A Security Audit describes the analysis of risks and vulnerabilities of an IT-System or computer program. We perform these tests within the quality management process of companies and optimize network and information security.
The inspection takes place in local area networks by using LAN analysis, but can also be performed as an external audit. The analysis is supposed to unveil potential security issues of a company network. We strictly rely to the ISO/IEC 27001 norm defining management standards for IT security audits. Thereby we focus on intense planning, meticulous documentation and innovative development of your company information network and security management system.
How does a security audit look like?
Comprehensive security audits normally split up in five phases:
Preparation Phase: While preparing the analysis, we intensely communicate with the customer to create a so called „test arrangement“. Furthermore, we define risk analysis strategies and declare audit objectives in compliance with the company's security policy and in collaboration with the customer.
Information Aquisition: The second phase outlines the status quo, performing an IT structure analysis by using professionell scan and sniffing tools (e.g. port scanners). Collecting publicly accessible information and determining the targeted network or application are part of this process. The analysis constitutes the foundation for further actions and states the inital point for the essential test.
Test Phase: In accordance with the customer's instruction and permission, we perform external and internal attacks on the system. The attacks are staged and scaleable, implying various real-life scenarios.
Test Evaluation: Afterwards, we collect the retrieved information and deliver the results in a security report.
- Postprocessing: In compliance with the security report we finally compose security advices for the customer and outline concrete instructions which will be published in a catalogue of measures.
Who perfoms the test?
The person performing the security audit is called auditor. Beside a rich knowledge of security issues, he possesses the ability to act as a potential attacker.
With years of practical experiences we are aware of the customer's needs, especially when it comes to sensible data. To guarantee the highest possible security standard for your company, we rely on meticulous and detailed documentation of every work stage. Furthermore, our security experts will counsel you with regard to the reasons and targets of a security audit, the applied method as well as range and timeframe of the test.
The employees of curesec GmbH are bound to Non-Disclosure Agreements (NDA) and are educated as certified security experts.
Which measures are part of the analysis?
The measures differ in accordance to the real-life scenarios of an IT infrastructure. Manual measures may be the execution of security scans via software tools, verification of system access points or the analysis of physical access to systems, devices and applications.
The penetration test outlines the essential part of a comprehensive security audit and contains external and internal attacks on the company network.
Beside the mentioned manual measures, computer assisted auditing techniques (CAAT) and system generated audit reports can be a useful completement.
What are potentiall security flaws?
Most security flaws are caused by structural, technical and personal deficiency. Structural deficiency may result from poor security concepts, insufficient monitoring and incomplete security policies. Unciphered and open connections, deficient configurations (factory adjustment) of network advises or services, faulty or bad coded software and the usage of insecure services (e.g. telnet, SNMP, RDP) illustrate the major technical concerns. However, humans with a lack of security, maintenance and programming qualifications still provoke the most security issues. These issues and risks must be identified by scans and analysis to point out priorities and ideally prevent any security issues.
The Curesec Academy provides workshops and seminars for your staff members. Experienced docents will teach you how to initially recognize security flaws and to avoid them.