Pub. 13 2018-2019 Issue 3

WWW.NEBANKERS.ORG 18

TECH TALK
IS YOUR IT AUDIT FALLING SHORT?
Keith Laughery, CISA, CISSP, CoNetrix

One of the challenges community banks face in selecting an IT audit partner is the confidence that they are comparing apples to apples when reviewing security-testing proposals. Not only do the definitions of terms vary, but some audit firms sell an “IT Audit” that is nothing more than a GLBA regulatory compliance audit. Though confirming that your Information Security Program meets your examiners’ expectations is important, an audit without a thorough internal network assessment really is not an IT audit. Your technical controls, such as patch management, malware protection, user access controls, Internet content filtering and file access controls, are where the rubber meets the road. If these controls are not functioning as intended, it becomes a moot point that you have them faithfully listed in your InfoSec Risk Assessment and Policies. Assuming your IT Audit includes an internal vulnerability assessment, there are still vast differences in the nature and results of scans.

Authenticated Scans vs Unauthenticated Scans

Security testers worldwide routinely use vulnerability scanners to perform unauthenticated scans to find network threats. These scans find basic weaknesses and detect issues within operating systems, open network ports, services listening on open ports and data leaked by services. Unauthenticated scans provide insight into what an intruder without credentials could see. While this is a valuable perspective, it does not identify every weakness or vulnerability. Additionally, many ports and services do not like this interrogation process (by design) and will simply refuse to respond to the scanner’s queries.

An authenticated scan eliminates the need to probe. The vulnerability scanner can just log in and ask the operating system what’s installed, what’s running and where. Oliver Rochford (https://www.securityweek.com/z-vulnerability-management-authenticated-scanning) offers this excellent non-technical illustration:

Imagine you have a choice between opening a box and looking inside, or shaking and prodding it from the outside to guess what it may contain. Imagine further, if you fail to successfully guess the contents of the box, something bad may happen…something damning, damaging or dangerous. Which choice would you make?

So it is with unauthenticated vs. authenticated scans. Also called credentialed, logged-in or trusted scanning, an authenticated security scan is performed as a logged-in (authenticated) user. “Authenticated scans determine how secure a network is from an inside vantage point. The method finds many vulnerabilities that cannot be detected through an unauthenticated scan.” (Margaret Rouse – https://whatis.techtarget.com/definition/authenticated-security-scan)
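The coverage difference described above can be made concrete. The following is an added example, not code from the article or from any scanner vendor: it models one host with constructed banner, package and advisory data (the versions and "first fixed" values are made up for illustration, not real advisory data) and shows what each kind of scan is able to flag.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed example host. HOST_LISTENING: port -> banner returned to a remote
# probe (None = the service accepts the connection but refuses to identify itself).
# HOST_INSTALLED: what the OS reports when the scanner logs in and asks.
HOST_LISTENING: Dict[int, Optional[str]] = {22: "OpenSSH_7.4", 443: None, 3389: "RDP"}
HOST_INSTALLED: Dict[str, str] = {"openssh": "7.4", "openssl": "1.0.2k",
                                  "sudo": "1.8.19", "bash": "4.4"}

# Constructed advisory table (not real advisory data): product -> first fixed version.
ADVISORIES: Dict[str, str] = {"openssh": "7.9", "openssl": "1.0.2u", "sudo": "1.8.28"}


def version_key(version: str) -> Tuple:
    """Turn '1.0.2k' into a comparable key: digits compare numerically, letters lexically."""
    return tuple((0, int(t)) if t.isdigit() else (1, t)
                 for t in re.findall(r"\d+|[A-Za-z]+", version))


def is_vulnerable(product: str, version: str, advisories: Dict[str, str]) -> bool:
    """A product is flagged when its version is older than the first fixed version."""
    fixed = advisories.get(product)
    return fixed is not None and version_key(version) < version_key(fixed)


def unauthenticated_scan(listening, advisories) -> Tuple[List[str], List[int]]:
    """Remote view: only services that identify themselves in a banner can be checked.
    Returns (flagged products, ports whose service could not be identified)."""
    flagged, unidentified = [], []
    for port, banner in sorted(listening.items()):
        match = re.fullmatch(r"([A-Za-z]+)[_/ ](\d[\w.]*)", banner or "")
        if not match:
            unidentified.append(port)      # refused or version-less banner
            continue
        product, version = match.group(1).lower(), match.group(2)
        if is_vulnerable(product, version, advisories):
            flagged.append(product)
    return flagged, unidentified


def authenticated_scan(installed, advisories) -> List[str]:
    """Logged-in view: every installed package is checked, listening or not."""
    return sorted(p for p, v in installed.items() if is_vulnerable(p, v, advisories))


def coverage_gap(listening, installed, advisories) -> List[str]:
    """Vulnerable packages the unauthenticated scan missed on this host."""
    remote, _ = unauthenticated_scan(listening, advisories)
    return sorted(set(authenticated_scan(installed, advisories)) - set(remote))
```

On the constructed host the remote scan flags only OpenSSH and leaves ports 443 and 3389 unidentified, while the logged-in scan also catches the outdated OpenSSL and sudo packages that never announce a version over the network.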
