Security Resources for Auditors

Web AuditNet

AntiOnline is a large site devoted to computer security. It includes a virtual library organized by user level, archives, special reports, a local file search engine and more.

Audit Software and Security Utilities - Site provides downloadable demos of audit-related software and security programs, including a random password generator, NT and NetWare security tools, a software inventory tool and more.

AS/400 Security Assessments by SekChek Information Protection Services - site for automated host-computer security reviews covering all non-mainframe platforms. The site provides sample review reports for all major platforms and downloadable "client" software, with an explanation of how security control settings are extracted without impacting the target system.

AS/400 Security Page is an excellent resource for security and disaster recovery information. The site has links to AS/400 and IBM sites, general resources for security and disaster recovery, security vendors and more.


Australian Computer Emergency Response Team - AUSCERT is funded by the Australian Academic and Research Network (AARNet) for its members. Located at The University of Queensland within the Prentice Centre, AUSCERT is a full member of the Forum of Incident Response and Security Teams (FIRST). AUSCERT maintains an anonymous FTP service at ftp://ftp.auscert.org.au. This archive contains past SERT and AUSCERT advisories and other computer security information.


Binomial International site for Disaster Recovery Planning contains valuable information for auditors. Also includes links to over 400 DRP sites. A free monthly newsletter is available by sending a message "subscribe disaster-recovery" to majordomo@magmacom.com or via the homepage.


CERIAS is the Web site for the Center for Education and Research in Information Assurance and Security. There are links to the various programs supported by the Center including COAST.


Comprehensive Info-Surety Database Site maintained by Dr. Frederick Cohen, with a potpourri of security related information including numerous articles related to IT audit, lists of attack and defense methods, studies of emerging information protection technologies, national infosecurity technical baselines, and other information to aid the auditor in keeping current and effective on leading edge security issues.


CERT - the CERT Coordination Center (CERT/CC) site is a focal point for the computer security concerns of Internet users. There are links to CERT advisories, the CERT FTP archives, FAQs and more.


Computer and Network Security - Netsurfer Focus addresses the issue of computer and network security. This electronic magazine is available on the Web site and via email. To obtain Netsurfer Focus directly via email, send a message to nsdigest-request@netsurf.com. In the body of the message type "subscribe nsdigest-html" or "subscribe nsdigest-text".

Computer Operations, Audit, and Security Technology (COAST) Project - computer security research project in the Computer Science Department at Purdue University, exploring new approaches to computer security and computer system management. COAST has a comprehensive archive containing tools, papers, technical reports, documentation, announcements, alerts, security patches, and newsletters. Areas of interest include, but are not limited to, access control, authentication, criminal investigation, e-mail privacy, firewalls and incident response.


Computer Security Assessments by SekChek Information Protection Services - site for automated host-computer security reviews covering all non-mainframe platforms. The site provides sample review reports for all major platforms and downloadable "client" software, with an explanation of how security control settings are extracted without impacting the target system.

Computer Security Resource Clearinghouse (CSRC) - The NIST Computer Security Division maintains an electronic clearinghouse to encourage the sharing of information on computer security. The CSRC contains computer security awareness and training information, publications, conferences, software tools, as well as security alerts and prevention measures. The CSRC system is available 24 hours a day, seven days a week, and NIST does not charge a usage fee for this service.


Computer Security Publications from NIST - send email to docserver@csrc.ncsl.nist.gov with the message "send index" for a list of NIST computer security publications. To retrieve a copy of a publication via email, send the message "send . NIST also distributes the Computer System Security Laboratory Newsletter via the Internet. Send an email message to mailserve@nist.gov with the message "subscribe csl-newsletter".


ERE - Information Security Auditors - ERE was created to focus on vendor-neutral, fully impartial security and compliance audits.


Ethics and Security Site

Federal Best Security Practices is an educational resource from the Security Practices Subcommittee of the CIO Council designed for Federal security professionals.


Firewalls Mailing List - This is a mailing list devoted to the subject of firewalls and Internet security. Any auditor concerned with information security and the issue of firewalls should subscribe to this list. The list generates a great deal of traffic on the subject of Internet security and the construction of firewalls. Subscription requests should be sent to Majordomo@GreatCircle.com with the message "subscribe firewalls-digest". I would recommend the digest version rather than the direct mail (non-digest) version.


Generally Accepted System Security Principles (GASSP) from The International Information Security Foundation (I2SF) provides uniform organizational guidance for security issues.


Guide to NIST Information Security Documents



Hacked provides reproduced copies of defaced Web sites. This is a good site for auditors looking at the risks of connecting to the Internet and setting up organizational Web sites.

ICAT Metabase, a product of the Computer Security Division of NIST, is a searchable index of information on computer vulnerabilities, keyed to CVE names and linking to vendor advisories and patches.


Infowar.com Winn Schwartau's comprehensive Web site on information security. Premier site for information security resources and links. Categories include tools, utilities & jobs, resources, survey & studies, discussion and chat groups, the Journal of Infrastructural Warfare and more.


Information Security Handbook There is an excellent information security handbook available from Harvard University. The page includes the following menu items: Information and Security Policy Statement, Personal Computing, Data Management Operations, Access Control, Network Security Policy and Acceptable Use, High Speed Data Network Security and Management, Misuse of Computing Resources, Overview of Legal Issues, Sample Statements, Personal Computer Security Practices, Sample Documents, Other Security Resources.


InfoSec Heaven Web site of Dr. Fred Cohen provides a comprehensive database of information security links and articles separated into categories of attacks and defenses and viewpoints. There is also a link to the InfoSurety Database at Sandia Labs.

ISSA Site of the Information Systems Security Association provides information about this international organization of information security professionals. There are links to security related sites, security tools and utilities, and security related list servers. 


Internet Security Systems Vendor of network security software. This site provides information on their products and FAQs on security, a list of security discussion groups and links to other security sites. There are also downloadable free security tools available from ISS. The site contains an article on the threat of hacking which is worthwhile reading for an understanding of the threats present on the Internet.


Internet Firewall Evaluation Checklists is a vendor neutral guide to help a company select a firewall. The checklist is provided by Fortified Network Inc., a firewall vendor.


Keeping Your Site Comfortably Secure: An Introduction to Internet Firewalls NIST Special Publication 800-10 provides auditors with an excellent Introduction and overview of firewall issues. Useful document in planning audit reviews of Internet connections.

LAN Security Guidelines Site provides checklists for administrators to evaluate and adjust LAN security. This is a comprehensive document that covers everything from access controls to virus protection. Includes a section on LAN Audit considerations.

International Computer Security Association - ICSA, now TruSecure Corporation, provides managed security services and certification programs for Internet-connected organizations. Its programs are aimed at helping organizations identify, correct, and continuously manage risks to critical systems and information.


Network-1 Security Related Links - Consulting firm with links to security related Web pages and security related newsgroups.

New Technologies Inc. is a security consulting firm that offers training and tools for computer forensics. The site provides articles, software, visual aids and more.

Online Security Services: Archive Box Storage - Specialists in archive security, document destruction, data security, disaster recovery, and secure storage and distribution services.

PeopleSoft Security, Audit, and Control Discussion Group (PSSAC-L). A listserv devoted to PeopleSoft Security, Audit, and Control has been created. For those of you interested in subscribing to this list send an email (with your signature feature turned off) to: listproc@listserv.acns.nwu.edu. Include no subject line. In the body of the message, type: subscribe PSSAC-L yourfirstname yourlastname (example: subscribe PSSAC-L Jane Doe).


RACF-L (RACF-L@UGA.CC.UGA.EDU) is a discussion list devoted to the topic of IBM's Resource Access Control Facility (RACF). Auditors in organizations that use this security tool should consider subscribing to this e-mail discussion group. You can join this group by sending the message "sub RACF-L your name" to listserv@uga.cc.uga.edu. Note: This is a high-volume list specifically designed for audit and security personnel using RACF.


Rothstein Associates - Homepage for the industry's primary source of information on disaster recovery. Contains an extensive index of material on disaster recovery; links to resources for business continuity and disaster recovery professionals are planned.

Security Articles provided by Intrusion Detection Inc. The articles are on subjects such as NT network security, help desks, sniffers and more. The site includes links to other security sites.


Security Newsletter, authored by noted security expert Winn Schwartau, provides latest security tips, product news and analysis to help reduce your network's vulnerability. Free subscription to this e-mail newsletter available at Network World Web site.

Security Resource Net site of the National Security Institute provides information on security related topics including computer alerts, products, a virtual security library and more.

Site Security Handbook (RFC 2196) - Product of an Internet Engineering Task Force working group. This document provides auditors with guidance on how to deal with Internet security issues. Useful for designing audits and reviews of Internet security.

Software Security Solutions provides computer security products, updates and information for all types of computer users.


Symantec AntiVirus Research Center Web site from an AntiVirus software vendor provides a comprehensive database of computer virus related information. The site provides updates to their software, information about virus hoaxes and more.


Unix Net for Computer Security in Law Enforcement (U.N.C.L.E.) - managed by J.W. Cooke & Associates Ltd., provides links to computer security reports and software for information security professionals concentrating on the UNIX operating system. Includes disaster recovery planning information.


UnixWorld Online provides articles on aspects of Unix systems including security and auditing Unix systems.


Windows NT Security Guidelines from Trusted Systems Services provide guidelines for securely configuring the Windows NT operating system. The 110-page guidelines were the result of a one-year project for the National Security Agency (NSA) Research Organization.

Wireless Security Checklist