encrypted tapes

Richard Stiennon richard at stiennon.com
Thu Jun 9 10:44:26 EDT 2005


I spent several years as such a security auditor for PwC.  While yes, they 
do hire a bunch of kids out of MBA school they also have extremely 
experienced senior managers supervising them.    We always delved into 
business processes as well as using "off the shelf" tools. Invariably I 
would find major flaws in the way security was implemented at utilities, 
railroads, major banks, and computer manufacturers.

At Gartner I always advised my clients that if the purpose of the audit was 
to find a bunch of stuff and fix it then you should select a local boutique 
firm who will do a faster, more in-depth assessment and give you 
actionable items to address at a very reasonable cost. If your purpose in 
doing a security audit is to convince the board of directors that you need 
to invest more in security then go with a big audit firm because their 
opinion holds much more weight.

Stiennon
blog:  www.threatchaos.com

At 10:14 AM 6/8/2005, Perry E. Metzger wrote:

>astiglic at okiok.com writes:
> > One thing that irritates me is that most security audits (that verify
> > compliance with regulations) are done by accountants.  No disrespect for
> > accountants here, they are smart people, but most of them lack the
> > security knowledge needed to really help with the security posture of a
> > company, and often they don't work with a security expert.  I saw a lot of
> > requirements by security auditors that looked pretty silly.
> > I believe a mix of accountants with security experts should be used for
> > security audits.
>
>It is worse than that. At least one large accounting company sends new
>recruits to a "boot camp" where they learn how to conduct "security
>audits" by rote. They then send these brand new 23 year old "security
>auditors" out to conduct security "audits", with minimal supervision
>from a partner or two. The audits are inevitably of the lowest
>possible quality -- they run automated security scanners no better
>than open source ones you could download on your own, and they run
>through checklists.  If an automated tool doesn't say there is a
>problem, or if you obey the mindless checklist items, you pass.
>
>Of course, for all the good such an "audit" does, you would as well
>roll dice and claim that the output was somehow correlated with the
>quality of your security infrastructure. Such an "audit" is totally
>worthless except as a bureaucratic dodge. "We hired a world class
>accounting company to check our security!" the executives can cry, "so
>these security problems aren't our fault!" (Would that "fiduciary
>responsibility" was not so often equated with "make sure there is
>enough window dressing that we can't be blamed.")
>
>By the way, selling such "audits" is extremely profitable, given the
>discrepancy between the pay for the kids doing the audits and the
>price the customer is charged. What is pathetic is not that companies
>would try to foist such worthless services upon their customers, but
>that their customers would willingly buy.
>
>Incidentally, my understanding is that at least some accounting
>companies use similar techniques for doing audits of the bookkeeping
>practices at their customers, which makes them at least somewhat
>consistent, if nearly useless to relying parties. When you hear things
>to the effect that accounting audits can only detect unintended bad
>process and not deliberate malfeasance, that's part of the reason why.
>
>Perry
>
>
>
>---------------------------------------------------------------------
>The Cryptography Mailing List
>Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

Richard Stiennon
The blog: http://www.threatchaos.com 