InfoSec Risks from the Front Lines


Adam Brand, Protiviti. Orange County IIA Seminar.

Who I Am
Adam Brand
- IT Security Services
- Some incident response experience
- Lead Breach Detection Audits
- @adamrbrand
Who are you?

What I Hope to Accomplish (in the next hour)
- Current Threat Landscape
- Latest Risks to Watch
- Where Internal Audit Should Focus
- Q & A

Current External Threat Landscape
- Credit Card/PII Thieves
- Ransomware Crooks
- Wire Transfer Fraudsters
- Botnet Herders
- Political Attackers
- Corporate Secrets Thieves
Insider threats and compliance threats are a different presentation.

Credit Card/PII Thieves

Ransomware Crooks

Wire Transfer Fraudsters

Botnet Herders

Political Attackers

Corporate Secrets Thieves

Latest Risks to Watch?
- Cloud
- Mobile
- Internet of Things

It Depends

It Depends (cont.)

What Does the Data Say?
Source: USSS/Verizon Data Breach Investigations Report, 2014.

Latest Risks to Watch
- Not Knowing Yourself
- Permissive Web Access
- Over-reliance on Tools

Not Knowing Yourself
Easier questions:
- What does our network look like (systems, network, users)?
- Where is our sensitive data?
- What are our weaknesses?
Harder questions:
- What programs should be running on our systems?
- What type of traffic is normal for us?
- What user activity is normal?
What's the risk?
- Not knowing what you have makes it hard to know what to protect.
- Not knowing your weaknesses makes it hard to know where you will be hit.
- Not knowing what is normal makes it hard to know what is abnormal.

Not Knowing Yourself: Controls
Basics:
- Strong asset and configuration management
- Periodic data discovery (interviews + tool sweeps)
- Third-party vulnerability assessments
Stronger:
- System baselining and variance monitoring
- Traffic baselining and variance monitoring
- User activity baselining and variance monitoring
"If you know the enemy and know yourself, you need not fear the result of a hundred battles." - Guess who? (Sun Tzu, The Art of War)
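
The "stronger" controls above all reduce to the same mechanism: record what a host normally runs and talks to during a trusted window, then report anything outside that set. The script below is an added illustration and is not from the slides; the record fields (host, process, dst) and both data sets are constructed for the example, where a real run would take an EDR inventory or flow export. It builds a per-host baseline of processes and outbound destinations and reports three kinds of variance: a host that was never inventoried, a process not in the host's baseline, and a known process talking to a destination the baseline never saw. User-activity baselining follows the same pattern with (user, workstation, logon hour) in place of (host, process, dst).

```python
"""Baseline-and-variance check for processes and outbound connections.

Added example, not taken from the slides. The record format and all
sample data are constructed for illustration.
"""
from collections import defaultdict

# Constructed "known good" observations from a baselining window.
BASELINE_RECORDS = [
    {"host": "web01", "process": "nginx", "dst": "10.0.5.20:5432"},
    {"host": "web01", "process": "nginx", "dst": "10.0.5.21:5432"},
    {"host": "web01", "process": "sshd", "dst": ""},
    {"host": "fin02", "process": "outlook.exe", "dst": "10.0.1.10:443"},
    {"host": "fin02", "process": "excel.exe", "dst": ""},
]

# Constructed current snapshot to compare against the baseline.
CURRENT_RECORDS = [
    {"host": "web01", "process": "nginx", "dst": "10.0.5.20:5432"},
    {"host": "web01", "process": "sshd", "dst": ""},
    # new process on a web server, calling an outside address on an odd port
    {"host": "web01", "process": "nc", "dst": "203.0.113.7:4444"},
    {"host": "fin02", "process": "outlook.exe", "dst": "10.0.1.10:443"},
    # known process, but a destination the baseline never saw
    {"host": "fin02", "process": "excel.exe", "dst": "198.51.100.9:443"},
    # host that is absent from the asset baseline altogether
    {"host": "hr03", "process": "chrome.exe", "dst": "10.0.1.10:443"},
]


def build_baseline(records):
    """Return per-host sets of known processes and known destinations."""
    procs, dsts = defaultdict(set), defaultdict(set)
    for r in records:
        procs[r["host"]].add(r["process"])
        if r["dst"]:
            dsts[r["host"]].add(r["dst"])
    return procs, dsts


def variances(baseline_records, current_records):
    """Return a sorted list of (host, kind, value) not explained by the baseline.

    kind is one of 'unknown-host', 'new-process', 'new-destination'.
    """
    procs, dsts = build_baseline(baseline_records)
    findings = set()
    for r in current_records:
        host = r["host"]
        if host not in procs:
            # Nothing to compare against: the asset inventory is incomplete.
            findings.add((host, "unknown-host", ""))
            continue
        if r["process"] not in procs[host]:
            findings.add((host, "new-process", r["process"]))
        if r["dst"] and r["dst"] not in dsts[host]:
            findings.add((host, "new-destination", r["dst"]))
    return sorted(findings)


if __name__ == "__main__":
    for host, kind, value in variances(BASELINE_RECORDS, CURRENT_RECORDS):
        print(f"{host:6} {kind:16} {value}")
```

The value of the check depends entirely on the baseline being trustworthy: a baseline captured while an attacker is already present simply enshrines the attacker's tooling as normal, which is one reason the deck pairs baselining with a point-in-time breach detection review.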

Permissive Web Access
- Not blocking uncategorized sites (most of the Internet)
- Not restricting web access from servers
- Not filtering HTTPS (SSL/TLS) traffic
- Having exceptions for executive systems
What's the risk?
- Malware being delivered through the web.
- Attackers sending data out and remotely controlling systems.

Permissive Web Access: Controls
- Uncategorized websites blocked for most users
- A speed bump (click-through warning) for other users
- HTTPS sites filtered
- Alternate web access options (VDI, sandboxing, tablet)
80%: the average percentage of users who click malicious links in our social engineering engagements.
1: the number of users an attacker needs to convince to click a link.
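
To make the two slides above concrete, here is an added example (not from the slides) that encodes a typical permissive proxy policy beside the recommended one and runs both over a handful of constructed proxy records. The category labels, group names and record layout are assumptions for illustration; real categories come from the proxy vendor's URL database. The point it makes is that the executive exception and the lack of HTTPS inspection are not minor tuning choices: under the permissive policy every malware or uncategorized request from an executive, and every uninspected HTTPS request, passes.

```python
"""Web proxy policy comparison: permissive vs. recommended.

Added example, not from the slides. Groups, categories and the sample
request records are constructed for illustration.
"""
ALLOW, BLOCK, WARN = "allow", "block", "warn"   # WARN = click-through speed bump


def permissive_policy(user_group, category, scheme):
    """Common weak setup: only known-bad categories are blocked, uncategorized
    traffic passes, HTTPS is never inspected, executives bypass everything."""
    if user_group == "executive":
        return ALLOW
    if scheme == "https":
        return ALLOW        # no TLS inspection, so the category is never consulted
    return BLOCK if category == "malware" else ALLOW


def recommended_policy(user_group, category, scheme):
    """Controls from the slide: uncategorized blocked for most users, speed bump
    for a small exempt group, HTTPS inspected so the same rules apply to it,
    and no executive exception."""
    if category == "malware":
        return BLOCK
    if category == "uncategorized":
        return WARN if user_group == "research-exempt" else BLOCK
    return ALLOW


# Constructed proxy records: (user, group, scheme, host, category)
REQUESTS = [
    ("alice", "staff", "http", "news.example", "news"),
    ("bob", "staff", "https", "cdn-x7q.example", "uncategorized"),
    ("carol", "research-exempt", "http", "paste.example", "uncategorized"),
    ("dan", "executive", "https", "evil.example", "malware"),
    ("erin", "staff", "http", "evil.example", "malware"),
]


def evaluate(policy, requests=REQUESTS):
    """Return {decision: count} for a policy over the request set."""
    counts = {ALLOW: 0, BLOCK: 0, WARN: 0}
    for _user, group, scheme, _host, category in requests:
        counts[policy(group, category, scheme)] += 1
    return counts


def exposure(policy, requests=REQUESTS):
    """(user, host) pairs the policy lets through to malware or uncategorized sites."""
    return [(u, h) for u, g, s, h, c in requests
            if c in ("malware", "uncategorized") and policy(g, c, s) == ALLOW]


if __name__ == "__main__":
    for name, policy in (("permissive", permissive_policy),
                         ("recommended", recommended_policy)):
        print(name, evaluate(policy), "exposed:", exposure(policy))
```

An auditor can run the same comparison against an export of the real proxy's allow/block decisions: the share of uncategorized requests that were allowed, and the list of accounts whose requests are never blocked, are direct evidence of the two gaps the slide names.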

Over-reliance on Tools
- Assuming security tools are properly configured
- Overconfidence in anti-virus, or any security tool
- Believing the tool will run itself (perhaps it is self-aware?)
What's the risk?
- Assuming you're protected by a tool when you're not.
- Not effectively using the tool due to manpower issues.

Over-reliance on Tools: Controls
- Realistically estimating maintenance effort when considering a new tool
- Investing in security staff training to improve effectiveness
- Periodic health checks to validate tool configuration
Skynet isn't self-aware yet!

Where Internal Audit Should Focus

Is Increased Attention from IA Needed?

Increased Risk Environment
The frequency of attacks and breaches has been increasing over the past five years. High-profile attacks such as those at Sony, Anthem, and Ashley Madison are just some of the thousands of breaches that actually occur each year.
Source: Verizon Data Breach Investigations Report, 2014.

Heightened Regulatory Scrutiny
As a result of the very public data breaches, regulators are taking a closer look at cybersecurity across all industries. Even industry standards such as the PCI Data Security Standard are becoming increasingly difficult to adhere to.
Financial Services:
- In 2014, the FFIEC conducted cybersecurity assessments at 500 banks.
- New York's Department of Financial Services announced increased focus on cybersecurity in its examinations.
Healthcare:
- OCR has increased its cybersecurity focus and promised increased enforcement activity.
- After Anthem, the Senate has said it will lead a bipartisan review of healthcare information security law.
Other Industries:
- PCI compliance has become much more difficult under the new 3.0 standard (mandatory since Jan 1, 2015).
- The FTC has been increasingly active with cybersecurity-related investigations and fines.

Boards of Directors' Attention
Boards of Directors are increasingly inquiring about cybersecurity as they see news of breaches, hear about increased regulatory scrutiny, and grow more concerned about cybersecurity risks.
NACD Guidance: The National Association of Corporate Directors (NACD) recently released guidance encouraging the full Board (not just the audit committee) to receive regular briefings on information security, and provided five principles for Board involvement.
Source: NACD Cyber-Risk Oversight Handbook.

What a Cybersecurity Audit Plan Should Look Like

A Penetration Test is Not Enough
Internal Audit plans frequently include a penetration test, and only a penetration test, as a cybersecurity-related audit. The increased risk environment necessitates that Internal Audit look beyond penetration tests and increase the number of cybersecurity audits.

Limits of penetration testing: A penetration test does not always provide an accurate or comprehensive assessment of cybersecurity risk. The goal of a penetration test is to simulate a single attack, not to uncover all possible attack scenarios. It is also usually very time-constrained, lasting weeks instead of the months that actual attackers have.

Internal Audit departments need to rebalance their plans to cover more cybersecurity areas. For reference, the NIST Cybersecurity Framework functions and categories, of which a penetration test exercises only a small part:

Function | Category ID | Category
Identify (ID) | ID.AM | Asset Management
Identify (ID) | ID.BE | Business Environment
Identify (ID) | ID.GV | Governance
Identify (ID) | ID.RA | Risk Assessment
Identify (ID) | ID.RM | Risk Management Strategy
Protect (PR) | PR.AC | Access Control
Protect (PR) | PR.AT | Awareness & Training
Protect (PR) | PR.DS | Data Security
Protect (PR) | PR.IP | Information Protection Processes & Procedures
Protect (PR) | PR.MA | Maintenance
Protect (PR) | PR.PT | Protective Technology
Detect (DE) | DE.AE | Anomalies & Events
Detect (DE) | DE.CM | Security Continuous Monitoring
Detect (DE) | DE.DP | Detection Processes
Respond (RS) | RS.RP | Response Planning
Respond (RS) | RS.CO | Communications
Respond (RS) | RS.AN | Analysis
Respond (RS) | RS.MI | Mitigation
Respond (RS) | RS.IM | Improvements
Recover (RC) | RC.RP | Recovery Planning
Recover (RC) | RC.IM | Improvements
Recover (RC) | RC.CO | Communications

Key Areas of an Internal Audit Plan for Cybersecurity
An Internal Audit plan for cybersecurity should be based on the organization's risk profile and the external threat landscape. A balanced plan might include:
- Operational security topic (e.g., security monitoring)
- Technology security topic (e.g., SQL Server)
- Compliance topic (e.g., PCI, privacy)
- Internal and external penetration testing
Organizations that are at high risk for cyberattack should consider an annual Breach Detection Audit as a point-in-time view of indicators of breach in the environment.

Hot Audit Areas for 2016

Breach Detection Audit
Organizations are not very good at self-detecting breaches; IA can help identify gaps.
Key questions:
- Are there signs that the organization is currently breached or has been in the recent past?
- How effective are in-place security monitoring tools and processes?
- Have potential breaches been sufficiently investigated?
Fieldwork activities:
- Forensic review of key indicators of a targeted attack (logs, network activity, systems).
- Evaluation of breach detection capabilities and processes.
- Review of previous potential breach incidents and organizational follow-up.
Value provided to Management:
- Management will appreciate the timeliness and relevance.
- Proven action steps that Management can take to improve its ability to detect breaches.
- Communication to stakeholders of key controls Management has invested in.
Can be completed in 250 to 500 hours, depending on components included.
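
One of the "key indicators of a targeted attack" that the forensic review step looks for in network logs is beaconing: an implant checking in with its controller at a nearly fixed interval. The script below is an added example, not part of the deck; the log format (timestamp, source, destination:port) and the log lines themselves are constructed, with one internal host calling one external address every five minutes amid ordinary browsing. It groups connections by source/destination pair, computes the gaps between successive connections, and flags pairs whose gaps are almost constant (coefficient of variation at or below a threshold) once enough connections have been seen.

```python
"""Beaconing check over constructed outbound-connection log lines.

Added example, not from the slides. The log format and sample lines are
constructed; a real review would use firewall, proxy or NetFlow exports.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log: 10.0.2.15 reaches 203.0.113.7:443 every ~300 s with
# very little jitter, mixed with irregular traffic to another site.
LOG_LINES = """\
2016-03-01T09:00:00 10.0.2.15 203.0.113.7:443
2016-03-01T09:00:41 10.0.2.15 198.51.100.20:443
2016-03-01T09:05:01 10.0.2.15 203.0.113.7:443
2016-03-01T09:07:12 10.0.2.15 198.51.100.20:443
2016-03-01T09:10:00 10.0.2.15 203.0.113.7:443
2016-03-01T09:14:59 10.0.2.15 203.0.113.7:443
2016-03-01T09:20:01 10.0.2.15 203.0.113.7:443
2016-03-01T09:33:40 10.0.2.15 198.51.100.20:443
2016-03-01T09:25:00 10.0.2.15 203.0.113.7:443
2016-03-01T09:51:05 10.0.2.15 198.51.100.20:443
"""


def parse(lines):
    """Group connection timestamps by (src, dst); lines may be out of order."""
    conns = defaultdict(list)
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        conns[(src, dst)].append(datetime.fromisoformat(ts))
    return conns


def find_beacons(lines, min_connections=4, max_cv=0.1):
    """Return [(src, dst, connections, period_seconds)] for pairs whose
    inter-connection intervals are nearly constant.

    max_cv is the largest allowed ratio of standard deviation to mean gap;
    a hand-driven browser never produces gaps that regular.
    """
    results = []
    for (src, dst), stamps in parse(lines).items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            results.append((src, dst, len(stamps), round(avg)))
    return results


if __name__ == "__main__":
    for src, dst, n, period in find_beacons(LOG_LINES):
        print(f"possible beacon: {src} -> {dst} ({n} connections, ~{period}s period)")
```

Treat a hit as a lead, not a finding: software update checks and monitoring agents also call home on a schedule, so each flagged pair is resolved against the asset and traffic baseline before it is escalated, and real implants often add random sleep jitter, which pushes the coefficient of variation above a tight threshold and is why the review also looks at destination reputation and data volumes rather than timing alone.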

Third Party Access Audit
IA can help Management limit the risk associated with a hacked third party (e.g., an HVAC vendor).
Key questions:
- Could a breach of a third party result in a breach of our organization?
- Are vendor, contractor, and other third-party accounts sufficiently restricted?
- Would we know if a vendor account was being used improperly?
Fieldwork activities:
- Review of policies and procedures for third parties.
- Review of a sample of third-party accounts for appropriate access.
- Attempting privilege escalation from an example third-party account.
Value provided to Management:
- Topical, given the initial intrusion method in the Target breach (a third-party HVAC vendor's access).
- Factual arguments to support limiting vendor access further.
- Comforting stakeholders on a key area of risk (provided appropriate controls are in place).
Can be completed in 150 to 250 hours, depending on components included.
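
The "review of a sample of third-party accounts" step is mostly a set of mechanical checks against a directory export, and it is worth running over the whole population rather than a sample once the checks are scripted. The following is an added example and not part of the deck; the account fields, group names, thresholds and the five sample accounts are constructed for illustration, standing in for an Active Directory or IAM export. For every enabled vendor or contractor account it reports membership in a privileged group, a missing expiry date, no logon within the staleness window, and no MFA.

```python
"""Third-party account review over a constructed directory export.

Added example, not from the slides. Field names, thresholds and the
sample accounts are constructed for illustration.
"""
from datetime import date

REVIEW_DATE = date(2016, 6, 1)
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
STALE_DAYS = 90

# Constructed account export; 'expires' of None means the account never expires.
ACCOUNTS = [
    {"name": "svc-hvacvendor", "type": "vendor", "enabled": True,
     "groups": ["Domain Admins"], "last_logon": date(2016, 5, 30),
     "expires": None, "mfa": False},
    {"name": "ctr-jsmith", "type": "contractor", "enabled": True,
     "groups": ["Contractors"], "last_logon": date(2016, 1, 10),
     "expires": date(2016, 12, 31), "mfa": True},
    {"name": "vnd-auditfirm", "type": "vendor", "enabled": True,
     "groups": ["Vendors"], "last_logon": date(2016, 5, 28),
     "expires": date(2016, 6, 30), "mfa": True},
    {"name": "emp-alice", "type": "employee", "enabled": True,
     "groups": ["Staff"], "last_logon": date(2016, 5, 31),
     "expires": None, "mfa": True},
    {"name": "vnd-oldprinter", "type": "vendor", "enabled": False,
     "groups": ["Vendors"], "last_logon": date(2014, 2, 2),
     "expires": None, "mfa": False},
]


def review(accounts, today=REVIEW_DATE):
    """Return {account_name: [finding, ...]} for enabled third-party accounts.

    Accounts with no findings are omitted; employees and disabled accounts
    are out of scope for this test.
    """
    findings = {}
    for acct in accounts:
        if acct["type"] not in ("vendor", "contractor") or not acct["enabled"]:
            continue
        issues = []
        if PRIVILEGED_GROUPS & set(acct["groups"]):
            issues.append("privileged group membership")
        if acct["expires"] is None:
            issues.append("no expiry date")
        if (today - acct["last_logon"]).days > STALE_DAYS:
            issues.append(f"stale (no logon in {STALE_DAYS} days)")
        if not acct["mfa"]:
            issues.append("no MFA")
        if issues:
            findings[acct["name"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in review(ACCOUNTS).items():
        print(f"{name}: {', '.join(issues)}")
```

The stale-but-enabled case is the one that answers "would we know if a vendor account was being used improperly?": an account nobody has used in months has no legitimate activity for a logon from an unexpected source to stand out against, so it should either be disabled or have its next logon alerted on.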

NIST Cybersecurity Framework (CSF) Audit
IA can help Management validate its NIST CSF implementation or alignment.
Key questions:
- Do we have sufficient cybersecurity control coverage as described in the NIST CSF?
- How mature is our control environment relative to the NIST CSF categories?
Fieldwork activities:
- Interviews and review of documents related to the NIST CSF controls.
- Testing a risk-based sample of controls for effectiveness.
- Reviewing control maturity and efficiency.
Value provided to Management:
- Directly responsive to Board interest in the NIST CSF.
- Third-party validation of successful control implementation.
Can be completed in 250 to 350 hours, depending on organization size and scope of testing.

Other Hot Topic Areas
Depending on the organization's industry and maturity, there are a number of other areas that could demonstrate Internal Audit's awareness of new cybersecurity risks:
- Medical Device Security
- Potentially Embarrassing Information (PEI) Security
- Data Exfiltration Monitoring
- Destructive Malware Resilience
Include someone from the information security team in brainstorming sessions when determining audit topic areas for the upcoming year.

Key Takeaways
- Threat agents are growing in number, type, and intensity.
- The risks you hear the most about may not be the right ones to focus on (does your organization have the basics?).
- Internal Audit should increase its focus on cybersecurity and may need to rebalance its audit plan to cover a wider variety of areas.

Closing Thought: Internal Audit's Evolving Role in Security
The increased attention on information security will continue for the foreseeable future. It is critical that Internal Auditors continue to educate themselves on the risks and focus audits in security-related areas. The help is needed!

Q & A
Questions? Adam Brand, @adamrbrand, adam.brand@protiviti.com
That time already?