SecuringAIX


October 09, 2012

How to FAIL a Security Audit

Comments

Why does no one ever mention actually having your security tested? Setting up policies and running syslog and audit are great, but without a penetration test they are like an untested backup: how do you know that you've closed the right holes and are gathering enough of the right information about breaches?

Hi Ian,

Thanks for your comment. No one mentions it, I expect, because they are concerned about the results, regardless of what the results are. Saying we are ready or not ready is, either way, inviting to potential attackers.

Currently most assessments I do are concerned with preparing for an audit that will show compliance. These customers are looking to documents such as PCI DSS v2 (see https://www.pcisecuritystandards.org/security_standards/documents.php) to identify the right holes.

Regarding auditors and compliance - too many "pass" audit and syslog if they are both enabled. The additional fact that neither of their configurations could be used effectively for forensics (after the fact) or real-time detection goes unnoticed.

In short, you pose a very valid question. My approach is to start with ensuring there are audit records of key components. Additionally, I start with a wide collection of auditable events. As time passes I filter out events that appear to have neither predictive nor forensic value. There is no "one size fits all" approach. If it were that easy I might not have a job :)
