Worried your passwords are not strong enough for today’s sophisticated hackers? Cyber security breaches happen every day, as recent headlines show. This presentation covers key user access threats, both internal and external, and ways to protect yourself and your company from malicious hackers, with lessons drawn from key case studies.
3. Compliance Made Simple ™
Today’s Presenters
Sonia Luna, CEO, Aviva Spectrum
Mrs. Luna is a CPA and CIA with over 16 years as a public and
internal audit professional. Appointed to the Smaller &
Emerging Companies Advisory Committee by the SEC.
Karla Sasser, Senior Associate, Aviva Spectrum
Mrs. Sasser has over 20 years of finance, accounting
and audit experience. Mrs. Sasser is an active CPA, CIA
& CITP and has a Master’s in Information Technology.
Author of the fast-selling book “Friggin Bean Counters”,
sold on Amazon & Barnes and Noble.
4. Agenda
1. Insider Threats vs. External Threats
2. State of Affairs: Internal and External Threats
3. Case Study Internal Threats
4. Cost of a BREACH!
5. User Access Rights (Best Practices)
6. Sony Breach Lessons Learned
7. Cloud Applications (what are “targets”?)
8. Home Depot & Target Breach (Lessons Learned)
9. Final Q&A
5. POLLING QUESTION?
WHERE ARE MOST OF THESE THREATS COMING
FROM?
A. INTERNAL (EMPLOYEES, VENDOR ACCESS/SUB-
CONTRACTORS)?
B. EXTERNAL THREATS (UNKNOWN HACKER)?
6. Disgruntled employees, insiders pose big
hacking risk
Some 29% of the survey takers said they were most
concerned about the lack of visibility into applications and
networks, while 28% said their top concern was insider
threats. Both of those concerns relate to how a disgruntled
employee, or an insider aligned with criminals, could
disrupt a company's network, or steal valuable intellectual
property. By contrast, just 14% said financially-motivated
hackers worried them most, while 6% cited political
hacktivists.
7. Annual reports on insider threats
89% say they are more at risk from insider threats
11. Polling Question:
What’s your network access password change
policy?
A. Expires every year
B. Expires every 180 days
C. NEVER EXPIRES (I’m an admin!)
12. Notable IT and Cybersecurity standard
setters
1. International Organization for Standardization (ISO)
2. International Information System Security Certification
Consortium ((ISC)²)
3. PCI Security Standards Council, LLC (PCI DSS)
4. Committee of Sponsoring Organizations of the Treadway
Commission (COSO)
5. ISACA (COBIT)
13. Polling Question?
Which IT Guidance/Frameworks are you predominantly working with now?
A. COSO and/or COBIT
B. ISO and/or ISC2
C. PCI and/or ISO
D. Most of the above
15. Principle of Least Privilege Access
Defined as the practice of limiting access to the minimal level that will
allow normal functioning; it applies to both human and system (service) accounts.
Formulated in 1970s computer security research and adopted in US Department of
Defense guidance to limit the potential damage of any accidental or malicious
security breach.
It is the underlying principle and the predominant strategy used to
assure confidentiality within a network.
Role-based access control was developed to group users with common access
needs, simplifying security: rights are assigned to roles, and users inherit only
the rights of the roles they hold.
16. Users with Elevated Access
By default a system processes a command with the access level of the user who
initiated it, so a compromised administrator account runs the attacker’s commands
with administrator rights.
System and domain administrators pose unique problems within a software
application.
Group: Administrators
Description: Members of this group have full control of all domain controllers in the domain. By default, the Domain Admins and Enterprise Admins groups are members of the Administrators group. The Administrator account is also a default member. Because this group has full control in the domain, add users with caution.
Default user rights: Access this computer from the network; Adjust memory quotas for a process; Back up files and directories; Bypass traverse checking; Change the system time; Create a pagefile; Debug programs; Enable computer and user accounts to be trusted for delegation; Force a shutdown from a remote system; Increase scheduling priority; Load and unload device drivers; Allow log on locally; Manage auditing and security log; Modify firmware environment values; Profile single process; Profile system performance; Remove computer from docking station; Restore files and directories; Shut down the system; Take ownership of files or other objects.
Several of these rights (Debug programs, Take ownership, Load and unload device drivers, Back up and Restore files) are each enough to take full control of the host, so any account that holds them is effectively an administrator whatever its job title.
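As an added example (not part of the slides), a least-privilege review in Python over a constructed snapshot of user-rights assignments, covering the two preceding slides: each role is given the minimum rights it needs, anything a principal holds beyond its role is flagged, and the host-takeover rights from the table above (Debug programs, Take ownership, Load drivers, Back up, Restore) are rated high. The role model, principals and assignments are hypothetical; the SeXxxPrivilege constants are the real Windows privilege names that `whoami /priv` and `secedit /export` report.

```python
"""Least-privilege review of Windows user rights (added example, constructed data)."""
from collections import defaultdict

# Rights from the slide's table, keyed by the Windows privilege constant.
# The constants are real; this subset was chosen for the example.
RIGHTS = {
    "SeDebugPrivilege": "Debug programs",
    "SeBackupPrivilege": "Back up files and directories",
    "SeRestorePrivilege": "Restore files and directories",
    "SeTakeOwnershipPrivilege": "Take ownership of files or other objects",
    "SeLoadDriverPrivilege": "Load and unload device drivers",
    "SeSecurityPrivilege": "Manage auditing and security log",
    "SeRemoteShutdownPrivilege": "Force a shutdown from a remote system",
    "SeShutdownPrivilege": "Shut down the system",
    "SeSystemtimePrivilege": "Change the system time",
}

# Hypothetical role model: the minimal rights each job function needs.
ROLE_RIGHTS = {
    "backup-operator": {"SeBackupPrivilege", "SeRestorePrivilege"},
    "helpdesk": {"SeShutdownPrivilege", "SeRemoteShutdownPrivilege"},
    "security-analyst": {"SeSecurityPrivilege"},
    "domain-admin": set(RIGHTS),  # break-glass role; keep membership tiny
}

# Rights that give full control of the host regardless of role.
ESCALATION_RIGHTS = {"SeDebugPrivilege", "SeTakeOwnershipPrivilege",
                     "SeLoadDriverPrivilege", "SeBackupPrivilege", "SeRestorePrivilege"}

# Constructed snapshot of who holds which rights (what a GPO report or
# `secedit /export` would give you in practice).
GRANTED = {
    "svc-backup": {"role": "backup-operator",
                   "rights": {"SeBackupPrivilege", "SeRestorePrivilege", "SeDebugPrivilege"}},
    "jdoe": {"role": "helpdesk",
             "rights": {"SeShutdownPrivilege", "SeTakeOwnershipPrivilege", "SeLoadDriverPrivilege"}},
    "analyst1": {"role": "security-analyst", "rights": {"SeSecurityPrivilege"}},
    "kluna": {"role": "domain-admin", "rights": set(RIGHTS)},
    "contractor-x": {"role": "unknown", "rights": {"SeSystemtimePrivilege"}},
}


def excess_rights(granted=GRANTED, role_rights=ROLE_RIGHTS):
    """Return {principal: {right: severity}} for rights held beyond the principal's role.

    A principal whose role is not in the model has no approved rights, so
    everything it holds is flagged.
    """
    findings = {}
    for principal, info in granted.items():
        allowed = role_rights.get(info["role"], set())
        extra = info["rights"] - allowed
        if extra:
            findings[principal] = {
                r: ("high" if r in ESCALATION_RIGHTS else "medium") for r in sorted(extra)
            }
    return findings


def right_holders(granted=GRANTED):
    """Invert the snapshot: which principals hold each right (the reviewer's view)."""
    holders = defaultdict(set)
    for principal, info in granted.items():
        for r in info["rights"]:
            holders[r].add(principal)
    return dict(holders)


if __name__ == "__main__":
    for who, extra in excess_rights().items():
        for right, sev in extra.items():
            print(f"{sev:6} {who:14} {right} ({RIGHTS.get(right, '?')})")
    print("SeDebugPrivilege holders:", sorted(right_holders()["SeDebugPrivilege"]))
```

In a real review the GRANTED snapshot comes from the domain's user-rights assignment export and the role model from HR or the access-request system; the point of the check is that it runs on every change, not once a year.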
17. Polling Question
How much does SOX 404 compliance resolve your IT user access concerns?
A. A lot, we sleep well at night
B. Some but not enough
C. Very little
D. We haven’t started on user access reviews
18. Number of Cloud Apps a Company is Using
Survey results released by Netskope in July 2014 revealed that:
On average 508 apps are in use within each enterprise, with the top categories
being marketing, human resources, collaboration, storage and finance /
accounting
88% of these apps have areas of concern from a security perspective
85% of data is uploaded to apps that enable file sharing
81% of data downloads occurred in apps with no encryption of data at rest
77% of apps reside and process data in multi-tenant environments
20. As was widely reported, the hackers apparently gained access to Sony’s computer
systems by obtaining the login credentials of a high-level systems
administrator. Once the credentials were in the hands of the hackers, they were
granted “keys to the entire building,” according to a U.S. official.
They hacked into one server that was not well protected, and escalated the attack
to gain access to the rest of the network.
Sony’s network was not segmented (layered) well enough to prevent a breach in one
part from affecting other parts. In addition, the password “password” was used for 3
certificates.
A combination of weak passwords, lack of network segmentation, not setting up or
responding to alerts, inadequate logging and monitoring, and lack of Security
Education Training and Awareness all contributed to the Sony breach.
21. Problems with Passwords
People, process and technology are all needed to adequately secure a system
When left on their own, people will make the worst security decisions
Without any security training, people can be easily tricked into giving up their
passwords
Passwords can be insecure
People will choose easily remembered and easily guessed passwords
Passwords can be easily broken
Free programs are available on the Internet that can “crack” password hashes,
trying dictionary words and their common variations at millions of guesses per second
Passwords are inconvenient
Computer-generated passwords are difficult to remember, so they get written down
Passwords do not prove identity
A correct password only shows that whoever entered it knows the password, not who
that person is
22. In 2014, Cox was hacked by "EvilJordie," a
member of the "Lizard Squad" hacker
collective.
The FCC's investigation found that by posing
as a Cox IT staffer, the hacker convinced a Cox
customer service representative to enter their
account IDs and passwords into a fake
website.
Under the terms of the settlement, Cox will
pay the $595,000 fine, identify all victims of the breach,
notify them and give them a year of credit
monitoring. The agreement also requires Cox
to conduct internal system audits, internal
threat monitoring, penetration testing and
other security measures to prevent further
hacks.
23. Passwords - Cloud Apps and Remote
Contractors
Cloud apps and remote contractors represent a significant risk to the overall
security of the company’s information assets because:
Cloud apps can be implemented and remote contractors can be engaged without
IT’s knowledge
Most companies do not have one central point of authority for cloud apps and remote
contractors
There is a general lack of understanding of the scope of work for cloud apps and remote
contractors, so elevated access is generally granted without any consideration of the risks
User access cannot be validated against Active Directory, or exceptions to the
company’s password policy are granted
One user account is shared among multiple users, so actions cannot be attributed to
an individual
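Added example, not from the slides: a Python user access review that reconciles a cloud application’s user export against a directory export and flags the conditions listed above (no matching directory account, shared or generic logins, disabled directory users still active in the app, contractors past their end date, and accounts exempted from password expiry). The same check covers the Target and Home Depot lesson in the speaker notes, a third-party vendor whose credentials outlive the engagement. The two CSV exports, their column names and the cut-off date are constructed for the example; real exports from Active Directory and a SaaS admin console will have different columns.

```python
"""User access review of a cloud app against the directory (added example, constructed data)."""
import csv
import io
from datetime import date

# Constructed directory export (the shape of an AD user export).
DIRECTORY_CSV = """\
sAMAccountName,employeeType,accountExpires,enabled
jdoe,employee,,true
ksasser,employee,,true
vendor-hvac,contractor,2014-09-30,true
vendor-alarm,contractor,2016-01-31,true
mjones,employee,,false
"""

# Constructed user export from a cloud app's admin console.
# pw_never_expires models an exception granted to the company password policy.
CLOUD_APP_CSV = """\
login,last_login,pw_never_expires,owner_group
jdoe@example.com,2015-06-01,false,finance
ksasser@example.com,2015-06-03,false,finance
vendor-hvac@example.com,2015-05-28,true,facilities
vendor-alarm@example.com,2015-06-02,false,facilities
finance-shared@example.com,2015-06-04,true,finance
mjones@example.com,2015-02-10,false,finance
oldconsultant@example.com,2014-11-02,false,it
"""

# Substrings that mark a login as generic rather than a named person.
SHARED_MARKERS = ("shared", "team", "generic", "service", "admin")


def review(app_csv=CLOUD_APP_CSV, dir_csv=DIRECTORY_CSV, today=date(2015, 6, 5)):
    """Return {login: [finding, ...]} for every cloud-app account with at least one issue.

    Matching rule (an assumption for the example): the login's local part
    must equal a directory sAMAccountName.
    """
    directory = {r["sAMAccountName"]: r for r in csv.DictReader(io.StringIO(dir_csv))}
    findings = {}
    for row in csv.DictReader(io.StringIO(app_csv)):
        login = row["login"]
        local = login.split("@", 1)[0].lower()
        issues = []
        if any(m in local for m in SHARED_MARKERS):
            issues.append("shared/generic account: actions cannot be tied to one person")
        user = directory.get(local)
        if user is None:
            issues.append("no directory match: access cannot be validated against AD")
        else:
            if user["enabled"] != "true":
                issues.append("directory account disabled but cloud access still active")
            if user["employeeType"] == "contractor" and user["accountExpires"]:
                end = date.fromisoformat(user["accountExpires"])
                if end < today:
                    issues.append(f"contractor engagement ended {end.isoformat()}")
        if row["pw_never_expires"] == "true":
            issues.append("exception to the password expiry policy")
        if issues:
            findings[login] = issues
    return findings


if __name__ == "__main__":
    for login, issues in review().items():
        for issue in issues:
            print(f"{login:28} {issue}")
```

Run on the cut-off date the review is performed; the `today` parameter exists so the same report can be replayed for a past review period during an audit.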
25. Single Sign-On and Password Emerging
Trends
Single sign-on is an authentication process that allows users to enter one user
name and password to access multiple applications they have been given rights to.
It also concentrates risk: one stolen credential now opens every connected application,
so the SSO login is the one that most needs a second factor.
Two-factor authentication requires two different kinds of factor to establish a
user’s identity: something you know (a password or PIN), something you have (a
token or phone), or something you are (a fingerprint or retina scan). A password plus a
PIN, or a retina scan plus a fingerprint, is two of the same kind and is not true
two-factor authentication.
Establishing complex user names, such as K$@ssEr (of limited value: user names are
rarely secret, since they appear in e-mail addresses and logs)
Establishing meaningful, easy to remember complex passwords such as
t3chRock$ or $omething2about! (caveat: these are dictionary words with character
substitutions, which password-cracking rule sets generate directly; length matters more
than substitutions, so prefer long passphrases)
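Added example, not from the slides: the suggested passwords t3chRock$ and $omething2about! are dictionary words with “leet” substitutions, capitalization and a joiner or suffix, exactly the transformations that the rule files shipped with free crackers such as hashcat and John the Ripper apply to a wordlist. The Python below implements a small subset of such rules over a constructed seven-word list and recovers both passwords from their hashes, while a random passphrase of unrelated words is not found. It also serves the “Passwords can be easily broken” point on the earlier slide. Unsalted SHA-256 stands in for whatever fast hash the target uses; the wordlist, the rule subset and the third target are assumptions for the example.

```python
"""Rule-based dictionary attack on 'complex-looking' passwords (added example, constructed targets)."""
import hashlib
import itertools

# Constructed wordlist; real attacks use lists with millions of entries.
WORDLIST = ["tech", "rock", "rocks", "something", "about", "password", "welcome"]

# Common "leet" substitutions, a fraction of what cracker rule files contain.
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$", "t": "7"}
JOINERS = ("", "2")            # "2" as in "$omething2about"
SUFFIXES = ("", "!", "$", "1")


def sha256(text):
    """Unsalted SHA-256 hex digest; stands in for any fast, unsalted password hash."""
    return hashlib.sha256(text.encode()).hexdigest()


def variants(word):
    """Case and leet variants of one word: every subset of the substitutions,
    each in lowercase, Capitalized and UPPER form."""
    out = set()
    keys = [k for k in LEET if k in word]
    for n in range(len(keys) + 1):
        for subset in itertools.combinations(keys, n):
            v = word
            for k in subset:
                v = v.replace(k, LEET[k])
            out.update({v, v.capitalize(), v.upper()})
    return out


def candidates(words=WORDLIST):
    """Yield single words and ordered word pairs, joined and suffixed."""
    forms = {w: sorted(variants(w)) for w in words}
    for w in words:
        for v in forms[w]:
            for s in SUFFIXES:
                yield v + s
    for w1, w2 in itertools.permutations(words, 2):
        for v1 in forms[w1]:
            for v2 in forms[w2]:
                for j in JOINERS:
                    for s in SUFFIXES:
                        yield v1 + j + v2 + s


def crack(target_digests, words=WORDLIST):
    """Return ({digest: plaintext} for each recovered target, number of candidates tried)."""
    wanted = set(target_digests)
    found = {}
    tried = 0
    for c in candidates(words):
        tried += 1
        d = sha256(c)
        if d in wanted and d not in found:
            found[d] = c
            if len(found) == len(wanted):
                break
    return found, tried


# Digests of the constructed targets: the slide's two suggestions and one random
# passphrase of unrelated words. An attacker would hold only the digests.
TARGETS = [sha256("t3chRock$"), sha256("$omething2about!"),
           sha256("velvet orbit canyon plum 47")]

if __name__ == "__main__":
    found, tried = crack(TARGETS)
    for d in TARGETS:
        print(d[:12], "->", found.get(d, "not found"))
    print(f"{tried} candidates tried")
```

Seven words and a handful of rules already produce a few hundred thousand candidates, which a GPU cracker exhausts in well under a second against unsalted hashes; a long passphrase of unrelated words is not in that space at all.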
26. Compliance Made Simple ™
Community & Sharing
User Access Rights Webinar
Join Our LinkedIn Group
COSO Framework Discussion & Webinars
https://www.linkedin.com/groups/COSO-Implementation-4888186/about
Technical community for sharing ideas, templates and webinars; get advice
and learn from others implementing the new framework.
Share your latest templates here!
27. Compliance Made Simple ™
Community & Sharing
User Access Rights Webinar
LinkedIn Group: Friggin’
Bean Counters
https://www.linkedin.com/groups/6985169
28. Chat TIME?
Does your organization have a PROVEN
SYSTEM for monitoring its user access
policies?
30. Compliance Made Simple ™
User Access Procedure Diagnostic
Email us for 5 SPOTS ONLY:
Info@avivaspectrum.com
SUBJECT: USER ACCESS
Internal Threat Analysis: In-take, Benchmark
31. Compliance Made Simple ™
Aviva Spectrum is HIRING
1. SOX 404 – Senior Internal Auditors
2. IT auditors
3. SEC Reporting Managers
4. Cyber security consultants
Email:
Careers@avivaspectrum.com
User Access Rights Webinar
Sonia (Lead) The global edition of the 2015 Vormetric Insider Threat Report provides present-day insight and opinion into the host of data breach threats that enterprise organizations face on a daily basis. The report is based on survey responses from more than 800 senior business managers and IT professionals in major global markets, roughly half from the US and the rest from the UK, Germany, Japan and ASEAN countries. Their views on the changes that are needed to keep business systems safe are insightful, as are their opinions on the types of user that put key business information assets at most risk. Interviews were conducted online by Harris Poll on behalf of Vormetric in September-October 2014.
Sonia (Lead)
Sonia (Lead)
(Sonia – Lead)
Sonia (Lead)
Karla (LEAD)
ISO – was founded in 1947 and is headquartered in Geneva, Switzerland. Members of ISO are standard-setting organizations from 164 member countries.
ISO is financed by:
Organizations that manage the specific projects or loan experts to participate in the technical work.
Subscriptions from member bodies which are assessed in proportion to each country's gross national product and trade figures.
Sale of standards.
International Information System Security Certification Consortium – formed in mid-1989 as a non-profit organization headquartered in the US, with offices in London, Hong Kong, Tokyo, Mumbai, and an authorized China agency in Beijing; they specialize in information security education and certifications, such as the Certified Information Systems Security Professional (CISSP), for professionals in 160 countries.
PCI-DSS is a consortium standard setter – launched in 2006 and funded by MasterCard Worldwide, Visa International, American Express, Discover Financial Services, and JCB to establish principles for the Data Security Standard (PCI-DSS), the Payment Application Data Security Standard (PA-DSS) and PIN Transaction Security (PTS).
COSO was organized in 1985 and is a joint initiative of five private sector organizations, American Accounting Association, AICPA, Financial Executives International, Association of Accountants and Financial Professionals in Business and the Institute of Internal Auditors. COSO provides thought leadership through the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence. COSO is fairly new to the IT standard setting space with the inclusion of Principle 11 – in the 2013 revision of the framework.
ISACA – was established in 1969 by a small group of individuals that recognized a need for a centralized source of information and guidance in auditing controls for computer systems. Today, ISACA serves 140,000 professionals in 180 countries. ISACA is funded by member dues, certifications and sales of standards and other reference materials. Control Objectives for Information and Related Technology (COBIT) is a framework for information technology (IT) management and IT governance.
Sonia’s Comment (“Tell us what you would recommend to clients on how they should determine which standards they use for cybersecurity”)
Sonia (Lead)
Karla (LEAD)
2015 estimates are beginning to come in at 23% higher than 2014.
(if needed)
In another survey of breached organizations conducted by Kroll
44% of data loss was from a malicious or criminal attack and had the highest average cost per compromised record at $246
31% of data loss was from employee negligence at an average cost of $160
and 25% from system glitches, at an average cost of $171
IN ADDITION
The cost of lost business increased from $3.03 million to $3.2 million in 2014. These costs include:
Abnormal customer turnover
Increased customer acquisition costs
Reputation loss and diminished goodwill.
Karla (Lead)
Sonia – Comment (Look at the org chart such as Controller and Asst. Controller and noting common access point to the “least” amount they need).
Karla (Lead)
https://technet.microsoft.com/en-us/library/cc756898%28v=ws.10%29.aspx
The table reflects default user access rights:
Default administrator rights include several permissions that don’t adhere to least privilege, such as DEBUG PROGRAMS, which is used for finding programming errors. If an administrator’s credentials are compromised, this permission could be used by hackers to launch nasty attacks, such as DLL injection.
**DLL injection is used by external programs to influence the behavior of another program in a way its authors did not anticipate or intend.
Sonia (Lead)
Karla (LEAD):
Netskope is the leading Cloud Access Security Broker.
SaaS spending to grow from $39.8 billion in 2014 to $82.7 billion in 2018.
IT has traditionally been responsible for installing/enabling apps; however, users and lines of business are now procuring and deploying their own apps. Because of this, cloud app usage is underestimated by more than 90%, and much of that 90% is apps that are essential to the business. They perform critical functions such as payroll, billing, expense management, sales forecasting, and more.
Karla (LEAD)
Sonia comment – We were both surprised that Paychex and ADP didn’t make this list, as they have cloud applications.
Karla (Lead)
Hackers obtained login credentials of a high-level system administrator, they took over one server that was not well protected, from there, the hackers were able to gain access to the rest of the network.
Sony’s network was not layered well enough to prevent breaches occurring in one part from affecting other parts. In addition, “password” was used as a password in 3 certificates.
A combination of weak passwords, lack of server layering, not responding to alerts or setting up alerts, inadequate logging and monitoring, and lack of Security Education Training and Awareness all contributed to the Sony Breach.
Sonia’s comment about office fire drills, you get so conditioned you “pass” on reacting because you know it’s just a drill.
Karla (Lead)
Sonia comment about post-it notes
Karla (LEAD)
Cox Communication was fined $595,000 in a settlement with the FCC. EvilJordie, a member of the Lizard Squad hacker collective posed as an IT staffer and convinced a customer service rep to enter their user name and password into a fake website.
Under the terms of the settlement, Cox will pay the fine, identify and notify all victims and provide a year of credit monitoring. Cox is also required to conduct internal system audits, internal threat monitoring, penetration testing and other security measures to prevent further hacks.
Karla (Lead)
Sonia’s comment: I’ve seen cloud app users’ IDs and passwords shared to save money on licensing fees.
Karla (LEAD)
For Target, the initial intrusion was traced to stolen network credentials from a 3rd party vendor that was hired to monitor the physical environments of the stores.
In one year Target’s full-year net breach expenses were $145 million ($191 million offset by $46 million insurance receivable).
In the Home Depot breach, hackers used a 3rd party vendor’s user name and password to enter the perimeter of the network. Once in, they were able to acquire elevated rights that allowed them to deploy malware on the self-checkout systems in the US and Canada.
Sonia (Lead):
Quick polling question: “How many of you are using the ERM framework?”
“How many of you know it will soon change?”
Sonia: I wanted to share some insight on a very fast growing technical community and more importantly thank Monica who is a member of the COSO Implementation community for being here with us and sharing her insights on risk assessments best practice items and practical approaches in this webinar.
Karla (LEAD):
Friggin’ Bean Counters was established as a forum for IT professionals to interact with accounting professionals.
Sonia (Amazon.com or Barnes & Noble)
Sonia (Lead):
I know a lot of you got a lot of value from this webinar and some of you for sure are starting to think about “what’s next for me”?
You’re not alone! Karla and I have spent several hours and weeks developing this webinar and we decided that we wanted to do more than the average webinar series on cyber security. We actually sat down and took apart over 400 pages of Guidance materials, from COBIT, PCI and ISO standards. And we developed a unique diagnostic to identify the top potential internal threats that a company should consider addressing. What we’ve done is created a 1 hour analysis with me & Karla together to identify if your organization has things buttoned up tightly or if you have a few missing things you’ll need to address on your own. So imagine a Priority driven and proven “road map” that will guide you on where to start first for your user access review and what should be fixed first. It’s complimentary and here’s how it functions:
NDA
Intake scheduled
Benchmark
Custom industry focused user access “Internal Threat” Recommendation report