ITAudit   
Vol. 10, November 10, 2007

Assessing Bandwidth Use as a Function of Network Performance

Performing ongoing assessments of an organization's network bandwidth use can help IT departments to enhance the quality of network services and identify problem areas before they hinder work productivity. 

Nikhil Wagholikar
Information Security Analyst, NII Consulting

Most corporate networks carry applications without which an organization would be unable to perform critical business functions. Unfortunately, these networks are often taken for granted because of their "behind-the-scenes" role, which makes it all the more important for network administrators to prevent breakdowns in network performance. To help their organization ensure that proper safeguards and controls exist to monitor and respond quickly to network issues and threats, internal auditors need to conduct ongoing performance assessments that measure the network's quality of service and determine whether the programs, hosts, and applications installed on the corporate network function properly. (Refer to figure 1 for an illustration of a basic corporate network.) More specifically, these network performance audits need to examine the network's bandwidth use.


Figure 1. Diagram of a typical corporate network 

THE AUDIT

Before conducting a network performance audit, internal auditors need to understand how the network operates. The best way to do this is by requesting a copy of the company's network diagram. In organizations with larger networks, multiple diagrams may exist. Regardless of the network's size, diagrams need to illustrate the local area network (LAN), any demilitarized zones (DMZs), and the company's virtual private network (VPN). In addition, auditors need to identify any critical business applications that reside within the network and the network components that support them, as well as determine each application's network bandwidth use.

Common Network Components

Below is a definition of the most common network components:

Demilitarized Zone (DMZ)
A network segment placed between a trusted (internal) network or zone and an untrusted one such as the Internet. Services that must be reachable from outside are hosted here so that the compromise of one of them does not give direct access to the internal LAN. Also called the perimeter network.

Firewall
A network device that permits, blocks, or proxies traffic according to a configured policy, typically enforcing the boundary between zones of different trust (e.g., the Internet, the DMZ, and the internal LAN).

Local Area Network (LAN)
A high-speed computer network that covers a small geographic area, such as a home or office. Ethernet is the most common LAN technology.

Router
A computer network device that transfers data between different networks.

Switch
A computer network device that connects hosts and network segments at the data-link layer, forwarding each frame only to the port where the destination address was learned (unlike a hub, which repeats every frame to every port).

Virtual Private Network (VPN)
A computer network that uses a public network such as the Internet to transmit private data through an encrypted, authenticated tunnel, thus enabling remote users or sites to exchange information as if they were inside the internal network.

Network Bandwidth Use. When assessing an application's network bandwidth use, the auditor should conduct a network traffic analysis that identifies:

  1. The average amount of data flowing within the network (i.e., overall bandwidth use).
  2. The data's packet size distribution.
  3. The type of data flow within the network.
  4. The data's error rate.

Ideally, network bandwidth use should be monitored at regularly scheduled intervals that sample normal daily activity: hours of peak use (normal business hours), hours of moderate use (e.g., the evening, after normal business hours), and hours of low use (e.g., the start of the business day, before most staff have logged on). Auditors may wish to avoid a 100 percent monitoring approach, as full packet capture quickly produces unmanageable amounts of data. For instance, in just 10 minutes of monitoring, network administrators can obtain as much as 300 MB of data for a computer network consisting of 10 to 15 computers and four to five network devices. Capturing packet headers only, or collecting interface counters and flow records instead of full packets, keeps the volume manageable while still answering the four questions above.

Network use also should be monitored for a considerable period of time (i.e., for a minimum of 15 minutes at regular 30-minute intervals) during each of the periods above to get a clear picture of the company's total network bandwidth use. For easier understanding, results should be presented as graphs rather than as raw text or per-IP-address tables. Figure 2 shows three graphs illustrating the network bandwidth use of a mid-size IT organization during business hours.

As the examples in figure 2 show, average network use at the start of the business day (hours of low use) is almost 0 percent. Use during normal business hours (the afternoon, hours of peak use) is between 25 percent and 40 percent, while use after business hours (the evening, hours of moderate use) is between 5 percent and 15 percent. Use of up to 50 percent to 75 percent of link capacity is typically still considered normal, depending on the network's size (e.g., a LAN consisting of 100 to 110 computers, 10 servers and applications, 100 clients, five to 10 switches, and one or two routers); sustained use above that range indicates congestion and warrants investigation. On a switched LAN, a utilization percentage is meaningful only for a specific link, so measurements should be taken where contention actually occurs: server ports, inter-switch uplinks, and the Internet or WAN gateway.

If any discrepancies are found when assessing the performance of the company's network bandwidth use, auditors should proceed by:

  • Reviewing the LAN's topology.
  • Determining whether malware (Trojans, worms, or viruses) is present on a particular computer or group of computers; worm scanning and infected hosts are a common source of unexplained bandwidth consumption.
  • Checking for faulty cabling on the network device: verify that the wire-pair color codes at both ends of each cable follow the same termination standard (T568A or T568B), and use a cable tester to confirm that every conductor is properly seated in its connector.


Figure 2: General network use (in percentages) during low-use (top left), peak (top right), and moderate (bottom center) business hours

Furthermore, auditors need to review the configuration of all network devices (e.g., routers and printer settings) and the configuration of network applications (e.g., determining whether the server application is excessively querying clients). When reviewing the configuration of network devices, auditors need to:

  1. Check for routing that funnels all traffic through a single gateway, causing bandwidth choking or clogging of network traffic.
  2. Identify all network users and their level of network access.
  3. Determine if access control lists (ACLs) are configured properly and are enabled.
  4. Identify whether network administrators are monitoring and tracking changes made to ACLs.
  5. Determine whether the company uses switch port mirroring (a switched port analyzer, or SPAN, port) or the remote network monitoring (RMON) specification to collect traffic statistics.
  6. Identify whether network administrators track and control changes to the overall network through a change management process.

In terms of reviewing the configuration of network applications and the devices that carry them, auditors need to:

  1. First understand the importance and role of each application and device within the organization's network topology.
  2. Be aware of vendor and industry best practices for configuring network devices in general.
  3. Identify whether any component or sub-component of the configuration is missing, applied incorrectly, or used inappropriately.

To rectify network bandwidth use problems, auditors can recommend that organizations use virtual LANs (VLANs): a switched network that is logically segmented by function, project team, or application without regard to the physical location of users. VLANs help organizations shrink the broadcast domain (the set of computers that receive one another's broadcast frames directly, without passing through a routing device, because they share the same subnet), so that broadcasts from NetBIOS, ARP, and similar protocols reach fewer hosts. Note that a VLAN is a performance and segmentation measure, not by itself a security boundary: traffic between VLANs must still be filtered at the router or firewall that connects them. Besides VLANs, the deployment of up-to-date antivirus and anti-spam programs is recommended.

Key Audit Recommendations Regarding Network Performance

Before completing the network performance review, internal auditors need to ensure that recommended actions:

  1. Do not hamper the application's normal performance.
  2. Do not introduce the use of an application or program that could slow down the data transmission speed or access to applications and programs residing in the network.
  3. Do not introduce a network security problem.
  4. Take into consideration the cost of the network's overall performance.
  5. Do not introduce the use of complex technology the organization may hesitate to acquire or implement.
  6. Conform to an accepted standard, are precise, and are as simple as possible.

Packet size distribution. The network's packet size distribution shows the size of the digital blocks of data flowing through the network and is therefore a direct indicator of how bandwidth is being used: many small packets point to interactive or chatty protocols, while a preponderance of full-size packets points to bulk transfers. Packet flows during a typical business day follow the company's bandwidth use in frequency and size (e.g., during hours of peak bandwidth use, the share of large packets is typically at its highest for the day).

There are many factors that affect a network's packet size distribution, some of which include the applications installed (e.g., Microsoft SQL Server), the kind of services running on the network (e.g., the dynamic host configuration protocol, DHCP, which lets network administrators centrally manage and automate the assignment of IP addresses), and the policies implemented (e.g., Windows Active Directory Group Policy). Results obtained from network bandwidth use audits can help internal auditors identify additional factors that are affecting the network's packet flows. For example, in a Windows-based domain environment, normal packet sizes fall mostly in the 65 to 127 byte and 512 to 1,023 byte ranges (the size classes used by RMON statistics and most analyzers). If the organization runs a client-server application that moves bulk data, most packets will instead fall in the 1,024 to 1,518 byte class, 1,518 bytes being the maximum standard Ethernet frame; frames larger than that appear only where jumbo frames have been enabled end to end.

Type of data flows. Protocol analysis uses software or hardware tools that capture, decode, and interpret the contents of data packets (i.e., the types of data) as they flow through a network, and optionally react to what they find. Thus, protocol analysis is an essential part of any network performance audit, since it shows not just how much bandwidth is being used but what is using it. For instance, protocol analysis can help network administrators determine the service or application that is consuming large amounts of the network's bandwidth.

In addition, protocol analysis information, along with the application's working technology documentation, can help auditors to determine whether the data flowing through the network is genuine traffic (i.e., necessary business information) or is redundant or unnecessary information that could lead to network congestion and, therefore, hamper the network's performance.

Reasons why unnecessary or redundant traffic can flow in the network from a particular application include:

  1. A malfunction or misconfiguration of the application, service, or hardware that is originating the data.
  2. A bug in the code of the application or hardware that is originating the information.
  3. Improper routing of the traffic from the application or hardware that is originating the data to the client requesting the data or any other network component.

Figure 3 examines a protocol or data flow analysis for the same organization. As shown in the illustrations, the network's transmission control protocol (TCP), a transport protocol that provides reliable delivery of data bytes, and NetBIOS, which allows applications on separate computers to communicate over a LAN, account for the largest share of traffic. A large NetBIOS share on a Windows LAN usually reflects name-service and browser broadcasts, the kind of traffic that VLAN segmentation reduces.

Because the factors behind protocol statistics can be difficult to determine, manual intervention might be necessary to identify the applications that make the heaviest use of each protocol. For instance, if the auditor notices that the lightweight directory access protocol (LDAP), which programs use to look up directory information such as users, groups, and policies from a server, is in use, then activities related to the domain controller, such as Group Policy updates, are probably taking place on a regular basis. Besides manual intervention, auditors can use programs such as Wireshark, whose protocol hierarchy and conversation statistics show which IP addresses are using which protocols and how many bytes each exchanged. Results obtained from these programs can help augment manual analyses.


Figure 3: Protocol analysis results during morning (top), afternoon (middle), and evening (bottom) business hours

Data error rates. Data errors, as they apply to network packets, are frames that were corrupted in transit (e.g., their frame check sequence no longer matches) or that violate framing rules (runts shorter than 64 bytes, giants longer than the maximum) before reaching their final destination. Consequently, as these frames arrive, they are simply discarded by the recipient (e.g., a computer host or network device), and any upper-layer protocol that needs the data must retransmit it, consuming bandwidth a second time. Physical-layer problems are the usual cause: cable runs beyond the specified length, damaged or poorly terminated cabling, electrical interference, duplex mismatches between a host and its switch port, or failing interfaces. Ethernet's built-in error detection ensures that corrupted frames are dropped rather than delivered, but detection is not prevention: improper or non-structured network cabling still produces error frames.

When analyzing data error rates, internal auditors should compute the ratio of error frames to total frames and compare it with the expected rate, as this gives a clearer picture of how many error frames are moving within the network than a raw count does. The expected, or normal, packet flow within the network can be based on:

  1. Information from previous network performance audit reports.
  2. General packet flows observed by the auditor during low-use, moderate, and peak business hours over a considerable period of time (i.e., four to five days) using packet capture tools.
  3. The auditor's knowledge of how the application that sends and receives the packets behaves.
  4. The auditor's knowledge of and experience with network activities and performance.
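The four measurements listed at the start of this section (overall bandwidth use, packet size distribution, type of data flow, and error rate) can all be computed from one frame-level capture once it has been decoded. The following Python script is an added example written for this page, not code from the article or from any product it mentions. It takes frame records (on-wire length, protocol label, error flag) such as those a decoder like Wireshark produces, expresses utilization against a nominal link speed with Ethernet's per-frame overhead included, bins frame sizes into the RMON size classes discussed under packet size distribution, ranks protocols by bytes carried as figure 3 does, and compares the error ratio with a baseline carried over from a previous audit. The sample capture, link speed, and baseline value are constructed for illustration.

```python
"""Core metrics of a network traffic analysis: utilization, packet size
distribution, protocol share and error rate, computed from frame records."""
from collections import defaultdict
from typing import NamedTuple


class Frame(NamedTuple):
    length: int   # on-wire frame length in bytes, FCS included (64 to 1518 on standard Ethernet)
    proto: str    # highest-layer protocol as a decoder such as Wireshark would label it
    ok: bool      # False for malformed frames (runts, bad FCS, ...) that the receiver discards


# Preamble (7) + start-of-frame delimiter (1) + minimum inter-frame gap (12):
# bytes the link spends on every frame but that no capture tool records.
WIRE_OVERHEAD_BYTES = 20

# RMON etherStatsPkts size classes, with undersize and oversize (jumbo) classes added.
SIZE_BUCKETS = (
    ("<64 (undersize)", 0, 63),
    ("64", 64, 64),
    ("65-127", 65, 127),
    ("128-255", 128, 255),
    ("256-511", 256, 511),
    ("512-1023", 512, 1023),
    ("1024-1518", 1024, 1518),
    (">1518 (jumbo)", 1519, float("inf")),
)


def utilization_percent(frames, window_seconds, link_bps):
    """Share of link capacity consumed over the monitoring window."""
    wire_bytes = sum(f.length + WIRE_OVERHEAD_BYTES for f in frames)
    return wire_bytes * 8 / (window_seconds * link_bps) * 100


def size_histogram(frames):
    """Frame count per size class; a heavy 1024-1518 class means bulk transfers."""
    hist = {label: 0 for label, _lo, _hi in SIZE_BUCKETS}
    for f in frames:
        for label, lo, hi in SIZE_BUCKETS:
            if lo <= f.length <= hi:
                hist[label] += 1
                break
    return hist


def protocol_share_percent(frames):
    """Bytes per protocol as a percentage of all bytes, largest consumer first."""
    by_proto = defaultdict(int)
    for f in frames:
        by_proto[f.proto] += f.length
    total = sum(by_proto.values())
    ranked = sorted(by_proto.items(), key=lambda kv: kv[1], reverse=True)
    return {proto: nbytes / total * 100 for proto, nbytes in ranked}


def error_rate_percent(frames):
    """(error frames, total frames, error percentage)."""
    bad = sum(1 for f in frames if not f.ok)
    return bad, len(frames), bad / len(frames) * 100


def analyze(frames, window_seconds, link_bps, baseline_error_percent):
    """Run all four checks and compare the error rate with the previous audit's baseline."""
    bad, total, err_pct = error_rate_percent(frames)
    return {
        "utilization_percent": utilization_percent(frames, window_seconds, link_bps),
        "size_histogram": size_histogram(frames),
        "protocol_share_percent": protocol_share_percent(frames),
        "error_frames": bad,
        "total_frames": total,
        "error_rate_percent": err_pct,
        "error_rate_above_baseline": err_pct > baseline_error_percent,
    }


def sample_capture():
    """Constructed one-second sample from a Windows LAN segment (not a real capture)."""
    frames = []
    frames += [Frame(1518, "tcp", True)] * 200      # bulk file copy: full-size frames
    frames += [Frame(96, "netbios", True)] * 300    # NetBIOS name-service and browser chatter
    frames += [Frame(314, "ldap", True)] * 40       # directory lookups, e.g. Group Policy refresh
    frames += [Frame(64, "arp", True)] * 10         # ARP broadcasts
    frames += [Frame(44, "unknown", False)] * 5     # runts: below the 64-byte minimum, discarded
    return frames


def audit_sample():
    """Analyze the constructed sample on a 100 Mbit/s link against a 0.1 percent error baseline."""
    return analyze(sample_capture(), window_seconds=1.0, link_bps=100_000_000,
                   baseline_error_percent=0.1)


if __name__ == "__main__":
    for key, value in audit_sample().items():
        print(f"{key}: {value}")
```

Running the script prints the four metrics for the constructed second of traffic: low utilization, a size distribution split between the 65 to 127 byte class (NetBIOS) and the full-size class (the file copy), TCP as the dominant protocol by bytes, and an error rate well above the assumed baseline, which is the cue to look at the cabling and duplex settings on that segment. Feeding it real data only requires building Frame records from a decoder's export, one per frame.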

MOVING FORWARD

Network performance audits can help IT departments to better measure a network's quality of service. To this end, internal auditors can work with network administrators to obtain information regarding the network's bandwidth use. Doing so will enable organizations to identify any breakdowns in network performance and rectify problems that may hinder the organization's day-to-day activities. Besides collecting and reviewing this information, auditors can examine the network's Internet use, cable performance, and e-mail server activities, which may also hinder network performance.


Nikhil Wagholikar, CEH, is an information security analyst with Network Intelligence India (NII) Pvt. Ltd., an IT security consulting firm located in Mumbai, India, that offers ethical hacking, computer forensics, security auditing, ISO-27001 compliance and business continuity management services. As part of NII's team, Nikhil has worked on multiple security projects and audits dealing with all aspects of IT, and conducts penetration tests and vulnerability assessments for clients. Nikhil holds the certified ethical hacker designation.

 

All contents of this Web site, except where expressly stated, are the copyrighted property of The Institute of Internal Auditors Inc.

 

Key Points to Keep in Mind When Conducting a Software Audit

Learning about the problems associated with software audit tools, as well as determining who will perform the audit, will enable organizations to better identify their software holdings and minimize their risks.

John Silltow
Managing Director, Security Control and Audit Ltd.

Many IT auditors will be faced with the task of conducting a software audit at some point in their careers. The purpose of these audits is often simple: Determine whether the software installed on company-owned computers was obtained legally and was authorized for use by the appropriate staff. Sometimes software audits are conducted for legal reasons (e.g., to verify that there are sufficient licenses to cover software use, as in a software copyright audit) or to make sure staff are using the same software versions or there are no surplus licenses.

Regardless of why a software audit review takes place, once it is completed, the audit needs to provide information that can help senior managers understand the purpose of the software and its value to the organization, the risks posed by the software program, and, particularly, whether it is necessary to have or use that software. Gathering this information is usually played down by vendors of software tools as something that the software audit program will do for the organization, but, in reality, it is probably the hardest and most time-consuming part of the entire software management process. Therefore, learning about the problems associated with software audit tools will help internal auditors and IT departments choose the audit tool or service that best captures information regarding the organization's software holdings.

SOFTWARE AUDITS — A BIRD'S EYE VIEW

There are different kinds of software audits. For instance, a software licensing audit is performed to determine whether an organization is in compliance with user license agreements, while a software quality audit is performed to examine the software program's quality and effectiveness. In general, a software audit involves ascertaining which software programs are loaded on company-owned computers or are residing within the network and comparing this information with existing software licenses, proofs of purchase documents, and contracts. The end result of the audit is to show that software has been legally and legitimately obtained and its use is of benefit to the organization.

As part of the software audit, the person conducting the audit (i.e., the internal auditor, designated in-house employee, or third-party vendor) needs to identify software holdings by name, after which all programs need to be identified based on their:

  • Function (i.e., is it a business tool or a music, video, or game program?).
  • Version (i.e., does the organization support multiple versions, which can lead to potentially costly support and data movement processes?).
  • Risks (i.e., will this software attract an attacker?).
  • Continued need (i.e., does the organization need this software to perform day-to-day functions or special activities?).

In practice, there is no standard approach for conducting a software audit. Some software audit tools identify applications only by matching files against an internal database of software signatures (typically file hashes or header characteristics); others recognize programs only by their extensions (e.g., EXE, COM, and DLL files), so an executable that has been renamed escapes them entirely. Finally, more advanced tools inspect file contents to distinguish genuine executables from other files regardless of their names and to identify executables that have been renamed.

COMMON PROBLEMS ASSOCIATED WITH SOFTWARE AUDITS

One of the keys to a successful software audit is the audit tool's selection and proper use. This is because different software audit tools will generate different views on a company's software holdings. As a result, it is important for internal auditors to be aware of the tool's capabilities, especially if the organization wants to confirm whether its software holdings are legal or appropriate. Otherwise, the organization could be making assumptions on insufficient or misleading data.

Although in many cases identifying current software holdings during the review can be easily achieved by comparing the software in use with existing licenses, contracts, and other kinds of proofs (i.e., purchase invoices and service-level agreements), sometimes the auditor will not be able to identify all software holdings. Situations like these may occur because the software audit tool used to perform the review:

  • Fails to identify or recognize an executable file (e.g., it is not in the tool's internal database).
  • Misses software that was renamed or hidden in the recycle directory, which not all software audit tools search.
  • Cannot link files found in general or shared company directories to a particular software product installed on someone's computer.

Besides identifying the software products currently in use, another problem is finding out what the software actually does. Simply clicking on an executable and running it might be the intuitive action to take, but what if the unidentified file is a virus, Trojan, or a stub program (i.e., software that is only partially installed or deleted) that causes the computer or, worse, the network to crash? As a result, many auditors may simply list unknown files in their audit reports without properly identifying what they do or write comments such as, "We couldn't determine what the file is, but when we tried to delete it the machine crashed" or "The system identifies this as a shared file and, as such, it would be unwise to delete it."
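The content-based identification described above (reading file headers rather than trusting extensions), the files a tool commonly misses (renamed executables, leftovers in the recycle directory), and the problem of learning what an unknown file is without running it can all be handled in one inventory pass. The following Python script is an added example written for this page, not code from the article or from any audit tool it mentions. It classifies each file by its header (Windows PE, 16-bit DOS MZ, ELF, or script), flags executables hiding behind document extensions as well as executable extensions with nothing executable inside, and looks every file's SHA-256 hash up in a signature list, so nothing is ever executed. The directory tree, file contents, product name, and hash list are constructed for illustration.

```python
"""Inventory executables by file content rather than by name, and match them
against a list of known software hashes without running any of them."""
import hashlib
import os
import struct
import tempfile

EXEC_EXTENSIONS = {".exe", ".com", ".dll", ".scr", ".sys"}
BINARY_KINDS = {"pe", "mz", "elf"}
EXEC_KINDS = BINARY_KINDS | {"script"}


def classify_bytes(data: bytes) -> str:
    """Identify a file by its header: 'pe' (Windows), 'mz' (16-bit DOS), 'elf', 'script' or 'data'."""
    if data[:2] == b"MZ":
        if len(data) >= 0x40:
            e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]   # offset of the PE header
            if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
                return "pe"
        return "mz"
    if data[:4] == b"\x7fELF":
        return "elf"
    if data[:2] == b"#!":
        return "script"
    return "data"


def inventory(root: str, known_hashes: dict) -> list:
    """Walk root, hash every file, classify it and flag name/content disagreements."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            kind = classify_bytes(data)
            ext = os.path.splitext(name)[1].lower()
            digest = hashlib.sha256(data).hexdigest()
            records.append({
                "path": os.path.relpath(path, root).replace(os.sep, "/"),
                "kind": kind,
                "sha256": digest,
                "product": known_hashes.get(digest, "unknown"),
                # executable content hiding behind a harmless-looking extension
                "renamed": kind in BINARY_KINDS and ext not in EXEC_EXTENSIONS,
                # executable extension but no executable inside (stub, truncated or fake file)
                "ext_mismatch": ext in EXEC_EXTENSIONS and kind not in BINARY_KINDS,
            })
    return sorted(records, key=lambda r: r["path"])


def make_pe_stub(payload: bytes) -> bytes:
    """Constructed bytes that pass the PE header check; not a runnable program."""
    header = bytearray(0x40)
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)   # e_lfanew: PE header follows the DOS header
    return bytes(header) + b"PE\0\0" + payload


def audit_sample_tree() -> dict:
    """Build a constructed sample directory, inventory it and summarise the findings."""
    payroll = make_pe_stub(b"payroll-client")
    # Hypothetical signature database: sha256 -> product. Real tools ship thousands of entries.
    known = {hashlib.sha256(payroll).hexdigest(): "Payroll Client 4.2 (hypothetical)"}
    samples = {
        "Program Files/payroll/payroll.exe": payroll,                       # licensed, identified
        "Users/jsmith/Documents/quarterly.txt": make_pe_stub(b"unknown"),   # executable renamed as a document
        "Users/jsmith/Music/track01.mp3": b"ID3\x03\x00" + bytes(32),       # media file, not software
        "Users/jsmith/Desktop/setup.exe": b"",                              # zero-byte stub from a failed install
        "opt/tools/scan.sh": b"#!/bin/sh\necho scanning\n",                 # script
        "$Recycle.Bin/S-1-5-21/$RX1.exe": make_pe_stub(b"deleted-game"),    # executable in the recycle directory
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in samples.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        records = inventory(root, known)
    execs = [r for r in records if r["kind"] in EXEC_KINDS]
    return {
        "executables": [r["path"] for r in execs],
        "unknown_executables": [r["path"] for r in execs if r["product"] == "unknown"],
        "renamed": [r["path"] for r in records if r["renamed"]],
        "ext_mismatch": [r["path"] for r in records if r["ext_mismatch"]],
        "identified": {r["path"]: r["product"] for r in records if r["product"] != "unknown"},
    }


if __name__ == "__main__":
    for key, value in audit_sample_tree().items():
        print(f"{key}: {value}")
```

Running the script prints the summary for the constructed tree: the renamed executable in the Documents folder and the one in the recycle directory both surface as unknown executables, the empty setup.exe is reported as an extension mismatch rather than as software, and only the file whose hash is in the list is named. Anything that matches nothing stays "unknown" in the report instead of being guessed at or run.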

Additionally, the person conducting the audit needs to consider how the tool is to be used. Are users going to be involved or will the whole audit take place from a single machine in the audit or IT department? Another aspect that needs to be considered before using or selecting an audit tool is the purpose of the audit. For instance, software audits may be used to identify all MP3, graphic, or video files, as well as trace sensitive documents or spreadsheets. As can be expected, the whole purpose of the audit can be undermined if the software audit tool does not recognize different file formats from its internal database.

TO OUTSOURCE OR NOT — WHICH IS BEST?

As discussed earlier, different software audit tools may differ based on their cost and how they work, so auditors should evaluate the tool before recommending or purchasing one that best meets the organization's needs. Therefore, the audit needs to be performed with a software audit tool the organization is comfortable with. Besides selecting the appropriate software audit tool, organizations need to consider whether the audit will be conducted in house or by a third party (i.e., outsourcing the audit). The differences between using a third-party or in-house staff to perform the audit mostly relate to cost (i.e., an in-house audit is usually cheaper), experience (i.e., outsourcers generally have more experience), and time (i.e., an outsourced audit is usually completed faster). Below is additional information on things to keep in mind when either outsourcing the audit or conducting it in house.

Outsourcing the Audit

To make sure software audit reviews properly identify all software holdings and what they do, many organizations outsource or sub-contract the software audit process to providers who have the necessary skills and expertise. Besides having access to a larger database of software signatures than the client organization, and thus being better able to identify what each program is and does, sub-contracting this part of the audit places the work of identifying the software holdings with the outsourcer rather than the organization. Accountability for license compliance, however, stays with the organization, so the contract should state how unidentified files will be reported.

However, it is virtually impossible for any outsourcer to have information on every software package in the market. In addition, the software audit tool used may not be able to identify all software holdings as explained previously. As a result, the outsourcer may not be able to document all of the software products currently in use by the organization. When this occurs, the outsourcer may simply provide a list of the software products they were able to identify and disregard the small amount they could not document or list them as unknown. While this approach may not be entirely effective in identifying all software products, it may be a satisfactory approach for organizations that lack the financial resources to identify all software holdings, especially if the unidentified software is only present in a handful of computers.

On the negative side, by not identifying all software holdings, including the ones the audit tool was not able to recognize, the organization remains unaware of their presence and the risks they pose. A good example of this is the inability of many audit tools used by third-party vendors to identify the sheer number of software products that are downloaded directly from the Internet without a physical copy ever being purchased. While some downloaded programs may have been bought from a legitimate Web site, many free software products bundle adware or spyware that can adversely affect a computer's performance and its user's privacy.

Conducting the Audit In-house

If the organization wishes to further mitigate the risks created by software use or prefers to keep the whole process in house, options become somewhat limited. When selecting a software audit tool, the organization may wish to contact reference sites or other tool users to document any of the unidentified software that was found. While the organization might be able to identify all of its software holdings, it will have to spend valuable company time and resources tracing the software by conducting online searches and staff interviews.

A good point to keep in mind when trying to obtain references is that many audit tool providers do not like to share their client lists. Although one or two clients may be named and used as site references for potential buyers, most organizations do not want their software choices broadcast; hence, they do not encourage software publishers to list their names. In addition, publishing the name of smaller organizations may also not be meaningful in any way to the wider community. This does not mean that contacting other users isn't ideal; it simply may not be possible to do so. Nevertheless, other sources exist, such as different discussion boards and forums that may be able to provide further help (refer to the end of this article for examples of discussion boards). The use of these services enables organizations to more effectively manage their software holdings by providing information that is either freely available or within easy reach.

One such source is a free software audit service from the United Kingdom called Liken. Developed for smaller organizations with scant resources in mind (i.e., those with 300 computers or less), Liken enables its members to share their knowledge on software products used in the field. Thus, the service may be a good alternative for internal auditors of all levels who would like to understand how to deal with software identification, what software signatures are, and how these signatures can improve their audit process. In addition, Liken provides information to help auditors and IT staff who are about to start their first software audit and need support and advice.

MOVING FORWARD

Software audit reviews have become more mainstream over the years and are now a regular feature on many internal audit plans. However, challenges remain, many of which are related to choosing the tool that best meets the organization's audit and assurance needs and the needs of the person who performs the audit (i.e., a third-party vendor or an internal IT or internal audit staff member). In addition, internal auditors and organizations need to remember that software publishers are still the owners of the product and, as a result, can ask for and expect users to account for how they are managing the software. This is a risk that is never going to go away.



John Silltow has more than 20 years' experience working with government and financial information systems in England, focusing on computer audit and security. He is now managing director of his own company, Security Control and Audit Ltd., and specializes in Internet security, software management, and IT and audit training.


 

Facing the E-discovery Challenge: A Proactive Approach

As e-discovery continues to play an increasing role in corporate litigation, internal auditors need to develop data retention policies that ensure the safe storage and accurate retrieval of electronic data.

Shawna Scharf
Contributing Staff Writer

The amendment of the Federal Rules of Civil Procedure in 2006 sent U.S. companies scrambling to retain, classify, label, and compartmentalize the vast amounts of data that had, until that point, been retained or deleted haphazardly. Corporate litigators were now faced with relying on IT departments to aid in e-discovery, which can include all types of electronically stored information (ESI) such as database archives, e-mails, instant message (IM) logs, Word documents, scanned documents, and more. As a result, many IT departments and internal auditors are struggling to keep up with the stricter guidelines and are only now becoming familiar with the case law surrounding e-discovery. However, by studying e-discovery law, recommending the implementation of sound data retention policies, investing in the right software tools, and working with the company's legal counsel, auditors can reduce the risk of coming up empty handed in the e-discovery process.

Litigation Trends Survey Results

E-discovery methods:

  • Seventeen percent of companies represented in the survey lost their right of document privilege due to inadvertent production of ESI. Financial and retail firms rated at nearly 40 percent.
  • E-discovery plays a frequent role in legal matters in 13 percent of billion-dollar firms surveyed.

Preserving records:

  • Eighty-nine percent of surveyed firms have procedures to ensure preservation of all data related to a legal or regulatory action.
  • Eighty-one percent of U.S. companies said they have reviewed their retention policies in the last 12 months.
  • Twenty-eight percent of companies retain IMs routinely or in certain cases, while 40 percent of billion-dollar firms do.
  • Thirty-one percent of companies surveyed store employee voice mail for at least two months.

LANDMARK CASES

Litigation remains a daunting fact of doing business. Lawsuits with US $20 million or more at stake are on the rise, according to a recent Litigation Trends Survey of in-house counsel in the United States and United Kingdom. According to the survey, conducted by international law firm Fulbright & Jaworski LLP, e-discovery is playing an increasing role in the outcome of these multi-million dollar cases, placing those responsible for data retention and production (namely litigators and IT professionals) in the hot seat. In fact, several landmark rulings addressing failure to comply with e-discovery requests influenced the amendments to the Federal Rules of Civil Procedure.

Zubulake v. UBS Warburg is considered to be one of the most important cases, partly because of the e-discovery expertise of Judge Shira A. Scheindlin. In this case, Laura Zubulake sued her former employer, UBS Warburg, for gender discrimination and retaliation. Much of the critical evidence in the case centered around e-mail correspondence that turned up deleted or missing from UBS backup tapes. As a result, the court granted an adverse inference instruction that instructed jurors to assume the missing e-mails would have negatively impacted UBS' case. Ultimately, the jury found that UBS had discriminated against Zubulake, who was awarded more than US $29 million in damages. This decision had far-reaching legal implications in that it allows courts to deduce facts from missing or destroyed data.

A second landmark case was Arthur Andersen LLP v. United States, in which Enron's accounting firm (i.e., Arthur Andersen) instructed its employees to destroy documents relating to Enron after Andersen officials knew that an investigation by the U.S. Securities and Exchange Commission (SEC) was imminent. Although Arthur Andersen was convicted of obstruction of justice, the U.S. Supreme Court overturned the conviction in 2005 on the ground that the jury had not been required to find that the firm knew its conduct was wrongful; instructing employees to follow an existing document retention policy is not, by itself, a knowing violation of the law. The outcome of this case reinforced the need for organizations to have well-documented retention policies and procedures, and to suspend routine destruction as soon as litigation is reasonably anticipated.

Zubulake v. UBS Warburg

This landmark case took on a number of e-discovery issues:

  • The scope of a party's duty to preserve electronic evidence during the course of litigation.
  • Lawyers' duty to monitor their clients' compliance with electronic data preservation and production.
  • Data sampling.
  • The ability for the disclosing party to shift the costs of restoring inaccessible backup tapes to the requesting party.
  • The imposition of sanctions for the spoliation (i.e., destroying, damaging, or altering) of electronic evidence.

HOW MUCH DATA IS ENOUGH?

How can internal auditors determine how much and which data to retain? As a general rule, a reasonable destruction and retention policy should not require the retention of everything. As Francis Bueb, a CPA and technology professional at Ueltzen & Company LLP, explains, the industry itself is the best indicator of what data should be retained and for how long.

"As part of the securities trading industry, online brokers, for example, may retain data by the minute or a fraction of a minute, whereas a construction company focused on long-term projects can back up data much less often without assuming risk." He adds that most industries have a range for what is acceptable and what is not, and auditors should make sure that their organization falls within that range.

Another important factor for data retention, according to Bueb, is consistency. "If a company's data retention policy requires the backup of a certain function every month, and then for some reason, skips a month, they could be in trouble if that information is required for litigation."

Finally, the actual content that needs to be retained should be considered as well. As Bueb explains, this content will change when the company is aware of a pending lawsuit in which ordinary document destruction is suspended. "Your data retention policies might be the same. For instance, the company backs up its data every day on tapes, but instead of reusing those tapes, the company is required to save them for possible inclusion in the discovery of the lawsuit." Failure to do so can result in serious consequences, including monetary sanctions.

E-DISCOVERY TOOLS

These hefty judgments and complex e-discovery rules have created a boom for the electronic data discovery business. Dozens of companies have positioned themselves as a "one-stop shop for all e-discovery needs," while other vendors have been capitalizing on the fear surrounding e-discovery in more of a "buy now or pay later" pitch, with allusions to the huge monetary damages companies can expect without the proper software — or hardware or consultants — in place. Taking the approach that the right tool will fully satisfy a company's requirements for e-discovery is short-sighted, according to Dave Canfield, managing consultant for Kroll Ontrack.

Questions to Ask When Assessing In-house or Vendor-managed Tools:

  • How robust is the company's search capability?
  • Does the tool search within container files, such as .zip, .jar, and others?
  • Does the tool search within all of the file types likely to be encountered in the company's IT environment?
  • Does the tool support an online review by multiple reviewers?
  • What production formats are supported by the tool?
  • Does the vendor stand behind the tool with support and constant testing?
  • Has the vendor defended the tool in court?
  • What is the total cost of ownership, including hardware, connectivity, and specialists such as database administrators?

"The first thing auditors need to understand is that an effective e-discovery approach involves three things: a combination of tools and software, effective processes and procedures, and education." What ends up happening, Canfield says, is that auditors purchase a tool, and it works fine — it searches data in the way that it is supposed to — but it doesn't handle all of the processes around it — it doesn't collect the data in a forensically sound manner or in a way that will stand up in court, for example. Therefore, once a gap analysis is performed to determine what went wrong, Canfield says, IT managers realize that they need another tool to fix what the first tool didn't, and the process continues until what started out as a few tools in a small department ends up with 100 people supporting dozens of tools and pieces of software. Because most companies don't consider that there is a potential risk anytime a company brings a search tool in-house, auditors must ask themselves how much money, time, and effort they will expend in creating a control data set around the new tool.

"We find that a lot of search tools will stop processing data whenever they hit certain types of HTML code or certain types of formatting characters, especially in legacy content, such as older WordPerfect documents and Lotus spreadsheets. All the while, this auditor may be asked to defend the tool in court by saying 'Yes, your honor, our tool picked up everything required in this discovery.'"

Canfield says most of these situations can be avoided with the implementation of a comprehensive program up front that uses tools the company already has combined with processes and procedures or an outsourcing agreement with a vendor.

Another dilemma facing IT auditors is how much of the e-discovery can be done in-house. Canfield says auditors should objectively consider a series of questions when deciding what can and cannot be done in-house: What is the IT department capable of doing? Is the staff trained in preserving the data correctly, as well as running and testing the search tools? And, ultimately, who is the company going to put on the stand? If, after an objective risk assessment, the auditor is not comfortable with the in-house scenario, he or she should say so during the planning phase.

E-DISCOVERY AND LITIGATION

Ensuring that adequate controls and data retention tools are up and running is only the first step in the legal process. As Bueb explains, internal auditors with the necessary background and experience may be called on to aid the organization's attorney and information systems personnel by:

  • Planning for discovery.
  • Determining accessibility of ESI.
  • Developing a list of records to be requested from opposing parties.
  • Identifying files and records that may contain privileged information.

The production and discovery of privileged information is an especially sticky area for litigators and auditors. When documents are produced for discovery, Bueb comments, privileged records are not discoverable, such as board meeting minutes with correspondence involving the organization's counsel on the pending litigation. In cases like these, there is often a "clawback," or non-waiver, agreement, under which inadvertently produced material is returned without a waiver. However, it may be disastrous to allow certain documents to be viewed by the opposing parties. Because the process of producing documents must be managed in conjunction with the ability to identify records deemed to be privileged, auditors must examine the controls that are in place to identify what material is or is not considered privileged information.

LOOKING FORWARD

"E-discovery is not just an IT issue, it is a business issue. It affects every part of an organization to the highest levels," states Robert Hallberg, a manager at Chicago-based IT consulting firm Acquity Group. "What is often lacking in a company's methodology is a governance risk compliance overview and a proactive approach. Companies should take a risk-based approach to e-discovery policies and procedures and then make decisions based on their risk assessment," he adds.

When considering current case law, being unprepared can be a costly mistake. Hallberg cites an example of a company that was ordered to produce ESI over a six-week period it was unprepared to retrieve. Consequently, the company spent US $10 million on disclosure in a US $50 million fraud investigation. As Hallberg explains, well-crafted retention policies could have limited this company's exposure to seemingly endless disclosure. Ultimately, Hallberg says, auditors need to establish a close relationship with the company's legal team. This will enable auditors to help senior managers understand every facet of the law and its implications, as well as provide recommendations that meet e-discovery compliance requirements.

In the largely untested waters of e-discovery, evolving case law is confirming that it is imperative for IT, legal, and internal audit departments to cooperate to ensure the safe storage of electronic documents and data, while guarding against deletion or periodic destruction. With so much at stake, a risk-based proactive approach to e-discovery is well worth the effort.

All contents of this Web site, except where expressly stated, are the copyrighted property of The Institute of Internal Auditors Inc.

Report Addresses State of IT Compliance Accountability

In today's world of security breaches and sophisticated online threats, compliance with IT policies and procedures — as well as ensuring employees are held accountable for their actions — is a must. To this end, the IT Compliance Institute (ITCi), an IT education, research, and analysis services organization, recently released The State of Accountability report, which explores best practices for creating conditions that support accountability and exposes the gaps between the current state of IT governance and business compliance practices.

More specifically, the report, which draws on responses from 218 IT, compliance, and business managers from Romania, Saudi Arabia, The Netherlands, and the United States, discusses four critical factors that must be present for accountability to take place:

  1. Compliance expectations must be clear. As organizations move forward with their goals and objectives, they need to create conditions of accountability for IT compliance to take place. Doing so will enable employees to be clear about which behaviors they are, and are not, expected to perform; understand how compliance is evaluated; and comprehend how their compliance with established policies and procedures is important and fits into the big picture.
  2. Expectations for compliance need to be credible and reasonable. Once conditions of accountability are met, employees need to hear consistent messages from senior managers and participate in leader-led compliance training. "If employees don't hear senior leaders talking, and talking consistently, about compliance and explicitly linking it to business goals, the implicit message is that compliance isn't really important," explains the report. "Creating the conditions of accountability for IT compliance starts with tone at the top."
  3. Positive consequences need to follow compliance. As the report states, organizations that have adopted a serious attitude toward accountability reward and recognize employees for their compliance and provide incentives that are based on how managers want employees to feel. These organizations also integrate compliance into performance goals and plans as well as minimize or eliminate unintended negative consequences for top performers.
  4. Negative consequences must follow noncompliance. In addition to rewarding positive behavior, senior managers need to hold employees accountable for noncompliance. When doing so, managers need to be consistent and predictable in administering disciplinary actions; carefully manage communication around high-profile disciplinary measures; minimize or eliminate rewards that may lead to poor performance; and follow through with negative consequences for noncompliance.

Besides these best practices, the report discusses the overall state of IT compliance accountability. According to the study, most of the organizations surveyed have a hard time holding employees accountable for IT compliance. More than 60 percent of respondents say their organization does a less-than-effective job at holding employees accountable for compliance, while only 8 percent report that they do a "very good" job of holding employees accountable. This is because many organizations do not have an effective approach for IT compliance accountability. Furthermore, the study found that leadership fails to model accountability in their decisions or behavior. Nearly three out of five respondents report a lack of leadership focus on accountability in their organizations, and only 7 percent note that leaders are doing a good job of modeling accountability.

Finally, responses reveal that gaps exist between the current state of compliance accountability and best practices in the area. More than 50 percent of respondents say that employees in their organization clearly understand the reasons behind compliance policies and procedures; know what to do and how to do it; and have the knowledge, skills, and training needed to comply. However, only 39 percent of survey participants report that employees understand how their performance is measured.

"Driving compliance is a leadership imperative," concludes the study. As a result, "it is incumbent on leadership to change the compliance outlook."

To read the full study, visit the ITCi Web site (PDF, 349 KB).

Annual Survey Discusses Latest Information Security Trends

Out of every dollar spent, 15 cents goes to security. What's more, the hiring of security staff is at an all-time high. Unfortunately, companywide security efforts are not getting any better. These were among the main findings of the fifth annual Global State of Information Security survey conducted by CIO and CSO magazines and PricewaterhouseCoopers (PWC) LLP. The survey compiles the responses of 7,200 vice presidents and directors of IT and information security, as well as chief executive, financial, information, and security officers from Asia, Europe, the Middle East, North America, South America, and South Africa.

According to the worldwide survey, organizations are able to identify information security problems more effectively than before because they have the tools and systems to do so. Organizations are "undergoing a shift from a somewhat blissful ignorance of the serious flaws in computer security to a largely depressing knowledge of them," explains CIO magazine. For instance, many organizations have added processes (e.g., enterprise risk assessments), deployed technology (e.g., firewalls, intrusion detection systems, and encryption), and hired employees (e.g., internal or external information security staff) to enhance the company's existing security infrastructure.

In addition, this year marks the first time employees beat hackers as the most likely security threat to corporate IT assets. In fact, executives were even more likely to name employees as the source. "Recognition of the insider threat is a sign that awareness is increasing, largely due to the controls that have been put in place over the past five years," explains the magazine. However, insider threats have remained relatively constant and are usually worse than most executives realize. As CIO magazine points out, employers don't want to think they've hired an untrustworthy person.

On the other hand, those involved in information security admitted they are unaware of the number and nature of security incidents. More specifically, nearly 50 percent of respondents didn't know what was going on in their organizations, and nearly one third of chief security officers (CSOs) and chief information security officers (CISOs) said they didn't know how many incidents their organization suffered or how these incidents occurred. The reasons behind this lack of knowledge are twofold. First, while security tools can inform IT departments that a virus or worm is present, the tool is unable to explain how and why it happened. Second, even though security tools are becoming more and more sophisticated, so are the ones used by disgruntled employees and hackers.

Other trends and key results found in the survey include:

  • The transfer of security responsibilities back to the IT department. This year, there was a 12 percent rise in the number of security executives reporting to IT.
  • Chief executive officers (CEOs) and IT and security staff are not communicating effectively. This is evident in the disconnect found in what CEOs think of their organization's security state and what CIOs and security leaders know.
  • Companies are improving their privacy practices, such as separating privacy from security activities and also separating security governance from tactical security initiatives (e.g., the people in charge of monitoring security tools are not the ones responsible for drafting user policies for those tools).
  • Latin America is one of the areas of the world where the focus on information security has intensified. This is because the presence of less-than-secure online transaction methods and fewer controls and regulations on banking activity have made the region the banking center of choice for online criminals.

To read this and other information security survey trends, visit the CIO magazine Web site.

NIST Releases Four Information Systems Security Guidelines

The U.S. Department of Commerce National Institute of Standards and Technology (NIST) recently released four information systems security-related guidelines, one as a final document and three in draft form for public comment. Below is a summary of each.

  • Guidelines on Securing Public Web Servers (SP 800-44 version 2) provides guidance to help organizations install, configure, and maintain secure public Web servers. The publication also presents recommendations to secure Web server operating systems, applications, and content. Guidelines on Securing Public Web Servers can be downloaded from the NIST Web site.
  • Performance Measurement Guide for Information Security (Draft SP 800-55 revision 1), which is available for public comment through Nov. 16, provides guidance on establishing key performance indicators for developing, selecting, and implementing performance measures to be used with information systems and programs. The report is designed to supersede the Guide for Developing Performance Metrics for Information Security (Draft SP 800-80).
  • The second public draft of SP 800-82, Guide to Industrial Control Systems Security, provides information on how to secure industrial control systems such as supervisory control and data acquisition systems, distributed control systems, and other control system configurations, while addressing their unique performance, reliability, and safety requirements. SP 800-82, which is available for public comment through Nov. 30, also identifies typical threats and vulnerabilities to these systems and provides recommended security countermeasures to mitigate the associated risks.
  • Finally, the draft publication Information System Security Reference Model (Draft SP 800-110) is intended to serve as a guideline for software tool developers and federal agencies that wish to develop an automated process for managing an information security program. The guide also enables greater interoperability between information system security tools, resulting in more practical and cost-effective information security program management. Information System Security Reference Model is available for comment through Nov. 16 and can be downloaded from NIST's Web site.

NIST asks that interested parties submit comments via e-mail and include the publication number in the e-mail address (e.g., 800-61comments@nist.gov).

Financial Fraud Replaces Virus Attacks as the Leading Cause of Financial Loss

The latest statistics from this year's 12th Annual Computer Crime and Security Survey are in. The annual survey conducted by the Computer Security Institute (CSI) found that for the first time since 2002, organizations reported an increase in average annual losses due to cyber crime. According to responses obtained from 494 information security practitioners in the United States, financial fraud overtook virus attacks as the leading source of the greatest financial losses. In fact, the average annual loss reported in this year's survey increased by nearly 110 percent since last year — from US $168,000 to US $350,424.

"Not since the 2004 report have average losses been this high," states CSI.

Virus attacks, which had been the leading cause of financial losses for seven years in a row, fell to second place. Other significant causes of financial losses identified in the survey were system intrusion by outsiders and insider threats. This year, insider abuse of network access or illegal use of e-mail systems, such as surfing pornography Web sites or downloading pirated software, dethroned virus attacks as the most prevalent security problem. However, respondents feel that the presence of insider criminals is somewhat exaggerated. In fact, while some respondents believe that a significant portion of financial losses are due to insider attacks, more than half state that only a small amount of these are due to inside jobs.

In addition, the survey found that of the respondents who suffered one or more security incidents, 32 percent had a targeted attack (i.e., a malware attack aimed exclusively at their organization or at companies within a small subset of the general population). As the study notes, this is a significant finding given that only five years ago the notion of targeted malware attacks was hypothetical. Furthermore, when asked whether their organizations suffered a security incident in general, 46 percent of respondents said yes. This number is down from 53 percent last year and 56 percent in 2005. "Even though average losses are up markedly this year, computer security incidents apparently occur with less frequency within organizations," the report explains. "Overall, this is down from a peak of 70 percent in 2000."

As in previous years, survey participants were asked to identify the types of IT security tools used to deter or identify threats and vulnerabilities. The most commonly used technologies this year are firewalls, antivirus software, anti-spyware tools, and virtual private networks. Finally, organizations used security audits by internal and external staff, penetration testing, and Web activity and e-mail monitoring software to evaluate the effectiveness of currently used security tools.

For a full copy of the annual report, visit the CSI Web site (PDF, 1.86 MB).

IT and Audit News

Privacy advocates ask U.S. government for a Do Not Track list; security experts discuss top 10 security gaps; Microsoft launches e-health service; survey offers tips on managing change.

______________________________________

GOVERNMENT GRAPEVINE

Privacy Advocates Ask U.S. Government for a Do Not Track List
Nine privacy groups asked the U.S. Federal Trade Commission to implement a Do Not Track list similar to the currently used Do Not Call list, which will prevent consumers from having their online activities unknowingly tracked and used by marketers and advertisers.
http://www.eweek.com/article2/0,1895,2210389,00.asp

Gov. Schwarzenegger Signs Law Prohibiting RFID Implants
The state of California has enacted legislation that prohibits employers and others from asking people to use radio frequency identification (RFID) tags. Other states, including Wisconsin and North Dakota, have adopted similar laws against RFID implants in humans.
http://www.informationweek.com/security/showArticle.jhtml?articleID=202402856

Panel Endorses Bill to Stop Online Censorship
The U.S. Congress endorsed legislation that could bar Internet companies in the United States from cooperating with authorities in China and countries with similar political regimes.
http://news.scotsman.com/latest_technology.cfm?id=1694812007

Government Mishap Reveals Sensitive Information
A recent reply-all e-mail sent to 7,500 people from the U.S. Department of Homeland Security flooded mail servers with more than 2 million e-mails, which revealed subscribers' personal information, including telephone numbers and other classified data.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9040878&intsrc=hm_list

Bill Could Enable ID Theft Victims to Seek Financial Restitution
The U.S. Senate recently introduced a bill that would allow victims of identity theft to seek restitution for money and time spent repairing their credit history.
http://www.informationweek.com/news/showArticle.jhtml;jsessionid=JJ0B5VIB3ML5UQSNDLPSKHSCJUNN2JVN?articleID=202403735

______________________________________

SECURITY UPDATES

Security Experts Discuss Top 10 Security Gaps
Reviewing policies and procedures and enhancing physical security are two of the 10 security gaps experts have observed time and time again.
http://www.itcinstitute.com/display.aspx?id=4348

Authorities Seize US $2 Billion in Fake Checks
An Internet financial scam crackdown yielded more than US $2.1 billion in seized fake checks and 77 arrests in The Netherlands, Nigeria, and Canada.
http://www.news.com/Spam-scam-crackdown-nets-2-billion-in-fake-checks/2100-7348_3-6211585.html?tag=cd.top

Three Steps to Securing Virtual Machines
Keeping operating systems and applications patched, deploying intrusion detection software, and patching virtual machines will help to increase the security of virtual IT environments.
http://security.itworld.com/4367/nlssecurity071009/page_1.html

Smaller Botnets Are on the Rise
Criminals are decreasing botnet sizes to make it harder for security companies to track and contain their illegal operations.
http://www.news.com/F-Secure-sees-smaller-botnets-on-the-rise/2100-7349_3-6210900.html?tag=cd.top

Trojan Poses as Software Plug-in to Steal Usernames
The PWS-Pykse Trojan is tricking victims into executing malicious code by disguising itself as a Skype plug-in.
http://www.informationweek.com/security/showArticle.jhtml?articleID=202403942

Hackers May Be Intercepting Internet Phone Calls
A security firm discovered that Internet phone service from Vonage Holdings Corp. is vulnerable to attacks by hackers who are able to intercept calls to the company's subscribers.
http://news.scotsman.com/latest_technology.cfm?id=1698512007

Security Expert Discusses Hijacked Domain Name Servers, Among Other Threats
Roger Thompson, chief technology officer of Exploit Prevention Labs, discusses the threats he is most concerned about and what organizations can do to protect their networks.
http://searchsecurity.techtarget.com/qna/0,289202,sid14_gci1280366,00.html

Company Invents Programming Language for Mass Surveillance
Researchers at AT&T developed Hancock, a C variant, to mine the company's telephone and Internet records for surveillance activities.
http://blog.wired.com/27bstroke6/2007/10/att-invents-pro.html

______________________________________

SOFTWARE UPDATES

Microsoft Launches E-health Service
The software giant has launched an online health-care service that allows users to share health records online to help patients take control of their records and monitor their medical conditions.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9040999&intsrc=hm_list

Virtual Rootkits Do Not Pose Security Threats
Researchers from Carnegie Mellon and Stanford universities say that rootkits that use virtualization techniques cannot remain undetected on a system.
http://www.news.com/Virtual-rootkits-not-a-problem%2C-say-researchers/2100-7349_3-6211166.html?tag=cd.top

Startups Are Offering Tools to Better Contain Insider Threats
Startup security companies are offering tools that give IT departments greater control over who's accessing corporate data.
http://www.informationweek.com/security/showArticle.jhtml?articleID=202403843

Choosing the Right Software Vendor
The software-as-a-service model can help small and mid-size companies to benefit from software applications that save time and money.
http://smallbusiness.itworld.com/4394/071018smbsaas/page_1.html

Gmail Can Synchronize With iPhones and Desktops
Google mail, or Gmail, now uses technology that can synchronize with Outlook Express, Outlook 2007, Outlook 2003, Apple Mail, Windows Mail, and Thunderbird 2.0.
http://www.informationweek.com/software/showArticle.jhtml;jsessionid=Y3UUE4STOIGGUQSNDLPSKHSCJUNN2JVN?articleID=202601159

Cracking Software Could Make It Easier to Recover Passwords
New software uses a computer’s graphics and central processing units to decrease the amount of time required to recover forgotten passwords.
http://www.informationweek.com/software/showArticle.jhtml;jsessionid=Y3UUE4STOIGGUQSNDLPSKHSCJUNN2JVN?articleID=202601180

Software Vendors Address Security Flaws
Security software vendors Symantec Corp. and McAfee Inc. have addressed vulnerabilities criminals can exploit in their products to cause a denial-of-service attack or run malicious code.
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1280365,00.html

______________________________________

OTHER IT AND AUDIT NEWS

Survey Offers Tips on Managing Change
In partnership with Tripwire, the IT Process Institute has identified best practices in change management.
http://www.itweek.co.uk/itweek/news/2201187/itil-offers-tips-managing

U.S. Residents Have a Misconceived Notion of Security
A recent poll found that most U.S. residents have outdated or disabled security software that could lead to a virus or spyware attack.
http://www.news.com/Poll-Americans-wrong-about-computer-security/2100-1029_3-6211093.html?tag=cd.top

UK Firms Lack Adequate Disaster Recovery Plans
A survey commissioned by Symantec found that organizations in the United Kingdom lack effective disaster recovery plans, thus leaving them vulnerable to fines and prosecution due to their inability to properly prepare for system outages.
http://www.itweek.co.uk/itweek/news/2201373/storage-stats-paint-disastrous

Enhancing Encryption for PCI DSS Compliance
The IT Compliance Institute discusses five steps for overcoming encryption hurdles that may hinder compliance with the Payment Card Industry Data Security Standard, also known as the PCI DSS.
http://www.itcinstitute.com/display.aspx?id=4383

ID Thieves May Avoid Prison Charges
According to a study by the U.S. Secret Service, identity thieves have a 50 percent chance of avoiding jail time.
http://security.itworld.com/5010/071023idtheft/page_1.html

Non-technical Glossary of Malware Terms
CIO magazine defines some of the most commonly used IT terms.
http://www.cio.com/article/135453/

Tech Practices Update

Here is the latest technology news from The Institute of Internal Auditors (The IIA):

Vote on Your Top IT Initiatives

This year, The IIA is collaborating with the American Institute of Certified Public Accountants (AICPA) to determine the AICPA's 2008 Top Technology Initiatives list. Each year, organizations refer to the top technology list to learn about the IT initiatives that certified public accountants (CPAs) and the technology experts who work with CPAs anticipate will have the greatest influence on IT strategy, investment, and implementation in the next 12 to 18 months.

To vote on the IT initiatives that will have the most impact on strategic IT decision-making, visit http://www6.intellisurvey.com/run/toptech2008. The online survey should take approximately 15 minutes to complete. Please note that the entire survey does not need to be completed all at once; answers will be stored so participants can return and complete the survey before Nov. 16, 2007. For additional information about the survey, visit the AICPA Web site.



Exciting Membership Opportunity for ITAudit Subscribers


For the past nine years, ITAudit has provided its readers with news and information tailored to the needs of internal auditors. The publication's online archives are filled with articles that have given readers an edge on their day-to-day audit engagements, answered pressing questions, and highlighted emerging trends. Although The Institute of Internal Auditors (The IIA) will continue to provide this expertise, on Jan. 10, 2008, ITAudit will become a benefit of IIA membership.

Because your commitment to ITAudit is extremely important to us, we would like to make you a special IIA membership offer. If you join The IIA between now and December 9, you will get half off our regular membership price of US $130, giving you access to The Institute's member benefits for just US $65. In addition to ITAudit, as an IIA member, you will also receive:

  • Discounts on conferences that provide invaluable tips on the latest technology and internal audit trends through sessions and networking opportunities.
  • Savings on seminars — 12 IT-focused programs to choose from held throughout the United States — that provide in-depth information designed to produce immediate results in your organization.
  • Free continuing professional education (CPE) reporting.
  • Discounts on e-learning offerings, such as webcasts and more than 800 online courses, all from one convenient location.
  • Information-sharing opportunities with other members interested in IT topics through The IIA's online networking tool, Member Exchange (ME).
  • Participation with other global thought leaders regarding the latest IT initiatives through The IIA's Advanced Technology Committee.
  • Bi-monthly copies of the award-winning Internal Auditor magazine, available in hardcopy and online.

To take advantage of this special offer, click here. This offer is valid for internal auditors residing in Canada, the Caribbean, and the United States. Auditors residing in other countries are encouraged to join our IIA institutes. To find an IIA institute near you, please visit www.theiia.org and click on "Chapters & Affiliates."

As we move forward with this new chapter in ITAudit's journey, I would like to thank you for your continued support throughout the years and look forward to a long future providing you with information on the latest trends, techniques, and research in IT.

Sincerely,

Raquel Filipek
Editor, ITAudit

_________________________________________________________________________

In This Issue

This month's feature articles include:

Assessing Bandwidth Use as a Function of Network Performance
Nikhil Wagholikar
Information Security Analyst, NII Consulting
Performing ongoing assessments of an organization's network bandwidth use can help IT departments to enhance the quality of network services and identify problem areas before they hinder work productivity.

Key Points to Keep in Mind When Conducting a Software Audit
John Silltow
Managing Director, Security Control and Audit Ltd.
Learning about the problems associated with software audit tools, as well as determining who will perform the audit, will enable organizations to better identify their software holdings and minimize their risks.

Facing the E-discovery Challenge: A Proactive Approach
Shawna Scharf
Contributing Staff Writer
As e-discovery continues to play an increasing role in corporate litigation, internal auditors need to develop data retention policies that ensure the safe storage and accurate retrieval of electronic data.

Also, check out our regular departments for the latest IT and audit information:

New Developments
Report addresses state of IT compliance accountability; annual survey discusses latest information security trends; NIST releases four information systems security guidelines; financial fraud replaces virus attacks as the leading cause of financial loss.

IT and Audit News
Privacy advocates ask U.S. government for a Do Not Track list; security experts discuss top 10 security gaps; Microsoft launches e-health service; survey offers tips on managing change.

Tech Practices Update
The IIA collaborates with the American Institute of Certified Public Accountants on 2008 Top IT Initiatives list.
