
Auditing the Auditors

You know how you always assume that you’re getting ripped off by your auto mechanic?  That there’s no way your car could really use a new camshaft rotator gear housing hose – but you’re not really sure what it is, or what it does, or how much it costs, but you have to trust him anyhow? 
Don’t let your network security audit be that way.
With a little knowledge and a lot of common sense, you can make sure that you’re getting the best network security audit you can, and that you’re not paying extra just because, “Our pentesting tools show that port 139 is open on laptop 57, and port 141 is open on laptop 32.  You need to buy some solutions.  We can sell them to you.”
Know Who You’re Hiring
The best way you can make sure you’re getting the security audit you need is to do a little advance homework.  There are three key things to look for in a network security audit company:
1. Independence.  Your audit company should not be a part of another IT company (and especially not related to the firm already doing your IT), regardless of whether or not it’s “another division in the company.”  You don’t want your auditors either grading their own work, or offering to sell you a solution after they find the problem.  You want nothing but objectivity – like having a trusted, competent friend tell you the real problem with your car before you take it to a mechanic to get it fixed.
2. Experience.  You should find a security auditor who knows your industry, and focuses on the unique problems associated with it.  Don’t take your Mercedes to the Kia dealer.
3. Reputation.  Make a couple calls to find out whether or not the security auditor you’re considering has done solid work in the past, and has a quality team of auditors.  Also, if possible, determine whether or not they have a good relationship or reputation with regulators.  It can’t hurt.
Know What You’re Buying
There are two reasons to get a security audit, and they’re both good ones.  First off, you’re required to because of regulations.  No getting around that one.  Second, getting a regular security audit is a good thing – it protects your valuable data, reassures you of its safety, and brings accountability and oversight to your IT processes. 
To maximize the usefulness of your security audit, there are three common audits you’re going to want.  They are:
1. External Network Security Assessment.  This is an audit of everything that connects your network to the outside world, and takes a look at all the security devices you have in place to protect you from outside incursions.  A good auditor will consider your routers, firewalls, e-mail systems and dial-up modems.  The benefits of an External Network Security Assessment include protection from viruses and other malware, and identification of unknown vulnerabilities.
2. Internal Network Security Assessment.  This is an audit of everything that goes on inside your network, and takes a look at the policies and procedures you have in place to make sure that security is as tight as you assume it is.  A good auditor will have a clear understanding of your specific operational environment, and will consider things like your security policy, network & data segmentation, network architecture, patch management, and the security of workstations and servers on your network.
3. Website Security Assessment.  This is an audit of everything associated with your website, and makes sure that your public face on the web is not vulnerable to mischief.  A good auditor will check server configuration and input validation, and will test for SQL injection and cross-site scripting.
Know What You Bought
Now that you’ve hired a good auditor and they’ve done a thorough audit, what do the findings mean to you?  There are three things you should look for in an auditor’s report:
1. Real Analysis.  The report you get should be relevant and useful to you.  It should contain real analysis of any vulnerability you have, and focus on the issues that are important to your operations.  If you get a 100-page printout filled with page after page of open-port listings, then you probably didn’t do your hiring homework in the beginning.
2. Solutions.  You’re going to want your auditor to point you in the right direction for correcting relevant vulnerabilities they find.  Just as important, you’re not going to want your auditor to offer to fix your problems – for an additional fee.
3. Thoroughness.  You’re going to want to make sure that your auditor covered everything they said they would, and that there are no surprises.  This involves not only understanding what’s in an audit, but also who’s doing the security audit. You want to make sure that the auditor you get is not only experienced, but is also comfortable on the bleeding edge of technology.
With these relatively simple steps, anyone should be able to feel comfortable with what can otherwise be an aggravating experience.  Auditing the auditors doesn’t take a PhD in computer science, any more than it takes a mechanic’s training to know that replacing the (fictional) camshaft rotator gear housing hose in your car is not a wise way to spend your car dollars.





Copyright © 2012 Software Pick Network. All rights reserved