Following up on Mari's earlier post about "Surviving a third party audit", here's one more pointer: If you've ever been on the receiving end of an audit, you probably found out that the core competency of an auditor seems to be in comparing two lists: Accounts in AD with the leaver list from HR. Implemented authorization with approved authorization. Issued patches with installed patches. Basic stuff all in all, and in the eye of many techies, proof that the auditor doesn't have the clue to find the real risks.
Well, maybe. But it is up to us all to raise the bar. Recently, in an audit at a third party site, I found that they were carefully patching their Unix systems, and had been doing so for years - good! But nobody ever thought of comparing the list of "Servers known to the patching tool" with "servers on the network". Consequence: Two dozen of their servers never got any patches. And nobody noticed - their lovely "status dashboard" turned "green" as soon as the patching tool reported "completion". Written up for things like these, an auditee usually gets annoyed with the auditor - but really should be annoyed at himself: Nobody should need an auditor to find obvious gaps like this one.
When was the last time you checked that all your systems have an up-to-date anti-virus without relying on what the anti-virus software's "management console" tells you? Start with just comparing the server names from the anti-virus console with those from, for example, Active Directory. Match? Then take it to the next level: query with some other tool (SMS/SCCM, WMIC, scripts, etc) to collect the version of the pattern file installed across all systems. Still a match?
To check your protection, compare two lists every now and then. It ain't that hard - even an auditor can do it :).
Aug 19th 2009
9 years ago