Baker Tilly refers to Baker Tilly Virchow Krause, LLP,
an independently owned and managed member of Baker Tilly International.
29th Annual FMA Conference
Wednesday, May 4, 2016 - Friday, May 6, 2016
Emerging Trends in Cybersecurity
Brian Sanvidge / Baker Tilly Virchow Krause LLP
Patrick Yu / Baker Tilly Virchow Krause LLP
Agenda
> Introduction
> Organizational Data Breach Examples and Advisory
> Cybersecurity Risk Landscape Overview
> Cyber Risk Governance
> Implement Controls and Breach Response
Objectives of this presentation
> Raise awareness of the emerging trends in cybersecurity, such as
the threats and the potential cost that a breach could have on your
organization
> Establish an understanding of what your organization and board
can do to reduce the likelihood and impact of a breach
> Identify key characteristics and aspects within an incident/breach
response plan and how this plan will reduce the impact of the
unfortunate event
Organizational data breach examples and advisory
Target Stores - Data Breach
In November 2013 Target Corporation announced that data from
around 40 million credit and debit cards was stolen. It is the second
largest credit and debit card breach in history.
> Engaged a third-party forensic expert to conduct an extensive investigation
> The initial intrusion into Target store networks was possible thanks to
network passwords stolen from an air conditioning and heating contractor
based in Pennsylvania, Fazio Mechanical Services.
> Target agreed to reimburse thousands of financial institutions as much as
$67 million
> The data breach cost Target $252 million in total
> Target also spent $100 million shoring up digital security
> Sales fell by 46% in the Fourth Quarter of 2013
Goodwill - Data Breach
In July 2014 Goodwill Industries fell victim to a breach that led to the
theft of customer credit and debit card data. The stolen data comprised
868,000 credit cards (names, card numbers, and expiration dates)
from 330 store locations across 20 states.
> Engaged a third-party forensic expert to conduct an extensive investigation
> The third-party vendor's systems were attacked by malware, enabling criminals
to access some payment card data of a number of the vendor's customers
> The impacted Goodwill members used the same affected third-party vendor
to process credit card payments
> Impacted 20 of 158 Goodwill member locations
- Krebs on Security
Anthem - Data Breach
In January 2015, Anthem Health suffered a data breach
exposing patient and employee names, DOB, Social
Security numbers, emails, employment info, and income
data.
> Anthem did not encrypt their data
> Anthem exhausted their $100 million cybersecurity
insurance policy from the customer notifications alone
(ZDNet: Technology News)
> The cost to Anthem well exceeded this amount
> Data breaches cost the healthcare industry as a whole
about $5.6 billion annually (Forbes)
JPMorgan Chase - Data Breach
In July 2014, JPMorgan Chase fell victim to a
cyberattack that compromised customer
usernames, addresses, phone numbers, and
email addresses
> Protection Group International estimated the
cost of the breach at $1 billion
> 76 million households and 7 million small
businesses were exposed to the hack
> JPMorgan Chase invests $250 million in cyber
security a year
E-mail Phishing Advisory
Phishing is the attempt to gather sensitive information (such as
usernames, passwords and credit card information) using a fake
request via electronic communication (i.e., a website, e-mail, etc.) that
appears to originate from a trustworthy entity.
> The NYS Information Technology Services (ITS) Cyber Security Operations
Center (CSOC) has been notified of an active phishing email threat
targeting government agencies and has received reports of a well-crafted
phishing email circulating in the past two weeks at several US universities.
The email notifies employees that their electronic W-2s are available and
encourages them to click to log in and view/print their W-2s. The link takes
them to a landing page which has been made to look like the organization's
Human Resources site.
> Those who fall victim to the phishing email may have their personal
information compromised, including login, password, tax information, bank
account information, personal contact information and benefit information.
E-mail Phishing Advisory
Measures to prevent E-Mail Phishing
> Do not reply to e-mails with any personal information or passwords, and do
not click a link in an unsolicited e-mail message. If you have reason to
believe the request is real, call the institution or company directly to confirm.
> Avoid using the same password for your work computer login, bank
accounts, Facebook, etc. In the event you do fall victim to a phishing
attempt, the thieves will try the compromised password in as many places
as they can.
> If you suspect any account you have access to may be compromised,
change ALL of your passwords.
> Be equally cautious when reading email on your phone. It may be easier to
miss telltale signs of phishing attempts when reading the email on a smaller
screen.
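As an added example that is not part of the original presentation: a small Python check, in the spirit of the "do not click a link in an unsolicited e-mail" advice above, that scans the links in an e-mail body for the two signs the W-2 lure relies on, a link whose real destination lies outside the organization's own domains, and link text that shows one host while the href points at another. The trusted domain example.org, the sample e-mail and the HR link in it are constructed for this illustration and are not from the advisory.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical organization domains; a genuine HR/W-2 link would land on one of these.
TRUSTED_DOMAINS = ("example.org",)

# Constructed sample e-mail body modelled on the W-2 lure described in the advisory.
SAMPLE_EMAIL = """
<p>Your electronic W-2 is now available.</p>
<p><a href="https://example-org-hr.com/login">Click to log in and view your W-2</a></p>
<p><a href="https://hr.example.org/w2">hr.example.org/w2</a></p>
<p>Or visit <a href="http://198.51.100.7/hr">hr.example.org</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host_in(host, domains):
    """True if host equals, or is a subdomain of, one of the trusted domains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def suspicious_links(html_body, trusted_domains=TRUSTED_DOMAINS):
    """Return a list of (href, reason) for links a reader should not click."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        target = urlparse(href)
        host = (target.hostname or "").lower()
        if target.scheme not in ("http", "https"):
            findings.append((href, "link is not a normal web link"))
        elif not _host_in(host, trusted_domains):
            findings.append((href, "destination %s is outside the trusted domains" % host))
        # Visible text that itself looks like a URL must agree with the real destination.
        looks_like_url = " " not in text and "." in text.strip(".")
        if looks_like_url:
            shown = urlparse(text if "://" in text else "https://" + text)
            shown_host = (shown.hostname or "").lower()
            if shown_host and shown_host != host:
                findings.append((href, "text shows %s but link goes to %s" % (shown_host, host)))
    return findings


if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE_EMAIL):
        print(href, "->", reason)
```

On the sample body the check flags the look-alike "example-org-hr.com" login link and the raw-address link whose text reads hr.example.org, and passes the link that genuinely lands on the organization's own HR host. A mail gateway would apply the same two tests before the message reaches the inbox; the allowlist is the part each organization has to maintain.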
IRS - Phishing Hack
Taxpayers often fall victim to criminals perpetrating
phishing schemes. Callers contact individuals via phone or
email and demand tax information and immediate
payment.
> The phishers appear legitimate by using personal
information like taxpayers' names and addresses
> They also utilize false badge numbers and IRS titles
> 2016 has seen a 400% increase in phishing schemes
> Since October 2013, there have been 896 thousand
phishing scam reports
> 5,000 victims have paid a total of $26.5 million
− Fortune Magazine
Home Depot - Phishing Hack
In November 2014, hackers used a vendor's stolen log-in
credentials to perpetrate a massive hack on Home Depot.
The breach allowed the criminals to gain access to 53
million email addresses as well as millions of credit card
records.
> Customers were alerted to look out for phishing
scammers
> The false emails attempted to lure customers into
revealing personal data by “signing up” for exclusive
savings
> The breach cost the company $62 million
− SC Magazine
Cybersecurity risk landscape overview
Changing cyber risk landscape
Past: Mostly physical assets (plants, equipment); relatively few digitized assets.
Present: Highly digitized asset base (IP, financial, PII), mobile and cloud technologies.
Implications: Strong cybersecurity controls and processes are required to protect these assets.

Past: Simple, unsophisticated attacks (e.g., web site defacement intended to embarrass).
Present: Advanced Persistent Threats (APTs) involve a high degree of complexity and sophistication; hacker "gangs" steal IP and other assets for financial gain, sometimes using ransom to hold the data "hostage".
Implications: The company must have adequate resources and capabilities to protect the IT environment; it may require obtaining third-party assistance or even using a Managed Security Services (MSS) provider, and may require working closely with law enforcement.

Past: IT budgeted hardware and software expenditures; managed deployment and use.
Present: The ability of IT to manage alone may be insufficient; budgets are increasing.
Implications: The budget for cybersecurity should be rolled up at an enterprise level, not necessarily tied to one department.

Past: Relatively insulated, self-contained IT environment with limited complexity; application support provided in-house with limited use of 3rd parties for hosting and cloud services.
Present: Cybersecurity needs to be managed in the context of an extended "digital ecosystem" involving outside stakeholders and 3rd parties/vendors.
Implications: Cybersecurity must be managed as an enterprise-wide risk, not just an IT issue.

Past: Limited use of mobile data access; IT provided a restricted list of mobile device choices which provided robust security support.
Present: Mobile user access to applications containing personal/financial data and use of Bring Your Own Device is nearly commonplace.
Implications: More challenging for IT to assure the security of "end point" devices.
What is cybersecurity risk?
> For most organizations, value resides in their data and systems
> A sophisticated community of hacktivists, cyber criminals, organized crime
syndicates, and foreign governments wants to cause competitive harm or
profit by exploiting technical and social vulnerabilities of information assets
> This combination leads to a high likelihood of data breaches
Data at Rest vs. Data in Motion
> Data at Rest – data held in computer storage
> Data in Motion – data moving across the network
> Encryption – scrambling the contents of a file to
increase security. The contents can only be
read by an individual with the encryption key.
Types of Data Breaches
Hackers come in different stripes and perpetrate
data breaches for a variety of goals. The following
are some of the more common hacks:
> Denial of Service (DoS)
> Website Defacement
> Ransomware
> Data Theft
Types of Data Breaches - Denial of Service
A denial-of-service (DoS) attack is an attempt to
make a machine or network resource unavailable
to its intended users
> Buffer Overflow Attacks – overwhelm a network
address with traffic
> Teardrop Attack – attacker’s IP crashes the
system by placing a confusing offset value in a
packet fragment
> Smurf Attack – flood the host network with IP
pings
Types of Data Breaches - Website Defacement
> In 2013, the hacking group Anonymous hacked the
website of the US Sentencing Commission to avenge
the death of internet activist Aaron Swartz, reported
RYOT
> The group posted a warning that "a line was crossed"
> Swartz allegedly committed suicide after being
investigated by federal prosecutors
Types of Data Breaches - Data Theft
> Hackers utilize “Man in the Browser” (MITB)
attacks to steal sensitive information from
websites
> The victim’s website is infected with malware
that monitors activity
> When a sensitive site is visited, the malware
pounces and gathers the relevant data
Types of Data Breaches - Ransomware
> Ransomware gains access to a computer either
via an email attachment or a malicious website
> The malware then automatically encrypts files
and issues an electronic ransom note
> Typically, payment is demanded in the form of the
cryptocurrency Bitcoin
Impacts of data breaches
> Negative publicity
> Regulatory sanctions
> Refusal to share personal information
> Damage to brand
> Regulator scrutiny
> Legal liability
> Fines
> Damaged customer relationships
> Damaged employee relationships
> Deceptive or unfair trade charges
Cyber Risk Governance
What to do now - Five Principles
Source: National Association of Corporate Directors
I. Understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.
II. Understand the legal implications of cyber risks as they relate to their organization's specific circumstances.
III. Gain adequate access to cybersecurity expertise, and discussions about cyber risk management should be given regular and adequate time.
IV. Management will establish an enterprise-wide cyber risk management framework with adequate staffing and budget.
V. Discussion of cyber risk should include identification of which risks to avoid, accept, mitigate or transfer through insurance, as well as specific plans associated with each approach.
Principle I
Directors need to understand and approach cybersecurity as an
enterprise-wide risk management issue, not just an IT issue.

Issue: Cybersecurity is often seen as an IT issue requiring little involvement from business stakeholders.
Risk: Lacks alignment with strategic business and cross-departmental initiatives.
Recommendation: Require active participation across the enterprise.

Issue: IT may lack visibility into risks from business activities (e.g., M&A, social media, breaches from 3rd-party cloud and Business Process Outsourcing providers, customers).
Risk: May raise the company's cybersecurity risk profile; breaches may be difficult to address or even go undetected.
Recommendation: Involve the Chief Information Security Officer (CISO) in new initiatives that may raise the cyber risk profile.
Principle I - Board Questions for Management
> Is management focused on making cyber-risk part of everyone’s
job, not just IT? Is there a formal cyber awareness program in
place?
> Does the organization have an enterprise-wide cyber-risk
management team? Has the organization risk appetite been
established?
> How does the organization ensure that the CISO is involved in
assessing new, high-risk business initiatives?
> In an M&A context, what is the level of cyber due diligence done on an
acquisition target? How is this information used?
> Has the organization performed an analysis of the “cyber-
robustness” of the organization’s products and services to analyze
potential vulnerabilities that could be exploited by hackers?
Principle II
Directors should understand the legal implications of cyber risks
as they relate to their company's specific circumstances.

Issue: Contractual obligations to customers (e.g., compliance, breach notification requirements) may not be identified and monitored over time.
Risk: Lack of awareness of specific contractual obligations to protect data.
Recommendation: Perform an enterprise-wide contract review to ensure that cyber-related contract obligations are well understood.

Issue: Lacks a comprehensive, risk-based vendor management program that includes all third-party relationships across the vendor lifecycle (from risk assessment through monitoring).
Risk: Use of vendors with poor cybersecurity controls may increase risk; inconsistent expectations around notification requirements may complicate timely resolution of data breaches.
Recommendation: Implement and maintain a comprehensive vendor management program.

Issue: The company may be unaware of Personally Identifiable Information (PII) held across the enterprise and the corresponding legal requirements to protect it.
Risk: Insufficient understanding of the cyber risks posed by "overlooked" data.
Recommendation: Ensure that data is properly classified (confidential, internal use only, public) and that an enterprise-wide data inventory is completed. The inventory should reflect how data should be shared as well as the data "owner".
Principle II - Board Questions for Management
> Has the organization conducted a review of legal contracts in
place with vendors, stakeholders, etc. to determine cybersecurity
and compliance commitments? Are new contracts reviewed for
cyber-risk?
> Is there a comprehensive program to ensure that outsourced
providers and contractors have cyber controls and policies in
place and are clearly monitored? Do those policies align with the
organization’s expectations?
> Has a formal breach response plan been put in place? Is it
practiced at least annually? Who is part of the response team?
> What is the organization’s volume of cyber incidents on a weekly
or monthly basis? What is the magnitude/severity of those
incidents? What is the time taken and cost to respond to those
incidents?
Principle III
Boards should have adequate access to cybersecurity expertise, and
discussions about cyber risk management should be given regular and
adequate time on the board meeting agenda.

Issue: Directors lack regular interaction with a knowledgeable and independent Chief Information Security Officer (CISO) and/or third party that can brief them on the state of company cyber risks.
Risk: Directors may not have full awareness of the cyber risks faced by the company, nor of the internal obstacles that may hamper the effectiveness of addressing them.
Recommendation: Meet with the company CISO at least annually to:
1. Understand key issues from the CISO's perspective
2. Discuss the CISO's security strategy and current projects
3. Provide the CISO with an opportunity to identify any roadblocks (e.g., budget, political agendas)
4. Understand activities around data breaches within the company's industry and how such knowledge is applied to the company
5. Ensure that relevant management metrics are reviewed regularly on an entity level
Principle III - Board Questions for Management
> Where do business operations and the IT team disagree on cybersecurity? How is this disagreement resolved?
> Is the audit committee and full board briefed regularly on cyber-risk?
> Given the sheer complexity and magnitude of many cyber security issues, should the Board hire its own “cyber advisers” to consult on cyber security issues, and to be available to ask questions of the organization’s senior management, CTOs, and CIOs?
Principle IV
Directors should set the expectation that management will establish an
enterprise-wide cyber risk management framework with adequate
staffing and budget.
Issue: Lacks a comprehensive cybersecurity risk management framework; the audit committee lacks the ability to track relevant metrics over time.
Risk: Unable to identify changes in the company's cyber risk profile.
Recommendation: Establish a comprehensive risk management framework (e.g., NIST) and appropriate metrics.

Issue: Lack of regular, independent assessment of the current cybersecurity environment against the framework.
Risk: Weaknesses in the current cybersecurity environment may be missed or overlooked.
Recommendation: Annual review by Internal Audit or outside consultants.
Principle IV - Board Questions for Management
> Does the organization have a systematic framework, such as
the NIST Framework, in place to address cybersecurity and
assure adequate cyber hygiene?
> Are policies currently mapped to the framework?
> Does the organization have the right gauges to measure the
success of its cybersecurity risk management program?
> What are the critical assets that must be protected?
> Does the organization work with law enforcement and
appropriate government agencies to monitor cyber-threats
industry-wide?
Principle V
Board-management discussion of cyber risk should include
identification of which risks to avoid, accept, mitigate or
transfer through insurance, as well as specific plans
associated with each approach.
Issue: Breaches may expose the company to fines, penalties, consumer credit monitoring, legal/consulting assistance and other costs.
Risk: Financial.
Recommendation: Regularly review the company's cyber liability insurance coverage to determine whether coverage is appropriate.
Principle V – Board Questions for Management
> When was the organization’s cyber liability insurance
coverage last reviewed, who reviewed it and what were
results of review (e.g., deductibles and amount and
coverage)?
> How does the organization determine which cyber-risks to
avoid, accept, mitigate or transfer?
> How frequently are these decisions discussed with the
board?
Implement controls and breach response
Action: implementing cybersecurity controls
01. Conduct risk assessment
02. Categorize information & applications
03. Select and implement security controls
04. Test security controls for vulnerabilities
05. Remediate vulnerabilities
06. Monitor security controls continually
Ongoing Monitoring
Ongoing monitoring means that someone, either in house or through a managed
service, is watching over your security environment. This can take many forms:
> Log-based monitoring is the easiest and most common, as these systems leverage the
output of your current security estate; however, this method is subject to the
device manufacturers' interpretation of how a digital environment should
operate.
> SOC services for ongoing monitoring are the next step up, as these are
security professionals looking over your environment for you. These are
predominantly log based, and the same caveat as above applies.
> The best way to ensure security is through ongoing monitoring using a Full
Packet Capture based system. These systems pull the raw data off the
network, store it, and run analytics against it. The data cannot be skewed
and is not open to the interpretation of the manufacturer. These
systems give you near-immediate visibility into your environment. In
the event of a breach, they can also aid a forensic examiner in
identifying pertinent evidence.
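To make the log-based monitoring described above concrete, here is an added Python example (not from the presentation or from Baker Tilly) that runs a simple detection over a few constructed sshd-style authentication log lines: it keeps a sliding window of failed logins per source address, alerts when the count crosses a threshold, and alerts again when a success follows such a burst, which is the "thieves will try the compromised password" scenario from the phishing advisory seen from the defender's side. The log format, hostnames, usernames and addresses are all made up for the example; a real SOC would feed the same logic from its log collector.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd-style authentication log lines (host, users and addresses are made up).
SAMPLE_LOG = """\
2016-05-04T09:00:01 host1 sshd[101]: Failed password for invalid user admin from 203.0.113.5 port 51000 ssh2
2016-05-04T09:00:03 host1 sshd[102]: Failed password for root from 203.0.113.5 port 51001 ssh2
2016-05-04T09:00:04 host1 sshd[103]: Failed password for root from 203.0.113.5 port 51002 ssh2
2016-05-04T09:00:06 host1 sshd[104]: Failed password for root from 203.0.113.5 port 51003 ssh2
2016-05-04T09:00:09 host1 sshd[105]: Failed password for root from 203.0.113.5 port 51004 ssh2
2016-05-04T09:00:12 host1 sshd[106]: Accepted password for root from 203.0.113.5 port 51005 ssh2
2016-05-04T09:05:00 host1 sshd[107]: Failed password for alice from 192.0.2.10 port 40000 ssh2
2016-05-04T09:20:00 host1 sshd[108]: Accepted password for alice from 192.0.2.10 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Accepted|Failed) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line):
    """Turn one log line into an event dict, or None if it is not a login event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "ok": m.group("result") == "Accepted",
        "user": m.group("user"),
        "src": m.group("src"),
    }


def detect_auth_abuse(log_text, threshold=5, window_seconds=60):
    """Sliding-window detection: a burst of failures per source, and a success right after one."""
    failures = defaultdict(deque)  # source address -> timestamps of recent failed logins
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        recent = failures[ev["src"]]
        # Expire failures that fell out of the window before looking at this event,
        # so an old single typo followed by a normal login does not raise an alert.
        while recent and (ev["ts"] - recent[0]).total_seconds() > window_seconds:
            recent.popleft()
        if ev["ok"]:
            if len(recent) >= threshold:
                alerts.append((ev["src"], "successful login for %s after %d failures within %ds"
                               % (ev["user"], len(recent), window_seconds)))
            recent.clear()
            continue
        recent.append(ev["ts"])
        if len(recent) == threshold:  # fire once, when the threshold is crossed
            alerts.append((ev["src"], "%d failed logins within %ds" % (threshold, window_seconds)))
    return alerts


if __name__ == "__main__":
    for src, why in detect_auth_abuse(SAMPLE_LOG):
        print(src, "-", why)
```

The two alerts it raises on the sample, a burst of five failures from 203.0.113.5 and the success that follows it, are exactly the kind of log-derived signal the slide calls "subject to the manufacturer's interpretation": the detection is only as good as the fields the daemon chose to log, which is the argument made above for complementing it with packet capture.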
Why is cybersecurity incident/breach response important?
> Frequency: Breaches are happening more frequently.
> Media attention: 2015 was a record year for breaches in the press/media.
> Requirements: Regulations require incident/breach response plans.
> Damage: Inappropriate or inadequate response can lead to reputational and financial damage.

Why is cybersecurity incident/breach response important?
> According to Symantec, 60% of all targeted attacks in 2014 affected small and
medium size organizations.
> It is estimated that 25% of all mobile devices encounter a threat each month
(Source: Skycure Mobile Threat Defense).
> As one example, from September 2013 through May 2014, a viral program
known as CryptoLocker affected thousands of computers, before the spread
was stopped by the US Department of Justice, the FBI, Interpol and security
software vendors. During this time, the program would infect a computer,
encrypt files on the local machine and on network drives (making them
inaccessible to the user), and display a prompt for an online payment of as
much as $400 within 72 hours in order for the files to be unlocked. The
operators of this scheme are believed to have extorted around $3 million. It is
estimated that as many as 3% of users who were infected chose to pay. Many
others had unaffected offline backups in place, and used these backups to
recover the lost data. The use of offline backups for data recovery is an
important response tool when cybersecurity threats impact data and daily
operations.
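The CryptoLocker account above and the ransomware slide earlier come down to the same recovery question: can you tell which files were overwritten with ciphertext, and do you have a trustworthy copy to restore? As an added Python example (not from the presentation), the block below records a manifest of SHA-256 hashes when an offline backup is taken and later verifies the live tree against it, listing changed, missing and new files and flagging those whose byte entropy is high enough to look encrypted. The file names and contents are constructed; demo() builds them in a temporary directory and simulates damage to two of them with random bytes standing in for ciphertext.

```python
import hashlib
import math
import os
import tempfile


def sha256_file(path):
    """SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative, forward-slash path) to its SHA-256."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def shannon_entropy(data):
    """Bits of entropy per byte; random or encrypted data sits close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def verify_against_manifest(root, manifest, entropy_threshold=7.5):
    """Compare the live tree with the backup manifest and flag encrypted-looking files."""
    current = build_manifest(root)
    report = {"changed": [], "missing": [], "new": [], "likely_encrypted": []}
    for rel in sorted(set(manifest) | set(current)):
        if rel not in current:
            report["missing"].append(rel)
            continue
        if rel not in manifest:
            report["new"].append(rel)
        elif current[rel] != manifest[rel]:
            report["changed"].append(rel)
        else:
            continue  # unchanged since the backup was taken
        with open(os.path.join(root, rel), "rb") as f:
            sample = f.read(65536)
        if shannon_entropy(sample) >= entropy_threshold:
            report["likely_encrypted"].append(rel)
    return report


def demo():
    """Constructed scenario: back up three text files, then simulate damage to two of them."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "budget.txt": "FY2016 budget line items and notes\n" * 50,
            "notes.txt": "meeting notes, action items, owners\n" * 50,
            "readme.txt": "unchanged file\n" * 50,
        }
        for name, text in samples.items():
            with open(os.path.join(root, name), "w") as f:
                f.write(text)
        manifest = build_manifest(root)  # taken at backup time and kept offline
        # Simulated damage: one file overwritten in place, one renamed and overwritten
        with open(os.path.join(root, "budget.txt"), "wb") as f:
            f.write(os.urandom(4096))
        os.rename(os.path.join(root, "notes.txt"), os.path.join(root, "notes.txt.locked"))
        with open(os.path.join(root, "notes.txt.locked"), "wb") as f:
            f.write(os.urandom(4096))
        return verify_against_manifest(root, manifest)


if __name__ == "__main__":
    for key, files in demo().items():
        print(key, files)
```

The manifest is what makes the offline copy usable: it tells the responder which files to restore and which are still intact, so recovery does not mean blindly rolling back everything. The entropy test is a heuristic, and files that are legitimately compressed or encrypted (archives, images, encrypted containers) will exceed the threshold too, which is why the example reports it alongside the hash comparison rather than on its own.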
What is a cybersecurity incident/breach response plan?
“Capability to effectively manage unexpected
disruptive events with the objective of
minimizing impacts and maintaining or
restoring normal operations within defined
time limits”
– ISACA (formerly known as Information
Systems Audit and Control Association)
What goes into a cybersecurity incident/breach response?
Cybersecurity incident/breach response plan
Laws, regulations
IT Risk framework
Data and system inventory
What should a cybersecurity incident/breach response plan accomplish?
Preparation
Detection and Analysis
Containment, Eradication, and Recovery
Post-Incident Activity
Breach Response - Digital Forensics &
Forensic Analysis
SCENARIOS - When to call a digital forensic expert...
• Employee suddenly departs from an organization (especially on less than positive terms)
• Employee leaves to join a competitor and there is a concern that trade secrets or other intellectual property may have been stolen
• Suspicion of vendor / employee collusion
• Suspicion of employee conflict of interest
• Suspicion that an employee is creating fictitious invoices and submitting them for reimbursement
SERVICES - Our digital forensic experts provide...
• Forensically acquiring and analyzing digital devices such as computers, iPads, and smartphones
• Tracing internet activity
• Identifying a timeline of user activity
• Identifying files copied to external devices such as USB drives
Quote
> “I am convinced that there are only two types of
companies: those that have been hacked and
those that will be. And even they are
converging into one category: companies that
have been hacked and will be hacked again.”
- Robert S. Mueller (Director of the FBI)
Key cybersecurity program element #1
Cyber Risk Assessment
> Understand all information systems at a granular level
> Figure out what assets really matter (crown jewels)
> Translate and align to business objectives and priorities
> A clear definition of risk tolerance levels is required
> The assessment must be unique to the organization and its industry
> The process must be iterative and dynamic to adapt to constant change
> Standard frameworks improve effectiveness (e.g., NIST, COSO)
Key cybersecurity program element #2
Cybersecurity Countermeasures
> Policies and procedures must be documented
> Layered security is critical (Multiple Lines of Defense)
> Use a combination of preventative and detective controls
(IT and Business Controls)
> Support with cyber-focused standards (e.g., ISO, COBIT, NIST)
> Event correlation is becoming increasingly important
> Ongoing assessment is critical to keep pace with change
> Ultimately, controls must be deployed that are commensurate with the
value of the assets you are trying to protect
Key cybersecurity program element #3
Training and Communication
> Reaching beyond the boundaries of the organization is critical
> Embed security within key business processes
> IT topics must be translated into meaningful information
(Common language)
> Involve everyone - Education and building consensus is critical among
all stakeholders.
> Train continually, and look for active learning scenarios
> Leadership must establish the tone at the top
Board Questions for Management
> What do we consider our most valuable assets (e.g., data)? How
does our IT system interact with those assets? Do we believe we
can fully protect those assets?
> Do we think there is adequate protection in place if someone
wanted to get at or damage our corporate “crown jewels”? If not,
what would it take to feel comfortable that our assets were
protected?
> Are we investing enough so that our corporate operating and
network systems are not easy targets for a determined hacker?
Questions for the Board to consider:
− What training do employees receive regarding privacy and
security?
− What are the organization’s cybersecurity policies and
procedures?
− What is the organization doing to test and update its
incident response plan?
− What is the organization doing to monitor and address
cybersecurity legal, regulatory and industry developments?
− What is being communicated to the Board about
developments and addressing them?
Questions for the Board to consider:
− What are the criteria for an incident to be communicated to the
Board (e.g., type and amount of information at issue, legal,
regulatory and industry requirements and practices, financial
amount at issue, etc.)?
Decision point: the Board needs to define what constitutes an
incident that is reportable to the Board
− What are the channel and means of communication for
reporting an incident to the Board? What and how much
information about an incident is reported?
− What are timing and other considerations regarding reporting
(e.g., incident is disclosed first by the media, law enforcement is
involved, etc.)
Questions for the Board to consider:
− Actions the organization takes (e.g., whether notification is
made and basis for making or not making notification)
− Actions other parties take (e.g., other parties involved in or
affected by incident, litigants, regulators, law enforcement,
insurers, media, service providers, etc.)
− Whether to request additional information about incident
− Impact of incident on the organization and consequences (e.g.,
legal, business, financial, public relations, etc.)
− Determinations or actions for the Board to take
Questions for the Board to consider:
− Is there a defined process for determining whether, how and
when notification regarding an incident needs to be made?
− Who is involved in making this decision?
− Which parties are notified (e.g., affected parties, regulators,
insurers, media, credit reporting agencies, etc.)?
− What are possible consequences of making notification (e.g.,
litigation, regulator enforcement, notifications become public,
media attention, financial, etc.)?
− What are risks in not making notification (e.g., litigation,
regulator enforcement, violation of law or guidance or where
required by policy or contract, reasons for making or not making
notification, etc.)
Questions for the Board to consider:
− Has a reserve been established for incidents? If yes, when was
this reserve established and what is the amount of reserve?
− When was the organization’s cyber liability insurance coverage
last reviewed, who reviewed and what were results of review
(e.g., deductibles and amount and coverage)?
− Should directors' and officers' liability insurance coverage be
reviewed regarding cybersecurity and data breaches?
− Do any developments regarding the organization (e.g.,
acquisitions) or impacting the organization (e.g., legal,
regulatory, litigation, business, insurance, etc.) warrant a review
of the reserve and insurance coverage?
Questions?
Contact Information:
Brian Sanvidge, CIG, CFE
Principal, National Forensic Litigation and Valuation Services
(212) 792-4836
Patrick Yu, CPA
Not-For-Profit Assurance Service Partner
(212) 792-4802