Risk Management - Audcis PDF
Uploaded by CharismaticSelenite
Summary
This document provides information on risk management, covering topics such as risk mitigation, risk transfer, and risk acceptance. It details the role of businesses in managing risk and internal and external audit roles.
RISK MANAGEMENT - AUDCIS

US SOX History
Twenty years ago, a series of financial reporting scandals severely shook this confidence. The U.S. Congress responded with the Sarbanes-Oxley Act of 2002 ("SOX"), which aimed to strengthen investor confidence and restore trust in the capital markets.

About SOX 404
SOX 404 primarily focuses on Internal Controls over Financial Reporting (ICFR).

Evaluation of Design and Operating Effectiveness
Section 404 (a) requires management to conduct an annual evaluation of the operational effectiveness of its ICFR, with documentation of both the controls and the mandated testing thereof, and to report the results publicly in its annual report Form 10-K.

Attestation over Effectiveness of Internal Controls
Section 404 (b) requires an auditor attestation with respect to an issuer's ICFR.

-------------------------------------------------------------

ENTERPRISE RISK MANAGEMENT – RESPONSIBILITY

Business Process Owners
- Primarily responsible for the application of risk treatment in the achievement of business objectives.

Internal Audit
- Secondarily responsible for the assessment of the risk treatment applied by the business process owners.
- Maintains independence from those who achieve the objectives and performs the oversight function of the governing body.

Those Charged with Governance
- Tertiarily responsible for the oversight of compliance with legal, regulatory, and ethical expectations.
- Performs stakeholder management to monitor their interests in the achievement of objectives.
- Provides resources and discharges responsibility to management for achieving the objectives.

External Audit
- Provides assurance to the legislative and regulatory body.

Enterprise Risk Management
- The process of identifying vulnerabilities to information assets by an enterprise in achieving its business objectives, in order to implement and apply countermeasures and reduce risk to an acceptable level.

Definition of Terms:
1. Risk is the uncertainty of an event that affects the achievement of an objective.
2. Uncertainty is the lack of information over the impact and timing of an event.

Risk Treatment:
1. Risk Avoidance
   1.1. Risk Avoidance e.g., stop the project
   1.2. Risk Transfer e.g., outsource the project
   1.3. Risk Reduction e.g., outsource part of the project
   1.4. Risk Sharing e.g., outsource part of the project
2. Risk Mitigation/Control
3. Risk Acceptance

-------------------------------------------------------------

REPORTORIAL REQUIREMENT

1. Material Weakness
   - a potential financial misstatement could occur
2. Significant Deficiency
   - less severe than a material weakness, where risks are compensated through risk acceptance and monitoring
3. Deficiency
   - less severe than a significant deficiency, where compensating controls were in place and operating effectively

Design Gap
- risks identified with no appropriate and sufficient controls in place

Operating Ineffectiveness
- controls were not operating as intended

-------------------------------------------------------------

VULNERABILITIES, THREATS AND ATTACK

Definition of Terms:
1. Risk is the uncertainty of an event that affects the achievement of an objective.
2. Uncertainty is the lack of information over the impact and timing of an event.
3. Vulnerability is the result of flaws in a system.
4. Threat is the result of flaws in a system that can be taken advantage of by any malicious act to access, damage or delay any information asset.
5. Attack is any intentional act to maliciously access, damage or delay any information asset.

Therefore:
IT Risk is the lack of information over the impact and timing of an event resulting from any flaw in the system that may be actually or potentially taken advantage of to access, damage or delay any information asset.

-------------------------------------------------------------

INFORMATION SECURITY PRINCIPLE

Confidentiality
- restrictions against unauthorized access and disclosure

Integrity
- restrictions against improper modification or destruction

Availability
- protection against untimely and unreliable access to and use of information

-------------------------------------------------------------

FRAUD RISK FACTORS

Motivation
- refers to any incentive (e.g., bonus, promotion, etc.) or pressure (e.g., debt, employment) that causes the intentional act of the perpetrator.

Rationalization
- refers to the behavioral thought process of the perpetrator to justify the act.

Opportunity
- refers to the method by which the perpetrator performed the act, e.g., poor internal controls.

-------------------------------------------------------------

EXAMPLE OF VULNERABILITIES

Security requirements include:
1. Authenticity - a third party must be able to verify that the content of a message has not been changed in transit.
2. Nonrepudiation - the origin or the receipt of a specific message must be verifiable by a third party.
3. Accountability - the actions of an entity must be uniquely traceable to that entity.
4. Network availability - the IT resource must be available on a timely basis to meet mission requirements or to avoid substantial losses. Availability also includes ensuring that resources are used only for intended purposes.

PERPETRATORS MAY USE AND THEIR CONTROL:

Unauthorized hardware and software
- Implementation of an inventory of equipment and software applications

Untrusted wireless network
- Use of a secured network

Untrusted devices
- Use of endpoint protection

Social engineering to view data to further access sensitive information
- Use of an encryption tool (SSL/TLS) to mask any sensitive information (e.g., password, date of birth)

Stealing the identity of legitimate users to access sensitive information
- Use of digital certificates to prove identity for secure communication

Various attacks to access sensitive information
- Use of a Security Information and Event Management (SIEM) tool

-------------------------------------------------------------

TYPES OF ATTACKS

Attack
- is any intentional act to maliciously access, damage or delay any information asset.

Possible perpetrators include: (WHO?)
1. Script kiddies - use code written by others and are often incapable of writing similar scripts on their own.
2. Hackers/Crackers - have the ability to explore and exploit programmable systems.
3. Insiders:
   a. Former employees - unauthorized personnel that may still have access if it was not immediately removed at the time of the employee's termination, or if the system has back doors.
   b. Employees - authorized or unauthorized personnel given system access based on job responsibilities who cause significant harm to an organization.
   c. IT personnel - authorized personnel that have better knowledge to exploit information assets.

Malware (Malicious software) (WHAT?)
- any software program that contains code with malicious intent to access, damage or delay any information asset.

Types of malware according to manner of activation:
1. Virus - requires to be triggered to be activated.
   a. Trojan - a virus that hides in legitimate software to be activated.
2. Worm - does not require to be further triggered to be activated, but rather replicates on its own once triggered.

Types of malware according to intent:
1. Spyware - secretly collects sensitive information.
2. Ransomware - demands payment.

Types of malware according to method of code injection:
1. SQL Injection - directly injects malicious queries to extract or manipulate data from databases.
2. Malvertising - displays advertisements with creative imagery or video that, when clicked, inject malicious software.
3. Cross Site Scripting (XSS) - disguises as a legitimate website that, when accessed, injects malicious software.

Social Engineering (HOW?)
- exploitation that relies on human behavior to gain physical or security access.

(1) Tailgating/Piggybacking - tagging along behind a company employee and asking them to hold the door open.
   a. Eavesdropping - listens to private communications.
   b. Shoulder surfing - physically spies on someone.

(2) Brute Force - a trial-and-error attempt to crack passwords by trying every possible combination.
   a. Keylogging - records every keystroke on a device.
   b. Credential Stuffing - re-using stolen credentials that a user may have used across multiple applications or websites.
   c. Kerberoasting - a brute-force password attack on Kerberos, an identity authentication system of MS Active Directory, that disguises as a user account and sends ticket requests to victims to provide passwords to advance the attack.
   d. Downgrading - takes advantage of a system's backward compatibility to force it into a less secure environment (e.g., https to http).

(3) Phishing - entices a victim to share sensitive information.
   >>> According to victim's profile:
   a. Spear Phishing - a specific individual or organization
   b. Whaling - targeted to senior management
   >>> According to method:
   a. Smishing - through text messages
   b. Vishing - through phone calls, i.e., voice phishing

(4) Spoofing - disguises oneself as a known or trusted source, i.e., like a spoof or imitation.
   >>> According to victim's profile:
   a. Honeytrap - targets individuals looking for love or friendship on dating apps/websites by creating fake profiles
   >>> According to method:
   a. Domain Spoofing - disguises using a known organization
   b. Email Spoofing - disguises using a known email
   c. ARP Spoofing - disguises using the recipient's device protocol, i.e., known as ARP poisoning
   d. Pretexting - poses a false scenario to gain the victim's trust
   e. Quid Pro Quo - offers victims to pay or share sensitive information in exchange for a product or service

(5) Man-in-the-Middle - alters communications between two parties.
   a. Session Hijacking - alters (swaps) the client's IP address to access a server by creating a new user session without any authentication.
   b. Pass-the-Hash - uses a stolen hashed (i.e., encrypted) credential.
   c. DNS tunneling - disguises within domain name system queries to evade firewalls.

(6) Denial of Service (DoS) - floods a network with false requests to disrupt business operations, i.e., see also spamming.
   a. Distributed Denial of Service (DDoS) - uses multiple compromised computers (i.e., a botnet) to generate massive traffic volumes.

(7) Zero-day Exploits - taking advantage of the time between discovering a flaw and developing a patch.

(8) Deepfake - AI-generated forgeries that appear very real to reshape public opinion, damage reputations, and even sway political landscapes.

(9) Adversarial AI/ML - misleads AI/ML by introducing inaccuracies in training data.

-------------------------------------------------------------

PHYSICAL AND ENVIRONMENTAL CONTROLS

Overview
Information assets require physical and environmental controls. These controls are designed and implemented by facility management and not by the information security manager, such as temperature, humidity and power.

Preventive Controls
- attempt to prevent an incident, i.e., also known as safeguards (e.g., warning signs, access doors)

Detective Controls
- allow the detection, containment and recovery from an incident, i.e., also known as countermeasures (e.g., fire suppression system)

Examples of Issues and Controls to IT Environment

1. Fire and Humidity Hazard
Information Processing Facilities (IPFs) must be protected from risk of fire and humidity (and flood, if applicable).

Warning Signs
IPFs must have overt prohibition of flammable items, e.g., thinner, liquid petroleum, cigarettes, etc.

Humidity/Temperature Control, including fire detection and alarms
IPFs must secure fire (smoke), humidity, and water detectors that, when activated, produce an audible alarm for building and security personnel.

Fire Safety Certification, including fire suppression system
IPFs must secure hand-pull fire alarms, fire extinguishers, and a fire suppression system (i.e., water-sprinkler, heptafluoropropane) tested at least annually.

Emergency Evacuation Plans
The emergency evacuation plan must be posted in a conspicuous place.

-------------------------------------------------------------

Business Continuity Plan
A formal document that identifies critical business infrastructure and procedures to ensure that business objectives are achieved in the event of a disaster.

Disaster Recovery Plan
A formal document and a subset of the business continuity plan that identifies:
a. Recovery Time Objectives (RTO) - the maximum acceptable downtime after an outage or failure due to a disaster
b. Recovery Point Objectives (RPO) - the maximum acceptable data loss after an outage or failure due to a disaster

Examples of Issues and Controls to IT Environment

2. Power Failure
a. Total failure (blackout) - complete loss of electrical power
b. Severely reduced voltage (brownout) - failure to supply power within an acceptable range
c. Temporary and rapid decreases (sags) or increases (spikes and surges) - anomalies that can cause data transmission errors, loss, or corruption, or physical damage to hardware devices
d. Electromagnetic interference (EMI) - caused by electrical storms or noisy electrical equipment (e.g., radio transmitters) that may cause computer systems to hang or crash

Electrical Surge Protectors
- automated voltage regulators reduce the risk of damage to equipment due to power spikes

Uninterruptible Power Supply
- battery or gasoline-powered generator that interfaces with the electrical power

-------------------------------------------------------------

Physical Access Controls
Information Processing Facilities (IPFs) must be designed to protect the organization from unauthorized access and limit access to only those individuals authorized by management. An IS auditor should evaluate all paths of physical entry for proper security.

Identity and Access Management (I&A)
I&A is the first line of defense because it prevents unauthorized access to a computer system or an information asset through:
a. Authorization - the process of granting rights to an individual based on the job function.
b. Authentication - the process of verifying the authorization of a role or individual to access the information asset.

Activities over the use of default access, i.e., mandatory or discretionary access, must be evaluated.

Examples of Issues and Controls to IT Physical Access

Manual logging
All guests (visitors) are required to sign a visitor's log, typically done at the front reception desk or entrance, indicating their name, the company they are representing, reason for visiting, person to see, and date and time of entry and departure.

Identification badges
Guest badges, preferably with a different color from employee badges, should always be worn inside the facility.

Security guards and closed-circuit television
Guests should be inspected by security guards at entry/exit points, or preferably escorted and monitored inside the facility.

Electronic door locks
A magnetic or embedded chip-based plastic card that uses a sensor reader to gain access. A special code stored in the card or token is read by the sensor device, which then activates the door locking mechanism.

-------------------------------------------------------------

SECURITY AWARENESS, TESTING AND MONITORING

Security Awareness Training
- Users are the front line for the detection of threats that may not be detectable by automated means, i.e., social engineering.

Penetration Tests (Ethical Hacking or Intrusion Test)
- Attempts to exploit an identified vulnerability and circumvent security features.

Phishing Simulation
- Simulated phishing email to mimic a real phishing attack to gauge employee awareness.

Honeypot/Honeynet
- Pretends to be a vulnerable server on the Internet that acts as a decoy system that lures hackers.

Threat Intelligence
- This refers to analyzed information about potential or current attacks to help organizations understand common vulnerabilities and exposures, e.g., zero-day threats and advanced persistent threats (APTs).

-------------------------------------------------------------

VIRTUALIZATION

Virtualization (on-prem server)
- Increases efficiency and decreases costs in IT operations by allowing multiple operating systems (guest machines) to coexist on the same physical server (host machine) in isolation from one another.

Cloud Computing (third-party or backup server)
- on-demand access to computing resources over the Internet with pay-per-use pricing

-------------------------------------------------------------

EMERGING TECHNOLOGIES

Private Branch Exchange
- PBX reduces the use of a communication line for each user, but rather uses a single line where only a few digits need to be dialed.

Peer-to-Peer Computing
- There is no specific server, and the connection is established between two peers.

Voice over Internet Protocol
- VoIP is a technology where voice traffic is carried over the Internet or any IP network using packet switching; hence, the security of conversations in VoIP is protected by segregating the infrastructure using virtual local area networks and firewalls.

Wireless Network
- An access point communicates with devices within a specific range, i.e., usually 100 meters, known as a cell or range.

Instant Messaging
- IMs enable a user to chat in real time over the Internet.

Digital Signatures
- Emails may be digitally signed (i.e., encrypted) by the sender using public key cryptography. Digital signatures are a good method because a digital signature can hardly be forged, cannot be reused, and any alteration renders the signature invalid.

Mobile (Edge) Computing
- End-user devices, e.g., smartphones, are used to process data. To reduce the risk of inappropriate disclosure, mobile device management (MDM) systems can be enforced to segregate enterprise and personal data.

Bring your own device
- BYOD uses personal devices to conduct work-related tasks to reduce costs of end-user hardware and software.

Internet of Things (IoT)
- Physical objects have embedded computing elements and can communicate with other objects over a network.

Cloud Computing
- Enables convenient and on-demand network access to a shared pool of configurable computing resources:

Cloud Models according to service:
1. Infrastructure as a Service (IaaS) - the end-user is capable of deploying and running arbitrary software.
2. Platform as a Service (PaaS) - the end-user is capable of deploying and running applications using programming languages and tools supported by the provider.
3. Software as a Service (SaaS) - the end-user uses the provider's applications running on cloud infrastructure.

Cloud Models according to deployment:
1. Private Cloud - cloud infrastructure is solely for an organization.
2. Community Cloud - cloud infrastructure is shared by several organizations.
3. Public Cloud - cloud infrastructure is available to the general public.
4. Hybrid Cloud - cloud infrastructure is a composition of two or more clouds that enables data portability, i.e., cloud bursting for load balancing.

-------------------------------------------------------------

IT FORENSICS
The process of identifying, preserving, analyzing and presenting digital evidence in a manner that is legally acceptable in any legal proceedings, to substantiate whether an incident happened:
- Provide validation that an attack has actually occurred
- Gather digital evidence that can be used in legal proceedings, and ensure that any electronic documents are in their original state and have not been tampered with or modified during the process of collection and analysis
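As an added example (not part of the original notes), the SIEM control listed under "Perpetrators may use and their control" can be illustrated as detection logic for the Brute Force and Credential Stuffing entries in the Types of Attacks section: a sliding window over constructed authentication log lines flags one source hammering a single account (brute force) or trying many different accounts (the assumed signature of credential stuffing). The log format and thresholds are assumptions made for this example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed log line format (constructed for this example): ISO timestamp, result, user, source IP.
LOG_RE = re.compile(r"^(?P<ts>\S+) auth (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$")

# Constructed sample log: one brute-force source (203.0.113.5), one credential-stuffing source
# (198.51.100.7), benign noise (192.0.2.9), and a source whose failures are too spread out in time.
SAMPLE_LOG = """\
2024-05-01T10:00:01 auth FAIL user=alice src=203.0.113.5
2024-05-01T10:00:09 auth FAIL user=alice src=203.0.113.5
2024-05-01T10:00:15 auth FAIL user=alice src=203.0.113.5
2024-05-01T10:00:22 auth OK user=dave src=192.0.2.9
2024-05-01T10:00:31 auth FAIL user=alice src=203.0.113.5
2024-05-01T10:00:40 auth FAIL user=alice src=203.0.113.5
2024-05-01T10:01:02 auth FAIL user=bob src=198.51.100.7
2024-05-01T10:01:04 auth FAIL user=carol src=198.51.100.7
2024-05-01T10:01:05 auth FAIL user=dave src=198.51.100.7
2024-05-01T10:01:07 auth FAIL user=erin src=198.51.100.7
2024-05-01T10:01:30 auth FAIL user=dave src=192.0.2.9
2024-05-01T10:02:00 auth FAIL user=frank src=203.0.113.77
2024-05-01T10:02:30 auth FAIL user=frank src=203.0.113.77
2024-05-01T10:20:00 auth FAIL user=frank src=203.0.113.77
2024-05-01T10:20:30 auth FAIL user=frank src=203.0.113.77
2024-05-01T10:21:00 auth FAIL user=frank src=203.0.113.77
"""

def parse_log(text):
    """Yield (timestamp, result, user, src) tuples; lines that do not match the format are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]

def detect_password_attacks(text, window_seconds=300, fail_threshold=5, user_threshold=4):
    """Return sorted (kind, src) alerts.
    brute_force: >= fail_threshold failures against one account from one source inside the window.
    credential_stuffing: failures against >= user_threshold distinct accounts from one source inside the window.
    """
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(list)           # src -> [(timestamp, user), ...] for FAIL events only
    for ts, result, user, src in parse_log(text):
        if result == "FAIL":
            failures[src].append((ts, user))
    alerts = set()
    for src, events in failures.items():
        events.sort()
        start = 0
        for i, (ts, _) in enumerate(events):
            while events[start][0] < ts - window:   # slide the window start forward
                start += 1
            counts = Counter(u for _, u in events[start:i + 1])
            if len(counts) >= user_threshold:
                alerts.add(("credential_stuffing", src))
            elif max(counts.values()) >= fail_threshold:
                alerts.add(("brute_force", src))
    return sorted(alerts)

if __name__ == "__main__":
    for kind, src in detect_password_attacks(SAMPLE_LOG):
        print(f"{kind}: {src}")
```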