IT AUDIT AND SECURITY COMPLIANCE: WHERE TO FOCUS YOUR EFFORTS FOR 2014-15 - PowerPoint PPT Presentation



SLIDE 1

IT AUDIT AND SECURITY COMPLIANCE: WHERE TO FOCUS YOUR EFFORTS FOR 2014-15

IT Audit and Security, O’Connor & Drew, P.C.
Jake McAleer, @johnjakem

O'Connor & Drew, P.C. www.ocd.com @ocdcpa


March 2014

SLIDE 2

Jake McAleer, CISA

jmcaleer@ocd.com @johnjakem

Professional Profile

  • Senior IT Audit and Security Manager, O’Connor & Drew, P.C.
  • Director of Operations, Dyn
  • Senior IT Auditor, State Street Bank
  • Network and Systems Engineer, Raytheon Company

Industry Expertise

  • Internet Services and Infrastructure (IaaS, PaaS, SaaS, Colocation, Data Center)
  • Financial Services
  • Manufacturing
  • Government
  • Not-for-Profit Organizations
  • Family-Owned Businesses


SLIDE 3

INFORMATION SECURITY PROGRAM

An Overview Of A Security Program and Review of IT Control Terminology


SLIDE 6

Risk Rating

  • Many people confuse the risk event for the risk rating
  • Risk Event = The description of the risk
  • Risk Rating = Likelihood + Impact

Prioritizing your audit program by risk is called a “Risk-Based Audit Approach”


SLIDE 8

Security Programs Vary By Business

  • Every business is different
  • No one framework or law will completely protect you
  • Vendors can help, but don’t rely entirely on them

You know your business better than anyone, so your input is key!

  • Internal owners manage and enforce the process
  • Employees must be provided direction and training
  • All programs need proper ownership, employee education, and enforcement


SLIDE 11

  • The password must be exactly 8 characters long.
  • It must contain at least one letter, one number, and one special character.
  • The only special characters allowed are: @ # $
  • A special character must not be located in the first or last position.
  • Two of the same characters sitting next to each other are considered to be a “set.” No “sets” are allowed.
  • Avoid using names, such as your name, user ID, or the name of your company or employer.
  • Other words that cannot be used are Texas, child, and the months of the year.
  • A new password cannot be too similar to the previous password.
      • Example: previous password - abc#1234, acceptable new password - acb$1243
  • Characters in the first, second, and third positions cannot be identical. (abc*****)
  • Characters in the second, third, and fourth positions cannot be identical. (*bc#****)
  • Characters in the sixth, seventh, and eighth positions cannot be identical. (*****234)
  • A password can be changed voluntarily (no Help Desk assistance needed) once in a 15-day period. If needed, the Help Desk can reset the password at any time.
  • The previous 8 passwords cannot be reused.


Source: http://portal.cs.oag.state.tx.us/OAGStaticContent/portal/login/help/listPasswordRules.htm

SLIDE 13

Focus On The Objective

  • Prevent guessing
      • 8+ characters and some basic variation (upper and lower case, number, special character, etc.) to prevent just a word as the password
  • Prevent brute force
      • Lock out after 5-10 attempts and lock out across the organization!
      • Protect the encrypted/hashed values
  • Prevent reuse
      • Check against DB of old passwords
  • Prevent compromise
      • User education (don’t reuse passwords, don’t write them on your laptop, etc.)
      • Force a change every 90-180 days
  • Enforce use
      • Automatic password/PIN enforcement on devices
      • Automatic screen locks after 10 minutes
      • Review how password resets are managed
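The objectives on this slide turned into checks, as an added Python example that is not from the presentation. The thresholds (5 attempts, 8 passwords of history, 90 days, 200,000 PBKDF2 rounds) are assumptions taken from the lower end of the slide's ranges, and the in-memory list of (salt, digest) pairs stands in for the "DB of old passwords".

```python
import hashlib
import hmac
import os
import string
import time
from typing import Optional

MIN_LENGTH = 8           # "8+ characters"
MAX_FAILED_ATTEMPTS = 5  # "lock out after 5-10 attempts"; lower bound assumed
HISTORY_DEPTH = 8        # old hashes kept per user; depth is an assumption
MAX_AGE_DAYS = 90        # "force a change every 90-180 days"; lower bound assumed
PBKDF2_ROUNDS = 200_000  # assumed; tune upward for production


def passes_complexity(password: str) -> bool:
    """Prevent guessing: 8+ characters and at least three of the four
    character classes, so a bare dictionary word cannot be the password."""
    if len(password) < MIN_LENGTH:
        return False
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return sum(classes) >= 3


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Protect the stored values: salted PBKDF2-HMAC-SHA256, returned as (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def is_reused(password: str, history: list) -> bool:
    """Prevent reuse: re-hash the candidate under each stored salt and compare
    in constant time against the last HISTORY_DEPTH (salt, digest) pairs."""
    for salt, old_digest in history[-HISTORY_DEPTH:]:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, old_digest):
            return True
    return False


def is_expired(last_changed: float, now: Optional[float] = None) -> bool:
    """Prevent compromise: flag a password not rotated within MAX_AGE_DAYS (epoch seconds)."""
    now = time.time() if now is None else now
    return (now - last_changed) > MAX_AGE_DAYS * 86400


class LockoutTracker:
    """Prevent brute force: count failed logins per account no matter which
    system reported them, so the lockout applies across the organization."""

    def __init__(self) -> None:
        self.failures = {}   # account -> consecutive failed attempts
        self.locked = set()  # accounts that now need a Help Desk reset

    def record_failure(self, account: str) -> bool:
        """Return True when the account is (now) locked."""
        if account in self.locked:
            return True
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= MAX_FAILED_ATTEMPTS:
            self.locked.add(account)
            return True
        return False

    def record_success(self, account: str) -> None:
        """A good login clears the counter, but never a lockout already in force."""
        if account not in self.locked:
            self.failures.pop(account, None)
```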


SLIDE 15

IT AUDITING IN 2014-2015

Focusing on the three inputs:

  • Business Needs
  • Legal and Regulatory
  • Customers and Partners


SLIDE 17

Legal And Regulatory Requirements

  • Focuses on a specific:
      • Industry
      • Consumer
      • Type of data
      • Geographic region
  • Often:
      • Long and complex
      • Cross-references other sections or laws
      • Subjective and broadly worded
      • Reference dated (now outdated) terms

Intended to protect someone else, not your business


SLIDE 18

Regulatory Examples

  • Credit card account information – Payment Card Industry (PCI)
  • Electronic patient health information – Health Insurance Portability and Accountability Act (HIPAA)
  • Consumers' private banking information – Gramm–Leach–Bliley Act (GLBA)
  • Government data and systems – Federal Information Security Management Act (FISMA)
  • Public company accounting – Sarbanes-Oxley Act (SOX)


SLIDE 19

Legal, Regulatory, Industry-Specific

  • What laws must the business comply with?
  • Is there a legal/compliance group to rely on?
  • Do you have an international presence? International customers? What laws apply?
  • Are these areas being reviewed for changes?
  • Are there periodic requirements?
      • Example: PCI – Quarterly Scans, Yearly Attestation
  • Can the work be done by another group or external resource?


SLIDE 20

PCI-DSS v3.0 Enforcement Date

  • Version 3.0 will introduce more changes than Version 2.0. The core 12 security areas remain the same, but the updates will include several new sub-requirements that did not exist previously. Recognizing that additional time may be necessary to implement some of these sub-requirements, the Council will introduce future implementation dates accordingly. This means until 1 July 2015 some of these sub-requirements will be best practices only, to allow organizations more flexibility in planning for and adapting to these changes. Additionally, while entities are encouraged to begin implementation of the new version of the Standards as soon as possible, to ensure adequate time for the transition, Version 2.0 will remain active until 31 December 2014.

Source: https://www.pcisecuritystandards.org/documents/DSS and PA-DSS Change Highlights.pdf

SLIDE 21

Examples - PCI v3.0 Requirements

  • 2.4 – New requirement to maintain an inventory of system components in scope for PCI DSS to support development of configuration standards.
  • 9.3 – New requirement to control physical access to sensitive areas for onsite personnel, including a process to authorize access, and revoke access immediately upon termination.
  • 11.3 – New requirement to implement a methodology for penetration testing
      • Perhaps use a standard such as NIST SP 800-115.
  • 12.9 – New requirement for service providers to provide the written agreement/acknowledgment to their customers.

Source: https://www.pcisecuritystandards.org/documents/PCI DSS v3 Summary of Changes.pdf

SLIDE 24

M.G.L. c. 93H and MA 201 CMR 17

  • Requires:
      • Designated program owner/maintainer
      • Identifying where PII might be within the organization
      • Encryption
      • Monitoring and effectiveness testing
      • Anti-virus and patching
      • Employee training
      • 3rd party service provider compliance
      • Timely disclosure of a breach
  • Written Information Security Program (WISP)
      • Documents your methodologies, processes, procedures, technologies, PII data types, etc


SLIDE 25

MA 201 CMR 17 – Definition of PII

  • Personal information, a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; provided, however, that “Personal information” shall not include information that is lawfully obtained from publicly.


SLIDE 26

HR Rep: “Welcome To The Company!”

We need an ID for your I-9 Form. We need your routing number so we can pay you.


http://www.theonion.com/articles/manny-being-manny-during-massachusetts-state-drive,9801/ http://www.psdgraphics.com/psd/blue-check-psd-template/

SLIDE 28

Computer Access

Nearly every employee has access to a PC at work

  • Lawyer’s Office
  • Doctor’s Office
  • Accountant
  • Car Repair Shop
  • Retail
  • Banks
  • Restaurants
  • Grocery Store
  • Non-profit
  • Call Center


SLIDE 29

Access To A Computer At Work

Are employees surfing the web on business critical systems?

  • If so, is it necessary?
  • Can you provide them alternatives such as a virtual machine or protected area of the system, or limit user privileges?
  • Anti-malware/virus software?
  • Are you segregating general PCs from sensitive networks?
  • Do you have open network shares?
  • Are you blocking the right websites?
      • Social Media
      • Cloud Storage
      • Known malicious sites
      • TOR, P2P, anonymous browsing sites
      • Google Drive


SLIDE 30

End User Systems - Internet Access

  • Do users have Java installed? Do they NEED it?
      • First half of 2013, Java was the most common zero-day focus for attackers. http://www2.fireeye.com/rs/fireye/images/fireeye-advanced-threat-report-2013.pdf
  • Internet Explorer (IE) vs. Firefox or Chrome?
      • Second half of 2013, observed a burst of IE zero-days. http://www2.fireeye.com/rs/fireye/images/fireeye-advanced-threat-report-2013.pdf
  • Still using Windows XP?
      • General support and updates discontinued April of 2014
      • A wave of attacks is rumored to be coming


SLIDE 32

To The Cloud!


SLIDE 33

Cloud Service Providers (SaaS, PaaS,…)

  • Is the provider responsible for safeguarding your information, or simply providing software/hardware? If so, how are they safeguarding it?
  • Who is reviewing/approving contracts with providers? What SLAs and other commitments are they agreeing to?
  • Who in the organization has access to these resources?
  • Are they being used to circumvent traditional IT groups?
  • Is your business able (legal, regulatory, etc) to use them?
  • Who (if anyone) is managing them?
      • Firewall rules
      • Patching
      • Testing


SLIDE 37

SOC 2 and 3 Reports

  • AICPA - Service Organization Control (SOC)
  • Started in the 1990s as a SAS70 report
      • SOC 1 (SSAE 16) – Internal Financial Reporting
      • SOC 2 – Service Provider – Detailed Report
      • SOC 3 – Service Provider – Summary Report
  • SOC 2 report may be shared under NDA
  • SOC 3 report is for public release, put right on the website
  • Ask for a SOC 2 or 3 report from your service providers
      • Cloud/Hosting
      • SaaS


SLIDE 38

IMPORTANT SECURITY TOPICS FOR 2014-2015

Timely topics to investigate


SLIDE 41

Egress Filtering

  • Simply blocking by ports isn’t enough
  • Deep packet inspection
      • HTTP
      • DNS
      • SSH/FTP
      • Encryption complicates the topic
  • Malicious URL/destination filtering
  • Different rules for different systems
      • Block all external traffic to/from PCI and other protected systems
      • Whitelist updates/patching


SLIDE 42

Event Monitoring and Alerting

  • IDS/IPS – Monitors can block suspicious traffic
      • Where are these devices?
      • What are they monitoring?
      • Are they up-to-date?
  • SIEM - Real-time collection and analysis of security alerts generated by network hardware and applications
      • What devices are reporting to it? Who is monitoring it?
      • What activities are being logged and analyzed?
      • How does the system correlate activities?
      • Are employees able to take corrective action in a timely manner?
      • Are different teams using different SIEMs? Are they sharing info?
      • How often are they truly tested to ensure effectiveness?


SLIDE 44

Encryption and DLP

  • Encryption is a must!
      • Laptops and desktops
      • USB thumb drives
      • Backup media and hard drives
      • Passwords and other sensitive data
  • Data Loss Prevention
      • Monitoring of USB thumb drives and removable media
      • Files being e-mailed in and out of the company
      • Files being uploaded to 3rd party systems


SLIDE 45

MDM – Mobile Device Management

  • Do you allow personal phones to connect to your network or e-mail servers?
  • Are you able to remotely check settings and wipe data in the event of a loss or employee termination?
  • PIN and encryption enforcement
  • Do you limit what applications can be installed?
  • Do you limit what websites employees can go to on their phones?
  • Would an employee know who to report a loss to?


SLIDE 47

DDoS Mitigation

  • Excess bandwidth
  • ISP filters
  • Dedicated and specialized equipment
  • Customer and server segregation
  • DNS and low TTLs
  • 3rd Party Protection
      • CloudFlare
      • Prolexic (now part of Akamai)


SLIDE 48

SCADA Controls

Supervisory Control And Data Acquisition

  • Monitor and control heating, ventilation, and air conditioning systems (HVAC), physical access, and energy consumption
  • Many Fortune 1000 companies have these somewhere (data center, facilities, etc)
  • Specialized hardware that often runs small, dedicated software/web servers
  • Some tips:
      • Separate with VLANs, firewalls/routers, MPLS
      • Limit access to necessary personnel only
      • Have maintenance work with IT staff to ensure proper configuration
      • Investigate how to keep the system up-to-date


SLIDE 49

Policies and Procedures

  • AUP (Acceptable Use Policy)
      • Users understand potentially everything they do is monitored
      • No outside software may be installed
      • Limited personal use
      • Consequences for not following policies
      • Don’t leave laptops in plain view or unlocked vehicles
      • Example Template: http://www.sans.org/security-resources/policies/Acceptable Use Policy.pdf
  • Written Information Security Program - WISP
      • Legally required document for businesses with Massachusetts customers


SLIDE 51

SECURITY CONTROLS BASELINE

General IT Controls any business should have in place.


SLIDE 52

Frameworks

  • ITIL
  • COBIT
  • ISO 27001, 27002, etc
  • NIST
  • COSO
  • Others…

They can be long, complex, generic (too high-level), industry specific, etc… In other words: many have the same pitfalls as legal and regulatory compliance!


SLIDE 53

SANS 20 Critical Security Controls

  • A list of the top 20 critical security controls (CSCs) was agreed upon and outlined, taking risk into consideration.
  • Collaborative work across various governmental, public, and private organizations
      • U.S. Department of Homeland Security
      • U.S. Department of State, Office of the CISO
      • MITRE Corporation
      • SANS Institute
  • A great foundation for any security program
  • Tangible, measurable, free advice that includes examples of processes and technologies to implement

http://www.sans.org/critical-security-controls


SLIDE 54

SANS CSCs Numbers 1-10

  1: Inventory of Authorized and Unauthorized Devices
  2: Inventory of Authorized and Unauthorized Software
  3: Secure Configurations for Hardware and Software
  4: Continuous Vulnerability Assessment and Remediation
  5: Malware Defenses
  6: Application Software Security
  7: Wireless Access Control
  8: Data Recovery Capability
  9: Security Skills Assessment and Appropriate Training
  10: Secure Configurations for Network Devices


Wording shortened to fit on slide, full text available at http://www.sans.org/critical-security-controls/controls

SLIDE 55

SANS CSCs Numbers 11-20

  11: Limitation and Control of Network Ports, Protocols, Services
  12: Controlled Use of Administrative Privileges
  13: Boundary Defense
  14: Maintenance, Monitoring, and Analysis of Audit Logs
  15: Controlled Access Based on the Need to Know
  16: Account Monitoring and Control
  17: Data Protection
  18: Incident Response and Management
  19: Secure Network Engineering
  20: Penetration Tests and Red Team Exercises


SLIDE 56

Example: 1 - Inventory Devices

Inventory of Authorized and Unauthorized Devices

Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.

Source: https://www.sans.org/media/critical-security-controls/spring-2013-poster.pdf

SLIDE 57

Why Do We Care About Inventory?

Helps understand what’s out there…

  • Are rogue devices on your network?
  • Is old hardware still online that shouldn’t be?
  • Are people bringing in personal devices?
  • Are there DR systems?
  • Are they being backed up?
  • Are departments buying equipment outside of the supply chain process?
  • Did equipment suddenly go missing?

Helps to track down devices quickly in the event of a breach or security incident.


SLIDE 58

How To Implement Inventory Control

  • CSC 1-1: Deploy an automated asset inventory discovery tool
  • CSC 1-2: Deploy dynamic host configuration protocol (DHCP) server logging
  • CSC 1-3: Ensure that all equipment acquisitions automatically update the inventory system as new, approved devices are connected to the network
  • CSC 1-4: Maintain an asset inventory
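CSC 1-2 and 1-4 together, as an added Python example that is not from the presentation or the SANS controls: reconciling DHCP lease acknowledgements with the asset inventory to surface rogue devices and retired hardware that is still online. The inventory and the log lines are constructed samples (ISC dhcpd syslog style); the regex, the dataclass names and the decommissioned set are my assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample asset inventory (CSC 1-4), keyed by MAC address.
INVENTORY = {
    "00:11:22:33:44:55": "fileserver01",
    "00:11:22:33:44:66": "hr-laptop-07",
    "00:11:22:33:44:77": "printer-2f",   # retired, should no longer be online
}
DECOMMISSIONED = {"00:11:22:33:44:77"}

# Constructed sample DHCP server log (CSC 1-2), ISC dhcpd syslog style.
SAMPLE_LOG = """\
Mar 10 08:01:12 dhcp1 dhcpd: DHCPACK on 10.0.5.21 to 00:11:22:33:44:55 (fileserver01) via eth0
Mar 10 08:02:40 dhcp1 dhcpd: DHCPACK on 10.0.5.88 to a4:5e:60:12:34:56 (iPhone) via eth0
Mar 10 08:03:02 dhcp1 dhcpd: DHCPACK on 10.0.5.22 to 00:11:22:33:44:66 (hr-laptop-07) via eth0
Mar 10 08:05:19 dhcp1 dhcpd: DHCPACK on 10.0.5.90 to 00:11:22:33:44:77 via eth0
Mar 10 08:05:20 dhcp1 dhcpd: DHCPDISCOVER from a4:5e:60:12:34:56 via eth0
"""

# Only DHCPACK lines matter: they record an address actually handed out.
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)",
    re.IGNORECASE,
)

@dataclass
class Finding:
    ip: str
    mac: str
    hostname: str
    reason: str

@dataclass
class Report:
    unknown: list = field(default_factory=list)                # rogue or personal devices
    decommissioned_online: list = field(default_factory=list)  # retired kit still leasing
    seen_authorized: set = field(default_factory=set)          # inventory entries confirmed live

def parse_acks(log_text: str):
    """Yield (ip, mac, hostname) for every lease acknowledgement in the log."""
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m:
            yield m["ip"], m["mac"].lower(), m["host"] or ""

def reconcile(log_text: str, inventory: dict, decommissioned: set) -> Report:
    """Compare leases with the inventory: unknown MACs are candidates for
    rogue devices, decommissioned MACs still leasing are stale assets."""
    report = Report()
    for ip, mac, host in parse_acks(log_text):
        if mac not in inventory:
            report.unknown.append(Finding(ip, mac, host, "MAC not in asset inventory"))
        elif mac in decommissioned:
            report.decommissioned_online.append(
                Finding(ip, mac, inventory[mac], "decommissioned device still leasing"))
        else:
            report.seen_authorized.add(mac)
    return report

def never_seen(inventory: dict, report: Report, decommissioned: set) -> set:
    """Active inventory entries that took no lease: stale records or static hosts."""
    return {m for m in inventory if m not in report.seen_authorized and m not in decommissioned}

if __name__ == "__main__":
    rep = reconcile(SAMPLE_LOG, INVENTORY, DECOMMISSIONED)
    for f in rep.unknown + rep.decommissioned_online:
        print(f"{f.reason}: {f.mac} on {f.ip} {f.hostname!r}")
```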

(Effort scale shown on the slide: from Easy Win to More Effort)

SLIDE 59

How To Implement Inventory Control

  • CSC 1-5: Deploy network level authentication via 802.1x to limit and control which devices can be connected to the network
  • CSC 1-6: Deploy network access control (NAC) to monitor authorized systems
  • CSC 1-7: Utilize client certificates to validate and authenticate systems prior to connecting to the private network

(Effort scale shown on the slide: from More Effort to Advanced)

SLIDE 60

Some Final Thoughts… 1/3

  • Social media
      • Who manages your social media pages?
      • Are they taking precautions to secure your brand?
      • If you don’t have a twitter feed, what’s to stop me from pretending to be you?
      • Are they available in an emergency?
  • Are you monitoring the web for your company name/files?
      • pastebin.com
      • Google
      • Forums
  • Mobile tethering/hotspots to circumvent internal protections
  • DNS service: Who manages the account? How is that account protected?


SLIDE 61

Some Final Thoughts… 2/3

  • Declaring a “digital” emergency
      • Who would be involved?
      • Who makes the final call?
      • How is communication managed within the organization?
      • BC/DR site?
  • Mass notification during an emergency
      • Employee call list
      • E-mail addresses of all customers in the event of a breach
  • Honeypots and Open Source/Cheap Scanning Software
      • Metasploit, Nexpose, Nessus
      • owasp.org (Open Web Application Security Project)


SLIDE 62

Some Final Thoughts… 3/3

  • Code scanning software
      • Known poor coding standards
      • Copy/paste of OSS code
  • The insider threat
      • Users with elevated privileges
      • Who’s watching the watchers?
      • What happens when an IT administrator leaves?
  • Get rid of old devices (securely)
      • Printers, ancient servers, hard drives
      • Recycle and make some money!


SLIDE 63

Statistics About Data Breaches

  • Two-thirds of the breaches took months or more to discover. http://adage.com/article/datadriven-marketing/nrf-offensive-data-breaches/291476/
  • 69% of all breaches were discovered by someone outside the affected organization. http://adage.com/article/datadriven-marketing/nrf-offensive-data-breaches/291476/
  • German and US companies had the most costly data breaches ($199 and $188 per record, respectively).

Source: https://www4.symantec.com/mktginfo/whitepaper/053013 GL NA WP Ponemon-2013-Cost-of-a-Data-Breach- Report daiNA cta72382.pdf


SLIDE 64

Questions?

Jake McAleer
Senior IT Security and Audit Manager, O’Connor & Drew, P.C.
jmcaleer@ocd.com
www.ocd.com @ocdcpa
www.jakemcaleer.com @johnjakem


SLIDE 65

Download Link

  • Please visit the following link to download a digital copy of the presentation: http://www.ocd.com/2014secureworld/
