Dalim Basu CISA CRISC FBCS CITP BSc.(Hons) Events Director, ISACA London Chapter [email protected] +44 7703 314 988 ‘Cyber Security – Risks, Controls, Auditing’


Page 1: ‘Cyber Security – Risks, Controls, Auditing’

Dalim Basu CISA CRISC FBCS CITP BSc.(Hons)

Events Director, ISACA London [email protected] +44 7703 314 988

Page 2:

‘Cyber Security – Risks, Controls, Auditing’ Dalim Basu

Page 3: ENVIRONMENT & DRIVERS

• Nature of business

• Security profile

• Risk tolerance

• Industry trends for security

• Mergers, acquisitions and partnerships

• Outsourcing services or providers

• Business plans and business environment

• Available information technology

Page 4: CYBERSECURITY RISK

Increasing dependence on digital technologies makes organizations more susceptible to cybersecurity risk.

Page 5: DEFINITIONS

Information security deals with information, regardless of its format. It includes:

• Paper documents

• Digital and intellectual property

• Verbal or visual communications

Cybersecurity is concerned with protecting digital assets. It includes:

• Networks

• Hardware

• Software

• Information that is processed, stored or transported by internetworked IS

Page 6: ROLES

BOARD OF DIRECTORS: Identify key assets and verify that protection levels and priorities are appropriate

EXECUTIVE COMMITTEE: Set the tone for cybersecurity management and ensure that necessary functions, resources and infrastructure are available and properly utilized

SECURITY MANAGEMENT: Develop security and risk mitigation strategies, implement security programs and manage incidents and remediation

CYBERSECURITY PRACTITIONERS: Design, implement and manage processes and technical controls and respond to events and incidents

Page 7: CYBERSECURITY TRIAD

Page 8: IDENTIFY

• Asset

• Threat Source

• Threat Event

• Vulnerability

• Inherent Risk

• Residual Risk

Page 9: LIKELIHOOD & IMPACT

Likelihood levels: Certain, Likely, Unlikely, Impossible

Page 10: SECURITY ARCHITECTURE

Security architecture shows:

• How defense in depth is implemented

• How layers of control are linked

• How elements function together

Page 11: DEFENCE IN DEPTH

CONCENTRIC RINGS

• Creates a series of nested layers that must be bypassed in order to complete an attack

• Each layer delays the attacker and provides opportunities to detect the attack

Page 12: ISOLATION & SEGMENTATION

Page 13: IPS

• Detects attacks and prevents damage to the intended victim/host

• Limits damage or disruption to systems that are attacked

• Must be properly configured to be effective

Page 14: MALWARE

Malware can be controlled through many different mechanisms, including:

• Restriction of outbound traffic

• Policies and awareness training

• Multiple layers of anti-malware software

Page 15: NETWORK RISKS

• Loss of data through unauthorized changes

• Lack of current data protection through inability to maintain version control

• Exposure to external activity through limited user verification

• Virus and worm infection

• Improper disclosure of data because of general access

• Violating software licenses

• Illegal access by impersonating legitimate users

• Internal users sniffing

• Internal users spoofing

• Destruction of logging and auditing data

Page 16: REMOTE ACCESS RISK

• Denial-of-service

• Malicious third parties

• Misconfigured communications software

• Misconfigured devices on corp. computing infrastructure

• Host systems not secured appropriately

• Physical security issues

Page 17: RISK ATTRIBUTES

Source: Encurve, LLC, Risk Management Concepts Presentation, 2013

Page 18: RISK MANAGEMENT PROCESS

Source: ISACA, COBIT 5 for Risk, 2013

Page 19: RISK ASSESSMENT ORIENTATIONS

ORIENTATION / DESCRIPTION

Asset: Important assets are defined first, and then potential threats to those assets are analyzed. Vulnerabilities are identified that may be exploited to access the asset.

Threat: Potential threats are determined first, and then threat scenarios are developed. Based on the scenarios, vulnerabilities and assets of interest to the adversary are determined in relation to the threat.

Vulnerability: Vulnerabilities and deficiencies are identified first, then the exposed assets and potential threat events are determined.

Page 20: RISK RESPONSES

• Risk Reduction: Implementation of controls or countermeasures to reduce likelihood or impact of risk to acceptable levels

• Risk Avoidance: Avoid risk by not participating in an activity or business

• Risk Transfer or Sharing: Transfer risk to third party (e.g., insurance) or share with a third party via contractual agreement

• Risk Acceptance: Assume the risk and absorb losses if risk is within tolerance or the cost of mitigation exceeds potential loss
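Worked example, added here and not code from the presentation: a small Python risk register that applies the page 20 response rules to constructed entries, using the inherent/residual distinction from page 8 and the likelihood levels from page 9. The probabilities attached to the likelihood levels, the tolerance figure and every register entry are assumptions made for the example.

```python
"""Risk response selection in the deck's own terms (pages 8, 9 and 20).
Added example, not from the presentation: the probabilities given to the
likelihood levels, the tolerance and the register entries are assumptions."""
from dataclasses import dataclass

# Assumed annual probability for each page-9 likelihood level.
LIKELIHOOD = {"Certain": 1.0, "Likely": 0.5, "Unlikely": 0.1, "Impossible": 0.0}
TOLERANCE = 10_000.0  # assumed acceptable annual expected loss (GBP)


@dataclass
class Risk:
    name: str
    likelihood: str             # page-9 level before any control (inherent)
    impact: float               # assumed loss per occurrence (GBP)
    control_cost: float         # assumed annual cost of the proposed control
    residual_likelihood: str    # level after the control (page 8: residual)
    residual_impact: float      # impact after the control
    avoidable: bool = False     # the activity could simply be dropped
    transferable: bool = False  # insurable or contractable to a third party


def expected_loss(likelihood: str, impact: float) -> float:
    """Annual expected loss for a likelihood level and an impact."""
    if likelihood not in LIKELIHOOD:
        raise ValueError(f"unknown likelihood level: {likelihood!r}")
    return LIKELIHOOD[likelihood] * impact


def choose_response(risk: Risk, tolerance: float = TOLERANCE) -> str:
    """Apply the page-20 rules and return the recommended response."""
    inherent = expected_loss(risk.likelihood, risk.impact)
    residual = expected_loss(risk.residual_likelihood, risk.residual_impact)
    avoided = inherent - residual  # loss the proposed control removes
    if inherent <= tolerance:
        return "Risk Acceptance (within tolerance)"
    if residual <= tolerance and risk.control_cost <= avoided:
        return "Risk Reduction"
    if risk.avoidable:
        return "Risk Avoidance"
    if risk.transferable:
        return "Risk Transfer or Sharing"
    if risk.control_cost > avoided:
        return "Risk Acceptance (mitigation costs more than the loss it avoids)"
    return "Risk Reduction (residual still above tolerance; escalate)"


def evaluate_register(register, tolerance: float = TOLERANCE):
    """Map each risk name to (inherent loss, residual loss, response)."""
    return {r.name: (expected_loss(r.likelihood, r.impact),
                     expected_loss(r.residual_likelihood, r.residual_impact),
                     choose_response(r, tolerance)) for r in register}


# Constructed sample register; every figure is invented for the example.
SAMPLE_REGISTER = [
    Risk("Ransomware on file server", "Likely", 200_000, 20_000, "Unlikely", 50_000),
    Risk("Phishing of low-value mailbox", "Certain", 5_000, 2_000, "Likely", 5_000),
    Risk("Data centre flood", "Unlikely", 1_000_000, 500_000, "Impossible", 0,
         transferable=True),
    Risk("Sniffing on guest VLAN", "Unlikely", 120_000, 30_000, "Unlikely", 40_000),
    Risk("Unpatched OT controller", "Likely", 400_000, 50_000, "Unlikely", 400_000),
]

if __name__ == "__main__":
    for name, (inh, res, resp) in evaluate_register(SAMPLE_REGISTER).items():
        print(f"{name:30} inherent={inh:>10,.0f} residual={res:>9,.0f} -> {resp}")
```

The last register entry shows the case the slide does not spell out: a cost-effective control that still leaves residual risk above tolerance, which needs a further decision rather than silent acceptance.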

Page 21: VULNERABILITY MANAGEMENT

• A vulnerability is an exploitable weakness that can result in loss.

• Vulnerabilities are continuously being discovered.

• Common discovery techniques include vulnerability scans and penetration tests.

• Organizations must understand cybersecurity assets and where they reside (physical and logical).

• Taking advantage of a vulnerability is called an exploit.

Page 22: Types of Vulnerabilities

TYPE / CAUSE / CYBERSECURITY EXAMPLES

Technical: Errors in design, implementation, placement or configuration

• Coding errors

• Inadequate passwords

• Open network ports

• Lack of monitoring

Process: Errors in operation

• Failure to monitor logs

• Failure to patch software

Organizational: Errors in management, decision-making, planning or ignorance

• Lack of policies

• Lack of awareness

• Failure to implement controls

Emergent: Interactions between, or changes in, environments

• Cross-organizational failures

• Interoperability errors

• Implementing new technology

Page 23: RECENT TRENDS

Source: ENISA Threat Landscape 2013 + Ransomware, APTs & more…

Page 24: Evolving Threat Landscape

Page 25: Cyber Attack Process

• Perform reconnaissance

• Create attack tools

• Deliver malicious capabilities

• Exploit and compromise

• Conduct an attack

• Achieve results

• Maintain a presence

• Coordinate a campaign

Page 26: STAGES OF AN APT ATTACK

• Target Selection

• Target Research

• Target Penetration

• Command and Control

• Target Discovery

• Data Exfiltration

• Intelligence Dissemination

• Information Exploitation

Page 27: ISACA AUDIT/ASSURANCE PROGRAMME BASED ON NIST CYBERSECURITY FRAMEWORK [1]

Source: www.isaca.org ISACA IS Audit/Assurance Program, based on NIST Cybersecurity Framework

Business Risk & Impact

Cyberincidents can have financial, operational, legal and reputational impact.

An organization’s role in critical infrastructure can also increase the potential impact of a cyberincident. Impacts may include:

1. Negative publicity resulting in loss of reputation

2. Loss of intellectual property or trade secrets

3. Fines, lawsuits and legal fees resulting from noncompliance or loss of confidential or consumer information

4. Forensic investigation costs

5. Public relations campaign costs to improve public image

6. Technology improvement costs to mitigate & improve cybersec controls

7. Loss of time and productivity

Page 28: ISACA AUDIT/ASSURANCE PROGRAMME BASED ON NIST CYBERSECURITY FRAMEWORK [5]

ISACA Security Functions & Topics covered

IDENTIFY: Asset Management, Business Environment, Governance, Risk Assessment, Risk Management

PROTECT: Access Control, Awareness and Training, Data Security, Info Protection Processes & Procedures, Maintenance, Protective Technology

DETECT: Anomalies and Events, Security Continuous Monitoring, Detection Processes

RESPOND: Response Planning, Communications, Analysis, Mitigation, Improvement

RECOVER: Recovery Planning, Improvements, Communications

Page 29: ISACA AUDIT/ASSURANCE PROGRAMME BASED ON NIST CYBERSECURITY FRAMEWORK [2]

Primary security and control issues include:

• Protection of sensitive data and intellectual property

• Protection of networks with multiple information resources connected

• Responsibility for devices and information held on them

Audit Objectives

• Provide management with an assessment of their cybersecurity policies and procedures and their operating effectiveness.

• Identify security control concerns that could affect the reliability, accuracy and security of the enterprise data due to weaknesses in security controls.

• Evaluate the effectiveness of response and recovery programs.

Page 30: ISACA AUDIT/ASSURANCE PROGRAMME BASED ON NIST CYBERSECURITY FRAMEWORK [3]

Audit Scope

The audit/assurance program may be built on 5 critical cybersecurity activities: Identify, Protect, Detect, Respond, Recover.

The auditor identifies the scope of organizational systems and assets to be reviewed. The audit/assurance program can be adapted to support various business processes, applications or systems with different security needs.

Testing Steps

Audit steps have been developed for each NIST Cybersecurity Framework subcategory to evaluate effectiveness of the organization’s controls.

[Ref. Cybersecurity NIST Audit Program Excel workbook for full audit/assurance program].

Page 31: ISACA AUDIT/ASSURANCE PROGRAMME BASED ON NIST CYBERSECURITY FRAMEWORK [4]

Column Name / Description

Process Sub-area: An activity within an overall process influenced by the enterprise's policies and procedures that takes inputs from a number of sources, manipulates the inputs and produces outputs

Ref. Risk: Specifies the risk this control is intended to address

Control Objectives: A statement of the desired result or purpose that must be in place to address the inherent risk in the review areas within scope

Controls: The means of managing risk, including policies, procedures, guidelines, practices or organizational structures, which can be of an administrative, technical, management or legal nature

Control Type: Controls can be automated (technical), manual (administrative) or physical. Automated/technical controls are things managed or performed by computer systems. Manual/administrative controls are usually things that employees can or cannot do. Physical controls include locks, fences, mantraps and even geographic specific controls.

Control Classification: Another way to classify controls is by the way they address a risk exposure. Preventive controls should stop an event from happening. Detective controls should identify an event when it is happening and generate an alert that prompts a corrective control to act. Corrective controls should limit the impact of an event and help resume normal operations within a reasonable time frame. Compensating controls are alternate controls designed to accomplish the intent of the original controls as closely as possible when the originally designed controls cannot be used due to limitations of the environment.

Control Frequency: Control activities can occur in real-time, daily, weekly, monthly, annually, etc.

Testing Step: Identifies the steps being tested to evaluate the effectiveness of the control under review

NIST Ref. to COBIT 5: Identifies the COBIT 5 processes related to the control objective or control activities as defined by the NIST Cybersecurity Framework

Additional Ref. COBIT 5: Identifies additional COBIT 5 processes related to the control objective or control activities

Ref. Framework/Standards: Specifies frameworks and/or standards that relate to the control under review (e.g., NIST, HIPAA, SOX, ISO)

Ref. Workpaper: The evidence column usually contains a reference to other documents that contain the evidence supporting the pass/fail mark for

Pass/Fail: Document preliminary conclusions regarding the effectiveness of controls.

Comments: Free format field

Page 32: 10 TYPES OF CYBER SECURITY THREATS

Page 33: 10 TYPES OF CYBER SECURITY THREATS

• APT

• Cybercrime

• DDOS

• Insider Threats

• Malware

• Mobile Malware

• Ransomware

• Social Engineering

• Unpatched Systems

• Watering Hole

Source: https://cybersecurity.isaca.org/csx-threats-and-controls

Page 34: 72 CONTROLS

Source: https://cybersecurity.isaca.org/csx-threats-and-controls

These include the following:

DATA MANAGEMENT

• Access Control

• Classification

• Data Integrity

• Data Privacy

• Data Retention/Disposal

• Data Validation

• Digital Rights Management

• Encryption

• Manipulation Controls

ARCHITECTURE CONTROLS

• Defence-in-Depth

• Device-level H/w & S/w Controls

• Endpoint Controls

• Log Management

• Network Infrastructure

• Perimeter Controls

• User/Management Awareness

Plus HARDWARE, NETWORK, SOFTWARE, USER MANAGEMENT Controls

Page 35: 10 (MORE) THINGS AUDITORS SHOULD KNOW ABOUT CYBER SECURITY

• Make use of existing frameworks/guidelines

• Consider forthcoming legislation

• All risks are subjective

• People are the biggest security risk

• Basic info security controls still apply

• Watch out for credential thefts

• Need a cyber incident response policy and plan, fully tested

• Cyber security strategy needs to be agile as landscape changes

• Cyber security awareness depends on good training

• Everything may be interconnected

Source: www.isaca.org/auditing-cyber-security ISACA 2016

Page 36: IoT to IoE?

‘Where are we going?’ Dalim Basu

Page 37:

‘Cyber Security’ Dalim Basu

Page 38: ‘Cyber Security – Risks, Controls, Auditing’

Dalim Basu CISA CRISC FBCS CITP BSc.(Hons)

Events Director, ISACA London [email protected] +44 7703 314 988