IT Audit and Forensics

Published on Internal Audit Issues 2006


  1. IT Audit and Forensics
     Proposed Training Plan for Tribal Internal Audit. Prepared by John Donnelly.
  2. Training Plan
     - IT Risk Assessment
     - A New Approach to General Controls
     - Network Controls and Security
     - Control and Security of UNIX
     - Auditing Windows
     - Internet Control and Security
     - Putting It All Together
  3. The IT Risk Assessment
     - IT risk universe
     - Historical risk models
     - Understanding new IT risks
     - Technical risk assessment
     - Creating an IT audit plan
     - Timing and budgets
     - Presenting the plan to management
  4. The IT Risk Assessment
     - It certainly isn't news that our organization is confronted with risk every day. In fact, how we identify and deal with risk is key to our success.
     - Companies without best-practice risk management implemented consistently across the enterprise will significantly underperform their peers.
  5. The IT Risk Assessment
     - The logic is simple. Just like the solution.
     - Risk is too important to leave to chance.
     - We need an integrated risk management effort.
     - Do we have a holistic approach to enterprise risk management?
  6. Senior Management Decides to Change
     - Recognize and communicate the urgency to change information management practices.
     - Get line management involved and create ownership.
     - Take action and maintain momentum.
  7. Direct Change
     - Anchor strategic planning in customer needs and mission goals
     - Measure the performance of key mission delivery processes
     - Focus on process improvements in the context of an architecture
     - Manage IS projects as investments
     - Integrate the planning, budgeting and evaluation processes
  8. Support Change
     - Establish customer/supplier relationships between line and IS professionals
     - Position a chief information officer as a senior management partner
     - Upgrade skills and knowledge of line management and IS professionals
  9. Benefits of Change
     - Increased productivity
     - Improved customer service
     - Higher returns on IS investments
     - Lower risks of failure, delay, and overspending
  10. The IT Risk Assessment
     - Benchmark our current risk profile, processes and spending against our peers, industry, and best practices
     - Assess and analyze threats and vulnerabilities, and their potential impact, including the financial consequences of loss
     - Develop plans for organization, governance, strategy, architecture, business continuity, disaster recovery and crisis management
  11. IT Risk Assessment
     - Strategy
     - Policies and procedures
     - Information management practices
     - Information systems organizational structure
  12. Strategy
     - Mission Statements
     - Strategic Planning
     - IS budgeting
     - IS Planning or steering committee
     - Monitoring techniques
     - Total Quality Management
     - Management techniques
  13. Policies and Procedures
     - IS Purchasing policies
     - Human resource policies
     - Security/privacy policies
     - Standards
  14. Standards
     - COBIT
     - ISO 17799
     - NIST
     - SANS
     - NSA
     - CIS
  15. Information Management Practices
     - IS Quality assurance
     - Security awareness program
     - Personnel practices
     - IS Purchasing practices
  16. Organizational Structure
     - Organizational Structure
     - Job descriptions
     - Segregation of duties and responsibilities
     - Organizational change management
     - IS internal audit function
     - IS quality assurance
  17. A New Approach to General Controls
     - Physical security post 9/11
     - Logical security in a hacker-infested world
     - Business continuance: surviving and thriving when others fail
     - Disaster preparedness: when all else fails, planning prevails
     - Storage management: protecting your assets
  18. A New Approach to General Controls
     - Evaluating IT organizational effectiveness
     - Risk/Control tables
  19. A New Approach to General Controls
     - Business Process Evaluation and Risk Management
     - Disaster Recovery and Business Continuity
     - Protection of Information Assets
  20. Protection of Information Assets
     - Importance of Information Security Management
     - Logical Access Exposures and Controls
     - Auditing Information Security Management and Logical Access Issues and Exposures
     - Network Infrastructure Security
     - Environmental Exposures and Controls
  21. Importance of Information Security Management
     - Ensure the integrity of information stored on their computer systems
     - Preserve confidentiality of sensitive data
     - Ensure the continued availability of their information systems
     - Ensure conformity to laws, regulations and standards
  22. Key Elements of Information Security Management
     - Policies and Procedures
     - Organization
     - Data Classification
     - System Access
  23. Key Elements of Information Security Management: Organization
     - Executive Management
     - Security committee
     - Data owners
     - Process owners
     - IT developers
     - IS auditors
     - Users
  24. Data Classification
     - Who has access rights
     - Who is responsible for determining access rights and access levels
     - What approvals are needed for access
  25. System Access
     - Security awareness and education
     - Monitoring and Compliance
     - Incident Handling and response
  26. Information Security Management Standards
     - Privacy Impact Analysis
       - Identifying the nature of personally identifiable information associated with business processes
       - Documenting the collection, use, disclosure and destruction of personally identifiable information
       - Providing management with a tool to make informed policy, operations and system design decisions based on an understanding of privacy risk and the options available
  27. Risk Management Domains
     - Security: focuses on security and privacy concerns including cryptography, confidentiality, integrity, availability and more
     - Systems and Technology: enabling technologies for customer and supplier chain support; highlights integrated software solutions and trends in technology
  28. Risk Management Domains
     - Strategy: critical business strategic issues such as setting strategic direction, analyzing competitors, and leveraging information technology
     - Organization and Competencies: aspects such as whether the organization requires new skills and new competencies
  29. Risk Management Domains
     - Performance Management: how an organization plans, measures, monitors, and controls the performance of its business capabilities and functions
  30. Network Control and Security
     - Auditing the Carriers
     - Understanding and auditing communications alternatives
     - Auditing network equipment and configuration
     - Auditing the wire-based intranet
     - Auditing dial-up access
  31. Network Management Systems Review
     - Audit Objectives
       - To review the adequacy of administrative procedures
       - To assess the effectiveness of the configuration management function
       - To assess the network security function
       - To assess the adequacy of the performance management system
  32. Network Administration
     - Obtain a copy of the organization chart for the telecommunications and network function
     - Inquire whether segregation of duties is in place
     - Understand the type of network services being used
     - Take an inventory of data circuits and terminals
  33. Network Administration
     - Review network traffic volumes to identify trends
     - Inquire whether network balancing procedures are being practiced
     - Determine whether backup and recovery procedures for the network are included
     - With the use of audit software, determine connect time, type and volume
  34. Configuration Management
     - Review the adequacy of network configuration procedures for the following situations:
       - When network components malfunction
       - When nodes are added to or removed from networks
     - Confirm that network management has adequate procedures to address the following conditions:
       - To diagnose and remedy performance degradation problems in order to provide quality and reliable service to system users
  35. Network Security
     - Determine whether access can be restricted to a specific time of day, with automatic time zone adjustment
     - Confirm that access can be restricted
     - Ensure that a user ID and password are required to reconnect a session
  36. Network Terminal Expansion System
     - Determine whether the terminal expansion system has the ability to:
       - Produce an audible alarm when changes occur in a hidden session
       - Provide duplex support, which allows concurrent access to a single session from two physical terminals
  37. Network Control and Security
     - Auditing wireless networks
     - Auditing VPN networks
     - Mapping the network
     - Trading partner connectivity
     - Network Management and operations
     - Network incident management
  38. Auditing Wireless Networks
     - Introduction to the Wireless Community
     - Wireless Internet
     - Internet Security
  39. Introduction to the Wireless Community
     - Trends
       - Faster bandwidth connections to the World Wide Web
       - Higher clock speed processors
       - New breakthroughs in wireless technology
       - There are now around 200 million internet users in the United States alone, and half of them are wireless.
  40. Wireless Internet
     - Wireless technology uses radiation as its means of transmitting data through space.
       - Specifically, wireless technology uses electromagnetic radiation to transmit data, because it does not require a medium to transfer the energy from one point to another.
       - The evolving set of IEEE 802.11 standards is designated the Wireless LAN Working Group.
  41. How Wireless Access Protocol Works
     - Takes requests
     - Sends them to the gateway
     - Optimizes the network
     - Translation
  42. Why WAP?
     - Wireless networks present a constrained communication environment.
       - Due to fundamental limitations of power, available spectrum, and mobility, wireless data networks tend to have:
         - Less bandwidth
         - More latency
         - Less connection stability
         - Less predictable availability
  43. WAP Security
     - Specifies a framework for secure connections, using protocol elements from common Internet security protocols like SSL and TLS
     - Provides security facilities for encryption, strong authentication, integrity, and key management
  44. WAP Security
     - Provides end-to-end security between protocol end points
     - Lightweight and efficient protocol with respect to bandwidth, memory and processing power
     - Employs specially adapted mechanisms for wireless usage: long-lived secure sessions
  45. Internet Security
     - No security backbone
     - Security has become a big issue
       - Wired Equivalent Privacy (WEP) was one of the first wireless security encryption schemes, designed to protect wireless local area networks from unauthorized users.
         - This protocol uses security keys that are created within the router and then encrypted.
  46. Operating Systems
     - Operating System overview
     - Windows
     - Mainframe
     - UNIX (HP, Solaris, AIX)
       - What are some tools and resources
       - Common Vulnerabilities
  47. Control and Security of UNIX
     - Understanding UNIX
     - System Command Directories
     - File systems
     - The Super-user
     - UNIX communications
     - UNIX security
     - Using audit scripts
     - Risk/Control tables
     - UNIX Audit Guide
  48. Understanding UNIX
     - To understand how numerous attacks function, we must have a basic understanding of the UNIX operating system, because it is so popular both as a target platform and as an operating system from which attacks are launched.
  49. Learning about UNIX
     - Architecture
       - UNIX File System Architecture
       - The Kernel and Processes
       - Automatically Starting up Processes
         - init: starts various processes at boot time
         - inetd: listens for network traffic for numerous services
         - cron: used to schedule the running of specific system commands
  50. Learning about UNIX
     - Accounts and Groups
       - The /etc/passwd File
       - The /etc/group File
       - Root: it's a Super User!
     - Privilege Control: UNIX Permissions
       - Set-UID Programs
     - UNIX Trust
  51. Learning about UNIX
     - Common UNIX Network Services
       - Telnet: Command-Line Remote Access
       - FTP: File Transfer Protocol
       - TFTP: Trivial File Transfer Protocol
       - Web Servers: HTTP
       - Electronic Mail
       - r-commands
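The account and privilege items on slides 49 to 51 (the /etc/passwd file, root as the UID 0 super user, set-UID programs) are the kind of conditions the "Using audit scripts" item on slide 47 points at. The POSIX shell script below is an added example written for this page, not a script from the training plan or its author. It runs against a constructed sample passwd file and a constructed directory tree (the function names audit_passwd, find_setuid, make_sample_passwd and make_sample_tree and all sample contents are the example's own) and flags the findings an IS auditor would ask management to explain: non-root accounts with UID 0, accounts with an empty password field, several accounts sharing one UID, and set-UID files.

```sh
#!/bin/sh
# Added example: minimal UNIX account and privilege audit checks.
# All sample data below is constructed for the demo; nothing is read
# from the real /etc/passwd unless you pass its path yourself.

# Write a constructed sample passwd file to the path given as $1.
# It deliberately contains the conditions the checks look for.
make_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:0:34:backup:/var/backups:/bin/sh
jdoe:x:1001:1001:John Doe:/home/jdoe:/bin/sh
svc::1002:1002:service account:/var/svc:/bin/sh
asmith:x:1001:1003:Alice Smith:/home/asmith:/bin/sh
EOF
}

# Audit a passwd-format file ($1) and print one finding per line:
#   UID0:<name>           account other than root with UID 0 (a second super-user)
#   EMPTYPW:<name>        empty password field (login without a password)
#   DUPUID:<uid>:<names>  accounts sharing one UID (file ownership and logs
#                         cannot tell them apart, so accountability is lost)
audit_passwd() {
    awk -F: '
        $3 == 0 && $1 != "root" { print "UID0:" $1 }
        $2 == ""                { print "EMPTYPW:" $1 }
        { count[$3]++; names[$3] = names[$3] " " $1 }
        END {
            # UID 0 sharing is already reported above, so skip it here.
            for (uid in count)
                if (uid != "0" && count[uid] > 1)
                    print "DUPUID:" uid ":" names[uid]
        }' "$1"
}

# Build a constructed directory tree under $1 with one set-UID file
# (legacy_tool) and one ordinary file, to exercise find_setuid.
make_sample_tree() {
    mkdir -p "$1/bin"
    : > "$1/bin/legacy_tool"
    chmod 4755 "$1/bin/legacy_tool"   # set-UID bit on
    : > "$1/bin/plain_tool"
    chmod 0755 "$1/bin/plain_tool"
}

# List set-UID regular files under directory $1, one path per line.
# Every hit should trace back to a vendor package or a documented exception.
find_setuid() {
    find "$1" -type f -perm -4000 -print
}

# Run both checks against the constructed data, then clean up.
demo() {
    pw=$(mktemp) || return 1
    tree=$(mktemp -d) || return 1
    make_sample_passwd "$pw"
    make_sample_tree "$tree"
    echo "passwd findings:"
    audit_passwd "$pw"
    echo "set-UID files:"
    find_setuid "$tree"
    rm -rf "$pw" "$tree"
}

demo
```

To use the checks on a real host, call audit_passwd /etc/passwd and find_setuid / (the latter takes a while and should be run with the same excludes as the site's file integrity baseline); each finding then becomes a line in the risk/control table with the data owner's explanation beside it.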
  52. Auditing Windows
     - Understanding Windows 2000
     - Understanding Active Directory
     - File System Administration
     - User and Group Administration
     - Overall Security
       - Differences between NT and 2000
       - Policies
       - Logs
  53. Internet Control and Security
     - Internet Security Basics
     - Internet communications and Architecture
     - Securing the web presence
     - Controlling internet connections
  54. Internet Control and Security
     - Understanding and responding to attacks
     - Tools and techniques of the hacking trade
     - Vulnerabilities and Exploits
     - Building and maintaining secure firewalls
     - Hardening your network
     - Risk/Control Tables
     - Internet Audit Guide
  55. Putting It All Together
     - Risk assessments
     - Staging the audits
     - Presenting issues in an understandable format
     - Reporting
     - Follow-up: tracking control implementation
     - What comes next: ongoing monitoring
     - Closing comments
  56. IT Risk Assessment
     - Identifying your Assets
     - Who you need to be cautious of, and why
     - Security Basics
     - Frequently Exploited Ports and Services
     - Tools of the Trade
     - Hacking Your Network
     - Interpreting the results
     - Resolving the Issues
  57. Identifying Your Assets
     - Customers
     - Employees
     - Company Trade Secrets
     - Fast Global connections
     - Proprietary Software
     - Storage Facility
  58. Who You Need to Be Cautious Of, and Why
     - Disgruntled Employees
     - Contractors, Business Partners and Trade Associates
     - Competitors
     - Hackers
     - Industrial Espionage Agents
  59. Security Basics
     - Policies and Procedures
     - Security Banners ("no trespassing" signs)
     - Password Standards
     - Log Files
     - Internet
     - Anti-Virus Software
     - Backup Systems and Media
     - Network Security Software
     - Encryption
  60. Frequently Exploited Ports and Services
     - Commonly Exploited Ports and Services
     - E-mail
     - Denial of Service
     - Spoofing
  61. Tools of the Trade
     - Network Scanners
     - Port Scanners
     - War Dialers
     - Password Crackers
     - Packet Sniffers
     - Miscellaneous Tools
  62. Hacking Your Network
     - Safe hacking
     - Internet
       - Servers
       - Firewall
         - Securing the Firewall
       - Routers
         - Router usage
         - Router rules
         - Securing your routers
  63. Common Network Devices
     - Switches, Routers, and Bridges
       - Have all network connectivity devices been identified?
       - Have all of the security devices been implemented on each of the network devices?
       - Have vendor default passwords been changed?
       - Are direct-dial modems attached to any network devices?
  64. Control Checklists: Routers
     - Do vendors have remote access to routers?
     - Are router tables dumped periodically to ensure there are no unusual entries?
     - Are static routes used to ensure that only approved traffic is routed through the network?
  65. Control Checklists: Firewalls
     - Are hacker penetration attempts investigated?
     - Are internal firewalls used to limit the damage that can be done when the network is penetrated?
     - Is a firewall proxy server used to protect the internet connection?
     - Are password crackers run against all of the machines in the internet cluster periodically?
  66. What We Do
     - Write published products, including articles posted daily to Web sites, Strategic Analysis Reports, Monthly Research Review contributions and newsletter articles
     - Assume project management responsibilities to fulfill project deadlines
     - Select suitable topics for articles to be written for high-level executives
  67. What We Do
     - Analyze technological and financial information for inclusion in written work.
     - Translate complex and confusing ideas and concepts into clear and understandable writing.
  68. Putting It All Together
     - Do we understand how technology impacts our organizations, our departments and us?
     - Are we using technology as a tool to get us where we need to be, or is technology managing us?
       - Technology should not control us. We should take control of technology and put it to work for us.
  69. Putting It All Together
     - What is the inside information about how to identify real organizational barriers and find ways to resolve them?
     - How do we know how to apply technology properly?
     - How do we secure rapidly expanding information warehouses properly?