TIPS FOR AUDITING CYBERSECURITY
Dr. Vilius Benetis, ISACA Lithuania Chapter, NRD CS
18 October 2016
TODAY'S SPEAKER
Dr. Vilius Benetis, Cybersecurity Practice Leader, Norway Registers Development (NRD Cybersecurity), ISACA Lithuania Chapter
AGENDA
Tip #0: please enable strong (two-factor) authentication on your personal accounts: Google, Facebook, Evernote, Office 365, Dropbox, ... Read more: https://twofactorauth.org/
Tip #1: Clarification on the Cybersecurity Domain
Tip #2: Auditing Process and Cybersecurity
Tip #3: CIS Critical Security Controls
Tip #4: Auditing Cybersecurity Skills
#1 ON CLARIFICATION ON CYBERSECURITY DOMAIN
GOOGLE IT: CYBERSECURITY DEFINITION
Where do we start? Let's ground the terms.
ISO 27032:
ISO 27032 (& ): SECURITY CONCEPTS AND TECHNIQUES
#1 ON CLARIFICATION ON CYBERSECURITY DOMAIN
1. Are you sure you want to limit the scope to cybersecurity, and not to information security?
2. Please adjust the terms to fit your organisation.
#2 ON AUDITING PROCESS AND CYBERSECURITY
Automation of business functions. Example: assess organisation/IS resilience to cyber threats.
From the ISACA publication: Information Systems Auditing: Tools and Techniques, Creating Audit Programs
#3 ON CIS CRITICAL SECURITY CONTROLS
CIS CRITICAL SECURITY CONTROLS (V6.1)
1: Inventory of Authorized and Unauthorized Devices
2: Inventory of Authorized and Unauthorized Software
3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
4: Continuous Vulnerability Assessment and Remediation
5: Controlled Use of Administrative Privileges (12)
6: Maintenance, Monitoring, and Analysis of Audit Logs (14)
7: Email and Web Browser Protections (new)
8: Malware Defenses (5)
9: Limitation and Control of Network Ports, Protocols, and Services (11)
10: Data Recovery Capability (8)
11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches (10)
12: Boundary Defense (13)
13: Data Protection (17)
14: Controlled Access Based on the Need to Know (15)
15: Wireless Access Control (7)
16: Account Monitoring and Control (16)
17: Security Skills Assessment and Appropriate Training to Fill Gaps (9)
18: Application Software Security (6)
19: Incident Response and Management (18)
20: Penetration Tests and Red Team Exercises (20)
THE FIVE CRITICAL TENETS OF CYBER DEFENSE:
1. Offense informs defense
2. Prioritization
3. Metrics
4. Continuous diagnostics and mitigation
5. Automation
CSC 1: INVENTORY OF AUTHORIZED AND UNAUTHORIZED DEVICES
Actively manage (inventory, track, and correct) all hardware devices on the network so that:
- only authorized devices are given access, and
- unauthorized and unmanaged devices are found and prevented from gaining access.
CSC 1: INVENTORY OF AUTHORIZED AND UNAUTHORIZED DEVICES
1.1 Deploy an automated asset inventory discovery tool and use it to build a preliminary inventory of systems connected to an organization's public and private network(s). Both active tools that scan through IPv4 or IPv6 network address ranges and passive tools that identify hosts based on analyzing their traffic should be employed.
1.2 If the organization is dynamically assigning addresses using DHCP, then deploy dynamic host configuration protocol (DHCP) server logging, and use this information to improve the asset inventory and help detect unknown systems.
1.3 Ensure that all equipment acquisitions automatically update the inventory system as new, approved devices are connected to the network.
CSC 1: INVENTORY OF AUTHORIZED AND UNAUTHORIZED DEVICES
1.4 Maintain an asset inventory of all systems connected to the network and the network devices themselves, recording at least the network addresses, machine name(s), purpose of each system, an asset owner responsible for each device, and the department associated with each device. The inventory should include every system that has an Internet protocol (IP) address on the network, including but not limited to desktops, laptops, servers, network equipment (routers, switches, firewalls, etc.), printers, storage area networks, Voice-over-IP telephones, multi-homed addresses, virtual addresses, etc. The asset inventory created must also include data on whether the device is a portable and/or personal device. Devices such as mobile phones, tablets, laptops, and other portable electronic devices that store or process data must be identified, regardless of whether they are attached to the organization's network.
1.5 Deploy network level authentication via 802.1x to limit and control which devices can be connected to the network. The 802.1x must be tied into the inventory data to determine authorized versus unauthorized systems.
CSC 1: INVENTORY OF AUTHORIZED AND UNAUTHORIZED DEVICES (metrics)

| ID  | Metric | Lower Risk Threshold | Moderate Risk Threshold | Higher Risk Threshold |
|-----|--------|----------------------|-------------------------|-----------------------|
| 1.1 | How many unauthorized devices are presently on the organization's network (by business unit)? | Less than 1% | 1%-4% | 5%-10% |
| 1.2 | How long, on average, does it take to remove unauthorized devices from the organization's network (by business unit)? | 60 Minutes | 1,440 Minutes (1 Day) | 10,080 Minutes (1 Week) |
| 1.3 | What is the percentage of systems on the organization's network that are not utilizing Network Level Authentication (NLA) to authenticate to the organization's network (by business unit)? | Less than 1% | 1%-4% | 5%-10% |
| 1.5 | How long does it take to detect new devices added to the organization's network (time in minutes, by business unit)? | 60 Minutes | 1,440 Minutes (1 Day) | 10,080 Minutes (1 Week) |
| 1.6 | How long does it take to isolate/remove unauthorized devices from the organization's network (time in minutes, by business unit)? | 60 Minutes | 1,440 Minutes (1 Day) | 10,080 Minutes (1 Week) |
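As an added worked example (not from the slides, and not ISACA or CIS code), the following Python reconciles DHCP server lease log lines (sub-control 1.2) against an asset inventory (1.4) and scores metric 1.1 against the risk thresholds above; the dhcpd-style log format, the inventory, the MAC addresses and the function names are all constructed assumptions.

```python
import re

# Constructed inventory: MAC -> (hostname, owner, department), the fields CSC 1.4 asks for.
INVENTORY = {
    "aa:bb:cc:00:00:01": ("fs01", "it-ops", "IT"),
    "aa:bb:cc:00:00:02": ("ws-jane", "jane", "Finance"),
    "aa:bb:cc:00:00:03": ("printer-2f", "facilities", "Finance"),
}

# Constructed ISC dhcpd-style lease lines (syslog text); the third MAC is not inventoried.
DHCP_LOG = """\
Oct 18 09:01:12 dhcp1 dhcpd: DHCPACK on 10.0.1.20 to aa:bb:cc:00:00:01 (fs01) via eth0
Oct 18 09:02:40 dhcp1 dhcpd: DHCPACK on 10.0.1.21 to aa:bb:cc:00:00:02 (ws-jane) via eth0
Oct 18 09:03:05 dhcp1 dhcpd: DHCPACK on 10.0.1.77 to de:ad:be:ef:00:01 via eth0
Oct 18 09:03:06 dhcp1 dhcpd: DHCPACK on 10.0.1.21 to aa:bb:cc:00:00:02 (ws-jane) via eth0
Oct 18 09:04:10 dhcp1 dhcpd: DHCPACK on 10.0.1.23 to aa:bb:cc:00:00:03 (printer-2f) via eth0
"""

ACK_RE = re.compile(r"DHCPACK on (\S+) to ([0-9a-fA-F:]{17})")

def active_devices(log_text):
    """Return {mac: ip} for every device that received a lease (last IP wins)."""
    seen = {}
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m:
            seen[m.group(2).lower()] = m.group(1)
    return seen

def unauthorized_devices(log_text, inventory=INVENTORY):
    """Leased MACs absent from the inventory: the unknown systems 1.2 is meant to surface."""
    return {mac: ip for mac, ip in active_devices(log_text).items() if mac not in inventory}

def metric_1_1(log_text, inventory=INVENTORY):
    """Percentage of active devices that are unauthorized, plus the slide's risk band."""
    active = active_devices(log_text)
    if not active:
        return 0.0, "Lower"   # nothing leased, nothing to report
    pct = 100.0 * len(unauthorized_devices(log_text, inventory)) / len(active)
    if pct < 1:
        band = "Lower"        # Less than 1%
    elif pct <= 4:
        band = "Moderate"     # 1%-4%
    elif pct <= 10:
        band = "Higher"       # 5%-10%
    else:
        band = "Above higher threshold"  # beyond the top band of the table
    return pct, band
```

Running this against a real dhcpd log and the organisation's inventory export gives the auditor an evidence-based figure for metric 1.1 rather than a self-reported one.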
Relationship to COBIT processes
#4 ON AUDITING CYBERSECURITY SKILLS
Should we include a skills audit?
1) Risk: lack of skilled people
2) Skills required to assess
Methodologies: NICE, CSC, e-CF, SFIA
Automation of business functions. Example: assess organisation/IS resilience to cyber threats.
CYBERSECURITY/ICT SKILLS MODELS
1. NIST NICE - United States
2. e-CF - European Union / Dutch
3. SFIA6 - UK
ADDITIONAL REASONS FOR A SKILLS AUDIT
HR: re-organization preparation. What skillsets do we need to plan for? What skillset should we hire?
CISO office: information security should be handled better. What skills are missing?
Career planning: what should I focus on for my cybersecurity career?
HOW TO RUN A SKILLS AUDIT?
Simplest: ask: what skills are missing to reach the goals?
Medium: inventory/assess existing skills via questionnaires (list competences, ask people to self-assess)
Sophisticated: run serious tests to assess
OUTPUT OF A SKILLS AUDIT
Simplest: list of skills/competences and who covers them; items without people are the missing competences
Medium: skills/competences with required levels and fulfilled levels; the gap is visible
Sophisticated: detailed report from professional skills assessors
SUMMARY
Tip #1: Clarification on the Cybersecurity Domain
Tip #2: Auditing Process and Cybersecurity
Tip #3: CIS Critical Security Controls
Tip #4: Auditing Cybersecurity Skills
& Tip #0: please enable strong authentication on your personal accounts
RELEVANT RESOURCES:
1. SFIA: https://www.sfia-online.org
2. NIST NICE: http://csrc.nist.gov/nice/
3. CIS CSC: https://www.cisecurity.org/critical-controls/
4. ISO 27032: http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=44375
5. http://www.isaca.org/knowledge-Center/Research/ResearchDeliverables/Pages/Information-Systems-Auditing-Tools-and-Techniques-Creating-Audit-Programs.aspx
Questions?
THIS TRAINING CONTENT ("CONTENT") IS PROVIDED TO YOU WITHOUT WARRANTY, AS IS AND WITH ALL FAULTS. ISACA MAKES NO REPRESENTATIONS OR WARRANTIES EXPRESS OR IMPLIED, INCLUDING THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR PERFORMANCE, AND NON-INFRINGEMENT, ALL OF WHICH ARE HEREBY EXPRESSLY DISCLAIMED. YOU ASSUME THE ENTIRE RISK FOR USE OF THE CONTENT AND ACKNOWLEDGE THAT: ISACA HAS DESIGNED THE CONTENT PRIMARILY AS AN EDUCATIONAL RESOURCE FOR IT PROFESSIONALS AND THEREFORE THE CONTENT SHOULD NOT BE DEEMED EITHER TO SET FORTH ALL APPROPRIATE PROCEDURES, TESTS, OR CONTROLS OR TO SUGGEST THAT OTHER PROCEDURES, TESTS, OR CONTROLS THAT ARE NOT INCLUDED MAY NOT BE APPROPRIATE; ISACA DOES NOT CLAIM THAT USE OF THE CONTENT WILL ASSURE A SUCCESSFUL OUTCOME AND YOU ARE RESPONSIBLE FOR APPLYING PROFESSIONAL JUDGMENT TO THE SPECIFIC CIRCUMSTANCES PRESENTED TO DETERMINING THE APPROPRIATE PROCEDURES, TESTS, OR CONTROLS.
Copyright 2016 by the Information Systems Audit and Control Association, Inc. (ISACA). All rights reserved. This webinar may not be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system, or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise).
THANK YOU FOR ATTENDING THIS WEBINAR