IMPACT OF DISRUPTIVE TECHNOLOGY CHANGE ON AUDITING

Kenneth Ho, CISA, CISM, CGEIT, 24 October 2017

TRANSCRIPT (38 slides)

Page 1: Title slide (IMPACT OF DISRUPTIVE TECHNOLOGY CHANGE ON AUDITING, Kenneth Ho, CISA, CISM, CGEIT, 24 October 2017)

Page 2: The Future - Introduction

The 7 most expensive words in business: “We have always done it that way”

Page 3: The Future - Not Adapting Means Extinction (1/2)

The Dominators … but what happened

• From 1998 to 2008, Nokia was the global leader in mobile phones. Nokia sold to Microsoft in 2013 … Now smartphones are dominated by Apple, Samsung, Huawei; the Nokia brand name has been discarded.
• From 1888 to the 1990s, Kodak dominated the film & camera business. Kodak filed for bankruptcy in 2012 … Now digital cameras are dominated by Canon & Nikon.

© ISACA 2017

Page 4: The Future - Not Adapting Means Extinction (2/2)

The Dominators … but what happened

• Blockbuster: at its peak in 2004, they had >9,000 stores. Blockbuster filed for bankruptcy in 2010 … Now on-demand video streaming has become the norm.
• Borders: at its peak in 2003, they had >1,200 stores. Borders filed for bankruptcy in 2011 … Now <10% of books are sold via independent bookstores; Amazon holds 65% e-book market share.

Page 5: The Future - No Shortage of New, Aggressive Competitors

• The world’s largest taxi company … owns no vehicles
• The world’s most popular media owner … creates no content
• The most valuable retailer … has no inventory
• The world’s largest accommodation provider … owns no real estate

Source: http://www.independent.co.uk/news/business/comment/hamish-mcrae/facebook-airbnb-uber-and-the-unstoppable-rise-of-the-content-non-generators-10227207.html

Page 6: Disruptive Technology - Definition

A technology that significantly alters the way that businesses operate. A disruptive technology may force companies to alter the way that they approach their business, risk losing market share or risk becoming irrelevant. Recent examples of disruptive technologies include smart phones and e-commerce retailing. Clayton Christensen popularized the idea of disruptive technologies in the book “The Innovator's Dilemma” in 1997.

Source: http://www.investopedia.com/terms/d/disruptive-technology.asp

Page 7: Disruptive Technology – 3 ingredients

• Enabling Technology
+ invention or innovation, affordable and accessible
• Innovative business model
+ targets non-consumers or low-end consumers
• Coherent value network
+ upstream and downstream suppliers, partners, distributors and customers are better off when the disruptive technology prospers

Source: https://chapters.theiia.org/IIA%20Canada/Thought%20Leadership%20Documents/Disruptive-Technologies-What-is-it-for-Internal-Auditors.pdf

Page 8: 12 Disruptive Technologies (infographic)

Source: http://thumbnails.visually.netdna-cdn.com/mckinsey-global-institute-12-disruptive-technologies_5277d72d35513_w1500.png

Page 9: What are the 12 disruptive technologies?

Source: https://www.mckinsey.com/business-functions/digital-mckinsey/our-insights/disruptive-technologies

Page 10: With Disruptive Technologies comes greater risks - IoTs

21 Oct 2016: 145,607 (5% of IoT) cameras in the DYN attack: 1 TBps; about 1,200 websites down?
If 2,717,774 IoT attack: 20 TB?? 24,000 websites down???
4 Nov 2016: Massive 'test' cyberattacks using Mirai botnet temporarily knock out Liberia's Internet

Source: https://intel.malwaretech.com/botnet/mirai

Page 11: With Disruptive Technologies comes greater risks – Autonomous Driving

Source: http://www.bbc.com/news/technology-33650491

Page 12: With Disruptive Technologies comes greater risks – 3D Printing

Source: https://www.techrepublic.com/article/3d-printing-hack-researchers-crash-drone-with-sabotaged-propeller/

Page 13: With Disruptive Technologies comes greater risks – Cloud Computing

Source: https://www.scmagazine.com/no-accounting-for-this-deloittes-email-server-reportedly-breached/article/695503/

Page 14: Rethinking the role of Internal Audit

• identify your threat landscape: assets, threat actors, and threats
• assess defense and determine relevancy of attacks
• audit and test defenses and technical controls
• communicate and collaborate with other lines of defense and audit committee

Source: https://www.slideshare.net/naanders/2016-isaca-nacacs-audit-as-an-impact-player-for-cybersecurity

Page 15: Part 1: Identify your Threat Landscape: Asset

what are your crown jewels?

Source: https://www.slideshare.net/naanders/2016-isaca-nacacs-audit-as-an-impact-player-for-cybersecurity

Page 16: Identify your Threat Landscape: Asset

where are your crown jewels?

“an organization cannot properly protect [assets] it does not know about.” - NIST¹

Diagram of where the crown jewels may reside: points of entry, databases, servers, staging, warehouse, third parties, cloud, unstructured, reports.

¹ NIST Protecting PII: http://1.usa.gov/1DgxrRy

Source: https://www.slideshare.net/naanders/2016-isaca-nacacs-audit-as-an-impact-player-for-cybersecurity

Page 17: Identify your Threat Landscape: Threat Actors

relevant external threat actors are relevant based on:
- assets
- industry

Threat actors shown: nation states, hacktivists, criminal organizations, terrorists, individuals (internal & external)

relevant internal & third party threat actors

attack origination¹: external 80%+, internal 17%, partner 3%

¹ verizon data breach investigations report: http://vz.to/1ILoZPv

Source: https://www.slideshare.net/naanders/2016-isaca-nacacs-audit-as-an-impact-player-for-cybersecurity

Page 18: Threat Actor Sophistication

advanced persistent threats
• Highly knowledgeable, highly funded
• Looking for targets of value
• Example: Lulzsec, Stuxnet, Nation Sponsored

targeted attacks
• Advanced attacks with specific targets
• Worms, Application Vulnerabilities
• Example: Conficker, Sasser

“script kiddies”
• Leverage widely available tools
• Look for targets of opportunity
• Example: Website defacement

insider threats
• Employee, partners, contractors
• Typically highest likelihood of monetary impact
• Example: WikiLeaks

Source: https://www.slideshare.net/naanders/2016-isaca-nacacs-audit-as-an-impact-player-for-cybersecurity

Page 19: # of breaches by Threat Actor Motive (chart¹)

¹ verizon dbir 2016: http://vz.to/1Svr72f

Source: https://www.slideshare.net/naanders/2016-isaca-nacacs-audit-as-an-impact-player-for-cybersecurity

Page 20: Identify your threat landscape - Threats

Threats shown: phishing, data leakage, credentials, trojan, backdoor, command & control, malware

Source: https://www.slideshare.net/naanders/2016-isaca-nacacs-audit-as-an-impact-player-for-cybersecurity

Page 21: Threats – Data Leakage

Data leakage channels shown: internet, third parties, shares, email, printers, intranet, applications, backups, media, database, local files

Source: https://www.slideshare.net/naanders/2016-isaca-nacacs-audit-as-an-impact-player-for-cybersecurity

Page 22: Threats – Phishing Scenario Example

1. user receives phishing email; clicks attachment
2. malicious malware installed that enables backdoor
3. communication between user system & attacker
4. attacker scans network for targets, lateral movement

Source: https://www.slideshare.net/naanders/2016-isaca-nacacs-audit-as-an-impact-player-for-cybersecurity

Page 23: Part 2: Assess Defense

Initial Point of Entry: The Point of Entry represents how the attacker obtains initial access. Examples could include social engineering, unpatched Internet-accessible systems, or weak passwords on externally accessible systems.

Pivot Point: The initial access typically does not provide the information the attacker is looking for. They will leverage the access they do have to try to increase authority on the network. This could occur through shared passwords, unpatched systems, or excessive privileges.

Fortify Access and Access Data: As the attacker pivots around the network, they continue to attempt to escalate their authority until they have the necessary access. They will typically fortify their access by installing malware or backdoors to maintain access. Persistent Administrator access is the end goal.

Data Exfiltration: Once the attacker has data, they need to get it out of the network. This can be completed through a variety of vehicles, such as email or FTP. This has forced the maturity in the approach to Information Security from only focusing on prevention to include detection and response.

Source: https://www.slideshare.net/naanders/2016-isaca-nacacs-audit-as-an-impact-player-for-cybersecurity

Page 24: Assess Relevancy – Attack Scenarios & Patterns

12 attack scenarios: social engineering, financial pretexting, insider threat, usb infection, peripheral tampering, rogue connection, logic switch, sql injection, cms compromise, backdoor access, ram scraping, credential theft

over the previous three years, just 12 attack scenarios represent over 60% of our investigations.

9 incident patterns: pos intrusions, web application attacks, cyberespionage, crimeware, insider/privilege misuse, payment card skimmers, miscellaneous errors, physical theft & loss, denial of service

“while we saw many changes in the threat landscape the last 12 months, [9] patterns still covered the vast majority of incidents (96%).”

Source: https://www.slideshare.net/naanders/2016-isaca-nacacs-audit-as-an-impact-player-for-cybersecurity

Page 25: Assess Threat Relevancy – Top Patterns

Two charts: frequency of incident patterns across all security incidents¹; frequency of incident patterns with confirmed data breaches¹

¹ verizon dbir 2015: http://vz.to/1ILoZPv

Source: https://www.slideshare.net/naanders/2016-isaca-nacacs-audit-as-an-impact-player-for-cybersecurity

Page 26: # Of Breaches Per Threat Action Type

top 5¹:
- C2 (malware)
- use of stolen creds
- export data (malware)
- use of backdoor or C2
- phishing (social)

¹ verizon dbir 2016: http://vz.to/1Svr72f

Source: https://www.slideshare.net/naanders/2016-isaca-nacacs-audit-as-an-impact-player-for-cybersecurity

Page 27: Part 3: Audit & Test – Identification of sensitive assets

focus on completeness of inventory during data security audits
- create data flows
- create system & asset inventory
- hold management accountable for upkeep

“entity should confirm the accuracy of their PCI DSS scope by identifying all locations and flows of cardholder data, and identify all systems that are connected to or, if compromised, could impact the CDE.” – PCI DSS 3.1

Source: https://www.slideshare.net/naanders/2016-isaca-nacacs-audit-as-an-impact-player-for-cybersecurity

Page 28: Audit & Test – Align with Security Frameworks

example security frameworks: COBIT, ISO 2700X, NIST or OCTAVE

COBIT 5
- more focus on alignment with business goals, governance roles (2nd & 3rd line of defense)
- control set (no risk language)
- maps to ISO 27001, NIST CSF

ISO 27001/27002
- controls have wider coverage than NIST CSF
- accepted standard in many countries
- supports certification process
- Maps to NIST CSF, COBIT

NIST cybersecurity framework
- subset of verbose SP 800-53 NIST framework
- control set (no risk language)
- detailed guidance for technical controls
- Maps to ISO 27001, COBIT
- many publications

OCTAVE Allegro
- risk-based approach
- aligns with NIST risk assessment publication SP 800-39
- Provides steps, worksheets, questionnaires; not a control framework

Source: https://www.slideshare.net/naanders/2016-isaca-nacacs-audit-as-an-impact-player-for-cybersecurity

Page 29: Audit & Test – Assess Measurement Capability

Matrix of risk & control activities (rows) against data types (columns).

Data types: Intellectual Property; Cardholder (PCI); Health (ePHI); Employee (PII); Customer (PII); Financial (SOX)

Risk & control activities:
- System & Asset Inventory
- Third Party Inventory
- Identify & Classify Risks
- Define Control Requirements
- Identify Existing Controls
- Control Assessment
- Measure Residual Risks
- Identify & Manage Incidents

Source: https://www.slideshare.net/naanders/2016-isaca-nacacs-audit-as-an-impact-player-for-cybersecurity

Page 30: Audit & Test – Across the Attack Chain

Layers: Internet, Application, Infrastructure, Endpoint

Components shown: Third Party, Firewall, Remote Users, Mobile Devices, Web Application, Applications, Network, Employees, Workstations, Servers, Printers, Cloud, Database

Source: https://www.slideshare.net/naanders/2016-isaca-nacacs-audit-as-an-impact-player-for-cybersecurity

Page 31: Audit & Test – Social Engineering Audit

malicious email filtering
- blocking sufficient % of malicious emails
- filters updated based on incidents

phishing incident management
- accurate, complete list of incidents
- analysis of nature and severity
- remediation effective & complete; includes cleaning user systems, blocking at network-level, identifying any command & control activity

security awareness program
- evaluate effectiveness & reach of training & communications
- determine how effectiveness of program is evaluated

Source: https://www.slideshare.net/naanders/2016-isaca-nacacs-audit-as-an-impact-player-for-cybersecurity

Page 32: Audit & Test – Phishing Simulations

1. email ploy crafted by audit (similar to actual)
2. phishing engine selects appropriate random targets across areas of organization
3. measure % that click, open, provide credentials
4. repeat different ploys regularly, collecting stats

- % open email (30% avg.¹)
- % open link / attachment (12% avg.)
- % report suspicious email (3% avg.)
- track % over time
- track % by area
- adjust awareness program

¹ verizon dbir 2016: http://vz.to/1Svr72f

Source: https://www.slideshare.net/naanders/2016-isaca-nacacs-audit-as-an-impact-player-for-cybersecurity
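The measurement loop on this slide (measure who opens, clicks, provides credentials or reports; track by area and over time; compare with the DBIR averages) can be turned into audit working code. The following is an added example, not code from the deck or its sources: it aggregates constructed simulation results per ploy and per business area and flags areas against the averages quoted above; the campaign names, area names and every result record are constructed.

```python
"""Phishing-simulation metrics for an internal audit programme.
Added example, not from the deck: rates per ploy and per business area
over constructed results, judged against the DBIR 2016 averages quoted
on the slide (30% open, 12% click, 3% report). All data is constructed."""
from collections import defaultdict
from dataclasses import dataclass

# Averages quoted on the slide (Verizon DBIR 2016).
BASELINE = {"opened": 0.30, "clicked": 0.12, "reported": 0.03}

@dataclass(frozen=True)
class Result:
    campaign: str    # ploy name; constructed names sort in date order
    area: str        # business area of the targeted user
    opened: bool     # opened the email
    clicked: bool    # opened the link / attachment
    submitted: bool  # provided credentials on the landing page
    reported: bool   # reported the email as suspicious

# Constructed sample results: two ploys, two areas, four users each.
SAMPLE = [
    Result("Q1-invoice", "finance", True, True, True, False),
    Result("Q1-invoice", "finance", True, False, False, False),
    Result("Q1-invoice", "finance", False, False, False, True),
    Result("Q1-invoice", "finance", True, True, False, False),
    Result("Q1-invoice", "it", True, False, False, True),
    Result("Q1-invoice", "it", False, False, False, False),
    Result("Q1-invoice", "it", False, False, False, True),
    Result("Q1-invoice", "it", True, True, False, False),
    Result("Q2-parcel", "finance", True, False, False, True),
    Result("Q2-parcel", "finance", False, False, False, True),
    Result("Q2-parcel", "finance", True, True, False, False),
    Result("Q2-parcel", "finance", False, False, False, False),
    Result("Q2-parcel", "it", False, False, False, True),
    Result("Q2-parcel", "it", False, False, False, True),
    Result("Q2-parcel", "it", True, False, False, False),
    Result("Q2-parcel", "it", False, False, False, True),
]

def rates(results):
    """Share of targets that opened, clicked, submitted credentials, reported."""
    n = len(results)
    if n == 0:
        raise ValueError("no results to measure")
    return {"targets": n, **{f: sum(getattr(r, f) for r in results) / n
                             for f in ("opened", "clicked", "submitted", "reported")}}

def rates_by(results, field):
    """Group by 'campaign' (trend over time) or 'area' and compute rates per group."""
    groups = defaultdict(list)
    for r in results:
        groups[getattr(r, field)].append(r)
    return {k: rates(v) for k, v in sorted(groups.items())}

def findings(results, baseline=BASELINE):
    """Per-area findings for the awareness programme, judged against the averages."""
    out = []
    for area, m in rates_by(results, "area").items():
        if m["clicked"] > baseline["clicked"]:
            out.append(f"{area}: {m['clicked']:.0%} clicked (avg {baseline['clicked']:.0%})")
        if m["submitted"] > 0:
            out.append(f"{area}: {m['submitted']:.0%} provided credentials")
        if m["reported"] < baseline["reported"]:
            out.append(f"{area}: {m['reported']:.0%} reported (avg {baseline['reported']:.0%})")
    return out

def trend(results, metric="clicked"):
    """One metric per campaign, in campaign order, for tracking over time."""
    return [(c, m[metric]) for c, m in rates_by(results, "campaign").items()]
```

On the constructed data the click rate falls from 37.5% to 12.5% between the two ploys, while both areas still sit above the 12% click average and finance shows a user who provided credentials, which is the kind of per-area result that drives the "adjust awareness program" step.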

Page 33: Information Security Audits to Consider

- cloud & data lake governance
- it asset management
- security vulnerabilities & patching assessment
- network segmentation assessment
- penetration testing
- information security overall assessment
- security logging & event detection
- phishing & security awareness
- program assessments: PCI & PHI
- firewall ruleset assessment
- web & mobile application assessment

Source: https://www.slideshare.net/naanders/2016-isaca-nacacs-audit-as-an-impact-player-for-cybersecurity

Page 34: Part 4: Relevant Communications To Leaders

3rd line of defense: what are you communicating to the audit committee, security, IT, and the business about cybersecurity?

Source: https://www.slideshare.net/naanders/2016-isaca-nacacs-audit-as-an-impact-player-for-cybersecurity

Page 35: Opportunities for auditors in an Age of Disruptive Change

Source: https://chapters.theiia.org/IIA%20Canada/Thought%20Leadership%20Documents/Disruptive-Technologies-What-is-it-for-Internal-Auditors.pdf

• Governance Structure
+ corporate culture, tone at the top, risk appetite (Uber and Airbnb) – focus on public issues of the day
• Accountability and responsibility
+ clear definition of the roles and responsibilities of the players within the disrupter enterprise
• Status of New Regulations to Address Disruptive Apps
+ paying attention to the development of new regulations or exposure drafts that address the most pervasive/disruptive Apps

Page 36: Questions to Ask

Source: https://chapters.theiia.org/IIA%20Canada/Thought%20Leadership%20Documents/Disruptive-Technologies-What-is-it-for-Internal-Auditors.pdf

• How vulnerable is your industry / sector as a disrupter’s target?
• What is the tone at the top regarding the strategic significance of disruptive technology?
• What is the entity’s technology risk appetite?
• What are the current pressing governance issues for disrupter companies in media?
• Are major business decisions solely grounded in solid analysis of past data?

Page 37: Are Disruptive Technologies on your playlist?

Source: https://chapters.theiia.org/IIA%20Canada/Thought%20Leadership%20Documents/Disruptive-Technologies-What-is-it-for-Internal-Auditors.pdf

• To stay current in an age of rapid disruptive change is daunting
• To put knowledge to practical use is even more daunting
• There are more questions than answers
• To participate and contribute to the answers, we have to be in the game.

Page 38: Thank You!