Network Security: Chinese Hackers, Google, and the NSA

It is a good idea to have a few anecdotes in your back pocket to put I.T. Security and the importance of I.T. Audit into context. This article by Shane Harris is a great place to start when it comes to understanding the depth and breadth of Chinese Hacking and protecting your company's and your client's data. Hacked by the Chinese Government Google [...]

By |2020-01-17T21:29:11+00:00November 27th, 2014|IT Audit & Compliance|1 Comment

Change Management: Internally Initiated Changes & Control Environment

The Change Management Process (a.k.a CMLC) is one of the most vital processes for any IT Auditor or Security professional to understand when assessing an organization's risk universe. In general, there are three key change management life cycles that exist within most organizations: 1. Internally Initiated Changes - Changes that are internally initiated and controlled (i.e., periodic software updates, scheduled patches, request [...]

By |2020-01-17T21:29:11+00:00November 24th, 2014|Cyber Risk Management, IT Audit & Compliance|6 Comments

Your Home Router Could Be Vulnerable

Photo from Belkin.com. A major vulnerability in the Belkin n750 router could allow hackers to activate the guest network functionality and join your network without any authentication requirements. How to fix the vulnerability Fortnuately, Belkin has already patched the issue so the only thing you need to do to solve the problem if you own a Belkin n750 is update the firmware. [...]

By |2020-01-17T21:29:17+00:00November 20th, 2014|Cyber Risk Management|2 Comments

Auditing Administrators in Active Directory

Note: For this post I am operating under the assumption that you have a basic understanding of what Active Directory is and why a company uses it. If you do not have that basic understanding try these articles in Wikipedia or Microsoft. Control Statement Administrative access to the network (Active Directory) is limited to appropriate individuals based on job duty and [...]

By |2020-01-17T21:29:18+00:00November 17th, 2014|Cyber Risk Management|2 Comments

Analysis of Strong VS Weak Passwords

Data breaches are a dime a dozen these days. But when hackers steal databases full of customer info, login names and passwords, the passwords themselves aren’t usually sitting out in plain sight. Typically the passwords will be cryptographically hashed.Hashing a password is the process of taking a string of any length (the password in this example) and producing a fixed length [...]

Online Voting and IT Security

Some election officials are considering a method to allow voters to cast their votes via email. Hypothetically, this would allow voters to more easily cast their ballots and allow voters who are unable to make it to the polls (disabled or out-of-the-country, for example) to participate in the election process. Some cyber-security experts; however, believe this opens the door to wide-spread ballot tampering. [...]

By |2020-01-17T21:29:21+00:00November 12th, 2014|IT Audit & Compliance|1 Comment

Can I Use a Screenshot as Audit Evidence?

There are a lot of situations where the easiest way to provide information to an auditor is via a screenshot. For example, sometimes administrator listings from Active Directory or password configuration settings are so plainly obvious by the screenshot that the natural inclination of the Network Admin is to take a screenshot and send it to the auditor as evidence. But the question [...]

By |2020-01-17T21:29:21+00:00November 10th, 2014|IT Audit & Compliance|5 Comments

What is a Stateful Firewall

Stateful refers to the “state” of the connection between the outside internet and the internal network. A stateful firewall keeps track of the connections in a session table. When a packet comes in, it is checked against the session table for a match. If a match is made, the traffic is allowed to pass on to its destination. Older firewalls (Stateless) [...]

By |2020-03-09T00:59:48+00:00November 6th, 2014|Cyber Risk Management|2 Comments

There are no good I.T. Audit Blogs

Results courtesy of Google.com. It's true. There aren't. I've Googled it and I can't find a single I.T. Audit blog I find helpful. Most of the I.T. Audit related sites out there either claim to be "I.T. Security" blogs or are so specific and so technical that they are almost always unusable to the layman or manager who doesn't [...]

By |2020-01-17T21:29:24+00:00November 4th, 2014|IT Audit & Compliance|2 Comments