IT Auditing and Controls – Internet and Web Technology

June 3, 2011 by Kenneth Magee


Internet and Web Technology

This article is going to attempt to tread the fine line between IT Auditing and Penetration Testing.  Remember as an IT Auditor, it is your job to ask the client to tell you what they are doing, then to ask them to show you that they are in fact doing what they said they were going to do, and then to follow that with testing to ensure that what they did was effective and efficient.

As a sample network architecture for Web-based applications, we might find the following:

What we see here is that the organization has placed a border router or edge router on the periphery of their network.  The next device that we see is a firewall which is configured to allow web traffic to only go to the web server in the DMZ.  The web server in the DMZ then communicates with the data server in the internal network, retrieves the requested information and then sends it back to the user on the internet.  While you may ask about the other two servers in the DMZ, which might be an Exchange server or a DNS server, this article will only look at the Web Server sitting in the DMZ.

So let’s examine (read that as audit) this diagram from an IT auditor’s perspective.  A typical conversation between the IT auditor (John) and the client (Jane) could go something like this:

John:  “How did you architect your web application environment to protect your systems and data with respect to confidentiality, integrity, and availability?”

Jane: “We placed a border router at the edge of our network to filter traffic, blocking unwanted inbound traffic and stopping unauthorized outbound traffic.”

Jane: “We then placed a firewall immediately behind the border router and only allow inbound web traffic on ports 80 and 443, and only to the destination IP address of the web server sitting in the DMZ.  We also use NAT to prevent an outsider from knowing the real IP addresses of the internal network.  The web server is only allowed to communicate with the database server, and this communication goes through another set of ACEs (Access Control Entries) in the firewall configuration.  The database server returns the information only to the IP address of the web server.”

John: “Show me the configuration files of the border router and the firewall.”

John: “How do you know that the configuration files are blocking and routing traffic according to the ACEs in the configuration file?”

Jane: “We are using a third party tool called WireShark and sending packets designed to test the ACEs to ensure they are working as designed.”

John: “Show me the WireShark reports.”

If you follow the logic of the audit questions, you will notice that John keeps asking until he has gathered sufficient evidence to state that, in his opinion, the border router and firewall configurations perform as designed and meet industry best practices for firewall configuration design.  John might go on to state that he is using NIST SP 800-41, Guidelines on Firewalls and Firewall Policy, as his source of reference for industry best practices.
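The “tell me, show me, then test it” loop above can be applied to the ACEs Jane describes.  The following is an added example, not code from the article, that models her rule set and the border router’s anti-spoofing filter in Python and runs an audit packet set against it, including the two bypass risks listed later (direct access to the database server and a spoofed internal source address).  The addresses, the “dmz”/“outside” interface names and the database port are constructed assumptions, since the article gives none.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
# Constructed addressing for the article's diagram (the article gives no real IPs).
DMZ_NET, INTERNAL_NET = ip_network("203.0.113.0/24"), ip_network("10.0.0.0/8")
WEB_SERVER, DB_SERVER = ip_network("203.0.113.10/32"), ip_network("10.0.5.20/32")
ANY, DB_PORT = ip_network("0.0.0.0/0"), 1433   # DB_PORT is an assumed listener port
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    ingress: str = "outside"   # "outside" = arrived on the internet-facing interface
# Firewall ACEs as Jane describes them: first match wins, implicit deny at the end.
ACES = [
    ("inbound-web", ANY, WEB_SERVER, {80, 443}, "permit"),
    ("web-to-db", WEB_SERVER, DB_SERVER, {DB_PORT}, "permit"),
]

def border_router(pkt):
    """Anti-spoofing: a packet from outside may not claim a DMZ or internal source address."""
    src = ip_address(pkt.src)
    return not (pkt.ingress == "outside" and (src in DMZ_NET or src in INTERNAL_NET))

def firewall(pkt):
    """Evaluate the ACE list; returns (action, name of the matching entry)."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    for name, src_net, dst_net, ports, action in ACES:
        if src in src_net and dst in dst_net and pkt.dport in ports:
            return action, name
    return "deny", "implicit-deny"

def decide(pkt):
    """Border router first, then firewall, as in the diagram."""
    if not border_router(pkt):
        return "deny:router-antispoof"
    action, ace = firewall(pkt)
    return f"{action}:{ace}"
# Audit packet set: the result Jane's description implies for each packet.
EXPECTED = {
    Packet("198.51.100.7", "203.0.113.10", 443): "permit:inbound-web",
    Packet("198.51.100.7", "203.0.113.10", 22): "deny:implicit-deny",     # admin port from the internet
    Packet("198.51.100.7", "10.0.5.20", DB_PORT): "deny:implicit-deny",   # straight to the database
    Packet("203.0.113.10", "10.0.5.20", DB_PORT, "dmz"): "permit:web-to-db",
    Packet("203.0.113.10", "10.0.5.20", DB_PORT): "deny:router-antispoof",  # spoofed DMZ source
}

def audit():
    """One finding per packet whose result differs from the stated design; [] means it holds."""
    return [f"{p}: expected {e}, got {g}" for p, e in EXPECTED.items() if (g := decide(p)) != e]
```

Note that `firewall()` alone permits the spoofed packet; it is the router’s anti-spoofing filter that stops it, which is why the auditor asks to see both devices’ configurations.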

Just from the conversation above you will have already identified several risks, but let me point out just a few:

  • Incorrect router/firewall configurations (not according to organization specifications)
  • Inadequate configurations (do not work as designed)
  • Ability for remote users to bypass the border router and firewall and get direct access to the database server (e.g. via a modem installed for support)
  • Ability to spoof the internal IP Address and bypass the web server
  • Internal users who have malicious intent and by being internal do not go through the firewall and/or border router
  • System administrators having unlimited direct access to the database
  • Developers not being adequately trained in secure coding techniques for web application development

Some of the more obscure insider abuses could be things such as:

  • Collusion between an insider and an outsider (to wit, I (outsider) place an order for 3 new 53” color TVs, and my partner (insider) goes in and adjusts the item price from several thousand dollars to $0.33 each.  When the order is invoiced I pay $0.99 for 3 new 53” color TVs.)
  • Unauthorized access by insider (maybe I change the delivery location to be my apartment, instead of the real customer’s location)
  • Unauthorized customer record access (an insider can change the designation from customer to employee, thereby entitling the order to receive the 25% employee discount).
  • Uncontrolled changes – enough said

I talked a little about network perimeter security above, mentioning border/edge routers, firewalls and NAT (Network Address Translation).  With all of these, you as an IT Auditor need to remember that your basic function in life is to ask the client to tell you what they are doing, then ask them to show you they are doing what they said they were going to do, and then to test whether it is effective and efficient.  Once you’ve got all that information, it is also your job to advise management of the risks involved with a particular design.

For example, if you look at a network design and you see no border router and no firewall, with the web server connected directly to the internet, it is your job to advise management of the risks associated with that design.  It is NOT your job to re-design the network.  Management, in their infinite wisdom, may choose to accept your advice, or they may choose to disregard it, but that’s a whole other discussion.

I’ve covered some of the risks and I want to mention just a couple of safeguards.  First, as an IT auditor you should be able to look at a network design and determine whether or not the architecture is effective at protecting the confidentiality, integrity and availability of the systems and data.  You should also be prepared to demonstrate to management why the design is flawed.  So go download a couple of the open source tools, take the Web App Pen Testing course and do some reading, so that you are familiar with design flaws and can demonstrate them if asked.  Second, as an IT Auditor you should be able to look at a developer’s skill set, training, and coding examples to determine if they are proficient in secure coding.  If you say they are inadequately trained, you should be able to substantiate that statement with examples from their code or by the demonstrated lack of training.  Again, here’s where the Web App Pen Testing course will come in handy for you.

For audit strategies for Internet and Web applications, you will want to look for layered defense, or defense in depth: routers, followed by firewalls, followed by a DMZ, followed by NAT, accompanied by NIDS and NIPS (Network Intrusion Detection System, Network Intrusion Prevention System), an application firewall in front of the database server and maybe even HIDS and HIPS (host-based intrusion detection and prevention).  And that’s just the network defense.  We’ll cover software and hardware layered defense in a later article.  And we’ve just briefly talked about people defense, that is, training, training, training…

Earlier I introduced you to one of my favorite tools – WireShark.   When you have some spare time take a look at it, and maybe you’ll even want to pick up your WCNA certification.  If not, at least download a copy of WireShark and get your company to buy you a copy of the WireShark Network Analysis book.  It’s well worth the $90 cost.

Until next time, happy reading.


P.S. You can find other articles related to IT Auditing and Controls here.


Ken is President and owner of Data Security Consultation and Training, LLC. He has taught cybersecurity at the JAG school at the University of Virginia, KPMG Advisory University, Microsoft and several major federal financial institutions and government agencies. As CISO for the Virginia Community College System, Ken’s focus was the standardization of security around the ISO 27000 series framework. Writing is one of his passions and he has authored and/or co-authored several courses, including CISSP, CISA, CISM, CGEIT, CRISC, DoD Cloud Computing SRG and a course for training Security Control Assessors using NIST SP 800-53A. Ken has also achieved a number of certifications, including CISSP, SSCP, CCSP, CAP, ISSMP, ISSAP, ISSEP, CISM, CISA, CAC, CEH, ISO9000LA, ISO14001LA, ISO27001PA, Security+, CySA+, CASP, CTT+, CPT, GSEC, GSNA, GWAPT, CIA, CGAP, CFE, MCP, MCSA, MCSE and MCT.