Tag Archives: vulnerability

Software Components NOT Removed from Servers

While installing and configuring some new software on my Windows server, I noticed that the IT department forgot to remove some previous software components from my server.

I remember seeing the notice that the software was being uninstalled and replaced by another package.

I could have removed the leftover components myself (I am admin on the server), but I wanted to see if they would ever be removed. Did the Windows server team forget about this, or did the team not concern itself with such things? Maybe the procedures don’t include a process to ensure all components are removed.

I waited about 2 months, but the components were not removed.

Filed under Audit, Case Files, Security, Security Scout, Technology

Careers After IT Auditing

Recently, a reader named Porak asked me what careers IT auditors can move to when they leave auditing (see the original question here).

I couldn’t find much on the Internet on this topic, but there are a lot of options.

I’ve actually worked in quite a few of the areas mentioned below…

Filed under Audit, Employment, How to..., Technology

No Bad Audit Reports Allowed?

It’s getting to the point where some audit directors are saying, “No bad audit reports allowed.” In other words, don’t shoot the messenger, just the message. What follows is an experience from one of my audit colleagues…

First, a couple “I know” statements…I know auditors are supposed to be helpful and friendly. I know auditors are supposed to add value. I know auditors need to be careful about giving only bad news; we should also note in our report what the auditee is doing right (if anything). I know that it’s hard for auditees to get hammered again and again by audit reports.

Filed under Audit, Technology

Creating and Selling Zero-day Exploits

Bruce Schneier has written about and compiled some great info and links regarding the market for creating and selling zero-day exploits in his Crypto-Gram newsletter.

Here are some highlights:

Filed under Security

Shipley on Security Spend

Greg Shipley, founder of Neohapsis, wrote an article in Information Week magazine, this time about how ineffective most of the money spent on security defenses is against the attacks we’re facing. It’s not a short article, but as I’ve said before, Shipley is always worth reading. Here’s what I found most interesting in the article:

  • “Deficiencies, even in our security technologies, are an unfortunate fact of life,” says Shipley.

Filed under Security

Securing Virtual Servers

Here’s my take on the issues that I found with the following quote from SC Magazine (for more info, see Quote of the Weak (Securing Virtual Servers)):

We don’t treat the virtualization servers any different than the physical servers when it comes to security. We treat them the same. Security is security.

Filed under Quote of the Weak, Security

How to Stay Out of Jail

If you work in information security or IT audit (and I don’t mean IT SOX audit), I’d advise you to carry a “get-out-of-jail” (GOOJ) card at all times. In short, get permission before you do your dirty work.

Filed under Audit, Security

Major Bank Invites Hackers In?

A short while back, I attended a meeting in the basement of a branch of a major, national bank. The bank didn’t know whether I was a hacker or not, but I was allowed in (kind of invited) anyway.
Filed under Audit, Security, Security Scout

Why People Don't "Do" Security

Lenny Zeltser, of the SANS Internet Storm Center, posted his Three Laws of Behavior Dynamics for Information Security. These laws describe why people follow or don’t follow new security initiatives. Basically, it describes how people react to change overall, but Zeltser focuses on security change specifically.

Filed under Security

Write Safe and Secure Applications

The lead security study group (group 17) from the International Telecommunication Union provides a paper containing general suggestions for writing secure applications. In the paper, each item is hyperlinked to additional information.

Filed under Security

Another One’s Treasure

Is it really true that one person’s trash is another person’s cash or treasure? It depends. When was the last time a trash can near you contained anything like this?

Filed under Security, Security Scope, Written by Skyyler