Agenda
Understanding the cyber threat landscape

Last year, over 800 million records were breached globally, up from 250 million in 2012 (The Economist, July 2014)
Target missed signs of a data breach (40 million credit card numbers compromised) [2] (NY Times, March 13, 2014)
Headline figures shown: $55 million (Lilly trade-secrets indictment [1]), 800 million (records breached), 40 million (Target card numbers)

Why?
- Changing regulatory environment
- Corporate change & innovation
- Evolving threat environment

Sources:
[1] http://www.ibj.com/lilly-employees-stole-55-million-in-trade-secrets-indictment-alleges/PARAMS/article/43949
[2] http://www.nytimes.com/2014/03/14/business/target-missed-signs-of-a-data-breach.html?_r=0
[3] http://www.nytimes.com/2012/07/27/us/cyberattacks-are-up-national-security-chief-says.html?_r=0
Cyber risk: high on the agenda
Audit committees and board members are seeing cybersecurity as a top risk, underscored by recent headlines and increased government and regulatory focus:
- Recent U.S. Securities and Exchange Commission (SEC) guidance regarding disclosure obligations relating to cybersecurity risks and incidents.
- Ever-growing concerns about cyber-attacks affecting the nation's critical infrastructure prompted the signing of Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity.
- The Executive Order highlights the focus on an improved cybersecurity framework and the rapid changes in regulatory agency expectations and oversight.
- One of the foundational drivers behind the update and release of the 2013 COSO Framework was the need to address how organizations use and rely on evolving technology for internal control purposes.
Deloitte LLP and affiliated entities.
3rd line of defense: internal audit
Given recent high-profile cyber attacks and data losses, and the SEC's and other regulators' expectations, it is critical for Internal Audit to understand cyber risks and be prepared to address the questions and concerns expressed by the audit committee and the board.
Attack patterns are increasingly starting to look like normal behavior. Threats are increasingly hiding in plain sight. Some of the threats are adaptive and have the ability to go into dormant mode, making them difficult to detect.
Criminals, state actors and even hacktivists are building better intelligence and capability, and have a wider network of resources than organizations (i.e., a widening capability gap).
Supply chain and business partner poisoning, or lateral entry through them, are on the rise.
Incident patterns
Share of incidents that can be described by just nine basic patterns (figure shown in the slide graphic):
- Card skimmers
- Cyber-espionage
- Physical theft/loss
- Point-of-sale intrusions
- Miscellaneous errors
- Web application attacks
- Insider misuse
- Crimeware
- Denial of service attacks
- Everything else
Share of incidents in an industry that can be described by just three of the nine patterns (figure shown in the slide graphic).
What tactics might they use?
Who: cyber criminals, nation states, malicious insiders, rogue suppliers, competitors
What they go after: sensitive data, financial fraud (e.g., wire transfer, payments), business disruption (building systems, etc.), stolen credentials, control systems compromise

Cyber crime, cyber espionage, cyber warfare, cyber terrorism, cyber security: the questions
- Who did it?
- What?
- When do we fight back?
- Why?
- How do we prevent it (again)?
How: the attack lifecycle
1. Reconnaissance: gain intelligence and identify vulnerabilities. Research the internet, call call-centers, trawl social media etc.
2. Attack: target identified vulnerabilities. Targeted email attacks, unsuspecting downloads from malicious or compromised websites, exploiting application or infrastructure software vulnerabilities etc.
3. Exploit: gain broad, deep access. Escalate privileges, gain increased access, observe/control network or servers, increase sophistication of attacks, hide tracks, etc.
4. Fulfill objective: steal/damage/disrupt. Encrypt then exfiltrate the data being stolen, stay hidden for long periods of time, erase digital footprint.
Diagram labels: Your business (the target); strategic assets, financial assets, data & intelligence; Vulnerability; Target.
Breach timeline figures (percentages shown on the slide: 46%, 59%, 72%):
- Data leaks occur within minutes (nearly half)
- Discovery takes weeks or longer
- Containment (post-discovery) requires weeks or longer
Case study: JP Morgan Chase & Co.
Timeline dates shown (attacker and victim timelines): Mid-June, Mid-August, Aug 27, Aug 28, Sept 11, Oct 2, Jan 08
Attacker timeline:
- Attackers gain access to JP servers and steal personal information
Victim timeline:
- News agencies report that the FBI is investigating the bank
- JP learns of the attack and closes all network access paths
- JP maintains the statement that it isn't seeing any unusual fraud activity
- State attorneys seek information from JP about the breach
* http://www.nytimes.com/2014/08/06/business/target-puts-data-breach-costs-at-148-million.html?_r=0
Building a resilient cyber risk capability
Vigilant; Resilient; Cyber governance
Conventional warfare vs. cyber warfare
- Conventional (conventional warfare, symmetric vectors) | Infrastructure threats (retail threats, open toolkits, general botnet, distributed denial of service)
- Guerrilla (hide among civilians, i.e., hide in plain sight) | Targeted attacks (hide within business traffic)
- Espionage (seek, analyze and exfiltrate) | Cyber-espionage (seek, analyze and exfiltrate)
Response labels on the slide: System 1 learning, System 2 learning; effectiveness scale: effective, marginally effective, ineffective.
Operating model: benefits and challenges
Options: Insource, Outsource, Co-source
Cost considerations: Capex vs. Opex
An internal audit approach
Deloitte cybersecurity framework*: Secure, Vigilant, Resilient
Capabilities shown across the three pillars:
- Compliance monitoring
- Issue and corrective action planning
- Regulatory and exam management
- Risk and compliance assessment and mgmt.
- Integrated requirements and control framework
- Third-party management
- Change management
- Configuration management
- Network defense
- Security operations management
- Security architecture
- Account provisioning
- Privileged user management
- Access certification
- Access management and governance
- Risk analytics
- Security operations
- Security training
- Security awareness
- Third-party responsibilities
* The Deloitte cybersecurity framework is aligned with industry standards and maps to NIST, ISO, COSO, and ITIL.
As used in this document, Deloitte means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its
subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.
BCP/DRP Testing (additional capability shown in the framework view)
Cyber risk: assessment approach
Phase 1
Activities:
- Identify specific internal and external stakeholders: IT, Compliance, Legal, Risk, etc.
- Understand organization mission and objectives
- Identify industry requirements and regulatory landscape
- Perform industry and sector risk profiling (i.e., review industry reports, news, trends, risk vectors)
- Identify in-scope systems and assets
- Identify vendors and third-party involvement
Deliverables:
- Assessment objectives and scope
- Capability assessment scorecard framework
Phase 2
Activities:
- Conduct interviews and workshops to understand the current profile
- Perform walkthroughs of in-scope systems and processes to understand existing controls
- Understand the use of third parties, including reviews of applicable reports
- Review relevant policies and procedures, including security environment, strategic plans, and governance for both internal and external stakeholders
- Review self-assessments
- Review prior audits
Deliverable:
- Understanding of environment and current state
Phase 3
Activities:
- Document list of potential risks across all in-scope capabilities
- Collaborate with subject matter specialists and management to stratify emerging risks, and document potential impact
- Evaluate likelihood and impact of risks
- Prioritize risks based upon the organization's objectives, capabilities, and risk appetite
- Review and validate the risk assessment results with management and identify criticality
Deliverables:
- Prioritized risk ranking
- Capability assessment findings
Phase 4
Activities:
- Document capability assessment results and develop assessment scorecard
- Review assessment results with specific stakeholders
- Identify gaps and evaluate potential severity
- Map to maturity analysis
- Document recommendations
- Develop multiyear cybersecurity/IT audit plan
Deliverables:
- Maturity analysis
- Assessment scorecard
- Remediation recommendations
- Cybersecurity audit plan
Maturity stages
Stage 2: Managed and Stage 3: Defined, attributes shown:
- Process is managed
- Responsibility defined
- Defined procedures with deviations
- Process reviews
- Defined process
- Communicated procedures
- Performance data collected
- Integrated with other processes
- Compliance oversight
Stage 4: Predictable and Stage 5: Optimized, attributes shown:
- Continuously improved
- Improvement objectives defined
- Integrated with IT
- Automated workflow
- Improvements from new technology
Maturity analysis
Scorecard: each cybersecurity domain under the Secure, Vigilant and Resilient pillars is rated for current state CMMI maturity* on the scale Initial, 2: Managed, 3: Defined, 4: Predictable, 5: Optimized.
Domains shown under Secure: Third-party management, Secure development life cycle, Information and asset management, Security program and talent management
Findings and recommendations table (columns: Process, People, Ref., Findings, Recommendations), example row:
- Ref. 2.6.6, Finding: The organization has some resources within the ISOC that can conduct penetration testing, but not on a routine basis, due to operational constraints and the multiple roles that those resources are fulfilling.
Cyber risk: representative internal audit plan
A cybersecurity assessment can drive a risk-based IT internal audit plan. Audit frequency should correspond to the level of risk identified and applicable regulatory requirements/expectations.
Internal audit areas scheduled across FY 2015, FY 2016 and FY 2017 (an X marks each planned year; notes are representative):
- SOX IT General Computer Controls
- Third-party Management
- Risk Analytics
- Crisis Management
- Social Media
Cybersecurity: Proactively managing the cyber threat landscape
Closing thoughts
Key considerations
1. Know your crown jewels: not just what you want to protect, but what you need to protect
2. Know your friends: contractors, vendors and suppliers can be security allies or liabilities
3. Understand the threat landscape and assess incremental threat scenarios that expose your organization to risk
4. Assess controls and identify gaps in policies, standards, processes, metrics and reporting, etc.
5. Maintain cyber security as an organizational priority and standing agenda item in audit committee updates
6. Apprise the Audit Committee of key risks and enterprise-level risk trends related to cyber security
7. Make awareness a priority within every internal department and among external partners
8. Fortify and monitor situational awareness; diligently gather intelligence; build, maintain and proactively monitor
9. Prepare for the inevitable: test your incident management process
Michael Juergens
Managing Principal | IT Internal Audit
Deloitte
213-688-5338
michaelj@deloitte.com
Cyber risk: Deloitte IT internal audit
Leading cybersecurity risk management services, specifically suited to collaborate with you
The right resources at the right time
Deloitte has provided IT audit services for the past 30 years and IT audit training to the profession for more than 15 years. Our professionals bring uncommon insights and a differentiated approach to IT auditing, and we are committed to remaining an industry leader.
The only organization with the breadth, depth, and insight to help complex organizations become secure, vigilant, and resilient
Named as a Kennedy Vanguard Leader in cyber security consulting: "[Deloitte] continually develops, tests, and launches methodologies that reflect a deep understanding of clients' cyber security and help the firm set the bar."
Source: Kennedy Consulting Research & Advisory; Cyber Security Consulting 2013; Kennedy Consulting Research & Advisory estimates. 2013 Kennedy Information, LLC. Reproduced under license.
www.deloitte.ca
Deloitte, one of Canada's leading professional services firms, provides audit, tax, consulting, and financial advisory services. Deloitte LLP, an
Ontario limited liability partnership, is the Canadian member firm of Deloitte Touche Tohmatsu Limited.
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member
firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal
structure of Deloitte Touche Tohmatsu Limited and its member firms.