Automating Audit Tests

One of the issues we have been addressing extensively lately is auditing and automation. It has most often come up when we have been discussing how to automate control assessments in conjunction with implementing the 20 Critical Controls. One of the core principles of the 20 Critical Controls is that organizations need the ability to automate security assessments in order to reduce risk detection times and allow a more prompt response to detected threats.

One way to help with the automation of any given assessment is to script your assessments and then automate the scripts you write. This way your tests work for you and can automatically respond in some fashion should a specific event be discovered. Rather than building a mechanism to perform detection and alerting from scratch, why not use a mechanism that is already built into most of the Microsoft Windows versions you are already running? The Windows Event Log is a great place to start.

First, you can use a command such as EventCreate to generate new event log entries as a result of a particular action in your scripts. For example, if you use nmap with PBNJ to look for new hosts on your network (think critical control #1), you could use EventCreate to generate an event log entry every time a new device is discovered. Or, say you use WMIC to list the startup items on a machine (think critical control #2); you could then use EventCreate to generate an event log entry each time a new startup entry is added. Get the idea? Use built-in Windows tools to support your automation efforts - and all it costs is a little sweat equity and some experimentation with built-in tools!
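The startup-item case above, written out as an added PowerShell example (not code from the original post). It reads the Win32_StartupCommand class that the WMIC `startup` alias queries, diffs the result against a saved baseline, and calls eventcreate.exe for each new item; the baseline path, the event source name "AuditScript" and event ID 900 are assumptions chosen for this example.

```powershell
# Added example: detect new startup items (critical control #2) and write a
# Windows event log entry for each one via eventcreate.exe.
$BaselinePath = 'C:\Audit\startup-baseline.txt'   # assumed location
$EventId      = 900                                # assumed; eventcreate accepts 1-1000

# One normalised line per startup item; Win32_StartupCommand is the class
# behind "wmic startup get Caption,Command,Location,User".
$current = Get-CimInstance Win32_StartupCommand |
    ForEach-Object { '{0}|{1}|{2}|{3}' -f $_.Caption, $_.Command, $_.Location, $_.User } |
    Sort-Object -Unique

if (-not (Test-Path $BaselinePath)) {
    # First run: record the baseline and stop, there is nothing to compare yet.
    New-Item -ItemType Directory -Path (Split-Path $BaselinePath) -Force | Out-Null
    $current | Set-Content -Path $BaselinePath
    return
}

# @() keeps an empty baseline file from becoming $null, which Compare-Object rejects.
$baseline = @(Get-Content -Path $BaselinePath)
$new = Compare-Object -ReferenceObject $baseline -DifferenceObject $current |
       Where-Object { $_.SideIndicator -eq '=>' } |
       Select-Object -ExpandProperty InputObject

foreach ($item in $new) {
    # Startup commands often contain double quotes, which break native argument
    # quoting in Windows PowerShell; swap them for single quotes in the description.
    $desc = ("New startup item detected: $item") -replace '"', "'"
    # /L log, /SO source, /T type, /ID event id, /D description.
    eventcreate.exe /L APPLICATION /SO AuditScript /T WARNING /ID $EventId /D $desc | Out-Null
}

# Refresh the baseline so the same item is not reported on every run.
$current | Set-Content -Path $BaselinePath
```

Schedule the script to run periodically; an EventTriggers rule or a query for event ID 900 from source AuditScript in the Application log then gives you the alerting hook the post describes.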

For more details on how to use EventCreate, check out these resources to get started:

Microsoft TechNet Reference on EventCreate:

http://technet.microsoft.com/en-us/library/bb490899.aspx

Microsoft Support article for making custom event log entries:

http://support.microsoft.com/kb/324145

Once your scripts are writing events, EventTriggers.exe can run a command of your choosing whenever a matching event ID is logged. For details on how to use EventTriggers in more depth, here are a couple of resources that can help get you started:

Microsoft TechNet Reference on EventTriggers.exe:

http://technet.microsoft.com/en-us/library/bb490901.aspx

Petri.co.il Article on EventTriggers.exe:

http://www.petri.co.il/how-to-use-eventtriggersexe-to-send-e-mail-based-on-event-ids.htm

In addition to automating tasks with the eventtriggers.exe command, you may also want to consider command line e-mail tools that can generate an e-mail as a result of an action in your command line tool. Two such free command line tools you may wish to consider are:

Blat (http://www.blat.net/)

Bmail (http://www.beyondlogic.org/solutions/cmdlinemail/cmdlinemail.htm)

To run either of these tools you will need access to an active mail server; thankfully it does not have to listen only on tcp/25, but you do have to use the SMTP protocol. While security by obscurity is certainly no way to protect your system on its own, running administrative mail servers like this on alternate ports never hurts!
