© Institute of Internal Auditors 2019 1CONNECT WITH THE IIA CHICAGO CHAPTER: @IIACHI | #IIACHI | WWW.FACEBOOK.COM/IIACHICAGO | HTTPS://WWW.LINKEDIN.COM/GROUPS/1123977
Auditing Cyber Defense Technologies
STEPHEN HEAD | EXPERIS FINANCE
APRIL 1, 2019
Agenda
Cyber Risks
Endpoint Protection
Next-Generation Layer 7 Firewalls
Multifactor Authentication
Email Filtering
Vulnerability Scanning
Penetration Testing
Security Information and Event Management (SIEM)
Intrusion Detection (IDS)/Intrusion Prevention (IPS)
Security Operations Center (SOC)
Threat Intelligence
Computer Forensics
Cloud Security
Summary
Headlines Highlight Increased Risk
Pundits extol the costs of breaches and cyber attacks, but few offer anything beyond anecdotal data collected through surveys. According to the Ponemon Institute, as of 2018:
• $3.86 million is the average total cost of a data breach
• 6.4% increase in the total cost of a data breach since 2017
• $148 is the average cost per lost or stolen record
The only cost that truly matters is the one your organization must deal with!
Not IF, but WHEN You Will Be Attacked
Source: Ponemon Institute
Source: http://www.emc.com/collateral/other/emc-trust-curve-es.pdf
Data Losses Are Only One Aspect of a Broader Issue
Organizations Are Dealing With Multiple Impacts
What Regulators are Saying
• Cybercriminals can cause significant financial losses for regulated entities as well as for consumers whose private information may be revealed and/or stolen for illicit purposes.
• The number of cyber events has been steadily increasing and estimates of potential risk to our financial services industry are stark.
• Given the seriousness of the issue and the risk to all regulated entities, certain regulatory minimum standards are warranted.
Source: New York State DFS 23 NYCRR 500
German Steel Mill – Hackers struck a steel mill in Germany by manipulating and disrupting control systems, resulting in “massive” damage.
Hollywood Presbyterian Medical Center – Ransomware locked doctors out of patient records for more than a week. Hackers demanded $3.6M.
“. . . we fully expect a business to fail due to the financial consequences of a cyber-attack.” [1]
Cyber-attacks are costing businesses $400 to $500 billion a year. [2]
Cyber resiliency should be part of BCM efforts.
[1] Source: Lloyd’s insurer Aegis London
[2] Source: Forbes, “The Business of Cybersecurity: 2015 Market Size, Cyber Crime, Employment and Industry Statistics,” October 2015
Emerging Global Risk and Trends
Source: https://www.secureworldexpo.com/industry-news/cyber-risk-is-business-risk
Threat Actors:
• Nation State
• Hacktivists
• Lone Wolves
• Insiders
• Criminal Underground
Motives:
• Political Agenda, Military Agenda, Economic Harm
• Theft, Fraud, Ransom
• Political Agenda, Personal Agenda, Social Change
• Thrill Seeking, Personal Gain, Social Status
• Financial Gain, Social/Political Gain, Revenge
Attack Targets:
• Intellectual Property, Sensationalism, Critical Infrastructure
• Personal Information, Credit Card Data, Device Manipulation
• Corporate Sensitive Information, Key Employee Information
• Device Control, Vandalism, Harassment
• Device Control, Vandalism, Harassment
Risks:
• Competitive Impact, Service Disruptions, Design Disclosure
• Regulatory Sanctions, Lawsuits, Loss of Reputation
• Brand Damage, Business Disruption, Loss of Reputation
• Competitive Impact, Business Disruption, Loss of Reputation
• Business Disruption, Brand Damage, Personal Safety
Attackers, Targets and Motivations are Evolving
Each attack type is unique, but most have a similar structure. The right sensors, when monitored and acted upon, can prevent or detect attacks at each critical phase.
Anatomy of an Attack
Phases:
1. Planning/Information Gathering
2. Initial Attack and Breach
3. Establish Command and Control
4. Additional Exploitation
5. Data Exfiltration and Persistence
Example:
• Identify employees and contact information: information available on the internet; information coerced via various means
• Create a spoofed web site; send malicious link; wait for results
• Identify vulnerable systems, services, processes; gain access to internal network or systems
• Establish a means of controlling a “base” for gathering more network details and exploitation; malware takes effect
• Search for information sources; obtain additional credentials/authorizations; attempt additional exploits
• Remove or extract data obtained; avoid discovery
• Test for access, connectivity, conduct scans, identify resources
• Identify additional vulnerabilities, execute exploits, collect information
• Identify additional vulnerabilities
Endpoint Protection
This category consists of software that is designed to provide the necessary protections to prevent the endpoint (server, client, mobile device, etc.) from attacks by malware, bots, or intruders.
Modern endpoint protection software uses multiple methods to determine the identity of hostile or unknown software packages.
Symantec, for example, has a Host Intrusion Prevention System (HIPS) component.
Cylance uses a proprietary database of malware attributes and blocks software from executing when it detects a match against those attributes.
Endpoint Protection
Examples: Symantec, McAfee, Cylance
Audit Considerations:
• Distribution to all endpoints
• Endpoint detection settings
• Alerts generated from endpoint software
Next-Generation Layer 7 Firewalls
“Layer 7” capabilities indicate that the device can efficiently examine application-layer traffic and report any anomalies or malicious indicators.
According to Gartner, 75% of attacks now take place at the application layer.
A majority of recent vulnerabilities affect web applications.
Next-generation devices often incorporate features normally found in separate devices, such as intrusion detection, malware detection, sandboxing, etc.
Next-Generation Layer 7 Firewalls
Examples: Palo Alto, Check Point, Cisco and Fortinet
Audit Considerations:
• Failure to implement key features
• Proper sizing of hardware, features installed, and network throughput to ensure adequate capacity
• Lack of log retention, or no aggregation and correlation of logs
Multifactor Authentication
Multifactor Authentication (MFA) prevents identity theft by using two or more methods to confirm the identity of the user.
Many of the solutions perform MFA by providing a secondary “check” of the user’s identity: after the user successfully submits an ID/password combination, the solution communicates some form of code to the user, who must enter it into a portal or application provided by the solution. The code is verified on the backend to confirm the identity of the user.
Multifactor Authentication
Examples: Google Authenticator, LastPass Authenticator, Microsoft Authenticator, Okta
Audit Considerations:
• Exempting certain classes of users
• Access paths that bypass multifactor
• Authentication that pretends to be but is not truly multifactor
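An added example, not from the presentation, of the backend verification step described above: an RFC 6238 time-based one-time password (the scheme the authenticator apps named here implement) checked server-side with a constant-time comparison, a small clock-drift window, and replay rejection. The secret is the RFC's published test key and the step and digit settings are assumptions for the demo.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Constructed demo secret (the RFC 4226/6238 test key). A real deployment keeps
# a random per-user secret server-side and never logs or displays it again.
DEMO_SECRET = b"12345678901234567890"
STEP = 30      # seconds per time window (assumed; the common authenticator default)
DIGITS = 6

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = STEP) -> str:
    """RFC 6238: HOTP with the counter derived from the current time window."""
    return hotp(secret, unix_time // step)

def verify_code(secret: bytes, submitted: str, unix_time: int,
                window: int = 1, used: Optional[set] = None) -> bool:
    """Backend check of the code the user typed in.

    Accepts the current window plus `window` steps either side (clock drift),
    compares in constant time, and refuses a code already accepted in the same
    window when `used` (a per-user set of consumed counters) is supplied.
    """
    if not (submitted.isdigit() and len(submitted) == DIGITS):
        return False
    current = unix_time // STEP
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret, counter), submitted):
            if used is not None:
                if counter in used:
                    return False      # replayed code: second factor not satisfied
                used.add(counter)
            return True
    return False
```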
Email Filtering
This involves filtering incoming mail, identifying whether such mail is part of a phishing campaign, and automatically removing email from user mailboxes after the fact when it is later identified as malicious.
This would occur if the email was not identified as malicious when it was initially received by the organization’s email server, but was later flagged by the security industry as part of a criminal effort.
Filtering may also involve egress filtering of PII.
Email Filtering
Example: Proofpoint
Audit Considerations:
• Administration procedures should be formalized
• Filtering should encompass the entire enterprise and not just certain business units
• Filtering is tuned to minimize Type I (false positive) and Type II (false negative) errors
• Is PII subject to filtering?
Vulnerability Scanning
There are many commercial vulnerability scanners. Most of these are well designed and have robust research organizations supporting them. The best scanners not only indicate what vulnerabilities exist, but also provide guidance regarding the software vendor’s recommended fix for these issues.
Vulnerability scanning software allows the user to mark certain findings as either false positives or as accepted risk. Unfortunately, this feature is sometimes used to mask vulnerabilities that should be remediated.
Vulnerability Scanning
Examples: Nessus, Qualys, Nmap
Audit Considerations:
• Scans should not omit key infrastructure components
• Incorrectly designating vulnerabilities as “false positive” or “accepted risk” without proper vetting
• Scans should be conducted periodically (at least quarterly) and actionable items acted upon promptly
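An added audit test, not from the presentation, for the masking concern above: it walks a scanner export and flags every finding marked “false positive” or “accepted risk” that lacks a justification, a named approver, or an unexpired review date. The CSV columns and the sample rows are constructed for the demo, not any scanner’s native export format.

```python
import csv
import io
from datetime import date

# Constructed scanner export (generic CSV shape, not a Nessus or Qualys format).
SCAN_EXPORT = """\
host,plugin,severity,status,justification,approver,review_by
db01,SSL self-signed certificate,Medium,accepted_risk,internal-only listener,j.doe,2019-12-31
web01,Apache outdated,High,false_positive,,,
web02,SMBv1 enabled,High,accepted_risk,legacy app dependency,,2019-06-30
app01,Weak TLS ciphers,Medium,accepted_risk,compensating WAF rule,s.lee,2018-12-31
dc01,Unsupported OS version,Critical,open,,,
"""

EXCEPTION_STATES = {"false_positive", "accepted_risk"}
HIGH_SEVERITIES = {"High", "Critical"}
AUDIT_DATE = date(2019, 4, 1)   # assumed review date for the demo

def review_exceptions(export_csv: str, today: date = AUDIT_DATE):
    """Return (finding, problems) pairs for every exception that fails vetting.

    Open findings are out of scope here; they belong to the remediation check.
    """
    issues = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        if row["status"] not in EXCEPTION_STATES:
            continue
        problems = []
        if not row["justification"].strip():
            problems.append("no justification recorded")
        if not row["approver"].strip():
            problems.append("no approver recorded")
        if not row["review_by"]:
            problems.append("no review date")
        elif date.fromisoformat(row["review_by"]) < today:
            problems.append("review date passed; exception expired")
        if row["severity"] in HIGH_SEVERITIES and row["status"] == "accepted_risk":
            problems.append("high-severity risk acceptance; confirm management sign-off")
        if problems:
            issues.append((f'{row["host"]}: {row["plugin"]}', problems))
    return issues
```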
Penetration Testing
Penetration Testing, also called Ethical Hacking, is the process of ensuring that adequate security controls have been applied to the technological components of a system by attempting to subvert those controls.
With some of the newer pen testing tools, the user is not required to have any skills beyond learning the commands that must be run from the user interface – no programming, system administration, network administration, or other skills are needed. This may be overselling their capabilities.
Testers should hold a Certified Ethical Hacker (CEH) certification or have equivalent real-world experience.
Penetration Testing
Examples: Metasploit, Rapid7, Kali Linux
Audit Considerations:
• Sufficient time should be provided to perform the testing; otherwise it is not a true test
• Designating parts of the infrastructure as out-of-scope results in a less than complete pen test (usually omitting the worst offenders)
• Pen tests should be performed at least annually
Security Information and Event Management (SIEM)
Typically, log data is collected from every kind of technology possible in order to accumulate the maximum amount of data: firewalls, routers, smart switches, wireless access points, intrusion detection/prevention systems, antivirus/endpoint protection solutions, etc.
The result is:
• Real-time monitoring of all IT infrastructure
• Correlation of events
• Analysis and reporting of security incidents
• Integration with threat intelligence
• Centralized storage of logs
Security Information and Event Management (SIEM)
Examples: AlienVault, Splunk
Audit Considerations:
• The SIEM needs to be connected to all key infrastructure elements in order to be effective.
• The SIEM needs to be tuned with proper rules, or “use cases,” set up that instruct the SIEM on what to do with the data and how to label it with regard to the degree of risk.
• Lack of log retention or aggregation.
• Escalation procedures for notifications from the SIEM should be formalized.
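An added example, not from the presentation, of what a SIEM “use case” rule looks like in practice: a sliding-window correlation over constructed authentication log lines that labels a burst of failed logins as medium risk and a success following that burst as high risk. The log format, the five-failure threshold and the 60-second window are assumptions for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simple syslog-like shape (not from any real SIEM).
SAMPLE_LOGS = """\
2019-04-01T09:00:01 fw01 auth user=alice src=10.1.1.5 result=FAIL
2019-04-01T09:00:04 fw01 auth user=alice src=10.1.1.5 result=FAIL
2019-04-01T09:00:07 fw01 auth user=alice src=10.1.1.5 result=FAIL
2019-04-01T09:00:10 fw01 auth user=alice src=10.1.1.5 result=FAIL
2019-04-01T09:00:13 fw01 auth user=alice src=10.1.1.5 result=FAIL
2019-04-01T09:00:20 fw01 auth user=alice src=10.1.1.5 result=SUCCESS
2019-04-01T09:05:00 fw01 auth user=bob src=10.1.1.9 result=FAIL
2019-04-01T09:30:00 fw01 auth user=bob src=10.1.1.9 result=SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) auth user=(\S+) src=(\S+) result=(\w+)$")

def parse(lines: str):
    """Normalize raw lines into event dicts; unparsed lines are skipped here,
    though a production pipeline should count and review them."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, user, src, result = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "user": user, "src": src, "result": result})
    return events

def brute_force_rule(events, threshold=5, window=timedelta(seconds=60)):
    """Use case: `threshold` failures from one source inside `window`, then a success.
    Each alert carries the risk label the SOC will triage on."""
    alerts = []
    recent = defaultdict(list)      # src -> timestamps of failures still in the window
    for ev in sorted(events, key=lambda e: e["ts"]):
        fails = recent[ev["src"]]
        fails[:] = [t for t in fails if ev["ts"] - t <= window]   # expire old failures
        if ev["result"] == "FAIL":
            fails.append(ev["ts"])
            if len(fails) == threshold:   # fire once per burst, not on every extra failure
                alerts.append({"risk": "MEDIUM", "use_case": "password guessing",
                               "src": ev["src"], "user": ev["user"], "ts": ev["ts"]})
        elif ev["result"] == "SUCCESS" and len(fails) >= threshold:
            alerts.append({"risk": "HIGH", "use_case": "success after repeated failures",
                           "src": ev["src"], "user": ev["user"], "ts": ev["ts"]})
            fails.clear()
    return alerts
```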
Intrusion Detection (IDS) / Intrusion Prevention (IPS)
These devices have grown significantly in capability and complexity over the years, to the point where they can no longer be considered simply technology that detects and/or blocks traffic based upon certain attributes; they also have many other features that allow for prevention and analysis.
Modern deployments in this area are often categorized as “IDPS,” since they are intended to meet both the detection and prevention requirements. The value-add of IDS/IPS is the richness of the data that it can send to the SIEM.
Intrusion Detection (IDS) / Intrusion Prevention (IPS)
Examples: Products offered by McAfee, Darktrace, Trend Micro, Cisco
Audit Considerations:
• Sensors are not appropriately placed
• IDS/IPS is not being updated regularly
• IDS/IPS is not properly tuned (e.g., too many false positives caused the System Administrator to turn down the sensitivity, thereby negating the usefulness of the detective component)
• Lack of log retention or aggregation
Security Operations Center (SOC)
The focus of a SOC is to monitor for security incidents that occur and react to them in a timely manner.
Often, the SOC receives alerts about incidents from the SIEM, although there may be other channels through which data flows.
Once they receive a notification, the SOC analysts will examine the data received and try to determine a cause for the incident.
SOCs can be staffed in a number of ways. In many cases, a third-party security company is hired to provide coverage from a professional SOC facility.
Security Operations Center (SOC)
Examples: Can be internal or outsourced
Audit Considerations:
• Processes for triaging potential vulnerabilities and handling escalation of communications should be formalized
• Since this is a 24x7 operation, formal procedures for handoff of issues during shift change are important
• Service Level Agreements (SLAs) should be in place, with escalation depending on the severity of the event
Threat Intelligence
Threat intelligence provides access to technical and adversary intelligence collected by a vendor through thousands of monitored sensors and other proprietary mechanisms to give early warning of potential attacks.
It may also be integrated with sensors deployed at the perimeter of the organization’s own network, to provide a more complete picture of what is happening to other organizations and how that correlates with early signs that may be showing up in IDS/IPS alerts and firewall messages.
Threat Intelligence
Examples: FireEye, DeepSight, LookingGlass
Audit Considerations:
• Threat intelligence should be integrated into the SIEM and SOC in order to be useful
• Intelligence should be updated continuously, as attacks often appear first in time zones where the business day is just getting started
• The provider should have a sufficiently large footprint for its information to be useful
Computer Forensics
Computer forensics is the practice of using digital data and records to support an investigation into questionable behavior, be it criminal, civil, or corporate.
There are many categories of computer forensics. What they have in common is the gathering and correlation of evidence without destroying or otherwise tainting its usefulness should law enforcement be brought into the investigation.
Computer Forensics
Examples: EnCase, FTK
Audit Considerations:
• Users should have proper training in how to handle evidence and exercise proper chain-of-custody.
• In reviewing digital evidence, one must take special care to not taint the original. Often this means reviews should be performed against a copy of the media and never against the original.
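An added example, not from the presentation, of the copy-and-verify discipline in the last consideration: the original is hashed, a working copy is made, both are hashed again, and a chain-of-custody entry is appended, so any later change to either file is detectable. The evidence file, examiner name and log format are constructed for the demo; real acquisitions use a write blocker and the examiner's standard tooling.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

def hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def acquire_working_copy(original: str, copy: str, custody_log: str, examiner: str) -> dict:
    """Hash the original, copy it, re-hash original and copy, log the custody entry.
    The original is only ever opened for reading; examination proceeds on `copy`."""
    before = hash_file(original)
    shutil.copyfile(original, copy)
    entry = {
        "time": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner, "original": original, "copy": copy,
        "original_sha256_before": before,
        "original_sha256_after": hash_file(original),
        "copy_sha256": hash_file(copy),
    }
    entry["verified"] = before == entry["original_sha256_after"] == entry["copy_sha256"]
    with open(custody_log, "a", encoding="utf-8") as log:
        log.write(json.dumps(entry) + "\n")
    return entry

def still_intact(path: str, recorded_sha256: str) -> bool:
    """Re-verify a file against the hash recorded at acquisition time."""
    return hash_file(path) == recorded_sha256

def demo() -> dict:
    """Constructed evidence file in a temp directory; returns the outcome of each check."""
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "evidence.img")
        copy = os.path.join(d, "evidence-working.img")
        log = os.path.join(d, "custody.jsonl")
        with open(original, "wb") as f:
            f.write(b"constructed disk image contents\n" * 1000)
        entry = acquire_working_copy(original, copy, log, examiner="analyst-01")
        with open(copy, "ab") as f:          # simulate an accidental write to the copy
            f.write(b"x")
        with open(log, encoding="utf-8") as f:
            entries = f.read().count("\n")
        return {"verified": entry["verified"],
                "copy_tamper_detected": not still_intact(copy, entry["copy_sha256"]),
                "original_intact": still_intact(original, entry["original_sha256_before"]),
                "log_entries": entries}
```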
Cloud Security
Cloud providers will often have security services that either are included as part of the agreement or can be purchased separately.
Some of the areas that should be focused on when setting up service agreements include:
• Governance
• Compliance
• Availability
• Data Security
• Identity and Access Management
• Disaster Recovery and Business Continuity Planning
Cloud Security
Examples: AWS, Azure
Audit Considerations:
• What type of SOC report is available?
• What optional security features have been included in the contract (or omitted)?
• Have all contracted-for security features been implemented?
• How are cloud security features integrated into the SIEM and SOC?
Questions and Answers?
END OF PRESENTATION
Stephen Head, Director, IT Risk Advisory Services
Experis Finance, 704.953.6688
Thank you for your time and attention!
IIA CHAPTER CHICAGO | 59TH ANNUAL SEMINAR