SlideShare a Scribd company logo

Cybersecurity update 12

Jim Kaplan CIA CFE, profile picture
Jim Kaplan CIA CFE

The document provides an overview of current cybersecurity risks, including threats from cloud computing, insider threats, and vulnerabilities in web applications. It emphasizes the importance of understanding various attack vectors and regulatory compliance in mitigating these risks. Additionally, it discusses the growing role of AI and machine learning in security measures and highlights the necessity of two-factor authentication.

Technology
1 of 28
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
1/20/2020 1 Richard Cascarino CISM, CIA, ACFE, CRMA Cybersecurity Series 2019 Update 2 About Jim Kaplan, CIA, CFE  President and Founder of AuditNet®, the global resource for auditors (available on iOS, Android and Windows devices)  Auditor, Web Site Guru,  Internet for Auditors Pioneer  IIA Bradford Cadmus Memorial Award Recipient  Local Government Auditor’s Lifetime Award  Author of “The Auditor’s Guide to Internet Resources” 2nd Edition Page 2 1 2
1/20/2020 2 ABOUT AUDITNET® LLC • AuditNet®, the global resource for auditors, serves the global audit community as the primary resource for Web-based auditing content. As the first online audit portal, AuditNet® has been at the forefront of websites dedicated to promoting the use of audit technology. • Available on the Web, iPad, iPhone, Windows and Android devices and features: • Over 2,800 Reusable Templates, Audit Programs, Questionnaires, and Control Matrices • Webinars focusing on fraud, data analytics, IT audit, and internal audit with free CPE for subscribers and site license users. • Audit guides, manuals, and books on audit basics and using audit technology • LinkedIn Networking Groups • Monthly Newsletters with Expert Guest Columnists • Surveys on timely topics for internal auditors Introductions Page 3 HOUSEKEEPING This webinar and its material are the property of AuditNet® and its Webinar partners. Unauthorized usage or recording of this webinar or any of its material is strictly forbidden. • If you logged in with another individual’s confirmation email you will not receive CPE as the confirmation login is linked to a specific individual • This Webinar is not eligible for viewing in a group setting. You must be logged in with your unique join link. • We are recording the webinar and you will be provided access to that recording after the webinar. Downloading or otherwise duplicating the webinar recording is expressly prohibited. • If you have indicated you would like CPE you must attend the entire Webinar to receive CPE (no partial CPE will be awarded). • If you meet the criteria for earning CPE you will receive a link via email to download your certificate. The official email for CPE will be issued via NoReply@gensend.io and it is important to white list this address. It is from this email that your CPE credit will be sent. There is a processing fee to have your CPE credit regenerated post event. • Submit questions via the chat box on your screen and we will answer them either during or at the conclusion. • You must answer the survey questions after the Webinar or before downloading your certificate. 3 4
1/20/2020 3 ABOUT RICHARD CASCARINO, MBA, CIA, CISM, CFE, CRMA • Principal of Richard Cascarino & Associates based in Colorado USA • Over 28 years experience in IT audit training and consultancy • Past President of the Institute of Internal Auditors in South Africa • Member of ISACA • Member of Association of Certified Fraud Examiners • Author of Data Analytics for Internal Auditors 5 TODAY’S AGENDA Page 6 Where are we now and Where are we going?  Current Cyberrisks  Data Breach and Cloud Misconfigurations  Shift in attack vectors  Insecure Application User Interface (API)  The growing impact of AI and ML  Malware Attack  Single factor passwords  Insider Threat  Shadow IT Systems  Crime, espionage and sabotage by rogue nation-states  IoT  CCPA and GDPR  Cyber attacks on utilities and public infrastructure 5 6
1/20/2020 4 ARCHITECTURE AND SERVICE DEFINITIONS Three Cloud Service Delivery Models: • 1. Infrastructure as a Service (IaaS) • 2. Platform as a Service (PaaS) • 3. Software as a Service (SaaS) Four Cloud Service Deployment Models • 1. Public • 2. Private • 3. Community • 4. Hybrid THREATS TO CLOUD COMPUTING Changes to business model Abusive use of cloud computing Insecure interfaces and API Malicious insiders Shared technology issues Data loss and leakage Service hijacking Risk profiling Identity theft 7 8
1/20/2020 5 REGULATORY COMPLIANCE Texas Business & Commerce Code FISMA NIST SP 800 – 122 FIPS 200 HIPAA / HITECH Act Payment Card Industry (PCI) GPDR (General Data Protection Regulation) ATTACKS ON CLOUD COMPUTING Zombie Attack Service injection attack Attacks on virtualization Man-in-the Middle attack Metadata spoofing Phishing Backdoor channel attack 9 10
1/20/2020 6 THE ATTACK VECTORS Any system Any infrastructure Any communication Any language Any architecture Any component Any information, any data Any physical layer Any logical layer Any storage device / facility Any (communication) channel Any interface Any encryption Any environment Any site (including DR) Any transaction Any log and audit trail Any archive Any process (operations, ongoing, development) CONTAINING DATA BREACHES  Need to Identify:  What type of data has been breached?  Is there any sensitive information?  How many people could be affected?  How many records? 11 12
1/20/2020 7 POLLING QUESTION DO YOU KNOW? • 75% of attacks today happen at the Application Layer (Gartner). • Many “easy hacking recipes” published on web. • Security holes in the web application layer can make a perfectly patched and firewalled server completely vulnerable. The cost and reputation savings of avoiding a security breach are “priceless” 13 14
1/20/2020 8 OWASP- TOP 10 VULNERABILITIES IN WEB APPLICATIONS • Injection : Injection attacks occur when the user is able to input untrusted data tricking the application/system to execute unintended commands. Injections can be – SQL queries, PHP queries, LDAP queries and OS commands. • Broken Authentication : Broken authentication occurs when the application mismanages session related information such that the user’s identity gets compromised. The information can be in the form of session cookies, passwords, secret keys etc. to either get into someone else’s session or use a session which has been ended by the user or steal session related information. • Sensitive data exposure : Attackers can sniff or modify the sensitive data if not handled securely by the application. A few examples include use if weak encryption keys, use of weak TLS. In order to identify sensitive data bits and exploit them. • XML External Entities (XXE) : An application is vulnerable to XXE attacks if it enabled users to upload a malicious XML which further exploits the vulnerable code and/or dependencies for example to execute code, steal data and perform other malicious tasks. OWASP- TOP 10 VULNERABILITIES IN WEB APPLICATIONS • Broken Access control : Applications have various account types depending on the users: admins, operators and reporting groups etc. One common problem is that the developers restrict the privileges just on the UI side and not on the server side. If exploited, each user can have admin rights. • Security misconfigurations : Developers and IT staff ensure functionality and not the security. Many of the security requirements get missed unless identified by experts or hackers. Security misconfigurations can include weak passwords, default passwords, default scripts stored on the servers, default directories, default error messages etc. • Cross Site Scripting (XSS) : Cross-site scripting occurs when an attacker is able to insert untrusted data/scripts into a web page. The data/scripts inserted by the attackers get executed in the browser can steal users data, deface websites etc. 15 16
1/20/2020 9 OWASP- TOP 10 VULNERABILITIES IN WEB APPLICATIONS • Insecure Deserialization : Many applications which rely on the client to maintain state may allow tampering of serialized data. • Using Components with known vulnerabilities : When components with known vulnerabilities are used by the application, this may lead to security breaches or server takeover. The components can be coding frameworks, libraries, vulnerable functions, network frameworks etc. • Insufficient logging and monitoring: Attacks still happen and get noticed only after an incident has happened. To ensure the malicious intent of the attackers gets noticed beforehand, it is essential to log all the activity and monitor it for any suspicious behavior. POLLING QUESTION 17 18
1/20/2020 10 AI and ML MACHINE LEARNING Algorithmic ways to “describe” data Supervised We are giving the system a lot of training data and it learns from that Unsupervised We give the system some kind of DEEP LEARNING A “newer” machine learning algorithm Eliminates the feature engineering step Explainability / verifiability issues DATA MINING Methods to explore data - automatically ARTIFICIAL INTELLIGENCE A program that doesn't simply classify or compute model parameters, but comes up with novel knowledge that a security analyst finds insightful.” ML IN SECURITY SUPERVISED Malware classification Deep learning on millions of samples - 400k new malware samples a day Has increased true positives and decreased false positives compared to traditional ML Spam identification Analyzing massive amounts of firewall data to predict and score malicious sources (IPs) UNSUPERVISED DNS analytics Domain name classification, lookup Threat Intelligence feed curation IOC prioritization, deduplication, … Tier 1 analyst automation Reducing workload from 600M raw events to User and Entity Behavior Analytics (UEBA) Uses mostly regular statistics and rule-based approaches * See Respond Software Inc. 19 20
1/20/2020 11 MALWARE ATTACKS  General misconception among people  Malware = “malicious software”  Malware is any kind of unwanted software that is installed without your consent on your computer.  Viruses, worms, Trojan horses, bombs, spyware, adware are subgroups of malware. VIRUS TYPES 22 Multipartite – a multi-part virus, a virus that attempts to attack both the boot sector and the executable, or program, files at the same time. When the virus attaches to the boot sector, it will in turn affect the system files, and when the virus attaches to the files, it will in turn infect the boot sector. Appending - A virus that inserts a copy of its malicious code at the end of the file. The goal of an appending virus is not to harm the host program, but to modify it to hold the virus code and then be able to run itself. Overwriting - A type of computer virus that will copy its own code over the host computer system's file data, which destroys the original program. After your computer system has been cleaned using an antivirus program, users will need to install the original program again. 21 22
1/20/2020 12 VIRUS TYPES 23 Polymorphic - A virus that changes its virus signature (i.e., its binary pattern) every time it replicates and infects a new file in order to keep from being detected by an antivirus program. Tunneling – A type of virus that attempts installation beneath the antivirus program by directly intercepting the interrupt handlers of the operating system to evade detection. Stealth – A computer virus that actively hides itself from antivirus software by either masking the size of the file that it hides in or temporarily removing itself from the infected file and placing a copy of itself in another location on the drive, replacing the infected file with an uninfected one that it has stored on the hard drive. VIRUS TYPES 24 Bimodal - Also called a Boot Sector Infector, a bimodal virus is one that infects both boot records and files on the computer system. Self-garbling - A type of computer virus that will attempt to hide from an antivirus program by garbling its own code. When a self-garbling virus propagates it will change the encoding of its own code to trick antivirus programs and stay hidden on the computer system. Memory resident - A virus that stays in memory after it executes and after its host program is terminated. In contrast, non-memory-resident viruses only are activated when an infected application runs. 23 24
1/20/2020 13 CLOUD ANTIVIRUS  New form of antivirus program  The virus scanning is done from a remote location(not on the computer).  Why this is so popular is because it relieves the physical computer resources.  Constant functionality (Nonstop scanning)  Security Issues TWO-FACTOR AUTHENTICATION OVERVIEW 26  Single Factor passwords  A major biometric hack shows the weakness of single-factor authentication  Two-factor authentication requires the use of two of the three authentication factors: Something only the user: 1. Knows (e.g. password, PIN, secret answer) 2. Has (e.g. ATM card, mobile phone, hard token) 3. Is (e.g. biometric – iris, fingerprint, etc.) 25 26
1/20/2020 14 POLLING QUESTION INSIDER THREATS Insider attacks account for as much as 80% of all computer and Internet related crimes [1] 70% of attacks causing at least $20,000 of damage are the direct result of malicious insiders Majority of insiders are privileged users and majority of attacks are launched from remote machines 27 28
1/20/2020 15 TYPICAL INSIDER THREATS Data corruption, deletion, and modification Leaking sensitive data Denial of service attacks Blackmail Theft of corporate data Etc. Etc. Etc INSIDER THREAT REMEDIATION Minimize the size of the user population to decrease the number of possible insiders Distribute trust amongst multiple parties to force collusion Most insiders act alone Question trust assumptions made in computing systems Treat the LAN like the WAN BroLAN, SANE, etc… Others? 29 30
1/20/2020 16 SHADOW IT SYSTEMS  Shadow IT  Unsanctioned apps or services in use  Shadow Data  Unmanaged content that users put into: sanctioned apps or services meant for other purposes or unsanctioned apps or services  In GDPR terms  Shadow IT = Technology environments where there is a lack of control over which personal data is handled by whom within the organization  Shadow Data in sanctioned apps / services may be processed out of policy  Shadow Data in unsanctioned apps / services cannot be accounted for SHADOW IT SYSTEMS More than 5,000 personal devices connect to enterprise networks every day with little or no endpoint security enabled in one of every three companies in the U.S., U.K., and Germany. More than 1,000 shadow IoT devices connect to enterprise networks every day in 30% of the U.S., U.K., and German companies. 12% of U.K. organizations are seeing more than 10,000 shadow IoT devices connect to their enterprise networks every day. Forbes 31 32
1/20/2020 17 RISKS ASSOCIATED WITH SHADOW IT  The organization loses control and visibility into the data migrated to Shadow IT systems.  The risks include:  security and regulatory noncompliance,  data leaks and inability to perform disaster recovery measures involving data in Shadow IT systems when required. CRIME, ESPIONAGE AND SABOTAGE BY ROGUE NATION-STATES  Utilities and Industrial Control Systems targeted with Ransomware  A Nation-State Launches a “Fire Sale” Attack  Attackers hold the Internet Hostage  US cyber security strategy is built around four tenets:  Protect the American People, the Homeland and the American Way of Life  Promote American Prosperity  Preserve Peace through Strength  Advance American Influence  More nations developing offensive cyber capabilities  Isolationist trade policies will incentivize nation states and corporate entities to steal trade secrets and use cyber tactics to disrupt government, critical infrastructure, and vital industries  China's Belt and Road Initiative to drive cyber espionage activity 33 34
1/20/2020 18 POLLING QUESTION Components of IoT  IoT consists of three principal components:  The things themselves that, in most cases, represent the devices or sensors with the ability to capture or produce data, and the time to create an effect on the environment in which they have some influence  The communications network that interconnects the things (this network connectivity, in most cases, is wireless)  The computing systems that process and use the data received and/or transmitted by the things, with, in most cases, a minimal computational capability  Source: https://www.isaca.org/journal/archives/2015/volume-2/pages/internet-of-things-offers-great-opportunities-and-much-risk.aspx 35 36
1/20/2020 19 GAO Highlights INTERNET OF THINGS RISKS What GAO Found The Internet of Things (IoT) is the set of Internet-capable devices, such as wearable fitness devices and smartphones, that interact with the physical environment and typically contain elements for sensing, communicating, processing, and actuating. Even as the IoT creates many benefits, it is important to acknowledge its emerging security implications. Highlights of GAO-17-668, a report to congressional committees IT Risk Areas Deserving Increased Focus IT Governance: Mission: The mission of IT is not aligned to protect the value of its existing assets and create new or future value. IT and Business Alignment: Corporations increasingly do not coordinate IT with business processes to realize their true value. Portfolio Management: The IT Portfolio is not reliable or adequately available. IT Risk Management: IT compliance with laws and regulations. 37 38
1/20/2020 20 IT Risk Areas Deserving Increased Focus Enterprise Security:  Security Configuration Management: Security administration processes are undefined.  Identity and Access Management: System Configurations are not in line with the security policy. Access to systems is not managed to ensure access is appropriately administered timely. Firewalls are not properly configured or monitored to prevent/detect unauthorized access and malicious attacks.  Security Penetration & Vulnerability Testing: Tools and techniques are not in place or not properly configured to periodically test and report to management.  Security Awareness & Training: Security notifications and training do not exist to make users aware of their responsibilities in securing corporate data.  Security Compliance: Management has not implemented a security compliance program to address regulatory requirements (HIPPA, GLBA, SOX, etc.)  Source: Deloitte IT Risk Awareness Presentation IT Risk Areas Deserving Increased Focus Crisis Management:  Business Impact Assessment: An enterprise-wide disaster recovery plan has not been prepared or is not based on a business impact assessment.  Communications / Crisis Management Plans: Management has not prepared or coordinated with cross-functional business units to ensure appropriate escalation and communication of crisis management (declaration and ongoing communication).  Service Level Agreements: Relationships with third party vendors do not exist to ensure IT operations continuity in case of disaster/crisis.  Insurance: Insurance agreements do not exist for the IT infrastructure or Business Impact  Site Reconstruction / Relocation: The disaster recovery plan does not contain a strategy to either rebuild or relocate IT operations permanently to ensure continuity in the case of total loss of production systems.  Disaster Recovery Testing: Management has not periodically tested the disaster recovery plan or has not documented results and incorporated improvements into the disaster recovery plans. Source: Deloitte IT Risk Awareness Presentation 39 40
1/20/2020 21 POLLING QUESTION MORE LEGISLATION  California Consumer Privacy Act Ma  State statute intended to enhance privacy rights and consumer protection for residents of California  Took effect on January 1, 2020 Six Statutory rights: 1.To be provided with information on what personal information is collected about them and the purposes for which that personal information is used. 2. To be provided with information on what personal information is sold or disclosed for a business purpose and to whom. 3. To opt out of the sale of their personal information to third parties (or in the case of minors under age 16, to require an opt in before the sale of their personal information). 4. To request the deletion of their personal information. 5. Not to be subject to discrimination for exercising any of the above rights, including being denied goods or services or being charged a different price, or being subjected to a lower level of quality, of such goods or services. 6. To seek statutory damages of $100 to $750 for breaches of unencrypted personal information that arise as a result of a business’ violation of its duty to implement and maintain reasonable security procedures.  41 42
1/20/2020 22 APPLIES TO  For profit business entities in CA that:  Gross revenue of 25 million dollar or more  Receives or share more then 50,000 consumers, households, or devices  More than 50% of revenue from the sale of PHI Exception for HIPAA, CMIA ( California Medical Information Act), GLBA (Gramm Leach Bliley Act ) statues REQUIREMENTS  Business required to post details on website or other public means how they’re using or not using consumer data for rolling 12 months and opt out instructions  Businesses will have to develop processes and procedures to accommodate all consumer rights including data mapping / access reports  Requirements for businesses to reasonably safeguard consumer data  Significant damage implications for business if fail to comply (enforced by CA AG)  Consumers have a private right of action but it’s limited ($100 to $750 per violation)  Fines for business $7500 per violation 43 44
1/20/2020 23 WHAT IS GDPR? On 4 May 2016, the EU Regulation on Data Protection (GDPR) was published in the Official Journal of the European Union The GDPR entered into force on 24 May 2016 to replace the former 1995 EU Data Protection Directive and create a harmonized data protection law across Europe To more effectively manage data on their customers, employees, contacts and any other relevant persons WHAT IS DATA PROTECTION? Data Protection is about avoiding harm to individuals by misusing or mismanaging their personal data. So if you collect, use, or store personal data then the Data Protection Act applies to you. It sets out eight principles you have to adhere to, which include: Only collect information for specific purposes and don’t then use it for other purposes Only collect what you need for the specific purpose Keep it accurate and up to date; and safe and secure Process information lawfully and allow subject access in line with the Act. 45 46
1/20/2020 24 GDPR & WHY IT’S IMPORTANT Why is it important? Significant impact for organisations and how they manage data with some potentially very large penalties for violations – 4% of global revenues Impacts the storage, processing, access, transfer, and disclosure of an individual’s data records Who is affected? These protections apply to any organisation (anywhere in the world) that processes the personal data of EU data subjects POLLING QUESTION 47 48
1/20/2020 25 CYBER ATTACKS ON UTILITIES AND PUBLIC INFRASTRUCTURE We are increasingly dependent on the Internet: Directly Communication (Email, IM, VoIP) Commerce (business, banking, e-commerce, etc) Control systems (public utilities, etc) Information and entertainment Sensitive data stored on the Internet Indirectly Biz, Edu, Gov have permanently replaced physical/manual processes with Internet-based processes CYBERSECURITY ROADBLOCKS No metrics to measure (in)security Internet is inherently international Private sector owns most of the infrastructure “Cybersecurity Gap”: a cost/incentive disconnect?  Businesses will pay to meet business imperatives  Who’s going to pay to meet national security imperatives? 49 50
1/20/2020 26 CORPORATE VS NATIONAL corporate cybersecurity = availability, integrity and secrecy of information systems and networks in the face of attacks, accidents and failures with the goal of protecting a corporation’s operations and assets national cybersecurity = availability, integrity and secrecy of the information systems and networks in the face of attacks, accidents and failures with the goal of protecting a nation’s operations and assets (preventing an electronic Pearl Harbour) National Infrastructure Protection Plan (NIPP) From DHS THE NIPP PROVIDES A STRATEGIC CONTEXT FOR INFRASTRUCTURE PROTECTION/RESILIENCY 52  Dynamic threat environment  Natural Disasters  Terrorists  Accidents  Cyber Attacks  A complex problem, requiring a national plan and organizing framework  18 Sectors, all different, ranging from asset-focused to systems and networks  Outside regulatory space (very few security-focused regimes)  85% privately owned  100% in State and local jurisdictions 51 52
1/20/2020 27 CRITICAL INFRASTRUCTURE & KEY RESOURCES (CIKR) 53 Critical Infrastructure: Systems and assets, whether physical or virtual, so vital to the United States that the incapacitation or destruction of such systems and assets would have a debilitating impact on national security, national economic security, public health or safety, or any combination of those matters Key Resources: Publicly or privately controlled resources essential to the minimal operations of the economy or government Why is CIKR Protection Important? Essential to the Nation’s security, public health and safety, economic vitality, and way of life QUESTIONS? Any Questions? Don’t be Shy! 53 54
1/20/2020 28 AUDITNET® AND CRISK ACADEMY • If you would like forever access to this webinar recording • If you are watching the recording, and would like to obtain CPE credit for this webinar • Previous AuditNet® webinars are also available on-demand for CPE credit http://criskacademy.com http://ondemand.criskacademy.com Use coupon code: 50OFF for a discount on this webinar for one week THANK YOU! Page 56 Jim Kaplan AuditNet® LLC 1-800-385-1625 Email:info@auditnet.org www.auditnet.org Follow Me on Twitter for Special Offers - @auditnet Join my LinkedIn Group – https://www.linkedin.com/groups/44252/ Like my Facebook business page https://www.facebook.com/pg/AuditNetLLC Richard Cascarino & Associates Cell: +1 970 819 7963 Tel +1 303 747 6087 (Skype Worldwide) Tel: +1 970 367 5429 eMail: rcasc@rcascarino.com Web: http://www.rcascarino.com Skype: Richard.Cascarino 55 56

More Related Content

PDF
Implementing and Auditing GDPR Series (2 of 10)
Jim Kaplan CIA CFE
 
PDF
Driving More Value With Automated Analytics
Jim Kaplan CIA CFE
 
PDF
GDPR Series Session 4
Jim Kaplan CIA CFE
 
PDF
How to use ai apps to unleash the power of your audit program
Jim Kaplan CIA CFE
 
PDF
Cybersecurity Slides
Jim Kaplan CIA CFE
 
PDF
Implementing and Auditing GDPR Series (3 of 10)
Jim Kaplan CIA CFE
 
PDF
Implementing and Auditing General Data Protection Regulation
Jim Kaplan CIA CFE
 
PDF
Implementing and Auditing GDPR Series (8 of 10)
Jim Kaplan CIA CFE
 
Implementing and Auditing GDPR Series (2 of 10)
Jim Kaplan CIA CFE
 
Driving More Value With Automated Analytics
Jim Kaplan CIA CFE
 
GDPR Series Session 4
Jim Kaplan CIA CFE
 
How to use ai apps to unleash the power of your audit program
Jim Kaplan CIA CFE
 
Cybersecurity Slides
Jim Kaplan CIA CFE
 
Implementing and Auditing GDPR Series (3 of 10)
Jim Kaplan CIA CFE
 
Implementing and Auditing General Data Protection Regulation
Jim Kaplan CIA CFE
 
Implementing and Auditing GDPR Series (8 of 10)
Jim Kaplan CIA CFE
 

What's hot (18)

PDF
CyberSecurity Update Slides
Jim Kaplan CIA CFE
 
PDF
Is Your Audit Department Highly Effective?
Jim Kaplan CIA CFE
 
PDF
Ethics for internal auditors
Jim Kaplan CIA CFE
 
PDF
When is a Duplicate not a Duplicate? Detecting Errors and Fraud
Jim Kaplan CIA CFE
 
PDF
Implementing and Auditing General Data Protection Regulation
Jim Kaplan CIA CFE
 
PDF
General Data Protection Regulation for Auditors 5 of 10
Jim Kaplan CIA CFE
 
PDF
Focused agile audit planning using analytics
Jim Kaplan CIA CFE
 
PPTX
Tracking down outliers
Jim Kaplan CIA CFE
 
PPTX
Implementing and Auditing GDPR Series (9 of 10)
Jim Kaplan CIA CFE
 
PPTX
Data breach presentation
Bradford Bach
 
PPTX
Defensible cybersecurity-jan-25th-
IT Strategy Group
 
PDF
Security and Privacy: What Nonprofits Need to Know
TechSoup
 
PDF
Five strategies for gdpr compliance
Peter Goldbrunner
 
PDF
2014 ota databreach3
Meg Weber
 
PDF
How to safe your company from having a security breach
Baltimax
 
PDF
PGConf APAC 2018: Sponsored Talk by Fujitsu - The growing mandatory requireme...
PGConf APAC
 
PDF
The growing mandatory requirements to protect data- secure PostgreSQL
Rajni Baliyan
 
PDF
Protecting Your Business From Cyber Risks
This account is closed
 
CyberSecurity Update Slides
Jim Kaplan CIA CFE
 
Is Your Audit Department Highly Effective?
Jim Kaplan CIA CFE
 
Ethics for internal auditors
Jim Kaplan CIA CFE
 
When is a Duplicate not a Duplicate? Detecting Errors and Fraud
Jim Kaplan CIA CFE
 
Implementing and Auditing General Data Protection Regulation
Jim Kaplan CIA CFE
 
General Data Protection Regulation for Auditors 5 of 10
Jim Kaplan CIA CFE
 
Focused agile audit planning using analytics
Jim Kaplan CIA CFE
 
Tracking down outliers
Jim Kaplan CIA CFE
 
Implementing and Auditing GDPR Series (9 of 10)
Jim Kaplan CIA CFE
 
Data breach presentation
Bradford Bach
 
Defensible cybersecurity-jan-25th-
IT Strategy Group
 
Security and Privacy: What Nonprofits Need to Know
TechSoup
 
Five strategies for gdpr compliance
Peter Goldbrunner
 
2014 ota databreach3
Meg Weber
 
How to safe your company from having a security breach
Baltimax
 
PGConf APAC 2018: Sponsored Talk by Fujitsu - The growing mandatory requireme...
PGConf APAC
 
The growing mandatory requirements to protect data- secure PostgreSQL
Rajni Baliyan
 
Protecting Your Business From Cyber Risks
This account is closed
 
Ad

Similar to Cybersecurity update 12 (20)

PDF
Cyber security series Application Security
Jim Kaplan CIA CFE
 
PPTX
Add-Structure-and-Credibility-to-Your-Security-Portfolio-with-CIS-Controls-v8...
hoang971
 
PPTX
00. introduction to app sec v3
Eoin Keary
 
PDF
Luncheon 2015-11-19 - Lessons Learned from Avid Life Media by Rob Davis
North Texas Chapter of the ISSA
 
PDF
Cyber security series advanced persistent threats
Jim Kaplan CIA CFE
 
PDF
Secure coding guidelines
Zakaria SMAHI
 
PPTX
IBM Relay 2015: Securing the Future
IBM
 
PDF
Application Security Testing for Software Engineers: An approach to build sof...
Michael Hidalgo
 
PPTX
CS5300 class presentation on managing information systems
zenhubris
 
PPTX
Web_Appication_Security_Training_For_Developers.pptx
xobewe1102
 
PPTX
Web Security Overview
Noah Jaehnert
 
PPTX
How Does a Data Breach Happen?
Claranet UK
 
PDF
Scalar Security Roadshow April 2015
Scalar Decisions
 
PPTX
Fragments-Plug the vulnerabilities in your App
Appsecco
 
PDF
Digitalstakeout Scout Overview
DigitalStakeout
 
PDF
CyberSecurity Series Malware slides
Jim Kaplan CIA CFE
 
PPTX
Network security, seriously?
Peter Wood
 
PPTX
New Horizons SCYBER Presentation
New Horizons Computer Learning Centers / 5PE
 
PDF
Expand Your Control of Access to IBM i Systems and Data
Precisely
 
PPTX
Application Security-Understanding The Horizon
Lalit Kale
 
Cyber security series Application Security
Jim Kaplan CIA CFE
 
Add-Structure-and-Credibility-to-Your-Security-Portfolio-with-CIS-Controls-v8...
hoang971
 
00. introduction to app sec v3
Eoin Keary
 
Luncheon 2015-11-19 - Lessons Learned from Avid Life Media by Rob Davis
North Texas Chapter of the ISSA
 
Cyber security series advanced persistent threats
Jim Kaplan CIA CFE
 
Secure coding guidelines
Zakaria SMAHI
 
IBM Relay 2015: Securing the Future
IBM
 
Application Security Testing for Software Engineers: An approach to build sof...
Michael Hidalgo
 
CS5300 class presentation on managing information systems
zenhubris
 
Web_Appication_Security_Training_For_Developers.pptx
xobewe1102
 
Web Security Overview
Noah Jaehnert
 
How Does a Data Breach Happen?
Claranet UK
 
Scalar Security Roadshow April 2015
Scalar Decisions
 
Fragments-Plug the vulnerabilities in your App
Appsecco
 
Digitalstakeout Scout Overview
DigitalStakeout
 
CyberSecurity Series Malware slides
Jim Kaplan CIA CFE
 
Network security, seriously?
Peter Wood
 
New Horizons SCYBER Presentation
New Horizons Computer Learning Centers / 5PE
 
Expand Your Control of Access to IBM i Systems and Data
Precisely
 
Application Security-Understanding The Horizon
Lalit Kale
 
Ad

More from Jim Kaplan CIA CFE (13)

PDF
Enhanced fraud detection with data analytics
Jim Kaplan CIA CFE
 
PDF
mplementing and Auditing GDPR Series (10 of 10)
Jim Kaplan CIA CFE
 
PDF
Touchstone Research for Internal Audit 2020 – A Look at the Now and Tomorrow ...
Jim Kaplan CIA CFE
 
PDF
How to detect fraud like a pro detective slides
Jim Kaplan CIA CFE
 
PDF
How to get auditors performing basic analytics using excel
Jim Kaplan CIA CFE
 
PDF
General Data Protection Regulation Webinar 6
Jim Kaplan CIA CFE
 
PDF
Ethics and the Internal Auditor
Jim Kaplan CIA CFE
 
PDF
How analytics should be used in controls testing instead of sampling
Jim Kaplan CIA CFE
 
PDF
How analytics should be used in controls testing instead of sampling
Jim Kaplan CIA CFE
 
PPTX
Ethics for Internal Auditors
Jim Kaplan CIA CFE
 
PDF
Building and Striving for Data Analytics Excellence
Jim Kaplan CIA CFE
 
PDF
The Future of Auditing and Fraud Detection
Jim Kaplan CIA CFE
 
PDF
Structuring your organization for success with data analytics
Jim Kaplan CIA CFE
 
Enhanced fraud detection with data analytics
Jim Kaplan CIA CFE
 
mplementing and Auditing GDPR Series (10 of 10)
Jim Kaplan CIA CFE
 
Touchstone Research for Internal Audit 2020 – A Look at the Now and Tomorrow ...
Jim Kaplan CIA CFE
 
How to detect fraud like a pro detective slides
Jim Kaplan CIA CFE
 
How to get auditors performing basic analytics using excel
Jim Kaplan CIA CFE
 
General Data Protection Regulation Webinar 6
Jim Kaplan CIA CFE
 
Ethics and the Internal Auditor
Jim Kaplan CIA CFE
 
How analytics should be used in controls testing instead of sampling
Jim Kaplan CIA CFE
 
How analytics should be used in controls testing instead of sampling
Jim Kaplan CIA CFE
 
Ethics for Internal Auditors
Jim Kaplan CIA CFE
 
Building and Striving for Data Analytics Excellence
Jim Kaplan CIA CFE
 
The Future of Auditing and Fraud Detection
Jim Kaplan CIA CFE
 
Structuring your organization for success with data analytics
Jim Kaplan CIA CFE
 

Recently uploaded (20)

PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
Modernizing your data center with Dell and AMD
Principled Technologies
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PPTX
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PDF
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
KodekX | Application Modernization Development
KodekX
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Modernizing your data center with Dell and AMD
Principled Technologies
 
A Presentation on Artificial Intelligence
memembruh336
 
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Teaching material agriculture food technology
LiaRayya
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Approach and Philosophy of On baking technology
30anthuong17
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
KodekX | Application Modernization Development
KodekX
 

Cybersecurity update 12

  • 1. 1/20/2020 1 Richard Cascarino CISM, CIA, ACFE, CRMA Cybersecurity Series 2019 Update 2 About Jim Kaplan, CIA, CFE  President and Founder of AuditNet®, the global resource for auditors (available on iOS, Android and Windows devices)  Auditor, Web Site Guru,  Internet for Auditors Pioneer  IIA Bradford Cadmus Memorial Award Recipient  Local Government Auditor’s Lifetime Award  Author of “The Auditor’s Guide to Internet Resources” 2nd Edition Page 2 1 2
  • 2. 1/20/2020 2 ABOUT AUDITNET® LLC • AuditNet®, the global resource for auditors, serves the global audit community as the primary resource for Web-based auditing content. As the first online audit portal, AuditNet® has been at the forefront of websites dedicated to promoting the use of audit technology. • Available on the Web, iPad, iPhone, Windows and Android devices and features: • Over 2,800 Reusable Templates, Audit Programs, Questionnaires, and Control Matrices • Webinars focusing on fraud, data analytics, IT audit, and internal audit with free CPE for subscribers and site license users. • Audit guides, manuals, and books on audit basics and using audit technology • LinkedIn Networking Groups • Monthly Newsletters with Expert Guest Columnists • Surveys on timely topics for internal auditors Introductions Page 3 HOUSEKEEPING This webinar and its material are the property of AuditNet® and its Webinar partners. Unauthorized usage or recording of this webinar or any of its material is strictly forbidden. • If you logged in with another individual’s confirmation email you will not receive CPE as the confirmation login is linked to a specific individual • This Webinar is not eligible for viewing in a group setting. You must be logged in with your unique join link. • We are recording the webinar and you will be provided access to that recording after the webinar. Downloading or otherwise duplicating the webinar recording is expressly prohibited. • If you have indicated you would like CPE you must attend the entire Webinar to receive CPE (no partial CPE will be awarded). • If you meet the criteria for earning CPE you will receive a link via email to download your certificate. The official email for CPE will be issued via NoReply@gensend.io and it is important to white list this address. It is from this email that your CPE credit will be sent. There is a processing fee to have your CPE credit regenerated post event. • Submit questions via the chat box on your screen and we will answer them either during or at the conclusion. • You must answer the survey questions after the Webinar or before downloading your certificate. 3 4
  • 3. 1/20/2020 3 ABOUT RICHARD CASCARINO, MBA, CIA, CISM, CFE, CRMA • Principal of Richard Cascarino & Associates based in Colorado USA • Over 28 years experience in IT audit training and consultancy • Past President of the Institute of Internal Auditors in South Africa • Member of ISACA • Member of Association of Certified Fraud Examiners • Author of Data Analytics for Internal Auditors 5 TODAY’S AGENDA Page 6 Where are we now and Where are we going?  Current Cyberrisks  Data Breach and Cloud Misconfigurations  Shift in attack vectors  Insecure Application User Interface (API)  The growing impact of AI and ML  Malware Attack  Single factor passwords  Insider Threat  Shadow IT Systems  Crime, espionage and sabotage by rogue nation-states  IoT  CCPA and GDPR  Cyber attacks on utilities and public infrastructure 5 6
  • 4. 1/20/2020 4 ARCHITECTURE AND SERVICE DEFINITIONS Three Cloud Service Delivery Models: • 1. Infrastructure as a Service (IaaS) • 2. Platform as a Service (PaaS) • 3. Software as a Service (SaaS) Four Cloud Service Deployment Models • 1. Public • 2. Private • 3. Community • 4. Hybrid THREATS TO CLOUD COMPUTING Changes to business model Abusive use of cloud computing Insecure interfaces and API Malicious insiders Shared technology issues Data loss and leakage Service hijacking Risk profiling Identity theft 7 8
  • 5. 1/20/2020 5 REGULATORY COMPLIANCE Texas Business & Commerce Code FISMA NIST SP 800 – 122 FIPS 200 HIPAA / HITECH Act Payment Card Industry (PCI) GPDR (General Data Protection Regulation) ATTACKS ON CLOUD COMPUTING Zombie Attack Service injection attack Attacks on virtualization Man-in-the Middle attack Metadata spoofing Phishing Backdoor channel attack 9 10
  • 6. 1/20/2020 6 THE ATTACK VECTORS Any system Any infrastructure Any communication Any language Any architecture Any component Any information, any data Any physical layer Any logical layer Any storage device / facility Any (communication) channel Any interface Any encryption Any environment Any site (including DR) Any transaction Any log and audit trail Any archive Any process (operations, ongoing, development) CONTAINING DATA BREACHES  Need to Identify:  What type of data has been breached?  Is there any sensitive information?  How many people could be affected?  How many records? 11 12
  • 7. 1/20/2020 7 POLLING QUESTION DO YOU KNOW? • 75% of attacks today happen at the Application Layer (Gartner). • Many “easy hacking recipes” published on web. • Security holes in the web application layer can make a perfectly patched and firewalled server completely vulnerable. The cost and reputation savings of avoiding a security breach are “priceless” 13 14
  • 8. 1/20/2020 8 OWASP- TOP 10 VULNERABILITIES IN WEB APPLICATIONS • Injection : Injection attacks occur when the user is able to input untrusted data tricking the application/system to execute unintended commands. Injections can be – SQL queries, PHP queries, LDAP queries and OS commands. • Broken Authentication : Broken authentication occurs when the application mismanages session related information such that the user’s identity gets compromised. The information can be in the form of session cookies, passwords, secret keys etc. to either get into someone else’s session or use a session which has been ended by the user or steal session related information. • Sensitive data exposure : Attackers can sniff or modify the sensitive data if not handled securely by the application. A few examples include use if weak encryption keys, use of weak TLS. In order to identify sensitive data bits and exploit them. • XML External Entities (XXE) : An application is vulnerable to XXE attacks if it enabled users to upload a malicious XML which further exploits the vulnerable code and/or dependencies for example to execute code, steal data and perform other malicious tasks. OWASP- TOP 10 VULNERABILITIES IN WEB APPLICATIONS • Broken Access control : Applications have various account types depending on the users: admins, operators and reporting groups etc. One common problem is that the developers restrict the privileges just on the UI side and not on the server side. If exploited, each user can have admin rights. • Security misconfigurations : Developers and IT staff ensure functionality and not the security. Many of the security requirements get missed unless identified by experts or hackers. Security misconfigurations can include weak passwords, default passwords, default scripts stored on the servers, default directories, default error messages etc. • Cross Site Scripting (XSS) : Cross-site scripting occurs when an attacker is able to insert untrusted data/scripts into a web page. The data/scripts inserted by the attackers get executed in the browser can steal users data, deface websites etc. 15 16
  • 9. 1/20/2020 9 OWASP- TOP 10 VULNERABILITIES IN WEB APPLICATIONS • Insecure Deserialization : Many applications which rely on the client to maintain state may allow tampering of serialized data. • Using Components with known vulnerabilities : When components with known vulnerabilities are used by the application, this may lead to security breaches or server takeover. The components can be coding frameworks, libraries, vulnerable functions, network frameworks etc. • Insufficient logging and monitoring: Attacks still happen and get noticed only after an incident has happened. To ensure the malicious intent of the attackers gets noticed beforehand, it is essential to log all the activity and monitor it for any suspicious behavior. POLLING QUESTION 17 18
  • 10. 1/20/2020 10 AI and ML MACHINE LEARNING Algorithmic ways to “describe” data Supervised We are giving the system a lot of training data and it learns from that Unsupervised We give the system some kind of DEEP LEARNING A “newer” machine learning algorithm Eliminates the feature engineering step Explainability / verifiability issues DATA MINING Methods to explore data - automatically ARTIFICIAL INTELLIGENCE A program that doesn't simply classify or compute model parameters, but comes up with novel knowledge that a security analyst finds insightful.” ML IN SECURITY SUPERVISED Malware classification Deep learning on millions of samples - 400k new malware samples a day Has increased true positives and decreased false positives compared to traditional ML Spam identification Analyzing massive amounts of firewall data to predict and score malicious sources (IPs) UNSUPERVISED DNS analytics Domain name classification, lookup Threat Intelligence feed curation IOC prioritization, deduplication, … Tier 1 analyst automation Reducing workload from 600M raw events to User and Entity Behavior Analytics (UEBA) Uses mostly regular statistics and rule-based approaches * See Respond Software Inc. 19 20
  • 11. 1/20/2020 11 MALWARE ATTACKS  General misconception among people  Malware = “malicious software”  Malware is any kind of unwanted software that is installed without your consent on your computer.  Viruses, worms, Trojan horses, bombs, spyware, adware are subgroups of malware. VIRUS TYPES 22 Multipartite – a multi-part virus, a virus that attempts to attack both the boot sector and the executable, or program, files at the same time. When the virus attaches to the boot sector, it will in turn affect the system files, and when the virus attaches to the files, it will in turn infect the boot sector. Appending - A virus that inserts a copy of its malicious code at the end of the file. The goal of an appending virus is not to harm the host program, but to modify it to hold the virus code and then be able to run itself. Overwriting - A type of computer virus that will copy its own code over the host computer system's file data, which destroys the original program. After your computer system has been cleaned using an antivirus program, users will need to install the original program again. 21 22
  • 12. 1/20/2020 12 VIRUS TYPES 23 Polymorphic - A virus that changes its virus signature (i.e., its binary pattern) every time it replicates and infects a new file in order to keep from being detected by an antivirus program. Tunneling – A type of virus that attempts installation beneath the antivirus program by directly intercepting the interrupt handlers of the operating system to evade detection. Stealth – A computer virus that actively hides itself from antivirus software by either masking the size of the file that it hides in or temporarily removing itself from the infected file and placing a copy of itself in another location on the drive, replacing the infected file with an uninfected one that it has stored on the hard drive. VIRUS TYPES 24 Bimodal - Also called a Boot Sector Infector, a bimodal virus is one that infects both boot records and files on the computer system. Self-garbling - A type of computer virus that will attempt to hide from an antivirus program by garbling its own code. When a self-garbling virus propagates it will change the encoding of its own code to trick antivirus programs and stay hidden on the computer system. Memory resident - A virus that stays in memory after it executes and after its host program is terminated. In contrast, non-memory-resident viruses only are activated when an infected application runs. 23 24
  • 13. 1/20/2020 13 CLOUD ANTIVIRUS  New form of antivirus program  The virus scanning is done from a remote location(not on the computer).  Why this is so popular is because it relieves the physical computer resources.  Constant functionality (Nonstop scanning)  Security Issues TWO-FACTOR AUTHENTICATION OVERVIEW 26  Single Factor passwords  A major biometric hack shows the weakness of single-factor authentication  Two-factor authentication requires the use of two of the three authentication factors: Something only the user: 1. Knows (e.g. password, PIN, secret answer) 2. Has (e.g. ATM card, mobile phone, hard token) 3. Is (e.g. biometric – iris, fingerprint, etc.) 25 26
  • 14. 1/20/2020 14 POLLING QUESTION INSIDER THREATS Insider attacks account for as much as 80% of all computer and Internet related crimes [1] 70% of attacks causing at least $20,000 of damage are the direct result of malicious insiders Majority of insiders are privileged users and majority of attacks are launched from remote machines 27 28
  • 15. 1/20/2020 15 TYPICAL INSIDER THREATS Data corruption, deletion, and modification Leaking sensitive data Denial of service attacks Blackmail Theft of corporate data Etc. Etc. Etc INSIDER THREAT REMEDIATION Minimize the size of the user population to decrease the number of possible insiders Distribute trust amongst multiple parties to force collusion Most insiders act alone Question trust assumptions made in computing systems Treat the LAN like the WAN BroLAN, SANE, etc… Others? 29 30
  • 16. 1/20/2020 16 SHADOW IT SYSTEMS  Shadow IT  Unsanctioned apps or services in use  Shadow Data  Unmanaged content that users put into: sanctioned apps or services meant for other purposes or unsanctioned apps or services  In GDPR terms  Shadow IT = Technology environments where there is a lack of control over which personal data is handled by whom within the organization  Shadow Data in sanctioned apps / services may be processed out of policy  Shadow Data in unsanctioned apps / services cannot be accounted for SHADOW IT SYSTEMS More than 5,000 personal devices connect to enterprise networks every day with little or no endpoint security enabled in one of every three companies in the U.S., U.K., and Germany. More than 1,000 shadow IoT devices connect to enterprise networks every day in 30% of the U.S., U.K., and German companies. 12% of U.K. organizations are seeing more than 10,000 shadow IoT devices connect to their enterprise networks every day. Forbes 31 32
  • 17. 1/20/2020 17 RISKS ASSOCIATED WITH SHADOW IT  The organization loses control and visibility into the data migrated to Shadow IT systems.  The risks include:  security and regulatory noncompliance,  data leaks and inability to perform disaster recovery measures involving data in Shadow IT systems when required. CRIME, ESPIONAGE AND SABOTAGE BY ROGUE NATION-STATES  Utilities and Industrial Control Systems targeted with Ransomware  A Nation-State Launches a “Fire Sale” Attack  Attackers hold the Internet Hostage  US cyber security strategy is built around four tenets:  Protect the American People, the Homeland and the American Way of Life  Promote American Prosperity  Preserve Peace through Strength  Advance American Influence  More nations developing offensive cyber capabilities  Isolationist trade policies will incentivize nation states and corporate entities to steal trade secrets and use cyber tactics to disrupt government, critical infrastructure, and vital industries  China's Belt and Road Initiative to drive cyber espionage activity 33 34
  • 18. 1/20/2020 18 POLLING QUESTION Components of IoT  IoT consists of three principal components:  The things themselves that, in most cases, represent the devices or sensors with the ability to capture or produce data, and the time to create an effect on the environment in which they have some influence  The communications network that interconnects the things (this network connectivity, in most cases, is wireless)  The computing systems that process and use the data received and/or transmitted by the things, with, in most cases, a minimal computational capability  Source: https://www.isaca.org/journal/archives/2015/volume-2/pages/internet-of-things-offers-great-opportunities-and-much-risk.aspx 35 36
  • 19. 1/20/2020 19 GAO Highlights INTERNET OF THINGS RISKS What GAO Found The Internet of Things (IoT) is the set of Internet-capable devices, such as wearable fitness devices and smartphones, that interact with the physical environment and typically contain elements for sensing, communicating, processing, and actuating. Even as the IoT creates many benefits, it is important to acknowledge its emerging security implications. Highlights of GAO-17-668, a report to congressional committees IT Risk Areas Deserving Increased Focus IT Governance: Mission: The mission of IT is not aligned to protect the value of its existing assets and create new or future value. IT and Business Alignment: Corporations increasingly do not coordinate IT with business processes to realize their true value. Portfolio Management: The IT Portfolio is not reliable or adequately available. IT Risk Management: IT compliance with laws and regulations. 37 38
  • 20. 1/20/2020 20 IT Risk Areas Deserving Increased Focus Enterprise Security:  Security Configuration Management: Security administration processes are undefined.  Identity and Access Management: System Configurations are not in line with the security policy. Access to systems is not managed to ensure access is appropriately administered timely. Firewalls are not properly configured or monitored to prevent/detect unauthorized access and malicious attacks.  Security Penetration & Vulnerability Testing: Tools and techniques are not in place or not properly configured to periodically test and report to management.  Security Awareness & Training: Security notifications and training do not exist to make users aware of their responsibilities in securing corporate data.  Security Compliance: Management has not implemented a security compliance program to address regulatory requirements (HIPPA, GLBA, SOX, etc.)  Source: Deloitte IT Risk Awareness Presentation IT Risk Areas Deserving Increased Focus Crisis Management:  Business Impact Assessment: An enterprise-wide disaster recovery plan has not been prepared or is not based on a business impact assessment.  Communications / Crisis Management Plans: Management has not prepared or coordinated with cross-functional business units to ensure appropriate escalation and communication of crisis management (declaration and ongoing communication).  Service Level Agreements: Relationships with third party vendors do not exist to ensure IT operations continuity in case of disaster/crisis.  Insurance: Insurance agreements do not exist for the IT infrastructure or Business Impact  Site Reconstruction / Relocation: The disaster recovery plan does not contain a strategy to either rebuild or relocate IT operations permanently to ensure continuity in the case of total loss of production systems.  Disaster Recovery Testing: Management has not periodically tested the disaster recovery plan or has not documented results and incorporated improvements into the disaster recovery plans. Source: Deloitte IT Risk Awareness Presentation 39 40
  • 21. 1/20/2020 21 POLLING QUESTION MORE LEGISLATION  California Consumer Privacy Act Ma  State statute intended to enhance privacy rights and consumer protection for residents of California  Took effect on January 1, 2020 Six Statutory rights: 1.To be provided with information on what personal information is collected about them and the purposes for which that personal information is used. 2. To be provided with information on what personal information is sold or disclosed for a business purpose and to whom. 3. To opt out of the sale of their personal information to third parties (or in the case of minors under age 16, to require an opt in before the sale of their personal information). 4. To request the deletion of their personal information. 5. Not to be subject to discrimination for exercising any of the above rights, including being denied goods or services or being charged a different price, or being subjected to a lower level of quality, of such goods or services. 6. To seek statutory damages of $100 to $750 for breaches of unencrypted personal information that arise as a result of a business’ violation of its duty to implement and maintain reasonable security procedures.  41 42
  • 22. 1/20/2020 22 APPLIES TO  For profit business entities in CA that:  Gross revenue of 25 million dollar or more  Receives or share more then 50,000 consumers, households, or devices  More than 50% of revenue from the sale of PHI Exception for HIPAA, CMIA ( California Medical Information Act), GLBA (Gramm Leach Bliley Act ) statues REQUIREMENTS  Business required to post details on website or other public means how they’re using or not using consumer data for rolling 12 months and opt out instructions  Businesses will have to develop processes and procedures to accommodate all consumer rights including data mapping / access reports  Requirements for businesses to reasonably safeguard consumer data  Significant damage implications for business if fail to comply (enforced by CA AG)  Consumers have a private right of action but it’s limited ($100 to $750 per violation)  Fines for business $7500 per violation 43 44
  • 23. 1/20/2020 23 WHAT IS GDPR? On 4 May 2016, the EU Regulation on Data Protection (GDPR) was published in the Official Journal of the European Union The GDPR entered into force on 24 May 2016 to replace the former 1995 EU Data Protection Directive and create a harmonized data protection law across Europe To more effectively manage data on their customers, employees, contacts and any other relevant persons WHAT IS DATA PROTECTION? Data Protection is about avoiding harm to individuals by misusing or mismanaging their personal data. So if you collect, use, or store personal data then the Data Protection Act applies to you. It sets out eight principles you have to adhere to, which include: Only collect information for specific purposes and don’t then use it for other purposes Only collect what you need for the specific purpose Keep it accurate and up to date; and safe and secure Process information lawfully and allow subject access in line with the Act. 45 46
  • 24. 1/20/2020 24 GDPR & WHY IT’S IMPORTANT Why is it important? Significant impact for organisations and how they manage data with some potentially very large penalties for violations – 4% of global revenues Impacts the storage, processing, access, transfer, and disclosure of an individual’s data records Who is affected? These protections apply to any organisation (anywhere in the world) that processes the personal data of EU data subjects POLLING QUESTION 47 48
  • 25. 1/20/2020 25 CYBER ATTACKS ON UTILITIES AND PUBLIC INFRASTRUCTURE We are increasingly dependent on the Internet: Directly Communication (Email, IM, VoIP) Commerce (business, banking, e-commerce, etc) Control systems (public utilities, etc) Information and entertainment Sensitive data stored on the Internet Indirectly Biz, Edu, Gov have permanently replaced physical/manual processes with Internet-based processes CYBERSECURITY ROADBLOCKS No metrics to measure (in)security Internet is inherently international Private sector owns most of the infrastructure “Cybersecurity Gap”: a cost/incentive disconnect?  Businesses will pay to meet business imperatives  Who’s going to pay to meet national security imperatives? 49 50
  • 26. 1/20/2020 26 CORPORATE VS NATIONAL corporate cybersecurity = availability, integrity and secrecy of information systems and networks in the face of attacks, accidents and failures with the goal of protecting a corporation’s operations and assets national cybersecurity = availability, integrity and secrecy of the information systems and networks in the face of attacks, accidents and failures with the goal of protecting a nation’s operations and assets (preventing an electronic Pearl Harbour) National Infrastructure Protection Plan (NIPP) From DHS THE NIPP PROVIDES A STRATEGIC CONTEXT FOR INFRASTRUCTURE PROTECTION/RESILIENCY 52  Dynamic threat environment  Natural Disasters  Terrorists  Accidents  Cyber Attacks  A complex problem, requiring a national plan and organizing framework  18 Sectors, all different, ranging from asset-focused to systems and networks  Outside regulatory space (very few security-focused regimes)  85% privately owned  100% in State and local jurisdictions 51 52
  • 27. 1/20/2020 27 CRITICAL INFRASTRUCTURE & KEY RESOURCES (CIKR) 53 Critical Infrastructure: Systems and assets, whether physical or virtual, so vital to the United States that the incapacitation or destruction of such systems and assets would have a debilitating impact on national security, national economic security, public health or safety, or any combination of those matters Key Resources: Publicly or privately controlled resources essential to the minimal operations of the economy or government Why is CIKR Protection Important? Essential to the Nation’s security, public health and safety, economic vitality, and way of life QUESTIONS? Any Questions? Don’t be Shy! 53 54
  • 28. 1/20/2020 28 AUDITNET® AND CRISK ACADEMY • If you would like forever access to this webinar recording • If you are watching the recording, and would like to obtain CPE credit for this webinar • Previous AuditNet® webinars are also available on-demand for CPE credit http://criskacademy.com http://ondemand.criskacademy.com Use coupon code: 50OFF for a discount on this webinar for one week THANK YOU! Page 56 Jim Kaplan AuditNet® LLC 1-800-385-1625 Email:info@auditnet.org www.auditnet.org Follow Me on Twitter for Special Offers - @auditnet Join my LinkedIn Group – https://www.linkedin.com/groups/44252/ Like my Facebook business page https://www.facebook.com/pg/AuditNetLLC Richard Cascarino & Associates Cell: +1 970 819 7963 Tel +1 303 747 6087 (Skype Worldwide) Tel: +1 970 367 5429 eMail: rcasc@rcascarino.com Web: http://www.rcascarino.com Skype: Richard.Cascarino 55 56