Cybersecurity
A presentation to the National Association of Black Accountants – Cleveland Chapter
Contents
1 Cybersecurity and risk management
2 Cybersecurity and the regulatory environment
3 Cybersecurity and the audit
4 Appendix
Page 2
“Resources devoted to cyber-based threats are expected to eclipse resources devoted to terrorism.”
The Honorable James B. Comey, Jr., Director of the Federal Bureau of Investigation, Statement of the Federal Bureau of Investigation before the Committee on Homeland Security and Governmental Affairs, United States Senate
“The constant threat of cyber attack is real, lasting and cannot be ignored.”
Luis Aguilar, Commissioner of the Securities and Exchange Commission, SEC Cybersecurity Roundtable
What is it and what is the risk landscape?
Page 3
What is cybersecurity?
► Cybersecurity is the body of:
  ► Technologies
  ► Processes
  ► Practices
► Designed to protect networks, computers, applications and data from attack, damage or unauthorized access, typically via the internet or other forms of connectivity.
Page 4
What is cybersecurity risk?
► Represents the possibility that these technologies, processes and practices can be circumvented, allowing unauthorized users to:
  ► Access or exfiltrate protected or sensitive information, such as:
    ► Intellectual property
    ► Proprietary information
    ► Credit card information
    ► Personally identifiable information
    ► Protected health information
  ► Modify and/or delete key applications and information, which could affect the accuracy and/or integrity of processing (both financial and/or operating).
  ► Disrupt computer-controlled operations
Page 5
Is every company a target?
Common misconception
“I don’t process credit card transactions internally; therefore, my company is not a target.”
Reality
Companies can be targeted for many reasons:
► Company is a vendor of the ultimate target
► Gain access to research and development information
► Stock price manipulation
► Gain access to sensitive merger and acquisition information
► Disrupt operations
Page 6
How have cybersecurity threats evolved?
[Chart: risk plotted against attacker resources and sophistication, from script kiddies through hackers, malicious insiders and criminal gangs to APT. Motivations shown: amusement, experimentation, nuisance, notoriety; money, embarrassment, political, social or environmental causes; revenge, personal gain, stock price manipulation; cash, credit cards, identities, inside information; state-sponsored espionage, market manipulation, competitive advantage, military/political objectives]
Unsophisticated attackers (script kiddies)
► You are attacked because you are vulnerable.
Sophisticated attackers (hackers)
► You are attacked because you have information of value.
Corporate espionage (malicious insiders)
► Your current or former employee seeks financial gain from stealing and selling your intellectual property (IP).
Organized crime (criminal gangs)
► You are attacked because you have money or something else of value that can be sold.
State-sponsored attacks and advanced persistent threat¹ (APT)
► You are targeted because of who you are, what you do
¹ An advanced persistent threat (APT) is a set of sophisticated, stealthy and continuous computer attacks, often targeting a specific entity with business or political motives. The processes used involve a high degree of covertness over a long period of time, using sophisticated techniques to exploit vulnerabilities in systems.
Page 7
What can a targeted attack look like?
[Diagram: attack life cycle]
Stages: intelligence gathering; initial exploitation; command and control; privilege escalation; data exfiltration
Steps: conduct background research; execute initial attack; establish foothold; enable persistence; conduct enterprise reconnaissance; move laterally to new systems; escalate privileges; gather and encrypt data of interest; maintain persistent presence; exfiltrate data from victim systems
Annotations: point where most targets are notified of the attack (generally by third parties); potential detection point with robust threat intelligence; degrading security posture or health as the attack life cycle progresses; accelerating attack detection
Page 8
How are security programs positioned to deal with today’s cyber risks?
Some top-of-mind questions for today’s information security executives are:
► How does my information security program compare with those of my peers in the industry?
► Is my information security strategy aligned with business objectives?
► How well do we protect high-value information, especially given today’s increasingly mobile workforce?
► Are we well prepared to monitor, detect and respond to information security threats?
► Do we have the right people and skill sets?
► Are we spending on the right information security priorities?
► Am I or have I been the victim of an attack or a breach?
Source – Global Information Security Survey, Ernst & Young LLP, 2015.
Today’s information security programs must enable business objectives and defend against threats while investing in the right priorities.
Page 9
► unlikely they would be able to detect a sophisticated attack
► lack of skilled resources is challenging Information Security’s contribution and value to the organization
► see criminal syndicates as the most likely source of an attack today
Source – Global Information Security Survey, Ernst & Young LLP, 2015.
Spend considerations
Page 10
[Chart: most likely source of an attack; respondents were asked to choose all that apply]
Criminal syndicates 59%; Employee 56%; Hacktivists 54%; Lone wolf hacker 43%; External contractor working on our site 36%; State sponsored attacker 35%; Supplier 14%; Other business partner 13%; Customer 12%; Other (please specify) 3%
Source – Global Information Security Survey, Ernst & Young LLP, 2015.
Page 11
What are the motivations and who are the common attackers?
Motivations | Common targets | Common attackers
► Financial gain through the theft of Intellectual Property and/or proprietary information | and development
Companies that manufacture/produce products that leverage certain IP to maximize their advantage in the marketplace (e.g., aerospace and defense, drug manufacturing, companies negotiating M&A transactions)
► Financial gain through access to non-monetary assets (e.g., personally identifiable information - PII), which can be sold to others | Companies with credit card information and/or
contractors
► Financial gain through direct access to monetary assets and/or financially relevant information | Banks, insurance companies, trading firms
► Political disruption, terrorism, service disruption | Financial markets, power generation and distribution facilities, oil and gas exploration and distribution facilities
► Manipulation of stock price | Companies competing in emerging or expanding markets
Page 12
3rd Party Attack Vector
Cyber criminals attacking company networks using 3rd party vendor connections.
Ransomware
Criminals disabling company networks with ransomware such as “CryptoLocker” and demanding ransom payment.
Market Manipulation Attacks
Compromised corporate assets leading to manipulation of financial markets (e.g., Twitter attacks on AP and Burger King), as well as compromising trading activity and acting on it and/or front running.
Convergence of Attacks
Cybersecurity attacks are converging with physical security attacks to cause comprehensive damage (e.g., cyber attack
Page 13
What is the current risk landscape?
Page 14
What is the current risk landscape?
until the right moment to pounce
environment – including people and process
Page 15
Historical approaches to security are not good enough
► Historically:
  ► Companies relied on “layers of defense”
  ► Controls at the firewall, network, host and application levels
  ► Focused on managing the risks you were aware of and implementing point solutions
► Today & into the future:
  ► The perimeter of your network can no longer be defined and effectively controlled (cloud, mobile devices, connections to 3rd parties)
  ► Attackers have learned to be patient and exploit lower risk vulnerabilities that are often ignored, thus allowing their exploits to go unnoticed
    ► Gain a foothold
    ► Expand their level of access
    ► Broaden their level of access to other networks and applications
  ► Focus on predicting where the next risks will be and evolving solutions (“active defense”)
Page 16
The “new normal” for cybersecurity
► Your approach needs to evolve to “Complicate, Detect, Respond and Sustain”
► Since absolute prevention is not feasible, companies must move to a posture of preparedness and response
► Adversaries are using social engineering and social networks to target sensitive roles or individuals within an organization that either have knowledge, use of or access to the data targeted
[Diagram: Govern at the center of four activities]
► Complicate: complicate an attacker’s ability to achieve their objective
► Detect: implement controls to detect the attack before meaningful business impact is accomplished
► Respond: effectively and efficiently respond to and remediate an attack
► Sustain: design and execute a formal, sustainable strategy
Page 17
The response gap
► Companies continue to make progress to respond to information security threats
► However, the number and sophistication of threats are increasing faster
► As a result, the gap is widening
Roadblocks:
► Lack of agility
► Lack of budget
► Lack of cybersecurity skills
[Chart: “The gap”, 2006 to 2016]
Page 18
Page 19
► Companies can no longer operate and execute their cybersecurity program in
each other, so too must a company’s cybersecurity risk management culture be dependent on many groups, needs, and risks.
Recent trends in cybersecurity risk management:
► Development of IT risk processes, risk and controls framework integration into the Company’s risk reporting, and relevant metrics / dashboards that are correlated into the Company’s overall risk appetite.
► Increase in sophistication of simulated attacks (table top exercises)
► Increase in complexity of external party penetration testing, including:
  ► Malicious insider consideration
  ► Social engineering aspects
  ► Coordinated incident response attacks
► Controls Based Defense in Depth Models
► Identification of the Company’s “Crown Jewels”, agreed to at the Board level
► Audit Committee and Board presentation of program health, recent potential incidents, and planned activities
► Cybersecurity Examination Preparation and Execution
Page 20
[Diagram: cyber risk management. Roles: BOD, CEO, CFO, GC, CRO, COO, CIO, CISO, Operations, Incident Response. Dimensions: standard of due care - disclosure; enterprise risk management - cyber; acceptable level; cyber legal risk, cyber financial risk, cyber operational risk; exfiltration prevention & breach investigation on one side, business assurance on the other; protect most valued assets & critical business systems]
Page 21
How are cybersecurity risk management activities typically allocated?
Function (stakeholder): risk management for cybersecurity risks across Govern (ongoing), Respond (incident and breach) and Contain (damages and liabilities)
Board/audit committee
► Govern: Set standard of due care; periodically evaluate cybersecurity risk governance and review annual cybersecurity risk assessment; oversight of management’s cybersecurity risk disclosures per SEC guidance
► Respond: Monitor breach notifications and governance process and updates
► Contain: Re-evaluate cybersecurity risk governance oversight; re-evaluate standard of due care; re-evaluate cybersecurity risk disclosures
Executive management
► Govern: Identification of critical assets; prepare cyber risk assessment; prepare incident response plan; prepare cybersecurity risk disclosures per SEC guidance
► Respond: Categorize and assess incidents
► Contain: Develop short-term and long-term remedial actions
Risk management (e.g., CRO)
► Govern: Define and oversee ongoing technology risk management program for cybersecurity risks
► Respond: Monitor breach and cybersecurity risk trends and measure risk management execution
► Contain: Evaluate effectiveness of cybersecurity breach response and technology risk management
Page 22
How are cybersecurity risk management activities typically allocated?
Function (stakeholder): risk management for cybersecurity risks across Govern (ongoing), Respond (incident and breach) and Contain (damages and liabilities)
Legal (e.g., GC)
► Govern: Develop cybersecurity risk legal response strategy; approve cybersecurity breach response program
► Respond: Execute breach communications plan; execute authority/regulator response plan
► Contain: Perform cybersecurity risk liability control (long lived)
Information security (including incident response team) (e.g., CISO)
► Govern: Build threat mitigation program to plan/protect most critical assets; establish incident, investigation and forensics response programs and conduct tests
► Respond: Detect and respond to incident; execute investigation plans, including incident forensics
► Contain: Assess effectiveness of cybersecurity incident response; execute incident remediation plan and assess effectiveness
Notice that Complicate and Sustain are NOT RISK MANAGEMENT FUNCTIONS
Page 23
Page 24
Regulations are increasing
► Cyber disclosure guidance (SEC) - October 2011
► Cybersecurity Presidential Executive Order - February 2013
► SEC announces cybersecurity to be a focus during their 2014 reviews of investment advisors
► US Commerce Department’s National Institute of Standards issues Cybersecurity Framework - February 2014
► SEC cybersecurity-focused roundtable - March 2014
► Increased fiduciary responsibility of boards
► Cyber insurance coverage expanding
► 2015 NYDFS declarations of increased focus for banks AND insurance companies
Risks that regulations address
► Theft of financial assets
► Brand and reputational impact
► Theft of intellectual property, or other sensitive information
► Loss or destruction of confidential company, client, and investor data
► Disruption to the operations of the company and/or their business partners
► Large scale attack due to overflow can result in loss of credentials, and customer information
► Compromise of Personal Identity data may lead to compliance and regulatory fines
Increased regulatory compliance for cybersecurity is the new normal
Page 25
Page 26
What impact does cybersecurity have on the audit?
► Based on our knowledge of past high-profile breaches, cyber risks are unlikely to represent risks of material misstatement to the financial statements:
  ► Cyber risks are not typically exploited within the transaction stream
  ► The likelihood of an attacker making material unauthorized changes to production data or programs that would go undetected is not significant, among other reasons.
► Further, the auditor does not presume that cyber threats represent a risk of material misstatement to the financial statements, even when there is a risk of a cyber-breach or a breach has occurred.
► However, the auditor considers cybersecurity as part of understanding the entity and its environment, which includes considering whether cyber risks represent a risk of material misstatement to the financial statements.
Page 27
What is covered in an external audit of financial statements and internal control over financial reporting relative to IT risks?
► During the risk assessment procedures, auditing standards require that auditors obtain an understanding of and evaluate the various “business risks” that affect the Company
► As IT typically has a material impact on the internal controls of most companies, the standards also require that auditors obtain an understanding of:
  ► How the company uses IT
  ► How IT affects the financial statements
  ► The extent of the company’s use of automated controls and the impact of these controls (including IT general controls) relative to financial reporting.
► Based on this understanding, auditors develop an audit approach
Page 28
What is covered relative to cybersecurity risk?
► Auditing standards do not require that cybersecurity be given any special consideration; it is evaluated like various other potential business risks
► Another consideration:
  ► A company’s overall IT environment is made up of components that support:
Business Activity | IT Component
Financial reporting | Financial applications; supporting databases; supporting operating systems
All other operating activities | Other business applications; other databases; other supporting operating systems; internal networks; perimeter networks
  ► An audit of financial statements only covers the portion of IT that supports internal controls over “financial reporting.”
  ► Security breaches typically occur within the “operational” components of a company’s IT environment; therefore, cybersecurity is not a primary focus.
Page 29
What is the nature and extent of audit procedures?
► Through inquiry and observation, the auditor must develop an informed view
assessment process related to cybersecurity and the actions management has taken to manage its cyber risk. Focus areas include:
  ► Privileged account access
  ► Governance / risk assessment program
  ► Security monitoring activities / incident management program
  ► Security awareness program
  ► Threat and vulnerability management program
  ► Patch management program
  ► Vendor risk management program
  ► Data classification program (i.e., information asset safeguarding)
► If the auditor determines that cyber threats represent a risk of material misstatement to the financial statements, the auditor designs and implements appropriate responses to address the identified risks.
Page 30
What represents a cybersecurity breach of audit significance? (continued)
A breach of audit significance generally occurs when:
1. An unauthorized user gains administrator-level access rights to a system
  ► Access or exfiltrate protected or sensitive information
    ► Could result in: (1) fines / penalties, (2) lawsuits requiring the recording of material liabilities, and/or (3) commitment and contingency disclosures
  ► Modify and/or delete protected financially-relevant applications and information
    ► Could affect the accuracy and/or integrity of processing
  ► Disrupt significant computer-controlled operations
Page 31
What represents a cybersecurity breach of audit significance? (continued)
A breach of audit significance generally occurs when:
2. An authorized user leverages their access to perform unauthorized activity
  ► Access/modify protected financially-relevant applications or information
  ► Exfiltrate protected information
  ► etc.
Page 32
What are the audit considerations when a breach is identified?
When a known or suspected cyber breach comes to the auditor’s attention (through inquiries, other audit procedures or through other sources):
Auditors expect that management will investigate the matter, as appropriate in the circumstances, as well as:
► and records) may have been manipulated in a way that could cause a material misstatement in the financial statements
► identified risks of potential misstatement in the financial statements
Page 33
Board reporting
Cyber security has historically been a topic of discussion in board rooms, but the increase in the volume and severity of attacks, coupled with the increased scrutiny by regulators, has significantly elevated its importance. Audit committees are now expected to have an appropriate understanding of the business implications of cybersecurity risks on the company to enable them to evaluate:
guidance.
Page 34
Board reporting
Leading boards expect regular (e.g., quarterly) updates from management on information security and cyber threat intelligence that are both meaningful and actionable. The report should address the following:
what other actions management considered, but elected not to pursue.
management evaluate and categorize incidents identified and determine which incidents to elevate to senior leadership? What activity has been seen since the last report?
Page 35
Questions / comments / discussion
Presenter information:
Calvin Slegal | calvin.slegal@ey.com | 412.644.7473
EY thought leadership / other materials
www.ey.com/GRCinsights
www.ey.com/GL/en/Services/Advisory/EY-cybersecurity
www.ey.com/US/en/Industries
Page 36
Achieving resilience in the cyber ecosystem
www.ey.com/cyberecosystem (to be published December 2014)
Security Operations Centers
www.ey.com/SOC
Using cyber analytics to help you get on top
www.ey.com/3SOC
Cybersecurity and the Internet of Things
www.ey.com/IoT
Managed SOC: EY’s Advanced Security Center; world class cybersecurity working for you
www.ey.com/managedSOC
Get ahead of cybercrime: EY’s Global Information Security Survey 2014
www.ey.com/GISS2014
Please visit our Insights on governance, risk and compliance series at www.ey.com/GRCinsights
Cyber program management: identifying ways to get ahead of cybercrime
www.ey.com/CPM
Cyber threat intelligence: how to get ahead of cybercrime
www.ey.com/CTI (published November 2014)
Unlocking the value of your program investments
www.ey.com/prm
Page 37