what non-technical auditors need to know to navigate the ... · presented by david losacco, cpa,...

PRESENTED BYDavid Losacco CPA CIA CISA Principal

CYBERSECURITY 101 What Non-Technical Auditors Need

to Know to Navigate the Cybersecurity Landscape

2

bull The comments and statements in this presentation are the opinions of the speaker and do not necessarily reflect the opinions or positions of Stinnett amp Associates LLC

bull This presentation is the property of Stinnett amp Associates LLC All rights reserved No part of this document may be reproduced transmitted or otherwise distributed in any form without written permission from Stinnett amp Associates LLC

bull Stinnett amp Associates LLC expressly disclaims any liability in connection with the use of this presentation or its contents by any third party

DISCLAIMER

bull Why should we be concerned with cybersecurity

bull What are some key cybersecurity definitions

bull What are some emerging cybersecurity trends and threats

bull What happened with some recent high-profile cybersecurity attacks

bull What are some cybersecurity roadblocks

bull What steps can Internal Audit take to evaluate your companyrsquos cybersecurity risk level

bull What can a Non-Technical Auditor do to evaluate your companyrsquos cybersecurity health

LEARNING OBJECTIVES

3

4

INTRODUCTION TO A CYBER CRIMINAL

5

WHAT DO ALL THESE COMPANIES HAVE IN COMMON

6

hellip AND THESE

7

List of Recent headlines

8

AS AUDITORS WHY DO WE CARE

Sources 2018 Global Megatrends in Cybersecurity

bull 51 of data breaches are caused by Organized Cyber Crime 18 are caused by Nation-States

bull 70 of cyber attacks and data breaches go undetected

bull 69 of organizations learn of their breach from an outside entity such as law enforcement customers or suppliers

bull In 2017 there were over 130 large-scale targeted breaches in the US per year and that number is growing by 27 percent per year

bull Small and mid-size businesses make up 43 of cyber crime targets

bull Cyber Crime costs estimated to reach $6 Trillion by 2021

bull 77 of organizations do not have a formal Cybersecurity Incident Response Plan

bull 147900000 consumer records impacted by Equifax breach in 2017 US Population is 327 Million

bull In 1st Quarter of 2017 60 of malware payloads were ransomware By the end of 2018 ransomwareaccounted for only 5 of malware

bull ldquoFilelessrdquo malware attacks increased 432 in 2017

bull Cyrptojacking attacks increased 8500 in 2017

Security compromises are a persistent business risk

9

THEY WANT OUR MONEY

Financial Gain is still the 1 factor for cyber attacks and breaches at over 75 in 2017 Espionage and other factors combined still make up less than 25

bull Personally Identifiable Information (PII) is worth more on the black market (ldquoThe Dark Webrdquo) than Credit Card Numbers

bull Ransomware payments estimated over $1 billion in 2017 70 of all Ransomware was paid

bull Email scams cost businesses over $12 Billion in 2018

bull 10 of laundered money is attributable to cyber crime That number is $200 Billion

Source Verizon Data Breach Investigations Report 2018

10

HOW DO THEY DO IT

Cyber criminals have multiple means to achieve Financial Gain

bull Theft of funds (Bank Accounts)

bull Extortion (Ransomware)

bull Selling of stolen credit cards

bull Selling of PII and PHI data

bull Insider Trading Information

bull Using compromised environment for other attacks or for rent (Cryptojacking)

11

EVERCHANGING LANDSCAPE

The types of cyber attacks and exploits are changing

bull Server Attacks once at 50 are trending down

bull User Device and Person attacks are both trending upward at nearly same pace due to Malware Ransomware and Phishing attacks

COMMON TERMS AND DEFINITIONSInformation Technology (IT) ndash The corporate department that handles the corporate software and hardware that runs the normal functions of a typical business or enterprise The department within a company that is charged with establishing monitoring and maintaining information technology systems and services

Operational Technology (OT) ndash The hardware and software that detects or causes a change through the direct monitoring andor control of physical devices processes and events in the enterprise OT technology and departments are usually found within manufacturing and industrial environments and include Industrial Control Systems (ICS) such as Supervisory Control and Data Acquisition systems (SCADA) OT devices and environments are typically run separately from IT departments These are the devices that communicate with pipelines and electrical grids (and nuclear power plants)

Internet of Things ndash A computing concept that describes the idea of everyday physical devices (DVR systems thermostats refrigerators vehicles) being connected to the internet and being able to identify themselves to other devices which enable the devices to collect and exchange data

12

13

ATTACKS IN THE HEADLINES

httpswwwbusinessinsidercomhackers-stole-a-casinos-database-through-a-thermometer-in-the-lobby-fish-tank-2018-4

httpsjsiswashingtonedunewscyberattack-critical-infrastructure-russia-ukrainian-power-grid-attacks

14

COMMON TERMS AND DEFINITIONSBot ndash A bot is a software ldquorobotrdquo that performs an extensive set of automated tasks on its own Bots can perform an extensive set of destructive tasks as well as introduce many forms of malware to your system or network They can also be used by black hats to coordinate attacks by controlling botnets

Botnet ndash A number of Internet-connected devices (eg computers DVR systems and other devices) after being infected with malware each of which is running one or more bots Botnets can be used to perform Distributed Denial Of Service Attack steal data send spam and allow the attacker access to the device and its connection Botnets can be rented out to other hackers or cyber criminals

Denial of Service(DOS) and Distributed Denial of Service ndash A type of attack on a network that is designed to bring the network to its knees by flooding it with useless traffic A Distributed DOS is the same as a DOS attack but involves multiple computers attacking the network from multiple locations Typically the computers being used are infected with Botnet

15


httpswwwcsoonlinecomarticle3258748the-mirai-botnet-explained-how-teen-scammers-and-cctv-cameras-almost-brought-down-the-internethtml

httpswwwwiredcomstoryreaper-iot-botnet-infected-million-networks

16

COMMON TERMS AND DEFINITIONSMiddleware ndash Software that facilitates exchange of data between two application programs within the same environment or across different hardware and network environments Three basic types of middleware are (1) communication middleware (2) database middleware and (3) system middleware

Man-in-the-Middle (MITM) Attacks ndash An attack occurrence where the attacker has been able to place themselves in the middle of communications between two parties The Attacker is able to alter or obtain data for themselves while unknown to the other two parties

SQL Injection and Cross-site scripting Attacks ndash An attack occurrence where the attacker injects malicious code into a website In SQL Injection the attacker uses SQL language to obtain information back from the website that was unintended In Cross-site scripting the attacker injects code that only impacts other users of website

17


httpswwwzdnetcomarticleman-in-the-middle-flaw-left-smartphone-banking-apps-vulnerable

httpskrebsonsecuritycom201809secret-service-warns-of-surge-in-atm-wiretapping-attackscomment-page-1httpswwwscmagazinecomhomesecurity-newscisco-patches-prime-license-

manager-sql-injection-vulnerability

httpswwwtechrepubliccomarticlebritish-airways-data-theft-demonstrates-need-for-cross-site-scripting-restrictions

18

COMMON TERMS AND DEFINITIONSCommon Vulnerability and Exposures (CVE) ndash Catalog sponsored by Homeland Security that documents known Cyber threats Vulnerabilities are known errors in a system or software that provides an attacker with direct access Exposures are known errors that allow an attacked indirect access which may allow the attacker to gather knowledge or content Many of the malwares and cyber attacks in the news resulted from attackers utilizing a vulnerability that had been known and fixed by the vendor for several months or years but not fixed at the company level

Zero Day VulnerabilityAttack ndash An unknown or newly discovered vulnerability that has not yet been fixed by the software or system provider Zero day vulnerabilities are the most difficult to protect against and detect due to the lack of knowledge and support by vendor

Advanced Persistent Threat ndash A set of stealthy and continuous computer hacking processes often orchestrated by a person or persons targeting a specific entity

19

Malware is short for malicious software Malware is a broad term that encompasses computer viruses worms Trojan horses spyware adware and Ransomware Malware is designed to interfere with normal computer operation usually giving hackers a chance to gain access to your computer and collect sensitive personal information

MALWARE

bull Malware is seen as first access point used in connection with Hacking attempts

bull Ransomware is a version of Malware that has been in the headlines

bull Malware can grant command and control of a device to the hackers

bull 1 in 131 emails contained Malware in 2016

bull ldquoFilelessrdquo Malware is a new variant that is more difficult to detect

20

bull Attack started early March 2017 with hackers using a Bot programmed to search the web for a recently

released CVE (Common Vulnerability and Exposure)

bull Took the hackers two months before they found the vulnerability on one of Equifaxrsquos websites used to help

customers with claims

COMPLEXITY BEHIND THE EQUIFAX ATTACK

bull Hackers then used another vulnerability (a Fileless Malware

named Apache Struts) that was also a CVE that had been

issued a month before but never fixed

bull Hackers spent an estimated 76 days in the network and

downloaded records from 51 different databases

bull Over 148 million records were stolen

bull Attack was not identified until July 30 2017

21

In addition to US consumers the UK Data Protection Authority the Information Commissionerrsquos Office reported

bull Approximately 20000 UK data subjects had names dates of birth telephone numbers and driving license numbers exposed

bull More than 600000 UK data subjects had names dates of birth and telephone numbers exposed

bull Up to 15 million UK data subjects had names and dates of birth exposed

EQUIFAX ndash WHAT WAS LOST

22

COMMON TERMS AND DEFINITIONSDark Web Darknet ndash Websites located on the internet that are not accessible by normal search engines or means Darknet sites require special software such as TOR (The Onion Router) that helps keep users anonymous Darknet sites are used for several illegal activities such as black market purchasing of stolen PII or Credit card data as well as Botnet rentals Bitcoins are traded on the Dark Web

Bitcoin ndash A digital currency created in 2009 There are no physical bitcoins only balances kept on a public ledger in the cloud that ndash along with all Bitcoin transactions ndash is verified by a massive amount of computing power Bitcoin mining is the process through which bitcoins are released to come into circulation and involves solving a computationally difficult puzzle to discover a new block which is added to the blockchain and receiving a reward in the form of few bitcoins As more and more bitcoins are created the difficulty of the mining process ndash that is the amount of computing power involved ndash increases

23

RANSOMWAREA type of malware that prevents or limits users from accessing their system either by locking the systems screen or by locking the users files unless a ransom is paid Ransomware typically encrypts certain file types on infected systems and forces users to pay the ransom through certain online payment methods to get a decrypt key

bull The Use of BITCOINS is typically the payment method

bull Ransomware attacks were growing at a rate of 350 annually until 2017 and have now dropped but still present (HR and Healthcare companies both in February)

bull WannaCry Ransomware attack impacted over 200000 people across 150 countries (included a Worm)

24

RANSOMWARERansomware-As-A-Service allows any amateur attacker to get into the business with basic knowledge and less effort The Amateur attacker can visit a RAAS site on the dark web and set up an account to create the Ransomware package It is up to the attacker to distribute the ransomware while the RaaS will handle the ransom payments The RaaS developer takes a cut of any payments that are made The developer will also reduce their cut depending on the volume of payments received

25

bull Business Email Compromise (BEC) is an exploit targeting a companyrsquos corporate email accounts and impersonating or ldquospoofingrdquo the email identity of an employee or company executive in order to fraudulently obtain moneys or sensitive information from the company its business partners andor employees

bull The FBIs Internet Crime Complaint Center or IC3 said that based on fraud reports submitted from October 2013 to May 2018 there were 41058 total US victims of BEC schemes which collectively lost at least $29 billion while global losses were more than four times that amount (FBI Global Business Email Compromise Losses Hit $125 Billion)

bull BEC exploits have become so concerning that the SEC issued a Report of Investigation in October 2018 (httpswwwsecgovlitigationinvestreport34-84429pdf) The report was considered a ldquohighly unusual actionrdquo by the SEC and identified nine companies that had been specifically investigated by the SEC due to a BEC incident

bull All nine lost at least $1 Million due to BEC scam

bull Two companies lost more then $30 Million each

bull In total the nine issuers lost almost $100 Million

BUSINESS EMAIL COMPROMISE (BEC)

26

A form of social engineering in which a message typically an email with a malicious attachment or link is sent to a victim with the intent of tricking the recipient to open an attachment

BEC amp PHISHING

Spear PhishingPhishing attacks directed at a specific individual or company Sub-category of Spear phishing includes Cloning (using a previous legitimate email) and Whaling (attacking a high-level executive)

bull CEO Email to Treasurerbull HR Phishing for Employee Databull W2 Phishing Data (IRS sent out warning)

The majority of Phishing cases are used as a means to install Malware onto a host environment

27

Most companies battle the increased Phishing and Spear-phishing attacks by labeling each external email with some form of the following inserts

PHISHING EMAIL EXAMPLE

This ldquoband-aidrdquo is still widely in practice today however

28

bull Office 365 is Microsoftrsquos Cloud-based solution offering everything from email and Excel to cloud storage

bull Microsoft Office 365 is now in use at over 70 of Fortune 500 Companies

bull 20 of all companies use Office 365

bull Office 365 overtook Office products in 4th quarter 2017 as the largest revenue stream for Microsoft

BEC amp OFFICE 365

bull Most companies do not correctly set up Office 365

Security or Logging

bull Significant increase in attack vectors against Office

365

bull Only takes one employee and the hacker is internal to

email and Office 365

bull Some attack vectors do not require Phishing email

29

BEC ATTACK WALKTHROUGH

30

BEC ndash PROTECT YOUR CASHAccounting controls at all entryexit points for cash

Cash Receiptsbull Review of balances over 60 days and $10k ndash triggered review and

communication uncovered change in bank info (communication was being sent to deleted email)

bull Reports that generate overdue receivables timely for follow-upbull Elevation rules for overdue receivables

Cash Disbursementbull SOD ndash limit access to vendor master filebull Controls related to changing bank info for all vendors ndash need

more than email communication personal verification with vendor requesting change

bull Vendor set-up ndash verification of information providedbull ISNetworld ndash vetting process for vendors could require vetting

prior to set up as vendorsbull ACH debits ndash no reason to give debit access to account if done

dual approval and ZBA should be usedbull Multi-factor authentication

Treasury Cyber Insurance

Payroll Legal Liabilities

Royalties Contract Language

SOX Impact

Other Processes to Consider

31

AND MULTI-FACTOR AUTHENTICATIONbull Google has not had any of its 85000+ employees successfully phished on their work-related accounts since early 2017

when it began requiring all employees to use physical Security Keys in place of passwords and one-time codes

bull Office 365 and other cloud-based services should all use multi-factor Authentication

32

Many companies do not know where to start with cybersecurity how to evaluate what is enough or how to recover when their best efforts still result in a cyber breach

Main reasons for companies struggles are

BARRIERS TO EFFECTIVE CYBERSECURITY

bull Lack of skilled resources (people and time)

bull Lack of funds

bull Continued innovations in Technology

bull Expansion of the Attack Surface

bull Lack of understanding of companyrsquos information assets and value

bull Failure to properly understand threats and risks

bull Failure to implement core security protocols and procedures

33

Defense-in-Depth approach to Cybersecurity is a layered approach to cybersecurity that recognizes a companyrsquos first line of defense may fail and integrates multiple layers of defense around a companyrsquos information assets Also called the Castle Approach (once you breach the walls more defenses are in place)

DEFENSE IN-DEPTH APPROACH

Patch Management Operating System EOL

Network Vulnerability Scanning Security Staffing

Internal amp External Network Boundaries Wireless Security

Firewall Implementation and Monitoring (including NextGen) IPS IDS SIEM Implementations

Firewall Dataflow amp Standards Documentation Cloud Service Provider Evaluations

Security Incident Management Physical Security

Evaluation of Encryption Technologies Network Access Control

Workstation Endpoint Protection

CYBERSECURITY DEFENSE IN-DEPTH

PEOPLE

TECHNOLOGYPROCESSES

THE PEOPLE CHALLENGEHumans remain one of the weakest links in security chain Ensure you have a strong security awareness training program

THE TECHNOLOGY CHALLENGEThe increasing sophistication and rate of attacks means that constant upkeep and tracking of technology changes is essential

THE PROCESS CHALLENGEEnsure best practice processes and associated management frameworks are in place Regular audits and reviews are important

35

Step 1 - Identify risks through formal risk assessment of assets

Step 2 - Perform baseline gap analysis of the current control environment to industry standard frameworks and identify controls which need to be implemented to reduce the risk of cybersecurity incidents effecting critical data assets

Step 3 - Make recommendations on implementation and ongoing management of cybersecurity controls

Step 4 - Follow-up reviews to monitor control implementation progress

Repeat

WHERE AUDIT CAN HELP

Risk Assessments

Create a BaselineGap

Analysis

Implement and Manage

Controls

Assess amp Report

36

bull Perform risk assessments to understand the organizational risk and where high-risk assets exist

bull Risk assessment should include interviews of departments outside of IT to ensure all critical data asset types are identified

bull Work with IT to classify each of the asset types to assist in measuring overall risk of a cybersecurity event

bull Consider using a Threat Modeling tool to semi-qualitatively measure cybersecurity risks to identify estimate and prioritize information security risks

STEP 1 - CYBERSECURITY RISK ASSESSMENT

Identification of Assets

Asset Locations

Classification of Assets

Threat Modeling

Calculated Risk Results

Key to an effective cybersecurity program is to understand the Companyrsquos information assets


bull What Value Do the Assets Havebull Credit Card Databull Employee or Customer Recordsbull Bank Accountsbull Intellectual Propertybull Trade Secretsbull Insider Knowledgebull Data Locationbull Cash In Cash Out Processesbull Who Would Want the Data

37

38

bull Through formal risk assessments with all critical functions in the business identify where data lives and how the data should be classified then perform a threat analysis to semi-qualitatively determine the risk of a particular cybersecurity incident occurring This allows you to determine the critical data assets in your environment that are at most risk of a cybersecurity incident

bull Use this data to evaluate and identify the cybersecurity framework controls to put in place for your business


Example screenshot of a critical data asset risk assessment

bull Perform walkthroughs with information technology department to understand cybersecurity controls in place

bull Evaluate control design as it relates to commonly accepted framework(s)

bull Identify control gaps and create a baseline for cybersecurity maturity in the organization

STEP 2 - BASELINE GAP ANALYSIS

39

40




bull Use the cybersecurity maturity baseline and risk assessment results to identify and prioritize controls to implement including the highest priority most impactful controls that should be implemented first


41

bull The Baseline Gap Analysis facilitates the Identification of controls which will most reduce the risk of cybersecurity threats to the greatest number of critical data assets (as identified during the risk assessment)

bull Work with IT Management to identify realistic and feasible mitigating controls and an implementation roadmap

1

79

25 2523

8

18

6

12

16

6

16

3

25 25

7

1514

MITIGATING CONTROL COUNTS

A) Identify Info Systems with calc cybersecurity risk gt 100

B) Does Info system have the SPECIFIC THREAT cybersecurity risk over 100 (Yes No) If yes move to next step

C) Identified mitigating controls to implement to mitigate threat

D) Totaled all instances where controls reduced risk

STEP 3 - CONTROLS ANALYSIS

42

bull Leverage information gained during the project to provide management with a detailed mapping of the organizations cybersecurity position

bull Consider using the COBIT Process Capability Model to map out the CSC framework which will allow management to begin tracking cybersecurity maturity

5 = OPTIMIZED

4 = PREDICTABLE

3 = ESTABLISHED

2 = MANAGED

1 = PERFORMED

STEP 4 - CYBERSECURITY REPORTING

CYBERSECURITY FRAMEWORKS AND GUIDANCE

NIST

bull NIST SP 800-53 r5 Recommended Security Controls for Federal Information Systems and Organizations

bull NIST Cyber Security Framework v 11

bull Various other NIST special publications

Center for Internet Security

bull Critical Security Controls (formerly SAN Top 20)

International Organization for Standardization

bull ISO ndash 27001 family ndash Information security management systems

ISACA

bull Implementing the NIST Cybersecurity Framework Using COBIT 5

Does company size matterCompanies with more than 10000 employees are slightly more likely to have adopted a security framework (90) but even smaller companies with fewer than 1000 employees report significant rates of adoption (77) ndash Source itgovernanceusacom

According to Tenablersquos Trends in Security Framework Adoption Survey 84 of organizations in the US leverage a security framework in their organization and 44 use more than one framework - Source itgovernanceusacom

43

44

CENTER FOR INTERNET SECURITY ndash CRITICAL SECURITY CONTROLS

45

CYBERSECURITY ndash WHAT INTERNAL AUDIT CAN DO

User and Administrator Level Access

bull Companies fail to adequately assess user access levels to ensure that the principle of least privilege is applied throughout IT systems Donrsquot just think SOX

bull Confirm IT is not using privileged accounts for daily tasks that can include browsing the internet or answering email

bull Determine whether privileged and admin account passwords are held at a higher standard than normal accounts (complexity length change frequency sharing)

bull Consider how IT monitors and is alerted on changes to elevated privileges

User Cybersecurity Training and Awareness

bull Companies often fail to implement basic end user training around cybersecurity Often times the uneducated or untrained end user is the Cyber attackers first entry point into the company

bull Determine whether your company conducts random phishing awareness training campaigns

bull Evaluate your companyrsquos overall cybersecurity training awareness program

46


Vulnerability Management bull Most companies fail to implement sound patch management processes and procedures which includes

bull 99 of exploited vulnerabilities were comprised more than a year after the patch was published

bull Companies do not know all of the Information devices in their network and therefore are unable to adequately assess their patch management process

bull Ensure your IT departments are scanning all assets continuously to ensure newly discovered vulnerabilities are identified quickly

bull Validate the patch management process is effective in ensuring all IT devices are properly updated (patched) to reflect the latest software update or release from the vendor This includes workstations servers network equipment VMware Citrix non-Microsoft software etc

bull If known vulnerabilities cannot be patched due to business reasons determine whether those risks are formally accepted and tracked by management Assess whether there are sufficient mitigating controls in place

47

CYBERSECURITY ndash SUMMARY QUICK HIT LIST

REVIEW AT LEAST THE FOLLOWING FOR YOUR COMPANYbull Obtain a basic understanding of your critical information assets where they are

stored and how they are protected

bull Perform an Inventory of IT devices and assess each devicersquos risk relating to patches

bull Understand your companyrsquos fundamental process around Patch Management and focus on higher risk areas such as internet facing devices and software with known vulnerabilities (Adobe Java Browsers Operating Systems)

bull Perform an inventory of all User and Admin IDs Understand the access each ID has in your environment and why that access level is necessary Assess whether password levels and parameters are adequate (password length characters and change interval)

bull Implement a continual end user training program

bull Ensure backups and recovery plans work as intended and are properly segregated

bull Understand the coverage and terms of your companyrsquos cyber insurance policy

bull Assess the requirement for Multi-factor Authentication

48

ANATOMY OF AN ATTACK

49

QUESTIONS

David Losacco Principalmobile (918) 625-8870

davidlosaccostinnett-associatescom

Stinnett amp Associatesstinnett-associatescom

Dallas | Denver | Houston | Oklahoma City | San Antonio | Tulsa

lrmhstna01busers6vanticwMy DocumentsIIA Houston Conference2019PresentationsCS35-Losaccopptxlrm

2

bull The comments and statements in this presentation are the opinions of the speaker and do not necessarily reflect the opinions or positions of Stinnett amp Associates LLC

bull This presentation is the property of Stinnett amp Associates LLC All rights reserved No part of this document may be reproduced transmitted or otherwise distributed in any form without written permission from Stinnett amp Associates LLC

bull Stinnett amp Associates LLC expressly disclaims any liability in connection with the use of this presentation or its contents by any third party

DISCLAIMER








LEARNING OBJECTIVES

3

4


5


6

hellip AND THESE

7


8















9

THEY WANT OUR MONEY







10

HOW DO THEY DO IT








11








12

13




14




15




16




17






18




19


MALWARE






20













21






22



23





24


25








26


BEC amp PHISHING




27




28





BEC amp OFFICE 365


Security or Logging


365




29


30













SOX Impact


31




32





bull Lack of funds






33












PEOPLE

TECHNOLOGYPROCESSES




35





Repeat


Risk Assessments


Analysis


Controls

Assess amp Report

36







Asset Locations


Threat Modeling





37

38









39

40






41



1

79

25 2523

8

18

6

12

16

6

16

3

25 25

7

1514







42



5 = OPTIMIZED

4 = PREDICTABLE

3 = ESTABLISHED

2 = MANAGED

1 = PERFORMED



NIST








ISACA




43

44


45











46








47











48


49

QUESTIONS













LEARNING OBJECTIVES

3

4


5


6

hellip AND THESE

7


8















9

THEY WANT OUR MONEY







10

HOW DO THEY DO IT








11








12

13




14




15




16




17






18




19


MALWARE






20













21






22



23





24


25








26


BEC amp PHISHING




27




28





BEC amp OFFICE 365


Security or Logging


365




29


30













SOX Impact


31




32





bull Lack of funds






33












PEOPLE

TECHNOLOGYPROCESSES




35





Repeat


Risk Assessments


Analysis


Controls

Assess amp Report

36







Asset Locations


Threat Modeling





37

38









39

40






41



1

79

25 2523

8

18

6

12

16

6

16

3

25 25

7

1514







42



5 = OPTIMIZED

4 = PREDICTABLE

3 = ESTABLISHED

2 = MANAGED

1 = PERFORMED



NIST








ISACA




43

44


45











46








47











48


49

QUESTIONS






4


5


6

hellip AND THESE

7


8















9

THEY WANT OUR MONEY







10

HOW DO THEY DO IT








11








12

13




14




15




16




17






18




19


MALWARE






20













21






22



23





24


25








26


BEC amp PHISHING




27




28





BEC amp OFFICE 365


Security or Logging


365




29


30













SOX Impact


31




32





bull Lack of funds






33












PEOPLE

TECHNOLOGYPROCESSES




35





Repeat


Risk Assessments


Analysis


Controls

Assess amp Report

36







Asset Locations


Threat Modeling





37

38









39

40






41



1

79

25 2523

8

18

6

12

16

6

16

3

25 25

7

1514







42



5 = OPTIMIZED

4 = PREDICTABLE

3 = ESTABLISHED

2 = MANAGED

1 = PERFORMED



NIST








ISACA




43

44


45











46








47











48


49

QUESTIONS






5


6

hellip AND THESE

7


8















9

THEY WANT OUR MONEY







10

HOW DO THEY DO IT








11








12

13




14




15




16




17






18




19


MALWARE






20













21






22



23





24


25








26


BEC amp PHISHING




27




28





BEC amp OFFICE 365


Security or Logging


365




29


30













SOX Impact


31




32





bull Lack of funds






33












PEOPLE

TECHNOLOGYPROCESSES




35





Repeat


Risk Assessments


Analysis


Controls

Assess amp Report

36







Asset Locations


Threat Modeling





37

38









39

40






41



1

79

25 2523

8

18

6

12

16

6

16

3

25 25

7

1514







42



5 = OPTIMIZED

4 = PREDICTABLE

3 = ESTABLISHED

2 = MANAGED

1 = PERFORMED



NIST








ISACA




43

44


45











46








47











48


49

QUESTIONS






6

hellip AND THESE

7


8















9

THEY WANT OUR MONEY







10

HOW DO THEY DO IT








11








12

13




14




15




16




17






18




19


MALWARE






20













21






22



23





24


25








26


BEC amp PHISHING




27




28





BEC amp OFFICE 365


Security or Logging


365




29


30













SOX Impact


31




32





bull Lack of funds






33












PEOPLE

TECHNOLOGYPROCESSES




35





Repeat


Risk Assessments


Analysis


Controls

Assess amp Report

36







Asset Locations


Threat Modeling





37

38









39

40






41



1

79

25 2523

8

18

6

12

16

6

16

3

25 25

7

1514







42



5 = OPTIMIZED

4 = PREDICTABLE

3 = ESTABLISHED

2 = MANAGED

1 = PERFORMED



NIST








ISACA




43

44


45











46








47











48


49

QUESTIONS






7


8















9

THEY WANT OUR MONEY







10

HOW DO THEY DO IT








11








12

13




14




15




16




17






18




19


MALWARE






20













21






22



23





24


25








26


BEC amp PHISHING




27




28





BEC amp OFFICE 365


Security or Logging


365




29


30













SOX Impact


31




32





bull Lack of funds






33












PEOPLE

TECHNOLOGYPROCESSES




35





Repeat


Risk Assessments


Analysis


Controls

Assess amp Report

36







Asset Locations


Threat Modeling





37

38









39

40






41



1

79

25 2523

8

18

6

12

16

6

16

3

25 25

7

1514







42



5 = OPTIMIZED

4 = PREDICTABLE

3 = ESTABLISHED

2 = MANAGED

1 = PERFORMED



NIST








ISACA




43

44


45











46








47











48


49

QUESTIONS






8















9

THEY WANT OUR MONEY







10

HOW DO THEY DO IT








11








12

13




14




15




16




17






18




19


MALWARE






20













21






22



23





24


25








26


BEC amp PHISHING




27




28





BEC amp OFFICE 365


Security or Logging


365




29


30













SOX Impact


31




32





bull Lack of funds






33












PEOPLE

TECHNOLOGYPROCESSES




35





Repeat


Risk Assessments


Analysis


Controls

Assess amp Report

36







Asset Locations


Threat Modeling





37

38









39

40






41



1

79

25 2523

8

18

6

12

16

6

16

3

25 25

7

1514







42



5 = OPTIMIZED

4 = PREDICTABLE

3 = ESTABLISHED

2 = MANAGED

1 = PERFORMED



NIST








ISACA




43

44


45











46








47











48


49

QUESTIONS






9

THEY WANT OUR MONEY







10

HOW DO THEY DO IT








11








12

13




14




15




16




17






18




19


MALWARE






20













21






22



23





24


25








26


BEC amp PHISHING




27




28





BEC amp OFFICE 365


Security or Logging


365




29


30













SOX Impact


31




32





bull Lack of funds






33












PEOPLE

TECHNOLOGYPROCESSES




35





Repeat


Risk Assessments


Analysis


Controls

Assess amp Report

36







Asset Locations


Threat Modeling





37

38









39

40






41



1

79

25 2523

8

18

6

12

16

6

16

3

25 25

7

1514







42



5 = OPTIMIZED

4 = PREDICTABLE

3 = ESTABLISHED

2 = MANAGED

1 = PERFORMED



NIST








ISACA




43

44


45











46








47











48


49

QUESTIONS






10

HOW DO THEY DO IT








11








12

13




14




15




16




17






18




19


MALWARE






20













21






22



23





24


25








26


BEC amp PHISHING




27




28





BEC amp OFFICE 365


Security or Logging


365




29


30













SOX Impact


31




32





bull Lack of funds






33












PEOPLE

TECHNOLOGYPROCESSES




35





Repeat


Risk Assessments


Analysis


Controls

Assess amp Report

36







Asset Locations


Threat Modeling





37

38









39

40






41



1

79

25 2523

8

18

6

12

16

6

16

3

25 25

7

1514







42



5 = OPTIMIZED

4 = PREDICTABLE

3 = ESTABLISHED

2 = MANAGED

1 = PERFORMED



NIST








ISACA




43

44


45











46








47











48


49

QUESTIONS






11








12

13




14




15




16




17






18




19


MALWARE






20













21






22



23





24


25








26


BEC amp PHISHING




27




28





BEC amp OFFICE 365


Security or Logging


365




29


30













SOX Impact


31




32





bull Lack of funds






33












PEOPLE

TECHNOLOGYPROCESSES




35





Repeat


Risk Assessments


Analysis


Controls

Assess amp Report

36







Asset Locations


Threat Modeling





37

38









39

40






41



1

79

25 2523

8

18

6

12

16

6

16

3

25 25

7

1514







42



5 = OPTIMIZED

4 = PREDICTABLE

3 = ESTABLISHED

2 = MANAGED

1 = PERFORMED



NIST








ISACA




43

44


45











46








47











48


49

QUESTIONS









12

13




14




15




16




17






18




19


MALWARE






20













21






22



23





24


25








26


BEC amp PHISHING




27




28





BEC amp OFFICE 365


Security or Logging


365




29


30













SOX Impact


31




32





bull Lack of funds






33












PEOPLE

TECHNOLOGYPROCESSES




35





Repeat


Risk Assessments


Analysis


Controls

Assess amp Report

36







Asset Locations


Threat Modeling





37

38









39

40






41



1

79

25 2523

8

18

6

12

16

6

16

3

25 25

7

1514







42



5 = OPTIMIZED

4 = PREDICTABLE

3 = ESTABLISHED

2 = MANAGED

1 = PERFORMED



NIST








ISACA




43

44


45











46








47











48


49

QUESTIONS






13




14




15




16




17






18




19


MALWARE






20













21






22



23





24


25








26


BEC amp PHISHING




27




28





BEC amp OFFICE 365


Security or Logging


365




29


30













SOX Impact


31




32





bull Lack of funds






33












PEOPLE

TECHNOLOGYPROCESSES




35





Repeat


Risk Assessments


Analysis


Controls

Assess amp Report

36







Asset Locations


Threat Modeling





37

38









39

40






41



1

79

25 2523

8

18

6

12

16

6

16

3

25 25

7

1514







42



5 = OPTIMIZED

4 = PREDICTABLE

3 = ESTABLISHED

2 = MANAGED

1 = PERFORMED



NIST








ISACA




43

44


45











46








47











48


49

QUESTIONS






14




15




16




17






18




19


MALWARE






20













21






22



23





24


25








26


BEC amp PHISHING




27




28





BEC amp OFFICE 365


Security or Logging


365




29


30













SOX Impact


31




32





bull Lack of funds






33












PEOPLE

TECHNOLOGYPROCESSES




35





Repeat


Risk Assessments


Analysis


Controls

Assess amp Report

36







Asset Locations


Threat Modeling





37

38









39

40






41



1

79

25 2523

8

18

6

12

16

6

16

3

25 25

7

1514







42



5 = OPTIMIZED

4 = PREDICTABLE

3 = ESTABLISHED

2 = MANAGED

1 = PERFORMED



NIST








ISACA




43

44


45











46








47











48


49

QUESTIONS






15




16




17






18




19


MALWARE






20













21






22



23





24


25








26


BEC amp PHISHING




27




28





BEC amp OFFICE 365


Security or Logging


365




29


30













SOX Impact


31




32





bull Lack of funds






33












PEOPLE

TECHNOLOGYPROCESSES




35





Repeat


Risk Assessments


Analysis


Controls

Assess amp Report

36







Asset Locations


Threat Modeling





37

38









39

40






41



1

79

25 2523

8

18

6

12

16

6

16

3

25 25

7

1514







42



5 = OPTIMIZED

4 = PREDICTABLE

3 = ESTABLISHED

2 = MANAGED

1 = PERFORMED



NIST








ISACA




43

44


45











46








47











48


49

QUESTIONS






16




17






18




19


MALWARE






20













21






22



23





24


25








26


BEC amp PHISHING




27




28





BEC amp OFFICE 365


Security or Logging


365




29


30













SOX Impact


31




32





bull Lack of funds






33












PEOPLE

TECHNOLOGYPROCESSES




35





Repeat


Risk Assessments


Analysis


Controls

Assess amp Report

36







Asset Locations


Threat Modeling





37

38









39

40






41



1

79

25 2523

8

18

6

12

16

6

16

3

25 25

7

1514







42



5 = OPTIMIZED

4 = PREDICTABLE

3 = ESTABLISHED

2 = MANAGED

1 = PERFORMED



NIST








ISACA




43

44


45











46








47











48


49

QUESTIONS






17






18




19


MALWARE






20













21






22



23





24


25








26


BEC amp PHISHING




27




28





BEC amp OFFICE 365


Security or Logging


365




29


30













SOX Impact


31




32





bull Lack of funds






33












PEOPLE

TECHNOLOGYPROCESSES




35





Repeat


Risk Assessments


Analysis


Controls

Assess amp Report

36







Asset Locations


Threat Modeling





37

38









39

40






41



1

79

25 2523

8

18

6

12

16

6

16

3

25 25

7

1514







42



5 = OPTIMIZED

4 = PREDICTABLE

3 = ESTABLISHED

2 = MANAGED

1 = PERFORMED



NIST








ISACA




43

44


45











46








47











48


49

QUESTIONS






18




19


MALWARE






20













21






22



23





24


25








26


BEC amp PHISHING




27




28





BEC amp OFFICE 365


Security or Logging


365




29


30













SOX Impact


31




32





bull Lack of funds






33












PEOPLE

TECHNOLOGYPROCESSES




35





Repeat


Risk Assessments


Analysis


Controls

Assess amp Report

36







Asset Locations


Threat Modeling





37

38









39

40






41



1

79

25 2523

8

18

6

12

16

6

16

3

25 25

7

1514







42



5 = OPTIMIZED

4 = PREDICTABLE

3 = ESTABLISHED

2 = MANAGED

1 = PERFORMED



NIST








ISACA




43

44


45











46








47











48


49

QUESTIONS






19


MALWARE






20













21






22



23





24


25








26


BEC amp PHISHING




27




28





BEC amp OFFICE 365


Security or Logging


365




29


30













SOX Impact


31




32





bull Lack of funds






33












PEOPLE

TECHNOLOGYPROCESSES




35





Repeat


Risk Assessments


Analysis


Controls

Assess amp Report

36







Asset Locations


Threat Modeling





37

38









39

40






41



1

79

25 2523

8

18

6

12

16

6

16

3

25 25

7

1514







42



5 = OPTIMIZED

4 = PREDICTABLE

3 = ESTABLISHED

2 = MANAGED

1 = PERFORMED



NIST








ISACA




43

44


45











46








47











48


49

QUESTIONS






20













21






22



23





24


25








26


BEC amp PHISHING




27




28





BEC amp OFFICE 365


Security or Logging


365




29


30













SOX Impact


31




32





bull Lack of funds






33












PEOPLE

TECHNOLOGYPROCESSES




35





Repeat


Risk Assessments


Analysis


Controls

Assess amp Report

36







Asset Locations


Threat Modeling





37

38









39

40






41



1

79

25 2523

8

18

6

12

16

6

16

3

25 25

7

1514







42



5 = OPTIMIZED

4 = PREDICTABLE

3 = ESTABLISHED

2 = MANAGED

1 = PERFORMED



NIST








ISACA




43

44


45











46








47











48


49

QUESTIONS






21






22



23





24


25








26


BEC amp PHISHING




27




28





BEC amp OFFICE 365


Security or Logging


365




29


30













SOX Impact


31




32





bull Lack of funds






33












PEOPLE

TECHNOLOGYPROCESSES




35





Repeat


Risk Assessments


Analysis


Controls

Assess amp Report

36







Asset Locations


Threat Modeling





37

38









39

40






41



1

79

25 2523

8

18

6

12

16

6

16

3

25 25

7

1514







42



5 = OPTIMIZED

4 = PREDICTABLE

3 = ESTABLISHED

2 = MANAGED

1 = PERFORMED



NIST








ISACA




43

44


45











46








47











48


49

QUESTIONS






22



23





24


25








26


BEC amp PHISHING




27




28





BEC amp OFFICE 365


Security or Logging


365




29


30













SOX Impact


31




32





bull Lack of funds






33












PEOPLE

TECHNOLOGYPROCESSES




35





Repeat


Risk Assessments


Analysis


Controls

Assess amp Report

36







Asset Locations


Threat Modeling





37

38









39

40






41



1

79

25 2523

8

18

6

12

16

6

16

3

25 25

7

1514







42



5 = OPTIMIZED

4 = PREDICTABLE

3 = ESTABLISHED

2 = MANAGED

1 = PERFORMED



NIST








ISACA




43

44


45











46








47











48


49

QUESTIONS






23





24


25








26


BEC amp PHISHING




27




28





BEC amp OFFICE 365


Security or Logging


365




29


30













SOX Impact


31




32





bull Lack of funds






33












PEOPLE

TECHNOLOGYPROCESSES




35





Repeat


Risk Assessments


Analysis


Controls

Assess amp Report

36







Asset Locations


Threat Modeling





37

38









39

40






41



1

79

25 2523

8

18

6

12

16

6

16

3

25 25

7

1514







42



5 = OPTIMIZED

4 = PREDICTABLE

3 = ESTABLISHED

2 = MANAGED

1 = PERFORMED



NIST








ISACA




43

44


45











46








47











48


49

QUESTIONS






24


25








26


BEC amp PHISHING




27




28





BEC amp OFFICE 365


Security or Logging


365




29


30













SOX Impact


31




32





bull Lack of funds






33












PEOPLE

TECHNOLOGYPROCESSES




35





Repeat


Risk Assessments


Analysis


Controls

Assess amp Report

36







Asset Locations


Threat Modeling





37

38









39

40






41



1

79

25 2523

8

18

6

12

16

6

16

3

25 25

7

1514







42



5 = OPTIMIZED

4 = PREDICTABLE

3 = ESTABLISHED

2 = MANAGED

1 = PERFORMED



NIST








ISACA




43

44


45











46








47











48


49

QUESTIONS






25








26


BEC amp PHISHING




27




28





BEC amp OFFICE 365


Security or Logging


365




29


30













SOX Impact


31




32





bull Lack of funds






33












PEOPLE

TECHNOLOGYPROCESSES




35





Repeat


Risk Assessments


Analysis


Controls

Assess amp Report

36







Asset Locations


Threat Modeling





37

38









39

40






41



1

79

25 2523

8

18

6

12

16

6

16

3

25 25

7

1514







42



5 = OPTIMIZED

4 = PREDICTABLE

3 = ESTABLISHED

2 = MANAGED

1 = PERFORMED



NIST








ISACA




43

44


45











46








47











48


49

QUESTIONS






26


BEC amp PHISHING




27




28





BEC amp OFFICE 365


Security or Logging


365




29


30













SOX Impact


31




32





bull Lack of funds






33












PEOPLE

TECHNOLOGYPROCESSES




35





Repeat


Risk Assessments


Analysis


Controls

Assess amp Report

36







Asset Locations


Threat Modeling





37

38









39

40






41



1

79

25 2523

8

18

6

12

16

6

16

3

25 25

7

1514







42



5 = OPTIMIZED

4 = PREDICTABLE

3 = ESTABLISHED

2 = MANAGED

1 = PERFORMED



NIST








ISACA




43

44


45











46








47











48


49

QUESTIONS






27




28





BEC amp OFFICE 365


Security or Logging


365




29


30













SOX Impact


31




32





bull Lack of funds






33












PEOPLE

TECHNOLOGYPROCESSES




35





Repeat


Risk Assessments


Analysis


Controls

Assess amp Report

36







Asset Locations


Threat Modeling





37

38









39

40






41



1

79

25 2523

8

18

6

12

16

6

16

3

25 25

7

1514







42



5 = OPTIMIZED

4 = PREDICTABLE

3 = ESTABLISHED

2 = MANAGED

1 = PERFORMED



NIST








ISACA




43

44


45











46








47











48


49

QUESTIONS






28





BEC amp OFFICE 365


Security or Logging


365




29


30













SOX Impact


31




32





bull Lack of funds






33












PEOPLE

TECHNOLOGYPROCESSES




35





Repeat


Risk Assessments


Analysis


Controls

Assess amp Report

36







Asset Locations


Threat Modeling





37

38









39

40






41



1

79

25 2523

8

18

6

12

16

6

16

3

25 25

7

1514







42



5 = OPTIMIZED

4 = PREDICTABLE

3 = ESTABLISHED

2 = MANAGED

1 = PERFORMED



NIST








ISACA




43

44


45











46








47











48


49

QUESTIONS






29


30













SOX Impact


31




32





bull Lack of funds






33












PEOPLE

TECHNOLOGYPROCESSES




35





Repeat


Risk Assessments


Analysis


Controls

Assess amp Report

36







Asset Locations


Threat Modeling





37

38









39

40






41



1

79

25 2523

8

18

6

12

16

6

16

3

25 25

7

1514







42



5 = OPTIMIZED

4 = PREDICTABLE

3 = ESTABLISHED

2 = MANAGED

1 = PERFORMED



NIST








ISACA




43

44


45











46








47











48


49

QUESTIONS






30













SOX Impact


31




32





bull Lack of funds






33












PEOPLE

TECHNOLOGYPROCESSES




35





Repeat


Risk Assessments


Analysis


Controls

Assess amp Report

36







Asset Locations


Threat Modeling





37

38









39

40






41



1

79

25 2523

8

18

6

12

16

6

16

3

25 25

7

1514







42



5 = OPTIMIZED

4 = PREDICTABLE

3 = ESTABLISHED

2 = MANAGED

1 = PERFORMED



NIST








ISACA




43

44


45











46








47











48


49

QUESTIONS






31




32





bull Lack of funds






33












PEOPLE

TECHNOLOGYPROCESSES




35





Repeat


Risk Assessments


Analysis


Controls

Assess amp Report

36







Asset Locations


Threat Modeling





37

38









39

40






41



1

79

25 2523

8

18

6

12

16

6

16

3

25 25

7

1514







42



5 = OPTIMIZED

4 = PREDICTABLE

3 = ESTABLISHED

2 = MANAGED

1 = PERFORMED



NIST








ISACA




43

44


45











46








47











48


49

QUESTIONS






32





bull Lack of funds






33












PEOPLE

TECHNOLOGYPROCESSES




35





Repeat


Risk Assessments


Analysis


Controls

Assess amp Report

36







Asset Locations


Threat Modeling





37

38









39

40






41



1

79

25 2523

8

18

6

12

16

6

16

3

25 25

7

1514







42



5 = OPTIMIZED

4 = PREDICTABLE

3 = ESTABLISHED

2 = MANAGED

1 = PERFORMED



NIST








ISACA




43

44


45











46








47











48


49

QUESTIONS






33












PEOPLE

TECHNOLOGYPROCESSES




35





Repeat


Risk Assessments


Analysis


Controls

Assess amp Report

36







Asset Locations


Threat Modeling





37

38









39

40






41



1

79

25 2523

8

18

6

12

16

6

16

3

25 25

7

1514







42



5 = OPTIMIZED

4 = PREDICTABLE

3 = ESTABLISHED

2 = MANAGED

1 = PERFORMED



NIST








ISACA




43

44


45











46








47











48


49

QUESTIONS







PEOPLE

TECHNOLOGYPROCESSES




35





Repeat


Risk Assessments


Analysis


Controls

Assess amp Report

36







Asset Locations


Threat Modeling





37

38









39

40






41



1

79

25 2523

8

18

6

12

16

6

16

3

25 25

7

1514







42



5 = OPTIMIZED

4 = PREDICTABLE

3 = ESTABLISHED

2 = MANAGED

1 = PERFORMED



NIST








ISACA




43

44


45











46








47











48


49

QUESTIONS






35





Repeat


Risk Assessments


Analysis


Controls

Assess amp Report

36







Asset Locations


Threat Modeling





37

38









39

40






41



1

79

25 2523

8

18

6

12

16

6

16

3

25 25

7

1514







42



5 = OPTIMIZED

4 = PREDICTABLE

3 = ESTABLISHED

2 = MANAGED

1 = PERFORMED



NIST








ISACA




43

44


45











46








47











48


49

QUESTIONS






36







Asset Locations


Threat Modeling





37

38









39

40






41



1

79

25 2523

8

18

6

12

16

6

16

3

25 25

7

1514







42



5 = OPTIMIZED

4 = PREDICTABLE

3 = ESTABLISHED

2 = MANAGED

1 = PERFORMED



NIST








ISACA




43

44


45











46








47











48


49

QUESTIONS









37

38









39

40






41



1

79

25 2523

8

18

6

12

16

6

16

3

25 25

7

1514







42



5 = OPTIMIZED

4 = PREDICTABLE

3 = ESTABLISHED

2 = MANAGED

1 = PERFORMED



NIST








ISACA




43

44


45











46








47











48


49

QUESTIONS






38









39

40






41



1

79

25 2523

8

18

6

12

16

6

16

3

25 25

7

1514







42



5 = OPTIMIZED

4 = PREDICTABLE

3 = ESTABLISHED

2 = MANAGED

1 = PERFORMED



NIST








ISACA




43

44


45











46








47











48


49

QUESTIONS










39

40






41



1

79

25 2523

8

18

6

12

16

6

16

3

25 25

7

1514







42



5 = OPTIMIZED

4 = PREDICTABLE

3 = ESTABLISHED

2 = MANAGED

1 = PERFORMED



NIST








ISACA




43

44


45











46








47











48


49

QUESTIONS






40






41



1

79

25 2523

8

18

6

12

16

6

16

3

25 25

7

1514







42



5 = OPTIMIZED

4 = PREDICTABLE

3 = ESTABLISHED

2 = MANAGED

1 = PERFORMED



NIST








ISACA




43

44


45











46








47











48


49

QUESTIONS






41



1

79

25 2523

8

18

6

12

16

6

16

3

25 25

7

1514







42



5 = OPTIMIZED

4 = PREDICTABLE

3 = ESTABLISHED

2 = MANAGED

1 = PERFORMED



NIST








ISACA




43

44


45











46








47











48


49

QUESTIONS






42



5 = OPTIMIZED

4 = PREDICTABLE

3 = ESTABLISHED

2 = MANAGED

1 = PERFORMED



NIST








ISACA




43

44


45











46








47











48


49

QUESTIONS







NIST








ISACA




43

44


45











46








47











48


49

QUESTIONS






44


45











46








47











48


49

QUESTIONS






45











46








47











48


49

QUESTIONS






46








47











48


49

QUESTIONS






47











48


49

QUESTIONS






48


49

QUESTIONS






49

QUESTIONS




