Category Archives: Security

Software Components NOT Removed from Servers

left over partsWhile installing and configuring some new software on my Windows server, I noticed that the IT department forgot to remove some previous software components from my server.

I remember seeing the notice that the software was being uninstalled and replaced by another package.

I could have removed the left over components myself (I am admin on the server), but I wanted to see if they would ever be removed. Did the Windows server team forget about this, or did the team not concern itself with such things? Maybe the procedures don’t include a process to ensure all components are removed.

I waited about 2 months, but the components were not removed.

Continue reading

Leave a comment

Filed under Audit, Case Files, Security, Security Scout, Technology

Quote: Not Concerned about General Ledger Changes

Last week I was meeting with one of our company’s Accounts Payable clerks, who told me she was not concerned about some upcoming General Ledger changes.

2 changes that were submitted by developers on her behalf.

2 changes she didn’t know anything about, so she didn’t consider them her problem.

This post is a Quote of the Weak post. For more info on these types of posts, see the Quote of the Weak topic under About.

 

Continue reading

4 Comments

Filed under Audit, Case Files, Quote of the Weak, Security, Security Scope

Quote of the Weak: We Have a Plan to Address that Risk

As an auditor, I am told all the time by the business that “we have a current project plan that is addressing that risk”, which implies that I shouldn’t waste everyone’s time writing up an audit issue regarding the problem.

It means that the risk isn’t as big as it appears.

Really?

Continue reading

Leave a comment

Filed under Audit, Case Files, Humor/Irony, Quote of the Weak, Security

Some Periodic Reviews Provide Little Assurance

securityI’ve written before how some periodic reviews provide management with little assurance, but management doesn’t realize how little.

My previous post focused mostly on server access. In this post, I want to look at normal user access.

For example, let’s assume your company has a policy that states that all IDs must be assigned within an Active Directory group. In other words, IDs are assigned to groups, and groups are assigned to assets; IDs should not be assigned directly to an asset.

Assume the control you are testing states that user access is reviewed annually.

Continue reading

Leave a comment

Filed under Audit, Security, Technology

A Sneaky Way to Analyze IT Controls

When auditors need to identify and understand IT controls, they search the company intranet, review policies, look for Github repositories, review inventories, schedule meetings, and analyze IT asset data.

I stumbled on a better way to get insight into the IT controls in my company, and I didn’t have to email anyone, do any research, or frankly, anything outright. The IT controls came after me.

Fortunately, the IT controls were blind to the fact that I am an IT auditor. To them, I was just an ordinary bloke. But that didn’t last long (more on that later).

It Began a Few Years Back

It all started a couple years ago when I was building the infrastructure required to support our data analytic efforts in internal audit.

Continue reading

1 Comment

Filed under Audit, Case Files, Security, Technology

Quote of the Weak – Clean Data Manually

clean data manuallyIf you are in IT, audit, or security (or any other job requiring data analysis), you should NOT be cleaning data manually.

Let me share a recent experience with you….

A young IT auditor texted me at work and asked for some Active Directory user account data that I capture automatically every week, using some scheduled ACL scripts.

If you’re not familiar with my ‘Quote of the Weak’ series, I described it briefly in About. For a list of posts in this series, see here.

Continue reading

3 Comments

Filed under Audit, Case Files, Data Analytics, Excel, How to..., Quote of the Weak, Security, Technology

Job Automation Quiz

automation quiz

Test how much you know about automation technologies by taking the job automation quiz at Financial Management magazine.

Continue reading

Leave a comment

Filed under Audit, Free, Security, Technology

Bank Closes Account, Doesn’t Know Why

bank deposit boxRecently, a large U.S. bank was found to have created unauthorized accounts; a similar bank closed one of my accounts, but doesn’t know why it happened.

More than a decade ago, I opened a safety deposit box at a local bank (a very large U.S. bank that all U.S. residents would have heard of). This wasn’t my regular bank, as my bank didn’t have such boxes; I only went to this other bank when I needed to access my safety deposit box, which was not often.

Continue reading

8 Comments

Filed under Audit, Security

Audit Automation is NOT all Automation

audit automation ACLSome Chief Audit Executives (CAEs) and audit managers tend to think that audit automation is a set-it-and-forget-it process. NOT.

In this post, I want to expand on a problem I mentioned in an earlier post , 10 Signs Mgmt Doesn’t Really Support Analytics.

Audit management too often thinks that once a process or an audit is automated, ALL auditor/staff hours previously spent performing that process can be reassigned elsewhere.

That is not the case at all.

Continue reading

3 Comments

Filed under ACL, Audit, Data Analytics, Scripting (ACL), Security, Technology, Written by Skyyler

New IT Auditor (and WannaBEs) Master List

Here’s a list of all my posts to-date related to becoming or growing as an IT Auditor, all in one place for easy reference.
I’ll add other posts as they are written.

Continue reading

11 Comments

Filed under Audit, Employment, How to..., Security, Technology

The Simplest, Cheapest, and Most Effective Disaster Recovery Plan Ever

disaster-recovery-planAbout a decade ago, I personally witnessed the handover of the simplest, cheapest, and most effective disaster recover plan ever.

Let me first give you a little background….

I worked for a great IT director, who moved to another company, much bigger, and brought me with him.

In the new company, he again was responsible for all IT, and he brought me along to manage security and disaster recovery.

If I named this company, at least 25% of you would recognize it, even those of you around the world–true story, too.

Continue reading

6 Comments

Filed under Case Files, Humor/Irony, Security, Security Scout, Technology

Some of my Favorites

Since some of you are newer to the blog, I thought I’d bring a couple of my favorite posts to your attention.

Continue reading

Leave a comment

Filed under ACL, Audit, How to..., Security, Technology, Top 10

Safely Check Bad URLs

If you’re looking for a way to safely check URLs for bad content, Lenny Zeltser had a great list of free online tools for you.

Continue reading

Leave a comment

Filed under Free, How to..., Security, Technology

Behind Locked Doors: Conclusion

office doorMost of the team deployed to the 2 departments and started emptying wastebaskets in the ‘wastebasket audit‘ exercise, collecting all the trash in large carts on wheels.

Two others were posted as look-outs in the main hallways outside the target department.

I carried my black bag of tools and approached THE door.

I pulled out my favorite flat-head screwdriver. Originally, I was going to remove the closing arm at the top of the door and then pry the hinge pins out of the hinges.

This is the fifth and final post in a series. See the previous post, Behind Locked Doors: Part 4. Start with Behind Locked Doors: Part 1.

Continue reading

4 Comments

Filed under Audit, Case Files, fraud, Security, Technology

Behind Locked Doors: Part 4

office doorI had to get that database fast.

After a long security team meeting, garnished with lots of pepperoni and green olive pizza, we divided the staff into 2 teams.  Team A started scanning and probing the target department’s servers in search of vulnerabilities that would provide us with admin access over the network.

Team B started planning a physical intrusion in case Team A failed.

After a couple hours, I was notified that the vulnerability team came up short. None of the identified vulnerabilities could be used to escalate our permissions.

A member of the physical intrusion team called maintenance and requested help from a specific maintenance guy: Zeke. The security team member said that we “needed Zeke’s help locating an electrical breaker panel” in a certain department.

This is the fourth post in a series. See Behind Locked Doors: Part 3. The next post will be the conclusion.

Continue reading

Leave a comment

Filed under Audit, Case Files, fraud, Security, Technology

Behind Locked Doors: Part 3

batphoneA couple days after I provided Leeda with access to the suspect’s email, her number flashed on my phone again.

I picked up the phone and said, “Hi, Leeda. Find anything interesting in that guy’s email?” I  knew she wouldn’t tell me much, but I pried anyway. It was second nature.

I could hear the Internal Audit manager’s smile when she said,”Nice try, Mack. You know that street only goes one way, and you’re headed in the wrong direction.”

This is the third post in a series. See Behind Locked Doors: Part 2.

Continue reading

2 Comments

Filed under Audit, Case Files, fraud, Security, Technology

Behind Locked Doors: Part 2

batphoneThis time, it was my turn to call someone for help.

The phone rang half a ring before I heard a familiar “Hello?” on the other end.

“Hi, James, it’s Mack. I need a favor from you, and I need today, before 5 pm.”

“Not urgent, huh?”, James teased.

“Not really, I just need it today. And I need you to keep it quiet,” I warned.

This is the second post in a series. See Behind Locked Doors: Part 1.

Continue reading

6 Comments

Filed under Audit, Case Files, fraud, Security, Technology

Behind Locked Doors: Part 1

batphoneIt all started when the phone rang, which was typical.

Typical in the days when I was a security manager…

“Information Security, Mack here,” I said, as I continued to read the magazine in front of me.

“Hey Mack, this is Leeda. I need your help,” the voice said, as my mind started coming back online.

Leeda was a manager in Internal Audit; when I heard from her, it usually meant I had to carve a few weeks out of my schedule. Fast.

Continue reading

3 Comments

Filed under Audit, Case Files, fraud, Security, Technology

Quotes of the Weak (NOT)

Over the years, I think that Skyyler and I have penned some pretty funny lines.

If you’re in the mood for some humor, read on and discover why these lines appeared in these posts.

Usually, we were making a serious point in a comical way.

Continue reading

8 Comments

Filed under Audit, Humor/Irony, Quote of the Weak, Security, Technology, Written by Skyyler

Library: Never the Twain Shall Meet

cardCatalogDuring a recent visit to a library near you, I was trying to find a book via the online card catalog.

[I remember when card catalogs were on actual cards, in drawers, like the one pictured. Yikes!]

I was trying to find a book by someone who runs an analytics blog that I frequent, but I couldn’t remember the guy’s last name.

Continue reading

2 Comments

Filed under Security, Security Scout, Technology

CISSP isn’t as technical anymore


Several of my friends passed the CISSP exam recently, and told me that it isn’t as technical as I told them it would be.

They said it was more of a security manager certification.

Continue reading

11 Comments

Filed under Certification, Security

Recover Pictures from SD Card

Recently a friend of mine went to Europe and took almost a 1000 pictures that she saved on 2 SD cards.

When she arrived back in the states, one of the cards could not be read by her camera or her PC. The card was corrupted.

Continue reading

4 Comments

Filed under How to..., Security

Excel: Basic Data Analytics

basic data analytics1Here’s a list of my basic data analytic procedures for Excel.

As I add more posts to the series, I’ll update this list.

I created this series because:

1) I often get asked by new AND EXPERIENCED auditors how to do these tasks,

2) when I review workpapers, I realize too many auditors are not aware of these functions,

Continue reading

26 Comments

Filed under Audit, Data Analytics, Free, How to..., Security

Reader Poll: Who R U?

I’d like to get a better feel for my readers, so please take the following poll.

I’ve leaving this poll open throughout 2015, so no matter when you see this, please vote. Thanks!

Continue reading

14 Comments

Filed under Audit, Poll, Security, Technology

CISSP CBK Changes

Effective April 15, 2015, the CISSP Common Body of Knowledge (CBK) is changing, which affects the CISSP exam and CPEs.

Continue reading

6 Comments

Filed under Certification, Security

SONY stored Passwords in Password Directory

And in unprotected documents.

Lots of passwords. Lots of documents. Lots of easy access.

Continue reading

2 Comments

Filed under Audit, Humor/Irony, Security

FREE CISSP Cert Webcasts from ISC2

ISC2, the organization that awards the CISSP certification, provides 1 FREE webcast about the 10 CISSP security domains, as well as several FREE webcasts about the CISSP concentrations.

Continue reading

9 Comments

Filed under Certification, Security

Don’t Use GRC app to do Workpapers!

eat internal audit dog foodI consulted with a company that implemented a new GRC package, and unfortunately they are using an application designed for GRC to do audit workpapers.

That wasn’t the only move that was questionable…

Continue reading

11 Comments

Filed under Audit, Security, Security Scout, Technology

Free CISSP Review Material, Practice Exams

I just found some more FREE CISSP review material and practice exams. One exam is 100 questions, the other 250.

Continue reading

6 Comments

Filed under Certification, Free, Free Download, Security

Server Audit for the Dauntless

dauntless server auditIf you’re looking for an insightful server audit, and you’re dauntless, you might want to jump on this train.

First, why do you need to be dauntless?

Because you’re going to need to obtain your data from a number of different sources; the bigger your company, the more likely you’ll need to call on and question more than a handful of people.

Because comparing and tracking all the servers that are on one list, but not another can be a challenge.

Because it his highly LIKELY that you WILL find something and the server team will not be happy.

Continue reading

5 Comments

Filed under Audit, How to..., Security, Technology

Data Center Failure: Conclusion

conclusion: sad faces

In previous posts, I described how I gained access to the data center area and then the data center proper.

I had bypassed door #1 and door #2.

My new colleagues were not happy.

Continue reading

Leave a comment

Filed under Case Files, Security, Security Scout

Data Center Failure: Going Behind Door #2

drop ceilingIn my previous post, I described a data center failure that I discovered as the newly hired security manager of a prominent company.

In this post, I describe my next adventure.

NOTE: Some of the details below were changed a bit to protect the guilty. I tweaked their noses enough. :)

Continue reading

1 Comment

Filed under Case Files, Security, Security Scout

Data Center Failure

Data Center FailureOne company I worked at had a sad data center failure, and I’m not talking a power outage or a fire or theft.

When I arrived at this company, it had no security department. Few security processes. Little security.

And the company also made two interesting mistakes when it hired me.

Continue reading

2 Comments

Filed under Audit, Case Files, Security, Security Scout

Infographic: Profile of a Fraudster

profile of a fraudsterThe Association of Certified Fraud Examiners recently posted an infographic entitled: Profile of a Fraudster.

Continue reading

4 Comments

Filed under Audit, Security

Security Failure: Empty Your Drawers

empty your drawersI was visiting a dear friend recently when I happened upon a security failure.

My friend lives in an upscale, assisted living facility and recently had thousands of dollars withdrawn from her accounts via ATM.

Continue reading

3 Comments

Filed under Security, Security Scout

FREE Frank (Catch Me If You Can) Abagnale video

pan am pilot frank abagnale catch me if you canFrank Abagnale, the real-life con artist depicted in the Catch Me if You Can movie, talks about his life as a fraudster in a free video.

Back in the 1960s, Abagnale posed as an Pan Am airline pilot, a pediatrician, an FBI agent, and a lawyer. He was a master at conning people and passing bad checks. He even conned his dad (see ‘First Con’ heading).

Continue reading

2 Comments

Filed under Audit, Free, Security

Periodic Access Review Problems

One of my current clients is trying really hard to do periodic access reviews.

They know that mistakes are made in granting access, that users get access and eventually don’t need it anymore, but don’t tell anyone, and that some users leave the company without their manager’s knowledge (I never have understood how that happens, but it does; it has happened in every Fortune 500 company in which I’ve worked).

Continue reading

8 Comments

Filed under Audit, Security, Technology

FREE Global Security Resource Guide

ISC2.org, the organization that grants the CISSP certification, has a great, online, FREE global security resource guide.

No membership, certification, or log-in required!

Update 1-11-14: See Kim White’s comment below about availability of this resource. If it is made public, I will link to the new version. The “remove this post now” comment makes me wonder if it’s coming back for public consumption*. – Mack

Continue reading

2 Comments

Filed under Audit, Free, Security

How to Ping a Server

If you’re an IT auditor or security analyst and you don’t know how to ping a server, then I have some words for you:

LEARN HOW!

So let’s do it.

I’m assuming most of my readers already know how to do this. If so, please answer the poll question at the bottom. If not, please read on, then answer the poll question. Thanks!

Continue reading

8 Comments

Filed under Audit, How to..., Poll, Security, Technology

Free CISA Prep: Self-Assessment Exam

cisa study guide, tipsIf you’re planning to take the CISA exam, you need to take ISACA‘s own CISA Self-Assessment exam (get it here).

The exam consists of 50 questions that allow exam candidates to “assess their knowledge of the CISA job practice areas and determine in which information security areas they may have strengths and weaknesses.”

Continue reading

2 Comments

Filed under Audit, Certification, Free, Security

FREE Infosec & Web Pentesting Education

Security Monkey posted that PentesterLab has some great resources that provide training on pentesting, like:
  • Basics of Web
  • Basics of HTTP
  • Detection of common web vulnerabilities:
  • Basics of fingerprinting
  • and more! (like Linux Host Review)

Continue reading

Leave a comment

Filed under Audit, Free, Free Download, Security

Ask a Question

This post is the parking lot for questions that don’t necessarily relate to one of my posts.

If you want to ask a question, post it here.

Continue reading

48 Comments

Filed under Audit, Security, Technology

Why CISSP?

This post answers these questions: Why get the CISSP certification? What has it done for me? What else do I need to know?

Charles, one of my readers, asked me, “Do you have postings related to CISSP?” Not many, but here’s one….

Continue reading

55 Comments

Filed under Audit, Certification, Security, Technology

Master List of CISA Articles

cisa study guide, tipsTo make these posts easier to find (and link to), here’s a list of all the CISA-related posts on this blog, in alphabetical order.
I’ll add other CISA posts as they are written.

Continue reading

9 Comments

Filed under Audit, Security, Technology

FREE CISA Glossary

cisa study guide, tipsISACA has a free glossary of IT, audit, and security terms that is not only helpful in studying for the CISA exam, but is a good reference guide for new and experienced auditors.

Continue reading

3 Comments

Filed under Audit, Free, Security, Technology

UnNeighborly Security

Hack me now!I recently ran into some unneighborly security. It happens all the time to those of us who know how to build, upgrade, secure, and troubleshoot hardware and software.

I’m over at my neighbor’s house and he says, “Hey, you work with computers, so can you take a look at mine?”

There goes the afternoon.

Continue reading

4 Comments

Filed under Security, Security Scout, Technology

How to Audit User Access

How to Audit User AccessWhen checking system access, make sure you look at all the different items that affect the user’s access. For example, the user might need one or more of the following:

  • Application ID
  • Application role or group
  • Membership in an local server group, Active Directory (AD) group, or UNIX Group
  • Access to the application’s share and/or folder on the server
  • Database ID
  • Database role, including access permissions (read/write)
  • Other permission (from a home-grown application code or enterprise identify management system)

Continue reading

7 Comments

Filed under Audit, How to..., Security, Technology

CISA vs. CIA Certification

cisa study guide, tipsIf you’re an IT auditor (or want to be one) and don’t have any audit certifications, which certification should you get, the CISA or the CIA? If you want to get both, which one do you get first?

Full disclosure: I have the CISA, but not the CIA. Back when the CIA was 4 exams, I studied for all the CIA exams except the financial exam, but ended up not taking any of the exams. I also have the CISSP.

Continue reading

176 Comments

Filed under Audit, Certification, Security, Technology