Organizations are increasingly looking to their Internal Auditors to provide independent assurance about cyber risks and the organization's ability to defend against cyber attacks. With information technology becoming a critical success factor for every business, and with the emerging cyber threat landscape, every internal auditor needs to equip themselves with IT audit essentials and an understanding of cyber issues.
In part 12 of our Cyber Security Series you will learn about the current cyber risks and attack methods from Richard Cascarino, including:
Where are we now and Where are we going?
Current Cyberrisks
• Data Breach and Cloud Misconfigurations
• Insecure Application Programming Interfaces (APIs)
• The growing impact of AI and ML
• Malware Attack
• Single factor passwords
• Insider Threat
• Shadow IT Systems
• Crime, espionage and sabotage by rogue nation-states
• IoT
• CCPA and GDPR
• Cyber attacks on utilities and public infrastructure
• Shift in attack vectors
Cybersecurity Slides
1. 3/23/2020
Richard Cascarino CISM,
CIA, ACFE, CRMA
Cybersecurity Series
2020 Update 3
About Jim Kaplan, CIA, CFE
President and Founder of AuditNet®,
the global resource for auditors
(available on iOS, Android and
Windows devices)
Auditor, Web Site Guru,
Internet for Auditors Pioneer
IIA Bradford Cadmus Memorial Award
Recipient
Local Government Auditor’s Lifetime
Award
Author of “The Auditor’s Guide to
Internet Resources” 2nd Edition
ABOUT AUDITNET® LLC
• AuditNet®, the global resource for auditors, serves the global audit
community as the primary resource for Web-based auditing content. As the first online
audit portal, AuditNet® has been at the forefront of websites dedicated to promoting the
use of audit technology.
• Available on the Web, iPad, iPhone, Windows and Android devices and
features:
• Over 3,100 Reusable Templates, Audit Programs, Questionnaires, and
Control Matrices
• Webinars focusing on fraud, data analytics, IT audit, and internal audit
with free CPE for subscribers and site license users.
• Audit guides, manuals, and books on audit basics and using audit
technology
• LinkedIn Networking Groups
• Monthly Newsletters with Expert Guest Columnists
• Surveys on timely topics for internal auditors
Introductions
HOUSEKEEPING
This webinar and its material are the property of AuditNet® and its Webinar partners. Unauthorized
usage or recording of this webinar or any of its material is strictly forbidden.
• If you logged in with another individual’s confirmation email you will not receive CPE as the
confirmation login is linked to a specific individual
• This Webinar is not eligible for viewing in a group setting. You must be logged in with your unique join
link.
• We are recording the webinar and you will be provided access to that recording after the webinar.
Downloading or otherwise duplicating the webinar recording is expressly prohibited.
• If you have indicated you would like CPE you must attend the entire Webinar to receive CPE (no
partial CPE will be awarded).
• If you meet the criteria for earning CPE you will receive a link via email to download your certificate.
The official email for CPE will be issued via NoReply@gensend.io and it is important to white list this
address. It is from this email that your CPE credit will be sent. There is a processing fee to have your
CPE credit regenerated post event.
• Submit questions via the chat box on your screen and we will answer them either during or at the
conclusion.
• You must answer the survey questions after the Webinar or before downloading your certificate.
ABOUT RICHARD CASCARINO,
MBA, CIA, CISM, CFE, CRMA
• Principal of Richard Cascarino &
Associates based in Colorado USA
• Over 28 years' experience in IT audit
training and consultancy
• Past President of the Institute of
Internal Auditors in South Africa
• Member of ISACA
• Member of Association of Certified
Fraud Examiners
• Author of Data Analytics for Internal
Auditors
TODAY’S AGENDA
Where are We?
What can we do?
Derived PIV
5 G Security
Zero Trust
Attribute-based Access Control
The Trusted Cloud
Good and Bad Bots
WHERE ARE WE?
The Rise of Cryptomining
Cryptojacking (also called malicious cryptomining) is an
emerging online threat that hides on a computer or mobile
device and uses the machine's resources to “mine” forms of
online money known as cryptocurrencies.
A form of cyber attack in which a hacker hijacks a target's
processing power in order to mine cryptocurrency on the
hacker's behalf.
The user downloads the cryptomining script onto the computer (via
email, infected sites, etc.)
The script then works in the background without the victim's
knowledge
WHAT IS BITCOIN?
Bitcoin is a crypto currency and worldwide payment
system
First decentralized digital currency
The system works without a central bank or single
administrator.
The network is peer-to-peer and transactions take
place between users directly, without an
intermediary
Transactions are verified by network nodes through
the use of cryptography and recorded in a public
distributed ledger called a block chain.
BITCOIN
WHAT IS BLOCKCHAIN?
The block chain is an incorruptible digital ledger of
economic transactions that can be programmed to
record not just financial transactions but virtually
everything of value
By storing blocks of information that are identical
across its network, the block chain cannot be controlled
by any single entity and has no single point of failure.
NEED FOR PERSONAL
IDENTITY VERIFICATION
The use of faked identities is a very common issue,
e.g. a large number of terrorists are believed to be hidden
among migrants from the Middle East entering Europe
For example, one of the terrorists involved in the Brussels
airport suicide bombing on March 22, 2016 was using the
identity of a former Inter Milan football player
Semantic attacks such as phishing/web-spoofing
are also rampant
Largely exploit non-expert everyday users
Most security tools were designed by security
experts for expert users
IDENTITY ATTRIBUTES
Multiple layers of identity attributes (including location,
activity, device, and email attributes) can present a
much more detailed and accurate likeness of an
identity
PIV VS DERIVED PIV
Born from FIPS 201 (2004)
A Personal Identity Verification (PIV) card is a United
States Federal smart card that contains the data
necessary for the cardholder to be granted access to
Federal facilities and information systems
PIV standard now used to guide the development
of internal employee credential programs.
A derived PIV is a secure, reliable, federally issued
credential issued to a mobile device instead of a
user
5G SECURITY
5G networks support a massive number of connected
devices.
IoT devices are one of the most-attacked types of
hardware, making up over 78% of malware detection
events in communication service provider networks in
2018
“If an IoT device today is plugged into the network,
and it doesn’t have protection in it, it’s infected in
three minutes or less,”
Mary O’Neill, VP of security at Nokia 2019
REQUIRED FOR 5G
Cloud virtualization technologies such as software-defined
networking (SDN) and network functions virtualization (NFV) are
thriving
Multi-pronged approach to 5G security required
Trust models
Authentication and Key Agreement (AKA)
Extensible Authentication Protocol (EAP)-based secondary
authentication
SECURING THE NETWORK
Each virtual network slice could require unique
security capabilities
A secure edge
Ensuring real-time detection at the edge
A secure SDN controller
Enabling dynamic security protocol through
northbound and southbound APIs
Northbound APIs gather intelligence about
network activity
Southbound APIs control switches, routers,
and firewalls to end attacks as they occur
Proactive analytics
Hypervisor and container security
Security through orchestration
MORE SECURITY
Proactive analytics
Uses machine learning and AI to detect unusual activity in the
network
Based on previously-learned network patterns and trends in
previous breach attempts
Hypervisor and container security
Ensuring that virtualized network elements are protected from
exfiltration and VM-based attacks
Hypervisor inspection and hardening mechanisms
Security through orchestration
Using software-defined, disaggregated architecture, and
orchestrating VNFs and NFVs to automatically react in the
event of a breach
ZERO TRUST
Introduced in 2004 as a design concept
Now mobile endpoints are becoming the norm for
application access
Never trust, Always verify
Initiated in 2010 by John Kindervag
Based on the principle that organizations need to
proactively control all interactions between people,
data, and information systems to reduce security
risks to acceptable levels
Requires continuous authentication and
authorization for any asset to be accessible
ZERO TRUST
FUNDAMENTALS
The network is always assumed to be hostile
External and internal threats exist on the network
at all times
Network locality is not sufficient for deciding trust
in a network
Every device, user, and network flow is
authenticated and authorized
Policies must be dynamic and calculated from as
many sources of data as possible.
ZERO TRUST 6 PILLARS
Users
Devices
Network
Applications
Automation
Analytics
Zero Trust Networks, Evan Gilman & Doug Barth, ISBN: 978-1-491-96219-0
ZERO TRUST
Governing user access is key to success
Just as with network security and Zero Trust, you
must identify, segment, and analyze your users to
shift power in your favor
ACCESS MODELS
Access control models fall into two basic
categories
Mandatory models (MAC)
users’ rights are defined by administrators and data
may be labeled to indicate its sensitivity
Discretionary (DAC)
users may administer the data items they create and
own
PRIVACY BY DESIGN
Proactive not Reactive; Preventative not Remedial
Privacy as the Default; Maximum degree of privacy built into the
system by default
Privacy Embedded into Design
Full Functionality – Accommodate all legitimate interests and
objectives
End-to-End Lifecycle Protection; Extends data security throughout
the entire lifecycle of the data involved
Visibility and Transparency; Assure all stakeholders it is operating
according to the stated promises and objectives
Respect for User Privacy; Offers strong privacy defaults,
appropriate notice, and empowering user-friendly options
LOGICAL ACCESS CONTROL
Access control traditionally based on roles
Now facing the “role explosion”
where more roles exist than actual individuals in an organization
Attribute-based access control (ABAC) - a seismic
shift in the development of access control
technology
Policy driven approach facilitates tightening
regulatory constraints
See https://nvlpubs.nist.gov/nistpubs/specialpublications/NIST.SP.800-162.pdf
[Figure: ABAC access control flow. A User (Subject) submits a request, with the information required for authorization, to the Access Control Component, which returns an Access Decision (Grant, Deny, or others such as NotApplicable or Error) governing access to Resources.]
ACCESS CONTROL SCENARIO
Attributes are name and value pairs
Attributes are associated with different entities
User: role, group, department, project, topic
Subject: clearance, role, admin, network
Object: sensitivity, date, owner, size, last_modified
Context: CPU usage, server_location, risk_level, time
Attribute (i.e., meta-attribute): risk_level_of_role,
size_of_organization, head_of_department, trust_of_clearance
Converted by policies into rights just in time
Retrieve attributes related with each request: (subject, object, operation)
ABAC
EXAMPLE USER ATTRIBUTES
UA = {Clr, Dept, Proj, Skill}
Attribute   Type     Scope
Clr         atomic   unclassified, classified, secret, topsecret
Dept        atomic   software, hardware, finance, market
Proj        set      search, game, mobile, social, cloud
Skill       set      web, system, server, windows, security
Attribute assignment for Fred:
Clr(Fred) = classified
Dept(Fred) = finance
Proj(Fred) = {search, game, cloud}
Skill(Fred) = {web, server}
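The access control scenario and the user-attribute table above describe attributes being converted into rights just in time for each (subject, object, operation) request. The following is an added example (not code from the deck) that evaluates such requests over the slide's own schema for Fred; the clearance ordering, the object attributes (sensitivity, project, dept) and the policy rules are assumptions made for the example.

```python
"""Just-in-time ABAC evaluation over the user-attribute schema on the slide.
Atomic attributes hold one value, set attributes hold a subset of their scope,
and each (subject, object, operation) request is checked against policy rules
when it arrives. Constructed example; object attributes and rules are assumed."""

# Clearance levels in increasing order. The ordering is an assumption made here
# so that a subject's clearance can dominate an object's sensitivity label.
CLEARANCE_ORDER = ["unclassified", "classified", "secret", "topsecret"]

# UA = {Clr, Dept, Proj, Skill}: attribute name -> (type, scope), as on the slide.
UA_SCHEMA = {
    "Clr":   ("atomic", set(CLEARANCE_ORDER)),
    "Dept":  ("atomic", {"software", "hardware", "finance", "market"}),
    "Proj":  ("set",    {"search", "game", "mobile", "social", "cloud"}),
    "Skill": ("set",    {"web", "system", "server", "windows", "security"}),
}

def validate_user(attrs: dict) -> dict:
    """Reject an attribute assignment that violates the declared type or scope."""
    for name, (kind, scope) in UA_SCHEMA.items():
        if name not in attrs:
            raise ValueError(f"missing attribute {name}")
        value = attrs[name]
        if kind == "atomic" and value not in scope:
            raise ValueError(f"{name}={value!r} is outside its scope")
        if kind == "set" and (not isinstance(value, set) or not value <= scope):
            raise ValueError(f"{name}={value!r} is not a subset of its scope")
    return attrs

# Policy rules (assumed for the example). Each takes (subject, object) and
# returns True when satisfied; objects carry sensitivity, project and dept.
def clearance_dominates(subj: dict, obj: dict) -> bool:
    return CLEARANCE_ORDER.index(subj["Clr"]) >= CLEARANCE_ORDER.index(obj["sensitivity"])

def project_member(subj: dict, obj: dict) -> bool:
    return obj["project"] in subj["Proj"]  # membership test on a set-valued attribute

def same_department(subj: dict, obj: dict) -> bool:
    return subj["Dept"] == obj["dept"]

POLICY = {  # operation -> rules that must all hold for a Grant
    "read":  [clearance_dominates, project_member],
    "write": [clearance_dominates, project_member, same_department],
}

def decide(subject: dict, obj: dict, operation: str) -> str:
    """Access decision for one request, using the decision set from the ABAC
    diagram: Grant, Deny, NotApplicable (no policy covers the operation) or
    Error (an attribute the policy needs is missing or has an invalid label)."""
    rules = POLICY.get(operation)
    if rules is None:
        return "NotApplicable"
    try:
        return "Grant" if all(rule(subject, obj) for rule in rules) else "Deny"
    except (KeyError, ValueError):
        return "Error"

# Fred's attribute assignment, exactly as given on the slide.
FRED = validate_user({"Clr": "classified", "Dept": "finance",
                      "Proj": {"search", "game", "cloud"}, "Skill": {"web", "server"}})
```

For example, Fred can read and write a classified finance object in the cloud project, but only read a classified object owned by the software department, and cannot read anything labelled secret.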
THE TRUSTED CLOUD
Cloud Computing Challenges
Security compliance has become more complex
Increasing Virtualization
Growing Threats
Need to Track Compliance
Server security breaches are common
Compliance procedures are struggling to keep up
POTENTIAL DATA LEAKAGE
AT THE PROVIDER SITE
Nuno Santos, MPI-SWS, 2009
• Customers pay for a virtual machine (VM) to compute
on their data
• E.g., Amazon EC2
• A privileged user with access to VM state can
leak that data
• Accidentally or intentionally
NEED TO TRUST
Trust your hardware
You need to trust every server
If it’s not behaving as it should, remove it as a
known risk to eliminate vulnerability
Trust your resources
You need to rely on a “known good” pool of
compute resources that have proven
trustworthy
Trust your verification process
Need transparency to audit workloads, users,
data, and system resources for compliance
and reporting
NEED SOLUTION TO SECURE
THE COMPUTATION STATE
Encryption can secure communications and
storage
But encryption per se is ineffective for
computation
Raw data is kept in memory during computation
Provider benefits from providing a solution
Nuno Santos, MPI-SWS, 2009
TRUSTED CLOUD
COMPUTING PLATFORM
Goal: Make computation of virtual machines
confidential
Deployed by the service provider
Customer can verify that computation is confidential
Nuno Santos, MPI-SWS, 2009
USING A THREAT MODEL
A threat model helps in analyzing a security problem,
designing mitigation strategies, and evaluating solutions
Steps:
Identify attackers, assets, threats and other components
Rank the threats
Choose mitigation strategies
Build solutions based on the strategies
ATTACKERS
At client
Learn passwords/authentication information
Gain control of the VMs
At cloud provider
Log client communication
Can read unencrypted data
Can possibly peek into VMs, or make copies of VMs
Can monitor network communication, application patterns
Why?
Gain information about client data
Gain information on client behavior
Sell the information or use itself
ATTACKERS
What?
Listen to network traffic (passive)
Insert malicious traffic (active)
Probe cloud structure (active)
Launch DDoS
Goal?
Intrusion
Network analysis
Man in the middle
Cartography
DATA LIFE CYCLE
• Personal information should be
managed as part of the data used
by the organization
• Protection of personal information
should consider the impact of the
cloud on each phase
From [6] Cloud Security and Privacy by Mather and Kumaraswamy
POSSIBLE SOLUTIONS
Minimize Lack of Trust
Policy Language
Certification
Minimize Loss of Control
Monitoring
Utilizing different clouds
Access control management
Identity Management (IDM)
Minimize Multi-tenancy
MINIMIZE LACK OF TRUST:
CERTIFICATION
Certification
Some form of reputable, independent, comparable
assessment and description of security features and
assurance
Sarbanes-Oxley, DIACAP, DISTCAP, etc. (are they sufficient
for a cloud environment?)
Risk assessment
Performed by certified third parties
Provides consumers with additional assurance
GOOD AND BAD BOTS
In the beginning, there were only good bots,
e.g. Google bot, game bots, etc.
Later, bad people thought of creating bad bots so that
they could
Send spam and phishing emails
Control other people's PCs
Launch attacks against servers (DDoS)
Many malicious bots were created
SDBot/Agobot/Phatbot etc.
Botnets started to emerge
BOTNETS: CURRENT SINGLE
LARGEST INTERNET THREAT?
“Attack of zombie computers is growing threat”
(New York Times)
“Why we are losing the botnet battle”
(Network World)
“Botnet could eat the internet”
(Silicon.com)
“25% of Internet PCs are part of a botnet”
(Vint Cerf)
WHAT ARE BOTS/BOTNETS?
Bot (Zombie)
Compromised computer controlled by botcode (malware) without
owner consent/knowledge
Professionally written; self-propagating
Botnets (Bot Armies): Networks of bots controlled by
criminals
Definition: “A coordinated group of malware instances that are
controlled via C&C channels”.
Architectures: centralized (e.g., IRC,HTTP), distributed (e.g., P2P)
Key platform for fraud and other for-profit exploits
HOW DO BOTNETS GROW?
Exploit a vulnerability to execute a short
program (exploit) on the victim's machine
Buffer overflows, email viruses, Trojans etc.
Exploit downloads and installs actual bot
Bot disables firewall and A/V software
Bot locates IRC server, connects, joins
Typically needs DNS to find out the server's IP
address
Authentication password often stored in bot
binary
Botmaster issues commands
BOTNET EPIDEMIC
More than 95% of all spam
All distributed denial of service (DDoS) attacks
Click fraud
Phishing & pharming attacks
Key logging & data/identity theft
Distributing other malware, e.g., spyware
Anonymized terrorist & criminal communication
INTERNET SECURITY:
BROKEN ASSUMPTIONS
Internet infrastructure (e.g., DNS, BGP) is trustworthy
DNS is more vulnerable than you think …
Computers are secure when using up-to-date AV tools
and firewall
Not really
Attackers are for fun and fame
Profit, profit, profit!
Attackers have limited/bounded computing power
They have almost unbounded(?) power
Attacks from isolated computers
The network is attacking you
BOTNET DETECTION
Host Based
Intrusion Detection Systems (IDS)
Anomaly Detection
IRC Nicknames
HoneyPot and HoneyNet
HONEYPOTS / HONEYNETS
HoneyPot is a vulnerable machine, ready to be
attacked
Example: unpatched windows
Once attacked, the malware is caught inside
The malware is analyzed, its activity is monitored
When it connects to the C&C server,
The server's identity is revealed
HoneyNet: a network of honeypots
Very effective, worked in many cases
Also pose a great security risk if not maintained properly
Hackers may use them to attack others
Must be monitored cautiously
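The "How do botnets grow" slide notes that a bot typically needs DNS to find its server's IP address before it connects and joins an IRC channel, and the "Botnet detection" slide lists anomaly detection as one approach. The following is an added example (not code from the deck or from any product it mentions) that turns that sequence into a network-side detection rule: it correlates each host's DNS answers with its follow-on connections to IRC ports and reports names that several hosts rendezvous at. The log format, the sample lines and the choice of IRC ports are assumptions made for the example.

```python
"""Correlate DNS answers with follow-on connections to IRC ports so that hosts
rendezvousing at the same command-and-control (C&C) server stand out. Follows
the sequence on the slide: the bot resolves the server's name, then connects and
joins. Constructed example; the log format and sample lines are made up here."""
from collections import defaultdict

IRC_PORTS = {6667, 6697}  # assumed: the usual IRC ports used by centralized C&C

# Constructed logs, one event per line:
#   dns  <ts> <host> <queried_name> <answer_ip>
#   conn <ts> <host> <dst_ip> <dst_port>
SAMPLE_LOG = """\
dns 100 10.0.0.5 irc.example.test 203.0.113.7
conn 101 10.0.0.5 203.0.113.7 6667
dns 130 10.0.0.9 irc.example.test 203.0.113.7
conn 131 10.0.0.9 203.0.113.7 6667
dns 140 10.0.0.12 www.example.test 198.51.100.3
conn 141 10.0.0.12 198.51.100.3 443
dns 150 10.0.0.21 irc.example.test 203.0.113.7
conn 152 10.0.0.21 203.0.113.7 6667
conn 160 10.0.0.30 203.0.113.7 6667
"""

def parse(log: str) -> list:
    """Parse the constructed log format into event dicts ordered by timestamp."""
    events = []
    for line in log.splitlines():
        f = line.split()
        if not f:
            continue
        if f[0] == "dns":
            events.append({"kind": "dns", "ts": int(f[1]), "host": f[2],
                           "name": f[3], "ip": f[4]})
        elif f[0] == "conn":
            events.append({"kind": "conn", "ts": int(f[1]), "host": f[2],
                           "ip": f[3], "port": int(f[4])})
    return sorted(events, key=lambda e: e["ts"])

def find_rendezvous(log: str, window: int = 60, min_hosts: int = 3) -> dict:
    """Return {name: hosts} for every name that at least min_hosts distinct
    hosts resolved and then connected to (on an IRC port) within `window`
    seconds. A connection with no preceding lookup from that host (10.0.0.30
    above, a hard-coded C&C address) is not counted by this rule."""
    last_dns = {}  # (host, answer_ip) -> (ts, name) of the most recent lookup
    hits = defaultdict(set)
    for e in parse(log):
        if e["kind"] == "dns":
            last_dns[(e["host"], e["ip"])] = (e["ts"], e["name"])
        elif e["port"] in IRC_PORTS:
            seen = last_dns.get((e["host"], e["ip"]))
            if seen and 0 <= e["ts"] - seen[0] <= window:
                hits[seen[1]].add(e["host"])
    return {name: hosts for name, hosts in hits.items() if len(hosts) >= min_hosts}
```

On the sample log the rule reports irc.example.test with three hosts, while the ordinary HTTPS lookup by 10.0.0.12 and the direct-IP connection by 10.0.0.30 are left for other rules, such as the honeypot and host-based approaches on the slides.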
GOOD BOTS
Unattended bots can be run on an organization’s
servers at scheduled times 24/7/365.
Unattended bots are often IT-driven as they can use
free or virtual machines to get the workload done
Significant reduction in costs and increased ROI
make it ideal for back office tasks
Bots complete business processes without human
intervention per a predetermined schedule
Frees employees from rote work, lowering costs,
improving compliance, and accelerating processes
QUESTIONS?
Any Questions?
Don’t be Shy!
AUDITNET® AND CRISK
ACADEMY
• If you would like forever
access to this webinar
recording
• If you are watching the
recording, and would like
to obtain CPE credit for
this webinar
• Previous AuditNet®
webinars are also
available on-demand for
CPE credit
http://criskacademy.com
http://ondemand.criskacademy.com
Use coupon code: 50OFF for a
discount on this webinar for one week
THANK YOU!
Jim Kaplan
AuditNet® LLC
1-800-385-1625
Email:info@auditnet.org
www.auditnet.org
Follow Me on Twitter for Special Offers - @auditnet
Join my LinkedIn Group –
https://www.linkedin.com/groups/44252/
Like my Facebook business page
https://www.facebook.com/pg/AuditNetLLC
Richard Cascarino & Associates
Cell: +1 970 819 7963
Tel +1 303 747 6087 (Skype Worldwide)
Tel: +1 970 367 5429
eMail: rcasc@rcascarino.com
Web: http://www.rcascarino.com
Skype: Richard.Cascarino