
TIPS FOR AUDITING

CYBERSECURITY
Dr. Vilius Benetis, ISACA Lithuania Chapter, NRD CS
18 October 2016

2016 ISACA. All Rights Reserved

TODAY'S SPEAKER

Dr. Vilius Benetis


Cybersecurity Practice Leader
Norway Registers Development
(NRD Cybersecurity)
ISACA Lithuania Chapter

AGENDA
Tip #0: please enable strong authentication on your personal accounts
(Google, Facebook, Evernote, Office 365, Dropbox, ...)
Read more: https://twofactorauth.org/
Tip #1 on Clarification on Cybersecurity Domain
Tip #2 on Auditing Process and Cybersecurity
Tip #3 on CIS Critical Security Controls
Tip #4 on Auditing Cybersecurity Skills


#1 ON CLARIFICATION ON
CYBERSECURITY DOMAIN


GOOGLE IT:
CYBERSECURITY
DEFINITION
Where do we start?
Let's ground the terms


ISO 27032:


ISO 27032 (&):
SECURITY CONCEPTS AND TECHNIQUES


#1 ON CLARIFICATION ON CYBERSECURITY DOMAIN


1. Are you sure you want to limit the scope to Cybersecurity,
and not to e-Information Security?
2. Please adjust the terms to fit your organisation


#2 ON AUDITING PROCESS AND CYBERSECURITY


[Figure: audit program flow, from "Automation of business functions" to an example audit objective, "Assess org./IS resilience to cyber threats"]

From ISACA publication:
Information Systems Auditing: Tools and Techniques - Creating Audit Programs


#3 ON CIS CRITICAL SECURITY CONTROLS


CIS CRITICAL SECURITY CONTROLS (V6.1)
(number in parentheses: the control's number in the previous version, v5)

1: Inventory of Authorized and Unauthorized Devices
2: Inventory of Authorized and Unauthorized Software
3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
4: Continuous Vulnerability Assessment and Remediation
5: Controlled Use of Administrative Privileges (12)
6: Maintenance, Monitoring, and Analysis of Audit Logs (14)
7: Email and Web Browser Protections (new)
8: Malware Defenses (5)
9: Limitation and Control of Network Ports, Protocols, and Services (11)
10: Data Recovery Capability (8)
11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches (10)
12: Boundary Defense (13)
13: Data Protection (17)
14: Controlled Access Based on the Need to Know (15)
15: Wireless Access Control (7)
16: Account Monitoring and Control (16)
17: Security Skills Assessment and Appropriate Training to Fill Gaps (9)
18: Application Software Security (6)
19: Incident Response and Management (18)
20: Penetration Tests and Red Team Exercises (20)


THE FIVE CRITICAL TENETS OF CYBER DEFENSE:


1. Offense informs defense
2. Prioritization
3. Metrics
4. Continuous diagnostics and mitigation
5. Automation


CSC 1:
INVENTORY OF AUTHORIZED AND UNAUTHORIZED DEVICES

Actively manage (inventory, track, and correct) all hardware devices on the network so that:
- only authorized devices are given access, and
- unauthorized and unmanaged devices are:
  - found, and
  - prevented from gaining access.


CSC 1:
INVENTORY OF AUTHORIZED AND UNAUTHORIZED DEVICES
1.1 Deploy an automated asset inventory discovery tool and use it to build a
preliminary inventory of systems connected to an organization's public and
private network(s). Both active tools that scan through IPv4 or IPv6 network
address ranges and passive tools that identify hosts by analyzing their
traffic should be employed.
1.2 If the organization is dynamically assigning addresses using DHCP, then
deploy dynamic host configuration protocol (DHCP) server logging, and use
this information to improve the asset inventory and help detect unknown
systems.
1.3 Ensure that all equipment acquisitions automatically update the inventory
system as new, approved devices are connected to the network.


CSC 1:
INVENTORY OF AUTHORIZED AND UNAUTHORIZED DEVICES
1.4 Maintain an asset inventory of all systems connected to the network and of the network devices
themselves, recording at least the network addresses, machine name(s), purpose of each
system, an asset owner responsible for each device, and the department associated with
each device. The inventory should include every system that has an Internet Protocol (IP)
address on the network, including but not limited to desktops, laptops, servers, network
equipment (routers, switches, firewalls, etc.), printers, storage area networks, Voice-over-IP
telephones, multi-homed addresses, virtual addresses, etc. The asset inventory created must
also record whether the device is a portable and/or personal device. Devices such as
mobile phones, tablets, laptops, and other portable electronic devices that store or process
data must be identified, regardless of whether they are attached to the organization's
network.
1.5 Deploy network level authentication via 802.1x to limit and control which devices can be
connected to the network. The 802.1x deployment must be tied into the inventory data to determine
authorized versus unauthorized systems.

CSC 1:
INVENTORY OF AUTHORIZED AND UNAUTHORIZED DEVICES
ID  | Metric                                                                                                                                          | Lower Risk Threshold | Moderate Risk Threshold | Higher Risk Threshold
1.1 | How many unauthorized devices are presently on the organization's network (by business unit)?                                                   | Less than 1%         | 1%-4%                   | 5%-10%
1.2 | How long, on average, does it take to remove unauthorized devices from the organization's network (by business unit)?                           | 60 Minutes           | 1,440 Minutes (1 Day)   | 10,080 Minutes (1 Week)
1.3 | What is the percentage of systems on the organization's network that are not utilizing Network Level Authentication (NLA) to authenticate to the organization's network (by business unit)? | Less than 1% | 1%-4% | 5%-10%
1.5 | How long does it take to detect new devices added to the organization's network (time in minutes - by business unit)?                           | 60 Minutes           | 1,440 Minutes (1 Day)   | 10,080 Minutes (1 Week)
1.6 | How long does it take to isolate/remove unauthorized devices from the organization's network (time in minutes - by business unit)?              | 60 Minutes           | 1,440 Minutes (1 Day)   | 10,080 Minutes (1 Week)
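As an added example (not from the deck or from CIS), the following Python reconciles DHCP server log lines against an asset inventory, in the spirit of sub-controls 1.2 and 1.4, and grades the resulting metric 1.1 value against the thresholds in the table above. The dhcpd-style log format, the inventory fields and all device values are constructed assumptions.

```python
import re
# Constructed inventory keyed by MAC, carrying the CSC 1.4 fields (name, purpose, owner, department).
AUTHORIZED = {
    "00:11:22:33:44:01": {"name": "fin-ws-01", "purpose": "workstation", "owner": "A. Smith", "dept": "Finance"},
    "00:11:22:33:44:02": {"name": "fin-prn-01", "purpose": "printer", "owner": "A. Smith", "dept": "Finance"},
    "00:11:22:33:44:03": {"name": "hr-ws-07", "purpose": "workstation", "owner": "B. Jones", "dept": "HR"},
}

# Constructed DHCP server log lines in ISC dhcpd syslog style (assumed format; CSC 1.2 logging).
DHCP_LOG = """\
Oct 18 09:01:02 dhcp dhcpd: DHCPACK on 10.0.1.21 to 00:11:22:33:44:01 (fin-ws-01) via eth0
Oct 18 09:01:15 dhcp dhcpd: DHCPACK on 10.0.1.22 to 00:11:22:33:44:02 via eth0
Oct 18 09:02:40 dhcp dhcpd: DHCPACK on 10.0.1.23 to 00:11:22:33:44:03 (hr-ws-07) via eth0
Oct 18 09:03:11 dhcp dhcpd: DHCPACK on 10.0.1.99 to de:ad:be:ef:00:01 (android-7f3a) via eth0
"""
ACK_RE = re.compile(r"DHCPACK on (\S+) to ([0-9a-f:]{17})(?: \((\S+)\))?", re.I)

def leases(log: str) -> dict:
    """Map every MAC that received a DHCPACK to its latest (ip, hostname)."""
    seen = {}
    for line in log.splitlines():
        m = ACK_RE.search(line)
        if m:
            seen[m.group(2).lower()] = (m.group(1), m.group(3) or "")
    return seen

def unauthorized_devices(log: str, inventory: dict) -> dict:
    """Leased devices absent from the asset inventory: the 'unknown systems' of CSC 1.2."""
    return {mac: v for mac, v in leases(log).items() if mac not in inventory}

def unauthorized_percent(log: str, inventory: dict) -> float:
    """Metric 1.1: share of devices seen on the network that are not in the inventory."""
    seen = leases(log)
    return 100.0 * len(unauthorized_devices(log, inventory)) / len(seen) if seen else 0.0

def risk_tier(percent: float) -> str:
    """Grade metric 1.1 with the deck's thresholds: <1% lower, 1-4% moderate, 5-10% higher."""
    if percent < 1.0:
        return "Lower Risk"
    if percent <= 4.0:
        return "Moderate Risk"
    if percent <= 10.0:
        return "Higher Risk"
    return "Above Higher Risk threshold"

if __name__ == "__main__":
    for mac, (ip, host) in unauthorized_devices(DHCP_LOG, AUTHORIZED).items():
        print(f"unknown device {mac} at {ip} ({host or 'no hostname'})")
    pct = unauthorized_percent(DHCP_LOG, AUTHORIZED)
    print(f"{pct:.1f}% of leased devices unauthorized -> {risk_tier(pct)}")
```

The same reconciliation run against a real inventory export and a day of DHCP logs gives the auditor evidence for metrics 1.1 and 1.5 rather than a questionnaire answer.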

Relationship to COBIT processes


#4 ON AUDITING
CYBERSECURITY SKILLS


Should we include a skills audit?

1) Risk: lack of skilled people
2) Skills required to assess

Methodologies (NICE, CSC, eCF, SFIA)

[Figure: audit program flow, from "Automation of business functions" to an example audit objective, "Assess org/IS resilience to cyber threats"]


CYBERSECURITY/ICT SKILLS MODELS


1. NIST NICE - United States
2. e-CF - European Union / Dutch
3. SFIA 6 - United Kingdom


ADDITIONAL REASONS FOR SKILLS AUDIT


HR:
Re-organization preparation: which skillsets do we need to plan for?
Which skillset should we hire?
CISO office:
Information security should be handled better. Which skills are
missing?
Career planning:
What should I focus on for my cybersecurity career?

HOW TO RUN A SKILLS AUDIT?


Simplest:
Ask: which skills are missing to reach the goals?
Medium:
Inventory/assess existing skills via questionnaires (list the competences,
ask people to self-assess)
Sophisticated:
Run serious tests to assess the skills


OUTPUT OF SKILLS AUDIT


Simplest:
List of skills/competences and who covers each of them
Items that nobody covers are the missing competences
Medium:
Skills/competences with the required levels and the levels
actually fulfilled
The gap is visible
Sophisticated:
Detailed report by professional skills assessors

SUMMARY
Tip #1 on Clarification on Cybersecurity Domain
Tip #2 on Auditing Process and Cybersecurity
Tip #3 on CIS Critical Security Controls
Tip #4 on Auditing Cybersecurity Skills
& Tip #0: please enable strong authentication on your personal accounts


RELEVANT RESOURCES:
1. SFIA: https://www.sfia-online.org
2. NIST NICE: http://csrc.nist.gov/nice/
3. CIS CSC: https://www.cisecurity.org/critical-controls/
4. ISO 27032: http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=44375
5. http://www.isaca.org/KnowledgeCenter/Research/ResearchDeliverables/Pages/InformationSystems-Auditing-Tools-and-Techniques-Creating-AuditPrograms.aspx

Questions?


THIS TRAINING CONTENT (CONTENT) IS PROVIDED TO YOU WITHOUT WARRANTY, AS IS AND WITH ALL
FAULTS. ISACA MAKES NO REPRESENTATIONS OR WARRANTIES EXPRESS OR IMPLIED, INCLUDING
THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR PERFORMANCE, AND NONINFRINGEMENT, ALL OF WHICH ARE HEREBY EXPRESSLY DISCLAIMED.
YOU ASSUME THE ENTIRE RISK FOR USE OF THE CONTENT AND ACKNOWLEDGE THAT: ISACA HAS
DESIGNED THE CONTENT PRIMARILY AS AN EDUCATIONAL RESOURCE FOR IT PROFESSIONALS AND
THEREFORE THE CONTENT SHOULD NOT BE DEEMED EITHER TO SET FORTH ALL APPROPRIATE
PROCEDURES, TESTS, OR CONTROLS OR TO SUGGEST THAT OTHER PROCEDURES, TESTS, OR
CONTROLS THAT ARE NOT INCLUDED MAY NOT BE APPROPRIATE; ISACA DOES NOT CLAIM THAT USE OF
THE CONTENT WILL ASSURE A SUCCESSFUL OUTCOME AND YOU ARE RESPONSIBLE FOR APPLYING
PROFESSIONAL JUDGMENT TO THE SPECIFIC CIRCUMSTANCES PRESENTED TO DETERMINE THE
APPROPRIATE PROCEDURES, TESTS, OR CONTROLS.

Copyright 2016 by the Information Systems Audit and Control Association, Inc. (ISACA). All rights reserved. This
webinar may not be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system, or
transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise).

THANK YOU
FOR ATTENDING THIS
WEBINAR
