Worried your passwords are not strong enough for today’s sophisticated hackers? Cyber security breaches happen every day, as evidenced in recent headlines. Presentation covers key User Access threats both internal and external and ways to protect yourself and your company from malicious hackers. Learn from key case studies.

1. Cyber Security: User Access
Pitfalls
Dec. 10th, 2015
1

2. House Keeping Items2

3. 3Compliance Made Simple ™
Today’s Presenters
Sonia Luna, CEO, Aviva Spectrum
Mrs. Luna CPA, CIA with over 16 Years in public and
internal audit professional. Appointed to Smaller &
Emerging Companies Advisory Comm. By the SEC.
Karla Sasser, Senior Associate, Aviva Spectrum
Mrs. Sasser has over 20 years of finance, accounting
and audit experience. Mrs. Sasser is an active CPA, CIA
& CITP and has a Master’s in Information Technology.
Author of fast selling book “Friggin Bean Counters”
sold on Amazon & Barnes and Noble.
3

4. Agenda
1. Insider Threats vs. External Threats
2. State of Affairs: Internal and External Threats
3. Case Study Internal Threats
4. Cost of a BREACH!
5. User Access Rights (Best Practices)
6. Sony Breach Lessons Learned
7. Cloud Applications (what are “targets”?)
8. Home Depot & Target Breach (Lessons Learned)
9. Final Q&A
4

5. POLLING QUESTION?
WHERE ARE MOST OF THESE THREATS COMING
FROM?
A. INTERNAL (EMPLOYEES, VENDOR ACCESS/SUB-
CONTRACTORS)?
B. EXTERNAL THREATS (UNKNOWN HACKER)?
5

6. Disgruntled employees, insiders pose big
hacking risk
Some 29% of the survey takers said they were most
concerned about the lack of visibility into applications and
networks, while 28% said their top concern was insider
threats. Both of those concerns relate to how a disgruntled
employee, or an insider aligned with criminals, could
disrupt a company's network, or steal valuable intellectual
property. By contrast, just 14% said financially-motivated
hackers worried them most, while 6% cited political
hacktivists.
6

7. Annual reports on – insider threats
89% - More at risk from insider threats
7

8. Reuter’s Case Study
Ex-Employee & Passwords
8

9. Editor – 2 months w/access AFTER
TERMINATION
9

10. IT Community Comments10

11. Polling Question:
What’s your network access password change
policy?
A.Expires 1 year
B. Expires every 180 days
C.NEVER EXPIRES (I’m an admin!)
11

12. Notable IT and Cybersecurity standard
setters
1. International Organization for Standardization (ISO)
2. International Information Systems Security Certifications
Consortium (ISC2)
3. PCI Security Standards Council, LLC (PCI-DSS)
4. Committee of Sponsoring Organizations of the Treadway
Commission (COSO)
5. ISACA (COBIT)
12

13. Polling Question?
Which IT Guidance/Frameworks are you predominantly working with now?
A. COSO and/or COBIT
B. ISO and/or ISC2
C. PCI and/or ISO
D. Most of the above
13

14. The Cost of a Data Breach14

15. Principle of Least Privilege Access
 Defined as the practice of limiting access to the minimal level that will
allow normal functioning and is applied to both human and system user
access
 Originated by the US Department of Defense in the 1970’s to limit
potential damage of any accidental or malicious security breach
 It is the underlying principle and the predominate strategy used to
assure confidentiality within a network
 Role-based access, was developed to group users with common access
needs, simplifying security
15

16. Users with Elevated Access
 By default systems will process commands based on the level of access the user
who initiated the command has.
 System and domain administrators pose unique problems within a software
application.
Group Description Default user rights
Administrators
Members of this group have full control of all
domain controllers in the domain. By default, the
Domain Admins and Enterprise Admins groups are
members of the Administrators group. The
Administrator account is also a default member.
Because this group has full control in the domain,
add users with caution.
Access this computer from the network; Adjust memory quotas for a process;
Back up files and directories; Bypass traverse checking; Change the system
time; Create a pagefile; Debug programs; Enable computer and user
accounts to be trusted for delegation; Force a shutdown from a remote
system; Increase scheduling priority; Load and unload device drivers; Allow
log on locally; Manage auditing and security log; Modify firmware
environment values; Profile single process; Profile system performance;
Remove computer from docking station; Restore files and directories; Shut
down the system; Take ownership of files or other objects.
16

17. Polling Question
How much does SOX 404 compliance resolve your IT user access concerns?
A. A lot, we sleep well at night
B. Some but not enough
C. Very little
D. We haven’t started on user access reviews
17

18. Number of Cloud Apps a Company is Using
 Survey results released by Netskope, July 2014 revealed that
 On average 508 apps are in use within each enterprise with the top categories
being marketing, human resources, collaboration, storage and finance /
accounting
 88% of these apps have areas of concern from a security perspective
85% of data is uploaded to apps that enable file sharing
81% of data download occurred in apps with no data at rest encryption
77% of total apps reside and are processed in multi-tenant environments
18

19. Top Cloud Apps Identified by Netskope19

20.  As was widely reported, the hackers apparently gained access to Sony’s computer
systems by obtaining the login credentials of a high-level systems
administrator. Once the credentials were in the hands of the hackers, they were
granted “keys to the entire building,” according to a U.S. official.
 They hacked into one server that was not well protected, and escalated the attack
to gain access to the rest of the network.
 Sony’s network was not layered well enough to prevent breaches occurring in one
part from affecting other parts. In addition, the password “password” was used in 3
certificates.
 A combination of weak passwords, lack of server layering, not responding to alerts
or setting up alerts, inadequate logging and monitoring, and lack of Security
Education Training and Awareness all contributed to the Sony Breach.
20

21. Problems with Passwords
 People, process and technology are all needed to adequately secure a system
 When left on their own, people will make the worst security decisions
 Without any security training, people can be easily tricked into giving up their
passwords
 Passwords can be insecure
 People will choose easily remembered and easily guessed passwords
 Passwords can be easily broken
 Free programs are available on the Internet that can “crack” the password
 Passwords are inconvenient
 Computer generated passwords can be difficult to remember are written down
 Passwords do not have any authority
 Use of a password does not confirm the identity of the user entering the password
21

22.  In 2014, Cox was hacked by "EvilJordie," a
member of the "Lizard Squad" hacker
collective.
 The FCC's investigation found that by posing
as a Cox IT staffer, the hacker convinced a Cox
customer service representative to enter their
account IDs and passwords into a fake
website.
 Under the terms of the settlement, Cox will
pay the fine, identify all victims of the breach,
notify them and give them a year of credit
monitoring. The agreement also requires Cox
to conduct internal system audits, internal
threat monitoring, penetration testing and
other security measures to prevent further
hacks
22

23. Passwords - Cloud Apps and Remote
Contractors
 Cloud apps and remote contractors represent a significant risk to the overall
security of the company’s information assets because:
 Cloud apps can be implemented and remote contractors can be engaged without any
knowledge from IT
 Most companies do not have one central point of authority for cloud apps and remote
contractors
 There is a general lack of understanding of the scope of work for cloud apps and remote
contractors so elevated access is generally granted without any consideration of the risks
 User access cannot be validated against active directory or there are exceptions to
the company’s password policy granted
 One user account is shared among multiple users
23

24. 24

25. Single Sign-On and Password Emerging
Trends
 Single sign-on is an authentication process that allows users to enter one user
name and password to access multiple applications they have been given rights to.
 Two-factor authentication requires additional factors to establish a users identity
such as, a password and a pin number, a password and a fingerprint, retina scan
and a fingerprint, etc.
 Establishing complex user names, such as K$@ssEr
 Establishing meaningful, easy to remember complex passwords
t3chRock$ or $omething2about!
25

26. 26Compliance Made Simple ™
Community & Sharing
User Access Rights Webinar
Join Our LinkedIn Group
COSO Framework Discussion & Webinars
https://www.linkedin.com/groups/COSO-
Implementation-4888186/about
Technical Community sharing Ideas ,Templates, WEBINARS, Advise
and Learn from others implementing new framework.
Share your latest templates here!
26

27. 27Compliance Made Simple ™
Community & Sharing
User Access Rights Webinar
LinkedIn Group: Friggin’
Bean Counters
https://www.linkedin.com/groups/6985169
27

28. Chat TIME?
Does your organization have a PROVEN
SYSTEM in monitoring it’s user access
policies?
28

29. System Best practices29
Monthly
QuarterlyAnnual
Weekly

30. 30Compliance Made Simple ™
User Access Procedure Diagnostic
Email us for 5 SPOTS ONLY:
Info@avivaspectrum.com
SUBJECT: USER ACCESS
Internal
Threat
Analysis
BenchmarkIn-take

31. 31Compliance Made Simple ™
Aviva Spectrum is HIRING
1. SOX 404 – Senior Internal Auditors
2. IT auditors
3. SEC Reporting Managers
4. Cyber security consultants
Email:
Careers@avivaspectrum.com
User Access Rights Webinar
31

32. Questions?32

33. 33Compliance Made Simple ™
Speaker Contacts
Sonia Luna, CEO, Aviva Spectrum
 CONNECT: www.linkedin.com/in/sonialuna
 EMAIL:Sonia.luna@avivaspectrum.com
 PHONE: (424) 625-0241
Karla Sasser, Senior Associate, Aviva Spectrum
 CONNECT: www.linkedin.com/in/karlasasser
 EMAIL: Karla.Sasser@avivaspectrum.com
 PHONE: (818)384-8846
33