[Dshield] Spam Surge and funny things with auditors

Security security at hudakville.com
Mon Sep 3 15:12:21 GMT 2007


Auditor stories are fun.  :)

My favorite was when I had an auditor examining the security of our
UNIX systems for SOX a few years ago.  He had never looked at a UNIX
system before in his life.  The best part was when I spent 20 minutes
explaining that even though the /etc/passwd file was world-readable,
it was not a security risk because the passwords really weren't kept
in that file.

Don't get me wrong, I've met some really brilliant auditors who know
their stuff, but you still run into the fun ones every so often.

Tyler

Sue Young wrote:
> Auditors are my biggest security problem.  A few weeks ago I checked my
> Snort box in the morning and saw it had 10,000 attempts to send out smtp
> mail.  This was at 9:30 am so now you know why you get so much spam, this
> thing was only up for 20 minutes.  I saw the machine was an outside computer
> on our  internal network.  After searching the whole floor, I found 2
> auditors in a closed office.  One had a badly infected machine.  Of course
> they're from a major auditing firm and were charging big bucks to do  a SAS
> 70 audit.  I moved them to our public network, and gave them one of our
> clean laptops to do the work they needed on our internal network.  I don't
> know if this guy ever got his laptop clean - I told him to have it
> reimaged.  We have a policy of not letting outside machines on our internal
> network but the end users ignore it all the time.
> 
> Last week the people on that floor suddenly started getting ip addresses on
> our public network that is not physically connected to our internal
> network.  It turns out that our very expensive auditors had taken the
> network cable that was plugged in to our internal network, through an IP
> phone, and plugged in the other end to the public network, creating a bridge
> to open our internal network to the less protected public network.  The hop
> to the public dhcp server was a little faster so the internal machines got
> an external address.
> 
> We no longer allow any wired access to the public network.  It's wireless
> only now. I've never had one of my users put two ends of the same cable in
> the wall but I've had auditors do it regularly and a painter did it once.
> 
> Sue Young, CISSP



More information about the list mailing list