May 2002

Internet and Network Vulnerability Scanning Through ISS

By Bruce H. Nearon

Does your audit client have a website, intranet or use e-mail? Are the computer servers for these applications on the same network as the payroll, human resources and financial information systems used to prepare the financial statements? Then, according to Generally Accepted Accounting Standards (GAAS), you should consider control weaknesses in these systems that could lead to material misstatements due to unauthorized changes to data, destruction of information, or breach of confidentiality.

Learn about the features and benefits of using ISS Internet and system scanners on your audits by attending the June 11 continuing professional education (CPE) presentation organized by the New York State Society of CPAs Emerging Technologies (ET) Committee. You also will learn the basics of how to set up ISS, plan scanning procedures, read scan reports (including the elements of the scan reports), and interpret and present scan information, as well as pitfalls to avoid when using the scanners.

The presentation consists of two parts. During the first part, the evolution of computer security will be discussed. The history of control over computer information will be explored, starting with the earliest systems, which were tightly controlled, through today’s open systems, which by default are often loosely controlled. The logical reasons as to why today’s systems are extremely vulnerable will be covered, as will the common ways hackers learn how to break into systems. Also, common nontechnical vulnerabilities will be discussed, along with easy ways to assess computer security risks and control them.

The second part of the presentation will answer the question of how to discover control weaknesses in computer servers. In the past, auditors used checklists that typically checked at most 100 potential weaknesses on one or two computers within the time budget allowed for an audit. Today, best practice requires auditors to use automated vulnerability scanning tools such as ISS Internet and system scanners that can check more than 1,000 potential vulnerabilities on hundreds of servers in the time it would take to do one checklist audit.

Date: Tuesday, June 11, 2002
Time: 5:30 p.m. to 6:00 p.m.: registration, networking, refreshments; 6:00 p.m. to 8:30 p.m.: CPE session
Presenters: Thomas McDermott, senior IT auditor, J.H. Cohn LLP, Roseland, N.J., tmcdermott@jhcohn.com;
Harvest Malone, network security administrator, AICPA, Harborside, N.J., hmalone@aicpa.org;
Bruce H. Nearon, director of information security auditing, J. H. Cohn LLP, Roseland, N.J., bnearon@jhcohn.com
Location: NYSSCPA Headquarters, 530 Fifth Ave, Fifth Floor, New York City

Additional Information

This NYSSCPA/FAE CPE evening presentation is $45 for NYSSCPA members and $50 for nonmembers to qualify for three hours of CPE credit. At the session you will get the chance to network with the profession’s and the industry’s IT leaders. Free sandwiches and soft drinks will be provided by J.H. Cohn LLP.

Advance registration is recommended because seating is limited.

For presentation information, contact Gary Carpenter at (315) 487-4567 or gcarpenter-cit@worldnet.att.net, or Bruce H. Nearon at (973) 403-6955 or bnearon@jhcohn.com.

To register: Visit the Society website at www.nysscpa.org or call (800) 537-3635.

For more information on the ET Committee, visit www.nysscpa.org, click on the committees tab on the left-hand side of the page and then scroll down to the ET Committee link.


Bruce H. Nearon is chairman of the NYSSCPA Emerging Technologies Committee and director of IT security audit for J.H. Cohn LLP, in Roseland, N.J.



©1997 - 2009 New York State Society of Certified Public Accountants.