Penetration Testing mailing list archives
Re: Email Security - Pentesters take...
From: Anders Thulin <anders.thulin () sentor se>
Date: Mon, 15 Nov 2010 15:20:26 +0100
On 2010-11-09 12:32, cribbar wrote:
A bit off topic, but finally, I am interested in the role of internal IT Auditors in organisations, and what exactly they do or don't do when it comes to pen testing or auditing their own IT Systems.
'Exactly'? An auditor is supposed to verify that the rules and regulations in force in a business environment are maintained. What that entails 'exactly' depends entirely on what rules and processes exist, and perhaps also if they are auditable or not. Also, some auditors seem to believe that they can go for anything, but I'm not sure that is true -- at least not in general. Or perhaps it's in cases where the business hasn't bothered about ensuring that their activities can be audited. In such cases 'muscular audits' may wake the right people up, instead of a 'we have found the following rules to be impossible to audit, and therefore, perhaps, may lead to a lack of compliancy ...'.
Are they responsible for checking that the low hanging fruit is not available to attackers (i.e. the IT admin has followed best practice and is applying patches and what not) and then the pen testers come in with your whole armoury of tools to check for more advanced attacks?
Not in general -- or perhaps, not unless there is a rule or regulation that says so. Perhaps there is in the jurisdiction where you operate.

In my world, IT security is generally the responsibility of the IT department (and indirectly that of the CISO). That means rules and regulations to ensure that the appropriate level of security is maintained. The IT people (and others) follow those rules and regulations. The auditors verify that those rules and regulations are followed by those who should follow them. If there is a rule that says that the CISO 'regularly' should evaluate the IS policy, the auditor wants to see proof that that has indeed happened regularly. If there is a rule that says that passwords must be at least 8 characters in length, and so on, an auditor may very well want to verify that that is indeed true. Those tests are white-box tests.

In some cases, a pen-test may be a good way to test rules that are difficult to audit. Perhaps there is a rule that says only that 'an adequate level of security must be maintained', but doesn't say who is responsible for it. There are two tests here: 'adequate level of security', and 'must be maintained'. A pen-test can provide raw material for testing the first: is the current level adequate or not? Verifying that it is being maintained is much more difficult -- as there is no clear formulation of whose responsibility it is to do so. The auditor's main problem here is the inauditable rule (due to lack of identified responsibility), which may lead to lack of compliance with the rule.

Or so I believe...

--
Anders Thulin anders.thulin () sentor se
070-757 36 10 / Intl. +46 70 757 36 10