IMPACT OF DISRUPTIVE TECHNOLOGY CHANGE ON AUDITING
KENNETH HO, CISA, CISM, CGEIT
24 OCTOBER 2017

The Future - Introduction
The 7 most expensive words in business:
“We have always done it that way”
The Future - Not Adapting Means Extinction (1/2)
The Dominators … but what happened
Nokia: from 1998 to 2008, Nokia was the global leader in mobile phones. Nokia sold to Microsoft in 2013 … Now, smartphones are dominated by Apple, Samsung, Huawei; the Nokia brand name discarded.
Kodak: from 1888 to the 1990s, Kodak dominated the film & camera business. Kodak filed for bankruptcy in 2012 … Now, digital cameras are dominated by Canon & Nikon.
© ISACA 2017
The Future - Not Adapting Means Extinction (2/2)
The Dominators … but what happened
Blockbuster: at its peak in 2004, they had >9,000 stores. Blockbuster filed for bankruptcy in 2010 … Now, on-demand video streaming has become the norm.
Borders: at its peak in 2003, they had >1,200 stores. Borders filed for bankruptcy in 2011 … Now, <10% of books sold via independent bookstores; Amazon holds 65% e-book market share.
The Future - No Shortage of New, Aggressive Competitors
The world’s largest taxi company … owns no vehicles
The world’s most popular media owner … creates no content
The most valuable retailer … has no inventory
The world’s largest accommodation provider … owns no real estate
Source: http://www.independent.co.uk/news/business/comment/hamish-mcrae/facebook-airbnb-uber-and-the-unstoppable-rise-of-the-content-non-generators-10227207.html
Disruptive Technology - Definition
A technology that significantly alters the way that businesses operate. A disruptive technology may force companies to alter the way that they approach their business, or risk losing market share or becoming irrelevant.
Recent examples of disruptive technologies include smart phones and e-commerce retailing. Clayton Christensen popularized the idea of disruptive technologies in the book “The Innovator's Dilemma” in 1997.
Source: http://www.investopedia.com/terms/d/disruptive-technology.asp
Disruptive Technology – 3 ingredients
• Enabling Technology
+ invention or innovation, affordable and accessible
• Innovative business model
+ targets non-consumers or low-end consumers
• Coherent value network
+ upstream and downstream suppliers, partners, distributors and customers are better off when the disruptive technology prospers
Source: https://chapters.theiia.org/IIA%20Canada/Thought%20Leadership%20Documents/Disruptive-Technologies-What-is-it-for-Internal-Auditors.pdf
12 Disruptive Technologies
Source: http://thumbnails.visually.netdna-cdn.com/mckinsey-global-institute-12-disruptive-technologies_5277d72d35513_w1500.png

What are the 12 disruptive technologies?
Source: https://www.mckinsey.com/business-functions/digital-mckinsey/our-insights/disruptive-technologies
With Disruptive Technologies comes greater risks - IoTs
Source: https://intel.malwaretech.com/botnet/mirai
21 Oct 2016: 145,607 (5% of IoT) cameras in the Dyn attack: 1TBps, about 1,200 websites down?
If 2,717,774 IoT devices attack: 20 TB?? 24,000 websites down???
4 Nov 2016: Massive 'test' cyberattacks using Mirai botnet temporarily knock out Liberia's Internet
With Disruptive Technologies comes greater risks – Autonomous Driving
Source: http://www.bbc.com/news/technology-33650491

With Disruptive Technologies comes greater risks – 3D Printing
Source: https://www.techrepublic.com/article/3d-printing-hack-researchers-crash-drone-with-sabotaged-propeller/

With Disruptive Technologies comes greater risks – Cloud Computing
Source: https://www.scmagazine.com/no-accounting-for-this-deloittes-email-server-reportedly-breached/article/695503/
Rethinking the role of Internal Audit
• identify your threat landscape: assets, threat actors, and threats
• assess defense and determine relevancy of attacks
• audit and test defenses and technical controls
• communicate and collaborate with other lines of defense and audit committee
Source: https://www.slideshare.net/naanders/2016-isaca-nacacs-audit-as-an-impact-player-for-cybersecurity
Part 1: Identify your Threat Landscape: Asset
what are your crown jewels?
Source: https://www.slideshare.net/naanders/2016-isaca-nacacs-audit-as-an-impact-player-for-cybersecurity
Identify your Threat Landscape: Asset
where are your crown jewels?
“an organization cannot properly protect [assets] it does not know about.” - NIST¹
where they live: points of entry, databases, servers, staging, warehouse, third parties, cloud, unstructured data, reports
¹ NIST Protecting PII: http://1.usa.gov/1DgxrRy
Source: https://www.slideshare.net/naanders/2016-isaca-nacacs-audit-as-an-impact-player-for-cybersecurity
Identify your Threat Landscape: Threat Actors
threat actors are relevant based on:
- assets
- industry
relevant external threat actors: nation states, hacktivists, criminal organizations, terrorists
relevant internal & third party threat actors: individuals (internal & external)
attack origination¹: external 80%+, internal 17%, partner 3%
¹ verizon data breach investigations report: http://vz.to/1ILoZPv
Source: https://www.slideshare.net/naanders/2016-isaca-nacacs-audit-as-an-impact-player-for-cybersecurity
Threat Actor Sophistication
advanced persistent threats
• Highly knowledgeable, highly funded
• Looking for targets of value
• Example: Lulzsec, Stuxnet, Nation Sponsored
targeted attacks
• Advanced attacks with specific targets
• Worms, Application Vulnerabilities
• Example: Conficker, Sasser
“script kiddies”
• Leverage widely available tools
• Look for targets of opportunity
• Example: Website defacement
insider threats
• Employee, partners, contractors
• Typically highest likelihood of monetary impact
• Example: WikiLeaks
Source: https://www.slideshare.net/naanders/2016-isaca-nacacs-audit-as-an-impact-player-for-cybersecurity
# of breaches by Threat Actor Motive
¹ verizon dbir 2016: http://vz.to/1Svr72f
Source: https://www.slideshare.net/naanders/2016-isaca-nacacs-audit-as-an-impact-player-for-cybersecurity
Identify your threat landscape - Threats
phishing, data leakage, credentials, trojan, backdoor, command & control, malware
Source: https://www.slideshare.net/naanders/2016-isaca-nacacs-audit-as-an-impact-player-for-cybersecurity
Threats – Data Leakage
data leakage channels: internet, third parties, shares, email, printers, intranet, applications, backups, media, database, local files
Source: https://www.slideshare.net/naanders/2016-isaca-nacacs-audit-as-an-impact-player-for-cybersecurity
Threats – Phishing Scenario Example
1. user receives phishing email; clicks attachment
2. malware installed that enables a backdoor
3. communication between user system & attacker
4. attacker scans network for targets, lateral movement
Source: https://www.slideshare.net/naanders/2016-isaca-nacacs-audit-as-an-impact-player-for-cybersecurity
Part 2: Assess Defense
Initial Point of Entry: The point of entry represents how the attacker obtains initial access. Examples could include social engineering, unpatched Internet-accessible systems, or weak passwords on externally accessible systems.
Pivot Point: The initial access typically does not provide the information the attacker is looking for. They will leverage the access they do have to try to increase their authority on the network. This could occur through shared passwords, unpatched systems, or excessive privileges.
Fortify Access and Access Data: As the attacker pivots around the network, they continue to attempt to escalate their authority until they have the necessary access. They will typically fortify their access by installing malware or backdoors to maintain access. Persistent administrator access is the end goal.
Data Exfiltration: Once the attacker has data, they need to get it out of the network. This can be completed through a variety of vehicles, such as email or FTP. This has forced the approach to information security to mature from focusing only on prevention to include detection and response.
Source: https://www.slideshare.net/naanders/2016-isaca-nacacs-audit-as-an-impact-player-for-cybersecurity
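The stages above are what an auditor assesses detection against. The following is an added example, not code from the slides or from the cited deck, of three log-review checks that correspond to them: outbound connections recurring at a near-constant interval (consistent with a backdoor's command & control), one host contacting many internal hosts on a single port within a short window (pivoting/scanning for targets), and a large outbound transfer to one external host (exfiltration). The one-line-per-connection log format, the 10.0.0.0/8 internal range, all addresses and the thresholds are illustrative assumptions, and the sample log is constructed.

```python
"""Added example (not from the original slides): detection checks for the
attack-chain stages described on the slide, run over a constructed
connection log. Log format, addresses, internal range and thresholds are
illustrative assumptions."""
from collections import defaultdict
from statistics import mean, pstdev
import ipaddress

# Assumption: the organization's internal address space is 10.0.0.0/8.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample log, one connection per line:
# "<epoch_seconds> <src_ip> <dst_ip> <dst_port> <bytes_out>"
SAMPLE_LOG = "\n".join(
    # fortify access: a backdoor checks in with its C2 host every 300 s
    [f"{1000 + 300 * i} 10.0.1.15 203.0.113.9 443 {500 + i}" for i in range(5)]
    # pivot: the same host touches twelve internal hosts on SMB within 12 s
    + [f"{2210 + i} 10.0.1.15 10.0.2.{4 + i} 445 120" for i in range(12)]
    # exfiltration: 50 MB pushed out over FTP
    + ["2500 10.0.1.15 198.51.100.7 21 52428800"]
    # a benign host: two ordinary HTTPS sessions
    + ["1050 10.0.1.22 203.0.113.50 443 2048", "1700 10.0.1.22 203.0.113.51 443 4096"]
)


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_log(text):
    """Parse log lines into (ts, src, dst, port, bytes_out) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, port, nbytes = line.split()
            events.append((int(ts), src, dst, int(port), int(nbytes)))
    return sorted(events)


def find_beacons(events, min_connections=5, max_jitter=0.1):
    """Flag internal->external (src, dst) pairs whose connections recur at
    near-constant intervals: a pattern consistent with backdoor C2 traffic."""
    times = defaultdict(list)
    for ts, src, dst, _, _ in events:
        if is_internal(src) and not is_internal(dst):
            times[(src, dst)].append(ts)
    beacons = []
    for pair, ts_list in times.items():
        if len(ts_list) < min_connections:
            continue
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            beacons.append(pair)
    return sorted(beacons)


def find_lateral_scans(events, min_hosts=10, window=60):
    """Flag a source that contacts at least min_hosts distinct internal hosts
    on one port inside `window` seconds: consistent with scanning for pivot targets."""
    per_src = defaultdict(list)
    for ts, src, dst, port, _ in events:
        if is_internal(src) and is_internal(dst) and src != dst:
            per_src[(src, port)].append((ts, dst))
    scans = []
    for (src, port), hits in per_src.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            hosts = {dst for ts, dst in hits[i:] if ts - start <= window}
            if len(hosts) >= min_hosts:
                scans.append((src, port, len(hosts)))
                break
    return sorted(scans)


def find_bulk_exfil(events, threshold_bytes=10 * 1024 * 1024):
    """Flag internal->external pairs that moved more than threshold_bytes out."""
    totals = defaultdict(int)
    for _, src, dst, _, nbytes in events:
        if is_internal(src) and not is_internal(dst):
            totals[(src, dst)] += nbytes
    return sorted((src, dst, n) for (src, dst), n in totals.items() if n > threshold_bytes)


def analyse(text):
    """Run all three checks over a log and return the findings per stage."""
    events = parse_log(text)
    return {"beacons": find_beacons(events),
            "lateral_scans": find_lateral_scans(events),
            "bulk_exfil": find_bulk_exfil(events)}


if __name__ == "__main__":
    for stage, hits in analyse(SAMPLE_LOG).items():
        print(stage, hits)
```

Each check is deliberately simple so that the auditor can read what the control does and reason about its false positives: a patch-management agent also beacons at fixed intervals, a vulnerability scanner also touches many hosts on one port, and backups also move large volumes, so each finding is a lead to reconcile against an allow-list of known systems rather than a verdict.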
Assess Relevancy – Attack Scenarios & Patterns
over the previous three years, just 12 attack scenarios represent over 60% of our investigations:
social engineering, financial pretexting, insider threat, usb infection, peripheral tampering, rogue connection, logic switch, sql injection, cms compromise, backdoor access, ram scraping, credential theft
“while we saw many changes in the threat landscape the last 12 months, [9] patterns still covered the vast majority of incidents (96%).”
pos intrusions, web application attacks, cyberespionage, crimeware, insider/privilege misuse, payment card skimmers, miscellaneous errors, physical theft & loss, denial of service
Source: https://www.slideshare.net/naanders/2016-isaca-nacacs-audit-as-an-impact-player-for-cybersecurity
Assess Threat Relevancy – Top Patterns
[chart] frequency of incident patterns across all security incidents¹
[chart] frequency of incident patterns with confirmed data breaches¹
¹ verizon dbir 2015: http://vz.to/1ILoZPv
Source: https://www.slideshare.net/naanders/2016-isaca-nacacs-audit-as-an-impact-player-for-cybersecurity
# Of Breaches Per Threat Action Type¹
top 5:
- C2 (malware)
- use of stolen creds
- export data (malware)
- use of backdoor or C2
- phishing (social)
¹ verizon dbir 2016: http://vz.to/1Svr72f
Source: https://www.slideshare.net/naanders/2016-isaca-nacacs-audit-as-an-impact-player-for-cybersecurity
Part 3: Audit & Test – Identification of sensitive assets
focus on completeness of inventory during data security audits:
- create data flows
- create system & asset inventory
- hold management accountable for upkeep
“entity should confirm the accuracy of their PCI DSS scope by identifying all locations and flows of cardholder data, and identify all systems that are connected to or, if compromised, could impact the CDE.” – PCI DSS 3.1
Source: https://www.slideshare.net/naanders/2016-isaca-nacacs-audit-as-an-impact-player-for-cybersecurity
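As an added example of the completeness test this slide calls for (it is not tooling from the slides, the cited deck or PCI DSS), the script below reconciles a constructed system & asset inventory against hosts observed on the network and against constructed cardholder-data flows. It reports hosts the inventory does not know about, entries that are no longer observed or have no owner, systems that send or receive cardholder data but are not marked as CDE scope, and entries management has not re-confirmed within a year. Host names, record formats, the flows and the one-year review interval are assumptions; the 24 October 2017 reference date is the talk date.

```python
"""Added example (not from the original slides): inventory-completeness
checks for a data security audit, run over constructed records. Host names,
record formats, data flows and the review interval are assumptions."""
from datetime import date

# Constructed system & asset inventory as maintained by management.
INVENTORY = [
    {"host": "pos-01",       "owner": "retail-ops", "in_cde": True,  "last_reviewed": "2017-09-01"},
    {"host": "web-01",       "owner": "digital",    "in_cde": True,  "last_reviewed": "2017-08-20"},
    {"host": "erp-db-01",    "owner": "finance-it", "in_cde": False, "last_reviewed": "2017-03-15"},
    {"host": "old-batch-03", "owner": "",           "in_cde": False, "last_reviewed": "2016-01-10"},
]

# Constructed set of hosts actually observed on the network (e.g. from a discovery scan).
OBSERVED_HOSTS = {"pos-01", "web-01", "erp-db-01", "staging-07", "warehouse-nas"}

# Constructed data flows: which host sends which class of data to which host.
DATA_FLOWS = [
    {"src": "pos-01",    "dst": "web-01",        "data": "cardholder"},
    {"src": "web-01",    "dst": "erp-db-01",     "data": "cardholder"},  # CHD reaching a non-CDE host
    {"src": "erp-db-01", "dst": "warehouse-nas", "data": "pii"},
]


def unknown_assets(inventory, observed):
    """Hosts seen on the network that the inventory does not know about."""
    known = {rec["host"] for rec in inventory}
    return sorted(observed - known)


def stale_entries(inventory, observed):
    """Inventory entries that were not observed on the network or have no owner."""
    return sorted(rec["host"] for rec in inventory
                  if rec["host"] not in observed or not rec["owner"])


def cde_scope_gaps(inventory, flows):
    """Hosts that send or receive cardholder data but are not marked in CDE scope."""
    in_scope = {rec["host"] for rec in inventory if rec["in_cde"]}
    touching = set()
    for flow in flows:
        if flow["data"] == "cardholder":
            touching.update((flow["src"], flow["dst"]))
    return sorted(touching - in_scope)


def overdue_reviews(inventory, as_of, max_age_days=365):
    """Entries management has not re-confirmed within max_age_days of as_of."""
    cutoff = date.fromisoformat(as_of)
    return sorted(rec["host"] for rec in inventory
                  if (cutoff - date.fromisoformat(rec["last_reviewed"])).days > max_age_days)


def audit_report(inventory, observed, flows, as_of):
    """Collect all four findings into one report for the audit workpapers."""
    return {
        "unknown_assets": unknown_assets(inventory, observed),
        "stale_entries": stale_entries(inventory, observed),
        "cde_scope_gaps": cde_scope_gaps(inventory, flows),
        "overdue_reviews": overdue_reviews(inventory, as_of),
    }


if __name__ == "__main__":
    report = audit_report(INVENTORY, OBSERVED_HOSTS, DATA_FLOWS, "2017-10-24")
    for finding, hosts in report.items():
        print(f"{finding}: {hosts}")
```

The two inputs the inventory is reconciled against (what is actually on the network, and where sensitive data actually flows) are independent of the inventory itself; that independence is what makes the check a completeness test rather than a re-reading of management's own records.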
Audit & Test – Align with Security Frameworks
example security frameworks: COBIT, ISO 2700X, NIST or OCTAVE
COBIT 5
- more focus on alignment with business goals, governance roles (2nd & 3rd line of defense)
- control set (no risk language)
- maps to ISO 27001, NIST CSF
ISO 27001/27002
- controls have wider coverage than NIST CSF
- accepted standard in many countries
- supports certification process
- maps to NIST CSF, COBIT
NIST cybersecurity framework
- subset of verbose SP 800-53 NIST framework
- control set (no risk language)
- detailed guidance for technical controls
- maps to ISO 27001, COBIT
- many publications
OCTAVE allegro
- risk-based approach
- aligns with NIST risk assessment publication SP 800-39
- provides steps, worksheets, questionnaires; not a control framework
Source: https://www.slideshare.net/naanders/2016-isaca-nacacs-audit-as-an-impact-player-for-cybersecurity
Audit & Test – Assess Measurement Capability
matrix of risk & control activities (rows) against data types (columns)
data types: Intellectual Property; Cardholder (PCI); Health (ePHI); Employee (PII); Customer (PII); Financial (SOX)
risk & control activities:
- System & Asset Inventory
- Third Party Inventory
- Identify & Classify Risks
- Define Control Requirements
- Identify Existing Controls
- Control Assessment
- Measure Residual Risks
- Identify & Manage Incidents
Source: https://www.slideshare.net/naanders/2016-isaca-nacacs-audit-as-an-impact-player-for-cybersecurity
Audit & Test – Across the Attack Chain
layers: Internet, Application, Infrastructure, Endpoint
components: Third Party, Firewall, Remote Users, Mobile Devices, Web Application, Applications, Network, Employees, Workstations, Servers, Printers, Cloud, Database
Source: https://www.slideshare.net/naanders/2016-isaca-nacacs-audit-as-an-impact-player-for-cybersecurity
Audit & Test – Social Engineering Audit
malicious email filtering
- blocking sufficient % of malicious emails
- filters updated based on incidents
phishing incident management
- accurate, complete list of incidents
- analysis of nature and severity
- remediation effective & complete; includes cleaning user systems, blocking at network-level, identifying any command & control activity
security awareness program
- evaluate effectiveness & reach of training & communications
- determine how effectiveness of program is evaluated
Source: https://www.slideshare.net/naanders/2016-isaca-nacacs-audit-as-an-impact-player-for-cybersecurity
Audit & Test – Phishing Simulations
1. email ploy crafted by audit (similar to actual)
2. phishing engine selects appropriate random targets across areas of organization
3. measure % that click, open, provide credentials
4. repeat different ploys regularly, collecting stats
- % open email (30% avg.¹)
- % open link / attachment (12% avg.)
- % report suspicious email (3% avg.)
- track % over time
- track % by area
- adjust awareness program
¹ verizon dbir 2016: http://vz.to/1Svr72f
Source: https://www.slideshare.net/naanders/2016-isaca-nacacs-audit-as-an-impact-player-for-cybersecurity
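The statistics collected in step 4 are the audit's evidence. The following added example, not code from the slides or the cited deck, computes them from constructed campaign results: rates per area and per campaign, the areas whose click rate is above the 12% average quoted on the slide, and whether the click rate fell between campaigns. The area names, the quarterly campaign labels and every count are constructed; the baseline figures are the averages the slide cites.

```python
"""Added example (not from the original slides): phishing-simulation
statistics of the kind step 4 collects, computed from constructed campaign
results. Area names, campaign labels and all counts are constructed."""
from collections import defaultdict

# Constructed results, one row per (campaign, area):
# (campaign, area, sent, opened, clicked, credentials, reported)
CAMPAIGNS = [
    ("2017-Q1", "finance",     40, 14, 7, 3, 1),
    ("2017-Q1", "engineering", 60, 15, 5, 1, 6),
    ("2017-Q2", "finance",     40, 10, 4, 1, 3),
    ("2017-Q2", "engineering", 60, 12, 3, 0, 9),
]
METRICS = ("opened", "clicked", "credentials", "reported")

# Averages quoted on the slide (Verizon DBIR 2016): open email 30%,
# open link/attachment 12%, report suspicious email 3%.
BASELINE = {"opened": 0.30, "clicked": 0.12, "reported": 0.03}


def rates(rows):
    """Rate of each outcome over all messages sent in the given rows."""
    sent = sum(r[2] for r in rows)
    totals = {m: sum(r[3 + i] for r in rows) for i, m in enumerate(METRICS)}
    return {m: totals[m] / sent for m in METRICS}


def rates_by(rows, key):
    """Rates grouped by 'campaign' (trend over time) or 'area' (by part of the organization)."""
    idx = 0 if key == "campaign" else 1
    groups = defaultdict(list)
    for r in rows:
        groups[r[idx]].append(r)
    return {g: rates(rs) for g, rs in sorted(groups.items())}


def areas_above_baseline(rows, metric="clicked"):
    """Areas whose rate for `metric` exceeds the cited average: candidates for
    extra awareness work (meaningful for opened/clicked, where lower is better)."""
    return sorted(a for a, r in rates_by(rows, "area").items() if r[metric] > BASELINE[metric])


def trend(rows, metric="clicked"):
    """(campaign, rate) pairs in campaign order, rounded for reporting."""
    return [(c, round(r[metric], 4)) for c, r in rates_by(rows, "campaign").items()]


def improving(rows, metric="clicked"):
    """True when the latest campaign's rate is below the first one's
    (for metrics where lower is better, such as opened or clicked)."""
    series = trend(rows, metric)
    return series[-1][1] < series[0][1]


if __name__ == "__main__":
    print("by area:", rates_by(CAMPAIGNS, "area"))
    print("click trend:", trend(CAMPAIGNS), "improving:", improving(CAMPAIGNS))
    print("areas above baseline click rate:", areas_above_baseline(CAMPAIGNS))
```

Tracking the reporting rate alongside the click rate matters: a rising share of users who report the simulated email is evidence that the awareness program is working even in quarters where the click rate moves little.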
Information Security Audits to Consider
- cloud & data lake governance
- it asset management
- security vulnerabilities & patching assessment
- network segmentation assessment
- penetration testing
- information security overall assessment
- security logging & event detection
- phishing & security awareness
- program assessments: PCI & PHI
- firewall ruleset assessment
- web & mobile application assessment
Source: https://www.slideshare.net/naanders/2016-isaca-nacacs-audit-as-an-impact-player-for-cybersecurity
Part 4: Relevant Communications To Leaders
3rd line of defense: what are you communicating to the audit committee, security, IT, and the business about cybersecurity?
Source: https://www.slideshare.net/naanders/2016-isaca-nacacs-audit-as-an-impact-player-for-cybersecurity
Opportunities for auditors in an Age of Disruptive Change
Source: https://chapters.theiia.org/IIA%20Canada/Thought%20Leadership%20Documents/Disruptive-Technologies-What-is-it-for-Internal-Auditors.pdf
• Governance Structure
+ corporate culture, tone at the top, risk appetite (Uber and Airbnb) – focus on public issues of the day
• Accountability and responsibility
+ clear definition of the roles and responsibilities of the players within the disrupter enterprise
• Status of New Regulations to Address Disruptive Apps
+ paying attention to the development of new regulations or exposure drafts that address the most pervasive/disruptive Apps
Questions to Ask
Source: https://chapters.theiia.org/IIA%20Canada/Thought%20Leadership%20Documents/Disruptive-Technologies-What-is-it-for-Internal-Auditors.pdf
• How vulnerable is your industry / sector as a disrupter’s target?
• What is the tone at the top regarding the strategic significance of disruptive technology?
• What is the entity’s technology risk appetite?
• What are the current pressing governance issues for disrupter companies in media?
• Are major business decisions solely grounded in solid analysis of past data?
Are Disruptive Technologies on your playlist?
Source: https://chapters.theiia.org/IIA%20Canada/Thought%20Leadership%20Documents/Disruptive-Technologies-What-is-it-for-Internal-Auditors.pdf
• To stay current in an age of rapid disruptive change is daunting
• To put knowledge to practical use is even more daunting
• There are more questions than answers
• To participate and contribute to the answers, we have to be in the game.
Thank You!