The Value of Experience 5/12/08 IT Auditing So easy, a caveman can do it… Lee Barken, CPA, CISSP, CISA, CCNA, MCP

Auditing IT Controls Why should I care? Because I have to: Sarbanes Oxley (SOX) SAS94 Because I have to: Sarbanes Oxley (SOX) SAS94 Because I want to: I’m Loosing Sleep. It Just Makes Sense… Because I want to: I’m Loosing Sleep. It Just Makes Sense…

Auditing IT Controls Why should I care? Because I have to: Sarbanes Oxley (SOX) SAS94 Because I have to: Sarbanes Oxley (SOX) SAS94 Because I want to: I’m Loosing Sleep. It Just Makes Sense… Because I want to: I’m Loosing Sleep. It Just Makes Sense…

Control Objective “An IT Control Objective is defined as a statement of the desired result or purpose to be achieved by implementing control procedures in a particular activity.” - COBIT

Control Activity “The policies, procedures, practices, and organizational structures designed to provide reasonable assurance that business objectives will be achieved, and that undesired events will be prevented or detected and corrected.” - COBIT

Control Activity “The policies, procedures, practices, and organizational structures designed to provide reasonable assurance that business objectives will be achieved, and that undesired events will be prevented or detected and corrected.” - COBIT

Control Objective “An IT Control Objective is defined as a statement of the desired result or purpose to be achieved by implementing control procedures in a particular activity.” - COBIT

Control Activity “The policies, procedures, practices, and organizational structures designed to provide reasonable assurance that business objectives will be achieved, and that undesired events will be prevented or detected and corrected.” - COBIT

Real-World Example

Oops…

“Hey, we need some internal controls!” Committee

Policy Thou shalt not speed.

Control Objective Control Objective = Car Safety (Risk = Crashes are Bad.)

Control Activities

Evaluating Risk When performing a risk analysis, you must consider: Probability (likelihood) Severity (impact) Low High

Evaluating Risk Low High Probability (likelihood) Severity (impact) PS (Risk = Crashes are Bad.)

COBIT COBIT (COFIRT?) = Control Objectives for Information and related Technology Published by ISACA (Information Systems Audit and Control Association) A Set of Best Practices, i.e. “a Framework” 4 Domains –Plan and Organize, Acquire and Implement, Deliver and Support, Monitor and Evaluate 34 Process Areas 318 Control Objectives

IT Control Objectives Control Objective = Prevent unauthorized access. (Risk = Unauthorized access is bad.)

IT Control Activities Control Activity = Restrict access to authorized individuals. How? Passwords! Password minimum length is 8 characters. Password complexity is enabled.

Password Controls Example: 6 Character Password, No Complexity Upper Case (26) ABCDEFGHIJKLMNOPQRSTUVWXYZ Lower Case (26) abcdefghijklmnopqrstuvwxyz Numbers (10) = 62 possibilities for each character 62 ^ 6 = 56,800,235,584 unique password permutations

Password Controls Example: 6 Character Password, No Complexity Upper Case (26) ABCDEFGHIJKLMNOPQRSTUVWXYZ Lower Case (26) abcdefghijklmnopqrstuvwxyz Numbers (10) = 62 possibilities for each character 62 ^ 6 = 56,800,235,584 unique password permutations Permutations Combinations

Password Controls Example: 8 Character Password, w/Complexity Upper Case (26) ABCDEFGHIJKLMNOPQRSTUVWXYZ Lower Case (26) abcdefghijklmnopqrstuvwxyz Numbers (10) Symbols (32) !"#$%&'()*+,-./:; = 94 possible characters 94 ^ 8 = 6,095,689,385,410,816 unique password permutations

Password Controls Brute Force Attack Cain & Abel –

Password Controls Brute Force Attack Try every possible permutation in a given keyspace. aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaab aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaac ………………………………………………………………… zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz

Password Controls My slow, crappy laptop = 3,000,000 guesses per second 6 characters, Upper/Lower/Numbers (62) –62 ^ 6 = 56,800,235,584 unique password permutations 8 characters, Upper/Lower/Numbers/Symbols (94) –94 ^ 8 = 6,095,689,385,410,816 unique password permutations

Password Controls My slow, crappy laptop = 3,000,000 guesses per second 6 characters, Upper/Lower/Numbers (62) –62 ^ 6 = 56,800,235,584 unique password permutations 8 characters, Upper/Lower/Numbers/Symbols (94) –94 ^ 8 = 6,095,689,385,410,816 unique password permutations 5 Hours 64 Years

Password Controls Medium Sized Cluster = 1,000,000,000 guesses/second 6 characters, Upper/Lower/Numbers (62) –62 ^ 6 = 56,800,235,584 unique password permutations 8 characters, Upper/Lower/Numbers/Symbols (94) –94 ^ 8 = 6,095,689,385,410,816 unique password permutations

Password Controls My slow, crappy laptop = 3,000,000 guesses per second 6 characters, Upper/Lower/Numbers (62) –62 ^ 6 = 56,800,235,584 unique password permutations 8 characters, Upper/Lower/Numbers/Symbols (94) –94 ^ 8 = 6,095,689,385,410,816 unique password permutations 57 Seconds 71 Days

Password Controls Where do you stand? Medium Sized Cluster = 1,000,000,000 guesses/second No Complexity (62 characters) Complexity (94 characters) 4 characters.01 seconds.08 seconds 5 characters.92 seconds7.34 seconds 6 characters57 seconds11.5 minutes 7 characters59 minutes18 hours 8 characters2.5 days71 days 9 characters6.5 years276 years 10 characters405 years25,975 years Great! So-So Doo-Doo Legend

Password Controls What can we do? >= 8 Characters Enable Password Complexity

Password Controls What else can we can do? Maximum Password Age < days

Password Controls Any more that we can do? Enforce Password History Minimum Password Age Password Expires: (xyz) Change Password: (abc) Change Password again: (xyz) Password Expires: (xyz) Change Password: (abc) Change Password again: (xyz)

Kodak Moment There are good reasons to enforce password controls: >= 8 Characters Enable Password Complexity Maximum Password Age < days Enforce Password History Minimum Password Age

Where Are Your Risks? It’s a big ocean…

Where Are Your Risks? It’s a big ocean… How fast can I paddle? Why is the sky blue? What year was my kayak made? Do I taste like chicken? How fast can the shark swim? How close am I to shore?

Where Are Your Risks? Evaluating IT Risks IIA (Institute of Internal Auditors) Guide to Assessment of IT Controls (GAIT) ISACA (Information Systems Audit and Control Association) IT Control Objectives for Sarbanes-Oxley 2nd Edition ID=29763&TEMPLATE=/ContentManagement/ContentDisplay.cfm

Where Are Your Risks? Evaluating IT Risks IIA (Institute of Internal Auditors) Sarbanes-Oxley Section 404: A Guide for Management by Internal Controls Practitioners

Where Are Your Risks? Password Controls User Access Controls New Hire Procedure Termination Procedure Program Changes (SDLC) Physical Security / Data Center Retention Backups Disaster Recovery / Business Continuity Network Security

User Access Controls Administrators Network Shares/Folders Financial Applications

New Hire Procedure “Welcome to XYZ Corporation”

Termination Procedure “Goodbye from XYZ Corporation”

Program Changes (SDLC) In-house Software Development?

Physical Security/Data Center Physical Access to the Server Room Environmental Controls

Retention Litigation Federal Rules of Civil Procedure

Backups Data Loss

Disaster Recovery/Business Continuity St*ff Happens

Network Security Hackers and Evil-Doers

16485 Laguna Canyon Road 3rd Floor Irvine, CA T (949) F (949) High Bluff Drive Suite 200 San Diego, CA T (858) F (858) IT Auditing So easy, a caveman can do it… Lee Barken, CPA, CISSP, CISA, CCNA, MCP Questions?