Auditing After a Cyber‐Attack
JAX IIA Chapter Meeting Cybersecurity and Law Enforcement
© Copyright Elevate Consult LLC. All Rights Reserved
Presenter
Ray Guzman MBA, CISSP, CGEIT, CRISC, CISA
Over 25 years of diversified expertise in:
• Technology Infrastructure Development
• Implementing ERP Solutions
• Developing Information Security Programs
• Business Continuity/Disaster Recovery Planning
• Risk Management
• IT Auditing
• Adjunct Professor at several South Florida Colleges
Topic Agenda
Cyber security Trends in 2013
The rise of cyber‐attacks against service providers
The threat and challenges healthcare providers face
The role of the Internal Auditor to thwart cyber-attacks
Auditing a service provider after a cyber‐attack
Cyber security Trends in 2013
Perspective Case Study: NASA (Paul K. Martin, Inspector General) Testimony before the Subcommittee on Investigations and Oversight, House Committee on Science, Space, and Technology February 2012
“In 2010 and 2011, NASA reported 5,408 computer security incidents that resulted in the installation of malicious software on or unauthorized access to its systems”
Some of these intrusions have affected thousands of NASA computers
Resulted in the theft of export-controlled and otherwise sensitive data
Estimated cost to NASA of more than $7 million
Cyber security Trends in 2013
According to NASA’s Inspector General:
“NASA spends more than $1.5 billion annually on its IT-related activities”
So, what is the problem?
“NASA’s Chief Information Officer Lacks Visibility of and Oversight Authority for Key NASA IT Assets”
Cyber security Trends in 2013
Wayne Gretzky, also known as “the great one,” said:
“A good hockey player plays where the puck is. A great hockey player plays where the puck is going to be.”
Are we learning from Cyber Security Trends?
Cyber security Trends in 2013
Are we learning from Cyber Security Trends?
McAfee's 2013 threat predictions:
1. “Ransomware” resurges and takes on mobile devices
2. Mobile malware goes on a shopping spree
3. Mobile “tap and pay” worms “bump and infect”
4. Botnets phone home
5. Online marketplaces offer “click” to hack services
Cyber security Trends in 2013
Are we learning from Cyber Security Trends?
Open Web Application Security Project (OWASP)
• OWASP is an open community organization
• All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security
• OWASP advocates approaching application security as: People, Process, Technology
Cyber security Trends in 2013
Are we learning from Cyber Security Trends?
Open Web Application Security Project (OWASP)
Top 5 Vulnerabilities of 2010 | Top 5 Vulnerabilities of 2013
A1 – Injection | A1 – Injection
A3 – Broken Authentication and Session Management | A3 – Broken Authentication and Session Management
A2 – Cross-Site Scripting (XSS) | A2 – Cross-Site Scripting (XSS)
A4 – Insecure Direct Object References | A4 – Insecure Direct Object References
A6 – Security Misconfiguration | A6 – Security Misconfiguration
Cyber security Trends in 2013
Lessons learned:
• The means to carry out cyber attacks will continue to evolve to overcome countermeasures
• Cyber attacks can’t be defeated by just throwing money at the problem
• Visibility: How can you protect what you don’t know you have in your network?
• Reduce the attack surface of software applications
• Software assurance: Reduce software vulnerabilities
The rise of cyber‐attacks against healthcare service providers
The problem for health care service providers;
“As predicted, HITRUST has seen a marked increase in the frequency and sophistication of cyber attacks targeted at healthcare organizations,” Daniel Nutkis, Chief Executive Officer, HITRUST
The rise of cyber‐attacks against healthcare service providers
The problem for health care service providers;
New Kid on the block
Financial services and retail organizations have more experience and insight mitigating the risk posed by cyber threats
The rise of cyber‐attacks against healthcare service providers
The problem for health care service providers;
“Healthcare, education, and government accounted for nearly two-thirds of all identities breached in 2012.”
Symantec Corporation
Internet Security Threat Report 2013 :: Volume 18
The rise of cyber‐attacks against healthcare service providers
The problem for health care service providers;
The threat and challenges healthcare providers face
The threat
“Symantec saw a 42 percent increase in the targeted attack rate in 2012 compared with the preceding 12 months.”
Internet Security Threat Report 2013 :: Volume 18
Why would a hacker be more interested in Electronic Health Records (EHR) than credit card information?
The threat and challenges healthcare providers face
The threat
Hackers know about:
• The push to share and exchange medical information electronically
• The push for compliance
• The push for security: protect the confidentiality, integrity and availability of EHRs
• The urgency to do it all while keeping costs low
The threat and challenges healthcare providers face
The threat
Hackers have the upper hand, but why?
Hackers don’t have competing motives
But even more important;
Element of surprise
Resources
Time
The threat and challenges healthcare providers face
The Challenge:
Regulatory and compliance pressures:
• Dissimilar technologies that don’t work together
• Millions of new patients coming into the system
• Industry that was not traditionally the focus of cybercrime, but it is now becoming the biggest target
• Lack of awareness and education to deal with increasing cyber security threats and attacks
The role of the Internal Auditor to thwart cyber-attacks
Protecting Critical EHRs
• Review the organization’s Cyber Security strategy
• Review the organization’s incident response and communication plans
• Review the organization’s critical assets and associated risks
How are vulnerabilities identified?
How are risks disclosed?
The role of the Internal Auditor to thwart cyber-attacks
Protecting Critical EHRs
• Examine information security controls to ensure they are sufficient for regulatory requirements and follow industry best practices
Monitor cloud
Monitor suppliers
Monitor the networks
Monitor software
The role of the Internal Auditor to thwart cyber-attacks
Protecting Critical EHRs
• Identify what digital information is leaving the organization
Where is it going?
How is it tracked?
Who is monitoring the cyber risk?
Auditing a service provider after a cyber‐attack
Forensic investigative and analytical skills and abilities are needed
Technical skills
• Building a digital audit trail
• Understand computer fraud techniques
• Understand information collected from various computer logs
• Understand the inner workings of web servers, firewalls, attack methodology, security procedures & penetration testing
Auditing a service provider after a cyber‐attack
Forensic investigative and analytical skills and abilities are needed
Review:
• Computer Incident Response Plan and its performance after the cyber attack
• Chain-of-custody process
• Information Security Policies and Procedures
• Organizational and legal protocols for incident handling
Reference Documents
NASA Testimony Before Congress in February 2012
McAfee Threats Report Third Quarter 2012
OWASP Top 10 Report for 2013
HITRUST Guidance for Healthcare Organizations to Assess Cybersecurity Preparedness