Easy IT Audit Engagements

Transcription

1

2

3 Easy IT Audit Engagements Fellen Yang Risk Advisory Services Senior Manager Nikhila Shankar Risk Advisory Services Manager

4 Disclaimer This material was used by Elliott Davis during an oral presentation; it is not a complete record of the discussion. This presentation is for informational purposes and does not contain or convey specific advice. It should not be used or relied upon in regard to any particular situation or circumstances without first consulting the appropriate advisor. No part of the presentation may be circulated, quoted, or reproduced for distribution without prior written approval from Elliott Davis.

5 Agenda Privileged User Access Authentication Technical Controls Staff Training on Social Engineering and Reporting

6 Privileged User Access Objectives of Administrative Access Controls To determine whether superuser access, including delivered and system user IDs are restricted to authorized individuals to mitigate the risk of unauthorized/inappropriate access to the relevant programs or data.

7 Privileged User Access Test steps should include: Reviewing a system generated listing of roles that have administrative access for appropriateness. Reviewing a generated listing of users who have administrative access for appropriateness. Reviewing a generated listing of generic/system accounts that have administrative access for appropriateness. For generic/system accounts, identifying whether those accounts are interactive or non-interactive and who has knowledge of the password (if interactive).

8 Privileged User Access Scope of testing should include the application, network and database layer. Network Host Application Data

9 Privileged User Access Scope, continued Network (Active Directory) Database (SQL) Core Application Internet Banking/Mobile Banking Remote Deposit Capture ACH/Wire

10 Authentication Objective: To determine whether authentication controls provide reasonable measures to protect against unauthorized access.

11 Authentication Testing should include: Obtaining password parameters (e.g., length, complexity, expiration, history) and comparing output to organizational standards or best practices. Identifying any users and accounts that are not subject to the standard password policy and determining whether those are appropriate or not (system accounts etc.)

12 Authentication Scope of testing should include the application, network and database layer. Network Host Application Data

13 Authentication Scope, continued Network (Active Directory) Core Application Internet Banking/Mobile Banking Remote Deposit Capture ACH/Wire

14 Password Security The following best practices are recommended to be applied to password security and account lockout parameters: Minimum password length 6 to 8 characters Maximum password age 60 to 90 days Minimum password age 1 day (or more) Password history no password re-use for the trailing 12 months Password complexity enabled (at least require one alpha and one numeric) Unsuccessful log on attempts 5 invalid attempts before user lock out Lockout duration at least 15 minutes Reset lockout counter at least 15 minutes Domain inactivity timeout setting 15 to 30 minutes

15 Other Authentication Methods Multifactor (Two Factor or Three Factor) Something you know (i.e. username, PIN, password, security questions) Something you have (i.e. smartphone, token, one-time passcode, smart card) Something you are (i.e. biometrics fingerprint, retina, voice recognition) Password Vault Multifactor + Encryption

16 Technical Control A technical control is one that uses technology to reduce vulnerabilities. An administrator installs and configures a technical control, and the technical control then provides the protection automatically.

17 Technical Control Example Intrusion Detection Systems (IDSs) Firewalls Antivirus Software Vulnerability Assessments Security Log Reviews Least Privilege, System Accounts, Shared Accounts Encryption

18 Compliance Impact 3 Technical Controls for Ongoing GDPR Compliance Protecting Personal Data Continuous Monitoring and Threat Detection Breach Response and Notification

19 Other Testing Areas In addition to Privileged Access, Authentication and Technical Controls, below are some of the areas to include in IT Audit: Business Continuity Planning (BCP) and Disaster Recovery (DR) Change Management

20 Staff Training on Social Engineering and Reporting Deception, psychological manipulation of people to perform actions or provide information Common Types Phishing Spear Phishing Vishing Physical Play on fear and urgency

21 Phishing (Example) From: California Bank and Trust Subject: Irregular Activity Notification Date: May 20, :55:32 PM EST To: Undisclosed recipients:; Reply-To: Dear member: We detected unusual activity on your California Bank and Trust debit card on 05/20/2018. For your protection, please verify this activity so you can continue making debit card transactions without interruption. Please sign in to your account at to review and verify your account activity, After verifying your debit card transactions we will take the necessary steps to protect your account from fraud. If you do not take action immediately, limitations will be placed on your debit card California Bank and Trust Company. All rights reserved.

22 Phishing (Example) From: California Bank and Trust Subject: Irregular Activity Notification Date: May 20, :55:32 PM EST To: Undisclosed recipients:; Reply-To: Dear member: We detected unusual activity on your California Bank and Trust debit card on 05/20/2018. For your protection, please verify this activity so you can continue making debit card transactions without interruption. Please sign in to your account at to review and verify your account activity, After verifying your debit card transactions we will take the necessary steps to protect your account from fraud. If you do not take action immediately, limitations will be placed on your debit card California Bank and Trust Company. All rights reserved.

23 Phishing (Example) From: California Bank and Trust Subject: Irregular Activity Notification Date: May 20, :55:32 PM EST To: Undisclosed recipients:; Reply-To: Dear member: Would include capitalized name We detected unusual activity on your California Bank and Trust debit card on 05/20/2018. For your protection, please verify this activity so you can continue making debit card transactions without interruption. Please sign in to your account at to review and verify your account activity, After verifying your debit card transactions we will take the necessary steps to protect your account from fraud. If you do not take action immediately, limitations will be placed on your debit card California Bank and Trust Company. All rights reserved.

24 Phishing (Example) From: California Bank and Trust Subject: Irregular Activity Notification Date: May 20, :55:32 PM EST To: Undisclosed recipients:; Reply-To: Dear member: Would include capitalized name We detected unusual activity on your California Bank and Trust debit card on 05/20/2018. For your protection, please verify this activity so you can continue making debit card transactions without interruption. Please sign in to your account at to review and verify your account activity, After verifying your debit card transactions we will take the necessary steps to protect your account from fraud. If you do not take action immediately, limitations will be placed on your debit card. Grammatical Error 2018 California Bank and Trust Company. All rights reserved.

25 Phishing (Example) From: California Bank and Trust Subject: Irregular Activity Notification Date: May 20, :55:32 PM EST To: Undisclosed recipients:; Reply-To: Dear member: Would include capitalized name We detected unusual activity on your California Bank and Trust debit card on 05/20/2018. For your protection, please verify this activity so you can continue making debit card transactions without interruption. Please sign in to your account at to review and verify your account activity, After verifying your debit card transactions we will take the necessary steps to protect your account from fraud. If you do not take action immediately, limitations will be placed on your debit card. Grammatical Error 2018 California Bank and Trust Company. All rights reserved.

26 3 Ways to Stop 95-99% Phishing Inbound sandboxing Real-time analysis and inspection of web traffic Employee behavior/awareness/training - CSO Online Additional Recommendations: Two Factor Authentication [EXTERNAL] subject line prepend

27 Reporting Information Security Program Incident Response BCP Testing with Cyber Scenario

28 Fellen Yang, CISA Phone: Nikhila Shankar, CISA Phone: Elliott Davis provides comprehensive assurance, tax and consulting solutions to diverse businesses, organizations and individuals. With a network of forward-thinking professionals in major U.S. markets and alliance resources across the globe, the firm ranks among the top 40 and fastest-growing accounting firms in the U.S. Visit elliottdavis.com for more information.

29