It Audit And Forensics


Internal Audit Issues 2006


  1. IT Audit and Forensics
     Proposed Training Plan for Tribal Internal Audit
     Prepared by John Donnelly
  2. Training Plan
     • IT Risk Assessment
     • A New Approach to General Controls
     • Network Controls and Security
     • Control and Security of UNIX
     • Auditing Windows
     • Internet Control and Security
     • Putting It All Together
  3. The IT Risk Assessment
     • IT risk universe
     • Historical risk models
     • Understanding new IT risks
     • Technical risk assessment
     • Creating an IT audit plan
     • Timing and budgets
     • Presenting the plan to management
  4. The IT Risk Assessment
     • It certainly isn't news that our organization is confronted with risk every day. In fact, how we identify and deal with risk is key to our success.
     • Companies without best-practice risk management implemented consistently across the enterprise will significantly underperform their peers.
  5. The IT Risk Assessment
     • The logic is simple. Just like the solution.
     • Risk is too important to leave to chance.
     • We need an integrated risk management effort.
     • Do we have a holistic approach to enterprise risk management?
  6. Senior Management Decide to Change
     • Recognize and communicate the urgency to change information management practices.
     • Get line management involved and create ownership.
     • Take action and maintain momentum.
  7. Direct Change
     • Anchor strategic planning in customer needs and mission goals
     • Measure the performance of key mission delivery processes
     • Focus on process improvements in the context of an architecture
     • Manage IS projects as investments
     • Integrate the planning, budgeting and evaluation processes
  8. Support Change
     • Establish a customer/supplier relationship between line and IS professionals
     • Position a chief information officer as a senior management partner
     • Upgrade the skills and knowledge of line management and IS professionals
  9. Benefits of Change
     • Increased productivity
     • Improved customer service
     • Higher returns on IS investments
     • Lower risks of failure, delay and overspending
  10. The IT Risk Assessment
     • Benchmark our current risk profile, processes and spending against our peers, industry and best practices
     • Assess and analyze threats and vulnerabilities and their potential impact, including the financial consequences of loss
     • Develop plans for organization, governance, strategy, architecture, business continuity, disaster recovery and crisis management
  11. IT Risk Assessment
     • Strategy
     • Policies and procedures
     • Information management practices
     • Information systems organizational structure
  12. Strategy
     • Mission statements
     • Strategic planning
     • IS budgeting
     • IS planning or steering committee
     • Monitoring techniques
     • Total Quality Management
     • Management techniques
  13. Policies and Procedures
     • IS purchasing policies
     • Human resource policies
     • Security/privacy policies
     • Standards
  14. Standards
     • COBIT
     • ISO 17799
     • NIST
     • SANS
     • NSA
     • CIS
  15. Information Management Practices
     • IS quality assurance
     • Security awareness program
     • Personnel practices
     • IS purchasing practices
  16. Organizational Structure
     • Organizational structure
     • Job descriptions
     • Segregation of duties and responsibilities
     • Organizational change management
     • IS internal audit function
     • IS quality assurance
  17. A New Approach to General Controls
     • Physical security post 9/11
     • Logical security in a hacker-infested world
     • Business continuance: surviving and thriving when others fail
     • Disaster preparedness: when all else fails, planning prevails
     • Storage management: protecting your assets
  18. A New Approach to General Controls
     • Evaluating IT organizational effectiveness
     • Risk/control tables
  19. A New Approach to General Controls
     • Business process evaluation and risk management
     • Disaster recovery and business continuity
     • Protection of information assets
  20. Protection of Information Assets
     • Importance of information security management
     • Logical access exposures and controls
     • Auditing information security management and logical access issues and exposures
     • Network infrastructure security
     • Environmental exposures and controls
  21. Importance of Information Security Management
     • Ensure the integrity of information stored on computer systems
     • Preserve the confidentiality of sensitive data
     • Ensure the continued availability of information systems
     • Ensure conformity to laws, regulations and standards
  22. Key Elements of Information Security Management
     • Policies and procedures
     • Organization
     • Data classification
     • System access
  23. Key Elements of Information Security Management: Organization
     • Executive management
     • Security committee
     • Data owners
     • Process owners
     • IT developers
     • IS auditors
     • Users
  24. Data Classification
     • Who has access rights
     • Who is responsible for determining access rights and access levels
     • What approvals are needed for access
  25. System Access
     • Security awareness and education
     • Monitoring and compliance
     • Incident handling and response
  26. Information Security Management Standards
     • Privacy Impact Analysis
       • Identifying the nature of personally identifiable information associated with business processes
       • Documenting the collection, use, disclosure and destruction of personally identifiable information
       • Providing management with a tool to make informed policy, operations and system design decisions based on an understanding of privacy risk and the options available
  27. Risk Management Domains
     • Security: focuses on security and privacy concerns, including cryptography, confidentiality, integrity, availability and more
     • Systems and Technology: enabling technologies for customer and supply chain support; highlights integrated software solutions and trends in technology
  28. Risk Management Domains
     • Strategy: critical business strategic issues such as setting strategic direction, analyzing competitors and leveraging information technology
     • Organization and Competencies: whether the organization requires new skills and new competencies
  29. Risk Management Domains
     • Performance Management: how an organization plans, measures, monitors and controls the performance of its business capabilities and functions
  30. Network Control and Security
     • Auditing the carriers
     • Understanding and auditing communications alternatives
     • Auditing network equipment and configuration
     • Auditing the wire-based intranet
     • Auditing dial-up access
  31. Network Management Systems Review
     • Audit objectives
       • To review the adequacy of administrative procedures
       • To assess the effectiveness of the configuration management function
       • To assess the network security function
       • To assess the adequacy of the performance management system
  32. Network Administration
     • Obtain a copy of the organization chart for the telecommunications and network function
     • Inquire whether segregation of duties is in place
     • Understand the type of network services being used
     • Take an inventory of data circuits and terminals
  33. Network Administration
     • Review network traffic volumes to identify trends
     • Inquire whether network balancing procedures are being practiced
     • Determine whether backup and recovery procedures for the network are included
     • With the use of audit software, determine connect time, type and volume
  34. Configuration Management
     • Review the adequacy of network configuration procedures for the following situations:
       • When network components malfunction
       • When nodes are added to or removed from networks
     • Confirm that network management has adequate procedures to address the following conditions:
       • To diagnose and remedy performance degradation problems in order to provide quality and reliable service to system users
  35. Network Security
     • Determine whether access can be restricted to a specific time of day, with automatic time zone adjustment
     • Confirm that access can be restricted
     • Ensure that a user ID and password are required to reconnect a session
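The time-of-day restriction with automatic time zone adjustment in the slide above, as an added example that is not part of the original deck: a small Python policy check that converts each login time to the user's own zone before applying the window, so DST and zone offsets are handled without manual adjustment, and that treats a window whose start is later than its end (an overnight shift) as crossing midnight. The policy table, the user names and the log lines are all constructed for this example; a user with no policy entry is denied by default.

```python
from datetime import datetime, time
from zoneinfo import ZoneInfo

# Hypothetical access policy, constructed for this example: each user gets an
# allowed login window expressed in that user's own local time zone.
POLICY = {
    "alice": {"tz": "America/New_York", "start": time(8, 0),  "end": time(18, 0)},
    "bob":   {"tz": "Asia/Tokyo",       "start": time(22, 0), "end": time(6, 0)},  # overnight window
}


def in_window(local, start, end):
    """True if `local` lies in [start, end). A window whose start is later
    than its end (e.g. 22:00-06:00) crosses midnight and is split in two."""
    if start <= end:
        return start <= local < end
    return local >= start or local < end


def parse_utc(stamp):
    """Parse an ISO 8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def access_allowed(user, stamp):
    """Convert the UTC login time to the user's zone before applying the
    window, so DST and zone offsets are adjusted automatically."""
    policy = POLICY.get(user)
    if policy is None:
        return False  # no policy for this user: deny by default
    local = parse_utc(stamp).astimezone(ZoneInfo(policy["tz"])).time()
    return in_window(local, policy["start"], policy["end"])


def find_violations(log_lines):
    """Return (user, timestamp) for every '<ISO8601Z> <user>' log line whose
    login falls outside that user's window."""
    violations = []
    for line in log_lines:
        stamp, user = line.split()
        if not access_allowed(user, stamp):
            violations.append((user, stamp))
    return violations


# Constructed login records (UTC), not taken from any real system.
SAMPLE_LOG = [
    "2006-07-10T14:00:00Z alice",  # 10:00 EDT -> inside 08:00-18:00
    "2006-07-11T01:00:00Z alice",  # 21:00 EDT the previous day -> outside
    "2006-01-10T14:00:00Z bob",    # 23:00 JST -> inside the overnight window
    "2006-01-10T03:00:00Z bob",    # 12:00 JST -> outside
    "2006-01-10T03:00:00Z carol",  # no policy entry -> denied
]

if __name__ == "__main__":
    for user, stamp in find_violations(SAMPLE_LOG):
        print(f"login outside allowed window: {user} at {stamp}")
```

The check deliberately keeps the policy in local time and converts the event rather than the policy: converting the window to UTC once would silently drift by an hour at each DST change, which is exactly the "automatic time zone adjustment" the audit question is probing for.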
  36. Network Terminal Expansion System
     • Determine whether the terminal expansion system has the ability to:
       • Produce an audible alarm when changes occur in a hidden session
       • Provide duplex support, which allows concurrent access to a single session from two physical terminals
  37. Network Control and Security
     • Auditing wireless networks
     • Auditing VPN networks
     • Mapping the network
     • Trading partner connectivity
     • Network management and operations
     • Network incident management
  38. Auditing Wireless Networks
     • Introduction to the wireless community
     • Wireless Internet
     • Internet security
  39. Introduction to the Wireless Community
     • Trends
       • Faster bandwidth connections to the World Wide Web
       • Higher clock speed processors
       • New breakthroughs in wireless technology
       • There are now around 200 million Internet users in the United States alone, and half of them are wireless.
  40. Wireless Internet
     • Wireless technology uses radiation as its means of transmitting data through space.
       • Specifically, wireless technology uses electromagnetic radiation to transmit data, because it does not require a medium to transfer the energy from one point to another.
       • The evolving set of IEEE standards, 802.11, is designated the Wireless LAN Working Group.
  41. How Wireless Access Protocol Works
     • Takes requests
     • Sends them to the gateway
     • Optimizes the network
     • Translation
  42. Why WAP?
     • Wireless networks present a constrained communication environment.
       • Due to fundamental limitations of power, available spectrum and mobility, wireless data networks tend to have:
         • Less bandwidth
         • More latency
         • Less connection stability
         • Less predictable availability
  43. WAP Security
     • Specifies a framework for secure connections, using protocol elements from common Internet security protocols such as SSL and TLS
     • Provides security facilities for encryption, strong authentication, integrity and key management
  44. WAP Security
     • Provides end-to-end security between protocol end points
     • Lightweight and efficient protocol with respect to bandwidth, memory and processing power
     • Employs specially adapted mechanisms for wireless usage: long-lived secure sessions
  45. Internet Security
     • No security backbone
     • Security has become a big issue
       • Wired Equivalent Privacy (WEP) was one of the first wireless security encryption schemes designed to protect Wireless Local Area Networks from unauthorized users.
         • This protocol uses security keys that are created within the router and then encrypted.
  46. Operating Systems
     • Operating system overview
     • Windows
     • Mainframe
     • UNIX (HP, Solaris, AIX)
       • What are some tools and resources
       • Common vulnerabilities
  47. Control and Security of UNIX
     • Understanding UNIX
     • System command directories
     • File systems
     • The super-user
     • UNIX communications
     • UNIX security
     • Using audit scripts
     • Risk/control tables
     • UNIX audit guide
  48. Understanding UNIX
     • To understand how numerous attacks function, we must have a basic understanding of the UNIX operating system, because it is so popular both as a target platform and as an operating system from which to launch attacks.
  49. Learning about UNIX
     • Architecture
       • UNIX file system architecture
       • The kernel and processes
       • Automatically starting up processes
         • init: starts various processes at boot time
         • inetd: listens for network traffic for numerous services
         • cron: used to schedule the running of specific system commands
  50. Learning about UNIX
     • Accounts and groups
       • The /etc/passwd file
       • The /etc/group file
       • Root: it's a super user!
     • Privilege control: UNIX permissions
       • Set-UID programs
     • UNIX trust
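An added audit script, in the spirit of the "using audit scripts" item from slide 47 and not the deck's own material, for the /etc/passwd and /etc/group checks listed above. Run over two constructed sample files, it flags accounts other than root with UID 0, accounts with an empty password field, duplicate UIDs, members of privileged groups, and accounts whose primary GID is not defined in the group file. The sample accounts are constructed; the set of privileged group names (root, wheel) is an assumption to adjust per platform. On modern systems the password field holds "x" and the real hash lives in /etc/shadow, so an empty field here means no password is required at all.

```python
from dataclasses import dataclass


@dataclass
class PasswdEntry:
    name: str
    passwd: str  # "x" = hash is in /etc/shadow; "" = no password required
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text):
    """Parse /etc/passwd-format text (7 colon-separated fields) into entries."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, pw, int(uid), int(gid), gecos, home, shell))
    return entries


def parse_group(text):
    """Parse /etc/group-format text into {group name: (gid, [members])}."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":")
        groups[name] = (int(gid), [m for m in members.split(",") if m])
    return groups


# Assumption: membership in these groups grants elevated access on the host.
PRIVILEGED_GROUPS = {"root", "wheel"}


def audit_passwd(text):
    """Findings from the passwd file alone: extra UID 0 accounts, empty
    password fields and duplicate UIDs (reported against the first owner)."""
    findings = []
    first_owner = {}
    for e in parse_passwd(text):
        if e.uid == 0 and e.name != "root":
            findings.append(("uid0", e.name))
        if e.passwd == "":
            findings.append(("empty-password", e.name))
        if e.uid in first_owner:
            findings.append(("duplicate-uid", e.name, first_owner[e.uid]))
        else:
            first_owner[e.uid] = e.name
    return findings


def audit_group(text):
    """Findings from the group file alone: every member of a privileged group."""
    findings = []
    for name, (_gid, members) in parse_group(text).items():
        if name in PRIVILEGED_GROUPS:
            findings.extend(("privileged-group-member", name, m) for m in members)
    return findings


def audit_accounts(passwd_text, group_text):
    """Combine both audits and cross-check that each account's primary GID
    exists in the group file (an orphaned GID usually means a stale entry)."""
    findings = audit_passwd(passwd_text) + audit_group(group_text)
    known_gids = {gid for gid, _ in parse_group(group_text).values()}
    for e in parse_passwd(passwd_text):
        if e.gid not in known_gids:
            findings.append(("unknown-gid", e.name, e.gid))
    return findings


# Constructed sample files (not from a real system).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:0:0:backup admin:/home/backup:/bin/sh
guest::1001:1001:Guest:/home/guest:/bin/sh
www:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

SAMPLE_GROUP = """\
root:x:0:alice
daemon:x:1:
wheel:x:10:alice,bob
www-data:x:33:
users:x:100:
alice:x:1000:
"""

if __name__ == "__main__":
    for finding in audit_accounts(SAMPLE_PASSWD, SAMPLE_GROUP):
        print(finding)
```

On a live host the same functions can be fed the contents of the real files; each finding is a tuple so it drops straight into the risk/control table the deck describes.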
  51. Learning about UNIX
     • Common UNIX network services
       • Telnet: command-line remote access
       • FTP: File Transfer Protocol
       • TFTP: Trivial File Transfer Protocol
       • Web servers: HTTP
       • Electronic mail
       • r-commands
  52. Auditing Windows
     • Understanding Windows 2000
     • Understanding Active Directory
     • File system administration
     • User and group administration
     • Overall security
       • Differences between NT and 2000
       • Policies
       • Logs
  53. Internet Control and Security
     • Internet security basics
     • Internet communications and architecture
     • Securing the web presence
     • Controlling Internet connections
  54. Internet Control and Security
     • Understanding and responding to attacks
     • Tools and techniques of the hacking trade
     • Vulnerabilities and exploits
     • Building and maintaining secure firewalls
     • Hardening your network
     • Risk/control tables
     • Internet audit guide
  55. Putting It All Together
     • Risk assessments
     • Staging the audits
     • Presenting issues in an understandable format
     • Reporting
     • Follow-up: tracking control implementation
     • What comes next: ongoing monitoring
     • Closing comments
  56. IT Risk Assessment
     • Identifying your assets
     • Who you need to be cautious of and why
     • Security basics
     • Frequently exploited ports and services
     • Tools of the trade
     • Hacking your network
     • Interpreting the results
     • Resolving the issues
  57. Identifying Your Assets
     • Customers
     • Employees
     • Company trade secrets
     • Fast global connections
     • Proprietary software
     • Storage facility
  58. Who You Need to Be Cautious of and Why
     • Disgruntled employees
     • Contractors, business partners and trade associates
     • Competitors
     • Hackers
     • Industrial espionage agents
  59. Security Basics
     • Policies and procedures
     • Security banners (no-trespassing signs)
     • Password standards
     • Log files
     • Internet
     • Anti-virus software
     • Backup systems and media
     • Network security software
     • Encryption
  60. Frequently Exploited Ports and Services
     • Commonly exploited ports and services
     • E-mail
     • Denial of service
     • Spoofing
  61. Tools of the Trade
     • Network scanners
     • Port scanners
     • War dialers
     • Password crackers
     • Packet sniffers
     • Miscellaneous tools
  62. Hacking Your Network
     • Safe hacking
     • Internet
       • Servers
       • Firewall
         • Securing the firewall
       • Routers
         • Router usage
         • Router rules
         • Securing your routers
  63. Common Network Devices
     • Switches, routers and bridges
       • Have all network connectivity devices been identified?
       • Have all of the security devices been implemented on each of the network devices?
       • Have vendor default passwords been changed?
       • Are direct-dial modems attached to any network devices?
  64. Control Checklists: Routers
     • Do vendors have remote access to routers?
     • Are router tables dumped periodically to ensure there are no unusual entries?
     • Are static routes used to ensure that only approved traffic is routed through the network?
  65. Control Checklists: Firewalls
     • Are hacker penetration attempts investigated?
     • Are internal firewalls used to limit the damage that can be done when the network is penetrated?
     • Is a firewall proxy server used to protect the Internet connection?
     • Are password crackers run against all of the machines in the Internet cluster periodically?
  67. What We Do?
     • Write published products, including articles posted daily to web sites, Strategic Analysis Reports, Monthly Research Review contributions and newsletter articles
     • Assume project management responsibilities to meet project deadlines
     • Select suitable topics for articles to be written for high-level executives
  68. What We Do?
     • Analyze technological and financial information for inclusion in written work.
     • Translate complex and confusing ideas and concepts into clear and understandable writing.
  69. Putting It All Together
     • Do we understand how technology impacts our organizations, our departments and us?
     • Are we using technology as a tool to get us where we need to be, or is technology managing us?
       • Technology should not control us. We should take control of technology and put it to work for us.
  70. Putting It All Together
     • What is the inside information about how to identify real organizational barriers and find ways to resolve them?
     • How do we know how to apply technology properly?
     • How do we secure rapidly expanding information warehouses properly?