Reading the unreadable, and a PS RFC

By Eh’den (Uri) Biber

Psychologists believe they rule the world: they are 25% of the prison population, 4% of corporate CEOs and 1% of the world population. They affect us all, yet most of us can’t identify them at all – but there is a way to find out if you know one of them. No, I’m not talking about The Illuminati, I’m talking about psychopaths.

Monday & Tuesday were a true delight, as BRUCON 2011 took place once more in Brussels. It was not only the great speakers who covered multiple domains of security or the wonderfully dedicated team of volunteers (and sponsors) that made it all possible – it was the atmosphere. As one of the key speakers told me – “I gave the same speech in other places, but here the vibe with the audience was so cool, I really loved it here”.

I ♥ AUDIT

Some people hate them, most people don’t even know what they do, yet auditors are an essential part of the information security world. Here’s my attempt to debunk some of the misconceptions people have about the audit process, as well as about the profession itself.

Written by Eh’den (Uri) Biber, CISA, CISM, CISSP, CRISC.

The auditors are coming, the auditors are coming!

Yesterday I was reading the New York Times article about the ComodoHacker, a hacker who claims to be a 21-year-old software engineering student in Teheran who decided to break into multiple companies whose digital identities are used by all of us when we want to make sure that the server we connect to belongs to the organization we are trying to reach.

Hidden in the article was a paragraph that caught my attention because it was talking about a much more deadly group of people, one of the most feared groups of individuals that walk among us. Don’t let their looks deceive you – they can be extremely deadly. I’m not talking about religious extremists and not even about cyber-terrorists. I am talking about auditors, the mere memory of whom makes way too many CEOs tremble in fear.

“Fearing the prospect of other breaches similar to those carried out by this hacker, Mozilla, the maker of the Firefox Web browser, last week issued a warning to certificate authority companies to audit their security systems or risk being booted off Firefox.”

(NYTimes, “Hacker Rattles Security Circles”)

Yet many people don’t know what the heck an audit is or what an auditor does, so here’s my perspective, one you will most likely not hear anywhere else 🙂

The outsiders

We live in a world in which digital information has a huge impact on our lives. To some of us, it can mean the difference between living freely and being thrown into prison if we’re lucky, or being shot in the head if we live in the wrong country. That’s probably already known to most of us – this is why information security is becoming more and more crucial. However, there is still one group of people whose work enables information security but who are considered “outsiders” – I’m talking about information security auditors.

Even though information security auditors are educated in information security, there’s still a much bigger chance of meeting hackers at ISSA chapter meetings than at ISACA chapter meetings. That’s a shame, because I think it’s time to change the perception of audit and the work of auditors. I feel that for way too long many people have considered audit, and especially information security audit, the most anal work on earth (to any fellow auditor – if you never heard about it before then I’ve just proven it). This viewpoint is not only counter-productive to the audit process itself (more about it later) but wrong. The result of this widespread perception is that a lot of cool and creative people will not even think of audit as a career path, and that’s a shame.

Conducting an audit can be an enlightening experience, one that can transform not only you but also the organization you are auditing, to a degree that can be far more far-reaching than many of the positions most cool people usually crave.

The ability to influence something from the inside is always way greater than influencing it from the outside. Auditors are the outsiders that can make a difference.

Coming out

Recently I’ve been quoting Wikipedia so many times that I think it’s time to come out of the closet and admit: I love audit, but I’m in love with Wikipedia. I don’t care that her values can be deviously wrong, and that I sometimes ask myself if that’s the best I can aspire to. I’m in love with Wikipedia because it/she is always there for me.

So what does an IT auditor do? He does audits. Take it from here, dear:

An information technology audit, or information systems audit, is an examination of the management controls within an Information technology (IT) infrastructure. The evaluation of obtained evidence determines if the information systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization’s goals or objectives. These reviews may be performed in conjunction with a financial statement audit, internal audit, or other form of attestation engagement.

IT audits are also known as “automated data processing (ADP) audits” and “computer audits”. They were formerly called “electronic data processing (EDP) audits”.

Already sleeping?

For some people, even reading the brief Wikipedia definition of what an IT audit is is equivalent to taking a big dose of sleeping pills. If your vision started to blur while you were reading it, don’t worry – I will try to explain it a bit differently.

What is the work of an IT auditor? As Robert R. Moeller wrote, “they are independent outside representatives to observe and comment on that process”. (COSO enterprise risk management: understanding the new integrated ERM framework, 2007)

An audit is a way of looking at a process or at people and deciding whether or not the actions and results of that someone or something are as expected. An auditor is a person who comes in and is supposed to tell you that, as his objective opinion, based on the evidence he discovers.

CSI, AKA Corporate Security Investigations

In the decade when CSI is still one of the most popular TV shows, you would assume that people would want to do the same in their line of work. You would assume people would want to work in a position that gives them the right to go into a given situation in an organization and practice their knowledge by trying to identify whether the processes being reviewed are OK and whether there are any major flaws. After all, isn’t that what white hat hackers do most of the time? So how come it’s not considered as cool to say “I’m an auditor” as to say “I’m a programmer in a start-up company” or “I’m a penetration tester”?

I have known a few hackers who work as penetration testers who, if you ask them whether they wish to work in audit, will look at you as if you just smoked their entire weed/mushroom stash, or as if you’ve been drinking way too much alcohol.

To tell you the truth? I can totally understand them. Auditors have…hmm…a unique way of singing?

Over the years, audit has developed a reputation as the most uncreative job in the world. Comparing it to working at Facebook or as a pen tester is like comparing Hogwarts (the enchanted boarding school of Harry Potter, grandpa!) with what a real-life British boarding school looks like. The following chapters will hopefully tackle those claims.

Out of scope

Let’s first look at the subject of scope. In audit, you have a predefined scope that you focus on. In comparison, penetration testing for example looks like huge freedom, and writing code seems like so much Hollywood storytelling. In reality, the truth is less romantic. Most companies know that when code is not developed in an organized way they will have a serious problem supporting it once the person who wrote it leaves, so you’re not as free as you’d like. Then there is the assumption that when you work as a penetration tester you are free to do what you like. It’s sort of true, but with a catch – many companies will limit the level of penetration testing you are allowed to perform for fear of risking their production environment, and at the end of the day, if the people at the institution that hires your services tell you that you cannot perform some actions, you will not perform them. Audit is very similar in the sense of restriction, but here it is a matter of scope. In audit, however, you are given a very different freedom – you get to interact with people and the process from as many directions as you think fit – so if you’re smart enough you can have a very interesting scope to work within.

Mama, ooh ooh ooh ooh

Another reason why people don’t like auditors is that they remind them too much of their own mothers. There is way too much in common between auditors and a Jewish mother:

  • Usually they are referred to by their title, not their private name (“My/Your mother” vs. “The auditor”).
  • Surprise visits scare the $hit out of you; when they finally arrive you usually feel you just lost the ability to speak. You never really know if they have come for a brief visit or will stay for months – and you can’t kick them out.
  • They come and ask the most embarrassing questions.
  • You’re not allowed to hide anything from them, or else, if they find out, you’re dead.
  • They sometimes make you realize you were/are a fool and make you confess it to everyone around you.
  • And whether you like it or not, you already know that “Resistance is futile. Your life, as it has been, is over. From this time forward you will service us.” (Captain Jean-Luc Picard, AKA Locutus of Borg, from the TV series Star Trek: The Next Generation).

Jokes aside (I love you mom! 🙂 ), the human interaction that is indeed required of auditors sometimes scares some of the more introverted personalities out there. First, I actually think that this experience can be very beneficial to people whose natural tendency is to be quiet, because it helps them expand and experience human interaction. Second, a good auditor is not someone who spreads fear but someone you feel you can trust to tell what’s working and what’s not working, so that at the end of the day things will change. This brings me to the next subject:

The fear factor

I have witnessed fear of audit in many organizations. This is due to the perception that our daily work in an office is like “What happens in Vegas stays in Vegas”, versus the concept of audit, where everything is challenged, and the perception that “What’s discovered in an audit will go straight to the board meeting’s agenda”.

In reality, neither of those visions is true. Any position in any organization requires both personal and professional manoeuvres, and way too many times other people’s feedback on you can have grave implications for your future career. While final audit reports are reviewed at a very high level – those are the final reports. Before that there are drafts and negotiation phases, and at the end of the day audit actually gives you way more opportunities than you can imagine.

Some organizations do not encourage free thinking and consider anyone who challenges the mindset a threat. To those, an outsider who is given a mandate to come in, ask what he wants, reach conclusions and tell them about it is sort of a mental rape. If this is the common perception within your organization, then I don’t think auditors are the real problem. Auditors collect evidence, so if, for example, your processes or systems have design flaws, then instead of hating the auditors for it maybe it’s better to re-think your design process?

Creativity, or, Are you auditing me or you’re just happy to see me?

Audit, with its pre-written rules, seems like a no-win to many creative people, yet the truth is that when organizations – and especially management – look at audit as a way to innovate forward, as a way to bring a wind of change – audit can be a positive enabler that allows an objective perspective on processes that matter to the business.

I know this is not the common perception of audit, mainly because audit has historically been oriented toward the financial domain, and we all know that accounting is the most exciting work in the world. This has already changed – almost every organization on earth depends on its IT for all business operations, and while many audits are conducted within the “old-school” domains, there is a growing understanding that the risks organizations face are expanding into new territories that in the past were considered a fantasy (take for example social network and mobile application auditing).

Audit provides creativity from a different direction than the one we are used to. For many people the concept of creativity is of someone who comes up with a cool idea and makes tons of money (Mark Zuckerberg -> Facebook, Bill Gates -> Microsoft, Sergey Brin and Larry Page -> Google, and finally Steve Jobs and Steve Wozniak -> Apple). Yet creativity is a very unique process, one in which being an outsider is a key enabler. And auditors, as you have already noticed, are the perfect outsiders. Wait a minute – aren’t hackers usually naturally born outsiders? You got my point 🙂

Closing words, or, Audit 2.0, or, Process Penetration Tester

So what do you think? Will hackers start to look for jobs as auditors? Will the use of new technologies by many organizations mean they will be required to re-think their strategies in order to attract talented people into audit?

You don’t really need to convince shareholders that audit is good. For shareholders who have a vested interest in an organization, an independent audit is probably the best way (if not the only way) to make sure their investment is being taken care of, and that the controls they were promised indeed function.

Yet in my career I have seen way too many people who would never even think of including audit in their own career path, and that’s a shame. Maybe if ISACA changed its certification name from Certified Information Security Auditor (CISA) to Certified Information Security Process Penetration Tester (CISPPT) it could help, I don’t know 🙂

That’s it. I wrote this blog post to hopefully give a different perspective on audit and auditors. If you would like to read more, I strongly suggest taking a look at PwC’s 2011 State of the Internal Audit Profession study – it can give you more insight into current trends in audit. I will leave you with two quotes from that report:

Quote #1:

“How to audit is simple, the question is ‘what to audit?’ You have to audit risk. There are four levels—risk that is unique to the process, to the organization, to the industry, and to the environment. Whether you are an eight-person or an eighty-person department, every audit you do should reconcile to one of these risks. Every internal auditor needs to know what can bring the organization to its knees.”

Joel Kramer, managing director, MIS Training Institute

Quote #2:

“What we need are people in IT who can also be project manager thinkers and challenge what’s going on within the company. Do we have some of those people? Yes. Do we have enough of them? No.”

A leading CAE (Chief Audit Executive)

Interesting, isn’t it?

© all rights reserved, 2011.

Remembering 9/11

Or – what’s the link between conspiracy theories and information security?

A blog in honour of the victims of 9/11.

It’s 1:35 AM, and I just finished watching three episodes of Californication and then a BBC special on the never-ending conspiracy theories about 9/11. I feel I must write, so I do.

Earlier yesterday my beautiful and intelligent 12-year-old daughter told me she had learned about the attack in school. She described the story to me as we all heard it. “Oh, how little does she know; how little does she know that in the eyes of so many people she is nothing but a fool,” I thought to myself as I looked sadly over the headlines of all the world’s leading newspapers of 12/11, the day after, which I found on some website.

For so many people my reality is just a fake. For them 9/11 was nothing more than a carefully planned conspiracy; for them, everything you heard was a lie. For them, it’s all about the perfect plan. After watching the BBC program I can only say that the virtual reality those people live in reminded me why information security fails so many times.

What struck me so clearly is the fact that obviously none of the people who believe in the conspiracy theories have ever been involved in information security.

Why? Because there is no such thing as a perfect plan.

Let’s start with keeping the whole plot secret. I have been involved in many projects throughout my career. IF there were such a thing as a planned 9/11, and if those involved were forced to implement any discipline of information security, then the size of such a project would have been SO huge that the chance of no information leaking is simply unrealistic. We are talking about an event that requires so much secrecy that predicting 100% success in maintaining such a secret among a very large group of people is simply not realistic. There is no way such a secret would have held for so long, and the sudden death of a large group of people who supported such an operation, in order to silence everyone, is simply unrealistic in our days, when information is so fluid. It was just another reminder that my reality has nothing to do with the way other human beings perceive the world. Sure, we could probably agree that the earth turns around the sun, but other than that I’m pretty sure we don’t share much in common with people who claim that 9/11 was a master plan.

What else can we learn from 9/11? That there is no perfect plan – neither for the attackers (United 93, which failed to reach Congress or the White House) nor for the way the USA had constructed its aviation security. Still, for many people this is all a fake. After many years in the field of information security I can testify that I have seen more events in which the organization I worked for chose to take the easier path and ignore security concerns than I would have wanted to see. Way, way too many events. Why? Because we are only human, and because most of us don’t really understand what it means. “The organization had failed to identify the threats”, “there was a lack of awareness”, “security controls did not function when they were required to” – it was true of 9/11, but I’ve also heard it all so many times before in my line of work. Why do we believe what we believe, why do we perceive what we perceive, why do we do the things we do – those questions are many times disregarded by organizations, which do not understand that our own perception sometimes constitutes our biggest risk.

I am sending my condolences to the families of the victims who died on 9/11, and to everyone in the United States of America who will mourn today.

May love be forever in your hearts

Uri Biber

Brussels, Belgium

© All rights reserved, 2011