{"id":3249,"date":"2011-07-28T09:58:16","date_gmt":"2011-07-27T23:58:16","guid":{"rendered":"http:\/\/nsrd.info\/blog\/?p=3249"},"modified":"2018-12-11T14:58:42","modified_gmt":"2018-12-11T04:58:42","slug":"auditing-should-be-done-only-by-the-experts","status":"publish","type":"post","link":"https:\/\/nsrd.info\/blog\/2011\/07\/28\/auditing-should-be-done-only-by-the-experts\/","title":{"rendered":"Auditing should be done only by the experts"},"content":{"rendered":"<p>I&#8217;ve said it before \u2013 auditing should only be done by the experts. I first realised this when a security auditor from one of the (then) &#8220;Big 5&#8221; accounting companies audited the Solaris servers I was administering 11 years ago. Having checked \/etc\/passwd, the auditor noted in the report:<\/p>\n<blockquote><p>All user passwords are set to *, which is highly insecure and should be addressed immediately to ensure continued security compliance.<\/p><\/blockquote>\n<p>The fallout from that was briefly atrocious, and resolved only by convincing a manager to try to log onto a list of user accounts using * as the password.<\/p>\n<p>It appears that there&#8217;s still room for security auditors who don&#8217;t really understand security, as evidenced by &#8220;<a href=\"http:\/\/serverfault.com\/questions\/293217\/our-security-auditor-is-an-idiot-how-do-i-give-him-the-information-he-wants\">Our security auditor is an idiot, how do I give him the information he wants? &#8211; Server Fault<\/a>&#8220;. 
The system administrator was told he had to hand over the following as part of the audit:<\/p>\n<blockquote>\n<ul>\n<li>A list of current usernames and plain-text passwords for all user accounts on all servers<\/li>\n<li>A list of all password changes for the past six months, again in plain-text<\/li>\n<li>A list of &#8220;every file added to the server from remote devices&#8221; in the past six months<\/li>\n<li>The public and private keys of any SSH keys<\/li>\n<li>An email sent to him every time a user changes their password, containing the plain text password<\/li>\n<\/ul>\n<\/blockquote>\n<p>Up until this point, I thought that it would be impossible for anyone to have an experience to trump my &#8220;all user passwords are set to *&#8221; experience.<\/p>\n<p>It turns out I was wrong.<\/p>\n<p>What&#8217;s this got to do with backups, I hear you ask?<\/p>\n<p>Well, everything. If your company is getting in auditors who aren&#8217;t subject matter experts (or at least product experts), then your audit isn&#8217;t worth the paper it&#8217;s written on. Maybe you&#8217;ll get a compliance rubber stamp. Maybe you won&#8217;t. But it won&#8217;t make one iota of difference as to whether there&#8217;s been any valid checking of your environment.<\/p>\n<p>Please, ensure that if you want your backups audited you ask some experts in. Knowing the sorts of prices the &#8220;big&#8221; auditing companies charge, it&#8217;ll likely not only cost you less, but actually give you more!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I&#8217;ve said it before \u2013 auditing should only be done by the experts. 
I first realised this when a security&hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[5,12,13,16],"tags":[126,155,430,1254],"class_list":["post-3249","post","type-post","status-publish","format-standard","hentry","category-backup-theory","category-general-technology","category-general-thoughts","category-networker","tag-auditing","tag-backups","tag-health-check","tag-security"],"aioseo_notices":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/pKpIN-Qp","jetpack_sharing_enabled":true,"jetpack_likes_enabled":true,"_links":{"self":[{"href":"https:\/\/nsrd.info\/blog\/wp-json\/wp\/v2\/posts\/3249","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nsrd.info\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nsrd.info\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nsrd.info\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/nsrd.info\/blog\/wp-json\/wp\/v2\/comments?post=3249"}],"version-history":[{"count":1,"href":"https:\/\/nsrd.info\/blog\/wp-json\/wp\/v2\/posts\/3249\/revisions"}],"predecessor-version":[{"id":7502,"href":"https:\/\/nsrd.info\/blog\/wp-json\/wp\/v2\/posts\/3249\/revisions\/7502"}],"wp:attachment":[{"href":"https:\/\/nsrd.info\/blog\/wp-json\/wp\/v2\/media?pa
rent=3249"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nsrd.info\/blog\/wp-json\/wp\/v2\/categories?post=3249"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nsrd.info\/blog\/wp-json\/wp\/v2\/tags?post=3249"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}