TRANSCRIPT
An independent member of UHY International © UHY Advisors, Inc. 2015 All Rights Reserved
INTERNAL AUDIT’S ROLE IN CYBER SECURITY ISACA GEEK WEEK AUGUST 2015
RECENT HEADLINES
“The government does not defend or protect the private sector against cyber security threats, but will be partners in post-breach investigation.” - Richard A. Clarke, former National Coordinator for Security, Infrastructure Protection, and Counter-terrorism
CYBER SECURITY THREAT TYPES
Passive (Silent Data Collection)
• Consumer Data: PCI (credit card data), PII (SSN, DOB, DL), salary information
• Proprietary Data: HFT algorithms, research information, investment strategies, trade blotters, risk analytics
Aggressive (Loud Disruption)
• Technology Services: communication systems, desktops / users, servers / admins
• Corporate Services
− Destroy: delete proprietary data, delete backups
− Disseminate: leak & extort proprietary data
THREAT INCENTIVES
Passive
• Target (retailer): Consumer Data: PCI (credit card data), PII (SSN, DOB, DL)
• JP Morgan: Consumer Data: PCI (credit card data), PII (SSN, DOB, DL)
• Home Depot: Consumer Data: PCI (credit card data)
Aggressive
• Sony: Consumer & Proprietary Data: PII (SSN, DOB, DL), total IP (email, business data)
• National Security Agency: Proprietary Data: surveillance protocols, classified national security data
• LinkedIn: Consumer & Proprietary Data: usernames & passwords
PASSIVE: REVENUE INCENTIVE
Consumer Data
• PCI, PII, and income data are bundled and sold as portfolios
• Portfolios have a lifespan and are assigned a 'generally accepted' rating, similar to our credit rating system, for valuation on the black market
• Accounts within sold portfolios are used to siphon funds
Diagram: PCI, PII and salary data are combined into a consumer data portfolio, which is rated and offered for sale; once sold, the accounts are drained through gift cards, mini-purchases, withdrawals, and transfers
PASSIVE: REVENUE INCENTIVE
Proprietary Data
• HFT algorithms are analyzed and reengineered
• Research, trade blotter, and prospective investment information from multiple firms are aggregated into a single composite
• Non-disclosed, proprietary information (e.g. M&A deals) is mapped to the composite to develop 'insider' investment strategies
Diagram: investment data (HFT data, prospects, blotters) and non-disclosed data (M&A deals, projections, roadmaps) are merged into a composite, from which an 'insider' investment strategy is built and enacted as inside positions in Acme A, Acme B, and Acme C
AGGRESSIVE: POLITICAL EXPLOITATION
Disrupt, Disseminate, Destroy
• U.S. critical infrastructure, managed by the private sector, is the most viable target (e.g. railroads, airports, power grids, water treatment and nuclear facilities)
• Infiltration is typically announced by the adversaries via service outages, desktop wallpapers, and website hijacks
• 'Trap doors' and 'logic bombs' can remain dormant and undetected for years
• Attribution is difficult to determine
• The private sector has no option of recourse against the adversary
Aside from holding data for ransom, this approach is rarely used in enterprise scenarios for financial gain.
“The government does not defend or protect the private sector against cyber security threats”
KNOW THE ADVERSARY
NATION-STATE BEHAVIORS
Passive (Silent Data Collection)
• Consumer Data: PCI (credit card data), PII (SSN, DOB, DL), salary information
• Proprietary Data: HFT algorithms, research information, investment strategies, trade blotters, risk analytics
Aggressive (Loud Disruption)
• Technology Services: communications systems, desktop / users, server / admins
• Corporate Services
− Destroy: delete proprietary data, delete backups
− Disseminate: leak & extort proprietary data
INITIAL VECTORS OF ATTACK
TARGET SAMPLES
COMMON ADVERSARY PLAYBOOK
Acquire Targets → Data Collection → Deploy Malware → Infiltrate Corporate Systems → Exfiltrate Data → Permeate
• Locate affiliated groups
• Identify individual targets
− Colleagues − Spouse − Children − Parents
• Use collected data to deploy malware to the targeted individuals
• Use malware-collected data (stolen credentials) to 'passively' authenticate to corporate systems as legitimate users
• Locate and exfiltrate corporate data
• Extract password hashes from NTDS.dit (the Active Directory database) and crack them to acquire usernames and passwords
• Place trapdoors throughout the environment
Cyber threats are no longer characterized by "infect as many machines as possible". Today's attacks need to compromise only one targeted machine to succeed.
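The "crack NTDS.dit" step in the playbook is one that Internal Audit can ask operations to show detection coverage for. The following is an added example, not from the slides or from UHY: a small Python detector run over constructed process-creation log lines (hypothetical hosts DC01 and WS042, hypothetical users, and a simplified one-line-per-event format, not real Sysmon or Security 4688 output) that flags the three commonly seen ways of obtaining a copy of the database (an ntdsutil "install from media" export, creation of a volume shadow copy to get around the lock the directory service holds on the file, and any command line that names ntds.dit directly) and correlates hits from the same host and user within ten minutes into one incident instead of three unrelated alerts.

```python
"""Detect NTDS.dit extraction attempts in process-creation log lines.

Added example, not from the slide deck. Log lines are constructed and use a
simplified one-line-per-event format; adapt parse_line() to the real source
(Sysmon Event ID 1 or Security Event ID 4688 with command-line auditing on).
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events (hypothetical hosts and users), not real telemetry.
SAMPLE_LOGS = r"""
2015-08-10T09:12:01Z host=DC01 user=CORP\svc_backup image=C:\Windows\System32\wbengine.exe cmd=wbengine.exe
2015-08-10T09:14:22Z host=WS042 user=CORP\jsmith image=C:\Windows\System32\cmd.exe cmd=cmd.exe /c dir C:\Users\jsmith
2015-08-10T09:15:40Z host=DC01 user=CORP\jsmith image=C:\Windows\System32\ntdsutil.exe cmd=ntdsutil.exe "ac i ntds" "ifm" "create full C:\temp\x" q q
2015-08-10T09:16:03Z host=DC01 user=CORP\jsmith image=C:\Windows\System32\vssadmin.exe cmd=vssadmin create shadow /for=C:
2015-08-10T09:16:30Z host=DC01 user=CORP\jsmith image=C:\Windows\System32\cmd.exe cmd=cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\temp\ntds.dit
2015-08-10T09:20:11Z host=WS042 user=CORP\jsmith image=C:\Program Files\7-Zip\7z.exe cmd=7z a archive.zip docs
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) image=(?P<image>.+?) cmd=(?P<cmd>.*)$"
)

# Each rule names one well-known way of getting a copy of the AD database.
RULES = {
    # ntdsutil "activate instance ntds" "ifm" "create full <dir>": the built-in
    # install-from-media export writes ntds.dit plus the SYSTEM hive to disk.
    "ntdsutil_ifm": re.compile(
        r"ntdsutil(\.exe)?\b.*\b(ac|activate)\b.*\bi(nstance)?\b.*\bntds\b.*\bifm\b", re.I),
    # Volume shadow copy creation, the usual way around the lock held on ntds.dit.
    "vss_shadow_create": re.compile(r"vssadmin(\.exe)?\b.*\bcreate\s+shadow\b", re.I),
    # Any command line that names ntds.dit directly (copy from a shadow copy, esentutl, ...).
    "ntds_dit_reference": re.compile(r"ntds\.dit\b", re.I),
}


@dataclass(frozen=True)
class Alert:
    ts: datetime
    host: str
    user: str
    rule: str
    cmd: str


@dataclass
class Incident:
    host: str
    user: str
    rules: set[str]
    first_seen: datetime
    last_seen: datetime


def parse_line(line: str) -> dict | None:
    """Split one constructed log line into fields; return None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect(log_text: str) -> list[Alert]:
    """Return one Alert per (event, matching rule), in log order."""
    alerts: list[Alert] = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        for name, pattern in RULES.items():
            if pattern.search(ev["cmd"]):
                alerts.append(Alert(ev["ts"], ev["host"], ev["user"], name, ev["cmd"]))
    return alerts


def correlate(alerts: list[Alert], window: timedelta = timedelta(minutes=10),
              min_rules: int = 2) -> list[Incident]:
    """Group alerts per host+user; a burst of >= min_rules distinct techniques
    inside `window` is reported as one incident rather than as unrelated hits."""
    by_actor: dict[tuple[str, str], list[Alert]] = {}
    for a in sorted(alerts, key=lambda a: a.ts):
        by_actor.setdefault((a.host, a.user), []).append(a)

    incidents: list[Incident] = []
    for (host, user), group in by_actor.items():
        cluster: list[Alert] = []
        for a in group + [None]:          # trailing None flushes the last cluster
            if a is not None and (not cluster or a.ts - cluster[0].ts <= window):
                cluster.append(a)
                continue
            rules = {c.rule for c in cluster}
            if len(rules) >= min_rules:
                incidents.append(Incident(host, user, rules, cluster[0].ts, cluster[-1].ts))
            cluster = [a] if a is not None else []
    return incidents


if __name__ == "__main__":
    found = detect(SAMPLE_LOGS)
    for a in found:
        print(f"{a.ts:%H:%M:%S} {a.host} {a.user} [{a.rule}] {a.cmd}")
    for inc in correlate(found):
        print(f"INCIDENT {inc.host} {inc.user}: {sorted(inc.rules)} "
              f"between {inc.first_seen:%H:%M:%S} and {inc.last_seen:%H:%M:%S}")
```

Two caveats an auditor should carry into the conversation. First, the rules only fire if command lines are actually being recorded: Security 4688 does not include the command line unless the "Include command line in process creation events" policy is enabled, and Sysmon has to be deployed on the domain controllers, not just on workstations. Second, this is signature matching on three techniques; an attacker holding directory replication rights can pull the same password hashes over the network (the DCSync approach) without ever touching the file, so coverage of that path has to be evidenced separately.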
SOPHISTICATED DISCIPLINED
RISK MANAGEMENT DISCIPLINE
Definition: The forecasting and evaluation of risks together with the identification of procedures to avoid or minimize their impact
IT SECURITY VS CYBER SECURITY
IT Security: programs focus on technology around the perimeter.
Cyber Security: programs focus on today's largest vectors of attack, people and processes.
CYBER RISK GOVERNANCE
Establish a governance structure where the CISO reports IT risks independent from the CIO.
Align IT risks to business risks.
Org chart 1 (CEO, CISO, CIO): a variation of a typical org structure, used to report operational capabilities (e.g. BCP / DR) but not operational risks.
Org chart 2 (CEO, CISO, CRO): the optimized risk management structure.
Govern cyber security by aligning IT risks to business risks.
LEVERAGE & ALIGN STRATEGIC RISK MANAGEMENT ASSETS
Diagram: the Common State and the Target Operating Model are each made up of Process, People, and Tools and Technology, alongside a Risk Management (RM) Strategy built on Adaptability, Effectiveness, Efficiency, and Discipline.
COMPLIANCE VS RISK MANAGEMENT
Being 'Compliant' does not equate to being 'Secure'. It is easy to lose sight of the risk management drivers behind the Internal Audit function.
Diagram: Internal Audit Program drivers
• Compliance: COSO; regulatory obligations (SOX, PCI)
• Risk Management: internal priorities (self-defined risk matrix); customer expectations (NIST, COSO); regulatory obligations (SOX, PCI)
Shouldn't Compliance be positioned as the byproduct of a mature information security and internal audit program, by 'doing the right things' and 'proving it'?
TEST ONCE, ANSWER MANY
Optimized Control Framework
• Functional Processes: Information Security; Data Classification/Privacy; Financial Accounting and Reporting; Services
• Controls Rationalization: Test Once
• Answer Many: Customer Compliance (SOC); ICFR / SOX; Compliance (PCI, HIPAA); Operational Best Practice
Compliance is important... and exhausting. Decrease audit fatigue and manage risk more effectively by testing once and empowering Internal Audit to spend more time on internal risk objectives.
LINES OF DEFENSE
1. Operations
2. Compliance & Risk Mgmt
3. Auditors & Exec Board
Determine and align risk capacity, appetite, and budget within a risk governance framework.
RECOMMENDED READING / CONTACT INFORMATION
Cyber Security Questions for CEOs: https://www.us-cert.gov/sites/default/files/publications/DHS-Cybersecurity-Questions-for-CEOs.pdf
Cyber Risks and the Boardroom: http://www.sec.gov/News/Speech/Detail/Speech/1370542057946#_edn36
NIST Cyber Security Framework: http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
Cyber War: http://www.amazon.com/Cyber-War-Threat-National-Security/dp/0061962244/ref=sr_1_1?ie=UTF8&qid=1420819593&sr=8-1&keywords=cyberwar
David Allen King II, Manager, UHY Advisors, 678-602-4435, [email protected]
David Barton, Managing Director, UHY Advisors, 678-602-4400, [email protected]