Information systems audit for information security purposes PwC Romania Security Threats and our response. CIO Council - Bucharest, Romania

Transcription

1 Information systems audit for information security purposes Romania Security Threats and our response CIO Council - Bucharest, Romania May 12, 2015

2 Agenda Information Systems Audits Practitioner View Handling Cyber Risks EU CyberSecurity Directive Proposal Questions? Information systems audit for information security purposes April

3 Information Systems Audits Information security aspect Key characteristics and aspects to consider: InfoSec = Integral part and aspect of every IS audit Multi-faceted approach from governance and compliance to technical details and technology expertise Increasingly important - aspects: Business protect critical information, IP, data Regulatory/Compliance industry, national or global standards Competitiveness/Reputation Target (US) = direct hit on profit, ebay, PayPal breaches 46% Profit reduction from Q to Q Information systems audit for information security purposes April

4 Information Systems Audits What, when, who and how? Key characteristics and aspects to consider: Business Risks IT Risk Assessment what are IT risks and how they relate to the organization s business or purpose Exchange/Print server downtime vs. Billing Application downtime Misconfigured firewall, non-monitoring of IDS/IPS logs + non-standard threat, systems not patched, etc. Billing $ Information systems audit for information security purposes Board of Directors IT Manager April

5 Information Systems Audits What, when, who and how? Key characteristics and aspects to consider: Scope of the audit Governance + Infrastructure + Apps + DBs Governance+: ISMS, Policies and procedures, BCP/DRP, ASF Norm 6/2015, etc. Infrastructure: T&V Assessments, Pen Test, IPS/IDS setup Apps: Configuration review Business Rules/Workflow review Access review/segregation of Duty /Administration Patch management Change Management, SDLC, Project Management Software Asset Management DBs: Configuration, Administration, Patch management Information systems audit for information security purposes Similar September April

6 Information Systems Audits What, when, who and how? Key characteristics and aspects to consider: People on both sides of the audit: $ $ Board of Directors IT Manager IT Auditor Key assumptions: Ability to make decisions and act Trust Ability and willingness to communicate Confidentiality Listen and translate what they are hearing Go beyond the duty Information systems audit for information security purposes April

7 Additional layers...summary results of +50 cyber attack simulations conducted by Cyber Security, RO included Weak prevention No detection Low awareness We gained unauthorised access to offices and server rooms where sensitive information is stored and/or processed. 4 hours average time to gain access to sensitive data and/or systems We gained unauthorised access and/or control over computers, servers, memory of printers and scanners. We gained access to sensitive business documents, employees passwords, banking/ecommerce transactions and IT systems. We were able to extract the data and send it outside the company s network. 90% organisations tested did not detect/respond to the cyber attack We built phishing sites and successfully encouraged employees to download malicious files. 100% employees disclosed their passwords as a result of phishing test In only one case the employee reported suspicious activities to security officers. 7

8 How we do the cyber attack simulations - STRIKE The goal is to get an unauthorised access to business information and critical systems and identify security weaknesses in terms of people, technologies and processes. We test the chances whether a person without any privileges is able to get access to your business information and IT systems. Using a set of techniques including technology-based and social engineering, we will attempt to access sensitive information within a limited time of 3-5 days. Simulation of the cyber attack from the Internet Attempt to compromise web applications and Internet infrastructure security mechanisms Phishing/spear phishing Simulated hacking STRIKE Simulation of an attack conducted by a guest left alone in a conference room Analysis of security controls against unauthorised access to Company s resources from internal and external network Realistic and tailored as-we-go test scenarios against the cyber security lines of defense Simulation of an attack conducted from networks available in the Company s reception desk Social engineering Attempt to pass technical and physical security controls 8

9 Information systems audit for information security purposes September

10 Information systems audit for information security purposes September

11 Information systems audit for information security purposes September

12 Win One of many Crown Jewels Information systems audit for information security purposes September

13 Information Systems Audits Why? Goods Receipt - Physical HQ Access Management IT AR Goods receipt USER1 X.Y.Z = USER1 Xyz = ADMIN Goods receipt - System Goods Scrap - ADMIN Information systems audit for information security purposes April

14 Information Systems Audits What, when, who and how? Key characteristics and aspects to consider: Approach and methodology + tools COBIT, ISO27001, other guidelines, etc. Audit programs: Specific systems, specific controls Scripts: To test settings To extract data Tools: Just a help = Things need to be put in context No single solution and answer = Judgment call / Experience Information systems audit for information security purposes April

15 Information Systems Audits What, when, who and how? Key characteristics and aspects to consider: Results and Quality Review: Risk levels of the problems found Compensating factors Follow-up Timeline Comprehensive reports Side benefit: great tool to drive IT security initiatives Information systems audit for information security purposes April

16 Handling Cyber Risks You can t secure everything Seize the advantage Set the right priorities. Enterprise security architecture Protect what matters Strategy, organisation, governance Threat intelligence Priorities Risk Exploit digital opportunity with confidence. Compliance with privacy and regulation Digital trust is embedded in the strategy It s not if but when Risk management and risk appetite Build an intelligence-led defence, enabling rapid cyber response. Continuity & resilience Crisis management Incident response Monitoring and detection Crisis Connections Their risk is your risk Understand and manage risk in your interconnected business ecosystem. Digital channels Partner and supplier management Robust contracts Fix the basics Use technology to your advantage, deriving maximum return from your technology investments. Identity and access management Information technology hygiene Information technology, operations technology and consumer technology Technology People People matter Build and maintain a secure culture, where people are aware of their critical security decisions. Insider threat management People and Moments that Matter Security culture and awareness Security intelligence and analytics Information systems audit for information security purposes April

17 EU CyberSecurity Directive Proposal Key characteristics NOW: Actions DEADLINE TO IMPLEMENT: Action Adoption Date + 18 months Establishing national Computer Emergency Response Teams - CERT.RO Sharing and collaboration body Incidents should be reported by: Critical Infrastructure operators (Internet, energy, transport, telekoms, etc.) Financial Services (banks, stock exchanges, etc.) Health Public Administration Cross-implementation/compliance in respect to other policies eprivacy, EU Data Protection Information systems audit for information security purposes April

18 Thank you Armin Dinar Risk Assurance Solutions Senior Manager Office: Mobile: Fax: / PricewaterhouseCoopers Audit S.R.L. Lakeview Building, Barbu Vacarescu St., Bucharest Romania This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, Audit SRL, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it Audit SRL. All rights reserved. In this document, refers to Audit SRL which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.