Checklists a Day: Week in Review – September 7, 2009

Each week via Twitter we post a daily audit checklist tweet for all the IS auditors and security administrators out there in the tweet-o-sphere. But, we realize not everyone is ready for Twitter, and many of you are still resisting (you can keep trying, but eventually you will give in and start tweeting, everyone will eventually…), so we’ve decided to start posting them in our blog as well. So once each week we’ll post the audit checklists and audit tools that we posted into Twitter here in our blog as well. This way everyone will have a chance to enjoy all the audit fun!

This week’s focus is on auditing segregation of duties controls and on tools that you can use for auditing file system access controls. As usual we try to offer a mix of commercial and free tools for you to try out, and we hope you enjoy them. On the checklist side we’ve also included a few matrices that you can use to evaluate position descriptions within your organization. Hopefully you can include these in your audit plans, regardless of the technical systems you’re evaluating.

Segregation of Duties Audit Checklists & Security Guides:

Segregation of Duties #1

Segregation of Duties #2

Segregation of Duties #3

Segregation of Duties #4

Segregation of Duties #5 (Old Link Removed)

Tools for Auditing File Access Controls:

Access Auditor

Quest Active Roles

Microsoft Xcacls

Sysinternals AccessEnum

File Server Change Reporter

We hope everyone will enjoy and use these tools this week. If you have suggestions or ideas for future audit checklists or tools, please let us know, we’d love to hear your feedback.

Checklists a Day: Week in Review – August 31, 2009

This last week we focused on a series of operational security audit checklists and guides that didn’t follow one particular theme – they were checklists we found that we thought would generally be helpful to everyone. We also decided to give everyone a list of some of the more popular vulnerability assessment engines out there – both commercial and open source. If you’re not using one already, pick one free and one commercial tool – compare the results!

Please feel free to keep the requests coming. We’ll try to oblige as often as we can with new checklists based on your feedback.

Audit Checklists & Security Guides:

Security Update Process

Policy Inventory Checklist

Anti-Virus (Old Link Removed)

Handheld Devices

Data Center Physical Security

Tools for Vulnerability Management:

Tenable Security

eEye Digital Security

Qualys

OpenVAS

Rapid7

Checklists a Day: Week in Review – August 24, 2009

This last week we focused back on process controls and operational assurance. We listed checklists to help auditors evaluate an organization’s stance on privacy-based issues. We also listed tools that exist to help an organization better manage its audit program. Many of this past week’s tools were commercial, but sometimes those can be the best tool for the job.

This upcoming week will focus on additional operational controls, and we’ll throw in some choices for vulnerability assessment along the way.

Privacy Audit Checklists & Security Guides:

Privacy Checklist #1

Privacy Checklist #2

Privacy Checklist #3

Privacy Checklist #4

Privacy Checklist #5

Tools for Audit Program Management:

Archer Technologies

TeamMate

MetricStream

Paisley Enterprise GRC

Pentana Audit Work System (Old Link Removed)

Checklists a Day: Week in Review – August 17, 2009

We kept the technology focus last week and decided to post links to checklists and security guides that we thought would help people with their audits of Microsoft Windows systems. This may or may not be related to my migration to Windows 7 this week personally. What can I say though, I just can’t help myself sometimes. So enjoy your Windows audits. This coming week we’ll go back to some process controls. Enjoy the privacy checklists this week…

Microsoft Windows Audit Checklists & Security Guides:

General Windows Security

Microsoft Windows Vista

Microsoft Windows Server 2008

Microsoft Windows Server 2003

DISA Checklists for Windows

Microsoft Windows XP

Microsoft Windows Audit Tools:

Microsoft Baseline Security Analyzer

WinAudit

WinFingerprint (Link no longer available)

BelSecure

DISA Gold Disks (Old Link Removed)

Quest Reporter

Checklists a Day: Week in Review – August 10, 2009

So, from all the folks at Enclave Security, enjoy this week’s audit checklists and tools. This week we focused on firewall auditing. So all the checklists and tools are firewall focused this week.

Firewall Audit Checklists & Security Guides:

From University of North Carolina (UNC Cause)

From NIST

From Lance Spitzner

From the Center for Internet Security (Old Link Removed)

From the SANS Institute

Firewall Audit Tools:

Nmap v.5.0

Athena FirePac

Skybox Firewall Auditor

ManageEngine Device Expert

Hping

Checklists a Day: Week in Review – June 6, 2009

So, from all the folks at Enclave Security, enjoy this week’s audit checklists and tools.

Audit Checklists & Security Guides:

Auditing Public Companies (Old Link Removed)

Auditing Phone Systems

Auditing the Software Development Lifecycle (SDLC)

Auditing Access Controls (Old Link Removed)

Auditing Home Wireless Networks

Auditing Wireless Networks

Auditing Boundary Security (Old Link Removed)

Audit Tools:

Archer SmartSuite

(Audit Management Software)

WarVOX

(Phone System Audit Software)

W3AF

(Web Application Vulnerability Assessment Software)

LC6

(Password Auditing Software)

Kismac

(Wireless Auditing Software)

Vistumbler

(Wireless Auditing Software)

Nagios

(Network Management Software)

Password Assessment with LC6 – Why it Matters for Auditors

Last week the researchers over at the L0phtCrack team (Christien Rioux, Chris Wysopal, and Peiter Mudge Zatko) released a new version of their famous tool – l0phtcrack, this time known as LC6. The tool has finally returned from its long slumber and is now available for download and purchase from their website (http://www.l0phtcrack.com/index.html). And can I just say to these developers, Welcome back!

The million dollar question security engineers and auditors are probably asking right now is, why would I willingly pay for a password cracking tool when there are free tools like John the Ripper, LCP, and Cain & Abel available that will do the same thing?

Well, I’m glad you asked…

LC6 has a feature called “Display Passwords when Audited”, and it can be disabled.

That feature alone should make this the password cracking tool of choice for any security auditor. If you’re an auditor, do you really want to know what your users’ passwords are? Or do you simply want to know how long it takes to crack the passwords and whether they are in compliance with the organization’s password policies? It seems to me as an auditor, we want to protect our passwords and our hashes from inadvertent disclosure. What better way to do that than not displaying them at all?

Auditors, password assessment should be a part of your testing regimen, but only in a controlled manner and with proper management authorization. Although I don’t get any corporate sponsorship for saying this, I think we should consider LC6 to protect our integrity as auditors and yet still be able to test a critical system control.
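The same principle in a small script, added here as an illustration and not code from the post or from the L0phtCrack team: the audit tries an authorized wordlist against account hashes and reports only whether each account was cracked, how many candidates it took, how long it took, and whether the recovered password met an assumed minimum-length policy, never the password itself. The hashes, the wordlist and the SHA-256 hash format are constructed for the example (LC6 works on Windows hashes; SHA-256 is used only so it runs offline).

```python
import hashlib
import time

# Constructed sample data (not real accounts or credentials): SHA-256 of
# "Password1" and of a 14-character random-looking string. Real audits use
# the hash format of the system under test; SHA-256 is only so this runs offline.
SAMPLE_HASHES = {
    "alice": hashlib.sha256(b"Password1").hexdigest(),
    "bob": hashlib.sha256(b"x7$Kq9!mZpL2wR").hexdigest(),
}
# Constructed wordlist standing in for an authorized audit dictionary.
WORDLIST = ["letmein", "Password1", "welcome", "qwerty"]
MIN_LENGTH = 12  # assumed organizational policy minimum


def audit_hashes(hashes, wordlist, min_length=MIN_LENGTH):
    """Return an audit report that never contains a plaintext password.

    Per account the report keeps only: whether a wordlist match was found,
    how many candidates were tried, the elapsed time, and whether the
    matched password met the length policy (None if it was not recovered).
    """
    report = {}
    for account, digest in hashes.items():
        start = time.perf_counter()
        matched, tried = None, 0
        for candidate in wordlist:
            tried += 1
            if hashlib.sha256(candidate.encode()).hexdigest() == digest:
                matched = candidate
                break
        report[account] = {
            "cracked": matched is not None,
            "candidates_tried": tried,
            "seconds": round(time.perf_counter() - start, 6),
            # The policy is evaluated here and only the verdict is stored.
            "meets_length_policy": (len(matched) >= min_length) if matched else None,
        }
    return report


def findings(report):
    """Accounts an auditor would flag: their password was in the wordlist."""
    return sorted(a for a, r in report.items() if r["cracked"])


if __name__ == "__main__":
    rep = audit_hashes(SAMPLE_HASHES, WORDLIST)
    for account, result in rep.items():
        print(account, result)
    print("flagged:", findings(rep))
```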

Crack responsibly…

Checklists a Day: Week in Review – May 30, 2009

So, from all the folks at Enclave Security, enjoy this week’s audit checklists and tools.

Audit Checklists & Security Guides:

Auditing Microsoft Windows Vista Systems

Auditing Unix Systems

Auditing Outsourced Business Functions

Auditing Cisco Routers (Old Link Removed)

Auditing Bank ATM Machines (1)

Auditing Bank ATM Machines (2) (Old Link Removed)

Auditing Change & Patch Management (Old Link Removed)

Auditing Mac OS X Systems (Old Link Removed)

Audit Tools:

NEWT Professional

(Inventory & Assessment Tool)

Lynis

(Unix Audit Scripts)

Netifera

(Network Assessment Tool)

Nipper

(Network Device Audit Tool)

OpenVAS

(Vulnerability Assessment Tool)

Microsoft BSA

(Windows Security Assessment Tool)

ClamXav

(Mac OS X Anti-Malware Tool)