Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk //

Compliance

5/1/2013
10:37 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Learning From Auditor War Stories

Stories of IT missteps and unforeseen disasters while auditors are on-site can point to important lessons for preparing for compliance and security

Sometimes the best lessons come from cautionary tales lived by those before us who didn't get things right the first time around. And in the IT compliance world, no one is more prepared to offer up those stories than the auditors and assessors tasked with checking up on IT practices.

"These types of war stories are really the opportunity for people to learn and recognize that sometimes the extraordinary can be ordinary, and businesses need to be prepared for that," says Brian Christensen, head of global internal audit for Protiviti. "There are a plethora of these stories, and they're a great learning opportunity."

Dark Reading recently spoke with Christensen and a number of other auditors and assessors to get the lowdown on some of the biggest mistakes or disasters they've witnessed firsthand. Here are a few of their accounts, along with their insights on the lessons other organizations can take from them.

Expecting The Unexpected
People might talk about a particular audit being a disaster, but how many organizations can say they've experienced an actual disaster while the auditor was on the premises? According to Christensen, he has been around long enough to witness it happen firsthand. And as chance would have it, he and the CIO of the company he was working with were actually discussing business continuity management when it happened.

"Imagine a warehouse type of environment and his office was there, and in the background you could see a big transformer," he says, explaining that as they talked, a bird landed on the transformer, which blew up. "The power for the entire facility went out. And I remember chuckling and saying, 'This is an opportunity for you to demonstrate that your business interruption planning really works. This is not a test.'"

[Think insiders can't hurt your firm? Think again. See 8 Egregious Examples Of Insider Threats.]

According to Christensen, that was a prime example of how IT organizations should be prepared for unforeseen events to throw a wrinkle in the process. In the same vein, they should also be at a ready state in case they're subject to unanticipated observation.

"When we do surprise inspections, they're often shocked when we're able to kind of walk in," he says. In one instance when he was engaged with a global organization to do surprise inspections of remote data center locations, Christensen and his team were able to observe the parking lot for traffic patterns so that they were able to follow in workers through the doors of a sensitive site during the post-lunch rush.

"The advice that we’ve learned from that type of instance is always be prepared for the unexpected," he says.

Auditors Have Eyes And They're Always Watching
While some simple social engineering tricks often show whether employees really are living up to written policies with regard to physical access, auditors don't necessarily have to resort to gaming the system to find physical security blunders. Sometimes it's just a matter of keeping their eyes open. For example, Laura Raderman, director of security assessments for Gemini Security Solutions, discussed a facilities assessment she recently conducted on a data center that was undergoing construction.

"The construction site had one construction person on duty letting workers in and out of the site [based on a list of approved workers], but not checking photo IDs," she says. "So, basically, almost anyone could easily walk into the construction site and then into the data center."

At the same time, the main security entrance was well-guarded with numerous security guards who were checking for two forms of identification and multiple "man-traps" to enter the data center hallways.

"There was no reason to bother with the main entrance if you could get in through the construction entrance," she said.

All of this was pretty evident with a quick look around the facilities, which goes to show that often the most likely way an auditor will flag an organization isn't through any kind of complicated test, but through simple observation.

Because of that, organizations need to remember that if an auditor is on-site, they're always on the lookout for practices that give them hints that things are amiss. One big hint could be the way that IT workers make changes in response to audit queries -- "The really silly things assessors see happen when someone says, 'Oh, I'll just change that for you,'" says Walt Conway, a QSA for audit firm 403 Labs.

He recounts an episode where his audit uncovered a firewall rule that seemed out of place. The person he was working with was eager to help the audit, and so he offered to change the rule on the spot -- a big no-no given that the company had change management policies in place for an approval and ticketing process. It was what he called "a problem of excellence."

The person was qualified, good, knew what he was doing and did the right thing, "sort of," Conway says. "But it wasn't the right thing from a security point of view. It wasn't documented, there was no trail, and when he disabled the rule there wasn't a comment put that this was disabled on such and such a date."

A better alternative would have been for the employee to have told Conway that he'd write down the issue and address it during a regularly scheduled firewall update or initiate an emergency change process. As Conway puts it, organizations should be following the procedures all of the time, but "at the very least when the assessor is sitting there."

Papers, Please
During any audit, documentation is always critical to getting a compliance sign-off. So it's no surprise that many auditors relate that some of their most frustrating experiences revolve around poor preparation of documentation of procedures or architectures.

"I cannot tell you how difficult it is sometimes getting a network diagram," Conway says. "I can get wire-in diagrams, I can get lots of inventories, but a real solid, logical network diagram is something that is so basic that they sometimes overlook it," he says. "As an assessor, I don't care if they draw it on a white board and take a picture and send it to me. I just need something that will determine what's in and out of scope." As organizations dot their i's and cross their t's through the documentation and audit process, they should remember that seemingly small differences in nomenclature can make all the difference in compliance and the risk management activities that the auditor is there to help drive. For example, Christensen relates the experience of one audit client he had that learned the hard way the difference between fireproof and fire-resistant.

"Unfortunately, a large fire took place in the community and encapsulated an entire city block; much of the facility was destroyed," he says. "Even though all the documentation they had was in what they thought was a 'fireproof' cabinet, it had all been incinerated because it was so hot, and it was only fire-retardant."

No Assumptions Are Safe
One auditor Dark Reading spoke to would only recount his experiences anonymously, for fear things would get back to his client. This auditor says that the worst cases he sees usually are the product of assumptions being invalid.

"I had one client that insisted that the scope of the audit based on regulated information was limited to a single system. When we got on-site, we found the regulated information was everywhere: email, backup systems, CRM, accounting," he says. "The effort of the audit is based on the number of systems, controls, interviews, and data samples required. The effort on this one exploded to three to five times the originally estimated effort."

Similarly, just assuming that if some computers in a group are being updated and patched properly, then all of them can get an organization into trouble. Conway recounts a routine check-up at one client site of simple tasks, such as updating antivirus, installing patches, and securely configuring machines. As part of the assessment process, he asked to do a quick spot-check of six or seven computers within a much larger group of endpoints. Out of "just dumb luck" he found that one of the machines was an exception to the general group: Because it was used by a user who had another main machine and traveled a lot, it was never brought online with the rest of the machines during the patch roll out process. As a result, it was badly out of compliance.

"Nobody bothered [with] updated antivirus [or] put it on a list to be patched or anything else," he says. "As a result, everything else was being patched, and this machine was just invisible."

Conway says that this is emblematic of the mistakes that most organizations make. Generally, IT organizations are honest and willing to work with the auditors. They're just not as ready as they thought they were. He reiterates Christensen's warning about expecting the unexpected.

"Do people lie? No. I haven't had someone that said, 'Don't look at the man behind the curtain,'" he says. "Do they miss things because they're too close to them? Yeah. It's not that people are hiding things. In fact, it's quite the opposite. We find unexpected things."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
US Turning Up the Heat on North Korea's Cyber Threat Operations
Jai Vijayan, Contributing Writer,  9/16/2019
MITRE Releases 2019 List of Top 25 Software Weaknesses
Kelly Sheridan, Staff Editor, Dark Reading,  9/17/2019
Preventing PTSD and Burnout for Cybersecurity Professionals
Craig Hinkley, CEO, WhiteHat Security,  9/16/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-14821
PUBLISHED: 2019-09-19
An out-of-bounds access issue was found in the Linux kernel, all versions through 5.3, in the way Linux kernel's KVM hypervisor implements the Coalesced MMIO write operation. It operates on an MMIO ring buffer 'struct kvm_coalesced_mmio' object, wherein write indices 'ring->first' and 'ring->l...
CVE-2019-15032
PUBLISHED: 2019-09-19
Pydio 6.0.8 mishandles error reporting when a directory allows unauthenticated uploads, and the remote-upload option is used with the http://localhost:22 URL. The attacker can obtain sensitive information such as the name of the user who created that directory and other internal server information.
CVE-2019-15033
PUBLISHED: 2019-09-19
Pydio 6.0.8 allows Authenticated SSRF during a Remote Link Feature download. An attacker can specify an intranet address in the file parameter to index.php, when sending a file to a remote server, as demonstrated by the file=http%3A%2F%2F192.168.1.2 substring.
CVE-2019-16412
PUBLISHED: 2019-09-19
In goform/setSysTools on Tenda N301 wireless routers, attackers can trigger a device crash via a zero wanMTU value. (Prohibition of this zero value is only enforced within the GUI.)
CVE-2019-16510
PUBLISHED: 2019-09-19
libIEC61850 through 1.3.3 has a use-after-free in MmsServer_waitReady in mms/iso_mms/server/mms_server.c, as demonstrated by server_example_goose.