Learn how to incorporate cyber security into everyday auditing practices and stay relevant in the digital age. Gain insights from Kenneth Mory, an experienced auditor and IT expert. Explore key IT risks, threats, and governance. Simplify your approach with practical steps and IT audit intelligence tools.
STRONGHOLD SOLUTIONS
IIA Government Auditor Conference, February 23rd 2015
How to Make IT Part of Everyday Auditing: Focusing on Cyber Security
Kenneth Mory, CISA, CIA, CPA, CRM
Kenneth J. Mory - CISA, CIA, CRMA, CPA
Ken is a recognized speaker at professional seminars. He has over 30 years' experience in audits, IT, finance, operations, and strategic planning, in both the public and private sectors. He has extensive experience in IT auditing, governance, planning, systems development, operations, security and DR/CP. Previously, Ken was the City Auditor for Austin, Texas, Chief of Audits for the County of San Diego and the CFO for several companies, including BellSouth Wireless Data, RAM Mobile Data, TelCel Cellular, SA, and Link Telecommunications. He also worked for BellSouth Corporation's General Internal Audits and began his career with Arthur Young & Company, CPAs. Currently he serves on the GAO's Green Book Advisory Committee, the IIA's Advisory Committee for the American Center for Government Auditing, the IIA's Editorial Advisory Committee and ALGA's Professional Issues Committee, and was 2013 Chair of the IIA's Public Sector Committee. Ken has an MS from the University of Pennsylvania and an MBA from the University of Alabama – Birmingham.
Making IT Part of Everyday Auditing
IT has become the backbone of every business and increasingly pervades every area that we might touch as auditors. Unfortunately, auditors continue to be intimidated by the "shamans and lingo" of technology and often avoid technology audits. However, auditors can no longer afford to dodge their responsibility for engaging in technology auditing: at best they risk losing relevance, at worst they risk being viewed as negligent or incompetent.
2011 IIA IPPF
• Proficiency - Standard 1210.A3 & PA 1210.A1.1: sufficient knowledge of key IT risks, controls and techniques for assigned work
• Proficiency - Standard 1220.A2: must consider the use of technology-based audit or other data analysis tools
• CPE - PA 1230-1: specialized CPE (such as IT…) needed to perform with proficiency
• Resource Management - PA 2030-1
• Governance Assessment - Standard 2110.A2
Objective
Comfortably delve into the world of "dark matter," "zombies," "clouds," "Judas threats" and other cyber threats and vulnerabilities.
Removing the Mystique?
• IT is a technical area where the "Shamans" perpetuate the idea that the "uninitiated" can never understand.
• To reinforce this they have created their own cryptic codes.
Zombie, Snow Flake, Packet, MTM, Whitelisting, Cloud Computing, Spoofing, Zombies, Hackers, Scareware, Cracker/Hacker, Judas Threat, Zero Day Attacks, Social Engineering
• IT Governance
• IT Strategy & Planning
• IT Processes
• Technology
• User & Vendor Support
• Project Management
• Change & Configuration Management
• Data Center Operations
• Enterprise Security
• Disaster Recovery & Business Continuity
• IT Risk Framework
• Infrastructure & Tools
Focusing on IT Security
• Changing risk horizon and vulnerabilities?
• Best practice hacking; keeping up!
• Where do we start... it is easy!
• More on social engineering.
By P.W. Singer & Allan Friedman; Mary Lou Hastings
Some BASIC FACTS
• The "snowflake theory" is true
• A large percentage of key controls are likely to be technology driven
• Technology control failures have bigger impact
• IT security is more dependent on non-technical policies, procedures and business process than on technical hardware and software solutions
• To stay relevant all auditors must become IT audit savvy at some level
• We are in the "Cloud"!
Simplified BASELINE Approach
Purchase XXX for Dummies!
• Use common sense
• Identify criteria & obtain documentation (policies, procedures, standards)
• Compare actual to policy (or other authority)
• Obtain performance reports and budgets
• Review QA, acceptance tests, peer reviews
• Interview knowledgeable users, IT resources & vendors
• Obtain audit approaches/procedures from sources such as AuditNet, IIA GTAG, ISACA ...
Simplify Approach
Obtain audit approaches & procedures from sources such as:
• FISCAM (Federal Information System Controls Audit Manual)
• GAIT Methodology
• AuditNet
More simple steps you can take!
• IT risk assessments and mitigation planning
• Review access authorization tables
• Request functional & security configuration tables
• Review documentation on data, security system, and application priority categorization
• Use programs with IT audit intelligence built in
• Use data analysis tools: ACL, IDEA, Access, Excel, TeamMate
Logical Access Security
• Anything that gives you access to data, programs, networks
• Key components of logical access control:
- Who is it?
- What can they do?
- What did they do?
- How is security maintained?
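The four questions above map directly onto tests an auditor can run over an exported authorization table, and they fold in the "review access authorization tables" and "compare actual to policy" steps from the earlier slides. The Python script below is an added example, not code from the presentation; the HR roster, role-to-entitlement matrix, segregation-of-duties rule, 90-day dormancy threshold, review date and authorization table are all constructed for illustration.

```python
"""Access-authorization table review: an added example, not the slides' code.

Checks an exported authorization table against an HR roster and an approved
role-to-entitlement matrix, one test for each question on the slide:
who is it, what can they do, what did they do, how is security maintained.
Every record and rule below is constructed for illustration.
"""
from datetime import date

# Constructed policy: the entitlements each job role is approved to hold.
ROLE_MATRIX = {
    "ap_clerk": {"invoice_entry", "vendor_view"},
    "ap_manager": {"invoice_entry", "vendor_view", "payment_approve"},
    "vendor_admin": {"vendor_create", "vendor_view"},
}

# Constructed segregation-of-duties rule: one person must not both create a
# vendor and approve payments (the fictitious-vendor scheme).
SOD_CONFLICTS = [
    ({"vendor_create", "payment_approve"}, "create vendor + approve payment"),
]

DORMANT_DAYS = 90                # assumption: no login for 90 days is dormant
AS_OF = date(2015, 2, 23)        # constructed review date

# Constructed HR roster: employee id -> (job role, employment status).
HR_ROSTER = {
    "e100": ("ap_clerk", "active"),
    "e101": ("ap_manager", "active"),
    "e102": ("vendor_admin", "terminated"),
    "e103": ("ap_clerk", "active"),
}

# Constructed authorization table as exported from the application.
AUTH_TABLE = [
    {"user": "e100", "entitlements": {"invoice_entry", "vendor_view"},
     "last_login": date(2015, 2, 10)},
    {"user": "e101", "entitlements": {"invoice_entry", "vendor_view",
                                       "payment_approve", "vendor_create"},
     "last_login": date(2015, 2, 20)},
    {"user": "e102", "entitlements": {"vendor_create", "vendor_view"},
     "last_login": date(2014, 9, 1)},
    {"user": "e103", "entitlements": {"invoice_entry", "vendor_view"},
     "last_login": date(2014, 10, 1)},
    {"user": "svc_temp", "entitlements": {"payment_approve"},
     "last_login": date(2015, 1, 5)},
]


def review_access(auth_table, roster, as_of):
    """Return (user, finding) tuples for the auditor's workpaper."""
    findings = []
    for row in auth_table:
        user, ents = row["user"], row["entitlements"]
        # Who is it? Every account must map to a person in the HR roster.
        if user not in roster:
            findings.append((user, "no matching HR record (orphaned account)"))
            continue
        role, status = roster[user]
        # How is security maintained? Leavers must be removed promptly.
        if status == "terminated":
            findings.append((user, "terminated employee still has access"))
        # What can they do? Compare actual entitlements to the approved matrix
        # (the "compare actual to policy" step), then test for SoD conflicts.
        excess = ents - ROLE_MATRIX.get(role, set())
        if excess:
            findings.append((user, f"entitlements beyond role {role}: {sorted(excess)}"))
        for combo, label in SOD_CONFLICTS:
            if combo <= ents:
                findings.append((user, f"segregation-of-duties conflict: {label}"))
        # What did they do? Accounts unused for a long time are removal candidates.
        idle_days = (as_of - row["last_login"]).days
        if idle_days > DORMANT_DAYS:
            findings.append((user, f"dormant for {idle_days} days"))
    return findings


def run_review():
    """Run the review over the constructed data with the constructed review date."""
    return review_access(AUTH_TABLE, HR_ROSTER, AS_OF)


if __name__ == "__main__":
    for user, finding in run_review():
        print(f"{user:10} {finding}")
```

Run as a script it prints one line per finding; on the constructed data the clean clerk account e100 produces nothing, while the orphaned service account, the terminated vendor administrator, the manager holding both vendor creation and payment approval, and two dormant accounts each surface as separate findings that can be traced back to one of the four questions.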
"City Workers Accused of Hacking LA Traffic System"
• 2 employees pled "not guilty" to deliberately causing a traffic jam
• From the city's centralized traffic-control center they allegedly tied up 4 intersections on the eve of a major strike by city workers
Cracker is a Criminal Hacker
Famous hackers: Captain Crunch & Kevin Mitnick
They know most organizations do not have formal data classifications, access control systems, incident response plans, or security awareness programs.
But It IS Changing! FAST!
• "South Korean government targeted in cyber attack": the government detected the first wave of the attack Thursday. It was coordinated from outside South Korea using "zombie" computers
• "Israel Cyber-Attacks Iranian Nuke Plant With Stuxnet Computer Virus"
And More!!
"5 in China Army Face U.S. Charges of Cyberattacks": the indictment named members of Unit 61398, which was publicly identified last year as the Shanghai-based cyberunit of the People's Liberation Army, including its best-known hackers known online by the noms de guerre "UglyGorilla" and "KandyGoo."
And Even More!!
"Security Experts Warn Of Possible Russian Cyberattack Against The U.S., Ukraine", similar to Georgia, Crimea, Estonia. "What they can do … is a cyberattack to get back at us … attacking our financial institutions," Panetta said. "[Our] adversaries are looking at computer systems that run our electrical grid … chemical systems … water systems … gas systems … transportation systems … financial systems."
ISIS-related hackers infiltrate US CENTCOM
• Another tweet on the enemy-controlled account bragged the terrorists had gained control of all military computers.
• Others appeared to show internal documents outlining multiple military scenarios involving China and the Korean peninsula.
• Documents alleged to detail Pentagon employees' personal info were posted to the account.
Changing Environment
• "Old school" DOS attacks have resurged, but not against the large companies; rather against small and medium size ones.
• Cloud requires a different kind of security thinking
• What next?
Steps to perform Social Engineering
• Perform research of organization
• Build trust
• Exploit relationship
• Malicious use of information
Social Engineers' Favorite Pick-Up Lines
• "I'm traveling in London and I've lost my wallet. Can you wire some money?"
• "Someone has a secret crush on you! Download this application to find who it is!"
• "Did you see this video of you? Check out this link!"
• "This is Chris from tech services. I've been notified of an infection on your computer."
• "Hi, I'm the rep from Cisco and I'm here to see Nancy."
• "Can you hold the door for me? I don't have my key/access card on me."
• "Your account has been closed."
• "Great conference! Why don't we hook up later to discuss how to leverage what we learned!"
Social Engineering
• Just ask
• Inattentive security
• Location of security
• Unapproved security badges / key
• Failure to challenge stranger
• Intimidation by title, dress, demeanor
• Friendly / smiley "I belong" behavior
• Herd hiding
• Tailgating
• Blow the Buffer
• Default password from Internet
• Key stroke capture device
• Use security audit software
• False employee
• False vendor
• Hackers/Crackers/Script Babies
• New employee
• False support
• Phishing emails
• Turn over the keyboard
• Mi casa es su casa
• Dumpster diving
• False address
• Guess password
• Search desk
• Shoulder surfing
• Dictionary attacks
Password Audit Concerns
• Lack of strong passwords
• Not changed every 6 to 12 months and terminated
• Lack of different P/W for each system
• Lack of variable length
• Use of common slang or dictionary words
• Reuse of passwords
• Storing passwords
• Store in a usual location
• Do not enable security monitoring
• Do not maintain user IDs
• Not automatically reset
REALLY OUTDATED!
THE TOP 500 WORST PASSWORDS OF ALL TIME
STOP! Do not read if you are easily offended.
This handout includes offensive words that were left on the list as reported, to give you an accurate listing of what people are actually using as passwords so you can better use the information to improve the security of your entity. If you feel that you will be offended, PLEASE DO NOT READ this handout.
More on Passwords!!
Some interesting passwords show how people try to be clever, but even cleverness is predictable. For example:
• ncc1701 - the ship number for the Starship Enterprise
• thx1138 - the name of George Lucas's first movie, a 1971 remake of an earlier student project
• qazwsx - follows a simple pattern when typed on a typical keyboard
• 666666
• 7777777
• ou812 - the title of a 1988 Van Halen album
• 8675309 - the number mentioned in the 1982 Tommy Tutone song; the song supposedly caused an epidemic of people dialing 867-5309 and asking for "Jenny"
"…Approximately one out of every nine people uses at least one password on the list shown on the prior slide! And one out of every 50 people uses one of the top 20 worst passwords..."
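As an added example, not part of the handout or the slides, the following Python script turns the "Password Audit Concerns" list and the predictable passwords above into checks a control owner can run: `password_weaknesses` rejects short, worst-list, dictionary, repeated-character and keyboard-walk candidates such as qazwsx and 666666 at the moment a password is set, and `audit_accounts` reviews account records for passwords older than a year and the same password reused across systems. The worst-password excerpt, dictionary, keyboard rows, account records, audit date and 12-character minimum are constructed assumptions.

```python
"""Password-policy checks: an added example, not from the handout or slides.

`password_weaknesses` applies the password concerns from the slide to a
candidate password at the moment it is set; `audit_accounts` reviews
account metadata for stale passwords and cross-system reuse. The word
lists, keyboard rows, thresholds and account records are constructed.
"""
import hashlib
import re
from datetime import date

MIN_LENGTH = 12             # assumption: policy minimum length
MAX_AGE_DAYS = 365          # slide: passwords changed every 6 to 12 months
AS_OF = date(2015, 2, 23)   # constructed audit date

# Constructed excerpt of a "worst passwords" list, including the "clever"
# entries from the slide that are still predictable.
WORST_PASSWORDS = {"123456", "password", "qwerty", "letmein", "ncc1701",
                   "thx1138", "qazwsx", "666666", "7777777", "ou812", "8675309"}
# Constructed keyboard walks: rows of a US keyboard and the qaz/wsx columns.
KEYBOARD_SEQUENCES = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890", "qazwsxedc"]
# Constructed excerpt of a dictionary / common-slang list.
DICTIONARY = {"summer", "welcome", "dragon", "monkey", "football"}


def password_weaknesses(pw):
    """Return the policy rules a candidate password violates (empty = acceptable)."""
    problems = []
    low = pw.lower()
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if low in WORST_PASSWORDS:
        problems.append("appears on the worst-passwords list")
    # Dictionary word with optional trailing digits ("Summer2015" style).
    m = re.fullmatch(r"([a-z]+)\d*", low)
    if m and m.group(1) in DICTIONARY:
        problems.append("dictionary word with optional digits")
    # Single repeated character (666666) or a walk along the keyboard (qazwsx).
    if len(set(low)) == 1:
        problems.append("single repeated character")
    if len(low) >= 4 and any(low in seq for seq in KEYBOARD_SEQUENCES):
        problems.append("keyboard pattern")
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("fewer than three character classes")
    return problems


def fingerprint(pw):
    """Unsalted SHA-256 used only so reuse can be spotted without plaintext.
    Assumption: production stores keep per-system salted hashes, so reuse is
    normally caught at password-change time rather than from an export."""
    return hashlib.sha256(pw.encode()).hexdigest()


# Constructed account records: (system, user, password fingerprint, last changed).
ACCOUNTS = [
    ("payroll", "e100", fingerprint("Summer2015!!"), date(2014, 1, 15)),
    ("gl", "e100", fingerprint("Summer2015!!"), date(2014, 12, 1)),
    ("payroll", "e101", fingerprint("c0rrect-H0rse-battery"), date(2015, 1, 4)),
    ("vpn", "e101", fingerprint("c0rrect-H0rse-battery"), date(2015, 2, 1)),
    ("gl", "e103", fingerprint("xK9#pl2$Qw7r"), date(2013, 6, 30)),
]


def audit_accounts(accounts, as_of):
    """Flag passwords older than MAX_AGE_DAYS and the same password reused across systems."""
    findings = []
    seen = {}   # (user, fingerprint) -> first system where it was seen
    for system, user, fp, changed in accounts:
        age = (as_of - changed).days
        if age > MAX_AGE_DAYS:
            findings.append((user, system, f"password {age} days old"))
        if (user, fp) in seen:
            findings.append((user, system, f"same password reused on {seen[(user, fp)]}"))
        else:
            seen[(user, fp)] = system
    return findings


def run_audit():
    """Run the metadata audit over the constructed records with the constructed date."""
    return audit_accounts(ACCOUNTS, AS_OF)


if __name__ == "__main__":
    for candidate in ("qazwsx", "Summer2015", "xK9#pl2$Qw7r"):
        print(candidate, password_weaknesses(candidate) or "acceptable")
    for user, system, finding in run_audit():
        print(f"{user} on {system}: {finding}")
```

The two halves correspond to the two kinds of control on the slide: the candidate check is a preventive control applied when a password is chosen, while the metadata audit is the detective review an auditor performs over exported account records, which needs only change dates and a comparable fingerprint, never the plaintext password.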
Physical Security
• Unattended computers are the easiest way into the system, especially administrators' computers
• All technical security measures can be bypassed if physical security is weak
• Auditing controls include:
- Harden the perimeter of the building
- Control access with traps & alert security
- Utility misuse / vulnerability
- Office layouts & access to confidential data; access controls
- "Audit to" checklists available
STRONGHOLD SOLUTIONS
"Let me assert my firm belief that the only thing we have to fear is fear itself." - Franklin D. Roosevelt
Kenneth J. Mory, keenmory@aol.com, 512/516-7999