So if I was trapped on a desert island and only had one audit tool that I could have with me to audit the island’s DHARMA systems, which would I want…
For me the answer would have to be baselines. As an auditor, ideally I want to ensure that an organization’s technology systems reflect a conscious decision on the part of the organization. In other words, I want to ensure that technology has been implemented, with a full understanding of the potential risks those systems pose, and that they have been implemented in a systematic, tested, and documented fashion. Or said another way, I don’t want to see an organization deploy systems in an ad hoc manner that exposes them to risk – I want to see controlled implementations.
A huge indicator of a controlled environment is documentation on the system being implemented. Specifically I’m looking for documented system baselines which demonstrates evidence of conscious decisions on the part of the organization to protect and secure their information.
RSA, a security division of EMC, in their Information Security Glossary defines baseline or baselining as the following:
“An effective method for identifying security attacks on a network, baselining starts by measuring normal activity on a network or network device. That measurement is used as threshold, or baseline, to detect unusual patterns or changes in levels of activity. With this method, the security expert can focus efforts on evaluating anomalies instead of looking for them by reviewing huge log files. The term is also used to refer to other security practices. A baseline, or security baseline often refers to an organizational standard for securely configuring network devices. It can also refer to the results of an organization’s first security assessment. This becomes the baseline against which the organization measures improvements and changes.”
For most auditors understanding the concept of a baseline is the easy part. The devil, it turns out, is in the details. The information auditors really want to know is what information should be baselined and then practically how do you go about performing that baseline. Of course the ultimate conclusion to this discussion would be to consider how to integrate baselines with an organization’s efforts for continuous monitoring and automation.
This year one of my goals is to help auditors by providing them resources which will enable them to more efficiently create baselines of their systems and later automate checks of those baselines. To that end I’ve decided this year I will be releasing a number of scripts to help auditors perform baselines of their systems. The scripts that I will be releasing this year will all be Microsoft PowerShell scripts, but I may throw in a few Unix Bash scripts along the way just for some diversity. So enjoy the scripts and feel free to make requests. Most importantly we want to be able to offer resources that will help you in your efforts to better secure your systems.
Wishing you a Happy New Year and a Secure 2011!