Cyber Security Threats: Are You at Risk?
Boise Chapter, Institute of Internal Auditors
January 2012
Patricia Watson, Digital Forensics Program Manager, Boise Inc.
Mark Pearson, Director, Internal Audit Services, Boise Inc.
Transcript of "Cyber Security Threats | IIA Boise Chapter"

Slide 1. Cyber Security Threats: Are You at Risk?
Boise Chapter, Institute of Internal Auditors, January 2012
Presenters: Patricia Watson, Digital Forensics Program Manager, Boise Inc.; Mark Pearson, Director, Internal Audit Services, Boise Inc.
Slide 2. Outline
• What is the current cyber security landscape?
• What is the role of internal audit?
• Boise Inc. internal audit approach
• Leveraging digital forensic skills
• Resources
• Questions/discussion
Internal Audit Services | Page 2
Slide 3. Awareness is key…
• Video: Amazing mind reader reveals his “gift”: http://www.youtube.com/watch?v=LABVsSC0H4g
Slide 4. President Obama has declared that the “cyber threat is one of the most serious economic and national security challenges we face as a nation” and that “America's economic prosperity in the 21st century will depend on cybersecurity.”
Source: http://www.whitehouse.gov/administration/eop/nsc/cybersecurity
Slide 5. What is the current landscape?
“…With each passing year, the security threats facing computer networks have become more technically sophisticated, better organized and harder to detect. At the same time, the consequences of failing to block these attacks have increased. In addition to the economic consequences of financial fraud, we are seeing real-world attacks that impact the reliability of critical infrastructure and national security.”
Source: Forbes, December 2012: Tom Cross, Five Key Computer Network Challenges for 2013

As we enter 2013, security experts say that the top threats are posed by organized crime, hacktivists, nation-states and insiders.
Source: Bankinfosecurity.com, January 2013

“Defense Secretary Leon Panetta recently outlined new warfare terrain: The Internet. Cyber security concerns do not simply include hackers and criminals. Panetta said the greater danger is a cyber attack carried out by nation states or extremist groups that could be as destructive as the terrorist attack on Sept. 11, 2001 and ‘virtually paralyze the nation’.”
Source: Inquisitor.com, December 2012
Slide 6. What is the current landscape (cont.)?
According to a report from the US Department of Homeland Security's (DHS's) Cyber Emergency Response Team for Industrial Control Systems (ICS-CERT), cyberattacks on systems at organizations that are part of the US energy infrastructure are on the rise. In the 12 months ending in September 2012, nearly 200 cyber incidents were reported to ICS-CERT. More than 40 percent of those incidents were directed at energy sector companies.
Source: SANS Institute, January 2013

The US Office of the Comptroller of the Currency (OCC) has issued an alert about the recent wave of distributed denial-of-service (DDoS) attacks against financial institutions.
Source: SANS News, December 2012

Nearly 12 million people are affected by identity fraud each year.
Source: http://gpluspro.hubpages.com/hub/Identity-Theft-Statistics-2012

CERT reports that malicious insiders within the financial industry typically get away with their fraud for nearly 32 months before being detected.
Source: Forbes.com – Cybersecurity Threats of 2013

DHS reports that “The majority of corporate security breaches occur when hackers exploit employees through social engineering and scams”.
Source: DHS.gov – Defending against cybercriminals
Slide 7. Recent (2012) security breaches
From openspace.com and networkworld.com:
• Over six million passwords were stolen in a hack of the professional networking site linkedin.com. Earlier today, it was reported that a user in a Russian forum uploaded 6,458,020 hashed LinkedIn passwords.
• Ars Technica reported that a list of about 1.5 million passwords appeared to include users of dating website eHarmony.
• U.K.-based security researchers have found a backdoor that was “deliberately” inserted into an American military chip to help attackers gain unauthorized access and reprogram its memory, according to a draft research paper. Production of the chip had been outsourced to the Chinese.
• At least 228,000 Social Security numbers were exposed in a March 30 breach involving a Medicaid server at the Utah Department of Health.
• A 31-year-old Russian national living in New York, Petr Murmylyuk, was charged with hacking into accounts at Fidelity, Scottrade, E*Trade and Schwab in a complex scheme that involved making unauthorized trades that profited the gang he recruited to open bank accounts to receive the illegal proceeds. The brokerage firms said they lost $1 million because of Murmylyuk's fraud.
From Gizmodo.com:
• Hacker leaks 300,000 Verizon customer records and claims to have millions more.
Slide 8. Worst breaches in recent history (Source: csoonline.com)
• 2008: 134 million credit cards exposed at Heartland.
• 2006: 94 million credit cards exposed at TJX.
• 2011: Names and e-mails of millions of customers at Epsilon were exposed.
• 2011: Possibly 40 million employee records stolen at RSA Security.
• 2010: Stuxnet attack on the Iran nuclear power program.
• 2006: An unencrypted national database at the Department of Veterans Affairs with names, Social Security numbers, dates of births, and some disability ratings for 26.5 million veterans, active-duty military personnel and spouses was stolen.
• 2011: 77 million PlayStation Network accounts hacked; Sony is said to have lost millions while the site was down for a month.
• 2011: The personal information of 35 million South Koreans was exposed after hackers breached the security of a popular software provider, ESTsoft.
Slide 9. Stakeholder view
Cybersecurity is a key area of concern for Boards, Audit Committees, and Governance Committees:
• Cybersecurity is in Deloitte’s top 10 issues for Audit Committees: “Cybersecurity risks and incidents have risen to the top of audit committee agendas…” Source: Deloitte Audit Committee Brief, Top Issues for Audit Committees for 2013.
• IIA’s Tone at the Top, a publication for Directors, lists emerging technologies as a top 8 risk for organizations in 2013, with cybersecurity specifically mentioned. Source: IIA Tone at the Top, Issue 59
• Publications aimed at Directors include Director’s Role in Cybersecurity Oversight, Mark Camillo; and Information Security Oversight: A 2007 Survey Report.
And it is getting the attention of the SEC:
• SEC requires disclosure of cyber-security risks and incidents: “Registrants should address cyber-security risks and cyber incidents in their …(MD&A), Risk Factors, Description of Business, Legal Proceedings and Financial Statement Disclosures.” Source: Deloitte Audit Committee Brief, Top Issues for Audit Committees for 2013.
Slide 10. Are organizations/individuals doing enough to protect themselves?
A recent survey by the National Cyber Security Alliance and Symantec found that 77% of small and medium-size businesses believe they’re safe from hackers, viruses and malware. And 83% of SMBs take no formal measures against cyberthreats — even though almost half of all attacks are aimed at SMBs.
Source: Forbes, December 2012: Tom Devany, Five Ways Small Businesses Can Protect Against Computer Crime

The two most common computer passwords today are “password” and “123456”.
Source: Splashdata.com

15% of Americans have never checked their social networking privacy and security account settings.
Source: http://www.internetsafety101.org/Socialnetworkingstats.htm
Slide 11. What is the role of Internal Audit?
The Standards for the Professional Practice of Internal Auditing require the internal audit activity to (see Addendum A):
• Assess information technology governance
• Evaluate the risk management processes and contribute to their improvement
• Evaluate risk exposures related to the organization’s information systems
• Evaluate the potential for fraud and how fraud risk is managed
• Assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement
• Maintain sufficient knowledge of key IT risks and controls
Other guidance, strongly recommended by the IIA (see Addendum B):
• Evaluate key risk management processes, facilitate identification and evaluation of key risks, coach management in responding to key risks (The Role of Internal Audit in ERM)
• Assess the organization’s information reliability and integrity practices (PA 2130.A1-1)
• Assess the adequacy of management’s identification of risks related to its privacy objectives and the adequacy of the controls (PA 2130.A1-1)
• Benchmark information security governance against independent standards (GTAG 15)
• Evaluate fraud risks and related controls and help management establish fraud prevention measures (GTAG 13)
• Assess the effectiveness of preventive, detective, and mitigation measures against cyber threats and attacks (GTAG 6)
Slide 12. What is the role of Internal Audit? Said simply:
• Identify and assess key cyber security risks
• Develop an appropriate audit plan
• Understand and assess key cyber-security controls, tools and processes
• Evaluate the risk of fraud and how fraud risks are managed
• Promote continuous improvement
• Evaluate key risk management processes, facilitate identification and evaluation of key risks
• Assess the effectiveness of preventive, detective, and mitigation measures against cyber threats and attacks
• Help develop and maintain the ERM framework
• Support management in identifying and responding to key risks
• Ensure that you have the expertise, or co-source, to do the above
Slide 13. Boise Inc. Internal Audit approach
General
• Maintain strong IT audit staffing and co-source where we don’t have the skills in-house
• Collaborate with IT & Legal to improve computer policies, and information security and awareness
• Participate in project teams to improve controls and processes
• Monitor the cyber security landscape
• Maintain a quarterly information security monitoring process
• Assist management with risk assessment
• Perform digital forensic investigations of suspected WF&A
• Use COBIT as a framework for IT reviews
Review key compliance areas
• Personal sensitive information
• HIPAA privacy and security provisions
• Payment card industry (PCI) compliance
• SOX compliance (controls over network security, database security, other key IT areas)
Slide 14. Boise Inc. Internal Audit approach (cont.)
Review cyber security processes and controls
• Virtual server environment (co-source & internal audit)
• Web application development (co-source & internal audit)
• Boise IT strategy including information security (co-source)
• Security penetration tests (co-source)
• Cybersecurity of mill process control networks (team with internal audit, IT, engineering, consultants)
• Wireless network controls
• Application development, particularly with major systems development
• File transfer protocol
• Access management and security including Active Directory
Slide 15. Leveraging Digital Forensic Skills
• Forensic skills set
  - A broad range of technical, investigative, procedural, and legal skills: disk geometry, file system anatomy, reverse engineering, evidence integrity, COC (chain of custody) and criminal profiling
  - The ability to function in a complex, dynamic environment: computer technology as well as legal and regulatory environments are constantly changing
  - The ability to objectively testify in a court of law: reproduce the incident, interpret results, be prepared for cross-examination
Slide 16. Leveraging Digital Forensic Techniques
• Incident response
  - NIST has a great “Guide to Integrating Forensic Techniques into Incident Response”
• Malware analysis
  - A forensic image is a great sandbox for malware analysis
• Cyber security risk assessments
  - Forensic tools are passive, non-intrusive and, for the most part, transparent to the end user
• Litigation support
  - Preservation of ESI, complex keyword crafting/searching, & FRCP
• IT governance & compliance
  - PCI, HIPAA, antitrust compliance, sensitive and proprietary data & testing controls
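Slides 15 and 16 name evidence integrity, chain of custody (COC) and preservation of ESI as forensic skills without showing what they look like in practice. The following is an added example, not the presenters' or Boise Inc.'s tooling: it hashes an acquired image at seizure time, appends a custody entry on every handoff (handler, action, UTC timestamp, hash observed), and re-verifies the image against the acquisition hash before it is used. The evidence id, handler names and the sample image bytes are constructed placeholders; the demo runs on a temporary file and also shows that a single changed byte is detected.

```python
"""Evidence-integrity and chain-of-custody helper (added example, not the
presenters' tooling). An acquisition hash is recorded when the image is taken
and re-verified before every later use, so any alteration is detected."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read images in 1 MiB chunks; real images are large


def hash_file(path: str, algorithm: str = "sha256") -> str:
    """Stream the file through the chosen hash; returns a lowercase hex digest."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


class CustodyLog:
    """Append-only chain-of-custody record. Each entry carries the handler,
    the action, a UTC timestamp and the hash observed at that moment, so the
    log itself documents whether the hash stayed stable across handoffs."""

    def __init__(self, evidence_id: str, path: str):
        self.evidence_id = evidence_id
        self.path = path
        self.entries: list[dict] = []

    def record(self, handler: str, action: str) -> dict:
        entry = {
            "evidence_id": self.evidence_id,
            "handler": handler,
            "action": action,
            "utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "sha256": hash_file(self.path),
        }
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """True iff the current hash equals the acquisition (first) hash."""
        if not self.entries:
            raise ValueError("no acquisition entry recorded")
        return hash_file(self.path) == self.entries[0]["sha256"]

    def to_json(self) -> str:
        """Serialised log suitable for attaching to the case file."""
        return json.dumps(self.entries, indent=2)


def demo(tamper: bool = False) -> tuple[bool, int]:
    """Acquire a constructed 'image', log two handoffs, optionally alter one
    byte, then verify. Returns (integrity_ok, number_of_log_entries)."""
    fd, path = tempfile.mkstemp(suffix=".dd")
    try:
        with os.fdopen(fd, "wb") as f:
            # constructed sample image content; not real disk data
            f.write(b"\x00" * 4096 + b"sample sector bytes (constructed)")
        log = CustodyLog("EV-0001 (placeholder id)", path)
        log.record("examiner A (placeholder)", "acquired image from drive")
        log.record("examiner B (placeholder)", "received image for analysis")
        if tamper:
            # simulate an undocumented modification of the evidence file
            with open(path, "r+b") as f:
                f.seek(0)
                f.write(b"\x01")
        return log.verify(), len(log.entries)
    finally:
        os.remove(path)


if __name__ == "__main__":
    print("untampered image verifies:", demo())
    print("altered image verifies:   ", demo(tamper=True))
```

In a real case the hash would additionally be recorded on the acquisition form and re-computed with an independent tool, and the analysis would be done on a working copy so the original image never needs to be opened for writing.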
Slide 17. Questions??
Slide 18. Addendums and Resources
Slide 19. Addendum A: Applicable IIA Standards (the Standards are mandatory guidance)
Excerpts from The Standards for the Professional Practice of Internal Auditing:
• Internal auditors must have sufficient knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work. (Standard 1210.A3)
• The internal audit activity must assess whether the information technology governance of the organization supports the organization’s strategies and objectives. (Standard 2110.A2)
• The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes. (Standard 2120)
• The internal audit activity must evaluate risk exposures relating to the organization’s governance, operations, and information systems. (Standard 2120.A1)
• The internal audit activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk. (Standard 2120.A2)
• The internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement. (Standard 2130)
Slide 20. Addendum B: Other IIA Guidance (strongly recommended by the IIA)
Excerpts from The Role of Internal Audit in ERM (IIA position paper):
• Evaluate and provide assurance on key risk management processes
• Evaluate the reporting management of key risks
• Facilitate and coordinate identification and evaluation of key risks
• Coach management in responding to key risks
• Developing and maintaining the ERM framework
Excerpts from IIA Practice Advisories:
• Internal auditors periodically assess the organization’s information reliability and integrity practices… (PA 2130.A1-1)
• Assess the adequacy of management’s identification of risks related to its privacy objectives and the adequacy of the related controls. (PA 2130.A1-2)
IIA Practice Guides:
• Auditing Privacy Risks, 2nd Edition
• GTAG 2: Change and Patch Management Controls, 2nd Edition
• GTAG 6: Managing and Auditing IT Vulnerabilities
• GTAG 9: Identity and Access Management
• GTAG 11: Developing the IT Audit Plan
• GTAG 13: Fraud Detection and Prevention in the Automated World
• GTAG 15: Information Security Governance
• GTAG 17: Auditing IT Governance
Slide 21. Resources
• StaySafeOnline.Org: http://www.staysafeonline.org/business-safe-online/assess-your-risk
• FBI Cyber Crime: http://www.fbi.gov/about-us/investigate/cyber/cyber
• US-CERT CSET: http://www.us-cert.gov/control_systems/satool.html
• INL Control System Security Program: http://www.inl.gov/research/control-systems-security-program/
• NIST, Guide to Integrating Forensic Techniques into Incident Response: http://csrc.nist.gov/publications/nistpubs/800-86/SP800-86.pdf
• Fighting to Close the Gap, E&Y 15th annual Global Information Security Survey: http://www.ey.com/Publication/vwLUAssets/Fighting_to_close_the_gap:_2012_Global_Information_Security_Survey/$FILE/2012_Global_Information_Security_Survey___Fighting_to_close_the_gap.pdf
• KPMG Institute: http://www.kpmginstitutes.com/government-institute/insights/2011/ppa-cybersecurity-and-data-driven-issues.aspx
• Local professional organizations: IIA, ISACA, ISSA, HTCIA, ACFE