Cyber Resilience Webinar Presentation · Source: “M-Trends 2015: A View From the Front Lines,”...
©2016 Crowe Horwath LLP
Cyber (In)Security
October 27, 2016
Steel Manufacturers Association
Board of Directors Fall Interim Meeting
Overuse of the “Cyber” Prefix
Cyber-overload within the Media
• “These days CyberPatriots go to CyberCamps”
• “Director of National Intelligence told Congress a ‘cyber Armageddon’ is unlikely.”
• CBS has introduced “CSI: Cyber” as a show in the CSI series.
• Twitter account @cybercyber tracks use or abuse of the prefix “cyber”
  • Purpose: “All the cyberpanic you can cyberhandle.”
• Cyber Security or Cybersecurity…
Source: Danny Yadron and Jennifer Valentino-Devries, “This Article Was Written With the Help of a ‘Cyber’ Machine,” The Wall Street Journal, March 3, 2015,
http://www.wsj.com/articles/is-the-prefix-cyber-overused-1425427767
Simplest Definition of Cybersecurity
• “Measures taken to protect a computer or computer system (as on the internet) against unauthorized access or attack”*
• Regardless of the definition, cybersecurity objectives still continue to be:
  • The triad of security for your data and operations
    • Confidentiality
    • Integrity
    • Availability
• Who does it impact?
  • Anyone, individual or organization, connected to a network or the internet
* Source: Merriam-Webster Dictionary, http://www.merriam-webster.com/dictionary/cybersecurity
Cybersecurity Strategy
• Who is leading the initiative?
• Is everyone on the same page?
• What’s our top priority?
• Would we know if we were hacked?
• Who would respond and how?
• What does our Board think?
Management tends to regard cybersecurity predominantly as a technology issue rather than a business issue.
Key Steps
1. Information Security Officers (ISOs) or Chief Information Security Officers (CISOs) and CIOs should maintain focus on business impacts and outcomes from cyber risks for their organization.
2. Provide reports that help the Board (Audit and Risk Committees) focus on your organization's specific cyber risk situation, instead of distracting media headlines.
3. Consider new technology and skilled personnel to organize, execute and maintain the cybersecurity initiative.
Understanding Risk
• An asset is what we are trying to protect.
• A threat is what we are trying to protect against.
• A vulnerability is a weakness or gap in our protection efforts.
• Risk – The potential for loss, damage or destruction of an asset as a result of a threat exploiting a vulnerability.
Asset + Threat + Vulnerability = Risk
The World Today – Recent Cybersecurity Breaches
• Chase
• Target
• Jimmy John’s
• P.F. Chang’s
• Community Health Systems
• The Home Depot
• Adobe
• Apple iCloud
2015 Statistics Snapshot
• 717 breaches (176M records lost) through 2015
• $254/record; the forecast average loss for a breach of 1,000 records is between $52,000 and $87,000.
[Chart: Number of Breaches per year, 2005 through 2015]
Sources:
Verizon Data Breach Report - http://www.verizonenterprise.com/DBIR/
Identity Theft Resource Center - http://www.idtheftcenter.org/
Anatomy of a Cyber Incident
[Diagram: attack path across four zones, Internet, Application, Infrastructure and Endpoint, with the following components: Third Party, Firewall, Remote Users, Mobile Devices, Web Application, Applications, Network, Employees, Workstations, Servers, Printers, Cloud, Database]
Source: Crowe analysis
Attack Scenario
Source: “M-Trends 2015: A View From the Front Lines,” Mandiant, 2015, https://www2.fireeye.com/WEB-2015RPTM-Trends.html
Initial Point of Entry
The point of entry represents how the attacker obtains initial access. Examples include social engineering, unpatched internet-accessible systems, or weak passwords on externally accessible systems. In a 2015 Mandiant case study, the initial point of entry was achieved by logging into an externally accessible virtual system.
Pivot Point
The initial access typically does not provide the information the attacker is looking for. They will take advantage of the initial access to try to increase authority on the network. This could occur through shared passwords, unpatched systems, or excessive privileges. In the Mandiant case study, the attackers took advantage of misconfigured devices and shared passwords to eventually obtain domain administrator authority.
Fortify Access and Access Data
As the attacker pivots around the network, they continue to attempt to escalate their authority until they have the necessary access. They will typically fortify their access by installing malware or backdoors to maintain access. In the Mandiant case study, the administrator credentials the attacker obtained also had authority to the cardholder network, where they installed card harvesting malware to capture credit card data.
Data Exfiltration
Once the attacker has data, they need to get it out of the network. This can be completed through email or FTP. In the Mandiant case study, the malware wrote the cards to a temp file on the database, which was copied to a server, then to a workstation that had internet access, where it was sent via FTP to the attacker.
2015 Detection and Reaction Times
Source: Verizon Data Breach Report - http://www.verizonenterprise.com/DBIR/
Evolving Threats
• The threat landscape is continually evolving…
  • Ransomware
  • Whaling
  • Distributed Denial of Service Attack (DDoS)
    • 10/21/2016 DDoS: “DDoS attack that disrupted internet was largest of its kind in history, experts say”
  • Third-Parties Within Your Supply Chain
  • Newly Acquired Businesses
  • Internet of Things
Third-Party Risk Management
• The Ponemon Institute’s study called U.S. Cost of a Data Breach found that 42 percent of breaches (as identified from survey respondents) were caused by a third-party vendor.
  • Source: http://www.ponemon.org/local/upload/fckjail/generalcontent/18/file/US_Ponemon_CODB_09_012209_sec.pdf
• Most organizations don’t have a comprehensive list of the vendors they share data with.
• Lines of business have the ability to engage vendors with little to no involvement of security personnel.
• Organizations perform minimal oversight of vendors’ control environments.
An Ideal Process
Merger and Acquisition Due Diligence
• Cybersecurity should be part of your due diligence process
  • Not just which ERP application they are running
• Scope should include:
  • Management and Oversight
  • Employee Management
  • Third-Party Risk Management
  • Business Continuity and Disaster Recovery
  • Incident Response
  • Asset Management
  • Threat and Vulnerability Management
  • Network Architecture
  • Logging and Monitoring
  • Logical Access Management
  • Secure Configuration Management
  • Physical Security
• Review through questionnaires, surveys, interviews, review of recent audit and penetration testing, and walkthroughs
Trends in Cybersecurity – “The Internet of Things”
• Everything has an IP
  • HVAC
  • Cars
  • Garage Door Opener
  • Refrigerator
  • Webcams
What about the equipment, controllers, and computers within your factory?
Cyber Resilience
• In the face of a continually evolving and maturing threat environment, organizations must be resilient in order to effectively manage risks.
• Cyber resilience includes concepts such as information security, business continuity management, and organizational resilience.
• Components of cyber resilience include:
  • Asset management
  • Controls management
  • Configuration and change management
  • Vulnerability management
  • Incident management
  • Service continuity management
  • Risk management
  • External dependencies management
  • Training and awareness
  • Situational awareness
Why IT Risk Management Fails
• It’s all a matter of perception…
  • IT Risk is not viewed as a shared risk with the business
    • In reality, the business is part of the first line of defense!
  • Management and IT view risk differently
  • Minimal linkage between ERM and IT Risk Management
  • Security is not prioritized or measured comparative to other operational factors (time to market, budget, etc.)
• Cybersecurity is a component of IT Risk Management
IT Risk Management Process
[Diagram: IT Risk Management process. Assets (Facilities; Third Parties; Technologies: Infrastructure, Applications, Endpoints) feed a Risk Assessment (Threat Assessment: Threat Likelihood, Threat Capability; Impact; Likelihood; Security Assessments) that yields Inherent Risk; Risk Management Programs reduce it to Residual Risk, which is compared against Risk Tolerance and Risk Appetite; Treatment options are Remediation, Acceptance, Transfer, Avoid. Programs shown: Governance; Threat & Vulnerability Management; Unified Control Framework (Industry Standards: ISO, NIST, CoBIT/COSO; Compliance: PCI DSS, HIPAA, SOX, State Privacy); Password Management; Advanced Endpoint Protection; Security Incident and Event Management; Data Loss Prevention; Business Continuity / Disaster Recovery; Security Awareness Training; Data Classification; Data Inventory; Managed Security Services; Control Objectives; Security Assessment; Penetration Testing; Security Intelligence Center; Security Operations; Information Feeds; Incident Planning; Incident Response; External Audit; Internal Audit.]
• Step 1: Risk assessment
• Step 2: Define control objectives
• Step 3: Implement risk management programs
• Step 4: Assess programs
Source: Crowe analysis
How is Cybersecurity Different
• Risk velocity for cybersecurity risks is high
  • The time between a risk scenario occurring and the organization realizing the impact is short.
• The direction for most cybersecurity risks is increasing
  • This is due to heightened awareness (both internally and externally), increased threat activity, and awareness of multiple attack vectors.
• There is still a lack of understanding, even amongst IT professionals, of the true impact of even ‘low’ risk systems.
  • This is oftentimes due to the inability to understand how an attack could traverse the environment.
Cybersecurity Maturity
• Maturity focuses on the capabilities of the people, processes and technologies supporting the organization’s cybersecurity program.
  • People – The necessary skills and abilities to execute necessary tasks.
  • Process – The procedures needed to achieve the goals and objectives.
  • Technology – The supporting IT management tools and infrastructure needed to enable the processes to be carried out.
• Effectiveness – The ability of the organization to achieve the desired results of the control objective.
• Efficiency – The ability of the organization to achieve results cost-effectively.
• Responsiveness – The ability of the organization to react to external and internal influences on information security.
The NIST Cybersecurity Framework – Implementation Tiers
Framework Core
• Functions
  • Identify
  • Protect
  • Detect
  • Respond
  • Recover
• Categories
• Subcategories
• Informative References
Framework Link:
http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf
The NIST Cybersecurity Framework – Implementation Tiers
Tier 1: Partial
• Not formalized
• Ad hoc
• Limited awareness
• Limited external coordination
Tier 2: Risk Informed
• Approved but not established
• Not consistent across the organization
• Informal
Tier 3: Repeatable
• Formal Risk Management
• Organizationally consistent
• Respond to risk changes
• Collaborates with external parties
Tier 4: Adaptive
• Improve based on lessons and indicators
• Risk management part of culture
• Active information sharing with external parties to drive action
Common Cybersecurity Risks
• The top cybersecurity risk areas in our experience
Key Risk Area: Security Governance
Risk examples: Phishing / social engineering; shadow IT (mobile, personal cloud)
Comments: Organizations have been providing training for a while. However, employees continue to be the weakest link in security. Organizations must find solutions to make security part of the organization’s culture, empowering employees to understand and manage the risks independently.
Key Risk Area: Change Management
Risk examples: Patch management; unsecured deployments
Comments: Vulnerabilities are identified regularly, and with the proliferation of technologies and applications, organizations are unable to keep these technologies up to date. In addition, there is a continuing struggle between innovation and security. Employees are still incentivized by meeting deadlines and staying on budget, with minimal security expectations. Organizations need to set the right tone as it relates to security, including providing the right incentives to employees to manage critical risk effectively.
Key Risk Area: Third Parties
Risk examples: Data protection; denial of service
Comments: Organizations’ reliance on third parties has increased significantly, providing them more access than ever to sensitive data and increasing the criticality of the role third-party solutions play in day-to-day operations. Organizations need to develop programs around identification and management of critical vendors commensurate with their potential impact on the business.
Common Cybersecurity Risks
• The top cybersecurity risks in our experience
Key Risk Area: Incident Response
Risk examples: Inappropriate response during an incident
Comments: As public awareness of breaches and their impact continues to rise, potential impacts on companies are also increasing. Organizational perspectives are shifting from incident avoidance to breach mitigation. However, organizations fail to properly plan their response when an incident does occur. Organizations need to clearly define and test incident response procedures that triage, respond to, and remediate incidents when they occur.
Key Risk Area: Balance
Risk examples: Improper balance between security risk and business risk
Comments: Organizations continue to struggle to find the right balance between innovation and security, often taking reactionary approaches to prioritizing strategies. With the heightened sensitivity to breaches, organizations may overcorrect and emphasize security to a point that other business goals are negatively impacted. Organizations need to establish programs to proactively identify and manage risks to levels acceptable to the organization.
Asset Management – Data Protection
• Risks and Threats:
  • Lost or misplaced data
  • Unknown secondary and tertiary data stores
  • Third-party vendors
  • Cloud computing storage
  • Oversharing of data
  • Keeping unnecessary sensitive data
• Threat Responses:
  • Data classification system
  • Data custodians
  • Digital rights management
  • E-discovery
  • Cloud access security brokers
Passwords
• Risks and Threats:
  • Phishing and spear phishing
  • Personal versus business email
  • Reset processes
  • Unnecessary accounts
    • Test accounts
    • Temp accounts
  • Weak passwords
    • Blank
    • “Joe” password
    • Username = password
    • Guessable (Summer2015)
  • Password sharing
    • Temp1
    • Intern1
• Threat Responses:
  • Multi-factor authentication
  • Personal computing restrictions
  • Network segmentation
  • Password management systems
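The weak-password patterns listed above, turned into a check that a reset or provisioning process could run before accepting a password. This is an added example, not code from the deck; the deny-list stems, the minimum length and the season/year pattern are constructed from the slide's examples.

```python
"""Screen a candidate password against the weak-password patterns on this slide.

Added example, not from the Crowe deck: a defender-side check that a password
reset or account-provisioning workflow could run before accepting a password.
The deny list, minimum length and season/year pattern are constructed from the
slide's examples (blank, username = password, Summer2015, Temp1, Intern1).
"""
import re

# Constructed deny list of stems seen in shared/temporary passwords; trailing
# digits or punctuation are stripped before comparison, so "Temp1!" -> "temp".
WEAK_STEMS = {"temp", "intern", "test", "password", "welcome", "changeme"}
SEASON_YEAR = re.compile(r"^(spring|summer|fall|autumn|winter)\d{2,4}[!.]?$")
MIN_LENGTH = 12  # assumed policy minimum, not a value from the slide


def weak_password_reasons(username, password):
    """Return the reasons a password would be rejected; an empty list means it passes."""
    pw = password or ""
    low = pw.lower()
    uname = (username or "").lower()
    if low == "":
        return ["blank password"]
    reasons = []
    if uname and low == uname:
        reasons.append("username equals password (the 'Joe' account)")
    elif uname and uname in low:
        reasons.append("password contains the username")
    if SEASON_YEAR.match(low):
        reasons.append("season + year pattern (e.g. Summer2015)")
    if re.sub(r"[\d!@#$.]+$", "", low) in WEAK_STEMS:
        reasons.append("common temporary/shared password (e.g. Temp1, Intern1)")
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    return reasons


def screen_accounts(accounts):
    """Run the check over (username, password) pairs; return only the failing ones."""
    findings = {}
    for user, pw in accounts:
        reasons = weak_password_reasons(user, pw)
        if reasons:
            findings[user] = reasons
    return findings


# Constructed sample of provisioning requests, as a reset process might see them.
SAMPLE_ACCOUNTS = [
    ("jsmith", ""),
    ("joe", "joe"),
    ("mlee", "Summer2015"),
    ("intern", "Intern1"),
    ("test_acct", "Temp1!"),
    ("akumar", "correct horse battery staple"),
]

if __name__ == "__main__":
    for user, reasons in screen_accounts(SAMPLE_ACCOUNTS).items():
        print(user, "->", "; ".join(reasons))
```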
Password Strength
https://www.xkcd.com/936/
Data Exfiltration
Source: Crowe analysis
• Risks and Threats:
  • Incidents lead to breach
  • Data is accidentally or maliciously disclosed
  • Oversharing of data
• Threat Responses:
  • Content filtering
  • Personal email
  • Online storage
  • Firewall rules
  • Portable storage
  • Data loss prevention
Logging and Monitoring
• Risks and Threats:
  • Breach activity
  • Bot activity
  • Data compromise
  • Lack of data for forensic investigation
  • Privacy violations
• Threat Responses:
  • Centralized log storage
  • Trend detection and response
  • Privacy alerts
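The last hop of the Attack Scenario earlier in the deck (a workstation with internet access sending harvested data out over FTP) is exactly what the firewall-rule, trend-detection and centralized-logging responses on the Data Exfiltration and Logging and Monitoring slides are meant to catch. As an added example, not code from the deck or from the Mandiant report, here is a minimal detector over centralized firewall logs; the log line format, internal address ranges, sample lines and byte threshold are all constructed assumptions.

```python
"""Flag clear-text FTP and unusually large outbound transfers in firewall logs.

Added example, not from the Crowe deck or the Mandiant report. The log line
format, address ranges, sample lines and byte threshold are constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed log format: "<timestamp> src=<ip> dst=<ip> dport=<port> bytes_out=<n>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) bytes_out=(?P<bytes>\d+)$"
)
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
WATCHED_PORTS = {21: "ftp", 20: "ftp-data"}   # clear-text file transfer, as in the case study
VOLUME_THRESHOLD = 50 * 1024 * 1024           # bytes per source host per log window (assumed)


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    """Return a dict for a well-formed line, or None so junk lines are skipped."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def detect_exfil(lines):
    """Alert on internal->external flows to watched ports and on per-host volume outliers."""
    alerts = []
    bytes_by_host = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_internal(rec["src"]) or is_internal(rec["dst"]):
            continue  # only flows leaving the internal ranges matter here
        bytes_by_host[rec["src"]] += rec["bytes"]
        if rec["dport"] in WATCHED_PORTS:
            alerts.append({"kind": WATCHED_PORTS[rec["dport"]], "src": rec["src"],
                           "dst": rec["dst"], "ts": rec["ts"]})
    for src, total in bytes_by_host.items():
        if total > VOLUME_THRESHOLD:
            alerts.append({"kind": "volume", "src": src, "bytes": total})
    return alerts


# Constructed sample: a workstation talks HTTPS normally, then opens an FTP
# control channel and pushes about 70 MiB to an external host; the remaining
# lines are internal-to-internal, inbound, and malformed, and must not alert.
SAMPLE_LOG = """\
2016-10-21T02:11:04Z src=10.20.5.17 dst=93.184.216.34 dport=443 bytes_out=18211
2016-10-21T02:13:40Z src=10.20.5.17 dst=198.51.100.8 dport=21 bytes_out=412
2016-10-21T02:13:55Z src=10.20.5.17 dst=198.51.100.8 dport=20 bytes_out=73400320
2016-10-21T02:14:02Z src=10.20.5.44 dst=10.20.9.2 dport=21 bytes_out=9000
2016-10-21T02:15:10Z src=203.0.113.7 dst=10.20.5.17 dport=22 bytes_out=500
not a log line
""".splitlines()

if __name__ == "__main__":
    for alert in detect_exfil(SAMPLE_LOG):
        print(alert)
```

A production version would pull the internal ranges from the asset inventory and tune the volume threshold per host class, which is why both are flagged as assumptions above.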
Common Breach Vectors
• Viruses/Malware
• 0-day vulnerabilities
  • Heartbleed, Shellshock, POODLE
• SQL Injections
• Stolen/re-used credentials
• More than 80% of breaches “have a root cause in employee negligence”
  • Misconfiguration/Default Configuration
  • Lack of Patching
  • Weak Passwords
  • Social Engineering
• Awareness Training is Key!
Security Awareness
• Sometimes, employees don’t understand the risks:
  • “One-third of employees say they break IT policies because they don’t believe they’re doing anything wrong when doing so.”*
  • “61% say it’s up to IT staff, not them, to safeguard information and devices”*
• What are the big risks?
  • Phishing
  • Social engineering
  • Drive-by attacks
  • Access to third parties
* Source: Don Reisinger, “Younger Workers Pose Big Security Risks,” Baseline, Dec. 21, 2011, http://www.baselinemag.com/c/a/Security/Younger-Workers-Pose-Big-Security-Risks-888439/
Ransomware [Defined]
• Per the FBI Cyber Division
  • Ransomware is a form of malware that targets both human and technical weaknesses in organizations and individual networks in an effort to deny the availability of critical data and systems.
• Evolution
  • First reported instances of Ransomware… 1989 using floppy disks!
  • 1996 produced research on the subject matter
  • Modern-day Ransomware began in 2005
  • First “mass-deployed Ransomware” in 2012
Source: http://blog.talosintel.com/2016/04/ransomware.html#ch2
Ransomware [Attack-flow]
• Primary attack vector: social engineering
• Takeaway: results are different; attack vectors and recommendations are not
• Preparedness activities on next slides
• Moment to pause:
  • What would the impact to your organization be? Loss of:
    • Files
    • Workstation(s)
    • Servers
Source: Courtesy of the Information Assurance Directorate at the National Security Agency, https://www.iad.gov/iad/library/ia-guidance/tech-briefs/ransomeware-locky.cfm
Case Study
Case Study 1: Ransomware Infection
A staff member has downloaded a virus containing Ransomware from a malicious email attachment. It has begun to encrypt or lock all files available to them on their computer as well as all of the files available to them on shared drives. The staff member has a message on their screen with instructions on how to pay the criminals to unlock the files, as well as links to news stories about large organizations paying to successfully unlock their files. The ransom is 12 chatcoin, an anonymous cryptocurrency, or approximately $20,000 USD.
Currently about 40% of the 70,000 files that the staff member has access to have been locked by the Ransomware. The files that have been locked have become unavailable to other users on the network. The files contain important intellectual property, CAD drawings and financial data for their manufacturing processes.
Questions to consider include:
• What key players should be involved in the work to resolve this issue?
• What tactical steps need to be taken to contain the Ransomware?
• What are some of the key factors in deciding whether to pay the ransom?
• What are some of the repercussions of deciding to pay the ransom?
• What kinds of technical protections/controls could have prevented the situation?
• How do we estimate the impact of the potential loss of intellectual property?
• Will you disclose any details surrounding the compromise? How and which details?
Ransomware [Preparedness]
• This is a global issue which does not appear to be dissipating anytime soon, and your chances of successfully thwarting an attacker are rooted in basic information security 101 activities:
• Strategic…
  • Know where all of your critical data is located
    • This is a security fundamental most organizations cannot effectively answer to drive their IT operations
  • Ensure external access is as minimalistic as possible
    • Understanding what exposure your enterprise has externally is key (e.g. the last VOIP upgrade, were any ports opened externally? How about for the new MDM solution?)
  • Have realistic/practical logging in place
    • Logging should not be treated like a check box; it needs to be practical and actionable
  • Isolate systems that cannot be patched, upgraded, or protected with cybersecurity controls
    • If you can’t fix them, securely isolate them
Ransomware [Preparedness]
• Tactically, what should we be reviewing…
  • Email Content Filtering: What is able to be delivered to employees?
  • Security Awareness: How well are employees trained?
  • Endpoint Protection: Is there a layered approach?
  • Propagation: Are we limiting the avenues for privilege escalation, including local administrator? Share permissions?
  • Data Backups: Have procedures been tested?
  • Data Exfiltration: What channels of communication are available outbound?
  • Incident Response: Can we respond in a timely manner with the right skills?
Incident Response Planning
• 27% of organizations don’t have a breach response plan or team in place
• 37% have not reviewed or updated their plan since it was created
• Questions to consider:
• What will I do?
• What are the laws?
• What will my regulator say?
• How much will my customers ask?
• Who will I call?
• How do I stop it?
Incident Response Planning
Plan & Practice
  • Risk assessments
  • Deployed security controls/solutions
  • Routine testing/audits
  • User awareness/education
Identify & Respond
  • Your alarms: malware, whitelisting, DLP, SIEM, etc…
  • Tip lines
Investigate, Contain, & Remove
  • Specialized training, techniques
  • Specialized tools/solutions
  • Outside help predetermined
Reflect & Refine
  • Metrics
  • Measures
  • Proof of performance
Incident Response Planning – Observed Shortfalls From Our Investigations
• Lack of awareness about what critical data is actually on an IT system
• Improper handling of a compromised IT system
• No available IT system backups
• No reasonable security detection, logging, or monitoring on key IT systems
• No/poor detective controls – typically another system breaks as a symptom of the original breach situation before action is taken
• No plan to communicate with internal employees, external customers, or law enforcement/reporting agencies
Incident Response Planning – Minimum Requirements
• Know where all of your critical data is on your IT systems
• Ensure that external IT system access is as minimal as possible
• Have real-time and archived logs available for all critical IT systems
• Keep all anti-malware software enabled and updated
• Routinely patch all software – at a minimum, monthly
• Isolate systems that cannot be patched, upgraded, or protected with software-based firewalls or anti-malware
Questions or Additional Information Requests
Jim Stempak, Partner
Technology Risk Consulting
+1 214-777-5203 Office
+1 214-422-6801 Cell
https://www.linkedin.com/in/jstempak
Cybersecurity Watch Blog:
https://www.crowehorwath.com/cybersecurity-watch/
Follow Our Cybersecurity Watch Blog (RSS)
Follow Crowe Risk on Twitter