Institute of Internal Auditors 2019 CONNECT WITH THE IIA CHICAGO #IIACHI

Transcription

1 Institute of Internal Auditors 2019 CONNECT WITH THE IIA CHICAGO #IIACHI 1

2 Auditing Cyber Defense Technologies STEPHEN HEAD EXPERIS FINANCE APRIL 1, 2019 Institute of Internal Auditors 2019 CONNECT WITH THE IIA CHICAGO #IIACHI 2

3 Agenda Topic Cyber Risks Endpoint Protection Next-Generation Layer 7 Firewalls Multifactor Authentication Filtering Vulnerability Scanning Penetration Testing Security Information and Event Management (SIEM) Intrusion Detection (IDS)/Intrusion Prevention (IPS) Security Operations Center (SOC) Threat Intelligence Computer Forensics Cloud Security Summary Institute of Internal Auditors 2019 CONNECT WITH THE IIA CHICAGO #IIACHI 3

4 Headlines Highlight Increased Risk

5 Not IF, but WHEN You Will Be Attacked Pundits extoll the costs of breaches and cyber attacks, but few offer anything beyond anecdotal data collected through surveys. According to the Ponemon Institute, as of 2018: $3.86 million is the average total cost of a data breach 6.4% increase in the total cost of a data breach since 2017 $148 is the average cost per lost or stolen record The only cost that truly matters is the one your organization must deal with! Source: Ponemon Institute

6 Organizations Are Dealing With Multiple Impacts Data Losses Are Only One Aspect of a Broader Issue Source:

7 What Regulators are Saying Cybercriminals can cause significant financial losses for regulated entities as well as for consumers whose private information may be revealed and/or stolen for illicit purposes. The number of cyber events has been steadily increasing and estimates of potential risk to our financial services industry are stark. Given the seriousness of the issue and the risk to all regulated entities, certain regulatory minimum standards are warranted. Source: New York State DFS 23 NYCRR 500

8 Emerging Global Risk and Trends German Steel Mill Hackers struck a steel mill in Germany by manipulating and disrupting control systems resulting in massive damage... we fully expect a business to fail due to the financial consequences of a cyberattack. 1 Cyber-attacks are costing businesses $400 - $500 billion a year 2 Cyber resiliency should be part of BCM efforts Hollywood Presbyterian Medical Center Ransomware locked doctors out of patient records for more than a week. Hackers demanded $3.6M 1 Source: Lloyd s insurer Aegis London 2 Source: Forbes, The Business of Cybersecurity:2015 Market Size, Cyber Crime, Employment and Industry Statistics, October 2015

9 Source:

10 Attackers, Targets and Motivations are Evolving Threat Actors Motives Attack Targets Risks Nation State Political Agenda Military Agenda Economic Harm Intellectual Property Sensationalism Critical Infrastructure Competitive Impact Service Disruptions Design Disclosure Criminal Underground Theft Fraud Ransom Personal Information Credit Card Data Device Manipulation Regulatory Sanctions Lawsuits Loss of Reputation Hactivists Political Agenda Personal Agenda Social Change Corporate Sensitive Key Employee Information Brand Damage Business Disruption Loss of Reputation Lone Wolves Thrill Seeking Personal Gain Social Status Device Control Vandalism Harassment Business Disruption Brand Damage Personal Safety Insiders Financial Gain Social/Political Gain Revenge Device Control Vandalism Harassment Competitive Impact Business Disruption Loss of Reputation

11 Anatomy of an Attack Each attack type is unique, but most have a similar structure Planning/Information Gathering Initial Attack and Breach Establish Command and Control Additional Exploitation Data Exfiltration and Persistence Phases Information available on the internet Information coerced via various means Identify vulnerable systems, services, processes Gain access to internal network or systems Establish a means of controlling base for gathering more network details and exploitation Malware takes effect Search for information sources Additional credentials/ authorizations Attempt additional exploits Remove or extract data obtained Avoid discovery Example Identify Employees and Contact Information Create a spoofed web site Send malicious link Wait for results Test for access, connectivity, conduct scans, identify resources Identify additional vulnerabilities, execute exploits, collect information Identify additional vulnerabilities The right sensors when monitored and acted upon can prevent or detect attacks at each critical phase

12 Endpoint Protection This category consists of software that is designed to provide the necessary protections to prevent the endpoint (server, client, mobile device, etc.) from attacks by malware, bots, or intruders. Modern endpoint protection software uses multiple methods to determine the identity of hostile or unknown software packages. Symantec, for example, has a Host Intrusion Prevention System (HIPS) component. Cylance uses a proprietary database of malware attributes and blocks such from executing when it detects the software. Institute of Internal Auditors 2019 IIA CHICAGO CHAPTER JOIN 12

13 Endpoint Protection Examples: Symantec, McAfee, Cylance Audit Considerations: Distribution to all endpoints Endpoint detection settings Alerts generated from endpoint software Institute of Internal Auditors 2019 IIA CHICAGO CHAPTER JOIN 13

14 Next-Generation Layer 7 Firewalls Layer 7 capabilities indicate that the device can efficiently examine application code and report any anomalies or malicious indicators. According to Gartner, 75% of attacks now take place at the application layer. A majority of recent vulnerabilities affect web applications. Next generation devices often incorporate features normally found in separate devices such as intrusion detection, malware detection, sandboxing, etc. Institute of Internal Auditors 2019 IIA CHICAGO CHAPTER JOIN 14

15 Next-Generation Layer 7 Firewalls Examples: Palo Alto, Checkpoint, Cisco and Fortinet Audit Considerations: Failure to implement key features Proper sizing of hardware, features installed, and network throughput to ensure adequate capacity Lack of log retention or no aggregation and correlation of logs Institute of Internal Auditors 2019 IIA CHICAGO CHAPTER JOIN 15

16 Multifactor Authentication Multifactor Authentication (MFA) prevents identity theft by using two or more methods to confirm the identity of the user. Many of the solutions perform MFA by providing a secondary check of the user s identity by communicating to the user some form of code that the user must enter after successfully submitting an ID/password combination. The user must enter this code into some sort of portal or application that is provided by the solution. The code is verified on the backend to confirm the identity of the user. Institute of Internal Auditors 2019 IIA CHICAGO CHAPTER JOIN 16

17 Multifactor Authentication Examples: Google authenticator, LastPass authenticator, Microsoft authenticator, Okta Audit Considerations: Exempting certain classes of users Access paths that bypass multifactor Authentication that pretends to be but is not truly multifactor Institute of Internal Auditors 2019 IIA CHICAGO CHAPTER JOIN 17

18 Filtering This involves filtering incoming mail, identifying whether such mail is part of a phishing campaign, and automatically removing even if received by users after the fact. This would occur if the was not identified as malicious when it was initially received by the organization s server, but was later flagged by the security industry as part of a criminal effort. Filtering may also involve egress filtering of PII. Institute of Internal Auditors 2019 IIA CHICAGO CHAPTER JOIN 18

19 Filtering Example: Proofpoint Audit Considerations: Administration procedures should be formalized Filtering should encompass the entire enterprise and not just certain business units Filtering is tuned to minimize type 1 and 2 errors Is PII subject to filtering? Institute of Internal Auditors 2019 IIA CHICAGO CHAPTER JOIN 19

20 Vulnerability Scanning There are many commercial vulnerability scanners. Most of these are well designed and have robust research organizations supporting them. The best scanners not only indicate what vulnerabilities exist, but also provide guidance regarding the software company s recommended fix for these issues. Vulnerability scanning software allows the user to mark certain findings as either false positives or as accepted risk. Unfortunately, this feature is sometimes used to mask vulnerabilities that should be remediated. Institute of Internal Auditors 2019 IIA CHICAGO CHAPTER JOIN 20

21 Vulnerability Scanning Examples: Nessus, Qualys, Nmap Audit Considerations: Scan should not omit key infrastructure components Incorrectly designating vulnerabilities as false positive or accepted risk without proper vetting Scans should be periodically conducted (at least quarterly) and actionable items acted upon promptly Institute of Internal Auditors 2019 IIA CHICAGO CHAPTER JOIN 21

22 Penetration Testing Penetration Testing, also called Ethical Hacking, is the process of ensuring that adequate security controls have been applied to technological components of a system by attempting to subvert such controls. With some of the newer pen testing tools, the user is not required to have any additional skills other than to learn the commands that must be run from the user interface no programming, system administration, network administration, or other skills are needed. This may be an overselling our their capabilities. Testers should hold a Certified Ethical Hacker (CEH) certification or have equivalent real-world experience. Institute of Internal Auditors 2019 IIA CHICAGO CHAPTER JOIN 22

23 Penetration Testing Examples: MetaSploit, Rapid7, Kali Linux Audit Considerations: Sufficient time should be provided to perform the testing, otherwise it is not a true test Designating parts of the infrastructure as outof-scope results in a less than complete pen test (usually omitting the worst offenders) Pen tests should be performed at least annually Institute of Internal Auditors 2019 IIA CHICAGO CHAPTER JOIN 23

24 Security Information and Event Management (SIEM) Typically, log data is collected from every kind of technology possible in order to accumulate the maximum amount of data firewalls, routers, smart switches, wireless access points, intrusion detection/protection systems, antivirus/endpoint protection solutions, etc. The result is: Real time monitoring of all IT infrastructure Correlation of events Analysis and reporting of security incidents Integrated with threat intelligence Centralized storage of logs Institute of Internal Auditors 2019 IIA CHICAGO CHAPTER JOIN 24

25 Security Information and Event Management (SIEM) Examples: AlienVault, Splunk Audit Considerations: The SIEM needs to be connected to all key infrastructure elements in order to be effective. The SIEM needs to be tuned with proper rules or use cases set up to that instruct the SIEM on what to do with the data and how to label it with regard to the degree of risk. Lack of log retention or aggregation. Escalation procedures for notifications from the SIEM should be formalized. Institute of Internal Auditors 2019 IIA CHICAGO CHAPTER JOIN 25

26 Intrusion Detection (IDS) / Intrusion Prevention (IPS) These devices have grown significantly in capability and complexity over the years, to the point where they can no longer be considered simply technology that detects and/or blocks traffic based upon certain attributes, but also has many other features that allow for prevention and analysis. Modern deployments in this area are often categorized as IDPS, since it intends to meet both the detection and prevention requirements. The value-add of IDS/IPS is the richness of the data that it can send to the SIEM. Institute of Internal Auditors 2019 IIA CHICAGO CHAPTER JOIN 26

27 Intrusion Detection (IDS) / Intrusion Prevention (IPS) Examples: Products offered by McAfee, Darktrace, Trend Micro, Cisco Audit Considerations: Sensors are not appropriately placed IDS/IPS is not being updated regularly IDS/IPS is not properly tuned (i.e., too many false positives caused the System Administrator to turn down the sensitivity thereby negating the usefulness of the detective component) Lack of log retention or aggregation Institute of Internal Auditors 2019 IIA CHICAGO CHAPTER JOIN 27

28 Security Operations Center (SOC) The focus of a SOC is to monitor for security incidents that occur and react to them in a timely manner. Often, the SOC receives alerts about incidents from the SIEM, although there may be other channels through which data flows. Once they receive a notification, the SOC analysts will examine the data received and try to determine a cause for the incident. SOCs can be staffed in a number of ways. In many cases, a third-party security company is hired to provide coverage from a professional SOC facility. Institute of Internal Auditors 2019 IIA CHICAGO CHAPTER JOIN 28

29 Security Operations Center (SOC) Examples: Can be internal or outsourced Audit Considerations: Processes for triaging potential vulnerabilities and handling escalation of communications should be formalized Since this is a 24x7 operation, formal procedures for handoff of issues during shift change is important Service Level Agreements (SLAs) should be in place with escalation depending on the severity of the event Institute of Internal Auditors 2019 IIA CHICAGO CHAPTER JOIN 29

30 Threat Intelligence Threat intelligence provides access to technical and adversary intelligence collected by a vendor through thousands of monitored sensors and other proprietary mechanisms to give early warning of potential attacks. It may also be integrated with sensors deployed at the perimeter of the organization s own network, to provide a more complete picture of what is happening to other organizations and how that correlates with early signs that may be showing up in IDS/IPS alerts and firewall messages. Institute of Internal Auditors 2019 IIA CHICAGO CHAPTER JOIN 30

31 Threat Intelligence Examples: FireEye, Deepsight, LookingGlass Audit Considerations: Threat intelligence should be integrated into the SIEM and SOC in order to be useful Intelligence should be updated continuously as attacks often appear first in time zones where the business day is just getting started The provider should have a sufficiently large footprint for its information to be useful Institute of Internal Auditors 2019 IIA CHICAGO CHAPTER JOIN 31

32 Computer Forensics Computer forensics is the practice of using digital data and records to support an investigation into that behavior, be it criminal, civil, or corporate. There are many categories of computer forensics. What they have in common is the gathering and correlation of evidence without destroying or otherwise tainting its usefulness if law enforcement is brought into the investigation. Institute of Internal Auditors 2019 IIA CHICAGO CHAPTER JOIN 32

33 Computer Forensics Examples: EnCase, FTK Audit Considerations: Users should have proper training in how to handle evidence and exercise proper chain-ofcustody. In reviewing digital evidence, one must take special care to not taint the original. Often this means reviews should be performed against a copy of the media and never against the original. Institute of Internal Auditors 2019 IIA CHICAGO CHAPTER JOIN 33

34 Cloud Security Cloud providers will often have security services that either are included as part of the agreement or can be purchased separately. Some of the areas that should be focused on when setting up service agreements include: Governance Compliance Availability Data Security Identity and Access Management Disaster Recovery and Business Continuity Planning Institute of Internal Auditors 2019 IIA CHICAGO CHAPTER JOIN 34

35 Cloud Security Examples: AWS, Azure Audit Considerations: What type of SOC report is available? What optional security features have been included in the contract (or omitted)? Have all contracted for security features been implemented? How are cloud security features into the SIEM and SOC? Institute of Internal Auditors 2019 IIA CHICAGO CHAPTER JOIN 35

36 Stephen Head Director, IT Risk Advisory Services Experis Finance Questions and Answers? END OF PRESENTATION Institute of Internal Auditors 2019 CONNECT WITH THE IIA CHICAGO #IIACHI

37 Stephen Head Director, IT Risk Advisory Services Experis Finance Thank you for your time and attention! IIA CHAPTER CHICAGO 59 TH ANNUAL SEMINAR Institute of Internal Auditors 2019 CONNECT WITH THE IIA CHICAGO #IIACHI