Baselining as a Primary Audit Tool

So if I were trapped on a desert island and could take only one audit tool with me to audit the island’s DHARMA systems, which would I want…

For me the answer would have to be baselines. As an auditor, ideally I want to ensure that an organization’s technology systems reflect a conscious decision on the part of the organization. In other words, I want to ensure that technology has been implemented with a full understanding of the potential risks those systems pose, and that it has been implemented in a systematic, tested, and documented fashion. Or said another way, I don’t want to see an organization deploy systems in an ad hoc manner that exposes them to risk – I want to see controlled implementations.

A huge indicator of a controlled environment is documentation on the system being implemented. Specifically, I’m looking for documented system baselines, which demonstrate evidence of conscious decisions on the part of the organization to protect and secure their information.

RSA, a security division of EMC, in their Information Security Glossary defines baseline or baselining as the following:

“An effective method for identifying security attacks on a network, baselining starts by measuring normal activity on a network or network device. That measurement is used as threshold, or baseline, to detect unusual patterns or changes in levels of activity. With this method, the security expert can focus efforts on evaluating anomalies instead of looking for them by reviewing huge log files. The term is also used to refer to other security practices. A baseline, or security baseline often refers to an organizational standard for securely configuring network devices. It can also refer to the results of an organization’s first security assessment. This becomes the baseline against which the organization measures improvements and changes.”

For most auditors, understanding the concept of a baseline is the easy part. The devil, it turns out, is in the details. What auditors really want to know is what information should be baselined and, practically, how to go about performing that baseline. Of course the ultimate conclusion to this discussion would be to consider how to integrate baselines with an organization’s efforts for continuous monitoring and automation.

This year one of my goals is to help auditors by providing them resources which will enable them to more efficiently create baselines of their systems and later automate checks of those baselines. To that end I’ve decided that this year I will release a number of scripts to help auditors perform baselines of their systems. The scripts I release this year will all be Microsoft PowerShell scripts, but I may throw in a few Unix Bash scripts along the way just for some diversity. So enjoy the scripts and feel free to make requests. Most importantly, we want to be able to offer resources that will help you in your efforts to better secure your systems.
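The capture-then-compare cycle that a system baseline implies, as an added example that is not part of the original post and not one of the author’s announced PowerShell scripts: a POSIX shell script (assuming GNU coreutils for sha256sum and stat -c, plus a POSIX awk) that records the hash, mode, owner and size of every regular file under a directory into a baseline file, and later compares a fresh capture against it, listing added, removed and changed files and exiting non-zero when the system has drifted from the documented baseline.

```shell
#!/bin/sh
# Added example (not the post's own script): capture a file-level baseline of a
# directory tree and compare a later capture against it to detect drift.
# Assumes GNU coreutils (sha256sum, stat -c) and a POSIX awk.

# take_baseline DIR OUT
# Writes one record per regular file under DIR, tab-separated:
#   <path> TAB <sha256> <mode> <owner> <size>
take_baseline() {
    dir="$1"; out="$2"
    find "$dir" -type f -print | sort | while IFS= read -r f; do
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        meta=$(stat -c '%a %U %s' "$f")
        printf '%s\t%s %s\n' "$f" "$sum" "$meta"
    done > "$out"
}

# compare_baseline OLD NEW
# Prints a REMOVED/CHANGED/ADDED line for every difference between the two
# captures. Returns 0 when NEW matches OLD exactly, 1 when any drift is found.
compare_baseline() {
    old="$1"; new="$2"; drift=0
    # Records in the baseline that vanished or whose hash/metadata changed.
    awk -F'\t' '
        BEGIN { d = 0 }
        FILENAME == ARGV[1] { cur[$1] = $2; next }
        !($1 in cur)                 { print "REMOVED " $1; d = 1 }
        ($1 in cur) && cur[$1] != $2 { print "CHANGED " $1; d = 1 }
        END { exit d }' "$new" "$old" || drift=1
    # Files present now that the baseline never recorded.
    awk -F'\t' '
        BEGIN { d = 0 }
        FILENAME == ARGV[1] { base[$1] = 1; next }
        !($1 in base) { print "ADDED " $1; d = 1 }
        END { exit d }' "$old" "$new" || drift=1
    return $drift
}

# Usage: sh baseline.sh capture DIR OUT
#        sh baseline.sh compare OLD NEW
case "${1:-}" in
    capture) take_baseline "$2" "$3" ;;
    compare) compare_baseline "$2" "$3" ;;
esac
```

The baseline file is the evidence an auditor asks for: keep the original capture somewhere the audited host cannot modify it, and the non-zero exit status makes the compare step easy to schedule so that drift is reported rather than discovered at the next audit.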

Wishing you a Happy New Year and a Secure 2011!

Audit Checklists a Day: MySQL Database Audit Checklists (Week in Review)

Welcome back to our weekly archive of audit checklists! We hope these weekly lists will help you as you build your personalized checklist for auditing your own organizations. We know that sometimes it can be difficult to research each of these topics, so hopefully these lists will help save you some time when you are researching your audit scope.

In our last batch of posts we continued our month of database audit checklists with tweets focusing on MySQL database systems. This month we’ve tried to bring you a series of audit checklists for databases that would help you regardless of the application system that is the scope of your audit. So many of the business systems we audit use databases as backend systems to support the application that we often find ourselves in the situation where we need to audit databases as well. I hope these MySQL checklists help (regardless of what Oracle decides to do with MySQL in the near future).

Also, while many of you on Twitter have already noticed this, we have been using a particular Twitter hashtag when posting our tweets. Each of our daily posts can be found using the hashtag #AuditChecklists.

If you have other similar checklists that you think are better, let us know, we’ll happily tweet them as well. This is a community effort, why not share?

Audit Checklists for Auditing MySQL Database Systems:

From Cert-in.org

From NGS Software

From the SANS Institute

From Webmaster2020.com

From MySQL

We hope everyone will enjoy and use these tools this week. If you have suggestions or ideas for future audit checklists or tools, please let us know, we’d love to hear your feedback.

Checklists a Day: Oracle Database Audit Checklists (Week in Review – April 17, 2010)

Welcome back to our weekly archive of audit checklists! We hope these weekly lists will help you as you build your personalized checklist for auditing your own organizations. We know that sometimes it can be difficult to research each of these topics, so hopefully these lists will help save you some time when you are researching your audit scope.

Last week we continued our month of database system audit checklists with a week of checklists on how to audit Oracle database systems. Like last week most of these checklists focus on the database server itself, and not the application code, database structure, or permission sets in the database. But at least these should serve as starting points for someone who is auditing technical controls on Oracle systems.

Also, while many of you on Twitter have already noticed this, we have been using a particular Twitter hashtag when posting our tweets. Each of our daily posts can be found using the hashtag #AuditChecklists.

If you have other similar checklists that you think are better, let us know, we’ll happily tweet them as well. This is a community effort, why not share?

Audit Checklists for Auditing Oracle Database Systems:

From the SANS Institute

From Oracle

From ISACA

From Vgrigorian

From Pete Finnigan

We hope everyone will enjoy and use these tools this week. If you have suggestions or ideas for future audit checklists or tools, please let us know, we’d love to hear your feedback.

Checklists a Day: Microsoft SQL Server Audit Checklists (Week in Review – April 12, 2010)

Welcome back to our weekly archive of audit checklists! We hope these weekly lists will help you as you build your personalized checklist for auditing your own organizations. We know that sometimes it can be difficult to research each of these topics, so hopefully these lists will help save you some time when you are researching your audit scope.

Last week we tweeted on audit checklists we thought might be useful when auditing a Microsoft SQL Server. There are so many MSSQL servers deployed today that it seems like you can hardly perform an audit without running into one. Maybe you audit a full-blown instance of a server, or on the other hand maybe you only see SQL Express or the older MSDE installed. But still they seem to multiply like rabbits. So this week we tried to provide you resources to help with those audits. This also begins our month of database checklists. So every day (work day that is – please don’t make us tweet these on the weekends) we’ll post a new checklist.

If you have other similar checklists that you think are better, let us know, we’ll happily tweet them as well. This is a community effort, why not share?

Audit Checklists for Auditing Microsoft SQL Servers:

Microsoft TechNet Checklist

Microsoft MSDN Checklist

Microsoft MSDN Checklist

TechTarget Checklist

SQLSecurity.com Checklist (Old Link Removed)

We hope everyone will enjoy and use these tools this week. If you have suggestions or ideas for future audit checklists or tools, please let us know, we’d love to hear your feedback.

Checklists a Day: Phone System Audit Checklists (Week in Review – April 5, 2010)

Welcome back to our weekly archive of audit checklists! We hope these weekly lists will help you as you build your personalized checklist for auditing your own organizations. We know that sometimes it can be difficult to research each of these topics, so hopefully these lists will help save you some time when you are researching your audit scope.

This week we focused on checklists to help assist you with your audits of phone systems. Some of the checklists focus on general audit techniques for phone systems and some of them are particular to Voice over IP systems. I hope these will assist you as you’re auditing more than just network devices. Enjoy!

Audit Checklists for Auditing Phone Systems / PBX / VoIP:

General PBX Audit

General PBX Audit (Old Link Removed)

General PBX Audit (Old Link Removed)

VoIP Audit

VoIP Audit

We hope everyone will enjoy and use these tools this week. If you have suggestions or ideas for future audit checklists or tools, please let us know, we’d love to hear your feedback.

Checklists a Day: Virtualization Audit Checklists (Week in Review – February 22, 2010)

Welcome back to our weekly archive of audit checklists! We hope these weekly lists will help you as you build your personalized checklist for auditing your own organizations. We know that sometimes it can be difficult to research each of these topics, so hopefully these lists will help save you some time when you are researching your audit scope.

We decided to hit another hot topic this week: virtualization. I mean, when you’re not talking about cloud computing security over the family dinner table, you’re most likely talking about virtualization security and how it impacts your daily lives (Honey, can you install that new garbage disposal? Of course I can dear, but couldn’t we just virtualize it?). So we’re hoping that these audit checklists will help you as you’re evaluating the controls that protect these environments. You know you’re using them, might as well protect them!

Audit Checklists for Auditing Virtualized Environments: 

DISA (Old Link Removed)

Tripwire (Old Link Removed)

VirtualizationAdmin.com

Microsoft

DarkReading

We hope everyone will enjoy and use these tools this week. If you have suggestions or ideas for future audit checklists or tools, please let us know, we’d love to hear your feedback.

Checklists a Day: Cloud Computing Audit Checklists (Week in Review – February 15, 2010)

Welcome back to our weekly archive of audit checklists! We hope these weekly lists will help you as you build your personalized checklist for auditing your own organizations. We know that sometimes it can be difficult to research each of these topics, so hopefully these lists will help save you some time when you are researching your audit scope.

For this week’s checklists we’re going to be returning to the world of more operational controls. Specifically we’ve been investigating audit checklists for evaluating cloud computing environments. Come on, we know you’ve been thinking about it and talking about it both in your IT departments and in your corporate board rooms. Heck, you’ve probably been chatting up other parents at your kid’s little league and talking with them about it! So this week we’re listing off some helpful checklists we’ve found for auditing cloud computing environments. Enjoy!

Audit Checklists for Auditing Cloud Computing Providers: 

ENISA

Cloud Security Alliance

Grid.org.il

SNIA (Old Link Removed)

FUMSI

We hope everyone will enjoy and use these tools this week. If you have suggestions or ideas for future audit checklists or tools, please let us know, we’d love to hear your feedback.

Searching for Hashes of Malicious Files (APT – Aurora)

A couple weeks ago I posted a blog article with some sample file hashes and domain names associated with the recent Google hacks (think APT or Aurora).

Since then I’ve had quite a few people ask me: if you have a system that you suspect might have been compromised, and you have a list of hashes that you know are malicious, how do you search that system for malicious files? In other words, you have a list of hashes and you want to know whether any files on your file system have the same hash value.

Disclaimer – before we continue you should know that hashes of malicious files are just one way of attempting to discover whether your system has been compromised. Especially when dealing with a threat like APT, which is highly intelligent and adaptable, you have to know that if the threat learns you’re on to them and that you’re looking for a specific set of hashes, they’re smart enough to adapt. What will they do? They’ll change their malicious files so the hashes change as well. There’s no doubt this is a limitation. But using the technique we’re about to describe you can at least start to eliminate some of the low-hanging fruit. You may also want to investigate the projects involved with fuzzy hashing, which may be an alternative to some of the standard techniques described here.

Ok, now that you’re ready to start examining your systems for malicious files, here is a process to consider:

Step One: Assemble a Text File of Known Malicious Hashes. The first step you need to follow is to gather a list of hashes of known malicious files. This will be the list of hashes you’re scanning your system for. Remember, the value of your scan will only be as good as the list of hashes you have. A starter list of MD5 hashes is currently being hosted at Enclavesecurity.com and can be found here if you’re looking for a list to get you started. This list certainly is not comprehensive, but at least is a place to consider building your first list from.

Step Two: Decide Which Hashing Tool to Use. There are a number of good tools that you can use to scan your system and to generate hashes of all the files on your file system. Many of these tools are commercial and there are open source tools for this as well. On the commercial side tools like Tripwire, Lumension, and Bit9 are quite effective at this. There are certainly others, but many of you are already using these tools, so you might as well take advantage of them. Unfortunately there are also many of you that simply cannot afford these tools. If you’re looking for a good open source tool to use to start scanning your systems, let me recommend MD5Deep. This is a tool in the public domain that is especially useful for this purpose. While there’s not enough time in this post to talk about how to use the tool, we’ll post more on it later. You could also consider rolling your own scripts, using PowerShell or shell scripting to generate these hashes as well (but I still recommend MD5Deep – it’s cross platform, supports recursive file scans of directories, and natively interfaces with a number of hash databases).

Step Three: Scan Your System. Now that you have your list of hashes for malicious files and your scanning tool, it’s time to scan your system to see if any files with these hashes exist on it. This is the basic part of the exercise – do you have malicious files on your system or not? Depending on the tool you’re using this process will be slightly different, but in the end you’re trying to determine whether you have a compromised host. Auditors – you should be asking companies the control question: if law enforcement approaches you with a list of hashes like we’re describing here and says you need to check your systems to see whether any of these files exist on particular hosts in your environment, how would you look for the hashes? Ask to see their process in action (we want more than tabletop reviews here).

Step Four: Automate System Scans. Finally, once you have your tool working in manual mode, automate the scans. This is one of the major principles of the 20 Critical Controls / Consensus Audit Guidelines that we talk so much about. Manual scans are fine when you need to use them – but how much better would it be if you could implement a tool that constantly scanned your systems and notified you when one of the hashes was discovered? Automation is key.
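The four steps above carried through in one script, as an added example that is neither the post’s own tool nor md5deep: a POSIX shell script (assuming GNU coreutils md5sum and a POSIX awk) that reads a text file of known-bad MD5 hashes (step one), tolerating comments, blank lines and mixed case, hashes every regular file under a directory (steps two and three), prints each match, and exits 1 when anything matched so the same script can be dropped into a scheduled job (step four). The hash list and sample files used in testing are constructed for illustration, not real indicators.

```shell
#!/bin/sh
# Added example (not the post's tool, not md5deep): sweep a directory tree for
# files whose MD5 appears in a known-bad hash list.
# Assumes GNU coreutils (md5sum) and a POSIX awk.

# normalize_hashes LISTFILE
# Emits the 32-hex-digit MD5 values found in LISTFILE, lower-cased and
# de-duplicated. Comments (# ...), blank lines and stray words such as
# incident notes are ignored, so the list can be kept human-readable.
normalize_hashes() {
    sed 's/#.*//' "$1" | tr 'A-F' 'a-f' |
        awk '{ for (i = 1; i <= NF; i++)
                   if (length($i) == 32 && $i ~ /^[0-9a-f]+$/) print $i }' |
        sort -u
}

# scan_for_known_bad LISTFILE DIR
# Hashes every regular file under DIR and prints "<md5>  <path>" for each
# file whose hash is in the list. Returns 1 when at least one file matched
# (so a scheduled job can alert on the exit status), 0 when the tree is clean.
scan_for_known_bad() {
    listfile="$1"; dir="$2"
    bad=$(mktemp)
    normalize_hashes "$listfile" > "$bad"
    find "$dir" -type f -exec md5sum {} + |
        awk -v badfile="$bad" '
            BEGIN { hits = 0; while ((getline h < badfile) > 0) bad[h] = 1 }
            ($1 in bad) { print; hits++ }
            END { exit (hits > 0) }'
    rc=$?
    rm -f "$bad"
    return $rc
}

# Usage: sh hashscan.sh LISTFILE DIR
if [ $# -eq 2 ]; then
    scan_for_known_bad "$1" "$2"
fi
```

For the automation step, a daily cron entry that runs the script over the paths of interest and mails or logs its output whenever the exit status is 1 is enough to turn the manual check into a standing control; the hash list itself should be refreshed as new indicators arrive, since, as the disclaimer above notes, the scan is only as good as the list.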

While there are certainly other ways to go about looking for malicious files on your file system or indicators of compromise on a system, examining file hashes certainly has to be part of your arsenal. If you’re auditing a system, knowing that you have a control in place to scan for signatures of known bad files has to be part of your toolkit. Traditionally we’ve done this with anti-malware tools, but unfortunately many of the large anti-malware vendors still don’t let you know which hashes they’re scanning for and they don’t give you the ability to add hashes that you’d like to scan for in their tools. Thus we’re left to our own devices to discover if files with these signatures are still on our systems.

Hopefully putting this tool in your toolkit gives you one more angle to consider when looking for indicators of a compromise on your systems.

Checklists a Day: Wireless Network Audit Checklists (Week in Review – February 8, 2010)

Welcome back to our weekly archive of audit checklists! We hope these weekly lists will help you as you build your personalized checklist for auditing your own organizations. We know that sometimes it can be difficult to research each of these topics, so hopefully these lists will help save you some time when you are researching your audit scope.

This week we turned back to a technical topic and posted checklists for auditing wireless 802.11 networks. We know that many of you, whether you approve of your users using wireless or not, know that your organization is using wireless, but you want to make sure that it’s being done responsibly. Or maybe you just don’t know if a particular site you’re supporting is using wireless networks or not. This week’s checklists are meant to give you a list of controls to consider when auditing the wireless side of your infrastructure. I hope it helps!

Audit Checklists for Auditing Wireless 802.11 Networks: 

DISA (Old Link Removed)

20 Critical Controls / CAG

US Department of Justice

The SANS Institute

SmashingPasswords.com

We hope everyone will enjoy and use these tools this week. If you have suggestions or ideas for future audit checklists or tools, please let us know, we’d love to hear your feedback.

Top 5 Essential Tips for Passing the ISACA CISA Exam

It’s that season again, and auditors are starting to think about the next step in their careers. Many started the new year with resolutions, including educational goals. For an auditor, one of the educational questions everyone must eventually face is: is this the year I should become CISA certified?

ISACA only offers the exam twice a year, once in June and once in December each year. So taking the exam requires a little planning. If you’re one of those people that’s considering the exam this year, I have some advice for you. I’ve been teaching a CISA preparation class that I authored for the SANS Institute since 2005, and in all these classes I’ve taught, we’ve only ever had one student fail the exam. That being said, I have some advice for those of you considering taking the exam that I hope will help you to prepare and meet your educational resolutions!

1. Start Planning Now. You can’t wait until May and then expect to pass the exam. First of all, registrations for the exam are cut off in April. That means you have to at least sign up for the exam two months in advance. If you don’t sign up I guarantee you won’t pass the exam. Once you’ve signed up for the exam, the second part of this step is to make yourself a training schedule and stick to it. Don’t underestimate the power of a good project plan for passing the exam!

2. Digest the ISACA Review Manual. You have to plan on reading the Review Manual from ISACA for the year you take the exam. Don’t bother with any other books or websites. This is the authoritative material that the exam questions are based on. Focus your time on this book, read it cover to cover, and make sure you understand everything inside. How easy is that?

3. Attend an In-Depth Review Course. There are a lot of courses out there run by volunteers, especially local ISACA chapters, that are trying to help their members with study sessions. These classes can be good refreshers, but make sure you know they’re just that: refreshers run by good-hearted volunteers. If you take a short review class or bootcamp, or try to prepare on your own, make sure you know that you will have to spend a lot more time preparing for the exam on your own. If you’re self-motivated, these methods will work. But if you need structure to help you with your goals, consider signing up for a course that will mentor you through the materials from start to finish and that won’t assume you already know the information.

4. Start Thinking Like an Accountant. This is one of the best pieces of advice you can get when you’re preparing for the exam. Remember, most of the people who wrote the CISA exam are either accountants or work in the financial services industry. They think like accountants. They don’t think like technology geeks or infosec professionals. Start to ask yourself the question, how would an accountant think about this question? This will help tremendously especially once you start taking practice tests and are trying to decide between two answers that both seem like they could be valid answers.

5. Take as Many ISACA Practice Tests as Possible. Like the ISACA Review Manual, focus on taking practice tests from ISACA as a part of your training schedule. Don’t try to use brain dump sites or memorize answers – but take as many ISACA practice tests as possible. This will get you into the mode of being able to answer questions the way ISACA wants you to answer them. This will also help test your knowledge level of the different content areas covered by the exam. The more questions and practice tests you take, the better you will do. You should plan on consistently scoring 90% or better on your tests before you take the real thing. (Side note: if you decide to take the preparation course with SANS, don’t buy these on your own, they’re included in the price of the class).

Overall, passing the exam is possible. Many people before you have taken the exam and passed, and so can you. But passing the CISA exam is not something you try to throw together at the last minute. It requires time and dedication to reach the goal. Everyone I talk to that works in the audit field tells me this certification is a must if you want a career in the IS Audit field. Maybe this is your year?

As I mentioned before, at the SANS Institute we do offer an in-depth training program for passing the exam. This is not a boot camp, but it is in-depth training and mentoring that is designed to teach you what you need to know to be a good auditor, as well as help you pass the exam. To learn more about the next class we’re offering, check us out online here: http://tr.im/MGnD.

Good luck, and we wish you the best in your preparations this year!