Blog: SANS Audit Advice & Resources

Detecting Audit Prep versus Good Processes in Place Part 2

This is the second part of two postings that touch upon the notion of an organization's IT personnel preparing for an audit versus having good practices in place. While the previous posting focused on the Windows environment (see Detecting Audit Prep versus Good Processes in Place - Part 1), this one will focus more on the Linux/UNIX side of things.

To somewhat mirror the previous blog entry, we'll look at when passwords were last changed, where some of the password controls may be, and when patching was last performed. One thing to keep in mind with UNIX/Linux, though: a particular technical control may not be implemented exactly the same way from flavor to flavor. That is, CentOS and openSUSE may do things one way, whereas Ubuntu does something a little differently, as will

...

Learning Powershell: How to Extract User Objects from Active Directory using Powershell!

Welcome to the show notes for our next episode! Last time we were talking about Powershell, demonstrating some different ways that we could use it to begin to automate some of our audit and administrative tasks, for example, pulling some information out of our Active Directory.

In this week's AuditCast we're going to continue on and try to modularize some of the code that we wrote last week. At the same time, we'll try to simplify, clean it up, and finally generalize it just a bit, to create something that we can use in many different tasks that we'll be examining over the next couple of weeks. Before starting the AuditCast, I actually did do one or two things that I've done

...

Identifying Inactive and Unnecessary User Accounts in Active Directory (with Powershell!!!)

A common question in an audit of information resources is whether or not accounts for users are being properly managed. One aspect of that is determining whether or not the accounts created are needed while another is looking for evidence that accounts for terminated users are being disabled or deleted in a timely fashion. An easy way to answer both of these questions is through the use of Active Directory queries! This screencast demonstrates exactly how to do just that.

While it's true that the information that we're looking for can be obtained directly from the Active Directory using tools like DSQuery and DSGet, in the long term I think it's far wiser to learn a little bit of basic

...

Detecting Audit Prep versus Good Processes in Place - Part 1

This is the first of two postings that will begin to address some ways to test something that hopefully you will only encounter rarely in your auditing career, but it is something that I have seen in a number of organizations that are in the earlier stages of the IT maturity model: audit preparation versus good practices in place. In some cases, you may be tipped off to this by how personnel are behaving before your technical test-work ever gets started. Too often I hear, "we're ready for the audit; we've spent the last month getting everything ready." In some of these cases, it can cause one to wonder whether or not they "get it". If you have prudent practices and processes in place, then there's little to "prepare" for.

In this blog entry, I'll focus on just two of the many possible scenarios where technical testwork may indicate signs of audit prep rather than good processes in place. You'll have to look at all of your testwork collectively in order to try and

...

IT Auditing with Minimal Intrusiveness

The information gathering process in an IT audit can be painstaking. In the past (and in some cases, this is still true), an auditor may sit with an IT admin and have them take screenshot after screenshot, and/or take notes while asking the custodian to show them the settings being tested. This is a slow and tedious process, and it inevitably limits the number of systems and settings that can be validated. It also leaves a lot on the table and can give a false sense of security, as there are many things that cannot be easily validated and tested using this method.

Today, there are a number of solutions available to assist with system configuration analysis and database testwork, but they can require purchasing expensive applications, installing third-party software on the systems to be tested, and in some cases, quite a bit of money. One less expensive alternative, and what I've been doing for a number of years now, is to use scripts that

...