Recently, a reader named Porak asked me what careers IT auditors can move to when they leave auditing (see the original question here).
I couldn’t find much on the Internet on this topic, but there are a lot of options.
I’ve actually worked in quite a few of the areas mentioned below…
Filed under Audit, Employment, How to..., Technology
It’s getting to the point where some audit directors are saying, “No bad audit reports allowed.” In other words, don’t shoot the messenger, just the message. What follows is an experience from one of my audit colleagues…
First, a couple of “I know” statements… I know auditors are supposed to be helpful and friendly. I know auditors are supposed to add value. I know auditors need to be careful about giving only bad news; we should also note in our report what the auditee is doing right (if anything). I know that it’s hard for auditees to get hammered again and again by audit reports.
Filed under Audit, Technology
Bruce Schneier has written about and compiled some great info and links regarding the market for creating and selling zero-day exploits in his Crypto-Gram newsletter.
Here are some highlights:
Filed under Security
Greg Shipley, founder of Neohapsis, wrote an article in Information Week magazine, this time about how ineffective most of the money spent on security defenses is against the attacks we’re facing. It’s not a short article, but as I’ve said before, Shipley is always worth reading. Here’s what I found most interesting in the article:
- “Deficiencies, even in our security technologies, are an unfortunate fact of life,” says Shipley.
Filed under Security
Here’s my take on the issues I found with the following quote from SC Magazine (for more info, see Quote of the Weak (Securing Virtual Servers)):
We don’t treat the virtualization servers any different than the physical servers when it comes to security. We treat them the same. Security is security.
Filed under Quote of the Weak, Security
If you work in information security or IT audit (and I don’t mean IT SOX audit), I’d advise you to carry a “get-out-of-jail” (GOOJ) card at all times. In short, get permission before you do your dirty work.
Filed under Audit, Security
A short while back, I attended a meeting in the basement of a branch of a major, national bank. The bank didn’t know whether I was a hacker or not, but I was allowed in (kind of invited) anyway.
Filed under Audit, Security, Security Scout
Lenny Zeltser, of the SANS Internet Storm Center, posted his Three Laws of Behavior Dynamics for Information Security. These laws describe why people follow or don’t follow new security initiatives. Basically, they describe how people react to change in general, but Zeltser focuses on security change specifically.
Filed under Security
The lead security study group (group 17) from the International Telecommunication Union provides a paper containing general suggestions for writing secure applications. In the paper, each item is hyperlinked to additional information.
Filed under Security
Is it really true that one person’s trash is another person’s cash or treasure? It depends. When was the last time a trash can near you contained anything like this?
Filed under Security, Security Scope, Written by Skyyler