Threats To Nonprofits

Transcription

Cybersecurity Threats to Nonprofits
Chris Debo, Senior Manager, IT Audit
August 14, 2014

What is Cybersecurity?
- NIST definition: "The process of protecting information by preventing, detecting, and responding to attacks."
- Key: PROTECTING INFORMATION against theft, misuse, manipulation, damage and loss
- Threats are not limited to Internet hackers:
  – Social engineering
  – Phishing
  – Disgruntled employees
  – Human error

Learning Objectives
1. Understand Cybersecurity
2. Assess Current State of Cybersecurity Threats
3. Effectively Assess Risk
4. Build and Execute a Plan to Mitigate Risk
5. Navigate Barriers to Success
6. How to Monitor and Evolve
7. Evaluate Need for Cybersecurity Insurance

What Cybercriminals Steal – And Why
- Bank credentials
  – Theft of funds
- Personally Identifiable Information (PII)
  – Identity theft
- Debit/credit card data
  – Access to credit, sale of data
- Intellectual property, data, other content
  – Blackmail, sale of data, avoiding payment of IP royalties, sabotage

Verizon Data Breach Report

Verizon Data Breach Report – Biggest Takeaways
- Employees are at the core of most attacks
  – Stolen credentials are the primary cause 80% of the time
  – 78% of intrusions were "relatively easy"
- Social engineering is the most common attack vector
  – Phishing
  – Gaining unauthorized physical access ("tailgating")
  – Targeted telephone calls
  – Personal solicitation attempts
  – Distribution of rogue devices
  – "Dumpster diving"

Verizon Data Breach Report – Other Takeaways
- 92% of breaches came from outside the organization
  – 55% from organized crime
  – 19% affiliated with other state agencies
- 75% of breaches were driven by financial motives
- 76% exploited weak or stolen credentials
- 69% were discovered by external parties
- 66% took months or more to discover
- 75% of attacks were opportunistic (companies not targeted directly)

Verizon Data Breach Report – Industry Dispersion (chart)

Verizon Data Breach Report – Attack Origin (chart)

Verizon Data Breach Report – Malware Sources (chart)

Attackers' Time to Exploit Vulnerability versus Organization's Ability to Defend (chart)
Source: Verizon Risk

Notable Data Breaches in US History
- 2013 Target – 110 million customers (40 million credit cards)
- 2013 Adobe Systems – 130 million customers
- 2011 Sony – 77 million customers
- 2008 Heartland Payment Systems – 130 million customers
- 2007 TJX Companies – 94 million customers (46 million credit cards)
- 1984 TRW/Sears – 90 million customers
Source: CNN Money

Target Breach (chart)

Target Response to Hack
- Target had already deployed a $1.6 million malware detection tool (FireEye).
  – Round-the-clock monitoring from security specialists in Bangalore
- November 30: FireEye detects loading of exfiltration software.
  – Target security team in Minneapolis notified
  – No action taken
- Mid-December: Security experts monitoring underground markets for stolen data detect a large influx of credit card information.
  – US Department of Justice notified
- December 12: Target notified by the Department of Justice of a potential breach.
- December 15: Target confirms breach.
- December 19: Target releases public statement confirming breach.
- March 5: Target CIO Beth Jacob resigns.

Target Control Failures (chart)

Target Breach – Inherent Flaws
- Flaws in system design
  – Lack of network segmentation
  – Lack of encryption of credit card data while stored in RAM
- Flaws in internal control
  – Lack of third-party oversight and compliance
  – Lack of monitoring and reaction

Is Your Organization Prepared? (chart)
Source: IIA Tone at the Top; April 2014

Information Security's Role in Combatting Threats
- Design and implement the security plan
- Respond to threats
- Maintain vigilance and level of knowledge
- Identify, understand and respond to changes in the operating environment
- Provide timely, accurate and complete information to Internal Audit

Management's Role in Combatting Cyber Threats
- Set the tone at the top
- Evaluate and approve strategy
- Assess and evaluate the functioning of the plan
- Communicate findings and monitor remediation activities
- Build an advisory relationship with IS
- Maintain frequent collaboration and interaction with IS
- Maintain a level of diligence and knowledge about cybersecurity

Steps for an Effective Cybersecurity Strategy
1. Adopt a Framework
2. Understand the Environment
3. Assess Risk
4. Build and Implement a Cybersecurity Plan
5. Audit the Environment – Planning and Scoping
6. Audit the Environment – Execute the Audit
7. Identify/Remediate Vulnerabilities
8. Monitor/Refresh

1. Adopt a Framework - Examples
- ISO 27000 Series
- Department of Energy
  – Cybersecurity Capability Maturity Model (C2M2)
  – Electricity Subsector (ES-C2M2)
  – Oil and Gas Subsector (ONG-C2M2)
- National Institute of Standards and Technology (NIST)
  – Cybersecurity Framework
  – Roadmap for Improving Critical Infrastructure Cybersecurity
- National Initiative for Cybersecurity Education (NICE)
  – Capability Maturity Model (CMM)
- ISACA - Transforming Cybersecurity Using COBIT 5

1. C2M2 Maturity Levels (chart)

1. C2M2 – Recommended Approach (chart)

1. Areas Covered in C2M2
- Risk management
- Asset, change, and configuration management
- Identity and access management
- Threat and vulnerability management
- Situational awareness
- Information sharing and communications
- Event and incident response, continuity of operations
- Supply chain and external dependencies management
- Workforce management
- Cybersecurity program management

1. NIST Framework Objectives

1. NIST Framework Objectives - Continued
- Identify
  – Asset Management
  – Governance
  – Risk Assessment
- Protect
  – ITGCs (Access Control)
  – Awareness and Training
  – Data Security
  – Information/Asset Protection
  – Maintenance
  – Protective Technology
- Detect
  – Monitoring
- Respond
  – Planning
  – Communications
  – Analysis
  – Mitigation
- Recover
  – Improvement

1. NIST Framework Implementation

2. Understand the Environment
- Operating environment
- Hardware type and location
- Applications
- Databases
- File systems
- Security
- Network architecture
- Third parties
- Middleware

2. Start with Asset Identification
- Identify all assets:
  – Databases
  – Files
  – Servers
  – Applications
  – Hardware
  – Web sites
- Asset classification
  – Location
  – Owner
  – Usage
  – Type
  – Status
  – Risk level

3. Assess Risk
- Identify risks (interviews, artifact review)
- Assign risk ranking
- Determine risk tolerance
- Address areas at or above the threshold
- Isolate/note threats covered by standard ITGCs
- Look at external and internal threats, and differentiate between them
- Place added emphasis on areas inherent to cybersecurity (see CSC)
- Identify recent/ongoing changes in the environment

3. Assessing Risk: Common Mistakes
- Not understanding the environment (see step 2)
- Avoiding unfamiliar technical content
- Underestimating the complexity of cybersecurity threats and/or overestimating internal audit's knowledge of network architectures
- Not allocating sufficient time for a comprehensive review
- Making assumptions about IS's level of knowledge/proficiency (taking them at their word)

3. Technical Proficiency: What's Wrong With This Picture? (chart)

3. Typical Network Security Questions
- Security policy?
- Network diagram?
- Firewall and intrusion detection/prevention?
- DMZ?
- Anti-virus/malware?
- Server hardening standards?
- Vulnerability scan and penetration test performed?
- Logging and monitoring?

3. Enlisting the Help of Security Professionals
- Benefits of utilizing external specialists
  – Cost
  – Expertise
  – Independence
  – Ability to focus
  – Benchmarking relative to other organizations
- Assessing specialist ability
  – Certifications
  – Examples
  – Experience
  – References

4. Build a Plan - Utilize Existing Control Frameworks as a Guide
Council on Cybersecurity Top 20 Critical Security Controls (v5)

Area                          | Critical Security Control
------------------------------|--------------------------------------------------------------------------------------------------
Asset Management              | 1. Inventory of Authorized and Unauthorized Devices
                              | 2. Inventory of Authorized and Unauthorized Software
Monitoring and Response       | 3. Maintenance, Monitoring, and Analysis of Audit Logs
                              | 4. Incident Response and Management
Wireless/BYOD                 | 5. Wireless Device Control
Logical Access                | 6. Limitation and Control of Network Ports, Protocols, and Services
                              | 7. Controlled Use of Administrative Privileges
                              | 8. Controlled Access Based on the Need to Know
                              | 9. Account Monitoring and Control
Network Design                | 10. Boundary Defense
                              | 11. Secure Network Engineering
Server and Device Hardening   | 12. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
                              | 13. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
Human Resources               | 14. Security Skills Assessment and Appropriate Training to Fill Gaps
Vulnerability and Pen Testing | 15. Continuous Vulnerability Assessment and Remediation
                              | 16. Penetration Tests and Red Team Exercises
Application Security          | 17. Malware Defenses
                              | 18. Application Software Security
Data Management               | 19. Data Recovery Capability
                              | 20. Data Protection

4. Align Control Objectives with Controls

Control objective: Attacks and breaches are identified and treated in a timely and appropriate manner.

Controls:
- Confirm monitoring and specific technical attack recognition solutions.
- Assess interfaces to security incident management and crisis management processes and plans.
- Evaluate the timeliness and adequacy of attack response.

4. Categorize Controls Based on Type of Risk (chart)
Source: ISACA

4. Categorize Controls Further (Org. Example) (chart)
Source: ISACA

5. Audit - Planning and Scoping
- Define the scope and clear boundaries
  – Vulnerability and penetration testing?
- Elaborate on audit objectives by adding audit activities
- Break down into manageable audits and reviews
- Allocate resources responsible for audit execution
  – Align skills/experience to risk and activity
  – Allot sufficient time to perform a comprehensive review based on risk

6. Perform the Audit
- Communicate high/critical findings immediately
- Look for changes/deviations from the expected state
- Collaborate with IS, but don't let them know exactly when certain tests will be performed
- Review with IS as you go

6. Useful Network Assessment Tools
- Netcraft.com (website IP address and configuration)
- NMAP (network address and port scanner)
- Nipper (firewall/appliance configuration scan)
- Vulnerability scanners
  – PCAT
  – Nessus
  – Nexpose
  – OpenVAS
- Penetration test
  – Metasploit
  – w3af
- iase.disa.mil/stigs (Security Technical Implementation Guides)
- Nist.gov
  – Security Configuration Checklists Program
  – National Vulnerability Database
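Step 6 asks the auditor to look for deviations from the expected state, and NMAP is the port scanner named above. The following Python script, added to this transcription and not part of the original deck, parses the grepable output of an authorized Nmap scan of your own network (nmap -oG) and compares it with an approved baseline of open ports; the scan output, the baseline and its format are constructed sample data.

```python
"""Compare an authorized Nmap scan of your own network against an approved
baseline of open TCP ports (audit step 6: deviations from the expected state).
Parses Nmap grepable output (nmap -oG -). Added example; all data is constructed."""
import re
from typing import Dict, Set

# Constructed sample of ``nmap -oG -`` output for three internal hosts.
# Fields are tab-separated; only "Ports:" lines carry port data.
SAMPLE_NMAP_GREPABLE = """\
# Nmap 6.47 scan initiated as: nmap -oG - 10.0.0.0/29
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (997)
Host: 10.0.0.6 ()\tStatus: Up
Host: 10.0.0.6 ()\tPorts: 22/open/tcp//ssh///, 25/filtered/tcp//smtp///\tIgnored State: closed (998)
Host: 10.0.0.7 ()\tStatus: Up
Host: 10.0.0.7 ()\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: closed (999)
# Nmap done: 8 IP addresses (3 hosts up) scanned
"""

# Hypothetical approved baseline: host -> TCP ports allowed to be open.
BASELINE: Dict[str, Set[int]] = {"10.0.0.5": {22, 443}, "10.0.0.6": {22, 80}}

_OPEN_TCP = re.compile(r"(\d+)/open/tcp/")


def parse_open_ports(grepable: str) -> Dict[str, Set[int]]:
    """Return {host: set of open TCP ports} from nmap -oG text."""
    found: Dict[str, Set[int]] = {}
    for line in grepable.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1]
        found.setdefault(host, set()).update(int(p) for p in _OPEN_TCP.findall(ports_field))
    return found


def diff_against_baseline(scan: Dict[str, Set[int]], baseline: Dict[str, Set[int]]) -> Dict[str, dict]:
    """Report, per host, open ports not in the baseline, baseline ports not seen,
    and hosts absent from the baseline altogether (unknown devices, CSC 1)."""
    deviations: Dict[str, dict] = {}
    for host in sorted(set(scan) | set(baseline)):
        seen, allowed = scan.get(host, set()), baseline.get(host, set())
        unexpected, missing = seen - allowed, allowed - seen
        if unexpected or missing or host not in baseline:
            deviations[host] = {"unexpected": unexpected, "missing": missing,
                                "in_baseline": host in baseline}
    return deviations
```

Run it against a fresh scan after each audit cycle and any non-empty result is a finding to review with IS (step 7).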

7. Identify/Remediate Vulnerabilities
- Review with IS and validate the finding
- Assign risk rating
- Develop a remediation plan with IS
  – Establish action plan
  – Assign responsibility
  – Assign timeline
- Update documentation/communication as necessary
- Review findings with management

8. Monitor/Refresh
- Evaluate IS compliance with established action plans
- Communicate deviations from action plans to management
- Monitor existing IS and business activities that may impact action plans or inherent risks
- Strive for continuous monitoring to ensure rapid communication and remediation cycles

8. Static Compliance Model (chart)

8. Continuous Compliance (chart)

Recommendations - Tone at the Top
- Create and reinforce the perception/understanding of cybersecurity threats
- Established, supported and communicated by senior management
- Establish awareness that controls and processes have been specifically designed to prevent attacks
  – New hire orientation
  – Ongoing awareness and communication
  – Visible to the organization

Recommendations - Protecting Your Network
- Restrict Remote Access
- Enforce Password and Lockout Policies
- Block Malicious Web Content
- Deploy Anti-Virus Software
- Monitor Network Activity
- Educate Employees
- Restrict and Review User Access

Protecting Your Network - Continued
- Encrypt Devices
- Harden Your Servers and Workstations
- Network Security Best Practices
  – Firewall
  – Segmentation
- Perform Independent Assessment of Network Vulnerabilities
- Monitor and Evaluate Third-Party Service Providers

Other Recommendations
- Educate and involve the audit committee
- Integrate cyber risk strategy into the organization's strategic plan
- Have a team dedicated to managing cyber threats
- Automate as much as possible
- Collaborate internally AND externally
- Evaluate the need for insurance as a "safety net" to other internal and external safeguards

What is a privacy incident going to cost me?
Summary of Ponemon Institute's 2012 Annual Cost of a Data Breach Report:
- Average cost and per-record cost declined for the first time but remain significant: $5.5 million and $194, respectively.
- Direct costs are estimated at $59 per record (legal counsel, notification letters, credit monitoring, etc.). The primary driver is legal defense costs.

Cost by industry class (per record)
Average                 $194
Education               $112
Retail                  $185
Healthcare              $301
Financial Institutions  $353

Data Breach Calculator / Cat. Modeling Tool
Number of records lost/stolen: 1,000,000 in states requiring notification
Data taken: Social Security Numbers
Number of years of credit monitoring: 1 year

Type of Breach Expense                                   | Estimated Expense Amounts                                              | Estimated Total Cost
---------------------------------------------------------|------------------------------------------------------------------------|---------------------
eDiscovery Litigation                                    | $100,000 + $1 per record                                               | $1,100,000
Forensics Investigation                                  | $20,000 + $0.20 per record                                             | $220,000
Public Relations                                         | $20,000 flat rate estimate                                             | $20,000
Call Center                                              | 1M * $0.50 per person * 15%                                            | $75,000
Attorney Review of State Notification Laws and State AGs | Flat rate estimate                                                     | $10,000
Notification of 1M Persons                               | 1M * $1 per person                                                     | $1,000,000
Optional Credit Monitoring                               | 1M * $10 per person * 15% (avg. of only 10%-20% accept it)            | $1,500,000
ID Fraud Remediation                                     | 1M * $1 per person                                                     | $1,000,000
AG Fines & Penalties                                     | Average $100 to $300 per record, with a cap of $500,000                | $500,000
FTC Fines and Penalties                                  | Estimate based upon required audits for 10 years at $75k per audit     | $750,000
PCI Fines                                                | $1.62 per record                                                       | $1,620,000
Legal Defense/Damages                                    | $5 per record                                                          | $5,000,000
Total Cost                                               |                                                                        | $12,795,000
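The calculator above mixes four kinds of expense line: flat estimates, per-record rates, per-person rates that apply only to the fraction who accept an offer, and per-record rates subject to a cap. The Python model below, added to this transcription and not part of the deck, encodes the slide's line items so the estimate can be rerun for a different record count or monitoring period; the forensics rate is taken as 0.20 per record, the only value consistent with the slide's 220,000 subtotal, and the AG fine uses the low end of the slide's 100 to 300 range (it is capped either way at this record count).

```python
"""Cost-of-breach model from the calculator slide: each expense line is a flat
amount, a per-record rate, a rate applied only to the fraction of people who
accept an offer, or a per-record rate subject to a cap. Added example; the
forensics rate of 0.20/record is assumed because it alone yields the slide's
220,000 subtotal (all other rates are the slide's own)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ExpenseLine:
    name: str
    flat: float = 0.0             # fixed amount regardless of record count
    per_record: float = 0.0       # rate applied to each record/person
    take_up: float = 1.0          # fraction of people the rate applies to
    cap: Optional[float] = None   # ceiling for this line, if any

    def cost(self, records: int) -> float:
        amount = self.flat + self.per_record * records * self.take_up
        return min(amount, self.cap) if self.cap is not None else amount


def slide_lines(monitoring_years: int = 1, audit_years: int = 10) -> List[ExpenseLine]:
    """The slide's twelve expense lines; monitoring and audit horizons are parameters."""
    return [
        ExpenseLine("eDiscovery litigation", flat=100_000, per_record=1.00),
        ExpenseLine("Forensics investigation", flat=20_000, per_record=0.20),  # assumed rate
        ExpenseLine("Public relations", flat=20_000),
        ExpenseLine("Call center", per_record=0.50, take_up=0.15),
        ExpenseLine("Attorney review of notification laws", flat=10_000),
        ExpenseLine("Notification letters", per_record=1.00),
        ExpenseLine("Credit monitoring", per_record=10.00 * monitoring_years, take_up=0.15),
        ExpenseLine("ID fraud remediation", per_record=1.00),
        ExpenseLine("AG fines and penalties", per_record=100.00, cap=500_000),  # low end of 100-300
        ExpenseLine("FTC audits", flat=75_000 * audit_years),
        ExpenseLine("PCI fines", per_record=1.62),
        ExpenseLine("Legal defense/damages", per_record=5.00),
    ]


def estimate_breach_cost(records: int, lines: Optional[List[ExpenseLine]] = None) -> Dict[str, float]:
    """Return each line's cost plus 'Total' for the given record count."""
    lines = slide_lines() if lines is None else lines
    breakdown = {line.name: round(line.cost(records), 2) for line in lines}
    breakdown["Total"] = round(sum(breakdown.values()), 2)
    return breakdown
```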

Unplanned Cash Flows & Insurability
- State and/or federally mandated notification costs
- Brand preservation:
  – Voluntary notification, credit monitoring, public relations expense
- Defense and indemnity expense from third-party allegations
- Regulatory defense costs
- Regulatory & PCI fines and penalties
- Forensic investigation, data restoration expenses, asset damage
- Business income loss & extra expense

Cyber/Privacy Liability Insurance Can Protect Against:
- Privacy violations – electronic and non-electronic
- Intellectual property infringement
- Security breaches
- Internet, network programming errors and omissions
- Business interruption causing loss of revenue and extra expense
- Destruction, disclosure and theft of electronic data
- Fines and penalties and punitive damages
- Post-event crisis management expenses
- Regulatory defense, fines and penalties coverage
- Cyber extortion

Questions
Chris Debo, CISA
cdebo@schneiderdowns.com
614-586-7108
Steven Earley, CISA, CISSP, CRISC, CFSA, ITILv3, MCP
searley@schneiderdowns.com
614-586-7115
