
How do I give our security auditor the information he wants? (2011) - jewbacca
https://serverfault.com/questions/293217/our-security-auditor-is-an-idiot-how-do-i-give-him-the-information-he-wants
======
madaxe_again
Birmingham? I think I know this guy - we have a client based there and are
three years into a war with their PCI auditor, who are dangerously
incompetent. They were adamant that we should be able to decrypt PANs (credit
card numbers) - we still haven't complied, as we quite deliberately don't
store them and just transit them.

It's not a phishing scam, this is pretty much state of the art in the UK - and
try being a 32 year old "kid" company director while the 55 year old "security
engineer" who seems to have never used a computer and thinks a network is a
maritime term plays the "seniority" card in front of a client of the same
generation.

The sad thing is I've seen two retailers drive themselves hard into the ground
over the last eighteen months by listening to this variety of chumbly wotsit
rather than someone who actually knows what the hell they're talking about.

One spent about £8M on their PCI auditor over six months, then went bust,
blaming us, the platform provider - who are PA-DSS and ISO certified. The
auditor blamed us too, then folded up shop and moved to Spain.

PCI experts are the new SEO experts.

~~~
abritishguy
Name and shame, this auditor is actively damaging security and should be shut
down.

~~~
madaxe_again
I've worked with about eight or nine. Two of them are _jaw drops in horror_. A
bunch are "err, what?", but get the job done vaguely competently if in a very
procedural fashion. Quite often it's totally nontechnical people with
backgrounds in finance/filing who do the assessment. Finally, there are two
outfits we've worked with that we liked - one well enough to come audit us.

Oh, also, the big automated platforms like SM and TW are pretty poor.

The way it's set up right now, if you're lucky enough to be deemed a QSA by
the PCI council, congratulations, you are now legally welcome to blackmail and
extort. Zilch oversight, it's the Wild West, and snake oil salesmen abound.

~~~
tomblomfield
Who were the two you liked? We're looking at various PCI stuff at the moment.

~~~
hn_user2
We had a very good experience with the folks at Security Metrics in Utah. Very
reasonable people. And we had some compensating controls and non-standard
things to be done. They were very much willing to work with us instead of
against us.

~~~
madaxe_again
I had a mixed experience with them - their automated scanner can be painful
with misdetection, but their support usually makes up for it, even if they're
slow to respond. I've not used them for anything other than the quarterly
scans.

------
jonsg
Well, if the auditor wants to play willy-measuring tactics: I've been using
Unix since 1982 (Bell Labs Version 7, since you asked), and I rather suspect
that I've more experience than he has.

UNIX and derived/lookalike systems like Linux have _always_ stored passwords
one-way encrypted. I have precisely no idea how he expects the sysadmin to
provide a list of plaintext passwords, short of replacing the passwd utility
with a hacked one that stores the pre-crypt version somewhere for retrieval,
or asking staff to email their plaintext passwords to the poor sap he's
badgering.

Either way, a massive security breach. The whole point of one-way encryption
is that there is no persistent trace left of the original plaintext password.
This guy's way of auditing security recalls the Spanish Inquisition's way of
auditing witchcraft. Damned if you do; damned if you don't.

His company's far better off using a payments provider with a clue - and a
competent auditor.

~~~
dbg31415
I see responses like this from developers, and -- no offense -- it really
doesn't advance the conversation.

The guy asking these questions is a bureaucrat, he's running his game book.
Just telling him he's dumb and you're smart won't get you the certification
your company needs.

In this case, yes I think these questions are insane. But you could respond
like:

> A list of current usernames and plain-text passwords for all user accounts
> on all servers

We use Linux servers that store passwords using a one-way encryption. If we
show you how we validate that all passwords are 16 characters long, contain
special characters, are not passwords previously used, and are changed every
30 days, would that suffice for the password complexity scan we assume you are
trying to perform with this password data you requested?

> A list of all password changes for the past six months, again in plain-text

See answer 1, we require all users to change their password every 30 days;
passwords older than 30 days expire and cannot be used.

> A list of "every file added to the server from remote devices" in the past
> six months

We use XYZ System for change management. Here are the change logs. We monitor
log ins using ABC System. Here are the logs.

> The public and private keys of any SSH keys

Providing this information would violate our security policies. Our policies
can be found in the attached PDF. Please let us know what compliance issue you
are attempting to verify here so we can brainstorm alternate methods of
providing the details. We change keys yearly.

> An email sent to him every time a user changes their password, containing
> the plain text password

See previous response, giving this would violate our security policies. We
programmatically ensure complex passwords, and that passwords expire every 30
days. We can show you how the server is configured if you'd like.

End with, "For next steps, can we get someone from your technical team on the
phone with our Security Lead to discuss these responses?" If they aren't game,
just find another service provider. These questions are batshit, but they
strike me as "first pass" questions sent over by someone junior. Find a way to
get up the ladder a bit and everyone will be happier.
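As an added illustration (not code from any commenter), this shows the position jonsg and dbg31415 describe: passwords are kept only as salted one-way hashes, the 16-character / special-character / no-reuse / 30-day rules are enforced at change time, and the evidence an auditor can be shown is the policy result, never a plaintext. The rule values are constructed from the reply above, not a real organisation's policy.

```python
"""Evidence of password-policy enforcement without ever retaining plaintext.

Constructed example: the rules below are the ones named in the reply above.
"""
import hashlib
import hmac
import os
import string
from datetime import date
from typing import Optional

SPECIALS = set(string.punctuation)
MIN_LENGTH = 16
MAX_AGE_DAYS = 30


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Salted one-way hash; only (salt, digest) is stored, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def matches(password: str, salt: bytes, digest: bytes) -> bool:
    """Check a candidate against a stored record using a constant-time compare."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def check_new_password(candidate: str, history: list) -> list:
    """Run at change time, the only moment the plaintext exists; returns violations."""
    findings = []
    if len(candidate) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if not SPECIALS & set(candidate):
        findings.append("no special character")
    # Reuse is detected by rehashing the candidate with each old salt;
    # the old plaintexts are not needed and were never kept.
    if any(matches(candidate, s, d) for s, d in history):
        findings.append("matches a previously used password")
    return findings


def stale_accounts(last_changed: dict, today: date) -> list:
    """What an auditor can be shown: accounts whose password exceeds the age limit."""
    return sorted(user for user, changed in last_changed.items()
                  if (today - changed).days > MAX_AGE_DAYS)
```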

~~~
strommen
The StackExchange post shows some back-and-forth conversation along these
lines. The auditor doesn't budge an inch, and gets defensive.

~~~
dbg31415
There are other service providers. Sorry I didn't read the comments in the
StackExchange post.

There are other vendors. I think that'd be my next step -- go to my legal team
or C-team, explain that answering these questions would put the company in
danger, and suggest we consult with another vendor from the approved PCI list.

(Sorry I don't know if this is actually the list to go off of -- scans vs.
audits, just my point is that there are public lists of approved companies to
choose from.)

* [https://www.pcisecuritystandards.org/assessors_and_solutions...](https://www.pcisecuritystandards.org/assessors_and_solutions/approved_scanning_vendors)

I had a client who just had some random dude telling them he could certify
them as PCI Compliant... he was in no way authorized to do that. Was fairly
hilarious how it played out; he'd been "certifying them" for years and even
went so far as to give them a graphic they could display on their website.
There are people who prey on ignorant businesses, but with a little research
it's not terribly hard to educate yourself on what's real and what's BS.

EDIT: Just read the StackExchange post... Yeah, run. Guy is a nut job, like
the random dude who had been advising one of my old clients. That call with
him -- around how he wasn't really someone who could certify PCI Compliance --
was one of my favorite calls ever. He basically melted into a rant about, "I
know good security, I have never had any of my servers hacked... well only
like 2 but those weren't my fault!" Then said he'd get off the phone to do
some research... and never called again, didn't even bother sending my client
a bill for his services. Wish I had recorded it.

BUT... just because there are nut jobs out there, doesn't mean this is
something companies should ignore. PCI Compliance is important.

------
rajadigopula
"I'm going to assume you do not have PCI installed on your servers as being
able to recover this information is a basic requirement of the software."

I already fell off my chair.

~~~
sokoloff
We used to have plain PCI installed. Now, most of our servers have been
upgraded to PCI Express. Shall I provide you a hardware report proving that
PCI Express is installed and functioning?

------
sfifs
Hmmm... perhaps the auditor should be informed that if he persists in
requesting user accounts and passwords in the guise of a security audit,
you will have no choice but to report him to the FBI or MI5 as a suspected
phishing scam operator who may have already compromised prior clients
similarly.

~~~
hehheh
Why wait?

------
peterwwillis
Does nobody find it unprofessional, perhaps even untrustworthy, to not only
discuss the private dealings you have with other companies but also copy+paste
e-mails? Even if they're idiots? I don't think you want to go down that
road... _"Well I thought the guy from Company X was an idiot, so why was it
wrong for me to repost our private conversation?"_

~~~
pja
In this case, the company in question is run by _dangerously incompetent
idiots_ whose advice, if followed, would result in their clients not only
exposing themselves to serious risk if they ever were targeted by a real hack
but would result in instant compliance failure if they were ever put through
the compliance procedures of a competent agency. If a major contract was on
the line, that kind of thing could put a company out of business.

~~~
PuffinBlue
Ordinarily I'd agree with GP but you are right that this is an unusual
situation with potential for very detrimental legal consequence.

What's being asked for is absolutely a breach of the UK Data Protection Act
and the providing company would be immediately legally liable for revealing
this information.

I see this public discussion (bearing in mind no names have been revealed)
quite invaluable in raising awareness of this sort of harmful request.

------
gtf21
This looks more like a phishing scam than a security audit. Anyone asking for
things like plain-text passwords sounds a bit fishy to me.

~~~
richman777
Almost all security audits in an enterprise/corporate setting are done in good
faith. This is a person they hired and I'm assuming they have spoken on the phone
with, so it's not unsolicited.

Trust me, I've had similar things happen. I don't know how there can be
security auditors who don't even understand how password encryption works but
I've had to explain it a few times. It's awful.

------
lamontcg
It's likely this isn't a troll post.

The security community has a whole lot of idiots in it who figured out that
they can get a CISSP and turn themselves into a security auditor and get paid
extremely well while getting to enjoy acting like tyrants. In reality they're
not fit to manage a McDonalds.

------
aaron695
2011 and still as fake, HN version of the outrage train.

At least it's a little nerdy :)

------
jonsg
Worth mentioning, BTW, that the original article is five years old. It's ready
to go to primary school.

------
beachstartup
this is either a fictional troll, or a phishing scam. come on.

------
0xmohit
It seems that the auditor wanted a fancier designation and decided upon
"security auditor".

It is also possible that the auditor in question worked in a (physical)
security agency in past life and failed to understand that computer security
is not quite the same.

That seems to be the only plausible explanation for demanding actual plain-text
passwords (past/present/whatever) and so on.

~~~
madaxe_again
Oh, that old chestnut. Actually have exactly that at a client, guy used to run
physical security at their stores and is now head of infosec but he's a lovely
bloke and knows he's out of his depth, and has chosen good expert outside
advice - we actually met the QSA we like through them.

Thing is in some regards PCI _is_ quite analogous to physical security, as a
lot of it is about documented process and auditability. Hell, a chunk of it
_is_ physical security.

So that progression isn't so bad, and as usual, you just get people who are
willing to acknowledge their own shortcomings and work with others to resolve
or mitigate against them, and those who don't.

------
nicky0
Makes me so mad, I have to think this is some kind of joke or wind-up.
Hopefully it is...

------
tillinghast
A brilliant troll / piece of entertainment. The author basically reveals it
here in Update #3:

> Our software has now moved onto PayPal so we know it's safe.

~~~
SilasX
How does that make it a troll? PayPal has a bad reputation in some respects,
but not for having weak data security, right? It's mainly for always siding
with someone requesting a chargeback.

~~~
richman777
Yeah, this person doesn't seem to understand that PayPal is a huge merchant
provider for a lot, and I mean, a lot, of people. And that doesn't mean "using
paypal" when you go to a website. They handled invoicing at my last job.

------
rngesus
Dangerous, especially the request(s) for plain-text passwords.