InfoSec Risks from the Front Lines Adam Brand, Protiviti Orange County IIA Seminar


Page 1: InfoSec Risks from the Front Lines - Chapters Site County/IIA OC... · Key Areas of an Internal Audit Plan for Cybersecurity Organizations that are at high risk for cyberattack should

InfoSec Risks from the Front Lines

Adam Brand, Protiviti

Orange County IIA Seminar

Page 2

© 2014 Protiviti Inc. An Equal Opportunity Employer.

Who I Am

• Adam Brand

• IT Security Services

• Some Incident Response Experience

• Lead Breach Detection Audits

• @adamrbrand

• Who are you?

Page 3

What I Hope to Accomplish (in the next hour)

• Current Threat Landscape

• Latest Risks to Watch

• Where Internal Audit Should Focus

• Q & A

Page 4

Current External Threat Landscape

• Credit Card/PII Thieves

• Political Attackers

• Botnet Herders

• Corporate Secrets Thieves

• Ransomware Crooks

• Wire Transfer Fraudsters

Insider threats and compliance “threats” are a different presentation…

Page 5

Credit Card/PII Thieves

Page 6

Ransomware Crooks

Page 7

Wire Transfer Fraudsters

Page 8

Botnet Herders

Page 9

Political Attackers

Page 10

Corporate Secrets Thieves

Page 11

Latest Risks to Watch?

• Cloud

• Mobile

• Internet of Things

Page 12

It Depends…

Page 13

It Depends (cont)…

Page 14

What Does The Data Say?

Source: USSS/Verizon Data Breach Report, 2014

Page 15

Latest Risks to Watch

• Not Knowing Yourself

• Permissive Web Access

• Over-reliance on Tools

Page 16

Not Knowing Yourself

Easier Questions

• What does our network look like (systems, network, users)?

• Where is our sensitive data?

• What are our weaknesses?

Harder Questions

• What programs should be running on our systems?

• What type of traffic is “normal” for us?

• What user activity is normal?

What’s the Risk?

• Not knowing what you have makes it hard to know what to protect.

• Not knowing your weaknesses makes it hard to know where you will be hit.

• Not knowing what is normal makes it hard to know what is abnormal.

Page 17

Not Knowing Yourself: Controls

Basics

• Strong asset and configuration management

• Periodic data discovery (interviews + tool sweeps)

• Third-party vulnerability assessments

Stronger

• System baselining and variance monitoring

• Traffic baselining and variance monitoring

• User activity baselining and variance monitoring

“If you know the enemy and know yourself, you

need not fear the result of a hundred battles.”

- Guess Who?
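The three “stronger” controls above (system, traffic and user-activity baselining with variance monitoring) all reduce to the same mechanic: record what normal looks like, then report what deviates from it. The script below is an added example written for this transcript, not code from the deck or from Protiviti; every baseline, host name, byte count and logon record in it is constructed for illustration, and the role-to-process mapping, the 50% traffic tolerance and the per-user “normal hours” are assumptions an organisation would replace with its own observed data.

```python
"""Added example (not from the Protiviti deck): system, traffic and user-activity
baselining with variance detection over constructed inventory and log data."""
from collections import defaultdict
from datetime import datetime

# Constructed baselines: expected processes per system role, expected daily
# outbound bytes per host, and the hours each user normally logs on.
PROCESS_BASELINE = {
    "web": {"nginx", "sshd", "systemd", "cron"},
    "db": {"postgres", "sshd", "systemd", "cron"},
}
HOST_ROLE = {"web01": "web", "web02": "web", "db01": "db"}
TRAFFIC_BASELINE_BYTES = {"web01": 2_000_000, "web02": 2_000_000, "db01": 50_000}
USER_HOURS = {"jsmith": range(7, 19), "svc_backup": range(1, 4)}

# Constructed observations, i.e. what a periodic sweep of the environment returned.
OBSERVED_PROCESSES = {
    "web01": {"nginx", "sshd", "systemd", "cron"},
    "web02": {"nginx", "sshd", "systemd", "cron", "powershell"},
    "db01": {"postgres", "sshd", "systemd", "cron", "nc"},
}
OBSERVED_TRAFFIC_BYTES = {"web01": 2_100_000, "web02": 1_800_000, "db01": 900_000}
LOGON_EVENTS = [
    ("jsmith", "2016-03-01T09:15:00"),
    ("jsmith", "2016-03-01T23:40:00"),
    ("svc_backup", "2016-03-01T02:05:00"),
    ("svc_backup", "2016-03-01T14:30:00"),
]


def process_variance(observed=OBSERVED_PROCESSES):
    """Programs running on a host that are not in the baseline for its role."""
    findings = {}
    for host, procs in observed.items():
        expected = PROCESS_BASELINE[HOST_ROLE[host]]
        extra = sorted(procs - expected)
        if extra:
            findings[host] = extra
    return findings


def traffic_variance(observed=OBSERVED_TRAFFIC_BYTES, tolerance=0.5):
    """Hosts whose outbound volume exceeds baseline by more than `tolerance`
    (a fraction); returns the observed/baseline ratio for each."""
    findings = {}
    for host, bytes_out in observed.items():
        ratio = bytes_out / TRAFFIC_BASELINE_BYTES[host]
        if ratio > 1 + tolerance:
            findings[host] = round(ratio, 1)
    return findings


def user_activity_variance(events=LOGON_EVENTS):
    """Logons that fall outside each user's normal hours (unknown users: always flagged)."""
    findings = defaultdict(list)
    for user, stamp in events:
        hour = datetime.fromisoformat(stamp).hour
        if hour not in USER_HOURS.get(user, range(0)):
            findings[user].append(stamp)
    return dict(findings)


if __name__ == "__main__":
    print("process variance:", process_variance())
    print("traffic variance:", traffic_variance())
    print("user activity variance:", user_activity_variance())
```

Each function answers one of the “harder questions” from the previous slide: what should be running, what traffic is normal, and what user activity is normal. The value of the approach is entirely in the quality of the baseline, which is why the deck pairs it with strong asset and configuration management.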

Page 18

Permissive Web Access

• Not blocking Uncategorized sites (most of the Internet)

• Not restricting servers

• Not filtering https (SSL)

• Having exceptions for executive systems

What’s the Risk?

• Malware being delivered through the web.

• Attackers sending data out and remotely controlling systems.

Page 19

Permissive Web Access: Controls

• Uncategorized websites blocked for most users

• A “speed bump” for other users

• Https sites filtered

• Alternate web access options (VDI, sandboxing, tablet)

80% – The average percent of users that click “malicious” links in our social engineering engagements.

1 – The number of users an attacker needs to convince to click a link.
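The controls on this slide are a web-proxy policy, and the risks on the previous one are what happens when that policy has holes. The decision function below is an added example written for this transcript, not code from the deck or from any proxy product; the category lookup, group membership, server subnet and allowlist are constructed, and the `filter_https` switch is included so the weak setting (encrypted traffic bypasses policy) can be compared directly with the corrected one.

```python
"""Added example (not from the Protiviti deck): a proxy policy decision that
applies the slide's controls to constructed web requests."""
from dataclasses import dataclass

# Constructed category lookup; any host not listed is "uncategorized".
URL_CATEGORIES = {
    "vendor-portal.example": "business",
    "news.example": "news",
    "mail.example": "webmail",
}
# Constructed group membership. Members of "web-exception" (e.g. researchers)
# get a "speed bump" on uncategorized sites instead of a hard block. Note that
# "executive" carries no exemption: the deck lists executive exceptions as a risk.
USER_GROUPS = {
    "jsmith": {"staff"},
    "analyst1": {"staff", "web-exception"},
    "ceo": {"staff", "executive"},
}
SERVER_SUBNET_PREFIX = "10.20."          # assumed: server network
SERVER_ALLOWLIST = {"updates.example"}   # the only web destination servers may reach


@dataclass
class Request:
    user: str
    src_ip: str
    host: str
    https: bool


def decide(req: Request, filter_https: bool = True) -> str:
    """Return 'allow', 'block' or 'speedbump' for one request."""
    if req.https and not filter_https:
        # Weak setting: with no HTTPS filtering the proxy cannot apply any of
        # the rules below to encrypted traffic, so it all passes.
        return "allow"
    # Servers have no business browsing; only an explicit allowlist is reachable.
    if req.src_ip.startswith(SERVER_SUBNET_PREFIX):
        return "allow" if req.host in SERVER_ALLOWLIST else "block"
    category = URL_CATEGORIES.get(req.host, "uncategorized")
    groups = USER_GROUPS.get(req.user, set())
    if category == "uncategorized":
        return "speedbump" if "web-exception" in groups else "block"
    return "allow"


if __name__ == "__main__":
    r = Request("jsmith", "10.50.1.5", "unknown-site.example", https=True)
    print("filtered:", decide(r), "| unfiltered:", decide(r, filter_https=False))
```

The “speed bump” is a warning page the user must click through; it keeps the exception narrow and leaves an audit record, which is what distinguishes it from the blanket exceptions the previous slide warns about.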

Page 20

Over-reliance on Tools

• Assuming security tools are properly configured

• Overconfidence in anti-virus, any security tool

• Believing the tool will run itself – perhaps it is self-aware?

What’s the Risk?

• Assuming you’re protected by a tool when you’re not.

• Not effectively using the tool due to manpower issues.

Page 21

Over-reliance on Tools: Controls

• Realistically estimating maintenance when considering a new tool

• Investing in security staff training to improve effectiveness

• Periodic “health checks” to validate tool configuration

Skynet isn’t self aware yet!
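A periodic “health check” of the kind the slide recommends is mostly a reconciliation: the tool’s own telemetry against the asset inventory, with thresholds for what counts as healthy. The script below is an added example written for this transcript, not code from the deck or from any endpoint product; the inventory, agent status export, two-day check-in threshold and three-day signature threshold are all constructed assumptions.

```python
"""Added example (not from the Protiviti deck): a tool health check that
reconciles an endpoint agent's status export with the asset inventory."""
from datetime import datetime, timedelta

NOW = datetime(2016, 3, 1, 12, 0)          # constructed "time of the check"
MAX_CHECKIN_AGE = timedelta(days=2)        # assumed threshold
MAX_SIGNATURE_AGE = timedelta(days=3)      # assumed threshold

# Constructed asset inventory from configuration management.
INVENTORY = {"web01", "web02", "db01", "hr-laptop-07"}

# Constructed status export from the security tool's console.
AGENT_STATUS = {
    "web01": {"last_checkin": NOW - timedelta(hours=1),
              "signatures": NOW - timedelta(days=1), "realtime": True},
    "web02": {"last_checkin": NOW - timedelta(days=5),
              "signatures": NOW - timedelta(days=5), "realtime": True},
    "db01": {"last_checkin": NOW - timedelta(hours=3),
             "signatures": NOW - timedelta(days=1), "realtime": False},
}


def health_check(inventory=INVENTORY, status=AGENT_STATUS, now=NOW):
    """Return (host, problem) pairs; a host may appear more than once."""
    findings = []
    for host in sorted(inventory):
        s = status.get(host)
        if s is None:
            # The tool has never heard of this asset: the inventory and the
            # console disagree, which is exactly the blind spot the slide describes.
            findings.append((host, "no agent installed"))
            continue
        if now - s["last_checkin"] > MAX_CHECKIN_AGE:
            findings.append((host, "agent not reporting"))
        if now - s["signatures"] > MAX_SIGNATURE_AGE:
            findings.append((host, "signatures stale"))
        if not s["realtime"]:
            findings.append((host, "real-time protection disabled"))
    return findings


def coverage_percent(inventory=INVENTORY, status=AGENT_STATUS, now=NOW):
    """Share of inventoried assets with a fully healthy agent."""
    unhealthy = {host for host, _ in health_check(inventory, status, now)}
    return round(100 * (len(inventory) - len(unhealthy)) / len(inventory))


if __name__ == "__main__":
    for host, problem in health_check():
        print(f"{host}: {problem}")
    print(f"healthy coverage: {coverage_percent()}%")
```

The coverage figure is the number to put in front of management: a console that reports “100% protected” is only counting the hosts it knows about, and the inventory is what turns that into a real percentage.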

Page 22

Where Internal Audit Should Focus

Page 23

Is Increased Attention from IA Needed?

Page 24

Increased Risk Environment

The frequency of attacks and breaches has been increasing over the past five years. High-profile attacks such as those at Sony, Anthem, and Ashley Madison are just some of the thousands of breaches that actually occur each year.

Source: Verizon Data Breach Investigation Report, 2014.

Page 25

Heightened Regulatory Scrutiny

Financial Services

• In 2014, the FFIEC audited 500 banks specifically on cybersecurity.

• New York’s Department of Financial Services announced increased focus on cybersecurity in its audits.

Healthcare

• OCR has increased its cybersecurity focus and promised increased enforcement activity.

• After Anthem, the Senate has said it will lead a bipartisan review of healthcare information security law.

Other Industries

• PCI compliance has become much more difficult under the new 3.0 standard (Jan 1).

• The FTC has been increasingly active with cybersecurity-related investigations and fines.

As a result of the very public data breaches, regulators are taking a closer look at cybersecurity across all industries. Even industry regulations such as the PCI Data Security Standard are becoming increasingly difficult to adhere to.

Page 26

Boards of Directors Attention

Boards of Directors are increasingly inquiring about cybersecurity as they see news of breaches, hear about increased regulatory scrutiny, and grow more concerned about cybersecurity risks.

Source: NACD Cyber-Risk Oversight Handbook.

NACD Guidance

The National Association of Corporate Directors (NACD) recently released guidance encouraging the full Board (not just the audit committee) to receive regular briefings on information security and provided five principles for Board involvement.

Page 27

What a Cybersecurity Audit Plan Should Look Like

Page 28

A Penetration Test is Not Enough

Internal Audit plans frequently include a penetration test, and only a penetration test, as a cybersecurity-related audit. The increased risk environment necessitates that Internal Audit look beyond penetration tests and increase the number of cybersecurity audits.

Limits of Penetration Testing

A penetration test does not always provide an accurate or comprehensive assessment of cybersecurity risk. The goal of a penetration test is to simulate a single attack, not to uncover all possible attack scenarios. It is also usually very time-constrained, lasting weeks instead of the months that actual attackers have.

NIST Cybersecurity Framework Core (Function Unique Identifier / Function / Category Unique Identifier / Category)

ID  Identify
    ID.AM  Asset Management
    ID.BE  Business Environment
    ID.GV  Governance
    ID.RA  Risk Assessment
    ID.RM  Risk Management Strategy

PR  Protect
    PR.AC  Access Control
    PR.AT  Awareness & Training
    PR.DS  Data Security
    PR.IP  Information Protection Processes & Procedures
    PR.MA  Maintenance
    PR.PT  Protective Technology

DE  Detect
    DE.AE  Anomalies & Events
    DE.CM  Security Continuous Monitoring
    DE.DP  Detection Processes

RS  Respond
    RS.RP  Response Planning
    RS.CO  Communications
    RS.AN  Analysis
    RS.MI  Mitigation
    RS.IM  Improvements

RC  Recover
    RC.RP  Recovery Planning
    RC.IM  Improvements
    RC.CO  Communications

Internal Audit departments need to rebalance their plans to cover more cybersecurity areas.

Page 29

Key Areas of an Internal Audit Plan for Cybersecurity

Organizations that are at high risk for cyberattack should consider an annual Breach Detection Audit as a point-in-time view on indicators of breach in the environment.

An Internal Audit plan for cybersecurity should be based on the organization’s risk profile and the external threat landscape. A balanced plan might include:

Technology Security Topic (e.g., SQL Server)

Compliance Topic (e.g., PCI, Privacy)

Internal and External Penetration Testing

Operational Security Topic (e.g., Security Monitoring)

Page 30

Hot Audit Areas for 2016

Page 31

Breach Detection Audit

Can be completed in 250 to 500 hours, depending on components included.

Key Questions

• Are there signs that the organization is currently breached or has been in the recent past?

• How effective are in-place security monitoring tools and processes?

• Have potential breaches been sufficiently investigated?

Fieldwork Activities

• Forensic review of key indicators of a targeted attack (logs, network activity, systems).

• Evaluation of breach detection capabilities and processes.

• Review of previous potential breach incidents and organizational follow up.

Value Provided to Management

• Management will appreciate the timeliness and relevance.

• Proven action steps that Management can take to improve its ability to detect breaches.

• Communication to stakeholders of key controls Management has invested in.

Organizations are not very good at self-detecting breaches; IA can help identify gaps.

Page 32

Third Party Access Audit

Key Questions

• Could a breach of a third party result in a breach of our organization?

• Are vendor, contractor, and other third party accounts sufficiently restricted?

• Would we know if a vendor account was being used improperly?

Fieldwork Activities

• Review of policies and procedures for third parties.

• Review of a sample of third party accounts for appropriate access.

• Attempting privilege escalation from an example third party account.

Value Provided to Management

• Topical given Target initial intrusion method.

• Factual arguments to support limiting vendor access further.

• Comforting stakeholders on a key area of risk (provided appropriate controls are in place).

Can be completed in 150 to 250 hours, depending on components included.

IA can help Management limit risk associated with a hacked third party (e.g., HVAC).
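Two of the key questions on this slide (are third-party accounts sufficiently restricted, and would we know if one were used improperly) can be answered with a repeatable review of account attributes and logon records. The script below is an added example written for this transcript, not code from the deck or from Protiviti’s audit programme; the directory export, logon events, privileged-group list, 90-day dormancy threshold and the per-vendor host scope and maintenance window are all constructed assumptions.

```python
"""Added example (not from the Protiviti deck): third-party account review
over a constructed directory export and constructed logon records."""
from datetime import datetime, timedelta

NOW = datetime(2016, 3, 1, 12, 0)                      # constructed review date
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}
DORMANT_AFTER = timedelta(days=90)                     # assumed threshold

# Constructed directory export: one record per vendor/contractor account.
# allowed_hosts and allowed_hours come from the vendor's contract (assumed).
ACCOUNTS = {
    "v-hvacco": {
        "expires": datetime(2016, 6, 30),
        "groups": {"Vendors", "BMS-Portal"},
        "mfa": True,
        "allowed_hosts": {"bms01"},
        "allowed_hours": range(8, 18),
        "last_logon": datetime(2016, 2, 28, 10, 12),
    },
    "v-oldsupport": {
        "expires": None,
        "groups": {"Vendors", "Domain Admins"},
        "mfa": False,
        "allowed_hosts": {"erp01"},
        "allowed_hours": range(8, 18),
        "last_logon": datetime(2015, 9, 1, 9, 0),
    },
}
# Constructed logon records: (account, host, timestamp).
LOGONS = [
    ("v-hvacco", "bms01", "2016-02-28T10:12:00"),
    ("v-hvacco", "fileserver02", "2016-02-28T23:50:00"),
    ("v-oldsupport", "erp01", "2015-09-01T09:00:00"),
]


def account_findings(accounts=ACCOUNTS, now=NOW):
    """Restriction review: which accounts fail which basic controls."""
    findings = {}
    for name, a in accounts.items():
        issues = []
        if a["expires"] is None:
            issues.append("no expiry date")
        elif a["expires"] < now:
            issues.append("expired but still present")
        if a["groups"] & PRIVILEGED_GROUPS:
            issues.append("member of privileged group")
        if not a["mfa"]:
            issues.append("no MFA")
        if now - a["last_logon"] > DORMANT_AFTER:
            issues.append("dormant")
        if issues:
            findings[name] = issues
    return findings


def improper_use(logons=LOGONS, accounts=ACCOUNTS):
    """Activity review: logons outside the vendor's agreed hosts or hours."""
    flagged = []
    for name, host, stamp in logons:
        a = accounts[name]
        reasons = []
        if host not in a["allowed_hosts"]:
            reasons.append("host outside vendor scope")
        if datetime.fromisoformat(stamp).hour not in a["allowed_hours"]:
            reasons.append("outside maintenance window")
        if reasons:
            flagged.append((name, host, stamp, reasons))
    return flagged


if __name__ == "__main__":
    print("restriction findings:", account_findings())
    print("improper use:", improper_use())
```

The second function only works if someone has written down, per vendor, which systems and hours are legitimate; if that scope does not exist, the honest answer to “would we know?” is no, and that is itself a finding.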

Page 33

NIST Cybersecurity Framework (CSF) Audit

Can be completed in 250 to 350 hours, depending on organization size and scope of testing.

Key Questions

• Do we have sufficient cybersecurity control coverage as described in the NIST CSF?

• How mature is our control environment related to the NIST CSF categories?

Fieldwork Activities

• Interviews and review of documents related to the NIST CSF controls.

• Testing a risk-based sample of controls for effectiveness.

• Reviewing control maturity and efficiency.

Value Provided to Management

• Directly responsive to Board interest in NIST CSF.

• Third-party validation of successful control implementation.

IA can help Management validate its NIST CSF implementation or alignment.

Page 34

Other Hot Topic Areas

Include someone from the information security team in brainstorming sessions when determining audit topic areas for the upcoming year.

Depending on the organization’s industry and maturity, there are a number of other areas that could demonstrate Internal Audit’s awareness of new cybersecurity risks:

Potentially Embarrassing Information (PEI) Security

Data Exfiltration Monitoring

Destructive Malware Resilience

Medical Device Security

Page 35

Key Takeaways

• Threat agents are growing in number, type, and intensity.

• The risks you hear the most about may not be the right ones to focus on (does your organization have the basics?).

• Internal Audit should increase its focus on cybersecurity and may need to rebalance its audit plan to cover a wider variety of areas.

Page 36

Closing Thought: Internal Audit’s Evolving Role In Security

The increased attention on Information Security will continue for the foreseeable future. It is critical that Internal Auditors continue to educate themselves on the risks and focus audits in security-related areas. The help is needed!

Page 37

Q & A

Questions?

Adam Brand

@adamrbrand

[email protected]

That time already?
