A PEN TEST IS NOT ENOUGH

Internal Audit, Risk, Business & Technology Consulting
Protiviti Perspective provided by Michael K., New York
Chapters Site · 2019-02-26
February 27, 2019


© 2019 Protiviti – Confidential. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.

DOES THIS CYCLE SOUND FAMILIAR?

• Perform Annual Pen Test
• Perform Regular Vulnerability Scans
• Remediate Scan Results
• Pen Testers Gain Domain Admin
• Remediate Exploited Vulnerabilities

FOCUS FOR TODAY


Today we will cover:

• The Current Cybersecurity & Business Landscape

• Strategies for How Internal Audit Can Grow to Meet these Changes

– Effectively Engage the Board of Directors

– Adapt our Methods

• Provide Tactical Approaches to Better Audit Cybersecurity


THE CURRENT LANDSCAPE

INTERNET CRIME IS ON THE RISE


• The average cost of a data breach is $3.86 million
• Complaints have been filed in all 50 states
• $2.3 billion in adjusted losses for 2018
• 1,420,555 complaints filed with the FBI in 2017
• Over $5.52 billion in losses between 2013 and 2017

Source: 2018 Internet Crime Report (FBI)

MEANWHILE, THE BUSINESS IS EVOLVING…

Innovation Timeline

• 1990s: The Internet revolutionized the way we live, communicate, and do business
• Mid 2000s: Social Media has become ingrained in our personal and professional lives
• Present Day, the next wave of innovation: Robotic Automation is expected to revolutionize the business process outsourcing landscape, changing the way we operate

Present Day

• Robotic Automation market estimated to reach $4.98B USD by 2020 [1]
• Forecasted to grow 60.5% annually from 2014-2020 [1]
• Increasing automation is the second most important strategic priority for shared services and global business services leaders. [2]
• Key factors driving market growth: cost benefits and efficiency realized over manual process handling

Informational Sources:
[1] IT Robotic Automation Market (RPA Tools and Services), Transparency Market Research, March 2015
[2] M. Rostron. With RPA good things come to those that don’t wait. Redwood, April 2016


HOW DO WE KEEP UP?

UNDERSTAND OUR KEY RISKS


• Critical assets are not appropriately secured within an electronic security perimeter and may become vulnerable to threats.
• Personnel without appropriate levels of training may not follow required procedures for securing critical assets.
• Inappropriate response to suspected events may create additional risks to systems and entities beyond the initially targeted systems.
• Inappropriate parties may gain unauthorized physical access to critical assets/products.
• Recovery of critical assets may not be possible without appropriate recovery plans (example: ransomware).
• Critical assets may not be secure if methods, processes and procedures for securing these systems have not been defined.
• Responses to security incidents may not be appropriate if a comprehensive plan is not developed.
• Critical assets are not identified and may not be included in the organization’s security plans.

UNDERSTAND WHY WE AREN’T BETTER AT DETECTING INCIDENTS

1. Breaches (of the kind where data is stolen) are usually the result of targeted attacks (an attacker, with intention, is going after the target).

2. The security detection capabilities most organizations have work primarily by identifying known, bad signatures or suspicious behaviors (IP addresses, known malware, port scans).

3. Targeted attackers fly under the radar enough to keep their signatures and behaviors unknown (at least for a long time), so these detection capabilities rarely work on them.

Detection tools are mostly focused on detecting and responding to known bad behaviors.
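To make the three points concrete, here is an added example (not from the deck or from Protiviti) that runs a signature-matching detector and a per-user behavioural baseline over a constructed set of authentication events; the indicator list, user names, addresses and hash value are all constructed for the illustration.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed "known bad" indicators, the kind of list a signature-based tool matches against.
KNOWN_BAD_IPS = {"198.51.100.7", "203.0.113.99"}
KNOWN_MALWARE_HASHES = {"0000deadbeef0000"}  # constructed placeholder, not a real sample hash

# Constructed history used to learn each user's normal source subnet and working hours.
HISTORY: List[dict] = (
    [{"user": "alice", "src": "10.1.20.14", "hour": h} for h in (8, 9, 9, 10, 13, 15, 17)]
    + [{"user": "bob", "src": "10.1.22.3", "hour": h} for h in (7, 8, 8, 9, 12, 16)]
)

# Constructed events for the period under review.
NEW_EVENTS: List[dict] = [
    # 0: commodity malware talking to a blocklisted address: a signature catches this.
    {"user": "bob", "src": "203.0.113.99", "hour": 11, "hash": None},
    # 1: targeted attacker with valid stolen credentials, from a clean, never-seen network at 03:00.
    #    No indicator matches, so a signature-only tool stays silent.
    {"user": "alice", "src": "172.16.200.5", "hour": 3, "hash": None},
    # 2: ordinary business-hours login from alice's usual subnet.
    {"user": "alice", "src": "10.1.20.14", "hour": 9, "hash": None},
]


def _subnet(ip: str) -> str:
    """Crude /24 key: drop the last octet (IPv4 only; enough for the constructed sample)."""
    return ip.rsplit(".", 1)[0]


def signature_detect(events: List[dict]) -> List[int]:
    """Indices of events matching a known-bad indicator (source IP or file hash)."""
    return [
        i for i, ev in enumerate(events)
        if ev["src"] in KNOWN_BAD_IPS or ev.get("hash") in KNOWN_MALWARE_HASHES
    ]


def build_baseline(history: List[dict]) -> Dict[str, dict]:
    """Per-user profile: subnets seen and the earliest/latest hour of day observed."""
    seen: Dict[str, dict] = defaultdict(lambda: {"subnets": set(), "hours": []})
    for ev in history:
        seen[ev["user"]]["subnets"].add(_subnet(ev["src"]))
        seen[ev["user"]]["hours"].append(ev["hour"])
    return {
        user: {"subnets": p["subnets"], "earliest": min(p["hours"]), "latest": max(p["hours"])}
        for user, p in seen.items()
    }


def baseline_detect(events: List[dict], baseline: Dict[str, dict],
                    slack_hours: int = 1) -> List[Tuple[int, str]]:
    """(index, reason) for events that deviate from the user's own learned baseline."""
    findings: List[Tuple[int, str]] = []
    for i, ev in enumerate(events):
        profile = baseline.get(ev["user"])
        if profile is None:
            findings.append((i, "no baseline for user"))
            continue
        reasons = []
        if _subnet(ev["src"]) not in profile["subnets"]:
            reasons.append(f"new source subnet {_subnet(ev['src'])}.0/24")
        if not (profile["earliest"] - slack_hours <= ev["hour"] <= profile["latest"] + slack_hours):
            reasons.append(f"hour {ev['hour']:02d} outside usual "
                           f"{profile['earliest']:02d}-{profile['latest']:02d}")
        if reasons:
            findings.append((i, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    print("signature hits:", signature_detect(NEW_EVENTS))                          # [0]
    print("baseline hits :", baseline_detect(NEW_EVENTS, build_baseline(HISTORY)))  # flags events 0 and 1
```

The baseline approach is not free: it needs enough clean history per user, and a noisy baseline produces false positives, which is why the deck frames detection capability as something to assess rather than assume.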


BOARDS ARE PAYING ATTENTION TO CYBER SECURITY RISK…

BOARDS ARE HIGHLY ENGAGED IN THE TOPIC


Boards show a significant level of engagement in and understanding of the organization’s information security risks.

Source: Protiviti and ISACA’s 7th Annual IT Audit Benchmarking Survey

8 KEY CONSIDERATIONS FOR BOARD OVERSIGHT OF CYBER SECURITY RISK


1. The organization must be prepared for success.
2. It is highly probable that the company is already breached and does not know it.
3. The board should focus on adverse business outcomes that must be managed.
4. Cyber threats are constantly evolving.
5. Cyber security is like a game of chess, so companies should play it that way.
6. Cyber security must extend beyond the four walls.
7. Cyber issues cannot dominate the IT budget.
8. Directors should gauge their confidence in the advice they are receiving.


…SO HOW CAN YOU RESPOND?

QUARTERLY REPORTING: EXAMPLE METRICS TO SHARE WITH THE BOARD


Incident Metrics:
• Number of Security Incidents
• Number of Lost or Stolen Unencrypted Devices

Technology Metrics:
• Number of Servers Infected with Malware
• Number of High Risk Vulnerabilities and Age of Those Risks

Vendor Metrics:
• Percentage of High Risk Suppliers that Comply with Standard Security Requirements

Audit Metrics:
• Percentage of Appropriate Responses to Email Penetration Tests
• Number of Open Audit Issues and Age of Those Issues

Incident Metrics:
• Percentage of Employees Completing Awareness Training
• Percentage of Employee Access Terminated Within Established Target

CYBER SECURITY RISK – ROLES AND RESPONSIBILITIES


Effective risk management is the product of multiple layers of risk defense. Internal audit should support the board’s need to understand the effectiveness of cyber security controls.

Roles and Responsibilities

• Include risk-informed decision making in daily operations.
• Define accepted risk levels and escalate any risks outside of tolerance.
• Perform risk mitigation procedures as appropriate.
• Establish risk governance, including baselines, policies and standards.
• Implement risk mitigation tools, procedures and monitoring.
• Provide risk oversight.
• Independently assess program effectiveness.
• Report risk management effectiveness to the board.
• Comply with SEC requirements and disclosure obligations related to cyber security risks.

Given recent high-profile cyber attacks, data losses and regulatory expectations, it is critical for internal audit to understand cyber risks and be prepared to address the questions and concerns raised by the audit committee and the board.

Lines of defense:
• 1st Line of Defense: Business and IT Functions
• 2nd Line of Defense: Information Technology Risk Management Functions
• 3rd Line of Defense: Internal Audit

WHAT STEPS CAN AUDIT TAKE AS THE THIRD LINE OF DEFENSE?


Support the Board

1. Cyber security is an enterprise-wide risk management issue
2. Understand the legal implications of cyber risks
3. Access to cyber security expertise
4. Set an expectation that management will establish an enterprise-wide risk management
5. Discussion of cyber risk should include identification of what risks to avoid, accept, mitigate or transfer

Anticipate the Board

1. Does the organization use a security framework?
2. What are the top five risks this organization faces related to cyber security?
3. How are employees made aware of their role related to cyber security?
4. Are both internal and external threats considered when planning cyber security activities?
5. How is cyber security governance handled within this organization?
6. In the event of a serious breach, has management developed a robust response plan?

Dig Deeper

1. Ask the thousand “hows”
2. Know the process
3. Follow the data
4. Training, training, training

CYBER SECURITY AND THE AUDIT PLAN


Cyber risk continues to garner a high level of attention and interest, yet a number of organizations still do not include it in the audit plan.

Source: Protiviti and ISACA’s 7th Annual IT Audit Benchmarking Survey


A PEN TEST IS NOT ENOUGH

PEN TESTS: WHAT THEY ARE & AREN’T


Internal audit plans frequently include a penetration test, and only a penetration test, as a cyber security-related audit. Pen tests sometimes provide a false sense of security, and organizations need to be aware of what a typical pen test entails and what it doesn’t.

A Pen Test is…

1. A strong component in a broader program to evaluate your organization’s security posture.
2. A simulation of a single attack limited to the scope defined by those involved and budget constraints.
3. Time bound to the length of the engagement.
4. Constrained to the path of least resistance.

A Pen Test is Not…

1. A thorough review of all exploitable vulnerabilities.
2. A test of your organization’s full response and vulnerability management programs.
3. Assurance that you could not be breached by another approach.
4. An assessment of the underlying IT processes that give rise to vulnerabilities.

WE NEED TO ADAPT OUR APPROACH


The NIST Cybersecurity Framework provides an excellent approach to thinking about cybersecurity, and we need to adapt our approach to cover the full range of its security functions and categories.

Functions and Categories

Identify
• Asset Management
• Business Environment
• Governance
• Risk Assessment
• Risk Management Strategy

Protect
• Access Control
• Awareness & Training
• Data Security
• Information Protection Processes & Procedures
• Maintenance
• Protective Technology

Detect
• Anomalies and Events
• Security Continuous Monitoring
• Detection Processes

Respond
• Response Planning
• Communications
• Analysis
• Mitigation
• Improvements

Recover
• Recovery Planning
• Improvements
• Communications

UNDERSTAND WHERE WE NEED TO IMPROVE


The output of a NIST Cybersecurity Framework assessment should provide a roadmap of the specific strengths and development areas for the organization across the domains and categories.

Implementation Tiers:
• Tier 4: Adaptive
• Tier 3: Repeatable
• Tier 2: Informed
• Tier 1: Partial

[Chart: Current Tier, Peer Benchmark and Target Tier plotted per category across the Identify, Protect, Detect, Respond and Recover functions]


HOW DO WE PICK THE RIGHT CYBER AUDITS?

SELECTING THE RIGHT CYBER SECURITY AUDITS


An internal audit plan focused on cyber risk should be based on the organization’s risk profile and the external threat landscape. Security audits are generally categorized into four areas (as described below), and then specific projects can be selected based on the corresponding maturity level.

Technical Attack Assessments
Traditional and emerging attack vectors an attacker may use to access your network and information

Breach Detection and Response
Assessing an organization’s ability to identify and properly respond to a security incident

Applications and Infrastructure
Focused assessments to identify and evaluate risks associated with applications, supporting infrastructure and emerging technology, such as Cloud and IoT

Program/Governance
Understanding and assessing the overall security posture of the environment

ASK THE RIGHT QUESTIONS


We must first identify where our organization sits on the maturity spectrum, by asking the right questions and looking for key indicators.

Cybersecurity Maturity

Lower maturity

Key Indicators
• Lack of a formal budget
• No (or minimal) dedicated resources
• Lack of policies/procedures
• Limited security risk management capabilities

Key Questions
• Do we have regulations to comply with?
• Are we already breached?

Higher maturity

Key Indicators
• Dedicated resources
• Formal policies/procedures
• Meaningful security reporting
• “Active” security risk management

Key Questions
• Do we have the resources to identify and detect a compromise?
• Can we respond efficiently and quickly to a breach?

AUDIT TO YOUR ORGANIZATION’S MATURITY LEVEL


Internal audit should scope its cybersecurity audits to match the maturity of the organization’s cybersecurity capabilities. The focus shouldn’t just be technical assessments either; we need to look at the processes supporting cybersecurity too.

Lower Cybersecurity Maturity

Example projects across the four categories (Technical Attack Assessments, Breach Detection / Response, Program / Governance, Infrastructure):

• Vulnerability Program assessment to understand how threats and vulnerabilities are being identified and addressed
• Pre-Breach Assessment to perform threat hunting using tools to identify indicators of an existing compromise
• Cyber Kill Chain to assess technical capabilities using a standard approach
• Cyber Security Framework Assessment to understand & benchmark current/future capabilities against a framework
• External/Internal Penetration testing to assess threats on the network
• Cyber Defense Review to assess monitoring and response capabilities
• Cyber Risk Assessment to help understand and prioritize risks
• Technical Configuration reviews to understand if systems and new technologies are configured securely
• Regulatory & Data Privacy reviews for sensitive data exposure

AUDIT TO YOUR ORGANIZATION’S MATURITY LEVEL (continued)

Higher Cybersecurity Maturity

Example projects across the four categories (Technical Attack Assessments, Breach Detection / Response, Program / Governance, Infrastructure):

• Social Engineering or Mobile Security Reviews to assess readiness for each
• Blue Team Coordination and Incident Response Review to comprehensively assess the incident response program
• Third-Party Risk Assessment to understand how the organization is identifying and addressing risk in this channel
• Secure SDLC review to assess security controls that support the development process, including static/dynamic code analysis
• Customized Pen Testing Scenarios to target specific controls
• Identity and Access Management review to assess identity risks, including privileged access
• Data Security review to assess controls to identify, inventory and protect sensitive data
• Red Team exercises to perform unannounced testing of controls

CLIENT CASE STUDY


• 2011: Cybersecurity vulnerability assessment & penetration test
• 2012: In addition to a pen test, added: Quarterly assessments; AD Audit; Firewall Audit
• 2013: Added: Security Awareness Assessment; Database Security Audit
• 2014: Created a full infrastructure assessment program (NAC, 2 Factor Auth, AV, Vuln Mgmt)
• 2014: Also began focusing on the field: SCADA; Field Wireless Review
• 2015: Added more field sites to audit scope based on previous value delivered
• 2015: Began performing follow-up reviews on previous findings
• 2016: Expanded infrastructure assessment program & added Network Segmentation Review
• 2017: Added: Cybersecurity metrics; Privileged Access Mgmt; NIST CSF Benchmark
• 2018: Added: 3rd Party; Cloud; Data Protection & Privacy; Incident Response


CLOSING THOUGHTS

NEXT STEPS FOR INTERNAL AUDIT TO ADDRESS CYBER SECURITY RISK


• Address external AND internal cyber risks.
• Leverage relationships with the audit committee and board.
• Ensure that cyber risk is integrated formally into the audit plan.
• Keep a current understanding of emerging technologies and trends.
• Perform a NIST Cyber Security Framework assessment.
• Address any IT/audit staffing and resource shortages.

QUESTIONS


Jordan Hackney, Associate Director, IT Internal Audit
Phone: 713.314.1205
[email protected]
Houston, Texas

Ashley Cuevas, Managing Director, IT Internal Audit
Phone: 713.314.5178
[email protected]
Houston, Texas
