There are many sources the security tester needs to consult when researching prior to an audit. Some of the key research areas include:
- The organizational policy and procedural framework as well as any standards and implementation guidelines used
- The organization’s mission statement
- Industry best practice guidelines
- Legislation, regulations or standards that apply to the organization
- Audit frameworks and guidelines, including generic checklists and system-specific standards and checklists from organizations such as CIS, SANS, NIST, DISA and others
- Internal knowledge within the organization
Research is generally one of the more time-consuming aspects of both audit and security review. Successfully planning the audit, penetration test or review, and creating the checklist and scope prior to commencement, will save time. Many people skimp on research time believing that they can make it up during the process. This is a fallacy. Treat any security process as a project. Although the scope may change, there need to be reasons for this change, and it needs to be agreed and documented. The best way to ensure that this occurs is to formalize the process, and the best way to formalize the process is to start by researching the engagement.
Even when you are auditing or testing the same systems again, research is critical. If you come back six months or a year later there will be additional vulnerabilities, frameworks may have changed, policies could have been updated, legislation could have come into effect, and many other constraints that affect the system could now apply. A common mistake in both audits and penetration tests is to assume that nothing has changed and to rerun the process using a prior scope and checklist without reviewing and updating the scope of work where needed.
The research stage provides all the material for our "How To" guidelines. Each time an audit has been conducted this material should be saved. Although it needs to be reviewed every time an audit occurs, not all of the material will change, and in fact much of what we have compiled will also apply to other systems within the organization.
Citing references also provides authority. Psychologically, people respond to authority, and the addition of external references makes it more likely that the report produced from the security engagement will be accepted and that fewer scope changes will occur.