Re: Papers on Sex as an audit tool?

From: Yassir Ab (pentesters@hotmail.com)
Date: Wed Mar 10 2004 - 15:59:05 EST


In-Reply-To: <48BE7A35FDE3DB4F8D8C5A96101ACA0E064E492F@aubwm205>

Neale,

I work for an audit firm, and have managed a number of IT audits myself.
Allow me to give you the auditor's perspective.

Here are a few things that can help make the distinction between the
responsibilities/qualifications of an auditor and those of a straight IT
employee.

    1- Auditors are individuals with good knowledge of IT AND business
practices. They have to be able to see the big picture and assess the impact of the IT practices on the financial results. Typically, an auditor is required to absorb a large amount of information related to tens of
technologies, and may not have the time or the luxury to specialize. On the
other hand, we do have highly-knowledgeable individuals (on the consulting
side) that provide support and review the auditing methodology and findings
for technical correctness. In short, auditors are mostly focused on the
process, and may rely on you to translate the high-level security
requirements to application or OS-level configurations, and provide proof
that you have the appropriate controls in place.

    2- Auditors have to have good communication skills, and always project a good and professional appearance. Note that they have to adhere to a strict dress code, and do not necessarily look "sexy". With that said, if the audit team members are usually young and attractive, it's not because "sex sells", but because staff auditors are usually recent college graduates in their 20s, and they are trying to convey trust and professionalism (just like bankers, stock traders, etc.).


    3- Auditors ask to have access to sensitive information because they are required by law (Enron?) to be able to support their findings at all times, and not because they are social engineering to prepare an attack. All information obtained in the course of the audit is organized and stored in secure file rooms. File rooms are not accessible to the auditors, and requests to access audit information have to be authorized by the engagement manager/partner. Also, keep in mind that any information exchanged in the course of the audit is protected by a Non-Disclosure Agreement. Finally, the fact that IT employees feel "played", in my opinion, reveals a data classification issue more than the auditor's social engineering skills.

As a side note, let me add that the auditors that you portray as "evil" and
"nosy" (and in this case, "selling sex") are doing their job, and ultimately contributing to securing your IT environment. I personally enjoy dealing with IT managers who understand this point, and are clever enough to use the audit findings to justify large-scale IT projects and secure a higher security budget.

Hope this helps.

-Yassir


Disclaimer: the above is the author's personal opinion and is not the
opinion or policy of his employer or of the little green men that have been
following him all day.
>From: "Green, Neale S" <neale.green@eds.com>
>To: pen-test@securityfocus.com
>Subject: Papers on Sex as an audit tool?
>Date: Wed, 10 Mar 2004 08:10:28 +1100
>MIME-Version: 1.0
>X-Mailer: Internet Mail Service (5.5.2657.72)
>Content-Type: text/plain;
> charset="iso-8859-1"
>
>
>No, I'm not referring to the act ( as far as I know ), I'm referring to the
>common practice of the Big Audit Firms (and others) to pepper/"flesh out"
>their audit teams with young, attractive people (male and female, but
>predominantly female due to the predominantly male base of the IT Industry )
>with little or no skills or experience in technical, security or audit
>fields, to get information more easily through taking the proven "sex sells"
>sales tool, and using it as a social engineering tool to more easily get the
>information they want out of an organisation.
>
>This trend has been increasing for years, and I have been trying to get the
>point across to our customers of what is happening, with little or no
>success, so I was wondering whether anyone knows of any papers on the
>subject that would help me get them to take it seriously.
>
>From my observation, external audit teams quite easily get information that
>they should not have access to ( or at most, controlled, monitored, access
>), by using the young, attractive, members of the team to charm it out of
>the business or IT people who control the information. When queried on the
>process issues, the business or IT people in question can very rarely, if
>ever, see that they have been "played" and will invariably create excuses as
>to why they gave out the restricted information so readily.
>
>Obviously, we have a scenario whereby the average person would much rather
>believe that the people like them and/or are interested in them for
>themselves, and will refuse to accept that they have been used to get what
>the outside parties want ( especially if they are ordinary, middle aged,
>married men whose egos are titillated to have a young, attractive person appear to
>be interested in them, it is an unfortunate fact of life that many men are
>susceptible to this ). The social engineering exercise and impact is no less
>notable because the external audit firms are supposedly "white hats" ( or at
>most, "grey hats" ), rather than a "black hat" cracker who uses this
>mechanism for an outright attack, in that, no matter the final outcome, a
>significant degree of deception and social engineering is involved.
>
>Therefore, given that it is almost impossible to gain acceptance of the
>situation directly, and I have found no papers on the subject in personal
>searches, I was interested whether others in the Security community have any
>knowledge of papers on this subject?
>
>Thanking you in anticipation.
>
>NB: Standard disclaimer, the views expressed are personal views of the
>author, and are in no way indicative of the views or policies of EDS as a
>Corporate entity.
>
>Regards,
>
>Neale Green CISSP
>Information Security
>Phone: +61 2 937 80225
>Mobile: 0414 979 627
>Fax: +61 2 9312 6116
>Email: neale.green@eds.com
>
>
>---------------------------------------------------------------------------
>Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
>any course! All of our class sizes are guaranteed to be 10 students or less
>to facilitate one-on-one interaction with one of our expert instructors.
>Attend a course taught by an expert instructor with years of in-the-field
>pen testing experience in our state of the art hacking lab. Master the skills
>of an Ethical Hacker to better assess the security of your organization.
>Visit us at:
>http://www.infosecinstitute.com/courses/ethical_hacking_training.html
>----------------------------------------------------------------------------
>
>




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:50 EDT