LAN (Local Area Network) AUDIT PROGRAM

SUBMITTED BY: David Coderre (al260@FreeNet.Carleton.CA)

EUC LAN CONTROLS
RISK: INTERCEPTION OF TRANSFERRED DATA
AUDIT CRITERIA: THERE SHOULD BE CONTROLS TO PREVENT THE INTERCEPTION OF TRANSFERRED SENSITIVE DATA

- Is the physical layout & LAN cabling secure?
- Is there authentication of data messages (under NOS control)?
- Does the LAN use hardware identifiers (network interface card)?
- Are there special and/or monitoring procedures for sensitive upload/download operations?
- Is there restricted use of modems & dial-up lines? (Identify where and who has control.)
- Are there access controls at both ends (source & destination) of data transfers?
- Is there adequate physical security over the location of communications servers, bridges and gateways?
- Is encryption used when sensitive data is transmitted across communications lines?
- Are sensitive applications & data isolated on stand-alone PCs or specific LAN workstations?

EUC LAN CONTROLS
RISK: UNAUTHORIZED ACCESS TO SERVER DATA
AUDIT CRITERIA: THERE SHOULD BE CONTROLS TO PREVENT UNAUTHORIZED ACCESS TO THE FILE SERVER

- Are the file server(s) physically secured?
- Do the NOS security features prevent and detect unauthorized access attempts to the file server (user-id & password)?
- Are there policies & standards regarding use, protection & changing of passwords, and are they being followed?
- Is access restricted by time-of-day (e.g. non-business hours)?
- Are workstations automatically disconnected after sustained inactivity?
- Is there adequate training for LAN administrator(s)?
- Are there policies regarding access to multiple LANs?
- If dial-up is available:
  - Is the dial-up number confidential?
  - Is dial-back used?
  - Is there monitoring of dial-up activities?
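The time-of-day, inactivity-disconnect and dial-back items above are the kind of controls an auditor verifies from sign-on records. The following is an added example (not part of the original audit program) that evaluates a constructed sign-on log against those three controls. Business hours, the idle threshold, the log format, the user names and the call-back registry are all assumptions made for illustration.

```python
"""Audit checks for after-hours, idle and dial-up LAN sessions.

Added example (not from the original audit program). Reads a constructed
sign-on log and flags sessions that violate three checklist controls:
  * time-of-day restriction: sign-ons outside business hours or at weekends,
  * automatic disconnect: sessions left open longer than IDLE_LIMIT after
    the last activity,
  * dial-back: a dial-up session is only acceptable if the server called
    back a number registered for that user.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

BUSINESS_START = 8                  # assumed: 08:00
BUSINESS_END = 18                   # assumed: 18:00 (exclusive)
IDLE_LIMIT = timedelta(minutes=15)  # assumed inactivity threshold

# Assumed dial-back registry: user -> number the server must call back.
CALLBACK_REGISTRY = {"alice": "555-0101", "bob": "555-0102"}

# Constructed log. Fields: user,login,last_activity,logout,dialup(Y/N),callback
SAMPLE_LOG = """\
alice,1995-03-14T09:05,1995-03-14T11:50,1995-03-14T11:52,N,
bob,1995-03-14T22:30,1995-03-14T22:45,1995-03-14T23:40,Y,555-0102
carol,1995-03-15T10:00,1995-03-15T10:20,1995-03-15T10:21,Y,555-0199
"""


@dataclass
class Session:
    user: str
    login: datetime
    last_activity: datetime
    logout: datetime
    via_dialup: bool
    callback_number: Optional[str]  # number the server dialed back, if any


def parse_log(text: str) -> List[Session]:
    """Parse the constructed comma-separated log format into Session records."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, login, last, logout, dialup, callback = line.split(",")
        sessions.append(Session(
            user=user,
            login=datetime.fromisoformat(login),
            last_activity=datetime.fromisoformat(last),
            logout=datetime.fromisoformat(logout),
            via_dialup=(dialup == "Y"),
            callback_number=callback or None,
        ))
    return sessions


def outside_business_hours(t: datetime) -> bool:
    """True for weekend sign-ons or sign-ons outside BUSINESS_START..END."""
    return t.weekday() >= 5 or not (BUSINESS_START <= t.hour < BUSINESS_END)


def idle_violation(s: Session) -> bool:
    """True if the session stayed open past IDLE_LIMIT without activity."""
    return s.logout - s.last_activity > IDLE_LIMIT


def dialback_violation(s: Session) -> bool:
    """True if a dial-up session was not established via a registered call-back."""
    if not s.via_dialup:
        return False
    return s.callback_number != CALLBACK_REGISTRY.get(s.user)


def audit(sessions: List[Session]) -> List[Tuple[str, str]]:
    """Return (user, finding) pairs in log order."""
    findings = []
    for s in sessions:
        if outside_business_hours(s.login):
            findings.append((s.user, "after-hours sign-on"))
        if idle_violation(s):
            findings.append((s.user, "session not disconnected after inactivity"))
        if dialback_violation(s):
            findings.append((s.user, "dial-up without valid call-back"))
    return findings


if __name__ == "__main__":
    for user, finding in audit(parse_log(SAMPLE_LOG)):
        print(f"{user}: {finding}")
```

In the constructed log, bob signs on at 22:30 and his session sits idle for 55 minutes before logout, and carol's dial-up session was called back to a number that is not registered for her, so the audit reports three findings; alice's daytime session produces none.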
EUC LAN CONTROLS
RISK: LOSS OF SERVER DATA
AUDIT CRITERIA: THERE SHOULD BE CONTROLS TO PREVENT THE LOSS OF DATA STORED ON THE FILE SERVER

- Is file server data routinely backed up & stored in a physically secured location?
- Is there periodic testing of restart & recovery procedures?
- Is data redundancy used on the file server for important data (e.g. disk shadowing/mirroring)?
- Are there disaster recovery procedures, and have they been tested?
- Is there virus protection/detection software on the file server?
- Are there policies regarding use of unlicensed software (e.g. shareware)?
- Is access to public electronic bulletin boards restricted?

EUC LAN CONTROLS
RISK: UNAUTHORIZED ALTERATION OF SERVER DATA
AUDIT CRITERIA: THERE SHOULD BE CONTROLS TO PREVENT THE UNAUTHORIZED ALTERATION OF DATA ON THE FILE SERVER

- Are there audit trails and transaction monitoring (by user) for sensitive applications?
- Are there user access rules for applications (e.g. recording, authorization & reporting of transactions)?
- Do the NOS security features restrict certain types of transactions on the server data (read/write/delete)?
- Is access to specialized NOS utilities restricted?

EUC LAN CONTROLS
RISK: UNSUPPORTED APPLICATIONS
AUDIT CRITERIA: THERE SHOULD BE CONTROLS TO ENSURE THE CONTINUED SUPPORT OF LAN APPLICATIONS

- Are there guidelines for purchasing vs. in-house development of LAN applications?
- For in-house development:
  - Is there a formal development methodology/process?
  - Is there adequate documentation for applications?
  - Are there adequate testing procedures, administrative duties & environment?

EUC LAN CONTROLS
RISK: LOSS OF CONNECTIVITY
AUDIT CRITERIA: THERE SHOULD BE CONTROLS TO ENSURE CONNECTIVITY

- Are redundant network cabling schemes & communications resources used?
- Is the fault tolerance in critical applications adequate?
- Is there a contingency plan for loss of communications server(s), and has the plan been tested?
EUC LAN CONTROLS
RISK: LOSS OF SERVER RESOURCES
AUDIT CRITERIA: THERE SHOULD BE CONTROLS TO PROTECT AGAINST THE LOSS OF SERVER RESOURCES

- Are device protection features (e.g. UPS) used?
- Are redundant processing & data storage resources (e.g. disk duplexing, processor duplexing) used?
- Is there an adequately trained support staff/organization?
- Are there "escalation procedures" for diagnosis & trouble-shooting?
- Are there planned recovery procedures in the event of disaster, and have they been tested?
- Is there resource capacity planning & monitoring?

EUC PASSWORD CONTROL
RISK: LOSS OF PASSWORD PROTECTION
AUDIT CRITERIA: THERE SHOULD BE ADEQUATE CONTROLS OVER PASSWORDS

- Is access control software used?
- Are additional passwords required for sensitive activities?
- Are there set password standards, e.g. minimum length, number/character patterns, frequency of change?
- Are there procedures to force regular changes to passwords?
- Are passwords automatically disabled after repeated unsuccessful sign-on attempts?
- Have employees been made aware of password protection requirements?

DATA ENCRYPTION
- Process of changing original data (clear text) into an unrecognizable form (cipher text).
- Keys are used to encrypt and decrypt information.
- The method of encryption/decryption (Data Encryption Standard - DES) is publicly known; security depends on the difficulty of computation in determining the keys.
- Can affect overall performance due to the additional processing load.

DIAL-UP
- Keep phone numbers of dial-up ports confidential.
- Change phone numbers of dial-up ports regularly.
- Use automatic call-back devices.
- Prohibit vendor maintenance via remote dial-up unless scheduled with operations.
- Use time-of-day controls.
- Use automatic terminal disconnects.

LINE PENETRATION/INTERCEPTION
- Masquerading as an authorized user to gain access.
- Eavesdropping on telecommunications transmissions.
- Intercepting, modifying & retransmitting.

Hope you find this useful.

dD
Dave Coderre (dcoderre@ncs.dnd.ca)
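The password control section asks whether password standards (minimum length, character patterns, frequency of change) are set and whether accounts are disabled after repeated unsuccessful sign-ons. The following is an added example, not part of the original posting, showing how both controls can be implemented and checked against a constructed sign-on log. The specific thresholds (8 characters, three character classes, 90-day maximum age, three consecutive failures) and the log format are assumptions chosen for illustration, not values taken from the audit program.

```python
"""Password standard enforcement and sign-on lockout (added example).

Two of the audit program's password controls, with assumed parameters:
  * check_password_standard: minimum length, character-class mix, no long
    repeated-character runs, and a maximum age that forces regular changes;
  * disabled_accounts: which accounts a lockout rule would have disabled,
    evaluated over a constructed sign-on log of OK/FAIL results.
"""
import re
from datetime import date, timedelta
from typing import List, Set

MIN_LENGTH = 8                     # assumed minimum length
MIN_CLASSES = 3                    # assumed: lower, upper, digit, other
MAX_AGE = timedelta(days=90)       # assumed change frequency
LOCKOUT_THRESHOLD = 3              # assumed: disable after 3 consecutive failures

# Constructed sign-on log. Fields: '<timestamp> <user> <OK|FAIL>'
SAMPLE_LOG = [
    "1995-03-14T08:01 alice OK",
    "1995-03-14T08:02 bob FAIL",
    "1995-03-14T08:03 bob FAIL",
    "1995-03-14T08:05 bob OK",      # a success resets bob's failure streak
    "1995-03-14T17:30 bob FAIL",
    "1995-03-14T17:31 bob FAIL",
    "1995-03-14T17:32 bob FAIL",    # third consecutive failure: disabled
    "1995-03-14T17:40 bob OK",      # ignored: account already disabled
    "1995-03-14T18:00 carol FAIL",
    "1995-03-14T18:01 carol FAIL",  # only two failures: still enabled
]


def check_password_standard(password: str, last_changed: date,
                            today: date) -> List[str]:
    """Return the list of standard violations; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than minimum length")
    classes = (
        re.search(r"[a-z]", password),
        re.search(r"[A-Z]", password),
        re.search(r"\d", password),
        re.search(r"[^A-Za-z0-9]", password),
    )
    if sum(1 for c in classes if c) < MIN_CLASSES:
        problems.append("needs at least three character classes")
    if re.search(r"(.)\1\1", password):
        problems.append("contains a run of three identical characters")
    if today - last_changed > MAX_AGE:
        problems.append("older than maximum age; change required")
    return problems


def disabled_accounts(log_lines: List[str]) -> Set[str]:
    """Accounts that reach LOCKOUT_THRESHOLD consecutive failed sign-ons.

    A successful sign-on resets the user's streak; once disabled, an account
    stays disabled regardless of later attempts (re-enabling is manual).
    """
    streak = {}
    disabled = set()
    for line in log_lines:
        _timestamp, user, result = line.split()
        if user in disabled:
            continue
        if result == "FAIL":
            streak[user] = streak.get(user, 0) + 1
            if streak[user] >= LOCKOUT_THRESHOLD:
                disabled.add(user)
        else:
            streak[user] = 0
    return disabled


if __name__ == "__main__":
    today = date(1995, 3, 14)
    print(check_password_standard("Tr0ub4dor!x", date(1995, 1, 1), today))
    print(check_password_standard("aaaaaaa", date(1994, 10, 1), today))
    print(sorted(disabled_accounts(SAMPLE_LOG)))
```

Running the constructed log through disabled_accounts disables only bob: his first two failures are cleared by a successful sign-on, but the later run of three consecutive failures trips the lockout, and carol stops at two. The standards check accepts the first sample password and reports all four violations for the second (too short, a single character class, a repeated run, and an age of 164 days).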