IT安全审计员不是邪恶的，可以让你找不到砍死

当我坐在这里写我的第一篇博客，而试图从一个星期恢复在拉斯维加斯度过了欣赏风景，声音，精神错乱，只有黑帽和DEF CON可以对凡人造成（机器人和忍者是免疫的，or so I have been told), I can’t help but to be amazed by how many security issues could be prevented with a strong security auditing and assessment program. This year’s con was full of new technology exploits like GSM phone sniffing with off the shelf parts (costing about $1500) and the infamous Hole 196 vulnerability discovered in WPA2’s implementation of group temporal key (GTK) encryption allowing an authenticated client with a modified wireless driver to spoof an access point for man-in-the middle attacks and other wireless shenanigans. While technology vulnerabilities were on display, the part that interested me the most (besides counting the number of mohawks) was how so many of the talks were focused on exploiting fundamental aspects of security that could have been identified and mitigated if network security audits were conducted on a regular basis and the weaknesses and risks found were acted on in a timely manner. It doesn’t take a skilled hacker to perform social engineering or exploit poorly implemented technologies. Most IT pros find the thought of going through an audit not only distasteful, but extremely stressful as well. Images of demonic auditors waving checklists and chanting compliance laws while running wild throughout the network can strike fear and loathing into the hearts of the most veteran of network warriors. But it doesn’t have to be this way! Auditors are not trying to show your boss how stupid you are or get you fired. Their role is to identify risky situations and provide a third party opinion as to how well the organization complies with corporate policies and regulations. At DEF CON there was a heated debate about PCI and its cost versus benefit. I loved the passion that the security community displayed and the conversations brought out both the good and bad of PCI DSS. Regardless of your opinions of PCI, one thing it has done well is to create a minimum standard for compliance, which if used properly, decreases the risk to an organization and its customers from credit card theft. It isn’t perfect and is no guarantee that you won’t get hacked, but it is effective at forcing the requirements for auditing and assessments that can find exploitable weaknesses. No one can argue the value of that. Auditing the network from a security prospective has significant value as well. When a corporate network is first installed, it’s kind of like a shiny new car. While your new car may stay clean for a couple of months the minute the first fast food wrapper hits the floor, things start going down hill. Before long your shinny new car starts to get that “lived in” look and feel, complete with bird poo that requires a paint scrapper to remove and truly horrific odors that assault your sinuses as if the zombie apocalypse began in your back seat. Networks are no different, in that they tend to grow organically and without proper processes and procedures end up becoming a mess of tangled wires and technologies that become extremely difficult to manage let alone secure. Access control rules become full of exceptions for specific, poorly written applications, and become a permanent addition to the rule base because it is often easier to add a rule than delete one. This chaos can provide a foot-hold which attackers can use to gain access to your network and run amok while you attempt to figure out what to do and your boss is breathing down your neck. Auditors can help to identify the weaknesses that can lead to an attack by assessing the controls an organization puts into place in order to reduce the risk to critical assets and IT services. An IT auditor has the opportunity and perspective to look at the network as a system that encompasses security controls around people, process and technology. These three categories are essential to good security and address the following: People- People are users, administrators, data owners, and managers of the organization with all of their varying levels of skill, attitudes, and agendas. If users are not following security policy, there may be a need for stronger administrative controls like security awareness training or penalties for non-compliance (this is the “up to and including getting fired” clause that HR puts in the employee manual). An organization could also implement a detective/corrective control to enforce policies like having the latest Anti-virus updates or operating system patches before the user is allowed on to the network. People also represent the organizational structure and policies that drive security. Process- Process represents how the organization delivers the service of IT. These are the procedures and standards that are put into place to protect assets. Processes must be up to date, consistent, and follow best practices to be effective. Process is one of the most important areas to test, because most attacks that result in significant loss have a component where process has failed. Take for example user account creation and decommission. Someone is hired, and a request is put in to IT to create the appropriate accounts for him or her. Who is allowed to send the request? Is it any hiring manager or HR? How is the request validated as being legitimate? Without strong process and the appropriate controls in place to prevent, detect, and correct, anyone could call up and impersonate a hiring manager and request an account be created. Social engineering techniques like this are significantly easier (and quicker) than trying to run a brute force password cracking tool against a server. Technology- Technology represents the facilities, equipment, computer hardware, and software that automate a business. Technology allows people to accomplish repetitive jobs faster and with less error. Of course technology also allows someone to do stupid things just as efficiently and a whole lot faster. Mis-configurations and poorly implemented software can take a mistake and multiply its impact exponentially. Imagine leaving the door unlocked on a room that houses hardcopy files. Someone could potentially walk into the room and start taking files, but it would take a long time (not to mention effort) to hand carry those documents out to their car. Now imagine mis-configuring a server in the DMZ to allow access from the Internet to a key database server. Someone could download the entire database in seconds and not even leave a trace that they were there. This is why it is so important for a business to standardize on best practices and configurations that are known to work, as best practices tend to anticipate many of these scenarios. Auditing is an essential component of security, and if conducted properly from a combined people, process, and technology perspective can identify weaknesses that could lead to a company experiencing a security incident. What do you think? Can good security audits save the day, or are there other areas of security that need to be addressed first?