june 13 meeting notice - ISACA – Los Angeles Chapter

ISACALA.org
LA Chapter
Inside
Meeting Notice ..........1
President’s Message ...2
Academic Relations ....3
News Update ............4
Monthly Article .........7
New Members .........13
Employment ...........15
Board ....................17
Chapter Officers
President: Cheryl Santor, CISSP, CISM, CISA, CCNA, CNE, Metropolitan Water District of Southern California, [email protected], (213) 217-6081
Vice President: Anita Montgomery, CISA, CIA, Countrywide Financial Corporation, [email protected], (805) 520-5482
Secretary: Amanda Xu, CISA, PMP, KPMG LLP, [email protected], (213) 955-8552
Treasurer: Martin Rojas, Countrywide Financial Corporation, [email protected], (805) 955-8731
Information Systems Audit and Control Association
June 2006
JUNE 13 MEETING NOTICE

MEETING TOPIC: Conducting an IT Governance Assessment

SPEAKERS:
Ed Chavannes, Senior Manager, Technology and Security Risk Services, Ernst & Young, LLP
Debbie Lew, CISA, Manager, Technology and Security Risk Services, Ernst & Young, LLP

ABSTRACT:
For this evening’s dinner topic, Debbie Lew and Ed Chavannes of Ernst & Young will be presenting information on how to conduct an assessment of an IT governance program. Included in the presentation will be a Capability Maturity Model (CMM) based diagnostic tool (COBIT4) which will assist in assessing the “risk management” focus area of IT governance. After the initial presentation, a case study will be handed out to each table, where the participants will have the opportunity to apply the diagnostic tool to the case study to determine the current level of maturity of the case example and develop recommendations for improvement. Information will be shared between the participants on the results of the assessment.

ABOUT THE SPEAKERS:
Ed Chavannes is a Senior Manager in Ernst & Young’s Technology and Security Risk Services and has over 20 years of information technology industry experience. Ed has been with Ernst & Young since January 2002 and has led a broad range of advisory engagements involving IT internal controls, IT security, and IT risk management and governance.

Debbie Lew, CISA, is a Manager at Ernst & Young LLP in Technology & Security Risk Services. She has held several positions with International ISACA and is currently a member of the Audit Committee, and is involved in the implementation of ISACA’s ERM.

AGENDA:
5:00 PM to 5:30 PM  Registration and Social
5:30 PM to 6:30 PM  Dinner
6:30 PM to 8:30 PM  Program (2 hours CPE)

LOCATION:
Monterey Hills Steak House
3700 West Ramona Blvd.
Monterey Park, CA 91754
(323) 264-8426

Rates                 Reserved   Walk-Ins or After June 9th
ISACA Members         $5         $25
Non-Members           $30        $40
Full-Time Students    $5         $15

Payment Methods: Cash and Checks (made payable to ISACA-LA) only. Reserve A.S.A.P.
President’s Message
BY CHERYL SANTOR

The Los Angeles Chapter’s annual Spring Conference was bigger and better than ever. Comments and evaluations indicate those who attended were appreciative of the subjects and information they garnered from the conference. We are pleased to provide quality education opportunities for our members, including monthly meeting topics, seminars on specific subjects and the Spring Conference. Each year the board, directors and committee chairs dedicate their time and efforts to bring exciting new events and presentations for your benefit.

I am pleased to announce the Los Angeles Chapter is again the recipient of the K. Wayne Snipes award as the Best Very Large Chapter in North America, for the second year in a row. The award was presented at the annual Leadership Conference in Orlando, Florida, May 6-7, 2006. This is due to the hard work and dedication of the volunteers who work on chapter business each year. We will continue to strive to be the best in offering education, affiliation with other organizations and continued quality events for our members.

At the Leadership Conference, I was part of a panel discussion for new chapter officers. We shared ideas that the Los Angeles Chapter incorporates into our yearly activities. Other ideas came from chapters throughout the country. Some of these ideas may be beneficial to our own chapter, and we will discuss them during our planning meetings when we develop future activities. Interchange of ideas was beneficial to new chapter officers and came from chapters over the country. Ideas were discussed that may be beneficial to the Los Angeles chapter and will be discussed for future enhancement of activities and chapter business.

As we wind down this chapter year I want to express my continued dedication to the Los Angeles Chapter of ISACA. I have grown and expanded my intellect from being part of an ever increasing environment of quality provided by the chapter volunteers. I appreciate the people I work with and their efforts toward this organization. I look forward to continued service to ISACA in any capacity to enhance the community it serves.

During the months off, the chapter leaders will be planning next year’s meetings, events, and spring conference. Have a great Summer!

Sincerely,
Cheryl Santor
Los Angeles Chapter President
[email protected]

CISA REVIEW COURSE
The CISA Review course is complete for the Spring Session; the last domain was presented on May 20, 2006. The exam is June 10, 2006. Please join me in wishing those sitting for the exam the best. The exam takers will get their results over the summer. We look forward to announcing those receiving their certifications when we begin our next year in September. Please note: Upon receiving your CISA certification you will receive a letter of congratulations and an invitation to a complimentary monthly meeting of the Los Angeles Chapter to be presented with a CISA pin and acknowledged for your efforts.

Best wishes to all those taking the CISA and CISM exams!
Academic Relations and Research
BY STEPHEN SHAR AND JAMES KOH

Congratulations Cal State Northridge student Vania Jara!
Congratulations to Vania Jara. She was recently presented an academic award, sponsored by the ISACA Los Angeles Chapter, at the CSUN Annual Awards banquet. She was selected based upon a combination of notable academic achievements, leadership qualities, and involvement in University and community activities. Vania is currently pursuing her Undergraduate degree at Cal State Northridge, specializing in Information Systems/Information Technology. Congratulations, Vania!

Student Liaison Program / ISACA Student Chapter
ISACA LA is searching for one or two student representatives from local colleges and universities to promote ISACA LA events (dinner meetings, spring conference, CISA review, social events, etc.) and to assist with forming ISACA Student Chapters. Academic Relations offers free student membership for the selected student representatives. E-mail academicrelations@isacala.org for more information.

ISACA Student Membership (Only $25)
Two years ago, the ISACA International Board of Directors approved the reduction of ISACA Student Membership Dues. The International dues for students have been reduced from US $60 to US $25 annually. Also, student fees are waived for the Los Angeles Chapter. Please visit ISACA’s student site at http://www.isaca.org and click on the link “Students & Educators” for more information.

Academic Relations Best Paper Contest
The ISACA LA Chapter is offering one or more awards totaling up to $1,500 to promote knowledge in Information Systems. Papers will be accepted from April 1, 2006 through June 30, 2006. Recipients will be selected in the summer, and winners will be announced at a Fall 2006 dinner meeting of the Los Angeles Chapter of ISACA.

Papers should be typed, a minimum of 2,500 words, and follow the Chicago Manual of Style using endnotes, rather than footnotes, to credit sources. Entry forms can be downloaded from the ISACA website at www.isacala.org, and completed papers can be emailed to academicrelations@isacala.org.

Minimum criteria for the paper are:
• Original material on a current topic related to Information Systems
• Well researched, with the majority (>50%) of the references less than 2 years old
• Paper must be well-organized and free from grammar and spelling errors
• Preference will be given to papers that are presented in a format that is easy to read and understand.

All award recipients are subject to approval by the Board of Directors of the Los Angeles Chapter. Awards will not be given if candidates do not meet minimum qualifying criteria.

Send entries, questions or comments to [email protected]

Academic Scholarships
One or more scholarships totaling up to $2,000 are being offered to promote information systems. Candidates should submit a letter defining their qualifications for the scholarship, three letters of reference (school or work), and a copy of their transcript.

The minimum qualifications for the scholarship are a Minor or Major in Information Systems Auditing, CIS, or related major AND a GPA of 3.0 or greater (undergraduate) or 3.5 or greater (graduate).

Preference will be given to those currently pursuing a career in Information Systems Auditing or who have published in the field of IS. Grade point average, number of articles published and level of professional involvement will also influence the selection.

Entries for the scholarship will be accepted from April 1, 2006 through June 30, 2006. Recipient(s) will be selected following the entry deadline and the scholarship(s) will be presented at a Fall 2006 dinner meeting of the Los Angeles Chapter of ISACA. All award recipients are subject to verification and approval by the Board of Directors of the Los Angeles Chapter.

Send entries, questions or comments to [email protected]
News Update

Another successful conference, with Senator Jackie Speier providing the keynote speech on privacy.
From left to right: Everett Johnson, International President of ISACA and IT Governance Institute; Cheryl Santor, L.A. Chapter President; Senator Jackie Speier; Debbie Lew, Conference Chair; and Thomas Phelps, L.A. Chapter, Immediate Past President.

During its meeting in February 2006, the COBIT Steering Committee decided to revise the current draft Assurance Step material to be independent of the Control Practices material and relate them directly to the Detailed Control Objectives in COBIT 4.1. To complete this task they invited experts in IT assurance from various industries to participate in a COBIT4 development workshop in L.A. from 5-7 April. The workshop was hosted by Ernst & Young. Thank you Ernst & Young for your support!
LEADERSHIP CONFERENCE
K. WAYNE SNIPES AWARD FOR 2005
At the Leadership Conference in Orlando, Florida May 6-7, 2006, it was my privilege to accept on behalf of the Los Angeles Chapter the K. Wayne Snipes award for the second year in a row. The K. Wayne Snipes award is given to chapters for fulfilling requirements such as: promoting and achieving growth of the chapter, providing member education opportunities, affiliating with other associations, e.g., IIA, ISSA, promoting and providing certification review courses for CISA and CISM, to name a few.

The presentations were given out at lunch at the Leadership Conference. The Leadership Conference provides an opportunity to meet with like chapters to share and assist in promotions, chapter business methodologies, concerns and efforts. The large chapter discussion centered on marketing methods, working with universities’ faculty and students to promote programs geared toward information technology auditing and security, how meetings are held and conducted and other chapter business.

A panel discussion held on Sunday was geared toward assisting new chapter officers to orient them in chapter methods of performing their position responsibilities. Interactive participation was lively and ideas shared with lots of questions by new officers and directors. International participation by Megan Moritz and Steve Thorsted provided headquarters’ ideas while my participation was a first hand experience having held several positions in the chapter.

At the end of the conference there was a marketing display where the Los Angeles Chapter had many items of interest from our various marketing programs. On display were the CISA and CISM review course brochures, the brochure from the Spring Conference, the conference bag, portfolio and pens, the spring conference CD with the sessions, web pages from our website, pictures from the spring Conference Keynote speaker – Senator Jackie Speier and the 35th Anniversary party pictures as well as the COBIT workshop pictures. The Los Angeles Chapter display was three dimensional and well received by conference attendees. Questions were posed and answered for ideas for marketing and cards exchanged to communicate further about methods of marketing.
CONGRATULATIONS!!!!!! ED CHAVANNES
Of the 19,000 professionals around the world who registered for the June 2005 Certified Information Systems Auditor exam, the highest score was achieved by Los Angeles member Ed Chavannes, a Technology & Security Risk Services (TSRS) senior manager with Ernst & Young. This widely recognized certification indicates excellence in the areas of Information Systems auditing, control and security.

Ed’s accomplishment was honored at the North America Computer Audit, Control and Security Conference in Orlando, Florida, on May 8, 2006. Ed will also be recognized in the Information Systems Audit and Control Association (ISACA) Global Communique newsletter as well as the ISACA Journal that’s distributed to over 50,000 ISACA members. Congratulations to Ed for this impressive achievement!

Let’s Celebrate Success - 2006 Spring Conference!
We had another successful conference with over 250 participants. We appreciate the support provided by our sponsors, the membership and the positive feedback that we received from participants. Thanks again to the conference committee for their time and effort: Aleksandra Davis, Countrywide Financial; Sandy Geffner, Valacon; Larry Hanson, Southern California Edison; Jane Hu, PricewaterhouseCoopers, LLP; Lisa Kinyon, Countrywide Financial; Frank Ness, Honda North America; David Lowe, Sony Pictures; Thomas Phelps, PricewaterhouseCoopers, LLP; Cheryl Santor, Metropolitan Water District; Stephen Shar, KPMG, LLP; Amanda Xu, KPMG, LLP.

A special thanks to the designer of our conference brochure - Gretchen Kirsch, PricewaterhouseCoopers, LLP, Visual Communications Network.

See you all next year! Our conference theme will be IT Governance and Risk Management.
Call For Volunteers
Are you interested in networking, gaining new skills, contributing to the profession and having fun? Look no further - volunteer for the Los Angeles Chapter. The chapter is seeking volunteers for the new chapter year in the areas of website design/development, CISA/CISM coordination, newsletter design and delivery, programs and meetings, and marketing. We are also seeking speakers for the new program year and the 2007 Conference next April. If you’re interested in volunteering, send an email to [email protected].

IT Control Objectives for Sarbanes-Oxley, 2nd Edition
ITGI, ISACA and the contributors to IT Control Objectives for Sarbanes-Oxley, 2nd Edition, have designed this publication primarily as a reference for executive management and IT control professionals, including IT management and assurance professionals, when evaluating an organization’s IT controls required by the US Sarbanes-Oxley Act of 2002. An exposure draft of the second edition is available for review and comment at www.isaca.org.

CISA and CISM Among DoD-approved Certifications
The US Department of Defense (DoD) Directive 8570.1, officially approved in December 2005, requires DoD information assurance (IA) workers to obtain a commercial certification accredited under ISO/IEC standard 17024. ISACA’s CISA and CISM certifications, accredited by the American National Standards Institute (ANSI), are among only 13 certifications approved by the DoD. The DoD’s IA professionals are classified into two broad categories—information assurance technical (IAT) and information assurance managerial (IAM)—that are each divided into three levels. CISA is among the four approved baseline certifications for professionals in IAT level III, and CISM is among the three approved certifications for professionals in IAM levels II and III.

COBIT® Mapping Overview of International IT Guidance, 2nd Edition
CIOs, CFOs, information security managers, auditors, and those involved in corporate and IT governance need a framework to compare international standards and guidance for managing the IT function. This second edition offers a global overview of the following important international standards and guidance for IT control and IT security in relationship to COBIT 4.0: COSO, ITIL®, ISO/IEC 17799:2005, FIPS PUB 200, ISO/IEC TR 13335, ISO/IEC 15408:2005, PRINCE2®, PMBOK©, TickIT, CMMI, TOGAF 8.1, IT Baseline Protection Manual and NIST 800-14. It can serve as a road map to implementing guidance supporting IT governance. For each of the international standards/guidance examined, the document provides a classification, a short overview of the contents, the business driver for implementing the guidance and the risks of noncompliance. This publication is posted for complimentary download at www.itgi.org and www.isaca.org/downloads.
CobiT User Convention
22-23 June 2006, Chicago, Illinois, USA
Specifically designed for users of CobiT, this two-day event features case studies and facilitated discussion groups that address CobiT usage. The first day of the event will focus on case studies, and the second day will focus on user feedback, problem solving, question-and-answer opportunities, and future solutions. For more information and to register, please visit www.isaca.org/cobituserconvention.

International Conference
30 July-2 August 2006, Adelaide, South Australia
The 34th Annual International Conference and Annual General Meeting of the Membership will include the following streams: IT Governance, IT Audit Management, IT Security Management and IT Risk Management. Pre- and post-conference workshop topics will include implementing CobiT, intrusion detection and incident response, Linux, information security governance, web-enabled applications security, and cybercrime. For more information and to register, please visit www.isaca.org/international.
The Modern Librarian – Hacking Google and other Search Engines – Part VII
The URL operators
In the previous section we looked at performing google searches and switching the languages of the google links, the web pages, and also the country of origin of the web site. These are just a few of the operators that can be used inside of the google search URL.

See if you can determine the google search being performed with the query string below:

www.google.com/search?hl=es&lr=lang_es&restrict=countryES&q=isaca&as_qdr=y&num=100&as_filetype=pdf&as_ft=e&as_nlo=2001&as_nhi=2004&as_sitesearch=isaca.org&as_dt=e

In the next section we will start using advanced operators for more in depth searches.
The Modern Librarian – Hacking Google and other Search Engines – Part VIII
Things to remember about google searches
When it comes to searching google there are many keys that can help you out. These are some of the more common pieces of advice:

1. Google is not case sensitive. JUSTIN PELTIER and justin peltier or even JuStIn PeLtIeR will all return the same results through google.

2. Google will exclude common words. Primarily these words are articles of speech that are used very commonly, and the inclusion of these words will not yield better results. For example the search query of:

www.google.com/search?q=now+is+the+time+for+all+good+men+to+com+to+the+aid+of+their+contry

will have the following words excluded from the search: (is, the, to, the, of, their)

3. Google uses wildcards. The * character can be used to represent any word in a search string. The . character can be used to represent any letter.

4. Google will truncate your search. For example:

google yahoo dogpile search engine overlap pittsburg pen state educational study msn jeeves amanda spink

will actually only search for:

Yahoo search engine overlap pittsburg pen state educational study msn

This is only ten terms – the limit for Google.

5. Google will look for variations of words for you automatically. For example:

www.google.com/search?q=sell+my+home

will also search for the variation on home – house.

6. Google only needs some Boolean searches. The phrase AND is already included with Google searches. The other Boolean phrases OR and NOT can be used with google. These Boolean operators can be shortened using the pipe symbol | for OR and the minus – for the NOT Boolean operator. The search string ‘sell my home |house’ will search for sell my and either home or house, whereas the search string ‘sell my home –house’ will search for sell my home without the word house in the site.

7. Google can use synonyms. This is done using the tilde ~ character before the search word. For example the search string ‘sell my ~home’ will search for home and house.

8. Google strings need to be inside of quotes. The search of ‘sell my home’ searches for sell AND my AND home, whereas “sell my home” finds that exact phrase in the search results.

Beyond the basic google searches are the searches with the advanced operators. These operators allow you to search for different types of information and also to refine your google search for more targeted results. (Examples of these operators include Cache, Link, Related, Info, Define, Stocks, Site, Inurl, etc.)

In the next section we will break down the function of each of these search operators and begin to search using these key google components.
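The Part VII query string is left as an exercise. As an added example that is not part of the article, the following Python decodes such a Google search URL into the settings it carries and splits the q= value into the plain terms, exact phrases, excluded words, synonyms, OR groups and operator:value pairs that points 6 through 8 describe. The parameter meanings in PARAM_MEANING are an assumption drawn from Google's advanced-search form of the period, not something the article states.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Meaning of the query-string parameters in the Part VII example URL.
# ASSUMPTION: drawn from Google's advanced-search form of the period;
# the article leaves the URL as an exercise and does not state these.
PARAM_MEANING = {
    "hl": "interface language",
    "lr": "result language",
    "restrict": "result country",
    "num": "results per page",
    "as_qdr": "results from the last period (d=day, w=week, m=month, y=year)",
    "as_filetype": "file type",
    "as_ft": "file type mode (i=only that type, e=exclude that type)",
    "as_nlo": "numeric range, low end",
    "as_nhi": "numeric range, high end",
    "as_sitesearch": "site or domain",
    "as_dt": "site mode (i=only that site, e=exclude that site)",
    "strip": "cache view; 1 = do not fetch the page's images from the origin",
}

# Operator prefixes the article names (cache:, link:, site:, intitle:, ...).
OPERATORS = {"cache", "link", "related", "info", "define", "stocks", "site",
             "intitle", "allintitle", "inurl", "allinurl"}

TERM_LIMIT = 10   # the ten-term limit stated in point 4 of Part VIII

# A token is a double-quoted phrase or a run of non-blank characters.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def parse_terms(q):
    """Split a q= value into the pieces Part VIII says Google interprets:
    plain terms, "exact phrases", -excluded words, ~synonyms, operator:value
    pairs, and OR groups written as 'a | b', 'a |house' or 'a OR b'."""
    seq = []            # plain terms in order; an OR group is a nested list
    phrase, exclude, synonym, operator = [], [], [], []
    pending_or = False  # the next plain term joins the previous one with OR
    count = 0           # terms that count toward TERM_LIMIT
    for m in _TOKEN.finditer(q):
        quoted, word = m.group(1), m.group(2)
        if quoted is not None:
            phrase.append(quoted)
            count += 1
            continue
        if word in ("|", "OR"):
            pending_or = True
            continue
        if word == "AND":   # implicit between terms, so it adds nothing
            continue
        count += 1
        if word.startswith("|") and len(word) > 1:   # 'home |house'
            pending_or, word = True, word[1:]
        if word.startswith("-") and len(word) > 1:
            exclude.append(word[1:])
        elif word.startswith("~") and len(word) > 1:
            synonym.append(word[1:])
        elif ":" in word and word.split(":", 1)[0].lower() in OPERATORS:
            name, value = word.split(":", 1)
            operator.append((name.lower(), value))
        elif pending_or and seq and isinstance(seq[-1], list):
            seq[-1].append(word)            # extend an existing OR group
        elif pending_or and seq:
            seq[-1] = [seq[-1], word]       # start an OR group
        else:
            seq.append(word)
        pending_or = False
    return {
        "require": [t for t in seq if isinstance(t, str)],
        "or_groups": [t for t in seq if isinstance(t, list)],
        "phrase": phrase, "exclude": exclude, "synonym": synonym,
        "operator": operator, "term_count": count,
        "over_limit": count > TERM_LIMIT,
    }


def describe_url(url):
    """Return the host, raw parameters, their meanings, and the parsed q= value."""
    if "://" not in url:
        url = "http://" + url           # the article writes URLs without a scheme
    parts = urlsplit(url)
    params = {k: v[0] for k, v in
              parse_qs(parts.query, keep_blank_values=True).items()}
    settings = {PARAM_MEANING.get(k, k): v for k, v in params.items() if k != "q"}
    return {"host": parts.hostname, "params": params, "settings": settings,
            "terms": parse_terms(params.get("q", ""))}


# The Part VII URL, rejoined into one line, as sample input.
PART_VII_URL = ("www.google.com/search?hl=es&lr=lang_es&restrict=countryES&q=isaca"
                "&as_qdr=y&num=100&as_filetype=pdf&as_ft=e&as_nlo=2001&as_nhi=2004"
                "&as_sitesearch=isaca.org&as_dt=e")

if __name__ == "__main__":
    info = describe_url(PART_VII_URL)
    for setting, value in info["settings"].items():
        print(f"{setting}: {value}")
    print("q= terms:", info["terms"])
```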
The Modern Librarian – Hacking Google and other Search Engines – Part IX
Advanced Operators
In previous sections we have discussed using advanced operators for searching google; now we will begin dissecting them in greater detail. There are a number of these advanced operators that are truly useful, some that provide some use, and others which are not truly useful. To get the most of the google advanced operators it is important to understand where the operators can be used.

Cache Operator
Let’s begin by breaking down some of the most commonly used operators for google searches. Perhaps the best operator to start with is the cache operator. Using this string will tell google to look in the local google cache as opposed to pulling the information from the true website. These web pages may not be the most up to date versions of the web pages. In fact a search of:

Cache:peltierassociates.com

in late October pulls up a version of the page from July 15. The entire site of Peltier Associates has changed from the date that google last cached the web page. Also, if you perform a packet capture of your connection to the google cache you will notice that some of the traffic actually goes to the target site (in the example above peltierassociates.com). This is because google will still pull the images from the target web page. In order to browse a site without sending any packets to the target, the best course of action is to set ‘strip=1’ at the end of your search string. This would look something like the following:

www.google.com/search?q=cache:peltierassociates.com&strip=1

The URL query strip tells google whether to get the images on the web page. By setting this value to one, google does not download the images. You can combine the cache operator with other searches, as we have seen with other operators used before. An example of this would be:

www.google.com/search?q=cache:peltierassociates.com+FRAP&strip=1

This search string will tell google to search the google cache for the peltierassociates.com web site, that the word FRAP must appear on the web page, and that graphics will not be downloaded from the peltierassociates.com web server.
Link Operator
The next search operator to discuss is the link operator. The link operator will tell google to search for all pages that include links that have your search string in it. For example the following search string will look for sites that link to pelttech.com:

www.google.com/search?q=link:pelttech.com

The more of the URL that you are able to put into the link search, the more precise the results will be. For example this search:

www.google.com/search?q=link:www.peltierassociates.com

will return fewer results than:

www.google.com/search?q=link:peltierassociates.com

Link searches always require the TLD or top level domain such as .org, .net, or .com to be included in the search. Failure to include the TLD will give erroneous and poor results that usually point to sites that do not exist. For example:

www.google.com/search?q=link:peltierassociates

will return no results. When this search is performed with a larger site, for example Ebay®, you will get a number of links that do not point anywhere. In the next section we will continue with the advanced operators and their functions on google.
The Modern Librarian – Hacking Google and other Search Engines – Part X
Advanced Operators Continued
In the last section we looked at the cache and link operators. These operators can be used on a number of the google search interfaces to find information that a regular search will not find. In this section we will look at the related, info, define and stocks advanced operators.

Related Operator
The first advanced operator that we will look at for this section is the related operator. This operator is designed to find web pages that are “similar” to a specified web page. For example the following google URL query:

www.google.com/search?q=related:pelttech.com

will yield information on other information technology and information security sites.

Info Operator
The next operator is the info operator. This will give information that google has about a web page. This information usually includes other google advanced operator searches that can be done with google. Here is what the URL query would look like:

www.google.com/search?q=info:pelttech.com

Define Operator
If you need to find a definition of a word on the internet, the easiest way to find the definition is to use a google advanced operator. This operator is the define operator, and using this operator will cause google to search for definitions at common Internet web sites. The response to this search should provide you with information about the arcfour (RC4) cryptosystem.

Stocks Operator
The last operator for this section is a handy operator, but does not do much for the information security professional. The stocks operator will look for information about the stock handle that follows the operator. The stocks operator is expecting the ticker symbol to be used and not the company name. The nice part of this operator is that multiple organizations’ stocks can be pulled up by adding the tickers after the operator.

www.google.com/search?q=stocks:ebay+yhoo+intc

This query should return stock information for eBay, Yahoo, and Intel.

In the next section we will look at more advanced operators and their function in our google searches.
The Modern Librarian – Hacking
Google and other Search Engines
– Part XI
Advanced Operators Continued – Site Operator
In the last section we looked at several
advanced operators. In this section we
will look at operators used for gaining
information about a target company or
web site. The first operator to look at is
the site operator. This operator restricts
responses to those websites in a given
domain. This means that if we want
information on wireless networking
from Microsoft we would perform the
following search:
www.google.com/search?q=wireless
+networking+site:microsoft.com
This is part of the search that we used in an earlier section to look for SSNs from educational or military sites. The leading dot does not have to be used before the mil or edu extensions; including the leading period does not affect the results of the query. This restriction is one that can be used in normal google searches to make the results more effective.
Allintitle and Intitle Operators
The next search to look at is the allintitle operator. This search and its related operator, intitle, will look for information in the title bar of a web site. The allintitle operator will look for the search words that follow the operator. For example:
www.google.com/search?q=allintitle:wireless+networking
will look in the google search database to pull all of the sites that have these words appear in the very top of the web browser.
The related search to the allintitle is the intitle. The advantage to using intitle as opposed to the allintitle operator is that the allintitle operator cannot be used with other operators. This is due to the fact that the allintitle operator will treat all additional operators as if they are search terms that should be listed in the title of the web page. The following is a common example of a URL search query that uses the intitle operator:
www.google.com/search?q=intitle:wireless
If we were to perform the following search:
www.google.com/search?q=intitle:wireless+networking
Google would look for sites that have the word wireless in the title space of the page and the word networking in the page itself. You can also perform string searches with the intitle operator. This would look something like the search below:
www.google.com/search?q=intitle:”wireless networking”
This search would look for titles of web pages that have the word wireless immediately before the word networking.
The inurl operator functions in much the same way, but it tends to play nicer with other search operators. For the query below:
http://www.google.com/search?q=inurl:passwd+site:edu
Google will look for URLs that contain passwd, with the results coming from educational domains.
Allinurl and Inurl Operators
Both of these operators compare your
search string with the URL for the page
and will then give the results. This is
very useful when you are looking for
information about a specific product or
service that has been web enabled and
has common web addresses associated
with it. These searches can also be
used for directory browsing to see if a
specific directory exists on a system.
Common allinurl and inurl searches
look for products like Microsoft ®
Exchange®, Apache Webservers, and
other third party products like php
based web boards. Just as above the
allinurl operator assumes that any
words following the operator are part
of the search query and therefore this
operator should be used alone. The
following example shows a google
search that is looking for the words
private and passwd in the same URL:
http://www.google.com/search?q=allinurl:private+passwd
Numrange Operator
The numrange operator is used for
searching google for a string of numbers
that fall between a high and low
number. This search can be performed
without the numrange operator and in
fact this is what we were doing in the
original identity theft searches. One of
the earlier searches that we performed
was:
http://www.google.com/search?q=000000000..999999999+SSN
This search tells google to look for
the numbers 000000000 through the
numbers 999999999. This search by
itself will return 8.9 trillion sites. The
way that we reduced our search was
through the additional search query
of SSN. This meant that not only did
the numbers have to fall in the range
of 000000000 through 999999999
but the web page also needed to have
the phrase SSN in it. The numrange
operator can yield the most damaging
information for identity thieves. Look
at the example search below:
www.google.com/search?q=4011000000000000..4011999999999999+visa
This search will look for all numbers
that are 16 characters in length and
the web page also has the word visa in
it. This search has the ability to yield
valid credit card numbers.
Remember what we discussed in previous sections: the period and the asterisk can be used as wildcards in search strings. With some playing you can make your searches target exactly what you want to. For example, allinurl:config.txt site:.gov will search all URLs for the string config.txt on sites that end with the .gov extension. This can be a fun thing to look for. Try several different documents that you might think would be of value to an attacker.
Daterange Operator
The daterange operator is used to look for pages that have been indexed within a certain period of time. The daterange must be given as the first date that you are interested in and the last date. This will define the range. The difficulty is that the dates need to be displayed in Julian format and the conversion process is not an easy one. The best way to truly perform a date search is to use the Goofresh site at http://www.researchbuzz.org/2003/09/goofresh.shtml
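The article notes that converting calendar dates to the Julian format the daterange operator requires is not easy; the following added example (not from the original article) does that conversion in Python and builds the operator string. It assumes the operator takes the form daterange:START-END with integer Julian Day Numbers, as described above, and that the search URL is the www.google.com/search?q= form used throughout the article.

```python
"""Build Google daterange: operator strings from calendar dates.

Added example for this section; not part of the original article.
Assumed: the operator is written daterange:START-END where START and END
are Julian Day Numbers (JDN), the integer day count used in astronomy
(JDN 2451545 is 1 January 2000).
"""
from datetime import date, timedelta
from urllib.parse import urlencode

# Offset between Python's proleptic-Gregorian ordinal (1 = 0001-01-01)
# and the Julian Day Number of that same day (JDN 1721426).
_ORDINAL_TO_JDN = 1721425


def to_jdn(d: date) -> int:
    """Julian Day Number for a calendar date."""
    return d.toordinal() + _ORDINAL_TO_JDN


def from_jdn(jdn: int) -> date:
    """Inverse of to_jdn; lets you read a daterange back into calendar dates."""
    return date.fromordinal(jdn - _ORDINAL_TO_JDN)


def daterange_operator(start: date, end: date) -> str:
    """Return 'daterange:START-END' for an inclusive span of calendar dates."""
    if start > end:
        raise ValueError(f"start {start} is after end {end}")
    return f"daterange:{to_jdn(start)}-{to_jdn(end)}"


def last_n_days(n: int, today: date) -> str:
    """daterange covering the n days up to and including 'today'."""
    if n < 1:
        raise ValueError("n must be at least 1")
    return daterange_operator(today - timedelta(days=n - 1), today)


def build_query_url(terms: str, start: date, end: date) -> str:
    """Append the date restriction to the search terms and URL-encode the query."""
    q = f"{terms} {daterange_operator(start, end)}"
    return "http://www.google.com/search?" + urlencode({"q": q})


if __name__ == "__main__":
    # Pages indexed during May 2006, the month before this newsletter (constructed dates).
    print(daterange_operator(date(2006, 5, 1), date(2006, 5, 31)))
    print(build_query_url("wireless networking site:microsoft.com",
                          date(2006, 5, 1), date(2006, 5, 31)))
```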
The Modern Librarian – Hacking Google and other Search Engines – Part XII
Things to try
This is the final section of our exploration of search engines and the world of google. To leave you off with some fun I have listed some common searches that you can perform through google. In many cases you will get some very interesting results from these searches.
allinurl:passwd.txt site:purdue.edu
This should yield at least one result for a student at Purdue University that saved his password in a text file on his web site. What a naughty student!
You can also specify not just one single domain to search with the command above, but you can search all top level domains like .com, .net, .edu, .org. This type of search would look something like the following:
allinurl:config.txt site:.gov
Here are some search strings to try:
“Index of /admin”
“Index of /secret”
“Index of /cgi-bin” site:edu
Those search strings listed above attempt to locate directories that allow directory browsing on web servers. Directory browsing allows us to see files on the system and not just the HTML web page that most visitors usually see.
Passwords Files Disclosure:
inurl:password.txt
allinurl:passwd.txt site: website name
“index of/” + passwd.txt
“index of/” +users.pwd +authors.pwd +administrators.pwd
Bulletin Board System password file disclosure:
allinurl:/wwwboard/passwd.txt
HTTP Credentials Disclosure:
http://admin:*@www
Sensitive Files Access:
allinurl:/.bash_history
Sensitive Directories Access:
“index of /members” + “Parent Directory”
“index of /private” + “Parent Directory”
“index of /admin” + “Parent Directory”
Microsoft Outlook Web Access Anonymous Logon:
inurl:exchange/root.asp?acs=anon
Confidential Information Leak:
“Do not distribute”
“Internal use only”
“Internal use only” filetype.pdf
Apache:
“It Worked!” +” Test Page for Apache Installation on Web Site “
Proxy and Terminal (RDP) servers:
inurl:8080
inurl:tsweb site.edu
For fun try this search at Yahoo:
Source:input=hidden
Google used to also allow source operator searches, but the functionality has long since been removed from google. As of October Yahoo still allows this type of search. This search actually looks at the HTML of a web page, not the displayed information. This allows an attacker to look into the actual code of a web page for security holes.
These are sections 7-12 of a 12 part
article.
Justin Peltier
Senior Security Consultant
Peltier Associates
email: [email protected]
Welcome New Los Angeles Members
Name
Company
Anslem
Oshionebo
Bhaskar Manam
Stanley Belotinsky Siemens
Kim Iannone
Shahidul Mannan Aames Financial Corp.
Francis Morelos
Jacqueline
Ndiforchu
Rohan Thacker
David Blackett
Michael Do
Joseph Guintu
Pamela Rosendale
Anand Joshi
Eri Ogura
David Kolchins
Cornelia Watkins
Robert Davis
Frank Villarreal
Russell Rapp
Wesley Read
Sasitorn Siripimol
Vicky Hare
Devang Thacker
Angel Navarro
Paul Yu
Brenda Chau
Joseph Soriano
DreamWorks Animation
SKG
Amgen, Inc.
UCLA Audit and Advisory
Deloitte & Touche
UCLA Audit & Advisory
Services
Perot Systems
PriceWaterhouseCoopers,
LLP
KPMG
Walt Disney Company
Kaiser Permanente
Ernst and Young LLP
BT Infonet
The Capital Group, Inc
ANC Network Integration
Amgen
Lisa Fetters
Tracy Liang
Noel Heredia
Mattel
Ernst & Young
Heredia Associates
Paul Kowal
Lindsey Kudo
Erik Pampalone
Cydcor
KPMG
Albert Cheung
Healthnet Inc.
Riju Parakh
Arpi
Shakhbandaryan
Kristin Van Der
Velden
Israel Nemany
Cecily Alangaden
Christopher
Anderson
Tracy Chiang
Brian Mclamore
KPMG
PricewaterhouseCoopers,
LLP
WellPoint, Inc.
Ernst & Young
Farmers Insurance
Deloitte & Touche, LLP
Deloitte & Touche, LLP
Argonne National
Laboratory
Siddharth Thakkar KPMG
Peter Lam
Union Bank of California
Sherry Cross
Countrywide Financial
Corp
Mohsen El-Raheb
Beth Jones
Southern California Edison
Rebecca Mamos
Debra DelMar
Disney
Disney Worldwide Services
Dave Kythe
Zurich Financial Services/
Farmers Insura
Jose Mathew
Monica Jain
Karen Kato
Vadim Zdor
Kristina Antonyan
Laotong Ea
Carmina Amor
Driz
Michael Carrier
David Wong
Mark Jacoby
Arthur Lessard
Nathaniel Clark
Jie He
Christy Shum
Covansys Corporation
Robbins Bros
AIG
UCLA Audit & Advisory
Services
Southern California Edison
Macerich
TWDC
PricewaterhouseCoopers
LLP
Farmers Insurance Group
Aurora McNabb
Chukwumah
Biosah
Steve Chung
Charles Corpuz
CEB ABL Audit Group
Loyola Marymount
University
Katherine Fortune Deloitte & Touche
Jonathan Huynh
John Georger
Ion Gott
University of Southern
Younghak Lee
California
Christopher
Schroeder
Mike Vong
Gordon Eng
Keenen Milner
Canaudit, Inc.
Carol Henderson
Sushma Vittalarao
Panchalam Seshan
Cal Poly, Pomona
BDO Seidman, LLP
GHC Information Systems,
LLC
Employment Opportunities
Employment Ads
SOUTHERN CALIFORNIA
EDISON
IT Auditor
Rosemead, California
JOB DESCRIPTION
• While your day-to-day responsibility
will be to ensure overall IT infrastructure
viability, your continuing focus will be to
assess business/management implications
of control issues in relation to broader
strategic concerns. This will entail
auditing computer applications/operations,
information security and continuity
processes; performing fieldwork including
risk assessment, program development
testing and controls evaluations; writing
summary reports and following through
on evaluations.
EXPERIENCE
• The qualified candidate will have a
B.A. in IT or Business Administration;
3-6 years’ experience each in IT and
internal auditing plus relevant in-depth
knowledge; strong understanding of
mainframe or multiplatform, networked
computing environments; and proven
project management and risk analysis/
evaluation skills. Requires approximately
30% domestic travel. CIA, CISA or
CISSP certification preferred.
CONTACT EMAIL: To learn more
about this opportunity and/or to apply,
visit us at:
www.edisonjobs.com
Over 20+ Opportunities
Auditor 1 (Financial Audit), JP23288
Auditor 2 (Financial Audit), JP23290,
JP23291
Auditor 3 (Financial Audit), JP23292,
JP23293
Auditor 4 (Financial Audit), JP23294,
JP29295
Manager (Operational Audit), JP23400
Auditor (Operational), JP22917, JP22918,
JP22919
Auditor (IT), JP22533
Sr. Product/Project Manager, Tivoli
Security Systems, JP21978
Information Security Analyst, JP22776,
JP22837
Information Security Specialist, JP22360
IT Security Engineer, JP23751
Sr. Information Security Analyst, JP22775,
JP22777
Sr. Security System Engineer, JP23601
===========================
TOYOTA FINANCIAL SERVICES
IT INTERNAL AUDITOR
TORRANCE, CA
EQUAL OPPORTUNITY EMPLOYER
JOB DESCRIPTION
• Conducting information technology audits.
• Developing and refining the TFS internal audit program.
• Developing and maintaining strong working knowledge of internal and IT Audit best practices.
• Perform tests of IT related controls over financial reporting required under SOX Section 404.
• Evaluating audit results and developing final recommendations for Internal Audit Manager review.
EXPERIENCE
• CISA preferred.
• B.A./B.S.
• 5+ years of IT audit or related experience.
• IT experience in networking, distributed systems, and security preferred.
• Working knowledge of Microsoft Office products (Word, Excel, Access, etc.).
CONTACT To apply for this position, please visit www.toyotafinancial.com/jobs and enter job number TFS00247 in the Keyword Search area.
===========================
GUITAR CENTER
Internal IT Audit Manager
Westlake Village, California
JOB DESCRIPTION
• Responsibilities include a wide range of integrated and risk-based financial, operational, compliance, and IT audit reviews, including risk assessment, audit planning and budgeting, technical reviews of security, networks, operating systems, microcomputers, applications, SOX compliance, business continuity planning. Report development/presentations to management. More….
EXPERIENCE
• Certification (CPA, CIA, or CISA) with 5+ years of progressive IT audit experience in Big 4 or private industry internal audit department.
• Business or Computer Science degree.
• Excellent oral/writing skills required. Experience with ACL, Peoplesoft, and/or MBA preferred.
• 20-30% travel expected.
CONTACT EMAIL • [email protected]
CONTACT PHONE • FAX: 818-735-0941
• Joe Borcover, Director of Recruitment, 818-735-8800 x2576
VALACON, INC.
“We Practice Quality”
We live in an ever-changing marketplace where new opportunities come and go at
a rapid pace. How can you identify opportunities that are right for you? How can
you attract qualified employees to the opportunities you offer?
Outstanding career moves and outstanding candidates don’t usually just appear
out of the blue. They are a result of effort and careful screening and matching. In
addition to his 14 years of recruiting experience, Sandy Geffner was an IT Audit
director and manager for eight years and a Big 4 consultant prior to that. He has
passed the CISA and CPA exams.
If you are looking for an opportunity that’s right for you, or a person who’s right for
your opening, let him put his 20+ years of experience to work on your behalf.
PARTIAL LIST OF JOB POSTINGS
• Senior IT Audit Manager - Entertainment Company. Diverse environment. Experienced management skills. Strong IT/Business/Risk understanding. Combo of Big4/Private exp is pref. Need excellent communication skills. $110-130k.
• Financial Services Co. – Unique position. Work with IT groups to reduce / eliminate control weaknesses. Controls background necessary. IT experience +++. Call for more details
• IT Audit Director – Financial Services Co. Oversee staff of 6 – 9. Wide range of IS audits. Provide vision, mentoring, and direction. Need leadership, communication and risk/controls skills with a history of management exp. Salary $120 to $140k+ DOE
• IT Audit Managers and Seniors – Big 4 and other Public Firms. Diversified skillsets needed. Good interpersonal/communications skills necessary. Salary $70s - $100s
• Call for other openings in Southern California.
• Northern California: IS Audit Manager, Senior, and staff
Sandy Geffner
Phone: (626) 296-2751
Fax: (626) 296-2760
Email: [email protected]
Valacon, Inc., P.O. Box 6136, Altadena, CA 91003-6136
www.valacon.com
Information Systems Audit
and Control Association
Los Angeles Chapter
PO Box 712726
Los Angeles, CA 90071
www.isacala.org
ISACA LOS ANGELES CHAPTER
BOARD OF DIRECTORS
Thomas Phelps IV, CISA
Chief Operations Officer - Past
President
PricewaterhouseCoopers LLP
[email protected]
(626) 590-9995
Debbie Lew, CISA
Spring Conference Chair Director
Ernst & Young LLP
[email protected]
(818)703-4728
Larry Hanson
CPA, CISA, CIA
Director &
Chief Technology Officer Director
Southern California Edison
[email protected]
(626) 302-9956
David Lowe
CISA, CISSP
Seminars Chair Director
Sony Pictures
Entertainment
[email protected]
(310) 665-6630
Greg Ash, CISA
CISA Review Course
Chair - Director
Southern California
Edison
[email protected]
(626) 302-9959
Edson Gin
CISA, CFE, SSCP
Co-Webmaster Chair - Director
City National Bank
[email protected]
ASSOCIATE DIRECTORS & VOLUNTEERS
Roger Lux
Employment Chair
Farmers Insurance
[email protected]
Constance Slack
Membership Committee
Ingram Micro
[email protected]
Chauncey Tse
Co-Webmaster
WellPoint
[email protected]
John Barger
Newsletter Editor
Countrywide
[email protected]
Luke Kwo
Seminar Chair
Frank Ness, CISA
Spring Conference and
Marketing - Associate
Director
Honda North America
[email protected]
(310) 781-4673
Sandy Geffner
Registrations Chair Associate Director
Valacon, Inc.
[email protected]
(626) 296-2751
Michelle Quan, CPA
Audit Chair
PricewaterhouseCoopers
Mark Stanley, CISA
[email protected]
Membership Chair - Associate
Director
Stephen Shar
Toyota Financial Services Academic Relations Chair
[email protected]
KPMG LLP
(310) 468-8587
academicrelations@isacala.org
Jane Hu
Marketing Committee Chair
PricewaterhouseCoopers LLP
[email protected]