IT Security – Update on Practical Risk Mitigation Strategies
Bonnie Bastow, CIA, CISA, CISM
Director, Risk Advisory Services, IT Audit & Security
April 2016
© Elliott Davis Decosimo, LLC © Elliott Davis Decosimo, PLLC


This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record of the discussion. This presentation is for informational purposes and does not contain or convey specific advice. It should not be used or relied upon in regard to any particular situation or circumstances without first consulting the appropriate advisor. No part of the presentation may be circulated, quoted, or reproduced for distribution without prior written approval from Elliott Davis Decosimo.


Learning Objectives/Knowledge Gained

- IT Security – Update on 2016 Threats
  - McAfee Labs 2016 Threat Predictions
  - PwC 2016 Forecast
  - Cybersecurity events – what they have in common
- Practical Risk Mitigation Strategies
  - Increased knowledge of cybersecurity risk assessment processes and tools
  - IT controls to mitigate risks

McAfee Labs 2016 Threat Predictions

Threat / Comments
- Hardware: operating-system-level attacks
- Ransomware: ransomware-as-a-service hosted on the Tor network; financial and government sectors targeted; targeting cloud services and mobile devices
- Vulnerabilities: Adobe Flash, Unix
- Payment Systems: credential stealing and attacks on payment card devices (skimmers, etc.)

McAfee Labs 2016 Threat Predictions (continued)

Threat / Comments
- Attacks through Employee Systems: increase expected in Android devices; securing home networks for employees' remote access
- Cloud Services: users have little insight into the provider's security measures
- Integrity: compromise of the integrity of systems and data; stealthy, selective attacks that appear to be operational problems, accounting errors, or dumb mistakes

PwC Survey – Top 3 Challenges – Financial Services 2016

1. Financial services respondents ranked assessment of the security capabilities of third-party vendors as the top challenge to their information security efforts. More than half said they would increase spending to better monitor third-party security in the coming 12 months. Average information security spending is up 15%.
2. Rapidly evolving, sophisticated, and complex technologies.
3. Increased use of mobile technologies by customers.

Cyber Security Events – What They Have in Common

Social Engineering


Social Engineering Defined


Social Engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information.

A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional "con" in that it is often one of many steps in a more complex fraud scheme.

Common Data Breaches/Threats

- Phishing is a form of social engineering
- Phishing is the most common threat
- Usually accomplished through email or phone-call schemes
- Our employees are our weakest link
- Continuous/annual employee training is a must in this area to assist with prevention

Spear Phishing

- Unlike traditional spam, spear phishing is by no means random; it is a highly targeted operation.
- The sender impersonates a friend or colleague of the potential victim in order to trick them into opening malware-laden files, visiting malicious websites, or taking some other action for the phisher's benefit.
- Has a high success rate.
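The impersonation pattern described above (a colleague's display name on an outside address, a lookalike sender domain, a Reply-To that steers answers elsewhere, a malware-carrying attachment) can be checked mechanically at the mail gateway or in a triage script. The following is an added example, not code from the presentation or from Elliott Davis Decosimo; the organization domain, the colleague directory, the risky-extension list and both sample messages are constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed values for this example (hypothetical organization and directory).
INTERNAL_DOMAIN = "example-bank.com"
DIRECTORY = {  # display name (lower-cased) -> the colleague's real address
    "jane doe": "jane.doe@example-bank.com",
    "sam lee": "sam.lee@example-bank.com",
}
# Attachment types that commonly carry malware in phishing mail (illustrative list).
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".docm", ".xlsm", ".zip", ".iso"}


def levenshtein(a, b):
    """Edit distance, used to spot lookalike domains (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def spear_phish_indicators(raw_message):
    """Return the list of impersonation indicators found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(addr)
    found = []

    # 1. Display name of a known colleague paired with a different address.
    real = DIRECTORY.get(name.strip().lower())
    if real and addr.lower() != real:
        found.append(f"display name '{name}' belongs to {real} but mail is from {addr}")

    # 2. Sender domain within two edits of our own domain (typosquat / lookalike).
    if from_domain and from_domain != INTERNAL_DOMAIN and levenshtein(from_domain, INTERNAL_DOMAIN) <= 2:
        found.append(f"lookalike sender domain {from_domain}")

    # 3. Reply-To steering responses to a domain other than the visible sender's.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and domain_of(reply_to) != from_domain:
        found.append(f"Reply-To {reply_to} differs from From domain {from_domain}")

    # 4. Attachments of types that commonly carry malware.
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        if ext in RISKY_EXTENSIONS:
            found.append(f"risky attachment {filename}")
    return found


# Constructed sample messages (not real mail): one spear-phish, one legitimate note.
PHISH = b"""From: Jane Doe <jane.doe@examp1e-bank.com>
Reply-To: accounts@mail-drop.example
To: bob@example-bank.com
Subject: Updated wire instructions
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Bob, please process the attached before 3pm today.
--b1
Content-Type: application/octet-stream; name="instructions.docm"
Content-Disposition: attachment; filename="instructions.docm"
Content-Transfer-Encoding: base64

bm90IHJlYWxseSBhIGRvY3VtZW50
--b1--
"""

LEGIT = b"""From: Jane Doe <jane.doe@example-bank.com>
To: bob@example-bank.com
Subject: Lunch?
Content-Type: text/plain

Noon at the usual place?
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, spear_phish_indicators(raw))
```

None of these four checks is proof on its own (a colleague can legitimately write from a personal address), so in practice the indicators feed a score or a quarantine rule rather than an automatic block, and the directory lookup should come from the real HR or directory system rather than a static table.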

Spear Phishing Example

https://www.youtube.com/watch?v=bjYhmX_OUQQ&feature=youtu.be&t=2m13s
(video: ..\The Edit.mp4)

Common Data Breaches/Threats – Malware threats

Malware is software designed to infiltrate, damage or obtain information from a computer system without the owner's consent (as defined by ISACA).

- Spyware/key logger (records the user's keystrokes; can obtain user names and passwords) – 75% of cases
- Backdoor (e.g., malware creates backdoor access for the cyber criminal) – 66%
- Captured stored data (e.g., ransomware) – 55%

http://us.norton.com/yoursecurityresource/detail.jsp?aid=rise_in_ransomware

Keylogger Example

Hacker builds wireless Microsoft keyboard keylogger disguised as a USB wall charger.

Risk Mitigation Strategies

1 - IT General Controls
2 - Cyber Security Assessments
3 - Training – Employee and IT Specific
4 - Risk Assessments and Information Sharing

1 - IT General Controls

Security Administration:
- User provisioning
- User removal
- User access reviews (with SoD)
- Physical security

Logical Security:
- Password controls
- Privileged user review
- Security monitoring
- Segregation of duties

Change Management:
- Authorization and approval
- User testing
- Access to production

Operations:
- Backups
- Restore test
- Vendor management
- Job monitoring
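Several of the Security Administration and Logical Security controls listed above (user removal, privileged user review, user access reviews with SoD) are one periodic procedure: reconcile the system's account export against HR and against the organization's conflict matrix. The script below is an added example, not material from the presentation or from Elliott Davis Decosimo; the roster, the account export, the role names, the SoD matrix and the 90-day stale threshold are constructed, hypothetical values.

```python
from datetime import date, timedelta

# Constructed sample data (hypothetical): HR roster, the application's account
# export, the segregation-of-duties (SoD) matrix and the review date.
HR_ROSTER = {"alice": "active", "bob": "terminated", "carol": "active"}
ACCOUNTS = [
    {"user": "alice", "enabled": True, "roles": {"ap_invoice_entry", "ap_payment_approve"}, "last_login": date(2016, 4, 1)},
    {"user": "bob", "enabled": True, "roles": {"gl_post"}, "last_login": date(2016, 2, 10)},
    {"user": "carol", "enabled": True, "roles": {"gl_post"}, "last_login": date(2015, 10, 3)},
    {"user": "svc_batch", "enabled": True, "roles": {"sysadmin"}, "last_login": date(2016, 3, 30)},
]
# Role pairs one person must not hold together, with the business reason.
SOD_MATRIX = [
    ({"ap_invoice_entry", "ap_payment_approve"}, "enter and approve own payments"),
    ({"user_admin", "gl_post"}, "grant self posting rights"),
]
PRIVILEGED_ROLES = {"sysadmin", "dba", "user_admin"}
STALE_AFTER = timedelta(days=90)
REVIEW_DATE = date(2016, 4, 15)


def review_access(accounts, roster, as_of):
    """Run the periodic user access review; return (user, finding, detail) tuples."""
    findings = []
    for acct in accounts:
        user, roles = acct["user"], acct["roles"]
        status = roster.get(user)

        # User removal: leavers' accounts must be disabled, not merely forgotten.
        if status == "terminated" and acct["enabled"]:
            findings.append((user, "terminated_user_enabled", "HR shows terminated"))
        # Orphans: accounts with no owner in HR (service accounts need a named owner).
        if status is None:
            findings.append((user, "no_hr_owner", "not in HR roster"))
        # Stale access: long-unused enabled accounts signal access no longer needed.
        if acct["enabled"] and as_of - acct["last_login"] > STALE_AFTER:
            findings.append((user, "stale_account", f"last login {acct['last_login']}"))
        # Privileged user review: elevated roles get explicit recertification.
        elevated = roles & PRIVILEGED_ROLES
        if elevated:
            findings.append((user, "privileged_review", ", ".join(sorted(elevated))))
        # Segregation of duties: conflicting role combinations on one account.
        for pair, reason in SOD_MATRIX:
            if pair <= roles:
                findings.append((user, "sod_conflict", reason))
    return findings


def count_by_finding(findings):
    """Summarize findings by type for the review sign-off."""
    counts = {}
    for _, kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for user, kind, detail in review_access(ACCOUNTS, HR_ROSTER, REVIEW_DATE):
        print(f"{user:10} {kind:25} {detail}")
    print(count_by_finding(review_access(ACCOUNTS, HR_ROSTER, REVIEW_DATE)))
```

The point of keying the review off HR rather than off the application is that the application cannot know someone has left; the terminated-but-enabled case is exactly the gap a stand-alone account listing hides. The SoD check uses subset comparison so a matrix entry can name more than two roles.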

2 - Cyber Security Assessments

- Internal network vulnerability scans (patching is the largest finding category; system configuration)
- External network vulnerability scans
- External penetration testing
- Wireless scans
- Social engineering assessments
- Social engineering training

2 - Cyber Security Assessments – Reporting Categories

Category / Vulnerabilities resulting from...
- Patch Management: failure to apply patches provided by vendors to address security weaknesses. Applying software/firmware patches is primarily an administrative discipline.
- System Configuration: configuration settings on devices that are not set in an optimal manner from a security standpoint.
- Trust: insecure authentication methods or configurations on workstations/servers.
- Application: applications with known vulnerabilities found on the network, for example Dropbox, Skype, and Coupons Printer.

3 - Training – Employee and IT Specific

- Training, training, training (employees as well as clients/customers)
- Technical training for key employees and management
- Set the appropriate tone at the top: make security a priority and not just an IT initiative

Training Aids

Cisco (OpenDNS) launched an online quiz to show how easy it is to get people hooked by a social engineering phishing email.

https://www.opendns.com/phishing-quiz/

Can you pass the quiz? (It can also be used for training purposes.)

4 – Information Sharing

FS-ISAC is a non-profit, information-sharing forum established by financial services industry participants to facilitate the public and private sectors' sharing of physical and cybersecurity threat and vulnerability information.


4 - Risk Assessment Reduction Solutions

FFIEC Nov. 3, 2014 Press Release: https://www.ffiec.gov/press/pr110314.htm

FFIEC released observations from the recent cybersecurity assessment and recommended that regulated financial institutions participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC): https://www.fsisac.com/

The assessment included more than 500 community banks.

4 – Risk Assessment Reduction Solutions

FFIEC Cybersecurity Assessment – General Observations (Summer 2014): https://www.ffiec.gov/press/PDF/FFIEC_Cybersecurity_Assessment_Observations.pdf

This document presents general observations from the Cybersecurity Assessment about the range of inherent risks and the varied risk management practices among financial institutions and suggests questions for chief executive officers and boards of directors to consider when assessing their financial institutions' cybersecurity and preparedness.

McAfee Labs 2016 Threat Predictions – Risk Mitigation Strategies

Threat / Risk Mitigation Strategy
- Hardware: patching, vulnerability scans
- Ransomware: risk assessment/vendor management and cyber insurance
- Vulnerabilities: patching programs
- Payment Systems: physical controls, scans, basic controls
- Attacks through Employee Systems: social engineering assessments and training, remote access controls
- Cloud Services: risk assessments, vendor management
- Integrity: monitoring controls, social engineering assessments and training

In short: basic IT general controls and assessments.
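The Integrity row above pairs the stealthy, selective data-tampering threat from the McAfee predictions (changes that look like accounting errors) with "monitoring controls". The simplest such control is a file-integrity baseline: hash what should not change, re-hash on a schedule, and alert on any difference. The following is an added example, not code from the presentation or from Elliott Davis Decosimo; the directory layout, file contents and the tampering scenario in demo() are constructed, and a real deployment would store the baseline off-host so an attacker cannot rewrite it alongside the files.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map every file under root (relative POSIX path) to (sha256, size)."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): (sha256_of(p), p.stat().st_size)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(baseline, current):
    """Diff two snapshots. A changed hash with an unchanged size is the case that
    size- or timestamp-only monitoring misses, and is what a selective edit looks like."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: a same-size edit to a ledger, a dropped binary, a deleted file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "config").mkdir()
        (root / "ledger.csv").write_text("id,amount\n1,100.00\n2,250.00\n")
        (root / "config" / "app.ini").write_text("[db]\nhost=localhost\n")
        (root / "readme.txt").write_text("baseline\n")
        baseline = snapshot(root)

        # Tampering that keeps the file size identical: 250.00 -> 259.00.
        (root / "ledger.csv").write_text("id,amount\n1,100.00\n2,259.00\n")
        # A file that was not there at baseline time.
        (root / "config" / "late.so").write_bytes(b"\x7fELF")
        # A file removed since baseline.
        (root / "readme.txt").unlink()
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9} {paths}")
```

Hashing catches the ledger edit that a size check would not; the same idea applied to database rows (a hash over each record, or over each closed accounting period) is the data-level counterpart for the "accounting errors" variant of the threat.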

PwC Survey – Top Challenges – Financial Services 2016

Challenge / Risk Mitigation
- Third-party security: deeper vendor management practices; more thorough risk assessments and vendor due diligence; cyber insurance
- Rapidly evolving, sophisticated and complex technologies
- Increased use of mobile technologies by customers

PwC – The State of Security 2016 Survey: PwC-proposed Risk Mitigation Approaches

1. Risk-Based Frameworks – 91% adoption rate for a cybersecurity framework. Frameworks provide for better identification and prioritization of security risks: ISO 27001, NIST, SANS Critical Controls, COBIT.
2. Cloud-Based Security – 69% use cloud-based cybersecurity services; real-time monitoring.

3. The Impact of Big Data – trending, looking for patterns.
4. Threat Intelligence Sharing – 65% of respondents collaborate to improve security and reduce cyber risks (up from 50% in the previous year); Information Sharing and Analysis Centers (ISACs).
5. Executive Involvement – 45% of respondents stated their boards now participate in the overall security strategy, which resulted in a 24% boost in security spending.

http://www.pwc.com/gx/en/issues/cyber-security/information-security-survey/key-findings.html

PwC – The State of Security 2016 Survey

Did you know?

The biggest violators of IT security are the senior members of the IT/IS team (via controls override), the team that is responsible for securing the enterprise (and CEOs/Presidents).

Questions

Bonnie Bastow, CIA, CISA, CISM
Email: [email protected]
Phone: 704.808.5275
Website: www.elliottdavis.com

Elliott Davis Decosimo ranks among the top 30 CPA firms in the U.S. With sixteen offices across seven states, the firm provides clients across a wide range of industries with smart, customized solutions. Elliott Davis Decosimo is an independent firm associated with Moore Stephens International Limited, one of the world's largest CPA firm associations with resources in every major market around the globe. For more information, please visit elliottdavis.com.