Presentation is loading. Please wait.

Presentation is loading. Please wait.

Enhancing Network Security

Published byHollie Clark Modified over 7 years ago

Similar presentations

Presentation on theme: "Enhancing Network Security"— Presentation transcript:

1 Enhancing Network Security
Ashish Jain, CPA, CIA, CISA, CA Director of Internal Audit, USNH January 26, 2017

2 Webinar Moderator Jana Clark
Don’t forget to connect with us on social media! ACUA Distance Learning Director Jana Clark Senior Internal Auditor Kansas State University

3 Today’s Presenter Ashish Jain, MSA, CPA, CIA, CISA, ACDA
Director of Internal Audit, University System of New Hampshire

4 University System of New Hampshire
34,000 enrolled students 4 institutions - 15 locations Largest provider of postsecondary education in NH Produces 61% of STEM graduates in state Lowest student loan default rate in US Degree completion 78% - US average is 63%

5 Poll # 1 Average number of IT audits performed by your IA department during a year. None 1 to 5 6 to 10 11 or more

6 Why Audit Network Security?
Higher education culture Cybersecurity Often overlooked in internal audit plan Complexity Wide scope Internet of Things (IoT)

7 Common design gaps and issues Resources Key areas to cover
Agenda Key risks Common design gaps and issues Resources Key areas to cover Common issues and hurdles

8 What is Network Security?
“Network Security is the process of taking physical and software preventative measures to protect the underlying networking infrastructure from unauthorized access, misuse, malfunction, modification, destruction, or improper disclosure, thereby creating a secure platform for computers, users and programs to perform their permitted critical functions within a secure environment.” Source:

9 Where to Start? Network diagram Inventory of network devices
Results of recent penetration testing Organization chart Network security policies, procedures, and standards

10 Key risks Risk Assessment Physical security Configurations
Change management Access Risk analysis and monitoring Attack vectors

11 Audit Approach Select network devices based on
Sensitivity of data Location Type of device Ask for configuration files (for selected devices)

12 Audit Approach Develop knowledge on selected device
NIST or vendor recommendations Federal Information Processing Standard (FIPS) mode Configuration guide Policies and procedures PCI-DSS

13 Poll # 2 Has your internal audit department audited network security at your institution? Yes No Hired a consultant to do it Not sure

14 Audit Focus Areas

15 1. Usernames Look for Generic IDs Access justification Privilege level Password encryption

16 2. Password Encryption Test: Encryption settings are enabled
Proper algorithm used

17 3. Password Policy Test Password parameter are configured in accordance with policy

18 4. Key Management Shared keys are used for authentication between two network resources Test: Unencrypted keys/passwords in configuration files Settings – key length, encryption Change protocols of keys Who knows and maintains these?

19 5. Clock Settings Appropriate settings are needed for forensics Test:
Current time is accurate Daylight time settings

20 6. Patch Level Test: Compare OS patch level against recommended by vendor Understand upgrade procedures if significant security vulnerability is identified

21 7. Remote Login Protocols
Inquire on existing practices and see policies & standards Test Is activity logged? Best Practices Dedicated management interface Two-factor authentication Dedicated VPN Procedures to confirm the integrity of device configurations

22 Poll # 3 Do your organization have a formal information security architecture? a) Yes b) No c) Unsure

23 8. Available Services Test: Which services are really needed
Who ensures these services are appropriate Look for common exploited services, e.g., telnet Benchmark against organization’s policy on allowed services Common Finding No standards and periodic review of key configurations

24 9. ICMP Used to gather information about a network device Test
ICMP should be limited to hosts with a business need

25 10. Simple Network Management Protocol (SNMP)
Test: Default community names Version used – (version 3 is currently recommended) Authentication Encryption used Common audit finding – version 1 or 2c is active while version 3 is mainly used

26 Other Areas Enable logging and log review Anti spoofing settings
Authentication, authorization, and accounting (AAA) Login banners IP fragmentation Access Control Lists (ACL) Session time outs

27 Common Issues Default settings
Lack of network security policies, procedures, and standards Generic IDs or shared accounts Lack of network device inventory Segregation of duties between maintenance and security authorization

28 Poll # 4 Is a network security audit on your audit plan in the next year? a) Yes b) No c) Unsure

29 Summary Security standards Periodic review of key configurations
Segregation between security and maintenance Physical security Key management Remote access

30 Questions?

31 Contact Information Ashish Jain, MSA, CPA, CIA, CISA, ACDA Director of Internal Audit, University System of New Hampshire

32 Upcoming ACUA Events How Internal Audit & Billing Compliance/Privacy Functions Can Build a Synergistic Working Relationship February 16, 2017 Title IX Auditing (encore performance March 8, 2017 Intersection of ERM, Compliance, and Internal Audit March 21, 2017 2017 ACUA Midyear Conference – Austin, TX March 26-29, 2017 Using Interns in the Audit Shop April 19, 2017

Download ppt "Enhancing Network Security"

Similar presentations

Darton College Information Systems Use Policies. Introduction Dartons Information Systems are critical resources. The Information Systems Use Policies.

Darton College Information Systems Use Policies. Introduction Dartons Information Systems are critical resources. The Information Systems Use Policies.
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
Security Controls – What Works

Security Controls – What Works
ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.

ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.
Network security policy: best practices

Network security policy: best practices
Privilege Levels Cisco IOS provides for 16 different privilege levels ranging from 0 to 15. Cisco IOS comes with 2 predefined user levels. User mode.

Privilege Levels Cisco IOS provides for 16 different privilege levels ranging from 0 to 15. Cisco IOS comes with 2 predefined user levels. User mode.
Website Hardening HUIT IT Security | Sep 30 2011.

Website Hardening HUIT IT Security | Sep
Router Hardening Nancy Grover, CISSP ISC2/ISSA Security Conference November 2004.

Router Hardening Nancy Grover, CISSP ISC2/ISSA Security Conference November 2004.
Directory and File Transfer Services Chapter 7. Learning Objectives Explain benefits offered by centralized enterprise directory services such as LDAP.

Directory and File Transfer Services Chapter 7. Learning Objectives Explain benefits offered by centralized enterprise directory services such as LDAP.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.
NUAGA May 22, 2014.  IT Specialist, Utah Department of Technology Services (DTS)  Assigned to Department of Alcoholic Beverage Control  PCI Professional.

NUAGA May 22,  IT Specialist, Utah Department of Technology Services (DTS)  Assigned to Department of Alcoholic Beverage Control  PCI Professional.
MnSCU Audit Reports Presentation to the MnSCU Audit Committee Office of the Legislative Auditor September 21, 2004.

MnSCU Audit Reports Presentation to the MnSCU Audit Committee Office of the Legislative Auditor September 21, 2004.
HIPAA COMPLIANCE WITH DELL

HIPAA COMPLIANCE WITH DELL
7-Oct-15 System Auditing. AUDITING Auditing is a systematic process of objectively obtaining and evaluating evidence regarding assertions about economic.

7-Oct-15 System Auditing. AUDITING Auditing is a systematic process of objectively obtaining and evaluating evidence regarding assertions about economic.
Sample Security Model. Security Model Secure: Identity management & Authentication Filtering and Stateful Inspection Encryption and VPN’s Monitor: Intrusion.

Sample Security Model. Security Model Secure: Identity management & Authentication Filtering and Stateful Inspection Encryption and VPN’s Monitor: Intrusion.
Computer Security and Penetration Testing Chapter 16 Windows Vulnerabilities.

Computer Security and Penetration Testing Chapter 16 Windows Vulnerabilities.
Auditing Information Systems (AIS)

Auditing Information Systems (AIS)
Lesson 9-Information Security Best Practices. Overview Understanding administrative security. Security project plans. Understanding technical security.

Lesson 9-Information Security Best Practices. Overview Understanding administrative security. Security project plans. Understanding technical security.
Ali Pabrai, CISSP, CSCS ecfirst, chairman & ceo Preparing for a HIPAA Security Audit.

Ali Pabrai, CISSP, CSCS ecfirst, chairman & ceo Preparing for a HIPAA Security Audit.
Data Security Assessment and Prevention AD660 – Databases, Security, and Web Technologies Marcus Goncalves Spring 2013.

Data Security Assessment and Prevention AD660 – Databases, Security, and Web Technologies Marcus Goncalves Spring 2013.

Similar presentations

Ads by Google