2010
08.31

An Auditor’s Tip #2

In my previous post I tried to calm your fears about being audited by helping you understand the different types of audits you could be facing. However, you can feel the fear creeping back in, because they are auditors after all. So what can you do next to ensure you are prepared to survive an audit? In one simple word, documentation. I can hear the moaning even in my little post-auditor safe house. Trust me, read on and your life will be a lot easier, and so will your audit.

When you consider that an audit is looking at the controls around your IT environment, properly documented policies, processes, and procedures are critical. They are a formal way to show that you and your staff have a proper understanding of the controls they must adhere to. Documentation is not fun, and your auditors are well aware of it. A large percentage of what auditors do is document their tests, which means you will find little comfort from them if yours is lacking. All is not lost, though: if you start now you can have all the documentation you will need.

The trick is not to throw together stuff for them to read, it is to ensure what you actually do is precisely written down. This has multiple benefits. First, the auditors know what standard to audit to. If you don’t document controls, the worst they can do is write you up and leave early, right? Second, the more you have documented, the less time they have to be on-site asking you questions. I know auditors are warm and fuzzy, so this may disappoint you and cause you to slack on your paperwork. Finally, if your procedures are well documented, everyone should be doing it right and the auditors should find no control failures. No control failures means easy report writing, which means happy auditors.

Documentation shouldn’t be an audit exercise, it should be a control exercise. A well-controlled environment means a lot less work doing the little things. In the end the benefits far exceed the pain of having to create documentation. Try it; you just might find the benefits go beyond happy auditors.

2010
08.31

I was recently at my 7-year-old son’s soccer game. Standing on the sideline cheering him on, it came to my mind that many sports have lessons for information security professionals. In baseball each team plays offense and defense, but there is a clear line between when you are playing each. For half an inning you play offense, trying to score as many points as you can before you reach three outs. Everyone then leaves the field and changes roles from offense to defense. American football is very similar; however, there are times when your defensive players are placed in a role to score, which means the other team’s offensive players must take a defensive position. In soccer and basketball players take on both defensive and offensive roles with very little time of transition.

However, this wasn’t the connection I was making in my mind. You see, I had my 2-year-old daughter and 4-year-old son on the sidelines with me. For little ones, watching an hour-long game where kids are running up and down a field kicking a ball is inspiring. So inspiring, they wanted to run out on the field with their sibling. My 4-year-old was being very good and sat cheering for his brother. My daughter, on the other hand, kept attempting to become part of the game. I could walk away from the field and let my daughter run around the park, but this would mean I couldn’t watch my son’s game. Another option was to hold my daughter for the rest of the game, but that would mean having to listen to her be very vocal, which could distract the players and other parents. The only logical option then was for me to try to entertain her while watching the game.

No matter how hard you try to keep a toddler from getting out of your grip, it will eventually happen. My daughter would sit on the ground pretending to be all calm, then when I would turn away for a second she would dash towards the field. I had anticipated this and thus had us sitting far enough from the field that I could capture her before she crossed the sideline. However, no matter how calculated our position was, she managed to cross onto the field during the game. Fortunately she was not in the zone of action, and so I was able to avert a major catastrophe. One attempt was not enough, and so I spent the rest of the game diverting her from being plowed down by a bunch of 7-year-old soccer players. I like to refer to this behavior as the Aggravatingly Persistent Toddler, or APT.

The lesson wasn’t in the offense and defense of the game itself, it was in the threat to the game that lurked unknown to the players. Had my daughter wandered onto the field while the players were close by, not only could she have gotten hurt, but the game’s integrity could have been compromised. Despite my daughter gaining access to the playing field, the response was quick and prevented the compromise from affecting the game itself. We sometimes focus security so much on the known attack vectors that we forget there are holes we may not know about. The question is whether we place other tools in our systems to detect a compromise so we can react before the damage becomes too costly. It is great to know what your defenses have prevented, like seeing the goalie block a goal. The question is, once compromised, can you detect the unusual behaviors that signal unauthorized access? Can you stop the aggravatingly persistent toddlers in your systems?

2010
08.24

You have just gotten off the phone with the auditor who has informed you the audit is ready to begin. Before you allow panic to set in I would like to offer some advice which may alleviate some Fear, Uncertainty, and Doubt.

Tip

The first thing you need to understand is what type of audit is about to be conducted. An “audit” generally will take a detailed look into your adherence to controls, but which ones? An audit of IT as part of a financial attestation is a general review of the IT controls that affect the accuracy of the applications responsible for material line items on your financial statements. A bit more scrutiny has been added due to SOX requirements, but the goal is to satisfy the auditors that your financial statements are materially accurate. A SAS 70 is different, as there is a subset of controls you define, relating to the services you provide, that the auditors want to review. Defining scope in this review is very important, and it can be as restrictive as you want it to be. A compliance or regulatory audit defines the controls based on the regulations for which you must show compliance. This is probably the most difficult of all audit types, as the auditors are very specific in what they want to see and will accept as being compliant. Finally, an internal audit is based on organizational risk. Scope is focused on the highest risks your technology poses and tries to ensure you have appropriately addressed those risks. Generally speaking you want your internal auditors to find issues before the external auditors do; it tends to be less complicated for your organization. These are oversimplifications of the audit types, but I think simplification helps take the fear out of the equation.

Before you lose your cool in a panic, find out what type of audit you are about to experience. Armed with the knowledge of the audit’s scope, you can better prepare to have someone shine a light on your operations. Take a deep breath, you are one tip closer to surviving the audit.

2010
08.23

The Recap

Officers responded to a resident’s call that a man asked to borrow a computer and then fled on a bicycle. Officers could not locate the suspect.

The Lesson

Not knowing all the details behind this story, I can’t say it was unusual for someone to be asking to borrow a computer. What seems strange is that the person asking for the computer was traveling by bicycle. I am assuming it was the suspect’s bike, since the report didn’t say the suspect then stole a bicycle to flee. This reminds me that although the traffic we see on our networks may not be unusual, the method of its transport may be out of the ordinary. The job of perimeter security is to stop traffic from connecting through certain protocols or from certain IP addresses. Knowing that most organizations block traffic, it would only make sense that those trying to gain access to our networks would try to mask themselves as legitimate traffic. However, at some point they have to reveal their true nature, and we need to ensure we monitor for this type of behavior within our networks. Like the suspect in the story above, we can’t always assume the most sophisticated methods will be used to hide unauthorized access attempts.

2010
07.31

Three weeks fresh out of college and on the job as an auditor, I found myself in a very interesting situation. Auditing small governments was the staple for my first few months, and small governments (townships, villages, etc.) have some unique office buildings. In Ohio a township is the smallest form of “community” government you can have and is the least restrictive in regulating its residents. This is perfect for places like farmlands or low population areas. I was auditing a township, and their township hall was a very old building. All the doors creaked when you opened them, paint was falling off the walls, there was very little lighting, and if you plugged in more than three things you popped a fuse. If you didn’t know better you might think the place was haunted.

Three days into the audit, a third auditor stopped to drop off some work papers for my supervisor to review. Faintly from the door on the first floor we could hear her calling for us. When I got to the door she looked freaked out, and told me there was no way she was coming into this place. I couldn’t blame her, had I not been so focused on getting my work done and making a good impression I probably would have noticed how creepy the place seemed. My supervisor came out to the parking lot to get the work papers and we all had a laugh about this haunted town hall.

Fast forward three years. I was assigned a township which rented an old school building for a dollar a year as its town hall. I sat alone in the old cafeteria, and though it seemed slightly creepy I didn’t think much of it. Just two weeks and I would be on to larger projects. The first week went along normally, and the weekend came. When I got back to the audit site on Monday, part of the building had been transformed into a haunted house, as it is every October. This would not have bothered me, as it was a fairly large building, except the restrooms were smack dab in the middle of the haunted house.

Being 25 at the time, I should not have been as nervous as I was to find the restroom. Being that it was an old school house, the floors were made of wood and creaked with every step. I looked for a light switch, but there were none I could find. I also forgot to mention that on the first day it was a dreary, rainy day, making it that much darker in the building. It was silly that a grown man couldn’t just walk right into the haunted house, but it just didn’t feel right. I gathered my courage and walked in. At first it was easy; the setup actually seemed pretty basic. As I got closer to where I knew the restrooms were, though, I realized I was in complete darkness and I could feel things that didn’t seem natural. When I reached the restroom door I quickly rushed through it and was happy to see the window had not been covered up. My heart was racing, and as I turned to make the return trip I was moving a bit faster. Irrational as it may seem, I was completely alone in the building and the creepy factor was off the charts.

Just before I reached the exit my pager went off. I would like to say I kept my calm, but I ran like a little boy trying to find his mom and dad’s bedroom door in the middle of a lightning storm. That’s right, I am not afraid to admit that I was scared beyond sanity at the age of 25. My wife and I had a good laugh that night over the tale, and my co-workers ribbed me for weeks. Just goes to show the auditor sitting across from you may put fear in your heart, but they are human and have fears of their own.

2010
07.30

The Recap

Two carnival workers called the police for directions across town after the carnival they were working for left town without them.

The Lesson

It seems a bit extreme to call the local police station for directions. I mean, there are plenty of places these two people could have walked to ask for directions. Instead they did the simplest thing they knew to solve their problem: they called 9-1-1. Who knows a community better than the police department, right? It should come as no surprise to us, then, that when people have issues with their computers they call the first person that comes to mind. As security or technology professionals we are the stewards of that which we work to maintain and defend.

It can seem tedious sometimes when we are asked to help with those “help desk” tasks, but in doing those little things we go a long way towards making people comfortable with technology. We ask family, friends, and co-workers to trust us and take the steps we suggest to become more secure. In doing so we have to build a trust, and sometimes the best way to build trust is to help with the little things first. Not only do you build trust, you build confidence in people so they feel like they can handle what they don’t understand. Calling 9-1-1 for directions is not advised, as it takes resources away from the real emergencies; however, to the two people left in a strange place the idea of emergency probably jumped out the window. If we help with the little things, we may get help solving the bigger issues.

2010
07.24

I had an excellent experience today with my family. We took the time today to visit COSI (Center of Science and Industry) for the first time as a family. Despite the varying ages of our kids, it seemed each display had something for everyone, but I digress. Among the many inspirations you could find in a place about science, I found two items I thought touched on the “science” behind information security. This isn’t to say you couldn’t relate these to other facets of our lives; I just found them very relevant to the infosec community. When you hear people refer to the “science” of infosec, they always talk about the ability to recreate your methods and achieve similar results. I am taking a slightly different approach.

The Foucault pendulum

As a kid I remember the first time I saw one of these large pendulums swinging back and forth and knocking over dominoes at certain time intervals. The point of the whole experiment is to demonstrate the fact that the earth is rotating beneath us, and though it may appear everything in the sky is moving around us, we are actually the objects in motion. Looking at the pendulum at any given time of the day, it will appear as if the pendulum is not swinging in a straight line but in a more curved motion. However, the pendulum never deviates, and thus it shows that we have moved; our perspective has changed.

As skilled professionals we sometimes lose sight of the fact that we are not moving; it is the world around us which moves. Sometimes we want others to bend to our will, and find we have a gap that never seems to be filled. When we understand the world is moving, setting the pace, we can adjust our methodology and find ways to anticipate where we will end up. In the display of the Foucault pendulum, the items to be knocked over are purposely placed. In real life, when we anticipate where the world around us is going, we set ourselves up to be in the right place at the right time. Then, when we knock down each challenge, we move ahead to anticipate the next “right place.”

The Car and The Lever

The idea behind using a lever, or gaining leverage, is to take an object which seems near impossible to move under normal circumstances and multiply the energy available to move the object. Huh? Let me use the experiment to demonstrate. There is a car sitting on a platform which is attached to a very long, and large, lever. The lever is attached to a stand near the car, and at two intervals after the stand are ropes hanging down from the lever. Perhaps click here to see what I am describing. The first rope is roughly the same distance from the stand as the car is from the stand. Pulling on this rope will result in a lot of sweat, but not much progress on lifting the car. Now you move to the rope at the end of the lever, which is approximately two times the distance from the stand as the car, and suddenly you find you can actually lift the car, which is technically not humanly possible.

The words don’t match the visual, but what struck me was the idea that we don’t always leverage all our tools or the skills of the people around us. We are constantly trying to solve the day’s problems and, like in the pendulum example, stay ahead of the curve. It is no wonder we don’t always try to utilize all the tools at our disposal, and in the end try to move the unmovable. This isn’t to say we outright ignore what we have around us; we just don’t always see how we can gain leverage over our challenges. Using minimal energy to achieve a result that seems impossible is a goal we all would love to attain.

Applying Science

We need to stop and assess the tools and resources around us, learning to leverage all of them to achieve our goals. This means having the time to make the assessment, but the point of leverage is that a little bit of planning means a lot less energy overall will be used, and we do the impossible. Given that we can leverage our resources, we are more likely to get ahead and find we can be in the right place at the right time. Since we are there to address the next threat before it occurs, we expend less energy and gain more leverage. You may be saying right now “hold on, a perpetual motion machine is not possible”, but that shouldn’t stop us from trying to find one, right? I mean, if no one ever tried to find a way to move the unmovable we wouldn’t be talking about gaining leverage today now, would we?

When thinking of science and information security, maybe we need to think more about innovation and not just reproducing results. Just a thought, I am interested to hear yours.

2010
07.09

Over the weekend I decided to clean the grout on our kitchen floor, or should I say my wife wanted me to. Either way, it needed to be done, and oddly enough my kids volunteered to do it. They canvassed the floor and in ten minutes declared the job done. Knowing it needed more than a quick once-over, I thanked them and then set out to do the task. Getting the grout on a kitchen floor clean takes a lot of elbow grease, so I started in the places that looked the worst.

First up was in front of the sink and stove. I pushed the grout brush down hard and made sure nothing could survive my fury. Next were the main entry points from outside to the kitchen; even the best placed rug can’t keep dirty shoes from tracking in the great outdoors. I finished my most focused attack under the kitchen table and counter bar stools, both of which collect the various food projectiles from little hands.

Having exhausted most of my strength, I then went to the low traffic areas. The dirt was much less prevalent here and came up with ease. In all the floor looked a lot better, and I used my resources wisely. While surveying my work, the analogy to risk management and information security hit me. My kids’ focus was on getting coverage over the entire floor with even energy. I, on the other hand, focused my energy first where it was needed most.

This made me wonder how much we rely on a risk-based approach to using resources. I am not saying it is the end-all be-all, but how often do we waste resources simply to say we have coverage? Sometimes it is easier to just cast the net wide; it saves the headache of explaining the approach. However, in taking that approach you may not adequately cover the real threats.

Now, before you start cursing me for missing the obvious, compliance can muddy the waters. Sometimes you have to cast your net wide to “pass”. However, if you rely on compliance to ensure you are secure, you are headed for potential disaster. First off, the definition of compliance changes, so compliance today doesn’t ensure compliance in the future. Second, compliance is general, not specific to your organization, so you are meeting high level requirements only. I would suggest that if you target your resources properly you can still achieve compliance, and not just in the short run. That said, don’t blow all your resources on focused solutions; you still need some generalized solutions to cover your lower risk assets.

As I said at the start, this isn’t a guaranteed methodology, but it is one that seems to make sense. The grout in my kitchen wasn’t perfect when I was done, but it was much better and I feel better about those troubled areas. Wisely implementing our information security resources using a risk-based approach won’t just make us feel better, it should make us more secure.

2010
06.21

The Recap

A male was caught urinating behind a vehicle. He told police he could not find a restroom. Police advised against repeating the behavior.

The Lesson

I just couldn’t pass this story up after I read it while looking for a police blotter to comment on. The funny thing is the correlation hit me immediately. Despite knowing they shouldn’t do it, end users install things on their work computers that aren’t always approved. The problem usually stems from a need to complete a task for work that cannot be easily achieved with the tools they have. We all know why this is bad. We have to protect our assets (physical and intellectual) not only from malicious software, but also from software that causes unexpected behavior on the computers.

The question you need to ask becomes “Is the process I have in place to get items approved too complex?” Sure, you will have those people who will install anything if you let them, but many times there is a perceived benefit to the person’s work performance. So do we make the process as simple and straightforward as possible when the need arises? Do end users have a clear sense of who they need to contact and what information to provide to make the case? Are end users advised of the steps needed to validate software for use, and are they kept notified during the process? When a request is denied, is an effort made to work with end users to get them the tools they need?

If you answered no to all or some of the above questions, you may see where the gap has been created. Taking into consideration the reason your organization exists (usually to make a profit), you need to ensure policies don’t make you a hindrance. Well defined policies that support both employees’ job functions and security requirements are the best. Take a look at your policies and procedures and make sure they are clear. Educate employees on not only the hazards of unauthorized software, but the benefits of working to get software authorized. If they see the process as friendly to their needs, they will begin to use it. Poorly written policies and poorly executed procedures are like putting up portable bathrooms and not maintaining them. If they are disgusting, people will just go some place they are not supposed to, like in a bush or behind a car.

This doesn’t mean you will always approve every request. However, if you take the time to educate end users on why you couldn’t approve their request, they may better understand what other tools they can use and be more willing to follow procedures going forward. It’s worth a try.

2010
06.09

The Recap

A resident reported an elderly female dressed in a bathrobe standing in the tree lawn. She was waiting for a visitor.

The Lesson

Growing up, there were at least three nursing homes in my town. It seemed there was always a report of a resident of the facilities wandering off. In my college years I worked as a painter in a building next to one of those nursing homes. On a weekly basis we would have a visitor who had wandered off, which we would kindly escort back. The street where the above incident took place is across the street from three elder care facilities. The first thing that struck me about the story was that I had seen this event unfold. That night as I passed by, there were already two cars and a patrol car attending to the matter.

As professionals who deal in information security, do we practice responsible disclosure? I know there is a lot of debate around this topic, but I am not focused on new vulnerabilities. I am more focused on our normal interactions with websites that appear to be in their “pajamas”. We have all come across something that just doesn’t seem right, but do we then inform the site owner of our discovery? On one hand there is the fear that we open ourselves up to scrutiny as to how we found it, and on the other there is the potential to be ignored. Fear and frustration then lead us to feel it is not our problem, so we take our business elsewhere, or we refuse to use the site until someone notices it and finally fixes it.

In the end the answer is difficult. Do you mind your own business and leave the woman in her pajamas on the side of the road late at night? Do you stop your car and try to get a resolution to the perceived problem? In the end there is risk and reward both ways.
