A Practical Approach to Network Vulnerability Assessment

BRYAN MILLER, IT DIRECTOR

JOHN KEILLOR, CPA, AUDIT PARTNER

“AN AUDITOR’S PERSPECTIVE”

Agenda

  Audits

  Articles/Examples

  Classify Your Data

  IT Control Objectives (Best Practices)
    • Organization & Administrative Controls
    • Physical Security
    • Environmental Controls
    • Network & Internet Security
    • Segregation of Functions
    • Data Backup and Business Continuity

  Summary & Take Away

Here Come the Auditors…

Statement on Auditing Standards (SAS) 94, The Effect of Information Technology on the Auditor’s Consideration of Internal Control in a Financial Statement Audit, requires the auditor to consider the importance of IT processes and controls in the preparation of financial statements.

A report from the Public Oversight Board’s Panel on Audit Effectiveness recommended that:

“... audit firms place a high priority on enhancing the overall effectiveness of auditors’ work on internal control, particularly with respect to the depth and substance of their knowledge about the entity's information technology.”

Here Come the Auditors…

Audits that Impact the Clerk of Courts:

  Annual Financial Statement Audit

  Internal Control Audits of Service Organizations (SOC 1 Audits)
    Florida Courts E-Filing Portal: Court Filings and Electronic Commerce
    MyFloridaCounty.com: Traffic Citations, Child Support, Ordering Official Records, and other services

MyFloridaCounty.com and Florida Courts E-Filing Portal SOC 1 Workflow (diagram)

Understanding Controls over Technology (figure)

Source: Journal of Accountancy


Threat/Damage Examples

  Data Theft
    Political
    Competitive Advantage
    Monetary Gain

  Data Loss (permanently removed or destroyed)

  External hacker
    Ransomware
    DoS (Denial of Service)

  Employee
    Disgruntled
    Hired or motivated by outside source

Breach Examples – Stay out of the News!


Classify Your Data – What are you trying to protect?

  Assign levels to data
    Critical
    Sensitive
    Low Level
    Public

  Restrict access
    By Department
    User Groups
    Higher level doesn’t always mean access should be granted

  Common Issue
    Misclassification
    Storage in wrong location
    (A top-10 threat action within Insider Misuse, Verizon 2014 Data Breach Investigations Report)
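The two rules on this slide, clearance alone is not enough (the user also needs a department or group reason to see the data) and data stored in a location rated below its level is a finding, are the kind of thing an auditor will ask you to demonstrate rather than describe. The block below is an added example and not code from the slide deck; the level names, departments, share names and inventory are constructed for illustration.

```python
"""Data classification with need-to-know: added example, not code from the
slide deck. It models two points from the slide: a higher clearance alone
should not grant access (the user also needs a department / group reason),
and data stored in a location rated below its level is a misclassification
finding. Level names, departments and the inventory are constructed."""
from dataclasses import dataclass

# Ordered least to most sensitive; the index is the rank used for comparison.
LEVELS = ("public", "low", "sensitive", "critical")
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Resource:
    name: str
    level: str          # one of LEVELS
    department: str     # owning department (need-to-know scope)
    location: str       # share or system where it is stored


@dataclass(frozen=True)
class User:
    name: str
    clearance: str           # highest level the user may see
    departments: frozenset   # departments the user works in


@dataclass(frozen=True)
class Location:
    name: str
    max_level: str           # highest level this location is approved to hold


def can_access(user, res):
    """Clearance AND need-to-know must both hold; level alone is not enough."""
    cleared = RANK[user.clearance] >= RANK[res.level]
    need_to_know = res.level == "public" or res.department in user.departments
    return cleared and need_to_know


def misplaced(resources, locations):
    """Names of resources stored somewhere rated below their classification.
    An unknown location is treated as approved for nothing, so it is flagged."""
    approved = {loc.name: RANK[loc.max_level] for loc in locations}
    return sorted(r.name for r in resources
                  if RANK[r.level] > approved.get(r.location, -1))


# Constructed inventory for the demonstration.
LOCATIONS = [Location("public_web", "public"),
             Location("dept_shares", "sensitive"),
             Location("vault", "critical")]
RESOURCES = [
    Resource("fee_schedule.pdf", "public", "finance", "public_web"),
    Resource("payroll_2014.xlsx", "critical", "finance", "dept_shares"),  # too sensitive for the share
    Resource("case_index.db", "sensitive", "courts", "dept_shares"),
    Resource("ssn_extract.csv", "critical", "courts", "vault"),
    Resource("budget_draft.docx", "sensitive", "finance", "public_web"),  # on a public location
]
BY_NAME = {r.name: r for r in RESOURCES}
USERS = {
    "cfo": User("cfo", "critical", frozenset({"finance"})),
    "clerk": User("clerk", "sensitive", frozenset({"courts"})),
}

if __name__ == "__main__":
    print("misplaced:", misplaced(RESOURCES, LOCATIONS))
    for uname, user in USERS.items():
        for res in RESOURCES:
            print(f"{uname:6} {res.name:20} {'allow' if can_access(user, res) else 'deny'}")
```

Running it shows the point of the slide: the "cfo" user holds the highest clearance but is denied `ssn_extract.csv` because it belongs to another department, and two files are reported as stored below their classification.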


IT Control Overview

  Organization & Administrative Controls
  Physical Security
  Environmental Controls
  Network and Internet Security
  Segregation of Functions
  Data Backup, Business Continuity and Disaster Recovery

Organization & Administrative Control Example

Information Security Policy: do you have one? If so, are you following it?

  Develop the Policy
    Group effort from multiple departments
    Months to develop
    Risk versus cost and operational functionality
  Implement, Follow, Enforce
  Test
  Continuously Revise

Example Security Policy Content

  Client Data and Retention
  Privacy & Monitoring
  User Responsibilities
  Email and Remote Access
  Internet Security
  Hardware and Software
  Virus Protection
  Software Licensing and Use
  Mobile Device Policy (BYOD)
  Personal Use

See: SANS – Information Security Policy Templates

Organization & Administrative Control Example

User Awareness & Education (training is a must!)

  Present the Security Policy and revisions
  Signed copy in every staff member’s personnel file
  Vigilance: what to look for
  Safe browsing techniques (look out for “social engineering” attacks)
  Examples of breaches and attacks (how they happened)

It is difficult to protect your network with “uneducated” users. Approximately 58% of cyber security incidents in the public sector were caused by employees (34% accidents and 24% unapproved or malicious data).[1]

Physical Security

  Building Access
    Key card or fob access
    Visitor badges and escorts
  Data Center Access
    Restricted to authorized users
  Monitoring
    Security and fire monitoring from a third-party vendor
  Annual Third-Party Security Review

If an attacker can gain access to physical workstations or other hardware, you are toast!

Environmental Controls

  Redundant Cooling Systems
  Fire Suppression System
  Uninterruptible Power Supply (UPS) Units
  Backup Power: Diesel/Natural Gas Generator
  Temperature & Humidity Monitoring

Network & Internet Security

  Network Diagram, Documentation and Labeling
  Security Devices & Firewalls
  Anti-Virus Protection
  Password Management
  Change Management
  Encryption
  Patch Management
  Monitoring (internal logs, IPS)
  User Roles (IT and Staff)

Layered Security

  Layer         Controls
  Network       Firewalls, routers, DMZ, VLAN, VPN
  Platform/OS   Active Directory, Password Management, Antivirus, patching (Windows, Java, Flash, BIOS)
  Application   Secure coding, change management, database security (e.g. SQL)
  Data          Encryption, backup, access groups
  Response      Monitoring (logs), intrusion detection, remediation

User Security Example: Password Management

  Domain/Network Security Examples
    Minimum 10 characters
    Password complexity
    Required change every six months
    Lockout after unsuccessful attempts
    Two-factor authentication (especially for Internet-facing systems)

  Include in Security Policy and User Education
    Never reuse a work password for other logins (e.g. banking, Facebook, third-party email)
    Never use linkable names and/or dates (e.g. family members, pets, birthdays and anniversaries)
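Most of the items on this slide can be enforced rather than merely taught: length and complexity at the domain, lockout at the authentication service, and "no linkable names or dates" at the point where a password is set, if the system knows a little about the user. The block below is an added example, not code from the slide deck; the complexity rule (three of four character classes), the lockout window and the demo profile are assumptions chosen for illustration.

```python
"""Password policy checks from the slide: minimum length, complexity, lockout
after failed attempts, and no names or dates linkable to the user. Added
example, not code from the slide deck; thresholds, the complexity rule
(three of four character classes) and the demo profile are assumptions."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import date


@dataclass
class UserProfile:
    username: str
    linked_names: list    # family members, pets, and similar
    linked_dates: list    # birthdays, anniversaries, as datetime.date


# Common digit/symbol substitutions, so "Fl0ffy" still matches the pet "Fluffy".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})
CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def date_tokens(d):
    """Digit strings people type for a date: 2012, 0614, 1406, 06142012, 061412, ..."""
    y, m, dd = f"{d.year}", f"{d.month:02d}", f"{d.day:02d}"
    return {y, m + dd, dd + m, m + dd + y, dd + m + y, y + m + dd, m + dd + y[2:], dd + m + y[2:]}


def check_password(pw, profile, min_length=10, min_classes=3):
    """Return the list of violated rules; an empty list means the password complies."""
    violations = []
    if len(pw) < min_length:
        violations.append("min_length")
    if sum(bool(re.search(c, pw)) for c in CLASSES) < min_classes:
        violations.append("complexity")
    forms = {pw.lower(), pw.lower().translate(LEET)}   # raw and de-leeted
    if any(profile.username.lower() in f for f in forms):
        violations.append("contains_username")
    for name in profile.linked_names:
        if len(name) >= 3 and any(name.lower() in f for f in forms):
            violations.append(f"linkable_name:{name}")
    for d in profile.linked_dates:
        # Longest token first so 06142012 is reported rather than just 2012.
        for tok in sorted(date_tokens(d), key=len, reverse=True):
            if tok in pw:
                violations.append(f"linkable_date:{tok}")
                break
    return violations


class LockoutTracker:
    """Lock an account after `threshold` failures inside `window_s` seconds,
    for `lockout_s` seconds. Times are epoch seconds passed in by the caller."""

    def __init__(self, threshold=5, window_s=900, lockout_s=900):
        self.threshold, self.window_s, self.lockout_s = threshold, window_s, lockout_s
        self.failures = defaultdict(deque)   # account -> recent failure times
        self.locked_until = {}               # account -> time the lock expires

    def is_locked(self, account, now):
        return self.locked_until.get(account, 0) > now

    def record_failure(self, account, now):
        """Register a failed attempt; True if the account is locked afterwards."""
        if self.is_locked(account, now):
            return True
        q = self.failures[account]
        q.append(now)
        while q and now - q[0] > self.window_s:   # drop failures outside the window
            q.popleft()
        if len(q) >= self.threshold:
            self.locked_until[account] = now + self.lockout_s
            q.clear()
            return True
        return False

    def record_success(self, account):
        self.failures.pop(account, None)


# Constructed profile for the demonstration, not a real person.
DEMO_PROFILE = UserProfile("jdoe", ["Fluffy", "Emma"], [date(2012, 6, 14), date(1985, 3, 7)])

if __name__ == "__main__":
    for pw in ("Fluffy2012!", "Emm4Rose#1", "Tr0ub4dor&3", "Short1!"):
        print(f"{pw:14} {check_password(pw, DEMO_PROFILE) or 'OK'}")
```

Note that "Fluffy2012!" passes the length and complexity rules that a domain policy enforces and is still rejected, because the pet's name and the anniversary year are exactly the linkable data the slide warns about; the date check runs on the raw string only, since de-leeting would turn digits into letters.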

Segregation of Functions

  User/Staff
    Access groups based on data classification
    Application access: roles within applications (e.g. accounting software)

  IT Staff
    Access groups based on data classification
    Operating staff and programmers separated
    Creating user silos
    Local Admins and Domain Admins are very dangerous!

Popular Attack – PtH (Pass-the-Hash) (diagram)
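The warning on the previous slide about Local Admins and Domain Admins and the Pass-the-Hash diagram here belong together: a shared local administrator password lets one stolen hash open every workstation, and the logons it produces look ordinary unless you know what to look for. The block below is an added example of the detection side, not code from the slide deck or from the Microsoft whitepaper listed in the resources. It applies three commonly published heuristics to Windows Security event 4624 records: an NTLM network logon with KeyLength 0, a LogonType 9 (NewCredentials) logon through the seclogo process with the Negotiate package, and one local account authenticating to several hosts from the same source address. The field names follow the real 4624 event; the event lines themselves are constructed, and the heuristics are indicators to tune for your environment, not a definitive signature.

```python
"""Heuristic detection of Pass-the-Hash style logons in Windows Security
event 4624 records. Added example, not code from the slide deck or from the
Microsoft PtH whitepaper. The indicators are widely used heuristics, not a
definitive signature; the event lines below are constructed, not real logs."""
import re
from collections import defaultdict

# Constructed sample: one 4624 event per line as key=value pairs. Field names
# follow the real 4624 event; hosts, accounts and addresses are made up.
SAMPLE_EVENTS = """\
EventID=4624 Computer=FS01 TargetUserName=jdoe TargetDomainName=CORP LogonType=2 AuthenticationPackageName=Kerberos LogonProcessName=User32 KeyLength=0 IpAddress=-
EventID=4624 Computer=FS01 TargetUserName=jdoe TargetDomainName=CORP LogonType=3 AuthenticationPackageName=Kerberos LogonProcessName=Kerberos KeyLength=0 IpAddress=10.1.2.3
EventID=4624 Computer=FS01 TargetUserName=svc_backup TargetDomainName=CORP LogonType=3 AuthenticationPackageName=NTLM LogonProcessName=NtLmSsp KeyLength=128 IpAddress=10.1.2.9
EventID=4624 Computer=FS01 TargetUserName=Administrator TargetDomainName=FS01 LogonType=3 AuthenticationPackageName=NTLM LogonProcessName=NtLmSsp KeyLength=0 IpAddress=10.1.2.50
EventID=4624 Computer=WS07 TargetUserName=Administrator TargetDomainName=WS07 LogonType=3 AuthenticationPackageName=NTLM LogonProcessName=NtLmSsp KeyLength=0 IpAddress=10.1.2.50
EventID=4624 Computer=WS07 TargetUserName=helpdesk TargetDomainName=CORP LogonType=9 AuthenticationPackageName=Negotiate LogonProcessName=seclogo KeyLength=0 IpAddress=::1
EventID=4624 Computer=DC01 TargetUserName=WS07$ TargetDomainName=CORP LogonType=3 AuthenticationPackageName=NTLM LogonProcessName=NtLmSsp KeyLength=0 IpAddress=10.1.2.7
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_events(text):
    """Parse the key=value lines into dicts; KeyLength becomes an int."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = dict(KV_RE.findall(line))
            ev["KeyLength"] = int(ev.get("KeyLength", 0))
            events.append(ev)
    return events


def is_machine_account(name):
    return name.endswith("$")


def is_local_account(ev):
    """Local (non-domain) account: the account's domain field is the host itself."""
    return ev.get("TargetDomainName", "").upper() == ev.get("Computer", "").upper()


def pth_indicators(ev):
    """Per-event indicators that fire for a single 4624 record."""
    hits = []
    user = ev.get("TargetUserName", "")
    if ev.get("EventID") != "4624" or is_machine_account(user) or user.upper().startswith("ANONYMOUS"):
        return hits
    # Network logon over NTLM with KeyLength 0 (normal NTLM sessions show 128).
    if (ev.get("LogonType") == "3" and ev.get("AuthenticationPackageName") == "NTLM"
            and ev.get("LogonProcessName") == "NtLmSsp" and ev["KeyLength"] == 0):
        hits.append("ntlm_network_logon_keylength_0")
    # NewCredentials logon via seclogo/Negotiate: runas /netonly and the usual
    # pattern left by credential-injection tools.
    if (ev.get("LogonType") == "9" and ev.get("LogonProcessName", "").lower() == "seclogo"
            and ev.get("AuthenticationPackageName") == "Negotiate"):
        hits.append("newcredentials_via_seclogo")
    return hits


def detect_pth(events, reuse_threshold=2):
    """Return alert dicts: per-event indicators plus local-account reuse across hosts."""
    alerts = []
    reuse = defaultdict(set)   # (source ip, local account) -> hosts it logged on to
    for ev in events:
        acct, host, src = ev.get("TargetUserName", ""), ev.get("Computer", ""), ev.get("IpAddress", "-")
        for ind in pth_indicators(ev):
            alerts.append({"indicator": ind, "account": acct, "host": host, "source": src})
        if (ev.get("EventID") == "4624" and ev.get("LogonType") == "3"
                and is_local_account(ev) and not is_machine_account(acct)):
            reuse[(src, acct.lower())].add(host)
    for (src, acct), hosts in reuse.items():
        if len(hosts) >= reuse_threshold:
            alerts.append({"indicator": "local_account_reused_across_hosts", "account": acct,
                           "host": ",".join(sorted(hosts)), "source": src})
    return alerts


if __name__ == "__main__":
    for alert in detect_pth(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

On the sample, the service account's NTLM logon (KeyLength 128) and the machine account are left alone, while the local Administrator reaching FS01 and WS07 from one address fires both the per-event and the reuse indicator. That reuse pattern is exactly what unique local administrator passwords and denying network logon to local accounts are meant to remove.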

Data Backup, Business Continuity and Disaster Recovery

  Backup Documentation (Disaster Recovery Policy)
    Schedule: hourly, daily, monthly, annual (based on classification)
    Offsite backup and replication (hot site)
    Retention Policy
    Test, Test, Test! (e.g. periodic restores of all areas)

  Contingency Plans – if you still have a breach
    Structured plan of remediation
    PR protocol: who’s talking to the press?


Summary and Takeaway

  Audits: what we look at
  Breach Examples: stay out of the news!
  IT Control Examples
    Importance of an Information Security Policy and other documentation
    User Education & Awareness: most important yet least utilized
    Layered Network Security Approach
  Contingency: are you ready if the breach still takes place?

Helpful Resources

  Verizon 2014 Data Breach Investigations Report
  http://www.verizonenterprise.com/DBIR/2014/

  AICPA – Service Organization Control (SOC) Reports
  http://www.aicpa.org/InterestAreas/FRC/AssuranceAdvisoryServices/Pages/SORHome.aspx

  SANS – Information Security Policy Templates
  http://www.sans.org/security-resources/policies/

  Microsoft Whitepaper – Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques
  http://www.microsoft.com/en-us/download/details.aspx?id=36036

Questions?

Lanigan Group

John Keillor, CPA, Audit Partner
[email protected]

Bryan D Miller, IT Director
[email protected]

Lanigan & Associates, P.C.
Lanigan Wealth Management
314 Gordon Avenue
Thomasville – Tallahassee – Atlanta
(229) 226-8320
www.lanigancpa.com