Security Audit Weaknesses Offer a Silver Lining

Technology and security pros generally view audits as bad news, especially when material findings are released to the public. Nevertheless, audit reports can also offer unique opportunities to improve. Here are some silver linings to consider.

by / October 14, 2018

Very disappointing, some might even say demoralizing, security findings were made public this week in a report from a U.S. Government Accountability Office cybersecurity study regarding the Defense Department’s newest weapons systems.

Why was this audit report created, and what was the scope? According to the report highlights:

“DOD plans to spend about $1.66 trillion to develop its current portfolio of major weapon systems. Potential adversaries have developed advanced cyber-espionage and cyber-attack capabilities that target DOD systems. Cybersecurity—the process of protecting information and information systems—can reduce the likelihood that attackers are able to access our systems and limit the damage if they do.

GAO was asked to review the state of DOD weapon systems cybersecurity. This report addresses (1) factors that contribute to the current state of DOD weapon systems' cybersecurity, (2) vulnerabilities in weapons that are under development, and (3) steps DOD is taking to develop more cyber resilient weapon systems.

To do this work, GAO analyzed weapon systems cybersecurity test reports, policies, and guidance. GAO interviewed officials from key defense organizations with weapon systems cybersecurity responsibilities as well as program officials from a non-generalizable sample of nine major defense acquisition program offices. …”

While the GAO did not make any recommendations at this time, the results of this study are quite alarming. Put more bluntly, all of the arguments about cybersecurity “return on investment” or “more justifications needed for stronger action” go out the window when this eye-opening report is read in detail.

Media coverage of the GAO report was widespread and (not surprisingly) harsh.

National Public Radio (NPR) offered major coverage starting with the headline, “Cyber Tests Showed 'Nearly All' New Pentagon Weapons Vulnerable To Attack, GAO Says.”

Here’s an excerpt: “Passwords that took seconds to guess, or were never changed from their factory settings. Cyber vulnerabilities that were known, but never fixed. Those are two common problems plaguing some of the Department of Defense's newest weapons systems, according to the Government Accountability Office. …

Drawing data from cybersecurity tests conducted on Department of Defense weapons systems from 2012 to 2017, the report says that by using ‘relatively simple tools and techniques, testers were able to take control of systems and largely operate undetected’ because of basic security vulnerabilities. …”

Silicon Angle went even further with the headline: “Audit finds Defense Department weapons are easy to hack.”

TheHill.com wrote: “The Department of Defense’s (DOD) weapon systems feature cyber vulnerabilities that leave them susceptible to attack, according to a new government report released Tuesday.

The Government Accountability Office (GAO) found in its audit of the Defense Department’s weapon systems that test teams were easily able to bypass measures meant to keep hackers out, and that in some instances just scanning for the vulnerabilities was enough to shut down the systems altogether.

The report also found that some agencies in the department were aware of some of the cyber vulnerabilities, but did not take steps to resolve them.

It was also determined that DOD does not know the extent of the cyber vulnerabilities, as some of the tests on the systems were limited or cut off early. …”

Need for Security Audit Lessons for All

No doubt, this new GAO report is not viewed as “good news” by most people in the military, in the defense contractors that built these weapons systems, in the halls of Congress or in the White House. But I am not ready to “throw stones” in this blog or call for firings or individual accountability. I’ll leave that for others at another time.

So why highlight this audit report now?

We can all learn from this GAO report. Read it. Afterwards, wait a day or two and read it again.

Yes — everyone in the technology and security industries and even in the general business community needs to take notice.

  • I am talking about public and private sectors.
  • I am talking about defense and civilian agencies within government.
  • I am talking about CxO leaders and workers on the front-lines.
  • I am talking about external auditors and internal auditors and those being audited.

Some readers are no doubt thinking: Wait! This report is about billions of dollars being spent on the most sophisticated weapons systems in the world — with the latest high-tech computers and artificial intelligence, robotics, smart systems and much, much more. How does this relate to my situation, to state or local government, or to my medium or small-size company?

Simply stated, if these vulnerabilities, hacking opportunities, weaknesses, human errors, management denials, process problems and systematic oversights and worse can happen in billion dollar systems, how much more are these same problems happening on your local office network(s)? How much more is this occurring in everyday life or in lower cost systems?

Answer: A LOT. We all need to pay attention. AND NOW!

These same challenges exist worldwide on networks small and large. No organization is exempt. While the attacks are no doubt different against the DoD, every network is being targeted by hackers and facing cyberattacks daily — even hourly or more.

Nevertheless, there is also still hope. There is a silver lining to these cybersecurity audit findings and reportable weaknesses. Let’s explore.

Quick History on Audit Lessons

First, this is not the first time, nor will it be the last, that this topic has come up. Back in 2011, when I was the Michigan government’s enterprise-wide chief technology officer (CTO), I wrote this article on how government agencies need to rethink their approach to audits. Based upon my experiences over my initial seven years as Michigan’s chief information security officer, I wrote about the vital role of these cybersecurity audits — even if you don’t like the outcomes.

Here’s an excerpt from that piece, “The breadth and depth of these challenges covered multiple agencies, programs and business areas. The scope seemed overwhelming and expensive. Staff complained that they couldn’t keep up with audits and day-to-day tasks. We needed a new strategic approach to legal and policy compliance. …”

Several others have written about learning from security audit findings. I like this small business blog from Randy Johnson: “In relationship to technology, Bill Gates has said, ‘We always overestimate the change that will occur in the next two years and underestimate the change that will occur in the next 10 years. Don’t let yourself be lulled into inaction.’ It is definitely wise to apply this thinking to security. Security will improve in the next 10 years, but the state of our computer security now is worse than it was 20 to 30 years ago. In the short term, expect many more bad events to happen to others, your clients, and possibly even you. …”

I also like the words of Jack Danahy of Barkly in the guide, Cybersecurity Made Simple, that today’s top cybersecurity issues are as follows:

  • Not knowing that a problem exists creates a security blind spot
  • Not knowing how to break down a problem
  • Not having the expertise to address the problem
  • Not having the resources necessary to carry out an action plan
  • Your arch nemesis is always organizational inertia

I also like these top five findings from many security audits conducted by Securit360:

  1. The “major issues” do not change
  2. Security is a moving target
  3. Most people like the “idea” of being secure

     It holds true that almost everyone likes the “idea” of being secure. However, far fewer actually want to take the steps to become “secure,” usually due to one or more myths:

     • Cost – they believe they require an expensive “widget” to achieve their security goals
     • Effort – the time/manpower simply does not exist (and cannot be prioritized)
     • Impact – the changes proposed will affect the user population too greatly
     • Denial – that will never happen to us OR we are already secure

  4. (False premise) That’s not “security” related…
  5. Gadgets and gizmos will not make you secure

Five Don’ts and Five Do’s Related to Security Audit Findings

So how do we take this lemon and make lemonade, based on my 30+ years of cybersecurity experience in the public and private sectors? I have gone through (and helped others traverse) many dozens of federal, state and local audits. I have seen all of these tactics used at various times — for better or worse.

Here are five things you should NOT do:

  1. Shoot the messenger. Overcome the natural temptation to see the auditors and authors of the report as enemies to be fought and disproven. Although painful, they are trying to help. You are on the same team.
  2. Ignore the audit findings, or delay and “run out the clock” to try to get out of town quickly before public disclosure. Others will make you the scapegoat if you do.
  3. Minimize the security findings by finding audit process faults and/or saying that the public (final) findings are untrue. If there are real audit issues, use these facts during discussions and negotiations on the problems (see below).
  4. Simply accept all findings and move on without truly understanding or properly addressing the weaknesses. Often this approach is accompanied by a “that was then, this is now” approach which says “that happened x years ago” and no longer applies. While sometimes this is true, don’t say it’s fixed if it is not.
  5. Consistently give cybersecurity audit finding action items a low priority or no funding or no staff time by quietly placing “operational concerns first.” While this sometimes may need to happen for a time, many organizations never “build a better firehouse or better process” because they are always “putting out fires.” This can become a catch-22 when the best people are always put on the biggest fires. To the contrary, have your best cyber pros building the best innovative processes and implementing tools that include a strategy that “kills many birds with one stone.” Include the closing of audit findings as part of these innovative projects.

Here are five things you SHOULD do:

  1. See the positive side of audits as a healthy check. See audit findings as a part of a healthy cyber ecosystem. Have a positive attitude. As stated above in the Jack Danahy cybersecurity guide, embrace the fact that you now know about these weaknesses — and can fix them.
  2. Work closely with the auditors and have constructive discussions, before, during and after audits. Negotiate the draft versions and cut ethical deals as necessary throughout the entire process.
  3. Build long-term, positive relationships with internal and external auditors to address past and current weaknesses. Think long-term. Look at trends. What’s best for the organization? I still get together with auditors all over the country years after changing jobs. I even get invited to speak at auditors’ training events regarding building cybersecurity culture.
  4. Build an audit action plan and make sure it is being worked and holes are being fixed. Leverage security audit findings and material weaknesses to get budget and priority and staff and other resources. New projects should be closing holes and include cybersecurity as part of the innovation process.
  5. Learn from others who have undergone audits — this includes peers, competitors, former auditors, associations, etc. Read case studies and see how others in the public and private sectors addressed similar problems. Benchmark with others as appropriate.

Final Thoughts

Over seven years ago, I ended the article on the benefits of security audits this way:

“Remember that although it may not feel like it, auditors can be helpful to your organization. Early audit findings surrounding cyber-security helped steer enterprise priorities. This audit action data allowed us to obtain funding for key security and infrastructure initiatives during difficult budget times. We even gave our auditor general the results of internal security assessments. By developing positive relationships and building trust with auditors, you can solve problems simultaneously — like obtaining compliance and strengthening security.

Leaders must follow through with audit remediation plans. Corporate memory is often lost with staff turnover, but remember compliance because the auditors won’t forget.”

After reading this latest GAO report on DoD weapon systems, I’d say we all need to refocus (and perhaps reprioritize) our cyber efforts. Just like in (U.S.) football, it may be back to the basics of (cyber) blocking, tackling, running, catching and throwing.

Sure, you may already know the basics. Nevertheless, it’s not happening nearly as much as most think. This GAO security audit is another wake-up call. But there is a potential silver lining.

Will you hit the snooze button?