Strategies for Preventing a Breach and
Assessing Your Cybersecurity Risk Management
Program
Colorado Society of Certified Public Accountants
February 8, 2018
Troy Fine - Manager, Risk Advisory Services
Dan Desko - Senior Manager, Risk Advisory Services
Who is Schneider Downs?
• One of the top 60 largest accounting and business advisory
firms in the United States
• Established in 1956; headquartered in Pittsburgh, PA
• Largest regional independently owned, registered public
accounting and business advisory firm in Western Pennsylvania,
with an office in Columbus, Ohio
• Approximately 450 personnel in total, including 42 shareholders
• Registered with the PCAOB
• Risk Advisory Services
– Cybersecurity
– SOX Section 404 compliance
– Internal control outsourcing/co-sourcing
– SOC Reports
2
Troy Fine
• Manager, Risk Advisory Services
• CPA/CITP, CISA
• Joined Schneider Downs in 2011
• Areas of expertise:
– SOC 1 and 2 assurance services
– SOC 2+ assurance services (HITRUST)
– SOC for Cybersecurity assurance services
– SOX Section 404 compliance
– Internal control assessments
– HIPAA assessments
• Industry experience: Cloud Computing/Software-as-a-
Service, Higher Ed, Banking, Financial Services, Healthcare,
Manufacturing, Non-profit
• AICPA CITP Credential Committee Member
3
Dan Desko
• Senior Manager of IT Risk Advisory Services at Schneider Downs
• CISA (Certified Information Systems Auditor)
• CISSP (Certified Information Systems Security Professional)
• CTPRP (Certified Third Party Risk Professional)
• 14 years of experience; began career working in IT
• Current Outgoing ISACA Pittsburgh Chapter President
• Experience in delivering IT Audit, IT Security Services, Penetration
Testing and Vendor Risk Management Services to a variety of
industries
• Responsible for product delivery, client satisfaction and quality
control
4
Agenda
• Current State of Cybersecurity
• Must-Ask Questions to Prevent Your Organization
from Being Breached
• Methods for Assessing Your Organization’s
Cybersecurity Risk Management Program
• Q&A
5
State of Cybersecurity
The following slides are highlights of
the 2017 Verizon Data Breach
Incident Report (DBIR)
6
State of Cybersecurity
• The important thing to note on
this slide is that the majority of
breaches occur in one of two
ways:
1. Human error
2. Outside hackers
• Bonus: Combination of the two!
• The other important takeaway is
that the attackers are organized
criminal groups; they’re run like
businesses
7
State of Cybersecurity
• Contrary to common belief, not all
hacks involve a virus/malware.
51% of these breaches involved
malware: what were the other
49%?
– Stolen User Credentials
– User Error
– Physical Access
– Incorrect Privileges
8
State of Cybersecurity
• A large share of breaches occur
through some sort of email attack
such as phishing.
– Firewall technology has come a long
way; humans are now the weakest
link in your security.
– Traditional AV alone isn’t great at
spotting malware.
• A very large majority of the
breaches were financially
motivated.
• A good number of breaches were
not discovered by the breached
entity, but rather by a third party:
a nightmare PR scenario.
9
State of Cybersecurity
10
State of Cybersecurity
• Phishing deservedly warrants some additional
attention
– It was found in over 90% of all incidents and
breaches.
– Once phished, a number of things can occur:
• Installation of software (e.g., ransomware, command and
control systems, etc.)
• Inducing disclosure of sensitive data (e.g., business email
compromise)
• Using the compromised computer or accounts as a foothold
to pivot to other, more interesting systems
• Using a compromised email account to then phish internally
11
State of Cybersecurity
• According to a report
from Osterman
Research conducted in
June among more than
1,000 small and
medium businesses,
about 22% of
businesses with fewer
than 1,000 employees
that experienced a
ransomware attack in
the last year had to stop
business operations
immediately. About
15% lost revenue.
12
Agenda
• Current State of Cybersecurity
• Must-Ask Questions to Prevent Your Organization
from Being Breached
• Methods for Assessing Your Organization’s
Cybersecurity Risk Management Program
• Q&A
13
Question One
How well do you know your IT
environment?
– Accurate inventory of devices
– Accurate inventory of
software
– Accurate inventory of Internet-
facing systems
14
Question Two
What data do the hackers want and where does it
live?
• Look at not only structured data, but unstructured as well (e.g.,
spreadsheets, user reports, downloads from ERP or CRM
systems)
• What data lives in your employees’ email accounts?
15
Question Three
If you have identified critical systems and data, how
do you further protect access to it?
• Do you require complex passwords?
• Do you require two-factor authentication for critical
systems and for network access?
– Email
– VPN
– ERP
– CRM
16
Question Four
Are your employees
susceptible to being
phished?
• Statistics show the
answer is likely “yes”.
• Have you
tested/trained them?
• What technical
controls have you put
in place to stop it?
– e.g., Advanced Email
Protection
17
Question Five
If phishing succeeds, do
you have additional
protection methods?
• Advanced endpoint
protection
complements
traditional anti-virus
• Encryption of data
• Whitelisting of allowed
applications
18
Question Six
Does your IT staff concentrate
more on security or
operations?
• Management often believes
that their IT staff focuses on
security more than they
actually do.
• In reality, security and IT
operations priorities often
conflict with each other
• Having an independent
security group or security
consulting partner helps
bridge the gap
19
Question Seven
Do you know where you are
vulnerable?
• A large number of breaches take
advantage of unpatched operating
systems and application software.
– e.g., the Equifax breach leveraged a
vulnerability in the Apache Struts
software toolkit.
• How often does your IT team patch
systems and software?
• Have you run vulnerability scans to
test the effectiveness of the
patching process?
20
Question Eight
Have you simulated an
external attack to
determine how
secure/vulnerable you
really are?
• Penetration tests or
ethical hacking
exercises are
valuable because
they help identify
issues before the bad
guys do.
21
Question Nine
How prepared are you
for a breach?
• It’s not a matter of “if,”
but “when”
• Having a solid incident
response plan that is
tested may not prevent a
breach, but will surely
limit the impact
• Practice common
scenarios (e.g., phishing,
ransomware, business
email compromise, etc.)
22
Question Ten
Have you adopted and
assessed yourself
against a standard
security framework?
• Allows for continuous
improvement
• Sets a road map for long-
term information
security success
23
Extra Credit!
Do you know what vendors
have access to, or store,
your data?
• You can outsource certain
business operations, but
you can’t outsource the
risk.
• Ask business service
providers for a SOC report
or similar attestation
report regarding their
security controls to gain
transparency.
24
Agenda
• Current State of Cybersecurity
• Must-Ask Questions to Prevent Your
Organization from Being Breached
• Methods for Assessing Your Organization’s
Cybersecurity Risk Management Program
• Q&A
25
Assessing Cybersecurity Risk
• SOC for Cybersecurity Examination
– Assurance engagement performed by an independent CPA
firm
– Examined against suitable control criteria
• i.e., SOC 2 Trust Services Criteria
– Results in a Cybersecurity Risk Management Examination
Report that consists of:
• Management's description of the entity's cybersecurity risk
management program
• Management’s assertion
• CPA’s opinion on the effectiveness of the entity’s cybersecurity
risk management program
– Report covers a specific time period
26
Assessing Cybersecurity Risk
• Cybersecurity Maturity Assessment
– Evaluate your cybersecurity risk management
program against industry best practices
• NIST Cybersecurity Framework
• ISO 27001
• HITRUST
• PCI-DSS
– Results in a Cybersecurity Maturity Assessment
Report that consists of:
• Completed cybersecurity risk assessment report
• Prioritized list of control gaps with recommended plans of
action
27
Assessing Cybersecurity Risk
• External Footprint Analysis
– Use commonly available open source tools, scanners
and databases to obtain a blueprint of the network
and its Internet profile
– Black box approach
– Gather data about hosts
– Results in a report that consists of:
• List of identified hosts, including operating systems,
applications, domain names, IP ranges
• May discover hosts or applications that management was
not aware existed
28
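The reconciliation step behind Question One and the external footprint analysis above, as an added example that is not part of the presentation: it compares management's inventory of Internet-facing systems with what an external scan observed, flags hosts management did not know about and exposed ports nobody approved, and ranks the findings by criticality. All hosts, ports and names are constructed sample data.

```python
"""Reconcile an asset inventory with externally discovered hosts.

Added example, not from the presentation. Every IP, port and
hostname below is constructed sample data (TEST-NET addresses).
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Ranking used to order findings by criticality (assumed scheme).
SEVERITY_ORDER = ["critical", "high", "medium", "low"]
SEVERITY = {
    "unknown_host": "critical",    # Internet-facing host nobody inventoried
    "unapproved_port": "high",     # inventoried host exposing an unapproved service
    "missing_host": "medium",      # inventoried host not seen: stale inventory or outage
}

# Constructed sample: management's inventory of Internet-facing systems.
INVENTORY: Dict[str, Dict[str, str]] = {
    "203.0.113.10": {"name": "www", "owner": "marketing"},
    "203.0.113.20": {"name": "vpn", "owner": "it-ops"},
    "203.0.113.30": {"name": "mail", "owner": "it-ops"},
    "203.0.113.40": {"name": "dmz-legacy", "owner": "unknown"},
}

# Constructed sample: ports a business owner approved for each host.
APPROVED_PORTS: Dict[str, Set[int]] = {
    "203.0.113.10": {80, 443},
    "203.0.113.20": {1194},
    "203.0.113.30": {25, 587},
    "203.0.113.40": {443},
}

# Constructed sample: what a black-box external footprint scan observed.
DISCOVERED: List[Dict] = [
    {"ip": "203.0.113.10", "ports": [80, 443], "banner": "Apache"},
    {"ip": "203.0.113.20", "ports": [1194], "banner": "OpenVPN"},
    {"ip": "203.0.113.30", "ports": [25, 587, 3389], "banner": "Postfix"},
    {"ip": "203.0.113.45", "ports": [8080], "banner": "(unrecognized)"},
]


@dataclass(frozen=True)
class Finding:
    ip: str
    kind: str
    detail: str

    @property
    def severity(self) -> str:
        return SEVERITY[self.kind]


def reconcile(inventory: Dict[str, Dict[str, str]],
              discovered: Iterable[Dict],
              approved_ports: Dict[str, Set[int]]) -> List[Finding]:
    """Compare scan results against the inventory; return ranked findings."""
    findings: List[Finding] = []
    seen: Set[str] = set()
    for host in discovered:
        ip = host["ip"]
        seen.add(ip)
        if ip not in inventory:
            # The scan found something management was not aware existed.
            findings.append(Finding(ip, "unknown_host",
                            f"not in inventory; open ports {sorted(host['ports'])}"))
            continue
        extra = set(host["ports"]) - approved_ports.get(ip, set())
        if extra:
            findings.append(Finding(ip, "unapproved_port",
                            f"exposed ports not approved: {sorted(extra)}"))
    for ip in inventory:
        if ip not in seen:
            findings.append(Finding(ip, "missing_host",
                            "in inventory but not observed externally"))
    # Most critical first, then by address so the output is stable.
    findings.sort(key=lambda f: (SEVERITY_ORDER.index(f.severity), f.ip))
    return findings


def summary(findings: Iterable[Finding]) -> Dict[str, int]:
    """Count findings per severity for the report cover page."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


def report(findings: Iterable[Finding]) -> str:
    """Render findings as one line each, ready for the remediation list."""
    return "\n".join(f"[{f.severity.upper():8}] {f.ip:15} {f.kind}: {f.detail}"
                     for f in findings)


if __name__ == "__main__":
    results = reconcile(INVENTORY, DISCOVERED, APPROVED_PORTS)
    print(report(results))
    print(summary(results))
```

Feeding a real scanner's host list into `DISCOVERED` and the CMDB export into `INVENTORY` is the only change needed to run this against a live environment.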
Assessing Cybersecurity Risk
• Vulnerability Assessment
– Provides a comprehensive view of potential security
flaws in an environment
– Check for misconfigurations, unpatched services,
open ports and other architectural mistakes
– Results in a report that consists of:
• Summary of identified vulnerabilities
• Vulnerabilities ranked by criticality
• Remediation plans
29
Assessing Cybersecurity Risk
• Penetration Test
– Builds on the external footprint analysis and vulnerability
assessment
– Simulate actions of an internal/external attacker and attempt
to exploit vulnerabilities and misconfigurations
– Attempt to use multiple attack vectors
• Expose unpatched systems
• “Phishing for compromise”
• Physical access
• USB flash drive drop
– Results in a report that consists of:
• Summary of vulnerabilities
• Results of exploitation attempts
• Criticality rankings
• Remediation strategies
30
Assessing Cybersecurity Risk
• Phishing Assessments
– Simulate realistic phishing campaigns
– Results in a report that consists of:
• Summary of customized phishing campaign
• Results of users’ actions, including:
– Percentage of employees who opened the email
– Percentage of employees who clicked on the
link/attachment
– Percentage of employees who provided account details
31
CITP Credential
• A CITP is a CPA:
– Credentialed by the AICPA
– Recognized for the unique ability to provide business
insight by leveraging knowledge of information
relationships and supporting technologies
– Specializing and demonstrating specific skills, expertise
and experience in the following areas:
• IT Assurance
• IT Risk
• Data Analytics
• Security & Privacy
• Business Solutions
• Emerging IT Trends
32
Questions?
Contact Information
Troy Fine – tfine@schneiderdowns.com - 412-697-5238
Dan Desko – ddesko@schneiderdowns.com - 412-697-5285
Visit our blog for more information on cybersecurity:
https://www.schneiderdowns.com/our-thoughts-on
33


Editor's Notes

  1. Thank you Rebecca for the nice introduction. Before we get started, I wanted to first thank Jim Gilbert for connecting us with the Colorado Society of CPAs. As Rebecca mentioned, I work directly with Jim on the AICPA’s CITP Credential Committee. Jim is great to work with and is extremely passionate about growing the technology section of the Colorado Society of CPAs. I have witnessed first-hand his passion for technology and commend him for his efforts thus far in growing the technology section within your state society. Dan and I are excited to present to you today on strategies for preventing a breach and for assessing your organization's cybersecurity risk management program. Dan and I are involved with the Pennsylvania and Ohio state societies, so it’s always nice to get a chance to speak and network with members of other state societies.
  2. Before we get started, we wanted to provide some background information on our firm and ourselves.
-Schneider Downs is one of the top 60 largest CPA firms and business advisory firms in the US.
-We were established in 1956 and we are headquartered in Pittsburgh, PA, with another office in Columbus, Ohio.
-We are the largest regional, independently owned CPA firm in Western Pennsylvania.
-We have approximately 450 personnel, including 42 shareholders.
-We are also registered with the PCAOB and are subject to their peer review guidelines.
-Dan and I work in the Risk Advisory Services practice. Our practice consists of about 50 personnel and we focus on the following services:
-Cybersecurity Assurance and Assessments
-Sarbanes-Oxley Section 404 compliance
-Internal control outsourcing/co-sourcing
-SOC Reports
  3. -I am a Manager in our Risk Advisory Services practice.
-I am a CPA, CITP and a Certified Information Systems Auditor.
-I joined Schneider Downs in 2011.
-The areas I primarily focus on are:
-SOC 1 and SOC 2 assurance services
-SOC 2+ assurance services, specifically SOC 2+ HITRUST
-SOC for Cybersecurity assurance services
-SOX Section 404 compliance
-Internal control assessments
-HIPAA assessments
-Industry experience includes:
-Cloud Computing/Software-as-a-Service
-Higher Education
-Banking
-Financial Services
-Healthcare
-Manufacturing
-Non-profit
I will now hand it off to Dan to tell a little about himself and to jump into our presentation.
  4. Thank you Dan for presenting on the current state of cybersecurity and for the insight on simple questions that every organization can be asking their security group. With that, we will now get into the methods that can be used to assess your organization’s Cybersecurity Risk Management Program.
  5. The first method I would like to talk about is the new assessment that is now part of the AICPA’s SOC Suite of Services. In April of 2017, the AICPA came out with a new type of SOC Report called the “SOC for Cybersecurity Report”. The SOC for Cybersecurity Report is an assurance engagement that is performed by an independent CPA firm. The engagement examines an organization’s cybersecurity risk management program against suitable control criteria. Suitable control criteria are considered to be the SOC 2 Trust Services Criteria or any other recognizable cybersecurity or control framework, such as NIST’s Cybersecurity Framework or ISO 27001. At the end of the engagement, the CPA firm will present a report that contains the following:
-Management’s description of the entity’s cybersecurity risk management program
-Management’s assertion
-The CPA’s opinion on the effectiveness of the cybersecurity risk management program, which includes an opinion on the design and operating effectiveness of the entity’s cybersecurity controls
The report will cover a time period, usually no less than 6 months. For those of you familiar with SOC audits, you are probably noticing some similarities between a SOC 2 Report and a SOC for Cybersecurity Report. There are many similarities, but there are also distinct differences. For the purpose of this presentation, I don’t want to get into the specific differences, but if you are interested, feel free to contact us after the presentation.
  6. The next method for assessing your organization’s cybersecurity risk management program is to perform a cybersecurity maturity assessment. A cybersecurity maturity assessment evaluates your organization’s cybersecurity maturity utilizing industry best practices and frameworks. Not all frameworks are appropriate for every organization. It is important to choose a framework that makes the most sense for your organization. Some factors that should be considered when choosing a framework are:
-the services being provided
-the industry your organization operates in
-the industries your primary customer base operates in
-the types of regulatory requirements that you must adhere to
-the type of data currently being collected and stored by your organization
For instance, if your organization primarily focuses on serving healthcare entities, then the best framework to measure your cybersecurity maturity would probably be HITRUST or HIPAA. A cybersecurity maturity assessment includes performing walkthroughs and interviews with key security control owners and key personnel responsible for security. It also includes testing of high-risk controls and performing network reviews and scans. The assessment results in a cybersecurity maturity assessment report that includes a completed cybersecurity risk assessment along with a prioritized list of control gaps with recommended remediation plans.
  7. The next type of assessment is an External Footprint Analysis. An external footprint analysis includes gathering information about a network using commonly available open source tools, scanners and databases. Essentially, the person performing the analysis would be obtaining a “blueprint” of your network and internet profile. When performing this analysis, the assessor uses a black box approach, meaning that the assessor has no prior knowledge about the organization’s network. The analysis would include gathering data about hosts, such as domain names, operating systems and applications. The analysis would result in a report that consists of all identified hosts and applications, including ones that management may not have been aware existed.
  8. The next method for assessing cybersecurity risk is a vulnerability assessment. The goal of the vulnerability assessment is to provide organizations with a summary of potential security flaws in their environment by looking for misconfigurations, unpatched services, open ports and other architectural mistakes. The first step in a vulnerability assessment is to map an organization’s IP address ranges in order to identify the active devices on the organization’s network. Once all active devices are identified, automated tools are used to identify misconfigurations, missing patches and any other vulnerabilities that may exist on a particular host. The results are then analyzed to weed out false positives and to determine the actual threat and risk that each identified vulnerability poses to the organization. In addition, compensating controls and other security factors are reviewed to determine whether the risk can be mitigated to a level appropriate for the organization. The vulnerability assessment results in a report that consists of the following:
-a summary of identified vulnerabilities
-a risk ranking for each identified vulnerability based on criticality
-agreed-upon remediation plans to reduce risk to an acceptable level
  9. The next method for assessing cybersecurity risk is a penetration test. This is probably the most common method used for analyzing cybersecurity risk. Penetration tests build upon the external footprint analysis and vulnerability assessment and take them a step further. The goal of a penetration test is to assess whether vulnerabilities and other potential misconfigurations are actually exploitable and what risks they ultimately represent in an organization’s overall IT security posture. Penetration testers attempt to simulate the actions of an external or internal attacker in a controlled environment. Based on the vulnerabilities identified by the vulnerability scan, they will attempt to use various attack vectors in order to gain access. Such attack vectors could be:
-Exposing unpatched systems. The recent Equifax breach was caused by the exploitation of an unpatched system. A lot of the time, patches are available for a significant period before the unpatched system is breached; the problem is that organizations do not have a sound patch management process in place.
-Phishing for compromise, where a pen tester uses phishing methods to open avenues into an organization’s systems.
-Physical access. If agreed upon by the organization, a pen tester would attempt to gain physical access to a building and plug into the organization’s network.
-USB drop. This involves dropping a USB flash drive near an organization’s office and seeing whether someone picks it up and plugs it into their computer; once plugged in, it would install malicious files.
The penetration test report consists of:
-A summary of vulnerabilities
-Results of exploitation attempts
-How the exploitation was performed
-Criticality rankings and remediation strategies
  10. The last method we will talk about today is a phishing assessment. Phishing assessments simulate realistic phishing attempts. They are performed in a controlled and secure environment. The goal of a phishing assessment is to give an organization an idea of how likely its workforce is to fall for a phishing attack, while at the same time providing feedback on the impact of the organization’s security awareness program. A phishing assessment results in a report that consists of the following:
-A summary of the customized phishing campaign that was utilized
-Results about users’ actions, including:
-The percentage of employees who opened the email
-The percentage of employees who clicked on the malicious link or attachment
-The percentage of employees who provided account details after clicking on the link
Now is a great time to perform a phishing assessment, especially with it being tax filing season. Many users will click on a link or attachment in an email that looks like it came from HR stating that the employee will get a tax refund if they click the link or attachment.
  11. To end the presentation, I wanted to briefly circle back to the CITP credential. For any of you who hold a CPA and work in roles that perform IT assurance services, you should strongly consider obtaining a CITP certification. The CITP credential allows you, as a CPA, to differentiate yourself from the rest of your peers, as you are recognized as having the unique ability to provide business insight by leveraging your information technology expertise. Anybody who performs IT control testing for SOC examinations is a perfect candidate. In addition, it opens opportunities that may not be available to individuals with just a CPA. Feel free to reach out to me directly if you are interested in learning more.
  12. Thank you for having us today and feel free to contact us directly and to visit our blog for information on accounting and cybersecurity topics.
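The triage step described in note 8 (weeding out false positives, weighing compensating controls and ranking by criticality before the remediation plan is written), as an added Python example that is not part of the presentation. The findings, their field names and the score adjustments are constructed assumptions, not any scanner's output or a standard's formula.

```python
"""Triage of vulnerability-scan findings into a risk-ranked remediation list.
Added example, not from the presentation: FINDINGS is constructed sample data in a
hypothetical scanner-export shape; the score adjustments are illustrative assumptions."""
from collections import defaultdict

# Constructed findings, one per (host, issue). "false_positive" marks a result the
# assessor verified by hand (e.g. the patch is actually installed on that host).
FINDINGS = [
    {"host": "203.0.113.10", "issue": "Outdated web framework", "cvss": 9.8,
     "internet_facing": True, "false_positive": False, "compensating": ""},
    {"host": "10.0.0.5", "issue": "SMBv1 enabled", "cvss": 8.1,
     "internet_facing": False, "false_positive": False, "compensating": ""},
    {"host": "10.0.0.7", "issue": "Self-signed certificate", "cvss": 5.3,
     "internet_facing": False, "false_positive": False,
     "compensating": "internal-only service, cert issued by private CA"},
    {"host": "10.0.0.9", "issue": "Outdated web framework", "cvss": 9.8,
     "internet_facing": False, "false_positive": True, "compensating": ""},
]

LEVELS = [(9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.0, "Low")]


def adjusted_score(finding):
    """Illustrative adjustment: Internet exposure raises the CVSS base score, a
    documented compensating control lowers it; the result is clamped to 0-10."""
    score = finding["cvss"] + (1.0 if finding["internet_facing"] else 0.0)
    score -= 2.0 if finding["compensating"] else 0.0
    return round(min(10.0, max(0.0, score)), 1)


def criticality(score):
    """Bucket an adjusted score into the ranking used in the report."""
    return next(name for floor, name in LEVELS if score >= floor)


def triage(findings):
    """Drop confirmed false positives, rank the rest by adjusted score (highest
    first) and group them by criticality for the prioritized remediation plan."""
    ranked = sorted(
        (dict(f, adjusted=adjusted_score(f)) for f in findings if not f["false_positive"]),
        key=lambda f: f["adjusted"], reverse=True)
    plan = defaultdict(list)
    for f in ranked:
        plan[criticality(f["adjusted"])].append(f["host"] + ": " + f["issue"])
    return ranked, dict(plan)
```

The same scanner issue on two hosts ends up in different places: the Internet-facing instance is Critical, the one confirmed patched by hand is dropped as a false positive.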
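The three report percentages listed in note 10 (opened, clicked, provided account details), computed from a campaign event log as an added Python example that is not part of the presentation. The roster, the event names and the event log are constructed assumptions in a hypothetical campaign-platform export shape; the funnel rule that a deeper stage implies the shallower ones is also an assumption.

```python
"""Phishing-assessment funnel: share of targeted employees who opened, clicked and
submitted credentials. Added example, not from the presentation: TARGETS and EVENTS
are constructed sample data in a hypothetical campaign-platform export shape."""
from collections import defaultdict

STAGES = ["opened", "clicked", "submitted"]   # funnel order, shallow to deep

# Constructed roster of the employees the simulated campaign was sent to.
TARGETS = ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"]

# Constructed event log as (employee, event). Opens are usually detected via a
# tracking image, so a click or submission can arrive without an "opened" event.
EVENTS = [
    ("alice", "opened"), ("alice", "clicked"),
    ("bob", "opened"),
    ("carol", "clicked"), ("carol", "submitted"),   # images blocked: no open event
    ("dave", "opened"), ("dave", "opened"),          # duplicate open, counted once
    ("erin", "submitted"),
    ("mallory", "clicked"),                          # not on the roster: ignored
]


def deepest_stage(targets, events):
    """Map each targeted employee to the deepest funnel stage reached (1-based
    index into STAGES); a deeper stage implies every shallower one."""
    roster = set(targets)
    depth = defaultdict(int)
    for who, event in events:
        if who in roster and event in STAGES:
            depth[who] = max(depth[who], STAGES.index(event) + 1)
    return dict(depth)


def metrics(targets, events):
    """Percentage of targeted employees who reached each stage, as reported."""
    if not targets:
        return {stage: 0.0 for stage in STAGES}
    depth = deepest_stage(targets, events)
    return {stage: round(100.0 * sum(d >= i + 1 for d in depth.values()) / len(targets), 1)
            for i, stage in enumerate(STAGES)}
```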