MONDAY CS 1 7 Nick Galletto Michael Juergens

Cyber-Security: Proactively
managing the cyber threat

landscape
Agenda
Understanding the cyber threat landscape

Building a resilient Cyber Risk capability
An Internal Audit approach
Closing thoughts
Understanding the
cyber threat landscape
The evolving threat landscape

Lilly scientists stole $55 million in trade secrets1
Indianapolis Business Journal, October 8, 2013
Last year, over 800 million records were breached globally, up from 250 million in 2012
The Economist, July 2014
Target missed signs of a data breach (40 million credit card numbers compromised)2
NY Times, March 13, 2014
On a scale of 1 to 10American preparedness for a large-scale cyber attack is around a 33

NY Times, July 2012
$55 million
800 million
40 million
3
Why?
Changing
regulatory
environment
Technology innovations that drive

business growth also create cyber risk.
New technology-enabled business
models create new opportunities for
malicious actors to exploit and higher
likelihood of accidental vulnerabilities.
1
2
3
Corporate
change
& innovation
Regulatory changes continue

to absorb resources and attention.
Evolving
threat
environment
Cyber threats are asymmetrical risks. Cyber crime

grows in sophistication, and attacks increase in
speed and number, while time to respond
decreases. Targeted attacks on operations, brand,
and competitive advantage are more impactful
than ever.
http://www.ibj.com/lilly-employees-stole-55-million-in-trade-secrets-indictment-alleges/PARAMS/article/43949
http://www.nytimes.com/2014/03/14/business/target-missed-signs-of-a-data-breach.html?_r=0
http://www.nytimes.com/2012/07/27/us/cyberattacks-are-up-national-security-chief-says.html?_r=0
Deloitte LLP and affiliated entities.
Cybersecurity Proactively managing the cyber threat landscape
Cyber risk
High on the agenda
Audit committees and board members are seeing cybersecurity as a top risk, underscored by recent
headlines and increased government and regulatory focus
Recent U.S. Securities and Exchange Commission (SEC) guidance regarding disclosure obligations relating to
cybersecurity risks and incidents..
Registrants should address cybersecurity risks and cyber incidents in their

Managements Discussion and Analysis of Financial Condition and Results of
Operations (MD&A), Risk Factors, Description of Business, Legal Proceedings
and Financial Statement Disclosures. SEC Division of Corporate Finance
Disclosure Guidance: Topic No. 2 Cybersecurity
Ever-growing concerns about cyber-attacks affecting the nations critical infrastructure prompted the signing of the
Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity.
The Executive Order highlights the focus on an improved cybersecurity framework and the rapid changes of regulatory
agency expectations and oversight
One of the foundational drivers behind the update and release of the 2013 COSO Framework was the need to address
how organizations use and rely on evolving technology for internal control purposes
Cyber risk (contd)

Roles and responsibilities
Effective risk management is the product of multiple layers of risk defense. Internal Audit should support the boards need
to understand the effectiveness of cybersecurity controls.
Roles and responsibilities
1st Line of defense

business and IT
functions
2nd Line of defense

information and technology
risk management
function
3rd Line of
defense
internal audit
Incorporate risk-informed decision making into day-to-day operations

and fully integrate risk management into operational processes
Define risk appetite and escalate risks outside of tolerance
Mitigate risks, as appropriate
Establish governance and oversight

Set risk baselines, policies, and standards
Implement tools and processes
Monitor and call for action, as appropriate
Provide oversight, consultation, checks and balances, and
enterprise-level policies and standards
Independently review program effectiveness

Provide confirmation to the board on risk management effectiveness
Meet requirements of SEC disclosure obligations focused on
cybersecurity risks
Given recent high profile cyber attacks and data losses, and the SECs and other regulators expectations, it is
critical for Internal Audit to understand cyber risks and be prepared to address the questions and concerns
expressed by the audit committee and the board
What are we seeing?

1
Attack vector shifting from technology to people.
Attack patterns are increasingly starting to look like normal behavior. Threats are increasingly
hiding in plain sight. Some of the threats are adaptive and have the ability to go into dormant
mode, making them difficult to detect.
Criminals, state actors and even Hactivists are building better intelligence, capability and have a
wider network of resources than organizations (i.e., wideningcapability gap).
Supply chain and business partner poisoning or lateral entry are on the rise.
Advanced Threat Adversaries' Calling Card defy traditional signature-based approaches.
Incident patterns
of incidents can be
described by just
nine basic patterns
Card skimmers
Cyber-espionage
Physical theft/loss
Point-of-sale
intrusions
Miscellaneous errors
Web application
attacks
Everything else
Insider misuse
Crimeware
Denial of service attacks
of incidents in an
industry can be
described by just
three of the nine
patterns
It starts by understanding your

organizational risk appetite
What are they after
and what key business
risks must we mitigate?
Who might attack?
What tactics
might they use?
Cyber criminals
Sensitive data
Hactivists (agenda driven)
Nation states
Malicious insiders
Financial fraud
(e.g., wire transfer,
payments)
Spear phishing, drive by

download, etc.
Software or hardware
vulnerabilities
Rogue suppliers
Business disruption
(building systems, etc.)
Third party compromise
Competitors
Stolen credentials
Threats to health & safety
Skilled individual hacker
Control systems
compromise
Ultimately cyber is about brand and reputation

with your tenants and investors
Cyber
Crime
Who
Did it?
Espionage
What
Did they see & take?
Warfare
When
Do we fight back?
Terrorism
Why
Did they do it?
Security
How
Do we prevent it (again)?
What is the actual threat?
10
New technologies, new threats

What
How
Reconnaissance
Gain intelligence and identify vulnerabilities
Research the internet, call call-centers,
trawl social media etc.
Your
business
Attack
Target identified vulnerabilities
Targeted email attacks, unsuspecting
downloads from malicious or compromised
websites, exploit application or
infrastructure software vulnerabilities etc.
Strategic assets,
financial assets,
data & intelligence
Exploit
Gain broad deep access
Escalate privileges, gain increased access,
observe/control network or servers,
increase sophistication of attacks, hide
tracks, etc.
Fulfill objective
Steal/damage/disrupt
Encrypt then exfiltrate data being stolen,
stay hidden for long periods of time, erase
digital footprint
Vulnerability
Target
11
Speed of attack is accelerating
Initial attack to initial

compromise takes place
within minutes
(almost 3 of 4 cases)
72%
Data leaks occur
within minutes
(nearly half)
46%
59%
72%
Containment
(post-discovery)
requires
weeks or longer
Discovery
takes
weeks or longer
Time is of the essence

12
Case study
JP Morgan Chase & Co.
News agencies report
of FBI investigating the
bank
JP learns of attack,
closes all network
access path
JP maintains the
statement isnt
seeing any unusual
fraud activity
JP reports to USSEC, reveals

details of cyberattack
State attorneys
seek information
from JP about the
breach
Oct 2
Jan 08
JP says it isn't seeing

unusual fraud
Victim timeline
Mid-June
Mid-August
Aug 27
Aug 28
Sept 11
Attacker timeline
Attackers gain
access to JP
servers steals
Personal
information
*http://www.nytimes.com/2014/08/06/business/target-puts-data-breach-costs-at-148-million.html?_r=0
13
Building a resilient
Cyber Risk capability

14
Build a resilient cyber security

organization
This means having the agility to prevent, detect and respond quickly and effectively, not
just to incidents, but also to the consequences of the incidents
Secure
Vigilant
Resilient
Are controls in place to guard

against known and emerging
threats?
Can we detect malicious or

unauthorized activity, including
the unknown?
Can we act and recover quickly

to minimize impact?
Cyber governance
Cyber threat intelligence
Cyber threat mitigation
Cyber incident response
15
Changes in threat landscape versus

capability
Cat A SIEM (Near real time analysis)
Cat B Behavioral analysis and

machine learning (mid term analysis)
Cat C Cyber analytics

(long term analysis)
Signature based (e.g., correlation)
Behavioral analysis and machine learning model
Risk analytics (including BDSA)
Conventional
warfare
Conventional
(Conventional warfare, symmetric vectors)
Guerilla
(Hide among civilians (hide in plain sight))
Cyber
warfare
Infrastructure threats
(Retail threats, open toolkits, general Botnet, Distributed
denial of service)
Targeted attacks
(Hide within business traffic))
System 1 learning
Cyber-espionage
(Seek, analyze and exfiltrate)
System 2 learning
Effective
Espionage
(Seek, analyze and exfiltrate)
Marginally effective
In-effective
16
Building your defenses

Options
Insource
Outsource
Co-source
17
Operating model
Benefits and challenges
Insource
Outsource
Co-source
Industry and business alignment
Industry and risk profile alignment
Business, industry and

risk profile alignment
Level one monitoring

and management
Level one, two and three

monitoring and management
Level one, two and three

monitoring and management
Maintain and enhance existing

use cases
Alignment of use cases

to evolving threat landscape
Alignment of use cases

to evolving threat landscape
Limited threat intelligence

gathering
Proactive cyber threat intelligence
Proactive cyber threat intelligence
Resourcing required to operate

three shifts
Round the clock monitoring,

management and incident response
Round the clock monitoring,

management and incident response
Hardware, build, run and maintain

costs
Cloud based service

utility based costing
Hardware, build, run

and maintain costs
Capex
Opex
Capex and Opex
18
An internal audit
approach
19
Cyber risk Deloitte cybersecurity framework*

An assessment of the organizations cybersecurity should evaluate specific
capabilities across multiple domains
Secure
Cybersecurity risk and compliance management
Compliance monitoring
Issue and corrective action planning
Regulatory and exam management
Risk and compliance assessment and mgmt.
Integrated requirements and control framework
Secure development life cycle
Third-party management
Vigilant
Threat and vulnerability management
Incident response and forensics

Application security testing
Threat modeling and intelligence
Security event monitoring and logging
Penetration testing
Vulnerability management
Resilient
Recover strategy, plans & procedures

Testing & exercising
Business impact analysis
Business continuity planning
Disaster recovery planning
Information and asset classification and inventory

Information records management
Physical and environment security controls
Physical media handling
Data classification and inventory

Breach notification and management
Data loss prevention
Data security strategy
Data encryption and obfuscation
Records and mobile device management
Change management
Configuration management
Network defense
Security operations management
Security architecture
Account provisioning
Privileged user management
Access certification
Access management and governance
Risk analytics
Security operations
Security direction and strategy

Security budget and finance management
Policy and standards management
Exception management
Talent strategy
Identity and access management
Data management and protection
Crisis management and resiliency
Information and asset management
Evaluation and selection

Contract and service initiation
Ongoing monitoring
Service termination
Secure build and testing

Secure coding guidelines
Application role design/access
Security design/architecture
Security/risk requirements
Security program and talent management
Information gathering and analysis around:

User, account, entity
Events/incidents
Fraud and anti-money laundering
Operational loss
Security awareness and training
Security training
Security awareness
Third-party responsibilities
* The Deloitte cybersecurity framework is aligned with industry standards and maps to NIST, ISO, COSO, and ITIL.
As used in this document, Deloitte means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its
subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.
20
Cyber risk Deloitte cybersecurity framework* (contd)

Certain cybersecurity domains may be partially covered by existing IT audits,
however many capabilities have historically not been reviewed by internal audit
Secure
Cybersecurity risk and compliance management
Compliance monitoring
Issue and corrective action planning
Regulatory and exam management
Risk and compliance assessment and mgmt.
Integrated requirements and control framework
Evaluation and selection

Contract and service initiation
Ongoing monitoring
Service termination
Vigilant
Incident response and forensics

Application security testing
Threat modeling and intelligence
Security event monitoring and logging
Penetration testing
Vulnerability management
Resilient
Recover strategy, plans & procedures

Testing & exercising
Business impact analysis
Business continuity planning
Disaster recovery planning
Information and asset classification and inventory

Information records management
Physical and environment security controls
Physical media handling
Data classification and inventory

Breach notification and management
Data loss prevention
Data security strategy
Data encryption and obfuscation
Records and mobile device management
Change management
Configuration management
Network defense
Security operations management
Security architecture
Account provisioning
Privileged user management
Access certification
Access management and governance
Risk analytics
Security operations
Security direction and strategy

Security budget and finance management
Policy and standards management
Exception management
Talent strategy
Secure build and testing

Secure coding guidelines
Application role design/access
Security design/architecture
Security/risk requirements
Information gathering and analysis around:

User, account, entity
Events/incidents
Fraud and anti-money laundering
Operational loss
Security training
Security awareness
Third-party responsibilities
* The Deloitte cybersecurity framework is aligned with industry standards and maps to NIST, ISO, COSO, and ITIL.
SOX (financially relevant systems only

Penetration and vulnerability testing
BCP/DRP Testing
21
Cyber risk
Assessment approach
Deliverables
Key activities
Phase
An internal audit assessment of cybersecurity should cover all domains and

relevant capabilities, and involve subject matter specialists when appropriate
Phase I: Planning and
scoping
Phase II: Understand

current state
Phase III: Risk

assessment
Phase IV: Gap

assessment and
recommendations
Activities:
Identify specific internal and
external stakeholders: IT,
Compliance, Legal, Risk, etc.
Understand organization mission
and objectives
Identify industry requirements and
regulatory landscape
Perform industry and sector risk
profiling (i.e., review industry
reports, news, trends,
risk vectors)
Identify in-scope systems
and assets
Identify vendors and third-party
involvement
Activities:
Conduct interviews and workshops
to understand the current profile
Perform walkthroughs of in-scope
systems and processes to
understand existing controls
Understand the use of third-parties,
including reviews of applicable
reports
Review relevant policies and
procedures, including security
environment, strategic plans, and
governance for both internal and
external stakeholders
Review self assessments
Review prior audits
Activities:
Document list of potential risks
across all in-scope capabilities
Collaborate with subject matter
specialists and management to
stratify emerging risks, and
document potential impact
Evaluate likelihood and impact of
risks
Prioritize risks based upon
organizations objectives,
capabilities, and risk appetite
Review and validate the risk
assessment results with
management and identify criticality
Activities:
Document capability assessment
results and develop assessment
scorecard
Review assessment results with
specific stakeholders
Identify gaps and evaluate
potential severity
Map to maturity analysis
Document recommendations
Develop multiyear cybersecurity/IT
audit plan
Deliverable:
Assessment objectives and scope
Capability assessment scorecard
framework
Deliverable:
Understanding of environment and
current state
Deliverable:
Prioritized risk ranking
Capability assessment findings
Deliverables:
Maturity analysis
Assessment scorecard
Remediation recommendations
Cybersecurity audit plan
22
Cyber risk Assessment maturity analysis

Maintaining and enhancing security capabilities can help mitigate cyber threats
and help the organization to arrive at its desired level of maturity
Stage 1: Initial
Recognized the issue

Ad-hoc/case by case
Partially achieved goals
No training, communication, or
standardization
Stage 2: Managed
Stage 3: Defined
Process is managed
Responsibility defined
Defined procedures with
deviations
Process reviews
Defined process
Communicated procedures
Performance data collected
Integrated with other
processes
Compliance oversight
Stage 4: Predictable
Defined quantitative performance

thresholds and control limits
Constant improvement
Automation and tools implemented
Managed to business objectives
Stage 5: Optimized
Continuously improved
Improvement objectives
defined
Integrated with IT
Automated workflow
Improvements from new
technology
Maturity analysis
Initial
Cybersecurity domain
Managed
Defined
Predictable
Optimized
Cybersecurity risk and compliance mgmt.
Secure
Current state CMMI maturity*
Resilient
Vigilant

Risk analytics
Security operations
*The industry recognized

Capability Maturity Model
Integration (CMMI) can be
used as the model for the
assessment. Each domain
consists of specific
capabilities which are
assessed and averaged to
calculate an overall domain
maturity.
23
Cyber risk Assessment scorecard

A scorecard can support the overall maturity assessment, with detailed cyber
risks for people, process, and technology. Findings should be documented and
recommendations identified for all gaps
Assessment scorecard
Capability assessment findings and

recommendations
People Process Technology
Cybersecurity domain
Threat and vulnerability managementPenetration testing
Cybersecurity risk and compliance mgmt.

Area
Secure
Process
The organization should

expand its penetration
testing capability to include
more advance testing,
2.6.5
2.6.5
more advanced social
engineering, and develop
greater control over the
frequency of testing
Vigilant
Ref.
The organization has

limited capability to
conduct penetration
testing in a staged
environment or against
new and emerging
threats
Recommendations
People
Ref.
The organization may find

it of more value and cost
benefit to utilize current
resources to conduct
internal penetration testing
2.6.4
2.6.4
on a routine and dedicated
basis since they do have
individuals with the
necessary skills to perform
this duty.
Findings
The organization has
some resources within
the ISOC that can
conduct penetration
testing, but not on a
routine basis due to
operational constraints
and multiple roles that
those resources are
fulfilling

Risk analytics
The organization lacks

standard tools to perform
Either through agreement
its own ad-hoc and onwith a third-party vendor,
the-spot penetration
or through technology
Technology
tests to confirm or
2.6.6
acquisition, develop the
support potential
technology capability to
vulnerability assessment
perform out of cycle
alerts and/or incident
penetration testing.
investigation findings.
Resilient

Security operations
1: Initial
2:
Managed
3:
Defined
4:
Predictable
2.6.6
5:
Optimized
24
Cyber risk
Representative internal audit plan
A cybersecurity assessment can drive a risk-based IT internal audit plan. Audit
frequency should correspond to the level of risk identified, and applicable
regulatory requirements/expectations.
Internal Audit
FY 2015
FY 2016
FY 2017
Notes (representative)
SOX IT General
Computer Controls
Annual requirement but only covers

financially significant systems and
applications
External Penetration and

Vulnerability Testing
Cover a portion of IP addresses each year
Internal Vulnerability Testing

Business Continuity
Plan/Disaster Recovery Plan
X
X
Data Protection and

Information Security
X
X
Third-party Management
Risk Analytics
Crisis Management
Social Media
Data Loss Protection (DLP)

Lower risk due to physical access controls
Coordinate with annual 1st and 2nd line of

defense testing
Lower risk due to
Lower risk due to
Annual testing to cycle through risk areas,

and continuous monitoring
Cyber war gaming scenario planned

Social media policy and awareness program
X
Shared drive scan for SSN/Credit Card #

25
Closing thoughts
26
Key considerations
1.
2.
3.
4.
5.
6.
7.
8.
9.
Know your crown jewels not just what you want to protect,
but what you need to protect
Know your friends contractors, vendors and suppliers can be security allies or liabilities
Understand the threat landscape and assess incremental threat scenarios that expose your
organization to risk
Assess controls and Identify gaps in policies, standards, processes, metrics and reporting, etc.
Maintain cyber security as an organizational priority and standing agenda item in audit
committee updates
Apprise the Audit Committee of key risks, enterprise level risk trends related to cyber security
Make awareness a priority within every internal department
and among external partners
Fortify and monitor situational awareness, diligently gather intelligence, build, maintain and
proactively monitor
Prepare for the inevitable Test your incident management process
27
For more information

If you would like more information on cyber security or how Deloitte can help your organization, please
contact one of the following professionals:
Nick Galletto
Americas Cyber Risk Leader
Deloitte
416-601-6734
ngalletto@deloitte.ca
Michael Juergens
Managing Principal | IT Internal
Audit
Deloitte
213-688-5338
michaelj@deloitte.com |
28
Cyber risk
Deloitte IT internal audit
Leading cybersecurity risk management services Specifically suited to collaborate with you
The right resources at the right time
Number 1 provider of cyber risk management solutions
Deloitte has provided IT audit services for the past 30 years and IT audit
training to the profession for more than 15 years. Our professionals
bring uncommon insights and a differentiated approach to IT auditing,
and we are committed to remaining an industry leader.
The only organization with the breadth, depth, and insight to help
complex organizations become secure, vigilant, and resilient
1000+ cyber risk management projects in the U.S. alone in 2014

executed cross industry
We have distinct advantages through:
11,000 risk management and security professionals globally across

the Deloitte Touche Tohmatsu Limited network of member firms
Access to a global team of IA professionals, including IT subject

matter specialists in a variety of technologies and risk areas
A differentiated IT IA approach that has been honed over the years in

some of the most demanding environments in the world, with tools
and methodologies that help accelerate IT audit
Assisted National Institute of Standards and Technology in

developing their cybersecurity framework in response to the 2013
Executive Order for Improving Critical Infrastructure Cybersecurity
Third-party observer of the Quantum Dawn 2 Cyber Attack

Simulation, conducted by the Securities Industry and Financial
Markets Association in July 2013
Working with government agencies on advanced threat solutions
Access to leading practices and the latest IT thought leadership on

audit trends and issues
Contributing to the betterment of cyber risk management

practices
A responsive team of cyber risk specialists with wide-ranging

capabilities virtually anywhere in the world, prepared to advise as
circumstances arise or as business needs change
Named as a Kennedy Vanguard Leader in cyber security consulting: [Deloitte] continually develops, tests, and launches methodologies that
reflect a deep understanding of clients cyber security and help the firm set the bar.
Source: Kennedy Consulting Research & Advisory; Cyber Security Consulting 2013; Kennedy Consulting Research & Advisory estimates 2013
Kennedy Information, LLC. Rreproduced under license.
Deloittes ability to execute rated the highest of all the participants

Forrester Research, Forrester WaveTM: Information Security Consulting Services Q1 2013, Ed Ferrara and Andrew Rose, February 1, 2013
29
www.deloitte.ca
Deloitte, one of Canada's leading professional services firms, provides audit, tax, consulting, and financial advisory services. Deloitte LLP, an
Ontario limited liability partnership, is the Canadian member firm of Deloitte Touche Tohmatsu Limited.
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member
firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal
structure of Deloitte Touche Tohmatsu Limited and its member firms.

MONDAY CS 1 7 Nick Galletto Michael Juergens

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

MONDAY CS 1 7 Nick Galletto Michael Juergens

Uploaded by

Copyright:

Available Formats

Cyber-Security: Proactively

managing the cyber threat

Understanding the cyber threat landscape

The evolving threat landscape

On a scale of 1 to 10American preparedness for a large-scale cyber attack is around a 33

Technology innovations that drive

Regulatory changes continue

Cyber threats are asymmetrical risks. Cyber crime

Deloitte LLP and affiliated entities.

Cybersecurity Proactively managing the cyber threat landscape

Registrants should address cybersecurity risks and cyber incidents in their

Cybersecurity Proactively managing the cyber threat landscape

Cyber risk (contd)

1st Line of defense

2nd Line of defense

Incorporate risk-informed decision making into day-to-day operations

Establish governance and oversight

Independently review program effectiveness

Cybersecurity Proactively managing the cyber threat landscape

What are we seeing?

Attack vector shifting from technology to people.

Advanced Threat Adversaries' Calling Card defy traditional signature-based approaches.

Deloitte LLP and affiliated entities.

Cybersecurity Proactively managing the cyber threat landscape

Deloitte LLP and affiliated entities.

Cybersecurity Proactively managing the cyber threat landscape

It starts by understanding your

Who might attack?

Hactivists (agenda driven)

Spear phishing, drive by

Third party compromise

Threats to health & safety

Skilled individual hacker

Ultimately cyber is about brand and reputation

Cybersecurity Proactively managing the cyber threat landscape

Did they see & take?

Did they do it?

What is the actual threat?

Deloitte LLP and affiliated entities.

Cybersecurity Proactively managing the cyber threat landscape

New technologies, new threats

Cybersecurity Proactively managing the cyber threat landscape

Speed of attack is accelerating

Initial attack to initial

Time is of the essence

Cybersecurity Proactively managing the cyber threat landscape

JP reports to USSEC, reveals

JP says it isn't seeing

Cybersecurity Proactively managing the cyber threat landscape

Deloitte LLP and affiliated entities.

Cybersecurity Proactively managing the cyber threat landscape

Build a resilient cyber security

Are controls in place to guard

Can we detect malicious or

Can we act and recover quickly

Cyber threat intelligence

Deloitte LLP and affiliated entities.

Cyber threat mitigation

Cybersecurity Proactively managing the cyber threat landscape

Cyber incident response

Changes in threat landscape versus

Cat B Behavioral analysis and

Cat C Cyber analytics

Signature based (e.g., correlation)