Internal Audit, Risk, Business & Technology Consulting © 2020 Protiviti Confidential. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners. IIA ST. LOUIS UNDERSTANDING CYBERSECURITY - PAST AND THE PRESENT David Stehr, Protiviti Rob Woltering, Protiviti April 23, 2020


Page 1

IIA ST. LOUIS: UNDERSTANDING CYBERSECURITY - PAST AND THE PRESENT

David Stehr, Protiviti

Rob Woltering, Protiviti

April 23, 2020

Page 2

WHO WE ARE

David Stehr, Director - Security and Privacy. Phone: 636-578-4291. Email: [email protected]

Rob Woltering, Senior Manager - Security and Privacy. Phone: 314-656-1752. Email: [email protected]

Page 3

TODAY’S AGENDA:

• Defining Hacking and Understanding the Evolution of a Hacker
• A look at Different Security Frameworks
• How Hackers Attack – Case Study of a Large Retail Organization
• Why are we so bad at Detecting Breaches?
• Detecting Malicious Activity - Introduction to Threat Hunting
• Selecting High-Value Cyber Audits

Page 4

DEFINING HACKING AND UNDERSTANDING THE EVOLUTION OF A HACKER

Page 5

LARGE DATA BREACHES

Source: CNN, NBC, CSO Online

"Some of the more obvious results of IS failures include reputational damage, placing the organization at a competitive disadvantage, and contractual noncompliance. These impacts should not be underestimated."

― The IIA Research Foundation

Timeline: 2006, 2008, 2009, 2011, 2013, 2014, 2015, 2016, 2017

• AOL: Data on more than 20 million web inquiries, from more than 650,000 users, including shopping and banking data, were posted publicly on a web site.
• Wyndham Hotels: Sued by the U.S. Federal Government after sensitive customer data, including credit card numbers and personal information, allegedly were stolen three times in less than two years.
• Google/other Silicon Valley companies: Stolen intellectual property, including source code.
• Sony's PlayStation Network: 77 million PlayStation Network accounts hacked; Sony is said to have lost millions while the system was down for a month.
• Target: 110 million records breached, including 40 million credit and debit cards. CEO and CIO resigned.
• Home Depot: 56 million payment cards breached. Similar to Target, the attack relied on stolen vendor credentials and RAM scraping.
• Equifax: Personal credit information including SSN, credit card numbers, and credit records for 145+ million consumers stolen.
• Yahoo Breach: All 3 billion accounts compromised. Resulted in a $350 million price drop in Verizon’s pending acquisition.
• Anthem: 78 million personal data records from Anthem and other Blue Cross customers breached.

Page 6

DEFINING HACKING

There is more than one type of “hacking”

Hacking often refers to the practice of modifying or altering computer software and hardware to accomplish a goal that is considered to be outside of the creator’s original objective. People who engage in computer hacking activities are often called hackers.

Software · Hardware · People

Page 7

HACKER TYPES

01 WHITE HAT: Good Guys; Non-Malicious Intent; “Ethical Hacker”
02 BLACK HAT: Bad Guys; Malicious Intent
03 GREY HAT: White and Black Hat; Notifies Administrator of Issue
04 BLUE HAT: Outside Consulting Firm that Tests a System Prior to or After Launch
05 SCRIPT KIDDIES: Little Knowledge; Uses Pre-Packaged Tools

Page 8

EVOLUTION OF HACKING

Once only a hobby for a few, hacking quickly turned into a vehicle for criminal enterprises and garnered the attention of mainstream culture.

Timeline: 1965, 1970’s, 1980’s, 1990, 1995, 1990’s

• First Unix Vulnerability
• Worm Invented
• First Large-Scale Attacks
• Sting Op. “Sundevil”
• The Mitnick Takedown: Held Four Years Without Trial
• The Movies: Mainstream Culture
• Phone Phreaking

Page 9

EVOLUTION OF HACKING CONTINUED

A new wave of hackers has emerged based not on financial gain but rather on social values.

• 2000’s: Rise of the Internet. New Type of Hackers: ILOVEYOU Virus, Botnets
• 2010’s: Anonymous, Lulzsec, Wikileaks
• 2012+: Large Commerce Becomes Major Target: Neiman Marcus, Home Depot, Sony, Target, Anthem
• 2016: USA Presidential Campaign Hacking
• 2020+: What’s Next

Page 10

EXTERNAL THREAT LANDSCAPE

• PII and Credit Card Thieves
• Ransomware Crooks
• Wire Transfer Fraudsters
• Botnet Herders
• Hacktivists
• Nation State Attackers

Page 11

HACKER MOTIVATIONS

• Reputation and Notoriety
• Hacktivism and Social Rights
• Curiosity and Challenges
• Money and Personal Gain

Page 12

A LOOK AT DIFFERENT SECURITY FRAMEWORKS

Page 13

LAYERED SECURITY MODEL

Layers: Physical Security; User Awareness; Firewalls & IDS/IPS; Logical Access; Anti-Virus; Patch Management; Device Configuration

Defense in Depth

Defense in depth is the coordinated use of multiple security countermeasures to protect the confidentiality, integrity, and availability of the information assets in an enterprise.

If a hacker gains access to a system, defense in depth minimizes the adverse impact and gives administrators and engineers time to deploy new or updated countermeasures to prevent recurrence.

Source: http://searchsecurity.techtarget.com/definition/defense-in-depth

Page 14

NIST CYBER SECURITY FRAMEWORK (CSF) OVERVIEW

Where did the framework originate from? In February 2013, President Barack Obama signed an executive order launching the development of a cybersecurity framework with the goal of developing a voluntary “how-to” guide for organizations in the United States’ critical infrastructure community to enhance their cybersecurity postures.

Who developed the framework? Individuals and organizations around the world provided their thoughts on the standards, best practices, and guidelines that would meaningfully improve critical infrastructure cybersecurity. The Department of Commerce's National Institute of Standards and Technology (NIST) consolidated the input into the voluntary Cybersecurity Framework announced on February 12th, 2014. On April 16th, 2018, version 1.1 of the Framework was released.

What is the framework based upon? The Framework leverages and integrates commonly known risk and information security approaches from ISO 2700X, COBIT, ISO 31000, ISO 27005 and FISMA (NIST 800-53).

What is the intended purpose of the framework? The framework is designed to help organizations understand, communicate, and manage their cyber risks. For organizations that don’t know where to start, the framework provides a roadmap. For organizations with more advanced cybersecurity programs, the framework offers a way to better communicate their cyber risks internally and externally.

Page 15

NIST CYBER SECURITY FRAMEWORK (CSF) OVERVIEW

Framework Core

Identify:
● Asset Management
● Business Environment
● Governance
● Risk Assessment
● Risk Management Strategy
● Supply Chain Risk Management

Protect:
● Access Control
● Awareness and Training
● Data Security
● Information Protection Processes & Procedures
● Maintenance
● Protective Technology

Detect:
● Anomalies and Events
● Security Continuous Monitoring
● Detection Processes

Respond:
● Response Planning
● Communications
● Analysis
● Mitigation
● Improvements

Recover:
● Recovery Planning
● Improvements
● Communications

Implementation Tiers: Four tiers describe the degree to which processes exhibit characteristics defined in the CSF:

Tier 1 - Partial: Practices are not formalized or do not exist
Tier 2 - Informed: Practices are in place but may not be formalized as policy
Tier 3 - Repeatable: Practices are formally approved and expressed as policy
Tier 4 - Adaptive: Policies and practices are adapted and continuously improved and optimized

The NIST CSF v1.1 consists of 5 functions, 23 categories, and 108 subcategories based on industry best practices including COBIT, ISO/IEC 27001, NIST SP 800-53, and SANS CSC.

Page 16

ISO 27002 SECURITY FRAMEWORK OVERVIEW

The 2013 publication of ISO 27002 contains 114 controls, including those for:

• Structure
• Security Policies
• Organization of Information Security
• Human Resources Security
• IT Asset Management
• Access Control
• Cryptography
• Physical and Environmental Security
• Operations Security
• Communications Security
• Information Systems Acquisition, Development, Maintenance
• Supplier Relationships
• Information Security Incident Management
• Information Security Aspects of Business Continuity
• Compliance

ISO 27K is an international standard published by the International Standardization Organization (ISO) describing how to establish and effectively manage an organization’s Information Security Management System (ISMS).

The ISO 27K standard consists of 14 domains (including sections on Information Security Policies, Organization of Information Security, Asset Management, Access Control, etc.), 35 subdomains, and 114 controls.

Page 17

CIS CRITICAL SECURITY CONTROLS

In 2008, the Center for Internet Security's Critical Security Controls ("CIS Controls") were created as a collaboration between representatives from the U.S. government and private sector security research organizations.

A set of practical defenses specifically targeted toward stopping cyber-attacks, these proposed defenses were technical in nature and intended to define specific, practical steps an organization could take to stop the most common cyber threats from compromising their information systems.

Formerly known as the SANS Top 20.

The CIS Controls consist of 149 sub-controls grouped into 20 parent control categories.

Page 18

CIS CRITICAL SECURITY CONTROLS

Organizations that apply the first five CIS Controls can reduce their risk of cyberattack by around 85 percent.

Top 5 CIS Controls

✓ CSC 1: Inventory of Authorized and Unauthorized Devices
✓ CSC 2: Inventory of Authorized and Unauthorized Software
✓ CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
✓ CSC 4: Continuous Vulnerability Assessment and Remediation
✓ CSC 5: Controlled Use of Administrative Privileges

Implementing all 20 CIS Controls increases the risk reduction to around 94 percent.

Page 19

HOW HACKERS ATTACK

CASE STUDY OF A LARGE RETAIL ORGANIZATION

Page 20

CYBER KILL CHAIN

“A kill chain is a systematic process to target and engage an adversary to create desired effects.”

“The essence of an intrusion is that the aggressor must develop a payload to breach a trusted boundary, establish a presence inside a trusted environment, and from that presence, take actions towards their objectives, be they moving laterally inside the environment or violating the confidentiality, integrity, or availability of a system in the environment.”

-- Lockheed Martin, Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains

Page 21

KILL CHAIN PHASE: RECONNAISSANCE

Adversary gathers information about the victim

➢ GOOGLE SEARCH REVEALS RETAILER’S SUPPLIER PORTAL
• Retailer gave vendors access for electronic billing, contract submission, and project management purposes
• Publicly available documentation reveals HVAC vendor info; file metadata may have been used as well.

➢ ADVERSARY IDENTIFIES POTENTIAL TARGET
• HVAC and refrigeration company

Page 22

KILL CHAIN PHASE: WEAPONIZATION & DELIVERY

Adversary prepares and delivers a malicious payload to the victim

➢ ADVERSARY LAUNCHES PHISHING ATTACK AGAINST VENDOR
• Vendor received phishing e-mails, likely containing malicious PDF files, macro-enabled Microsoft Office files, or malicious web links, two months prior to the breach.

➢ MALICIOUS PAYLOAD INSTALLS KEY LOGGER
• Key logger collects vendor employee’s log-in credentials to the Retailer portal.

➢ VENDOR DID NOT HAVE PROPER SECURITY CONTROLS
• Used free personal edition of anti-virus, which does not provide real-time protection. It did not detect the malicious key logger.

Page 23

KILL CHAIN PHASE: EXPLOITATION

Adversary’s payload is executed in the victim’s network

➢ ADVERSARY NOW HAS GAINED ACCESS TO THE VENDOR PORTAL

➢ HOW DID THEY PIVOT FROM WEB SERVER TO INTERNAL NETWORK?
• Details have not been disclosed by Retailer.
• Possible that the web service / portal was exploited to gain command-line access to the underlying OS.
• Possibly a SQL injection.
• Possible that the adversary then escalated their privileges on the web server OS.
• Possible that default vendor software credentials were used.

Pages 24-30

PAUSE: The adversary has now gained access to Retailer’s internal network.

What could have been done to prevent the adversary from getting this far?

1. VENDOR MANAGEMENT
2. MULTI-FACTOR AUTHENTICATION
3. WEB APP PENETRATION TESTING
4. VULNERABILITY MANAGEMENT
5. PATCH MANAGEMENT
6. NETWORK INTRUSION DETECTION SYSTEM

Page 31

KILL CHAIN PHASE: INSTALLATION

Adversary establishes a foothold in the victim’s network

➢ ADVERSARY NOW HAS ACCESS TO RETAILER’S INTERNAL NETWORK

➢ ADVERSARY IDENTIFIES POS SYSTEMS AND DEPLOYS MALWARE
• “RAM scraping” malware available for purchase on black-market forums for $1,800 - $2,300.
• The malware was then modified to the adversary’s needs in attacking Retailer.

As soon as a card is swiped, the card information is temporarily loaded into RAM in clear text. The “RAM scraping” malware immediately pulls the data from RAM before it is processed and erased.

Page 32

KILL CHAIN PHASE: COMMAND & CONTROL

Adversary establishes remote access to the victim’s network

➢ ADVERSARY GAINED PERSISTENT ACCESS
• Details are unknown / undisclosed, but it is believed persistent access was obtained using Vendor’s credentials, or other credentials obtained after compromising the web server.

➢ ADDITIONAL INTERNAL SERVERS WERE COMPROMISED
• The adversary compromised at least two other internal servers to control and execute the attack:
• A “dump” server to which all of the credit card data scraped from the POS systems was written.
• An exfiltration server which was used to pull data from the “dump” server and upload it to an external, non-Retailer server (believed to have been compromised by the adversary).


KILL CHAIN PHASE: ACTION ON OBJECTIVES

Adversary exfiltrates data from the victim network

1. POS malware writes credit card data to the dump server

2. Exfiltration server pulls card data from the dump server and sends it to external FTP servers

• Transmissions occurred multiple times per day for two weeks, between 10am and 6pm.

3. Data downloaded from the FTP sites by a Russian virtual private server


WHERE DID THE RETAILER GO WRONG?


VENDOR MANAGEMENT

01 – Vendor had a weak security program, and access to the Retailer network

❖ RECON – Publicly available information disclosed the Retailer’s vendors.

❖ WEAPONIZATION – Vendor used inadequate anti-virus without real-time alerting or defenses.

❖ DELIVERY – Vendor did not detect the phishing emails it received, and did not train its users to recognize and report phishing attempts.

❖ DELIVERY – Retailer did not isolate its billing system from the rest of its network, and did not require two-factor authentication for that access.


INTRUSION RESPONSE

02 – Retailer failed to respond to automated alerts that malware was being installed

❖ EXPLOITATION – Retailer had known security vulnerabilities on its POS systems that went unpatched and unmitigated. These vulnerabilities were exploited to gain access and install the RAM scraping malware.

❖ EXPLOITATION – Retailer’s alerting system reported events for each install of the malware. These alerts were ignored by the Retailer, and its security solution was not configured to automatically delete the malware when detected.

❖ INSTALLATION – Retailer’s antivirus detected malware on the POS systems and the exfiltration server. These alerts were also ignored.


NETWORK / SYSTEM ISOLATION

03 – Attackers were able to move from less sensitive areas of the network to more sensitive areas containing customer data

❖ INSTALLATION – It is suspected that the attackers used a common account and password to move through the network from the third-party-facing system to the dump server and exfiltration server.

❖ INSTALLATION – Retailer was not running application whitelisting software on any of its critical systems, so unknown, untrusted software outside of any change control process was allowed to execute on those systems.

❖ COMMAND & CONTROL – Retailer’s systems were allowed to connect outbound to the internet on common data exfiltration ports that were not required for business purposes.


EXFILTRATION RESPONSE

04 – Retailer failed to respond to automated alerts that systems were communicating outbound with known data exfiltration IP addresses

❖ ACT ON OBJECTIVES – Credit card data was sent in clear text via FTP. It was detected by data loss prevention (DLP) technology, and the generated events were ignored.

❖ ACT ON OBJECTIVES – The exfiltration destination was in Russia. Presumably there was no justified business reason for a server to initiate outbound connections to Russia, regardless of protocol or data content.

❖ ACT ON OBJECTIVES – Retailer’s systems reported events of data exfiltration to known credit card dump locations repeatedly while the attackers exfiltrated data over a period of two weeks. Retailer ignored the events.
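Three of the findings above (servers allowed outbound on exfiltration ports with no business need, a destination country with no business justification, and transfers repeated several times a day for two weeks) can be expressed as a single egress policy check over connection logs. The following is an added example for this page, not Protiviti’s or the Retailer’s tooling: the cardholder-data segment, the egress allowlist, the port list and the GeoIP stand-in are assumptions about a hypothetical environment, and the log lines are constructed to mirror the pattern described in the Action on Objectives slide.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# --- constructed policy; every value here is an assumption about the environment ---
CDE_NETS = [ipaddress.ip_network("10.20.0.0/16")]            # POS / cardholder-data segment
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EGRESS_ALLOWLIST = {("203.0.113.10", 443)}                    # e.g. the payment processor endpoint
EXFIL_PRONE_PORTS = {20, 21, 22, 69, 989, 990}                # FTP/SFTP/TFTP/FTPS: servers have no need to initiate these outbound
APPROVED_COUNTRIES = {"US"}
GEO = {ipaddress.ip_network("198.51.100.0/24"): "RU",         # stand-in for a GeoIP database lookup
       ipaddress.ip_network("203.0.113.0/24"): "US"}
SUSTAINED_DAYS = 2                                            # repeated over >= this many days => campaign, not a one-off

# constructed connection log: <timestamp> <src> <dst> <dst_port> <bytes_out>
SAMPLE_LOG = """\
2020-03-02T10:15:02+00:00 10.20.5.17 10.20.9.40 445 5120000
2020-03-02T11:02:44+00:00 10.20.9.40 198.51.100.23 21 7340032
2020-03-02T12:00:00+00:00 10.20.5.17 203.0.113.10 443 20480
2020-03-02T15:30:11+00:00 10.20.9.40 198.51.100.23 21 6815744
2020-03-03T10:48:09+00:00 10.20.9.40 198.51.100.23 21 9437184
2020-03-03T14:12:50+00:00 10.20.9.40 198.51.100.23 21 8126464
2020-03-04T09:58:33+00:00 10.20.9.40 198.51.100.23 21 7667712
"""


def parse(log: str) -> list:
    records = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "src": ipaddress.ip_address(src),
                        "dst": ipaddress.ip_address(dst), "port": int(port), "bytes": int(nbytes)})
    return records


def in_any(ip, nets) -> bool:
    return any(ip in n for n in nets)


def country(ip) -> str:
    return next((c for net, c in GEO.items() if ip in net), "unknown")


def policy_violations(rec: dict) -> list:
    """Reasons a connection from the cardholder segment breaks egress policy; [] if it is fine."""
    if not in_any(rec["src"], CDE_NETS) or in_any(rec["dst"], INTERNAL_NETS):
        return []                                   # only CDE hosts talking to the Internet are in scope
    if (str(rec["dst"]), rec["port"]) in EGRESS_ALLOWLIST:
        return []
    reasons = ["destination/port not on egress allowlist"]
    if rec["port"] in EXFIL_PRONE_PORTS:
        reasons.append(f"exfil-prone port {rec['port']}")
    c = country(rec["dst"])
    if c not in APPROVED_COUNTRIES:
        reasons.append(f"destination country {c} not approved")
    return reasons


def evaluate(records: list):
    """Per-connection alerts, plus per (src, dst) aggregation that surfaces a sustained campaign."""
    alerts = []
    pairs = defaultdict(lambda: {"transfers": 0, "days": set(), "bytes": 0})
    for rec in records:
        reasons = policy_violations(rec)
        if not reasons:
            continue
        alerts.append({"ts": rec["ts"].isoformat(), "src": str(rec["src"]),
                       "dst": str(rec["dst"]), "port": rec["port"], "reasons": reasons})
        agg = pairs[(str(rec["src"]), str(rec["dst"]))]
        agg["transfers"] += 1
        agg["days"].add(rec["ts"].date())
        agg["bytes"] += rec["bytes"]
    for agg in pairs.values():
        agg["sustained"] = len(agg["days"]) >= SUSTAINED_DAYS
    return alerts, dict(pairs)


if __name__ == "__main__":
    alerts, pairs = evaluate(parse(SAMPLE_LOG))
    for a in alerts:
        print(a)
    for pair, agg in pairs.items():
        print(pair, agg["transfers"], "transfers over", len(agg["days"]), "days,",
              agg["bytes"], "bytes, sustained:", agg["sustained"])
```

Two design points. The geo check is deliberately last and lowest-weight: GeoIP is approximate and a drop server can just as easily sit in an approved country, so the allowlist and port checks carry the detection. The per-pair aggregation is what turns a stream of repeated, individually ignored FTP events into one high-severity finding, which is exactly the gap the slide describes.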


Retailer was PCI-DSS Compliant

Warranting the question:

Do your cybersecurity program and 3rd line of defense audits just check the box…

… Or do they strive to enable the business to proactively find and respond to indicators of compromise before the breach?


WHY ARE WE SO BAD AT DETECTING BREACHES?


HOW AND WHEN ORGANIZATIONS NOTICE BREACHES

From a recent Mandiant report:

• Nearly 70% of breached organizations were notified they were breached by an outside party.

• A median of 205 days passed before an organization was notified that it was breached, or noticed itself.

Other industry reports, such as the Verizon DBIR, and Protiviti’s own experience with incident response, show a similar pattern.

Conclusion: Organizations are not good at self-detecting breaches in a timely manner.


HOW MOST DETECTION TECHNOLOGY WORKS: KNOWN BAD

Most attacker-detection technology works by detecting either known bad signatures or known suspicious behaviors that have previously been associated with attackers.

Cybersecurity isn’t hard, just look for this guy in the break room.


KNOWN BAD SIGNATURES

Similar to TSA looking for guns, knives, and explosive residue during screening.

• IP addresses associated with bad actors.

• Contents of communications used by previous malware.

• Strings used in previous malware, or file hashes of those files.


BENEFITS OF LOOKING FOR KNOWN BAD SIGNATURES (the “TSA approach”)

• Easy

• Cheap

• Accurate


DISADVANTAGES OF LOOKING FOR KNOWN BAD SIGNATURES

• Outdated quickly

• Less effective against individual attackers

• Known by attackers
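To make the three signature types and the “outdated quickly” point concrete, here is an added example written for this page (the IOCs and samples are constructed, not real threat intelligence and not Protiviti material): a minimal IOC matcher for file hashes, strings, network content and IP addresses, run against a “first sample”, then against the same sample with one byte appended, which is all a repack needs to do to defeat the hash, and then against a variant where the attacker also renamed the artifact.

```python
import hashlib
import re

# --- constructed "first sample" of a scraper and the IOCs extracted from it ---
ORIGINAL_SAMPLE = (b"MZ\x90\x00" + b"\x00" * 60 +
                   b"This program cannot be run in DOS mode." +
                   b"\x00" * 16 + b"cc_dump.dat\x00" + b"\\\\10.20.9.40\\share\\")
MODIFIED_SAMPLE = ORIGINAL_SAMPLE + b"\x00"                   # repacked/padded variant: one byte differs


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


IOC_HASHES = {sha256(ORIGINAL_SAMPLE)}                         # hash "collected" from the first sample
IOC_STRINGS = [b"cc_dump.dat", b"\\\\10.20.9.40\\share\\"]    # strings seen in the first sample
IOC_IPS = {"198.51.100.23"}                                    # drop-server address from the first case
NET_SIGNATURES = [re.compile(rb"STOR cc_dump_\d{8}\.dat")]     # FTP command pattern used by the first sample


def match_file(data: bytes) -> dict:
    """Which signature classes fire on a file: hash (exact match) and strings (content match)."""
    reasons = {}
    if sha256(data) in IOC_HASHES:
        reasons["hash"] = sha256(data)[:12]
    found = [s for s in IOC_STRINGS if s in data]
    if found:
        reasons["strings"] = [s.decode(errors="replace") for s in found]
    return reasons


def match_traffic(payload: bytes, peer_ip: str) -> dict:
    """Network-side signatures: known-bad peer IP and known command/content patterns."""
    reasons = {}
    if peer_ip in IOC_IPS:
        reasons["ip"] = peer_ip
    for sig in NET_SIGNATURES:
        if sig.search(payload):
            reasons["content"] = sig.pattern.decode()
    return reasons


def demo() -> dict:
    """Run the matcher over the original, the repacked variant, a renamed variant, and one FTP command."""
    renamed = MODIFIED_SAMPLE.replace(b"cc_dump.dat", b"svc_cache.bin")   # attacker renames the artifact
    return {
        "original": match_file(ORIGINAL_SAMPLE),
        "repacked": match_file(MODIFIED_SAMPLE),
        "renamed": match_file(renamed),
        "ftp_session": match_traffic(b"STOR cc_dump_20200302.dat\r\n", "198.51.100.23"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12} -> {result or 'no IOC match'}")
```

Hash IOCs are exact and cheap but die on a single changed byte; string and content IOCs survive repacking but die on a rename or a protocol tweak; the IP survives until the attacker moves to a new drop host. That is the “outdated quickly / known by attackers” trade-off in code, and it is why the next slides turn to behaviour.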


WHAT IS AN ALTERNATIVE? KNOWN SUSPICIOUS BEHAVIORS

1. One computer on a network connecting to many other computers in quick succession.

2. An executable file that attempts to reach out to the Internet when it is launched.

3. Multiple incorrect password attempts on a user account over a short period of time.

Similar to TSA flagging passengers that purchased using cash, bought a one-way ticket, or have traveled to certain countries.


BENEFITS OF LOOKING FOR KNOWN SUSPICIOUS BEHAVIORS

1. Somewhat automatable

2. Earlier detection

3. Stays relevant longer


CHALLENGES IN LOOKING FOR KNOWN SUSPICIOUS BEHAVIORS

1. Difficult to balance false positives and false negatives.

2. Expensive.

3. Known by attackers.
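The three behaviours listed two slides above (fan-out from one host, an executable that reaches out right after launch, and a burst of failed logins) are each a count over a sliding time window, and the first challenge listed here, balancing false positives against false negatives, is the choice of window and threshold. The following is an added example for this page, not Protiviti’s tooling; every event, host name and account is constructed, and the two-second monitoring poller is included to show how a legitimate host becomes a false positive when the fan-out threshold is set too low.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

BASE = datetime(2020, 3, 2, 10, 0, 0)

# Behaviour 1 input: (time, src, dst). A scanner sweeps 12 hosts in 12 s; a monitoring poller checks 5.
CONN_EVENTS = (
    [(BASE + timedelta(seconds=i), "10.0.0.50", f"10.0.1.{i + 1}") for i in range(12)]
    + [(BASE + timedelta(seconds=2 * i), "10.0.0.5", f"10.0.2.{i + 1}") for i in range(5)]
)

# Behaviour 2 input: (time, host, kind, image[, destination]); kind is "start" or "net".
PROC_EVENTS = [
    (BASE, "POS-017", "start", "C:\\Windows\\Temp\\upd8r.exe"),
    (BASE + timedelta(seconds=5), "POS-017", "net", "C:\\Windows\\Temp\\upd8r.exe", "198.51.100.23:21"),
    (BASE, "POS-018", "start", "C:\\Program Files\\POS\\pos.exe"),
    (BASE + timedelta(minutes=10), "POS-018", "net", "C:\\Program Files\\POS\\pos.exe", "203.0.113.10:443"),
]

# Behaviour 3 input: (time, user, result). svc_backup: 8 failures in 21 s then a success; jdoe: 3 typos over 14 min.
AUTH_EVENTS = (
    [(BASE + timedelta(seconds=3 * i), "svc_backup", "FAIL") for i in range(8)]
    + [(BASE + timedelta(seconds=24), "svc_backup", "SUCCESS")]
    + [(BASE + timedelta(minutes=7 * i), "jdoe", "FAIL") for i in range(3)]
)


def detect_fanout(events, window=timedelta(seconds=60), threshold=10) -> dict:
    """Behaviour 1: {src: peak distinct destinations} for sources exceeding threshold inside the window."""
    by_src = defaultdict(list)
    for t, src, dst in sorted(events, key=lambda e: e[0]):
        by_src[src].append((t, dst))
    flagged = {}
    for src, conns in by_src.items():
        recent = deque()
        for t, dst in conns:
            recent.append((t, dst))
            while t - recent[0][0] > window:          # drop connections older than the window
                recent.popleft()
            distinct = len({d for _, d in recent})
            if distinct >= threshold:
                flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged


def detect_launch_then_beacon(events, window=timedelta(seconds=30)) -> list:
    """Behaviour 2: (host, image, destination) when an image opens a network connection within window of starting."""
    started = {}
    hits = []
    for ev in sorted(events, key=lambda e: e[0]):
        t, host, kind, image = ev[:4]
        if kind == "start":
            started[(host, image)] = t
        elif kind == "net" and (host, image) in started and t - started[(host, image)] <= window:
            hits.append((host, image, ev[4]))
    return hits


def detect_failed_logins(events, window=timedelta(minutes=5), threshold=5) -> dict:
    """Behaviour 3: per user, peak failures inside the window and whether a success followed such a burst."""
    fails = defaultdict(deque)
    result = {}
    for t, user, outcome in sorted(events, key=lambda e: e[0]):
        q = fails[user]
        while q and t - q[0] > window:
            q.popleft()
        if outcome == "FAIL":
            q.append(t)
            if len(q) >= threshold:
                entry = result.setdefault(user, {"max_failures": 0, "success_after_burst": False})
                entry["max_failures"] = max(entry["max_failures"], len(q))
        elif outcome == "SUCCESS" and len(q) >= threshold:
            result[user]["success_after_burst"] = True   # the burst paid off: the highest-fidelity signal here
    return result


if __name__ == "__main__":
    print("fan-out, threshold 10:", detect_fanout(CONN_EVENTS, threshold=10))
    print("fan-out, threshold 4: ", detect_fanout(CONN_EVENTS, threshold=4))
    print("launch->beacon:", detect_launch_then_beacon(PROC_EVENTS))
    print("failed logins:", detect_failed_logins(AUTH_EVENTS))
```

Lowering the fan-out threshold from 10 to 4 would catch a slower scanner but also flags the monitoring poller; raising the failed-login threshold to 9 misses the eight-attempt burst entirely. Choosing those numbers per environment requires knowing what normal looks like, which is the expensive, analyst-driven part the slide calls out, and it is the question the “Let’s Get To Know Ourselves” slide later asks directly.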


DETECTING MALICIOUS ACTIVITY

AN INTRO TO THREAT HUNTING


HUNTING: SEARCHING FOR ATTACKERS

Proactively searching for attackers that would not be detected using in-place technologies, processes, and information.

Hunting helps answer the question “are we currently breached and just don’t know it?”


HUNTING AREAS

Hunting is not standardized in the industry, but often includes:

• Systems Review – Broad review of processes running on systems for anomalies, and detailed examination of key systems, often involving forensic investigation such as examining memory and disk captures.

• Network Review – High-level statistical review of Internet and other key network destinations and activity over time, along with a “deep dive” into network traffic captures for a shorter duration.

• User Activity Review – High-level statistical review of user activity to identify anomalies, with particular focus on privileged administrator accounts, application service accounts and remote access.

• Historic Alerts Review – Looking at historic alerts from anti-virus and other detection mechanisms for cases where alerts were more serious than first thought, or look more serious given current information.
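As an added example of the “Systems Review” area (written for this page; not from the original deck or Protiviti): least-frequency analysis, or “stacking”, of running process images across a fleet. Images that appear on only one or two hosts, run from user-writable paths, or share a name with a common system binary but not its path are the anomalies a hunter pulls for closer inspection, including the memory capture described above. The inventory and the path list are constructed; a real run would take the output of an EDR or a remote tasklist-style collection from every host.

```python
from collections import Counter, defaultdict

# Constructed fleet inventory: host -> full paths of running images (as an EDR or remote tasklist would return).
INVENTORY = {
    "POS-001": ["C:\\Windows\\System32\\svchost.exe", "C:\\Windows\\System32\\lsass.exe", "C:\\Program Files\\POS\\pos.exe"],
    "POS-002": ["C:\\Windows\\System32\\svchost.exe", "C:\\Windows\\System32\\lsass.exe", "C:\\Program Files\\POS\\pos.exe"],
    "POS-003": ["C:\\Windows\\System32\\svchost.exe", "C:\\Windows\\System32\\lsass.exe", "C:\\Program Files\\POS\\pos.exe"],
    "POS-004": ["C:\\Windows\\System32\\svchost.exe", "C:\\Windows\\System32\\lsass.exe", "C:\\Program Files\\POS\\pos.exe",
                "C:\\Windows\\Temp\\svchost.exe"],                      # same name as a system binary, wrong path
    "POS-005": ["C:\\Windows\\System32\\svchost.exe", "C:\\Windows\\System32\\lsass.exe", "C:\\Program Files\\POS\\pos.exe",
                "C:\\Users\\kiosk\\AppData\\Local\\Temp\\upd8r.exe"],   # unique image from a user-writable path
}

# Assumed locations a legitimate service should not run from; adjust to the build standard.
USER_WRITABLE_PREFIXES = ("c:\\windows\\temp\\", "c:\\users\\", "c:\\programdata\\")


def stack_processes(inventory: dict, rare_max_hosts: int = 1) -> list:
    """Return anomalous images with the hosts running them and the reasons they stand out."""
    host_count = Counter()                                  # image path -> number of hosts running it
    paths_by_name = defaultdict(lambda: defaultdict(set))   # file name -> path -> hosts
    hosts_by_image = defaultdict(set)
    for host, images in inventory.items():
        for image in {i.lower() for i in images}:
            host_count[image] += 1
            hosts_by_image[image].add(host)
            paths_by_name[image.rsplit("\\", 1)[-1]][image].add(host)

    fleet = len(inventory)
    findings = []
    for image, n in host_count.items():
        reasons = []
        if n <= rare_max_hosts:
            reasons.append(f"rare: running on {n} of {fleet} hosts")
        if image.startswith(USER_WRITABLE_PREFIXES):
            reasons.append("runs from a user-writable path")
        name = image.rsplit("\\", 1)[-1]
        if len(paths_by_name[name]) > 1:
            # the path most hosts use is the fleet norm; any other path carrying the same name is suspect
            norm = max(paths_by_name[name], key=lambda p: len(paths_by_name[name][p]))
            if image != norm:
                reasons.append(f"same name as fleet-normal {norm} but different path")
        if reasons:
            findings.append({"image": image, "hosts": sorted(hosts_by_image[image]), "reasons": reasons})
    return sorted(findings, key=lambda f: f["image"])


if __name__ == "__main__":
    for f in stack_processes(INVENTORY):
        print(f["image"], f["hosts"])
        for r in f["reasons"]:
            print("   -", r)
```

Stacking needs no signature: it only asks what is different about one host relative to its peers, so it still works against the modified, never-before-seen malware the case study describes. It does need a fleet of similar builds to compare against, which is why the technique suits POS estates and server farms better than a mixed laptop population.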


HUNTING: THE IMPORTANCE OF THE HUNTER

• While introducing additional “known bad” information can provide value and identify undiscovered threats, skilled hunters must be employed to identify “unknown bad” threats.

• This is key to turning the tables on attackers: using intelligent, creative analysts as opposed to just relying on detection technology attackers know about.

Effective hunting cannot be achieved through technology alone.


SELECTING HIGH VALUE CYBERSECURITY AUDITS


OVERVIEW

High value audits are designed to provide the audit committee with relevant and pragmatic insights into the technology risks and related recommendations in the audit area.

High Value IT audits typically fall into the following categories:

• Audits that have the potential for a high return on investment

• Audits that address very critical and high-risk activities/functions


THE ART OF WAR


LET’S GET TO KNOW OURSELVES

Easier Questions

• What does our network look like (systems, network, users)?

• Where is our sensitive data?

• What are our weaknesses?

Harder Questions

• What programs should be running on our systems?

• What type of traffic is “normal” for us?

• What user activity is normal?

What’s the Risk?

Not knowing what you have makes it hard to know what to protect.

Not knowing your weaknesses makes it hard to know where you will be hit.

Not knowing what is normal makes it hard to know what is abnormal.


A PENETRATION TEST IS NOT ENOUGH

Internal audit plans frequently include a penetration test, and only a penetration test, as a cyber security-related audit. The increased risk environment necessitates that internal audit look beyond penetration tests and increase the number of cyber security audits.

Limits of Penetration Testing

A penetration test does not always provide an accurate or comprehensive assessment of cyber security risk. The goal of a penetration test is to simulate a single attack, not to uncover all possible attack scenarios. It is also usually very time-constrained, lasting weeks instead of the months that actual attackers have.

NIST Cybersecurity Framework: Functions and Categories

Identify: Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy

Protect: Access Control; Awareness & Training; Data Security; Information Protection Processes & Procedures; Maintenance; Protective Technology

Detect: Anomalies & Events; Security Continuous Monitoring; Detection Processes

Respond: Response Planning; Communications; Analysis; Mitigation; Improvements

Recover: Recovery Planning; Improvements; Communications

Internal audit departments need to rebalance their plans to cover more cyber security areas.


SELECTING THE RIGHT CYBER SECURITY AUDITS

An internal audit plan focused on cyber risk should be based on the organization’s risk profile and the external threat landscape. Security audits are generally categorized into four areas (as described below), and then specific projects can be selected based on the corresponding maturity level.

Breach Detection and Response – Assessing an organization’s ability to identify and properly respond to a security incident

Technical Attack Assessments – Traditional and emerging attack vectors an attacker may use to access your network and information

Program/Governance – Understanding and assessing the overall security posture of the environment

Applications and Infrastructure – Focused assessments to identify and evaluate risks associated with applications, supporting infrastructure and emerging technology, such as Cloud and IoT


SELECTING THE RIGHT AUDITS

Indicators and Questions to Ask

More Mature

Indicators:

• Dedicated resources

• Formal policies/procedures

• Meaningful security reporting

• “Active” security risk management

Questions to ask:

• Do we have the resources to identify and detect a compromise?

• Can we respond efficiently and quickly to a breach?

Less Mature

Indicators:

• Lack of a formal budget

• No (or minimal) dedicated resources

• Lack of policies/procedures

• Limited security risk management capabilities

Questions to ask:

• Do we have regulations to comply with?

• Are we already breached?

Breach Detection/Response

• Blue Team Coordination and Incident Response Review to comprehensively assess the incident response program

• Pre-Breach Assessment to perform threat hunting using tools to identify indicators of an existing compromise

• Cyber Defense Review to assess monitoring and response capabilities

Technical Attack Assessments

• Red Team exercises to perform unannounced testing of controls using “out of the box” techniques

• Customized Pen Testing Scenarios to specifically target controls such as segmentation, data exfiltration protection, and privileged accounts

• Social Engineering or Mobile Security Reviews to assess attacks specific to these channels

• External/Internal Penetration Testing to assess threats on the network

• Vulnerability Program Assessment to understand how threats and vulnerabilities are being identified and addressed

Applications and Infrastructure

• Secure SDLC Review to assess security controls that support the development process, including static/dynamic code analysis

• Identity and Access Management Review to assess identity risks, including privileged access

• Technical Configuration Reviews to understand whether systems and emerging technologies are configured securely

Program/Governance

• Cyber Security Framework Assessment to understand and benchmark current/future capabilities against a standard framework

• Data Security Review to assess controls to identify, inventory and protect sensitive data

• Third-Party Risk Assessment to understand how the organization is identifying and addressing risk in this channel

• Regulatory and Data Privacy Reviews to understand risks and issues around the protection and handling of personally identifiable information

• Cyber Risk Assessment to help understand and prioritize risks

• Cyber Kill Chain assessment to assess technical capabilities using a standard approach


QUESTIONS?
