Organizations are increasingly looking to their Internal Auditors to provide independent assurance about cyber risks and the organization's ability to defend against cyber attacks. With information technology becoming an inherent critical success factor for every business and the emerging cyber threat landscape, every internal auditor needs to equip themselves on IT audit essentials and cyber issues.
In part 14 of our Cyber Security Series you will learn about the current cyber risks and attack methods from Richard Cascarino, including:
Where are we now and Where are we going?
Current Cyber risks
• Data Breach and Cloud Misconfigurations
• Insecure Application Programming Interface (API)
• The growing impact of AI and ML
• Malware Attack
• Single factor passwords
• Insider Threat
• Shadow IT Systems
• Crime, espionage and sabotage by rogue nation-states
• IoT
• CCPA and GDPR
• Cyber attacks on utilities and public infrastructure
• Shift in attack vectors
7/15/2020
Richard Cascarino CISM, CIA, ACFE, CRMA
Cybersecurity Series
2020 Update 4
About Jim Kaplan, CIA, CFE
• President and Founder of AuditNet®, the global resource for auditors (available on iOS, Android and Windows devices)
• Auditor, Web Site Guru, Internet for Auditors Pioneer
• IIA Bradford Cadmus Memorial Award Recipient
• Local Government Auditor’s Lifetime Award
• Author of “The Auditor’s Guide to Internet Resources” 2nd Edition
ABOUT AUDITNET® LLC
• AuditNet®, the global resource for auditors, serves the global audit community as the primary resource for Web-based auditing content. As the first online audit portal, AuditNet® has been at the forefront of websites dedicated to promoting the use of audit technology.
• Available on the Web, iPad, iPhone, Windows and Android devices and features:
• Over 3,200 Reusable Templates, Audit Programs, Questionnaires, and Control Matrices
• Webinars focusing on fraud, data analytics, IT audit, and internal audit with free CPE for subscribers and site license users.
• Audit guides, manuals, and books on audit basics and using audit technology
• LinkedIn Networking Groups
• Monthly Newsletters with Expert Guest Columnists
• Surveys on timely topics for internal auditors
HOUSEKEEPING
This webinar and its material are the property of AuditNet® and its Webinar partners. Unauthorized usage or recording of this webinar or any of its material is strictly forbidden.
• If you logged in with another individual’s confirmation email you will not receive CPE as the confirmation login is linked to a specific individual
• This Webinar is not eligible for viewing in a group setting. You must be logged in with your unique join link.
• We are recording the webinar and you will be provided access to that recording after the webinar. Downloading or otherwise duplicating the webinar recording is expressly prohibited.
• If you meet the criteria for earning CPE, you will receive a link via email to download your certificate. The official email for CPE will be issued via cpe@email.cpe.io and it is important to white list this address. It is from this email that your CPE credit will be sent. There may be a processing fee to have your CPE credit regenerated if you did not receive the first mailing.
• Submit questions via the chat box on your screen and we will answer them either during or at the conclusion.
• You must answer the survey questions after the Webinar or before downloading your certificate.
ABOUT RICHARD CASCARINO, MBA, CIA, CISM, CFE, CRMA
• Principal of Richard Cascarino & Associates based in Colorado USA
• Over 28 years’ experience in IT audit training and consultancy
• Past President of the Institute of Internal Auditors in South Africa
• Member of ISACA
• Member of Association of Certified Fraud Examiners
• Author of Data Analytics for Internal Auditors
TODAY’S AGENDA
Where do we start
Developing a cybersecurity architecture
Typical IT Architecture
Sources of threat
Hardening the operating system
Hardening the network
Evaluating cybersecurity architecture design effectiveness
Where are the prime vulnerabilities
FROM INFORMATION SECURITY FORUM
Increases in:
Disruption: Over-reliance on fragile connectivity creates the potential for premeditated internet outages capable of bringing trade to its knees and heightened risk that ransomware will be used to hijack the Internet of Things.
Distortion: The intentional spread of misinformation, including by bots and automated sources, causes trust in the integrity of information to be compromised.
Deterioration: Rapid advances in intelligent technologies plus conflicting demands posed by evolving national security and individual privacy regulations negatively impact organizations’ ability to control their own information.
CHANGING FOCUS OF THE INDUSTRY
[Diagram: spending ($$$) and attention shown against two areas, "Desktop, Users" and "Data Center".]
Attention is focused on technologies and products that ship in millions of units per year
[Diagram: access paths into the system, with "Access here!" marked at the Application, System Software and Network layers; the diagram label "PREVIOUS PRESENT" is cut off in the source.]
DIGITAL ASSETS : CHALLENGES
INFORMATION SECURITY
Confidentiality (Clause 3.3 of ISO/IEC 27001): Ensuring that information is accessible only to those authorized to have access
Integrity (Clause 3.8 of ISO/IEC 27001): Safeguarding the accuracy and completeness of information and processing methods
Availability (Clause 3.2 of ISO/IEC 27001): Ensuring that authorized users have access to information and associated assets when required
HOW DO THEY DO IT ?
• Technical Attacks
• Automated Attack Software
• Network Sniffer
• Insider Knowledge
• Social Engineering
WHAT CREATED THESE SECURITY PROBLEMS ?
• Mainframe Maginot Line mentality
• Rise & Proliferation of mobile technology
• Unfamiliar security roles
• Limited security technology
[Diagram: ACCESS - USERS - Data]
WINDOWS
HARDENING THE OPERATING ENVIRONMENT
Removing unneeded functionality and Services
Activating selected security capabilities
Ensuring service packs and software patches are appropriately activated
Renaming or disabling default system accounts and passwords
Access granted on a need-to-have or least privilege basis
Activation of antivirus and malware protection software
Ensuring definitions are up to date
Ongoing scrutiny of system log files
Retention of log files for appropriate periods
Restriction of access to log files
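An added example (not from the webinar, and not code from AuditNet® or Richard Cascarino & Associates) that turns the hardening checklist above into automated checks an auditor could run over evidence collected from a system: default accounts still enabled, listening services outside an allowlist, world-accessible log files, and stale malware definitions. The account file, listening-socket listing, `ls -l` output, service allowlist, default-account names and the seven-day definition limit are all constructed assumptions for the example.

```python
"""Operating-environment hardening checks over constructed evidence.

Added example (not from the webinar or from AuditNet/Richard Cascarino):
it turns the hardening checklist into automated checks an auditor could
run over evidence collected from a system. The account file, listening
sockets, log-file listing, service allowlist, default-account names and
the definition-age limit are all constructed assumptions.
"""
from datetime import date

# Constructed /etc/passwd excerpt (not from a real system).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
guest:x:1001:1001:Guest:/home/guest:/bin/bash
alice:x:1002:1002:Alice:/home/alice:/bin/bash
svc_backup:x:1003:1003::/var/backup:/bin/sh
"""

# Constructed listening-socket listing: protocol, local address, process.
LISTENING = """\
tcp 0.0.0.0:22 sshd
tcp 0.0.0.0:23 telnetd
tcp 0.0.0.0:443 nginx
udp 0.0.0.0:69 tftpd
"""

# Constructed `ls -l` output for the log directory.
LOG_LISTING = """\
-rw-r----- 1 root adm  52311 Jul 14 2020 /var/log/auth.log
-rw-rw-rw- 1 root root 18823 Jul 14 2020 /var/log/app.log
-rw-r--r-- 1 root adm   9021 Jul 14 2020 /var/log/syslog
"""

# Assumed policy values.
DEFAULT_ACCOUNTS = {"guest", "admin", "test", "administrator"}
SERVICE_ALLOWLIST = {"sshd", "nginx"}       # everything else is "unneeded functionality"
MAX_DEFINITION_AGE_DAYS = 7                 # how stale malware definitions may be
NO_LOGIN_SHELLS = ("nologin", "false")


def default_accounts_with_login(passwd_text):
    """Default system accounts that have not been disabled (slide: rename or disable them)."""
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        name, shell = fields[0], fields[-1]
        if name in DEFAULT_ACCOUNTS and not shell.endswith(NO_LOGIN_SHELLS):
            findings.append(f"default account '{name}' still has login shell {shell}")
    return findings


def unneeded_services(listening_text):
    """Listening processes outside the allowlist (slide: remove unneeded services)."""
    findings = []
    for line in listening_text.splitlines():
        proto, addr, process = line.split()
        if process not in SERVICE_ALLOWLIST:
            findings.append(f"unneeded service {process} listening on {proto} {addr}")
    return findings


def log_access_findings(ls_text):
    """Log files readable or writable by everyone (slide: restrict access to log files)."""
    findings = []
    for line in ls_text.splitlines():
        parts = line.split()
        mode, path = parts[0], parts[-1]
        other = mode[7:10]  # permission bits for the 'other' class, e.g. "rw-"
        if "r" in other or "w" in other:
            findings.append(f"{path} is accessible to all users (mode {mode})")
    return findings


def definition_age_finding(last_update, today):
    """Flag stale antivirus definitions (slide: ensure definitions are up to date)."""
    age = (today - last_update).days
    if age > MAX_DEFINITION_AGE_DAYS:
        return [f"malware definitions are {age} days old (limit {MAX_DEFINITION_AGE_DAYS} days)"]
    return []


def run_audit(today=date(2020, 7, 15)):
    """Run every check and return the combined list of findings."""
    findings = []
    findings += default_accounts_with_login(PASSWD)
    findings += unneeded_services(LISTENING)
    findings += log_access_findings(LOG_LISTING)
    findings += definition_age_finding(date(2020, 6, 20), today)  # constructed last-update date
    return findings


if __name__ == "__main__":
    for finding in run_audit():
        print("FINDING:", finding)
```

Each check is deliberately one small function over a text artefact, so the same script can be pointed at real exports (`getent passwd`, `ss -lntup`, `ls -l /var/log`) without changing the logic; the patch-level and least-privilege items on the slide need system-specific evidence and are left out of this example.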
COMMUNICATIONS AND NETWORK SECURITY
Security failure risks:
Loss of reputation
Loss of confidentiality
Loss of information integrity
User authentication failure
System unavailability
Risk evaluation
Design of system of internal controls
NETWORK PROTECTION
Use of Trust Zones
Network areas containing sensitive systems with all accesses directly controlled: unauthorized access in such an area could be highly detrimental. Would be seen as hostile zones.
Network areas containing information resources open to the public: still require user identification and authentication. Would be seen as untrusted zones.
Network areas containing information resources open to a restricted number of authorized outside users: users identified and authenticated. Would be seen as semitrusted zones.
Network areas with no outside access containing systems requiring full access by internal users and systems: users can be validated and controlled directly under the authority of the organization. Would normally be seen as trusted zones.
NETWORK AUDIT
Auditor will seek to ensure:
Physical security of the network
Use of data encryption and digital certificates
Appropriate monitoring
Access control lists within the routers
Use of appropriate firewalls
CYBERSECURITY CHALLENGES
Location of insecurity
90 % : within the organization
- unconscious / unknown
- known (misusage, fraud)
10 % : outside the organization (mostly disgruntled or ex-employees)
- eavesdropping and burglary
- copying and theft of data
- viruses and backdoors
- modification and destruction
MAJOR SECURITY PROBLEMS?
• Viruses 75%
• Inadvertent errors 70%
• Non-disaster downtime 60%
• Malicious acts by employees 40%
• Natural disasters 30%
• External malicious acts 20%
• Industrial espionage 10%
Based on : Information Week
WHAT IS WRONG WITH SECURITY WITHIN COMPANIES?
[Chart values as shown: 90%, 40%, 35%, 20%, 15%]
• Users do not change passwords frequently enough
• User access to information is too broad
• Inconsistent application of security rules for new users
• Passwords are easily guessed
• User identifications are inactive
Based on : Intrusion Detection
IMPROVING LOGICAL ACCESS CONTROLS
Removal of Generic User-ids
Immediate restriction of Tech Staff Access to Systems (Need to Have Basis)
Tightening of User Authorization Procedures
Improvement in Access Monitoring
Removal of open supplier access
OPERATIONAL AWARENESS OF STAFF
Staff Undertrained
Over-notified of problems by email
Skills shortages being identified
Initial Training in IT security not undertaken
Training needs being analyzed for all staff
Regrouping of staff planned to ensure cross-training is effective
Problem notification rationalized
BCP
BCP not presently workable
Current plan primarily a technical plan
Key elements not fully workable / testable
Allocated to a specific staff member as a full-time position
To be converted to a business plan
To be developed with testing in mind
Technical flaws to be corrected
MAJOR SECURITY TRENDS
Comprehensive corporate security strategy : including central security administration, records management, external access controls, information security awareness and personnel security agreements
Business Continuity Planning
Internet : including monitoring of activities
Strong PC controls : including secure access, message authentication codes, single sign-on (SSO) software and PC hardware security devices
Client/Server computing : including monitoring of networks (LAN, MAN, WAN)
IT Incident response strategy
HOW TO PROTECT AN ORGANIZATION ?
Train Technical Staff & Users
Monitor all access
One-time Passwords
Compartmentalize
Database & Application Security
Operating System Hardening
KEYS OF SECURITY
To be aware of all the points of access into the system and of the human factor
To watch over and update the security of system: especially with regard to recently found weaknesses (update)
Fight against malware, viruses and against intrusions
To watch over and detect intrusions (only few sites have adequate tools and methods)
To test and qualify one’s security (audit of the security)
FIREWALLS
• "of all successful break-ins via the Internet, 30% of the targeted companies had a firewall" (Computer Security Institute)
• Firewalls cost from nothing to absurd
• Firewalls should be able to:
• Deny all services except those specifically permitted
• Support the company's policies not impose its own
• Be flexible to new services and needs
• Contain advanced authentication measures
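An added example (not from the webinar, and not code from AuditNet® or Richard Cascarino & Associates) that ties the Trust Zones slide to the firewall requirement "deny all services except those specifically permitted": the four zone types are mapped to address ranges, the only permitted zone-to-zone flows are listed explicitly, the public and semitrusted zones still require user identification and authentication, and any flow with no permitting rule is denied. Every address range, port, rule and sample flow is a constructed assumption; the zone names follow the slide.

```python
"""Trust-zone firewall policy with default deny.

Added example (not from the webinar or from AuditNet/Richard Cascarino):
it models the four zone types from the Trust Zones slide and the firewall
rule "deny all services except those specifically permitted". Every
address range, port and sample flow below is constructed for the example.
"""
import ipaddress
from dataclasses import dataclass

# Assumed zone layout, named as on the slide. Anything that matches no range
# is treated as the outside Internet. 10.99.0.0/16 sits inside 10.0.0.0/8,
# so zone lookup uses the most specific (longest-prefix) match.
ZONES = {
    "untrusted": ipaddress.ip_network("192.0.2.0/24"),       # resources open to the public
    "semitrusted": ipaddress.ip_network("198.51.100.0/24"),  # resources for authorized outside users
    "trusted": ipaddress.ip_network("10.0.0.0/8"),           # internal users and systems, no outside access
    "hostile": ipaddress.ip_network("10.99.0.0/16"),         # sensitive systems, all access directly controlled
}
OUTSIDE = "internet"


@dataclass(frozen=True)
class Rule:
    src: str                     # source zone
    dst: str                     # destination zone
    proto: str                   # "tcp", "udp" or "any"
    port: int                    # destination port, 0 = any
    requires_auth: bool = False  # zone still requires user identification and authentication


# The only permitted flows; everything else is denied (assumed policy).
RULES = [
    Rule(OUTSIDE, "untrusted", "tcp", 443, requires_auth=True),
    Rule(OUTSIDE, "semitrusted", "tcp", 443, requires_auth=True),
    Rule("trusted", "trusted", "any", 0),
    Rule("trusted", "hostile", "tcp", 1433, requires_auth=True),
]


def zone_of(ip):
    """Return the zone name for an address; the longest matching prefix wins."""
    addr = ipaddress.ip_address(ip)
    best_name, best_len = OUTSIDE, -1
    for name, net in ZONES.items():
        if addr in net and net.prefixlen > best_len:
            best_name, best_len = name, net.prefixlen
    return best_name


def evaluate(src_ip, dst_ip, proto, port, authenticated=False):
    """Decide one flow as ('allow' | 'deny', reason). First matching rule wins."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    label = f"{src}->{dst} {proto}/{port}"
    for rule in RULES:
        if (rule.src, rule.dst) != (src, dst):
            continue
        if rule.proto not in ("any", proto) or rule.port not in (0, port):
            continue
        if rule.requires_auth and not authenticated:
            return "deny", f"{label}: permitted only for identified, authenticated users"
        return "allow", f"{label}: explicitly permitted"
    return "deny", f"{label}: no permitting rule (default deny)"


# Constructed sample flows: (src, dst, proto, port, authenticated).
SAMPLE_FLOWS = [
    ("203.0.113.5", "192.0.2.10", "tcp", 443, True),   # public web, authenticated user
    ("203.0.113.5", "192.0.2.10", "tcp", 443, False),  # public web, no identification
    ("203.0.113.5", "10.99.1.20", "tcp", 1433, True),  # outside straight to a sensitive system
    ("10.1.2.3", "10.99.1.20", "tcp", 1433, True),     # internal, directly controlled access
    ("10.1.2.3", "10.99.1.20", "tcp", 22, True),       # internal, but service not permitted
    ("10.1.2.3", "10.5.6.7", "udp", 53, False),        # internal to internal
    ("203.0.113.5", "10.1.2.3", "tcp", 445, False),    # outside into the trusted zone
]


def audit(flows=SAMPLE_FLOWS):
    """Evaluate a batch of flows and return the (decision, reason) pairs."""
    return [evaluate(*flow) for flow in flows]


if __name__ == "__main__":
    for decision, reason in audit():
        print(f"{decision:5} {reason}")
```

The design point is that the rule table only ever says "allow"; the deny outcomes come from the final fallthrough, which is what "deny all services except those specifically permitted" means in practice. An auditor reviewing a real firewall can apply the same test: every flow that is not matched by an explicit permit must end in the default-deny rule, and any permit into the public or semitrusted zones should be backed by user authentication at the service.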
WHERE DO WE NEED TO BE
[Diagram: a security lifecycle around a "Dynamic Security Infrastructure". Stages shown: Baseline Current Security, Perform Gap Analysis, Strategy Definition, Security Architecture, Deploy Solutions, Compliance Reporting, Periodic Re-evaluation. Questions attached to the stages: "Where Are We Today?", "What Are The Short Falls?", "What Is Our Security Policy?", "How Do We Get There?", "Implement!", "Experience Feedback". Inputs to the cycle: New Risks, Legislation, Security Requirements.]
QUESTIONS?
Any Questions? Don’t be Shy!
AUDITNET® AND CRISK ACADEMY
• If you would like forever access to this webinar recording
• If you are watching the recording, and would like to obtain CPE credit for this webinar
• Previous AuditNet® webinars are also available on-demand for CPE credit
http://criskacademy.com
http://ondemand.criskacademy.com
Use coupon code: 50OFF for a discount on this webinar for one week
THANK YOU!
Jim Kaplan
AuditNet® LLC
1-800-385-1625
Email: info@auditnet.org
www.auditnet.org
Follow Me on Twitter for Special Offers - @auditnet
Join my LinkedIn Group – https://www.linkedin.com/groups/44252/
Like my Facebook business page https://www.facebook.com/pg/AuditNetLLC
Richard Cascarino & Associates
Cell: +1 970 819 7963
Tel +1 303 747 6087 (Skype Worldwide)
Tel: +1 970 367 5429
eMail: rcasc@rcascarino.com
Web: http://www.rcascarino.com
Skype: Richard.Cascarino