Download - Final presentation january iia cybersecurity securing your 2016 audit plan

January IIA MeetingTopic: Cybersecurity - Securing Your 2016 Audit Plan

January 5, 2016

Agenda

• 2015 Major Published Cybersecurity Incidents• 2015 Global Threat Index• 2016 Threat Predictions• Facts & Figures• Potential Risks of Cyber-Attacks• 10 Cybersecurity Areas to Consider Auditing• Questions

2

3CrossCountry Confidential1/6/2016

What is Cybersecurity?

“Cybersecurity is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access.” - TechTarget.com

• Confidentiality: Protecting information from unauthorized disclosure

• Integrity: Protecting information from being modified by an unauthorized party

• Availability: Ensuring information is available to authorized parties when needed


2015 Major Published Cybersecurity Incidents

Q1• February – Anthem healthcare insurance firm databases hacked, containing 80 million customer’s personal data

• March – State Dept. is breached by Russian hackers and shuts down to remove malware

Q2• June – Office of Personnel Management hearings occur as result of 21.5 million names, addresses and social security numbers

hacked, some entire background checks were stolen.

Q3• July – Fiat Chrysler remote hack vulnerability affecting transmission and steering (recalled 1.4 million vehicles)

• July --The UCLA Health System discovered that hackers had access to 4.5 million patient’s health records

Q4

• November – Hilton acknowledges that customer’s credit card information was breached via malware on the point of sale system

• November – Pearson VUE credential system was successfully targeted, law enforcement and forensics are still analyzing


World Economic Forum2015 Global Threat Index

Technological (Purple):

• Critical Information Infrastructure Breakdown

• Cyber Attacks• Misuse of

Technologies• Data Fraud or Theft

Other:

• Failure of critical infrastructure

• Failure of Financial Institutions

• Terrorist Attack


Top Cybersecurity Risk Predictions for 2016

• Internet of Things (IoT) – Gartner predicts 21 billion online by 2020 (FitBitsto Refrigerators, Cars to Thermostats)

• Operational Technology (OT) – systems that operationalize utilities, power systems, water, etc. increasingly networked

• Artificial Intelligence (AI) – IT cognitive functions advancing in 2016, difficult to know human from computer communications

• Insider Threat – Roughly 75% of IT professionals are most concerned about malicious or negligent employees, and the FBI and DHS agree

• Cloud Provider Target – Increasing hacker targets beyond businesses and web servers

• Mobile Malware – “Malvertising”, injecting malicious adverts into legitimate online advertising networks

• eCommerce Banking – Google Wallet, ApplePay present new targets for hackers

• Healthcare Provider Data – Children in particular are lucrative targets, given the long-range benefit to hackers of a lifetime of identity theft


Facts & Figures

• 73% - Americans who have fallen victim to cybercrime (GadgetsAndGizmos.org)

• $3 trillion – the total global impact of cybercrime (ISACA)

• 556 million – people who fall prey to cybercrime annually, resulting in more than 232 million identities exposed (FBI Cyber Crime)

• 15 million – mobile devices—mostly Android—that are infected with malware (Alcatel-Lucent’s Kindsight Security Labs)

• 37.9% – US Web pages infected with malware (Inspired eLearning)

• 600,000 – Facebook accounts that are compromised each day (FBI Cyber Crime)

• 38% – smartphone users who have been a victim of cybercrime (2013 Norton Report)

• 1 in 5 – mature organizations that do not have a cybersecurity framework (FINRA Cybersecurity Report, 2015)


Potential Risks of Cyber-Attacks

• Major Risks include:• Loss of intellectual property• Breach of customer data privacy• Service and business interruptions• Damage to Information Technology infrastructure• Loss of brand value• Recovery and response costs• Loss of stock market value• Regulatory inquiries and litigation• Management distraction


Top 10 Cybersecurity Audit Considerations for 2016

1. Cybersecurity Framework2. Vulnerability Assessments3. Insider Threats4. 3rd Party Management5. Business Continuity & Disaster Recovery6. Data Governance7. Network Monitoring8. Cloud Security9. Mobile Security10. Security Awareness & Training


The stories you are about to hear are mostly true…

Names have been changed to protect the innocent.


1. Cybersecurity Framework

• What is it: A supportive cybersecurity structure that leverages and integrates industry-leading cybersecurity practices that have been developed by organizations like National Institute of Standards and Technology (NIST) and the International Standardization Organization (ISO).

• Why you should care: Cybersecurity frameworks provide an assessment mechanism that enables organizations to determine their current cybersecurity capabilities, set individual goals for a target state, and establish a plan for improving and maintaining cybersecurity programs.


Case Study: Cybersecurity Framework

“I thought having a cybersecurity framework would be a costly and time consuming process to adopt and implement. Things move so fast that we often don’t have time to consider yet another set of processes. Instead, we sustained a major data breach in a business area that we didn’t even realize was vulnerable, and the costs were exponentially higher than any framework would have been.”

Wellina Intentioned (CISO, Investment Group)

13

Cybersecurity Framework Audit Considerations

Stakeholder Cybersecurity Framework – Questions to Consider

Board/Audit Committee • What is the communication plan for cybersecurity issues and “tone at the top”?

• What cybersecurity or risk framework governs the organization?

Information Technology (IT)

• What cybersecurity or risk framework governs IT activities related to IT assets and staff, policies and procedures?

• How often are IT assets and documentation reviewed to ensure holistic risk assessment occurs related to a framework?

CISO • What cybersecurity or risk framework governs CISO activities related to IT assets and staff, policies and procedures?

• How often are IT assets and documentation reviewed to ensure holistic risk assessment occurs related to a framework?

Business Units • When selecting new systems or tools, do you engage with a change control board?

• What sort of approval is required to stand up new systems, tools or data types?


Cybersecurity Framework – Benefits & Considerations

• Benefits:• Reduces risk by identifying areas for improvement• Increases efficiencies and reduce the possibility of

miscommunication within your information security program and with other organizations such as partners, suppliers, regulators, and auditors

• Aids in holistic view of organizational cybersecurity risk

• Considerations:• It’s a framework, not a prescription • It provides a common language and systematic methodology for

managing cyber risk• It does not tell a company how much cyber risk is tolerable• Having a common lexicon to enable action across diverse set of

stakeholders


2. Vulnerability Assessments

• What are they: A process that defines, identifies, and classifies the security vulnerabilities in a computer, network, or communications infrastructure. In addition, vulnerability assessments can forecast the effectiveness of proposed countermeasures and evaluate their actual effectiveness after they are put into use. (http://searchmidmarketsecurity.techtarget.com/definition/vulnerability-analysis)

• Why you should care: Hackers can exploit vulnerabilities in your network and gain access to data. Common vulnerabilities are often widely know and easily exploited. Data breaches and other incidents are often crimes of opportunity, meaning hackers look for targets with specific vulnerabilities.


Case Study: Vulnerability Assessments

“We didn’t think we needed to perform monthly vulnerability assessments on all of our end user equipment, we have anti-virus and that should have caught all issues. We didn’t realize that there were vulnerabilities that our anti-virus software couldn’t detect, or that specialized tools existed to perform more in-depth security inspections.”

Ineda Clue (VP of IT, Non-Profit)

17

Vulnerability Assessments Audit Considerations

Stakeholders Vulnerability Assessments – Questions to Consider

Board/AuditCommittee

• Does your organization perform periodic vulnerability assessments?• Are you aware of any instances where vulnerabilities were exploited and

adversely affected your organization?


• How often do you perform periodic vulnerability assessments?• Are assessments performed internally or by external vendors?• Are there separation of duties between system owners and assessment

teams?• What mechanism are you using to keep track of open vulnerabilities?• Do the assessments consist only of vulnerability scanning or do they include

detailed penetration testing?

CISO • Do you regularly review the results of vulnerability assessments? • Do the results of vulnerability assessments drive changes in security

measures?• Are there separation of duties between the system owners and assessment

teams?• How are tools selected, relative to IT environment and CISO objectives?

Business Units • Are you aware of any open vulnerabilities in any of the systems that you utilize?

• Are you aware of any instances where vulnerabilities were exploited and adversely affected your group?


Vulnerability Assessments – Tools & Techniques

• Network Security (Routers, Firewalls, OS and Patch) Tools:• Tenable Nessus, Retina Security Scanner• Nmap, Wireshark• NIST & DoD Guides and Controls

• Operating System (Windows, Unix, Linux, Mac OS) Tools:• NIST & DoD Guides and Controls• Various automated scripts• Password Crackers (John the Ripper, Brutus, Medusa)

• Web Server (IIS, Apache, WebLogic, Web apps) Tools:• WebInspect, AppScan• NIST & DoD Guides and Controls

• Database (Oracle, MySQL, SQL) Tools:• AppSentry, AppDetective• NIST & DoD Guides and Controls


3. Insider Threats

• What is it: The risk that an internal user, maliciously or accidently, performs an action that compromises the confidentiality, availability, and/or integrity of an organization’s data.

• Why you should care: Since insiders inherently have easier access to data, losses resulting from insider threats are often more damaging than those posed by external parties.


Case Study: Insider Threat

“A vengeful employee recently reset a large number of our servers to factory settings after he found out he was losing his job. We could not conduct normal business operations for about 30 days, resulting in lost revenue totaling more than $500,000.”

Losta Lottawork (CISO, Oil and Gas Industry)

21

Insider Threats Audit Considerations

Stakeholders Insider Threats – Questions to Consider


• Have you been informed of the risks posed by Insider Threats?• Does your organization perform periodic security risk assessments with

consideration of Insider Threats?


• Do you utilize data loss prevention tools?• Is logging and monitoring performed on accounts with elevated access?• Do you have a process for controlling access to removable media?• Do you limit administrative access based on job responsibilities?• Is data appropriately encrypted?

CISO • Have you established a mechanism for reporting security issues?• Have there been any security issues related to Insider Threats?• Are you aware of common threat actors for your industry?

Business Units • Is separation of duties enforced for key activities?• Do you perform background checks on new hires?• Are you aware of warning signs for disgruntled employees?• Do you have a mechanism to report concerns of insider threat warning

signs?


Insider Threat – Data Loss Prevention Tools

• Data Loss Prevention Tools use automated means to detect and prevent data loss (offerings from Symantec, Intel, Websense, etc.)

• They can assist in identifying where sensitive data is stored and/or prevent senstive data from being transmitted via unauthorized means (e.g., email, thumb drive)

• These tools are often used to comply with standards such as HIPAA, PCI-DSS, and HITECH

• Tools can be perimeter-based or client-based

• Installing these tools requires a balance of cost, system performance, and effectiveness


4. 3rd Party Risk

• What is it: The potential risk that arises from institutions relying upon outside parties to perform services or activities on their behalf

• Why you should care: May reduce management’s direct control and can present risks if not properly managed

3rd Party Relationships

Reputation

Operational

TransactionCredit

Compliance

Other

Strategic


Case Study: 3rd Party Risk

“One of our outside service provider’s employees had some of our client data on an iPad that was stolen, and now it looks like we’re going to have to report this event to regulators in 40 countries. I hate to think what the impact of this is going to be.”

Ima Needajob (CISO, Media Company)

25

3rd Party Risk Audit Considerations

Stakeholders 3rd Party Risk – Questions to Consider

Board • How are vendors selected?• Who manages contracts, and how are cybersecurity considerations included

in contract language in event of data breach or loss?


• How often do you engage vendors?• How proactive are vendor system updates made?• How do vendors gain access to internal systems?• Who within IT reviews vendor systems for vulnerabilities?

CISO • Who are your vendors? • How well do you know and understand products and contracts?• What top risks are inherent to each vendor technology? • Who monitors these risks?

Business Units • Who are your vendors? • How well do you know and understand products and contracts?• Do you engage Board, IT and CISO when making vendor buying decisions? • What criteria is used in selecting vendors? Are criteria set across business

functions to ensure all requirements are met?


Managing 3rd Party Risk – Best Practices

• Develop a inventory of 3rd parties and classify them by potential risk

• Define governance and ownership • Build Service Level Agreements (SLAs) to hold vendors

accountable• Clearly define what data 3rd parties can and cannot access• Include audit rights clauses in contracts• Obtain and review independent service auditor’s reports if

applicable


5. Business Continuity & Disaster Recovery

• What is it: The processes and procedures an organization puts in place to ensure that essential functions can continue during and after a disaster. The term Disaster Recovery is often associated with the recovery of IT Infrastructure.

• Why you should care: Without Business Continuity and Disaster Recovery plans, there is a risk that data could be unavailable and potentially irretrievable in the event of a disaster, disrupting or permanently damaging business operations.


Case Study: Business Continuity Plan

“Our employees are competent, and I thought they would know what to do in an emergency. We did not have a Business Continuity Plan and the data center was flooded during Hurricane Sandy. It took us weeks to resume normal operations and a large amount of company data was unrecoverable.”

Tü Confident (CIO, Software Vendor)

29

Business Continuity Audit Considerations

Stakeholder Business Continuity – Questions to Consider


• Is there an organization-wide Business Continuity program that involves the key business areas?

• Have Business Continuity Plans been reviewed by management?


• Do you regularly test and update Business Continuity or Disaster Recovery plans?• Do you back up data to an offsite location, and have you tested the ability to restore from

those backups?• Do you have an off-site location that could be used to host your organization’s IT

infrastructure?

CISO • How are security considerations integrated into the Business Continuity strategy?• Would the integrity and/or availability of your data be compromised in the event of a

disaster?• What is the physical distance between primary and failover/backup location?

Business Units • Are you involved in the Business Continuity planning process?• Have you performed a business impact analysis (prioritization of business functions)?• Do you have a plan for resuming business in the event of a disaster?• Could your business functions resume without access to IT Infrastructure?• Do you have a chain of command or call list for use in a disaster?


Creating a Business Continuity Plan

Define the Scope

Identify Critical Business Functions, Key Processes, and Dependencies

Determine Acceptable Downtime for Business Functions

Develop a Recovery Plan (or Plans)

Periodically Test and Update the Plan(s)


6. Data Governance

• What is it: Data governance is a framework of roles and responsibilities, decision-making models, and standards/processes governing the management and use of data. Data governance addresses:• Who can take what actions • With what types of data• At what times • Under what circumstances (e.g., processes, requirements)• For what intended purposes

• Why you should care: Data is everywhere and it is important to consistently prioritize, assess, and manage risk associated with data across an enterprise. Consistent definitions of data and how data can be used will help to ensure good data quality and a balance between securing data and using data as a valuable asset.


Case Study: Lack of Data Governance

“We had inconsistent systems of record (SORs) and too many sources of data. We did not know where all of our data was located, and who had access to what, why or when. Additionally, historical data was determined to have been lost or disorganized during post merger or acquisition activities.”

Sam Dataman (CISO, Exploration & Production Company)

33

Data Governance Audit Considerations

Stakeholder Data Governance – Questions to Consider


• Is there a clearly defined and communicated vision and objective for the Data Governance program?

• How are the organization’s strategic mission and business objectives aligned with Data Governance objectives?

• Are there metrics to measure the success of Data Governance?• Has Data Ownership been clearly defined?


• Do automated tools facilitate Data Governance?• How do you ensure that Data Governance requirements and initiatives are

supported by technology?• How do you assist business units with ensuring that third parties meet Data

Governance requirements?

CISO • How do you collaborate with the Chief Privacy Officer?• Is security integrated into the Data Governance program?• Is Data Governance a driver for security?• Have Data Governance Roles and Responsibilities been clearly defined?

Business Units • Is it clear to your group what data you own?• Do you have retention policies for data in your group?• How do you communicate Data Governance requirements to third parties?


Data Governance – Best Practices

• Understand your data• Who utilizes it (need to know, confidentiality, separation of

duties)• What the data is (definition, integrity)• When it is required (availability)• Where it is located (System of Record (SOR)) • Why it is needed (need to know, role based access, value of

data and loss)• Understand your risk• Value of Data (Trade Secret, Loss, Corruption)• Sensitivity (Top Secret, Confidential, Public)


7. Network Monitoring

• What is it: The use of a system that continuously monitors a computer network for slow or failing components and that notifies the network administrator (usually via alert, email or other notification mechanism) in case of outages. Commonly measured metrics are response time, availability and uptime. Network monitoring tools can also be used to identify and/or prevent network security issues.

• Why you should care: Network Monitoring can save money in network performance, employee productivity, and infrastructure cost overruns. 24x7 monitoring and knowledge of network health and status information is critical to many businesses. Additionally, information gleaned from this capability area provides valuable insights into attack vectors, threats and trends for further investigation.


Case Study: Network Monitoring

“We didn’t think our network was big enough to justify using Network Monitoring tools and staff. Our system administrators were not able to respond rapidly enough to proactively respond to system failures in real time. We lost two weeks of work. We are still working on establishing lost revenue and work productivity.”

Nat Werk (CISO, Financial Services)

37

Network Monitoring Audit Considerations

Stakeholder Network Monitoring– Questions to Consider


• Are you aware of any network monitoring of IT assets?• Do you know how many times systems have failed or breaches have

succeeded?• Are these activities outsourced to a 3rd party?


• What network monitoring tools do you use?• Do you utilize Intrusion Detection Systems and/or Intrusion Prevention

Systems?• Have you established who will receive network alerts and defined an

escalation protocol?• Is network monitoring holistic to the entire IT enterprise, or are aspects of

systems segmented?

CISO • Are you made aware of issues identified through network monitoring?• How often do security and IT teams meet to discuss threats, trends and

failures related to infrastructure and network monitoring?

Business Units • To what extent do you rely on the network to function?• Are you aware of any of your critical IT assets requiring 24x7 access?• What impact would result in system failure?• Are you aware of network monitoring occurring on any of your critical

systems?


Network Monitoring – Best Practices

• Baseline Network Behavior• Understand normal network to tune alerts to anomalies

• Escalation Matrix• Policies and Procedures to escalate up management chain

• Report at Every Layer• Monitoring should occur at all layers of OSI Model

• Implement High Availability with Failover Options• Remove single point of failure, replicate to failover site

• Configuration Management• Proactive planning and prevention of common network

issues• Capacity Planning for Growth• Ensure network monitoring scales with IT as it expands


8. Cloud Security

• What is it: A broad set of policies, technologies, and controls deployed to protect data, applications, and the associated infrastructure of cloud computing.

• Why you should care: Cloud computing typically means that data will be hosted on external servers and databases, possibly in many physical locations and by multiple vendors. If any one of those servers or databases is not adequately protected, your data could be in jeopardy.


Case Study: Cloud Security

“We consider ourselves a technically progressive company utilizing the latest Software as a Service (SaaS) applications. Unfortunately, an HR employee was able to transfer confidential employee files from our trusted, sanctioned cloud environment (Amazon Web Services) to her own unsanctioned cloud storage tool to work at home. We had to self-report to Legal Council that employee information had left the company’s control, as we had no idea where else that confidential information could have been seen.”

Ava Pennysava (CISO, Software Vendor)

41

Cloud Security Audit Considerations

Stakeholder Cloud Security – Questions to Consider


• Does your company have a policy governing usage of the cloud?• Does the company utilize private, public or a hybrid cloud environment?


• How prevalent is usage of cloud computing in your organization?• Are there plans to move assets or systems to the cloud?• Are any 3rd Party vendors cloud-based, or have backend systems supporting

your organization that utilize the cloud?

CISO • How do you verify the security of data that is hosted in the cloud?• Do you obtain and review external audit reports, such as Service

Organization Controls (SOC) Reports, for your cloud vendors?• Do you utilize a framework for managing risk related to cloud providers?

Business Units • Does your business use any software that is externally hosted? • Are you looking at any new systems or technologies that are cloud-based?• If you did decide to procure or contract cloud-based solutions, how would

you request permission to implement the services?


Cloud Security Best Practices

• Learn what cloud applications are being used in the organization, including sanctioned (approved by business) and unsanctioned (personal or not approved)

• Understand work and data flows and information being passed

• Monitor cloud applications using commercial or custom tools

• Understand security mechanisms available, including Identity Management, Role Based Access and Single Sign On

• Ensure that policies and procedures are understood by organization, and extend through cloud environment


9. Mobile Security

• What is it: A comprehensive set of policies, procedures, and infrastructure that manages the usage of mobile devices in a business setting. These devices include cell phones, tablets, and PDAs.

• Why you should care: Mobile devices are becoming increasingly prevalent, and bring your own device (BYOD) is becoming increasingly common as well. Mobile devices provide additional means of data loss, including additional attack points. Mobile security is a means to harness the increased productivity that comes with mobile devices, while minimizing the risk of their usage.


Case Study: Mobile Security

“We implemented BYOD at the corporate offices at our firm. We then realized that while iPhones and other Apple devices are widely used throughout the organization, that an iOS 9 password hack had been released. We no longer have confidence that our information or devices are secure. I worry at night that we have external threat actors alive and well, in our internal infrastructure.”

Ivanna Fon (CISO, Health Care Provider)

45

Mobile Security Audit Considerations

Stakeholder Cloud Security – Questions to Consider


• Does your organization have a policy for mobile device usage?• Do you use your mobile device to download work files?


• Are mobile devices controlled by enterprise-wide settings?• Have you implemented remote management software, including the ability

to remotely wipe data and locate devices?• Is data on mobile devices encrypted?

CISO • Have you performed a mobile security review?• Do mobile devices require strong authentication mechanisms?• Do you allow employees to bring their own devices and if so, how are you

managing the associated risk?

Business Units • Do your employees use mobile devices?• Is mobile device use in line with company policies?


Mobile Security – Managing BYOD

• Develop a BYOD policy with input across the business• Be sure to clearly define what the organization has control over

and what it doesn’t• Define what devices can be used by employees• Require employees to sign an acceptable use policy• Consider using tools that help to manage the risk of BYOD –

these can enable remote-wipe and device tracking• Put extra focus on upper-management and executive’s devices,

as they have more access to sensitive data


10. Security Awareness & Training

• What is it: Security Awareness & Training is a formal process for educating employees about various important security risks.

• Why you should care: Employee and contractor behavior is amajor source of costly data breaches. An effective security awareness training program decreases the likelihood of a number of common vulnerabilities.


Case Study: Security Awareness & Training

“Russian hackers gained access to the White House by way of a phishing email. White House staff declined an optional 90-minute training session on online security offered in advance of the attack.”

Skip D’Training (CISO, Federal Government)

49

Security Awareness & Training Audit Considerations

Internal Audit Interest Area

Security Awareness & Training – Questions to Consider


• Have you received Security Training?• Is there an organization-wide approach to Security Awareness & Training?


• Are employees required to periodically participate in Security Training?• Are you involved in developing the content of Security Training?

CISO • Have you established a Security Awareness & Training program?• Are roles and responsibilities defined for Security Awareness & Training?• Do you raise security awareness through periodic reminders to employees?• Is there is a mechanism for reporting security issues?• Is Security Training content periodically reviewed and refreshed to confirm

that it is relevant?

Business Units • Are employees required to periodically participate in Security Training?• Do your employees know what to do in the event of a security incident?


Security Awareness & Training – Phishing

• Security Awareness & Training is a preventative measure for Phishing, Spear Phishing, and Whaling.

• Phishing is a type of fraud where the attacker masquerades as a reputable entity vie email or other communication method in order to gain sensitive information such as login credentials

• Spear-Phishing targets a specific individual• Whaling targets a high profile target such as a CEO or high-

ranking politician• Vishing, also called Voice Phishing, refers to Phishing

performed over a phone


Questions


Contact Information

Cameron Over, CISSPDirector, CrossCountry [email protected]: 703-899-6486

Zach Walker, CISSP, CISA, CPAManaging Consultant, CrossCountry [email protected]: 410-610-8194

mailto:[email protected]

mailto:[email protected]