John Pescatore - SANS Director of Emerging Security Trends
Active Auditing: The Value of Auditors Doing More Than Data Calls and Document Reviews
This week’s Drilldown focuses on one item (included below) from NewsBites Issue 74: the results of an active, hands-on assessment of Wi-Fi security at the U.S. Department of the Interior (DOI) by its Office of Inspector General (DOI OIG). The assessment exposed several critical vulnerabilities that years of document-based compliance reviews had not.
One important truism over the years has been: Compliance does not equal security. Compliance is at best a subset of adequate security.
One reason for this is that compliance audits all too often consist solely of the auditors requesting documentation and then reviewing what is sent back. A passing result then mostly indicates that every requested document was provided and that every requirement is mentioned somewhere in it, not that the controls described are actually deployed and working.
Data-call-driven audits sometimes add value by judging the quality (rather than just the quantity or completeness) of the documentation, and they are often augmented with interviews of the responsible managers and employees. But most audits stop there. That level of inspection is shallow, and it is a point-in-time snapshot that is out of date by the time the report is issued. That is why so many breaches happen at organizations that had recently been found fully compliant.
Organizations like the American Institute of CPAs (AICPA) do give out guidance that says auditors should routinely do more active testing, for example:
The auditor should perform tests of controls when the auditor's risk assessment includes an expectation of the operating effectiveness of controls or when substantive procedures alone do not provide sufficient appropriate audit evidence at the relevant assertion level. (AICPA: AU Section 318, Tests of Controls .23)
However, in cybersecurity it is rare to see this actually happen.
That is why, in 2019, SANS gave Jefferson Gilkeson, Director of IT Audit, U.S. Department of the Interior, a SANS Difference Makers Award. Gilkeson was a driving force in increasing the effectiveness of cybersecurity audits that are typically performed by Inspectors General (IG) in the U.S. government. He actively advocates these advancements to IG special interest groups so that other auditors can achieve similar success. Gilkeson has pointed out that acquiring the skills and tools needed for active auditing requires management support but not high levels of additional funding.
Take a look at the DOI team’s presentation on active auditing here.
US Department of the Interior OIG Audit Report Details Wireless Network Security Problems
(September 17, 2020)
According to an audit report from the U.S. Department of the Interior Office of Inspector General (DOI OIG), "the Department did not deploy and operate a secure wireless network infrastructure, as required by the National Institute of Standards and Technology (NIST) guidance and industry best practices." Penetration testers were able to access the DOI's internal wireless network with a smartphone and about $200 of equipment stashed in a backpack. They were able to intercept and decrypt traffic. DOI employees did not detect the attacks that the pen testers conducted.
[Paller] This story is in "The Top of the News" not so much because the results are remarkable, but because the organization is remarkable. This is one of only two audit groups in government that have developed the technical skills to perform hands-on audits that go beyond checklists and questionnaires.
[Neely] While there are always trade-offs between security and usability, particularly with Wi-Fi, having an independent entity perform an active test is an important component to verifying the resulting security meets expectations for protecting services available from that network. Also, make sure that you are able to detect these activities, which may necessitate the deployment and integration of a wireless IPS, which can also help detect use of wireless in areas where it is not permitted, rogue networks, and unauthorized devices.
[Pescatore] This is an example of the value of active testing by auditors/IGs that I mentioned in the NewsBites 73 item about the USPS audit results. In the DOI report, the authors pointed out that doing active testing is not beyond the capabilities of audit team budgets, though it definitely requires investment on the technical skills side. Here's the quote from the report:
We conducted reconnaissance and penetration testing of wireless networks representing each bureau and office. To do this, we assembled portable test units for less than $200 that were easily concealed in a backpack or purse and operated these units with smartphones from publicly accessible areas and locations open to visitors. Our attacks simulated the techniques of malicious actors attempting to break into departmental wireless networks, such as eavesdropping, evil twin, and password cracking.
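Neely’s point above about being able to detect these activities, and the evil-twin attack named in the report excerpt, come down to one check that a wireless IPS performs continuously: comparing what is beaconing on the air against an inventory of sanctioned access points. The following is an added example, not code from the OIG report or from SANS, that runs that check in Python over a constructed scan. The authorized-AP inventory, the beacon field names and the security labels are assumptions made for the example.

```python
"""Evil-twin / rogue access point detection over a beacon scan.

Added example (not from the DOI OIG report or SANS). Assumes an inventory of
sanctioned access points (SSID -> BSSIDs and expected security mode) and a
list of observed beacons of the kind a wireless sensor or survey tool logs.
Field names, security labels and all MAC addresses are constructed.
"""
from dataclasses import dataclass
from typing import Optional
import re


@dataclass(frozen=True)
class Beacon:
    """One observed 802.11 beacon frame, as a sensor would record it."""
    ssid: str
    bssid: str      # AP MAC address
    channel: int
    security: str   # "OPEN", "WPA2-PSK", "WPA2-ENT", "WPA3" (labels are assumptions)
    rssi: int       # signal strength in dBm


# Constructed inventory of sanctioned APs (assumption, not real DOI data).
AUTHORIZED = {
    "DOI-Corp":  {"bssids": {"00:11:22:33:44:01", "00:11:22:33:44:02"}, "security": "WPA2-ENT"},
    "DOI-Guest": {"bssids": {"00:11:22:33:44:10"}, "security": "OPEN"},
}


def canonical(ssid: str) -> str:
    """Fold case and drop punctuation/whitespace so 'doi-corp ' and 'DOI_Corp' compare equal."""
    return re.sub(r"[^a-z0-9]", "", ssid.lower())


def classify(beacon: Beacon, authorized: dict) -> Optional[str]:
    """Return a finding for a suspicious beacon, or None if it is benign."""
    if not beacon.ssid:
        return None  # hidden/wildcard SSID carries no name to impersonate
    bssid = beacon.bssid.lower()
    policy = authorized.get(beacon.ssid)
    if policy is not None:
        known = {b.lower() for b in policy["bssids"]}
        if bssid not in known:
            # Sanctioned SSID from a BSSID we do not own: the evil-twin signature.
            msg = f"evil twin: '{beacon.ssid}' beaconed from unknown BSSID {beacon.bssid}"
            if beacon.security != policy["security"]:
                msg += f" advertising {beacon.security} instead of {policy['security']}"
            return msg
        if beacon.security != policy["security"]:
            return (f"misconfigured AP: {beacon.bssid} advertises {beacon.security} "
                    f"for '{beacon.ssid}', expected {policy['security']}")
        return None
    # Not an exact SSID match: flag names that only differ by case/punctuation.
    for real in authorized:
        if canonical(beacon.ssid) == canonical(real):
            return f"lookalike SSID: '{beacon.ssid}' from {beacon.bssid} mimics '{real}'"
    return None


def find_rogues(beacons, authorized=AUTHORIZED):
    """Run classify() over a scan, reporting each (SSID, BSSID) pair once."""
    seen = set()
    findings = []
    for b in beacons:
        key = (b.ssid, b.bssid.lower())
        if key in seen:
            continue
        seen.add(key)
        finding = classify(b, authorized)
        if finding:
            findings.append(finding)
    return findings


# Constructed scan: two sanctioned APs, two evil twins, one lookalike, one neighbour.
SAMPLE_SCAN = [
    Beacon("DOI-Corp",   "00:11:22:33:44:01", 6,  "WPA2-ENT", -50),
    Beacon("DOI-Corp",   "DE:AD:BE:EF:00:01", 6,  "OPEN",     -38),  # open twin for credential harvesting
    Beacon("DOI-Corp",   "DE:AD:BE:EF:00:02", 11, "WPA2-ENT", -42),  # twin with matching security mode
    Beacon("DOI-Guest",  "00:11:22:33:44:10", 1,  "OPEN",     -61),
    Beacon("doi-corp ",  "DE:AD:BE:EF:00:03", 1,  "WPA2-PSK", -55),  # lookalike name
    Beacon("CoffeeShop", "AA:BB:CC:DD:EE:FF", 11, "WPA2-PSK", -72),  # unrelated neighbour, ignored
    Beacon("DOI-Corp",   "DE:AD:BE:EF:00:01", 6,  "OPEN",     -40),  # repeat beacon, de-duplicated
]

if __name__ == "__main__":
    for finding in find_rogues(SAMPLE_SCAN):
        print(finding)
```

The second twin, which advertises the same WPA2-Enterprise mode as the real network, is caught only by the BSSID allow-list; an SSID-plus-security check alone would let it through, which is why the inventory of sanctioned BSSIDs is the core of the check. A production wireless IPS additionally correlates channel, vendor OUI and sensor location, and alerts on the deauthentication floods attackers use to push clients onto the twin.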
Read more in:
The Register: Feeling bad about your last security audit? Check out what just happened to the US Department of Interior
Cyberscoop: The Interior Department OIG clearly had some fun hacking the agency's Wi-Fi networks
The Hill: Interior Department watchdog 'highly successful' at hacking agency's networks
DOIOIG: Evil Twins, Eavesdropping, and Password Cracking: How the Office of Inspector General Successfully Attacked the U.S. Department of the Interior's Wireless Networks (PDF)