Information Systems Asset Protection: Monitoring
System Attacks
Kevin Henry, CISA, CISM, CRISC, CISSP
Kevinmhenry@msn.com

Asset Protection – Monitoring
Agenda:
- Security Testing
- Investigating Systems Attacks
- Monitoring Incidents
Systems Attacks
Systems Attacks
Incidents that impact:
- Confidentiality
  • Theft or exposure of data
- Integrity
  • Non-repudiation
- Availability
  • Denial of service
  • Distributed denial of service
    § Botnets and zombies

Systems Attacks
In order to ensure appropriate and adequate protection from attacks, the auditor should review and assess the accuracy, timeliness and thoroughness of:
- Risk assessment
- BIA
- Previous incidents
- Previous audits
- External sources of threat intelligence
  • Actions taken on identified threats
Computer Crime
Most crimes are crimes using a computer:
- Fraud
- Abuse / stalking
These are usually addressed through traditional laws; however, the investigation is often challenging, as seen in Module three of this course.

Computer Crime
A computer crime is a crime against a computer or network:
- Malware
- Denial of Service

Factors That Contribute to Computer Crime
Causal factors that affect computer crime:
- Globally accessible
- No time limits on access
- Lack of skilled staff
  • Prevention, detection, investigation
- Insecure implementations
  • Unpatched and misconfigured

Impact of Computer Crime
- Financial loss
  • Direct: cost to repair / recover
  • Indirect: fines, loss of customer confidence
- Loss of intellectual property
  • Competitive advantage
- Greater costs of compliance
- Increased insurance costs
Attacks
Understanding the threat source:
- Human factor
  • Accidental / Intentional
    § Employees
    § Customers
    § Criminals
- APTs
    § Hackers

Threat Source Continued
- Natural events: storms, earthquake, flood
- Circumstantial: neighboring building
- Utility
- Supply chain: defective products

Attack Types
- Passive
- Active
- Stealth

Vulnerabilities
The auditor seeks to identify any vulnerabilities in:
- Patches
- Policy
- Procedures
  • Being followed
- Training
- Monitoring

Control Review
Controls may be:
- Physical / Environmental
- Managerial / Administrative
- Technical / Logical
- Operational

Key Points Review
Most compromises of networks and systems are the result of a combination of factors – usually not related to the skill of the attacker:
- Misconfiguration
- Poor controls
- Poor monitoring
Examining Attacks
System Attacks
Attacks may come via:
- Networks
  • Denial of service
  • Compromise of devices connected to the network
  • Misrouting of traffic
  • Sniffing, eavesdropping
  • Alteration of traffic

Auditor Responsibility Regarding Network Attacks
Review for:
- Network management
  • Diagrams
    § Network segmentation
  • Training of staff
  • Change control
- Single points of failure
  • Redundancy
- Monitoring

System Attacks
Attacks may come via:
- Software
  • Applications
  • Operating systems
  • Drivers, utilities, hypervisors
  • Application Programming Interfaces (APIs)

System Attacks
Software attack surface:
- Inputs
  • Validation
- Outputs
  • Distribution
- Logic flaws
- Bugs
- Version control
  • Regression testing

Auditor Responsibility Regarding Software Attacks
Review for:
- Software management
- Baseline configurations
- Version control
- Change control
- Hardening
- Designed-in and built-in security
- Monitoring

System Attacks
Attacks may come via:
- Hardware
  • Process isolation
    § Meltdown, Spectre
  • Failure
    § Unpatched, unmaintained

Auditor Responsibility Regarding Hardware Attacks
Review for:
- Hardware management
  • Age
  • Maintenance
  • Patching
  • Redundancy
    § Reliance on a single dependency: power, backplane, vendor

System Attacks
Attacks may come via:
- Physical
  • Theft or loss of equipment
  • Loss of power
  • Heating, ventilation and air conditioning malfunction
  • Fire
  • Water damage
    § Flooding
    § Broken water pipes, leaky roof

Auditor Responsibility Regarding Physical Attacks
Review for:
- Adequate backup power
  • UPS
  • Generators
- Review of fire suppression systems
- Preparedness for natural events
- Labeling of equipment
- Asset inventory

System Attacks
Attacks may come via:
- People
  • Untrained
  • Discontent
  • Not following procedures or policy
  • Pressure to ‘get the job done’
  • Stress / overwork

Fraud
The auditor should assess the risk of fraud or irregular acts during every audit:
- Escalated permissions
- Senior staff
- ‘Trusted staff’

Auditor Responsibility Regarding People Attacks
Review for:
- Training
- Procedures / policy
- Access controls
  • Least privilege / Need-to-know
  • Separation of duties
- Monitoring
- Human Resources practices
  • Hiring, development, termination
  • Promotion – treated fairly

Key Points Review
An information system is built using many components – technical, people and processes.
- The auditor must evaluate the performance of all components in order to ensure reliable and secure system operations
Malware Attacks
Examples of Malware Attacks
- Malware
- Ransomware
- Virus
- Worm
- Trojan Horse
- Logic Bomb
- Spyware

Preventing or Responding to Malware
- Training and awareness
- Technical solutions
- Patching
- Monitoring
- Backups
- Network segmentation
- Virtual environments

Targeted Attacks
Many attacks are based on opportunity:
- Not targeted
Some (such as APTs) are targeted against a specific industry or organization:
- Governments
  • Municipal
- Military
- Research and development
- Industry sectors
  • Health care
  • Financial

Preparation for Attacks
- Threat intelligence
  • Events affecting similar organizations
  • Honeypots
  • IDS / IPS
- Incident management program
  • Prevent, detect, respond

Summary
Attacks are inevitable – and perhaps so are incidents.
- But due care requires taking steps to avoid or minimize the effect of attacks
- Due diligence is following up and ensuring that there are adequate and appropriate controls in place
  • Managerial
  • Technical
  • Physical