Cybersecurity Series

  • Categories IT
  • Last Update January 13, 2021


Cybersecurity Lecture Series Program Overview
As new information technologies and approaches emerge, the associated business risks undergo anything from minor to significant transformation and, in many cases, have far-reaching consequences for the organizations adopting those technologies and for their stakeholders. Organizations increasingly look to their Internal Auditors to provide independent assurance of whether risks to the enterprise are well managed, and to advise accordingly. With information technology now a critical success factor for every business, and with the threat landscape constantly evolving, there is significant urgency for internal auditors to equip themselves with IT audit essentials.

This webinar series is designed for internal auditors looking to gain the competencies and confidence to audit IT controls and information security, and to learn about emerging technologies and their underlying risks.

This lecture series focuses on contemporary IT audit approaches relevant to Internal Auditors and the processes underlying risk based IT audits.

The webinar series also covers 9 key technologies and the related risks and issues that command the attention of the IT Risk & Audit world:

IS Audit Approach & Methodologies – Aligned with international best practices in auditing, and more specifically with COSO® and COBIT® as highly recognized standards, today's approaches to risk-based internal audits and IT controls evaluations form a critical foundation for the effectiveness and business-risk alignment of internal audits from a Board and Audit Committee perspective. In today's environment, an internal audit that does not encompass relevant IT audit strategies and testing carries significant audit risk, and its audit objectives are unlikely to be achieved effectively. IT controls evaluations by Internal Auditors, though highly pertinent, require knowledge and skills that differ from those used in traditional internal audits. Internal Auditors need to be aware not only of the methods and techniques underlying the planning, performance and integration of IT audits, but also need to stay up to date with emerging technologies, their benefits and risks, and the methodologies for evaluating relevant automated and IT-dependent controls. This webinar series highlights a step-by-step approach to performing IT control evaluations by Internal Auditors.

IT Governance – IT is no longer merely an enabler but a driver of business processes; it offers strategic value and also presents key business risks. Hence IT increasingly engages the attention of senior management. Governance encompasses the management oversight processes that ensure IT is strategically aligned with business needs while balancing the associated risks. Understanding and applying enterprise-wide IT management and governance is essential to the success of every enterprise that depends on IT today.

Project management – Businesses often experience adverse outcomes and stakeholder displeasure due to inadequate or ineffective management oversight of projects and poor project management processes over systems development and acquisition. Management increasingly looks to IT & Risk Professionals to assess whether IT project management controls and practices are effective, since this is a critical success factor in ensuring that investments in IT projects deliver the promised benefits on time.

IT Outsourcing is increasingly becoming an accepted way of achieving cost-effective process objectives, with growing emphasis on the organization's need to focus on core competencies and outsource supporting processes. In outsourcing, while operational responsibilities may be delegated, the associated strategic risks and the accountability to stakeholders cannot be passed on. IT & Risk Professionals have a significant role in evaluating outsourcing decisions, the underlying contractual obligations and performance measurement, and in providing independent assurance.

Cloud Computing is gradually moving from mere buzz to reality, with cost-benefit propositions engaging the interest of more and more business organizations. While the benefits of moving your organization onto the cloud are no doubt enticing, it comes with several hidden inherent risks that need careful attention. Moving critical applications onto the cloud is also challenging traditional internal audit paradigms and methodologies.

Smart mobility is rapidly transforming business user endpoints and capabilities. The implications for the organization are profound, including potential risks such as loss of privacy, security, devices and intellectual property. With Bring Your Own Device (BYOD) forcing its way into enterprises, organizations are grappling with ways and means of managing the associated risks, which are demolishing the traditional perimeter between business and personal use. Managing and auditing these risks while effectively administering mobility requires a well thought-out game plan.

Data Analysis & Mining is becoming a strategic business requirement as the concepts of Big Data fast become reality. Digging into enterprise data archives and analysing the data is key to sound decisions, enterprise agility, innovation and staying ahead of the growth curve. In addition, audit analytics can provide valuable insights into current and emerging business risks hidden in enterprise data and significantly increase audit effectiveness, making it a must-have strategic weapon in every auditor's arsenal.

Social Media rates amongst the most rapidly adopted technologies in business, since there is increasing recognition of social media as a unique and highly effective business communication medium. However, the difficulty of separating private or individual social media use from business use presents very high risks, from outsiders as well as employees. BYOD and mobility have extended both the reach and the risks of social media use. Auditors need to draw up the right approach to auditing social media and help management keep the threats at bay.

Advanced Persistent Threats and targeted cyber-attacks are the latest and most damaging threats on the IT threat landscape. APTs involve highly sophisticated attacks in which the perpetrators work persistently towards their intended objectives using several varied attack vectors. Given the covert nature of APTs, organizations need to be equipped to detect such threats, deal with them systematically, and protect themselves from their impact.

Digital Forensics deals with the capabilities organizations require to bring cyber criminals to book, and involves the investigation of cyber fraud, misuse of the organization's computer resources by insiders, attacks on sensitive data, cyber espionage and similar incidents. The subject involves special considerations when dealing with cyber criminals and digital evidence, and the capabilities required for doing so.

Learning Outcomes

You will leave this webinar series with an understanding of:

  • The business risks of using IT, the related controls, and IS assurance and audit concepts
  • What an IT audit engagement involves and the approach to risk-based IS audits
  • An overview of IS assurance and audit standards, tools and techniques
  • Planning and performing risk-based IS audit procedures
  • Reporting and follow-up
  • The scope of the emerging technology concepts, related issues and business risks
  • What factors to consider in your approach to auditing such technologies
  • The underlying assurance risks
  • Global best practices and the latest key research

Who should attend?

  • Internal Audit Professionals, Chief Audit Executives
  • IT Management Professionals
  • Risk Officers & strategic management members
  • Internal control professionals

Program Outline

Lecture 1

Cyber Defense

  • Threats/Threat actors/Common Cyber Attack methods
  • Attacks and vulnerabilities exposed
  • Layered protection measures against Cyber threats
  • Firewalls and levels of protection they provide
  • Traffic profiling and monitoring for inbound and outbound traffic
  • Intrusion Detection
  • Incidents of compromise
  • Penetration testing regimes and vulnerability testing
  • NIST Vulnerability Checklist
  • The Security Content Automation Protocol (SCAP)

Lecture 2

SANS SEC440: Critical Security Controls

  • Inventory of Authorized and Unauthorized Devices
  • Inventory of Authorized and Unauthorized Software
  • Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
  • Continuous Vulnerability Assessment and Remediation
  • Controlled Use of Administrative Privileges
  • Maintenance, Monitoring, and Analysis of Audit Logs
  • Email and Web Browser Protections
  • Malware Defenses
  • Limitation and Control of Network Ports, Protocols, and Services

Lecture 3

Malware Defense

  • Types of Malware
  • Blended Threats
  • Infection Mechanisms
  • Semantic or heuristics-based malware detection
  • Polymorphic Malware
  • Metamorphic Malware
  • Hiding techniques and Detection of Malware

Lecture 4

Boundary Defense Mechanisms

  • Denying communications with known malicious IP addresses
  • Rapid deployment of filters on internal networks
  • Deploying network-based IDS sensors on Internet and extranet DMZ systems
  • Seeking unusual attack mechanisms
  • Implementing Network-based IPS devices
  • Implementing a secure Network Architecture
  • Implementing two-factor authentication
  • Designing internal network segmentation
  • Designing and implementing network perimeter proxy servers

Lecture 5

Controlling Ports and Network Devices

  • Ports and Protocols
  • Network Mappers
  • Protocol Attacks
  • Use of Firewalls
  • Identifying Network Boundaries
  • NIST SP 800 series and CIS
  • Switches and Routers
  • Routing Protocols
  • Switch Security
  • Hardening the Network
  • Good Network Administration
  • Internet Control Message Protocol
  • Anti-spoofing and logging
  • Configuring a secure network perimeter
  • Securing IOS-based routers using automated features
  • Securing Desktops, Notebooks, Servers and Mobile Devices

Lecture 6

Application Security

  • Application security logging and monitoring
  • Issues in current logging practices
  • Resources required by developers for security logging
  • Correlating and alerting from log sources
  • Logging in multi-tiered architectures and disparate systems
  • Application security logging requirements

Lecture 7

SIEM Log Analysis

  • Logging Sources & Servers
  • What is a SIEM?
  • Advantages of a SIEM?
  • Using SIEM
  • Detection of outbound sensitive information
  • Data Collection
  • Aggregation, Normalization and Enrichment
  • Reporting and Forensics
  • Challenges in log management
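The Lecture 7 topics (data collection, normalization, enrichment, correlation, and detection of outbound sensitive information) are the stages of a SIEM pipeline. The following is an added illustration, not course material or the instructor's code: it takes constructed firewall syslog lines and constructed proxy access-log lines, normalizes both into one event schema, enriches each event from a hypothetical asset table and known-bad address list, and then correlates to flag outbound traffic to known-bad destinations and large uploads. The asset names, IP addresses, threshold and log formats are all assumptions made for the example.

```python
"""Toy SIEM pipeline: collect -> normalize -> enrich -> correlate -> aggregate.

Added illustration only. All log lines, asset names and address lists below
are constructed for the example and are not real data.
"""
import ipaddress
import re
from collections import Counter

# Constructed firewall (netfilter-style syslog) lines from a hypothetical host "fw01".
SYSLOG_LINES = [
    "Jan 13 10:01:02 fw01 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=203.0.113.77 PROTO=TCP DPT=443",
    "Jan 13 10:01:09 fw01 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=198.51.100.9 PROTO=TCP DPT=8443",
    "Jan 13 10:02:15 fw01 kernel: DROP IN=eth0 OUT= SRC=198.51.100.9 DST=10.0.5.23 PROTO=TCP DPT=22",
]
# Constructed proxy lines in Common Log Format; the size field is treated as the transfer size here.
PROXY_LINES = [
    '10.0.5.23 - - [13/Jan/2021:10:01:30 +0000] "POST http://203.0.113.77/upload HTTP/1.1" 200 5242880',
    '10.0.7.8 - - [13/Jan/2021:10:01:41 +0000] "GET http://example.org/ HTTP/1.1" 200 1042',
]

# Enrichment sources (assumption: in practice these come from a CMDB and a threat-intel feed).
ASSET_OWNERS = {"10.0.5.23": "finance-ws-23", "10.0.7.8": "hr-ws-08"}
KNOWN_BAD = {"203.0.113.77", "198.51.100.9"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) kernel: (?P<action>\w+) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\w+) DPT=(?P<dport>\d+)"
)
PROXY_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\w+) (?P<url>\S+) [^"]+" '
    r"(?P<status>\d+) (?P<bytes>\d+)"
)


def normalize_syslog(line):
    """Map a firewall line onto the common event schema; None if it does not parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return {"source": "firewall", "host": m["host"], "src_ip": m["src"], "dst_ip": m["dst"],
            "dst_port": int(m["dport"]), "action": m["action"].lower(), "bytes_out": 0}


def normalize_proxy(line):
    """Map a proxy line onto the same schema; the URL host becomes dst_ip."""
    m = PROXY_RE.match(line)
    if not m:
        return None
    host = re.sub(r"^https?://", "", m["url"]).split("/")[0]
    bytes_out = int(m["bytes"]) if m["method"] == "POST" else 0
    return {"source": "proxy", "host": "proxy", "src_ip": m["src"], "dst_ip": host,
            "dst_port": 80, "action": m["method"].lower(), "bytes_out": bytes_out}


def is_internal(ip):
    """True for addresses in INTERNAL_NETS; hostnames are treated as external."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def enrich(event):
    """Attach asset owner, threat-list match and traffic direction to an event."""
    e = dict(event)
    e["src_asset"] = ASSET_OWNERS.get(e["src_ip"], "unknown")
    e["dst_known_bad"] = e["dst_ip"] in KNOWN_BAD
    outbound = is_internal(e["src_ip"]) and not is_internal(e["dst_ip"])
    e["direction"] = "outbound" if outbound else "inbound/internal"
    return e


def correlate(events, exfil_threshold=1_000_000):
    """Rules: allowed outbound traffic to a known-bad host; large outbound upload."""
    alerts = []
    for e in events:
        if e["direction"] == "outbound" and e["dst_known_bad"] and e["action"] != "drop":
            alerts.append(("outbound-to-known-bad", e["src_asset"], e["dst_ip"]))
        if e["source"] == "proxy" and e["action"] == "post" and e["bytes_out"] >= exfil_threshold:
            alerts.append(("large-outbound-upload", e["src_asset"], e["dst_ip"]))
    return alerts


def aggregate(alerts):
    """Roll alerts up per source asset for reporting."""
    return Counter(asset for _rule, asset, _dst in alerts)


def run_pipeline(syslog_lines=SYSLOG_LINES, proxy_lines=PROXY_LINES):
    raw = [normalize_syslog(l) for l in syslog_lines] + [normalize_proxy(l) for l in proxy_lines]
    events = [enrich(e) for e in raw if e]
    return events, correlate(events)


if __name__ == "__main__":
    events, alerts = run_pipeline()
    for a in alerts:
        print(a)
    print(aggregate(alerts))
```

The point of the normalization step is that the correlation rules never need to know which product produced an event: the firewall and proxy records are matched against the same `direction`, `dst_known_bad` and `bytes_out` fields. The dropped inbound connection from the known-bad address produces no alert, because the rule is scoped to allowed outbound traffic; a real deployment would usually keep a separate, lower-severity rule for blocked inbound scans.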

Lecture 8

Administrative Control Breaches

  • Security Administration
  • Purpose of Security Tools
  • Examples of Security Tools
  • Security Incident Manager (SIM)
  • Problems with Security Administration
  • Improving Administration

Lecture 9

Vulnerability Assessment

  • Ongoing identification of potential risks and areas of weakness
  • Hazard Assessment and Risk Identification
  • Problems in Vulnerability Assessment
  • Use of Penetration Testing
  • Network Vulnerability Testing
  • Web Vulnerability Testing
  • Wireless War Driving / Walking
  • Phone Network Testing
  • Social Engineering Testing
  • Walk-throughs and Dumpster Diving
  • Physical Security Auditing

Lecture 10

Advanced Persistent Threats and targeted cyber attacks

  • Advanced Persistent Threats – the shifting paradigm to targeted attacks
  • Understanding Advanced Persistent threats
  • Overview of popular types of APTs
  • Impact of APTs on sensitive data as well as organisation reputation
  • Characteristics and Attack sequence of APT attacks and the challenges in detecting APTs
  • Assessing, Managing and Auditing APT Risks
  • Data loss and Cyber intrusions

Topics for this course

10 Lessons

  • Cyber Defense
  • Critical Security Controls
  • Malware Defenses
  • Border Defense Mechanism
  • Controlling Ports and Network
  • Application Security
  • SIEM Log Analysis
  • Administrative Control Breaches
  • Vulnerability Assessment
  • Advanced Persistent Threats

About the instructors


Expert Trainer: Richard E. Cascarino, MBA, CRMA, CIA, CISM, CFE. Well known in international auditing circles as one of the most knowledgeable practitioners in the field, Richard is principal of Richard Cascarino & Associates, a highly successful audit training and consultancy company. He has worked extensively with banks across Africa, the USA, the Caribbean, the Middle East and the Indian Ocean Isles. He is a regular speaker at national and international conferences and has presented webinar series throughout Africa, Europe, the Middle East and the USA. Richard is a Past President of the Institute of Internal Auditors in South Africa, was the founding Regional Director of the Southern African Region of the IIA-Inc and is a member of ISACA and the Association of Certified Fraud Examiners. Richard was the chairman of the Audit and Risk Committee of the Department of Public Enterprises in South Africa and served as chairman of the Audit Committee of Gauteng cluster 2 (Premier's office, Shared Services and Health). He is also a visiting Lecturer at the University of the Witwatersrand and author of the book "Internal Auditing - an Integrated Approach", 3rd edition, January 2015, published by Juta Publishing. This book is extensively used as a university textbook worldwide. In addition, he is the author of the "Auditor's Guide to IT Auditing" and "Data Analytics for Internal Auditors".


Enrolment validity: Lifetime