IT Vulnerabilities: What an IT Auditor Should be Thinking About
Evolving in a Changing Landscape, October 23-25, Hotel Nikko - SF

Agenda
1. About the Speaker
2. IT Vulnerability: The Term Defined
3. Identification
4. Prioritization
5. Inventories & Reporting
6. Remediation
7. Sustainable Controls
8. Final Words
ABOUT THE SPEAKER

Marta O'Shea, Senior Vice President & IT Audit Director, Wells Fargo Bank
- CISA & CIA
- 16 years IT Audit & Risk Management experience
- Background is primarily financial services: Charles Schwab, Visa, Wells Fargo, IBM
- 10 years IT experience in large-scale data center operations & change management
- Dual US/Australian citizen!
Wells Fargo Audit Services: Enterprise Technology Audit Group
CIO Audit Team (~66 FTEs):
- SDLC & Application Development
- Application-layer controls
- Integrated Audits
- Change initiatives
Infrastructure Audit Team (~34 FTEs):
- Data centers
- Platform Engineering (Mainframe, Midrange, Distributed)
- Infrastructure / Production Environment
Cybersecurity Audit Team (~29 FTEs):
- NIST-based model
- Cyber Defense
- Security Governance

Wells Fargo Audit Services: Other Notes
- Total Audit Division = ~1100 (IT Audit = ~130)
- Regulatory Agencies: OCC, FRB, FDIC, CFPB
IT Vulnerability: The Term Defined
Broad definition (ISACA Risk IT framework): a weakness in design, implementation, operation or internal control.
This could apply to pretty much any IT audit finding (for example, a data center visitor log not maintained, or failure to consistently execute background checks on key personnel).

IT Vulnerability: The Term Defined
For the purposes of our discussion today, we'll focus on a narrow application of the definition: weaknesses in software code, or code within hardware, that could be exploited to compromise an IT environment.
Audit Considerations:
1. Does your audit plan address this risk?
2. Do you look at it in an enterprise-wide manner, or platform-by-platform, application-by-application, etc.?
3. Could looking at this risk through an alternate lens give you greater insight into the magnitude of risk your organization is faced with?
IT Vulnerabilities: Identification
- Manual Code Reviews
- Scanning Vendor Code (Qualys)
- Scanning Internally-Developed Code (Fortify, AppScan)
- Security Assessments
- Penetration Tests
Audit Considerations:
1. Does your organization use automated scanning tools to identify vulnerabilities? If not, why not?
2. If scanning tools are used, how do you gain assurance that they are scanning the entire relevant population?

IT Vulnerabilities: Prioritization
Typical Approaches to Prioritization: assigning a numeric risk score.
- Vendor code vulnerabilities: NVD CVSS* score. Better practice is to combine this with an organization-specific asset model that considers the profile of the asset (internet-facing etc.).
- Internally-developed code vulnerabilities: OWASP** score. Also consider the risk profile of the application (internet-facing etc.).
Audit Considerations:
1. Is your IT organization's approach to assessing vulnerability prioritization appropriate, based on your company's risk profile?
* National Vulnerability Database - Common Vulnerability Scoring System
** Open Web Application Security Project
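The "better practice" above, combining the NVD CVSS base score with an organization-specific asset model, as an added example that is not part of the original deck. The asset attributes, multipliers and tier thresholds are assumptions chosen for illustration; a real model is set by the organization's own risk appetite.

```python
"""Added example (not from the slides): rank vendor-code findings by combining each
finding's NVD CVSS base score with a simple organization-specific asset model.
All weights and thresholds below are illustrative assumptions."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    internet_facing: bool
    data_classification: str  # "public", "internal", "confidential" or "regulated"
    business_critical: bool


# Illustrative multipliers for the asset's data profile (assumption).
DATA_WEIGHT = {"public": 0.6, "internal": 0.8, "confidential": 1.0, "regulated": 1.2}


def asset_factor(asset: Asset) -> float:
    """Exposure multiplier derived from the asset profile (internet-facing etc.)."""
    factor = DATA_WEIGHT[asset.data_classification]
    if asset.internet_facing:
        factor *= 1.5   # reachable by anyone on the internet
    if asset.business_critical:
        factor *= 1.25  # compromise or outage has direct business impact
    return factor


def prioritized_score(cvss_base: float, asset: Asset) -> float:
    """Scale the CVSS base score by the asset factor, clamped back to the 0-10 range."""
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError("CVSS base score must lie between 0.0 and 10.0")
    return round(min(10.0, cvss_base * asset_factor(asset)), 1)


def tier(score: float) -> str:
    """Map a prioritized score to a remediation tier (thresholds are assumptions)."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def rank_findings(findings: List[Tuple[str, float, Asset]]) -> List[Tuple[str, float, str]]:
    """findings: (finding_id, cvss_base, asset). Returns (id, score, tier), highest first."""
    scored = []
    for fid, cvss, asset in findings:
        score = prioritized_score(cvss, asset)
        scored.append((fid, score, tier(score)))
    return sorted(scored, key=lambda row: row[1], reverse=True)
```

Note that the same CVSS score lands in different tiers depending on the asset, which is the point of the asset model: the ranking, not the raw CVSS number, drives the remediation queue.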
IT Vulnerabilities: Inventories and Reporting
Scanning is great, but when you switch it on...
Some Challenges:
- Organizational scale
- Multiple platforms (mainframe, distributed, O/Ss, DBs, middleware, PCs, mobile, etc.)
- Millions of vulnerabilities? How to track? How to report?
Audit Considerations:
1. Does your organization have a plan for how they will address scanning results? Once you know about the vulnerabilities, you obviously need a plan to remediate. Has that been thought through before switching on scanning?
2. How does management ensure the integrity and usability of their scanning results database?

IT Vulnerabilities: Remediation
Typical vulnerability remediation approaches:
- Vendor code weaknesses: patches, system upgrades, configuration setting changes
- Internally-developed code weaknesses: re-coding
Challenges:
- Test, test, test for incompatibilities between elements in the stack (O/S, M/W, D/B, App)
- Outage windows: "the business won't give us a downtime window!!"
Audit Considerations:
1. How does your organization select a remediation solution? Do they defer implementation of a patch in favor of an upgrade in the future? If so, is that an appropriate risk decision?
2. Does your organization have instances where there is end-of-life software in a layer of the stack that precludes being able to patch or upgrade other elements of the stack? How should this risk be managed?
IT Vulnerabilities: Sustainable Controls
Sustainable controls: not very sexy, so why? $$$, reputation, efficiency, to name a few.
Without them the cycle is: scan, identify, fix, build new server based on old vulnerable image, scan, identify, fix, etc. Or even worse: scan, identify, fix, engineer makes a change that reintroduces the vulnerability, scan, identify, fix, etc.
Key Control Disciplines:
- Configuration baselines
- Golden images
- Drift monitoring
- Vulnerability remediation timeline standards
- End-of-Life standards
- Secure coding requirements
Audit Considerations:
1. Does your organization have a strong configuration management foundation?
2. Is your production environment locked down, with changes carefully controlled?
3. Are your asset management processes robust? (Procure, build, deploy, decommission, etc.)
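Drift monitoring against a golden-image configuration baseline, which catches the "engineer reintroduces the vulnerability" cycle above, as an added example that is not part of the original deck. The setting names, baseline values and the sample host report are constructed for illustration, and which settings count as remediations is an assumption.

```python
"""Added example (not from the slides): compare a host's reported settings against a
golden-image baseline and flag deviations that reintroduce a remediated weakness.
Setting names, values and the host report are constructed samples."""
from typing import Dict, List, NamedTuple


class Drift(NamedTuple):
    setting: str
    expected: str
    actual: str
    kind: str  # "regression" (a fixed weakness is back) or "drift" (other deviation)


# Constructed baseline: what every server built from the current golden image must report.
BASELINE: Dict[str, str] = {
    "ssh.permit_root_login": "no",
    "ssh.password_authentication": "no",
    "tls.min_version": "1.2",
    "example-lib.version": "2.4.1",   # placeholder package version, not a real release
    "ntp.enabled": "yes",
}

# Settings whose baseline value was set as a vulnerability remediation (assumption);
# drifting away from that value means a known weakness has been reintroduced.
REMEDIATED = {"ssh.permit_root_login", "ssh.password_authentication",
              "tls.min_version", "example-lib.version"}


def detect_drift(baseline: Dict[str, str], current: Dict[str, str]) -> List[Drift]:
    """Report every setting that differs, including settings missing on either side."""
    findings = []
    for key in sorted(set(baseline) | set(current)):
        expected = baseline.get(key, "<not in baseline>")
        actual = current.get(key, "<not reported>")
        if expected != actual:
            kind = "regression" if key in REMEDIATED and key in baseline else "drift"
            findings.append(Drift(key, expected, actual, kind))
    return findings


def regressions(findings: List[Drift]) -> List[str]:
    """Names of the settings whose drift reintroduced a remediated weakness."""
    return [f.setting for f in findings if f.kind == "regression"]


# Constructed report from a host where root SSH login was re-enabled, the example
# package was rolled back by a rebuild from an old image, and a service was added.
SAMPLE_HOST: Dict[str, str] = {
    "ssh.permit_root_login": "yes",
    "ssh.password_authentication": "no",
    "tls.min_version": "1.2",
    "example-lib.version": "2.3.0",
    "ntp.enabled": "yes",
    "telnet.enabled": "yes",
}
```

Regressions are the items an auditor would expect to see routed straight back into the remediation tracker with their original finding reference, rather than logged as new drift.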
IT Vulnerabilities: A Few Last Words
Influencing Senior Management: a real challenge for auditors! This is a pretty technical topic; many C-Suite leaders and Board Members don't have a comfort zone in this area, so they may not fully understand the risks.
Try this: translate your concerns into plain English and give examples of how the business can be impacted.
"This Stuff's Expensive!" It's true. Keeping software up-to-date requires continual investment if a company wants to avoid a very costly and complex environment re-engineering effort.
Try this: your fellow Enterprise Risk organization could be your friend here. Introducing some financial risk models into the discussion could demonstrate that investment now is a more sound financial proposition than unanticipated spend later.
"We'll do this next year." Kicking the can down the road because there's a hard problem to solve. It's a common problem.
Try this: highlight examples of other companies who've suffered security breaches as a result, or been unable to nimbly respond to business challenges.

THANK-YOU!!