Security audit


Why a security audit?

Information technology (IT) security refers to the protection measures designed to maintain the confidentiality, integrity and availability, as well as the intended use and value, of information that is stored, processed or transmitted electronically. It also includes the protective measures applied to the assets used to collect, process, store or destroy information electronically.

The audit can be performed for different purposes:

  • To react to an attack;
  • To get a good idea of the current level of security;
  • To test the effective implementation of the security policy;
  • To test new equipment;
  • To evaluate how the security evolves over time (this involves a periodic audit).

In any case, its purpose is to verify the security. In the security cycle, verification takes place after an action has been carried out. For instance, when setting up a new component, it is highly recommended to test its security after integrating the component into a test environment and before putting it into production. The result is the audit report. It contains the exhaustive list of vulnerabilities found on the analyzed system, together with a list of recommendations for removing them.

In order to obtain the most exhaustive list of vulnerabilities in a system, several practices exist and are traditionally applied. The best-known practice is to perform an intrusion test.


Intrusion test: the two main categories are external and internal tests.

An external test means that the person performing the test works under the conditions of a real intruder: the test is performed from outside, and the auditor has minimal prior information about the information system. This type of test starts by identifying the target:

  • Gathering public information: web pages, information on employees, companies having a relationship of trust with the target;
  • Identifying points of presence on the Internet;
  • Network monitoring.

The internal test is performed from inside the company. It starts with a vulnerability scan using various technical tests, such as searching for open ports, identifying application versions, etc.

The last phase is the exploitation of vulnerabilities. It consists of determining how the system could be compromised using the vulnerabilities discovered. Depending on the means that would be required, the client may decide that the risk associated with an identified vulnerability is negligible (low probability of exploitation) or, on the contrary, that it must be taken into account. To prove that exploitation is feasible, auditors write programs that exploit the vulnerability, called exploits. These simulate an attack that could be carried out by a malicious group or individual. Several computer-based, social engineering and even physical intrusion techniques can be used in this type of test.