
Beware of Phishing – Spam Attempt or just Bad PR?

A few weeks back I received an email with an offer to review an audit tool by a company named Netwrix. In exchange, the company said they would share my review with their 60,000 contacts, which would drive some traffic to my blog. Shane and I researched the tool and it looked like something our readers might value, but we were skeptical [...]

By | 2020-01-17T21:27:24+00:00 | December 29th, 2014 | IT Audit & Compliance | 4 Comments

SCRUM Development Explained in 10 Minutes

Scrum is a software development framework for managing source code development. Scrum breaks large projects down into more manageable chunks that can be developed and tested individually. Breaking larger projects into component projects aids the efficiency and quality of product development by setting short-term goals that ultimately add value to the larger product. As an IT Audit and Security Consultant [...]

By | 2020-01-17T21:27:31+00:00 | December 25th, 2014 | Cyber Risk Management, IT Audit & Compliance | 0 Comments

Pen Testing: SQL Injection/Injection Flaws

What are SQL Injections/Injection Flaws? Injection flaws allow attackers to run a malicious command or block of malicious code on the back-end (the database) of a targeted web-based application. For example, an attacker may send instructions to a vulnerable back-end database via an SQL command to manipulate the functionality of an application or to steal data. These injected database instructions (hence the [...]

By | 2020-01-17T21:28:49+00:00 | December 18th, 2014 | Cyber Risk Management | 0 Comments

Performing a Physical Security Audit

Photo from security.honeywell.com

Physical security audits are designed to ensure that data and information technology infrastructure are protected from malicious and/or unintentional acts of harm. That includes preventing hackers from plugging directly into your machines to steal data, or preventing a clumsy co-worker from spilling coffee on a server rack. Physical security audits are most common for data centers and [...]

Payment Tokenization: the Future of Electronic Transactions

Credit card data is notoriously susceptible to theft (Home Depot and Target). The problem stems from the use of a single set of data points to authenticate your card for payment. For example, when you visit a merchant or online retailer, a single number, expiration date and CVV (card verification code) are used again and again for all purchases, everywhere, for years. This gives [...]

By | 2020-01-17T21:28:51+00:00 | December 11th, 2014 | IT Audit & Compliance | 0 Comments

Pen Testing: Cross Site Scripting (XSS)

What is Cross Site Scripting (XSS)? Cross Site Scripting (XSS) is the first test in a series on the controls that exist to protect user data, prevent fraud and secure the organization's web application and environment. Cross Site Scripting (XSS) is a common application-layer web attack that, despite originating from a website, is actually executed on the user's computer. In this [...]

By | 2020-01-17T21:29:04+00:00 | December 4th, 2014 | Cyber Risk Management | 0 Comments

Change Management: Externally Initiated Changes & Control Environment

As previously discussed, there are three key change management life cycles that exist within most organizations:

1. Internally Initiated Changes - Changes that are internally initiated and controlled (i.e., periodic software updates, scheduled patches, requests from employees, etc.)
2. Externally Initiated Changes - Changes that are initiated from entities outside the company - typically by a client (i.e., software fixes, unscheduled [...]

By | 2020-01-17T21:29:06+00:00 | December 1st, 2014 | Cyber Risk Management, IT Audit & Compliance | 0 Comments

Network Security: Chinese Hackers, Google, and the NSA

It is a good idea to have a few anecdotes in your back pocket to put I.T. Security and the importance of I.T. Audit into context. This article by Shane Harris is a great place to start when it comes to understanding the depth and breadth of Chinese hacking and protecting your company's and your clients' data. Hacked by the Chinese Government Google [...]

By | 2020-01-17T21:29:11+00:00 | November 27th, 2014 | IT Audit & Compliance | 1 Comment

Change Management: Internally Initiated Changes & Control Environment

The Change Management Process (a.k.a. CMLC) is one of the most vital processes for any IT Auditor or Security professional to understand when assessing an organization's risk universe. In general, there are three key change management life cycles that exist within most organizations:

1. Internally Initiated Changes - Changes that are internally initiated and controlled (i.e., periodic software updates, scheduled patches, requests [...]

By | 2020-01-17T21:29:11+00:00 | November 24th, 2014 | Cyber Risk Management, IT Audit & Compliance | 6 Comments