Is Your Organization Ready For The Audit Challenges Of 2010?
By Gordon Smith (January 2010)
Download PDF of article at http://www.canaudit.com/Perspectives/Volume11-Issue1.pdf

This year, as I write my Perspective on the New Year, I am very concerned. I have seen a significant increase in organizations that had to report the loss of confidential information (see privacyrights.org for an update on the organizations that reported cyber incidents). In 2009, there was a significant increase in electronic fraud, particularly from organized groups. In a previous Canaudit Perspective, I outlined the shift in fraud scams and the techniques used to gain access to account information. Since then, there have been several more payroll frauds, a significant increase in bank wire frauds, and an increase in credit and debit card frauds. Clearly, the situation is getting worse, yet most organizations are not increasing the scope of internal audits to identify flaws that are susceptible to fraud.

When a serious event occurs, I hear a similar mantra from management: “We are SOX Compliant”, “We are PCI compliant”, “We are HIPAA compliant”, “We are COBIT compliant”. Management actually believes that being compliant means that they are secure. Now, do not get me wrong. I believe that complying with these standards is essential. I just want to reemphasize that the standards are weak on real security. The standards often rely on general controls, management review, and some access and patch controls, but they do not go to the depth required to ensure a secure environment. This is not the fault of the standard. Remember that the standards usually set the minimum requirements.

The standards are set at a point in time. They are reviewed and updated periodically based on input to the governing body. Changes to the standard must be studied, drafted, peer reviewed, and released. This is a labor-intensive process, performed primarily by knowledgeable and dedicated professionals. Unfortunately, the process takes time. By the time revised standards are published, the bad guys and gals have invented new tricks to circumvent control structures. If you close one door, they come in through the windows. Close the windows and they come in through the chimney. It is a constant battle to remain compliant and secure.

As I work with a variety of audit and security professionals, I have come to the conclusion that they are looking at the wrong things or wasting a lot of time in interviews. While it is necessary to document control structures, I believe that thorough testing of controls is necessary. At Canaudit, we use a suite of automated software tools that enable us to quickly audit operating systems, databases, network devices, web applications, and Internet sites. This is just a small sampling of our tools and techniques that we have developed over the last 25 years. There are many publicly available tools that also enable automated or semi-automated auditing. We teach participants in our seminars how to use some of the most popular tools. We also provide them with a CD containing a variety of proven software tools to automate many of the security checks we believe are necessary.

The ironic thing is that most of the auditors and some of the security officers in my classes are not permitted to use these tools when they return to their offices. I understand that IT management is concerned with use of the tools on the network. I also know that these same people are concerned that this type of testing will reveal serious gaps in the organization’s IT security structure. To ensure that the status quo is not disrupted, auditors and security personnel are prevented from using the tools. This works well until there is a major security incident. That is when I hear that executives relied on the very security professionals whose hands they tied. The security professionals may be the ones who ultimately pay for the breach with their jobs.

When I am called in after a security event, I like to review budget submissions, emails, and other documentation. This often shows that the security professional was not permitted to acquire or use the tools necessary to validate that the required security is in place. Then I make a point to let management know that there is definitely a public relations cost to declining security tools, tying the hands of your security and audit professionals, and generally burying their heads in the “it won’t happen here” sandpit. These are strong words, particularly from me, but they have to be said. We can no longer proceed as if our networks are secure. We must recognize that the threats are real, that additional controls are needed, and that security must be rigorously tested on a regular rather than periodic basis.

I have also noticed that the IT Audit skill sets of many audit departments are degrading. Training budgets have been decimated over the last two years. As a result, it has been difficult for auditors to remain cognizant of new threats and the required controls to ensure that their informational assets remain secure. Many IT audit groups continue to use some of the same techniques we used 15 years ago instead of newer tools that can automate risk identification and qualification. Compounding the loss of professional development resources, some audit departments have downsized their IT audit staff over the last few years. As a result, many audit departments are not prepared to respond to the heightened risk of compromised networks and the disclosure of confidential information.

As mentioned in some of my previous newsletters, the hackers have changed techniques. They target databases directly. The shortage of both IT auditors and IT audit skill sets results in the failure to audit critical databases. Recently, I added some live demonstrations to my presentations. These demonstrations show the ease with which databases can be compromised while avoiding intrusion prevention and detection software controls. The participants are shocked to see the simplicity of the methodologies currently in use by cyber criminals and how effectively they beat a sophisticated control structure. The demonstrations have the most impact on senior executives. When they see with their own eyes how easy it is to bypass controls and steal data, they finally understand the need for a modern IT control structure.

Moving on to another topic, it is clear to me that audit reports are not conveying the information executives need to truly understand the risks. I believe that three things cause this information gap. The first is the failure to clearly state the risks in our existing audit reports. The second is failing to do the right audits. The third is failing to do the audits we do perform correctly. Let me explain these in more detail.

In my review of my client’s audit reports, I often see an executive summary that does not communicate the risks to management in a way that enables them to grasp the severity of issues. The executive summary starts out with a short description of the audit scope. Then we have several paragraphs describing how various controls are ineffective. Then we close by stating that controls are adequate. Is it any wonder that management does not fund enhanced control structures? If controls are adequate, why should they worry? Yes, there are some issues, but they believe they can live with them. In my classes, I have a routine I do to explain the futility of existing audit summaries. The typical summary starts by describing the scope. The summary continues by stating that this control sucks, that control sucks, and additional controls suck, etc. Then the summary ends with the statement that overall controls are adequate.

Now let us look at the word adequate. In the dictionary, it states that adequate means “barely sufficient to suitable.” Would you get on an airplane that had an adequate amount of fuel? Would you invest your life savings in a stock that had an adequate probability of appreciating? At Canaudit, we write our audit reports in a way that management understands the issues and the severity of the issues. We do not state that controls are adequate. Instead, we describe the greatest unmitigated risks identified during our audit. Occasionally, our clients have a very effective control structure. When that happens, we state clearly that the controls are effective and that staff did a great job. In any audit report, it is necessary to ensure that management gets the correct message. Do not say that controls suck, but that they are adequate. If controls are bad, state it clearly.

Now let us look at failing to do the right audits. General controls are over-audited. It is amazing to me that internal and external auditors and regulators all tend to audit these. We need to look at a new dimension in auditing: protecting our networks and data from cyber criminals, disgruntled employees, and, yes, employees who make dumb and stupid mistakes. This means that we have to raise the priority of database, network, and operating system audits. At Canaudit, we have combined these audits into a single project, the IT Security Baseline. In four or five days, we sweep the entire network looking for poorly secured machines, databases, and network devices. We perform a full battery of tests on these items. Other items such as technical audits of applications take longer.

The IT staff at our clients is usually very surprised when we come in and do our technical audits. We do not ask the same questions other auditors have repeatedly asked them. Instead, we look at the network, the databases, the applications, and the web applications as a truly technical audit. We audit them with a combination of automated and manual procedures. We do not spend much time interviewing the client staff. Instead, we come in, hook up to the network, and proceed to do the audit using our audit software. After we have completed the majority of the work, we then have the information required to determine the essential controls that need to be implemented and the priority of the control implementation.

We believe that the IT Security Baseline is the most important part of an IT Audit or Security two-year plan. At the beginning of the audit cycle, it identifies the greatest risks and provides a series of metrics that can be used by executives to measure improvements. The baseline also enables audit management to adjust and reprioritize the audit plan. The security baseline gives the audit committee and the Chief Audit Executive the knowledge they need to reassess the audits and the urgency or priority each audit should be given.

As we are now into a new year, it is time for auditors and security folks to focus and concentrate. We need to focus on the projects that need to be done and concentrate on getting them done. As mentioned earlier, our applications, networks, and databases are at risk. Every day, more cyber theft and frauds are reported. Our work on data warehouses, where many of our clients store their critical data, demonstrates that they are often poorly secured. They are a sitting duck to a professional cyber criminal. Many of our clients have off-shored critical operations and support functions. As a result, there is a plethora of network gateways from the outsourcer to their many clients that may not be properly audited or even known to your risk managers. As a result, there is a need to ensure that your staff has the knowledge to operate effectively in these complex environments.

Professional development is essential for the members of our profession. Audit and security professionals need to continuously upgrade their skill sets. Canaudit offered a two-for-one registration special late last year to provide our clients with a vehicle to obtain high-quality professional development at a price that constrained budgets could afford. We will continue to offer incentives to assist our clients in obtaining the skills they need to face new audit and security challenges.

Another challenge that auditors face is the ever increasing costs of membership in professional organizations. The Institute of Internal Auditors just notified me that membership dues would be increasing by 50 percent. My communications with them about this indicate that the increase is required. Personally, I think this is terrible timing. Many of the members are facing reduced financial support from their companies for professional dues. Others have lost their jobs and are unable to pay for the increase. That said, the Institute claims that their costs are rising and the increase, which was carefully considered, needed to happen. I can only hope that your company continues to support your membership in professional organizations.

The issues I have raised in this article will ensure that each of you has plenty of work to do in 2010. I suggest that you start with a security baseline as soon as possible. Your network, and the machines and databases within it, need to be subjected to a rigorous test. My objective for 2010 will be to help our clients find their security risks, assess those risks, and ensure they are properly fixed. Never before in my 30 years of auditing have I seen the risks we face today. Please contact me if you would like Canaudit to provide your organization with an IT Security Baseline.

Happy New Year from all of us at Canaudit. We look forward to servicing your audit and security needs in 2010 and beyond. As always, the opinions expressed in this article are mine and mine alone. I look forward to receiving your comments and questions. Please feel free to email me at Gordon@canaudit.com. You may also wish to share this article with your associates and friends. You are more than welcome to forward the article to them with my compliments.

Canaudit specializes in a variety of information system and technology audits, ranging from periodic network penetration testing to full network and operating system security review. Our tailored audits provide an objective, disciplined, and in-depth analysis to evaluate and improve the effectiveness of risk management, control and security within your organization’s technological environment. If you are interested in having Canaudit perform an IT audit for your organization, please email Gordon@canaudit.com or Tamra@canaudit.com, or call (805) 583-3723.

Canaudit provides quality seminars to various organizations including audit and security chapters and major corporations. These seminars range from technical information system audit classes to internal audit classes aimed at everyone from an introductory level up to management. With nearly 20 courses to choose from, we are sure to have one that will meet your individual needs. In addition to chapter and private seminars, Canaudit also holds public courses. For more information on upcoming public courses and to register, visit www.canaudit.com/seminars.html. For questions relating to Canaudit professional development or to schedule a Canaudit seminar, please email Brenna@canaudit.com or call (805) 583-3723.