
Page 1: Cyber Resilience Webinar Presentation (steelnet.org/wp-content/uploads/2016/10/Stempak...)

©2016 Crowe Horwath LLP

Cyber (In)Security

October 27, 2016

Steel Manufacturers Association

Board of Directors Fall Interim Meeting

Page 2

Overuse of the “Cyber” Prefix

Cyber-overload within the Media

• “These days CyberPatriots go to CyberCamps”
• “Director of National Intelligence told Congress a ‘cyber Armageddon’ is unlikely.”
• CBS has introduced “CSI: Cyber” as a show in the CSI series.
• Twitter account @cybercyber tracks use or abuse of the prefix “cyber”
  • Purpose: “All the cyberpanic you can cyberhandle.”
• Cyber Security or Cybersecurity…

Source: Danny Yadron and Jennifer Valentino-Devries, “This Article Was Written With the Help of a ‘Cyber’ Machine,” The Wall Street Journal, March 3, 2015, http://www.wsj.com/articles/is-the-prefix-cyber-overused-1425427767

Page 3

Simplest Definition of Cybersecurity

• “Measures taken to protect a computer or computer system (as on the internet) against unauthorized access or attack”*
• Regardless of the definition, cybersecurity objectives still continue to be:
  • The triad of security for your data and operations
    • Confidentiality
    • Integrity
    • Availability
• Who does it impact?
  • Anyone, individual or organization, connected to a network or the internet

* Source: Merriam-Webster Dictionary, http://www.merriam-webster.com/dictionary/cybersecurity

Page 4

Cybersecurity Strategy

• Who is leading the initiative?
• Is everyone on the same page?
• What’s our top priority?
• Would we know if we were hacked?
• Who would respond and how?
• What does our Board think?

Management tends to regard cybersecurity predominantly as a technology issue rather than a business issue.

Key Steps

1. Information Security Officers (ISOs) or Chief Information Security Officers (CISOs) and CIOs should maintain focus on business impacts and outcomes from cyber risks for their organization.
2. Provide reports that help the Board (Audit and Risk Committees) focus on your organization's specific cyber risk situation, instead of distracting media headlines.
3. Consider new technology and skilled personnel to organize, execute and maintain the cybersecurity initiative.

Page 5

Understanding Risk

• An asset is what we are trying to protect.
• A threat is what we are trying to protect against.
• A vulnerability is a weakness or gap in our protection efforts.
• Risk – The potential for loss, damage or destruction of an asset as a result of a threat exploiting a vulnerability.

Asset + Threat + Vulnerability = Risk

Page 6

The World Today – Recent Cybersecurity Breaches

• Chase

• Target

• Jimmy John’s

• P.F. Chang’s

• Community Health Systems

• The Home Depot

• Adobe

• Apple iCloud

Page 7

2015 Statistics Snapshot

• 717 Breaches (176M records lost) through 2015
• $254/record; the forecast average loss for a breach of 1,000 records is between $52,000 and $87,000.

[Chart: Number of Breaches per year, 2005 to 2015 (y-axis 0 to 900)]

Verizon Data Breach Report - http://www.verizonenterprise.com/DBIR/
Identity Theft Resource Center - http://www.idtheftcenter.org/

Page 8

Anatomy of a Cyber Incident

[Diagram: four layers (Internet, Application, Infrastructure, Endpoint) with the elements Third Party, Firewall, Remote Users, Mobile Devices, Web Application, Applications, Network, Employees, Workstations, Servers, Printers, Cloud, Database]

Source: Crowe analysis

Page 9

Attack Scenario

Source: “M-Trends 2015: A View From the Front Lines,” Mandiant, 2015, https://www2.fireeye.com/WEB-2015RPTM-Trends.html

Initial Point of Entry

The point of entry represents how the attacker obtains initial access. Examples include social engineering, unpatched internet-accessible systems, or weak passwords on externally accessible systems. In a 2015 Mandiant case study, the initial point of entry was achieved by logging into an externally accessible virtual system.

Pivot Point

The initial access typically does not provide the information the attacker is looking for. They will take advantage of the initial access to try to increase authority on the network. This could occur through shared passwords, unpatched systems, or excessive privileges. In the Mandiant case study, the attackers took advantage of misconfigured devices and shared passwords to eventually obtain domain administrator authority.

Fortify Access and Access Data

As the attacker pivots around the network, they continue to attempt to escalate their authority until they have the necessary access. They will typically fortify their access by installing malware or backdoors to maintain access. In the Mandiant case study, the administrator credentials the attacker obtained also had authority to the cardholder network, where they installed card harvesting malware to capture credit card data.

Data Exfiltration

Once the attacker has data, they need to get it out of the network. This can be completed through email or FTP. In the Mandiant case study, the malware wrote the cards to a temp file on the database, which was copied to a server, then to a workstation that had internet access, where it was sent via FTP to the attacker.
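The last step of the scenario, a workstation pushing data out over FTP, is the kind of event that firewall logs already record. The following detection logic is an added example (not part of the deck or the Mandiant report) that runs over constructed connection records and flags unapproved FTP/SMTP egress and large outbound sessions from workstation subnets; the log format, address plan, approved relay host and thresholds are assumptions.

```python
"""Egress detection over firewall connection logs.

Added example, not from the Crowe deck: it flags the exfiltration pattern in
the Mandiant case study above, where card data left the network via FTP from
a workstation that had internet access. The log format, internal address
ranges, approved relay host and thresholds are assumptions for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Assumed address plan: RFC 1918 space is "inside"; workstations live in 10.10/16.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
WORKSTATION_NETS = [ip_network("10.10.0.0/16")]
# Assumed: the only host sanctioned to use file-transfer/mail ports outbound.
APPROVED_EGRESS = {"10.0.5.10"}
WATCHED_PORTS = {20: "ftp-data", 21: "ftp", 25: "smtp"}
BYTES_THRESHOLD = 5_000_000  # 5 MB outbound in one session from a workstation


@dataclass
class Conn:
    ts: str
    src: str
    dst: str
    dport: int
    bytes_out: int
    action: str


def parse_line(line: str) -> Optional[Conn]:
    """Parse one key=value firewall record; return None for unusable lines."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    try:
        return Conn(fields["ts"], fields["src"], fields["dst"],
                    int(fields["dport"]), int(fields["bytes_out"]),
                    fields.get("action", "allow"))
    except (KeyError, ValueError):
        return None


def in_any(ip: str, nets) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in nets)


def analyse(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, source host, reason) for suspicious allowed egress."""
    alerts = []
    for line in lines:
        c = parse_line(line)
        if c is None or c.action != "allow":
            continue
        # Only internal -> external sessions are egress; skip everything else.
        if not in_any(c.src, INTERNAL_NETS) or in_any(c.dst, INTERNAL_NETS):
            continue
        if c.dport in WATCHED_PORTS and c.src not in APPROVED_EGRESS:
            alerts.append((c.ts, c.src,
                           f"unapproved {WATCHED_PORTS[c.dport]} egress to {c.dst}"))
        if c.bytes_out >= BYTES_THRESHOLD and in_any(c.src, WORKSTATION_NETS):
            alerts.append((c.ts, c.src,
                           f"{c.bytes_out} bytes sent to {c.dst}:{c.dport}"))
    return alerts


# Constructed sample records (not real traffic). The first line is the
# case-study pattern: a workstation pushing a large file to an external FTP server.
SAMPLE_LOG = [
    "ts=2015-03-01T02:14:07Z src=10.10.4.23 dst=203.0.113.7 dport=21 bytes_out=9300000 action=allow",
    "ts=2015-03-01T02:15:30Z src=10.0.5.10 dst=198.51.100.20 dport=21 bytes_out=120000 action=allow",
    "ts=2015-03-01T02:16:02Z src=10.10.4.23 dst=10.0.7.2 dport=445 bytes_out=12000000 action=allow",
    "ts=2015-03-01T02:17:45Z src=10.10.4.23 dst=198.51.100.77 dport=443 bytes_out=48000 action=allow",
    "ts=2015-03-01T02:18:11Z src=10.10.8.5 dst=203.0.113.7 dport=21 bytes_out=5000 action=deny",
    "malformed line with no fields",
]

if __name__ == "__main__":
    for ts, host, reason in analyse(SAMPLE_LOG):
        print(f"{ts} {host}: {reason}")
```

The internal copy on port 445 is deliberately ignored: file movement between servers is too noisy to alert on alone, which is why the deck's later "Data Exfiltration" slide focuses on outbound channels.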

Page 10

2015 Detection and Reaction Times

Verizon Data Breach Report - http://www.verizonenterprise.com/DBIR/

Page 11

Evolving Threats

• The threat landscape is continually evolving…
  • Ransomware
  • Whaling
  • Distributed Denial of Service Attack (DDoS)
    • 10/21/2016 DDoS - “DDoS attack that disrupted internet was largest of its kind in history, experts say”
  • Third-Parties Within Your Supply Chain
  • Newly Acquired Businesses
  • Internet of Things

Page 12

Third-Party Risk Management

• The Ponemon Institute’s study called U.S. Cost of a Data Breach found that 42 percent of breaches (as identified from survey respondents) were caused by a third-party vendor.
  • Source: http://www.ponemon.org/local/upload/fckjail/generalcontent/18/file/US_Ponemon_CODB_09_012209_sec.pdf
• Most organizations don’t have a comprehensive list of the vendors they share data with.
• Lines of business have the ability to engage vendors with little to no involvement of security personnel.
• Organizations perform minimal oversight of vendors’ control environments.

Page 13

An Ideal Process

Page 14

Merger and Acquisition Due Diligence

• Cybersecurity should be part of your due diligence process
  • Not just what ERP application they are running
• Scope should include:
  • Management and Oversight
  • Employee Management
  • Third-Party Risk Management
  • Business Continuity and Disaster Recovery
  • Incident Response
  • Asset Management
  • Threat and Vulnerability Management
  • Network Architecture
  • Logging and Monitoring
  • Logical Access Management
  • Secure Configuration Management
  • Physical Security
• Review through questionnaires, surveys, interviews, review of recent audit and penetration testing, and walkthroughs

Page 15

Trends in Cybersecurity – “The Internet of Things”

• Everything has an IP
  • HVAC
  • Cars
  • Garage Door Opener
  • Refrigerator
  • Webcams

What about the equipment, controllers, and computers within your factory?

Page 16

Cyber Resilience

• In the face of a continually evolving and maturing threat environment, organizations must be resilient in order to effectively manage risks.
• Cyber resilience includes concepts such as information security, business continuity management, and organizational resilience.
• Components of cyber resilience include:
  • Asset management
  • Controls management
  • Configuration and change management
  • Vulnerability management
  • Incident management
  • Service continuity management
  • Risk management
  • External dependencies management
  • Training and awareness
  • Situational awareness

Page 17

Why IT Risk Management Fails

• It’s all a matter of perception…
• IT Risk is not viewed as a shared risk with the business
  • In reality, the business is part of the first line of defense!
• Management and IT view risk differently
• Minimal linkage between ERM and IT Risk Management
• Security is not prioritized or measured comparative to other operational factors (time to market, budget, etc.)
• Cybersecurity is a component of IT Risk Management

Page 18

IT Risk Management Process

[Diagram: labels recovered from the slide]

Asset: Facilities, Third Parties, Technologies (Infrastructure, Applications, Endpoints)

Risk Assessment: Threat Assessment (Threat Likelihood, Threat Capability), Impact, Likelihood, Security Assessments, Inherent Risk

Governance: Risk Appetite, Risk Tolerance, Control Objectives, Unified Control Framework (Industry Standards: ISO, NIST, COBIT/COSO; Compliance: PCI DSS, HIPAA, SOX, State Privacy)

Risk Management Programs: Password Management, Threat & Vulnerability Management, Advanced Endpoint Protection, Security Incident and Event Management, Data Loss Prevention, Business Continuity / Disaster Recovery, Security Awareness Training, Data Classification, Data Inventory, Managed Security Services, Security Assessment, Penetration Testing, Security Intelligence Center, Security Operations, Information Feeds, Incident Planning, Incident Response, External Audit, Internal Audit

Residual Risk and Treatment: Remediation, Acceptance, Transfer, Avoid

• Step 1: Risk assessment
• Step 2: Define control objectives
• Step 3: Implement risk management programs
• Step 4: Assess programs

Source: Crowe analysis
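To make the four steps and the inherent/residual/tolerance vocabulary concrete, here is an added risk-register model (an illustration, not Crowe's methodology): it scores inherent risk as impact × likelihood, applies one of the four treatments named on the slide, and reports which risks remain above the stated risk tolerance. The 1 to 5 scales, the effect assigned to each treatment and the sample register are assumptions.

```python
"""Risk register walk-through of the four-step IT Risk Management Process on
the slide: risk assessment -> define control objectives -> implement risk
management programs -> assess programs.

Added example, not Crowe's methodology: the 1-5 scales, how each treatment
(remediation, acceptance, transfer, avoid) changes residual risk, and the
sample register are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Tuple


class Treatment(Enum):
    REMEDIATION = "remediation"
    ACCEPTANCE = "acceptance"
    TRANSFER = "transfer"
    AVOID = "avoid"


@dataclass
class Risk:
    asset: str
    threat: str
    impact: int        # 1 (negligible) .. 5 (severe), assumed scale
    likelihood: int    # 1 (rare) .. 5 (almost certain), assumed scale
    treatment: Treatment = Treatment.ACCEPTANCE
    # Step 3 programs implemented against this risk: (name, likelihood points removed)
    controls: List[Tuple[str, int]] = field(default_factory=list)

    def __post_init__(self):
        for name, value in (("impact", self.impact), ("likelihood", self.likelihood)):
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be 1..5, got {value}")

    def inherent(self) -> int:
        """Step 1: inherent risk before any treatment (1..25)."""
        return self.impact * self.likelihood

    def residual(self) -> int:
        """Risk remaining after the chosen treatment is applied."""
        if self.treatment is Treatment.AVOID:
            return 0  # the activity is stopped, so the exposure is removed
        if self.treatment is Treatment.TRANSFER:
            # Assumption: insurance/outsourcing absorbs part of the impact but
            # does nothing to the likelihood of the event itself.
            return max(1, self.impact - 2) * self.likelihood
        if self.treatment is Treatment.REMEDIATION:
            reduction = sum(points for _, points in self.controls)
            return self.impact * max(1, self.likelihood - reduction)
        return self.inherent()  # ACCEPTANCE: nothing changes


def define_control_objective(risk: Risk, tolerance: int) -> int:
    """Step 2: the likelihood level the programs must reach so that residual
    risk sits within tolerance; 0 means impact alone already exceeds it."""
    for target in range(risk.likelihood, 0, -1):
        if risk.impact * target <= tolerance:
            return target
    return 0


def assess_programs(register: List[Risk], tolerance: int) -> List[str]:
    """Step 4: assets whose residual risk still exceeds tolerance, i.e. risks
    that must go back through treatment."""
    return [r.asset for r in register if r.residual() > tolerance]


# Constructed sample register for a manufacturer (illustrative values only).
SAMPLE_REGISTER = [
    Risk("Plant HMI workstations", "ransomware via phishing email", 5, 4,
         Treatment.REMEDIATION, [("email content filtering", 1), ("endpoint protection", 1)]),
    Risk("Cardholder database", "credential theft by external attacker", 5, 3,
         Treatment.TRANSFER),
    Risk("Legacy PLC controller (unpatchable)", "exploitation of known flaw", 4, 3,
         Treatment.REMEDIATION, [("network isolation", 2)]),
    Risk("Marketing website", "defacement", 2, 3, Treatment.ACCEPTANCE),
]
RISK_TOLERANCE = 8  # assumed board-approved tolerance on the 1..25 scale

if __name__ == "__main__":
    for r in SAMPLE_REGISTER:
        print(f"{r.asset}: inherent={r.inherent()} residual={r.residual()} "
              f"target likelihood={define_control_objective(r, RISK_TOLERANCE)}")
    print("still above tolerance:", assess_programs(SAMPLE_REGISTER, RISK_TOLERANCE))
```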

Page 19

How is Cybersecurity Different

• Risk Velocity for cybersecurity risks is high
  • The time between a risk scenario occurring and the organization realizing the impact is short.
• The direction for most cybersecurity risks is increasing
  • This is due to heightened awareness (both internally and externally), increased threat activity, and awareness of multiple attack vectors.
• There is still a lack of understanding, even amongst IT professionals, of the true impact of even ‘low’ risk systems.
  • This is often due to the inability to understand how an attack could traverse the environment.

Page 20

Cybersecurity Maturity

• Maturity focuses on the capabilities of the people, processes and technologies supporting the organization’s cybersecurity program.
  • People – The necessary skills and abilities to execute necessary tasks.
  • Process – The procedures needed to achieve the goals and objectives.
  • Technology – The supporting IT management tools and infrastructure needed to enable the processes to be carried out.

Effectiveness: The ability of the organization to achieve the desired results of the control objective.
Efficiency: The ability of the organization to achieve results cost-effectively.
Responsiveness: The ability of the organization to react to external and internal influences on information security.

Page 21

The NIST Cybersecurity Framework – Implementation Tiers

Framework Core

• Functions
  • Identify
  • Protect
  • Detect
  • Respond
  • Recover
• Categories
• Subcategories
• Informative References

Framework Link: http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf

Page 22

The NIST Cybersecurity Framework – Implementation Tiers

Tier 1: Partial

• Not formalized

• Ad hoc

• Limited awareness

• Limited external coordination

Tier 2: Risk Informed

• Approved but not established

• Not consistent across the organization

• Informal

Tier 3: Repeatable

• Formal Risk Management

• Organizationally consistent

• Respond to risk changes

• Collaborates with external parties

Tier 4: Adaptive

• Improve based on lessons and indicators

• Risk management part of culture

• Active information sharing with external parties to drive action

Page 23

Common Cybersecurity Risks

• The top cybersecurity risk areas in our experience

Key Risk Area: Security Governance
Risk Examples: Phishing / Social Engineering; Shadow IT (mobile, personal cloud)
Comments: Organizations have been providing training for a while. However, employees continue to be the weakest link to security. Organizations must find solutions to make security part of the organization’s culture, empowering employees to understand and manage the risks independently.

Key Risk Area: Change Management
Risk Examples: Patch Management; Unsecured deployments
Comments: Vulnerabilities are identified regularly, and with the proliferation of technologies and applications, organizations are unable to keep these technologies up to date. In addition, there is a continuing struggle between innovation and security. Employees are still incentivized by meeting deadlines and staying on budget, with minimal security expectations. Organizations need to set the right tone as it relates to security, including providing the right incentives to employees to manage critical risk effectively.

Key Risk Area: Third Parties
Risk Examples: Data Protection; Denial of Service
Comments: Organizations’ reliance on third parties has increased significantly, providing them more access than ever to sensitive data, and increasing the criticality third-party solutions play in day-to-day operations. Organizations need to develop programs around identification and management of critical vendors commensurate with their potential impact on the business.

Page 24

Common Cybersecurity Risks

• The top cybersecurity risks in our experience

Key Risk Area: Incident Response
Risk Examples: Inappropriate response during an incident
Comments: As public awareness of breaches and their impact continues to rise, potential impacts on companies are also increasing. Organizational perspectives are shifting from incident avoidance to breach mitigation. However, organizations fail to properly plan their response when an incident does occur. Organizations need to clearly define and test incident response procedures that triage, respond, and remediate incidents when they occur.

Key Risk Area: Balance
Risk Examples: Improper balance between security risk and business risk
Comments: Organizations continue to struggle to find the right balance between innovation and security, often taking reactionary approaches to prioritizing strategies. With the heightened sensitivity to breaches, organizations may over-correct and emphasize security to a point that other business goals are negatively impacted. Organizations need to establish programs to proactively identify and manage risks to levels acceptable to the organization.

Page 25

Asset Management – Data Protection

• Risks and Threats:
  • Lost or misplaced data
  • Unknown secondary and tertiary data stores
  • Third-party vendors
  • Cloud computing storage
  • Oversharing of data
  • Keeping unnecessary sensitive data
• Threat Responses:
  • Data classification system
  • Data custodians
  • Digital rights management
  • E-discovery
  • Cloud access security brokers

Page 26

Passwords

• Risks and Threats:
  • Phishing and spear phishing
  • Personal versus business email
  • Reset processes
  • Unnecessary accounts
    • Test accounts
    • Temp accounts
  • Weak passwords
    • Blank
    • “Joe” password
      • Username = password
    • Guessable (Summer2015)
  • Password sharing
    • Temp1
    • Intern1
• Threat Responses:
  • Multi-factor authentication
  • Personal computing restrictions
  • Network segmentation
  • Password management systems
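The weak-password patterns on this slide are mechanical enough to be checked automatically at password-change time. The following checker is an added example (not from the deck) that flags blank passwords, the “Joe” password, the season-plus-year guessables and the Temp1 / Intern1 style role-word accounts over a constructed account list; the word lists, the minimum length and the hypothetical change-password hook it would sit behind are assumptions.

```python
"""Account hygiene check for the weak-password patterns listed on the slide:
blank passwords, the "Joe" password (username = password), seasonal
guessables like Summer2015, and role-word accounts such as Temp1 / Intern1.

Added example, not from the Crowe deck. It assumes the organisation can see
the plaintext candidate at password-change time (e.g. a change-password
hook, assumed); the word lists and minimum length are assumptions.
"""
import re
from typing import Dict, List

SEASON_YEAR = re.compile(r"(spring|summer|fall|autumn|winter)(19|20)\d{2}[!@#$%^&*.]{0,2}")
ROLE_DIGITS = re.compile(r"(temp|intern|test|guest|admin|welcome|password|changeme)\d{1,4}[!@#$%^&*.]{0,2}")
MIN_LENGTH = 12  # assumed policy minimum


def weak_password_findings(username: str, password: str) -> List[str]:
    """Return the weak-pattern findings for one credential (empty list = none found)."""
    findings = []
    pw = password.strip()
    if not pw:
        return ["blank password"]
    low, user = pw.lower(), username.strip().lower()
    if low == user:
        findings.append("'Joe' password: username equals password")
    elif len(user) >= 3 and user in low:
        findings.append("password contains the username")
    if SEASON_YEAR.fullmatch(low):
        findings.append("season + year pattern (e.g. Summer2015)")
    if ROLE_DIGITS.fullmatch(low):
        findings.append("role word + digits (e.g. Temp1, Intern1)")
    if len(pw) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    return findings


def audit_accounts(accounts: Dict[str, str]) -> Dict[str, List[str]]:
    """Run the check over a username -> password mapping; keep only accounts with findings."""
    result = {}
    for username, password in accounts.items():
        findings = weak_password_findings(username, password)
        if findings:
            result[username] = findings
    return result


# Constructed sample accounts modelled on the slide's examples (not real credentials).
SAMPLE_ACCOUNTS = {
    "jsmith": "",
    "joe": "Joe",
    "mkim": "Summer2015",
    "intern1": "Intern1",
    "svc_backup": "Temp1!",
    "rlee": "correct horse battery staple",
}

if __name__ == "__main__":
    for user, findings in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{user}: {'; '.join(findings)}")
```

Pattern checks like these catch only the guessable families the slide names; they complement, rather than replace, the multi-factor authentication and password-management responses listed above.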

Page 27

Password Strength

https://www.xkcd.com/936/

Page 28

Data Exfiltration

• Risk and Threats:
  • Incidents lead to breach
  • Data is accidentally or maliciously disclosed
  • Oversharing of data
• Threat Responses:
  • Content filtering
    • Personal email
    • Online storage
  • Firewall rules
  • Portable storage
  • Data loss prevention

Source: Crowe analysis

Page 29

Logging and Monitoring

• Risk and Threats:
  • Breach activity
  • Bot activity
  • Data compromise
  • Lack of data for forensic investigation
  • Privacy violations
• Threat Responses:
  • Centralized log storage
  • Trend detection and response
  • Privacy alerts

Page 30

Common Breach Vectors

• Viruses/Malware
• 0-day vulnerabilities
  • Heartbleed, Shellshock, POODLE
• SQL Injections
• Stolen/re-used credentials
• More than 80% of breaches “have a root cause in employee negligence”
  • Misconfiguration/Default Configuration
  • Lack of Patching
  • Weak Passwords
  • Social Engineering
• Awareness Training is Key!

Page 31

Security Awareness

• Sometimes, employees don’t understand the risks:
  • “One-third of employees say they break IT policies because they don’t believe they’re doing anything wrong when doing so.”*
  • “61% say it’s up to IT staff, not them, to safeguard information and devices”*
• What are the big risks?
  • Phishing
  • Email
  • Social engineering
  • Drive-by attacks
  • Access to third parties

* Source: Don Reisinger, “Younger Workers Pose Big Security Risks,” Baseline, Dec. 21, 2011, http://www.baselinemag.com/c/a/Security/Younger-Workers-Pose-Big-Security-Risks-888439/

Page 32

Ransomware [Defined]

• Per the FBI Cyber Division
  • Ransomware is a form of malware that targets both human and technical weaknesses in organizations and individual networks in an effort to deny the availability of critical data and systems.
• Evolution
  • First reported instances of Ransomware… 1989 using floppy disks!
  • 1996 produced research on the subject matter
  • Modern-day Ransomware began in 2005
  • First “mass-deployed Ransomware” in 2012

Source: http://blog.talosintel.com/2016/04/ransomware.html#ch2

Page 33

Ransomware [Attack-flow]

• Primary attack vector: social engineering
• Takeaway: results are different; attack vectors and recommendations are not
• Preparedness activities on next slides
• Moment to pause:
  • What would the impact to your organization be? Loss of:
    • Files
    • Workstation(s)
    • Servers

Source: Courtesy of the Information Assurance Directorate at the National Security Agency, https://www.iad.gov/iad/library/ia-guidance/tech-briefs/ransomeware-locky.cfm

Page 34

Case Study

Case Study 1: Ransomware Infection

A staff member has downloaded a virus containing Ransomware from a malicious email attachment. It has begun to encrypt or lock all files available to them on their computer as well as all of the files available to them on shared drives. The staff member has a message on their screen with instructions on how to pay the criminals to unlock the files as well as links to news stories about large organizations paying to successfully unlock their files. The ransom is 12 chatcoin, an anonymous cryptocurrency, or approximately $20,000 USD.

Currently about 40% of the 70,000 files that the staff member has access to have been locked by the Ransomware. The files that have been locked have become unavailable to other users on the network. The files contain important intellectual property, CAD drawings and financial data for their manufacturing processes.

Questions to consider include:

• What key players should be involved in the work to resolve this issue?
• What tactical steps need to be taken to contain the Ransomware?
• What are some of the key factors in deciding whether to pay the ransom?
• What are some of the repercussions of deciding to pay the ransom?
• What kinds of technical protections/controls could have prevented the situation?
• How do we estimate the impact of the potential intellectual property loss?
• Will you disclose any details surrounding the compromise? How and which details?

Page 35

Ransomware [Preparedness]

• This is a global issue which does not appear to be dissipating anytime soon, and your chances of successfully thwarting an attacker are rooted in basic information security 101 activities:
• Strategic…
  • Know where all of your critical data is located
    • This is a security fundamental most organizations cannot effectively answer to drive their IT operations
  • Ensure external access is as minimal as possible
    • Understanding what exposure your enterprise has externally is key (e.g. the last VOIP upgrade, were any ports opened externally? How about for the new MDM solution?)
  • Have realistic/practical logging in place
    • Logging should not be treated like a check box; it needs to be practical and actionable
  • Isolate systems that cannot be patched, upgraded, or protected with cybersecurity controls
    • If you can’t fix them, securely isolate them

Page 36

Ransomware [Preparedness]

• Tactically, what should we be reviewing…
  • Email Content Filtering: What is able to be delivered to employees?
  • Security Awareness: How well are employees trained?
  • Endpoint Protection: Is there a layered approach?
  • Propagation: Are we limiting the avenues for privilege escalation, including local administrator? Share permissions?
  • Data Backups: Have procedures been tested?
  • Data Exfiltration: What channels of communication are available outbound?
  • Incident Response: Can we respond in a timely manner with the right skills?

Page 37

Incident Response Planning

• 27% of organizations don’t have a breach response plan or team in place

• 37% have not reviewed or updated their plan since it was created

• Questions to consider:

• What will I do?

• What are the laws?

• What will my regulator say?

• How much will my customers ask?

• Who will I call?

• How do I stop it?

Page 38

Incident Response Planning

[Diagram: four-phase cycle]
• Plan & Practice
• Identify & Respond
• Investigate, Contain, & Remove
• Reflect & Refine

• Metrics
• Measures
• Proof of performance
• Specialized training, techniques
• Specialized tools/solutions
• Outside help predetermined
• Your alarms
  • Malware, whitelisting, DLP, SIEM, etc…
• Tip lines
• Risk assessments
• Deployed security controls/solutions
• Routine testing/audits
• User awareness/education

Page 39

Incident Response Planning – Observed Shortfalls From Our Investigations

• Lack of awareness about what critical data is actually on an IT system
• Improper handling of a compromised IT system
• No available IT system backups
• No reasonable security detection, logging, or monitoring on key IT systems
• No/poor detective controls – typically another system breaks as a symptom of the original breach situation before action is taken
• No plan to communicate with internal employees, external customers, or law enforcement/reporting agencies

Page 40

Incident Response Planning – Minimum Requirements

• Know where all of your critical data is on your IT systems
• Ensure that external IT system access is as minimal as possible
• Have real-time and archived logs available for all critical IT systems
• Keep all anti-malware software enabled and updated
• Routinely patch all software – at a minimum, monthly
• Isolate systems that cannot be patched, upgraded, or protected with software-based firewalls or anti-malware

Page 41

Questions or Additional Information Requests

Jim Stempak, Partner

Technology Risk Consulting

+1 214-777-5203 Office

+1 214-422-6801 Cell

[email protected]

https://www.linkedin.com/in/jstempak

Cybersecurity Watch Blog:

https://www.crowehorwath.com/cybersecurity-watch/

Follow Our Cybersecurity Watch Blog (RSS)

Follow Crowe Risk on Twitter