List AuditNet Audits. Handouts! 2011 ALGA Annual Conference. Kenneth J. Mory CPA, CIA, CISA City Auditor - City of Austin

Transcript

1 2011 ALGA Annual Conference Handouts! Kenneth J. Mory CPA, CIA, CISA City Auditor - City of Austin List AuditNet Audits KennethJ.MoryCIA,CPA,CISA CityAuditorCityofAustin

2 List ISACA Audits SocialEngineering Hacker Cracker Spoofing Botnet Zombie KillDisk SnowFlakeTheory CloudComputing CrosssiteScriptingVulnerability DOS(DenialofService)Attack Dictionary

3 ShadowSystem Malwaremalicioussoftware) RogueSoftware Scareware ZeroDayAttack PacketSniffer KeyboardCapture JudasThreat MIM(meninthemiddle)Attack STANDARDS Script Babies are inexperienced hackers who find the scripts on the internet and using those to hack in the system. IIAGlobalTechnologyAuditGuides(GTAG) ISO/IEC27001 ISO/IEC17799 CapabilityMaturityModelIntegration(CMMI) ControlObjectivesforInformationandrelatedTechnology(COBIT) FederalInformationSystemControlsAuditManual(FISCAM) SANSInstitute TheNationalInstituteofStandardsandTechnology(NIST) InformationSystemAuditandControlAssociation(ISACA)

4 InformationTechnologyInfrastructureLibrary(ITIL) THE TOP 500 WORST PASSWORDS OF ALL TIMES November 30th, 2008 by admin in News, Password Info THISHANDOUTINCLUDESOFFENSIVEWORDSthatwereleftonthislistasreportedto giveyouanaccuratelistingofwhatpeopleareactuallyusingaspasswordssoyoucan betterusetheinformationtoimprovethesecurityofyourentity.ifyoufeelthatyouwill beoffendedpleasestopreadingthishandoutnow. Ifyouseeyourpasswordonthislist,pleasechangeitimmediately. Everypasswordlistedherehasbeenusedbyhundredsifnot thousandsofotherpeople. ncc1701- thx1138 qazwsx ou Approximatelyoneoutofeveryninepeopleusesatleastonepasswordon thelistshownintable9.1!andoneoutofevery50peopleusesoneofthe top20worstpasswords... top500

5

6 Cain&Abel SystemRecovery JohntheRipper ProactivePasswordAuditor ProactiveSystemPasswordRecovery pwdump3 PASSWORD CRACKING SOFTWARE Cain&Abel chknull ElcomsoftDistributedPasswordRecovery ElcomsoftSystemRecovery JohntheRipper ophcrack Pandora ProactivePasswordAuditor ProactiveSystemPasswordRecovery pwdump3 RainbowCrack eblaster SpectorPro Keylogger KeyGhost DictionaryAttackSoftware BlackKnightList

7 REQUEST FOR CHANGE DOCUMENT SEGREGATION OF DUTIES CONTROL MATRIX

8 LIST OF TECHNICAL EXPOSURES

9 TOOLS TO ASSESS IT SECURITY VULNERABILITY Superscan Essentialnettoolis a set of network scanning, security, and administrator tools useful in diagnosing networks and monitoring the computer's network connections. NetScanToolPro Cain&Abel GFILanguard Nessus QualysGuard WebInspect Metasploit NetStumbler AirSnort FlukeWiFiAnalyzer

10 BASELINE SECURITY EVALUATION CHECKLIST WildPacketsOmni ElcomsoftWirelessSecurityAuditor Aircrack Kismet KisMAC

11 REVIEW OF BUSINESS CONTINUITY PROCESS IT Risk Framework ITGovernance Mission ITandBusinessAlignment PortfolioManagement ITRiskManagement Policy ITStrategy&Planning ITPlanning StrategicSourcing ITOrganization HumanResources AssetManagement ITProcesses PerformanceMeasuresandControls C u s t o m e r Technology ProjectManagement Change& Configuration Management ChangeManagement (Applications,Databases& Infrastructure) DataIntegrity EnterpriseSecurity DataCenter Operations DataSWRetention/Backup Cover User&Vendor Support V e n d o r DisasterRecovery&BusinessContinuity BusinessImpactAssessment Planning Communications/CrisisManagementPlans DisasterRecovery OngoingMaintenance/Updates Testing 2010 Western Regional Conference Infrastructure&Tools September 19-22, 2010 / Anaheim, CA, USA OperatingSystems DatabaseStructures Networks Hardware Locations Tools( ,EDI,Messaging,etc.)