
Page 1: CYBERSECURITY - blogs.cae.tntech.edublogs.cae.tntech.edu/.../files/2014/12/2014-TTU-Cybersecurity-Club.pdf · ABOUT ISACA A non-profit, global member association of: ... ISACA APT

CYBERSECURITY HOW IT IS TRANSFORMING THE IT ASSURANCE FIELD

December 2014


KEVIN GROOM

ISACA Involvement (Middle Tennessee Chapter)

Treasurer (2009 – 2011)

Vice President (2011 – 2013)

President (2013 – present)

Education

UT Martin, B.S. in Business Administration (Economics)

UT Knoxville, M.S. in Management Science

Certifications – CISA, CISSP, CPA

IT Audit Director at HCA (8 years)

Largest healthcare provider in the US (#79 on the Fortune 100)

Also held positions as operations research analyst, statistical analyst, programmer, and consultant


ASHLEY SPANGLER

ISACA Involvement (Middle Tennessee Chapter)

Webmaster (2012 – 2013)

Marketing Director (2013 – present)

Academic Coordinator (2013 – present)

Currently a Senior Consultant at LBMC

KraftCPAs, IS Assurance Associate (8/2011 – 12/2012)

Undergraduate – TTU, Accounting with IS Concentration

Graduate – MTSU, Accounting and Information Systems

Unrelated to this presentation: I love golf


ABOUT ISACA

A non-profit, global member association of:

IT Audit and Assurance professionals

IT Security professionals

Risk & Compliance professionals

Governance professionals and more!

Nearly all industry categories: financial, public accounting, government/public sector, technology, healthcare, utilities and manufacturing

Vision: “Trust in, and value from, information and information systems”

Mission: “be the leading global provider of knowledge, certifications, community, advocacy and education”


GLOBALLY RECOGNIZED CERTIFICATIONS

(Certification logos on the slide; only the descriptions survived extraction.)

For IT professionals whose job is to identify and manage risks through appropriate IS controls

For IT governance specialists

For those responsible for auditing, monitoring, and assessing IT and/or business systems

Focuses on security strategy and assessing the systems and policies in place


15 TOP-PAYING CERTIFICATIONS FOR 2014

#1 Certified in Risk and Information Systems Control (CRISC) - $118,253

#2 Certified Information Security Manager (CISM) - $114,844

#3 Certified Information Systems Auditor (CISA) - $112,040


MIDDLE TENNESSEE CHAPTER

Founded in 1986

411 members

224 members have obtained Certified Information Systems Auditor (CISA)

Free events - quarterly chapter meetings, annual luncheon, and periodic socials

www.isaca.org/nashville

@isacanashville


LOCAL MEMBERSHIP


STUDENT MEMBERSHIP

Must be currently enrolled as a full-time student

Annual costs

$25 International dues ($110 savings)

No local chapter dues ($45 savings)

Attend local chapter meetings, annual meeting, and socials for FREE

ISACA offers over 70 free webinars

Also eligible to join our chapter LinkedIn group

www.isaca.org/grow


CYBERSECURITY TRENDS: The World is Changing


KEY TRENDS AND DRIVERS OF SECURITY

Consumerization

• Mobile devices

• Social media

• Cloud services

• Nonstandard

• Security as a Service (SECaaS)

Continual Regulatory and Compliance Pressures

• SOX

• PCI

• HIPAA

• ISO 27001

Emerging Trends

• Decrease in time to exploit

• Targeted attacks

• Advanced persistent threats (APTs)


THE WORLD IS CHANGING


ADAPTIVE ATTACK VECTORS

The threat landscape will continue to evolve as attackers adapt new and innovative attack methods to existing or adaptive attack vectors while defenders deploy new defense strategies.


WHAT IS AN ADVANCED PERSISTENT THREAT?

ADVANCED, STEALTHY AND CHAMELEON-LIKE in its adaptability, APTs were once thought to be limited to attacks on government networks. However, APTs are commonplace and can happen to any enterprise. Repeated pursuit of objectives, adaptation to defenders and persistence differentiate APTs from a typical attack. Primarily, the purpose of the majority of APTs is to extract information from systems – this could be critical research, enterprise intellectual property or government information, among other things.


THE APT LIFE CYCLE

History shows that most sophisticated attackers, regardless of their motives, funding or control, tend to operate in a certain cycle and are extremely effective at attacking their targets.


APT MODUS OPERANDI

APTs have adapted their tactics, techniques and procedures to the typical information security architecture they find deployed. For example…

Traditional Security Practice | APT Modus Operandi

Network boundary/perimeter devices inspect traffic content. | SSL, custom encryption, and password-protected/encrypted container files make packet content inspection difficult or impossible.

Network firewalls monitor and assess traffic metadata. | Communication initiated from within the network using standard ports and protocols (HTTP, DNS, SSL, SMTP, etc.).

Host firewalls monitor and assess local traffic metadata. | Initial infection tool adds malware to host firewall white list.

Intrusion detection and prevention systems with real-time assessment and alerting running on servers and workstations. | Communications use common ports and protocols – hide in plain sight within obvious/allowed traffic.
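The table's last two rows say the implant talks out over allowed ports, so content inspection and port-based rules see nothing unusual. One metadata signal that still survives is timing: implants check in on a fixed schedule. As an added example (not from the slides), the Python below reads constructed egress-log lines and flags flows whose inter-connection gaps are nearly constant; the log format, hosts and thresholds are assumptions.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample egress log (not from the deck): epoch_seconds src_ip dst_host dst_port
SAMPLE_LOG = """\
1417824000 10.1.2.30 updates.example-vendor.test 443
1417824001 10.1.2.55 www.example-news.test 80
1417824060 10.1.2.30 updates.example-vendor.test 443
1417824120 10.1.2.30 updates.example-vendor.test 443
1417824180 10.1.2.30 updates.example-vendor.test 443
1417824240 10.1.2.30 updates.example-vendor.test 443
1417824300 10.1.2.30 updates.example-vendor.test 443
1417824017 10.1.2.55 www.example-news.test 80
1417824533 10.1.2.55 mail.example-corp.test 443
1417824900 10.1.2.55 www.example-news.test 80
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\d+)$")

def parse_log(text):
    """Return {(src, dst, port): [timestamps]} from the egress log."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash on them
        ts, src, dst, port = m.groups()
        flows[(src, dst, int(port))].append(int(ts))
    return flows

def find_beacons(flows, min_connections=5, max_jitter=0.2):
    """Flag flows whose gaps between connections are nearly constant
    (std dev / mean <= max_jitter). Legitimate update checks also look
    like this, so each hit is a lead for triage, not a verdict."""
    suspects = []
    for key, times in flows.items():
        times = sorted(times)
        if len(times) < min_connections:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            suspects.append((key, round(avg, 1)))
    return suspects

if __name__ == "__main__":
    for (src, dst, port), period in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"possible beacon: {src} -> {dst}:{port} every ~{period}s")
```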


METHODS FOR DEFENDING AGAINST THE APT

Many enterprises implement some of the intermediate-level concepts. Because the APT and other advanced, sophisticated attackers have such a high success rate, it is recommended that every enterprise implement all of the basic concepts.


ISACA APT SURVEY

1,220 Individuals Globally (February 2014)

Because the study’s purpose was to measure information security characteristics such as knowledge of advanced persistent threats (APTs), internal controls, internal incidents, policy adherence and management support, the study surveyed those who deal with those issues every day: professionals with information security responsibilities.

Respondents are still using the wrong controls, such as antimalware, antivirus and firewalls, to defend against APTs. These aren’t effective as most of these attacks come from zero-day exploits and the attack vectors are very personalized spear-phishing attacks and now web exploits in the browser. While technology improvements are not clear, behavior is improving, with more organizations making the necessary changes in terms of incident response plans and security awareness training.


92% SAY APTS POSE A CREDIBLE THREAT TO NATIONAL SECURITY OR ECONOMIC STABILITY.

1 IN 5 HAVE EXPERIENCED AN APT ATTACK.

66% SAY IT IS LIKELY OR VERY LIKELY THAT THEIR ORGANIZATION WILL EXPERIENCE AN APT ATTACK:

Very Likely (17%)

Likely (49%)

Not Very Likely(32%)

Not At All Likely(2%)


SKILLS SHORTAGE: Security Skills Are Needed, But Most Don’t Feel They Will Have the Skills They Need


A MAJORITY OF STUDENT MEMBERS (88%) PLAN TO WORK IN A FIELD REQUIRING CYBERSECURITY KNOWLEDGE

After graduation, do you plan to work in a field or job that requires some level of cybersecurity knowledge?

[Bar chart, 0–100% axis, bars Yes / No / Unsure; extracted values 9%, 3%, 88%, with Yes = 88% per the slide title]


BUT FEWER THAN HALF SAY THEY WILL HAVE ADEQUATE SKILLS FOR THE JOB

Do you feel that you will have adequate cybersecurity knowledge to do the type of job you are seeking when you graduate?

Yes (47%)

No (22%)

Unsure (29%)

I do not need cybersecurity knowledge for the job I am seeking (2%)


DO YOU PLAN TO PURSUE A CYBERSECURITY RELATED CERTIFICATE/CERTIFICATION?

Yes (74%)

Unsure (19%)

No (7%)


CYBERSECURITY CAREER PATH

0-3 years (Cybersecurity Fundamentals Certificate)

Established in 2014

No experience required

Must pass knowledge-based exam

3-5 years (Cybersecurity Practitioner-level Certification)

Coming in mid-2015

5+ years (Certified Information Security Manager Certification)

25,000+ professionals certified since inception


CYBERSECURITY FUNDAMENTALS KNOWLEDGE CERTIFICATE

Knowledge-based exam for those with 0 to 3 years’ experience

Foundational level covers four domains:

Cybersecurity architecture principles

Security of networks, systems, applications and data

Incident response

Security implications related to adoption of emerging technologies

Price for the exam and study guide together is $185 (members)

Exam is offered online (at your convenience) and at select ISACA conferences and training events (first was in September 2014)

Content aligns with the National Initiative for Cybersecurity Education (NICE) framework and was developed by a team of ~20 cybersecurity professionals from around the world


CYBERSECURITY NEXUS

www.isaca.org/cyber


…insights and resources for the cybersecurity professional…

…cutting-edge thought leadership, training and certification programs for

professionals...

…knowledge, tools, guidance and connections…


QUESTIONS


Kevin Groom

IT Audit Director

HCA

[email protected]

Ashley Spangler

Senior Consultant

LBMC Security & Risk Services

[email protected]