Thread: conducting a security audit question...

  1. #1
    Member
    Join Date
    Oct 2006
    Posts
    63

    conducting a security audit question...

    I have a question that I bet lots of people probably have too... when a security professional or a security analyst conducts an audit on a given company, what are the areas of network security/pentesting that the audit will be based on, what are the most common tools employed, would you have to go through huge amounts of log files, and what will the report say? I know it is a kind of complex and large question, but if someone with the knowledge and possibly the experience could elaborate.

    thanks in advance

  2. #2
    Senior Member WolfeTone's Avatar
    Join Date
    Jun 2007
    Location
    Ireland
    Posts
    197
    It depends on what the company wants and what the pen tester can do.

  3. #3
    Right turn Clyde Nokia's Avatar
    Join Date
    Aug 2003
    Location
    Button Moon
    Posts
    1,696
    That's like asking someone how to fix a car....

  4. #4
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    but if someone with the knowledge and possibly the experience could elaborate.
    Gladly, but only in very general terms as the scope of your question is too large to be answered properly on a forum?

    1. An auditor has a "letter of appointment". This document defines:

    (a) What the auditor will do.
    (b) What the auditor won't do.
    (c) What the auditor can do.
    (d) What the auditor can't do.
    (e) Client responsibilities.
    (f) Payment terms and conditions.

    This is agreed with the client and forms a formal contract.

    2. There are audits that are either statutorily mandated, or relate to regulatory compliance. In these cases the requirements and activities are defined either by the Law or the rules of the regulatory body. In this context think IRS, SEC, HIPAA, Sarbanes-Oxley and so forth.

    Non-mandatory audits are very much an individual thing. Remember that the auditor has six prime objectives:

    1. Get in.
    2. Get out.
    3. Get away with it.
    4. Get the money.
    5. Get laid.
    6. Get drunk.

    In order to satisfy #1 & #4 above, and to prepare an acceptable letter of appointment, it is usually a good idea to start with some sort of risk analysis modelling exercise specific to the target of the audit.
  5. #5
    Junior Member
    Join Date
    Dec 2006
    Posts
    28
    nihil. best.answer.ever

  6. #6
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243
    Audits are a puppet show based on what nihil says.

    One & four? Get in and get the money? Let's not get carried away.

    There's no substitute for good admin. A good admin will take all the help he can get. Including audits.

    There is NO magic (i.e., silver) bullet. Including audits...

    “Everybody is ignorant, only on different subjects.” — Will Rogers

  7. #7
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Audits are a puppet show based on what nihil says.
    Unfortunately so... there must have been quite a few "puppet shows" at Enron and TK Maxx for example, as their problems were not one-offs or overnight events?

  8. #8
    Right turn Clyde Nokia's Avatar
    Join Date
    Aug 2003
    Location
    Button Moon
    Posts
    1,696
    The first thing to audit is the security policy. If any 'holes' are found then ultimately it is the security policy that is at fault, or the security policy has not been adhered to....
