Focus on Cyber Security Compliance to Operationalise the Risk Program. Hans Henrik Berthing Aalborg University

Transcription

1 Focus on Cyber Security Compliance to Operationalise the Risk Program Hans Henrik Berthing Aalborg University

2 Hans Henrik Berthing Married with Louise and dad for Dagmar and Johannes CPA, CRISC, CGEIT, CISA and CIA ISO 9000 Lead Auditor Partner and owner for Verifica Financial Audit, since 1994 and IT Assurance since 1996 Member of FSR Cybersecurity Board Former member of various international ISACA Task Forces/work groups Instructor, facilitator and speaker Associated professor Aalborg University (Auditing, Risk & Compliance)

3 Key Messages Cybercrime Cyberrisk and Cyber Security Cyber Security and data breaches impact Understand the basic 8 security principles to address cyberrisk

4 Cybercrime Cyber Compliance Cyber Security Cyber Governance Cyber Risk Cybercrime is a fast-growing area of crime. Criminals are exploiting the speed, convenience and anonymity of the Internet. Criminal activities no borders, either physical or virtual. Interpol Cybercrime Attacks against computer hardware and software, for example, botnets, malware and network intrusion; Financial crimes, such as online fraud, penetration of online financial services and phishing; Abuse, especially of young people, in the form of grooming or sexploitation. Cybercrime reports continue to rise. Second most reported economic crime PWC s 2016 Crime survey. Cybercrime is not just a technology problem. It is a business strategy problem. Oil and energy industry in Norway is under attack, August 30, 2014 Novozymes Attacked by Foreign Cyber Spionage, September 2014 Cyber Security for Nuclear Power Plants, US, January 2012 updated April 2015 Police are investigating a "significant and sustained cyber-attack" TalkTalk website, Oct Convention on Cybercrime, As of March 2017, 52 states ratified and 17 observer Danish Water Plants potential attack, November 2015 Webshop attack (NETS: Creditcard), September 2016 Yahoo Hacked in million accounts stolen, September 2016 Nine out of ten kommuner hit by Cyber Attack, October 2016 Tesco, unexpected cyber attack in banking area, November hacked, February Dozens of Twitter accounts were hacked Wednesday, large-scale cyber-attack, March 2017

5 IT Risk/Reward Barometer Europe Source: ISACA 2015 IT Risk/Reward Barometer Europe Results, October 2015

6 Source: A Global Look at IT Audit Best Practise, ISACA & Protiviti December 2015 Top Technology Challenges 6

7 Cybersecurity in Financial Report Issue Cybersecurity disclosure: Required to Issue: Impact on total hours: Source: Protiviti Sox Compliance Survey,

8 Board and Cybersecurity A primary responsibility of every board of directors is to secure the future of the organization. The very survival of the organization depends on the ability of the board and management not only to cope with future events but to anticipate the impact those events will have on both the company and the industry as a whole. Tom Horton, Directors & Boards 8

9 Cyber Security in Financial Sector Best in class against Cyber Crime Secure & Effective Infrastructure Trust in digital solutions Increase knowledge sharing in the Sector and stakeholder National and International Awareness and knowledge about Cyber Security Increased Cyber Risk/Threat Cyber Attack root against Financial Stability Operational risk Nordic Finance CSIRT Source: FSOR Vision 2020, Nationalbanken december 2016

10 Cyber Security for Nuclear Power Plants Critical safety, security and emergency preparedness systems at nuclear energy facilities are isolated from the Internet. Protected by cyber security and physical security plans Nuclear power plants are designed to shut down safely Industry began addressing cyber security after Sept. 11, Enhance SEC in several areas and codified new requirements in New cyber security requirements. NRC-approved cyber security program. Mandatory, enforceable cyber security standards 2014 revised cyber security rule to align protect public health and safety preventing radiological sabotage. Source: Nuclear Energy Institute, July 2016

11 Cyberattack ISACA Survey When was your last Cyberattack/Breach: Greater than 18 months months 6-12 months 2-6 months Last 60 days Never Respondent:136 partipants. Source: Poll at EuroCacs/ISRM 2015, November 10, % 11.03% 8.09% 14.71% 38.97% 16.18%

12 Talktalk Attack, October 2015 Number of customers (personal details) 156,959 15,656 bank account numbers and sort codes were accessed; 28,000 obscured credit and debit card numbers that were accessed cannot be used for financial transactions, and were orphaned, meaning that customers cannot be identified by the stolen data. Forensic analysis of the site confirms that the scale of the attack was much more limited than initially suspected. Only 4% of TalkTalk customers sensitive personal data at risk. Difficult decision to notify all our customers of the risk. We believe we had a responsibility to warn customers Source: TalkTalk website Status of October 21, 2015 attack, November 6/10, 2015 "TalkTalk constantly updates its systems to make sure they are as secure as possible against the rapidly evolving threat of cyber crime, impacting an increasing number of individuals and organisations," says TalkTalk CEO Dido Harding. "We take any threat to the security of our customers' data extremely seriously and we are taking all the necessary steps to understand what has happened here."

13 Talktalk Attack, Oct 15-Nov 16 Firm settles ICO fine for 320,000 - Saves 80,000 by coughing up early Costs of TalkTalk breach amount to 60m

14 TalkTalk Lessons learned Appearing in front of a House of Commons Select Committee, Dido Harding defended TalkTalk's cyber-security plans and took responsibility for incident response, describing security as a board issue and business risk. Dec 15,

15 Protecting personal data in Online Eight important areas of computer security Software updates SQL injection Unnecessary services Decommissioning of software or services Password storage Configuration of SSL and TLS Inappropriate locations for processing data Default credentials Source: Protecting personal data in online services: learning from the mistakes of others, Information Commisioner Office (ICO) May

16 Software security updates SW updates policy for personal data-sw. (operating systems, applications, libraries and DEV FW). Good reasons for not apply all available updates ASAP. When there is no compelling reason to delay, apply security updates as soon as is practical. 16

17 SQL injection Assets vulnerable to SQL injection. SQL injection can pass user input into a database. (eg modern websites and web applications) High risk of compromising significant amounts of personal data. High priority for prevention, detection and remediation. SQL injection results from coding flaws. Review developing and maintaining. Give guidance and training Independent security testing (penetration testing, vulnerability assessment, or code review, as appropriate) including SQL injection flaws. Before go live and periodically test live. Use parameterised queries when remediating SQL injection flaw. Ensure similar input locations are checked and remediated 17

18 Unnecessary services Completely decommission any not necessary service Avoid high risk services (eg. telnet) Local use only services are not made publicly-available. Use periodic port-scanning to check for unnecessary services. Maintain a list of available services. Periodically review the list to see whether any services have become unnecessary, and restrict or decommission them as appropriate. 18

19 Decommissioning of SW or services Be aware of all the components of a service so that you can make sure they are all decommissioned. Make a record of any temporary services need eventually to disable. Check decommissioning procedure has actually succeeded. Use systematic tools (port scanners). Arrange proper disposal of any hardware, as appropriate (ICO guidance on IT disposal). 19

20 Password storage Don t store passwords in plain text, nor in decryptable form. Use a hash function. Only store the hashed values. Appropriate strength Hash function making offline brute-force attacks extremely impractical. Use salting -> offline brute-force attacks less effective. Periodically review the strength of the hash function and up to date with advances in computing power. (password hashing scheme with a configurable work factor) Use a combination of password strength requirements and user-education to ensure that attackers can't simply guess common passwords. Have a plan of action in case of a password breach. How to reset users' passwords in bulk and notify them of what has happened and what they need to do about it. 20

21 Cracking MD5-hashed passwords Time taken to compute all possible MD5 hash values for various character sets and password lengths Hardware used: Intel Core i GHz 4 4GB RAM Software used: hashcat bit Ubuntu LTS 21

22 Configuration of SSL or TLS Personal data and sensitive information transferred using SSL or TLS Use SSL or TLS for all data transfer in order to reduce complexity. Ensure that SSL or TLS is set up to provide encryption of adequate strength. Ensure that every SSL or TLS service uses a valid certificate, schedule renewal of all certificates before they expire Consider obtaining an Extended Validation (EV) certificate if assurance of identity is of particular importance. Do not encourage users to ignore SSL or TLS security warnings. 22

23 Inappropriate locations for processing data Security architecture Storing personal data in a widely-accessible location 23

24 Security architecture Segregated testing or staging environments from production environment. Segmenting your network according to function and in accordance with your data protection policies. Network architecture accounts for functions such as backups and business continuity in general. 24

25 Storing personal data in a widelyaccessible location Policies for how, when and where personal data will be processed. All services running, how they are accessible, and whether they comply with policies. In particular, ensure any web servers are exposing only the intended content. Apply specific access restrictions. Do not rely merely on obscurity to prevent access. 25

26 Default credentials Change any default credentials as soon as possible. When changing default credentials, remember to follow good practice on password choice. Ensure that credentials are not hard-coded into any of your software. Ensure that credentials are not transmitted in plain text. 26

27 Other considerations A practical guide to IT security: ideal for small businesses IT asset disposal guidance Guidance on the use of cloud computing Bring Your Own Device (BYOD) guidance Guidance for app developers Privacy in mobile apps Guidance on data security breach management Notification of data security breaches to the Information Commissioner s Office 27

28 Control Categories Control categories include: Preventive Automative - Proactive Detective IT-manual - Reactive Corrective Manual-After incident/breach Compensatory Manual Weak/lack controls Deterrent Managerial - Proactive 28

29 Five principles for corporate boards: oversight of cyber risks Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue. Directors should understand the legal implications of cyber risks as they relate to their company s specific circumstances. Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda. Directors should set the expectation that management will establish an enterprise-wide risk management framework with adequate staffing and budget. Board-management discussion of cyber risk should include identification of which risks to avoid, accept, mitigate, or transfer through insurance, as well as specific plans associated with each approach. The National Association of Corporate Directors (NACD), in conjunction with the American International Group (AIG) and the Internet Security Alliance (ISA), 2014

30 Six Questions for Board regarding Cybersecurity Does the organization use a security framework? 1. What are the top five risks the organization has related to cybersecurity? 2. How are employees made aware of their role related to cybersecurity? 3. Are external and internal threats considered when planning cybersecurity program activities? 4. How is security governance managed within the organization? 5. In the event of a serious breach, has management developed a robust response protocol? Source: Cybersecurity what the Board of Directors need to ask, IIARF Research Report, 2014

31 SEC Cybersecurity Guidance Cybersecurity an important issue. Measures to consider in addressing cybersecurity risk: Conduct a periodic assessment Create a strategy that is designed to prevent, detect and respond to cybersecurity threats Implement the strategy through written policies and procedures and training Source:

32 Summary Cyber Governance & Assurance business critical Organization of any scale can be cyber attacked Ask Cyber questions to B-o-D and C-suite Security and assurance. Keep updated via research and white paper There are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.

33 Questions Associated Professor & Statsautoriseret Revisor Hans Henrik Aabenhus Berthing CGEIT CRISC CISA CIA Phone: Mobile Verifica Statsautoriseret Revisionsvirksomhed

34 Additional Ressources Center for Cyber Security, fe-ddis.dk Cybersecurity Nexus, ISACA Responding to Targeted Cyberattacks, 2013, ISACA & EY Cybersecurity What the Board of Directors Needs to Ask, 2014, IIARF Research Report Transforming cybersecurity using cobit5, 2013, ISACA Cybercrime Audit Assurance Program, 2012, ISACA Cyber Security in the Danish Financial Sector, Danish National Bank Interpol and National Cyber Crime Investigation & Research Verizon s Data Breach Investigations Report PwC s Global Economic Crime Survey US cybercrime: Rising risks, reduced readiness Key findings from the 2014 US State of Cybercrime Survey, PWC Information Commisioner s office, ico.org.uk Danish Data Supervisory, datatilsynet.dk ISACA Knowledge Center: Cybersecurity Nexus Plus many more 34