Sister CISA CISSP:

Tools & Tricks of the Trade

May 1 2008   5:16PM GMT

Tips for Admins: How (NOT) to Have a Good IT Audit

Posted by: Arian Eigen Heald
Security, Admins and Auditors, Compliance, IT audit, Tools & Tricks of the Trade

Over the years, I’ve gotten used to the people I “visit” trying really hard not to make faces when I’m introduced. Nobody likes to see an auditor roll in the door. I try to make it as easy as possible, and whatever I can to fit into the schedules of busy engineers and managers. But I’ve also gotten used to some tell-tale signs that the audit is not going to go well:

Don’t prepare any information in advance and tell me you’re very busy
We send out requests for information a month in advance and offer custom scripts to help get the information easily. It’s usually information you should have at your fingertips - user lists, MBSA scans, router configurations, etc. Database queries take a little more time. I know you’re really busy - what admin isn’t? When I don’t get any information, it doesn’t make you look busy, it makes you look incompetent.

Don’t answer my emails or phone calls
If your manager has told you to do this, route my requests directly to him, and cc me. Then you’re off the hook and your manager can look bad. That’s what they’re there for. If you’re just avoiding me, well, see the note above.

Be condescending about technical issues
Yes, I know IT Auditors don’t know your systems as well as you do, and we never will. We have to ask for dumb things. Be patient and tolerant, and we’re much more likely to be helpful.

Don’t allow my laptop on your network because “it’s a security issue.”
Please don’t embarrass yourself this way. A competent engineer can route us directly out the firewall without ever touching the network. This statement means you’re either incompetent, lazy, or hiding something. Not to mention the fact that I’ve been vetted, ’scoped and checked across multiple continents AND my company has a boatload of liability insurance. I break it, I own it. Smile, your network is safe due to your competence, isn’t it? Make it look easy.

Stonewall giving me access to critical systems because “you might break something.”
Other than questioning my technical competence (thanks!), it tells me that you’re afraid I’m going to find something you don’t want me to see. Truly secure and resilient systems can recover from almost anything an admin can do to them. If your systems aren’t that secure or able to fail over, acknowledge it upfront. We’ll work out what I need to see together.

Lie outright.
I can count on the fingers of one hand (and not use all the fingers) the systems I’ve seen where the engineers and managers have been proud to walk me through and show me what they are doing. I love being “wowed.” I don’t get that very often, and I really enjoy seeing a well-run network.

I’ve also had engineers take me aside and reveal security issues they were concerned about that weren’t being addressed, and I keep those sources as confidential as I can. If you tell me where the problems are, then I know you are not the problem. If you are losing sleep over some issue, share the pain - I can lose sleep, too. You can use an auditor’s report to get management to pay attention to security issues.

Make the most of my visit. Ask lots of questions. Understand why I’m asking what I’m asking for. It will make your job easier, and I’ll be out of your hair sooner. And who knows, you might want to be an IT Auditor someday. You’d probably be really good at it, because you would know where to look.

Apr 29 2008   2:07PM GMT

A YUMMY New (FREE) Tool for Looking at Packet Captures

Posted by: Arian Eigen Heald
Security, Tools & Tricks of the Trade, Admins and Auditors, Tools for Auditing and Security, Networking

I don’t know about you, but looking at packet captures is right up there with looking at Cisco PIX firewall configuration files. Nonetheless, it’s part of my job, on occasion, and although I enjoy the “capturing” part, the “looking through it” part tends to make my eyes cross.

So, a nifty new FREE tool: “rumint.” (Short for rumored intelligence; why the name, who knows.) Anyway, when you load a capture file (it reads a number of formats, including tcpdump) and select “Text Rainfall” from the View pulldown, voila! A screen that pulls the ASCII text out of each packet in the capture. Oh my. What a thing of beauty. I had an epiphany, it was so easy to read. You can set it to loop, as well.
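The “text rainfall” idea, as an added Python example that is not rumint’s code or the author’s: it walks a classic libpcap file, strips the Ethernet, IPv4 and TCP/UDP headers, and lists the printable ASCII runs in each payload, the way strings(1) would but one packet at a time. The three-packet capture (an HTTP request, a DNS query and a binary blob) is constructed inline so it runs offline; the addresses, ports and helper names are assumptions, and the parser only handles the classic pcap format with Ethernet frames, not pcapng.

```python
import struct
from typing import Iterator, List, Tuple

MIN_RUN = 4  # shortest printable run worth showing, as strings(1) defaults to


def printable_runs(data: bytes, min_run: int = MIN_RUN) -> List[str]:
    """Return runs of printable ASCII (0x20..0x7e) at least min_run bytes long."""
    runs, cur = [], bytearray()
    for b in data:
        if 0x20 <= b <= 0x7E:
            cur.append(b)
            continue
        if len(cur) >= min_run:
            runs.append(cur.decode("ascii"))
        cur = bytearray()
    if len(cur) >= min_run:
        runs.append(cur.decode("ascii"))
    return runs


def iter_pcap_records(blob: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (timestamp_seconds, frame) for each record of a classic pcap file."""
    magic = struct.unpack("<I", blob[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack(endian + "I", blob[20:24])[0]
    if linktype != 1:
        raise ValueError("this example only handles LINKTYPE_ETHERNET")
    off = 24
    while off + 16 <= len(blob):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", blob[off:off + 16])
        off += 16
        frame = blob[off:off + incl_len]
        if len(frame) < incl_len:
            break  # truncated capture: stop rather than misparse
        off += incl_len
        yield ts_sec, frame


def frame_payload(frame: bytes) -> Tuple[str, bytes]:
    """Walk Ethernet -> IPv4 -> TCP/UDP and return (flow summary, application payload)."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return "non-IPv4", frame  # fall back to scanning the whole frame
    ip = frame[14:]
    total_len = struct.unpack("!H", ip[2:4])[0]
    ip = ip[:total_len]  # drop Ethernet padding beyond the IP total length
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    l4 = ip[ihl:]
    if proto == 6 and len(l4) >= 20:
        sport, dport = struct.unpack("!HH", l4[:4])
        hdr_len = (l4[12] >> 4) * 4  # TCP data offset, in 32-bit words
        return f"tcp {src}:{sport} -> {dst}:{dport}", l4[hdr_len:]
    if proto == 17 and len(l4) >= 8:
        sport, dport = struct.unpack("!HH", l4[:4])
        return f"udp {src}:{sport} -> {dst}:{dport}", l4[8:]
    return f"ip proto {proto} {src} -> {dst}", l4


def text_rainfall(blob: bytes, min_run: int = MIN_RUN) -> List[Tuple[int, str, List[str]]]:
    """One row per packet: (index, flow summary, printable runs found in its payload)."""
    rows = []
    for idx, (_ts, frame) in enumerate(iter_pcap_records(blob)):
        summary, payload = frame_payload(frame)
        rows.append((idx, summary, printable_runs(payload, min_run)))
    return rows


# --- constructed sample capture (hypothetical addresses, checksums left zero) ---
def _ipv4_packet(proto: int, src: str, dst: str, l4: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234, 0, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + l4


def _tcp_segment(sport: int, dport: int, payload: bytes) -> bytes:
    # 20-byte header: data offset 5, flags PSH|ACK, window 8192, checksum/urgent zero
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload


def _udp_datagram(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def _ethernet(ip_packet: bytes) -> bytes:
    return b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00" + ip_packet


def build_sample_pcap() -> bytes:
    """Three frames: cleartext HTTP request, DNS query, and a binary blob with no text."""
    dns_query = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00" + b"\x07example\x04test\x00\x00\x01\x00\x01"
    frames = [
        _ethernet(_ipv4_packet(6, "10.0.0.5", "10.0.0.80",
                  _tcp_segment(40000, 80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"))),
        _ethernet(_ipv4_packet(17, "10.0.0.5", "10.0.0.53", _udp_datagram(5353, 53, dns_query))),
        _ethernet(_ipv4_packet(6, "10.0.0.80", "10.0.0.5",
                  _tcp_segment(80, 40000, bytes([0x00, 0xFF, 0x01, 0xFE]) * 16))),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # global header, Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1209488000 + i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    for idx, summary, runs in text_rainfall(build_sample_pcap()):
        print(f"#{idx} {summary}")
        for s in runs:
            print("    " + s)
```

Run against a real file by replacing `build_sample_pcap()` with the bytes of a tcpdump `-w` capture; the HTTP row shows the request line and Host header in the clear, the DNS row shows only the label text, and the binary row shows nothing, which is exactly the at-a-glance triage the rainfall view gives you.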

This tool is part of an emerging field of “Security Data Visualization.” When I first heard of this topic, I thought of dashboards and graphs, but that’s not what this seems to be about, except in a peripheral way. I’ve just bought the first book out on the subject, Security Data Visualization, and so far it’s gotten some very good reviews from at least one big name in the field. It’s also written by the author of rumint.

I think what they are shooting for is a new way of looking at data flow that uses the best part of the human brain. Computers can do a lot of things around computation and correlation, but they are basically only as good at it as we tell them to be.

You and I can look at a dataset in a certain way, and it comes together in a gestalt. Computers are not yet able to do this. Like looking at enough pieces of a puzzle, suddenly we will see the picture. I had that exact experience with rumint, which, by the way, can also run with real time packet captures.

And in any case, if it makes your life easier reading packet captures, enjoy! Kudos and thanks to the author.