Putting a spanner in the works of an audit, or How to make an IS audit as uncomfortable for the auditor as possible

Hello, Habr! With 9 years of security audit projects behind me, I have an irresistible urge to sit down and write the book "1000 and 1 Attempts to Trick the Auditor". I'll start, perhaps, with the first chapter: here I share bad advice on how to "successfully" pass an audit while receiving the minimum number of findings from the auditor.

Why do companies conduct an information security audit? There may be several reasons:

  • to get an objective assessment of the state of information security (for yourself);
  • because audit is mandatory (for regulators);
  • because the audit is required by partners or the parent organization (for others).

Any of these types of audit pursues the same positive goal: to make the company better by pinpointing its current problems. Most of our customers are interested in such work being done effectively. However, there are cases when the criterion for the success of the ordered audit is the absence of identified problems in the audit report (whether or not there are any). The reasons vary, but the most common are the following.

  • The audit is "imposed" by a parent organization.
  • Failing the audit (e.g. PCI DSS) entails sanctions from regulatory authorities.
  • The IS department is afraid of getting a dressing-down from management.

In all these cases, the routine audit turns into a battlefield, where the company seeks to defend its borders as far as possible without showing anything "extra", and the auditor's work becomes more like a detective story.

P.S. What follows below the cut is not fiction: all of it has happened, and still occasionally happens, on real projects.


Getting ready for an audit


We train staff: what to say and what not to show


The key to successful sabotage by staff (especially in the run-up to hostilities) is thorough preliminary training. As a rule, it aims at:

  • raising awareness of the auditor's current arsenal: their methods, tricks and pain points;
  • developing and improving the team's skills in obfuscation and covering tracks, as well as honing the "blame-shifting" technique.

Obviously, the less the auditor learns, the fewer non-conformities they will find, and where there are few non-conformities there are few problems (and little work). So the audited company's ultimate goal is to hide potential problem areas (information systems, individual elements of the IT infrastructure, etc.) by training specialists in what may be shown and what need not be.

Often we can only infer that such training took place from indirect signs, but there are also embarrassing slip-ups. For example, during a PCI DSS compliance audit, one bank printed a network diagram for us on scrap paper, and on the reverse side was... a letter from the IS department with a detailed memo on which systems could, of course, be shown, but not this time. The Forward button in the mail client has also repeatedly let seasoned fighters down, when internal agreements flew to us together with the audit evidence (screenshots / exports).

Does this trick work? Badly: we use a variety of cross-checks, and the carefully rehearsed stories begin to "crumble".

Ignore the preliminary request for information


Any audit begins with a preliminary request for information: the auditors try to find out in advance how the company lives and how its processes are structured, in order to plan meetings and their duration optimally. Therefore, an important task at this stage is to shatter the auditors' rosy dreams of an easy audit. The perfect first date with the company should come as a surprise. We use the following time-tested arguments:
  • "Preliminaries aren't for us; the paperwork can be read later."
  • "We don't have anything yet, honestly (not honestly)."
  • "We have everything on the portal; we'll quickly (in two weeks) make you an account, come and read."

There are many examples, one result: much has to be sorted out on the spot, discovering new things right in the middle of the audit. Is such a tactic successful? No, you just have to put in more "overtime".

Only one-time passes, only hardcore!


A good morning starts with coffee... or rather, with a pass. Another great trick is to demoralize the enemy in advance. We get up early, queue at reception or at the pass office, and fill in forms by hand. If you still don't know the series and number of your passport, now you will definitely memorize them.

Sometimes there are downright forbidden tricks. For example, a condition for admission to the site of one of our customers was the drafting of the regulations for granting that access. Who needed the access? We did! So we wrote up how we would receive it and with whom to coordinate it.

Do such "difficulties" achieve anything? Obviously not: we love getting up early (if we went to bed at all).

Making project management more complicated


You need it, you organize it. Hard version for the experienced




Another important military trick: shift the responsibility for organizing all meetings onto the experienced shoulders of the project manager.
"Here is the portal, here is the phone: arrange the meetings yourself. The report can be sent to this address, only first agree everything with everyone by mail."
The result, as a rule, is not long in coming: with no coordinator on the customer side, specialists never have time for meetings.

A good attempt to delay the deadlines, but it works poorly against our managers and a built-in escalation process :-).

We tried, but we didn't succeed. Light version for beginners


More tar, less honey. We make the schedule as inconvenient and unpredictable as possible. The auditor's ideal day on site should look like this: a one-hour conversation at 9:00, then 30 minutes at 13:00, and the next at 18:00. Information about the meetings scheduled for the next day is sent strictly at 23:55. The more chaos, the higher the chance that the auditors will forget about that very printout of the draft letter with the internal training.

The auditor must be flexible, so another life hack is to swap interviews around on the very day of the meeting. The interview plan always follows a certain logic: for example, first the system's functionality is studied, and then its components (DBMS, etc.) are checked. But this is Sparta, and logic is for wimps, because:
"We wanted to arrange the DBA interview with you for Friday, but our specialist has 15 free minutes right now, he'll come over."
Will the enemy be defeated? No: we see this often and know how to deal with it.

Photography audit: the most honest audit


We raise our chances of success by turning the "on-site" audit into a "documentary" one. Remember:
"It is wrong to distract people from their work; we have highly qualified staff who will fill everything in and attach screenshots. Send us the questionnaires."
It is impossible to compile a universal questionnaire for all cases; depending on the answers, the auditor always steers the conversation differently. The problem with detailed questionnaires is their lack of flexibility: the more questions they contain, the less desire there is to answer them in detail. Therefore, as a rule, such an audit then goes like this:

  • Preparing a pile of questionnaires with a memo on how to fill them in.
  • Receiving a huge amount of unstructured material (everyone understands a question differently).
  • Phone calls with specialists to clarify the information.
  • Assembling a coherent picture out of all the material.
  • Off for another round of refinement.

Has the company achieved its goal of reducing quality, and is it possible to demoralize the enemy? No: we love to call, and we love checking what they sent us even more.

Conducting the interview


The theater begins with the coat rack: we choose the best places for a conversation


If you still couldn't fend them off and meetings with the auditors cannot be avoided, here is the TOP list of the best places to hold an interview. The auditors will definitely like them; no need to thank us.

  • On the playground, next to the mushroom-shaped shelter.
  • In a toilet converted into an extra wiring closet.
  • In the car (at night).
  • In the canteen.

In fact, there are far stranger places where we have held interviews. But that is something you just have to live with. In general, it only makes things more interesting, so it's more of a plus than a minus.

Aren't you a spy, by any chance?


During the audit, every employee of the company should be on the alert: what if this is social engineering, and a spy has sneaked in instead of an auditor? Spotting a spy is simple: make them unexpectedly produce, in the following order:

  • an NDA with the company the auditor works for;
  • the auditor's personal NDA with you;
  • a work pass;
  • a copy of their employment record book;
  • a letter certified by the head of the company;
  • a passport.

Only then hand over the "military secrets". No copy of the employment record on hand? Well, we'll have to schedule the meeting again.

The trick is rare; it works flawlessly for exactly one meeting, after which all the documents are quickly gathered in the required number of copies.

We take by volume, or the more, the merrier (not)


How to make a business meeting as useless as possible? The recipe is simple: open any article on the Internet about effective meetings and turn the useful into the useless:

  • Always decide on the meeting agenda in advance. Never tell colleagues the purpose of the meeting. Say that it's ABOUT SECURITY, and THE RIGHT PEOPLE WILL TALK TO YOU (got goosebumps?).
  • , 7 . -. , ().
  • , . , .
  • , . — . HR, DBA, : , .

The practice of organizing such meetings is not rare (although we always raise such moments with the customer), and we find different ways out of the situation in order to engage all the experts in the conversation and not let them get bored.

Does it work? Badly, but a good try.

We play Danetka, or I'll guess this tune from a single note




We activate the secret weapon: we recall the rules of the game Danetka (a yes-or-no riddle game).

The employee's task: reduce the interview to psychological torture of the auditors by forcing them to formulate their questions so precisely that they can only be answered with "Yes" or "No".

The auditor's task: to guess why a man walks into a bar and asks for a glass of water, the bartender suddenly pulls out a gun and points it at him, and the man says "Thank you" and leaves, using only the answers to his questions:
- What application management automation tools do you use?
- Yes!
- What virtualization technologies are used in the company?
- All of them!

Conducting such audits is extremely difficult; information has to be extracted grain by grain. I love this game.

Add censorship


Did you think censorship was a system of supervision over the content and dissemination of information, printed materials, musical and stage works and so on? No. Censorship is an information security officer posted behind the auditor's back at just the right moment. In an event as important as an audit, there is no place for the auditor's imagination and speculation. Therefore:
"That's not the case with us, you misunderstood it, and your questions are wrong."
The censor's task is to help the employee not fail the exam. The help may include the following:

  • We filter out the "wrong" questions to our taste, citing the audit scope or claiming the questions are off-topic or not substantive.
  • We answer for the auditee (in case he suddenly forgot what they managed to agree with him beforehand).
  • We peek into the auditor's notes and give comments.

Surrealism? It is. Nevertheless, we have had such an experience in our practice. Frankly speaking: it turned out badly for the customer, although the idea is fire!

We go round in circles and shift the blame


It is important to confuse the enemy so that he cannot produce a dangerous audit report and harm you. This is another nuclear weapon, like Danetka. Write down the universal formula.
Employee N: "I don't know this, I am employee N; another employee, N + 1, knows this."

Employee N + 1: "I am employee N + 1, you were misled, this is the responsibility of employee N."

IS officer: "Unfortunately, we have run out of free slots for employees N and N + 1; you will need to work with the information you have."
It is difficult to work in this mode, so the goal is achieved? No, it is possible and necessary to fight back: we pre-arrange the specialists in advance, keep minutes of meetings, and so on.

Hold the mouse, I'm off, or if you want to know the system better, do it yourself!


Any auditor is a Specialist with a capital S. So he must know in advance absolutely all the technologies you use, at administrator level, be able to rebuild the Linux kernel in 5 minutes, and know your SAP by heart. Therefore, the best way to make him nervous is to let him "drive". Let him figure out the architecture of your systems, built up over the years, on his own. You can just sit next to him and keep quiet.

By the way, this doesn't work very well, because we often do know how to "drive", but during the audit the competence of the staff is also evaluated. As a result, we may conclude that the specialists do not know their own systems.

Quickly fixed means it never happened


Do you know the five-second rule? Great, use it in the audit too. Distract the auditor and boldly change the security settings. Or don't distract him at all and do it right in front of him: quickly fixed means it never happened. No explanation needed: it doesn't work.

We complicate the procedure for obtaining evidence


We have top-secret information


A popular technique, as reliable as a Kalashnikov rifle. All developed documentation is intellectual property. All network equipment configurations are a trade secret. To study the necessary information, make the auditors work at a dedicated workstation, turn off the Internet, and disable flash drives. Let them either copy everything they need by hand onto paper, or anonymize the file and leave it on the desktop, and then you leave in the file whatever you see fit. As for documents, let the auditor read them in printed form.

Several cases come to mind.

  • Once, the configuration of the network equipment was printed out for us on a couple of reams of Snegurochka paper, without permission to take the material off site.
  • Another time, we were required to justify every screenshot we requested.
  • On yet another project, all the evidence could only be handed over on paper.

Someone will reasonably object: surely these companies had a strict trade secret regime? No. There was none at all.

Will this somehow reduce the quality of the work? Debatable. We have had that kind of experience as well: for example, producing the report through the customer's VDI with the clipboard, ports and Internet disabled, with the evidence delivered on a CD by registered courier. How do you like that, David Blaine?

Using the magic of a graphics editor




As the great Sun Tzu said in The Art of War:
"War is a way of deception. Therefore, if you can do anything, show the enemy that you cannot; if you use anything, show him that you don't use it."
In war all methods are fair, so using a graphics editor increases your chances of winning. All the "inconvenient" evidence is in your hands; it only remains to apply a little makeup before sending it. This vector has a small chance of success when information is requested remotely or the auditor has a poor memory. The downside: it gets awkward when the auditor decides to check the previously provided screenshots on site. But when has that ever stopped anyone?

In our practice, there was a case when we received an email chain accidentally forwarded by the customer with the following content:
- Touched up the screenshot a little, looks plausible?
- Send it, maybe it'll slide.
By the way, it didn't.

We drag out the approval of the report


Commas matter


The final stage of the confrontation: the interviews are held, the evidence is sent, the draft report is received. Time to tackle the most important thing: commas and periods. It doesn't matter that proofreading the document is the final stage (and that this was agreed); everything in the report should be perfect. The more comments, the stronger the impression that the audit was performed poorly. Delay the substantive comments and the approval of individual sections of the report as long as possible.

Including a large number of specialists in the approval chain also works great. Our motto: "Six months for the audit, a year and a half for the approval!" Drag it out longer, and the heat will die down, and part of the work will become irrelevant (new systems will appear, old ones will be decommissioned).

It works poorly; see above about the managers.

***

Of course, most of our audit projects go as usual, and the above are the most striking examples of how such work can be turned into a drawn-out affair. Everyone will draw their own conclusions: adopt these tricks and "successfully" pass the checks, or make your next joint audit with an integrator a little better.

Smile more often :-)
