I have been reading up on a few of the auditing standards such as COBIT and PCI. I have dealt with audits at clients in the past. Financial institutions take them very seriously. Given the nature of their business and the recent financial crisis last year this approach makes complete sense.
There is a need to ensure audit compliance across the entire banking infrastructure. From a financial perspective, compliance with the various audits is a must if you wish to stay in business. Of course, my background is in network security, and network security is not the same as auditing. Although I have not met anyone who would say outright that passing a particular set of audits makes you secure, I have noticed across the audit industry in general an unstated understanding that if you do pass audits you are secure, or at least more secure than if you don't.
Passing an audit does not mean you are secure. Here is one simple example of several I have come across. One of the audits requires that your entire internal network has address translation from inside to outside. Effectively, the idea is that if I as an outside user browse to http://michaeldundas.com, that address would appear to the requester as 216.240.0.43.
From the quick diagram above, you can see how the client thinks that it is directly connected to 216.240.0.43/32, and it is. Based on the audit requirement of having complete address translation with the untrusted Internet, you would have to configure a device that converts the IP address the client sees into a different, internal IP address.
The second diagram shows a router configured with Network Address Translation (NAT) to convert the IP address in both directions. In this way the client does not know the real IP address of the server. Any attack that you could carry out without NAT, you can carry out just the same with NAT in place. Anyone who works with servers under attack knows this. It offers no additional security, just extra work.
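To make the point concrete, here is a small model of the router in the second diagram. It is an added example written for this post, not code from the original; the public address 216.240.0.43 is the one used above, while the private address 10.0.0.5, the ports, the client address and the request bytes are assumptions made for illustration. The model rewrites only the address fields of each packet: the request bytes the server receives are identical to what the client sent, and the client only ever sees the public address in the reply. Whatever the server is willing to do with a request, it will do whether or not a NAT device sits in front of it, which is why the real controls have to live on the server and the application.

```python
"""Toy model of static destination NAT (port forwarding) on a perimeter router.

Constructed example, not code from the original post. Only the address and port
fields are rewritten; the payload is never inspected or changed.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

PUBLIC_IP = "216.240.0.43"   # address the outside client sees (from the post)
PRIVATE_IP = "10.0.0.5"      # real server address behind the router (assumed)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


class NatRouter:
    """Static 1:1 translation between a public socket and a private socket."""

    def __init__(self, public_ip: str, private_ip: str) -> None:
        self.public_ip = public_ip
        self.private_ip = private_ip
        # (public_ip, 80) <-> (private_ip, 8080); ports are assumed values
        self.forward: Dict[Tuple[str, int], Tuple[str, int]] = {
            (public_ip, 80): (private_ip, 8080)
        }
        self.reverse = {v: k for k, v in self.forward.items()}

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: rewrite the destination, or drop if there is no mapping."""
        mapping = self.forward.get((pkt.dst_ip, pkt.dst_port))
        if mapping is None:
            return None
        return replace(pkt, dst_ip=mapping[0], dst_port=mapping[1])

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Inside -> outside: rewrite the source so the client sees only the public IP."""
        mapping = self.reverse.get((pkt.src_ip, pkt.src_port))
        if mapping is None:
            return None
        return replace(pkt, src_ip=mapping[0], src_port=mapping[1])


def server_handle(pkt: Packet) -> Packet:
    """A minimal HTTP-like server that echoes back the request line it received."""
    first_line = pkt.payload.split(b"\r\n", 1)[0]
    body = b"HTTP/1.0 200 OK\r\n\r\nyou sent: " + first_line
    # reply goes from the server's real socket back to the client
    return Packet(pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, body)


def client_request(router: NatRouter, request: bytes) -> dict:
    """Push one request through the router and report what each side observed."""
    client_ip, client_port = "203.0.113.7", 40000  # documentation range, assumed
    out = Packet(client_ip, client_port, router.public_ip, 80, request)
    at_server = router.inbound(out)
    if at_server is None:
        raise RuntimeError("no translation for the public socket")
    reply = router.outbound(server_handle(at_server))
    if reply is None:
        raise RuntimeError("no reverse translation for the server socket")
    return {
        "server_saw_payload": at_server.payload,   # byte-for-byte what the client sent
        "server_real_ip": at_server.dst_ip,        # private address, hidden from the client
        "client_saw_reply_from": reply.src_ip,     # only the public address is visible
        "reply_payload": reply.payload,
    }


if __name__ == "__main__":
    router = NatRouter(PUBLIC_IP, PRIVATE_IP)
    result = client_request(
        router, b"GET /index.html HTTP/1.0\r\nHost: michaeldundas.com\r\n\r\n"
    )
    for key, value in result.items():
        print(f"{key}: {value!r}")
```

Running the script shows the server receiving the untouched request bytes at 10.0.0.5 and the client receiving a reply that appears to come from 216.240.0.43. The only thing the translation adds is the hidden address; it adds no check on the request itself.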
Auditing does have its place and is necessary. For many industries, complying with audit requirements is not optional, and your staff must understand that. But don't let yourself or your staff be fooled into thinking audits make you more secure. Audits help, but they are not a substitute for good and proper security. Passing an audit does not mean you are secure.