By the end of this topic, you will understand:
- the role of cyber security threat audits and the auditing process
- practices to identify cyber security threats in the workplace.
The process to audit a business for cyber security threats relies on digital tools, observation and reporting.
The ambition of an audit is to assess the internal compliance of a business with its own cyber security policies and with external regulatory government compliance requirements. An audit examines:
- the current policies in use, to ensure there are no missing prohibitions and determine whether tightening of restrictions is required (such as to comply with changes in cyber security legislation)
- the current work practices, by performing compliance checks in the workplace
- the running of vulnerability scans, to ensure user and operational software is updated as required
- the authentication of any access to systems and whether access is provided only to appropriate staff.
Before conducting a formal audit of a business, senior management should be made aware that an audit will be undertaken, so that the wider business understands the audit is important, has management support and is a process to be assisted.
Tools such as vulnerability scanning should be run more often than an audit. An audit is a complete review of a business’s cyber security and operation, and relies on multiple data points. An audit may, in large businesses, focus on specific areas rather than address an entire company’s infrastructure.
Audits do not address specific threats. Rather, an audit is a proactive measure to discover potential cyber security issues before a threat emerges.
Audits comprise cyber security activities that should be performed individually as well as when combined into a formal audit.
A cyber security audit is a detailed point-in-time assessment of a workplace’s physical, technical and operational practices using a range of cyber security tools.
Before Auditing
Ensure that research has been undertaken to:
- Identify and understand any changes in government cyber security compliance requirements. While this task is a requirement in cyber security frameworks as a part of continually strengthening cyber security, it should be performed before an audit to ensure currency of the business’s cyber security policy.
- Update vulnerability scanners with the latest libraries of cyber security patches (such as for Microsoft products).
- Identify and understand the latest security patches for the systems and network applications (e.g. SAP [Systems Applications and Products] security updates or Cisco router updates).
By performing these tasks, the baseline software release that should be on digital devices will be known, vulnerability scanning will provide a current assessment, and policy can be reviewed.
An audit touches on a wide range of areas in a business:
- Data security - how data is moved, edited, deleted and accessed
- Network/system security - for example, the patch levels on users' digital devices and the business's systems, the anti-malware software in use, and the patch levels on firewalls and routers
- Physical security - how access to digital devices is managed and how physical assets (such as mobile phones) are protected
- Operational security - the governance provided by policy, and whether and how policy is complied with or whether policy requires change
An audit should not be a long exercise. It should be an assessment over as short a period of time as possible to evaluate a business at a point in time. As a result, it is unlikely, except in some smaller businesses, that any one person will deliver an audit. An audit team will comprise people from across the business who have the appropriate skills.
Working as a cyber security manager or officer in a business, in an audit you will rely on:
- Network engineers to check patch levels on network devices.
- Systems engineers to check patch levels on enterprise level applications (such as sales databases).
- Access coordinators to verify that staff have access only as required for their job description. In a large company, users are provided local area network access, enterprise access and remote access as needed. The job of managing these users falls to an access coordinator.
- Department and team managers to coordinate a meeting to gather their insight and perform onsite compliance checks (such as observing for lax password security, e.g. using sticky notes on screens, with passwords visible).
- Senior management to provide time/budget as needed to perform the audit for the various involved parties.
Running vulnerability scanning software slows performance across a network and on hardware, so you may require a window of time from change management to run the scan. In some cases, only authorised staff will be able to run a scan, as admin access will be required across multiple devices and applications; in that case, a business’s PC network team and systems team will run vulnerability scans at a time provided by change management. Updating the vulnerability scanner software may also be a function of the PC network team.
Researching current cyber security requirements to review policy, performing on-site cyber security compliance checks, and setting expectations for patch levels are tasks that a cyber security manager delivers.
Creating the audit plan and communicating to senior management the results of the recommended next steps are also tasks of cyber security managers.
Penetration Testing
A cyber security audit can be performed by a business’s staff (internal audit) or may make use of an independent third-party company (external audit). In both cases, a business may choose to perform penetration testing. Penetration testing is a series of cyber security attacks using known exploits. Attacks can be digital or may use physical means to breach a business’s cyber security defenses.
A penetration test is not a vulnerability scan. A vulnerability scan looks for patch levels indicating a weakness that may be exploitable because software has not been updated. A penetration test uses various means to attempt to gain access, including exploiting unpatched software.
A penetration test is a more rigorous audit element but requires more time and cost. An external audit is chosen by businesses looking for an impartial audit that is removed from bias.
Of note, cyber security audits do not follow the same format as financial audits, where an internal audit is provided to management, and an external audit is provided to business owners (e.g. reporting to shareholders).
Case Study
Cyber Security Audit
ACE Pty Ltd has a scheduled cyber security audit that will examine only the accounting team, focusing on the devices, work practices and cyber security that affects the team.
As the cyber security manager, you have:
- Informed senior management that an audit is required. Cyber security audits are required to be conducted every six months in accounting at ACE. This is stipulated in the cyber security monitoring policy at ACE.
- Researched required cyber security patch levels.
- Reviewed government regulatory policy to identify compliance gaps if any.
As the cyber security manager, you schedule:
- Network and system engineers to identify the patch requirements on enterprise assets that the accounting team access.
- Access coordinators to review the accounting staff’s access, to ensure it is appropriate.
- PC support to update the vulnerability scanning software and schedule a time to run. You have identified a day to perform the audit and asked that the scan occur when change management provides a window.
- A compliance check with the accounting team manager – the check involves using a checklist that ensures usage, access and data cyber security workplace policy is being followed. For example, not storing data on USB (Universal Serial Bus) sticks is a requirement of the data storage policy at ACE.
Over two days, the audit is performed, and the results are as follows:
- All software is patched as required.
- Roles are allocated as required, and accounting staff have the appropriate access.
- A compliance check finds some staff were using portable hard disks – all other checks were okay.
- Policy did not require modification as government requirements had not changed. Furthermore, workplace behaviours were not found to exploit gaps in policy that required closing.
You take the results to senior management and request that a budget for an external penetration test be allocated to provide greater cyber security.
Activity 1
While an audit is a larger undertaking, identifying specific threats is a regular activity. The Centre for Internet Security (CIS) framework identifies the provision of malware defences as a priority. The National Institute of Standards and Technology (NIST) framework notes:
- For the respond factor and improvements, there needs to be a process to create a response plan that evolves to reflect new threats, improved technology and lessons learned.
- For the identify factor and risk assessment, there needs to be risk assessments of threats.
A cyber security role requires focus on continued research to identify physical and technical threats as part of an ongoing cycle of activity.
Threats exist due to:
- Non-compliance with cyber security policy
- Policy that does not address a known exploit used by hackers
- Vulnerabilities in user and enterprise systems (e.g. browsers and databases)
- Emerging trends in cyber crime that are as yet unmanaged (zero-day exploits)
As the CIS framework is extensive, the 18 controls map all types of specific threats. For that reason, the CIS framework is used to identify a threat and to indicate the appropriate remedy, as demonstrated below. The descriptions of requirements are from CIS.
CIS Framework Element | Requirement | Threat Managed |
---|---|---|
CSC 1 Inventory and Control of Hardware Assets | ‘Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/ Internet of Things (IoT) devices; and servers) connected to the infrastructure physically, virtually, remotely, and those within cloud environments, to accurately know the totality of assets that need to be monitored and protected within the enterprise. This will also support identifying unauthorised and unmanaged assets to remove or remediate.’ | By having an inventory, any unknown devices will be blocked, as only known devices are permitted to connect to the business network. The permission relies on a ‘whitelist’. A whitelist permits only devices documented in a device registry to access a business’s network. To learn more, visit the link below: Notifiable Data Breach (NDB) - Privacy Act 1988 (Privacy Act) - YouTube |
CSC 2 Inventory and Control of Software Assets | ‘Actively manage (inventory, track, and correct) all software (operating systems and applications) on the network so that only authorised software is installed and can execute, and that unauthorised and unmanaged software is found and prevented from installation or execution.’ | Having an inventory and control of software assets can help to stop untrusted software attempting to breach cyber security – such as key trapping/recording passwords of users, and sending the information to hackers to access the system using the account details they ‘key trapped’. |
CSC 3 Data protection | ‘Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.’ | Measures – such as encryption, data access controls, documentation of data types and data flows, segmented data with multiple layers of security, and a log of data access – are employed to ensure attempts to steal confidential data are blocked. |
CSC 4 Secure Configuration of Enterprise Assets and Software | ‘Establish and maintain the secure configuration of enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/ IoT devices; and servers) and software (operating systems and applications).’ | If cybercriminals can modify configurations, they can gain access and control to perform attacks. |
CSC 5 Account management | ‘Use processes and tools to assign and manage authorisation to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software.’ | Account management blocks attempts to acquire admin rights and other role-based privileges to modify configurations. If a user’s access is compromised, the damage to a business’s digital platform is limited. |
CSC 6 Access Control Management | ‘Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software.’ | Access control management ensures that users do not have permissions outside the minimum required to perform their role. |
CSC 7 Continuous Vulnerability Management | ‘Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise’s infrastructure, in order to remediate, and minimise, the window of opportunity for attackers. Monitor public and private industry sources for new threat and vulnerability information.’ | Cyber security continually evolves to respond to new cyber threats, and improve tactics and develop strategies to grow cyber protection. |
CSC 8 Audit Log Management | ‘Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.’ | Monitoring builds insight and early detection of threats. |
CSC 9 Email and Web Browser Protections | ‘Improve protections and detections of threats from email and web vectors, as these are opportunities for attackers to manipulate human behaviour through direct engagement.’ | Phishing attacks are often the precursor of cyber attacks. A phishing attack can attempt to acquire username and password access or obtain confidential data or information. Protection can be provided by specific user training, blocking attachments and removing access to websites not related to the business. |
CSC 10 Malware Defences | ‘Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets.’ | Installing anti-malware software on digital devices blocks malware. If malware attempts to infect a digital device, anti-malware software will block the malware from loading. |
CSC 11 Data Recovery | ‘Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state.’ | In the event of a successful cyber attack, to ensure the integrity of data, a recovery from a backup can restore to a point in time before the attack. When backups are taken, they should be stored off-site from the business’s digital platform. Hackers can look to infect backups as a tactic. |
CSC 12 Network Infrastructure Management | ‘Establish, implement, and actively manage (track, report, correct) network devices, in order to prevent attackers from exploiting vulnerable network services and access points.’ | Cybercriminals identify and look for network devices with known exploits. Businesses that do not keep their network devices patched are attractive to hackers. Regular vulnerability scans (monthly) should be undertaken to detect vulnerable devices to update network software. |
CSC 13 Network Monitoring and Defence | ‘Operate processes and tooling to establish and maintain comprehensive network monitoring and defense against security threats across the enterprise’s network infrastructure and user base.’ | Many hackers look to remain undiscovered. If a cybercrime can be committed without detection, cybercriminals can return to commit the same crime again. Monitoring for suspicious activity identifies attacks and allows a business to react to threats. |
CSC 14 Security Awareness and Skills Training | ‘Establish and maintain a security awareness program to influence behaviour among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise.’ | Cyber awareness is critical in a business. If a business has the best cyber security money can buy, but has a workforce that is uninformed and untrained on dealing with cyber security, it is likely that a cyber attack will be successful. For example, a phishing attack can succeed because a user only has to click on a link in an email to infect their device, despite anti-malware; this is the case with zero-day attacks. |
CSC 15 Service Provider Management | ‘Develop a process to evaluate service providers who hold sensitive data, or are responsible for an enterprise’s critical IT platforms or processes, to ensure these providers are protecting those platforms and data appropriately.’ | Third parties outside the direct control of a business present an external challenge. A business may have numerous clients and suppliers with access to their systems. While the business may have effective cyber security, third parties may not. In this case, cybercriminals can use the third parties’ access to attack the business. Auditing and safe cyber security requirements for clients and suppliers are needed to ensure a business remains cyber safe. |
CSC 16 Application Software Security | ‘Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate security weaknesses before they can impact the enterprise.’ | Businesses that develop their own software need to do so with documented and known best practice cyber security in mind. |
CSC 17 Incident Response and Management | ‘Establish a program to develop and maintain an incident response capability (e.g., policies, plans, procedures, defined roles, training, and communications) to prepare, detect, and quickly respond to an attack.’ | In the event of a cyber security breach, prepared and tested response plans are needed. Crisis management without a plan for recovery will delay recovery and may compound the impact of the cyber attack. |
CSC 18 Penetration Testing | ‘Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weaknesses in controls (people, processes, and technology), and simulating the objectives and actions of an attacker.’ | It is possible that a cyber security gap exists in any business. Research, education and the application of a cyber security framework mitigate this risk. To be sure that typical and documented cyber attacks are being managed as needed, a penetration test will identify gaps in security and provide recommendations to close these gaps. |
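As an added example (not CIS material and not code from this course), the following Python script shows the device-registry ‘whitelist’ idea from CSC 1 in the table above: clients observed on the network are compared against the device registry, and anything not in the registry is reported as unknown so the audit team can remove or remediate it. The registry format, the mixed MAC address notations and the sample observed clients are constructed assumptions; a real audit would export these from the asset register and the switch or DHCP tables.

```python
"""Device allowlist check in the spirit of CSC 1 (added example, not CIS tooling).

Compares observed network clients against a device registry. Registry data and
observed clients below are constructed sample data for illustration.
"""
import re

# Constructed device registry: asset tag -> MAC address as recorded by the business.
# Records were entered by different people, so the notation varies.
DEVICE_REGISTRY = {
    "ACE-LT-0101": "00:1A:2B:3C:4D:5E",
    "ACE-LT-0102": "00-1a-2b-3c-4d-5f",   # recorded with dashes
    "ACE-PH-0201": "001a.2b3c.4d60",      # recorded in dotted notation
}

# Constructed sample of (IP, MAC) pairs observed during the audit window.
OBSERVED_CLIENTS = [
    ("10.0.5.11", "00:1a:2b:3c:4d:5e"),
    ("10.0.5.12", "00:1A:2B:3C:4D:5F"),
    ("10.0.5.20", "00:1a:2b:3c:4d:60"),
    ("10.0.5.77", "de:ad:be:ef:00:01"),   # not in the registry
    ("10.0.5.78", "not-a-mac"),            # malformed export line
]


def normalize_mac(raw):
    """Return a canonical lower-case 'aa:bb:cc:dd:ee:ff' form, or None when the
    value is not a 48-bit MAC address in any common notation."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw or "")
    if len(hexdigits) != 12:
        return None
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).lower()


def build_allowlist(registry):
    """Map canonical MAC -> asset tag. Registry records that do not parse are
    returned separately so the audit notices bad data instead of silently
    treating the device as unknown."""
    allow, bad_records = {}, []
    for tag, mac in registry.items():
        canon = normalize_mac(mac)
        if canon is None:
            bad_records.append(tag)
        else:
            allow[canon] = tag
    return allow, bad_records


def classify_clients(observed, allowlist):
    """Split observed clients into known (with asset tag), unknown and malformed."""
    result = {"known": [], "unknown": [], "malformed": []}
    for ip, mac in observed:
        canon = normalize_mac(mac)
        if canon is None:
            result["malformed"].append((ip, mac))
        elif canon in allowlist:
            result["known"].append((ip, allowlist[canon]))
        else:
            result["unknown"].append((ip, canon))
    return result


def audit_report(registry=DEVICE_REGISTRY, observed=OBSERVED_CLIENTS):
    """Full report: client classification plus any unparseable registry records."""
    allowlist, bad_records = build_allowlist(registry)
    report = classify_clients(observed, allowlist)
    report["bad_registry_records"] = bad_records
    return report


if __name__ == "__main__":
    report = audit_report()
    for ip, tag in report["known"]:
        print(f"KNOWN     {ip:<12} {tag}")
    for ip, mac in report["unknown"]:
        print(f"UNKNOWN   {ip:<12} {mac}  <- not in device registry")
    for ip, raw in report["malformed"]:
        print(f"MALFORMED {ip:<12} {raw!r}")
    for tag in report["bad_registry_records"]:
        print(f"REGISTRY  {tag} has an unparseable MAC address")
```

Normalising the MAC notation before comparing is the part an audit most often gets wrong: a device recorded as `001a.2b3c.4d60` and observed as `00:1a:2b:3c:4d:60` is the same asset, and without normalisation it would be wrongly reported as unknown.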
Technical and Non-Technical Threat Responses
Cyber security in a business will be a team effort. Cyber security managers work with the information technology (IT) department, management, change control, training departments and staff across the business to leverage skills to identify and manage threats (either to stop the threat or mitigate the risk).
The CIS framework is a complete response to the range of threats a business faces from cybercrime. Some activities will require detailed, expert knowledge or authority that will not be a part of a cyber security manager’s role. For example, an IT LAN (local area network) engineer will create and maintain the device settings across a business network. However, the cyber security manager architects what will be included or excluded in the device settings to ensure cyber security is maintained.
A cyber security manager does not need to be a technical expert across all facets of a business’s digital operations. They are responsible for organising cyber security activity and validating a business’s cyber security approach as appropriate. They are responsible for instigating change when audit and regular threat evaluation finds gaps that require technical/policy change and also the enforcement of cyber security policy. Additionally, some activities are directly performed by cyber security managers. The following table includes some of these activities:
Activity | Description |
---|---|
Continuous vulnerability assessment | |
Development of incident response plans | |
Review of monitoring reports | |
Compliance checks | |
Leading the organisation’s cyber security response | |
Case Study
Continuous Vulnerability Assessment
As the cyber security manager at ACE Pty Ltd, you review CIS security threat alerts daily and read the latest advisory. You do this at the link below:
Cybersecurity Threats (cisecurity.org)
Today, you read that a potential threat exists to mobile devices with an Android patch level prior to 2022-09-05. The risk to business and government is high. The exploit could be used to:
- gain admin access to a device
- allow data to be accessed/deleted/changed/copied on the mobile device
- run malware on a device to gather credentials to access a business’s network.
The report on the website provides the following technical detail:
Tactic: Execution (TA0002):
Technique: Exploitation for Client Execution (T1203):
- A vulnerability in MediaTek components BT firmware could result in remote code execution due to a missing bounds check. User interaction is not needed for exploitation. No exploitation of this vulnerability has been observed in the wild. (CVE-2022-26447)
- Details of lower-severity vulnerabilities are as follows:
- Multiple vulnerabilities in Android runtime that could allow for escalation of privilege. (CVE-2022-22822, CVE-2022-23852, CVE-2022-23990, CVE-2022-25314)
- Multiple vulnerabilities in Framework that could allow for escalation of privilege. (CVE-2022-20218, CVE-2022-20392, CVE-2022-20197)
- Multiple vulnerabilities in Framework that could allow for information disclosure. (CVE-2022-20393, CVE-2020-0500)
As a part of your role as cyber security manager, performing continuous vulnerability assessments has identified the exploit.
The recommended remedy by CIS is as follows:
- Apply appropriate patches provided by Google to vulnerable systems, immediately after appropriate testing. (M1051: Update Software)
- Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
- Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
- Safeguard 7.5: Perform Automated Vulnerability Scans of Internal Enterprise Assets: Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool.
- Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources. Inform and educate users regarding threats posed by hypertext links contained in emails or attachments, especially from un-trusted sources. (M1017: User Training)
- Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
- Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Apple® System Integrity Protection (SIP) and Gatekeeper™.
Reading the recommendations, you then request the IT department to ensure that all mobile devices are patched to be on a higher Android release (later than 2022-09-05).
You already run vulnerability scans and automate patch application with testing, and ACE already has anti-malware protection.
As per cyber security frameworks such as NIST and CIS, you inform senior management and circulate an email to staff reminding them not to visit non-business websites directly or from links sent in emails. Shortly after, the IT department confirms that all devices are patched to be higher than 2022-09-05.
As a result, ACE is not open to exploitation through this vulnerability. You inform senior management that ACE is not exposed to the issue. However, you note in your email that partner companies’ mobile devices may become infected.
You advise that all ACE staff using mobile devices be blocked from receiving emails with URLs (Uniform Resource Locators) embedded in the text.
While awaiting management’s approval, you monitor for news on the exploit from multiple sources, such as the Australian Cyber Security Centre.
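The case study ends with the IT department confirming that every mobile device is at or beyond the patch level named in the advisory. As an added example (not CIS or Google tooling, and not part of the course), the Python below is the kind of check a cyber security manager could run over a mobile device management export to verify that claim rather than take it on trust. The inventory format, the team names and the device records are constructed assumptions; the 2022-09-05 threshold is the one quoted in the case study. Devices whose reported patch level is missing or malformed are deliberately reported as unknown rather than compliant, because the audit cannot prove they are safe.

```python
"""Fleet patch-level check for the ACE case study (added example, not CIS tooling).

Android devices report a security patch level as a YYYY-MM-DD string. The
advisory quoted in the case study treats levels prior to 2022-09-05 as affected,
so 2022-09-05 or later is compliant. Inventory data below is constructed.
"""
from datetime import date

# Threshold taken from the advisory in the case study.
REQUIRED_PATCH_LEVEL = date(2022, 9, 5)

# Constructed MDM export: (device id, team, reported security patch level).
INVENTORY = [
    ("ACE-PH-0201", "accounting", "2022-09-05"),
    ("ACE-PH-0202", "accounting", "2022-10-01"),
    ("ACE-PH-0203", "accounting", "2022-08-05"),
    ("ACE-PH-0301", "sales", "2022-09-01"),
    ("ACE-PH-0302", "sales", ""),            # device has not checked in
    ("ACE-PH-0303", "sales", "2022/09/05"),  # export used the wrong format
]


def parse_patch_level(value):
    """Return the patch level as a date, or None if missing or malformed."""
    try:
        return date.fromisoformat(value.strip())
    except (ValueError, AttributeError):
        return None


def evaluate_device(patch_level_str, required=REQUIRED_PATCH_LEVEL):
    """Classify one device as 'compliant', 'vulnerable' or 'unknown'.

    'unknown' is kept separate from 'compliant' on purpose: a blank or
    unparseable value is an audit finding in its own right."""
    level = parse_patch_level(patch_level_str)
    if level is None:
        return "unknown"
    return "compliant" if level >= required else "vulnerable"


def fleet_report(inventory=INVENTORY, required=REQUIRED_PATCH_LEVEL):
    """Group devices by status; each entry is (device id, team)."""
    report = {"compliant": [], "vulnerable": [], "unknown": []}
    for device_id, team, level in inventory:
        report[evaluate_device(level, required)].append((device_id, team))
    return report


def fleet_is_clear(report):
    """Sign-off condition: nothing vulnerable and nothing unverified."""
    return not report["vulnerable"] and not report["unknown"]


if __name__ == "__main__":
    report = fleet_report()
    for status in ("vulnerable", "unknown", "compliant"):
        for device_id, team in report[status]:
            print(f"{status.upper():<10} {device_id}  ({team})")
    print("fleet clear:", fleet_is_clear(report))
```

Grouping the output by team mirrors how the audit is scoped in the case study (accounting only), and the `fleet_is_clear` result is the single yes/no the cyber security manager reports back to senior management.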
Note
Intrusion detection software (IDS) can be purchased by a business to inspect network traffic data packets at the boundary of and across the business’s network. Data packet inspection looks for data that matches intrusion data signatures. If any matches are found, the data is blocked and reported. Network hardware and network application companies such as Cisco provide integrated SAR reporting.
Watch
Watch the video below for a short explanation of the CIS framework:
CIS Critical Security Controls (cisecurity.org)