Tools: Can Penetration Testing Tools Help With Audit?

Penetration Testing Tools
Author: Ed Moyle, CISSP
Published: 1 September

Sometimes it can feel as though auditors get the short end of the stick when it comes to the tools available to assist in the work they do. It seems they are always strapped for budget to acquire tools, while adjacent professionals such as security operations staff have a wealth of tools available, many of them free, to support everything from vulnerability scanning to log file analysis to sorting through malware.

However, believe it or not, those tools sometimes overlap with ones that can directly advance an audit in certain situations. In the normal course of an audit, an auditor requests evidence to establish that given controls are operating effectively. For example, the auditor might have a system administrator pull up a configuration screen, request that a tool be run and examine its output, or review a report or log file information. There are good reasons why auditors are not usually the ones in front of the keyboard firing off commands, though. Specifically, having the operations (ops) staff actually do the ops work helps preserve the independence of the auditor (i.e., it maintains a separation between those performing and those reviewing). Also, frankly, those closest to the business systems under evaluation are probably the ones best able to navigate them.

That, however, is in an ideal world. In the real world, depending on the type of audit or assessment being performed, sometimes things do not go as planned and flexibility is required. Consider, for example, the situation where a larger organization is conducting an on-site review of a much smaller (think small or medium-sized business [SMB] or "mom and pop" shop) service provider. Will that SMB have the technical expertise to supply everything the auditor might want? Maybe. But maybe not. It is here, if direct interaction between the examiner and the systems is permissible (it will not be in every situation), that getting a little "hands on" on the auditor's part can spare everyone some time and energy.

But where are some good places to find the tools an auditor might need should this situation occur? Certainly, they can go out and research on the Internet what they might need in response to a given situation, but that is very time-consuming. One approach is for auditors to look to catalogs of tools that already exist, are already bundled together in a highly portable format, and are ready to be unpacked and used at any time.

One fruitful location that has all those properties? Penetration testing (pen testing) Linux distributions. For those unfamiliar with the concept, penetration testing (sometimes referred to as "red team" exercises) is a type of security testing in which the tester emulates the same methods and tradecraft that an adversary would employ against an environment. In essence, testers are trying to get in the same way an attacker would. To support this type of work, testers typically employ a specialized testing environment that is "kitted out" with a wide variety of attack tools to accomplish that goal. Over time, specialized Linux distributions have emerged as de facto standard options for that environment: distributions such as Kali (http://www.kali.org/), BlackArch (http://blackarch.org/) and the Samurai Web Testing Framework (www.samurai-wtf.org/), for example.

If the idea of using a pen testing environment to directly support an audit sounds bizarre, consider the following. These environments are portable, usually being downloadable as a virtual machine image ready to run on a platform such as VMware Player or VirtualBox (directly on an auditor's field laptop, too), and they come with hundreds, if not thousands, of versatile tools that can accomplish a wide variety of tasks, many of which are directly applicable to collecting or reviewing evidence needed for an assessment. Will every tool on there be directly applicable to the project the auditor is working on right now? Of course not. But being able to, for example, check an International Bank Account Number (IBAN), search a gigabyte of data for Permanent Account Numbers (PANs) or Social Security numbers (SSNs), quickly parse log file data, mirror a web site, or perform any number of other things with a few keystrokes can greatly increase the efficiency with which evidence is reviewed. And, in some situations, it can help the auditor collect those data in the first place.
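As an added illustration of the "search a gigabyte of data for PANs or SSNs" use case (this is example code written for this page, not a tool from any of the distributions named above), the script below scans evidence text line by line, picks out candidate card numbers and SSNs with regular expressions, and then applies format checks (the Luhn check digit for PANs, the area/group/serial rules for SSNs) so that look-alike numbers such as trace IDs and timestamps are not reported. Findings are masked to the last four digits, since an auditor's working notes should not themselves become a new copy of the sensitive data. The sample log lines are constructed for the example and contain only well-known test values.

```python
import re

# Constructed sample evidence (not real data): log lines with one valid test
# card number, one card-like number that fails Luhn, one well-formed SSN,
# one SSN that violates the area rule, and a long trace ID that looks like a PAN.
SAMPLE_EVIDENCE = """\
2024-03-01 10:15:02 app[1234]: order=7781 card=4111 1111 1111 1111 status=approved
2024-03-01 10:15:09 app[1234]: order=7782 card=4111111111111112 status=declined
2024-03-01 10:16:44 hr[88]: employee ssn=219-09-9999 onboarding complete
2024-03-01 10:17:01 hr[88]: employee ssn=000-12-3456 rejected by validator
2024-03-01 10:18:30 app[1234]: trace_id=1234567890123456789 request ok
"""

# 13 to 19 digits, optionally separated by single spaces or dashes, and not
# embedded inside a longer digit run (so sub-strings of big IDs are ignored).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Hyphenated SSN form only; requiring the separators keeps false positives low.
SSN_CANDIDATE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def valid_ssn(area: str, group: str, serial: str) -> bool:
    """Reject SSNs that can never be issued: area 000/666/9xx, group 00, serial 0000."""
    if area == "000" or area == "666" or area.startswith("9"):
        return False
    if group == "00" or serial == "0000":
        return False
    return True


def mask_pan(digits: str) -> str:
    """Keep only the last four digits so findings can be quoted safely."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan(text: str) -> dict:
    """Scan evidence text; return masked PAN and SSN findings keyed by type.

    Each finding is a (line_number, masked_value) tuple.
    """
    findings = {"pan": [], "ssn": []}
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                findings["pan"].append((line_no, mask_pan(digits)))
        for m in SSN_CANDIDATE.finditer(line):
            area, group, serial = m.groups()
            if valid_ssn(area, group, serial):
                findings["ssn"].append((line_no, f"***-**-{serial}"))
    return findings


if __name__ == "__main__":
    # To scan a real evidence file instead, read it and pass its text to scan().
    for kind, hits in scan(SAMPLE_EVIDENCE).items():
        for line_no, masked in hits:
            print(f"{kind.upper()} candidate on line {line_no}: {masked}")
```

Running it against the constructed sample reports only line 1 (the Luhn-valid card number) and line 3 (the well-formed SSN); the declined card on line 2, the 000-area SSN on line 4 and the 19-digit trace ID on line 5 are all dropped by the validity checks. The checks are deliberately conservative: a number that passes Luhn or the SSN rules is still only a candidate for the auditor to confirm, and numbers stored without separators in a format the regular expressions do not anticipate would be missed, so the script narrows a large haystack rather than proving it clean.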

Now, note that no one is saying every auditor needs to go out and become fully versed in every pen testing tool out there. And, as mentioned earlier, care should be exercised and diligence employed when considering directly interfacing with a production system (remember, let the ops staff do the ops work), but if the choice comes down to "give up or do it yourself," doing it yourself is a useful option to have.

Ed Moyle
Is director of thought leadership and research at ISACA. Prior to joining ISACA, Moyle was senior security strategist with Savvis and a founding partner of the analyst firm Security Curve. In his nearly 20 years in information security, he has held numerous positions including senior manager with CTG's global security practice, vice president and information security officer for Merrill Lynch Investment Managers, and senior security analyst with Trintech. Moyle is co-author of Cryptographic Libraries for Developers and a frequent contributor to the information security industry as an author, public speaker and analyst.