Although the hype around the SolarWinds breach is slipping into distraction, the need to do something about the security situation remains.  The focus on one company, even a high-profile vendor like SolarWinds, sensationalizing long-known supply chain breaches, shows a critical weakness.  The best-of-breed products and the best talent alone are not enough to secure an organization.  External IT auditing is necessary for all businesses using internet technology.

All large organizations produce financial statements.  These statements are created by accountants and finance professionals based upon information provided to them by staff at the organization.  This information consists of such things as inventory levels, sales, appraisals of real estate and other assets, and cash flows.

The accuracy of financial statements is critical, not only to the organization itself but to its investors and creditors.  Markets must have absolute confidence in those financial statements.  Any lack of trust will substantially increase financial risk.

Because accuracy of financial statements is seen as so critical, the data underlying them is regularly audited by two teams.  One team of auditors is internal, doing physical counts of inventory, reviewing banking and other financial documents, confirming the value of assets, and ensuring that accounting is done in accordance with generally accepted accounting practices.  These internal auditors are independent of the accounting professionals who prepare the statements and are empowered to question any data which might tend to make the financial statements inaccurate or misleading.

But checks on the preparation of financial statements do not stop there.  Large organizations also hire external auditors who report directly to the board of directors.  The external auditor is usually a major accounting firm, which produces a report of its findings.  For publicly traded companies, the report of the external auditors is made public and any exceptions to the company-produced financial statements are noted.

The combination of internal and external auditing is essential to market confidence.  It is absolutely required for any firm that wishes to sell equity or debt.  Even so, financial scandals can occur, but they are rare, and the perpetrators are always detected.  When those systems fail, the results can be devastating, such as the Barings Bank collapse, or the Great Recession.

All large organizations have IT departments staffed with professionals.  One of the tasks of an IT department head is to keep data secure.  They all employ some form of internal auditing of IT analogous to internal audit of financial statements.  Just like their counterparts on the financial auditing staff, they monitor the data produced by IT systems and look for anomalous activity that might indicate the presence of a security risk.

External auditing of IT systems seems to be quite rare, however.  It is not clear why, but it seems that there is a tragic lack of understanding of the importance of external IT auditing.  One of the reasons may be that IT software is proprietary and takes a considerable investment of resources.  Engineers and programmers do not like to give up secrets and do not work closely enough with internal IT auditing to allow needed oversight.

IT also changes at a rapid pace, as compared with accounting.  It is a challenge for a CEO or a board of directors to remain current with the latest trends in IT security.  This is where tighter internal and external IT auditing really pays off.

No IT system is immune from attack by an adversary with sufficient time and resources, such as a nation state.  The bad guys can concentrate their attack on a small part of an IT system, while the IT administrator must manage the entire infrastructure.  It is asymmetrical warfare, and the hackers will always score some victories.

The good news is that a system breach always leaves evidence.  A burglar can’t pry open a window without leaving a damaged frame behind to show the point of entry.  But many homeowners employ external security to detect such a breach as soon as possible so that damage can be minimized.  The bad news is that not only are the internal IT auditors incredibly busy, but if they designed and implemented the system, they will tend to have blind spots regarding its vulnerability.  This phenomenon is common, as when a person living near a busy highway stops noticing traffic noise after a while.

The recent FireEye breach shows us how critical external auditing is to any IT department.  FireEye is a piece of software that performs internal audits of IT systems.  Its purpose is to detect anomalous activity in a system.  Hackers who were apparently working for the Russian government managed to insert a piece of malware into a series of system updates performed from March until June of last year, and were then able to remotely control the malware for the purpose of gathering data from victims using the FireEye software.

FireEye was an extremely tough target, with a history of successfully doing battle with Russian government hackers.  According to Wired Magazine:

The company was the first, for instance, to tie the hacker group known as Sandworm—responsible for blackouts in Ukraine in 2015 and 2016 as well as the hyperdestructive worm NotPetya the following year—to Unit 74455 of Russia’s GRU military intelligence agency. FireEye also provided the first public evidence that the same GRU unit was responsible for the attempted sabotage of the 2018 Winter Olympics. All those attacks were later named in a US indictment of six Sandworm hackers unsealed in October.

Retaliation may have been part of the motive for targeting FireEye, but the fact remains that if FireEye can be hacked, anyone can be hacked.

We still do not know why the FireEye software was unable to detect the addition of malware to its update, but it is indisputable that the malware activity left clues in its wake.  With no apparent external auditing to detect those clues as they occurred, the hackers were able to infiltrate the systems of some 18,000 customers.

Tekmar provides both internal and external auditing services for organizations (but, obviously, not both for the same client).  When we are engaged as external auditors, our proprietary software is used to detect network activity resulting from breaches so they can be isolated and eliminated as soon as possible.  We work seamlessly with your IT department to help prevent and minimize damage caused by those who would do you harm.

Some businesses believe they are relatively safe from hacking because they don’t consider themselves valuable targets.  This is a misconception.  The 18,000 affected businesses weren’t the direct targets of the hack; the breach occurred because their internal auditing software was the target.  An uncompromised external auditing suite of software could have minimized the damage caused by the Russian government.

See a list of affected products here.