Organizations are increasingly looking to their Internal Auditors to provide independent assurance about cyber risks and the organization's ability to defend against cyber attacks. With information technology becoming an inherent critical success factor for every business and the emerging cyber threat landscape, every internal auditor needs to equip themselves on IT audit essentials and cyber issues.
In part 12 of our Cyber Security Series you will learn about the current cyber risks and attack methods from Richard Cascarino, including:
Where are we now and Where are we going?
Current Cyberrisks
• Data Breach and Cloud Misconfigurations
• Insecure Application User Interface (API)
• The growing impact of AI and ML
• Malware Attack
• Single factor passwords
• Insider Threat
• Shadow IT Systems
• Crime, espionage and sabotage by rogue nation-states
• IoT
• CCPA and GDPR
• Cyber attacks on utilities and public infrastructure
• Shift in attack vectors
1/20/2020
Cybersecurity Series 2019 Update
Richard Cascarino CISM, CIA, ACFE, CRMA
About Jim Kaplan, CIA, CFE
• President and Founder of AuditNet®, the global resource for auditors (available on iOS, Android and Windows devices)
• Auditor, Web Site Guru, Internet for Auditors Pioneer
• IIA Bradford Cadmus Memorial Award Recipient
• Local Government Auditor’s Lifetime Award
• Author of “The Auditor’s Guide to Internet Resources” 2nd Edition
ABOUT AUDITNET® LLC
• AuditNet®, the global resource for auditors, serves the global audit community as the primary resource for Web-based auditing content. As the first online audit portal, AuditNet® has been at the forefront of websites dedicated to promoting the use of audit technology.
• Available on the Web, iPad, iPhone, Windows and Android devices and features:
• Over 2,800 Reusable Templates, Audit Programs, Questionnaires, and Control Matrices
• Webinars focusing on fraud, data analytics, IT audit, and internal audit with free CPE for subscribers and site license users.
• Audit guides, manuals, and books on audit basics and using audit technology
• LinkedIn Networking Groups
• Monthly Newsletters with Expert Guest Columnists
• Surveys on timely topics for internal auditors
Introductions
HOUSEKEEPING
This webinar and its material are the property of AuditNet® and its Webinar partners. Unauthorized usage or recording of this webinar or any of its material is strictly forbidden.
• If you logged in with another individual’s confirmation email you will not receive CPE as the confirmation login is linked to a specific individual.
• This Webinar is not eligible for viewing in a group setting. You must be logged in with your unique join link.
• We are recording the webinar and you will be provided access to that recording after the webinar. Downloading or otherwise duplicating the webinar recording is expressly prohibited.
• If you have indicated you would like CPE you must attend the entire Webinar to receive CPE (no partial CPE will be awarded).
• If you meet the criteria for earning CPE you will receive a link via email to download your certificate. The official email for CPE will be issued via NoReply@gensend.io and it is important to white list this address. It is from this email that your CPE credit will be sent. There is a processing fee to have your CPE credit regenerated post event.
• Submit questions via the chat box on your screen and we will answer them either during or at the conclusion.
• You must answer the survey questions after the Webinar or before downloading your certificate.
ABOUT RICHARD CASCARINO, MBA, CIA, CISM, CFE, CRMA
• Principal of Richard Cascarino & Associates based in Colorado USA
• Over 28 years’ experience in IT audit training and consultancy
• Past President of the Institute of Internal Auditors in South Africa
• Member of ISACA
• Member of Association of Certified Fraud Examiners
• Author of Data Analytics for Internal Auditors
TODAY’S AGENDA
Where are we now and Where are we going?
Current Cyberrisks
Data Breach and Cloud Misconfigurations
Shift in attack vectors
Insecure Application User Interface (API)
The growing impact of AI and ML
Malware Attack
Single factor passwords
Insider Threat
Shadow IT Systems
Crime, espionage and sabotage by rogue nation-states
IoT
CCPA and GDPR
Cyber attacks on utilities and public infrastructure
ARCHITECTURE AND SERVICE DEFINITIONS
Three Cloud Service Delivery Models:
1. Infrastructure as a Service (IaaS)
2. Platform as a Service (PaaS)
3. Software as a Service (SaaS)
Four Cloud Service Deployment Models:
1. Public
2. Private
3. Community
4. Hybrid
THREATS TO CLOUD COMPUTING
Changes to business model
Abusive use of cloud computing
Insecure interfaces and API
Malicious insiders
Shared technology issues
Data loss and leakage
Service hijacking
Risk profiling
Identity theft
THE ATTACK VECTORS
Any system
Any infrastructure
Any communication
Any language
Any architecture
Any component
Any information, any data
Any physical layer
Any logical layer
Any storage device / facility
Any (communication) channel
Any interface
Any encryption
Any environment
Any site (including DR)
Any transaction
Any log and audit trail
Any archive
Any process (operations, ongoing, development)
CONTAINING DATA BREACHES
Need to Identify:
What type of data has been breached?
Is there any sensitive information?
How many people could be affected?
How many records?
POLLING QUESTION
DO YOU KNOW?
• 75% of attacks today happen at the Application Layer (Gartner).
• Many “easy hacking recipes” published on web.
• Security holes in the web application layer can make a perfectly patched and firewalled server completely vulnerable.
The cost and reputation savings of avoiding a security breach are “priceless”
OWASP- TOP 10 VULNERABILITIES IN WEB APPLICATIONS
• Injection: Injection attacks occur when the user is able to input untrusted data that tricks the application/system into executing unintended commands. Injections can be SQL queries, PHP queries, LDAP queries and OS commands.
• Broken Authentication: Broken authentication occurs when the application mismanages session-related information such that the user’s identity gets compromised. The information can be in the form of session cookies, passwords, secret keys etc., and is used to get into someone else’s session, reuse a session which has been ended by the user, or steal session-related information.
• Sensitive Data Exposure: Attackers can sniff or modify sensitive data if it is not handled securely by the application. A few examples include the use of weak encryption keys and the use of weak TLS, which let an attacker identify sensitive data bits and exploit them.
• XML External Entities (XXE): An application is vulnerable to XXE attacks if it enables users to upload a malicious XML document which further exploits the vulnerable code and/or dependencies, for example to execute code, steal data and perform other malicious tasks.
OWASP- TOP 10 VULNERABILITIES IN WEB APPLICATIONS
• Broken Access Control: Applications have various account types depending on the users: admins, operators, reporting groups etc. One common problem is that the developers restrict the privileges just on the UI side and not on the server side. If exploited, any user can end up with admin rights.
• Security Misconfigurations: Developers and IT staff ensure functionality, not security. Many of the security requirements get missed unless identified by experts or hackers. Security misconfigurations can include weak passwords, default passwords, default scripts stored on the servers, default directories, default error messages etc.
• Cross Site Scripting (XSS): Cross-site scripting occurs when an attacker is able to insert untrusted data/scripts into a web page. The data/scripts inserted by the attacker get executed in the browser and can steal users’ data, deface websites etc.
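The “restricted only on the UI side” problem above, as an added example that is not from the original slides. The session store, report records and the names `SESSIONS`, `REPORTS`, `authorize` are constructed for illustration: the first handler trusts an admin flag that arrived with the request (hidden in the UI, but still honoured by the server), the second decides from server-held session data and per-object ownership.

```python
# Constructed server-side state: who is logged in, and who owns what.
SESSIONS = {
    "sess-alice": {"user": "alice", "role": "admin"},
    "sess-bob": {"user": "bob", "role": "operator"},
}
REPORTS = {
    101: {"owner": "alice", "body": "quarterly audit findings"},
    102: {"owner": "bob", "body": "ops capacity report"},
}


class Forbidden(Exception):
    """Raised when an access decision is negative."""


def get_report_ui_only(request: dict) -> str:
    # Anti-pattern from the slide: the UI hides the admin checkbox from
    # non-admins, but the server still believes `is_admin` if it is sent.
    report = REPORTS[request["report_id"]]
    if request.get("is_admin") or request["user"] == report["owner"]:
        return report["body"]
    raise Forbidden()


def authorize(session_id: str, report_id: int) -> bool:
    # Server-side decision: identity and role come from the session store,
    # never from request fields, and ownership is checked per object.
    session = SESSIONS.get(session_id)
    report = REPORTS.get(report_id)
    if session is None or report is None:
        return False
    return session["role"] == "admin" or session["user"] == report["owner"]


def get_report_enforced(session_id: str, report_id: int) -> str:
    if not authorize(session_id, report_id):
        # One error for "no such report" and "not yours", so callers cannot
        # enumerate valid report IDs from differing responses.
        raise Forbidden()
    return REPORTS[report_id]["body"]


if __name__ == "__main__":
    # Constructed request: bob edits the hidden flag and reads alice's report.
    print(get_report_ui_only({"user": "bob", "report_id": 101, "is_admin": True}))
    print(authorize("sess-bob", 101))  # False: the server-side check holds
```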
OWASP- TOP 10 VULNERABILITIES IN WEB APPLICATIONS
• Insecure Deserialization: Many applications which rely on the client to maintain state may allow tampering with serialized data.
• Using Components with Known Vulnerabilities: When components with known vulnerabilities are used by the application, this may lead to security breaches or server takeover. The components can be coding frameworks, libraries, vulnerable functions, network frameworks etc.
• Insufficient Logging and Monitoring: Attacks still happen and get noticed only after an incident has occurred. To ensure the malicious intent of the attackers gets noticed beforehand, it is essential to log all activity and monitor it for any suspicious behavior.
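An added example of the logging and monitoring point, not part of the original presentation: a small detector run over constructed login log lines (the line format, user names and IP addresses are made up) that flags a burst of failed logins from one source inside a time window and escalates when a success from that source follows the burst.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a made-up key=value format.
SAMPLE_LOG = """\
2020-01-20T09:00:01 auth login result=FAIL user=alice src=203.0.113.5
2020-01-20T09:00:04 auth login result=FAIL user=alice src=203.0.113.5
2020-01-20T09:00:07 auth login result=FAIL user=alice src=203.0.113.5
2020-01-20T09:00:09 auth login result=FAIL user=alice src=203.0.113.5
2020-01-20T09:00:12 auth login result=FAIL user=alice src=203.0.113.5
2020-01-20T09:00:15 auth login result=OK user=alice src=203.0.113.5
2020-01-20T09:05:00 auth login result=FAIL user=bob src=198.51.100.7
2020-01-20T09:30:00 auth login result=OK user=bob src=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth login result=(?P<result>\w+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(log: str) -> list:
    """Turn raw lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            event = m.groupdict()
            event["ts"] = datetime.fromisoformat(event["ts"])
            events.append(event)
    return events


def detect_bruteforce(events: list, threshold: int = 5,
                      window: timedelta = timedelta(minutes=2)) -> list:
    """Sliding window per source address.

    Emits ("password-guessing", src, user) when `threshold` failures fall
    inside `window`, and ("success-after-burst", src, user) when a
    successful login from the same source follows such a burst.
    """
    alerts = []
    failures = defaultdict(list)  # src -> timestamps of recent failures
    for e in events:
        bucket = failures[e["src"]]
        if e["result"] == "FAIL":
            bucket.append(e["ts"])
            while bucket and e["ts"] - bucket[0] > window:
                bucket.pop(0)  # drop failures that aged out of the window
            if len(bucket) == threshold:
                alerts.append(("password-guessing", e["src"], e["user"]))
        elif e["result"] == "OK":
            if len(bucket) >= threshold:
                alerts.append(("success-after-burst", e["src"], e["user"]))
            bucket.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse(SAMPLE_LOG)):
        print(alert)
```

Bob's single failure followed by a success twenty-five minutes later produces no alert; the point is that without the log lines there is nothing to run the rule over.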
POLLING QUESTION
AI and ML
MACHINE LEARNING
Algorithmic ways to “describe” data
Supervised: We are giving the system a lot of training data and it learns from that
Unsupervised: We give the system some kind of
DEEP LEARNING
A “newer” machine learning algorithm
Eliminates the feature engineering step
Explainability / verifiability issues
DATA MINING
Methods to explore data automatically
ARTIFICIAL INTELLIGENCE
A program that doesn't simply classify or compute model parameters, but comes up with novel knowledge that a security analyst finds insightful.
ML IN SECURITY
SUPERVISED
Malware classification: deep learning on millions of samples (400k new malware samples a day); has increased true positives and decreased false positives compared to traditional ML
Spam identification
Analyzing massive amounts of firewall data to predict and score malicious sources (IPs)
UNSUPERVISED
DNS analytics: domain name classification, lookup
Threat Intelligence feed curation: IOC prioritization, deduplication, …
Tier 1 analyst automation: reducing workload from 600M raw events to
User and Entity Behavior Analytics (UEBA): uses mostly regular statistics and rule-based approaches
* See Respond Software Inc.
MALWARE ATTACKS
General misconception among people: Malware = “malicious software”
Malware is any kind of unwanted software that is installed without your consent on your computer.
Viruses, worms, Trojan horses, bombs, spyware, adware are subgroups of malware.
VIRUS TYPES
Multipartite – a multi-part virus, a virus that attempts to attack both the boot sector and the executable, or program, files at the same time. When the virus attaches to the boot sector, it will in turn affect the system files, and when the virus attaches to the files, it will in turn infect the boot sector.
Appending – A virus that inserts a copy of its malicious code at the end of the file. The goal of an appending virus is not to harm the host program, but to modify it to hold the virus code and then be able to run itself.
Overwriting – A type of computer virus that will copy its own code over the host computer system's file data, which destroys the original program. After your computer system has been cleaned using an antivirus program, users will need to install the original program again.
VIRUS TYPES
Polymorphic – A virus that changes its virus signature (i.e., its binary pattern) every time it replicates and infects a new file in order to keep from being detected by an antivirus program.
Tunneling – A type of virus that attempts installation beneath the antivirus program by directly intercepting the interrupt handlers of the operating system to evade detection.
Stealth – A computer virus that actively hides itself from antivirus software by either masking the size of the file that it hides in or temporarily removing itself from the infected file and placing a copy of itself in another location on the drive, replacing the infected file with an uninfected one that it has stored on the hard drive.
VIRUS TYPES
Bimodal – Also called a Boot Sector Infector, a bimodal virus is one that infects both boot records and files on the computer system.
Self-garbling – A type of computer virus that will attempt to hide from an antivirus program by garbling its own code. When a self-garbling virus propagates it will change the encoding of its own code to trick antivirus programs and stay hidden on the computer system.
Memory resident – A virus that stays in memory after it executes and after its host program is terminated. In contrast, non-memory-resident viruses are only activated when an infected application runs.
CLOUD ANTIVIRUS
New form of antivirus program
The virus scanning is done from a remote location (not on the computer).
It is popular because it relieves the load on the physical computer’s resources.
Constant functionality (nonstop scanning)
Security issues
TWO-FACTOR AUTHENTICATION OVERVIEW
Single Factor passwords
A major biometric hack shows the weakness of single-factor authentication
Two-factor authentication requires the use of two of the three authentication factors:
Something only the user:
1. Knows (e.g. password, PIN, secret answer)
2. Has (e.g. ATM card, mobile phone, hard token)
3. Is (e.g. biometric – iris, fingerprint, etc.)
POLLING QUESTION
INSIDER THREATS
Insider attacks account for as much as 80% of all computer and Internet related crimes [1]
70% of attacks causing at least $20,000 of damage are the direct result of malicious insiders
Majority of insiders are privileged users and majority of attacks are launched from remote machines
TYPICAL INSIDER THREATS
Data corruption, deletion, and modification
Leaking sensitive data
Denial of service attacks
Blackmail
Theft of corporate data
Etc. Etc. Etc
INSIDER THREAT REMEDIATION
Minimize the size of the user population to decrease the number of possible insiders
Distribute trust amongst multiple parties to force collusion
Most insiders act alone
Question trust assumptions made in computing systems
Treat the LAN like the WAN
BroLAN, SANE, etc…
Others?
SHADOW IT SYSTEMS
Shadow IT: Unsanctioned apps or services in use
Shadow Data: Unmanaged content that users put into sanctioned apps or services meant for other purposes, or into unsanctioned apps or services
In GDPR terms:
Shadow IT = Technology environments where there is a lack of control over which personal data is handled by whom within the organization
Shadow Data in sanctioned apps / services may be processed out of policy
Shadow Data in unsanctioned apps / services cannot be accounted for
SHADOW IT SYSTEMS
More than 5,000 personal devices connect to enterprise networks every day with little or no endpoint security enabled in one of every three companies in the U.S., U.K., and Germany.
More than 1,000 shadow IoT devices connect to enterprise networks every day in 30% of the U.S., U.K., and German companies.
12% of U.K. organizations are seeing more than 10,000 shadow IoT devices connect to their enterprise networks every day.
Source: Forbes
RISKS ASSOCIATED WITH SHADOW IT
The organization loses control and visibility into the data migrated to Shadow IT systems.
The risks include: security and regulatory noncompliance, data leaks, and inability to perform disaster recovery measures involving data in Shadow IT systems when required.
CRIME, ESPIONAGE AND SABOTAGE BY ROGUE NATION-STATES
Utilities and Industrial Control Systems targeted with Ransomware
A Nation-State Launches a “Fire Sale” Attack
Attackers hold the Internet Hostage
US cyber security strategy is built around four tenets:
Protect the American People, the Homeland and the American Way of Life
Promote American Prosperity
Preserve Peace through Strength
Advance American Influence
More nations developing offensive cyber capabilities
Isolationist trade policies will incentivize nation states and corporate entities to steal trade secrets and use cyber tactics to disrupt government, critical infrastructure, and vital industries
China's Belt and Road Initiative to drive cyber espionage activity
POLLING QUESTION
Components of IoT
IoT consists of three principal components:
The things themselves that, in most cases, represent the devices or sensors with the ability to capture or produce data, and the time to create an effect on the environment in which they have some influence
The communications network that interconnects the things (this network connectivity, in most cases, is wireless)
The computing systems that process and use the data received and/or transmitted by the things, with, in most cases, a minimal computational capability
Source: https://www.isaca.org/journal/archives/2015/volume-2/pages/internet-of-things-offers-great-opportunities-and-much-risk.aspx
GAO Highlights INTERNET OF THINGS RISKS
What GAO Found
The Internet of Things (IoT) is the set of Internet-capable devices, such as wearable fitness devices and smartphones, that interact with the physical environment and typically contain elements for sensing, communicating, processing, and actuating. Even as the IoT creates many benefits, it is important to acknowledge its emerging security implications.
Highlights of GAO-17-668, a report to congressional committees
IT Risk Areas Deserving Increased Focus
IT Governance:
Mission: The mission of IT is not aligned to protect the value of its existing assets and create new or future value.
IT and Business Alignment: Corporations increasingly do not coordinate IT with business processes to realize their true value.
Portfolio Management: The IT Portfolio is not reliable or adequately available.
IT Risk Management: IT compliance with laws and regulations.
IT Risk Areas Deserving Increased Focus
Enterprise Security:
Security Configuration Management: Security administration processes are undefined.
Identity and Access Management: System configurations are not in line with the security policy. Access to systems is not managed to ensure access is appropriately administered in a timely manner. Firewalls are not properly configured or monitored to prevent/detect unauthorized access and malicious attacks.
Security Penetration & Vulnerability Testing: Tools and techniques are not in place or not properly configured to periodically test and report to management.
Security Awareness & Training: Security notifications and training do not exist to make users aware of their responsibilities in securing corporate data.
Security Compliance: Management has not implemented a security compliance program to address regulatory requirements (HIPAA, GLBA, SOX, etc.)
Source: Deloitte IT Risk Awareness Presentation
IT Risk Areas Deserving Increased Focus
Crisis Management:
Business Impact Assessment: An enterprise-wide disaster recovery plan has not been prepared or is not based on a business impact assessment.
Communications / Crisis Management Plans: Management has not prepared or coordinated with cross-functional business units to ensure appropriate escalation and communication of crisis management (declaration and ongoing communication).
Service Level Agreements: Relationships with third party vendors do not exist to ensure IT operations continuity in case of disaster/crisis.
Insurance: Insurance agreements do not exist for the IT infrastructure or Business Impact
Site Reconstruction / Relocation: The disaster recovery plan does not contain a strategy to either rebuild or relocate IT operations permanently to ensure continuity in the case of total loss of production systems.
Disaster Recovery Testing: Management has not periodically tested the disaster recovery plan or has not documented results and incorporated improvements into the disaster recovery plans.
Source: Deloitte IT Risk Awareness Presentation
POLLING QUESTION
MORE LEGISLATION
California Consumer Privacy Act
State statute intended to enhance privacy rights and consumer protection for residents of California
Took effect on January 1, 2020
Six Statutory rights:
1. To be provided with information on what personal information is collected about them and the purposes for which that personal information is used.
2. To be provided with information on what personal information is sold or disclosed for a business purpose and to whom.
3. To opt out of the sale of their personal information to third parties (or in the case of minors under age 16, to require an opt in before the sale of their personal information).
4. To request the deletion of their personal information.
5. Not to be subject to discrimination for exercising any of the above rights, including being denied goods or services or being charged a different price, or being subjected to a lower level of quality, of such goods or services.
6. To seek statutory damages of $100 to $750 for breaches of unencrypted personal information that arise as a result of a business’ violation of its duty to implement and maintain reasonable security procedures.
APPLIES TO
For-profit business entities in CA that:
Have gross revenue of $25 million or more
Receive or share data on more than 50,000 consumers, households, or devices
Derive more than 50% of revenue from the sale of PHI
Exception for HIPAA, CMIA (California Medical Information Act), GLBA (Gramm-Leach-Bliley Act) statutes
REQUIREMENTS
Businesses are required to post details on their website or by other public means of how they’re using or not using consumer data for a rolling 12 months, together with opt out instructions
Businesses will have to develop processes and procedures to accommodate all consumer rights including data mapping / access reports
Requirements for businesses to reasonably safeguard consumer data
Significant damage implications for businesses that fail to comply (enforced by CA AG)
Consumers have a private right of action but it’s limited ($100 to $750 per violation)
Fines for business: $7,500 per violation
WHAT IS GDPR?
On 4 May 2016, the EU Regulation on Data Protection (GDPR) was published in the Official Journal of the European Union
The GDPR entered into force on 24 May 2016 to replace the former 1995 EU Data Protection Directive and create a harmonized data protection law across Europe
To more effectively manage data on their customers, employees, contacts and any other relevant persons
WHAT IS DATA PROTECTION?
Data Protection is about avoiding harm to individuals by misusing or mismanaging their personal data.
So if you collect, use, or store personal data then the Data Protection Act applies to you. It sets out eight principles you have to adhere to, which include:
Only collect information for specific purposes and don’t then use it for other purposes
Only collect what you need for the specific purpose
Keep it accurate and up to date; and safe and secure
Process information lawfully and allow subject access in line with the Act.
GDPR & WHY IT’S IMPORTANT
Why is it important?
Significant impact for organisations and how they manage data with some potentially very large penalties for violations – 4% of global revenues
Impacts the storage, processing, access, transfer, and disclosure of an individual’s data records
Who is affected?
These protections apply to any organisation (anywhere in the world) that processes the personal data of EU data subjects
POLLING QUESTION
CYBER ATTACKS ON UTILITIES AND PUBLIC INFRASTRUCTURE
We are increasingly dependent on the Internet:
Directly
Communication (Email, IM, VoIP)
Commerce (business, banking, e-commerce, etc)
Control systems (public utilities, etc)
Information and entertainment
Sensitive data stored on the Internet
Indirectly
Biz, Edu, Gov have permanently replaced physical/manual processes with Internet-based processes
CYBERSECURITY ROADBLOCKS
No metrics to measure (in)security
Internet is inherently international
Private sector owns most of the infrastructure
“Cybersecurity Gap”: a cost/incentive disconnect?
Businesses will pay to meet business imperatives
Who’s going to pay to meet national security imperatives?
CORPORATE VS NATIONAL
Corporate cybersecurity = availability, integrity and secrecy of information systems and networks in the face of attacks, accidents and failures with the goal of protecting a corporation’s operations and assets
National cybersecurity = availability, integrity and secrecy of the information systems and networks in the face of attacks, accidents and failures with the goal of protecting a nation’s operations and assets (preventing an electronic Pearl Harbour)
National Infrastructure Protection Plan (NIPP)
From DHS
THE NIPP PROVIDES A STRATEGIC CONTEXT FOR INFRASTRUCTURE PROTECTION/RESILIENCY
Dynamic threat environment: Natural Disasters, Terrorists, Accidents, Cyber Attacks
A complex problem, requiring a national plan and organizing framework
18 Sectors, all different, ranging from asset-focused to systems and networks
Outside regulatory space (very few security-focused regimes)
85% privately owned
100% in State and local jurisdictions
CRITICAL INFRASTRUCTURE & KEY RESOURCES (CIKR)
Critical Infrastructure: Systems and assets, whether physical or virtual, so vital to the United States that the incapacitation or destruction of such systems and assets would have a debilitating impact on national security, national economic security, public health or safety, or any combination of those matters
Key Resources: Publicly or privately controlled resources essential to the minimal operations of the economy or government
Why is CIKR Protection Important?
Essential to the Nation’s security, public health and safety, economic vitality, and way of life
QUESTIONS?
Any Questions?
Don’t be Shy!
AUDITNET® AND CRISK ACADEMY
• If you would like forever access to this webinar recording
• If you are watching the recording, and would like to obtain CPE credit for this webinar
• Previous AuditNet® webinars are also available on-demand for CPE credit
http://criskacademy.com
http://ondemand.criskacademy.com
Use coupon code: 50OFF for a discount on this webinar for one week
THANK YOU!
Jim Kaplan
AuditNet® LLC
1-800-385-1625
Email: info@auditnet.org
www.auditnet.org
Follow Me on Twitter for Special Offers - @auditnet
Join my LinkedIn Group – https://www.linkedin.com/groups/44252/
Like my Facebook business page https://www.facebook.com/pg/AuditNetLLC
Richard Cascarino & Associates
Cell: +1 970 819 7963
Tel +1 303 747 6087 (Skype Worldwide)
Tel: +1 970 367 5429
eMail: rcasc@rcascarino.com
Web: http://www.rcascarino.com
Skype: Richard.Cascarino