
Matt Devlin, CISA, CISM Deputy State Auditor September 30, 2014.


1 Matt Devlin, CISA, CISM Deputy State Auditor September 30, 2014

2 Overview
- Colorado OSA and IT Audit Background
- State of Colorado IT and InfoSec Organizational Structures
- OSA’s Cybersecurity Assessment Approach
  - General description of what we have done in the past and what we are doing now
  - Prior VA / Pen Test Audit (Nov. 2010)
  - Current VA / Pen Test Audit (Dec. 2014)
  - Not a detailed or technical “How To” on VA / pen testing

3 Colorado OSA: Background Info
- OSA is under the Legislative Branch
- Reports to a nonpartisan Legislative Audit Committee (LAC)
- State Auditor is appointed to a 5-year term
- 3 Audit Divisions: Financial, Performance, and IT
- Approx. 70 auditors
- Produce about 50 to 55 products/reports per year

4 Colorado OSA: Organizational Chart

5 Colorado OSA: Statutory Authority
- OSA has statutory authority to:
  - Conduct audits of all state departments and agencies (Sec. 2-3-103, C.R.S.)
  - “Access at all times…all of the books, accounts, reports, vouchers, or other records or information in any department, institution, or agency, including but not limited to records or information required to be kept confidential or exempt from public disclosure…” (Sec. 2-3-107(2), C.R.S.)

6 Colorado OSA: IT Audit Division
- IT Audit Division:
  - Est. in February 2006 (8 yrs., 8 mos. young!)
  - 4 IT Audit Staff, Mainly Senior-level Auditors
- IT Audit Engagement Types:
  1. Financial Audit Support (Statewide Single Audit)
     - E.g., Fin. system ITGCs, SSAE 16 reviews, contractor audit reviews
  2. Performance Audit Support
     - E.g., MMJ, Vocational Rehab, Health Exchange, etc.
  3. Standalone IT and InfoSec Audits (Technologies / Systems / Processes / Projects / Org. Unit)

7 FY 2014 Allocation of Audit Staff

8 State of Colorado: IT Org. Structure
- Executive Branch
  - Office of Information Technology (OIT)
  - Est. in 2008 through legislation (SB 08-155)
  - Consolidation of IT from a decentralized model
  - OIT sits under the Governor’s Office
- Judicial Branch
  - Separate IT (i.e., ITS)
- Legislative Branch
  - Separate IT (i.e., LIS)

9 State of Colorado: InfoSec Org. Structure
- Executive and Judicial Branch
  - Office of Information Security (OIS)
  - Est. in 2006 through legislation (HB 06-1157)
  - Consolidation of InfoSec (from a decentralized model?)
  - OIS sits under OIT (i.e., the Exec. Branch IT Unit)
- Legislative Branch & Higher Ed. Institutions
  - Excluded from OIS oversight, but have info. sec. reporting requirements

10 State of Colorado: IT & InfoSec Org Charts


12 Audit Objectives
- Objective #1: To review the Governor’s Office of Cyber Security’s progress in fulfilling the requirements of the Colorado Cyber Security Program (Section 24-37.5-401 through 406, C.R.S.)

13 Audit Objectives
- Objective #2: To perform a “covert” penetration test of state networks, applications, and information systems
  - Gain unauthorized access to state systems and data
  - Simulate hacking attempts
  - Test incident response

14 Audit Scope

15 VA vs. Pen Test
- Vulnerability Assessment – assessment approach used to identify system weaknesses or vulnerabilities.
- Penetration Test – assessment approach used to gain access to systems by exploiting or circumventing system weaknesses or vulnerabilities.
- Hacking vs. Pen Test Difference
  - Get Permission!!!
  - Authorized by Governor’s Office, State CISO, and other Dept. Mgt.

16 Audit Methodology
- In-house & Contract Audit – OSA partnered with 2 contractors specializing in VA/pen testing
- Non-risk-based Approach – Open to all state networks, applications, and systems
- Black Box – no advance information on systems/networks/departments/agencies, etc.
- All attacks available; nothing off limits!

17 Audit Methodology (cont.)
- Tests performed included:
  - Network Scans (external/internal) – Ports and Services
  - Application/DB/OS Scans – Patch Levels, Configuration Settings/Hardening Standards, Vendor Defaults, Brute Force
  - Website Security – Attacks to gain access to backend apps and DBs
  - Social Engineering – Spam, Impersonation
  - Physical-based Attacks – gaining unauthorized access to facilities and DCs
- What did we find??

18 Office of Cyber Security
“Overall, the results of the Pen Test demonstrate that the State is at high risk of a system compromise and/or data breach.”

19 Audit Results
Relating to Objective #1:
- The Office of Cyber Security failed to successfully implement the Colorado Cyber Security Program, as required by statute.
  - InfoSec Program Governance & Org. Structure
    - Policy, procedures, and plans lacked definition, implementation, and enforcement
  - InfoSec Operations & Controls
    - InfoSec processes and controls lacked definition, implementation, and compliance
- All findings and recommendations were agreed to (or partially agreed to).

20 Audit Results (cont.)
Relating to Objective #2:
- The State was at high risk of a system compromise and/or data breach by malicious individuals, including individuals both internal and external to the State.
  - Hundreds of vulnerabilities identified
    - Unnecessary and Insecure Ports, Services, and Utilities
    - Exposed Management Interfaces
    - Default and Easily Guessable Usernames and Passwords
    - Unsecured Web Applications
    - Lack of Internal Network Security Controls (e.g., network segmentation, hardening and patching, use of insecure network protocols, lack of IDS/IPS)

21 Audit Results (cont.)
- Relating to Objective #2 (cont.):
  - Compromised or gained unauthorized access to:
    - Numerous State Networks and Systems
    - Lots of Sensitive and Confidential Information:
      - Usernames and passwords (belonging to state employees and other non-state individuals)
      - State employee records
      - SSNs
      - Income levels
      - Birth dates
      - Contact information, i.e., phone numbers and physical addresses
  - A data breach of this magnitude would have cost the State between $7 and $15 million to remediate (based on national averages at the time).
- All findings and recommendations were agreed to (or partially agreed to).

22 Audit Results (cont.)
State of Colorado Penetration Test Results: Risk Ranking by Network/System

Network/System Component Tested    Risk Ranking
External Network Testing           HIGH
Internal Network Testing           HIGH
Physical Security Testing          HIGH
Web Application Testing            HIGH
Social Engineering                 HIGH
Modem Testing                      LOW
Wireless Network Testing           LOW

Source: Office of the State Auditor penetration test results.

23 Audit Results (cont.)
Source: Colorado Office of the State Auditor.

24 Challenges
- “First of Its Kind” Audit
  - OSA Authority to Conduct Pen Test? Not “specific”
- Communication/Coordination
  - All Business Management (as well as IT/InfoSec Mgt.)
- Very Complex IT Org, Systems, and Technologies
  - Took a lot to plan, execute, and report
- Reporting
  - Public vs. Private Info
  - Diff. contractors partnering with OSA

25 Successes
- Information Security Posture – Identified a Baseline!
- Raised Information Security Awareness – within State Ops, the Legislature, and Public
- Increased OSA Authority – new statute was created to allow our office to conduct ongoing VAs, pen tests, and technical security assessments… after consultation and in coordination with, but not requiring the approval of, the CIO (Sec. 2-3-103(1.5) et al., C.R.S.)


27 Audit Objectives
- Objective #1: To conduct a vulnerability assessment, penetration test, and technical information security evaluation on state networks, applications, and systems.
- Objective #2: To gain an understanding of the root cause of identified information system security vulnerabilities.

28 Key Differences (vs. Prior Audit)
- Scope Size & Complexity
  - Risk-based/Targeted (vs. Statewide/All-inclusive)
  - White/Grey Box (vs. Black Box)
  - Resulted in Fewer Networks, Systems, & Depts.
  - No InfoSec Program Review
  - Root Cause Analysis Focus
- Shorter Timeline
  - Mar.–Dec. 2014 (vs. more than 12 mos.)
- One Contractor (vs. 2 Prior)
  - Simplify Communications & Processes
  - Reports to Match OSA Style
- Communication With Management
  - Simplified with 2 Entrance Meetings with IT/InfoSec Mgt. (vs. Business Mgt.)
- Reporting
  - Public vs. Private Content
  - Evaluation vs. Audit – did not have to follow Yellow Book standards

29 Audit Scope
- Left Scope and Schedule Open in RFP
  - The engaged contractor was required to work with us (OSA) to:
    1. Define the networks, applications, and/or systems to be included in the scope, based on risk;
    2. Develop the audit schedule (working backwards from our LAC date).
- List of Scope Areas
  - External Network (89,614 IP addresses)
  - Internal Network (3, across diff. departments)
  - Firewalls (10, mix of external & internal)
  - Enterprise Apps (2, across diff. depts.)
  - Web Apps (5, across diff. depts.)
  - Social Engineering (spam email to all Executive and Judicial Branch agencies)

30 Audit Results
- TBD – Report to be released in December!!!
- Generalization:
  - Lots of very similar findings as last time, indicating slow progress in maturing the state’s info sec program

31 Outcomes (Expected)
TBD…but we’re hoping to:
- Issue Two Reports Again:
  - Management-level Report (Public)
  - Technical-level Report (Private)
- Provide Transparency & Value
  - Identify System Vulnerabilities/Findings
  - Identify Root Causes
  - Raise Awareness of InfoSec Posture
- Provide Accountability
  - Track Audit Findings & Recs
  - Annual Report on Recommendations not Fully Implemented

32 Challenges
- New (and few) IT audit staff – 1 contract monitor
- Independence – Concern due to prior audit deputy moving into the CISO role
- New Contractor – Get up to speed!
- Risk-based Scoping – Very complex IT organization and systems:
  - Outdated technologies and systems
  - Redundant systems
  - New system developments

33 Challenges (cont.)
- Lots of Staff Turnover/Reorgs.
  - Significant IT management turnover during the review, including:
    - Secretary of Technology & State Chief Information Officer (CIO)
    - Chief Technology Officer (CTO)
    - Chief Operating Officer (COO)
    - Chief Information Security Officer (CISO)
    - Chief Customer Officer
    - Director of HR
    - Director of Enterprise Applications
- Communication/Coordination with appropriate management and staff

34 Challenges (cont.)
- Authority to conduct Pen Test Evaluations
  - 2 separate but similar “Rules of Engagement” (for Exec. and Judicial Branch agencies/systems subject to our evaluation)
- Obtaining access to systems for credential testing
  - Despite statutory authority (to access all state information and records)

35 Improvement Opportunities
- Tie Current Results to Prior Results – to analyze trends about whether InfoSec is improving over time
- Multi-year Plan – Continue risk-based coverage?
- Simplify Further – smaller audits, dept.-specific
- Incident Response Testing
- Contractor Consistency – to improve efficiencies in coordination of planning, fieldwork and reporting
- Develop In-house Expertise – perform VA/pen tests using available tools and techniques

36 Questions?
Contact me: 303-869-2800
