‘Technical’ ISO 27001 Audit
Process review is a common term used in cyber security for assessing the controls of an IT infrastructure. Generally, there is a checklist for performing such audits. However, I would prefer doing it technically rather than robotically.
Background
Use some OSINT on the company. Here are some things that you can check:
- DNS dumpster for basic subdomain enumeration (this gives an idea of the IP ranges and applications in use)
- Shodan: exposed ports and services that are known to be vulnerable.
- Google News: any previous hack or fine imposed on the organization.
- Dorks: misconfigured files/folders indexed by search engines.
- Play Store: list of the organization's Android applications on the Play Store, etc.
Day 0: Audit Day
Let's take each domain one by one. The first thing to look at while entering the building is the physical security and the placement of cameras. Also look at visitor card issuance and whether the cards are properly checked. Let's start the audit:
Architecture Diagram:
The network diagram forms the heart of your understanding. It is divided into two parts. The first is diagram understanding: learn the traffic flow from the internet to the internal network. In step 1 you will already have identified the components of the organization that are internet facing. Ask for the traffic flow of these apps. Any critical web application should have a web server in the DMZ, an app server and a DB server. Following are some of the technical checks that you can find in the diagram or enquire about from it:
- DMZ implementation
- Firewall placements between two networks.
- Placement of the email server, AD server, WSUS/update server, AV update server, ADFS etc.
- FTP/SFTP/RDP/VPN access from outside.
- Security device placement, e.g. Anti-DDoS -> Firewall -> WAF -> Anti-APT -> Proxy -> DLP -> Load balancer -> DAM etc.
The second part is diagram validation. Sometimes components are present in the diagram but not in the actual infrastructure. How to verify? Just ping any random device shown in the diagram, or ask the IT admin to open that device's console and confirm its presence. This helps validate the implementation.
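The ping check above can be done for the whole diagram in one go. The following is an added example, not code from the original post; the device list is constructed for illustration (the hostnames and the 10.0.0.5 address are placeholders) and would be filled in from the actual diagram during the audit.

```powershell
# Added example (not from the original post): check whether the devices shown
# in the network diagram actually answer on the network. The device list is a
# constructed sample; fill it from the diagram in a real audit.
$diagramDevices = @(
    [pscustomobject]@{ Component = 'Web server (DMZ)'; Host = 'web01.example.local' },
    [pscustomobject]@{ Component = 'App server';       Host = 'app01.example.local' },
    [pscustomobject]@{ Component = 'DB server';        Host = 'db01.example.local' },
    [pscustomobject]@{ Component = 'WAF';              Host = '10.0.0.5' }
)

function Test-DiagramDevice {
    param([Parameter(Mandatory)][object[]]$Devices)
    foreach ($d in $Devices) {
        # One ICMP echo per device; -Quiet makes Test-Connection return $true/$false only.
        $alive = Test-Connection -ComputerName $d.Host -Count 1 -Quiet -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Component = $d.Component
            Host      = $d.Host
            Reachable = [bool]$alive
            CheckedAt = (Get-Date).ToString('s')
        }
    }
}

$results = Test-DiagramDevice -Devices $diagramDevices
$results | Format-Table -AutoSize

# Anything in the diagram that did not answer goes on the follow-up list:
# have the admin open the device console before recording it as missing.
$results | Where-Object { -not $_.Reachable } |
    ForEach-Object { "Follow up: $($_.Component) ($($_.Host)) did not answer ping" }
```

A device that does not answer ping is not necessarily absent; firewalls between segments often drop ICMP, which is why the unreachable list is a follow-up list for the console check rather than a finding on its own.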
Antivirus Management:
Antivirus is an important aspect of security. How to validate whether these controls are complete? Get the asset register with the number of assets. Give specific attention to tablets, VMs, Linux, Mac, mobiles etc. which are not Windows based. Now ask the IT admin to open the antivirus console, which shows the number of reporting agents and the agents that are down. Some common issues that can be found from the AV console are:
- Incomplete coverage of the asset register in the AV tool.
- AV signatures not updated on endpoints.
- Agents corrupted.
- Agents not reporting, for whatever reason.
- Actions not taken against detected malware.
The best place to validate agent installation is a developer's machine. Just ask the IT admin to show any developer's or software engineer's system; these are the people who tend to disable the AV! Also check one system belonging to top management for AV installation.
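The five issues listed above can be pulled out of the two exports mechanically by reconciling the asset register against the AV console. This is an added example, not code from the original post; both datasets are constructed samples (hostnames, dates and column names are assumptions), and in practice they would be loaded with Import-Csv from the CMDB export and the AV console export.

```powershell
# Added example (not from the original post): reconcile the asset register
# against an antivirus console export. Both datasets are constructed samples;
# load the real exports with Import-Csv instead of ConvertFrom-Csv.
$assetRegister = @'
Hostname,Type,OS
WS-DEV-01,Laptop,Windows 11
WS-DEV-02,Laptop,Windows 11
SRV-DB-01,Server,Windows Server 2019
SRV-WEB-01,Server,Ubuntu 22.04
MAC-DES-01,Laptop,macOS 14
TAB-SALES-01,Tablet,Android 13
'@ | ConvertFrom-Csv

$avConsole = @'
Hostname,LastReported,SignatureDate,AgentStatus,PendingDetections
WS-DEV-01,2024-05-20,2024-05-20,Healthy,0
WS-DEV-02,2024-04-02,2024-04-01,Healthy,0
SRV-DB-01,2024-05-20,2024-05-19,Corrupted,0
SRV-WEB-01,2024-05-20,2024-05-20,Healthy,2
LAB-UNKNOWN-07,2024-05-20,2024-05-20,Healthy,0
'@ | ConvertFrom-Csv

function Get-AvCoverageFindings {
    param(
        [Parameter(Mandatory)][object[]]$Assets,
        [Parameter(Mandatory)][object[]]$Agents,
        [datetime]$AsOf = [datetime]'2024-05-21',   # audit date; use (Get-Date) in a live run
        [int]$MaxReportAgeDays = 7,
        [int]$MaxSignatureAgeDays = 3
    )
    $agentByHost = @{}
    foreach ($a in $Agents) { $agentByHost[$a.Hostname.ToUpper()] = $a }
    $assetNames = $Assets | ForEach-Object { $_.Hostname.ToUpper() }

    # 1. Completeness: asset in the register but no AV agent (often the non-Windows devices).
    foreach ($asset in $Assets) {
        if (-not $agentByHost.ContainsKey($asset.Hostname.ToUpper())) {
            [pscustomobject]@{ Hostname = $asset.Hostname; Finding = "No AV agent ($($asset.Type), $($asset.OS))" }
        }
    }
    # 2. Agents reporting from hosts that are not in the asset register at all.
    foreach ($agent in $Agents) {
        if ($agent.Hostname.ToUpper() -notin $assetNames) {
            [pscustomobject]@{ Hostname = $agent.Hostname; Finding = 'Agent present but host not in asset register' }
        }
    }
    # 3. Agent health: stale check-in, old signatures, corrupted agent, detections without action.
    foreach ($agent in $Agents) {
        $reportAge = ($AsOf - [datetime]$agent.LastReported).Days
        $sigAge    = ($AsOf - [datetime]$agent.SignatureDate).Days
        if ($reportAge -gt $MaxReportAgeDays) {
            [pscustomobject]@{ Hostname = $agent.Hostname; Finding = "Agent not reporting for $reportAge days" }
        }
        if ($sigAge -gt $MaxSignatureAgeDays) {
            [pscustomobject]@{ Hostname = $agent.Hostname; Finding = "Signatures $sigAge days old" }
        }
        if ($agent.AgentStatus -ne 'Healthy') {
            [pscustomobject]@{ Hostname = $agent.Hostname; Finding = "Agent status: $($agent.AgentStatus)" }
        }
        if ([int]$agent.PendingDetections -gt 0) {
            [pscustomobject]@{ Hostname = $agent.Hostname; Finding = "$($agent.PendingDetections) detection(s) without action" }
        }
    }
}

Get-AvCoverageFindings -Assets $assetRegister -Agents $avConsole | Format-Table -AutoSize
```

On the sample data this reports the Mac and the Android tablet with no agent, one agent from a host that is not in the register, a laptop that has not reported for seven weeks with equally old signatures, a corrupted agent on the DB server and two unactioned detections on the web server, which is the same list of issues the console walkthrough is meant to surface.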
User Access Management:
Active Directory is your best friend here. Just ask the IT admin to run a PowerShell command to extract all the user names in the domain. You can do it yourself with the net user /domain command in any terminal.
- Hunt for generic users in the list and ask who owns them (e.g. DeskAdmin, support etc.)
- Pick a random user and check details like when the password was last changed, password complexity etc.
- Ask HR for separated employees and search for their names. Match the termination date with the AD disabled date.
- Search the Outlook logs to see when the mailbox of a separated employee was last accessed.
- Many times local logins are created for application users. Ask which applications separated users had access to and look for local logins there.
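The AD checks in this list (generic accounts, password age, separated employees still enabled or logging on after termination) can be scripted over the user export. The following is an added example, not code from the original post; the user objects and the HR separation list are constructed samples shaped like Get-ADUser output, and the name pattern used to spot generic accounts is an assumption to tune per organization.

```powershell
# Added example (not from the original post): user access review over an
# Active Directory user export. The user list and HR separation list below are
# constructed samples. For a live review, replace $adUsers with:
#   Get-ADUser -Filter * -Properties PasswordLastSet,PasswordNeverExpires,LastLogonDate,Description
$asOf = [datetime]'2024-05-21'   # audit date; use (Get-Date) in a live run

$adUsers = @(
    [pscustomobject]@{ SamAccountName='jsmith';    Enabled=$true;  PasswordLastSet=[datetime]'2024-03-01'; PasswordNeverExpires=$false; LastLogonDate=[datetime]'2024-05-20'; Description='John Smith, Finance' },
    [pscustomobject]@{ SamAccountName='deskadmin'; Enabled=$true;  PasswordLastSet=[datetime]'2021-01-15'; PasswordNeverExpires=$true;  LastLogonDate=[datetime]'2024-05-19'; Description='' },
    [pscustomobject]@{ SamAccountName='support';   Enabled=$true;  PasswordLastSet=[datetime]'2023-11-10'; PasswordNeverExpires=$false; LastLogonDate=[datetime]'2024-05-18'; Description='Shared helpdesk login' },
    [pscustomobject]@{ SamAccountName='akhan';     Enabled=$false; PasswordLastSet=[datetime]'2024-01-05'; PasswordNeverExpires=$false; LastLogonDate=[datetime]'2024-02-27'; Description='Ayesha Khan, HR' },
    [pscustomobject]@{ SamAccountName='rlee';      Enabled=$true;  PasswordLastSet=[datetime]'2023-12-12'; PasswordNeverExpires=$false; LastLogonDate=[datetime]'2024-05-15'; Description='Robert Lee, Dev' }
)

# HR separation list (constructed). HR exports usually carry names, not account
# names; map them to SamAccountName before this step.
$hrSeparated = @(
    [pscustomobject]@{ SamAccountName='akhan'; TerminationDate=[datetime]'2024-02-29' },
    [pscustomobject]@{ SamAccountName='rlee';  TerminationDate=[datetime]'2024-04-30' }
)

function Find-GenericAccount {
    param([object[]]$Users)
    # Generic/shared accounts: name matches a role word, or no named owner in Description.
    $Users | Where-Object {
        $_.Enabled -and (
            $_.SamAccountName -match '^(admin|deskadmin|support|helpdesk|test|temp|guest|svc)' -or
            [string]::IsNullOrWhiteSpace($_.Description)
        )
    } | ForEach-Object { [pscustomobject]@{ Account=$_.SamAccountName; Finding='Generic account: confirm owner' } }
}

function Find-PasswordIssue {
    param([object[]]$Users, [datetime]$AsOf, [int]$MaxAgeDays = 90)
    foreach ($u in $Users | Where-Object Enabled) {
        $age = ($AsOf - $u.PasswordLastSet).Days
        if ($u.PasswordNeverExpires) { [pscustomobject]@{ Account=$u.SamAccountName; Finding='Password set to never expire' } }
        if ($age -gt $MaxAgeDays)    { [pscustomobject]@{ Account=$u.SamAccountName; Finding="Password $age days old" } }
    }
}

function Compare-HrSeparation {
    param([object[]]$Users, [object[]]$Separated)
    foreach ($s in $Separated) {
        $u = $Users | Where-Object SamAccountName -eq $s.SamAccountName
        if (-not $u) {
            [pscustomobject]@{ Account=$s.SamAccountName; Finding='No AD account found (check local/application logins)' }
            continue
        }
        if ($u.Enabled) {
            [pscustomobject]@{ Account=$u.SamAccountName; Finding="Still enabled; terminated $($s.TerminationDate.ToShortDateString())" }
        }
        if ($u.LastLogonDate -gt $s.TerminationDate) {
            [pscustomobject]@{ Account=$u.SamAccountName; Finding="Logon on $($u.LastLogonDate.ToShortDateString()) after termination" }
        }
    }
}

@(
    Find-GenericAccount  -Users $adUsers
    Find-PasswordIssue   -Users $adUsers -AsOf $asOf
    Compare-HrSeparation -Users $adUsers -Separated $hrSeparated
) | Format-Table -AutoSize
```

On the sample data the review flags deskadmin and support as generic accounts, deskadmin's never-expiring and years-old password, stale passwords on support and rlee, and rlee as still enabled with a logon after the HR termination date; akhan, disabled with no logon after termination, produces no finding. AD does not store a "disabled date" as a plain attribute, so matching the termination date against the disable action is done from the account's change history or domain controller event logs rather than from this export.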