July 1, 2008 3:08 PM
Posted by: Arian Eigen Heald
Admins and Auditors,
Compliance,
Data Breaches,
Database,
Database security,
Development,
IT audit,
Security,
Tools & Tricks of the Trade
In the course of many audits and pentests, I can't tell you how many times I have found flaws and openings based on bad development practices. It's downright painful. And yet software keeps coming out with the same problems. I know WHY this is happening, but I can't stop it. YOU can.
Have...
June 12, 2008 7:18 PM
Posted by: Arian Eigen Heald
Admins and Auditors,
Compliance,
IT audit,
SAS 70
I noticed a recent post on the boards questioning the value of SAS 70 Reports. Given that I do about 15 a year, I thought I'd venture an answer to that question.
First, it's important to understand what a SAS 70 is NOT:
It's not a checklist;
It's not a certification;
It's not a...
June 3, 2008 3:01 PM
Posted by: Arian Eigen Heald
Compliance,
Eigen's Rules of Thumb,
IT audit,
Security,
Steps to an Easy Audit,
Tools & Tricks of the Trade,
Tools for Auditing and Security
Rule #1 - You can pay now, or you can pay later, but if you choose to pay later, you will pay MORE.
Rule #2 - You can outsource function, but you cannot outsource...
May 29, 2008 1:44 PM
Posted by: Arian Eigen Heald
Admins and Auditors,
Compliance,
IT audit,
Security,
Security Devices,
Steps to an Easy Audit,
Tools & Tricks of the Trade
Who guards the guardians? Good IT governance mandates oversight of all IT functions. The firewall tends to be neglected, because it appears to be such a back-office function that only engineers or admins actually see and work on.
However, it is one of the most critical pieces of the IT...
May 26, 2008 12:05 PM
Posted by: Arian Eigen Heald
Admins and Auditors,
Compliance,
IT audit,
Security,
Security Devices,
Steps to an Easy Audit
When all is said and done, configuring a firewall comes down to creating a set of rules. Firewalls are bi-directional - they control traffic going out (outbound) to the Internet (or the DMZ) and they control traffic coming in (inbound) to the network or the DMZ. You are configuring for WHO,...
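To make the "set of rules" concrete, here is an added example (not code from the post or from any firewall product) of a first-match rule evaluator. Each rule carries a direction, a source (WHO), a destination (WHERE), a protocol and port (WHAT) and an action, and anything no rule matches is dropped. It also includes two checks an auditor would run over a rulebase: allow rules that are any-to-any on every port, and rules that can never fire because an earlier rule shadows them. The network ranges, rule comments and sample packets are constructed for illustration; the DMZ is placed in the 192.0.2.0/24 documentation range.

```python
"""First-match, default-deny firewall rule model plus two audit checks.
Added example; networks, rules and packets below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    direction: str       # "inbound" (toward internal net or DMZ) or "outbound"
    src: str             # CIDR or "any"  (WHO)
    dst: str             # CIDR or "any"  (WHERE)
    proto: str           # "tcp", "udp" or "any"  (WHAT)
    port: Optional[int]  # destination port, None = any port
    action: str          # "allow" or "deny"
    comment: str = ""


@dataclass(frozen=True)
class Packet:
    direction: str
    src: str
    dst: str
    proto: str
    port: int


def _net_matches(cidr: str, addr: str) -> bool:
    return cidr == "any" or ip_address(addr) in ip_network(cidr)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and _net_matches(rule.src, pkt.src)
            and _net_matches(rule.dst, pkt.dst)
            and rule.proto in ("any", pkt.proto)
            and rule.port in (None, pkt.port))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching rule wins; no match at all means implicit deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.comment
    return "deny", "implicit default deny"


def _covers(outer: str, inner: str) -> bool:
    """True if CIDR-or-any `outer` contains every address of `inner`."""
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ip_network(inner).subnet_of(ip_network(outer))


def shadowed_rules(rules: List[Rule]) -> List[Rule]:
    """Rules that can never fire: an earlier rule already matches everything they would."""
    out = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.direction == later.direction
                    and _covers(earlier.src, later.src)
                    and _covers(earlier.dst, later.dst)
                    and earlier.proto in ("any", later.proto)
                    and earlier.port in (None, later.port)):
                out.append(later)
                break
    return out


def overly_broad(rules: List[Rule]) -> List[Rule]:
    """Allow rules with any source, any destination and any port: audit finding."""
    return [r for r in rules
            if r.action == "allow" and r.src == "any" and r.dst == "any" and r.port is None]


INTERNAL = "10.0.0.0/8"       # constructed internal network
DMZ = "192.0.2.0/24"          # constructed DMZ (documentation range)
WEB = "192.0.2.10/32"         # constructed public web server in the DMZ

RULES = [
    Rule("inbound", "any", WEB, "tcp", 443, "allow", "public web server"),
    Rule("inbound", DMZ, INTERNAL, "any", None, "deny", "DMZ hosts may not reach internal"),
    Rule("inbound", "any", "any", "any", None, "deny", "nothing else inbound"),
    Rule("outbound", INTERNAL, "any", "tcp", 443, "allow", "users browse https"),
    Rule("outbound", INTERNAL, DMZ, "tcp", 22, "allow", "admins ssh to DMZ"),
    # no outbound catch-all: anything else leaving the network is implicitly denied
]

# Same two rules, wrong order: the catch-all deny hides the web-server allow.
MISORDERED = [RULES[2], RULES[0]]

# The "temporary" rule an auditor expects to find and an admin forgot to remove.
BROAD = Rule("outbound", "any", "any", "any", None, "allow", "temporary, remove later")

if __name__ == "__main__":
    for pkt in [
        Packet("inbound", "198.51.100.7", "192.0.2.10", "tcp", 443),
        Packet("inbound", "198.51.100.7", "192.0.2.10", "tcp", 22),
        Packet("inbound", "192.0.2.10", "10.1.2.3", "tcp", 445),
        Packet("outbound", "10.1.2.3", "198.51.100.7", "tcp", 443),
        Packet("outbound", "10.1.2.3", "198.51.100.7", "tcp", 25),
    ]:
        print(pkt, "->", evaluate(RULES, pkt))
    print("shadowed:", [r.comment for r in shadowed_rules(MISORDERED)])
    print("broad:", [r.comment for r in overly_broad(RULES + [BROAD])])
```

The outbound side is where most real rulebases are weakest: with no outbound catch-all, the workstation's SMTP attempt above is dropped, and a compromised DMZ host cannot pivot inward because that deny sits above the generic inbound deny. The shadowing check is what you want when reviewing a rulebase in first-match order, since a rule that looks correct on paper may never be reached.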
May 23, 2008 6:55 PM
Posted by: Arian Eigen Heald
Admins and Auditors,
IT audit,
Networking,
Security
There are some amazing firewall appliances out there - application-level firewalls that monitor for web attacks, intrusion prevention features where the...
May 23, 2008 12:20 AM
Posted by: Arian Eigen Heald
Compliance,
Eigen's Rules of Thumb,
IT audit,
Networking,
Security,
Security Devices
In the northern part of Maine, (north of Portland, where I live) folks go about their business without locking their doors or even leaving their cars running while they go into the store. (When it's -10 degrees, it's good to have the car run a little more). This describes the fundamental trust the...
May 15, 2008 5:54 PM
Posted by: Arian Eigen Heald
Admins and Auditors,
Compliance,
Database security,
IT audit,
PCI DSS,
Security,
SOX,
Steps to an Easy Audit,
Tools & Tricks of the Trade,
Tools for Auditing and Security
These two magic words should be in every network manager and system engineer's lexicon. It's your get-out-of-jail (not necessarily free) card with an IT Auditor.
Every IT shop has an application, a device, a configuration that breaks good security rules and usually corporate policy, as well. ...
May 13, 2008 4:38 PM
Posted by: Arian Eigen Heald
Compliance,
Database,
Database security,
IT audit,
PCI DSS,
Security,
SQL Server,
Steps to an Easy Audit
Remember that commercial (I'm dating myself, I know) where the little old lady lifts the top of the burger bun and says, "Where's the beef?" All things considered, we have to ask the same sorts of questions about data.
Usually we're...