Nathan Anderson, Director Internal Audit, Sears Holdings
Lucas Morris, Senior Manager, Crowe Horwath
#NACACS
WHO WE ARE
• Nate Anderson
– IT Audit Director, Sears Holdings Corporation
• Lucas Morris
– Senior Manager, Crowe Horwath LLP
AGENDA
“security is no longer a function of IT, it’s part of enterprise risk management”
1. the case for cybersecurity
2. three lines of defense model and security roles
3. rethinking the role of internal audit
HIGH-PROFILE 2014 BREACHES¹
[chart of 2014 breaches; record counts shown: 40m, 56m]
¹ dell security 2015 threat report (modified): http://bit.ly/1UhOmyF
HIGH-PROFILE 2015 BREACHES¹
[chart of 2015 breaches; record counts shown: 80m, 37m]
¹ dell security 2016 threat report: http://dell.to/1QeaJ4X
BREACHES BY THE NUMBERS¹
source of breach:
- malicious outsider: 58%
- accidental loss: 24%
- malicious insider: 15%
- hacktivist: 2%
- state sponsored: 2%
breaches by industry:
- government: 43%
- healthcare: 19%
- other: 17%
- technology: 12%
- retail: 6%
- education: 3%
¹ breach level index: http://breachlevelindex.com
BREACHES BY THE NUMBERS
• Average cost per record lost in 2015 is $217
IBM 2015 Cost of Breach Study: http://ibm.co/1rnnBN3
THREE LINES OF DEFENSE MODEL
1st line: own & manage risk and control (front line operating management).
2nd line: monitor risk and control in support of management (risk, control, compliance functions put in place by management).
3rd line: provide independent assurance to board & senior management concerning the effectiveness of management of risk and control.
coso: three lines of defense: http://bit.ly/1I4XrQT
THREE LINES – ROLES & RESPONSIBILITIES
1 (first line)
• integrate risk management into daily ops
• mitigate risks
• escalate risks
2 (second line)
• set risk baselines, policies, & standards
• monitor & call for action
• oversight, checks & balances, consultation
3 (third line)
• review program effectiveness
• update senior management & leaders
• holistic risk view
THREE LINES EXAMPLE: EMPLOYEE DATA
[diagram] human resources (1st line) | information security / it compliance (2nd line) | internal audit (3rd line)
elements shown: control requirements – cobit / nist; risk assessment; control gaps; global view; system & asset inventory; control set
ROLE OF BOARD OF DIRECTORS & AUDIT COMMITTEE
• 40% of boards deal with computer & information security issues
• 48% have board-level risk committee for privacy & security
• 65% [of directors] want at least “some” additional time and focus on IT risks like cybersecurity¹
• 83% of the board or its committees are very or moderately engaged with overseeing/understanding the risk of cyberattacks.
• 65% of board or its committees are very or moderately engaged with overseeing/understanding the level of spend on cybersecurity.
Deloitte: http://bit.ly/1pnZCN5 | PwC: http://pwc.to/1RMkXWK
SECURITY AS ENTERPRISE RISK MANAGEMENT
• identify your threat landscape: assets, threat actors, and threats¹
• assess defense and determine relevancy of attacks
• audit and test defenses and technical controls
• communicate and collaborate with other lines of defense and audit committee
¹ refer to appendix A. for recommended reading list.
SECURITY AS ENTERPRISE RISK MANAGEMENT
• identify your threat landscape: assets, threat actors, and threats
• assess defense and determine relevancy of attacks
• audit and test defenses and technical controls
• communicate and collaborate with other lines of defense and audit committee
IDENTIFY YOUR THREAT LANDSCAPE: ASSETS¹
what are your crown jewels?
¹ refer to appendix B. for security frameworks supporting an asset-driven approach.
IDENTIFY YOUR THREAT LANDSCAPE: ASSETS
where are your crown jewels?
“an organization cannot properly protect [assets] it does not know about.” - nist¹
[diagram] locations shown: points of entry, servers, databases, staging warehouse, third parties, cloud, unstructured reports
¹ NIST Protecting PII: http://1.usa.gov/1DgxrRy
IDENTIFY YOUR THREAT LANDSCAPE: THREAT ACTORS
external threat actors are relevant based on: assets, industry
- nation states
- hacktivists
- criminal organizations
- terrorists
- individuals (internal & external)
relevant internal & third party threat actors
attack origination¹: external 80%+ | internal 17% | partner 3%
¹ verizon data breach investigations report: http://vz.to/1ILoZPv
THREAT ACTOR SOPHISTICATION
advanced persistent threats
• Highly knowledgeable, highly funded
• Looking for targets of value
• Example: Lulzsec, Stuxnet, Nation Sponsored
targeted attacks
• Advanced attacks with specific targets
• Worms, Application Vulnerabilities
• Example: Conficker, Sasser
“script kiddies”
• Leverage widely available tools
• Look for targets of opportunity
• Example: Website defacement
insider threats
• Employee, partners, contractors
• Typically highest likelihood of monetary impact
• Example: WikiLeaks
# OF BREACHES BY THREAT ACTOR MOTIVE¹
[chart]
¹ verizon dbir 2016: http://vz.to/1Svr72f
IDENTIFY YOUR THREAT LANDSCAPE - THREATS
phishing | data leakage | credentials | trojan | backdoor | command & control | malware
THREATS – USER CREDENTIALS
• at-risk credentials
– weak, reused, default credentials
– easy method for attackers to gain and expand access
• how do they obtain them:
– guessing
– stealing them encrypted from memory or storage
– stealing them while in use (unencrypted)
– stealing the user’s session or token
• enable attacker to:
– gather significant amounts of low-risk information
– access files
– search and scan for additional access, moving both laterally and vertically
THREATS – THIRD PARTIES
• it’s 10:30 am Monday morning and IT gets a call…
“Hello, this is Tom from procurement. We have a vendor that will be here at 2:00 and they are requesting that we provide them an internal IP address for the installation.”
• recent breaches show compliance is not the goal
• right to audit clause
• more hands-on testing
– vendors will hate this
– small organizations will struggle
THREATS – DATA LEAKAGE
[diagram] leakage channels shown: internet, third parties, shares, email, printers, intranet applications, backups, media, database, local files
THREATS – SOCIAL ENGINEERING
From: “Client Content Filter System” <[email protected]>
Subject: Potential Acceptable Use Violation
Michael,
Our web traffic monitoring service has reported that your account has visited potentially malicious web sites, including sites that are restricted per ABC’s Acceptable Use Policy.
We do realize that this type of activity is often caused by viruses and other types of malware. The following link will direct you to the detailed report of the malicious web sites your system has visited as reported by the monitoring service; please review this list for accuracy.
https://www.FAKEBUTLOOKSREAL.org/ABC/[email protected]
The file has been encrypted for privacy and requires Microsoft Word macros to be enabled for viewing.
If you believe that any of the sites listed in the report have been reported erroneously or that all sites noted are false positives, please reply to this email and a manual review will be conducted by Information Security.
THREATS – PHISHING SCENARIO EXAMPLE
1. user receives phishing email; clicks attachment
2. malicious malware installed that enables backdoor
3. communication between user system & attacker
4. attacker scans network for targets, lateral movement
SECURITY AS ENTERPRISE RISK MANAGEMENT
• identify your threat landscape: assets, threat actors, and threats
• assess defense and determine relevancy of attacks
• audit and test defenses and technical controls
• communicate and collaborate with other lines of defense and audit committee
ASSESS DEFENSE
Initial Point of Entry: the point of entry represents how the attacker obtains initial access. Examples could include social engineering, unpatched Internet-accessible systems, or weak passwords on externally accessible systems.
Fortify Access and Access Data: as the attacker pivots around the network, they continue to attempt to escalate their authority until they have the necessary access. They will typically fortify their access by installing malware or backdoors to maintain access. Persistent administrator access is the end goal.
Pivot Point: the initial access typically does not provide the information the attacker is looking for. They will leverage the access they do have to try to increase authority on the network. This could occur through shared passwords, unpatched systems, or excessive privileges.
Data Exfiltration: once the attacker has data, they need to get it out of the network. This can be completed through a variety of vehicles, such as email or FTP. This has forced the maturity in the approach to Information Security from only focusing on prevention to include detection and response.
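The pivot stage above is where the detection-and-response shift the slide calls for has the most to work with: an account that suddenly authenticates to many servers, or from a workstation it has never used, stands out in logon records. The following is an added example written for this page, not code from the presenters or their organizations; the host names, account names, baseline and thresholds are all constructed for illustration, and a real deployment would read the same fields from Windows security event logs or a SIEM rather than from an inline list.

```python
# Added example, not part of the presentation: a small detector for the
# "pivot" stage described above, run over constructed logon records.
# Host names, account names and thresholds are all made up for illustration.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: (timestamp, account, source host, destination host).
# One ordinary user, one service account, and one account that fans out
# across six servers in under a minute.
SAMPLE_LOGONS = [
    ("2016-05-02 10:31:02", "jdoe",       "WS-104", "FILESRV01"),
    ("2016-05-02 10:32:45", "jdoe",       "WS-104", "PRINT01"),
    ("2016-05-02 10:40:10", "svc_backup", "BKP01",  "FILESRV01"),
    ("2016-05-02 10:41:00", "mwalker",    "WS-219", "FILESRV01"),
    ("2016-05-02 10:41:07", "mwalker",    "WS-219", "FILESRV02"),
    ("2016-05-02 10:41:15", "mwalker",    "WS-219", "HRDB01"),
    ("2016-05-02 10:41:22", "mwalker",    "WS-219", "PAYROLL01"),
    ("2016-05-02 10:41:30", "mwalker",    "WS-219", "DC01"),
    ("2016-05-02 10:41:38", "mwalker",    "WS-219", "SQL01"),
    ("2016-05-02 13:05:00", "jdoe",       "WS-104", "FILESRV01"),
]

# Constructed baseline: which source hosts each account normally logs on from.
KNOWN_SOURCES = {
    "jdoe": {"WS-104"},
    "svc_backup": {"BKP01"},
    "mwalker": {"WS-217"},   # mwalker's usual workstation; WS-219 is new
}

def parse(record):
    ts, account, src, dst = record
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "account": account, "src": src, "dst": dst}

def detect_fan_out(records, window=timedelta(minutes=5), max_hosts=4):
    """Accounts that reached more than max_hosts distinct destination hosts
    inside any sliding time window. Returns {account: set of hosts reached}."""
    by_account = defaultdict(list)
    for ev in map(parse, records):
        by_account[ev["account"]].append(ev)
    alerts = {}
    for account, events in by_account.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):
            # slide the window start forward until it fits inside `window`
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            hosts = {e["dst"] for e in events[start:end + 1]}
            if len(hosts) > max_hosts:
                alerts[account] = hosts
    return alerts

def detect_new_source(records, known_sources):
    """Accounts seen logging on from a source host not in their baseline.
    Returns {account: set of unexpected source hosts}."""
    alerts = defaultdict(set)
    for ev in map(parse, records):
        if ev["src"] not in known_sources.get(ev["account"], set()):
            alerts[ev["account"]].add(ev["src"])
    return dict(alerts)

if __name__ == "__main__":
    for account, hosts in detect_fan_out(SAMPLE_LOGONS).items():
        print(f"fan-out: {account} reached {len(hosts)} hosts: {sorted(hosts)}")
    for account, srcs in detect_new_source(SAMPLE_LOGONS, KNOWN_SOURCES).items():
        print(f"new source: {account} from {sorted(srcs)}")
```

Both checks are deliberately simple so that an auditor can reason about why an alert fired; the threshold and window are tuning knobs that should be set from the organization's own baseline of normal fan-out (service and backup accounts in particular will need their own profiles or an allow-list).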
ASSESS RELEVANCY – ATTACK SCENARIOS & PATTERNS¹
12 most common attack scenarios³: social engineering, financial pretexting, insider threat, usb infection, peripheral tampering, rogue connection, logic switch, sql injection, cms compromise, backdoor access, ram scraping, credential theft
“over the previous three years, just 12 attack scenarios represent over 60% of our investigations.”³
9 incident patterns²: pos intrusions, web application attacks, cyberespionage, crimeware, insider/privilege misuse, payment card skimmers, miscellaneous errors, physical theft & loss, denial of service
“while we saw many changes in the threat landscape the last 12 months, [9] patterns still covered the vast majority of incidents (96%).”²
¹ refer to appendices C. through F. for additional threat pattern and scenario details.
² verizon dbir 2015: http://vz.to/1ILoZPv
³ verizon data breach digest 2016: http://vz.to/21zkult
ASSESS THREAT RELEVANCY – TOP PATTERNS
[charts: frequency of incident patterns across all security incidents¹; frequency of incident patterns with confirmed data breaches¹]
¹ verizon dbir 2015: http://vz.to/1ILoZPv
# OF BREACHES PER THREAT ACTION TYPE¹
top 5:
- C2 (malware)
- use of stolen creds
- export data (malware)
- use of backdoor or C2
- phishing (social)
¹ verizon dbir 2016: http://vz.to/1Svr72f
SECURITY AS ENTERPRISE RISK MANAGEMENT
• identify your threat landscape: assets, threat actors, and threats
• assess defense and determine relevancy of attacks
• audit and test defenses and technical controls
• communicate and collaborate with other lines of defense and audit committee
AUDIT & TEST – IDENTIFICATION OF SENSITIVE ASSETS
focus on completeness of inventory during data security audits:
- create data flows
- create system & asset inventory
- hold management accountable for upkeep
“entity should confirm the accuracy of their PCI DSS scope by identifying all locations and flows of cardholder data, and identify all systems that are connected to or, if compromised, could impact the CDE.” – PCI DSS 3.1
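A completeness test of the kind the slide describes is a reconciliation: management's inventory on one side, what is actually observed on the network and in the documented data flows on the other, with every mismatch becoming an exception for management to explain. The block below is an added example for this page, not the presenters' or Crowe's tooling; the host names, owners, PCI-scope flags, observed-host list and cardholder data flows are all constructed, and in practice the inventory and observed hosts would be loaded from a CMDB export and a network discovery export.

```python
# Added example, not from the presentation: reconciling management's system
# inventory against hosts observed on the network and against documented
# cardholder data flows, the completeness test the slide calls for.
# All host names, owners and flows below are constructed.

INVENTORY = [  # constructed: management's system & asset inventory
    {"host": "pos-01",       "owner": "store ops", "pci_scope": True},
    {"host": "pay-gw",       "owner": "payments",  "pci_scope": True},
    {"host": "fileshare-03", "owner": "IT",        "pci_scope": False},
    {"host": "hr-db",        "owner": "HR",        "pci_scope": False},
    {"host": "decom-srv",    "owner": "IT",        "pci_scope": False},
]

# constructed: hosts seen in a network discovery export
OBSERVED_HOSTS = {"pos-01", "pay-gw", "fileshare-03", "hr-db", "pos-02", "legacy-ftp"}

# constructed: documented cardholder data flows as (source, destination)
CHD_FLOWS = [("pos-01", "pay-gw"), ("pos-02", "pay-gw"), ("pay-gw", "fileshare-03")]

def reconcile(inventory, observed, flows):
    """Three exception lists an auditor would take back to management."""
    inventoried = {a["host"] for a in inventory}
    in_scope = {a["host"] for a in inventory if a["pci_scope"]}
    touches_chd = {h for flow in flows for h in flow}
    return {
        # live on the network but unknown to the inventory
        "not_inventoried": sorted(observed - inventoried),
        # in the inventory but no longer seen (stale records)
        "inventoried_not_observed": sorted(inventoried - observed),
        # appear in a cardholder data flow but not tagged as PCI in scope
        "chd_flow_not_in_scope": sorted(touches_chd - in_scope),
    }

def completeness_ratio(inventory, observed):
    """Share of observed hosts that the inventory accounts for."""
    inventoried = {a["host"] for a in inventory}
    return len(observed & inventoried) / len(observed)

if __name__ == "__main__":
    for name, hosts in reconcile(INVENTORY, OBSERVED_HOSTS, CHD_FLOWS).items():
        print(f"{name}: {hosts}")
    print(f"inventory covers {completeness_ratio(INVENTORY, OBSERVED_HOSTS):.0%} of observed hosts")
```

The third exception list is the one the PCI DSS quotation is about: a host that carries cardholder data in a documented flow but is not marked in scope is exactly the scoping error the standard asks the entity to rule out.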
AUDIT & TEST – ALIGN WITH SECURITY FRAMEWORK
example security frameworks: COBIT, ISO 2700X, NIST or OCTAVE
COBIT 5
- more focus on alignment with business goals, governance roles (2nd & 3rd line of defense)
- control set (no risk language)
- maps to ISO 27001, NIST CSF
ISO 27001/27002
- controls have wider coverage than NIST CSF
- accepted standard in many countries
- supports certification process
- maps to NIST CSF, COBIT
NIST cybersecurity framework
- subset of verbose sp 800-53 NIST framework
- control set (no risk language)
- detailed guidance for technical controls
- maps to ISO 27001, COBIT
OCTAVE allegro
- many publications
- risk-based approach
- aligns with NIST risk assessment publication sp 800-39
- provides steps, worksheets, questionnaires; not a control framework
AUDIT & TEST – ASSESS MEASUREMENT CAPABILITY
establish method to measure key risks & controls
[matrix] columns (data categories): intellectual property; cardholder (PCI); health (ePHI); employee (PII); customer (PII); financial (SOX)
rows (risk & control activities): system & asset inventory; third party inventory; identify & classify risks; define control requirements; identify existing controls; control assessment; measure residual risks; identify & manage incidents
AUDIT & TEST – ACROSS THE ATTACK CHAIN
[diagram] layers: Internet | Application | Infrastructure | Endpoint
components shown: third party, firewall, remote users, mobile devices, web application, applications, network, employees, workstations, servers, printers, cloud, database
AUDIT & TEST – SOCIAL ENGINEERING AUDIT
malicious email filtering:
- blocking sufficient % of malicious emails
- filters updated based on incidents
phishing incident management:
- accurate, complete list of incidents
- analysis of nature and severity
- remediation effective & complete; includes cleaning user systems, blocking at network-level, identifying any command & control activity
security awareness program:
- evaluate effectiveness & reach of training & communications
- determine how effectiveness of program is evaluated
AUDIT & TEST – PHISHING SIMULATIONS
1. email ploy crafted by audit (similar to actual)
2. phishing engine selects appropriate random targets across areas of organization
3. measure % that click, open, provide credentials
4. repeat different ploys regularly, collecting stats
- % open email (30% avg.¹)
- % open link / attachment (12% avg.)
- % report suspicious email (3% avg.)
- track % over time
- track % by area
- adjust awareness program
¹ verizon dbir 2016: http://vz.to/1Svr72f
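The statistics in steps 3 and 4 are straightforward to compute once each simulation records one outcome row per targeted user; the same rows, grouped one way, give the per-campaign trend and, grouped another way, the per-area comparison the slide asks for. The following is an added example for this page and not the presenters' phishing engine or reporting; the campaign names, business areas, users and outcomes are constructed, and the four outcome flags correspond to the four rates listed above (opened, clicked link/attachment, submitted credentials, reported).

```python
# Added example, not from the presentation: computing the simulation
# statistics listed above (open, click, credential submission and report
# rates) by campaign and by business area, and the trend across campaigns.
# The campaign names, areas and per-user outcomes are all constructed.
from collections import defaultdict

METRICS = ("opened", "clicked", "submitted", "reported")

# constructed: one row per targeted user per campaign
# (campaign, area, user, opened, clicked, submitted credentials, reported)
RESULTS = [
    ("2016-Q1", "finance",   "f1", 1, 1, 1, 0),
    ("2016-Q1", "finance",   "f2", 1, 1, 0, 0),
    ("2016-Q1", "finance",   "f3", 1, 0, 0, 0),
    ("2016-Q1", "finance",   "f4", 0, 0, 0, 0),
    ("2016-Q1", "finance",   "f5", 0, 0, 0, 0),
    ("2016-Q1", "store ops", "s1", 1, 1, 0, 0),
    ("2016-Q1", "store ops", "s2", 1, 0, 0, 1),
    ("2016-Q1", "store ops", "s3", 0, 0, 0, 0),
    ("2016-Q1", "store ops", "s4", 0, 0, 0, 0),
    ("2016-Q1", "store ops", "s5", 0, 0, 0, 0),
    ("2016-Q2", "finance",   "f1", 1, 1, 0, 0),
    ("2016-Q2", "finance",   "f2", 1, 0, 0, 1),
    ("2016-Q2", "finance",   "f3", 0, 0, 0, 0),
    ("2016-Q2", "finance",   "f4", 0, 0, 0, 0),
    ("2016-Q2", "finance",   "f5", 0, 0, 0, 0),
    ("2016-Q2", "store ops", "s1", 1, 0, 0, 1),
    ("2016-Q2", "store ops", "s2", 0, 0, 0, 1),  # reported from the preview pane without opening
    ("2016-Q2", "store ops", "s3", 0, 0, 0, 0),
    ("2016-Q2", "store ops", "s4", 0, 0, 0, 0),
    ("2016-Q2", "store ops", "s5", 0, 0, 0, 0),
]

def rates(results, group_by="campaign"):
    """Percentage of targets that opened / clicked / submitted / reported,
    grouped by campaign or by area. Returns {group: {metric: percent}}."""
    idx = {"campaign": 0, "area": 1}[group_by]
    counts = defaultdict(lambda: {"targets": 0, **{m: 0 for m in METRICS}})
    for row in results:
        c = counts[row[idx]]
        c["targets"] += 1
        for metric, flag in zip(METRICS, row[3:]):
            c[metric] += flag
    return {g: {m: round(100 * c[m] / c["targets"], 1) for m in METRICS}
            for g, c in counts.items()}

def trend(results, metric="clicked"):
    """Change in a metric from the earliest to the latest campaign, in
    percentage points (campaign names sort chronologically as written)."""
    by_campaign = rates(results, "campaign")
    first, last = min(by_campaign), max(by_campaign)
    return round(by_campaign[last][metric] - by_campaign[first][metric], 1)

if __name__ == "__main__":
    for group_by in ("campaign", "area"):
        for group, r in sorted(rates(RESULTS, group_by).items()):
            print(group_by, group, r)
    print("click rate change since first campaign:", trend(RESULTS), "points")
    print("report rate change since first campaign:", trend(RESULTS, "reported"), "points")
```

Reporting rate deserves as much attention as click rate: in the constructed data it rises from 10% to 30% while clicks fall from 30% to 10%, which is the pattern an awareness program is meant to produce, and tracking it by area shows where the program's reach is weakest.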
INFORMATION SECURITY AUDITS TO CONSIDER
- cloud & data lake governance
- it asset management
- security vulnerabilities & patching assessment
- phishing & security awareness
- network segmentation assessment
- security logging & event detection
- penetration testing
- web & mobile application assessment
- program assessments: PCI & PHI
- information security overall assessment
- firewall ruleset assessment
SECURITY AS ENTERPRISE RISK MANAGEMENT
• identify your threat landscape: assets, threat actors, and threats
• assess defense and determine relevancy of attacks
• audit and test defenses and technical controls
• communicate and collaborate with other lines of defense and audit committee
RELEVANT COMMUNICATION TO LEADERS
3rd line of defense: what are you communicating to the audit committee, security, IT, and the business about cybersecurity?
THANK YOU
Lucas Morris [email protected]
www.github.com/CroweCybersecurity
214-777-5257
Nate Anderson [email protected]
A. CYBERSECURITY THREAT REPORTS
• key data breach / cybersecurity reports
– verizon data breach investigations report
• 2014: http://vz.to/1pMX6xZ | 2015: http://vz.to/1ILoZPv
• 2016: http://vz.to/1Svr72f
– verizon data breach digest: 2016: http://vz.to/21zkult
– dell security annual threat report:
• 2015: http://bit.ly/1UhOmyF | 2016: http://dell.to/1QeaJ4X
– symantec internet security threat report:
• 2015: http://symc.ly/1MBxADq | supplement: http://symc.ly/1aVPSSs
– mcafee labs threats predictions: 2015: http://intel.ly/1No3xh0
– ponemon global megatrends in cybersecurity: http://rtn.co/1KmCqRS
B. POPULAR FRAMEWORKS ON ASSET IDENTIFICATION
methodology | system & asset reference
nist cybersecurity framework¹ | step 2: orient. Once the scope of the cybersecurity program has been determined for the business line or process, the organization identifies related systems and assets, regulatory requirements, and overall risk approach. The organization then identifies threats to, and vulnerabilities of, those systems and assets.
octave allegro² | step 2: develop an information asset profile. The methodology focuses on the information assets of the organization and Step 2 begins the process of creating a profile for those assets… The methodology’s profiling process ensures that an asset is clearly and consistently described, that there is an unambiguous definition of the asset’s boundaries, and that the security requirements for the asset are adequately defined. The profile for each asset is captured on a single worksheet that forms the basis for the identification of threats and risks in subsequent steps.
octave allegro² | step 3: identify information asset containers. Containers describe the places where information assets are stored, transported, and processed. Information assets reside not only in containers within an organization’s boundaries but they also often reside in containers that are not in the direct control of the organization. Any risks to the containers in which the information asset lives are inherited by the information asset.
¹ nist csf: http://1.usa.gov/1dIqXf5
² octave allegro: http://bit.ly/1LTaH2F
C. THREAT ACTIONS – TOP 9 INCIDENT PATTERNS¹
[chart]
¹ verizon data breach digest 2016: http://vz.to/21zkult
D. THREAT ACTIONS – 12 MOST COMMON SCENARIOS¹
# | scenario | freq | threat actor(s) | sophistication | threat source
1 | social engineering | 16% | organized crime, state-affiliated | 3-4-5 | China, Argentina, North Korea, Russian Federation
2 | financial pretexting | 7% | organized crime | 2-3 | varies
3 | insider threat | 12% | cashier/bank teller/waiter, end users, organized crime, finance employees, call center employees | 1 | varies
4 | usb infection | 33% | state-affiliated, organized crime | 4-5 | China, North Korea, Russian Federation
5 | peripheral tampering | <1% | organized crime | 2 | Bulgaria, Romania, Armenia, Brazil, the U.S.
6 | rogue connection | 4% | organized crime | 1-2-3 | varies
7 | logic switch | 53% | organized crime, unaffiliated, state-affiliated, activist group | 1-2-3-4-5 | the U.S., China
8 | sql injection | 23% | activist, organized crime, state-affiliated | 3 | varies
9 | cms compromise | 46% | organized crime | 3 | China, Malaysia, the U.S., Russian Federation
10 | backdoor access | 51% | state-affiliated, organized crime | 3-4-5 | Romania, China, Russian Federation
11 | ram scraping | 55% | organized crime, state-affiliated | 2-3 | Romania, Germany, China, Russian Federation
12 | credential theft | 42% | organized crime, state-affiliated | 2-3-4-5 | Ukraine, China, Romania, Germany, Russian Federation, the U.S.
¹ verizon data breach digest 2016: http://vz.to/21zkult
E. THREAT ACTIONS – 6 LETHAL SCENARIOS¹
# | scenario | freq | threat actor(s) | sophistication | threat source
1 | digital extortion | 9% | organized crime | 2 | varies
2 | partner misuse | 4% | business-2-business partner | 1 | varies
3 | hacktivist attack | 3% | activist group | 1-2 | unknown, Syria
4 | dns tunneling | <1% | state-affiliated, organized crime | 3 | varies
5 | data ransomware | 4% | organized crime | 1-2 | varies
6 | sophisticated malware | 32% | state-affiliated, organized crime | 4-5 | varies
¹ verizon data breach digest 2016: http://vz.to/21zkult
F. TOP 25 VERIS (VERIZON) THREAT ACTIONS¹
# | threat action
1 | Phishing—Phishing (or any type of *ishing)
2 | Use of stolen creds—Use of stolen credentials
3 | RAM scraper—RAM scraper or memory parser
4 | Brute force—Brute force attack
5 | Export data—Export data to another site or system
6 | Use of backdoor or C2—Use of backdoor or C2
7 | Unknown—Malware unknown
8 | Backdoor—Backdoor (enable remote access)
9 | Spyware/Keylogger—Spyware, keylogger, etc.
10 | Unknown—Hacking unknown
11 | C2—Command and control (C2)
12 | Capture stored data—Capture data stored on disk
13 | Downloader—Downloader (pull updates or other malware)
14 | Scan network—Scan or footprint network
15 | Password dumper—Password dumper
16 | Privilege abuse—Abuse of system access privileges
17 | Skimmer—Payment card skimmers
18 | Adminware—System or network utilities (e.g., PsTools)
19 | Rootkit—Rootkit (maintain local privileges and stealth)
20 | SQL injection—SQL injection attack
21 | Exploit vuln—Exploit vulnerability in code
22 | Disable controls—Disable or interfere with security controls
23 | Brute force—Brute force attack
24 | Unapproved hardware—Use of unapproved hardware
25 | Packet sniffer—Packet sniffer (capture data from network)
¹ verizon data breach digest 2016: http://vz.to/21zkult
ICON CREDITS – 1 OF 2¹
¹ thenounproject.com
icon – credit
- invoice 1 – alex auda samora
- invoice 2 – alex auda samora
- cloud server – icon 54
- credit card – redfusion
- bank – anbileru adaleru
- black database – sergio luna
- money – gregor cresnar
- mystery person – yamini ahluwalia
- building – lil squid
- health – joao proenca
- brain – jessie_vp
- white server – mister pixel
- diamond – rflor
- report – aldredo hernandez
- server w/legs – chameleon design
- thumbprint – wilson joseph
- cash register – icon 54
- spreadsheet – useiconic
- license – olivia stelan
- elephant – ted mitchner
- circle lifecycle – yamini ahluwalia
- process flow – mantisshrimpdesign
- black hoodie – olivier guin
- black hat spy – alex auda samora
- black mask – luis prado
- white mask – icon 54
- black mask hat – creative stall