
TIPS FOR AUDITING

CYBERSECURITY
Dr. Vilius Benetis, ISACA Lithuania Chapter, NRD CS

18 October 2016

© 2016 ISACA. All Rights Reserved


TODAY’S SPEAKER

Dr. Vilius Benetis


Cybersecurity Practice Leader
Norway Registers Development
(NRD Cybersecurity)
ISACA Lithuania Chapter



AGENDA

Tip #0: enable strong (two-factor) authentication on your personal accounts:
Google, Facebook, Evernote, Office 365, Dropbox, ...
Read more: https://twofactorauth.org/

Tip #1 on Clarification on Cybersecurity Domain

Tip #2 on Auditing Process and Cybersecurity

Tip #3 on CIS Critical Security Controls

Tip #4 on Auditing Cybersecurity Skills



#1 ON CLARIFICATION ON
CYBERSECURITY DOMAIN



GOOGLE IT:
CYBERSECURITY
DEFINITION
Where do we start?
Let’s ground the terms



ISO 27032:
[figure slides]

ISO 27032 (&…):
SECURITY CONCEPTS AND TECHNIQUES


#1 ON CLARIFICATION ON CYBERSECURITY DOMAIN

1. Are you sure you want to limit the scope to Cybersecurity?
   And not to (e-)Information Security as a whole?

2. Adjust the terms to fit your organisation


#2 ON AUDITING PROCESS AND
CYBERSECURITY



[Figure from the ISACA publication Information Systems Auditing: Tools and Techniques—Creating Audit Programs. Example audit area: "Automation of business functions"; example audit objective: "Assess org./IS resilience to cyber threats".]

#3 ON CIS CRITICAL SECURITY
CONTROLS



CIS CRITICAL SECURITY CONTROLS (V6.1)
(number in parentheses: the control's position in the previous version, v5)

1: Inventory of Authorized and Unauthorized Devices
2: Inventory of Authorized and Unauthorized Software
3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
4: Continuous Vulnerability Assessment and Remediation
5: Controlled Use of Administrative Privileges (12)
6: Maintenance, Monitoring, and Analysis of Audit Logs (14)
7: Email and Web Browser Protections (new)
8: Malware Defenses (5)
9: Limitation and Control of Network Ports, Protocols, and Services (11)
10: Data Recovery Capability (8)
11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches (10)
12: Boundary Defense (13)
13: Data Protection (17)
14: Controlled Access Based on the Need to Know (15)
15: Wireless Access Control (7)
16: Account Monitoring and Control (16)
17: Security Skills Assessment and Appropriate Training to Fill Gaps (9)
18: Application Software Security (6)
19: Incident Response and Management (18)
20: Penetration Tests and Red Team Exercises (20)

THE FIVE CRITICAL TENETS OF CYBER DEFENSE:

1. Offense informs defense
2. Prioritization
3. Metrics
4. Continuous diagnostics and mitigation
5. Automation

CSC 1:
INVENTORY OF AUTHORIZED AND UNAUTHORIZED DEVICES

Actively manage (inventory, track, and correct) all hardware devices on the network so that:
• only authorized devices are given access, and
• unauthorized and unmanaged devices are found and prevented from gaining access.

CSC 1:
INVENTORY OF AUTHORIZED AND UNAUTHORIZED DEVICES

1.1 Deploy an automated asset inventory discovery tool and use it to build a
preliminary inventory of systems connected to an organization’s public and
private network(s). Both active tools that scan through IPv4 or IPv6 network
address ranges and passive tools that identify hosts based on analyzing their
traffic should be employed.
1.2 If the organization is dynamically assigning addresses using DHCP, then
deploy dynamic host configuration protocol (DHCP) server logging, and use
this information to improve the asset inventory and help detect unknown
systems.
1.3 Ensure that all equipment acquisitions automatically update the inventory
system as new, approved devices are connected to the network.

CSC 1:
INVENTORY OF AUTHORIZED AND UNAUTHORIZED DEVICES

1.4 Maintain an asset inventory of all systems connected to the network and the network devices
themselves, recording at least the network addresses, machine name(s), purpose of each
system, an asset owner responsible for each device, and the department associated with
each device. The inventory should include every system that has an Internet protocol (IP)
address on the network, including but not limited to desktops, laptops, servers, network
equipment (routers, switches, firewalls, etc.), printers, storage area networks, Voice Over-IP
telephones, multi-homed addresses, virtual addresses, etc. The asset inventory created must
also include data on whether the device is a portable and/or personal device. Devices such as
mobile phones, tablets, laptops, and other portable electronic devices that store or process
data must be identified, regardless of whether they are attached to the organization’s
network.
1.5 Deploy network level authentication via 802.1x to limit and control which devices can be
connected to the network. The 802.1x must be tied into the inventory data to determine
authorized versus unauthorized systems.

CSC 1:
INVENTORY OF AUTHORIZED AND UNAUTHORIZED DEVICES
Metrics (by business unit) with risk thresholds:

1.1 How many unauthorized devices are presently on the organization's network?
    Lower risk: less than 1% | Moderate risk: 1%-4% | Higher risk: 5%-10%

1.2 How long, on average, does it take to remove unauthorized devices from the organization's network?
    Lower risk: 60 minutes | Moderate risk: 1,440 minutes (1 day) | Higher risk: 10,080 minutes (1 week)

1.3 What is the percentage of systems on the organization's network that are not utilizing Network Level Authentication (NLA) to authenticate to the organization's network?
    Lower risk: less than 1% | Moderate risk: 1%-4% | Higher risk: 5%-10%

1.5 How long does it take to detect new devices added to the organization's network (time in minutes)?
    Lower risk: 60 minutes | Moderate risk: 1,440 minutes (1 day) | Higher risk: 10,080 minutes (1 week)

1.6 How long does it take to isolate/remove unauthorized devices from the organization's network (time in minutes)?
    Lower risk: 60 minutes | Moderate risk: 1,440 minutes (1 day) | Higher risk: 10,080 minutes (1 week)

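The sub-controls above say what to collect (an inventory with owner and purpose, active scan results, DHCP server logs) and the metrics say what to measure; the auditor's test is whether the organisation can actually reconcile the two. The script below is an added example, not from the deck or from CIS: it reconciles a constructed authorized inventory against constructed scanner output and constructed ISC dhcpd-style DHCPACK syslog lines, lists devices that are seen but not authorized, and rates the share of unauthorized devices against the deck's metric 1.1 thresholds. The DHCPACK line format is the one ISC dhcpd logs ("DHCPACK on <ip> to <mac> (<hostname>) via <iface>"); the inventory fields follow sub-control 1.4. Treating the unstated band between 4% and 5% as "moderate" is an assumption made here.

```python
"""Reconcile discovered hosts against the authorized device inventory (CIS CSC 1).

Added example for this deck; not CIS or ISACA code. All input data is constructed.
"""
from __future__ import annotations

import re

# Constructed authorized inventory, keyed by MAC (fields per sub-control 1.4).
AUTHORIZED = {
    "00:11:22:33:44:01": {"name": "fs01", "purpose": "file server", "owner": "ops", "dept": "IT"},
    "00:11:22:33:44:02": {"name": "ws-anna", "purpose": "workstation", "owner": "anna", "dept": "Finance"},
    "00:11:22:33:44:03": {"name": "prn-2f", "purpose": "printer", "owner": "facilities", "dept": "Facilities"},
}

# Constructed result of an active scan (sub-control 1.1): (ip, mac) pairs.
SCAN_RESULTS = [
    ("10.0.1.10", "00:11:22:33:44:01"),
    ("10.0.1.21", "00:11:22:33:44:02"),
    ("10.0.1.77", "DE:AD:BE:EF:00:01"),   # not in the inventory
]

# Constructed DHCP server log (sub-control 1.2), in ISC dhcpd's DHCPACK syslog format.
DHCP_LOG = """\
Oct 18 09:01:02 dhcp1 dhcpd[812]: DHCPACK on 10.0.1.21 to 00:11:22:33:44:02 (ws-anna) via eth0
Oct 18 09:03:17 dhcp1 dhcpd[812]: DHCPACK on 10.0.1.88 to 5c:aa:bb:cc:dd:ee (android-9f2) via eth0
Oct 18 09:04:00 dhcp1 dhcpd[812]: DHCPREQUEST for 10.0.1.30 from 00:11:22:33:44:03 via eth0
Oct 18 09:05:40 dhcp1 dhcpd[812]: DHCPACK on 10.0.1.30 to 00:11:22:33:44:03 via eth0
"""

# Only DHCPACK lines prove a lease was handed out; the hostname is optional in dhcpd's output.
DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))?",
    re.IGNORECASE,
)


def parse_dhcp_leases(log: str) -> list[tuple[str, str, str | None]]:
    """Extract (ip, mac, hostname-or-None) from DHCPACK lines; other lines are ignored."""
    leases = []
    for line in log.splitlines():
        m = DHCPACK_RE.search(line)
        if m:
            leases.append((m["ip"], m["mac"].lower(), m["host"]))
    return leases


def reconcile(authorized: dict, scan: list, leases: list) -> tuple[dict, dict]:
    """Merge scan and DHCP evidence per MAC; return (all seen devices, unauthorized subset)."""
    seen: dict[str, dict] = {}
    for ip, mac in scan:
        d = seen.setdefault(mac.lower(), {"ips": set(), "sources": set(), "hostname": None})
        d["ips"].add(ip)
        d["sources"].add("scan")
    for ip, mac, host in leases:
        d = seen.setdefault(mac, {"ips": set(), "sources": set(), "hostname": None})
        d["ips"].add(ip)
        d["sources"].add("dhcp")
        if host:
            d["hostname"] = host
    unauthorized = {mac: d for mac, d in seen.items() if mac not in authorized}
    return seen, unauthorized


def metric_1_1(seen: dict, unauthorized: dict) -> float:
    """Percentage of devices on the network that are not in the authorized inventory."""
    return 100.0 * len(unauthorized) / len(seen) if seen else 0.0


def risk_band(pct_unauthorized: float) -> str:
    """Map the metric onto the deck's thresholds: <1% lower, 1-4% moderate, 5-10% higher."""
    if pct_unauthorized < 1.0:
        return "lower"
    if pct_unauthorized < 5.0:      # assumption: 4%-5% counted as moderate
        return "moderate"
    if pct_unauthorized <= 10.0:
        return "higher"
    return "above higher-risk threshold"


if __name__ == "__main__":
    seen, unauthorized = reconcile(AUTHORIZED, SCAN_RESULTS, parse_dhcp_leases(DHCP_LOG))
    for mac, d in unauthorized.items():
        print(f"UNAUTHORIZED {mac} ips={sorted(d['ips'])} host={d['hostname']} via={sorted(d['sources'])}")
    pct = metric_1_1(seen, unauthorized)
    print(f"metric 1.1: {pct:.1f}% unauthorized -> {risk_band(pct)} risk")
```

An auditor would run the same reconciliation in the other direction as well: inventory entries that never appear in scan or DHCP evidence are either retired devices still listed or hosts the discovery tooling cannot see, and both weaken the inventory as a control.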
Relationship to COBIT processes

#4 ON AUDITING
CYBERSECURITY SKILLS



Should we include a skills audit?

1) Risk: lack of skilled people
2) Skills required to assess

Methodologies: NICE, CSC, e-CF, SFIA

[Figure, as on the earlier audit-process slide: example audit area "Automation of business functions"; example audit objective "Assess org/IS resilience to cyber threats".]



CYBERSECURITY/ICT SKILLS MODELS

1. NIST NICE - United States

2. e-CF - European Union / Dutch

3. SFIA6 – UK

ADDITIONAL REASONS FOR SKILLS AUDIT

HR:
• Preparing a re-organization: which skillsets do we need to plan for?
• Which skillset should we hire?

CISO office:
• Information security should be handled better. Which skills are missing?

Career planning:
• What should I focus on for my cybersecurity career?

HOW TO RUN SKILLS AUDIT?

Simplest:
• Ask: what skills are missing to reach the goals?

Medium:
• Inventory/assess existing skills via questionnaires (list competences,
ask to self-assess)

Sophisticated:
• Run serious tests to assess

OUTPUT OF SKILLS AUDIT

Simplest:
• List of skills/competences and who covers them
• Items without people – missing competences

Medium:
• Skills/competences with required levels, and fulfilled
levels
• Gap is visible

Sophisticated:
• Detailed report by professional skills assessors

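The "medium" audit above turns into a gap matrix once the questionnaire answers are collected: each competence has a required level, each person reports an attained level, and the gap is what the team's best level falls short of. The script below is an added example, not from the deck; the competence names, the 0-4 level scale and the three respondents are constructed, and the names are only loosely modelled on NIST NICE work-role areas. Besides the two outputs the slide lists (uncovered competences, per-competence gaps) it also flags competences that only one person covers at the required level, which is the finding a CISO office most often needs from such an audit.

```python
"""Skills gap matrix from self-assessment questionnaires (the "medium" skills audit).

Added example for this deck; not from the speaker or any skills framework.
Competences, levels and respondents are constructed; the 0-4 level scale is an assumption.
"""
from __future__ import annotations

# Competence -> minimum level the team must reach (assumed requirements).
REQUIRED = {
    "Incident Response": 3,
    "Vulnerability Assessment": 3,
    "Secure Software Development": 2,
    "Digital Forensics": 2,
    "Threat Intelligence": 2,
}

# Person -> competence -> self-assessed level (constructed questionnaire answers).
SELF_ASSESSMENT = {
    "ana": {"Incident Response": 3, "Vulnerability Assessment": 2},
    "ben": {"Vulnerability Assessment": 3, "Secure Software Development": 1},
    "cat": {"Incident Response": 2, "Digital Forensics": 1},
}


def coverage(required: dict[str, int], answers: dict[str, dict[str, int]]) -> dict[str, set[str]]:
    """Simplest output: who reports each competence at any level; an empty set means nobody covers it."""
    return {c: {p for p, skills in answers.items() if skills.get(c, 0) > 0} for c in required}


def uncovered(required: dict[str, int], answers: dict[str, dict[str, int]]) -> set[str]:
    """Competences with no person at all."""
    return {c for c, people in coverage(required, answers).items() if not people}


def gaps(required: dict[str, int], answers: dict[str, dict[str, int]]) -> dict[str, tuple[int, int, int]]:
    """Medium output: competence -> (required level, best level on the team, gap); gap 0 means fulfilled."""
    out = {}
    for c, need in required.items():
        best = max((skills.get(c, 0) for skills in answers.values()), default=0)
        out[c] = (need, best, max(need - best, 0))
    return out


def single_points_of_failure(required: dict[str, int], answers: dict[str, dict[str, int]]) -> set[str]:
    """Competences fulfilled by exactly one person: covered today, lost with one resignation."""
    return {
        c for c, need in required.items()
        if sum(1 for skills in answers.values() if skills.get(c, 0) >= need) == 1
    }


if __name__ == "__main__":
    for c, (need, best, gap) in gaps(REQUIRED, SELF_ASSESSMENT).items():
        status = "OK" if gap == 0 else f"GAP {gap}"
        print(f"{c:28s} required={need} best={best} {status}")
    print("uncovered:", sorted(uncovered(REQUIRED, SELF_ASSESSMENT)))
    print("single points of failure:", sorted(single_points_of_failure(REQUIRED, SELF_ASSESSMENT)))
```

Self-assessed levels are the weakest input in this chain; the "sophisticated" variant on the slide replaces the `SELF_ASSESSMENT` values with assessor-measured ones, and the same gap computation applies.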
SUMMARY

Tip #1 on Clarification on Cybersecurity Domain

Tip #2 on Auditing Process and Cybersecurity

Tip #3 on CIS Critical Security Controls

Tip #4 on Auditing Cybersecurity Skills

& Tip #0: enable strong authentication on your personal accounts



RELEVANT RESOURCES:

1. SFIA: https://www.sfia-online.org

2. NIST NICE: http://csrc.nist.gov/nice/

3. CIS CSC: https://www.cisecurity.org/critical-controls/

4. ISO 27032: http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=44375

5. ISACA, Information Systems Auditing: Tools and Techniques—Creating Audit Programs: http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Information-Systems-Auditing-Tools-and-Techniques-Creating-Audit-Programs.aspx



Questions?



THIS TRAINING CONTENT (“CONTENT”) IS PROVIDED TO YOU WITHOUT WARRANTY, “AS IS” AND “WITH ALL
FAULTS.” ISACA MAKES NO REPRESENTATIONS OR WARRANTIES EXPRESS OR IMPLIED, INCLUDING
THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR PERFORMANCE, AND NON-
INFRINGEMENT, ALL OF WHICH ARE HEREBY EXPRESSLY DISCLAIMED.
YOU ASSUME THE ENTIRE RISK FOR USE OF THE CONTENT AND ACKNOWLEDGE THAT: ISACA HAS
DESIGNED THE CONTENT PRIMARILY AS AN EDUCATIONAL RESOURCE FOR IT PROFESSIONALS AND
THEREFORE THE CONTENT SHOULD NOT BE DEEMED EITHER TO SET FORTH ALL APPROPRIATE
PROCEDURES, TESTS, OR CONTROLS OR TO SUGGEST THAT OTHER PROCEDURES, TESTS, OR
CONTROLS THAT ARE NOT INCLUDED MAY NOT BE APPROPRIATE; ISACA DOES NOT CLAIM THAT USE OF
THE CONTENT WILL ASSURE A SUCCESSFUL OUTCOME AND YOU ARE RESPONSIBLE FOR APPLYING
PROFESSIONAL JUDGMENT TO THE SPECIFIC CIRCUMSTANCES PRESENTED TO DETERMINE THE
APPROPRIATE PROCEDURES, TESTS, OR CONTROLS.

Copyright © 2016 by the Information Systems Audit and Control Association, Inc. (ISACA). All rights reserved. This
webinar may not be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system, or
transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise).


THANK YOU
FOR ATTENDING THIS
WEBINAR
