Information security is the most fascinating and gambling area of computer technology. There is a constant battle of “sword and shield”, means of attack and defense. But even the most powerful protection can be ineffective if you don’t know how to use it.
Cyber attacks on companies and authorities can cause immense damage. In order to contain the risk and be well prepared for an emergency, you as an internal auditor are particularly challenged. In order to really test how well the cybersecurity system works, a special method was developed, which is called a penetration test or pentest.
Cyber Security
The term “cyber security” only came into being a few years ago. Before that, there was the classic “IT security”. One aspect was certainly that the term cyber security is more contemporary and more appealing from a marketing point of view. The content of cyber security largely coincides with the content of “IT security”. In general, cyber security aims to protect the confidentiality, integrity, and availability of information against threats from cyberspace. In other words, it is about detecting cyber attacks as quickly as possible and minimizing the impact of attacks. The methods are largely the same as those used in traditional IT security.
Cybersecurity has been, is, and will continue to be a very important issue in IT testing. To prevent attacks on information systems, most companies perform security audits.
An information security audit is an independent assessment of the current state of security systems, establishing its level of compliance with certain criteria and providing the results in the form of recommendations. Information security audit allows you to get the most complete and objective information about the system, localize all existing problems and develop an effective program to build a system of information security and its organization.
As part of an information security audit or a separate project, testers can perform penetration testing by using special tools, which allows you to check the information system’s ability to withstand attempts to penetrate the system.
Penetration testing is necessary for detecting possible intrusion scenarios into a network with different purposes (hijacking of administrative rights in the domain database, etc.).
This type of testing allows you to get an objective assessment of how easy it is to perform unauthorized access to corporate network resources or company websites, through what vulnerabilities or other system flaws.
Performing penetration testing allows you to check the security level of your systems. An external penetration test is performed from public networks and replicates the behavior of an intruder. External penetration tests vary in scope.
Internal auditing and cyber security
In a world that is becoming increasingly complex due to technological progress and digitalization, both the risk and the impact of cyber-attacks are constantly increasing. According to a survey conducted by the BSI in 2017, around 70 percent of the companies surveyed said that they themselves had already been the victim of a cyber attack. Companies need to counter this risk by operating an IT infrastructure that is secured in line with the risk appetite. There should be processes and systems that provide an overview of the current security situation of the infrastructure at all times. In the event of an attack, the company should have plans in place to contain the attack and restore normal operations.
IT thus has highly complex tasks – errors are very likely. Therefore, there is an urgent need for oversight. In this complex environment, internal auditing is particularly called upon to safeguard the interests of the company. In terms of the “third line of defense,” Internal Audit acts as an additional security line behind IT operations and the CISO with IT compliance.
It is important to test employees on their awareness of the basic rules of information security. This can be done with the help of a social vector pentest. This will reveal how vigilant employees are about attachments, links from unverified sources, and calls from unauthorized people.
Cyber security test area
The essential goal of “cyber security” is to detect and contain a cyber attack as early as possible and then restore normal operations. Accordingly, this process, called the “Security Incident Management Process,” should be a core element of a cyber security audit.
In addition, other areas should be examined as part of an audit:
- The organizational level: it is examined whether the cyber security strategy and the organization fit the company’s aspirations and risk appetite. Other topics include security awareness, use of social media, IT outsourcing, cloud computing, and dealing with external service providers.
- The process level: IT processes that are essential for efficient cyber defense are analyzed: The procurement and management of IT assets, the secure operation of the IT infrastructure, emergency management, or “business continuity management”, to name just a few examples.
- The IT infrastructure: In accordance with the layer model, the IT infrastructure is assessed according to the specific requirements of cyber security. This ranges from applications, systems, and networks to network rooms and the data center.
When it comes to cyber security, you can also take a look at other departments in the company. For example, it is important to train employees so that so-called “social engineering” attacks, such as “CEO fraud,” come to nothing. This is usually the responsibility of human resources management. The physical security of buildings is also usually not the responsibility of the IT department. However, weakly secured buildings or industrial facilities are a popular entry point for cyber attacks by attackers.
This shows that cyber security is a typical “cross-cutting” topic, with a large scope of possible audit topics. Realistic planning of the audit scope is the basis for successful audit execution. There are a number of parameters to consider, depending on the company itself, the environment, legal requirements, and the auditors’ prior knowledge, among other things.