At a company I worked at recently, I ran across a SharePoint site and wondered whether I could download data that I wasn’t supposed to see.
Now I understand the purpose of SharePoint and company intranets is to share data, but even then, some data should be restricted to a limited number of people.
So I decided to check (before doing things like this, you better know How to Stay Out of Jail).
Continue reading →
Filed under Audit, Excel, How to..., Security, Security Scout, Technology
Tagged as access, account, anonymous, authentication, database, download, excel, failure, intranet, lotus notes, permission, rights, risk, search, Security, sharepoint, stay out of jail
If you’re looking for an IT Audit job, here’s how to use LinkedIn to get noticed.
In a nutshell, you need to enhance your LinkedIn profile so that everyone knows you’re working hard at learning IT auditor skills.
If you’re already working as an IT auditor, use these suggestions to get noticed more and move ahead (or into another company with more opportunities).
Continue reading →
Filed under Audit, Certification, Employment, How to..., Technology
Tagged as acronymn, buzzword, certification, cisa, Employment, experience, group, it audit, job, LinkedI, new, profile, recommendation, recruiter, reference, search, typo
Have you been following the “Optimizing Script Performance” series on the ACL Blog? aclkevin has been offering some great tips.
In case you missed them:
Continue reading →
Filed under ACL, Data Analytics, Scripting (ACL), Written by Skyyler
Tagged as acl, command, computed, extract, field, group, kevin, keywork, optimize, presort, script, search, tips
PSPad is a great text editor and search tool, so by default, it’s a great audit tool, and it’s free. It can also handle a million lines of text–literally. Are you interested yet? It is also one of the great file diff/compare tools I’ve ever seen.
PSPad works with text files, such as those ending in TXT or CSV, or any text-based file (like an ini file). It works with DOC files too.
I’ll explain how to do the following with PSPad:
- Search a file (find all lines containing X)
- List all occurrences/matches of a search term
- Export a list of occurrences
- Compare 2 documents (diff)
- Download & install PSPad
Continue reading →
Filed under Audit, Free, How to..., Security
Tagged as Audit, claro, compare, csv, diff, difference, download, export, fast, file, find, free, install, match, pricegong, pspad, regclean pro, search, software, text, tool
I recently downloaded the contents of a Lotus Notes Domino database to Excel without any access to the database. If you’ll recall, I do audit consulting, and was performing an audit at a Fortune 100 company.
Continue reading →
Filed under Audit, Excel, How to..., Security, Technology
Tagged as access, account, authentication, database, download, excel, intranet, lotus notes, rights, search
A while back when I worked in IT security, an internal attacker popped up on our radar…
I answered the phone and heard a tech from the anti-malware team say, “I think we have a problem, Mack. Got some time to come down and see what I found?”
Continue reading →
Filed under Case Files, Security, Security Scout
Tagged as antivirus, attacker, contractor, hacking, internal, Lynn, Mack, malware, pipl, search, Security, trap
Here are a couple of tips for making your IT audits a bit easier in the new year.
First, for those systems that don’t record the creation or deletion date of user accounts (or folders, permissions, or whatever), get a list of all accounts from IT in January. Then when you do the audit later in the year, get a new list and compare it with the January list. The new and deleted accounts will jump out at you.
Continue reading →
Filed under Audit
Tagged as account, Audit, centralize, future, January, list, new year, paper, risk, search, tips, to do, work
I was visiting a friend at a large public company doing some benchmarking when we had to schedule several meetings with IT to gather data. My friend “Meako” started entering attendees into his online calendar to see whether we could get some important meetings scheduled during the next week.
Continue reading →
Filed under Audit, How to..., Security, Security Scout
Tagged as calendar, confidential, database, free busy, google, GOOJ, insecure, intranet, lawsuit, private, schneier, search, secrets, Security Scout, server, sharepoint, tivoli, tradeoff
Okay, so you’re not up to a wastebasket audit? Too demeaning, too sneaky, too many sticky candy wrappers? How about a simple server share audit?
Many companies have shared drives, and then they have “over-shared” drives, those locations where anyone who needs a space can store files that they share with a couple of departments. Or perhaps your company just doesn’t lock its shares according to the least privilege principle.
Continue reading →
Filed under Audit, How to...
Tagged as appraisal, Audit, confidential, demotion, easy, encryption, intellectual property, lawsuit, least privilege, medical history, naked, nude, password, PII, porn, salary, search, server, sex, share, social security, SSN, theft, trade secret, wastebasket audit, xxx