Page 1: The Value of Experience 5/12/08 IT Auditing So easy, a caveman can do it… Lee Barken, CPA, CISSP, CISA, CCNA, MCP lbarken@hwcpa.com

The Value of Experience

5/12/08

IT Auditing
So easy, a caveman can do it…

Lee Barken, CPA, CISSP, CISA, CCNA, MCP (lbarken@hwcpa.com)

Page 2

Auditing IT Controls

Why should I care?

Because I have to:
• Sarbanes-Oxley (SOX)
• SAS 94

Because I want to:
• I’m losing sleep.
• It just makes sense…

Page 4

Control Objective

“An IT Control Objective is defined as a statement of the desired result or purpose to be achieved by implementing control procedures in a particular activity.”

- COBIT

Page 5

Control Activity

“The policies, procedures, practices, and organizational structures designed to provide reasonable assurance that business objectives will be achieved, and that undesired events will be prevented or detected and corrected.”

- COBIT

Page 9

Real-World Example

Page 12

Oops…

“Hey, we need some internal controls!”

Committee

Page 13

Policy

Thou shalt not speed.

Page 14

Control Objective

Control Objective = Car Safety

(Risk = Crashes are Bad.)

Page 15

Control Activities

Page 17

Evaluating Risk

When performing a risk analysis, you must consider:

• Probability (likelihood)
• Severity (impact)

[Chart: Probability (likelihood) on one axis and Severity (impact) on the other, each running from Low to High; the example risk “Crashes are Bad” is plotted by its P and S.]

Page 19

COBIT

COBIT (COFIRT?) = Control Objectives for Information and related Technology

• Published by ISACA (Information Systems Audit and Control Association)
• A set of best practices, i.e. “a Framework”
• 4 Domains
  – Plan and Organize, Acquire and Implement, Deliver and Support, Monitor and Evaluate
• 34 Process Areas
• 318 Control Objectives

Page 20

IT Control Objectives

Control Objective = Prevent unauthorized access.

(Risk = Unauthorized access is bad.)

Page 21

IT Control Activities

Control Activity = Restrict access to authorized individuals. How? Passwords!

• Password minimum length is 8 characters.
• Password complexity is enabled.

Page 22

Password Controls

Example: 6 Character Password, No Complexity

• Upper Case (26) ABCDEFGHIJKLMNOPQRSTUVWXYZ
• Lower Case (26) abcdefghijklmnopqrstuvwxyz
• Numbers (10) 0123456789
• 26 + 26 + 10 = 62 possibilities for each character
• 62 ^ 6 = 56,800,235,584 unique password permutations

Permutations / Combinations

Page 24

Password Controls

Example: 8 Character Password, w/Complexity

Upper Case (26) ABCDEFGHIJKLMNOPQRSTUVWXYZ

Lower Case (26) abcdefghijklmnopqrstuvwxyz

Numbers (10) 0123456789

Symbols (32) !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~

26 + 26 + 10 + 32 = 94 possible characters

94 ^ 8 = 6,095,689,385,410,816 unique password permutations

Page 25

Password Controls

Brute Force Attack

• Cain & Abel
  – http://www.oxid.it/cain.html

Page 26

Password Controls

Brute Force Attack
Try every possible permutation in a given keyspace.

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaab

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaac

…………………………………………………………………

…………………………………………………………………

zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz

Page 27

Password Controls

• My slow, crappy laptop = 3,000,000 guesses per second

• 6 characters, Upper/Lower/Numbers (62)
  – 62 ^ 6 = 56,800,235,584 unique password permutations → 5 Hours

• 8 characters, Upper/Lower/Numbers/Symbols (94)
  – 94 ^ 8 = 6,095,689,385,410,816 unique password permutations → 64 Years

Page 29

Password Controls

• Medium Sized Cluster = 1,000,000,000 guesses/second

• 6 characters, Upper/Lower/Numbers (62)
  – 62 ^ 6 = 56,800,235,584 unique password permutations → 57 Seconds

• 8 characters, Upper/Lower/Numbers/Symbols (94)
  – 94 ^ 8 = 6,095,689,385,410,816 unique password permutations → 71 Days

Page 31

Password Controls

Where do you stand?
• Medium Sized Cluster = 1,000,000,000 guesses/second

                 No Complexity (62 characters)   Complexity (94 characters)
4 characters     .01 seconds                     .08 seconds
5 characters     .92 seconds                     7.34 seconds
6 characters     57 seconds                      11.5 minutes
7 characters     59 minutes                      18 hours
8 characters     2.5 days                        71 days
9 characters     6.5 years                       276 years
10 characters    405 years                       25,975 years

Legend (cell shading in the original): Great! / So-So / Doo-Doo
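An added example, not part of the original slides, that recomputes the keyspace sizes and time-to-exhaust figures of pages 22 to 31 from the deck's own alphabet sizes and guess rates, so the table can be rebuilt for any length, alphabet or rate. The 4- to 8-character rows reproduce the slide; for 9 and 10 characters the arithmetic gives about 157 days and 18 years (62 and 94 characters) and 27 and 1,708 years, not the 6.5, 276, 405 and 25,975 years shown, which match days divided by 24 instead of 365. The human() formatter is my own convenience and assumes a 365-day year.

```python
# Added example (not from the slides): recompute the deck's keyspace sizes and
# time-to-exhaust figures from its own alphabet sizes and guess rates, so the
# "Where do you stand?" table can be rebuilt for any length, alphabet or rate.

# Character classes exactly as the slides count them.
UPPER, LOWER, DIGITS, SYMBOLS = 26, 26, 10, 32
NO_COMPLEXITY = UPPER + LOWER + DIGITS            # 62 possible characters
COMPLEXITY = UPPER + LOWER + DIGITS + SYMBOLS     # 94 possible characters

LAPTOP_RATE = 3_000_000        # guesses/second: "my slow, crappy laptop"
CLUSTER_RATE = 1_000_000_000   # guesses/second: "medium sized cluster"


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int, rate: int) -> float:
    """Worst case for the defender's model: every candidate is tried once."""
    return keyspace(alphabet_size, length) / rate


def human(seconds: float) -> str:
    """Render seconds in the largest unit >= 1; assumes a 365-day year."""
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.2f} {name}"
    return f"{seconds:,.2f} seconds"


def where_do_you_stand(rate: int = CLUSTER_RATE, lengths=range(4, 11)) -> dict:
    """Rebuild the slide's table: length -> (62-character time, 94-character time)."""
    return {n: (human(seconds_to_exhaust(NO_COMPLEXITY, n, rate)),
                human(seconds_to_exhaust(COMPLEXITY, n, rate)))
            for n in lengths}


if __name__ == "__main__":
    print(f"{'length':>6}  {'62 characters':>18}  {'94 characters':>18}")
    for n, (weak, strong) in where_do_you_stand().items():
        print(f"{n:>6}  {weak:>18}  {strong:>18}")
```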

Page 32

Password Controls

What can we do?
• >= 8 Characters
• Enable Password Complexity

Page 33

Password Controls

What else can we do?
• Maximum Password Age < 60-90 days

Page 34

Password Controls

Any more that we can do?
• Enforce Password History
• Minimum Password Age

Password Expires: (xyz) → Change Password: (abc) → Change Password again: (xyz)

Page 35

Kodak Moment

There are good reasons to enforce password controls:

• >= 8 Characters
• Enable Password Complexity
• Maximum Password Age < 60-90 days
• Enforce Password History
• Minimum Password Age
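An added example, not from the slides, that models the five controls listed on pages 32 to 35 and replays the xyz → abc → xyz sequence from page 34 to show why password history alone does not stop it and why a minimum password age does. The thresholds, the "3 of 4 character classes" complexity rule and the sample passwords are my assumptions; the slides only give length >= 8 and a 60-90 day maximum age.

```python
# Added example (not from the slides): a small model of the account password
# controls the deck lists. It shows why "Enforce Password History" alone does
# not stop the xyz -> abc -> xyz cycle and why "Minimum Password Age" closes it.
from dataclasses import dataclass, field
from hashlib import sha256
import string

CLASSES = (string.ascii_uppercase, string.ascii_lowercase,
           string.digits, string.punctuation)   # 26 + 26 + 10 + 32, as on the slides

@dataclass
class PasswordPolicy:
    min_length: int = 8          # deck: ">= 8 Characters"
    complexity: bool = True      # assumed rule: at least 3 of the 4 classes
    history_depth: int = 24      # assumed: previous passwords that may not be reused
    min_age_days: int = 1        # assumed: days before the password may change again
    max_age_days: int = 90       # deck: "Maximum Password Age < 60-90 days"

@dataclass
class Account:
    policy: PasswordPolicy
    history: list = field(default_factory=list)   # digests, newest last
    last_change_day: int = 0

    def change_password(self, new_pw: str, today: int) -> tuple[bool, str]:
        p = self.policy
        if self.history and today - self.last_change_day < p.min_age_days:
            return False, "minimum password age not reached"
        if len(new_pw) < p.min_length:
            return False, f"shorter than {p.min_length} characters"
        if p.complexity and sum(any(c in cls for c in new_pw) for cls in CLASSES) < 3:
            return False, "complexity requirements not met"
        digest = sha256(new_pw.encode()).hexdigest()   # demo only, not real storage
        if digest in self.history[-p.history_depth:]:
            return False, "password found in history"
        self.history.append(digest)
        self.last_change_day = today
        return True, "password changed"

    def expired(self, today: int) -> bool:
        return today - self.last_change_day >= self.policy.max_age_days

def xyz_abc_xyz_cycle(min_age_days: int) -> list[str]:
    """Replay the slide's scenario with history depth 1; returns each attempt's message."""
    acct = Account(PasswordPolicy(history_depth=1, min_age_days=min_age_days))
    acct.change_password("Xyz!2008pass", today=0)            # original "xyz" (constructed)
    attempts = [("Abc!2008pass", 90), ("Xyz!2008pass", 90)]  # on expiry day: abc, then xyz again
    return [acct.change_password(pw, day)[1] for pw, day in attempts]
```

A history depth of 24 only lengthens the cycle to 24 throwaway changes in one sitting; the minimum age is what forces each of those changes to cost a day.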

Page 36

Where Are Your Risks?

It’s a big ocean…

How fast can I paddle?

Why is the sky blue?

What year was my kayak made?

Do I taste like chicken?

How fast can the shark swim?

How close am I to shore?

Page 38

Where Are Your Risks?

Evaluating IT Risks

• IIA (Institute of Internal Auditors)
  Guide to Assessment of IT Controls (GAIT)
  http://www.theiia.org/guidance/technology/gait/

• ISACA (Information Systems Audit and Control Association)
  IT Control Objectives for Sarbanes-Oxley, 2nd Edition
  http://www.isaca.org/Template.cfm?Section=Research2&CONTENTID=29763&TEMPLATE=/ContentManagement/ContentDisplay.cfm

Page 39

Where Are Your Risks?

Evaluating IT Risks

• IIA (Institute of Internal Auditors)
  Sarbanes-Oxley Section 404: A Guide for Management by Internal Controls Practitioners
  http://www.theiia.org/download.cfm?file=31866

Page 40

Where Are Your Risks?

• Password Controls
• User Access Controls
• New Hire Procedure
• Termination Procedure
• Program Changes (SDLC)
• Physical Security / Data Center
• E-Mail Retention
• Backups
• Disaster Recovery / Business Continuity
• Network Security
• <insert your fear here>

Page 41

User Access Controls

• Administrators
• Network Shares/Folders
• Financial Applications

Page 42

New Hire Procedure

• “Welcome to XYZ Corporation”

Page 43

Termination Procedure

• “Goodbye from XYZ Corporation”

Page 44

Program Changes (SDLC)

• In-house Software Development?

Page 45

Physical Security/Data Center

• Physical Access to the Server Room
• Environmental Controls

Page 46

E-Mail Retention

• Litigation
• Federal Rules of Civil Procedure

Page 47

Backups

• Data Loss

Page 48

Disaster Recovery/Business Continuity

• St*ff Happens

Page 49

Network Security

• Hackers and Evil-Doers

Page 50

<insert your fear here>

Page 51

16485 Laguna Canyon Road, 3rd Floor, Irvine, CA 92618
T (949) 450-6200   F (949) 753-1224

12707 High Bluff Drive, Suite 200, San Diego, CA 92130
T (858) 350-4215   F (858) 350-4218

IT Auditing
So easy, a caveman can do it…

Lee Barken, CPA, CISSP, CISA, CCNA, MCP (lbarken@hwcpa.com)

Questions?