A Practical Approach to Network Vulnerability Assessment
An Auditor's Perspective
Bryan Miller, IT Director
John Keillor, CPA, Audit Partner
Agenda
- Audits
- Articles/Examples
- Classify Your Data
- IT Control Objectives (Best Practices)
  - Organization & Administrative Controls
  - Data Backup and Business Continuity
  - Physical Security
  - Network & Internet Security
  - Environmental Controls
  - Segregation of Functions
- Summary & Take Away
Here Come the Auditors...
Statement on Auditing Standards (SAS) 94, "The Effect of Information Technology on the Auditor's Consideration of Internal Control in a Financial Audit", requires the auditor to consider the importance of IT processes and controls in the preparation of financial statements.
A report from the Public Oversight Board's Panel on Audit Effectiveness recommended that "... audit firms place a high priority on enhancing the overall effectiveness of auditors' work on internal control, particularly with respect to the depth and substance of their knowledge about the entity's information technology."
Here Come the Auditors... Audits that Impact the Clerk of Courts
- Annual Financial Statement Audit
- Internal Control Audits of Service Organizations (SOC 1 Audits)
  - Florida Courts E-Filing Portal: Court Filings and Electronic Commerce
  - MyFloridaCounty.com: Traffic Citations, Child Support, Ordering Official Records and Other
MyFloridaCounty.com and Florida Courts E-Filing Portal: SOC 1 Workflow
Understanding Controls over Technology
Source: Journal of Accountancy
Threat/Damage Examples
Damage:
- Data Theft (political, competitive advantage, monetary gain)
- Data Loss (permanently removed or destroyed)
Threat:
- External hacker (ransomware, DoS / Denial of Service)
- Employee (disgruntled; hired or motivated by an outside source)
Breach Examples: Stay out of the News!
Classify Your Data
What are you trying to protect?
- Assign levels to data: Critical, Sensitive, Low Level, Public
- Restrict access by department and by user groups
  - A higher level doesn't always mean access should be granted
- Common issue: misclassification and storage in the wrong location
  - A top 10 threat action within Insider Misuse (Verizon 2014 Data Breach Investigations Report)
IT Control Overview
- Organization & Administrative Controls
- Physical Security
- Environmental Controls
- Network and Internet Security
- Segregation of Functions
- Data Backup, Business Continuity and Disaster Recovery
Organization & Administrative Control Example: Information Security Policy
- Do you have one? If so, are you following it?
- Develop the Policy
  - Group effort from multiple departments
  - Months to develop
  - Risk versus cost and operational functionality
- Implement, Follow, Enforce
- Test Continuously
- Revise
Example Security Policy Content
- Client Data and Retention
- Privacy & Monitoring
- User Responsibilities
- Email and Remote Access
- Internet Security
- Hardware and Software
- Virus Protection
- Software Licensing and Use
- Mobile Device Policy (BYOD)
- Personal Use
Reference: SANS Information Security Policy Templates
Organization & Administrative Control Example: User Awareness & Education (Training is a must!)
- Present the Security Policy and its revisions
  - Signed copy in every staff member's personnel file
- Vigilance: what to look for
  - Safe browsing techniques (look out for social engineering attacks)
  - Examples of breaches and attacks (how they happened)
- It is difficult to protect your network with uneducated users
  - Approximately 58% of cyber security incidents in the public sector were caused by employees (34% accidents & 24% unapproved or malicious data) [1]
Physical Security
- Building Access
  - Key card or fob access
  - Visitor badges and escorted
- Data Center Access
  - Restricted access to authorized users
- Monitoring
  - Security and fire monitoring from a third-party vendor
- Annual Third-Party Security Review
If the attacker can gain access to physical workstations or other hardware, you are toast!
Environmental Controls
- Redundant Cooling Systems
- Fire Suppression System
- Uninterruptible Power Supply (UPS) Units
- Backup Power: Diesel/Natural Gas Generator
- Temperature & Humidity Monitoring
Network & Internet Security
- Network Diagram, Documentation and Labeling
- Security Devices & Firewalls
- Anti-Virus Protection
- Password Management
- Change Management
- Encryption
- Patch Management
- Monitoring (internal logs, IPS)
- User Roles (IT and Staff)
Layered Security
- Network: firewalls, routers, DMZ, VLAN, VPN
- Platform/OS: Active Directory, password management, antivirus, patching (Windows, Java, Flash, BIOS)
- Application: secure coding, change management, database security (e.g. SQL)
- Data: encryption, backup, access groups
- Response: monitoring (logs), intrusion detection, remediation
Layered Security (Good Example)
Symantec website: Jan 30, 2012
User Security Example: Password Management
- Domain/Network Security Examples
  - Minimum 10 characters
  - Password complexity
  - Required change every six months
  - Unsuccessful attempt lockout
  - Two-factor authentication (especially Internet facing)
- Include in Security Policy and User Education
  - Never use the same password for other logins (e.g. banking, Facebook, third-party email)
  - Never use linkable names and/or dates (e.g. family members, pets, birthdays and anniversaries)
Segregation of Functions
- User/Staff: access groups based on data classification
- Application Access: roles within applications (e.g. accounting software)
- IT Staff: access groups based on data classification
  - Operating staff and programmers separated
  - Creating user silos
- Local Admins and Domain Admins: very dangerous!
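An added audit check, not part of the slides, that turns the Password Management slide's baseline (10 characters, complexity, change every six months, lockout on failed attempts) and the Segregation of Functions warning about Domain Admins into something an auditor can run against the domain. It assumes the RSAT ActiveDirectory PowerShell module and a read-only domain account; the function and variable names are ours.

```powershell
# Added audit check (not from the slides). Compares the domain's default
# password policy with the Password Management baseline and reports who
# sits in the privileged groups the Segregation of Functions slide warns
# about. Assumes the RSAT ActiveDirectory module and read-only domain access.
Import-Module ActiveDirectory

function Get-BaselineFindings {
    $findings = @()
    $policy = Get-ADDefaultDomainPasswordPolicy

    if ($policy.MinPasswordLength -lt 10) {
        $findings += "Minimum password length is $($policy.MinPasswordLength); baseline is 10"
    }
    if (-not $policy.ComplexityEnabled) {
        $findings += "Password complexity is disabled; baseline requires it"
    }
    # A zero or very large MaxPasswordAge means passwords never expire
    $maxAgeDays = $policy.MaxPasswordAge.TotalDays
    if ($maxAgeDays -le 0 -or $maxAgeDays -gt 183) {
        $findings += "Maximum password age is $maxAgeDays days; baseline is six months"
    }
    if ($policy.LockoutThreshold -eq 0) {
        $findings += "Account lockout is disabled (LockoutThreshold = 0)"
    }

    # Privileged groups should be small and every member justified
    foreach ($group in 'Domain Admins', 'Enterprise Admins', 'Schema Admins') {
        $users = @(Get-ADGroupMember -Identity $group -Recursive |
                   Where-Object { $_.objectClass -eq 'user' })
        $findings += "$group has $($users.Count) user member(s): $($users.SamAccountName -join ', ')"
    }
    return $findings
}

Get-BaselineFindings
```

Run it as part of the periodic review; every line of output is either a policy gap to fix or a privileged account to justify in the audit file.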
Popular Attack: PtH (Pass-the-Hash)
Data Backup, Business Continuity and Disaster Recovery
- Backup Documentation (Disaster Recovery Policy)
- Schedule: hourly, daily, monthly, annual (based on classification)
- Offsite backup and replication (hot site)
- Retention Policy
- Test, Test, Test! (e.g. periodic restores of all areas)
- Contingency Plans
  - Still have a breach? Structured plan of remediation
  - PR Protocol: who's talking to the press?
Summary and Takeaway
- Audits: what we look at
- Breach Examples: stay out of the news!
- IT Control Examples
  - Importance of the Information Security Policy and other documentation
  - User Education & Awareness: most important yet least utilized
  - Layered Network Security Approach
- Contingency: ready if the breach still takes place?
Helpful Resources
- Verizon 2014 Data Breach Investigations Report: http://www.verizonenterprise.com/dbir/2014/
- AICPA Service Organization Control (SOC) Reports: http://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/pages/soRHome.aspx
- SANS Information Security Policy Templates: http://www.sans.org/security-resources/policies/
- Microsoft Whitepaper, "Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques": http://www.microsoft.com/en-us/download/details.aspx?id=36036
Questions?
John Keillor, CPA, Audit Partner: jkeillor@lanigancpa.com
Bryan D. Miller, IT Director: bmiller@lanigancpa.com
Lanigan Group: Lanigan & Associates, P.C.; Lanigan Wealth Management
314 Gordon Avenue, Thomasville; Tallahassee; Atlanta
(229) 226-8320, www.lanigancpa.com