IT AUDIT AND SECURITY COMPLIANCE: WHERE TO FOCUS YOUR EFFORTS FOR

Transcription

1 O'Connor & Drew, P.C. 1 IT AUDIT AND SECURITY COMPLIANCE: WHERE TO FOCUS YOUR EFFORTS FOR IT Audit and Security O Connor & Drew, P.C. Jake March 2014

2 O'Connor & Drew, P.C. 2 Jake McAleer, CISA Professional Profile Senior IT Audit and Security Manager, O Connor & Drew, P.C. Director of Operations, Dyn Senior IT Auditor, State Street Bank Network and Systems Engineer, Raytheon Company Industry Expertise Internet Services and Infrastructure (IaaS, PaaS, SaaS, Colocation, Data Center) Financial Services Manufacturing Government Not-for-Profit Organizations Family-Owned Businesses

3 O'Connor & Drew, P.C. 3 INFORMATION SECURITY PROGRAM An Overview Of A Security Program and Review of IT Control Terminology

4

5

6 O'Connor & Drew, P.C. 6 Risk Rating Many people confuse the risk event for the risk rating Risk Event = The description of the risk Risk Rating = Likelihood + Impact Prioritizing your audit program by risk is called a Risk-Based Audit Approach

7

8 O'Connor & Drew, P.C. 8 Security Programs Vary By Business Every business is different No one framework or law will completely protect you Vendors can help, but don t rely entirely on them You know your business better than anyone, so your input is key! Internal owners manage and enforce the process Employees must be provided direction and training All programs need proper ownership, employee education, and enforcement

9

10

11 O'Connor & Drew, P.C. 11 The password must be exactly 8 characters long. It must contain at least one letter, one number, and one special character. The only special characters allowed # $ A special character must not be located in the first or last position. Two of the same characters sitting next to each other are considered to be a set. No sets are allowed. Avoid using names, such as your name, user ID, or the name of your company or employer. Other words that cannot be used are Texas, child, and the months of the year. A new password cannot be too similar to the previous password. Example: previous password - abc#1234, acceptable new password - acb$1243 Characters in the first, second, and third positions cannot be identical. (abc*****) Characters in the second, third, and fourth positions cannot be identical. (*bc#****) Characters in the sixth, seventh, and eighth positions cannot be identical. (*****234) A password can be changed voluntarily (no Help Desk assistance needed) once in a 15-day period. If needed, the Help Desk can reset the password at any time. The previous 8 passwords cannot be reused.

12

13 O'Connor & Drew, P.C. 13 Focus On The Objective Prevent guessing 8+ Characters and some basic variation (upper and lower case, number, special character, etc.) to prevent just a word as the password Prevent brute force Lock out after 5-10 attempts and lock out across the organization! Protect the encrypted/hashed values Prevent reuse Check against DB of old passwords Prevent compromise User education (don t reuse passwords, don t write them on your laptop, etc.) Force a change every days Enforce use Automatic password/pin enforcement on devices Automatic screen locks after 10 minutes Review how password resets are managed

14

15 O'Connor & Drew, P.C. 15 IT AUDITING IN Focusing on the three inputs: Business Needs Legal and Regulatory Customers and Partners

16

17 O'Connor & Drew, P.C. 17 Legal And Regulatory Requirements Focuses on a specific: Industry Consumer Type of data Geographic region Often: Long and complex Cross-references other sections or laws Subjective and broadly worded Reference dated (now outdated) terms Intended to protect someone else, not your business

18 O'Connor & Drew, P.C. 18 Regulatory Examples Credit card account information Payment Card Industry (PCI) Electronic patient health information Health Insurance Portability and Accountability Act (HIPAA) Consumers private banking information Gramm Leach Bliley Act (GLBA) Government data and systems Federal Information Security Management Act (FISMA) Public company accounting Sarbanes-Oxley Act (SOX)

19 O'Connor & Drew, P.C. 19 Legal, Regulatory, Industry-Specific What laws must the business comply with? Is there a legal/compliance group to rely on? Do you have an international presence? International customers? What laws apply? Are these areas being reviewed for changes? Are there periodic requirements? Example: PCI Quarterly Scans, Yearly Attestation Can the work be done by another group or external resource?

20 O'Connor & Drew, P.C. 20 PCI-DSS v3.0 Enforcement Date Version 3.0 will introduce more changes than Version 2.0. The core 12 security areas remain the same, but the updates will include several new sub-requirements that did not exist previously. Recognizing that additional time may be necessary to implement some of these sub-requirements, the Council will introduce future implementation dates accordingly. This means until 1 July 2015 some of these sub-requirements will be best practices only, to allow organizations more flexibility in planning for and adapting to these changes. Additionally, while entities are encouraged to begin implementation of the new version of the Standards as soon as possible, to ensure adequate time for the transition, Version 2.0 will remain active until 31 December and PA-DSS Change Highlights.pdf

21 O'Connor & Drew, P.C. 21 Examples - PCI v3.0 Requirements New requirement to maintain an inventory of system components in scope for PCI DSS to support development of configuration standards New requirement to control physical access to sensitive areas for onsite personnel, including a process to authorize access, and revoke access immediately upon termination New requirement to implement a methodology for penetration testing Perhaps use a standard such as NIST SP New requirement for service providers to provide the written agreement/acknowledgment to their customers. DSS v3 Summary of Changes.pdf

22

23

24 O'Connor & Drew, P.C. 24 M.G.L. c. 93H and MA 201 CMR 17 Requires: Designated program owner/maintainer Identifying where PII might be within the organization Encryption Monitoring and effectiveness testing Anti-virus and patching Employee training 3 rd party service provider compliance Timely disclosure of a breach Written Information Security Program (WISP) Documents your methodologies, processes, procedures, technologies, PII data types, etc

25 O'Connor & Drew, P.C. 25 MA 201 CMR 17 Definition of PII Personal information, a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident s financial account; provided, however, that Personal information shall not include information that is lawfully obtained from publicly.

26 O'Connor & Drew, P.C. 26 HR Rep: Welcome To The Company! We need an ID for your I-9 Form. We need your routing number so we can pay you.

27

28 O'Connor & Drew, P.C. 28 Computer Access Nearly every employee has access to a PC at work Lawyer s Office Doctor s Office Accountant Car Repair Shop Retail Banks Restaurants Grocery Store Non-profit Call Center

29 O'Connor & Drew, P.C. 29 Access To A Computer At Work Are employees surfing the web on business critical systems? If so, is it necessary? Can you provide them alternatives such as a virtual machine or protected area of the system or limit user privileges? Anti-malware/virus software? Are you segregating general PCs from sensitive networks? Do you have open network shares? Are you blocking the right websites? Social Media Cloud Storage Known malicious sites TOR, P2P, anonymous browsing sites Google Drive

30 O'Connor & Drew, P.C. 30 End User Systems - Internet Access Do users have Java installed? Do they NEED it? First half of 2013, Java was the most common zero-day focus for attackers. Internet Explorer (IE) vs. Firefox or Chrome? Second half of 2013, observed a burst of IE zero-days. Still using Windows XP? General support and updates discontinued April of 2014 A wave of attacks is rumored to be coming

31

32 To The Cloud! O'Connor & Drew, P.C. 32

33 O'Connor & Drew, P.C. 33 Cloud Service Providers (SaaS, PaaS, ) Is the provider responsible for safeguarding your information or simply providing software/hardware? If so, how are they safeguarding it? Who is reviewing/approving contracts with providers? What SLAs and other commitments are they agreeing to? Who in the organization has access to these resources? Are they being used to circumvent traditional IT groups? Is your business able (legal, regulatory, etc) to use them? Who (if anyone) is managing them? Firewall rules Patching Testing

34

35

36

37 O'Connor & Drew, P.C. 37 SOC 2 and 3 Reports AICPA - Service Organization Control (SOC) Started in the 1990s as a SAS70 report SOC 1 (SSAE 16) Internal Financial Reporting SOC 2 Service Provider Detailed Report SOC 3 Service Provider Summary Report SOC 2 report may be shared under NDA SOC 3 report is for public release, put right on the website Ask for a SOC 2 or 3 report from your service providers Cloud/Hosting SaaS

38 O'Connor & Drew, P.C. 38 IMPORTANT SECURITY TOPICS FOR Timely topics to investigate

39

40

41 O'Connor & Drew, P.C. 41 Egress Filtering Simply blocking by ports isn t enough Deep packet inspection HTTP DNS SSH/FTP Encryption complicates the topic Malicious URL/destination filtering Different rules for different systems Block all external traffic to/from PCI and other protected systems Whitelist updates/patching

42 O'Connor & Drew, P.C. 42 Event Monitoring and Alerting IDS/IPS Monitors can block suspicious traffic Where are these devices? What are they monitoring? Are they up-to-date? SIEM - Real-time collection and analysis of security alerts generated by network hardware and applications What devices are reporting to it? Who is monitoring it? What activities are being logged and analyzed? How does the system correlate activities? Are employees able to take corrective action in a timely manner? Are different teams using different SIEMs? Are they sharing info? How often are they truly tested to ensure effectiveness?

43

44 O'Connor & Drew, P.C. 44 Encryption and DLP Encryption is a must! Laptops and desktops USB thumb drives Backup media and hard drives Passwords and other sensitive data Data Loss Prevention Monitoring of USB thumb drives and removable media Files being ed in and out of the company Files being uploaded to 3 rd party systems

45 O'Connor & Drew, P.C. 45 MDM Mobile Device Management Do you allow personal phones to connect to your network or s servers? Are you able to remotely check settings and wipe data in the event of a loss or employee termination? PIN and encryption enforcement Do you limit what applications can be installed? Do you limit what websites employees can go to on their phones? Would an employee know who to report a loss to?

46

47 O'Connor & Drew, P.C. 47 DDoS Mitigation Excess bandwidth ISP filters Dedicated and specialized equipment Customer and server segregation DNS and low TTLs 3 rd Party Protection CloudFlare Prolexic (now part of Akamai)

48 O'Connor & Drew, P.C. 48 SCADA Controls Supervisory Control And Data Acquisition Monitor and control heating, ventilation, and air conditioning systems (HVAC), physical access, and energy consumption Many Fortune1000 companies have these somewhere (data center, facilities, etc) Specialized hardware that often runs small, dedicated software/web servers Some tips: Separate with VLANs, firewalls/routers, MPLS Limit access to necessary personnel only Have maintenance work with IT staff to ensure proper configuration Investigate how to keep system up-to-date

49 O'Connor & Drew, P.C. 49 Policies and Procedures AUP (Acceptable Use Policy) Users understand potentially everything they do is monitored No outside software may be installed Limited personal use Consequences for not following policies Don t leave laptops in plain view or unlocked vehicles Example Template: Use Policy.pdf Written Information Security Program - WISP Legally required document for businesses with Massachusetts customers

50

51 O'Connor & Drew, P.C. 51 SECURITY CONTROLS BASELINE General IT Controls any business should have in place.

52 O'Connor & Drew, P.C. 52 Frameworks ITIL COBIT ISO 27001, 27002, etc NIST COSO Others They can be long, complex, generic (too high-level), industry specific, etc In other words: Many have similar pitfalls as legal and regulatory compliance!

53 O'Connor & Drew, P.C. 53 SANS 20 Critical Security Controls A list of the top 20 critical security controls (CSCs) were agreed upon and outlined, taking risk into consideration. Collaborative work across various governmental, public, and private organizations U.S. Department of Homeland Security U.S. Department of State, Office of the CISO MITRE Corporation SANS Institute A great foundation for any security program Tangible, measurable, free advice that includes examples of processes and technologies to implement

54 O'Connor & Drew, P.C. 54 SANS CSCs Numbers : Inventory of Authorized and Unauthorized Devices 2: Inventory of Authorized and Unauthorized Software 3: Secure Configurations for Hardware and Software 4: Continuous Vulnerability Assessment and Remediation 5: Malware Defenses 6: Application Software Security 7: Wireless Access Control 8: Data Recovery Capability 9: Security Skills Assessment and Appropriate Training 10: Secure Configurations for Network Devices Wording shortened to fit on slide, full text available at

55 O'Connor & Drew, P.C. 55 SANS CSCs Numbers : Limitation and Control of Network Ports, Protocols, Services 12: Controlled Use of Administrative Privileges 13: Boundary Defense 14: Maintenance, Monitoring, and Analysis of Audit Logs 15: Controlled Access Based on the Need to Know 16: Account Monitoring and Control 17: Data Protection 18: Incident Response and Management 19: Secure Network Engineering 20: Penetration Tests and Red Team Exercises Wording shortened to fit on slide, full text available at

56 O'Connor & Drew, P.C. 56 Example: 1 - Inventory Devices Inventory of Authorized and Unauthorized Devices Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.

57 O'Connor & Drew, P.C. 57 Why Do We Care About Inventory? Helps understand what s out there Are rogue devices on your network? Is old hardware still online that shouldn t be? Are people bringing in personal devices? Are there DR systems? Are they being backed up? Are departments buying equipment outside of supply chain process? Did equipment suddenly go missing? Helps to track down devices quickly in the event of a breach or security incident.

58 O'Connor & Drew, P.C. 58 How To Implement Inventory Control CSC 1-1 Deploy an automated asset inventory discovery tool CSC 1-2 Deploy dynamic host configuration protocol (DHCP) server logging CSC 1-3 Ensure that all equipment acquisitions automatically update the inventory system as new, approved devices are connected to the network CSC 1-4 Maintain an asset inventory Easy Win More Effort

59 O'Connor & Drew, P.C. 59 How To Implement Inventory Control CSC 1-5 Deploy network level authentication via 802.1x to limit and control which devices can be connected to the network CSC 1-6 Deploy network access control (NAC) to monitor authorized systems CSC 1-7 Utilize client certificates to validate and authenticate systems prior to connecting to the private network More Effort Advanced

60 O'Connor & Drew, P.C. 60 Some Final Thoughts 1/3 Social media Who manages your social media pages? Are they taking precautions to secure your brand? If you don t have a twitter feed, what s to stop me from pretending to be you? Are they available in an emergency? Are you monitoring the web for your company name/files? pastebin.com Google Forums Mobile tethering/hotspots to circumvent internal protections DNS service: Who manages the account? How is that account protected?

61 O'Connor & Drew, P.C. 61 Some Final Thoughts 2/3 Declaring a digital emergency Who would be involved? Who makes the final call? How is communication managed within the organization? BC/DR site? Mass notification during an emergency Employee call list addresses of all customers in the event of a breach Honeypots and Open Source/Cheap Scanning Software Metasploit, Nexpose, Nessus, owasp.org (Open Web Application Security Project)

62 O'Connor & Drew, P.C. 62 Some Final Thoughts 3/3 Code scanning software Known poor coding standards Copy/paste of OSS code The insider threat Users with elevated privileges Who s watching the watchers? What happens when an IT administrator leaves? Get rid of old devices (securely) Printers, ancient servers, hard drives Recycle and make some money!

63 O'Connor & Drew, P.C. 63 Statistics About Data Breaches Two-thirds of the breaches took months or more to discover. 69% of all breaches were discovered by someone outside the affected organization. German and US companies had the most costly data breaches ($199 and $188 per record, respectively). GL NA WP Ponemon-2013-Cost-of-a-Data-Breach- Report daina cta72382.pdf

64 O'Connor & Drew, P.C. 64 Questions? Jake McAleer Senior IT Security and Audit Manager O Connor & Drew, P.C.

65 O'Connor & Drew, P.C. 65 Download Link Please visit the following link to download a digital copy of the presentation: