Checklists a Day: Change Management Audit Checklists (Week in Review – February 1, 2010)

Welcome back to our weekly archive of audit checklists! We hope these weekly lists will help you as you build your personalized checklist for auditing your own organizations. We know that sometimes it can be difficult to research each of these topics, so hopefully these lists will help save you some time when you are researching your audit scope.

This week’s focus is on audit checklists for change management programs. We are still trying to alternate between technical security controls and operational security controls. Effective change management programs are still essential to properly securing your information systems and we hope these checklists will assist you in your security efforts.

Audit Checklists for Assessing Change Management Programs:

ISACA

Institute for Internal Auditors (Old Link Removed)

UnifiedCompliance.com (Old Link Removed)

Wikipedia

AuditNet

We hope everyone will enjoy and use these tools this week. If you have suggestions or ideas for future audit checklists or tools, please let us know, we’d love to hear your feedback.

Checklists a Day: Web Application Audit Checklists (Week in Review – January 25, 2010)

Last week we returned to the more traditional approach of posting audit checklists that were just that – checklists for auditing controls. We try our best to alternate between postings on how to audit technical controls and how to audit process based controls. Last week we took the technical approach and posted checklists for how to audit web applications that you might encounter.

Of course I always have my biases. I really like the work the people at OWASP have contributed on this topic and I think you’ll find their assessment methodology quite comprehensive. But check them all out as you prepare for your reviews. Smashing Magazine especially has a great list of business-oriented assessment questions to consider when you’re auditing your applications as well.

In addition to the checklists, I also noticed that Fortify is getting into the SaaS / Cloud / whatever you want to call it space and doing on-demand assessments of applications (web applications included). Here’s a link to their Fortify on Demand product suite:

Audit Checklists for Assessing Web Applications:

OWASP

Business Questions

Certified Secure

Microsoft

SANS (Old Link Removed)

We hope everyone will enjoy and use these tools this week. If you have suggestions or ideas for future audit checklists or tools, please let us know, we’d love to hear your feedback.

Daily IT audit checklists via Twitter (free)

As a part of our effort to provide resources to the audit community we have been sending everyone free audit checklists daily via Twitter. Simply follow @isaudit on Twitter to get the latest free checklists.

We try to focus on one topic every week that we think will be useful to the community. Last week we covered a technical topic (web application auditing) and this week we’ve moved to process controls (auditing change management programs). We try to pick another interesting topic once per week (and yes, we do take requests).

Or if you’re looking for a more personal touch and want to learn about or discuss information security or audit topics, feel free to send me a note at @jamestarala.

Using social media to promote good security…

Checklists a Day: Week in Review – January 25, 2010

This week we took a slightly different approach than our normal audit checklist postings. Many times, especially when we take a look at bigger picture issues, like risk assessment, we receive questions on how to make these issues practical. If risk assessment is so important, how do we actually perform a risk assessment?

There are a number of ways to go about this, ranging from simple Excel worksheets to more complicated approaches to assessment. There are even software tools that you can purchase that can help you implement your programs. This week we are focusing on a few of the more popular frameworks for risk assessment that are available. You don’t need to learn all of these, but you should consider picking one such framework and fully utilizing it to help you manage your IT risk.

Here are a few of the frameworks that are available that we think might be helpful to you as you make this topic practical for your organization:

Risk Management Frameworks:

OCTAVE

FAIR

COSO

NIST RM

ISACA RiskIT

We hope everyone will enjoy and use these tools this week. If you have suggestions or ideas for future audit checklists or tools, please let us know, we’d love to hear your feedback.

Checklists a Day: Week in Review – January 18, 2010

This week we will be focusing our checklists on guides that will help you to assess your risk management programs. Oftentimes we like to say that risk management drives our audit programs and it drives our information security programs – but how do we know our risk management programs work? I have seen some companies run asset inventories and call that a risk assessment. I’ve seen other companies run vulnerability scans of their systems and call that a risk assessment. What is a risk assessment, and how do I know if it meets my business needs? This week’s resources try to answer those questions and a little more.

We’ll post a summary again next week – or follow us live at @jamestarala and @isaudit! This week’s tweets are focused on risk management models for those of you trying to decide which model works best for you. We hope you enjoy them.

Risk Management Checklists & Security Guides

NIST 800-30 on Risk Assessment

Risk Assessment Resources from the University of GA

Truth 2 Power on Assessing Risk Management

Resources from the State of Ohio EPA

Resources from the State of DE

We hope everyone will enjoy and use these tools this week. If you have suggestions or ideas for future audit checklists or tools, please let us know, we’d love to hear your feedback.

Automating Audit Tests with Eventtriggers.exe (20 Critical Control Scripting Tip)

One of the issues that we have been dealing with extensively lately is the issue of auditing and automation. This has most often been raised when we’ve been discussing how to automate control assessments in conjunction with implementing the 20 Critical Controls. One of the core principles of the 20 Critical Controls is that organizations need to have the ability to automate security assessments in order to reduce risk detection times and allow for a more prompt response to detected threats.

One way to assist with the automation of any given assessment is to script your assessments and automate the scripts you write. This way your tests can work for you and can automatically respond in some way should a particular event be discovered. Rather than creating a mechanism to perform detection and alerting from scratch, why not use a mechanism that’s already built into most Microsoft Windows versions you’re already running? The Windows Event Log is a great place to start.

First, you can use a command such as EventCreate to generate new event log entries as a result of a particular action in your scripts. For example, if you use nmap with PBNJ to look for new hosts on your network (think critical control #1), then you could use EventCreate to generate an event log entry every time a new device is discovered. Or, for example, let’s say you use WMIC to list startup items on a machine (think critical control #2), then you could use EventCreate to generate an event log entry every time a new startup entry is added. Get the idea? Use built-in Windows tools to support your automation efforts – and all it costs is a little sweat equity and trial with built-in tools!
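Here is the startup-items case from the paragraph above worked through as a PowerShell script. It is an added example, not code from the original post: it pulls the same inventory WMIC gives you, diffs it against a saved baseline, and writes one Application log event per new entry with eventcreate.exe, so an event trigger or log collector can react to it. The baseline path, event ID 900 and the source name AuditScripts are assumptions chosen for the example.

```powershell
# Added example (not from the original post): report new startup entries
# (Critical Control #2 inventory drift) to the Windows Application log.
$Baseline = 'C:\AuditScripts\startup-baseline.txt'   # assumed path
$EventId  = 900                                       # assumed custom ID (eventcreate allows 1-1000)
$Source   = 'AuditScripts'                            # assumed event source name

# Current startup commands, the same data "wmic startup list" returns,
# normalised to one "Name|Command|Location" line each.
$Current = @(Get-CimInstance -ClassName Win32_StartupCommand |
    ForEach-Object { '{0}|{1}|{2}' -f $_.Name, $_.Command, $_.Location } |
    Sort-Object -Unique)

if (-not (Test-Path -Path $Baseline)) {
    # First run: there is nothing to compare against yet, so record the
    # baseline and exit. Review this file by hand once before trusting it.
    $Current | Set-Content -Path $Baseline
    exit 0
}

# Anything present now but absent from the baseline is a new entry.
$Known = @(Get-Content -Path $Baseline)
$New   = $Current | Where-Object { $_ -notin $Known }

foreach ($entry in $New) {
    # Strip double quotes so the description survives native argument quoting.
    # Registering a new /SO source the first time needs administrative rights.
    $desc = ('New startup entry detected: ' + $entry) -replace '"', "'"
    eventcreate.exe /L APPLICATION /T WARNING /ID $EventId /SO $Source /D $desc | Out-Null
}

# Refresh the baseline so each new entry is reported only once; the event
# log keeps the history of what appeared and when.
$Current | Set-Content -Path $Baseline
```

Schedule the script to run periodically and point your event trigger at source AuditScripts, event ID 900, to get the alerting step the post goes on to describe.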

For more details on how to use EventCreate, check out these resources to get started:

Microsoft TechNet Reference on EventCreate:

http://technet.microsoft.com/en-us/library/bb490899.aspx

Microsoft Support article for creating custom event log entries:

http://support.microsoft.com/kb/324145

For details on how to use eventtriggers in more depth, here are a couple resources that will help to get you started:

Microsoft TechNet Reference on EventTriggers.exe:

http://technet.microsoft.com/en-us/library/bb490901.aspx

Petri.co.il Article on EventTriggers.exe:

http://www.petri.co.il/how-to-use-eventtriggersexe-to-send-e-mail-based-on-event-ids.htm

In addition to automating tasks with the eventtriggers.exe command, you may also want to consider command line e-mail tools which can be used to generate an e-mail as a result of an action in your command line tool. Two such free command line tools that you may want to consider are:

Blat (http://www.blat.net/)

Bmail (http://www.beyondlogic.org/solutions/cmdlinemail/cmdlinemail.htm) (Old Link Removed)

To run either of these tools you will need to have access to an active mail server, although thankfully it does not need to listen on tcp/25 – but you do have to use the SMTP protocol. While security by obscurity is certainly no singular way to protect your system, running administrative mail servers like this on alternate ports can never hurt!

Checklists a Day: Week in Review – January 4, 2010

Now that the New Year has begun, we’re back in the saddle providing audit checklists and resources that we hope will help auditors and information security professionals in general with their daily jobs. There are a lot of really good resources on the web that we can take advantage of, but the trouble is, who has the time to find them? It turns out we do. And as we find these resources we hope it will make your lives easier by showing you some of the audit resources that are already out there for you.

This last week our focus for the week was on security metrics and organizations that have provided resources on security metrics. More and more when we’re at conference venues we have students asking us if we have resources on security metrics. Especially students of the 20 Critical Controls have been asking us – who else is providing security metrics? Here are a few for you to consider.

We’ll post a summary again next week – or follow us live at @jamestarala and @isaudit! This week’s tweets are focused on risk management resources and checklists for evaluating risk management programs. We hope you enjoy them.

Security Metric Checklists & Security Guides:

Security Metrics from the 20 Critical Controls

The Center for Internet Security Metrics Guide (Old Link Removed)

ISECOM RAVs (Old Link Removed)

NIST 800-55

NIST IR-7502 (Old Link Removed)

We hope everyone will enjoy and use these tools this week. If you have suggestions or ideas for future audit checklists or tools, please let us know, we’d love to hear your feedback.

Checklists a Day: Week in Review – October 5, 2009

So as promised, this last week we focused on the Software Development Lifecycle (SDLC) and how to audit an SDLC in an organization. As usual we also wanted to make sure that we gave everyone some fun technical tools to play with, so to keep with the theme we tweeted on tools that you could use to perform automated fuzzing tests on applications. There are a number of other tools we could have also addressed, and we could go on for a few weeks giving you tools, but hopefully you’ll have a good starter list of tools to use now.

This week’s tweets have been a little more random on the checklists we’ve chosen, but the tools will all be consistent. We’re going to focus the tools this week on free tools that Microsoft has embedded in the operating system to give auditors a hand with how to perform assessments against user accounts in an Active Directory environment. I hope you enjoy them!

We’ll post again next week – or follow us live at @jamestarala and @isaudit!

SDLC Audit Checklists & Security Guides:

SDLC Checklist from Baylor University

SDLC Checklist from ISACA

SDLC Resources from Microsoft

White Box Fuzzing Checklist

Checklist for Auditing IT Contracts

Fuzzing Tools for Auditing Applications:

OWASP WSFuzzer

Wapiti

Microsoft MiniFuzz

iDefense’s Tools

HD Moore’s Axman

We hope everyone will enjoy and use these tools this week. If you have suggestions or ideas for future audit checklists or tools, please let us know, we’d love to hear your feedback.

Checklists a Day: Week in Review – September 28, 2009

So this week we’re back from Tweet-cation, and back to posting audit checklists and tools for everyone to enjoy. Last week I was teaching in San Diego for SANS Network Security and now I’m back and back on the bandwagon. We know everyone’s busy and it’s easy to miss some of these references, so here you go in blog format – which can now be indexed FOREVER by the Google Gods.

This last week’s topic was web application assessment, and we’ll continue the trend via Twitter this week with audit checklists for evaluating an SDLC and tools for fuzzing applications to boot! Not following me on Twitter yet? The handles are @isaudit and @jamestarala.

Web Application Audit Checklists & Security Guides:

OWASP Web Application Checklist

Web Application Basic & Advanced Checklists

Microsoft – Web App Architecture

Basic SANS Institute Checklist

Tools for Auditing Web Applications:

W3AF

HP WebInspect

Wikto

IBM AppScan

We hope everyone will enjoy and use these tools this week. If you have suggestions or ideas for future audit checklists or tools, please let us know, we’d love to hear your feedback.

Checklists a Day: Week in Review – September 7, 2009

Each week via Twitter we post a daily audit checklist tweet for all the IS auditors and security administrators out there in the tweet-o-sphere. But, we realize not everyone is ready for Twitter, and many of you are still resisting (you can keep trying, but eventually you will give in and start tweeting, everyone will eventually…), so we’ve decided to start posting them in our blog as well. So once each week we’ll post the audit checklists and audit tools that we posted into Twitter here in our blog as well. This way everyone will have a chance to enjoy all the audit fun!

This week’s focus is on auditing segregation of duties controls and tools that you can use for auditing file system access controls. As usual we try to offer a mix of commercial plus free tools for you to try out and we hope you enjoy them. On the checklist side we’ve also included a few matrices that you can use to evaluate position descriptions within your organization as well. Hopefully you can include these in your audit plans, regardless of the technical systems you’re evaluating.

Segregation of Duties Audit Checklists & Security Guides:

Segregation of Duties #1

Segregation of Duties #2

Segregation of Duties #3

Segregation of Duties #4

Segregation of Duties #5 (Old Link Removed)

Tools for Auditing File Access Controls:

Access Auditor

Quest Active Roles

Microsoft Xcacls

Sysinternals AccessEnum

File Server Change Reporter

We hope everyone will enjoy and use these tools this week. If you have suggestions or ideas for future audit checklists or tools, please let us know, we’d love to hear your feedback.