    When the Auditor is Tricking Your Business

    IT Discussion
    • scottalanmiller

      So, if you have someone unethical scamming your business for money by running a fake audit (a common business practice, I know), you have, essentially, a breach. How do you really address that? What do you do when the auditor themself is the security breach, you can't trust them, and they cast doubt on the person who let them in the door and who is now failing to show them the door now that they have been found out?

      • DustinB3403

        Wouldn't you at this point sue before the auditor can sue you?

        Since the auditor isn't there to sue, but is there to point out security risks, if the auditor can't be shown what is and is not a security risk, you fire them and hire another auditor.

        • scottalanmiller @DustinB3403

          @DustinB3403 said in When the Auditor is Tricking Your Business:

          Wouldn't you at this point sue before the auditor can sue you?

          Since the auditor isn't there to sue, but is there to point out security risks, if the auditor can't be shown what is and is not a security risk, you fire them and hire another auditor.

          If YOU have the authority. In the case in point, someone higher up let the auditor in, which is the problem as well.

          • Dashrender @scottalanmiller

            @scottalanmiller said in When the Auditor is Tricking Your Business:

            So the original thread.... an auditor is threatening to fail a medical practice on an audit if they don't do something pointless, expensive and potentially bad for their customers all because the auditor (a lawyer) doesn't understand the technology and is scamming the business in question by doing an "audit" without knowing what he is auditing.

            So the issue at hand is that a security audit is being done by someone who has already tricked someone into the business to hire him when he's not qualified even to discuss what they are doing. So this poses some issues.... someone hired someone totally unqualified and that person got in the door based on tricking them that they were qualified. Now if this wasn't a security audit, things would be a little different. But as a security audit, this is especially troublesome that the auditor managed to get in through a security vulnerability... we presume. Namely someone hiring security people who can easily be manipulated.

            This is a horrible assumption!

            The OCR is launching audits of medical practices, hospitals, etc. So these are non-voluntary audits; the practice won't be the one hiring someone.

            • Dashrender

              An example: we are audited by Medicare every 3 years. They are checking things against the check boxes you love so much. Do they understand why a power strip that was completely fine last year is suddenly not fine this year simply because a new UR code isn't stamped on the box? Oh... because the code didn't exist last year when the strip was purchased. Of course not.

              The same goes for any of these typical non-IT personnel doing the audits for the OCR.

              • TAHIN

                There was a reddit article a while back about a completely legit HIPAA auditor demanding domain logons and passwords for every user in the company to prove that IT kept track of the stuff. So they went through this guy's company directory, found his boss, and talked to him. The auditor in question was 'confused' and rescinded the demand.

                I'm starting to wonder if security audits are conducted like house appraisals..... "I have no idea what the rules are so I'll just do what the guy next to me did".

                • scottalanmiller @Dashrender

                  @Dashrender said in When the Auditor is Tricking Your Business:

                  @scottalanmiller said in When the Auditor is Tricking Your Business:

                  So the original thread.... an auditor is threatening to fail a medical practice on an audit if they don't do something pointless, expensive and potentially bad for their customers all because the auditor (a lawyer) doesn't understand the technology and is scamming the business in question by doing an "audit" without knowing what he is auditing.

                  So the issue at hand is that a security audit is being done by someone who has already tricked someone into the business to hire him when he's not qualified even to discuss what they are doing. So this poses some issues.... someone hired someone totally unqualified and that person got in the door based on tricking them that they were qualified. Now if this wasn't a security audit, things would be a little different. But as a security audit, this is especially troublesome that the auditor managed to get in through a security vulnerability... we presume. Namely someone hiring security people who can easily be manipulated.

                  This is a horrible assumption!

                  The OCR is launching audits of medical practices, hospitals, etc. So these are non-voluntary audits; the practice won't be the one hiring someone.

                  The basics still remain, though, you have a security concern in your midst and it sounds like the OCR is a security problem as well. Why would they force someone unqualified on you?

                  • scottalanmiller @Dashrender

                    @Dashrender said in When the Auditor is Tricking Your Business:

                    The same goes for any of these typical non-IT personnel doing the audits for the OCR.

                    All you are saying is that the audit is fake. But that we already knew. That's actually the issue, not an excuse for it, right?

                    • Dashrender

                      @TAHIN exactly right - and we end up with the problems that my other thread was there to resolve.

                      Auditors for the OCR are the ones that basically get to decide if you are guilty or not. The appeal process for most of these situations is horrible at best, impossible at worst.

                      My friend worked for a publicly traded company. Oddly enough, Sarbanes-Oxley requires that companies perform their own audits. I'm not sure how this really works, but I'll tell you what his company did.

                      They hired Deloitte & Touche to do a pre-audit; they would then fix all of those things. This was their 100-lb gorilla. Then they would hire a middle-of-the-road, basically no-name, but still authorized Sarbanes-Oxley compliant auditing firm to audit them. If that second company found that the company in question had any violations, the company would first run them by D&T. If D&T felt the auditing company was just being pushy, they'd push back with the might of D&T, and that was usually the end of it.

                      For this flexibility, they paid over $1 million a year.

                      Now of course, one might think that the company was basically finding ways to skate by, but I do believe that my friend (who was in charge) was trying to do the right thing, and was having D&T do a real and complete audit in the first place.

                      • scottalanmiller @TAHIN

                        @TAHIN said in When the Auditor is Tricking Your Business:

                        There was a reddit article a while back about a completely legit HIPAA auditor demanding domain logons and passwords for every user in the company to prove that IT kept track of the stuff. So they went through this guy's company directory, found his boss, and talked to him. The auditor in question was 'confused' and rescinded the demand.

                        How do "legit" and that go together? That his boss was able to cover doesn't make it legit. Could someone be confused to that degree? Maybe. Was it likely? Not very.

                        • scottalanmiller @TAHIN

                          @TAHIN said in When the Auditor is Tricking Your Business:

                          I'm starting to wonder if security audits are conducted like house appraisals..... "I have no idea what the rules are so I'll just do what the guy next to me did".

                          I truly believe that nearly all are scams. Some are scams just to take your money for not doing the audit that they promised to do. But a lot could be a lot worse: using the audit as a means of stealing data. I mean, look at this case in point... once the OCR and this auditor are willing to do something unethical to force money from the medical practices, why stop there? What ethical situation causes them to be willing to pressure practices to go through a fake audit but would not be willing to steal PHI if the opportunity presented itself?

                          • scottalanmiller @Dashrender

                            @Dashrender said in When the Auditor is Tricking Your Business:

                            Auditors for the OCR are the ones that basically get to decide if you are guilty or not. The appeal process for most of these situations is horrible at best, impossible at worst.

                            Is that really true? If you sue the auditor I bet you'd find otherwise. Especially if this goes much farther to the point of social engineering, like the one requesting logins. If someone does that, you don't call the OCR, you call the FBI. Let the FBI talk to the OCR about it.

                            • scottalanmiller

                              Having worked under HIPAA, SARBOX, PCI and others, one of the big lessons that was drilled into us was that we, not the auditors, were the security line of defence. Sure, auditors could cause problems, but at the end of the day an auditor would be like anyone else: if they pressured us to violate security (not quite the case here, but it could turn into that easily) we had to take legal action, and in the US social engineering includes just pressuring people to violate security, and that's a serious federal charge.

                              • Dashrender @scottalanmiller

                                @scottalanmiller said in When the Auditor is Tricking Your Business:

                                @Dashrender said in When the Auditor is Tricking Your Business:

                                @scottalanmiller said in When the Auditor is Tricking Your Business:

                                So the original thread.... an auditor is threatening to fail a medical practice on an audit if they don't do something pointless, expensive and potentially bad for their customers all because the auditor (a lawyer) doesn't understand the technology and is scamming the business in question by doing an "audit" without knowing what he is auditing.

                                So the issue at hand is that a security audit is being done by someone who has already tricked someone into the business to hire him when he's not qualified even to discuss what they are doing. So this poses some issues.... someone hired someone totally unqualified and that person got in the door based on tricking them that they were qualified. Now if this wasn't a security audit, things would be a little different. But as a security audit, this is especially troublesome that the auditor managed to get in through a security vulnerability... we presume. Namely someone hiring security people who can easily be manipulated.

                                This is a horrible assumption!

                                The OCR is launching audits of medical practices, hospitals, etc. So these are non-voluntary audits; the practice won't be the one hiring someone.

                                The basics still remain, though, you have a security concern in your midst and it sounds like the OCR is a security problem as well. Why would they force someone unqualified on you?

                                Why does any government agency force an unqualified auditor upon you? Your guess is as good as mine.

                                • scottalanmiller @Dashrender

                                  @Dashrender said in When the Auditor is Tricking Your Business:

                                  @scottalanmiller said in When the Auditor is Tricking Your Business:

                                  @Dashrender said in When the Auditor is Tricking Your Business:

                                  @scottalanmiller said in When the Auditor is Tricking Your Business:

                                  So the original thread.... an auditor is threatening to fail a medical practice on an audit if they don't do something pointless, expensive and potentially bad for their customers all because the auditor (a lawyer) doesn't understand the technology and is scamming the business in question by doing an "audit" without knowing what he is auditing.

                                  So the issue at hand is that a security audit is being done by someone who has already tricked someone into the business to hire him when he's not qualified even to discuss what they are doing. So this poses some issues.... someone hired someone totally unqualified and that person got in the door based on tricking them that they were qualified. Now if this wasn't a security audit, things would be a little different. But as a security audit, this is especially troublesome that the auditor managed to get in through a security vulnerability... we presume. Namely someone hiring security people who can easily be manipulated.

                                  This is a horrible assumption!

                                  The OCR is launching audits of medical practices, hospitals, etc. So these are non-voluntary audits; the practice won't be the one hiring someone.

                                  The basics still remain, though, you have a security concern in your midst and it sounds like the OCR is a security problem as well. Why would they force someone unqualified on you?

                                  Why does any government agency force an unqualified auditor upon you? Your guess is as good as mine.

                                  Corruption. Is there really no published process for letting the OCR know that something is amiss?

                                  • Dashrender @scottalanmiller

                                    @scottalanmiller said in When the Auditor is Tricking Your Business:

                                    Having worked under HIPAA, SARBOX, PCI and others, one of the big lessons that was drilled into us was that we, not the auditors, were the security line of defence. Sure, auditors could cause problems, but at the end of the day an auditor would be like anyone else: if they pressured us to violate security (not quite the case here, but it could turn into that easily) we had to take legal action, and in the US social engineering includes just pressuring people to violate security, and that's a serious federal charge.

                                    Agreed!!

                                    • Dashrender @scottalanmiller

                                      @scottalanmiller said in When the Auditor is Tricking Your Business:

                                      @Dashrender said in When the Auditor is Tricking Your Business:

                                      @scottalanmiller said in When the Auditor is Tricking Your Business:

                                      @Dashrender said in When the Auditor is Tricking Your Business:

                                      @scottalanmiller said in When the Auditor is Tricking Your Business:

                                      So the original thread.... an auditor is threatening to fail a medical practice on an audit if they don't do something pointless, expensive and potentially bad for their customers all because the auditor (a lawyer) doesn't understand the technology and is scamming the business in question by doing an "audit" without knowing what he is auditing.

                                      So the issue at hand is that a security audit is being done by someone who has already tricked someone into the business to hire him when he's not qualified even to discuss what they are doing. So this poses some issues.... someone hired someone totally unqualified and that person got in the door based on tricking them that they were qualified. Now if this wasn't a security audit, things would be a little different. But as a security audit, this is especially troublesome that the auditor managed to get in through a security vulnerability... we presume. Namely someone hiring security people who can easily be manipulated.

                                      This is a horrible assumption!

                                      The OCR is launching audits of medical practices, hospitals, etc. So these are non-voluntary audits; the practice won't be the one hiring someone.

                                      The basics still remain, though, you have a security concern in your midst and it sounds like the OCR is a security problem as well. Why would they force someone unqualified on you?

                                      Why does any government agency force an unqualified auditor upon you? Your guess is as good as mine.

                                      Corruption. Is there really no published process for letting the OCR know that something is amiss?

                                      I haven't had to deal with the OCR about this, so I don't know, but we have had to deal with Medicare audits every three years. They made us replace several pieces of gear because the old gear didn't have that year's new UL codes on them. The equipment was fine last year, suddenly not fine this year.

                                      • scottalanmiller @Dashrender

                                        @Dashrender said in When the Auditor is Tricking Your Business:

                                        @scottalanmiller said in When the Auditor is Tricking Your Business:

                                        @Dashrender said in When the Auditor is Tricking Your Business:

                                        @scottalanmiller said in When the Auditor is Tricking Your Business:

                                        @Dashrender said in When the Auditor is Tricking Your Business:

                                        @scottalanmiller said in When the Auditor is Tricking Your Business:

                                        So the original thread.... an auditor is threatening to fail a medical practice on an audit if they don't do something pointless, expensive and potentially bad for their customers all because the auditor (a lawyer) doesn't understand the technology and is scamming the business in question by doing an "audit" without knowing what he is auditing.

                                        So the issue at hand is that a security audit is being done by someone who has already tricked someone into the business to hire him when he's not qualified even to discuss what they are doing. So this poses some issues.... someone hired someone totally unqualified and that person got in the door based on tricking them that they were qualified. Now if this wasn't a security audit, things would be a little different. But as a security audit, this is especially troublesome that the auditor managed to get in through a security vulnerability... we presume. Namely someone hiring security people who can easily be manipulated.

                                        This is a horrible assumption!

                                        The OCR is launching audits of medical practices, hospitals, etc. So these are non-voluntary audits; the practice won't be the one hiring someone.

                                        The basics still remain, though, you have a security concern in your midst and it sounds like the OCR is a security problem as well. Why would they force someone unqualified on you?

                                        Why does any government agency force an unqualified auditor upon you? Your guess is as good as mine.

                                        Corruption. Is there really no published process for letting the OCR know that something is amiss?

                                        I haven't had to deal with the OCR about this, so I don't know, but we have had to deal with Medicare audits every three years. They made us replace several pieces of gear because the old gear didn't have that year's new UL codes on them. The equipment was fine last year, suddenly not fine this year.

                                        That stuff is different. Ridiculous, of course, but not a security violation. And this isn't technically either, but gets pretty close. But basically you have an auditor threatening to fail you based on criteria that he can't state AND he has access to your systems when he can't be trusted. Checking out extension cords doesn't compromise security.

                                        • Dashrender @scottalanmiller

                                          @scottalanmiller said in When the Auditor is Tricking Your Business:

                                          @Dashrender said in When the Auditor is Tricking Your Business:

                                          @scottalanmiller said in When the Auditor is Tricking Your Business:

                                          @Dashrender said in When the Auditor is Tricking Your Business:

                                          @scottalanmiller said in When the Auditor is Tricking Your Business:

                                          @Dashrender said in When the Auditor is Tricking Your Business:

                                          @scottalanmiller said in When the Auditor is Tricking Your Business:

                                          So the original thread.... an auditor is threatening to fail a medical practice on an audit if they don't do something pointless, expensive and potentially bad for their customers all because the auditor (a lawyer) doesn't understand the technology and is scamming the business in question by doing an "audit" without knowing what he is auditing.

                                          So the issue at hand is that a security audit is being done by someone who has already tricked someone into the business to hire him when he's not qualified even to discuss what they are doing. So this poses some issues.... someone hired someone totally unqualified and that person got in the door based on tricking them that they were qualified. Now if this wasn't a security audit, things would be a little different. But as a security audit, this is especially troublesome that the auditor managed to get in through a security vulnerability... we presume. Namely someone hiring security people who can easily be manipulated.

                                          This is a horrible assumption!

                                          The OCR is launching audits of medical practices, hospitals, etc. So these are non-voluntary audits; the practice won't be the one hiring someone.

                                          The basics still remain, though, you have a security concern in your midst and it sounds like the OCR is a security problem as well. Why would they force someone unqualified on you?

                                          Why does any government agency force an unqualified auditor upon you? Your guess is as good as mine.

                                          Corruption. Is there really no published process for letting the OCR know that something is amiss?

                                          I haven't had to deal with the OCR about this, so I don't know, but we have had to deal with Medicare audits every three years. They made us replace several pieces of gear because the old gear didn't have that year's new UL codes on them. The equipment was fine last year, suddenly not fine this year.

                                          That stuff is different. Ridiculous, of course, but not a security violation. And this isn't technically either, but gets pretty close. But basically you have an auditor threatening to fail you based on criteria that he can't state AND he has access to your systems when he can't be trusted. Checking out extension cords doesn't compromise security.

                                          That wasn't about security specifically; it was about all aspects of the business, up to and including security. But their check sheet currently doesn't have much on it for IT security, so they don't ask much there.

                                          • TAHIN @scottalanmiller

                                            @scottalanmiller said in When the Auditor is Tricking Your Business:

                                            How do "legit" and that go together? That his boss was able to cover doesn't make it legit. Could someone be confused to that degree? Maybe. Was it likely? Not very.

                                            By legit I meant not a social engineer. He represented a legit company, though he was not reputable himself. Maybe he wanted it so he could sell it later, who knows 😕
