Security

Pharmaceutical spam hides under Google mask

Selena Mann — Thu, 17 Feb 2011 14:45:00 GMT

There is a new pharmaceutical spam brand out there, disguising itself as something created by Google, according to Message Labs Ltd. a part of Symantec Corp.

The spam promotes an accredited Google online pharmacy, Google does not operate a pharmacy site. The spam e-mail message promotes a drug for hair loss prevention with links to a spammer's blog.

"In the last two days alone, we have automatically blocked over 250 similar spam-created blogs," said Nick Johnston, a software engineer, in a blog post on Symantec's website.

The spam blog has the Google logo with pills as the "O"s. I understand how a person would be fooled by this, even I might have fallen for it, since it uses the Google logo, giving it a look of legitimacy. The doodles that Google is famous for, marking holidays and special dates in history by changing the Google lettering and adding relevant graphics to its logo, makes it more legitimate looking. But everyone should know by now, if it's an e-mail from someone you do not know and looks like it's trying to sell you something, it's probably spam.

"Google has a track record of fighting similar types of scams, and we also recommend that users carefully review online offers that look too good to be true before entering any of their information," a Google spokesperson said on a blog, http://googleblog.blogspot.com/2009/12/fighting-fraud-online-taking-google.html.

The new MSRC is a good thing

Rafael Ruffolo — Wed, 07 Jul 2010 15:08:00 GMT

A newanti-Microsoft security watchdog grouphas popped up in response to the way the software giant has negatively treatedresearchers in the past.

The organization is dubbing itself the Microsoft-Spurned Research Collective -- a play on the Microsoft Security Response Center. Last week, the group published information abotu an unpatched Windows flaw in Vista and Server 2008.

"Due to hostility toward security researchers, the most recent example being of Tavis Ormandy, a number of us from the industry (and some not from the industry) have come together to form MSRC: the Microsoft-Spurned Researcher Collective," the group said via a message posted to theFull Disclosure security mailing list. "MSRC wil fully disclose vulnerability information discovered in our free time, free from retaliation against us or any inferred employer."

Tavis Ormandy is a Google security engineer who publicly disclosed a Windows bug last month after Microsoft failed to commit to a patching deadline.

The group's posting on Fully Disclosure indicates that it has six members, but is operating anonymously.

Some may have a problem with that fact, but I do not. It might even attract some researchers within Microsoft to join and disclose serious flaws that can impact both consumers and businesses.

I don't agree with Microsoft's practice to restrict the disclosure ofbugs while it is still trying to fix them. The quicker news of the bugs spread, the quicker consumers and businesses can be on alert.You can bet somemalicious hackers will already know about these flaws, so there's no point is keeping the public unaware.

The benefit of fully disclosing these security flaws far outweigh the harm that might be done by the malicious hackers who learn about these bugs in the press.

Here's hoping the group continues to expand. It will certainly help Microsoft improveits security fix response time.

The upside of G8/G20 for security pros

Rafael Ruffolo — Wed, 02 Jun 2010 20:11:00 GMT

This month’s G8/G20 summits could be quite helpful for IT leaders looking to justify their security spending.

The latest estimates have the government spending $1.1 billion on security measures for the three-day conference. This has predictably led to outrage among opposition parties and many Canadians.

But it could present an opportunity for security professionals. Let’s say senior management gets on your case about some new “encryption software” you plan to purchase, just point to the G8/G20 summit.

In fact, take it one step further.

MyComputer Dealer News colleague Jeff Jedras (who moonlights as a political blogger) came up with a new unit of measurement called the MGS, or minute of G8/G20 security.

Just 1 MGS is equal to $231,484 in Canadian currency.

So, even if you unwisely spent $2,000,000 on some new security gadgets, you can put a positive spin on things by transferring it to 8.6 MGS.

If you want to do this yourself at home, just divide any purchase you need to make by $231,484.

Still skeptical on cloud security

Rafael Ruffolo — Fri, 14 May 2010 19:43:00 GMT

Just got back from this year’s EMC World in Boston. It was a good show, but there was one negative for me.

EMC and its RSA security division keeps hammering home the idea that a private/public cloud-based IT infrastructure can have the potential to be even more secure than today’s traditional data centres.

RSA chief Art Coviello stressed to journalists at the conference that the rise of the cloud is giving developers the chance to bake security in from the start. He called it a “security do-over.”

I call “marketing hype” on that one.

Back when I spoke with RSA last year, an executive told me that RSA added that cloud security will not be tied to OSs, networks, and applications as an afterthought anymore, as security protocols can be built into the virtualization layer. This will embed security policies deep into the technology stack and spread them throughout the cloud.

But as I argued at that time, I still don’t see how this demonstrates the cloud’s great potential to surpass our current levels of data centre security.

I stick by my thoughts, which you can read here. Also be sure to check out RSA’s rebuttal to my column here.

Want a job with Facebook?

Rafael Ruffolo — Wed, 14 Apr 2010 19:46:00 GMT

At a presentation from this week’s Black Hat security conference in Las Vegas, Facebook security chief Max Kelly said more and more staff members are being assigned to the role of stopping hackers.

The social networking giant, which now has 400 million registered users, faces a constant barrage of scams from cyber criminals looking either to spam users or steal their data.

According to a story from the IDG News Service, Kelly said Facebook’s security team has risen from just a few people in 2005 to as many as 10 per cent of its 1,200 employees.

IDG’s Jeremy Kirk reports that:

Facebook's security teams tends to worry less about vulnerabilities, focusing instead on the actual attacks, Kelly said. It allows Facebook to focus on the individuals behind the attacks and trying to frustrate those attackers.

The site is also rewarding individuals who responsibly disclose security problems by giving them credit on its security page. "If it's a really good hack, we'll probably end up hiring you," Kelly said.

I’d say it’s a good time to start brainstorming ways to make Facebook safer. It seems like a lot of these social networking sites are listening nowadays.

Take a deeper look at ISACA

Rafael Ruffolo — Fri, 05 Feb 2010 20:54:00 GMT

This week`s resource selections highlight ISACA’s long-term effort to provide leading guidance to IT audit and control professionals. Some of the more significant web pages are highlighted below and I encourage you to also explore the many other sections within the ISACA web site.

Check out - http://www.isaca.org/template.cfm?section=home

Have a great weekend.

- Dan Swanson

K-NET
K-NET contains over 6,000peer-reviewed web site resources pertaining toknowledge coveringITGovernance, Assurance, Security and Control. Full access toK-NET is reservedfor association members. In addition, a personalized tracking feature,that notifies users on a weekly basis of new references within their areas of focus, is also reserved for members (see 'track-updates' link throughout K-NET). Reference items are organized into logical categories of interest and concern.
http://www.isaca.org/Template.cfm?Section=K-NET1&Template=/gir/girMenu.cfm

Val IT Overview
Val IT is a governance framework that consists of a set of guiding principles, and a number of processes conforming to those principles that are further defined as a set of key management practices.
http://www.isaca.org/Template.cfm?Section=Val_IT4&Template=/ContentManagement/ContentDisplay.cfm&ContentID=39994

The COBIT Focus newsletter
http://www.isaca.org/Template.cfm?Section=Home&CONTENTID=31703&TEMPLATE=/ContentManagement/ContentDisplay.cfm

COBIT Publications and Products
The components of COBIT each address uses and applications of COBIT from differing perspectives. From the framework, which outlines the basis of the COBIT philosophy, to the management guidelines, which addresses the concerns of upper management, and through all the other components, each component adds a unique layer of understanding to COBIT.
http://www.isaca.org/Content/NavigationMenu/Members_and_Leaders1/COBIT6/COBIT_Publications/COBIT_Products.htm

ISACA Downloads
This page provides convenient access to some of our most frequently requested downloadable material. Each file is associated with a colored key that indicates the level of access required to download the document.
http://www.isaca.org/Template.cfm?Section=Downloads10&Template=/TaggedPage/TaggedPageDisplay.cfm&TPLID=63&ContentID=13742

ISACA’s Bookstore
The association offers its own bookstore to assist members and others in the field of IS assurance, control, security and governance keep current on the most recent developments within the profession.
http://www.isaca.org/Template.cfm?Section=Bookstore&Template=/eCommerce/EcomDefault.cfm

Risk management tips

Rafael Ruffolo — Mon, 25 Jan 2010 14:51:00 GMT

This week`s resource selections combines risk thought-leadership with a touch of enterprise architecture and a comprehensive quality management resource repository.

Have another great week.

- Dan Swanson

1. The NIH Enterprise Architecture
This is the design for how information technology (IT) supports the mission and business of all of NIH. The NIH enterprise architecture program consists of the set of processes that create, update, and manage the NIH Enterprise Architecture.

http://enterprisearchitecture.nih.gov/ArchLib/AT/TA/SecurityPrinciples.htm

2. Command and Control Thinking vs. Systems Thinking

Systems thinking is a better way to make work work. It is diametrically opposed to command and control thinking. (Editor’s note – don’t entirely agree its an either/or)

http://newsystemsthinking.com/about_command_v_systems.asp

3. Six Sigma and Quality Methodologies

http://finance.isixsigma.com/me/

4. Re-thinking Risk Management: Why the Mindset Matters More Than the Model

Forecasting used to be straightforward. Over the years, by the end of the first quarter, managers usually had a fairly reliable sense of how the business was shaping up and whether targets would be met, missed or exceeded. Confidence in quarterly and annual predictions was so high that coming in above or below by even the smallest amount was considered a surprise and set off moves in stock prices. This year, however, things have changed. Companies like Unilever, Union Pacific and Visteon are declining to make any predictions at all for their performance over the months ahead. In other words, all bets are off.

http://knowledge.wharton.upenn.edu/article.cfm?articleid=2205

5. Systemic risk capital

We have seen what can happen when the size of financial institutions rivals – or even surpasses – that of their home countries. It may be time to limit the size of institutions through imposition of systemic risk capital requirements, argues David Rowe

http://www.sungard.com/~/media/financialsystems/whitepapers/cmib/david_rowe/200903systemicriskcapital.ashx

6. Risk Management - Is It Permanently Broken? - An Investment Management Perspective

A new white paper considers the assessment of risk management processes in the financial-services industry by examining leadership, frameworks, culture and reporting systems.

http://www.kpmg.com/aci/docs/Rick_Management_Investment_Managers.pdf

More risk mangement strategies

Rafael Ruffolo — Thu, 14 Jan 2010 15:18:00 GMT

This week`s resource selections focuses on accountability frameworks, covering risk-based management and performance reporting. Several excellent pieces on risk management plus strategies in dealing with people’s biases round out this week’s resource blog.

- Dan Swanson

1. May 2009 - Global Perspective on Risk

Tone at the Top provides executive management, boards of directors, and audit committees with concise, leading-edge information on such issues as ethics, internal control, governance, and the changing role of internal auditing; and guidance relative to their roles in, and responsibilities for, the internal audit function. http://www.theiia.org/periodicals/newsletters/tone-at-the-top/

2. Seven Strategies for Disabling Dogmas or Biases

By taking time to identify dogmas (or biases) and dominant logic, companies can bust the behaviors that limit their views of opportunities. By understanding and confronting dogmas, a business can stimulate dialogue and analysis that is free from bias and constraints, and is more likely to generate truly innovative approaches to capturing new value. This is the second in a series of articles identifying dogmas and how to conquer them.

http://www.realinnovation.com/content/c090302a.asp

3. On risk and Black Swans

Scarce data is a well-recognised problem for the assessment of operational risk. In such circumstances, David Rowe argues, it is necessary to blend professional judgement with the available data. In doing so, however, it is crucial to counter some well-documented psychological biases in our subjective estimates of probability – and a healthy dose of humility is also advisable

http://www3.sungard.com/SunGardFinancial/menus/documents/risk_managers/200409%20operational%20risk%20and%20black%20swans.pdf

4. Top 10 Governance Priorities

Changing business and economic conditions provide an opportunity to reassess board priorities and re-focus the agenda.

http://www.kpmg.com/aci/docs/insights/Top10GoverancePrioritiesACI_UKquarterly.pdf

5. Preparing and Using Results-based Management and Accountability Frameworks

This Guide replaces the "Guide for the Development of Results-based Management and Accountability Frameworks" (August 2001). It is the result of lessons that the Centre of Excellence for Evaluation (CEE) has learned in working with departments to develop, review and approve Results-based Management and Accountability Frameworks (RMAFs).

http://www.tbs-sct.gc.ca/eval/pubs/RMAF-CGRR/guide/guide_e.asp

6. Performance Reporting - Good Practices Handbook

As part of the government's efforts to improve reporting to Parliament, the Performance Reporting: Good Practices Handbook has been developed to help public servants who prepare their department's departmental performance report (DPR).

http://www.tbs-sct.gc.ca/rma/dpr3/06-07/handbk-guide/gph-gbp_e.asp

Malware strains headed into the billions

Rafael Ruffolo — Wed, 06 Jan 2010 20:45:00 GMT

A week rarely goes by without some kind of security report making headlines.

This week's token report, which just surfaced from security firm PandaLabs, says that about 25 million new strains of malware were created throughout 2009. PandaLabs actually said that it identified more new malware strains last year than it has during its entire 20-year company history.

The company also said that two thirds of these malware strains were banking Trojans. The next most popular type of malware was adware, which includes scareware (sometimes referred to as fake or rogue antivirus software).

While this news might be shocking to some, it really isn’t shocking to me. Actually I’m surprised the number of new malware strains is actually so low. PandaLabs said it expects 2010 to lead to an even bigger output of new malware strains. I don’t think we’re very far off from reaching numbers that hit the billions.

I’m going to predict that will see billions of new strains every year before the decade is up.

Let’s think about this for a second.

The IT security industry has never been bigger. Even a recession didn’t slow down the security spend in 2009. Also, one of the biggest stories of the year was the Conficker virus.

These factors guaranteed security vendors continued to do big business in 2009. This also meant that the vendors did their jobs and actually shut down most of these attacks. As more of these banking Trojans were stopped, the cyber criminals had to retreat back to the drawing board and come up with something slightly different.

And those slight differences create new malware strains. While PandaLabs obviously doesn’t list all of these different pieces of malware, it’s safe to assume many of them are simply slight variations on the same core design.

This is definitely true for many of these banking attacks andI’d argue the same goes for those rogue or fake antivirus scams you see on the Internet.

I was recently talking to a Symantec security expert Marc Fossi, who told me that anytime one of these fake antivirus programs are discovered, numerous more fake ones are created that claim to fight against it. Many of them are actually the same program, with some minor front-end changes to trick the user.

According to a report from Symantec last October, over 250 fake anti-virus programs are spread across nearly 200,000 domain names currently operating on the Web. These numbers will only get bigger as users get smarter at avoiding them and security vendors get more efficient at stopping them. The last thing I want to say is that none of this should be cause for any concern.

In almost all cases, the reason a security vendor such as PandaLabs decides to this study is to get IT leaders and CIOs thinking about security, and in turn, security spending. And while the 25 million new malware strains might seem like a lot now, it’s just the evolution of this market.

As more computing devices permeate into the world, more variants of malware will as well. Just as a predator evolves to gets faster at catching its prey, the prey will continue to get faster at evading it.

The same principles applies to technology. Every new technology will fix a few problems and add a few other problems.

All you have to do as an IT leader is hit that middle ground when you’re deciding how much to spend on security.

How you can do that? Well that’s the topic of another blog…

The state of IT auditing

Rafael Ruffolo — Fri, 27 Nov 2009 16:41:00 GMT

This week’s resource selections focus on audit, building security into all our IT solutions, and finally being more effective in delivering IT solution (making information systems work!).

Have another great week.

Dan Swanson

The State of IT Auditing

One of my favorite articles over the past several years was written by Gary Hinson, a close colleague out of New Zealand. Gary has pulled together the critical issues facing the profession and put forth some insightful recommendations to improve IT Audit performance. I highly recommend a read of Gary’s landmark view of the future.

http://www.auditnet.org/articles/DSIA200811.htm

Building Security In! (is needed)
We need to implement effective security by building it into our IT solutions. Some resources to assist your understanding of the issues involved and recommendations to move us forward are provided below. Does your organizationincorporate security as part of its software acquisition process and system development life cycle (SDLC) process?

http://www.auditnet.org/articles/DSIA200902.htm

Privacy – Our Next Organizational Challenge?

The reality of business operations today includes an increasing oversight of data privacy and information protection. Although the protection of sensitive and personal data has always been good business strategy, implementation has often been tactical and opaquely managed by IT departments. New laws, rules, and contractual obligations are changing all of this. Even as information privacy and protection objectives grow more critical and complex, they are also increasingly subject to scrutiny by both internal and external auditors. http://www.auditnet.org/articles/DSIA200905.htm

Improving Corporate Risk Management!

Has your organization completed a comprehensive review of its corporate risk management practices lately?Richard Anderson new study regarding leading practices to adopt would be a great place to start. http://www.auditnet.org/articles/DSIA200907.htm

What lens do you use to evaluate your governance efforts?
Over the past few years I have debated and learned from a very diverse group of senior professionals. In improving our governance practices it is absolutely vital to consider the different perspectives of the various stakeholders in good governance.There has been much debate about principles-based versus rules-based governance. There is also much concern on whether our focus should be on strategy or control. Many believe, myself included, that risk management is at the intersection of good governance by promoting well defined strategic goals and objectives and then the management of risks in achieving them. Improving governance involves the board, executive management, the accountants, the auditors (both external and internal), the investor, and others. Everyone’s views are valid and contribute in moving forward and improving governance, in fact the engaged involvement of all stakeholders is part of good governance. So next time you grit your teeth when someone else expresses a position you are uncomfortable with take the time to try to understand that person’s view and learn why they are talking as if they are from Mars. http://www.auditnet.org/articles/DSIA200809.htm

Making Information Systems Work
(towards the bottom of the newsletter --in the right column)
New technology has transformed the way we interact with one another and do business. However, as systems become ever-more complex, the challenges of effective implementation are greater than ever. These are challenges to whole the business, not just IT, and require engagement from all across the organization in the effective management and use of technology. The Making Information Systems Work program considers these opportunities and challenges, engaging all sectors of the economy in the debate. http://www.auditnet.org/auditnet-l%202009-04.htm

Teaching staff to fish

Rafael Ruffolo — Fri, 20 Nov 2009 16:34:00 GMT

This week's resource selections covers staff development, effective communications, risk, and auditing security.

Today’s security professional should be knowledgeable in all of these subjects and today’s resources will fast-track your understanding.

Have another great weekend.

- Dan Swanson

Management Matters with Mike Myatt: Teach Them to Fish
Do you feed your employees, or do you teach them how to fish? Do you like to swoop in and save the day? Do you see yourself as the white knight that can solve any problem or challenge?
http://cpnmhn.typepad.com/management_matters/2008/11/management-matters-with-mike-myatt-teach-them-to-fish.html

The Seven Crucial Conversations in Healthcare

All too often, well-intentioned people in healthcare institutions choose not to speak
up when they’re concerned with behavior, decisions, or actions of a colleague.
http://www.silencekills.com/Download.aspx

Management Matters with Mike Myatt: Dealing with 'Corporate Crazies'
You can run, but regrettably you cannot seem to hide from the "corporate crazies." Over the years, I've simply come to a conclusion that many otherwise savvy business people have yet to grasp; you can’t argue with crazy.
http://cpnmhn.typepad.com/management_matters/2009/01/management-matters-with-mike-myatt-dealing-with-corporate-crazies.html

Bringing Back Best Practices in Risk Management Banks’ Three Lines Of Defense
http://www.booz.com/media/file/Bringing_Back_Best_Practices_in_Risk_Management_LO32.pdf

Frequently Avoided Questions about IT auditing
The FAQ explains IT auditing to someone with limited prior knowledge of the topic (a.k.a. the Clueless But Interested).Reading the whole FAQ will give you a good overview of the whole subject and should help put it into context but don’t feel too embarrassed about being bored stiff by the tenth line (or earlier if you are a quick reader).It’s not everyone’s cup of tea.
http://www.isect.com/html/ca_faq.html

ISO 27001 Security
The ISO/IEC 27000-series numbering (“ISO27k”) has been reserved for a family of information security management standards derived from British Standard BS 7799.
http://www.iso27001security.com/html/iso27000.html

Being prepared and in control

Rafael Ruffolo — Fri, 13 Nov 2009 21:27:00 GMT

Continuing last week selections from my various columns for Jim Kaplan, this week I highlight resources that have a “governance” focus. In addition, I want to enforce the importance of being prepared (e.g. implementing a security incident response capability) and being “in control” (i.e. we must have have effective change management). It really is endless!

Have another great week.

Dan Swanson

Board Oversight of IT Is Needed

Traditionally, and rightfully so, the board has focused on governing the organization, that is, the board is ensuring the right CEO is in place, that the right business strategies have been developed, that performance is reported regularly and trending properly, and that the right questions are being asked of management. Nowadays, the board also needs to ensure that the organization's human resources are being positioned for future requirements, that digital information and assets are being appropriately protected, and that the organization is always progressing!

http://www.auditnet.org/articles/DSIA200706.htm

Performance Measurement and Reporting is a Silver Bullet!

Steven Covey, author of The Seven Habits of Highly Effective People, and many others quite rightly recommend that when you start any kind of new project, you should begin with the end in mind. What does that involve? 1) Deciding where you want to be in the future (that is, what your “end state” will be); 2) Defining your key goals and objectives in getting there (to guide your various efforts along the way); and 3) Building and then implementing your plan to get there (the means to reach your desire end state).

This planning cycle works for all individuals, in both their professional and personal lives. It is even more important for organizations, where an understanding across the whole enterprise is vital in obtaining broad support across a workforce faced with numerous, and many times conflicting, priorities.
http://www.auditnet.org/articles/DSIA200705.htm

Is Governance Effective Within Your Organization?
What dialogue is occurring within your organization regarding organizational governance? Is everyone on the same page re what organizational governance is and what we are trying to accomplish? I believe its time for all stakeholders to discuss and agree to the many roles and responsibilities that are involved with organizational governance.See below for some leading resources to assist in your discussion.
http://www.auditnet.org/articles/DSIA200710.htm

Auditing Change Management
IT Compliance Institute has published a new IT Audit checklist covering Change Management. This paper, "IT Audit Checklist: Change Management," supports an internal audit of the organization's change management policies in order to verify compliance and look for opportunities to improve efficiency, effectiveness, and economy. The paper includes advice on assessing the existence and effectiveness of change management in project oversight, development, procurement, IT service testing, and IT operations; guidance for management and auditors on supporting change management; and information on ensuring continual improvement of change management efforts.
http://www.auditnet.org/articles/DSIA200708.htm

Have you assessed your information security program lately?

Does your organization’s information security program reflect the business environment it operates in? Have you reviewed the latest guidance – to improve your information security program. Its time – to assess the improvement opportunities. Click here for leading resources.
http://www.auditnet.org/articles/DSIA200712.htm

Creating a Computer Security Incident Response Team

Safeguarding assets has been an important objective of all organizations for centuries. Protecting an organization’s assets has evolved from mainly physical and personnel safeguards, to a combination of physical, personnel, procedural, and software-based asset management that must be clearly and completely stated in the organization policies, standards and guidance, and monitoring of asset values. With a high percentage of market value now accounted for by intangible assets such as intellectual property, reputation, brand, and electronic records, information continues to be (ever more so) a vital business resource.
http://www.auditnet.org/articles/DSIA200712.htm

The importance of internal audits

Rafael Ruffolo — Fri, 06 Nov 2009 14:23:00 GMT

This week`s resource selections originate from a monthly internal audit column I write for Jim Kaplan, for going on more than three years now.

Each month in Jim’s internal audit newsletter (http://www.auditnet.org/) I highlight leading audit and security resources to assist auditors and security practitioners.

Have another great week.

Dan Swanson

Disaster Recovery (DR) and Business Continuity Planning (BCP) resources

This web page provides resources and articles on the subject of DR and BCP that you can use for reviews and planning for audits in this area. http://www.auditnet.org/drp.htm

Auditing IT Initiatives “Thought Leadership”- Particularly Useful When an IT Project Failure is NOT An Option!

Some key questions to consider:

- Does the proposed IT solution work & will it meet the needs of the organization?

- Does the security aspect of the IT solution work?

- Will the privacy of the organization’s information be maintained?

- Will the staff know how to perform “productively” and accurately?

- Have we done everything necessary to be prepared?

- Are we ready to implement and how do you know it'll work?

Some leading resources to assist your “readiness” assessment effort are available here.

http://www.auditnet.org/articles/DSIA200702.htm

Auditing for Fraud “Thought Leadership” - Because bad things are happening

Some companies have significantly lower levels of misappropriation of assets and are less susceptible to fraudulent financial reporting than others. Why? Because they aggressively take steps to prevent and detect fraud, end of story (it’s that simple). At these exemplary companies, management is responsible for designing and implementing systems and procedures for the prevention and detection of fraud—and, along with the board of directors, for ensuring a culture and environment that promotes honesty and ethical behavior.
http://www.auditnet.org/articles/DSIA200703.htm

Security Management resources

A variety of information security management resources have been gathered at this one web page
http://www.auditnet.org/SecurityMgmt.htm

Auditing Risk Management is strongly recommended

Some resources to assist your risk management efforts are available at this one web page.

http://www.auditnet.org/articles/DSIA200701.htm

Auditing security using the PCI standard and related guidance - (Because personal information must be protected)
We need to protect personal information much more than ever before and extensive help from the PCI Security Standards Council and numerous other organizations does exist.
http://www.auditnet.org/articles/DSIA200704.htm

All about the IIA

Rafael Ruffolo — Fri, 30 Oct 2009 15:58:00 GMT

This week`s resource selections highlight IIA’s long-term effort to provide leading guidance to internal auditors and risk management professionals.

Some of the more significant web pages are highlighted below and I encourage you to also explore the many other sections within the IIA web site.

Check out - http://www.theiia.org/

Have another great week.

Dan Swanson

The IIA Bookstore offers hundreds of educational products that provide internal auditing practitioners with current information and guidance. All products are reviewed by internal auditors, for internal auditors – making The IIARF Bookstore a one-stop shop for internal auditing practitioners and those with an interest in internal auditing. http://www.theiia.org/bookstore/

The IIA Research Foundation - Research Reports and Publications
The Foundation maintains a strong belief in research and in publishing reports that aid the practitioner as well as the profession. For 30 years, The IIA Research Foundation has committed to and supported the internal audit profession. http://www.theiia.org/research/research-reports/

Professional Guidance
The IIA is internationally recognized as a trustworthy guidance-setting body. This is documented by its due diligence in regard to processes and procedures it has put in place for the establishment, transparency, timeliness, accountability, and oversight of its authoritative guidance. This section provides a variety of internal audit guidance, including The IIA's International Professional Practices Framework (IPPF). http://www.theiia.org/guidance/

Information Technology Audit Guidance and Resources
http://www.theiia.org/guidance/technology/

Practice Guides provide detailed guidance for conducting internal audit activities. They include detailed processes and procedures, such as tools and techniques, programs, and step-by-step approaches, as well as examples of deliverables.
http://www.theiia.org/guidance/standards-and-guidance/ippf/practice-guides/

“Tone at the Top” governance newsletter
Mission - To provide executive management, boards of directors, and audit committees with concise, leading-edge information on such issues as risk, internal control, governance, ethics, and the changing role of internal auditing; and guidance relative to their roles in, and responsibilities for the internal audit process. http://www.theiia.org/periodicals/newsletters/tone-at-the-top/

Metasploit acquired by Rapid7 – My $0.02

Brian Bourne — Thu, 22 Oct 2009 20:01:00 GMT

Early yesterday the news became official first by press release, then by a very well done podcast over at Risky Business. The very popular Metasploit project was acquired by Rapid7.

Metasploit is the largest and most widely used penetration testing framework and collection of publicly available exploits. The project founder, HD Moore is a well known and respected member of the security community. Rapid7 is a provider of commercial vulnerability management software, which is a fancy way to say they do network scans for vulnerabilities and generate reports.

At first glance, detection and exploitation sound like very similar efforts. The truth is that detection and exploitation are very different efforts. Let’s imagine that Microsoft releases a patch. The folks at Rapid7 will immediately begin reverse engineering the patch. They need to understand what changes between a patched and unpatched machine and more importantly how the heck you can remotely detect a behavioural difference without crashing the target machine. Using a variety of techniques, they detect if the machine is “likely” to be vulnerable and include that in a report.

Metasploit has a much different purpose. The same reverse engineering process goes in to figuring out what changed between the patched and unpatched machine – but with a much different purpose. The purpose here is to figure out what was fixed, and once you’ve isolated what got fixed, find out how the “broken” code was exploitable. Hopefully, it’s possible to write an exploit that works with some consistency. Certainly worrying about the target machine’s stability isn’t a concern.

Aside from the research overlap, bringing Metasploit into the Rapid7 fold makes plenty of sense for the folks at Rapid7. The inclusion of the Metasploit intelligence will help them provide their customers with more realistic risk analysis. Understanding what’s “theoretically a problem” versus “what’s easily and consistency exploitable” changes risk substantially. The real risk of a single machine’s security posture may depend on a variety of prerequisites and dependencies involved in getting an exploit to work.

From the Metasploit perspective, there’s no commercial interest behind the project. So the fit is harder for folks to see. Certainly the community will have fears that Rapid7 will make the source closed and proprietary, that Rapid7 may alienate the community or that any of the useful Metasploit features will only be available at a cost. A good example of this is the Nessus project, which went to a closed source model shortly after the Tenable acquisition. Certainly the joining of open source and commercial interests has been accomplished while maintaining the community aspects as illustrated by the SourceFire maintenance of the Snort project.

I think what makes this acquisition substantially different is that the Metasploit project is led by HD Moore. He has dedicated his time and personal funds to the project for the last 6 and a half years and cares about the project deeply. When asked about the acquisition, HD responds “Acquisitions are all about folks getting tired of what they are doing. They want to change gears. They want to move on to something else. This is the opposite. I love Metasploit”. In his new role as Chief Security Officer at Rapid7, HD will get to focus his time on the development he loves and hopes to find more time with his family. He also gets a team of 5 dedicated developers.

Bottom line, I don’t really care what the PR department says, but if HD says the project will stay open source and continue with even more momentum and community involvement – I believe him. His credibility is rock solid and as anyone who knows him knows – he’s one of the most sincere people you’ll meet. Some disclosure here, HD also custom built the netbooks we gave away for the SecTor awards with no personal benefit or interest other than supporting the community. This move to Rapid7 will also be for the benefit of the community.