Enhancing Network Security: Key Areas of Assessment and Corresponding Audit Strategies



This week, our lesson focused on several critical areas of network security, each playing a crucial role in safeguarding information systems. In today’s connected threat landscape, network security is foundational: it monitors and controls the traffic that enters and leaves a system. The CISA Certified Information Systems Auditor Study Guide discusses the importance of implementing proper internal controls, verified by comprehensive auditing that identifies potential vulnerabilities or failure points in order to mitigate risk: “It is the job of the CISA to evaluate the auditee's technology implementation. Despite advancements in technology, common problems will usually be rooted in fundamental errors of design or implementation. Security is best implemented in multiple layers to provide compensating control for design vulnerabilities” (Cannon et al., 2016, p. 298). Network Firewalls, Intrusion Detection and Prevention Systems, and Wireless Access Security represent three influential areas where auditing serves to identify potential vulnerabilities and ensure compliance with established standards, regulations, guidelines, and best practices.


Network Firewalls. A network firewall blocks unwanted access by controlling the traffic that passes through it; without one, external internet users would have unrestricted reach into the network. A two-tier architecture places a primary firewall at the network boundary to limit access from outside and a second, internal firewall to isolate high-security data, such as cardholder data subject to PCI DSS or protected health information subject to HIPAA, from other internal devices. This segregation adds a layer of protection and supports compliance with those regulations. A misconfigured firewall permits unauthorized access and gives an attacker who has compromised one host a path to pivot to other parts of the network. Firewall administration should be subject to separation of duties, so that the people who change rules are not the people who review and approve them. Firewalls can be deployed to protect a single host (a host-based firewall), as a dual-homed gateway whose two network interfaces relay traffic between networks, or around a screened subnet (DMZ) that hosts services reachable from both inside and outside the network. These configurations enhance security by adding layers an attacker must cross, at the cost of added network complexity.


Firewall Generations. An understanding of firewall generations clarifies the firewall’s role. The most basic, first-generation firewall operated as a packet filter that examined IP addresses and ports to provide low-cost protection against basic unauthorized access to the network. As attackers grew more sophisticated, spoofing source IP addresses to bypass rules and fragmenting malicious packets into smaller pieces to evade inspection, second-generation application proxies became necessary: they relay each request through an additional layer that inspects its content for compliance with safe computing standards. In time, attackers learned to bypass proxies by exploiting open connections and connectionless sessions, which made third-generation stateful inspection necessary; a stateful firewall records TCP and UDP flows in a state table and tracks each connection’s state so that only packets belonging to a legitimately opened connection pass through. Dynamic and adaptive attacks then let attackers modify their behavior in real time to evade detection, so fourth-generation firewalls with adaptive response capabilities integrated with intrusion detection and prevention systems, using automation to keep pace with attackers. When attackers learned to masquerade as authorized network devices or to use zero-day exploits to breach firewalls, fifth-generation firewalls added operating-system kernel-level verification that examines each individual request and approves it only against an internal access control list of authorized commands.
Organizations continue to adopt more advanced approaches such as unified threat management systems (Ali et al., 2012), which combine several security functions, for example deep packet inspection, intrusion prevention, and SSL/TLS inspection, in one platform to address continuously evolving threats. Zone-based monitoring (Ali et al., 2012) isolates different segments of the network for enhanced security.
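To make the difference between a first-generation packet filter and third-generation stateful inspection concrete, here is an added example written for this post; it is not code from the CISA study guide or from any firewall product. Both filters see the same constructed packet sequence: a legitimate outbound HTTPS session followed by an attacker’s unsolicited inbound SYN that spoofs source port 443. The internal address space (10.0.0.0/8), the addresses, and the simplified flag strings are all assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass

# Illustrative internal address space (assumption for this example).
INTERNAL = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # simplified TCP flags: "S" = SYN, "SA" = SYN/ACK, "A" = ACK, "R" = RST


def is_internal(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INTERNAL


def stateless_filter(pkt: Packet) -> str:
    """First-generation packet filter: decides on addresses and ports only.

    To let replies to outbound HTTPS back in, it has to permit any inbound
    packet whose *source* port is 443, a value the attacker controls."""
    if is_internal(pkt.src) and not is_internal(pkt.dst):
        return "ALLOW"  # outbound traffic
    if not is_internal(pkt.src) and pkt.sport == 443:
        return "ALLOW"  # presumed reply to an outbound HTTPS request
    return "DROP"


class StatefulFirewall:
    """Third-generation stateful inspection: a connection table keyed on the
    flow tuple records which connections were legitimately opened from inside."""

    def __init__(self) -> None:
        self.table = {}  # (src, sport, dst, dport) -> "SYN_SENT" | "ESTABLISHED"

    def inspect(self, pkt: Packet) -> str:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # New outbound connection: an internal host sends a SYN.
        if (is_internal(pkt.src) and not is_internal(pkt.dst)
                and pkt.flags == "S" and fwd not in self.table):
            self.table[fwd] = "SYN_SENT"
            return "ALLOW"
        # Reply to a half-open outbound connection: SYN/ACK from the server.
        if self.table.get(rev) == "SYN_SENT" and pkt.flags == "SA":
            self.table[rev] = "ESTABLISHED"
            return "ALLOW"
        # Any packet that belongs to an established flow, in either direction.
        key = fwd if fwd in self.table else rev if rev in self.table else None
        if key is not None and self.table[key] == "ESTABLISHED":
            if pkt.flags == "R":
                del self.table[key]  # a reset tears the connection down
            return "ALLOW"
        # Everything else, including unsolicited inbound packets that happen
        # to carry source port 443, has no matching state and is dropped.
        return "DROP"


def compare(packets):
    """Run one packet sequence through both designs; returns (stateless, stateful) verdicts."""
    fw = StatefulFirewall()
    return [(stateless_filter(p), fw.inspect(p)) for p in packets]


# Constructed packet sequence (not a real capture).
SEQUENCE = [
    Packet("10.1.1.5", 50000, "203.0.113.10", 443, "S"),     # client SYN
    Packet("203.0.113.10", 443, "10.1.1.5", 50000, "SA"),    # server SYN/ACK
    Packet("10.1.1.5", 50000, "203.0.113.10", 443, "A"),     # client ACK
    Packet("203.0.113.10", 443, "10.1.1.5", 50000, "A"),     # server data
    Packet("198.51.100.7", 443, "10.1.1.5", 3389, "S"),      # attacker: spoofed sport 443 to RDP
]

if __name__ == "__main__":
    for pkt, (stateless, stateful) in zip(SEQUENCE, compare(SEQUENCE)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} [{pkt.flags}]"
              f"  stateless={stateless}  stateful={stateful}")
```

The first four packets pass both filters, but the final packet shows the point of the generation change: the packet filter must admit it because source port 443 looks like an HTTPS reply, whereas the stateful firewall finds no connection that the inside ever opened and drops it.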


Auditing Firewalls. When auditing a firewall, the organization’s security policy defines the expected firewall configuration; absent or incomplete policies may themselves indicate insufficient security. Firewall policies should align with security best practices such as the CIS Controls, NIST SP 800-41, and ISO/IEC 27001. Verifiable firewall logs provide a means of examining the network for suspicious behavior that may indicate an inadequate firewall configuration, and regular penetration tests and incident reports give insight into potential weaknesses. Network diagrams, network segments, configuration files, security policies, firewall rules, access control lists, traffic filtering settings, and change management records should all be examined for effectiveness against security best practices and guidelines. Erdheim (2012), in Simplifying Firewall Audits and Ensuring Continuous Compliance, provides a comprehensive step-by-step guide to performing a successful firewall audit. Through detailed documentation, proactive information gathering, and a research-oriented comparison of current policies with best practices, auditors identify overly permissive rules, poorly implemented policies and configurations, and risky services and traffic, and then create remediation plans that clean up the rule base, update it, and log its behavior over time, so that auditing becomes an effective, continuous process.
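The rule-base checks that paragraph describes can be automated against an exported ruleset. The following is an added example written for this post, not a tool from Erdheim (2012) or any vendor: it walks a constructed first-match ruleset and flags overly permissive rules, risky services exposed to any source, rules with no change-management ticket, and rules shadowed by an earlier rule (which can never match). The ruleset format, the rule identifiers, the ticket field, and the list of risky services are all assumptions made for the illustration.

```python
import ipaddress

# Services an auditor typically flags when reachable from arbitrary sources
# (assumed list for this example).
RISKY_SERVICES = {21: "ftp", 23: "telnet", 445: "smb", 1433: "mssql", 3389: "rdp"}

# Constructed ruleset in first-match order; this is not a real vendor export.
# "any" means 0.0.0.0/0 for addresses and 1-65535 for ports.
RULES = [
    {"id": 10, "action": "allow", "src": "10.0.0.0/8", "dst": "any",
     "proto": "tcp", "dport": "443", "ticket": "CHG-1042"},
    {"id": 20, "action": "allow", "src": "any", "dst": "10.20.0.5/32",
     "proto": "tcp", "dport": "23", "ticket": ""},
    {"id": 30, "action": "allow", "src": "any", "dst": "any",
     "proto": "any", "dport": "any", "ticket": "CHG-0007"},
    {"id": 40, "action": "deny", "src": "192.0.2.0/24", "dst": "10.20.0.0/16",
     "proto": "tcp", "dport": "22", "ticket": "CHG-1100"},
]


def net(value: str):
    return ipaddress.ip_network("0.0.0.0/0" if value == "any" else value)


def ports(value: str) -> range:
    """Port spec as a range: "any", a single port, or "lo-hi"."""
    if value == "any":
        return range(1, 65536)
    lo, _, hi = value.partition("-")
    return range(int(lo), int(hi or lo) + 1)


def covers(outer: dict, inner: dict) -> bool:
    """True when `outer` matches every packet that `inner` would match."""
    po, pi = ports(outer["dport"]), ports(inner["dport"])
    return (net(inner["src"]).subnet_of(net(outer["src"]))
            and net(inner["dst"]).subnet_of(net(outer["dst"]))
            and outer["proto"] in ("any", inner["proto"])
            and pi.start >= po.start and pi.stop <= po.stop)


def audit_rules(rules):
    """Return (rule id, finding) pairs for the checks an auditor would raise."""
    findings = []
    for index, rule in enumerate(rules):
        rid = rule["id"]
        permissive = (rule["action"] == "allow" and rule["src"] == "any"
                      and rule["dst"] == "any" and rule["dport"] == "any")
        if permissive:
            findings.append((rid, "overly permissive: allows any source to any destination on any port"))
        elif rule["action"] == "allow" and rule["src"] == "any":
            for port, name in RISKY_SERVICES.items():
                if port in ports(rule["dport"]):
                    findings.append((rid, f"risky service {name} (port {port}) exposed to any source"))
        if not rule["ticket"]:
            findings.append((rid, "no change-management record for this rule"))
        # An earlier rule that covers this one means this rule is unreachable;
        # when the actions differ, the intended deny (or allow) silently fails.
        for earlier in rules[:index]:
            if covers(earlier, rule):
                findings.append((rid, f"shadowed by rule {earlier['id']} ({earlier['action']}): never matched"))
                break
    return findings


if __name__ == "__main__":
    for rid, finding in audit_rules(RULES):
        print(f"rule {rid}: {finding}")
```

Rule 40 is the instructive case: a deny placed after an allow-any rule is dead, so an auditor who only reads the deny in isolation would wrongly conclude that SSH from 192.0.2.0/24 is blocked.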


Intrusion Detection and Prevention Systems. Intrusion Detection and Prevention Systems (IDPSs) monitor network and host activity in real time to detect, alert on, and where possible block attacks, including the dynamic and adaptive attacks whose behavior changes during an active intrusion. While attackers aim to develop zero-day attacks or to masquerade as authorized devices to circumvent these systems, “detection is the most important control in compliance” (Cannon et al., 2016, p. 288) and “every organization should have an intrusion detection and prevention system in place” (Cannon et al., 2016, p. 287). These systems are crucial for identifying and mitigating unauthorized access attempts, ensuring that suspicious activity is promptly addressed before it becomes a breach. Modern IDPSs employ a combination of signature-based, anomaly-based, and stateful protocol analysis detection methods to improve their effectiveness (Turner et al., 2016): signatures catch known threats, anomaly detection catches deviations from a baseline of normal behavior, and stateful protocol analysis catches protocol-specific misuse. Even though IDPSs have been on the market for decades, organizations continue to improve their effectiveness to provide comprehensive defense against malicious cyber threats.


Auditing Intrusion Detection and Prevention Systems. Because an IDPS must continuously monitor network and system activity to detect suspicious behavior and potential attacks, an IDPS audit should assess the timeliness and effectiveness of its alerts and responses. System configuration must be examined to ensure that threat signatures are current and accurate and that anomaly baselines have been tuned, since stale signatures produce false negatives and untuned baselines produce false positives that train analysts to ignore alerts. Detailed logs and incident response plans document that alerts are properly managed, and the rates of false positives and false negatives should be measured rather than assumed. Focused penetration tests with detailed logs can be used to verify expected detection behavior and reaction times, and the audit should confirm that alerts integrate with the organization’s assessment and response tools.
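The two preceding sections describe signature-based and anomaly-based detection and an audit of alert timeliness. Here is an added example, written for this post rather than taken from any IDPS product or from Turner et al. (2016), that runs both detection methods over constructed log lines and then computes, for each alert, how long the attack had been under way before the alert fired. The log layout, the signatures, the five-failures-in-sixty-seconds threshold, and the sixty-second alerting target are all assumptions made for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines in a syslog-like layout (not from any real device).
LOG_LINES = [
    "2024-05-01T10:00:00 sshd[1] Failed password for root from 198.51.100.7 port 40001",
    "2024-05-01T10:00:05 sshd[1] Failed password for root from 198.51.100.7 port 40002",
    "2024-05-01T10:00:09 sshd[1] Failed password for admin from 198.51.100.7 port 40003",
    "2024-05-01T10:00:14 sshd[1] Failed password for admin from 198.51.100.7 port 40004",
    "2024-05-01T10:00:20 sshd[1] Failed password for root from 198.51.100.7 port 40005",
    "2024-05-01T10:01:00 httpd[2] GET /search?q=select+laptop from 203.0.113.9",
    "2024-05-01T10:02:30 httpd[2] GET /cgi-bin/../../etc/passwd from 203.0.113.9",
    "2024-05-01T10:02:45 httpd[2] GET /login?user=admin'+or+'1'='1 from 203.0.113.9",
    "2024-05-01T10:03:00 sshd[1] Failed password for bob from 10.1.1.5 port 50000",
]

# Signature-based detection: patterns for known attack strings (assumed rules).
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sqli-tautology": re.compile(r"'[\s+]*or[\s+]+'?1'?[\s+]*=[\s+]*'?1", re.I),
}

# Anomaly-based detection: too many failed logins from one source in a window.
FAILED_LOGIN = re.compile(r"Failed password for \S+ from (\S+)")
WINDOW = timedelta(seconds=60)
THRESHOLD = 5


def detect(lines):
    """Return alerts in the order they fire; each records when its attack began."""
    alerts = []
    failures = defaultdict(deque)  # source address -> timestamps inside the window
    for line in lines:
        ts_text, _, msg = line.partition(" ")
        ts = datetime.fromisoformat(ts_text)
        for name, pattern in SIGNATURES.items():
            if pattern.search(msg):
                alerts.append({"type": "signature", "rule": name,
                               "at": ts, "first_event": ts})
        match = FAILED_LOGIN.search(msg)
        if match:
            src = match.group(1)
            window = failures[src]
            window.append(ts)
            while window and ts - window[0] > WINDOW:
                window.popleft()  # expire events outside the sliding window
            if len(window) >= THRESHOLD:
                alerts.append({"type": "anomaly", "rule": "ssh-bruteforce", "src": src,
                               "at": ts, "first_event": window[0]})
                window.clear()  # one alert per burst, not one per extra failure
    return alerts


def audit_timeliness(alerts, target=timedelta(seconds=60)):
    """Audit view: seconds from the first event of each attack to its alert,
    and whether that latency meets the alerting target."""
    report = []
    for alert in alerts:
        latency = alert["at"] - alert["first_event"]
        report.append((alert["rule"], latency.total_seconds(), latency <= target))
    return report


if __name__ == "__main__":
    for rule, seconds, ok in audit_timeliness(detect(LOG_LINES)):
        print(f"{rule:16s} latency={seconds:5.1f}s  within target={ok}")
```

The benign search for “select laptop” produces no alert and the single failure from 10.1.1.5 stays under the threshold, which is the false-positive side of the audit; the brute-force alert fires twenty seconds after the first failed login, which is the latency figure an auditor would compare with the organization’s response target.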


Wireless Access Points. Wireless Access Points introduce additional challenges to a network security audit. Much as firewalls have progressed through generations, wireless security protocols (WEP, WPA, and WPA2 as standardized in IEEE 802.11i) have evolved over time to become more secure; WEP in particular is cryptographically broken, and any access point still using it should be recorded as a finding. Temporal keys and port-based network access control (IEEE 802.1X) improve authentication, accountability, and integrity: devices must authenticate and periodically rekey with time-bound keys, which makes it harder for an unauthorized user to gain or keep access; each device receives a unique session key, which limits one device masquerading as another and improves tracking and auditing; and traffic is encrypted under those keys and carries a message integrity check, so tampering with data in transit is detected.


Auditing Wireless Access Points. As with firewall and IDPS audits, an audit of Wireless Access Points considers the security protocols in use, configuration, threat signatures, logs, penetration tests, incident response reports, access control settings, vulnerability testing, and key metrics to assess effectiveness; it should also compare the access points actually observed on the air against the authorized inventory, since a rogue access point bypasses every control above. Adhering to ISACA IT Audit and Assurance Standards to document audit objectives, audit steps, findings, and conclusions guides organizations in performing audits that evolve with the latest developments and trends and remain aligned with frameworks and standards such as COBIT, NIST, and ISO/IEC 27001 and with regulatory and contractual requirements such as HIPAA, GDPR, and PCI DSS.
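The wireless checks described in the two sections above can be expressed as a comparison between what a site survey observes and what the organization authorized. The following is an added example written for this post, not output from any survey tool or ISACA work program: it takes a constructed list of observed access points, flags rogue or drifted devices, weak protocols (WEP, WPA, open), the deprecated TKIP cipher, and SSIDs that policy says must use 802.1X but are found on a pre-shared key. The BSSIDs, SSIDs, inventory, and policy are all assumptions made for the illustration.

```python
# Constructed authorized inventory: BSSID -> expected configuration (assumed).
AUTHORIZED = {
    "00:11:22:33:44:01": {"ssid": "Corp", "auth": "WPA2-Enterprise", "cipher": "CCMP"},
    "00:11:22:33:44:02": {"ssid": "Guest", "auth": "WPA2-PSK", "cipher": "CCMP"},
}

# Policy: SSIDs that must use port-based access control (802.1X) rather than a PSK.
POLICY = {"Corp": "WPA2-Enterprise"}

# Constructed survey result; not real scan output from any tool.
OBSERVED = [
    {"bssid": "00:11:22:33:44:01", "ssid": "Corp", "auth": "WPA2-Enterprise", "cipher": "CCMP"},
    {"bssid": "00:11:22:33:44:02", "ssid": "Guest", "auth": "WPA2-PSK", "cipher": "TKIP"},
    {"bssid": "66:77:88:99:aa:bb", "ssid": "Corp", "auth": "WPA2-PSK", "cipher": "CCMP"},
    {"bssid": "de:ad:be:ef:00:01", "ssid": "Legacy-Printer", "auth": "WEP", "cipher": "WEP"},
]

# Open networks and WEP offer no effective protection; original WPA (TKIP) is deprecated.
WEAK_AUTH = {"Open", "WEP", "WPA"}


def audit_wireless(observed, authorized, policy):
    """Return (bssid, finding) pairs comparing the survey with inventory and policy."""
    findings = []
    for ap in observed:
        bssid = ap["bssid"]
        seen = {key: ap[key] for key in ("ssid", "auth", "cipher")}
        if bssid not in authorized:
            # Unknown radio: either a rogue device or an evil twin of a real SSID.
            findings.append((bssid, f"rogue/unknown access point broadcasting '{ap['ssid']}'"))
        elif authorized[bssid] != seen:
            # Known radio whose live settings no longer match the approved record.
            findings.append((bssid, f"configuration drift: inventory {authorized[bssid]}, observed {seen}"))
        if ap["auth"] in WEAK_AUTH:
            findings.append((bssid, f"weak protocol {ap['auth']}: replace with WPA2 (802.11i) or later"))
        if ap["cipher"] == "TKIP":
            findings.append((bssid, "TKIP cipher in use: require CCMP"))
        required = policy.get(ap["ssid"])
        if required and ap["auth"] != required:
            findings.append((bssid, f"SSID '{ap['ssid']}' must use {required}, observed {ap['auth']}"))
    return findings


if __name__ == "__main__":
    for bssid, finding in audit_wireless(OBSERVED, AUTHORIZED, POLICY):
        print(f"{bssid}: {finding}")
```

The third entry is the case worth noticing: it advertises the corporate SSID with a pre-shared key from a BSSID nobody authorized, so it is reported both as a rogue device and as a policy violation, which is how an evil-twin access point would surface in the audit.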


References:

Ali, S., Al Lawati, M. H., & Naqvi, S. J. (2012, September). Unified threat management system approach for securing SME's network infrastructure. 2012 IEEE Ninth International Conference on e-Business Engineering (ICEBE) (pp. 144-149). IEEE. https://doi.org/10.1109/ICEBE.2012.36


Cannon, D. L., O’Hara, B. T., & Keele, A. (2016). CISA: Certified Information Systems Auditor Study Guide, Fourth Edition. Sybex.


Erdheim, S. (2012, March 28). Simplifying Firewall Audits and Ensuring Continuous Compliance. Algosec. https://www.algosec.com/blog/simplifying-firewall-audits-and-ensuring-continuous-compliance-part-1-of-6/


Turner, C., Jeremiah, R., Richards, D., & Joseph, A. (2016). A Rule Status Monitoring Algorithm for Rule-Based Intrusion Detection and Prevention Systems. Procedia Computer Science, 95, 361–368. https://doi.org/10.1016/j.procs.2016.09.346

