
Page 1

MEETS THE CHALLENGE OF CHANGE

Robert Baldi, Director of IT Audit, ACI Worldwide

Warren Fish, Manager of IT Audit, ACI Worldwide

Auditing emerging cyber threats and IT controls

Page 2

Competency

“The trouble with competence is that it is always stale.”*

CDR Chris Hadfield, first Canadian to walk in space

*Quoted from 2015 IIA Conference, Vancouver, British Columbia, Canada

Page 3

Agenda

• The state of cybersecurity (IIA perspective)

• Recent breaches

• IIA Standards 1210: Proficiency

• Cutting Edge IT Auditing: IT Skills required, auditing skills second

• Fruit Tree of IT Auditing

• Emerging Cyber Threats

Page 4

The state of cybersecurity (IIA)

The Cybersecurity Imperative: To help organizations lock down security, internal auditors must raise their skills and understand the latest threats, IIA July 31, 2015

• https://iaonline.theiia.org/2015/the-cybersecurity-imperative

• The Board is asking questions: This year for the first time, cybersecurity broke into the top 10 risk priorities. Small wonder then that 80 percent of public company board members report their board discusses cybersecurity at most or all board meetings.

• A Common Language: Bridging those gaps is difficult because there is no generally accepted cybersecurity framework. The Board, Management, IT, information security, and internal audit may all have their own points of reference. Recommend establishing a common framework that enables everyone in the organization to speak the same language about cyber risk.

• Recruit Cybersecurity Specialists: Internal audit departments that lack IT auditors can gain expertise by hiring cybersecurity experts and then training them in internal audit.

Tim McCollum is Internal Auditor magazine's associate managing editor.

Page 5

IIA (Standards 1210) Proficiency

• Internal Auditors must possess the knowledge, skills, and other competencies needed to perform their individual responsibilities. The internal audit activity collectively must possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities.

• Interpretation:

• 1210.A1 - The chief audit executive must obtain competent advice and assistance if the internal auditors lack the knowledge, skills, or other competencies needed to perform all or part of the engagement.

• 1210.A2 - Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.

• 1210.A3 - Internal auditors must have sufficient knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work. However, not all internal auditors are expected to have the expertise of an internal auditor whose primary responsibility is information technology auditing.

• 1210.C1 - The chief audit executive must decline the consulting engagement or obtain competent advice and assistance if the internal auditors lack the knowledge, skills, or other competencies needed to perform all or part of the engagement.

Page 6

Cutting Edge IT Auditing: IT Skills required, auditing skills second

• Maintaining IT competencies: IT Auditors at ACI Worldwide are maintaining their IT skills by maintaining membership in the following organizations, pursuing certifications and staying current and connected via social media.

• Institute of Internal Auditors

• ISACA

• Nebraska Computer Emergency Response Team (CERT)

• Armed Forces Communications and Electronics Association

• InfraGARD (Public-Private Partnership between FBI and US business)

• National Cyber Security Alliance (DHS and home, small US business)

• International Information Systems Security Certification Consortium (ISC²)

• Open Web Application Security Project (OWASP-Omaha)

* 7 Attributes of Highly Effective Internal Auditors, by Chambers, McDonald, IIA, 2013

Page 7

Fruit Tree of Internal Auditing

High Hanging Fruit

- Simulated Breach Exercises (war gaming)

- Penetration Testing (In house)

- Data Loss Prevention (Insider Threat)

- Bring Your Own Device (BYOD)

- Database Security

- Two-Factor Controls

Medium Hanging Fruit

- Data backup processes

- Asset Management and/or Identity Management

- WiFi Security Assessment

- Vulnerability & Patch Management

- Configuration Management

Low Hanging Fruit

- Credential (Admin) Verification/Appropriateness

- Default & weak passwords

- Unpatched devices (routers, switches, servers, workstations)

- Poorly configured firewalls, IPS, IDS, SIEM

- Applications not working as configured on workstations (Virus, Web Filtering, etc…)

Page 8

Emerging Cyber Threats & IT Controls

• Recent Breaches & Cyber War gaming

• Social Media

• Data Loss Prevention

• Bring (or Wear) Your Own Device

• Penetration Testing

• Incident Response

• Social Engineering

• Phishing

Page 9

Cyber Security Breaches – 2014 & 2015

Page 10

Cybersecurity: war gaming

The cybersecurity imperative, by Tim McCollum (Page 27)

Page 11

Social Media

• Every employee with a social media account tied to your company e-mail is an ambassador of the company. Possible risks: Reputation/brand, stock prices, or injury/workplace violence.

• Example: TD Ameritrade uses a company to monitor Social Media

• List every company-based social media account

• Do not limit just to Facebook, Twitter, LinkedIn, etc. – imperative that you use GoogleDorks or obtain an external “objective” subject matter expert to assist you

Page 12

Data Loss Prevention (DLP)

• Where are your egress points?

• What controls are in place?

• What do your policies state?

• What training is provided to your staff?

• Which of the 45 popular cloud hosting providers (DropBox.com, Cloud.com, etc.) are blocked?

Page 13

Bring (or Wear) Your Own Device (BYOD)

Page 14

Penetration Testing? But we just passed our PCI Audit!

• Vulnerabilities Exist? But we just passed our PCI audit!

Page 15

Incident Response

• Yes, you probably have a plan. But do you have a letter vetted through legal for each state / country in which you operate to comply with breach notification laws?

Page 16

Social Engineering

http://www.social-engineer.org/

Page 17

Phishing

• Phishing still remains the easiest way to compromise a company

• Unsuspecting employee in any business unit clicks on a perfectly legitimate looking email which says, “Please click here to check on the status of your order.”

• Access/Compromise

• Once the attacker has compromised the company workstation, they will install a key logger to collect logins, passwords, etc…

• 23% of recipients now open phishing messages

• 11% click on attachments

• 50% open e-mails within the first hour

• Awareness and training are the most effective defense

Page 18

Contact Info


Rob Baldi

Director of Information Technology Internal Audit

402-778-1929

[email protected]

Warren Fish

Manager of Information Technology Internal Audit

402-778-2044

[email protected]

ACI Worldwide is looking for an IT Audit Intern.

Please contact Rob or Warren for more details!