2016 ISACA NACACS - Audit As An Impact Player For Cybersecurity

Nathan Anderson, Director Internal Audit, Sears Holdings Lucas Morris, Senior Manager, Crowe Horwath

Transcript of 2016 ISACA NACACS - Audit As An Impact Player For Cybersecurity


#NACACS

WHO WE ARE

• Nate Anderson

– IT Audit Director, Sears Holdings Corporation

• Lucas Morris

– Senior Manager, Crowe Horwath LLP


AGENDA

“security is no longer a function of IT, it’s part of enterprise risk management”

1. the case for cybersecurity

2. three lines of defense model and security roles

3. rethinking the role of internal audit


THE CASE FOR CYBERSECURITY


HIGH-PROFILE 2014 BREACHES¹

[figure: logos of the 2014 breaches with record counts, including 40m and 56m records]

¹ dell security 2015 threat report (modified): http://bit.ly/1UhOmyF


HIGH-PROFILE 2015 BREACHES¹

[figure: logos of the 2015 breaches with record counts, including 80m and 37m records]

¹ dell security 2016 threat report: http://dell.to/1QeaJ4X


BREACHES BY THE NUMBERS

source of breach¹: malicious outsider 58%, accidental loss 24%, malicious insider 15%, hacktivist 2%, state sponsored 2%

breaches by industry¹: government 43%, healthcare 19%, other 17%, technology 12%, retail 6%, education 3%

¹ breach level index: http://breachlevelindex.com


BREACHES BY THE NUMBERS

• Average cost per record lost in 2015 is $217

IBM 2015 Cost of Breach Study: http://ibm.co/1rnnBN3


THREE LINES OF DEFENSE MODEL AND SECURITY ROLES


THREE LINES OF DEFENSE MODEL

1st line: own & manage risk and control (front line operating management).

2nd line: monitor risk and control in support of management (risk, control, compliance functions put in place by management).

3rd line: provide independent assurance to board & senior management concerning the effectiveness of management of risk and control.

coso: three lines of defense: http://bit.ly/1I4XrQT


THREE LINES – ROLES & RESPONSIBILITIES

1st line
• integrate risk management into daily ops
• mitigate risks
• escalate risks

2nd line
• set risk baselines, policies, & standards
• monitor & call for action
• oversight, checks & balances, consultation

3rd line
• review program effectiveness
• update senior management & leaders
• holistic risk view


THREE LINES EXAMPLE: EMPLOYEE DATA

[diagram: the three lines applied to employee data (human resources; information security / IT compliance; internal audit) and the elements shown: control requirements (COBIT / NIST), risk assessment, control gaps, global view, system & asset inventory, control set]


ROLE OF BOARD OF DIRECTORS & AUDIT COMMITTEE

40% of boards deal with computer & information security issues

48% have board-level risk committee for privacy & security

65% [of directors] want at least “some” additional time and focus on IT risks like cybersecurity¹

83% of the board or its committees are very or moderately engaged with overseeing/understanding the risk of cyberattacks.

65% of board or its committees are very or moderately engaged with overseeing/understanding the level of spend on cybersecurity.

Deloitte: http://bit.ly/1pnZCN5 PwC: http://pwc.to/1RMkXWK


RETHINKING THE ROLE OF INTERNAL AUDIT


SECURITY AS ENTERPRISE RISK MANAGEMENT

• identify your threat landscape: assets, threat actors, and threats¹

• assess defense and determine relevancy of attacks

• audit and test defenses and technical controls

• communicate and collaborate with other lines of defense and audit committee

¹ refer to appendix A. for recommended reading list.



IDENTIFY YOUR THREAT LANDSCAPE: ASSETS¹

what are your crown jewels?

¹ refer to appendix B. for security frameworks supporting an asset-driven approach.


IDENTIFY YOUR THREAT LANDSCAPE: ASSETS

where are your crown jewels?

“an organization cannot properly protect [assets] it does not know about.” - nist¹

[diagram of where assets live: points of entry, servers, databases, staging warehouse, third parties, cloud, unstructured reports]

¹ NIST Protecting PII: http://1.usa.gov/1DgxrRy


IDENTIFY YOUR THREAT LANDSCAPE: THREAT ACTORS

relevant external threat actors (relevance depends on your assets and industry): nation states, hacktivists, criminal organizations, terrorists, individuals (internal & external)

relevant internal & third party threat actors

attack origination¹: external 80%+, internal 17%, partner 3%

¹ verizon data breach investigations report: http://vz.to/1ILoZPv


THREAT ACTOR SOPHISTICATION

insider threats
• Employee, partners, contractors
• Typically highest likelihood of monetary impact
• Example: WikiLeaks

“script kiddies”
• Leverage widely available tools
• Look for targets of opportunity
• Example: Website defacement

targeted attacks
• Advanced attacks with specific targets
• Worms, Application Vulnerabilities
• Example: Conficker, Sasser

advanced persistent threats
• Highly knowledgeable, highly funded
• Looking for targets of value
• Example: Lulzsec, Stuxnet, Nation Sponsored


# OF BREACHES BY THREAT ACTOR MOTIVE¹

[chart: number of breaches by threat actor motive]

¹ verizon dbir 2016: http://vz.to/1Svr72f


IDENTIFY YOUR THREAT LANDSCAPE - THREATS

[diagram of threats: phishing, data leakage, credentials, trojan, backdoor, command & control, malware]


THREATS – USER CREDENTIALS

• at risk credentials

– weak, reused, default credentials

– easy method for attackers to gain and expand access

• how do they obtain them:

– guessing

– stealing them encrypted from memory or storage

– stealing them while in use (unencrypted)

– stealing the user’s session or token

• enable attacker to:

– gather significant amounts of low risk information

– access files

– search and scan for additional access, moving both laterally and vertically


THREATS – THIRD PARTIES

• it’s 10:30 am monday morning and IT gets a call…

“Hello, this is Tom from procurement. We have a vendor that will be here at 2:00 and they are requesting that we provide them an internal IP address for the installation.”

• recent breaches show compliance is not the goal

• right to audit clause

• more hands on testing

– vendors will hate this

– small organizations will struggle


THREATS – DATA LEAKAGE

[diagram of data leakage channels: internet, third parties, shares, email, printers, intranet applications, backups, media, database, local files]

THREATS – SOCIAL ENGINEERING

From: “Client Content Filter System” <[email protected]>

Subject: Potential Acceptable Use Violation

Michael,

Our web traffic monitoring service has reported that your account has visited potentially malicious web sites, including sites that are restricted per ABC’s Acceptable Use Policy.

We do realize that this type of activity is often caused by viruses and other types of malware. The following link will direct you to the detailed report of the malicious web sites your system has visited as reported by the monitoring service; please review this list for accuracy.

https://www.FAKEBUTLOOKSREAL.org/ABC/[email protected]

The file has been encrypted for privacy and requires Microsoft Word macros to be enabled for viewing.

If you believe that any of the sites listed in the report have been reported erroneously or that all sites noted are false positives, please reply to this email and a manual review will be conducted by Information Security.

THREATS – PHISHING SCENARIO EXAMPLE

1. user receives phishing email; clicks attachment

2. malicious malware installed that enables backdoor

3. communication between user system & attacker

4. attacker scans network for targets, lateral movement


ASSESS DEFENSE

Initial Point of Entry: The Point of Entry represents how the attacker obtains initial access. Examples could include social engineering, unpatched Internet accessible systems, or weak passwords on externally accessible systems.

Fortify Access and Access Data: As the attacker pivots around the network, they continue to attempt to escalate their authority until they have the necessary access. They will typically fortify their access by installing malware or backdoors to maintain access. Persistent Administrator access is the end goal.

Pivot Point: The initial access typically does not provide the information the attacker is looking for. They will leverage the access they do have to try to increase authority on the network. This could occur through shared passwords, unpatched systems, or excessive privileges.

Data Exfiltration: Once the attacker has data, they need to get it out of the network. This can be completed through a variety of vehicles, such as email or FTP. This has forced the approach to Information Security to mature from focusing only on prevention to also including detection and response.

ASSESS RELEVANCY – ATTACK SCENARIOS & PATTERNS¹

12 most common scenarios³: social engineering, financial pretexting, insider threat, usb infection, peripheral tampering, rogue connection, logic switch, sql injection, cms compromise, backdoor access, ram scraping, credential theft

over the previous three years, just 12 attack scenarios represent over 60% of our investigations.³

9 incident patterns²: pos intrusions, web application attacks, cyberespionage, crimeware, insider/privilege misuse, payment card skimmers, miscellaneous errors, physical theft & loss, denial of service

“while we saw many changes in the threat landscape the last 12 months, [9] patterns still covered the vast majority of incidents (96%).” ²

¹ refer to appendices C. through F. for additional threat pattern and scenario details.

² verizon dbir 2015: http://vz.to/1ILoZPv

³ verizon data breach digest 2016: http://vz.to/21zkult

ASSESS THREAT RELEVANCY – TOP PATTERNS

[chart: frequency of incident patterns across all security incidents¹]

[chart: frequency of incident patterns with confirmed data breaches¹]

¹ verizon dbir 2015: http://vz.to/1ILoZPv

# OF BREACHES PER THREAT ACTION TYPE

top 5

C2 (malware)

use of stolen creds

export data (malware)

use of backdoor or C2

phishing (social)

¹ verizon dbir 2016: http://vz.to/1Svr72f



AUDIT & TEST – IDENTIFICATION OF SENSITIVE ASSETS

focus on completeness of inventory during data security audits

create data flows

create system & asset inventory

hold management accountable for upkeep

“entity should confirm the accuracy of their PCI DSS scope by identifying all locations and flows of cardholder data, and identify all systems that are connected to or, if compromised, could impact the CDE.” – PCI DSS 3.1
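An added example of the completeness test this slide describes (not code from the presentation or its authors): reconcile the management-maintained inventory against independently observed network flows and apply the PCI DSS scoping rule quoted above, so that hosts connected to cardholder systems but missing from the inventory, or inventoried but not flagged in scope, surface as audit findings. All host names, owners and flows are constructed.

```python
"""PCI scope / inventory completeness check (added example).
Reconciles a management-maintained system & asset inventory against
independently observed network flows (for example a firewall or NetFlow
export) using the PCI DSS 3.1 scoping rule quoted on the slide: any system
connected to a system that handles cardholder data is in the CDE and must
appear in the inventory as in scope. All hosts and flows are constructed."""
from collections import deque

# Constructed inventory kept by the second line: hostname -> (owner, in_pci_scope)
INVENTORY = {
    "pos-01":    ("retail-it", True),
    "pos-02":    ("retail-it", True),
    "auth-gw":   ("payments", True),
    "card-db":   ("payments", True),
    "hr-portal": ("hr", False),
    "backup-01": ("infra", False),   # talks to card-db but is not flagged in scope
}

# Constructed observed flows (src, dst) from a network export.
OBSERVED_FLOWS = [
    ("pos-01", "auth-gw"),
    ("pos-02", "auth-gw"),
    ("auth-gw", "card-db"),
    ("card-db", "backup-01"),
    ("backup-01", "tape-robot"),   # tape-robot is missing from the inventory
    ("hr-portal", "hr-db"),        # hr-db is also missing, but outside the CDE
]

def cde_reachability(seeds, flows):
    """Every host connected, directly or transitively, to the seed hosts.
    Flows are treated as undirected: 'connected to' in PCI scoping does not
    depend on which side opened the connection."""
    adj = {}
    for a, b in flows:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    seen, queue = set(seeds), deque(seeds)
    while queue:
        for n in adj.get(queue.popleft(), ()):
            if n not in seen:
                seen.add(n)
                queue.append(n)
    return seen

def scope_findings(inventory, flows):
    """Audit findings on the completeness of the inventory."""
    in_scope = {h for h, (_, flagged) in inventory.items() if flagged}
    connected = cde_reachability(in_scope, flows)
    observed = {h for flow in flows for h in flow}
    return {
        # seen on the wire, absent from the inventory (anywhere on the network)
        "unknown_hosts": sorted(observed - set(inventory)),
        # inventoried and connected to the CDE, but management says out of scope
        "connected_not_in_scope": sorted(h for h in connected
                                         if h in inventory and not inventory[h][1]),
        # connected to the CDE and not inventoried at all: the worst gap
        "unknown_hosts_in_cde": sorted(h for h in connected if h not in inventory),
    }

if __name__ == "__main__":
    for finding, hosts in scope_findings(INVENTORY, OBSERVED_FLOWS).items():
        print(f"{finding}: {hosts}")
```

Swapping in a real inventory export and flow log turns this into a repeatable test of management's upkeep of the inventory; the same reachability walk also answers the "if compromised, could impact the CDE" half of the scoping rule.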


AUDIT & TEST – ALIGN WITH SECURITY FRAMEWORK

example security frameworks: COBIT, ISO 2700X, NIST or OCTAVE

COBIT 5
- more focus on alignment with business goals, governance roles (2nd & 3rd line of defense)
- control set (no risk language)
- maps to ISO 27001, NIST CSF

ISO 27001/27002
- controls have wider coverage than NIST CSF
- accepted standard in many countries
- supports certification process
- maps to NIST CSF, COBIT

NIST cybersecurity framework
- subset of verbose sp 800-53 NIST framework
- control set (no risk language)
- detailed guidance for technical controls
- maps to ISO 27001, COBIT
- many publications

OCTAVE allegro
- risk-based approach
- aligns with NIST risk assessment publication sp 800-39
- provides steps, worksheets, questionnaires; not a control framework

AUDIT & TEST – ASSESS MEASUREMENT CAPABILITY

establish method to measure key risks & controls

[matrix: risk & control activity against data type]

data types (columns): Intellectual Property; Cardholder (PCI); Health (ePHI); Employee (PII); Customer (PII); Financial (SOX)

risk & control activities (rows): System & Asset Inventory; Third Party Inventory; Identify & Classify Risks; Define Control Requirements; Identify Existing Controls; Control Assessment; Measure Residual Risks; Identify & Manage Incidents

AUDIT & TEST – ACROSS THE ATTACK CHAIN

[diagram of the attack chain from Internet through Application and Infrastructure to Endpoint, with the components to test: Third Party, Firewall, Remote Users, Mobile Devices, Web Application, Applications, Network, Employees, Workstations, Servers, Printers, Cloud, Database]

AUDIT & TEST – SOCIAL ENGINEERING AUDIT

malicious email filtering
- blocking sufficient % of malicious emails
- filters updated based on incidents

phishing incident management
- accurate, complete list of incidents
- analysis of nature and severity
- remediation effective & complete; includes cleaning user systems, blocking at network-level, identifying any command & control activity

security awareness program
- evaluate effectiveness & reach of training & communications
- determine how effectiveness of program is evaluated

AUDIT & TEST – PHISHING SIMULATIONS

1. email ploy crafted by audit (similar to actual)

2. phishing engine selects appropriate random targets across areas of organization

3. measure % that click, open, provide credentials

4. repeat different ploys regularly, collecting stats

- % open email (30% avg.¹)

- % open link / attachment (12% avg.)

- % report suspicious email (3% avg.)

- track % over time

- track % by area

- adjust awareness program

¹ verizon dbir 2016: http://vz.to/1Svr72f
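The measurement side of the simulation procedure above, as an added example that is not part of the presentation or any vendor's phishing engine: stratified random target selection by area (step 2), the open/click/credential/report rates (step 3), the same rates tracked by campaign and by area (step 4), and a comparison against the DBIR averages the slide quotes. The campaign results and the employee roster are constructed.

```python
"""Phishing simulation metrics for an audit program (added example).
One constructed record per targeted employee per campaign; computes the rates
the slide tracks, by campaign (trend) and by area, and compares them with the
2016 DBIR averages the slide quotes."""
import random
from collections import defaultdict

BENCHMARKS = {"opened": 0.30, "clicked": 0.12, "reported": 0.03}  # slide's dbir averages
METRICS = ("opened", "clicked", "submitted_creds", "reported")

# Constructed results: (campaign, area, opened, clicked, submitted_creds, reported)
RESULTS = [
    ("2016-Q1", "finance",   True,  True,  True,  False),
    ("2016-Q1", "finance",   True,  False, False, False),
    ("2016-Q1", "finance",   False, False, False, True),
    ("2016-Q1", "warehouse", True,  True,  False, False),
    ("2016-Q1", "warehouse", True,  True,  True,  False),
    ("2016-Q1", "warehouse", False, False, False, False),
    ("2016-Q2", "finance",   True,  False, False, True),
    ("2016-Q2", "finance",   False, False, False, True),
    ("2016-Q2", "finance",   False, False, False, False),
    ("2016-Q2", "warehouse", True,  True,  False, False),
    ("2016-Q2", "warehouse", False, False, False, True),
    ("2016-Q2", "warehouse", True,  False, False, False),
]

def select_targets(roster, per_area, seed=None):
    """Step 2: draw the same number of random targets from every area so the
    areas can be compared. roster is a constructed list of (name, area)."""
    rng = random.Random(seed)
    by_area = defaultdict(list)
    for name, area in roster:
        by_area[area].append(name)
    return {area: sorted(rng.sample(names, min(per_area, len(names))))
            for area, names in sorted(by_area.items())}

def rates(records):
    """Step 3: fraction of targets that opened, clicked, submitted, reported."""
    n = len(records)
    return {m: round(sum(r[2 + i] for r in records) / n, 3)
            for i, m in enumerate(METRICS)} if n else {}

def by_key(records, key_index):
    """Rates grouped by campaign (key_index 0) or by area (key_index 1)."""
    groups = defaultdict(list)
    for r in records:
        groups[r[key_index]].append(r)
    return {k: rates(v) for k, v in sorted(groups.items())}

def area_trend(records, metric):
    """Per area, the metric for each campaign in order: does the awareness
    program move the numbers between ploys?"""
    trend = defaultdict(list)
    for campaign in sorted({r[0] for r in records}):
        subset = [r for r in records if r[0] == campaign]
        for area, r in by_key(subset, 1).items():
            trend[area].append((campaign, r[metric]))
    return dict(trend)

def compare_to_benchmark(r):
    """Metrics where the organization is worse than the DBIR average: an
    open or click rate above it, or a report rate below it."""
    return [m for m, avg in BENCHMARKS.items()
            if (r[m] < avg if m == "reported" else r[m] > avg)]
```

With the constructed data the warehouse clicks twice as often as finance and the overall open and click rates exceed the DBIR averages, which is the kind of by-area finding that steers the awareness program.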


INFORMATION SECURITY AUDITS TO CONSIDER

cloud & data lake governance

it asset management

security vulnerabilities & patching assessment

phishing & security awareness

network segmentation assessment

security logging & event detection

penetration testing

web & mobile application assessment

program assessments: PCI & PHI

information security overall assessment

firewall ruleset assessment


RELEVANT COMMUNICATION TO LEADERS

3rd line of defense: what are you communicating to the audit committee, security, IT, and the business about cybersecurity?

QUESTIONS?


THANK YOU

Lucas Morris [email protected]

www.github.com/CroweCybersecurity

214-777-5257

Nate Anderson [email protected]


APPENDIX: REFERENCE MATERIALS


A. CYBERSECURITY THREAT REPORTS

• key data breach / cybersecurity reports

– verizon data breach investigations report

• 2014: http://vz.to/1pMX6xZ | 2015: http://vz.to/1ILoZPv

• 2016: http://vz.to/1Svr72f

– verizon data breach digest: 2016: http://vz.to/21zkult

– dell security annual threat report:

• 2015: http://bit.ly/1UhOmyF | 2016: http://dell.to/1QeaJ4X

– symantec internet security threat report:

• 2015: http://symc.ly/1MBxADq | supplement: http://symc.ly/1aVPSSs

– mcafee labs threats predictions: 2015: http://intel.ly/1No3xh0

– ponemon global megatrends in cybersecurity: http://rtn.co/1KmCqRS


B. POPULAR FRAMEWORKS ON ASSET IDENTIFICATION

nist cybersecurity framework¹, step 2: orient. Once the scope of the cybersecurity program has been determined for the business line or process, the organization identifies related systems and assets, regulatory requirements, and overall risk approach. The organization then identifies threats to, and vulnerabilities of, those systems and assets.

octave allegro², step 2: develop an information asset profile. The methodology focuses on the information assets of the organization and Step 2 begins the process of creating a profile for those assets… The methodology’s profiling process ensures that an asset is clearly and consistently described, that there is an unambiguous definition of the asset’s boundaries, and that the security requirements for the asset are adequately defined. The profile for each asset is captured on a single worksheet that forms the basis for the identification of threats and risks in subsequent steps.

octave allegro², step 3: identify information asset containers. Containers describe the places where information assets are stored, transported, and processed. Information assets reside not only in containers within an organization’s boundaries but they also often reside in containers that are not in the direct control of the organization. Any risks to the containers in which the information asset lives are inherited by the information asset.

¹ nist csf: http://1.usa.gov/1dIqXf5

² octave allegro: http://bit.ly/1LTaH2F

C. THREAT ACTIONS – TOP 9 INCIDENT PATTERNS

¹ verizon data breach digest 2016: http://vz.to/21zkult


D. THREAT ACTIONS – 12 MOST COMMON SCENARIOS¹

# | scenario | freq | threat actor(s) | sophistication | threat source
1 | social engineering | 16% | organized crime, state-affiliated | 3-4-5 | China, Argentina, North Korea, Russian Federation
2 | financial pretexting | 7% | organized crime | 2-3 | varies
3 | insider threat | 12% | cashier/bank teller/waiter, end users, organized crime, finance employees, call center employees | 1 | varies
4 | usb infection | 33% | state-affiliated, organized crime | 4-5 | China, North Korea, Russian Federation
5 | peripheral tampering | <1% | organized crime | 2 | Bulgaria, Romania, Armenia, Brazil, the U.S.
6 | rogue connection | 4% | organized crime | 1-2-3 | varies
7 | logic switch | 53% | organized crime, unaffiliated, state-affiliated, activist group | 1-2-3-4-5 | the U.S., China
8 | sql injection | 23% | activist, organized crime, state-affiliated | 3 | varies
9 | cms compromise | 46% | organized crime | 3 | China, Malaysia, the U.S., Russian Federation
10 | backdoor access | 51% | state-affiliated, organized crime | 3-4-5 | Romania, China, Russian Federation
11 | ram scraping | 55% | organized crime, state-affiliated | 2-3 | Romania, Germany, China, Russian Federation
12 | credential theft | 42% | organized crime, state-affiliated | 2-3-4-5 | Ukraine, China, Romania, Germany, Russian Federation, the U.S.

¹ verizon data breach digest 2016: http://vz.to/21zkult

E. THREAT ACTIONS – 6 LETHAL SCENARIOS¹

# | scenario | freq | threat actor(s) | sophistication | threat source
1 | digital extortion | 9% | organized crime | 2 | varies
2 | partner misuse | 4% | business-2-business partner | 1 | varies
3 | hacktivist attack | 3% | activist group | 1-2 | unknown, syria
4 | dns tunneling | <1% | state-affiliated, organized crime | 3 | varies
5 | data ransomware | 4% | organized crime | 1-2 | varies
6 | sophisticated malware | 32% | state-affiliated, organized crime | 4-5 | varies

¹ verizon data breach digest 2016: http://vz.to/21zkult

F. TOP 25 VERIS (VERIZON) THREAT ACTIONS¹

1. Phishing—Phishing (or any type of *ishing)
2. Use of stolen creds—Use of stolen credentials
3. RAM scraper—RAM scraper or memory parser
4. Brute force—Brute force attack
5. Export data—Export data to another site or system
6. Use of backdoor or C2—Use of backdoor or C2
7. Unknown—Malware unknown
8. Backdoor—Backdoor (enable remote access)
9. Spyware/Keylogger—Spyware, keylogger, etc.
10. Unknown—Hacking unknown
11. C2—Command and control (C2)
12. Capture stored data—Capture data stored on disk
13. Downloader—Downloader (pull updates or other malware)
14. Scan network—Scan or footprint network
15. Password dumper—Password dumper
16. Privilege abuse—Abuse of system access privileges
17. Skimmer—Payment card skimmers
18. Adminware—System or network utilities (e.g., PsTools)
19. Rootkit—Rootkit (maintain local privileges and stealth)
20. SQL injection—SQL injection attack
21. Exploit vuln—Exploit vulnerability in code
22. Disable controls—Disable or interfere with security controls
23. Brute force—Brute force attack
24. Unapproved hardware—Use of unapproved hardware
25. Packet sniffer—Packet sniffer (capture data from network)

¹ verizon data breach digest 2016: http://vz.to/21zkult

ICON CREDITS – 1 OF 2¹

¹ thenounproject.com

invoice 1: alex auda samora; invoice 2: alex auda samora; cloud server: icon 54
credit card: redfusion; bank: anbileru adaleru; black database: sergio luna
money: gregor cresnar; mystery person: yamini ahluwalia; building: lil squid
health: joao proenca; brain: jessie_vp; white server: mister pixel
diamond: rflor; report: aldredo hernandez; server w/legs: chameleon design
thumbprint: wilson joseph; cash register: icon 54; spreadsheet: useiconic
license: olivia stelan; elephant: ted mitchner; circle lifecycle: yamini ahluwalia
process flow: mantisshrimpdesign; black hoodie: olivier guin; black hat spy: alex auda samora
black mask: luis prado; white mask: icon 54; black mask hat: creative stall

ICON CREDITS – 2 OF 2¹

¹ thenounproject.com

download: creative stall; trojan horse: luis prado; open lock: chameleon design
phishing: juan pablo bravo; broken lock: james mayor; safe: luis prado
pass crack: matt wasser; keyring: william j salvador