We find that many IT departments within our clients’ organizations have very talented IT staff, but all too often they don’t have an information security and compliance staff member on board. So the question is, how can they meet compliance and maintain security of their vital business assets? We believe it’s difficult with a yearly IT audit. Let’s face it, IT audits done this way go back many decades, to when cyber threats were nonexistent.
Our CEO recently decided it was time to offer a continuous total audit solution. As you know, IT audits are often done on a yearly basis, and that leaves IT departments scrambling to fix everything once a year. Imagine an IT audit that starts with an initial risk assessment that determines the yearly continuous audit plan. Enter continuous auditing. For a little more than the cost of a yearly audit that only looks at your People, Process and Technology once a year, now audit teams can be engaging with your IT team monthly.
It starts with a risk assessment that sets the audit scope for the year; next, auditors tailor an IT audit plan based on your business risk. For example: an organization subject to HIPAA signs up for a yearly service, and it’s determined that firewall issues are their number one risk. Auditors begin the first month’s audit focusing on this critical priority; the next month they will target the next-highest risk area. It might be Active Directory permissions issues.
Auditors follow through each month, focusing all their effort on the next technical element. Some elements include: mobile devices, workstations, servers, intrusion prevention, email protection, web filtering, anti-virus, OS, network and application patching, network infrastructure, policies, vulnerability scanning, and any critical business application that contains electronic protected health information (ePHI).
If an organization has multiple critical issues that can be addressed immediately and lower priorities that can be addressed throughout the year, we believe both industry executive leadership and IT staff will fully embrace this new shift in IT audit, as it’s continuously looking at all the major elements in depth vs a quick once-a-year audit.
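The scheduling procedure described above (risk assessment, rank the elements by business risk, address critical issues immediately, then work through the remaining elements one per month) can be made concrete in a small planner. The following is an added example, not code from the original post or from the author’s firm; the risk areas are taken from the list above, but their likelihood and impact scores, the 5x5 scoring scale and the critical threshold of 20 are constructed assumptions. It also handles the two edge cases the text leaves implicit: more risk areas than months (the lowest-risk ones are deferred to the next risk assessment) and fewer areas than months (the spare months re-audit the highest-risk elements).

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class RiskArea:
    """One technical element from the risk assessment, scored on a 5x5 matrix (assumed scale)."""
    name: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


# Each plan entry is (element name, kind) where kind is "critical", "scheduled" or "re-audit".
PlanEntry = Tuple[str, str]


def rank_by_risk(areas: List[RiskArea]) -> List[RiskArea]:
    """Highest risk first; ties are broken by name so the plan is deterministic."""
    return sorted(areas, key=lambda a: (-a.score, a.name))


def plan_year(areas: List[RiskArea], months: int = 12,
              critical_threshold: int = 20) -> Dict[str, object]:
    """Build the continuous audit plan from a ranked risk assessment.

    - Every element at or above critical_threshold is audited in month 1, immediately.
    - Remaining elements get one month each, in descending risk order.
    - Elements that do not fit in the year are deferred to the next risk assessment.
    - Months left empty cycle back over the ranked list as re-audits.
    """
    ranked = rank_by_risk(areas)
    critical = [a.name for a in ranked if a.score >= critical_threshold]
    remaining = [a.name for a in ranked if a.score < critical_threshold]

    plan: Dict[int, List[PlanEntry]] = {m: [] for m in range(1, months + 1)}
    month = 1
    if critical:
        plan[1] = [(name, "critical") for name in critical]
        month = 2

    while remaining and month <= months:
        plan[month].append((remaining.pop(0), "scheduled"))
        month += 1
    deferred = remaining  # whatever is left did not fit into this year

    # Spare months: revisit the highest-risk elements so coverage stays continuous.
    cycle = [a.name for a in ranked]
    i = 0
    while month <= months and cycle:
        plan[month].append((cycle[i % len(cycle)], "re-audit"))
        i += 1
        month += 1

    return {"plan": plan, "deferred": deferred}


# Constructed sample risk assessment (scores are assumptions, not real findings).
SAMPLE_ASSESSMENT = [
    RiskArea("Firewall configuration", 5, 5),        # 25, critical
    RiskArea("Active Directory permissions", 4, 4),  # 16
    RiskArea("ePHI business application", 3, 5),     # 15
    RiskArea("OS and application patching", 4, 3),   # 12
    RiskArea("Vulnerability scanning", 3, 4),        # 12
    RiskArea("Servers", 2, 5),                       # 10
    RiskArea("Email protection", 3, 3),              # 9
    RiskArea("Workstations", 4, 2),                  # 8
    RiskArea("Mobile devices", 3, 2),                # 6
    RiskArea("Intrusion prevention", 1, 5),          # 5
    RiskArea("Network infrastructure", 1, 4),        # 4
    RiskArea("Web filtering", 2, 2),                 # 4
    RiskArea("Anti-virus", 3, 1),                    # 3
    RiskArea("Policies", 2, 1),                      # 2
]


def sample_plan() -> Dict[str, object]:
    return plan_year(SAMPLE_ASSESSMENT)


if __name__ == "__main__":
    result = sample_plan()
    for m, entries in result["plan"].items():
        print(f"Month {m:2d}: " + ", ".join(f"{n} [{k}]" for n, k in entries))
    print("Deferred to next assessment:", result["deferred"])
```

With the sample scores, the firewall is the only critical item and lands in month 1, Active Directory permissions follows in month 2, and the two lowest-risk elements (anti-virus and policies) are deferred because fourteen elements do not fit into twelve monthly slots; the deferred list is the input to next year’s risk assessment rather than something silently dropped.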
Why continuous IT auditing is necessary
1. The majority of phishing cases feature phishing as a means to install persistent malware. As detailed in Verizon’s 2016 Data Breach Investigations Report, “What we have here is a failure to communicate.” Apparently, the communication between the criminal and the victim is more effective than the communication between employees and security staff. Thirty percent of phishing messages were opened by the target across all campaigns. About 12 percent went on to click the malicious attachment or link and thus enabled the attack to succeed. A static once-a-year IT audit is not proactive and will not see this trend until it’s too late.
2. Mitigation is often just as useful as remediation – and sometimes your only option, according to Verizon’s latest report. This gets at a core and often-ignored vulnerability management constraint: sometimes you just can’t fix a vulnerability, be it because of a business process, a lack of a patch or incompatibilities. At that point, for whatever reason, you may have to live with those residual vulnerabilities, and a compensating control that reduces the exposure is the realistic path. A static once-a-year IT audit is not proactive and can’t address the latest vulnerabilities and how to mitigate them if a patch can’t be applied.
3. Sixty-three percent of confirmed data breaches involved weak, default or stolen passwords, Verizon states. The use of stolen, weak or default credentials in breaches is not new, is not bleeding edge and is not glamorous, but boy howdy it works. Static authentication mechanisms have been attacked for as long as we can remember. Password guessing from an InfoSec perspective has been around at least as long as the Morris worm, and has evolved to prominent malware families like Dyre and Zeus that are designed to (among other bad things) capture keystrokes from an infected device. All those efforts to get users to use special characters, upper/lower case letters, numbers and minimum lengths are nullified by this ubiquitous malware functionality. A static once-a-year IT audit is not proactive and thus will only ask for an additional character added to password length when what’s needed is a plan to implement two-factor authentication.
4. The great complexity of their infrastructure makes web application servers a target for attackers. Verizon brings up a good point: web sites are not static pages anymore; they are highly interactive and more complex. Users are not merely reading a homepage and clicking on a couple of links to basic information about store hours, but are increasingly more interactive and issue various types of inputs to be read and acted upon by the web infrastructure. The greater complexity, including the web application code and underlying business logic, and their potential as a vector to sensitive data in storage, or in process, makes web application servers an obvious target for attackers. A static once-a-year IT audit is not proactive and will not focus on website vulnerabilities and how they translate to business risk.
5. You can’t effectively protect your data if you don’t know where it resides. It does you little good to know where it is but then pay no attention to who has access to it. Make sure that you are aware of exactly where your data is and be careful who you give privileges to and to what degree. It makes sense to give the valet attendant your keys to park your car, but not to hand over your credit cards as well. A static once-a-year IT audit is not proactive and will not be there continuously and thus will miss the many opportunities to identify and protect data.
Static once-a-year IT audits started at a time when computers were not on a public internet. A once-a-year or twice-yearly IT audit snapshot was adequate. Now the entire globe is connected via the internet, and each one of your corporate computers is just waiting to be attacked 24×7. This is why we need continuous IT audits. Your systems are being targeted every minute of every day, so why only spot check your critical IT systems yearly?
The headlines: 70 percent of mobile devices on top networks vulnerable, the GiftGhostBot botnet stealing retailer gift card balances, the W-2 phishing scam, the hack of ABC’s Twitter account. I could go on, but with 390,000 new malicious programs released daily per AV-TEST, you can see that it’s a very dynamic threat landscape, one that has outgrown yesterday’s static yearly IT audits.
It’s time to raise the bar once again, just as my colleague Mark Wolfgang has done with continuous pen testing. We can no longer afford to be reactive; we must be proactive, and that means a cyber strategy that includes 100 percent compliance and Advanced Persistent Security, as outlined in my colleague Ira Winkler’s latest publication.