I’ve written before how some periodic reviews provide management with little assurance, but management doesn’t realize how little.
My previous post focused mostly on server access￼. In this post, I want to look at normal user access.
For example, let’s assume your company has a policy that states that all IDs must be assigned within an Active Directory group. In other words, IDs are assigned to groups, and groups are assigned to assets; IDs should not be assigned directly to an asset.
Assume the control you are testing states that user access is reviewed annually.
This is Part 4 of a Case File series that describes how real auditors tried to apply questionable methods to auditing and data profiling. See Part 1, Part 2, Part 3.
Does the Process X team provide metrics around their process?” I asked.
“Yes,” the most senior auditor replied, showing me the web page where the Process X metrics were displayed.
After reviewing the page briefly, I said, “I see they do metrics by month. You have a year’s data; are you planning to understand how they prepare their metrics and re-calculate them to see if you get the same numbers?”
This is Part 3 of a Case File series that describes how real auditors tried to apply questionable methods to auditing and data profiling. See Part 1 and Part 2.
I looked at the third page of the handout and asked, “What is this?”
“A list of Active Directory (AD) groups and the user IDs in each group. I searched AD for any group containing the system name,” the junior auditor said, “and identified these 6 groups. I then downloaded all the members of these groups from AD into Excel.”
Some auditors struggle with basic auditing. So when these auditors try to data analysis, well you can imagines how that goes.
I recently met with a team of auditors to give them input on what data profiling would be appropriate to perform. And what analytics might be insightful.
This is Part 1 of a 4-part Case File series that describes how real auditors tried to apply questionable methods to auditing and data profiling. Do not try these methods at home or work. Don’t even dream about them, awake or asleep.
Here’s a way to automate the download of data from Active Directory (AD), specifically group members, into ACL using adfind and the ACL Execute command.
I’ll walk you through it step-by-step.
Even if you don’t use ACL, you might gain a better understanding of AD and LDAP in general….
If you’re looking for an insightful server audit, and you’re dauntless, you might want to jump on this train.
First, why do you need to be dauntless?
Because you’re going to need to obtain your data from a number of different sources; the bigger your company, the more likely you’ll need to call on and question more than a handful of people.
Because comparing and tracking all the servers that are on one list, but not another can be a challenge.
Because it his highly LIKELY that you WILL find something and the server team will not be happy.
Here’s my list of IT/security basics that I think IT auditors ought to know. If you can’t understand and audit these items, you do not know enough about technology to avoid having the wool pulled over your irises (not matter how good an auditor you are). The list is in no particular order.
If you’re a CISA or CISSP and you don’t know the following, I think you have some work to do.