Security, Electronics, and Tech from Japan
The fine folks over at passwordrecoverytools.com sent a request for an evaluation about four months ago, and as I was ensconced in a plethora of security work and programming, I never had a chance to test the tool for a good writeup. That was, until I decided to go on vacation last week and a client sent a password-protected zip file without forwarding the password!
Hi All!! Still alive and kicking. Been a couple weeks since the last posting but have been hard at work putting together another platform iteration of WorkPapers software. So far, I have created the audit working papers management software solution in Cocoa and RealBasic, so this time around thought I would try one more iteration [...]
Over the past couple of days I have concluded that enough (bad) breath has been spent ranting about how system and security auditors really are missing the mark. However, one cannot reasonably just point a finger in one direction – it takes two to tango, so it is now time to point out what CIOs and administrators of secure environments should start to consider in order to prevent incidents. And along the way I will add a rant or two about how the average CIO is, too, an administrative, paper-pushing policy guru who does not really have real systems administration experience – most come from a consulting background and have not had to own a system for more than a year.
This is a great article about Saltzer & Schroeder, two 1970s computer security researchers who published this paper.
I’ve tackled this subject a couple of times in recent posts in a cursory manner, but feel that it is probably time to elaborate on the subject. An IT auditor’s challenge out in the field is not getting any less complex. Systems are evolving to become seamless, integrated cloud services to the end-user, while the internals of such systems are integrated in a complex computing architecture. The risks associated with this complexity are amplified when the professionals that are checking the integrity of these systems do not understand the technology, have no practical administration or configuration experience, and do not have the necessary knowledge to understand how these systems interact.
A couple of weeks ago I wrote this post because I had just found out that a group of security ‘professionals’ and ‘consultants’ (not from our company) that were assigned to one of my projects did not have the technical ability to download user records, or any other records, from Active Directory (AD) and perform the appropriate ID management analysis. While I am senior management, I do take pride in being able to do just about anything required, including the technical work that is necessary, figuring it out via Google, MS Support sites, or any other resource – a skill that my Japanese counterparts don’t seem to possess. Donald Trump’s “You’re fired!” expression crosses my mind every time I look at one of these so-called professionals that says, “I don’t know how….”
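The task the post refers to, pulling user records out of AD and running an ID management review over them, is small enough to show end to end. The following is an added example, not code from the original post. It assumes the records were exported with a PowerShell command along the lines of `Get-ADUser -Filter * -Properties Enabled,LastLogonDate,PasswordLastSet,PasswordNeverExpires,MemberOf | Export-Csv users.csv`, with the MemberOf collection flattened to a semicolon-separated string and dates written in ISO format (a raw Export-Csv gives you locale-formatted dates and a collection type name, so adjust the parsing to your export). The CSV embedded below is constructed sample data, so the script runs offline; the thresholds (90 days inactive, 365 days password age) and the privileged-group list are assumptions to tune to the client's policy.

```python
"""Identity-management checks over an AD user export (added example).

Assumed export command (not run here):
  Get-ADUser -Filter * -Properties Enabled,LastLogonDate,PasswordLastSet,
      PasswordNeverExpires,MemberOf | Export-Csv users.csv
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export, not real data. MemberOf is assumed flattened with ';'.
SAMPLE_EXPORT = """SamAccountName,Enabled,LastLogonDate,PasswordLastSet,PasswordNeverExpires,MemberOf
alice,True,2011-03-01,2011-01-15,False,CN=Domain Users
bob,True,2010-06-12,2009-12-01,False,CN=Domain Users
svc_backup,True,2011-03-03,2008-05-20,True,CN=Domain Admins;CN=Domain Users
carol,False,2010-01-05,2009-11-11,False,CN=Domain Admins;CN=Domain Users
dave,True,,2011-02-02,False,CN=Domain Users
"""

# Assumed review date and policy thresholds; tune to the client's policy.
AS_OF = datetime(2011, 3, 10)
STALE_DAYS = 90
MAX_PASSWORD_AGE_DAYS = 365
PRIVILEGED_GROUPS = {"CN=Domain Admins", "CN=Enterprise Admins"}


def _parse_date(value):
    """Empty LastLogonDate means the account has never logged on."""
    return datetime.strptime(value, "%Y-%m-%d") if value else None


def load_users(text):
    """Parse the CSV export into a list of plain dicts."""
    users = []
    for row in csv.DictReader(io.StringIO(text)):
        users.append({
            "sam": row["SamAccountName"],
            "enabled": row["Enabled"] == "True",
            "last_logon": _parse_date(row["LastLogonDate"]),
            "pwd_set": _parse_date(row["PasswordLastSet"]),
            "pwd_never_expires": row["PasswordNeverExpires"] == "True",
            "groups": set(filter(None, row["MemberOf"].split(";"))),
        })
    return users


def find_issues(users, as_of=AS_OF):
    """Return {SamAccountName: [finding, ...]} for every account failing a check."""
    issues = {}
    stale_cutoff = as_of - timedelta(days=STALE_DAYS)
    pwd_cutoff = as_of - timedelta(days=MAX_PASSWORD_AGE_DAYS)
    for u in users:
        findings = []
        if u["enabled"]:
            if u["last_logon"] is None:
                findings.append("enabled but never logged on")
            elif u["last_logon"] < stale_cutoff:
                findings.append(f"enabled but no logon in {STALE_DAYS} days")
            if u["pwd_never_expires"]:
                findings.append("password never expires")
            if u["pwd_set"] and u["pwd_set"] < pwd_cutoff:
                findings.append(f"password older than {MAX_PASSWORD_AGE_DAYS} days")
        if u["groups"] & PRIVILEGED_GROUPS:
            if not u["enabled"]:
                findings.append("disabled account still in a privileged group")
            elif u["pwd_never_expires"]:
                findings.append("privileged account with non-expiring password")
        if findings:
            issues[u["sam"]] = findings
    return issues


if __name__ == "__main__":
    for sam, findings in sorted(find_issues(load_users(SAMPLE_EXPORT)).items()):
        print(f"{sam}: {'; '.join(findings)}")
```

On the sample data this flags bob (stale logon, old password), svc_backup (non-expiring and old password on a Domain Admins member), carol (disabled but still in Domain Admins) and dave (enabled, never logged on), and leaves alice clean. Against a real export, feed the CSV path to `load_users` via `open(...).read()` and treat every finding as a question for the account owner rather than a conclusion.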
In this blog posting I will briefly outline what this involves, include the necessary reference links, and provide any insights.
This article is not an expression against the many IS and IT auditors out there that really know what they are doing and offer an added value to their clients. It is a voice thrown out into the airwaves that portrays the state of the profession as I have seen it develop within the Big Four over the past ten years. I have worked at all four of these companies and can safely state that I am an expert at how these organizations sell, plan, and deliver their services.
Also, this does not apply to myself and all other IT and IS auditors (Big Four or not) out there that are technical enough to look beyond the surrounding controls and paperwork thrown at them at the outset of an audit. But it does apply to the other 99% out there that have become IT or IS auditors after becoming a CPA or graduating from an MBA program, then getting a warmed-over course, sitting for one of the certifications, then coaxing their manager(s) to sign off on the experience they never achieved.
In my new position at a Big Four audit firm here in Tokyo, I will have to lead, coordinate, promote, and execute within the Security & Privacy Services team. STOP! Within a single sentence above, I have provided all the clues anyone would need to deduce which Big Four firm I am talking about. [...]
Here is the Security Metrics Foundations presentation that yesterday’s blog entry was largely based upon. I look forward to comments on the presentation, since it is still a work in progress. After spending a few more minutes on the English version, I will spend some time on the Japanese version and do a write-up on the [...]
For Starters… Over the past couple months I have worked to pull a lot of information together on security metrics and to create an implementation guide and implementation kit. Andrew Jaquith’s book, Security Metrics: Replacing Fear, Uncertainty, and Doubt, covers the subject quite well from the metrics definition phase through to an attempt to dashboard with [...]