IT Admins and Security Auditors
Recently, I was working with a company to perform their annual Windows server and Active Directory audit. This company is not unique to the companies I do work with, rather they epitomize the common issues that arise during an annual audit. I have yet to understand the egotism that IT admins have when it comes to an audit. Where on the other hand I also don’t understand the lack of effort that auditors want to give to completely understanding what they are auditing, nor the breadth they should be auditing. This article is not meant to be anything but an eye opener to both entities, in hopes that each will be more cordial and understanding during the audit, so the organization can become better secured in the event of an attack on the computing environment.
Work With Each Other
First off, admins and auditors need to become a team, instead of the opposite. We all understand sport analogies and I think using an easy sport analogy is key. Consider a football team - every football team is made up of defensive and offensive roles. The offense is designed to strategically attack the defense to score touchdowns. The offense must have an arsenal of plays, positions, roles, and weapons to achieve their goal. In a similar way, the admins in an organization are the offense. Most IT departments are made up of different admins with a variety of specialties and experiences. For example, there might be the following IT admins:
- Active Directory
- Firewall/Perimeter security
Without the knowledge of each, the network would not be administered correctly. If an Exchange issue were to come up, there would be a hole in the attack on ensuring that the users had everything they needed. Just like if you were to have a tight end missing in your offense that would be a huge hole in your offensive attack.
The auditors are the defense, in a similar way to the defense of your football team. The defense is designed to defend against all attacks and vulnerabilities in your defense of your goal. The defense is designed to protect, similar to what the auditors are designed to do.
Granted, the auditors are defending against what the admins are controlling. However, the key strategy is the same. The admins goal is not to secure, rather to ensure things are available. The auditors are not designed to ensure things are available, rather they are ensuring that the settings are secure, in case of an attack.
In the end, the offense might get upset with the defense if the defense does not protect the goal. There is nothing more frustrating for a football team's offense to put up 35 points, only to be beaten 35-42! Likewise, when the defense has 3 interceptions and limits the opposition offense to only 3 points, but the offense of your own team can’t even put up more than 3 points that is frustrating.
Don’t Be Difficult
The moral to the analogy above is that everyone should be doing their own job well, plus understanding the role of the other teammates. Audits are going to occur! Audits need to occur. Trust me, I have seen some of the most disgusting security configurations in networks!
Therefore, understand they are coming and work within the rules of engagement. Being difficult to try and be a roadblock in the process is like hiding the quarterback's playbook only to try and prove that you can show that he is an idiot! You should be holding the playbook for him to ensure that he can score more points.
As examples from both sides of the fence, look at these situations:
Auditor being difficult:
- The Active Directory infrastructure has 100 organizational units (OUs). The auditor knows that delegation can open up security such that the wrong delegation can allow a lot of power over some objects in AD. Instead of the auditor investigating the OU structure and the contents of the OUs, the auditor asks for the security ACLs for every OU!
Admin being difficult:
- The auditor has asked for 15 different reports to be generated. The auditor has placed all of the commands in a spreadsheet to detail the breadth of what needs to be generated. The admin generates the reports, but in an email states that the commands should be have provided in a notepad file so the admin can simply copy and paste the commands from the file to the CMD prompt to make the generation easier!
Most admins and auditors have been around the block. Unless it is your first audit, everyone knows what “should” be done and how to accomplish the tasks. The generation of additional information without cause is a waste of time. The generation of wrong information to prove it was not asked for correctly is also a waste of time. Just work together as a team and the audit will be completed faster and more efficiently.
Therefore, as an auditor, know what you are asking for and be precise when possible. For example, when asking for information from AD, don’t ask for it from more than one domain controller per domain.
As an admin, don’t punish the auditor for not asking for the information with 100% accuracy. To generate a report with wrong information is just going to cause you to generate a second report with the correct information. For example, when the auditor omits the fact that a command provided fails to include the switch to gather information for more than 10,000 objects, just add the switch to include all objects, as you know this is what the auditor needs to complete their job task.
The audit is rarely “sprung” upon an admin. Admins are fully aware the audit is coming and can plan for the work that needs to be done. So, admins should plan for time to generate the reports required to complete the audit. This will require flexible schedules and time to work with the auditors to ensure the correct information is going to be generated.
Auditors need to understand that admins are busy people. Admins do more than wait for problems to occur. Admins are constantly working on new projects, optimizing systems, evaluating the performance of systems, etc. Not leaving out the day in and day out administration of systems, users, groups, resources, etc. Auditors should ensure that all admins know what the scope of the audit is, approximately how detailed the audit will be, and the time frame the auditor has to complete the audit.
In the end, we need to all work together. I work with both admins and auditors. I find that both are very petty when it comes to their complaints. Each likes to flex their knowledge, power, and control over the audit. Instead, both need to understand the work being done is for the company, not for their own benefit. The company is the one that benefits, which means higher raises if the audit goes smooth, under budget, and systems are secured better as a result. No one wants their company to be on the front page of the Wall Street Journal due to a security breach!