From our house to yours. An overview of recent IS Audit activities.

1. From Our House to
Yours
Brian T. O’Hara CISA, CISM, CRISC
CISO, The Mako Group, LLC
btohara@makopro.com
260.241.4799

2. The Mako Group, LLC
“The Mako Group, LLC is as an Information
Technology and Systems security, compliance,
and consulting firm, specializing in audit,
compliance, Enterprise Risk Management and
data security in both private and public sectors.
As CISO, my responsibilities include the
oversight and management of security related
functions and services including audit and
regulatory compliance reviews, Enterprise Risk
Management (ERM), and development of
strategic planning with regard to current and
emerging security technologies.”

3. Introduction
• Health Care
• Banking
• SOX
• PCI
• Government
• Critical Infrastructure
• SOC (Service Organization Control)
• Manufacturing

4. HEALTH CARE
2013-2014

5. Audit And Compliance Authority
• DHHS Department of Health & Human
Services
– Charged with administering HIPAA
• OCR Office for Civil Rights
– Charged with Enforcement
• KPMG
– Audit Subcontractor to OCR

6. HIPAA
• HITECH Act
– Breach Notification
– Business Associate Agreements
– Security Rule
• OMNIBUS Rule
– Enforcement Rule
• BA Chain of Assurance
– Clarification of Rules

7. OCR/KPMG Audit Hot Buttons
• Risk Management
• Risk Assessment
• Risk Management Strategy
• IT Strategic Planning
• Key Phrases
– “Culture of Compliance”
– “Visible Demonstrable Evidence”

8. PERSISTENT PROBLEMS
• Lack of Knowledge
• Poor Risk Based Decision Making
• Resources
• “Experts”
• Shaming Tactics

9. Trends
• Poor/Non-Existent Risk Management
• Poor Understanding of Regulations
• Denial
• Overwhelmed
– Don’t know where to start
– Don’t understand regulations
• Lots of “Experts” and “Certified” products*
– ISC2 CISPP Certification

10. BANKING
2013-2014

11. FFIEC TSP Guidance
• FFIEC Statement of Authority
– Anyone who does business with a financial institution
falls under their jurisdiction *
• FDIC Audits
– Now available but you must ask
– TSP should be providing these

12. FFIEC Cloud Guidance
• Add On to Vendor Management

13. FFIEC Social Media
Guidance
• Inclusion in Risk Assessment and ERM
– Owning the namespace
• Brand Protection
– Owning and Controlling Data
• Account access controls
– Monitoring Brand Usage

14. ACH

15. PERSISTENT PROBLEMS
• Risk Based Decision Making
• Human Behavior
• Cost (not so much)

16. Trends
• Risk Management and ERM
• BOD Involvement
• Risk Based Vendor Management
• Social Media

17. SOX

18. 10 Years After
• Beast of Burden?
• Has It Helped?
– Madoff
– CHASE
– Freddie Mx
• Too Large To Fail?
– again

19. PCAOB Scrutiny
• Pressuring Accounting firms to further verify
information coming out of systems

20. PCI
PCI 3.0
Changes 2013-2015

21. Goals of Standards Clarification
• Drive more consistency among assessors
• Help manage evolving risks / threats
• Align with changes in industry best practices
• Clarify scoping and reporting
• Eliminate redundant sub-requirements and consolidate
documentation
• Provide stronger focus on some of the greater risk areas in the
threat environment
• Provide increased clarity on PCI DSS & PA-DSS requirements
• Build greater understanding on the intent of the requirements and
how to apply them
• Improve flexibility for all entities implementing, assessing, and
building to the Standards

22. Change Categories
• Clarification
• Additional Guidance
• Evolving Requirements
– Passwords and Passphrases

23. Rankings (Updated)
• In Place
• In Place with Compensating Controls
• Not Applicable
• Not In Place
• Not Tested

24. Review of Target and Neiman Marcus
COMPLIANCE DOES NOT MEAN SECURITY

25. PERSISTENT PROBLEMS
• Inconsistent application of standards in audit from QSAs
• Inconsistent knowledge from acquiring banks
• Slow Adoption of EVM Chip Based Technology
– Has been successfully breached but extremely difficult, time
consuming, and expensive.

26. Trends
• Tighter controls on applications
• Tighter controls on terminal devices
– Physical seals used much like weights and measures
• Move to EVM Chip Based Cards
– Provides end to end encryption
– Already in Use in EU
– Some in Use Today in US

27. PUBLIC SECTOR
2013-2014
NIST and FISMA

28. NIST
• SP 800 Series
• SP 800-53 Rev 4 Security and Privacy Controls for Federal
Information Systems and Organizations
• Those certified under Rev 3 will have catch up work to do
• New control mappings

29. FISMA
• Federal Information Security Act of 2002
• Required of all Federal Agencies or Sub Contractors
– “Chain of Assurance”
• DoD Does Own Thing
– Examples
• FDA, DHHS, IRS, etc.

30. PERSISTENT PROBLEMS
• Standards Keeping Pace
• Compliance does not = security
• Cost

31. Trends
• “Chain of Assurance”*
– Any subcontractor doing business with an agency required to have
completed FISMA audits, must also undergo FISMA audit and meet
requirements

32. CRITICAL INFRASTRUCTURE
“systems and assets, whether physical or virtual, so vital to
the United States that the incapacity or destruction of such
systems and assets would have a debilitating impact on
security, national economic security, national public health
or safety, or any combination of those matters.”
From President Obama’s Executive Order – Improving Critical Infrastructure Cybersecurity February 12, 2013.

33. Industrial Control
Systems (ICS)
• SCADA
– Supervisory Control And Data Acquisition
• Typically larger than traditional stand alone ICS
– Water plant versus small manufacturing
– Examples
• Water Utility
• Power Utility
• Supply Chain
• Transportation

34. PERSISTENT PROBLEMS
• Lack of Security in Design Phase
• Costly Upgrades
• Poor Inter Vendor Operability
• Poor Industry Awareness
• Poor Regulations

35. Trends
• Just Scratching the Surface
• Increased Vendor Awareness and Diligence
• Improving Operator Awareness Via Training
• ICS-CERT

36. SOC Updates
SSAE16 Is Dead and Gone

37. No Longer SSAE16
• SOC 1
• SOC 2
• SOC 3
SHOULD RESULT IN NO DEFICIENCIES!

38. SOC 1
• Primarily for User Auditors
– Internal Controls Related to Financial Reporting

39. SOC 2
• Describes the suitability of design and operating
effectiveness of controls at a service organization
relevant to security, availability, processing
integrity or confidentiality.
• Becoming More prevalent
• Involves 5 Security Trust Principles
• Standard Being Updated

40. SOC 3
• Similar to SOC 2 but does not disclose detailed
controls and testing.
• More for Public Awareness
– Website Logos

41. PERSISTENT PROBLEMS
• Terminology Confusion
– SSAE16, SOC 1, etc.
• Standards Evolving
• HUGE CHANGE
– From SAS70

42. Trends
• More SOC 2 Reports
• Better Understanding of
– Target Audience
– Purpose
– Trust Security Principles

43. Summary Top Issues
1. Risk Management
2. Vendor Management
3. BYO(C)(D)
4. Social Media
5. Cloud Computing
6. “Chain of Assurance”
7. Application Security
8. Mobile Device Security

44. Summary
• Some Things Never Change
– Behavior
• Some Things Always Change
– Regulations
– Examiner Expectations
• Compliance Does Not Lead To Security
• Security Will Lead To Compliance

45. Q&A

46. BREAK
5 Minutes

47. TOOLS
RECON FOR AUDITORS

48. TOOLS
• Beginners
– InSSIDER
– Nmap
– MBSA
• Intermediate
– MS EMET
• Advanced
– Wireshark

49. InSSIDER
• Home of Wi-Fi Reconnaissance Tools (Metageek.net)
– Spectrum Analyzers
– SSID Identifier (free and paid)
– Wi-Fi Packet Analyzers

50. InSSIDER

51. Nmap
• Network Cartography
– Free
– Easy to use
– Non Intrusive
– Non Disruptive
• With exceptions
– CLI and Gui
– Scanme.org

52. Nmap

53. Nmap

54. MBSA

55. MBSA
• Patch Status
• Reboot Status
• Administrator Access Status
• Non-Expiring Passwords
• IIS Misconfigurations
• SQL Misconfigurations
– Runtimes AND Instances

56. MBSA

57. Microsoft EMET
• MS Enhanced Mitigation Experience Toolkit (4.1)
– “The Enhanced Mitigation Experience Toolkit (EMET) is a utility that
helps prevent vulnerabilities in software from being successfully
exploited. EMET achieves this goal by using security mitigation
technologies. These technologies function as special protections and
obstacles that an exploit author must defeat to exploit software
vulnerabilities. These security mitigation technologies do not
guarantee that vulnerabilities cannot be exploited. However, they
work to make exploitation as difficult as possible to perform.”

58. EMET

59. Wireshark
• “Wireshark is the world's foremost network protocol
analyzer. It lets you see what's happening on your network
at a microscopic level. It is the de facto (and often de jure)
standard across many industries and educational
institutions.”
• For Advanced Users
• Packet Capture and Analysis Tool
– Identify data exfiltration
– Identify C&C Traffic

60. Wireshark

61. Q&A

62. From Our House to
Yours
THANKS!
Brian T. O’Hara CISA, CISM, CRISC
CISO, The Mako Group, LLC
btohara@makopro.com
260.241.4799