![Page 1: Tips for Passing an Audit or Assessment - Structured...Audit or Assessment Rob Wayt CISSP-ISSEP, HCISPP, CISM, CISA, CRISC, CEH, QSA, ISO 27001 Lead Auditor. Senior Security Engineer](https://reader034.vdocument.in/reader034/viewer/2022043008/5f994677d786012d205a0a18/html5/thumbnails/1.jpg)
Tips for Passing an Audit or Assessment
Rob Wayt
CISSP-ISSEP, HCISPP, CISM, CISA, CRISC, CEH, QSA, ISO 27001 Lead Auditor
Senior Security Engineer
Structured Communication Systems
Who likes audits?
Compliance Requirements
• PCI DSS
• NERC CIP
• HIPAA
• FERPA
• CJIS
• ISO 27001
• FISMA/NIST
  – SP 800-53, SP 800-171, Cybersecurity Framework
• SOC 1/2/3
• GLBA/NCUA
• SOX
• CIS 20 CSC
Compliance vs. Security
• Compliance is the low bar
• Your security controls can and should go well beyond it
The Findings
Most common findings on security assessments by our assessors.
Data Inventory
• What is your sensitive data?
• Where is it?
• If a person, process or system transmits, stores, or processes sensitive information, it’s in scope
Segmentation
• By data security levels
  – Encrypt when traversing a lower level
• PCI using P2PE
• Micro-segmentation, zero trust, private VLANs
Asset Inventory
• Use a dynamically updated system
  – All hardware in scope
• Or manually keep it updated with additions and subtractions
• Track owner, purpose, IP address, name and location if possible
Account Management
• Run reports for 90 days of inactivity
• Use expiration
  – Validate the month prior
• Disable on the last day
• Management approval of access
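The checks on this slide, carried out over a constructed directory export, as an added example that is not part of the original deck or the presenter's tooling; the account names, dates, the 30-day warning window and the `approved_by` field are assumptions.

```python
"""Account-management review as the Account Management slide describes it:
report accounts inactive for 90 days, validate expirations a month ahead,
and disable accounts on their last day. Added illustration over constructed
records (names, dates, approvers are made up); not the presenter's tooling."""
from datetime import date

INACTIVITY_DAYS = 90      # slide: run reports for 90 days of inactivity
EXPIRY_WARN_DAYS = 30     # slide: validate the month prior to expiration
TODAY = date(2023, 9, 5)  # constructed review date

# Constructed directory export; 'approved_by' records management approval of access.
ACCOUNTS = [
    {"user": "alice", "last_logon": date(2023, 9, 1), "expires": None,
     "enabled": True, "approved_by": "mgr1"},
    {"user": "bob", "last_logon": date(2023, 3, 1), "expires": None,
     "enabled": True, "approved_by": "mgr1"},                  # 188 days idle
    {"user": "carol", "last_logon": date(2023, 9, 3), "expires": date(2023, 9, 20),
     "enabled": True, "approved_by": "mgr2"},                  # expires in 15 days
    {"user": "dave", "last_logon": date(2023, 9, 4), "expires": date(2023, 9, 5),
     "enabled": True, "approved_by": None},                    # last day, no approval
]

def review_accounts(accounts, today=TODAY):
    """Return the findings an assessor would ask about, keyed by check."""
    findings = {"inactive_90d": [], "expiring_30d": [],
                "disable_today": [], "no_approval": []}
    for a in accounts:
        if not a["enabled"]:
            continue                      # already disabled: nothing to report
        if (today - a["last_logon"]).days >= INACTIVITY_DAYS:
            findings["inactive_90d"].append(a["user"])
        exp = a["expires"]
        if exp is not None and exp <= today:
            findings["disable_today"].append(a["user"])
        elif exp is not None and (exp - today).days <= EXPIRY_WARN_DAYS:
            findings["expiring_30d"].append(a["user"])
        if not a["approved_by"]:
            findings["no_approval"].append(a["user"])
    return findings

def disable_expired(accounts, today=TODAY):
    """Disable, in place, every enabled account whose last day has arrived."""
    disabled = []
    for a in accounts:
        if a["enabled"] and a["expires"] is not None and a["expires"] <= today:
            a["enabled"] = False
            disabled.append(a["user"])
    return disabled
```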
Multi-Factor Authentication
• U2F, push, OTP, …
• For all admin access or access to sensitive information
• OWA, VPN, cloud
• Multi-factor or multi-step
• Factor independence
Logging
• Use a SIEM!
  – Not just purchase one
• All in-scope systems
• Security systems
• NTP
Change Management
• Document all changes to configurations
• Include approvals and roll-back plans
Patching
• Non-OS patches
  – Java, Flash
• Network devices
• End of support = compensating controls
Network Access Control
• MAC spoofing
• **DHCP is not a security mechanism
Authorized Software
• Inventory of applications
  – Whitelist the approved, blacklist the others
  – Or another form of application control
• FIM on executables, system files, application files
Secure Configurations
• Use benchmarks for all systems
  – CIS, NIST, STIGs
• Apply by GPO
• Build into the gold disk
Vulnerability Scans
• Use authenticated scans
• Include all in-scope assets
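How an assessor ties the Asset Inventory slide to this one: reconcile the scan export against the inventory and list in-scope assets that were missed, scanned without credentials, or never inventoried. Added example, not from the deck or the presenter's tooling; every host, address, owner and the scan export format are constructed.

```python
"""Reconcile vulnerability-scan coverage with the asset inventory: the Asset
Inventory slide asks for owner, purpose, IP, name and location per asset, and
the Vulnerability Scans slide asks for authenticated scans of every in-scope
asset. Added illustration over constructed data; not the presenter's tooling."""

REQUIRED_FIELDS = ("name", "ip", "owner", "purpose", "location")

# Constructed inventory records (all hosts, addresses and owners are made up).
INVENTORY = [
    {"name": "db01", "ip": "10.1.1.10", "owner": "dba", "purpose": "cardholder DB",
     "location": "DC-A", "in_scope": True},
    {"name": "web01", "ip": "10.1.2.20", "owner": "web", "purpose": "storefront",
     "location": "DC-A", "in_scope": True},
    {"name": "fw01", "ip": "10.1.0.1", "owner": "netops", "purpose": "edge firewall",
     "location": "DC-A", "in_scope": True},
    {"name": "kiosk", "ip": "10.9.0.5", "owner": "", "purpose": "lobby display",
     "location": "HQ", "in_scope": False},
]

# Constructed scan export: target, whether credentialed checks ran, finding count.
SCAN = [
    {"ip": "10.1.1.10", "authenticated": True, "findings": 3},
    {"ip": "10.1.2.20", "authenticated": False, "findings": 1},  # credentials failed
    {"ip": "10.1.2.99", "authenticated": True, "findings": 0},   # not in inventory
]

def reconcile(inventory, scan):
    """Return the coverage gaps an assessor would raise as findings."""
    scanned = {r["ip"]: r for r in scan}
    known = {a["ip"] for a in inventory}
    in_scope = [a for a in inventory if a["in_scope"]]
    return {
        # in-scope asset the scanner never touched
        "not_scanned": [a["name"] for a in in_scope if a["ip"] not in scanned],
        # scanned, but only from the outside: results understate the exposure
        "unauthenticated": [a["name"] for a in in_scope
                            if a["ip"] in scanned and not scanned[a["ip"]]["authenticated"]],
        # scanner found hosts the inventory does not know about
        "unknown_hosts": sorted(ip for ip in scanned if ip not in known),
        # inventory records missing a tracked attribute
        "incomplete": [a["name"] for a in inventory
                       if any(not a.get(f) for f in REQUIRED_FIELDS)],
    }
```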
Admin Privileges
• No local admins
  – Even for IT
• Use separate accounts for admin functions
  – RunAs, sudo
• Log/alert everything
  – Added accounts, failed logins, adds to the admin group
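The "log/alert everything" bullet as detection logic run over constructed Windows Security events, as an added example that is not part of the deck or the presenter's SIEM content. The event IDs (4720, 4625, 4728/4732/4756) are real Windows IDs; the hosts, users, timestamps and the 5-failure threshold are assumptions.

```python
"""Alerting on what the Admin Privileges slide says to log: added accounts,
failed logins and additions to an admin group. Added illustration over
constructed Windows Security log records (the event IDs are real Windows IDs;
hosts, users and times are made up); not the presenter's SIEM content."""
from collections import defaultdict

# Windows Security event IDs: 4720 user account created; 4625 failed logon;
# 4728 / 4732 / 4756 member added to a global / local / universal security group.
ACCOUNT_CREATED = {4720}
FAILED_LOGON = {4625}
GROUP_ADD = {4728, 4732, 4756}
ADMIN_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}
FAILED_LOGON_THRESHOLD = 5   # constructed: alert once an account reaches 5 failures

# Constructed sample events; 't' is a minute offset rather than a real timestamp.
EVENTS = [
    {"t": 1, "id": 4720, "host": "DC1", "subject": "itadmin", "target": "svc_backup"},
    {"t": 2, "id": 4732, "host": "DC1", "subject": "itadmin", "target": "svc_backup",
     "group": "Administrators"},
    {"t": 3, "id": 4732, "host": "DC1", "subject": "itadmin", "target": "helpdesk1",
     "group": "Remote Desktop Users"},                    # not an admin group: no alert
] + [{"t": 10 + i, "id": 4625, "host": "WS7", "subject": "-", "target": "jdoe"}
     for i in range(6)]

def alert_on_events(events):
    """Return (rule, detail) alerts in time order; failed logons fire once per account."""
    alerts = []
    failures = defaultdict(int)
    for e in sorted(events, key=lambda e: e["t"]):
        if e["id"] in ACCOUNT_CREATED:
            alerts.append(("account_created",
                           f'{e["subject"]} created {e["target"]} on {e["host"]}'))
        elif e["id"] in GROUP_ADD and e.get("group") in ADMIN_GROUPS:
            alerts.append(("admin_group_add",
                           f'{e["target"]} added to {e["group"]} by {e["subject"]}'))
        elif e["id"] in FAILED_LOGON:
            failures[e["target"]] += 1
            if failures[e["target"]] == FAILED_LOGON_THRESHOLD:
                alerts.append(("failed_logons",
                               f'{e["target"]}: {FAILED_LOGON_THRESHOLD}+ failed logons on {e["host"]}'))
    return alerts
```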
IoT
• Don’t allow it on your network
• Change admin credentials for everything
USB Storage
• Don’t allow, or limit usage
• Set to auto-scan
• Encrypt on use
Firewalls
• Only allow authorized ports and protocols
  – Inbound AND outbound
• Inbound connections to the inside network
• Test segmentation
• Web content filtering
DLP
• Decrypt SSL and send to DLP for in-scope data types
• Host-based is effective for inside threats
Encrypt Sensitive Data
• In motion and at rest
• Archive systems
  – Laserfiche, e-mail archive flat files
• Backups
Wireless
• Segmentation
• Authentication
• Rogue access points
Application Development
• Separate development environment
• Peer review code
• OWASP Top 10
• WAF
Policies
• Worse than the audit itself
• Make sure policy is implemented
  – And followed
• Don’t forget
  – Incident Response
  – Disaster Recovery
  – Business Continuity Plan
Accounting and HR
• Preparation needs to include these areas
• They store too much information and never purge anything
• More fun to audit than IT staff
SSL/TLS and SHA-1
• Use TLS 1.1 and 1.2
  – SSL and TLS 1.0 are weak
• Still see SHA-1 signed certificates
Risk Assessment
• Map to controls
• Reviewed by senior management
Penetration Testing
• Not a vulnerability scan
• Actual hacking
• Should be near the end of your preparation task list
• Pay for social engineering
End User Training
• Include a phishing campaign
• Real-life scenarios
• Document
Virtual Environment
• Separate hypervisor and hardware by classification level
• Validate data, admin, and control planes in SDN
• Cloud environments
That’s All!
Questions?