-
August 31st, 2007, 05:36 AM
#1
Member
conducting a security audit question...
I have a question that I bet lots of people probably have too... when a security professional, or a security analyst, conducts an audit on a given company, what are the areas of network security/pentesting that the audit will be based on, and also what are the most common tools employed? Would you have to go through huge amounts of log files, and what will the report say? I know it is kind of a complex and large question, but if someone with the knowledge and possibly the experience could elaborate.
thanks in advance
-
August 31st, 2007, 09:00 AM
#2
It depends on what the company wants and what the pen tester can do.
-
August 31st, 2007, 12:41 PM
#3
That's like asking someone how to fix a car....
-
August 31st, 2007, 02:58 PM
#4
but if someone with the knowledge and possible the experience could elaborate.
Gladly, but only in very general terms, as the scope of your question is too large to be answered properly on a forum.
1. An auditor has a "letter of appointment". This document defines:
(a) What the auditor will do.
(b) What the auditor won't do.
(c) What the auditor can do.
(d) What the auditor can't do.
(e) Client responsibilities.
(f) Payment terms and conditions.
This is agreed with the client and forms a formal contract.
2. There are audits that are either statutorily mandated, or relate to regulatory compliance. In these cases the requirements and activities are defined either by the law or the rules of the regulatory body. In this context think IRS, SEC, HIPAA, Sarbanes-Oxley and so forth.
Non-mandatory audits are very much an individual thing. Remember that the auditor has six prime objectives:
1. Get in.
2. Get out.
3. Get away with it.
4. Get the money.
5. Get laid.
6. Get drunk.
In order to satisfy #1 & #4 above, and to prepare an acceptable letter of appointment, it is usually a good idea to start with some sort of risk analysis modelling exercise specific to the target of the audit.
-
September 6th, 2007, 08:14 PM
#5
-
September 7th, 2007, 02:44 AM
#6
Audits are a puppet show based on what nihil says.
One & four? Get in and get the money? Let's not get carried away.
There's no substitute for good admin. A good admin will take all the help he can get. Including audits.
There is NO magic (i.e., silver) bullet. Including audits...
“Everybody is ignorant, only on different subjects.” — Will Rogers
-
September 11th, 2007, 10:28 AM
#7
Audits are a puppet show based on what nihil says.
Unfortunately so... there must have been quite a few "puppet shows" at Enron and TK Maxx for example, as their problems were not one-offs or overnight events.
-
September 12th, 2007, 11:51 AM
#8
The first thing to audit is the security policy. If any 'holes' are found then ultimately it is the security policy that is at fault, or the security policy has not been adhered to.