The document outlines a webinar hosted by AuditNet® featuring experts Richard Cascarino and Jim Kaplan discussing cybersecurity threats and preventive measures. Key topics include the current landscape of cyber threats, essential frameworks for cybersecurity, and critical vulnerabilities to web applications. The material emphasizes the importance of security awareness and the implementation of best practices to combat increasing cybercrime risks.

1. 2/7/2018
1
Richard Cascarino CISM,
CIA, ACFE, CRMA
Cybersecurity Series
Cyber Defense
ABOUT RICHARD CASCARINO,
MBA, CIA, CISM, CFE, CRMA
• Principal of Richard Cascarino &
Associates based in Colorado USA
• Over 28 years experience in IT audit
training and consultancy
• Past President of the Institute of
Internal Auditors in South Africa
• Member of ISACA
• Member of Association of Certified
Fraud Examiners
• Author of Data Analytics for Internal
Auditors
2

2. 2/7/2018
2
About Jim Kaplan, CIA, CFE
 President and Founder of AuditNet®,
the global resource for auditors
(available on iOS, Android and
Windows devices)
 Auditor, Web Site Guru,
 Internet for Auditors Pioneer
 IIA Bradford Cadmus Memorial Award
Recipient
 Local Government Auditor’s Lifetime
Award
 Author of “The Auditor’s Guide to
Internet Resources” 2nd Edition
Page 3
ABOUT AUDITNET® LLC
• AuditNet®, the global resource for auditors, serves the global audit
community as the primary resource for Web-based auditing content. As the first online
audit portal, AuditNet® has been at the forefront of websites dedicated to promoting the
use of audit technology.
• Available on the Web, iPad, iPhone, Windows and Android devices and
features:
• Over 2,800 Reusable Templates, Audit Programs, Questionnaires, and
Control Matrices
• Webinars focusing on fraud, data analytics, IT audit, and internal audit
with free CPE for subscribers and site license users.
• Audit guides, manuals, and books on audit basics and using audit
technology
• LinkedIn Networking Groups
• Monthly Newsletters with Expert Guest Columnists
• Surveys on timely topics for internal auditors
Introductions
Page 4

3. 2/7/2018
3
HOUSEKEEPING
This webinar and its material are the property of AuditNet® and its Webinar partners. Unauthorized
usage or recording of this webinar or any of its material is strictly forbidden.
• If you logged in with another individual’s confirmation email you will not receive CPE as the
confirmation login is linked to a specific individual
• This Webinar is not eligible for viewing in a group setting. You must be logged in with your unique join
link.
• We are recording the webinar and you will be provided access to that recording after the webinar.
Downloading or otherwise duplicating the webinar recording is expressly prohibited.
• If you have indicated you would like CPE you must attend the entire Webinar to receive CPE (no
partial CPE will be awarded).
• If you meet the criteria for earning CPE you will receive a link via email to download your certificate.
The official email for CPE will be issued via NoReply@gensend.io and it is important to white list this
address. It is from this email that your CPE credit will be sent. There is a processing fee to have your
CPE credit regenerated post event.
• Submit questions via the chat box on your screen and we will answer them either during or at the
conclusion.
• You must answer the survey questions after the Webinar or before downloading your certificate.
IMPORTANT INFORMATION
REGARDING CPE!
• SUBSCRIBERS/SITE LICENSE USERS - If you attend the entire Webinar you will receive an
email with the link to download your CPE certificate. The official email for CPE will be issued
via NoReply@gensend.io and it is important to white list this address. It is from this email that
your CPE credit will be sent. There is a processing fee to have your CPE credit regenerated
post event.
• NON-SUBSCRIBERS/NON-SITE LICENSE USERS - If you attend the entire Webinar and
requested CPE you must pay a fee to receive your CPE. No exceptions!
• We cannot manually generate a CPE certificate as these are handled by our 3rd party provider.
We highly recommend that you work with your IT department to identify and correct any email
delivery issues prior to attending the Webinar. Issues would include blocks or spam filters in
your email system or a firewall that will redirect or not allow delivery of this email from
Gensend.io
• Anyone may register, attend and view the Webinar without fees if they opted out of receiving
CPE.
• We are not responsible for any connection, audio or other computer related issues. You must
have pop-ups enabled on you computer otherwise you will not be able to answer the polling
questions which occur approximately every 20 minutes. We suggest that if you have any
pressing issues to see to that you do so immediately after a polling question.

4. 2/7/2018
4
The views expressed by the presenters do not necessarily represent the views,
positions, or opinions of AuditNet® LLC. These materials, and the oral presentation
accompanying them, are for educational purposes only and do not constitute
accounting or legal advice or create an accountant-client relationship.
While AuditNet® makes every effort to ensure information is accurate and complete,
AuditNet® makes no representations, guarantees, or warranties as to the accuracy or
completeness of the information provided via this presentation. AuditNet® specifically
disclaims all liability for any claims or damages that may result from the information
contained in this presentation, including any websites maintained by third parties and
linked to the AuditNet® website.
Any mention of commercial products is for information only; it does not imply
recommendation or endorsement by AuditNet® LLC
TODAY’S AGENDA
• Threats/Threat actors/Common Cyber Attack methods
• Attacks and vulnerabilities exposed
• Layered protection measures against Cyber threats
• Firewalls and levels of protection they provide
• Traffic profiling and monitoring for inbound and outbound
traffic
• Intrusion Detection
• Incidences of Compromises
• Penetration testing regimes and vulnerability testing
• NIST Vulnerability Checklist
• The Security Content Automation Protocol (SCAP)
Page 8

5. 2/7/2018
5
2010 E-CRIME SURVEY FROM
CERT
• Cybercrime threats increasing faster than many
organizations can combat them
• Current security models are only minimally effective
• Repeat offense on the rise
• Many Cybercrimes go unreported
• Leading prevention practices
• conducting periodic penetration tests of their systems
• implementing periodic security education and awareness
programs for their employees
• delivering regular communication about security from senior
management
CYBERSECURITY PROBLEMS
83%
of enterprises have difficulty finding
the security skills they need
2012 ESG Research
of IT professionals
have no risk strategy
2013 Global Reputational Risk & IT Study, IBM
31%
49%
of IT executives have no measure
of security effectiveness
2012 Forrester Research Study

6. 2/7/2018
6
KEY TRENDS FROM 2015
1
1
CURRENT THREATS
• Ex-insiders now outsiders with a grudge
• Social engineering
• Unauthorized access to mobile devices
• Poor destruction of confidential information
• Access to removable media
• Inadequate security event monitoring
• Poor access control
• Overpowerful users
• Inadequate authentication
• Wireless access

7. 2/7/2018
7
POLLING QUESTION
WHERE ARE WE GOING?
• Browser-based attacks and wireless networking
• Cross-site scripting (XSS) attacks
• Trump or Clinton website?
• Your bank or mine?
• Microsoft removed 300% more Trojan horse
downloader programs from Windows machines in last
6 months of 2007 – 1 in 123 inspected machines per
month
• (Malicious Software Removal Tool stats)

8. 2/7/2018
8
WHERE ELSE?
• Phishing moving from email to social networks
• Bogus security software (Win32/Winfixer etc)
• Bounceback backscatter (2 to 3% of all spam)
• Botnets creating Zombie computers
• Rootkits
• Taking control of the system without authorization
by the system's owners
WHERE ELSE?
• Mobile Agents
• Mobile code acting autonomously on behalf of a
user for continuous collecting and processing of
information
• Autonomous mobile agents produced by an
originator and may visit any number of hosts before
returning to the originator
• web applets, dynamic email etc
• Identity theft
• In all its forms

9. 2/7/2018
9
THREATS WITHIN ATTACKS
• Threats to raw data
• Threats to communications
• Access vulnerabilities
• Identity Theft
• Business continuity
• Fraud
• Lack of customer retention
• Business success
• Sexual Harassment or stalking performed using your
Computers?
OTHER THREATS
• Cybersmut
• Cyber Harassment
• Breaking and Entering
• Investment & Other Scams
• On-Line Gambling
• Theft of Trade Secrets
• Money Laundering
• Extortion

10. 2/7/2018
10
THREAT SOURCES
Source: IBM Security Services 2013 Cyber Security Intelligence Index
 Configuration
Errors
 “Weak” defaults
 Easy passwords
 “Bugs”
 Input
validation
 Installing
suspect
applications
 Clicking
malicious links
 Phishing Emails
 Watering Hole
attacks
MalwareVulnerabilities
THE 2014 U.S. STATE OF
CYBERCRIME SURVEY
The survey identified eight common deficiencies where spending and efforts lag:
1. Most organizations do not take a strategic approach to cybersecurity spending
2. Organizations do not assess security capabilities of third-party providers
3. Supply chain risks are not understood or adequately assessed
4. Security for mobile devices is inadequate and has elevated risks
5. Cyber risks are not sufficiently assessed
6. Organizations do not collaborate to share intelligence on threats and responses
7. Insider threats are not sufficiently addressed
8. Employee training and awareness is very effective at deterring and responding to
incidents, yet it is lacking at most organizations
Co-sponsored by CSO magazine, CERT Division of the Software Engineering Institute at Carnegie Mellon University, PwC,
and the US Secret Service, March-April 2014
http://www.pwc.com/us/en/increasing-it-effectiveness/publications/2014-us-state-of-cybercrime.jhtml

11. 2/7/2018
11
POLLING QUESTION
ETHERNET AND PASSWORDS
• Was never secure from
eavesdropping
• “Sniffing” tools are
common
• grab host name, user
name, and password
• check any hacker
collection
• Credit card numbers are
easy
• Over 10,000,000
captured in 2014
• It doesn’t matter how
good your password is if
it can be sniffed!
• Still in wide use - even
for root!

12. 2/7/2018
12
YOUR INFO FOR SALE
• Overall Rank Prct Price Range
• 1 Credit card information 19% $0.85–$30
• 2 Bank account credentials 19% $15–$850
• 3 Email accounts 7% $1–$20
• 4 Email addresses 7% $1.70/MB–$15/MB
• 5 Shell scripts 6% $2–$5
• 6 Full identities 5% $0.70–$20
• 7 Credit card dumps 5% $4–$150
• 8 Mailers 4% $4–$10
• 9 Cash-out services 4% $0–$600
• 10 Website administration credentials 4% $2–$30
• Goods and services advertised on underground economy servers
• Source: Symantec 2009
SOURCES
• Internal (Disaffected) Employees
• Consultants and Temporaries
• Reality Challenged
• Amateur Hackers & Crackers
• Radicals (Animal Rights, Greens, Etc.)
• Professionals: Cyber-Criminals for Hire

13. 2/7/2018
13
WHAT HAS CREATED THE
PROBLEM?
• Mainframe Maginot Line Mentality
• Rise & Proliferation of wireless networks
• Mobile technology
• Integration
• Unfamiliar Security Roles
• Limited use of Security Technology
IMPACTS
• Destruction
• Denial of service
• Disclosure of confidential information
• Damage or modification of data
• Fraud on a major scale
• Annoyance attacks

14. 2/7/2018
14
ARE THERE COMMON
CAUSES?
• User awareness
• Management conflicts between security and other
priorities
• Reactive investment
• Technology as the whole solution
POLLING QUESTION

15. 2/7/2018
15
Cyber Defense - The Intel View
Data
Aggregation
& Amount
of Valuable
Data
Number
of
Connected
People
A security program must keep pace with the evolving threat landscape.
It must become an intrinsic part of the enterprise that grows along with it.
29
A FRAMEWORK
30
• http://whatis.techtarget.com/definition/framework:
“a framework is a real or conceptual structure intended
to serve as a support or guide for the building of
something that expands the structure into something
useful.”
Example: the Zachman framework (for Enterprise
Architecture and Information Systems Architecture)
“a logical structure intended to provide a comprehensive
representation of an information technology enterprise
that is independent of the tools and methods used in any
particular IT business”

16. 2/7/2018
16
FRAMEWORKS GALORE
• ISO/IEC 27001 & 27002 (formerly ISO 17799)
• NIST SP 800-53: Security and Privacy Controls for
Federal Information Systems and Organizations
• Federal Enterprise Architecture Framework (FEAF)
• Sherwood Applied Business Security Architecture
(SABSA)
• NIST SP 800-39: Risk Management Framework
• Security in Major IT Management Frameworks
• COBIT 5
31
OVERALL
• Feb. 12, 2013: Obama administration issued an executive
order for “improving critical infrastructure cybersecurity”.
• Several mandates:
Expanding information sharing
Establishing a cybersecurity framework
…
• “The executive order calls for the NIST to establish a
baseline framework to reduce cyber-risk to critical
infrastructure.”
• Oct. 2013: first draft of the framework
• Feb. 2014: final draft (v1.0)
32

17. 2/7/2018
17
SECURITY FRAMEWORKS AND RISK-MANAGEMENT
STRATEGIES ADDRESS
Evolving
threats
Including the growing sophistication of threats, new
attack methods, and adaptations to technologies or
delivery methods
Changing
business needs
Including evolving lines of business, acquisitions,
mergers, the integration of operations, and the addition
or elimination of business functions
Volatile
economics
Including changes in business profitability, the market for
the organization’s goods or services, national and
international economic trends, or wholesale currency
changes
Increasing
regulation
Including changes and additions to regulation and
compliance requirements, locally, nationally or
internationally
Technology and
process
changes
Including adding new or removing existing technologies,
or implementing a bring-your-own-device (BYOD)
program
Geographic and
facilities
changes
Including moving to a new location or having data-center
or cloud services added from another area
POLLING QUESTION

18. 2/7/2018
18
• Framework for Improving Critical Infrastructure
Cybersecurity, version 1.0, the National Institute of
Standards and Technology (NIST), February 12, 2014.
o A response to the President’s Executive Order 13636,
“Improving Critical Infrastructure Cybersecurity” on February
12, 2013.
• Critical infrastructure: “systems and assets, whether physical
or virtual, so vital to the United States that the incapacity or
destruction of such systems and assets would have a debilitating
impact on security, national economic security, national public
health or safety, or any combination of those matters.”
• a voluntary risk-based Cybersecurity Framework
– a set of industry standards and best practices to help
organizations manage cybersecurity risks
• The Framework is technology neutral.
NIST CYBERSECURITY
FRAMEWORK
35
NIST FRAMEWORK
36

19. 2/7/2018
19
• Three parts:
o The Framework Core
o The Framework Profile
o The Framework Implementation Tiers
• Framework Core
- A set of activities, outcomes, and informative
references
- Providing the detailed guidance for developing
individual organizational Profiles
NIST CYBERSECURITY
FRAMEWORK
37
CORE STRUCTURE
38
• Functions organize basic cybersecurity activities at their highest level.
• Categories are the subdivisions of a Function into groups of
cybersecurity outcomes closely tied to programmatic needs and
particular activities.
o Example Categories: “Asset Management,” “Access Control,” “Detection
Processes.”

20. 2/7/2018
20
FRAMEWORK PROFILE
39
POLLING QUESTION

21. 2/7/2018
21
IMPLEMENTATION TIERS
• Describe the degree to which an organization’s cybersecurity risk
management practices exhibit the characteristics defined in the
Framework.
• Characterize an organization’s practices over a range
• from Partial (Tier 1) to Adaptive (Tier 4)
• Partial: risks are managed in an ad hoc manner
• Risk Informed: Risk management practices are approved by
management but may not be established as organizational-wide
policy.
• Repeatable: Risk management practices are formally approved and
expressed as policy.
• Adaptive: The organization adapts its cybersecurity practices
based on lessons learned and predictive indicators derived from
previous and current cybersecurity activities.
• Reflect a progression from informal, reactive responses to
approaches that are agile and risk-informed.
41
ALIGNMENT STRATEGY
• Infrastructure
• Align Macro-level risk management practices to CSF
• Perform initial CSF assessment against infrastructure
• Product
• Explore mapping of products and services capabilities to CSF
• Examine product assurance initiatives (SDL, etc.) through CSF
lens.
• Supply Chain/Third Party Contracting
• Examine and potentially pilot contracting updates to align to CSF
language
42

22. 2/7/2018
22
WEB VULNERABILITIES
• 1 - Cross Site Scripting (XSS) XSS flaws occur whenever an application takes user supplied data
and sends it to a web browser without first validating or encoding that content. XSS allows attackers to
execute script in the victim's browser which can hijack user sessions, deface web sites, possibly
introduce worms, etc.
• 2 - Injection Flaws Injection flaws, particularly SQL injection, are common in web applications.
Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The
attacker's hostile data tricks the interpreter into executing unintended commands or changing data.
• 3 - Malicious File Execution Code vulnerable to remote file inclusion (RFI) allows attackers to include
hostile code and data, resulting in devastating attacks, such as total server compromise. Malicious file
execution attacks affect PHP, XML and any framework which accepts filenames or files from users.
• 4 - Insecure Direct Object Reference A direct object reference occurs when a developer exposes a
reference to an internal implementation object, such as a file, directory, database record, or key, as a
URL or form parameter. Attackers can manipulate those references to access other objects without
authorization.
• 5 - Cross Site Request Forgery (CSRF) A CSRF attack forces a logged-on victim's browser to send a
pre-authenticated request to a vulnerable web application, which then forces the victim's browser to
perform a hostile action to the benefit of the attacker. CSRF can be as powerful as the web application
that it attacks.
Open Web Application Security Project (OWASP) Top 10 Security Vulnerabilities
44
WEB VULNERABILITIES
• 6 - Information Leakage and Improper Error Handling Applications can
unintentionally leak information about their configuration, internal workings, or violate
privacy through a variety of application problems. Attackers use this weakness to
steal sensitive data, or conduct more serious attacks.
• 7 - Broken Authentication and Session Management Account credentials and
session tokens are often not properly protected. Attackers compromise passwords,
keys, or authentication tokens to assume other users' identities.
• 8 - Insecure Cryptographic Storage Web applications rarely use cryptographic
functions properly to protect data and credentials. Attackers use weakly protected
data to conduct identity theft and other crimes, such as credit card fraud.
• 9 - Insecure Communications Applications frequently fail to encrypt network traffic
when it is necessary to protect sensitive communications.
• 10 - Failure to Restrict URL Access Frequently, an application only protects
sensitive functionality by preventing the display of links or URLs to unauthorized
users. Attackers can use this weakness to access and perform unauthorized
operations by accessing those URLs directly.
Open Web Application Security Project (OWASP) Top 10 Security Vulnerabilities

23. 2/7/2018
23
How Much Security is Enough?
• Security based on Cost vs. Risk
Threat * Vulnerability = Risk
Cost of Implementing Controls – Cost of not
Implementing Controls = Cost
POLLING QUESTION

24. 2/7/2018
24
CYBERSECURITY WEBINAR
SERIES
• March 9 - SANS SEC440: Critical Security Controls
• March 29 - Malware Defense
• April 26 - Boundary Defense Mechanisms
• May 24 - Controlling Ports and Network Devices
• June 21 - Application Security
• July 12 - SEIM Log Analysis
• August 2 - Administrative Control Breaches
• Sept 14 - Vulnerability Assessment
• Sept 27 - Advanced Persistent Threats and targeted
cyber attacks
AUDITNET® AND CRISK
ACADEMY
• If you would like forever
access to this webinar
recording
• If you are watching the
recording, and would like
to obtain CPE credit for
this webinar
• Previous AuditNet®
webinars are also
available on-demand for
CPE credit
http://criskacademy.com
http://ondemand.criskacademy.com
Use coupon code: 50OFF for a
discount on this webinar for one week