Organizations are increasingly looking to their Internal Auditors to provide independent assurance about cyber risks and the organization's ability to defend against cyber attacks. With information technology becoming an inherent critical success factor for every business and the emerging cyber threat landscape, every internal auditor needs to equip themselves on IT audit essentials and cyber issues. In part 14 of our Cyber Security Series you will learn about the current cyber risks and attack methods from Richard Cascarino, including: Where are we now and Where are we going? Current Cyberrisks • Data Breach and Cloud Misconfigurations • Insecure Application User Interface (API) • The growing impact of AI and ML • Malware Attack • Single factor passwords • Insider Threat • Shadow IT Systems • Crime, espionage and sabotage by rogue nation-states • IoT • CCPA and GDPR • Cyber attacks on utilities and public infrastructure • Shift in attack vectors

1. 7/15/2020
1
Richard Cascarino CISM,
CIA, ACFE, CRMA
Cybersecurity Series
2020 Update 4
About Jim Kaplan, CIA, CFE
 President and Founder of AuditNet®,
the global resource for auditors
(available on iOS, Android and
Windows devices)
 Auditor, Web Site Guru,
 Internet for Auditors Pioneer
 IIA Bradford Cadmus Memorial Award
Recipient
 Local Government Auditor’s Lifetime
Award
 Author of “The Auditor’s Guide to
Internet Resources” 2nd Edition
Page 2
1
2

2. 7/15/2020
2
ABOUT AUDITNET® LLC
• AuditNet®, the global resource for auditors, serves the global audit
community as the primary resource for Web-based auditing content. As the first online
audit portal, AuditNet® has been at the forefront of websites dedicated to promoting the
use of audit technology.
• Available on the Web, iPad, iPhone, Windows and Android devices and
features:
• Over 3,200 Reusable Templates, Audit Programs, Questionnaires, and
Control Matrices
• Webinars focusing on fraud, data analytics, IT audit, and internal audit
with free CPE for subscribers and site license users.
• Audit guides, manuals, and books on audit basics and using audit
technology
• LinkedIn Networking Groups
• Monthly Newsletters with Expert Guest Columnists
• Surveys on timely topics for internal auditors
Introductions
Page 3
HOUSEKEEPING
This webinar and its material are the property of AuditNet® and its Webinar partners.
Unauthorized usage or recording of this webinar or any of its material is strictly forbidden.
• If you logged in with another individual’s confirmation email you will not receive
CPE as the confirmation login is linked to a specific individual
• This Webinar is not eligible for viewing in a group setting. You must be logged in with
your unique join link.
• We are recording the webinar and you will be provided access to that recording after
the webinar. Downloading or otherwise duplicating the webinar recording is expressly
prohibited.
• If you meet the criteria for earning CPE, you will receive a link via email to download
your certificate. The official email for CPE will be issued via cpe@email.cpe.io and it is
important to white list this address. It is from this email that your CPE credit will be sent.
There may be a processing fee to have your CPE credit regenerated if you did not
receive the first mailing.
• Submit questions via the chat box on your screen and we will answer them either during
or at the conclusion.
• You must answer the survey questions after the Webinar or before downloading your
certificate.
3
4

3. 7/15/2020
3
ABOUT RICHARD CASCARINO,
MBA, CIA, CISM, CFE, CRMA
• Principal of Richard Cascarino &
Associates based in Colorado USA
• Over 28 years experience in IT audit
training and consultancy
• Past President of the Institute of
Internal Auditors in South Africa
• Member of ISACA
• Member of Association of Certified
Fraud Examiners
• Author of Data Analytics for Internal
Auditors
5
TODAY’S AGENDA
Page 6
Where do we start
Developing a cybersecurity architecture
Typical IT Architecture
Sources of threat
Hardening the operating system
Hardening the network
Evaluating cybersecurity architecture design
effectiveness
Where are the prime vulnerabilities
5
6

4. 7/15/2020
4
FROM INFORMATION SECURITY
FORUM
Increases in:
 Disruption
 Over-reliance on fragile connectivity creates the potential for
premeditated internet outages capable of bringing trade to its
knees and heightened risk that ransomware will be used to
hijack the Internet of Things.
 Distortion
 The intentional spread of misinformation, including by bots and
automated sources, causes trust in the integrity of information
to be compromised.
 Deterioration
 Rapid advances in intelligent technologies plus conflicting
demands posed by evolving national security and individual
privacy regulations negatively impact organizations’ ability to
control their own information.
CHANGING FOCUS OF THE
INDUSTRY
$$$
Desktop, Users
Data
Center
Desktop, Users
Data
Center
Attention is focused on technologies and products that ship in
millions of units per year
7
8

5. 7/15/2020
5
Application
System Software
Access
Access paths
PREVIOUS PRESENTAccess here!
Access here!
Access here!
Access here!
Network
Access here!
DIGITAL ASSETS :
CHALLENGES
INFORMATION SECURITY
Confidentiality
Clause 3.3 of
ISO/IEC 27001
Ensuring that information is
accessible only to those
authorized to have access
Integrity
Clause 3.8 of
ISO/IEC 27001
Safeguarding the accuracy and
completeness of information and
processing methods
Availability
Clause 3.2 of
ISO/IEC 27001
Ensuring that authorized users
have access to information and
associated assets when required
9
10

6. 7/15/2020
6
SECURITY STRATEGY
FRAMEWORK
11
 The various components of the
architecture and strategy combine to
form the Security Framework. The
Framework is a unified representation
of the people, process and technology
components that need to be addressed
in the development of an enterprise
security program.
 The Framework consists of several
interconnected components, each of
which contains a specific set of
requirements and deliverables that
contribute to the overall architecture
and strategy. Once each component
has been implemented, the Framework
will enable a company to proactively
reduce risk, adhere to regulatory,
security, and privacy standards, and
enable secuirty to effectively support its
business requirements.
 The objective, represented by the circle
on the framework is.. Availability,
Confidentiality, and Integrity.
Source: © Ernst & Young LLP
KEY CONTROLS
Controls
Considered
Essential from
a Legislative
Point of View
Data protection and privacy of personal information
Protection of organizational records
Intellectual property rights
Controls
Considered
to be Best
Practice
Information security policy document
Allocation of information security responsibilities
Information security awareness, education, and training
Correct processing in applications
Technical vulnerability management
Business continuity management
Management of information security incidents
and improvements
11
12

7. 7/15/2020
7
COSO
X8
Director
1
X6
Expediter
1
X5
Eport
1
Insigh
t
2
X4
VWP
1
VIE
2
SW
Xcng
2
X1
Nav
1
Telebank
2
X2
AMD
1
Br20
3
X3
MFA
1
I-series
1.10.20.50
SW
RT
RT
SW WS
User
A BANK
13
14

8. 7/15/2020
8
HOW DO THEY DO IT ?
• Technical Attacks
• Automated Attack Software
• Network Sniffer
• Insider Knowledge
• Social Engineering
15
16

9. 7/15/2020
9
WHAT CREATED THESE
SECURITY PROBLEMS ?
• Mainframe Maginot Line mentality
• Rise & Proliferation of mobile technology
• Unfamiliar security roles
• Limited security technology
ACCESS - USERS
Data
17
18

10. 7/15/2020
10
ACCESS - USERS
Transaction Processing
Data
Telecommunications Software
VTAM
NDL
T/P Monitor CICS
IMS/DC
GEMCOS
ACCESS - USERS
Data
Telecommunications Software
VTAM
NDL
T/P Monitor CICS
IMS/DC
GEMCOS
Application Programs
19
20

11. 7/15/2020
11
ACCESS - USERS
Data
Telecommunications Software
VTAM
NDL
T/P Monitor CICS
IMS/DC
GEMCOS
Application Programs
DBMS
IMS/DB
ADABAS
DMSII
File Access Method VSAM
ACCESS - OTHERS
Telecommunications Software
VTAM
NDL
Editors & Tools TSO
ROSCOE
CANDE
21
22

12. 7/15/2020
12
WINDOWS
HARDENING THE OPERATING
ENVIRONMENT
24
Removing unneeded functionality and Services
Activating selected security capabilities
Ensuring service packs and software patches are
appropriately activated
Renaming or disabling default system accounts and
passwords
Access granted on a need-to-have or least privilege
basis
23
24

13. 7/15/2020
13
HARDENING THE OPERATING
ENVIRONMENT
25
Activation of antivirus and malware protection software
Ensuring definitions are up to date
Ongoing scrutiny of system log files
Retention of log files for appropriate periods
Restriction of access to log files
COMMUNICATIONS AND
NETWORK SECURITY
26
Security failure risks:
Loss of reputation
Loss of confidentiality
Loss of information integrity
User authentication failure
System unavailability
Risk evaluation
Design of system of internal controls
25
26

14. 7/15/2020
14
NETWORK PROTECTION
27
Use of Trust Zones
Network areas containing sensitive systems with all accesses
directly controlled
 Unauthorized access in such an area could be highly detrimental
 Would be seen as hostile zones.
Network areas containing information resources open to the
public
 Still require user identification and authentication
 Would be seen as untrusted zones.
NETWORK PROTECTION
28
Network areas containing information resources open to a
restricted number of authorized outside users
 Users identified and authenticated
 Would be seen as semitrusted zones
Network areas with no outside access containing systems
 Requiring full access by internal users and systems Users can
be validated and controlled directly under the authority of the
organization
 Would normally be seen as trusted zones.
27
28

15. 7/15/2020
15
NETWORK AUDIT
29
Auditor will seek to ensure:
 Physical security of the network
 Use of data encryption and digital certificates
 Appropriate monitoring
 Access control lists within the routers
 Use of appropriate firewalls
CYBERSECURITY
CHALLENGES
Location of insecurity
90 % : within the organization
- unconscious / unknown
- known (misusage, fraud)
10 % : outside the organization
(mostly disgruntled or ex-employees)
- eavesdropping and burglary
- copying and theft of data
- viruses and backdoors
- modification and destruction
29
30

16. 7/15/2020
16
MAJOR SECURITY
PROBLEMS?
• Viruses 75%
• In-advertant errors 70%
• Non-disaster downtime 60%
• Malicious acts by employees 40%
• Natural disasters 30%
• External malicious acts 20%
• Industrial espionage 10%
Based on : Information Week
WHAT IS WRONG WITH
SECURITY WITHIN COMPANIES?
90%
40%
35%
20%
15%
Based on : Intrusion Detection
•Users do not change passwords frequently
enough
•User access to information is too broad
•Inconsistent application of security rules
for new users
•Passwords are easily guessed
•User identifications are inactive
31
32

17. 7/15/2020
17
IMPROVING LOGICAL
ACCESS CONTROLS
Removal of Generic User-ids
Immediate restriction of Tech Staff Access to Systems
(Need to Have Basis)
Tightening of User Authorization Procedures
Improvement in Access Monitoring
Removal of open supplier access
OPERATIONAL AWARENESS
OF STAFF
Staff Undertrained
Over-notified of problems by email
Skills shortages being identified
Initial Training in IT security not undertaken
Training needs being analyzed for all staff
Regrouping of staff planned to ensure cross-training is
effective
Problem notification rationalized
33
34

18. 7/15/2020
18
BCP
BCP not presently workable
Current plan primarily a technical plan
Key elements not fully workable / testable
Allocated to a specific staff member as a full-time
position
To be converted to a business plan
To be developed with testing in mind
Technical flaws to be corrected
MAJOR SECURITY TRENDS
Comprehensive corporate security strategy : including central
security administration, records management, external
access controls, information security awareness and
personnel security agreements
Business Continuity Planning
Internet : including monitoring of activities
Strong PC controls : including secure access, message
authentication codes, single sign-on (SSO) software and PC
hardware security devices
Client/Server computing : including monitoring of networks
(LAN, MAN, WAN)
IT Incident response strategy
35
36

19. 7/15/2020
19
HOW TO PROTECT AN
ORGANIZATION ?
Train Technical Staff & Users
Monitor all access
One-time Passwords
Compartmentalize
Database & Application Security
Operating System Hardening
 To be aware of all the points of access into the
system and of the human factor
 To watch over and update the security of system:
 especially with regard to recently found weaknesses
(update)
 fight against malware, viruses and against intrusions
 To watch over and detect intrusions
 Only few sites have adequate tools and
methods
 To test and qualify one’s security
 audit of the security
KEYS OF SECURITY
37
38

20. 7/15/2020
20
FIREWALLS
• "of all successful break-ins via the Internet, 30%
of the targeted companies had a firewall"
Computer Security Institute
• Firewalls cost from nothing to absurd
• Firewalls should be able to:
• Deny all services except those specifically
permitted
• Support the company's policies not impose its
own
• Be flexible to new services and needs
• Contain advanced authentication measures
`
"What Are The Short Falls?”
Perform Gap
Analysis
Dynamic Security
Infrastructure "What Is Our
Security Policy?”
"Implement!"
"How Do We Get There?"
"Experience Feedback"
Compliance
Reporting
Compliance
Reporting
Strategy
Definition
Strategy
Definition
Security
Architecture
Security
Architecture
Deploy
Solutions
Deploy
Solutions
Periodic Re-evaluation
"Where Are We Today?"
Baseline
Current
Security
Baseline
Current
Security
New Risks, Legislation
Security Requirements
New Risks, Legislation
Security Requirements
WHERE DO WE NEED TO BE
39
40

21. 7/15/2020
21
QUESTIONS?
Any Questions?
Don’t be Shy!
AUDITNET® AND CRISK
ACADEMY
• If you would like forever
access to this webinar
recording
• If you are watching the
recording, and would like
to obtain CPE credit for
this webinar
• Previous AuditNet®
webinars are also
available on-demand for
CPE credit
http://criskacademy.com
http://ondemand.criskacademy.com
Use coupon code: 50OFF for a
discount on this webinar for one week
41
42

22. 7/15/2020
22
THANK YOU!
Page 43
Jim Kaplan
AuditNet® LLC
1-800-385-1625
Email:info@auditnet.org
www.auditnet.org
Follow Me on Twitter for Special Offers - @auditnet
Join my LinkedIn Group –
https://www.linkedin.com/groups/44252/
Like my Facebook business page
https://www.facebook.com/pg/AuditNetLLC
Richard Cascarino & Associates
Cell: +1 970 819 7963
Tel +1 303 747 6087 (Skype Worldwide)
Tel: +1 970 367 5429
eMail: rcasc@rcascarino.com
Web: http://www.rcascarino.com
Skype: Richard.Cascarino
43