Information Systems Asset Protection: Monitoring SYSTEM ATTACKS - - PowerPoint PPT Presentation

Presented by Kevin Henry, CISA CISM CRISC CISSP (Kevinmhenry@msn.com). Asset Protection – Monitoring. Agenda: Systems Attacks; Security Testing and Monitoring; Investigating Incidents.

SLIDE 1

Information Systems Asset Protection: Monitoring

SYSTEM ATTACKS

Kevin Henry

CISA CISM CRISC CISSP

Kevinmhenry@msn.com

SLIDE 2

Asset Protection – Monitoring

Agenda:

  • Systems Attacks
  • Security Testing and Monitoring
  • Investigating Incidents

SLIDE 3

Systems Attacks

SLIDE 4

Systems Attacks

Incidents that impact:

  • Confidentiality
    § Theft or exposure of data
  • Integrity
    § Non-repudiation
  • Availability
    § Denial of service
    § Distributed denial of service
      § Botnets and zombies

SLIDE 5

Systems Attacks

In order to ensure appropriate and adequate protection from attacks, the auditor should review and assess the accuracy, timeliness and thoroughness of:

  • Risk assessment
  • BIA
  • Previous incidents
  • Previous audits
  • External sources of threat intelligence
  • Actions taken on identified threats

SLIDE 6

Computer Crime

Most computer-related crimes are crimes committed using a computer:

  • Fraud
  • Abuse / stalking

These are usually addressed through traditional laws; however, the investigation is often challenging, as seen in Module three of this course.

SLIDE 7

Computer Crime

A computer crime is a crime against a computer or network:

  • Malware
  • Denial of service

SLIDE 8

Factors That Contribute to Computer Crime

Causal factors that affect computer crime:

  • Lack of skilled staff
    § Prevention, detection, investigation
  • Insecure implementations
    § Unpatched and misconfigured
  • Globally accessible
  • No time limits on access

SLIDE 9

Impact of Computer Crime

  • Financial loss
    § Direct
      § Cost to repair / recover
    § Indirect
      § Fines, customer confidence
  • Loss of intellectual property
    § Competitive advantage
  • Greater costs of compliance
  • Increased insurance costs

SLIDE 10

Attacks

Understanding the threat source:

  • Human factor:
    § Accidental / Intentional
    § Employees
    § Customers
    § Criminals
    § Hackers
    § APTs

SLIDE 11

Threat Source Continued

  • Natural events
    § Storms, earthquake, flood
  • Circumstantial
    § Neighboring building
    § Utility
    § Supply chain
    § Defective products

SLIDE 12

Attack Types

  • Passive
  • Active
  • Stealth

SLIDE 13

Vulnerabilities

The auditor seeks to identify any vulnerabilities in:

  • Patches
  • Policy
  • Procedures
    § Being followed
  • Training
  • Monitoring

SLIDE 14

Control Review

Controls may be:

  • Managerial / Administrative
  • Technical / Logical
  • Operational
  • Physical / Environmental

SLIDE 15

Key Points Review

Most compromises of networks and systems are the result of a combination of factors – usually not related to the skill of the attacker:

  • Misconfiguration
  • Poor controls
  • Poor monitoring

SLIDE 16

Examining Attacks

SLIDE 17

System Attacks

Attacks may come via:

  • Networks
    § Denial of service
    § Compromise of devices connected to the network
    § Misrouting of traffic
    § Sniffing, eavesdropping
    § Alteration of traffic

SLIDE 18

Auditor Responsibility Regarding Network Attacks

Review for:

  • Network management
    § Diagrams
    § Network segmentation
  • Training of staff
  • Change control
  • Single points of failure
    § Redundancy
  • Monitoring

SLIDE 19

System Attacks

Attacks may come via:

  • Software
    § Applications
    § Operating systems
    § Drivers, utilities, hypervisors
    § Application Program Interfaces (APIs)

SLIDE 20

System Attacks

Software attack surface

  • Inputs
  • Validation
  • Outputs
  • Distribution
  • Logic flaws
  • Bugs
  • Version control
  • Regression testing

SLIDE 21

Auditor Responsibility Regarding Software Attacks

Review for:

  • Software management
    § Designed-in and built-in security
    § Baseline configurations
    § Hardening
    § Change control
    § Version control
    § Monitoring

SLIDE 22

System Attacks

Attacks may come via:

  • Hardware
    § Process isolation
      § Meltdown, Spectre
    § Failure
      § Unpatched, unmaintained

SLIDE 23

Auditor Responsibility Regarding Hardware Attacks

Review for:

  • Hardware management
    § Age
    § Maintenance
    § Patching
    § Redundancy
      § Reliance on a single dependency: power, backplane, vendor

SLIDE 24

System Attacks

Attacks may come via:

  • Physical
    § Theft or loss of equipment
    § Loss of power
    § Heating, ventilation and air conditioning malfunction
    § Fire
    § Water damage
      § Flooding
      § Broken water pipes, leaky roof

SLIDE 25

Auditor Responsibility Regarding Physical Attacks

Review for:

  • Asset inventory
  • Labeling of equipment
  • Preparedness for natural events
  • Review of fire suppression systems
  • Adequate backup power
    § UPS
    § Generators

SLIDE 26

System Attacks

Attacks may come via:

  • People
    § Untrained
    § Discontent
    § Not following procedures or policy
    § Pressure to ‘get the job done’
    § Stress / overwork

SLIDE 27

Fraud

The auditor should assess the risk of fraud or irregular acts during every audit:

  • ‘Trusted staff’
  • Escalated permissions
  • Senior staff

SLIDE 28

Auditor Responsibility Regarding People Attacks

Review for:

  • Training
  • Procedures / policy
  • Access controls
    § Least privilege / need-to-know
    § Separation of duties
  • Monitoring
  • Human Resources practices
    § Hiring, development, termination
    § Promotion – treated fairly

SLIDE 29

Key Points Review

An information system is built using many components – technical, people and processes.

  • The auditor must evaluate the performance of all components in order to ensure reliable and secure system operations

SLIDE 30

Malware Attacks

SLIDE 31

Malware

Examples of Malware Attacks:

  • Virus
  • Worm
  • Trojan Horse
  • Logic Bomb
  • Ransomware
  • Spyware

SLIDE 32

Preventing or Responding to Malware

  • Training and awareness
  • Technical solutions
  • Patching
  • Monitoring
  • Backups
  • Network segmentation
  • Virtual environments

SLIDE 33

Targeted Attacks

Many attacks are based on opportunity

  • Not targeted

Some (such as APTs) are targeted against a specific industry or organization:

  • Governments
    § Municipal
    § Military
    § Research and development
  • Industry sectors
    § Health care
    § Financial

SLIDE 34

Preparation for Attacks

  • Threat intelligence
    § Events affecting similar organizations
    § Honeypots
    § IDS / IPS
  • Incident management program
    § Prevent, detect, respond

SLIDE 35

Summary

Attacks are inevitable – and perhaps so are incidents

  • But due care requires taking steps to avoid or minimize the effect of attacks
  • Due diligence is following up and ensuring that there are adequate and appropriate controls in place
    § Managerial
    § Technical
    § Physical