About Craig


A computer scientist, a businessman, and an inventor.
Chapter 13 – Analyzing the Results
Tags: Audit, Information Security

This chapter illustrates a few simple methods to baseline the network at a high level. All external attacks and many internal ones will initially be based on the exploitation of a network service. Breaking this process into manageable sections is the key to completing it successfully. Each stage of the overall process of creating a secure and compliant network is then "projectized" into controllable chunks. The SANS audit strategy is defined using the following steps: determine areas of responsibility, research vulnerabilities and risks, secure the perimeter, secure the DMZ and critical systems, eliminate externally accessible vulnerabilities, eliminate internally accessible vulnerabilities, and search for malware. These stages allow the organization to move from the outside in. Starting at the perimeter, the organization can test and provide a deeper level of defense for its systems in the most effective manner, locking external attacks out and reducing noise as the testing proceeds.

Chapter 14 – An Introduction to Systems Auditing
Tags: Audit, Information Security

This chapter provides an introduction to system auditing and gives an overview of the processes needed to audit a system. Systems are a combination of hosts and processes; a system can be a single host or multiple hosts. Even when focused on a single application, it is a rare case where the auditor can ignore the network. Network security is not more important than host security; rather, each is essential in its own manner. Both are also a factor of their environment. Ensuring that good practices are in place will go a long way toward creating a secure and compliant system, and in the long term this will save the organization money and make management easier. The term "audit" is too general to use in referring to a single work step. When auditing a system, the process should be broken down into its component phases: gathering information, checking compliance to policy, investigating anomalies, and reporting on findings.

Chapter 15 – Database Auditing
Tags: Audit, Data, Digital Forensics, Information Security

This chapter explores database auditing, focusing on three of the primary database systems available today: MySQL, Oracle, and Microsoft SQL Server. Database systems are both the most overlooked and the most crucial areas in need of securing. Most of the reasons for compliance come down to information stored in databases, and in many instances all the critical information held by a company will be found in its database.

Chapter 16 – Microsoft Windows Security and Audits
Tags: Audit, Data, Digital Forensics, Information Security

This chapter discusses the concepts necessary for performing a technical audit of Microsoft Windows systems. The initial step in any audit is defining the scope. Most initial audits of Windows, or of any other system, boil down to obtaining basic system information, checking the system and application patch levels and vulnerability status, checking which services are running, verifying which applications are installed, validating the security systems and controls on the system, and assessing the overall risk. For Windows-specific guidance on the low-level controls, it is necessary to use tools and techniques that are included as features within Windows, added to Windows, or available from third-party vendors. An audit of a Windows system not only involves auditing it at a point in time to see whether it is properly configured and secured and meets the business requirement, but more importantly needs to encompass how the system is being monitored and maintained over time.

Chapter 17 – Auditing UNIX and Linux
Tags: Audit, Information Security

This chapter introduces the concepts of auditing UNIX and Linux. One of the key secrets to auditing UNIX or Linux is to ensure that knowledgeable people are available for the audit. The UNIX administrator should know how the system is configured; this provides a wealth of information that would not otherwise be readily available. When the various UNIX checklists from sources such as the Center for Internet Security (CIS) and NIST are combined, the development of a comprehensive UNIX audit program becomes simple. The primary point to remember is that UNIX was designed for programmers. The default UNIX shells are in effect miniature program interpreters, and the system is a development environment with a simple and open default security model. UNIX shells are themselves powerful scripting engines with programming capabilities that range from implementing simple filters and searches and creating batches of programs through to running complex programs such as Web servers.

Chapter 18 – Auditing Web-Based Applications
Tags: Audit, Information Security

This chapter introduces the concepts necessary to audit Web applications. The Web application would have to be set up in such a way that it acts as a server for all requests from the client. Some of the main areas that are commonly overlooked when auditing Web applications include input validation and sanitization, error checking and handling, and rigorous session management. The secret to creating secure Web applications lies in implementing multi-tiered solutions; the auditor should verify that the Web application uses the presentation, application and persistence tiers correctly. The chapter describes how, as the Web and its related technologies have matured, constant changes, additions and evolutions in methodologies have combined to create a significant problem for auditors, developers and IT people in general. One of the difficulties derives directly from the nature of testing.

Chapter 19 – Other Systems
Tags: Audit, Information Security

This chapter reviews a number of other audit systems and compliance issues. Auditing mainframe and other legacy systems is far simpler than auditing modern client/server systems: these systems have been around far longer, and extensive programs exist to manage them. It is common for many IT audits to exclude the most critical systems. Through a combination of misunderstanding and aversion to older technologies, legacy systems and mainframes are frequently bypassed. AuditNet is one of the best repositories of audit and compliance programs. It provides both free and subscriber-based access to a large number of audit programs for many systems and compliance structures. Mainframes are considered a legacy system. The resilience of these systems, coupled with their high processing capacity and throughput, means that they have their proponents and are unlikely to disappear anytime soon. They are particularly widespread in environments that use complex, large-scale databases requiring high-volume processing available all day, every day. Many auditors avoid mainframes. The combination of specialist skills and a perception of old technology leaves these systems at risk.

Chapter 1 – Introduction to IT Compliance
Tags: Audit, Information Security

This chapter introduces a comprehensive methodology, enabling the staff charged with an IT security audit to create a sound framework. It allows the challenges of compliance to be met in a way that aligns with both business and technical needs. A way of interpreting complex, confusing compliance requirements within the larger scope of an organization's overall needs is also provided here. The goal of the chapter is to define an economical and yet secure manner of meeting an organization's IT compliance needs. The purpose of information security is to preserve confidentiality (data is only accessed by those with the right to view it), integrity (data can be relied upon to be accurate and processed correctly), and availability (data can be accessed when needed). IT security is not about making a perfect system; it is about making a system that is resilient and that can survive the rigors it is exposed to.

Chapter 20 – Risk Management, Security Compliance, and Audit Controls
Tags: Audit, Information Security

This chapter deals with risk management, security compliance, and audit controls. Major methods of risk measurement and audit are discussed. One must understand the risk management process as a whole and how controls may be implemented to eliminate or mitigate the risk of individual events. Risk assessment is fundamental to the security of any organization; it is essential in ensuring that controls and expenditure are fully commensurate with the risks to which the organization is exposed. A risk analysis process is outlined that allows the organization to determine risk based on threats and vulnerabilities. The process of risk analysis has the following steps: threat analysis, vulnerability analysis, business impact analysis, and likelihood analysis. With the help of risk analysis, the auditor will be able to classify the severity of each risk and assign it an importance.

Chapter 21 – Information Systems Legislation
Tags: Audit, Law

This chapter reviews the legislation and regulations impacting audit and other issues of electronic law. The foremost dilemma with the study of electronic law is that it is difficult to confine its study to simple parameters. The Internet and e-commerce do not define a distinct area of law, as contract and tort law do. Electronic law crosses many legal disciplines, and existing laws address the majority of cybercrimes. The chapter explains that the Internet and digital networks create new vulnerabilities and methods that criminals can exploit for their own gain.