
PowerPoint Presentation: Cybersecurity Basics for Accountants & Tax Community


Pages 1-5

Dr. Robert K. Minniti, DBA, CPA, CFE, Cr.FA, CVA, CFF, MAFF, CGMA, PI

President, Minniti CPA, LLC

Cybersecurity Basics for Accountants & Tax Community

Page 6

Dr. Robert K. Minniti

DBA – Doctor of Business Administration
CPA – Certified Public Accountant
CFE – Certified Fraud Examiner
Cr.FA – Certified Forensic Accountant
CFF – Certified in Financial Forensics
CVA – Certified Valuation Analyst
MAFF – Master Analyst in Financial Forensics
CGMA – Chartered Global Management Accountant
PI – Licensed Private Investigator

Page 7

Objectives

Upon completing this class you will be able to:

Identify cybersecurity risks

Identify internal controls for cybersecurity

Pages 8-9

Cybersecurity Terminology

Threat

An event with the potential to adversely affect an organization

Unauthorized access to systems or data

Destruction of systems or data

Disclosure of data

Modifications or changes to data

Denial of service (DoS)

Page 10

Cybersecurity Terminology

Adversary

An individual or entity with the intent to harm an organization by conducting cyber attacks

Attacker

An individual or entity attempting to harm an organization by conducting cyber attacks

Page 11

Cybersecurity Terminology

Authorization

Access privileges granted to users or applications

Authentication

Verifying the identity of a user, software application or device before granting access

Page 12

Cybersecurity Terminology

Encryption

Converting data into a form that cannot be read or viewed until it is decrypted with the correct key.

An average desktop computer is estimated to take around 6.4 quadrillion years to brute-force an RSA 2048-bit key, which is why attackers go after the key or the people who hold it (weak passwords, phishing, malware on the endpoint) rather than the mathematics.

Page 13

Cybersecurity Terminology

Hacker

An individual or entity trying to gain access to an IT system to steal or compromise data

Black hat hacker: breaks into systems without authorization for criminal or malicious ends

White hat hacker: tests systems with the owner's permission (for example, a penetration tester)

Gray hat hacker: acts without authorization but without criminal intent, for example probing a system uninvited and then reporting the flaw

Page 14

Polling Question #1

True or False

A black hat hacker is usually considered a criminal

Page 15

Hackers

Hackers have different motivations for their actions

Hacktivists

Cyber Criminals

Insiders

Competitors

Nation States

Joyriders

Upset customers

Law Enforcement

Page 16

Cybersecurity Terminology

Weakness

A vulnerability in the IT system:

Software bugs

Hardware issues

Security issues

Page 17

EXAMPLES OF VULNERABILITIES

"Meltdown" (CVE-2017-5754) is a flaw that lets an ordinary application read the private contents of kernel memory across the security boundary that the processor is supposed to enforce; it affects Intel chips produced over the previous decade.

"Spectre" (CVE-2017-5753 and CVE-2017-5715) is more insidious and widespread, having been found in chips from AMD and ARM as well as Intel. Spectre lets an attacker bypass the isolation between different applications, so one program can read data belonging to another.

https://www.knowbe4.com/

Page 18

Cybersecurity Terminology

Exfiltration

The unauthorized theft or transfer of data

Exposure

The time period in which a vulnerability can be exploited

Page 19

Polling Question #2

True or False

Exfiltration is the unauthorized theft or transfer of data

Page 20

Backdoors

A backdoor is a route into a computer that circumvents the user authentication process and allows hackers open access to the system once it is installed.

Page 21

Computer Virus

A computer virus is usually hidden in a computer program and performs functions such as copying or deleting data files. A computer virus creates copies of itself that it inserts in data files or other programs.

Page 22

Trojan Horse

A Trojan horse is a malware program that is disguised as something else. Users assume it is a beneficial program when in fact it is not. Trojan horses are often used to insert spyware onto computers.

Page 23

Computer Worms

A computer worm is a type of malware that transmits itself over networks and the internet to infect more computers with the malware.

Page 24

Polling Question #3

True or False

A computer virus attacks software already on your computer

Page 25

Internet of Things (IoT)

Devices with access to an IT system or to the internet:

Cameras

Microphones

Cars

Thermostats

Appliances

Copiers & office equipment

Page 26

Cloud Computing

Using the internet to connect with remote servers to access software or data.

Page 27

INTERNET STRUCTURE

www.cybertraining365.com

Pages 28-30

Cybersecurity Risks

Civil litigation

Fines

Damage to reputation

Loss of customers

Government settlement – long term audits

Business disruption

Ransom payments

Page 31

Cybersecurity Risk Factors

Employees

Don’t understand the risks

Lack of cybersecurity training

Override internal controls

Inattention

Working remotely

Data & file sharing

Using personal devices

Page 32

Cybersecurity Risk Factors

IT Systems

Complex IT systems

Older technology

Bring your own device (BYOD)

Lack of internal controls

Ineffective cybersecurity measures

Undertrained IT personnel

File sharing

Cloud computing

Page 33

CYBERSECURITY RISKS

https://amp-cnn-com.cdn.ampproject.org/c/s/amp.cnn.com/cnn/2020/04/14/politics/coronavirus-scams-and-rip-offs/index.html

Page 34

Phishing

Used to gain personal or business information, such as usernames, passwords, Social Security numbers, and credit card numbers, etc.

Often accomplished by using fraudulent e-mail messages that appear to come from legitimate businesses or government agencies.
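The indicators described above (a sender that impersonates a legitimate organization, a link that does not go where it claims, pressure to act right now) can be checked mechanically before a user ever clicks. The following Python script is an added example and not part of the original slides: it parses a raw e-mail with the standard library and reports header mismatches, link text that names a different host than the link target, bare IP addresses and plain-HTTP links, and urgency language. Both embedded messages are constructed for the demonstration; the domains and the IP address in them are made up (the IP is from a reserved documentation range), and the list of urgency phrases is the example's own assumption.

```python
"""Heuristic phishing indicators for a raw e-mail message (added example)."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrases used to rush the reader; this list is an assumption, extend it for your environment.
URGENCY = ("immediately", "final notice", "suspended", "within 24 hours", "lawsuit")

# Constructed sample: a fake IRS refund lure (irs-gov-secure.com, 198.51.100.23 etc. are invented).
PHISH = """\
From: "IRS Online Services" <notice@irs-gov-secure.com>
Reply-To: refunds@mail-refund-center.net
Return-Path: <bounce@bulkmailer.example>
To: victim@example.com
Subject: Final notice: your tax refund is on hold
Content-Type: text/html; charset=utf-8

<html><body><p>Your refund is on hold. Confirm your identity <b>immediately</b> at
<a href="http://198.51.100.23/irs/login">https://www.irs.gov/refunds</a>
or your account will be suspended.</p></body></html>
"""

# Constructed sample: an ordinary internal notice that should produce no findings.
BENIGN = """\
From: "Payroll" <payroll@example.com>
To: staff@example.com
Subject: March pay statements are available
Content-Type: text/plain; charset=utf-8

Your March pay statement is posted on the intranet.
"""


def domain_of(header_value):
    """Lower-cased domain of the first address in a header, or '' if the header is absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze(raw):
    """Return a list of phishing indicators found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Reply-To / Return-Path pointing somewhere other than the visible sender.
    from_dom = domain_of(msg["From"])
    for hdr in ("Reply-To", "Return-Path"):
        dom = domain_of(msg[hdr])
        if dom and dom != from_dom:
            findings.append(f"{hdr} domain {dom} differs from From domain {from_dom}")

    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body else ""
    if body is not None and body.get_content_type() == "text/html":
        extractor = LinkExtractor()
        extractor.feed(content)
        links = extractor.links
        text = re.sub(r"<[^>]+>", " ", content)  # strip tags for the wording check below
    else:
        links = [(u, u) for u in re.findall(r"https?://\S+", content)]
        text = content

    # 2. Links whose visible text names one host while the href goes to another,
    #    plus bare IP literals and plain-HTTP pages asking for credentials.
    for href, shown in links:
        target = urlparse(href)
        if re.match(r"(https?://|www\.)", shown):
            shown_host = urlparse(shown if "://" in shown else "//" + shown).hostname
            if shown_host and shown_host != target.hostname:
                findings.append(f"Link text shows {shown_host} but points to {target.hostname}")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", target.hostname or ""):
            findings.append(f"Link host is a bare IP address: {target.hostname}")
        if target.scheme != "https":
            findings.append(f"Link is not HTTPS: {href}")

    # 3. Pressure language in the subject or body.
    lowered = f"{msg['Subject'] or ''} {text}".lower()
    hits = [w for w in URGENCY if w in lowered]
    if hits:
        findings.append("Urgency language: " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    for name, sample in (("PHISH", PHISH), ("BENIGN", BENIGN)):
        print(name, analyze(sample) or ["no indicators"])
```

None of these checks is proof on its own (a legitimate newsletter may have a Return-Path at a mailing vendor), which is why the script reports a list of indicators for a human to weigh rather than a verdict; a mail gateway would typically score them and quarantine above a threshold.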

Pages 35-39

Phishing Example (screenshots of phishing e-mails, not reproduced in the text)

Page 40

IRS Vishing

Computer generated voice:

Hello. This call is officially a final notice from the IRS, Internal Revenue Service. The reason of this call is to inform you that IRS is filing lawsuit against you. To get more information about this case file, please call immediately on our department number 202-492-8816. I repeat 202-492-8816. Thank you.

VISHING

Vishing is similar to phishing but it occurs over the phone rather than over the internet.

Criminals try to obtain information or try to load malware on the victim’s computer.

Page 41

VISHING

Page 42

DISGUISING A VOICE

When criminals want to disguise their voices over the phone it is easy to do because there are numerous “Apps for that”

Page 43

Smishing Examples

Page 44

SPOOFING A PHONE NUMBER

https://www.spoofcard.com/apps

Page 45

Polling Question #4

True or False

Criminals use phishing emails to obtain information or to load malware on a victim’s computer

Page 46

Denial of Service Attacks

In this cybercrime, criminals flood a server or website with more traffic or requests than it can handle so that legitimate users cannot reach it. In a distributed denial of service (DDoS) attack the traffic comes from a botnet, a network of infected computers under the criminals' control.

Oftentimes criminals follow up with an attempt to break into the system and plant malware on the server while the victim's IT staff are busy repairing the damage.

Page 47

Malware

Malware is placed on computers or cell phones to hijack the computers, steal data, or encrypt the data for ransom.

Page 48

Ransomware

Ransomware is placed on computers to encrypt your data until a ransom is paid for the decryption key.

CryptoLocker (2013) is one example of ransomware.

CryptoWall 2.0 (2014) was a later family of the same kind.

The FBI estimates that ransomware is a $1 Billion a year fraud

http://money.cnn.com/2016/04/15/technology/ransomware-cyber-security/index.html?section=money_technology

Page 49

RANSOMWARE

Scareware (Pop-ups)

PC Cyborg, also called the AIDS Trojan (1989)

TeslaCrypt (Gamers)

Locky (Email)

WannaCry (Windows SMB flaw, 2017)

https://www.knowbe4.com/

Page 50

CryptoLocker

Page 51

Ransomware

Page 52

RANSOMWARE ATTACKS EMAIL

https://www.knowbe4.com/

Page 53

Cell Phone Spyware

Popular versions of spyware for cell phones

• HighsterMobile

• Spyera

• Spyrix

• FlexiSpy

• Mobile Spy

• MobiStealth

• mSpy

Page 54

Cell Phone Spyware

Criminals have rigged public charging stations to load malware onto, or pull data from, mobile devices plugged into them ("juice jacking").

Charge from a wall outlet with your own adapter, or use a power-only USB adapter (a "USB data blocker" or "USB condom") that leaves the data pins unconnected.

Page 55

Other Spyware

Popular versions of other types of spyware

• Keylogger

• Win-Spy

• Spytech Spy Agent

• SpectorSoft

• 007 Spy Software

Page 56

Polling Question #5

True or False

One type of ransomware encrypts data on your computer

Page 57

Data Breaches

Stealing data from computer systems belonging to companies, governmental units, and even not-for-profit organizations.

Large amounts of information are stolen in a short amount of time.

Page 58

Data Breaches in 2016

2017 Cost of Data Breach Study: Global Analysis, Benchmark research sponsored by IBM, Independently conducted by Ponemon Institute LLC

Page 59

Sockpuppets

Page 60

Computer Generated Photos

https://petapixel.com/2018/12/17/these-portraits-were-made-by-ai-none-of-these-people-exist/

Page 61

Polling Question #6

True or False

Lack of adequate internal controls is one cybersecurity risk

Page 62

Cybersecurity Risk Management

Managing IT assets

Employee awareness & training

Business continuation

Change management

IT configuration management

Data security

Disaster recovery plan

Incident response plans & teams

Page 63

Cybersecurity Risk Management

Access control

Monitoring issues

Sending alerts

Managing media & data

Physical security

Environmental considerations

Hardware & software maintenance

Page 64

Cybersecurity Risk Management

Vendor management

Employee training

Assessing new hardware & software

Mobile devices

Work-at-home employees

Customer access

Legal & regulatory requirements

Backing up data

Pages 65-66

Cybersecurity Frameworks

COSO Framework for Internal Control

COBIT

ISO 27001

NIST

CIS Critical Security Controls

HITRUST

Page 67

COSO Framework for Internal Controls

The COSO Framework for Internal Controls has five components

Control Environment

Control Activities

Risk Assessment

Information & Communication

Monitoring

2013, Committee of Sponsoring Organizations of the Treadway Commission (COSO)

Page 68

COSO Requirements for IT

Select and Develop General Controls over Technology

Determines Dependency between the Use of Technology in Business Processes and Technology General Controls

Establishes Relevant Technology Infrastructure Control Activities

Establishes Relevant Security Management Process Control Activities

Establishes Relevant Technology Acquisition, Development, and Maintenance Process Control Activities

2013, Committee of Sponsoring Organizations of the Treadway Commission (COSO)

Page 69

COBIT

Created and published by ISACA

Used in conjunction with the COSO Framework

Often adopted by public companies

A best-practices framework for IT governance and management

Four main domains (as organized in COBIT 4.1; COBIT 5 and COBIT 2019 regroup them):

Plan & organize

Acquire & implement

Deliver & support

Monitor & evaluate

Page 70

ISO 27001

Created and published by the International Organization for Standardization (ISO) jointly with the IEC

Specifies the requirements for an information security management system (ISMS) and is one of the most widely recognized information security standards

Most commonly used outside the U.S.

Focuses on technology and information assets

Concentrates on risk assessment and mitigation; an organization can be certified against it by an accredited auditor

Page 71

NIST

Created and published by the National Institute of Standards and Technology (NIST)

Used for implementing the Federal Information Security Management Act of 2002 (FISMA), chiefly through the NIST SP 800-53 control catalog

Developed for and used by government agencies and contractors; the separate NIST Cybersecurity Framework (CSF) is also widely adopted by private companies

Sets minimum requirements for IT security

Page 72

CIS Critical Security Controls

Recommended cybersecurity controls

Provides specific ways to stop attacks

Prioritizes actions with high payoff results

Pages 73-74

HITRUST

A risk & compliance framework

Mostly used in the US healthcare industry

Designed to protect personal health information (PHI)

Scalable to organizations of different sizes and types

Easily updated as regulations change

Defines a set of internal controls

Page 75

Polling Question #7

True or False

The HITRUST framework is predominately used in the US healthcare industry

Pages 76-78

Basic Internal Controls

Router & Switch

Firewall (Hardware & Software)

Virtual Private Network (VPN)

Encryption

Proxies

Network Intrusion Prevention System (NIPS)

Network Intrusion Detection System (NIDS)

Security Information and Event Management (SIEM)

Page 79

Basic Internal Controls

Limit access with user IDs and passwords

Require complex passphrases

A minimum of 24 characters (length does more for strength than forced symbol or case rules)

Require password changes every 90 days (note that NIST SP 800-63B advises against forced periodic changes unless a compromise is suspected; screening new passwords against a list of known-breached passwords does more good)

Reset the default local administrator password

Spam filters

SOC for Cybersecurity (Vendors & others with access)

Page 80

Basic Internal Controls

Conduct a background check before hiring an employee who will have access to IT systems.

Conduct regular training for employees on how to protect company information.

Enroll in a back-up or wiping program that backs up smartphones and will allow you to remotely erase the information on a lost or stolen phone.

Page 81

Basic Internal Controls

Install a good anti-virus program on your computer and keep it up-to-date.

Encrypt your office wireless networks using WPA2 or, where the equipment supports it, WPA3; never leave a network open or on WEP.

Do not send company information over public WiFi networks.

Page 82

Basic Internal Controls

Do not reply to e-mails or click on links in e-mails from unknown sources.

Use a separate computer for bank and financial transactions

Monitor user activity on your IT system

Cyber Insurance

Page 83

Basic Internal Controls

Have real time monitoring of security events on your IT system

Update all software when vendor updates are made available

Use multi-factor authentication (a biometric can serve as one of the factors, but not as the only one)

Conduct regular penetration & phishing tests
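"Monitor user activity" and "real-time monitoring of security events" only pay off once someone has written down what suspicious looks like. The following Python script is an added example, not part of the original slides: it runs two simple detection rules over authentication log lines in the style written by an SSH server (repeated failed logins from one address inside a time window, and a successful login from that same address while those failures are still inside the window, which is the case worth waking someone up for). The log lines, host name, user names and IP addresses are all constructed for the demonstration, the year is supplied because syslog timestamps omit it, and the five-failures-in-ten-minutes threshold is an assumption to be tuned to the environment.

```python
"""Flag password guessing, and a login that follows it, from auth log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style log lines; the host, users and IPs (203.0.113.7, 192.0.2.15) are made up.
SAMPLE_LOG = """\
Mar 12 09:14:01 fileserver sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 52211 ssh2
Mar 12 09:14:03 fileserver sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 52213 ssh2
Mar 12 09:14:06 fileserver sshd[2211]: Failed password for root from 203.0.113.7 port 52215 ssh2
Mar 12 09:14:09 fileserver sshd[2212]: Failed password for jsmith from 203.0.113.7 port 52218 ssh2
Mar 12 09:14:12 fileserver sshd[2213]: Failed password for jsmith from 203.0.113.7 port 52220 ssh2
Mar 12 09:14:15 fileserver sshd[2214]: Accepted password for jsmith from 203.0.113.7 port 52222 ssh2
Mar 12 09:20:44 fileserver sshd[2301]: Failed password for mlee from 192.0.2.15 port 40110 ssh2
Mar 12 09:21:02 fileserver sshd[2302]: Accepted password for mlee from 192.0.2.15 port 40112 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse(lines, year=2020):
    """Turn matching log lines into (timestamp, ip, user, success) tuples.

    Syslog timestamps carry no year, so one is supplied (an assumption of this example).
    """
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["user"], m["result"] == "Accepted"))
    return events


def detect(events, threshold=5, window=timedelta(minutes=10)):
    """Sliding-window rules per source IP; returns a list of alert dicts.

    brute_force:            at least `threshold` failures inside `window` (alerted once per IP).
    success_after_failures: a successful login from an IP that still has `threshold`
                            failures inside the window, i.e. one of the guesses may have worked.
    The threshold and window are assumptions; tune them to your environment.
    """
    recent = defaultdict(deque)  # ip -> deque of (ts, user) for failures still inside the window
    flagged = set()
    alerts = []
    for ts, ip, user, ok in sorted(events):
        q = recent[ip]
        while q and ts - q[0][0] > window:  # drop failures that have aged out of the window
            q.popleft()
        if ok:
            if len(q) >= threshold:
                alerts.append({"type": "success_after_failures", "ip": ip, "user": user,
                               "failures": len(q), "time": ts})
        else:
            q.append((ts, user))
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"type": "brute_force", "ip": ip, "failures": len(q),
                               "users": sorted({u for _, u in q}), "time": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG.splitlines())):
        print(alert)
```

Running it on the sample produces one brute_force alert for 203.0.113.7 (five failures across the accounts admin, root and jsmith in eleven seconds) followed by a success_after_failures alert when jsmith logs in from the same address; the single mistyped password from 192.0.2.15 stays below the threshold and is ignored. The same two rules are what a SIEM correlation search expresses against Windows Security event IDs 4625 and 4624.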

Page 84

Polling Question #8

True or False

Internal controls over a company’s IT system and data are essential

Page 85

Any Questions?