Penetration Testing mailing list archives

Re: Email Security - Pentesters take...


From: Anders Thulin <anders.thulin () sentor se>
Date: Mon, 15 Nov 2010 15:20:26 +0100

On 2010-11-09 12:32, cribbar wrote:
A bit off topic, but finally, I am interested in the role of internal IT
Auditors in organisations, and what exactly they do or don't do when it
comes to pen testing or auditing their own IT Systems.

  'Exactly'?  An auditor is supposed to verify that the rules and regulations
in force in a business environment are maintained. What that entails
'exactly' depends entirely on what rules and processes exist, and perhaps
also if they are auditable or not.

  Also, some auditors seem to believe that they can go for anything, but
I'm not sure that is true -- at least not in general. Or perhaps it's in
cases where the business hasn't bothered about ensuring that their
activities can be audited. In such cases 'muscular audits' may wake
the right people up, instead of a 'we have found the following rules to
be impossible to audit, and therefore, perhaps, may lead to a lack of
compliancy ...'.

Are they responsible
for checking that the low hanging fruit is not available to attackers (i.e.
the IT admin has followed best practice and is applying patches and what
not) and then the pen testers come in with your whole armoury of tools to
check for more advanced attacks?

  Not in general -- or perhaps, not unless there is a rule or regulation that
says so.  Perhaps there is in the jurisdiction where you operate.

  In my world, IT security is generally the responsibility of the IT department
(and indirectly that of the CISO). That means rules and regulations to ensure that
the appropriate level of security is maintained.

  The IT people (and others) follow those rules and regulations.

  The auditors verify that those rules and regulations are followed by those who should
follow them.

  If there is a rule that says that the CISO 'regularly' should evaluate the IS
policy, the auditor wants to see proof that that has indeed happened regularly.
If there is a rule that says that passwords must be at least 8 characters in length,
and so on, an auditor may very well want to verify that that is indeed true.
Those tests are white-box tests.

  In some cases, a pen-test may be a good way to test rules that are
difficult to audit.  Perhaps there is a rule that says only that 'an adequate level
of security must be maintained', but doesn't say who is responsible for it.
There are two tests here: 'adequate level of security', and 'must be maintained'.
A pen-test can provide raw material for testing the first: is the current level adequate
or not?  Verifying that it is being maintained is much more difficult -- as there is no
clear formulation of whose responsibility it is to do so.

  The auditor's main problem here is the inauditable rule (due to lack of identified
responsibility), which may lead to lack of compliance with the rule.

  Or so I believe...

-- 
Anders Thulin      anders.thulin () sentor se      070-757 36 10 / Intl. +46 70 757 36 10
