3/6/2017

Carol Rapps 1

Carol Rapps CIA, CISA, CCSA, CRMA, CFE, GLIT

IT AUDITING: From The Ground Up

Carol Rapps CISA, CIA, CCSA, CRMA, GLIT, CFE, ACUA Faculty

[email protected] 210-458-4679

Mohammed (Ali) Subhani CISA, CIA, CNE, ……… [email protected]


Carol Who? CISA, CIA, CCSA, CRMA, CFE, GLIT .....

30+ Years 

Started on mainframes

Seen the rise and fall of email

Various Industries


Ali Who? CIA, CISA, GSNA

10+ Years

Masters Accounting & Information Management

Special Interest is Data analytics

Professional Associations

President Elect TACUA

Board of IAA (not to be confused with IIA)


NOW YOU KNOW US. Who Are You & Why Are You Here?

• Interview & Present

1. Why did you register for this class and what is your main goal for attending?

2. Do you have a CISA or other IT-related certification?

3. How long have you been performing IT audits?

4. How mature is your IT audit function (start‐up < 2 years, new = 2‐5 yrs, moderate = 5‐8 yrs, mature > 8 yrs)?

5. Do you have an IT audit universe and a standard risk assessment methodology?

6. What are the top 3 IT audits on your current plan?

7. One fact about you that summarizes you as a person (FUN….)


RULES OF THE GAME(S)

• MYTH or REALITY

– Honesty counts; don’t make me audit your score

• KEY PRINCIPLES

• CASE STUDIES

• TERMINOLOGY / ACRONYM BINGO


AGENDA Day 1

• Introductions (Carol)

• What is IT/IS, The Universe & Risk Assessment (Carol)

• IT Governance (Carol)

• Intro To Logical Security (Carol)

– AD (Ali)

– UNIX (Carol)

– Oracle (Carol)

– Banner Student (Carol)


AGENDA Day 2

• Intro Application/Integrated Auditing (Carol)

• Elearn (Ali)

• Data Center (Physical Sec & Envir) (Carol)

• Intro to Networks (Ali)

• Intro to Operating Systems (Ali)

• Terminology Bingo (Both)


AGENDA Day 3

• Data Analytics (Ali)

• Cloud Computing (Carol)

• Conclusion (Carol)


WHY ARE YOU HERE?

This ought to be good….


IT AUDIT(OR)

• ISACA ‐ IT Audit is the process of collecting and evaluating evidence to determine whether a computer system has been designed to maintain data integrity, safeguard assets, allows organizational goals to be achieved effectively, and uses resources efficiently.

• KEY TRAITS OF AN IT AUDITOR
– Self‐motivated
– Ability to dig into technical details without getting lost
– Analytical skills (critical thinking)
– Communication skills (tech to English, English to tech)
– Ability to learn key concepts of technologies quickly
– Willingness to not touch specific technology daily

• KNOWLEDGE AN IT AUDITOR NEEDS
– Knowledge of IT (business processes, operations, technical, facilities, etc.)
– Knowledge of IS (business processes, operations, technical, etc.)
– Knowledge of the IT & IS professional (Geeks)


UNDERSTANDING GEEKS

Baseline article, 2008, by Ericka Chickowski

• Geeks are a “self‐selected” group
• The nature of geek work is “different”
• Power is “useless” on geeks
• Geeks are more attached to the “technology” than they are to “you”
• Geeks are “judgmental”
• Geeks are “introverted”
• Failure is “normal” to geeks
• Geeks at the keyboard “know more” about the technology than their managers do
• Geeks are “goal‐oriented” not “task‐oriented”
• IT creativity springs from the “environment” not “incentives”


WHAT DO THEY THINK OF AUDITORS?


MYTH or REALITY

IT & IS Professionals can be managed just like other employees?


“IT & IS” A BUSINESS SERVICE

• Objectives

• Governance, Processes/Operations, Infrastructure/Technical, Business Systems/Applications. 


KEY PRINCIPLE

YOU CANNOT GOVERN, MANAGE OR SECURE (or Audit)

WHAT YOU DON’T KNOW YOU HAVE


IT AUDIT UNIVERSE


LEADERSHIP / GOVERNANCE / MANAGEMENT

Information Technology

• Organizational Management

• IT Asset Management 

• IT Funding 

• Program/ Project Mgmt

• Decentralized Computing Oversight & Governance

• IT Communications

Information Security

• Program/Org Management 

• Data Ownership 

• ISA Management

• Purchasing Security Reviews 

• PCI‐DSS Compliance

• TAC202 Compliance


BUSINESS PROCESSES

Information Technology

• Data Center Management
• Change Management
• Problem Management / Customer Support
• Job Scheduling
• Backup & Recovery
• Desktop Management
• Student Computing Services (Virtual Labs?)
• Identity / Access Management
• Disaster Recovery Planning

Information Security

• Incident Response & Reporting

• Security Reviews / Auditing

• E‐discovery

• Risk Assessment

• Disaster Recovery Planning 


OPERATIONS/INFRASTRUCTURE
The Techie Stuff

Information Technology

• OPERATING SYSTEM MANAGEMENT
– Windows
– Unix / Linux
– Virtual Environments

• NETWORK MANAGEMENT
– Cisco
– Juniper
– Mgmt. Systems (TACACS, Brocade, etc.)

• STORAGE MANAGEMENT
– Tape Management
– Disk (SANs)

• DATABASE MANAGEMENT
– Oracle
– SQL

Information Security

• Vulnerabilities Management– Penetration Testing

– Malware Avoidance (anti‐virus)

– Patch Monitoring

• Network Monitoring

• Computer Forensics

• Firewall Management & Monitoring

• IDS / IPS


MYTH or REALITY

IT & IS are not the same?


BUSINESS SYSTEMS / APPLICATIONS

• Facilities Mgmt (HVAC)

• Blackboard

• Ellucian Banner Student 

• Early Alert System

• Global Advising

• Library Systems

• Cloud Academic Research Platform

• ERP / HR

• Grant Management 

• Conflict of Interest 

• Financial (PeopleSoft, BANNER)

• Effort Certification  

• Parking

• Bookstore

• Cafeteria Mgmt Systems


EXAMPLE DOMAINS

EDUCAUSE

• Admin/Mgmt

• IT Support Services

• Education Technology

• Research Computing Service

• Communications Infrastructure Services

• Enterprise Infrastructure Services

• Information Security

• Information Systems & Applications

• Other

COBIT

• Evaluate, Direct, Monitor (EDM)

• Align, Plan, Organize (APO)

• Build, Acquire, Implement (BAI)

• Deliver, Service, Support (DSS)

• Monitor, Evaluate, Assess (MEA)


YOUR DOMAINS

• Look At Your Organization and IT Org Chart

• Mine
– IT Leadership & Governance

– IT Operations

– IT Infrastructure

– IS Leadership & Governance

– IS Operations

– Research Computing & Applications

– Academic Computing & Applications

– Business Computing & Applications


IT AUDIT UNIVERSE EXERCISE
Part 1

• Template – How It Works
– Columns
– Creating Universe (think domains, categories, scope)
– Risk Assessment Criteria
– Roll‐up to Overall Audit Risk Assessment/Plan

• GET TO WORK (Fill in Template)
– Auditable Areas/Processes (think domains, categories, scope management)
– Risk Assess one domain/category per table (base on one university)

• Present ‐ 1 per table
– Domain/Categories You Used
– Risk for the one Domain/Category You Risk Assessed


BACK AT HOME

• How & Where To Get Information To Complete Universe
– Other Risk Assessments
– External Audits
– Surveys / Interviews
– Brainstorming
– Other Departments

• Planning Your Risk Assessment
– Strategy
– Meetings

• Questions/Comments/Complaints?


MYTH or REALITY

I WILL HAVE TO CONTINUALLY UPDATE MY IT UNIVERSE?


GOVERNANCE

Carol Rapps CIA, CISA, CCSA, CRMA, CFE, GLIT

IT GOVERNANCE

A set of processes, strategy, and culture by which the university can make institutional IT decisions to minimize risk, improve the use of limited resources and strategically position the university.


GOVERNANCE RISKS

• IT Position in University Culture / University Politics

• Uninformed decisions
– Strategic decisions made with incomplete/inaccurate info
– Non‐strategic decisions

• Communications (lack of) 

• Providing Wrong Service (Not a Strategic Partner)

• Providing Poor Service 

• Unable To Sustain What is Implemented 

• New Technology Introduces Unwarranted or Unacceptable Risk  

• Paying Too Much (not leveraging buying power)


BREAK IT DOWN (Simple English)

• WHERE DOES THE UNIVERSITY WANT TO GO?

• WHAT DOES THE UNIVERSITY HAVE? (assets, resources, funding)

• WHAT DOES THE UNIVERSITY NEED? (Academic, Research, Staff/Administration)

• ARE OBJECTIVES BEING MET?


WHERE DOES THE UNIVERSITY WANT TO GO?
AUDIT ENLIGHTENMENT

• Strategic Plans (University, IT, IS, Departmental)
– Are they aligned?
– Do they include IT components?
– IT requirements communicated to IT and funded?
– Existing IT operations able to support needs?

• No Plans?
– Management Interviews
– Exec Committee Minutes
– Web‐Sites
– Mission / Goal Statements


WHAT DOES THE UNIVERSITY HAVE?

Need To Know

• Hardware

• Software

• Outsourced

• Central IT Resources / Staffing

• IT Professionals Outside Central IT

• Current Known Risks

• IT Funding & Expenditures

Audit

• IT Asset Management

• IT Approval of IT Outsourced Services

• IT Staffing Skill Set & Training 

• IT / IS Risk Assessments

• IT Funding

• Metrics


WHAT DOES THE UNIVERSITY NEED?

CIO

• Gap Analysis (Want vs Have)
– ID Technology Needed

• Current Infrastructure / Staff Support?

• Can be used to meet multiple objectives

– ID Funding Sources

– Prioritization

– Metrics

Audit

• Compare Budget to Need
– Support infrastructure

– Support new initiatives

• Clear understanding of who pays for what and where the $ are coming from. 


ARE OBJECTIVES BEING MET?

Objectives

• Maximize the value of IT investments while reducing risk

• Keep IT investments on track with the university goals

Audit

• IT Performance Metrics
– Accountability divided between units and central IT

– What is measured (Dashboards)

– What is reported

– Measurement Integrity

– Use of measurements in governance and management

• Interviews (didn’t I do this in the beginning?)


MYTH or REALITY

Any IT Auditor can audit IT Governance?


REAL WORLD GOVERNANCE

RIGHT INDIVIDUALS HAVE THE RIGHT INFORMATION TO MAKE THE RIGHT DECISIONS AT THE RIGHT TIME.


LOGICAL SECURITY

• Identification & Authentication
– Objective is to determine that the system employs methods to identify, validate and track individuals accessing or using the system that ensure individual accountability.

• Access Management
– Objective is to determine that the appropriate processes and security measures are in place to ensure that access to information is only granted to authorized/known individuals for performing official UTSA tasks or services.

• Security Administration
– Objective is to determine that the area has established effective security techniques to segregate security, administrator and application functionality, the enforcement of strong access management processes, and the ability to monitor access, to help determine that the system has the ability to function unimpaired, free from deliberate or inadvertent unauthorized manipulation.


CONCEPTS & TERMINOLOGY

• Accounts / UserIDs / IDs = Unique symbol or character string used by an information system to identify a specific user.

• Objects / Forms / Databases / Fields = Items to be secured.

• Groups / Roles / Profiles / Class = Way to group IDs and permissions. They let you assign the same security permissions to large numbers of users in one operation.

• Administrative Account / Root / Super User = A user account with full privileges on a computer.


INFORMATION SECURITY LAYERS

• Network

• Host/Platform/ (OS)

• Applications

• Data (Databases)


KEY PRINCIPLE

“IS” = MOTHER OF ALL “IT” CONTROLS

AUDITING ACTIVE DIRECTORY

ALI SUBHANI, CIA, CISA, GSNA

MARCH 2017

ACUA MID-YEAR

DELIVERY

WHAT IS ACTIVE DIRECTORY?

AD: a centrally managed database with information about AD objects such as servers, workstations, users and printers; it provides authentication and authorization.

DIRECTORY EXAMPLES

Computer: operating system version, service pack level, last time the computer logged in to the domain

User account: last name, first name, last login time, group membership(s), phone number

AD FUNCTIONALITY

Access Control

Security Policy application

Auditing

Data Protection


AD BASICS: OBJECTS

A single 'entity' and its attributes. Example: servers, user accounts, printers, shared directories etc.

AD BASICS: DOMAIN

Basic unit of organization and security.

AD BASICS: ORGANIZATIONAL UNIT

'Container' within a domain which can hold users, groups and computers.

Benefits: better organization; assign group policy settings or account permissions; delegation of administrative responsibilities can be restricted to particular OU's.


AD BASICS: TREE

Multiple domains: a parent domain and child domains.

AD BASICS: TREE

Contiguous namespace, e.g.:

UTSYSTEM.EDU
UTDALLAS.UTSYSTEM.EDU
UTSA.UTSYSTEM.EDU

AD BASICS: TRUSTS

Allow for sharing of network resources across domains.


AD BASICS: TRUST TYPES

One-way trust: Domain B trusts Domain A.

Two-way trust: both domains trust each other (Domain A and Domain B).

ACTIVITY

Organization of objects in the following manner (diagram not reproduced) is an example of which concept in AD:

A. Trusts
B. Organizational Units (OU's)
C. None of the above


ACTIVITY

The domain that is created first is known as the:

A. Primary domain
B. Parent domain
C. Super mom domain

AD BASICS: DOMAIN CONTROLLER

Most critical AD hardware. Allows hosts to access domain resources. Stores user accounts. Enforces security requirements.

Image source: http://www.mcmcse.com/

AD BASICS: GROUP POLICY

Allows for security settings to be applied to resources in AD.

Image source: https://technet.microsoft.com/en-us/library/gg416505.aspx


AD BASICS: GROUP POLICY

Default policy applied to the domain.

Delegation to limit management of GPOs to a particular OU.

Image source: https://technet.microsoft.com/en-us/library/gg416505.aspx

AD BASICS: GROUP POLICY INHERITANCE

GPOs can be linked to multiple sets of machines and OUs. The processing order is domain, OU, and child OUs (local and site GPOs, where used, are applied before the domain). Group Policy applies GPOs from the top down, overwriting settings along the way, so the link closest to the object wins unless a link higher up is marked Enforced.

Image source: https://technet.microsoft.com/en-us/library/gg416505.aspx

AUDIT STEPS TO CONSIDER


AUDIT STEPS: SURVEYING THE LAND

Obtain a listing of servers and workstations.

Review the operating system, version and service packs in use.

Determine the location where domain controllers are being maintained.

If DCs exist in locations with poor physical controls, evaluate use of read-only DCs.

Evaluate whether the number of DCs is in line with your institution's risk appetite.

AUDIT STEPS: PROTECTING THE CROWN JEWEL(S) (DCs)

Determine if domain controllers are physically installed in dedicated secure racks or cages that are separate from the general server population.

Evaluate whether volumes in the domain controller servers are protected via BitLocker Drive Encryption.

Determine the process for 'locking down' a DC upon initial build.

Determine use of an application whitelisting tool to configure the services and applications that are permitted to run on domain controllers (DCs).

Allow RDP connections only from authorized users and systems.

Restrict internet browser usage on DCs: no browsers should be installed.


Best practice details at: https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/plan/security-best-practices/securing-domain-controllers-against-attack

AUDIT STEPS: USERS, PRIVILEGES, AND GPO

Evaluate the users that are currently active and ensure the individuals are currently affiliated with the institution.

Evaluate group membership of the following groups at a minimum: Enterprise Admins, Domain Admins, Administrators, Schema Admins, Account Operators, Allowed RODC Password Replication Group.

https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory

Interview technical staff to determine file shares where confidential data is retained.

Validate that the 'Everyone' group and 'Authenticated Users' group do not have privileges to shares with confidential data.


AUDIT STEPS: USERS, PRIVILEGES, AND GPO

Gain an understanding of the GPOs that are being enforced. Analyze whether the appropriate controls are being enforced.

Pay attention to GPO inheritance blocking: an OU with Block Inheritance set does not receive the domain's GPOs unless those links are marked Enforced.
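The inheritance slide and the audit step above describe the same mechanism, so the added example below (written for this page, not taken from the course material) models it: settings are resolved domain first, then each OU from parent to child, later links overwriting earlier ones; Block Inheritance on an OU drops what was linked above it, and an Enforced link above still wins through the block. The GPO names, settings and container path are invented for illustration; local and site GPOs, WMI filters, security filtering and loopback processing are deliberately left out.

```python
"""Resolve effective Group Policy settings for an object in a container path.

Added example with constructed GPO data. Models domain -> OU -> child OU
processing, Block Inheritance and Enforced links only.
"""

# Constructed GPOs: name -> the settings that GPO configures
GPOS = {
    "Default Domain Policy": {"AuditLogonEvents": "Success", "ScreenSaverTimeout": 900},
    "Baseline Security": {"AuditLogonEvents": "Success,Failure", "AllowRemoteDesktop": False},
    "Finance Desktop": {"ScreenSaverTimeout": 3600, "AllowRemoteDesktop": True},
}

# Container path from the domain down to the OU that holds the object (invented)
PATH = ["DC=utsa,DC=utsystem,DC=edu", "OU=Staff", "OU=Finance"]

# Links per container, in processing order (lowest precedence first), i.e. the
# reverse of the "Link Order" column GPMC displays.
LINKS = {
    "DC=utsa,DC=utsystem,DC=edu": ["Default Domain Policy", "Baseline Security"],
    "OU=Staff": [],
    "OU=Finance": ["Finance Desktop"],
}


def resolve_settings(path, links, gpos, blocked=frozenset(), enforced=frozenset()):
    """Return (effective settings, winning GPO per setting)."""
    normal, forced = [], []
    for container in path:                      # top-down: domain, OU, child OU
        if container in blocked:
            normal = []                         # Block Inheritance drops non-enforced links from above
        for name in links.get(container, []):
            (forced if name in enforced else normal).append(name)

    effective, winner = {}, {}
    for name in normal:                         # a closer link overwrites a farther one
        for setting, value in gpos[name].items():
            effective[setting], winner[setting] = value, name
    for name in reversed(forced):               # Enforced beats everything; a higher Enforced link beats a lower one
        for setting, value in gpos[name].items():
            effective[setting], winner[setting] = value, name
    return effective, winner


def missing_controls(effective, required):
    """The auditor's comparison: required settings that are absent or wrong."""
    return {k: effective.get(k) for k, v in required.items() if effective.get(k) != v}


REQUIRED = {"AuditLogonEvents": "Success,Failure", "AllowRemoteDesktop": False}


def scenarios():
    """Plain inheritance, a blocked OU, and a blocked OU with an Enforced domain link."""
    plain, _ = resolve_settings(PATH, LINKS, GPOS)
    blocked, _ = resolve_settings(PATH, LINKS, GPOS, blocked={"OU=Finance"})
    enforced, _ = resolve_settings(PATH, LINKS, GPOS, blocked={"OU=Finance"},
                                   enforced={"Baseline Security"})
    return {"plain": plain, "blocked": blocked, "blocked+enforced": enforced}


if __name__ == "__main__":
    for label, eff in scenarios().items():
        print(label, eff, "gaps:", missing_controls(eff, REQUIRED))
```

The "blocked" scenario is the one the audit step warns about: the Finance OU silently loses the domain's audit setting, and nothing in the OU's own GPO says so. Compare the result of `gpresult /r` or the Group Policy Results wizard on a sample machine against what the GPMC links suggest should apply.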

AUDIT STEPS: LOGGING

Ensure high-risk activities are being logged; inquire about the following at a minimum:

User Account Changes

Password Resets by Administrator

Security Group Membership Changes

Logons by a Single User from Multiple Endpoints

Group Policy Changes
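To make the list above testable rather than a question for the interview, the added example below (not part of the course material) maps each item to the Security log event IDs Windows writes for it and runs the one detection that needs logic, logons by a single user from multiple endpoints, over constructed sample records. The records are invented and their field names are simplified from the real event XML; the one-hour window and the three-endpoint threshold are assumptions.

```python
"""Detection logic for the AD logging items, over constructed Security log records.

Added example; the EVENTS list is invented sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Security log event IDs Windows writes for the activities on the slide
HIGH_RISK_EVENT_IDS = {
    "User Account Changes": {4720, 4722, 4725, 4726, 4738},        # created, enabled, disabled, deleted, changed
    "Password Resets by Administrator": {4724},                    # reset attempted by another account
    "Security Group Membership Changes": {4728, 4729, 4732, 4733, 4756, 4757},  # global/local/universal add+remove
    "Group Policy Changes": {5136, 5137, 5141},                    # directory object modified/created/deleted
}
INTERACTIVE_LOGON_TYPES = {2, 10, 11}   # console, RDP, cached; type 3 (network) fires everywhere and is excluded

# Constructed sample records: time, event id, account, source workstation, logon type
EVENTS = [
    {"time": "2017-03-06T08:00:00", "id": 4624, "user": "alice", "workstation": "WS-201", "logon_type": 2},
    {"time": "2017-03-06T08:05:00", "id": 4624, "user": "alice", "workstation": "WS-202", "logon_type": 10},
    {"time": "2017-03-06T08:07:00", "id": 4624, "user": "alice", "workstation": "WS-203", "logon_type": 2},
    {"time": "2017-03-06T08:20:00", "id": 4624, "user": "alice", "workstation": "WS-204", "logon_type": 2},
    {"time": "2017-03-06T08:01:00", "id": 4624, "user": "chip", "workstation": "WS-101", "logon_type": 2},
    {"time": "2017-03-06T17:02:00", "id": 4624, "user": "chip", "workstation": "WS-102", "logon_type": 2},
    {"time": "2017-03-06T09:00:00", "id": 4624, "user": "svc-backup", "workstation": "FS-01", "logon_type": 3},
    {"time": "2017-03-06T09:00:05", "id": 4624, "user": "svc-backup", "workstation": "FS-02", "logon_type": 3},
    {"time": "2017-03-06T09:00:09", "id": 4624, "user": "svc-backup", "workstation": "FS-03", "logon_type": 3},
    {"time": "2017-03-06T09:00:12", "id": 4624, "user": "svc-backup", "workstation": "FS-04", "logon_type": 3},
    {"time": "2017-03-06T10:15:00", "id": 4728, "user": "admin1", "target": "Domain Admins", "member": "chip"},
    {"time": "2017-03-06T10:16:00", "id": 4724, "user": "admin1", "target": "alice"},
    {"time": "2017-03-06T11:00:00", "id": 5136, "user": "admin1", "target": "groupPolicyContainer under CN=Policies"},
]


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def multi_endpoint_logons(events, window=timedelta(hours=1), max_hosts=3):
    """Users with interactive logons from more than max_hosts distinct
    endpoints inside any window-long period; returns user -> sorted hosts."""
    by_user = defaultdict(list)
    for e in events:
        if e["id"] == 4624 and e["logon_type"] in INTERACTIVE_LOGON_TYPES:
            by_user[e["user"]].append((_ts(e["time"]), e["workstation"]))
    hits = {}
    for user, logons in by_user.items():
        logons.sort()
        for i, (start, _) in enumerate(logons):          # slide the window forward from each logon
            hosts = {host for t, host in logons[i:] if t - start <= window}
            if len(hosts) > max_hosts:
                hits[user] = sorted(hosts)
                break
    return hits


def high_risk_summary(events):
    """Count of logged events per slide category. A zero means either nothing
    happened in the sample or the category is not being audited: ask which."""
    counts = {category: 0 for category in HIGH_RISK_EVENT_IDS}
    for e in events:
        for category, ids in HIGH_RISK_EVENT_IDS.items():
            if e["id"] in ids:
                counts[category] += 1
    return counts


if __name__ == "__main__":
    print(multi_endpoint_logons(EVENTS))
    print(high_risk_summary(EVENTS))
```

Event 5136 only records Group Policy changes when the "Audit Directory Service Changes" subcategory is enabled and the policy containers carry a SACL, so check the audit policy before trusting a zero in that row.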


UNIX/LINUX?


/etc/passwd File

cat /etc/passwd

1. Username
2. Password: an “x” means the password hash is stored in /etc/shadow; a “*” (or “!”) means there is no valid hash, so password logins for the account are disabled (other login methods, such as SSH keys, are unaffected)
3. User ID (UID): internal numerical user id; UID 0 is root, and any other UID 0 account is a finding
4. Group ID (GID): the primary group ID (defined in /etc/group)
5. User ID Info: the comment (GECOS) field
6. Home directory: path where the user will be when they log in
7. Command/shell path: a non-login shell such as /sbin/nologin or /bin/false blocks interactive use


/etc/shadow File

cat /etc/shadow

1. User name: the login name
2. Password: the hashed password (the file is readable only by root, unlike /etc/passwd). The password should be a minimum of 6‐8 characters long including special characters/digits
3. Last password change (lastchanged): days since Jan 1, 1970 that the password was last changed
4. Minimum: the minimum number of days required between password changes, i.e. the number of days left before the user is allowed to change his/her password
5. Maximum: the maximum number of days the password is valid (after that the user is forced to change his/her password); 99999 effectively means never
6. Warn: the number of days before the password is to expire that the user is warned that his/her password must be changed
7. Inactive: the number of days after the password expires that the account is disabled
8. Expire: days since Jan 1, 1970 that the account is disabled, i.e. an absolute date specifying when the login may no longer be used


/etc/group File

cat /etc/group

1. Groupname

2. Password (x means the group password is stored in the group shadow file, /etc/gshadow; * or empty means there is no password)

3. GID (numerical group ID)

4. Membership (comma-separated list of users who have the group as a supplementary group; users whose primary GID in /etc/passwd is this group are not listed here, so check both files when reviewing group 0)
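The three files above are usually reviewed together, so the added example below (written for this page, not taken from the course) parses all three and applies the first-pass checks an auditor makes: extra UID 0 accounts, hashes or empty fields in the world-readable /etc/passwd, empty hashes in /etc/shadow, non-expiring passwords on accounts with a login shell, and membership of root-capable groups. The file contents are constructed (hashes are placeholders) and the 90-day maximum age and the list of login shells are assumptions to replace with the institution's standard.

```python
"""Parse /etc/passwd, /etc/shadow and /etc/group and flag first-review findings.

Added example; PASSWD, SHADOW and GROUP below are constructed sample files.
"""
from collections import namedtuple

Passwd = namedtuple("Passwd", "name pw uid gid gecos home shell")
Shadow = namedtuple("Shadow", "name hash lastchg min max warn inactive expire")
Group = namedtuple("Group", "name pw gid members")

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
chip:x:1001:1001:Chip Auditor:/home/chip:/bin/bash
oracle:x:1002:1002:Oracle software owner:/opt/oracle:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
legacy:x:1003:1003:Old batch account:/home/legacy:/bin/sh
"""
SHADOW = """\
root:$6$salt$HASH1:17200:0:99999:7:::
daemon:*:17000:0:99999:7:::
chip:$6$salt$HASH2:17250:1:90:7:14::
oracle:$6$salt$HASH3:16000:0:99999:7:::
toor:$6$salt$HASH4:17250:0:99999:7:::
legacy::17000:0:99999:7:::
"""
GROUP = """\
root:x:0:
wheel:x:10:chip,oracle
oracle:x:1002:
"""

LOGIN_SHELLS = {"/bin/sh", "/bin/bash", "/bin/ksh", "/bin/zsh", "/bin/csh", "/bin/tcsh"}
ROOT_CAPABLE_GROUPS = {"wheel", "sudo", "admin"}   # depends on the distribution and sudoers
MAX_PASSWORD_AGE = 90                               # assumed local standard, in days


def _int(s):
    return int(s) if s else None


def parse_passwd(text):
    out = []
    for line in text.splitlines():
        if line and not line.startswith("#"):
            f = line.split(":")
            out.append(Passwd(f[0], f[1], int(f[2]), int(f[3]), f[4], f[5], f[6]))
    return out


def parse_shadow(text):
    out = []
    for line in text.splitlines():
        if line:
            f = (line.split(":") + [""] * 9)[:9]        # nine fields, most may be empty
            out.append(Shadow(f[0], f[1], *(_int(x) for x in f[2:8])))
    return out


def parse_group(text):
    out = []
    for line in text.splitlines():
        if line:
            f = line.split(":")
            out.append(Group(f[0], f[1], int(f[2]), [m for m in f[3].split(",") if m]))
    return out


def audit(passwd, shadow, groups):
    """Return (account, issue) pairs in the order found."""
    findings = []
    shadow_by_name = {s.name: s for s in shadow}
    for p in passwd:
        if p.uid == 0 and p.name != "root":
            findings.append((p.name, "extra UID 0 account"))
        if p.pw not in ("x", "*", "!"):
            findings.append((p.name, "hash or empty password field in world-readable /etc/passwd"))
        s = shadow_by_name.get(p.name)
        if s is None:
            findings.append((p.name, "no /etc/shadow entry"))
            continue
        if s.hash == "":
            findings.append((p.name, "empty hash: password login without a password"))
        locked = s.hash.startswith(("!", "*"))
        if not locked and p.shell in LOGIN_SHELLS and (s.max is None or s.max > MAX_PASSWORD_AGE):
            findings.append((p.name, "password never expires or max age > %d days" % MAX_PASSWORD_AGE))
    for g in groups:
        if g.name in ROOT_CAPABLE_GROUPS:
            for member in g.members:
                findings.append((member, "member of %s (root-capable)" % g.name))
    return findings


def run():
    return audit(parse_passwd(PASSWD), parse_shadow(SHADOW), parse_group(GROUP))


if __name__ == "__main__":
    for account, issue in run():
        print("%-8s %s" % (account, issue))
```

On a real host, `getent passwd`, `getent shadow` (as root) and `getent group` give the same lines with LDAP or NIS accounts included, which the flat files alone miss.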


File / Directory Permissions

ls -l <directory>

drwxr‐xr‐x (1, 2)   8 (3)   chip (4)   xyzrrr (5)   102 (6)   Oct 6 2006 (7)   evidence (8)

1. dash ("‐") = file, "d" = directory, “l” = link
2. Permissions
a. characters 1‐3 = owner's permissions
b. 4‐6 = group permissions
c. 7‐9 = world/anyone permissions
3. Link count (for a directory, the number of subdirectories plus two; for a file, the number of hard links)
4. Owner (username) of the file
5. Group (groupname) to which this file belongs
6. File size; changes with the size of the file
7. Date and time the file was last modified
8. Name of the file


More On Permissions

The three actions you can perform on a file/directory:
– read (view the file, or list a directory's contents)
– write (create, edit or delete; for a directory, add or remove entries in it)
– execute (run a script/program, or enter a directory)


Yes, here is an example

drwxr‐xr‐x   3 chip  blue     102  Oct  6  2006  evidence

• This is a directory; the owner (chip) can read, write and execute the file; folks in the “blue” group can read and execute the file (not write to it); and everyone else on the system can read and execute the file (not write to it)

‐rw‐r‐‐r‐‐ 1 pest  green    50417  Sep 15  2006  fink_Read Me.pdf

• This is a regular file; the owner (pest) can read and write (not  execute) the file; folks in the “green” group can only read the file; and everyone else on the system can only read the file.
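The two readings above are mechanical once the nine permission characters are split into triads, so the added example below (written for this page, not course code) does that for `ls -l` output and produces the same plain-English sentence plus the questions an auditor would raise (world-writable entries, setuid-root executables). The listing is constructed: the first two lines mirror the slide, the rest are invented to exercise the flags.

```python
"""Decode `ls -l` lines into who can read, write and execute, and flag risky entries.

Added example; LISTING is constructed sample output.
"""
import re

LS_LINE = re.compile(
    r"^(?P<type>[-dl])(?P<perm>[rwxsStT-]{9})\s+(?P<links>\d+)\s+(?P<owner>\S+)\s+"
    r"(?P<group>\S+)\s+(?P<size>\d+)\s+(?P<date>[A-Za-z]{3}\s+\d{1,2}\s+[\d:]+)\s+(?P<name>.+)$"
)
TYPES = {"-": "file", "d": "directory", "l": "link"}

LISTING = """\
drwxr-xr-x   3 chip  blue     102  Oct  6  2006  evidence
-rw-r--r--   1 pest  green  50417  Sep 15  2006  fink_Read Me.pdf
-rw-rw-rw-   1 raul  Web    30208  Sep 19  2007  installmw.xex
-rwsr-xr-x   1 root  root   40000  Aug 31 16:18  backup_helper
-rw-------   1 sarah Infra   3690  Jul  5  2007  Installed
"""


def _triad(bits):
    # 's'/'t' = execute plus setuid/setgid/sticky; 'S'/'T' = the special bit without execute
    return {"read": bits[0] == "r", "write": bits[1] == "w", "execute": bits[2] in "xst"}


def decode(line):
    m = LS_LINE.match(line)
    if not m:
        raise ValueError("not an ls -l line: %r" % line)
    p = m.group("perm")
    return {
        "type": TYPES[m.group("type")], "owner": m.group("owner"), "group": m.group("group"),
        "links": int(m.group("links")), "size": int(m.group("size")), "name": m.group("name"),
        "owner_perms": _triad(p[0:3]), "group_perms": _triad(p[3:6]), "other_perms": _triad(p[6:9]),
        "setuid": p[2] in "sS", "setgid": p[5] in "sS", "sticky": p[8] in "tT",
    }


def _words(perms, is_dir):
    verbs = [v for v in ("read", "write", "execute") if perms[v]]
    if is_dir and "execute" in verbs:
        verbs[verbs.index("execute")] = "enter"     # execute on a directory means "enter"
    return ", ".join(verbs) or "nothing"


def describe(entry):
    """Plain-English line in the style of the slide."""
    d = entry["type"] == "directory"
    return "%s %s: owner %s can %s; group %s can %s; everyone else can %s" % (
        entry["type"], entry["name"], entry["owner"], _words(entry["owner_perms"], d),
        entry["group"], _words(entry["group_perms"], d), _words(entry["other_perms"], d))


def flags(entry):
    """Questions the auditor would raise about this entry."""
    out = []
    if entry["other_perms"]["write"]:
        out.append("world-writable")
    if entry["type"] == "file" and entry["setuid"] and entry["owner"] == "root":
        out.append("setuid root executable")
    if entry["type"] == "directory" and entry["other_perms"]["write"] and not entry["sticky"]:
        out.append("world-writable directory without sticky bit")
    return out


def review(listing=LISTING):
    return [(e["name"], describe(e), flags(e)) for e in map(decode, listing.splitlines())]


if __name__ == "__main__":
    for name, sentence, issues in review():
        print(sentence, issues or "")
```

`ls -l` does not show ACLs (a trailing `+` in the mode string hints at them) or the directory's own permissions along the path, both of which can widen or narrow what the nine characters suggest; `getfacl` and `namei -l` fill those gaps.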


KEY PRINCIPLE

Rule of Least Access Should Always Be Applied


Exercise: File/Directory Permissions

1. drwxr‐xr‐x   3 finger  system     102  Oct  6  2006  evidence
2. ‐rw‐r‐‐r‐‐ 1 joy  holiday    50417  Sep 15  2006  fink_Read Me.pdf
3. ‐rw‐r‐‐r‐‐ 1 boss  green     0  Dec 22  2007  first.dd
4. ‐rw‐r‐‐r‐‐ 1 fred orange    58  Sep 15  2006  hello.c
5. ‐rw‐r‐‐r‐‐ 1 sarah Infra    3690  Jul  5  2007 Installed
6. ‐rw‐‐‐‐‐‐‐ 1 raul Web    30208  Sep 19  2007  installmw.xex
7. ‐rw‐r‐‐r‐‐ 1 laura AF   222918  Sep 16  2006  list
8. ‐rw‐r‐‐r‐‐ 1 printer  Infra   3642  Aug 31 16:18  outdated
9. ‐rw‐r‐‐r‐‐ 1 root  chip   499  May 22  2007  ports
10. drwxr‐xr‐x   4 root  dev   136  Dec 14  2006  programs

A. Who has access to what?
B. Based on access, what do you think is in the directory or what type of file it is?
C. Any questions you would ask about the access?


What to Review

• Operating system files

• Database System files

• Any application files 

• Anything else that “the business” indicates are critical

• “root” access – do not forget to ask about sudo and su; both leave log entries (in the system auth log, and sudo can also keep its own), so ask for those logs


ORACLE

• Detailed Audit Program will be provided

– Audit Test Objective

– Background

– Risk

– Test (sometimes multiple options)

– Potential Recommendation


ORACLE
Top Authentication Items to Look at (1st Review)

• Default Passwords on delivered accounts
– View DBA_USERS_WITH_DEFPWD (join to DBA_USERS for ACCOUNT_STATUS: an account that is EXPIRED & LOCKED is less urgent than one that is OPEN)

• Individual Accountability
– View SYS.DBA_USERS (reconcile named accounts to current staff; look for shared or generic accounts)

• Profile Settings
– Password & Resource Parameters
– View SYS.DBA_PROFILES (check the DEFAULT profile first, since a limit of DEFAULT in any other profile inherits from it)


ORACLE
Top Access Items to Look at (1st Review)

• Privileged User IDs
– V$PWFILE_USERS (accounts with SYSDBA/SYSOPER in the password file)

• User Privileges
– DBA_ROLE_PRIVS ‐ describes the roles granted to all users and roles in the database
– DBA_SYS_PRIVS ‐ describes system privileges granted to users and roles. This view does not display the USERNAME column
– DBA_COL_PRIVS ‐ describes all column object grants in the database
– DBA_TAB_PRIVS ‐ describes all object grants in the database
– USER_TAB_PRIVS ‐ describes the object grants for which the current user is the object owner, grantor, or grantee. Its columns are the same as those in DBA_TAB_PRIVS
– ALL_TAB_PRIVS ‐ describes objects for which the current user is the object owner, grantor or grantee AND object grants for which an enabled role or PUBLIC is the grantee

• Public Role
– Request the DB Public Table Grant Report from the DBA (or query DBA_TAB_PRIVS and DBA_ROLE_PRIVS WHERE GRANTEE = 'PUBLIC')

• Oracle Special Users (SYS, SYSTEM)
– Who knows the password?

• DBA Role

• Data Access by 3rd Party Software (backend)
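The authentication and access slides name the views but not what to do with the rows, so the added example below (written for this page, not the course's audit program) carries the queries an auditor runs against those views and the logic applied to their results: open accounts still on a default password, profiles with weak password limits, accounts that can administer the database, and roles granted to PUBLIC. The result rows are constructed, the 90-day life and 10-attempt ceilings are assumptions, and the column names are those of the documented views.

```python
"""Oracle first-review checks: the queries and the logic applied to their rows.

Added example; DEFAULT_PW_ROWS, PROFILE_ROWS, PWFILE_ROWS and ROLE_ROWS are
constructed results, in the column order of the matching query.
"""

QUERIES = {
    # delivered accounts still on the default password, with their status
    "default_passwords": "SELECT d.username, u.account_status "
                         "FROM dba_users_with_defpwd d JOIN dba_users u ON u.username = d.username",
    # password-related limits of every profile
    "password_profiles": "SELECT profile, resource_name, limit FROM dba_profiles "
                         "WHERE resource_type = 'PASSWORD'",
    # accounts with SYSDBA/SYSOPER in the password file
    "password_file": "SELECT username, sysdba, sysoper FROM v$pwfile_users",
    # role grants, including grants to PUBLIC
    "role_grants": "SELECT grantee, granted_role, admin_option FROM dba_role_privs",
}

DEFAULT_PW_ROWS = [("SCOTT", "OPEN"), ("OUTLN", "EXPIRED & LOCKED"), ("DBSNMP", "OPEN")]
PROFILE_ROWS = [
    ("DEFAULT", "PASSWORD_LIFE_TIME", "UNLIMITED"), ("DEFAULT", "FAILED_LOGIN_ATTEMPTS", "10"),
    ("DEFAULT", "PASSWORD_VERIFY_FUNCTION", "NULL"), ("DEFAULT", "PASSWORD_REUSE_MAX", "UNLIMITED"),
    ("APP_USERS", "PASSWORD_LIFE_TIME", "90"), ("APP_USERS", "FAILED_LOGIN_ATTEMPTS", "5"),
    ("APP_USERS", "PASSWORD_VERIFY_FUNCTION", "ORA12C_VERIFY_FUNCTION"),
    ("APP_USERS", "PASSWORD_REUSE_MAX", "10"),
]
PWFILE_ROWS = [("SYS", "TRUE", "TRUE"), ("CHIP", "TRUE", "FALSE")]
ROLE_ROWS = [("SYSTEM", "DBA", "YES"), ("CHIP", "DBA", "NO"),
             ("APP_OWNER", "CONNECT", "NO"), ("PUBLIC", "SELECT_CATALOG_ROLE", "NO")]


def open_default_password_accounts(rows):
    """Delivered accounts on a default password that can still log in."""
    return sorted(user for user, status in rows if status.startswith("OPEN"))


def weak_password_profiles(rows, max_life_days=90, max_failed_logins=10):
    """profile -> password limits that breach the (assumed) standard.
    A limit of DEFAULT inherits the DEFAULT profile's value."""
    by_profile = {}
    for profile, resource, limit in rows:
        by_profile.setdefault(profile, {})[resource] = limit

    def limit_of(profile, resource):
        value = by_profile[profile].get(resource, "DEFAULT")
        if value == "DEFAULT" and profile != "DEFAULT":
            value = by_profile.get("DEFAULT", {}).get(resource, "UNLIMITED")
        return value

    def too_high(value, ceiling):
        return value in ("UNLIMITED", "DEFAULT") or float(value) > ceiling

    issues = {}
    for profile in by_profile:
        found = []
        if too_high(limit_of(profile, "PASSWORD_LIFE_TIME"), max_life_days):
            found.append("PASSWORD_LIFE_TIME")
        if too_high(limit_of(profile, "FAILED_LOGIN_ATTEMPTS"), max_failed_logins):
            found.append("FAILED_LOGIN_ATTEMPTS")
        if limit_of(profile, "PASSWORD_VERIFY_FUNCTION") == "NULL":
            found.append("PASSWORD_VERIFY_FUNCTION")
        if limit_of(profile, "PASSWORD_REUSE_MAX") == "UNLIMITED":
            found.append("PASSWORD_REUSE_MAX")
        issues[profile] = found
    return issues


def privileged_accounts(pwfile_rows, role_rows):
    """account -> administrative powers: SYSDBA/SYSOPER from the password file,
    plus the DBA role (ADMIN OPTION means the holder can re-grant it)."""
    privileged = {}
    for user, sysdba, sysoper in pwfile_rows:
        for flag, name in ((sysdba, "SYSDBA"), (sysoper, "SYSOPER")):
            if flag == "TRUE":
                privileged.setdefault(user, []).append(name)
    for grantee, role, admin in role_rows:
        if role == "DBA":
            privileged.setdefault(grantee, []).append(
                "DBA WITH ADMIN OPTION" if admin == "YES" else "DBA")
    return privileged


def public_role_grants(role_rows):
    """Roles granted to PUBLIC reach every account in the database."""
    return sorted(role for grantee, role, _ in role_rows if grantee == "PUBLIC")


if __name__ == "__main__":
    print(open_default_password_accounts(DEFAULT_PW_ROWS))
    print(weak_password_profiles(PROFILE_ROWS))
    print(privileged_accounts(PWFILE_ROWS, ROLE_ROWS))
    print(public_role_grants(ROLE_ROWS))
```

Run the `QUERIES` in SQL*Plus (or have the DBA run them and hand over the spool files) and feed the rows in; the two profile checks are the ones most often missed because the DEFAULT profile is what every account without an explicit profile actually gets.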


ORACLE
Top Config & Ops Items to Look at (1st Review)

• Segregated Environments
– Separate prod, test & development environments

• Trusts/DB Links
– SYS.DBA_DB_LINKS

• Initialization Parameters
– init<SID>.ora, or the server parameter file (spfile<SID>.ora) if one is in use; V$PARAMETER shows the values actually in effect


KEY PRINCIPLE

IF YOU DON’T NEED IT,

DON’T KEEP IT,

YOU MAY LOSE IT


BANNER ACCESS

• Application Security Tables

– GURUCLS

– GURUOBJ

– GURUTAB

– GOBEACC

• Oracle Table

– SYS.DBA_USERS


GURUCLS

• Provides Classes and the assigned Users

• Fields
GURUCLS_USERID: end user
GURUCLS_CLASS_CODE: Banner Class
GURUCLS_ACTIVITY_DATE: last date record was changed
GURUCLS_USER_ID: who made the change


GURUOBJ

• Provides Classes and the assigned Objects

• Fields
GURUOBJ_OBJECT: Banner form, table, report, etc.
GURUOBJ_ROLE: privileges assigned
GURUOBJ_USERID: end user or Class (a class code here fans the grant out to every user in that class in GURUCLS)
GURUOBJ_ACTIVITY_DATE: last date record was changed
GURUOBJ_USER_ID: who made the change


GOBEACC

• Matches Users to Oracle IDs

• Fields
GOBEACC_PIDM: end user unique identifier
GOBEACC_USERNAME: Oracle ID used to access Banner

AND

• SYS.DBA_USERS
– Use to see account status in Oracle (i.e. is it locked)

JOIN to SPRIDEN (on PIDM) to identify the name of the user


3 HIGH RISK OBJECTS
Banner Student

• SPAPERS – SSN’s

• SPAIDEN ‐ SSN’s

• SHAINST – Change grades
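The tables on the preceding slides chain together into one question, "who can reach these three objects, and can they still log in?", so the added example below (written for this page, not the course's audit program) walks that chain: GURUCLS gives user to class, GURUOBJ gives object and role to a class or a single user, GOBEACC maps the PIDM to the Oracle username, SPRIDEN gives the name and DBA_USERS the account status. All rows are constructed; the class codes, the role names (BAN_DEFAULT_M for maintenance, BAN_DEFAULT_Q for query) and the use of GURUOBJ_USERID as the grantee column are assumptions to confirm against your Banner release.

```python
"""Who holds access to the high-risk Banner Student objects, resolved through
GURUCLS, GURUOBJ, GOBEACC, SPRIDEN and DBA_USERS.

Added example; every row below is constructed sample data.
"""
from collections import defaultdict

HIGH_RISK = {"SPAPERS": "SSNs", "SPAIDEN": "SSNs", "SHAINST": "grade changes"}

# (GURUCLS_USERID, GURUCLS_CLASS_CODE)
GURUCLS = [("CHIP", "BAN_REGISTRAR_C"), ("JOY", "BAN_ADVISOR_C"), ("CHIP", "BAN_ADVISOR_C")]
# (GURUOBJ_OBJECT, GURUOBJ_ROLE, GURUOBJ_USERID); the grantee is a class code or a single user
GURUOBJ = [
    ("SHAINST", "BAN_DEFAULT_M", "BAN_REGISTRAR_C"),
    ("SPAPERS", "BAN_DEFAULT_M", "BAN_REGISTRAR_C"),
    ("SPAIDEN", "BAN_DEFAULT_Q", "BAN_ADVISOR_C"),
    ("SHAINST", "BAN_DEFAULT_M", "PEST"),              # direct grant outside any class
    ("SFAREGS", "BAN_DEFAULT_Q", "BAN_ADVISOR_C"),
]
GOBEACC = [(1001, "CHIP"), (1002, "JOY"), (1003, "PEST")]       # (GOBEACC_PIDM, GOBEACC_USERNAME)
SPRIDEN = [(1001, "Auditor", "Chip"), (1002, "Holiday", "Joy"), (1003, "Control", "Pest")]  # current rows only
DBA_USERS = [("CHIP", "OPEN"), ("JOY", "OPEN"), ("PEST", "LOCKED")]  # (USERNAME, ACCOUNT_STATUS)

ROLE_RANK = {"BAN_DEFAULT_Q": 1, "BAN_DEFAULT_M": 2}   # maintenance outranks query (assumed role names)


def effective_access(gurucls, guruobj):
    """user -> {object: strongest role}, expanding class grants to their members."""
    members = defaultdict(set)
    for user, cls in gurucls:
        members[cls].add(user)
    access = defaultdict(dict)
    for obj, role, grantee in guruobj:
        holders = members[grantee] if grantee in members else {grantee}
        for user in holders:
            if ROLE_RANK.get(role, 0) > ROLE_RANK.get(access[user].get(obj), 0):
                access[user][obj] = role
    return access


def high_risk_report(access, gobeacc, spriden, dba_users):
    """One row per (user, high-risk object): who the person is and whether the
    Oracle account behind the Banner ID can still log in."""
    name_by_pidm = {pidm: "%s, %s" % (last, first) for pidm, last, first in spriden}
    pidm_by_user = {user: pidm for pidm, user in gobeacc}
    status = dict(dba_users)
    rows = []
    for user in sorted(access):
        for obj, role in sorted(access[user].items()):
            if obj in HIGH_RISK:
                rows.append((user, name_by_pidm.get(pidm_by_user.get(user), "NOT IN SPRIDEN"),
                             obj, HIGH_RISK[obj], role, status.get(user, "NO ORACLE ACCOUNT")))
    return rows


def run():
    return high_risk_report(effective_access(GURUCLS, GURUOBJ), GOBEACC, SPRIDEN, DBA_USERS)


if __name__ == "__main__":
    for row in run():
        print(row)
```

The direct grant to PEST is the kind of entry class-based reports hide: it never appears in GURUCLS, so pull GURUOBJ rows whose grantee is not a class code and review them one by one, and treat a LOCKED Oracle account as mitigating only until someone unlocks it.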


APPLICATIONS / BUSINESS SYSTEMS


KEY PRINCIPLE

GARBAGE IN

GARBAGE OUT


APPLICATION PROCESSING
Objective

• Determine the following:
– Data is entered into the application correctly;
– Processed accurately;
– Errors are detected, corrected and reprocessed; and,
– Interface files and reports contain complete and accurate information.

Areas
• Segregation of duties
• Input / Edits / Integrity
• Operations / Scheduling
• Interfaces
• Reports / Outputs

• Other to consider (not covering now)
• Audit (Transaction) Trails
• Documentation
• Training
• Backups
• Change Management


MYTH or REALITY

Integrated auditing is adding an IT auditor to every audit?


What is Integrated Auditing? • Adding IT Auditor to every internal audit to look at IT Systems?

• Training Internal Auditor to look at IT Systems in every audit?

• Training one auditor to do every type of audit, operational, financial, IT, security, compliance?


IIA ‐ Practice Guide: Integrated Auditing (July 2012)

• Difference between Integrated and Non‐integrated Audit Approach
– An integrated audit differs from a non‐integrated audit in terms of scope and overall complexity

• Complexity Directly Related to Broader Nature of Integrated Audit Requires: 

– Use of Multiple Audit Techniques

– Increased use of external resources or increased knowledge of staff 

– Enhanced project management skills

– Balanced approach to risk identification & ratings

– Increased oversight & creativity by the auditor

– Changes to current staffing model


Where To Do Integrated Auditing

Operational Audits / Application Audits
Financial Audit / Application Audit
Physical Security / Access Controls
Governance / Mgmt / IT Processes
Technical Audits - NO

UNDERSTANDING YOUR BLACKBOARD LEARN(TM) ENVIRONMENT SO THAT YOU CAN AUDIT IT EFFECTIVELY

IA COUNCIL

Objectives & Agenda

After attending this presentation, participants will:

1. Provide a general understanding of the architecture that may be in place

2. Identify key functions within the application.

3. Understand how integrations are set up.

4. Introduce Building Blocks, and the risks that come along with their implementation.

5. Identify potential areas of concern that an audit team should be mindful of related to the Learn environment.

6. Identify controls that can be implemented to enhance the overall security of the environment.

Introduction

What is eLearning?

Why/How Did We Audit It?

Blackboard’s Use Within UT System

Application Overview

Access Controls

Application Inherent Weaknesses

Intro to Controls

Results: Value Added


April 2015 IA Council

What is eLearning / Distance Learning?

Use of electronic technology to offer course material


Why We Audited the eLearning Application?


eLearning stakeholders (diagram): Provost, Info Resources, Compliance Training, Registrar, Faculty, Students

Risky Process?


Annual Audit Plan – IT Risk Assessment

Activities / Controls* / 1 2 3 4 5

Policies
HH  TAC 202
HM  UTS 165 Security Policy
HM  IT Security Policies and Procedures
MH  I/R Policies and Procedures

Standards
HM  Systems Development Process
MH  Application Development Standards
MH  Data Definitions
MH  Documentation Requirements for Applications
MM  Configuration Management

Organization and Management
HH  I/R Planning and Governance
HM  Change Management
HM  Risk Assessment
HM  Project Management and Quality Assurance
MH  Organization Structure

Physical and Environmental Controls
HH  Backup and Recovery
HM  Data Centers
MH  Cloud Computing

Information Resources
HM  Unix
HM  Networking
HM  Active Directory
MM  Web Services
MM  Email

Systems Development Controls
HM  Systems Development Controls
HM  Application Maintenance Processes
HM  Vendor Review Process and Purchased Software

Application-Based Controls
HM  Gemini (HR/Finance)
HM  eLearning/Blackboard
HM  OnBase
HL  Orion (Student)
MM  Comet Cards

IT Security
HH  Encryption
HH  Identity Management
HM  Access Controls: Firewall/Intrusion Prevention and Detection System
HM  Patch Management
HM  Vulnerability Assessment

April 2015IA Council

3

Use of Blackboard within UT System7

Academic Institutions

UT Arlington

UT Austin (transitioning to Canvas August 31)

UT Brownsville

UT Dallas

UT El Paso

UT Pan American

UT Permian Basin

UT Rio Grande Valley

?

UT San Antonio

UT Tyler

Health Institutions

The University of Texas Southwestern Medical Center

utsouthwestern.mrooms3.net

The University of Texas Medical Branch at Galveston

The University of Texas Health Science Center at Houston

The University of Texas Health Science Center at San Antonio

The University of Texas MD Anderson Cancer Center

?

The University of Texas Health Science Center at Tyler

?


The Audit…How Did We Get Started?

Audit Objective:

To ensure adequate controls existed over the application to ensure compliance…effectiveness and efficiency…reliability

and integrity of information…safeguarding of assets.

Planning

Interviews

Review of Blackboard contract

TAC 202, UTS 165, FERPA

Blackboard user manuals, documents


eLearning/Blackboard Risk Assessment

Governance: Policies & procedures; System Development & Maintenance; Change Management

Operations: Building Block Management; Database Configuration & Management; Encryption; Logs: Monitoring, Maintenance, and Retention

Access Management: Passwords; Access controls

Compliance: FERPA; Confidential Data; TAC 202, UTS 165

How Do You Audit Blackboard Learn?

Application Overview

Access Controls

Inherent Weaknesses

Introduction to Controls

Application Overview

Architecture/Hardware

Load Balanced Configuration:

BENEFITS

Typical high performance / high availability configuration

Scale as environment grows

1. Web/App Server

2. Collaboration Server

3. File System Server (Content Storage)

4. Database Server

Architecture (less common)

Single-server configuration: no redundancy; suitable for development or test environments

Architecture – considerations

Ability to run on a Unix or a Windows operating system.

Assess general controls on the servers BEFORE assessing security around the application:

Identify administrators

Validate services and applications

Open ports

Patching

Age of hardware

Key Processes

Authentication: setup of authentication

Courses: creating courses; course enrollments; course archive; course bulk delete

Grading: grading schema; grading

User / Role Creation: creating users within the application; designing roles; assigning roles to users

https://help.blackboard.com/

Integrations

Allow for automation of specific tasks.

Five types of integrations are available.

Type of integration used is based on the type of data format produced by the source Student Information System.

https://help.blackboard.com/en-us/Learn/9.1_SP_10_and_SP_11/Administrator/120_System_Integration/006_Student_Information_System_(SIS)

Integration Setup Process

1. User Name and Password Setup

Location: System Admin > Building Blocks > Data Integration > Student Information Systems Integrations

Integrations – Data Transfer

https://www.youtube.com/watch?v=IE5eWBzz9aw

curl is a command-line utility that transfers data from one location to another; the SIS feed is pushed into Learn by a "curl file" (a script that calls curl against the integration endpoint). The sample curl file shown on the slide carries the integration password in clear text, so anyone who can read that script holds the credential that writes enrollment data into Learn.

Integrations – Flow (diagram on the slide)

Integration – Logging

https://help.blackboard.com/en-us/Learn/9.1_SP_10_and_SP_11/Administrator/120_System_Integration/006_Student_Information_System_(SIS)/SIS_Framework_Overview

Integration – Suggested Audit Procedures

• Document data flow from SIS into Blackboard

• Access to set up and inactivate integrations

• Access to the integration password within the application (PATH: System Admin > Data Integration > Integration Password, OR > Data Integration > Student Information System Integrations > 'edit')

• Determine the location where the curl file is saved and who can read it

• Determine if it is appropriate to limit the integration process so that it can only be initiated from an authorized site/IP address

• Review integration logs
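The checks on the curl file can be scripted. The block below is an added example, not code from the presentation or from Blackboard: it scans a constructed sample of an integration script for the three weaknesses an auditor writes up (password on the command line, plain HTTP endpoint, certificate verification switched off) and shows the equivalent invocation with the credential moved into a mode-0600 netrc file. The endpoint path, host name, credentials and netrc location are assumptions, not values from the slides.

```python
# Added example (not from the slides): audit checks for the curl-based SIS integration
# script ("curl file") that pushes a feed into Blackboard Learn's SIS framework.
# The endpoint path, host and credentials below are constructed placeholders; the
# checks themselves apply to any curl invocation carrying HTTP basic-auth credentials.
import re

# Constructed sample of a typical integration script with the weaknesses an auditor
# looks for: inline password, plain HTTP endpoint, certificate checking disabled.
SAMPLE_CURL_FILE = """#!/bin/sh
# nightly SIS push (constructed sample)
curl -k -H "Content-Type: text/plain" --data-binary @sis_feed.txt \\
  -u sis_integration:Sup3rSecret \\
  http://learn.example.edu/webapps/bb-data-integration-flatfile-BBLEARN/endpoint
"""

# -u user:pass or --user user:pass, optionally quoted
INLINE_USER_PASS = re.compile(r"""(?:^|\s)(?:-u|--user)\s+["']?([^\s"':]+):([^\s"']+)""")
INSECURE_FLAG = re.compile(r"(?:^|\s)(?:-k|--insecure)(?:\s|$)")
PLAIN_HTTP = re.compile(r"\bhttp://")


def audit_curl_file(text):
    """Return [(line_no, finding)] for a curl-based integration script.

    Findings:
      * integration password embedded in the script: readable by anyone with
        access to the file and visible in the process list while curl runs
      * plain http:// endpoint: password and student data cross the wire unencrypted
      * -k / --insecure: certificate verification disabled, so the feed can be
        redirected or intercepted without curl noticing
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue
        match = INLINE_USER_PASS.search(line)
        if match:
            findings.append((line_no, f"clear-text password for user '{match.group(1)}'"))
        if INSECURE_FLAG.search(line):
            findings.append((line_no, "TLS certificate verification disabled"))
        if PLAIN_HTTP.search(line):
            findings.append((line_no, "integration endpoint uses plain HTTP"))
    return findings


def hardened_command(endpoint, netrc_path="/etc/bb-sis/netrc"):
    """Equivalent curl command with no secret on the command line.

    Credentials come from a mode-0600 netrc file (assumed location); the endpoint
    must be https and certificate verification stays on.
    """
    if not endpoint.startswith("https://"):
        raise ValueError("integration endpoint must use https")
    return (
        'curl -H "Content-Type: text/plain" --data-binary @sis_feed.txt '
        f"--netrc-file {netrc_path} {endpoint}"
    )
```

Run audit_curl_file over every script found during the "where is the curl file saved" step; a clean result still leaves the netrc file itself to check (owner, permissions, and whether it is included in backups that other staff can read).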


Building Blocks (BB)

• Extend functionality of the application.

• Developed both by Blackboard and third-party developers.

• Have access to user data that is being maintained within the application.

• Permissions are 'set up' at the time a Building Block is installed.

• Critical that a process is in place for review of BB privileges prior to installation.

• Building Blocks require periodic updates that are installed separately from the application service packs.

Building Blocks

• Security privileges for BBs can also be reviewed via 'bb-manifest.xml'.

• One bb-manifest file exists for each BB that has been installed.

• Example permission entry (wild card notation):

<permission type="java.io.FilePermission" name="&lt;&lt;ALL FILES&gt;&gt;" actions="read,write"/>

• The name <<ALL FILES>> is Java's wild card for every file the application server process can reach, so this single line grants the Building Block read and write access to the whole server, not just its own directory.

https://help.blackboard.com/en-us/Learn/9.1_2014_04/Administrator/080_Developer_Resources/020_Develop/000_Building_Blocks/005_Building_Blocks_and_Java_Permissions
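Reviewing one manifest by hand is fine; reviewing every installed Building Block is a job for a script. The block below is an added example, not code from the presentation or from Blackboard: it parses a constructed bb-manifest.xml and returns the permission entries an auditor should question. Only the permission element (type, name, actions attributes) is taken from the slide; the surrounding manifest/plugin/permissions wrapper and the sample plugin are assumptions.

```python
# Added example (not from the slides or from Blackboard): scan a Building Block's
# bb-manifest.xml for over-broad Java permissions. Only the <permission type/name/actions>
# element comes from the slide; the wrapper elements and the sample content are assumed.
import xml.etree.ElementTree as ET

SAMPLE_MANIFEST = """<manifest>
  <plugin>
    <name value="Grade Export Helper"/>
    <permissions>
      <permission type="java.io.FilePermission" name="&lt;&lt;ALL FILES&gt;&gt;" actions="read,write"/>
      <permission type="java.io.FilePermission" name="/usr/local/blackboard/logs/-" actions="read"/>
      <permission type="java.net.SocketPermission" name="*" actions="connect,resolve"/>
      <permission type="java.net.SocketPermission" name="sis.example.edu:443" actions="connect,resolve"/>
      <permission type="java.util.PropertyPermission" name="java.version" actions="read"/>
      <permission type="java.security.AllPermission" name="" actions=""/>
    </permissions>
  </plugin>
</manifest>
"""


def risky_permissions(manifest_xml):
    """Return [(type, name, actions, reason)] for permissions that need a business case.

    Three patterns are flagged: AllPermission (sandbox bypassed entirely), file
    permissions that reach the whole server or allow recursive write/delete/execute
    under a tree, and socket permissions that allow connections to any host.
    """
    root = ET.fromstring(manifest_xml)
    risky = []
    for perm in root.iter("permission"):
        ptype = perm.get("type", "")
        name = perm.get("name", "")
        actions = perm.get("actions", "")
        reason = None
        if ptype == "java.security.AllPermission":
            reason = "AllPermission: the Building Block bypasses the Java sandbox entirely"
        elif ptype == "java.io.FilePermission":
            if name == "<<ALL FILES>>":
                reason = "wild card file access to the whole server"
            elif name.endswith("/-") and any(a in actions for a in ("write", "delete", "execute")):
                reason = "recursive write/delete/execute under a directory tree"
        elif ptype == "java.net.SocketPermission" and name.startswith("*"):
            reason = "may open network connections to any host"
        if reason:
            risky.append((ptype, name, actions, reason))
    return risky
```

The ElementTree parser decodes the &lt;&lt;ALL FILES&gt;&gt; entity form back to <<ALL FILES>>, which is why the comparison in the code uses the literal angle brackets. Recursive read-only access under the logs directory and the single-host socket permission pass; they are the kind of narrow grant a Building Block can justify.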

Building Blocks

Global configuration setting – MENU PATH: Building Blocks > Installed Tools > Global Settings

List of installed Building Blocks – MENU PATH: System Admin > Building Blocks > Building Blocks > Installed Tools

Administrative Building Blocks

LoginAs - http://projects.oscelot.org/gf/project/loginas/

Allows individuals with access to log in as another user within the application without knowing the other user's password.

Designed to assist administrators with troubleshooting, but an opportunity for abuse.

Effectively allows impersonation of another user.

Administrative Building Blocks

LOGIN AS

APPLICATION PATH: System Admin > Building Blocks > Building Blocks > Installed Tools > LOGIN AS Configuration

Administrative Building Blocks

Impersonate - http://projects.oscelot.org/gf/project/impersonate/frs/

Another BB similar to LoginAs

APPLICATION PATH: System Admin > Tools and Utilities

Building Blocks – Suggested Audit Procedures

Generate a listing of BBs that are installed; evaluate whether there is a strong business need for each

Ensure all BBs are up to date

Review BB permissions

Evaluate the process for approval/review of BB permissions prior to installation

Ensure access to the administrative BBs (such as LoginAs) is restricted

Review audit logs for administrative BBs to determine if they are being misused

Access Controls

INSTITUTIONAL HIERARCHY

Organize users, courses and organizations

Delegate administration

Flexibility on 'power' of administrative privileges

Example hierarchy from the slide diagram: a university node (Texas Tier 1 University) with campus nodes (Richardson Campus, Dallas Campus, Denton Campus); school nodes under Dallas (School of Engineering, School of Business); department nodes under Business (Accounting, Finance); and term nodes under Denton (Spring Courses, Fall Course). Delegated administrators shown: FOX (Richardson Campus), Romo (School of Engineering), Nash (School of Business), Mickey, Mike (Spring Courses), Steve (Fall Course). Course creators shown: Ali (Accounting), FOX.

APPLICATION PATH: System Admin > Institutional Hierarchy

TYPES OF ROLES

System Roles

• Control the administrative privileges assigned to a user.

Course and Organization Roles:

• Control access to the content and tools within a course or organization. Each user is assigned a role for each course or organization in which they participate.

• For example, a user with a role of Teaching Assistant in one course can have a role of Student in another course.

Institution Roles

• Control what brands, tabs, and modules users see when they log in to Blackboard Learn.

• Institution roles also grant or deny access to Content Collection files and folders.


TYPES OF ROLES

System Roles: System Administrator; System Support; Course Administrator; User Administrator; Support

Course and Organization Roles: Instructor; Teaching Assistant; Course Builder; Grader; Student

Institution Roles: Faculty; Staff; Alumni

INSTITUTIONAL HIERARCHY / INSTITUTION ROLE / COURSE ROLE (diagram on the slide)

PRIVILEGE REVIEW

Vendor Master Role Spreadsheet

https://help.blackboard.com/@api/deki/files/77249/Administrator_Privilege_Descriptions.xls

PRIVILEGE REVIEW

System Roles

• In the Administrator Panel, in the Users section, click System Roles.

• On the System Roles page, access the role's contextual menu.

• Click Privileges.

• Click Show All.

• Highlight both columns, and copy.

• Open Excel and use Paste as text to get a listing of all the privileges that are allowed within the role.

• Repeat for all the system roles.

Course and Organization Roles:

• In the Administrator Panel, in the Users section, click Course/Organization Roles.

• On the Course/Organization Roles page, access the role's contextual menu.

• Click Privileges.

• Click Show All.

• Highlight both columns, and copy.

• Open Excel and use Paste as text to get a listing of all the privileges that are allowed within the role.

• Repeat for all the course roles.

USER ROLE ASSIGNMENTS

SYSTEM ROLE

SELECT users.user_id, users.lastname, users.firstname,
  CASE
    WHEN system_role = 'Y' THEN 'Community Administrator'
    WHEN system_role = 'C' THEN 'Course Administrator'
    WHEN system_role = 'Course_Coordinator_Bb' THEN 'Course Coordinator Bb'
    WHEN system_role = 'Z' THEN 'System Administrator'
    WHEN system_role = 'H' THEN 'System Support'
    WHEN system_role = 'S' THEN 'System Support II'
    WHEN system_role = 'A' THEN 'User Administrator'
    WHEN system_role = 'N' THEN 'None'
    WHEN system_role = 'O' THEN 'Observer'
    ELSE 'Undefined'
  END AS role
FROM users
ORDER BY user_id;

Course Roles

-- cm.course_id LIKE '2142%' limits the listing to the course IDs of the term under review;
-- available_ind = 'Y' keeps only courses that are currently available.
SELECT cm.course_id, users.user_id, users.lastname, users.firstname, users.batch_uid,
  CASE
    WHEN course_role = 'B' THEN 'Course Builder'
    WHEN course_role = 'E' THEN 'Course Guest'
    WHEN course_role = 'G' THEN 'Grader'
    WHEN course_role = 'I' THEN 'UG Teaching Intern'
    WHEN course_role = 'P' THEN 'Instructor'
    WHEN course_role = 'S' THEN 'Student'
    WHEN course_role = 'T' THEN 'Teaching Assistant'
    WHEN course_role = 'Inc' THEN 'Incomplete'
    WHEN course_role = 'CCta' THEN 'Course Coordinator'
    WHEN course_role = 'PU' THEN 'Portfolio User'
    WHEN course_role = 'U' THEN 'Guest'
    WHEN course_role = 'v' THEN 'Visitor'
    ELSE 'Undefined'
  END AS role
FROM course_main cm, course_users cu, course_roles cr, users
WHERE cu.crsmain_pk1 = cm.pk1
  AND cr.course_role = cu.role
  AND cu.users_pk1 = users.pk1
  AND cm.course_id LIKE '2142%'
  AND cm.available_ind = 'Y';

*Some CRITICAL AREAS to CONTROL

PATH: System Admin > Building Blocks > Authentication
FUNCTIONALITY: Ability to set up and disable authentication against a directory service
RISK: If a user inactivates the authentication service that is utilized by users, essentially all non-local users are locked out.

PATH: System Admin > Building Blocks > Data Integration
FUNCTIONALITY: Ability to set up and disable integrations, and to set up and view the integration password

PATH: System Admin > Tools and Utilities > System Logs
FUNCTIONALITY: Set the frequency and timing of log rotation
RISK: Log frequency can be set to 0 days, meaning no logs will be retained.

PATH: System Admin > Tools and Utilities > Logs
FUNCTIONALITY: Ability to view and purge logs
RISK: Users with update access can purge the logs.

*Some CRITICAL AREAS to CONTROL (continued)

PATH: System Admin > Security > Privileges
FUNCTIONALITY: Ability to modify the privileges that are provided by each role
RISK: Ability to modify role privileges is not restricted.

PATH: System Admin > Security > Safe HTML Filter
FUNCTIONALITY: Ability to enable/disable filtering of 'unsafe' HTML (with the filter off, HTML and script entered by one user is delivered unchanged to other users' browsers)

PATH: System Admin > Courses > Course Settings > Default Grading Schema
FUNCTIONALITY: Allows setup of the configuration that turns exam scores into letter-grade equivalents, for example 90 = A, 80 = B

Bulk Delete

Batch enroll / quick enroll

*CRITICAL DIRECTORIES

Blackboard Learn includes a set of system administration tools that must be run from the command line.

blackboard_home/tools/admin

blackboard/apps/bbcms/bin

https://help.blackboard.com/en-us/Learn/9.1_SP_12_and_SP_13/Administrator/150_System_Management/050_Command_Line_Tools

DEFAULT APPLICATION ACCOUNTS

1. Administrator – the account has full Blackboard Learn administrator privileges.

2. root_admin – the account has full administrative privileges.

ACCESS CONTROLS – SUGGESTED PROCEDURES

Role design: confirm 'critical/sensitive' privileges are only provided to privileged roles.

Ensure roles are assigned in line with an individual's job responsibilities.

Data analysis: query the listing of faculty members and course enrollments from the Student System and join it with data from Blackboard to identify potential 'issues'.

Validate that access to critical directories is restricted.

Determine if default application accounts are enabled, and who has access to them (who knows the password).
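The data-analysis procedure above, joining the SIS schedule to Blackboard enrollments, as an added example that is not part of the presentation: two constructed SIS extracts (instructor of record, registered students per section) and a constructed course_users extract using the role codes from the slide's query ('P' instructor, 'T' teaching assistant, 'G' grader, 'B' course builder, 'S' student) are loaded into an in-memory SQLite database and reconciled. Table names other than course_users, and every row, are assumptions for the example.

```python
# Added example (not from the slides): reconcile Blackboard course roles against the
# student information system (SIS). Role codes follow the CASE mapping in the slide's
# query; the table shapes and all rows are constructed for the example.
import sqlite3

ROLE_NAMES = {"P": "Instructor", "T": "Teaching Assistant", "G": "Grader",
              "B": "Course Builder", "S": "Student"}

# Constructed SIS extract: instructor of record and registered students per section.
SIS_INSTRUCTORS = [("2142-ACCT3301-001", "jfox"), ("2142-FIN3320-002", "mromo")]
SIS_STUDENTS = [("2142-ACCT3301-001", "s1001"), ("2142-ACCT3301-001", "s1002"),
                ("2142-FIN3320-002", "s1003")]
# Constructed Blackboard extract (course_id, user_id, role).
BB_COURSE_USERS = [
    ("2142-ACCT3301-001", "jfox", "P"),
    ("2142-ACCT3301-001", "s1001", "S"),
    ("2142-ACCT3301-001", "s1002", "G"),   # registered student holding a grading role
    ("2142-FIN3320-002", "mromo", "P"),
    ("2142-FIN3320-002", "tnash", "P"),    # instructor not on the SIS schedule
    ("2142-FIN3320-002", "s1003", "S"),
]


def load_db():
    """Load the three constructed extracts into an in-memory SQLite database."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE sis_instructor (course_id TEXT, user_id TEXT);
        CREATE TABLE sis_student (course_id TEXT, user_id TEXT);
        CREATE TABLE course_users (course_id TEXT, user_id TEXT, role TEXT);
    """)
    db.executemany("INSERT INTO sis_instructor VALUES (?, ?)", SIS_INSTRUCTORS)
    db.executemany("INSERT INTO sis_student VALUES (?, ?)", SIS_STUDENTS)
    db.executemany("INSERT INTO course_users VALUES (?, ?, ?)", BB_COURSE_USERS)
    return db


def find_role_exceptions(db):
    """Return [(course_id, user_id, role_name, issue)] for enrollments the SIS does not support.

    Two exception types: an Instructor role held by someone who is not the SIS
    instructor of record, and a privileged course role (TA, grader, builder) held by
    someone the SIS lists as a registered student of that section.
    """
    rows = db.execute("""
        SELECT course_id, user_id, role, issue FROM (
            SELECT cu.course_id, cu.user_id, cu.role,
                   CASE
                     WHEN cu.role = 'P' AND si.user_id IS NULL
                       THEN 'Instructor role without SIS instructor of record'
                     WHEN cu.role IN ('T', 'G', 'B') AND ss.user_id IS NOT NULL
                       THEN 'registered student holds a privileged course role'
                   END AS issue
            FROM course_users cu
            LEFT JOIN sis_instructor si
              ON si.course_id = cu.course_id AND si.user_id = cu.user_id
            LEFT JOIN sis_student ss
              ON ss.course_id = cu.course_id AND ss.user_id = cu.user_id
        )
        WHERE issue IS NOT NULL
        ORDER BY course_id, user_id
    """).fetchall()
    return [(c, u, ROLE_NAMES.get(r, r), issue) for c, u, r, issue in rows]
```

In practice the Blackboard side comes from the course-role query on the previous slide (exported to CSV or read through a read-only database account) and the SIS side from the registrar's schedule extract; the join logic stays the same.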


INHERENT WEAKNESSES

VIRUS DETECTION

Blackboard Learn does not support anti-virus scanning of files uploaded by users into the system. Vendor statement: "This feature is on the Blackboard Learn Product Security Roadmap. Any statements about future expectations, plans and prospects for Blackboard represent the Company's views as of January 1, 2013. Actual results may differ materially as a result of various important factors. The Company anticipates that subsequent events and developments will cause the Company's views to change. However, while the Company may elect to update these statements at some point in the future, the Company specifically disclaims any obligation to do so."

Ensure management is aware of the risk of malicious files being delivered through Learn.

Virus detection is critical on machines that are utilized by faculty, TAs and admin staff.

https://help.blackboard.com/en-us/Learn/9.1_SP_12_and_SP_13/Administrator/050_Security/000_Key_Security_Features/040_System_and_Information_Integrity

LOCKOUT RECOVERY

Vendor offers an 'Emergency One-time Login URL Tool' which allows creation of a temporary session for any user account.

Located in the blackboard/tools/admin/ folder (one of the critical directories above: whoever can run this script can obtain a session as any user).

Script name: AuthenticationOneTimeLogin.sh|bat

https://help.blackboard.com/en-us/Learn/9.1_SP_10_and_SP_11/Administrator/070_Authentication/Recovering_From_a_Lockout_or_Bad_Configuration

INTRO TO CONTROLS

CONTROLS

SSL functionality: choice of where encryption is enabled

Location: System Admin > Security and Integration > SSL Choice

GRADING SECURITY

Location: System Admin > Courses > Course Settings > Grading Security Settings

Location: System Admin > Courses > Course Settings > Default Grading Schemas

COURSE SIZE

Blackboard allows limits to be set up for courses.

Reporting capability is available to identify courses that may be close to or over the threshold.

Location: System Admin > System Reporting > Disk Usage

AUDIT RESULTS: VALUE ADDED

1. FERPA Data

2. Integration Security

3. System and Information Integrity

4. Database Controls

5. Authentication Controls

6. Building Blocks

7. User Access Management

8. Operational Efficiency

9. Audit Logging

10. Policies & Procedures


CONTACT INFORMATION

Ali Subhani, CISA, CIA, GSNA – [email protected], 972-883-2540

Toni Stephens, CPA, CIA, CRMA – [email protected], 972-883-4876

DATA CENTERS

https://www.google.com/about/datacenters/gallery/#/

KEY PRINCIPLE

Bad Data Center = Bad Infrastructure

GOOD / BAD / UGLY (photo slides)

PHYSICAL SECURITY

Keys / Combinations

Card access

Guards / Cameras

Alarms

Visitors log

After hours

ENVIRONMENTAL CONTROLS

Fire

Electrical

AC / Heat

Housekeeping

Water

Maintenance

ELECTRICAL

TRANSFORMER: more than meets the eyes

UPS

GENERATOR

EMERGENCY SHUTOFF

• Need emergency power off (EPO) button

• Located near all exits, under a clear plastic safety cover

FIRE

OH NO, THERE IS A FIRE IN THE DATA CENTER

HALON / INERT GAS

SPRINKLERS

AIR CONDITIONING

WATER

MAINTENANCE

HOUSEKEEPING

EXERCISES

• Walkthrough

• AC

• Generator

AUDITING NETWORKS

Ali Subhani, CIA, CISA, GSNA

March 2017

ACUA Mid-Year

AGENDA

Key Terminology

Key Concepts

Audit Steps to Consider

WHAT IS A NETWORK?

WHAT IS A NETWORK?

A group of computers or other devices (printers, storage) linked together to facilitate sharing of resources.

NETWORK TYPES

LAN: connects network devices over a relatively short distance.

MAN: spans a physical area larger than a LAN; operated and managed by one entity.

WAN: spans a large physical distance; geographically dispersed.

CRITICAL HARDWARE: SWITCHES

Used to connect multiple devices on the same network.

Serves as a controller, allowing the various devices to share information and talk to each other.

CRITICAL HARDWARE: ROUTERS

Used to tie multiple networks together.

Used to connect your networked computers to the Internet and thereby share an Internet connection among many users.

Routers act as 'a dispatcher', choosing the best route for your information to travel so that you receive it quickly.

CRITICAL HARDWARE: FIREWALL

A device configured to permit or deny all computer traffic between different security domains based upon a set of rules.

Rules take one of two approaches:

Permit all by default, with specific rules that deny access

Restrict all by default, with specific rules that permit access

TYPES OF FIREWALL (slide repeats the definition above)

TERMINOLOGY: IP ADDRESS

Numeric identifier for each device attached to the network.

Example: 72.16.254.1 (IPv4), or 2001:DB8:0:1234:0:567:8:1 (IPv6)

External IP vs. internal IP address

Subnet: an identifiable separate portion of an organization's network. Typically, a subnet may represent all the machines at one geographic location, in one building, or in a department.

TERMINOLOGY: MAC ADDRESS

Unique serial number burned into Ethernet adapters to identify the network card from others.

Can be utilized to only allow devices that have been authorized to connect to the network.

Nefarious use: can be used to track user activity.

TERMINOLOGY: FINDING IP/MAC

BRINGING IT ALL TOGETHER: ACTIVITY

1. Work in a team and determine the IP address and MAC address assigned to the laptop you are using.

2. Open up a browser and navigate to whatismyip.com.

3. Note down the IP address you have been assigned; does it match the IP address you saw in step 1 above? What would explain the difference?

TERMINOLOGY: SOURCE / DESTINATION

Source: an origination point for data

Destination: the ending point for data

TERMINOLOGY: PACKETS

A formatted block of data used in a computer network

https://youtu.be/TPJUC4BBZO0?t=12s

ACTIVITY

Open up a command prompt:

1. Type ping google.com

2. What address did you send packets to?

3. How many packets did you send?

TERMINOLOGY: DNS

A system for converting host names and domain names into IP addresses

C:\>nslookup google.com
Server:  14.sub-69-78-96.myvzw.com
Address:  69.78.96.14

Non-authoritative answer:
Name:    google.com
Addresses:  64.233.187.99, 72.14.207.99, 64.233.167.99

AUDIT STEPS: NETWORK DIAGRAM

Physical diagram: identify how network devices are connected.

Logical diagram: describe the flow of information and the segregation of critical areas/assets of the network from the general network.

Identify hardware that could be a single point of failure; discuss with management.

AUDIT STEPS: INVENTORY NETWORK DEVICES

Compile a list of critical network devices, along with the model # and patch information.

Identify the user accounts that currently exist on the devices; ensure only active employees have access.

Ensure no generic accounts exist.

Ensure patches are applied.

AUDIT STEPS: REMOTE ACCESS

Evaluate remote access into the network; determine if controls such as two-factor authentication are in place.

Determine whether remote administration of network devices from outside the network is enabled.

AUDIT STEPS: CRITICAL NETWORK ACTIVITY

Inquire what activity is being logged. Who is monitoring? How? At what frequency?

Inquire if any monitoring is in place to detect data sets leaving the network.

Firewall rule review

AUDIT STEPS: FIREWALL RULE REVIEW TIPS

Verify that the rules are needed (driven by a business need)

Verify that the rules make sense

Verify that the rules are used and reviewed for relevancy

Verify there is a change process for rule updates
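The four tips above can be turned into a first-pass script over an exported rule base. The block below is an added example, not part of the presentation or any vendor's tooling: it runs over a constructed rule set and flags permit-any rules (the "restrict all by default" approach is not being followed), rules with no change ticket (no recorded business need), rules with zero hits in the review period (not used), and rules shadowed by an earlier broader rule (never evaluated, so they cannot "make sense"). The field names, the exact-match/any semantics and the sample rules are assumptions; a real export needs CIDR containment checks.

```python
# Added example (not from the slides): automate the firewall rule review tips over a
# constructed rule export. Field names and sample rules are assumptions, not a vendor format;
# matching uses "any" or exact string equality, which is enough to show the four checks.
from dataclasses import dataclass


@dataclass
class Rule:
    rule_id: int
    action: str      # "permit" or "deny"
    src: str         # "any" or a host/CIDR string
    dst: str
    port: str        # "any" or a single port such as "443"
    hits: int        # hit counter from the firewall over the review period
    ticket: str      # change ticket recorded as the business justification, "" if none


SAMPLE_RULES = [
    Rule(1, "permit", "10.10.0.0/16", "10.20.5.10", "443", 48213, "CHG-1021"),
    Rule(2, "permit", "any", "any", "any", 991272, ""),
    Rule(3, "permit", "10.10.0.0/16", "10.20.5.10", "443", 0, "CHG-1188"),
    Rule(4, "permit", "203.0.113.7", "10.20.5.11", "22", 0, "CHG-0450"),
    Rule(5, "deny", "any", "any", "any", 12, "baseline"),
]


def _covers(broad, narrow):
    """True when a match field of an earlier rule already includes the later rule's value."""
    return broad == "any" or broad == narrow


def review_rules(rules):
    """Return [(rule_id, finding)] for rules the business owner must explain or remove."""
    findings = []
    for i, r in enumerate(rules):
        if r.action == "permit" and r.src == "any" and r.dst == "any" and r.port == "any":
            findings.append((r.rule_id, "permit any/any/any: contradicts restrict-by-default"))
        if not r.ticket:
            findings.append((r.rule_id, "no change ticket / business justification recorded"))
        if r.hits == 0:
            findings.append((r.rule_id, "zero hits in review period: candidate for removal"))
        # First-match firewalls never reach a rule whose traffic an earlier rule already decides.
        for earlier in rules[:i]:
            if (_covers(earlier.src, r.src) and _covers(earlier.dst, r.dst)
                    and _covers(earlier.port, r.port)):
                findings.append((r.rule_id, f"shadowed by rule {earlier.rule_id}: never evaluated"))
                break
    return findings
```

Note that rule 5, the closing deny, is reported as shadowed by rule 2: a permit-any placed above the default deny silently turns the rule base into "permit all by default" regardless of what the policy document says.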

AUDIT STEPS: OPEN SHARES

ShareScan - https://www.mcafee.com/us/downloads/free-tools/index.aspx

Identifies open shares on the internal network.

OPERATING SYSTEMS

Ali Subhani, CIA, CISA, GSNA

March 2017

ACUA Mid-Year

AGENDA

What is an O/S

OS Types

Function of an O/S

Audit Considerations for O/S

WHAT IS AN OPERATING SYSTEM?

An operating system is the program that, after being initially loaded into the computer by a boot program, manages all the other programs on the computer.

Middle man: in the middle of everything.

This is the interface between the user and the computing components like printers, disks and USB devices.

MYTH OR REALITY

All operating systems are not the same?

O/S TYPES

UNIX VS. WINDOWS?

Unix: capability to only 'enable' functionality that is required; less frequent patching; enhanced security due to the smaller attack surface.

Windows: functionality enabled by default is consistent; less flexible for 'turning off' functionality that is not required; more frequent patching.

O/S FUNCTIONS

INTERACTIONS BETWEEN USER & COMPUTER: doing stuff; printing stuff; saving stuff; moving stuff around; looking at stuff (Web); creating new stuff; deleting stuff; encrypting stuff.

HANDLES THE COMPUTER "INTERNALS": memory; disk usage; network usage; processes; enforce the security.

WHAT DO I LOOK AT AS AN IT AUDITOR?

CONFIDENTIALITY: Where can I log in? What can I see? What can I do?

INTEGRITY: What can I change? What can I delete? Logging considerations.

AVAILABILITY: Maintaining hardware; patching; resource management.


COMMON REVIEW AREAS

Verify "high" risk configuration settings (example: password control settings)

Verify services running have a legitimate business need

Verify that the latest OS maintenance (patches) is applied (or scheduled)

Verify that appropriate change management is being followed

Verify proper segregation of duties is being followed

Review who has elevated or administrative access

Review who has access to the data

Verify anti-virus / malware protection
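The "who has elevated or administrative access" and "where can I log in" questions on a Unix host reduce to two files. The block below is an added example, not part of the presentation: it parses constructed /etc/passwd and /etc/group samples and reports every uid-0 account, the members of the groups that normally grant root (wheel, sudo, admin: an assumption about the host's sudoers policy), and the accounts that still have an interactive shell. Service accounts with a login shell and a second uid-0 account are the findings it is built to surface.

```python
# Added example (not from the slides): list who holds elevated access on a Unix host
# from /etc/passwd and /etc/group. Both files below are constructed samples.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:second uid-0 account:/root:/bin/bash
bbuser:x:1001:1001:Blackboard service account:/usr/local/blackboard:/bin/bash
asubhani:x:1002:1002:Ali Subhani:/home/asubhani:/bin/bash
svc_backup:x:1003:1003:backup job:/var/backup:/usr/sbin/nologin
"""

SAMPLE_GROUP = """root:x:0:
wheel:x:10:asubhani,bbuser
sudo:x:27:asubhani
users:x:100:
"""

# Groups that typically grant root via sudo or su; adjust to the host's sudoers policy.
ADMIN_GROUPS = ("wheel", "sudo", "admin")
NOLOGIN_SHELLS = ("/usr/sbin/nologin", "/sbin/nologin", "/bin/false")


def parse_passwd(text):
    """Yield (name, uid, gecos, shell) for each non-empty, non-comment /etc/passwd line."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, _gid, gecos, _home, shell = line.split(":", 6)
        yield name, int(uid), gecos, shell


def parse_group(text):
    """Return {group_name: [members]} from /etc/group (supplementary members only;
    users whose primary gid is an admin group are not listed here)."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, _gid, members = line.split(":", 3)
        groups[name] = [m for m in members.split(",") if m]
    return groups


def privileged_accounts(passwd_text, group_text):
    """Summarise elevated access: uid-0 accounts, admin-group members, interactive shells."""
    accounts = list(parse_passwd(passwd_text))
    groups = parse_group(group_text)
    return {
        "uid0": [name for name, uid, _g, _s in accounts if uid == 0],
        "admin_group_members": {g: groups[g] for g in ADMIN_GROUPS if groups.get(g)},
        "interactive": [name for name, _u, _g, shell in accounts if shell not in NOLOGIN_SHELLS],
    }
```

Compare the uid-0 list against the one account the build standard allows, the admin-group members against the current staff list, and the interactive-shell list against the service accounts that should be nologin; each difference is a finding to discuss with the system owner.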

TERMINOLOGY / ACRONYM BINGO

Improving Your Data Analysis Program

Agenda

Introduction

Benefits and Challenges

Roadmap

Real World Examples

Introduction

Background

PeopleSoft

IDEA

Staffing: 7 departmental users; 2 designated champions

Data Analysis Definition

Data analytics is defined as the process of inspecting, cleaning, transforming, and modeling data with the goal of highlighting useful information, suggesting conclusions, and supporting decision making.

4

Source: Pune University, Vishwakarma Institute of Technology

Points of Contention

Benefits: more comprehensive assurance; efficiency; reporting

Challenges: time; training; data

Use of Analytics

SOURCE: PwC 2013 State of the Internal Audit Profession Study

Chart labels: "Plan to expand use of data analytics but do not have a well developed plan"; "69 %"; "Data analytics are used regularly"

Are we failing our stakeholders?

SOURCE: PwC 2015 State of the Internal Audit Profession Study

Roadmap

Vision

Structure

Data Pull Methodology

Talking to IT

Structured Query Language (SQL) Basics

Finding Data

Developing a Process

Ready to Start

Vision

Agree on what is most important

Formal discussion with CAE

Structure

Define a structure: a designated analytics champion within the department, OR each project manager expected to lead analytics?

Identify key contacts for each source system

Get access to the data dictionary if it exists

Data Pull Methodology

How are you going to pull data from source systems?

From within the application?

From the database?

Open Database Connectivity (ODBC)?

Relying on the auditee to give you a file?

Data Pull: Application

Benefits: no additional licensing cost; auditors do not have to structure SQL themselves

Challenges: results normally limited to a certain maximum number of records; can potentially 'burden' the application server; results dependent on access

Data Pull: Database

Benefits: free-form ability to structure SQL allows more flexibility; no limitation on the number of records that are pulled in

Challenges: additional licensing cost; initial buy-in from IT to get read-only access to databases; learning curve if unfamiliar with SQL

Data Pull: ODBC

Benefits: data imported directly into the data analytics tool; no query to create (easiest); generally no cost

Challenges: limited to tables that exist within the database; need to get IT to create custom views for each unique need

Talking to IT

Schedule a discussion Request read-only accessProduction Vs. Test EnvironmentSecurity of data

16

Roadmap

• Vision
• Structure
• Data Pull Methodology
• Talking to IT
• Structured Query Language (SQL) Basics
• Finding Data
• Developing a Process
• Ready to Start

What is SQL?

• Structured Query Language
• Language utilized for getting information from and updating a database
• Can get complex ……….. BUT 3-4 main sections normally for our purposes


SQL Basics

SQL statement section | Brief description
SELECT                | Defines the fields that will be displayed within the results
FROM                  | Identifies tables where fields are stored within the database
WHERE                 | Specifies limiting criteria (if any)
GROUP BY              | Groups information
ORDER BY              | Used for sorting

Sample Query

SELECT A.EMPLID, A.DEPT, B.ADDRESS, B.ZIPCODE
FROM PS_Employee A, PS_BIO B
WHERE A.EMPLID = B.EMPLOYEE
  AND A.EMPLID = 123456789
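As an added example (Python written for this page, not code from the slides or from PeopleSoft), the script below builds an in-memory SQLite copy of the two tables named in the sample query, with constructed rows and assumed column types, then runs the sample query and a GROUP BY / ORDER BY query so that every section in the SQL Basics table is exercised. The EMPLID is bound as a parameter instead of being pasted into the statement, which is the habit to keep once the value comes from a spreadsheet or a request form rather than being typed by the auditor.

```python
"""Added example: the SELECT / FROM / WHERE / GROUP BY / ORDER BY sections
from the SQL Basics table, run against a constructed copy of the two
PeopleSoft-style tables in the sample query (PS_Employee, PS_BIO).
Table layouts and rows are constructed for this example, not the real
PeopleSoft record definitions."""
import sqlite3

# Constructed sample data (hypothetical employees; addresses are fake).
EMPLOYEES = [
    ("123456789", "AUDIT"),
    ("223456789", "AUDIT"),
    ("323456789", "IT"),
    ("423456789", "HR"),
]
BIO = [
    ("123456789", "1 Main St", "78249"),
    ("223456789", "2 Oak Ave", "78249"),
    ("323456789", "3 Elm Rd", "78201"),
    # 423456789 deliberately has no PS_BIO row: an inner join drops it.
]


def build_db():
    """Create an in-memory database holding the two constructed tables."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE PS_Employee (EMPLID TEXT, DEPT TEXT)")
    con.execute("CREATE TABLE PS_BIO (EMPLOYEE TEXT, ADDRESS TEXT, ZIPCODE TEXT)")
    con.executemany("INSERT INTO PS_Employee VALUES (?, ?)", EMPLOYEES)
    con.executemany("INSERT INTO PS_BIO VALUES (?, ?, ?)", BIO)
    return con


def sample_query(con, emplid):
    """The slide's sample query: SELECT fields, FROM two tables, WHERE with the
    join condition and a filter. EMPLID is passed as a bound parameter."""
    sql = """
        SELECT A.EMPLID, A.DEPT, B.ADDRESS, B.ZIPCODE
        FROM PS_Employee A, PS_BIO B
        WHERE A.EMPLID = B.EMPLOYEE AND A.EMPLID = ?
    """
    return con.execute(sql, (emplid,)).fetchall()


def headcount_by_dept(con):
    """GROUP BY groups the rows; ORDER BY sorts the grouped result."""
    sql = """
        SELECT DEPT, COUNT(*) AS HEADCOUNT
        FROM PS_Employee
        GROUP BY DEPT
        ORDER BY HEADCOUNT DESC, DEPT
    """
    return con.execute(sql).fetchall()


def employees_missing_bio(con):
    """A LEFT JOIN keeps employees that have no PS_BIO row; the inner-join form
    used in the sample query silently drops them. This is the kind of query
    that validates completeness of a data pull before analysis starts."""
    sql = """
        SELECT A.EMPLID
        FROM PS_Employee A LEFT JOIN PS_BIO B ON A.EMPLID = B.EMPLOYEE
        WHERE B.EMPLOYEE IS NULL
        ORDER BY A.EMPLID
    """
    return [row[0] for row in con.execute(sql)]


if __name__ == "__main__":
    con = build_db()
    print(sample_query(con, "123456789"))
    print(headcount_by_dept(con))
    print(employees_missing_bio(con))
```

The third query is worth keeping beside the sample: an implicit inner join such as the slide's returns only employees who have a matching PS_BIO row, so a population pulled that way can be smaller than the employee table without any error being raised.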

Identify PeopleSoft Page with Data


Finding Data: PeopleSoft

CTRL+SHIFT+J

Finding Data: PeopleSoft

Query table PSPNLFIELD

SELECT PNLNAME, LABEL_ID, LBLTEXT, RECNAME, FIELDNAME
FROM PSPNLFIELD
WHERE PNLNAME = 'JOB_DATA3'

Finding Data: PeopleSoft

Result (screenshot on slide, not reproduced here): PeopleSoft page fields matched to their database values


Finding Data: Banner

• Go to the form with the information
• Move cursor to the field you are interested in
• Help menu > Dynamic Help Query

Developing Data Analytics Process

• Understand the business process
• Understand how the business process data is stored in the ERP
• What ‘interesting’ questions can you answer with the data?
• Pull data
• Validate you have the right sources BEFORE beginning analysis

Engagement: Procure to Pay (three slides of process diagrams, not reproduced here)

Source: “Automating the Audit”, PricewaterhouseCoopers, July 2010

How do I start?

• “Quick Wins” to gain confidence
• Identify critical processes/areas for review
• Rinse/Wash/Repeat


Purchasing Card Analysis

Starting Approach
• Identify cardholders and their transactions
• Review monthly limits
• Determine the average expense amount

Intermediate Approach
• Identify possible split purchases
• Perform analysis on MCC codes
• Determine if cardholder is an active employee

Advanced Approach
• High-risk activities (holiday travel, luxury purchases)
• Keyword search
• Credit limit utilization
• Automation


Keywords

Keyword Script

@Isini("Barney", Merchant_Name)

@Isini searches for the occurrence of a specified string or piece of text in a Character field, Date field, or string. The comparison is case-insensitive.

Syntax: @Isini(String1, String2)

Keyword Script

(@Isini("Barney", Merchant_Name) .OR. @Isini("Bergdorf Goodman", Merchant_Name) .OR. @Isini("Dicks", Merchant_Name) .OR. @Isini("Dillards", Merchant_Name) .OR. @Isini("JCPenny", Merchant_Name) .OR. @Isini("Lord & Taylor", Merchant_Name) .OR. @Isini("Macy", Merchant_Name) .OR. @Isini("Neiman Marcus", Merchant_Name) .OR. @Isini("Nordstrom", Merchant_Name) .OR. @Isini("Saks Fifth", Merchant_Name) .OR. @Isini("Sears", Merchant_Name) .OR. @Isini("Von Maur", Merchant_Name))
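The same keyword test written in Python, as an added example that is not from the slides or from IDEA: `isini` reproduces the case-insensitive containment check of @Isini, and `keyword_hits` applies the slide's keyword list (copied as written) to a set of constructed merchant names. The second function lists the merchants that no keyword matched, which is where to look when tuning the list; the constructed "JCPENNEY" merchant is not matched by the slide's "JCPenny" keyword, because a substring test only finds what is spelled the same way.

```python
"""Added example: the merchant keyword test from the Keyword Script slides,
rewritten in Python. KEYWORDS is the slide's list; the transactions are
constructed sample data, not real purchasing card records."""

KEYWORDS = ["Barney", "Bergdorf Goodman", "Dicks", "Dillards", "JCPenny",
            "Lord & Taylor", "Macy", "Neiman Marcus", "Nordstrom",
            "Saks Fifth", "Sears", "Von Maur"]

# Constructed sample transactions: (transaction id, merchant name, amount).
TRANSACTIONS = [
    ("T1", "NORDSTROM #0123 SAN ANTONIO", 412.55),
    ("T2", "OFFICE DEPOT #44", 38.10),
    ("T3", "Macy's Online", 129.99),
    ("T4", "JCPENNEY CORP #1234", 87.00),   # not hit: keyword is spelled "JCPenny"
    ("T5", "DICKS SPORTING GOODS", 260.00),
    ("T6", "AMAZON MKTPLACE", 22.49),
]


def isini(needle, haystack):
    """Case-insensitive substring test: the behaviour of IDEA's @Isini(String1, String2)."""
    return needle.casefold() in haystack.casefold()


def keyword_hits(transactions, keywords=KEYWORDS):
    """Return (transaction id, merchant, matched keyword) for every transaction
    whose merchant name contains any keyword, i.e. the chain of .OR. clauses on
    the slide. One hit per transaction, as a single boolean filter would give."""
    hits = []
    for txn_id, merchant, _amount in transactions:
        for kw in keywords:
            if isini(kw, merchant):
                hits.append((txn_id, merchant, kw))
                break
    return hits


def unmatched_merchants(transactions, keywords=KEYWORDS):
    """Merchant names that no keyword matched; review these for keyword gaps."""
    matched = {hit[0] for hit in keyword_hits(transactions, keywords)}
    return [merchant for txn_id, merchant, _ in transactions if txn_id not in matched]


if __name__ == "__main__":
    for hit in keyword_hits(TRANSACTIONS):
        print(hit)
    print("no keyword matched:", unmatched_merchants(TRANSACTIONS))
```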


Purchasing Card Tests Developed

• Consistent purchases at same vendor by one cardholder
• Weekend purchases
• International purchases
• Dormant cards
• Purchasing trends
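As an added example (Python written for this page, not the presenters' scripts), the following runs several of the tests named on the Starting, Intermediate and Advanced Approach slides and on the Tests Developed slide over a constructed card extract: split purchases, weekend and international purchases, use of a card by an inactive employee, dormant cards and credit limit utilization. The cardholder master layout, the limits, the 90-day dormancy window and every transaction row are assumptions made for the example.

```python
"""Added example: purchasing card tests from the Purchasing Card Analysis
slides, run over constructed data. Field names, limits and rows are
assumptions for this example, not a real card program's layout."""
from collections import defaultdict
from datetime import date

# Constructed cardholder master: card -> employee, status and limits.
CARDHOLDERS = {
    "C1": {"emplid": "E100", "active": True,  "monthly_limit": 5000.0, "single_limit": 1000.0},
    "C2": {"emplid": "E200", "active": False, "monthly_limit": 5000.0, "single_limit": 1000.0},
    "C3": {"emplid": "E300", "active": True,  "monthly_limit": 2000.0, "single_limit": 1000.0},
    "C4": {"emplid": "E400", "active": True,  "monthly_limit": 1000.0, "single_limit": 500.0},
}

# Constructed transactions: (card, posting date, merchant, MCC, country, amount).
TXNS = [
    ("C1", date(2016, 11, 7),  "ACME SUPPLY",    "5111", "US", 800.00),
    ("C1", date(2016, 11, 7),  "ACME SUPPLY",    "5111", "US", 750.00),   # possible split
    ("C1", date(2016, 11, 12), "HOTEL MONTREAL", "7011", "CA", 310.00),   # Saturday, abroad
    ("C2", date(2016, 11, 9),  "OFFICE MART",    "5943", "US", 45.00),    # inactive employee
    ("C3", date(2016, 11, 1),  "CLOUD HOST",     "4816", "US", 1900.00),  # 95% of monthly limit
]
AS_OF = date(2016, 12, 31)  # constructed review date for the dormancy test


def split_purchases(txns, holders):
    """Same card, same merchant, same day, each amount within the single-transaction
    limit but the total above it: the usual shape of a limit being circumvented."""
    groups = defaultdict(list)
    for card, d, merchant, _mcc, _cc, amt in txns:
        groups[(card, d, merchant)].append(amt)
    flags = []
    for (card, d, merchant), amts in groups.items():
        limit = holders[card]["single_limit"]
        if len(amts) > 1 and all(a <= limit for a in amts) and sum(amts) > limit:
            flags.append((card, d.isoformat(), merchant, round(sum(amts), 2)))
    return flags


def weekend_purchases(txns):
    """Transactions posted on a Saturday or Sunday."""
    return [(card, d.isoformat(), m, amt) for card, d, m, _, _, amt in txns if d.weekday() >= 5]


def international_purchases(txns, home="US"):
    """Transactions whose merchant country differs from the home country."""
    return [(card, d.isoformat(), m, cc, amt) for card, d, m, _, cc, amt in txns if cc != home]


def inactive_cardholder_use(txns, holders):
    """Cards with activity although the cardholder is no longer an active employee."""
    return sorted({card for card, *_ in txns if not holders[card]["active"]})


def dormant_cards(txns, holders, as_of, days=90):
    """Cards with no activity in the `days` before `as_of`: candidates to cancel."""
    last = {}
    for card, d, *_ in txns:
        last[card] = max(last.get(card, d), d)
    return sorted(c for c in holders if c not in last or (as_of - last[c]).days > days)


def limit_utilization(txns, holders, year, month, threshold=0.9):
    """Monthly spend as a share of the monthly limit; cards at or above threshold."""
    spend = defaultdict(float)
    for card, d, _m, _mcc, _cc, amt in txns:
        if (d.year, d.month) == (year, month):
            spend[card] += amt
    ratios = {c: spend[c] / holders[c]["monthly_limit"] for c in spend}
    return {c: round(r, 3) for c, r in ratios.items() if r >= threshold}


if __name__ == "__main__":
    print("split purchases:", split_purchases(TXNS, CARDHOLDERS))
    print("weekend:", weekend_purchases(TXNS))
    print("international:", international_purchases(TXNS))
    print("inactive cardholders used:", inactive_cardholder_use(TXNS, CARDHOLDERS))
    print("dormant:", dormant_cards(TXNS, CARDHOLDERS, AS_OF))
    print("high utilization:", limit_utilization(TXNS, CARDHOLDERS, 2016, 11))
```

Each test returns a list or dict rather than printing, so the same functions can be pointed at a real extract once the column mapping is confirmed with the source system owner, and the flagged rows can be written out as the exception population for follow-up.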

Live Demonstration

Example 2: Return to Title IV Audit

Audit Objective: To ensure that the institution was fully complying with R2TIV regulations.

Return of financial aid funds when a recipient ceases to be enrolled prior to the end of a payment period or period of enrollment.


Requirements

The Institution Must:
• Determine date of student’s withdrawal
• Calculate percent of period completed
• Determine amount earned by applying percent completed to total of amounts disbursed and amounts that could have been disbursed
• Return unearned funds to Title IV programs, or pay student post-withdrawal disbursement
• Determine Title IV overpayment, if any

Withdrawals

Withdrawal Date:
• Date student began the formal withdrawal process or notified…
• Mid-point, if no notification
• Date of illness, accident, etc.
• Beginning of an approved LOA if student does not return
• Last date at an academically-related activity

Calculation (worksheet shown on slide, not reproduced here)


Student System Background

SQL

SELECT A.EMPLID, A.AID_YEAR, A.BGT_ITEM_CATEGORY, A.STRM, A.BUDGET_ITEM_AMOUNT,
       B.TOT_TIV_AID_RTRN, B.INST_CHRG_BOARD, B.INST_CHRG_OTHER, B.INST_CHRG_TUIT_FEE, B.RTRN_TIV_CAL_PCT
FROM PS_STDNT_BGT_AD_VW A, PS_STDNT_RTN_TIV B
WHERE A.EMPLID = B.EMPLID
  AND A.AID_YEAR = B.AID_YEAR
  AND A.STRM = B.STRM

Tests Performed

• Validate accuracy of calculations
• Verify completeness of calculations
• Timeliness of calculation
• Timeliness of returns
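The "validate accuracy of calculation" test, as an added example (Python written for this page, not the presenters' work papers): re-perform the calculation described on the Requirements slide for each student and compare it with what the student system stored. The row layout mirrors the fields in the slide's SQL (RTRN_TIV_CAL_PCT, TOT_TIV_AID_RTRN) but every row is constructed; the period dates, the calendar-day count with no scheduled-break exclusion, the three-decimal rounding and the tolerances are assumptions. The rule that a student who completes more than 60% of the period has earned all of the aid is the federal R2T4 rule and is not stated on the slides.

```python
"""Added example: re-performing the Return to Title IV calculation and
comparing it with the values the student system stored. Rows, dates and
the day-count method are constructed assumptions for this example."""
from datetime import date


def percent_completed(period_start, period_end, withdrawal_date):
    """Calendar days completed / calendar days in the period, rounded to three
    decimals (assumption). Over 60% completed counts as 100% earned (federal rule)."""
    total_days = (period_end - period_start).days + 1
    days_done = (withdrawal_date - period_start).days + 1
    pct = days_done / total_days
    return 1.0 if pct > 0.60 else round(pct, 3)


def r2t4(disbursed, could_have_disbursed, pct):
    """Earned = pct x (disbursed + could have been disbursed).
    Returns (earned, amount to return, post-withdrawal disbursement owed)."""
    earned = round(pct * (disbursed + could_have_disbursed), 2)
    if disbursed > earned:
        return earned, round(disbursed - earned, 2), 0.0
    return earned, 0.0, round(earned - disbursed, 2)


# Constructed student-system rows; the last two keys mimic the slide's SQL fields.
PERIOD = (date(2016, 8, 22), date(2016, 12, 9))  # 110 calendar days (assumption)
ROWS = [
    {"EMPLID": "S1", "period": PERIOD, "withdrew": date(2016, 9, 30),
     "disbursed": 3000.0, "could_have": 0.0,
     "RTRN_TIV_CAL_PCT": 0.364, "TOT_TIV_AID_RTRN": 1908.0},   # agrees
    {"EMPLID": "S2", "period": PERIOD, "withdrew": date(2016, 11, 15),
     "disbursed": 2000.0, "could_have": 500.0,
     "RTRN_TIV_CAL_PCT": 1.0, "TOT_TIV_AID_RTRN": 0.0},        # over 60%: nothing to return
    {"EMPLID": "S3", "period": PERIOD, "withdrew": date(2016, 9, 30),
     "disbursed": 3000.0, "could_have": 0.0,
     "RTRN_TIV_CAL_PCT": 0.364, "TOT_TIV_AID_RTRN": 1500.0},   # system returned too little
]


def validate(rows, pct_tolerance=0.001, amount_tolerance=0.01):
    """Recompute pct and return amount per row; list rows where the stored
    values differ from the re-performed values beyond the tolerances."""
    exceptions = []
    for r in rows:
        pct = percent_completed(*r["period"], r["withdrew"])
        _earned, to_return, _pwd = r2t4(r["disbursed"], r["could_have"], pct)
        if (abs(pct - r["RTRN_TIV_CAL_PCT"]) > pct_tolerance
                or abs(to_return - r["TOT_TIV_AID_RTRN"]) > amount_tolerance):
            exceptions.append((r["EMPLID"], pct, to_return,
                               r["RTRN_TIV_CAL_PCT"], r["TOT_TIV_AID_RTRN"]))
    return exceptions


if __name__ == "__main__":
    for exc in validate(ROWS):
        print("exception (emplid, pct, expected return, system pct, system return):", exc)
```

Running the re-performance over the full population is what lets the test cover every withdrawn student rather than a sample, which is the point made on the Value Added slide.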


Value Added

• Highlighted progress the department made in achieving compliance with regulations
• Institution able to return money to the respective programs without being penalized during a federal review
• Random sampling would not have been able to identify all potential students with compliance issues

Example 3: Executive Travel Background

Audit Objective: To ensure that travel expenses made by executives, or on behalf of executives, were in compliance with travel and entertainment policies and procedures.

Our Process: Corporate Travel Planners (CTP) bookings for flights, hotels and car rentals; Citibank Purchasing Card expenses; expense reimbursements issued after travel.

Critical Data Elements: Source Data (table shown on slide, not reproduced here)

Key Takeaways

• Talk to your CAE
• Designate Data Analytics Champion(s)
• Data Pull Methodology
• IT Access


THE CLOUD


• Level set on what is “Cloud”
• Understand why risks are different in the Cloud
• What can Internal Audit do?
• Understand how a Service Organization Control (SOC) report maps back to your organization’s specific risks
• Identify the requirements Internal Auditors should raise with cloud service providers early in their organization’s procurement/design phase


Cloud Computing

Permission to use granted by CloudTweeks.com


IT Audit


Cloud Computing

IT CAPABILITIES PROVIDED BY THE CLOUD ARE CHARACTERIZED BY:

• Usually pay as you use; can be subscription
• Geographic independence
• Shared physical infrastructure not visible to the customer
• On-demand allocation of resources
• Provided over the internet
• Highly scalable

The National Institute of Standards and Technology (NIST) defines cloud computing as a model for enabling “…… convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction”


Service Models & Responsibilities


Service Model & Responsibilities


Deployment Models & Uses

Private Cloud
• Operated solely for an organization
• May be managed by the organization or a third party
• May exist on or off premise

Public Cloud
• Made available to the general public
• Owned by an organization selling cloud services

Hybrid Cloud
• A composition of two or more clouds (private, community or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g. cloud bursting for load balancing between clouds)


Service Levels

Unmanaged Cloud
• Managed by the organization
• Organization is responsible for the environment architecture, build, and ongoing operations
• May be public or private cloud

Managed Cloud
• Managed by a third party
• Assists with the environment architecture and build
• Manages ongoing operations such as configuration management and backups
• May be public or private cloud


Benefits to the Business

• Manage costs: utility model (pay as you go)
• Accelerated deployment
• Maximize performance
• Highly scalable
• Leverage external operational expertise
• Enables university to focus on core competencies


Why Things are Different in the Cloud


How Cloud Threats are Different


Identify / Discover

• What are the “sanctioned services” at your organization? (Inventory)


Monitor and Response


SOC Reports

• Service Provider Control: “Backup software is used to schedule and perform backups on customer servers.”
• Customer Responsibilities:
  – Identify data to be backed up
  – Provide backup schedule and update as necessary
  – Ensure backup is rotated/sent off-site if desired

SOC reports do not eliminate CUSTOMER RESPONSIBILITIES


Top Cloud Threats

• Data Breaches
• Data Loss
• Account Hijacking
• Insecure APIs
• Denial of Service
• Malicious Insiders
• Abuse of Cloud Computing
• Shared Technology Issues
• Insufficient Due Diligence


MYTH or REALITY

The CIO Controls IT

https://insight.utsa.edu/Account/Login.aspx


Next Evolution

• Internal Audit involvement in Procurement Process
  – Validation of business case
  – Right to Audit Clause and/or SSAE 16
  – Impact of regulation on data security
  – Stability/viability of service providers
  – Contractual data protection responsibilities and related clauses
  – SLA (including security breach escalation protocol)
  – Ask for CSP transparency to provide near real-time access that addresses auditing requirements


Next Evolution (per Carol)

• Need third party to collect self-report data to look at all these vendors (i.e. 3Pass)
• Need third party to do some non-invasive ethical hacking research on these vendors, providing a dashboard that we can monitor (i.e. scorecard)
• Clearly Defined:
  – Inventory
  – Data Backups & Locations
  – Recovery if Provider goes belly up
  – Incident handling processes and reporting
  – Data Security Admin Processes


Additional Resources

• Cloud Security Alliance: Comprehensive Cloud Control Matrix (CCM) framework covering 16 domains
• Helps identify Service Provider responsibilities vs Customer responsibilities
• Maps to many common frameworks including:
  – COBIT 5.0
  – NIST SP800-53 Rev 3 Appendix J
  – ISO/IEC 27001:2013
  – HIPAA
  – PCI DSS v3


BACK AT HOME

• Build Your Audit Universe
• Risk Assessment
  – Do Not Forget: EMERGING RISKS
• IT Audit Skills Assessment
• Training Needs
  – Outside
  – Self-Study
• Outside Resources
  – Partnering with…… / On The Job Training
• FIRST AUDIT YOU WILL PERFORM?


MYTH or REALITY

You can learn IT Auditing in 2 ½ days?


MYTH or REALITY

SCORING

Who is the winner?

How Many Key Principles?


YIPEE WE SURVIVED