1
00:00:00,540 --> 00:00:08,550
Now, a computer security audit is a manual or systematic, measurable technical assessment of a system

2
00:00:08,550 --> 00:00:09,660
or application.

3
00:00:11,270 --> 00:00:18,500
Security audit assessments include performing security vulnerability scans for best practices.

4
00:00:20,110 --> 00:00:25,210
Interviewing staff to understand the level of information security awareness.

5
00:00:26,500 --> 00:00:34,750
Reviewing the access controls of the applications and operating systems and analyzing the physical access

6
00:00:34,750 --> 00:00:35,860
to those systems.

7
00:00:37,480 --> 00:00:44,470
An important point to take into consideration is, in order to be able to get the most accurate results,

8
00:00:44,770 --> 00:00:49,120
we should perform the security audits with admin privileges.

9
00:00:51,280 --> 00:00:58,480
Now, perhaps a major question is, where can we find the best practices to perform security audits?

10
00:00:59,560 --> 00:01:00,340
Good question.

11
00:01:01,270 --> 00:01:08,950
Thankfully, there are some organizations and consortiums which regularly publish and update the security

12
00:01:08,950 --> 00:01:11,260
audit checklists of IT systems.

13
00:01:12,200 --> 00:01:17,300
And these are the most popular organizations to collect checklists from.

14
00:01:19,070 --> 00:01:25,100
The Center for Internet Security is a non-profit organization formed in October of 2000.

15
00:01:25,880 --> 00:01:33,950
Its mission is to, quote, "identify, develop, validate, promote and sustain best practice solutions

16
00:01:33,950 --> 00:01:41,810
for cyber defense and build and lead communities to enable an environment of trust in cyberspace."

17
00:01:41,960 --> 00:01:42,590
End quote.

18
00:01:43,940 --> 00:01:50,690
Now they call checklists benchmarks, but benchmarks are not the only thing that they're known for.

19
00:01:51,260 --> 00:01:53,840
In fact, if you are administering IT systems,
20
00:01:54,930 --> 00:02:00,480
cisecurity.org should be one of your home pages.

21
00:02:00,930 --> 00:02:02,640
Bookmark it right now.

22
00:02:03,330 --> 00:02:03,960
I'll wait for you.

23
00:02:06,010 --> 00:02:13,120
And NIST, the National Institute of Standards and Technology, is a physical sciences laboratory,

24
00:02:13,420 --> 00:02:18,070
as well as a non-regulatory agency of the United States Department of Commerce.

25
00:02:19,010 --> 00:02:23,540
Its mission is to promote innovation and industrial competitiveness.

26
00:02:23,960 --> 00:02:31,040
If you visit their website shown in the slide here, you'll find the National Checklist Program repository

27
00:02:31,040 --> 00:02:34,940
of their National Vulnerability Database program.

28
00:02:35,450 --> 00:02:37,880
They have a wide range of up-to-date checklists.

29
00:02:39,770 --> 00:02:42,560
To help system admins automate the audit,

30
00:02:43,340 --> 00:02:47,490
a couple of checklist formats have been created by these organizations.

31
00:02:48,600 --> 00:02:54,270
If you can create your own programs or scripts according to these standards, you'll be able to use

32
00:02:54,270 --> 00:02:57,630
a massive number of checklists to audit your systems.

33
00:02:58,670 --> 00:03:03,290
I'll let you know what some of the best known checklist standards are.

34
00:03:04,620 --> 00:03:15,300
XCCDF. The XCCDF acronym stands for Extensible Configuration Checklist Description Format.

35
00:03:16,500 --> 00:03:17,130
Mm hmm.

36
00:03:18,720 --> 00:03:25,410
However, as the name suggests, the language is used to describe the security checklists. The language is

37
00:03:25,410 --> 00:03:32,520
designed to support information interchange, document generation, organizational and situational tailoring,

38
00:03:33,090 --> 00:03:36,900
automated compliance testing and compliance scoring.
39
00:03:38,630 --> 00:03:44,870
OVAL. The OVAL acronym stands for Open Vulnerability and Assessment Language.

40
00:03:45,940 --> 00:03:52,270
OVAL is a declarative language for making logical assertions about the state of a system.

41
00:03:53,370 --> 00:03:57,540
It's a main component of the SCAP standard.

42
00:03:58,080 --> 00:04:03,300
It's used to describe security vulnerabilities or desired configuration of systems.

43
00:04:04,260 --> 00:04:12,270
OVAL definitions define the secure state of some of the objects in a computer, for example, configuration

44
00:04:12,270 --> 00:04:20,790
files, file permissions, processes. OVAL definitions are evaluated using an interpreter called a scanner.

45
00:04:22,610 --> 00:04:28,760
You can, of course, create your own tool to automate your audits or use the tools created before. CIS

46
00:04:28,790 --> 00:04:29,900
Security has a tool.

47
00:04:30,500 --> 00:04:32,000
It's called CIS-CAT,

48
00:04:33,160 --> 00:04:40,420
CIS Configuration Assessment Tool, which automates benchmarking of a number of operating systems.