Auditing emerging cyber threats and IT controls

Transcription

1 Auditing emerging cyber threats and IT controls Robert Baldi Director of IT Audit, ACI Worldwide Warren Fish Manager of IT Audit, ACI Worldwide

2 Competency The trouble with competence is that it is always stale. * CDR Chris Hadfield, first Canadian to walk in space *Quoted from 2015 IIA Conference, Vancouver, British Columbia, Canada

3 Agenda The state of cybersecurity (IIA perspective) Recent breaches IIA Standards 1210: Proficiency Cutting Edge IT Auditing: IT Skills required, auditing skills second Fruit Tree of IT Auditing Emerging Cyber Threats

4 The state of cybersecurity (IIA) The Cybersecurity Imperative: To help organizations lock down security, internal auditors must raise their skills and understand the latest threats, IIA July 31, The Board is asking questions: This year for the first time, cybersecurity broke into the top 10 risk priorities. Small wonder then that 80 percent of public company board members report their board discusses cybersecurity at most or all board meetings. A Common Language: Bridging those gaps is difficult because there is no generally accepted cybersecurity framework. The Board, Management, IT, information security, and internal audit may all have their own points of reference. Recommend establishing a common framework that enables everyone in the organization to speak the same language about cyber risk. Recruit Cybersecurity Specialists Internal audit departments that lack IT auditors can gain expertise by hiring cybersecurity experts and then training them in internal audit. Tim McCollum is Internal Auditor magazine's associate managing editor.

5 IIA (Standards 1210) Proficiency Internal Auditors must possess the knowledge, skills, and other competencies needed to perform their individual responsibilities. The internal audit activity collectively must possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities. Interpretation: 1210.A1 - The chief audit executive must obtain competent advice and assistance if the internal auditors lack the knowledge, skills, or other competencies needed to perform all or part of the engagement A2 - Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud A3 - Internal auditors must have sufficient knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work. However, not all internal auditors are expected to have the expertise of an internal auditor whose primary responsibility is information technology auditing C1 - The chief audit executive must decline the consulting engagement or obtain competent advice and assistance if the internal auditors lack the knowledge, skills, or other competencies needed to perform all or part of the engagement. 5

6 Cutting Edge IT Auditing: IT Skills required, auditing skills second Maintaining IT competencies: IT Auditors at ACI Worldwide are maintaining their IT skills by maintaining membership in the following organizations, pursing certifications and staying current and connected via social media. Institute of Internal Auditors ISACA Nebraska Computer Emergency Response Team (CERT) Armed Forces Communications and Electronics Association InfraGARD (Public-Private Partnership between FBI and US business) National Cyber Security Alliance (DHS and home, small US business) International Information Systems Security Certification Consortium (ISC²) Open Web Application Security Project (OWASP-Omaha) Risk * 7 Attributes of Highly Effective Internal Auditors, By Chambers, McDonald, IIA, 2013

7 Fruit Tree of Internal Auditing High Hanging Fruit - Simulated Breach Exercises (war gaming) - Penetration Testing (In house) - Data Loss Prevention (Insider Threat) - Bring Your Own Device (BYOD) - Database Security - Two-Factor Controls Medium Hanging Fruit - Data backup processes - Asset Management and/or Identity Management - WiFi Security Assessment - Vulnerability & Patch Management - Configuration Management Low Hanging Fruit - Credential (Admin) Verification/Appropriateness - Default & weak passwords - Unpatched devices (routers, switches, servers, workstations) - Poorly configured firewalls, IPS, IDS< SIEM - Applications not working as configured on workstations (Virus, Web Filtering, etc ) 7

8 Emerging Cyber Threats & IT Controls Recent Breaches & Cyber War gaming Social Media Data Loss Prevention Bring (or Wear) Your Own Device Penetration Testing Incident Response Social Engineering Phishing

9 Cyber Security Breaches 2014 & 2015

10 Cybersecurity: war gaming The cybersecurity imperative By: Tim McCollum (Page 27) 10

11 Social Media Every employee with a social media account tied to your company is an ambassador of the company. Possible risks: Reputation/brand, stock prices, or injury/workplace violence. Example: TD Ameritrade uses a company to monitor Social Media List every company-based social media account Do not limit just to Facebook, Twitter, LinkedIn, etc imperative that you use GoogleDorks or obtain an external objective subject matter expert to assist you

12 Data Loss Prevention (DLP) Where are your egress points? What controls are in place? What do your policies state? What training is provided to your staff? Which of the 45 popular cloud hosting providers (DropBox.com, Cloud.com, etc) are blocked?

13 Bring (or Wear) Your Own Device (BYOD)

14 Penetration Testing? But we just passed our PCI Audit! Vulnerabilities Exist? But we just passed our PCI audit!

15 Incident Response Yes, you probably have a plan. But do you have a letter vetted through legal for each state / country in which you operate to comply with breach notification laws?

16 Social Engineering 16

17 Phishing Phishing still remains the easiest way to compromise a company Unsuspecting employee in any business unit clicks on a perfectly legitimate looking which says, Please click here to check on the status of your order. Access/Compromise Once the attacker has compromised the company workstation, they will install a key logger to collect logins, passwords, etc 23% of recipients now open phishing messages 11% click on attachments 50% open s with the first hour Awareness and training are the most effective defense

18 Contact Info Rob Baldi Director of Information Technology Internal Audit Warren Fish Manager of Information Technology Internal Audit ACI Worldwide is looking for an IT Audit Intern. Please contact Rob or Warren for more details! 18