Cyber Security Threats: Are You at Risk?
Boise Chapter, Institute of Internal Auditors
January 2012
Patricia Watson
Digital Forensics Program Manager
Boise Inc.
Mark Pearson
Director, Internal Audit Services
Boise Inc.
Outline
• What is the current cyber security landscape?
• What is the role of internal audit?
• Boise Inc. internal audit approach
• Leveraging digital forensic skills
• Resources
• Questions/discussion
Internal Audit Services| Page 2
Awareness is key…
• Video: Amazing mind reader reveals his “gift”
http://www.youtube.com/watch?v=LABVsSC0H4g
President Obama has declared that the “cyber threat
is one of the most serious economic and national
security challenges we face as a nation” and that
“America's economic prosperity in the 21st century
will depend on cybersecurity.”
Source: http://www.whitehouse.gov/administration/eop/nsc/cybersecurity
What is the current landscape?
“…With each passing year, the security threats facing computer networks have
become more technically sophisticated, better organized and harder to detect. At
the same time, the consequences of failing to block these attacks have
increased. In addition to the economic consequences of financial fraud, we are
seeing real-world attacks that impact the reliability of critical infrastructure and
national security.”
Source: Forbes, December 2012: Tom Cross, Five Key Computer Network Challenges for 2013
As we enter 2013, security experts say that the top threats are posed by
organized crime, hacktivists, nation-states and insiders.
Source: Bankinfosecurity.com, January 2013
“Defense Secretary Leon Panetta recently outlined new warfare terrain: The
Internet. Cyber security concerns do not simply include hackers and criminals.
Panetta said the greater danger is a cyber attack carried out by nation states or
extremist groups that could be as destructive as the terrorist attack on Sept. 11,
2001 and ‘virtually paralyze the nation’.”
Source: Inquisitor.com, December 2012
What is the current landscape (cont.)?
According to a report from the US Department of Homeland Security's (DHS's)
Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), cyber
attacks on systems at organizations that are part of the US energy
infrastructure are on the rise. In the 12 months ending in September 2012,
nearly 200 cyber incidents were reported to ICS-CERT. More than 40 percent of
those incidents were directed at energy sector companies.
Source: SANS Institute, January 2013
The US Office of the Comptroller of the Currency (OCC) has issued an alert
about the recent wave of distributed denial-of-service (DDoS) attacks against
financial institutions.
Source: SANS News, December 2012
Nearly 12 million people are affected by identity fraud each year.
Source: http://gpluspro.hubpages.com/hub/Identity-Theft-Statistics-2012
CERT reports that malicious insiders within the financial industry typically get
away with their fraud for nearly 32 months before being detected.
Source: Forbes.Com – Cybersecurity Threats of 2013
DHS reports that “The majority of corporate security breaches occur when
hackers exploit employees through social engineering and scams”.
Source: DHS.gov – Defending against cybercriminals
Recent (2012) security breaches
From openspace.com and networkworld.com:
• Over six million passwords were stolen in a hack of the professional
networking site linkedin.com: a user in a Russian forum uploaded 6,458,020
hashed LinkedIn passwords.
• Ars Technica reported that a list of about 1.5 million passwords appeared to
include users of dating website eHarmony.
• U.K.-based security researchers have found a backdoor that was “deliberately”
inserted into an American military chip to help attackers gain unauthorized
access and reprogram its memory, according to a draft research paper.
Production of the chip had been outsourced to China.
• At least 228,000 Social Security numbers were exposed in a March 30 breach
involving a Medicaid server at the Utah Department of Health.
• A 31-year-old Russian national living in New York, Petr Murmylyuk, was
charged with hacking into accounts at Fidelity, Scottrade, E*Trade and Schwab
in a complex scheme that involved making unauthorized trades that profited
the gang he recruited to open bank accounts to receive the illegal proceeds.
The brokerage firms said they lost $1 million because of Murmylyuk's fraud.
From Gizmodo.com:
• Hacker leaks 300,000 Verizon customer records and claims to have
millions more.
 2008: 134 million credit cards exposed at Heartland.
 2006: 94 million credit cards exposed at TJX.
 2011: Names and e-mails of millions of customers at Epsilon were
exposed.
 2011: Possibly 40 million employee records stolen at RSA Security.
 2010: Stuxnet attack on the Iran nuclear power program.
 2006: An unencrypted national database at the Department of
Veterans Affairs with names, Social Security numbers, dates of births,
and some disability ratings for 26.5 million veterans, active-duty
military personnel and spouses was stolen.
 2011: 77 million PlayStation Network accounts hacked; Sony is said to
have lost millions while the site was down for a month.
 2011: The personal information of 35 million South Koreans was
exposed after hackers breached the security of a popular software
provider, ESTsoft.
Worst breaches recent history
Source: csoonline.com
Stakeholder view
Cybersecurity is a key area of concern for Boards, Audit Committees, and
Governance Committees:
• Cybersecurity is in Deloitte’s top 10 issues for Audit Committees:
“Cybersecurity risks and incidents have risen to the top of audit committee
agendas…”
Source: Deloitte Audit Committee Brief, Top Issues for Audit Committees for 2013.
• IIA’s Tone at the Top, a publication for Directors, lists emerging technologies
among its top eight risks for organizations in 2013, with cybersecurity
specifically mentioned.
Source: IIA Tone at the Top, Issue 59
• Publications aimed at Directors include Director’s Role in Cybersecurity
Oversight, Mark Camillo; and Information Security Oversight: A 2007 Survey
Report.
It is also getting the attention of the SEC:
• The SEC requires disclosure of cybersecurity risks and incidents: “Registrants
should address cyber-security risks and cyber incidents in their …(MD&A),
Risk Factors, Description of Business, Legal Proceedings and Financial
Statement Disclosures.”
Source: Deloitte Audit Committee Brief, Top Issues for Audit Committees for 2013.
Are organizations/individuals doing enough to protect themselves?
A recent survey by the National Cyber Security Alliance and Symantec
found that 77% of small and medium-size businesses believe they’re
safe from hackers, viruses and malware. And 83% of SMBs take no
formal measures against cyberthreats — even though almost half of all
attacks are aimed at SMBs.
Source: Forbes, December 2012: Tom Devany, Five Ways Small Businesses Can Protect Against Computer Crime
The two most common computer passwords today are “password” and “123456”.
Source: SplashData.com
15% of Americans have never checked their social networking privacy and
security account settings.
Source: http://www.internetsafety101.org/Socialnetworkingstats.htm
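The two facts on this slide and on the breaches slide go together: a dump of "hashed" passwords is not much of a barrier when the site stored unsalted, fast hashes (the 2012 LinkedIn dump was unsalted SHA-1) and most users picked one of a few thousand common passwords. The script below is an added illustration, not material from the presentation or from Boise Inc.; the usernames, the "leaked" hashes and the wordlist are all constructed for the example. It cracks the unsalted dump with one lookup table, then shows that per-user salts plus a slow key-derivation function (PBKDF2, used here with a deliberately low iteration count so the demo runs quickly) force the attacker to pay the full cost for every user and every guess.

```python
"""Why a dump of *unsalted*, fast-hashed passwords is nearly a dump of
plaintext passwords, and how per-user salts plus a slow KDF change the
attacker's cost.  All data below is constructed for the example."""
import hashlib
import hmac
import os

# Constructed wordlist: the kind of "most common passwords" list an attacker
# tries first (the first two entries are the ones the slide cites).
COMMON_PASSWORDS = ["password", "123456", "12345678", "qwerty", "abc123", "letmein"]

# Low iteration count so the demo runs in about a second; production code
# should use a much larger count (or bcrypt/scrypt/Argon2).
DEMO_ITERATIONS = 50_000


def sha1_hex(password: str) -> str:
    """The weak scheme: one unsalted SHA-1 per password, identical for every user."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed "leaked dump" of username -> unsalted SHA-1 (not real breach data).
LEAKED_UNSALTED = {
    "alice": sha1_hex("password"),
    "bob": sha1_hex("123456"),
    "carol": sha1_hex("letmein"),
    "dave": sha1_hex("7Tq!v9#zRw"),  # not in the wordlist, stays uncracked
}


def crack_unsalted(dump: dict, wordlist: list) -> tuple:
    """Hash each candidate once, then look up every user's hash in that table.
    Total work is len(wordlist) hashes no matter how many users leaked."""
    table = {sha1_hex(w): w for w in wordlist}
    found = {user: table[h] for user, h in dump.items() if h in table}
    return found, len(wordlist)


def store_salted(password: str, iterations: int = DEMO_ITERATIONS) -> tuple:
    """The stronger scheme: random 16-byte salt per user and PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, dk


def verify_salted(password: str, record: tuple) -> bool:
    salt, iterations, dk = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, dk)  # constant-time comparison


def crack_salted(records: dict, wordlist: list) -> tuple:
    """With per-user salts the shared lookup table is useless: every
    (user, candidate) pair costs a full PBKDF2 run. Returns what was found
    and how many slow KDF runs it took."""
    found, work = {}, 0
    for user, record in records.items():
        for candidate in wordlist:
            work += 1
            if verify_salted(candidate, record):
                found[user] = candidate
                break
    return found, work


if __name__ == "__main__":
    found, work = crack_unsalted(LEAKED_UNSALTED, COMMON_PASSWORDS)
    print(f"unsalted SHA-1: cracked {found} with {work} hash operations")
    salted = {u: store_salted(p) for u, p in [("bob", "123456"), ("dave", "7Tq!v9#zRw")]}
    found, work = crack_salted(salted, COMMON_PASSWORDS)
    print(f"salted PBKDF2: cracked {found} after {work} slow KDF runs; "
          "a weak password is still weak, but each guess now costs real time")
```

The audit question this supports is not "are passwords hashed?" but "how are they hashed?": unsalted MD5/SHA-1 offers little more protection than plaintext once the table leaks, and a user who chose "123456" is exposed under either scheme, which is why the password policy and the storage scheme have to be reviewed together.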
What is the role of Internal Audit?
The Standards for the Professional Practice of Internal Auditing require the
internal audit activity to (see Addendum A):
• Assess information technology governance
• Evaluate the risk management processes and contribute to their improvement
• Evaluate risk exposures related to the organization's information systems
• Evaluate the potential for fraud and how fraud risk is managed
• Assist the organization in maintaining effective controls by evaluating their
effectiveness and efficiency and by promoting continuous improvement
• Maintain sufficient knowledge of key IT risks and controls
Other guidance, strongly recommended by the IIA (see Addendum B):
• Evaluate key risk management processes, facilitate identification and
evaluation of key risks, coach management in responding to key risks. The Role
of Internal Audit in ERM
• Assess the organization’s information reliability and integrity practices.
PA 2130.A1-1
• Assess the adequacy of management’s identification of risks related to its
privacy objectives and the adequacy of the related controls. PA 2130.A1-2
• Benchmark information security governance against independent standards.
GTAG 15
• Evaluate fraud risks and related controls and help management establish fraud
prevention measures. GTAG 13
• Assess the effectiveness of preventive, detective, and mitigation measures
against cyber threats and attacks. GTAG 6
What is the role of Internal Audit?
Said simply:
• Identify and assess key cyber security risks
• Develop an appropriate audit plan
• Understand and assess key cyber security controls, tools and processes
• Evaluate the risk of fraud and how fraud risks are managed
• Promote continuous improvement
• Evaluate key risk management processes, facilitate identification and
evaluation of key risks
• Assess the effectiveness of preventive, detective, and mitigation measures
against cyber threats and attacks
• Help develop and maintain the ERM framework
• Support management in identifying and responding to key risks
• Ensure that you have the expertise, or co-source, to do the above
Boise Inc. Internal Audit approach
General
• Maintain strong IT audit staffing and co-source where we don’t have the
skills in-house
• Collaborate with IT & Legal to improve computer policies, and
information security and awareness
• Participate in project teams to improve controls and processes
• Monitor the cyber security landscape
• Maintain a quarterly information security monitoring process
• Assist management with risk assessment
• Perform digital forensic investigations of suspected WF&A
• Use COBIT as a framework for IT reviews
Review key compliance areas
• Personal sensitive information
• HIPAA privacy and security provisions
• Payment card industry (PCI) compliance
• SOX compliance (controls over network security, database security, and
other key IT areas)
Boise Inc. Internal Audit approach (cont.)
Review cyber security processes and controls
• Virtual server environment (co-source & internal audit)
• Web application development (co-source & internal audit)
• Boise IT strategy including information security (co-source)
• Security penetration tests (co-source)
• Cybersecurity of mill process control networks (team with internal
audit, IT, engineering, consultants)
• Wireless network controls
• Application development, particularly with major systems
development
• File transfer protocol
• Access management and security including Active Directory
Leveraging Digital Forensic Skills
• Forensic skill set
  - A broad range of technical, investigative, procedural, and legal skills
    - Disk geometry, file system anatomy, reverse engineering, evidence
      integrity, chain of custody (COC) and criminal profiling
  - The ability to function in a complex, dynamic environment
    - Computer technology as well as legal and regulatory environments are
      constantly changing
  - The ability to objectively testify in a court of law
    - Reproduce the incident, interpret results, be prepared for
      cross-examination
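"Evidence integrity" and "chain of custody" on this slide are, in practice, a hash taken at acquisition, a log of who handled the item and when, and a re-hash before every use. The script below is an added example of that routine, not a tool from the presentation or from Boise Inc.; the image is a few kilobytes of constructed bytes standing in for a disk image, and the examiner names and item ID are made up. It hashes the image in chunks (so a real multi-gigabyte image never has to fit in memory), records the acquisition hash, then verifies an untouched copy and a copy with one flipped bit, logging the outcome of each check.

```python
"""Evidence integrity for a forensic image: hash at acquisition, record the
hash in a chain-of-custody log, and re-verify before every use so any
alteration of the image (accidental or not) is detected and logged.
Sample data is constructed for the example."""
import hashlib
import io
from datetime import datetime, timezone

CHUNK_SIZE = 1 << 20  # 1 MiB reads, so a multi-GB image never has to fit in memory


def hash_stream(stream) -> str:
    """SHA-256 of a file-like object, read in chunks."""
    digest = hashlib.sha256()
    for block in iter(lambda: stream.read(CHUNK_SIZE), b""):
        digest.update(block)
    return digest.hexdigest()


def as_stream(data: bytes):
    """Wrap in-memory bytes as a file-like object (a real image would be an open file)."""
    return io.BytesIO(data)


def custody_entry(image_id: str, examiner: str, action: str, sha256: str) -> dict:
    """One chain-of-custody record: who did what to which item, when, and the hash seen."""
    return {
        "image": image_id,
        "examiner": examiner,
        "action": action,
        "sha256": sha256,
        "utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }


def acquire(image_id: str, stream, examiner: str, log: list) -> str:
    """Hash the freshly acquired image and open its custody log with that hash."""
    sha256 = hash_stream(stream)
    log.append(custody_entry(image_id, examiner, "acquired", sha256))
    return sha256


def verify(image_id: str, stream, examiner: str, log: list) -> bool:
    """Re-hash the image and compare with the acquisition hash. The check itself
    is logged either way, so the log shows every handoff and its outcome."""
    baseline = next(e["sha256"] for e in log
                    if e["image"] == image_id and e["action"] == "acquired")
    current = hash_stream(stream)
    ok = current == baseline
    log.append(custody_entry(image_id, examiner, "verified" if ok else "MISMATCH", current))
    return ok


# Constructed stand-in for a disk image file (4 KiB of bytes); made-up item ID and examiners.
SAMPLE_IMAGE = bytes(range(256)) * 16


def demo() -> tuple:
    """Acquire, verify an untouched copy, then verify a copy with one flipped bit."""
    log = []
    acquire("IMG-001", as_stream(SAMPLE_IMAGE), "examiner-1", log)
    clean_ok = verify("IMG-001", as_stream(SAMPLE_IMAGE), "examiner-2", log)
    tampered = bytearray(SAMPLE_IMAGE)
    tampered[100] ^= 0x01  # a single flipped bit anywhere is enough to fail
    tampered_ok = verify("IMG-001", as_stream(bytes(tampered)), "examiner-2", log)
    return clean_ok, tampered_ok, log


if __name__ == "__main__":
    clean_ok, tampered_ok, log = demo()
    print("untouched image verifies:", clean_ok)
    print("one flipped bit verifies:", tampered_ok)
    for entry in log:
        print(entry)
```

Two habits this encodes: the hash is taken before anything else touches the image (ideally while it is still on a write blocker), and failed checks are written to the same log as successes, because a gap in the record is as damaging on cross-examination as a mismatch.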
Leveraging Digital Forensic Techniques
• Incident response
  - NIST has a great “Guide to Integrating Forensic Techniques into Incident
    Response” (SP 800-86)
• Malware analysis
  - A forensic image is a great sandbox for malware analysis
• Cyber security risk assessments
  - Forensic tools are passive, non-intrusive and, for the most part,
    transparent to the end user
• Litigation support
  - Preservation of electronically stored information (ESI), complex keyword
    crafting/searching, and the Federal Rules of Civil Procedure (FRCP)
• IT governance & compliance
  - PCI, HIPAA, antitrust compliance, sensitive and proprietary data, and
    testing controls
Questions?
Addendums and Resources
Addendum A: Applicable IIA Standards
(The Standards are mandatory guidance)
Excerpts from The Standards for the Professional Practice of Internal Auditing:
• Internal auditors must have sufficient knowledge of key information technology risks
and controls and available technology-based audit techniques to perform their
assigned work. Standard 1210.A3
• The internal audit activity must assess whether the information technology
governance of the organization supports the organization’s strategies and objectives.
Standard 2110.A2
• The internal audit activity must evaluate the effectiveness and contribute to the
improvement of risk management processes. Standard 2120
• The internal audit activity must evaluate risk exposures relating to the organization’s
governance, operations, and information systems. Standard 2120.A1
• The internal audit activity must evaluate the potential for the occurrence of fraud and
how the organization manages fraud risk. Standard 2120.A2
• The internal audit activity must assist the organization in maintaining effective
controls by evaluating their effectiveness and efficiency and by promoting continuous
improvement. Standard 2130
Addendum B: Other IIA Guidance
(strongly recommended by the IIA)
Excerpts from The Role of Internal Audit in ERM (IIA position paper):
• Evaluate and provide assurance on key risk management processes
• Evaluate the reporting of key risks
• Facilitate and coordinate identification and evaluation of key risks
• Coach management in responding to key risks
• Develop and maintain the ERM framework
Excerpts from IIA Practice Advisories:
• Internal auditors periodically assess the organization’s information reliability and
integrity practices… PA 2130.A1-1
• Assess the adequacy of management’s identification of risks related to its privacy
objectives and the adequacy of the related controls. PA 2130.A1-2
IIA Practice Guides:
• Auditing Privacy Risks, 2nd Edition
• GTAG 2: Change and Patch Management Controls, 2nd Edition
• GTAG 6: Managing and Auditing IT Vulnerabilities
• GTAG 9: Identity and Access Management
• GTAG 11: Developing the IT Audit Plan
• GTAG 13: Fraud Detection and Prevention in the Automated World
• GTAG 15: Information Security Governance
• GTAG 17: Auditing IT Governance
Resources
• StaySafeOnline.org: http://www.staysafeonline.org/business-safe-online/assess-your-risk
• FBI Cyber Crime: http://www.fbi.gov/about-us/investigate/cyber/cyber
• US-CERT CSET: http://www.us-cert.gov/control_systems/satool.html
• INL Control System Security Program: http://www.inl.gov/research/control-systems-security-program/
• NIST - Guide to Integrating Forensic Techniques into Incident Response (SP 800-86):
http://csrc.nist.gov/publications/nistpubs/800-86/SP800-86.pdf
• Fighting to Close the Gap, E&Y 15th annual Global Information Security Survey:
http://www.ey.com/Publication/vwLUAssets/Fighting_to_close_the_gap:_2012_Global_Information_Security_Survey/$FILE/2012_Global_Information_Security_Survey___Fighting_to_close_the_gap.pdf
• KPMG Institute: http://www.kpmginstitutes.com/government-institute/insights/2011/ppa-cybersecurity-and-data-driven-issues.aspx
• Local professional organizations: IIA, ISACA, ISSA, HTCIA, ACFE
