If you fall under one of the many governmental regulatory
acts that mandate information privacy protection for various industries–for
example, the Health Insurance Portability and Accountability Act (HIPAA) or the
Gramm-Leach-Bliley (GLB) Act–securing the data on your network is more than
just a best practice; it’s the law. That means you must be able to prove that
your systems are properly configured to prevent access by unauthorized persons
and you must have mechanisms in place to log when and by whom data was
accessed.

Even if your company has thus far escaped regulatory
requirements, keeping track of how securely your systems are configured and
who’s accessing sensitive data is just plain smart.

Regardless of the size of your company and the size of your
budget, there are security auditing tools that you can use to track and report
on important security information on an on-going basis.

Security auditing tools for small businesses and tight budgets

When we talk about security auditing, we’re really talking
about two different aspects:

  • Auditing user access to information
  • Auditing system configurations

When your organization is small, you may not have a lot of
extra room in the budget for auditing tools. The good news is that there are a
number of free or low cost software utilities that can help your small business
implement both types of auditing.

Auditing user access with Windows auditing feature

If you’re using Windows 2000, XP and/or Server 2003
computers, either in a peer-to-peer network or a domain, you can use the
built-in auditing function to set audit policies to log security-related events
to the Security log in the Windows Event Viewer. There is no extra cost and no
software to install. You can choose to log any or all of the following:

  • Logon attempts and events (successful and failed)
  • Account management
  • Directory service access
  • Object access
  • Policy changes
  • Privilege use
  • Process tracking
  • System events

Auditing is disabled by default in Windows 2000, but it can be
turned on easily through the Local Security Policy snap-in. An extra step is
necessary to set up auditing of access on a particular object (file, folder,
printer). In Windows Server 2003, auditing of account logon and logon events
is enabled by default, but object access auditing is not. You can define audit
policies for a local computer, domain controller, domain or OU.

For instructions on enabling security auditing on Windows
Server 2003, see http://technet2.microsoft.com/WindowsServer/en/Library/74783f7a-49bc-4f16-b920-34081b890a3d1033.mspx?mfr=true

It’s important to plan carefully when enabling auditing of
object access, as this can result in a very large security log that takes up a
lot of disk space and is difficult to sort through. You can also use the
Security Configuration Wizard in Server 2003 Service Pack 1 to help you
configure auditing.
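As an added example (not code from the article or from Microsoft), the script below summarises a Security log that has been saved from Event Viewer in CSV form, answering the two questions the section raises: which accounts are racking up failed logons, and how much of the log object access auditing is generating. The sample rows, the simplified descriptions and the failure threshold are constructed for illustration; the event IDs are the Windows 2000/XP/2003 ones (528 logon success, 529 logon failure, 560 object open).

```python
import csv
import re
from collections import Counter

# Constructed sample in the shape of a Security log saved as CSV from Event
# Viewer (simplified descriptions, not a real capture). Windows 2000/XP/2003
# event IDs: 528 logon success, 529 logon failure, 560 object open.
SAMPLE_CSV = r"""Type,Date,Time,Source,Category,Event,User,Computer,Description
Failure Audit,2005-06-01,08:01:10,Security,Logon/Logoff,529,NT AUTHORITY\SYSTEM,SRV1,Logon Failure: Reason: Unknown user name or bad password User Name: bob Domain: CORP
Failure Audit,2005-06-01,08:01:14,Security,Logon/Logoff,529,NT AUTHORITY\SYSTEM,SRV1,Logon Failure: Reason: Unknown user name or bad password User Name: bob Domain: CORP
Failure Audit,2005-06-01,08:01:20,Security,Logon/Logoff,529,NT AUTHORITY\SYSTEM,SRV1,Logon Failure: Reason: Unknown user name or bad password User Name: bob Domain: CORP
Success Audit,2005-06-01,08:02:00,Security,Logon/Logoff,528,CORP\alice,SRV1,Successful Logon: User Name: alice Domain: CORP Logon Type: 2
Success Audit,2005-06-01,08:05:31,Security,Object Access,560,CORP\alice,SRV1,Object Open: Object Name: D:\Finance\payroll.xls Accesses: ReadData
Success Audit,2005-06-01,08:05:32,Security,Object Access,560,CORP\alice,SRV1,Object Open: Object Name: D:\Finance\payroll.xls Accesses: ReadData
Success Audit,2005-06-01,08:05:40,Security,Object Access,560,CORP\alice,SRV1,Object Open: Object Name: D:\Finance\payroll.xls Accesses: ReadData
"""
LOGON_FAILURE, OBJECT_OPEN = "529", "560"

def parse_events(text):
    # One dict per row, keyed by the CSV header line.
    return list(csv.DictReader(text.splitlines()))

def failed_logons_by_account(events):
    # 529 rows: the failing account only appears in the description text.
    counts = Counter()
    for ev in events:
        if ev["Event"] == LOGON_FAILURE:
            m = re.search(r"User Name:\s*(\S+)", ev["Description"])
            counts[m.group(1) if m else "<unknown>"] += 1
    return counts

def object_access_by_user_object(events):
    # 560 rows per (account, object): one file read can emit several
    # handle-open events, which is what makes object-access logs balloon.
    counts = Counter()
    for ev in events:
        if ev["Event"] == OBJECT_OPEN:
            m = re.search(r"Object Name:\s*(\S+)", ev["Description"])
            counts[(ev["User"], m.group(1) if m else "<unknown>")] += 1
    return counts

def audit_summary(text, failure_threshold=3):
    # Accounts at/over the failed-logon threshold (a constructed value), plus
    # how much of the log object-access auditing produced.
    events = parse_events(text)
    failed = failed_logons_by_account(events)
    flagged = sorted(a for a, n in failed.items() if n >= failure_threshold)
    obj_count = sum(object_access_by_user_object(events).values())
    return {"total_events": len(events), "object_access_events": obj_count,
            "accounts_over_threshold": flagged}
```

On a real export, check the object-access share first: if a handful of files account for most of the log, the object audit entries (SACLs) are too broad and should be narrowed before the log fills up.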

Auditing system settings with configuration scanners

To audit system configurations and determine if your
computers and network devices are securely configured, you can use one of many
popular vulnerability scanners. Again, Microsoft provides a free tool that can
be used by small businesses on a budget: the Microsoft
Baseline Security Analyzer
(MBSA).

The MBSA v.2 scans and analyzes the configurations of
Windows 2000 SP3 and later operating systems, Office XP and later, Exchange
2000 and later, and SQL Server 2000 SP4 and later. The tool can detect common
misconfigurations and determine whether your machines have the current service
packs and security updates applied.

The MBSA only works for Microsoft products. If you have
other operating systems on your network, there are numerous free and low cost
vulnerability scanners that support UNIX/Linux. An example is Nessus, an open
source vulnerability scanner available from http://nessus.org/

Sophisticated security auditing for the enterprise

As your organization grows, your auditing demands may become
more sophisticated. This is especially true if you’re in a regulated industry.
Then it’s time to turn to commercial enterprise-level solutions for auditing both
access and configuration.

Access auditing for the enterprise

Access auditing products for the enterprise include:

Enterprise-level vulnerability scanners

Configuration/vulnerability scanners designed for large
organizations provide for centralized scanning of large numbers of systems with
centralized reporting. They don’t come cheap, but they can make auditing of
your network assets much easier. Some examples include:

  • Sunbelt Network Security Inspector (SNSI) from Sunbelt Software, which
    supports a wide variety of Windows and UNIX/Linux operating systems as
    well as Macintosh OS X, HP printers and Cisco network devices.
    Per-administrator licensing makes it cost effective in large environments.
  • LANguard Network Security Scanner (NSS) from GFI gives you per-IP address
    information about all the machines on your network, as well as wireless
    access points and USB devices. The ReportPack add-on lets you create
    graphical reports geared toward both IT and management uses.

Planning a security auditing solution that will grow with your organization

The key to developing a security auditing solution that will
grow as your organization does is to plan ahead. Assess your auditing needs
based on regulatory status, nature of business, sensitivity of data, network
infrastructure, and threat levels and exposure.

Auditing can be deployed in a layered construction,
beginning with auditing of a few local machines and transitioning to
domain-wide auditing or centralized auditing via third party products by adding
layers (and removing layers at the other end if/when they are no longer
needed).

A good audit plan takes into consideration what needs to be
audited, who needs to be audited, when auditing is needed, where auditing is
needed, and how the audit information is to be formatted and used.