InfoSec Risks from the Front Lines
Adam Brand, Protiviti
Orange County IIA Seminar
Who I Am
Adam Brand, IT Security Services
- Some Incident Response Experience
- Lead Breach Detection Audits
- @adamrbrand
Who are you?
What I Hope to Accomplish (in the next hour)
- Current Threat Landscape
- Latest Risks to Watch
- Where Internal Audit Should Focus
- Q & A
Current External Threat Landscape
- Credit Card/PII Thieves
- Ransomware Crooks
- Wire Transfer Fraudsters
- Botnet Herders
- Political Attackers
- Corporate Secrets Thieves
Insider threats and compliance threats are a different presentation.
Credit Card/PII Thieves
Ransomware Crooks
Wire Transfer Fraudsters
Botnet Herders
Political Attackers
Corporate Secrets Thieves
Latest Risks to Watch?
- Cloud
- Mobile
- Internet of Things
It Depends
It Depends (cont.)
What Does The Data Say?
Source: USSS/Verizon Data Breach Report, 2014
Latest Risks to Watch
- Not Knowing Yourself
- Permissive Web Access
- Over-reliance on Tools
Not Knowing Yourself
Easier Questions
- What does our network look like (systems, network, users)?
- Where is our sensitive data?
- What are our weaknesses?
Harder Questions
- What programs should be running on our systems?
- What type of traffic is normal for us?
- What user activity is normal?
What's the Risk?
- Not knowing what you have makes it hard to know what to protect.
- Not knowing your weaknesses makes it hard to know where you will be hit.
- Not knowing what is normal makes it hard to know what is abnormal.
Not Knowing Yourself: Controls
Basics
- Strong asset and configuration management
- Periodic data discovery (interviews + tool sweeps)
- Third-party vulnerability assessments
Stronger
- System baselining and variance monitoring
- Traffic baselining and variance monitoring
- User activity baselining and variance monitoring
"If you know the enemy and know yourself, you need not fear the result of a hundred battles." - Guess Who?
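The "stronger" controls on this slide come down to one mechanical idea: record what is normal, then report every difference from it. The script below is an added illustration of system and user activity baselining and variance monitoring; it is not code from the presentation or from Protiviti. The inventory format (host, role, process name, binary path), the logon records and every host name, path and user in it are constructed sample data, and the role-based baseline is an assumption about how an organization would group its hosts.

```python
"""Baseline-and-variance check over constructed inventory snapshots.

Added illustration for the "System baselining and variance monitoring" and
"User activity baselining and variance monitoring" controls. All hosts,
paths and users below are constructed sample data.
"""
from collections import defaultdict

# Constructed baseline: (host, role, process, binary path) tuples captured
# over several clean inventory sweeps. In practice this would come from the
# CMDB or an endpoint inventory tool, which is why the asset and
# configuration management "basics" have to come first.
BASELINE_SNAPSHOTS = [
    ("web01", "web", "nginx", "/usr/sbin/nginx"),
    ("web01", "web", "sshd", "/usr/sbin/sshd"),
    ("web02", "web", "nginx", "/usr/sbin/nginx"),
    ("web02", "web", "sshd", "/usr/sbin/sshd"),
    ("db01", "db", "postgres", "/usr/lib/postgresql/bin/postgres"),
    ("db01", "db", "sshd", "/usr/sbin/sshd"),
]

# Constructed current sweep containing three variances: sshd on web01 runs
# from an unexpected path, web02 has an unapproved process, and postgres is
# not running on db01.
CURRENT_SNAPSHOT = [
    ("web01", "web", "nginx", "/usr/sbin/nginx"),
    ("web01", "web", "sshd", "/tmp/sshd"),
    ("web02", "web", "nginx", "/usr/sbin/nginx"),
    ("web02", "web", "sshd", "/usr/sbin/sshd"),
    ("web02", "web", "kworkerd", "/var/tmp/kworkerd"),
    ("db01", "db", "sshd", "/usr/sbin/sshd"),
]

# Constructed user activity baseline: (user, host) pairs seen during the
# baseline period, and the logons observed in the current period.
LOGON_BASELINE = [("alice", "web01"), ("alice", "web02"), ("bob", "db01")]
CURRENT_LOGONS = [("alice", "web01"), ("bob", "db01"), ("bob", "web02")]


def build_baseline(snapshots):
    """Map each host role to the set of (process, path) pairs seen in clean sweeps."""
    baseline = defaultdict(set)
    for _host, role, proc, path in snapshots:
        baseline[role].add((proc, path))
    return baseline


def find_variances(baseline, snapshot):
    """Return sorted (host, kind, process, path) variances against the baseline.

    kind is 'unexpected' for a process/path pair not in the host's role
    baseline, or 'missing' for a baseline pair absent from the host. Because
    the pair includes the binary path, a known process name running from a
    non-baseline location is reported as unexpected rather than accepted.
    """
    seen = defaultdict(set)
    variances = []
    for host, role, proc, path in snapshot:
        seen[host].add((proc, path))
        if (proc, path) not in baseline[role]:
            variances.append((host, "unexpected", proc, path))
    host_roles = {host: role for host, role, _proc, _path in snapshot}
    for host, role in host_roles.items():
        for proc, path in baseline[role] - seen[host]:
            variances.append((host, "missing", proc, path))
    return sorted(variances)


def logon_variances(baseline, logons):
    """Return sorted (user, host) logons that never appeared in the baseline."""
    known = set(baseline)
    return sorted({entry for entry in logons if entry not in known})


if __name__ == "__main__":
    for variance in find_variances(build_baseline(BASELINE_SNAPSHOTS), CURRENT_SNAPSHOT):
        print("system variance:", variance)
    for variance in logon_variances(LOGON_BASELINE, CURRENT_LOGONS):
        print("logon variance:", variance)
```

The output is only as good as the baseline: a sweep taken while a host was already compromised bakes the intruder's processes into "normal", which is why the slide pairs baselining with third-party vulnerability assessments and periodic data discovery rather than treating it as a substitute for them.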
Permissive Web Access
- Not blocking uncategorized sites (most of the Internet)
- Not restricting servers
- Not filtering https (SSL)
- Having exceptions for executive systems
What's the Risk?
- Malware being delivered through the web.
- Attackers sending data out and remotely controlling systems.
Permissive Web Access: Controls
- Uncategorized websites blocked for most users
- A speed bump for other users
- Https sites filtered
- Alternate web access options (VDI, sandboxing, tablet)
80%: The average percent of users that click malicious links in our social engineering engagements.
1: The number of users an attacker needs to convince to click a link.
Over-reliance on Tools
- Assuming security tools are properly configured
- Overconfidence in anti-virus, or in any security tool
- Believing the tool will run itself (perhaps it is self-aware?)
What's the Risk?
- Assuming you're protected by a tool when you're not.
- Not effectively using the tool due to manpower issues.
Over-reliance on Tools: Controls
- Realistically estimating maintenance when considering a new tool
- Investing in security staff training to improve effectiveness
- Periodic health checks to validate tool configuration
Skynet isn't self-aware yet!
Where Internal Audit Should Focus
Is Increased Attention from IA Needed?
Increased Risk Environment
The frequency of attacks and breaches has been increasing over the past five years. High-profile attacks such as those at Sony, Anthem, and Ashley Madison are just some of the thousands of breaches that actually occur each year.
Source: Verizon Data Breach Investigation Report, 2014.
Heightened Regulatory Scrutiny
As a result of the very public data breaches, regulators are taking a closer look at cybersecurity across all industries. Even industry regulations such as the PCI Data Security Standard are becoming increasingly difficult to adhere to.
Financial Services
- In 2014, the FFIEC audited 500 banks specifically on cybersecurity.
- New York's Department of Financial Services announced increased focus on cybersecurity in its audits.
Healthcare
- OCR has increased its cybersecurity focus and promised increased enforcement activity.
- After Anthem, the Senate has said it will lead a bipartisan review of healthcare information security law.
Other Industries
- PCI compliance has become much more difficult under the new 3.0 standard (Jan 1).
- The FTC has been increasingly active with cybersecurity-related investigations and fines.
Boards of Directors' Attention
Boards of Directors are increasingly inquiring about cybersecurity as they see news of breaches, hear about increased regulatory scrutiny, and grow more concerned about cybersecurity risks.
NACD Guidance
The National Association of Corporate Directors (NACD) recently released guidance encouraging the full Board (not just the audit committee) to receive regular briefings on information security and provided five principles for Board involvement.
Source: NACD Cyber-Risk Oversight Handbook.
What a Cybersecurity Audit Plan Should Look Like
A Penetration Test is Not Enough
Internal Audit plans frequently include a penetration test, and only a penetration test, as a cybersecurity-related audit. The increased risk environment necessitates that Internal Audit look beyond penetration tests and increase the number of cybersecurity audits.
Limits of Penetration Testing
A penetration test does not always provide an accurate or comprehensive assessment of cybersecurity risk. The goal of a penetration test is to simulate a single attack, not to uncover all possible attack scenarios. It is also usually very time-constrained, lasting weeks instead of the months that actual attackers have.
Internal Audit departments need to rebalance their plans to cover more cybersecurity areas.
NIST Cybersecurity Framework functions and categories (a penetration test exercises only a small slice of this):

| Function | Function Unique Identifier | Category | Category Unique Identifier |
|---|---|---|---|
| Identify | ID | Asset Management | ID.AM |
| Identify | ID | Business Environment | ID.BE |
| Identify | ID | Governance | ID.GV |
| Identify | ID | Risk Assessment | ID.RA |
| Identify | ID | Risk Management Strategy | ID.RM |
| Protect | PR | Access Control | PR.AC |
| Protect | PR | Awareness & Training | PR.AT |
| Protect | PR | Data Security | PR.DS |
| Protect | PR | Information Protection Processes & Procedures | PR.IP |
| Protect | PR | Maintenance | PR.MA |
| Protect | PR | Protective Technology | PR.PT |
| Detect | DE | Anomalies & Events | DE.AE |
| Detect | DE | Security Continuous Monitoring | DE.CM |
| Detect | DE | Detection Processes | DE.DP |
| Respond | RS | Response Planning | RS.RP |
| Respond | RS | Communications | RS.CO |
| Respond | RS | Analysis | RS.AN |
| Respond | RS | Mitigation | RS.MI |
| Respond | RS | Improvements | RS.IM |
| Recover | RC | Recovery Planning | RC.RP |
| Recover | RC | Improvements | RC.IM |
| Recover | RC | Communications | RC.CO |
Key Areas of an Internal Audit Plan for Cybersecurity
An Internal Audit plan for cybersecurity should be based on the organization's risk profile and the external threat landscape. A balanced plan might include:
- Operational Security Topic (e.g., Security Monitoring)
- Technology Security Topic (e.g., SQL Server)
- Compliance Topic (e.g., PCI, Privacy)
- Internal and External Penetration Testing
Organizations that are at high risk for cyberattack should consider an annual Breach Detection Audit as a point-in-time view on indicators of breach in the environment.
Hot Audit Areas for 2016
Breach Detection Audit
Organizations are not very good at self-detecting breaches; IA can help identify gaps.
Key Questions
- Are there signs that the organization is currently breached or has been in the recent past?
- How effective are in-place security monitoring tools and processes?
- Have potential breaches been sufficiently investigated?
Fieldwork Activities
- Forensic review of key indicators of a targeted attack (logs, network activity, systems).
- Evaluation of breach detection capabilities and processes.
- Review of previous potential breach incidents and organizational follow-up.
Value Provided to Management
- Management will appreciate the timeliness and relevance.
- Proven action steps that Management can take to improve its ability to detect breaches.
- Communication to stakeholders of key controls Management has invested in.
Can be completed in 250 to 500 hours, depending on components included.
Third Party Access Audit
IA can help Management limit risk associated with a hacked third party (e.g., HVAC).
Key Questions
- Could a breach of a third party result in a breach of our organization?
- Are vendor, contractor, and other third party accounts sufficiently restricted?
- Would we know if a vendor account was being used improperly?
Fieldwork Activities
- Review of policies and procedures for third parties.
- Review of a sample of third party accounts for appropriate access.
- Attempting privilege escalation from an example third party account.
Value Provided to Management
- Topical given the Target initial intrusion method.
- Factual arguments to support limiting vendor access further.
- Comforting stakeholders on a key area of risk (provided appropriate controls are in place).
Can be completed in 150 to 250 hours, depending on components included.
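Two of the fieldwork items above, reviewing a sample of third party accounts for appropriate access and answering "would we know if a vendor account was being used improperly?", can be turned into a repeatable check. The script below is an added example written for this slide; it is not code from the presentation or from Protiviti. The third-party register format (allowed groups, agreed maintenance window, documented source network), the directory export, the VPN gateway log line format, and every account, address and date in it are constructed sample data, with addresses taken from the RFC 5737 documentation ranges.

```python
"""Third-party account review and vendor logon anomaly check.

Added example for the Third Party Access Audit slide. The register, the
directory export and the gateway log lines are all constructed sample data.
"""
import re
from datetime import datetime, timedelta

# Constructed third-party register: the groups each vendor account may hold,
# the vendor's agreed maintenance window as UTC hours [start, end), and the
# vendor's documented source network (RFC 5737 documentation addresses).
VENDOR_POLICY = {
    "svc_hvac":   {"allowed_groups": {"HVAC-Operators"},   "window": (8, 18), "src_prefix": "203.0.113."},
    "svc_backup": {"allowed_groups": {"Backup-Operators"}, "window": (0, 24), "src_prefix": "198.51.100."},
}

# Constructed directory export of the sampled vendor accounts.
ACCOUNTS = [
    {"name": "svc_hvac",   "enabled": True, "groups": ["HVAC-Operators", "Domain Admins"], "last_logon": "2016-02-28"},
    {"name": "svc_backup", "enabled": True, "groups": ["Backup-Operators"],               "last_logon": "2015-10-01"},
]

# Constructed VPN gateway log lines covering the same accounts.
LOG_LINES = [
    "2016-03-01T10:02:11Z vpn-gw user=svc_hvac src=203.0.113.40 result=success",
    "2016-03-02T02:14:09Z vpn-gw user=svc_hvac src=203.0.113.40 result=success",
    "2016-03-02T11:30:00Z vpn-gw user=svc_hvac src=198.51.100.9 result=success",
    "2016-03-03T09:00:00Z vpn-gw user=svc_backup src=198.51.100.9 result=success",
    "2016-03-03T09:00:05Z vpn-gw user=jdoe src=192.0.2.5 result=failure",
]

# Constructed "as of" date for the review; a real run would use today's date.
AS_OF = datetime(2016, 3, 4)

LOG_RE = re.compile(r"^(?P<ts>\S+) \S+ user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$")


def review_accounts(accounts, policy, as_of, stale_days=90):
    """Return (account, finding) pairs for excess privilege, staleness or missing registration."""
    findings = []
    cutoff = as_of - timedelta(days=stale_days)
    for acct in accounts:
        rule = policy.get(acct["name"])
        if rule is None:
            findings.append((acct["name"], "not in third-party register"))
            continue
        extra = set(acct["groups"]) - rule["allowed_groups"]
        if extra:
            findings.append((acct["name"], "excess privilege: " + ", ".join(sorted(extra))))
        last = datetime.strptime(acct["last_logon"], "%Y-%m-%d")
        if acct["enabled"] and last < cutoff:
            findings.append((acct["name"], "stale: no logon since " + acct["last_logon"]))
    return findings


def flag_logons(lines, policy):
    """Return (user, timestamp, reason) for successful vendor logons outside policy."""
    flagged = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["result"] != "success":
            continue
        rule = policy.get(m["user"])
        if rule is None:
            continue  # not a vendor account; out of scope for this check
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        start, end = rule["window"]
        reasons = []
        if not start <= ts.hour < end:
            reasons.append("outside maintenance window")
        if not m["src"].startswith(rule["src_prefix"]):
            reasons.append("unexpected source " + m["src"])
        if reasons:
            flagged.append((m["user"], m["ts"], "; ".join(reasons)))
    return flagged


def audit_findings():
    """Run the account review against the constructed data with the constructed as-of date."""
    return review_accounts(ACCOUNTS, VENDOR_POLICY, AS_OF)


if __name__ == "__main__":
    for finding in audit_findings():
        print("account finding:", finding)
    for entry in flag_logons(LOG_LINES, VENDOR_POLICY):
        print("logon flagged:", entry)
```

On the constructed data the account review reports the HVAC account for holding Domain Admins and the backup account as stale, and the logon check flags an overnight HVAC logon and one from outside the vendor's documented network. The two outputs map onto the slide's two questions: the first is the evidence for restricting accounts further, the second shows whether the organization could notice improper use at all.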
NIST Cybersecurity Framework (CSF) Audit
IA can help Management validate its NIST CSF implementation or alignment.
Key Questions
- Do we have sufficient cybersecurity control coverage as described in the NIST CSF?
- How mature is our control environment related to the NIST CSF categories?
Fieldwork Activities
- Interviews and review of documents related to the NIST CSF controls.
- Testing a risk-based sample of controls for effectiveness.
- Reviewing control maturity and efficiency.
Value Provided to Management
- Directly responsive to Board interest in NIST CSF.
- Third-party validation of successful control implementation.
Can be completed in 250 to 350 hours, depending on organization size and scope of testing.
Other Hot Topic Areas
Depending on the organization's industry and maturity, there are a number of other areas that could demonstrate Internal Audit's awareness of new cybersecurity risks:
- Medical Device Security
- Potentially Embarrassing Information (PEI) Security
- Data Exfiltration Monitoring
- Destructive Malware Resilience
Include someone from the information security team in brainstorming sessions when determining audit topic areas for the upcoming year.
Key Takeaways
- Threat agents are growing in number, type, and intensity.
- The risks you hear the most about may not be the right ones to focus on (does your organization have the basics?).
- Internal Audit should increase its focus on cybersecurity and may need to rebalance its audit plan to cover a wider variety of areas.
Closing Thought: Internal Audit's Evolving Role in Security
The increased attention on Information Security will continue for the foreseeable future. It is critical that Internal Auditors continue to educate themselves on the risks and focus audits in security-related areas. The help is needed!
Q & A
Questions?
Adam Brand
@adamrbrand
adam.brand@protiviti.com
That time already?