Ten Questions for Your Auditor

Gordon Smith

The author suggests ten key questions you should ask your auditor—and the CIO—to see if you are properly protected. And if you pass this test, there is one more big final question. But the answer may startle you.

Feature article. © 2006 Canaudit Inc. and Gordon Smith. Published online in Wiley InterScience (www.interscience.wiley.com). DOI 10.1002/jcaf.20209

At the beginning of each year, I try to summarize the newest audit issues that my company, Canaudit Inc., identified during the previous year’s worth of audits. The biggest single issue uncovered for 2005 was the requirement to notify clients in California if their personal information has been disclosed to unauthorized individuals or groups. Your state may have a similar requirement—now or in the future. These public disclosures are very embarrassing to an organization that has reportable security incidents. So, in this article, I have listed the top ten questions that a CEO should ask the internal auditor—and the CIO—to determine if the processing environment is properly protected. At the end of these ten questions is one final question that should be asked. The answer to this last question may startle the CEO.

I believe that our primary objective in 2006 should be the protection of corporate information assets. Clearly, this is where the next battle will be fought.

ARE THE ORGANIZATION’S DATABASES SECURE?

One of the biggest issues in 2005 was poor database control. This can be broken down into several categories. The most dangerous, in my mind, is poorly secured backup or export files. Databases are usually backed up at least once a day to ensure that the database can be recovered after a processing interruption or disaster. When the backups are completed, the backup files are almost always in a “world readable” state. This means that anyone who can log in to the machine can copy the database. Once they have the database, they can simply download the database software onto their PC or a machine they control. When completed, they can import or restore the pilfered data into the database they control and will have full system database administrator rights. This will enable them to view all the data, extract personal or confidential information, and use the information in any manner they choose.

To prevent the theft of the database by any user who gains access to the system, have the database administrators (DBAs) modify the program or script that creates the export. The program or script should make the permissions on the export or backup file so that only the DBAs can access this sensitive file.

Another common issue we discovered last year, relating to databases, was the failure to implement account lockout. Users who attempt to log in to the application or database and mistype the password three times should have their account locked. If a hacker attempts to guess a user’s password and fails three times, the account will be locked. If an alert is coded into the lockout function, an e-mail can be sent to the security staff every time an account is locked. This will enable security to then call the user to see if he or she is experiencing difficulties logging in. If the user is not attempting



to log in, a probable computer incident is in progress and should be investigated.
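As an added illustration (not from the article), the following script carries out the check and the fix the export-file paragraphs above describe: it finds export or backup files that anyone on the machine can read and restricts them to the DBA owner. The directory, file names and modes are constructed for the example; the export script itself should apply the same mode the moment it writes the file, and this function is the audit-time catch-up for files written before the script was corrected.

```python
"""Audit and repair the permissions on database export files.

Added example (not from the article): it implements the check the text
describes, that a backup or export file must not be world readable, and the
fix it recommends, restricting the file to the DBA owner. The directory
layout, file names and modes below are constructed for the example.
"""
import os
import stat
import tempfile

# Permission bits that let anyone other than the owner read or write the file.
EXPOSED_BITS = stat.S_IRGRP | stat.S_IWGRP | stat.S_IROTH | stat.S_IWOTH

# Mode the export script should apply: read/write for the DBA owner only.
DBA_ONLY_MODE = 0o600


def find_exposed_exports(directory, suffixes=(".dmp", ".bak", ".sql")):
    """Return the export files in `directory` whose mode lets group or
    world read (or write) them, as (path, mode_string) pairs."""
    exposed = []
    for name in sorted(os.listdir(directory)):
        if not name.endswith(suffixes):
            continue
        path = os.path.join(directory, name)
        mode = os.stat(path).st_mode
        if not stat.S_ISREG(mode):
            continue
        if mode & EXPOSED_BITS:
            exposed.append((path, stat.filemode(mode)))
    return exposed


def lock_down_exports(directory, suffixes=(".dmp", ".bak", ".sql")):
    """Apply DBA_ONLY_MODE to every exposed export and return how many
    files were changed. The export script should do this step itself
    right after it writes the file; this is the catch-up for files
    created before the script was fixed."""
    changed = 0
    for path, _ in find_exposed_exports(directory, suffixes):
        os.chmod(path, DBA_ONLY_MODE)
        changed += 1
    return changed


def demo():
    """Build a constructed export directory, audit it, fix it, re-audit.
    Returns (names exposed before the fix, names exposed after it)."""
    workdir = tempfile.mkdtemp(prefix="dbexports_")
    samples = {
        "payroll_full.dmp": 0o644,   # the usual default: world readable
        "crm_nightly.bak": 0o666,    # worse: world writable as well
        "schema_only.sql": 0o600,    # already restricted to the owner
        "README.txt": 0o644,         # not an export, out of scope
    }
    for name, mode in samples.items():
        path = os.path.join(workdir, name)
        with open(path, "w") as fh:
            fh.write("constructed sample export content\n")
        os.chmod(path, mode)

    before = [os.path.basename(p) for p, _ in find_exposed_exports(workdir)]
    lock_down_exports(workdir)
    after = [os.path.basename(p) for p, _ in find_exposed_exports(workdir)]
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("exposed before:", before)   # ['crm_nightly.bak', 'payroll_full.dmp']
    print("exposed after:", after)     # []
```

Run on a real export directory, `find_exposed_exports` is the audit evidence and `lock_down_exports` the remediation; the owner of the files should be the DBA account, otherwise mode 0600 locks the DBAs out as well.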

Oscanner is a simple software tool used by attackers to gain access to a database. This tool enables them to gain access by trying default passwords or by using brute force to guess the password. Most of our clients in 2005 were susceptible to exploit by this tool, which could be used by anyone who gains access to the network.
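The lockout described two paragraphs above is the control that blunts the password guessing that tools of this kind rely on. The following is an added example, not from the article or from any product it names: it locks an account on the third consecutive failure and hands an alert to a callback that stands in for the e-mail to the security staff, so that someone can phone the user and decide whether it was a typo streak or a guessing attempt. The account names, passwords and login sequence are constructed.

```python
"""Account lockout after three failed logins, with a security alert.

Added example (not from the article): a minimal lockout policy of the kind
the text describes. It counts consecutive failures per account, locks the
account on the third, and hands an alert to a callback standing in for the
e-mail to the security staff. Accounts, passwords and the login sequence
below are constructed for the example.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Callable, Dict

MAX_FAILURES = 3  # the threshold the article recommends


def _hash_password(password, salt):
    # Slow, salted hash so a stolen table cannot be cracked cheaply.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    name: str
    salt: bytes
    digest: bytes
    failures: int = 0
    locked: bool = False


@dataclass
class LoginService:
    alert: Callable[[str], None]   # receives the alert text; stands in for e-mail
    accounts: Dict[str, Account] = field(default_factory=dict)

    def add_account(self, name, password):
        salt = os.urandom(16)
        self.accounts[name] = Account(name, salt, _hash_password(password, salt))

    def login(self, name, password):
        """Return 'ok', 'bad-password' or 'locked'. Unknown accounts are
        answered like a bad password so the response does not reveal
        which account names exist."""
        acct = self.accounts.get(name)
        if acct is None:
            return "bad-password"
        if acct.locked:
            return "locked"
        if hmac.compare_digest(acct.digest, _hash_password(password, acct.salt)):
            acct.failures = 0            # a good login clears the counter
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked = True
            # This alert is what lets security call the user, as the
            # article suggests, instead of discovering the attempt later.
            self.alert(f"account {name} locked after {acct.failures} failed logins")
            return "locked"
        return "bad-password"

    def unlock(self, name):
        """Reset after security has confirmed the owner was at the keyboard."""
        acct = self.accounts[name]
        acct.failures = 0
        acct.locked = False


def demo():
    """Replay a constructed guessing attempt; returns (results, alerts)."""
    alerts = []
    svc = LoginService(alert=alerts.append)
    svc.add_account("jsmith", "correct horse battery staple")
    attempts = ["password", "jsmith123", "Welcome1", "correct horse battery staple"]
    results = [svc.login("jsmith", pw) for pw in attempts]
    return results, alerts
```

Note that the fourth attempt in the demo uses the right password and is still refused: once locked, the account stays locked until security has spoken to the user and called `unlock`, which is the point of the control.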

My last issue with databases concerns software products, such as those from PeopleSoft, Banner, Cerner, and Lawson. Purchased software often comes with default passwords. These passwords are well known and are readily available on the Internet. It may even be possible to download the manuals for these database software products, which may contain accounts and passwords, from the Internet. It is critical to information security that default passwords are changed.

Even with the best of DBAs, some things fall through the cracks. I believe that a full database security audit should be performed annually by a skilled professional.

HOW GOOD IS MY PHYSICAL SECURITY?

Many of our clients have spent dearly to protect their facility. Key cards, access turnstiles, guard services, cameras, and other devices are costly—yet may not be effective. The question to answer is not how much was spent on physical security, but how effective is it. In 2005, all of our attempts to defeat physical security succeeded. You might want to stand by the security desk on a Monday morning during the last-minute rush to get to work on time. Watch to see if everyone uses or shows their badges. Some of our clients have systems that display the badge holder’s picture when the card is swiped. Is anyone actually looking at the picture and comparing that to the person entering? This is often difficult to do during the morning rush. Periodically, send someone through security with a borrowed badge. If they get in, then the control is not working.

Another technique that is very successful is to attempt to enter as an EMT or power or phone company employee. Smokers create another significant vulnerability. They tend to congregate outside. A person who stands out in the cold with them for a few days becomes known to them, and they usually hold the door open so that he or she can enter the building.

Regardless of the technique, once we get into a facility it doesn’t take long to locate a machine that is unattended or a live network jack that a system can be plugged into. We can then easily place a system on the network or load software onto a machine on the network that will let us establish an inside-out, outside-in session. Another trick that can be used is to place a Word document or an airline reservation document onto a flash drive (also called thumb drives—small devices that hook into the USB port and can store up to 5 GB of data). All an attacker would have to do is ask if he could print out a file. He could then plug in the flash drive to print the file, while really loading the logmein.com software to establish an inside-out, outside-in connection. While the probability of this occurring is small, a breach like this can be disastrous to your organization.

CAN REMOTE CONTROL SOFTWARE BE USED TO DEFEAT THE FIREWALL?

The inside-out, outside-in exploit worked with every client we tried it with last year. The object of this software is to enable people to access another PC even if access is normally blocked by a firewall. You may have seen commercials for GoToMyPC.com or other similar products. The commercial states that you can get at your files at home even if your company has a firewall. Once this software is loaded on an internal machine, a session can be initiated from a machine outside the network, say at a hacker’s home. The software has been designed to enable a remote machine to control an internal network machine. Once the connection is established, a hacker can use the connection to attack the internal network, sliding right through the firewall.

My intention is not to ban this type of software. It certainly has its uses. It is a great tool to enable an administrator or support person to gain desktop access to a remote machine. It is also useful for retrieving critical files on demand. (My PC just crashed, but I have my files backed up. I have been using logmein.com to retrieve these files so I could teach a class and do an audit without having to ship the files to me.) All I ask is that this software be controlled. Only authorized staff should use it. Be careful of staff or contractors who may use it without permission to transfer your critical data to an offsite machine.

The Journal of Corporate Accounting & Finance / May/June 2006. DOI 10.1002/jcaf. © 2006 Wiley Periodicals, Inc.
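The article's position in the remote-control section above is that this software is acceptable only for authorized staff. As an added example (not from the article), the following checks a proxy access log for sessions to the remote-access services the article names, logmein.com and GoToMyPC.com, and reports users who are not on the authorized list, including sessions the proxy could not tie to any user. The log format, the sample lines, the authorized-user list and the placeholder domain example-remote.invalid are constructed.

```python
"""Flag remote-access service use in proxy logs that is not authorized.

Added example, not from the article: the control it implements is the one
the text asks for, that remote control software be limited to authorized
staff. It parses a squid-style access log (format constructed here),
matches the destination host against the remote-access services the
article names (logmein.com, GoToMyPC.com) plus a constructed placeholder
for others an organization might track, and reports every user who is not
on the authorized list.
"""
import re
from collections import defaultdict

# Services whose outbound session lets an external party control an internal PC.
REMOTE_ACCESS_DOMAINS = ("logmein.com", "gotomypc.com", "example-remote.invalid")

# Constructed: staff approved by management to use this class of software.
AUTHORIZED_USERS = {"helpdesk1", "gsmith"}

# Constructed squid-style access log: time client user method url status
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<user>\S+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<status>\d{3})$"
)

SAMPLE_LOG = """\
1138070400.123 10.1.4.22 helpdesk1 CONNECT secure.logmein.com:443 200
1138070405.002 10.1.4.51 tjones CONNECT secure.logmein.com:443 200
1138070409.811 10.1.7.13 bwong GET http://www.gotomypc.com/client.exe 200
1138070412.420 10.1.4.22 helpdesk1 CONNECT www.gotomypc.com:443 200
1138070415.000 10.1.9.2 - CONNECT poll.example-remote.invalid:443 200
1138070420.777 10.1.4.51 tjones GET http://intranet.corp.example/home 200
1138070425.313 10.1.4.51 tjones CONNECT secure.logmein.com:443 200
"""


def host_of(url):
    """Extract the bare host from 'host:port' or 'scheme://host/path'."""
    if "://" in url:
        url = url.split("://", 1)[1]
    host = url.split("/", 1)[0]
    return host.rsplit(":", 1)[0].lower() if ":" in host else host.lower()


def is_remote_access(host):
    # Match the domain itself or any subdomain of it, never a lookalike suffix.
    return any(host == d or host.endswith("." + d) for d in REMOTE_ACCESS_DOMAINS)


def find_unauthorized_use(log_text):
    """Return {user: sorted [(client_ip, host)]} for remote-access sessions
    by users outside AUTHORIZED_USERS. The anonymous user '-' is reported
    under its own key: a session the proxy could not attribute to a person
    is itself a finding."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the review
        host = host_of(m["url"])
        if not is_remote_access(host):
            continue
        user = m["user"]
        if user in AUTHORIZED_USERS:
            continue
        hits[user].add((m["client"], host))
    return {u: sorted(v) for u, v in hits.items()}


if __name__ == "__main__":
    for user, sessions in sorted(find_unauthorized_use(SAMPLE_LOG).items()):
        print(user, sessions)
```

The report de-duplicates by user, client address and host, so a user who polled the same service all day produces one line to follow up rather than thousands.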

We should also not forgetabout other remote controlsoftware such as VNC,PCAnywhere, and Microsoft Ter-minal Services. VNC is general-ly very poorly secured. It typi-cally has a simple password thatcan be easily acquired andcracked using a freely availabletool called NBTEnum. Onceonto a machine with poorlysecured VNC, it is a simplematter to take critical files,passwords, and other infor-mation that may be usefulto attack other machines.There is a securable ver-sion of VNC that requiresboth an account and a pass-word to authenticate; howev-er, a majority of our clients in2005 did not appear to be usingthis secure version.

Microsoft Terminal Servicescan also be used for remotelycontrolling workstations, lap-tops, and servers. Once anattacker has gained administratoraccess to the domain or theActive Directory, he has com-plete control to all the machineson the domain runningMicrosoft Terminal Services. Weurge our clients to use accesscontrol lists to determine whocan use Microsoft Terminal Ser-vices, as well as two-factorauthentication for all administra-tors.

PCAnywhere can also beused to remotely controlmachines. We actually notedfewer poorly secured implemen-tations of this product in 2005.The recommended implementa-tion of this product is to use

account and password authenti-cation and to use an encryptedsession. This way the data willbe encrypted as it traverses thenetwork or the internal network.In conclusion, remote controlsoftware can be a great tool toyour organization, provided thecorrect product is selected andthe controls are implemented.

CAN WE REALLY TRUST OUR EMPLOYEES AND CONTRACTORS?

The old-school philosophy was to protect the network from external penetration. Some of the quotes I have heard in the last few years are as follows: “The bad guys are all on the outside.” “It is okay to have poorly secured machines on the internal network because we have a firewall.” “We do not have to monitor our consultants as they are with a reputable firm.” “We only need to protect ourselves from external penetration.” “We are willing to accept the risk.” A quick visit to http://www.privacyrights.org/ar/ChronDataBreaches.htm will provide you with many examples of insiders who stole or sold corporate information. The list includes organizations such as Bank of America, Wachovia, PNC, Commerce Bancorp, Georgia DMV, the University of Hawaii, and Atlantis Hotel. Clearly, when the opportunity presents itself, some people will try to steal your data, particularly client information.

Now is the time to start securing the network, the machines within the network, and your business applications and data. Staff and contractors’ access and use of data must be monitored. Network activity must be monitored and unusual activity investigated. A full internal network vulnerability assessment should be performed by an external independent firm to test the exposure to insider security breaches and suggest improvements. If your midlevel managers “are willing to accept the risk,” then I suggest they be held accountable for an incident when it occurs. Many managers are willing to accept the risk but not the consequences. When estimating the consequences, don’t forget to include the public relations cost and the lost profits as customers close accounts or take their business elsewhere. This is 2006, not 1990. We need strong internal control to protect our information assets.

ARE OUR INTERNAL AUDITORS PERMITTED TO DO REAL SECURITY TESTS?

I really love my job, which is very apparent to my audit clients and those who attend my training sessions. Last week, I was asked what frustrated me the most in my long audit career. The answer was not the work, the long hours, or the travel. I have auditors come to my classes so they can learn how to identify network, server, or application security issues. I show them what to look for. I give them the software to find issues. I even show them how to safely use the software in a lab environment at my IT Audit & Security Boot Camp. Lately, I’ve been asking the participants if they will be running the tools when they get back to the office. Surprisingly, about half of the auditors in my classes will not be permitted to use the network scanners, password crackers, or other vulnerability discovery tools. The IT folks will not permit the use of the tools on the network. When I ask them about the audit mandate, each of them says the mandate empowers them to perform such testing as the auditors deem necessary. So the audit mandate is not the issue. Upon further questioning, they answer, invariably, that using the tools is not politically correct; the IT folks may have some explaining to do if the testing reveals serious network flaws. This is what frustrates me the most.

I find this both shocking and disappointing. Imagine if the CFO said that the auditors would not be permitted to test the general ledger or cash receipts! How about this: “You cannot use audit software to verify that the ledger balances to the control accounts.” Why is it that some IT departments try to hide their poor controls by handicapping the auditors? If an attacker can use a tool to penetrate your security, then your auditors had better find out first! Otherwise your organization is a sitting duck!

I understand that the IT folks may not want to have false alarms regarding intrusion detection software that may be running. For that reason, I have perfected a procedure that permits the auditors to test independently while ensuring that the IT folks do not waste valuable time tracking intrusion events that really are audit testing. Our mechanism involves loading the required software tools onto a special laptop. This laptop is not on the network unless the auditors are testing the network or downloading security and software updates or patches. The IT and security staff are provided with the MAC (hard-coded computer address) of the test machine. If it shows up on the network, they can call internal audit to determine if a test is in progress. This works at several of my clients.
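The arrangement described above can be automated on the IT side. The following added example (not from the article) watches DHCP server log lines for the registered MAC of the audit laptop and reports only the appearances that fall outside a test window internal audit has announced; those are the sightings that warrant the phone call. The MAC address, the test window and the ISC dhcpd-style log lines are constructed, and the year is supplied by the caller because syslog lines do not carry one.

```python
"""Alert when the audit laptop appears on the network outside a test window.

Added example, not from the article: it automates the arrangement the text
describes. IT and security hold the audit laptop's MAC address; when that
MAC shows up they contact internal audit to confirm a test is in progress.
Here the confirmation is a registered test window, so only an unexpected
appearance produces a call. MAC, windows and log lines are constructed.
"""
import re
from datetime import datetime

# Constructed: MAC of the internal audit test laptop, as registered with IT.
AUDIT_LAPTOP_MACS = {"00:11:22:33:44:55"}

# Constructed: test windows internal audit announced, as (start, end) pairs.
ANNOUNCED_TESTS = [
    (datetime(2006, 1, 17, 9, 0), datetime(2006, 1, 17, 17, 0)),
]

# Constructed ISC dhcpd-style syslog lines:
# "<Mon> <day> <time> <host> dhcpd: DHCPACK on <ip> to <mac> via <iface>"
DHCP_LOG = """\
Jan 17 09:12:03 dhcp1 dhcpd: DHCPACK on 10.1.4.88 to 00:11:22:33:44:55 via eth0
Jan 17 10:45:17 dhcp1 dhcpd: DHCPACK on 10.1.4.90 to 00:aa:bb:cc:dd:ee via eth0
Jan 18 22:31:44 dhcp1 dhcpd: DHCPACK on 10.1.4.88 to 00:11:22:33:44:55 via eth0
Jan 19 03:05:00 dhcp1 dhcpd: DHCPACK on 10.1.6.12 to 00:11:22:33:44:55 via eth1
"""

ACK_LINE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) (?P<day>[ \d]\d) (?P<time>\d\d:\d\d:\d\d) \S+ dhcpd: "
    r"DHCPACK on (?P<ip>\S+) to (?P<mac>[0-9a-fA-F:]{17}) via (?P<iface>\S+)$"
)


def parse_syslog_time(mon, day, time, year):
    """Syslog lines carry no year, so the caller supplies it."""
    return datetime.strptime(f"{year} {mon} {int(day):02d} {time}", "%Y %b %d %H:%M:%S")


def in_announced_window(when):
    return any(start <= when <= end for start, end in ANNOUNCED_TESTS)


def unexpected_audit_laptop_sightings(log_text, year):
    """Return [(timestamp, ip, iface)] for DHCP leases granted to an audit
    laptop MAC outside every announced test window. These are the events
    that should trigger the call to internal audit."""
    sightings = []
    for line in log_text.splitlines():
        m = ACK_LINE.match(line)
        if not m or m["mac"].lower() not in AUDIT_LAPTOP_MACS:
            continue
        when = parse_syslog_time(m["mon"], m["day"], m["time"], year)
        if not in_announced_window(when):
            sightings.append((when, m["ip"], m["iface"]))
    return sightings


if __name__ == "__main__":
    for when, ip, iface in unexpected_audit_laptop_sightings(DHCP_LOG, 2006):
        print(f"{when:%Y-%m-%d %H:%M} audit laptop leased {ip} on {iface}, no test announced")
```

A MAC address is trivially set by the holder of the machine, so this watch is a courtesy between audit and IT, not a security control: it keeps IT from chasing the auditors' traffic, and the two unexpected leases in the sample are what should prompt IT to pick up the phone.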

If your auditors are not permitted to test the network, then attackers have an open invitation to exploit unidentified security issues. Internal audit must be permitted to do such testing as they deem necessary, as stated in the audit department mandate, to verify the presence of controls and, more important, the absence of controls. Only through identifying how data can be stolen can we implement new controls to prevent the loss of confidential data and to ensure early discovery of incidents.

IS THE DATA ON OUR COMPUTERS PROTECTED FROM THEFT?

As of January 17, 2006, there were 26 reported incidents of computer or laptop theft on http://www.privacyrights.org/ar/ChronDataBreaches.htm. Boeing reported that approximately 161,000 identities may have been compromised as a result of a stolen laptop. Other companies reporting potential identity theft through lost computers or laptops include Bank of America, UC Berkeley, the Department of Justice, MCI, and San Jose Medical Group.

Laptops can be easily misplaced when going through airport security and screening. Road warriors often leave their laptops in their hotel rooms when going out to dinner or to the gym. These machines could be accessed by anyone with a master key card to hotel room doors. Airline clubs are also a good place to lose a laptop. Many of us work in the airport lounge. When we leave our workstation to get a snack or to visit the restroom, we lock our computers. But this does not prevent them from being stolen or the hard drives removed, copied, and returned. Your organization may want to consider installing PC LoJack on all laptops. When a laptop is then stolen and hooked into the Internet, it can be tracked and recovered. This is good software to consider for every executive and all staff with sensitive information on their laptops.

If I had my choice, I would encrypt all data on all computers. Unfortunately I’m fighting an uphill battle, at least with those who have not had confidential data stolen on a laptop (yet). After the data is gone, everyone wants to start encrypting data. This is closing the barn door after 10,000 horses have left. I strongly suggest that all sensitive data be encrypted on all workstations and laptops. If possible, this data should also be encrypted on the servers. There are several inexpensive products that will encrypt data. XP and Windows server editions come with the capability to define an Encrypted File System (EFS). This is free! Other tools such as PGP are very inexpensive and easy to use. It is best to assume that a laptop or workstation will be stolen and to encrypt the data before it actually is stolen. Staff should also be warned that they are personally responsible for any data they download. Periodic testing should be performed to determine what confidential information is exposed to theft.

ARE OUR PORTABLE DEVICES SECURE?

Portable devices include Blackberry communication devices, PDAs such as Palms and iPAQs, and cell phones. Let’s address them in order. Blackberries pose a significant threat if they are not properly secured. They are normally used by senior executives and other important staff. The most common failing is the lack of a password on a Blackberry. In 2005, this was pervasive throughout our client base. A simple test I use is to ask a person to pull out their Blackberry and shut it off. Then I ask them to turn it back on. If it does not prompt them for a password, then this device can be easily compromised.

Blackberries are often carried in a jacket pocket. The jacket may be hung on a door where someone can steal the device from the pocket. I’ve also seen people in a bar place the Blackberry on the table or the floor under their feet as they don’t like it vibrating on their belt. Again, it is easy to steal. Another issue with Blackberries is the bberry server that processes the e-mails. In several audits last year, we identified an administrator account on the server called bberry with a password of bberry. Using this account, we could reconfigure the Blackberry settings. Think of the damage that could be done if copies of all executive e-mails were automatically sent to a competitor! Make sure this password is changed.

PDAs and some cell phones also contain sensitive data. The new Palm Treo combines a cell phone with a PDA and is very similar to a Blackberry. Many people use their personal PDAs or cell phones with Pocket PC, such as the Treo, for business purposes. When they leave the firm, this corporate information goes with them. Add in the likelihood that Secure Digital (SD) chips can greatly increase the storage capacity, and we have a scenario for large amounts of corporate data being in the hands of a disgruntled terminated employee. At Canaudit, we provide these devices to our staff and retrieve them upon termination. We also have a strong policy on confidential information and how it is to be protected. Clearly, the use of personal PDAs, cell phones, and other similar devices for business use should be prohibited.

CAN OUR DATA BE STOLEN AND TRANSPORTED OUT OF THE FACILITY?

The easiest way to transfer data from the internal network to an external device or server is to transmit the data out over the Internet. Another method is to copy the data onto a portable storage device and walk it out of the building. I use my PDA to store information I need. To increase my storage capacity, I use the 1-gigabyte SD cards. These devices are about three-quarters of an inch square and wafer-thin. Some of our clients with highly sensitive data or research actually inspect laptops that are leaving the facility. What better way to beat the inspection than to transfer the data onto 50, 100, or even 200 SD cards, place them in a briefcase, and walk out of the building?

I recently bought another 100-gigabyte hard drive the size of a deck of cards. I use this for carrying an image of my PC around with me in case I need to restore it. I have several others for backup and other storage purposes. A dishonest employee or contractor could easily conceal 50 of these devices in his laptop case. I also have several Maxtor drives that we use for forensics work. These drives are the size of a standard hardcover book and store 400 gigabytes of data. Again, it would be easy to put four of these drives into a briefcase and sneakernet it out of the building. In addition to smuggling the data out of the building, it could be easily couriered or mailed to Mail Boxes, Etc., or a similar service. If your organization has sensitive data, then regular random inspections of personal belongings upon leaving the facility are an option. Also, scrutiny of outgoing courier packages and mail should be considered.

IS OUR DATA SAFE WHEN TRANSPORTED TO OTHER LOCATIONS?

Lost tapes have also resulted in serious information disclosure issues. According to Privacyrights.org, there have been eight occurrences where tapes have been lost in transit. There were two incidents where tapes were lost while in transit to an offsite backup location. Several tapes were lost in transit to credit bureaus. If tapes contain sensitive information, they should be encrypted. If a tape is lost, the data are reasonably protected from unauthorized access or disclosure. I have been recommending this for over 20 years. Now, with these eight reported incidents, my warnings are being taken seriously.

IS TWO-FACTOR AUTHENTICATION USED FOR SENSITIVE OR POWERFUL ACCESS?

For years, the battle has raged over the length and complexity of a password. Let’s get real. Newer password crackers such as RainbowCrack can crack the most complex passwords in less than 30 minutes. Obviously, passwords are not a control in themselves. For this reason, auditors have been suggesting two-factor authentication. In addition to a password, a user is required to have a second form of authentication. This can include a token such as RSA SecurID or Identix. Both of these popular devices are inexpensive and reliable. Biometric authentication using fingerprint or iris scanners is also very effective. Digital certificates are also excellent tools. Two-factor authentication has been available for several decades. When a company has a computer incident, it quickly understands why it needs these additional controls.

In a previous article available online (http://www.canaudit.com/Perspectives/Volume6_Issue9.pdf), I mentioned the serious exposures relating to Web mail. I remain very concerned about Web mail and administrative access to servers and databases. I strongly urge your organization to implement two-factor authentication for all those with sensitive access, including system administrators, database administrators, executives, and any other staff or contractors with sensitive access.
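As an added example (not from the article), here is the token check of the second factor in code. The article names RSA SecurID and Identix tokens; this block instead uses the open TOTP algorithm (RFC 6238, HMAC-SHA1 over a 30-second counter), which the standard library can compute, and shows a login that requires both the password and a current token, tolerates one step of clock drift, and rejects a replayed code. The shared secret is the RFC 6238 test-vector secret and the password salt is constructed; a real deployment keeps both in a protected store rather than in code.

```python
"""Verify a time-based one-time token as a second authentication factor.

Added example, not from the article: the article recommends hardware tokens
such as RSA SecurID; this block shows the same idea with the open TOTP
algorithm (RFC 6238, HMAC-SHA1 over a 30-second counter) using only the
standard library. The shared secret is the RFC 6238 test-vector secret and
the password salt is constructed; real systems keep both in a protected
store and use a random per-user salt.
"""
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30
DIGITS = 6

# RFC 6238 test-vector secret, used here so the codes can be checked by hand.
SHARED_SECRET = b"12345678901234567890"
PASSWORD_SALT = b"constructed-salt"


def totp(secret, unix_time, step=STEP_SECONDS, digits=DIGITS):
    """Compute the TOTP code for `unix_time` (what the token would display)."""
    counter = int(unix_time) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verify_totp(secret, code, unix_time, window=1):
    """Accept the code for the current step and `window` steps either side,
    to tolerate clock drift between token and server. The comparison is
    constant-time so the check does not leak how much of the code matched."""
    for delta in range(-window, window + 1):
        expected = totp(secret, unix_time + delta * STEP_SECONDS)
        if hmac.compare_digest(expected, code):
            return True
    return False


def hash_password(password, salt=PASSWORD_SALT):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class TwoFactorLogin:
    """Password plus token: both must pass, and a code cannot be replayed."""

    def __init__(self, password_digest, secret):
        self.password_digest = password_digest
        self.secret = secret
        self.used_codes = set()   # simplification: a real store expires old codes

    def login(self, password, code, unix_time=None):
        unix_time = time.time() if unix_time is None else unix_time
        if not hmac.compare_digest(hash_password(password), self.password_digest):
            return "bad-password"
        if not verify_totp(self.secret, code, unix_time):
            return "bad-token"
        if code in self.used_codes:
            return "replayed-token"     # same code presented a second time
        self.used_codes.add(code)
        return "ok"


def make_demo_login(password="correct horse battery staple"):
    """Constructed account sharing SHARED_SECRET with its token."""
    return TwoFactorLogin(hash_password(password), SHARED_SECRET)
```

The point the article makes is visible in `login`: a cracked or guessed password alone returns "bad-password" or "bad-token", never "ok", because the second factor changes every 30 seconds and a captured code is refused once it has been used.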

THE FINAL QUESTION

If the answers to the above questions suggest that your company does not have any issues here, then I have one last question that the CEO should pose to the General Auditor and the CIO: If an airplane was built from the controls in the IT environment, would you board the aircraft? The answer I receive every time I pose this question is the same—no, they would not board. A single serious control failure can cause a plane to crash. I believe a single serious IT flaw can cause organization disruption or public embarrassment.

If I pose this question in another way—Are we Sarbanes-Oxley-compliant?—the answer would be yes. Is it possible to comply with Sarbanes-Oxley, yet still have serious control issues within the IT environment? The CEO often asks what value the company received from the Sarbanes-Oxley process. My answer is that these are two different issues. You can be Sarbanes-Oxley-compliant according to the audits performed by the external auditors and consultants, yet still have a poorly secured network. You have to fund both the SOX audit and the broad-scope Vulnerability Assessment audits.

As you can see from this article, 2005 brought new audit and security risks. The questions I pose in this article focus management’s attention on these risks, as they are the new security “hot buttons.” These items need to be addressed. But as auditors and security professionals, we must ensure that we emphasize all of the essential controls in the audit and security universe, not just those mentioned here.


Gordon Smith, president of Canaudit Inc., a consulting firm in Simi Valley, California, has over a quarter-century of progressive audit experience. Specializing in high-tech auditing, Mr. Smith is a recognized expert on auditing complex networks, operating systems, databases, and forensic auditing. He pioneered the integrated audit concept. He is the published author of Network Auditing: A Control Assessment Approach and the recently released Control and Security of E-Commerce, both published by John Wiley & Sons. You can contact him at [email protected]. The author encourages feedback from readers.