CYBERSECURITY HOW IT IS TRANSFORMING THE IT ASSURANCE FIELD
December 2014
KEVIN GROOM
ISACA Involvement (Middle Tennessee Chapter)
Treasurer (2009 – 2011)
Vice President (2011 – 2013)
President (2013 – present)
Education
UT Martin, B.S. in Business Administration (Economics)
UT Knoxville, M.S. in Management Science
Certifications – CISA, CISSP, CPA
IT Audit Director at HCA (8 years)
Largest healthcare provider in the US (#79 on the Fortune 100)
Also held positions as operations research analyst, statistical analyst, programmer, and consultant
ASHLEY SPANGLER
ISACA Involvement (Middle Tennessee Chapter)
Webmaster (2012 – 2013)
Marketing Director (2013 – present)
Academic Coordinator (2013 – present)
Currently a Senior Consultant at LBMC
KraftCPAs, IS Assurance Associate (8/2011 – 12/2012)
Undergraduate – TTU, Accounting with IS Concentration
Graduate – MTSU, Accounting and Information Systems
Unrelated to this presentation: I love golf
ABOUT ISACA
A non-profit, global member association of:
IT Audit and Assurance professionals
IT Security professionals
Risk & Compliance professionals
Governance professionals and more!
Nearly all industry categories: financial, public accounting, government/public sector, technology, healthcare, utilities and manufacturing
Vision: “Trust in, and value from, information and information systems”
Mission: “be the leading global provider of knowledge, certifications, community, advocacy and education”
GLOBALLY RECOGNIZED CERTIFICATIONS
Certifications for:
IT professionals whose job is to identify and manage risks through appropriate IS controls
IT governance specialists
Those responsible for auditing, monitoring, and assessing IT and/or business systems
Those who focus on security strategy and on assessing the systems and policies in place
15 TOP-PAYING CERTIFICATIONS FOR 2014
#1 Certified in Risk and Information Systems Control (CRISC) - $118,253
#2 Certified Information Security Manager (CISM) - $114,844
#3 Certified Information Systems Auditor (CISA) - $112,040
MIDDLE TENNESSEE CHAPTER
Founded in 1986
411 members
224 members have obtained Certified Information Systems Auditor (CISA)
Free events - quarterly chapter meetings, annual luncheon, and periodic socials
www.isaca.org/nashville
@isacanashville
LOCAL MEMBERSHIP
STUDENT MEMBERSHIP
Must be currently enrolled as a full-time student
Annual costs
$25 International dues ($110 savings)
No local chapter dues ($45 savings)
Attend local chapter meetings, annual meeting, and socials for FREE
ISACA offers over 70 free webinars
Also eligible to join our chapter LinkedIn group
www.isaca.org/grow
CYBERSECURITY TRENDS: The World is Changing
WHY CARE ABOUT CYBERSECURITY?
KEY TRENDS AND DRIVERS OF SECURITY
Consumerization
•Mobile devices
•Social media
•Cloud services
•Nonstandard
•Security as a Service (SECaaS)
Continual Regulatory and Compliance Pressures
• SOX
• PCI
• HIPAA
• ISO 27001
Emerging Trends
•Decrease in time to exploit
•Targeted attacks
•Advanced persistent threats (APTs)
THE WORLD IS CHANGING
ADAPTIVE ATTACK VECTORS
The threat landscape will continue to evolve: attackers adapt new and innovative attack methods to existing or newly emerging attack vectors, while defenders deploy new defense strategies in response.
WHAT IS AN ADVANCED PERSISTENT THREAT?
Advanced, stealthy and chameleon-like in their adaptability, APTs were once thought to be limited to attacks on government networks. However, APTs are now commonplace and can happen to any enterprise. Repeated pursuit of objectives, adaptation to defenders and persistence differentiate APTs from a typical attack. The primary purpose of most APTs is to extract information from systems: critical research, enterprise intellectual property or government information, among other things.
THE APT LIFE CYCLE
History shows that most sophisticated attackers, regardless of their motives, funding or control, tend to operate in a certain cycle and are extremely effective at attacking their targets.
APT MODUS OPERANDI
APTs have adapted their tactics, techniques and procedures to the typical information security architecture they find deployed. For example…
Traditional Security Practice vs. APT Modus Operandi

Traditional practice: Network boundary/perimeter devices inspect traffic content.
APT response: SSL, custom encryption, and password-protected/encrypted container files make packet content inspection difficult or impossible.

Traditional practice: Network firewalls monitor and assess traffic metadata.
APT response: Communication is initiated from within the network using standard ports and protocols (HTTP, DNS, SSL, SMTP, etc.).

Traditional practice: Host firewalls monitor and assess local traffic metadata.
APT response: The initial infection tool adds the malware to the host firewall white list.

Traditional practice: Intrusion detection and prevention systems with real-time assessment and alerting run on servers and workstations.
APT response: Communications use common ports and protocols, hiding in plain sight within obvious/allowed traffic.
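An added example, not from the presentation, showing the defensive counterpart to the last two rows: outbound requests that ride on allowed ports but recur at near-constant intervals stand out from bursty user browsing, so a periodicity check over proxy logs can surface scheduled check-ins that content inspection and port-based firewalls miss. The log lines, addresses and hostnames below are constructed for the example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines (hypothetical hosts and addresses), one request per line:
# timestamp src_ip method host:port status bytes
SAMPLE_LOG = """\
2014-12-01T09:00:00 10.1.2.30 GET mail.example.com:443 200 1530
2014-12-01T09:00:12 10.1.2.30 GET cdn.example.net:443 200 48210
2014-12-01T09:05:00 10.1.2.30 GET update.example.org:80 200 312
2014-12-01T09:07:41 10.1.2.30 GET news.example.com:443 200 9120
2014-12-01T09:10:00 10.1.2.30 GET update.example.org:80 200 298
2014-12-01T09:15:01 10.1.2.30 GET update.example.org:80 200 305
2014-12-01T09:20:00 10.1.2.30 GET update.example.org:80 200 311
2014-12-01T09:23:12 10.1.2.30 GET mail.example.com:443 200 2201
2014-12-01T09:25:00 10.1.2.30 GET update.example.org:80 200 301
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+):(\d+) (\d+) (\d+)$")

def parse(log_text):
    """Yield (src, host, port, timestamp) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the sweep
        ts, src, _method, host, port, _status, _size = m.groups()
        yield src, host, int(port), datetime.fromisoformat(ts)

def find_beacons(log_text, min_hits=4, max_jitter=0.05):
    """Return {(src, host, port): mean_gap_seconds} for flows whose
    request-to-request gaps are nearly constant (coefficient of variation
    below max_jitter). Human browsing is bursty; a scheduled check-in is not."""
    stamps_by_flow = defaultdict(list)
    for src, host, port, ts in parse(log_text):
        stamps_by_flow[(src, host, port)].append(ts)
    beacons = {}
    for flow, stamps in stamps_by_flow.items():
        if len(stamps) < min_hits:
            continue  # too few requests to judge periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean < max_jitter:
            beacons[flow] = mean
    return beacons

if __name__ == "__main__":
    for (src, host, port), gap in find_beacons(SAMPLE_LOG).items():
        print(f"periodic flow: {src} -> {host}:{port} every ~{gap:.0f}s")
```

On real logs the thresholds need tuning per environment, since legitimate software updaters and monitoring agents also poll on fixed schedules and should be baselined rather than alerted on every time.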
METHODS FOR DEFENDING AGAINST THE APT
Many enterprises implement some of the intermediate-level concepts. Because the APT and other advanced, sophisticated attackers have such a high success rate, it is recommended that every enterprise implement all of the basic concepts.
ISACA APT SURVEY
1,220 Individuals Globally (February 2014)
Because the study’s purpose was to measure information security characteristics such as knowledge of advanced persistent threats (APTs), internal controls, internal incidents, policy adherence and management support, the study surveyed those who deal with those issues every day: professionals with information security responsibilities.
Respondents are still using the wrong controls, such as antimalware, antivirus and firewalls, to defend against APTs. These aren’t effective as most of these attacks come from zero-day exploits and the attack vectors are very personalized spear-phishing attacks and now web exploits in the browser. While technology improvements are not clear, behavior is improving, with more organizations making the necessary changes in terms of incident response plans and security awareness training.
92% SAY APTS POSE A CREDIBLE THREAT TO NATIONAL SECURITY OR ECONOMIC STABILITY.
1 IN 5 HAVE EXPERIENCED AN APT ATTACK.
66% SAY IT IS LIKELY OR VERY LIKELY THAT THEIR ORGANIZATION WILL EXPERIENCE AN APT ATTACK:
Very Likely (17%)
Likely (49%)
Not Very Likely (32%)
Not At All Likely (2%)
SKILLS SHORTAGE: Security Skills Are Needed, But Most Don’t Feel They Will Have the Skills They Need
A MAJORITY OF STUDENT MEMBERS (88%) PLAN TO WORK IN A FIELD REQUIRING CYBERSECURITY KNOWLEDGE
[Bar chart] After graduation, do you plan to work in a field or job that requires some level of cybersecurity knowledge? Yes: 88%. The remaining bars (No, Unsure) read 9% and 3%.
BUT FEWER THAN HALF SAY THEY WILL HAVE ADEQUATE SKILLS FOR THE JOB
Do you feel that you will have adequate cybersecurity knowledge to do the type of job you are seeking when you graduate?
Yes (47%)
No (22%)
Unsure (29%)
I do not need cybersecurity knowledge for the job I am seeking (2%)
DO YOU PLAN TO PURSUE A CYBERSECURITY RELATED CERTIFICATE/CERTIFICATION?
Yes (74%)
Unsure (19%)
No (7%)
25 | 12/6/2014
CYBERSECURITY CAREER PATH
0-3 years (Cybersecurity Fundamentals Certificate)
Established in 2014
No experience required
Must pass knowledge-based exam
3-5 years (Cybersecurity Practitioner-level Certification)
Coming in mid-2015
5+ years (Certified Information Security Manager Certification)
25,000+ professionals certified since inception
CYBERSECURITY FUNDAMENTALS KNOWLEDGE CERTIFICATE
Knowledge-based exam for those with 0 to 3 years experience
Foundational level covers four domains:
Cybersecurity architecture principles
Security of networks, systems, applications and data
Incident response
Security implications related to adoption of emerging technologies
Price for the exam and study guide together is $185 (members)
Exam is offered online (at your convenience) and at select ISACA conferences and training events (first was in September 2014)
Content aligns with the National Initiative for Cybersecurity Education (NICE) framework and was developed by a team of ~20 cybersecurity professionals from around the world
CYBERSECURITY NEXUS
www.isaca.org/cyber
…insights and resources for the cybersecurity professional…
…cutting-edge thought leadership, training and certification programs for professionals…
…knowledge, tools, guidance and connections…
QUESTIONS
Kevin Groom
IT Audit Director
HCA
Ashley Spangler
Senior Consultant
LBMC Security & Risk Services