
Strange Tales from Auditing IT

“Hi, I am your IT auditor,” says the young lady before me. She is well dressed in unassuming colors, a pencil skirt shaping her just enough without looking too informal. Beside her is an equally well dressed man. Or boy, more precisely. With that fashionably tall hair, waved as if he had just come out of a nearby hair salon, those slightly tight pants, and shiny shoes with tips sharp enough to stab someone.

“Just show us where our place is, and your IT group, and we’ll be on our way!” she chirps merrily. After introducing her to my bleary-eyed IT manager, I went back into my austere chambers, decorated minimally, with plenty of space for the stacks of ring files that documented my entire career as Head of Internal Audit of XXYY company. And I waited. Surely one of these well dressed, articulate, young IT auditors would be asking me for a sit-down session on some of the perceived challenges of IT aligning with our business, and how we could improve. Surely, once she was done mapping out the technical areas with my IT manager, she would come and talk to me about how the IT audit would be done, and about how, as the Head of Internal Audit, I should be aware of the findings and recommendations, since I was the one who hired her firm in the first place.

One day passed. No sighting. Maybe IT was really complicated after all, although the company’s usage of IT would have been pretty minimal, seeing that we mainly used e-mail. We only had 3 guys in the IT shop running everything.

Day two, day three passed and finally, I decided to go down to IT and see what the heck was going on. My IT manager was there, as usual, obsessively surfing 10 different browser windows on his large monitor.

“Where are the auditors?”

“They’ve already packed up and gone yesterday.”

Flabbergasted, I went back to my room. So 3 days was all it took to do an IT audit? Who did they interview? Who did they talk to in order to understand the business needs, risks and processes? How did they communicate with the business without me knowing? What were we measuring? How?

They must have bypassed me and went straight to the business owners. That must be it.

Tapping the phone in front of me, I got hold of several of the stakeholders of the IT applications running in our company. All of them denied seeing anyone in a pencil skirt accompanied by a wavy-haired boy. Some of these stakeholders would definitely remember anyone in a pencil skirt, so I guess they were telling the truth.

So the IT auditors were almost like phantoms. Ghosting in, and in 3 days, ghosting out again, never talking to any of the key stakeholders. How on earth did they do their audits then?

The above is a fictionalised account of an experience that was shared with me, on IT auditing. Although somewhat humorous, I still find it alarming that IT audits are still being conducted in this way: go in, talk to IT, sit them down with a checklist and get them to implement the checklist. There’s no context for the audit, no risk analysis, no understanding of the business flows or how they interact with IT. No comprehension of critical processes, or the role that IT plays in the broader aspects of the business. They carry with them a pen and paper and a checklist, go into the poor IT manager’s room and shoot him down when he answers, “Umm, what’s a BCP?”, shaking their collective IT auditor heads until the manager feels like a donkey in front of this pair, young enough to be his kids.

Checklists and irrelevant benchmarking.

IT auditors who do not take time to understand the context of their audits are wasting their time. Worse, they are disrespecting the customer. If a client has 3 people in his IT department and generally uses IT only for automating processes, without too much dependence on it, why insist on raising a red flag of non-compliance with COBIT by saying they need to come up with an IT Strategic Plan? Or have an IT Steering Committee? And what on earth is non-compliance with COBIT? COBIT isn’t even a compliance standard!

We’ve seen our share of what we call “quack auditors” in our landscape. Of course, for every quack, we also find very good, self-respecting ones. But the quacks are the ones that give IT audit a bad name. Suddenly people want to know if we do COBIT compliance. I even saw a proposal as thick as the Bible, expostulating to the client that they need to have all 318 control objectives in place, and that the audit will cover ALL control objectives in a unified regulatory software. Which is a glorified checklist in Excel.

It’s tough, and sometimes we compare our adventures in IT audits to wild west movies, where law and order was non-existent. Until we start educating our clients and creating awareness of how to apply COBIT as a framework, or as a means of complying with a standard, and not as a standard in itself, we’ll be seeing these quack auditors all over the place. It’s like someone exalting the miraculous cure of radioactive medicines in the 1920s, only for the patient to die from this quackery.

Entering into 2013, we would love to see some regulation on how IT audits should be done. In fact, as I always say, remove the “Technology” and just call it Information Security Audit. Now, who would you talk to about “information”, not “Technology”?


Bring Your Own Destruction

There’s a little side bet going on between a few of us.

In 2013, two tech giants will be pitted against one another. No, not Apple and Samsung. Those are the Manchester United and Manchester City clashes. We’re talking about the Southampton and QPR clashes. The battle for survival. The clash for the wooden spoon.

RIM vs Nokia.

It’s hard to believe that not many years ago, these were the darlings of the mobile industry. Blackberries were everywhere. Nokia was the king of the crop. Now, both of them are fighting for their lives. It’s pretty sad to see it. Nokia selling off their headquarters to raise money. RIM betting the farm on BB10, and seeing their stock rise a little, but still nowhere close to the heydays of almost tipping USD150 per share. Now Nokia just won a court ruling regarding the use of WiFi on Blackberries. The whole story can be found on the net, but basically, Nokia is just arguing that RIM has to pay them to put WiFi capability on the BB sets.

It’s like two scrawny kids fighting over a biscuit, when the two fat boys in the park had taken over their lunch sets.

Back in the heydays, Blackberries used to be the de facto enterprise mobile devices. It wasn’t that long ago. 3 – 4 years back. I remember it was the rage back then. Any executive worth his salt would be carrying one of those babies, which looked like ancient handsets with keypads so tiny that guys with fat fingers like me and Homer Simpson would spend longer typing an SMS than Paris Hilton spends without her makeup per year. Sorry, I ran out of useless, quirky similes.

Anyway, there was a reason why BBs were so good in the enterprise. Security. And of course, data compression. The whole deal about running through the Blackberry Enterprise Server and push email, and data compression through the Blackberry Internet Server? It sounds like stone age technology now, especially after the global outage that caused outrage a year back... but back then everyone said it was a great idea, and that iPhones with Mickey Mouse security would not be accepted in the enterprise till the second coming... well, I just bought my mum a Hello Kitty Samsung Limited Edition and I bet my house I can take that to work right now without any question.

But of course, there comes a whole new load of pain. BYOD. Bring Your Own Device. To drinkers, this sounds fun, because BYOB has always been in their vocab. Unfortunately BYOD causes a lot more pain for the enterprise than a couple of drunken stooges after a night of partying after closing a big deal. With BYOD comes the crushing annoyance of having spent millions in securing the perimeter, only for one stubborn executive to insist on putting all the nice confidential PDFs into iBooks and then lose it in a cab. Or having taken pictures of his latest enterprise VPN password so that he can remember it, only to lose the phone in the bar. There could be a zillion permutations of how data can be lost, compromised or destroyed through the wonderful habit of human forgetfulness and carelessness.

Whether your phone is locked or not is irrelevant. It’s like saying I locked my laptop, so now nobody is going to get to my data. It’s like saying, I locked my Aston Martin. Now I’m just going to leave it in the part of the city with the highest rate of car theft and the largest population of stores selling crowbars.

There are ways to counter BYOD issues, and we’ll explore them in further articles. But as of now, companies that ignore BYOD do so at their own peril.

Nope, BYOD is here to stay, and with the imminent death of Blackberry, the last vestige of enterprise security as we know it will go down with it. Security experts will mourn for it.

A new cadre of Hello Kitty Samsung Limited Edition smartphones with Mickey Mouse security will rise up and overwhelm the enterprise landscape. We’ve been warned.


So much for confidentiality

Everyone has a similar story.

You print out something, then walk over to your printer located 20 meters away, shared by the four departments on your floor. Instead of your printout, you find a whole stack of other people’s printouts, and the paper has run out. You look at the print queue, and groan as you see another 120 pages pending. And the one who printed out that stack is nowhere to be found.

Looking further, you see, well, the stack had some pretty interesting information. Apparently it’s the entire year’s worth of financial information and also a few pages detailing employees’ pay and salary. Now you know how much your annoying colleague who just bought an Audi A8 earns, and you are really, really peeved, because you know he doesn’t do anything but play golf and suck up to upper management.

Where is the problem here?

Whatever confidentiality classification a company has put in place is out the window, when an irresponsible employee just prints out 150 pages and goes out for lunch and says, “I’ll grab it on the way back.”

An interesting article here talks about how some secret files from the UK have gone missing or been destroyed. According to the article: “The Foreign and Commonwealth Office is unable to confirm whether 170 boxes of classified documents which were returned to the UK at the end of the colonial era have been destroyed.”

Oops.

The article continues on, detailing some of the acts that were done during British rule in Kenya, where prison warders apparently clubbed prisoners to death and blamed it on “Drinking too much water.”

As in, seriously. I’m not sure if that’s British humor involved in the drinking too much water part, but it’s pretty humiliating for the FCO any way you look at it.

In an application audit we did, the team found pretty good controls overall, but flagged an issue: invoices and documents containing confidential information on partners and payment details were left in a box in a common area before being moved to a more secure location. The common area was where many people on that floor walked by. Now, our client reasoned, nobody would be looking into the box without any business with it. Also, they were all employees of the same company. And finally, it was only temporary storage, and each day the stack would be moved to the supervisor’s cubicle for filing.

We insisted on flagging it. The assumption behind the argument above was that all employees can be trusted. And along with that assumption comes: all employees are nice people who do what is best for the company.

Um. That’s very idealistic, like me winning American Idol and going on to become a global superstar. And chilling with Bono at a cafe. Of course we didn’t put that in our audit report.

But here’s the thing: if you’re going to spend millions on technical controls but not look into the process and people controls, you’re defeating the purpose of holistic security. The weakest link is the people; whether through deliberate malicious acts or just plain unawareness, the company takes the brunt of the oversight. Security should be approached in that holistic fashion, and that’s why IT audits are still relevant in a world where security companies have invented automated “IT Audits” by installing their software to probe for software weaknesses and “outdated patches”. That only tells part of the story. The other part is breaking down the critical processes and the human interaction between systems and technology. Any IT audit that does not take time to understand the business process of a company isn’t complete.

So back to the FCO, we don’t know what happened. Maybe somebody printed out the whole bunch of secret stuff and went for lunch, and somebody else picked up the documents and went, “Jeez, this is going to make the honchos in the UK look like a bunch of clowns”. And also, what do you know, reveal some seriously critical military secrets. Somewhere along the way, somebody dropped the ball. It’s a human issue. Or it’s a process issue. Unfortunately, when we hear of people doing “IT Security Audits” they take the “IT” word too literally and the “Security” word too frivolously. That in itself is worth another article.

So for now, please grab everything you print out before you head out to lunch!

What’s so bad about Windows 8 Picture Password?

The jury is still out on Windows 8.

I mean, from what I see from countless YouTube videos out there, there are those who like it, and those who wish it would completely die a slow and horrible death. On the whole, almost everyone agrees there would be a learning curve involved even for experienced users. For those who are like my dad, who is still mastering the art of mouse usage, using Windows 8 would be as easy to understand as interpreting Mesopotamian hieroglyphs.

However, there is an interesting feature in Windows 8 called the Picture Password. You can google it and see how it works. Basically, you choose a picture, then do a sequence of gestures on it as your password. Gestures are limited to circles, lines and taps. Taps mean what they say. Tap. So if I had my dog’s picture there, I could draw glasses on him, put a smiley on his snout and tap his cute little nose.

Obviously in IT security circles, it has been bashed to bits. The inventor of the RSA SecurID token, Kenneth Weiss, took the concept into centre court and smashed it into tiny bits with a sledgehammer. And then ran a lawn mower over it. Before feeding it to a pool filled with piranhas.

To be honest, I thought it was a wee bit over-reactive from a guy who didn’t have a great track record himself of late. I mean, it wasn’t cool. You are obviously a genius, Kenneth. To label Windows’ attempt at authentication a “Fisher Price Toy” is like me looking at my son’s attempt at writing his name and smacking him in the head because he can’t write in a straight line. My son is 5 months old. It’s unwarranted, and in some ways, makes him look like a petty old man who knows his time in this world is over and can’t stand the sight of new, and obviously inferior ideas overtaking his.

First off, is the picture password revolutionary? Of course not. Android has already adopted gestures for authentication, and probably the pilgrims did it as a way of communicating with the natives when they landed on Plymouth Rock in 1620. Is it secure? Of course not. No more than typed passwords are. Is it fun and interesting? Depends. Microsoft is hoping it is.

You see, this was never meant to take over secure authentication. It’s just a means to get to your desktop. Yes, you can definitely see the gestures from far away, or through whatever ‘smudges’ are left, taking into account that most computer users probably eat fried calamari and then proceed to touch their screens. Or that it’s so guessable, since most people would draw spectacles, a smiley face, a beard or a moustache on a picture anyway? But so what? Is it any better or worse than having a password like ‘password123’ or ‘iloveyou’ or ‘Jesus’? It doesn’t detract or add anything to what we are already doing, except that using gestures is a whole lot more organic than typing on the keyboard.

The only plus is that Microsoft seems to understand that the future of human-computer interaction lies in these organic movements. In 5 years, the use of mouse and keyboard will be replaced by gestures. In the future, interacting with computers will not be limited to screens or physical hardware, but will probably happen through holograms placed all across the home, with all smart devices interacting with each other. This is a future reality, and Microsoft seems to be gearing up for it. Whether they succeed or not, that’s another question. The competitive landscape has changed a lot since the days when Microsoft was the king of the playground and smashed kids like Netscape into smithereens. There are still a few more years before we know if Microsoft rightfully belongs in this new landscape of Google, Facebook, Apple or Angry Birds.

Until then, while they might be a tech giant, Microsoft is a runt in the new tech landscape where consumer coolness is key and Apple is still the benchmark. So let’s give them an A for effort, although the idea is pretty stale.

And as for the Father of RSA SecurID, don’t punch the new kid in the face for having a nice looking cover over the same old school bag that everyone is using. Give the guys at Redmond a chance and they might spring a surprise for us consumers.

And I don’t mean a bad surprise like their Blue Screen of Death.


Stopping Insider Scans

I’ll admit it. I’ve knocked on doors before, while sitting at Starbucks.

“Knocking on doors” here means running port scanners like Nmap, or vulnerability scanners like Nessus or Nexpose, to see if that guy in the suit across the room is using a laptop that’s vulnerable to exploits. I was much younger then. WiFi had just been introduced, and to a guy born with a curious mind like mine, this was exciting stuff. I wasn’t a hacker or cracker by any means, nor did I dwell too much on writing malicious scripts; it was just curiosity that got me going.

I did find myself on the good side of the law soon after, running DHL’s global security group in Asia, where I faced monumental challenges like random denial-of-service attacks and naughty scans from outside.

However, it is usually the insiders that do us in.

I’m sure you’ve heard it before: a secured perimeter is only as strong as its weakest link. And the weakest link is usually inside. A disgruntled employee. A corporate spy. A curious, idle employee with too much time on his hands, reading too many Network Security Online articles. Whatever the case, every company will have its day in the sun. It’s just a matter of when.

For instance, we ran our penetration testing services for a network. We usually don’t have too many issues in the scanning phase, where we enumerate services and probe a little for vulnerabilities. Our standard process was to inform our client when we were doing exploits. But there is one thing we’ve learnt in almost every project we’ve done.

Not everything goes according to plan.

It was an internal penetration test, but, as agreed, we weren’t given many details on the network or servers, and we ran scans on several IPs at once. Soon, our technical client came back to inform us that their servers were not doing too well, and one of the virtual servers running HA had rebooted. We immediately stopped the scans and realised that the IPs given were all running on VMs. Nessus and VMs do not play nice. Do a search on Nessus on communities.vmware.com and pick your poison.

Thankfully, nothing serious occurred, which shows us again how important it is to have people ready and on standby, especially in a pentest, and to follow set procedures and standards. We continued the pentest exercise with greater care, taking into account the issues between Nessus and VMs, and using alternative scanners.

Which shows how simple it is for someone to DoS (Denial of Service) a network with just a vanilla Nessus run. What can a company do about it?

Well, there are several options:

1) IPS/IDS (Intrusion Prevention/Detection System). These babies usually run at the network choke points and work wonders to detect scans and stop them, among other things. We used to run Tipping Point a lot in my previous companies. The problem here is: for a flat network, how do we run this? The servers need to be segregated into their own server segment, with an IPS laid out in front of that network point. In a flat network where everything is plugged into a single IP address space, it still can be done, I suppose, but it’s probably not the best way.

2) HIPS/HIDS (Host IPS/IDS). It’s like a minigun compared to a Gatling gun. It runs on critical servers and works in about the same way, except that the network interface gets hit before the intrusion prevention service kicks in. It’s pretty effective, and we ran a lot of Symantec previously.

3) If those don’t do the trick, then we could probably secure every endpoint. If we want to stop internal attacks, the best way is to properly guard your assets. Control all your laptops through proper asset management, give users no administrative capability to install Nessus, and run an asset scan to ensure nothing naughty has somehow been installed by enterprising employees. You might want to control or choke off the USB ports as well.

4) Finally, set corporate policies. Many companies fail to do this and we don’t know why. Document what will happen if activities like scanning are carried out. Make sure employees understand their obligations to the company and sign acceptable use policies before they are given corporate-owned assets, bought with corporate money. Sometimes a little awareness works better at prevention.

There are probably other ways I’ve missed, but generally this is how we’d deal with idle employees with too much time on their hands scanning our network. That, and putting them on a cold-storage project to wash out their curiosity, maybe.


© 2024 PKF AvantEdge
