IT Auditing So easy, a caveman can do it - PowerPoint PPT Presentation

1
IT Auditing: So easy, a caveman can do it
5/12/08
Lee Barken, CPA, CISSP, CISA, CCNA, MCP
lbarken@hwcpa.com
2
Auditing IT Controls

Why should I care?
  • Because I have to
    • Sarbanes-Oxley (SOX)
    • SAS 94
  • Because I want to
    • I'm Losing Sleep.
    • It Just Makes Sense

4
Control Objective

An IT Control Objective is defined as a
statement of the desired result or purpose to be
achieved by implementing control procedures in a
particular activity. - COBIT
5
Control Activity

The policies, procedures, practices, and
organizational structures designed to provide
reasonable assurance that business objectives
will be achieved, and that undesired events will
be prevented or detected and corrected. -
COBIT
9
Real-World Example

11
Oops

12
Oops
Hey, we need some internal controls!

Committee
13
Policy

Thou shalt not speed.
14
Control Objective
Control Objective: Car Safety (Risk: Crashes are bad.)
15
Control Activities
Evaluating Risk
  • When performing a risk analysis, you must consider:
    • Probability (likelihood)
    • Severity (impact)

18
Evaluating Risk
[chart: Probability (likelihood) on one axis, Severity (impact) on the other, plotting the risk "Crashes are bad"]
19
COBIT
  • COBIT (COFIRT?): Control Objectives for Information and related Technology
  • Published by ISACA (Information Systems Audit and Control Association)
  • A set of best practices, i.e. a framework
  • 4 Domains: Plan and Organize, Acquire and Implement, Deliver and Support, Monitor and Evaluate
  • 34 Process Areas
  • 318 Control Objectives

20
IT Control Objectives
Control Objective: Prevent unauthorized access. (Risk: Unauthorized access is bad.)
21
IT Control Activities
  • Control Activity: Restrict access to authorized individuals. How? Passwords!
    • Password minimum length is 8 characters.
    • Password complexity is enabled.

22
Password Controls
  • Example: 6 Character Password, No Complexity
  • Upper Case (26) ABCDEFGHIJKLMNOPQRSTUVWXYZ
  • Lower Case (26) abcdefghijklmnopqrstuvwxyz
  • Numbers (10) 0123456789
  • 26 + 26 + 10 = 62 possibilities for each character
  • 62^6 = 56,800,235,584 unique password permutations

23
Password Controls
  • Permutations vs. Combinations: order matters in a password, so 62^6 counts ordered strings (permutations with repetition), not unordered combinations.
24
Password Controls
  • Example: 8 Character Password, w/Complexity
  • Upper Case (26) ABCDEFGHIJKLMNOPQRSTUVWXYZ
  • Lower Case (26) abcdefghijklmnopqrstuvwxyz
  • Numbers (10) 0123456789
  • Symbols (32) !"'(),-./<>?@\ _
  • 26 + 26 + 10 + 32 = 94 possible characters
  • 94^8 = 6,095,689,385,410,816 unique password permutations
25
Password Controls
  • Brute Force Attack
  • Cain & Abel
  • http://www.oxid.it/cain.html

26
Password Controls
Brute Force Attack: Try every possible permutation in a given keyspace.
aaaaaa, aaaaab, aaaaac, ... zzzzzz
27
Password Controls
  • My slow, crappy laptop: 3,000,000 guesses per second
  • 6 characters, Upper/Lower/Numbers (62)
  • 62^6 = 56,800,235,584 unique password permutations
  • 8 characters, Upper/Lower/Numbers/Symbols (94)
  • 94^8 = 6,095,689,385,410,816 unique password permutations

28
Password Controls
  • Time to try every permutation at 3,000,000 guesses per second:
  • 6 characters (62^6 = 56,800,235,584): 5 Hours
  • 8 characters (94^8 = 6,095,689,385,410,816): 64 Years
29
Password Controls
  • Medium Sized Cluster: 1,000,000,000 guesses/second
  • 6 characters, Upper/Lower/Numbers (62)
  • 62^6 = 56,800,235,584 unique password permutations
  • 8 characters, Upper/Lower/Numbers/Symbols (94)
  • 94^8 = 6,095,689,385,410,816 unique password permutations

30
Password Controls
  • Time to try every permutation at 1,000,000,000 guesses/second:
  • 6 characters (62^6 = 56,800,235,584): 57 Seconds
  • 8 characters (94^8 = 6,095,689,385,410,816): 71 Days
31
Password Controls
  • Where do you stand?
  • Medium Sized Cluster: 1,000,000,000 guesses/second
[chart with legend]
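The keyspace and time-to-exhaust arithmetic from the password slides above, as an added example that is not part of the presentation: it reproduces the four slide figures (5 hours, 64 years, 57 seconds, 71 days) from the character-class counts and guess rates, and can be rerun for any length, alphabet or rate.

```python
# Keyspace sizes and exhaustive-search times for the "Password Controls" slides.

YEAR = 365 * 24 * 3600
DAY = 24 * 3600
HOUR = 3600

# Character classes as counted on the slides.
UPPER, LOWER, DIGITS, SYMBOLS = 26, 26, 10, 32


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of distinct passwords of exactly `length` characters drawn from an
    alphabet of `alphabet_size` symbols. Order matters and repeats are allowed,
    so this is alphabet_size ** length (the slides call these permutations)."""
    return alphabet_size ** length


def seconds_to_exhaust(space: int, guesses_per_second: int) -> float:
    """Worst case: every password in the keyspace is tried. On average an
    attacker hits the right one after about half this time."""
    return space / guesses_per_second


def human_time(seconds: float) -> str:
    """Round to the largest whole unit, the way the slides present it."""
    if seconds >= YEAR:
        return f"{round(seconds / YEAR)} years"
    if seconds >= DAY:
        return f"{round(seconds / DAY)} days"
    if seconds >= HOUR:
        return f"{round(seconds / HOUR)} hours"
    return f"{round(seconds)} seconds"


def crack_time(length: int, alphabet_size: int, guesses_per_second: int) -> str:
    """Human-readable time to exhaust the keyspace at the given guess rate."""
    space = keyspace(length, alphabet_size)
    return human_time(seconds_to_exhaust(space, guesses_per_second))


if __name__ == "__main__":
    for rate, label in ((3_000_000, "slow laptop"), (1_000_000_000, "medium cluster")):
        print(f"{label} at {rate:,} guesses/second:")
        print("  6 chars, upper/lower/digits: ", crack_time(6, UPPER + LOWER + DIGITS, rate))
        print("  8 chars, + symbols:          ", crack_time(8, UPPER + LOWER + DIGITS + SYMBOLS, rate))
```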
32
Password Controls
  • What can we do?
  • > 8 Characters
  • Enable Password Complexity

33
Password Controls
  • What else can we do?
  • Maximum Password Age < 60-90 days

34
Password Controls
  • Any more that we can do?
  • Enforce Password History
  • Minimum Password Age

The cycle these controls prevent: Password expires (xyz) -> Change password (abc) -> Change password again (xyz)
35
Kodak Moment
  • There are good reasons to enforce password controls:
  • > 8 Characters
  • Enable Password Complexity
  • Maximum Password Age < 60-90 days
  • Enforce Password History
  • Minimum Password Age

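The xyz -> abc -> xyz cycle from the slides above, simulated as an added example that is not from the presentation: a simplified model of the Enforce Password History and Minimum Password Age controls, using constructed account data. It also shows that history alone is beaten by changing the password enough times in a row, which is why the minimum age is listed alongside it.

```python
# Simulated password-change enforcement. Simplified model of the two Windows
# settings named on the slides, not a reimplementation of them.
from dataclasses import dataclass, field


@dataclass
class PasswordPolicy:
    enforce_history: int = 0  # most recent passwords (current one included) that may not be reused; 0 = off
    min_age_days: int = 0     # days a new password must be kept before the next change; 0 = off


@dataclass
class Account:
    password: str
    previous: list = field(default_factory=list)  # most recent first
    last_change_day: int = -90  # constructed: the expiring password was set 90 days ago


def change_password(acct: Account, policy: PasswordPolicy, new_password: str, today: int):
    """Apply both controls to a change request; returns (accepted, reason)."""
    if today - acct.last_change_day < policy.min_age_days:
        return False, "minimum password age not reached"
    remembered = ([acct.password] + acct.previous)[:policy.enforce_history]
    if new_password in remembered:
        return False, "password is in history"
    acct.previous.insert(0, acct.password)
    acct.password = new_password
    acct.last_change_day = today
    return True, "changed"


def cycle_back(policy: PasswordPolicy, fillers: list) -> tuple:
    """The slide's scenario: password xyz expires, the user sets each filler
    password in turn and then tries to set xyz again, all on the same day.
    Returns (final password, number of rejected change attempts)."""
    acct = Account(password="xyz")
    rejected = 0
    for candidate in list(fillers) + ["xyz"]:
        accepted, _ = change_password(acct, policy, candidate, today=0)
        rejected += 0 if accepted else 1
    return acct.password, rejected


if __name__ == "__main__":
    print("no controls:            ", cycle_back(PasswordPolicy(), ["abc"]))
    print("history=3, one change:  ", cycle_back(PasswordPolicy(enforce_history=3), ["abc"]))
    print("history=3, rapid cycle: ", cycle_back(PasswordPolicy(enforce_history=3), ["p1", "p2", "p3"]))
    print("history=3 + min age 1d: ", cycle_back(PasswordPolicy(enforce_history=3, min_age_days=1), ["p1", "p2", "p3"]))
```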
36
Where Are Your Risks?
It's a big ocean
37
Where Are Your Risks?
It's a big ocean
How fast can I paddle?
How fast can the shark swim?
How close am I to shore?
Why is the sky blue?
What year was my kayak made?
Do I taste like chicken?
38
Where Are Your Risks?
  • Evaluating IT Risks
  • IIA (Institute of Internal Auditors): Guide to Assessment of IT Controls (GAIT)
    http://www.theiia.org/guidance/technology/gait/
  • ISACA (Information Systems Audit and Control Association): IT Control Objectives for Sarbanes-Oxley, 2nd Edition
    http://www.isaca.org/Template.cfm?Section=Research2&CONTENTID=29763&TEMPLATE=/ContentManagement/ContentDisplay.cfm

39
Where Are Your Risks?
  • Evaluating IT Risks
  • IIA (Institute of Internal Auditors): Sarbanes-Oxley Section 404: A Guide for Management by Internal Controls Practitioners
    http://www.theiia.org/download.cfm?file=31866

40
Where Are Your Risks?
  • Password Controls
  • User Access Controls
  • New Hire Procedure
  • Termination Procedure
  • Program Changes (SDLC)
  • Physical Security / Data Center
  • E-Mail Retention
  • Backups
  • Disaster Recovery / Business Continuity
  • Network Security
  • <insert your fear here>

41
User Access Controls
  • Administrators
  • Network Shares/Folders
  • Financial Applications

42
New Hire Procedure
  • Welcome to XYZ Corporation

43
Termination Procedure
  • Goodbye from XYZ Corporation

44
Program Changes (SDLC)
  • In-house Software Development?

45
Physical Security/Data Center
  • Physical Access to the Server Room
  • Environmental Controls

46
E-Mail Retention
  • Litigation
  • Federal Rules of Civil Procedure

47
Backups
  • Data Loss

48
Disaster Recovery/Business Continuity
  • Stuff Happens

49
Network Security
  • Hackers and Evil-Doers

50
<insert your fear here>
51
IT Auditing: So easy, a caveman can do it
Lee Barken, CPA, CISSP, CISA, CCNA, MCP
lbarken@hwcpa.com
16485 Laguna Canyon Road, 3rd Floor, Irvine, CA 92618, T (949) 450-6200, F (949) 753-1224
12707 High Bluff Drive, Suite 200, San Diego, CA 92130, T (858) 350-4215, F (858) 350-4218