1/20/2020
1
Richard Cascarino CISM,
CIA, ACFE, CRMA
Cybersecurity Series
2019 Update 2
About Jim Kaplan, CIA, CFE
• President and Founder of AuditNet®, the global resource for auditors (available on iOS, Android and Windows devices)
• Auditor, Web Site Guru
• Internet for Auditors Pioneer
• IIA Bradford Cadmus Memorial Award Recipient
• Local Government Auditor’s Lifetime Award
• Author of “The Auditor’s Guide to Internet Resources” 2nd Edition
ABOUT AUDITNET® LLC
• AuditNet®, the global resource for auditors, serves the global audit
community as the primary resource for Web-based auditing content. As the first online
audit portal, AuditNet® has been at the forefront of websites dedicated to promoting the
use of audit technology.
• Available on the Web, iPad, iPhone, Windows and Android devices and
features:
• Over 2,800 Reusable Templates, Audit Programs, Questionnaires, and
Control Matrices
• Webinars focusing on fraud, data analytics, IT audit, and internal audit
with free CPE for subscribers and site license users.
• Audit guides, manuals, and books on audit basics and using audit
technology
• LinkedIn Networking Groups
• Monthly Newsletters with Expert Guest Columnists
• Surveys on timely topics for internal auditors
Introductions
HOUSEKEEPING
This webinar and its material are the property of AuditNet® and its Webinar partners. Unauthorized
usage or recording of this webinar or any of its material is strictly forbidden.
• If you logged in with another individual’s confirmation email you will not receive CPE as the
confirmation login is linked to a specific individual
• This Webinar is not eligible for viewing in a group setting. You must be logged in with your unique join
link.
• We are recording the webinar and you will be provided access to that recording after the webinar.
Downloading or otherwise duplicating the webinar recording is expressly prohibited.
• If you have indicated you would like CPE you must attend the entire Webinar to receive CPE (no
partial CPE will be awarded).
• If you meet the criteria for earning CPE you will receive a link via email to download your certificate.
The official email for CPE will be issued via NoReply@gensend.io and it is important to white list this
address. It is from this email that your CPE credit will be sent. There is a processing fee to have your
CPE credit regenerated post event.
• Submit questions via the chat box on your screen and we will answer them either during or at the
conclusion.
• You must answer the survey questions after the Webinar or before downloading your certificate.
ABOUT RICHARD CASCARINO,
MBA, CIA, CISM, CFE, CRMA
• Principal of Richard Cascarino &
Associates based in Colorado USA
• Over 28 years experience in IT audit
training and consultancy
• Past President of the Institute of
Internal Auditors in South Africa
• Member of ISACA
• Member of Association of Certified
Fraud Examiners
• Author of Data Analytics for Internal
Auditors
TODAY’S AGENDA
Where are we now and Where are we going?
• Current Cyberrisks
• Data Breach and Cloud Misconfigurations
• Shift in attack vectors
• Insecure Application Programming Interfaces (APIs)
• The growing impact of AI and ML
• Malware Attacks
• Single-factor passwords
• Insider Threat
• Shadow IT Systems
• Crime, espionage and sabotage by rogue nation-states
• IoT
• CCPA and GDPR
• Cyber attacks on utilities and public infrastructure
ARCHITECTURE AND
SERVICE DEFINITIONS
Three Cloud Service Delivery Models:
1. Infrastructure as a Service (IaaS)
2. Platform as a Service (PaaS)
3. Software as a Service (SaaS)
Four Cloud Service Deployment Models:
1. Public
2. Private
3. Community
4. Hybrid
THREATS TO CLOUD
COMPUTING
Changes to business model
Abusive use of cloud computing
Insecure interfaces and API
Malicious insiders
Shared technology issues
Data loss and leakage
Service hijacking
Risk profiling
Identity theft
REGULATORY COMPLIANCE
Texas Business & Commerce Code
FISMA
NIST SP 800 – 122
FIPS 200
HIPAA / HITECH Act
Payment Card Industry (PCI)
GDPR (General Data Protection Regulation)
ATTACKS ON CLOUD
COMPUTING
Zombie Attack
Service injection attack
Attacks on virtualization
Man-in-the-Middle attack
Metadata spoofing
Phishing
Backdoor channel attack
THE ATTACK VECTORS
Any system
Any infrastructure
Any communication
Any language
Any architecture
Any component
Any information, any data
Any physical layer
Any logical layer
Any storage device / facility
Any (communication) channel
Any interface
Any encryption
Any environment
Any site (including DR)
Any transaction
Any log and audit trail
Any archive
Any process (operations,
ongoing, development)
CONTAINING DATA
BREACHES
• Need to Identify:
  • What type of data has been breached?
  • Is there any sensitive information?
  • How many people could be affected?
  • How many records?
POLLING QUESTION
DO YOU KNOW?
• 75% of attacks today happen at the Application Layer
(Gartner).
• Many “easy hacking recipes” published on web.
• Security holes in the web application layer can make a
perfectly patched and firewalled server completely
vulnerable.
The cost and reputation savings of avoiding a security breach
are “priceless”
OWASP- TOP 10 VULNERABILITIES IN
WEB APPLICATIONS
• Injection: Injection attacks occur when a user is able to supply untrusted input that tricks the application/system into executing unintended commands. Injection can target SQL queries, PHP queries, LDAP queries and OS commands.
• Broken Authentication: Broken authentication occurs when the application mismanages session-related information (session cookies, passwords, secret keys etc.) so that a user’s identity can be compromised: an attacker can get into someone else’s session, reuse a session that the user has already ended, or steal session-related information.
• Sensitive data exposure: Attackers can sniff or modify sensitive data that the application does not handle securely, identifying the sensitive data bits and exploiting them. Examples include use of weak encryption keys and use of weak TLS.
• XML External Entities (XXE): An application is vulnerable to XXE attacks if it enables users to upload malicious XML that exploits vulnerable code and/or dependencies, for example to execute code, steal data or perform other malicious tasks.
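The injection item above is easiest to see with the two ways of building the same database query side by side. The following is an added example written for this page, not code from the presenters or from OWASP; the user table, names and roles are constructed sample data. The vulnerable function splices the input into the SQL text, the hardened one passes it as a bound parameter, and compare_lookups() returns how many rows each variant yields for the same input.

```python
import sqlite3


def build_db():
    # Constructed sample table (not from the page): three accounts with different roles.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "operator"), ("carol", "reporting")],
    )
    return conn


def lookup_user_vulnerable(conn, username):
    # String formatting: the untrusted value becomes part of the SQL text, so
    # quote characters in the input change the meaning of the statement.
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_user_safe(conn, username):
    # Parameterised query: the driver sends the value separately from the SQL,
    # so the input is always treated as data, never as syntax.
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def compare_lookups(conn, username):
    # Returns (rows from the vulnerable lookup, rows from the safe lookup) for one input.
    return len(lookup_user_vulnerable(conn, username)), len(lookup_user_safe(conn, username))


if __name__ == "__main__":
    db = build_db()
    # The textbook tautology input: the vulnerable query matches every row,
    # the parameterised query matches none because no such literal username exists.
    print(compare_lookups(db, "alice"))
    print(compare_lookups(db, "' OR '1'='1"))
```

The same pattern (bind the value, never concatenate it) applies to the LDAP and OS command cases the slide lists: use the API's argument-passing form rather than building a command string.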
OWASP- TOP 10 VULNERABILITIES IN
WEB APPLICATIONS
• Broken Access control: Applications have various account types depending on the users: admins, operators, reporting groups etc. One common problem is that developers restrict privileges only on the UI side and not on the server side. If exploited, every user can end up with admin rights.
• Security misconfigurations: Developers and IT staff focus on functionality rather than security, so many security requirements get missed unless identified by experts or hackers. Security misconfigurations include weak passwords, default passwords, default scripts left on servers, default directories, default error messages etc.
• Cross Site Scripting (XSS): Cross-site scripting occurs when an attacker is able to insert untrusted data/scripts into a web page. The data/scripts inserted by the attacker execute in the victim’s browser and can steal user data, deface websites etc.
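Two of the items on this slide, broken access control and XSS, come down to the same rule: the server decides, and user data is encoded before it is rendered. The following is an added example for this page, not the presenters' code; the session store, permission table, request shape and the is_admin flag are all constructed assumptions. The role is looked up from the server-side session, the client-supplied is_admin flag is ignored, and the greeting is HTML-escaped before it reaches the page.

```python
import html

# Constructed server-side session store: session id -> authenticated identity and role.
# The role lives on the server; the client never supplies it.
SESSIONS = {
    "sess-admin-1": {"user": "alice", "role": "admin"},
    "sess-op-7": {"user": "bob", "role": "operator"},
}

# Deny-by-default permission table: an action not listed for a role is refused.
PERMISSIONS = {
    "admin": {"view_report", "delete_user"},
    "operator": {"view_report"},
}


def authorize(session_id, action):
    session = SESSIONS.get(session_id)
    if session is None:
        return False
    return action in PERMISSIONS.get(session["role"], set())


def handle_delete_user(request):
    # The UI may hide the delete button from non-admins, but the server must
    # check again. The hypothetical request["is_admin"] flag is deliberately
    # ignored: a value the client controls is not a credential.
    if not authorize(request.get("session_id", ""), "delete_user"):
        return 403, "forbidden"
    return 200, f"deleted {request['target']}"


def render_greeting(display_name):
    # Output encoding: user-controlled text is escaped before being placed in HTML,
    # so markup in the name is shown literally instead of being interpreted.
    return f"<p>Welcome, {html.escape(display_name)}</p>"


if __name__ == "__main__":
    print(handle_delete_user({"session_id": "sess-op-7", "is_admin": True, "target": "carol"}))
    print(handle_delete_user({"session_id": "sess-admin-1", "target": "carol"}))
    print(render_greeting("<b>carol</b>"))
```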
OWASP- TOP 10 VULNERABILITIES IN
WEB APPLICATIONS
• Insecure Deserialization: Many applications that rely on the client to maintain state may allow tampering with serialized data.
• Using Components with known vulnerabilities: When components with known vulnerabilities are used by the application, this may lead to security breaches or server takeover. The components can be coding frameworks, libraries, vulnerable functions, network frameworks etc.
• Insufficient logging and monitoring: Attacks still happen and get noticed only after an incident has occurred. To ensure the attackers’ malicious intent gets noticed beforehand, it is essential to log all activity and monitor it for suspicious behavior.
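"Log all the activity and monitor it" is only useful if something reads the log. The following is an added example for this page, not the presenters' code: the log format and the eight sample lines are constructed, and the thresholds are assumptions. It parses authentication events and raises an alert when one source address accumulates repeated failures inside a short window, and a higher-severity alert when that same source then logs in successfully.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an invented format (not from any real product).
SAMPLE_LOG = """\
2020-01-20T09:15:01Z auth FAIL user=alice src=203.0.113.5
2020-01-20T09:15:03Z auth FAIL user=bob src=203.0.113.5
2020-01-20T09:15:04Z auth FAIL user=carol src=203.0.113.5
2020-01-20T09:15:06Z auth FAIL user=dave src=203.0.113.5
2020-01-20T09:15:07Z auth FAIL user=erin src=203.0.113.5
2020-01-20T09:15:09Z auth OK user=erin src=203.0.113.5
2020-01-20T09:20:00Z auth FAIL user=alice src=198.51.100.9
2020-01-20T09:45:00Z auth OK user=alice src=198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(log_text):
    """Turn log lines into (timestamp, result, user, src) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # in production, count unparsable lines too: they are a signal themselves
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return alerts: ("burst", src, user) once a source reaches `threshold`
    failures inside `window`, and ("success_after_burst", src, user) when a
    flagged source subsequently authenticates successfully."""
    alerts = []
    fails = defaultdict(list)  # src -> timestamps of recent failures
    flagged = set()
    for ts, result, user, src in sorted(events):
        if result == "FAIL":
            fails[src].append(ts)
            # Drop failures that have aged out of the sliding window.
            fails[src] = [t for t in fails[src] if ts - t <= window]
            if len(fails[src]) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("burst", src, user))
        elif result == "OK" and src in flagged:
            alerts.append(("success_after_burst", src, user))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse(SAMPLE_LOG)):
        print(alert)
```

The single failure from the second address never reaches the threshold and produces nothing, which is the point of a windowed count: ordinary typos stay quiet while a spray across many accounts from one source does not.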
POLLING QUESTION
AI and ML
MACHINE LEARNING
Algorithmic ways to “describe” data
Supervised
We are giving the system a lot of
training data and it learns from that
Unsupervised
We give the system some kind of
DEEP LEARNING
A “newer” machine learning algorithm
Eliminates the feature engineering step
Explainability / verifiability issues
DATA MINING
Methods to explore data - automatically
ARTIFICIAL INTELLIGENCE
A program that doesn't simply classify or compute model parameters, but comes up with novel knowledge that a security analyst finds insightful.
ML IN SECURITY
SUPERVISED
Malware classification
Deep learning on millions of samples - 400k
new malware samples a day
Has increased true positives and decreased
false positives compared to traditional ML
Spam identification
Analyzing massive amounts of firewall data to
predict and score malicious sources (IPs)
UNSUPERVISED
DNS analytics
Domain name classification, lookup
Threat Intelligence feed curation
IOC prioritization, deduplication, …
Tier 1 analyst automation
Reducing workload from 600M raw events to
User and Entity Behavior Analytics
(UEBA)
Uses mostly regular statistics and
rule-based approaches
* See Respond Software Inc.
MALWARE ATTACKS
• General misconception among people
• Malware = “malicious software”
• Malware is any kind of unwanted software that is installed without your consent on your computer.
• Viruses, worms, Trojan horses, bombs, spyware, adware are subgroups of malware.
VIRUS TYPES
Multipartite – a multi-part virus, a virus that attempts to attack both
the boot sector and the executable, or program, files at the same
time. When the virus attaches to the boot sector, it will in turn affect
the system files, and when the virus attaches to the files, it will in turn
infect the boot sector.
Appending - A virus that inserts a copy of its malicious code at the
end of the file. The goal of an appending virus is not to harm the host
program, but to modify it to hold the virus code and then be able to
run itself.
Overwriting - A type of computer virus that will copy its own code
over the host computer system's file data, which destroys the original
program. After your computer system has been cleaned using an
antivirus program, users will need to install the original program
again.
VIRUS TYPES
Polymorphic - A virus that changes its virus signature (i.e., its
binary pattern) every time it replicates and infects a new file in
order to keep from being detected by an antivirus program.
Tunneling – A type of virus that attempts installation beneath
the antivirus program by directly intercepting the interrupt
handlers of the operating system to evade detection.
Stealth – A computer virus that actively hides itself from
antivirus software by either masking the size of the file that it
hides in or temporarily removing itself from the infected file and
placing a copy of itself in another location on the drive,
replacing the infected file with an uninfected one that it has
stored on the hard drive.
VIRUS TYPES
Bimodal - Also called a Boot Sector Infector, a bimodal virus is
one that infects both boot records and files on the computer
system.
Self-garbling - A type of computer virus that will attempt to
hide from an antivirus program by garbling its own code. When
a self-garbling virus propagates it will change the encoding of
its own code to trick antivirus programs and stay hidden on the
computer system.
Memory resident - A virus that stays in memory after it
executes and after its host program is terminated. In contrast,
non-memory-resident viruses only are activated when an
infected application runs.
CLOUD ANTIVIRUS
• New form of antivirus program
• The virus scanning is done from a remote location (not on the computer).
• It is popular because it relieves the load on the physical computer’s resources.
• Constant functionality (nonstop scanning)
• Security issues
TWO-FACTOR AUTHENTICATION
OVERVIEW
• Single-factor passwords
• A major biometric hack shows the weakness of single-factor authentication
• Two-factor authentication requires the use of two of the three authentication factors:
Something only the user:
1. Knows (e.g. password, PIN, secret answer)
2. Has (e.g. ATM card, mobile phone, hard token)
3. Is (e.g. biometric – iris, fingerprint, etc.)
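The "has" factor in the list above is most often a phone running an authenticator app, and the code it shows is a time-based one-time password (TOTP, RFC 6238, built on HOTP, RFC 4226). The following is an added example for this page, not the presenters' code: it implements the TOTP algorithm with the standard library and checks it against the published RFC test secret; the login() function and its password_ok stand-in are assumptions showing how the second factor is combined with the first.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    # RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation,
    # then reduce to the requested number of decimal digits.
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at, step=30, digits=6):
    # RFC 6238: the HOTP counter is the number of `step`-second intervals since the Unix epoch.
    return hotp(secret, at // step, digits)


def current_code(secret):
    return totp(secret, int(time.time()))


def verify_totp(secret, submitted, at, step=30, skew=1):
    # Accept the current step plus `skew` neighbours either side to tolerate clock drift.
    # compare_digest keeps the comparison constant-time.
    return any(
        hmac.compare_digest(totp(secret, at + d * step, step), submitted)
        for d in range(-skew, skew + 1)
    )


def decode_base32_secret(text):
    # Authenticator apps exchange the shared secret as Base32, often without padding or with spaces.
    text = text.strip().replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def login(password_ok, secret, code, at):
    # Both factors must pass. `password_ok` is a stand-in for the first factor;
    # a real system would verify a salted password hash here (assumption).
    return password_ok and verify_totp(secret, code, at)


if __name__ == "__main__":
    # RFC 6238 test secret (ASCII "12345678901234567890"); a real secret is random.
    rfc_secret = b"12345678901234567890"
    print(totp(rfc_secret, 59))  # matches the RFC vector when truncated to 6 digits
    print(current_code(rfc_secret))
```

Because the code is derived from a shared secret and the clock, a stolen password alone is not enough; but the shared secret itself must be stored as carefully as a password, and the skew window should stay small.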
POLLING QUESTION
INSIDER THREATS
Insider attacks account for as much as 80% of all
computer and Internet related crimes [1]
70% of attacks causing at least $20,000 of damage are
the direct result of malicious insiders
Majority of insiders are privileged users and majority of
attacks are launched from remote machines
TYPICAL INSIDER THREATS
Data corruption, deletion, and modification
Leaking sensitive data
Denial of service attacks
Blackmail
Theft of corporate data
Etc. Etc. Etc
INSIDER THREAT
REMEDIATION
Minimize the size of the user population to
decrease the number of possible insiders
Distribute trust amongst multiple parties to
force collusion
Most insiders act alone
Question trust assumptions made in
computing systems
Treat the LAN like the WAN
BroLAN, SANE, etc…
Others?
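"Distribute trust amongst multiple parties to force collusion" has a concrete cryptographic form: split a critical secret (a master key, a break-glass password) so that no single insider holds it and a quorum must cooperate to reconstruct it. The following is an added example for this page, not the presenters' code, and implements Shamir's secret sharing over a prime field; the prime, the threshold and the release_with_quorum() helper are assumptions chosen for illustration.

```python
import secrets

# All arithmetic is modulo this prime; any prime larger than the secret works (constructed choice).
P = 2 ** 127 - 1


def _eval_poly(coeffs, x):
    # Horner's rule; coefficients are ordered lowest degree first.
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret, threshold, shares):
    """Return `shares` points (x, y) on a random polynomial of degree threshold-1
    whose constant term is `secret`. Any `threshold` points reconstruct it;
    fewer points are consistent with every possible secret."""
    assert 0 <= secret < P and 1 < threshold <= shares
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_secret(points):
    """Lagrange interpolation evaluated at x = 0 gives back the constant term."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = (num * (-xj)) % P
                den = (den * (xi - xj)) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def release_with_quorum(submitted, threshold):
    # Policy layer: refuse outright unless enough distinct custodians have presented shares.
    distinct = {x: y for x, y in submitted}
    if len(distinct) < threshold:
        return None
    return recover_secret(list(distinct.items())[:threshold])


if __name__ == "__main__":
    master = secrets.randbelow(P)
    parts = split_secret(master, 3, 5)  # five custodians, any three can recover
    print(release_with_quorum(parts[:2], 3) is None)      # two insiders: refused
    print(release_with_quorum(parts[1:4], 3) == master)   # three: recovered
```

The threshold is the number of people who would have to collude; with the slide's observation that most insiders act alone, even a 2-of-n split removes the single-actor case.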
SHADOW IT SYSTEMS
• Shadow IT
  • Unsanctioned apps or services in use
• Shadow Data
  • Unmanaged content that users put into sanctioned apps or services meant for other purposes, or into unsanctioned apps or services
• In GDPR terms
  • Shadow IT = Technology environments where there is a lack of control over which personal data is handled by whom within the organization
  • Shadow Data in sanctioned apps / services may be processed out of policy
  • Shadow Data in unsanctioned apps / services cannot be accounted for
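Finding "unsanctioned apps or services in use" usually starts with the egress logs the organization already has. The following is an added example for this page, not the presenters' code: the proxy log format, the five sample lines and the sanctioned-service list are constructed, and the domain names use reserved example names rather than real services. It reports every destination not covered by the allowlist, which users reached it and how much data went out to it (the "shadow data" the slide describes).

```python
import re
from collections import defaultdict

# Constructed allowlist of sanctioned services (assumption; a real one comes from the CMDB/CASB).
SANCTIONED = {"files.corp.example", "mail.corp.example", "crm.vendor.example"}

# Constructed sample proxy log lines in an invented format.
SAMPLE_PROXY_LOG = """\
2020-01-20 10:01:02 user=alice dst=files.corp.example bytes_out=1200
2020-01-20 10:03:15 user=alice dst=share.freecloud.example bytes_out=5400000
2020-01-20 10:04:40 user=bob dst=api.crm.vendor.example bytes_out=800
2020-01-20 10:05:02 user=bob dst=paste.example.net bytes_out=2300
2020-01-20 10:07:19 user=carol dst=share.freecloud.example bytes_out=150000
"""

LINE_RE = re.compile(r"user=(?P<user>\S+) dst=(?P<dst>\S+) bytes_out=(?P<bytes>\d+)")


def is_sanctioned(host, sanctioned=SANCTIONED):
    # Match the host or any parent domain (api.crm.vendor.example -> crm.vendor.example),
    # but never a lookalike that merely starts with a sanctioned name.
    labels = host.split(".")
    return any(".".join(labels[i:]) in sanctioned for i in range(len(labels)))


def shadow_report(log_text, sanctioned=SANCTIONED):
    """Return {destination: {"users": set_of_users, "bytes_out": total}} for
    unsanctioned destinations only."""
    report = defaultdict(lambda: {"users": set(), "bytes_out": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or is_sanctioned(m["dst"], sanctioned):
            continue
        entry = report[m["dst"]]
        entry["users"].add(m["user"])
        entry["bytes_out"] += int(m["bytes"])
    return dict(report)


if __name__ == "__main__":
    for dst, info in sorted(shadow_report(SAMPLE_PROXY_LOG).items()):
        print(dst, sorted(info["users"]), info["bytes_out"])
```

The bytes_out total is the number to act on first: a service used by several people and receiving megabytes of uploads is where unmanaged personal data is most likely to sit.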
SHADOW IT SYSTEMS
More than 5,000 personal devices connect to
enterprise networks every day with little or no
endpoint security enabled in one of every three
companies in the U.S., U.K., and Germany.
More than 1,000 shadow IoT devices connect to
enterprise networks every day in 30% of the U.S.,
U.K., and German companies.
12% of U.K. organizations are seeing more than
10,000 shadow IoT devices connect to their
enterprise networks every day.
Forbes
RISKS ASSOCIATED WITH
SHADOW IT
• The organization loses control and visibility into the data migrated to Shadow IT systems.
• The risks include:
  • security and regulatory noncompliance,
  • data leaks and inability to perform disaster recovery measures involving data in Shadow IT systems when required.
CRIME, ESPIONAGE AND SABOTAGE BY
ROGUE NATION-STATES
• Utilities and Industrial Control Systems targeted with Ransomware
• A Nation-State Launches a “Fire Sale” Attack
• Attackers hold the Internet Hostage
• US cyber security strategy is built around four tenets:
  • Protect the American People, the Homeland and the American Way of Life
  • Promote American Prosperity
  • Preserve Peace through Strength
  • Advance American Influence
• More nations developing offensive cyber capabilities
• Isolationist trade policies will incentivize nation states and corporate entities to steal trade secrets and use cyber tactics to disrupt government, critical infrastructure, and vital industries
• China's Belt and Road Initiative to drive cyber espionage activity
POLLING QUESTION
Components of IoT
• IoT consists of three principal components:
  • The things themselves that, in most cases, represent the devices or sensors with the ability to capture or produce data, and the time to create an effect on the environment in which they have some influence
  • The communications network that interconnects the things (this network connectivity, in most cases, is wireless)
  • The computing systems that process and use the data received and/or transmitted by the things, with, in most cases, a minimal computational capability
• Source: https://www.isaca.org/journal/archives/2015/volume-2/pages/internet-of-things-offers-great-opportunities-and-much-risk.aspx
GAO Highlights INTERNET OF THINGS RISKS
What GAO Found
The Internet of Things (IoT) is the set of Internet-capable devices, such as
wearable fitness devices and smartphones, that interact with the physical
environment and typically contain elements for sensing, communicating,
processing, and actuating. Even as the IoT creates many benefits, it is important
to acknowledge its emerging security implications.
Highlights of GAO-17-668, a report to congressional committees
IT Risk Areas Deserving Increased Focus
IT Governance:
Mission: The mission of IT is not aligned to protect the
value of its existing assets and create new or future value.
IT and Business Alignment: Corporations increasingly
do not coordinate IT with business processes to realize
their true value.
Portfolio Management: The IT Portfolio is not reliable or
adequately available.
IT Risk Management: IT compliance with laws and
regulations.
IT Risk Areas Deserving Increased Focus
Enterprise Security:
• Security Configuration Management: Security administration processes are undefined.
• Identity and Access Management: System configurations are not in line with the security policy. Access to systems is not managed to ensure access is appropriately administered in a timely manner. Firewalls are not properly configured or monitored to prevent/detect unauthorized access and malicious attacks.
• Security Penetration & Vulnerability Testing: Tools and techniques are not in place or not properly configured to periodically test and report to management.
• Security Awareness & Training: Security notifications and training do not exist to make users aware of their responsibilities in securing corporate data.
• Security Compliance: Management has not implemented a security compliance program to address regulatory requirements (HIPAA, GLBA, SOX, etc.)
• Source: Deloitte IT Risk Awareness Presentation
IT Risk Areas Deserving Increased Focus
Crisis Management:
• Business Impact Assessment: An enterprise-wide disaster recovery plan has not been prepared or is not based on a business impact assessment.
• Communications / Crisis Management Plans: Management has not prepared or coordinated with cross-functional business units to ensure appropriate escalation and communication of crisis management (declaration and ongoing communication).
• Service Level Agreements: Relationships with third party vendors do not exist to ensure IT operations continuity in case of disaster/crisis.
• Insurance: Insurance agreements do not exist for the IT infrastructure or Business Impact.
• Site Reconstruction / Relocation: The disaster recovery plan does not contain a strategy to either rebuild or relocate IT operations permanently to ensure continuity in the case of total loss of production systems.
• Disaster Recovery Testing: Management has not periodically tested the disaster recovery plan or has not documented results and incorporated improvements into the disaster recovery plans.
Source: Deloitte IT Risk Awareness Presentation
POLLING QUESTION
MORE LEGISLATION
• California Consumer Privacy Act Ma
  • State statute intended to enhance privacy rights and consumer protection for residents of California
  • Took effect on January 1, 2020
Six Statutory rights:
1. To be provided with information on what personal information is collected about them and the purposes for which that personal information is used.
2. To be provided with information on what personal information is sold or disclosed for a business purpose and to whom.
3. To opt out of the sale of their personal information to third parties (or in the case of minors under age 16, to require an opt in before the sale of their personal information).
4. To request the deletion of their personal information.
5. Not to be subject to discrimination for exercising any of the above rights, including being denied goods or services or being charged a different price, or being subjected to a lower level of quality, of such goods or services.
6. To seek statutory damages of $100 to $750 for breaches of unencrypted personal information that arise as a result of a business’ violation of its duty to implement and maintain reasonable security procedures.

APPLIES TO
• For-profit business entities in CA that:
  • Have gross revenue of $25 million or more
  • Receive or share the personal information of more than 50,000 consumers, households, or devices
  • Derive more than 50% of revenue from the sale of PHI
• Exception for HIPAA, CMIA (California Medical Information Act) and GLBA (Gramm-Leach-Bliley Act) statutes
REQUIREMENTS
• Businesses are required to post on their website or by other public means how they are using or not using consumer data over a rolling 12 months, together with opt-out instructions
• Businesses will have to develop processes and procedures to accommodate all consumer rights, including data mapping / access reports
• Requirements for businesses to reasonably safeguard consumer data
• Significant damage implications for businesses that fail to comply (enforced by the CA AG)
• Consumers have a private right of action, but it is limited ($100 to $750 per violation)
• Fines for businesses of $7,500 per violation
WHAT IS GDPR?
On 4 May 2016, the EU Regulation on Data Protection
(GDPR) was published in the Official Journal of the
European Union
The GDPR entered into force on 24 May 2016 to replace
the former 1995 EU Data Protection Directive and create
a harmonized data protection law across Europe
To more effectively manage data on their customers,
employees, contacts and any other relevant persons
WHAT IS DATA PROTECTION?
Data Protection is about avoiding harm to individuals by
misusing or mismanaging their personal data.
So if you collect, use, or store personal data then the Data
Protection Act applies to you. It sets out eight principles you have
to adhere to, which include:
Only collect information for specific purposes and don’t then use
it for other purposes
Only collect what you need for the specific purpose
Keep it accurate and up to date; and safe and secure
Process information lawfully and allow subject access in line with
the Act.
GDPR & WHY IT’S
IMPORTANT
Why is it important?
Significant impact for organisations and how they
manage data with some potentially very large penalties
for violations – 4% of global revenues
Impacts the storage, processing, access, transfer, and
disclosure of an individual’s data records
Who is affected?
These protections apply to any organisation (anywhere
in the world) that processes the personal data of EU
data subjects
POLLING QUESTION
CYBER ATTACKS ON UTILITIES
AND PUBLIC INFRASTRUCTURE
We are increasingly dependent on the Internet:
Directly
Communication (Email, IM, VoIP)
Commerce (business, banking, e-commerce, etc)
Control systems (public utilities, etc)
Information and entertainment
Sensitive data stored on the Internet
Indirectly
Biz, Edu, Gov have permanently replaced
physical/manual processes with Internet-based
processes
CYBERSECURITY
ROADBLOCKS
No metrics to measure (in)security
Internet is inherently international
Private sector owns most of the infrastructure
“Cybersecurity Gap”: a cost/incentive
disconnect?
• Businesses will pay to meet business imperatives
• Who’s going to pay to meet national security imperatives?
CORPORATE VS NATIONAL
corporate cybersecurity = availability, integrity
and secrecy of information systems and networks
in the face of attacks, accidents and failures with
the goal of protecting a corporation’s operations
and assets
national cybersecurity = availability, integrity and
secrecy of the information systems and networks
in the face of attacks, accidents and failures with
the goal of protecting a nation’s operations and
assets (preventing an electronic Pearl Harbour)
National Infrastructure Protection Plan (NIPP)
From DHS
THE NIPP PROVIDES A STRATEGIC CONTEXT
FOR INFRASTRUCTURE
PROTECTION/RESILIENCY
• Dynamic threat environment
  • Natural Disasters
  • Terrorists
  • Accidents
  • Cyber Attacks
• A complex problem, requiring a national plan and organizing framework
  • 18 Sectors, all different, ranging from asset-focused to systems and networks
  • Outside regulatory space (very few security-focused regimes)
  • 85% privately owned
  • 100% in State and local jurisdictions
CRITICAL INFRASTRUCTURE &
KEY RESOURCES (CIKR)
Critical Infrastructure: Systems and assets, whether physical or
virtual, so vital to the United States that the incapacitation or
destruction of such systems and assets would have a debilitating
impact on national security, national economic security, public health
or safety, or any combination of those matters
Key Resources: Publicly or privately controlled resources essential
to the minimal operations of the economy or government
Why is CIKR Protection Important?
Essential to the Nation’s security, public health and safety,
economic vitality, and way of life
QUESTIONS?
Any Questions?
Don’t be Shy!
AUDITNET® AND CRISK
ACADEMY
• If you would like forever
access to this webinar
recording
• If you are watching the
recording, and would like
to obtain CPE credit for
this webinar
• Previous AuditNet®
webinars are also
available on-demand for
CPE credit
http://criskacademy.com
http://ondemand.criskacademy.com
Use coupon code: 50OFF for a
discount on this webinar for one week
THANK YOU!
Jim Kaplan
AuditNet® LLC
1-800-385-1625
Email:info@auditnet.org
www.auditnet.org
Follow Me on Twitter for Special Offers - @auditnet
Join my LinkedIn Group –
https://www.linkedin.com/groups/44252/
Like my Facebook business page
https://www.facebook.com/pg/AuditNetLLC
Richard Cascarino & Associates
Cell: +1 970 819 7963
Tel +1 303 747 6087 (Skype Worldwide)
Tel: +1 970 367 5429
eMail: rcasc@rcascarino.com
Web: http://www.rcascarino.com
Skype: Richard.Cascarino
 
Web Security Overview
Web Security OverviewWeb Security Overview
Web Security OverviewNoah Jaehnert
 
How Does a Data Breach Happen?
How Does a Data Breach Happen? How Does a Data Breach Happen?
How Does a Data Breach Happen? Claranet UK
 
Scalar Security Roadshow April 2015
Scalar Security Roadshow April 2015Scalar Security Roadshow April 2015
Scalar Security Roadshow April 2015Scalar Decisions
 
Fragments-Plug the vulnerabilities in your App
Fragments-Plug the vulnerabilities in your AppFragments-Plug the vulnerabilities in your App
Fragments-Plug the vulnerabilities in your AppAppsecco
 
Digitalstakeout Scout Overview
Digitalstakeout Scout OverviewDigitalstakeout Scout Overview
Digitalstakeout Scout OverviewDigitalStakeout
 
CyberSecurity Series Malware slides
CyberSecurity Series Malware slidesCyberSecurity Series Malware slides
CyberSecurity Series Malware slidesJim Kaplan CIA CFE
 
Network security, seriously?
Network security, seriously?Network security, seriously?
Network security, seriously?Peter Wood
 
Expand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and DataExpand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and DataPrecisely
 
Application Security-Understanding The Horizon
Application Security-Understanding The HorizonApplication Security-Understanding The Horizon
Application Security-Understanding The HorizonLalit Kale
 
Web and Mobile Application Security
Web and Mobile Application SecurityWeb and Mobile Application Security
Web and Mobile Application SecurityPrateek Jain
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on itWSO2
 

Ähnlich wie Cybersecurity Series 2019 Update 2 (20)

Cyber security series Application Security
Cyber security series   Application SecurityCyber security series   Application Security
Cyber security series Application Security
 
00. introduction to app sec v3
00. introduction to app sec v300. introduction to app sec v3
00. introduction to app sec v3
 
Luncheon 2015-11-19 - Lessons Learned from Avid Life Media by Rob Davis
Luncheon 2015-11-19 - Lessons Learned from Avid Life Media by Rob DavisLuncheon 2015-11-19 - Lessons Learned from Avid Life Media by Rob Davis
Luncheon 2015-11-19 - Lessons Learned from Avid Life Media by Rob Davis
 
Cyber security series advanced persistent threats
Cyber security series   advanced persistent threats Cyber security series   advanced persistent threats
Cyber security series advanced persistent threats
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
 
IBM Relay 2015: Securing the Future
IBM Relay 2015: Securing the Future IBM Relay 2015: Securing the Future
IBM Relay 2015: Securing the Future
 
Application Security Testing for Software Engineers: An approach to build sof...
Application Security Testing for Software Engineers: An approach to build sof...Application Security Testing for Software Engineers: An approach to build sof...
Application Security Testing for Software Engineers: An approach to build sof...
 
Web Security Overview
Web Security OverviewWeb Security Overview
Web Security Overview
 
How Does a Data Breach Happen?
How Does a Data Breach Happen? How Does a Data Breach Happen?
How Does a Data Breach Happen?
 
Scalar Security Roadshow April 2015
Scalar Security Roadshow April 2015Scalar Security Roadshow April 2015
Scalar Security Roadshow April 2015
 
Fragments-Plug the vulnerabilities in your App
Fragments-Plug the vulnerabilities in your AppFragments-Plug the vulnerabilities in your App
Fragments-Plug the vulnerabilities in your App
 
Digitalstakeout Scout Overview
Digitalstakeout Scout OverviewDigitalstakeout Scout Overview
Digitalstakeout Scout Overview
 
CyberSecurity Series Malware slides
CyberSecurity Series Malware slidesCyberSecurity Series Malware slides
CyberSecurity Series Malware slides
 
Network security, seriously?
Network security, seriously?Network security, seriously?
Network security, seriously?
 
New Horizons SCYBER Presentation
New Horizons SCYBER PresentationNew Horizons SCYBER Presentation
New Horizons SCYBER Presentation
 
Expand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and DataExpand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and Data
 
Application Security-Understanding The Horizon
Application Security-Understanding The HorizonApplication Security-Understanding The Horizon
Application Security-Understanding The Horizon
 
Web and Mobile Application Security
Web and Mobile Application SecurityWeb and Mobile Application Security
Web and Mobile Application Security
 
How to produce more secure web apps
How to produce more secure web appsHow to produce more secure web apps
How to produce more secure web apps
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on it
 

Mehr von Jim Kaplan CIA CFE

Enhanced fraud detection with data analytics
Enhanced fraud detection with data analyticsEnhanced fraud detection with data analytics
Enhanced fraud detection with data analyticsJim Kaplan CIA CFE
 
mplementing and Auditing GDPR Series (10 of 10)
mplementing and Auditing GDPR Series (10 of 10) mplementing and Auditing GDPR Series (10 of 10)
mplementing and Auditing GDPR Series (10 of 10) Jim Kaplan CIA CFE
 
Touchstone Research for Internal Audit 2020 – A Look at the Now and Tomorrow ...
Touchstone Research for Internal Audit 2020 – A Look at the Now and Tomorrow ...Touchstone Research for Internal Audit 2020 – A Look at the Now and Tomorrow ...
Touchstone Research for Internal Audit 2020 – A Look at the Now and Tomorrow ...Jim Kaplan CIA CFE
 
How to detect fraud like a pro detective slides
How to detect fraud like a pro detective slides How to detect fraud like a pro detective slides
How to detect fraud like a pro detective slides Jim Kaplan CIA CFE
 
How to get auditors performing basic analytics using excel
How to get auditors performing basic analytics using excel How to get auditors performing basic analytics using excel
How to get auditors performing basic analytics using excel Jim Kaplan CIA CFE
 
General Data Protection Regulation Webinar 6
General Data Protection Regulation Webinar 6 General Data Protection Regulation Webinar 6
General Data Protection Regulation Webinar 6 Jim Kaplan CIA CFE
 
Ethics and the Internal Auditor
Ethics and the Internal AuditorEthics and the Internal Auditor
Ethics and the Internal AuditorJim Kaplan CIA CFE
 
How analytics should be used in controls testing instead of sampling
How analytics should be used in controls testing instead of sampling How analytics should be used in controls testing instead of sampling
How analytics should be used in controls testing instead of sampling Jim Kaplan CIA CFE
 
How analytics should be used in controls testing instead of sampling
How analytics should be used in controls testing instead of samplingHow analytics should be used in controls testing instead of sampling
How analytics should be used in controls testing instead of samplingJim Kaplan CIA CFE
 
Building and Striving for Data Analytics Excellence
Building and Striving for Data Analytics ExcellenceBuilding and Striving for Data Analytics Excellence
Building and Striving for Data Analytics ExcellenceJim Kaplan CIA CFE
 
The Future of Auditing and Fraud Detection
The Future of Auditing and Fraud Detection The Future of Auditing and Fraud Detection
The Future of Auditing and Fraud Detection Jim Kaplan CIA CFE
 
Structuring your organization for success with data analytics
Structuring your organization for success with data analytics Structuring your organization for success with data analytics
Structuring your organization for success with data analytics Jim Kaplan CIA CFE
 

Mehr von Jim Kaplan CIA CFE (13)

Enhanced fraud detection with data analytics
Enhanced fraud detection with data analyticsEnhanced fraud detection with data analytics
Enhanced fraud detection with data analytics
 
mplementing and Auditing GDPR Series (10 of 10)
mplementing and Auditing GDPR Series (10 of 10) mplementing and Auditing GDPR Series (10 of 10)
mplementing and Auditing GDPR Series (10 of 10)
 
Touchstone Research for Internal Audit 2020 – A Look at the Now and Tomorrow ...
Touchstone Research for Internal Audit 2020 – A Look at the Now and Tomorrow ...Touchstone Research for Internal Audit 2020 – A Look at the Now and Tomorrow ...
Touchstone Research for Internal Audit 2020 – A Look at the Now and Tomorrow ...
 
How to detect fraud like a pro detective slides
How to detect fraud like a pro detective slides How to detect fraud like a pro detective slides
How to detect fraud like a pro detective slides
 
How to get auditors performing basic analytics using excel
How to get auditors performing basic analytics using excel How to get auditors performing basic analytics using excel
How to get auditors performing basic analytics using excel
 
General Data Protection Regulation Webinar 6
General Data Protection Regulation Webinar 6 General Data Protection Regulation Webinar 6
General Data Protection Regulation Webinar 6
 
Ethics and the Internal Auditor
Ethics and the Internal AuditorEthics and the Internal Auditor
Ethics and the Internal Auditor
 
How analytics should be used in controls testing instead of sampling
How analytics should be used in controls testing instead of sampling How analytics should be used in controls testing instead of sampling
How analytics should be used in controls testing instead of sampling
 
How analytics should be used in controls testing instead of sampling
How analytics should be used in controls testing instead of samplingHow analytics should be used in controls testing instead of sampling
How analytics should be used in controls testing instead of sampling
 
Ethics for Internal Auditors
Ethics for  Internal AuditorsEthics for  Internal Auditors
Ethics for Internal Auditors
 
Building and Striving for Data Analytics Excellence
Building and Striving for Data Analytics ExcellenceBuilding and Striving for Data Analytics Excellence
Building and Striving for Data Analytics Excellence
 
The Future of Auditing and Fraud Detection
The Future of Auditing and Fraud Detection The Future of Auditing and Fraud Detection
The Future of Auditing and Fraud Detection
 
Structuring your organization for success with data analytics
Structuring your organization for success with data analytics Structuring your organization for success with data analytics
Structuring your organization for success with data analytics
 

Kürzlich hochgeladen

The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 

Kürzlich hochgeladen (20)

The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 

Cybersecurity Series 2019 Update 2

• 1. 1/20/2020
Richard Cascarino CISM, CIA, ACFE, CRMA
Cybersecurity Series 2019 Update 2

About Jim Kaplan, CIA, CFE
• President and Founder of AuditNet®, the global resource for auditors (available on iOS, Android and Windows devices)
• Auditor, Web Site Guru
• Internet for Auditors Pioneer
• IIA Bradford Cadmus Memorial Award Recipient
• Local Government Auditor’s Lifetime Award
• Author of “The Auditor’s Guide to Internet Resources”, 2nd Edition

• 2. ABOUT AUDITNET® LLC
• AuditNet®, the global resource for auditors, serves the global audit community as the primary resource for Web-based auditing content. As the first online audit portal, AuditNet® has been at the forefront of websites dedicated to promoting the use of audit technology.
• Available on the Web, iPad, iPhone, Windows and Android devices, and features:
  • Over 2,800 reusable templates, audit programs, questionnaires, and control matrices
  • Webinars focusing on fraud, data analytics, IT audit, and internal audit, with free CPE for subscribers and site license users
  • Audit guides, manuals, and books on audit basics and using audit technology
  • LinkedIn networking groups
  • Monthly newsletters with expert guest columnists
  • Surveys on timely topics for internal auditors

HOUSEKEEPING
This webinar and its material are the property of AuditNet® and its Webinar partners. Unauthorized usage or recording of this webinar or any of its material is strictly forbidden.
• If you logged in with another individual’s confirmation email you will not receive CPE, as the confirmation login is linked to a specific individual.
• This Webinar is not eligible for viewing in a group setting. You must be logged in with your unique join link.
• We are recording the webinar and you will be provided access to that recording after the webinar. Downloading or otherwise duplicating the webinar recording is expressly prohibited.
• If you have indicated you would like CPE you must attend the entire Webinar to receive CPE (no partial CPE will be awarded).
• If you meet the criteria for earning CPE you will receive a link via email to download your certificate. The official email for CPE will be issued via NoReply@gensend.io and it is important to white list this address. It is from this email that your CPE credit will be sent. There is a processing fee to have your CPE credit regenerated post event.
• Submit questions via the chat box on your screen and we will answer them either during or at the conclusion.
• You must answer the survey questions after the Webinar or before downloading your certificate.
• 3. ABOUT RICHARD CASCARINO, MBA, CIA, CISM, CFE, CRMA
• Principal of Richard Cascarino & Associates, based in Colorado, USA
• Over 28 years’ experience in IT audit training and consultancy
• Past President of the Institute of Internal Auditors in South Africa
• Member of ISACA
• Member of the Association of Certified Fraud Examiners
• Author of Data Analytics for Internal Auditors

TODAY’S AGENDA
Where are we now and where are we going?
• Current cyber risks
• Data breaches and cloud misconfigurations
• Shift in attack vectors
• Insecure Application Programming Interfaces (APIs)
• The growing impact of AI and ML
• Malware attacks
• Single-factor passwords
• Insider threat
• Shadow IT systems
• Crime, espionage and sabotage by rogue nation-states
• IoT
• CCPA and GDPR
• Cyber attacks on utilities and public infrastructure

• 4. ARCHITECTURE AND SERVICE DEFINITIONS
Three cloud service delivery models:
1. Infrastructure as a Service (IaaS)
2. Platform as a Service (PaaS)
3. Software as a Service (SaaS)
Four cloud service deployment models:
1. Public
2. Private
3. Community
4. Hybrid

THREATS TO CLOUD COMPUTING
• Changes to the business model
• Abusive use of cloud computing
• Insecure interfaces and APIs
• Malicious insiders
• Shared technology issues
• Data loss and leakage
• Service hijacking
• Risk profiling
• Identity theft

• 5. REGULATORY COMPLIANCE
• Texas Business & Commerce Code
• FISMA
• NIST SP 800-122
• FIPS 200
• HIPAA / HITECH Act
• Payment Card Industry (PCI)
• GDPR (General Data Protection Regulation)

ATTACKS ON CLOUD COMPUTING
• Zombie attack
• Service injection attack
• Attacks on virtualization
• Man-in-the-Middle attack
• Metadata spoofing
• Phishing
• Backdoor channel attack

• 6. THE ATTACK VECTORS
Any system, any infrastructure, any communication, any language, any architecture, any component, any information or data, any physical layer, any logical layer, any storage device or facility, any (communication) channel, any interface, any encryption, any environment, any site (including DR), any transaction, any log and audit trail, any archive, any process (operations, ongoing, development).

CONTAINING DATA BREACHES
Need to identify:
• What type of data has been breached?
• Is there any sensitive information?
• How many people could be affected?
• How many records?

• 7. POLLING QUESTION

DO YOU KNOW?
• 75% of attacks today happen at the Application Layer (Gartner).
• Many “easy hacking recipes” are published on the web.
• Security holes in the web application layer can make a perfectly patched and firewalled server completely vulnerable.
The cost and reputation savings of avoiding a security breach are “priceless”.
• 8. OWASP TOP 10 VULNERABILITIES IN WEB APPLICATIONS
• Injection: Injection attacks occur when the user is able to input untrusted data, tricking the application/system into executing unintended commands. Injections can be SQL queries, PHP queries, LDAP queries and OS commands.
• Broken Authentication: Broken authentication occurs when the application mismanages session-related information such that the user’s identity gets compromised. The information can be in the form of session cookies, passwords, secret keys etc., used to get into someone else’s session, to reuse a session which has been ended by the user, or to steal session-related information.
• Sensitive Data Exposure: Attackers can sniff or modify sensitive data if it is not handled securely by the application. A few examples include use of weak encryption keys and use of weak TLS. Attackers look for sensitive data bits in order to exploit them.
• XML External Entities (XXE): An application is vulnerable to XXE attacks if it enables users to upload a malicious XML document which further exploits the vulnerable code and/or dependencies, for example to execute code, steal data and perform other malicious tasks.

OWASP TOP 10 VULNERABILITIES IN WEB APPLICATIONS
• Broken Access Control: Applications have various account types depending on the users: admins, operators, reporting groups etc. One common problem is that developers restrict the privileges just on the UI side and not on the server side. If exploited, each user can have admin rights.
• Security Misconfigurations: Developers and IT staff ensure functionality, not security. Many of the security requirements get missed unless identified by experts or hackers. Security misconfigurations can include weak passwords, default passwords, default scripts stored on the servers, default directories, default error messages etc.
• Cross-Site Scripting (XSS): Cross-site scripting occurs when an attacker is able to insert untrusted data/scripts into a web page. The data/scripts inserted by the attacker get executed in the browser and can steal user data, deface websites etc.

• 9. OWASP TOP 10 VULNERABILITIES IN WEB APPLICATIONS
• Insecure Deserialization: Many applications which rely on the client to maintain state may allow tampering with serialized data.
• Using Components with Known Vulnerabilities: When components with known vulnerabilities are used by the application, this may lead to security breaches or server takeover. The components can be coding frameworks, libraries, vulnerable functions, network frameworks etc.
• Insufficient Logging and Monitoring: Attacks still happen and get noticed only after an incident has occurred. To ensure the malicious intent of attackers gets noticed beforehand, it is essential to log all activity and monitor it for suspicious behavior.

POLLING QUESTION
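The two OWASP items above that auditors most often find together, access control enforced only in the UI and denials that are never logged, are illustrated by this added example (it is not code from the slides; the users, roles, session store and permission map are constructed sample data). It contrasts a handler that trusts the role the client sends with one that looks the role up server-side for every request and records each decision for monitoring.

```python
"""Server-side authorization with audit logging (added example)."""
import logging
from dataclasses import dataclass, field

# Constructed role-to-permission map for a hypothetical application.
PERMISSIONS = {
    "admin": {"view_report", "edit_user", "delete_user"},
    "operator": {"view_report", "edit_user"},
    "reporting": {"view_report"},
}

# Constructed session store: session id -> (user, role). The role is bound
# to the session on the server; it is never read from the request body.
SESSIONS = {
    "sess-alice": ("alice", "admin"),
    "sess-bob": ("bob", "reporting"),
}


class AuthorizationError(Exception):
    pass


@dataclass
class AuditLog:
    """Collects every authorization decision so a monitor can review it."""
    denied: list = field(default_factory=list)
    allowed: list = field(default_factory=list)

    def record(self, user, action, allowed):
        entry = {"user": user or "<unknown>", "action": action, "allowed": allowed}
        (self.allowed if allowed else self.denied).append(entry)
        logging.getLogger("authz").info("user=%s action=%s allowed=%s",
                                        entry["user"], action, allowed)


def handle_request_trusting_client(request):
    """The broken pattern: the client claims a role and the server believes it.
    Hiding the admin button in the UI does not stop a crafted request."""
    role = request.get("role", "reporting")
    if request["action"] in PERMISSIONS.get(role, set()):
        return {"status": 200, "action": request["action"]}
    return {"status": 403}


def authorize(session_id, action, audit):
    """Return the acting user if the server-side role permits `action`.
    The decision uses only the role bound to the session."""
    if session_id not in SESSIONS:
        audit.record(None, action, False)
        raise AuthorizationError("unknown session")
    user, role = SESSIONS[session_id]
    allowed = action in PERMISSIONS.get(role, set())
    audit.record(user, action, allowed)
    if not allowed:
        raise AuthorizationError(f"{user} ({role}) may not {action}")
    return user


def handle_request(session_id, action, audit):
    """The hardened pattern: authorize on the server before doing anything."""
    try:
        user = authorize(session_id, action, audit)
    except AuthorizationError:
        return {"status": 403}
    return {"status": 200, "user": user, "action": action}


def repeated_denials(audit, threshold=3):
    """Monitoring rule over the audit log: users denied `threshold` or more
    times are probing for actions the UI did not offer them."""
    counts = {}
    for entry in audit.denied:
        counts[entry["user"]] = counts.get(entry["user"], 0) + 1
    return sorted(u for u, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    log = AuditLog()
    # A client can send any role it likes to the trusting handler.
    print(handle_request_trusting_client({"role": "admin", "action": "delete_user"}))
    # The hardened handler ignores client claims and uses the session's role.
    print(handle_request("sess-bob", "delete_user", log))   # {'status': 403}
    print(handle_request("sess-alice", "delete_user", log)) # {'status': 200, ...}
```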
  • 10. 1/20/2020 10 AI and ML MACHINE LEARNING Algorithmic ways to “describe” data Supervised We are giving the system a lot of training data and it learns from that Unsupervised We give the system some kind of DEEP LEARNING A “newer” machine learning algorithm Eliminates the feature engineering step Explainability / verifiability issues DATA MINING Methods to explore data - automatically ARTIFICIAL INTELLIGENCE A program that doesn't simply classify or compute model parameters, but comes up with novel knowledge that a security analyst finds insightful.” ML IN SECURITY SUPERVISED Malware classification Deep learning on millions of samples - 400k new malware samples a day Has increased true positives and decreased false positives compared to traditional ML Spam identification Analyzing massive amounts of firewall data to predict and score malicious sources (IPs) UNSUPERVISED DNS analytics Domain name classification, lookup Threat Intelligence feed curation IOC prioritization, deduplication, … Tier 1 analyst automation Reducing workload from 600M raw events to User and Entity Behavior Analytics (UEBA) Uses mostly regular statistics and rule-based approaches * See Respond Software Inc. 19 20
  • 11. 1/20/2020 11 MALWARE ATTACKS  General misconception among people  Malware = “malicious software”  Malware is any kind of unwanted software that is installed without your consent on your computer.  Viruses, worms, Trojan horses, bombs, spyware, adware are subgroups of malware. VIRUS TYPES 22 Multipartite – a multi-part virus, a virus that attempts to attack both the boot sector and the executable, or program, files at the same time. When the virus attaches to the boot sector, it will in turn affect the system files, and when the virus attaches to the files, it will in turn infect the boot sector. Appending - A virus that inserts a copy of its malicious code at the end of the file. The goal of an appending virus is not to harm the host program, but to modify it to hold the virus code and then be able to run itself. Overwriting - A type of computer virus that will copy its own code over the host computer system's file data, which destroys the original program. After your computer system has been cleaned using an antivirus program, users will need to install the original program again. 21 22
VIRUS TYPES
• Polymorphic: a virus that changes its virus signature (i.e., its binary pattern) every time it replicates and infects a new file, in order to keep from being detected by an antivirus program.
• Tunneling: a type of virus that attempts installation beneath the antivirus program by directly intercepting the interrupt handlers of the operating system to evade detection.
• Stealth: a computer virus that actively hides itself from antivirus software, either by masking the size of the file that it hides in, or by temporarily removing itself from the infected file and placing a copy of itself in another location on the drive, replacing the infected file with an uninfected one that it has stored on the hard drive.

VIRUS TYPES
• Bimodal: also called a Boot Sector Infector, a bimodal virus is one that infects both boot records and files on the computer system.
• Self-garbling: a type of computer virus that attempts to hide from an antivirus program by garbling its own code. When a self-garbling virus propagates, it changes the encoding of its own code to trick antivirus programs and stay hidden on the computer system.
• Memory resident: a virus that stays in memory after it executes and after its host program is terminated. In contrast, non-memory-resident viruses are only activated when an infected application runs.
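The appending and overwriting types above differ in what they leave of the host file, which is exactly what an integrity baseline can see. As an added illustration (not from the webinar deck), the check below records a known-good file's length and SHA-256 and then classifies a later copy; the "program" bytes and both modified copies are constructed in memory.

```python
"""Classify how a monitored file changed relative to a stored baseline.

Added illustration, not from the webinar deck: a baseline that records a
file's length and the SHA-256 of its contents can tell an 'appending'
change (original bytes intact, new bytes after them) from an 'overwriting'
change (original bytes replaced). All sample bytes below are constructed.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Baseline:
    size: int      # length of the known-good file in bytes
    digest: str    # SHA-256 hex digest of the full known-good contents


def take_baseline(data: bytes) -> Baseline:
    """Record what the file looked like when it was known to be clean."""
    return Baseline(len(data), hashlib.sha256(data).hexdigest())


def classify_change(current: bytes, base: Baseline) -> str:
    """Return 'unchanged', 'appended', 'overwritten' or 'truncated'.

    'appended'   : the first base.size bytes still hash to the baseline and
                   extra bytes follow them (the appending-virus pattern).
    'overwritten': the file is at least as long, but the original prefix no
                   longer matches (the overwriting-virus pattern).
    """
    if len(current) < base.size:
        return "truncated"
    prefix_digest = hashlib.sha256(current[:base.size]).hexdigest()
    if prefix_digest != base.digest:
        return "overwritten"
    return "unchanged" if len(current) == base.size else "appended"


# Constructed sample "program" plus two hypothetical modified copies.
CLEAN_PROGRAM = b"MZ" + b"\x90" * 62 + b"hello-world-program-body"
APPENDED = CLEAN_PROGRAM + b"<<extra bytes placed after the original>>"
OVERWRITTEN = b"<<bytes written over the start>>" + CLEAN_PROGRAM[32:]

if __name__ == "__main__":
    base = take_baseline(CLEAN_PROGRAM)
    for name, blob in (("clean", CLEAN_PROGRAM), ("appended", APPENDED),
                       ("overwritten", OVERWRITTEN)):
        print(f"{name:12s} -> {classify_change(blob, base)}")
```

A stealth virus of the kind described above defeats this check when it runs on the infected host, because the scanner is handed the clean copy; baselines are therefore best compared from outside the suspect system.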
CLOUD ANTIVIRUS
• New form of antivirus program
• The virus scanning is done from a remote location (not on the computer).
• It is popular because it relieves the load on the physical computer's resources.
• Constant functionality (nonstop scanning)
• Security issues

TWO-FACTOR AUTHENTICATION OVERVIEW
• Single-factor passwords
• A major biometric hack shows the weakness of single-factor authentication
• Two-factor authentication requires the use of two of the three authentication factors. Something only the user:
  1. Knows (e.g. password, PIN, secret answer)
  2. Has (e.g. ATM card, mobile phone, hard token)
  3. Is (e.g. biometric: iris, fingerprint, etc.)
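The two-of-three rule above, as an added example (not the webinar's own material): a login check that requires the knowledge factor (a password) and the possession factor (a TOTP code of the kind a phone app or hard token displays). The user record, salt and password are constructed; the TOTP key is the RFC 4226/6238 test key.

```python
"""Two-factor login check: something the user knows AND something the user has.

Added illustration, not the webinar's own code. The possession factor is a
TOTP code (RFC 6238, HMAC-SHA1, 30-second steps) as shown by a phone app or
hard token; the knowledge factor is a salted PBKDF2 password hash. The user
record, salt and password are constructed; the TOTP key is the RFC test key.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 30
DIGITS = 6

def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"

def totp(secret: bytes, at_time: int) -> str:
    """RFC 6238 TOTP: HOTP over the 30-second time step containing at_time."""
    return hotp(secret, at_time // STEP_SECONDS)

def hash_password(password: str, salt: bytes) -> bytes:
    """Knowledge factor: salted PBKDF2-HMAC-SHA256 of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def verify_login(user: dict, password: str, code: str, now: int) -> bool:
    """Accept only when BOTH factors check out at Unix time `now`.

    The TOTP check tolerates one time step of clock skew either way. Both
    factors are evaluated before the decision and compared in constant time.
    """
    knows = hmac.compare_digest(hash_password(password, user["salt"]),
                                user["pw_hash"])
    step = now // STEP_SECONDS
    has = any(hmac.compare_digest(hotp(user["totp_secret"], step + d), code)
              for d in (-1, 0, 1))
    return knows and has

# Constructed demo user; the TOTP key is the RFC 4226/6238 SHA-1 test key.
DEMO_SALT = b"demo-salt-not-for-production"
DEMO_PASSWORD = "correct horse battery staple"
DEMO_USER = {
    "salt": DEMO_SALT,
    "pw_hash": hash_password(DEMO_PASSWORD, DEMO_SALT),
    "totp_secret": b"12345678901234567890",
}

if __name__ == "__main__":
    code = totp(DEMO_USER["totp_secret"], 59)   # RFC 6238 vector: 287082
    print(code, verify_login(DEMO_USER, DEMO_PASSWORD, code, 59))
```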
POLLING QUESTION

INSIDER THREATS
• Insider attacks account for as much as 80% of all computer and Internet related crimes [1]
• 70% of attacks causing at least $20,000 of damage are the direct result of malicious insiders
• The majority of insiders are privileged users, and the majority of attacks are launched from remote machines
TYPICAL INSIDER THREATS
• Data corruption, deletion, and modification
• Leaking sensitive data
• Denial of service attacks
• Blackmail
• Theft of corporate data
• Etc. etc. etc.

INSIDER THREAT REMEDIATION
• Minimize the size of the user population to decrease the number of possible insiders
• Distribute trust amongst multiple parties to force collusion (most insiders act alone)
• Question trust assumptions made in computing systems
• Treat the LAN like the WAN (BroLAN, SANE, etc…)
• Others?
SHADOW IT SYSTEMS
• Shadow IT: unsanctioned apps or services in use
• Shadow Data: unmanaged content that users put into sanctioned apps or services meant for other purposes, or into unsanctioned apps or services
• In GDPR terms:
  • Shadow IT = technology environments where there is a lack of control over which personal data is handled by whom within the organization
  • Shadow Data in sanctioned apps / services may be processed out of policy
  • Shadow Data in unsanctioned apps / services cannot be accounted for

SHADOW IT SYSTEMS
• More than 5,000 personal devices connect to enterprise networks every day with little or no endpoint security enabled in one of every three companies in the U.S., U.K., and Germany.
• More than 1,000 shadow IoT devices connect to enterprise networks every day in 30% of the U.S., U.K., and German companies.
• 12% of U.K. organizations are seeing more than 10,000 shadow IoT devices connect to their enterprise networks every day.
Source: Forbes
RISKS ASSOCIATED WITH SHADOW IT
• The organization loses control of and visibility into the data migrated to Shadow IT systems.
• The risks include:
  • security and regulatory noncompliance,
  • data leaks, and
  • inability to perform disaster recovery measures involving data in Shadow IT systems when required.

CRIME, ESPIONAGE AND SABOTAGE BY ROGUE NATION-STATES
• Utilities and Industrial Control Systems targeted with ransomware
• A nation-state launches a “Fire Sale” attack
• Attackers hold the Internet hostage
• US cyber security strategy is built around four tenets:
  • Protect the American People, the Homeland and the American Way of Life
  • Promote American Prosperity
  • Preserve Peace through Strength
  • Advance American Influence
• More nations developing offensive cyber capabilities
• Isolationist trade policies will incentivize nation states and corporate entities to steal trade secrets and use cyber tactics to disrupt government, critical infrastructure, and vital industries
• China's Belt and Road Initiative to drive cyber espionage activity
POLLING QUESTION

COMPONENTS OF IoT
• IoT consists of three principal components:
  • The things themselves that, in most cases, represent the devices or sensors with the ability to capture or produce data, and the time to create an effect on the environment in which they have some influence
  • The communications network that interconnects the things (this network connectivity, in most cases, is wireless)
  • The computing systems that process and use the data received and/or transmitted by the things, with, in most cases, a minimal computational capability
• Source: https://www.isaca.org/journal/archives/2015/volume-2/pages/internet-of-things-offers-great-opportunities-and-much-risk.aspx
GAO HIGHLIGHTS: INTERNET OF THINGS RISKS
What GAO Found: The Internet of Things (IoT) is the set of Internet-capable devices, such as wearable fitness devices and smartphones, that interact with the physical environment and typically contain elements for sensing, communicating, processing, and actuating. Even as the IoT creates many benefits, it is important to acknowledge its emerging security implications.
Highlights of GAO-17-668, a report to congressional committees

IT RISK AREAS DESERVING INCREASED FOCUS
IT Governance:
• Mission: the mission of IT is not aligned to protect the value of its existing assets and create new or future value.
• IT and Business Alignment: corporations increasingly do not coordinate IT with business processes to realize their true value.
• Portfolio Management: the IT portfolio is not reliable or adequately available.
• IT Risk Management: IT compliance with laws and regulations.
IT RISK AREAS DESERVING INCREASED FOCUS
Enterprise Security:
• Security Configuration Management: security administration processes are undefined.
• Identity and Access Management: system configurations are not in line with the security policy. Access to systems is not managed to ensure access is appropriately administered in a timely manner. Firewalls are not properly configured or monitored to prevent/detect unauthorized access and malicious attacks.
• Security Penetration & Vulnerability Testing: tools and techniques are not in place or not properly configured to periodically test and report to management.
• Security Awareness & Training: security notifications and training do not exist to make users aware of their responsibilities in securing corporate data.
• Security Compliance: management has not implemented a security compliance program to address regulatory requirements (HIPAA, GLBA, SOX, etc.)
Source: Deloitte IT Risk Awareness Presentation

IT RISK AREAS DESERVING INCREASED FOCUS
Crisis Management:
• Business Impact Assessment: an enterprise-wide disaster recovery plan has not been prepared or is not based on a business impact assessment.
• Communications / Crisis Management Plans: management has not prepared or coordinated with cross-functional business units to ensure appropriate escalation and communication of crisis management (declaration and ongoing communication).
• Service Level Agreements: relationships with third-party vendors do not exist to ensure IT operations continuity in case of disaster/crisis.
• Insurance: insurance agreements do not exist for the IT infrastructure or business impact.
• Site Reconstruction / Relocation: the disaster recovery plan does not contain a strategy to either rebuild or relocate IT operations permanently to ensure continuity in the case of total loss of production systems.
• Disaster Recovery Testing: management has not periodically tested the disaster recovery plan, or has not documented results and incorporated improvements into the disaster recovery plans.
Source: Deloitte IT Risk Awareness Presentation
POLLING QUESTION

MORE LEGISLATION
• California Consumer Privacy Act
• State statute intended to enhance privacy rights and consumer protection for residents of California
• Took effect on January 1, 2020
Six statutory rights:
1. To be provided with information on what personal information is collected about them and the purposes for which that personal information is used.
2. To be provided with information on what personal information is sold or disclosed for a business purpose and to whom.
3. To opt out of the sale of their personal information to third parties (or in the case of minors under age 16, to require an opt-in before the sale of their personal information).
4. To request the deletion of their personal information.
5. Not to be subject to discrimination for exercising any of the above rights, including being denied goods or services, being charged a different price, or being subjected to a lower level of quality of such goods or services.
6. To seek statutory damages of $100 to $750 for breaches of unencrypted personal information that arise as a result of a business' violation of its duty to implement and maintain reasonable security procedures.
APPLIES TO
• For-profit business entities in CA that:
  • Have gross revenue of 25 million dollars or more
  • Receive or share data of more than 50,000 consumers, households, or devices
  • Derive more than 50% of revenue from the sale of PHI
• Exception for HIPAA, CMIA (California Medical Information Act), GLBA (Gramm-Leach-Bliley Act) statutes

REQUIREMENTS
• Businesses are required to post on their website, or by other public means, how they are using or not using consumer data for a rolling 12 months, together with opt-out instructions
• Businesses will have to develop processes and procedures to accommodate all consumer rights, including data mapping / access reports
• Requirements for businesses to reasonably safeguard consumer data
• Significant damage implications for businesses that fail to comply (enforced by the CA AG)
• Consumers have a private right of action, but it is limited ($100 to $750 per violation)
• Fines for businesses: $7,500 per violation
WHAT IS GDPR?
• On 4 May 2016, the EU Regulation on Data Protection (GDPR) was published in the Official Journal of the European Union
• The GDPR entered into force on 24 May 2016 to replace the former 1995 EU Data Protection Directive and create a harmonized data protection law across Europe
• To more effectively manage data on their customers, employees, contacts and any other relevant persons

WHAT IS DATA PROTECTION?
Data Protection is about avoiding harm to individuals by misusing or mismanaging their personal data. So if you collect, use, or store personal data then the Data Protection Act applies to you. It sets out eight principles you have to adhere to, which include:
• Only collect information for specific purposes and don't then use it for other purposes
• Only collect what you need for the specific purpose
• Keep it accurate and up to date, and safe and secure
• Process information lawfully and allow subject access in line with the Act
GDPR & WHY IT'S IMPORTANT
Why is it important?
• Significant impact for organisations and how they manage data, with some potentially very large penalties for violations (4% of global revenues)
• Impacts the storage, processing, access, transfer, and disclosure of an individual's data records
Who is affected?
• These protections apply to any organisation (anywhere in the world) that processes the personal data of EU data subjects

POLLING QUESTION
CYBER ATTACKS ON UTILITIES AND PUBLIC INFRASTRUCTURE
We are increasingly dependent on the Internet:
• Directly
  • Communication (email, IM, VoIP)
  • Commerce (business, banking, e-commerce, etc.)
  • Control systems (public utilities, etc.)
  • Information and entertainment
  • Sensitive data stored on the Internet
• Indirectly
  • Business, education and government have permanently replaced physical/manual processes with Internet-based processes

CYBERSECURITY ROADBLOCKS
• No metrics to measure (in)security
• The Internet is inherently international
• The private sector owns most of the infrastructure
• “Cybersecurity Gap”: a cost/incentive disconnect?
  • Businesses will pay to meet business imperatives
  • Who's going to pay to meet national security imperatives?
CORPORATE VS NATIONAL
• Corporate cybersecurity = availability, integrity and secrecy of information systems and networks in the face of attacks, accidents and failures, with the goal of protecting a corporation's operations and assets
• National cybersecurity = availability, integrity and secrecy of the information systems and networks in the face of attacks, accidents and failures, with the goal of protecting a nation's operations and assets (preventing an electronic Pearl Harbour)

NATIONAL INFRASTRUCTURE PROTECTION PLAN (NIPP) FROM DHS
The NIPP provides a strategic context for infrastructure protection/resiliency
• Dynamic threat environment
  • Natural disasters
  • Terrorists
  • Accidents
  • Cyber attacks
• A complex problem, requiring a national plan and organizing framework
  • 18 sectors, all different, ranging from asset-focused to systems and networks
  • Outside regulatory space (very few security-focused regimes)
  • 85% privately owned
  • 100% in State and local jurisdictions
CRITICAL INFRASTRUCTURE & KEY RESOURCES (CIKR)
• Critical Infrastructure: systems and assets, whether physical or virtual, so vital to the United States that the incapacitation or destruction of such systems and assets would have a debilitating impact on national security, national economic security, public health or safety, or any combination of those matters
• Key Resources: publicly or privately controlled resources essential to the minimal operations of the economy or government
Why is CIKR protection important?
• Essential to the Nation's security, public health and safety, economic vitality, and way of life

QUESTIONS?
Any questions? Don't be shy!
AUDITNET® AND CRISK ACADEMY
• If you would like forever access to this webinar recording
• If you are watching the recording, and would like to obtain CPE credit for this webinar
• Previous AuditNet® webinars are also available on-demand for CPE credit
http://criskacademy.com
http://ondemand.criskacademy.com
Use coupon code: 50OFF for a discount on this webinar for one week

THANK YOU!
Jim Kaplan, AuditNet® LLC
1-800-385-1625
Email: info@auditnet.org
www.auditnet.org
Follow me on Twitter for special offers: @auditnet
Join my LinkedIn Group: https://www.linkedin.com/groups/44252/
Like my Facebook business page: https://www.facebook.com/pg/AuditNetLLC

Richard Cascarino & Associates
Cell: +1 970 819 7963
Tel: +1 303 747 6087 (Skype Worldwide)
Tel: +1 970 367 5429
Email: rcasc@rcascarino.com
Web: http://www.rcascarino.com
Skype: Richard.Cascarino