Tips for Passing an Audit or Assessment
Rob Wayt, CISSP-ISSEP, HCISPP, CISM, CISA, CRISC, CEH, QSA, ISO 27001 Lead Auditor
Senior Security Engineer, Structured Communication Systems
Who likes audits?
Compliance Requirements
- PCI DSS
- NERC CIP
- HIPAA
- FERPA
- CJIS
- ISO 27001
- FISMA / NIST SP 800-53
- NIST SP 800-171
- Cybersecurity Framework
- SOC 1/2/3
- GLBA / NCUA
- SOX
- CIS 20 CSC
Compliance vs. Security
- Compliance is the low bar
- Your security controls can and should go well beyond it
The Findings
The most common findings on security assessments by our assessors.
Data Inventory
- What is your sensitive data? Where is it?
- If a person, process or system transmits, stores or processes sensitive information, it is in scope
By data security levels
- Segmentation
- Encrypt when traversing a lower level
- PCI: use P2PE
- Micro-segmentation, zero trust, private VLANs
Asset Inventory
- Use a dynamically updated system
- All hardware in scope
- Or manually keep it updated with additions and subtractions
- Track owner, purpose, IP address, name and location if possible
Account Management
- Run reports for 90 days of inactivity
- Use account expiration: validate the month prior, disable on the last day
- Management approval of access
Multi-Factor Authentication
- U2F, push, OTP
- For all admin access or access to sensitive information: OWA, VPN, cloud
- Multi-factor or multi-step
- Factor independence
Use a SIEM!
- Not just purchase one
- All in-scope systems
- Security systems
- NTP
- Logging
Change Management
- Document all changes to configurations
- Include approvals and roll-back plans
Patching
- Non-OS patches: Java, Flash
- Network devices
- End of support = compensating controls
Network Access Control
- MAC spoofing
- DHCP is not a security mechanism
Authorized Software
- Inventory of applications
- Whitelist the approved, blacklist the others
- Or another form of application control
- FIM: executables, system files, application files
Secure Configurations
- Use benchmarks for all systems: CIS, NIST, STIGs
- Apply by GPO
- Build into the gold disk
Vulnerability Scans
- Use authenticated scans
- Include all in-scope assets
Admin Privileges
- No local admins, even for IT
- Use separate accounts for admin functions: RunAs, sudo
- Log/alert everything: added accounts, failed logins, adds to admin group
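A defender-side illustration of the last bullet, added here as an example and not part of the deck: a small Python detector that reads constructed syslog-style lines keyed on Windows security event IDs (4720 account created, 4625 failed logon, 4728/4732 member added to a global/local group) and raises alerts for new accounts, additions to privileged groups, and bursts of failed logons against one account. The line format, hostnames, usernames and the privileged-group set are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not a real capture), keyed on Windows security event IDs:
# 4720 account created, 4625 failed logon, 4728/4732 member added to a global/local group.
SAMPLE_LOG = """\
2024-03-01T08:00:01 host=DC01 event=4720 actor=jdoe target=svc_backup
2024-03-01T08:00:05 host=DC01 event=4732 actor=jdoe target=svc_backup group=Administrators
2024-03-01T08:01:00 host=WS07 event=4625 actor=- target=bob src=10.0.0.5
2024-03-01T08:01:20 host=WS07 event=4625 actor=- target=bob src=10.0.0.5
2024-03-01T08:01:40 host=WS07 event=4625 actor=- target=bob src=10.0.0.5
2024-03-01T08:02:00 host=WS07 event=4625 actor=- target=bob src=10.0.0.5
2024-03-01T08:02:20 host=WS07 event=4625 actor=- target=bob src=10.0.0.5
2024-03-01T08:30:00 host=DC01 event=4728 actor=asmith target=tjones group="Backup Operators"
2024-03-01T09:00:00 host=DC01 event=4732 actor=asmith target=tjones group="Domain Admins"
"""

# Assumed set of groups whose membership changes must always raise an alert.
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"


def parse_line(line):
    # Timestamp first, then key=value fields; blank or malformed lines yield None.
    ts_str, _, rest = line.strip().partition(" ")
    try:
        ts = datetime.fromisoformat(ts_str)
    except ValueError:
        return None
    ev = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    ev["ts"] = ts
    return ev if "event" in ev else None


def detect(log_text, fail_threshold=5, window=timedelta(minutes=10)):
    alerts = []  # (rule, target account, detail) tuples, in log order
    failures = defaultdict(deque)  # target account -> timestamps of recent failed logons
    for ev in filter(None, map(parse_line, log_text.splitlines())):
        if ev["event"] == "4720":
            alerts.append(("account_created", ev["target"], ev["actor"]))
        elif ev["event"] in ("4728", "4732") and ev.get("group") in PRIVILEGED_GROUPS:
            alerts.append(("admin_group_add", ev["target"], ev["actor"]))
        elif ev["event"] == "4625":
            q = failures[ev["target"]]
            q.append(ev["ts"])
            while ev["ts"] - q[0] > window:  # keep only failures inside the sliding window
                q.popleft()
            if len(q) == fail_threshold:  # fire once, when the threshold is first reached
                alerts.append(("failed_logon_burst", ev["target"], ev.get("src", "?")))
    return alerts
```

Running `detect(SAMPLE_LOG)` yields four alerts; the "Backup Operators" addition is deliberately silent because that group is not in the assumed privileged set, which is the kind of gap an assessor will ask you to justify.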
IoT
- Don't allow it on your network
- Change admin credentials for everything
USB Storage
- Don't allow it, or limit usage
- Set to auto-scan
- Encrypt on use
Firewalls
- Only allow authorized ports and protocols, inbound AND outbound
- Inbound connections to the inside network
- Test segmentation
- Web content filtering
DLP
- Decrypt SSL and send to DLP for in-scope data types
- Host-based DLP is effective for inside threats
Encrypt Sensitive Data
- In motion and at rest
- Archive systems: Laserfiche, e-mail archive, flat files
- Backups
Wireless
- Segmentation
- Authentication
- Rogue access points
Application Development
- Separate development environment
- Peer review code
- OWASP Top 10
- WAF
Policies
- Worse than the audit itself
- Make sure policy is implemented and followed
- Don't forget Incident Response, Disaster Recovery and the Business Continuity Plan
Accounting and HR
- Preparation needs to include these areas
- They store too much information and never purge anything
- More fun to audit than IT staff
SSL/TLS and SHA-1
- Use TLS 1.1 and 1.2
- SSL and TLS 1.0 are weak
- Still see SHA-1 signed certificates
Risk Assessment
- Map to controls
- Reviewed by senior management
Penetration Testing
- Not a vulnerability scan: actual hacking
- Should be near the end of your preparation task list
- Pay for social engineering
End User Training
- Include a phishing campaign
- Real-life scenarios
- Document it
Virtual Environment
- Separate hypervisor and hardware by classification level
- Validate data, admin and control planes in SDN
- Cloud environments
Questions?
That's all!