CISA test over - Now the wait begins…

Jeff | Personal, Security, Stuff | Monday, June 18th, 2007

After a month or two of pretty regular study I finally got my Certified Information Systems Auditor (CISA) test done a week ago and then promptly took a much-deserved week off for vacation. Now comes the 10-week wait for the results. You would think in this day and age they could get you the results a little faster, but such is life I guess. :)

The test itself was one of the more difficult ones I’ve taken due to the subjectivity of the questions. There were too many questions where you had to make a decision on the “most right” answer, and it seemed to me like it tests your ability to decide what ISACA wants you to say more than your actual knowledge of the material. I’ve yet to fail a cert test, but I’m really unsure as to my success on this one.

As an FYI, I used the Sybex CISA Study guide and found it to be an excellent guide of the material. I also used the official ISACA CISA Test Question CD for review.

Forensics gets more difficult

Jeff | Security | Friday, June 1st, 2007

The world of forensics has been getting more difficult over the past year or so. There has been a rash of new antiforensic tools that are so easy to use that my 9-year-old could run them. And it’s getting worse. Scott Berinato has an excellent article on www.cio.com detailing how the ease of use and increased effectiveness of antiforensic tools is making forensic tools obsolete.

“Five years ago, you could count on one hand the number of people who could do a lot of these things,” says one investigator. “Now it’s hobby level.”

It’s gotten to the point that hackers are no longer worried about covering their tracks.

Researcher Bryan Sartin of Cybertrust says antiforensic tools have gotten so easy to use that recently he’s noticed the hacks themselves are barely disguised. “I can pick up a network diagram and see where the breach occurred in a second,” says Sartin. “That’s the boring part of my job now. They’ll use FTP and they don’t care if it logs the transfer, because they know I have no idea who they are or how they got there.” Veteran forensic investigator Paul Henry, who works for a vendor called Secure Computing, says, “We’ve got ourselves in a bit of a fix. From a purely forensic standpoint, it’s real ugly out there.” Vincent Liu, partner at Stach & Liu, has developed antiforensic tools. But he stopped because “the evidence exists that we can’t rely on forensic tools anymore. It was no longer necessary to drive the point home. There was no point rubbing salt in the wound,” he says.

As with all things security, it’s always easier for the blackhat to figure out how to get around one weakness than it is for the whitehat to figure out how to cover all the bases, and I don’t see that changing anytime soon.

SEC moves to reduce Sarbanes-Oxley costs

jeff.bolden | Security | Wednesday, May 23rd, 2007

For those of us that have to deal with the mess that is SOX compliance, there may be some help on the way. SOX compliance is an expensive process that (IMHO) can cripple smaller companies with little in the way of payback. After over a year of wrangling, the SEC recently approved guidelines “that would allow executives to focus their attention on factors most likely to trigger financial misstatements.”

The agency’s guidelines, combined with a revised auditing standard from the Public Company Accounting Oversight Board are aimed at ending more than a year of debate over whether the law’s costs outweigh its benefits.

The SEC guidance will be coordinated with changes to audit rules that the Public Company Accounting Oversight Board will vote on Thursday. The board, an independent panel formed under Sarbanes-Oxley, wants to reduce auditor testing by encouraging accountants to rely on work companies have already done.

With SOX Compliance becoming big business in recent years I’m sure there are some people not excited about the news, but hopefully the rest of us can benefit from a reduced cost in audit compliance and more budget available for other things.

New blog for an old hat…

Jeff | Stuff | Sunday, May 6th, 2007

This is Jeff Bolden’s little corner of cyberspace and will be home to my professional life of Information Security in the upcoming months.

