
I'm Andy. Our next talk is Tales from the Audit, and we are starting now, so here's Justin.

This is obviously the most popular talk of the day, right? So I wanted to do something a little bit loose, something not as common. When I was thinking about actually submitting for BSides, nobody wants to hear the governance, risk and compliance stuff, which is my field of expertise, but the thing I collect a lot of the time is these awesome stories from regulators, auditors, customers, whatever it is, and just the shocking nature of what you get from all these different people. Actually, some of the people in the audience will recognize some of these stories, and they're just gems. So this is supposed to be very light, and I'm glad everybody's drinking beer, so it'll actually be more funny this time.

A little bit about me: I actually just broke back into the consulting thing. I was consulting, went back into private industry running security programs, and now back into consulting work with Dave Kennedy, who a lot of you guys obviously know. We're basically going to be focusing on a number of different areas, and I've got stories on all of them, and it is just amazing some of the things that people will say.

So first up, regulators. Anybody deal with financial regulators? This is mostly on the FFIEC and some of the different aspects. Don't you love them? So my first story: "Do you monitor for...?" To set this up, this is when I was actually working at Diebold, and at Diebold we were labeled as one of the privileged critical service providers. It basically means that we service a number of the financial industries, and we got the privilege to have all the organizations, the OCC, the FDIC, the NCUA, all come to our building for about a month-long audit. As we were going through this, it so happens that the FDIC was actually the lead examiner, but everybody was there. It was really funny: the lead examiner was a spitting image of Bill Nye, like seriously, Bill Nye to a tee, except he had glasses, but he had more of the Ben Stein attitude, like in Bueller, no personality, did not get sarcasm at all.

So we're coming back, I was letting them in the building after he went out to lunch, and he came back and he's like, "Hey Justin, on the news I saw there was a bunch of solar flares that were acting up, and the news said that they could actually interrupt some communication." I was like, "Oh yeah, I saw that on the news when I was eating my lunch." "What does Diebold do to monitor for solar flares, and how do you respond to that?" So literally we're standing in the hallway, and I started cracking up laughing. It's like a Bastard Operator From Hell story, you know, solar flares is the problem. Literally this is me laughing, and the examiner on the other side is like, "Yeah man, that's not that funny." And then of course I say the one thing you should never say to an examiner: "Oh, you're serious?" And then of course I'm trying to collect myself from laughing even more. I'm like, this guy is serious. I cannot believe he wants me to monitor for solar flares. So I'm collecting myself, I'm like, "Let me get with my BCP guy and network architect, I'll get back to you." I ran upstairs and I'm like, "Guys, you will not believe the question I just got." I sent an email out, and our network architecture guy emailed back, "Guys, we already have a plan for this. It's called wrapping all our equipment in tinfoil. It's good, we're all good, we're doing it." Later, and this is actually kind of funny, after the solar flares happened we got a notice from the FS-ISAC, if you guys are familiar with that. We got an email notice like two days later, after it had already happened: "Hey, watch out for these solar flares." Very funny.

So next one: "Need this in your BCP." To set this up, this was when I was actually a consultant. We did a lot of audit assistance, things of that nature, and this one credit union called us up and said, "Hey guys, I really need somebody to help us prepare for an NCUA audit, kind of guide us through and be our point person in front of the NCUA auditor."
So I went out there. Literally it was a one-branch credit union, one building in the middle of a farm field in Ohio, with as little capital as you can actually count. This is what this credit union was. So going over some of the stuff from prior, the previous examiner had come in and said, "Guys, I noticed there was an airport five miles away from your site. You need a specific response if a helicopter crashes into your building." And she's like, "Really? What are the chances?" They already had one for a fire; they needed one if a helicopter crashed into their building. Like, well, that's crazy. She's like, "No, that's not even the best part. Then he required that if all the roads were shut down, you need to prove that you can get into work." Literally, if all the roads were shut, she physically, and she showed me the evidence of this, had to take a picture of a bicycle out of her garage and prove to them that she had ways to get into work if all the roads were shut down. She could have taken that, probably why they were worried about it actually crashing into the building, right? Like literally, if the zombie apocalypse happened, she would have to make it into work. She honestly said to me, and this was the owner of the credit union, "If all the roads are shut down, I'm not coming into work." I'm like, "I understand that, yes." So yeah, it's just amazing to me. Some of the regulators, I apologize to any regulators in the audience here, can kind of be the kings of the kingdom, even though they never ran anything in their life, and say statistically you need a helicopter BCP plan, but yeah, don't worry about that fire one, and you have to have a bike.

So, customers. This is one that's awesome. We do a lot of different risk assessments right now at my current job and when I was previously with a consulting firm, and sometimes you just get gems of stories with that, probably more on the pen testing side, but with this story here: "Are you looking for policies?" To set this up, basically we were hired by the CFO of the company, and they had some offices at a different location, which is where their main IT location was. The CFO literally was hiring us to audit their IT department, so already an adversarial type of thing. In fact, I think he actually said that the CIO was an ass and "I'm hiring you to do a risk assessment on them," and all that stuff. So already bad news to start off with; got to be careful of that. So anyways, we start the engagement, and going through with my main contact, the IT manager, we're going through one of the sections: "Yeah, let me see your policies and procedures, see how thorough and complete they are." So he literally hands me a user manual, and there's nothing in it about security. It's just a creed, well, some ethics, that's it. Nothing on technical standards, nothing on how to run your security program at all. And literally as I'm walking into his room, seriously, this was like a Hoarders commercial edition. He had piles of paper, no doubt, off this table this high, all around his U-shaped desk and all over the floor. And I don't know if you guys ever did this, but I'm like, nobody in the office is going to believe me, so I'm like, checking email, checking email, snap. So literally I'm like, yeah, this is awesome.

So we go through that, not really a lot of policies, but I'm meeting with the CIO to discuss business continuity planning. So we're talking about that and all that they're doing, and at the end of our conversation he's like, "Justin, I saw one of your sections is policies. We have some policies." I'm like, "Oh really? Because we talked about it, and it was only like a user manual, nothing really in it." He's like, "No, we got policies." He reaches into his desk drawer, pulls out a folder, hands it to me. Literally this folder is labeled "Audit." And I'm like, all right, this is going to be awesome. So I flip through it and they're literally awesome policies, like six pages, full content, great, hit on all the topics. The problem is, we got in a conversation before and I realized he was an ex-Visa director or something like that; total copy, just a find and replace on this. And I don't really ask this question a lot, but once you get, oh yeah, he's handing me a folder labeled "Audit," I have my doubts. I'm like, "Are these policies actually being enforced in the organization?" The guy, in total honesty, says, "Oh, of course not. Way too expensive to enforce all the policies." That's crazy. And I actually looked it up for this presentation; this is what I actually wrote in the report for their policy. And as I was reading it again, I was like, it was a little harsh, to basically say that it's only worth the paper it's printed on. But literally they had policies that they didn't enforce at all, and it's just the brazenness of it: "Why do we enforce the policies? They're for audit."

So this is a good story about, this is when I was at Diebold, and I don't know if you guys know or not, I actually reported to Dave Kennedy, the CSO of Diebold at the time. And he was famous: whenever we did an audit, and we did a lot of audits there, customers auditing us, different regulations that we had to do an audit for, he'd come in. We'd do two-day, three-day, sometimes month-long audits; he'd come in to sit down for the audit, just to make sure everything's going all right. He literally pulls out his computer and does a SET demo for whoever the audience was. He would actually do a SET demo for whoever. We tried to plan it out that if we're in hot water for an audit, we'd actually have Kennedy come in and do a SET demo, and it was like, "Hey, shiny over here." So we're doing an audit with a customer, "How are you doing with our security? What are you monitoring for?" all that stuff. The auditor actually came in and it's like, "Oh, do you know what phishing is?" asking Dave Kennedy this. He's like, "Yeah, I'm pretty familiar with it, wrote a couple tools about it." He's like, "Oh okay, let me tell you what phishing is." This is the guy that wrote SET, and he already had SET created at this point. This guy went on to tell Kennedy about phishing. So after that it's like, "Okay, let me show you an example of it," and of course if anybody knows Dave Kennedy, this is how he actually gives a demo: you don't know how he types what he's going to type, literally lightning fast across it. Well, the main customer that was there actually came out after Kennedy left, and he's like, "I really don't know what he did, but that was amazing. I had no idea, but it was awesome." It was pretty funny with that there.

So next one, employees. When you're dealing with employees, especially when they're confronted with being under the spotlight with audits, sometimes you get some funny reactions, and I'm going to tell one just because time-wise I'm going pretty fast. We were doing one of the FFIEC examinations here, and one of the things you always do is prep your audience of who's going to be audited and tell them, "Hey, don't be dishonest, you want to give good answers, but don't elaborate. Don't feel like if there's an awkward pause in the silence that you need to give more information." It's always good advice to anybody going under the spotlight. We had a guy on our team that took that to heart. We had an examiner talking about user provisioning and all that stuff, and he was going over what we did for our Unix/Linux systems, going over all the details with that. And of course, if anybody's familiar with auditing, or just general questions, there are open questions and closed questions. Closed questions you can answer with a yes or no, one word; open questions, you need to give a response. So this examiner literally said, "Oh, is that the same for your Windows systems as well, as to how you provision?" Guy's like, "Yes." Awkward silence, like there was no talking for ten seconds. And as you're sitting in an audit, you're like, okay, he's not asking any more questions. Literally after that he's like, "Oh, okay." The examiner didn't ask one more question with that there.

So here's one dealing with PCI. We had a QSA in, and he wasn't the most technically minded; he came from a law enforcement background, just to set this up. We're going through, we're actually an acquirer, and talking about where we store cardholder data and what the process is
and how we actually interconnect everything. So the QSA actually came out and said, "Can you show me where the data is stored?" to one of our mainframe guys. The guy came down and he's like, "I can't show you where the data is stored. It could be anywhere on the disk." Like literally he thought, where on the platter is cardholder data? It's like asking where the woman in the red dress is in The Matrix. The guy had no idea, and the funniest thing about this is the QSA looked at me like, "Is that right? I don't know." At this point I'm literally like, "John," John is his name, "John, I think he means the path to where the cardholder data is stored." He's like, "Oh yeah, yeah, I could show him that." Like, where would your mind go to show platter, disk level, on this?

This is another great one: awareness. So we're talking at an organization about what to do to spruce up awareness, what other things we can do. We did a week-long awareness thing, I think it was in November, and it's like, okay, what more can we spruce up with our awareness? So we're throwing out some different ideas, what we can do different from last year, different awareness posters, all that stuff. So one of the guys, and they're kind of gun nuts, and I'm all for guns, they're like, "Hey, there's a big thing, there was just an active shooter a few months ago, why don't we do awareness like that?" And I'm like, that's a great idea, why don't we do awareness around active shooters? He's like, "Why don't we run in in ski masks and take over a conference room as a mock active shooter situation?" Like literally, he and another guy were like, "Let's take over a conference room and this will be the awareness." Bad idea. Can you imagine who would get shot during that if somebody was concealed carrying, or cops were called? They would not be happy with that organization.

So, consultants. These are some of my favorite ones here, because even though most of the consultants you hire, you hire them to perform a job, to give you different advice, sometimes they're just crazy. They look at stuff and just have a backwards view of things. So the first story on this is "Then encrypted," another PCI story; I got tons of PCI stories. This was when I was at an organization, we were getting an audit done, and one of the things you do is you show them where the cardholder data is stored. I got a lot of cardholder-data-stored stories for some reason. So anyway, we're going into the database and looking at where cardholder data is stored, actual database tables, all that stuff. And I did a mock example here; this is my own database, not showing the actual picture. But I'm showing them the database, and I'm kind of a sarcastic guy, so I was like, "Yeah, as you can see, everything's encrypted. Unless you can read Wingdings, you won't be able to read it." He's like, "Is that what that is? Wingdings?" I'm like, "No man, it's binary, your data trying to be rendered on the screen." "Oh, oh, that's what that is." So after he left, I run into our IT office like, "Guys, I got a great idea for a new encryption strategy: we're just changing the font to Wingdings." Like, this is awesome.

Another one: we had a customer hire another consultant to audit us against ISO and a number of other different regulations and stuff of that nature. And one of the things, he was a little weird. Everybody in security is a little weird, but this guy was just a little off, though we didn't see it through the audit. Well, one of the things that are pretty common, you go out to dinner with a customer and just have a good time, and one girl that was on my team, younger girl, this was her first job, got the pleasure of sitting next to him. And I think she was sitting next to me, but far enough that I wasn't hearing their conversation. We're all talking, and all of a sudden there was a break, a couple people went to the bathroom, and he went to the bathroom, and she turns to me, she's like, "Why did you sit me next to him?" I'm like, "What are you talking about? It can't be that bad." She's like, "No, he literally has a doll collection, and they all have personalities, he told me." I'm like, "No, no, come on, it can't be that weird." She's like, "No, it's weird." So from that point I'm like, I want to hear what's going on over here. So we're talking, and he's going on about, "Oh yeah, our anniversary's coming up for me and my wife, and I think I'm going to get her matching chainsaws and chaps." Like, yeah, that's a good gift, yeah, do that. And it even goes beyond this. This guy was a weird guy, one of those things like, all right, we're not leaving anybody alone with him, even me, like, don't leave me alone with him. And he even said at one point, he had a bigger body, I'm a fat guy, he had a bigger body style than me, and he was like, "Yeah, I only stay at hotels that have 24/7 gym service." I'm like, really buddy, like you use them at all. So yeah, it's amazing the people that you get with that.

This last one was actually recent-ish, a couple years ago. Another PCI story, love the PCI stories. This is a little bit over an email exchange, but we actually had a QSA come in, and this is when I first started with an organization. I first started in June; the QSA actually came out in March to do an audit for us. Okay, great, I start in June, and I'm like, "Are we getting the ROC back anytime soon? It's been three months." He's like, "Yeah, I'm expecting a couple more documents." So we get it all to him. I'm like, "All right buddy, so when can I... we got all the evidence, you have all the evidence?" "Yeah, I have all the evidence." "Okay, when can I get my ROC?" "I don't know, it's going to take probably another four months to get the ROC." I'm like, "You're freaking kidding me, right? You're not taking seven months to produce a ROC for me." And of course he comes at me, he's like, "Yeah, I don't know if you know anything about the PCI industry, but it takes a while." I was like, "Dude, I was a QSA before. It doesn't take this long. I expect the ROC in a week. You've had three months; I just gave you some final evidence." "Oh, okay." He eventually gets me the ROC like two days from there, but in between that time he's like, "Oh, by the way, I need the version of your AV on your Linux systems." I'm like, "Huh, okay, that's interesting. We don't have AV on our Linux systems, because they're not commonly affected by viruses." He's like, "Well, you need something, you need that AV on your Linux systems." I'm like, "Dude, explain to me why AV is effectively required on our systems when they're not commonly affected by viruses." So he comes at me, he's like, "Hey, they're still vulnerable to malware, and it won't go past our QA." So I don't know if you guys have ever done that, but I basically shoot it back, I'm like, "Dude, reread the standard. It says 'commonly affected.' You need to tell me that Linux systems are commonly affected by viruses, or it's an N/A." So he comes back: "Never seen an instance of malware on a Linux machine? Like, yes, but there's a separation between security and compliance, and I don't equate them to the same thing." So of course I fire back to the company: "I'm not interested in you pushing an agenda of security controls." So at this point he says he was involved with it, I didn't, and to top it all off, this QSA never came on site once for this audit, which, if you're a QSA, is not allowed; you have to be on site at some point during the issuance of a ROC. So he comes back: "QSA, or QA, has spoken. Here's what you can do to avoid AV being on your Linux systems." He gives me this laundry list of things, some of which actually do apply to PCI, which is valid, they have to be there for some of the controls, and some of them don't, like not surfing the internet. Security, I'm not arguing security versus compliance, but I'm like, guys, you're not doing your job with this.
Here his boss gets into the email chain, and at this point their VP of compliance is actually CC'd into this. And this is a large company, not to name any names, but it starts with a T and ends in -wave, and yeah, not naming any names. So his boss comes in, and it was a lot longer, I'm sparing you some of the details, but he basically says, "Our criteria for measuring AV on systems is: can it get viruses, and is there a remediation for it?" Those were their two criteria for it, not the commonality of it actually being exposed. And then he actually gives a great thing of what they're actually saying; they're like, "Hey, some card brands and some big acquirers have actually told us that we want more protection on systems. Not that it actually is in the PCI standard, we just want more protection, so can you guys actually push that for us?" That's actually in the email, dog, this is verbatim, with a little bit of the stuff cut out. So I basically come back to them like, "Guys, that's not what the standard says. You need to apply the commonality of it." And I don't think I put this in there, but I was like, "I want a letter from you that actually says you're considering systems like this."

Now here's the gem. So I go back to the previous year's ROC. They actually had in their verbiage, in 5.1, "for Linux/Unix systems, which are not commonly affected by viruses." They actually had that in last year's ROC. And I'm like, "Guys, if that's the case, tell me what changed. Either you do consider them commonly affected by viruses, great, or you don't, and then it's N/A for those systems." So he comes back, the QSA's boss is like, "The control sounds like it's the same control as last year. I don't understand the problem." The problem is we've never had AV on our Linux systems. They actually even had a different version of AV in the ROC that they cited us for: we were using Kaspersky, and they cited us like, "Oh yeah, they have Symantec on their Linux systems." Called them out, even said, "Guys, you're the first ones that didn't come on site, you're the first ones that basically told me that it takes seven months to complete a ROC, and you're the first ones that actually tell me that AV is effectively required on all systems here." But the next day they're like, "Oh yeah, we need to do a conference call." They call me up, and some of their senior people are like, "Yeah, Justin, you're right, we don't need to do that. And oh, by the way, we need to send somebody out there, because we're not allowed to issue a ROC without sending somebody out there." Like, I know that. So they send somebody out there. They were literally on site for one hour. One hour they were there on our site; somebody flew out for one hour, looked at a couple of background checks, and just talked to me in my office. No evidence, nothing like that. And at the time, the company I was with was both an issuer and an acquirer; we actually stored card track data, because we were obligated to do that, we actually imprinted card track data on there. Did they look at any of those systems? So just kind of a foreshadow: don't always trust your QSA. I say that, and I'm a QSA now. Don't always trust your QSA; go back with facts and kind of do that.

The last story, since I got a little bit of time, is one that I didn't put in, but it's still kind of funny. It's not really a customer or an employee; this was actually a boss at the time. So I was out on the road consulting, we're up in Seattle, I believe it was, and we're doing a generalized risk assessment, kind of a big governance overview. My boss and I were going out, and it's not Dave Kennedy, by the way, so FYI. So we're going out, and the customer was cool, so we go out on the town in Seattle, and to save on money we're splitting a hotel room. So we go, and we're drunk, going back to the hotel room at 1:00 a.m. or something like that, and both go to bed. I wake up with an arm wrapped around me as I'm sleeping in my own bed, and of course you wake up and you're like, what the hell is this? I look over, it's my boss spooning me, and I'm like, "What the hell are you doing?" He's like, "Oh [ __ ]." He gets up and goes into the bathroom, and of course me, I'm like, underwear? Okay, underwear still on, all right, good, good, good. I wake up the next morning, I'm like, "Dude, what was going on?" He's like, "What are you talking about?" I'm like, "You crawled into bed with me." "No, I didn't, like, two beds, right?" Yeah, we did have two beds. It wasn't a sharing thing, Skippy; it was two double beds. He's like, "I don't remember that." So yeah, pretty funny with that there. I think I did actually share a bed with Kennedy at one point, but totally straight, totally straight. So that's about it, guys. I'm a little bit short on time, but enjoy the conference and have a good one.

[Applause]