2018 August KBA

One of the challenges community banks face in selecting an IT audit partner is the confidence that they are comparing apples to apples when reviewing security-testing proposals. Not only do the definitions of terms vary; some audit firms sell an "IT Audit" that is nothing more than a GLBA regulatory compliance audit. Though confirming your Information Security Program meets your examiners' expectations is important, an audit without a thorough internal network assessment really is not an IT audit. Your technical controls like patch management, malware protection, user access controls, Internet content filtering, file access controls, etc. are where the rubber meets the road. If these controls are not functioning as intended, it becomes a moot point that you have them faithfully listed in your InfoSec Risk Assessment and Policies.

Assuming your IT Audit includes an internal vulnerability assessment, there are still vast differences in the nature and results of scans.

Authenticated Scans vs Unauthenticated Scans

Security testers worldwide routinely use vulnerability scanners to perform unauthenticated scans to find network threats. These scans find basic weaknesses and detect issues within operating systems, open network ports, services listening on open ports and data leaked by services. Unauthenticated scans provide insight into what an intruder without credentials could see. While this is a valuable perspective, it does not identify every weakness or vulnerability. Additionally, many ports and services do not like this interrogation process (by design) and will simply refuse to respond to the scanners' queries. An authenticated scan eliminates the need to probe. The vulnerability scanner can just log in, ask the operating system what's installed, what's running and where.

Oliver Rochford (https://www.securityweek.com/z-vulnerability-management-authenticated-scanning) offers this excellent non-technical illustration. Imagine you have a choice between opening a box and looking inside, or shaking and prodding it from the outside to guess what it may contain. Imagine further, if you fail to successfully guess the contents of the box, something bad may happen…something damning, damaging or dangerous. Which choice would you make?

So it is with unauthenticated vs. authenticated scans. Also called credentialed, logged-in or trusted scanning, an authenticated security scan is performed as a logged-in (authenticated) user. "Authenticated scans determine how secure a network is from an inside vantage point. The method finds many vulnerabilities that cannot be detected through an unauthenticated scan." (Margaret Rouse – https://whatis.techtarget.com/definition/authenticated-security-scan)

Authenticated Vulnerability Scanning Advantages

If the value of authenticated scanning is still unclear, here are some benefits:

  1. Authenticated vulnerability scans identify vulnerabilities which are often undetected by unauthenticated scanning.
  2. Authentication allows the scanning tool to do its job better.
  3. Data harvested by authenticated scans is more accurate.
  4. Authenticated scans usually have less impact on a system – since the scanning tool is running with elevated privilege, ports and services respond without hesitation.
  5. Regulatory examiners are beginning to recommend authenticated scanning.

Now What?

First, you need to determine if your existing IT audit firm performs authenticated scans. If you have not been providing your IT auditor with a Windows Active Directory account with elevated privileges (such as Domain Admin group), your scans have been unauthenticated scans.
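One way to verify this from your own side, rather than taking the proposal's word for it, is to check whether the scanner account ever logged on to your servers during the scan window. The following PowerShell is an added example, not part of the original article; it assumes a hypothetical scanner account name and scan window, which you should take from the engagement letter, and runs on a Windows host that is in scope.

```powershell
# Added example (not from the original article): confirm that the audit firm's
# scanner account actually authenticated to this host during the scan window.
# Assumptions: the scanner account is 'svc-audit-scan' (hypothetical) and the
# scan ran on 2018-08-14 between 18:00 and 23:00; adjust to your engagement.
$ScanAccount = 'svc-audit-scan'
$Start = Get-Date '2018-08-14 18:00'
$End   = Get-Date '2018-08-14 23:00'

# Event ID 4624 is a successful logon. Credentialed Windows scans over SMB/WMI
# appear as network logons (LogonType 3) coming from the scanner's IP address.
$logons = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = $Start
    EndTime   = $End
} | ForEach-Object {
    # Pull the fields we care about out of the event's XML payload.
    $x = [xml]$_.ToXml()
    $d = $x.Event.EventData.Data
    [pscustomobject]@{
        Time      = $_.TimeCreated
        Account   = ($d | Where-Object Name -eq 'TargetUserName').'#text'
        LogonType = ($d | Where-Object Name -eq 'LogonType').'#text'
        SourceIp  = ($d | Where-Object Name -eq 'IpAddress').'#text'
    }
} | Where-Object { $_.Account -eq $ScanAccount -and $_.LogonType -eq '3' }

if ($logons) {
    "$(@($logons).Count) network logon(s) by $ScanAccount during the scan window:"
    $logons | Sort-Object Time | Format-Table -AutoSize
} else {
    "No logons by $ScanAccount in the window: this host was scanned unauthenticated."
}
```

Run it on a sample of in-scope servers (or the equivalent query in your SIEM); hosts with no logons by the scanner account were only ever probed from the outside.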

As you select an IT audit firm, in addition to performing authenticated vulnerability scans (confirm they will require the type of account described above), look for a firm:

  • Whose auditors are certified and experienced
  • Who will be a partner with you, patiently explaining previously unreported technical findings
  • Who will provide some guidance/recommendations for mitigating these new deficiencies

An IT Audit without an authenticated internal network vulnerability assessment is like fishing with a teeny, tiny hook or shooting a bow with crooked arrows. While you might catch a minnow or hit the target somewhere, you will surely miss the trophy fish and the bullseye.