TECH TENSION
SMART AND SAFE DIGITAL
18 April 2019 – Karim Sabbagh, CEO
TECH TENSION – ABSTRACT
Fascinating period for benefiting from the uber-rise of digitization
Intriguing time to observe the acceleration of risk in cyberspace
The two dynamics are, in fact, intertwined
TECH TENSION – CONFRONTING AUDIT & RISK MANAGEMENT
Audited institutions are increasingly digitized along with their ways-of-working
Audit functions and practices are increasingly digitized
Technology Audit is emerging as central capability in digitized organizations
Audit & Risk Management, now intertwined, are jointly confronting tech tension dynamic
TECH TENSION – GENERAL PREVALENCE OF CYBER RISKS
Top five global risks by likelihood, 2015-2019:
2015: 1st Interstate conflict with regional consequences; 2nd Extreme weather events; 3rd Failure of national governance; 4th State collapse or crisis; 5th High structural unemployment or underemployment
2016: 1st Large-scale involuntary migration; 2nd Extreme weather events; 3rd Failure of climate-change mitigation and adaptation; 4th Interstate conflict with regional consequences; 5th Major natural catastrophes
2017: 1st Extreme weather events; 2nd Large-scale involuntary migration; 3rd Major natural disasters; 4th Large-scale terrorist attacks; 5th Massive incident of data fraud/theft
2018: 1st Extreme weather events; 2nd Natural disasters; 3rd Cyber-attacks; 4th Data fraud or theft; 5th Failure of climate-change mitigation and adaptation
2019: 1st Extreme weather events; 2nd Failure of climate-change mitigation and adaptation; 3rd Natural disasters; 4th Data fraud or theft; 5th Cyber-attacks
Cyber-related risks (data fraud or theft, cyber-attacks) entered the top five in 2017 and have held two of the five places since 2018.
Source: World Economic Forum “The Global Risks Report 2019”
TECH TENSION – SPECIFIC PREVALENCE OF CYBER RISKS
Top five IT internal audit hot topics in financial services, 2015-2019:
2015: 1st Cyber Security; 2nd Disaster Recovery & Resilience; 3rd Large Scale Change; 4th Enterprise Technology Architecture; 5th Third-party Management
2016: 1st Cyber Security; 2nd Strategic Change; 3rd Third-party Management; 4th IT Disaster Recovery & Resilience; 5th Data Management and Data Governance
2017: 1st Cyber Security; 2nd Strategic Change; 3rd Data Management and Data Governance; 4th Third-party Management; 5th IT Disaster Recovery & Resilience
2018: 1st Cyber Security; 2nd Strategic Change; 3rd Data Management and Data Governance; 4th IT Disaster Recovery & Resilience; 5th Information Security / Identity & Access Management
2019: 1st Cyber Security; 2nd Technology Transformation and Change; 3rd Data Protection and Governance; 4th Technology Resilience; 5th Extended Enterprise Risk Management
Source: Deloitte “IT Internal Audit Hot Topics in Financial Services 2015‐2019”
DIGITIZATION 1.0 – EVOLUTIONARY TALE
Digitize a work-step
Digitize a process
Digitize the business model
Digitize the enterprise
Digitize the ecosystem
DIGITIZATION 1.0 – DIGITAL CHAMPIONS TAKE ALL
Digitally enabled new products and services
Digitally enabled go-to-market and personalization
Digitally enabled future-proof technologies
DIGITIZATION 2.0 – ANALYTICS & AUTOMATIONS
Trillion-dollar opportunity for the industrial sector
Covers innovation, production and delivery, selling, servicing, and running the corporation
Digital champions are first out of the starting gate – winners-take-all pattern reinforced
AUDIT 2.0 – DIGITIZING AUDIT
Enhancing audit management through new GRC solutions
Leveraging analytics to industrialize continuous audit
Implementing continuous risk assessments
Increasing productivity through knowledge management 2.0
AUDIT 2.0 (bis) – AUDITING DIGITIZATION
Enhancing evaluation of digital operational technologies
Enhancing evaluation of digital security technologies
Improving company practices to guard organization’s information
Assuring company practices in disseminating information to authorized parties
AUDIT 3.0 – AUDIT IN THE AGE OF AI
AI as transformational enabler of operational and cost efficiencies, business model, customer engagement
AI as disruptive technology to established risk management frameworks and regulations
AI capabilities to learn and reach decisions through algorithmic layers pose a challenge to auditability and traceability
CYBERCRIME – COSTLY ENCOUNTERS
$8 trillion as the cost of cybercrime to businesses over the next five years
Irreparable reputational damages are on the rise
Escalating regulations are increasingly penalizing failures to tackle cybercrime
CYBERCRIME – GENERATING HEADLINES
TECH TENSION – UAE PERSPECTIVE
Threat landscape is becoming increasingly complex and hyper connected
UAE has significant wealth and excels in digitization and innovation, making it an attractive target for advanced threat actors
Organizations must actively manage cybersecurity threats and risks so that they can realize the full potential of digitization
Source: DarkMatter analysis
ATTACK SURFACE – TELCOS EXPANDING THREATS
More and more data and services are reachable through the Internet
Multitude of new complex IT systems coexisting with legacy ones
Multiplication of equipment: femtocells, Wi-Fi routers, set-top boxes, IoT devices, …
Attack vectors shown: physical site access; phishing; rogue access point; targeted malware; social engineering; mobile device exploitation; social networking; physical access to corporate assets; vulnerability exploitation
Source: DarkMatter analysis
UAE-RELATED WEBSITES – SIGNIFICANT VULNERABILITIES
136,000 UAE websites surveyed; 35% were hosted outside the UAE
791,162 UAE public hosts
276,055 vulnerabilities identified; 39% ranked high/critical severity
Source: DarkMatter analysis
REGIONAL INFRACO-SERVCO – COMPARABLE DIAGNOSTIC
39 entities analyzed
1,057 domains from HQ and subsidiaries reviewed
4,545 vulnerabilities identified
421 high and critical vulnerabilities not patched for more than 2 years
[Chart: Vulnerabilities by Severity and Age; severity Low / Medium / High / Critical against age < 3 months / 3-12 months / 1-2 years / > 2 years]
Source: DarkMatter analysis
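The severity-by-age breakdown behind this diagnostic can be reproduced from any scanner export. The following is an added example (it is not DarkMatter's code and not part of the original slides): it rates constructed findings with the CVSS v3.x qualitative scale, buckets them by age since the finding (or its patch) first appeared, and computes the "high and critical, unpatched for more than two years" figure. The sample rows, the 91-day quarter and the use of the presentation date as the assessment date are assumptions.

```python
"""Severity/age bucketing of scanner findings, as in the diagnostic above.
Added example, not DarkMatter's tooling: the findings are constructed rows,
and 'first_seen' (date the finding or its patch first appeared) and the
assessment date are assumptions."""
from datetime import date

SEVERITIES = ("Low", "Medium", "High", "Critical")
AGE_BUCKETS = ("< 3 months", "3-12 months", "1-2 years", "> 2 years")

# Constructed sample export: (finding name, CVSS v3.x base score, first_seen).
SAMPLE_FINDINGS = (
    ("outdated-openssl-1.0.1",    9.8, date(2016, 11, 2)),
    ("unsupported-windows-2003",  7.5, date(2017, 1, 15)),
    ("smb-signing-disabled",      7.5, date(2018, 2, 1)),
    ("cleartext-telnet",          5.3, date(2019, 3, 1)),
    ("snmp-default-community",    3.1, date(2018, 9, 1)),
    ("default-admin-credentials", 9.1, date(2019, 1, 10)),
    ("informational-banner",      0.0, date(2018, 1, 1)),  # CVSS 0.0 = None, left out of the grid
)
ASSESSMENT_DATE = date(2019, 4, 18)  # assumption: the date of this presentation


def cvss_severity(score):
    """CVSS v3.x qualitative rating: None 0.0, Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "None"


def age_bucket(first_seen, today):
    """Age buckets used on the slide; a quarter is taken as 91 days (assumption)."""
    days = (today - first_seen).days
    if days < 91:
        return "< 3 months"
    if days < 365:
        return "3-12 months"
    if days < 730:
        return "1-2 years"
    return "> 2 years"


def bucket_findings(findings, today):
    """Return {severity: {age_bucket: count}} over all rated findings."""
    table = {sev: {b: 0 for b in AGE_BUCKETS} for sev in SEVERITIES}
    for _name, score, first_seen in findings:
        sev = cvss_severity(score)
        if sev == "None":
            continue
        table[sev][age_bucket(first_seen, today)] += 1
    return table


def stale_high_critical(table):
    """High and Critical findings older than two years: the figure the diagnostic highlights."""
    return table["High"]["> 2 years"] + table["Critical"]["> 2 years"]


def render(table):
    """Plain-text grid: severity rows by age columns."""
    head = "Severity   " + "".join(f"{b:>13}" for b in AGE_BUCKETS)
    rows = [head] + [
        f"{sev:<11}" + "".join(f"{table[sev][b]:>13}" for b in AGE_BUCKETS)
        for sev in SEVERITIES
    ]
    return "\n".join(rows)


if __name__ == "__main__":
    grid = bucket_findings(SAMPLE_FINDINGS, ASSESSMENT_DATE)
    print(render(grid))
    print("High/Critical unpatched > 2 years:", stale_high_critical(grid))
```

Feeding a real export means mapping the scanner's own severity field and its "first detected" or "patch published" date into the same tuple shape; the rest of the script is unchanged.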
SECURITY OPERATIONS CENTERS – INSIGHTS
Our Security Operations Centers investigated numerous incidents
They have been categorized into 6 types and their severity ranked on aeCERT's severity scale
Source: DarkMatter analysis
TECHNICAL ASSESSMENTS – INSIGHTS
Several vulnerabilities and configuration flaws were also identified during technical assessments
Outdated and unsupported software are the most common vulnerabilities
Source: DarkMatter analysis
TOP SECURITY WEAKNESSES – ROOT CAUSES
Patch Management and Outdated Technology have the most significant impact
Insecure Deployment and Configuration Management are contributing factors
Top weaknesses by occurrence, with root causes Outdated Technology, Patch Management, Insecure Deployment and Configuration Management:
93% Outdated Software
83% Unsupported Software
77% Default / Weak Credentials
70% SNMP Default Community Strings
57% Unencrypted Protocols in Use
53% Insufficient Network Segregation
53% NetBIOS over TCP and LLMNR Enabled
50% SMB Signing Disabled
Source: DarkMatter analysis
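Several of these weaknesses can be confirmed with a single packet. The following added example (not DarkMatter's tooling and not from the original slides) targets "SNMP Default Community Strings": it hand-encodes an SNMPv2c GetRequest for sysDescr.0 in BER so every byte is visible, sends it with each candidate community string, and treats a well-formed GetResponse as proof that the community is accepted, because agents silently discard requests carrying an unknown community. The community wordlist, the lab address in the usage line and the constructed agent reply used for the offline self-check are assumptions.

```python
"""SNMPv2c default-community probe with hand-rolled BER.
Added example, not DarkMatter's tooling; the wordlist, the usage-line target
and build_get_response (a constructed agent reply) are assumptions."""
import socket

SYS_DESCR = (1, 3, 6, 1, 2, 1, 1, 1, 0)                 # SNMPv2-MIB::sysDescr.0
DEFAULT_COMMUNITIES = ("public", "private", "manager", "cisco")  # assumption: common defaults
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2                   # context-specific PDU tags (RFC 3416)


def ber_length(n):
    """Definite-form length: short form below 128, long form with a byte count above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    return bytes([tag]) + ber_length(len(payload)) + payload


def ber_int(value):
    """INTEGER, minimal two's-complement encoding (extra 0x00 byte when the top bit is set)."""
    return tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True))


def ber_oid(arcs):
    """OBJECT IDENTIFIER: first two arcs packed as 40*x+y, the rest base-128 with continuation bits."""
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(chunk)
    return tlv(0x06, bytes(body))


def build_message(pdu_tag, community, request_id, value):
    """SNMPv2c message: SEQUENCE { version=1, community, PDU { id, error, index, varbinds } }."""
    varbind = tlv(0x30, ber_oid(SYS_DESCR) + value)
    pdu = tlv(pdu_tag, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(1) + tlv(0x04, community.encode()) + pdu)


def build_get_request(community, request_id):
    return build_message(GET_REQUEST, community, request_id, tlv(0x05, b""))  # NULL value in a request


def build_get_response(community, request_id, sys_descr):
    """Constructed agent reply, used only for the offline self-check (assumption)."""
    return build_message(GET_RESPONSE, community, request_id, tlv(0x04, sys_descr))


def parse_tlv(buf, pos=0):
    """Return (tag, content, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_response(packet):
    """Return (request_id, error_status, value_tag, value) from a GetResponse; raise on anything else."""
    tag, msg, _ = parse_tlv(packet)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, _version, p = parse_tlv(msg)
    _, _community, p = parse_tlv(msg, p)
    pdu_tag, pdu, _ = parse_tlv(msg, p)
    if pdu_tag != GET_RESPONSE:
        raise ValueError(f"unexpected PDU tag 0x{pdu_tag:02x}")
    _, rid, p = parse_tlv(pdu)
    _, err, p = parse_tlv(pdu, p)
    _, _idx, p = parse_tlv(pdu, p)
    _, varbinds, _ = parse_tlv(pdu, p)
    _, varbind, _ = parse_tlv(varbinds)
    _, _oid, q = parse_tlv(varbind)
    value_tag, value, _ = parse_tlv(varbind, q)
    return (int.from_bytes(rid, "big", signed=True),
            int.from_bytes(err, "big", signed=True), value_tag, value)


def probe(host, communities=DEFAULT_COMMUNITIES, port=161, timeout=1.0):
    """Return [(community, sysDescr)] for every community the agent answered."""
    accepted = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for i, community in enumerate(communities):
            rid = 0x1000 + i                       # distinct id per attempt so replies cannot be confused
            sock.sendto(build_get_request(community, rid), (host, port))
            try:
                data, _ = sock.recvfrom(4096)
                got_rid, err, value_tag, value = parse_response(data)
            except socket.timeout:
                continue                           # unknown community: request silently dropped (RFC 3412)
            except (ValueError, IndexError):
                continue                           # malformed or unrelated datagram
            if got_rid == rid and err == 0 and value_tag == 0x04:  # OCTET STRING, not a v2c exception
                accepted.append((community, value.decode(errors="replace")))
    return accepted


if __name__ == "__main__":
    print(probe("192.0.2.10"))                     # assumption: lab host (RFC 5737 documentation range)
```

Any community that comes back in the list is a finding of the kind counted above; since SNMPv1/v2c community strings travel in cleartext inside the OCTET STRING shown here, the fix is SNMPv3 with authentication and privacy, or at minimum non-default strings restricted by source-address ACLs.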
TOP WEAKNESSES – VULNERABILITIES AND EXPOSURES
Information Leak represented 40% of the vulnerabilities and exposures associated with Outdated Software, the most common weakness
Data Handling and Input Validation ranked high for that weakness
Source: DarkMatter analysis
TESTING EQUIPMENT – INSIGHTS
xen1thLabs has tested utility-related devices available to subscribers in the region
With 35 critical vulnerabilities found, attackers could potentially execute code to:
• Get free access to services
• Access subscribers’ information
• Organize DDoS attacks
• Disable devices remotely
System security testing: software security testing; hardware security testing; telecommunications and mobile security testing
Cryptographic services: cryptographic protocols validation; cryptographic implementation testing; in-depth cryptanalysis services; side-channel analysis
Source: DarkMatter analysis
EXPOSING VULNERABILITIES – EXAMPLES OF IMPACT
Cisco IP Phones
• Vulnerability: attackers could remotely execute code on vulnerable Cisco IP Phones; successful attacks could listen to calls or disrupt the service
• Mitigation / fix: Cisco patched the vulnerability in March 2019
Samsung devices
• Vulnerability: a flaw in the Wi-Fi driver could allow an attacker to remotely crash connected Samsung devices through the Wi-Fi interface
• Mitigation / fix: Samsung patched the vulnerability in March 2019
pgPool (connection-pooling middleware for PostgreSQL)
• Vulnerability: attackers could remotely bypass the authentication process and get unauthorized access to users and data; PostgreSQL is the default database on macOS Server and also runs on Windows and Linux
• Mitigation / fix: pgPool patched the vulnerability in December 2018
Source: DarkMatter analysis
CYBER RESILIENCE – ITERATIVE FRAMEWORK (1/2)
DM Assessments evaluate an organization’s cybersecurity posture, measure the maturity and provide recommendations aligned to the management and technical controls in the UAE Information Assurance (IA) Standards
Types of assessments (sample from the UAE IA Standard):
1. Controls assessment
2. Compromise assessment
3. Vulnerability assessment and penetration testing
Source: DarkMatter analysis
CYBER RESILIENCE – ITERATIVE FRAMEWORK (2/2)
Level 1: Create the strategy. Define the security strategy and roadmap aligned to the organization’s strategic objectives, priorities and initiatives. Maintain oversight via an effective governance program. Dynamically adjust for evolving L2 and L3 requirements.
Level 2: Define the operating model. Support the strategy with a detailed operating model covering both the technology (security architecture) and the people (organizational design).
Level 3: Execute the strategy. Codify and operationalize the various initiatives and implement controls aligned to the organization’s strategy, roadmap and operating model.
Domains: Human Capital; Technology Architecture; Access Control; Security Strategy; Risk Management; Security Operations; Communications Security; Disaster Recovery
Source: DarkMatter analysis
TECH TENSION – RECAP
Increasing prevalence of digitization is outpaced by a faster incidence of cybersecurity risks
Growing digital empowerment at individual level is translating into a stronger expansion of the threat and attack surface
Advancing digital adoption is missing the required capability for detecting and predicting cyber attacks
Expanding digital knowledge is numbing our situational awareness vis-à-vis cyber risks
Disrupting legacy models through digitization too often leaves out the business continuity pillar
Source: DarkMatter analysis
OUR MISSION
ENABLE BUSINESSES AND GOVERNMENTS TO BECOME SMART, SAFE, AND CYBER RESILIENT
Provide · Protect · Nurture
OUR PRACTICES
WE ARE SMART AND SAFE DIGITAL