In the case of auditors, they need to seem validate and have access to some immensely critical and valuable company data, even to the point they have to access and review the crown jewels of your company.
Similar to penetration testing there are a set of rules put in place on what the auditors can and can’t do. These are agreed before the work takes place.
Here’s something to think on the next time auditors turn up at your company.
We have one of the big four auditing firms turn up to do the end of financial year checks. This is greeted with the normal groans and eye rolling as different departments have to stop what they are doing and spend quality time talking over check list and best practices.
Normally, I don’t get involved, other than to my veiled comments on how pretty they managed to make a Nessus scans look of our external systems and gee wasn’t that worth the money. This time I had a much more hands on role.
I received an alert that one of our systems had detected two rather nasty pieces of malware from a USB drive. What made this different was the machine wasn’t on our regular asset list. A quick bit of checking pulled up this was a loan machine and was being used by the auditors and an auditing account was logged in. Then the same system alerted again with the same two pieces of malware. Now, we have a clean or kill policy on malicious software with the AV software, so the USB drive would have be cleaned, so the spider-sense alert jumped up by a factor of four. Either someone had a number of infected USB drives or something else was going on.
A quick jog up stairs, with the trusty incident response kit, to the location of the machine put me face to face with one of the financial system auditors. This happy chap was logged in to our major finance system doing “stuff”.
“Have you just used a USB drive in this computer?” I politely questioned after noticing no USB drive anywhere in sight. “Not me” replied smiling auditor.
“Has anyone from your team plugged on here in the last few minutes?”
After contemplating the higher meaning of my question and possibly calculating Pi to 2000 digits, he slowly responded perhaps his colleague just did. I asked him to stop what he was doing, and take me to this colleague.
This group of auditors had been using one of the nearby meeting rooms, and fortunately they were all here at the same time. I found another nice, polite, smiling auditor with the USB drive that had just been used in our company PC plugged back in to his laptop.
I told him and the room of auditors that USB drive had a piece of financial data stealing malware on it, the smiles in the room suddenly vanished. I got a chorus of “but we have antivirus software on our machines so it can’t be possible” and “I’ve never plugged this into anything other than our computers”. A very quick demo to the room proved them all horribly wrong. On my response laptop, I inserted the USB drive (in read only mode) and showed them the obfuscated autorun.inf file plus the hidden folder containing the malware on the USB drive. Then I got one of them to plug in a clean formatted USB drive from my response kit in to his laptop. As if by magic an autorun.inf file appeared on the USB drive. Again on the response laptop I show them the hidden files and malware.
Whoops. This meant the malware had subverted their AV on all five laptops. Not a good sign, especially as one of the malware copied itself over via shares and they had VPN back to the home office.
This was the point when in to containment mode. I called in our internal audit team, confiscated all the auditors USB devices and asked them to contact their IT team. After a very brief conversation with management, I had to escort the auditors and their infected systems out of our offices.
Once they were out of the office, the pc the alerts can from was analysed as was any internet traffic from or to it. A quick report was then fired off to various audit and management teams. After a number of communications and with freshly built computers, the auditors came back on site to finish their work the next day.
Some of points from this worth mentioning:
• The AV on our systems clearly displayed a clear “You’re infected!” alert each and every time an infected USB stick was plugged in. This was ignored and not reported.
• The auditors did not have permission to use USB devices in our system; however they had no statement from my company not to.
• We do have a policy of no USB drives, but it’s a paper policy only, despite repeatedly issues.
• The auditors are all very smart people, but showed little tech/security knowledge savvy.
• I bagged up the USB drives in a custody bag, but they were still properly of the auditing company, so I couldn’t do any forensics on the drives.
• The auditors were only allowed back on site after a written letter of assurity was provided to our company that they their systems and devices were clean and they were not to plug any devices into to our network. Data was to be transferred by only audited methods only.
• Kicking auditors out in mid audit has a large dollar amount assigned to it, so not done lightly or without management approval.
• Our incident response plan ensured no data was leaked and we had the situation under control in less than 30 minutes after the first detection of malware.
Again take from this what you will.