monday cs 1 7 nick galletto michael juergens

Post on 06-Jul-2018


  • 8/17/2019 MONDAY CS 1 7 Nick Galletto Michael Juergens

    1/30

    Cyber-Security: Proactively managing the cyber threat landscape


    2/30

    Agenda

    • Understanding the cyber threat landscape
    • Building a resilient Cyber Risk capability
    • An Internal Audit approach
    • Closing thoughts


    3/30

    Understanding the cyber threat landscape


    4/30

    The evolving threat landscape…

    Lilly scientists stole $55 million in trade secrets [1] (Indianapolis Business Journal, October 8, 2013)

    Last year, over 800 million records were breached globally, up from 250 million in 2012 (The Economist, July 2014)

    Target missed signs of a data breach (40 million credit card numbers compromised) [2] (NY Times, March 13, 2014)

    On a scale of 1 to 10… American preparedness for a large-scale cyber attack is around a 3 [3] (NY Times, July 2012)

    Sources:
    [1] http://www.ibj.com/lilly-employees-stole-55-million-in-trade-secrets-indictment-alleges/PARAMS/article/43949
    [2] http://www.nytimes.com/2014/03/14/business/target-missed-signs-of-a-data-breach.html?_r=0
    [3] http://www.nytimes.com/2012/07/27/us/cyberattacks-are-up-national-security-chief-says.html?_r=0

    Why?

    Corporate change & innovation: Technology innovations that drive business growth also create cyber risk. New technology-enabled business models create new opportunities for malicious actors to exploit and a higher likelihood of accidental vulnerabilities.

    Evolving threat environment: Cyber threats are asymmetrical risks. Cyber crime grows in sophistication, and attacks increase in speed and number, while time to respond decreases. Targeted attacks on operations, brand, and competitive advantage are more impactful than ever.

    Changing regulatory environment: Regulatory changes continue to absorb resources and attention.

    © Deloitte LLP and affiliated entities. | Cybersecurity – Proactively managing the cyber threat landscape 4


    5/30

    Cyber risk: High on the agenda

    Audit committees and board members are seeing cybersecurity as a top risk, underscored by recent headlines and increased government and regulatory focus.

    The Executive Order highlights the focus on an improved cybersecurity framework and the rapid changes of regulatory agency expectations and oversight.

    Recent U.S. Securities and Exchange Commission (SEC) guidance regarding disclosure obligations relating to cybersecurity risks and incidents:

    “Registrants should address cybersecurity risks and cyber incidents in their Management’s Discussion and Analysis of Financial Condition and Results of Operations (MD&A), Risk Factors, Description of Business, Legal Proceedings and Financial Statement Disclosures.” (SEC Division of Corporate Finance Disclosure Guidance: Topic No. 2 ‒ Cybersecurity)

    Ever-growing concerns about cyber-attacks affecting the nation’s critical infrastructure prompted the signing of the Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity.

    One of the foundational drivers behind the update and release of the 2013 COSO Framework was the need to address how organizations use and rely on evolving technology for internal control purposes.


    6/30

    Cyber risk (cont’d): Roles and responsibilities

    Effective risk management is the product of multiple layers of risk defense. Internal Audit should support the board’s need to understand the effectiveness of cybersecurity controls.

    1st line of defense: business and IT functions
    2nd line of defense: information and technology risk management function
    3rd line of defense: internal audit

    Responsibilities across the three lines:
    • Establish governance and oversight
    • Set risk baselines, policies, and standards
    • Implement tools and processes
    • Monitor and call for action, as appropriate
    • Provide oversight, consultation, checks and balances, and enterprise-level policies and standards
    • Incorporate risk-informed decision making into day-to-day operations and fully integrate risk management into operational processes
    • Define risk appetite and escalate risks outside of tolerance
    • Mitigate risks, as appropriate
    • Independently review program effectiveness
    • Provide confirmation to the board on risk management effectiveness
    • Meet requirements of SEC disclosure obligations focused on cybersecurity risks

    Given recent high profile cyber attacks and data losses, and the SEC’s and other regulators’ expectations, it is critical for Internal Audit to understand cyber risks and be prepared to address the questions and concerns expressed by the audit committee and the board.


    7/30

    What are we seeing?

    1. Attack vector shifting from technology to people.

    2. Attack patterns are increasingly starting to look like normal behavior. Threats are increasingly hiding in plain sight. Some of the threats are adaptive and have the ability to go into dormant mode, making them difficult to detect.

    3. Criminals, state actors and even hacktivists are building better intelligence and capability, and have a wider network of resources than organizations (i.e., a widening capability gap).

    4. Supply chain and business partner poisoning or lateral entry are on the rise.

    5. Advanced threat adversaries' calling card: they defy traditional signature-based approaches.


    8/30

    Incident patterns

    … of incidents can be described by just nine basic patterns

    … of incidents in an industry can be described by just three of the nine patterns

    The nine patterns (plus “everything else”):
    • Card skimmers
    • Cyber-espionage
    • Physical theft/loss
    • Point-of-sale intrusions
    • Miscellaneous errors
    • Web application attacks
    • Insider misuse
    • Crimeware
    • Denial of service attacks
    • Everything else


    9/30

    Who might attack?
    • Cyber criminals
    • Hacktivists (agenda driven)
    • Nation states
    • Malicious insiders
    • Rogue suppliers
    • Competitors
    • Skilled individual hacker

    What are they after, and what key business risks must we mitigate?
    • Sensitive data
    • Financial fraud (e.g., wire transfer, payments)
    • Business disruption (building systems, etc.)
    • Threats to health & safety

    What tactics might they use?
    • Spear phishing, drive-by download, etc.
    • Software or hardware vulnerabilities
    • Third party compromise
    • Stolen credentials
    • Control systems compromise

    Ultimately cyber is about brand and reputation with your tenants and investors.

    It starts by understanding your organizational risk appetite.


    10/30

    Cyber… What is the actual threat?

    • Crime: Who did it?
    • Espionage: What did they see & take?
    • Warfare: When do we fight back?
    • Terrorism: Why did they do it?
    • Security: How do we prevent it (again)?


    11/30

    New technologies, new threats

    Target: your business ‒ strategic assets, financial assets, data & intelligence.

    Attack lifecycle (what the attacker does, and how):

    Reconnaissance ‒ What: gain intelligence and identify vulnerabilities. How: research the internet, call call-centers, trawl social media, etc.

    Attack ‒ What: target identified vulnerabilities. How: targeted email attacks, unsuspecting downloads from malicious or compromised websites, exploit application or infrastructure software vulnerabilities, etc.

    Exploit ‒ What: gain broad, deep access. How: escalate privileges, gain increased access, observe/control network or servers, increase sophistication of attacks, hide tracks, etc.

    Fulfill objective ‒ What: steal/damage/disrupt. How: encrypt then exfiltrate data being stolen, stay hidden for long periods of time, erase digital footprint.


    12/30

    Speed of attack is accelerating

    • Initial attack to initial compromise takes place within minutes (almost 3 of 4 cases: 72%)
    • Data leaks occur within minutes (nearly half: 46%)
    • Discovery takes weeks or longer
    • Containment (post-discovery) requires weeks or longer

    (The slide graphic also shows 72% and 59% against the discovery and containment statements.)

    Time is of the essence


    13/30

    Case study: JP Morgan Chase & Co.

    Victim and attacker timeline:

    • Mid-June (attacker timeline): Attackers gain access to JP servers, steal personal information
    • Mid-August: JP learns of attack, closes all network access path
    • Aug 27: News agencies report of FBI investigating the bank
    • Aug 28: JP says it isn't seeing “unusual fraud”
    • Sept 11: JP maintains the statement ‒ isn’t seeing any “unusual fraud activity”
    • Oct 2: JP reports to US-SEC, reveals details of cyber-attack
    • Jan 08: State attorneys seek information from JP about the breach

    * http://www.nytimes.com/2014/08/06/business/target-puts-data-breach-costs-at-148-million.html?_r=0


    14/30

    Building a resilient Cyber Risk capability


    15/30

    Build a resilient cyber security organization

    This means having the agility to prevent, detect and respond quickly and effectively, not just to incidents, but also to the consequences of the incidents.

    Secure ‒ Are controls in place to guard against known and emerging threats? (Cyber threat mitigation)

    Vigilant ‒ Can we detect malicious or unauthorized activity, including the unknown? (Cyber threat intelligence)

    Resilient ‒ Can we act and recover quickly to minimize impact? (Cyber incident response)

    All three rest on cyber governance.


    16/30

    Changes in threat landscape versus capability

    (Matrix chart: threat types on one axis, detection capabilities on the other, each cell rated Effective, Marginally effective or In-effective. Axis labels: Conventional warfare, Cyber warfare, System 1 learning, System 2 learning. The cell ratings survive only in the graphic.)

    Threat types (warfare analogy ‒ cyber equivalent):
    • Conventional (conventional warfare, symmetric vectors) ‒ Infrastructure threats (retail threats, open toolkits, general botnet, distributed denial of service)
    • Guerilla (hide among civilians, i.e., hide in plain sight) ‒ Targeted attacks (hide within business traffic)
    • Espionage (seek, analyze and exfiltrate) ‒ Cyber-espionage (seek, analyze and exfiltrate)

    Capabilities:
    • Signature based (e.g., correlation): Cat A ‒ SIEM (near real time analysis)
    • Behavioral analysis and machine learning model: Cat B ‒ Behavioral analysis and machine learning (mid term analysis)
    • Risk analytics (including BDSA): Cat C ‒ Cyber analytics (long term analysis)


    17/30

    Options: Building your defenses

    Insource ‒ Co-source ‒ Outsource


    18/30

    Benefits and challenges

    Insource (Capex ‒ hardware, build, run and maintain costs):
    • Operating model: maintain and enhance existing use cases
    • Resourcing required to operate three shifts
    • Industry and business alignment
    • Level one monitoring and management
    • Limited threat intelligence gathering

    Outsource (Opex ‒ cloud based service, utility based costing):
    • Operating model: alignment of use cases to evolving threat landscape
    • Round the clock monitoring, management and incident response
    • Industry and risk profile alignment
    • Level one, two and three monitoring and management
    • Proactive cyber threat intelligence

    Co-source (Capex and Opex ‒ hardware, build, run and maintain costs):
    • Operating model: alignment of use cases to evolving threat landscape
    • Round the clock monitoring, management and incident response
    • Business, industry and risk profile alignment
    • Level one, two and three monitoring and management
    • Proactive cyber threat intelligence


    19/30

    An internal audit approach


    20/30

    Cyber risk ‒ Deloitte cybersecurity framework*

    An assessment of the organization’s cybersecurity should evaluate specific capabilities across multiple domains.

    Vigilant

    Threat and vulnerability management:
    • Incident response and forensics
    • Application security testing
    • Threat modeling and intelligence
    • Security event monitoring and logging
    • Penetration testing
    • Vulnerability management

    Risk analytics:
    • Information gathering and analysis around:
      – User, account, entity
      – Events/incidents
      – Fraud and anti-money laundering
      – Operational loss

    Data management and protection:
    • Data classification and inventory
    • Breach notification and management
    • Data loss prevention
    • Data security strategy
    • Data encryption and obfuscation
    • Records and mobile device management

    Resilient

    Crisis management and resiliency:
    • Recover strategy, plans & procedures
    • Testing & exercising
    • Business impact analysis
    • Business continuity planning
    • Disaster recovery planning

    Security awareness and training:
    • Security training
    • Security awareness
    • Third-party responsibilities

    Security operations:
    • Change management
    • Configuration management
    • Network defense
    • Security operations management
    • Security architecture

    Secure

    Cybersecurity risk and compliance management:
    • Compliance monitoring
    • Issue and corrective action planning
    • Regulatory and exam management
    • Risk and compliance assessment and mgmt.
    • Integrated requirements and control framework

    Third-party management:
    • Evaluation and selection
    • Contract and service initiation
    • Ongoing monitoring
    • Service termination

    Security program and talent management:
    • Security direction and strategy
    • Security budget and finance management
    • Policy and standards management
    • Exception management
    • Talent strategy

    Identity and access management:
    • Account provisioning
    • Privileged user management
    • Access certification
    • Access management and governance

    Secure development life cycle:
    • Secure build and testing
    • Secure coding guidelines
    • Application role design/access
    • Security design/architecture
    • Security/risk requirements

    Information and asset management:
    • Information and asset classification and inventory
    • Information records management
    • Physical and environment security controls
    • Physical media handling

    * The Deloitte cybersecurity framework is aligned with industry standards and maps to NIST, ISO, COSO, and ITIL.

    As used in this document, “Deloitte” means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.


    21/30


    Cyber risk ‒ Deloitte cybersecurity framework* (cont’d)

    Certain cybersecurity domains may be partially covered by existing IT audits, however many capabilities have historically not been reviewed by internal audit.

    Existing audit coverage overlaid on the framework: SOX (financially relevant systems only); BCP/DRP testing; penetration and vulnerability testing.


    22/30

    Cyber risk ‒ Assessment approach

    An internal audit assessment of cybersecurity should cover all domains and relevant capabilities, and involve subject matter specialists when appropriate.

    Phase I: Planning and scoping

    Activities:
    • Identify specific internal and external stakeholders: IT, Compliance, Legal, Risk, etc.
    • Understand organization mission and objectives
    • Identify industry requirements and regulatory landscape
    • Perform industry and sector risk profiling (i.e., review industry reports, news, trends, risk vectors)
    • Identify in-scope systems and assets
    • Identify vendors and third-party involvement

    Deliverables:
    • Assessment objectives and scope
    • Capability assessment scorecard framework

    Phase II: Understand current state

    Activities:
    • Conduct interviews and workshops to understand the current profile
    • Perform walkthroughs of in-scope systems and processes to understand existing controls
    • Understand the use of third-parties, including reviews of applicable reports
    • Review relevant policies and procedures, including security environment, strategic plans, and governance for both internal and external stakeholders
    • Review self assessments
    • Review prior audits

    Deliverable:
    • Understanding of environment and current state

    Phase III: Risk assessment

    Activities:
    • Document list of potential risks across all in-scope capabilities
    • Collaborate with subject matter specialists and management to stratify emerging risks, and document potential impact
    • Evaluate likelihood and impact of risks
    • Prioritize risks based upon organization’s objectives, capabilities, and risk appetite
    • Review and validate the risk assessment results with management and identify criticality

    Deliverables:
    • Prioritized risk ranking
    • Capability assessment findings

    Phase IV: Gap assessment and recommendations

    Activities:
    • Document capability assessment results and develop assessment scorecard
    • Review assessment results with specific stakeholders
    • Identify gaps and evaluate potential severity
    • Map to maturity analysis
    • Document recommendations
    • Develop multiyear cybersecurity/IT audit plan

    Deliverables:
    • Maturity analysis
    • Assessment scorecard
    • Remediation recommendations
    • Cybersecurity audit plan


    23/30

    Cyber risk ‒ Assessment maturity analysis

    Maintaining and enhancing security capabilities can help mitigate cyber threats and help the organization to arrive at its desired level of maturity.

    Maturity analysis: current state CMMI maturity* (Initial, Managed, Defined, Predictable, Optimized) is plotted for each cybersecurity domain, grouped Secure, Vigilant, Resilient:
    • Cybersecurity risk and compliance mgmt.
    • Third-party management
    • Secure development life cycle
    • Information and asset management
    • Security program and talent management
    • Identity and access management
    • Threat and vulnerability management
    • Data management and protection
    • Risk analytics
    • Crisis management and resiliency
    • Security operations
    • Security awareness and training

    (The per-domain current-state ratings survive only in the slide graphic.)

    Stage 1: Initial
    • Recognized the issue
    • Ad-hoc/case by case
    • Partially achieved goals
    • No training, communication, or standardization

    Stage 2: Managed
    • Process is managed
    • Responsibility defined
    • Defined procedures with deviations
    • Process reviews

    Stage 3: Defined
    • Defined process
    • Communicated procedures
    • Performance data collected
    • Integrated with other processes
    • Compliance oversight

    Stage 4: Predictable
    • Defined quantitative performance thresholds and control limits
    • Constant improvement
    • Automation and tools implemented
    • Managed to business objectives

    Stage 5: Optimized
    • Continuously improved
    • Improvement objectives defined
    • Integrated with IT
    • Automated workflow
    • Improvements from new technology

    * The industry recognized Capability Maturity Model Integration (CMMI) can be used as the model for the assessment. Each domain consists of specific capabilities which are assessed and averaged to calculate an overall domain maturity.


    24/30

    Cyber risk ‒ Assessment scorecard

    A scorecard can support the overall maturity assessment, with detailed cyber risks for people, process, and technology. Findings should be documented and recommendations identified for all gaps.

    Assessment scorecard: each cybersecurity domain (Cybersecurity risk and compliance mgmt.; Third-party management; Secure development life cycle; Information and asset management; Security program and talent management; Identity and access management; Threat and vulnerability management; Data management and protection; Risk analytics; Crisis management and resiliency; Security operations; Security awareness and training), grouped Secure, Vigilant, Resilient, is rated for People, Process and Technology on the scale 1: Initial; 2: Managed; 3: Defined; 4: Predictable; 5: Optimized.

    Capability assessment findings and recommendations ‒ example: Threat and vulnerability management / Penetration testing (People 4, Process 2, Technology 1)

    People (Ref. 2.6.4)
    • Finding: The organization has some resources within the ISOC that can conduct penetration testing, but not on a routine basis due to operational constraints and multiple roles that those resources are fulfilling.
    • Recommendation: The organization may find it of more value and cost benefit to utilize current resources to conduct internal penetration testing on a routine and dedicated basis, since they do have individuals with the necessary skills to perform this duty.

    Process (Ref. 2.6.5)
    • Finding: The organization has limited capability to conduct penetration testing in a staged environment or against new and emerging threats.
    • Recommendation: The organization should expand its penetration testing capability to include more advanced testing and more advanced social engineering, and develop greater control over the frequency of testing.

    Technology (Ref. 2.6.6)
    • Finding: The organization lacks standard tools to perform its own ad-hoc and on-the-spot penetration tests to confirm or support potential vulnerability assessment alerts and/or incident investigation findings.
    • Recommendation: Either through agreement with a third-party vendor, or through technology acquisition, develop the technology capability to perform out of cycle penetration testing.
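The scorecard above and the maturity-analysis footnote (capabilities "assessed and averaged" into a domain maturity) as an added worked example, not code from the Deloitte deck: it rates a capability on People/Process/Technology, averages capabilities into a domain maturity, maps that to a CMMI stage and lists the gaps against a target. The 1..5 scale per dimension, the mean-of-three capability score, the round-to-nearest stage mapping, the target maturity and the second capability are assumptions.

```python
"""Capability scorecard -> domain maturity -> gap list (added example)."""
from dataclasses import dataclass, field
from statistics import mean

# CMMI stage labels as used on the maturity-analysis slide.
STAGES = {1: "Initial", 2: "Managed", 3: "Defined", 4: "Predictable", 5: "Optimized"}
DIMENSIONS = ("People", "Process", "Technology")


@dataclass
class Capability:
    name: str
    ratings: dict                                  # dimension -> 1..5 (assumed scale)
    findings: dict = field(default_factory=dict)   # dimension -> finding reference

    def __post_init__(self):
        # Reject out-of-range or missing ratings before they pollute an average.
        for dim in DIMENSIONS:
            r = self.ratings.get(dim)
            if not isinstance(r, int) or not 1 <= r <= 5:
                raise ValueError(f"{self.name}/{dim}: rating must be an int in 1..5, got {r!r}")

    def score(self) -> float:
        # Assumption: a capability's score is the mean of its three dimension ratings.
        return mean(self.ratings[d] for d in DIMENSIONS)


@dataclass
class Domain:
    name: str
    capabilities: list

    def maturity(self) -> float:
        # The slide's rule: capabilities are assessed and averaged per domain.
        if not self.capabilities:
            raise ValueError(f"{self.name}: no capabilities assessed")
        return mean(c.score() for c in self.capabilities)


def stage_for(score: float) -> str:
    """Map an averaged score to the nearest stage; ties round up, result clamped to 1..5."""
    level = min(5, max(1, int(score + 0.5)))
    return STAGES[level]


def gap_report(domains, targets):
    """Rows of (domain, maturity, target, gap), largest gap first; default target is Defined (assumed)."""
    rows = []
    for d in domains:
        target = targets.get(d.name, 3)
        m = d.maturity()
        rows.append((d.name, round(m, 2), target, round(max(0.0, target - m), 2)))
    return sorted(rows, key=lambda r: r[3], reverse=True)


def weakest_dimensions(domain, threshold=2):
    """(capability, dimension, rating, finding ref) for every rating at or below threshold."""
    out = []
    for c in domain.capabilities:
        for dim in DIMENSIONS:
            if c.ratings[dim] <= threshold:
                out.append((c.name, dim, c.ratings[dim], c.findings.get(dim, "n/a")))
    return out


# Values from the deck's scorecard example: penetration testing rated
# People 4, Process 2, Technology 1 with finding references 2.6.4-2.6.6.
PENTEST = Capability(
    "Penetration testing",
    {"People": 4, "Process": 2, "Technology": 1},
    {"People": "2.6.4", "Process": "2.6.5", "Technology": "2.6.6"},
)
# Constructed second capability for the same domain (not from the deck).
VULN_MGMT = Capability("Vulnerability management", {"People": 3, "Process": 3, "Technology": 2})
TVM = Domain("Threat and vulnerability management", [PENTEST, VULN_MGMT])


def example():
    targets = {TVM.name: 4}  # assumed target stage: Predictable
    return {
        "pentest_score": round(PENTEST.score(), 2),
        "domain_maturity": round(TVM.maturity(), 2),
        "stage": stage_for(TVM.maturity()),
        "gaps": gap_report([TVM], targets),
        "weak": weakest_dimensions(TVM),
    }


if __name__ == "__main__":
    for key, value in example().items():
        print(key, value)
```

With the deck's 4/2/1 ratings the penetration-testing capability scores 2.33, the domain averages 2.5 (stage Defined) against the assumed target of 4, and the Process and Technology ratings surface as the gaps to remediate.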


    25/30

    Cyber risk ‒ Representative internal audit plan

    A cybersecurity assessment can drive a risk-based IT internal audit plan. Audit frequency should correspond to the level of risk identified, and applicable regulatory requirements/expectations.

    Internal audit area ‒ years covered (of FY 2015, FY 2016, FY 2017) ‒ notes (representative):
    • SOX IT General Computer Controls ‒ all three years ‒ Annual requirement but only covers financially significant systems and applications
    • External Penetration and Vulnerability Testing ‒ all three years ‒ Cover a portion of IP addresses each year
    • Internal Vulnerability Testing ‒ one year ‒ Lower risk due to physical access controls
    • Business Continuity Plan/Disaster Recovery Plan ‒ two years ‒ Coordinate with annual 1st and 2nd line of defense testing
    • Data Protection and Information Security ‒ one year ‒ Lower risk due to …
    • Third-party Management ‒ one year ‒ Lower risk due to …
    • Risk Analytics ‒ all three years ‒ Annual testing to cycle through risk areas, and continuous monitoring
    • Crisis Management ‒ two years ‒ Cyber war gaming scenario planned
    • Social Media ‒ one year ‒ Social media policy and awareness program
    • Data Loss Protection (DLP) ‒ one year ‒ Shared drive scan for SSN/Credit Card #


    26/30

    Closing thoughts


    27/30

    Key considerations

    1. Know your crown jewels – not just what you want to protect, but what you need to protect
    2. Know your friends – contractors, vendors and suppliers can be security allies or liabilities
    3. Understand the threat landscape and assess incremental threat scenarios that expose your organization to risk
    4. Assess controls and identify gaps in policies, standards, processes, metrics and reporting, etc.
    5. Maintain “cyber security” as an organizational priority and standing agenda item in audit committee updates
    6. Apprise the Audit Committee of key risks and enterprise level risk trends related to cyber security
    7. Make awareness a priority within every internal department and among external partners
    8. Fortify and monitor – situational awareness, diligently gather intelligence, build, maintain and proactively monitor
    9. Prepare for the inevitable – test your incident management process


    28/30

    For more information

    If you would like more information on cyber security or how Deloitte can help your organization, please contact one of the following professionals:

    Nick Galletto, Americas Cyber Risk Leader, [email protected]

    Michael Juergens, Managing Principal | IT Internal Audit, [email protected]


    29/30

    Deloitte IT internal audit ‒ Cyber risk

    Leading cybersecurity risk management services ‒ Specifically suited to collaborate with you

    Number 1 provider of cyber risk management solutions
    • The only organization with the breadth, depth, and insight to help complex organizations become secure, vigilant, and resilient
    • 1000+ cyber risk management projects in the U.S. alone in 2014, executed cross industry
    • 11,000 risk management and security professionals globally across the Deloitte Touche Tohmatsu Limited network of member firms

    Contributing to the betterment of cyber risk management practices
    • Assisted National Institute of Standards and Technology in developing their cybersecurity framework in response to the 2013 Executive Order for Improving Critical Infrastructure Cybersecurity
    • Third-party observer of the Quantum Dawn 2 Cyber Attack Simulation, conducted by the Securities Industry and Financial Markets Association in July 2013
    • Working with government agencies on advanced threat solutions
    • Named as a Kennedy Vanguard Leader in cyber security consulting: “[Deloitte] continually develops, tests, and launches methodologies that reflect a deep understanding of clients’ cyber security and help the firm… set the bar.”
      Source: Kennedy Consulting Research & Advisory; Cyber Security Consulting 2013; Kennedy Consulting Research & Advisory estimates © 2013 Kennedy Information, LLC. Reproduced under license.
    • “Deloitte’s ability to execute rated the highest of all the participants”
      Forrester Research, “Forrester Wave™: Information Security Consulting Services Q1 2013”, Ed Ferrara and Andrew Rose, February 1, 2013

    The right resources at the right time
    • Deloitte has provided IT audit services for the past 30 years and IT audit training to the profession for more than 15 years. Our professionals bring uncommon insights and a differentiated approach to IT auditing, and we are committed to remaining an industry leader.
    • We have distinct advantages through:
      − Access to a global team of IA professionals, including IT subject matter specialists in a variety of technologies and risk areas
      − A responsive team of cyber risk specialists with wide-ranging capabilities virtually anywhere in the world, prepared to advise as circumstances arise or as business needs change
      − A differentiated IT IA approach that has been honed over the years in some of the most demanding environments in the world, with tools and methodologies that help accelerate IT audit
      − Access to leading practices and the latest IT thought leadership on audit trends and issues


    30/30

    www.deloitte.ca

    Deloitte, one of Canada's leading professional services firms, provides audit, tax, consulting, and financial advisory services. Deloitte LLP, an Ontario limited liability partnership, is the Canadian member firm of Deloitte Touche Tohmatsu Limited.

    Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms.

    © Deloitte LLP and affiliated entities.