Phil Livingston

Contact:  908.938.6412

Cyber Security for Audit Committees


Some Essential Cyber Security Questions to Ask

  • What firewall systems do we employ?
    o Is our firewall configuration documented, and in a shareable format?
    o Do we establish network zones and put monitoring apps in certain zones behind special firewalls?
  • What malware detection tools do we employ?
  • What monitoring system do we employ to track changes to Active Directory and access to it?
  • What intrusion detection application is employed?
  • Do we have an incident tracking system?
  • Cyber exercises – can we run a network defense covert test (a simulation of a real attack)? Many consider this a key control.


Cyber Security Basics


Create a Cyber Security Control Framework – link risk and the control set


Establish business rationale for omitting certain controls


Control testing

  • Test design effectiveness
  • Test operational effectiveness


Payment Card Industry – PCI – data security standard for cardholder data


Data Breach

  • Investigation
  • Safe harbor from fines if the standard is followed
  • Remediation
  • Compensation


PCI – 200 mandatory controls

  • Firewall configuration must be documented
  • A segregated PCI zone inside the network, protected by its own firewall
  • Very specific rules for stored cardholder data
  • Encryption across public networks


The Heartbleed Bug – a flaw in a widely used encryption library that undermined certain encryption methods


Under the standard, software upgrades must be installed within one month of review and publication


ATMs and gas pump card readers regularly have skimmers attached by hackers


The PCI Council has a good website on cyber security


Cyber Essentials (UK) – low cost and light touch; you can submit a self-assessment to obtain certification


User access control problems – too many legacy users, and users with too many authorities


Cyber Blacklist - known problem sites, attackers, attack types and botnets


Patch management – timely patching, and licensed software rather than cracked copies (often a source of malware infection)


The Cyber Attack Process

  • Reconnaissance – attacker casing the joint; port scans of active hosts; use of botnets
  • Weaponization – purchased malware
  • Delivery – malware embedded in a document or PDF, or a link to a website that’s been compromised
  • Exploitation
  • Installation – drops the payload into memory or onto disk
  • Command and Control
  • Actions to complete the theft


Typical Cyber Frauds

• Theft of bank and credit card information

• Ghost employees that get paid

• Salami shaving – taking a few cents from every transaction

• Payment for non-existent goods (online payments for goods never delivered)


Hacking – started with teen hackers: bored teenagers who loved getting into other computers and networks


Denial of Service attacks – overwhelming websites; botnets coordinate attacks


Famous Cyber data thefts - Anthem 80M records; JP Morgan 76M accounts exposed; Home Depot


Botnet – components

 • Network of hijacked network devices and computers

 • Botmaster – the criminal

 • Command & Control systems

 • Compromised legitimate websites


Zeus is the most famous botnet

 • Steals online credentials – Internet Explorer passwords; bank account credentials; modifies banking websites

 • Targets computers and smartphones


Botnets are actively rented from and between criminals


Professional money mules are hired by the criminals to retrieve the money


Hiding Malware

There are ways to hide files in Windows so that the directory listing command doesn’t display them – even whole subdirectories can be hidden


Ransomware – locks owners out of their websites until a ransom is paid

 • CryptoLocker – TorrentLocker – CryptoWall

 • Spread via UPS and FedEx e-mail lures (“you have a package”)

 • Encrypts all files on the attacked server – no decryption key to unlock the server until payment is made



Security Architecture


Architecture risk and controls

• Access is controlled

• Access is reviewed

• Privileged access is strongly controlled

• Staff approve storage or processing of data outside the network

• Stored personal data is encrypted


Access and identity management is key

• Employees, contractors and suppliers

• Mechanisms

o Windows Active Directory

o Unix LDAP (Lightweight Directory Access Protocol)

o File access rights

o Federated directories

• CyberArk – privileged access management app

o Network administrators and security personnel – control even their access


Malware control objectives

• Filter incoming traffic

• Implement malware detection

• Detection of malware

• Network filtering

• Network zoning

• Data loss prevention


Router Access Control Lists

• Checks packets coming into the system and either redirects them

• Ruleset
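As an added example (not from the original notes), here is a small Python model of an ordered router ACL guarding a segregated PCI zone like the one described under the PCI controls above: the first matching rule wins, unmatched traffic is implicitly denied, and an audit helper flags rules that can never fire because an earlier, broader rule shadows them. The addresses, zones and rules are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    proto: str            # "tcp", "udp" or "any"
    src: str              # source network, CIDR notation
    dst: str              # destination network, CIDR notation
    dport: Optional[int]  # destination port; None means any port
@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int
def matches(rule, pkt):
    return (rule.proto in ("any", pkt.proto)
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
            and (rule.dport is None or rule.dport == pkt.dport))
def evaluate(acl, pkt):
    """First matching rule wins; traffic matching no rule is denied (implicit deny)."""
    for i, rule in enumerate(acl):
        if matches(rule, pkt):
            return rule.action, i
    return "deny", None
def _covers(outer, inner):
    """True if every packet that matches `inner` would also match `outer`."""
    return (outer.proto in ("any", inner.proto)
            and ipaddress.ip_network(inner.src).subnet_of(ipaddress.ip_network(outer.src))
            and ipaddress.ip_network(inner.dst).subnet_of(ipaddress.ip_network(outer.dst))
            and (outer.dport is None or outer.dport == inner.dport))
def shadowed_rules(acl):
    """Audit check: indexes of rules that can never fire because an earlier rule covers them."""
    return [j for j in range(len(acl)) if any(_covers(acl[i], acl[j]) for i in range(j))]

# Constructed inbound ruleset for a segregated PCI zone (10.20.0.0/24); addresses are illustrative.
PCI_INBOUND_ACL = [
    Rule("permit", "tcp", "10.10.0.0/24", "10.20.0.0/24", 443),   # web tier -> payment API only
    Rule("permit", "tcp", "10.30.0.5/32", "10.20.0.0/24", 22),    # one admin jump host for SSH
    Rule("deny",   "any", "0.0.0.0/0",    "10.20.0.0/24", None),  # explicit catch-all, normally logged
]
# Same intent, wrong order: the broad permit placed first shadows the specific deny after it.
MISORDERED_ACL = [
    Rule("permit", "tcp", "10.0.0.0/8",   "10.20.0.0/24", None),
    Rule("deny",   "tcp", "10.10.0.0/24", "10.20.0.0/24", 22),
]
```

Running `shadowed_rules(MISORDERED_ACL)` returns `[1]`, which is the kind of finding a documented, reviewable firewall ruleset lets an auditor surface.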


Other Resources

• Palo Alto firewalls using the WildFire environment

• Fortinet appliance for e-mail filtering

• Splunk automates log tracking and analysis

• Sourcefire

• THOR APT Scanner – detection of attacker activity


Monitoring the environment

• Log all security related events

• Logs must be secure

• Regular review of logs

• Real-time direct reports from sensors

• Network defense covert test – a simulation of a real attack – key control


Incident Management

• NIST established a forum for incident management and information sharing

• Cyber exercises are considered very useful

• – has a tool available to assess readiness for an attack

• Establish response playbooks

• No decision making by committee in a crisis

• Training courses that are good resources:

o Practical Cybersecurity

o IT Security Fundamentals



From a 2015 Gartner Report about tools for managing the Cyber Security risks and systems:


There are three primary security operations analytics and reporting technology types:

Threat and Vulnerability Management: Threat and vulnerability management solutions are designed to support an organization's vulnerability life cycle management, providing formalized workflow, reporting and collaboration capabilities. They usually do not execute vulnerability assessments themselves, but consolidate and normalize output from multiple vulnerability, application security and penetration testing solutions. Methods are supplied that analyze and prioritize vulnerabilities by applying threat intelligence and organizational context, or via advanced risk modelling approaches such as attack path analysis. This permits more granular and intelligent remediation strategies than simplistic severity or CVSS-based approaches, especially at scale and when remediating with limited resources.

Security Incident Response: A security incident response platform is software designed specifically for the purpose of supporting an organization's ability to plan, manage and track their response to the evolution of a security incident. This is supported by analytical and reporting capabilities enabling different prioritization strategies, as well as to coordinate the actions required to respond to that incident. Incident and threat detection are not the primary focus, with SIRP technologies frequently relying on third-party technologies for this, although detection capabilities may be present in some solutions (see "Technology Overview for Security Incident Response Platforms").

Security Operations Automation: Security operations management solutions support an organization's security operational work by providing management and automation capabilities for workflow, process and policy execution and reporting. Collaboration features such as granular role access, multitenancy, role-focused dashboards and reporting are common. Some offerings automate remediation and response by providing connectors and script libraries for remote connectivity to third-party technologies. They are designed to provide command and control capabilities to security teams and security operations centers.

Copyright 2017 Philip Livingston