Cyber security for IA and Risk 150601
© 2015 Protiviti Inc.
Global cyber-breach examples

“It takes twenty years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently.” – Warren Buffett

In 2013, Target’s network was hacked, compromising the credit card information and other customer data of 70 million customers. The company suffered a loss of $162 million and has also proposed to pay $10 million to settle a class-action lawsuit.

All TV5Monde broadcasts were brought down in a blackout between 10pm and 1am local time on March 8 and 9 by hackers claiming allegiance to Isis. They were able to seize control of the television network founded by the French government in 1984, simultaneously hacking 11 channels as well as its website and social media accounts.

Malware installed on the cash register systems across 2,200 The Home Depot stores syphoned the credit card details of up to 56 million customers. The same group of Russian and Ukrainian hackers responsible for the data breaches at Target, Sally Beauty and P.F. Chang’s, among others, is reported to be behind the breach.

Anthem, one of the USA’s largest health insurers, said that the personal information of tens of millions of its customers and employees, including its chief executive, was the subject of a “very sophisticated external cyber-attack.” Hackers were able to breach a database that contained as many as 80 million records of current and former customers, as well as employees.

In July 2014, JP Morgan Chase, the US's largest bank, was compromised by hackers, who stole the names, addresses, phone numbers and emails of account holders. The hack began in June but was not discovered until July, by which time the hackers had already obtained the highest level of administrative privilege on dozens of the bank’s computer servers.
Australian cyber-breach examples

“Privacy is not for the passive” – Jeffrey Rosen

The personal details of 31 of the world's leading political figures were leaked to the organisers of a soccer tournament late last year, in a major data breach caused by an email autofill error. The breach was caused by a staff member at Australia's Department of Immigration and related to world leaders attending the G20 Leaders' Summit in Australia last year.

Pizza Hut Australia confirmed that its customer data was compromised during a hacking attack on its website in 2012. The website was allegedly hacked by a group called 0-Day and Pyknic, with claims that 240,000 credit card details were stolen in the process.

Chinese hackers ‘breach Australian media organisations’ ahead of the G20 2014 meeting. The group called “Deep Panda” is believed to be affiliated with the Chinese government. Deep Panda targeted Australian media organisations in an attempt to understand the domestic media climate when Chinese president Xi Jinping arrived.

A database containing the personal details of almost 10,000 asylum seekers in Australia, both adults and children, was mistakenly made available on the website of the country's Department of Immigration and Border Protection in 2014. The database included names, nationalities, locations, arrival dates and boat arrival information.
Global and local cyber-breach statistics

No sector is immune to cyber-breaches and the cost is growing everywhere

Security incidents with confirmed data loss, by sector:
  Unknown         325
  Public          303
  Finance         277
  Manufacturing   235
  Accommodation   223
  Retail          164
  Professional    146
  Healthcare      141
  Information      95
  Education        65
  Other            28
  Administrative   27
  Entertainment    23
  Transportation   22
  Mining           17
  Real Estate      10
  Utilities        10
  Trade             6
  Agriculture       2
  Construction      2
  Management        1

Average company loss (AUD million), by country:
  United States   16.2
  Germany         10.4
  Japan            8.8
  France           8.1
  United Kingdom   7.6
  Australia        5.1
  Russia           4.3

10% average increase year-on-year
30 days average resolution time

Source: Verizon 2015 Data Breach Investigations Report; Ponemon Institute; Hewlett-Packard (HP Enterprise Security), October 2014
Types of cyber-breach

A major type of cyber-security incident remains socially engineered targeted emails

Types of cyber-breach experienced:
  Targeted emails                              63%
  Virus or worm infection                      52%
  Trojan or rootkit malware                    46%
  Theft of mobile devices                      35%
  Unauthorised access                          26%
  Ransomware                                   17%
  DDoS                                         17%
  Unauthorised access to information from an   17%

Source: 2013 CERT Australia Cyber Crime and Security Survey

• Businesses across a wide range of industry sectors are exposed to potentially enormous physical losses as well as liabilities and costs as a result of cyber-attacks and data breaches.
• Spammers and other cyber-criminals are moving away from exploit kits in favour of phishing messages containing malicious email attachments, a tried-and-true attack technique.
Contributors to cyber-breaches

Staff errors and/or omissions, followed by poor security culture and unpatched or unprotected software, are the major internal factors

Internal contributors:
  Staff error and/or omission                      57%
  Poor security culture                            50%
  Unpatched or unprotected software                48%
  Misconfigured systems, applications              48%
  Lack of technical security controls              41%
  Lack of IT security staff                        22%
  Malicious leak                                   16%
  Other                                            11%

External contributors:
  Targeted attack                                  51%
  Third party risks and/or vulnerabilities         49%
  Sophisticated attackers                          38%
  Powerful automated attack tools                  36%
  Volume of attacks                                31%
  Other                                            16%

Source: 2013 CERT Australia Cyber Crime and Security Survey
Cyber-security investments & reality

All organisations must recognise that perimeter defences will be breached

• Boards should not be fooled into believing that good practices will prevent a well-conceived targeted attack: they reduce vulnerability, they do not remove it.
• The reality is that it is simply not possible to secure everything, let alone the perimeter.
• Even if it were possible to secure the perimeter, this would not be enough, as it is far too easy to get behind it.
  o All an attacker has to do is be invited in.
  o Alternatively, social engineering techniques can be used to get somebody behind the perimeter to open the door.
• The large amounts that have been invested in perimeter defences are of limited value.
The need for new tools

Organisations now need to rely on a different set of controls and associated tools to manage cyber-security risk

• Solutions are all too often seen as purely technological rather than as having a critical people element.
• Over 70% of organisations* have not implemented the types of tools we would expect to see in place behind the perimeter.
• ‘Intelligent’ security monitoring techniques that highlight abnormal behaviour or potential incidents and enable a real-time response are increasingly important.
• IT rarely presents a business case for these solutions to the Board, nor clearly explains their value.
• Boards have been seen to invest in these solutions where a clear business risk, the value proposition around the solution and the target investment have been presented.

* Recent Protiviti study
The cyber-security challenge in summary

Organisations are now faced with a challenging cyber-threat environment exacerbated by operational hurdles

• We often find companies fill a Security Lead role and fail to support them with complementary resources. As a result, the security function reflects the Lead’s particular strengths… and weaknesses.
• Cyber-security is too often seen as a technology problem and not handled as a core business risk.
• The personnel market for cyber-security professionals is highly competitive, and those with a strong business focus are even harder to find and hire.
• The attack surface is increasing as more devices are attached and the internet-of-things becomes reality.
• The sophistication of today’s threat actors is increasing: they are often well-run organisations or state-controlled groups with significant funding and capability.
• The annual direct costs of detecting, diagnosing and remediating cyber-breaches are increasing at over 10% p.a.
• Cyber-risk is now a Board-level risk item, often in the top five risks.
Frameworks & reality

There is no one size fits all! Complying with frameworks isn’t sufficient!

Plethora of frameworks and standards
• There are so many areas to address:
  – from encryption, to application security, to disaster recovery
• Then there is the complication of compliance with regulatory requirements, especially in multiple geographies

Compliance isn’t security
• Target: PCI-DSS compliant
• Home Depot: PCI-DSS compliant
• JP Morgan: GLBA, FFIEC compliant
• Anthem: HIPAA compliant
• Aussie Travel Cover: Data not disclosed for 2 months
Internal audit’s role in effective cyber-security

“Top performers” address cyber-security risk in their audit plan and have boards that are highly engaged with cyber-security risk

Chart 1: Higher board engagement in information security if cyber-security is included in the audit plan (legend: Included in audit plan / Not included in audit plan)

Chart 2: Higher level of inclusion of cyber-security in the audit plan if there is high board engagement in information security (legend: High board engagement / “Other” board engagement)
Internal audit’s role in effective cyber-security

Organisations which include cyber-security in their audit plan also have a stronger ability to identify, assess and mitigate cyber-security risk

Chart 1: Organisations that rate themselves “very effective” at identifying/assessing/mitigating cyber-security risk (legend: In audit plan / Not in audit plan)

Chart 2: Organisations that have a cyber-security risk strategy and policy in place (legend: In audit plan / Not in audit plan)
Questions to consider

IA and Risk professionals can engage the business in a conversation to determine whether it understands the threats and to make it aware of them

Traditional approaches to cyber-security are not working …
• A risk-based approach needs to be adopted: a one-size-fits-all approach is all too often adopted and is not practical, is too costly and will ultimately fail.
• A top-down ERM approach to security risk assessments is essential: identifying sensitive data, assessing threats, capturing risk appetite, and informing risk mitigation strategies.
• ‘Intelligent’ security monitoring techniques that highlight abnormal behaviour or potential incidents and enable a real-time response are increasingly important.
• People are often the weakest link: security awareness training that works is essential.

… and most organisations struggle to answer five key questions
• Do you know the value of your data?
• Do you know where your data is?
• Do you know who has access to this data?
• Do you know who is protecting the data?
• Do you know how to respond in case the data is compromised?
Action items for Risk and Internal Audit (1/2)

Given internal audit’s key role in effective cyber-security there are ten actions that IA can take

1. Develop strategy & policy
   § Work with management and the board to develop a cyber-security strategy and policy.
2. Become “very effective”
   § Seek to have the organisation become “very effective” in its ability to identify, assess and mitigate cyber-security risk to an acceptable level.
3. Recognise “internal” threats
   § Recognise the threat of a cyber-security breach resulting from the actions of an employee or business partner.
4. Board awareness & engagement
   § Leverage board relationships to:
     a) heighten the board’s awareness and knowledge of cyber-security risk;
     b) ensure that the board remains highly engaged with cyber-security matters and up to date on the changing nature and strategic importance of cyber-security risk.
5. Audit plan integration
   § Ensure cyber-security risk is formally integrated into the audit plan.
Action items for Risk and Internal Audit (2/2)

Given internal audit’s key role in effective cyber-security there are ten actions that IA can take

6. Keep on top of new technologies
   § Develop, and keep current, an understanding of how emerging technologies and technological trends are affecting the company and its cyber-security risk profile.
7. Use NIST, ISO27001, ISO27002
   § Evaluate the organisation’s cyber-security program against the NIST Cyber-security Framework, recognising that the framework does not go to the control level and therefore may require additional evaluations against ISO 27001 and 27002.
8. Address people & technology
   § Recognise that the strongest preventative capability requires a combination of human and technology security: a complementary blend of education, awareness, vigilance and technology tools.
9. Make monitoring & response a priority
   § Make cyber-security monitoring and cyber-incident response a top management priority; a clear escalation protocol can help make the case for (and sustain) this priority.
10. Address IT audit staffing
   § Address any IT/audit staffing and resource shortages, which represent a top technology challenge in many organisations and can hamper efforts to address cyber-security issues.
Breach Detection Audit

Key Questions
• Are there signs that the organisation is currently breached or has been in the recent past?
• How effective are the in-place security monitoring tools and processes?
• Have potential breaches been sufficiently investigated?

Fieldwork Activities
• Forensic review of key indicators of a targeted attack (logs, network activity, systems).
• Evaluation of breach detection capabilities and processes.
• Review of previous potential breach incidents and organisational follow-up.

Value Provided to Management
• Management will appreciate the timeliness and relevance.
• Proven action steps that Management can take to improve its ability to detect breaches.
• Communication to stakeholders of the key controls Management has invested in.

Organisations that are at high risk of cyber-attack should consider an annual Breach Detection Audit.
Third Party Access Audit

Key Questions
• Could a breach of a third party result in a breach of our organisation?
• Are vendor, contractor and other third-party accounts sufficiently restricted?
• Would we know if a vendor account was being used improperly?

Fieldwork Activities
• Review of policies and procedures for third parties.
• Review of a sample of third-party accounts for appropriate access.
• Attempting privilege escalation from an example third-party account.

Value Provided to Management
• Topical given Target’s initial intrusion method.
• Factual arguments to support limiting vendor access further.
• Comforting stakeholders on a key area of risk (provided appropriate controls are in place).

IA and Risk can help Management limit the risk associated with a hacked third party (e.g., HVAC).
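The question “Would we know if a vendor account was being used improperly?” above, and the forensic log review listed under the Breach Detection Audit, both come down to comparing what a third-party account actually did against what it is permitted to do. The Python script below is an added illustration of that check; it is not Protiviti’s tooling and is not part of the original deck. It applies a constructed vendor access policy (allowed hosts plus an agreed maintenance window per account) to constructed authentication log lines and reports three kinds of finding an auditor would want surfaced: a vendor login to a host outside the vendor’s scope, a login outside the maintenance window, and privilege escalation by a vendor account. The log format, host names, account names and policy values are all assumptions made for the example.

```python
"""Flag improper use of third-party (vendor) accounts in authentication logs.

Added illustration for the Third Party Access Audit; the log format, account
names and the vendor access policy are constructed for this example.
"""
import re
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List, Tuple

# Constructed policy: hosts each vendor account may reach and the local-time
# maintenance window in which it is expected to log in (start, end).
VENDOR_POLICY: Dict[str, dict] = {
    "svc-hvac-vendor": {"hosts": {"bms-01"}, "window": (time(22, 0), time(4, 0))},
    "svc-pos-support": {"hosts": {"pos-gw-01", "pos-gw-02"}, "window": (time(8, 0), time(18, 0))},
}

# Constructed syslog-like sample: ISO timestamp, host, program, message.
SAMPLE_LOG = """\
2015-06-01T23:10:05 bms-01 sshd: Accepted publickey for svc-hvac-vendor
2015-06-02T02:15:44 pos-gw-01 sshd: Accepted password for svc-hvac-vendor
2015-06-02T02:16:30 pos-gw-01 sudo: svc-hvac-vendor : COMMAND=/bin/bash
2015-06-02T06:30:00 pos-gw-01 sshd: Accepted password for svc-pos-support
2015-06-02T09:00:12 pos-gw-02 sshd: Accepted password for svc-pos-support
2015-06-02T09:05:00 pos-gw-02 sshd: Accepted password for jsmith
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>sshd|sudo): (?P<rest>.*)$")
LOGIN_RE = re.compile(r"Accepted \S+ for (?P<user>\S+)")
SUDO_RE = re.compile(r"(?P<user>\S+) : COMMAND=")


@dataclass(frozen=True)
class Finding:
    timestamp: str
    host: str
    user: str
    reason: str


def in_window(t: time, window: Tuple[time, time]) -> bool:
    """True if t falls inside [start, end); handles windows that cross midnight."""
    start, end = window
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def audit_vendor_access(log_text: str, policy: Dict[str, dict] = VENDOR_POLICY) -> List[Finding]:
    """Return one Finding per policy violation seen in the log text."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a line shape we understand; a real tool would count these
        ts, host, prog, rest = m.group("ts", "host", "prog", "rest")
        if prog == "sshd":
            lm = LOGIN_RE.search(rest)
            if not lm:
                continue
            user = lm.group("user")
            rule = policy.get(user)
            if rule is None:
                continue  # staff account, outside the scope of this audit
            if host not in rule["hosts"]:
                findings.append(Finding(ts, host, user, "login to host outside vendor scope"))
            if not in_window(datetime.fromisoformat(ts).time(), rule["window"]):
                findings.append(Finding(ts, host, user, "login outside maintenance window"))
        elif prog == "sudo":
            sm = SUDO_RE.search(rest)
            if sm and sm.group("user") in policy:
                findings.append(Finding(ts, host, sm.group("user"), "privilege escalation by vendor account"))
    return findings


if __name__ == "__main__":
    for f in audit_vendor_access(SAMPLE_LOG):
        print(f"{f.timestamp} {f.host} {f.user}: {f.reason}")
```

On the sample the script reports three findings: the HVAC vendor account reaching a point-of-sale gateway, the same account escalating to a root shell there, and the POS support account logging in before its agreed window. In fieldwork the policy would be populated from the vendor contracts and access approvals reviewed in the first two activities, and the log sample from the organisation’s own authentication sources.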
Protiviti’s cyber-security services

Protiviti provides a full range of cyber-security services to help clients address the challenges of effective cyber-security

We work with clients to address IT cyber-security issues and deploy focused application and data management structures that solve problems and add business value

Data Centric Security
• Data Governance
• Data Classification
• Data Leakage
• Vendor Management & Due Diligence
• Privacy Management & Implementation
• PCI and Security Compliance

Incident Response & Forensics
• Incident Response Strategy & Planning
• Emergency Response
• Computer Forensics
• Proactive eDiscovery Planning
• Reactive eDiscovery Support

Vulnerability/Penetration Testing
• Infrastructure Vulnerability
• Application Vulnerability
• Network Vulnerability
• Database Vulnerability
• Secure Code Reviews

Security Program & Policy
• Security Policy & Program
• Security Strategy & Architecture
• Security Metrics
• Awareness & Training

Identity & Access Management
• Identity Governance
• IAM Policy & Standards
• IAM Programme Support
• Role Based Access
• Privileged User Access Management
• Identity Federation

Security Operations & Implementation
• Security Operations Center Design
• SIEM Program & Operational
• SOC Implementation & Staffing
• Security Product Implementation
Protiviti’s industry contributions

Protiviti makes significant contributions to industry groups by actively participating in, sponsoring and leading many industry associations

• Established a position of thought leadership regarding information security, governance and regulatory compliance, through efforts such as active participation in information security organisations such as OWASP, I-4, ISSA, CSI, InfraGard, SANS, ISACA and CSI, and the release of our Bulletin and Frequently Asked Questions publications.
• BITS Shared Assessments: on the Shared Assessments steering committee.
• All four PCI certifications: Qualified Security Assessor (QSA), Approved Scan Vendor (ASV), PCI Forensics Investigator (PFI) and Payment Application QSA (PA-QSA).
• FS-ISAC: serves on the Board and Advisors Committee.
• I-4: member of the industry “think-tank” focused on information security. Frequent presenter on industry best practices.
• Board of directors member & charter member of the IT Policy Compliance Group.
• High Technology Crimes and Investigation Association (HTCIA).
• FBI InfraGard.
• Information System Security Association (ISSA).
Protiviti’s thought leadership

Protiviti is a leading organisation in developing and disseminating pragmatic thought leadership in cyber-security and risk management