encrypted tapes
Adam Shostack
adam at homeport.org
Thu Jun 9 10:02:55 EDT 2005
On Thu, Jun 09, 2005 at 08:57:51AM +0100, lists at notatla.org.uk wrote:
|
| From: "Perry E. Metzger" <perry at piermont.com>
|
| > It is worse than that. At least one large accounting company sends new
| > recruits to a "boot camp" where they learn how to conduct "security
| > audits" by rote. They then send these brand new 23 year old "security
| > auditors" out to conduct security "audits", with minimal supervision
| > from a partner or two. The audits are inevitably of the lowest
| > possible quality -- they run automated security scanners no better
|
| The worst security audit point I have ever seen came from KPMG and
| said that logging on as a particular non-root unix account got root
| access, based on the "WARNING! YOU ARE SUPERUSER" message seen at login.
| What they'd never done was check something like "sum /etc/shadow" to
| see whether it was permitted or denied, nor run "id" or similar checks.
| So when this user's home directory is absent and he ends up using
| / and /.profile (where the warning was in an echo statement) he gets
| this message on the screen. So where they should be writing
| "misleading warning in some circumstances" they write "root access
| immediately available for common users".
|
| I'm planning to teach a class of 5 existing internal auditors
| next month on some security s/w and I am going to include:
| - focussing on the more important stuff
| (a long-running problem where I work)
| - you must prove it before you can report it
| - you must be able to state what is wrong with the observed state;
| usually expressed as the policy point(s) violated
| (just appearing in scanner output is not enough)
| - you should have some idea of one reasonable way to fix it
"oh, no, that's a reasonable treatment of those revenues. You have to
prove it's not before you can report on it."
So, while I am sympathetic to what you are saying, the job of audit is
to audit. If the system says "You're root," fine, note it and move
on.
If, as an auditor, I need to "prove" each problem I find, then I'm
going depth-first, not breadth-first, and will miss important stuff.
I suggest a better fix is to have an interim audit report, which, with
the participation of senior technical people on both sides, becomes a
final audit report. In that process, you could probably win the
/.profile argument. However, auditors MUST be allowed to point out
whatever the hell they want.
Adam
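The quoted post's point is that a "YOU ARE SUPERUSER" banner is not evidence of root, while `id` or an attempt to read a root-only file is. The following shell script is an added example for this thread, not code from either poster: it records the two pieces of evidence and maps them to the wording the post suggests for the finding. The function names (effective_uid, can_read_file, classify_finding, audit_root_claim) and the yes/no banner argument are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the mailing-list post: record evidence that a shell
# actually has root instead of trusting a "YOU ARE SUPERUSER" banner.
# Function names (effective_uid, can_read_file, classify_finding,
# audit_root_claim) are this example's own.

# Evidence 1: the effective uid the kernel reports (0 means root).
effective_uid() {
    id -u
}

# Evidence 2: whether this process can actually read a file; the exit status
# of the read is the proof. The path is a parameter so the check can also be
# exercised against constructed files.
can_read_file() {
    cat "$1" >/dev/null 2>&1
}

# Turn the evidence into the wording an audit finding should carry.
# Arguments: <uid> <root-only file readable: yes|no> <banner claimed root: yes|no>
classify_finding() {
    uid=$1
    readable=$2
    banner=$3
    if [ "$uid" -eq 0 ] && [ "$readable" = yes ]; then
        echo "root access confirmed"
    elif [ "$banner" = yes ]; then
        # The banner said root, but neither the uid nor a privileged read backs it up.
        echo "misleading warning in some circumstances"
    else
        echo "no finding"
    fi
}

# Run the real checks in the current shell. The banner flag would normally be
# taken from the captured login transcript; here it is passed in as an argument.
audit_root_claim() {
    banner=${1:-yes}
    uid=$(effective_uid)
    if can_read_file /etc/shadow; then
        readable=yes
    else
        readable=no
    fi
    classify_finding "$uid" "$readable" "$banner"
}

# Demonstration: what would the finding be for this shell, given a banner that
# claimed root?
echo "uid=$(effective_uid): $(audit_root_claim yes)"
```

Run as an ordinary user whose login printed the banner, the script reports "misleading warning in some circumstances"; only a uid of 0 together with a successful read of /etc/shadow yields "root access confirmed". Keeping the classification separate from the evidence gathering lets the same wording rule be applied to a transcript captured on another host.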
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com