
17597 - UAE Internal Auditors Association / IIA Global

TECH TENSION

SMART AND SAFE DIGITAL

18 April 2019

Karim Sabbagh, CEO

TECH TENSION – ABSTRACT

Fascinating period for benefiting from the uber rise of digitization

Intriguing time to observe the acceleration of risk in cyberspace

The two dynamics are, in fact, intertwined


TECH TENSION – CONFRONTING AUDIT & RISK MANAGEMENT

Audited institutions are increasingly digitized along with their ways-of-working

Audit functions and practices are increasingly digitized

Technology audit is emerging as a central capability in digitized organizations

Audit & Risk Management, now intertwined, are jointly confronting tech tension dynamic

TECH TENSION – GENERAL PREVALENCE OF CYBER RISKS

Top five global risks by likelihood, 2015-2019 (cyber-related entries marked with *):

2015: 1st Interstate conflict with regional consequences; 2nd Extreme weather events; 3rd Failure of national governance; 4th State collapse or crisis; 5th High structural unemployment or underemployment

2016: 1st Large-scale involuntary migration; 2nd Extreme weather events; 3rd Failure of climate-change mitigation and adaptation; 4th Interstate conflict with regional consequences; 5th Major natural catastrophes

2017: 1st Extreme weather events; 2nd Large-scale involuntary migration; 3rd Major natural disasters; 4th Large-scale terrorist attacks; 5th Massive incident of data fraud/theft *

2018: 1st Extreme weather events; 2nd Natural disasters; 3rd Cyber-attacks *; 4th Data fraud or theft *; 5th Failure of climate-change mitigation and adaptation

2019: 1st Extreme weather events; 2nd Failure of climate-change mitigation and adaptation; 3rd Natural disasters; 4th Data fraud or theft *; 5th Cyber-attacks *

Source: World Economic Forum "The Global Risks Report 2019"

TECH TENSION – SPECIFIC PREVALENCE OF CYBER RISKS

IT internal audit hot topics in financial services, ranked by year:

2015: 1st Cyber Security; 2nd Disaster Recovery & Resilience; 3rd Large-scale Change; 4th Enterprise Technology Architecture; 5th Third-party Management

2016: 1st Cyber Security; 2nd Strategic Change; 3rd Third-party Management; 4th IT Disaster Recovery & Resilience; 5th Data Management and Data Governance

2017: 1st Cyber Security; 2nd Strategic Change; 3rd Data Management and Data Governance; 4th Third-party Management; 5th IT Disaster Recovery & Resilience

2018: 1st Cyber Security; 2nd Strategic Change; 3rd Data Management and Data Governance; 4th IT Disaster Recovery & Resilience; 5th Information Security / Identity & Access Management

2019: 1st Cyber Security; 2nd Technology Transformation and Change; 3rd Data Protection and Governance; 4th Technology Resilience; 5th Extended Enterprise Risk Management

Cyber Security has ranked first in every one of the five years.

Source: Deloitte "IT Internal Audit Hot Topics in Financial Services 2015-2019"


DIGITIZATION 1.0 – EVOLUTIONARY TALE

Digitize a work-step

Digitize a process

Digitize the business model

Digitize the enterprise

Digitize the ecosystem


DIGITIZATION 1.0 – DIGITAL CHAMPIONS TAKE ALL

Digitally enabled new products and services

Digitally enabled go-to-market and personalization

Digitally enabled future-proof technologies

DIGITIZATION 2.0 – ANALYTICS & AUTOMATION

Trillion-dollar opportunity for the industrial sector

Covers innovation, production and delivery, selling, servicing, and running the corporation

Digital champions are first out of the starting gate, reinforcing the winner-takes-all pattern


AUDIT 2.0 – DIGITIZING AUDIT

Enhancing audit management through new GRC solutions

Leveraging analytics to industrialize continuous audit

Implementing continuous risk assessments

Increasing productivity through knowledge management 2.0


AUDIT 2.0 (bis) – AUDITING DIGITIZATION

Enhancing evaluation of digital operational technologies

Enhancing evaluation of digital security technologies

Improving company practices to guard organization’s information

Assuring company practices in disseminating information to authorized parties


AUDIT 3.0 – AUDIT IN THE AGE OF AI

AI as transformational enabler of operational and cost efficiencies, business model, customer engagement

AI as disruptive technology to established risk management frameworks and regulations

AI's ability to learn and reach decisions through algorithmic layers poses a challenge to auditability and traceability

CYBERCRIME – COSTLY ENCOUNTERS

$8 trillion as the cost of cybercrime to businesses over the next five years

Irreparable reputational damage is on the rise

Escalating regulations are increasingly penalizing failures to tackle cybercrime


CYBERCRIME – GENERATING HEADLINES


TECH TENSION – UAE PERSPECTIVE

Threat landscape is becoming increasingly complex and hyper connected

UAE has significant wealth and excels in digitization and innovation, making it an attractive target for advanced threat actors

Organizations must actively manage cybersecurity threats and risks so that they can realize the full potential of digitization

Source: DarkMatter analysis

ATTACK SURFACE – TELCOS EXPANDING THREATS

Source: DarkMatter analysis

More and more data and services are reachable through the Internet

A multitude of new, complex IT systems coexist with legacy ones

Multiplication of equipment: femtocells, Wi-Fi routers, set-top boxes, IoT devices, …

Attack vectors: physical site access; phishing; rogue access point; targeted malware; social engineering; mobile device exploitation; social networking; physical access to corporate assets; vulnerability exploitation

UAE-RELATED WEBSITES – SIGNIFICANT VULNERABILITIES

136,000 UAE websites surveyed

35% were hosted outside the UAE

791,162 UAE public hosts

276,055 vulnerabilities identified

39% ranked high/critical severity

Source: DarkMatter analysis

REGIONAL INFRACO-SERVCO – COMPARABLE DIAGNOSTIC

Source: DarkMatter analysis

39 entities analyzed

1,057 domains from HQ and subsidiaries reviewed

4,545 vulnerabilities identified

421 high and critical vulnerabilities not patched for more than 2 years

[Chart: Vulnerabilities by Severity and Age. Severity: Low / Medium / High / Critical. Age bands: < 3 months, 3-12 months, 1-2 years, > 2 years.]
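The severity-by-age matrix above is the view an auditor builds from a scanner export to find what has been left unpatched. The following Python is an added example, not DarkMatter's code and not taken from the slides: it maps CVSS v3 base scores to the four severity bands, assigns each finding an age band relative to a reporting date, renders the matrix and totals the high/critical findings open for more than two years. The CSV rows and column names (asset, cvss, first_seen) are constructed for the example and do not follow any particular scanner's schema.

```python
"""Bucket open findings by severity and age from a scanner export (CSV)."""
import csv
import io
from datetime import date

SEVERITIES = ("Low", "Medium", "High", "Critical")
AGE_BANDS = ("< 3 months", "3-12 months", "1-2 years", "> 2 years")
REPORT_DATE = date(2019, 4, 18)  # reporting date used for the worked example

# Constructed sample export; the column names are an assumption, not a real scanner's schema.
SAMPLE_CSV = """asset,cvss,first_seen
web01.example.test,9.8,2016-11-02
web01.example.test,7.5,2017-01-15
mail.example.test,8.1,2018-09-01
vpn.example.test,5.3,2019-03-20
dns.example.test,3.1,2018-01-10
api.example.test,9.1,2019-02-01
crm.example.test,6.5,2016-05-05
db.example.test,7.2,2018-03-03
"""


def severity_from_cvss(score: float) -> str:
    """CVSS v3.x qualitative rating: 0.1-3.9 Low, 4.0-6.9 Medium, 7.0-8.9 High, 9.0-10.0 Critical.
    A score of 0.0 (rated None by CVSS) is folded into Low so every row lands in the matrix."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def age_band(first_seen: date, as_of: date) -> str:
    """Age band of a finding, measured from first observation to the reporting date."""
    days = (as_of - first_seen).days
    if days < 0:
        raise ValueError(f"first_seen {first_seen} is after the reporting date {as_of}")
    if days < 90:
        return AGE_BANDS[0]
    if days < 365:
        return AGE_BANDS[1]
    if days < 730:
        return AGE_BANDS[2]
    return AGE_BANDS[3]


def build_matrix(csv_text: str, as_of: date) -> dict:
    """Return {severity: {age band: count}} covering every row of the export."""
    matrix = {sev: {band: 0 for band in AGE_BANDS} for sev in SEVERITIES}
    for row in csv.DictReader(io.StringIO(csv_text)):
        sev = severity_from_cvss(float(row["cvss"]))
        band = age_band(date.fromisoformat(row["first_seen"]), as_of)
        matrix[sev][band] += 1
    return matrix


def stale_high_critical(matrix: dict) -> int:
    """High and Critical findings that have stayed open for more than two years."""
    return matrix["High"]["> 2 years"] + matrix["Critical"]["> 2 years"]


def render(matrix: dict) -> str:
    """Plain-text table in the same layout as the slide's chart."""
    lines = ["Severity".ljust(10) + "".join(b.rjust(13) for b in AGE_BANDS)]
    for sev in SEVERITIES:
        lines.append(sev.ljust(10) + "".join(str(matrix[sev][b]).rjust(13) for b in AGE_BANDS))
    return "\n".join(lines)


if __name__ == "__main__":
    m = build_matrix(SAMPLE_CSV, REPORT_DATE)
    print(render(m))
    print("High/Critical open > 2 years:", stale_high_critical(m))
```

The band boundaries (90, 365 and 730 days) follow the chart's labels; a finding dated after the reporting date is rejected rather than silently counted as new, since that usually signals a clock or export problem worth raising with the scanner owner.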

SECURITY OPERATIONS CENTERS – INSIGHTS

Our Security Operations Centers investigated numerous incidents

They have been categorized into 6 types and their severity ranked on aeCERT's severity scale

Source: DarkMatter analysis


TECHNICAL ASSESSMENTS – INSIGHTS

Several vulnerabilities and configuration flaws were also identified during technical assessments

Outdated and unsupported software are the most common vulnerabilities

Source: DarkMatter analysis

TOP SECURITY WEAKNESSES – ROOT CAUSES

Patch Management and Outdated Technology have the most significant impact

Insecure Deployment and Configuration Management are contributing factors

Top weaknesses by occurrence (share of technical assessments in which each was found):

Outdated Software ............................ 93%
Unsupported Software ......................... 83%
Default / Weak Credentials ................... 77%
SNMP Default Community Strings ............... 70%
Unencrypted Protocols in Use ................. 57%
Insufficient Network Segregation ............. 53%
NetBIOS over TCP and LLMNR Enabled ........... 53%
SMB Signing Disabled ......................... 50%

Root-cause categories: Outdated Technology, Patch Management, Insecure Deployment, Configuration Management

Source: DarkMatter analysis
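The "SMB Signing Disabled" finding above is what a network assessment reports when the server's SMB2 NEGOTIATE response carries SIGNING_ENABLED but not SIGNING_REQUIRED in its SecurityMode field: a client can then be relayed to that host over NTLM, which is why it sits next to LLMNR/NetBIOS in the list. The following Python is an added example, not DarkMatter's tooling and not from the slides. It builds a minimal SMB2 NEGOTIATE request, parses the server's response and classifies the signing posture the way a scanner would. The server reply used offline is constructed by build_negotiate_response(); probe(), the default host name and TCP/445 are assumptions for live use against a host you are authorized to assess.

```python
"""Check whether an SMB server requires message signing via an SMB2 NEGOTIATE exchange."""
import socket
import struct
import sys
import uuid

SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000
SMB2_HEADER_LEN = 64
SIGNING_ENABLED = 0x0001   # SMB2_NEGOTIATE_SIGNING_ENABLED
SIGNING_REQUIRED = 0x0002  # SMB2_NEGOTIATE_SIGNING_REQUIRED
DIALECTS = (0x0202, 0x0210, 0x0300, 0x0302)  # SMB 2.0.2, 2.1, 3.0, 3.0.2


def _smb2_header(command: int, flags: int = 0) -> bytes:
    # ProtocolId, StructureSize, CreditCharge, Status, Command, Credits, Flags,
    # NextCommand, MessageId, Reserved, TreeId, SessionId, Signature
    return struct.pack("<4sHHIHHIIQIIQ16s", SMB2_MAGIC, SMB2_HEADER_LEN, 0, 0,
                       command, 1, flags, 0, 0, 0, 0, 0, b"\x00" * 16)


def build_negotiate_request() -> bytes:
    """NetBIOS-framed SMB2 NEGOTIATE request offering SMB 2.0.2 to 3.0.2."""
    # StructureSize (36), DialectCount, SecurityMode, Reserved, Capabilities,
    # ClientGuid, ClientStartTime, followed by the dialect list
    body = struct.pack("<HHHHI16sQ", 36, len(DIALECTS), SIGNING_ENABLED, 0, 0,
                       uuid.uuid4().bytes, 0)
    body += b"".join(struct.pack("<H", d) for d in DIALECTS)
    msg = _smb2_header(SMB2_NEGOTIATE) + body
    return struct.pack(">I", len(msg)) + msg  # 4-byte NetBIOS session service header


def parse_negotiate_response(msg: bytes) -> dict:
    """Extract dialect and SecurityMode from an SMB2 NEGOTIATE response (NetBIOS header stripped)."""
    if len(msg) < SMB2_HEADER_LEN + 64 or msg[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 NEGOTIATE response")
    status, command = struct.unpack_from("<IH", msg, 8)
    if command != SMB2_NEGOTIATE or status != 0:
        raise ValueError(f"unexpected command 0x{command:04x} / status 0x{status:08x}")
    struct_size, security_mode, dialect = struct.unpack_from("<HHH", msg, SMB2_HEADER_LEN)
    if struct_size != 65:
        raise ValueError(f"bad NEGOTIATE response StructureSize {struct_size}")
    return {
        "dialect": dialect,
        "signing_enabled": bool(security_mode & SIGNING_ENABLED),
        "signing_required": bool(security_mode & SIGNING_REQUIRED),
    }


def finding(result: dict) -> str:
    """Classify the signing posture the way a vulnerability scanner reports it."""
    if result["signing_required"]:
        return "OK: SMB signing required"
    if result["signing_enabled"]:
        return "WEAK: SMB signing enabled but not required (NTLM relay to this host is possible)"
    return "WEAK: SMB signing disabled"


def build_negotiate_response(security_mode: int, dialect: int = 0x0302) -> bytes:
    """Constructed server reply for offline testing; not a capture from a real host."""
    # StructureSize (65), SecurityMode, DialectRevision, NegotiateContextCount, ServerGuid,
    # Capabilities, MaxTransactSize, MaxReadSize, MaxWriteSize, SystemTime, ServerStartTime,
    # SecurityBufferOffset, SecurityBufferLength, NegotiateContextOffset
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, security_mode, dialect, 0, b"\x00" * 16,
                       0, 0x800000, 0x800000, 0x800000, 0, 0, 128, 0, 0)
    return _smb2_header(SMB2_NEGOTIATE, flags=0x00000001) + body  # SMB2_FLAGS_SERVER_TO_REDIR


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def probe(host: str, port: int = 445, timeout: float = 5.0) -> dict:
    """Live check against a host you are authorized to assess (assumes TCP/445 is reachable)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_negotiate_request())
        length = struct.unpack(">I", _recv_exact(s, 4))[0] & 0x00FFFFFF
        return parse_negotiate_response(_recv_exact(s, length))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "fileserver.example.test"  # assumed host name
    print(finding(probe(target)))
```

Every SMB2 server sets SIGNING_ENABLED, so the bit that matters for the finding is SIGNING_REQUIRED; a response without it is the condition scanners label "SMB signing not required" or "disabled". The parser refuses anything that is not a successful NEGOTIATE response rather than guessing at field offsets, which matters when an SMB1-only or filtered host answers with something else.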


TOP WEAKNESSES – VULNERABILITIES AND EXPOSURES

Information leaks represented 40% of the vulnerabilities and exposures attributable to Outdated Software, the most common weakness

Data handling and input validation issues also ranked high for that weakness

Source: DarkMatter analysis

TESTING EQUIPMENT – INSIGHTS

Source: DarkMatter analysis

xen1thLabs has tested utility-related devices available to subscribers in the region

With 35 critical vulnerabilities found, attackers could potentially execute code to:
• Get free access to services
• Access subscribers' information
• Organize DDoS attacks
• Disable devices remotely

System security testing: software security testing; hardware security testing; telecommunications and mobile security testing

Cryptographic services: cryptographic protocols validation; cryptographic implementation testing; in-depth cryptanalysis services; side-channel analysis

EXPOSING VULNERABILITIES – EXAMPLES OF IMPACT

Source: DarkMatter analysis

Equipment | Vulnerability | Mitigation / Fix

Cisco IP Phones | Attackers could remotely execute code on vulnerable Cisco IP Phones; successful attacks could listen to calls or disrupt the service | Cisco patched the vulnerability in March 2019

Samsung devices | A vulnerability in the Wi-Fi driver could allow an attacker to remotely crash connected Samsung devices through the Wi-Fi interface | Samsung patched the vulnerability in March 2019

pgPool | PostgreSQL is the default database on macOS Server but also runs on Windows and Linux; attackers could remotely bypass the authentication process and get unauthorized access to users and data | pgPool patched the vulnerability in December 2018

CYBER RESILIENCE – ITERATIVE FRAMEWORK (1/2)

Source: DarkMatter analysis

DM (DarkMatter) assessments evaluate an organization's cybersecurity posture, measure its maturity and provide recommendations aligned to the management and technical controls in the UAE Information Assurance (IA) Standards

Types of assessment:

1. Controls assessment

2. Compromise assessment

3. Vulnerability assessment and penetration testing

(Sample from the UAE IA Standard)

CYBER RESILIENCE – ITERATIVE FRAMEWORK (2/2)

Source: DarkMatter analysis

Level 1: Create the strategy. Define the security strategy and roadmap aligned to the organization's strategic objectives, priorities and initiatives. Maintain oversight via an effective governance program. Dynamically adjust for evolving L2 and L3 requirements.

Level 2: Define the operating model. Support the strategy with a detailed operating model covering both the technology (security architecture) and the people (organizational design).

Level 3: Execute the strategy. Codify and operationalize the various initiatives and implement controls aligned to the organization's strategy, roadmap and operating model.

Domains: Human Capital; Technology Architecture; Access Control; Security Strategy; Risk Mgmt.; Security Operations; Comm. Security; Disaster Recovery

TECH TENSION – RECAP

The increasing prevalence of digitization is outpaced by a faster rise in the incidence of cybersecurity risks

Growing digital empowerment at the individual level is translating into a stronger expansion of the threat and attack surface

Advancing digital adoption lacks the required capability for detecting and predicting cyber attacks

Expanding digital knowledge is numbing our situational awareness vis-à-vis cyber risks

Digitization that disrupts legacy models is, in too many cases, missing the business continuity pillar

Source: DarkMatter analysis

OUR MISSION

ENABLE BUSINESSES AND GOVERNMENTS TO BECOME SMART, SAFE, AND CYBER RESILIENT

Provide

Protect

Nurture


OUR PRACTICES

WE ARE SMART AND SAFE DIGITAL