june 13 meeting notice - ISACA – Los Angeles Chapter
ISACALA.org LA Chapter

Inside: Meeting Notice; President's Message; Academic Relations; News Update; Monthly Article; New Members; Employment; Board

Chapter Officers

President: Cheryl Santor, CISSP, CISM, CISA, CCNA, CNE, Metropolitan Water District of Southern California, [email protected], (213) 217-6081
Vice President: Anita Montgomery, CISA, CIA, Countrywide Financial Corporation, [email protected], (805) 520-5482
Secretary: Amanda Xu, CISA, PMP, KPMG LLP, [email protected], (213) 955-8552
Treasurer: Martin Rojas, Countrywide Financial Corporation, [email protected], (805) 955-8731

Information Systems Audit and Control Association, June 2006

JUNE 13 MEETING NOTICE

MEETING TOPIC: Conducting an IT Governance Assessment

SPEAKERS: Ed Chavannes, Senior Manager, Technology and Security Risk Services, Ernst & Young, LLP; Debbie Lew, CISA, Manager, Technology and Security Risk Services, Ernst & Young, LLP

ABSTRACT: For this evening's dinner topic, Debbie Lew and Ed Chavannes of Ernst & Young will present how to conduct an assessment of an IT governance program. The presentation includes a Capability Maturity Model (CMM) based diagnostic tool (COBIT4) for assessing the "risk management" focus area of IT governance. After the initial presentation, a case study will be handed out to each table, and participants will apply the diagnostic tool to the case study to determine the current maturity level of the case example and develop recommendations for improvement. Participants will then share the results of their assessments with each other.

ABOUT THE SPEAKERS: Ed Chavannes is a Senior Manager in Ernst & Young's Technology and Security Risk Services and has over 20 years of information technology industry experience.
Ed has been with Ernst & Young since January 2002 and has led a broad range of advisory engagements involving IT internal controls, IT security, and IT risk management and governance. Debbie Lew, CISA, is a Manager in Ernst & Young LLP's Technology & Security Risk Services. She has held several positions with International ISACA, is currently a member of the Audit Committee, and is involved in the implementation of ISACA's ERM.

AGENDA:
5:00 PM to 5:30 PM  Registration and Social
5:30 PM to 6:30 PM  Dinner
6:30 PM to 8:30 PM  Program (2 hours CPE)

LOCATION: Monterey Hills Steak House, 3700 West Ramona Blvd., Monterey Park, CA 91754, (323) 264-8426

RATES:
                     Reserved   Walk-Ins or After June 9th
ISACA Members        $5         $25
Non-Members          $30        $40
Full-Time Students   $5         $15

Payment Methods: Cash and Checks (made payable to ISACA-LA) only. Reserve A.S.A.P.

President's Message, June 2006
BY CHERYL SANTOR

The Los Angeles Chapter's annual Spring Conference was bigger and better than ever. Comments and evaluations indicate those who attended were appreciative of the subjects and information they garnered from the conference. We are pleased to provide quality education opportunities for our members, including monthly meeting topics, seminars on specific subjects and the Spring Conference. Each year the board, directors and committee chairs dedicate their time and efforts to bring exciting new events and presentations for your benefit.

I am pleased to announce the Los Angeles Chapter is again the recipient of the K. Wayne Snipes award as the Best Very Large Chapter in North America, for the second year in a row. The award was presented at the annual Leadership Conference in Orlando, Florida, May 6-7, 2006. This is due to the hard work and dedication of the volunteers who work on chapter business each year. We will continue to strive to be the best in offering education, affiliation with other organizations and continued quality events for our members.

At the Leadership Conference, I was part of a panel discussion for new chapter officers. We shared ideas that the Los Angeles Chapter incorporates into our yearly activities. Other ideas came from chapters throughout the country. Some of these ideas may be beneficial to our own chapter, and we will discuss them during our planning meetings when we develop future activities. Interchange of ideas was beneficial to new chapter officers and came from chapters over the country. Ideas were discussed that may be beneficial to the Los Angeles chapter and will be discussed for future enhancement of activities and chapter business.

As we wind down this chapter year I want to express my continued dedication to the Los Angeles Chapter of ISACA. I have grown and expanded my intellect from being part of an ever increasing environment of quality provided by the chapter volunteers. I appreciate the people I work with and their efforts toward this organization. I look forward to continued service to ISACA in any capacity to enhance the community it serves.

During the months off, the chapter leaders will be planning next year's meetings, events, and spring conference. Have a great Summer!

Sincerely,
Cheryl Santor
Los Angeles Chapter President
[email protected]

CISA REVIEW COURSE

The CISA Review course is complete for the Spring Session; the last domain was presented on May 20, 2006. The exam is June 10, 2006. Please join me in wishing those sitting for the exam the best. The exam takers will get their results over the summer. We look forward to announcing those receiving their certifications when we begin our next year in September.

Please note: Upon receiving your CISA certification you will receive a letter of congratulations and an invitation to a complimentary monthly meeting of the Los Angeles Chapter to be presented with a CISA pin and acknowledged for your efforts.
Best wishes to all those taking the CISA and CISM exams!

Academic Relations and Research, June 2006
BY STEPHEN SHAR AND JAMES KOH

Congratulations Cal State Northridge student Vania Jara!

Congratulations to Vania Jara. She was recently presented an academic award, sponsored by the ISACA Los Angeles Chapter, at the CSUN Annual Awards banquet. She was selected based upon a combination of notable academic achievements, leadership qualities, and involvement in University and community activities. Vania is currently pursuing her undergraduate degree at Cal State Northridge, specializing in Information Systems/Information Technology. Congratulations, Vania!

Student Liaison Program / ISACA Student Chapter

ISACA LA is searching for one or two student representatives from local colleges and universities to promote ISACA LA events (dinner meetings, spring conference, CISA review, social events, etc.) and to assist with forming ISACA Student Chapters. Academic Relations offers free student membership for the selected student representatives. E-mail [email protected] for more information.

ISACA Student Membership (Only $25)

Two years ago, the ISACA International Board of Directors approved the reduction of ISACA Student Membership Dues. The International dues for students have been reduced from US $60 to US $25 annually. Also, student fees are waived for the Los Angeles Chapter. Please visit ISACA's student site at http://www.isaca.org and click on the link "Students & Educators" for more information.

Academic Relations Best Paper Contest

The ISACA LA Chapter is offering one or more awards totaling up to $1,500 to promote knowledge in Information Systems. Papers will be accepted from April 1, 2006 through June 30, 2006. Recipients will be selected in the summer, and winners will be announced at a Fall 2006 dinner meeting of the Los Angeles Chapter of ISACA.

Papers should be typed, a minimum of 2,500 words, and follow the Chicago Manual of Style using endnotes, rather than footnotes, to credit sources. Entry forms can be downloaded from the ISACA website at www.isacala.org, and completed papers can be emailed to academicrelations@isacala.org. Minimum criteria for the paper are:

• Original material on a current topic related to Information Systems
• Well researched, with the majority (>50%) of the references less than 2 years old
• Well organized and free from grammar and spelling errors
• Preference will be given to papers presented in a format that is easy to read and understand

All award recipients are subject to approval by the Board of Directors of the Los Angeles Chapter. Awards will not be given if candidates do not meet the minimum qualifying criteria. Send entries, questions or comments to [email protected]

Academic Scholarships

One or more scholarships totaling up to $2,000 are being offered to promote information systems. Candidates should submit a letter defining their qualifications for the scholarship, three letters of reference (school or work), and a copy of their transcript. The minimum qualifications for the scholarship are a Minor or Major in Information Systems Auditing, CIS, or a related major AND a GPA of 3.0 or greater (undergraduate) or 3.5 or greater (graduate). Preference will be given to those currently pursuing a career in Information Systems Auditing or who have published in the field of IS. Grade point average, number of articles published and level of professional involvement will also influence the selection. Entries for the scholarship will be accepted from April 1, 2006 through June 30, 2006. Recipient(s) will be selected following the entry deadline and the scholarship(s) will be presented at a Fall 2006 dinner meeting of the Los Angeles Chapter of ISACA.
All award recipients are subject to verification and approval by the Board of Directors of the Los Angeles Chapter. Send entries, questions or comments to [email protected]

News Update, June 2006

Another successful conference, with Senator Jackie Spier providing the keynote speech on privacy. From left to right: Everett Johnson, International President of ISACA and IT Governance Institute; Cheryl Santor, L.A. Chapter President; Senator Jackie Spier; Debbie Lew, Conference Chair; and Thomas Phelps, L.A. Chapter Immediate Past President.

During its meeting in February 2006, the COBIT Steering Committee decided to revise the current draft Assurance Step material to be independent of the Control Practices material and relate it directly to the Detailed Control Objectives in COBIT 4.1. To complete this task they invited experts in IT assurance from various industries to participate in a COBIT4 development workshop in L.A. from 5-7 April. The workshop was hosted by Ernst & Young. Thank you, Ernst & Young, for your support!

LEADERSHIP CONFERENCE: K. WAYNE SNIPES AWARD FOR 2005

At the Leadership Conference in Orlando, Florida, May 6-7, 2006, it was my privilege to accept on behalf of the Los Angeles Chapter the K. Wayne Snipes award for the second year in a row. The K. Wayne Snipes award is given to chapters for fulfilling requirements such as: promoting and achieving growth of the chapter, providing member education opportunities, affiliating with other associations (e.g., IIA, ISSA), and promoting and providing certification review courses for CISA and CISM, to name a few. The presentations were given out at lunch at the Leadership Conference. The Leadership Conference provides an opportunity to meet with like chapters to share and assist in promotions, chapter business methodologies, concerns and efforts.

The large chapter discussion centered on marketing methods, working with universities' faculty and students to promote programs geared toward information technology auditing and security, how meetings are held and conducted, and other chapter business. A panel discussion held on Sunday was geared toward assisting new chapter officers to orient them in chapter methods of performing their position responsibilities. Interactive participation was lively and ideas were shared, with lots of questions by new officers and directors. International participation by Megan Moritz and Steve Thorsted provided headquarters' ideas, while my participation was a first-hand experience, having held several positions in the chapter.

At the end of the conference there was a marketing display where the Los Angeles Chapter had many items of interest from our various marketing programs. On display were the CISA and CISM review course brochures, the brochure from the Spring Conference, the conference bag, portfolio and pens, the spring conference CD with the sessions, web pages from our website, pictures from the Spring Conference keynote speaker, Senator Jackie Speier, the 35th Anniversary party pictures, and the COBIT workshop pictures. The Los Angeles Chapter display was three dimensional and well received by conference attendees. Questions were posed and answered for ideas for marketing, and cards were exchanged to communicate further about methods of marketing.

CONGRATULATIONS, ED CHAVANNES!

Of the 19,000 professionals around the world who registered for the June 2005 Certified Information Systems Auditor exam, the highest score was achieved by Los Angeles member Ed Chavannes, a Technology & Security Risk Services (TSRS) senior manager with Ernst & Young. This widely recognized certification indicates excellence in the areas of Information Systems auditing, control and security. Ed's accomplishment was honored at the North America Computer Audit, Control and Security Conference in Orlando, Florida, on May 8, 2006. Ed will also be recognized in the Information Systems Audit and Control Association (ISACA) Global Communique newsletter as well as the ISACA Journal, which is distributed to over 50,000 ISACA members. Congratulations to Ed for this impressive achievement!

Let's Celebrate Success - 2006 Spring Conference!

We had another successful conference with over 250 participants. We appreciate the support provided by our sponsors, the membership, and the positive feedback that we received from participants. Thanks again to the conference committee for their time and effort: Aleksandra Davis, Countrywide Financial; Sandy Geffner, Valacon; Larry Hanson, Southern California Edison; Jane Hu, PricewaterhouseCoopers, LLP; Lisa Kinyon, Countrywide Financial; Frank Ness, Honda North America; David Lowe, Sony Pictures; Thomas Phelps, PricewaterhouseCoopers, LLP; Cheryl Santor, Metropolitan Water District; Stephen Shar, KPMG, LLP; Amanda Xu, KPMG, LLP. A special thanks to the designer of our conference brochure: Gretchen Kirsch, PricewaterhouseCoopers, LLP, Visual Communications Network. See you all next year! Our conference theme will be IT Governance and Risk Management.

Call For Volunteers

Are you interested in networking, gaining new skills, contributing to the profession and having fun? Look no further: volunteer for the Los Angeles Chapter. The chapter is seeking volunteers for the new chapter year in the areas of website design/development, CISA/CISM coordination, newsletter design and delivery, programs and meetings, and marketing. We are also seeking speakers for the new program year and the 2007 Conference next April. If you're interested in volunteering, send an email to [email protected].
IT Control Objectives for Sarbanes-Oxley, 2nd Edition

ITGI, ISACA and the contributors to IT Control Objectives for Sarbanes-Oxley, 2nd Edition, have designed this publication primarily as a reference for executive management and IT control professionals, including IT management and assurance professionals, when evaluating an organization's IT controls required by the US Sarbanes-Oxley Act of 2002. An exposure draft of the second edition is available for review and comment at www.isaca.org.

CISA and CISM Among DoD-approved Certifications

The US Department of Defense (DoD) Directive 8570.1, officially approved in December 2005, requires DoD information assurance (IA) workers to obtain a commercial certification accredited under ISO/IEC standard 17024. ISACA's CISA and CISM certifications, accredited by the American National Standards Institute (ANSI), are among only 13 certifications approved by the DoD. The DoD's IA professionals are classified into two broad categories, information assurance technical (IAT) and information assurance managerial (IAM), each divided into three levels. CISA is among the four approved baseline certifications for professionals at IAT level III, and CISM is among the three approved certifications for professionals at IAM levels II and III.

COBIT® Mapping: Overview of International IT Guidance, 2nd Edition

CIOs, CFOs, information security managers, auditors, and those involved in corporate and IT governance need a framework to compare international standards and guidance for managing the IT function. This second edition offers a global overview of the following international standards and guidance for IT control and IT security in relationship to COBIT 4.0: COSO, ITIL®, ISO/IEC 17799:2005, FIPS PUB 200, ISO/IEC TR 13335, ISO/IEC 15408:2005, PRINCE2®, PMBOK©, TickIT, CMMI, TOGAF 8.1, IT Baseline Protection Manual and NIST 800-14. It can serve as a road map to implementing guidance supporting IT governance.
For each of the international standards/guidance examined, the document provides a classification, a short overview of the contents, the business driver for implementing the guidance and the risks of noncompliance. This publication is posted for complimentary download at www.itgi.org and www.isaca.org/downloads.

CobiT User Convention, 22-23 June 2006, Chicago, Illinois, USA

Specifically designed for users of CobiT, this two-day event features case studies and facilitated discussion groups that address CobiT usage. The first day of the event will focus on case studies, and the second day will focus on user feedback, problem solving, question-and-answer opportunities, and future solutions. For more information and to register, please visit www.isaca.org/cobituserconvention.

International Conference, 30 July-2 August 2006, Adelaide, South Australia

The 34th Annual International Conference and Annual General Meeting of the Membership will include the following streams: IT Governance, IT Audit Management, IT Security Management and IT Risk Management. Pre- and post-conference workshop topics will include implementing CobiT, intrusion detection and incident response, Linux, information security governance, web-enabled applications security, and cybercrime. For more information and to register, please visit www.isaca.org/international.

Monthly Article, June 2006

The Modern Librarian – Hacking Google and other Search Engines – Part VII
The URL operators

In the previous section we looked at performing Google searches and switching the language of the Google interface, the language of the pages returned, and the country of origin of the web site. These are just a few of the operators that can be used inside the Google search URL. See if you can determine the Google search being performed with the query string below:

www.google.com/search?hl=es&lr=lang_es&restrict=countryES&q=isaca&as_qdr=y&num=100&as_filetype=pdf&as_ft=e&as_nlo=2001&as_nhi=2004&as_sitesearch=isaca.org&as_dt=e

In the next section we will start using advanced operators for more in-depth searches.

The Modern Librarian – Hacking Google and other Search Engines – Part VIII
Things to remember about Google searches

When it comes to searching Google there are many keys that can help you out. These are some of the more common pieces of advice:

1. Google is not case sensitive. JUSTIN PELTIER, justin peltier and even JuStIn PeLtIeR will all return the same results.

2. Google excludes common words. These are mostly articles and other very common words whose inclusion would not improve the results. For example, the search query

www.google.com/search?q=now+is+the+time+for+all+good+men+to+com+to+the+aid+of+their+contry

will have the following words excluded from the search: is, the, to, the, of, their.

3. Google uses wildcards. The * character stands for any single word in a search string. Google has no single-character wildcard; a period in a query is not treated as one.

4. Google truncates your search. For example:

google yahoo dogpile search engine overlap pittsburg pen state educational study msn jeeves amanda spink

will actually only search for:

yahoo search engine overlap pittsburg pen state educational study msn

This is ten terms, the limit for Google at the time of writing. Terms beyond the limit are silently dropped, so put the ones that matter first.

5. Google looks for variations of words for you automatically. For example:

www.google.com/search?q=sell+my+home

will also search for the variation on home: house.

6. Google only needs some Boolean operators. AND is implied between every term in a Google search. The other Boolean operations, OR and NOT, are available too: OR is written in capitals or shortened to the pipe symbol |, and NOT is expressed as a leading minus sign. The search string sell my home | house searches for "sell my" and either home or house, while sell my home -house searches for sell my home on pages that do not contain the word house.

7. Google can use synonyms. This is done with the tilde ~ character before the search word. For example, sell my ~home will search for both home and house.

8. Exact phrases need to be inside quotes. The search sell my home searches for sell AND my AND home; "sell my home" finds that exact phrase in the results.

Beyond the basic Google searches are the searches with the advanced operators. These operators allow you to search for different types of information and also to refine your Google search for more targeted results. Examples of these operators include cache, link, related, info, define, stocks, site and inurl. In the next section we will break down the function of each of these search operators and begin to search using these key Google components.

The Modern Librarian – Hacking Google and other Search Engines – Part IX
Advanced Operators

In previous sections we have discussed using advanced operators for searching Google; now we will begin dissecting them in greater detail. A number of these advanced operators are truly useful, some provide some use, and others are not truly useful. To get the most out of the Google advanced operators it is important to understand where each operator can be used.

Cache Operator

Let's begin by breaking down some of the most commonly used operators for Google searches. Perhaps the best operator to start with is the cache operator. Using this operator tells Google to serve the copy of the page in its own cache rather than pulling the information from the live web site. These cached pages may not be the most up-to-date versions of the pages. In fact, a search of

cache:peltierassociates.com

in late October pulls up a version of the page from July 15. The entire Peltier Associates site has changed since the date Google last cached the page.

Also, if you perform a packet capture of your connection to the Google cache you will notice that some of the traffic actually goes to the target site (in the example above, peltierassociates.com). This is because the cached HTML still references the images on the target web server, and your browser fetches them from there. In order to browse a site without sending any packets to the target, add strip=1 to the end of your search string:

www.google.com/search?q=cache:peltierassociates.com&strip=1

The strip parameter controls whether the images are fetched; setting it to 1 gives you Google's text-only copy, so nothing is requested from the target. If you rely on this for quiet reconnaissance, confirm it with a packet capture of your own rather than taking it on trust.

You can combine the cache operator with other search terms, as we have seen with other operators. For example:

www.google.com/search?q=cache:peltierassociates.com+FRAP&strip=1

This tells Google to search its cache for the peltierassociates.com web site, requires the word FRAP to appear on the page, and keeps the graphics from being downloaded from the peltierassociates.com web server.

Link Operator

The next search operator to discuss is the link operator. The link operator tells Google to return pages that contain links to the address you give it. For example, the following search string looks for sites that link to pelttech.com:

www.google.com/search?q=link:pelttech.com

The more of the URL you put into the link search, the more precise the results. For example, this search:

www.google.com/search?q=link:www.peltierassociates.com

will return fewer results than:

www.google.com/search?q=link:peltierassociates.com

Link searches always require the TLD, or top-level domain (.org, .net, .com and so on), to be included. Leaving out the TLD gives erroneous and poor results that usually point to sites that do not exist. For example:

www.google.com/search?q=link:peltierassociates

will return no results. When this search is performed against a larger site, eBay® for example, you will get a number of links that do not point anywhere.
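As an added example for Parts VII and VIII (it is not code from the original article or from Peltier Associates), the Python below decodes the parameters of a Google search URL of the kind shown in Part VII into the constraints they impose, and applies the stop-word and ten-term rules from Part VIII to a query to show which words actually reach the engine. The stop-word set is constructed from the article's own example rather than taken from Google, and decode_google_url and effective_terms are names chosen for this example.

```python
"""Decode the query-string parameters of a Google search URL.

Added example for Parts VII and VIII of this article; not code from the
original newsletter. Parameter meanings follow the article's description
(interface language, page language, country, date range, file type,
number range, site restriction). STOP_WORDS is constructed from the
article's example, not Google's real list; TERM_LIMIT is the ten-term
limit the article states.
"""
from urllib.parse import parse_qs, urlsplit

STOP_WORDS = {"is", "the", "to", "of", "their"}   # constructed from the article's example
TERM_LIMIT = 10                                   # limit stated in the article
DATE_RANGES = {"d": "past day", "w": "past week", "m": "past month", "y": "past year"}


def _params(url: str) -> dict:
    """Return the first value of every query-string parameter."""
    if "://" not in url:
        url = "http://" + url                 # the article writes URLs without a scheme
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in qs.items()}


def decode_google_url(url: str) -> dict:
    """Translate the search parameters into a readable description of the search."""
    p = _params(url)
    out = {}
    if "q" in p:
        out["query"] = p["q"]
    if "hl" in p:
        out["interface_language"] = p["hl"]
    if p.get("lr", "").startswith("lang_"):
        out["page_language"] = p["lr"][len("lang_"):]
    if p.get("restrict", "").startswith("country"):
        out["country"] = p["restrict"][len("country"):]
    if "as_qdr" in p:
        out["updated"] = DATE_RANGES.get(p["as_qdr"], p["as_qdr"])
    if "num" in p:
        out["results_per_page"] = int(p["num"])
    if "as_filetype" in p:
        # as_ft=i includes the file type, as_ft=e excludes it
        out["filetype"] = ("exclude " if p.get("as_ft") == "e" else "only ") + p["as_filetype"]
    if "as_nlo" in p or "as_nhi" in p:
        out["number_range"] = (p.get("as_nlo"), p.get("as_nhi"))
    if "as_sitesearch" in p:
        # as_dt=i restricts results to the site, as_dt=e excludes it
        out["site"] = ("exclude " if p.get("as_dt") == "e" else "only ") + p["as_sitesearch"]
    return out


def effective_terms(query: str) -> list:
    """Words Google actually matches: case folded, stop words dropped, capped at TERM_LIMIT."""
    words = [w.lower() for w in query.replace("+", " ").split()]
    kept = [w for w in words if w not in STOP_WORDS]
    return kept[:TERM_LIMIT]


if __name__ == "__main__":
    from pprint import pprint
    url = ("www.google.com/search?hl=es&lr=lang_es&restrict=countryES&q=isaca&as_qdr=y"
           "&num=100&as_filetype=pdf&as_ft=e&as_nlo=2001&as_nhi=2004"
           "&as_sitesearch=isaca.org&as_dt=e")
    pprint(decode_google_url(url))
    print(effective_terms("now is the time for all good men to com to the aid of their contry"))
```

Run it on the Part VII query string to check your reading of the exercise; the as_ft and as_dt flags are the ones most often misread, since "e" turns a filter into an exclusion.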
In the next section we will continue with the advanced operators and their functions on Google.

The Modern Librarian – Hacking Google and other Search Engines – Part X
Advanced Operators Continued

In the last section we looked at the cache and link operators. These operators can be used on a number of the Google search interfaces to find information that a regular search will not. In this section we will look at the related, info, define and stocks advanced operators.

Related Operator

The first advanced operator for this section is the related operator. This operator is designed to find web pages that are "similar" to a specified web page. For example, the following Google URL query:

www.google.com/search?q=related:pelttech.com

will yield other information technology and information security sites.

Info Operator

The next operator is the info operator. This returns the information Google holds about a web page, and the response usually includes links to the other advanced-operator searches (cache, link, related and so on) that can be run against that page. Here is what the URL query looks like:

www.google.com/search?q=info:pelttech.com

Define Operator

If you need to find the definition of a word on the Internet, the easiest way is to use a Google advanced operator. This is the define operator, which causes Google to search for definitions at common Internet reference sites. For example, a define search for arcfour should give you information about the arcfour (RC4) stream cipher.

Stocks Operator

The last operator for this section is handy, but does not do much for the information security professional. The stocks operator looks up information about the stock ticker that follows the operator. It expects the ticker symbol, not the company name. The nice part of this operator is that several organizations' stocks can be pulled up by adding each ticker after the operator:

www.google.com/search?q=stocks:ebay+yhoo+intc

This query should return stock information for eBay, Yahoo, and Intel.

In the next section we will look at more advanced operators and their function in our Google searches.

The Modern Librarian – Hacking Google and other Search Engines – Part XI
Advanced Operators Continued – Site Operator

In the last section we looked at several advanced operators. In this section we will look at operators used for gaining information about a target company or web site. The first operator to look at is the site operator. This operator restricts results to web sites in a given domain.
This means that if we want information on wireless networking from Microsoft we would perform the following search:

www.google.com/search?q=wireless+networking+site:microsoft.com

This is part of the search that we used in an earlier section to look for SSNs from educational or military sites. The leading dot does not have to be used before the mil or edu extensions; including the leading period does not affect the results of the query. This query is one that can be used in normal google searches to make the results more effective.

Allintitle and Intitle Operators

The next search to look at is the allintitle operator. This search and its related operator, the intitle search, will look for information in the title bar of a web site. The allintitle will look for any of the search words that follow the operator. For example:

www.google.com/search?q=allintitle:wireless+networking

will look to the google search database to pull all of the sites that have these words appear in the very top of the web browser. The related search to the allintitle is the intitle. The advantage to using intitle as opposed to the allintitle operator is that the allintitle operator cannot be used with other operators. This is because the allintitle operator will treat all additional operators as if they are search terms that should be listed in the title of the web page. The following is a common example of a URL search query that uses the intitle operator:

www.google.com/search?q=intitle:wireless

If we were to perform the following search:

www.google.com/search?q=intitle:wireless+networking

Google would look for sites that have the word wireless in the title space of the page and the word networking in the page itself. You can also perform string searches with the intitle operator. This would look something like the search below:

www.google.com/search?q=intitle:"wireless networking"

This search would look for titles of web pages that have the word wireless immediately before the word networking.

Allinurl and Inurl Operators

Both of these operators compare your search string with the URL for the page and then give the results. This is very useful when you are looking for information about a specific product or service that has been web enabled and has common web addresses associated with it. These searches can also be used for directory browsing to see if a specific directory exists on a system. Common allinurl and inurl searches look for products like Microsoft® Exchange®, Apache web servers, and other third party products like php based web boards. Just as above, the allinurl operator assumes that any words following the operator are part of the search query and therefore this operator should be used alone. The following example shows a google search that is looking for the words private and passwd in the same URL:

http://www.google.com/search?q=allinurl:private+passwd

The inurl operator functions in much the same way, but it tends to play nicer with other search operators. For the query below:

http://www.google.com/search?q=inurl:passwd+site:edu

google will look for URLs that contain passwd where the results come from educational domains.

Numrange Operator

The numrange operator is used for searching google for a string of numbers that fall between a high and low number. This search can be performed without the numrange operator, and in fact this is what we were doing in the original identity theft searches. One of the earlier searches that we performed was:

http://www.google.com/search?q=000000000..999999999+SSN

This search tells google to look for the numbers 000000000 through 999999999. This search by itself will return 8.9 trillion sites. The way that we reduced our search was through the additional search query of SSN.
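The operator rules stated in Parts X and XI (link:, related: and info: need a host with its TLD, allintitle: and allinurl: cannot be combined with other operators, and a quoted phrase has to survive URL encoding) can be enforced in a small query builder. The following is an added example, not code from the article or from Peltier Associates: the operator table, the helper names and the https://www.google.com/search base URL are this example's own assumptions, and it only builds and checks the URL, it never sends a request.

```python
"""Query-string builder for the google advanced operators covered in
Parts X and XI. Added example, not from the article: the operator sets,
function names and BASE_URL are assumptions of this example."""
from urllib.parse import urlencode, urlparse, parse_qs

BASE_URL = "https://www.google.com/search"  # assumption: base used for every query

# Operators that take a web site and, per the article, need the TLD included.
HOST_OPERATORS = {"link", "related", "info"}
# Operators that treat everything after them as search terms, so they
# cannot be combined with any other operator.
EXCLUSIVE_OPERATORS = {"allintitle", "allinurl"}
OTHER_OPERATORS = {"site", "intitle", "inurl", "cache", "define", "stocks"}
KNOWN_OPERATORS = HOST_OPERATORS | EXCLUSIVE_OPERATORS | OTHER_OPERATORS


class QueryError(ValueError):
    """Raised when a query breaks one of the operator rules."""


def has_tld(host: str) -> bool:
    """True for pelttech.com (two non-empty labels, alphabetic last label),
    False for a bare name such as peltierassociates."""
    labels = host.lower().split(".")
    return len(labels) >= 2 and all(labels) and labels[-1].isalpha()


def split_term(term: str):
    """Return (operator, value) when the term starts with a known operator,
    otherwise (None, term). A quoted phrase is always a plain term."""
    op, sep, value = term.partition(":")
    if sep and op.lower() in KNOWN_OPERATORS and not term.startswith('"'):
        return op.lower(), value
    return None, term


def build_query(*terms: str) -> str:
    """Join the terms into the q= value, enforcing the article's rules."""
    if not terms:
        raise QueryError("a query needs at least one term")
    ops = []
    for term in terms:
        op, value = split_term(term)
        if op is None:
            continue                      # plain word or quoted phrase
        if not value:
            raise QueryError(f"{op}: needs a value")
        if op in HOST_OPERATORS and not has_tld(value):
            raise QueryError(f"{op}: requires a host with a top level domain, got {value!r}")
        ops.append(op)
    if any(op in EXCLUSIVE_OPERATORS for op in ops) and len(ops) > 1:
        raise QueryError("allintitle/allinurl cannot be combined with other operators")
    return " ".join(terms)


def build_url(*terms: str) -> str:
    """Full search URL: spaces become +, ':' and '"' are percent-encoded."""
    return BASE_URL + "?" + urlencode({"q": build_query(*terms)})


def query_from_url(url: str) -> str:
    """Decode the q= parameter back out of a URL (round-trip check)."""
    return parse_qs(urlparse(url).query)["q"][0]


def is_rejected(*terms: str) -> bool:
    """True when the terms violate a rule (used for negative checks)."""
    try:
        build_query(*terms)
    except QueryError:
        return True
    return False


def numrange(low: int, high: int, width: int) -> str:
    """Render a fixed-width numrange term such as 000000000..999999999."""
    if low > high:
        raise QueryError("numrange low must not exceed high")
    return f"{low:0{width}d}..{high:0{width}d}"


if __name__ == "__main__":
    print(build_url("link:pelttech.com"))
    print(build_url("wireless", "networking", "site:microsoft.com"))
    print(build_url('intitle:"wireless networking"'))
    print("rejected:", is_rejected("link:peltierassociates"))
```

The round trip through query_from_url is the useful check when reading a logged query string: the encoded form intitle%3A%22wireless+networking%22 decodes back to the phrase search the article shows, while an unquoted intitle:wireless+networking decodes to two separate words, which is exactly the difference the text describes.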
This meant that not only did the numbers have to fall in the range of 000000000 through 999999999 but the web page also needed to have the phrase SSN in it. The numrange operator can yield the most damaging information for identity thieves. Look at the example search below:

www.google.com/search?q=4011000000000000..4011999999999999+visa

This search will look for all numbers that are 16 characters in length where the web page also has the word visa in it. This search has the ability to yield valid credit card numbers.

Remember what we discussed in previous sections: the period and the asterisk can be used as wildcards in search strings. With some playing you can make your searches target exactly what you want to.

Daterange Operator

The daterange operator is used to look for pages that have been indexed within a certain period of time. The daterange must be the first date that you are interested in and the last date. This will define the range. The difficulty is that the dates need to be displayed in Julian format and the conversion process is not an easy one. The best way to truly perform a date search is to use the Goofresh site at http://www.researchbuzz.org/2003/09/goofresh.shtml

The Modern Librarian – Hacking Google and other Search Engines – Part XII
Things to try

This is the final section of our exploration of search engines and the world of google. To leave you off with some fun I have listed some common searches that you can perform through google. In many cases you will get some very interesting results from these searches.

allinurl:passwd.txt site:purdue.edu

This should yield at least one result for a student at Purdue University that saved his password in a text file on his web site. What a naughty student!

You can also specify not just one single domain to search with the command above, but you can search all top level domains like .com, .net, .edu, .org. This type of search would look something like the following:

allinurl:config.txt site:.gov

This will search all urls for the string config.txt that end with the .gov extension. This can be a fun thing to look for. Try several different documents that you might think would be of value to an attacker.

Here are some search strings to try:

"Index of /admin"
"Index of /secret"
"Index of /cgi-bin" site:edu

Those search strings listed above attempt to locate directories that allow directory browsing on web servers. Directory browsing allows us to see files on the system and not just the HTML web page that most visitors usually see.

Passwords Files Disclosure:
inurl:password.txt
allinurl:passwd.txt site:website name
"index of/" + passwd.txt
"index of/" +users.pwd +authors.pwd +administrators.pwd

Bulletin Board System password file disclosure:
allinurl:/wwwboard/passwd.txt

HTTP Credentials Disclosure:
http://admin:*@www

Sensitive Files Access:
allinurl:/.bash_history

Sensitive Directories Access:
"index of /members" + "Parent Directory"
"index of /private" + "Parent Directory"
"index of /admin" + "Parent Directory"

Microsoft Outlook Web Access Anonymous Logon:
inurl:exchange/root.asp?acs=anon

Confidential Information's Leak:
"Do not distribute"
"Internal use only"
"Internal use only" filetype.pdf

Apache:
"It Worked!" + "Test Page for Apache Installation on Web Site"

Proxy and Terminal (RDP) servers:
inurl:8080
inurl:tsweb site.edu

For fun try this search at Yahoo:
Source:input=hidden

Google used to also allow source operator searches, but the functionality has long since been removed from google. As of October Yahoo still allows this type of search. This search actually looks at the HTML of a web page, not the displayed information. This allows an attacker to look into the actual code of a web page for security holes.

These are sections 7-12 of a 12 part article.
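Everything the Part XII searches turn up (listable directories, passwd.txt and config.txt files, .bash_history, the .pwd files, card and SSN numbers, "Internal use only" documents) is visible to the site owner first by walking the document root. The following is an added example, not code from the article or from Peltier Associates: a Python audit that walks a web root (a constructed temporary one here, built by build_sample_webroot) and reports directories with no index file, the file names the article's searches target, Luhn-valid 16-digit numbers and hyphenated SSN-shaped numbers in text files, and the two confidentiality markers. Function names, the index-file and extension lists, and the sample files are this example's own assumptions.

```python
"""Web-root exposure audit. Added example, not code from the article:
walks a document root and reports what the Part XII searches would find.
The sample root from build_sample_webroot() is constructed for this
example; findings are returned as (relative path, kind, detail)."""
import os
import re
import tempfile

# File names the article's search strings target.
SENSITIVE_NAMES = {"passwd.txt", "password.txt", "config.txt", ".bash_history",
                   "users.pwd", "authors.pwd", "administrators.pwd"}
# Without one of these a directory is served as a listing when autoindex is on
# (assumption: these are the index names the server is configured with).
INDEX_FILES = {"index.html", "index.htm", "index.php"}
# Phrases the "Confidential Information's Leak" searches key on.
MARKERS = ("do not distribute", "internal use only")
TEXT_EXTENSIONS = {".html", ".htm", ".txt", ".php", ".csv"}

PAN_RE = re.compile(r"(?<!\d)(\d{16})(?!\d)")   # 16-digit runs, like the numrange search
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")    # hyphenated SSN shape


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: a 16-digit run that passes is worth treating as a card
    number; 4111111111111111 passes, 4111111111111112 does not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text: str):
    """Return (kind, masked detail) findings for one file's contents."""
    findings = []
    for m in PAN_RE.finditer(text):
        if luhn_ok(m.group(1)):
            findings.append(("pan", m.group(1)[:6] + "**********"))   # keep only the BIN
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", "***-**-" + m.group(0)[-4:]))
    lowered = text.lower()
    for marker in MARKERS:
        if marker in lowered:
            findings.append(("marker", marker))
    return findings


def audit_webroot(root: str):
    """Walk root and collect (relative path with '/', kind, detail) findings."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        if not INDEX_FILES & set(filenames):
            findings.append((rel_dir, "no-index", "listable if autoindex is enabled"))
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel_path = os.path.relpath(path, root).replace(os.sep, "/")
            if name in SENSITIVE_NAMES:
                findings.append((rel_path, "sensitive-name", name))
            if os.path.splitext(name)[1].lower() in TEXT_EXTENSIONS:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    for kind, detail in scan_text(fh.read()):
                        findings.append((rel_path, kind, detail))
    return findings


def build_sample_webroot() -> str:
    """Create a constructed document root in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    files = {  # constructed sample content, no real data
        "index.html": "<html><body>public home page</body></html>",
        os.path.join("admin", "passwd.txt"): "placeholder credential file (constructed)\n",
        os.path.join("docs", "index.html"):
            "<p>orders: 4111111111111111 and 4111111111111112</p>",
        os.path.join("docs", "policy.txt"):
            "INTERNAL USE ONLY. Employee record 123-45-6789 (constructed sample)",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for finding in sorted(audit_webroot(build_sample_webroot())):
        print(*finding, sep="  ")
```

The Luhn filter matters because the numrange search matches any 16-digit run; of the two numbers in docs/index.html only the first passes the checksum, so only it is reported, and the report masks everything past the first six digits so the audit output does not itself become the leak it is looking for.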
Justin Peltier
Senior Security Consultant
Peltier Associates
email: [email protected]

Welcome New Los Angeles Members

Anslem Oshionebo Bhaskar Manam Stanley Belotinsky Siemens Kim Iannone Shahidul Mannan Aames Financial Corp. Francis Morelos Jacqueline Ndiforchu Rohan Thacker David Blackett Michael Do Joseph Guintu Pamela Rosendale Anand Joshi Eri Ogura David Kolchins Cornelia Watkins Robert Davis Frank Villarreal Russell Rapp Wesley Read Sasitorn Siripimol Vicky Hare Devang Thacker Angel Navarro Paul Yu Brenda Chau Joseph Soriano DreamWorks Animation SKG Amgen, Inc. UCLA Audit and Advisory Deloitte & Touche UCLA Audit & Advisory Services Perot Systems PriceWaterhouseCoopers, LLP KPMG Walt Disney Company Kaiser Permanente Ernst and Young LLP BT Infonet The Capital Group, Inc ANC Network Integration Amgen Lisa Fetters Tracy Liang Noel Heredia Mattel Ernst & Young Heredia Associates Paul Kowal Lindsey Kudo Erik Pampalone Cydcor KPMG

Albert Cheung Healthnet Inc. Riju Parakh Arpi Shakhbandaryan Kristin Van Der Velden Israel Nemany Cecily Alangaden Christopher Anderson Tracy Chiang Brian Mclamore KPMG PricewaterhouseCoopers, LLP WellPoint, Inc.
Ernst & Young Farmers Insurance Deloitte & Touche, LLP Deloitte & Touche, LLP Argonne National Laboratory Siddharth Thakkar KPMG Peter Lam Union Bank of California Sherry Cross Countrywide Financial Corp Mohsen El-Raheb Beth Jones Southern California Edison Rebecca Mamos Debra DelMar Disney Disney Worldwide Services Dave Kythe Zurich Financial Services/ Farmers Insura Jose Mathew Monica Jain Karen Kato Vadim Zdor Kristina Antonyan Laotong Ea Carmina Amor Driz Michael Carrier David Wong Mark Jacoby Arthur Lessard Nathaniel Clark Jie He Christy Shum Covansys Corporation Robbins Bros AIG UCLA Audit & Advisory Services Southern California Edison Macerich TWDC PricewaterhouseCoopers LLP Farmers Insurance Group

Aurora McNabb Chukwumah Biosah Steve Chung Charles Corpuz CEB ABL Audit Group Loyola Marymount University Katherine Fortune Deloitte & Touche Jonathan Huynh John Georger Ion Gott Younghak Lee University of Southern California Christopher Schroeder Mike Vong Gordon Eng Keenen Milner Canaudit, Inc. Carol Henderson Sushma Vittalarao Panchalam Seshan Cal Poly, Pomona BDO Seidman, LLP GHC Information Systems, LLC

Employment Opportunities

Employment Ads

SOUTHERN CALIFORNIA EDISON
IT Auditor
Rosemead, California
JOB DESCRIPTION
• While your day-to-day responsibility will be to ensure overall IT infrastructure viability, your continuing focus will be to assess business/management implications of control issues in relation to broader strategic concerns. This will entail auditing computer applications/operations, information security and continuity processes; performing fieldwork including risk assessment, program development testing and controls evaluations; writing summary reports and following through on evaluations.
EXPERIENCE
• The qualified candidate will have a B.A.
in IT or Business Administration; 3-6 years' experience each in IT and internal auditing plus relevant in-depth knowledge; strong understanding of mainframe or multiplatform, networked computing environments; and proven project management and risk analysis/evaluation skills. Requires approximately 30% domestic travel. CIA, CISA or CISSP certification preferred.
CONTACT EMAIL: To learn more about this opportunity and/or to apply, visit us at: www.edisonjobs.com

Over 20+ Opportunities
Auditor 1 (Financial Audit), JP23288
Auditor 2 (Financial Audit), JP23290, JP23291
Auditor 3 (Financial Audit), JP23292, JP23293
Auditor 4 (Financial Audit), JP23294, JP29295
Manager (Operational Audit), JP23400
Auditor (Operational), JP22917, JP22918, JP22919
Auditor (IT), JP22533
Sr. Product/Project Manager, Tivoli Security Systems, JP21978
Information Security Analyst, JP22776, JP22837
Information Security Specialist, JP22360
IT Security Engineer, JP23751
Sr. Information Security Analyst, JP22775, JP22777
Sr. Security System Engineer, JP23601

===========================
GUITAR CENTER
Internal IT Audit Manager
Westlake Village, California
JOB DESCRIPTION
• Responsibilities include a wide range of integrated and risk-based financial, operational, compliance, and IT audit reviews, including risk assessment, audit planning and budgeting, technical reviews of security, networks, operating systems, microcomputers, applications, SOX compliance, business continuity planning. Report development/presentations to management. More….
EXPERIENCE
• Certification (CPA, CIA, or CISA) with 5+ years of progressive IT audit experience in Big 4 or private industry internal audit department.
• Business or Computer Science degree.
• Excellent oral/writing skills required. Experience with ACL, Peoplesoft, and/or MBA preferred.
• 20-30% travel expected.
CONTACT EMAIL
• [email protected]
CONTACT PHONE
• FAX: 818-735-0941
• Joe Borcover, Director of Recruitment 818-735-8800 x2576

===========================
TOYOTA FINANCIAL SERVICES
IT INTERNAL AUDITOR
TORRANCE, CA
EQUAL OPPORTUNITY EMPLOYER
JOB DESCRIPTION
• Conducting information technology audits.
• Developing and refining the TFS internal audit program.
• Developing and maintaining strong working knowledge of internal and IT Audit best practices.
• Perform tests of IT related controls over financial reporting required under SOX Section 404.
• Evaluating audit results and developing final recommendations for Internal Audit Manager review.
EXPERIENCE
• CISA preferred.
• B.A./B.S.
• 5+ years of IT audit or related experience.
• IT experience in networking, distributed systems, and security preferred.
• Working knowledge of Microsoft Office products (Word, Excel, Access, etc.).
CONTACT
To apply for this position, please visit www.toyotafinancial.com/jobs and enter job number TFS00247 in the Keyword Search area.

===========================
VALACON, INC.
"We Practice Quality"
We live in an ever-changing marketplace where new opportunities come and go at a rapid pace. How can you identify opportunities that are right for you? How can you attract qualified employees to the opportunities you offer? Outstanding career moves and outstanding candidates don't usually just appear out of the blue. They are a result of effort and careful screening and matching.
In addition to his 14 years of recruiting experience, Sandy Geffner was an IT Audit director and manager for eight years and a Big 4 consultant prior to that. He has passed the CISA and CPA exams. If you are looking for an opportunity that's right for you, or a person who's right for your opening, let him put his 20+ years of experience to work on your behalf.

PARTIAL LIST OF JOB POSTINGS
• Senior IT Audit Manager - Entertainment Company. Diverse environment. Experienced management skills. Strong IT/Business/Risk understanding. Combo of Big4/Private exp is pref. Need excellent communication skills. $110-130k.
• Financial Services Co. – Unique position. Work with IT groups to reduce / eliminate control weaknesses. Controls background necessary. IT experience +++. Call for more details
• IT Audit Director – Financial Services Co. Oversee staff of 6 – 9. Wide range of IS audits. Provide vision, mentoring, and direction. Need leadership, communication and risk/controls skills with a history of management exp. Salary $120 to $140k+ DOE
• IT Audit Managers and Seniors – Big 4 and other Public Firms. Diversified skillsets needed. Good interpersonal/communications skills necessary. Salary $70s - $100s
• Call for other openings in Southern California.
• Northern California: IS Audit Manager, Senior, and staff

Sandy Geffner
Phone: (626) 296-2751
Fax: (626) 296-2760
Email: [email protected]
Valacon, Inc., P.O.
Box 6136, Altadena, CA 91003-6136
www.valacon.com

Information Systems Audit and Control Association
Los Angeles Chapter
PO Box 712726
Los Angeles, CA 90071
www.isacala.org

ISACA LOS ANGELES CHAPTER BOARD OF DIRECTORS
Thomas Phelps IV, CISA, Chief Operations Officer - Past President, PricewaterhouseCoopers LLP, [email protected], (626) 590-9995
Debbie Lew, CISA, Spring Conference Chair, Director, Ernst & Young LLP, [email protected], (818) 703-4728
Larry Hanson CPA, CISA, CIA, Director & Chief Technology Officer, Director, Southern California Edison, [email protected], (626) 302-9956
David Lowe CISA, CISSP, Seminars Chair, Director, Sony Pictures Entertainment, [email protected], (310) 665-6630
Greg Ash, CISA, CISA Review Course Chair - Director, Southern California Edison, [email protected], (626) 302-9959
Edson Gin CISA, CFE, SSCP, Co-Webmaster Chair, Director, City National Bank, [email protected]

ASSOCIATE DIRECTORS & VOLUNTEERS
Roger Lux, Employment Chair, Farmers Insurance, [email protected]
Constance Slack, Membership Committee, Ingram Micro, [email protected]
Chauncey Tse, Co-Webmaster, WellPoint, [email protected]
John Barger, Newsletter Editor, Countrywide, [email protected]
Luke Kwo, Seminar Chair
Frank Ness, CISA, Spring Conference and Marketing - Associate Director, Honda North America, [email protected], (310) 781-4673
Sandy Geffner, Registrations Chair, Associate Director, Valacon, Inc., [email protected], (626) 296-2751
Michelle Quan, CPA, Audit Chair, PricewaterhouseCoopers
Mark Stanley, CISA, Membership Chair - Associate Director, Toyota Financial Services, [email protected]
Stephen Shar, Academic Relations Chair, KPMG LLP, [email protected], (310) 468-8587, academicrelations@isacala.org
Jane Hu, Marketing Committee Chair, PricewaterhouseCoopers LLP, [email protected]