INTERNAL AUDIT’S ROLE IN CYBER SECURITY
ISACA GEEK WEEK, AUGUST 2015
An independent member of UHY International © UHY Advisors, Inc. 2015 All Rights Reserved


RECENT HEADLINES

“The government does not defend or protect the private sector against cyber security threats, but will be partners in post-breach investigation.” - Richard A. Clarke, former National Coordinator for Security, Infrastructure Protection, and Counter-terrorism


CYBER SECURITY THREAT TYPES

Passive (Silent Data Collection)
• Consumer Data
− PCI (credit card data)
− PII (SSN, DOB, DL)
− Salary information
• Proprietary Data
− HFT algorithms
− Research information
− Investment strategies
− Trade blotters
− Risk analytics

Aggressive (Loud Disruption)
• Technology Services
− Communication systems
− Desktops / Users
− Servers / Admins
• Corporate Services
− Destroy: delete proprietary data, delete backups
− Disseminate: leak & extort proprietary data


THREAT INCENTIVES

Passive
• Target: Consumer Data (PCI (credit card data), PII (SSN, DOB, DL))
• JP Morgan: Consumer Data (PCI (credit card data), PII (SSN, DOB, DL))
• Home Depot: Consumer Data (PCI (credit card data))

Aggressive
• Sony: Consumer & Proprietary Data (PII (SSN, DOB, DL); total IP (email, business data))
• National Security Agency: Proprietary Data (surveillance protocols; classified national security data)
• LinkedIn: Consumer & Proprietary Data (usernames & passwords)


PASSIVE: REVENUE INCENTIVE

Consumer Data
• PCI, PII, and income data are bundled and sold as portfolios
• Portfolios have a lifespan and are assigned a ‘generally accepted’ rating, similar to our credit rating system, for valuation on the black market
• Accounts within sold portfolios are used to siphon funds

[Diagram: PCI + PII + Salary → Consumer Data Portfolio → Rated Consumer Data Portfolio → FOR SALE → SOLD → Gift cards, Mini-purchases, Withdrawals, Transfers]


PASSIVE: REVENUE INCENTIVE

Proprietary Data
• HFT algorithms are analyzed and reengineered
• Research, trade blotter, and prospective investment information from multiple firms are aggregated into a single composite
• Non-disclosed, proprietary information (e.g. M&A deals) is mapped to the composite to develop ‘Insider’ investment strategies

[Diagram: Investment Data (HFT data, prospects, blotters) → Composite; Non-Disclosed Data (M&A deals, projections, roadmaps) → ‘Insider’ Investment Strategy → Enacted inside Acme A, Acme B, Acme C]


AGGRESSIVE: POLITICAL EXPLOITATION

Disrupt, Disseminate, Destroy
• U.S. critical infrastructure, managed by the private sector, is the most viable target (e.g. railroads, airports, power grids, water & nuclear treatment facilities)
• Infiltration is typically announced by the adversaries via service outages, desktop wallpapers, and website hijacks
• ‘Trap doors’ and ‘logic bombs’ could remain dormant and undetectable for years
• Attribution is difficult to determine
• The private sector has no option of recourse against the adversary

Aside from holding data for ransom, this approach is rarely used in enterprise scenarios for financial gain.

“The government does not defend or protect the private sector against cyber security threats”

KNOW THE ADVERSARY

NATION-STATE BEHAVIORS

Passive (Silent Data Collection)
• Consumer Data
− PCI (credit card data)
− PII (SSN, DOB, DL)
− Salary information
• Proprietary Data
− HFT algorithms
− Research information
− Investment strategies
− Trade blotters
− Risk analytics

Aggressive (Loud Disruption)
• Technology Services
− Communications systems
− Desktop / Users
− Server / Admins
• Corporate Services
− Destroy: delete proprietary data, delete backups
− Disseminate: leak & extort proprietary data

INITIAL VECTORS OF ATTACK

TARGET SAMPLES

COMMON ADVERSARY PLAYBOOK

Acquire Targets → Data Collection → Deploy Malware → Infiltrate Corporate Systems → Exfiltrate Data → Permeate

• Locate affiliated groups
• Identify individual targets
− Colleagues
− Spouse
− Children
− Parents
• Use collected data to deploy malware to targeted individuals
• Use malware-collected data to ‘passively’ authenticate to corporate systems
• Locate and exfiltrate corporate data
• Crack NTDS.dit to acquire usernames and passwords
• Place trapdoors throughout environment

Cyber threats are no longer characterized by "infect as many machines as possible". Today’s attacks only need to compromise one targeted machine to be successful.


SOPHISTICATED DISCIPLINED

RISK MANAGEMENT DISCIPLINE

Definition: The forecasting and evaluation of risks together with the identification of procedures to avoid or minimize their impact


IT SECURITY VS CYBER SECURITY

• IT Security programs focus on technology around the perimeter.
• Cyber Security programs focus on today’s largest vectors of attack: people and processes.


CYBER RISK GOVERNANCE

• Establish a governance structure where the CISO reports IT risks independent from the CIO
• Align IT risks to business risks

[Org charts: a variation of the typical structure (CEO, CIO, CISO), used to report operational capabilities (e.g. BCP / DR) but not operational risks, versus the optimized risk management structure (CEO, CISO, CRO)]

Govern cyber security by aligning IT risks to business risks.


LEVERAGE & ALIGN STRATEGIC RISK MANAGEMENT ASSETS

[Diagram: Common State → Target Operating Model, each built on Process, People, and Tools and Technology under a Risk Management (RM) Strategy; attributes: Adaptability, Effectiveness, Efficiency, Discipline]

COMPLIANCE VS RISK MANAGEMENT

Being ‘Compliant’ does not equate to being ‘Secure’. It is easy to lose sight of the risk management drivers behind the Internal Audit Function.

[Diagram: Internal Audit Program drivers on a spectrum from Compliance to Risk Management: Regulatory Obligations (SOX, PCI), Customer Expectations (NIST, COSO), Internal Priorities (self-defined risk matrix)]

Shouldn’t Compliance be positioned as the byproduct of a mature information security and internal audit program, by ‘doing the right things’ and ‘proving it’?

OPTIMIZED CONTROL FRAMEWORK

[Diagram: Functional Processes (Information Security; Data Classification/Privacy; Financial Accounting and Reporting; Services) mapped through Controls Rationalization (Test Once, Answer Many) to Customer Compliance (SOC), ICFR / SOX, Compliance (PCI, HIPAA), and Operational Best Practice]

Compliance is important…and exhausting. Decrease audit fatigue and more effectively manage risk by testing once and empowering Internal Audit to focus more time on internal risk objectives.

TEST ONCE, ANSWER MANY

LINES OF DEFENSE

1. Operations
2. Compliance & Risk Mgmt
3. Auditors & Exec Board

Determine and align risk capacity, appetite, and budget within a risk governance framework.

RECOMMENDED READING / CONTACT INFORMATION

Recommended reading:
• Cyber Security Questions for CEOs: https://www.us-cert.gov/sites/default/files/publications/DHS-Cybersecurity-Questions-for-CEOs.pdf
• Cyber Risks and the Boardroom: http://www.sec.gov/News/Speech/Detail/Speech/1370542057946#_edn36
• NIST Cyber Security Framework: http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
• Cyber War: http://www.amazon.com/Cyber-War-Threat-National-Security/dp/0061962244/ref=sr_1_1?ie=UTF8&qid=1420819593&sr=8-1&keywords=cyberwar

Contact information:
• David Allen King II, Manager, UHY Advisors, 678-602-4435, [email protected]
• David Barton, Managing Director, UHY Advisors, 678-602-4400, [email protected]

Q&A