
Cybersecurity Threats and Impact on Internal Audit

Explore the increasing cybercrime landscape, the potential threats to organizations, and the role of internal auditors in safeguarding their information systems. Gain insights into the motivations, attack methods, and strategies to enhance cybersecurity readiness.

parkerj


Presentation Transcript


  1. Cyber security: Threats and Influence on Internal Audit
     Meringoh Lenya, J., Chief Solutions Architect and CTO, Varnah Group

  2. Some Statistics and projections:
     • Global cybercrime cost is projected to be more than USD2.T by 2020
     • 90% of companies will embrace smart devices
     • Intel projects 200b devices on the internet by 2020
     • There will be 6.1b smartphones by 2020
     • Kenya has a mobile penetration of 88% (CA)
     • Safaricom has more than 10M devices on the network
     • World population projected to be 7.5B by 2020
     • IPv6 supports 7.8 quintillion (1,000,000,000,000,000,000) concurrent transactions

  3. Statistics .../Ctd
     • ERPs will migrate to the cloud by 2020
     • There will be 2.91b people on social media globally by 2020
     • Facebook has 1.79 billion active users (2016), 2.67b by 2020, while Twitter will hit 369M, as WhatsApp goes to 1.4b; 3b email users by 2020
     • Google processes 2.4 million searches per minute (only 16% of indexed traffic): http://www.internetlivestats.com/google-search-statistics/
     • The future of money and finance is dark
     • Software is eating the world: all companies will become IT companies
     • Devices will occupy the Earth: multiple avenues for attack
     • Criminals can take up to a year to attack

  4. INTRODUCTION
     • Cybercrime: criminal or unlawful acts perpetrated using computer-based tools and networks. The most common is the internet (hacking)
     • Cybersecure: an institution is cyber secure if it has deployed tools, strategies and capabilities to detect, contain, eradicate and remediate cyber crime
     • KV2030 aspiration: make Kenya a globally competitive and prosperous nation with a high quality of life by 2030
     • Cybersecurity is a real threat

  5. Prime Targets for Cyber criminals
     Networks and information systems:
     • Databases (rest, transit, end-points)
     • Devices on networks/internet: any IP-based device, ANY, including the home's
     • Servers including DNS, on-prem, cloud etc.
     • Cloud infrastructure: applications, etc.
     • Homes
     • Industrial systems (Stuxnet)
     • Communication systems etc.
     • Everything will be hackable
     • Life support systems: case of iStan (patient simulator), pacemaker, insulin pump
     Cyber crime becomes a manifold.

  6. Common attack fronts (vectors)
     • HTTP: web services are the most targeted
     • FTP
     • SMTP, SMAP
     • Naked public IPs
     • Open ports on the firewall
     • P2P activities, e.g. torrenting
     • Open application IPs

  7. Attack Method: How will they get in?
     • Social engineering: duping users and sweet-talking them into surrendering their identity
     • Phishing: mainly e-mails; baits to lure victims in communication to click, install or reply etc. Click click, touch touch
     • SQL injections: DB manipulation using code, e.g. dump data to a CnC or change figures and values
     • Port scanning: probing servers and routing devices for open ports to attack
     • Spoofing: identity masquerades in applications and persons
     • Brute force: crypto-analytical permutations for password/passphrase breaches
     • Backdoor: bypassing normal authentication (trojan attack)
     • Man in the middle attack: eavesdropping tools and devices / wiretaps

  8. Manifestation of an attack
     • DDoS: network, applications, PCs, phones, other IP-based devices
     • Identity theft: the most targeted in attacks
     • Loss of data
     • Delays in service delivery
     • System overloads
     • Errors in data
     • Wrong reports etc.
     • Wrong or no communication
     • Wrong direction etc.

  9. Motivation
     • Sabotage: denial of service for the sake of it… <Syrian nuclear plant> <Stuxnet>
     • Espionage: internal insights <Clip on China>; industrial, business, research, innovation, trade secrets
     • Identity theft: to commercialize, e.g. IP; case of reverse engineering
     • Terrorism: cyber arms race; Stuxnet, radar case of Syria
     • Warfare: competition, hatred, cold war, industrial war; China, Russia, US mistrust
     • Hacktivism: political or social pressure, e.g. Operation Tunisia to push for the Arab Spring, WikiLeaks etc.
     • To be happy: Anonymous. To prove/expose weaknesses
     • Government driven in support of espionage: China, US, Russia
     • Ransomware/extortion: a new development; malware-as-a-service: careers??
     • See below: http://www.computerworlduk.com/galleries/security/worst-10-ransomware-attacks-2016-we-name-internets-nastiest-extortion-malware-3641916/

  10. “Hackers can take over GPS and direct the victim to go down a cliff” https://www.hackread.com/hacking-smartphones-gps-in-car-navigation-system/

  11. Cybercrime and the future of audit
     Points to ponder: security is subtle and there is no silver bullet. Auditing security is a concert of strategies: tools, controls and human interventions. Auditors will require:
     • Domain knowledge of the threat and vulnerability landscape: attack vectors and their treatment are critical for a secure business environment (offense informs defence)
     • Availability of tools that strengthen detection and control, including threat intelligence
     • Focus on availability management: zero downtime with resilient architectures. Systems need to be available to be audited (offensive)
     • Realisation that data has value (crown jewels). The new crime scene and battlefield is the computer, with data in contention

  12. Common challenges to Auditors
     With the sophistication of cyber crime, compounded by the rapid evolution of technology, auditors are in most cases handicapped in delivering the audit function. Challenges include:
     1. Disruptive technologies complicate audit. They increase the surface for attack:
     • IoT: 200b devices to hack. BYOD sprawl debate and nano science (power, size and cost) <IoT clip> <SACM> <Stack>
     • Social media: the next frontier for insight into business growth, sabotage
     • Predictive analytics: death of sampling in audit and the need to mine deep leads by looking at every bit. Is this realistic?
     • Cloud: web-scale IT, growth of the as-a-service model (the cloud links you and your data and applications, as devices are mere endpoints)
     • Mobility: young, mobile, socially enabled workforce. Mobility delivers BC faster (banks, education, insurance etc.): a new attack surface area

  13. Challenges ...ctd/
     2. Largely integrated and complex systems:
     • Hyper-converged complex infrastructure
     • ERPs and integrating solutions that complicate audit: where would you start? Is it a solution?
     • Intermediation of core systems through apps: service is everything
     • Delivery of multiple apps and data across the service bus (SOA)
     • The 360-degree view requirement of the business and the customer: CRM, DMS, dashboards, EPMs etc. Where do we start? <Veripark clip>
     • Integration MUST be audited and sanctioned before development

  14. Challenges ...ctd/
     3. Non-approved SaaS applications in business: a new threat, BYOA and the appetite to touch and install. Audit dilemma?
     4. ALM flaws that create headaches for auditors: poor design, failed QA, DevOps challenges etc.
     Others:
     • Blockchain and the future of financial infrastructure
     • The deep web: a big challenge. What can/can't we see?
     • IT shadowing
     • Cognitive computing and device dominance, including nano: how will you audit a robot? <Clip>

  15. SOME POSSIBLE SOLUTIONS

  16. Audit CBK: Extend auditable domain
     Infrastructure convergence (end to end) including BYOD. Convergence provides a single neck to hold, or a single point of failure.
     • CBIS: ERPs and integrating solutions, and SOA security
     • Web applications: unauthorised SaaS proliferation in business
     • Browser activities across the firewall: what can we see? Deep web
     • Financials and IT spend
     • Governance, risk and compliance
     • Service management, especially with the rise of the as-a-service model
     • Buying models and the growth of managed services as a business model, e.g. tech bill of materials (BOMs), collocation
     • IT teams' activities and performance
     • Access management on core systems
     • Security installations
     • Configurations and configurable items

  17. Technical Solutions
     Making IT and systems security strategy immersive and inclusive (DevOps approach) in securing and ring-fencing the business ecosystem:
     • Developing technical/process capabilities for auditors, for visibility
     • The right mix of security tools and technologies that strengthen each other, vulnerability management and business continuity, e.g. defence in depth, DAM, tokens, multi-factor authentication (MFA) etc., SOC/NOC, dashboards, alerts etc. (Nagios, OpManager, ManageEngine)
     • Exposing/incorporating auditors in the security teams: monitor, detect, contain, eradicate and remediate threats targeting networks and applications via alerts and dashboards
     • Mobile Device Management (MDM) capability: remote wipe, encryption etc., on-boarding policies, whitelisting etc. Most attacks will potentially initiate at the endpoints
     • Deep domain expertise in security tools and technologies: need to be purposeful

  18. Technical …./…
     2. Participate in developing a cyber security architecture vision that works.
     a. Focus on business processes in addition to financial processes:
     • Develop/review/define/align security policies, procedures and standards, e.g. business continuity plans (DR/BCP), SOPs, (RTP/RTO metrics) etc., clustering and fail-over clusters
     • Benchmark and implement best practices in security standards and frameworks, e.g. ISO 27001, COBIT, SIEM, ITIL, etc.
     • Develop a hybridized, people-driven, proactive threat intelligence and counter-attack capability
     • Good application development regimes: DevOps, QA, rigorous testing etc. (systems will evolve continuously with incremental in-house or outsourced development of components and plug-ins)
     • Liaise and collaborate with relevant bodies, e.g. CAK (CIRT, CA), ICTA etc.

  19. Technical…./…
     b. Auditors to develop a sufficient understanding of information systems, data and application architecture:
     1. Data security architecture: ensure integrity, confidentiality and availability
     • Define and categorise/segregate data accordingly
     • Guard against DB attacks, e.g. SQL injection: strong authentication and alerts, DAM, WAF etc.
     • Deploy data encryption for data at rest, in transit and at the endpoint (attack focus), e.g. Commvault, Veeam, etc.
     • Deploy DLP strategies: device encryption, strong authentication (FBI iPhone), backup
     • Ensure secure cloud infrastructure provisioning and deployment: certificates, VPN etc.; WildFire and FireEye tools are rich in cloud protection capabilities
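An added example, not part of the presentation, that puts slide 7's "SQL injection: dump data" next to the defence slide 19 prescribes (a query that treats input as data only, plus a DAM-style alert). The ledger table, account ids and the injection string are constructed for illustration.

```python
import sqlite3

# Constructed in-memory ledger for the demonstration (not real data).
def make_ledger() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ledger (account TEXT PRIMARY KEY, balance INTEGER)")
    conn.executemany("INSERT INTO ledger VALUES (?, ?)",
                     [("acc-001", 1500), ("acc-002", 250), ("acc-003", 9800)])
    return conn

# Vulnerable lookup: the account id is pasted into the SQL text, so a crafted
# value changes the statement itself and the whole table is dumped.
def balance_vulnerable(conn: sqlite3.Connection, account: str) -> list:
    sql = f"SELECT account, balance FROM ledger WHERE account = '{account}'"
    return conn.execute(sql).fetchall()

# Hardened lookup: a bound parameter is always treated as data, never as SQL,
# so the same crafted value simply matches no account.
def balance_hardened(conn: sqlite3.Connection, account: str) -> list:
    sql = "SELECT account, balance FROM ledger WHERE account = ?"
    return conn.execute(sql, (account,)).fetchall()

# DAM-style alert rule (assumed, simplified): a single-account lookup that
# returns more than one row is an anomaly worth alerting on, whichever code
# path produced it.
def dam_alert(rows: list, expected_max: int = 1) -> bool:
    return len(rows) > expected_max

if __name__ == "__main__":
    conn = make_ledger()
    probe = "' OR '1'='1"          # constructed injection input
    dumped = balance_vulnerable(conn, probe)
    print("vulnerable:", dumped, "ALERT" if dam_alert(dumped) else "ok")
    print("hardened:", balance_hardened(conn, probe))
    print("legit:", balance_hardened(conn, "acc-002"))
```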

  20. Technical…./…
     b. Information systems security …/ctd
     2. Focus on application security architecture:
     • Manage integration security across an ESB/SOA (API, web services)
     • Defence in depth architecture: bury application servers deep in the network/DMZ
     • Strong authentication (MFA, security tokenization, biometrics): going beyond the password
     • Effective controls for IT shadowing: rules for BYOD & BYOA, rogue SaaS apps, whitelisting
     • High availability deployment and fault tolerance strategies, e.g. active-active
     • Failover/failsafe, clustering, redundancy for app DBs
     • NB: unauthorised SaaS apps' source code is potentially risky. We do not own the app nor the infra, but we keep passing data to them.

  21. Technical…./…
     c. Infrastructure security architecture: visibility of the network, servers and active components on the network
     • Deploy robust antivirus and anti-malware, and hardware security: strong domain presence, access management and device policies for visibility
     • Harden network security, the primary target for cyber-attacks:
     • Deepen border/periphery patrol via UTM firewalls
     • Strong authentication and identity management, e.g. single sign-on and tokenization, captive portals for wifi, VLAN segments etc.
     • Clear BYOD policies (these are the weakest links on a network): onboarding policies
     • Regular pen tests and VA assessments

  22. Suggested Social Solutions: Most effective
     1. Develop and communicate a comprehensive framework for IT-related risks
     • Assess, map and categorise IT-related risks in the business and address their corresponding mitigations/treatments using a detailed risk register
     • Deploy a help-desk-based risk module to monitor risks by users, for those in the service industry
     2. Put people first: build a security-centric culture, liaising with HR and IT
     • Train teams on exposures: the attack lifecycle (reconnaissance to execution)
     • Build capability within the technical team: detect, contain, eradicate and remediate
     • Good cyber governance, involving all
     • Social engineering and individual responsibility campaigns
     • Ethical evangelism: preaching about being deliberately ethical and a COP

  23. Social solutions…/ ctd
     2. Deploying incident management strategies to identify, contain, eradicate and remediate security incidents and enhance response
     • Benchmark on standards such as SIEM, ISO 27001
     • More effective communication (the RACI model) and damage control: Samsung Note 7
     • Need-to-know basis
     • Out-of-band communication
     • Sit in security committees with a responsibility, e.g. chairperson
     3. Benchmark, collaborate and share information and security data with the right stakeholders
     • Governmental initiatives, e.g. NPKI, CIRT (driven by CAK and ICTA) etc.
     • Private sector players: security technology dealers and consultants

  24. Social….cotd/
     Individual due care: it is important to know that your behaviour and activities can predispose your entire organisation (case of Australia). Please UPDATE:
     • Update software: licensed and authentic
     • Password management: strong, MFA
     • Download management: appetite to touch
     • Avoid running systems in admin mode; use user mode
     • Turn off open channels: wifi, data, GPS, NFC, RFID, Bluetooth (case of the China attack on Australia)
     • Encrypt your device and data

  25. Suggested Legal solutions
     Administrative: enforcement of compliance
     • Take cognisance of the existing cybercrime and related laws (Kenya) and invoke them where necessary. BUT: are there laws? Will making laws and arresting criminals deter enough?

  26. Government Commitment
     1. The National ICT Master Plan 2014-2017 provides for:
     • The National Cybersecurity Strategy
     • The National Public Key Infrastructure (NPKI)
     • The National Computer Incident Response

  27. Legal …./ctd
     2. Legal treatment of data, systems and CBIS, e.g.:
     • Cybercrimes Bill 2014
     • Critical Infrastructure Protection Bill
     • Data Protection Act 2013
     3. Lots of private sector participation in IT programs of Government:
     • Various cable landings to facilitate e-commerce
     • Increased R&D in software development and related innovation
     • Private-sector-led IT hubs and incubation programs supported
     • Many telcos supporting security deployments: Safaricom and M-PESA, API integration and entire security

  28. Conclusion
     • Two types of companies: one already hit, one hit but clueless. So they will come; just close the doors. We know not the hour (Matthew 24:36)
     • Who will solve this fundamental problem of technology if auditors remain mum or just focus on the financial? What is the future of finance?
     • Auditors have to get it right every time, but the attacker only has to be right once
     • Criminals can stay unnoticed for up to a year before they strike: sleeping with an invisible stranger
     • Hard target is the game. Do not put your crown jewels in a fragile case. So: assess and prepare, detect and prevent, analyze and respond.

  29. Thank You
