IT and Cybersecurity

Kevin Tsuei, Technology Practice Director

Ever since the passage of the Gramm-Leach-Bliley Act (GLBA) in 1999, there has been a sustained focus on Information Security by regulators, legislators and the industry. It’s certainly understandable that its profile should have risen. As the Internet, cloud computing, mobile devices, etc. have become mainstream, so have hacking and other threats. The pertinent risks have grown by orders of magnitude – cybersecurity, pandemic, …

Computing systems and data must be protected from hackers and even insiders. The integrity and availability of data must be maintained, even in the event of a disaster. Consumer privacy is now of the utmost importance given federal, state and local legislation. Simply put, the regulatory, legal, operational and reputational risks surrounding IT and data protection are far too high to take lightly.

AuditOne offers two major services in the technology practices area: Information Technology and Security Audits; and Network Penetration Testing, Vulnerability Assessments and Social Engineering Analysis. But as with our various other practice areas, we have the professional expertise and in-house support resources to customize a solution as more specialized needs arise. That includes any of a wide range of potential consulting/advisory needs through our Insight Risk Consulting affiliate.

Rigorous and Comprehensive IT / Information Security Audits

Our IT / Information Security audit procedures are based on the extensive FFIEC guidelines. We supplement that with other internationally-recognized external standards (such as ISO17799-2005) and, just as importantly, with what we see in the market as sound and prudent practices that take account of the actual risks facing each institution based on its IT architecture, type of business, level of in-house technical support, etc. We have responded to mounting concerns over and attention to cybersecurity by incorporating additional testing into all relevant aspects of our audit program.

The auditors in our technology practice have had hands-on experience with many different institutions’ computing networks, systems and software and they understand the context and nuances of the IT/IS audit process. They take a consultative approach; rather than simply writing up a finding and walking away, we’re able to offer meaningful remedial recommendations, risk mitigation measures, and attainable best-practice suggestions.

Network Penetration Test and Vulnerability Assessment with Social Engineering

We perform independent Network Penetration Tests and Vulnerability Assessments via our Insight Risk Consulting affiliate. With many years’ experience in this arena, we’re able to offer top-tier analysis and testing services at cost-effective prices.

Our penetration testing represents a method of evaluating the security of a client’s internal (local area network) computing systems and its Internet perimeter by simulating an attack by a person with malicious intent (e.g., a hacker or disgruntled employee). The process involves an active analysis of these systems for any weaknesses, technical flaws or vulnerabilities. Our tests are carried out from the perspective of a potential attacker using grey hat hacking methodologies. Unlike an information security audit, which is based on external standards, a penetration test is of variable scope with the aim of compromising a target in any way possible via selective targeting.

Our process follows a structured methodology to ensure a safe and thorough execution. It employs a series of gradually escalating steps to minimize any risks inherent in such testing. Should anything abnormal become evident, the testing is suspended before any damage is caused.

Our testing consists of four phases. We start with information gathering in the discovery phase. Public information is used to enumerate targets. In cases where such information is questionable or lacking, we conduct ping sweeps and restricted port scans to determine potential targets. Second, once potential targets are identified, we obtain as much information as possible about each one in the enumeration phase.

Third, in the port scanning phase, we map the profile of the targets to publicly known vulnerabilities. Only appropriate vulnerability tests are applied to the target hosts (e.g., IIS vulnerabilities are not tested on Apache systems, firewall vulnerabilities are tested only on firewalls, etc.). In cases where the host is indeterminate, several tests for a wide range of vulnerabilities are used.

Finally, we attempt to exploit the identified vulnerabilities to penetrate the target systems. Note that we go beyond simply running a vulnerability scanner program and generating a canned report. In our testing we’ve been able to compromise clients’ critical systems more than 90% of the time. Note, too, that our policy is to not proceed without explicit permission from management if we see any risk of damaging system security.

Results are analyzed for false positives and for applicability to the client’s computing environment. Every attempt is made to ensure the contents of this report are concise and relevant and the scale and scope of recommendations are realistic and achievable. Details regarding the exact timing of the tests are not known to service provider employees. Denial of service and other potentially destructive attacks are not performed.

Social Engineering has also come to receive increased regulatory attention, driven by the proliferation of phishing, pretext calls and other underlying threats. We perform up to three exercises: e-mail, telephone and (though less frequently) physical tests. We have developed tried-and-true verbiage/scripts for our pretext e-mails and calls, but we also modify them from year to year to keep them fresh.