 27007 Information System Audit and Comparison with ISO 27006. Frontiers in ICT. 103-114. General Accounting Office Washington Dc. (2001). Information Security: IRS Electronic Filing Systems.http://oai.dtic.mil/oai/oai?&verb=getRecord&metadataPrefix=html&identifier=ADA387752. Han, K. J., Choi, B.-Y., & Song, S. (2014). High Performance Cloud Auditing and Applications. New York, Springer. http://dx.doi.org/10.1007/978-1-4614-3296-8. Hui, Kai Lung, Hui, Wendy, & Yue, Wei T. (2013). Information Security Outsourcing with System Interdependency and Mandatory Security Requirement. http://dx.doi.org/10.2753/MIS0742-1222290304. Information Systems Audit And Control Association. (2006). Security, audit and control features Oracle e-business suite a technical and risk management reference guide. Rolling Meadows, Ill, ISACA. http://www.books24x7.com/marc.asp?bookid=30842. Information Systems Audit And Control Association. (2009). Security, audit and control features: SAP ERP. Rolling Meadows, IL, ISACA. Jha, S., & Mathuria, A. (2011). Information Systems Security 6th International Conference, ICISS 2010, Gandhinagar, India, December 17-19, 2010. Proceedings. Berlin, Heidelberg, Springer Berlin Heidelberg. Library Of Congress Washington Dc Congressional Research Service, & Tehan, Rita. (2013). Cybersecurity: Authoritative Reports and Resources. http://oai.dtic.mil/oai/oai?&verb=getRecord&metadataPrefix=html&identifier=ADA582219. Moeller, R. R. (2010). IT audit, control, and security. Hoboken, N.J, Wiley. http://site.ebrary.com/lib/alltitles/docDetail.action?docID=10469768. Montana. Legislature. Legislative Audit Division. (2008). State web server security audit, Department of Administration : information systems audit. Montana State Library. http://cdm15018.contentdm.oclc.org/u?/p15018coll2,9515. O'hanley, R., & Tiller, J. S. (2013). Information security management handbook on CD-ROM. Oliphant, A. (2004). Auditing IT infrastructures practical information for auditors, IT auditors, and audit managers. Edinburgh, Pleier Corporation. Osborne, M., & Summitt, P. M. (2006). How to cheat at managing information security. Rockland, MA, Syngress. http://www.books24x7.com/marc.asp?bookid=14603. Park, J. J. (. H., Zomaya, A., Jeong, H.-Y., & Obaidat, M. (2014). Frontier and Innovation in Future Computing and Communications. Dordrecht, Springer Netherlands. http://dx.doi.org/10.1007/978-94-017-8798-7. Patnaik, S., & Li, X. (2014). Proceedings of International Conference on Soft Computing Techniques and Engineering Application ICSCTEA 2013, September 25-27, 2013, Kunming, China. New Delhi, Springer India. http://dx.doi.org/10.1007/978-81-322-1695-7. Reddick, C. G. (2010). Information Security in Government. Rountree, D. (2011). Security for Microsoft Windows system administrators: introduction to key information security concepts. Burlington, MA, Syngress. http://site.ebrary.com/lib/alltitles/docDetail.action?docID=10427742. Setola, R., & Geretshuber, S. (2009). Critical Information Infrastructure Security Third International Workshop, CRITIS 2008, Rome, Italy, October13-15, 2008. Revised Papers. Berlin, Heidelberg, Springer Berlin Heidelberg. Solomon, M., & Chapple, M. (2005). Information security illuminated. Sudbury, MA, Jones and Bartlett. United States, & Scovel, C. L. (2008). Audit of information security program Department of Transportation. [Washington, D.C.], U.S. Dept. of Transportation, Office of the Secretary of Transportation, Office of Inspector General. http://purl.fdlp.gov/GPO/gpo25438. Vacca, J. R. (2009). Computer and information security handbook. Amsterdam [u.a.], Elsevier/Morgan Kaufmann. VACCA, J. R. (2013). Computer and information security handbook. Amsterdam, Morgan Kaufmann Publishers is an imprint of Elsevier. http://search.ebscohost.com/login.aspx?direct=true&scope=site&db=nlebk&db=nlabk&AN=485997. Vacca, J. R. (2013). Computer and information security handbook. Amsterdam, Morgan Kaufmann Publishers is an imprint of Elsevier. http://search.ebscohost.com/login.aspx?direct=true&scope=site&db=nlebk&db=nlabk&AN=485997. Vladimirov, A. A., Gavrilenko, K. V., & Mikhailovsky, A. A. (2010). Assessing information security strategies, tactics, logic and framework. Ely, IT Governance Pub. http://www.books24x7.com/marc.asp?bookid=36115. Wright, C., Freedman, B., & Liu, D. (2008). The IT regulatory and standards compliance handbook "How to survive an information systems audit and assessments"--Cover. Burlington, Mass, Syngress Pub. Read More