A network audit is something that every company should do, but very few ever get around to doing. For most it is important, but not the highest priority. Any company with a network that includes multiple users, intensive security protocols, or highly secure information should give an audit an even higher priority.
A network audit is similar to a tax audit in most respects. It is a comprehensive review of network policies and procedures, to ensure that security is adequate, that the network can keep up with traffic levels, that there is no malware on the network, and more. So what exactly might be included in a general network audit?
A typical network audit will start with the simplest and most basic of problems: weak passwords. The auditor will attempt to crack the network with popular software for that purpose and ensure that no “dictionary” passwords are being used. If weak passwords are found, the auditor will recommend changes to enforce password security.
The next thing that is typically checked is the versions of the software on the network. An audit ensures that all software is up-to-date with relevant security patches. If old software is being used, an audit will ensure that security patches have been backported.
A very simple thing to check is file access. Most networks today use the Unix method of file access, with read/write/execute privileges based on user and user groups. Therefore, with a simple script an auditor can check all files on the network and ensure that they are only available
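One way to write the file-access check described above (an added example, not code from the original article). The function names, the `allowed_gids` and `private` parameters, and the sample files are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

def audit_tree(root, allowed_gids=None, private=False):
    """Return sorted (relative_path, issue) pairs for risky Unix mode bits."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)              # lstat: do not follow symlinks
            mode = st.st_mode
            if stat.S_ISLNK(mode):
                continue                     # a link's own mode bits are not enforced
            rel = os.path.relpath(path, root)
            sticky_dir = stat.S_ISDIR(mode) and mode & stat.S_ISVTX
            if mode & stat.S_IWOTH and not sticky_dir:
                findings.append((rel, "world-writable"))
            elif private and mode & stat.S_IRWXO:
                findings.append((rel, "accessible to other"))
            if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append((rel, "setuid/setgid"))
            if allowed_gids is not None and st.st_gid not in allowed_gids:
                findings.append((rel, f"unexpected group {st.st_gid}"))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample data: four files and one sticky directory."""
    layout = {"payroll.csv": 0o640, "notes.txt": 0o666,
              "readme.txt": 0o644, "helper": 0o4755}
    for name, mode in layout.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)                 # chmod ignores the umask
    shared = os.path.join(root, "shared")
    os.mkdir(shared)
    os.chmod(shared, 0o1777)                 # sticky, like /tmp: not flagged by default

def demo():
    """Audit the constructed tree in default mode and in private mode."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return audit_tree(root), audit_tree(root, private=True)

if __name__ == "__main__":
    for label, result in zip(("default", "private"), demo()):
        print(label, result)
```

With `private=True` any read, write or execute bit granted to "other" is reported, which suits directories that should be visible only to their owner and group.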
Many private networks today need to allow public access so that employees and users of the network can remotely access files. An auditor will ensure that such transactions are done in a secure fashion. For example, despite its insecurity, many organizations still use the telnet protocol, which offers no encryption or security. An auditor would likely recommend a transition to ssh or ftp for these transactions. During this process, an auditor may also look for malware by reviewing logging practices, checking whether resource usage levels seem correct with respect to traffic levels, and inspecting packets.
Continuing with security, an auditor would likely spend an inordinate amount of time crawling over every aspect of any SQL, Access, or any other database that an organization has implemented. These databases are known for requiring security updates on a very tight schedule and still being insecure.
Following security, a network auditor may move on to ensuring that a network has adequate hardware to meet its needs. Not all auditors do this, but it remains an extremely important part of an audit. For example, the first thing that an auditor may check is the amount of traffic that a network must handle. This will include the volume in terms of both data/unit time and users/unit time. The auditor will then proceed to check how well this is handled, with respect to both whether the hardware can theoretically handle the load and whether the hardware can handle the load in practice.
The auditor will also look at the redundancy of a system. Often overlooked, redundancy is important no matter how valuable the rest of the hardware on a network is. An auditor will ensure that backups are on a schedule and have enough information to recover a network in the event of a system crash. Based on the purpose of the network, the auditor will ensure that a recommended amount of time is always saved in a cache. An auditor may also check for hardware redundancy, so that the network can continue to work even if a given number of routers fail. Finally, the auditor will ensure that there are offsite backups, and test the integrity of those backups.
None of the above is the most important thing that the auditor will do. The single most important thing that an auditor does is to ensure that no changes are made during the auditing process. In fact, in many cases a system will go completely offline for an audit. Everything must stay constant so that the auditor can inspect a clean system. Only recommendations will be made. It is up to the company to choose whether or not to implement those recommendations.