27 Aug 2013
Introduction In the course of any given year BAI Security performs hundreds of IT Security Audits for truly security-conscious organizations in highly regulated industries. Our specialization includes in-depth IT Security Audit and Forensic services primarily to the Banking and Finance, Pharmaceutical, Healthcare, and Insurance sectors. In an effort to bring awareness to growing trends related to security risks leading breaches and confidential data loss, BAI Security routinely publishes warnings based on real-world audit results within these industries we focus on. Background Over the past year, BAI Security has reported on numerous occasions about two common security risks that are very often considered “known issues” or common problems that most organizations are aware of and have addressed. The two security issues, which are almost thought of as non-issues because they’ve been addressed, are vulnerability management and social engineering. In fact, both of these topics are hardly the latest buzzwords and since we’ve not specifically mentioned cloud computing or kind of social media in this discussion yet, it may be tempting for many people to stop reading now. However, if your intellectual property, reputation, and overall business health is important to your organization, I can’t stress enough the importance of you to read on. The Problem(s) Frankly, due to use of poor quality testing tools and inadequate audit methodologies, most organizations who think they have security-related patch management under control are actually running with a false sense of security This fact is routinely proven during BAI Security audits where organizations that were already certain this area was under control found out post-audit, it was not. Although a major contributor, this issue alone is not the only factor in our reported risk to intellectual property. Social Engineering is another of the common security risks that those responsible for security have known about for many years. Most would agree it is certainly a valid area of concern and training users often has only minor impacts on improving the problem of users aiding hackers in breaching an environment. Both of these facts are proven true on an alarmingly high percentage of audits conducted annually, but again this fact alone is not the single threat we’re talk about in this warning. The combination of a weak perimeter due to social engineering combined with a multitude of high-risk internal vulnerabilities from poor patch management make an environment truly ripe for a breach. Most internal IT departments and security personnel would agree that this combination could be a serious threat. However, it’s the fact that most of them do not realize their own environment is one those most at risk to this combination threat. Most of you reading this warning right now may very well be completely confident that your organization is at low risk to this combined attack vector. However, the statistics simply don’t support it. Audits conducted to date in 2013 support the fact that around 70% of you are in fact at high risk to breach and unauthorized access due to these two seemingly common and underestimated security risks. Interestingly, this percentage is up from 57% in 2012, likely due to the advances in audit testing tools and improved methodologies to detect risks. In other words, they’ve likely always existed, it’s just that now we are better at finding them. So what should you do? First, do NOT underestimate your own level of risk without performing a truly comprehensive audit process by professional using the latest best of breed tools and proper methodologies. While this may sound a little self-serving coming from an audit company, but there is a reason we found 70% of environments at high-risk when most expected to find they were well secured. As for the tools used, The Gartner Group does an excellent job of evaluating vulnerability testing tools and suggesting which are leading edge, so question your audit vendor and ensure their tools are not some basic freeware products and be wary of something they like to call their proprietary tool-set, which is another common way to hide the name of an inferior product(s) or the lack of a methodology beyond running a basic scan with a freeware tool. While the methodologies may be more difficult to assess while negotiating the audit process, be sure the vulnerability testing process uses “authentication”, which is a more current method of testing that yields FAR more depth and accurate results. Authenticated scanning is a full topic unto itself, but we’ll leave that for another time. Finally, Social Engineering during the audit process should mimic real-world scenarios that incorporate spear-phishing, as well as other techniques that are in the wild at the time of your audit. Ask you vendor how they determine the particular scenarios used in the social engineering evaluation process and attempt to ensure they are based on real world events, so your users are being subjected to tests they are more likely to see from day to day.