IDS & Corp Auditing - dysfunctionality?

[Tiger Shark]

Vesconovo: Really I think we need to know _what_ it is they are auditing before we can tell you what the appropriate actions should be on your part.

If they are trying to see how much disk space there is available to the network then there might be a, somewhat questionable, reason to turn off the IDS. However, if these systems are open to the world then tell them to turn up at the console at a given time and you'll show them.

If they are doing a security audit then the are "cheating" by having you remove some of your defenses.

So, what are they trying to audit and we can give you better advice?

[snowcrash101]

What type of auditing do they plan on doing is of the utmost importance. Is this a securiyt audit? Are they just checking your network assets? It sounds like they could be checking you for "Social Engineering" by asking you to disable IDS.

My philosophy is that under NO circumstances will I disable IDS unless a director or above will take responsibility in writing.

Snow

[GandalfTheGray]

I have done a fair amount of auditing in the past. I believe a good audit consists of at least two parts -- attempts to exploit your system from outside and from inside. Once they convince themselves that they can't get in from outside -- and announce it formally to whoever commissioned the audit -- then they should evaluate what a person with approved access (a disgruntled employee, a Nosey Parker, etc.) could do. They should perform the second from a terminal inside your net -- not outside with the protections turned off.

I would never ask you to turn off your protection systems. If I can beat them and gain legitimate access, that is the time to validate that with you and help you stop up the holes. Then I might ask for a user account with the same priviledges that I was able to obtain from the outside to demonstrate (if necessary) what else I could do.

Even if your perimeter is demonstrated to be strong, it is important to also verify what an insider could do. However, this should be done very carefully to avoid blocking out legitimate users and compromising any vital operations and information on the network. There should be a LOT of preliminary coordination between yourself and auditors to assure that tests are fair, that everyone agrees with the performance measures employed, how the results are to be interpreted, who will get a report, and that vital operations are not disrupted by the audit.

[vescovono]

They have a list of about 12 things they are checking on. I have not seen the full list, but it what I have comprises:

1) Account management - cleaning up old accounts

2) Passwords - if they can get access to one account, they download the password file and run crackers against it.

3) Ports and services - using nmap or its similiar to a port scan of various ips to. They are looking for what is 'unnecessary,' but after a two year battle on the definition of 'unnecessary' we are at a stalemate, so a few of us were documenting what we were going to have open and closed & compare that to the audit results. We are moving to shutdown every service, opening only what the system or applications directly need, documenting those open ports/services per server and enacting a scanning/action feedback loop to check ourselves.

4) File permissions: shutting down any world-writeable files and directories.

5) ...

I will post more when I have the results - from what I have seen, we have improved from last time, but will still fail. I am somewhat embarassed as I have heard we will fail from the 'stupid' things, like passwords that have not been changed in the last 90 days or are considerably weak. So while I am toting this IDS flag and moving towards more advanced security lockdowns for the "windows of the house" while the "front door" is still somewhat open. Arrrggh! So in this audit they did not even need for us to "lower our shields." If this does happen, then we got some re-work to do here.