Penetration Testing mailing list archives
Re: [PEN-TEST] Evaluating Auditors Abilities
From: Edward Slusarski <Eslusars () NACCOIND COM>
Date: Thu, 7 Sep 2000 15:26:14 -0400
Hello Derrick,

This one has struck a nerve with me too. I was in the Big 6 at one point in my career and did IT auditing for various companies. I was instructed by the partner to only address the senior management group of the company and not the administrators. As usual, I did not follow the orders and would always talk with the administrator about any issues I noted. If I did not learn anything else in life, I learned that you need to talk with the person running the show and not the person or people trying to direct the show.

I moved into the private sector and still hold this methodology to heart. All findings are discussed with the administrator to determine if he or she is aware of the finding, whether it is a valid finding, and how we can work together to address the risk in a way that is beneficial to both of us (especially the users). Unfortunately, no type of designation is going to give you this type of open communication unless you ask for it ... demand it! Learning is a two-way street!

If the facts come from a Big 4 or consulting group, it has to be law, but it is not. Most of the IT auditors that I deal with in the public arena view things at 20,000 feet and most of them are new out of school. The really heavy-hitting IT auditors are their own consultants, trainers or intrusion aids. I am not knocking all public firms or consultants, but the market is so hot that anyone with a little bit of knowledge and interpersonal skills is being yanked out of the public firms and most consulting firms to go into dot-com companies or high-powered consulting firms. This means it will only get worse as time goes on. As for who top management will believe, it will always be the outsiders.

How can companies decide which auditors really do a decent job and are worth their value?

YOU NEED TO ASK AROUND AND GET OTHERS TO LET YOU KNOW WHO THE BETTER ONES ARE.

Are there any certifications or industry groups out there or on the horizon that will evaluate and endorse auditors?

CERTIFICATIONS OR INDUSTRY GROUPS CANNOT VOUCH FOR OR KNOW IF THE PERSON AUDITING YOU HAS INTERPERSONAL SKILLS OR CLASS.

What is the best approach from a network admin position to counter end results delivered by auditors if they seem to be in error?

1) TRY TO TALK WITH THE AUDITOR FIRST TO DISCUSS THE FINDINGS - DO SO OVER LUNCH OR BEERS.
2) WORK UP THE CHAIN OF COMMAND SO THAT YOU HAVE AS MUCH BUY-IN FROM THE BOTTOM UP. THIS GIVES YOU STRENGTH IN NUMBERS AND RESPECTABILITY WITH YOUR SUPERIORS ON UP.

Has anyone else been through this, and is it destined to get worse before getting better?

I CAN SEND YOU A LIST.

That is my rambling two cents.

Ed

THE OPINIONS EXPRESSED IN THIS EMAIL ARE THOSE OF MY OWN AND NOT THAT OF THE COMPANY THAT I WORK FOR.

-----Original Message-----
From: Derrick [mailto:Derrick () ANEI COM]
Sent: Thursday, September 07, 2000 12:46 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: [PEN-TEST] Evaluating Auditors Abilities

Dear Pen-Testers,

Recently I underwent something that had me thinking about security auditing companies and others (big accounting firms that offer a side service of auditing). Management decided that we needed to be audited by an outside firm, which I am in full favor of. The problem came about in what an unnamed auditor did. Firewalls tend to cause false positives in some tests and other anomalies that many auditors may not be aware of. So they performed this audit, which we did pick up and were aware of. What happened next is what baffles me. The auditors did not understand the results that nmap and other tools gave them. Near the end of the business day they contacted management proclaiming they had found numerous security issues and even some backdoors in our network. After a long couple of days of testing we found none of these issues were correct, and we then spent many hours and several meetings explaining that the firm hired didn't seem to know what they were doing.

Management made the default comment of "We are paying them a lot so they must be right, fix these problems". After several days of explaining why their results were wrong and verifying the network, we came out to show that the auditors did in fact improperly interpret the results. The end result is management walks away wondering if they got ripped off or if we were just trying to cover problems. It also caused a lot of overtime and extra work for us to explain and prove the network to management.

So the end questions are these:

How can companies decide which auditors really do a decent job and are worth their value?

Are there any certifications or industry groups out there or on the horizon that will evaluate and endorse auditors?

What is the best approach from a network admin position to counter end results delivered by auditors if they seem to be in error?

Has anyone else been through this, and is it destined to get worse before getting better?

Thanks for any thoughts or comments,

Derrick