G-4 Fraser Technology Security Presentation · 2016-06-18 · Virtualization • One option –Use...

Technology Security: 27th Annual Accounting Show Seminar. Chris Fraser: Consulting Services Manager, Infinity Technology Solutions. September 21, 2012

Transcript of G-4 Fraser Technology Security Presentation · 2016-06-18 · Virtualization • One option –Use...

Page 1: G-4 Fraser Technology Security Presentation · 2016-06-18 · Virtualization • One option –Use it for Disaster Recovery • Local/Onsite Virtualization • Stored images of the

Technology Security: 27th Annual Accounting Show Seminar

Chris Fraser: Consulting Services Manager

Infinity Technology Solutions

September 21, 2012

Page 2:

Quick Poll

Page 3:

Agenda

• Know your Risks

• Cloud and Security

• Virtualization

• Smartphones/Tablets

• Mobile Devices / BYOD

• Social Media

• Next Steps (Including DR)

Page 4:

Know Your Risks – Why Cloud

• Fires, Floods, Hurricanes, Power Outages

• Only 6% of companies that suffer catastrophic data loss fully recover

• 43% never reopen

• 51% close within 2 years of the disaster

• Advantage: Cloud vs. Premise-based

Statistics compiled from 2005 Gartner Group Report

Page 5:

Leverage the Cloud

• Connect from anywhere (but so can the bad guys)

• Cloud providers will add further redundancy with geographically dispersed data centers

• Data-center-grade physical security is simply not affordable for an SMB on its own ($$$)

• Power Protection

• Fire Protection

• Temperature and Humidity Controls

• Physical Security

• Data Security

Page 6:

What is the Cloud

• Virtual Server Hosting

• SaaS (Software as a Service) (e.g. QB Online)

• Co-location Services

• Website Hosting

• Application Hosting

• Hosted Exchange

• Hosted SharePoint

Page 7:

What about Cloud Problems?

• High profile cases in the news

• In the Summer of 2012 nearly half a million email addresses and passwords of Yahoo account holders were published online. In June, more than six million passwords for the professional social networking service LinkedIn were published online. Days later music website Last.fm warned users of a potential password theft. Then Dropbox…

Page 8:

What about Cloud Security?

• Addresses Risk of Complacency

• Just pay someone else to worry about it, right?

• Lower probability of occurrence if done right

• Higher profile disruption – local server crash doesn’t make the news

• Different Threats – Update your risk assessment

Page 9:

Great Quote:

“Trust but Verify”

Page 10:

Cloud Security

• Cloud computing security (sometimes referred to simply as "cloud security") is an evolving sub-domain of computer security, network security, and, more broadly, information security. It refers to a broad set of policies, technologies, and controls deployed to protect data, applications, and the associated infrastructure of cloud computing.

• Source: http://en.wikipedia.org/wiki/Cloud_computing_security

Page 11:

Passwords Protected by Hash?

• The passwords are often stolen in “hashed” form, meaning some computing work is required to convert them back into usable passwords.

• Yet…By Wednesday afternoon the hackers said they had already recovered hundreds of thousands.

• Source: http://www.telegraph.co.uk/technology/news/9316218/LinkedIn-hacker-also-stole-1.5m-passwords-from-dating-site-eHarmony.html
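Why a stolen hash dump falls so quickly, as an added example that is not part of the presentation or the article it quotes: it assumes the site stored plain, unsalted SHA-1 hashes (the fast-hash case; which scheme any particular site used is not stated on the slide), runs a constructed wordlist against invented accounts, and then runs the same wordlist against a salted, iterated PBKDF2 store so the difference in work shows up as a number. Account names, passwords and the wordlist are all made up for the demo.

```python
import hashlib
import hmac
import os

# Constructed wordlist for the demo; real crackers use lists with millions of
# entries plus mangling rules (case changes, appended digits and years, and so on).
WORDLIST = ["password", "123456", "qwerty", "letmein", "welcome1", "Summer2012", "linkedin"]

# Invented accounts. Two users chose dictionary words; carol chose a long passphrase.
SAMPLE_PASSWORDS = {
    "alice": "letmein",
    "bob": "Summer2012",
    "carol": "correct horse battery staple",
}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def unsalted_dump() -> dict:
    """What a site that stores plain SHA-1 leaks: user -> hex hash, no salt.
    (Assumption for the demo: a fast, unsalted scheme of this kind.)"""
    return {user: sha1_hex(pw) for user, pw in SAMPLE_PASSWORDS.items()}


def crack_unsalted(dump: dict, wordlist) -> tuple:
    """Dictionary attack on unsalted hashes. Each candidate is hashed ONCE and the
    result is reused against every account, so the cost does not grow with the
    number of users; that is why 'hundreds of thousands' can fall within a day."""
    table = {sha1_hex(word): word for word in wordlist}
    cracked = {user: table[h] for user, h in dump.items() if h in table}
    return cracked, len(wordlist)          # work = number of hashes computed


# Deliberately low so the demo runs in well under a second; production systems
# use far higher counts (assumption, tune for your hardware).
ITERATIONS = 20_000


def pbkdf2_hex(password: str, salt: bytes, iterations: int = ITERATIONS) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def salted_dump() -> dict:
    """The hardened store: a random per-user salt and an iterated KDF (PBKDF2)."""
    out = {}
    for user, pw in SAMPLE_PASSWORDS.items():
        salt = os.urandom(16)
        out[user] = (salt, pbkdf2_hex(pw, salt))
    return out


def crack_salted(dump: dict, wordlist) -> tuple:
    """Same dictionary against the salted store. The salt forces the attacker to
    recompute every candidate for every user, and each computation costs
    ITERATIONS hash invocations instead of one."""
    cracked, work = {}, 0
    for user, (salt, stored) in dump.items():
        for candidate in wordlist:
            work += 1
            if hmac.compare_digest(pbkdf2_hex(candidate, salt), stored):
                cracked[user] = candidate
                break
    return cracked, work                   # work = number of PBKDF2 computations


if __name__ == "__main__":
    found, work = crack_unsalted(unsalted_dump(), WORDLIST)
    print(f"unsalted SHA-1: cracked {found} with {work} hash computations")
    found, work = crack_salted(salted_dump(), WORDLIST)
    print(f"salted PBKDF2:  cracked {found} with {work} PBKDF2 runs "
          f"of {ITERATIONS} iterations each")
```

Both runs recover the same two weak passwords; the salted store only makes each guess cost roughly ITERATIONS times more and stops one table from serving every account. A password that is in the wordlist still falls, which is the point of the "unique password per site" takeaway later in the deck.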

Page 12:

Know Your Security

• COBIT

• SOC 2 (the SOC reports replaced the old SAS 70 audits in 2011; SOC 2 covers security, availability, processing integrity, confidentiality and privacy)

• Controls such as

• Data Encryption

• 2 factor authentication (can use the smartphone)

• Monitoring

Page 13:

Tips for selecting Cloud Vendors

• Do they have Service Level Agreements (SLAs)?

• What type of encryption is used to transmit and store data?

• What are the credentials of the data center?

• Ask for the SOC2 report, and any other 3rd party audits

• What regular security testing do they perform?

• Bandwidth limits? Breach history? Staff security training?

Page 14:

Dropbox Response

• Dropbox will now offer two-factor authentication for members, giving the option of using two forms of identity before access to an account is granted. The company was also adding new automated systems to monitor suspicious activity and a new page allowing members to see all active logins on their account.
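What "automated systems to monitor suspicious activity" and an "active logins" page can look like in practice, as an added example that is neither Dropbox's code nor part of the presentation: two simple rules (a burst of failed attempts followed by a success, and a successful login from a country the account has never used before) run over constructed log lines, plus a session list that drops entries on logout. The log format, thresholds, accounts and addresses are all invented for the demo.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed login log lines (invented format and data, not Dropbox's).
LOG = """\
2012-08-01T09:00:00 user=alice ip=203.0.113.5 country=US device=MacBook result=ok
2012-08-02T09:05:00 user=alice ip=203.0.113.5 country=US device=MacBook result=ok
2012-08-03T08:00:00 user=bob ip=192.0.2.10 country=US device=iPhone result=ok
2012-08-03T22:00:00 user=alice ip=198.51.100.7 country=RO device=WinPC result=fail
2012-08-03T22:00:20 user=alice ip=198.51.100.7 country=RO device=WinPC result=fail
2012-08-03T22:00:40 user=alice ip=198.51.100.7 country=RO device=WinPC result=fail
2012-08-03T22:01:00 user=alice ip=198.51.100.7 country=RO device=WinPC result=ok
2012-08-04T08:00:00 user=bob ip=192.0.2.10 country=US device=iPhone result=logout
2012-08-04T08:10:00 user=bob ip=192.0.2.11 country=US device=iPhone result=ok
"""

FAIL_THRESHOLD = 3               # demo thresholds; tune to your own traffic
FAIL_WINDOW = timedelta(minutes=10)


def parse(log: str) -> list:
    """Turn 'timestamp key=value ...' lines into dicts, oldest first."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["time"] = datetime.fromisoformat(ts)
        events.append(ev)
    return sorted(events, key=lambda e: e["time"])


def detect(events: list) -> list:
    """Return (user, time, reason) alerts for two patterns:
    - FAIL_THRESHOLD or more failures within FAIL_WINDOW followed by a success
      (password guessing or credential stuffing that finally hit);
    - a successful login from a country this account has never logged in from.
    A user's very first login is not flagged, because there is no history yet."""
    alerts = []
    seen_countries = defaultdict(set)    # user -> countries with a prior success
    recent_fails = defaultdict(deque)    # user -> timestamps of recent failures
    for ev in events:
        user, t = ev["user"], ev["time"]
        if ev["result"] == "fail":
            recent_fails[user].append(t)
            continue
        if ev["result"] != "ok":
            continue
        fails = recent_fails[user]
        while fails and t - fails[0] > FAIL_WINDOW:
            fails.popleft()              # forget failures outside the window
        if len(fails) >= FAIL_THRESHOLD:
            alerts.append((user, t.isoformat(),
                           f"{len(fails)} failures then success within {FAIL_WINDOW}"))
        fails.clear()
        if seen_countries[user] and ev["country"] not in seen_countries[user]:
            alerts.append((user, t.isoformat(), f"login from new country {ev['country']}"))
        seen_countries[user].add(ev["country"])
    return alerts


def active_logins(events: list, user: str) -> list:
    """The 'see all active logins' view: successful logins for `user` that have not
    been followed by a logout from the same ip/device, as (ip, device, time)."""
    active = {}
    for ev in events:
        if ev["user"] != user:
            continue
        key = (ev["ip"], ev["device"])
        if ev["result"] == "ok":
            active[key] = ev["time"].isoformat()
        elif ev["result"] == "logout":
            active.pop(key, None)
    return sorted((ip, dev, t) for (ip, dev), t in active.items())


if __name__ == "__main__":
    evs = parse(LOG)
    for alert in detect(evs):
        print("ALERT", *alert)
    for u in ("alice", "bob"):
        print(u, "active logins:", active_logins(evs, u))
```

Alice's 22:01 login trips both rules, which is exactly the situation the active-logins page is for: the user can see the unfamiliar session and end it. In production the country lookup comes from a GeoIP database and the history from a store rather than the same log, but the rules are the same.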

Page 15:

Virtualization

• This is BIG!

• Virtualization adds a low-level software layer that allows multiple, even different operating systems and applications to run simultaneously on a host

• Can move a physical server to a virtual one; it is no longer directly tied to physical equipment

• Competition:

• VMware

• Microsoft Hyper-V Server 2012

Page 16:

Virtualization

• One option – Use it for Disaster Recovery

• Local/Onsite Virtualization

• Images of the server environment stored on a local device, which can be mounted after a hardware failure or disaster to bring critical systems back up.

• Off-site Virtualization (Cloud)

• Images of the server environment stored at off-site data centers, which can be mounted after a hardware failure or disaster to bring critical systems back up.

Page 17:

Leverage the Cloud

• With a major disaster, there may not be any equipment to restore to. Those backups are useless!

• Cloud providers also provide valuable virtualization features

• Offsite Virtualization allows for the use of servers remotely

• Server images that are backed up offsite can be fully virtualized within hours, or less

• Access to your data requires only an Internet connection

Page 18:

Virtualization Security

• secure all elements of a full virtualization solution and maintain their security;

• restrict and protect administrator access to the virtualization solution;

• ensure that the hypervisor, the central program that runs the virtual environment, is properly secured; and

• carefully plan the security for a full virtualization solution before installing, configuring and deploying it.

• http://www.nist.gov/itl/csd/virtual-020111.cfm

Page 19:

Your Biggest Risk

• No Policy

Page 20:

Smartphones/Tablets

• Getting smarter…it’s a mobile computer

• iPad and competitors

• New iPhone 5

• Android

• Samsung Galaxy S III

• Secure it

• Use a password

• Track it – catch a thief

• Encrypt it

Page 21:

Mobile Devices / BYOD

• “Bring Your Own Device” - You can’t stop it

• Allows your employees to be more connected

• If the device is not owned by the company, what rights do you have?

• How do you know if it’s safe to bring into your network?

• Demand passwords and encryption

• Policy that allows the company to remove anything company-related from the device

Page 22:

Mobile Device Risks

• Human Error – We love and trust our employees… Until we don’t.

• Unintentional Threats

• Accidental File Deletion

• Failure to Backup

• Accidental Infection

• Device Loss

• Location Data – good and bad

Page 23:

Social Media

• Know your risks

• Rapidly changing

• Facebook gets a broad license to everything you post (you keep ownership, but grant a transferable, sub-licensable, worldwide license)

• SEO

Page 24:

Update your DR Plan

• A Disaster Recovery (DR) Plan is a document detailing how you will respond to a disaster. Can, and should, be an extensive document

• New technologies change the old DR plan

• At a minimum, it should include:

• Full technical documentation

• List of vendor contacts and any support agreements

• Onsite and Offsite backup solution

• Detailed recovery steps based on different disaster levels

• Test it!

Page 25:

Managed Services

• Best Practice for new technologies: Managed IT Service Providers

• Expertise in changing arena (IT)

• Option that Ensures Alignment of Interests

• Best ‘Bang for the Buck’

• Scalable

• Fixed Cost for Unlimited Support

• Provide Fortune 100-grade support at a price an SMB can afford

Page 26:

Security Tip

• Your take away from today:

• Improve your online safety by setting a unique password for each website you use. Though it’s easy to reuse the same password on different websites, this means if any one site is compromised, all your accounts are at risk

• Password complexity matters

• Don’t keep your password static (Change every # days/months)

Page 27:

What are the Next Steps?

• Develop a policy and plan – even if it is brief

• Adapt to new technologies

• Ensure that reliable security is in place

• Ensure that critical data and systems have proper controls

• Plan for BYOD devices

Page 28:

For CPAs

• FICPA Business Technology Section

• CITP Credential

Page 29:

CITP Credential

• A Certified Information Technology Professional (CITP) is a Certified Public Accountant recognized for his or her unique ability to provide business insight by leveraging knowledge of information relationships and supporting technologies. The CITP credential focuses on information management and technology assurance, making a CPA among the most trusted business advisors.

Distinguish yourself from other information management and technology assurance professionals. Only CPAs can be CITPs, allowing CITPs to capitalize on the profession’s trusted reputation and helping them to differentiate themselves from other professionals in the marketplace.

Page 30:

CITP Body of Knowledge

Page 31:

IT AUDIT AND ATTEST SERVICES

INFORMATION CONTROL AND ASSURANCE (on financial statements, a segment, or operations)

Columns: Summary Descr. | Specific Application | Related AICPA Initiatives | Market Impact/Trend

Types: Fin. Stmt Audit; SAS 70s; Trust Services; Privacy; Peer Review; Risk-Based Auditing Stds (SASs); Stmt on Auditing Stds (SASs); Exposure drafts; PCAOB & SEC; AICPA ASB

Internal Control: Sarbanes Oxley; COSO, CoBIT; Center of Audit Quality; PCAOB & SEC; Economic crisis

Fraud: Digital Evidence; SAS 99; Forensic Valuation Svcs; Certified in Fin. Forensics (CFF); Stmt on Auditing Stds (SASs); Economic crisis; Computer Forensics

Risk Assessment: Risk-based auditing; Risk-Based Auditing Stds (SASs); Center of Audit Quality; PCPS Firm Management; AICPA ASB; Risk Management

IT General Controls: IT Audit/Compliance; Governance; Security; Risk-Based Auditing Stds (SASs); Center of Audit Quality; AICPA ASB

Auditing Techniques: App. Testing; CAATTs; Data Analytics; Forensic Valuation Svcs; Certified in Fin. Forensics (CFF); Center of Audit Quality; Continuous Auditing

Assessment of IT Controls: Deficiency/Mat. Weakness; Unqualified/Qual. Opinion; Risk-Based Auditing Stds (SASs); Center of Audit Quality; PCAOB & SEC; AICPA ASB

AICPA, Certified Information Technology Professional Credential - Informatio

Version: July 2009

Page 32:

Thank You

Chris Fraser, CPA, CITP

Consulting Services Manager

Infinity Technology Solutions

infinityIT.com

[email protected]

Page 33:

Which is Scarier?

Page 34: