Research findings compiled by the cybersecurity firm Varonis paint a fairly startling picture of the state of information security as we head further into 2020. The compilation includes more than 100 cybersecurity statistics drawn from industry sources such as IBM, Verizon, Accenture and Symantec. The 2019 Verizon Data Breach Investigations Report, as summarized by Varonis, found that approximately 70% of breaches were financially motivated and that more than 50% involved hacking. IBM and its Security Intelligence arm report that the average cost of a breach in 2019 topped US$3.9 million, that breaches took an average of 206 days to identify, and that the average breach lifecycle (from the breach's occurrence through identification to containment) exceeded 300 days. Statistics this alarming point to resource and/or talent gaps that are contributing to these outcomes.
I usually strongly dislike quoting Wikipedia, but in this case I feel that its Information technology audit page succinctly defines a core purpose of IT audit where it states, “The primary functions of an IT audit are to evaluate the systems that are in place to guard an organization's information.” If we accept this definition of IT audit, then it is fair to ask management and the associated IT audit functions why the numbers above are as bad as they are. It is true that in many cases, the 2017 Equifax breach among them, vulnerabilities such as weak system patching processes were identified by the audit function and subsequently ignored by management, but should we fall back on excuses such as this?
We as IT audit professionals know all too well that audits routinely identify common control weaknesses that carry real risk, and that management may then choose to accept or ignore the findings in the audit report. That happens, but how many other breach-worthy vulnerabilities exist within the enterprise that IT audit has not found and reported to management, simply because the function has not evolved its technical skillsets? While training and education are not a silver bullet for the breach statistics cited above, my argument is that having more technically competent security professionals within the enterprise can deliver better security than what is in place today, leading to fewer breach opportunities.
IT audit and security assurance professionals can help bridge the security skills gap by learning to think as attackers do, by understanding attacker methodologies and by becoming proficient, or at least competent, with common offensive toolkits such as Kali Linux, Metasploit and nmap. The most popular penetration testing training providers right now include Offensive Security, eLearnSecurity and CompTIA, along with general-purpose hacking practice platforms such as Hack The Box (HTB) or Hackme. I've completed both the CompTIA PenTest+ and the eLearnSecurity junior penetration tester courses. I highly recommend that anyone looking to gain sound, fundamental penetration testing experience pursue the eLearnSecurity course, as it teaches the full penetration testing methodology, provides in-depth, hands-on labs that build real penetration testing skills, and requires students to hack a simulated lab environment during the final exam in order to become certified. IT audit and assurance professionals could also learn real pen-test skills by pursuing the coveted Offensive Security Certified Professional (OSCP) credential, whose capture-the-flag (CTF)-style final exam requires candidates to compromise a variety of machines (configured much like systems that may be present on your own network), escalate privileges, read the proof files placed on those machines and submit a penetration testing report.
Adding penetration testing skillsets to the IT audit and assurance function may increase enterprise visibility into the vulnerabilities present in the environment, provide greater value to business stakeholders through increased awareness and communication of newly identified vulnerabilities, and even allow the enterprise to use the IT audit and assurance function as an independent penetration testing provider. If your enterprise is looking to do more with less, why shell out a great deal of money for an external firm to come in and perform a vulnerability assessment when a fully independent function already exists within your enterprise that could rotate in every two or three years to provide a similar service and value?
IT audit will typically know more about the technology in use and how some of the controls work, which does take away some of the value an external firm brings with a true black-box penetration test, but the enterprise is also not paying the IT audit team (traditionally a small staff) hundreds of dollars per hour for its engagement. According to penetration testing firm Secure Ideas, the average base cost of a penetration test is between US$10,000 and US$45,000, excluding any travel for the firm's staff, with hourly rates for security consulting services typically running anywhere from about US$200 to US$500 per hour. How many directly employed IT auditors do you know who make even US$100 per hour?
Your IT audit and assurance functions are poised to provide a tremendous security value to the organization. It might be time to train them and trust them to do so.