INTERNAL AUDIT S ROLE IN CYBER SECURITY

Transcription

1 INTERNAL AUDIT S ROLE IN CYBER SECURITY ISACA GEEK WEEK AUGUST 2015

2 RECENT HEADLINES The government does not defend or protect the private sector against cyber security threats, but will be partners in post-breach investigation. - Richard A. Clarke, former National Coordinator for Security, Infrastructure Protection, and Counter-terrorism

3 CYBER SECURITY THREAT TYPES Passive (Silent Data Collection) Consumer Data PCI (credit card data) PII (SSN, DOB, DL) Salary information Proprietary Data HFT algorithms Research information Investment strategies Trade blotters Risk analytics Aggressive (Loud Disruption) Technology Services Communication systems Desktops / Users Servers / Admins Corporate Services Destroy Delete proprietary data Delete backups Disseminate Leak & extort proprietary data

4 THREAT INCENTIVES Passive Target Consumer Data PCI (credit card data) PII (SSN, DOB, DL) JP Morgan Consumer Data PCI (credit card data) PII (SSN, DOB, DL) Home Depot Consumer Data PCI (credit card data) Aggressive Sony Consumer & Proprietary Data PII (SSN, DOB, DL) Total IP ( , business data) National Security Agency Proprietary Data Surveillance protocols Classified national security data LinkedIn Consumer & Proprietary Data Usernames & passwords

5 PASSIVE: REVENUE INCENTIVE Consumer Data PCI, PII, and Income data are bundled and sold as portfolios Portfolios have a lifespan and are assigned a generally accepted rating similar to our credit rating system for valuation on the black market Accounts within sold portfolios are used to cypher funds PCI PII Salary SOLD Rated Consumer Data Portfolio Consumer Data Portfolio Gift Cards Mini-purchases Withdrawals Transfers FOR SALE Rated Consumer Data Portfolio

6 PASSIVE: REVENUE INCENTIVE Proprietary Data HFT algorithms are analyzed and reengineered Research, trade blotter, and prospective investment information from multiple firms are aggregated into a single composite Non-disclosed, proprietary information (e.g. M&A deals) are mapped to composite to develop Insider investment strategies Investment Data HFT Data Prospects Blotters Non-Disclosed Data M&A Deals Projections Roadmaps Insider Investment Strategy Enacted Composite Insider Investment Strategy Inside Acme A Inside Acme B Inside Acme C Inside Acme B

7 AGGRESSIVE: POLITICAL EXPLOITATION Aside from holding data for ransom, this approach is rarely used in enterprise scenarios for financial gain. Disrupt, Disseminate, Destroy U.S. Critical Infrastructure, managed by the private sector, are most viable targets (e.g. railroads, airports, power grids, water & nuclear treatment facilities) Infiltration is typically announced by the adversaries via service outages, desktop wallpapers, and website hijacks Trap doors and logic bombs could remain dormant and undetectable for years Attribution is difficult to determine Private sector has no option of recourse against the adversary

8 KNOW THE ADVERSARY The government does not defend or protect the private sector against cyber security threats

9 KNOW THE ADVERSARY The government does not defend or protect the private sector against cyber security threats

10 NATION-STATE BEHAVIORS Passive (Silent Data Collection) Consumer Data PCI (credit card data) PII (SSN, DOB, DL) Salary information Proprietary Data HFT algorithms Research information Investment strategies Trade blotters Risk analytics Aggressive (Loud Disruption) Technology Services Communications systems Desktop / Users Server / Admins Corporate Services Destroy Delete proprietary data Delete backups Disseminate Leak & extort proprietary data

11 INITIAL VECTORS OF ATTACK

12 TARGET SAMPLES

13 TARGET SAMPLES

14 COMMON ADVERSARY PLAYBOOK Characteristics of cyber threats are no longer "infect as many machines as possible". Today s attacks only need to compromise one targeted machine to be successful. Acquire Targets Data Collection Deploy Malware Infiltrate Corporate Systems Exfiltrate Data Permeate Locate affiliated groups Identify individual targets - Colleagues - Spouse - Children - Parents Use collected data to deploy malware to targeted individuals Use malwarecollected data to passively authenticate to corporate systems Locate and exfiltrate corporate data Crack NTDS.dit to acquire usernames and passwords Place trapdoors throughout environment

15 SOPHISTICATED DISCIPLINED

16 RISK MANAGEMENT DISIPLINE Definition: The forecasting and evaluation of risks together with the identification of procedures to avoid or minimize their impact

17 IT SECURITY VS CYBER SECURITY IT Security programs focus on technology around the perimeter. Cyber Security programs focus on today s largest vectors of attack; people and processes. IT Security Cyber Security

18 CYBER RISK GOVERNANCE Govern cyber security by aligning IT risks to business risks. CEO CEO CIO Establish a governance structure where the CISO reports IT risks independent from the CIO CRO CISO Align IT risks to business risks CISO Variation of a typical org structure used to report operational capabilities (e.g. BCP / DR), but not operational risks Optimized risk management structure

19 LEVERAGE & ALIGN STRATEGIC RISK MANAGEMENT ASSETS Common State Target Operating Model Discipline People Process Risk Management Strategy People Adaptability RM Strategy Process Tools and Technology Efficiency Effectiveness Tools and Technology

20 COMPLIANCE VS RISK MANAGEMENT Being Compliant does not equate to being Secure. It is easy to lose sight of the risk management drivers behind the Internal Audit Function. Internal Priorities SOX PCI Customer Expectations COSO Selfdefined risk matrix NIST COSO Regulatory Obligations SOX PCI Internal Audit Program Compliance Risk Management Shouldn t Compliance be positioned as the byproduct of a mature information security and internal audit program, by doing the right things and proving it?

21 TEST ONCE, ANSWER MANY Compliance is important and exhausting. Decrease audit fatigue and more effectively manage risk by testing once and empowering Internal Audit to focus more time on internal risk objectives. ICFR / SOX Operational Best Practice Answer Many Compliance (PCI, HIPAA) Services Customer Compliance (SOC) Optimized Control Framework Financial Accounting and Reporting Information Security Functional Processes Data Classification/Privacy Controls Rationalization Test Once

22 LINES OF DEFENSE Determine and align risk capacity, appetite, and budget within a risk governance framework. 1. Operations 2. Compliance & Risk Mgmt 3. Auditors & Exec Board

23 RECOMMENDED READING / CONTACT INFORMATION Cyber Security Questions for CEOs Cyber Risks and the Boardroom NIST Cyber Security Framework Cyber War Security/dp/ /ref=sr_1_1?ie=UTF8&qid= &sr=8-1&keywords=cyberwar Contact Information David Allen King II Manager, UHY Advisors dking@uhy-us.com David Barton Managing Director, UHY Advisors dbarton@uhy-us.com

24 Q&A