    EY

    Internship ITRA FSO

    September 21, 2016

    Internship ITRA FSO CONTENTS

    Contents

    1 Introduction (page 2)

    2 What we offer (page 3)
    2.1 Thesis support (page 3)
    2.2 Internships (page 3)
    2.3 International students (page 4)
    2.4 What we expect (page 4)
    2.5 How to apply (page 4)
    2.6 Contact (page 6)

    3 Subjects (page 7)
    3.1 Hijacking VOIP with Raspberry Pi (page 7)
    3.2 Evading sandbox/honey pots (page 8)
    3.3 Exploring ransomware (page 9)
    3.4 GDPR implementation risks (page 10)
    3.5 Incorporate honeypot data feeds in threat intelligence (page 11)
    3.6 Implementation of an automatic reporting tool (page 12)
    3.7 PSD2 & API security (page 13)
    3.8 BAD USB (page 14)
    3.9 Legacy systems security testing (page 15)
    3.10 Collect & improve password cracking methodology (page 16)
    3.11 Mobile penetration testing integrated guide (page 17)
    3.12 Maturity assessment framework (page 18)
    3.13 Development of planning software (page 19)
    3.14 Develop secure coding standard (page 20)
    3.15 Develop integrated checklist (page 21)
    3.16 Quantitative Security Risk Management methodology (page 22)
    3.17 Awareness Catalog (page 23)
    3.18 Privacy Catalog (page 24)
    3.19 Develop a country website (page 25)
    3.20 EMEIA Proposal Platform (page 26)
    3.21 Building an EMEIA cyber-security forum (page 27)
    3.22 Legal Watch for Information Security (page 28)
    3.23 Enforcing and controlling secure development within organizations (page 29)
    3.24 Extension hacking challenges framework and creation of workshops (page 30)
    3.25 Internal and External marketing campaign (page 31)
    3.26 Information Asset Management (page 32)
    3.27 Role-based access - information model (page 33)
    3.28 Identity & Access Management (IAM) Managed Service Offering (page 34)


    1 Introduction

    The purpose of this document is to explain the services EY IT Risk & Assurance FSO offers to potential thesis and internship students. EY IT Risk & Assurance (ITRA) FSO has been offering internships to Belgian and international students since 2006. Interns and thesis students have become our main pool of recruitment, as the profiles we look for are so rarely found via other recruitment channels. We aim at last-year students (Bachelor as well as Master) in the following subject fields: Computer Science, Informatics, Information Management, Telecommunication, Multimedia Management, Commercial Science, (Applied) Economics and Finance. However, as an innovative recruiter EY is always open to people with non-standard profiles, whom we would like to encourage to apply for internships or theses as well. Students with international interests, supported by their college or university's Erasmus program, may be interested in our internship opportunities in Spain (Barcelona) or Ireland (Dublin).


    2 What we offer

    Most undergraduate and postgraduate programs require their students to either write a thesis or do an internship. EY ITRA FSO offers services for both.

    2.1 Thesis support

    We support Professional Bachelor theses and Master theses. The biggest advantage of working as a consultant is the fact that you thoroughly get to study many different environments and their workings. We can offer you our client connections for your surveys, our software, hardware and lab environment for testing purposes, and our extensive experience on the subject matter you study. After an initial interview to determine our mutual interests, we assign a subject matter expert who functions as your primary contact. He or she will either help you with the questions you have, or provide the persons and resources you need. We can also proof-read draft versions of your thesis. It is important to note that we do not teach you basic writing or planning skills: it is your responsibility to deliver your thesis timely and in line with the college or university requirements. Our fields of expertise for thesis support are the following: Information Security, Business Continuity & Disaster Recovery, IT Audit and Risk Management. Further in this document you will find a list of topics we currently offer. This is however not an exhaustive list, and any topic you propose that is within our line of expertise will be taken into consideration. We strongly encourage people with out-of-the-box ideas, especially in the field of Information Security, to apply.

    2.2 Internships

    We support internships for Professional Bachelor students and Master students. Internship duration is minimum 8 weeks in Belgium, minimum 12 weeks abroad. In our profession, we work with confidential data that belongs to high-profile clients. Therefore we do not allow internship students to perform direct client work. Instead, they work project-based: they study a topic of their choice or build a tool for us to use. You work in our office in Brussels and on our infrastructure. Students with part-time jobs or other commitments can be allowed to work from home or one of our smaller offices (Ghent, Antwerp, Liège) if their project allows it, and after approval from their university or college. Our fields of expertise for internships are the following: Information Security, Data Analytics, IT Audit, Business Continuity & Disaster Recovery, and Risk Management. Further in this document you will find a list of topics we currently offer. This is however not an exhaustive list, and any topic you propose that is within our line of expertise will be taken into consideration. We strongly encourage people with out-of-the-box ideas, especially in the field of Information Security, to apply. Internship students do not earn a fixed wage, but transport costs are reimbursed and you receive a daily lunch allowance. Every year, EY organizes an international conference in the United States for its most prestigious internship students. Every student with an internship of at least 8 weeks stands a chance to be selected. Because generally the quality of our Belgian ITRA FSO internships is quite high, your chances to be selected are quite high as well. More information can be obtained via the contact details below.


    2.3 International students

    International students are offered the same as our normal thesis or internship students. EY has extensive experience in employing people from foreign countries, and can help you with the practicalities. We however do not provide administrative support, and expect your country's Erasmus program or other international exchange program to take care of this. Upon your arrival in Belgium, even before you start your internship, one of the ITRA FSO team members will be assigned as your "godfather" or "godmother", to help you with your settlement in Belgium.

    2.4 What we expect

    We expect enthusiasm, motivation, creative thinking and independence. Especially the latter is very important to us. Because we are highly committed to client work, we are not often in the EY office, and therefore not always there to hold your hand. Our internship students need the confidence to ask for us if they need us. We expect that you lead your project, and we guide you. If you ask for help, we will do whatever it takes to get you back on track, but we cannot do your research for you. Our experience taught us that we offer ideal thesis support and internships for mature students with a high level of independence that are committed to their studies. Many of our ex-interns and thesis students now work for us, and are willing to talk about their experiences on request. The legend goes that EY interns are expected to work evenings and weekends. This is however not the case: you do not work more than 8 hours a day (and only 6 on Fridays). If throughout the course of your project you realize it will not be completed timely, we help you in finding a solution. We prefer half-finished quality projects over completed but low-quality projects. Of course we will never send you home: if you want to spend 16 hours a day on your projects, you may do so using our environment and our equipment. You will receive a laptop that you can take home in the evenings.

    2.5 How to apply

    Students interested in thesis support can contact us for an interview, and if we have a mutual interest a primary contact will be assigned. This person will further provide answers to your questions and will fulfill your requests to the best of his or her efforts. Thesis support can be performed under contract or without contract. Under contract you receive a company laptop and the possibility to work in our secure environment. Without contract you are not allowed to work in the EY office, nor do you receive a laptop, lunch allowance, or transport cost reimbursement. We always work with nondisclosure agreements. Students interested in internships can contact us for an interview, and if we have a mutual interest are offered a contract. You receive an EY laptop, lunch allowance and transport cost reimbursement, and are expected to work full-time in our Brussels office. Working from home or from one of our local offices can be negotiated if your project allows it. Students interested in international internships can contact us for an interview. If we have a mutual interest, we organize a second interview with the internship coordinator in the country of your interest (currently you have a choice between Spain and Ireland). If you pass this second interview successfully, matters are handled further directly between you and the internship coordinator of your country of destination. You are then subject to the local regulations for internship students; however, the Belgian office can provide support upon request.


    2.6 Contact

    Please direct all your questions to the EY ITRA FSO Belgium Internship Coordinators. You can find the contact details below.

    Frederik Moonen
    EY ITRA FSO
    De Kleetlaan 2
    1831 Diegem
    Belgium
    Mobile: 0032 (0) 477 96 96 04
    E-mail: [email protected]

    Dieter Vandenbroeck
    EY ITRA FSO
    De Kleetlaan 2
    1831 Diegem
    Belgium
    Mobile: 0032 (0) 494 90 70 02
    E-mail: [email protected]


    3 Subjects

    3.1 Hijacking VOIP with Raspberry Pi

    During red team and ethical hacking tests we often leverage social engineering attacks and infected USB sticks. One of the attack vectors that could be interesting to get into the target network, or to extract interesting data out of the target network, is to use the existing Voice Over IP (VOIP) systems. Many of these systems have a direct outgoing connection to the internet, are based on the SIP and RTP protocols, are used as software installations on workstations and can be associated with a lot of traffic.

    The Session Initiation Protocol (SIP) is used to establish and maintain sessions. Once the session is set up, the Real-time Transport Protocol (RTP) is often used for the voice and video channel. By nature, RTP communication is unencrypted; although the secure variant (SRTP) is available, it is often not implemented or enforced.
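    The SRTP caveat above can be turned into a concrete check on the signalling. The Python below is an added example, not code from EY or from this internship subject: it parses the SDP offer carried in a SIP INVITE and reports media streams negotiated as plain RTP (no secure profile, or a secure profile without a=crypto or a=fingerprint key material). The SIP message, addresses and key material are constructed placeholders, and the flagging rule is an assumption about what a reasonable check looks like.

```python
"""Check whether a SIP session setup negotiates SRTP or plain RTP.

Added example, not part of the EY brochure: it inspects the SDP body of a
SIP INVITE (or 200 OK) and lists media streams that would carry plaintext
RTP, the unencrypted-by-default situation the text describes.
The SIP message at the bottom is a constructed sample, not a real capture.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class MediaStream:
    kind: str                     # "audio" or "video" from the m= line
    port: int                     # 0 means the stream was rejected
    proto: str                    # transport profile, e.g. RTP/AVP or RTP/SAVP
    crypto: List[str] = field(default_factory=list)  # a=crypto (SDES keys, RFC 4568)
    fingerprint: Optional[str] = None                # a=fingerprint (DTLS-SRTP, RFC 5763)

    @property
    def srtp(self) -> bool:
        # A secure profile alone is not enough: without key material the
        # endpoints cannot actually encrypt, so require SDES or DTLS keys too.
        if "SAVP" not in self.proto.upper():
            return False
        return bool(self.crypto) or self.fingerprint is not None


def split_sip(raw: str) -> Tuple[Dict[str, str], str]:
    """Separate SIP headers (lower-cased names) from the body after the blank line."""
    text = raw.replace("\r\n", "\n")
    head, _, body = text.partition("\n\n")
    headers: Dict[str, str] = {}
    for line in head.split("\n")[1:]:          # skip the request/status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def parse_sdp_media(sdp: str) -> List[MediaStream]:
    """Collect each m= section together with the key attributes that belong to it."""
    streams: List[MediaStream] = []
    session_fingerprint: Optional[str] = None   # a=fingerprint may be session-level
    for raw_line in sdp.splitlines():
        line = raw_line.strip()
        if line.startswith("m="):
            fields = line[2:].split()
            if len(fields) < 3:
                continue                         # malformed m= line, ignore
            port = int(fields[1].split("/")[0])  # "49170/2" style port counts
            streams.append(MediaStream(fields[0], port, fields[2],
                                       fingerprint=session_fingerprint))
        elif line.startswith("a=crypto:") and streams:
            streams[-1].crypto.append(line[len("a=crypto:"):])
        elif line.startswith("a=fingerprint:"):
            value = line[len("a=fingerprint:"):]
            if streams:
                streams[-1].fingerprint = value
            else:
                session_fingerprint = value
    return streams


def unencrypted_media(raw_sip: str) -> List[str]:
    """Describe every active media stream that was negotiated without SRTP."""
    headers, body = split_sip(raw_sip)
    if "application/sdp" not in headers.get("content-type", "").lower():
        return []                                # no SDP offer/answer to inspect
    findings = []
    for stream in parse_sdp_media(body):
        if stream.port == 0:
            continue                             # rejected stream, nothing flows
        if not stream.srtp:
            findings.append(f"{stream.kind} on port {stream.port}: "
                            f"{stream.proto} without SRTP key material")
    return findings


# Constructed sample INVITE: audio offered as plain RTP, video as SDES-SRTP.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:bob@voip.example SIP/2.0",
    "Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK776asdhds",
    "From: <sip:alice@voip.example>;tag=1928301774",
    "To: <sip:bob@voip.example>",
    "Call-ID: a84b4c76e66710",
    "CSeq: 314159 INVITE",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=alice 2890844526 2890844526 IN IP4 10.0.0.5",
    "s=-",
    "c=IN IP4 10.0.0.5",
    "t=0 0",
    "m=audio 49170 RTP/AVP 0 8",
    "a=rtpmap:0 PCMU/8000",
    "m=video 51372 RTP/SAVP 31",
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDER_BASE64_KEY_MATERIAL",
])

if __name__ == "__main__":
    for finding in unencrypted_media(SAMPLE_INVITE):
        print("plaintext media:", finding)
```

    Run over captured SIP signalling, the same check gives a defender an inventory of calls whose media is exposed in clear, which is the precondition for the traffic capture the subject describes.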

    For RTP channels multiple exploits are available. Because we don't use these exploits, the real benefit remains unclear. At this point, we want to investigate how easy it would be to hijack existing SIP and RTP sessions, to manipulate such sessions, and how easily such sessions can be used to siphon out large amounts of data.

    This topic is suitable for 1 student in the form of an on-site summer internship.

    Required skill

    The student has a good understanding of networking protocols and a basic understanding of SIP and RTP, and has experience in programming.

    Goals

    • Create a proof of concept Raspberry Pi that can be installed in a target network, that can automatically detect the VOIP systems and configuration, and that streams captured VOIP traffic to a back-end.

    • Validate the feasibility of using RTP as a covert communication channel, and what the best way to do so would be.

    • Research possible implementations in existing frameworks.

    • Create sufficient documentation on the created material for the team.


    3.2 Evading sandbox/honey pots

    Several (research) organizations have put dedicated honeypot systems online. These systems are designed to be attacked, and this information is used in malware and vulnerability research, to collect information on attack trends, etc. Attackers don't want to be discovered, and several techniques exist to identify honeypots (e.g. by checking the number of CPU cores).

    In the Metasploit framework there are specific techniques available to determine if an attack is being executed against a honeypot or on an actual target machine. More techniques are being developed and other frameworks might have such techniques already implemented.

    We seek to improve our exploit methodology to recognize honeypots on the fly with advanced and plug-and-play techniques. A nice addition would be to push this information back to the community and to bring improvements to the current tools and frameworks.

    This topic is suitable for 1 student in the form of an on-site summer internship.

    Required

    The student should have a strong knowledge of system security and programming concepts.

    Optional

    Knowledge in utilizing and expanding the Metasploit framework.

    Goals

    • Research existing honeypot detection and evasion techniques and their implementations in common frameworks (such as Metasploit).

    • Integrate existing techniques in our current exploit methodology.

    • Create sufficient documentation for team members.

    • Define new evasion techniques and test their feasibility.


    3.3 Exploring ransomware

    The growing threat of ransomware is reaching unforeseen levels, and the most concerning factor herein is its simplicity. While the concept is clear, the internal technical aspects of ransomware strains differ. In many cases vulnerabilities in the inner workings arise, rendering the malware ineffective (or at least less critical).

    Via online research on the inner workings and by reverse engineering selected ransomware, additional insight could be gathered on authors (level of skill) and the different techniques used. Additionally this information could help in our ability to deliver high quality attack intelligence.

    This topic is suitable for 1 student in the form of an on-site summer internship.

    Required skill

    We require someone with a profound knowledge of binary auditing, reverse engineering experience in vulnerabilities and exploitation, and a basic knowledge of cryptography. Knowledge of writing assembly and understanding compiler logic is considered a plus.

    Optional

    A good understanding of ransomware and its different variants (to be able to recognize the differences between multiple versions and highlight key similarities). To be successful you must have a fundamental curiosity about technology and be able to work completely independently.

    Goals

    • Collect extensive information on the most common variants of ransomware.

    • Create a sand-boxed virtual environment to be used during the reverse engineering processes.

    • Analyze the techniques used by the ransomware.

    • Elaborate on how to functionally improve a selected ransomware.

    • Create extensive documentation on your findings.


    3.4 GDPR implementation risks

    The current regulations involving privacy are sought to be replaced in 2018 via implementation of the General Data Protection Regulation (GDPR). This new privacy regulation enforces compliance across multiple countries instead of accepting the different legislations of each single country it is sharing traffic with. Moreover it has the potential to be more concrete and therefore bring clearer instructions on what the implementation should resemble.

    The impact of GDPR will have large consequences; however, we have no overview of the implementation specifics. What will the consequences be for the "Safe harbor" principle?

    This topic is suitable for 1 student in the form of an on-site summer internship.

    Optional skill

    We require someone with knowledge of recent changes in regulations around privacy laws and up-to-date knowledge of the current status of "Safe harbor".

    Goals

    • Research what the current status is

    • Research what type of infrastructures and data flows will be impacted

    • Describe the use case of a complete infrastructure environment including cloud based implementation

    • Summarize the economic benefits

    • Create sufficient documentation for participants and moderators


    3.5 Incorporate honeypot data feeds in threat intelligence

    Dynamic threat analysis is built on the input of multiple sources. These sources are often public, and additional logic engines are applied to the information to identify different topics and coherent information. Another information source is the analysis of honeypots, specifying what attackers are currently looking at and what the current threats are.

    Our current framework combines information from multiple data streams, mostly focused on publicly available data sources. Top priorities for better dynamic threat analysis are adding additional information sources (such as honeypots and private sources) and adding intelligence to bring together the information towards specific threats.

    This topic is suitable for 1 student in the form of an on-site summer internship.

    Required skill

    We require someone with a good knowledge of the paradigms of threat intelligence.

    Optional

    A decent understanding of honeypots.

    Goals

    • Create virtual honeypots based on existing frameworks.

    • Create a data feed of actions inside the honeypots: commands executed, malware samples dropped, exploit targets, etc.

    • Test the honeypots in private and public environments.

    • Bring together the information from honeypots and public information sources.

    • Create sufficient documentation for the security team.


    3.6 Implementation of an automatic reporting tool

    One of the most crucial, but also most time consuming tasks during any security assessment (such as a penetration test or red team test) is creating the report. This report is often the only end-result of such an assessment and is presented to management and above. Because such a report details all findings that came up during the assessment and because every environment (and thus its findings) is different, a lot of effort goes into each report.

    A wide variety of automatic reporting tools that could assist in creating a report exist, but we have no clear overview of the benefits and downsides of these tools. After a market analysis and selection of the best candidate we expect a complete implementation of a reporting aid that is capable of handling multiple report templates and is aligned with the SharePoint findings database.

    This topic is suitable for 1 student in the form of an on-site summer internship.

    Required

    We expect the student to have a keen eye for detail, a strong knowledge of word formatting / text creation and experience with common programming languages.

    Goals

    • Research the possible tools and create an overview of benefits and downsides.

    • Aid in the selection of a candidate.

    • Create an installer / installation with sufficient documentation.

    • Ensure all current templates are integrated and can be selected, updated and used.

    • Implement a link with the SharePoint findings database.

    • Create sufficient documentation for the security team.


    3.7 PSD2 & API security

    The Second Payment Services Directive (PSD2) introduces new regulations that will require banks to allow secure access to consented third parties who need to collect account information from a customer's account or to process a payment. A bank customer authorizes these third party providers so that they can receive added value from them, whether that be a global view of all their finances, or instant payments for their purchases. Banks have an opportunity to be the platform where customers and third party providers connect and create value.

    This topic is suitable for 1 student in the form of an on-site summer internship.

    Required skill

    The student preferably has a firm understanding of creating and securing an API.

    Goals

    • Perform a study on what the impact will be of the new PSD2 directive (privacy, security, fraud, …).

    • Evaluate existing security standards & technologies that can be used to implement PSD2 APIs

        – Auth, UMA, OpenID Connect, JWT, FIDO UAF
        – Open Bank project, W3C Payment standard

    • Formulate security requirements that can be used as a baseline for designing and developing new PSD2 compatible APIs

    • Create a secure POC payment API that fulfills the PSD2 requirements

    • Create sufficient documentation for participants and moderators

    • Update our pen-testing methodology to include best practices on assessing the security of payment APIs


    3.8 BAD USB

    Early 2015 researchers developed a technique to use the free firmware memory on a USB device. While the possibilities are limited due to the size of the memory, a small script can be loaded that would request and load the next piece of payload. Upon connecting the BAD USB the host will auto-magically load the memory of the BAD USB and thus execute the malicious script.

    A complete proof of concept is expected to be implemented into the physical penetration testing methodology.

    This topic is suitable for 1 student in the form of an on-site summer internship.

    Required skill

    The student preferably has a basic understanding of, and experience implementing, firmware-based software. This internship is aimed at students who can work independently.

    Optional

    The student has a basic understanding of protocols and has experience in programming.

    Goals

    • Collect extensive information on the most common implementations of BAD USB.

    • Create a BAD USB with implemented commander & receiver (to be used with a Command & Control server).

    • Test vulnerabilities on multiple agents through loading BAD USB related firmware.

    • Look for ways to further improve the memory usage of the USB stick.

    • Create sufficient documentation for the security team.


    3.9 Legacy systems security testing

    IT tends to focus on new systems and technologies, while IT Operations teams within FSO companies heavily rely on legacy systems. These systems often represent a large part of the code base of business critical applications; legacy systems therefore often represent a single point of failure.

    New systems are usually subject to periodic patch cycles and applications receive security updates, increasing the risk related with unauthorized access to customer data. Because legacy systems weren't always developed with security in mind, customer data can often more easily be accessed through these legacy systems (such as mainframes, old middleware, etc.).

    To paint the picture a little better, imagine a network where customer data is ultimately managed by legacy systems using software written 40 years ago, whereby systems running an operating system years past its end-of-life date exchange this data in clear text, leveraging services that have more holes than Swiss cheese, which should be accessible using internet APIs. Even though this legacy setup has been working rock solid for years, new attacks can change this paradigm.

    In the last years, the penetration testing community has been catching up with this issue through several new tools, techniques and methodologies. All of this has been possible without being forced to learn old programming languages or becoming experts in a mainframe architecture.

    This topic is suitable for 1 student in the form of an on-site summer internship.

    Required skill

    The student has experience in VM platforms and has basic understanding of legacy systems.

    Optional

    The student has experience with legacy systems and platforms.

    Goals

    • Research the most common implementation of legacy systems security testing.

    • Create a methodology that houses a cheat-sheet including a list of tools and how to utilize these.

    • Create a VM based on Hercules.

    • Test methodology & look for ways to further improve the methodology.

    • Create sufficient documentation for immediate use.


    3.10 Collect & improve password cracking methodology

    Every password dump, however embarrassing for the company and inconvenient for the users, provides interesting information on used passwords. Recent password dumps such as the 2016 LinkedIn, Tumblr, MySpace and Dropbox dumps could be used both by the offensive and the defensive side. Through research in the possible implementations of this information we seek to improve our password cracking methodology.

    New developments in secure password storage make us believe that the current password cracking approaches may become obsolete. To ensure we start preparing for dumps using improved hashing algorithms (think about bcrypt) and alternate precomputed hash tables (think about finger tables), we'd like an intern to investigate the possible approaches.

    This topic is suitable for 1 student in the form of an on-site summer internship.

    Required skill

    We require someone with knowledge on password analysis and encryption techniques.

    Optional

    An up-to-date knowledge of recent breaches and developments surrounding encryption.

    Goals

    • Collect extensive information on the most common breaches and algorithms

    • Analyze the techniques used by new hashing algorithms

    • Validate current implementations of finger tables for password cracking uses

    • Create sufficient documentation for participants and moderators


    3.11 Mobile penetration testing integrated guide

    During mobile application vulnerability assessments we use a checklist to keep track of all elements that can make or break the security of a mobile application. We are looking to expand our knowledge on this subject to have a deeper understanding of all pitfalls. To sustain this idea we want to build a complete and extensive mobile penetration testing guide that goes beyond common standards (like OWASP) and the currently available checklist; we want to create a guide that includes varying topics such as use cases or testing in different connection types. The guide should be implementable on a commonly utilized SharePoint platform.

    This topic is suitable for 1 student in the form of an on-site summer internship.

    Optional skill

    An overview of recent changes and markup in information security involving mobile application security.

    Goals

    • Collect all publicly available mobile application security testing guides

    • Execute a gap analysis on the previously acquired information and the current checklist

    • Research the previously executed mobile vulnerability assessments to identify additional information

    • Create a single mobile application security testing guide and accompanying checklist.


    3.12 Maturity assessment framework

    Security management is one of the most fundamental aspects in cyber security. Although the frameworks have matured over time, difficulties in the everyday use are still common. An implementation of the verinice tool might help in developing a maturity assessment framework that includes pre-made report templates, questionnaires, planning and evidence logs. Overall we are looking to expand an ISO 27000 based framework.

    • http://verinice.com/produkte/verinice/produktbeschreibung/

    • http://verinice.com/en/products/screenshots/

    This topic is suitable for 1 student in the form of an on-site summer internship.

    Required skill

    It is recommended to have a basic understanding of ISO27K and its implementations.

    Goals

    • Collect extensive information on a generic implementation of the verinice tool

    • Analyze the placement of verinice in an ISO27K assessment

    • Implement a proof of concept

    • Create sufficient documentation for participants and moderators


    3.13 Development of planning software

    Our cybersecurity team requires vast flexibility for planning software such as adding team members to new projects, swiftly adding new clients, mobile accessibility and role based access. Multiple planning tools or planning software are available on the market but are not meeting our expectations. An ideal implementation should retain a master version and a proposed updated version (to be validated / rejected towards the master version), should integrate with Outlook, trigger emails on changes and allow for easy project planning while keeping an overview based on people. Lastly, changes on a weekly basis should be easily extractable.

    To meet these requirements we expect a planning tool developed from the ground up that is able to be extended and integrated with other frameworks.

    This topic is suitable for 1-2 student(s) in the form of an on-site summer internship.

    Required skill

    We require someone who has experience with programming and has a basic understanding of network protocols.

    Goals

    • Collect all user requirements

    • Design a programming scheme and research all needed implementations

    • Develop a proof of concept

    • Implement and test the tool

    • Create sufficient documentation for participants and moderators


    3.14 Develop secure coding standard

    Awareness training revolving around the secure development life cycle (SDLC) starts with education on secure coding standards. These standards have to be up to date with the trends of popular programming languages and frameworks. We would like to have a clear overview of the present standards that are applicable to a snapshot of up-and-coming programming languages.

    Beyond this research, we want to develop a custom coding standard that is applicable to the languages used by our clients and to be able to analyze possible overlap with other current standards.

    This topic is suitable for 1 student in the form of an on-site summer internship.

    Required skill

    The student has to have experience with multiple recent programming languages and their complementary risks.

    Optional

    Experience with penetration testing.

    Goals

    • Research the current standards

    • Create a standard for the applicable languages used by clients

    • Create sufficient documentation for participants and moderators


    3.15 Develop integrated checklist

    Implementations of GDPR, ISO 27001-2, PCI DSS, HIPAA and other circulars describe multiple controls that facilitate becoming compliant with specific regulations. In a generic context these processes strive for the same goal or are to be executed in succession.

    We require an integrated control checklist that is capable of interlinking these processes, which will allow us to stress the importance of the processes and why our clients should work towards compliance.

    This topic is suitable for 1 student in the form of an on-site summer internship.

    Required skill

    The student should be able to work on an independent basis and have insight into modern privacy laws.

    Goals

    • Research candid privacy laws

    • Develop checklist which incorporates multiple processes

    • Create sufficient documentation for participants and moderators


    3.16 Quantitative Security Risk Management methodology

    There are two ways of calculating (and thus managing) information security risks: a quantitative approach (putting real monetary values on the risk) or a qualitative approach (a simplified approach, e.g. using a high-medium-low classification). Although the second approach is more popular (it is easier to implement and easier to use in a unified way by multiple people), there is an increasing demand for a proper quantitative methodology.

    We’d like a student to design a quantitative security risk management framework, linked into operational risk methodologies and with a clear focus on being highly quantified rather than qualitative.

    This topic is suitable for 1 student in the form of an on-site summer internship.

    Required skill

    • Strong mathematical skills

    • Clear affinity with information security risk management

    Optional

    • Experience with risk management

    Goals

    • A quantitative security risk management methodology

    • A calculation of common information security risks (inherent risk) and controls (including the residual risk)
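    As an added illustration (not part of this brochure) of the quantitative versus qualitative contrast above: the Python below prices a small constructed risk register in EUR, derives residual risk from the controls applied, and shows how much the high-medium-low banding hides. The thresholds, loss figures and control effects are constructed assumptions, not EY or industry reference values.

```python
from dataclasses import dataclass, field

# Qualitative bands (high/medium/low) as annual-loss thresholds in EUR;
# thresholds are constructed for this example, not a standard.
QUALITATIVE_BANDS = [(100_000.0, "high"), (10_000.0, "medium"), (0.0, "low")]

@dataclass
class Control:
    name: str
    frequency_reduction: float = 0.0  # share of incidents prevented, 0..1
    impact_reduction: float = 0.0     # share of per-incident loss avoided, 0..1
    annual_cost: float = 0.0          # EUR per year to run the control

@dataclass
class Risk:
    name: str
    sle: float                    # single loss expectancy, EUR per incident
    aro: float                    # annualized rate of occurrence, per year
    controls: list = field(default_factory=list)

    def inherent_ale(self) -> float:
        """Annualized loss expectancy before controls: SLE x ARO."""
        return self.sle * self.aro

    def residual_ale(self) -> float:
        """ALE after controls; each control scales frequency and/or impact."""
        aro, sle = self.aro, self.sle
        for c in self.controls:
            aro *= 1.0 - c.frequency_reduction
            sle *= 1.0 - c.impact_reduction
        return aro * sle

    def control_cost(self) -> float:
        return sum(c.annual_cost for c in self.controls)

    def rosi(self):
        """Return on security investment: (risk reduction - cost) / cost."""
        cost = self.control_cost()
        if cost == 0:
            return None
        return (self.inherent_ale() - self.residual_ale() - cost) / cost

def qualitative_band(ale: float) -> str:
    """Map a monetary ALE onto the high/medium/low label a qualitative method uses."""
    ale = round(ale, 2)  # avoid float noise right at a threshold
    for threshold, label in QUALITATIVE_BANDS:
        if ale >= threshold:
            return label
    return "low"

def portfolio_totals(risks: list) -> dict:
    """Monetary figures add up across risks; qualitative labels do not."""
    return {"inherent": sum(r.inherent_ale() for r in risks),
            "residual": sum(r.residual_ale() for r in risks),
            "control_cost": sum(r.control_cost() for r in risks)}

# Constructed sample register: all three risks sit in the same qualitative
# band inherently, yet differ by more than a factor of five in EUR terms.
SAMPLE_RISKS = [
    Risk("Phishing leading to credential theft", sle=40_000, aro=2.0, controls=[
        Control("awareness training", frequency_reduction=0.5, annual_cost=8_000),
        Control("MFA on remote access", impact_reduction=0.9, annual_cost=15_000)]),
    Risk("Ransomware on a file server", sle=250_000, aro=0.2, controls=[
        Control("offline backups", impact_reduction=0.8, annual_cost=12_000)]),
    Risk("Lost unencrypted laptop", sle=30_000, aro=0.5, controls=[
        Control("full-disk encryption", impact_reduction=0.95, annual_cost=3_000)]),
]

for r in SAMPLE_RISKS:  # prints name, inherent band, inherent and residual ALE in EUR
    print(r.name, qualitative_band(r.inherent_ale()), round(r.inherent_ale()), round(r.residual_ale()))
```

    Every inherent risk here is "medium", so a qualitative register would rank them equally; the monetary figures show an 80,000 versus 15,000 EUR gap and let the residual exposure and control cost be summed across the portfolio.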


    3.17 Awareness Catalog

    The security awareness material is divided into multiple documents and scattered over outdated templates. We need to collect this information in a unified platform that is built from the ground up, including functionality that allows specific categories and parts of this catalog to be extracted and shared in multiple formats. While integrating the collected information a specific structure must be maintained, so that categories/topics can be used to achieve a long-term and organized environment.

    This topic is suitable for 1 student in the form of an on-site summer internship.

    Required skill

    We require someone who has experience handling large amounts of clustered information and has experience working with SharePoint.

    Optional

    The student must have insight into privacy awareness information and how this should be categorized.

    Goals

    • Collect user requirements

    • Research possible implementation

    • Build the platform

    • Collect and categorize the information


    3.18 Privacy Catalog

    The privacy material is divided into multiple documents and scattered over outdated templates. We need to collect this information in a unified platform that is built from the ground up, including functionality that allows specific categories and parts of this catalog to be extracted and shared in multiple formats. While integrating the collected information a specific structure must be maintained, so that categories/topics can be used to achieve a long-term and organized environment.

    This topic is suitable for 1 student in the form of an on-site summer internship.

    Required skill

    We require someone who has experience with programming.

    Optional

    The student must have insight into privacy awareness information and how this should be categorized.

    Goals

    • Collect user requirements

    • Research possible implementation

    • Build the platform

    • Collect and categorize the information


    3.19 Develop a country website

    We would like to redevelop the www.ey.be website using standardized development cycles and up-to-date concepts. Furthermore it should incorporate the means to publish all the necessary information that is agreed with our team from BeNe. The published content has to be reviewed and rewritten. The website should be integrated with a content management system that is easily accessible and has to integrate with the current infrastructure.

    This topic is suitable for 1 student in the form of an on-site summer internship.

    Required skill

    We require someone who has experience in developing websites that are integrated with a CMS.

    Optional

    Skills regarding mobile content development are seen as optional.

    Goals

    • Collect user requirements

    • Build a POC

    • Integrate the necessary information

    • Create sufficient documentation for participants and moderators


    3.20 EMEIA Proposal Platform

    We would like to improve our current SharePoint that houses all of the Belgian proposals related to cybersecurity. Herein we need to redefine the conventions around how we tag and collect proposals, but also how we will include them in a new system. Since this influences the way we work, our current and future methodologies should be checked with the rest of our colleagues of the BeNe team.

    A possible integration towards an EMEIA-wide SharePoint should not be neglected, as support for ongoing initiatives leads us to believe that this need might arise in the future.

    This topic is suitable for 1 student in the form of an on-site summer internship.

    Required skill

    We require someone with a good knowledge of maintaining and controlling SharePoint instances, who has experience with programming and has a basic understanding of network protocols.

    Goals

    • Collect user requirements

    • Create a POC of the SharePoint instance

    • Create a tagging schema

    • Automatize the tagging schema

    • Develop integrations towards possible EMEIA deployment

    • Create sufficient documentation for participants and moderators


    3.21 Building an EMEIA cyber-security forum

    Our current method of contacting EMEIA cyber-security colleagues consists of several mailing lists. This process is intended to reach a lot of people, but very few people can respond due to inconsistent mail threads. Furthermore, this process does not always reach the necessary or adequate people.

    Therefore we want to develop a secure and externally accessible forum for technical/non-technical questions (resembling http://stackoverflow.com/) in which questions around client engagements can be asked without fearing the NDA breach a public forum might entail.

    This topic is suitable for 1 student in the form of an on-site summer internship.

    Required skill

    We require someone with a strong knowledge of programming and a basic understanding of network protocols.

    Optional

    Up-to-date knowledge of forum implementations on SharePoint is not a must, but will eventually aid the student in the implementation phase.

    Goals

    • Collect user requirements

    • Create a POC

    • Implement user authentication

    • Research possible implementations which are accessible within the EMEIA service lines

    • Create sufficient documentation for participants and moderators


    3.22 Legal Watch for Information Security

    Organizations based in Belgium must comply with a plethora of laws and regulations, not only on a local level but also in a European context. A violation of information security legislation can have grave consequences, ranging from reputational damage and a small investigation by the regulator to enormous financial penalties.

    We are looking for a student who can skim through existing and upcoming regulations and apply them to the context of information and IT security. This should result in an overview of applicable (parts of) laws and regulations on a local, Belgian, European, or even global level, applicable to organizations in the financial sector.

    Once completed, we would like our student to translate what is said in the law into concrete statements on how an organization can implement certain measures to legally comply.

    This topic is suitable for 1 student in the form of an on-site summer internship.

    Required skill

    We require someone with excellent English (all our deliverables are in English) and Microsoft Word skills, an interest or background in law, and an interest or background in information security.

    Optional

    Knowledge of legislation specific to the financial sector (Belgium and Europe).

    Goals

    • Extensive understanding of the current and upcoming laws and regulations on the different levels related to information and IT security.

    • A complete overview of laws and regulations on different levels applicable to organizations in the financial sector.

    • An extensive document stating how an organization can implement certain measures to legally comply.

    • (If the opportunity arises and time allows it) Organize a presentation or workshop for all EY colleagues to inform them of all upcoming regulations, separated by level. Create a clear presentation with sufficient notes so that it can also be used in other offices.


    3.23 Enforcing and controlling secure development within organizations

    Companies these days already face the responsibility of complying with numerous security measures. Although companies are becoming increasingly aware of their security responsibilities, a proactive approach to developing applications in a secure manner is lacking. This topic is research-based, and should result in the description of a way of enforcing and controlling secure development by companies.

    This topic is suitable for 1 student in the form of a written thesis; a part-time on-site internship is required.

    Required skill

    We require someone with excellent programming skills and a basic knowledge of software development lifecycle management (though experience is not required).

    Goals

    • Extensive understanding of principles of secure development.

    • Extensively describe the principles of secure development in the written paper in an understandable way, both for people with an IT technical background and people with a business background.

    • Describe the advantages of secure development being enforced within organizations.

    • Describe possible disadvantages (especially on the business side) of enforcing secure development principles.

    • Design a model that allows an organization to enforce and especially control secure development.

    • (If the opportunity arises and time allows it) Apply the theoretical model to a real-life organization as a test, and improve the model based on the results.


    3.24 Extension hacking challenges framework and creation of workshops

    EY has created a proprietary hacking challenges framework, which will be used during proprietary internal training and external workshops. This framework is developed to be used with a wide variety of challenges and challenge mechanisms, each targeted at specific skills and at a specific target (including services, DMZ, offline crypto challenges, etc.).

    We are looking for an internship student to create a wide array of hacking challenges in multiple categories and for different levels. These challenges should be easily usable in a workshop format or in a competition.

    This topic is suitable for 1 or 2 students in the form of a written thesis; a part-time on-site internship is required.

    Required skill

    We require someone with experience in programming and (at least) a basic knowledge of vulnerabilities and exploitation.

    Optional skill

    An extensive knowledge of vulnerability detection / exploitation in one or more categories is considered a plus (web applications, infrastructure, wireless networking, cryptography, steganography, reverse engineering, etc.).

    Goals

    • Create multiple hacking challenges in multiple categories and for different levels.

    • If the current framework has limitations, extend the framework.

    • Work out workshops aimed at different audiences (e.g. first introduction to web application security, red/blue team training, etc.).

    • Create challenges that only have 1 solution.


    3.25 Internal and External marketing campaign

    Most people understand the value of proper marketing, usually with regard to a specific product shown to everyone willing to see it (or not able to evade it). The EY FSO security team also understands this value, and is looking at a way to create a marketing campaign, targeted internally and externally.

    Many people know EY, and most of them will know EY as ‘one of the big 4’, an accounting firm. Although there’s nothing wrong with this, there’s more to EY (and the security team) than this. In order to ensure that colleagues, potential recruits and clients know what we do, the security team is looking into launching an internal and external marketing campaign. An intern would play a big role in this story, creating a marketing plan and starting the implementation (think about social media, press coverage, videos, etc.).

    This topic is suitable for 1 student in the form of an on-site summer internship.

    Required skill

    We require someone with a relevant background (marketing, communication, etc.) and an interest in technology.

    Optional

    Experience in setting up / maximizing the benefit of social media accounts is considered a plus.

    Goals

    • Create a marketing plan for both internal and external marketing.

    • Set up relevant social media accounts, aligned with a specific strategy on usage and content.

    • Creation of press material and a contact list.

    • Creation of (animated) videos.

    • Other implementations from the marketing plan.


    3.26 Information Asset Management

    Companies manage information assets on different levels: from data to applications and business processes. The goal of the internship is to perform research on which levels of information assets need to be controlled / managed by a financial services organization, who should have ownership and what tooling exists to manage each type of information asset.

    The topic is heavily research-based. We expect the student to analyze existing best-practice frameworks to come to a conclusion on how these could be applied in practice.

    This topic is suitable for 1 student in the form of an on-site summer internship. There is a possibility to combine this subject with the ‘Role-based access - information model’ subject and to link both subjects. In this case, it could be a combined effort of two students.

    Required skill

    Basic understanding of IT architecture and ability to work independently.

    Goals

    • Benchmark different best practice frameworks.

    • Summarize and conclude which information asset management model would best suit a financial services company.

    • Describe roles & responsibilities for each information asset layer.

    • Research existing tooling and conclude which types of tools exist to manage information assets.


    3.27 Role-based access - information model

    Best practice model, ownership & tooling

    One of Identity & Access Management’s main concepts is Role-Based Access Control (RBAC). It allows an organization to efficiently distribute access based on a person’s job function, rather than their individual needs. For large organizations, this often means a large productivity gain, allowing easier attribution of access rights.

    Within a role-based access model, there are different layers of access that tie into each other. In effect, access is usually defined on different levels: organizational, departmental, functional, regional, etc. The goal of this project will be to define which levels are used in a best-practice model, and to describe how they tie in together.

    If possible, a link is made to the subject about Information Asset Management, connecting the different information asset components with the way access is defined.

    This topic is suitable for 1 student in the form of an on-site summer internship.

    Required skill

    Basic understanding of IT security and Identity & Access Management and the ability to work independently.

    Goals

    • Describe the concept of role-based access.

    • Outline which layers can be built into an RBAC model.

    • Describe the advantages and disadvantages of every layer.

    • Create a fictive scenario of a financial services company and describe which setup would be best.


    3.28 Identity & Access Management (IAM) Managed Service Offering

    Financial services companies are looking to outsource more and more of their operations to third parties. This is what they call ‘managed services’. The goal of this internship is to research and describe whether the same concept can be used for Identity & Access Management services: which services are offered or wanted on the market, and to what extent they are interesting for EY to offer.

    This topic is suitable for 1 student in the form of an on-site summer internship.

    Required skill

    The student should have a thorough understanding of Identity & Access Management and the ability to work independently.

    Goals

    • Describe the concept of ‘managed services’.

    • Describe how the concept could be applied to the Identity & Access Management domain.

    • Create an overview of IAM managed services that exist in the market.

    • Define managed services that do not exist yet, but that could potentially be interesting.

    • Assess which services are interesting for a consulting firm, such as EY.
