Internal Audit, Risk, Business & Technology Consulting
Protiviti Perspective provided by Michael K., New York
A PEN TEST IS NOT ENOUGH
February 27, 2019
© 2019 Protiviti – Confidential. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.
DOES THIS CYCLE SOUND FAMILIAR?
• Perform Annual Pen Test
• Perform Regular Vulnerability Scans
• Remediate Scan Results
• Pen Testers Gain Domain Admin
• Remediate Exploited Vulnerabilities
FOCUS FOR TODAY
Today we will cover:
• The Current Cybersecurity & Business Landscape
• Strategies for How Internal Audit Can Grow to Meet these Changes
– Effectively Engage the Board of Directors
– Adapt our Methods
• Provide Tactical Approaches to Better Audit Cybersecurity
THE CURRENT LANDSCAPE
INTERNET CRIME IS ON THE RISE
• The average cost of a data breach is $3.86 Million
• Complaints have been filed in all 50 states
• $2.3 Billion in adjusted losses for 2018
• 1,420,555 complaints filed with the FBI in 2017
• Over $5.52 Billion in losses between 2013 and 2017
Source: 2018 Internet Crime Report (FBI)
MEANWHILE, THE BUSINESS IS EVOLVING…
Innovation Timeline
• 1990s: The Internet revolutionized the way we live, communicate, and do business
• Mid 2000s: Social Media has become ingrained in our personal and professional lives
• Present Day, the next wave of innovation: Robotic Automation is expected to revolutionize the business process outsourcing landscape, changing the way we operate
– Robotic Automation market estimated to reach $4.98B USD by 2020 [1]
– Forecasted to grow 60.5% annually from 2014-2020 [1]
– Increasing automation is the second most important strategic priority for shared services and global business services leaders. [2]
– Key factors driving market growth: cost benefits and efficiency realized over manual process handling
Informational Sources: [1] IT Robotic Automation Market (RPA Tools and Services), Transparency Market Research, March 2015. [2] M. Rostron, With RPA good things come to those that don’t wait, Redwood, April 2016.
HOW DO WE KEEP UP?
UNDERSTAND OUR KEY RISKS
• Critical assets are not appropriately secured within an electronic security perimeter and may become vulnerable to threats.
• Personnel without appropriate levels of training may not follow required procedures for securing critical assets.
• Inappropriate response to suspected events may create additional risks to systems and entities beyond the initially targeted systems.
• Inappropriate parties may gain unauthorized physical access to critical assets/products.
• Recovery of critical assets may not be possible without appropriate recovery plans (example: ransomware).
• Critical assets may not be secure if methods, processes and procedures for securing these systems have not been defined.
• Responses to security incidents may not be appropriate if a comprehensive plan is not developed.
• Critical assets are not identified and may not be included in the organization’s security plans.
UNDERSTAND WHY WE AREN’T BETTER AT DETECTING INCIDENTS
1. Breaches (of the kind where data is stolen) are usually the result of targeted attacks (an attacker, with intention, is going after the target).
2. The security detection capabilities most organizations have work primarily by identifying known, bad signatures or suspicious behaviors (IP addresses, known malware, port scans).
3. Targeted attackers fly under the radar enough to keep their signatures and behaviors unknown (at least for a long time), so these detection capabilities rarely work on them.
Detection tools are mostly focused on detecting and responding to known bad behaviors.
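The point above, shown as an added example that is not part of the original deck: a signature-based rule set flags only indicators already on a known-bad list, so the commodity event (a known-bad source IP and a known-bad file hash) is caught, while the targeted activity, a service account logging on to a domain controller it never uses and then running a never-before-seen binary, matches no signature at all and is surfaced only by a behavioral baseline. Every host name, account, IP address, hash, log event and baseline below is constructed for the illustration; the "known-bad" lists are placeholders, not real indicators.

```python
"""Signature-based vs. baseline-based detection over constructed log events.

Added example, not part of the Protiviti deck. Every host name, account,
IP address, hash and log event below is constructed for illustration, and
the "known-bad" lists are placeholders rather than real indicators.
"""
from collections import defaultdict

# Placeholder indicator lists of the kind a signature-based tool matches on.
KNOWN_BAD_IPS = {"198.51.100.23"}        # constructed (TEST-NET-2 range)
KNOWN_BAD_HASHES = {"deadbeef" * 8}      # constructed placeholder SHA-256

# Constructed behavioral baseline, as if learned from prior weeks of logs:
# which hosts each account normally logs on from, and which binaries
# normally execute on each sensitive host.
BASELINE_LOGON_HOSTS = {
    "svc_backup": {"bkp01", "bkp02"},
    "j.doe": {"ws-jdoe"},
}
BASELINE_EXEC_HASHES = {
    "dc01": {"ab" * 32, "cd" * 32},
}

# Constructed events: (timestamp, host, user, src_ip, action, sha256 or None)
EVENTS = [
    ("2019-02-27T08:01:00", "ws-jdoe", "j.doe", "10.0.5.17", "logon", None),
    ("2019-02-27T08:15:00", "ws-kiosk", "guest", "198.51.100.23", "download", "deadbeef" * 8),
    ("2019-02-27T22:40:00", "dc01", "svc_backup", "10.0.9.201", "logon", None),
    ("2019-02-27T22:41:00", "dc01", "svc_backup", "10.0.9.201", "exec", "0f" * 32),
]


def signature_alerts(events):
    """Flag only indicators that are already on a known-bad list."""
    alerts = []
    for ts, host, user, ip, action, sha in events:
        if ip in KNOWN_BAD_IPS:
            alerts.append((ts, host, "known-bad source IP"))
        if sha is not None and sha in KNOWN_BAD_HASHES:
            alerts.append((ts, host, "known-bad file hash"))
    return alerts


def baseline_alerts(events, logon_baseline, exec_baseline):
    """Flag deviations from learned-normal behavior; needs no prior signature."""
    alerts = []
    for ts, host, user, ip, action, sha in events:
        normal_hosts = logon_baseline.get(user)
        if action == "logon" and normal_hosts is not None and host not in normal_hosts:
            alerts.append((ts, host, f"{user} logon from host outside its baseline"))
        normal_hashes = exec_baseline.get(host)
        if action == "exec" and normal_hashes is not None and sha not in normal_hashes:
            alerts.append((ts, host, "never-before-seen binary executed on sensitive host"))
    return alerts


def triage(events):
    """Run both detectors and group alert reasons by host."""
    by_host = defaultdict(set)
    combined = signature_alerts(events) + baseline_alerts(
        events, BASELINE_LOGON_HOSTS, BASELINE_EXEC_HASHES
    )
    for ts, host, reason in combined:
        by_host[host].add(reason)
    return {host: sorted(reasons) for host, reasons in by_host.items()}


if __name__ == "__main__":
    for host, reasons in triage(EVENTS).items():
        print(host, "->", "; ".join(reasons))
```

Run as written, the signature rules alert only on ws-kiosk, and the domain controller activity is reported solely by the baseline rules. The baseline here is a hand-built dictionary; in practice it is derived from the organization's own history, which is exactly the capability the slide says most detection programs lack.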
BOARDS ARE PAYING ATTENTION TO CYBER SECURITY RISK…
BOARDS ARE HIGHLY ENGAGED IN THE TOPIC
Boards show a significant level of engagement in and understanding of the organization’s information security risks.
Source: Protiviti and ISACA’s 7th Annual IT Audit Benchmarking Survey
8 KEY CONSIDERATIONS FOR BOARD OVERSIGHT OF CYBER SECURITY RISK
1. The organization must be prepared for success.
2. It is highly probable that the company is already breached and does not know it.
3. The board should focus on adverse business outcomes that must be managed.
4. Cyber threats are constantly evolving.
5. Cyber security is like a game of chess, so companies should play it that way.
6. Cyber security must extend beyond the four walls.
7. Cyber issues cannot dominate the IT budget.
8. Directors should gauge their confidence in the advice they are receiving.
…SO HOW CAN YOU RESPOND?
QUARTERLY REPORTING: EXAMPLE METRICS TO SHARE WITH THE BOARD
Incident Metrics:
• Number of Security Incidents
• Number of Lost or Stolen Unencrypted Devices
Technology Metrics:
• Number of Servers Infected with Malware
• Number of High Risk Vulnerabilities and Age of Those Risks
Vendor Metrics:
• Percentage of High Risk Suppliers that Comply with Standard Security Requirements
Audit Metrics:
• Percentage of Appropriate Responses to Email Penetration Tests
• Number of Open Audit Issues and Age of Those Issues
Incident Metrics:
• Percentage of Employees Completing Awareness Training
• Percentage of Employee Access Terminated Within Established Target
CYBER SECURITY RISK – ROLES AND RESPONSIBILITIES
Effective risk management is the product of multiple layers of risk defense. Internal audit should support the board’s need to understand the effectiveness of cyber security controls.
Roles and Responsibilities
1st Line of Defense: Business and IT Functions
• Include risk-informed decision making into daily operations.
• Define accepted risk levels and escalate any risks outside of tolerance.
• Perform risk mitigation procedures as appropriate.
2nd Line of Defense: Information Technology Risk Management Functions
• Establish risk governance, including baselines, policies and standards.
• Implement risk mitigation tools, procedures and monitoring.
• Provide risk oversight.
3rd Line of Defense: Internal Audit
• Independently assess program effectiveness.
• Report risk management effectiveness to the board.
• Comply with SEC requirements and disclosure obligations related to cyber security risks.
Given recent high-profile cyber attacks, data losses and regulatory expectations, it is critical for internal audit to understand cyber risks and be prepared to address the questions and concerns raised by the audit committee and the board.
WHAT STEPS CAN AUDIT TAKE AS THE THIRD LINE OF DEFENSE?
Support the Board
1. Cyber security is an enterprise-wide risk management issue
2. Understand the legal implications of cyber risks
3. Access to cyber security expertise
4. Set an expectation that management will establish an enterprise-wide risk management
5. Discussion of cyber risk should include identification of what risks to avoid, accept, mitigate or transfer
Anticipate the Board
1. Does the organization use a security framework?
2. What are the top five risks this organization faces related to cyber security?
3. How are employees made aware of their role related to cyber security?
4. Are both internal and external threats considered when planning cyber security activities?
5. How is cyber security governance handled within this organization?
6. In the event of a serious breach, has management developed a robust response plan?
Dig Deeper
1. Ask the thousand “hows”
2. Know the process
3. Follow the data
4. Training, training, training
CYBER SECURITY AND THE AUDIT PLAN
Cyber risk continues to garner a high level of attention and interest, yet a number of organizations still do not include it in the audit plan.
Source: Protiviti and ISACA’s 7th Annual IT Audit Benchmarking Survey
A PEN TEST IS NOT ENOUGH
PEN TESTS: WHAT THEY ARE & AREN’T
Internal audit plans frequently include a penetration test, and only a penetration test, as a cyber security-related audit. Pen tests sometimes provide a false sense of security, and organizations need to be aware of what a typical pen test entails and what it doesn’t.
A Pen Test is…
1. A strong component in a broader program to evaluate your organization’s security posture.
2. A simulation of a single attack limited to the scope defined by those involved and budget constraints.
3. Time bound to the length of the engagement.
4. Constrained to the path of least resistance.
A Pen Test is Not…
1. A thorough review of all exploitable vulnerabilities.
2. A test of your organization’s full response and vulnerability management programs.
3. Assurance that you could not be breached by another approach.
4. An assessment of the underlying IT processes that give rise to vulnerabilities.
WE NEED TO ADAPT OUR APPROACH
The NIST Cybersecurity Framework provides an excellent approach to thinking about cybersecurity, and we need to adapt our approach to cover the full range of security functions and categories.
Functions and Categories
Identify
• Asset Management
• Business Environment
• Governance
• Risk Assessment
• Risk Management Strategy
Protect
• Access Control
• Awareness & Training
• Data Security
• Information Protection Processes & Procedures
• Maintenance
• Protective Technology
Detect
• Anomalies and Events
• Security Continuous Monitoring
• Detection Processes
Respond
• Response Planning
• Communications
• Analysis
• Mitigation
• Improvements
Recover
• Recovery Planning
• Improvements
• Communications
UNDERSTAND WHERE WE NEED TO IMPROVE
The output of a NIST Cybersecurity Framework assessment should provide a roadmap of the specific strengths and development areas for the organization across the domains and categories.
[Chart: implementation tier (Tier 1 Partial, Tier 2 Informed, Tier 3 Repeatable, Tier 4 Adaptive) plotted for each category of Identify, Protect, Detect, Respond and Recover, showing Current Tier, Peer Benchmark and Target Tier]
HOW DO WE PICK THE RIGHT CYBER AUDITS?
SELECTING THE RIGHT CYBER SECURITY AUDITS
An internal audit plan focused on cyber risk should be based on the organization’s risk profile and the external threat landscape. Security audits are generally categorized into four areas (as described below), and then specific projects can be selected based on the corresponding maturity level.
Technical Attack Assessments: Traditional and emerging attack vectors an attacker may use to access your network and information
Breach Detection and Response: Assessing an organization’s ability to identify and properly respond to a security incident
Applications and Infrastructure: Focused assessments to identify and evaluate risks associated with applications, supporting infrastructure and emerging technology, such as Cloud and IoT
Program/Governance: Understanding and assessing the overall security posture of the environment
ASK THE RIGHT QUESTIONS
We must first identify where our organizations are on the maturity spectrum, by asking the right questions and looking for key indicators.
Cybersecurity Maturity
Lower maturity, Key Indicators:
• Lack of a formal budget
• No (or minimal) dedicated resources
• Lack of policies/procedures
• Limited security risk management capabilities
Lower maturity, Key Questions:
• Do we have regulations to comply with?
• Are we already breached?
Higher maturity, Key Indicators:
• Dedicated resources
• Formal policies/procedures
• Meaningful security reporting
• “Active” security risk management
Higher maturity, Key Questions:
• Do we have the resources to identify and detect a compromise?
• Can we respond efficiently and quickly to a breach?
AUDIT TO YOUR ORGANIZATION’S MATURITY LEVEL
Internal audit should scope their cybersecurity audits to match the maturity of their organization’s cybersecurity capabilities. The focus shouldn’t be solely on technical assessments either; we need to look at the processes supporting cybersecurity too.
Lower Cybersecurity Maturity
Audit categories: Technical Attack Assessments; Breach Detection / Response; Program / Governance; Infrastructure
• Vulnerability Program assessment to understand how threats and vulnerabilities are being identified and addressed
• Pre-Breach Assessment to perform threat hunting using tools to identify indicators of an existing compromise
• Cyber Kill Chain to assess technical capabilities using a standard approach
• Cyber Security Framework Assessment to understand & benchmark current/future capabilities against a framework
• External/Internal Penetration testing to assess threats on the network
• Cyber Defense Review to assess monitoring and response capabilities
• Cyber Risk Assessment to help understand and prioritize risks
• Technical Configuration reviews to understand if systems and new technologies are configured securely
• Regulatory & Data Privacy reviews for sensitive data exposure
AUDIT TO YOUR ORGANIZATION’S MATURITY LEVEL
Internal audit should scope their cybersecurity audits to match the maturity of their organization’s cybersecurity capabilities. The focus shouldn’t be solely on technical assessments either; we need to look at the processes supporting cybersecurity too.
Higher Cybersecurity Maturity
Audit categories: Technical Attack Assessments; Breach Detection / Response; Program / Governance; Infrastructure
• Social Engineering or Mobile Security Reviews to assess readiness for each
• Blue Team Coordination and Incident Response Review to comprehensively assess the incident response program
• Third-Party Risk Assessment to understand how the organization is identifying and addressing risk in this channel
• Secure SDLC review to assess security controls that support the development process, including static/dynamic code analysis
• Customized Pen Testing Scenarios to target specific controls
• Identity and Access Management review to assess identity risks, including privileged access
• Data Security review to assess controls to identify, inventory and protect sensitive data
• Red Team exercises to perform unannounced testing of controls
CLIENT CASE STUDY
2011: Cybersecurity vulnerability assessment & penetration test
2012: In addition to a pen test, added:
• Quarterly assessments
• AD Audit
• Firewall Audit
2013: Added:
• Security Awareness Assessment
• Database Security Audit
2014: Created a full infrastructure assessment program (NAC, 2 Factor Auth, AV, Vuln Mgmt)
2014: Also began focusing on the field:
• SCADA
• Field Wireless Review
2015: Added more field sites to audit scope based on previous value delivered
2015: Began performing follow-up reviews on previous findings
2016: Expanded infrastructure assessment program & added Network Segmentation Review
2017: Added:
• Cybersecurity metrics
• Privileged Access Mgmt
• NIST CSF Benchmark
2018: Added:
• 3rd Party Cloud
• Data Protection & Privacy
• Incident Response
CLOSING THOUGHTS
NEXT STEPS FOR INTERNAL AUDIT TO ADDRESS CYBER SECURITY RISK
Address external AND internal cyber risks.
Leverage relationships with the audit committee and board.
Ensure that cyber risk is integrated formally into the audit plan.
Keep a current understanding of emerging technologies and trends.
Perform a NIST Cyber Security Framework assessment.
Address any IT/audit staffing and resource shortages.
QUESTIONS
Jordan Hackney, Associate Director, IT Internal Audit
Houston, Texas
Phone: 713.314.1205
Ashley Cuevas, Managing Director, IT Internal Audit
Houston, Texas
Phone: 713.314.5178