IT Security Audits: A Necessary Evil…

As I prepare to conduct my next IT security audit at a client’s site, I realize that some things have not changed in the past few years. The client’s reaction the day before the on-site visit is always remarkable: they exhibit a sense of fear. For the most part, the cause has always been the same. The client has waited until the last minute to prepare for the security audit.

From my experience, the client will spend the weekend before the audit applying required security patches that should have been applied months ago. Sometimes it works out fine; as you may know, sometimes it does not, and it causes additional problems for the system administrators. Many times, the Security Point-of-Contact (SPOC) will run a scanning tool such as Nessus against the network to get a view of how they fare. Conducting your own security scans is fine, and being proactive is a good thing, but the day before an audit may not be the best time to do so. Then the disclaimers start rolling in from the client: “Well… we know about this issue and that issue.”

I guess I cannot blame them for their anxiety. It is not a good feeling to have strangers (IT security auditors) come into your organization to review the controls and practices you put in place and possibly tell you that you are doing it wrong.

However, IT security audits are a necessary process to ensure compliance with organizational policy and/or federal regulations. Some of the more notable regulations that specify how organizations must handle information are FISMA, HIPAA and the Sarbanes-Oxley Act.

Unfortunately, many organizations treat security and audit as an afterthought rather than a process… Preparation is the key to successfully passing a security audit.

For a fully detailed review of security assessments and IT security audits, check out

iPad Security

Apple’s new iPad is set to be released on April 3rd, and a Washington, D.C.-based information security media company has looked beyond the hype at the security issues consumers should be concerned about.

Adrian Williams, a Lead IT Security Consultant at stated, “The iPad will be subjected to many of the same security issues as other mobile devices currently in the market, for example threats such as the wireless man-in-the-middle attack, shoulder surfing and theft are very common.”

In addition to Adrian’s concerns, many experts feel the iPad will inherit many of the same security issues as the iPhone. For example, weaknesses in its encryption and malicious software are major concerns. If the iPad uses the same encryption as the iPhone, sensitive personal data would be at risk of being captured and viewed. The iPad will also be at risk of receiving malicious apps through the Apple App Store, since the screening process for App Store applications is not always effective.

Othniel Alphonse, the host of a Washington DC-based talk show titled “The Tech Talk Show”, brought up a topic often covered on his radio show. He stated, “The biggest risk pertaining to the iPad has nothing to do with the device itself. As covered on my radio show in the past, hackers usually take these high-value topics to implement ‘poison online searches’ to malicious sites. We have seen it with the death of Michael Jackson, the Haiti earthquakes and countless other times.”

What Mr. Alphonse is referring to is a technique attackers use known as SEO poisoning: Search Engine Optimization (SEO) applied for malicious purposes. It pushes the attackers’ pages to the top of the results when consumers search for a hot topic such as the iPad, so that anyone who clicks through can be infected with malware.

Personally, my biggest concern stems from Apple’s decision not to support Adobe Flash Player on the iPad. Flash Player is a popular plug-in used on a majority of websites to play video and display content. Many attackers will take the opportunity to offer fake “iPad Flash Player” downloads on the Internet that turn out to be nothing but malware.

What are your thoughts on this?

SANS WhatWorks in Virtualization and Cloud Computing Summit with Tom Liston, Washington DC, August 19-20

As security professionals, we work in an environment that never stops
changing.  New technologies and innovative new uses for old technologies
seem to appear every day.  Unfortunately, along with the benefits that
every new technology brings, there are new and novel security challenges
that need to be addressed. We’re forced to constantly learn just to keep

Two of the newest and most dynamic areas in Information Technology are
virtualization and cloud computing.  Unless you’ve been living under a
rock for the past few years, your organization is either currently
deploying or planning to deploy these technologies — and you’ve been
trying to figure out what it all means from a security perspective.

Virtualization is everywhere, from the desktop to the datacenter.  Cloud
computing has transformed our datacenters into flexible, elastic
environments that expand and contract to meet our needs.  Data storage
and computing “in the cloud,” has changed our ideas about what
infrastructure really means.

These technologies are being rolled out at a staggering pace in
organizations across the world.  The benefits of having a virtual
infrastructure are unquestionable: lower costs, flexibility, energy
conservation, scalability and reliability, just to name a few.  But what
really is the impact on security?  Do these new technologies make our
networks more secure, less secure, or are they just “different?”

You have questions, and you’re not alone.  Like any new technology, it’s
difficult to separate fact from fiction — reality from marketing hype
— and the media and vendors are of little help.  Where can you go to
find comprehensive, up-to-date answers that go beyond marketing and
truly get to the heart of these new technologies?

Once again, SANS is gearing up for its Virtualization and Cloud
Computing Summit, August 19-20 in Washington DC.  For the past two
years, the Summit has provided a forum for getting past the hype and
answering the questions that security professionals need answered.
Focusing on information you can use when you walk out the door, the
summit format combines topical expert presentations with end-user talks
where your peers who are already working with these technologies explain
both what they did “right” and how to avoid the pitfalls they
discovered.  We even bring in the vendors (and warn them to leave their
marketing-speak at home) so you can hear about what’s just over the

Having acted as conference chair since the Virtualization and Cloud
Computing Summit’s inception, I believe that the summit format offers
participants an unparalleled opportunity to truly learn the information
that they need in a way that they can put to use immediately.  You won’t
be just sitting back and listening: the Summit format is designed to
break down the wall between the presenters and the participants,
encouraging questions and discussion that get you the answers that *you*
need. Every session is unique — filled with interaction, discussion,
and the kind of back and forth dialogue that you won’t find anywhere
else.  You are guaranteed to walk away from the Summit with all your
questions answered.

Here’s what some previous attendees had to say:

“Industry Leaders…discussing leading edge security issues…that’s why
I’m here.” – Major Doug Harold, Information Protection Officer, Canadian
Air Force.

“Finally, a conference dealing with real world security issues
organizations need to confront when moving virtualization into
production environments.” – Iben Rodriques, 4BaseTech

“The event was packed with useful information, speakers, and peer level
dialogue.” – Russell Wood, CenlarFSB

Join us at the Fairmont Washington DC on August 19th and 20th.  Bring
your questions, bring your security problems, and get ready for answers.
Hope to see you in DC!

Tom Liston

SANS Institute’s Virtualization and Cloud Computing Security Summit
Senior Security Analyst
InGuardians, Inc.

The most trusted source for computer security training, certification, and research

(IN)SECURE Magazine Issue 26 released

(IN)SECURE Magazine is a freely available digital security magazine
discussing some of the hottest information security topics.

Issue 26 has just been released. Download it from:

The covered topics include:

– PCI: Security’s lowest common denominator
– Analyzing Flash-based RIA components and discovering vulnerabilities
– Logs: Can we finally tame the beast?
– Launch arbitrary code from Excel in a restricted environment
– Placing the burden on the bot
– Data breach risks and privacy compliance: The expanding role of the IT security professional
– Authenticating Linux users against Microsoft Active Directory
– Hacking under the radar
– Photos: Infosecurity Europe 2010
– Securing the office in your pocket
– iPhone backup, encryption and forensics
– The growing problem of cyber bullying
– Secure collaboration: Managing the inside threat posed by trusted outsiders
– SMS spamming
– A new scalable approach to data tokenization
The Qualys Party at Black Hat 2010

Wednesday 28th July at the Jet Mirage Nightclub.
Get your free all access pass – RSVP now:


(IN)SECURE Magazine is supporting the following industry events:

SOURCE Barcelona 2010
Barcelona, Spain, 21-22 September 2010.
Use discount code SOURCEHN10 to get 15% off your ticket price.

Brucon 2010
Brussels, Belgium. 24-25 September 2010.

InfoSecurity Russia 2010
Moscow, Russia. 17-19 November 2010.

RSA Conference Europe 2010
London, United Kingdom. 12-14 October 2010.


Visit the (IN)SECURE Magazine web site at:

Subscribe to our RSS feed at:

Daily security news RSS feed:

Help Net Security on Twitter:


– For information on contributing to (IN)SECURE Magazine, please contact Chief Editor Mirko Zorz at editor( at )
– For marketing inquiries, please contact Marketing Director Berislav Kucan at marketing( at )

Digital Forensic Acquisition

One of the key aspects of conducting digital forensics is the proper collection and authentication of the evidence. If the evidence is not collected properly, there is a very good chance the results of the examination will be challenged. Following digital forensic best practices, we typically conduct the examination on a copy, often referred to as a “forensic image”, of the original evidence. The original media is attached through a write blocker so that nothing can be written to it, and a cryptographic hash (MD5 or SHA-256, for example) of the original is taken before and after imaging and compared with the hash of the image. Matching hashes are what demonstrate that the copy is an exact, unaltered duplicate of the original; the original data is protected from alteration, and the hashes can be used to verify the authenticity of any later analysis performed on the image.
Some of the popular software that can be used to conduct disk imaging is:
1. AccessData FTK Imager
2. LinEn
3. Knoppix (a live CD that bundles imaging tools)
4. Helix (a forensic live CD)
5. dd
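The dd-based acquisition with hash verification described above, as an added example written for this post and not taken from it. The “evidence device” is a constructed file; in the field the source would be a block device such as /dev/sdb behind a write blocker, and that path, the image name and the log file name are assumptions. The script hashes the source before and after imaging and compares both with the image hash, so a mismatch, including the zero padding dd adds when the block size does not divide the device size, is caught at acquisition time rather than discovered later.

```shell
#!/bin/sh
# Added example (not from the original post): acquire a forensic image with dd
# and verify it by hashing. The source is a constructed file standing in for a
# block device (e.g. /dev/sdb behind a write blocker; an assumed path).
set -eu

# Print the SHA-256 of a file (GNU sha256sum, or shasum on BSD/macOS).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# verify_image SOURCE IMAGE LOG: returns 0 only if both hashes match.
verify_image() {
    src_hash=$(hash_file "$1")
    img_hash=$(hash_file "$2")
    printf 'source sha256: %s\nimage  sha256: %s\n' "$src_hash" "$img_hash" >> "$3"
    if [ "$src_hash" = "$img_hash" ]; then
        echo "verification: OK" >> "$3"
        return 0
    fi
    echo "verification: MISMATCH" >> "$3"
    return 1
}

# acquire SOURCE IMAGE LOG: hash the source, image it with dd, hash it again,
# then verify the image. The block size must divide the source size:
# conv=sync zero-pads a short final block, which shows up as a hash mismatch.
acquire() {
    src=$1; img=$2; log=$3
    echo "acquisition start: $(date -u +%Y-%m-%dT%H:%M:%SZ) source=$src image=$img" >> "$log"
    pre_hash=$(hash_file "$src")
    echo "source sha256 (before imaging): $pre_hash" >> "$log"
    # conv=noerror,sync: keep reading past bad sectors and keep offsets aligned.
    # dd's own record counts (stderr) go into the acquisition log.
    dd if="$src" of="$img" bs=4096 conv=noerror,sync 2>> "$log"
    post_hash=$(hash_file "$src")
    echo "source sha256 (after imaging):  $post_hash" >> "$log"
    # The acquisition must not have altered the original...
    if [ "$pre_hash" != "$post_hash" ]; then
        echo "source changed during acquisition" >> "$log"
        return 1
    fi
    # ...and the image must be bit-for-bit identical to it.
    verify_image "$src" "$img" "$log"
}

# --- demo on constructed data (8192 bytes = two 4096-byte blocks) ---
work=$(mktemp -d)
yes "constructed evidence block" | head -c 8192 > "$work/evidence.bin"
acquire "$work/evidence.bin" "$work/evidence.dd" "$work/acquisition.log"
echo "good image:"; tail -n 1 "$work/acquisition.log"
# Tamper with the image and re-verify: the hash comparison must now fail.
printf 'x' >> "$work/evidence.dd"
verify_image "$work/evidence.bin" "$work/evidence.dd" "$work/acquisition.log" \
    || echo "tampered image: verification failed as expected"
rm -rf "$work"
```

The log produced by acquire is the start of the chain-of-custody record: keep it with the image, and re-run verify_image against the stored hash whenever the image is copied or handed over.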

Microsoft Office 2008 12.2.5 Update for Mac OS X

Microsoft has released security bulletin MS10-038, which contains all the relevant information about the security updates for Microsoft Office 2008 for Mac OS X. To view the complete security bulletin, visit the following Microsoft website:

This update improves security. It includes fixes for vulnerabilities that an attacker can use to overwrite the contents of your computer’s memory with malicious code. Additionally, this update contains improvements that enhance the stability and performance of Office 2008 for Mac applications.

Improvements that are included in the update

The Office 2008 for Mac 12.2.5 Update includes the following improvements, which apply to all Microsoft Office 2008 for Mac applications.

  • Helps improve security
    This update fixes vulnerabilities in Office 2008 that an attacker can use to overwrite the contents of your computer’s memory with malicious code. For more information, see the security bulletin that is listed earlier in this document.
  • Custom dictionary is improved
    This update fixes issues that prevent the custom dictionary from including words from different languages.

Before you install the Office 2008 12.2.5 Update, make sure that the computer is running Mac OS X 10.4.9 (Tiger) or a later version of the Mac OS X operating system.

To verify that the computer meets this prerequisite, click About This Mac on the Apple menu.

Additionally, you must install Microsoft Office 2008 for Mac 12.1.0 Update before you install the Office 2008 for Mac 12.2.5 Update.

To verify the update that is installed on your computer, follow these steps:

  1. On the Go menu, click Applications.
  2. Open the Microsoft Office 2008 folder, and then open any Office application (for example, open Word).
  3. On the Word menu, click About Word.
  4. In the About Word dialog box, check the version number next to Latest Installed Update. It must be at least 12.1.0 before you install this update, and it should read 12.2.5 afterwards.

The Office 2008 12.2.5 Update is also available from Microsoft AutoUpdate. AutoUpdate is a program that automatically keeps Microsoft software up-to-date.

To use AutoUpdate, start a Microsoft Office program. Then, on the Help menu, click Check for Updates.

The update applies to the following products:

  • Microsoft Office 2008 for Mac
  • Microsoft Office 2008 for Mac Business Edition
  • Microsoft Office 2008 for Mac Home and Student Edition
  • Microsoft Office 2008 for Mac Special Media Edition
  • Microsoft Entourage 2008 for Mac
  • Microsoft Excel 2008 for Mac
  • Microsoft PowerPoint 2008 for Mac
  • Microsoft Word 2008 for Mac