Transcript - Internal Audit

Cyber security: Threats and Influence on Internal Audit
Meringoh Lenya, J.
Chief Solutions Architect and CTO,
Varnah Group
Some statistics and projections:
● Global cybercrime cost is projected to be more than USD2.T by 2020
● 90% of companies will embrace smart devices
● Intel projects 200b devices on the internet by 2020
● There will be 6.1b smartphones by 2020
● Kenya has a mobile penetration of 88% - CA
● Safaricom has more than 10M devices on the network
● World population projected to be 7.5B by 2020
● IPv6 supports 7.8 quintillion (1,000,000,000,000,000,000) concurrent transactions
● There will be 2.91b people on social media globally by 2020
Statistics
● Facebook has 1.79 billion active users (2016), 2.67b by 2020, while Twitter will hit 369M, as WhatsApp goes to 1.4b
● 3b email users by 2020
● Google processes 2.4 million searches per minute (only 16% of indexed traffic: http://www.internetlivestats.com/google-search-statistics/)
● The future of money and finance is dark
Software is eating the world- all companies will become IT companies
Devices will occupy the Earth- multiple avenues for attack
Criminals can take up to a year to attack
INTRODUCTION
Cybercrime:
Criminal or unlawful acts perpetrated using computer-based tools and networks. The most common is the internet (hacking).
Cybersecure:
An institution is cyber secure if it has deployed the tools, strategies and capabilities to detect, contain, eradicate and remediate cyber crime.
KV2030 Aspiration.
Make Kenya a globally competitive and prosperous nation with a high quality of life
by 2030.
Cybersecurity is a real threat
Prime targets for cyber criminals
Networks and information systems
Databases (at rest, in transit, at end-points)
Devices on networks/internet- any IP-based device- ANY, including home devices
Servers including DNS, on-prem, cloud etc
Cloud infrastructure- applications, etc
Homes
Industrial systems (Stuxnet)
Communication systems etc
Everything will be hackable
Life support systems- case of iStan (patient simulator), pace setter, insulin pump
Cyber crime becomes a manifold
Common attack fronts (vectors)
HTTP- web services are the most targeted
FTP
SMTP, SMAP
Naked public IPs
Open ports on the firewall
P2P activities e.g. torrenting
Open application IPS
Attack method: how will they get in?
Social engineering- duping users and sweet-talking them into surrendering their identity
Phishing- mainly e-mails, baits to lure victims in a communication to click, install or reply etc. Click click, touch touch
SQL injections- DB manipulations using code- e.g. dump data to a CnC or change figures and values
Port scanning- probing servers and routing devices for open ports to attack
Spoofing- identity masquerades by applications and persons
Brute force- crypto-analytical permutations to breach passwords/passphrases
Backdoor- bypassing normal authentication (trojan attack)
Man in the middle attack- eavesdropping tools and devices/ wiretaps
Manifestation of an attack
DDoS- network, applications, PCs, phones and other IP-based devices
Identity theft- the most targeted in an attack
Loss of data
Delays in service delivery
System overloads
Errors in data
Wrong reports etc.
Wrong or no communication
Wrong direction etc
Motivation
1. Sabotage- denial of service for the sake of it… <Syrian nuclear plan> <Stuxnet>
2. Espionage- internal insights <Clip on China>, industrial, business, research, innovation, trade secrets
3. Identity theft- to commercialise e.g. IP, case of reverse engineering
4. Terrorism- cyber arms race- Stuxnet, radar case of Syria
5. Warfare: competition, hatred, cold war, industrial war- China, Russia, US mistrusts
6. Hacktivism: political or social pressure e.g. Operation Tunisia to push for the Arab Spring, WikiLeaks etc
7. To be happy- Anonymous. To prove/expose weaknesses
8. Government driven in support of espionage- China, US, Russia
9. Ransomware/extortion- new development- malware-as-a-service: careers??
10. See: http://www.computerworlduk.com/galleries/security/worst-10-ransomwareattacks-2016-we-name-internets-nastiest-extortion-malware-3641916/
“Hackers can take over GPS and direct the victim to go down a cliff”
https://www.hackread.com/hacking-smartphones-gps-incar-navigation-system/
Cybercrime and the future of audit
Points to ponder:
Security is subtle and there is no silver bullet- auditing security is a concert of strategies, tools, controls and human interventions. Auditors will require:
• Domain knowledge of the threat and vulnerabilities landscape- attack vectors and their treatment are critical for a secure business environment (offense informs defence)
• Availability of tools that strengthen detection and control, including threat intelligence
• Focus on availability management – zero down time with resilient architectures. Systems need to be available to be audited- offensive
• Realisation that data has value (crown jewels). The new crime scene and battlefield is the computer, with data in contention
Common challenges to auditors
With the sophistication of cyber crime, corroborated by the rapid evolution of technology, auditors are in most cases handicapped in delivery of the audit function. Challenges include:
1. Disruptive technologies complicate audit. They increase the surface for attack. IoT- 200b devices to hack. BYOD sprawl debate and nano science (power, size and cost)- IOT CLIP
-SACM -Stack
• Social media- next frontier for insight for business growth, sabotage
• Predictive analytics- death of sampling in audit and the need to mine deep leads by looking at every bit- is this realistic?
• Cloud- web-scale IT, growth of the as-a-service model (cloud links you, your data and your applications, as devices are mere endpoints)
• Mobility- young, mobile, socially enabled workforce- mobility delivers BC faster- banks, education, insurance etc. A new attack surface area
2. Largely integrated and complex systems:
Hyper-converged complex infrastructure (ERPs and integrating solutions) that complicates audit: where would you start? Is it a solution?
Intermediation of core systems through apps- service is everything
Delivery of multiple apps and data across the service bus (SOA). The 360 degree view requirement of the business and the customer- CRM, DMS, dashboards, EPMs etc. Where do we start- Veripark Clip
Integration MUST be audited and sanctioned before development.
3. Non-approved SaaS applications in business – new threat, BYOA and the appetite to touch and install- audit dilemma?
4. ALM flaws that create headaches for auditors- poor design, failed QA, DevOps challenges etc
Others:
Blockchain and the future of financial infra.
The deep web- a big challenge. What can/can't we see?
IT shadowing
Cognitive computing and device dominance including nano- how will you audit a robot? <Clip>
SOME POSSIBLE SOLUTIONS
Audit CBK: extend the auditable domain
1. Infrastructure convergence (end to end) including BYOD. Convergence provides a single neck to hold, or a single point of failure
2. CBIS- ERPs and integrating solutions, and SOA security
3. Web applications- unauthorised SaaS proliferation in business
4. Browser activities across the firewall- what can we see- deep web
5. Financials and IT spend
6. Governance, risk and compliance
7. Service management, especially with the rise of the as-a-service model
8. Buying models and the growth of managed services as a business model. E.g. tech bill of materials (BOMs), colocation
9. IT team activities and performance
10. Access management on core systems
11. Security installations
Technical Solutions
Technical solutions- making IT and systems security strategy immersive and inclusive (DevOps approach) in securing and ring-fencing the business ecosystem:
1. Developing technical / process capabilities for auditors for visibility:
• The right mix of security tools and technologies that strengthen each other, vulnerability management and business continuity. E.g. defence in depth, DAM, tokens, multi-factor authentication (MFA), SOC/NOC, dashboards, alerts etc. (Nagios, OpManager, ManageEngine)
• Exposing/incorporating auditors in the security teams: monitor, detect, contain, eradicate and remediate threats targeting networks and applications via alerts and dashboards
• Mobile Device Management (MDM) capability: remote wipe, encryption, onboarding policies, whitelisting etc. Most attacks will potentially initiate at the endpoints.
• Deep domain expertise in security tools and technologies- these need to be purposeful
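An added example, not part of the original presentation, tying the brute-force attack method listed earlier to the monitor/detect capability above: a small Python monitor parses constructed sshd-style log lines and raises one alert per source address when five failed logins land within a minute. The log format, the threshold and the window are assumptions chosen for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real system).
SAMPLE_LOG = """\
2016-11-03T09:12:01 sshd: Failed password for admin from 10.0.0.7
2016-11-03T09:12:03 sshd: Failed password for admin from 10.0.0.7
2016-11-03T09:12:04 sshd: Failed password for root from 10.0.0.7
2016-11-03T09:12:06 sshd: Accepted password for jane from 192.168.1.20
2016-11-03T09:12:08 sshd: Failed password for admin from 10.0.0.7
2016-11-03T09:12:09 sshd: Failed password for admin from 10.0.0.7
2016-11-03T09:12:10 sshd: Failed password for backup from 10.0.0.7
2016-11-03T09:30:00 sshd: Failed password for jane from 192.168.1.20
2016-11-03T09:31:00 sshd: Accepted password for jane from 192.168.1.20
"""

LINE_RE = re.compile(r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")

def parse_auth_log(text):
    """Turn matching lines into (timestamp, outcome, user, source) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines of another shape are ignored rather than crashing the monitor
            ts, outcome, user, src = m.groups()
            events.append((datetime.fromisoformat(ts), outcome, user, src))
    return events

def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Sliding window per source address: raise one alert when `threshold`
    failures fall within `window`. Returns {source: (window_start, users_tried)}."""
    recent = defaultdict(list)
    alerts = {}
    for ts, outcome, user, src in sorted(events):
        if outcome != "Failed":
            continue
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:  # expire failures older than the window
            q.pop(0)
        if len(q) >= threshold and src not in alerts:
            alerts[src] = (q[0][0].isoformat(), sorted({u for _, u in q}))
    return alerts

def audit_sample_log():
    """Run the detector over the constructed log; this is what a dashboard would show."""
    return detect_bruteforce(parse_auth_log(SAMPLE_LOG))

if __name__ == "__main__":
    print(audit_sample_log())
```

The single legitimate failure from 192.168.1.20 never reaches the threshold, so only the noisy source is reported, with the accounts it tried.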
2. Participate in developing a cyber security architecture vision that works.
a. Focus on business processes in addition to financial processes:
• Develop/review/define/align security policies, procedures and standards e.g. business continuity plans (DR/BCP), SOPs, (RTP/RTO metrics) etc., clustering and fail-over clusters
• Benchmark and implement best practices in security standards and frameworks e.g. ISO 27001, COBIT, SIEM, ITIL, etc.
• Develop hybridised, people-driven, proactive threat intelligence and counter-attack capabilities
• Good application development regimes- DevOps, QA, rigorous testing etc. (systems will evolve continuously with incremental in-house or outsourced development of components and plug-ins)
• Liaise and collaborate with relevant bodies e.g. CAK (CIRT, CA), ICTA etc
b. Auditors to develop a sufficient understanding of information systems- data and application architecture:
1. Data security architecture- ensure integrity, confidentiality and availability
• Define and categorise/segregate data accordingly
• Guard against DB attacks e.g. SQL injection- strong authentication and alerts- DAM, WAF etc
• Deploy data encryption for data at rest, in transit and at the endpoint (attack focus) e.g. Commvault, Veeam, etc
• Deploy DLP strategies- device encryption, strong authentication (FBI iPhone), backup
• Ensure secure cloud infrastructure provisioning and deployment- certificates, VPN etc. WildFire and FireEye tools are rich in cloud protection capabilities
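An added example (not from the original presentation) for the SQL injection attack method listed earlier and the "guard against DB attacks" point above: the same account lookup written with string concatenation and with a bound parameter, plus a row-count alert of the kind a DAM would raise. The table, its rows and the alert rule are constructed for the demo.

```python
import sqlite3

# Constructed demo ledger (not real data): three account rows in an in-memory DB.
def build_demo_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE accounts (id INTEGER, owner TEXT, balance INTEGER)")
    con.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                    [(1, "alice", 500), (2, "bob", 1200), (3, "carol", 75)])
    return con

def lookup_vulnerable(con, owner):
    # The flaw: the caller's text is spliced into the SQL, so a quote in the
    # input ends the string literal and the rest is parsed as SQL.
    sql = "SELECT owner, balance FROM accounts WHERE owner = '" + owner + "'"
    return con.execute(sql).fetchall()

def lookup_parameterised(con, owner):
    # The fix: a bound parameter is sent as a value, never as SQL text, so the
    # statement's structure cannot change whatever the input contains.
    sql = "SELECT owner, balance FROM accounts WHERE owner = ?"
    return con.execute(sql, (owner,)).fetchall()

def dam_row_count_alert(rows, expected_max=1):
    # A database-activity-monitoring style control: a single-owner lookup that
    # returns more rows than one owner can have is flagged for the SOC/auditor.
    return len(rows) > expected_max

def compare(owner):
    """Run the same input through both versions and report what a monitor would see."""
    con = build_demo_db()
    vuln = lookup_vulnerable(con, owner)
    safe = lookup_parameterised(con, owner)
    return {
        "vulnerable_rows": len(vuln),
        "parameterised_rows": len(safe),
        "vulnerable_alert": dam_row_count_alert(vuln),
        "parameterised_alert": dam_row_count_alert(safe),
    }

if __name__ == "__main__":
    print(compare("alice"))          # both versions return one row, no alert
    print(compare("x' OR '1'='1"))   # only the concatenated version dumps the table
```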
2. Focus on application security architecture:
• Manage integration security across an ESB/SOA (API, web services)
• Defence in depth architecture- bury application servers deep in the network/DMZ
• Strong authentication (MFA, security tokenisation, biometrics) – going beyond the password
• Effective controls for IT shadowing- rules for BYOD & BYOA, rogue SaaS apps whitelisting
• High availability deployment and fault tolerance strategies e.g. active-active failover/failsafe, clustering, redundancy for app DBs.
NB: Unauthorised SaaS apps’ source code is potentially risky. We do not own the app nor the infra, but we keep passing data to them.
c. Infrastructure security architecture- visibility of the network, servers and active components on the network
• Deploy robust antivirus and anti-malware, hardware security – strong domain presence, access management and device policies for visibility
Harden network security- the primary target for cyber-attacks:
• Deepen border/periphery patrol via UTM firewalls
• Strong authentication and identity management e.g. single sign-on and tokenisation, captive portals for wifi, VLAN segments etc
• Clear BYOD policies- these are the weakest links on a network- onboarding policies
• Regular pen tests and VA assessments
Suggested social solutions- most effective
1. Develop and communicate a comprehensive framework for IT-related risks
• Assess, map and categorise IT-related risks in the business and address their corresponding mitigations/treatments using a detailed risk register
• Deploy a help desk based risk module to monitor risks by users, for those in the service industry
2. Put people first- building a security-centric culture, liaising with HR and IT
• Train teams on exposures- the attack lifecycle (reconnaissance to execution)
• Build capability within the technical team – detect, contain, eradicate and remediate
• Good cyber governance- involving all
• Social engineering and individual responsibility campaigns
• Ethical evangelism- preaching about being deliberately ethical and a COP
2. Deploying incident management strategies to identify, contain, eradicate and remediate security incidents and enhance response
• Benchmark on standards such as SIEM, ISO 27001
• Effective communication (the RACI model) and damage control- Samsung Note7
• Need-to-know basis
• Out-of-band communication
• Sit in security committees with a responsibility e.g. Chairperson
3. Benchmark, collaborate and share information and security data with the right stakeholders
• Governmental initiatives e.g. NPKI, CIRT (driven by CAK and ICTA) etc.
• Private sector players- security technology dealers and consultants
Individual due care
It is important to know that your behaviour and activities can predispose your entire organisation- case of Australia. Please UPDATE:
1. Update software- licensed and authentic
2. Password management- strong, MFA
3. Download management- appetite to touch
4. Avoid running systems in admin mode- use user mode
5. Turn off open channels- wifi, data, GPS, NFC, RFID, Bluetooth- case of the China attack on Australia
6. Encrypt your device and data
Suggested Legal solutions
Administrative – enforcement of compliance:
Take cognisance of the existing cybercrime and related laws (Kenya) and invoke them where necessary
BUT:
Are there laws? Will making laws and arresting criminals deter enough?
Government Commitment
1. The National ICT master plan 2014-2017 provides for:
• The National Cybersecurity Strategy
• The National Public Key Infrastructure (NPKI)
• The National Computer Incident Response
2. Legal treatment of data, systems and CBIS, e.g.
• Cybercrimes Bill 2014
• Critical Infrastructure Protection Bill
• Data Protection Act 2013
3. Lots of private sector participation in IT programs of Government
• Various cable landings to facilitate ecommerce
• Increased R&D in software development and related innovation
• Private-sector-led IT hubs and incubation programs supported
• Many telcos supporting security deployments- Safaricom and MPESA- API integration and entire security
Conclusion
1. Two types of companies: one already hit, one hit but clueless- so they will come, but just close the doors. We know not the hour (Matthew 24:36)
2. Who will solve this fundamental problem of technology if auditors remain mum or just focus on financials? What is the future of finance?
3. Auditors have to get it right every time, but the attacker only has to be right just once
4. Criminals can stay unnoticed for up to a year before they strike. Sleeping with an invisible stranger
5. Hard target is the game. Do not put your crown jewels in a fragile case.
So: assess and prepare, detect and prevent, analyse and respond.
Thank You