[Dshield] Spam Surge and funny things with auditors

Tomas L. Byrnes tomb at byrneit.net
Sun Sep 2 00:02:55 GMT 2007


You are all under the mistaken assumption that the purpose of an auditor
is to improve your security and/or catch errors in accounting. Their
purpose is to do neither. In fact, their purpose is to find nothing
wrong, or at least nothing of substance that happened on current
management's watch. They have to find the usual minor things, and it's
OK, even salutary for them, if they find something huge that happened
under prior management and dismissed auditors.

Their sole purpose is to allow those in the exec suite to CYA by being
able to point to the audit if/when the books turn out to be wrong, or
your network gets cracked.

In fact, incompetent auditors are more useful to management than
competent ones. Since they are unlikely to catch anything, they allow
management to spend less on controls.

This plays very nicely into the auditing firms' business model, which is
to maximize profit for the partners by paying the associates as little
as possible. Inexperienced, marginally competent, overworked junior
associates make the partners more money than experienced, well trained,
sharp ones, because they cost less, and work harder, longer hours, in
the usually vain hope that they may get promoted.

The whole auditing and consulting business is a circular game of "the
emperor's new clothes". It works until one sharp tack says the emperor
is naked, but the result is all the populace gets mad at the person who
stated the truth, instead of the emperor.

If you don't believe me, attend one of the many management oriented
"compliance" conferences, and simply listen to what the execs and
managers are looking for. What they see as "compliance" and what those
of us who would like to be really compliant with the letter and spirit
of regs would see as "compliance" are totally different things.
 

> -----Original Message-----
> From: list-bounces at lists.dshield.org 
> [mailto:list-bounces at lists.dshield.org] On Behalf Of Sue Young
> Sent: Saturday, September 01, 2007 10:57 AM
> To: General DShield Discussion List
> Subject: Re: [Dshield] Spam Surge and funny things with auditors
> 
> Auditors are my biggest security problem.  A few weeks ago I 
> checked my Snort box in the morning and saw it had 10,000 
> attempts to send out SMTP mail.  This was at 9:30 am so now 
> you know why you get so much spam, this thing was only up for 
> 20 minutes.  I saw the machine was an outside computer on our 
> internal network.  After searching the whole floor, I found 
> 2 auditors in a closed office.  One had a badly infected 
> machine.  Of course they're from a major auditing firm and 
> were charging big bucks to do a SAS 70 audit.  I moved them 
> to our public network, and gave them one of our clean laptops 
> to do the work they needed on our internal network.  I don't 
> know if this guy ever got his laptop clean - I told him to 
> have it reimaged.  We have a policy of not letting outside 
> machines on our internal network but the end users ignore it 
> all the time.
> 
> Last week the people on that floor suddenly started getting 
> IP addresses on our public network that is not physically 
> connected to our internal network.  It turns out that our 
> very expensive auditors had taken the network cable that was 
> plugged in to our internal network, through an IP phone, and 
> plugged in the other end to the public network, creating a 
> bridge to open our internal network to the less protected 
> public network.  The hop to the public DHCP server was a 
> little faster so the internal machines got an external address.
> 
> We no longer allow any wired access to the public network.  
> It's wireless only now. I've never had one of my users put 
> two ends of the same cable in the wall but I've had auditors 
> do it regularly and a painter did it once.
> 
> Sue Young, CISSP
> 
> On 8/31/07, Valdis.Kletnieks at vt.edu <Valdis.Kletnieks at vt.edu> wrote:
> >
> > On Fri, 31 Aug 2007 11:37:50 +0200, Ulf Bahrenfuss said:
> > > direct recommendations. Among them the most glaring "immediate 
> > > action point" was the report about my internal DNS servers. They 
> > > were obviously outdated and a security risk because they answered to 
> > > a version request with "their" version number. The number I 
> > > configured to give back was 6.6.6 and that is well below known 
> > > secure numbers :-) The recommendation was to update and change the 
> > > config to give back a false number or no number, hmmmm okay
> >
> > If you tried the snarf-the-version trick against the NSA's 
> > public-facing nameservers a while back, they'd report the version string:
> >
> > "These are not the nameservers you are looking for..."
> >
> > (And yes, a *high* fraction of "security auditors" are bozos who can't 
> > even run Nessus and interpret the results for themselves - looking at 
> > a version number 6.6.6 and not cluing in is about par for the 
> > course....)
> >
> > _________________________________________
> > SANSFIRE 2007 July 25-August 2 in Washington, DC.  56 courses, SANS 
> > top instructors, and a great tools and solutions expo. Register today!
> > http://www.sans.org/info/4651 (brochure code ISC)
> >
> >
> 
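Sue's two incidents above suggest two simple checks a defender can run over existing logs: flag any host outside the asset inventory that bursts outbound tcp/25 attempts (the infected auditor laptop Snort caught), and flag DHCP offers from any server other than the internal ones (the symptom of the cable bridge to the public network). This is an added example, not code from the thread; the Snort rule name and SID, the dhclient-style log lines, the inventory and all addresses are constructed.

```python
import re
from collections import Counter

# Constructed Snort "fast" alert lines (sample data, not from the thread).
# Rule name and SID are placeholders for a local outbound-SMTP rule.
SNORT_ALERTS = """\
09/01-09:10:01.000 [**] [1:1000001:1] LOCAL outbound SMTP [**] {TCP} 10.1.5.77:41022 -> 203.0.113.9:25
09/01-09:10:01.300 [**] [1:1000001:1] LOCAL outbound SMTP [**] {TCP} 10.1.5.77:41023 -> 203.0.113.10:25
09/01-09:10:02.100 [**] [1:1000001:1] LOCAL outbound SMTP [**] {TCP} 10.1.5.77:41024 -> 198.51.100.4:25
09/01-09:10:05.900 [**] [1:1000001:1] LOCAL outbound SMTP [**] {TCP} 10.1.5.20:50011 -> 10.1.1.25:25
""".splitlines()

# Constructed dhclient-style syslog lines from two internal workstations.
# ws-302 got its lease from a server that is not the internal one.
DHCP_LOG = """\
Sep  1 09:40:12 ws-301 dhclient: DHCPOFFER of 10.1.5.31 from 10.1.1.2
Sep  1 09:40:12 ws-302 dhclient: DHCPOFFER of 192.0.2.77 from 192.0.2.1
""".splitlines()

ALERT_RE = re.compile(r"\{TCP\} (\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):(\d+)")
OFFER_RE = re.compile(r"DHCPOFFER of \S+ from (\d+\.\d+\.\d+\.\d+)")


def smtp_attempts_per_source(alert_lines):
    """Count outbound tcp/25 connection attempts per source address."""
    counts = Counter()
    for line in alert_lines:
        m = ALERT_RE.search(line)
        if m and m.group(3) == "25":
            counts[m.group(1)] += 1
    return counts


def suspect_spam_sources(alert_lines, inventory, threshold):
    """Sources at or over the threshold, mapped to (count, not_in_inventory).

    A machine that is not in the asset inventory and is bursting SMTP is
    the 'outside laptop on the internal network' case from the thread.
    """
    return {src: (n, src not in inventory)
            for src, n in smtp_attempts_per_source(alert_lines).items()
            if n >= threshold}


def rogue_dhcp_servers(log_lines, approved_servers):
    """DHCP servers seen handing out offers that are not the internal ones."""
    seen = set()
    for line in log_lines:
        m = OFFER_RE.search(line)
        if m:
            seen.add(m.group(1))
    return seen - set(approved_servers)
```

Either finding on its own is worth walking the floor for; in Sue's account both came from the same two visitors.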