3/23/2020
Richard Cascarino CISM,
CIA, ACFE, CRMA
Cybersecurity Series
2020 Update 3
About Jim Kaplan, CIA, CFE
• President and Founder of AuditNet®, the global resource for auditors (available on iOS, Android and Windows devices)
• Auditor, Web Site Guru
• Internet for Auditors Pioneer
• IIA Bradford Cadmus Memorial Award Recipient
• Local Government Auditor’s Lifetime Award
• Author of “The Auditor’s Guide to Internet Resources” 2nd Edition
ABOUT AUDITNET® LLC
• AuditNet®, the global resource for auditors, serves the global audit community as the primary resource for Web-based auditing content. As the first online audit portal, AuditNet® has been at the forefront of websites dedicated to promoting the use of audit technology.
• Available on the Web, iPad, iPhone, Windows and Android devices and features:
  • Over 3,100 Reusable Templates, Audit Programs, Questionnaires, and Control Matrices
  • Webinars focusing on fraud, data analytics, IT audit, and internal audit with free CPE for subscribers and site license users.
  • Audit guides, manuals, and books on audit basics and using audit technology
  • LinkedIn Networking Groups
  • Monthly Newsletters with Expert Guest Columnists
  • Surveys on timely topics for internal auditors
Introductions
HOUSEKEEPING
This webinar and its material are the property of AuditNet® and its Webinar partners. Unauthorized usage or recording of this webinar or any of its material is strictly forbidden.
• If you logged in with another individual’s confirmation email you will not receive CPE as the confirmation login is linked to a specific individual
• This Webinar is not eligible for viewing in a group setting. You must be logged in with your unique join link.
• We are recording the webinar and you will be provided access to that recording after the webinar. Downloading or otherwise duplicating the webinar recording is expressly prohibited.
• If you have indicated you would like CPE you must attend the entire Webinar to receive CPE (no partial CPE will be awarded).
• If you meet the criteria for earning CPE you will receive a link via email to download your certificate. The official email for CPE will be issued via NoReply@gensend.io and it is important to white list this address. It is from this email that your CPE credit will be sent. There is a processing fee to have your CPE credit regenerated post event.
• Submit questions via the chat box on your screen and we will answer them either during or at the conclusion.
• You must answer the survey questions after the Webinar or before downloading your certificate.
ABOUT RICHARD CASCARINO, MBA, CIA, CISM, CFE, CRMA
• Principal of Richard Cascarino & Associates based in Colorado USA
• Over 28 years’ experience in IT audit training and consultancy
• Past President of the Institute of Internal Auditors in South Africa
• Member of ISACA
• Member of Association of Certified Fraud Examiners
• Author of Data Analytics for Internal Auditors
TODAY’S AGENDA
Where are We?
What can we do?
• Derived PIV
• 5G Security
• Zero Trust
• Attribute-based Access Control
• The Trusted Cloud
• Good and Bad Bots
WHERE ARE WE?
• The Rise of Cryptomining
  • Cryptojacking (also called malicious cryptomining) is an emerging online threat that hides on a computer or mobile device and uses the machine's resources to “mine” forms of online money known as cryptocurrencies.
  • A form of cyber attack in which a hacker hijacks a target's processing power in order to mine cryptocurrency on the hacker's behalf.
  • The user downloads the cryptomining script onto the computer (email, infected sites, etc.)
  • The script then works in the background without the victim’s knowledge
WHAT IS BITCOIN?
• Bitcoin is a cryptocurrency and worldwide payment system
• First decentralized digital currency
• The system works without a central bank or single administrator.
• The network is peer-to-peer and transactions take place between users directly, without an intermediary
• Transactions are verified by network nodes through the use of cryptography and recorded in a public distributed ledger called a blockchain.
BITCOIN
WHAT IS BLOCKCHAIN?
• The blockchain is an incorruptible digital ledger of economic transactions that can be programmed to record not just financial transactions but virtually everything of value
• By storing blocks of information that are identical across its network, the blockchain:
  • Cannot be controlled by any single entity.
  • Has no single point of failure.
BLOCKCHAIN
BITCOIN MINING
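An added worked example, not part of the webinar deck, showing in Python why the slides can call the blockchain an incorruptible ledger and what "mining" means at its simplest: each block commits to the SHA-256 hash of its predecessor and must satisfy a toy proof-of-work target, so rewriting one recorded transaction breaks every later link. The block layout, the function names and the difficulty value are assumptions, and the transactions are constructed sample data.

```python
# Added example (not from the slides): a minimal hash-chained ledger with a
# toy proof-of-work. Block layout, names and DIFFICULTY are assumptions.
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional

DIFFICULTY = 2  # required leading zero hex digits in a block hash (toy value)
GENESIS_PREV = "0" * 64


@dataclass
class Block:
    index: int
    prev_hash: str
    transactions: list  # constructed sample payload
    nonce: int = 0

    def header(self) -> str:
        # Canonical serialization: the hash must cover the block's position,
        # its link to the predecessor, its payload and the nonce.
        return json.dumps(
            {"index": self.index, "prev_hash": self.prev_hash,
             "transactions": self.transactions, "nonce": self.nonce},
            sort_keys=True, separators=(",", ":"))

    def hash(self) -> str:
        return hashlib.sha256(self.header().encode()).hexdigest()


def mine_block(prev: Optional[Block], transactions: list) -> Block:
    """Mining: search for a nonce whose block hash meets the difficulty target."""
    index = 0 if prev is None else prev.index + 1
    prev_hash = GENESIS_PREV if prev is None else prev.hash()
    block = Block(index, prev_hash, transactions)
    while not block.hash().startswith("0" * DIFFICULTY):
        block.nonce += 1
    return block


def verify_chain(chain: List[Block]) -> bool:
    """Recompute every hash; any edited payload or broken link fails here."""
    for i, block in enumerate(chain):
        expected_prev = GENESIS_PREV if i == 0 else chain[i - 1].hash()
        if block.index != i or block.prev_hash != expected_prev:
            return False
        if not block.hash().startswith("0" * DIFFICULTY):
            return False
    return True


def build_sample_chain() -> List[Block]:
    # Constructed sample transactions (not real Bitcoin data).
    genesis = mine_block(None, [{"from": "coinbase", "to": "alice", "amount": 50}])
    b1 = mine_block(genesis, [{"from": "alice", "to": "bob", "amount": 5}])
    b2 = mine_block(b1, [{"from": "bob", "to": "carol", "amount": 2}])
    return [genesis, b1, b2]


def tamper_and_check() -> bool:
    """Rewrite an already-recorded amount; the chain must no longer verify."""
    chain = build_sample_chain()
    chain[1].transactions[0]["amount"] = 500  # history rewritten in block 1
    return verify_chain(chain)  # block 2's prev_hash no longer matches


if __name__ == "__main__":
    chain = build_sample_chain()
    for b in chain:
        print(b.index, b.nonce, b.hash())
    print("valid:", verify_chain(chain))
    print("after tampering:", tamper_and_check())
```

The check that fails after tampering is the same one every honest node performs; an attacker would have to re-mine every later block, which is the cost proof-of-work imposes.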
NEED FOR PERSONAL IDENTITY VERIFICATION
• The use of faked identities is a very common issue
  • E.g., a large number of terrorists are believed to be hidden among migrants from the Middle East entering Europe
  • For example, one of the terrorists involved in the Brussels airport suicide bombing on March 22, 2016 was using the identity of a former Inter Milan football player
• Semantic attacks such as phishing/web-spoofing are also rampant
  • Largely exploit non-expert everyday users
  • Most security tools were designed by security experts for expert users
IDENTITY ATTRIBUTES
• Multiple layers of identity attributes (including location, activity, device, and email attributes) can present a much more detailed and accurate likeness of an identity
PIV VS DERIVED PIV
• Born from FIPS 201 (2004)
• A Personal Identity Verification (PIV) card is a United States Federal smart card that contains the data necessary for the cardholder to be granted access to Federal facilities and information systems
• The PIV standard is now used to guide the development of internal employee credential programs.
• A derived PIV is a secure, reliable, federally issued credential issued to a mobile device instead of a user
5G SECURITY
• 5G networks support a massive number of connected devices.
• IoT devices are one of the most-attacked types of hardware, making up over 78% of malware detection events in communication service provider networks in 2018
• “If an IoT device today is plugged into the network, and it doesn’t have protection in it, it’s infected in three minutes or less,”
  • Mary O’Neill, VP of security at Nokia, 2019
REQUIRED FOR 5G
• Cloud virtualization technologies such as software-defined networking (SDN) and network functions virtualization (NFV) are thriving
• A multi-pronged approach to 5G security is required
  • Trust models
  • Authentication and Key Agreement (AKA)
  • Extensible Authentication Protocol (EAP)-based secondary authentication
SECURING THE NETWORK
• Each virtual network slice could require unique security capabilities
• A secure edge
  • Ensuring real-time detection at the edge
• A secure SDN controller
  • Enabling dynamic security protocol through northbound and southbound APIs
  • Northbound APIs gather intelligence about network activity
  • Southbound APIs control switches, routers, and firewalls to end attacks as they occur
• Proactive analytics
• Hypervisor and container security
• Security through orchestration
MORE SECURITY
• Proactive analytics
  • Uses machine learning and AI to detect unusual activity in the network
  • Based on previously-learned network patterns and trends in previous breach attempts
• Hypervisor and container security
  • Ensuring that virtualized network elements are protected from exfiltration and VM-based attacks
  • Hypervisor inspection and hardening mechanisms
• Security through orchestration
  • Using software-defined, disaggregated architecture, and orchestrating VNFs and NFVs to automatically react in the event of a breach
ZERO TRUST
• Introduced in 2004 as a design concept
• Now mobile endpoints are becoming the norm for application access
• Never trust, always verify
  • Initiated in 2010 by John Kindervag
• Based on the principle that organizations need to proactively control all interactions between people, data, and information systems to reduce security risks to acceptable levels
• Requires continuous authentication and authorization for any asset to be accessible
ZERO TRUST FUNDAMENTALS
• The network is always assumed to be hostile
• External and internal threats exist on the network at all times
• Network locality is not sufficient for deciding trust in a network
• Every device, user, and network flow is authenticated and authorized
• Policies must be dynamic and calculated from as many sources of data as possible.
ZERO TRUST 6 PILLARS
• Users
• Devices
• Network
• Applications
• Automation
• Analytics
Zero Trust Networks, Evan Gilman & Doug Barth, ISBN: 978-1-491-96219-0
ZERO TRUST
• Governing user access is key to success
• Just as with network security and Zero Trust, you must identify, segment, and analyze your users to shift power in your favor
ACCESS MODELS
Access control models fall into two basic categories:
• Mandatory (MAC): users’ rights are defined by administrators and data may be labeled to indicate its sensitivity
• Discretionary (DAC): users may administer the data items they create and own
PRIVACY BY DESIGN
• Proactive not Reactive; Preventative not Remedial
• Privacy as the Default; maximum degree of privacy built into the system by default
• Privacy Embedded into Design
• Full Functionality; accommodate all legitimate interests and objectives
• End-to-End Lifecycle Protection; extends data security throughout the entire lifecycle of the data involved
• Visibility and Transparency; assure all stakeholders it is operating according to the stated promises and objectives
• Respect for User Privacy; offers strong privacy defaults, appropriate notice, and empowering user-friendly options
LOGICAL ACCESS CONTROL
• Access control traditionally based on roles
• Now facing the “role explosion”
  • where more roles exist than actual individuals in an organization
• Attribute-based access control (ABAC): a seismic shift in the development of access control technology
• A policy-driven approach facilitates tightening regulatory constraints
• See https://nvlpubs.nist.gov/nistpubs/specialpublications/NIST.SP.800-162.pdf
ABAC
[Figure: access control scenario. A user's subject requests access to resources through an access control component, which needs information for authorization and returns an access decision: Grant, Deny, or others (e.g., NotApplicable, Error).]
ACCESS CONTROL SCENARIO
• Attributes are name and value pairs
• Attributes are associated with different entities
  • User: role, group, department, project, topic
  • Subject: clearance, role, admin, network
  • Object: sensitivity, date, owner, size, last_modified
  • Context: CPU usage, server_location, risk_level, time
  • Attribute (i.e., meta-attribute): risk_level_of_role, size_of_organization, head_of_department, trust_of_clearance
• Converted by policies into rights just in time
• Retrieve the attributes related to each request: (subject, object, operation)
EXAMPLE USER ATTRIBUTES
UA = {Clr, Dept, Proj, Skill}

Attribute   Type     Scope
Clr         atomic   unclassified, classified, secret, topsecret
Dept        atomic   software, hardware, finance, market
Proj        set      search, game, mobile, social, cloud
Skill       set      web, system, server, windows, security

Attribute assignment for Fred:
Clr(Fred) = classified
Dept(Fred) = finance
Proj(Fred) = {search, game, cloud}
Skill(Fred) = {web, server}
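An added example, not from the slides or from NIST SP 800-162, that evaluates requests of the form (subject, object, operation) just in time against the attributes introduced on the ACCESS CONTROL SCENARIO slide and the EXAMPLE USER ATTRIBUTES slide, returning the decision values the figure lists (Grant, Deny, NotApplicable, Error). Fred's attributes and the Clr ordering are taken from the slide; the policy rules, the object and context attributes, and the function names are assumptions.

```python
# Added example (not the slides' or NIST's code): a small ABAC policy decision
# point. Rules, object/context attributes and names are assumptions.
from typing import Callable, Dict, List, Tuple

# Ordered scope of the atomic attribute Clr, lowest to highest (from the table).
CLR_ORDER = ["unclassified", "classified", "secret", "topsecret"]

# Attribute assignment for Fred, exactly as on the slide.
SUBJECTS: Dict[str, dict] = {
    "Fred": {"Clr": "classified", "Dept": "finance",
             "Proj": {"search", "game", "cloud"}, "Skill": {"web", "server"}},
}

# Constructed object attributes (sensitivity, owner, project); the third object
# carries an out-of-scope sensitivity value to exercise the Error decision.
OBJECTS: Dict[str, dict] = {
    "q3-forecast.xlsx": {"sensitivity": "classified", "owner": "finance", "project": "cloud"},
    "merger-memo.docx": {"sensitivity": "secret", "owner": "finance", "project": "social"},
    "legacy-scan.pdf":  {"sensitivity": "ultra", "owner": "finance", "project": "cloud"},
}

# A rule sees the subject, object, operation and context attributes of a request.
Rule = Callable[[dict, dict, str, dict], bool]


def clr_dominates(subject_clr: str, object_sens: str) -> bool:
    """Clearance must be at least as high as the object's sensitivity."""
    return CLR_ORDER.index(subject_clr) >= CLR_ORDER.index(object_sens)


# Policy: every rule must hold for the request to be granted. Rights are not
# stored anywhere; they are computed from attributes at decision time.
POLICY: Dict[str, Rule] = {
    "clearance":   lambda s, o, op, ctx: clr_dominates(s["Clr"], o["sensitivity"]),
    "project":     lambda s, o, op, ctx: o["project"] in s["Proj"],
    "write-own":   lambda s, o, op, ctx: op == "read" or o["owner"] == s["Dept"],
    "admin-skill": lambda s, o, op, ctx: op != "admin" or "server" in s["Skill"],
    "risk":        lambda s, o, op, ctx: ctx["risk_level"] != "high" or op == "read",
}


def decide(subject: str, obj: str, operation: str, context: dict) -> Tuple[str, List[str]]:
    """Retrieve the attributes for (subject, object, operation) and decide.

    Returns the decision and the names of the rules that caused it:
    Grant, Deny (with the failed rules), NotApplicable (unknown entity, so no
    attributes to evaluate) or Error (an attribute value the policy cannot
    interpret, reported with the rule that hit it).
    """
    s, o = SUBJECTS.get(subject), OBJECTS.get(obj)
    if s is None or o is None:
        return "NotApplicable", []
    failed: List[str] = []
    for name, rule in POLICY.items():
        try:
            if not rule(s, o, operation, context):
                failed.append(name)
        except (KeyError, ValueError):
            return "Error", [name]
    return ("Grant" if not failed else "Deny"), failed


if __name__ == "__main__":
    low, high = {"risk_level": "low"}, {"risk_level": "high"}
    for req in [("Fred", "q3-forecast.xlsx", "read", low),
                ("Fred", "q3-forecast.xlsx", "write", high),
                ("Fred", "merger-memo.docx", "read", low),
                ("Fred", "legacy-scan.pdf", "read", low),
                ("Bob", "q3-forecast.xlsx", "read", low)]:
        print(req[:3], "->", decide(*req))
```

Returning the failed rule names alongside the decision is what makes an ABAC decision auditable: a reviewer can see which attribute, not which role, blocked a request.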
THE TRUSTED CLOUD
• Cloud Computing Challenges
  • Security compliance has become more complex
  • Increasing virtualization
  • Growing threats
  • Need to track compliance
  • Server security breaches are common
  • Compliance procedures are struggling to keep up
POTENTIAL DATA LEAKAGE AT THE PROVIDER SITE
• The customer pays for a virtual machine (VM) to compute on data
  • E.g., Amazon EC2
• A privileged user with access to VM state can leak data
  • Accidentally or intentionally
Nuno Santos, MPI-SWS, 2009
NEED TO TRUST
• Trust your hardware
  • You need to trust every server
  • If it’s not behaving as it should, remove it as a known risk to eliminate the vulnerability
• Trust your resources
  • You need to rely on a “known good” pool of compute resources that have proven trustworthy
• Trust your verification process
  • Need transparency to audit workloads, users, data, and system resources for compliance and reporting
NEED SOLUTION TO SECURE THE COMPUTATION STATE
Encryption can secure communications and storage
But encryption per se is ineffective for computation
Raw data is kept in memory during computation
The provider benefits from providing a solution
Nuno Santos, MPI-SWS, 2009
TRUSTED CLOUD COMPUTING PLATFORM
Goal: make the computation of virtual machines confidential
Deployed by the service provider
The customer can verify that computation is confidential
Nuno Santos, MPI-SWS, 2009
USING A THREAT MODEL
• A threat model helps to analyze a security problem, design mitigation strategies, and evaluate solutions
Steps:
• Identify attackers, assets, threats and other components
• Rank the threats
• Choose mitigation strategies
• Build solutions based on the strategies
ATTACKERS
At the client:
• Learn passwords/authentication information
• Gain control of the VMs
At the cloud provider:
• Log client communication
• Can read unencrypted data
• Can possibly peek into VMs, or make copies of VMs
• Can monitor network communication, application patterns
Why?
• Gain information about client data
• Gain information on client behavior
• Sell the information or use it themselves
ATTACKERS
What?
• Listen to network traffic (passive)
• Insert malicious traffic (active)
• Probe cloud structure (active)
• Launch DDoS
Goal?
• Intrusion
• Network analysis
• Man in the middle
• Cartography
DATA LIFE CYCLE
• Personal information should be managed as part of the data used by the organization
• Protection of personal information should consider the impact of the cloud on each phase
From [6] Cloud Security and Privacy by Mather and Kumaraswamy
POSSIBLE SOLUTIONS
• Minimize lack of trust
  • Policy language
  • Certification
• Minimize loss of control
  • Monitoring
  • Utilizing different clouds
  • Access control management
  • Identity Management (IDM)
• Minimize multi-tenancy
MINIMIZE LACK OF TRUST: CERTIFICATION
• Certification
  • Some form of reputable, independent, comparable assessment and description of security features and assurance
  • Sarbanes-Oxley, DIACAP, DISTCAP, etc. (are they sufficient for a cloud environment?)
• Risk assessment
  • Performed by certified third parties
  • Provides consumers with additional assurance
GOOD AND BAD BOTS
• In the beginning, there were only good bots.
  • e.g., Google bot, game bots, etc.
• Later, bad people thought of creating bad bots so that they may
  • Send spam and phishing emails
  • Control others’ PCs
  • Launch attacks on servers (DDoS)
• Many malicious bots were created
  • SDBot/Agobot/Phatbot etc.
• Botnets started to emerge
BOTNETS: CURRENT SINGLE LARGEST INTERNET THREAT?
“Attack of zombie computers is growing threat” (New York Times)
“Why we are losing the botnet battle” (Network World)
“Botnet could eat the internet” (Silicon.com)
“25% of Internet PCs are part of a botnet” (Vint Cerf)
WHAT ARE BOTS/BOTNETS?
Bot (Zombie)
• Compromised computer controlled by botcode (malware) without owner consent/knowledge
• Professionally written; self-propagating
Botnets (Bot Armies): networks of bots controlled by criminals
• Definition: “A coordinated group of malware instances that are controlled via C&C channels”.
• Architectures: centralized (e.g., IRC, HTTP), distributed (e.g., P2P)
• Key platform for fraud and other for-profit exploits
HOW DO BOTNETS GROW?
• Exploit a vulnerability to execute a short program (the exploit) on the victim’s machine
  • Buffer overflows, email viruses, Trojans etc.
• The exploit downloads and installs the actual bot
• The bot disables firewall and A/V software
• The bot locates the IRC server, connects, joins
  • Typically needs DNS to find out the server’s IP address
  • Authentication password often stored in the bot binary
• The botmaster issues commands
BOTNET EPIDEMIC
• More than 95% of all spam
• All distributed denial of service (DDoS) attacks
• Click fraud
• Phishing & pharming attacks
• Key logging & data/identity theft
• Distributing other malware, e.g., spyware
• Anonymized terrorist & criminal communication
INTERNET SECURITY: BROKEN ASSUMPTIONS
• Internet infrastructure (e.g., DNS, BGP) is trustworthy
  • DNS is more vulnerable than you think …
• Computers are secure when using up-to-date AV tools and firewall
  • Not really
• Attackers are in it for fun and fame
  • Profit, profit, profit!
• Attackers have limited/bounded computing power
  • They have almost unbounded(?) power
• Attacks come from isolated computers
  • The network is attacking you
BOTNET DETECTION
• Host based
  • Intrusion Detection Systems (IDS)
  • Anomaly detection
  • IRC nicknames
  • HoneyPot and HoneyNet
HONEYPOTS / HONEYNETS
• A HoneyPot is a vulnerable machine, ready to be attacked
  • Example: unpatched Windows
• Once attacked, the malware is caught inside
• The malware is analyzed, its activity is monitored
• When it connects to the C&C server,
  • The server’s identity is revealed
• HoneyNet: a network of honeypots
• Very effective, worked in many cases
• Also poses a great security risk if not maintained properly
  • Hackers may use them to attack others
  • Must be monitored cautiously
GOOD BOTS
• Unattended bots can be run on an organization’s servers at scheduled times 24/7/365.
• Unattended bots are often IT-driven as they can use free or virtual machines to get the workload done
• Significant reduction in costs and increased ROI make it ideal for back office tasks
• Bots complete business processes without human intervention per a predetermined schedule
• Frees employees from rote work, lowering costs, improving compliance, and accelerating processes
QUESTIONS?
Any Questions?
Don’t be Shy!
AUDITNET® AND CRISK ACADEMY
• If you would like forever access to this webinar recording
• If you are watching the recording, and would like to obtain CPE credit for this webinar
• Previous AuditNet® webinars are also available on-demand for CPE credit
http://criskacademy.com
http://ondemand.criskacademy.com
Use coupon code: 50OFF for a discount on this webinar for one week
THANK YOU!
Jim Kaplan
AuditNet® LLC
1-800-385-1625
Email: info@auditnet.org
www.auditnet.org
Follow Me on Twitter for Special Offers - @auditnet
Join my LinkedIn Group –
https://www.linkedin.com/groups/44252/
Like my Facebook business page
https://www.facebook.com/pg/AuditNetLLC
Richard Cascarino & Associates
Cell: +1 970 819 7963
Tel +1 303 747 6087 (Skype Worldwide)
Tel: +1 970 367 5429
eMail: rcasc@rcascarino.com
Web: http://www.rcascarino.com
Skype: Richard.Cascarino
mplementing and Auditing GDPR Series (10 of 10) mplementing and Auditing GDPR Series (10 of 10)
mplementing and Auditing GDPR Series (10 of 10) Jim Kaplan CIA CFE
 
Touchstone Research for Internal Audit 2020 – A Look at the Now and Tomorrow ...
Touchstone Research for Internal Audit 2020 – A Look at the Now and Tomorrow ...Touchstone Research for Internal Audit 2020 – A Look at the Now and Tomorrow ...
Touchstone Research for Internal Audit 2020 – A Look at the Now and Tomorrow ...Jim Kaplan CIA CFE
 
How to detect fraud like a pro detective slides
How to detect fraud like a pro detective slides How to detect fraud like a pro detective slides
How to detect fraud like a pro detective slides Jim Kaplan CIA CFE
 
How to get auditors performing basic analytics using excel
How to get auditors performing basic analytics using excel How to get auditors performing basic analytics using excel
How to get auditors performing basic analytics using excel Jim Kaplan CIA CFE
 
Implementing and Auditing General Data Protection Regulation
Implementing and Auditing General Data Protection RegulationImplementing and Auditing General Data Protection Regulation
Implementing and Auditing General Data Protection RegulationJim Kaplan CIA CFE
 
General Data Protection Regulation Webinar 6
General Data Protection Regulation Webinar 6 General Data Protection Regulation Webinar 6
General Data Protection Regulation Webinar 6 Jim Kaplan CIA CFE
 
Focused agile audit planning using analytics
Focused agile audit planning using analyticsFocused agile audit planning using analytics
Focused agile audit planning using analyticsJim Kaplan CIA CFE
 
Ethics and the Internal Auditor
Ethics and the Internal AuditorEthics and the Internal Auditor
Ethics and the Internal AuditorJim Kaplan CIA CFE
 
How analytics should be used in controls testing instead of sampling
How analytics should be used in controls testing instead of sampling How analytics should be used in controls testing instead of sampling
How analytics should be used in controls testing instead of sampling Jim Kaplan CIA CFE
 
How analytics should be used in controls testing instead of sampling
How analytics should be used in controls testing instead of samplingHow analytics should be used in controls testing instead of sampling
How analytics should be used in controls testing instead of samplingJim Kaplan CIA CFE
 
Building and Striving for Data Analytics Excellence
Building and Striving for Data Analytics ExcellenceBuilding and Striving for Data Analytics Excellence
Building and Striving for Data Analytics ExcellenceJim Kaplan CIA CFE
 
The Future of Auditing and Fraud Detection
The Future of Auditing and Fraud Detection The Future of Auditing and Fraud Detection
The Future of Auditing and Fraud Detection Jim Kaplan CIA CFE
 
Structuring your organization for success with data analytics
Structuring your organization for success with data analytics Structuring your organization for success with data analytics
Structuring your organization for success with data analytics Jim Kaplan CIA CFE
 

Mais de Jim Kaplan CIA CFE (16)

Enhanced fraud detection with data analytics
Enhanced fraud detection with data analyticsEnhanced fraud detection with data analytics
Enhanced fraud detection with data analytics
 
mplementing and Auditing GDPR Series (10 of 10)
mplementing and Auditing GDPR Series (10 of 10) mplementing and Auditing GDPR Series (10 of 10)
mplementing and Auditing GDPR Series (10 of 10)
 
Touchstone Research for Internal Audit 2020 – A Look at the Now and Tomorrow ...
Touchstone Research for Internal Audit 2020 – A Look at the Now and Tomorrow ...Touchstone Research for Internal Audit 2020 – A Look at the Now and Tomorrow ...
Touchstone Research for Internal Audit 2020 – A Look at the Now and Tomorrow ...
 
How to detect fraud like a pro detective slides
How to detect fraud like a pro detective slides How to detect fraud like a pro detective slides
How to detect fraud like a pro detective slides
 
How to get auditors performing basic analytics using excel
How to get auditors performing basic analytics using excel How to get auditors performing basic analytics using excel
How to get auditors performing basic analytics using excel
 
Tracking down outliers
Tracking down outliersTracking down outliers
Tracking down outliers
 
Implementing and Auditing General Data Protection Regulation
Implementing and Auditing General Data Protection RegulationImplementing and Auditing General Data Protection Regulation
Implementing and Auditing General Data Protection Regulation
 
General Data Protection Regulation Webinar 6
General Data Protection Regulation Webinar 6 General Data Protection Regulation Webinar 6
General Data Protection Regulation Webinar 6
 
Focused agile audit planning using analytics
Focused agile audit planning using analyticsFocused agile audit planning using analytics
Focused agile audit planning using analytics
 
Ethics and the Internal Auditor
Ethics and the Internal AuditorEthics and the Internal Auditor
Ethics and the Internal Auditor
 
How analytics should be used in controls testing instead of sampling
How analytics should be used in controls testing instead of sampling How analytics should be used in controls testing instead of sampling
How analytics should be used in controls testing instead of sampling
 
How analytics should be used in controls testing instead of sampling
How analytics should be used in controls testing instead of samplingHow analytics should be used in controls testing instead of sampling
How analytics should be used in controls testing instead of sampling
 
Ethics for Internal Auditors
Ethics for  Internal AuditorsEthics for  Internal Auditors
Ethics for Internal Auditors
 
Building and Striving for Data Analytics Excellence
Building and Striving for Data Analytics ExcellenceBuilding and Striving for Data Analytics Excellence
Building and Striving for Data Analytics Excellence
 
The Future of Auditing and Fraud Detection
The Future of Auditing and Fraud Detection The Future of Auditing and Fraud Detection
The Future of Auditing and Fraud Detection
 
Structuring your organization for success with data analytics
Structuring your organization for success with data analytics Structuring your organization for success with data analytics
Structuring your organization for success with data analytics
 

Último

A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 

Último (20)

A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 

Cybersecurity Slides

3. ABOUT RICHARD CASCARINO, MBA, CIA, CISM, CFE, CRMA
• Principal of Richard Cascarino & Associates, based in Colorado, USA
• Over 28 years' experience in IT audit training and consultancy
• Past President of the Institute of Internal Auditors in South Africa
• Member of ISACA
• Member of the Association of Certified Fraud Examiners
• Author of Data Analytics for Internal Auditors

TODAY'S AGENDA
Where are we? What can we do?
• Derived PIV
• 5G Security
• Zero Trust
• Attribute-based Access Control
• The Trusted Cloud
• Good and Bad Bots
4. WHERE ARE WE? THE RISE OF CRYPTOMINING
• Cryptojacking (also called malicious cryptomining) is an online threat that hides on a computer or mobile device and uses the machine's resources to "mine" cryptocurrency for the attacker.
• A form of cyber attack in which the attacker hijacks the target's processing power (and electricity bill) to mine cryptocurrency on the attacker's behalf.
• The user is tricked into loading the cryptomining script (phishing email, compromised or infected websites, malicious advertisements). A browser-based miner runs only while the page is open; an installed miner persists on the host.
• The script then works in the background without the victim's knowledge. The observable symptoms are sustained high CPU use, sluggish machines, and outbound connections to mining pools.

WHAT IS BITCOIN?
• Bitcoin is a cryptocurrency and worldwide payment system
• The first decentralized digital currency
• The system works without a central bank or single administrator
• The network is peer-to-peer and transactions take place between users directly, without an intermediary
• Transactions are verified by network nodes through the use of cryptography and recorded in a public distributed ledger called a blockchain
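The slide lists the symptoms but not how to check for them. The following is an added example, not code from the slides: a small triage routine over constructed endpoint telemetry that combines the weak signal (sustained CPU load by one process) with the strong one (Stratum mining-pool traffic). The log format, the host and process names and the pool address are assumptions; the Stratum indicators are real protocol features, since pools are addressed as stratum+tcp:// or stratum+ssl:// and a mining client opens with the JSON-RPC methods mining.subscribe and mining.authorize.

```python
"""Cryptojacking indicator triage over constructed endpoint telemetry.

Added example, not code from the slides. The log format, host and process
names and the pool address are assumptions; the Stratum indicators are real:
mining pools speak Stratum over stratum+tcp:// (or stratum+ssl://) and the
client's first JSON-RPC calls are mining.subscribe and mining.authorize.
"""
import json
import re
from collections import defaultdict

# Constructed sample telemetry, one event per line: "<kind> <host> <payload>".
SAMPLE_LOG = """\
conn ws01 dst=203.0.113.10:3333 uri=stratum+tcp://pool.example:3333
cpu ws01 proc=chrome.exe pct=97
cpu ws01 proc=chrome.exe pct=95
cpu ws01 proc=chrome.exe pct=98
payload ws01 {"id":1,"method":"mining.subscribe","params":["xmrig/6.0"]}
payload ws01 {"id":2,"method":"mining.authorize","params":["wallet.worker","x"]}
conn ws02 dst=198.51.100.7:443 uri=https://intranet.example/reports
cpu ws02 proc=excel.exe pct=91
payload ws02 {"id":7,"method":"getReport","params":[42]}
"""

STRATUM_URI = re.compile(r"\bstratum\+(?:tcp|ssl)://", re.IGNORECASE)
STRATUM_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit"}
CPU_THRESHOLD = 90          # percent; tune to the fleet's baseline
CPU_SUSTAINED_SAMPLES = 3   # consecutive high samples before it counts


def parse_event(line):
    """Split '<kind> <host> <payload>' into its three parts."""
    kind, host, payload = line.split(" ", 2)
    return kind, host, payload


def analyse(log_text):
    """Return {host: sorted indicator names} for hosts with any indicator."""
    findings = defaultdict(set)
    high_cpu = defaultdict(int)   # (host, process) -> consecutive high samples
    for line in log_text.splitlines():
        if not line.strip():
            continue
        kind, host, payload = parse_event(line)
        if kind == "conn" and STRATUM_URI.search(payload):
            findings[host].add("stratum_uri")
        elif kind == "payload":
            try:
                method = json.loads(payload).get("method")
            except ValueError:
                continue   # not JSON-RPC, ignore
            if method in STRATUM_METHODS:
                findings[host].add("stratum_method:" + method)
        elif kind == "cpu":
            fields = dict(f.split("=", 1) for f in payload.split())
            key = (host, fields["proc"])
            if int(fields["pct"]) >= CPU_THRESHOLD:
                high_cpu[key] += 1
                if high_cpu[key] >= CPU_SUSTAINED_SAMPLES:
                    findings[host].add("sustained_cpu:" + fields["proc"])
            else:
                high_cpu[key] = 0   # streak broken
    return {host: sorted(names) for host, names in findings.items()}


def verdict(indicators):
    """CPU load alone is a weak signal; a protocol indicator makes it strong."""
    protocol = any(i.startswith("stratum") for i in indicators)
    cpu = any(i.startswith("sustained_cpu") for i in indicators)
    if protocol and cpu:
        return "likely_cryptojacking"
    if protocol:
        return "mining_traffic"
    if cpu:
        return "cpu_anomaly_only"
    return "clean"


if __name__ == "__main__":
    for host, names in analyse(SAMPLE_LOG).items():
        print(host, verdict(names), names)
```

In the sample, ws01 shows all three indicators and is reported as likely cryptojacking, while ws02 (one high CPU sample from a spreadsheet, ordinary JSON-RPC) produces no finding at all. Miners that tunnel Stratum over WebSockets or plain HTTPS will only trip the CPU rule, so in practice the CPU signal should be paired with destination reputation rather than dropped.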
5. BITCOIN: WHAT IS BLOCKCHAIN?
• The blockchain is a tamper-evident digital ledger of economic transactions that can be programmed to record not just financial transactions but virtually anything of value
• Each block carries the cryptographic hash of the block before it, so altering a historical record changes every later hash and the change is visible to any node that checks the chain
• Because every node stores an identical copy of the chain, the blockchain:
  - cannot be controlled by any single entity
  - has no single point of failure
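To make the tamper-evidence claim concrete, here is an added example (not code from the slides, and not Bitcoin's actual data structures: no proof-of-work, no signatures, no network) of a hash-chained ledger. It shows the two halves of the argument: a forged block breaks the link to its successor, and a forger who re-seals every later block passes local validation but ends up with a tip hash that no honest copy of the ledger shares. The transaction strings are constructed.

```python
"""Hash-chained ledger showing why a blockchain is tamper-evident rather than
incorruptible. Added example, not from the slides and not Bitcoin's real data
structures: there is no proof-of-work, no signatures and no network, and the
transactions are constructed strings."""
import copy
import hashlib
import json
from dataclasses import dataclass, field

GENESIS_PREV = "0" * 64


@dataclass
class Block:
    index: int
    prev_hash: str
    transactions: list
    hash: str = field(default="", compare=False)

    def compute_hash(self):
        """SHA-256 over the block body; prev_hash is part of the body, which
        is what chains the blocks together."""
        body = json.dumps({"index": self.index, "prev_hash": self.prev_hash,
                           "transactions": self.transactions}, sort_keys=True)
        return hashlib.sha256(body.encode()).hexdigest()


def build_chain(batches):
    """Seal one block per batch of transactions, each pointing at the last."""
    chain, prev = [], GENESIS_PREV
    for i, txs in enumerate(batches):
        block = Block(i, prev, list(txs))
        block.hash = block.compute_hash()
        chain.append(block)
        prev = block.hash
    return chain


def validate(chain):
    """Return (True, None) if every link holds, else (False, first bad index)."""
    prev = GENESIS_PREV
    for block in chain:
        if block.prev_hash != prev or block.hash != block.compute_hash():
            return False, block.index
        prev = block.hash
    return True, None


def tamper(chain, index, new_txs):
    """A node quietly rewrites one historical block (and its own hash)."""
    forged = copy.deepcopy(chain)
    forged[index].transactions = list(new_txs)
    forged[index].hash = forged[index].compute_hash()
    return forged


def rechain(chain):
    """What a determined forger does next: re-seal every later block so the
    forged copy validates again in isolation."""
    forged = copy.deepcopy(chain)
    prev = GENESIS_PREV
    for block in forged:
        block.prev_hash = prev
        block.hash = block.compute_hash()
        prev = block.hash
    return forged


def tip_hash(chain):
    """One value that commits to the entire history: compare it across nodes."""
    return chain[-1].hash


if __name__ == "__main__":
    honest = build_chain([["alice->bob:5"], ["bob->carol:2"], ["carol->dave:1"]])
    forged = tamper(honest, 0, ["alice->mallory:5"])
    print(validate(honest), validate(forged))
    resealed = rechain(forged)
    print(validate(resealed), tip_hash(resealed) == tip_hash(honest))
```

The second print is the important one: the re-sealed forgery validates, so "the chain checks out" on a single node proves nothing. What protects the ledger is that the other nodes hold copies with a different tip hash and, in Bitcoin, that re-sealing would also require redoing the proof-of-work for every later block.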
7. NEED FOR PERSONAL IDENTITY VERIFICATION
• The use of faked identities is a very common issue
  - e.g. a large number of terrorists are believed to have hidden among migrants from the Middle East entering Europe
  - one of the terrorists involved in the Brussels airport suicide bombing on March 22, 2016 was using the identity of a former Inter Milan football player
• Semantic attacks such as phishing and web spoofing are also rampant
  - they largely exploit non-expert, everyday users
  - most security tools were designed by security experts for expert users

IDENTITY ATTRIBUTES
• Multiple layers of identity attributes (including location, activity, device and email attributes) present a much more detailed and accurate likeness of an identity than a single credential does
8. PIV VS DERIVED PIV
• Born from HSPD-12 (2004) and specified in FIPS 201 (first published 2005)
• A Personal Identity Verification (PIV) card is a United States Federal smart card that contains the data needed for the cardholder to be granted access to Federal facilities and information systems
• The PIV standard is now used to guide the development of internal employee credential programs outside government as well
• A Derived PIV Credential (NIST SP 800-157) is a secure, reliable, federally issued credential provisioned to a PIV cardholder's mobile device. It is derived from, and bound to, the same identity as the card, so the card itself does not have to be presented to a device that has no smart-card reader

5G SECURITY
• 5G networks support a massive number of connected devices
• IoT devices are one of the most-attacked types of hardware, making up over 78% of malware detection events in communication service provider networks in 2018
• "If an IoT device today is plugged into the network, and it doesn't have protection in it, it's infected in three minutes or less." Mary O'Neill, VP of Security at Nokia, 2019
9. REQUIRED FOR 5G
• Cloud virtualization technologies such as software-defined networking (SDN) and network functions virtualization (NFV) are thriving
• A multi-pronged approach to 5G security is required:
  - trust models
  - Authentication and Key Agreement (5G-AKA) for primary authentication of the device to the network
  - Extensible Authentication Protocol (EAP)-based secondary authentication between the device and an external data network

SECURING THE NETWORK
• Each virtual network slice may require its own security capabilities
• A secure edge: ensuring real-time detection at the edge
• A secure SDN controller: enabling dynamic security policy through northbound and southbound APIs
  - northbound APIs (controller to applications) gather intelligence about network activity
  - southbound APIs (controller to devices) control switches, routers and firewalls to end attacks as they occur
• Proactive analytics
• Hypervisor and container security
• Security through orchestration
10. MORE SECURITY
• Proactive analytics
  - uses machine learning and AI to detect unusual activity in the network
  - based on previously learned network patterns and on trends seen in previous breach attempts
• Hypervisor and container security
  - ensuring that virtualized network elements are protected from exfiltration and VM-based attacks
  - hypervisor inspection and hardening mechanisms
• Security through orchestration
  - using a software-defined, disaggregated architecture, and orchestrating the VNFs running on the NFV infrastructure so that they react automatically in the event of a breach

ZERO TRUST
• Introduced in 2004 as a design concept; the term and model were formalised by John Kindervag (Forrester) in 2010
• Mobile endpoints are now the norm for application access, so the network perimeter no longer marks a trust boundary
• Never trust, always verify
• Based on the principle that organizations need to proactively control all interactions between people, data and information systems to reduce security risks to acceptable levels
• Requires continuous authentication and authorization for any asset to be accessible
11. ZERO TRUST FUNDAMENTALS
• The network is always assumed to be hostile
• External and internal threats exist on the network at all times
• Network locality is not sufficient for deciding trust in a network
• Every device, user and network flow is authenticated and authorized
• Policies must be dynamic and calculated from as many sources of data as possible

ZERO TRUST: 6 PILLARS
• Users
• Devices
• Network
• Applications
• Automation
• Analytics
Source: Zero Trust Networks, Evan Gilman & Doug Barth, O'Reilly, ISBN 978-1-491-96219-0
12. ZERO TRUST
• Governing user access is key to success
• Just as with network security under Zero Trust, you must identify, segment and analyze your users, so that access is decided per user and per request rather than by where the user connects from

ACCESS MODELS
Access control models fall into two basic categories:
• Mandatory access control (MAC): users' rights are defined by administrators. Data is labeled to indicate its sensitivity, subjects carry clearances, and the system enforces the comparison regardless of what the data's owner would prefer
• Discretionary access control (DAC): users may administer (grant and revoke access to) the data items they create and own
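The difference between the two categories is easiest to see in code. The following is an added example, not from the slides: a Bell-LaPadula style label comparison that only an administrator can change (MAC) next to an owner-managed access control list (DAC), and the usual way they combine, where DAC can narrow but never widen what the labels allow. Users, labels and the object are constructed.

```python
"""The two access-control categories side by side. Added example, not from the
slides: a label/clearance comparison fixed by an administrator (MAC, here the
Bell-LaPadula rules) and an owner-managed ACL (DAC). Users, labels and objects
are constructed."""
LEVELS = {"unclassified": 0, "classified": 1, "secret": 2, "topsecret": 3}


def mac_allowed(clearance, label, op):
    """Bell-LaPadula: no read up, no write down. Neither the user nor the
    object's owner can override this; only the administrator sets labels."""
    c, l = LEVELS[clearance], LEVELS[label]
    if op == "read":
        return c >= l
    if op == "write":
        return c <= l
    raise ValueError("unknown operation: " + op)


class DacObject:
    """An object whose owner decides who else may use it."""

    def __init__(self, owner):
        self.owner = owner
        self.acl = {owner: {"read", "write", "grant"}}

    def grant(self, by, to, perms):
        """Only a principal holding 'grant' (the owner, or a delegate) may
        change the ACL. Returns True on success, False if refused."""
        if "grant" not in self.acl.get(by, set()):
            return False
        self.acl.setdefault(to, set()).update(perms)
        return True

    def allowed(self, user, op):
        return op in self.acl.get(user, set())


def allowed(user, clearance, obj, label, op):
    """How the two combine in practice: MAC is evaluated first and DAC can
    only restrict further, never widen what the labels permit."""
    return mac_allowed(clearance, label, op) and obj.allowed(user, op)


if __name__ == "__main__":
    report = DacObject("alice")                  # alice owns it; the label is set by the admin
    report.grant("alice", "bob", {"read"})       # owner shares it (DAC)
    print(allowed("bob", "classified", report, "classified", "read"))  # True
    print(allowed("bob", "classified", report, "secret", "read"))      # False: MAC stops read-up
    print(allowed("carol", "secret", report, "classified", "read"))    # False: no DAC entry
```

Note the asymmetry in the "write" rule: a classified user may write into a secret container (no information flows down), but a secret user may not write into a classified one. That is the property no owner-managed ACL can give you, which is why regulated environments layer MAC underneath DAC rather than choosing one.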
13. PRIVACY BY DESIGN
The seven foundational principles (Ann Cavoukian):
• Proactive not reactive; preventative not remedial
• Privacy as the default: the maximum degree of privacy is built into the system by default
• Privacy embedded into design
• Full functionality: positive-sum, not zero-sum; accommodate all legitimate interests and objectives
• End-to-end lifecycle protection: extends data security throughout the entire lifecycle of the data involved
• Visibility and transparency: assure all stakeholders that the system is operating according to the stated promises and objectives
• Respect for user privacy: offer strong privacy defaults, appropriate notice, and empowering user-friendly options

LOGICAL ACCESS CONTROL
• Access control has traditionally been based on roles (RBAC)
• Organizations now face "role explosion", where more roles exist than there are individuals in the organization
• Attribute-based access control (ABAC) is a seismic shift in the development of access control technology
• Its policy-driven approach makes it easier to express tightening regulatory constraints as rules over attributes rather than as ever more roles
• See NIST SP 800-162, Guide to Attribute Based Access Control (ABAC) Definition and Considerations: https://nvlpubs.nist.gov/nistpubs/specialpublications/NIST.SP.800-162.pdf
14. ACCESS CONTROL SCENARIO
[Figure: a user (subject) requests a resource; the access control component takes the information required for authorization and returns an access decision: Grant, Deny, or other (e.g. NotApplicable, Error)]

ABAC
• Attributes are name and value pairs
• Attributes are associated with different entities:
  - User: role, group, department, project, topic
  - Subject: clearance, role, admin, network
  - Object: sensitivity, date, owner, size, last_modified
  - Context: CPU usage, server_location, risk_level, time
  - Attribute (i.e. meta-attribute): risk_level_of_role, size_of_organization, head_of_department, trust_of_clearance
• Policies convert attributes into rights just in time: for each request (subject, object, operation) the attributes of all three, plus the context, are retrieved and the policy is evaluated
15. EXAMPLE USER ATTRIBUTES
UA = {Clr, Dept, Proj, Skill}

Attribute | Type   | Scope
Clr       | atomic | unclassified, classified, secret, topsecret
Dept      | atomic | software, hardware, finance, market
Proj      | set    | search, game, mobile, social, cloud
Skill     | set    | web, system, server, windows, security

Attribute assignment for Fred:
Clr(Fred) = classified
Dept(Fred) = finance
Proj(Fred) = {search, game, cloud}
Skill(Fred) = {web, server}

THE TRUSTED CLOUD
Cloud computing challenges:
• Security compliance has become more complex
• Increasing virtualization
• Growing threats
• Need to track compliance
• Server security breaches are common
• Compliance procedures are struggling to keep up
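The ABAC slides describe the decision flow (retrieve the attributes of subject, object and context for each request, evaluate the policy, return Grant, Deny, NotApplicable or Error) and give Fred's attributes. The following added example, which is not code from the slides or from NIST SP 800-162, is a small policy decision point that runs that flow over exactly those attributes. It also serves the Zero Trust fundamentals slide: the request context carries a network attribute, but no rule ever consults it, so Fred's decision is the same from inside or outside. The objects, the four policy rules and the context values are constructed.

```python
"""An attribute-based policy decision over the slide's user attributes
(UA = {Clr, Dept, Proj, Skill}) and Fred's assignment. Added example, not
code from the slides or from NIST SP 800-162; the objects, policy rules and
context values are constructed. It also applies the Zero Trust fundamentals
slide: the source network attribute is carried in the context but is never a
reason to grant."""
from enum import Enum


class Decision(Enum):
    GRANT = "Grant"
    DENY = "Deny"
    NOT_APPLICABLE = "NotApplicable"
    ERROR = "Error"


LEVELS = ["unclassified", "classified", "secret", "topsecret"]

# Subject attributes, as on the slide.
USER_ATTRS = {
    "Fred": {"Clr": "classified", "Dept": "finance",
             "Proj": {"search", "game", "cloud"}, "Skill": {"web", "server"}},
}

# Constructed object attributes.
OBJECTS = {
    "cloud-budget.xlsx": {"sensitivity": "classified", "project": "cloud", "owner": "finance"},
    "mobile-roadmap.doc": {"sensitivity": "secret", "project": "mobile", "owner": "market"},
}


def dominates(clr, sensitivity):
    return LEVELS.index(clr) >= LEVELS.index(sensitivity)


def rules(subject, obj, op, ctx):
    """Ordered rule list: deny rules first, so the first applicable rule wins
    and a deny always overrides a grant. ctx['network'] is deliberately
    absent from every rule (network locality is not a trust signal)."""
    return [
        ("high-risk-session",
         lambda: ctx["risk_level"] == "high", Decision.DENY),
        ("no-read-up",
         lambda: op == "read" and not dominates(subject["Clr"], obj["sensitivity"]), Decision.DENY),
        ("project-member-read",
         lambda: op == "read" and obj["project"] in subject["Proj"], Decision.GRANT),
        ("owning-dept-write",
         lambda: op == "write" and obj["owner"] == subject["Dept"]
         and dominates(subject["Clr"], obj["sensitivity"]), Decision.GRANT),
    ]


def decide(user, object_name, op, ctx):
    """Policy decision point: attributes are fetched per request and turned
    into a right just in time; a missing attribute fails closed with ERROR."""
    subject, obj = USER_ATTRS.get(user), OBJECTS.get(object_name)
    if subject is None or obj is None:
        return Decision.ERROR
    try:
        for _name, applies, effect in rules(subject, obj, op, ctx):
            if applies():
                return effect
    except KeyError:
        return Decision.ERROR
    return Decision.NOT_APPLICABLE


if __name__ == "__main__":
    ctx = {"risk_level": "low", "network": "external", "time": "09:00"}
    print(decide("Fred", "cloud-budget.xlsx", "read", ctx).value)    # Grant
    print(decide("Fred", "mobile-roadmap.doc", "read", ctx).value)   # Deny
    print(decide("Fred", "cloud-budget.xlsx", "delete", ctx).value)  # NotApplicable
```

Two details matter for an auditor reading the output. First, a request that lacks an attribute the policy needs (no risk_level in the context) returns Error rather than Grant, which is what "fail closed" means in an ABAC deployment. Second, the role explosion from the previous slide is avoided because Fred's rights fall out of four rules and a handful of attribute values; adding a new project needs a new attribute value, not a new role.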
16. POTENTIAL DATA LEAKAGE AT THE PROVIDER SITE
• The customer pays for a virtual machine (VM) to compute on its data, e.g. on Amazon EC2
• A privileged user at the provider with access to VM state (memory, disk images, snapshots) can leak that data, accidentally or intentionally
Source: Nuno Santos, MPI-SWS, 2009

NEED TO TRUST
• Trust your hardware
  - you need to trust every server
  - if a server is not behaving as it should, remove it from the pool as a known risk
• Trust your resources
  - you need to rely on a "known good" pool of compute resources that have proven trustworthy
• Trust your verification process
  - you need transparency to audit workloads, users, data and system resources for compliance and reporting
17. NEED A SOLUTION TO SECURE THE COMPUTATION STATE
• Encryption can secure communications and storage
• But encryption per se is ineffective for computation: raw data is kept in memory, in the clear, while it is being processed
• The provider benefits from providing a solution
Source: Nuno Santos, MPI-SWS, 2009

TRUSTED CLOUD COMPUTING PLATFORM
• Goal: make the computation of virtual machines confidential
• Deployed by the service provider
• The customer can verify (attest) that the computation is confidential before handing over data
Source: Nuno Santos, MPI-SWS, 2009
18. USING A THREAT MODEL
• A threat model helps to analyze a security problem, design mitigation strategies, and evaluate solutions
• Steps:
  1. Identify attackers, assets, threats and other components
  2. Rank the threats
  3. Choose mitigation strategies
  4. Build solutions based on the strategies

ATTACKERS
• At the client
  - learn passwords / authentication information
  - gain control of the VMs
• At the cloud provider
  - log client communication
  - read unencrypted data
  - possibly peek into VMs, or make copies of VMs
  - monitor network communication and application patterns
• Why?
  - gain information about client data
  - gain information on client behavior
  - sell the information or use it themselves
  • 19. 3/23/2020 19
    ATTACKERS
    • What?
      • Listen to network traffic (passive)
      • Insert malicious traffic (active)
      • Probe cloud structure (active)
      • Launch DDoS
    • Goal?
      • Intrusion
      • Network analysis
      • Man in the middle
      • Cartography
    DATA LIFE CYCLE
    • Personal information should be managed as part of the data used by the organization
    • Protection of personal information should consider the impact of the cloud on each phase
    From [6] Cloud Security and Privacy by Mather and Kumaraswamy
  • 20. 3/23/2020 20
    POSSIBLE SOLUTIONS
    • Minimize lack of trust
      • Policy language
      • Certification
    • Minimize loss of control
      • Monitoring
      • Utilizing different clouds
      • Access control management
      • Identity Management (IDM)
    • Minimize multi-tenancy
    MINIMIZE LACK OF TRUST: CERTIFICATION
    • Certification
      • Some form of reputable, independent, comparable assessment and description of security features and assurance
      • Sarbanes-Oxley, DIACAP, DISTCAP, etc. (are they sufficient for a cloud environment?)
    • Risk assessment
      • Performed by certified third parties
      • Provides consumers with additional assurance
  • 21. 3/23/2020 21
    GOOD AND BAD BOTS
    • In the beginning, there were only good bots.
      • e.g., Google bot, game bots, etc.
    • Later, bad people thought of creating bad bots so that they may
      • Send spam and phishing emails
      • Control others' PCs
      • Launch attacks on servers (DDoS)
    • Many malicious bots were created
      • SDBot/Agobot/Phatbot, etc.
    • Botnets started to emerge
    BOTNETS: CURRENT SINGLE LARGEST INTERNET THREAT?
    "Attack of zombie computers is growing threat" (New York Times)
    "Why we are losing the botnet battle" (Network World)
    "Botnet could eat the internet" (Silicon.com)
    "25% of Internet PCs are part of a botnet" (Vint Cerf)
  • 22. 3/23/2020 22
    WHAT ARE BOTS/BOTNETS?
    • Bot (Zombie)
      • Compromised computer controlled by botcode (malware) without the owner's consent/knowledge
      • Professionally written; self-propagating
    • Botnets (Bot Armies): networks of bots controlled by criminals
      • Definition: "A coordinated group of malware instances that are controlled via C&C channels".
      • Architectures: centralized (e.g., IRC, HTTP), distributed (e.g., P2P)
      • Key platform for fraud and other for-profit exploits
    HOW DO BOTNETS GROW?
    • Exploit a vulnerability to execute a short program (exploit) on the victim's machine
      • Buffer overflows, email viruses, Trojans, etc.
    • The exploit downloads and installs the actual bot
    • The bot disables firewall and A/V software
    • The bot locates the IRC server, connects, joins
      • Typically needs DNS to find out the server's IP address
      • Authentication password often stored in the bot binary
    • Botmaster issues commands
  • 23. 3/23/2020 23
    BOTNET EPIDEMIC
    • More than 95% of all spam
    • All distributed denial of service (DDoS) attacks
    • Click fraud
    • Phishing & pharming attacks
    • Key logging & data/identity theft
    • Distributing other malware, e.g., spyware
    • Anonymized terrorist & criminal communication
    INTERNET SECURITY: BROKEN ASSUMPTIONS
    • Internet infrastructure (e.g., DNS, BGP) is trustworthy
      • DNS is more vulnerable than you think ...
    • Computers are secure when using up-to-date AV tools and a firewall
      • Not really
    • Attackers are in it for fun and fame
      • Profit, profit, profit!
    • Attackers have limited/bounded computing power
      • They have almost unbounded(?) power
    • Attacks come from isolated computers
      • The network is attacking you
  • 24. 3/23/2020 24
    BOTNET DETECTION
    • Host based
    • Intrusion Detection Systems (IDS)
    • Anomaly detection
    • IRC nicknames
    • HoneyPot and HoneyNet
    HONEYPOTS / HONEYNETS
    • A HoneyPot is a vulnerable machine, ready to be attacked
      • Example: unpatched Windows
    • Once attacked, the malware is caught inside
      • The malware is analyzed and its activity is monitored
      • When it connects to the C&C server, the server's identity is revealed
    • HoneyNet: a network of honeypots
      • Very effective, worked in many cases
    • Honeypots also pose a great security risk if not maintained properly
      • Hackers may use them to attack others
      • Must be monitored cautiously
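The detection slide lists anomaly detection and IRC nicknames as signals, and the earlier "How do botnets grow?" slide explains why: bots join a centralized IRC C&C channel, and their nicknames are generated by code rather than chosen by people. The block below is an added example, not code from the webinar, that runs that idea over a constructed connection log from a network sensor: per IRC server it counts distinct internal hosts, measures what fraction of their nicknames match a generated-nickname heuristic, and checks whether the hosts all joined the same channel inside a short window. The log format, the nickname regex and the thresholds are all constructed for illustration; the legitimate-looking second server shows the detector does not fire on ordinary human IRC use.

```python
"""Anomaly-style botnet detection over IRC connection logs, following the
slide's 'anomaly detection' and 'IRC nicknames' bullets.  Added example, not
code from the webinar: log format, nickname heuristic and thresholds are
constructed for illustration."""

import re
from collections import defaultdict
from datetime import datetime

# Constructed sensor log: time, internal source, IRC server:port, command, argument.
LOG = """\
2020-03-23T10:00:01 10.0.0.5 203.0.113.7:6667 NICK USA|48213
2020-03-23T10:00:02 10.0.0.5 203.0.113.7:6667 JOIN #upd8
2020-03-23T10:00:04 10.0.0.9 203.0.113.7:6667 NICK USA|11902
2020-03-23T10:00:05 10.0.0.9 203.0.113.7:6667 JOIN #upd8
2020-03-23T10:00:07 10.0.0.23 203.0.113.7:6667 NICK DEU|77310
2020-03-23T10:00:08 10.0.0.23 203.0.113.7:6667 JOIN #upd8
2020-03-23T10:00:11 10.0.0.41 203.0.113.7:6667 NICK USA|09377
2020-03-23T10:00:12 10.0.0.41 203.0.113.7:6667 JOIN #upd8
2020-03-23T10:15:30 10.0.0.12 198.51.100.20:6697 NICK alice
2020-03-23T10:15:31 10.0.0.12 198.51.100.20:6697 JOIN #python
2020-03-23T11:02:10 10.0.0.30 198.51.100.20:6697 NICK bob_
2020-03-23T11:02:12 10.0.0.30 198.51.100.20:6697 JOIN #linux
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (NICK|JOIN) (\S+)$")
# Constructed heuristic: short upper-case prefix, separator, long digit run (e.g. USA|48213).
BOT_NICK_RE = re.compile(r"^[A-Z]{2,4}[|_\-]\d{4,}$")


def parse(log_text):
    """Return (time, src, server, cmd, arg) tuples; lines the sensor format
    does not cover are skipped rather than crashing the detector."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, server, cmd, arg = m.groups()
        events.append((datetime.fromisoformat(ts), src, server, cmd, arg))
    return events


def score_servers(events, min_hosts=3, min_bot_nick_ratio=0.75, join_window_s=120):
    """Per IRC server: distinct internal hosts, fraction of nicknames matching
    the heuristic, and whether all joins target one channel inside a short
    window.  A server is suspicious only when all three signals agree."""
    nicks = defaultdict(dict)   # server -> {host: nick}
    joins = defaultdict(list)   # server -> [(time, host, channel)]
    for ts, src, server, cmd, arg in events:
        if cmd == "NICK":
            nicks[server][src] = arg
        else:
            joins[server].append((ts, src, arg))
    report = {}
    for server in set(nicks) | set(joins):
        hosts = set(nicks[server]) | {h for _, h, _ in joins[server]}
        bot_like = sum(1 for n in nicks[server].values() if BOT_NICK_RE.match(n))
        ratio = bot_like / len(nicks[server]) if nicks[server] else 0.0
        channels = {c for _, _, c in joins[server]}
        times = [t for t, _, _ in joins[server]]
        synchronized = (
            len(channels) == 1
            and len(joins[server]) >= min_hosts
            and (max(times) - min(times)).total_seconds() <= join_window_s
        )
        report[server] = {
            "hosts": len(hosts),
            "bot_nick_ratio": round(ratio, 2),
            "synchronized_join": synchronized,
            "suspicious": (len(hosts) >= min_hosts
                           and ratio >= min_bot_nick_ratio
                           and synchronized),
        }
    return report


def suspicious_servers(log_text=LOG):
    """Sorted list of IRC servers flagged as likely C&C for the given log."""
    report = score_servers(parse(log_text))
    return sorted(s for s, r in report.items() if r["suspicious"])


if __name__ == "__main__":
    for server, r in score_servers(parse(LOG)).items():
        print(server, r)
    print("flagged:", suspicious_servers())
```

Requiring all three signals together is what keeps the false-positive rate manageable: a single generated-looking nickname, or a popular channel many people join, is not enough on its own. The flagged server is a candidate for blocking at the egress firewall and for the DNS-based follow-up the earlier slide hints at (bots typically resolve the C&C name before connecting).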
  • 25. 3/23/2020 25
    GOOD BOTS
    • Unattended bots can be run on an organization's servers at scheduled times 24/7/365.
    • Unattended bots are often IT-driven, as they can use free or virtual machines to get the workload done
    • Significant reduction in costs and increased ROI make them ideal for back-office tasks
    • Bots complete business processes without human intervention on a predetermined schedule
    • Frees employees from rote work, lowering costs, improving compliance, and accelerating processes
    QUESTIONS?
    Any Questions? Don't be Shy!
  • 26. 3/23/2020 26
    AUDITNET® AND CRISK ACADEMY
    • If you would like forever access to this webinar recording
    • If you are watching the recording, and would like to obtain CPE credit for this webinar
    • Previous AuditNet® webinars are also available on-demand for CPE credit
    http://criskacademy.com
    http://ondemand.criskacademy.com
    Use coupon code: 50OFF for a discount on this webinar for one week
    THANK YOU!
    Jim Kaplan, AuditNet® LLC
    1-800-385-1625
    Email: info@auditnet.org
    www.auditnet.org
    Follow Me on Twitter for Special Offers - @auditnet
    Join my LinkedIn Group – https://www.linkedin.com/groups/44252/
    Like my Facebook business page https://www.facebook.com/pg/AuditNetLLC
    Richard Cascarino & Associates
    Cell: +1 970 819 7963
    Tel: +1 303 747 6087 (Skype Worldwide)
    Tel: +1 970 367 5429
    eMail: rcasc@rcascarino.com
    Web: http://www.rcascarino.com
    Skype: Richard.Cascarino