Tag Archives: Security

Couple of Favorite Posts

I thought I’d lead you on a backward journey to explore some of my favorite posts. Just for fun, notice the year some of these posts were written.

I’ve picked several posts that are a bit different from each other. Most likely, you haven’t seen most of these posts.


Filed under ACL, Audit, Case Files, How to..., Humor/Irony, Quote of the Weak, Security Scout, Technology

Software Components NOT Removed from Servers

While installing and configuring some new software on my Windows server, I noticed that the IT department forgot to remove some previous software components from my server.

I remember seeing the notice that the software was being uninstalled and replaced by another package.

I could have removed the leftover components myself (I am admin on the server), but I wanted to see if they would ever be removed. Did the Windows server team forget about this, or did the team not concern itself with such things? Maybe the procedures don’t include a process to ensure all components are removed.

I waited about 2 months, but the components were not removed.


Filed under Audit, Case Files, Security, Security Scout, Technology

Create a Help Desk for Data

Companies need to create a help desk for data, similar to the help desk they created for hardware, software, application, network, and user problems.

Can you imagine if companies didn’t have a computer help desk and each department had to figure out its own computer issues? If each department had to find, load, configure, and troubleshoot its own hardware and software?

But isn’t that how most companies operate when it comes to data and data projects?


Filed under Audit, Data Analytics, How to...

Mack-the-Auditor Gets Audited! Part 2


This is the second of 3 posts; this post describes the audit, some speed bumps, and the audit results.

Read the first post here, which provides the background on the audit and the audit’s scope.


1 Comment

Filed under ACL, Audit, Case Files, Data Analytics, Scripting (ACL)

Job Automation Quiz


Test how much you know about automation technologies by taking the job automation quiz at Financial Management magazine.


Filed under Audit, Free, Security, Technology

Careers After IT Auditing

Recently, a reader named Porak asked me what careers IT auditors can move to when they leave auditing (see the original question here).

I couldn’t find much on the Internet on this topic, but there are a lot of options.

I’ve actually worked in quite a few of the areas mentioned below…


16 Comments

Filed under Audit, Employment, How to..., Technology

Do you have User IDs Hidden in the Cloud?

It’s 10 o’clock in the cloud. Do you know where all your user IDs are? Are some hidden in the cloud?

Cloud security is often cloudy because it’s not on premises, where you can control it more easily.

That means you may have powerful user IDs in the cloud that your security team knows nothing about, which means….


2 Comments

Filed under Audit, Case Files, Technology

Mack Falls Prey to Phishing Email

It finally happened: I fell prey to a phishing email.

I actually clicked a link.

At work, no less. Not good.


3 Comments

Filed under Audit, Employment, Humor/Irony

Dilbert Does Big Data

If you like Dilbert cartoons or big data, you might enjoy Dilbert’s adventures in data analysis, data mining, data privacy, security, and dealing with a dumb manager.


Filed under Audit, Data Analytics, Humor/Irony

Behind Locked Doors: Part 4

I had to get that database fast.

After a long security team meeting, garnished with lots of pepperoni and green olive pizza, we divided the staff into 2 teams. Team A started scanning and probing the target department’s servers in search of vulnerabilities that would provide us with admin access over the network.

Team B started planning a physical intrusion in case Team A failed.

After a couple hours, I was notified that the vulnerability team came up short. None of the identified vulnerabilities could be used to escalate our permissions.

A member of the physical intrusion team called maintenance and requested help from a specific maintenance guy: Zeke. The security team member said that we “needed Zeke’s help locating an electrical breaker panel” in a certain department.

This is the fourth post in a series. See Behind Locked Doors: Part 3. The next post will be the conclusion.


Filed under Audit, Case Files, fraud, Security, Technology

Behind Locked Doors: Part 2

This time, it was my turn to call someone for help.

The phone rang half a ring before I heard a familiar “Hello?” on the other end.

“Hi, James, it’s Mack. I need a favor from you, and I need today, before 5 pm.”

“Not urgent, huh?”, James teased.

“Not really, I just need it today. And I need you to keep it quiet,” I warned.

This is the second post in a series. See Behind Locked Doors: Part 1.


6 Comments

Filed under Audit, Case Files, fraud, Security, Technology

Behind Locked Doors: Part 1

It all started when the phone rang, which was typical.

Typical in the days when I was a security manager…

“Information Security, Mack here,” I said, as I continued to read the magazine in front of me.

“Hey Mack, this is Leeda. I need your help,” the voice said, as my mind started coming back online.

Leeda was a manager in Internal Audit; when I heard from her, it usually meant I had to carve a few weeks out of my schedule. Fast.


3 Comments

Filed under Audit, Case Files, fraud, Security, Technology

CISSP CBK Changes

Effective April 15, 2015, the CISSP Common Body of Knowledge (CBK) is changing, which affects the CISSP exam and CPEs.


6 Comments

Filed under Certification, Security

FREE CISSP Cert Webcasts from ISC2

ISC2, the organization that awards the CISSP certification, provides 1 FREE webcast about the 10 CISSP security domains, as well as several FREE webcasts about the CISSP concentrations.


9 Comments

Filed under Certification, Security

Don’t Use GRC app to do Workpapers!

I consulted with a company that implemented a new GRC package, and unfortunately they are using an application designed for GRC to do audit workpapers.

That wasn’t the only move that was questionable…


11 Comments

Filed under Audit, Security, Security Scout, Technology

Free CISSP Review Material, Practice Exams

I just found some more FREE CISSP review material and practice exams. One exam is 100 questions, the other 250.


6 Comments

Filed under Certification, Free, Free Download, Security

Security Failure: Empty Your Garage

When I was visiting a friend, she told me that her garage door opener no longer worked. For once, I did not expect to find any security failures.

Occasionally, I am wrong.


3 Comments

Filed under Security Scout, Technology

Data Center Failure

One company I worked at had a sad data center failure, and I’m not talking about a power outage or a fire or theft.

When I arrived at this company, it had no security department. Few security processes. Little security.

And the company also made two interesting mistakes when it hired me.


2 Comments

Filed under Audit, Case Files, Security, Security Scout

Security Failure: Empty Your Drawers

I was visiting a dear friend recently when I happened upon a security failure.

My friend lives in an upscale, assisted living facility and recently had thousands of dollars withdrawn from her accounts via ATM.


4 Comments

Filed under Security, Security Scout

Periodic Access Review Problems

One of my current clients is trying really hard to do periodic access reviews.

They know that mistakes are made in granting access, that users get access and eventually don’t need it anymore, but don’t tell anyone, and that some users leave the company without their manager’s knowledge (I never have understood how that happens, but it does; it has happened in every Fortune 500 company in which I’ve worked).


8 Comments

Filed under Audit, Security, Technology

FREE Global Security Resource Guide

ISC2.org, the organization that grants the CISSP certification, has a great, online, FREE global security resource guide.

No membership, certification, or log-in required!

Update 1-11-14: See Kim White’s comment below about availability of this resource. If it is made public, I will link to the new version. The “remove this post now” comment makes me wonder if it’s coming back for public consumption*. – Mack


2 Comments

Filed under Audit, Free, Security

FREE Infosec & Web Pentesting Education

Security Monkey posted that PentesterLab has some great resources that provide training on pentesting, like:
  • Basics of Web
  • Basics of HTTP
  • Detection of common web vulnerabilities
  • Basics of fingerprinting
  • and more! (like Linux Host Review)


Filed under Audit, Free, Free Download, Security

FREE CISA Glossary

ISACA has a free glossary of IT, audit, and security terms that is not only helpful in studying for the CISA exam, but is also a good reference guide for new and experienced auditors.


3 Comments

Filed under Audit, Free, Security, Technology

UnNeighborly Security

I recently ran into some unneighborly security. It happens all the time to those of us who know how to build, upgrade, secure, and troubleshoot hardware and software.

I’m over at my neighbor’s house and he says, “Hey, you work with computers, so can you take a look at mine?”

There goes the afternoon.


4 Comments

Filed under Security, Security Scout, Technology

CISA vs. CIA Certification

If you’re an IT auditor (or want to be one) and don’t have any audit certifications, which certification should you get, the CISA or the CIA? If you want to get both, which one do you get first?

Full disclosure: I have the CISA, but not the CIA. Back when the CIA was 4 exams, I studied for all the CIA exams except the financial exam, but ended up not taking any of the exams. I also have the CISSP.


176 Comments

Filed under Audit, Certification, Security, Technology

IT Admin vs. IT Auditor

IT admins and IT auditors often don’t see eye-to-eye, and they don’t usually think their goals are similar.

The IT auditor just has to work a little harder to convince the IT admin of that. I’ve worn both hats, so I know it can be done.


5 Comments

Filed under Audit, Security

Twitter Hacked Again, Change Password

Twitter said that it was hacked again on Friday, 2/1/13, and attackers gained access to 250,000 accounts and passwords.

Twitter says the passwords were encrypted, the intrusion was limited, and everyone’s taxes are going down soon (okay, I was kidding about the last one). It’s always hard to sort out what is true and how much of the truth is told, so regardless of what Twitter says, change your password.


1 Comment

Filed under Security

Why U Should Question Security Questions

Every once in a while I question security controls, and the latest one I questioned was security questions.

I’m talking about those questions that financial sites like banking and credit card sites ask you when you log in. Not the ones used to reset your password (although this post applies to them too).

No, this won’t be a rant about the stupid questions that sites give you to choose from, such as your mother’s maiden name or your favorite color. I gave up questioning those issues long ago.


Filed under Security, Security Scout

Biggest Problem in Computer Security

What’s the biggest problem in computer security, according to valsmith at carnal0wnage.attackresearch.com? Well, it’s…

Staffing.

As the author admits, the post leans toward self-promotion of the company, but it makes many good points and deserves a read and a good pondering.


Filed under Audit, Security

Important update regarding your LinkedIn password = SPAM?

A friend of mine received the following email on Friday, 2 full days after the LinkedIn attack was made public, titled “Important update regarding your LinkedIn password”. Here’s the text she received, addressed to her by her first and last name:

[see UPDATE below]


6 Comments

Filed under Security

LinkedIn Hack: Don’t Just Change Password, Reconfigure


We all know that LinkedIn was hacked and lost at least 6.5 million hashed passwords, or at least that’s how many were posted. Besides changing passwords, is anyone thinking about their LinkedIn lock-down/security settings? What about other social media? See below for instructions on locking down LinkedIn, Facebook, Twitter, and Google+.


3 Comments

Filed under Free, Security

Security Diagram and SOX Space Lazer

I recently found a Sarbanes-Oxley (SOX) Space Lazer (sic) on a network security diagram. No kidding. The following items also appeared:

  • Interstate 495
  • Wang 5000
  • Batphone
  • Peanut butter
  • Printer of evil
  • Gene Hackman
  • Automated Retirement Party Flyer Generation Appliance


Filed under Humor/Irony, Security, Technology

Internal Attacker Detected: Part 1

A while back when I worked in IT security, an internal attacker popped up on our radar…

I answered the phone and heard a tech from the anti-malware team say, “I think we have a problem, Mack. Got some time to come down and see what I found?”


3 Comments

Filed under Case Files, Security, Security Scout

Top 10 Reasons NOT to Virtualize

Trend Micro’s Dave Asprey has posted 10 reasons not to virtualize.

I generally disagree with all of them (as I’ll explain later), but I think he missed the REAL #1 reason not to virtualize…


Filed under Technology, Top 10

How Virtualization Changes Audits

If you haven’t determined how server virtualization changes your audit plans, you better get moving. I’m not just talking about a virtualization audit (more on that later), but the audits that you typically do every year or on a multi-year cycle.

For example, if every year you do an audit on all networks, servers, applications, and databases that host your key financial reporting or PHI systems, you’re looking at policies and procedures, configuration management, security (including patching), user access, logging, and so on. But do you first consider whether those assets run on virtualized servers?


2 Comments

Filed under Audit, How to..., Security, Technology

Firewalls vs. Fire Hydrants

I recently stumbled across an article discussing how to choose an outside IT auditor by Kevin Beaver that stated, “With a few exceptions, auditors aren’t highly technical”–and may not need to know the difference between firewalls and fire hydrants.

If you know me, you know the non-technicality of many IT auditors really bangs my keyboard (see the CISA posts listed below). An IT auditor who doesn’t have technical knowledge about IT is like a person who washes dishes without water.


5 Comments

Filed under Security, Technology

Bruce Schneier Useless Fun Facts

If you have any idea of who Bruce Schneier is, you have to check out http://www.schneierfacts.com/. It is useless funny facts about Bruce a la Chuck Norris. Try not to LOL.


2 Comments

Filed under Humor/Irony, Security

Top 7 Reasons for Security Certification

Here are my top 7 reasons for getting a security certification:

  1. It opens the hiring door. Or more simply stated, employers are looking for them. More and more, if you’re not certified, your resume won’t get past Human Resources. When they scan your application and resume, you’ll end up in the digital delete bucket if the screening software doesn’t see those special letters (CISSP, GIAC, CISA, CCSP, CISM, etc.).

31 Comments

Filed under Audit, Certification, Security, Technology, Top 10

Security Certs for Commoners? Nope

SC Magazine’s CISSP! Who Cares? article says that security certifications are not as valuable as they used to be because they are rather commonplace. Too many people going for the same job have the same qualifications. However, that is not my experience, and I disagree with some of the article’s statements.

I earned my CISSP more than 5 years ago. Let’s take a look at a couple companies I’ve worked for and count the CISSPs…


3 Comments

Filed under Security

My Blog Comment Deleted!

I left what I considered a thoughtful comment on another security blog, but my comment was deleted. Denied. Ignored.

Read about what happened in Creating a Culture of Security and my thoughts about it, which I added at the end of that post.

Ever had a similar experience? Think I got carried away? Afraid to leave a comment of your own? Let me know about it here.


7 Comments

Filed under Security

Pathetic Password Help Pages

I found some really pathetic password help pages on a company’s intranet while I was there visiting.

This is a large company that most people would recognize, and it is subject to plenty of government regulations. Overall, I’ve heard the security is pretty tight, but since I’ve never worked there, I can’t speak from experience. Except, that is, the experience I mentioned in an earlier post, Randomly Generate Weak Passwords. Perhaps all their security is what Bruce Schneier likes to call “security theater.”


2 Comments

Filed under Audit, Humor/Irony, Security, Security Scout

Shipley on Security Spend

Greg Shipley, founder of Neohapsis, wrote an article in Information Week magazine, this time about how ineffective most of the money spent on security defenses is against the attacks we’re facing. It’s not a short article, but as I’ve said before, Shipley is always worth reading. Here’s what I found most interesting in the article:

  • “Deficiencies, even in our security technologies, are an unfortunate fact of life,” says Shipley.


Filed under Security

Securing Virtual Servers

Here’s my take on the issues that I found with the following quote from SC Magazine (for more info, see Quote of the Weak (Securing Virtual Servers)):

We don’t treat the virtualization servers any different than the physical servers when it comes to security. We treat them the same. Security is security.


Filed under Quote of the Weak, Security

Quote of the Weak (Securing Virtual Servers)

When I read the following in SC Magazine, my brain identified and attempted to process so many issues at once that I experienced multiple memory and neural page faults and felt physical pain:


Filed under Quote of the Weak, Security

Security is Too Much Trouble, Too Complicated

I was thinking about why people don’t take the time and effort to practice good computer security–and then I remembered two things:


1 Comment

Filed under Security

How to Pass Certification Exams

Getting ready to take the CISA, CISM, CISSP, CIA, PMP, MCSE, or other certification exams? Here’s what you need to do to pass those tests:


12 Comments

Filed under Audit, Certification, How to..., Security, Technology

Simple Audit Success Formula

I am often amused how common sense is paraded as a solution (aka “how to write a post about anything”).

When you consider the bullet points in 5 Tips to Survive a Social Media Disaster, you can see that those actions can be applied to many issues, including one of our favorite subjects, auditing.


Filed under Audit