Posted by: Arian Eigen Heald
Admins and Auditors, IT audit, Security
I had a great discussion today with the head of auditing for a regional bank. He talked about the need for IT Auditors to understand the systems they were auditing. But how much knowledge of technical environments should an IT Auditor have?
Quick answer: As much as possible.
I have met numerous CISAs and CISSPs that cannot audit systems without a checklist or a software tool. I’m not saying we have to know everything about each operating system; we don’t have to be engineers. (But it sure helps!) If we’re only as good as our tool, we’re doomed.
We have to know how users, groups, access controls to files and directories are created, maintained and changed. If an engineer says he can’t get something from a system for me (like a list of etc/password) I need to be able to show him what I want. Otherwise I don’t know what I’m talking about, and he can get rid of me by playing dumb.
I worked with an Oracle DBA not long ago who didn’t know about being able to turn off the TNS Listener if it wasn’t password-protected. He didn’t believe me when I said I could turn it off. So we agreed to run a test, and I turned off his TNS Listener service remotely, with no password. (Needless to say, we did this on the DEVELOPMENT server).
His attitude towards me did a total 180 degree turn. After a pregnant moment of silence over the phone, in a whole different tone of voice, he asked where I had gotten my information and what I did. From then on we had a very good relationship – he no longer treated me like a pain in the anatomy. (PS, this only works on Oracle 9i and below).
If you don’t know about this exploit, and why it’s important, read the whitepaper from here.
There’s nothing like a demonstration to clarify the point. If I hadn’t done that, he would have dismissed my finding. I frequently have to make my geek bones with engineers when I go on an audit, but I don’t mind because we can then operate from a position of mutual respect.
So many audit departments don’t have the depth to truly partner with their IT departments. It should be a match made in heaven, but it doesn’t work if one group has more knowledge than the other.
When I did a PCI exam for a Tier 1 merchant who had outsourced their IT functions, I ran an MBSA scan to determine if the systems were patched. Their outsourced vendor claimed that the servers were all patched, and he had the change control documents to prove it. I went on a sample of twenty servers and confirmed that the servers were not patched by looking in the file system, and I returned the results to him. Unfortunately, somebody got fired, but now the servers are patched and they check to confirm.
What would the response have been if I couldn’t prove the finding? That’s why IT audit needs to know systems.