565 DB 4
Cybersecurity and Auditing
H-1
©McGraw-Hill Education
Learning Objectives
Recognize key cybersecurity concepts and terms.
Recognize the regulatory landscape for cybersecurity.
Recognize common cybersecurity frameworks and standards (e.g., NIST, AICPA Trust Services Criteria).
Understand the basics of SOC reporting.
Defining Cybersecurity
Monteith, T. Cybersecurity. Black & Veatch Management Consulting
Cybersecurity is only part of a holistic security risk and resilience effort that is required to protect people, assets, and operations.
Cybersecurity is the practice of protecting information and technology systems from attack, damage, or unauthorized access.
Cybersecurity encompasses defenses against all sorts of breaches and hacking, including internal misuse, corporate espionage, ransomware, cryptomining, and denial-of-service attacks.
Due Care: Putting reasonable measures in place to protect assets or data.
Due Diligence: Ensuring that those security measures remain sufficient to protect the assets or data over time.
Figure: Risk/Resilience spans OT Security, IT Security, and Physical Security.
Incident vs. breach
Incident: A security event that compromises the integrity, confidentiality, or availability of an information asset.
Breach: An incident that results in the confirmed disclosure (not just potential exposure) of data to an unauthorized party.
Cyber and reliability incidents are real, recent, and relevant.
Most incidents are preventable with cybersecurity best practices.
Primary Driver: Cyber threats are increasing across all sectors
Sources: Bluefin 2021; WXYZ-TV Detroit, Channel 7; www.skyflok.com
Primary Driver: Cyber threats are increasing across all sectors
Colonial Pipeline
Ransom paid: roughly $4.4 million in Bitcoin (about $2.3 million of it was later recovered by the U.S. Department of Justice)
Pumps in the eastern U.S. screeched to a halt in May 2021 after a ransomware attack on a major fuel provider disrupted the petroleum supply chain. Colonial Pipeline, which carries about 45% of the East Coast's supply of gasoline, diesel, and jet fuel, was compromised by a ransomware group called DarkSide.
Facebook, Instagram and LinkedIn via Socialarks
Records Breached: 214 million
Tens of millions of Facebook, Instagram and LinkedIn profiles have been exposed by a company you’ve probably never heard of: Socialarks.
Due to an unsecured database, the quickly growing Chinese social media management company leaked personally identifiable information (PII) of some 214 million social media users, some of whom were major influencers and celebrities.
Bluefin 2021
State of Cybersecurity
The 2021 Verizon Data Breach Incident Report (DBIR)
| Frequency | 1,295 incidents, 84 with confirmed data disclosure |
| Threat Actors | External (87%), Internal (17%), Multiple (5%), Partner (1%) (breaches) |
| Actor Motives | Financial (100%) (breaches) |
| Data Compromised | Personal (80%), Medical (43%), Bank (9%), Other (7%) (breaches) |
State of Cybersecurity
The 2021 Verizon Data Breach Incident Report (DBIR)
Organizations in Northern America (the DBIR's regional grouping) continue to be the target of financially motivated actors.
Social engineering, hacking, and malware continue to be the favored tools of these actors.
Social Engineering: Psychological compromise of a person that alters their behavior into taking an action or breaching confidentiality.
| Frequency | 13,256 incidents, 1,080 with confirmed data disclosure |
| Top Patterns | Social Engineering, System Intrusion and Basic Web Application Attacks represent 92% of breaches |
| Threat Actors | External (82%), Internal (19%), Multiple (2%), Partner (1%) (breaches) |
| Actor Motives | Financial (96%), Espionage (3%), Grudge (2%), Fun (1%) (breaches) |
| Data Compromised | Credentials (58%), Personal (34%), Other (27%), Internal (11%) (breaches) |
The Compelling Issues
Lack of business focus: only IT is involved
Inadequate resourcing and training: viewing incident response as a sunk cost
Inadequate understanding of the risks: not performing a cybersecurity framework risk assessment
Lack of an incident response plan (IRP), especially in small and medium-sized companies
Auditing for Cybersecurity Risk - The CPA Journal
The Compelling Issues
Lack of updating and testing of the IRP: plans are not tested on a regular basis
Lack of third-party support: no unbiased view of the problem
Lack of audit involvement: audit is a key component of risk assessment and prevention
Auditing for Cybersecurity Risk - The CPA Journal
Regulatory Landscape for Cybersecurity
Monteith, T. Cybersecurity. Black & Veatch Management Consulting
ITIL (IT service management)
ISO 27001/27002 (information security management system / InfoSec controls)
NIST RMF, SP 800-53 controls framework
COBIT (IT governance and management)
SOX, HIPAA
University programs (e.g., Carnegie Mellon)
Cisco Systems (PPDIOO network lifecycle)
Network project management industry (Deloitte, Price-Waterhouse, Accenture, SAIC, Booz Allen, BAE, Boeing, KPMG, Microsoft, General Dynamics)
Monteith, T. Cybersecurity. Black & Veatch Management Consulting
Regulatory Landscape alignment to Cybersecurity
Privacy Act of 1974 – Government
PII protection, fair use, and systems maintained by the Federal Government. A growing number of states have consumer data protection laws (e.g., Massachusetts 201 CMR 17.00).
Sarbanes-Oxley Act (SOX, 2002) – Government
Protection from accounting errors and corporate fraud. Internal controls, data storage, data transmission, encryption, key management, segregation of duties. Aligns with Control Objectives for Information and Related Technologies (COBIT) for auditing.
Health Insurance Portability and Accountability Act (HIPAA, 1996) – Government
Protects patient information relating to care, treatment, payment, and health care operations. Requires administrative, physical, and technical safeguards, including access control, audit controls, data integrity, authentication, transmission security, and encryption for PHI and PII.
Payment Card Industry (PCI) Data Security Standard (DSS) – Commercial industry
A continuous compliance process of Assess, Remediate, Report. Covers PIN security, vendor security, data security, vulnerability assessment and management requirements, data storage, and data encryption.
Prevent Your Organization from Being Breached
How well do you know your IT environment?
Accurate inventory of devices
Accurate inventory of software
Accurate inventory of Internet- facing systems
What data do the hackers want and where does it live?
Look at not only structured data, but unstructured as well (e.g., spreadsheets, user reports, downloads from ERP or CRM systems)
What data lives in your employees' email accounts?
Schneiderdowns.com & Colorado Society of Certified Public Accountants, 2018
Prevent Your Organization from Being Breached
If you have identified critical systems and data, how do you further protect access to it?
Do you require complex passwords (e.g., a mix of letters, numbers, and symbols)?
Do you require two-factor authentication for critical systems and for network access, such as:
VPN
ERP
CRM
Schneiderdowns.com & Colorado Society of Certified Public Accountants, 2018
Prevent Your Organization from Being Breached
Are your employees susceptible to being phished?
Statistics show the answer is likely “yes”.
Have you tested/trained them?
What technical controls have you put in place to stop it?
e.g., Advanced Email Protection
If phishing succeeds, do you have additional protection methods?
Advanced endpoint protection complements traditional anti-virus
Encryption of data
Whitelisting of allowed applications
Schneiderdowns.com & Colorado Society of Certified Public Accountants, 2018
Prevent Your Organization from Being Breached
Does your IT staff concentrate more on security or operations?
Management often believes that its IT staff focuses on security more than it actually does.
In reality, security and IT operations often conflict with each other.
Having an independent security group or security consulting partner helps bridge the gap
Do you know where you are vulnerable?
A large share of breaches take advantage of unpatched operating systems and application software.
e.g., Equifax breach leveraged vulnerability in Apache Struts software toolkit.
How often does your IT team patch systems and software?
Have you run vulnerability scans to test the effectiveness of the patching process?
Schneiderdowns.com & Colorado Society of Certified Public Accountants, 2018
Prevent Your Organization from Being Breached
Have you simulated an external attack to determine how secure/vulnerable you really are?
Penetration tests or ethical hacking exercises are valuable because they help identify issues before the bad guys do.
How prepared are you for a breach?
It's not a matter of "if" but "when."
A solid, tested incident response plan may not prevent a breach, but it will limit the impact.
Practice common scenarios (e.g., phishing, ransomware, business email compromise, etc.)
Have you adopted and assessed yourself against a standard security framework?
Allows for continuous improvement
Set a road map for long-term information security success
Schneiderdowns.com & Colorado Society of Certified Public Accountants, 2018
Intro to SOC Reporting
Viator, J., pncpa.com
SOC 2 Framework
Viator, J., pncpa.com
Assessing Cybersecurity Risk
SOC for Cybersecurity Examination
Assurance engagement performed by an independent CPA firm
Examined against suitable control criteria
e.g., the AICPA Trust Services Criteria (the same criteria used for SOC 2)
Results in a Cybersecurity Risk Management Examination Report that consists of:
Management's description of the entity's cybersecurity risk management program
Management's assertion
The CPA's opinion on the description and on the effectiveness of the controls within the entity's cybersecurity risk management program
Report covers a specified period of time (typically at least 6 months)
Schneiderdowns.com & Colorado Society of Certified Public Accountants, 2018
Assessing Cybersecurity Risk
Cybersecurity Maturity Assessment
Evaluate your cybersecurity risk management program against industry best practices
NIST Cybersecurity Framework
ISO 27001
HITRUST
PCI-DSS
Results in a Cybersecurity Maturity Assessment Report that consists of:
Completed cybersecurity risk assessment report
Prioritized list of control gaps with recommended plans of action
Schneiderdowns.com & Colorado Society of Certified Public Accountants, 2018
Assessing Cybersecurity Risk
External Footprint Analysis
Use commonly available open source tools, scanners and databases to obtain a blueprint of the network and its Internet profile
Black box approach
Gather data about hosts
Results in a report that consists of:
List of identified hosts, including operating systems, applications, domain names, IP ranges
May discover hosts or applications that management was not aware existed
Schneiderdowns.com & Colorado Society of Certified Public Accountants, 2018
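The footprint slide above ends with the point that matters most to an auditor: the scan may find hosts management did not know about. The Python below is an added example (not from the slides or their sources) that reconciles a constructed external footprint against a constructed asset inventory; hostnames, addresses (RFC 5737 documentation ranges) and ports are sample data, and the inventory's "ports" field is an assumption about what an inventory would record.

```python
"""Reconcile an external footprint with management's asset inventory.

Added example; all hosts, addresses and ports are constructed sample data.
"""
import ipaddress

# Management's inventory of Internet-facing systems (constructed). The
# "ports" field is assumed to record the services that should be exposed.
INVENTORY = {
    "www.example.com":  {"ip": "203.0.113.10", "ports": {443}},
    "mail.example.com": {"ip": "203.0.113.20", "ports": {25, 587}},
    "vpn.example.com":  {"ip": "203.0.113.30", "ports": {1194}},
    "sftp.example.com": {"ip": "203.0.113.40", "ports": {22}},
}

# Netblocks the organization is registered for (constructed).
OWNED_NETBLOCKS = ["203.0.113.0/24"]

# What passive DNS, certificate transparency logs and a port scan found (constructed).
DISCOVERED = [
    {"host": "www.example.com",     "ip": "203.0.113.10", "ports": [443]},
    {"host": "mail.example.com",    "ip": "203.0.113.20", "ports": [25, 587]},
    {"host": "vpn.example.com",     "ip": "203.0.113.30", "ports": [1194, 22]},
    {"host": "dev-erp.example.com", "ip": "203.0.113.45", "ports": [8080]},
    {"host": "old-crm.example.com", "ip": "198.51.100.7", "ports": [80]},
]


def reconcile(inventory, discovered, owned_netblocks):
    """Return the gaps between the discovered footprint and the inventory.

    unknown_hosts:     discovered but absent from the inventory (forgotten
                       test systems, shadow IT)
    outside_netblocks: carrying our domain name but hosted on addresses we
                       do not own (third-party or personal hosting)
    unexpected_ports:  inventoried hosts exposing services beyond the record
    address_mismatch:  inventoried hosts resolving to a different address
    missing_from_scan: inventoried hosts the scan did not see (decommissioned
                       but never removed from the inventory, or a scan gap)
    """
    nets = [ipaddress.ip_network(n) for n in owned_netblocks]
    seen = set()
    gaps = {"unknown_hosts": [], "outside_netblocks": [],
            "unexpected_ports": {}, "address_mismatch": {}, "missing_from_scan": []}
    for rec in discovered:
        host = rec["host"]
        ip = ipaddress.ip_address(rec["ip"])
        seen.add(host)
        if not any(ip in net for net in nets):
            gaps["outside_netblocks"].append(host)
        if host not in inventory:
            gaps["unknown_hosts"].append(host)
            continue
        expected = inventory[host]
        if rec["ip"] != expected["ip"]:
            gaps["address_mismatch"][host] = (expected["ip"], rec["ip"])
        extra = sorted(set(rec["ports"]) - set(expected["ports"]))
        if extra:
            gaps["unexpected_ports"][host] = extra
    gaps["missing_from_scan"] = sorted(set(inventory) - seen)
    return gaps


if __name__ == "__main__":
    for kind, items in reconcile(INVENTORY, DISCOVERED, OWNED_NETBLOCKS).items():
        print(f"{kind}: {items}")
```

Each category maps to a different follow-up question for management: an unknown host needs an owner, a host outside the owned netblocks needs a contract or a takedown, an unexpected port needs a change record, and an inventoried host the scan never saw means either a decommissioning gap or a scan that did not cover everything.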
Assessing Cybersecurity Risk
Vulnerability Assessment
Provides a comprehensive view of potential security flaws in an environment
Check for misconfigurations, unpatched services, open ports and other architectural mistakes
Results in a report that consists of:
Summary of identified vulnerabilities
Vulnerabilities ranked by criticality
Remediation plans
Schneiderdowns.com & Colorado Society of Certified Public Accountants, 2018
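Two slides above ask whether vulnerability scans are used to test the patching process, and the slide just above lists what a vulnerability assessment report contains (findings ranked by criticality, with remediation plans). The Python below is an added example (not from the slides or their sources) that turns a constructed scan export into that ranking and checks each finding against an assumed remediation SLA; the scan rows, the SLA table and the `AS_OF` date are all sample values.

```python
"""Rank vulnerability-scan findings and check them against patch SLAs.

Added example; the scan export is constructed and the SLA table is an
assumed remediation policy, not anything the slides prescribe.
"""
import csv
import io
from datetime import date

# Constructed scan export: one finding per row. first_seen is the date the
# scanner first reported the finding, which is what makes age measurable.
SCAN_CSV = """host,title,cvss,internet_facing,first_seen
web01,Apache Struts 2 remote code execution,10.0,yes,2021-09-20
web01,TLS 1.0 enabled,5.3,yes,2021-06-01
fs01,SMBv1 enabled,7.5,no,2021-09-15
hr-db,Missing operating system patches (July rollup),8.8,no,2021-08-01
wks-117,Outdated browser version,3.1,no,2021-09-28
"""

# Assumed remediation policy: maximum days a finding may stay open.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed report date.
AS_OF = date(2021, 10, 1)


def severity(cvss):
    """Map a CVSS v3 base score to the standard qualitative rating."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def parse_scan(text):
    """Parse the CSV export into typed finding records."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        findings.append({
            "host": row["host"],
            "title": row["title"],
            "cvss": float(row["cvss"]),
            "internet_facing": row["internet_facing"].strip().lower() == "yes",
            "first_seen": date.fromisoformat(row["first_seen"]),
        })
    return findings


def assess(findings, as_of=AS_OF):
    """Add severity, age and SLA status, then order by what to fix first:
    overdue findings, then Internet-facing ones, then by CVSS score."""
    out = []
    for f in findings:
        sev = severity(f["cvss"])
        age = (as_of - f["first_seen"]).days
        out.append({**f, "severity": sev, "age_days": age,
                    "sla_days": SLA_DAYS[sev], "overdue": age > SLA_DAYS[sev]})
    out.sort(key=lambda f: (f["overdue"], f["internet_facing"], f["cvss"]), reverse=True)
    return out


def summarize(assessed):
    """Report figures: findings per severity, overdue count, hosts with overdue findings.
    A non-zero overdue count is direct evidence that patching is not keeping up."""
    by_sev = {s: 0 for s in SLA_DAYS}
    for f in assessed:
        by_sev[f["severity"]] += 1
    overdue = [f for f in assessed if f["overdue"]]
    return {"by_severity": by_sev, "overdue": len(overdue),
            "hosts_overdue": sorted({f["host"] for f in overdue})}


if __name__ == "__main__":
    ranked = assess(parse_scan(SCAN_CSV))
    for f in ranked:
        flag = "OVERDUE" if f["overdue"] else "within SLA"
        print(f'{f["host"]:8} {f["severity"]:8} {f["cvss"]:4} {f["age_days"]:4}d {flag}: {f["title"]}')
    print(summarize(ranked))
```

The ordering puts an overdue medium-severity finding on an Internet-facing host ahead of a high-severity finding that is still inside its window, which is usually the right call for a remediation plan: the report should drive the next action, not just restate scanner scores.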
Assessing Cybersecurity Risk
Penetration Test
Builds on the external footprint analysis and vulnerability assessment
Simulate actions of an internal/external attacker and attempt to exploit vulnerabilities and misconfigurations
Attempt to use multiple attack vectors
Expose unpatched systems
“Phishing for compromise”
Physical access
USB flash drive drop
Results in a report that consists of:
Summary of vulnerabilities
Results of exploitation attempts
Criticality rankings
Remediation strategies
Schneiderdowns.com & Colorado Society of Certified Public Accountants, 2018
Assessing Cybersecurity Risk
Phishing Assessments
Simulate realistic phishing campaigns
Results in a report that consists of:
Summary of customized phishing campaign
Results about user’s actions, including:
Percentage of employees who opened the email
Percentage of employees who clicked on the link/attachment
Percentage of employees who provided account details
Schneiderdowns.com & Colorado Society of Certified Public Accountants, 2018
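The percentages on the slide above are only meaningful if they are counted per employee, not per event: a user who clicks twice is one click, and a user who submitted credentials necessarily opened and clicked even when a blocked tracking pixel never recorded the open. The Python below is an added example (not from the slides or their sources) that computes the funnel from a constructed event log; the log lines and the event names (delivered, opened, clicked, submitted, reported) are assumptions about what a phishing simulation platform exports.

```python
"""Compute phishing-assessment funnel metrics from a simulation event log.

Added example; the log lines are constructed and the event vocabulary is an
assumption about a phishing simulation platform's export format.
"""
import re

# Constructed export: one line per tracked action. Frank's open was never
# recorded (image blocked) but he clicked twice; grace reported from preview
# without an open being recorded.
EVENT_LOG = """\
2021-09-14T09:00:03 user=alice event=delivered
2021-09-14T09:00:03 user=bob event=delivered
2021-09-14T09:00:03 user=carol event=delivered
2021-09-14T09:00:04 user=dave event=delivered
2021-09-14T09:00:04 user=erin event=delivered
2021-09-14T09:00:04 user=frank event=delivered
2021-09-14T09:00:05 user=grace event=delivered
2021-09-14T09:00:05 user=heidi event=delivered
2021-09-14T09:00:05 user=ivan event=delivered
2021-09-14T09:00:06 user=judy event=delivered
2021-09-14T09:02:11 user=alice event=opened
2021-09-14T09:02:40 user=alice event=clicked
2021-09-14T09:03:05 user=alice event=submitted
2021-09-14T09:04:19 user=bob event=opened
2021-09-14T09:04:31 user=bob event=clicked
2021-09-14T09:05:02 user=carol event=opened
2021-09-14T09:05:20 user=carol event=reported
2021-09-14T09:07:44 user=dave event=opened
2021-09-14T09:09:10 user=erin event=opened
2021-09-14T09:11:37 user=frank event=clicked
2021-09-14T09:12:02 user=frank event=clicked
2021-09-14T09:15:48 user=grace event=reported
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+)$")

# Funnel stages in order; reaching a later stage implies all earlier ones.
STAGES = ["delivered", "opened", "clicked", "submitted"]


def parse_events(text):
    """Group events by user, ignoring lines that do not match the format."""
    events = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.setdefault(m["user"], set()).add(m["event"])
    return events


def funnel(events):
    """Per-user funnel rates as percentages of users who received the email."""
    delivered = {u for u, ev in events.items() if "delivered" in ev}
    n = len(delivered)
    if n == 0:
        return {"users": 0}
    result = {"users": n}
    for i, stage in enumerate(STAGES[1:], start=1):
        # A user counts at this stage if any event at this stage or later exists.
        reached = {u for u in delivered if events[u] & set(STAGES[i:])}
        result[f"{stage}_pct"] = round(100 * len(reached) / n, 1)
    reported = {u for u in delivered if "reported" in events[u]}
    result["reported_pct"] = round(100 * len(reported) / n, 1)
    # Named list for follow-up training, not just a percentage.
    result["submitted_users"] = sorted(u for u in delivered if "submitted" in events[u])
    return result


if __name__ == "__main__":
    print(funnel(parse_events(EVENT_LOG)))
```

The reported rate is worth presenting next to the click rate: a campaign where reports outpace clicks shows a workforce that is acting as a detection control, which is the outcome the training is meant to produce.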
The CPA’s Role in Addressing Cybersecurity Risk
Cybersecurity Reporting Framework
Management's description of the entity's cybersecurity risk management program, prepared against suitable description criteria.
Management's assertion that the description is presented in accordance with those criteria and that the controls management implemented are operating effectively to achieve the entity's cybersecurity objectives.
The CPA's opinion on that description and on the effectiveness of the controls to meet the entity's cybersecurity objectives.
Center for Audit Quality 2017
The CPA’s Involvement with Auditing IT Controls
Center for Audit Quality 2017
How CPAs Promote Cybersecurity Resilience
Auditing standards require the auditor to obtain an understanding of how the company uses IT and the impact of IT on the financial statements.
Auditors consider whether other information, or the manner of its presentation, is materially inconsistent with the financial statements or contains a material misstatement of fact.
Auditors use a top-down approach to the audit of internal control over financial reporting (ICFR) to select the controls to test.
The auditor's focus is on access to, and changes to, systems and data.
Center for Audit Quality 2017
Cybersecurity Risk Management Oversight
Understanding How the Financial Statement Auditor Considers Cybersecurity Risk
SOX (2002) requires auditors to assess the effectiveness of the company's ICFR.
Provides points that board members with cybersecurity risk oversight may use when discussing the roles and responsibilities of the financial statement auditor related to cybersecurity risks.
Understanding the Role of Management and Responsibilities of the Financial Statement Auditor Related to Cybersecurity Disclosures
The SEC is focused on ensuring the adequacy of public company disclosures of cybersecurity risks and how those risks are managed.
Investor groups have also asked company boards to strive for transparency in reporting efforts to prevent and mitigate cyber threats.
Cybersecurity Risk Management Oversight
Understanding Management’s Approach to Cybersecurity Risk Management
Executives and board members are increasing their oversight of management's development, implementation, and monitoring of a comprehensive, enterprise-wide cybersecurity risk management program.
Disclosing how the board of directors engages with management on cybersecurity issues allows investors to assess how the board is discharging its risk oversight responsibility.
Cybersecurity Risk Management Oversight
Understanding How CPA Firms Can Assist Boards of Directors in Their Oversight of Cybersecurity Risk Management
The AICPA issued a cybersecurity risk management reporting framework in 2017.
The framework can be used by auditors as the basis for an attestation (examination) service.