The content of a network security audit is not easy to grasp, yet it is very important for enterprises to establish a complete network security management system.
Consider the difference in scale: you might run anti-virus software on your own computer, scan it and find trojans or malware, but for an entire enterprise you cannot be sure the network is secure unless you scan the entire network. Cyber threats come and go, and they are sometimes discovered too late, which often leaves enterprises reacting to attacks rather than preventing them.
In this blog, we will discuss how to help enterprises establish a complete network security management system and improve the network security checklist so that enterprises can become proactive in responding to network security threats.
How do you define a network audit checklist? Quite simply, before you start planning the checklist in detail, make sure you have answers to the following questions:
- Where on the network is business data hosted?
- Which users have access to which data?
- Which configurations (server configurations or security policies) directly affect data security?
Whether internal or external, the ultimate goal of an attacker is to gain access to confidential company data. Every misconfiguration of the network, and every improperly granted user permission, could hand an attacker a win.
Where is the company data stored? You probably know the general location of the company's business data. For example, it may be stored on file servers such as Windows Server or a cluster, in a SQL or Oracle database, on the Azure or Amazon Web Services (AWS) cloud, on member servers and workstations, or even on other storage media such as NetApp, EMC or NAS devices.
How are resource permissions allocated in the company? Imagine that your data is a valuable item stored in a safe, and user permissions are the key to it. The most common way to open a safe is with its key, so it is important to understand and accurately configure user access rights. Common problems include:
- Nested group access: you may notice that some users are granted unnecessary access to folders, but users who obtain access to those folders indirectly, through membership in nested security groups, may not be on your radar.
- Exposed user credentials: if a remote user's VPN credentials are exposed, an attacker can use them to log into the corporate network as a legitimately authorized user and access internal files. The only way to detect such attempts is to monitor for malicious login behavior and unauthorized file access in real time.
- Cloud data leaks: passwords and keys leaking from the cloud is far more common than you might think. For example, someone using Azure accidentally includes their account keys in a script file uploaded to a public GitHub repository, or the Block Public Access setting is disabled on an AWS S3 bucket.
- Faulty group policy configuration: users or security groups are granted ownership privileges over files and folders without much thought for the consequences.
- Improperly assigned user roles, for example on SQL Server, resulting in unauthorized logins for end users.
Once an attacker discovers a weakness in a user account or server and gains access, they move laterally across the network until they reach business data. To avoid this, it is important to monitor all resource permissions on the network around the clock, especially user account permissions. A permission change can be legitimate, malicious, or triggered by a process, but whenever a permission change event occurs, its details should be documented and reviewed promptly.
How are the network devices configured? Returning to the analogy: if the key to a safe is accidentally lost but the safe itself is strong enough, it can withstand a certain amount of force and keep the valuables from being stolen. In the same way, the configuration of the devices connected to the corporate network matters as much as who holds the keys. In short, appropriate levels of user access together with secure network configuration constitute network security.
Let's start by looking at some scenarios worth monitoring:
- A critical Windows service, backup job or event logging process is stopped, or a new process is created.
- A firewall rule or registry key is modified.
- The sudo or yum command is run to install new software on a Linux system.
- A system security file or folder, such as Program Files (x86), is changed.
- The configuration of a VPN service running on the network is changed.
- The configuration of a web server, such as Microsoft Internet Information Services (IIS) or Apache, is changed.
- A database operation such as deleting a table, executing a command, or retrieving data is performed.
The examples above should give you a good idea of the permission and configuration change events that can occur on your network, so that you can spot potential security threats in a timely manner.
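To make the two points above concrete (a permission change must be reviewed promptly, and configuration events such as service stops, registry changes and sudo use must be spotted), here is an added example, not code from the original post or from any product it mentions. It parses constructed log lines in a simple "timestamp source event key=value" shape (the Windows event ids are the standard Security/System log ones, the lines themselves are made up), classifies each line against the checklist categories, and flags a permission change that is followed within ten minutes by file access to the same object by the same account.

```python
from datetime import datetime, timedelta
import re
# Constructed sample lines, not real logs: "<timestamp> <source> <event> key=value ...".
SAMPLE_LOG = r"""
2024-05-01T09:00:00 Security 4670 user=alice object=\\fs01\finance\q1.xlsx
2024-05-01T09:03:00 Security 4663 user=alice object=\\fs01\finance\q1.xlsx
2024-05-01T09:05:00 System 7036 service=wbengine state=stopped
2024-05-01T09:06:00 Security 4657 user=bob key=HKLM\SYSTEM\CurrentControlSet\Services\Tcpip
2024-05-01T09:07:00 auth sudo user=carol command=/usr/bin/yum
2024-05-01T09:40:00 Security 4663 user=dave object=\\fs01\finance\q1.xlsx
"""

CHECKLIST = {  # checklist categories from the post, keyed by event id or marker
    "4670": "permission change",        # permissions on an object were changed
    "4663": "file access",              # an attempt was made to access an object
    "4657": "registry key modified",    # a registry value was modified
    "7036": "service state change",     # Service Control Manager start/stop
    "sudo": "privileged command on Linux",
}
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)(.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")   # values containing spaces are not expected here

def parse_log(text):
    """Turn raw lines into dicts with ts, source, event and the key=value fields."""
    events = []
    for m in filter(None, map(LINE_RE.match, text.strip().splitlines())):
        ts, source, event, rest = m.groups()
        rec = {"ts": datetime.fromisoformat(ts), "source": source, "event": event}
        rec.update(dict(KV_RE.findall(rest)))
        events.append(rec)
    return events

def classify(events):
    """Map each event to its checklist category ('unclassified' if not listed)."""
    return [CHECKLIST.get(e["event"], "unclassified") for e in events]

def permission_then_access(events, window=timedelta(minutes=10)):
    """Flag a 4670 change followed within the window by a 4663 access of the same object by the same account."""
    hits = []
    for i, change in enumerate(events):
        if change["event"] != "4670":
            continue
        for later in events[i + 1:]:   # input is assumed to be in time order
            delta = later["ts"] - change["ts"]
            if delta > window:
                break
            if (later["event"] == "4663" and later.get("user") == change.get("user")
                    and later.get("object") == change.get("object")):
                hits.append((change["user"], change["object"], int(delta.total_seconds())))
    return hits
```

A hit from permission_then_access is a review item, not proof of abuse: the same shape appears when an administrator legitimately grants themselves access before working on a file, which is exactly why the post asks for such changes to be documented and checked.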
However, keeping track of so many security events that need to be monitored at the same time is not an easy task, especially if you rely on the native functions or scripts of the operating system or application, as shown in the figure below.
Is there a way to overcome these limitations?
The Log360 Security Information and Event Management (SIEM) solution makes it easy.
With Log360 you can view all kinds of security events, configuration changes and log analysis with a few clicks in a friendly web interface. By correlating different events it helps you find sensitive, suspicious or malicious activity in time, notifies designated personnel by e-mail, and triggers response measures to mitigate cyber threats.