encrypted tapes
Adam Shostack
adam at homeport.org
Thu Jun  9 10:02:55 EDT 2005

On Thu, Jun 09, 2005 at 08:57:51AM +0100, lists at notatla.org.uk wrote:
| 
| From: "Perry E. Metzger" <perry at piermont.com>
| 
| > It is worse than that. At least one large accounting company sends new
| > recruits to a "boot camp" where they learn how to conduct "security
| > audits" by rote. They then send these brand new 23 year old "security
| > auditors" out to conduct security "audits", with minimal supervision
| > from a partner or two. The audits are inevitably of the lowest
| > possible quality -- they run automated security scanners no better
| 
| The worst security audit point I have ever seen came from KPMG and
| said that logging on as a particular non-root unix account got root
| access, based on the "WARNING! YOU ARE SUPERUSER" message seen at login.
| What they'd never done was check something like "sum /etc/shadow" to
| see whether it was permitted or denied, nor run "id" or similar checks.
| So when this user's home directory is absent and he ends up using
| / and /.profile (where the warning was in an echo statement) he gets
| this message on the screen.  So where they should be writing
| "misleading warning in some circumstances" they write "root access
| immediately available for common users".
| 
| I'm planning to teach a class of 5 existing internal auditors
| next month on some security s/w and I am going to include:
|    - focussing on the more important stuff
|      (a long-running problem where I work)
|    - you must prove it before you can report it
|    - you must be able to state what is wrong with the observed state;
|      usually expressed as the policy point(s) violated
|      (just appearing in scanner output is not enough)
|    - you should have some idea of one reasonable way to fix it

"oh, no, that's a reasonable treatment of those revenues.  You have to
prove it's not before you can report on it."
So, while I am sympathetic to what you are saying, the job of audit is
to audit.  If the system says "You're root," fine, note it and move
on.

If, as an auditor, I need to "prove" each problem I find, then I'm
going depth-first, not breadth-first, and will miss important stuff.

I suggest a better fix is to have an interim audit report, which, with
the participation of senior technical people on both sides, becomes a
final audit report.  In that process, you could probably win the
/.profile argument.  However, auditors MUST be allowed to point out
whatever the hell they want.

Adam
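The misleading-banner case quoted above, as an added example that is not part of the original thread or of either poster's own tooling: a script that reproduces the "YOU ARE SUPERUSER" echo from a fallback .profile, then applies the two checks the quoted poster says were skipped (id(1) and an attempt to read the shadow file) before writing the finding. The fake root directory, the mode-000 stand-in for /etc/shadow, and the banner text are all constructed here and are assumptions, not details from the message.

```shell
#!/bin/sh
# Added example, not code from the original thread. Reproduces the scenario
# from the quoted audit anecdote and shows how to prove (or disprove) a
# "root access" claim before reporting it.
#
# Assumptions (constructed for this example): a temporary directory standing
# in for / with a .profile that only echoes a warning, and a mode-000 file
# standing in for /etc/shadow.

set -u

# Build the situation described: the user's home directory is absent, so the
# login shell falls back to / and sources /.profile, which is nothing more
# than an echo statement.
make_fake_root() {
    dir=$(mktemp -d)
    printf '%s\n' 'echo "WARNING! YOU ARE SUPERUSER"' > "$dir/.profile"
    # Constructed stand-in for /etc/shadow: readable only by root.
    printf 'root:*:0:0:99999:7:::\n' > "$dir/shadow"
    chmod 000 "$dir/shadow"
    printf '%s\n' "$dir"
}

# What the auditor saw: the text produced by sourcing the fallback profile
# (run in a subshell with $1 as the fallback HOME so nothing leaks out).
observed_banner() {
    ( HOME=$1; cd "$HOME" && . ./.profile ) 2>/dev/null
}

# The checks the poster says were never run. $1 is the shadow-file path.
# Prints one of CONFIRMED, FALSE-POSITIVE or UNCONFIRMED plus the evidence.
verify_root_claim() {
    shadow=$1
    uid=$(id -u)
    if cat "$shadow" >/dev/null 2>&1; then readable=yes; else readable=no; fi

    if [ "$uid" -eq 0 ]; then
        echo "CONFIRMED: uid=0, shadow readable=$readable"
    elif [ "$readable" = no ]; then
        echo "FALSE-POSITIVE: uid=$uid, shadow readable=no"
    else
        # Non-zero uid that can still read the file: worth a closer look
        # (group membership, ACLs, a bad mode), but it is not root.
        echo "UNCONFIRMED: uid=$uid, shadow readable=yes"
    fi
}

# Turn the evidence into a defensible finding: state what is actually wrong,
# not what the banner or a scanner happened to print.
write_finding() {
    banner=$1
    verdict=$2
    case $verdict in
        CONFIRMED*) echo "root access available at login ($verdict)" ;;
        *)          echo "misleading banner '$banner' at login; $verdict" ;;
    esac
}

main() {
    root=$(make_fake_root)
    banner=$(observed_banner "$root")
    verdict=$(verify_root_claim "$root/shadow")
    write_finding "$banner" "$verdict"
    rm -rf "$root"
}

main
```

Run as an unprivileged user, the banner is reproduced but the finding comes out as a misleading message rather than a privilege problem; run as root, the same script confirms the claim, which is the point: the verdict follows the evidence, not the echo statement.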
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com