[Dshield] Spam Surge and funny things with auditors

Barry Fawthrop barry at isscp.com
Sat Sep 1 19:54:19 GMT 2007


A sight that is sadly seen way to often.

The problem comes from auditors who are not technical.
Too many times you find auditors come from a financial background,
instead of an IT or technical background. Leaving IT security in a worst
state during and afterward, as well as not truly identifying true
security problems.

I question why SAS 70 is seen as a security audit. A SAS 70 audit is
about control objectives vs. control performance.  I have not come
across a SAS 70 audit calling for a full vulnerability analysis/audit
and corresponding penetration testing.

CASE in Point:
If you don not have a password policy, you receive a favorable SAS 70
report.
If you have an adhered to password policy (says password shorter than 4
characters, is acceptable) you would receive a favorable SAS 70 report.
The only unfavorable SAS 70 report would be an un-adhered to password
policy.

None of this addresses, the security the password policy is supplying
and whether or not the password has an acceptable strength level.

Might just be my small circle, would love to hear other's input on this
matter.

Barry Fawthrop B.Sc , CISSP , GCIH



Sue Young wrote:
> Auditors are my biggest security problem.  A few weeks ago I checked my
> Snort box in the morning and saw it had 10,000 attempts to send out smtp
> mail.  This was at 9:30 am so now you know why you get so much spam, this
> thing was only up for 20 minutes.  I saw the machine was an outside computer
> on our  internal network.  After searching the whole floor, I found 2
> auditors in a closed office.  One had a badly infected machine.  Of course
> they're from a major auditing firm and were charging big bucks to do  a SAS
> 70 audit.  I moved them to our public network, and gave them one of our
> clean laptops to do the work they needed on our internal network.  I don't
> know if this guy ever got his laptop clean - I told him to have it
> reimaged.  We have a policy of not letting outside machines on our internal
> network but the end users ignore it all the time.
> 
> Last week the people on that floor suddenly started getting ip addresses on
> our public network that is not physically connected to our internal
> network.  It turns out that our very expensive auditors had taken the
> network cable that was plugged in to our internal network, through an IP
> phone, and plugged in the other end to the public network, creating a bridge
> to open our internal network to the less protected public network.  The hop
> to the public dhcp server was a little faster so the internal machines got
> an external address.
> 
> We no longer allow any wired access to the public network.  It's wireless
> only now. I've never had one of my users put two ends of the same cable in
> the wall but I've had auditors do it regularly and a painter did it once.
> 
> Sue Young, CISSP


More information about the list mailing list