Cyber and Data Security May 2015 - Elliott Davis

© 2014 Elliott Davis, PLLC © 2014 Elliott Davis, LLC

Richard Cook, CISA, CISM & CRISC Director: IT Audit & Security Bonnie Bastow CISA, CIA Manager: IT Audit & Security


This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record of the discussion. This presentation is for informational purposes and does not contain or convey specific advice. It should not be used or relied upon in regard to any particular situation or circumstances without first consulting the appropriate advisor. No part of the presentation may be circulated, quoted, or reproduced for distribution without prior written approval from Elliott Davis Decosimo.

© Elliott Davis Decosimo, LLC © Elliott Davis Decosimo, PLLC

Cyber and Data Security


Agenda

• Cyber Security - Overview - Update on Common Data Breaches/Threats - Strategies to Mitigate Cyber Terrorism Risks

• Data Security - Overview - Top 5 Control Areas to Review


Overview of Cyber Terrorism

• Cyber Terrorism defined: criminal acts using computers and networks as tools or targets


Cybersecurity Agenda

• Cybersecurity Update for 2015
  - Intel Security Report - 2015
  - Kaspersky Carbanak Report - 2015
  - Verizon’s Data Breach Investigations Report - 2015

• Common Themes

• Integrating Cybersecurity Responses into your Existing Programs


Intel Security Report


• People, processes and technology are all needed to mitigate risk

• Technology alone is not enough to protect users; email is the most prevalent initial target

• 2015 and beyond: no slowdown in sight for social engineering attacks
  - "The reality is that social-based attacks will continue for the foreseeable future."


Intel Security Report

• Launched an online quiz to show how easy it is to get people hooked on a social engineering phishing email

• Social engineering is a low-tech attack: it needs very limited technical resources to execute

• Organizations must channel resources into education and cultural change


Kaspersky – Carbanak Report

• Attacks still active

• Motivation: financial gain (not espionage or access to private information)

• Started with a spear phishing email that appeared to be legitimate banking communication

• Email attachments exploited Microsoft Office 2003, 2007 and 2010 vulnerabilities


• Highly sophisticated once they gained ‘some’ access

• Important point: initial access was via phishing emails, followed by exploitation of known vulnerabilities


Verizon Security Report


• Top Seven Human Risks
  - Phish-ability
  - Not patching or using outdated systems
  - Posting too much information about self or work
  - Reusing passwords across sites
  - Indiscriminate use of mobile media
  - Lack of situational awareness (believing you are not a target)
  - Accidental loss or disclosure of sensitive information


• 23% of recipients opened the phishing email and 11% clicked on the attachment

• 99.9% of the exploited vulnerabilities were compromised more than a year after the corresponding CVE (Common Vulnerabilities and Exposures) entry was published. The CVE entry is the public identifier of the flaw, not the patch itself, but a fix is normally released alongside it, so these were holes that had been patchable for a year or more


Attack Patterns

[Chart of incident patterns not reproduced in the transcript.] The first four patterns account for 90%, and all four are ‘people’ related.


Common Themes

• A multi-frontal approach is mandatory

• Social engineering is here to stay
  - Human nature

• Virus protection and patching programs
  - As important as ever

• Monitoring tools: necessary, but not preventive

• Assessment tools, frequent assessments


Strategies to Mitigate Cyber Terrorism Risks

There are so many risks…where to start?


Integrating Cyber Security Responses

• You may already have:
  - Information Security Program
  - Business Continuity Plan
  - Training Programs
  - IT Strategic Plan

• Must be aware of your current security posture
  - What do we have in place?
  - How does it all work/fit together?


What to Do Next

• Know where you stand
  - Scans: internal and external
  - Social engineering assessments
  - IT general controls

• It’s about integrating your:
  - Business Continuity Plan or Incident Response Programs
  - Training
  - Policies and Procedures

• With your:
  - Employees, contractors, vendors, physical assets


Strategies to Mitigate Cyber Terrorism Risks

Other strategies to consider

• Create a response team to handle issues, often called a Computer Emergency Response Team (CERT)
  - Much like a Business Continuity/Disaster Recovery Plan

• Network with local cyber experts to understand emerging threats


Data Security

• Management controls over IT
• User Access Reviews
• Layered Approach
• Privileged Users
• Vendor Management
• Passwords


Management Review of IT Controls

• Focus will be on IT controls that are generally reviewed by financial management team(s)


User Access Reviews

• Obtain a system-generated list of all users and their system privileges (this supports the completeness and accuracy assertions for the financial statements)

• No spreadsheets for tracking user access
  - Reviewing a spreadsheet only validates that the spreadsheet is correct; actual system access may differ

• A user review may be difficult to do if the system does not use role- or group-based security to apply access rights


User Access Reviews, continued

• During the review, check that:
  - Users are current employees, contractors, 3rd party users and temps
  - Users’ access rights are appropriate for their job function
  - Users do not have SoD (Segregation of Duties) conflicts

• If SoD conflicts exist, point to the mitigating control (e.g. reconciliations or another business process control)

• Check that SoD conflicts do not exist across systems (e.g. credit approval management system vs. loan origination system)

• Maintain all User Access Review documents (the user access review detail completed by the reviewer is the most important piece of evidence that the review occurred)


User Access Reviews, continued

• Maintain a User Access Review Tracking sheet; it should note:
  - Reviewer’s name
  - List of users to be reviewed
  - Date sent to reviewer
  - Date received from reviewer
  - Whether changes were requested (Yes/No)
  - When changes were applied

• Users should not review their own access rights (very risky)

• Note: the User Access Review Tracking sheet is often maintained by the IT group, but the User Access Reviews themselves should be performed by management.


User Access Reviews, continued

• Concentrate on contractors, temps, 3rd party users and transfers; this is where most companies fall short

• What is the nature of the changes requested by the reviewers? Do they point to some other inherent problem?
  - Is the user provisioning process breaking down?
  - Do we segregate the user provisioning process (performed by the IT group) from the users who hold functional access rights (the financial users)?

• For each in-scope application, be sure to review the application, operating system and database layers


Basic Security (layers of an onion)

• Most secure should be the center of the onion


Privileged User Reviews

• Always review 100% of privileged users; this is the highest-risk user population

• Privileged users are any users who can: provision users (add, change or delete user access rights), hold administrator-level access, change configuration settings, or reach the database directly from the back end (i.e. make changes directly in the database, as a DBA can)

• Any 3rd party user that has access rights to your systems should be logged and monitored (we cannot outsource risk)

• 3rd party access should be limited and granted only when needed; it should not be open-ended 24x7 access
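The checks listed on the User Access Review slides above (users are current, no SoD conflicts within or across systems, no self-review) and on this Privileged User Reviews slide (100% review of privileged accounts, scrutiny of 3rd party access) can be run mechanically over the system-generated exports the deck asks for, before the reviewer signs off. The Python below is an added example and is not part of the presentation: the privilege export, the HR roster, the second system’s export, the SoD matrix and the privileged role names are all constructed for illustration and stand in for the real files.

```python
"""Mechanical pass over a user access review.

Added example. All three tables below are constructed for illustration; a real
review would load the system-generated privilege export, the HR roster and the
second system's export from CSV files instead.
"""
import csv
import io
from collections import defaultdict

# Constructed system-generated export: every account and its roles.
SYSTEM_EXPORT = """\
user_id,display_name,user_type,roles
jdoe,Jane Doe,employee,AP_ENTRY;AP_APPROVE
bsmith,Bob Smith,employee,GL_POST
contractor7,Acme Support,third_party,SYSADMIN;DBA
tjones,Tom Jones,employee,LOAN_ORIGINATE
svc_backup,Backup Service,service,BACKUP_OPERATOR
"""

# Constructed HR roster: employment status and the manager who reviews access.
HR_ROSTER = """\
user_id,status,reviewer
jdoe,active,mlee
bsmith,active,mlee
tjones,terminated,mlee
contractor7,active,contractor7
"""

# Constructed export from a second application, so that conflicts spanning
# systems (credit approval vs. loan origination) are caught as well.
OTHER_SYSTEM_EXPORT = """\
user_id,roles
tjones,CREDIT_APPROVE
"""

# Assumed SoD matrix: role pairs one person must not hold at the same time.
SOD_CONFLICTS = {
    frozenset({"AP_ENTRY", "AP_APPROVE"}),
    frozenset({"LOAN_ORIGINATE", "CREDIT_APPROVE"}),
}

# Assumed privileged roles (provisioning, admin, configuration, back-end DB).
PRIVILEGED_ROLES = {"USER_ADMIN", "SYSADMIN", "CONFIG_ADMIN", "DBA"}


def _rows(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def review_access(system_csv=SYSTEM_EXPORT, hr_csv=HR_ROSTER,
                  other_csv=OTHER_SYSTEM_EXPORT):
    """Return {finding: sorted user_ids} for every account that needs attention."""
    hr = {row["user_id"]: row for row in _rows(hr_csv)}
    roles = defaultdict(set)
    user_type = {}
    for row in _rows(system_csv):
        roles[row["user_id"]].update(r for r in row["roles"].split(";") if r)
        user_type[row["user_id"]] = row["user_type"]
    for row in _rows(other_csv):
        roles[row["user_id"]].update(r for r in row["roles"].split(";") if r)

    findings = defaultdict(set)
    for uid, granted in roles.items():
        hr_row = hr.get(uid)
        # Current employee/contractor check: unknown to HR or terminated fails.
        # Service accounts are excluded here; they need an owner review instead.
        if user_type.get(uid) != "service" and (hr_row is None or hr_row["status"] != "active"):
            findings["not_current"].add(uid)
        # SoD conflict held by one identity, within or across systems.
        if any(pair <= granted for pair in SOD_CONFLICTS):
            findings["sod_conflict"].add(uid)
        # Privileged accounts are reviewed 100%, never sampled.
        if granted & PRIVILEGED_ROLES:
            findings["privileged_full_review"].add(uid)
        # Third-party accounts: confirm logging and time-bound access.
        if user_type.get(uid) == "third_party":
            findings["third_party"].add(uid)
        # The reviewer of record must not be the user being reviewed.
        if hr_row is not None and hr_row["reviewer"] == uid:
            findings["self_review"].add(uid)
    return {name: sorted(users) for name, users in findings.items()}


if __name__ == "__main__":
    for finding, users in review_access().items():
        print(f"{finding}: {', '.join(users)}")
```

The output is the worklist the reviewer has to resolve, not the review itself: a terminated user who still holds roles, a user whose two roles across two systems form an SoD conflict, and a 3rd party account that holds sysadmin rights and is also listed as its own reviewer. Keeping the exports and this result with the signed review detail gives the evidence that the review occurred.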


Privileged Users Review – Database Users

• Database user reviews are often overlooked

• Privileged database users are those users who can access the data directly via the back end

• The business owners are responsible for reviewing backend access for database users

• Microsoft SQL Server ships with one built-in sysadmin login, sa (system administrator, not "security administrator"). It is not the only route to back-end access: individual Windows-authenticated or SQL-authenticated logins can be created and granted the sysadmin or db_owner roles, so DBAs should work from named logins rather than a shared sa password. If sa is kept enabled at all, treat its password as a break-glass credential: store it in a vault, do not share it routinely, and change it periodically and whenever anyone who knew it leaves


Vendor Management Reviews

• Vendor Management Review
  - What is the opinion on the SOC report?
  - Does the SOC report have a carve-out? Are the carved-out processes significant to our environment? If yes, how do we get comfort around those processes? (e.g. obtain another SOC report covering the carved-out process)
  - What is the reporting period? It needs to cover at least 6 months of the financial period under review.
  - Are there any exceptions in the SOC report? Do they apply to our environment? If yes, how do we get comfort that the exceptions will not affect our financial reporting process?
  - Do we have the proper User Control Considerations (UCCs) in place? Have we validated the key UCCs? Do we have evidence of the validation process?


Vendor Management Reviews/UCCs

• When reviewing UCCs be sure to include these steps:
  - List all UCCs from key SOC reports
  - Review each UCC to determine whether it is key or not (no need to test non-key UCCs)
  - For each key UCC in each key SOC report, provide evidence that the UCC is designed appropriately and operating effectively
  - Maintain all documentation of the UCC reviews/testing


Password Security Best Practices – Short Reminder

• We would recommend that the following best practices be applied to password security and account lockout parameters:
  - Minimum password length: 6 to 8 characters (6 is the floor of the range; treat 8 as the practical minimum and go longer where the system allows, since short passwords fall quickly to offline cracking)
  - Maximum password age: 60 to 90 days
  - Minimum password age: 1 day (or more), so that users cannot cycle through the history in one sitting to return to an old password
  - Password history: no password re-use for the trailing 12 months
  - Password complexity: enabled (require at least one alphabetic and one numeric character)
  - Unsuccessful logon attempts: lock the account after 5 invalid attempts
  - Lockout duration: at least 15 minutes
  - Reset lockout counter: after at least 15 minutes
  - Domain inactivity timeout setting: 15 to 30 minutes
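On a Windows domain these parameters sit in the Default Domain Policy and can be dumped with secedit /export /cfg policy.inf; the [System Access] section of that file carries them as integers (password ages in days, lockout durations in minutes, 0 for lockout disabled, -1 for never expires / until an administrator unlocks). The Python below is an added example and is not part of the presentation: it parses a constructed export in that format and reports every setting outside the ranges listed above. Two assumptions are built in: 8 rather than 6 is used as the length floor, and because Windows counts remembered passwords rather than months, the 12-month history rule is translated into a lower bound of ceil(365 / maximum age) passwords. The domain inactivity timeout is a screen-saver policy, not a [System Access] entry, so it is not checked here.

```python
"""Compare a Windows security-policy export with the slide's password and
lockout thresholds.

Added example. SAMPLE_INF is constructed to mimic the [System Access] section
of `secedit /export /cfg policy.inf`; it is not taken from a real system.
Real exports are UTF-16 text, so open them with encoding="utf-16".
"""
import configparser
import math

SAMPLE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 180
MinimumPasswordLength = 6
PasswordComplexity = 0
PasswordHistorySize = 2
LockoutBadCount = 0
ResetLockoutCount = 30
LockoutDuration = 30
NewAdministratorName = "Administrator"
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_system_access(inf_text):
    """Return the numeric settings of the [System Access] section as a dict."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the exported key names' case
    cp.read_string(inf_text)
    settings = {}
    for key, value in cp["System Access"].items():
        try:
            settings[key] = int(value)
        except ValueError:
            pass  # string settings such as NewAdministratorName are not checked here
    return settings


def evaluate_policy(settings):
    """Return {setting: (current value, requirement)} for each failing setting.

    Thresholds follow the slide; 8 characters rather than 6 is used as the
    length floor (assumption: the safer end of the slide's 6-8 range).
    """
    failures = {}

    def fail(name, requirement):
        failures[name] = (settings.get(name), requirement)

    if settings.get("MinimumPasswordLength", 0) < 8:
        fail("MinimumPasswordLength", "8 or more characters")

    max_age = settings.get("MaximumPasswordAge", -1)  # -1: never expires
    if max_age < 1 or max_age > 90:
        fail("MaximumPasswordAge", "90 days or less (slide range 60-90)")

    if settings.get("MinimumPasswordAge", 0) < 1:
        fail("MinimumPasswordAge", "1 day or more")

    # Windows counts remembered passwords, not months. Assumption: with one
    # change per max_age days, ceil(365 / max_age) remembered passwords is the
    # lower bound for "no reuse in the trailing 12 months".
    needed = math.ceil(365 / max_age) if max_age > 0 else 24
    if settings.get("PasswordHistorySize", 0) < needed:
        fail("PasswordHistorySize", f"at least {needed} remembered passwords")

    if settings.get("PasswordComplexity", 0) != 1:
        fail("PasswordComplexity", "enabled (1)")

    if not 1 <= settings.get("LockoutBadCount", 0) <= 5:  # 0: lockout disabled
        fail("LockoutBadCount", "lock out after at most 5 invalid attempts")

    duration = settings.get("LockoutDuration", 0)  # -1: until an admin unlocks
    if duration != -1 and duration < 15:
        fail("LockoutDuration", "at least 15 minutes")

    if settings.get("ResetLockoutCount", 0) < 15:
        fail("ResetLockoutCount", "at least 15 minutes")

    return failures


if __name__ == "__main__":
    for name, (value, requirement) in evaluate_policy(parse_system_access(SAMPLE_INF)).items():
        print(f"{name}: found {value}, expected {requirement}")
```

Run against the constructed export it flags six of the eight settings; the lockout duration and reset counter pass because 30 minutes exceeds the 15-minute floor. Any finding here is also a finding for the privileged-user review, since the same policy governs administrator accounts.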


Did you know?

• The biggest violators of IT Security are the senior members of the IT/IS team – the team that is responsible for securing the enterprise

- So I ask you – how do you know that your enterprise is secure and only approved users have access to systems and their access is appropriate for their job function?


Questions


Providing Additional Resources to Meet Your Needs

© Elliott Davis Decosimo, LLC © Elliott Davis Decosimo, PLLC

Subscribe at www.elliottdavis.com/subscribe


Richard Cook, CISA, CISM, CRISC Email: [email protected] Phone: 704.808.5243 Bonnie Bastow CISA, CIA Email: [email protected] Phone: 704.808.5275 Website: www.elliottdavis.com

Elliott Davis Decosimo ranks among the top 30 CPA firms in the U.S. With sixteen offices across seven states, the firm provides clients across a wide range of industries with smart, customized solutions. Elliott Davis Decosimo is an independent firm associated with Moore Stephens International Limited, one of the world's largest CPA firm associations with resources in every major market around the globe. For more information, please visit elliottdavis.com.
