
Posts by admin

SEC guidance: Material information regarding cyber security risks and cyber incidents is required to be disclosed

On October 13, 2011 the SEC issued new guidance on the disclosure of material information regarding cyber security risks and cyber incidents. This corporate finance disclosure guidance is not a rule, regulation, or statement of the Securities and Exchange Commission (SEC). Under the guidance, where one or more cyber incidents materially affect a registrant’s products, services, relationships with customers or suppliers, or competitive conditions, the registrant should disclose this to the SEC.


http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm

 

CPU Security Patches for Oct’ 2011 – Oracle Database Executive Summary

The October 2011 Critical Patch Update (CPU) contains 5 new security fixes for the Oracle Database Server. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without the need for a username and password. None of these fixes are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed.

 

Oracle Database Server Risk Matrix

The columns Base Score through Availability are the CVSS version 2.0 risk metrics (see Risk Matrix Definitions). No row in this matrix carries a note.

| CVE# | Component | Protocol | Package and/or Privilege Required | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2011-3525 | Application Express | HTTP | APEX developer user | No | 6.5 | Network | Low | Single | Partial+ | Partial+ | Partial+ | 3.2, 4.0 |
| CVE-2011-3512 | Core RDBMS | Oracle Net | Create session, create procedure, create table | No | 5.5 | Network | Low | Single | Partial+ | Partial+ | None | 10.1.0.5, 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2 |
| CVE-2011-2301 | Oracle Text | Oracle Net | Execute on CTXSYS.DRVDISP | No | 4.1 | Local | Medium | Single | Partial+ | Partial+ | Partial+ | 10.1.0.5, 10.2.0.3, 10.2.0.4, 11.1.0.7 |
| CVE-2011-3511 | Database Vault | Oracle Net | Privileged Account | No | 3.6 | Network | High | Single | None | Partial | Partial | 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2 |
| CVE-2011-2322 | Database Vault | Oracle Net | SYSDBA | No | 3.6 | Network | High | Single | None | Partial | Partial | 11.1.0.7 |


CPU Security Patches for Oct’ 2011 – Oracle Applications Executive Summary

The October 2011 Critical Patch Update (CPU) contains 16 new security fixes for Oracle Applications, divided as follows:

  • 5 new security fixes for the Oracle E-Business Suite. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. This is critical and if you’re running this version patch it now!
  • 1 new security fix for the Oracle Supply Chain Products Suite. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.
  • 7 new security fixes for Oracle PeopleSoft Products. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without the need for a username and password.
  • 3 new security fixes for Oracle Siebel CRM. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.


Oracle E-Business Suite Risk Matrix

The columns Base Score through Availability are the CVSS version 2.0 risk metrics (see Risk Matrix Definitions). No row in this matrix carries a note.

| CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2011-3513 | Oracle Application Object Library | HTTP | HTML Pages | Yes | 4.3 | Network | Medium | None | None | Partial | None | 11.5.10.2, 12.0.6, 12.1.2, 12.1.3 |
| CVE-2011-2308 | Oracle Application Object Library | HTTP | Online Help | Yes | 4.3 | Network | Medium | None | None | Partial | None | 12.0.6, 12.1.2, 12.1.3 |
| CVE-2011-2302 | Oracle Application Object Library | HTTP | Single Sign On | Yes | 4.3 | Network | Medium | None | None | Partial | None | 11.5.10.2, 12.0.6, 12.1.2, 12.1.3 |
| CVE-2011-2303 | Oracle Application Object Library | HTTP | Attachments / File Upload | No | 3.5 | Network | Medium | Single | None | Partial | None | 11.5.10.2, 12.0.6, 12.1.2, 12.1.3 |
| CVE-2011-3519 | Oracle Applications Framework | HTTP | REST Services | No | 3.5 | Network | Medium | Single | Partial | None | None | 12.1.2, 12.1.3 |
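As an added example (not Oracle's or Checklist 2.0's own code), the script below transcribes the CVSS v2 metrics from the Database Server and E-Business Suite matrices in this post, recomputes each base score from the CVSS v2.0 equations to confirm the published numbers, and orders the rows for patching with the unauthenticated network-reachable ones first. It assumes Oracle's "Partial+" annotation scores as CVSS Partial.

```python
"""Recompute and triage the CVSS v2 base scores in Oracle's CPU risk matrices.

Added example, not Oracle's or Checklist 2.0's code. ROWS is transcribed from
the two risk matrices on this page; only the CVSS v2 metric columns are used.
"""
from typing import NamedTuple

# CVSS v2.0 metric weights from the CVSS v2.0 specification.
ACCESS_VECTOR = {"Local": 0.395, "Adjacent Network": 0.646, "Network": 1.0}
ACCESS_COMPLEXITY = {"High": 0.35, "Medium": 0.61, "Low": 0.71}
AUTHENTICATION = {"Multiple": 0.45, "Single": 0.56, "None": 0.704}
IMPACT = {"None": 0.0, "Partial": 0.275, "Complete": 0.660}


class Row(NamedTuple):
    cve: str
    remote_no_auth: bool   # the "Remote Exploit without Auth.?" column
    published: float       # Oracle's published base score
    av: str
    ac: str
    au: str
    c: str
    i: str
    a: str


def _impact(level: str) -> float:
    # Assumption: Oracle's "Partial+" annotation is scored as CVSS Partial.
    return IMPACT[level.rstrip("+")]


def cvss2_base_score(av: str, ac: str, au: str, c: str, i: str, a: str) -> float:
    """CVSS v2 base equation, rounded half up to one decimal as the spec requires."""
    impact = 10.41 * (1 - (1 - _impact(c)) * (1 - _impact(i)) * (1 - _impact(a)))
    exploitability = 20 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au]
    f_impact = 0.0 if impact == 0 else 1.176
    raw = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact
    return int(raw * 10 + 0.5) / 10


# Rows transcribed from the page's Database Server and E-Business Suite matrices.
ROWS = [
    Row("CVE-2011-3525", False, 6.5, "Network", "Low", "Single", "Partial+", "Partial+", "Partial+"),
    Row("CVE-2011-3512", False, 5.5, "Network", "Low", "Single", "Partial+", "Partial+", "None"),
    Row("CVE-2011-2301", False, 4.1, "Local", "Medium", "Single", "Partial+", "Partial+", "Partial+"),
    Row("CVE-2011-3511", False, 3.6, "Network", "High", "Single", "None", "Partial", "Partial"),
    Row("CVE-2011-2322", False, 3.6, "Network", "High", "Single", "None", "Partial", "Partial"),
    Row("CVE-2011-3513", True, 4.3, "Network", "Medium", "None", "None", "Partial", "None"),
    Row("CVE-2011-2308", True, 4.3, "Network", "Medium", "None", "None", "Partial", "None"),
    Row("CVE-2011-2302", True, 4.3, "Network", "Medium", "None", "None", "Partial", "None"),
    Row("CVE-2011-2303", False, 3.5, "Network", "Medium", "Single", "None", "Partial", "None"),
    Row("CVE-2011-3519", False, 3.5, "Network", "Medium", "Single", "Partial", "None", "None"),
]


def verify_scores(rows):
    """Return {cve: (published, recomputed)} for rows whose score does not recompute."""
    mismatches = {}
    for r in rows:
        got = cvss2_base_score(r.av, r.ac, r.au, r.c, r.i, r.a)
        if got != r.published:
            mismatches[r.cve] = (r.published, got)
    return mismatches


def patch_order(rows):
    """Triage order: unauthenticated network-reachable rows first, then by score."""
    return [r.cve for r in sorted(rows, key=lambda r: (not r.remote_no_auth, -r.published))]


if __name__ == "__main__":
    print("score mismatches:", verify_scores(ROWS) or "none")
    print("patch order:", ", ".join(patch_order(ROWS)))
```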

 

 

 

Oracle’s one-off security alert CVE-2011-3192

Oracle has released a one-off security alert for its Apache technology stack. Read more at http://www.oracle.com/technetwork/topics/security/alert-cve-2011-3192-485304.html

However, it doesn’t seem to have any direct database impact …

Reduce Auditing Cost

Cutting cost is at the top of everyone’s mind these days, especially when you pay hundreds of dollars per hour for services (not knowing what you are going to get) while a hyper-competitive global workforce is available at your fingertips. Checklist 2.0 sincerely thinks there is room for improvement in the auditing marketplace between what companies pay and what is rendered as part of the service. We found a useful document that provides general guidelines for companies to reduce auditing cost.

https://cfo.executiveboard.com/public/documents/CTLR_14_Ways_to_Reduce_External_Audit_Fees.pdf

Don’t forget to check out our pre-audit assessment list on some of the IT audit topics at http://www.checklist20.com/bestpractices.html.

If you are interested in contributing to our “FREE” audit/assessment checklist, please send it to info@checklist20.com.


Audit Best Practices Conference – SuperStrategies 2011

MIS Training Institute has announced an audit best practices conference in Chicago from May 11 to 13.

SuperStrategies 2011 | Audit, Info Security & IT Security Conferences & Summits

CISA and CISM Job Trends on Indeed.com

Indeed.com searches millions of jobs from thousands of job sites. This job trends graph shows the percentage of jobs that contain the search terms CISA and CISM …


Intern – Technical writing and editing

Job Description

Are you interested in an entrepreneurial opportunity to work for a startup, make a change in the industry, and gain the experience and exposure you need to build your career? If so, then Checklist 2.0 (www.checklist20.com) – Organized Best Practices – is the firm for you. Checklist 2.0 is a web platform that helps clients meet the challenges and opportunities of the global IT marketplace in the areas of audit, compliance, security and benchmarking.

At Checklist 2.0, you will be part of a learning culture, where teamwork and collaboration are encouraged, entrepreneurship is rewarded, and diversity is respected and valued. We offer a flexible career progression model that allows for a variety of challenging opportunities throughout your career. We provide unparalleled coaching, mentoring, and career opportunities; and state of the art technology-driven methodologies to help you provide quality service to our global customer base.

Our practice collaborates with subject matter experts, auditors, assurance professionals and standards bodies (ISO, ISACA, ISSA, etc.) so that the best practices they have identified are shared with the community for peer review and reference. When we fulfill our role as an organizing and peer-reviewing platform, by standing firm on up-to-date and specific practices, we have a direct impact on how well the world’s IT systems function. Join us and we will help you implement a successful career strategy as you explore the many career opportunities in Checklist 2.0 practices.

The Checklist 2.0 services function requires an understanding of an organization’s objectives, risks, risk management priorities, regulatory environment, and the diverse needs of critical stakeholders.

We can assist organizations that require help improving the quality and effectiveness of their internal audit processes in a number of ways. First, we can advise and assist in the development of internal audit and risk management methodologies, including assessing whether the internal audit function is delivering effectively to stakeholders. Second, we can provide internal audit resourcing solutions, including full outsourcing or complementing in-house functions with specialist skills or geographical coverage. Third, we can support internal audit functions with software to enhance and support their work. In addition, we can develop training for internal auditors using our extensive peer-reviewed knowledgebase to create highly-tailored solutions.

Job Duties:
* Play a role as an intern in Checklist 2.0’s audit plan, best practices and checklist development practice, assisting with the development, technical editing and publishing of content for different technology topics.

* Responsibilities may include, but are not limited to, the following: assisting with the development of risk assessments and audit plans; assisting in writing, moderating and editing content from public resources such as ISACA.org, NIST.gov and other leading web sources into Checklist 2.0 format to address IT auditors’ needs.

* Passion for IT, security, audit and writing; demonstrated creative thinking and individual initiative.
* Cultivate teamwork dynamics through working as a team member: understand personal and team roles; contribute to a positive working environment by building solid relationships with team members; proactively seek guidance, clarification and feedback.
* Demonstrate flexibility in prioritizing and completing tasks; communicate potential conflicts to a supervisor.
* Interest in all aspects of internal auditing and a desire to pursue a career in IT auditing and security.
* Ability to demonstrate strong problem-solving skills and the ability to prioritize and handle multiple tasks.
* Ability to interact with various levels of client and firm management in both written and verbal form.
* Ability to self-motivate and take responsibility for personal growth and development.
* Flexibility and desire to travel, as client assignments require.
* Pursuing a Bachelor’s degree in computer science or engineering, with a passion for writing.

Company Description

Checklist 2.0 – Organized Best Practices – is a collaborative and customizable web platform for generating up-to-date and peer-reviewed audit plans, audit programs, and best practices in different technology domains. Checklist 2.0 content is contributed to, and organized by, trusted experts and authoritative sources around the world. Checklist 2.0 covers a diverse range of requirements including SOX, HIPAA, PCI-DSS, ISO, etc.

Leverage best practices to build effective IT audit plans

We have been getting a lot of enquiries on why and how to use best practices to build effective IT audit plans. We thought of publishing this blog post to address our approach to building an effective IT audit plan. In order to explain our approach, let’s set the context first:

To understand how best, and why, to use Best Practices to build effective IT audit plans, we need to put the concept of Best Practices in context and explain our approach.

What are Best Practices?
Best Practices evolve, and continue to evolve, over time. When Best Practices are used under specific conditions or circumstances they will produce the maximum output. Therefore, we can build an arsenal of Best Practices based on the input of domain experts, vendors and other organizations.

One of the best places to learn the definition for Best Practices is Wikipedia:

  • “A best practice is a technique, method, process, activity, incentive, or reward which conventional wisdom regards as more effective at delivering a particular outcome than any other technique, method, process, etc. when applied to a particular condition or circumstance. The idea is that with proper processes, checks, and testing, a desired outcome can be delivered with fewer problems and unforeseen complications.
  • Best practices can also be defined as the most efficient (least amount of effort) and effective (best results) way of accomplishing a task, based on repeatable procedures that have proven themselves over time for large numbers of people.”

In particular, at Checklist 2.0 we focus on the definition of Best Practices as explained in the second bullet point. Our belief is “Don’t reinvent the wheel”.  Everyone – no matter what their profession – wants to apply the best approach to accomplish a task utilizing the minimum available resources.

In fast-changing and complex domains like IT, Best Practices can be leveraged effectively for the underlying technology frameworks and methodologies. The IT house is dominated by a few major vendors like Microsoft, Oracle, SAP, Google and others. The strong similarities in system installation and functionality requirements across the customer base make Best Practices based technology management a huge attraction. There are several key advantages of a Best Practices based IT approach:
1) Benchmarking operations with industry peers to calculate the real return on investment
2) Leveraging expensive human capital without a time-consuming trial-and-error approach
3) Reducing the total cost of operation by using the collective knowledge of leading-edge sources
4) Identifying and targeting well-known gaps or vulnerabilities

How to build multi-dimensional Best Practices
You may understand the value of Best Practices, but the key question is: how do you identify, organize and create specific Best Practices to solve business problems and provide end-to-end business solutions?

Best Practices, when captured, need to be associated with several dependent factors that help consumers apply and filter them based on their specific situation.

For example, a house built in a tropical climate will be designed to reflect the local environment: it will use local materials, have a different foundation, and connect to local utilities differently from a house built in Alaska. Though each house serves the same purpose, they will vary based on local factors such as climate, weather, local resources and need.

Identifying these different requirements at the beginning and tagging the Best Practices by climatic conditions, materials used, plumbing and electrical, local codes, statutes and regulations, etc. helps a larger audience manage and generate specific best practices to apply during construction.

Another key factor is the need to keep Best Practices up to date. You may not want to reference a Best Practice white paper published several years ago or read a book that is outdated even before it goes to press. Building a Best Practices unit that is logically distinct from other units is key. You need to identify and tag the different requirements to build the proper Best Practices.

Who needs to build the Best Practices and when?
In the increasingly connected world the best ideas and practices can come from anywhere. The key to leveraging best practices is to capture up-to-date details of a practice together with its several dependency factors and share it globally with users. For example, a doctor in India, where the population is large, operates on at least 10 to 20 patients a day. Best practices for operating on many patients with a high success rate can only be developed in places like this. In case of natural disasters in other parts of the world, these practices can be effectively leveraged to handle a larger number of patients. The two key things that make this process effective are:
1) Sharing the practices on a global platform
2) Categorizing the practices for different conditions, such as large numbers of patients, small numbers of patients, etc.
So, by building a platform to identify, organize, and update Best Practices you will improve efficiency and leverage expertise.

Why IT Audit Planning is using Best Practices
IT Governance and Strategy are critical to an organization’s success. IT plays a major role in technology-dominated business processes. A Best Practice based audit plan for evaluating risk uses an 80-20 rule. This allows you to eliminate all the low-hanging fruit with the global Best Practice knowledge base and helps organizations quickly achieve their desired business objectives. Key to the risk assessment and audit plan process is breaking down the IT universe into smaller, more manageable sub-components. Typically, the IT sub-components are defined as infrastructure and applications. Contained within the infrastructure sub-component are servers, routers, communications, desktops, etc. This hardware controls the flow and processing of information throughout the organization. The second sub-component is applications: the software used to record and store business transactions. Examples would be database, enterprise resource planning, or business intelligence software. These controls consist of security applications, disaster recovery plans, and service level agreements (SLAs). By leveraging the best practices developed at the sub-component level an IT auditor can quickly build an audit plan based on the specific criteria of his/her need and provide a risk assessment report of the IT environment. Checklist 2.0 is built using the principles highlighted above and we would love to hear your thoughts.

IT Auditing Trend – A Google perspective …

An old marketing adage says that a response rate of one half of one percent is a good response to a marketing mailing. Given such a poor response, is it any surprise that it is difficult to gauge the climate of IT Audit and chart market trends with surveys, feedback and reviews from participants at conferences, meetings and in e-mails? Several obvious reasons account for this:
1) Participation percentage is low – sampling is based on those who choose to respond.
2) Data is not reliable as participants rarely have real motivation to share their opinions.
3) Survey questions fail to capture many dimensions of a customer’s needs.

This is where big brother Google can help. Google has made public search terms readily available using a free utility called Google Insights for Search. With Google Insights for Search, you can compare search volume patterns across geographic regions, subject categories, time frames, and differing sources. Google Insights for Search produces data based on people’s search patterns, demonstrating customer demand in real time.

The chart above demonstrates the response for the search term “IT Audit”. It tells the story of how the market for IT Auditing is evolving, revealing market trends. If you spend some time analysing Rising Searches, Regions and View Change over time, Google Insights provides a wealth of information. What a great market intelligence tool!

I recently spent some time with the Google Insights for Search tool, and here are some insights I discovered about trends in the market for IT Auditing:

1) Interest in IT audit is declining slowly. I know you don’t want to hear this, but numbers don’t lie. When SOX was introduced the market for IT Auditing was red hot. Opportunity was everywhere. However, as more customers transition from the design and implementation of IT controls to more of a maintenance mode, the demand for IT Audit resources has declined. Additionally, the evolving advancement and complexity of technology has changed the landscape. Accelerated adoption of inexpensive virtualized servers and cloud computing is making it tricky for IT auditors. While security concerns exist and in some cases are on the rise, the management of the cloud computing space creates an environment that is difficult to navigate from an IT Audit perspective. This space is managed by the cloud service providers, or by the technology behind VMware and other virtualization frameworks. The consolidation of computing resources into large cloud farms will ultimately create downward pressure on the IT Audit fees charged by Big 4 auditors.

2) The requirement for IT audit related services is increasing at a breakneck pace outside the U.S.
This is a no-brainer for people who are up to date on general market trends, as GDP is growing approximately 10% per year in the BRIC (Brazil, Russia, India and China) zone and other developing economies. Internal IT demand in these countries is growing faster than GDP, creating several pockets of demand for IT Audit services. We can see from the Google Insights for Search graph that not a single country on the list is among the developed or more mature economies of the world. Additionally, growing outsourcing trends to India, the Philippines, and other countries require outsourcing vendors to comply with the IT controls requirements of their clients in the U.S. and Western European countries.

3) An increasing number of people are trying to transition or enter into the IT audit marketplace.
A weak job market in developed countries reveals an increasing trend in the number of people seeking jobs in IT audit. This will create an interesting situation over the next 2 to 4 years as the IT Audit market matures. One trend we can immediately interpret from the chart is that there are going to be fewer and fewer dedicated IT Auditors, and more multi-skilled or part-time members of our workforce involved in IT Auditing.

4) Demand for Audit Checklists and Best Practices is growing.
Given the speed of technology development, it is not surprising that Google Insights for Search predicts there will be demand for security audit and checklist requirements in the IT audit domain. At Checklist 2.0, we foresee a continuous sharp surge in the importance of sharing best practices to help build customizable audit plans. By leveraging the resources of Checklist 2.0 to identify, organize and generate customizable best practices, controls and audit plans to pre-audit, self-assess or audit organizational technology risk areas, our customers are better armed in advance of internal control breakdowns, and CAEs (Certified Audit Examiners) are enabled to initiate audits in those areas.

With these changes evident, what trends do you see that Google Insights for Search has not revealed? How is the current market climate affecting you and your company? What impact are virtualization and cloud computing having on you and your company?

Your questions and comments are always welcome.