Tips for Passing an Audit or Assessment - Structured...Audit or Assessment Rob Wayt CISSP-ISSEP,...

Post on 07-Aug-2020


Tips for Passing an Audit or Assessment
Rob Wayt
CISSP-ISSEP, HCISPP, CISM, CISA, CRISC, CEH, QSA, ISO 27001 Lead Auditor
Senior Security Engineer
Structured Communication Systems

Who likes audits?

Compliance Requirements
• PCI DSS
• NERC CIP
• HIPAA
• FERPA
• CJIS
• ISO 27001
• FISMA/NIST
  – SP 800-53, SP 800-171, Cybersecurity Framework
• SOC 1/2/3
• GLBA/NCUA
• SOX
• CIS 20 CSC

Compliance vs. Security
• Compliance is the low bar
• Your security controls can and should go well beyond it

The Findings

Most common findings on security assessments by our assessors.

Data Inventory
• What is your sensitive data?
• Where is it?
• If it is a person, process or system that transmits, stores, or processes sensitive information, it’s in scope

Segmentation
• By data security levels
  – Encrypt when traversing a lower level
• PCI using P2PE
• Micro segmentation, zero trust, private VLANs

Asset Inventory
• Use a dynamically updated system
  – All hardware in scope
• Or manually keep it updated with additions and subtractions
• Track owner, purpose, IP address, name and location if possible

Account Management
• Run reports for 90 days of inactivity
• Use expiration
  – Validate month prior
• Disable on last day
• Management approval of access
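The three account-management checks on this slide (90-day inactivity report, validating expirations a month ahead, disabling on the last day) are simple enough to automate. The script below is an added example, not part of the presentation; it runs over a constructed account list with assumed field names (`name`, `last_logon`, `expires`), where a real job would pull the same fields from AD/LDAP or the identity provider.

```python
"""Added example (not from the presentation): inactive-account report and
expiry pre-checks over a constructed account list. Field names are
assumptions; a real job would read them from AD/LDAP or the IdP."""
from datetime import date, timedelta

# Constructed sample accounts: name, last successful logon, expiry date (or None)
SAMPLE_ACCOUNTS = [
    {"name": "alice",  "last_logon": date(2020, 7, 30), "expires": None},
    {"name": "bob",    "last_logon": date(2020, 4, 1),  "expires": None},               # >90 days idle
    {"name": "svc-bk", "last_logon": date(2020, 8, 1),  "expires": date(2020, 8, 20)},  # expires within a month
    {"name": "carol",  "last_logon": None,              "expires": date(2020, 12, 31)}, # never logged in
]


def inactive_accounts(accounts, today, days=90):
    """Names of accounts with no logon in the last `days` days.
    Accounts that have never logged on count as inactive."""
    cutoff = today - timedelta(days=days)
    return sorted(a["name"] for a in accounts
                  if a["last_logon"] is None or a["last_logon"] < cutoff)


def expiring_within(accounts, today, days=31):
    """Accounts whose expiry falls in the next `days` days: the list to
    validate with the owner a month before the account is disabled."""
    horizon = today + timedelta(days=days)
    return sorted(a["name"] for a in accounts
                  if a["expires"] is not None and today <= a["expires"] <= horizon)


def disable_today(accounts, today):
    """Accounts whose expiry date is today, i.e. to be disabled on the last day."""
    return sorted(a["name"] for a in accounts if a["expires"] == today)


if __name__ == "__main__":
    today = date(2020, 8, 7)
    print("inactive 90+ days:", inactive_accounts(SAMPLE_ACCOUNTS, today))
    print("expiring within a month:", expiring_within(SAMPLE_ACCOUNTS, today))
    print("disable today:", disable_today(SAMPLE_ACCOUNTS, date(2020, 8, 20)))
```

Run on a schedule, the output of `expiring_within` is the monthly validation list and `disable_today` the daily disable list; the inactivity report should be kept as evidence for the auditor.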

Multi Factor Authentication
• U2F, push, OTP, …
• For all admin access or access to sensitive information
• OWA, VPN, cloud
• Multi factor or multi step
• Factor independence

Logging
• Use a SIEM!
  – Not just purchase one
• All in scope systems
• Security systems
• NTP

Change Management
• Document all changes to configurations
• Include approvals and roll back plans

Patching
• Non OS patches
  – Java, Flash
• Network devices
• End of support = compensating controls

Network Access Control
• MAC spoofing
• DHCP is not a security mechanism

Authorized Software
• Inventory of applications
  – Whitelist the approved, blacklist the others
  – Or other form of application control
• FIM (file integrity monitoring) on executables, system files, application files

Secure Configurations
• Use benchmarks for all systems
  – CIS, NIST, STIGs
• Apply by GPO
• Build into gold disk

Vulnerability Scans
• Use authenticated scans
• Include all in scope assets
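The Asset Inventory and Vulnerability Scans slides fit together: the scan is only complete if every in-scope asset from the inventory was scanned, and scanned with credentials. The reconciliation below is an added example, not part of the presentation; the inventory rows carry the fields the Asset Inventory slide asks for (owner, purpose, IP, name, location), both datasets are constructed, and a real check would read the inventory export and the scanner's per-host report instead.

```python
"""Added example (not from the presentation): reconcile an asset inventory
against vulnerability-scan results. Both datasets below are constructed."""

# Constructed asset inventory with the fields named on the Asset Inventory slide
ASSETS = [
    {"name": "db01",  "ip": "10.0.1.10", "owner": "dba", "purpose": "card data DB", "location": "DC1", "in_scope": True},
    {"name": "web01", "ip": "10.0.2.20", "owner": "web", "purpose": "storefront",   "location": "DC1", "in_scope": True},
    {"name": "kiosk", "ip": "10.0.3.30", "owner": "ops", "purpose": "lobby kiosk",  "location": "HQ",  "in_scope": False},
    {"name": "app01", "ip": "10.0.1.11", "owner": "dev", "purpose": "payment app",  "location": "DC1", "in_scope": True},
]

# Constructed scan results: one row per scanned host, with whether the
# scanner managed to log in (authenticated scan) on that host
SCAN_RESULTS = [
    {"ip": "10.0.1.10", "authenticated": True},
    {"ip": "10.0.2.20", "authenticated": False},
    {"ip": "10.0.9.99", "authenticated": True},   # host not in the inventory at all
]


def scan_coverage(assets, scan_results):
    """Return the three audit findings that matter for this pair of slides:
    in-scope assets the scanner never touched, in-scope assets scanned
    without credentials, and scanned hosts missing from the inventory."""
    scanned = {r["ip"]: r["authenticated"] for r in scan_results}
    inventory_ips = {a["ip"] for a in assets}
    in_scope = {a["ip"]: a for a in assets if a["in_scope"]}

    not_scanned = sorted(a["name"] for ip, a in in_scope.items() if ip not in scanned)
    unauthenticated = sorted(a["name"] for ip, a in in_scope.items()
                             if ip in scanned and not scanned[ip])
    # Unknown hosts feed back into the inventory: something is on the network
    # that nobody tracked, which is the 'dynamically updated' point on the slide
    unknown_hosts = sorted(ip for ip in scanned if ip not in inventory_ips)
    return {"not_scanned": not_scanned,
            "unauthenticated": unauthenticated,
            "unknown_hosts": unknown_hosts}


if __name__ == "__main__":
    for finding, items in scan_coverage(ASSETS, SCAN_RESULTS).items():
        print(f"{finding}: {items}")
```

An empty result for all three keys is the state you want before the assessor arrives; anything else is a gap in either the inventory or the scan configuration.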

Admin Privileges
• No local admins
  – Even for IT
• Use separate accounts for admin functions
  – RunAs, sudo
• Log/alert everything
  – Added accounts, failed logins, adds to admin group
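The "log/alert everything" item names three events worth alerting on: accounts being added, failed logins, and additions to an admin group. The detection below is an added example, not part of the presentation. It uses the Windows Security log event IDs for those three cases (4720 user account created, 4625 failed logon, 4728/4732 member added to a global/local security group), but the event records themselves are constructed JSON lines, and the threshold and group list are assumptions a SIEM rule would tune.

```python
"""Added example (not from the presentation): alert logic for the three
admin-privilege events on the slide, run over constructed JSON-lines events.
Event IDs follow the Windows Security log; the records are made up."""
import json
from collections import Counter

# Constructed sample events (JSON lines). Field names mirror the Windows
# Security log, but every value here is invented for the example.
SAMPLE_EVENTS = """
{"EventID": 4720, "SubjectUserName": "helpdesk1", "TargetUserName": "tmpadmin"}
{"EventID": 4625, "TargetUserName": "alice", "IpAddress": "10.0.5.5"}
{"EventID": 4625, "TargetUserName": "alice", "IpAddress": "10.0.5.5"}
{"EventID": 4625, "TargetUserName": "alice", "IpAddress": "10.0.5.5"}
{"EventID": 4625, "TargetUserName": "alice", "IpAddress": "10.0.5.5"}
{"EventID": 4625, "TargetUserName": "alice", "IpAddress": "10.0.5.5"}
{"EventID": 4625, "TargetUserName": "bob", "IpAddress": "10.0.5.6"}
{"EventID": 4732, "SubjectUserName": "helpdesk1", "MemberName": "tmpadmin", "TargetUserName": "Administrators"}
{"EventID": 4728, "SubjectUserName": "dadmin", "MemberName": "svc-backup", "TargetUserName": "Domain Admins"}
{"EventID": 4732, "SubjectUserName": "dadmin", "MemberName": "carol", "TargetUserName": "Remote Desktop Users"}
""".strip().splitlines()

# Assumed list of groups that count as 'admin' for alerting purposes
ADMIN_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}


def parse_events(lines):
    """Parse JSON-lines input, skipping blank lines."""
    return [json.loads(line) for line in lines if line.strip()]


def alerts(events, failed_threshold=5):
    """Return (alert_type, actor, detail) tuples for the three slide items.
    Account creations and admin-group additions alert on every occurrence;
    failed logons alert once a user crosses `failed_threshold` failures."""
    out = []
    failed = Counter()
    for e in events:
        eid = e.get("EventID")
        if eid == 4720:
            out.append(("account_created", e["SubjectUserName"], e["TargetUserName"]))
        elif eid == 4625:
            failed[e["TargetUserName"]] += 1
        elif eid in (4728, 4732) and e.get("TargetUserName") in ADMIN_GROUPS:
            out.append(("admin_group_add", e["SubjectUserName"],
                        f'{e["MemberName"]} -> {e["TargetUserName"]}'))
    for user, count in failed.items():
        if count >= failed_threshold:
            out.append(("failed_logins", user, f"{count} failures"))
    return out


if __name__ == "__main__":
    for alert in alerts(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The same three rules are what an auditor will ask to see in the SIEM; keeping the rule definitions and a sample of fired alerts is easier than explaining after the fact why an admin-group change went unnoticed.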

IoT
• Don’t allow on your network
• Change admin credentials for everything

USB Storage
• Don’t allow, or limit usage
• Set to auto scan
• Encrypt on use

Firewalls
• Only allow authorized ports and protocols
  – Inbound AND outbound
• Inbound connections to inside network
• Test segmentation
• Web content filtering

DLP
• Decrypt SSL and send to DLP for in scope data types
• Host based DLP is effective for inside threats

Encrypt Sensitive Data
• In motion and at rest
• Archive systems
  – Laserfiche, e-mail archive flat files
• Backups

Wireless
• Segmentation
• Authentication
• Rogue access points

Application Development
• Separate development environment
• Peer review code
• OWASP Top 10
• WAF

Policies
• Worse than the audit itself
• Make sure policy is implemented
  – And followed
• Don’t forget
  – Incident Response
  – Disaster Recovery
  – Business Continuity Plan

Accounting and HR
• Preparation needs to include these areas
• Store too much information, never purge anything
• More fun to audit than IT staff

SSL/TLS and SHA-1
• Use TLS 1.1 and 1.2
  – SSL and TLS 1.0 are weak
• Still see SHA-1 signed certificates

Risk Assessment
• Map to controls
• Reviewed by Senior Management

Penetration Testing
• Not a vulnerability scan
• Actual hacking
• Should be near the end of your preparation task list
• Pay for social engineering

End User Training
• Include phishing campaign
• Real life scenarios
• Document

Virtual Environment
• Separate hypervisor and hardware by classification level
• Validate data, admin, and control planes in SDN
• Cloud environments

That’s All!

Questions?