Category: Information Technology

A way of describing IT audit

Jason Anderson Leave a comment

You know how your day goes? You know how you use all of these widgets and doohickeys, and that’s how you usually converse or get any information? It’s my job to keep all of that stuff working (at least, I would like to). I’m not talking about just making Windows work on your computer, or troubleshooting your iPhone. I’m talking about the systems and processes which are used by those devices. You see, there are complex processes at very large companies which must keep running. You can’t send text messages? You can’t buy stuff off Amazon? You can’t watch cat videos? Something has gone wrong in those services, and it’s up to guys like me to prevent that from happening.

So I’ll check that the servers which provide the videos can still function when they’re running at full tilt, or when there’s barely a trickle coming in.  Regular phone calls and text messaging have complex systems which must  be checked to ensure they’ll do their job every single time. This includes gathering evidence, and assuring that what management claims about the workings of their systems is true. Has the system administrator updated the server’s OS to its latest patches? Did they test to ensure that the patches wouldn’t break anything? Are change controls in place to ensure that they even check that these patches wouldn’t break the system? How about security procedures? Have they been followed? Has the system been hardened to identified threats? These are some of the things IT auditors have to check.

This is not just about checking the hardware, though. Has management performed its due diligence and made sure that the data they have is backed up? How do they know whether the data that was backed up could be restored? Who is in charge of checking that the data is backed up and stored properly? If the servers go down, who’s job is to ensure that they all go up again? More questions can be asked, but I’m sure you get the gist of it.

So you may have heard of company’s getting their data breached, or have announced new services they will provide. However, it’s up to someone at these companies to ensure that governance practices have been followed, that the company can actually provide this service, that the service won’t expose the company to risks (e.g. litigation, huge losses, or data breaches), and will actually be a benefit to the company. And usually, it’s someone who knows about IT audit.

How GNU/Linux is different from other OSes

Jason Anderson Leave a comment

If you’ve heard of GNU/Linux and want to try it out, then congratulations and welcome to the world of open source OSes! I hope that your experience with using GNU/Linux is a joyful and informative one. If you’ve already done a little homework, you’ve found many variations (called “distributions”) of GNU/Linux, and may be mystified by how many there are. I’m sure you’ve come from Windows or Mac OS and have wondered, Why is it that there’s one Windows/Mac OS, and so many different Linuxes? There’s a reason for this, though to understand why there are so many distros (that’s short for “distributions”), we must first explain the purpose of some OSes.

Microsoft makes Windows to be used by the average person, as well as business-oriented people. In fact, they’ve targeted quite a large group (I’d say the entire human race, but that’s just me). MS needs to ensure that Windows works with many desktop and laptop computers, functions in such a way that it makes sense, and that the average person can use it. To that end, they have engineered it to work on many different computer architectures, and that their desktop experience is pretty darn good. For their server offerings, they have developed a version of Windows, Windows Server, which works well on enterprise-level hardware, and works especially well in data centers, along with any application that requires servers. This is different from what Apple has done.

Apple created Mac OS X (along with iOS) to work exceptionally well with their terrific hardware. They have managed to create an OS that synergizes with their hardware, that looks beautiful, and is very well organized. Via the Aqua user interface, the user can easily navigate applications, and get things done. Apple has ensured that their hardware is durable, that their mobile devices last a long time, and that the hardware retains a good amount of value. To this end, Apple designed the Cocoa API to smoothly work with their hardware, and that it’s not that difficult to program. Similar to Microsoft, Apple has a large audience, but they have targeted them a little differently. At first, they strived for simplicity and high value. While it is possible for the average consumer to purchase an iPhone, Apple devices are still quite expensive, and so their audience is usually smaller than Microsoft’s. So where does GNU/Linux fall in all of this? Somewhere in the middle.

GNU/Linux consists of the Linux kernel, utility programs, and other supporting libraries. When a person or organization has a use for GNU/Linux, they may take the kernel and the utility programs, and build up their own OS. Canonical wanted to make a Linux distro which worked well with hardware, and provided a great user experience, so they copied (i.e. “forked”) Debian, added in the Gnome desktop environment, worked with hardware manufacturers to ensure devices functioned as intended on GNU/Linux, and developed a great experience. With this, they made Ubuntu. In the past, companies like Red Hat created a similar distro (in their case, Red Hat Linux). They also created Fedora to be made for server hardware. They, too used, Gnome, and make a nice installer. But GNU/Linux is not restricted to desktop hardware.

Linux has been ported to many platforms, ranging from the traditional x86, to RISC, to ARM, and several architectures in between. A company (or individual) can take the kernel, mix in whatever software they wish (be it open source or proprietary), and put it into their hardware. They can design the distro such that it functions how they want it to function. In these cases, GNU/Linux has a special purpose, and the organization may release their distro with that special purpose in mind. So a software vendor may make a special Internet of Things distro, and release that. Or a small group may release a fork of a desktop distro because they wanted to add their own “spin” to an official distribution. It all depends on what the individual, group, or company wants. And this is what sets GNU/Linux from the other proprietary OSes: you can find the one you want, and tweak it however you wish.

Auditing a charity’s network, and finding something out of place

Jason Anderson Leave a comment

For the past six months or so, I have been helping a local charity with its I.T. needs. This includes updating their computers, designing and setting up a kiosk for its volunteers, and helping other charity members with their IT needs. Now I’m trying to map their network, and help the director of I.T. to ensure that all devices (desktop computers, printers, external hard drives, etc.) are accounted for.

About two or three weeks ago, I used nmap to do a quick scan of the local network, and check the devices on the network for what they were broadcasting, what ports were open, and just what that exact machine is. After finishing that, I met with their director of I.T. to discuss my findings. He verified most of what I found (we had a problem with one of those Western Digital MyCloud hard drives, but that was soon cleared up). But there was one part which baffled the both of us.

Just like many other small organizations, they use old phones. The ones they use are Avaya IP phones (i.e. voice over internet protocol [VoIP] phones), model 1616. I don’t know when they got these phones, but they’re old. When I scanned these phones, I only got their IP addresses; there was no hostname. However, on one particular phone, I found a hostname. It’s not a hostname you would find on any of the other computers on the network (they had hostnames that ended in “.local”). This one had the hostname “6lfb7c1.salmonbeach.com”. How it got this hostname, I am not entirely certain.

At first, I thought these were phones with a few features (voice mail, call fowarding, conference calls, stuff like that). As I have found out, these phones are fully featured, and have upgradeable firmware. The phone in question, the model 1616-1 BLK, gets its firmware from the local Avaya phone PBX server. Since it gets its firmware from the server, how can the hostname be changed? In the settings for the phone, the hostname can’t even be changed. One of the members of the charity’s administration said that they had problems months ago with the voice mail system. But I doubt that’s related to this problem.

So how should I approach this? Has it been hacked? Is it just a software glitch? Hopefully it’s nothing serious. The I.T. director said that he bought a bunch of these old phones on the cheap years ago, and he’ll look into flashing the firmware on the phone. So let’s hope that’s the last we’ll hear of it.

Newer Ways of Audit Reporting on Third Party Companies

Jason Anderson Leave a comment

I went to a recent meeting of the North Texas chapter of ISACA, and there was a presentation on SSAE 18.  For those of you who don’t know, SSAE 18 supersedes SSAE 16, and consolidates Service Organization Controls reporting into something more manageable.  Here, I’ll talk about what I’ve learned about SSAE 18, SOC 1, and SOC 2.

In SSAE 18, more emphasis has been put on testing the design of controls for subservice organizations (e.g. third parties for which the organization has contracted out some process) and whether they are doing what they are suppose to be doing.  The auditor, through Service Organization Control (SOC), has to report on the effective use of these controls.  In the case of a SOC 1 report, they would assist in testing the controls as they pertain to the financial statements.  With SOC 2, the auditor reports on the controls with regards to security, availability, integrity, and confidentiality.

Now the auditor has to look for things such as complementary user entity controls, which are the controls that are assumed to be in place for users.  The auditor will have to look at reports from the subservice company to the main organzation.  They will have to see whether the organization is actually verifying the information in the report.  For instance, the auditor will have to see system-generated reports are being validated by the users of these reports.  The processing integrity principle will be used heavily in this situation.

This audit will look at how management has chosen the suitable criteria for the control, and how well they’ve measured the subject matter (note that “subject matter” means the risk relevant to entities using the subservice company).  So an auditor will look at whether the risk is something related to the entity’s business with the subservice company, then check the metrics of the current control, and see whether they are actually related to the control.

Migrating My Nextcloud Server to Another Server

Jason Anderson 2 Comments

When I saw that my version of Ubuntu could not be upgraded any more (due to Digital Ocean’s system), I had to migrate my Nextcloud installation (version 11.0.2) to a newer version of Ubuntu (16.04). In the documentation for Nextcloud, it details how to exactly migrate your Nextcloud installation to another Linux server, so I tried using that. Sadly, though, they left a couple of things out. So here’s my version of how I migrated my Nextcloud installation to another server.

First of all, they say to back up your data, which is what I did (to some extent). Next, I spun up a droplet which had similar specifications to my previous installation (it uses 512MB and has 20GB of storage, for instance). I made sure to put in my usual ssh key for this new droplet, as well as securing it in other ways. At first, I thought I knew how to easily do this: copy over the /var/www/nextcloud directory to the new server (which was also set up for Nextcloud), change some directory names, and it would be done. However, this was not what I found.

When I tried this method, I couldn’t access the web interface. What was worse was that I had forgotten to change the firewall configuration on the new droplet and accidently “locked” myself out. So, through some more research, I tried it again with another droplet.

This time, I copied the files using rsync, and made sure that I used the proper switches (I used the “-a” and “-t” switches, in order to archive the files, as well as save the timestamps). I saved the files to a new directory on the server, and made sure to back up the old files. I thought that this time I had fixed the issue. But Fate can be cruel.

Even though I had copied over the files in the “correct” fashion, the server still wasn’t accessible from the web. Looking at the /var/log/apache2/error.log file, I found that the webserver couldn’t start due to Nextcloud not be able to read the database. After researching the problem more, I learned that the data can’t be just “copied” over; rather the data has to be copied, and the database has to be imported. So, after scrapping that droplet (I had changed it too much already), I spun up a new droplet, and tried this whole thing all over again.

First, I put the server into “maintenance mode” and stopped the Apache server. Then I extracted the data from the database (via the command mysql -u ownCloud -p password ownCloud > /tmp/dump.sql), copied that over to the new server, and imported it into the new database. For importing the new database, I “dropped” the old database, created a new one, and finally imported the data with the command mysql -u nextcloud -p password nextcloud < /tmp/dump/sql. Then I copied the old Nextcloud as I did before (using the official documentation’s recommendation of the command rsync -Aax) and carefully moved the files into the new /var/www/Nextcloud directory. Even through all of this, it still wasn’t enough.

Looking again at the /var/log/apache2/error.log file, I found that the new Nextcloud install couldn’t read the database due to the new server using the old Nextcloud config.php file (are you still with me?). So, I changed a few values in the config.php file so as to use the new database. What I did was change the dbname to the name of the new database, as well as input the new database login information. Also, I added the new IP address to the “trusted hosts” array in the config.php file. This seems to have fixed most of my problems.

Just in case, I also ran a script that I found in the official Nextcloud documentation for fixing the permissions on the new server. Then I changed some of the security configurations for the Apache server. I copied over previous configurations for SSL into the /etc/apache2/sites-available directory, and enabled them through the a2enmode command. With all that finished, I started up the Apache server again, and took the Nextcloud installation out of “maintenance mode”. Finally, I was able to use the server. Except, it wasn’t exactly to my liking.

You see, I had copied over the “data”, “config”, and “themes” directories. I did not copy over all of my previous apps. When I saw that I had only half of my previous apps, I thought, “I need to fix this,” and copied the contents of my previous Nextcloud’s “apps” directory to the new server. With those out of the way, I saw to using some of Nextcloud’s recommendations, and bumped up the memory (as well as putting in a timeout feature). These were harder to fix, partially because I had these problems with my previous Nextcloud installation. Nevertheless, I sought to fix them.

One of my problems was with the /var/www/nextcloud/.htaccess file, specifically that it wasn’t working. To fix this, I edited the /etc/apache2/apache.conf file and changed the AllowOverride directive for the /var/www section to “All”. This allowed the /var/www/nextcloud/.htaccess to work (at least, it would work since I’m accessing the site over a secure connection). Next, I added a memcache so as to speed up performance. I added in php-apcu and edited the /var/www/nextcloud/config/config.php file to reflect this by assigning memcache.local the value \\OC\Memcache\\APCu. My server was made much faster with this tweak. For added polish, I followed the directions on this tutorial and added Redis support.

This was a tough migration that I thought would have been easy. I figured that it would have taken a couple hours. However, it was stretched out to a numbers of hours (not to mention one night). While it’s great that I have migrated to a more manageable configuration, I should have done more research.

Helping Out a Local Charity

Jason Anderson Leave a comment

I’ve been helping out a local charity with preparing tax returns for the needy and underprivileged for the past few weeks and we’ve run into a problem. Each time we have to print out the tax returns for the clients, we have to take the laptop over to the printer to have it printed out.  This takes a while, and it can be a royal pain.  So I have suggested setting up a small print server so that the laptops on the WLAN can easily print.  My initial set-up looks encouraging: I have set up a Raspberry Pi as a little print server, and have successfully printed from one of the laptops.  With some security measures and other set-up, the other laptops that the tax preparers are using will be able to use this print server, too.

Learning About Setting Controls for I.T. Assets

Jason Anderson Leave a comment

In my pursuit to get into the information technology (IT) audit field, I must learn about setting controls for securing IT assets, minimizing risk, and eventually testing that said controls work.  In major organizations where information flows constantly and is utilized to advance the organization’s goals, ensuring that the information and knowledge are accurate, intact, timely, and secure are important.  To secure them, though, management must know how this information and knowledge can be lost.  Once they understand this, controls must be put into place so as to prevent this loss.  But management cannot always safeguard these assets.

As a company moves along in its financial year, these controls can break down.  For example, backups can be corrupted (losing information), and employees may leave the company (thus losing knowledge).  So it is also good to reassess whether these controls are working as intended.  This is where the IT auditor steps in, to evaluate these controls, and see to it that that continue to do the job.

Though I know of some ways of testing these controls (e.g. vouching, interviews, and walkthroughs), I have never carried them out.  All I have done is study them.  While studying textbooks is fine, some would say the true teacher is experience, and I have not done so.  For the most part, I have managed a couple of websites (this one included) so that they cannot be hacked.  I have put controls in place to ensure that my website is not compromised.  But to make sure they work, I must turn to someone who has had experience in managing a website.  Not just that, but an IT auditor who will teach me what to exactly do so that this website is not damaged.  Eventually, I would learn more from them so that, when I am on an audit engagement, I can ensure that the company’s valuable assets are kept safe.

MyCroft, AI, and how I’m trying to help it

Jason Anderson Leave a comment

The other day, I saw that a version of MyCroft was released for the Raspberry Pi.  I have been following MyCroft for a while now (mostly through the Linux Action Show) and have tried using it.  The software is still in beta, so I found some bugs with it, namely I can’t really use it.  I have tried pairing it, then talking into it with my microphone.  But it can’t understand what I’m saying.  At first, I thought it had something to do with getting a secure connection to the MyCroft backend servers.  Now it could be a problem with my microphone.

I’ll admit that my desktop microphone isn’t the best.  But how much clarity does the microphone require?  Apparently, a lot.  The microphones on the Amazon Echo, for instance, can pick up a bunch of channels of sound.  So it looks like I’m going to have to get a better microphone.

What I’ve also seen is that MyCroft uses Google’s backend for the speech recognition.  It looks like they’ll go to something such as Kaldi, but that doesn’t have a large enough speech model to get the job done.  While it has a model based upon over a thousand hours of speech, it may require thousands of more hours of speech just to get better results.  I’ve been donating to Voxforge and trying to help with their speech corpus.  However, they’ve barely got enough for half of their first release.  So I was wondering how to speed things up and get them more samples.

What they could do is make it fun and interesting to donate.  I was thinking of something like a badge system on the Voxforge website, or even leaderboards.  Then again, would this make it fun to donate?  I need to think more on this.

Interesting video on designing programming languages

Jason Anderson Leave a comment

Yesterday, I started watching this video on programming languages, and it took me over forty minutes to stop watching the video. It’s not because that the video was over an hour long, but rather the subject matter of the video.  It’s a presentation by Brian Kernighan titled “How to succeed in language design without really trying”.  The presentation by professor Kernighan was very well done.  He went through a bit of history with how some programming languages came about, as well as their usees.  He also talked about his time with Bell Labs, and how he, along with two other great programmers, wrote the language awk.  The video had me interested because, for one, I could understand half of what professor Kernighan said, and two, he admitted that he threw the language together out of necessity.  Also, he would, at times, remind the audience of his short comings, such as with functional programming languages, and remembering how to program in C.

Dealing With the Internet of Things

Jason Anderson Leave a comment

The other day, I attended a meeting of the North Texas chapter of ISACA.  There, the information technology veteran, Austin Hutton, gave a presentation on the dangers of the Internet of Things (IoT).  I have written about the IoT and how it can be used to devastating effect.  One of the problems that Hutton talked about is that there are more IoT devices than there are people on earth.   Thousands are being manufactured and sold each day, and each one of these devices can be hacked to assist in an attack.  And the problem is getting bigger.

Most of those devices were poorly designed, and thus have no way of being updated.  The companies who make these devices have thin profit margins, so they cannot afford to make them secure.  In some cases, the manufacturer buy the chips from other companies, so they are not directly responsible for its security.  The average IoT device can be easily hacked: a number of them have easy to crack passwords, or have flaws that were not detected when they were being designed.  There are even programs which can auto-hack some of these devices.  All the hacker needs to do is learn the make and model of the IoT device, select the program, sit back, and gain control over it.  For those devices which are used as intended, they may be doing something illegal.

Hutton gave the example of a Tempur-Pedic bed which can send the user’s data back to Tempur-Pedic for analysis so as to improve the user’s experience.  He then gave an example of someone else (specifically, his 14-year-old granddaughter) sleeping in the bed, and their data being sent to Tempur-Pedic without their permission.  This can be considered breaking the law because she’s a minor.  How would that situation be resolved?  How can we at least minimize the damage from IoT devices?

For one, education.  Though companies are really selling the convenience of IoT devices, consumers must learn how harmful IoT devices can be.  The public needs to learn that these devices can be used to cause harm to our cities, and possibly to themselves.  Recently, the business of a utilities company in Finland was disrupted due to a DDoS attack, resulting in the heating for their customers being disabled.  What if this was the smart thermostats of many of their customers getting hacked?  The attacker could lower the temperatures in these houses, or disable the thermostat, which would be a dangerous situation to homes in Finland during the winter. How else could these devices be attacked?  An attendant to the meeting, David Hayes of Verizon, had one other scenario.

There are utility companies in North America and Europe that use monitors called SCADAs which can remotely control machines vital to a functioning city (one example is the water pumps which keep drinking water flowing through the city).  What if, Hayes suggested, a hacker takes control of these pumps, and threatens to take them offline, or even increases their work to the point of destroying them, unless he is paid $100,000?  Now we’re starting to see the cost of this problem.  This cost will only increase, as malicious hackers devise ways of misusing these IoT devices.

Another way we can minimize the damage from IoT devices is to ensure that your IoT devices can be modified such that only you can control it.  If you can change the password, do it.  Check that a default root password hasn’t been hardcoded into the device.  If you can, find a device that can be updated (though few IoT devices have the capacity to be updated).  On the government side, we’re going to need some form of  oversight.  For instance, no IoT device bought by  the government can lack the ability to be updated.  How about current IoT devices?  There is little we can do about them.  If we’re dependent on them, then it’s going to be difficult to replace them.  Maybe for the average person it’s easy to change their IoT lightbulbs.  But how can a maintenance manager at a company tell his bosses that, due to the threats these IoT devices have to the security of the company, they all have to be changed.  How much will that cost?

This is a growing problem that will grow more as these hacked IoT devices are used to facilitate these attacks.  It is imperative that this problem be addressed now, rather then have some catastrophe occur, and involve the lives of thousands.