IT Security – Update on Practical Risk Mitigation Strategies
Bonnie Bastow, CIA, CISA, CISM
Director, Risk Advisory Services, IT Audit & Security
April 2016
© Elliott Davis Decosimo, LLC © Elliott Davis Decosimo, PLLC
This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record of the discussion. This presentation is for informational purposes and does not contain or convey specific advice. It should not be used or relied upon in regard to any particular situation or circumstances without first consulting the appropriate advisor. No part of the presentation may be circulated, quoted, or reproduced for distribution without prior written approval from Elliott Davis Decosimo.
Learning Objectives/Knowledge Gained
IT Security – Update on 2016 Threats
McAfee Labs 2016 Threat Predictions
PwC 2016 Forecast
Cybersecurity events – what they have in common
Practical Risk Mitigation Strategies
Increased knowledge of cybersecurity risk assessment processes and tools
IT controls to mitigate risks
McAfee Labs 2016 Threat Predictions
Threat / Comments
Hardware: Operating system level attacks
Ransomware: Ransomware as a service, hosted on the Tor network; financial and government sectors are targets; targeting cloud services and mobile devices
Vulnerabilities: Adobe Flash, Unix
Payment Systems: Credential stealing and attacking payment card devices (skimmers, etc.)
McAfee Labs 2016 Threat Predictions (continued)
Threat / Comments
Attacks through Employee Systems: Increase expected in Android devices; securing home networks for employees' remote access
Cloud Services: Users have little insight into the provider's security measures
Integrity: Compromise the integrity of systems and data; stealthy, selective attacks that appear to be operational problems, accounting errors, or dumb mistakes
PwC Survey - Top 3 Challenges - Financial Services 2016
1. Financial services respondents ranked assessment of the security capabilities of third-party vendors as the top challenge to their information security efforts. More than half said they would increase spending to better monitor third-party security in the coming 12 months. Average information security spending is up 15%.
2. Rapidly evolving, sophisticated, and complex technologies
3. Increased use of mobile technologies by customers
Cyber Security Events –What They Have in Common
Social Engineering
Social Engineering Defined
Social Engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information.
A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional "con" in that it is often one of many steps in a more complex fraud scheme.
Common Data Breaches/Threats
Phishing is a form of social engineering
Phishing is the most common threat
Usually accomplished through email or phone call schemes
Our employees are our weakest link
Continuous/annual employee training is a must in this area to assist with prevention
Spear Phishing
Unlike traditional spam, spear phishing is by no means random – it is a highly targeted operation.
The sender impersonates a friend or colleague of the potential victims in order to trick them into opening malware-ridden files, visiting malicious websites, or taking some other action for the phishers' benefit.
Has a high success rate
Spear Phishing Example
https://www.youtube.com/watch?v=bjYhmX_OUQQ&feature=youtu.be&t=2m13s
..\The Edit.mp4 (embedded video)
Common Data Breaches/Threats – Malware threats
Malware is software designed to infiltrate, damage or obtain information from a computer system without the owner's consent (as defined by ISACA)
Spyware/Key logger (records users' key strokes; can obtain user names and passwords) – 75% of cases
Backdoor (e.g. malware creates backdoor access for the cyber criminal) – 66%
Captured Stored Data (e.g. ransomware) – 55%
Source: http://us.norton.com/yoursecurityresource/detail.jsp?aid=rise_in_ransomware
Keylogger Example
Hacker builds wireless Microsoft keyboard keylogger disguised as a USB wall charger
Risk Mitigation Strategies
1 - IT General Controls
2 - Cyber Security Assessments
3 - Training – Employee and IT Specific
4 - Risk Assessments and Information Sharing
1 - IT General Controls
Security Administration | Logical Security | Change Management | Operations
User provisioning | Password controls | Authorization and Approval | Backups
User removal | Privileged user review | User Testing | Restore test
User Access Reviews (with SoD) | Security Monitoring | Access to Production | Vendor Management
Physical | Segregation of Duties | Job Monitoring
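The IT General Controls slide lists user removal, privileged user review and user access reviews with segregation of duties (SoD) as recurring controls. The following is an added example, not material from the presentation or from Elliott Davis Decosimo, of what one cycle of such a review looks like when run as a script: it reconciles an application's account export against the HR roster, flags accounts whose owner is no longer active, flags any account holding both halves of a toxic role combination, and lists every holder of a privileged role for sign-off. The roster, the role names, the SoD rule set and all function names are constructed assumptions for the example.

```python
"""Added example (not from the presentation): a small periodic user access
review covering user removal, privileged user review and SoD checks.

All data below is constructed for the example; the role names, the SoD rule set
and the review logic are assumptions, not a real organisation's configuration.
"""
from dataclasses import dataclass, field

# Constructed HR roster: who is still employed.
HR_ROSTER = {
    "alice": "active",
    "bob": "active",
    "carol": "terminated",
    "dave": "active",
}

# Constructed application account export: account -> set of roles held.
ACCOUNT_ROLES = {
    "alice": {"ap_create_vendor", "ap_approve_payment"},
    "bob": {"ap_create_vendor"},
    "carol": {"gl_post_journal"},
    "dave": {"sysadmin", "ap_approve_payment"},
    "svc_backup": {"sysadmin"},
}

# Constructed SoD rules: pairs of roles one person must not hold together.
SOD_RULES = [
    ("ap_create_vendor", "ap_approve_payment"),  # create a payee and then pay it
    ("sysadmin", "ap_approve_payment"),          # override controls and approve
]

# Roles considered privileged and therefore re-certified every cycle.
PRIVILEGED_ROLES = {"sysadmin"}

# Service accounts have no HR record; they are reviewed but not flagged as orphaned.
SERVICE_ACCOUNTS = {"svc_backup"}


@dataclass
class ReviewFindings:
    orphaned: list = field(default_factory=list)       # accounts with no active employee
    sod_conflicts: list = field(default_factory=list)  # (account, role_a, role_b)
    privileged: list = field(default_factory=list)     # (account, role)


def review_access(accounts, roster, sod_rules, privileged_roles, service_accounts):
    """Run the three checks and return the findings in account order for stable reporting."""
    findings = ReviewFindings()
    for account, roles in sorted(accounts.items()):
        # User removal check: every human account must map to an active employee.
        if account not in service_accounts and roster.get(account) != "active":
            findings.orphaned.append(account)
        # SoD check: flag any account holding both halves of a toxic combination.
        for role_a, role_b in sod_rules:
            if role_a in roles and role_b in roles:
                findings.sod_conflicts.append((account, role_a, role_b))
        # Privileged user review: list every holder of a privileged role.
        for role in sorted(roles & privileged_roles):
            findings.privileged.append((account, role))
    return findings


def format_report(findings):
    """Render the findings as the plain-text list a reviewer would sign off on."""
    lines = ["Orphaned accounts: " + (", ".join(findings.orphaned) or "none")]
    for account, role_a, role_b in findings.sod_conflicts:
        lines.append(f"SoD conflict: {account} holds {role_a} and {role_b}")
    for account, role in findings.privileged:
        lines.append(f"Privileged access: {account} has {role}")
    return "\n".join(lines)


if __name__ == "__main__":
    result = review_access(ACCOUNT_ROLES, HR_ROSTER, SOD_RULES,
                           PRIVILEGED_ROLES, SERVICE_ACCOUNTS)
    print(format_report(result))
```

In practice the two inputs come from an HR system export and the application's own account listing; the value of the control is in the reconciliation and in the SoD rule set being owned by the business, not by the administrators whose access it reviews.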
2 - Cyber Security Assessments
Internal Network Vulnerability Scans (patching is the largest category; system configuration)
External Network Vulnerability Scans
External Penetration Testing
Wireless Scans
Social Engineering Assessments
Social Engineering Training
2 - Cyber Security Assessments – Reporting Categories
Category / Vulnerabilities resulting from…
Patch Management: Failure to apply patches provided by vendors to address security weaknesses. Software/firmware patches are primarily an administrative detail.
System Configuration: Identified configuration settings on devices that may not be set in an optimal manner for security considerations.
Trust: Identification of insecure authentication methods or configurations on workstations/servers.
Application: Discovery of applications with known vulnerabilities found on the network. Examples include the discovery of software such as Dropbox, Skype, and Coupons Printer.
3 - Training – Employee and IT Specific
Training, training, training (employees as well as clients/customers)
Technical training for key employees and management
Set the appropriate tone at the top – make security a priority and not just an IT initiative
Training Aids
Cisco (OpenDNS) launched an online quiz to show how easy it is to get people hooked by a social engineering phishing email.
https://www.opendns.com/phishing-quiz/
Can you pass the quiz? (It can also be used for training purposes.)
4 – Information Sharing
FS-ISAC is a non-profit, information-sharing forum established by financial services industry participants to facilitate the public and private sectors' sharing of physical and cybersecurity threat and vulnerability information.
4 - Risk Assessment Reduction Solutions
FFIEC Nov. 3, 2014 Press Release: https://www.ffiec.gov/press/pr110314.htm
FFIEC released observations from the recent cybersecurity assessment and recommended that regulated financial institutions participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC): https://www.fsisac.com/
The assessment included more than 500 community banks.
FS-ISAC is a non-profit, information-sharing forum established by financial services industry participants to facilitate the public and private sectors' sharing of physical and cybersecurity threat and vulnerability information.
4 – Risk Assessment Reduction Solutions
FFIEC Cybersecurity Assessment – General Observations (Summer 2014): https://www.ffiec.gov/press/PDF/FFIEC_Cybersecurity_Assessment_Observations.pdf
This document presents general observations from the Cybersecurity Assessment about the range of inherent risks and the varied risk management practices among financial institutions, and suggests questions for chief executive officers and boards of directors to consider when assessing their financial institutions' cybersecurity and preparedness.
McAfee Labs 2016 Threat Predictions – Risk Mitigation Strategies
Threat / Risk Mitigation Strategy
Hardware: Patching, vulnerability scans
Ransomware: Risk assessment/vendor management & cyber insurance
Vulnerabilities: Patching programs
Payment Systems: Physical controls, scans, basic controls
Attacks through Employee Systems: Social engineering, remote access controls
Cloud Services: Risk assessments, vendor management
Integrity: Monitoring controls, social engineering
Basic IT General Controls and Assessments
PwC Survey - Top Challenges - Financial Services 2016
Challenge / Risk Mitigation
Third Party Security: Deeper vendor management practices; more thorough risk assessments and vendor due diligence; cyber insurance
Rapidly evolving, sophisticated & complex technologies
Increased use of mobile technologies by customers
PwC - The State of Security 2016 Survey
PwC proposed Risk Mitigation Approaches
1. Risk-Based Frameworks: 91% adoption rate for a cybersecurity framework. Frameworks provide for better identification and prioritization of security risks. ISO 27001, NIST / SANS Critical Controls / COBIT
2. Cloud-Based Security: 69% use cloud-based cybersecurity services; real-time monitoring
PwC - The State of Security 2016 Survey (continued)
3. The Impact of Big Data: Trending, looking for patterns
4. Threat Intelligence Sharing: 65% of respondents collaborate to improve security and reduce cyber risks (up from 50% in the previous year); Information Sharing and Analysis Centers (ISACs)
5. Executive Involvement: 45% of respondents stated their boards now participate in the overall security strategy; this resulted in a boost in security spending of 24%
Source: http://www.pwc.com/gx/en/issues/cyber-security/information-security-survey/key-findings.html
Did you know?
The biggest violators of IT security are the senior members of the IT/IS team (via controls override) – the team that is responsible for securing the enterprise (and CEOs/Presidents).
Questions
Bonnie Bastow, CIA, CISA, CISM
Email: [email protected]
Phone: 704.808.5275
Website: www.elliottdavis.com
Elliott Davis Decosimo ranks among the top 30 CPA firms in the U.S. With sixteen offices across seven states, the firm provides clients across a wide range of industries with smart, customized solutions. Elliott Davis Decosimo is an independent firm associated with Moore Stephens International Limited, one of the world's largest CPA firm associations with resources in every major market around the globe. For more information, please visit elliottdavis.com.