InfoSec Risks from the Front Lines
Adam Brand, Protiviti
Orange County IIA Seminar
© 2014 Protiviti Inc. An Equal Opportunity Employer.2
Who I Am
• Adam Brand
• IT Security Services
• Some Incident Response Experience
• Lead Breach Detection Audits
• @adamrbrand
• Who are you?
What I Hope to Accomplish (in the next hour)
• Current Threat Landscape
• Latest Risks to Watch
• Where Internal Audit Should Focus
• Q & A
Current External Threat Landscape
• Credit Card/PII Thieves
• Ransomware Crooks
• Wire Transfer Fraudsters
• Botnet Herders
• Political Attackers
• Corporate Secrets Thieves
Insider threats and compliance “threats” are a different presentation…
Credit Card/PII Thieves
Ransomware Crooks
Wire Transfer Fraudsters
Botnet Herders
Political Attackers
Corporate Secrets Thieves
Latest Risks to Watch?
• Cloud
• Mobile
• Internet of Things
It Depends…
It Depends (cont)…
What Does The Data Say?
Source: USSS/Verizon Data Breach Report, 2014
Latest Risks to Watch
• Not Knowing Yourself
• Permissive Web Access
• Over-reliance on Tools
Not Knowing Yourself
Easier Questions
• What does our network look like (systems, network, users)?
• Where is our sensitive data?
• What are our weaknesses?
Harder Questions
• What programs should be running on our systems?
• What type of traffic is “normal” for us?
• What user activity is normal?
What’s the Risk?
• Not knowing what you have makes it hard to know what to protect.
• Not knowing your weaknesses makes it hard to know where you will be hit.
• Not knowing what is normal makes it hard to know what is abnormal.
Not Knowing Yourself: Controls
Basics
• Strong asset and configuration management
• Periodic data discovery (interviews + tool sweeps)
• Third-party vulnerability assessments
Stronger
• System baselining and variance monitoring
• Traffic baselining and variance monitoring
• User activity baselining and variance monitoring
“If you know the enemy and know yourself, you
need not fear the result of a hundred battles.”
- Guess Who?
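The three “Stronger” controls above all come down to the same mechanism: record what normal looks like, then report variance from it. The following is an added example (not from the deck, and not any product’s code) showing the idea for two of the three: a per-host baseline of running processes compared against today’s inventory sweep, and a per-host baseline of daily outbound traffic volume with a z-score variance check. The host names, process lists and byte counts are constructed sample data.

```python
"""Baseline-and-variance monitoring for running processes and outbound traffic.

Added example for the "Stronger" controls above; it is not from the deck. The
baseline, snapshot and traffic figures below are constructed sample data.
"""
from statistics import mean, pstdev

# Constructed baseline: the processes seen on each host during a quiet reference week.
PROCESS_BASELINE = {
    "web01": {"nginx", "sshd", "cron", "rsyslogd"},
    "db01": {"postgres", "sshd", "cron", "rsyslogd"},
}

# Constructed snapshot from today's inventory sweep.
PROCESS_SNAPSHOT = {
    "web01": {"nginx", "sshd", "cron", "rsyslogd", "nc"},   # unexpected extra process
    "db01": {"postgres", "sshd", "rsyslogd"},               # cron has stopped
}

# Constructed daily outbound byte counts per host over a 14-day baseline window.
TRAFFIC_BASELINE = {
    "web01": [2.1e9, 2.3e9, 1.9e9, 2.0e9, 2.2e9, 2.4e9, 2.1e9,
              2.0e9, 2.2e9, 2.3e9, 1.8e9, 2.1e9, 2.0e9, 2.2e9],
    "db01":  [4.0e7, 3.8e7, 4.2e7, 4.1e7, 3.9e7, 4.0e7, 4.3e7,
              3.7e7, 4.0e7, 4.1e7, 3.9e7, 4.2e7, 4.0e7, 3.8e7],
}
# Constructed: today's outbound volume. db01 normally sends ~40 MB; 950 MB is a large variance.
TRAFFIC_TODAY = {"web01": 2.2e9, "db01": 9.5e8}


def process_variance(baseline, snapshot):
    """Return {host: (new_processes, missing_processes)} for every host that differs
    from its baseline. Hosts present in only one of the two inputs are reported too."""
    findings = {}
    for host in sorted(set(baseline) | set(snapshot)):
        expected = baseline.get(host, set())
        observed = snapshot.get(host, set())
        new, missing = observed - expected, expected - observed
        if new or missing:
            findings[host] = (sorted(new), sorted(missing))
    return findings


def traffic_variance(baseline, today, z_threshold=3.0, min_sigma_ratio=0.05):
    """Return {host: z_score} for hosts whose volume today exceeds the baseline mean
    by more than z_threshold standard deviations. The standard deviation is floored
    at min_sigma_ratio * mean so that a very flat baseline does not flag noise."""
    findings = {}
    for host, history in baseline.items():
        if host not in today or len(history) < 2:
            continue  # no observation today, or too little history to baseline
        mu = mean(history)
        sigma = max(pstdev(history), min_sigma_ratio * mu)
        z = (today[host] - mu) / sigma
        if z > z_threshold:
            findings[host] = round(z, 1)
    return findings


if __name__ == "__main__":
    for host, (new, missing) in process_variance(PROCESS_BASELINE, PROCESS_SNAPSHOT).items():
        print(f"{host}: new={new} missing={missing}")
    for host, z in traffic_variance(TRAFFIC_BASELINE, TRAFFIC_TODAY).items():
        print(f"{host}: outbound volume {z} standard deviations above baseline")
```

Run as a script it reports the unexpected `nc` on web01, the missing `cron` on db01, and db01’s outbound volume as hundreds of standard deviations above its baseline, while web01’s slightly higher day passes. The floor on the standard deviation matters in practice: a server whose traffic barely varies would otherwise alert on every small change.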
Permissive Web Access
• Not blocking Uncategorized sites (most of the Internet)
• Not restricting servers
• Not filtering https (SSL)
• Having exceptions for executive systems
What’s the Risk?
• Malware being delivered through the web.
• Attackers sending data out and remotely controlling systems.
Permissive Web Access: Controls
• Uncategorized websites blocked for most users
• A “speed bump” for other users
• Https sites filtered
• Alternate web access options (VDI, sandboxing, tablet)
80% – The average percent of users that click “malicious” links in our social engineering engagements.
1 – The number of users an attacker needs to convince to click a link.
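To make the controls above concrete, here is an added example (not from the deck, and not any proxy vendor’s code) of the decision logic a web proxy policy would apply: uncategorized sites are blocked for standard users, users in an approved exception group get a “speed bump” (a warning page they must click through), servers are limited to named update hosts, and https requests go through the same rules once the proxy inspects them. The `inspect_https` flag models the weak setting from the previous slide so the two behaviours can be compared. Category names, group names, host names and the sample requests are constructed, and decryption of https at the proxy is assumed.

```python
"""Web-access policy evaluation: uncategorized sites blocked for most users, a
"speed bump" for users with an approved exception, and https requests subject to
the same rules once the proxy inspects them.

Added example for the controls above; it is not from the deck or any product.
The category names, group names and sample requests are constructed, and the
proxy's ability to decrypt https for inspection is assumed.
"""
from dataclasses import dataclass, field
from typing import Optional

ALLOWED_CATEGORIES = {"business", "news", "search", "software-updates"}
BLOCKED_CATEGORIES = {"malware", "phishing", "proxy-avoidance"}
# Groups holding an approved exception: they see a warning page and must click through
# (the "speed bump") instead of being blocked outright on uncategorized sites.
SPEED_BUMP_GROUPS = {"secops", "threat-research"}
# Servers get no general web access, only named update hosts.
SERVER_UPDATE_HOSTS = {"updates.corp.example"}


@dataclass
class Request:
    user: str
    host: str
    scheme: str                      # "http" or "https"
    category: Optional[str] = None   # None means the URL filter has no category for the host
    groups: frozenset = field(default_factory=frozenset)
    from_server: bool = False        # True when the source is a server, not a user workstation


def decide(req, inspect_https=True):
    """Return (decision, reason) where decision is 'allow', 'block' or 'speed-bump'.

    inspect_https=False models the weak setting on the slide: https traffic passes
    uninspected, so category rules never apply to it."""
    if req.from_server:
        if req.host in SERVER_UPDATE_HOSTS:
            return "allow", "server reaching approved update host"
        return "block", "servers have no general web access"
    if req.scheme == "https" and not inspect_https:
        return "allow", "https not inspected (weak setting)"
    if req.category in BLOCKED_CATEGORIES:
        return "block", f"category {req.category} is blocked for everyone"
    if req.category in ALLOWED_CATEGORIES:
        return "allow", f"category {req.category} is allowed"
    # Uncategorized or unknown category: blocked unless the user holds an exception.
    if req.groups & SPEED_BUMP_GROUPS:
        return "speed-bump", "uncategorized site; exception group must acknowledge warning"
    return "block", "uncategorized site blocked for standard users"


# Constructed sample requests.
SAMPLE_REQUESTS = [
    Request("alice", "news.example", "https", "news", frozenset({"staff"})),
    Request("alice", "newdomain-7f3a.example", "https", None, frozenset({"staff"})),
    Request("bob", "newdomain-7f3a.example", "https", None, frozenset({"secops"})),
    Request("alice", "evil.example", "https", "malware", frozenset({"staff"})),
    Request("web01", "updates.corp.example", "https", "software-updates", from_server=True),
    Request("web01", "cdn.example", "https", "business", from_server=True),
]


def evaluate(requests, inspect_https=True):
    """Evaluate a batch of requests; returns a list of (user, host, decision)."""
    return [(r.user, r.host, decide(r, inspect_https)[0]) for r in requests]


if __name__ == "__main__":
    for row in evaluate(SAMPLE_REQUESTS):
        print(row)
    print("Without https inspection:", evaluate(SAMPLE_REQUESTS, inspect_https=False))
```

The last line of the script shows the point of the “Https sites filtered” control: with `inspect_https=False`, the request to the malware-categorized host over https is allowed, because the proxy never sees the URL it would otherwise block.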
Over-reliance on Tools
• Assuming security tools are properly configured
• Overconfidence in anti-virus, any security tool
• Believing the tool will run itself – perhaps it is self-aware?
What’s the Risk?
• Assuming you’re protected by a tool when you’re not.
• Not effectively using the tool due to manpower issues.
Over-reliance on Tools: Controls
• Realistically estimating maintenance when considering a new tool
• Investing in security staff training to improve effectiveness
• Periodic “health checks” to validate tool configuration
Skynet isn’t self-aware yet!
Where Internal Audit Should Focus
Is Increased Attention from IA Needed?
Increased Risk Environment
The frequency of attacks and breaches has been increasing over the past five years. High-profile attacks such as those at Sony, Anthem, and Ashley Madison are just some of the thousands of breaches that actually occur each year.
Source: Verizon Data Breach Investigation Report, 2014.
Heightened Regulatory Scrutiny
Financial Services
• In 2014, the FFIEC audited 500 banks specifically on cybersecurity.
• New York’s Department of Financial Services announced increased focus on cybersecurity in its audits.
Healthcare
• OCR has increased its cybersecurity focus and promised increased enforcement activity.
• After Anthem, the Senate has said it will lead a bipartisan review of healthcare information security law.
Other Industries
• PCI compliance has become much more difficult under the new 3.0 standard (Jan 1).
• The FTC has been increasingly active with cybersecurity-related investigations and fines.
As a result of the very public data breaches, regulators are taking a closer look at cybersecurity across all industries. Even industry regulations such as the PCI Data Security Standard are becoming increasingly difficult to adhere to.
Boards of Directors’ Attention
Boards of Directors are increasingly inquiring about cybersecurity as they see news of breaches, hear about increased regulatory scrutiny, and grow more concerned about cybersecurity risks.
Source: NACD Cyber-Risk Oversight Handbook.
NACD Guidance
The National Association of Corporate Directors (NACD) recently released guidance encouraging the full Board (not just the audit committee) to receive regular briefings on information security and provided five principles for Board involvement.
What a Cybersecurity Audit Plan Should Look Like
A Penetration Test is Not Enough
Internal Audit plans frequently include a penetration test, and only a penetration test, as a cybersecurity-related audit. The increased risk environment necessitates that Internal Audit look beyond penetration tests and increase the number of cybersecurity audits.
Limits of Penetration Testing
A penetration test does not always provide an accurate or comprehensive assessment of cybersecurity risk. The goal of a penetration test is to simulate a single attack, not to uncover all possible attack scenarios. It is also usually very time-constrained, lasting weeks instead of the months that actual attackers have.
NIST Cybersecurity Framework functions and categories:
Function Unique Identifier  Function  Category Unique Identifier  Category
ID                          Identify
                                      ID.AM                       Asset Management
                                      ID.BE                       Business Environment
                                      ID.GV                       Governance
                                      ID.RA                       Risk Assessment
                                      ID.RM                       Risk Management Strategy
PR                          Protect
                                      PR.AC                       Access Control
                                      PR.AT                       Awareness & Training
                                      PR.DS                       Data Security
                                      PR.IP                       Information Protection Processes & Procedures
                                      PR.MA                       Maintenance
                                      PR.PT                       Protective Technology
DE                          Detect
                                      DE.AE                       Anomalies & Events
                                      DE.CM                       Security Continuous Monitoring
                                      DE.DP                       Detection Processes
RS                          Respond
                                      RS.RP                       Response Planning
                                      RS.CO                       Communications
                                      RS.AN                       Analysis
                                      RS.MI                       Mitigation
                                      RS.IM                       Improvements
RC                          Recover
                                      RC.RP                       Recovery Planning
                                      RC.IM                       Improvements
                                      RC.CO                       Communications
Internal Audit departments need to rebalance their plans to cover more cybersecurity areas.
Key Areas of an Internal Audit Plan for Cybersecurity
Organizations that are at high risk for cyberattack should consider an annual Breach Detection Audit as a point-in-time view on indicators of breach in the environment.
An Internal Audit plan for cybersecurity should be based on the organization’s risk profile and the external threat landscape. A balanced plan might include:
Technology Security Topic (e.g., SQL Server)
Compliance Topic (e.g., PCI, Privacy)
Internal and External Penetration Testing
Operational Security Topic (e.g., Security Monitoring)
Hot Audit Areas for 2016
Breach Detection Audit
Can be completed in 250 to 500 hours, depending on components included.
Key Questions
• Are there signs that the organization is currently breached or has been in the recent past?
• How effective are in-place security monitoring tools and processes?
• Have potential breaches been sufficiently investigated?
Fieldwork Activities
• Forensic review of key indicators of a targeted attack (logs, network activity, systems).
• Evaluation of breach detection capabilities and processes.
• Review of previous potential breach incidents and organizational follow up.
Value Provided to Management
• Management will appreciate the timeliness and relevance.
• Proven action steps that Management can take to improve its ability to detect breaches.
• Communication to stakeholders of key controls Management has invested in.
Organizations are not very good at self-detecting breaches; IA can help identify gaps.
Third Party Access Audit
Key Questions
• Could a breach of a third party result in a breach of our organization?
• Are vendor, contractor, and other third party accounts sufficiently restricted?
• Would we know if a vendor account was being used improperly?
Fieldwork Activities
• Review of policies and procedures for third parties.
• Review of a sample of third party accounts for appropriate access.
• Attempting privilege escalation from an example third party account.
Value Provided to Management
• Topical given Target initial intrusion method.
• Factual arguments to support limiting vendor access further.
• Comforting stakeholders on a key area of risk (provided appropriate controls are in place).
Can be completed in 150 to 250 hours, depending on components included.
IA can help Management limit risk associated with a hacked third party (e.g., HVAC).
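The question “Would we know if a vendor account was being used improperly?” has a testable answer: compare each successful vendor login against what the account was approved for. The following is an added example (not from the deck, and not any product’s code) that parses syslog-style SSH login lines and reports third-party logins that come from outside the vendor’s approved network, reach a system outside the vendor’s scope, or fall outside the agreed maintenance window. The account register, the log format and the log lines are constructed; an auditor would substitute the organization’s own vendor access agreements and authentication logs.

```python
"""Detecting improper use of third-party (vendor) accounts from SSH authentication
logs: logins outside the approved maintenance window, from an unapproved source
network, or to a system outside the vendor's scope.

Added example for the third-party access audit above; it is not from the deck.
The account register, maintenance windows and log lines are constructed.
"""
import re
from datetime import datetime, time

# Constructed register of third-party accounts and what each is approved for.
VENDOR_ACCOUNTS = {
    "svc-hvacvendor": {
        "source_prefixes": ("203.0.113.",),          # vendor's approved network
        "allowed_targets": {"bms01"},                 # building-management server only
        "window": (time(8, 0), time(18, 0)),          # approved maintenance hours
        "weekdays_only": True,
    },
    "svc-erpsupport": {
        "source_prefixes": ("192.0.2.",),
        "allowed_targets": {"erp01", "erp02"},
        "window": (time(0, 0), time(23, 59)),         # 24x7 support contract
        "weekdays_only": False,
    },
}

# Matches successful sshd logins in a syslog-style format (constructed layout).
LOGIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>[\d.]+)"
)

# Constructed sample log; 2014-10-06 is a Monday.
SAMPLE_LOG = """\
2014-10-06 10:15:02 bms01 sshd[4121]: Accepted publickey for svc-hvacvendor from 203.0.113.25 port 51022 ssh2
2014-10-06 02:40:11 bms01 sshd[4190]: Accepted password for svc-hvacvendor from 203.0.113.25 port 50110 ssh2
2014-10-07 11:05:45 finance-db01 sshd[512]: Accepted password for svc-hvacvendor from 203.0.113.25 port 50121 ssh2
2014-10-08 09:30:00 bms01 sshd[4301]: Accepted publickey for svc-hvacvendor from 198.51.100.7 port 40001 ssh2
2014-10-08 09:31:00 erp01 sshd[9001]: Accepted publickey for svc-erpsupport from 192.0.2.10 port 40002 ssh2
2014-10-08 09:32:00 erp01 sshd[9002]: Accepted password for alice from 10.0.0.5 port 40003 ssh2
"""


def check_login(user, host, ip, when, register=VENDOR_ACCOUNTS):
    """Return a list of policy violations for one successful login (empty if none,
    and None if the account is not a registered third-party account)."""
    policy = register.get(user)
    if policy is None:
        return None
    problems = []
    if not ip.startswith(policy["source_prefixes"]):
        problems.append("source not in vendor network")
    if host not in policy["allowed_targets"]:
        problems.append("target outside approved scope")
    start, end = policy["window"]
    if not (start <= when.time() <= end):
        problems.append("outside maintenance window")
    if policy["weekdays_only"] and when.weekday() >= 5:
        problems.append("weekend access")
    return problems


def audit_log(text, register=VENDOR_ACCOUNTS):
    """Parse successful logins and return (user, host, ip, reasons) for each
    third-party login that breaks its policy."""
    findings = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        problems = check_login(m["user"], m["host"], m["ip"], when, register)
        if problems:
            findings.append((m["user"], m["host"], m["ip"], problems))
    return findings


if __name__ == "__main__":
    for user, host, ip, reasons in audit_log(SAMPLE_LOG):
        print(f"{user}@{host} from {ip}: {', '.join(reasons)}")
```

On the sample log the script reports three of the six logins: the 02:40 login outside the HVAC vendor’s maintenance window, the login to `finance-db01` outside that vendor’s scope, and the login from an address outside the vendor’s network. The ERP support login and the employee login are within policy and produce nothing. Accounts absent from the register are ignored here, but an audit would also reconcile the register against the directory so that unregistered third-party accounts surface.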
NIST Cybersecurity Framework (CSF) Audit
Can be completed in 250 to 350 hours, depending on organization size and scope of testing.
Key Questions
• Do we have sufficient cybersecurity control coverage as described in the NIST CSF?
• How mature is our control environment related to the NIST CSF categories?
Fieldwork Activities
• Interviews and review of documents related to the NIST CSF controls.
• Testing a risk-based sample of controls for effectiveness.
• Reviewing control maturity and efficiency.
Value Provided to Management
• Directly responsive to Board interest in NIST CSF.
• Third-party validation of successful control implementation.
IA can help Management validate its NIST CSF implementation or alignment.
Other Hot Topic Areas
Include someone from the information security team in brainstorming sessions when determining audit topic areas for the upcoming year.
Depending on the organization’s industry and maturity, there are a number of other areas that could demonstrate Internal Audit’s awareness of new cybersecurity risks:
Potentially Embarrassing Information (PEI) Security
Data Exfiltration Monitoring
Destructive Malware Resilience
Medical Device Security
Key Takeaways
• Threat agents are growing in number, type, and intensity.
• The risks you hear the most about may not be the right ones to focus on (does your organization have the basics?).
• Internal Audit should increase its focus on cybersecurity and may need to rebalance its audit plan to cover a wider variety of areas.
Closing Thought: Internal Audit’s Evolving Role In Security
The increased attention on Information Security will continue for the foreseeable future. It is critical that Internal Auditors continue to educate themselves on the risks and focus audits in security-related areas. The help is needed!
Q & A
Questions?
Adam Brand
@adamrbrand
That time already?