Most companies have external auditors come in to ensure that regulator measures and processes are in place for a variety of reasons.
In the case of auditors, they need to seem validate and have access to some immensely critical and valuable company data, even to the point they have to access and review the crown jewels of your company.

Similar to penetration testing there are a set of rules put in place on what the auditors can and can’t do. These are agreed before the work takes place.

Here’s something to think on the next time auditors turn up at your company.

We have one of the big four auditing firms turn up to do the end of financial year checks. This is greeted with the normal groans and eye rolling as different departments have to stop what they are doing and spend quality time talking over check list and best practices.

Normally, I don’t get involved, other than to my veiled comments on how pretty they managed to make a Nessus scans look of our external systems and gee wasn’t that worth the money. This time I had a much more hands on role.

I received an alert that one of our systems had detected two rather nasty pieces of malware from a USB drive. What made this different was the machine wasn’t on our regular asset list. A quick bit of checking pulled up this was a loan machine and was being used by the auditors and an auditing account was logged in. Then the same system alerted again with the same two pieces of malware. Now, we have a clean or kill policy on malicious software with the AV software, so the USB drive would have be cleaned, so the spider-sense alert jumped up by a factor of four. Either someone had a number of infected USB drives or something else was going on.

A quick jog up stairs, with the trusty incident response kit, to the location of the machine put me face to face with one of the financial system auditors. This happy chap was logged in to our major finance system doing “stuff”.
“Have you just used a USB drive in this computer?” I politely questioned after noticing no USB drive anywhere in sight. “Not me” replied smiling auditor.
“Has anyone from your team plugged on here in the last few minutes?”
After contemplating the higher meaning of my question and possibly calculating Pi to 2000 digits, he slowly responded perhaps his colleague just did.  I asked him to stop what he was doing, and take me to this colleague.

This group of auditors had been using one of the nearby meeting rooms, and fortunately they were all here at the same time. I found another nice, polite, smiling auditor with the USB drive that had just been used in our company PC plugged back in to his laptop.

I told him and the room of auditors that USB drive had a piece of financial data stealing malware on it, the smiles in the room suddenly vanished. I got a chorus of “but we have antivirus software on our machines so it can’t be possible” and “I’ve never plugged this into anything other than our computers”. A very quick demo to the room proved them all horribly wrong. On my response laptop, I inserted the USB drive (in read only mode) and showed them the obfuscated autorun.inf file plus the hidden folder containing the malware on the USB drive. Then I got one of them to plug in a clean formatted USB drive from my response kit in to his laptop. As if by magic an autorun.inf file appeared on the USB drive. Again on the response laptop I show them the hidden files and malware.

Whoops. This meant the malware had subverted their AV on all five laptops. Not a good sign, especially as one of the malware copied itself over via shares and they had VPN back to the home office.

This was the point when in to containment mode. I called in our internal audit team, confiscated all the auditors USB devices and asked them to contact their IT team. After a very brief conversation with management, I had to escort the auditors and their infected systems out of our offices.

Once they were out of the office, the pc the alerts can from was analysed as was any internet traffic from or to it. A quick report was then fired off to various audit and management teams. After a number of communications and with freshly built computers, the auditors came back on site to finish their work the next day.

Some of points from this worth mentioning:
•   The AV on our systems clearly displayed a clear “You’re infected!” alert each and every time an infected USB stick was plugged in. This was ignored and not reported.
•   The auditors did not have permission to use USB devices in our system; however they had no statement from my company not to.
•   We do have a policy of no USB drives, but it’s a paper policy only, despite repeatedly issues.
•   The auditors are all very smart people, but showed little tech/security knowledge savvy.
•   I bagged up the USB drives in a custody bag, but they were still properly of the auditing company, so I couldn’t do any forensics on the drives.
•   The auditors were only allowed back on site after a written letter of assurity was provided to our company that they their systems and devices were clean and they were not to plug any devices into to our network. Data was to be transferred by only audited methods only.
•   Kicking auditors out in mid audit has a large dollar amount assigned to it, so not done lightly or without management approval.
•   Our incident response plan ensured no data was leaked and we had the situation under control in less than 30 minutes after the first detection of malware.

Again take from this what you will.

Wow that sounds harsh indeed. But I certainly understand the decision. Looks like a fast incident response, nicely done.

I've experienced way too many 'incapable' auditors (both internal and external) that have caused more grief than good.  It's a shame, but is definitely something to be aware of, any time you are letting someone else touch your network and machines.  Just like anything else, when you discuss and plan your security plans and layout your 'security posture,' you need to have measures in place and methods for validation, for auditors, just like for anyone else.

Definitely worth keeping in mind.

@kennut

The core reason to eject them was based on risk. I couldn't control what they might do or might happen. Getting them out of the office removed that risk. The incident response phase at the time was all about containment and admittedly it was fun to evict people from the office ;-)

We have a couple hundred offices over a number of countries, so physical security isn't going to happen. I was just lucky they happened to be in the main office at the time.

>> 1) all thumbdrive must be surrender for virus/malware scanning
we only a paper policy on USB devices. This last as long as it not inconvenient or if the person isn't in a hurry.

>> 2) notebooks must be installed with anti virus with latest definition etc
The auditors' laptops did have the current AV defs on them. Shame the malware had subvert it :-(

>> 3) the office or meeting room used by the auditors must be on a separate VLAN or the network port must be disabled until needed
Too main port and not enough IT staff or budget to manage that type of Network access control

>> 4) access to the Internet must be authorized by the company before it's given to the auditors
The one thing I do control absolutely. If you're not registered and approved, no Internet for you!

@ChrisJ

The one and, so far, only worm outbreak I've had on my watch at my current workplace cost us a massive amount of effort to lock down and clean up. They (the business) learned the hard way malicious software isn't just something that makes funny pop up appear and rude noises. We cut off large parts of the network to contain it, when machines on those sites started attacking the core data centres. They realised pretty quickly this wasn't a joke and was costing major dollars in down time and lost productivity. Helps focus the mind when you waves lost revenue under their noses :-)

Thanks for you report, What90. It's sad that such a fatal move happened by a professional pentesting team, though there is always the possibility, that something goes wrong. That it happened to professionals reminds me on Murphy's Law.


That's why I am used to not only define what should be done and what's within the scope, but also what's not in the scope and which things have to be inhibited. Of course it's hard to think about all possible options, but at least the major ones can be taken care of. When doing such audits on a regular basis new points can be added easily to get as close as possible. This not only applies to pentest contracts, but also to general projects.

The good point here is, in my opinion, that you could successfully apply your incident response plan so fast and with success. That proves that it's useful and necessary to have such plans available.