Acknowledgement

Foremost I would like say thanks to god for all support in all my life and secondly University of Greenwich to give this my life aim to complete my masters. Next my supervisor Professor Kevin Parrott to the supports he gave because without his support I wouldn't be able to complete my project with this quality. Especially the suggestions and appreciation given my supervisor make me feel better and gave positive thinking. Finally need to thank my family and friends for unbelievable supports and encouragements.

Abstract

As we are in the information era the world is changing to use electronic means for day to day use. The paper documents is gone and most of them are paper free because of so many reasons such as pollution, easy, fast, etc... At the same time this digital media has availability, scalability, confidentiality and integrity which are required behaviour for secure communication. The risk is increased with the increase of computer and digital means usage and the single security lack may cause huge losses.

There are some surveys says most of the crimes are happening through electronic means and the target is computer or computer peripherals. If the attacker found a single security lack that is enough to start and break the whole system and the security lack could be configuration mistake, firewall issue and basically problems in the protection mechanism. Because of these reasons testing become very important and this process called as Auditing.

There are so many types in the auditing and this auditing requires technical knowledge to make these tests perfect and to give an audit report including suggestions. The auditing falls into two main categories such as Automatic and manual. The test will be efficient if it is automated using testing tools which are called as automated or computerised test. Even though there are some tests cannot be automated and need to test manually.

This auditing covers network security test, physical or environment security test, computer security test which includes software and hardware tests. The computerised test will carry on with some security tools and the manual will use questioner to minimise human made errors mainly forgetting.

        Security audit is the technical assessment of the application or system. The assessment may be manual or systematic or both. In most case the auditing process uses manual and systematic/ automatic methods because there are some tests cannot be automatic such as review of the security policy, asset management, etc...

        This auditing has different types such as internal or external. This type is depends on the company size and the resource availability. Usually big companies have their own security auditor so they will perform the audit internally and the small and medium size companies mostly hire auditor form outside. Both types got pros and cons in security and financial manor.

Chapter 1

Introduction

This chapter largely contains non-technical information to give the understanding of high level objectives. Also describe the techniques and technologies used in the project and research to accomplish the project Objective

Audit

The audit is a systematic or manual security assessment of the network, infrastructure, system, etc... The complete audit should be the combination of manual and automatic assessment because in every test target there will be some test cannot be automatic. The audit has so many categories and the following paragraph will explain about the categories and the functions or techniques behind that. There are 3 controls in the auditing process which are

Preventive control

The preventive controls are controls may in the form of software or hardware or ant configuration to prevent the error or vulnerabilities. This is an active type control always monitor the interface for any vulnerabilities and block such vulnerabilities or errors before it enter into the system or infrastructure. This is most effective control mechanism because not allows the vulnerabilities.

Detective control

The detectives are in placed to monitor the vulnerabilities in the form of software or hardware but the different between preventive and detective is the preventive won't allow the vulnerabilities into the system where detective allows entering everything and correcting the vulnerabilities after enter. The best example is for this control is fire alarm because fire alarm won't prevent the fire before but if any fire it will work.

Corrective controls

The corrective controls are the controls to correct the error or issue before it make any harm. This is very important control for all places even if they have other controls because there are some issues or vulnerabilities cannot detect by the controls if they will come and attack so there should be some control to correct those before loss occur. Addition to that the controls should up to date such as latest firmware or latest definition.

Type of auditors

        There are two basic types of auditors in the information era the internal and external auditors. This selection of the auditor will be done by the management with the use of financial status of the organisation. Size of the organisation and the policies defined in the company.

Internal auditors

Internal auditors are auditors belong to that particular company which is going to perform the audit. That means the auditor is an employee of the company. So the auditor is always available to do the auditing and data or information will keep within the organisation. This is the main advantage of having the internal auditor and the same time and the employee purposely recruited for auditing then is cost a lot for the company. So it is only possible for the big level companies because they have huge investments and revenue. The disadvantage of the internal auditor is they may be up-to-date and don't have current market or audit status such as new techniques and tools.

External auditors

The auditor recruited from other auditing firm for the auditing so it is very hard to find professional auditor because of the availability and as the auditor recruited from outside the company information may go out. At the same time the auditor needs some time to get and understand the company process. But the advantage of recruiting the external auditor is their knowledge and it is suitable for middle and small level companies.

Types of Audit:

Traditional Audit

It is just like a manual auditing. It is useful when working with a large amount of data in a large company. Here auditor took some sample data from different place then provide a report.

Advantage:

  • Easy
  • Cheaper

Disadvantage:

  • Always do not provide correct information.
  • In IT sector it is not useful.

Software audit:

Software audit is a wide popular for any educational institute or organization. It is just like a review of the software and the system that can find all information of the system such as operating system, application software, processor, drives, controllers, bus adapters, multimedia, virus protection, system model, main circuit board, memory models, local drive volumes, network drives, printers information etc.. There are so many auditing tools in the market such as Belarc Advisor, E-Z audit that are very power full. KW116 is the main Lab for school of computing and mathematical science in University of Greenwich. CMS installed lots of software for students to continue study or research. According to Copy right, Design and Patents Act 1988, all Software must have a valid licences to continue the process. As Lab uses large amount of software and different software expire on different time so it is very difficult for Lab administrator to keep up to date all licence by manually checks. Only auditing by software can possible to give details report to administrator to keep up safe the system.

Advantages:

  • Correct Information: Machine always provide the correct information so it has less chance to provide the incorrect information.
  • Save time: Software very quickly provides a report of the system so it saves time.
  • Details description: It provide a details description of system including any warning or licences issues etc
  • Minimise the cost: By implementing the software audit two people's work may possible with one people so it reduce the extra cost.

Disadvantages:

  • Investment Costly: Software is very expensive so university need extra money to buy this software.
  • Risk: Auditor knows the details information of the system.
  • Work flow: Auditor needs part of the lab to check the system. So it discontinues the student workflow.

The approach

The typical audit has different approach to collect the data. The single audit will use multiple techniques to gather full information and it is necessary to use different technique for different level of people. These are common techniques here.

Interview

This technique uses to collect the information from outside people or top level people and the number should be limited. During the interview the auditor or interviewer will ask questions from other people and collect the information. So the person will be well prepared for the interview. This is very robust method because it will allow people to express fully and the method also simple as it is talking which is natural way to communicate. Another advantage is this bi directional communication, means both parties allows to ask questions for clarification or gather information.

Observation

This method uses in the place where real time process monitoring or behavioural change is required. This is a powerful way of do the changes throughout the audit because other techniques exist in currently not possible to get real time information.

Inspection

The technique required to do some action with collected data to collect audit related information. This is the form of observation with advance criteria expected. This is extended version of observation because if the auditor apply any advance criteria to gather the data which is necessary to the auditing.

After collecting the data the next step is to identify the weakness and process it. The identifying is the key work in the audit and after that categorising. The identifying uses some techniques to make that easy, preface and professional. The techniques used here are

Root cause analysis

General technique for analyse and get the better solution for the vulnerability or weakness. Because this technique drilldowns to the issue and finds the root and fix the weakness. The basic technique behind this is if the root is fixed automatically it will fix all other problems related to that. So simply close all related issues at once. As mention the easy and robust way to stop the issues exist and the issues may come in the future.

After root cause analysis the next step is to get the solution for the root of the issue. The important thing here is choosing better and effective solution for the issue. The selection depends on some external and internal restrictions.

  1. Organisation policy
  2. Cost per benefit
  3. Legal restrictions
  4. Availability
  5. Compatibility
  6. Vendor and citification

Advantage of having Auditing:

  • Satisfaction: It brings the confidence of the Lab administrator of the University of Greenwich to continue the business process. Owner always thinks is there any lack that breaks down the continuity of the business.
  • Detection and prevention of errors: Human can made error in any times .on one can say there is no error in there company. By auditing people can find the error and suggestion to recover the error.
  • Detection and prevention of fraud: It also just likes errors. Sometimes user intentionally or unintentionally does this thing. So after audit we can find out the fraud.
  • Verification of the Licences: KW116 Lab installs lots of software for student. Here some software for 1 year some software for more than one year and some software has limitation (No. Of user can use) for use. So auditor can find all kind of licence issues.
  • Independent opinion: Audit always done by the independent people .so this report always accepted by everyone.
  • Safety form exploitation: Health and safety always is a big issue for any organization. KW116 Lab got lots of equipment that are connected with electricity. So always chances for short circuit or exploitation. Audit identifies the all lack point and advice for prevention.

Disadvantage of having Auditing:

  • It is expensive
  • Sometimes slow or stop the work flow
  • External people know the company information.

Encryption

Encryption is the simple technique in the different for to send the date securely through shared place like internet. The form of encryption may vary from each other but they all commonly use digital certificate to encrypt and decrypt the data. Encryption use keys to make cipher text from actual message. The cipher text is not readable and it is the encrypted version of the massage using some algorithm.

Security roles/user roles

The security roles are very important technique to make network administration easy. This is basically creating some groups with different permissions according to the organisation operation or policy. A user or staff can have multiple security roles according to their need. This roles use to authorise the user permission.

Security policy

Security policy is a document which has all rules and regulations documented and approved by management and align with laws and legislation. This policy is used to define all activities and this is used to make some decision.

Business Continuity:

There are three things always we have to mind to continue the business

  1. Essential: to running the business any customer order cannot be delay more than seven days.
  2. Tolerate delay: some application may delay to continue the business such as management pay. It is a midterm i.e. one to four weeks.
  3. Discretionary: some application is useful for business but it is not affected to continue the business operation such as management report. It is a long term i.e. 3 to 6 months.

Business continuity planning

Business continuity planning (BCP) is the most important for any organization to continue the business. BCP engages with only different kind of risk to continue the business process that might occur in the organization and it also creates the policies, plan and procedures to reduce the risk. BCP can continue the business process in disaster situation as well. The main goal of the BCP is to combine together all policies, procedures and process so that any disruptive situation business process can continue or it may impact very little. Here main important function of BCP is -

  • Maintaining the business operation
  • Continue the business in emergency situation
  • Reduce the risk

If any situation BCP cannot take over then Disaster recovery planning (DRP) takes over.

British Auditing Standard

BS7799:

It is a British standard called as BS7799 that developed by British standard institution where describes the security policy and standard procedures.BS7799 become the ISO IEC 17799 after accepting the ISO IEC technical committee for international use. Now a day's information is a valuable asset for organization .So it is very important to protect the information like other corporate asset. Here BS7799 introduces how to protect the information from threats and suggest the three points to secure the information such as -

  • Integrity: it is assurance the completeness and accuracy of the information.
  • Confidentiality: Information can only access by the authorise people
  • Availability: Authorise people can access the information when needed.

Attacks and prevention for the attacks

Errors and Omissions:

Errors and Omission is one of the most common and toughest vulnerabilities .It is a human made error because human interact with programming, controlling and enter data for computer. There are no countermeasures to protect the errors and omission.

Fraud and theft:

It is a one kind of criminal activities that may occur in the KW116 Lab. It includes computer component such as mouse, keyboard, router, switch, cables, CPU box etc. It was observed that security person always not in the access point. So it is harm to secure the lab from fraud and theft. By protecting the access control we can reduce the fraud and theft. Both internal and external people are responsible for that kind of activities.

Prevention of Fraud and theft:

  • Regular auditing and monitoring program will help to identify all kind of fraud and theft.
  • Deploy all of the access control.
  • CCTV in proper place.

Virus:

Virus is a malicious code that has ability to reproduce his code itself and spread one system to another system via e-mail, downloading, storage devices (CD, DVD, memory stick, removal hard drive) and destroy the computer system. It was observed that removal memory stick all most every user are using and it is the most change to spread the virus in the Lab computer system and also observed user are using their own laptop and connected to the university wireless network. If user laptop effected with virus then it also change to spread the lab network that can affect the internal network and attack the server and crash the hard drive.

Prevention:

  • Install the latest antivirus software.
  • Regular update the antivirus software.
  • Follow the backup procedures regularly.
  • Scan the device when transfer data.
  • Installing the NIDS (Network Intrusion detection system) and firewall
  • Minimise the download from internet.
  • Download only repudiated site web site.
  • Scan before the download.
  • Care full to open unknown e-mail attach.
  • Scan all incoming file from the remote site.
  • Aware the user about danger of the virus.

Trap-doors:

It is an undocumented command that might user can create to speed up the work flow. Unfortunately sometimes student might leave these trap-doors.

Prevention of Trap-doors:

  • Use latest antivirus software.
  • Give permission to develop the code only authorise people.
  • Check properly all coding before use it.

Logic bombs:

It work s like time bombs and affect the system in a particular event or day such as program launch, website logon. It changes the data and deletes the data from the system. Here student are accessing the lots software to do the course work or project. So they are strong enough to build the logic bombs. It is normally happen in company if employee leaves the job.

Prevention:

  • Audit regularly and monitoring
  • Always back up the necessary file
  • Allow authorise people to develop the code
  • Need record of all modification or changes

Trojan Horses:

It is a software programming that contains the malicious code. Normally students are interested to download the music, free software from internet. It is the most change to affect the lab computer and destroy the data stored on lab computer system.

Prevention:

  • Avoid unwanted software and music download from internet.
  • Aware the user about Trojan Horses.

Worm:

Warm also is a malicious code that can spread itself without any human involvement from one system to another system .It works only computer network system and does not need any devices to transport.

Prevention:

  • Use firewall
  • Use update antivirus software

Spyware:

It is an unwanted software interface that monitors the activity of the user and transfers the important information like log in details or account details to the remote system that monitor the user activities.

Adware:

It is also similar to spyware but it does not intent to transfer the user details to a remote system. It works like advertisements on the internet. Some adware monitor the searching behaviour of the user and then redirect the related websites.

Prevention of Adware /Spyware:

  • Close the pop up window.
  • Aware about the spyware/adware.
  • Click only reputed link.

Social Engineering: Most of the users are getting unknown mail and they are also chatting with unknown people. Social engineering is one of the most popular techniques that attackers use to access the system by sending the mail or chatting with people to know the password. So it is a major risk to the security of the password.

Prevention:

  • Not response the unknown mail.
  • Not chatting with unknown people.
  • Don't give any one personal information or login id.
  • Proper training or aware the new user about social engineering.

Ping of death: we have only permission to send the largest packet (65,536 bytes) on the server. Attackers know this amount of bytes from ICMP specification. So they try to send the packets more than 65,536 bytes (at least 65,537). If the server does not check the size of the packet and try to process then it hung or crashed the operating system.

Dumpster diving: Every day Lab user printing there necessary document but sometimes by mistake they are printing unnecessary document and end of the day through all document in the bin. Hacker is very intelligence. They always look at the bin and find the necessary document to access the network.

Prevention:

  • Destroy all documents before put in a bin

Natural disasters:

If anything happen that is not under control of human it is called natural dusters such as earthquakes, volcano, floods, fires, storms, hurricanes etc... It may occur in any time but most risk is the fire for KW116 lab. It may cause from heater, power supply, over heating the power box, short circuit etc. Natural disaster is less chance for lab but it affect is more than any threat .It may destroy the part of the building, loses the all information.

Prevention:

  • Follow the health and safety procedures.
  • Clear the fire exit.
  • Aware the user about possible disaster.

Man-Made Disasters:

If anything happen intentionally to destroy the business process or destroy the part of the business and it is control of human then it is called the Man-Made Disaster such as Fire, Act of Terrorism, Bombings/Explosions, and Power Outages etc.

Prevention:

  • Check always ID card
  • Allow only authorise people
  • Use metal detector
  • CCTV

Equipment failure:

Students are always busy with their course work and other course related work so equipment failure may loss the all data.

Prevention:

  • Use extra UPS
  • Back up all data

Auditing Stages/Steps

  1. Scope and Pre-Audit survey
  2. Planning
  3. Field work
  4. Analysis
  5. Reporting

Scope and Pre-Auditing

The first step or stage of the audit is to understand the purpose of the audit and the areas need to cover during the audit. Understanding the audit purpose is basically get the idea why this audit needs to perform; means any special risk assessment or annual audit. If it is special risk assessment audit this will be more specific and the scope will be narrow and deep otherwise if it is annual audit it will be the general audit to cover as much as possible area.

Pre-Auditing survey is to verify the audit areas using risk management techniques and some general techniques such are reading previous audit report, web browsing, background reading, etc... This will reduce the chance of failure by correcting the plan by lesson learned.

Planning and Preparation

In this stage the scope is going to break into small areas to make auditing easier and clear. So the clarity will be more and purpose will be easy to understand. Usually this stage will involve the work breakdown plan and risk control matrix. The risk control matrix is just a check list contains questions to carry out during the audit.

Field work

Actual auditing will perform during this stage by different techniques or methods. Simply it starts with interviewing staff or students using questioner or oral interview to system or network test by auditing software tools. The result of this stage will be the evidence of the audit to get a conclusion or submit to the management with audit report. So this will be the most important stage in the audit process.

This step may use several testing software tools depend on the scope of the audit and the software selection is another key event of the audit process because there are so many fake software applications available in the market. Actually those are virus and the reason of making virus in the form of auditing tools. The reason of spreading the virus in the form of auditing or testing tool is very easy and hart to detect.

Analysis

Using the evidences or any results collected in the previous stage are the input of this stage. This stage is fully analysis and decision making so it needs a lots of time to investigation and assessment. The most sensitive area of the audit process is analysis because this is the place going to take the decision to submit to the board so that should be perfect otherwise the audit is useless and it will lead to make some wrong decision.

Reporting

The stage is to present all audit findings in the form of report. This is the document contains all evidences, analysis results, suggestions & recommendations, conclusion, etc... This document will pass to the management or the higher level people to review approve and take necessary action if necessary. The report should be clearly written and easy to understand because this document need for future also to give some information to start next auditing or to take some strategic decision.

Problem Domain

Because of the increased use of university of Greenwich KW116 lab the chances of threats or issues are high and this is the responsibility of the student and the staff to make the lab secure in all aspects. The reason of this project based on KW116 is that is the lab used by the students largely and usually network related or any other lab sessions and happening in this lab so if the lab got any security hole or lack that may affect the student and the staffs.

Easiest way to ensure the security level of the lab is auditing. This auditing needs to cover all areas from physical security to network security. Then only this will the perfect audit and the audit can use some standard checklist to make more efficient and to eliminate human made errors such as forgotten, typing mistakes, etc...

There are so many ways to make sure the security level such as penetration testing and vulnerability testing. These are more specific with attacks and threats and for the general purpose security audit is the suitable one as it will cover all areas of the security. According the reasons given above the general security audit is the most suitable technique to verify the security level of the lab.

So the auditing will cover most of the areas of the lab with the aid of standard checklist which is approved by British Standard Institute.

Test behind the auditing

  1. Physical test
  2. Network test
  3. Software Test
  4. Security Policy test
  5. Hardware/Peripherals test
  6. Access control test

Objectives

To evaluate the actual level of security that exists at The University of Greenwich Maritime campus KW116 Lab.

Activities

  • plan and schedule the audit
  • Auditing with software tools
  • Analysis audit result

Deliverable

Detailed audit report with suggestions and recommendation

This is the main objective of the project and this will carry on with several tools like packet sniffer, port scanner software, etc... There are three different tests using these tools to identify internal and external vulnerabilities.

To evaluate various methods of implementing the security policy, determine the security weaknesses and implement risk management for the existing security weaknesses.

University lab security policy review

Analysis

Deliverable

Detailed security policy analysis report with changes/suggestions/recommendation. The reason of this objective is to stop the holes from policy level because this is the easy way to implement.

Learn Audit and Audit process and practice auditing and Research auditing products available in the market and select appropriate.

This task is fully learning about audit and audit related stuffs.

This objective is the key or starter of this project because if project start without proper knowledge that will mislead to somewhere else not to project aim.

To draft a new security policy that addresses the existing weakness to the management.

According to the analysis draft a security policy to fix or overcome all existing security holes.

Deliverable

Draft security policy

How the objectives will be achieved

Third and fourth objectives will be achieved with books and internet. This objective will give the idea about auditing the outcome of this objective will be a documentation which contains all requirements which need to cover in this project.

The research will give the details about tools which requires to perform the auditing the methods/process for the auditing. Internet is the main and basic mean for this research as it is easy to access and with wide range of data.

Tools which identified from the research will used to perform the security auditing and this audit result will monitor in real-time and document instantly. Mostly these tools will be freeware and from well-known vendor.

The auditing will perform in three different views to make sure the area is secured fully. The views are inside computer - local network, outside computer - local network, outside computer - different network.

Audit Methodology

This project uses two different methodologies to accomplish the task such as checklist and questioner. The check list is an aid for the auditor to perform the audit and it is a manual to the audit. So the checklist will contains all tests need to perform during the auditing where questioner is to get the opinion or feedback for the staffs and students (generally this will be feedback from stockholders). The analysis also will carry in two different way using questioner and the checklist and finally compare both and get the conclusion.

The questioner and checklist covers most of the areas and those are grouped separately to make the auditors life easy and more understandable. The areas coved in the documents are

Physical Security/ Environment Security control

This section mainly covers the physical security issues and the recommendation. Mainly it covers all natural disasters, actual control and recommendation.

Access control

This section is all about permit or deny to the access to KW building using several ways. The questions used to get the actual control, status of the control implemented, recommended control need to implement.

Software and hardware

The hardware and software related testing and verifying is the main job of this area. When talk about testing it will start from licence to the current status of the hardware or software.

Servers and network

All about network related testing from cabling to server level security. This is the key test of the security assessment/auditing because network in the hard of most of the organisations.

Security policy

The area is to review the existing security policies and make sure they are valid with the current limitations and technology improvement. This is because there is a necessary to keep the security policy up-to-date as well.

Personal security

This is all about personal security when user or staff made mistake or for any human made errors such as how the system behave if a user forgot to log off the computer when he leave and analysis the actual control implemented. This will use to give the status of the current implementation and propose enhancement if necessary.

Virus/Threats

This area covers the security vulnerabilities through virus or any other similar threats. So mostly this questions or the test task will relate virus and antivirus or antispyware controls. Especially this area will talk about the up-to-date definitions of the antivirus because this is the important task will make sure the status of the security level. That means it is no use if u have antivirus or any anti-threats software without proper update or latest update.

Remote connection / external connection

Very important area which should verify before authorise because once access given they can do anything from outside. So there should be a software use to validate the user and the place of login and important point is the software should be from well-known vendor and properly tested.

Non Achieved Objectives

It was mention in the objective to use auditing software's for scanning all of computer and the network system to gather information about expire date of Licence, list of software and hardware details, network risk and warning but because of security and licensing reason university did not allow to use the software's proposed for this project. Even though Belarc Advisor software runs from outside laptop with university network for the sample analysis and the result documented in the report for the analysis. It would easier to make conclusion if auditing uses the software to gather information. But instead of software the audit uses a standard checklist to carry on.

Summary

        The chapter 01 assisted in clearing and understanding the problem domain. This is mostly non-technical or less-technical have as much as possible general and basic ideas which covered in this project.

Final Report University of Greenwich

The checklist analysis methods used for this project made audit wider and deeper because it follows mostly BS7799 standard. The checklist clearly describes that there are some places got weakness and some of them are in the level of acceptable. The concern of the audit is the place security is lacking because these are the vulnerabilities for the KW116 lab. The checklist clearly mentions the findings and recommendation. Here finding is the actual control implemented and the recommendations are the expert suggestions. These expert suggestions made with experiences and some other means such as internet, books, etc...

The expert rating for the security level of the lab in chart is bellow. The chart description makes auditor's decision very clearly with recommendation result.

The chart above Describes the Security deference between actual control and the security level after recommendation is made. The reason for the non 100% achievement is organisation restriction such as budget, policy and it is not practical to achieve 100 % security. The requirement for the security is to meet acceptable level. The level of acceptable is a keyword in security as it is not possible to secure the system 100 % if it is connected to external world. As mention above the lab KW116 is very weak in access control but if the university implements the recommendation it may achieve 100%.

Analysis - Checklist

Access Control

There is no proper control to access KW and no consistence in the rules and regulations because only some time security staff checks the resource card. In general anyone can enter into university KW building which is big issue here. Because even CCTV fined any issues with the person entered when they check the CCTV later they can't do anything because university don't have any clue about that person entered into the lab.

Remote/ virtual connection

        The virtual connection is still using which is well-known and trustable software and the system is using windows authentication. So the login is validated at the place of active directory. Active directory authentication is very strong because it is using complex encryption method with non-reversible method. But the server needs more resources to increase the performance because the virtual desktop is really slow. The lag of the security audit is

Security policy

        The university have own policy security for the lab but those are not in the well-known place to read or there is no instruction from where student can get those information

2.1.4 Environmental and Physical security

        The lab is almost safe in environment manner such as wind, rain and sunlight. In addition to that if any mechanism to monitor the window covers against sunlight that would improve the security level. The audit flag for this is

Network and Equipment Security

User Responsibility

        This is another huge security hole in the lab and this looks simple issue but it may cause any kind of issues. There are so many things will come under this. For an example following images are simple and good evidence for how users are behaving in the lab. The mobile phone usage, foods chatting, etc... The audit status flag for this area is

Chapter 3

Recommendation

Access control

The staffs in the entrance should verify the student before enter into the KW premises. University can use two different methods to here.

Staff in the entrance should check the university resource card always

  1. This is power technique because the staff can verify the student with the card image. In this method illegal use of the resource card will be eliminate. But this technique requires CCTV for the evidence if anything goes wrong and the staff working in the entrance should work
  2. Entrance should have at least one security staff always and they have to be well trained.

The second option is electronic access contrail which uses access card, finger print or code to open the entrance. But as it is an academic intuition there is no need for more security like this.

So the best and cheaper way to control this is the first option. This is the first and primary level of control KW building. But another issue here is there is no control to say the student has entered to the lab other than CCTV. Because the access control in the entrance will make the student or staff has entered to KW not to KW116.

Remote/ virtual connection

        The system should upgrade with more resource because there are possibilities for huge number of remote connection. So if the system works very slowly it is useless to implement this facility. The system may split into multiple virtual clusters and the clusters will increase the performance.

User Responsibility

The responsibility of the user are not known even it is well-defined which is useless of having riles and regulation. So there should be a way to introduce all these responsibilities to the user such are notice board, labelling with rules or small sessions to pass these rules to users.

Notice board

  1. This method can carry big set of information on it but there is no proof those users checking the notice board which again come as not effective way of communication.

Ladling

  1. A strong way of communication can put these in the physical stuffs as sticker or in software as message box or software label with different colour. But the disadvantage here is it can carry small and that particular area or situation rules and regulation.

Meeting

  1. The suitable way of communication because talking is the easy way of communication and two way interaction also possible in this method. But the requirement here is to make this meeting as compulsory for all users and penalise if anyone miss. But punishment should be related to pass these to user.

Entry Control (Web)

This covers all possible web based application with 1st level security. There are two places which users usually use for their day to day work through web and lab computer login. This password strength is strong enough for academic based industry but suggesting reducing the password expire period which is simple technique to improve the security level.

Portal - University of Greenwich

  1. The login configuration of the portal is strong enough for the academic industry and the session out time is very good.

Intranet - University of Greenwich

  1. The login control is acceptable in intranet but the session maintaining is very poor and logout mechanism also poor. Simply there is no session controlling and logout is not working properly. The main issue with logout is logged is allowing the user to access previously visited pages which is wrong and it requires internet explorer shutdown to complete the action. Suggestion to implement session control because this session control will eliminate these two issues.

Computer Login.

  1. Again the lignin mechanism is acceptable here but idle time control such user timeout because of idle timeout is not proper here so need to improve here because this is a security risk. But this is also users responsible too but the system it should handle as much as human errors.

Chapter 4

Audit Report -Draft Version

Scope

The project covers only KW116 lab and in the lab it will assess network, physical, policy, etc... There are many limitations to do the testing because auditing done with student user credentials which got less privileges.

Objective of the engagement

  1. Find out status of the lab in security point of view
  2. Recommendations for the weaknesses.
  3. Audit Report submission to the board

Coverage period

4/3/2010 to 30/4/2010

Brief description of the work performed

The audit assessments processed all areas with student's credentials.

Background information

N/A

Overall audit conclusion

        The conclusion of this audit is the KW116 is protected in network or network related stuffs such as attacks and vulnerabilities are almost safe. But the access control and some of the process mentioned above needs to change or enhance. When it comes to overall audit conclusion the level of security is average.

Chapter 5

Conclusion and Future Improvement

        The audit to KW116 is to find the status of the security level and existing security issues. The auditing covers most of the security areas including physical security. This audit uses checklist method as auditing technique because this checklist method will eliminate some issues even the technology is software based because human made errors or mistakes such as typing mistakes, forgotten, etc... and the same time the check list used in this auditing mostly satisfy BS7799 and ISO12007 which are basic and powerful standard. This check split in to sever categories to make the auditing process easy and understandable.

        This audit process uses one software to validate the system. Basically this software scans the system and the network to retrieve security related and system related information. The output of this software is all-in-one report with details. The report also split into several categories. Even though the main advantages of this software is validation of software licences, network scanning and security updates.

        addition to there was a survey using questioner created for this project with general and basic questions and the survey limited to 100 students. The result of the questioners is summarised and analysed. The basic reason of this survey is to get the students opinion. According to the analysis the student allows some security weakness because of their easy such as password expires period.

The standard checklist analysis is the major part of the project and according to the audit there are so many weakness in the KW116 and related process especially access control mechanism. The access control mechanism should change or enhance. This should be the first consideration of the board or authorities. At the same time students are not very keen to follow these regulations because following the rules and regulations are not easy and the policies are not available or not visible to the student or appropriate users. This is the second concern of the audit. Because if the student needs to obey they rule they should know the rules and regulations.

The final conclusion of this audit is the KW116 is protected in network or network related views such as attacks and vulnerabilities are almost safe. But the access control and some of the process mentioned above needs to change or enhance.

Future improvement

        The audit needs to add some more software to the testing this will be effective if project apply some simple penetration testing. The penetration test will give the level of the security or security lacks which will allow attackers to some inn or attack. The checklist can go more deeply to get the root cause of the problem easily.

Chapter 6

Appendix A

Security Audit for KW116 Lab, University Greenwich

Security Assessment questioner

I am Manik Saker doing my masters in University of Greenwich in Computer Security forensics and risk management. For partial fulfil of my masters I am caring out this auditing for KW116 lab and this questioner is to get the feedback from students and analyse the security level or security acceptance level of the lab. The questioner is split into several parts to make this to easy and effective. The responses from the students are confidential and cannot be linked back to you. Please fill this and return to me on completion