2. #NACACS
WHO WE ARE
• Nate Anderson
  – IT Audit Director, Sears Holdings Corporation
• Lucas Morris
  – Senior Manager, Crowe Horwath LLP
3. #NACACS
AGENDA
"security is no longer a function of IT, it's part of enterprise risk management"
1. the case for cybersecurity
2. three lines of defense model and security roles
3. rethinking the role of internal audit
7. #NACACS
BREACHES BY THE NUMBERS
source of breach¹:
- malicious outsider 58%
- accidental loss 24%
- malicious insider 15%
- hacktivist 2%
- state sponsored 2%
breaches by industry¹:
- government 43%
- healthcare 19%
- other 17%
- technology 12%
- retail 6%
- education 3%
¹ breach level index: http://breachlevelindex.com
8. #NACACS
BREACHES BY THE NUMBERS
• Average cost per record lost in 2015 is $217
IBM 2015 Cost of Breach Study: http://ibm.co/1rnnBN3
10. #NACACS
THREE LINES OF DEFENSE MODEL
first line: own & manage risk and control (front line operating management).
second line: monitor risk and control in support of management (risk, control, compliance functions put in place by management).
third line: provide independent assurance to board & senior management concerning the effectiveness of management of risk and control.
coso: three lines of defense: http://bit.ly/1I4XrQT
12. #NACACS
THREE LINES EXAMPLE: EMPLOYEE DATA
lines of defense for employee data: human resources (first line); information security / IT compliance (second line); internal audit (third line)
elements across the lines: control requirements – COBIT / NIST; risk assessment; control gaps; global view; system & asset inventory; control set
13. #NACACS
ROLE OF BOARD OF DIRECTORS & AUDIT COMMITTEE
40% of boards deal with computer & information security issues
48% have board-level risk committee for privacy & security
65% [of directors] want at least "some" additional time and focus on IT risks like cybersecurity¹
83% of the board or its committees are very or moderately engaged with overseeing/understanding the risk of cyberattacks.
65% of board or its committees are very or moderately engaged with overseeing/understanding the level of spend on cybersecurity.
¹ Deloitte: http://bit.ly/1pnZCN5 PwC: http://pwc.to/1RMkXWK
15. #NACACS
SECURITY AS ENTERPRISE RISK MANAGEMENT
• identify your threat landscape: assets, threat actors, and threats¹
• assess defense and determine relevancy of attacks
• audit and test defenses and technical controls
• communicate and collaborate with other lines of defense and audit committee
¹ refer to appendix A. for recommended reading list.
16. #NACACS
SECURITY AS ENTERPRISE RISK MANAGEMENT
17. #NACACS
IDENTIFY YOUR THREAT LANDSCAPE: ASSETS¹
what are your crown jewels?
¹ refer to appendix B. for security frameworks supporting an asset-driven approach.
18. #NACACS
IDENTIFY YOUR THREAT LANDSCAPE: ASSETS
where are your crown jewels?
"an organization cannot properly protect [assets] it does not know about." - nist¹
places where they live: points of entry, servers, databases, staging, warehouse, third parties, cloud, unstructured, reports
¹ NIST Protecting PII: http://1.usa.gov/1DgxrRy
19. #NACACS
IDENTIFY YOUR THREAT LANDSCAPE: THREAT ACTORS
external threat actors are relevant based on:
- assets
- industry
external threat actors: nation states, hacktivists, criminal organizations, terrorists, individuals (internal & external)
also relevant: internal & third party threat actors
attack origination¹: external 80%+, internal 17%, partner 3%
¹ verizon data breach investigations report: http://vz.to/1ILoZPv
20. #NACACS
THREAT ACTOR SOPHISTICATION (lowest to highest)
insider threats
• Employee, partners, contractors
• Typically highest likelihood of monetary impact
• Example: WikiLeaks
"script kiddies"
• Leverage widely available tools
• Look for targets of opportunity
• Example: Website defacement
targeted attacks
• Advanced attacks with specific targets
• Worms, Application Vulnerabilities
• Example: Conficker, Sasser
advanced persistent threats
• Highly knowledgeable, highly funded
• Looking for targets of value
• Example: Lulzsec, Stuxnet, Nation Sponsored
21. #NACACS
# OF BREACHES BY THREAT ACTOR MOTIVE
¹ verizon dbir 2016: http://vz.to/1Svr72f
22. #NACACS
IDENTIFY YOUR THREAT LANDSCAPE – THREATS
phishing, data leakage, credentials, trojan, backdoor, command & control, malware
23. #NACACS
THREATS – USER CREDENTIALS
• at risk credentials
  – weak, reused, default credentials
  – easy method for attackers to gain and expand access
• how do they obtain them:
  – guessing
  – stealing them encrypted from memory or storage
  – stealing them while in use (unencrypted)
  – stealing the user's session or token
• enable attacker to:
  – gather significant amounts of low risk information
  – access files
  – search and scan for additional access, moving both laterally and vertically
24. #NACACS
THREATS – THIRD PARTIES
• it's 10:30 am monday morning and IT gets a call…
"Hello, this is Tom from procurement. We have a vendor that will be here at 2:00 and they are requesting that we provide them an internal IP address for the installation."
• recent breaches show compliance is not the goal
• right to audit clause
• more hands on testing
  – vendors will hate this
  – small organizations will struggle
25. #NACACS
THREATS – DATA LEAKAGE
channels through which data leaks: internet, third parties, shares, email, printers, intranet applications, backups, media, database, local files
26. #NACACS
THREATS – SOCIAL ENGINEERING
From: "Client Content Filter System" <client-web-filter@FAKEBUTLOOKSREAL.org>
Subject: Potential Acceptable Use Violation
Michael,
Our web traffic monitoring service has reported that your account has visited potentially malicious web
sites, including sites that are restricted per ABC's Acceptable Use Policy.
We do realize that this type of activity is often caused by viruses and other types of malware. The
following link will direct you to the detailed report of the malicious web sites your system has visited as
reported by the monitoring service; please review this list for accuracy.
https://www.FAKEBUTLOOKSREAL.org/ABC/?sessionid=chris.wilkinson@abc.com
The file has been encrypted for privacy and requires Microsoft Word macros to be enabled for viewing.
If you believe that any of the sites listed in the report have been reported erroneously or that all sites
noted are false positives, please reply to this email and a manual review will be conducted by
Information Security.
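The sample email above carries several of the tells an auditor looks for: a "filter system" mailing from a look-alike domain, a report link that leaves the company's domain and embeds the recipient's own address, and an instruction to enable Word macros. The following checker, added here as an illustration and not part of the original deck, scores a message on those indicators; the message dictionary and the domain abc.com are constructed to mirror the slide.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed message modelled on the slide's sample (placeholder domains as on the slide).
SAMPLE = {
    "from_addr": "client-web-filter@FAKEBUTLOOKSREAL.org",
    "recipient": "chris.wilkinson@abc.com",
    "subject": "Potential Acceptable Use Violation",
    "body": (
        "Our web traffic monitoring service has reported that your account has visited "
        "potentially malicious web sites, including sites that are restricted per ABC's "
        "Acceptable Use Policy. The following link will direct you to the detailed report.\n"
        "https://www.FAKEBUTLOOKSREAL.org/ABC/?sessionid=chris.wilkinson@abc.com\n"
        "The file has been encrypted for privacy and requires Microsoft Word macros to be "
        "enabled for viewing."
    ),
}

URL_RE = re.compile(r"https?://[^\s<>\"']+")

def phishing_indicators(msg, org_domain):
    """Return the distinct indicators found in msg; org_domain is the company's own domain."""
    org = org_domain.lower()
    found = set()
    # 1. A message claiming to come from the company's own filtering system should
    #    come from the company's domain, not a look-alike.
    if msg["from_addr"].rsplit("@", 1)[-1].lower() != org:
        found.add("external_sender_posing_as_internal")
    for url in URL_RE.findall(msg["body"]):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        # 2. The "report" link leaves the organisation's domain.
        if host != org and not host.endswith("." + org):
            found.add("link_to_external_domain")
        # 3. The recipient's own address is embedded in the URL, which tells the sender
        #    exactly who clicked (the slide's sessionid=chris.wilkinson@abc.com).
        values = [v for vals in parse_qs(parsed.query).values() for v in vals]
        if any(msg["recipient"].lower() in v.lower() for v in values):
            found.add("recipient_email_in_url")
    # 4. Asking the reader to enable Office macros is a malware-delivery lure.
    if re.search(r"macros?\b.*\benabled|enable\b.*\bmacros?", msg["body"], re.I):
        found.add("macro_enable_request")
    # 5. Pressure framing: the reader is accused of a policy violation.
    if re.search(r"\bviolation\b", msg["subject"] + " " + msg["body"], re.I):
        found.add("policy_violation_pretext")
    return found

def verdict(indicators, threshold=3):
    """Treat a message with at least `threshold` distinct indicators as phishing."""
    return "phishing" if len(indicators) >= threshold else "review"
```

The thresholds and weights are illustrative; in practice the indicator set feeds the mail filter tuning and the incident list that the social engineering audit later reviews.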
27. #NACACS
THREATS – PHISHING SCENARIO EXAMPLE
1. user receives phishing email; clicks attachment
2. malware installed that enables a backdoor
3. communication between user system & attacker
4. attacker scans network for targets, lateral movement
28. #NACACS
SECURITY AS ENTERPRISE RISK MANAGEMENT
29. #NACACS
ASSESS DEFENSE
Initial Point of Entry
The Point of Entry represents how the attacker obtains initial access. Examples could include social engineering, unpatched Internet accessible systems, or weak passwords on externally accessible systems.
Pivot Point
The initial access typically does not provide the information the attacker is looking for. They will leverage the access they do have to try to increase their authority on the network. This could occur through shared passwords, unpatched systems, or excessive privileges.
Fortify Access and Access Data
As the attacker pivots around the network, they continue to attempt to escalate their authority until they have the necessary access. They will typically fortify their access by installing malware or backdoors to maintain access. Persistent administrator access is the end goal.
Data Exfiltration
Once the attacker has data, they need to get it out of the network. This can be completed through a variety of vehicles, such as email or FTP. This has forced the approach to Information Security to mature from focusing only on prevention to including detection and response.
30. #NACACS
ASSESS RELEVANCY – ATTACK SCENARIOS & PATTERNS¹
12 most common attack scenarios: social engineering, financial pretexting, insider threat, usb infection, peripheral tampering, rogue connection, logic switch, sql injection, cms compromise, backdoor access, ram scraping, credential theft
"over the previous three years, just 12 attack scenarios represent over 60% of our investigations."³
9 incident patterns: pos intrusions, web application attacks, cyberespionage, crimeware, insider/privilege misuse, payment card skimmers, miscellaneous errors, physical theft & loss, denial of service
"while we saw many changes in the threat landscape the last 12 months, [9] patterns still covered the vast majority of incidents (96%)."²
¹ refer to appendices C. through F. for additional threat pattern and scenario details.
² verizon dbir 2015: http://vz.to/1ILoZPv
³ verizon data breach digest 2016: http://vz.to/21zkult
31. #NACACS
ASSESS THREAT RELEVANCY – TOP PATTERNS
[two charts: frequency of incident patterns across all security incidents¹; frequency of incident patterns with confirmed data breaches¹]
¹ verizon dbir 2015: http://vz.to/1ILoZPv
32. #NACACS
# OF BREACHES PER THREAT ACTION TYPE
top 5
C2 (malware)
use of stolen creds
export data (malware)
use of backdoor or C2
phishing (social)
Âč verizon dbir 2016: http://vz.to/1Svr72f
33. #NACACS
SECURITY AS ENTERPRISE RISK MANAGEMENT
34. #NACACS
AUDIT & TEST – IDENTIFICATION OF SENSITIVE ASSETS
focus on completeness of inventory during data security audits:
- create data flows
- create system & asset inventory
- hold management accountable for upkeep
"entity should confirm the accuracy of their PCI DSS scope by identifying all locations and flows of cardholder data, and identify all systems that are connected to or, if compromised, could impact the CDE." – PCI DSS 3.1
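The PCI DSS wording quoted above turns scope into a reachability question over the system inventory: the CDE plus everything connected to it that no verified segmentation control cuts off (appendix B makes the same point in OCTAVE terms, with risk to a container inherited by the asset in it). The script below, added here as an illustration and not from the deck, walks a constructed inventory to show how much of the network falls into scope and what a verified segmentation control keeps out; treating any connection as "could impact" is a deliberately conservative assumption.

```python
from collections import deque

# Constructed inventory (not from the deck): each system and the systems it talks to.
CONNECTIONS = {
    "pos-terminal":   {"payment-switch"},
    "payment-switch": {"pos-terminal", "card-db", "jump-host"},
    "card-db":        {"payment-switch", "backup-server"},
    "backup-server":  {"card-db"},
    "jump-host":      {"payment-switch", "corp-ad"},
    "corp-ad":        {"jump-host", "hr-app", "email"},
    "hr-app":         {"corp-ad"},
    "email":          {"corp-ad"},
    "marketing-site": set(),
}
# Systems that store, process or transmit cardholder data: the CDE itself.
CDE = {"pos-terminal", "payment-switch", "card-db"}
# Segmentation controls the auditor has verified actually block traffic (unordered pairs).
VERIFIED_SEGMENTATION = {frozenset({"jump-host", "corp-ad"})}

def undirected(connections):
    """Make every link bidirectional so a one-sided inventory entry is not missed."""
    graph = {s: set(peers) for s, peers in connections.items()}
    for system, peers in connections.items():
        for peer in peers:
            graph.setdefault(peer, set()).add(system)
    return graph

def pci_scope(connections, cde, segmentation=frozenset()):
    """Return the CDE plus every system reachable from it over links that are not
    cut by a verified segmentation control (breadth-first search)."""
    graph = undirected(connections)
    scope = set(cde)
    queue = deque(cde)
    while queue:
        system = queue.popleft()
        for peer in graph.get(system, ()):
            if frozenset({system, peer}) in segmentation or peer in scope:
                continue
            scope.add(peer)
            queue.append(peer)
    return scope

def scope_report(connections, cde, segmentation):
    """Show what verified segmentation buys: the systems it keeps out of scope."""
    with_seg = pci_scope(connections, cde, segmentation)
    without_seg = pci_scope(connections, cde)
    return {
        "in_scope": sorted(with_seg),
        "kept_out_by_segmentation": sorted(without_seg - with_seg),
        "never_connected": sorted(set(connections) - without_seg),
    }
```

An unverified segmentation control is left out of VERIFIED_SEGMENTATION, so the report shows the scope the assessor must defend until the control has been tested.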
35. #NACACS
AUDIT & TEST – ALIGN WITH SECURITY FRAMEWORK
example security frameworks: COBIT, ISO 2700X, NIST or OCTAVE
COBIT 5
- more focus on alignment with business goals, governance roles (2nd & 3rd line of defense)
- control set (no risk language)
- maps to ISO 27001, NIST CSF
ISO 27001/27002
- controls have wider coverage than NIST CSF
- accepted standard in many countries
- supports certification process
- maps to NIST CSF, COBIT
NIST cybersecurity framework
- subset of verbose SP 800-53 NIST framework
- control set (no risk language)
- detailed guidance for technical controls
- maps to ISO 27001, COBIT
- many publications
OCTAVE allegro
- risk-based approach
- aligns with NIST risk assessment publication SP 800-39
- provides steps, worksheets, questionnaires; not a control framework
36. #NACACS
AUDIT & TEST – ASSESS MEASUREMENT CAPABILITY
establish method to measure key risks & controls
matrix of risk & control activities (rows) against data classes (columns)
columns: intellectual property; cardholder (PCI); health (ePHI); employee (PII); customer (PII); financial (SOX)
rows:
- system & asset inventory
- third party inventory
- identify & classify risks
- define control requirements
- identify existing controls
- control assessment
- measure residual risks
- identify & manage incidents
37. #NACACS
AUDIT & TEST – ACROSS THE ATTACK CHAIN
layers: internet, application, infrastructure, endpoint
components across the chain: third party, firewall, remote users, mobile devices, web application, applications, network, employees, workstations, servers, printers, cloud, database
38. #NACACS
AUDIT & TEST – SOCIAL ENGINEERING AUDIT
malicious email filtering
- blocking sufficient % of malicious emails
- filters updated based on incidents
phishing incident management
- accurate, complete list of incidents
- analysis of nature and severity
- remediation effective & complete; includes cleaning user systems, blocking at network-level, identifying any command & control activity
security awareness program
- evaluate effectiveness & reach of training & communications
- determine how effectiveness of program is evaluated
39. #NACACS
AUDIT & TEST – PHISHING SIMULATIONS
1. email ploy crafted by audit (similar to actual)
2. phishing engine selects appropriate random targets across areas of organization
3. measure % that click, open, provide credentials
4. repeat different ploys regularly, collecting stats
- % open email (30% avg.¹)
- % open link / attachment (12% avg.)
- % report suspicious email (3% avg.)
- track % over time
- track % by area
- adjust awareness program
Âč verizon dbir 2016: http://vz.to/1Svr72f
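Steps 3 and 4 above boil down to computing the open, click, credential and report rates per round and per business area and holding them against the DBIR averages the slide quotes. The script below is an added illustration, not from the deck; the simulation results are constructed, and the per-area findings and round-over-round trend are the kind of output that feeds the "adjust awareness program" step.

```python
from collections import defaultdict

# Constructed simulation results (not from the deck): one record per targeted user,
# as (round, business area, set of observed actions).
RESULTS = [
    ("round-1", "finance", {"opened", "clicked", "credentials"}),
    ("round-1", "finance", {"opened", "clicked"}),
    ("round-1", "finance", {"opened"}),
    ("round-1", "finance", set()),
    ("round-1", "it",      {"opened", "reported"}),
    ("round-1", "it",      set()),
    ("round-1", "it",      set()),
    ("round-1", "it",      {"reported"}),
    ("round-2", "finance", {"opened", "clicked"}),
    ("round-2", "finance", {"opened"}),
    ("round-2", "finance", set()),
    ("round-2", "finance", set()),
    ("round-2", "it",      set()),
    ("round-2", "it",      {"opened"}),
    ("round-2", "it",      set()),
    ("round-2", "it",      {"reported"}),
]
ACTIONS = ("opened", "clicked", "credentials", "reported")
# Averages quoted on the slide from the Verizon DBIR 2016, as percentages.
BENCHMARK = {"opened": 30.0, "clicked": 12.0, "reported": 3.0}

def rates(records):
    """Percentage of targets that took each action, rounded to one decimal."""
    n = len(records)
    return {a: round(100.0 * sum(a in acts for _, _, acts in records) / n, 1) for a in ACTIONS}

def rates_by(records, field):
    """Break the rates down by round (field=0, 'track over time') or by area (field=1)."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec[field]].append(rec)
    return {g: rates(recs) for g, recs in sorted(groups.items())}

def findings(records):
    """Flag areas whose click rate exceeds, or report rate trails, the DBIR average,
    then note how the click rate moved between the first and last round."""
    out = []
    for area, r in rates_by(records, 1).items():
        if r["clicked"] > BENCHMARK["clicked"]:
            out.append(f"{area}: click rate {r['clicked']}% above {BENCHMARK['clicked']}% average")
        if r["reported"] < BENCHMARK["reported"]:
            out.append(f"{area}: report rate {r['reported']}% below {BENCHMARK['reported']}% average")
    by_round = list(rates_by(records, 0).values())
    trend = by_round[-1]["clicked"] - by_round[0]["clicked"]
    out.append(f"click rate change first->last round: {trend:+.1f} points")
    return out
```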
40. #NACACS
INFORMATION SECURITY AUDITS TO CONSIDER
cloud & data lake governance
IT asset management
security vulnerabilities & patching assessment
phishing & security awareness
network segmentation assessment
security logging & event detection
penetration testing
web & mobile application assessment
program assessments: PCI & PHI
information security overall assessment
firewall ruleset assessment
41. #NACACS
SECURITY AS ENTERPRISE RISK MANAGEMENT
42. #NACACS
RELEVANT COMMUNICATION TO LEADERS
3rd line of defense
what are you communicating
to the audit committee,
security, IT, and the business
about cybersecurity?
44. #NACACS
THANK YOU
Lucas Morris lucas.morris@crowehorwath.com
www.github.com/CroweCybersecurity
214-777-5257
Nate Anderson nate.anderson@searshc.com
47. #NACACS
B. POPULAR FRAMEWORKS ON ASSET IDENTIFICATION
¹ nist csf: http://1.usa.gov/1dIqXf5
² octave allegro: http://bit.ly/1LTaH2F
methodology: nist cybersecurity framework¹
system & asset reference: step 2: orient. Once the scope of the cybersecurity program has been determined for the business line or process, the organization identifies related systems and assets, regulatory requirements, and overall risk approach. The organization then identifies threats to, and vulnerabilities of, those systems and assets.
methodology: octave allegro²
system & asset reference: step 2: develop an information asset profile. The methodology focuses on the information assets of the organization and Step 2 begins the process of creating a profile for those assets… The methodology's profiling process ensures that an asset is clearly and consistently described, that there is an unambiguous definition of the asset's boundaries, and that the security requirements for the asset are adequately defined. The profile for each asset is captured on a single worksheet that forms the basis for the identification of threats and risks in subsequent steps.
step 3: identify information asset containers. Containers describe the places where information assets are stored, transported, and processed. Information assets reside not only in containers within an organization's boundaries but they also often reside in containers that are not in the direct control of the organization. Any risks to the containers in which the information asset lives are inherited by the information asset.
48. #NACACS
C. THREAT ACTIONS – TOP 9 INCIDENT PATTERNS
¹ verizon data breach digest 2016: http://vz.to/21zkult
49. #NACACS
D. THREAT ACTIONS – 12 MOST COMMON SCENARIOS¹
¹ verizon data breach digest 2016: http://vz.to/21zkult
| # | scenario | freq | threat actor(s) | sophistication | threat source |
|---|----------|------|-----------------|----------------|---------------|
| 1 | social engineering | 16% | organized crime, state-affiliated | 3-4-5 | China, Argentina, North Korea, Russian Federation |
| 2 | financial pretexting | 7% | organized crime | 2-3 | varies |
| 3 | insider threat | 12% | cashier/bank teller/waiter, end users, organized crime, finance employees, call center employees | 1 | varies |
| 4 | usb infection | 33% | state-affiliated, organized crime | 4-5 | China, North Korea, Russian Federation |
| 5 | peripheral tampering | <1% | organized crime | 2 | Bulgaria, Romania, Armenia, Brazil, the U.S. |
| 6 | rogue connection | 4% | organized crime | 1-2-3 | varies |
| 7 | logic switch | 53% | organized crime, unaffiliated, state-affiliated, activist group | 1-2-3-4-5 | the U.S., China |
| 8 | sql injection | 23% | activist, organized crime, state-affiliated | 3 | varies |
| 9 | cms compromise | 46% | organized crime | 3 | China, Malaysia, the U.S., Russian Federation |
| 10 | backdoor access | 51% | state-affiliated, organized crime | 3-4-5 | Romania, China, Russian Federation |
| 11 | ram scraping | 55% | organized crime, state-affiliated | 2-3 | Romania, Germany, China, Russian Federation |
| 12 | credential theft | 42% | organized crime, state-affiliated | 2-3-4-5 | Ukraine, China, Romania, Germany, Russian Federation, the U.S. |
51. #NACACS
F. TOP 25 VERIS (VERIZON) THREAT ACTIONS¹
1. Phishing – Phishing (or any type of *ishing)
2. Use of stolen creds – Use of stolen credentials
3. RAM scraper – RAM scraper or memory parser
4. Brute force – Brute force attack
5. Export data – Export data to another site or system
6. Use of backdoor or C2 – Use of backdoor or C2
7. Unknown – Malware unknown
8. Backdoor – Backdoor (enable remote access)
9. Spyware/Keylogger – Spyware, keylogger, etc.
10. Unknown – Hacking unknown
11. C2 – Command and control (C2)
12. Capture stored data – Capture data stored on disk
13. Downloader – Downloader (pull updates or other malware)
14. Scan network – Scan or footprint network
15. Password dumper – Password dumper
16. Privilege abuse – Abuse of system access privileges
17. Skimmer – Payment card skimmers
18. Adminware – System or network utilities (e.g., PsTools)
19. Rootkit – Rootkit (maintain local privileges and stealth)
20. SQL injection – SQL injection attack
21. Exploit vuln – Exploit vulnerability in code
22. Disable controls – Disable or interfere with security controls
23. Brute force – Brute force attack
24. Unapproved hardware – Use of unapproved hardware
25. Packet sniffer – Packet sniffer (capture data from network)
¹ verizon data breach digest 2016: http://vz.to/21zkult
52. #NACACS
ICON CREDITS – 1 OF 2¹
¹ thenounproject.com
invoice 1: alex auda samora; invoice 2: alex auda samora; cloud server: icon 54
credit card: redfusion; bank: anbileru adaleru; black database: sergio luna
money: gregor cresnar; mystery person: yamini ahluwalia; building: lil squid
health: joao proenca; brain: jessie_vp; white server: mister pixel
diamond: rflor; report: aldredo hernandez; server w/legs: chameleon design
thumbprint: wilson joseph; cash register: icon 54; spreadsheet: useiconic
license: olivia stelan; elephant: ted mitchner; circle lifecycle: yamini ahluwalia
process flow: mantisshrimpdesign; black hoodie: olivier guin; black hat spy: alex auda samora
black mask: luis prado; white mask: icon 54; black mask hat: creative stall
53. #NACACS
ICON CREDITS – 2 OF 2¹
¹ thenounproject.com
download: creative stall; trojan horse: luis prado; open lock: chameleon design
phishing: juan pablo bravo; broken lock: james mayor; safe: luis prado
pass crack: matt wasser; keyring: william j salvador