Cyber Security Threats: Are You at Risk?
Boise Chapter, Institute of Internal Auditors
January 2012
Patricia Watson
Digital Forensics Program Manager
Boise Inc.
Mark Pearson
Director, Internal Audit Services
Boise Inc.
Outline
• What is the current cyber security landscape?
• What is the role of internal audit?
• Boise Inc. internal audit approach
• Leveraging digital forensic skills
• Resources
• Questions/discussion
Internal Audit Services| Page 2
Awareness is key…
• Video: Amazing mind reader reveals his “gift”
http://www.youtube.com/watch?v=LABVsSC0H4g
President Obama has declared that the “cyber threat
is one of the most serious economic and national
security challenges we face as a nation” and that
“America's economic prosperity in the 21st century
will depend on cybersecurity.”
Source: http://www.whitehouse.gov/administration/eop/nsc/cybersecurity
What is the current landscape?
“…With each passing year, the security threats facing computer networks have
become more technically sophisticated, better organized and harder to detect. At
the same time, the consequences of failing to block these attacks have
increased. In addition to the economic consequences of financial fraud, we are
seeing real-world attacks that impact the reliability of critical infrastructure and
national security.”
Source: Forbes, December 2012: Tom Cross, Five Key Computer Network Challenges for 2013
As we enter 2013, security experts say that the top threats are posed by
organized crime, hacktivists, nation-states and insiders.
Source: Bankinfosecurity.com, January 2013
“Defense Secretary Leon Panetta recently outlined new warfare terrain: The
Internet. Cyber security concerns do not simply include hackers and criminals.
Panetta said the greater danger is a cyber attack carried out by nation states or
extremist groups that could be as destructive as the terrorist attack on Sept. 11,
2001 and ‘virtually paralyze the nation’.”
Source: Inquisitor.com, December 2012
What is the current landscape (cont.)?
According to a report from the US Department of Homeland Security's
(DHS's) Cyber Emergency Response Team for Industrial Control Systems
(ICS-CERT) cyberattacks on systems at organizations that are part of the
US energy infrastructure are on the rise. In the 12 months ending in
September 2012, nearly 200 cyber incidents were reported to ICS-CERT.
More than 40 percent of those incidents were directed at energy sector
companies.
Source: SANS Institute, January 2013
The US Office of the Comptroller of the Currency (OCC) has issued an alert
about the recent wave of distributed denial-of-service (DDoS) attacks against
financial institutions.
Source: SANS News, December 2012
Nearly 12 million people are affected by identity fraud each year.
Source: http://gpluspro.hubpages.com/hub/Identity-Theft-Statistics-2012
CERT reports that malicious insiders within the financial industry typically get
away with their fraud for nearly 32 months before being detected.
Source: Forbes.Com – Cybersecurity Threats of 2013
DHS reports that “The majority of corporate security breaches occur when
hackers exploit employees through social engineering and scams”.
Source: DHS.gov – Defending against cybercriminals
Recent (2012) security breaches
From openspace.com and networkworld.com:
• Over six million passwords were stolen in a hack of the professional networking site linkedin.com. Earlier today, it was reported that a user in a Russian forum uploaded 6,458,020 hashed LinkedIn passwords.
• Ars Technica reported that a list of about 1.5 million passwords appeared to include users of dating website eHarmony.
• U.K.-based security researchers have found a backdoor that was “deliberately” inserted into an American military chip to help attackers gain unauthorized access and reprogram its memory, according to a draft research paper. Production of the chip had been outsourced to the Chinese.
• At least 228,000 Social Security numbers were exposed in a March 30 breach involving a Medicaid server at the Utah Department of Health.
• A 31-year-old Russian national living in New York, Petr Murmylyuk, was charged with hacking into accounts at Fidelity, Scottrade, E*Trade and Schwab in a complex scheme that involved making unauthorized trades that profited the gang he recruited to open bank accounts to receive the illegal proceeds. The brokerage firms said they lost $1 million because of Murmylyuk's fraud.
From Gizmodo.com:
• Hacker leaks 300,000 Verizon customer records and claims to have millions more.
 2008: 134 million credit cards exposed at Heartland.
 2006: 94 million credit cards exposed at TJX.
 2011: Names and e-mails of millions of customers at Epsilon were
exposed.
 2011: Possibly 40 million employee records stolen at RSA Security.
 2010: Stuxnet attack on the Iran nuclear power program.
 2006: An unencrypted national database at the Department of
Veterans Affairs with names, Social Security numbers, dates of births,
and some disability ratings for 26.5 million veterans, active-duty
military personnel and spouses was stolen.
 2011: 77 million PlayStation Network accounts hacked; Sony is said to
have lost millions while the site was down for a month.
 2011: The personal information of 35 million South Koreans was
exposed after hackers breached the security of a popular software
provider, ESTsoft.
Worst breaches recent history
Source: csoonline.com
Internal Audit Services| Page 8
Stakeholder view
Cybersecurity is a key area of concern for Boards, Audit Committees, and Governance Committees:
• Cybersecurity is in Deloitte’s top 10 issues for Audit Committees: “Cybersecurity risks and incidents have risen to the top of audit committee agendas…”
Source: Deloitte Audit Committee Brief, Top Issues for Audit Committees for 2013.
• IIA’s Tone at the Top, a publication for Directors, lists emerging technologies as a top 8 risk for organizations in 2013, with cybersecurity specifically mentioned.
Source: IIA Tone at the Top, Issue 59
• Publications aimed at Directors include Director’s Role in Cybersecurity Oversight, Mark Camillo; and Information Security Oversight: A 2007 Survey Report.
And it is getting the attention of the SEC:
• The SEC requires disclosure of cyber-security risks and incidents: “Registrants should address cyber-security risks and cyber incidents in their …(MD&A), Risk Factors, Description of Business, Legal Proceedings and Financial Statement Disclosures.”
Source: Deloitte Audit Committee Brief, Top Issues for Audit Committees for 2013.
Are organizations/individuals doing enough
to protect themselves?
A recent survey by the National Cyber Security Alliance and Symantec
found that 77% of small and medium-size businesses believe they’re
safe from hackers, viruses and malware. And 83% of SMBs take no
formal measures against cyberthreats — even though almost half of all
attacks are aimed at SMBs.
Source: Forbes, December 2012: Tom Devany, Five Ways Small Businesses Can Protect Against Computer Crime
The two most common computer passwords today are “password” and “123456”.
Source: Splashdata.com
15% of Americans have never checked their social networking privacy and
security account settings.
Source: http://www.internetsafety101.org/Socialnetworkingstats.htm
What is the role of Internal Audit?
The Standards for the Professional Practice of Internal Auditing require the internal audit activity to (see Addendum A):
• Assess information technology governance
• Evaluate the risk management processes and contribute to their improvement
• Evaluate risk exposures related to the organization's information systems
• Evaluate the potential for fraud and how fraud risk is managed
• Assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement
• Maintain sufficient knowledge of key IT risks and controls
Other guidance, strongly recommended by the IIA (see Addendum B):
• Evaluate key risk management processes, facilitate identification and evaluation of key risks, coach management in responding to key risks (The Role of Internal Audit in ERM)
• Assess the organization’s information reliability and integrity practices (PA 2130.A1-1)
• Assess the adequacy of management’s identification of risks related to its privacy objectives and the adequacy of the controls (PA 2130.A1-1)
• Benchmark information security governance against independent standards (GTAG 15)
• Evaluate fraud risks and related controls and help management establish fraud prevention measures (GTAG 13)
• Assess the effectiveness of preventive, detective, and mitigation measures against cyber threats and attacks (GTAG 6)
What is the role of Internal Audit? (cont.)
Said simply:
• Identify and assess key cyber security risks
• Develop an appropriate audit plan
• Understand and assess key cyber-security controls, tools and processes
• Evaluate the risk of fraud and how fraud risks are managed
• Promote continuous improvement
• Evaluate key risk management processes, facilitate identification and evaluation of key risks
• Assess the effectiveness of preventive, detective, and mitigation measures against cyber threats and attacks
• Help develop and maintain the ERM framework
• Support management in identifying and responding to key risks
• Ensure that you have the expertise, or co-source, to do the above
Boise Inc. Internal Audit approach
General
• Maintain strong IT audit staffing and co-source where we don’t have the
skills in-house
• Collaborate with IT & Legal to improve computer policies, and
information security and awareness
• Participate in project teams to improve controls and processes
• Monitor the cyber security landscape
• Maintain a quarterly information security monitoring process
• Assist management with risk assessment
• Perform digital forensic investigations of suspected WF&A
• Use COBIT as a framework for IT reviews
Review key compliance areas
• Personal sensitive information
• HIPAA privacy and security provisions
• Payment card industry (PCI) compliance
• SOX compliance (controls over network security, database security, other key IT areas)
Boise Inc. Internal Audit approach (cont.)
Review cyber security processes and controls
• Virtual server environment (co-source & internal audit)
• Web application development (co-source & internal audit)
• Boise IT strategy including information security (co-source)
• Security penetration tests (co-source)
• Cybersecurity of mill process control networks (team with internal
audit, IT, engineering, consultants)
• Wireless network controls
• Application development, particularly with major systems
development
• File transfer protocol
• Access management and security including Active Directory
Leveraging Digital Forensic Skills
• Forensic skill set
  • A broad range of technical, investigative, procedural, and legal skills
    • Disk geometry, file system anatomy, reverse engineering, evidence integrity, COC and criminal profiling
  • The ability to function in a complex, dynamic environment
    • Computer technology as well as legal and regulatory environments are constantly changing
  • The ability to objectively testify in a court of law
    • Reproduce the incident, interpret results, be prepared for cross-examination
Leveraging Digital Forensic Techniques
• Incident response
  • NIST has a great “Guide to Integrating Forensic Techniques into Incident Response”
• Malware analysis
  • A forensic image is a great sandbox for malware analysis
• Cyber security risk assessments
  • Forensic tools are passive, non-intrusive and, for the most part, transparent to the end user
• Litigation support
  • Preservation of ESI, complex keyword crafting/searching, & FRCP
• IT governance & compliance
  • PCI, HIPAA, antitrust compliance, sensitive and proprietary data & testing controls
Questions??
Addendums and Resources
Addendum A: Applicable IIA Standards (The Standards are mandatory guidance)
Excerpts from The Standards for the Professional Practice of Internal Auditing:
• Internal auditors must have sufficient knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work. (Standard 1210.A3)
• The internal audit activity must assess whether the information technology governance of the organization supports the organization’s strategies and objectives. (Standard 2110.A2)
• The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes. (Standard 2120)
• The internal audit activity must evaluate risk exposures relating to the organization’s governance, operations, and information systems. (Standard 2120.A1)
• The internal audit activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk. (Standard 2120.A2)
• The internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement. (Standard 2130)
Addendum B: Other IIA Guidance (strongly recommended by the IIA)
Excerpts from The Role of Internal Audit in ERM (IIA position paper):
• Evaluate and provide assurance on key risk management processes
• Evaluate the reporting and management of key risks
• Facilitate and coordinate identification and evaluation of key risks
• Coach management in responding to key risks
• Develop and maintain the ERM framework
Excerpts from IIA Practice Advisories:
• Internal auditors periodically assess the organization’s information reliability and integrity practices… (PA 2130.A1-1)
• Assess the adequacy of management’s identification of risks related to its privacy objectives and the adequacy of the related controls. (PA 2130.A1-2)
IIA Practice Guides:
• Auditing Privacy Risks, 2nd Edition
• GTAG 2: Change and Patch Management Controls, 2nd Edition
• GTAG 6: Managing and Auditing IT Vulnerabilities
• GTAG 9: Identity and Access Management
• GTAG 11: Developing the IT Audit Plan
• GTAG 13: Fraud Detection and Prevention in the Automated World
• GTAG 15: Information Security Governance
• GTAG 17: Auditing IT Governance
Resources
• StaySafeOnline.Org: http://www.staysafeonline.org/business-safe-online/assess-your-risk
• FBI Cyber Crime: http://www.fbi.gov/about-us/investigate/cyber/cyber
• US-CERT CSET: http://www.us-cert.gov/control_systems/satool.html
• INL Control System Security Program: http://www.inl.gov/research/control-systems-security-program/
• NIST - Guide to Integrating Forensic Techniques into Incident Response: http://csrc.nist.gov/publications/nistpubs/800-86/SP800-86.pdf
• Fighting to Close the Gap, E&Y 15th annual Global Information Security Survey: http://www.ey.com/Publication/vwLUAssets/Fighting_to_close_the_gap:_2012_Global_Information_Security_Survey/$FILE/2012_Global_Information_Security_Survey___Fighting_to_close_the_gap.pdf
• KPMG Institute: http://www.kpmginstitutes.com/government-institute/insights/2011/ppa-cybersecurity-and-data-driven-issues.aspx
• Local professional organizations: IIA, ISACA, ISSA, HTCIA, ACFE

Más contenido relacionado

La actualidad más candente

August 2017 - Anatomy of a Cyber Attacker
August 2017 - Anatomy of a Cyber AttackerAugust 2017 - Anatomy of a Cyber Attacker
August 2017 - Anatomy of a Cyber Attacker
seadeloitte
 
Securing Fintech: Threats, Challenges & Best Practices
Securing Fintech: Threats, Challenges & Best PracticesSecuring Fintech: Threats, Challenges & Best Practices
Securing Fintech: Threats, Challenges & Best Practices
Ulf Mattsson
 
Kaspersky: Global IT Security Risks
Kaspersky: Global IT Security RisksKaspersky: Global IT Security Risks
Kaspersky: Global IT Security Risks
Constantin Cocioaba
 
Cyber Review_April 2015
Cyber Review_April 2015Cyber Review_April 2015
Cyber Review_April 2015
James Sheehan
 

La actualidad más candente (19)

August 2017 - Anatomy of a Cyber Attacker
August 2017 - Anatomy of a Cyber AttackerAugust 2017 - Anatomy of a Cyber Attacker
August 2017 - Anatomy of a Cyber Attacker
 
U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015
U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015
U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015
 
Cybersecurity & the Board of Directors
Cybersecurity & the Board of DirectorsCybersecurity & the Board of Directors
Cybersecurity & the Board of Directors
 
The CPAs Guide to Buying Cyber Insurance
The CPAs Guide to Buying Cyber InsuranceThe CPAs Guide to Buying Cyber Insurance
The CPAs Guide to Buying Cyber Insurance
 
In the news
In the newsIn the news
In the news
 
Challenges in the Business and Law of Cybersecurity, CLEAR Cyber Conference, ...
Challenges in the Business and Law of Cybersecurity, CLEAR Cyber Conference, ...Challenges in the Business and Law of Cybersecurity, CLEAR Cyber Conference, ...
Challenges in the Business and Law of Cybersecurity, CLEAR Cyber Conference, ...
 
November 2017: Part 6
November 2017: Part 6November 2017: Part 6
November 2017: Part 6
 
Before the Breach: Using threat intelligence to stop attackers in their tracks
Before the Breach: Using threat intelligence to stop attackers in their tracksBefore the Breach: Using threat intelligence to stop attackers in their tracks
Before the Breach: Using threat intelligence to stop attackers in their tracks
 
Securing Fintech: Threats, Challenges & Best Practices
Securing Fintech: Threats, Challenges & Best PracticesSecuring Fintech: Threats, Challenges & Best Practices
Securing Fintech: Threats, Challenges & Best Practices
 
Etude PwC/CIO/CSO sur la sécurité de l'information (2014)
Etude PwC/CIO/CSO sur la sécurité de l'information (2014)Etude PwC/CIO/CSO sur la sécurité de l'information (2014)
Etude PwC/CIO/CSO sur la sécurité de l'information (2014)
 
Baker Tilly Presents: Emerging Trends in Cybersecurity
Baker Tilly Presents: Emerging Trends in CybersecurityBaker Tilly Presents: Emerging Trends in Cybersecurity
Baker Tilly Presents: Emerging Trends in Cybersecurity
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligence
 
Dealing with Data Breaches Amidst Changes In Technology
Dealing with Data Breaches Amidst Changes In TechnologyDealing with Data Breaches Amidst Changes In Technology
Dealing with Data Breaches Amidst Changes In Technology
 
Heidi
HeidiHeidi
Heidi
 
Kaspersky: Global IT Security Risks
Kaspersky: Global IT Security RisksKaspersky: Global IT Security Risks
Kaspersky: Global IT Security Risks
 
2017 october supplementary_reading
2017 october supplementary_reading2017 october supplementary_reading
2017 october supplementary_reading
 
Cyber Review_April 2015
Cyber Review_April 2015Cyber Review_April 2015
Cyber Review_April 2015
 
Informationsecurity
InformationsecurityInformationsecurity
Informationsecurity
 
Critical Update Needed: Cybersecurity Expertise in the Boardroom
Critical Update Needed: Cybersecurity Expertise in the BoardroomCritical Update Needed: Cybersecurity Expertise in the Boardroom
Critical Update Needed: Cybersecurity Expertise in the Boardroom
 

Similar a Cyber Security Threats | IIA Boise Chapter

We are living in a world where cyber security is a top priority for .pdf
We are living in a world where cyber security is a top priority for .pdfWe are living in a world where cyber security is a top priority for .pdf
We are living in a world where cyber security is a top priority for .pdf
galagirishp
 
Not Prepared for Hacks .docx
                 Not Prepared for Hacks    .docx                 Not Prepared for Hacks    .docx
Not Prepared for Hacks .docx
hallettfaustina
 
Insider_Threats_in_Healthcare_1651617236.pdf
Insider_Threats_in_Healthcare_1651617236.pdfInsider_Threats_in_Healthcare_1651617236.pdf
Insider_Threats_in_Healthcare_1651617236.pdf
ramsetl
 
JPMorgan Chase & Co. -Risk Assessment Report
JPMorgan Chase & Co. -Risk Assessment ReportJPMorgan Chase & Co. -Risk Assessment Report
JPMorgan Chase & Co. -Risk Assessment Report
Divya Kothari
 
IMT 552-JPMorgan Chase & Co. Risk Assessment v05
IMT 552-JPMorgan Chase & Co. Risk Assessment v05IMT 552-JPMorgan Chase & Co. Risk Assessment v05
IMT 552-JPMorgan Chase & Co. Risk Assessment v05
Daniel Kapellmann Zafra
 
12Cyber Research ProposalCyb
12Cyber Research ProposalCyb12Cyber Research ProposalCyb
12Cyber Research ProposalCyb
AnastaciaShadelb
 
12Cyber Research ProposalCyb
12Cyber Research ProposalCyb12Cyber Research ProposalCyb
12Cyber Research ProposalCyb
ChantellPantoja184
 
Who is the next target and how is big data related ulf mattsson
Who is the next target and how is big data related   ulf mattssonWho is the next target and how is big data related   ulf mattsson
Who is the next target and how is big data related ulf mattsson
Ulf Mattsson
 

Similar a Cyber Security Threats | IIA Boise Chapter (20)

We are living in a world where cyber security is a top priority for .pdf
We are living in a world where cyber security is a top priority for .pdfWe are living in a world where cyber security is a top priority for .pdf
We are living in a world where cyber security is a top priority for .pdf
 
Not Prepared for Hacks .docx
                 Not Prepared for Hacks    .docx                 Not Prepared for Hacks    .docx
Not Prepared for Hacks .docx
 
Insider_Threats_in_Healthcare_1651617236.pdf
Insider_Threats_in_Healthcare_1651617236.pdfInsider_Threats_in_Healthcare_1651617236.pdf
Insider_Threats_in_Healthcare_1651617236.pdf
 
JPMorgan Chase & Co. -Risk Assessment Report
JPMorgan Chase & Co. -Risk Assessment ReportJPMorgan Chase & Co. -Risk Assessment Report
JPMorgan Chase & Co. -Risk Assessment Report
 
White Paper :- Spear-phishing, watering hole and drive-by attacks :- The New ...
White Paper :- Spear-phishing, watering hole and drive-by attacks :- The New ...White Paper :- Spear-phishing, watering hole and drive-by attacks :- The New ...
White Paper :- Spear-phishing, watering hole and drive-by attacks :- The New ...
 
IMT 552-JPMorgan Chase & Co. Risk Assessment v05
IMT 552-JPMorgan Chase & Co. Risk Assessment v05IMT 552-JPMorgan Chase & Co. Risk Assessment v05
IMT 552-JPMorgan Chase & Co. Risk Assessment v05
 
12Cyber Research ProposalCyb
12Cyber Research ProposalCyb12Cyber Research ProposalCyb
12Cyber Research ProposalCyb
 
12Cyber Research ProposalCyb
12Cyber Research ProposalCyb12Cyber Research ProposalCyb
12Cyber Research ProposalCyb
 
Cyber Security index
Cyber Security indexCyber Security index
Cyber Security index
 
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal CounselBug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
 
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal CounselBug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
 
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...
 
Verizon 2014 data breach investigation report and the target breach
Verizon 2014 data breach investigation report and the target breachVerizon 2014 data breach investigation report and the target breach
Verizon 2014 data breach investigation report and the target breach
 
A1 - Cibersegurança - Raising the Bar for Cybersecurity
A1 - Cibersegurança - Raising the Bar for CybersecurityA1 - Cibersegurança - Raising the Bar for Cybersecurity
A1 - Cibersegurança - Raising the Bar for Cybersecurity
 
Sel03129 usen
Sel03129 usenSel03129 usen
Sel03129 usen
 
Who is the next target and how is big data related ulf mattsson
Who is the next target and how is big data related   ulf mattssonWho is the next target and how is big data related   ulf mattsson
Who is the next target and how is big data related ulf mattsson
 
Executive Summary of the 2016 Scalar Security Study
Executive Summary of the 2016 Scalar Security StudyExecutive Summary of the 2016 Scalar Security Study
Executive Summary of the 2016 Scalar Security Study
 
2016 Scalar Security Study Executive Summary
2016 Scalar Security Study Executive Summary2016 Scalar Security Study Executive Summary
2016 Scalar Security Study Executive Summary
 
Social Media & Cybersecurity
Social Media & CybersecuritySocial Media & Cybersecurity
Social Media & Cybersecurity
 
The 10 Fastest Growing Cyber Security Companies of 2017
The 10 Fastest Growing Cyber Security Companies of 2017The 10 Fastest Growing Cyber Security Companies of 2017
The 10 Fastest Growing Cyber Security Companies of 2017
 

Más de Patricia M Watson

CIA Trifecta ISACA Boise 2016 Watson
CIA Trifecta ISACA Boise 2016 WatsonCIA Trifecta ISACA Boise 2016 Watson
CIA Trifecta ISACA Boise 2016 Watson
Patricia M Watson
 
CyberSecThreats_R_U_atRisk_Watson
CyberSecThreats_R_U_atRisk_WatsonCyberSecThreats_R_U_atRisk_Watson
CyberSecThreats_R_U_atRisk_Watson
Patricia M Watson
 
ISACA President Letter | Patricia Watson | 2013
ISACA President Letter | Patricia Watson | 2013ISACA President Letter | Patricia Watson | 2013
ISACA President Letter | Patricia Watson | 2013
Patricia M Watson
 
Computer Forensics | Patricia Watson | 2004
Computer Forensics | Patricia Watson | 2004Computer Forensics | Patricia Watson | 2004
Computer Forensics | Patricia Watson | 2004
Patricia M Watson
 
IT Governance | 2013 Interface Conf | Watson
IT Governance | 2013 Interface Conf | WatsonIT Governance | 2013 Interface Conf | Watson
IT Governance | 2013 Interface Conf | Watson
Patricia M Watson
 
SCADA Cyber Sec | ISACA 2013 | Patricia Watson
SCADA Cyber Sec | ISACA 2013 | Patricia WatsonSCADA Cyber Sec | ISACA 2013 | Patricia Watson
SCADA Cyber Sec | ISACA 2013 | Patricia Watson
Patricia M Watson
 
Cyber Security | Patricia Watson
Cyber Security | Patricia WatsonCyber Security | Patricia Watson
Cyber Security | Patricia Watson
Patricia M Watson
 
Leveraging Digital Forensics | Patricia Watson
Leveraging Digital Forensics | Patricia WatsonLeveraging Digital Forensics | Patricia Watson
Leveraging Digital Forensics | Patricia Watson
Patricia M Watson
 

Más de Patricia M Watson (9)

CIA Trifecta ISACA Boise 2016 Watson
CIA Trifecta ISACA Boise 2016 WatsonCIA Trifecta ISACA Boise 2016 Watson
CIA Trifecta ISACA Boise 2016 Watson
 
CyberSecThreats_R_U_atRisk_Watson
CyberSecThreats_R_U_atRisk_WatsonCyberSecThreats_R_U_atRisk_Watson
CyberSecThreats_R_U_atRisk_Watson
 
Securing your cyberspace_Watson
Securing your cyberspace_WatsonSecuring your cyberspace_Watson
Securing your cyberspace_Watson
 
ISACA President Letter | Patricia Watson | 2013
ISACA President Letter | Patricia Watson | 2013ISACA President Letter | Patricia Watson | 2013
ISACA President Letter | Patricia Watson | 2013
 
Computer Forensics | Patricia Watson | 2004
Computer Forensics | Patricia Watson | 2004Computer Forensics | Patricia Watson | 2004
Computer Forensics | Patricia Watson | 2004
 
IT Governance | 2013 Interface Conf | Watson
IT Governance | 2013 Interface Conf | WatsonIT Governance | 2013 Interface Conf | Watson
IT Governance | 2013 Interface Conf | Watson
 
SCADA Cyber Sec | ISACA 2013 | Patricia Watson
SCADA Cyber Sec | ISACA 2013 | Patricia WatsonSCADA Cyber Sec | ISACA 2013 | Patricia Watson
SCADA Cyber Sec | ISACA 2013 | Patricia Watson
 
Cyber Security | Patricia Watson
Cyber Security | Patricia WatsonCyber Security | Patricia Watson
Cyber Security | Patricia Watson
 
Leveraging Digital Forensics | Patricia Watson
Leveraging Digital Forensics | Patricia WatsonLeveraging Digital Forensics | Patricia Watson
Leveraging Digital Forensics | Patricia Watson
 

Último

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 

Último (20)

A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

Cyber Security Threats | IIA Boise Chapter

  • 5. What is the current landscape?
“…With each passing year, the security threats facing computer networks have become more technically sophisticated, better organized and harder to detect. At the same time, the consequences of failing to block these attacks have increased. In addition to the economic consequences of financial fraud, we are seeing real-world attacks that impact the reliability of critical infrastructure and national security.”
Source: Forbes, December 2012: Tom Cross, Five Key Computer Network Challenges for 2013
As we enter 2013, security experts say that the top threats are posed by organized crime, hacktivists, nation-states and insiders.
Source: Bankinfosecurity.com, January 2013
“Defense Secretary Leon Panetta recently outlined new warfare terrain: The Internet. Cyber security concerns do not simply include hackers and criminals. Panetta said the greater danger is a cyber attack carried out by nation states or extremist groups that could be as destructive as the terrorist attack on Sept. 11, 2001 and ‘virtually paralyze the nation’.”
Source: Inquisitor.com, December 2012

  • 6. What is the current landscape (cont.)?
According to a report from the US Department of Homeland Security's (DHS's) Cyber Emergency Response Team for Industrial Control Systems (ICS-CERT), cyberattacks on systems at organizations that are part of the US energy infrastructure are on the rise. In the 12 months ending in September 2012, nearly 200 cyber incidents were reported to ICS-CERT. More than 40 percent of those incidents were directed at energy sector companies.
Source: SANS Institute, January 2013
The US Office of the Comptroller of the Currency (OCC) has issued an alert about the recent wave of distributed denial-of-service (DDoS) attacks against financial institutions.
Source: SANS News, December 2012
Nearly 12 million people are affected by identity fraud each year.
Source: http://gpluspro.hubpages.com/hub/Identity-Theft-Statistics-2012
CERT reports that malicious insiders within the financial industry typically get away with their fraud for nearly 32 months before being detected.
Source: Forbes.com – Cybersecurity Threats of 2013
DHS reports that “The majority of corporate security breaches occur when hackers exploit employees through social engineering and scams”.
Source: DHS.gov – Defending against cybercriminals

  • 7. Recent (2012) security breaches
From openspace.com and networkworld.com:
 Over six million passwords were stolen in a hack of the professional networking site linkedin.com. Earlier today, it was reported that a user in a Russian forum uploaded 6,458,020 hashed LinkedIn passwords.
 Ars Technica reported that a list of about 1.5 million passwords appeared to include users of dating website eHarmony.
 U.K.-based security researchers have found a backdoor that was “deliberately” inserted into an American military chip to help attackers gain unauthorized access and reprogram its memory, according to a draft research paper. Production of the chip had been outsourced to the Chinese.
 At least 228,000 Social Security numbers were exposed in a March 30 breach involving a Medicaid server at the Utah Department of Health.
 A 31-year-old Russian national living in New York, Petr Murmylyuk, was charged with hacking into accounts at Fidelity, Scottrade, E*Trade and Schwab in a complex scheme that involved making unauthorized trades that profited the gang he recruited to open bank accounts to receive the illegal proceeds. The brokerage firms said they lost $1 million because of Murmylyuk's fraud.
From Gizmodo.com:
 Hacker leaks 300,000 Verizon customer records and claims to have millions more.

  • 8. Worst breaches in recent history
 2008: 134 million credit cards exposed at Heartland.
 2006: 94 million credit cards exposed at TJX.
 2011: Names and e-mails of millions of customers at Epsilon were exposed.
 2011: Possibly 40 million employee records stolen at RSA Security.
 2010: Stuxnet attack on the Iran nuclear power program.
 2006: An unencrypted national database at the Department of Veterans Affairs with names, Social Security numbers, dates of birth, and some disability ratings for 26.5 million veterans, active-duty military personnel and spouses was stolen.
 2011: 77 million PlayStation Network accounts hacked; Sony is said to have lost millions while the site was down for a month.
 2011: The personal information of 35 million South Koreans was exposed after hackers breached the security of a popular software provider, ESTsoft.
Source: csoonline.com

  • 9. Stakeholder view
Cybersecurity is a key area of concern for Boards, Audit Committees, and Governance Committees:
 Cybersecurity is in Deloitte’s top 10 issues for Audit Committees: “Cyber-security risks and incidents have risen to the top of audit committee agendas…” Source: Deloitte Audit Committee Brief, Top Issues for Audit Committees for 2013.
 IIA’s Tone at the Top, a publication for Directors, lists emerging technologies as a top 8 risk for organizations in 2013, with cybersecurity specifically mentioned. Source: IIA Tone at the Top, Issue 59
 Publications aimed at Directors include Director’s Role in Cybersecurity Oversight, Mark Camillo; and Information Security Oversight: A 2007 Survey Report.
And it is getting the attention of the SEC:
 SEC requires disclosure of cyber-security risks and incidents: “Registrants should address cyber-security risks and cyber incidents in their …(MD&A), Risk Factors, Description of Business, Legal Proceedings and Financial Statement Disclosures.” Source: Deloitte Audit Committee Brief, Top Issues for Audit Committees for 2013.

  • 10. Are organizations/individuals doing enough to protect themselves?
A recent survey by the National Cyber Security Alliance and Symantec found that 77% of small and medium-size businesses believe they’re safe from hackers, viruses and malware. And 83% of SMBs take no formal measures against cyberthreats, even though almost half of all attacks are aimed at SMBs.
Source: Forbes, December 2012: Tom Devany, Five Ways Small Businesses Can Protect Against Computer Crime
The two most common computer passwords today are “password” and “123456”.
Source: Splashdata.com
15% of Americans have never checked their social networking privacy and security account settings.
Source: http://www.internetsafety101.org/Socialnetworkingstats.htm

  • 11. What is the role of Internal Audit?
The Standards for the Professional Practice of Internal Auditing require the internal audit activity to (see addendum A):
 Assess information technology governance
 Evaluate the risk management processes and contribute to their improvement
 Evaluate risk exposures related to the organization's information systems
 Evaluate the potential for fraud and how fraud risk is managed
 Assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement
 Maintain sufficient knowledge of key IT risks and controls
Other guidance, strongly recommended by the IIA (see addendum B):
 Evaluate key risk management processes, facilitate identification and evaluation of key risks, coach management in responding to key risks. The Role of Internal Audit in ERM
 Assess the organization’s information reliability and integrity practices. PA 2130.A1-1
 Assess the adequacy of management’s identification of risks related to its privacy objectives and the adequacy of the controls. PA 2130.A1-1
 Benchmark information security governance against independent standards. GTAG 15
 Evaluate fraud risks and related controls and help management establish fraud prevention measures. GTAG 13
 Assess the effectiveness of preventive, detective, and mitigation measures against cyber threats and attacks. GTAG 6

  • 12. What is the role of Internal Audit? Said simply:
 Identify and assess key cyber security risks
 Develop an appropriate audit plan
 Understand and assess key cyber-security controls, tools and processes
 Evaluate the risk of fraud and how fraud risks are managed
 Promote continuous improvement
 Evaluate key risk management processes, facilitate identification and evaluation of key risks
 Assess the effectiveness of preventive, detective, and mitigation measures against cyber threats and attacks
 Help develop and maintain the ERM framework
 Support management in identifying and responding to key risks
 Ensure that you have the expertise, or co-source, to do the above

  • 13. Boise Inc. Internal Audit approach
General
• Maintain strong IT audit staffing and co-source where we don’t have the skills in-house
• Collaborate with IT & Legal to improve computer policies, and information security and awareness
• Participate in project teams to improve controls and processes
• Monitor the cyber security landscape
• Maintain a quarterly information security monitoring process
• Assist management with risk assessment
• Perform digital forensic investigations of suspected WF&A
• Use COBIT as a framework for IT reviews
Review key compliance areas
• Personal sensitive information
• HIPAA privacy and security provisions
• Payment card industry (PCI) compliance
• SOX compliance (controls over network security, database security, other key IT areas)

  • 14. Boise Inc. Internal Audit approach (cont.)
Review cyber security processes and controls
• Virtual server environment (co-source & internal audit)
• Web application development (co-source & internal audit)
• Boise IT strategy including information security (co-source)
• Security penetration tests (co-source)
• Cybersecurity of mill process control networks (team with internal audit, IT, engineering, consultants)
• Wireless network controls
• Application development, particularly with major systems development
• File transfer protocol
• Access management and security including Active Directory

  • 15. Leveraging Digital Forensic Skills
 Forensic skill set
• A broad range of technical, investigative, procedural, and legal skills
   Disk geometry, file system anatomy, reverse engineering, evidence integrity, COC and criminal profiling
• The ability to function in a complex, dynamic environment
   Computer technology as well as legal and regulatory environments are constantly changing
• The ability to objectively testify in a court of law
   Reproduce incident, interpret results, be prepared for cross-examination

  • 16. Leveraging Digital Forensic Techniques
 Incident Response
• NIST has a great “Guide to Integrating Forensic Techniques into Incident Response”
 Malware Analysis
• Forensic image is a great sandbox for malware analysis
 Cyber Security Risk Assessments
• Forensic tools are passive, non-intrusive and for the most part, transparent to the end user
 Litigation Support
• Preservation of ESI, complex keyword crafting/searching, & FRCP
 IT Governance & Compliance
• PCI, HIPAA, antitrust compliance, sensitive and proprietary data & testing controls

  • 19. Addendum A: Applicable IIA Standards (The Standards are mandatory guidance)
Excerpts from The Standards for the Professional Practice of Internal Auditing:
 Internal auditors must have sufficient knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work. Standard 1210.A3
 The internal audit activity must assess whether the information technology governance of the organization supports the organization’s strategies and objectives. Standard 2110.A2
 The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes. Standard 2120
 The internal audit activity must evaluate risk exposures relating to the organization’s governance, operations, and information systems. Standard 2120.A1
 The internal audit activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk. Standard 2120.A2
 The internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement. Standard 2130

  • 20. Addendum B: Other IIA Guidance (strongly recommended by the IIA)
Excerpts from The Role of Internal Audit in ERM (IIA position paper):
 Evaluate and provide assurance on key risk management processes
 Evaluate the reporting management of key risks
 Facilitate and coordinate identification and evaluation of key risks
 Coach management in responding to key risks
 Developing and maintaining the ERM framework
Excerpts from IIA Practice Advisories:
 Internal auditors periodically assess the organization’s information reliability and integrity practices… PA 2130.A1-1
 Assess the adequacy of management’s identification of risks related to its privacy objectives and the adequacy of the related controls. PA 2130.A1-2
IIA Practice Guides
 Auditing Privacy Risks, 2nd Edition
 GTAG 2: Change and Patch Management Controls, 2nd Edition
 GTAG 6: Managing and Auditing IT Vulnerabilities
 GTAG 9: Identity and Access Management
 GTAG 11: Developing the IT Audit Plan
 GTAG 13: Fraud Detection and Prevention in the Automated World
 GTAG 15: Information Security Governance
 GTAG 17: Auditing IT Governance

  • 21. Resources
• StaySafeOnline.Org: http://www.staysafeonline.org/business-safe-online/assess-your-risk
• FBI Cyber Crime: http://www.fbi.gov/about-us/investigate/cyber/cyber
• US-CERT CSET: http://www.us-cert.gov/control_systems/satool.html
• INL Control System Security Program: http://www.inl.gov/research/control-systems-security-program/
• NIST - Guide to Integrating Forensic Techniques into Incident Response: http://csrc.nist.gov/publications/nistpubs/800-86/SP800-86.pdf
• Fighting to Close the Gap, E&Y 15th annual Global Information Security Survey: http://www.ey.com/Publication/vwLUAssets/Fighting_to_close_the_gap:_2012_Global_Information_Security_Survey/$FILE/2012_Global_Information_Security_Survey___Fighting_to_close_the_gap.pdf
• KPMG Institute: http://www.kpmginstitutes.com/government-institute/insights/2011/ppa-cybersecurity-and-data-driven-issues.aspx
• Local Professional Organizations: IIA, ISACA, ISSA, HTCIA, ACFE