Dalim Basu CISA CRISC FBCS CITP BSc.(Hons)
Events Director, ISACA London [email protected] +44 7703 314 988
‘Cyber Security – Risks, Controls, Auditing’ Dalim Basu
ENVIRONMENT & DRIVERS
• Nature of business
• Security profile
• Risk tolerance
• Industry trends for security
• Mergers, acquisitions and partnerships
• Outsourcing services or providers
• Business plans and business environment
• Available information technology

CYBERSECURITY RISK
Increasing dependence on digital technologies makes organizations more susceptible to cybersecurity risk.
DEFINITIONS
Information security deals with information, regardless of its format. It includes:
• Paper documents
• Digital and intellectual property
• Verbal or visual communications
Cybersecurity is concerned with protecting digital assets. It includes:
• Networks
• Hardware
• Software
• Information that is processed, stored or transported by internetworked information systems (IS)
ROLES
BOARD OF DIRECTORS
Identify key assets and verify that protection levels and priorities are appropriate
EXECUTIVE COMMITTEE
Set the tone for cybersecurity management and ensure that necessary functions, resources and infrastructure are available and properly utilized
SECURITY MANAGEMENT
Develop security and risk mitigation strategies, implement security programs and manage incidents and remediation
CYBERSECURITY PRACTITIONERS
Design, implement and manage processes and technical controls and respond to events and incidents
CYBERSECURITY TRIAD
IDENTIFY
• Asset
• Threat Source
• Threat Event
• Vulnerability
• Inherent Risk
• Residual Risk
LIKELIHOOD & IMPACT
Likelihood levels:
• Certain
• Likely
• Unlikely
• Impossible
SECURITY ARCHITECTURE
Security architecture shows:
• How defense in depth is implemented
• How layers of control are linked
• How elements function together
DEFENCE IN DEPTH
CONCENTRIC RINGS
• Creates a series of nested layers that must be bypassed in order to complete an attack
• Each layer delays the attacker and provides opportunities to detect the attack
ISOLATION & SEGMENTATION
IPS
• Detects attacks and prevents damage to the intended victim/host
• Limits damage or disruption to systems that are attacked
• Must be properly configured to be effective
MALWARE
Malware can be controlled through many different mechanisms, including:
• Restriction of outbound traffic
• Policies and awareness training
• Multiple layers of anti-malware software
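The first control above, restriction of outbound traffic, is only as good as the check that the firewall actually enforces the written egress policy. The following is an added example (not code from the deck or from ISACA) that reviews outbound-connection log lines against a per-role egress policy. The log format, host roles, address ranges and policy are all constructed; the point it shows is that a review must flag three different things: blocked attempts (a host trying to reach somewhere it should not, a classic malware beaconing sign), traffic the firewall allowed but the policy forbids (rule-base drift), and hosts missing from the inventory.

```python
"""Egress-policy review over outbound-connection log lines.

Added example for the 'restriction of outbound traffic' control; it is not code
from the deck or from ISACA. The log format, host roles, address ranges and
policy below are constructed for the example.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed log format (assumption):
#   <timestamp> src=<ip> dst=<ip>:<port> proto=<tcp|udp> action=<allow|deny>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+):(?P<port>\d+) "
    r"proto=(?P<proto>tcp|udp) action=(?P<action>allow|deny)$"
)

# Address space treated as internal; connections staying inside it are not egress.
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]

# Role of each internal host (constructed inventory).
HOST_ROLES = {"10.0.1.10": "workstation", "10.0.2.20": "webserver"}

# Egress policy per role: (destination network, protocol, port) tuples that may
# leave the network. Anything else outbound is a policy violation. The ranges
# are documentation prefixes (RFC 5737) standing in for real external services.
EGRESS_POLICY = {
    "workstation": {(ipaddress.ip_network("198.51.100.0/24"), "tcp", 443)},  # SaaS range
    "webserver": {(ipaddress.ip_network("203.0.113.10/32"), "tcp", 443)},    # update mirror
}


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    port: int
    reason: str


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def permitted(role, dst, proto, port):
    """True when the role's policy allows this destination/protocol/port."""
    return any(dst in net and proto == p and port == pt
               for net, p, pt in EGRESS_POLICY.get(role, ()))


def check_egress(line):
    """Return a Finding when the line needs attention, else None."""
    rec = parse_line(line)
    if rec is None:
        return Finding("?", "?", "?", 0, "unparseable log line; check log pipeline")
    dst = ipaddress.ip_address(rec["dst"])
    if any(dst in net for net in INTERNAL):
        return None  # east-west traffic: out of scope for an egress policy
    role = HOST_ROLES.get(rec["src"])
    if role is None:
        reason = "egress from a host missing from the inventory"
    elif permitted(role, dst, rec["proto"], rec["port"]):
        return None
    elif rec["action"] == "deny":
        # The firewall did its job, but a host trying to reach an unapproved
        # destination is itself a signal worth triaging (possible beaconing).
        reason = f"blocked outbound attempt from {role}; possible beaconing"
    else:
        # Firewall rules have drifted from the written policy: fix the rule base.
        reason = f"firewall allowed traffic that the {role} egress policy forbids"
    return Finding(rec["ts"], rec["src"], rec["dst"], rec["port"], reason)


def review_log(lines):
    """Run the check over every line and keep only the findings."""
    return [f for f in map(check_egress, lines) if f is not None]


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z src=10.0.1.10 dst=198.51.100.7:443 proto=tcp action=allow",
    "2024-05-01T10:00:05Z src=10.0.1.10 dst=192.0.2.44:8443 proto=tcp action=deny",
    "2024-05-01T10:00:09Z src=10.0.2.20 dst=192.0.2.44:443 proto=tcp action=allow",
    "2024-05-01T10:00:12Z src=10.0.3.99 dst=198.51.100.7:443 proto=tcp action=allow",
    "2024-05-01T10:00:15Z src=10.0.1.10 dst=10.0.5.5:445 proto=tcp action=allow",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for f in review_log(SAMPLE_LOG):
        print(f"{f.ts} {f.src} -> {f.dst}:{f.port}  {f.reason}")
```

Of the six constructed lines, the first is policy-compliant and the fifth is internal, so neither is reported; the other four each produce a finding with a different reason. An auditor testing this control would want to see the written policy, the rule base, and evidence that deny events and rule drift are actually reviewed.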
NETWORK RISKS
• Loss of data through unauthorized changes
• Lack of current data protection through inability to maintain version control
• Exposure to external activity through limited user verification
• Virus and worm infection
• Improper disclosure of data because of general access
• Violating software licenses
• Illegal access by impersonating legitimate users
• Internal users sniffing
• Internal users spoofing
• Destruction of logging and auditing data
REMOTE ACCESS RISK
• Denial-of-service
• Malicious third parties
• Misconfigured communications software
• Misconfigured devices on corporate computing infrastructure
• Host systems not secured appropriately
• Physical security issues
RISK ATTRIBUTES
Source: Encurve, LLC, Risk Management Concepts Presentation, 2013
RISK MANAGEMENT PROCESS
Source: ISACA, COBIT 5 for Risk, 2013
RISK ASSESSMENT ORIENTATIONS
Asset orientation: Important assets are defined first, and then potential threats to those assets are analyzed. Vulnerabilities are identified that may be exploited to access the asset.
Threat orientation: Potential threats are determined first, and then threat scenarios are developed. Based on the scenarios, vulnerabilities and assets of interest to the adversary are determined in relation to the threat.
Vulnerability orientation: Vulnerabilities and deficiencies are identified first, then the exposed assets and potential threat events are determined.
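All three orientations end up with the same kind of result, a set of (asset, threat, vulnerability) scenarios, but each starts from a different element and therefore reaches a different subset. The following is an added example (not from the deck) that runs the three orientations over one small constructed model of assets, threat sources and the vulnerabilities each threat can use; the coverage comparison at the end is the example's own illustration of why assessors combine orientations rather than rely on one.

```python
"""The three risk-assessment orientations run over one small model.

Added example, not from the deck: the assets, threat sources and the links
between them are constructed. Each orientation starts from a different element
and derives the same kind of scenario triple (asset, threat, vulnerability),
which makes it easy to compare what each one reaches and what it misses.
"""

# Constructed asset inventory; 'important' marks the assets an asset-oriented
# assessment would define first.
ASSETS = {
    "customer-db":   {"important": True,  "vulns": {"unpatched-dbms", "weak-admin-password"}},
    "web-portal":    {"important": True,  "vulns": {"sql-injection"}},
    "staff-laptops": {"important": False, "vulns": {"no-disk-encryption"}},
    "build-server":  {"important": False, "vulns": {"default-credentials"}},
}

# Constructed threat sources and the vulnerabilities each is judged able to use.
THREATS = {
    "external-criminal":     {"sql-injection", "weak-admin-password", "default-credentials"},
    "lost-or-stolen-device": {"no-disk-encryption"},
    "malicious-insider":     {"weak-admin-password", "default-credentials"},
}


def scenarios_for(asset, threat):
    """All (asset, threat, vulnerability) triples where the asset exposes a
    vulnerability the threat can use."""
    return {(asset, threat, v) for v in ASSETS[asset]["vulns"] & THREATS[threat]}


def asset_oriented():
    """Asset orientation: important assets first, then threats, then vulnerabilities."""
    out = set()
    for asset, info in ASSETS.items():
        if info["important"]:
            for threat in THREATS:
                out |= scenarios_for(asset, threat)
    return out


def threat_oriented(threats_of_interest):
    """Threat orientation: chosen threats first, then the assets and
    vulnerabilities those threats would go after."""
    out = set()
    for threat in threats_of_interest:
        for asset in ASSETS:
            out |= scenarios_for(asset, threat)
    return out


def vulnerability_oriented(found_vulns):
    """Vulnerability orientation: findings (e.g. from a scan) first, then the
    assets exposing them and the threat events able to exploit them."""
    out = set()
    for asset, info in ASSETS.items():
        for v in info["vulns"] & set(found_vulns):
            for threat, usable in THREATS.items():
                if v in usable:
                    out.add((asset, threat, v))
    return out


def all_scenarios():
    """Ground truth for the model: every reachable triple."""
    out = set()
    for asset in ASSETS:
        for threat in THREATS:
            out |= scenarios_for(asset, threat)
    return out


def coverage_report(threats_of_interest, found_vulns):
    """Which scenarios each orientation reaches, and which none of them does."""
    runs = {
        "asset": asset_oriented(),
        "threat": threat_oriented(threats_of_interest),
        "vulnerability": vulnerability_oriented(found_vulns),
    }
    reached = set().union(*runs.values())
    return {"runs": runs, "missed_by_all": all_scenarios() - reached}


if __name__ == "__main__":
    report = coverage_report(["external-criminal"],
                             ["sql-injection", "unpatched-dbms", "no-disk-encryption"])
    for name, found in report["runs"].items():
        print(f"{name:>13}: {len(found)} scenarios")
    print("missed by all three:", report["missed_by_all"])
```

In this constructed model the asset orientation never looks at the two assets nobody marked important, the threat orientation limited to the external criminal never considers the insider, and the vulnerability orientation only knows what the scan found (and one scan finding, the unpatched DBMS, has no modelled threat able to use it, so it yields no scenario). The insider using default credentials on the build server is reached by none of the three runs.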
RISK RESPONSES
• Risk Reduction: implementation of controls or countermeasures to reduce likelihood or impact of risk to acceptable levels
• Risk Avoidance: avoid risk by not participating in an activity or business
• Risk Transfer or Sharing: transfer risk to a third party (e.g., insurance) or share with a third party via contractual agreement
• Risk Acceptance: assume the risk and absorb losses if risk is within tolerance or the cost of mitigation exceeds potential loss
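The IDENTIFY list (asset, threat event, vulnerability, inherent risk, residual risk), the likelihood levels (Certain, Likely, Unlikely, Impossible) and the four responses above fit together as one small calculation. The following is an added example (not code from the deck) that rates a risk on ordinal scales, credits controls already in place to get from inherent to residual risk, and then picks a response. The likelihood levels are the deck's; the impact scale, the rating matrix, the way a control lowers a level, the order in which responses are tried and the three sample risks are all constructed assumptions.

```python
"""Inherent vs residual risk on ordinal scales, and choosing a risk response.

Added example, not from the deck. The likelihood levels are the deck's
(Certain, Likely, Unlikely, Impossible); the impact scale, the rating matrix,
the way controls lower a level, the ordering of responses and the sample
risks are all constructed assumptions.
"""
from dataclasses import dataclass, field, replace

LIKELIHOOD = ["Impossible", "Unlikely", "Likely", "Certain"]  # ordinal 0..3 (from the deck)
IMPACT = ["Negligible", "Minor", "Major", "Severe"]           # ordinal 0..3 (constructed)
RATINGS = ["Low", "Medium", "High"]


def rating(likelihood, impact):
    """Constructed rating matrix: product of the two ordinals, bucketed."""
    l, i = LIKELIHOOD.index(likelihood), IMPACT.index(impact)
    if l == 0:
        return "Low"  # an impossible event is no risk whatever its impact
    score = l * i  # 0..9
    return "High" if score >= 6 else "Medium" if score >= 2 else "Low"


@dataclass(frozen=True)
class Control:
    name: str
    reduces_likelihood: int = 0  # levels removed from likelihood (assumption)
    reduces_impact: int = 0      # levels removed from impact (assumption)
    annual_cost: float = 0.0


@dataclass
class Risk:
    asset: str
    threat_event: str
    vulnerability: str
    likelihood: str
    impact: str
    potential_loss: float           # constructed estimate if the event occurs
    controls: list = field(default_factory=list)

    def inherent(self):
        """Rating before any control is credited."""
        return rating(self.likelihood, self.impact)

    def residual(self):
        """Rating after the controls in place are credited, floored at level 0."""
        l = LIKELIHOOD.index(self.likelihood) - sum(c.reduces_likelihood for c in self.controls)
        i = IMPACT.index(self.impact) - sum(c.reduces_impact for c in self.controls)
        return rating(LIKELIHOOD[max(l, 0)], IMPACT[max(i, 0)])


def within(level, tolerance):
    return RATINGS.index(level) <= RATINGS.index(tolerance)


def choose_response(risk, tolerance, candidate_controls=(), transferable=False, avoidable=False):
    """Apply the deck's four responses in a constructed order of preference.

    Returns (response, justification)."""
    if within(risk.residual(), tolerance):
        return "Risk Acceptance", "residual risk is within tolerance"
    cost = sum(c.annual_cost for c in candidate_controls)
    treated = replace(risk, controls=risk.controls + list(candidate_controls))
    if candidate_controls and within(treated.residual(), tolerance) and cost <= risk.potential_loss:
        names = ", ".join(c.name for c in candidate_controls)
        return "Risk Reduction", f"implement {names}; residual becomes {treated.residual()}"
    if transferable:
        return "Risk Transfer or Sharing", "insure or contract the risk out; reduction not economic"
    if avoidable:
        return "Risk Avoidance", "stop the activity; no economic reduction or transfer"
    if cost > risk.potential_loss:
        return "Risk Acceptance", "cost of mitigation exceeds potential loss; document and monitor"
    return "Risk Reduction", f"apply what is available and escalate: residual {treated.residual()} stays above tolerance"


# Constructed sample register.
OFFLINE_BACKUPS = Control("offline backups", reduces_impact=1, annual_cost=20_000)
INPUT_VALIDATION = Control("input validation and parameterised queries", reduces_likelihood=2, annual_cost=15_000)
REPLACE_LEGACY = Control("replace legacy system", reduces_likelihood=1, annual_cost=80_000)

RANSOMWARE = Risk("customer-db", "ransomware encrypts data", "unpatched server",
                  "Likely", "Severe", potential_loss=500_000, controls=[OFFLINE_BACKUPS])
SQLI = Risk("web-portal", "data theft via SQL injection", "unvalidated input",
            "Certain", "Major", potential_loss=200_000)
LEGACY = Risk("legacy-app", "exploitation of unsupported software", "no vendor patches",
              "Likely", "Severe", potential_loss=50_000)

if __name__ == "__main__":
    for r in (RANSOMWARE, SQLI, LEGACY):
        print(f"{r.asset:12} inherent={r.inherent():6} residual={r.residual()}")
    print(choose_response(RANSOMWARE, "Medium"))
    print(choose_response(SQLI, "Medium", candidate_controls=[INPUT_VALIDATION]))
    print(choose_response(LEGACY, "Medium", candidate_controls=[REPLACE_LEGACY], transferable=True))
```

With a tolerance of Medium, the ransomware risk is High inherently but Medium once the backups are credited, so it is accepted; the injection risk is reduced because the candidate control brings it within tolerance for less than the potential loss; the legacy risk cannot be reduced economically (the replacement costs more than the loss) so it is transferred if that is possible and, if not, accepted on the deck's cost-exceeds-loss ground. For an auditor, the numbers that drive these branches (tolerance, control effectiveness, loss estimate) are exactly the inputs whose provenance should be challenged.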
VULNERABILITY MANAGEMENT
• A vulnerability is an exploitable weakness resulting in loss.
• Vulnerabilities are continuously being discovered.
• Common discovery techniques include vulnerability scans and penetration tests.
• Organizations must understand cybersecurity assets and where they reside (physical and logical).
• Taking advantage of a vulnerability is called an exploit.
Types of Vulnerabilities
Technical (cause: errors in design, implementation, placement or configuration)
• Coding errors
• Inadequate passwords
• Open network ports
• Lack of monitoring
Process (cause: errors in operation)
• Failure to monitor logs
• Failure to patch software
Organizational (cause: errors in management, decision-making, planning or ignorance)
• Lack of policies
• Lack of awareness
• Failure to implement controls
Emergent (cause: interactions between, or changes in, environments)
• Cross-organizational failures
• Interoperability errors
• Implementing new technology
RECENT TRENDS
Source: ENISA Threat Landscape 2013 + Ransomware, APTs & more…
Evolving Threat Landscape
Cyber Attack Process
• Perform reconnaissance
• Create attack tools
• Deliver malicious capabilities
• Exploit and compromise
• Conduct an attack
• Achieve results
• Maintain a presence
• Coordinate a campaign
STAGES OF AN APT ATTACK
• Target Selection
• Target Research
• Target Penetration
• Command and Control
• Target Discovery
• Data Exfiltration
• Intelligence Dissemination
• Information Exploitation
ISACA AUDIT/ASSURANCE PROGRAMME BASED ON NIST CYBERSECURITY FRAMEWORK [1]
Business Risk & Impact
Cyberincidents can have financial, operational, legal and reputational impact. An organization’s role in critical infrastructure can also increase the potential impact of a cyberincident. Impacts may include:
1. Negative publicity resulting in loss of reputation
2. Loss of intellectual property or trade secrets
3. Fines, lawsuits and legal fees resulting from noncompliance or loss of confidential or consumer information
4. Forensic investigation costs
5. Public relations campaign costs to improve public image
6. Technology improvement costs to mitigate and improve cybersecurity controls
7. Loss of time and productivity
Source: www.isaca.org ISACA IS Audit/Assurance Program, based on NIST Cybersecurity Framework
ISACA AUDIT/ASSURANCE PROGRAMME BASED ON NIST CYBERSECURITY FRAMEWORK [5]
ISACA Security Functions & Topics covered
IDENTIFY: Asset Management, Business Environment, Governance, Risk Assessment, Risk Management
PROTECT: Access Control, Awareness and Training, Data Security, Info Protection Processes & Procedures, Maintenance, Protective Technology
DETECT: Anomalies and Events, Security Continuous Monitoring, Detection Processes
RESPOND: Response Planning, Communications, Analysis, Mitigation, Improvement
RECOVER: Recovery Planning, Improvements, Communications
Source: www.isaca.org ISACA IS Audit/Assurance Program, based on NIST Cybersecurity Framework
ISACA AUDIT/ASSURANCE PROGRAMME BASED ON NIST CYBERSECURITY FRAMEWORK [2]
Primary security and control issues include:
• Protection of sensitive data and intellectual property
• Protection of networks with multiple information resources connected
• Responsibility for devices and information held on them
Audit Objectives
• Provide management with an assessment of their cybersecurity policies and procedures and their operating effectiveness.
• Identify security control concerns that could affect the reliability, accuracy and security of the enterprise data due to weaknesses in security controls.
• Evaluate the effectiveness of response and recovery programs.
Source: www.isaca.org ISACA IS Audit/Assurance Program, based on NIST Cybersecurity Framework
ISACA AUDIT/ASSURANCE PROGRAMME BASED ON NIST CYBERSECURITY FRAMEWORK [3]
Audit Scope
The audit/assurance program may be built on 5 critical cybersecurity activities: Identify, Protect, Detect, Respond, Recover.
The auditor identifies the scope of organizational systems and assets to be reviewed. The audit/assurance program can be adapted to support various business processes, applications or systems with different security needs.
Source: www.isaca.org ISACA IS Audit/Assurance Program, based on NIST Cybersecurity Framework
ISACA AUDIT/ASSURANCE PROGRAMME BASED ON NIST CYBERSECURITY FRAMEWORK [4]
Testing Steps
Audit steps have been developed for each NIST Cybersecurity Framework subcategory to evaluate effectiveness of the organization’s controls. [Ref. Cybersecurity NIST Audit Program Excel workbook for full audit/assurance program.]
Columns in the workbook (column name: description):
Process Sub-area: An activity within an overall process influenced by the enterprise's policies and procedures that takes inputs from a number of sources, manipulates the inputs and produces outputs
Ref. Risk: Specifies the risk this control is intended to address
Control Objectives: A statement of the desired result or purpose that must be in place to address the inherent risk in the review areas within scope
Controls: The means of managing risk, including policies, procedures, guidelines, practices or organizational structures, which can be of an administrative, technical, management or legal nature
Control Type: Controls can be automated (technical), manual (administrative) or physical. Automated/technical controls are things managed or performed by computer systems. Manual/administrative controls are usually things that employees can or cannot do. Physical controls include locks, fences, mantraps and even geographic-specific controls.
Control Classification: Another way to classify controls is by the way they address a risk exposure. Preventive controls should stop an event from happening. Detective controls should identify an event when it is happening and generate an alert that prompts a corrective control to act. Corrective controls should limit the impact of an event and help resume normal operations within a reasonable time frame. Compensating controls are alternate controls designed to accomplish the intent of the original controls as closely as possible when the originally designed controls cannot be used due to limitations of the environment.
Control Frequency: Control activities can occur in real-time, daily, weekly, monthly, annually, etc.
Testing Step: Identifies the steps being tested to evaluate the effectiveness of the control under review
NIST Ref. to COBIT 5: Identifies the COBIT 5 processes related to the control objective or control activities as defined by the NIST Cybersecurity Framework
Additional Ref. COBIT 5: Identifies additional COBIT 5 processes related to the control objective or control activities
Ref. Framework/Standards: Specifies frameworks and/or standards that relate to the control under review (e.g., NIST, HIPAA, SOX, ISO)
Ref. Workpaper: The evidence column usually contains a reference to other documents that contain the evidence supporting the pass/fail mark for
Pass/Fail: Document preliminary conclusions regarding the effectiveness of controls.
Comments: Free format field
Source: www.isaca.org ISACA IS Audit/Assurance Program, based on NIST Cybersecurity Framework
10 TYPES OF CYBER SECURITY THREATS
• APT
• Cybercrime
• DDoS
• Insider Threats
• Malware
• Mobile Malware
• Ransomware
• Social Engineering
• Unpatched Systems
• Watering Hole
Source: https://cybersecurity.isaca.org/csx-threats-and-controls
72 CONTROLS
These include the following:
DATA MANAGEMENT
• Access Control
• Classification
• Data Integrity
• Data Privacy
• Data Retention/Disposal
• Data Validation
• Digital Rights Management
• Encryption
• Manipulation Controls
ARCHITECTURE CONTROLS
• Defence-in-Depth
• Device-level H/w & S/w Controls
• Endpoint Controls
• Log Management
• Network Infrastructure
• Perimeter Controls
• User/Management Awareness
Plus HARDWARE, NETWORK, SOFTWARE and USER MANAGEMENT controls
Source: https://cybersecurity.isaca.org/csx-threats-and-controls
10 (MORE) THINGS AUDITORS SHOULD KNOW ABOUT CYBER SECURITY
1. Make use of existing frameworks/guidelines
2. Consider forthcoming legislation
3. All risks are subjective
4. People are the biggest security risk
5. Basic information security controls still apply
6. Watch out for credential thefts
7. Need a cyber incident response policy and plan, fully tested
8. Cyber security strategy needs to be agile as the landscape changes
9. Cyber security awareness depends on good training
10. Everything may be interconnected
Source: www.isaca.org/auditing-cyber-security ISACA 2016
‘Where are we going?’
IoT to IoE?