Maybe it would be best to start with what it isn’t. An IT security auditor is neither a hacker nor a penetration tester. The term hacker is often used incorrectly, especially in the media, where it is often used to describe malicious individuals targeting critical systems. In actuality, a hacker is simply someone who tinkers with computers, networks, or other electronic devices, often taking them apart to learn more about them. A penetration tester, or pen tester, is a security professional who breaks into networks using any means necessary, in order to identify holes in security. Pen testers usually run exploits that they find on the Internet or that they create themselves against a network, computers, or software. These exploits can bring a system down in a variety of ways, including crashes and unintentional information exposure. Pen testers use these and other sophisticated methods in an effort to mirror those used by sophisticated attackers or seen in sophisticated malware.
IT security auditors, by contrast, typically look at broader spectrum controls and do not run packaged exploits against the networks they test. IT audits are typically designed to identify ’low hanging fruit’ or easily identifiable weaknesses in systems, networks, or operations. The end goal of an IT security audit is not to breach a network and pull out sensitive data. Instead, it is to help identify controls that, when implemented, will protect against unsophisticated attacks. This is why an IT security audit and a pen test can compliment each other; one is more narrowly focused, yet deep, and the other is more broadly focused, and only goes a little below the surface. As the Annual Verizon Data Breach Investigations Report points out, most victims of breaches are targets of opportunity and most of the attacks are not highly sophisticated. In other words, identifying and implementing simple or intermediate controls, or removing the ’low hanging fruit‘ can significantly increase an organization’s security posture.
A lot of emphasis is placed on attack sophistication. Sophistication, however, is a fuzzy concept. A truly sophisticated attack should use only the resources necessary to achieve the end goal. Thus, writing, testing, and running exploits do not necessarily equate to a sophisticated attack; indeed, too much time spent on these activities can simply be wasteful. Instead, sophistication should be viewed in terms of attack success, attack detection, and overall effect. Regardless of the attack vector, did the attacker achieve his goal? In other words, did a system, network, or data breach occur? Or, if the goal was to cause a crash, did the crash occur? If the answer to any of these questions is yes, then a sophisticated (or sophisticated enough) attack has occurred.
Breaches can happen through password guessing, password cracking, social engineering, phishing attacks, authentication bypass, physical access, or any number of other vectors, and can be carried out by expert attackers and newbies alike. The objective is not sophistication but success.
Many attacks go undetected for months or even years. Some of these attacks result in exfiltration of data and others do not. Some of them are present for long periods of time but the purpose is unknown. Regardless, undetected unauthorized access to systems for any period of time, regardless of sophistication, is a successful attack in and of itself. For this reason, IT security audits should focus on detection methods such as logging, reviewing, and intrusion detection techniques.
Lastly, the effect of an attack can range from almost no impact on personal, business, or financial operations to complete devastation. Depending on the organization, a blemish to reputation as the result of an attack can cause more damage than the attack itself. For these reasons, it is not pragmatic to look only at the sophistication of the attack itself. One must also look at the lasting effect of the attack. It can take days, weeks, months, or even years for some individuals and organizations to recover from a successful attack. Thus, it is important for security audits to assess the response and recovery process, including compensating and recovery controls, following an attack, not simply the detective and preventive controls.
All things considered, attack sophistication as it is typically portrayed is not the key concern for IT security audits. Instead, audits need to look at the entire picture, focus on simple and intermediate controls, including detection, and be sure to address response and recovery in order to minimize overall effect. Whether the attacker be a state-sponsored cyber gang with disposable resources or a script-kiddie sitting in his mother’s basement eating cold pizza and punching keys, we should not ask “How sophisticated was the attack?” but “What is the effect?” Additionally, a good security audit ends with practical, cost-effective, and useful recommendations that address the cause and not the effect.
For more information on IT security auditing, look into CISSP and CISA resources, such as: