Auditors Just Don’t Understand Security
Part of my new role as the Information Security Program Owner at NI is taking care of our regulatory compliance concerns, which means I spend quite a bit of time dealing with auditors. Now auditors are nice people, and I want to preface what I’ll say next by saying that I think auditors do perform a great service to companies. I’m sure that most of them are hard workers and understand compliance requirements probably better than I do, but they just don’t understand security.
As a case in point, we’re in the middle of our annual audit by one of those “Big Four” audit firms, which I won’t name here to protect the innocent. I sent an email checking in with our auditors to make sure that they had everything they needed before we went into our four-day holiday weekend. They said that they had received everything they needed except for documentation on “privileged users from the current OS and Database environments” as well as “evidence of current password settings from the application servers, OS, and Database”. We go through a round of translation from Auditorese to Techie and figure out that they want exports of some specific user, profile, role, and privilege tables from the database and copies of /etc/passwd, /etc/shadow, and /etc/group from the servers.
So we obtain the requested documentation and I shoot them back an email message to find out their proposed method for transferring the files. Secure FTP? No. PGP encryption? Nope. Their response back was astonishing:
How large do you think they’ll be? Email should be fine.
Seriously? These are the guys that we’re paying to verify that we’re properly protecting our systems and they’re suggesting that sending our usernames and password hashes via cleartext email is an appropriate method of file transfer. I respond back:
I’m not really concerned about the size of the files, but rather, the data that they contain. Sending files containing the users, groups, and password hashes for our financial systems via cleartext is probably not a good plan considering the point of this process is protecting that data.
And they respond with:
Whatever you’d like Josh. As long as you have the files as of today, we’re good.
So now I’m convinced that auditors (or at least these auditors) view security as nothing more than a checklist. The people telling me what I need to do in order to protect my systems really have no clue about the fundamentals of security. If it’s not on their checklist, then it must not be of importance. In this particular situation it may be easier or more convenient to send the documents via email, but any security professional worth their salt would tell you that’s neither secure nor appropriate for that data. Either our auditors hold themselves to a very different standard than the rest of us security professionals, or they just don’t understand security unless it’s on a checklist.
July 12th, 2010 at 11:31 am
Josh,
First let me narrow down your comment… in “most” cases IT Auditors really do not understand the Systems that they are auditing, which is why your company should have a person that is between them and you, the “techie”, making sure that everyone does understand what the other needs. I say this because when I was tossed into Information Security one of my first headaches was dealing with auditors who were accountants and had no prior training in IT. So I had to learn how to be an auditor and how to translate between both worlds; I stood between our own engineering people and the Internal/External audit functions.
Looking at what you said the auditors were requesting, (my opinion is) you misunderstood what was needed. I would have read this statement to mean:
“… they needed except for documentation on ‘privileged users from the current OS and Database environments’ as well as ‘evidence of current password settings from the application servers, OS, and Database’. We go through a round of translation from Auditorese to Techie and figure out that they want exports of some specific user, profile, role, and privilege tables from the database and copies of /etc/passwd, /etc/shadow, and /etc/group from the servers.”
First, documentation is the key word there, “documentation on ‘privileged users from the current OS and Database environments’”. I would only have sent them a list of the names of individuals with that level of access and when that access had been requested, by whom, and the last time that it had been verified. That’s it.
Second, “evidence of current password settings from the application servers, OS, and Database”, that’s easy enough, depending on what system utilities you use. Let’s just say AD: send them a screenshot (which I hate doing) or a registry report depicting the system password settings, backed up with a copy of the company password policy.
Next, “they want exports of some specific user, profile, role, and privilege tables from the database and copies of /etc/passwd, /etc/shadow, and /etc/group from the servers.” I don’t see that, but I’m not privileged to your phone conversations. Anyway, there is no way I’m giving ANYBODY the type of information that can allow anyone other than the authorized company employee possible access to any system. Later, my sister graduated with an accounting degree, but couldn’t get a job, so I steered her into IT audit, but first I helped her get into training for A+, Network+, MCSE, Linux and Security+… she’s doing just fine getting ready for her CISSP.
Good Luck.
Don Jackson CISSP, CISA, IA
July 12th, 2010 at 12:03 pm
Sorry I forgot to add, as far as getting the information to them… encrypted zip file or encrypted cd/dvd.
July 12th, 2010 at 12:24 pm
I actually am the guy whose responsibility it is to stand between the audit world and the techie world. I definitely did come from the techie world (BS in Computer Science, CCNA, CISSP, GWAS), but recently took on a new role in InfoSec as the Information Security Program Owner for National Instruments. There was another guy doing the audit stuff when we first started talking about this role, but he left back in March and I took on this new web of compliance fun in his absence.
It sounds like we’re more or less arguing semantics here. Many of these auditors are, as you said, former accountants thrown into an IT world. And you’re totally right; they are coming in with little knowledge about our systems and functions, but that’s kind of my point. I wouldn’t think someone is capable of auditing a system from more than a checklist (i.e., does the system do X, Y, and Z?) if they have no security training whatsoever. Your advice to your sister is dead on. If you’re an auditor with the intent to audit IT systems, then you should make sure that you have the skills and training to do so. Don’t tell me that you need a copy of my if you have no clue what that is, what it does, or why you need it.
The file transfer method was really what my post was about and I just thought it was crazy that they think it’s appropriate to send those types of files via e-mail. You’re probably right that I shouldn’t send them that information, but when asked for clarification, that is specifically what they said they were looking for so I was asking for a way to transfer it safely. Encryption is certainly the way to go.
July 12th, 2010 at 2:10 pm
I hear you, my background before infosec was sysadmin, I wanted to grow up to be a network engineer, but because of SOX, I got kicked over into security and I haven’t looked back, so I do understand why techies believe that auditors are wasting their time (they are) and I also understand why auditors believe that techies take everything too personally (they do)… ain’t it fun being in the middle!
Most of the time, they’re just repeating back to you what they were told to ask for by a “senior” or the Partner for your company engagement, and they will not take the time to research or ask a “4 year old” type question about what it is they actually need or want because usually they are working on multiple companies at the same time.
One thing that I’ve learned from dealing with these people is that you keep and track a detailed list of EVERYTHING you give them and make them return it at the end of the audit. If you give them anything, make them sign for it in a way that it is understood that they are responsible if that data is lost, stolen or otherwise, because it has happened (http://www.privacyrights.org/data-breach); check this link and “search” for your Big Four auditor. If you give them any documentation in e-format, make sure that it is password protected so they cannot copy and use it on the next engagement; check any documentation they may have developed for you to see who really did it.
May 16th, 2011 at 6:42 pm
IMHO the problem is that most auditors come from a finance background where the problems are analog and amenable to sampling techniques and arbitrary boundaries (such as “material difference”). Auditing an IS isn’t necessarily like that. For instance, I’ve worked with auditors who wanted to sample a very large user authentication database and assume that if they took a statistically valid sample the site had no user IDs with extra permissions. But a compromised system will usually only have one or two “bad” UIDs (a login “leet” with UID 0 or whatever) and your chances of missing one UID out of 10,000 are pretty good. Why NOT look at all of them? (Because we don’t know how to write a perl script and our audit programs say “sample” 🙂)
IMHO you can’t audit information systems the way you audit accounts receivable but that’s often the approach. That leads to poorly executed audits by otherwise excellent auditors.
May 17th, 2011 at 1:45 pm
Lou, I agree completely and have taken this approach with our auditors as well now on several of our processes. In my opinion a 20% sample size is tantamount to saying that either we only care to catch 20% of the issues or that we’re effectively just counting on luck that the problem child lies within those bounds. I wouldn’t take those odds in Vegas. As security professionals we should be looking for ways to automate issue discovery and hopefully get the sample size up to 100%. I doubt you’ll hear many complaints from the auditors either, provided that you can show the process’s effectiveness.
October 27th, 2011 at 2:29 pm
7-zip with AES is free and simple (for Windows).