Victorian Chapter – FS SIG Auditing for Cyber security preparedness
Presented by
Ashutosh Kapsé CISM, CISA, CRISC, ISO27001LA, CCSK, IRAP
Head – Information security, technology risk & audit IOOF Holdings Ltd.
Disclaimer
Any logos or trademarks used belong to the respective organisations, and they own the sole right to use and reproduce them. This presentation is intended to provide general information only and has been prepared without taking into account any particular person's / organisation's objectives, business situation, needs or risk profile. Any person / organisation, before acting on this information, should consider the appropriateness of this information with regard to their personal / organisation's objectives, business situation, needs or risk profile. We recommend you obtain audit and risk advice specific to your situation before making any risk / audit related decisions. Reference to any tools, technologies or organisations is not meant as endorsement, advertising or support of those products/technologies. The reference is purely to relay my experience and personal opinion.
Acknowledgements: National Institute of Standards and Technology; Steven Ross, Risk Masters Inc, USA; Lockheed Martin whitepaper by Eric M. Hutchins, Michael Cloppert & Rohan Amin.
What we will cover today (Agenda)
• Cyber attacks – myths and reality
• ASIC report 429
• Auditing - Cyber attack preparedness
Myth no 2: Cyber attacks are unstoppable
• Bad things do happen (pandemics, war, crime, terrorism…) but we treat them as manageable problems
• Cyber attacks are no different
Myth no 3: Each cyber attack is different (more advanced than the previous), hence prevention is impossible
• Huge differences depending on cause & effect of each type of attack
Cyber attack flow
• Successful attack breeds similar attacks
• Re-use of code by cyber criminals
1. Reconnaissance
2. Craft attack
3. Infiltrate / Deliver (bypass perimeter)
4. Create footprint / install malware
5. Move laterally
6. Establish
7. Exfiltration
Source: Cyber kill chain® - Intelligence driven cyber defense – Lockheed Martin
What this means
• With appropriate preparation and control framework, organisations, regulators and customers can create comprehensive cyber security programs & use it to assess and improve readiness.
ASIC Report 429 “Cyber resilience: Health Check”
The report highlights the importance of cyber resilience to ASIC’s regulated population: ASIC intends to “incorporate cyber resilience in our surveillance programs across our regulated population”.
Control Framework
NIST (National Institute of Standards and Technology) Cyber security framework – Improving Critical Infrastructure Cybersecurity, Executive Order 13636
Accept (slightly modified for cyber-assessor). Note: this is my modification, not NIST’s or any other standards body’s.
• This framework is the closest thing we have to a “standard” of cyber security controls
• It provides structure but not necessarily content
Elements of the framework
Accept: Understand that cyber attacks are a real threat and this may occur in your organisation
Identify: Develop your organisation’s understanding to manage the cyber security risk to the organisation’s systems, assets, data and capabilities
Protect: Develop and implement a prioritised set of safeguards to ensure delivery of the organisation’s business activities
Detect: Develop and implement appropriate activities to identify the occurrence of a cyber attack
Elements…. Cont’d
Respond: Develop and implement a prioritised set of activities to respond to a detected cyber attack event
Recover: Develop and implement a prioritised set of processes to restore business critical activities and operations after a cyber attack event.
Auditing “Acceptance”
Accept: Understand that cyber attacks are a real threat and this may occur in your organisation
• Is there a management directive to deal with the cyber attack threat?
§ Board level
§ Executive level
§ CIO level
• Is there appropriate funding?
§ Personnel
§ Insurance
§ Technology
§ Expert assistance (3rd party)
• Is there appropriate structure?
• Who owns the problem? The solution?
Auditing - Identify
Identify: Asset management; Business environment; Governance; Risk assessment; Risk management
Auditing “Identify”
• Is there an inventory of information assets?
• Does every business function know
§ What system it relies on?
§ What data these systems have access to?
§ Where those systems are?
• Are the “owners” identified?
§ Governance
§ Business owners (risk management)
§ IT owners
§ DR champion (both IT & business)
§ Expert assistance (3rd party)
• Business continuity
Protect
Protect: Access control; Awareness & training; Data security; Information protection processes & procedures; Protection technologies
Preparation
Prevention
Auditing “Preparation”
• Is there an organisational structure to prepare for prevention, detection & recovery?
Structure shown on the slide: National & regional CERT; Executive Management; Business continuity management; IT Management; Corporate communications; Business functions; IT Ops / Staff; Crisis Management Team (CMT); Organisation’s CERT
Auditing “Preparation” - 2
• Is there a proactive Computer Emergency Response Team (internal)?
• Some organisations do have an existing CERT
• Cyber attacks require a CERT somewhat different from a traditional CERT
• A proactive CERT requires a specific mandate, investment in personnel, tools, emergency procedures and communication protocols
• Requires very tight co-ordination with the business Crisis Management Team
Cyber-attack ready CERT: Traditional CERT vs Cyber CERT
Membership of CERT
  Traditional CERT: Flexible & incident dependent. Functional leaders with others added at time of incident.
  Cyber CERT: Pre-selected. IT executives, functional leaders, IT ops, systems admins, technicians, operators (potential external expert).
Preparation
  Traditional CERT: Extension of current jobs
  Cyber CERT: Focused team & roles, rehearsals, scenario preparation, prepare recovery environment
Activation
  Traditional CERT: At time of problem
  Cyber CERT: On-going. Preparedness, monitoring, daily activity
Decision-making
  Traditional CERT: Limited
  Cyber CERT: Complete with IT
Auditing “Preparation” - 3
• Is there a plan?
• Do existing plans address cyber attacks?
CMT: Crisis Management Plan
CERT: Computer Emergency Response Plan
IT Staff: Recovery in place plan
BCM: Business continuity plan
Marketing: Crisis communication plan
Functional Mgt: Functional business continuity plans
Auditing “Protection” - 1
• Does the organisation have basic preventive tools?
§ Firewalls
§ Intrusion detection / prevention tools
§ Encryption
§ Web / mail filters
§ End point protection
§ The people to make them all work
o CERT
o Operators
o Security administrators
o Help/service desk
o End users
• Training? – appropriate for cyber protection
• Change control in IT
Auditing “Protection” - 2
• Does the organisation have advanced preventive tools?
1. Air gap data center?
2. Next Generation firewall?
3. Zero trust architecture?
Air-gap data center
• Repository for trusted images
• Backups of data
Diagram on the slide: Production data center – SAN – media transfer – Air-gap data center
Next Generation Firewall
• Not new technology as such
• Integrates multiple security point solutions into a single device
• User and application aware (not just IP address and port aware)
• Content and context awareness
• Dynamic posture through “sandboxing”
Next Gen firewall: a single integrated platform enabling centralised monitoring and management
• Deep packet inspection (IP)
• Encrypted traffic inspection
• IDS/IPS
• Wildfire threat detection
• User identification and policy implementation
• Application firewall
• DNS/DHCP forwarding
• Malware protection
• VPN / remote access
• Data leak prevention (DLP)
• Application and context awareness
• URL / content filtering
Auditing “Detect”
• More about process/procedures
• Is anyone “awake” at the switch?
• Detection roles & processes
• Security continuous monitoring
§ Vulnerability and patch status?
§ On-going testing of web facing applications?
§ CMDB and configuration management?
• Any advanced detection systems?
§ Anomaly detection / Heuristics
§ User behavior monitoring
§ Database monitoring
• Usually the weakest point in the chain
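The continuous-monitoring questions above (CMDB and configuration management, log collection for critical systems) can be tested with evidence rather than interview answers. The script below is an added example written for this page, not the presenter's or IOOF's code: it takes a constructed CMDB extract and a few constructed syslog-style lines, then reports which high-criticality systems sent nothing to the central collector inside the review window and which log sources are unknown to the CMDB. The host names, owners, the audit timestamp and the `window_hours` / `min_criticality` parameters are all assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample CMDB extract (hypothetical hosts, owners and ratings).
CMDB = [
    {"host": "pay-db-01", "criticality": "high", "owner": "finance"},
    {"host": "web-portal-01", "criticality": "high", "owner": "digital"},
    {"host": "hr-app-01", "criticality": "medium", "owner": "hr"},
    {"host": "dev-build-03", "criticality": "low", "owner": "it-ops"},
]

# Constructed syslog-style lines as received by the central log collector:
# "<ISO-8601 UTC timestamp> <host> <message>". One line is deliberately malformed.
LOG_LINES = """\
2024-03-01T09:15:02Z pay-db-01 sshd[1201]: Accepted publickey for dba from 10.1.4.7
2024-03-01T09:16:40Z hr-app-01 auditd[77]: SYSCALL arch=c000003e syscall=59 success=yes
2024-03-01T09:20:11Z lab-vm-09 kernel: eth0: link up
2024-02-20T08:00:00Z web-portal-01 nginx[88]: 10.1.9.2 "GET /login HTTP/1.1" 200
this line is malformed and must be skipped
2024-03-01T11:02:55Z pay-db-01 postgres[402]: connection authorized: user=app database=ledger
"""

# Assumed point in time at which the auditor pulled the evidence.
REVIEW_TIME = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)

CRITICALITY_RANK = {"low": 0, "medium": 1, "high": 2}


def parse_log_lines(text):
    """Return {host: latest UTC timestamp seen}. Lines that do not start with a
    parseable timestamp and a host name are skipped rather than aborting the run."""
    latest = {}
    for line in text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) < 2:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except ValueError:
            continue  # not a timestamped log line
        host = parts[1]
        if host not in latest or ts > latest[host]:
            latest[host] = ts
    return latest


def coverage_report(cmdb, log_text, now, window_hours=24, min_criticality="high"):
    """Compare the CMDB against what the collector actually received.

    covered:         in-scope systems with at least one log line inside the window
    silent:          in-scope systems with no log line inside the window (audit finding)
    unknown_sources: hosts that send logs but are absent from the CMDB (inventory gap)
    """
    latest = parse_log_lines(log_text)
    cutoff = now - timedelta(hours=window_hours)
    threshold = CRITICALITY_RANK[min_criticality]
    covered, silent = [], []
    for asset in cmdb:
        if CRITICALITY_RANK[asset["criticality"]] < threshold:
            continue  # below the criticality the audit scoped in
        seen = latest.get(asset["host"])
        if seen is not None and seen >= cutoff:
            covered.append(asset["host"])
        else:
            silent.append({
                "host": asset["host"],
                "owner": asset["owner"],
                "last_seen": seen.isoformat() if seen else None,
            })
    known_hosts = {asset["host"] for asset in cmdb}
    unknown_sources = sorted(h for h in latest if h not in known_hosts)
    return {"covered": sorted(covered), "silent": silent, "unknown_sources": unknown_sources}


if __name__ == "__main__":
    report = coverage_report(CMDB, LOG_LINES, REVIEW_TIME)
    for finding in report["silent"]:
        print(f"FINDING: {finding['host']} (owner {finding['owner']}) silent; "
              f"last seen {finding['last_seen']}")
    for host in report["unknown_sources"]:
        print(f"INVENTORY GAP: {host} sends logs but is not in the CMDB")
    print("covered:", ", ".join(report["covered"]))
```

On the sample data the script flags `web-portal-01` as silent (its last line is weeks old, which is what a stale or broken forwarder looks like) and `lab-vm-09` as a source missing from the CMDB; both are the kind of evidence-backed observation the Detect pillar asks for. Lowering `min_criticality` to "medium" or shrinking `window_hours` widens or tightens the test.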
Auditing “Respond”
• Does the CERT practice routinely for cyber attack response?
• Are there response procedures?
§ Taken from scenarios
§ Learning from previous incidents
• Log of attacks / attempts?
§ Is root cause analysis performed?
§ Lessons learnt / implemented
Auditing “Recover”
• Weakest auditing point
• No attack – nothing to audit?
• If there was an attack & recovery – audit
§ Quality of recovery process & effectiveness
§ Report on opportunity for improvement
• Audit whether BCP/DR caters for cyber attack recovery (usually only caters to natural disasters)
• In a way you are auditing recovery while auditing preparation
Ashutosh Kapsé MBA, CISM, CRISC, CISA, ISO27001LA, IRAP Certified, CCSK
Head – Information security, technology risk & audit IOOF Holdings Ltd. (ASX : IFL)
Three Key things
Three key things to remember for Auditors
1. Cyber kill chain (how attackers behave)
2. Forget the hype – KIS principle (cyber basics)
3. Use the “Accept – Identify – Protect – Detect – Respond – Recovery” pillars for auditing
Cyber attack flow (recap): 1. Reconnaissance, 2. Craft attack, 3. Infiltrate / Deliver (bypass perimeter), 4. Create footprint / install malware, 5. Move laterally, 6. Establish, 7. Exfiltration
Source: Cyber kill chain® - Intelligence driven cyber defense – Lockheed Martin
Cyber security basics
Audit the basics to start with
1. Where is your most sensitive data located?
2. How many applications/servers/endpoint devices do you have to patch and protect?
3. Do you have a security awareness program for all your employees?
4. Are your office locations and facilities protected from unauthorized access?
5. Who do employees call when there's a security incident?
6. Is your network being monitored for malicious traffic?
7. Are you collecting logs for your most critical systems?
Thank you