Are your IT auditors using best-of-breed commercial grade products or do they use freeware and open source IT Assessment tools? Based on BAI Security's review of previous IT auditors' results, the majority of banks are being left exposed with potentially serious undiscovered vulnerabilities. The most common underlying factor in these environments is the actual testing tools and testing methodology used. To fully understand the risks to your organization, you need to have your auditors use tools and processes capable of identifying all threats to your systems.
Simply stated, traditional network-based vulnerability assessment tools send requests to systems/software running on the target machine and look at the responses to determine if particular vulnerabilities exist. The only systems/software testable in this manner are those that actually respond to network communication requests (i.e., network-facing systems such as web servers and email servers). Unfortunately, the majority of desktop applications, which often have major security risks that lead to compromises, do not respond to these traditional network-based vulnerability assessment scans at all.
Applications such as Microsoft Office, Adobe Acrobat, CRM systems, accounting systems and many similar programs do not respond to the network-based scans used by most freeware and open-source vulnerability testing tools. Malicious hackers are increasingly focusing on these applications since they provide the proverbial low-hanging fruit: they are often not being tested and therefore are not remediated.
If the base testing tools used are not able to identify these serious threats, it’s clear that the deliverables of the audit process itself are at least suspect, if not flawed and/or completely inadequate. This clearly leaves many organizations living with a false sense of security about their true risks. Everyone loves to see a clean audit report, but not at the risk of a system compromise or actual breach within the organization.
It is imperative that auditors utilize a more modern-day assessment tool solution that utilizes an Authenticated Vulnerability Assessment (AVA) testing approach, such as those used by BAI Security. These tools actually log into the target system to scan the file system, Windows registry, and specific application configuration files to fully identify all the applications running on the target system (not just the network systems/software).
Only with this authenticated logon method can the testing tool properly detect all the installed applications, fully test these applications for vulnerabilities, and determine the inherent security risks to your systems. With these facts in mind, it's also clear that only auditors utilizing these tools can produce audit findings that accurately represent your organization's true risks.
As you plan your next IT Security audit, are you considering, in your vendor due diligence, an evaluation of the IT Audit tools used? As part of the IT Assessment proposal process, request a list of the tools your IT Auditor plans to use to complete the audit. Are they best-of-breed, freeware, or open source? Do they utilize the AVA approach to ensure an accurate final deliverable?