IIA August Briefing_15AUG2015

Date post: 13-Apr-2017
Upload: robert-baldi
Page 1: IIA August Briefing_15AUG2015

MEETS THE CHALLENGE OF CHANGE

Robert Baldi, Director of IT Audit, ACI Worldwide

Warren Fish, Manager of IT Audit, ACI Worldwide

Auditing emerging cyber threats and IT controls

Page 2: IIA August Briefing_15AUG2015


Competency

“The trouble with competence is that it is always stale.”*

CDR Chris Hadfield, first Canadian to walk in space

*Quoted from 2015 IIA Conference, Vancouver, British Columbia, Canada

Page 3: IIA August Briefing_15AUG2015


Agenda

• The state of cybersecurity (IIA perspective)

• Recent breaches

• IIA Standards 1210: Proficiency

• Cutting Edge IT Auditing: IT Skills required, auditing skills second

• Fruit Tree of IT Auditing

• Emerging Cyber Threats

Page 4: IIA August Briefing_15AUG2015


The state of cybersecurity (IIA)

The Cybersecurity Imperative: To help organizations lock down security, internal auditors must raise their skills and understand the latest threats, IIA July 31, 2015

• https://iaonline.theiia.org/2015/the-cybersecurity-imperative

• The Board is asking questions: This year, for the first time, cybersecurity broke into the top 10 risk priorities. Small wonder, then, that 80 percent of public company board members report their board discusses cybersecurity at most or all board meetings.

• A Common Language: Bridging those gaps is difficult because there is no generally accepted cybersecurity framework. The Board, Management, IT, information security, and internal audit may all have their own points of reference. Recommend establishing a common framework that enables everyone in the organization to speak the same language about cyber risk.

• Recruit Cybersecurity Specialists: Internal audit departments that lack IT auditors can gain expertise by hiring cybersecurity experts and then training them in internal audit.

Tim McCollum is Internal Auditor magazine's associate managing editor.

Page 5: IIA August Briefing_15AUG2015


IIA (Standards 1210) Proficiency

• Internal auditors must possess the knowledge, skills, and other competencies needed to perform their individual responsibilities. The internal audit activity collectively must possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities.

• Interpretation:

• 1210.A1 - The chief audit executive must obtain competent advice and assistance if the internal auditors lack the knowledge, skills, or other competencies needed to perform all or part of the engagement.

• 1210.A2 - Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.

• 1210.A3 - Internal auditors must have sufficient knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work. However, not all internal auditors are expected to have the expertise of an internal auditor whose primary responsibility is information technology auditing.

• 1210.C1 - The chief audit executive must decline the consulting engagement or obtain competent advice and assistance if the internal auditors lack the knowledge, skills, or other competencies needed to perform all or part of the engagement.

Page 6: IIA August Briefing_15AUG2015


Cutting Edge IT Auditing: IT Skills required, auditing skills second

• Maintaining IT competencies: IT Auditors at ACI Worldwide maintain their IT skills by holding membership in the following organizations, pursuing certifications, and staying current and connected via social media.

• Institute of Internal Auditors

• ISACA

• Nebraska Computer Emergency Response Team (CERT)

• Armed Forces Communications and Electronics Association

• InfraGARD (Public-Private Partnership between FBI and US business)

• National Cyber Security Alliance (DHS and home, small US business)

• International Information Systems Security Certification Consortium (ISC²)

• Open Web Application Security Project (OWASP-Omaha)

* 7 Attributes of Highly Effective Internal Auditors, By Chambers, McDonald, IIA, 2013

Page 7: IIA August Briefing_15AUG2015


Fruit Tree of Internal Auditing

High Hanging Fruit
- Simulated Breach Exercises (war gaming)
- Penetration Testing (in house)
- Data Loss Prevention (insider threat)
- Bring Your Own Device (BYOD)
- Database Security
- Two-Factor Controls

Medium Hanging Fruit
- Data backup processes
- Asset Management and/or Identity Management
- WiFi Security Assessment
- Vulnerability & Patch Management
- Configuration Management

Low Hanging Fruit
- Credential (admin) verification/appropriateness
- Default & weak passwords
- Unpatched devices (routers, switches, servers, workstations)
- Poorly configured firewalls, IPS, IDS, SIEM
- Applications not working as configured on workstations (antivirus, web filtering, etc.)

Page 8: IIA August Briefing_15AUG2015


Emerging Cyber Threats & IT Controls

• Recent Breaches & Cyber War gaming

• Social Media

• Data Loss Prevention

• Bring (or Wear) Your Own Device

• Penetration Testing

• Incident Response

• Social Engineering

• Phishing

Page 9: IIA August Briefing_15AUG2015


Cyber Security Breaches – 2014 & 2015

Page 10: IIA August Briefing_15AUG2015


Cybersecurity: war gaming

The cybersecurity imperative, by Tim McCollum (Page 27)

Page 11: IIA August Briefing_15AUG2015


Social Media

• Every employee with a social media account tied to your company e-mail is an ambassador of the company. Possible risks: reputation/brand, stock prices, or injury/workplace violence.

• Example: TD Ameritrade uses a company to monitor social media.

• List every company-based social media account.

• Do not limit the list to Facebook, Twitter, LinkedIn, etc.; it is imperative that you use Google Dorks or obtain an external “objective” subject matter expert to assist you.

Page 12: IIA August Briefing_15AUG2015


Data Loss Prevention (DLP)

• Where are your egress points?

• What controls are in place?

• What do your policies state?

• What training is provided to your staff?

• Which of the 45 popular cloud hosting providers (DropBox.com, Cloud.com, etc.) are blocked?

Page 13: IIA August Briefing_15AUG2015


Bring (or Wear) Your Own Device (BYOD)

Page 14: IIA August Briefing_15AUG2015


Penetration Testing? But we just passed our PCI Audit!

• Vulnerabilities Exist? But we just passed our PCI audit!

Page 15: IIA August Briefing_15AUG2015


Incident Response

• Yes, you probably have a plan. But do you have a letter vetted through legal for each state / country in which you operate to comply with breach notification laws?

Page 16: IIA August Briefing_15AUG2015


Social Engineering

http://www.social-engineer.org/

Page 17: IIA August Briefing_15AUG2015


Phishing

• Phishing still remains the easiest way to compromise a company.

• An unsuspecting employee in any business unit clicks on a perfectly legitimate-looking e-mail which says, “Please click here to check on the status of your order.”

• Access/Compromise: Once the attacker has compromised the company workstation, they will install a key logger to collect logins, passwords, etc.

• 23% of recipients now open phishing messages

• 11% click on attachments

• 50% open e-mails within the first hour

• Awareness and training are the most effective defense

Page 18: IIA August Briefing_15AUG2015


Contact Info

Rob Baldi, Director of Information Technology Internal Audit, [email protected]

Warren Fish, Manager of Information Technology Internal Audit, [email protected]

ACI Worldwide is looking for an IT Audit Intern. Please contact Rob or Warren for more details!
