Cyber-security for IA & Risk functions Overview and recommendations June 2015

Upload: grant-barker

Post on 09-Aug-2015


Page 1: Cyber security for ia and risk 150601

Cyber-security for IA & Risk functions

Overview and recommendations

June 2015

Page 2

2 © 2015 Protiviti Inc.

Global cyber-breach examples

“It takes twenty years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently.” – Warren Buffett

In 2013, Target’s network was hacked and compromised for credit card information and other customer data of 70 million customers. The company suffered a loss of $162 million and has also proposed to pay $10 million to settle a class-action lawsuit.

All TV5Monde broadcasts were brought down in a blackout between 10pm and 1am local time on March 8 and 9 by hackers claiming allegiance to Isis. They were able to seize control of the television network founded by the French government in 1984, simultaneously hacking 11 channels as well as its website and social media accounts.

Malware installed on cash register systems across 2,200 The Home Depot stores syphoned credit card details of up to 56 million customers. The same group of Russian and Ukrainian hackers responsible for the data breaches at Target, Sally Beauty and P.F. Chang’s, among others, is reported to be behind the breach.

Anthem, one of the USA’s largest health insurers, said that the personal information of tens of millions of its customers and employees, including its chief executive, was the subject of a “very sophisticated external cyber-attack”. Hackers were able to breach a database that contained as many as 80 million records of current and former customers, as well as employees.

In July 2014, JP Morgan Chase, the US's largest bank, was compromised by hackers, who stole names, addresses, phone numbers and emails of account holders. The hack began in June but was not discovered until July, by which time the hackers had already obtained the highest level of administrative privilege on dozens of the bank’s computer servers.

Page 3

Australian cyber-breach examples

“Privacy is not for the passive” – Jeffrey Rosen

The personal details of 31 of the world's leading political figures were leaked to the organisers of a soccer tournament late last year, in a major data breach caused by an email autofill error. The breach was caused by a staff member at Australia's Department of Immigration and related to world leaders attending the G20 Leaders' Summit in Australia last year.

Pizza Hut Australia confirmed that its customer data was compromised during a hacking attack on its website in 2012. The website was allegedly hacked by a group called 0-Day and Pyknic with claims that 240,000 credit card details were stolen in the process.

Chinese hackers ‘breach Australian media organisations’ ahead of G20 2014 meeting. The group called “Deep Panda” is believed to be affiliated with the Chinese government. Deep Panda targeted Australian media organizations in an attempt to understand the domestic media climate when Chinese president Xi Jinping arrived.

A database containing the personal details of almost 10,000 asylum seekers in Australia, both adults and children, was mistakenly made available on the Web site of the country's Department of Immigration and Border Protection in 2014. The database included names, nationalities, locations, arrival dates and boat arrival information.

Page 4

Global and local cyber-breach statistics

No sector is immune to cyber-breaches and the cost is growing everywhere

Security incidents with confirmed data loss, by sector (chart values and sector labels paired in the order they appear on the slide):

Unknown          325
Public           303
Finance          277
Manufacturing    235
Accommodation    223
Retail           164
Professional     146
Healthcare       141
Information       95
Education         65
Other             28
Administrative    27
Entertainment     23
Transportation    22
Mining            17
Real Estate       10
Utilities         10
Trade              6
Agriculture        2
Construction       2
Management         1

Average company loss, AUD million, by country:

United States    16.2
Germany          10.4
Japan             8.8
France            8.1
United Kingdom    7.6
Australia         5.1
Russia            4.3

Source: Verizon 2015 Data Breach Investigations Report; Ponemon Institute; Hewlett-Packard (HP Enterprise Security), October 2014

10% average increase year-on-year

30 days average resolution time

Page 5

Types of cyber-breach

A major type of cyber-security incident remains socially engineered targeted emails

Source: 2013 CERT Australia Cyber Crime and Security Survey

Targeted emails                               63%
Virus or worm infection                       52%
Trojan or rootkit malware                     46%
Theft of mobile devices                       35%
Unauthorised access                           26%
Ransomware                                    17%
DDoS                                          17%
Unauthorised access to information from an    17%

•  Businesses across a wide range of industry sectors are exposed to potentially enormous physical losses as well as liabilities and costs as a result of cyber-attacks and data breaches.

•  Spammers and other cyber-criminals are moving away from exploit-kits in favour of phishing messages containing malicious email attachments, a tried-and-true attack technique.

Page 6

Contributors to cyber-breaches

Staff errors and/or omissions, followed by poor security culture and unpatched or unprotected software, are major internal factors

Source: 2013 CERT Australia Cyber Crime and Security Survey

Internal Contributors

Staff error and/or omission              57%
Poor security culture                    50%
Unpatched or unprotected software        48%
Misconfigured systems, applications      48%
Lack of technical security controls      41%
Lack of IT security staff                22%
Malicious leak                           16%
Other                                    11%

External Contributors

Targeted attack                            51%
Third party risks and/or vulnerabilities   49%
Sophisticated attackers                    38%
Powerful automated attack tools            36%
Volume of attacks                          31%
Other                                      16%

Page 7

Cyber-security investments & reality

All organisations must recognise that perimeter defences will be breached

•  Boards should not be fooled into believing that good practices will prevent a well-conceived targeted attack: they reduce vulnerability.

•  The reality is that it is simply not possible to secure everything, let alone the perimeter.

•  Even if it were possible to secure the perimeter, this would not be enough, as it is far too easy to get behind it.

   o  All you have to do is be invited in.

   o  Alternatively, it is possible to use social engineering techniques to get somebody behind the perimeter to open the door.

•  The large amounts that have been invested in perimeter defences are of limited value.

Page 8

The need for new tools

Organisations now need to rely on a different set of controls and associated tools to manage cyber-security risk

•  Solutions are all too often seen as purely technology rather than having a critical people element.

•  Over 70% of organisations* have not implemented the types of tools we would expect to see in place behind the perimeter.

•  ‘Intelligent’ security monitoring techniques that highlight abnormal behaviour or potential incidents and enable a real-time response are increasingly important.

•  IT rarely presents a business case for these solutions to the Board, nor clearly explains the value.

•  Boards have been seen to invest in these solutions where a clear business risk and the value proposition around the solution and target investment have been presented.

* Recent Protiviti study

Page 9

The cyber-security challenge in summary

Organisations are now faced with a challenging cyber-threat environment exacerbated by operational hurdles

We often find companies fill a Security Lead role and fail to support them with complementary resources. As a result, the security function reflects the Lead’s particular strengths… and weaknesses.

Cyber-security is too often seen as a technology problem and not handled as a core business risk

The personnel market for cyber-security professionals is highly competitive, and those with a strong business focus are even harder to find and hire

The attack surface is increasing as more devices are attached and the internet-of-things becomes reality

The sophistication of today’s threat-actors is increasing: they are often well-run organisations or state-controlled groups with significant funding and capability

The annual direct costs of detecting, diagnosing and remediating cyber-breaches are increasing at over 10% p.a.

Cyber-risk is now a Board-level risk item, often in the top five risks

Page 10

Frameworks & reality

There is no one size fits all! Complying with frameworks isn’t sufficient

Plethora of frameworks and standards

•  There are so many areas to address:

   –  from encryption, to application security, to disaster recovery

•  Then there is the complication of compliance with regulatory requirements, especially in multiple geographies

Compliance isn’t security

•  Target: PCI-DSS compliant

•  Home Depot: PCI-DSS compliant

•  JP Morgan: GLBA, FFIEC compliant

•  Anthem: HIPAA compliant

•  Aussie Travel Cover: Data not disclosed for 2 months

Page 11

Internal audit’s role in effective cyber-security

“Top performers” address cyber-security risk in their audit plan and have boards that are highly engaged with cyber-security risk

[Chart: Higher board engagement in information security if cyber-security is included in audit plan. Series: Included in audit plan / Not included in audit plan]

[Chart: Higher level of inclusion of cyber-security in the audit plan if high board engagement in information security. Series: High board engagement / “Other” board engagement]

Page 12

Internal audit’s role in effective cyber-security

Organisations which include cyber-security in their audit plan also have a stronger ability to identify, assess and mitigate cyber-security risk

[Chart: Organisations that rate themselves “very effective” at identifying/assessing/mitigating cyber-security risk. Series: In audit plan / Not in audit plan]

[Chart: Organisations that have a cyber-security risk strategy and policy in place. Series: In audit plan / Not in audit plan]

Page 13

Questions to consider

IA and Risk professionals can have a conversation with the business to determine whether it understands the threats, and to make it aware of them

Traditional approaches to cyber-security are not working …

•  A risk-based approach needs to be adopted: a one-size-fits-all approach is all too often adopted and is not practical, too costly and will ultimately fail

•  A top-down ERM approach to security risk assessments is essential: identifying sensitive data, assessing threats, capturing risk appetite, and informing risk mitigation strategies

•  ‘Intelligent’ security monitoring techniques that highlight abnormal behaviour or potential incidents and enable a real-time response are increasingly important

•  People are often the weakest link: security awareness training that works is essential

… and most organisations struggle to answer five key questions

Do you know the value of your data?

Do you know where your data is?

Do you know who has access to this data?

Do you know who is protecting the data?

Do you know how to respond in case the data is compromised?

Page 14

Action items for Risk and Internal Audit (1/2)

Given internal audit’s key role in effective cyber-security, there are ten actions that IA can take

1. Develop strategy & policy

   §  Work with management and the board to develop a cyber-security strategy and policy

2. Become “very effective”

   §  Seek to have the organisation become “very effective” in its ability to identify, assess and mitigate cyber-security risk to an acceptable level.

3. Recognise “internal” threats

   §  Recognise the threat of a cyber-security breach resulting from the actions of an employee or business partner

4. Board awareness & engagement

   §  Leverage board relationships to:

      a)  heighten the board’s awareness and knowledge of cyber-security risk

      b)  ensure that the board remains highly engaged with cyber-security matters and up to date on the changing nature and strategic importance of cyber-security risk.

5. Audit plan integration

   §  Ensure cyber-security risk is formally integrated into the audit plan.

Page 15

Action items for Risk and Internal Audit (2/2)

Given internal audit’s key role in effective cyber-security, there are ten actions that IA can take

6. Keep on top of new technologies

   §  Develop, and keep current, an understanding of how emerging technologies and technological trends are affecting the company and its cyber-security risk profile

7. Use NIST, ISO27001, ISO27002

   §  Evaluate the organization’s cyber-security program against the NIST Cyber-security Framework; recognise that the framework does not go to the control level and therefore may require additional evaluations against ISO 27001 and 27002

8. Address people & technology

   §  Recognise that the strongest preventative capability requires a combination of human and technology security – a complementary blend of education, awareness, vigilance and technology tools

9. Make monitoring & response a priority

   §  Make cyber-security monitoring and cyber-incident response a top management priority – a clear escalation protocol can help make the case for (and sustain) this priority

10. Address IT audit staffing

   §  Address any IT/audit staffing and resource shortages, which represent a top technology challenge in many organisations and can hamper efforts to address cyber-security issues.

Page 16

Breach Detection Audit

Key Questions

•  Are there signs that the organization is currently breached or has been in the recent past?

•  How effective are in-place security monitoring tools and processes?

•  Have potential breaches been sufficiently investigated?

Fieldwork Activities

•  Forensic review of key indicators of a targeted attack (logs, network activity, systems).

•  Evaluation of breach detection capabilities and processes.

•  Review of previous potential breach incidents and organizational follow-up.

Value Provided to Management

•  Management will appreciate the timeliness and relevance.

•  Proven action steps that Management can take to improve its ability to detect breaches.

•  Communication to stakeholders of key controls Management has invested in.

Organisations that are at high risk of cyber-attack should consider an annual Breach Detection Audit.

Page 17

Third Party Access Audit

Key Questions

•  Could a breach of a third party result in a breach of our organization?

•  Are vendor, contractor, and other third party accounts sufficiently restricted?

•  Would we know if a vendor account was being used improperly?

Fieldwork Activities

•  Review of policies and procedures for third parties.

•  Review of a sample of third party accounts for appropriate access.

•  Attempting privilege escalation from an example third party account.

Value Provided to Management

•  Topical given Target’s initial intrusion method.

•  Factual arguments to support limiting vendor access further.

•  Comforting stakeholders on a key area of risk (provided appropriate controls are in place).

IA and Risk can help Management limit risk associated with a hacked third party (e.g., HVAC).
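The Breach Detection Audit's forensic review of log indicators (page 16) and the Third Party Access Audit's question "Would we know if a vendor account was being used improperly?" (this page) both come down to having detection logic that actually runs over authentication and privilege logs. The following is an added example, not part of the Protiviti deck: it keeps a small, assumed registry of third-party accounts (each with the hosts it may reach and an agreed maintenance window), parses constructed key=value log lines, and flags logins to out-of-scope hosts, logins outside the window, privilege changes on vendor accounts, and a success that follows a burst of failures. The log format, account names, host names, addresses and thresholds are all assumptions made for the illustration.

```python
"""Detection logic for third-party (vendor) account misuse, run over sample log lines.

Added example: the log format, account registry and sample events below are
assumptions for this illustration, not a real SIEM rule set or audit tool.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Assumed registry of third-party accounts: hosts each may reach and the UTC
# hours (inclusive start, exclusive end) of its agreed maintenance window.
THIRD_PARTY_ACCOUNTS = {
    "vendor_hvac": {"hosts": {"bms-01"}, "window": (8, 18)},
    "contractor_dba": {"hosts": {"db-01", "db-02"}, "window": (6, 20)},
}

# Constructed sample log lines (key=value style) used as input for this example.
SAMPLE_LOG = """\
2015-06-01T09:12:04Z event=login user=vendor_hvac host=bms-01 src=198.51.100.20 result=success
2015-06-01T23:41:17Z event=login user=vendor_hvac host=bms-01 src=198.51.100.20 result=success
2015-06-02T10:05:51Z event=login user=vendor_hvac host=pos-gw-03 src=198.51.100.20 result=success
2015-06-02T10:06:30Z event=privilege user=vendor_hvac host=pos-gw-03 detail=added_to_group:Administrators
2015-06-02T11:00:01Z event=login user=contractor_dba host=db-01 src=203.0.113.9 result=failure
2015-06-02T11:00:02Z event=login user=contractor_dba host=db-01 src=203.0.113.9 result=failure
2015-06-02T11:00:03Z event=login user=contractor_dba host=db-01 src=203.0.113.9 result=failure
2015-06-02T11:00:04Z event=login user=contractor_dba host=db-01 src=203.0.113.9 result=failure
2015-06-02T11:00:05Z event=login user=contractor_dba host=db-01 src=203.0.113.9 result=failure
2015-06-02T11:00:06Z event=login user=contractor_dba host=db-01 src=203.0.113.9 result=success
2015-06-02T12:30:00Z event=login user=jsmith host=db-01 src=10.0.0.5 result=success
"""

FAILURE_BURST_THRESHOLD = 5  # assumed: this many failures within 60 s before a success


def parse_line(line):
    """Parse one key=value log line into a dict with a timezone-aware 'ts' field."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return fields


def find_vendor_account_findings(log_text, registry=THIRD_PARTY_ACCOUNTS):
    """Return (rule, user, host, timestamp) tuples for events a reviewer should examine."""
    findings = []
    recent_failures = defaultdict(list)  # (user, host) -> timestamps of failed logins
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        user, host, ts = ev["user"], ev["host"], ev["ts"]
        policy = registry.get(user)
        if policy is None:
            continue  # not a third-party account; out of scope for this audit
        if ev["event"] == "login":
            if ev["result"] == "failure":
                recent_failures[(user, host)].append(ts)
                continue
            if host not in policy["hosts"]:
                findings.append(("host_out_of_scope", user, host, ts))
            start, end = policy["window"]
            if not (start <= ts.hour < end):
                findings.append(("outside_maintenance_window", user, host, ts))
            burst = [t for t in recent_failures[(user, host)] if (ts - t).total_seconds() <= 60]
            if len(burst) >= FAILURE_BURST_THRESHOLD:
                findings.append(("success_after_failure_burst", user, host, ts))
            recent_failures[(user, host)].clear()
        elif ev["event"] == "privilege":
            # Any privilege change on a vendor account is worth a look, whatever the host.
            findings.append(("privilege_change", user, host, ts))
    return findings


if __name__ == "__main__":
    for rule, user, host, ts in find_vendor_account_findings(SAMPLE_LOG):
        print(f"{ts.isoformat()}  {rule:28s} {user} on {host}")
```

Run as a script it reports four findings from the sample log, one per rule. In practice the registry would come from the vendor-access inventory reviewed during the audit, and each finding would feed the follow-up review the deck calls for; the point for IA is that the answer to "would we know?" is only yes if a rule like this exists, runs, and someone acts on its output.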

Page 18

Protiviti’s cyber-security services

Protiviti provides a full range of cyber-security services to help clients address the challenges of effective cyber-security

We work with clients to address IT cyber-security issues and deploy focused application and data management structures that solve problems and add business value

Data Centric Security

•  Data Governance
•  Data Classification
•  Data Leakage
•  Vendor Management & Due Diligence
•  Privacy Management & Implementation
•  PCI and Security Compliance

Incident Response & Forensics

•  Incident Response Strategy & Planning
•  Emergency Response
•  Computer Forensics
•  Proactive eDiscovery Planning
•  Reactive eDiscovery Support

Security Operations & Implementation

•  Security Operations Center Design
•  SIEM Program & Operational
•  SOC Implementation & Staffing
•  Security Product Implementation

Security Program & Policy

•  Security Policy & Program
•  Security Strategy & Architecture
•  Security Metrics
•  Awareness & Training

Vulnerability/Penetration Testing

•  Infrastructure Vulnerability
•  Application Vulnerability
•  Network Vulnerability
•  Database Vulnerability
•  Secure Code Reviews

Identity & Access Management

•  Identity Governance
•  IAM Policy & Standards
•  IAM Programme Support
•  Role Based Access
•  Privileged User Access Management
•  Identity Federation

Page 19

Protiviti’s industry contributions

Protiviti makes significant contributions to industry groups by actively participating in, sponsoring and leading many industry associations

•  Established a position of thought leadership regarding information security, governance and regulatory compliance, through efforts such as active participation in information security organisations such as OWASP, I-4, ISSA, CSI, InfraGard, SANS and ISACA, and release of our Bulletin and Frequently Asked Questions publications.

•  BITS Shared Assessments – on the Shared Assessments steering committee.

•  All four PCI certifications: Qualified Security Assessor (QSA), Approved Scan Vendor (ASV), PCI Forensics Investigator (PFI) and Payment Application QSA (PA-QSA).

•  FS-ISAC – serves on the Board and Advisors Committee.

•  I-4 – Member of industry “think-tank” focused on information security. Frequent presenter on Industry Best Practices.

•  Board of directors member & charter member of the IT Policy Compliance Group.

•  High Technology Crimes and Investigation Association (HTCIA).

•  FBI InfraGard.

•  Information System Security Association (ISSA).

Page 20

Protiviti’s thought leadership

Protiviti is a leading organisation in developing and disseminating pragmatic thought leadership in cyber-security and risk management

Page 21