
Cyber Security – Recent Trends and Threats

Institute of Internal Auditors

Sep 21, 2019


Objectives

 Define Cyber Security
 Understand the types of attacks, type of data loss, industries impacted, and methods of attacks
 Discuss risk exposure of cyber security
 Understand relevant control processes
 Understand the value of a Cyber Maturity Assessment
 Key Questions to ask as Internal Audit
 Understand the NIST CyberSecurity Framework
 Case Study: Target Breach

© 2014 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent 1
member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
NDPPS 259923
Introduction

The focus on cyber security is increasing rapidly due to highly disruptive/damaging security breaches threatening financial and physical damage across corporate infrastructures. Given that, cyber security is now an important concern for every organization.

For those who are looking for the right questions while navigating the complexity of cyber security, this presentation will provide:
 Cyber attack landscape
 Leading approach of cyber attack countermeasure – threat intelligence
 Right questions for the first step of cyber security enhancement

World’s Biggest Data Breaches from 2004 through 2013

http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

Cyber Security Defined

Encompasses all that protects organizations and individuals from intentional attacks, breaches, and incidents related to their Information Systems, as well as the consequences.

Focus recently has been on advanced persistent threats (APTs), cyber warfare and their impact on organizations and individuals.

In the current environment, cyber security typically focuses on those types of attacks, breaches or incidents that are targeted, sophisticated and difficult to detect or manage.

*Mitigating the risks of exploitation of your assets through the internet

Definition by NIST
The ability to protect or defend the use of cyberspace from cyber attacks.

Increasing attention at Executive and Board level


Threat Update – Recent Case Study

Information Protection has Become an Executive Driven
Issue

Top 10 concerns for directors and general counsel (“Is Governance Keeping Pace?”, KPMG LLP (U.S.) 2012):

Directors:
Data security 48%
Operational risk 40%
Company reputation 40%
M&A transactions 37%
Investor relations 30%
FCPA 30%
Executive compensation 30%
SEC/regulatory compliance 28%
Disaster recovery 27%
Internal controls 26%
Global business expansion 26%

General counsel:
Data security 55%
Operational risk 47%
Management of outside legal fees 38%
Company reputation 35%
Disaster recovery 35%
E-discovery 33%
Global business expansion 29%
Internal controls 26%
Executive compensation 26%

Directors who say their company has a crisis management plan in place to respond to a cyber attack: Yes 42%, No 27%, Unsure 31%

Top Concerns for Audit Committees:
 Governance, Processes, Controls and Risk Management
 IT Risk and Emerging Technologies
 Uncertainty
 Information Privacy/Security/Cyber Security

Securities and Exchange Commission, Division of Corporation Finance
CF Disclosure Guidance: Topic No. 2 – Cybersecurity
Date: October 13, 2011
Disclosure by Public Companies Regarding Cybersecurity Risks and Cyber Incidents

October 7, 2012
“Six big U.S. banks had their websites jammed, one after another, preventing their customers from logging on to their personal or business accounts, and from paying bills online. The banks affected were Bank of America, JPMorgan Chase, Citigroup, U.S. Bank, Wells Fargo and PNC.” – CNN News, Bob Greene

“The cyber threats we face are real and immediate…” – Sen. Jay Rockefeller

September 19, 2012
By Siobhan Gorman
WASHINGTON—Heads of major U.S. companies could be in for some interesting mail Wednesday.
Frustrated by congressional failure to pass a cybersecurity bill, a top lawmaker is sending letters to the chief executives of every Fortune 500 company, asking them to describe their company’s handling of computer security. Companies won’t be required legally to respond to the letters, but it shows how lawmakers continue to press companies to step up cybersecurity measures.
“The cyber threats we face are real and immediate, and Congress’s failure to pass legislation this year leaves the country increasingly vulnerable to a catastrophic cyber attack,” Sen. Jay Rockefeller (D., W.Va.), the Senate Commerce Committee chairman, writes in a copy of the letter, which was reviewed by The Wall Street Journal.

Cyber Attacks – How are they being attacked?

Motivations Behind Attacks (August 2013, pie chart)

Cyber Crime 49%
Hacktivism 35%
Cyber Warfare and Cyber Espionage: the two remaining slices, 10% and 6%

Source: Hackmaggedon.com

Cyber Attacks – What are the Types of Attacks?
Malware (Malicious software) - Malware includes viruses, Trojan horses, key loggers, spyware and adware.

New malware distributions Q1 2013 (pie chart):
Trojans 74.46%
Virus and Worms: 12.73% and 11.79%
Adware, Spyware and Others: the remaining small slices (0.79% and 0.24% labelled)

Phishing - A way of attempting to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication such as email.

(Figure: sample phishing email)

Cyber Attacks – What are the Types of Attacks?

Distributed Denial of Service (DDoS) - is an attempt to make a machine or network resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of efforts to temporarily or indefinitely interrupt or suspend services of a host connected to the internet.

Architecture of a DDoS Attack (figure): the ATTACKER issues commands to a small number of Handlers; each Handler controls many Zombies (compromised machines); the Zombies all direct traffic at the VICTIM.
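The defining feature of the architecture above is that traffic converges on the victim from many zombies at once, which is also what a defender can look for. The following is an added example, not code from the KPMG deck: a small Python detector that parses constructed flow records (hypothetical timestamps and IP addresses) and flags any destination contacted by an unusually large number of distinct sources inside a sliding time window. The record format, the 10-second window and the 20-source threshold are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def parse_flows(text):
    """Parse constructed flow records: '<ISO timestamp> <src ip> <dst ip> <bytes>'."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, nbytes = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return flows


def detect_ddos(flows, window=timedelta(seconds=10), min_sources=20):
    """Return {destination: peak distinct-source count} for every destination
    that was hit by at least `min_sources` distinct sources inside any sliding
    window of length `window`. Many sources converging on one host in a short
    time is the signature of the zombie tier in the DDoS architecture."""
    by_dst = defaultdict(list)
    for ts, src, dst, _ in flows:
        by_dst[dst].append((ts, src))

    suspects = {}
    for dst, events in by_dst.items():
        events.sort()
        active = defaultdict(int)   # source -> flows currently inside the window
        left = 0
        peak = 0
        for ts, src in events:
            active[src] += 1
            # Slide the left edge forward until only recent flows remain.
            while ts - events[left][0] > window:
                old_src = events[left][1]
                active[old_src] -= 1
                if active[old_src] == 0:
                    del active[old_src]
                left += 1
            peak = max(peak, len(active))
        if peak >= min_sources:
            suspects[dst] = peak
    return suspects


def build_sample_flows():
    """Constructed traffic (hypothetical addresses): 40 zombies hitting
    203.0.113.10 within 8 seconds, plus three ordinary clients talking to
    203.0.113.20 over a minute."""
    base = datetime(2013, 8, 1, 10, 0, 0)
    lines = []
    for i in range(40):
        ts = base + timedelta(milliseconds=200 * i)
        lines.append(f"{ts.isoformat()} 198.51.100.{i + 1} 203.0.113.10 512")
    for i in range(12):
        ts = base + timedelta(seconds=5 * i)
        lines.append(f"{ts.isoformat()} 192.0.2.{i % 3 + 1} 203.0.113.20 1500")
    return "\n".join(lines)


if __name__ == "__main__":
    for victim, count in detect_ddos(parse_flows(build_sample_flows())).items():
        print(f"possible DDoS against {victim}: {count} distinct sources in 10 s")
```

On the constructed input only 203.0.113.10 is reported, with 40 distinct sources; the server used by three legitimate clients stays below the threshold. In practice the threshold would be set from a baseline of normal distinct-source counts per service.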

Cyber Attacks – What are the Types of Attacks?

APT (Advanced Persistent Threat) - refers to a group, such as a foreign government, with both the capability and the intent to persistently and effectively target a specific entity.

APT attacks follow a loosely defined process (figure, shown as a cycle):
1. Define target
2. Find and organize accomplices
3. Build or acquire tools
4. Research target infrastructure/employees
5. Test for detection
6. Deployment
7. Initial intrusion
8. Outbound connection initiated
9. Expand access and obtain credentials
10. Strengthen foothold
11. Exfiltrate data
12. Cover tracks and remain undetected

The figure also places the threat categories “Commodity Threats”, “Advanced Persistent Threat” and “Hactivism” alongside the cycle.
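Step 8 of the cycle, the outbound connection initiated by the implant, is one of the few stages that produces a recurring, observable pattern on the defender's own network: the implant checks in with its controller at a roughly fixed interval. The following is an added example, not from the KPMG deck: a Python script that groups constructed outbound-connection records (hypothetical hostnames and addresses) by source and destination and reports pairs whose inter-connection intervals are too regular to be human browsing. The record format, the minimum of six connections and the 15% jitter bound are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def parse_connections(text):
    """Parse constructed records: '<ISO timestamp> <source host> <destination ip>'."""
    out = []
    for line in text.strip().splitlines():
        ts, src, dst = line.split()
        out.append((datetime.fromisoformat(ts), src, dst))
    return out


def find_beacons(conns, min_count=6, max_jitter=0.15):
    """Return {(src, dst): mean interval in seconds} for pairs that connected at
    least `min_count` times with a coefficient of variation of the gaps between
    connections no greater than `max_jitter`. Low jitter over many connections
    is the periodic call-home behaviour of an implant; ordinary user traffic is
    bursty and irregular."""
    by_pair = defaultdict(list)
    for ts, src, dst in conns:
        by_pair[(src, dst)].append(ts)

    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        if pstdev(gaps) / avg <= max_jitter:
            beacons[pair] = round(avg, 1)
    return beacons


def build_sample_connections():
    """Constructed log: ws-17 calls 198.51.100.23 every five minutes with a few
    seconds of jitter; ws-22 browses 203.0.113.50 at irregular times."""
    base = datetime(2013, 9, 1, 9, 0, 0)
    lines = []
    for i in range(10):
        ts = base + timedelta(seconds=300 * i + (i % 3) * 7)
        lines.append(f"{ts.isoformat()} ws-17 198.51.100.23")
    for offset in (0, 40, 95, 400, 420, 1300, 1310, 2500, 2520, 3000):
        ts = base + timedelta(seconds=offset)
        lines.append(f"{ts.isoformat()} ws-22 203.0.113.50")
    return "\n".join(lines)


if __name__ == "__main__":
    for (src, dst), period in find_beacons(parse_connections(build_sample_connections())).items():
        print(f"{src} -> {dst}: beacon-like, ~{period} s period")
```

Only the ws-17 pair is reported (mean interval 300 s, jitter about 3%). A detector like this belongs in the “Security monitoring” and “Detect” controls discussed later in the deck; it does not identify what the implant is, only that a host is calling out on a schedule worth investigating.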

Cyber Attacks – What do attackers want?

Approximately 50% of total data loss incidents are associated with personally identifiable information such as name, address and email address.

By data type: number of records/people affected (chart axis in millions)
Name – 191,447,792
Misc./Unknown – 184,244,196
Address – 180,491,088
Financial Information – 153,792,140
Passwords – 40,065,366
eMail Address – 29,500,807
Credit/Debit Card Information – 29,475,045
Government ID Number – 13,419,571
Date of Birth – 6,754,341
Account Information – 6,009,819
Medical Records – 2,298,115

Source: KPMG “Data Loss Barometer – A global insight into lost and stolen information”

Cyber Attacks - Which industry sectors are being attacked?

Over the past five years, more than one billion people globally have been affected by data loss incidents.

Over the last five years, 60% of all incidents reported were due to hacking, and more than half of hacking incidents are reported in the business sector.

(Chart: Number of hacking incidents as a % of total, 5 year trend by sector, 2008–2012; sectors Government, Medical, Education and Business; values labelled on the chart: 67.2%, 52.0%, 24.5%, 11.1%, 8.3%, 8.0%.)

Understanding Risk Exposure

Dynamic World of Change

BUSINESS DELIVERY “STACK” (figure labels: “KPMG Approach” spans the full stack; “Traditional Approach” is drawn against the infrastructure layer only)

BUSINESS LAYER: Geopolitical Drivers; Industry Leading Practices; Corporate Objectives; Business Process
ENABLEMENT LAYER: Application; Data
INFRASTRUCTURE LAYER: Servers/Hosts; Networks; Physical Environment

AREAS OF DYNAMIC CHANGE

Business layer:
■ Slow economic recovery
■ Driving Growth & Profitability
■ New Products/Services
■ Mergers/Acquisitions
■ Globalization
■ Strategic Sourcing
■ Competitive Differentiation
■ Increased Regulatory Scrutiny

Enablement layer:
■ Mobile & Cloud Deployments
■ “Big Data,” BI & Analytics
■ Self service & Consumerization

Infrastructure layer:
■ Virtualization & Cloud Platforms
■ Internetworking/VPNs
■ New Operating Systems
■ Low cost computing models
■ Changing DataCenter models
Key Standard Control Processes

Keeping pace means shifting focus

Advanced security techniques evenly distribute resources.
Historical Security Investment: Prevention 80%, Monitoring 15%, Response 5%
Future Security Investment: Prevention 33%, Monitoring 33%, Response 33%

A layered approach to intrusion security minimizes the chances of a successful intrusion.

Defense in depth - A concept in which multiple layers of security controls (defense) are placed throughout an information technology (IT) system. Its intent is to provide redundancy in the event a security control fails or a vulnerability is exploited, covering personnel, procedural, technical and physical aspects for the duration of the system’s lifecycle.

Layers (figure, outermost to innermost): Policies, Procedures, Awareness; Physical; Perimeter; Internal Network; Application; Data

Source: RSA

Cyber Maturity Assessment Methodology

Cyber Maturity Assessment Methodology – Areas of Focus

Legal & Compliance
 Inventory of compliance requirements
 Compliance program components
 Role of the Audit Committee
 Litigation inventory
 Cyber insurance

Leadership and Governance
 Board involvement
 Third-party supplier relationships
 Identification of critical data
 Ownership and governance for data protection
 Program management

Operations and Technology
 Threat and vulnerability management
 Logical security controls
 Physical security controls
 Security monitoring
 Incident response
 Integration w/IT service management

Human Factors
 Training and awareness
 Culture
 Personnel security measures
 Talent management
 Organizational roles and responsibilities

Business Continuity and Crisis Management
 Ability to manage cyber events
 Financial ramifications and budget
 Resources required and training
 Detailed plans
 Communications
 Testing

Information Risk Management
 Risk management approach and policies
 Risk tolerance identification
 Risk assessment and measures
 Change management
 Information sharing
 Third party accreditation
 Information communication architecture

Cyber Attack Countermeasure – How can we fight them?

Cyber threat intelligence is the ‘mechanism’ that drives cyber security investment and operational risk management.

The cycle (figure) places THREAT INTELLIGENCE at the centre of four activities:
Prepare is about understanding and improving your current state of preparedness against cyber attack.
Protect is about designing and implementing your cyber defence infrastructure.
Detect & Respond is about responding to and investigating attacks.
Integrate is about embedding cyber security in the culture and decision making of an organization.

Source: KPMG “Cyber threat intelligence and the lessons from law enforcement”

NIST Cybersecurity Framework

Overview of NIST Draft Framework

Framework has five core functions:

 Identify – Develop the institutional understanding of which organizational systems, assets, data, and capabilities need to be protected, determine priority in light of organizational mission, and establish processes to achieve risk management goals.
 Protect – Develop and implement the appropriate safeguards, prioritized through the organization’s risk management process, to ensure delivery of critical infrastructure services.
 Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
 Respond – Develop and implement the appropriate activities, prioritized through the organization’s risk management process (including effective planning), to take action regarding a detected cybersecurity event.
 Recover – Develop and implement the appropriate activities, prioritized through the organization’s risk management process, to restore the appropriate capabilities that were impaired through a cybersecurity event.

The five core functions support an orderly discussion of an organization’s risk profile and control processes.

Key Questions to Ask

In addition to the five core functions, there are general governance topics that
cross all of them:
 Who is responsible for cyber security and is it positioned appropriately in the
organization?
 Do we have enough/the right resources and capabilities?
 Do we have enough/right training?
 What is the internal audit program in this area?
 Do results from internal audits indicate potential weaknesses related to cyber
security risk?

Key Questions to Ask

Function: Identify
Question: What is our Risk Level today and how is that measured qualitatively and quantitatively?
Supporting Control Questions:
 Do we have an inventory of authorized and unauthorized devices?
 Do we have an inventory of authorized and unauthorized software?
 What is our Risk Appetite?
 What is our current Risk Profile?
Types of Security Controls:
 Inventory of Authorized and Unauthorized Devices
 Inventory of Authorized and Unauthorized Software
 Data Loss Prevention
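An inventory of authorized devices is only useful as a control if it is regularly reconciled against what is actually on the network. The following is an added example, not from the KPMG deck: a Python script that extracts the MAC addresses handed leases in a constructed ISC-dhcpd-style log (hypothetical hosts and addresses), compares them with an authorized-device list, and reports both unknown devices and authorized devices that never appeared. The log format and the inventory contents are assumptions made for the example.

```python
import re

# Constructed authorized-device inventory: MAC address -> description.
AUTHORIZED = {
    "aa:bb:cc:00:00:01": "ws-01 finance workstation",
    "aa:bb:cc:00:00:02": "ws-02 finance workstation",
    "aa:bb:cc:00:00:10": "printer-hr",
}

# Constructed DHCP server log excerpt in the style of ISC dhcpd.
DHCP_LOG = """\
Sep  1 10:02:11 dhcp1 dhcpd: DHCPACK on 10.0.5.21 to aa:bb:cc:00:00:01 (ws-01) via eth0
Sep  1 10:03:40 dhcp1 dhcpd: DHCPACK on 10.0.5.22 to aa:bb:cc:00:00:02 (ws-02) via eth0
Sep  1 10:05:02 dhcp1 dhcpd: DHCPACK on 10.0.5.77 to de:ad:be:ef:00:42 (android-7f3a) via eth0
Sep  1 10:05:02 dhcp1 dhcpd: DHCPACK on 10.0.5.21 to aa:bb:cc:00:00:01 (ws-01) via eth0
"""

ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<name>[^)]*)\))?",
    re.IGNORECASE,
)


def observed_devices(log_text):
    """Return {mac: (last ip, hostname)} for every device that obtained a lease."""
    seen = {}
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m:
            seen[m["mac"].lower()] = (m["ip"], m["name"] or "")
    return seen


def reconcile(authorized, seen):
    """Split observations into devices not in the inventory (unauthorized) and
    inventoried devices that were never observed (possibly retired, stolen or
    mis-recorded)."""
    unauthorized = {mac: info for mac, info in seen.items() if mac not in authorized}
    missing = sorted(mac for mac in authorized if mac not in seen)
    return unauthorized, missing


if __name__ == "__main__":
    unauthorized, missing = reconcile(AUTHORIZED, observed_devices(DHCP_LOG))
    for mac, (ip, name) in unauthorized.items():
        print(f"UNAUTHORIZED device {mac} ({name or 'no hostname'}) got lease {ip}")
    for mac in missing:
        print(f"inventoried device {mac} ({AUTHORIZED[mac]}) not seen on the network")
```

Both outputs matter to an auditor: the unknown Android device is the obvious finding, but the printer that never requested a lease is the kind of inventory drift that makes the control unreliable over time. The same reconciliation pattern applies to the software inventory, with package lists in place of DHCP leases.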

Key Questions to Ask

Function: Protect
Question: Do we have strong policies in place for secure configuration of applications, databases, and infrastructure and are we complying with these standards?
Supporting Control Questions:
 Do we have secure configurations for hardware and software on mobile devices, laptops, workstations, and servers?
 What is the state of our malware defenses?
 What is our application software security?
 What is our wireless device control?
 Do we have secure configurations for network devices, such as firewalls, routers, and switches?
 Do we limit and control network ports, protocols, and services?
 Do we/how do we control the use of administrative privileges?
 Do we control access based on need to know?
 Do we have a robust, secure engineering process to protect security controls from being circumvented?

Key Questions to Ask

Function: Protect (continued)

Types of Security Controls:
 Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
 Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
 Malware Defenses
 Application Software Security
 Wireless Device Control
 Limitation and Control of Network Ports, Protocols, and Services
 Controlled Use of Administrative Privileges
 Boundary Defense
 Maintenance, Monitoring, and Analysis of Audit Logs
 Controlled Access Based on the Need to Know
 Secure Network Engineering
 Penetration Tests and Red Team Exercises
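The first two controls above, and the question “are we complying with these standards?”, come down to comparing deployed configuration against an agreed baseline. The following is an added example, not from the KPMG deck: a Python checker that parses `key value` configuration text in the style of an OpenSSH `sshd_config`, evaluates it against a small baseline, and lists each deviation with its allowed values. A constructed weak configuration is shown beside a hardened one; the baseline rules and both configuration excerpts are assumptions made for the example.

```python
# Baseline: lower-cased setting name -> set of acceptable values.
BASELINE = {
    "permitrootlogin": {"no"},
    "passwordauthentication": {"no"},
    "x11forwarding": {"no"},
    "maxauthtries": {"3", "4"},
}

# Constructed sshd_config excerpt that drifted from the baseline.
WEAK_CONFIG = """\
# weak: root can log in with a password, X11 forwarding on
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
# MaxAuthTries left at the daemon default
"""

# Constructed hardened excerpt meeting every baseline rule.
HARDENED_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
MaxAuthTries 3
"""


def parse_config(text):
    """Parse 'Key value' lines, ignoring comments and blank lines.
    Keys are lower-cased because sshd treats them case-insensitively."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0].lower()] = parts[1].strip()
    return settings


def check_baseline(settings, baseline=BASELINE):
    """Return a list of (setting, actual value, allowed values) findings.
    A setting that is absent is reported as '<unset>': relying on the
    daemon default is itself a deviation from an explicit baseline."""
    findings = []
    for key, allowed in baseline.items():
        actual = settings.get(key)
        if actual is None:
            findings.append((key, "<unset>", sorted(allowed)))
        elif actual.lower() not in allowed:
            findings.append((key, actual, sorted(allowed)))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = check_baseline(parse_config(text))
        print(f"{label}: {len(findings)} finding(s)")
        for key, actual, allowed in findings:
            print(f"  {key} = {actual!r}, expected one of {allowed}")
```

Treating an unset key as a finding is deliberate: a baseline that only checks values that happen to be present will silently pass a host where the setting was never written down. The same parse-and-compare loop scales to fleet-wide checks by reading each host's file in turn and aggregating the findings per rule.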
Key Questions to Ask

Function: Detect
Question: Do we have processes to inform us when we have had a cyber security attack?
Supporting Control Questions:
 Do we conduct continuous vulnerability assessment and remediation?
 Do we have processes to maintain, monitor, and analyze audit logs?
 Do we have boundary defense controls that look for attacks and evidence of compromised machines?
 Do we monitor and control accounts so that system or individual accounts that are no longer needed are removed in a timely manner?
 Do we scrutinize movement of data across network boundaries, both electronically and physically?
Types of Security Controls:
 Continuous Vulnerability Assessment and Remediation
 Account Monitoring and Control
 Penetration Tests and Red Team Exercises
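“Maintain, monitor, and analyze audit logs” is abstract until one sees what analysis of a real log looks like. The following is an added example, not from the KPMG deck: a Python script that reads constructed OpenSSH authentication log lines (hypothetical hosts, users and addresses) and raises two kinds of alert: a source that accumulates many failed logins, and a source that succeeds after a run of failures, which is the case a response team most needs to see. The log format follows sshd's usual wording; the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed auth log: a password-guessing run that ends in success,
# followed by an ordinary user who mistypes once and then uses a key.
AUTH_LOG = """\
Sep  1 08:00:01 bastion sshd[2101]: Failed password for invalid user admin from 198.51.100.9 port 40112 ssh2
Sep  1 08:00:03 bastion sshd[2101]: Failed password for invalid user oracle from 198.51.100.9 port 40113 ssh2
Sep  1 08:00:05 bastion sshd[2101]: Failed password for root from 198.51.100.9 port 40114 ssh2
Sep  1 08:00:07 bastion sshd[2101]: Failed password for root from 198.51.100.9 port 40115 ssh2
Sep  1 08:00:09 bastion sshd[2101]: Failed password for root from 198.51.100.9 port 40116 ssh2
Sep  1 08:00:12 bastion sshd[2101]: Accepted password for root from 198.51.100.9 port 40117 ssh2
Sep  1 08:15:44 bastion sshd[2188]: Failed password for alice from 192.0.2.5 port 51000 ssh2
Sep  1 08:15:50 bastion sshd[2188]: Accepted publickey for alice from 192.0.2.5 port 51001 ssh2
"""

LINE_RE = re.compile(
    r"(?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\d+(?:\.\d+){3})"
)


def analyze_auth_log(text, failure_threshold=5, compromise_min_failures=3):
    """Return (brute_force, success_after_failures).

    brute_force: {source: failed attempts} for sources at or above
        `failure_threshold` failures.
    success_after_failures: {source: (user, failures before success)} for
        sources that logged in successfully after at least
        `compromise_min_failures` failures, i.e. a guessing run that worked."""
    failures = defaultdict(int)
    success_after_failures = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src = m["src"]
        if m["result"] == "Failed":
            failures[src] += 1
        elif failures[src] >= compromise_min_failures:
            success_after_failures[src] = (m["user"], failures[src])
    brute_force = {src: n for src, n in failures.items() if n >= failure_threshold}
    return brute_force, success_after_failures


if __name__ == "__main__":
    brute, compromised = analyze_auth_log(AUTH_LOG)
    for src, n in brute.items():
        print(f"brute force: {n} failed logins from {src}")
    for src, (user, n) in compromised.items():
        print(f"PRIORITY: {src} logged in as {user} after {n} failures")
```

On the constructed log, 198.51.100.9 is reported under both headings while alice's single typo is ignored. The second alert is the important one: a burst of failures is noise on any internet-facing host, but a success following that burst is evidence that a credential was guessed and should go straight to the incident response process described under the Respond function.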
Key Questions to Ask

Function: Respond
Question: What is our incident response plan in the event of a cyber security attack?
Supporting Control Questions:
 Do we have such a plan and does it have clearly defined roles and responsibilities?
 Do we conduct simulated attacks (such as penetration tests) to improve the organization’s readiness?
Types of Security Controls:
 Security Skills Assessment and Appropriate Training to Fill Gaps
 Incident Response and Management

Key Questions to Ask

Function: Recover
Question: What are our processes for recovering if we have experienced an incident?
Supporting Control Questions:
 Do we have a plan for removing all traces of an attack from our environment?
 Do we have appropriate back-up processes in place to support a recovery and are they regularly tested?
Types of Security Controls:
 Data Recovery Capability
 Data Loss Prevention
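“Are they regularly tested?” is the part of the back-up question that audits most often find unanswered. The following is an added example, not from the KPMG deck, of what a minimal automated restore test looks like in Python: it records a SHA-256 manifest of a constructed production tree, copies it to a backup and then to a restore location, verifies the restore against the manifest, and then shows that a silently altered file and a missing file are both caught. Paths, file contents and the manifest format are assumptions made for the example; everything runs inside a temporary directory.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path):
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_manifest(root):
    """Return {relative posix path: sha256} for every file under `root`.
    The manifest is taken from production at backup time and stored
    separately from the backup media."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest, restored_root):
    """Compare a restored tree with the manifest; return a list of
    (relative path, problem) where problem is 'missing' or 'checksum mismatch'."""
    restored_root = Path(restored_root)
    problems = []
    for rel, digest in manifest.items():
        target = restored_root / rel
        if not target.is_file():
            problems.append((rel, "missing"))
        elif sha256_of(target) != digest:
            problems.append((rel, "checksum mismatch"))
    return problems


def run_restore_test():
    """Constructed end-to-end restore test. Returns (problems on a clean
    restore, problems after one file is corrupted and one is deleted)."""
    with tempfile.TemporaryDirectory() as tmp:
        prod = Path(tmp) / "prod"
        (prod / "data").mkdir(parents=True)
        (prod / "data" / "ledger.csv").write_text("id,amount\n1,100\n")
        (prod / "config.ini").write_text("[app]\nmode=prod\n")
        manifest = make_manifest(prod)

        backup = Path(tmp) / "backup"
        shutil.copytree(prod, backup)
        restored = Path(tmp) / "restored"
        shutil.copytree(backup, restored)
        clean_result = verify_restore(manifest, restored)

        # Simulate silent corruption and loss in the restored copy.
        (restored / "data" / "ledger.csv").write_text("id,amount\n1,999\n")
        (restored / "config.ini").unlink()
        damaged_result = verify_restore(manifest, restored)
    return clean_result, damaged_result


if __name__ == "__main__":
    clean, damaged = run_restore_test()
    print("clean restore problems:", clean)
    print("damaged restore problems:", damaged)
```

The point of checking a manifest rather than just “the restore job finished” is that backup software will happily report success on data that was already corrupted or ransomware-encrypted before the backup ran. Scheduling this kind of test, and keeping the manifest where a compromised backup server cannot rewrite it, is what turns a backup process into a tested recovery capability.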

Summary

“Cyber” risks are real – while such risks have existed previously:
 Businesses rely more on their IT infrastructure than historically, with mobile devices, etc.
 There is greater interdependency due to outsourcing, third party service providers, cloud computing, etc.
 The internet provides additional avenues for cyber attacks
Regulatory expectations of board oversight are increasing, and more regulatory oversight and guidance is likely.
Be wary of techno-babble in the board room: cyber security should not be the domain of the “techies”.
It is not possible to eliminate the risk; monitoring and response capabilities are crucial.
Well managed IT departments with a focus on information security are effective in managing the cyber risk.

Questions/Discussion

Contacts:

Ann Armstrong
Advisory, Managing Director
KPMG LLP
annarmstrong@kpmg.com

Dhawal Thakker
Advisory, Director
KPMG LLP
dthakker@kpmg.com

Dana Mabes
Advisory, Manager
KPMG LLP
dmabes@kpmg.com

www.kpmg.com

The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International.
