1 / 51

5/12/08

IT Auditing So easy, a caveman can do it…. 5/12/08. Lee Barken, CPA, CISSP, CISA, CCNA, MCP lbarken@hwcpa.com. Auditing IT Controls. Why should I care?. Because I have to: Sarbanes Oxley (SOX) SAS94. Because I want to: I’m Loosing Sleep. It Just Makes Sense…. Auditing IT Controls.

baker-nolan
Download Presentation

5/12/08

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. IT AuditingSo easy, a caveman can do it… 5/12/08 Lee Barken, CPA, CISSP, CISA, CCNA, MCPlbarken@hwcpa.com

  2. Auditing IT Controls Why should I care? Because I have to: • Sarbanes Oxley (SOX) • SAS94 Because I want to: • I’m Loosing Sleep. • It Just Makes Sense…

  3. Auditing IT Controls Why should I care? Because I have to: • Sarbanes Oxley (SOX) • SAS94 Because I want to: • I’m Loosing Sleep. • It Just Makes Sense…

  4. Control Objective “An IT Control Objective is defined as a statement of the desired result or purpose to be achieved by implementing control procedures in a particular activity.” - COBIT

  5. Control Activity “The policies, procedures, practices, and organizational structures designed to provide reasonable assurance that business objectives will be achieved, and that undesired events will be prevented or detected and corrected.” - COBIT

  6. Control Activity “The policies, procedures, practices, and organizational structures designed to provide reasonable assurance that business objectives will be achieved, and that undesired events will be prevented or detected and corrected.” - COBIT

  7. Control Objective “An IT Control Objective is defined as a statement of the desired result or purpose to be achieved by implementing control procedures in a particular activity.” - COBIT

  8. Control Activity “The policies, procedures, practices, and organizational structures designed to provide reasonable assurance that business objectives will be achieved, and that undesired events will be prevented or detected and corrected.” - COBIT

  9. Real-World Example

  10. Real-World Example

  11. Oops…

  12. Oops… “Hey, we need some internal controls!” Committee

  13. Policy Thou shalt not speed.

  14. Control Objective Control Objective = Car Safety (Risk = Crashes are Bad.)

  15. Control Activities

  16. Control Activities

  17. Evaluating Risk High Low When performing a risk analysis, you must consider: • Probability (likelihood) • Severity (impact)

  18. Evaluating Risk High Low P S (Risk = Crashes are Bad.) Severity (impact) Probability (likelihood)

  19. COBIT COBIT (COFIRT?) = Control Objectives for Information and related Technology • Published by ISACA (Information Systems Audit and Control Association) • A Set of Best Practices, i.e. “a Framework” • 4 Domains • Plan and Organize, Acquire and Implement, Deliver and Support, Monitor and Evaluate • 34 Process Areas • 318 Control Objectives

  20. IT Control Objectives Control Objective = Prevent unauthorized access. (Risk = Unauthorized access is bad.)

  21. IT Control Activities Control Activity = Restrict access to authorized individuals. How? Passwords! • Password minimum length is 8 characters. • Password complexity is enabled.

  22. Password Controls Example: 6 Character Password, No Complexity • Upper Case (26) ABCDEFGHIJKLMNOPQRSTUVWXYZ • Lower Case (26) abcdefghijklmnopqrstuvwxyz • Numbers (10) 0123456789 • 26 + 26 + 10 = 62 possibilities for each character • 62 ^ 6 = 56,800,235,584 unique password permutations

  23. Password Controls Example: 6 Character Password, No Complexity • Upper Case (26) ABCDEFGHIJKLMNOPQRSTUVWXYZ • Lower Case (26) abcdefghijklmnopqrstuvwxyz • Numbers (10) 0123456789 • 26 + 26 + 10 = 62 possibilities for each character • 62 ^ 6 = 56,800,235,584 unique password permutations Combinations Permutations

  24. Password Controls Example: 8 Character Password, w/Complexity Upper Case (26) ABCDEFGHIJKLMNOPQRSTUVWXYZ Lower Case (26) abcdefghijklmnopqrstuvwxyz Numbers (10) 0123456789 Symbols (32) !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~ 26 + 26 + 10 + 32 = 94 possible characters 94 ^ 8 = 6,095,689,385,410,816 unique password permutations

  25. Password Controls Brute Force Attack • Cain & Abel • http://www.oxid.it/cain.html

  26. Password Controls Brute Force Attack Try every possible permutation in a given keyspace. aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaab aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaac ………………………………………………………………… ………………………………………………………………… zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz

  27. Password Controls • My slow, crappy laptop = 3,000,000 guesses per second • 6 characters, Upper/Lower/Numbers (62) • 62 ^ 6 = 56,800,235,584 unique password permutations • 8 characters, Upper/Lower/Numbers/Symbols (94) • 94 ^ 8 = 6,095,689,385,410,816 unique password permutations

  28. Password Controls • My slow, crappy laptop = 3,000,000 guesses per second • 6 characters, Upper/Lower/Numbers (62) • 62 ^ 6 = 56,800,235,584 unique password permutations • 8 characters, Upper/Lower/Numbers/Symbols (94) • 94 ^ 8 = 6,095,689,385,410,816 unique password permutations 5 Hours 64 Years

  29. Password Controls • Medium Sized Cluster = 1,000,000,000 guesses/second • 6 characters, Upper/Lower/Numbers (62) • 62 ^ 6 = 56,800,235,584 unique password permutations • 8 characters, Upper/Lower/Numbers/Symbols (94) • 94 ^ 8 = 6,095,689,385,410,816 unique password permutations

  30. Password Controls • My slow, crappy laptop = 3,000,000 guesses per second • 6 characters, Upper/Lower/Numbers (62) • 62 ^ 6 = 56,800,235,584 unique password permutations • 8 characters, Upper/Lower/Numbers/Symbols (94) • 94 ^ 8 = 6,095,689,385,410,816 unique password permutations 57 Seconds 71 Days

  31. Password Controls Where do you stand? • Medium Sized Cluster = 1,000,000,000 guesses/second Legend

  32. Password Controls What can we do? • >= 8 Characters • Enable PasswordComplexity

  33. Password Controls What else can we can do? • Maximum PasswordAge < 60-90 days

  34. Password Controls Any more that we can do? • Enforce PasswordHistory • Minimum Password Age Password Expires: (xyz) Change Password: (abc) Change Password again: (xyz)

  35. Kodak Moment There are good reasons to enforce password controls: • >= 8 Characters • Enable Password Complexity • Maximum Password Age < 60-90 days • Enforce Password History • Minimum Password Age

  36. Where Are Your Risks? It’s a big ocean…

  37. Where Are Your Risks? It’s a big ocean… How fast can I paddle? How fast can the shark swim? How close am I to shore? Why is the sky blue? What year was my kayak made? Do I taste like chicken?

  38. Where Are Your Risks? Evaluating IT Risks • IIA (Institute of Internal Auditors) Guide to Assessment of IT Controls (GAIT) http://www.theiia.org/guidance/technology/gait/ • ISACA (Information Systems Audit and Control Association) IT Control Objectives for Sarbanes-Oxley 2nd Edition http://www.isaca.org/Template.cfm?Section=Research2&CONTENTID=29763&TEMPLATE=/ContentManagement/ContentDisplay.cfm

  39. Where Are Your Risks? Evaluating IT Risks • IIA (Institute of Internal Auditors) Sarbanes-Oxley Section 404: A Guide for Management by Internal Controls Practitioners http://www.theiia.org/download.cfm?file=31866

  40. Where Are Your Risks? • Password Controls • User Access Controls • New Hire Procedure • Termination Procedure • Program Changes (SDLC) • Physical Security / Data Center • E-Mail Retention • Backups • Disaster Recovery / Business Continuity • Network Security • <insert your fear here>

  41. User Access Controls • Administrators • Network Shares/Folders • Financial Applications

  42. New Hire Procedure • “Welcome to XYZ Corporation”

  43. Termination Procedure • “Goodbye from XYZ Corporation”

  44. Program Changes (SDLC) • In-house Software Development?

  45. Physical Security/Data Center • Physical Access to the Server Room • Environmental Controls

  46. E-Mail Retention • Litigation • Federal Rules of Civil Procedure

  47. Backups • Data Loss

  48. Disaster Recovery/Business Continuity • St*ff Happens

  49. Network Security • Hackers and Evil-Doers

  50. <insert your fear here>

More Related