
10/2/2013

SECURITY UPDATE 2013
David M. Cieslak, CPA.CITP, CGMA, GSEC
Arxis Technology, Inc.

David M. Cieslak, CPA.CITP, CGMA, GSEC

• Principal at Arxis Technology, Inc.
• Frequent speaker for AICPA, Flagg Management, Sleeter Group, K2 & numerous state accounting societies
• Currently serves on the AICPA Council & Sage Mid-Market ERP Partner Advisory Council
• Named one of Accounting Today’s 100 Most Influential People in Accounting ten times
• CPA Practice Advisor – 2011-13 Top 25 Thought Leader
• AKA “Inspector Gadget”
• Phone: 805-306-7800
• [email protected]
• www.arxistechnology.com
• Twitter: @dcieslak

IT Security

• Goals of IT Security
• Current Threats
• Key issues & initiatives
  - Mobile
  - Privacy
  - Cloud
• Certifications
• User Authentication
• Cloud Apps


GOALS OF IT SECURITY

Goals of IT Security

Confidentiality
• Data is only available to authorized individuals
Integrity
• Data can only be changed by authorized individuals
Availability
• Data and systems are available when needed
Accountability
• Changes are traceable/attributable to author

Threats & Vulnerabilities

Threats
• Active agent that seeks to violate or circumvent policy
• Part of the environment – beyond user’s control
Vulnerability
• A flaw or bug
• Part of the system – within user’s control
Risk
• Likelihood of harm resulting from exploitation of a vulnerability by a threat


IT Security Response

No single product, vendor or strategy
Defense in Depth, i.e. layers of security

IT Security – “Short List”

• Anti-
  - Virus
  - Botnets
  - Spam
  - Spyware
• Firewall
  - Perimeter
  - Personal/Application
  - Web Application Firewall
• Web-based e-mail/file sharing
• Passwords / Passphrases
• Patches
• Router/IP Addressing
• Wireless Security
• Physical Access
• Unprotected Shares
• Backups

CURRENT THREATS


Social engineering abounds!

• Filtering systems not perfect
• Infected content (e-mail & web pages) presented to end users
• End users CLICK!
• Malware starts collecting login credentials


MICROSOFT SECURITY INTELLIGENCE REPORT


Vulnerabilities


Exploits


Java Alert!

Recommendations:
• Always update to most recent version
• Disable Java (in all browsers)


Threat Categories


Microsoft security

Microsoft’s security team is killing it: not one product on Kaspersky’s top 10 vulnerabilities list

MS Windows - Malware Infections


Malware from the Web

The Modern Malware Review (March 2013) study by Palo Alto Networks finds that a majority of malware variants have been delivered through the web, going completely undetected by anti-virus (AV) solutions. Web browsing is responsible for 90 percent of the fully undetected malicious files, and it takes AV vendors four times as long to detect malware from web-based applications compared to e-mail. Malware is now being delivered and behaving in ways that AV is not designed to stop.

How good is your AV?

New winners and losers
Current top products:
• Kaspersky 2013
• Norton 2013
• Bitdefender 2013
FAIL:
• Microsoft Security Essentials
• McAfee 2013

Fake Antivirus

One of the most significant threat vectors/cyber crimes since 2011
“Scareware” entices user to install fake AV
Fake AV may then…
• Shut down real AV
• Prompt user for payment in order to “clean” detected problems
• Root the machine – keyboard logging (?)
• Result in a zombie
Apple Mac OS now a target
Very effective!


Apple Macintosh

The Macintosh operating system has long had a reputation of invincibility, in part due to obscurity. But as it has become increasingly popular, Apple has had to patch many security vulnerabilities in MacOS.

Recommend:
• Keep OS up to date
• Install/use AV solution
• Strong passwords

Apple Macintosh Security

Flashback
• Discovered Sept 2011
• 14 variants to date
• Based on vulnerabilities in Java
• Masquerades as installer or software update
• Harvests user names & passwords to authorize banking transactions
• Half a million Macs infected to date

Unofficial Guide to Hacking iOS

Published May 2012

IRS Woes

A 2012 GAO audit report indicates the IRS has not always…
• Implemented controls for identifying and authenticating users, such as requiring users to set new passwords after a prescribed period of time;
• Appropriately restricted access to certain servers;
• Ensured that sensitive data were encrypted when transmitted;
• Audited and monitored systems to ensure that unauthorized activities would be detected;
• Ensured management validation of access to restricted areas;
• Promptly corrected known vulnerabilities (76 out of 105 previously reported weaknesses open at the end of the GAO's prior year audit had not yet been corrected).

KEY ISSUES & INITIATIVES

AICPA 2013 North America Top Technology Initiatives Survey

1. Managing and retaining data
2. Securing the IT environment
3. Managing IT risks and compliance
4. Ensuring privacy
5. Managing system implementation
6. Preventing and responding to computer fraud
7. Enabling decision support and analytics
8. Governing and managing IT investment and spending
9. Leveraging emerging technologies
10. Managing vendors and service providers

MOBILE / BYOD

Mobile Security

Today, 45% of American cell phone users are using smart phones
Other consumer and mobile devices (tablets) rapidly increasing in popularity
BYOD (Bring Your Own Device) trend is quickly becoming a significant security threat to organizations.

BYOD Risks

From a Microsoft survey – Sept 2012
• 67% of people are using personal devices in the workplace whether it's officially sanctioned by the organization or not.
• 53% of organizations officially condone BYOD in some way, but only 22% of organizations support them through their IT department.
• Cost savings resulting from employees using their own PCs and mobile devices is often a driving factor to BYOD. Less than half of organizations provide any financial subsidy for users who supply their own equipment.
• A majority of companies are somewhat or very concerned about the risk of data breaches or intellectual property leaks.

Mobile Security

Specific risks include:
• Malicious hacks of cell phones and tablets (malware written for Android quadrupled in the last half of 2011)
• Data leakage from device theft
• Geo-stalking – unwanted tracking based on GPS app loaded on cell phone… think Apple and Google location databases

Mobile Security

Response:
• Require use of lock codes
• Policy against local data storage unless encrypted
• Enable remote wipe
• Carefully consider applications with geo tracking functionality

Mobile security

• Mobile Security apps
  - Bullguard
  - McAfee
  - AVG
  - Lookout Mobile Security
  - Webroot
• User education – careful what you click on / purchase
• Geo-locating
• Bluetooth leash / tethering

Find your iOS device

• Download free app
• Configure via iCloud

ZOMM Wireless Leash

• Alarm sounds when phone and leash are separated
• Speaker & microphone
• One-touch 911 assistance with concierge assistance
• $89

Cobra Tag

Attach a Cobra Tag™ sensor to your keys, purse, computer bag, or any other item you want to protect from loss. The sensor communicates with the phone’s free app and will remind you if you leave your phone or valuables behind. Also a 2-way finder: tap the button on the Cobra Tag to ring your smartphone, or, if you are looking for your Cobra Tag™ protected item, use the phone’s application to make the Cobra Tag™ ring. To secure your phone’s data, the PhoneHalo application can be set to lock your phone when out of range of your tagged item. Never lose your valuables again! BlackBerry, Android and iPhone. $60

Public Wi-Fi

If using public Wi-Fi (hot spots), remember to…
• Use HTTPS (Secure Sockets) whenever possible. Many popular web apps, such as Gmail, Twitter & Facebook, support HTTPS
• Disable sharing
• Route (tunnel) all traffic through a VPN – a private, secure (encrypted) connection to a host server using a public network (Internet)

Novatel Jetpack MiFi 4620L

• 4G mobile hotspot
• Interactive OLED display
• Supports up to 10 concurrent connections
• Global ready
• Verizon:
  - $50/mo for 5GB
  - $80/mo for 10GB

Clear Spot

• Unlimited 4G data
• No long-term contract
• 15 day guarantee
• Up to 8 connected users
• $125 one time cost
• $50/mo.

Check coverage @ www.clear.com

WINDOWS 8

Windows 8 - Key Features

• Windows 8 UI
• Support for Intel and ARM processors
• Built for all devices – PCs, laptops, tablets & phones
• Integration with Windows Store & Skydrive

Windows 8 – Why Upgrade?

Speed
• MUCH faster boot times (using UEFI) – less than half the time
• Speedier web browsing
• Higher benchmark scores
Multi-monitor support
Touch screen
Security – better kernel protection (also part of UEFI – only signed apps load)
Storage spaces – span drives / treat as single data store

Start button apps are available – Classic Shell, Pokki, Power8 & Stardock ($5)
It’s not a monster! Use it just like Windows 7!

Windows 8

Secure Boot (feature in the Unified Extensible Firmware Interface – UEFI)
Windows 8 Trusted Boot
Together, these create an architecture that is fundamentally resistant to bootkits and rootkits.

Windows 8.1

• Remote business data removal
• Encryption using TPM chip
• Biometrics – particularly fingerprint readers
• IE 11
• Windows Defender updates – network behavior monitoring

PRIVACY


Personal privacy

The problem:
• We worry about data miners and identity theft but put our life stories up on Facebook!
• Social-networking sites such as Facebook, Twitter, and LinkedIn – which many people see as legitimate and benign – ask for more and more information about our past, our employment, and our interests.
• Online information is searchable. Powerful Internet search engines and data-crunching tools make it easy for criminals to build a full profile of you.
• Records maintained by government agencies are searchable.
• Criminal networks exchange huge databases of personal information that can be used for everything from scamming credit-card companies to creating botnets.

Personal privacy

Response – Ten Tips:
1. Use unique “Forgot your password?” questions
2. Protect your friends (don’t let social networking sites scan your address book)
3. Check privacy policies
4. Use privacy settings
5. Don’t post your location (GPS, e.g. Foursquare)
6. Monitor your own on-line presence
7. Approach all links with caution
8. Do your banking at home
9. Shop only on encrypted sites
10. Keep your computer safe

AICPA Generally Accepted Privacy Principles (GAPP)

Generally Accepted Privacy Principles – A Global Privacy Framework
• GAPP (Business Version)
• GAPP (Practitioners Version)
• Executive Overview
• Building a Privacy Practice in Small and Medium-Sized CPA Firms
• Privacy and Outsourcing (Brochure)
• Privacy Incident Response Plan (Template)

AICPA Generally Accepted Privacy Principles (GAPP)

Steps to Protect Personal Information (PI)
• Don’t collect more PI than needed.
• Don’t retain PI longer than legally required and/or necessary for business purposes.
• Protect PI you collect, use, disclose and retain.
• Ensure additional protection methods on sensitive PI retained.
• Restrict access to PI to only individuals with a business need to access information.
• Dispose of PI appropriately.
• Keep anti-virus software and security patches current.
• Instill awareness and train employees on the proper handling of PI.
• Know federal, state and local laws and the rights consumers and employees have under those laws.
• Conduct regular audits to ensure PI is protected.

Cloud Concepts


Definitions

Cloud computing…
• The word "cloud" is used as a metaphor for "the Internet"
• Cloud computing is the process of outsourcing IT services – such as servers, storage and applications – to a shared platform accessed via the Internet.
• End users access cloud based applications through a web browser or lightweight desktop or mobile apps, while business software and data are stored on servers at a remote location.
• Services are provided as a utility, most often on a subscription basis
• Saves money and energy, as a vendor maintains the infrastructure and applications that run in the cloud environment instead of the organization.

Cloud Computing Models

Layer            On Premise     IaaS               PaaS               SaaS
Applications     You manage     You manage         You manage         Managed by vendor
Data             You manage     You manage         You manage         Managed by vendor
Runtime          You manage     You manage         Managed by vendor  Managed by vendor
Middleware       You manage     You manage         Managed by vendor  Managed by vendor
O/S              You manage     You manage         Managed by vendor  Managed by vendor
Virtualization   You manage     Managed by vendor  Managed by vendor  Managed by vendor
Servers          You manage     Managed by vendor  Managed by vendor  Managed by vendor
Storage          You manage     Managed by vendor  Managed by vendor  Managed by vendor
Networking       You manage     Managed by vendor  Managed by vendor  Managed by vendor

Why Cloud Computing?

• Reduced internal IT infrastructure
• Backup & redundancy in the Cloud
• Predictable monthly costs
• Low/no cost upgrades – always running the latest version
• Anywhere, anytime access, on ANY device, i.e. everything through a browser
• No/limited install of local files & programs

Compared to On-Premises, the Cloud Offers Better ROI + Shifts Fixed CAPEX to Variable OPEX

On-Premises Software – Ongoing Costs
• Apply fixes, patches, upgrades
• Downtime
• Performance tuning
• Rewrite customizations
• Rewrite integrations
• Upgrade dependent applications
• Training
• Ongoing burden on IT
• Maintain/upgrade hardware
• Maintain/upgrade network
• Maintain/upgrade security
• Maintain/upgrade database

Cloud Computing – Ongoing Costs
• Subscription fee
• Training
• Configuration

* Yankee Group DecisionNote Technology Analysis

Security, Infrastructure, and Operations – Evaluate Cloud Vendor Operating Capabilities

Should be far better than you can afford to deploy yourself
• Tier one data center(s)
• Encryption & hardened systems
• 24x7x365 operations
• Disaster recovery center
• Redundant hardware and networking
• SAS 70 type II audited – becoming SSAE 16
Possible because costs are spread across thousands of organizations

Deployment Models

• Public cloud
• Private cloud
• Hybrid cloud

Public Cloud

Applications, storage, and other resources are made available to the general public by a service provider. These services are free or offered on a pay-per-use model. Generally, public cloud service providers like Microsoft and Google own and operate the infrastructure and offer access only via Internet (direct connectivity is not offered).

Private Cloud

Dedicated system of servers, managed for a single enterprise. Servers can be either maintained on-premise or off-premise at a third party location. Private cloud provides greater control and performance, besides providing greater security for data and applications. Best suited for industries that are highly regulated (defense, healthcare, etc.) and enterprises that run strategic applications that require high performance.

Hybrid Clouds

Combine the best of private cloud (security, control) and public cloud (flexibility, cost) installations. In a hybrid cloud installation, the enterprise maintains a private cloud that takes care of the normal workloads and utilizes the public cloud during peak workloads and when dealing with less sensitive data. Best suited for organizations dealing with data of various sensitivity and with highly variable workloads.

CLOUD SECURITY


Questions for you/your company

Does the data you want to move to the cloud fall under any compliance-related regulations or requirements? This includes data such as Personally Identifiable Information (PII), Personal Health Information (PHI), or corporate finance-related information. If the answer is yes, which regulations does it fall under and what controls are necessary?

Security Questions for Potential Cloud Service Providers

• What encryption mechanisms do you use for customers’ data?
• In how many locations do you store customer data?
• What safeguards do you employ to ensure that different customers’ data in a multitenant cloud is kept separate?
• How is your data center physically protected?
• Which of your employees have access to customers’ data?
• How do you authenticate users?
• How precisely can you specify the degree of access that individual users have to data?

Security Questions for Potential Cloud Service Providers

• What tracking, reporting, and auditing capabilities do you offer?
• Do you comply with all relevant government and industry laws and regulations?
• Have you passed an SAS 70 audit?
• What happens to data when you “delete” it? Is it actually wiped out?
• Who owns the rights to the data?
• What SLAs do you offer?
• How many and what types of security breaches have you experienced in the last 12 months? If you had any, what were they? What new protections have you put into place?

Security Questions for Potential Cloud Service Providers

• What disaster recovery protections do you have in place?
• What are your security scenarios?
• Why should I trust you?
• What happens if we decide we want to discontinue using your services?

Service Level Agreements are Important

• Key to creating a successful ongoing relationship with your vendor
• Sets expectations and guarantees performance for how your system is operated
• Recognizes both concerns and advantages of cloud computing
• Vital tool to reduce risk and establish shared performance goals

What should be in every SLA

• Service Summary or Description
• Hardware
• Software
• Service Availability
  - Look for >= 99.5% up time
  - Definition of down time
• Service Requests
  - Hours of operation
  - Number of requests
  - Emergency vs. standard
• Monitoring and reporting
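As an added illustration (not from the slides), a small Python check of the two availability bullets: it applies a stated definition of downtime to constructed outage records for one 30-day month and compares the result with the 99.5% target. The outage records and the default definition (only unscheduled, full outages count) are assumptions; the same incidents pass or fail depending on which definition the SLA actually uses.

```python
from dataclasses import dataclass
from datetime import datetime

SLA_TARGET = 99.5  # the ">= 99.5% up time" figure from the slide


@dataclass
class Outage:
    start: datetime
    end: datetime
    scheduled: bool  # announced maintenance window
    partial: bool    # degraded but still usable, vs. a full outage

    def minutes(self) -> float:
        return (self.end - self.start).total_seconds() / 60.0


# Constructed sample for one 30-day month (assumption, not real vendor data)
PERIOD_START = datetime(2013, 9, 1)
PERIOD_END = datetime(2013, 10, 1)
SAMPLE_OUTAGES = [
    Outage(datetime(2013, 9, 7, 2, 0), datetime(2013, 9, 7, 4, 0), True, False),     # 120 min maintenance
    Outage(datetime(2013, 9, 15, 9, 30), datetime(2013, 9, 15, 12, 0), False, False),  # 150 min hard outage
    Outage(datetime(2013, 9, 22, 13, 0), datetime(2013, 9, 22, 18, 0), False, True),   # 300 min degraded
]


def period_minutes(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 60.0


def counted_downtime(outages, count_scheduled=False, count_partial=False) -> float:
    """Total the minutes that the SLA's definition of downtime actually counts.
    Default definition (an assumption): only unscheduled, full outages count."""
    total = 0.0
    for o in outages:
        if o.scheduled and not count_scheduled:
            continue
        if o.partial and not count_partial:
            continue
        total += o.minutes()
    return total


def allowed_downtime_minutes(start, end, target=SLA_TARGET) -> float:
    """Downtime budget implied by the target: 30 days at 99.5% is 216 minutes."""
    return period_minutes(start, end) * (100.0 - target) / 100.0


def availability(start, end, outages, **definition) -> float:
    total = period_minutes(start, end)
    return 100.0 * (total - counted_downtime(outages, **definition)) / total


def sla_met(start, end, outages, target=SLA_TARGET, **definition) -> bool:
    return availability(start, end, outages, **definition) >= target


if __name__ == "__main__":
    print(f"budget: {allowed_downtime_minutes(PERIOD_START, PERIOD_END):.0f} min")
    # Same incidents, two definitions of downtime: the definition decides the outcome
    for label, defn in [("vendor-friendly", {}),
                        ("strict", {"count_scheduled": True, "count_partial": True})]:
        pct = availability(PERIOD_START, PERIOD_END, SAMPLE_OUTAGES, **defn)
        print(f"{label}: {pct:.2f}% -> {'met' if pct >= SLA_TARGET else 'MISSED'}")
```

With the vendor-friendly definition the month shows 99.65% and the SLA is met; counting maintenance and degraded service too, the same month drops to 98.68%, which is why the "definition of down time" bullet belongs next to the percentage.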


CERTIFICATIONS


SAS 70 / SSAE 16 (SOC)

SAS 70 - History

Statement on Auditing Standards (SAS) 70 – Service Organizations
• Increasingly misused to indicate “cloud security”
• Auditing Standards Board “Clarity Project” (guidance on the examination of financial controls at service organizations) addresses this situation
• SSAE 16 issued to replace SAS 70

SSAE 16

Statement on Standards for Attestation Engagements (SSAE) 16 (Reporting on Controls at a Service Organization)
• Issued in April 2010
• Effective for service auditors’ reports for periods ending on or after June 15, 2011
• Early implementation permitted
Enables service organizations to demonstrate reliability and trust in their services to current and potential customers

SSAE 16

SSAE 16 provides a framework for three Service Organization Control (SOC) reports that address market demands and uphold the profession’s commitment to the public interest.
Reports:
• SOC 1 – controls over financial reporting
• SOC 2 – controls over security, availability, processing integrity, confidentiality or privacy
• SOC 3 – simplified report on the same subject matter as SOC 2 and available for public use
AICPA Trust Services Principles and Criteria incorporated into SOC 2 & SOC 3

@DCIESLAK


Arxis Technology – Overview

• Established in 1994; merger of two CPA firms
• Locations: Simi Valley, Huntington Beach, Chicago, Phoenix
• 28 employees; 18 consultants
• Charter member: Information Technology Alliance
• Resellers of Sage, SAP, Intacct, Intuit & Microsoft software