With the increased focus on cyber-security, and the resulting efforts by enterprises to ensure resilience against cyber-attacks and data breaches, it is critical that Information Systems (IS) audit techniques evolve so that the audit function remains an effective and independent assessor of an organisation’s control environment. The days when a checklist approach was sufficient to identify controls and assess their effectiveness are over. Where that approach is still in use, the audit result will not reflect the actual security posture of the entity. The techniques threat actors use to exploit the various attack vectors within organisations are diverse, adaptive and constantly evolving, and it is paramount that audit techniques evolve just as quickly.
EUROPEAN UNION GENERAL DATA PROTECTION REGULATION
The need for IS audit techniques to evolve is heightened by the European Union’s (EU) Data Protection Reform Package, which includes the General Data Protection Regulation (GDPR), applicable from May 2018. It applies to organisations established in the EU and to organisations based outside the EU that offer goods or services to individuals in the EU market.
The GDPR stipulates that “the data controller or processor should evaluate the risks inherent in the processing of personal data and implement measures to mitigate those risks. (Art. 32 of the GDPR).” If the inherent risks are not evaluated effectively, the controls that follow from that evaluation will not sufficiently mitigate the actual risk exposure, and the implications can be dire. The GDPR establishes a range of tools for enforcing the new rules, including penalties and fines.
The regulation introduces two tiers of fines for breaches of its rules; the following excerpt is taken from the European Commission fact sheet on the Data Protection Reform Package.
"The first ceiling sets fines up to a maximum of €10 million or, in case of an undertaking, up to 2% of worldwide annual turnover. This first category of fine would be applied for instance, if data controllers do not conduct impact assessments, as required by the Regulation. The higher ceiling of fines reaches up to a maximum of €20 million or 4% of worldwide annual turnover. An example would be an infringement of the data subjects' rights under the Regulation. Fines are adjusted according to the circumstances of each individual case.” (European Commission Press Release Database, 2017)
As regulatory frameworks evolve to protect citizens from the threats faced in today’s global economy, the evolution of IS audit techniques will no longer be optional but required.
Realistically, there is no fool-proof method of protecting against cyber-attacks. However, the attack surface available for exploitation can be minimised, which makes it increasingly difficult and costly for threat actors to infiltrate an organisation. IS audit plays a key role in helping an organisation reduce its attack surface by effectively testing security controls before a potential attacker does.
Attack Path Mapping
Various methods may be employed. Whichever is chosen, IS auditors should use an adaptive, effective and efficient approach that takes account of the organisation’s operating and business environment and its key business processes (those that may be exposed to cyber-attacks and other exploitation), with the objective of assessing and improving the overall information security posture.
The Attack Path Mapping technique will be covered in this article, with others being discussed in subsequent articles. The procedures of the aforementioned technique are as follows:
Listing the IS assets that potential attackers could target, ranked by criticality
Identifying the paths an attacker could take to reach those assets
Validating the identified attack paths through focused technical testing
Identifying controls that decrease the likelihood of attackers exploiting weaknesses and increase the probability of detection
Assessing how preventive controls can reduce the attacker’s opportunities and create ‘choke points’ that every path must pass through
Identifying opportunities for, and recommending, controls that make attacks more arduous and present a higher chance of detection
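The procedure above can be made concrete by modelling the environment as a graph and scoring each step an attacker must take. The following is an added worked example, not part of the original article or any particular audit methodology: the asset names, effort scores and detection probabilities are constructed assumptions for a small hypothetical network. It enumerates every path from the internet to the most critical asset, finds the choke points all paths share, and then shows how adding one control (here, assumed to be a jump host with MFA and query logging in front of the database) raises the cheapest path’s effort and the attacker’s chance of being detected.

```python
"""Attack path mapping on a toy environment: enumerate paths to a critical
asset, score them, find choke points, and measure the effect of a control.
Constructed example; all names and numbers are illustrative assumptions."""
from typing import Dict, List, Set, Tuple

Edge = Tuple[str, str]
EdgeProps = Tuple[float, float]  # (attacker effort, probability the step is detected)

# Step 1: assets ranked by criticality (higher is more critical). Assumed values.
ASSET_CRITICALITY = {"customer_db": 5, "app_server": 3, "web_server": 2, "vpn": 2, "workstation": 1}

# Step 2: candidate attack paths as edges. Effort is a relative attacker cost,
# p_detect the chance the step trips an alert. All values are assumptions.
BASE_EDGES: Dict[Edge, EdgeProps] = {
    ("internet", "web_server"): (2.0, 0.2),     # exploit the public web app
    ("internet", "vpn"): (3.0, 0.3),            # reused credentials against the VPN
    ("web_server", "app_server"): (2.0, 0.1),   # lateral move on a flat network segment
    ("vpn", "workstation"): (1.0, 0.1),         # VPN session lands on a user workstation
    ("workstation", "app_server"): (2.0, 0.2),  # lateral move with harvested credentials
    ("app_server", "customer_db"): (1.0, 0.1),  # database password sits in the app config
}


def enumerate_paths(edges: Dict[Edge, EdgeProps], start: str, target: str) -> List[List[str]]:
    """All simple (loop-free) paths from an entry point to the target asset, by DFS."""
    adjacency: Dict[str, List[str]] = {}
    for src, dst in edges:
        adjacency.setdefault(src, []).append(dst)
    paths: List[List[str]] = []

    def walk(node: str, visited: Set[str], path: List[str]) -> None:
        if node == target:
            paths.append(list(path))
            return
        for nxt in adjacency.get(node, []):
            if nxt not in visited:
                visited.add(nxt)
                path.append(nxt)
                walk(nxt, visited, path)
                path.pop()
                visited.discard(nxt)

    walk(start, {start}, [start])
    return paths


def path_metrics(edges: Dict[Edge, EdgeProps], path: List[str]) -> Tuple[float, float]:
    """Total effort along the path and the probability that at least one step is detected."""
    effort = 0.0
    p_undetected = 1.0
    for src, dst in zip(path, path[1:]):
        step_effort, p_detect = edges[(src, dst)]
        effort += step_effort
        p_undetected *= 1.0 - p_detect
    return effort, 1.0 - p_undetected


def choke_points(paths: List[List[str]]) -> Set[str]:
    """Intermediate nodes that every path traverses: a control there affects all routes."""
    if not paths:
        return set()
    common = set(paths[0][1:-1])
    for p in paths[1:]:
        common &= set(p[1:-1])
    return common


def apply_control(edges: Dict[Edge, EdgeProps], edge: Edge,
                  extra_effort: float, new_p_detect: float) -> Dict[Edge, EdgeProps]:
    """Model a control on one edge as added attacker effort and a higher detection probability."""
    updated = dict(edges)
    effort, p_detect = updated[edge]
    updated[edge] = (effort + extra_effort, max(p_detect, new_p_detect))
    return updated


def summarize(edges: Dict[Edge, EdgeProps], start: str, target: str) -> dict:
    """Cheapest path effort, the weakest detection probability across paths, and choke points."""
    paths = enumerate_paths(edges, start, target)
    metrics = [path_metrics(edges, p) for p in paths]
    return {
        "paths": paths,
        "min_effort": min(m[0] for m in metrics),
        "min_detection": min(m[1] for m in metrics),
        "choke_points": choke_points(paths),
    }


if __name__ == "__main__":
    target = max(ASSET_CRITICALITY, key=ASSET_CRITICALITY.get)  # most critical asset
    before = summarize(BASE_EDGES, "internet", target)
    # Assumed control: database reachable only via a jump host with MFA and query logging.
    hardened = apply_control(BASE_EDGES, ("app_server", "customer_db"), 4.0, 0.7)
    after = summarize(hardened, "internet", target)
    for label, s in (("before", before), ("after", after)):
        print(label, "min effort:", s["min_effort"], "min detection:", round(s["min_detection"], 3),
              "choke points:", sorted(s["choke_points"]))
```

On the constructed graph, two paths reach the customer database and both pass through the application server, so that node is the choke point; placing the control on the final hop raises the cheapest path’s effort from 5 to 9 and the lowest detection probability from about 0.35 to about 0.78. The numbers only matter relative to each other: the point of the exercise is that a control on a shared hop moves every path at once, whereas hardening one entry point leaves the other route untouched.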
This tailored approach has many inherent benefits including:
Identifying the risk mitigations that matter most
Uncovering new vulnerabilities or legitimate processes that could be exploited
Saving time on implementing controls or embarking on remediation that does not materially reduce risks
Verifying the effectiveness of overall information security controls, to determine true exposure
Providing assurance by testing extant controls against modern attack techniques
The onus is now on audit leaders to ensure that their approach to information systems audit is not one-size-fits-all but adaptive and effective. Hypothetically speaking, imagine purchasing a new house without knowing how many access points there are on the property. You then implement the best security for the one door you can see, without an adequate walk-through of all possible access points. An attacker walks by and sees the window to your most prized asset wide open. Your perceived sense of security results in the attacker taking the asset with minimal effort. As far-fetched as it may seem, this is happening in multiple environments across various industries internationally. It is worth noting that an organisation’s information security posture and threat resilience are usually a reflection of the strength of its leadership.