A new IT auditor needs some help dealing with database patching issues and how far you need to dive into technology during an IT audit.
Take a moment to read his comment and add your thoughts. I’ve put in my 2 cents. Let’s get a good discussion going.
I think any auditor can chime in, as audit scope and audit limitations are not unique to IT audit.
Dinesh’s comment appears in What IT Auditors Ought to Know – and Don’t!
Bruce Schneier has written about and compiled some great info and links regarding the market for creating and selling zero-day exploits in his Crypto-Gram newsletter.
Here are some highlights:
Bot net trends are changing, according to an Information Week article. Tim Wilson notes the following:
- Overall, bot net activity is picking up after a late 2010 lull.
- Large bot nets will be aggressive in capturing more computers for their kingdom. Bot nets will attempt to steal seats from their competition, patching the computers they take over so as to defend themselves against other thieves.
- Social networks are becoming the command points for bot nets.
- Similar to the SETI programs where you can donate some of your computer’s processing capacity to search for alien intelligence, some bot nets are becoming opt-in so that you can participate in politically-based bot net activity.
- Small botnets are being used more effectively, as they are harder to detect.
Read all about it at Botnets Coming Roaring Back in New Year.
Greg Shipley, founder of Neohapsis, wrote an article in Information Week magazine, this time about how ineffective most of the money spent on security defenses is against the attacks we’re facing. It’s not a short article, but as I’ve said before, Shipley is always worth reading. Here’s what I found most interesting in the article:
- “Deficiencies, even in our security technologies, are an unfortunate fact of life,” says Shipley.
As an auditor, I’ve been accused many times of looking for trouble. I have to admit that it’s true, because that’s my job. But too often, trouble comes looking for me. Sure it makes my job easier, but it also makes me scratch my head.
When I was in IT operations, before I got into security and audit, I was always thorough and followed common sense and company policy. However, any projects that I was doing that might draw the eyes of either of those departments, I double-checked prior to delivery. Most bosses don’t like surprises, and I was always a details guy. Besides, why poke the bear?
Lenny Zeltser suggests 5 steps that mid-market organizations can take down the security path:
- Identify key data flows
- Understand user interactions
- Examine the network perimeter
- Assess the servers and workstations
- Look at the applications