Cyber risk is prevalent in almost every business today. Any business which has a web page, keeps information online, or uses the cloud is at risk for a cyber breach. It’s very interesting to me that these risks are so significant and widespread, but are rarely considered in an audit or internal audit engagement. The AICPA is working on a much awaited framework for evaluating and reporting cyber risks. In the meantime, auditors should begin to familiarize themselves with ways to identify and mitigate cyber risks.
Currently one of the more effective ways to evaluate cyber risks for a client is to perform a penetration test. These tests, which can be automated or manual, evaluate the potential weaknesses in the cyber control environment. But not all pen tests are created equal. For example, many clients have a “pen test” performed which is in fact more of a vulnerability assessment. These tests are performed by people with a few weeks of training and uses an automated tool. This tool takes a list of publicly available and known weakness for a particular system and scans the client system for those known vulnerabilities. The resulting report summarizes which previously known vulnerabilities exist in the system. A vulnerability assessment is like hiring someone to walk around your house to ensure that the doors and windows are closed. Because of the automated nature of the test, many false positives are identified as risks that don’t have any potential business impact. While a vulnerability assessment does not take the place of a penetration test, the assessment can be used to identify vulnerabilities in systems that are lower risk and have not been customized in any way.
The next level of pen test is a vulnerability scan. In this approach, the pen test team uses the same tools as those in a vulnerability assessment and then manually tests the vulnerabilities detected by the scan. The good news is that this approach reduces the number of false positives and can help identify business impact. The bad news is that these scans can’t identify any new weaknesses introduced into a system which has been customized. Continuing the house metaphor from above, a vulnerability scan is like having someone walk around your house, verify the doors and windows are closed and testing a few to see if they are locked. Vulnerability scanning should be conducted routinely by the IT staff at organizations in order to identify known vulnerabilities in systems with little to no customization.
The final type of pen test is advanced penetration testing. In this approach, a team of computer scientists and technology specialists hack a network or system using the same tools we all hear about on the evening news. This team of “white hat” hackers tests for both publicly know vulnerabilities as well as new vulnerabilities introduced by customization of software. This approach is the most effective way to identify vulnerabilities especially for higher risk applications, those internally developed or those with significant customization. The advanced penetration teams will test all the doors and windows, taps on the glass, gets inside the house and then tests every internal door and lock. It is a holistic and comprehensive approach.
One item to note: any client with significant industrial control systems (ICS) should be very cautious about pen tests performed via a scan. The scans can cause significant damage to the ICS and actually shut down the system.
Auditors (whether internal or external) should begin to consider potential cyber risks and plan for how these risks can be addressed for their clients. The type of pen test performed should be determined based on the risk associated with the underlying system. As companies become more and more automated, the need for cyber risk evaluation and mitigation will become more significant to each engagement.
For weekly insights into cybersecurity, please sign up here: