How do we stop hackers without understanding their true nature? What are they after, what is valuable to them? And how does what is valuable to them translate to our losses?
Being in the business of threat intelligence, we see how disproportionate hackers’ gains are when compared to the losses they inflict upon affected organizations. By far, not every stolen record gets abused. Yet, since there is no easy way to determine what becomes of the stolen data, the organization has to declare a total loss, even in a case of a minor breach.
Let’s try to understand hackers a little bit more. Who are they? Who do they work for? Where do they reside? What motivates them? How did they learn their craft? What do they do with the stolen data? What are they afraid of?
Today, brazened hackers take over our systems and demand a ransom. They give interviews to the press, they walk around their hometowns with their head held high, far away from justice. The world’s current political environment serves as their encouragement and provides cover for their evil acts.
In our plans to discuss these issues at North America CACS 2017, we will take real-life examples from personal experience and make them relatable to your realm of expertise. That includes how to combat seamless or unstoppable threats, like DDoS or ransomware, by understanding who is behind these attacks. Further, we will illustrate how to avoid being collateral damage or the lowest-hanging fruit.
The practical defense advice detailed in the presentation should prove invaluable. Sure, we have regulatory security to give us the guidelines on what is the standard of care for our data, yet the hackers do not care about “certified” secure sites. They look for the vulnerabilities beyond patches and beyond application faults. They are moving into the arena of exploiting the end-users.
You cannot “patch” a person. Yet, hackers are getting smarter and creating repeatable formulas playing on people’s empathy and/or feelings.
The primary goal is to stop hackers. Even with the current level of knowledge and experience gained from previous hacks, stopping hacking is not an easy task. There are no universal hacker deterrents, but there are ways to slow down their advances over time.
Better access management is one of the keys. That means not only better passwords, but also leveraging the available authentication techniques, their variants and safety measures. We also will address the development of honeypots, not only as systems that are perceivably weaker, but as applications, components and even credentials, which raise an alert whenever someone attempts to use or exploit them.
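As an added example (not code from the post or its author), here is the kind of detection logic a defender would run over authentication and web-server logs to catch use of planted honey credentials and honey paths. The account names, paths, log formats and log lines are all constructed for the example.

```javascript
// Added example: detecting use of planted honey credentials and honey
// components in authentication and web logs. Every name, path and log
// line below is constructed; the log formats are assumptions.

// Canary identities and paths that no legitimate user or system ever uses.
// They are planted where an intruder would look (config files, wikis,
// password stores), so any use of them is a high-fidelity alert.
const HONEY_ACCOUNTS = new Set(['svc-backup-legacy', 'dba_readonly2']);
const HONEY_PATHS = new Set(['/admin-old/login', '/.git/config']);

// Constructed syslog-style authentication line:
// "<ISO time> sshd: <Accepted|Failed> password for <user> from <ip>"
const AUTH_RE = /^(\S+) sshd: (Accepted|Failed) password for (\S+) from (\S+)$/;

// Constructed combined-log-style web request line:
// '<ip> - - [<time>] "<METHOD> <path> HTTP/1.x" <status>'
const WEB_RE = /^(\S+) - - \[([^\]]+)\] "(\w+) (\S+) HTTP\/1\.[01]" (\d{3})$/;

// Scan log lines and return one alert per honeytoken hit. Ordinary failed
// logins are NOT alerted; only canary use is, because a canary has no
// legitimate owner and its use implies that a planted secret was found.
function detectHoneytokenUse(lines) {
  const alerts = [];
  for (const line of lines) {
    let m = AUTH_RE.exec(line);
    if (m) {
      const [, time, outcome, user, ip] = m;
      if (HONEY_ACCOUNTS.has(user)) {
        alerts.push({
          time, kind: 'honey-credential', indicator: user, source: ip,
          // A success means the honey credential actually works somewhere
          // (a misconfiguration); escalate harder than a failed attempt.
          severity: outcome === 'Accepted' ? 'critical' : 'high',
        });
      }
      continue;
    }
    m = WEB_RE.exec(line);
    if (m) {
      const [, ip, time, , path] = m;
      if (HONEY_PATHS.has(path)) {
        alerts.push({ time, kind: 'honey-path', indicator: path, source: ip, severity: 'high' });
      }
    }
  }
  return alerts;
}

// Group alerts by source address so an analyst sees one case per host.
function groupBySource(alerts) {
  const bySource = new Map();
  for (const a of alerts) {
    if (!bySource.has(a.source)) bySource.set(a.source, []);
    bySource.get(a.source).push(a);
  }
  return bySource;
}

// Constructed sample input: normal traffic plus two canary touches from one host.
const SAMPLE_LOGS = [
  '2017-03-20T09:01:02Z sshd: Accepted password for alice from 10.0.0.5',
  '2017-03-20T09:01:30Z sshd: Failed password for bob from 10.0.0.7',
  '2017-03-20T09:02:11Z sshd: Failed password for svc-backup-legacy from 203.0.113.9',
  '203.0.113.9 - - [20/Mar/2017:09:02:40 +0000] "GET /admin-old/login HTTP/1.1" 404',
  '10.0.0.5 - - [20/Mar/2017:09:03:00 +0000] "GET /index.html HTTP/1.1" 200',
];

for (const [src, hits] of groupBySource(detectHoneytokenUse(SAMPLE_LOGS))) {
  console.log(`${src}: ${hits.map(h => `${h.kind}=${h.indicator} (${h.severity})`).join(', ')}`);
}
```

Running it prints a single case for 203.0.113.9 with both the honey-credential and honey-path hits, while the ordinary failed login for bob produces nothing.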
At the end of the talk, we are not going to be afraid of the unknown. Each attendee will come out with a list of viable steps to formulate a plan to deter hackers – to make them turn away at the door, and even if they try their virtual assault, to ensure they are met with alarms and proactive actions specific to their attack type.
Editor’s note: Alex Holden will present on “Threat Intelligence – Exploiting Hackers” at North America CACS 2017, which will take place 1-3 May in Las Vegas, Nevada, USA.
Category: Security Published: 3/24/2017 3:08 PM
Deloitte Technology, Media and Telecommunications predicted recently that more than 1B devices would be reader-enabled for biometrics by the end of 2017. This is a very significant milestone for many reasons.
Over the years, there has been a lot of hype about the potential of biometrics for authentication and other purposes, but the lack of availability to consumers meant adoption was behind the hype curve. Device manufacturers have since changed this picture with native biometric support of mobile and tablet devices.
In a broader sense, it is important to understand the benefits of biometrics and how they can fit into an organization’s security strategy.
The death of the password – are we there yet?
Biometrics are used for individuals to authenticate to a service or a device. In some instances, authorization of a transaction has been built into applications. Due to its many intuitive uses, biometrics have long been a favorite of those who sing the tales of the demise of the password. While it is unlikely that we’ll get rid of passwords anytime soon, biometrics can offer a lot of value.
Biometrics have some significant benefits, and their adoption into ever more uses brings those benefits to more people.
For a start, biometrics are user-friendly. After years of passwords and PINs on fiddly mobile device keyboards, having a simple fingerprint reader is a welcome alternative, particularly when, as Deloitte research noted, biometric readers are used on main devices, on average, 30 times a day.
Another benefit of biometrics is increased accountability. As biometrics rely on something you are, the days of sharing authenticators could be numbered.
Biometrics also are cheap. The device manufacturers have already distributed upwards of a billion readers to date.
Lastly, where the system is properly architected, biometrics can have the advantage that attacks won’t scale. Proper design entails not using the representation of the body feature as a secret and, in turn, not storing such representations in a central location. Often it is these databases that are a target for motivated attackers.
How do I embed biometrics in my digital strategy?
Organizations should definitely consider using biometrics in their consumer authentication strategy, but this should be part of a wider security model. Having a single factor (in this case of biometrics, something you are) might be enough for simple uses – for example, to log into your electricity provider to review your latest bill. This will not be enough for other uses, though, such as authorizing a major payment from your bank current account. There are a few things to keep in mind for organizations in all industries:
Multifactor authentication is here to stay, and biometrics are fast gaining pace. As part of your overall customer-facing initiatives, build in a strong authentication mechanism, and leverage the growing presence of biometrics to enhance security and user experience.
Category: Security Published: 3/21/2017 1:57 PM
One of the most influential conversations in Cheryl Santor’s career required plenty of gumption.
Santor, working in IT at a mortgage banking firm in the 1990s, had major concerns about non-proprietary memory that had been installed, jeopardizing the main system for collecting loan information. She voiced her concerns to her CIO in no uncertain terms, believing the integrity of the loan origination system was at stake.
It turns out, Santor’s candor – and insights – were respected more than she could have anticipated. About a year later, that same CIO hired her to work at a national bank where she eventually became CISO.
“He appreciated my diligence, integrity and forthrightness,” Santor said. “This boosted my career and provided the backdrop for my future.”
Santor, a longtime ISACA member, recently retired as the Information Security Manager of Metropolitan Water District of SoCal, where she ensured the security of the business and SCADA network systems. Her responsibilities included review of all national and global intelligence that might affect water system reliability. She continues her ISACA involvement, and work with the FBI InfraGard and other professional organizations, to provide expertise in her areas of focus.
The fourth-generation Californian recently was nominated by a colleague as a finalist in the Los Angeles Business Journal’s CTO Awards.
“I have been in this work for 28-plus years and it has always been a passion, so to be recognized for that passion is reward in itself,” Santor said.
An information security professional “before there was such a title,” Santor said she emphasizes awareness of security best practices, including disaster recovery exercises and access controls.
Santor has been actively involved in ISACA’s Los Angeles chapter for 17 years. She was an IT auditor when she first joined.
“Seeing that audit and security went hand-in-hand, in providing the best for any organization, I joined ISACA,” Santor said. “I knew that ISACA would provide me the intelligence and expertise as I moved through my career.”
In recent years, Santor has become especially passionate about ISACA’s Cybersecurity Nexus (CSX) program as a resource for cyber security professionals to gain the needed skills and training to keep pace with fast-evolving cyber threats.
“Whether they are entering the field, changing careers or just becoming the person who is taking cyber security on for their company, they can look to ISACA’s knowledge to support their efforts,” Santor said.
Santor and her husband, Louis, have four children and eight grandchildren. Rather than having a hard time keeping up with her grandchildren, it might be the other way around; Santor is a car enthusiast whose hobbies include racing Corvettes and Cadillacs. A less adrenaline-infused passion is quilting, which Santor said benefits from a similar mindset to her professional wiring.
“I like to take fabric, cut it up and create a new version or outcome,” she explained. “To me it is somewhat like computer forensics. You are presented with a puzzle and you need to make sense of it as the final outcome – an investigative process in both instances.”
Business leaders must take accountability for governing and managing IT-related assets within their units and functions just as they would other assets, such as those involving physical plant or human resources.
This is critical as achieving enterprise goals becomes increasingly interconnected with successfully managing and governing its technology. COBIT 5 provides the framework needed to connect business goals with IT goals while utilizing non-technical, business language, as explored in a recent ISACA podcast. John Jasinski, a COBIT certified assessor, discusses the framework’s core principles and enablers, and ways in which enterprises can successfully leverage them.
“The main purpose of the governance of enterprise IT is to achieve strategic alignment of information and related technology with the goals of the enterprise,” Jasinski said. “However, a continuing challenge for enterprises is how to achieve and maintain the alignment as stakeholder needs and enterprise goals change. The COBIT goals cascade provides context, structure and content for consistency of goals and meeting stakeholder needs.”
The COBIT 5 goals cascade provides a model to define and link enterprise goals and IT goals in support of stakeholder needs.
Decisions on how to utilize IT assets and resources should be made by business managers in an overall governance and management context, according to Jasinski. Directors should govern IT through three main tasks:
COBIT 5, which aligns with other relevant standards and frameworks used worldwide, provides a technology-agnostic common language to more effectively address information and cyber security, risk, vendor management, cloud controls and many other challenges faced by enterprises. Distinctions between governance and management also are addressed.
“If you’re looking for context, structure and content to address your biggest digital business challenges and opportunities, you must have an understanding the COBIT goals cascade, enabling processes and the entire COBIT library,” Jasinski said. “COBIT can help you understand how to connect all the dots, and fit the puzzle pieces together. This is important stuff.”
Further ISACA insights on the topic can be found in the white paper, “COBIT 5 Principles: Where Did They Come From?”
Editor’s note: The ISACA Podcast is now available on iTunes, Google Play and SoundCloud. Listen to experts in cyber security, audit, governance and more as they explain the latest trends and issues facing professionals.
Category: COBIT-Governance of Enterprise IT Published: 3/15/2017 3:04 PM
The Authority to Operate (ATO) is necessary to work in the system of US federal government agencies. My recent Journal article provides details on how to obtain the authority to operate. The following steps can help US enterprises gain the approval to operate with the federal government:
● Ensure confidentiality, integrity and availability—The first necessary step toward achieving ATO is confidentiality, integrity and availability (CIA). This means that only approved people can get in, any changes to the system or data are genuine, and the system is up and ready for use.
● Embrace the NIST 800-53 control families—Every family is a tightly knit assembly of controls with a “dash-one,” or parent, control, followed by offspring controls that dive deeper into the security measure. For instance, the Access Control family starts with the dash-one control, Access Control Policy. It is followed by more detailed controls to be implemented and assessed, such as Account Management and Access Enforcement. Using the lists of controls within each of the 18 NIST control families allows you to demonstrate the security that is in place or that is being planned.
● Keep the evidence—Just like in any operational process, you create or gather documentation to delineate the process and what has taken place. Just like any trail or audit, you keep evidence of the path you have taken. The ATO process allows you to gather and store all the security documentation. This serves well in building a case for the security posture of your system and how it fits into your federal agency’s risk profile.
In addition to these steps, following the US National Institute of Standards and Technology Risk Management Framework can help your system be granted an ATO.
Read Jo Anna Bennerson’s recent Journal article:
“Navigating the US Federal Government Agency ATO Process for IT Security Professionals,” ISACA Journal, volume 2, 2017.
Editor’s note: Daymond John, the FUBU clothing founder, Shark Tank reality TV judge and a self-made multimillionaire, will deliver the closing keynote address at ISACA’s North America CACS 2017 conference, which will take place 1-3 May in Las Vegas, Nevada, USA. John visited with ISACA Now about what innovation means to him, his approach to taking business risks and the Shark Tank experience. The following is an edited transcript:
ISACA Now: The word ‘innovative’ is thrown around a lot. What does that mean to you, and in what ways has that kind of mindset allowed you to achieve such a high level of success with FUBU and your other ventures?
Innovation is the process of creating something new, which oftentimes is just a newer version of something that already existed. For example, to me, Twitter was a note on a pigeon's leg hundreds of years ago. It’s just a new form of delivery.
There’s a huge misconception about innovation, which is that it starts with some grand idea. The truth is that it typically begins with people collaborating and working together on ordinary ideas that transform into something innovative.
When I started FUBU, I didn't put three sleeves on my T-shirts. I didn't start trying to be “innovative.” I just did what I could with what I had, and the brand became more than what even I imagined it could be.
ISACA Now: What advice would you give somebody who has a business idea that he or she is excited about but is nervous about taking that entrepreneurial plunge?
Take affordable steps. You don't need to take great leaps of faith. Again, start with whatever you can afford to lose.
The idea is not to get over your fear of taking a plunge – it’s not to take a plunge at all. Baby steps; that way, you don’t hurt yourself too much when you run into problems. That way, you can survive your mistakes and live to take another step.
ISACA Now: What has it been like to be involved with Shark Tank, and what aspects of the show do you think resonate most with viewers?
It has been a great learning experience for me. I learn as much from the entrepreneurs as they learn from me sometimes.
What resonates with people? I think the show illustrates that the American Dream is still achievable. It shows that ordinary people can do extraordinary things if they're willing to act on their ideas.
Category: ISACA Published: 3/14/2017 8:53 AM
The overall objective for security controls is to support the organization’s services and infrastructure by identifying risks, improving the security level, and enabling rapid detection and response to security attacks.
It is also true that, in practice, no organization can place all the security controls against every cyberattack by itself. Consequently, it is now a growing practice that many organizations leverage a hybrid model for their security controls. For example, organizations put in place onsite or locally deployed security controls in the form of people, process and technology, together with cloud-based security controls.
At the same time, risk, regulatory and compliance requirements drive business value in highly regulated industries, such as financial services and healthcare. Therefore, using a hybrid model for security controls in highly regulated industries raises compliance implications. Especially in these industries, the multitude of risk, regulatory and compliance requirements, such as PCI DSS, SOX, HIPAA and many others related to privacy and sensitive data, keeps growing. That adds complexity, cost and operational overhead to the infrastructure – consequently, cloud-driven security controls are a natural choice for many organizations to address complexity, cost and operational issues. However, this also leads to new challenges in remaining compliant with ever-increasing requirements.
Many compliance regulations cover specific requirements on processing personal information and on cloud compliance for sensitive data. Organizations are required to ensure that their security policies, controls and IT systems remain compliant with these requirements. Selecting adequate cloud-based security controls for specific data or applications is a challenge when personally identifiable information (PII) is involved. Organizations must assess whether PII needs to be part of the data processed in third-party cloud locations/data centers.
Furthermore, data may be stored and processed across different jurisdictions. It is important that while sharing data for security purposes, organizations remain compliant with pertinent laws. While choosing any particular cloud-based security control, organizations should be aware of related compliance requirements.
Organizations must also analyze technological aspects of particular compliance requirements – for example, how encryption/decryption will be performed inside or outside a particular jurisdiction, and where and how the data (alerts, logs) will be stored and handled. While decrypting traffic externally, who will have access to that decrypted data? More importantly, in the case of a breach or data leakage, how will accountability be established and how will fines be paid that are imposed by regulatory authorities?
Compliance and security are critical when protecting sensitive data and infrastructure. However, organizations often have a false sense of security, and consider their infrastructure secured if they are compliant. Instead, compliance can be considered a snapshot of overall security controls.
Being compliant does not guarantee a secured infrastructure. Many organizations make security more complex by developing separate programs for compliance and security, which leads to overlapping solutions. This adds significant expense to an overall organizational budget. Hence, for strengthened security, security initiatives must not be driven by compliance alone, and should go beyond any particular set of compliance requirements. Compliance and security initiatives should be tightly coupled. This will reduce cost, minimize overlapping solutions and deliver an effective security infrastructure.
Compliance and security complement each other in various aspects. However, being compliant does not necessarily mean that an organization is covering all aspects of security required to protect its infrastructure. There have been significant known breaches of many companies that were considered “compliant.” An effective security program integrated with an efficient compliance plan will strengthen overall security infrastructure and ensure compliance.
Category: Security Published: 3/13/2017 3:04 PM
Many of us ask ourselves: “How can I differentiate myself from others in the workplace? I have plenty of drive and ambition to improve my professional skills – what can I do to demonstrate this to employers?”
Increasingly, for many, the answer is professional certifications. The Certified Public Accountant (CPA) exam and associated credential were created in 1917. Since then, mostly within the past several decades, professional certifications have flourished. One can earn certifications in just about any professional field.
As the explosive growth of our reliance on information systems continues, in all aspects of our personal and professional lives, we all need to be able to place reasonable trust in these systems. This creates an increasing demand for competent professionals to review information systems, identify areas for improved security and quality, and make cost-effective recommendations for improvement.
This is where the Certified Information Systems Auditor (CISA) certification comes in. In the realm of technology, including all the associated risks and controls, there are a variety of well-respected certifications. The holders of these certifications have demonstrated their dedication to and achievement within their profession. The CISA has historically been one of the top-paying and most respected certifications. Many employers, including some government agencies, will not consider hiring someone to perform audits of information systems and technology unless they are CISAs.
CISA is a globally recognized certification within the fields of technology audit, control and security. Of the many available technology-related certifications, CISA is the gold standard. It was created in 1978 by a non-profit organization known at the time as the EDP Auditors Association – now ISACA.
The CISA certification is ANSI-accredited and recognized globally. It has been earned by more than 129,000 professionals since inception. The exam is offered globally at computer-based testing centers.
ISACA offers a wealth of resources that candidates can use to prepare for this challenging exam, both through ISACA HQ and through exceptional review courses offered by local ISACA chapters.
After passing the exam, in order to become certified, candidates are required to provide evidence of at least five years of professional IS audit experience. Related work experience and higher education programs can provide credit against the five-year requirement. Candidates must also comply with the ISACA Code of Professional Ethics and adhere to ISACA’s auditing standards.
After obtaining the CISA, certification-holders must complete a minimum of 20 hours of training per year and a total of 120 hours in a three-year period to retain the certification.
The efforts are well worthwhile. CISA certification can be a career game-changer – now more than ever.
Being a CISA has certainly made a difference in my career. I was fresh out of IT, having spent 12 years doing everything you could possibly do in the data center, 24 hours a day, and wanted something else. I “stumbled” across something that would allow me to utilize my IT background without having people calling me in the middle of the night because the system crashed. One of the first things my new manager told me to do was “go take this EDPAA review course and pass the CISA exam." The what course and exam?
I passed the exam after much hard work, and went on to better jobs, higher income and professional recognition. It also led me to try my hand at teaching. I volunteered to teach some sessions in our Chicago chapter’s CISA review course. That was more than 20 years ago. Not only have I been teaching CISA review ever since, the teaching experience I acquired enabled me to join the staff of Elmhurst College as an adjunct faculty member. I am now in my ninth year at the college, teaching accounting and technology courses. Recently, I have been asked to develop and present a course in IT auditing at a major university in Chicago.
None of this would have been possible without my CISA. Being a CISA will open doors for you that you may not presently envision.
Editor’s note: An ISACA webinar, “How to Prepare for and Pass the Certified Information Systems Auditor (CISA) Examination,” will be offered 14 March. To find out more, visit http://www.isaca.org/Education/Online-Learning/Pages/Webinar-How-to-Prepare-for-and-Pass-the-CISA-Examination.aspx.
Artificial intelligence this, artificial intelligence that … everyone wants to talk about how AI technology is changing various aspects of society. And while it’s true that AI will have an impact on just about everything we see and do in the next decade, it’s likely that no single aspect of society will be more transformed than business.
Over the past couple of years, I’ve noticed just how much AI has influenced strategic business decisions and actions in my industry. I want to be careful not to over-exaggerate the impact AI technology is having, but the results are nothing short of astonishing.
Let’s ditch the hypotheticals and instead make it really simple and personal. Here are six specific ways AI will revamp your business in the very near future.
AI and Business: An Inseparable Tandem
We will never again know a business world without heavy influence from artificial intelligence – that’s just the simple truth. We’ve reached a point of no return where AI will forever play a role in how businesses function on a daily basis. The best thing to do is be prepared.
Jan Babiak draws upon her decades of high-level career experience to work toward expanded opportunities for women working in technology – all the way to the top.
Babiak, a longtime ISACA member and board member with Walgreens Boots Alliance, Inc., Bank of Montreal and GHD Group, has made advocating for women advancing to upper management one of her core priorities. She is involved in the International Women’s Forum and Women Corporate Directors, among other organizations, in her efforts to connect women with leadership opportunities.
“There aren’t a lot of women who have been successful in the C-suite themselves available to help women make that last step, and that last step is actually one of the most difficult, so that’s an area I have real passion around,” Babiak said.
Babiak has encountered many of the barriers noted by respondents in The Future Tech Workforce: Breaking Gender Barriers report throughout her career, which included 28 years with EY – 20 of those based in London working in leadership roles related to information security and regulatory issues. She has been in hundreds of meetings – counting those with clients – in which she was the only woman, given the male-dominated state of the field.
“Sometimes I was welcome, but sometimes there was clear resentment or, worse yet, patronization,” Babiak said. “As I earned the right to influence who else would be admitted to leadership, I worked to sponsor the best talent, and that included both men and women in equal measure. Interestingly, I found I always had a much higher percentage of women in my leadership teams than my male peers, and our results were usually much better. Now that really feels great, and is a testament to the tangible benefits of diverse experiences.”
Babiak believes a comprehensive approach must be taken to seriously address a wide range of systemic issues that have created the gender disparity in the technology field.
“A great starting point is having measurement, transparency and accountability for gender equality at every level – in the schools, in the workplace, in government, etc.,” Babiak said. “Another key area of emphasis would include educating the parents and teachers of young girls about the opportunities in technology for their daughters. They are the greatest influence and, sadly, they often have biases that actively discourage interests in STEM related areas.”
In addition to promoting career advancement for women, Babiak directs much of her focus toward helping boards and senior management better understand cyber security priorities, as well as advising those on technical career paths how they can grow into management roles.
While Babiak has lived in Nashville, Tennessee, since 2010, she considers herself “a global citizen.” She returns to the United Kingdom several times a year and travels extensively on a global scale.
Category: ISACA Published: 3/6/2017 8:00 AM
I recently met a young woman in Ireland who was working toward a technology-oriented degree, and she recalled being among three women in her course at the beginning of the semester. By the end of the semester, she was the last woman standing.
My new acquaintance suspected that her female classmates wavered on continuing their course of study because their classes were so male-dominated. And who can blame them? While some women are more comfortable than others being vastly outnumbered, the shortage of female mentors and role models in the technology sector poses a major concern, further illuminated by ISACA’s The Future Tech Workforce: Breaking Gender Barriers report.
The scarcity of mentors and female role models were the main barriers to career advancement cited by the survey’s respondents, with workplace gender bias and unequal growth opportunities also rating among the main factors.
I can empathize with the respondents, having experienced more than my share of conferences and board meetings lacking friendly female faces. I recall attending one conference where I was one of two women among about 200 delegates.
While there has been occasional progress during my 25-plus years working in IT and information security, the gender disparity in the technology field remains pronounced – a source of major concern from both societal and workforce perspectives. A Deloitte Global projection indicated less than 25 percent of IT jobs in developed countries would be held by women at the close of 2016, and nearly 9 in 10 respondents to ISACA’s study indicated they are concerned with the number of women in the technology sector.
Addressing this gender gulf is everyone’s responsibility – men, women, employers, educators and industry associations such as ISACA, which last year launched its Connecting Women Leaders in Technology program. Promoting networking and mentorship is a key piece of the program. Women should be encouraged to be confident and persistent in pursuit of their technology careers, and a mentor in the field – whether male or female – can be the most effective person to make that case.
There also is much that enterprises can do, such as ensuring they are offering equitable pay for men and women and providing flexible working arrangements. Having ‘Keep in touch’ days when women are on maternity leave, in addition to encouraging professional development opportunities such as webinars and online courses, are other worthwhile ways to ensure that women remain connected to the organization while on leave.
In addition to promoting a more just society, enterprises have bottom-line motivation to hire and promote women. Research from The Peterson Institute for International Economics and EY shows that an organization with at least 30 percent female leaders could add up to 6 percentage points to its profit margin.
This does not surprise me. The women I have worked with are highly motivated, focused and encouraging of their colleagues. They are as knowledgeable – if not more so – than their male counterparts.
Yet even at a time when more women are urgently needed, given the global shortage of skilled technology professionals, women still deal with too few career opportunities and too many barriers to advancement. Even as technology transforms the global economy at a staggering pace, we are still dealing with gender bias that hampered our mothers and grandmothers.
A challenge this large and this persistent can feel overwhelming, but there are steps each of us can take to make meaningful progress. If we are resolute, the day will come when our classrooms, offices and board rooms are filled with empowered women ready to make their mark on the technology workforce.
It is no secret that in today’s world, information is more at risk than ever before. Unfortunately, we now must deal with the realization that it’s not if an attempted breach will occur on your network, but rather when. Despite an organization’s best efforts to secure networks and information, human error and system vulnerabilities will continue to exist. Considering that reality, organizations must be sure to prepare an actionable plan for when the worst-case scenarios play themselves out.
Incident response is the process of establishing a plan for responding to these worst-case scenarios. The ability of an organization to react to and contain incidents in a prompt and efficient manner is equally as important as the tools and procedures that are put in place to prevent such scenarios. This means not only having the tools in place to detect potential threats, but also having the personnel on hand to respond and react efficiently.
Who needs incident response?
In short: everyone. All businesses have intellectual property, personally identifiable information (PII), financials or some form of sensitive information that can be dangerous when in the wrong hands. Establishing an actionable plan will result in faster response times and minimize damages as a result of an incident.
The potential risks your organization faces as the result of poorly responding to an incident are vast and may vary based on industry. That said, below are some of the more common risks to consider when evaluating the value of your organization’s incident response plan:
Operational risks. An incident such as a system breach could result in critical systems and applications becoming inoperative. This may lead to a loss of core business functions (such as a production line being shut down) as well as potential security vulnerabilities.
Reputational risks. Responding poorly to an incident can have severely negative impacts on your organization’s public image, as well as in the eyes of your current and potential customers/clients.
Compliance risks. In some instances, an incident may result in an inability to meet regulatory requirements and introduces the potential for fines and/or penalties from governing bodies.
Financial risks. All the previously mentioned risks have the potential to result in negative financial impact to your organization. These, along with the potential for lost assets, the cost of repairs, legal fees and other unexpected costs should be considered.
Determining the components of a successful incident response plan will vary from business to business, but at its core should deliver the following:
A successful incident response program should align with standards set forth by the National Institute of Standards and Technology (NIST), the International Organization for Standardization (ISO) and the Information Technology Infrastructure Library (ITIL).
Category: Risk Management Published: 3/3/2017 3:02 PM
Unmanned aerial system (UAS) technology has the potential to revolutionize a broad cross-section of industries, ranging from media and telecommunications to agriculture and construction. In the future, a forward-leaning regulatory framework will allow businesses of all sizes to leverage this technology to maximize revenue, create efficiencies, and expand the scope of goods and services available to consumers, not to mention deliver hundreds of billions of dollars to the economy. The Small UAV Coalition was founded on the principle that ‘technology always wins,’ and that philosophy is more apropos now than ever before. However, federal regulators determine when businesses, consumers, and our economy can begin to benefit.
In June 2016, the Federal Aviation Administration (FAA) took an important step toward achieving this reality. After a nine-month delay, the FAA released its long-awaited Final Rule for commercial UAS operations (Part 107). The rule, effective 29 August, 2016, expanded opportunities for commercial drone operators and businesses to test and integrate a wider range of commercial UAS applications. While beneficial to industry, Part 107 was merely a small first step. Operators must travel to a designated FAA testing facility to take an Aeronautical Knowledge Test in order to obtain a remote pilot certificate and entities interested in integrating extended operations – including those beyond visual line of sight (BVLOS), at night, over people, and with multiple UAS – are subject to a lengthy and arduous waiver process.
In the six months since Part 107 went into effect, the FAA has granted just over 300 of these waivers, the vast majority of which only allow for highly restricted nighttime operations. These lingering limitations on expanded operations stifle innovation and truncate the vast economic and social benefits possible through widespread integration of UAS technology.
Many companies that utilize UAS technology saw a glimpse of the future when the FAA announced plans to release a notice of proposed rulemaking (NPRM) for operations over people by the end of 2016. This NPRM would open a public comment period that would allow industry, consumers, and government stakeholders to provide input in support of a forward-leaning final rule that embraces innovation, safety and security. With no sign of progress at year’s end, FAA Administrator Michael Huerta publicly acknowledged an indefinite postponement of the NPRM on 6 January.
The promise of an NPRM took another hit in early 2017 when the new US Administration implemented a regulatory freeze and announced intentions to require two regulations to be repealed for every new one that goes into effect in an effort to reduce regulatory burdens on businesses. Let’s celebrate the reduction of redundant or burdensome regulations while recognizing that some regulation provides clarity to industry and actually promotes investment, innovation, and job creation by removing government prohibitions. Huerta’s “steadfast commitment to… ensur[ing] drones can fly over people without sacrificing safety or security” remains a hollow promise to companies eager to integrate operations over people but stalled by the delay. Even initiatives that face no uncertainty or interagency “miscommunication,” such as digital education tools, consumer information centers/representatives, and an automated and expedited waiver process, are in some nebulous queue.
While there are undoubtedly sectors of the economy in dire need of reduced regulatory burdens and less red tape, many rapidly developing sectors of the 21st century economy are at a standstill amidst legal and regulatory uncertainty. Commercial UAS technology is evolving at a pace that has exceeded nascent regulations. The industry needs a forward-leaning, progressive regulatory framework in order to realize the vast economic and social benefits of this transformative technology.
Security issues must never be taken lightly and safety is always paramount, but we can, at the very least, initiate this critical dialogue and be transparent about the reasons why we are not doing so. An NPRM would provide an opportunity for industry stakeholders to sit down at the proverbial table and consider all questions and concerns – safety, security, or otherwise – alongside key lawmakers and regulators. Countries around the world continue to adopt progressive UAS regulations and authorize expanded operations, outpacing US progress and our government’s commitment to American innovation. Aggressive pursuit of US leadership in the research, development, production and application of UAS technology is more important than ever – time is of the essence because, as we all know, technology always wins.
Editor’s note: A new ISACA white paper on drone usage and a related checklist can be downloaded at www.isaca.org/drones.
Category: Government-Regulatory Published: 3/2/2017 3:01 PM
Adults don’t really like new ideas, and while cyber risk may have been born around the time of the first mainframes, it can still feel new today. CEB reported last month that 66 percent of business leaders don’t understand the cyber security information that goes to the board. This isn’t a failure of business leaders but of the messages they’re receiving.
While children consume and learn voraciously, adults struggle with finding context, skepticism, and social conditioning. Overcoming these cognitive biases to drive your company toward more risk-savvy behavior means you’re going to have to deliver a pretty clear and effective message. Keep in mind these three rules of thumb to improve how well your risk reporting is understood.
One message at a time. Yes, IT risk is complicated, and often there are many steps between a threat and the preventative actions needed to keep it from materializing. Keep those connections in your appendix for later questions. Instead, focus your reports on the actions that need to be taken. Don’t contrast vulnerability scans with failures in change management controls on the same page. The risk is different, the response is different, and you’re inviting confusion.
A single message has another benefit: if you are only trying to change one behavior, you’ll have a much easier time tracking the effectiveness of your message and adjusting in the future.
Risks become consequences. A focus on threat vectors, incidents and trends is good for figuring out where controls are weak or strong, but sometimes bad for grounding the danger in something meaningful for a non-cyber savvy professional.
Focus on the consequences of the risks being reported. Phishing simulations may show an increase of management clicking on suspicious links, but other than potentially receiving a scolding, why should people care? Link phishing to a particularly painful data loss event, or laptops held ransom, and include recovery time as well. There may be no effective recovery from ransomware, and reparations for exposed personal information could cost millions and take years. The Anthem data breach from February 2015 is still in the courts.
Consider your audience. One kind of message will rarely work for everyone. Not only will managers, VPs and executives all have different perspectives on the world and the work that IT security is doing, but they all have different backgrounds and interests.
Take a look at your audience. Will executive management be making decisions about change control check gates? Generally not, so your one message to them shouldn’t be to get them to improve the sign-off process in application development. Maybe the better message is that investments in release management software haven’t been effective in reducing production failures.
Tailoring risk reporting to the people receiving it is the best way to increase the odds that your message is received. It’s cumbersome, but this is the heart of risk management: to reveal connections between sometimes esoteric events and business opportunities so that leaders can make the right calls at the right time.
Editor’s note: Adam Leigh will present on “Consequences That Matter – IT Risk” at North America CACS 2017, which will take place 1-3 May in Las Vegas, Nevada, USA.
Category: Risk Management Published: 2/28/2017 3:06 PM
My recent ISACA Journal article discusses what every chief information security officer (CISO) must know about Secure Shell (SSH) key management. This is a topic that keeps me awake at night and should be of major concern to the whole audit community.
In short, SSH is a tool for systems management, automation and file transfer, and it is used in every data center in every major enterprise. It introduced a new authentication mechanism based on cryptographic keys, called public key authentication. Unfortunately, in the default configuration, OpenSSH allows any user to provision new credentials for themselves and their friends, and these credentials never expire. If a user has added a key to a service account, that key keeps granting access even after the user’s own account is removed.
SSH keys can be used to violate segregation of duties—passwordless access using them from development into production systems is common. Attackers can also use them to spread laterally from server to server or data center to data center. This introduces an existential risk to enterprises, involving not only ransomware and exfiltration but also outright destruction and cyberwarfare.
We have found that many large enterprises have unprecedented numbers of these credentials configured—one customer found 3 million, and another had 4.5 million keys granting access to their environment—on tens of thousands of servers. The probability of being able to pivot from server to server using the keys is very high when combined with other attacks for privilege escalation (such as the recent memory management vulnerability in all Linux versions).
In my opinion, SSH access management has been the biggest risk in identity and access governance since we realized 20 years ago that many organizations had not terminated accounts for users that had left the organization. Today, most organizations do not have a process for terminating SSH key-based access, and some have accumulated 10 times as many SSH keys as they have users.
What keeps me awake at night is the thought of ransomware and other attacks spreading to practically all servers in a Fortune 500 company—including backup systems and disaster recovery data centers—using SSH keys. It can be done in a very stealthy fashion, and the outage could last months.
Read Tatu Ylonen’s recent Journal article:
“What Every CISO Must Know About SSH Keys,” ISACA Journal, volume 1, 2017.
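An inventory check for the sprawl described above, added here as an example and not code from the Journal article: it parses authorized_keys entries and flags keys accepted by more than one account (a server-to-server pivot path), keys on service accounts, and keys with no from=/command= restriction. The file contents, key blobs and service-account list are constructed sample data.

```python
"""Inventory OpenSSH authorized_keys entries across accounts and flag the risks the
post describes. Added example, not code from the article; the account-to-file mapping
and the key material below are constructed sample data, not real keys."""
import base64
import binascii
import hashlib
from dataclasses import dataclass, field

KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


@dataclass
class KeyEntry:
    account: str
    key_type: str
    fingerprint: str
    options: dict = field(default_factory=dict)
    comment: str = ""


def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints (base64, no padding)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def tokenize(line: str) -> list:
    """Split on whitespace but keep double-quoted spans (e.g. command="a b") intact."""
    tokens, buf, quoted = [], [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        if ch.isspace() and not quoted:
            if buf:
                tokens.append("".join(buf))
                buf = []
        else:
            buf.append(ch)
    if buf:
        tokens.append("".join(buf))
    return tokens


def split_options(opts: str) -> dict:
    """Parse the comma-separated option list; a quoted value may itself contain commas."""
    out, buf, quoted = {}, [], False
    for ch in opts + ",":
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            item = "".join(buf).strip()
            buf = []
            if item:
                name, _, value = item.partition("=")
                out[name.lower()] = value if value else True
        else:
            buf.append(ch)
    return out


def parse_entry(account: str, line: str):
    """Parse one authorized_keys line: [options] key-type base64-blob [comment]."""
    tokens = tokenize(line.strip())
    if not tokens or tokens[0].startswith("#"):
        return None
    idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
    if idx is None or idx + 1 >= len(tokens):
        return None
    try:
        fp = fingerprint(tokens[idx + 1])
    except (binascii.Error, ValueError):
        return None  # not a usable key blob; sshd would reject it as well
    options = split_options(",".join(tokens[:idx])) if idx else {}
    return KeyEntry(account, tokens[idx], fp, options, " ".join(tokens[idx + 2:]))


def audit(files: dict, service_accounts: set) -> dict:
    """files maps account name -> authorized_keys file contents for that account."""
    entries = [e for acct, text in files.items()
               for e in (parse_entry(acct, ln) for ln in text.splitlines()) if e]
    holders = {}
    for e in entries:
        holders.setdefault(e.fingerprint, set()).add(e.account)
    return {
        "entries": entries,
        # one private key accepted by several accounts pivots between all of them
        "shared_keys": {fp: sorted(a) for fp, a in holders.items() if len(a) > 1},
        # nothing pins the key to a source network or a fixed command
        "unrestricted": [e for e in entries
                         if "from" not in e.options and "command" not in e.options],
        # keys on service accounts outlive the person who added them
        "service_account_keys": [e for e in entries if e.account in service_accounts],
    }


def _blob(key_type: str, *fields: bytes) -> str:
    """Wire-format public key blob (constructed sample key material, not a real key)."""
    def s(b: bytes) -> bytes:
        return len(b).to_bytes(4, "big") + b
    return base64.b64encode(s(key_type.encode()) + b"".join(s(f) for f in fields)).decode()


ALICE = _blob("ssh-ed25519", b"\x11" * 32)
DEPLOY = _blob("ssh-ed25519", b"\x22" * 32)
LEGACY = _blob("ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\x33" * 128)

# Constructed sample: what an inventory job might collect from one host.
SAMPLE_FILES = {
    "alice": f"ssh-ed25519 {ALICE} alice@laptop\n",
    "appsvc": (
        "# service account\n"
        f'from="10.20.0.0/16",command="/opt/deploy/run.sh",no-pty ssh-ed25519 {DEPLOY} deploy-bot\n'
        # a personal key added to a service account
        f"ssh-ed25519 {ALICE} alice@laptop\n"
        # no restrictions, owner unknown
        f"ssh-rsa {LEGACY} old-workstation\n"
    ),
    "root": f"ssh-ed25519 {ALICE} alice@laptop\n",
}
SERVICE_ACCOUNTS = {"appsvc"}  # assumed list of service accounts on the host

if __name__ == "__main__":
    report = audit(SAMPLE_FILES, SERVICE_ACCOUNTS)
    for fp, accounts in report["shared_keys"].items():
        print(f"{fp} grants access to {', '.join(accounts)}")
    for e in report["unrestricted"]:
        print(f"{e.account}: {e.fingerprint} ({e.comment or 'no comment'}) has no from=/command= restriction")
```

Beyond inventory, pointing sshd's AuthorizedKeysFile at a root-owned location removes the default ability of every user to provision keys for themselves; the inventory output is what a termination process for key-based access would work from.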
What is needed to begin to bridge that gap is an increased focus combining education and experience with both federal and private sector job markets.
While this has been a difficult combination to obtain in the past, more and more countries are seeing the need for and instituting programs to fill the gap and stack their bench.
In the United Kingdom, the UK government’s CyberFirst Initiative will collaborate with private companies on not only providing the education but, more importantly, the experience needed for new cyber security professionals to succeed.
Further, those enrolled in this program receive “both financial assistance for those studying relevant science, technology, engineering, and mathematics (STEM) courses at undergraduate level and include work experience with government or UK private sector firms within the field of national security. There is a guarantee of employment upon graduation.”
Israel is another country that applies this concept. In Israel, those selected for Talpiot are considered the best of the best, not just in hand-to-hand combat, or military tactics, but also in cyber warfare. This generates a labor force with a variety of skills and capabilities.
Even beyond government efforts, corporations are tackling the problem collaboratively. This can be seen by Lockheed Martin’s endorsement of the UK initiative, or the joint venture between an Israeli and Japanese company that set up a training facility to provide hands-on experience to cyber security professionals to help address the cyber security workforce shortage in Japan.
In contrast, most US-led initiatives lack the experience and job components that would further incentivize individuals to obtain the skills required.
For instance, the National Institute of Standards and Technology’s National Initiative for Cybersecurity Careers and Studies provides a consolidation of course information, but unless you are currently working in the federal government or a veteran, most courses require fees to third parties, such as SANS.
A recent government report indicates that much more needs to be done to address the lack of skilled cyber security professionals. The US needs to build stronger relationships with industry knowledge centers such as ISACA and (ISC)², as well as private corporations, to ensure that individuals receive the training, experience and vocations needed to strengthen the cyber security workforce.
Category: Security Published: 2/27/2017 3:00 PM
Your website needs to be well-designed, functional, and aesthetically reflective of your brand. But don’t forget: it also needs to be safe. Website security is a vital part of development that makes your data less vulnerable to cybercriminals and increases the security of your customers’ financial transactions.
You’ll also prevent the possibility of a massive consumer data breach—like the one faced by Target a few years back, which cost the company $39 million and even more in lost consumer trust. And, you’ll build your reputation and trustworthiness simply by having tighter security standards on display.
Unfortunately, website security is a somewhat complicated issue. Top data security experts have decades of experience and work tirelessly to come up with ingenious new ways to protect against digital vulnerabilities. Today’s entrepreneur has access to tools like Website Setup that make it easy to launch and manage a website, but it’s difficult to match this level of dedication — especially when you don’t have the technical knowledge to back up your efforts.
Today’s website building tools and practically unlimited online resources make it easier to make your site safe — but you still must be familiar with your top priorities.
Website Safety Features
These are some of the most important website safety features to have integrated for your customers:
With these security factors in place, your company and your customers will both be better protected from digital threats. Your security doesn’t have to be top-of-the-line or ridiculously expensive to be effective; most cybercriminals spare effort by targeting only the most vulnerable companies, so even these simple features can help protect you.
Make the effort to step up your website’s security, and you’ll improve both customer acquisition and retention. What’s more, you will rest well knowing you have improved protection against possible attacks.
Category: Security Published: 2/24/2017 3:13 PM
Senior IT Auditor, Fortune 500 global manufacturing organization: “I joined a Big 4 firm advisory practice out of college, did two years, and then moved over to IT Internal Audit a year ago. Information security is my next goal. When I look at information security job postings, they all seem more technical than my current skill set, which is heavily ITGC focused. What should I do to build skills that will be marketable to information security?”
IT Audit Director, large financial services company: “Can you please help us find a technical Senior IT Auditor with 3-5 years of experience who has application auditing skills at the level where they can do code review? Some programming skills would be very helpful. We also need mainframe, cyber security, cloud, IoT, and data analytics experience – from an audit project perspective. We need actual experience with IT operational audits – not just ITGC / SOX experience.”
CISO, global eCommerce company: “I’ve met a number of auditors lately (from audits that have hit us) that can't understand why something is NOT a high risk. They are just following a checklist and it is really frustrating. Maybe that is something you call "mind-set"? These auditors just want to go through the motions, without really understanding either technology and/or the risk it really represents.”
These comments are real. More importantly, they are BIG signals that point to the critical career directions for IT audit professionals in 2017:
IT audit functions are quickly becoming more focused on technical audits. There is a huge drive for value-added that can be gained from operational IT audits and advisory projects performed by IT internal auditors. Concurrently, information security, IT risk, and data analytics continue to grow, presenting more job opportunities for IT auditors—if they are adequately technical, and develop the thought process needed to join info sec and IT risk teams.
The CISO quoted above provided additional insight into the perspective that career-mobile IT audit professionals need to cultivate: “The advent of cloud computing and the concept of DevOps is challenging the controls that traditional IT auditors have grown comfortable with. For example, cloud represents a way to do infrastructure in a quick and non-structural way (think creating an entire data center by coding/scripting it), while DevOps breaks the segregation of duty model, which makes auditors uncomfortable. But what the auditor does not see is that DevOps is a way that we have developed to ensure we still have ‘control’ in an agile development cycle.”
Beyond mindset and a change in perspective, the problem for hiring managers and practitioners is that the on-the-job experience that many IT auditors have received is in the ITGC space. In the end, both sides of the equation depend on professionals gaining more technical skills.
For the IT auditors, staff through light manager, the task to immediately jump on is a skills gap assessment. What hot skills do you need to acquire to become more marketable internally and externally? If you are in IT internal audit, the annual plan is your guide. For a broader perspective, review professional journals and job descriptions; both will provide clues.
Next, create your road map to your next role. Are you looking to deepen your skills for a step-up promotion within your team, or are you looking to take your skills to an information security or IT risk team? Plot the timeline for skill attainment, which will come from a combination of hands-on work, internal/external training, post-grad coursework, or certification.
Todd Miller, who has led IT audit functions at two global Fortune 500 companies, suggests a 70-20-10 model: 70% on-the-job training; 20% mentoring; 10% formal classroom work.
Let’s start with on-the-job-training through project work.
Determine a technical area that interests you and is feasible within the scope of projects done within your department. Let’s say you want to become more fluent with networks and network security. Explain your plan to your manager and lobby to participate on the upcoming network audit.
Do your homework for the project so you can ramp up quickly and are able to build good rapport with the network team. Once you’ve done a project, and your skills and knowledge deepen, you might see if you can do a stint as a guest resource on a project for the network security team.
Ed Dudek, an IT audit manager at a Fortune 100 company who gained expertise in SAP by moving out of audit into an SAP team before moving back to audit, stresses the need for mentoring. To this end, you’ll want to foster dialogue with the network team members you met on the technical audit you just completed. Get to know team members over lunch or coffee. Ask interesting questions and share what you have been reading and learning. Your goal is to demonstrate intelligence, intellectual curiosity and readiness to learn.
Through this interaction, you’ll be able to identify people on the team who are knowledgeable and might be good mentors. By the same token, various team members will get to know you, and may be receptive to being mentors. Mentoring relationships are developed step-by-step. It takes time.
The goal with mentoring is also to eventually build such trust and mutual respect that the mentor becomes a sponsor. A sponsor will talk up your skills and interest. Through mentors and sponsors, you have the chance to be tapped for an internal opening when it comes along.
At some point in the process, you will need to add coursework, training, or certification to the mix – the final 10% of the 70-20-10 plan. If your employer will pay for training, communicate your plan to your manager and get buy-in. If your company will not pay for the training you want, determine a cost-effective way to get it on your own. It is your career in the end, and investing in your skills is one of the smartest things you can do to create long-term career sustainability.
To cement the concept that a focused action plan for technical skill development really works, here’s the story shared by the head of IT audit and data analytics for a global airline. He explained that he had developed a passion for data analytics when he was a senior IT auditor at a company running SAP. He joined the local ACL users group, studied on his own, and got a data analytics certification. He was then recruited by another company that wanted to build out a new data analytics function within audit.
Once on board, he took post-grad courses in data analytics at a local university to gain additional skills in Structured Query Language (SQL) and Statistical Analysis System (SAS). The build-out of the data analytics program at his company was successful, and this was the stepping stone to a data analytics management role with a Big 4 firm. From there, he was recruited to lead the IT audit function by his current employer.
As a recruiter and career coach, I see similar career planning and skill attainment in the candidates who land the best jobs. Your career is your opportunity to direct a mission-critical project and bring it to fruition.
Technical skill development is the best thing you can do for your career this year and for the foreseeable future. No time like the present: Develop your 70-20-10 plan, and start executing!
Category: Audit-Assurance Published: 2/22/2017 3:05 PM
ISACA Now: You’re Southeast Region Geographic Information Systems Coordinator with the U.S. Fish & Wildlife Service; Partner at White Mile Consulting, LLC; and an adjunct professor at Tennessee Technological University – where do you find time for all of that?
JD: I have always been a strong proponent of time management. I work four 10-hour-days with the U.S. Fish & Wildlife Service in a role where I lead our Geographic Information Systems (GIS) program in the southeastern U.S. and the Caribbean. I also serve in an IT role with a focus on IT security and help desk issues. My GIS classes at Tennessee Technological University are taught in the evenings a few days a week after I get off from my primary job. I took the fifth day of the week to start a consulting firm to provide IT auditing, policy creation and penetration testing for commercial banks and credit unions, after working to support them on the side for years. When I am not at work, I spend all of that time with my family traveling or in family activities. I’ve never been one to sit idle and spend any time watching TV. I like to always be doing something and challenging myself. I guess I took that story that I could “grow up and be what I wanted to be” to be true.
ISACA Now: It’s an interesting combination of roles. How does all of that fit together with your skill set and interests?
JD: Geography and computers have fascinated me my entire life. I have always been able to stare at maps and envision layouts of cities and countries and picture them in my mind. From the moment I first opened my Commodore Vic 20 in 1982, I knew that I wanted to have a job where computers were my focus. I guess I was just lucky and in the right place at the right time to make that happen. I get to use some of the most powerful computers available to model our ever-changing planet and assist those working on solutions for the complex environmental and geographic challenges our society faces today. I mix in a strong IT background and travel to remote offices to configure and install servers, firewalls, web cams, and be a general jack-of-all trades.
ISACA Now: You have a lot of experience supporting small and medium businesses’ IT needs. What are some unique challenges – and opportunities – for smaller organizations from a technology standpoint?
JD: I started an IT firm on the side with a partner in 1993. That business grew to the point where it took my wife to help run it and another business partner along the way. We always focused on small-to-medium businesses and served their every need related to IT. … To a small business, all IT issues are vital. That means they care as much about their website most days as their paper shredder or point-of-sale. They need things that work and don't want to hear a bunch of mumbo-jumbo terms from someone acting like they are small fries in a big world. We all have skill sets that we would like to focus on, such as scripting or ethical hacking, but you have to be as excited troubleshooting a faulty motherboard as you are with a social engineering project or a new server virtualization project. The business owner does not understand the IT universe, and that is why they have you there to help. Treating them like they are a part of your own team goes a long way in developing a long-term partnership that creates long-term clients who trust you and need your constant input and services.
ISACA Now: You have several certifications, including ISACA’s CISA, CISM and CSXP certifications. What have each of those certifications added to your professional development?
JD: The first ISACA certification I earned was the CISA certification as I entered the IT auditing field. After completing dozens of audits, I decided to pursue CISM to deepen my IT management credibility based on experience in the field. I work on penetration testing, vulnerability assessments, social engineering and both physical and network security for clients, so the CSXP certification was the next logical step for me. The certification exam for CSXP was challenging and really was a good test of ability for the standards it sets to examine. My next endeavor is CRISC, and I am taking that exam in June 2017. I develop IT risk assessments, business impact assessments, disaster recovery plans and business continuity plans for clients, and the CRISC certification will complete the ISACA certifications that I think will position me to be a leader in my field and challenge me to attain the knowledge I need to do my job better and more effectively.
ISACA Now: What are a few skills that you consider especially critical to keep pace in the fast-moving worlds of IT audit and information security?
JD: Cyber security assessments and security awareness training and simulations for staff are critical. People are still the weakest link in IT security. A great IT staff can secure your network, but hackers are becoming more sophisticated with phishing attempts, and social engineering tests show just how easy it is to get yourself someplace you do not need to be. The proliferation of mobile devices and the disappearance of the desktop, and even many laptops, are making physical security of devices a real priority. With the decreasing physical size of storage media and the powerful devices that fit in your hand, it is too easy to lose devices and not be able to account for data. It is easy to count desktops and servers. Imagine trying to count USB drives, track smartphones that are upgraded on an annual basis and find the 256 GB micro SD card that is somewhere near your desk. Throw in the rapid migration to cloud services as software vendors move to software as a service, and the game just got real.
ISACA Now: What are your major interests outside work?
JD: My personal interests reflect the complex work arrangement I have. I love to restore old cars and have nine Mustangs, a Camaro, an old Ford pickup and a Trans Am. I tinker with them and three motorcycles every chance I get. It is fun to hop in a car with my wife and kids in the others and take a caravan trip. Restoring old cars is not a material thing. It’s the challenge of bringing a classic vehicle back from the dead and the accomplishment you get from doing it. Folks who restore anything will understand that statement. I’ve had my pilot’s license since 1993 and have a plane at an airport near the house that we escape to destinations unknown at times. That allows me to make trips quickly and lets one explore different places without getting tired of the same vacation destination. I love to collect and tinker with old clocks, as well, and collect Coca-Cola machines and memorabilia. My current project is setting up indoor and outdoor wireless access around my church, which is spread across a large area and three large buildings.
Category: ISACA Published: 2/20/2017 3:07 PM
A study in 2016 found that 80% of the more than 500 chief information security officers (CISOs) surveyed consider privileged access management (PAM) a significant topic, and a number of them have already implemented specific PAM solutions. In general, these solutions try to attain the following goal(s):
Over the course of a variety of implementation projects, we found that implementing PAM is not only a question of technical functionality; a successful PAM solution, in fact, requires a comprehensive framework comprising the following building blocks:
Why is this comprehensive framework necessary? New privileged accounts and privileged access channels are constantly created in today’s fast-changing IT organizations. These channels are the most desirable target for attackers and any diligent IT organization must strive to protect them. An important enabler in this effort is technology, which allows these channels to be detected. Another important enabler is appropriate processes to manage and protect channels. Governance, in turn, focuses and sustains this technological and organizational effort. Only if governance succeeds in creating a strong security culture can PAM truly succeed. Thus, PAM must not be regarded as a tool, but as an integral part of an ongoing organizational effort to increase the security of the organization.
In our recent Journal article, we introduced our framework to enable organizations to evaluate PAM implementations with regard to their completeness and, thus, viability and efficiency.
What are your thoughts about the building blocks, and dos and don’ts of PAM implementations? Questions, recommendations, hints and amendments to our framework are highly welcomed.
Read Richard Hoesl, Martin Metz, Joachim Dold and Stefan Hartung’s recent Journal article:
“Capability Framework for Privileged Access Management,” ISACA Journal, volume 1, 2017.