I frighten people. I don’t mean to, but I do. It usually happens when I tell them what I do for a living. I hack corporate networks, and then show them how to keep me from succeeding next time. It’s a more glamorous and descriptive way of saying “information security auditor.”
But while it’s part of our lives in the public sphere to be a little unnerving to the uninitiated, among our audit subjects we must be seen as colleagues who audit for their benefit.
I have seen two basic causes for auditors to take less-than-modest stances. One is that they do not want to work without administrative or root privileges to the systems they audit, and the other is that they impress themselves with having technical proficiency that others don’t have.
Regarding the first cause, a common precedent to becoming a security auditor is being a systems administrator. Systems administrators are used to having elevated privileges and experience a feeling of power (and hopefully responsibility) as a result. When they transition to the role of auditor, however, they must relinquish this power. They give up root and administrative privileges. Dropping their privileges is necessary because an auditor must not have the ability to administrate what they audit. The conflict of interest is apparent and makes their audit findings unreliable. Some security professionals hold onto their privileges jealously, psychologically unprepared to relinquish power, as if doing so would be a demotion of sorts. But other than the appropriate segregation of duties, there are other great reasons for information security auditors to maintain nothing more than normal user or guest privileges to the systems they audit:
Audit results are very impressive when vulnerabilities and exploits are demonstrated with normal user access. For a knock-out example of this principle, watch this presentation by Marcus Murray on how to own a Microsoft network without needing an administrator account.
It’s a great opportunity to teach systems administrators the principles of security. If you rely on administrators to conduct tests that require administrator access, then you’ve got a great opportunity to increase their security and risk awareness. When you sit with a database administrator with a well-developed audit plan, for instance, your conversation can go something like this; “We want to prevent user accounts from executing arbitrary code on your database server, so let’s see if xp_cmdshell is enabled. Here’s where the setting is, and here’s the SQL injection code we’ll use to test it. You keep a copy of the test script so you can run this whenever you set up a new database service.” Voila! An educated administrator with a tool set.
Regarding the second cause for immodesty among information security auditors, some technical people just like to be elite. They like having some superiority over others. This is a bad tendency. The auditor is the conscience of the organization, not the bully. Auditors must see themselves as the people who educate, coach, remind and even recommend. But also, auditors need to be really good at listening. An auditor’s recommendations may make little sense or be of little value to some organizations. I was in a situation recently in which a third party auditor insisted that their audit subjects encrypt a database to meet a certain security standard. The database did not contain sensitive information. Encryption of that dataset would have come at a high and unnecessary cost to the company. The firm more clearly defined their data classification standards rather than encrypt non-sensitive information and got the auditors to withdraw their requirement. Days of hand-wringing and wasted time and effort were spent because the auditors were sticking to their “superior” and “strict” standards. Had the auditors started by understanding their audit subject’s use of data and considered the less glamorous, less elite solution of a better defined data classification method, the problem would have been solved much quicker.
Finally, your audit subjects will more willingly come to you if they spot trouble (in the form of an incident or a control that is not working as intended) if they think of you as a reasonable and approachable person. They tend to want to spend less time helping people who are cranky and superior.
Now my recommendations likely are not universal. Can you think of exceptions to this general rule?