Phil Livingston

Contact:  908.938.6412 phil@phillivingston.com

Cyber Security for Audit Committees

Some Essential Cyber Security Questions to Ask

  • What firewall systems do we employ?
    o Is our firewall system documented? In a sharable format?
    o Do we establish network zones and put monitoring apps in certain zones behind special firewalls?
  • What malware detection tools do we employ?
  • What monitoring system do we employ to track changes to Active Directory and access to it?
  • What intrusion detection application is employed?
  • Do we have an incident tracking system?
  • Cyber exercises – can we implement a network defense covert test (a simulation of a real attack)? Many consider this a key control.

Cyber Security Basics

Create a Cyber Security Control Framework – link risk to the control set

Establish a business rationale for omitting certain controls

Control testing

  • Test design effectiveness
  • Test operational effectiveness

Payment Card Industry – PCI – data security standard for cardholder data

Data Breach

  • Investigation
  • Safe harbor from fines if the standard is followed
  • Remediation
  • Compensation

PCI – 200 mandatory controls

  • Firewall configuration must be documented
  • Segregated PCI zone inside the network, firewalled off
  • Stored cardholder data – very specific rules
  • Encryption across public networks

The Heartbleed Bug – undermined certain encryption methods

Under the standard, software upgrades must be installed within one month of review and publication

ATMs and gas pump card readers regularly have skimmers attached by hackers

The PCI Council has a good website on cyber security

Cyber Essentials from the UK – low cost and light touch – you can submit a self-assessment to get a certification

User access control problems – too many legacy users and users with too many authorities

Cyber blacklist – known problem sites, attackers, attack types and botnets

Patch management – timely patching; licensed software, not cracked copies (often a source of malware infection)

The Cyber Attack Process

  • Reconnaissance – the attacker casing the joint; port scan of active hosts; use of botnets
  • Weaponization – purchased malware
  • Delivery – malware embedded in a document or PDF, or a link to a website that has been compromised
  • Exploitation
  • Installation – drops the payload into memory or onto disk
  • Command and Control
  • Actions to complete the theft

Typical Cyber Frauds

  • Theft of bank and credit card information
  • Ghost employees that get paid
  • Salami shaving – taking a few cents from every transaction
  • Payment for non-existent goods (online payments for goods never delivered)

Hacking – started with teen hackers, bored teenagers who loved getting into other computers and networks

Denial of Service attacks – overwhelming websites; botnets coordinate the attacks

Famous cyber data thefts – Anthem, 80M records; JP Morgan, 76M accounts exposed; Home Depot

Botnet – components – a network of hijacked network devices and computers

  • Botmaster – the criminal
  • Command & Control systems
  • Obscurity
  • Compromising legitimate websites

Zeus is the most famous botnet

  • Steals online credentials – Internet Explorer passwords; bank account credentials; modifies banking websites
  • Targets computers and smartphones

Botnets are actively rented among criminals

Professional money mules are hired by the criminals to retrieve the money

Hiding Malware

There are ways to hide files in Windows that the directory listing command doesn’t display – this hides even subdirectories

Ransomware – locks out owners of websites until a ransom is paid

  • Cryptolocker – TorrentLocker – Cryptowall
  • Spread via UPS and FedEx “you have a package” e-mails

Ransomware encrypts all files on the attacked server – there is no encryption key to unlock the server until payment is made

Security Architecture

Architecture risk and controls

  • Access is controlled
  • Access is reviewed
  • Privileged access is strongly controlled
  • Staff approve storage or processing of data outside the network
  • Stored personal data is encrypted
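
An added example of the access review these controls call for (my code, not the page's): it runs over a constructed directory export and flags the legacy accounts and users with too many authorities described earlier under user access control problems, plus any privileged membership that needs explicit approval. The thresholds, group names and accounts are assumptions.

```python
from datetime import date

# Constructed sample directory/entitlement export; thresholds and group names are assumptions.
REVIEW_DATE = date(2017, 6, 30)
STALE_DAYS = 90          # no login for longer than this = dormant/legacy account
MAX_ENTITLEMENTS = 5     # more group memberships than this = too many authorities
PRIVILEGED = {"Domain Admins", "Cardholder DB Admin", "Firewall Admin"}

ACCOUNTS = [
    {"user": "asmith", "status": "active", "last_login": date(2017, 6, 28),
     "groups": ["Finance Users", "VPN Users"]},
    {"user": "jdoe", "status": "terminated", "last_login": date(2017, 1, 15),
     "groups": ["Finance Users"]},                        # leaver whose account is still enabled
    {"user": "svc_backup", "status": "active", "last_login": date(2016, 11, 2),
     "groups": ["Domain Admins", "Backup Operators"]},    # dormant but privileged
    {"user": "rlee", "status": "active", "last_login": date(2017, 6, 29),
     "groups": ["Finance Users", "HR Users", "Firewall Admin",
                "Cardholder DB Admin", "VPN Users", "Dev Team"]},  # too many authorities
]


def review_accounts(accounts, today=REVIEW_DATE):
    """Return {user: [issue, ...]} for every account that needs reviewer attention."""
    findings = {}
    for acct in accounts:
        issues = []
        groups = set(acct["groups"])
        idle_days = (today - acct["last_login"]).days
        if acct["status"] != "active":
            issues.append("legacy-terminated")          # should have been disabled at exit
        elif idle_days > STALE_DAYS:
            issues.append("legacy-dormant")             # candidate for disablement
        if len(groups) > MAX_ENTITLEMENTS:
            issues.append("excess-entitlements")        # reviewer must justify each authority
        if groups & PRIVILEGED:
            issues.append("privileged-needs-approval")  # privileged access is reviewed explicitly
        if issues:
            findings[acct["user"]] = issues
    return findings


if __name__ == "__main__":
    for user, issues in sorted(review_accounts(ACCOUNTS).items()):
        print(f"{user:12s} {', '.join(issues)}")
```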


Access and identity management is key

  • Employees, contractors and suppliers
  • Mechanisms
    o Windows Active Directory
    o Unix LDAP (Lightweight Directory Access Protocol)
    o File access rights
    o Federated directories
  • CyberArk – privileged access management app
    o Network administrators and security personnel – control even their access

Malware control objectives

  • Filter incoming traffic
  • Implement malware detection
  • Detection of malware
  • Network filtering
  • Network zoning
  • Data loss prevention

Router Access Control Lists

Firewalls

  • Checks packets coming into the system and either redirects them
  • Ruleset
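
An added example (my code, not the page's) of what a documented, zoned firewall ruleset looks like, tying together the network zoning question, the PCI requirements that firewall configuration be documented and the cardholder zone be segregated, and the router ACL and ruleset items above. It evaluates packets first-match against rules that each carry an ID and business justification, and audits the ruleset for an explicit default deny; the zones, addresses, ports and rule IDs are assumptions.

```python
import ipaddress
from collections import namedtuple

# Constructed zones and ruleset; addresses, ports and rule IDs are assumptions for illustration.
ZONES = {
    "mgmt": ipaddress.ip_network("10.30.0.0/24"),   # monitoring/admin zone
    "pci":  ipaddress.ip_network("10.20.0.0/24"),   # segregated cardholder zone
    "corp": ipaddress.ip_network("10.10.0.0/16"),   # general corporate network
}
ANY = None


def zone_of(ip):
    """Map an address to its zone; anything outside the defined zones is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


# Every rule carries an ID and a business justification, so the ruleset is its own documentation.
Rule = namedtuple("Rule", "rule_id action src_zone dst_zone proto dport dst_host why")
RULES = [
    Rule("ADM-01", "allow", "mgmt", "pci", "tcp", 22, ANY, "admin jump host into PCI zone"),
    Rule("LOG-01", "allow", "pci", "mgmt", "udp", 514, ANY, "syslog from PCI hosts to monitoring"),
    Rule("PAY-01", "allow", "corp", "pci", "tcp", 443, "10.20.0.10", "storefront to payment gateway only"),
    Rule("PCI-01", "deny", "pci", ANY, ANY, ANY, ANY, "no other egress from the cardholder zone"),
    Rule("DEF-01", "deny", ANY, ANY, ANY, ANY, ANY, "default deny"),
]


def evaluate(src_ip, dst_ip, proto, dport, rules=RULES):
    """First-match evaluation of a packet; returns (action, rule_id)."""
    src_z, dst_z = zone_of(src_ip), zone_of(dst_ip)
    for r in rules:
        if (r.src_zone in (ANY, src_z) and r.dst_zone in (ANY, dst_z)
                and r.proto in (ANY, proto) and r.dport in (ANY, dport)
                and r.dst_host in (ANY, dst_ip)):
            return r.action, r.rule_id
    return "deny", "implicit"       # reached only if the ruleset lacks a final default deny


def audit_ruleset(rules=RULES):
    """Documentation checks an auditor asks for: every rule justified, explicit default deny last."""
    problems = [r.rule_id for r in rules if not r.why]
    last = rules[-1]
    if not (last.action == "deny" and last.src_zone is ANY and last.dst_zone is ANY):
        problems.append("missing final default deny")
    return problems
```

Note that the corporate zone can reach the cardholder zone only on one port of one host, and the cardholder zone cannot reach the internet at all, which is the segregation the PCI items above describe.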


Other Resources

  • Palo Alto firewalls using the WildFire environment
  • ModSecurity.org
  • Fortinet appliance for e-mail filtering
  • Splunk automates log tracking and analysis
  • Sourcefire
  • Thor APT Scanner – detection of attacker activity

Monitoring the environment

  • Log all security-related events
  • Logs must be secure
  • Regular review of logs
  • Real-time direct reports from sensors
  • Network defense covert test – a simulation of a real attack – key control
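
An added example (my code, not the page's) of the log review the monitoring items above and the earlier question about tracking changes to Active Directory call for: it parses a constructed sample of Windows Security log lines and raises alerts for additions to privileged groups, account creation outside the change window, and a newly created account that is escalated in the same log. The flattened key=value line format, business hours and names are assumptions; the event IDs are the standard Windows ones.

```python
import re
from datetime import datetime

# Constructed sample of Windows Security log lines in a flattened key=value form (not a real export).
# Event IDs are the real Windows ones; the hosts, users and group names are invented.
SAMPLE_LOG = """\
2017-06-30T09:02:11Z EventID=4624 Subject=asmith Workstation=WS-0451
2017-06-30T09:15:40Z EventID=4728 Subject=adm.rlee Member=bkim Group="Finance Users"
2017-06-30T02:14:05Z EventID=4720 Subject=adm.jdoe Member=svc_temp
2017-06-30T02:14:32Z EventID=4728 Subject=adm.jdoe Member=svc_temp Group="Domain Admins"
2017-06-30T14:03:10Z EventID=4756 Subject=adm.rlee Member=cwu Group="Enterprise Admins"
"""

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}
GROUP_ADD_EVENTS = {"4728", "4732", "4756"}   # member added to global / local / universal group
ACCOUNT_CREATED = "4720"
BUSINESS_HOURS = range(8, 18)                 # assumption: change window is 08:00-17:59

FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_event(line):
    """Turn one log line into a dict; quoted values may contain spaces."""
    stamp, rest = line.split(" ", 1)
    event = {"time": datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")}
    for key, raw, quoted in FIELD_RE.findall(rest):
        event[key] = quoted if raw.startswith('"') else raw
    return event


def review_ad_events(log_text):
    """Return (alert, actor, target, detail) tuples for changes a reviewer should see."""
    alerts, created = [], {}
    for line in log_text.splitlines():
        ev = parse_event(line)
        eid, actor = ev["EventID"], ev["Subject"]
        if eid == ACCOUNT_CREATED:
            created[ev["Member"]] = ev["time"]
            if ev["time"].hour not in BUSINESS_HOURS:
                alerts.append(("account-created-off-hours", actor, ev["Member"], ev["time"].isoformat()))
        elif eid in GROUP_ADD_EVENTS and ev.get("Group") in PRIVILEGED_GROUPS:
            alerts.append(("privileged-group-change", actor, ev["Member"], ev["Group"]))
            if ev["Member"] in created:   # account created earlier in the same log, then escalated
                alerts.append(("new-account-escalated", actor, ev["Member"], ev["Group"]))
    return alerts


if __name__ == "__main__":
    for alert in review_ad_events(SAMPLE_LOG):
        print(*alert)
```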


Incident Management

  • NIST established a forum for incident management and information sharing
  • Cyber exercises are considered very useful
  • crest-approved.org has a tool available to assess readiness for an attack
  • Establish response playbooks
  • No decision making by committee in a crisis

Lynda.com training courses that are good resources

  • Practical Cybersecurity
  • IT Security Fundamentals
  • practical

From a 2015 Gartner Report about tools for managing cyber security risks and systems:

There are three primary security operations analytics and reporting technology types:

Threat and Vulnerability Management: Threat and vulnerability management solutions are designed to support an organization's vulnerability life cycle management, providing formalized workflow, reporting and collaboration capabilities. They usually do not execute vulnerability assessments themselves, but consolidate and normalize output from multiple vulnerability, application security and penetration testing solutions. Methods are supplied that analyze and prioritize vulnerabilities by applying threat intelligence and organizational context, or via advanced risk modelling approaches such as attack path analysis. This permits more granular and intelligent remediation strategies than simplistic severity or CVSS-based approaches, especially at scale and when remediating with limited resources.

Security Incident Response: A security incident response platform is software designed specifically for the purpose of supporting an organization's ability to plan, manage and track their response to the evolution of a security incident. This is supported by analytical and reporting capabilities enabling different prioritization strategies, as well as to coordinate the actions required to respond to that incident. Incident and threat detection are not the primary focus, with SIRP technologies frequently relying on third-party technologies for this, although detection capabilities may be present in some solutions (see "Technology Overview for Security Incident Response Platforms").

Security Operations Automation: Security operations management solutions support an organization's security operational work by providing management and automation capabilities for workflow, process and policy execution and reporting. Collaboration features such as granular role access, multitenancy, role-focused dashboards and reporting are common. Some offerings automate remediation and response by providing connectors and script libraries for remote connectivity to third-party technologies. They are designed to provide command and control capabilities to security teams and security operations centers.

Copyright 2017 Philip Livingston
