Lecture 6 Network Security

The document outlines the importance of conducting network security audits, which involve assessing hardware, software, and security practices. It emphasizes best practices for threat detection, including establishing baseline protocols, using honeypots, and implementing intrusion detection systems. Additionally, it provides a comprehensive checklist for network security assessments, covering areas such as password security, LAN security, workstation logons, and mobile device policies.

Uploaded by

jumaasahm

LECTURE 6 : Network Security Audit

A network audit is a formal or informal inventory, assessment, and analysis of your network’s
hardware, software, operating systems, servers, and users.

Network audits typically check:

• All network infrastructure and internet-accessible systems
• The security mechanisms activated to protect the network
• The practices used for day-to-day network management

Network security best practices for threat detection and response

Baseline network protocols and monitor usage.


Establish the baseline usage of each protocol on your wired and wireless networks. To create an
accurate baseline, gather data from a variety of sources, including routers, switches, firewalls,
wireless access points, network sniffers and dedicated flow collectors, over a period long enough to
capture normal daily and weekly cycles. Then monitor for deviations from the baseline, which can
indicate data tunnelling (for example, an unusual volume of DNS traffic), malware transmitting data
to unauthorized destinations, and other threats.
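As an added example that is not part of the lecture, the following Python script builds a per-protocol baseline from a constructed week of daily outbound byte counts, of the kind you would aggregate from NetFlow or firewall logs, and flags a day that deviates from it. The protocol names, the byte counts, the 3-standard-deviation threshold and the 10 % floor on the standard deviation are all assumptions for illustration.

```python
"""Protocol-usage baseline with deviation alerts (added example, not lecture code)."""
from statistics import mean, pstdev

# Constructed training window: 7 days of outbound bytes per protocol, as you
# would aggregate from router/switch/firewall flow exports. Values are made up.
BASELINE_WINDOW = [
    {"dns": 2_100_000, "https": 850_000_000, "smtp": 40_000_000, "ssh": 5_000_000},
    {"dns": 1_900_000, "https": 910_000_000, "smtp": 38_000_000, "ssh": 4_500_000},
    {"dns": 2_300_000, "https": 790_000_000, "smtp": 45_000_000, "ssh": 6_100_000},
    {"dns": 2_000_000, "https": 880_000_000, "smtp": 41_000_000, "ssh": 5_300_000},
    {"dns": 2_200_000, "https": 930_000_000, "smtp": 39_000_000, "ssh": 4_800_000},
    {"dns": 1_800_000, "https": 600_000_000, "smtp": 20_000_000, "ssh": 3_000_000},  # weekend
    {"dns": 1_700_000, "https": 580_000_000, "smtp": 18_000_000, "ssh": 2_900_000},  # weekend
]

# Constructed observation: DNS is 30x normal (consistent with DNS tunnelling)
# and a protocol never seen in the baseline appears.
OBSERVED_DAY = {"dns": 60_000_000, "https": 900_000_000, "smtp": 35_000_000,
                "ssh": 5_000_000, "irc": 500_000}


def build_baseline(window, floor_ratio=0.1):
    """Return {protocol: (mean_bytes, stdev_bytes)} over the training window.

    The standard deviation is floored at floor_ratio * mean so a protocol with
    very stable traffic does not produce a threshold that trips on noise.
    """
    protocols = set().union(*window)
    baseline = {}
    for proto in sorted(protocols):
        samples = [day.get(proto, 0) for day in window]   # absent = 0 bytes
        avg = mean(samples)
        stdev = max(pstdev(samples), floor_ratio * avg) or 1.0   # never divide by zero
        baseline[proto] = (avg, stdev)
    return baseline


def detect_deviations(baseline, observed, k=3.0):
    """Flag protocols whose volume exceeds mean + k*stdev, or that are unseen."""
    alerts = []
    for proto, volume in sorted(observed.items()):
        if proto not in baseline:
            alerts.append({"protocol": proto, "bytes": volume,
                           "reason": "protocol never seen during baseline period"})
            continue
        avg, stdev = baseline[proto]
        z = (volume - avg) / stdev
        if z > k:
            alerts.append({"protocol": proto, "bytes": volume,
                           "reason": f"{z:.1f} standard deviations above baseline mean "
                                     f"of {avg:,.0f} bytes"})
    return alerts


if __name__ == "__main__":
    for alert in detect_deviations(build_baseline(BASELINE_WINDOW), OBSERVED_DAY):
        print(f"{alert['protocol']:6s} {alert['bytes']:>12,d}  {alert['reason']}")
```

Run it after the daily flow aggregation job. A thirty-fold DNS increase is the classic sign of DNS tunnelling, and a protocol absent from the baseline points at a new tool or service that has to be accounted for. Rebuild the baseline periodically so it tracks legitimate growth, but never from a window that contains a known incident, or the incident becomes "normal".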

Use honeypots and honeynets.


A honeypot is a decoy system designed to look like a real network asset, and a honeynet is a
network of honeypots that simulates a larger, more complex network environment. They are
designed to lure adversaries into interacting with them, both to divert malicious actors from true
assets and to enable security teams to study attack techniques and gather other intelligence for
effective threat management. Because no legitimate user has a reason to touch a honeypot, any
connection to one is a high-fidelity alert; keep the decoys isolated from production systems so a
compromised honeypot cannot be used as a pivot.
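As an added example that is not part of the lecture, here is a low-interaction TCP honeypot in Python. It binds a loopback port chosen at runtime, records the source address and the first bytes of whatever connects, and replies with a fake SSH banner. The banner string, the in-memory event list and the probe() client that plays the attacker are assumptions for illustration; a real deployment would bind an otherwise unused address on the production network and ship the events to the SIEM.

```python
"""Low-interaction TCP honeypot (added example, not lecture code)."""
import socket
import socketserver
import threading
import time

FAKE_BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"   # assumed decoy identity; pick one that blends in


class HoneypotHandler(socketserver.BaseRequestHandler):
    """Record the first bytes a client sends, then answer with the decoy banner."""

    def handle(self):
        self.request.settimeout(2.0)
        src_ip, src_port = self.client_address[:2]
        try:
            payload = self.request.recv(1024)
        except socket.timeout:
            payload = b""          # a bare connect (port scan) still gets logged
        self.server.events.append({
            "time": time.time(),
            "src": f"{src_ip}:{src_port}",
            "payload": payload,
        })
        try:
            self.request.sendall(FAKE_BANNER)
        except OSError:
            pass                   # client already gone; the event is recorded anyway


class Honeypot(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, host="127.0.0.1", port=0):   # port 0 = let the OS choose
        super().__init__((host, port), HoneypotHandler)
        self.events = []           # in a real deployment, write to a log/SIEM instead

    @property
    def port(self):
        return self.server_address[1]

    def start(self):
        threading.Thread(target=self.serve_forever, daemon=True).start()
        return self


def probe(host, port, payload):
    """Constructed 'attacker' client: connect, send payload, return the banner."""
    with socket.create_connection((host, port), timeout=2.0) as sock:
        sock.sendall(payload)
        return sock.recv(1024)


def run_demo():
    """Start a honeypot, hit it once, and return (events, banner_seen_by_client)."""
    honeypot = Honeypot().start()
    try:
        banner = probe("127.0.0.1", honeypot.port, b"SSH-2.0-libssh_0.9.3\r\n")
        return honeypot.events, banner
    finally:
        honeypot.shutdown()
        honeypot.server_close()


if __name__ == "__main__":
    events, banner = run_demo()
    for event in events:
        print(f"{event['src']} sent {event['payload']!r}; answered with {banner!r}")
```

Alert on every recorded event: nothing in your inventory should ever connect to a port that does not exist, so the false-positive rate is close to zero. Run the decoy without privileges on a host that holds nothing of value, behind firewall rules that let it accept connections but never initiate them.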

Use intrusion detection and prevention systems.


It is vital to monitor and log activity across the network and analyze it to spot unusual logins,
suspicious computer events and other anomalies.
An intrusion detection system (IDS) monitors network data flows for potentially malicious activity
and alerts administrators about anomalies.
An intrusion prevention system (IPS) also monitors network traffic for threats; however, in
addition to alerting administrators, it sits inline and can automatically block or mitigate them.
These tools can be a valuable part of your network security strategy. For example, by comparing
current activity to an established baseline, they can spot a spike in network activity that could
indicate, say, ransomware encrypting files over network shares or an automated SQL injection tool
hammering a web application.
They can also use attack signatures (characteristic features common to a specific attack or
pattern of attacks) to spot attacks that do not generate activity deviating from your organization's
baseline, such as a single well-formed request carrying an injection payload. Signatures only match
what they were written for, so the two approaches complement each other.
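As an added example that is not part of the lecture, the script below runs a small signature set over constructed web server access log lines. The log lines, the addresses (documentation ranges) and the four signatures are assumptions for illustration, not a production ruleset; the point it shows is that the request has to be URL-decoded before matching, because the percent-encoded form of an injection payload does not look like the signature.

```python
"""Signature matching over web access logs (added example, not lecture code)."""
import re
from urllib.parse import unquote_plus

# Constructed log lines in Combined Log Format; addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2024:13:55:36 +0000] "GET /products?id=42 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2024:13:55:41 +0000] "GET /products?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 91234 "-" "sqlmap/1.7"
198.51.100.23 - - [10/Oct/2024:13:56:02 +0000] "GET /static/app.js HTTP/1.1" 200 77210 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2024:13:56:09 +0000] "GET /download?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 210 "-" "curl/8.4"
192.0.2.55 - - [10/Oct/2024:13:57:15 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.55 - - [10/Oct/2024:13:57:20 +0000] "GET /search?q=union+select+username%2Cpassword+from+users-- HTTP/1.1" 500 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# (name, field to inspect, pattern). Illustrative only; a production ruleset is far larger.
SIGNATURES = [
    ("sqli-tautology", "url", re.compile(r"'\s*or\s*'?\d+'?\s*=\s*'?\d+", re.I)),
    ("sqli-union",     "url", re.compile(r"\bunion\b.{0,20}\bselect\b", re.I)),
    ("path-traversal", "url", re.compile(r"(\.\./){2,}")),
    ("scanner-ua",     "ua",  re.compile(r"sqlmap|nikto|masscan", re.I)),
]


def parse_line(line):
    """Parse one Combined Log Format line; returns None for lines that don't fit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Normalise before matching: %27 -> ', %2F -> /, + -> space. Matching the
    # raw, still-encoded request is the classic way a signature gets evaded.
    rec["url"] = unquote_plus(rec["url"])
    return rec


def scan_log(text):
    """Return one alert per (line, signature) match."""
    alerts = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, field, pattern in SIGNATURES:
            if pattern.search(rec[field]):
                alerts.append({"src": rec["src"], "signature": name,
                               "ts": rec["ts"], "url": rec["url"], "ua": rec["ua"]})
    return alerts


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"[{hit['ts']}] {hit['src']:15s} {hit['signature']:15s} {hit['url']}")
```

None of the flagged requests would move a volume baseline; each is one ordinary-sized request, which is exactly the case the lecture says signatures exist for. The flip side is that a signature only sees what it was written for: double encoding, inline comments (UN/**/ION) and case tricks all need further normalisation, so keep both detection modes rather than relying on either alone.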

Automate response to attacks when appropriate.


Many modern security tools can be configured to respond automatically to known threats. For
example, these systems can:
• Block an IP address. An IPS or firewall can block the IP address from which the attack
originated. This works well when the attack comes from a single genuine source address, such as a
host running a brute-force or scanning tool. However, some attackers spoof the source IP address,
in which case the wrong address will be blocked, and distributed denial-of-service attacks come
from too many addresses for per-address blocking to help much.
• Terminate connections. Routers and firewalls can be configured to disrupt the connections an
intruder maintains with a compromised system, for example by dropping the connection state or
sending TCP RST packets to both ends of the connection.
• Acquire additional information. Tools can also collect information that helps determine the
point of initial access, which accounts were compromised, how the intruders moved across the
network and what data was compromised.
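The response choices above, with the spoofing caveat built in, as an added Python example that is not from the lecture. The alert format, the never-block list, the event threshold and the generated nftables and conntrack commands are assumptions for illustration; the function returns the commands as strings for review rather than executing them, and the nft commands assume a table named inet filter with an input chain and a blocklist set created with flags timeout.

```python
"""Automated response decisions for IDS alerts (added example, not lecture code)."""
import ipaddress

# Assumed: addresses we must never auto-block (management LAN, upstream resolver).
NEVER_BLOCK = [ipaddress.ip_network("10.0.0.0/24"),
               ipaddress.ip_network("192.0.2.53/32")]

# Alert types raised only after a completed TCP handshake: the source address
# is genuine, so blocking it hits the right host.
BLOCKABLE = {"ssh-bruteforce", "rdp-bruteforce", "web-sqli"}
# Alert types driven by single packets or UDP: the source may be forged, so an
# address block would punish a bystander. Rate-limit the service instead.
SPOOFABLE_TCP = {"syn-flood"}
SPOOFABLE_UDP = {"udp-flood", "dns-amplification"}

BLOCK_THRESHOLD = 5     # assumed: events required before an automatic block


def decide(alert):
    """Map one IDS alert to an action plus the commands an operator would run."""
    src = ipaddress.ip_address(alert["src"])
    kind = alert["type"]
    dport = alert.get("dport", 0)

    if any(src in net for net in NEVER_BLOCK):
        return {"src": str(src), "action": "alert-only",
                "reason": "source is on the never-block list", "commands": []}

    if kind in SPOOFABLE_TCP or kind in SPOOFABLE_UDP:
        match = (f"tcp dport {dport} tcp flags syn" if kind in SPOOFABLE_TCP
                 else f"udp dport {dport}")
        return {"src": str(src), "action": "rate-limit",
                "reason": "source address may be spoofed; blocking it would hit the wrong host",
                "commands": [f"nft add rule inet filter input {match} "
                             f"limit rate over 100/second drop"]}

    if kind in BLOCKABLE and alert.get("count", 0) >= BLOCK_THRESHOLD:
        return {"src": str(src), "action": "block",
                "reason": f"{alert['count']} {kind} events from a non-spoofable TCP source",
                "commands": [
                    # temporary block: the set entry expires, so a mistake self-heals
                    f"nft add element inet filter blocklist {{ {src} timeout 1h }}",
                    # drop existing connection state so in-flight sessions die too
                    f"conntrack -D -s {src}",
                ]}

    return {"src": str(src), "action": "alert-only",
            "reason": "below threshold or unknown alert type; leave to an analyst",
            "commands": []}


def plan(alerts):
    return [decide(a) for a in alerts]


# Constructed alerts in the shape an IDS export might produce.
SAMPLE_ALERTS = [
    {"src": "203.0.113.7",  "type": "ssh-bruteforce",    "dport": 22,  "count": 40},
    {"src": "198.51.100.9", "type": "dns-amplification", "dport": 53,  "count": 5000},
    {"src": "10.0.0.5",     "type": "web-sqli",          "dport": 443, "count": 12},
    {"src": "192.0.2.88",   "type": "web-sqli",          "dport": 443, "count": 2},
]

if __name__ == "__main__":
    for decision in plan(SAMPLE_ALERTS):
        print(f"{decision['src']:14s} {decision['action']:11s} {decision['reason']}")
        for cmd in decision["commands"]:
            print("    ", cmd)
```

Two design choices carry the weight here: a block is only automated when the alert type guarantees the source completed a TCP handshake (so it cannot be spoofed), and the block entry carries a timeout, so an attacker who manages to trigger a block against a legitimate address can only cause a temporary outage rather than a permanent one.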

Use multiple vendors.


Using solutions from different vendors bolsters cyber resilience by reducing the risk associated
with a single point of failure: if a solution from one vendor is compromised, the presence of
solutions from other vendors helps maintain the defensive shield. This approach also enables
greater adaptability in response to evolving threats and security requirements. More broadly, it can
lead to competitive pricing and drive innovation, as vendors strive to offer the most advanced and
cost-effective solutions. The trade-off is operational: each additional vendor adds integration,
training and patching work, so the extra resilience has to be weighed against the risk of
misconfiguration in a more complex stack.

The OSI Model


The OSI (Open Systems Interconnection) model is an established framework for network systems.
It comprises seven layers, from physical hardware to application-level interactions:

What A Network Security Assessment Checklist Should Look Like


Things are a lot easier if you have some sort of guide to help you. This applies to network
security as well. Knowing the strengths and weaknesses of your network is important, and
a network security assessment checklist gives you direction.

Here are the details one could expect in a network security assessment checklist:
Things to check for, with a description of each. Every item below belongs on the checklist.

Make sure all security surveillance cameras are working.
This is a standard physical security procedure. Someone sneaking into your business premises can
do malicious things on your network. Working cameras deter intruders and give you a record of who
was where if something happens; on their own they do not stop a determined attacker from entering,
so pair them with access controls.

Check if your keyless entry systems are working.
This is very important for the physical security of your network. A sample keyless entry system is
a door that uses biometrics for authentication. An intruder can't enter your building without
verifying their identity first.

Lock computers when not in use.
This is a standard computer security procedure that most people do not follow. Locking your PC
means that no one can use it other than you. You should always lock your workstation when you
step away from it, for example when taking a break. One of the major threats to information
security is the insider threat: employees who are negligent and don't follow security policies.
These risks are outside the scope of a network assessment tool, which is why the checklist has to
cover them.

Test the capability of your antimalware software.
Your anti-malware software should be capable of detecting, removing, and preventing various
threats, including:
• Viruses
• Trojans
• Worms
• Rootkits
• Spyware
• Adware
• Ransomware
Also consider variants of these threats and zero-day attacks, which signature-based products will
not catch until a signature exists.

Check for web content.
Block adult sites, gaming sites, and social media sites, in line with your company's security
policies. These sites should be inaccessible by default. Browsing them reduces productivity and
increases security risk: links on such sites, adult sites in particular, are a common route to
malware infection.

Try working around your firewall.
Test whether your firewall is effective at doing its job. It should react to suspicious and
malicious activity and notify you promptly upon detecting a threat. There are many tools for
testing the strength of a firewall; which one fits best depends on your business needs.

Use a whitelisting approach.
This approach grants only explicitly listed programs and processes access to network resources. A
whitelist can contain:
• applications
• email addresses
• IP addresses
Everything on the whitelist has access to network resources; anything not on the list does not.
The logic is to deny all and permit some.

Patch management.
Cybercriminals target outdated software: once a vulnerability is public, they exploit it on systems
that have not yet applied the fix, and in the zero-day case before the vendor has a patch at all.
It is therefore necessary to keep the software components of your network updated. Patching fixes
the bugs and vulnerabilities that attackers rely on.

Check list
1. General
• A written Network Security Policy that lists the rights and responsibilities of all staff,
employees, and consultants
• Security training for all users covering use of the network environment, sharing data outside
the company, and the risks of letting anyone else access their systems
• Make sure users have been trained regarding the sharing of information by email and over
the Internet
• All outside vendors and contractors must sign a security agreement while they are working in
your environment
• Have contingency plans in place for if and when there is a data breach or security breach
2. Password Security
• Written password policy
• Password training for all authorized users to ensure they understand the risks of using
passwords in an insecure way
• Inspect workstations for written-down passwords in the user or server areas
• Keep password requirements documentation in a safe place
3. LAN Security
• Harden servers on the internal network, removing unnecessary services and applications
• Keep unnecessary files off of servers
• Server permissions set appropriately for users
• No anonymous users allowed
• Share the functions of server administration between administrators
• Remote administration policy
• Disable remote administration where it isn't needed
• Remote access security policy and implementation
• Rename the Administrator account
• Enable auditing of Administrator login attempts
• Create extra-strong passwords for Administrator accounts
• Passwords for server administration accounts must be different from the workstation user
accounts of the same people
• Disable the Guest account
• Restrict the access granted to the Everyone group
• Create appropriate user and group accounts
• Set appropriate group access permissions
• Configure audit logs to track unauthorized access to files, systems, folders and accounts
• Configure patch management, or scheduled download and application of operating system and
security patches
• Ensure wireless network security is configured properly, including the use of current wireless
security protocols (WPA2 or WPA3, never WEP)
4. Workstation Logons
• Screen locks on all computers
• Require passwords on all computers, including to recover from the screen lock
• Consider using two-factor authentication
• Harden workstations, removing unnecessary applications and programs
• Anti-virus software installed, with users prevented from disabling or bypassing it
• Ensure anti-virus updates are occurring regularly
• Ensure software updates are occurring regularly
• Ensure operating system and security patches are being applied regularly
• Pop-up blockers enabled
5. Mobile Devices
• An IT security policy or BYOD (Bring Your Own Device) policy needs to be in place for mobile
devices that are used on the network
• How the mobile device policy will be enforced needs to be decided, and then enforced
• Wireless access points need to be secured
6. Network Equipment Security
• Configure audit logs to monitor access
• Document the working configuration settings in case of failure
• Document user accounts and passwords for accessing these devices and keep them in a safe place,
such as a password vault, never in plain text next to the device
• Make sure that firmware upgrades occur regularly
7. Router/Firewall Security
• Use a firewall and make sure that all public-facing services (email, FTP, web, for example) are
on a separate network segment or DMZ, so that a compromised public server cannot reach the
internal network directly
• Make sure that connections from externally sourced IP addresses are never allowed into the LAN,
only into the DMZ
• Configure firewall policies to deny inbound access to unused ports
• Review all firewall policies for potential security risks
• Implement network address translation (NAT) where possible
• Use stateful packet inspection on the firewall to reject packets that do not belong to an
established connection; this helps against spoofed packets and some DoS attacks, though it is not a
complete DoS defence
• Make sure the router and firewall software is updated regularly
• Make sure the router and firewall firmware is updated regularly
• Consider having penetration testing performed to expose further weaknesses
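To make the whitelisting row of the checklist table and the router/firewall items in section 7 concrete, here is an added Python example that is not from the lecture. It models a stateful, default-deny firewall: only explicitly allowlisted (zone, zone, protocol, port) tuples pass, external traffic can reach only the DMZ and only on published ports, packets arriving on the WAN with an internal source address are dropped as spoofed, and replies are accepted only for connections the firewall has already seen. The zones, addresses, rule set and sample packets are all assumptions for illustration, so the reader can test a rule set against sample packets before putting it on a real device.

```python
"""Stateful default-deny firewall model (added example, not lecture code)."""
import ipaddress

# Assumed addressing: one internal LAN, one DMZ; anything else is the Internet.
ZONES = {
    "lan": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
}
# Which source zones may legitimately arrive on each interface (anti-spoofing).
IFACE_ZONES = {"wan": {"external"}, "lan": {"lan"}, "dmz": {"dmz"}}

# Allowlist of (from_zone, to_zone, proto, dport). Everything else is denied.
RULES = {
    ("external", "dmz", "tcp", 443),   # public web server
    ("external", "dmz", "tcp", 25),    # inbound mail relay
    ("lan", "dmz", "tcp", 22),         # admins to DMZ hosts
    ("lan", "external", "tcp", 443),   # outbound browsing
    ("lan", "external", "udp", 53),    # outbound DNS
    ("dmz", "external", "tcp", 25),    # relay delivers outbound mail
}


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


class StatefulFirewall:
    def __init__(self, rules):
        self.rules = set(rules)
        self.conntrack = set()      # 5-tuples of connections already permitted

    def evaluate(self, pkt):
        """Return 'allow' or 'deny' for a packet dict with keys
        iface, src, dst, proto, sport, dport, syn."""
        five = (pkt["src"], pkt["dst"], pkt["proto"], pkt["sport"], pkt["dport"])
        reverse = (pkt["dst"], pkt["src"], pkt["proto"], pkt["dport"], pkt["sport"])

        # 1. Anti-spoofing: an internal source address cannot arrive on the WAN.
        if zone_of(pkt["src"]) not in IFACE_ZONES[pkt["iface"]]:
            return "deny"
        # 2. Stateful: replies and later segments of a known connection pass.
        if five in self.conntrack or reverse in self.conntrack:
            return "allow"
        # 3. A TCP segment without SYN and without state is not a new connection
        #    (ACK scans, out-of-state injection): drop it.
        if pkt["proto"] == "tcp" and not pkt.get("syn", False):
            return "deny"
        # 4. New connection: allow only if the zone/port tuple is allowlisted.
        key = (zone_of(pkt["src"]), zone_of(pkt["dst"]), pkt["proto"], pkt["dport"])
        if key in self.rules:
            self.conntrack.add(five)
            return "allow"
        return "deny"               # default deny: unused ports, external -> LAN, ...


# Constructed packets; the expected decision is in the comment.
SAMPLE_PACKETS = [
    dict(iface="wan", src="203.0.113.5", dst="10.20.0.10", proto="tcp", sport=51000, dport=443, syn=True),   # allow: public web
    dict(iface="wan", src="203.0.113.5", dst="10.10.1.5", proto="tcp", sport=51001, dport=445, syn=True),    # deny: external into LAN
    dict(iface="wan", src="203.0.113.5", dst="10.20.0.10", proto="tcp", sport=51002, dport=8080, syn=True),  # deny: unpublished port
    dict(iface="dmz", src="10.20.0.10", dst="203.0.113.5", proto="tcp", sport=443, dport=51000, syn=False),  # allow: reply to packet 1
    dict(iface="wan", src="10.10.1.7", dst="10.20.0.10", proto="tcp", sport=51003, dport=443, syn=True),     # deny: spoofed LAN source
    dict(iface="wan", src="203.0.113.9", dst="10.20.0.10", proto="tcp", sport=51004, dport=443, syn=False),  # deny: no state (ACK scan)
    dict(iface="lan", src="10.10.1.5", dst="198.51.100.80", proto="tcp", sport=52000, dport=443, syn=True),  # allow: outbound HTTPS
    dict(iface="wan", src="198.51.100.80", dst="10.10.1.5", proto="tcp", sport=443, dport=52000, syn=False), # allow: reply to packet 7
]


def run_samples():
    fw = StatefulFirewall(RULES)
    return [fw.evaluate(p) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, run_samples()):
        print(f"{verdict:5s} {pkt['iface']:3s} {pkt['src']}:{pkt['sport']} -> {pkt['dst']}:{pkt['dport']}")
```

The order of the checks matters: anti-spoofing runs before the state lookup so a forged internal address cannot ride an existing connection, and the SYN check runs before the allowlist so an ACK-only packet to a published port is still dropped. Adding a rule means adding one tuple; everything not listed stays denied, which is the "deny all and permit some" logic of the whitelisting row.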
