Internet Connectivity Audit (ICA)
A Internet Connectivity Audit (ICA) is an in-depth analysis of inbound and outbound network activity through an Internet connection point. An Internet connection point is composed of one or more devices that provide and limit access between the internal network and the outside world. The purpose of the audit is to:
- Identify security issues and usage concerns
- Validate and fine-tune security access and usage policies
- Detect unauthorized access or control of devices attached to the network
- Detect unauthorized access or transmission of information
- Identify the use of unauthorized or high-security risk applications
- Identify undesirable activity or misuse of company resources
- Identify misconfigurations
Why do organizations need a ICA?
Although many organizations spend a lot of money on security hardware, software, services and personnel, they have no means to independently verify and validate that security access and usage restriction policies are properly implemented. A ICA gives an organization the ability to determine what is actually happening on their network. It’s especially beneficial for organizations that do not have their own security personnel.
What is the difference between a ICA and using a protocol analyzer (a.k.a. sniffer)?
For a ICA, the auditor looks at usage and access trends of individual internal and external IP addresses over time. A protocol analyzer will typically only identify similar security issues and usage concerns based on network protocol and port usage.
Can’t our own personnel or security provider do a ICA?
Yes, but it’s like having your accountant audit their own financial statements. An independent auditor often sees or knows things that your own security team may have missed or may not be aware of. Your security team also has to have the right tools for the job. One thing to keep in mind, is that an independent auditor has no vested interest in negative findings, so you can be assured that all results will be fully disclosed.
Do we need an audit if we have a firewall, Intrusion Detection System (IDS) and use anti-virus software?
Yes. Although these tools are on the “must have” list to prevent and detect specific types of activity, there is a lot of activity that these tools do not block or detect. A ICA will often reveal what these systems are missing.
Isn’t a vulnerability scan the same thing as a ICA?
No. A vulnerability scan only scans devices attached to a network for known vulnerabilities and security issues. Vulnerability scanning does not involve analyzing actual network activity. While a vulnerability scan is on the list of “must do” activities and will find similar things that a ICA will uncover, it does not take the place of a ICA.
My security provider recently did a “vulnerability risk assessment” and provided recommendations on how to improve my security posture, which we implemented. Do we really need a ICA?
It depends. If your security provider did not do a ICA, then the answer is yes. If your security provider just used a protocol analyzer (a.k.a. sniffer), then you probably still need a ICA, because protocol analyzers do not always identify specific types of connectivity trends or activity that is indicative of a compromise.
Phase 1: Data Collection
This phase involves obtaining the running configuration on each device at the Internet connection point and capturing network activity (full packets) for a specific period of time.
- An 8-day collection will identify glaringly obvious security issues or usage concerns that need to be addressed.
- A 15-day collection expands upon the 8-day collection and allows additional activity to be analyzed that may not have presented itself during a one-week period. This usually includes systems that were offline due to absences or workstations that were not actually used by someone.
- A 30-day collection identifies trends and usage patterns that are typical of an organization on a month-to-month basis. A lot of network activity is based on what is actually going on within an organization (i.e. deadlines, projects, downtime) and a month long audit tends to reveal traffic that occurs when specific business functions are performed or during lighter workload periods. A 30-day audit also increases the likelihood of being able to review traffic from notebooks or other devices that are only occasionally connected to the network.
- A 60-Day collection confirms all of the connectivity results from the initial 30-day period and provides a baseline of normalcy of a network. It also provides enough information for an organization to reconfigure and completely tighten its security configuration.
- Daily collection. This is for organizations that have a permanent analyst on staff to analyze data.
Phase 2: Data Validation
Once the data is collected, it needs to be validated to ensure that it is usable and complete. Any significant gaps in time or collection errors (protocol headers cannot be decoded) may invalidate the dataset and require that another dataset be collected.
Phase 3: Analysis
All activity is analyzed and scrutinized to identify as many issues or concerns as possible. If any significant security issues are uncovered, such as Trojans, worms or unauthorized access, the auditor should bring them to your attention immediately.
Phase 4: Final Report
Once the data is analyzed, the auditor creates a report of his findings. The report includes an executive summary and detailed information on each issue and usage concern that was found, along with specific recommended actions.
A custom auditing suite runs the network activity through a special packet processing engine which aggregates the data down to a manageable size. Packets are also runs through one or more network intrusion detection (IDS) filters. The resulting data is run through a profiling engine with firewall and access control list (ACL) emulation capabilities, which collapses and superimposes discrete information onto one record. The resulting dataset is then mapped to an extensive knowledgebase of information. An analyst reviews the dataset to identify anomalous activity and refine the activity profile of the network, with the ability to retrieve and decode packets for inspection as required.
Additional data source options including importing firewall, ACL and IDS data from other information sources, such as databases and log files.