Careers After IT Auditing

Recently, a reader named Porak asked me what careers IT auditors can move to when they leave auditing (see the original question here).

I couldn’t find much on the Internet on this topic, but there’s a lot of options.

I’ve actually worked in quite a few of the areas mentioned below…

Continue reading →

No Bad Audit Reports Allowed?

It’s getting to the point where some audit directors are saying, “No bad audit reports allowed.” In other words, don’t shoot the messenger, just the message. What follows is an experience from one of my audit colleagues…

First, a couple “I know” statements…I know auditors are supposed to be helpful and friendly. I know auditors are supposed to add value. I know auditors need to be careful about giving only bad news; we should also note in our report what the auditee is doing right (if anything). I know that it’s hard for auditees to get hammered again and again by audit reports.

Continue reading →

Creating and Selling Zero-day Exploits

Bruce Schneier has written about and compiled some great info and links regarding the market for creating and selling zero-day exploits in his Crypto-Gram newsletter.

Here’s some highlights:

Continue reading →

Shipley on Security Spend

Greg Shipley, founder of Neohapsis, wrote an article in Information Week magazine, this time about how ineffective most of the money spent on security defenses is against the attacks we’re facing.  It’s not a short article, but as I’ve said before, Shipley is always worth reading. Here’s what I found most interesting in the article:

• “Deficiencies, even in our security technologies, are an unfortunate fact of life,” says Shipley.

Continue reading →

Securing Virtual Servers

Here’s my take on the issues that I found with the following quote from SC Magazine (for more info, see Quote of the Weak (Securing Virtual Servers):

We don’t treat the virtualization servers any different than the physical servers when it comes to security. We treat them the same. Security is security.

Continue reading →

How to Stay Out of Jail

If you work in information security or IT audit (and I don’t mean IT SOX audit), I’d advise you to carry a “get-out-of-jail” (GOOJ) card at all times. In short, get permission before you do your dirty work.

Continue reading →

Major Bank Invites Hackers In?

A short while back, I attended a meeting in the basement of a branch of a major, national bank. The bank didn’t know whether I was a hacker or not, but I was allowed in (kind of invited) anyway.
Continue reading →

Why People Don't "Do" Security

Lenny Zeltser, of the SANS Internet Storm Center, posted his Three Laws of Behavior Dynamics for Information Security. These laws describe why people follow or don’t follow new security initiatives. Basically, it describes how people react to change overall, but Zeltser focuses on security change specifically.

Continue reading →

Write Safe and Secure Applications

The lead security study group (group 17) from the International Telecommunication Union provides a paper containing general suggestions for writing secure applications. In the paper, each item is hyperlinked to additional information.

Continue reading →

Another One’s Treasure

Is it really true that one person’s trash is another person’s cash or treasure? It depends. When was the last time a trash can near you contained anything like this?

Continue reading →