Motivating Executives to Fund Enhancements to IT Controls
By Gordon Smith (July 2010)
Download PDF of article at www.canaudit.com/Perspectives/Volume11-Issue5.pdf
I am often puzzled by Management’s reaction to major IT audit issues we discover.
In most cases, they tolerate them. Even when we gain administrative
access to the Windows domain and discover serious control issues,
they do not demand remediation efforts. These issues may include
2,000 unpatched machines, 300 accounts with missing or simplistic
passwords, and uncontrolled two-way trust relationships. Management
seems concerned, but not enough to do anything.
So what makes Management jump out of their seats to begin
remediation? When we take the administrative access we have
gained a few steps further and demonstrate what can be done
with the access gained. The most effective demonstrations are
accessing executive email, BlackBerry phones and documents,
and discovering malware and remote control software on the
internal network.
Let us start with email. With domain administrative access
typically achieved during the project timeframe and the email
server connected to the domain, we usually have access to executive
email. This includes the ability to send or delete email from
an executive account. This usually makes Management realize
why we auditors have been advocating a reduction in the number
of people with domain-wide administrative access. What also
gets their attention is showing them that we can view, alter
or delete their address book. All of their contacts can be
destroyed or copied by anyone with administrative access to
the Exchange or email server.
Next we move on to the executive BlackBerry phones. If the
BlackBerry server is poorly configured and part of the Windows
domain, we can administer all of the organization’s BlackBerry
phones. Imagine Management’s reaction when they realize that,
with the domain access gained, we can now disable their BlackBerry
just as an administrator would do if it were lost. We can also
alter the email account sending and receiving mail from the
BlackBerry. This means we could send the lawyer’s email
to the executive or the executive’s email to the lawyer
or to anyone else, say a member of the press or some dissident
shareholders. While we do not actually do this, we can prove
the ability to do it.
Next we go to either their shared drive or that of their Administrative
Assistant. We show them that we have access to browse, copy,
alter or delete their documents. Again, we do no harm, but
showing that we can demonstrates a risk they may not have
considered.
Our next step is to use our administrative access to find
machines running malware. When we demonstrate that malware
such as Trojans is present on machines in the internal network,
Management understands the risk. More often than not, their
first question is why we were able to identify them and their
IT or security department did not. The answer is simply because
we looked. Many times, IT and security staff rely wholly on
their anti-virus and anti-malware software and do not look
for malware instances within their network. To be thorough,
they should be scanning and testing all machines within the
network several times a day.
Last but not least, we check for remote control software.
I have talked about LogMeIn and similar products in my past
newsletters. Let me emphasize again that these products create
a pathway into your network for users who know the related
account and password. In our Windows audit segment, we check
for and often find these products running on the inside of
the network. When we provide Management a demonstration of
how these products can jeopardize security if not properly
controlled, they want to remediate this issue immediately.
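The check described above, written from the defender's side as an added example that is not from the article or Canaudit: an inventory of remote control services (LogMeIn and, as an assumed addition, TeamViewer) across active domain-joined Windows hosts, so the finding can be tracked through remediation. It assumes the RSAT ActiveDirectory module is installed, the running account can query CIM over WinRM on the targets, and the name fragments listed match the products your policy prohibits.

```powershell
# Added example (not the article's own procedure). Assumptions: ActiveDirectory module
# available, CIM/WinRM reachable on targets, and $patterns edited for your environment.
Import-Module ActiveDirectory

# Name fragments to match against service names; LogMeIn is from the article,
# TeamViewer is an assumed example of a "similar product".
$patterns = @('LogMeIn', 'TeamViewer')

# Enabled computers seen in the last 30 days; stale objects would only produce noise.
$computers = Get-ADComputer -Filter 'Enabled -eq $true' -Properties LastLogonDate |
    Where-Object { $_.LastLogonDate -gt (Get-Date).AddDays(-30) } |
    Select-Object -ExpandProperty DNSHostName

$findings = foreach ($computer in $computers) {
    try {
        # Win32_Service lists installed services whether or not they are running.
        $services = Get-CimInstance -ClassName Win32_Service -ComputerName $computer -ErrorAction Stop
    } catch {
        # Unreachable hosts are reported, not silently skipped: they need follow-up too.
        Write-Warning "Could not query $computer : $($_.Exception.Message)"
        continue
    }
    foreach ($svc in $services) {
        foreach ($p in $patterns) {
            if ($svc.Name -like "*$p*" -or $svc.DisplayName -like "*$p*") {
                [pscustomobject]@{
                    Computer    = $computer
                    Service     = $svc.Name
                    DisplayName = $svc.DisplayName
                    State       = $svc.State       # Running or Stopped
                    StartMode   = $svc.StartMode   # Auto means it survives a reboot
                    Path        = $svc.PathName
                    RunsAs      = $svc.StartName
                }
            }
        }
    }
}

# Console summary for the audit meeting and a CSV for the quarterly follow-up.
$findings | Sort-Object Computer, Service | Format-Table -AutoSize
$findings | Export-Csv -Path .\remote-control-inventory.csv -NoTypeInformation
```

A service-based inventory misses portable or user-mode copies of these products, so cross-check the result against running processes and outbound connections to the vendor's relay hosts.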
Some of our competitors say we use scare tactics. This is
not the case. We provide valid examples of control weaknesses
that Executives and Senior Management can understand. They
understand when their command and control structure can be
disrupted and when BlackBerry phones and email are compromised.
They understand when their confidential or secret documents
can be disclosed, altered or destroyed. They understand when
malware and remote control software compromise their networks.
Given concrete examples of the effects of control weaknesses,
they finally comprehend why controls need to be improved, and
why with such a high priority.
Once Executives truly understand the risk, they are willing
to finance investments in control enhancement. In addition,
they want to see immediate progress. Several of our clients
request follow-up mini audits every quarter to ensure IT and
security staff are focusing on improvements and succeeding.
While this puts extra pressure on the staff, it is necessary.
As an auditor, I do not appreciate SSDD (same stuff, different
date) audits. I like to see continuous improvement. Unfortunately,
on several of our first and second tests following an IT Security
Baseline or Penetration Audit, we do not see much change. Once
this lack of progress is reported to Management, improvements
are made. This common scenario demonstrates the need for Executive
awareness and Senior Management involvement in the remediation
process.
As many of you know, I love sharing our techniques with the
audit and security community. The best way to transfer this
type of knowledge and skill is hands-on training. Because of
this, we are pleased to have one or two of the client’s
staff sit and work alongside us as we conduct our audits in
order to observe our techniques. We truly believe that skills
transfer is the best way to improve client security. Once we
leave, the client is equipped to do the follow-up work required
to evaluate the remediation process.
If you are interested in more information concerning our Windows
Security Assessments, Network Penetration Audits or IT Security
Baselines, please contact Tamra at Tamra@canaudit.com.
As always, the opinions in this article are mine and mine alone.
Please send your comments, both positive and negative, to Gordon@canaudit.com.
Canaudit specializes in
a variety of information system and technology audits, ranging
from periodic network penetration testing to full network and
operating system security review. Our tailored audits provide
an objective, disciplined, and in-depth analysis to evaluate
and improve the effectiveness of risk management, control and
security within your organization’s technological environment.
If you are interested in having Canaudit
perform an IT audit for your organization, please email
Tamra at Tamra@canaudit.com,
or call (805) 583-3723.
Canaudit
provides training for IIA and ISACA chapters, in-house
training for corporations as well as public training
for all to attend. Our variety of courses offers training
appropriate for introductory level employees all the
way up to management. Attendees are awarded 8 CPE credits
per day.
A list of our available
courses, course descriptions and outlines can be found at www.canaudit.com/course.html.
For more information on upcoming public training and
to register, visit www.canaudit.com/seminars.html.
For more information or to schedule an event, please
email Brenna at Brenna@canaudit.com,
or call (805) 583-3723.