Abstract image of a woman sitting on books and studying on a laptop

Auditing-Cybersecurity in the enterprise

Thilak Pathirage -Senior IT Gov and Risk Consultant, profile picture
Thilak Pathirage -Senior IT Gov and Risk Consultant

This article discusses approaches to assessing the adequacy of a firm's cybersecurity posture. It proposes that assessments should be conducted in phases focusing on attack vectors, using skilled assessors with a variety of tools. Assessments should take a risk-based approach, ensure patch management is adequate, review defense-in-depth strategies, and use standards like NIST SP 800-53 to test the actual security state. The assessments aim to identify vulnerabilities and ensure perimeter defenses and compliance-based strategies are updated to address evolving cyber risks.

Education
1 of 5
Download to read offline
1
2
3
4
5
1 ISACA JOURNAL VOLUME 1, 2016 Feature Information security risk has dramatically evolved; however, security strategies that are typically compliance-based and perimeter-oriented have not kept pace. Consequently, sophisticated intruders can bypass perimeter defenses to perpetrate attacks that are highly targeted and difficult to detect. This article discusses an approach to assess the adequacy of a firm’s cybersecurity posture. The results of the Global State of Information Security Survey published by PricewaterhouseCoopers (PwC) in September of 2013 show that while information security risk factors have dramatically evolved, security strategies that are typically compliance-based and perimeter-oriented have not kept pace.1 Consequently, sophisticated intruders can bypass perimeter defenses to perpetrate dynamic attacks that are highly targeted and difficult to detect. The results of the PwC survey suggest that today’s elevated risk landscape demands a new approach to security—one that is driven by knowledge of threats, assets and adversaries. Given the need for a strong cybersecurity posture, there have been various efforts to create cybersecurity standards. One such standard is ISO 27001, Information security management systems,2 which provides a set of specifications against which an organization can have its information security management system independently certified. ISO 27001 is tied to ISO 27002, Information technology—Security techniques—Code of practice for information security controls,3 which contains 39 control objectives for protecting information assets from threats to their confidentiality, integrity and availability. Each of the 39 objectives is then broken down into many specific controls. The standard does not require any specific controls to be implemented, but rather leaves it to the user to select those controls appropriate for their specific requirements. Another standard is the US National Institute of Standards and Technology’s (NIST) Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems and Organizations.4 NIST SP 800-53 identifies 198 security practices that are divided into 18 families and three classes. Each of these security practices has been mapped to ISO 27001. SP 800-53 defines three security baselines that provide a starting point for determining the security controls that should be implemented for low-impact, moderate-impact and high-impact IT systems. These baselines could serve as the basis for a risk-based security standard for various categories and subcategories of assets. In February 2013, recognizing that the national and economic security of the US depends on the reliable functioning of critical infrastructure, US President Barack Obama issued Executive Order 13636, Improving Critical Infrastructure Cybersecurity.5 The order directed NIST to work with stakeholders to develop a voluntary framework (based on existing standards, guidelines and practices) for reducing cyberrisk to critical infrastructure. NIST released the first version of the Framework for Improving Critical Infrastructure Cybersecurity on 12 February 2014.6 The framework, created through collaboration between industry and government, consists of standards, guidelines and practices to promote the protection of critical infrastructure. The prioritized, flexible, repeatable and cost-effective approach of the framework was designed to help owners and operators of critical infrastructure to manage cybersecurity-related risk. While the certified public accountant’s (CPA’s) external audit responsibilities do include the responsibility to assess security as part of certain engagements, such as audits of controls at service organizations, the CPA’s financial statement audits do not usually include the responsibility to assess cybersecurity. However, the internal IT audit function frequently does include the responsibility to assess cybersecurity. Indeed, assessing security is a key component of the Certified Information Systems Auditor® (CISA® ) job practice analysis, which reflects the responsibilities of IT auditors.7 Regarding cybersecurity assessment approaches, Martin Coe, DBA, CISA, CISM, CPA, is an accounting professor at Western Illinois University (USA). His research has been published in professional and academic journals and he is regarded as an expert in the fields of accounting, accounting information systems and information systems auditing. He is also the president of Vistabon, an IT auditing firm. Coe has managed information technology vulnerability assessments since 1998. Auditing Cybersecurity Do you have something to say about this article? Visit the Journal pages of the ISACA web site (www.isaca. org/journal), find the article and choose the Comments tab to share your thoughts. Go directly to the article:
2 ISACA JOURNAL VOLUME 1, 2016 IT audit standards include a procedure related to cybersecurity assessment. ISACA’s IS Auditing Procedure P8 Security Assessment—Penetration Testing and Vulnerability Analysis, (P8)8 provides scope and procedure guidance related to cybersecurity assessments. CYBERVULNERABILITY ASSESSMENT APPROACH Managing many cybervulnerability projects has revealed valuable insights into approaches used to assess a firm’s cybersecurity posture. Utilizing ISACA’s IS Auditing P8 offers an approach that focuses on attack vectors and has assessment phases for the relevant attack vectors (i.e., the Internet and the internal network). The assessment phases are typically conducted utilizing the Tenable Network Security Nessus vulnerability scanning tool (Nessus)9 combined with other assessment procedures. Nessus utilizes the Common Vulnerability Scoring System (CVSS) to facilitate risk assessment. A risk assessment requires a qualitative analysis of vulnerabilities within a network. The Forum of Incident Response and Security Teams (FIRST)10 created CVSS to normalize the methodology of analyzing risk. CVSS provides an open framework for communicating the characteristics and impacts of IT vulnerabilities. CVSS consists of three metric groups: base, temporal and environmental.11 The base metric represents the intrinsic qualities of a vulnerability. The temporal metric reflects the characteristics of a vulnerability that change over time. The environmental metric represents the characteristics of a vulnerability that are unique to any user’s environment. When the base metrics are assigned values by an analyst, the base equation computes a score ranging from 0.0 to 10.0 as illustrated in figure 1. The Nessus reports use the base metric group to aid in the performance of qualitative risk analysis.12 Vulnerabilities with a CVSS base score in the 7.0-10.0 range are critical, those in the 4.0-6.9 range are major, and those in the 0.0-3.9 range are minor. The CVSS scores correspond to the Tenable severity levels, which are: • 10.0 = Critical • 7.0-9.9 = High • 4.0-6.9 = Medium • 0.0-3.9 = Low At each severity level, the number of vulnerabilities is displayed along with the percentages of those vulnerabilities in each CVSS score grouping. The assessment team uses the Nessus results to identify hosts that warrant interrogation. In general, the team focuses on hosts that have vulnerabilities rated as medium, high or critical. The team then performs procedures to confirm the validity of the findings and rule out false positives. The team uses a variety of tools to assist in the interrogation of vulnerabilities. Another term for this aspect of the assessment is exploitation. Often the goal of exploitation is to gain control over a system. More specifically, an exploit is a way to leverage a Figure 1—CVSS Metrics and Equations Source: FIRST.Org, Inc., https://www.first.org/cvss/specification-document#i1.1. Reprinted with permission. CVSS Score Vector String 0 + 10 Base Metrics Temporal Metrics Environmental Metrics Exploit (AV, AC, PR, UI) Impact (C, I, A), S Temp (E, RL, RC) Optional Env (CR, IR, AR,…)
3 ISACA JOURNAL VOLUME 1, 2016 security flaw or circumvent security controls. The process can take many forms; however, the goal is usually to gain administrative access to a computer or device. The wide range of activities, tools and options related to exploitation make this step more of an art than a science. Indeed, exploitation is one of the most ambiguous phases of the cybersecurity assessment process. The reason for this is simple; each system is different and each target is unique. Depending on a multitude of factors, the attack vectors will vary from target to target, so skilled attackers have to understand the nuances of each system they are attempting to exploit.13 While the assessment approach discussed here is an effective way to assess cybersecurity, there are several propositions to improve the cybervulnerability assessment process. SKILLS AND TOOLS The assessment team needs to include skilled attackers who understand the nuances of each system they are attempting to exploit. For example, assessors should have a current and thorough understanding of security related to operating systems, firewalls, routers and other network devices. The team should also utilize a mix of tools to perform the assessment. For example, assessors should utilize a variety of programs to discover potential vulnerabilities and determine if the vulnerability can be exploited. • Proposition 1a—Cybersecurity assessments should require a step to ensure that assessors understand the nuances of each system they are attempting to exploit. • Proposition 1b—Cybersecurity assessments should require a step to ensure that assessors have a variety of tools at their disposal. RISK FOCUS It is important to eliminate false positives. Given the large number of vulnerabilities identified by Nessus, the task to eliminate false positives can be significant. The assessment team should utilize a risk-based approach to focus audit energy on areas of greatest risk. Such an approach is consistent with the NIST framework. • Proposition 2a—Cybersecurity assessments should be risk-based. • Proposition 2b—Cybersecurity assessments should require a step to ensure that false positives are eliminated. PATCH MANAGEMENT IT change and patch management can be defined as the set of processes executed within the organization’s IT department designed to manage the enhancements, updates, incremental fixes and patches to production systems, which include application code revisions, system upgrades and infrastructure changes.14 Patch management tasks include: • Maintaining current knowledge of available patches • Deciding what patches are appropriate for particular systems • Ensuring that patches are installed properly • Testing systems after installation • Documenting all associated procedures, such as specific configurations required Patches often are designed to fix security vulnerabilities. Indeed, many of the recommendations to address vulnerabilities identified in a cybersecurity assessment include the installation of a specific patch. Accordingly, implementing patch management practices such as a tactical, integrated and automated approach to handling vulnerabilities can boost a company’s cybersecurity posture. Likewise, successful patch management policies can also help with security audits and compliance audits. For example, continuous auditing routines could be developed to ensure that patches are applied on a timely basis. In response to increased cyberattacks, there is a need for models to focus limited administrator attention and build cases for additional resources. One proposed method is based on Markov-decision processes for the generation and graphical evaluation of relevant maintenance policies for cases with limited data availability.15 Since cybersecurity assessments provide security information by host, steps should be taken to categorize hosts (i.e., ordinary host with no sensitive data, critical host with sensitive data) to ensure that maintenance policies are directed toward the most critical hosts. • Proposition 3a—Cybersecurity assessments should include an assessment of patch management policies. ” “ Exploitation is one of the most ambiguous phases of the cybersecurity assessment process.The reason for this is simple; each system is different and each target is unique.
4 ISACA JOURNAL VOLUME 1, 2016 • Proposition 3b—Cybersecurity assessments should leverage continuous auditing procedures to ensure that patches are applied on a timely basis. • Proposition 3c—Cybersecurity assessments should categorize hosts to ensure that maintenance recommendations can be directed toward the most critical hosts. ATTACK VECTORS AND DEFENSE-IN-DEPTH Given that adversaries can attack a target from multiple points using either insiders or outsiders, an organization needs to deploy protection mechanisms at multiple locations to resist all classes of attacks. Defense-in-depth is a practical strategy for achieving information assurance in today’s highly networked environments.16 Accordingly, some information security postures utilize a defense-in-depth model. Such a model refers to the way hardware and software is configured to provide different levels of security. A defense-in-depth model recognizes that not all resources require the same level of security. In addition, this model can mitigate exposures that might otherwise exist. For example, if a server is vulnerable to an exploit because it is not able to be updated, a defense- in-depth layer can be added to mitigate the exposure. Accordingly, cybersecurity assessments should include a review of defense-in-depth security layers. Likewise, since a company may accept a risk related to one attack vector by relying on defense-in-depth, the assessment should include various exploitation paths to test defense-in-depth. • Proposition 4—Cybersecurity assessments should include a review of defense-in-depth security layers. • Proposition 4b—Cybersecurity assessments should include various exploitation paths to test defense-in-depth. STANDARDS Given the fact that a cybersecurity assessment should test an actual state against a desired state, it is necessary to have a standard against which to audit. At this point in time, NIST SP 800-53, Recommended Security Controls for Federal Information Systems and Organizations,17 which has been mapped to ISO 27001, is a logical standard to utilize. In addition, specific regulatory security standards that must be met for categories of assets or specific assets (e.g., ports/ services and default account requirements related to critical infrastructure protection assets) should be utilized. • Proposition 5a—Cybersecurity assessments should utilize standards such as NIST SP 800-53. • Proposition 5b—Cybersecurity assessments should utilize specific regulatory security standards that must be met for applicable categories of assets or specific assets. CONCLUSION Cybersecurity assessments should be conducted in phases and focus on attack vectors, as indicated in IS Auditing P8. In addition, cybersecurity assessments should include steps to ensure that the assessment team has adequate skills and tools to perform the assessment. The assessment should focus on the greatest risk and include steps to reduce false positives. Given the importance of patch management, assessments should include steps to assess the adequacy of patch management. Since attacks can come from multiple points, assessments should include a review of defense-in-depth security layers. Since cybersecurity assessments should test an actual state against a desired state, assessments should utilize standards. ENDNOTES 1 PricewaterhouseCoopers, The Global State of Information Security Survey 2013, USA, www.pwc.ru/en/riskassurance/publications/information- security-survey.html 2 International Organization for Standardization, ISO/IEC 27001, Information security management, www.iso.org/iso/home/standards/management-standards/ iso27001.htm 3 International Organization for Standardization, ISO 27002, Information technology—Security techniques—Code of practice for information security controls, www.iso.org/iso/home/store/catalogue_tc/ catalogue_detail.htm?csnumber=54533 4 National Institute of Standards and Technology, Security and Privacy Controls for Federal Information Systems and Organizations, SP 800-53, Revision 4, USA, 30 April 2013, http://csrc.nist.gov/publications/PubsSPs. html#800-53 5 National Archives and Records Administration, Executive Order 13636, Improving Critical Infrastructure Cybersecurity, USA, 19 February 2013, www.gpo.gov/ fdsys/pkg/FR-2013-02-19/pdf/2013-03915.pdf 6 National Institute for Standards and Technology, Framework for Improving Critical Infrastructure Cybersecurity, USA, 2014, www.nist.gov/ cyberframework/
5 ISACA JOURNAL VOLUME 1, 2016 7 ISACA® , Certified Information Systems Auditor Job Practice, USA, June 2011, www.isaca.org/Certification/ CISA-Certified-Information-Systems-Auditor/Job-Practice- Areas/Pages/CISA-Job-Practice-Areas.aspx 8 ISACA, IS Auditing Procedure P8, Security Assessment- Penetration Testing and Vulnerability Analysis, IS Standards, Guidelines and Procedures for Auditing and Control Professionals, USA,15 March 2008 9 Tenable Network Security, Nessus, www.tenable.com/ products/nessus-vulnerability-scanner 10 Forum of Incident Response and Security Teams, www.first.org/ 11 Mell, P.; K. Scarfone; “A Complete Guide to the Common Vulnerability Scoring System Version 2.0,” First.org, June 2007, www.first.org/cvss/cvss-v2-guide.pdf 12 Dumont, Cody; “Understanding Risk,” Tenable Network Security, 14 October 2014, www.tenable.com/ sc-dashboards/understanding-risk 13 Engebretson, Patrick; The Basics of Hacking and Penetration Testing: Ethical Hacking and Penetration Testing Made Easy, Elsevier, USA, 2013 14 Institute of Internal Auditors, Global Technology Audit Guide Change and Patch Management Controls: Critical for Organizational Success, 2012 15 Afful-Dadzie, A.; T. Allen; “Data-driven Cyber- vulnerability Maintenance Policies,” Journal of Quality Technology, vol. 46, no. 3, 2014, p. 234-250 16 National Security Agency, “Defense in Depth,” USA, www.nsa.gov/ia/_files/support/defenseindepth.pdf 17 Op cit, National Institute for Standards and Technology 2013

More Related Content

PDF
Vulnerability Management: A Comprehensive Overview
Steven Carlson
 
PDF
When to Implement a Vulnerability Assessment or Pen Test | IT Security & Risk...
Cam Fulton
 
PPTX
Security assessment isaca sv presentation jan 2016
EnterpriseGRC Solutions, Inc.
 
PPTX
Security assessment with a hint of CISSP Prep
EnterpriseGRC Solutions, Inc.
 
PDF
Cyber Risk Quantification | Safe Security
Rahul Tyagi
 
PPT
NH Bankers 10 08 07 Kamens
kamensm02
 
PPT
SLVA - Security monitoring and reporting itweb workshop
SLVA Information Security
 
PDF
Understanding Vulnerability Assessment.pdf
247 tech
 
Vulnerability Management: A Comprehensive Overview
Steven Carlson
 
When to Implement a Vulnerability Assessment or Pen Test | IT Security & Risk...
Cam Fulton
 
Security assessment isaca sv presentation jan 2016
EnterpriseGRC Solutions, Inc.
 
Security assessment with a hint of CISSP Prep
EnterpriseGRC Solutions, Inc.
 
Cyber Risk Quantification | Safe Security
Rahul Tyagi
 
NH Bankers 10 08 07 Kamens
kamensm02
 
SLVA - Security monitoring and reporting itweb workshop
SLVA Information Security
 
Understanding Vulnerability Assessment.pdf
247 tech
 

Similar to Auditing-Cybersecurity in the enterprise (20)

PPTX
PACE-IT, Security+3.7: Overview of Security Assessment Tools
Pace IT at Edmonds Community College
 
PPTX
Module 6.pptx
ssuser66c4d5
 
PPTX
Vapt life cycle
penetration Tester
 
PPTX
Cybersecurity Frameworks and You: The Perfect Match
McKonly & Asbury, LLP
 
PPTX
IT Best Practices IT Security Assessments 2010
Donald E. Hester
 
PPTX
10 fa it_security-1
adiloki
 
PPTX
Colorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptx
AkramAlqadasi1
 
PPT
M Kamens Iia Financial Services Presentation At Disney
kamensm02
 
PDF
Cybersecurity risk assessments help organizations identify.pdf
TheWalkerGroup1
 
PPT
Introduction_to_Security_Assessments.ppt
sudsdeep
 
PDF
Health-ISAC Risk-Based Approach to Vulnerability Prioritization [EN].pdf
Snarky Security
 
PPTX
ISAA PPt
RishabhAgrawal695188
 
PPTX
UNIT I PPT.pptxsdVDSVDAVDSBGVGNhfzgnnzgdngfh
Tejaswini Vontela
 
PPTX
Week 1&2 intro_ v2-upload
Vinoth Sn
 
PDF
Vulnerability scanning report by Tareq Hanaysha
Hanaysha
 
PDF
OSB50: Operational Security: State of the Union
Ivanti
 
PPTX
CISSP - Security Assessment
Karthikeyan Dhayalan
 
PDF
Top Security Challenges Facing Credit Unions Today
Chris Gates
 
PDF
System and Enterprise Security Project - Penetration Testing
Biagio Botticelli
 
PPTX
So You Want a Job in Cybersecurity
2nd Sight Lab
 
PACE-IT, Security+3.7: Overview of Security Assessment Tools
Pace IT at Edmonds Community College
 
Module 6.pptx
ssuser66c4d5
 
Vapt life cycle
penetration Tester
 
Cybersecurity Frameworks and You: The Perfect Match
McKonly & Asbury, LLP
 
IT Best Practices IT Security Assessments 2010
Donald E. Hester
 
10 fa it_security-1
adiloki
 
Colorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptx
AkramAlqadasi1
 
M Kamens Iia Financial Services Presentation At Disney
kamensm02
 
Cybersecurity risk assessments help organizations identify.pdf
TheWalkerGroup1
 
Introduction_to_Security_Assessments.ppt
sudsdeep
 
Health-ISAC Risk-Based Approach to Vulnerability Prioritization [EN].pdf
Snarky Security
 
ISAA PPt
RishabhAgrawal695188
 
UNIT I PPT.pptxsdVDSVDAVDSBGVGNhfzgnnzgdngfh
Tejaswini Vontela
 
Week 1&2 intro_ v2-upload
Vinoth Sn
 
Vulnerability scanning report by Tareq Hanaysha
Hanaysha
 
OSB50: Operational Security: State of the Union
Ivanti
 
CISSP - Security Assessment
Karthikeyan Dhayalan
 
Top Security Challenges Facing Credit Unions Today
Chris Gates
 
System and Enterprise Security Project - Penetration Testing
Biagio Botticelli
 
So You Want a Job in Cybersecurity
2nd Sight Lab
 
Ad

More from Thilak Pathirage -Senior IT Gov and Risk Consultant (12)

PDF
Cybersecurity-Audit-A-Case-Study-for-SME.pdf
Thilak Pathirage -Senior IT Gov and Risk Consultant
 
PDF
ISACA Cyber-Audit-Certificate-Exam-Guide_Eng_0819.pdf
Thilak Pathirage -Senior IT Gov and Risk Consultant
 
PDF
ISACA Cybersecurity Audit course brochure
Thilak Pathirage -Senior IT Gov and Risk Consultant
 
PDF
Capability_Assessment_of_IT_Governance_Using_the_2.pdf
Thilak Pathirage -Senior IT Gov and Risk Consultant
 
PDF
cobit 2019 -current-user - ISACA Publication
Thilak Pathirage -Senior IT Gov and Risk Consultant
 
PDF
Introduction to ISACA COBIT-2019 Framwork.pdf
Thilak Pathirage -Senior IT Gov and Risk Consultant
 
PDF
Social media-assessment
Thilak Pathirage -Senior IT Gov and Risk Consultant
 
PPT
Sql securitytesting
Thilak Pathirage -Senior IT Gov and Risk Consultant
 
PDF
Cissp nda
Thilak Pathirage -Senior IT Gov and Risk Consultant
 
PDF
Risk based it auditing for non it auditors (basics of it auditing) final 12
Thilak Pathirage -Senior IT Gov and Risk Consultant
 
PDF
314
Thilak Pathirage -Senior IT Gov and Risk Consultant
 
PDF
Composite indicators
Thilak Pathirage -Senior IT Gov and Risk Consultant
 
Cybersecurity-Audit-A-Case-Study-for-SME.pdf
Thilak Pathirage -Senior IT Gov and Risk Consultant
 
ISACA Cyber-Audit-Certificate-Exam-Guide_Eng_0819.pdf
Thilak Pathirage -Senior IT Gov and Risk Consultant
 
ISACA Cybersecurity Audit course brochure
Thilak Pathirage -Senior IT Gov and Risk Consultant
 
Capability_Assessment_of_IT_Governance_Using_the_2.pdf
Thilak Pathirage -Senior IT Gov and Risk Consultant
 
cobit 2019 -current-user - ISACA Publication
Thilak Pathirage -Senior IT Gov and Risk Consultant
 
Introduction to ISACA COBIT-2019 Framwork.pdf
Thilak Pathirage -Senior IT Gov and Risk Consultant
 
Social media-assessment
Thilak Pathirage -Senior IT Gov and Risk Consultant
 
Sql securitytesting
Thilak Pathirage -Senior IT Gov and Risk Consultant
 
Cissp nda
Thilak Pathirage -Senior IT Gov and Risk Consultant
 
Risk based it auditing for non it auditors (basics of it auditing) final 12
Thilak Pathirage -Senior IT Gov and Risk Consultant
 
314
Thilak Pathirage -Senior IT Gov and Risk Consultant
 
Composite indicators
Thilak Pathirage -Senior IT Gov and Risk Consultant
 
Ad

Recently uploaded (20)

PDF
Horaris_Grups_25-26_Definitiu_15_07_25.pdf
rpujol11
 
PDF
CAT 2024 VARC One - Shot Revision Marathon by Shabana.pptx.pdf
VaibhavBhardwaj394603
 
PDF
WHAT NURSES SAY_ COMMUNICATION BEHAVIORS ASSOCIATED WITH THE COMP.pdf
shaheraharby
 
PDF
BSc-Zoology-02Sem-DrVijay-Comparative anatomy of vertebrates.pdf
ps6013234
 
PDF
Health aspects of bilberry: A review on its general benefits
Open Access Research Paper
 
PDF
Compact First Student's Book Cambridge Official
TunHng48
 
PPTX
2025 High Blood Pressure Guideline Slide Set.pptx
Ramesh Kumar
 
PPTX
Neurological complocations of systemic disease
BisratAlex2
 
PPTX
BSCE 2 NIGHT (CHAPTER 2) just cases.pptx
TristanLimotan
 
PDF
Hospital Case Study .architecture design
Amlan Priyadarshan
 
PPTX
Key-Features-of-the-SHS-Program-v4-Slides (3) PPT2.pptx
abdurakibtingsonjali
 
PPT
hemostasis and its significance, physiology
rakshasb
 
PPTX
Neurology of Systemic disease all systems
BisratAlex2
 
PDF
fundamentals-of-heat-and-mass-transfer-6th-edition_incropera.pdf
gloryjsingh
 
PPTX
Diploma pharmaceutics notes..helps diploma students
zonuntluangimph
 
PDF
Disorder of Endocrine system (1).pdfyyhyyyy
[email protected]
 
PPTX
MMW-CHAPTER-1-final.pptx major Elementary Education
kimberlydespair4
 
PPTX
Power Point PR B.Inggris 12 Ed. 2019.pptx
FirdaFauziah14
 
PDF
faiz-khans about Radiotherapy Physics-02.pdf
FrancisKazoba
 
PPTX
ACFE CERTIFICATION TRAINING ON LAW.pptx
Godwin Emmanuel Oyedokun MBA MSc PhD FCA FCTI FCNA CFE FFAR
 
Horaris_Grups_25-26_Definitiu_15_07_25.pdf
rpujol11
 
CAT 2024 VARC One - Shot Revision Marathon by Shabana.pptx.pdf
VaibhavBhardwaj394603
 
WHAT NURSES SAY_ COMMUNICATION BEHAVIORS ASSOCIATED WITH THE COMP.pdf
shaheraharby
 
BSc-Zoology-02Sem-DrVijay-Comparative anatomy of vertebrates.pdf
ps6013234
 
Health aspects of bilberry: A review on its general benefits
Open Access Research Paper
 
Compact First Student's Book Cambridge Official
TunHng48
 
2025 High Blood Pressure Guideline Slide Set.pptx
Ramesh Kumar
 
Neurological complocations of systemic disease
BisratAlex2
 
BSCE 2 NIGHT (CHAPTER 2) just cases.pptx
TristanLimotan
 
Hospital Case Study .architecture design
Amlan Priyadarshan
 
Key-Features-of-the-SHS-Program-v4-Slides (3) PPT2.pptx
abdurakibtingsonjali
 
hemostasis and its significance, physiology
rakshasb
 
Neurology of Systemic disease all systems
BisratAlex2
 
fundamentals-of-heat-and-mass-transfer-6th-edition_incropera.pdf
gloryjsingh
 
Diploma pharmaceutics notes..helps diploma students
zonuntluangimph
 
Disorder of Endocrine system (1).pdfyyhyyyy
[email protected]
 
MMW-CHAPTER-1-final.pptx major Elementary Education
kimberlydespair4
 
Power Point PR B.Inggris 12 Ed. 2019.pptx
FirdaFauziah14
 
faiz-khans about Radiotherapy Physics-02.pdf
FrancisKazoba
 
ACFE CERTIFICATION TRAINING ON LAW.pptx
Godwin Emmanuel Oyedokun MBA MSc PhD FCA FCTI FCNA CFE FFAR
 

Auditing-Cybersecurity in the enterprise

  • 1. 1 ISACA JOURNAL VOLUME 1, 2016 Feature Information security risk has dramatically evolved; however, security strategies that are typically compliance-based and perimeter-oriented have not kept pace. Consequently, sophisticated intruders can bypass perimeter defenses to perpetrate attacks that are highly targeted and difficult to detect. This article discusses an approach to assess the adequacy of a firm’s cybersecurity posture. The results of the Global State of Information Security Survey published by PricewaterhouseCoopers (PwC) in September of 2013 show that while information security risk factors have dramatically evolved, security strategies that are typically compliance-based and perimeter-oriented have not kept pace.1 Consequently, sophisticated intruders can bypass perimeter defenses to perpetrate dynamic attacks that are highly targeted and difficult to detect. The results of the PwC survey suggest that today’s elevated risk landscape demands a new approach to security—one that is driven by knowledge of threats, assets and adversaries. Given the need for a strong cybersecurity posture, there have been various efforts to create cybersecurity standards. One such standard is ISO 27001, Information security management systems,2 which provides a set of specifications against which an organization can have its information security management system independently certified. ISO 27001 is tied to ISO 27002, Information technology—Security techniques—Code of practice for information security controls,3 which contains 39 control objectives for protecting information assets from threats to their confidentiality, integrity and availability. Each of the 39 objectives is then broken down into many specific controls. The standard does not require any specific controls to be implemented, but rather leaves it to the user to select those controls appropriate for their specific requirements. Another standard is the US National Institute of Standards and Technology’s (NIST) Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems and Organizations.4 NIST SP 800-53 identifies 198 security practices that are divided into 18 families and three classes. Each of these security practices has been mapped to ISO 27001. SP 800-53 defines three security baselines that provide a starting point for determining the security controls that should be implemented for low-impact, moderate-impact and high-impact IT systems. These baselines could serve as the basis for a risk-based security standard for various categories and subcategories of assets. In February 2013, recognizing that the national and economic security of the US depends on the reliable functioning of critical infrastructure, US President Barack Obama issued Executive Order 13636, Improving Critical Infrastructure Cybersecurity.5 The order directed NIST to work with stakeholders to develop a voluntary framework (based on existing standards, guidelines and practices) for reducing cyberrisk to critical infrastructure. NIST released the first version of the Framework for Improving Critical Infrastructure Cybersecurity on 12 February 2014.6 The framework, created through collaboration between industry and government, consists of standards, guidelines and practices to promote the protection of critical infrastructure. The prioritized, flexible, repeatable and cost-effective approach of the framework was designed to help owners and operators of critical infrastructure to manage cybersecurity-related risk. While the certified public accountant’s (CPA’s) external audit responsibilities do include the responsibility to assess security as part of certain engagements, such as audits of controls at service organizations, the CPA’s financial statement audits do not usually include the responsibility to assess cybersecurity. However, the internal IT audit function frequently does include the responsibility to assess cybersecurity. Indeed, assessing security is a key component of the Certified Information Systems Auditor® (CISA® ) job practice analysis, which reflects the responsibilities of IT auditors.7 Regarding cybersecurity assessment approaches, Martin Coe, DBA, CISA, CISM, CPA, is an accounting professor at Western Illinois University (USA). His research has been published in professional and academic journals and he is regarded as an expert in the fields of accounting, accounting information systems and information systems auditing. He is also the president of Vistabon, an IT auditing firm. Coe has managed information technology vulnerability assessments since 1998. Auditing Cybersecurity Do you have something to say about this article? Visit the Journal pages of the ISACA web site (www.isaca. org/journal), find the article and choose the Comments tab to share your thoughts. Go directly to the article:
  • 2. 2 ISACA JOURNAL VOLUME 1, 2016 IT audit standards include a procedure related to cybersecurity assessment. ISACA’s IS Auditing Procedure P8 Security Assessment—Penetration Testing and Vulnerability Analysis, (P8)8 provides scope and procedure guidance related to cybersecurity assessments. CYBERVULNERABILITY ASSESSMENT APPROACH Managing many cybervulnerability projects has revealed valuable insights into approaches used to assess a firm’s cybersecurity posture. Utilizing ISACA’s IS Auditing P8 offers an approach that focuses on attack vectors and has assessment phases for the relevant attack vectors (i.e., the Internet and the internal network). The assessment phases are typically conducted utilizing the Tenable Network Security Nessus vulnerability scanning tool (Nessus)9 combined with other assessment procedures. Nessus utilizes the Common Vulnerability Scoring System (CVSS) to facilitate risk assessment. A risk assessment requires a qualitative analysis of vulnerabilities within a network. The Forum of Incident Response and Security Teams (FIRST)10 created CVSS to normalize the methodology of analyzing risk. CVSS provides an open framework for communicating the characteristics and impacts of IT vulnerabilities. CVSS consists of three metric groups: base, temporal and environmental.11 The base metric represents the intrinsic qualities of a vulnerability. The temporal metric reflects the characteristics of a vulnerability that change over time. The environmental metric represents the characteristics of a vulnerability that are unique to any user’s environment. When the base metrics are assigned values by an analyst, the base equation computes a score ranging from 0.0 to 10.0 as illustrated in figure 1. The Nessus reports use the base metric group to aid in the performance of qualitative risk analysis.12 Vulnerabilities with a CVSS base score in the 7.0-10.0 range are critical, those in the 4.0-6.9 range are major, and those in the 0.0-3.9 range are minor. The CVSS scores correspond to the Tenable severity levels, which are: • 10.0 = Critical • 7.0-9.9 = High • 4.0-6.9 = Medium • 0.0-3.9 = Low At each severity level, the number of vulnerabilities is displayed along with the percentages of those vulnerabilities in each CVSS score grouping. The assessment team uses the Nessus results to identify hosts that warrant interrogation. In general, the team focuses on hosts that have vulnerabilities rated as medium, high or critical. The team then performs procedures to confirm the validity of the findings and rule out false positives. The team uses a variety of tools to assist in the interrogation of vulnerabilities. Another term for this aspect of the assessment is exploitation. Often the goal of exploitation is to gain control over a system. More specifically, an exploit is a way to leverage a Figure 1—CVSS Metrics and Equations Source: FIRST.Org, Inc., https://www.first.org/cvss/specification-document#i1.1. Reprinted with permission. CVSS Score Vector String 0 + 10 Base Metrics Temporal Metrics Environmental Metrics Exploit (AV, AC, PR, UI) Impact (C, I, A), S Temp (E, RL, RC) Optional Env (CR, IR, AR,…)
  • 3. 3 ISACA JOURNAL VOLUME 1, 2016 security flaw or circumvent security controls. The process can take many forms; however, the goal is usually to gain administrative access to a computer or device. The wide range of activities, tools and options related to exploitation make this step more of an art than a science. Indeed, exploitation is one of the most ambiguous phases of the cybersecurity assessment process. The reason for this is simple; each system is different and each target is unique. Depending on a multitude of factors, the attack vectors will vary from target to target, so skilled attackers have to understand the nuances of each system they are attempting to exploit.13 While the assessment approach discussed here is an effective way to assess cybersecurity, there are several propositions to improve the cybervulnerability assessment process. SKILLS AND TOOLS The assessment team needs to include skilled attackers who understand the nuances of each system they are attempting to exploit. For example, assessors should have a current and thorough understanding of security related to operating systems, firewalls, routers and other network devices. The team should also utilize a mix of tools to perform the assessment. For example, assessors should utilize a variety of programs to discover potential vulnerabilities and determine if the vulnerability can be exploited. • Proposition 1a—Cybersecurity assessments should require a step to ensure that assessors understand the nuances of each system they are attempting to exploit. • Proposition 1b—Cybersecurity assessments should require a step to ensure that assessors have a variety of tools at their disposal. RISK FOCUS It is important to eliminate false positives. Given the large number of vulnerabilities identified by Nessus, the task to eliminate false positives can be significant. The assessment team should utilize a risk-based approach to focus audit energy on areas of greatest risk. Such an approach is consistent with the NIST framework. • Proposition 2a—Cybersecurity assessments should be risk-based. • Proposition 2b—Cybersecurity assessments should require a step to ensure that false positives are eliminated. PATCH MANAGEMENT IT change and patch management can be defined as the set of processes executed within the organization’s IT department designed to manage the enhancements, updates, incremental fixes and patches to production systems, which include application code revisions, system upgrades and infrastructure changes.14 Patch management tasks include: • Maintaining current knowledge of available patches • Deciding what patches are appropriate for particular systems • Ensuring that patches are installed properly • Testing systems after installation • Documenting all associated procedures, such as specific configurations required Patches often are designed to fix security vulnerabilities. Indeed, many of the recommendations to address vulnerabilities identified in a cybersecurity assessment include the installation of a specific patch. Accordingly, implementing patch management practices such as a tactical, integrated and automated approach to handling vulnerabilities can boost a company’s cybersecurity posture. Likewise, successful patch management policies can also help with security audits and compliance audits. For example, continuous auditing routines could be developed to ensure that patches are applied on a timely basis. In response to increased cyberattacks, there is a need for models to focus limited administrator attention and build cases for additional resources. One proposed method is based on Markov-decision processes for the generation and graphical evaluation of relevant maintenance policies for cases with limited data availability.15 Since cybersecurity assessments provide security information by host, steps should be taken to categorize hosts (i.e., ordinary host with no sensitive data, critical host with sensitive data) to ensure that maintenance policies are directed toward the most critical hosts. • Proposition 3a—Cybersecurity assessments should include an assessment of patch management policies. ” “ Exploitation is one of the most ambiguous phases of the cybersecurity assessment process.The reason for this is simple; each system is different and each target is unique.
  • 4. 4 ISACA JOURNAL VOLUME 1, 2016 • Proposition 3b—Cybersecurity assessments should leverage continuous auditing procedures to ensure that patches are applied on a timely basis. • Proposition 3c—Cybersecurity assessments should categorize hosts to ensure that maintenance recommendations can be directed toward the most critical hosts. ATTACK VECTORS AND DEFENSE-IN-DEPTH Given that adversaries can attack a target from multiple points using either insiders or outsiders, an organization needs to deploy protection mechanisms at multiple locations to resist all classes of attacks. Defense-in-depth is a practical strategy for achieving information assurance in today’s highly networked environments.16 Accordingly, some information security postures utilize a defense-in-depth model. Such a model refers to the way hardware and software is configured to provide different levels of security. A defense-in-depth model recognizes that not all resources require the same level of security. In addition, this model can mitigate exposures that might otherwise exist. For example, if a server is vulnerable to an exploit because it is not able to be updated, a defense- in-depth layer can be added to mitigate the exposure. Accordingly, cybersecurity assessments should include a review of defense-in-depth security layers. Likewise, since a company may accept a risk related to one attack vector by relying on defense-in-depth, the assessment should include various exploitation paths to test defense-in-depth. • Proposition 4—Cybersecurity assessments should include a review of defense-in-depth security layers. • Proposition 4b—Cybersecurity assessments should include various exploitation paths to test defense-in-depth. STANDARDS Given the fact that a cybersecurity assessment should test an actual state against a desired state, it is necessary to have a standard against which to audit. At this point in time, NIST SP 800-53, Recommended Security Controls for Federal Information Systems and Organizations,17 which has been mapped to ISO 27001, is a logical standard to utilize. In addition, specific regulatory security standards that must be met for categories of assets or specific assets (e.g., ports/ services and default account requirements related to critical infrastructure protection assets) should be utilized. • Proposition 5a—Cybersecurity assessments should utilize standards such as NIST SP 800-53. • Proposition 5b—Cybersecurity assessments should utilize specific regulatory security standards that must be met for applicable categories of assets or specific assets. CONCLUSION Cybersecurity assessments should be conducted in phases and focus on attack vectors, as indicated in IS Auditing P8. In addition, cybersecurity assessments should include steps to ensure that the assessment team has adequate skills and tools to perform the assessment. The assessment should focus on the greatest risk and include steps to reduce false positives. Given the importance of patch management, assessments should include steps to assess the adequacy of patch management. Since attacks can come from multiple points, assessments should include a review of defense-in-depth security layers. Since cybersecurity assessments should test an actual state against a desired state, assessments should utilize standards. ENDNOTES 1 PricewaterhouseCoopers, The Global State of Information Security Survey 2013, USA, www.pwc.ru/en/riskassurance/publications/information- security-survey.html 2 International Organization for Standardization, ISO/IEC 27001, Information security management, www.iso.org/iso/home/standards/management-standards/ iso27001.htm 3 International Organization for Standardization, ISO 27002, Information technology—Security techniques—Code of practice for information security controls, www.iso.org/iso/home/store/catalogue_tc/ catalogue_detail.htm?csnumber=54533 4 National Institute of Standards and Technology, Security and Privacy Controls for Federal Information Systems and Organizations, SP 800-53, Revision 4, USA, 30 April 2013, http://csrc.nist.gov/publications/PubsSPs. html#800-53 5 National Archives and Records Administration, Executive Order 13636, Improving Critical Infrastructure Cybersecurity, USA, 19 February 2013, www.gpo.gov/ fdsys/pkg/FR-2013-02-19/pdf/2013-03915.pdf 6 National Institute for Standards and Technology, Framework for Improving Critical Infrastructure Cybersecurity, USA, 2014, www.nist.gov/ cyberframework/
  • 5. 5 ISACA JOURNAL VOLUME 1, 2016 7 ISACA® , Certified Information Systems Auditor Job Practice, USA, June 2011, www.isaca.org/Certification/ CISA-Certified-Information-Systems-Auditor/Job-Practice- Areas/Pages/CISA-Job-Practice-Areas.aspx 8 ISACA, IS Auditing Procedure P8, Security Assessment- Penetration Testing and Vulnerability Analysis, IS Standards, Guidelines and Procedures for Auditing and Control Professionals, USA,15 March 2008 9 Tenable Network Security, Nessus, www.tenable.com/ products/nessus-vulnerability-scanner 10 Forum of Incident Response and Security Teams, www.first.org/ 11 Mell, P.; K. Scarfone; “A Complete Guide to the Common Vulnerability Scoring System Version 2.0,” First.org, June 2007, www.first.org/cvss/cvss-v2-guide.pdf 12 Dumont, Cody; “Understanding Risk,” Tenable Network Security, 14 October 2014, www.tenable.com/ sc-dashboards/understanding-risk 13 Engebretson, Patrick; The Basics of Hacking and Penetration Testing: Ethical Hacking and Penetration Testing Made Easy, Elsevier, USA, 2013 14 Institute of Internal Auditors, Global Technology Audit Guide Change and Patch Management Controls: Critical for Organizational Success, 2012 15 Afful-Dadzie, A.; T. Allen; “Data-driven Cyber- vulnerability Maintenance Policies,” Journal of Quality Technology, vol. 46, no. 3, 2014, p. 234-250 16 National Security Agency, “Defense in Depth,” USA, www.nsa.gov/ia/_files/support/defenseindepth.pdf 17 Op cit, National Institute for Standards and Technology 2013