May 24th, 2005, 10:41 PM
#3
Senior Member
OK. Not looking to post a tutorial, rather a checklist for something I want to deploy for myself and other IT auditors. I was thinking that trying to follow a type of hacker methodology might work best to try and show our auditees what possible risks they are exposing our company to. I would have the methodology and then, within each step of the methodology, the controls to look for in each OS we support. Before posting the whole thing, this is the thought I had:
Example of adapting a hacker methodology to an IT audit checklist.
Note that step 1A will be taken care of through a survey we send to the auditee - meaning they know we are coming, which we want:
0. OS/OE to include: RH Linux, WINNT, W2K, W2K3
1. Footprint
   A. Site contacts, server/workstation, IP ranges, domains (if applicable). Check computer survey
   B. Review auditee's HTML, if applicable.
   C. Review HTML for additional information, if applicable
   D. Check public sites for information about our company(?)
      (1) Google ( http://www.google.com )
      (2) Netcraft ( http://www.netcraft.com )
      (3) Big Brother ( http://www.bb4.com )
   E. Check to see if reverse DNS lookup is enabled - does it need to be?
      (1) Explanation on how to check for zone transfers...
   F. Check to see
   ...
Actually - before I go on, I think I cannot use this type of methodology for an internal audit. I am going back to the drawing board as I just remembered some SANS training I had as well, and I will combine the above Foundstone ideas with the SANS and just post for comments and see what shakes loose.
Thanks anyway.