Simplifying Security & Compliance Innovating IT Managed Services. Data Security Threat Landscape and IT General Controls

Transcription

1 Simplifying Security & Compliance Innovating IT Managed Services Data Security Threat Landscape and IT General Controls

2 Audit Standards and IT General Controls General IT controls discussed in AUC Section 315 Understanding the Entity and Its Environment IT controls that maintain the integrity of information and security of data commonly include; Data center and network operation System software acquisition, change and maintenance Program change Access security Application system acquisition, development, and maintenance

3 Simplifying Security & Compliance Innovating IT Managed Services IT general controls (ITGC) affect almost all financial audits IT controls (or lack thereof) may introduce risk of material misstatement (RMM) in relationship to financial data IT needs to be assessed as to the level of risk to the audit objectives in all financial audits

4 Simplifying Security & Compliance Innovating IT Managed Services The focus of IT General Controls (ITGC) in a financial statement audit is to ensure defenses are in place so that your financial data maintains: Confidentiality Preventing the disclosure of data to unauthorized individuals or systems Integrity Ensuring that data or information cannot be changed undetectably Availability Ensuring the information is available when needed

5 Simplifying Security & Compliance Innovating IT Managed Services What are we trying to protect? This includes: User authentication to access valuable data Any customer specific data, PII, ephi, financial information, employee SSN & direct deposit data

6 Simplifying Security & Compliance Innovating IT Managed Services

7 Center for Digital Government Research Study

8 Government is an Attractive Target

9 What Threats are You Most Concerned About?

10 What type of network breach has your organization experienced in the last year?

11 What types of technologies do you currently employ? NEXT GENERATION FIREWALL INTRUSION PREVENTION & DETECTION SYSTEMS MALWARE PROTECTION SYSTEMS ANTI-VIRUS SOFTWARE Don't Know Planning to Employ Currently Employ

12 What types of technologies do you currently employ? WEB & GATEWAYS HOST-BASED INTRUSION PREVENTION SYSTEMS APPLICATION WHITELISTING VIRTUALIZATION Don't Know Planning to Employ Currently Employ

13 Simplifying Security & Compliance Innovating IT Managed Services How do we protect data? People The New Security Perimeter Processes Policies and Procedures Technology Advanced Threat Protection

14 IT General Control Audits Controls We Evaluate Physical Security User Account Management AntiVirus and Malware Data Backup Application Security Network Security Policies and Procedures Business Continuity/Disaster Recovery

15 IT Controls Evaluated and Common Findings Application Security Inadequate User password rules No interface with Active Directory (requires multiple logons) Lack of activity logging, reporting and monitoring capabilities IT Staff with excessive access to production data Decentralized security administration (No separation of duties)

16 QUESTION: Can an organization be compliant but not secure? 1. Yes 2. No 3. Maybe

17 Simplifying Security & Compliance Innovating IT Managed Services Compliance vs Security Compliance is backward-looking and static, Grachis says. Security is forward-looking, dynamic, and intelligent. Fortune November 17, 2014

18 IT Controls Evaluated and Common Findings Network Security Shared and local administrator ID s on network devices Firewall rules need tightening Intrusion Prevention Systems either not installed or not maintained No formal procedure for monitoring server and network device events No log aggregation

19 Unified Threat Management (UTM) Firewalls

20 Unified Threat Management (UTM) Firewalls

21 Unified Threat Management (UTM) Firewalls

22 Unified Threat Management (UTM) Firewalls

23 Unified Threat Management (UTM) Firewalls

24 The cyber attacker blueprint

25 How a strategic web compromise works

26 Dr Leonard Kleinrock

27 A professor of computer science at the University of California-Los Angeles It was 1969 and a busy year for making history: Woodstock, men on the moon -- and something less celebrated but arguably more significant, the birth of the Internet. On October 29 of that year, for perhaps the first time, a message was sent over the network that would eventually become the Web

28 One of the problems of the Internet is that we didn't install what I like to call strong user authentication. We didn't anticipate the level of the dark side we see today. The culture of the early Internet was one of TRUST of all the users. Dr. Leonard Kleinrock

29 IT Controls Evaluated and Common Findings Anti-Virus and Malware Auto run or auto play functionality enabled Lack of centralized control and management of anti-virus software Ransomware Digital Extortion

30 Digital Extortion Crypto-Ransomware There are several different cryptoransomware families, such as Cryptolocker Cryptodefense Cryptowall but their method of exploitation is the same.

31 Digital Extortion Crypto-Ransomware

32 Future Ransomware Evolution Crypto-Ransomware continues to target Mapped drives Attached storage Cloud Storage (as mapped drive) But it is finding new targets In 2014, Synolocker targeted NAS/SAN drives Also in 2014 the first crypto-ransomware for smartphones appeared

33 Future Ransomware Evolution

34 IT Controls Evaluated and Common Findings Data Backup Backups not stored in a secure offsite location Transport of backup tapes not logged Backups not encrypted Backup not tested No formal procedure in place to age backup tapes Does your backup utilize versioning; keeping several versions of the same file enabling you to choose which version to restore.

35 QUESTION: A Gartner 2014 whitepaper stated Prevention is futile, what does that mean? A. Just forget it, we can t stop them. B. They are already in, ignore them we are too busy. C. Assume they are in, but use Continuous Monitoring to detect their presence and remove them D. They are in all networks, get used to it!

36 IT Controls Evaluated and Common Findings User Management Terminated employees still in the systems Shared Administrator User ID s Password complexity rules not used or only partially implemented End Users configured as power users or administrators Password protected screensavers, network and application timeouts not enforced

37 Insider Threats

38 IT Controls Evaluated and Common Findings Policies and Procedures Security Awareness Program Acceptable Use Policies & Procedures User Account Management Policies (HR) Change Control Policies & Procedures Patch Management Policies and Procedures Data Backup Management Encryption Management Personal Computing Device Management Policies

39 Simplifying Security & Compliance Innovating IT Managed Services

40 Acceptable Use Policy No expectation of privacy Communication of trade secrets Duty not to waste computer resources Illegal copying Inappropriate or unlawful material Inappropriate Internet Usage No Sharing of Passwords

41 Simplifying Security & Compliance Innovating IT Managed Services The best processes and technologies can be rendered completely ineffective if users do not take responsibility to safeguard information assets from disclosure, alteration, or destruction. BE A HUMAN FIREWALL

42 Simplifying Security & Compliance Innovating IT Managed Services Social engineering is the art of gaining access to systems or data by exploiting human psychology, rather than using technical hacking techniques. For example; SPAM, Phishing and even cell phone text messages

43 Phishing and Social Media

44 Phishing and Social Media

45 Phishing and Social Media

46 Phishing and Social Media

47 Phishing and Social Media

48 Simplifying Security & Compliance Innovating IT Managed Services

49 Phishing Spelling Errors Bad Grammar Links in Threats/Emotions Fake Website

50 Phishing

51 Phishing

52 Most Recent Breach Phishing

53 Bank Phishing

54 Spoofed Outlook Web Access (OWA)

55 Simplifying Security & Compliance Innovating IT Managed Services

56 Attackers created a rule to prevent remediation.

57 Phishing

58 Phishing

59 Phishing

60 Simplifying Security & Compliance Innovating IT Managed Services

61 5 Questions Executive Leadership Should Ask About Cyber Risks

62 QUESTION: Anyone in this room a victim of one or more of the following data Breaches? Target 110 Million Records Home Depot 56 Million Records Anthem 80 Million Records

63 IT Controls Evaluated and Common Findings Physical Security Excessive staff access to the computer room No access logs to the computer room Who was in there? When? Why? No video surveillance in computer rooms What were they doing? Security lacking in Telecom closets - Could bring down your network Mobile Devices laptops, tablets, USB devices, smartphones

64 IT Controls Evaluated and Common Findings Business Continuity and Disaster Recovery Lack of fully documented Disaster Recovery Plan Lack of fully documented Business Continuity Plan Lack of exercising or testing of Plans

65 IT Controls Evaluated and Common Findings Business Continuity and Disaster Recovery

66 QUESTION: What is the average number of days attackers are present on a victim s network before detection? A. 35 days B. 97 days C. 142 days D. 243 days

67 Simplifying Security & Compliance Innovating IT Managed Services

68 Final Thoughts In the majority of our audits we continually see these HIGH Risk issues: No policies, partial, or incomplete policies No security awareness training No patch management or incomplete patching No vulnerability scanning or penetration (PEN) testing

69 Final Thoughts

70 Final Thoughts

71 Simplifying Security & Compliance Innovating IT Managed Services Data security is everyone in your organizations responsibility where does your team stack up? Caryn Reiker Direct: