IT Security Update on Practical Risk Mitigation Strategies
Bonnie Bastow, CIA, CISA, CISM, Director
May 2016
This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record of the discussion. This presentation is for informational purposes and does not contain or convey specific advice. It should not be used or relied upon in regard to any particular situation or circumstances without first consulting the appropriate advisor. No part of the presentation may be circulated, quoted, or reproduced for distribution without prior written approval from Elliott Davis Decosimo.
IT Security Update on Practical Risk Mitigation Strategies
Learning Objectives / Knowledge Gained
IT security update on 2016 threats:
- McAfee Labs 2016 Threat Predictions
- PwC 2016 forecast
- Cybersecurity events: what they have in common
Practical risk mitigation strategies:
- Increased knowledge of cybersecurity risk assessment processes and tools
- IT controls to mitigate risks
McAfee Labs 2016 Threat Predictions (threat: comments)
- Hardware: operating-system-level attacks
- Ransomware: offered as a service hosted on the Tor network; financial and government sectors are targets
- Vulnerabilities: targeting cloud services and mobile devices; Adobe Flash, Unix
- Payment Systems: credential stealing and attacks on payment card devices (skimmers, etc.)
McAfee Labs 2016 Threat Predictions (threat: comments), continued
- Attacks through Employee Systems: increase expected in Android devices; securing home networks for employees' remote access
- Cloud Services: users have little insight into the provider's security measures
- Integrity: compromising the integrity of systems and data; stealthy, selective attacks that appear to be operational problems, accounting errors, or dumb mistakes
PwC Survey: Top 3 Challenges, Financial Services 2016
1. Assessing the security capabilities of third-party vendors. Financial services respondents ranked this as the top challenge to their information security efforts; more than half said they would increase spending to better monitor third-party security in the coming 12 months. Average information security spending is up 15%.
2. Rapidly evolving, sophisticated, and complex technologies
3. Increased use of mobile technologies by customers
Cyber Security Events: What They Have in Common
Social Engineering
Social Engineering Defined
Social engineering, in the context of information security, refers to the psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional "con" in that it is often one of many steps in a more complex fraud scheme.
Common Data Breaches/Threats
- Phishing is a form of social engineering
- Phishing is the most common threat
- Usually accomplished through email or phone-call schemes
- Our employees are our weakest link
- Continuous or at least annual employee training is a must in this area to assist with prevention
Spear Phishing
Unlike traditional spam, spear phishing is by no means random: it is a highly targeted operation. The sender impersonates a friend or colleague of the intended victim in order to trick them into opening malware-laden files, visiting malicious websites, or taking some other action for the phisher's benefit. It has a high success rate.
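As an added example, not taken from the presentation, the following Python script turns the spear-phishing traits described above into mail-gateway checks: a display name that matches a colleague in the directory but an address that does not, a sender domain that is a near-miss of our own, a Reply-To that quietly diverts replies to a different domain, and a failed DMARC verdict recorded by our gateway. The corporate domain example-bank.com, the directory entries, the similarity threshold and the three sample messages are all constructed assumptions.

```python
"""Added example: spear-phishing indicator checks over constructed messages.

Not from the presentation. The corporate domain, the directory, the
threshold and the three sample messages below are all assumptions.
"""
import difflib
import re
from email import message_from_string
from email.utils import parseaddr

CORP_DOMAIN = "example-bank.com"   # assumption: the organization's own mail domain
LOOKALIKE_THRESHOLD = 0.8          # assumption: similarity ratio that counts as a lookalike

# Constructed internal directory: lower-cased display name -> real address.
DIRECTORY = {
    "jane doe": "jane.doe@example-bank.com",
    "bob smith": "bob.smith@example-bank.com",
}

# Constructed sample messages (only the headers matter for these checks).
SAMPLE_MESSAGES = [
    # 1. legitimate internal mail
    "From: Jane Doe <jane.doe@example-bank.com>\n"
    "To: Bob Smith <bob.smith@example-bank.com>\n"
    "Subject: Q2 report\n"
    "Authentication-Results: mx.example-bank.com; dmarc=pass header.from=example-bank.com\n"
    "\nAttached is the report we discussed.\n",
    # 2. display-name impersonation from a free webmail account, replies diverted
    "From: Jane Doe <jane.doe.ceo@gmail.com>\n"
    "Reply-To: wire-desk@outlook.com\n"
    "To: Bob Smith <bob.smith@example-bank.com>\n"
    "Subject: Urgent wire request\n"
    "\nPlease process the attached wire today. Do not call, I am in a meeting.\n",
    # 3. lookalike domain (digit 1 in place of the letter l) that fails DMARC
    "From: Jane Doe <jane.doe@examp1e-bank.com>\n"
    "To: Bob Smith <bob.smith@example-bank.com>\n"
    "Subject: Updated vendor bank details\n"
    "Authentication-Results: mx.example-bank.com; dmarc=fail header.from=examp1e-bank.com\n"
    "\nSee attached.\n",
]


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an address, or '' if malformed."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def is_lookalike(domain: str) -> bool:
    """True when a domain closely resembles CORP_DOMAIN without being it."""
    if not domain or domain == CORP_DOMAIN:
        return False
    ratio = difflib.SequenceMatcher(None, domain, CORP_DOMAIN).ratio()
    return ratio >= LOOKALIKE_THRESHOLD


def analyze(raw: str) -> list[str]:
    """Return the sorted list of spear-phishing indicators found in one message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    from_domain = domain_of(addr)
    findings = []

    # A display name that belongs to a colleague, but an address that does not.
    known = DIRECTORY.get(name.strip().lower())
    if known and known != addr:
        findings.append("display_name_impersonation")

    # A sender domain that is a near-miss of ours.
    if is_lookalike(from_domain):
        findings.append("lookalike_domain")

    # Replies silently routed to a different domain than the visible sender.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append("reply_to_mismatch")

    # Our gateway's DMARC verdict, when it recorded one.
    verdict = re.search(r"dmarc=(\w+)", msg.get("Authentication-Results", ""))
    if verdict and verdict.group(1).lower() != "pass":
        findings.append("dmarc_fail")

    return sorted(findings)


if __name__ == "__main__":
    for i, raw in enumerate(SAMPLE_MESSAGES, 1):
        print(f"message {i}: {analyze(raw) or 'no indicators'}")
```

The display-name check is the one that catches the "trusted colleague" trick the slide describes, and it needs nothing more than an HR directory export; the lookalike check is deliberately loose (a ratio rather than an exact homoglyph table) so it also flags transposed letters and added hyphens, at the cost of occasional false positives on genuinely similar partner domains.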
Spear Phishing Example (video)
https://www.youtube.com/watch?v=bjyhmx_ouqQ&feature=youtu.be&t=2m13s
Common Data Breaches/Threats: Malware
- Malware is software designed to infiltrate, damage or obtain information from a computer system without the owner's consent (as defined by ISACA)
- Spyware/keylogger (records the user's keystrokes; can capture user names and passwords): 75% of cases
- Backdoor (e.g., malware creates backdoor access for the cyber criminal): 66%
- Captured stored data (e.g., ransomware): 55%
Source: http://us.norton.com/yoursecurityresource/detail.jsp?aid=rise_in_ransomware
Keylogger Example
Hacker builds a wireless Microsoft keyboard keylogger disguised as a USB wall charger.
Risk Mitigation Strategies
1. IT General Controls
2. Cyber Security Assessments
3. Training: Employee and IT Specific
4. Risk Assessments and Information Sharing
1 - IT General Controls
Security Administration:
- User provisioning
- User removal
- User access reviews, with segregation of duties (SoD)
Logical Security:
- Password controls
- Privileged user review
- Security monitoring
- Physical security controls
Change Management:
- Authorization and approval
- User testing
- Access to production
- Segregation of duties
Operations:
- Backups
- Restore test
- Vendor management
- Job monitoring
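The security administration and logical security controls above (user removal, privileged user review, user access reviews with SoD) are usually evidenced by a periodic review of the account list. As an added example that is not part of the presentation, the following Python script performs such a review over constructed accounts: it flags terminated users still enabled, dormant accounts, accounts holding a conflicting pair of entitlements, and privileged users whose re-certification is overdue. The SoD conflict matrix, the set of privileged entitlements, the 90-day windows and the four accounts are assumptions chosen for illustration.

```python
"""Added example: periodic user access review with SoD and dormancy checks.

Not from the presentation. The SoD conflict matrix, the privileged
entitlements, the review windows and the accounts are all assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumption: pairs of entitlements one person must never hold together.
SOD_CONFLICTS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"initiate_wire", "approve_wire"}),
    frozenset({"change_deploy", "change_approve"}),
}
# Assumption: entitlements that require a documented periodic review.
PRIVILEGED = {"domain_admin", "db_admin", "change_deploy"}
DORMANT_DAYS = 90          # assumption: no login for this long -> dormant
REVIEW_INTERVAL_DAYS = 90  # assumption: privileged access re-certified quarterly


@dataclass
class Account:
    user: str
    enabled: bool
    entitlements: set[str]
    last_login: Optional[date]
    terminated: Optional[date] = None     # HR termination date, if any
    last_reviewed: Optional[date] = None  # last privileged-access certification


def review(accounts: list[Account], as_of: date) -> dict[str, list[str]]:
    """Return {user: sorted issue list} for every account with at least one issue."""
    issues: dict[str, list[str]] = {}
    for a in accounts:
        found = []
        # User removal: HR says gone, the directory says active.
        if a.terminated and a.enabled:
            found.append("terminated_still_enabled")
        # Dormant accounts are prime takeover targets and should be disabled.
        if a.enabled and (a.last_login is None or (as_of - a.last_login).days > DORMANT_DAYS):
            found.append("dormant")
        # Segregation of duties: flag every conflicting pair the account holds.
        for pair in SOD_CONFLICTS:
            if pair <= a.entitlements:
                found.append("sod:" + "+".join(sorted(pair)))
        # Privileged user review: the certification must be recent.
        if a.entitlements & PRIVILEGED and (
            a.last_reviewed is None or (as_of - a.last_reviewed).days > REVIEW_INTERVAL_DAYS
        ):
            found.append("privileged_review_overdue")
        if found:
            issues[a.user] = sorted(found)
    return issues


# Constructed accounts for a review dated 2016-05-15.
AS_OF = date(2016, 5, 15)
ACCOUNTS = [
    Account("alice", True, {"initiate_wire"}, date(2016, 5, 10)),
    Account("bob", True, {"create_vendor", "approve_payment"}, date(2016, 5, 1)),
    Account("carol", True, {"domain_admin"}, date(2016, 1, 5)),
    Account("dave", True, {"change_deploy", "change_approve"}, date(2016, 2, 1),
            terminated=date(2016, 3, 31), last_reviewed=date(2016, 4, 1)),
]

if __name__ == "__main__":
    for user, found in review(ACCOUNTS, AS_OF).items():
        print(f"{user}: {', '.join(found)}")
```

In practice the account list comes from a directory export and the termination dates from HR; the point of keeping the SoD matrix as data rather than code is that the business owners, not IT, maintain which combinations are forbidden, and the same script can be re-run on each review cycle with the evidence retained.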
2 - Cyber Security Assessments
- Internal network vulnerability scans (patching is the largest category of findings; system configuration is another)
- External network vulnerability scans
- External penetration testing
- Wireless scans
- Social engineering assessments
- Social engineering training
2 - Cyber Security Assessments: Reporting Categories (category: resulting from)
- Patch Management: failure to apply patches provided by vendors to address security weaknesses. Software/firmware patches are primarily an administrative detail.
- System Configuration: configuration settings on devices that may not be set in an optimal manner for security.
- Trust: insecure authentication methods or configurations on workstations/servers.
- Application Vulnerabilities: applications with known vulnerabilities found on the network. Examples include the discovery of software such as Dropbox, Skype, and Coupons Printer.
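As an added example, not from the presentation, the following Python script shows how a scan export labelled with the four reporting categories above can be triaged instead of read finding by finding: it counts findings per category (which is how "patching is the largest category" is established), lists findings that have outlived a severity-based remediation SLA, and ranks hosts by aggregate exposure so the next patch window is spent where it matters. The CSV layout, the SLA days per severity, the ranking weights and the six findings are constructed assumptions; no real advisory identifiers are used.

```python
"""Added example: triage of vulnerability-scan findings by category and patch SLA.

Not from the presentation. The CSV layout, the severity SLAs, the ranking
weights and the findings themselves are constructed assumptions.
"""
import csv
import io
from collections import Counter, defaultdict
from datetime import date

# Assumption: maximum days a finding may stay open, by severity.
SLA_DAYS = {"Critical": 15, "High": 30, "Medium": 90, "Low": 180}
# Assumption: weights used to rank hosts by aggregate exposure.
WEIGHT = {"Critical": 10, "High": 5, "Medium": 2, "Low": 1}

# Constructed scan export using the four reporting categories from the slide.
SCAN_CSV = """host,category,severity,title,first_seen
10.0.0.5,Patch Management,Critical,Missing vendor OS security patches,2016-03-01
10.0.0.5,System Configuration,Medium,SMB signing not required,2016-04-20
10.0.0.9,Trust,High,Telnet service enabled (cleartext authentication),2016-04-01
10.0.0.12,Application Vulnerabilities,High,Outdated file-sync client with known vulnerabilities,2016-05-10
10.0.0.12,Patch Management,High,Missing browser plugin patches,2016-04-25
10.0.0.20,Patch Management,Medium,Missing vendor application patches,2016-01-10
"""


def parse_findings(text: str) -> list[dict]:
    """Parse the CSV export; first_seen becomes a date object."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["first_seen"] = date.fromisoformat(row["first_seen"])
        rows.append(row)
    return rows


def counts_by_category(findings: list[dict]) -> dict[str, int]:
    """How many findings fall into each reporting category."""
    return dict(Counter(f["category"] for f in findings))


def overdue(findings: list[dict], as_of: date) -> list[tuple[str, str, int]]:
    """(host, title, days_open) for findings past their SLA, oldest first."""
    late = []
    for f in findings:
        days_open = (as_of - f["first_seen"]).days
        if days_open > SLA_DAYS[f["severity"]]:
            late.append((f["host"], f["title"], days_open))
    return sorted(late, key=lambda t: -t[2])


def host_scores(findings: list[dict]) -> list[tuple[str, int]]:
    """Hosts ranked by the weighted sum of their open findings, highest first."""
    scores = defaultdict(int)
    for f in findings:
        scores[f["host"]] += WEIGHT[f["severity"]]
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    findings = parse_findings(SCAN_CSV)
    as_of = date(2016, 5, 15)
    print("by category:", counts_by_category(findings))
    print("overdue:")
    for host, title, days in overdue(findings, as_of):
        print(f"  {host}: {title} ({days} days open)")
    print("host ranking:", host_scores(findings))
```

Tracking first_seen across scan runs is what turns a vulnerability scan into a patch-management control: a finding that reappears every quarter on the same host is evidence that patching is administrative work nobody owns, which is exactly the situation the Patch Management category describes.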
3 - Training: Employee and IT Specific
- Training, training, training (employees as well as clients/customers)
- Technical training for key employees and management
- Set the appropriate tone at the top: make security a priority, not just an IT initiative
Training Aids
Cisco (OpenDNS) launched an online quiz to show how easy it is to get people hooked by a social engineering phishing email: https://www.opendns.com/phishing-quiz/
Can you pass the quiz? It can also be used for training purposes.
4 - Information Sharing
FS-ISAC is a non-profit, information-sharing forum established by financial services industry participants to facilitate the public and private sectors' sharing of physical and cybersecurity threat and vulnerability information.
4 - Risk Assessment Reduction Solutions
FFIEC Nov. 3, 2014 press release: https://www.ffiec.gov/press/pr110314.htm
FFIEC released observations from its recent cybersecurity assessment, which included more than 500 community banks, and recommended that regulated financial institutions participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC): https://www.fsisac.com/
4 - Risk Assessment Reduction Solutions
FFIEC Cybersecurity Assessment General Observations (Summer 2014): https://www.ffiec.gov/press/pdf/ffiec_cybersecurity_assessment_observations.pdf
This document presents general observations from the Cybersecurity Assessment about the range of inherent risks and the varied risk management practices among financial institutions, and suggests questions for chief executive officers and boards of directors to consider when assessing their financial institutions' cybersecurity and preparedness.
McAfee Labs 2016 Threat Predictions: Risk Mitigation Strategy by Threat
- Hardware: patching, vulnerability scans
- Ransomware: risk assessment/vendor management and cyber insurance
- Vulnerabilities: patching programs
- Payment Systems: physical controls, scans, basic controls
- Attacks through Employee Systems: social engineering controls, remote access controls
- Cloud Services: risk assessments, vendor management
- Integrity: monitoring controls, social engineering controls
- All of the above: basic IT general controls and assessments
PwC Survey: Top Challenges, Financial Services 2016 (challenge: risk mitigation)
- Third-party security: deeper vendor management practices
- Rapidly evolving, sophisticated and complex technologies: more thorough risk assessments and vendor due diligence
- Increased use of mobile technologies by customers: cyber insurance
PwC: The State of Security 2016 Survey
PwC proposed risk mitigation approaches:
1. Risk-based frameworks: 91% adoption rate for a cybersecurity framework. Frameworks provide better identification and prioritization of security risks. Examples: ISO 27001, NIST, SANS Critical Controls, COBIT.
2. Cloud-based security: 69% use cloud-based cybersecurity services; real-time monitoring.
3. The impact of big data: trending, looking for patterns.
4. Threat intelligence sharing: 65% of respondents collaborate to improve security and reduce cyber risks (up from 50% in the previous year); Information Sharing and Analysis Centers (ISACs).
5. Executive involvement: 45% of respondents stated their boards now participate in the overall security strategy, which resulted in a 24% boost in security spending.
Source: http://www.pwc.com/gx/en/issues/cyber-security/information-security-survey/key-findings.html
Did you know?
The biggest violators of IT security are the senior members of the IT/IS team (via control overrides), the very team responsible for securing the enterprise, along with CEOs/presidents.
Questions
Bonnie Bastow, CIA, CISA, CISM
Email: bonnie.bastow@elliottdavis.com
Phone: 704.808.5275
Website: www.elliottdavis.com
Elliott Davis Decosimo ranks among the top 30 CPA firms in the U.S. With seventeen offices across six states, the firm provides clients across a wide range of industries with smart, customized solutions. Elliott Davis Decosimo is an independent firm associated with Moore Stephens International Limited, one of the world's largest CPA firm associations with resources in every major market around the globe. For more information, please visit elliottdavis.com.