On the Frontlines: Avoiding Cyber Hell
Christopher Kelly, DProf, FCA, PFIIA | Dec 14, 2022
About 40% of Australia's population, including Prime Minister Anthony Albanese, recently had their personally identifiable information and sensitive health insurance claims stolen by cyber intruders. As the host organization, Medibank, refused to pay the reported US$10 million ransom demand, customer and employee data has been leaked onto the dark web, where it can be used by yet more threat actors for phishing attacks, harassment, and blackmail. Australia's Medibank joins a long list of organizations that have suffered headline-grabbing cyberattacks, including Sony Pictures (2014), Ashley Madison (2015), Maersk (2017), SolarWinds (2020), JBS (2021), and Colonial Pipeline (2021).
Cyber now inhabits the military gray zone, with civilian organizations in the crosshairs. State-level cyber threat actors are skilled at finding ways to penetrate IT networks through technical exploits and social engineering. They aim big, and the results of their attacks are devastating. If you are a CAE at an organization that suffers a well-publicized cyberattack, expect to be quizzed by the board, executives, and, perhaps, the recruiter interviewing you for your next role.
Fortunately, due to internal audit's wide organizational remit, it is likely few in management can match our encyclopaedic knowledge of the same terrain cyber threat actors wish to exploit.
Internal audit has a valuable upstream role in spotting vulnerabilities and reducing the likelihood of a successful attack. So where to start?
While some may be tempted to recommend switching on a checklist of all available network cyber controls and installing layers of monitoring applications, doing so can create too many obstacles for users in sending emails and attachments, accessing the network, sharing files, using smart devices, and working from home.
In any case, even if all available controls are switched on, vulnerabilities would likely remain if over-constrained users find workarounds to bypass them to do their job, thereby further weakening cyber defenses.
A better approach follows the U.S. National Institute of Standards and Technology (NIST) Cybersecurity Framework advice to baseline the current cybersecurity profile and then conduct a risk assessment and gap analysis to prioritize the controls needed. The value of this exercise is amplified by engaging the board, the risk management team, the IT department, external specialists, and insurers.
In baselining the current cybersecurity profile, while the core business might be widely understood, organizations often have other business activities on the periphery or outsourced to external parties in the supply chain. This is where internal audit's wide remit is advantageous. If non-core business activities are not on management's radar, they may create weak entry points. These could include something as simple as databases managed by third parties for newsletters and customer loyalty schemes. We have found such databases lacking encryption, invisible to management, and holding more personal data fields than needed. Such data can be useful to cybercriminals for identity theft, derivative phishing attacks, and dissemination on the dark web at reputational cost to the host organization.
Once the business context is understood, it can be mapped onto the IT network diagram and IT asset register. This can illuminate the existence of end-of-life operating systems, firewalls, and applications. Since legacy systems often cannot be patched with up-to-date cyber controls like multifactor authentication, they make it easier for intruders to gain access using only an intelligently guessed login and a password reset by the friendly guys on the IT helpdesk — or through similar social engineering tricks. An up-to-date IT network diagram and asset register cross-checked against internal audit's intimate knowledge of the organization will help to bring these peripheral and legacy vulnerabilities to light.
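The cross-check described above can be automated once the asset register and the network diagram exist in machine-readable form. The following is an added example, not code from the article or from any organization it mentions: it joins a constructed asset register against a constructed list of hosts drawn on the network diagram, flags hosts that appear in one but not the other, flags operating systems past their end-of-life date, and flags legacy systems that cannot enforce multifactor authentication. Host names, the MFA-capability flags and the end-of-life table are illustrative assumptions (verify support dates against the vendor's lifecycle page before relying on them).

```python
"""Cross-check a network diagram against an IT asset register.

Added example for illustration; every input below is constructed.
"""
from datetime import date

# Constructed asset register: what the IT department says it owns.
ASSET_REGISTER = [
    {"host": "fw-edge-01", "type": "firewall", "os": "ExampleOS",
     "version": "6.2", "mfa_capable": True},
    {"host": "erp-app-01", "type": "server", "os": "Windows Server",
     "version": "2008 R2", "mfa_capable": False},
    {"host": "loyalty-db-01", "type": "database", "os": "Ubuntu",
     "version": "16.04", "mfa_capable": True},
    {"host": "mail-01", "type": "server", "os": "Windows Server",
     "version": "2019", "mfa_capable": True},
]

# Constructed network diagram: the hosts actually drawn on the network map.
# Note the newsletter web server that nobody registered as an asset.
NETWORK_DIAGRAM = {"fw-edge-01", "erp-app-01", "mail-01", "newsletter-web-01"}

# Constructed end-of-life table keyed by (os, version). Illustrative values;
# an auditor would confirm each date against the vendor's lifecycle page.
EOL_DATES = {
    ("Windows Server", "2008 R2"): date(2020, 1, 14),
    ("Windows Server", "2019"): date(2029, 1, 9),
    ("Ubuntu", "16.04"): date(2021, 4, 30),
    ("ExampleOS", "6.2"): date(2024, 12, 31),
}


def cross_check(register, diagram, eol_dates, today):
    """Return a list of (host, finding) tuples for the auditor's working papers."""
    findings = []
    registered = {a["host"] for a in register}

    # Hosts on the diagram that management has no asset record for: a
    # peripheral system nobody owns, patches or monitors.
    for host in sorted(diagram - registered):
        findings.append((host, "on network diagram but missing from asset register"))

    for a in register:
        host = a["host"]
        # Registered but not drawn: the diagram (and hence any segmentation
        # or monitoring plan based on it) is incomplete.
        if host not in diagram:
            findings.append((host, "in asset register but absent from network diagram"))

        # Legacy operating systems: no vendor patches for new vulnerabilities.
        eol = eol_dates.get((a["os"], a["version"]))
        if eol is None:
            findings.append((host, "no end-of-life date known; confirm support status"))
        elif eol <= today:
            findings.append((host, f"end-of-life OS {a['os']} {a['version']} "
                                   f"(support ended {eol.isoformat()})"))

        # Systems that cannot enforce MFA need compensating controls
        # (network isolation, monitored jump host, tighter password policy).
        if not a["mfa_capable"]:
            findings.append((host, "cannot enforce multifactor authentication; "
                                   "compensating controls needed"))
    return findings


def hosts_with_findings(findings):
    """Distinct hosts that need follow-up, for the summary to management."""
    return sorted({host for host, _ in findings})


if __name__ == "__main__":
    for host, finding in cross_check(ASSET_REGISTER, NETWORK_DIAGRAM,
                                     EOL_DATES, date(2022, 12, 14)):
        print(f"{host:18} {finding}")
```

Running it against the constructed data surfaces the unregistered newsletter server, the end-of-life ERP host that also cannot use MFA, and the loyalty database that is registered but missing from the diagram; the mail server and the firewall produce no findings. The same join logic applies to real exports, provided the register and diagram share a consistent host naming convention.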
A simultaneous benefit of this mapping process is that it can illustrate what an intruder could potentially access if they had global administrator privileges. An entirely flat network could allow a privileged administrator to reach all folders, files, email, intellectual property, and back-ups, to change the access rights of all other users, and to install new software. This is why global administrator privileges are a cyber threat actor's golden ticket.
Yet board members may be oblivious to the weaknesses of administrator accounts, which can include:
- Not being secured with multifactor authentication.
- Providing greater privileges than needed to junior IT personnel.
- Accounts that are not cancelled when administrative staff members leave the organization.
- Accounts generically shared for convenience between multiple administrators, sometimes including outside IT service providers.
Administrator account security can be hardened by ensuring each account is assigned to a named individual for a specific purpose and deleted once those privileges are no longer needed.
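The four weaknesses listed above, plus the hardening rule of one named owner and one documented purpose per account, can be turned into a repeatable audit test. The following is an added example, not code from the article: it reviews a constructed export of administrator accounts against a constructed HR leaver list and a constructed list of roles approved to hold administrator privileges, and reports every account that fails a test. Account names, roles and dates are illustrative assumptions; a real review would feed it the directory export and the HR leaver report.

```python
"""Review administrator accounts for the common weaknesses an audit looks for.

Added example for illustration; all accounts, roles and dates are constructed.
"""
from dataclasses import dataclass
from datetime import date


@dataclass
class Account:
    name: str
    owner: str          # user id of the named individual; "" if shared/generic
    role: str           # job role of the owner, from the HR system
    mfa_enabled: bool
    last_login: date
    purpose: str        # documented reason the account exists; "" if none


# Constructed export of accounts holding administrator privileges.
ACCOUNTS = [
    Account("admin-erp", "a.smith", "senior-sysadmin", True, date(2022, 12, 10),
            "ERP application administration"),
    Account("admin-shared", "", "", False, date(2022, 12, 12), ""),
    Account("admin-jdoe", "j.doe", "senior-sysadmin", True, date(2022, 6, 1),
            "Backup administration"),
    Account("admin-helpdesk2", "k.lee", "helpdesk-junior", True, date(2022, 12, 13),
            "Password resets"),
]

# Constructed HR leaver list: user ids of staff who have left the organization.
LEAVERS = {"j.doe"}

# Constructed list of roles management has approved for administrator rights.
APPROVED_ROLES = {"it-manager", "senior-sysadmin"}


def review_admin_accounts(accounts, leavers, approved_roles, today, stale_days=90):
    """Return {account name: [issues]} for every account failing at least one test."""
    findings = {}
    for a in accounts:
        issues = []
        # Weakness 1: privileged account not protected by MFA.
        if not a.mfa_enabled:
            issues.append("no multifactor authentication")
        # Weakness 4: generic account shared between administrators, so no one
        # can be held accountable for its actions.
        if not a.owner:
            issues.append("shared/generic account with no named owner")
        else:
            # Weakness 3: owner has left but the account was never cancelled.
            if a.owner in leavers:
                issues.append("owner has left the organization")
            # Weakness 2: privileges exceed what the owner's role requires.
            if a.role not in approved_roles:
                issues.append(f"role '{a.role}' not approved for administrator privileges")
        # Hardening rule: delete privileges once they are no longer needed.
        if (today - a.last_login).days > stale_days:
            issues.append(f"unused for more than {stale_days} days; remove if no longer needed")
        # Hardening rule: each account exists for a specific, documented purpose.
        if not a.purpose:
            issues.append("no documented purpose")
        if issues:
            findings[a.name] = issues
    return findings


if __name__ == "__main__":
    for name, issues in review_admin_accounts(ACCOUNTS, LEAVERS, APPROVED_ROLES,
                                              date(2022, 12, 14)).items():
        print(name)
        for issue in issues:
            print("  -", issue)
```

On the constructed data, the shared account fails three tests at once (no MFA, no owner, no purpose), the departed administrator's account is both orphaned and stale, and the junior helpdesk account holds privileges its role does not justify; the properly assigned ERP account produces no findings. The stale-account threshold is a judgement call: 90 days is a common starting point, and the parameter is there so the auditor can agree a figure with management.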
While appreciating the experiential insights outside consultants can bring, internal audit's inside familiarity with the organization, its supply chain, and its peripheral business activities gives it a vital edge in reducing the likelihood of successful cyberattacks.