IT Audit and IT Security Audits: Is There a Difference?

Filed under Compliance, Security, Standards

Last week I had an interesting conversation with some principals in one of the Big Four.  We were discussing some upcoming plans that we have for creating a course to assist non-IT folks to transition into IT Audit in addition to assisting non-Audit folks to take on more of an audit role.

During the conversation, we were asked by one person, “Well, are you teaching IT Audit or are you teaching IT Security Audit?”  What an interesting question, we thought.  We went on to explain our point of view.

The purpose of IT Audit is to ensure that all of the controls are functioning correctly to meet the objectives of the business.  This includes operational matters like user creation process, active directory management, group policy settings, firewall configurations, router infrastructure configurations, etc.  Almost all of the controls in IT today include security settings.  In our view, there is no sense auditing these items to verify that the settings match the policies unless you are also validating that the processes governing the policies are correct.

In other words, if your IT Audit isn’t validating that, in addition to operating correctly, your organization is correctly applying security principles and controls, what exactly are you auditing?  The folks we were speaking with, fortunately, seemed to agree that this was the correct view even though they had posed the original question.  It does give us pause to wonder, however.

For example, consider the recent findings regarding FISMA, specifically the notion that FISMA has failed because the IT auditors who are doing the evaluations have been tasked with verifying that everyone is doing what NIST says in terms of procedures without any consideration for where the actual risks are to the business!

This is also precisely the reason that Sarbanes-Oxley has language requiring that the IT systems support the accuracy of the financial results.  In the past I have railed against the lack of specificity in Sarbanes-Oxley, but given what’s happened with FISMA it makes me wonder if it might be better in some respects.

In the end, determining the best strategy or standard to use to ensure security will always be a task best done as a retrospective, but it seems safe to say that the “right” answer falls somewhere between too much and too little.  Like Goldilocks, we’re all looking for the “Just Right” level of detail in standards, forcing organizations to develop well thought out controls that connect to business and security objectives!

For a comprehensive course on how to identify critical controls, validate that the correct controls are in place and validate processes, consider the SANS 6 day course, “Advanced System & Network Auditing“.  David Hoelzer is the SANS IT Audit Curriculum Lead and the author of several SANS IT Audit related courses.

Making the transition from IT to IT Audit

Filed under How To

IT Audit: Making the transition from IT to IT Audit

On several occasions I’ve been asked “How does someone make the transition from IT to IT Audit?”
If you’re new to Information Security then you should take an introductory course in information security. SANS has an excellent one in SEC301 Intro to Information Security. Then follow that course with a bootcamp style security essentials course, something similar to SEC401 SANS Security Essentials Bootcamp Style. And while you’re in the mood for bootcamps, follow the security essentials up with an IT Audit essentials bootcamp. Look at AUD429 IT Security Audit Essentials Bootcamp from SANS.

Now you’ve got the essentials down, security and IT Audit, or should I say you’ve got the skeleton course work finished. Now let’s put some substance to the body of knowledge that you’re building. There are three more things that you need to do: two courses and one certification exam. You will need to take a course in IT auditing that covers things like networks (routers, switches and the like), operating systems (UNIX and Windows), and maybe even some web application auditing. Look at AUD507 Auditing Networks, Perimeters, and Systems from SANS and make sure it’s being taught by David Hoelzer. Also look at AUD 423 Training for the ISACA® CISA® Cert Exam. Then the last thing you want to do is to register for and take the CISA certification exam from ISACA.

As you’re taking the courses from SANS, most of them will have optional GIAC certifications, and I encourage you to take those as you complete each SANS course. The certification for the SEC301 course is GISF; for SEC401 it’s GSEC and for AUD507 it’s GSNA.

Now with some work experience you’ve made the transition from IT to IT Audit and you’re well on your way, congratulations.

IT Audit: Hybrid Password Assessment & Password Cracking

Filed under Compliance, How To, Security

In the last of our three part series on IT Audit and password strength validation we’ll take a look at the final aspect:  Hybrid password assessment.

Before we dig into hybrid assessment, you may be wondering why an IT auditor wouldn’t perform a brute force attack against the password hashes.  The easy answer is that a brute force assessment simply doesn’t provide any valuable information to an auditor.  Remember, we’re trying to validate that the strong password controls are effective.  If we can break the password with a dictionary or a hybrid attack, the controls are not sufficient. A brute force attack will always be successful and reveals nothing about the controls.  Even when we break a password with a dictionary or hybrid attack, the passwords themselves are unimportant; we’re really interested in how easy the passwords are to guess.

A hybrid attack takes your preexisting dictionary from our last article and expands upon it.  Using the dictionary as a foundation, the hybrid attack will try adding numbers to the end of the potential password (single and double digits are common), capitalizing the word, capitalizing the first letter, etc.  In other words, we’re using the dictionary as a basis to generate additional passwords without generating every possible password.

Based on our experience, you can expect to find between ten and twenty percent of passwords in an organization to be broken using the combination of a dictionary and hybrid attack.  Should this be the case, one of the most effective controls to solve this problem is good training.

IT Audit: Dictionary Attacks, Password Validation & Password Cracking

Filed under Compliance, How To, Security

In our last posting concerning validation of strong password controls, we discussed why an IT Auditor must do more than just check the settings on the operating system, since it is still likely that some users will select poor passwords.  In this article we’ll explore one aspect of the testing that an auditor should perform in cooperation with the administrator.

As someone performing an IT Audit, when we submit our report findings, we are also providing a level of assurance, a guarantee if you will, of the security of an environment based on its compliance with a stated policy or standard.  If we fail to go beyond what the controls say by verifying the effectiveness of the controls we increase our own personal liability and also provide a false sense of security for management.

To perform a dictionary based attack, we simply work with the administrator to obtain a copy of the current password hashes stored on the system being examined.  Using a password testing tool of our choice (John the Ripper or Cain & Abel are excellent choices) we then test the password hashes against a dictionary of common words and passwords.

Where do you get a good password testing list?  You can get one in the Advanced System & Network Auditing course that SANS offers, but you can also start building your own!  As you come across good wordlists while performing IT Audits, start gluing them together!

IT Audit: Effective Controls vs. Paperwork – FISMA Failures

Filed under Compliance, Security

For years now, we’ve been trying to tell IT auditors that they need to worry less about what the policies and procedures say and more about whether or not the controls are actually effective.  Finally, the US Government has seen the light!

Last week a series of reports and statements were released discussing the effectiveness of FISMA.  More specifically, the report details the failings of the OMB when it comes to FISMA.  According to the reports (and according to the experiences of many technical folks and IT auditors) OMB has relied far too much on the NIST procedural documentation, measuring paperwork rather than examining real operational controls.

What this means is that Certification and Accreditations (C&A) are worthless if all we’re doing is looking to see if the paperwork is in order.  Unfortunately, as correct as this is, there is a real issue when it comes to convincing IT auditors and management that far more is necessary than looking at the paperwork and interviewing administrators.  This comes back to the definition of what “Validation” is about.  The job of an IT Auditor is to provide a level of assurance regarding security and controls by measuring the sufficiency of the controls on paper and validating that the controls are actually functioning at a level that effectively limits risk!  Teaching someone how to solve this problem is something that requires more than a single blog entry.  If your IT audit staff needs assistance solving this problem, whether they are government auditors or working in private industry, you may want to consider SANS training!

IT Audit: Password Strength vs Password Cracking

Filed under Compliance, Security

Every security standard in IT today includes a requirement for “Strong Passwords”.  What, exactly, a strong password is and how to create one is a whole different discussion, but as an IT Auditor, how do we validate compliance with this control?  For example, is it sufficient to look at the Group Policies in our Active Directory domain and just verify that strong password requirements are enabled?

Verifying the strong password setting in an operating system like Microsoft Windows, whether that’s Windows XP or Server 2008, is a fair test.  However, it turns out that it’s still completely possible, even likely, that individuals are selecting very weak passwords.  My favorite example is that “Password1” meets all of the strong password requirements built into Windows!  To be fair, it meets the requirements for most strong password controls too.

For this reason, it does make a lot of sense to work with the administrator of whatever system we’re testing to actually run a dictionary and hybrid test against the passwords on a system.  How does this help us as an IT Auditor, though?  As an auditor we are interested in knowing not only if there are controls in place (often, these are settings), but we are also interested in verifying that the controls are effective.  In our next article we’ll define Dictionary and Hybrid attacks and discuss how they are used.
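To make the “Password1” point concrete, and to illustrate the dictionary and hybrid rules described in the two password-cracking posts earlier on this page, here is an added Python example that is not from the original posts or from SANS. It checks a candidate against the Windows complexity rule (minimum length plus three of four character classes), then runs a dictionary-plus-hybrid assessment over a constructed set of hashes and reports only the fraction broken and the rule that broke each hash, which is the metric an auditor actually needs. The wordlist, the user hashes and the unsalted SHA-256 format are all constructed assumptions; a real assessment runs the system’s own hash format through John the Ripper or Cain & Abel as the posts describe.

```python
"""Added example (not from the SANS IT Audit blog): measure how many
password hashes fall to a dictionary plus hybrid assessment, and show
that a password can satisfy Windows complexity rules yet still fall.

Assumptions: hashes are unsalted SHA-256 (a constructed stand-in for
whatever the audited system stores) and the wordlist is a tiny
constructed one.  Only the audit metric is reported, never plaintexts."""
import hashlib
import string
from typing import Iterable

# Constructed wordlist standing in for the auditor's dictionary.
WORDLIST = ["password", "welcome", "summer", "dragon", "letmein"]


def _h(p: str) -> str:
    """Unsalted SHA-256 hex digest (constructed stand-in hash format)."""
    return hashlib.sha256(p.encode()).hexdigest()


# Constructed sample of user -> hash.  Each entry is chosen to exercise
# one outcome of the assessment.
SAMPLE_HASHES = {
    "alice": _h("Password1"),    # complexity-compliant, hybrid-crackable
    "bob": _h("welcome"),        # plain dictionary word
    "carol": _h("Summer22"),     # capitalised word plus two digits
    "dave": _h("x7!Qv#9rLp2@"),  # not derivable from the wordlist
}


def meets_windows_complexity(pw: str, min_len: int = 8) -> bool:
    """Windows 'Password must meet complexity requirements': at least
    min_len characters and three of the four character classes.
    (The username-containment part of the rule is omitted here.)"""
    classes = [
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ]
    return len(pw) >= min_len and sum(classes) >= 3


def hybrid_candidates(word: str) -> Iterable[tuple[str, str]]:
    """Yield (rule_name, candidate) pairs for one dictionary word using
    the mutations the post lists: the word as-is, first letter
    capitalised, all caps, and one- or two-digit suffixes on each."""
    bases = [("dictionary", word),
             ("capitalise-first", word.capitalize()),
             ("upper", word.upper())]
    for rule, base in bases:
        yield rule, base
        for n in range(10):
            yield rule + "+1digit", f"{base}{n}"
        for n in range(100):
            yield rule + "+2digit", f"{base}{n:02d}"


def assess(hashes: dict[str, str], wordlist: list[str]) -> dict:
    """Run the dictionary+hybrid assessment.  Returns the fraction of
    hashes broken and, per broken user, the rule that broke it.
    Plaintexts are deliberately not returned: the finding is about
    guessability of passwords, not the passwords themselves."""
    lookup: dict[str, str] = {}  # hash -> first rule that produced it
    for word in wordlist:
        for rule, cand in hybrid_candidates(word):
            lookup.setdefault(_h(cand), rule)
    broken = {user: lookup[h] for user, h in hashes.items() if h in lookup}
    return {
        "total": len(hashes),
        "broken": len(broken),
        "percent_broken": round(100 * len(broken) / len(hashes), 1),
        "by_user": broken,
    }


if __name__ == "__main__":
    print("Password1 meets Windows complexity:",
          meets_windows_complexity("Password1"))
    result = assess(SAMPLE_HASHES, WORDLIST)
    print(f"{result['broken']}/{result['total']} hashes "
          f"({result['percent_broken']}%) broken by dictionary/hybrid rules")
    for user, rule in sorted(result["by_user"].items()):
        print(f"  {user}: {rule}")
```

The report lists the rule rather than the recovered password: a finding that “three of four accounts fell to a single dictionary word with a digit suffix” tells management how effective the control is, which is what the audit is validating, while the plaintexts themselves add nothing and should not appear in working papers.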

Professional Communication: A Key to Successful IT Audit

Filed under Uncategorized

As someone who works in IT Audit, you well know that the ability to communicate clearly and effectively is absolutely key.  For example, a major obstacle that we face is assisting people to appreciate that IT Audit is really a lot more than marking off checkboxes.

While a checklist is definitely a critical tool for auditing, our main objective is to assist the organization to validate that the controls in the business really do assure that efforts to meet business objectives are successful.  For this to happen, we need to be able to communicate with the individuals being audited, but we also must be able to clearly communicate findings and recommendations to management.  Certainly our findings must be presented in written form, but a live presentation is far more powerful for management.

If you’re looking to improve in your report writing, presentation and public speaking skills, you may want to have a look at a new offering that SANS has just put on the books in Washington, DC this December:  Professional Communication and Presentation Skills.  Since this is the first offering, SANS is offering a discounted rate, but we understand that the attendance will be capped, so don’t wait too long if you need this information!

Free Webcast: Auditing Risk Rather than Settings

Filed under Uncategorized

In IT Audit, we sometimes lose track of what’s most important.  This 30+ minute webcast discusses some of the highlights of this problem as well as offering a possible solution!  Have a look over in our Webcasts section.

Risk Rather Than Settings – Free Webcast

Filed under Compliance, How To

At 10:00 AM Pacific, 1:00 PM Eastern, David Hoelzer will do a free WebCast on how to take a step back from the settings and get back to the risks associated with processes.

In the IT Audit realm we can sometimes become so focused on specific settings that we lose sight of the actual objectives that we’re trying to meet.  As soon as this happens, we become out of touch with the actual risks that need to be controlled in a business and begin focusing on settings for their own sake.  In this talk we take a look at one of the principles that we emphasize in the Advanced System and Network Auditing course (Audit 507):  How to take a step back from settings and focus on control processes instead.  This keeps us looking at what really matters; not the settings themselves but the processes that determine and maintain those settings!

IT Auditing, Consensus Audit Guidelines, and ISO 27002 Compliance

Filed under Compliance, Uncategorized

This series of articles looks at each of the Top 20 Critical Controls and ISO27002 and will give the IT auditors guidance for determining whether their organization is in compliance with ISO 27002.

Let’s look at Critical Control 1: Inventory of Authorized and Unauthorized Hardware. In their review SANS identifies how attackers exploit the lack of this control; how the control can be implemented, automated, and its effectiveness measured; and some procedures and tools for implementing and automating the control. But what does ISO 27002 require an organization to do to be in compliance with the international standard for Information Security Management Systems?

ISO 27002 § 7 Asset Management has as its objectives “To achieve and maintain appropriate protection of organizational assets” and “To ensure that information receives an appropriate level of protection.” There are 5 controls for this objective:

  1. All assets should be clearly identified and an inventory of all important assets drawn up and maintained,
  2. All information and assets associated with information processing facilities should be owned by a designated part of the organization,
  3. Rules for the acceptable use of information and assets associated with information processing facilities should be identified, documented, and implemented,
  4. Information should be classified in terms of its value, legal requirements, sensitivity, and criticality to the organization, and
  5. An appropriate set of procedures for information labeling and handling should be developed and implemented in accordance with the classification scheme adopted by the organization.

ISO 27002 § 7.1.1 goes on to define assets as “physical assets: computer equipment, communications equipment, removable media, and other equipment;”

From an IT auditing perspective we should be asking the following questions and looking for supporting evidence that the control has been implemented:

  1. Are all assets accounted for and has an owner been identified?
  2. Has responsibility for the maintenance of appropriate controls for those assets been assigned?
  3. Is there an inventory of all assets?
  4. Has the importance of those assets been documented?
  5. Does the asset inventory include:
    a. Information necessary to recover from a disaster
    b. Asset type
    c. Format
    d. Location
    e. Backup information
    f. License Information
    g. Business value.
  6. Do the asset inventory and information classification agree, based on the importance of the asset, its business value, security classification, and the level of protection?
  7. Is the asset inventory used as input to the organization’s risk assessment process?
  8. Have the asset owners’ responsibilities been identified, and do they include:
    a. Ensuring appropriate classification
    b. Periodic review
  9. Have rules for acceptable use been identified, documented and implemented?
  10. Are users informed of the rules for acceptable use?
  11. Are assets classified in terms of their value, legal requirements, sensitivity and criticality to the organization?
  12. Does the classification take into account the need for sharing or restricting access to information?
  13. Has consideration been given to the process for de-sensitization of assets?

So you see it’s much more than just an Excel spreadsheet of computer names and departmental locations. To be ISO 27002 compliant that spreadsheet needs to have a lot of extra columns which cover all of the items mentioned above, and the IT auditors need to be checking assets to see if they are inventoried, classified, reviewed, maintained, and disposed of in accordance with ISO 27002 requirements.  In short, if ISO 27002 has the word “should” listed in § 7, it should be one of your audit questions.
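One way to turn the audit questions above into evidence rather than interview notes is to run a completeness check over the inventory export itself. The following Python is an added example, not from the original post, SANS or ISO: it maps several of the questions (owner assigned, classification present, recovery information recorded, periodic review performed) onto columns of a CSV export and returns one finding per gap. The column names, the sample rows and the one-year review threshold are constructed assumptions; a real inventory export will use its own column names and the organization’s own review interval.

```python
"""Added example (not from the SANS IT Audit blog or ISO 27002): a
completeness check over an asset inventory export, mapping the
auditor's questions onto columns.  Column names, sample rows and the
review threshold are constructed assumptions."""
import csv
import io
from datetime import date

# Columns derived from the audit questions in the post (constructed names).
REQUIRED_COLUMNS = [
    "asset_id", "asset_type", "owner", "location", "format",
    "classification", "business_value", "license", "backup",
    "recovery_info", "last_review",
]
# Constructed classification scheme; ISO 27002 leaves the scheme to the
# organization, so an audit would substitute the one actually adopted.
VALID_CLASSIFICATIONS = {"public", "internal", "confidential", "restricted"}

# Constructed sample export: the "spreadsheet of computer names" with the
# extra columns the post says ISO 27002 section 7 implies.
SAMPLE_CSV = """asset_id,asset_type,owner,location,format,classification,business_value,license,backup,recovery_info,last_review
SRV-001,server,finance-it,DC1 rack 4,physical,confidential,high,Win Server 2008,nightly,DR runbook 12,2010-09-01
WKS-042,workstation,,Bldg B 2F,physical,internal,low,Win XP,none,,2009-01-15
DB-007,database,dba-team,DC1,virtual,,high,n/a,hourly,DR runbook 3,2010-08-20
"""


def check_inventory(csv_text: str, today: date,
                    max_review_age_days: int = 365) -> list[str]:
    """Return one finding string per gap in the inventory; an empty list
    means every asset answered the mapped audit questions."""
    reader = csv.DictReader(io.StringIO(csv_text))
    findings: list[str] = []
    present = set(reader.fieldnames or [])
    missing_cols = [c for c in REQUIRED_COLUMNS if c not in present]
    if missing_cols:
        findings.append("inventory lacks columns: " + ", ".join(missing_cols))
    for row in reader:
        aid = row.get("asset_id") or "?"
        # Question 1: has an owner been identified?
        if not row.get("owner"):
            findings.append(f"{aid}: no owner assigned (ISO 27002 § 7.1.2)")
        # Question 11: is the asset classified under the adopted scheme?
        cls = (row.get("classification") or "").strip().lower()
        if cls not in VALID_CLASSIFICATIONS:
            findings.append(f"{aid}: classification missing or unrecognised (§ 7.2.1)")
        # Question 5a: information necessary to recover from a disaster
        if not row.get("recovery_info"):
            findings.append(f"{aid}: no disaster-recovery information recorded")
        # Question 8b: periodic review by the owner
        try:
            reviewed = date.fromisoformat(row.get("last_review") or "")
            if (today - reviewed).days > max_review_age_days:
                findings.append(f"{aid}: last review {reviewed} is older than "
                                f"{max_review_age_days} days")
        except ValueError:
            findings.append(f"{aid}: last_review missing or not an ISO date")
    return findings


if __name__ == "__main__":
    # Constructed audit date so the sample output is stable.
    for finding in check_inventory(SAMPLE_CSV, date(2010, 10, 1)):
        print("FINDING:", finding)
```

Each finding names the asset and the question it fails, so the working paper can cite the row in the organization’s own inventory as evidence; the auditor still has to sample physical assets against the export, since a complete spreadsheet says nothing about hardware that was never entered into it.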