Our security auditor is an idiot. How do I give him the information he wants? - ashwin_kumar
http://serverfault.com/questions/293217/our-security-auditor-is-an-idiot-how-do-i-give-him-the-information-he-wants

======
rdl
The last time this got discussed, I thought the consensus was he was trolling
-- the point being the correct answer is to explain why you don't have these
(technical controls, hashing of passwords, etc.).

The other reason would have been if he wanted login access to servers to
validate configs himself, but there are much better ways to accomplish that
(I'd be very reluctant to give an auditor anything but read-only access to any
production infrastructure, but it is valid to want to know that what is being
given to you matches production; there are ways to accomplish both).

~~~
wernercd
From the follow ups that were posted, it sounds like the "Auditor" wasn't
trolling. (Assuming the OP is/was on the up-and-up)

And this is a blast from the past... July 2011. Almost 3 years ago.

------
Zenst
WOW, "A security auditor for our servers has demanded the following within two
weeks: • A list of current usernames and plain-text passwords for all user
accounts on all servers • A list of all password changes for the past six
months, again in plain-text"

That right there would be a security breach/issue and for it to be created as
part of an audit is unbelievable.

I have never met any security auditor who has done that or ever would and
having done audits myself for FTSE 100 companies, well if I did that I'd be
out of a job. Certainly audit the passwords, though there should be rules to
prevent silly passwords and that is what should be audited.

In such a situation I would not pander to such an auditor and would approach a
director about the security risk the auditor was, and good night veanna for
them. Such people should not be doing audits, ever, and are clearly not qualified
for the role/task they have been given.

It would be a security issue to carry on supporting or allowing such a person
to carry on auditing, as they are clearly a security risk without a doubt.

~~~
auxbuss
That'll be "Goodnight, Vienna".

------
avaku
This is a trick. The correct thing to say to them - we don't have passwords
because they are hashed and salted. Then you successfully pass the security
audit :)

------
DigitalSea
This cannot be real, but sadly it appears as though it is. A "professional"
security auditor requesting plain-text passwords? A security auditor that thinks
PCI is something you install onto your server? Wow. I am literally speechless.

Can we please get the name of this company somehow? This company should not be
allowed to give anyone security advice whatsoever, they quite clearly do not
know what they are talking about. I'd hate to think how many businesses have
been affected and or are vulnerable as a result of their auditing practices
and guidelines.

~~~
pmorici
This sounds like a plausible situation to find oneself in in a large corporate
or government environment.

------
ChuckMcM
I read that and it read like a troll, or that the 'auditor' was socially
engineering the firm (also possible). It is useful to have passwords
explicitly unknown by anyone except their owners and run password cracking
software on the password database continuously to weed out 'weak' passwords.
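
The two points made in this thread and in avaku's reply above (a properly run system never holds plaintext, and a weak-password audit can still be done against the hash store) can be shown in code. This is an added example, not code from the original thread; the PBKDF2 store layout, the user records and the weak-password list are constructed for illustration.

```python
import hashlib
import hmac
import os

# Iteration count chosen low enough to keep this example fast; real deployments tune it higher.
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes = b"") -> dict:
    """Store a per-user salted PBKDF2-SHA256 digest; the plaintext is never retained."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "digest": digest}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the digest for a candidate and compare it in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, record["digest"])


def audit_weak_passwords(store: dict, denylist: list) -> list:
    """Return the users whose stored hash verifies against a known-weak password.

    This is the check an auditor can legitimately ask for: it reveals which
    accounts match a denylist entry, never the plaintext of any other account.
    Because each record has its own salt, every denylist entry must be
    re-derived per user; there is no shortcut through a shared lookup table.
    """
    flagged = []
    for user, record in sorted(store.items()):
        if any(verify_password(weak, record) for weak in denylist):
            flagged.append(user)
    return flagged


# Constructed sample store; salts are fixed here only so the example is repeatable.
USER_STORE = {
    "alice": hash_password("correct horse battery staple", salt=b"\x01" * 16),
    "bob": hash_password("password123", salt=b"\x02" * 16),
    "carol": hash_password("Tr0ub4dor&3", salt=b"\x03" * 16),
}
# Constructed denylist; a real one would be a large list of known-compromised passwords.
WEAK_PASSWORDS = ["password", "password123", "123456", "qwerty"]

if __name__ == "__main__":
    print("accounts using a denylisted password:", audit_weak_passwords(USER_STORE, WEAK_PASSWORDS))
```

Running it flags only `bob`; nothing in `USER_STORE` lets anyone, auditor included, read back the other two passwords.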

------
mkonecny
My heart sank as I read that. There are too many people in our field that
don't have a basic grasp on the most fundamental concepts, and yet are in the
position to direct those that have a clue.

~~~
yulaow
It is worse than that. These people not only don't know shit about what they
are doing, but do not even try to learn or recognize their errors, even when
they are THAT big.

This is really depressing.

------
ppierald
I hope this is a troll and if it is not, you should read through your
contract, look for a breach clause, and exercise that clause. Otherwise, you
should eat the cost of getting a new security auditor. A good relationship
with a qualified auditor can be really beneficial to your organization. If you
don't have that, you are not getting any value out of the dollars spent.

------
aaron695
This is either made up or the auditor has a mental health issue.

Either way nothing to see here unless you want to discuss mental health issues
or truthfulness on the Internet and how to improve it.

~~~
Nizumzen
That a person may have a mental health condition has no bearing on their
intelligence. You'd know that if you actually knew what the fuck you were
talking about.

It's a bit like saying "This is either made up or the auditor has AIDS".
Implying that people with AIDS are retards which as we all know is completely
untrue (well they might be but this has no relation to them having AIDS).
Please get a clue before posting shit on the web.

------
autodidakto
An idiot... like a fox. He was up to something, using bullying tactics to
social engineer.

