A company I worked for was hit with the CryptoLocker ransomware last year. In the aftermath, we found that some security measures were in place and others were not. We all hear that we need “best practices” in place every day to mitigate risks for events such as these. Are we reviewing our best practices regularly to ensure they are in place and working as intended?
Applying current patches is the key deterrent to events such as the recent WannaCry attacks. If patches are not applied in a timely fashion, the risk from any vulnerability in the company is elevated.
Let’s cover some ransomware Do’s and Don’ts:
DO have a “good” backup you can rely upon. How do you know that it is good? You have tested the backups and can be confident the recovery is 100 percent. Relying on the backup itself is not considered a best practice. We were able to recover the encrypted files on a share drive to which the employee’s infected machine had access, and did not pay a ransom.
DO limit who has administrative rights on local machines. No one had administrative rights to their machine in the company I worked at. It is a special request and reserved mostly for developers. We also used a tool that provides administrative rights when necessary, where the function was elevated at the time of need and was not tied continuously to the person or machine. This is an IT industry best practice that is not generally followed in companies, and it could reduce risk by 80% or more.
DO provide continuous cyber security awareness training, with training information posted on the company’s intranet site. Have employees take quizzes on the training to ensure understanding, and provide them as much explanation as possible. After all, this is not a secret – we are all subject to infections, vulnerabilities and risks in using both corporate and personal computers every day.
DO use filtering tools for both Internet and email use. The filters will provide some level of mitigation.
DO patch all machines and devices regularly. Review the recommended updates, and then apply them to the appropriate devices at the earliest opportunity. We often hear of infections where the patches had been available for years yet were never applied. Hold a monthly review board that studies the available patches and which ones remain unapplied, and require a signed justification from the department or system owner if a patch is not applied in a timely fashion.
Now a few DON’Ts:
DON’T allow personnel to access personal email accounts from work machines. A former company had a setting turned on that enabled this, but virtually everyone has a smartphone now and can get to their personal email and information that way.
DON’T rely on the IT experts by default. Ask them the questions necessary to ensure they are doing their due diligence. That firewall setting allowing access to personal email accounts at my former company was in place for years; they would have been able to have that audited. Different teams in IT should all be discussing their configurations together and determining the best practices necessary, and then advising the CIO or director what needs to be put in place. I had to instruct the network people to turn off the setting NOW. I had no opportunity to review why it was on, whether it was necessary, etc. Just turn it off.
DON’T allow non-standard machines to connect to the network, unless IT can review them and determine their use, and are able to sandbox them, VLAN them, etc. You can’t manage what you don’t know about.
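The monthly patch review board described in the DO list above, worked as an added example (not code from the original post). The hosts, patch ids, dates and the per-severity deadlines are constructed and hypothetical; the point is that each outstanding patch past its deadline either carries a signed owner justification or is flagged for one.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional


# Constructed inventory records. Host names, patch ids and dates are made up for
# illustration; in practice they come from the patch management system's export.
@dataclass(frozen=True)
class PatchRecord:
    host: str
    patch_id: str
    severity: str                        # "critical", "important" or "moderate"
    released: date                       # date the vendor published the fix
    applied: Optional[date] = None       # None while the patch is still outstanding
    justification: Optional[str] = None  # signed sign-off from the system owner, if any


# Assumed deployment deadlines, in days after vendor release, per severity.
SLA_DAYS: Dict[str, int] = {"critical": 14, "important": 30, "moderate": 90}

# Sort order so the board sees the worst items first.
STATUS_ORDER: Dict[str, int] = {
    "overdue_unjustified": 0,  # past SLA, no signed justification: needs an owner's signature
    "overdue_justified": 1,    # past SLA, risk formally accepted by the owner
    "within_sla": 2,           # not yet applied, deadline not reached
    "applied": 3,
}


@dataclass(frozen=True)
class Finding:
    host: str
    patch_id: str
    status: str    # one of the STATUS_ORDER keys
    age_days: int  # days from release to application, or to the review date if outstanding


def review_patch(rec: PatchRecord, as_of: date) -> Finding:
    """Classify one host/patch pair against the SLA for its severity."""
    age = ((rec.applied or as_of) - rec.released).days
    if rec.applied is not None:
        status = "applied"
    elif age <= SLA_DAYS[rec.severity]:
        status = "within_sla"
    elif rec.justification:
        status = "overdue_justified"
    else:
        status = "overdue_unjustified"
    return Finding(rec.host, rec.patch_id, status, age)


def review_board_report(records: Iterable[PatchRecord], as_of: date) -> List[Finding]:
    """Review every record and order the findings worst-first, then oldest-first."""
    findings = [review_patch(r, as_of) for r in records]
    findings.sort(key=lambda f: (STATUS_ORDER[f.status], -f.age_days))
    return findings


def summarize(findings: Iterable[Finding]) -> Dict[str, int]:
    """Count findings per status for the board's summary line."""
    counts = {status: 0 for status in STATUS_ORDER}
    for f in findings:
        counts[f.status] += 1
    return counts


def format_report(findings: List[Finding]) -> str:
    lines = [f"{f.status:<20} {f.host:<13} {f.patch_id:<16} {f.age_days:>4} days" for f in findings]
    return "\n".join(lines)


# Constructed sample: one critical patch across three hosts plus a recent moderate one.
REVIEW_DATE = date(2017, 5, 26)
SAMPLE_INVENTORY = [
    PatchRecord("WS-ACCT-07", "PATCH-2017-003", "critical", date(2017, 3, 14), applied=date(2017, 3, 20)),
    PatchRecord("FILESRV01", "PATCH-2017-003", "critical", date(2017, 3, 14)),
    PatchRecord("LEGACY-APP01", "PATCH-2017-003", "critical", date(2017, 3, 14),
                justification="Signed J. Owner 2017-04-03: vendor has not certified the patch"),
    PatchRecord("WS-DEV-02", "PATCH-2017-009", "moderate", date(2017, 5, 10)),
]

if __name__ == "__main__":
    report = review_board_report(SAMPLE_INVENTORY, REVIEW_DATE)
    print(format_report(report))
    print(summarize(report))
```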
There are many measures that can be taken to mitigate risks. The best approach is to evaluate your environment, infrastructure, systems, and people minimally once a year – and sooner as circumstances dictate – to determine how to strengthen the tools and techniques used to minimize damage when an event occurs.
Yes, an attack at some level will happen to everyone, so being prepared, as a good Girl Scout would say, is the best line of defense.
Category: Security. Published: 5/26/2017 3:10 PM
Editor’s note: ISACA Belgium Chapter President Marc Vael, CISA, CISM, CGEIT, CRISC, recently took a creative approach to spread awareness about General Data Protection Regulation (GDPR), spearheading a game about the coming regulations that will affect enterprises worldwide. Competitors can win the game by answering GDPR questions correctly and with a little luck with the dice. ISACA Now recently visited with Vael about the game, which will be available on a limited basis at the ISACA chapter leadership event, this weekend in Munich, Germany, prior to EuroCACS. The following is an edited transcript.
ISACA Now: How did this GDPR game come about, and who was primarily involved with its development?
Basically, at my IT company, Smals, we were looking to bring the content of the EU GDPR to this group of IT developers, IT analysts, IT project managers and even management differently, avoiding PowerPoint or brochures or self-assessment questionnaires.
Initially, my colleague Nathalie Dewancker and myself started building “the journey to become EU GDPR compliant,” but that journey was too simple, and we started adding gaming effects, and before we knew it ourselves, we had a full-blown EU GDPR game. We loved the reactions so much that we didn’t want to keep it within our company or for ourselves, and thus we decided to ask ISACA Belgium for support, which the board of ISACA Belgium did by funding the professional look and feel of the EU GDPR game.
ISACA Now: ‘Game’ is probably not the first word that comes to mind when people think about GDPR. Why did you think this format would be a good fit?
True. Most of the messaging happens via PowerPoints, brochures and information on websites. Here and there we discover some apps with the searchable EU GDPR text in different languages or some EU GDPR self-assessment questionnaires. We found out that up to today, we are the only ones with a proper EU GDPR game box. Gamification is a well-known concept, but it is not used enough, in our humble opinion. Moreover, we notice huge discussions between the players, and that is just what we want to achieve: not just “acquiring” knowledge, but critically looking at this knowledge.
ISACA Now: Did it really only take a few weeks to put the game together? How were you able to execute the idea so swiftly?
Yes, we built from initial journey to full game in three weeks, with some tryouts. Then, molding it into a professional-looking game box took another three weeks, thanks to the help of our external PR agency that we use here in Belgium. So, six weeks in all. And we were just in time to bring our game boxes to the main Belgian INFOSECURITY exhibition in Brussels, where over 3,000 attendees came at the end of March this year. Thus, it was plain teamwork.
ISACA Now: What has been the preliminary response to the game’s release?
Initially, skepticism that participants would learn about “such a complex matter as EU GDPR” via a game. But then, when playing, a lot of discussions happen between the participants and between participants and observers (since there can only be a maximum of four participants, more people can join as observers of the game). It is great fun to see how some people really want to win.
We only made 300 EU GDPR game boxes and almost all are sold now. We initially wanted to give them away for free as marketing, but since we only had 300 game boxes, we did not want to have people take them and throw them away, so we ask only 5 Euro per game box as a token of appreciation and eagerness to have the box.
When we launched the game box at INFOSECURITY BELGIUM, our stand was very popular and people bought all 100 game boxes we brought over there in two days. We were surprised.
ISACA Now: What was the most remarkable reaction you got on the game?
Actually, some players asked why we did not include more information about the EU GDPR in the game box (like a manual on EU GDPR or some form of brochure or leaflet). We did not do that on purpose, and we responded by saying to them “If you play Monopoly, do you first have to follow a real estate course? No. If you play Stratego or Risk, do you first have to follow a military course? No.” So, if you play the EU GDPR game, we believe you do not have to follow some privacy course before playing either, since the objective is to learn about EU GDPR during the game. People truly liked our reaction very much.
ISACA Now: What are some of the biggest implications GDPR could have on organizations that are affected by it?
The need to review and update the inventory of processes and suppliers, execute the privacy risk assessments on the core processes and suppliers, execute privacy awareness amongst employees and external personnel, and test the incident escalation process (to check if they can make it within 72 hours).
ISACA Now: What are a few misconceptions that technology professionals have about GDPR?
Very good question; here are some of the misconceptions I hear frequently from IT experts:
ISACA Now: What is the best way for someone to purchase a copy of the game?
When living in Belgium (since the game is in Dutch/French combined), people can come and collect game boxes in our office (if they warn us upfront). When living outside of Belgium, we try to arrange for the cheapest way to get a game box shipped (I can be reached by email at firstname.lastname@example.org). We will also bring some game boxes to the ISACA European chapter leadership meeting this weekend since some ISACA chapter leaders have asked to bring a box over there.
One thing is certain: The need for cyber security professionals isn’t going away any time in the near future. As our digital footprint and the Internet of Things (IoT) continue to expand, we become increasingly vulnerable to having our private information poached with a single click, swipe or utterance. As a result, this is a field where 95 percent of people are certified, and within that group, 87 percent are specifically certified in security or privacy.
As major data breaches have demonstrated time and time again, cyber security and compliance is the responsibility of all employees—not just those who formally specialize in cyber security efforts. Of course, if you’re reading this blog, you’re probably already well aware of the importance of everyday cyber security measures and know it’s not a matter of “if” so much as “when” your organization or company will experience a breach.
We can’t move fast enough
There’s one statistic circulating that lends itself to a real sense of urgency in the field.
According to the consulting firm Frost & Sullivan, there is expected to be a 1.8 million-person worldwide workforce shortage in cyber security by 2022. Let that sink in for a minute. Nearly 2 million people are needed to cultivate cyber security know-how to protect their organizations from breaches in the next five years. That’s a huge vacancy in skills and, more importantly, leadership.
And who is helping create cyber security and business technology leaders of today and tomorrow? Meet ISACA. As an organization driven to promote cyber security awareness and skills, ISACA provides a deeper validation of skills for those working in governance, IT audit and assurance, risk, as well as information and cyber security.
ISACA enables professionals to take a leadership role by increasing their depth of knowledge. Greater skills validation translates to being better able to leverage that background into leadership positions.
As a result of those advanced, validated skills, ISACA-certified professionals typically have average salaries 44 percent higher than those of their non-certified peers worldwide, according to the Global Knowledge 2017 IT Skills and Salary Report. In fact, ISACA certifications (CRISC and CISM) earned the top two spots in top-paying certifications this year, and overall, six of the top 20 highest-paying certifications are in the field of cyber security.
“It’s clear from the growth in certifications from organizations like ISACA that companies and employees put increasing value on investment in skills and abilities. We see that investment across the board as the IT industry realizes that the return on investment for people exceeds the ROI for technology,” said Dave Buster, Global Senior Portfolio Director for Cybersecurity at Global Knowledge.
Never content and always learning
What’s more, the report revealed ISACA-certified professionals weren’t content to rest on their laurels once certified. Globally, 89 percent of industry professionals holding ISACA credentials trained in the last year, and on top of that, 75 percent of respondents said they did so in order to cultivate new skills. Compared to their peers that are not ISACA-certified, professionals holding at least one ISACA certification were more likely to attend a webinar or conference and download white papers or articles to stay informed with industry trends and best practices.
Given their more senior-level roles within their organizations, generally, ISACA-certified professionals are more apt than their counterparts to report training in areas of business process improvement and leadership.
Driven to succeed
The takeaway: ISACA-certified professionals are driven to succeed and consistently re-evaluate the definition of success through continued engagement and learning. While ISACA can’t single-handedly solve the worldwide personnel shortage for those working in cyber security and related fields, according to the IT Skills and Salary Report, those who turn to ISACA for skills development and certification are committed to the cause and tend to be rewarded with higher salaries.
Ransomware attacks are not new. In fact, ISACA has been sounding the alarm on the increasing spate of ransomware for quite a while. Unfortunately, it takes a massive-scale cyber attack like the recent WannaCry incident for such cyber crimes to gain national and international notoriety. In fact, another recent ransomware attack that caught the public’s attention in the U.S. came when San Francisco’s transportation department was hit last November, impacting the city’s light rail transit system.
There is a reason why ransomware attacks are becoming popular: For the bad guys, it simplifies the crime and the process of monetization.
Think about it. Previously, even a simple computer crime involved two steps to get to monetization. First, the criminals had to break in and steal personal information like credit card details, and then, secondly, sell it on the dark web, often to organized crime groups, in order to get paid. The buyers in turn used the credit card or other information to commit fraudulent transactions.
With ransomware, crime has become an easy, one-step monetization process. Attackers break into a computer system, install ransomware and get the payment directly from the person or organization impacted. It’s a one-to-one interaction, and payment is easily received. While accepting ransomware payment in bitcoins may seem a bit more challenging than accepting a credit card payment, anonymity is crucial to cybercriminals, making it well worth the modest additional effort.
But even with increased awareness on cyber attacks and the heightened need for cyber security, the question remains: why are organizations still so vulnerable? And what can they do about it?
• Whitelisting: Sometimes a ransomware attack can start off with a phishing episode where someone within an organization downloads and runs a malicious executable. Once that happens, the company’s end-point security products (typically an antivirus software solution) are often not enough to detect the attack. That’s why organizations like ISACA, US-CERT and the National Association of Corporate Directors (NACD) also recommend implementing whitelisting or application control – a process by which an organization runs only “known good applications.”
In the past, whitelisting has been hard to manage and maintain. For example, when a company implements the whitelisting approach, every person and device in the company will run only known good code. But the problems arose in keeping the lists up to date, such as when an executive had to run an application like WebEx or GotoMeeting. When the application ran and automatically installed a new version of the solution, the executive would be prevented from launching it, until it was entered into the whitelist. The lack of productivity with old versions of whitelisting solutions spelled doom for that approach.
However, in the last year or so, the next generation of whitelisting solutions has hit the market, and they are far superior to the old ones. Newer solutions can trust entire families of software and pull the latest whitelists, making the process of managing “known good software” more intuitive and convenient for IT departments. So, it’s critical for organizations that earlier discarded the whitelisting approach to revisit that decision, especially in the face of increasing ransomware attacks.
• Patching: Keeping systems patched and up to date is important, but it is not a panacea since spear phishing attacks can still trick victims into installing ransomware.
• Backups: Maintaining a good backup helps organizations navigate the waters of a ransomware attack far more deftly. For example, when San Francisco’s transportation system was hit last fall, the city refused to pay hackers the $70,000 ransom that was being demanded. Instead, it took a few days to painstakingly restore backups, and during that time the city let residents ride the transit system for free.
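The whitelisting contrast drawn above, as an added example (not code from the original post): a first-generation hash allowlist breaks the moment the meeting client auto-updates, while a publisher-based rule keeps the updated build running yet still denies an unsigned phishing payload, a file that merely claims the trusted publisher, and a build below the version floor. The publisher "Example Meeting Co.", the product "MeetingApp" and the signature_ok flag are constructed stand-ins; a real control gets publisher and signature state from verifying the code-signing chain.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


# Constructed stand-in for a file on disk plus what the OS would report about its
# code signature. In a real deployment the publisher and signature state come from
# verifying the signing certificate chain, never from the file's own claims.
@dataclass(frozen=True)
class Executable:
    label: str               # short name used in the report
    publisher: str           # subject name on the signing certificate ("" if unsigned)
    product: str
    version: Tuple[int, ...]
    content: bytes           # constructed file bytes; only hashed here
    signature_ok: bool       # simulated result of signature verification

    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


class HashAllowlist:
    """First-generation control: every individual binary hash must be enrolled."""

    def __init__(self, hashes: Iterable[str]):
        self.hashes = set(hashes)

    def allows(self, exe: Executable) -> bool:
        return exe.sha256() in self.hashes   # anything not enrolled is denied


@dataclass(frozen=True)
class PublisherRule:
    publisher: str
    product: str = "*"                    # "*" trusts every product this publisher signs
    min_version: Tuple[int, ...] = (0,)   # floor so known-bad old builds can be cut off

    def matches(self, exe: Executable) -> bool:
        return (exe.publisher == self.publisher
                and self.product in ("*", exe.product)
                and exe.version >= self.min_version)


class PublisherAllowlist:
    """Newer control: trust a signed software family rather than one build."""

    def __init__(self, rules: Iterable[PublisherRule]):
        self.rules = list(rules)

    def allows(self, exe: Executable) -> bool:
        if not exe.signature_ok:   # an unsigned or tampered file can never match a publisher rule
            return False
        return any(rule.matches(exe) for rule in self.rules)


def evaluate(policy, executables: Iterable[Executable]) -> Dict[str, bool]:
    """Allow/deny decision the policy would make for each file."""
    return {exe.label: policy.allows(exe) for exe in executables}


# Constructed scenario from the article: a meeting client that auto-updates itself.
PUBLISHER = "Example Meeting Co."   # hypothetical signer, standing in for a real vendor
MEETING_V1 = Executable("MeetingApp 3.1.0", PUBLISHER, "MeetingApp", (3, 1, 0), b"build-3.1.0", True)
MEETING_V2 = Executable("MeetingApp 3.2.0", PUBLISHER, "MeetingApp", (3, 2, 0), b"build-3.2.0", True)
MEETING_OLD = Executable("MeetingApp 2.9.0", PUBLISHER, "MeetingApp", (2, 9, 0), b"build-2.9.0", True)
# Phishing payload: unsigned, so no publisher rule can match it.
DROPPER = Executable("invoice.pdf.exe", "", "", (0,), b"unsigned-payload", False)
# A file whose header claims the trusted publisher but whose signature does not verify.
TAMPERED = Executable("tampered meeting.exe", PUBLISHER, "MeetingApp", (3, 2, 0), b"modified", False)

SAMPLES: List[Executable] = [MEETING_V1, MEETING_V2, MEETING_OLD, DROPPER, TAMPERED]

# The old list only ever enrolled the build IT approved; the new policy trusts the
# signed family from 3.0.0 upward.
OLD_POLICY = HashAllowlist([MEETING_V1.sha256()])
NEW_POLICY = PublisherAllowlist([PublisherRule(PUBLISHER, "MeetingApp", (3, 0, 0))])


def compare_policies() -> Dict[str, Dict[str, bool]]:
    return {"hash": evaluate(OLD_POLICY, SAMPLES), "publisher": evaluate(NEW_POLICY, SAMPLES)}


if __name__ == "__main__":
    for name, decisions in compare_policies().items():
        for label, allowed in decisions.items():
            print(f"{name:<9} {label:<22} {'ALLOW' if allowed else 'DENY'}")
```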
Interestingly, we are also seeing the emergence of quirky trends among ransomware criminals. These hackers are increasingly adopting best practices to close ransom transactions quickly, as the ransom demands are often not too high compared to the time and effort it would take to restore the backup.
So, to motivate the victim to pay the ransom, ransomware attackers are:
But despite these best practice claims by cybercriminals, organizations that have become victim to ransomware attacks need to make sure a thorough cleanup process is executed as part of the incident response – perhaps even scrubbing and restoring the entire system and network – to make sure the attackers are no longer there.
Category: Security. Published: 5/19/2017 3:09 PM
During the risk analysis process, information is made available through internal reports, external reports, surveys and face-to-face meetings during risk workshops. The amount of information to be analyzed depends on the risk maturity of an organization, as some risk managers continuously collect information that they deem relevant to improving the risk process. The question is, to what extent is the information used objectively? How much reliance is placed on what we remember or what we deem as being important?
Behavioral psychologists believe the amount of information we remember has an impact on how we analyze and rate risks. Prior to analyzing risks, we identify events or threats that can exploit vulnerabilities identified in organizations’ processes and systems. It is during the “What can go wrong?” stage that we need to be careful. In his book “Thinking, Fast and Slow,” Daniel Kahneman notes three factors that can manipulate our minds:
A salient event. Get a team of executives and ask them what is an important asset to their organization. I bet you will get different responses. The level of importance on organizational assets differs, and this bears the most influence on the agenda each executive is pushing. As part of environmental reviews, I have come across some organizations (especially small enterprises) that do not carry out fire drills or train employees on any natural disasters. When reviewing risk registers of such organizations, it is normally not surprising to note that there are no risks pertaining to employees in those organizations.
How were employees’ lives not regarded as critical? At the time of the assessment, memory on what is important shifted to assets management. Risk managers should be mindful that what is deemed important influences which assets are identified as vulnerable, subsequently shaping the risk profile of the organization.
A dramatic event. The majority of risk managers come to the table with a list of serious events for a period, audit reports and market intelligence information. Some events tend to come to mind more quickly than others, especially political events over which the organization does not have control. Deciding which event might translate to one asset being more vulnerable than another can be influenced heavily by recent media or internal incident reports if these reports are not scrutinized carefully.
Personal experiences. We can never divorce our personal experiences from the analysis process. It is indeed every risk manager’s dream that some of the employees can divorce themselves from such during risk workshops, but risk managers also are guilty of bringing along databases of risks they have been compiling for years from different organizations, particularly so for consulting risk managers, who tend to influence their organizations to focus on the risks they identified in similar organizations. However, strategies, policies, processes, organizational structure and culture all change the risk landscape of every organization.
Kahneman further contends that effort is required to reconsider impressions and intuitions by asking questions. Simply because a risk has been identified in an audit report does not mean the risk manager needs to include it in his risk register. Simply because a charismatic executive says everything in his department is on fire does not mean every asset in that department is critical. Risk managers need to develop questions that they can ask to eliminate natural bias. Every report’s merits should be verified.
Without nullifying the importance of the systematic approach risk managers take to identify and analyze risks, it is equally important that risk managers take the cognitive human element into account to develop objective lists of risks and ratings.
Category: Risk Management. Published: 5/18/2017 3:04 PM
Some Internet of Things (IoT) security issues and incidents can be attributed to poor knowledge, failure of the security manager to properly educate stakeholders or lack of stakeholder interest in investing in security measures. Some of this hesitance to invest in security comes from the desire to defer upfront or preventive security costs to operational or reactive costs. The cost deferment can be due to the lack of a proper risk model and failing to account for risk costs. In some situations, time pressures may also aid in deferring upfront security measures.
About 5 years ago, I started managing automobile sensors’ data integration architecture, and the term “IoT” was not even used at that time. Centralized device and security policy management was done through software built in-house, as commercial device management hubs were not available. Security policy management was not comprehensive. It was difficult and not cost-effective for every vendor to develop and maintain proprietary hub management software, so we needed to depend on a few industry leaders for such capabilities.
In my recent experience, I have come to realize that the IoT scope is not limited to sensors, but should also include everything connected to the network in an organization; for example, the IoT scope should include printers. This requirement arose from the fact that executives need to print extremely sensitive or extremely confidential documents. A few of my clients have now implemented smart card and PIN-based authentication for such printers, which are also integrated with Active Directory. Printer security policies are managed through a proprietary printer management hub. A common printer management hub is still some way off.
Information departments in secure industries or in organizations lacking mature information management capabilities struggle with information silos. IoT environments in such organizations will also have similar devices or sensor silos, and implementing a common management hub to manage IoT security will pose a challenge. Thus, IoT security is not only technical in scope, but will also require a better understanding about departments, IoT hubs and data boundaries.
Read Hemant Patel’s recent Journal article:
“IoT Needs Better Security,” ISACA Journal, volume 3, 2017.
As I watched the news, I was struck by the inaccuracy of much of the initial coverage of the massive wave of ransomware attacks that surfaced on 12 May. Even my partner thought that the National Health Service (NHS) computers, as well as other targets around the world, were being intentionally targeted by a coordinated global cyberattack.
The truth was far worse. This was no more than an infection designed to take advantage of environments that failed to have even the most basic of cyber security protection in place.
This malware, known by various names including WannaCry and Wanna Decrypt0r, is understood to have originated from a leak of the US NSA cyber tools. However, the leak and the malware tools were widely known about. There were plenty of fixes available to prevent the malware from working.
To prevent this particular malware from operating, all organizations had to do was be running on a supported operating system that had applied the latest software updates. (The patch to prevent this malware from working had been released by Microsoft to their supported operating systems back in March).
Even if your computers were not patched, or were running an unsupported operating system, if your organization had selected a more effective anti-malware solution, that also would have been enough to prevent the malware from working.
Where the malware entered an unprotected computer on a network, it had the ability to then seek out other undefended computers on the same network. Almost like a red team identifying vulnerabilities, the malware highlighted organizations and computers that were running with unsupported operating systems, unpatched operating systems, wide-open network topologies and less effective, or completely absent, anti-malware protection. One by one, the worst configured and maintained environments that received the malware started to experience substantial disruption.
The consequences of this event are devastating. The interruption has affected services that included the provision of healthcare services, and some healthcare staff have already alleged that this event is likely to have led to several unnecessary deaths due to many clinical services becoming temporarily unavailable. In fact, the ISACA publication on healthcare IT governance I had just finished drafting had included some statistics about how faulty technology in healthcare environments leads to hundreds of deaths and thousands of serious injuries each year, based just on the UK figures from the UK regulator MHRA (Medicines and Healthcare products Regulatory Authority – the UK equivalent of the US Food and Drug Administration).
So, will this event finally help cyber security practitioners that have failed to get buy-in from their management to make the changes they need? I hope so.
This event should be a wake-up call. The Internet is a dangerous place IF your computers and networks are not taking at least basic precautions.
For those executives who thought that because this type of event never used to happen, it never will, it is time for a rapid rethink while you still have an organization to protect.
Editor’s note: Raef Meeuwisse, CISM, CISA, is author of several cyber security publications, including “How to Keep Your Stuff Safe Online,” available at iTunes: https://itunes.apple.com/gb/book/how-to-keep-your-stuff-safe-online/id1212130763?mt=11&ign-mpt=uo%3D4
Category: Security. Published: 5/15/2017 6:57 AM
I had just typed the last word of a new ISACA publication on governance of enterprise information technology for healthcare environments when today’s news on the National Health Service (NHS) ransomware attack broke.
As we now know (as of the time of this writing):
• At least 16 UK National Health Service (NHS) trusts are affected, as well as unspecified other UK government departments and agencies.
• The malware used has been identified as “Wanna Decryptor,” which is preventable by some forms of anti-malware.
• The action of the malware is to encrypt desktop-based files and position a ransomware message on the desktop and as a readme file.
The interruption of basic services such as email and network-dependent telephony (VOIP) can be devastating in healthcare environments. Targeted healthcare providers are particularly vulnerable to ransomware attacks. This is especially concerning, because according to ISACA’s global State of Cyber Security 2017 study, just half (53 percent) of organizations have a process in place to deal with ransomware attacks.
Most cyber attacks rely on basic deficits, such as not locking out administrative access, running unpatched operating systems or running ineffective anti-malware products.
My takeaway is this:
As I finish this post, the news is still breaking, and the impact of this cyberattack appears to be targeting a much larger number of international organizations.
If you are not getting the traction you need for investment in basic cyber security measures, please use this as a valuable moment in time to give your management a wake-up call.
Category: Security. Published: 5/12/2017 3:47 PM
There are a lot of exciting things happening in the IT field, which means there’s a tremendous amount of growth occurring in a lot of businesses. With that growth comes the need to hire cost-effective talent. This begs the question: How can we get more young people excited about launching careers in IT?
When you ask children what they want to be when they grow up, you’ll hear an array of answers. From firefighter and police officer to professional athlete or doctor, there are a handful of occupations that always seem to draw interest from children.
Kids typically don’t grow up pretending they’re IT pros or dream about fixing computers, coordinating corporate security strategies or deploying advanced new software programs, but maybe that’s our fault as adults. The IT career field is an exciting one, and we’re doing our youth a disservice by failing to get them excited at a young age.
For starters, there’s the positive industry outlook, with both wages and employment opportunities outpacing most other industries.
Then there’s the fact that IT pros can work in just about any environment. There are Fortune 500 positions, as well as opportunities to contract with small businesses. This change of scenery can be refreshing for people who like to move around and see new things.
Making IT attractive to young students
As you can see, there are a lot of positive things happening in the IT industry. The goal has to be for educators, adults, and those already in the field to shine a light on its positive trajectory. Here are a few ideas:
IT isn’t exciting in the sense that you get to fight fires or hit a 95-mph fastball in front of 40,000 fans, but that doesn’t mean today’s children can’t grow up wanting to pursue a career in this growing field. It’s up to us to shed light on just how stimulating it can be.
Category: ISACA. Published: 5/16/2017 3:08 PM
It is no secret that vendor management is one of the top security challenges we face today. But what compounds the challenge is not knowing the relationships beyond our direct vendors. What are the vendors of my vendor doing?
I don’t know what I don’t know
The scenario: A recent project was initiated by the business group that would greatly improve our customers’ experience with us as well as streamline internal processes. Great! But, and I know this is common with any organization, the assigned managers involved on the project are not trained in project management and most certainly are not focused on security issues.
We have vendor management report into the risk department so we are fortunate to have security “eyes” on it but, in this case, the vendor did not disclose that additional relationships would be required. It turns out that the additional vendors would be involved in processing funds and documents containing sensitive data. Isn’t that interesting? Now the vendor’s vendor, the one processing funds, has a vendor for backups and is backing up the sensitive data. So, my data is three vendors away and the PMs are shrugging their shoulders.
We were fortunate because we did have time to do our due diligence on those additional third parties, but we might not be so lucky the next time and could find ourselves in damage control.
Here are three actions that will help with the vendor management security struggle:
In my recent Journal article, I present a strategy to mitigate the risk that the Internet of Things (IoT) evolution is already engendering. The IoT landscape, connecting thousands of systems, devices and sensors, is unlike the traditional IT environment to which we are all accustomed; however, we can certainly leverage the same well-known IT governance methodologies, along with state-of-the-art technologies and process changes, to manage IoT risk efficiently. Ramping up IoT security reduces that risk substantially, but the common view is that this is easier said than done.
My Journal article provides an overview of how this can be orchestrated at each stage of the IoT life cycle. The strategy commences primarily by adopting a security-by-design approach to secure any IoT asset. This essentially starts right at the hardware level of IoT device manufacturing and up until the device/sensor’s end of life. Along the way there are various regulations, standards and consortiums that need to be factored to maneuver smoothly through the compliance maze. It is critical to closely monitor these variations in IoT as they greatly influence (either positively or negatively) the privacy and security implications surrounding the IoT.
Adhering to the basics and best practices of information security is recommended. Most of the traditional security controls and frameworks, such as public key infrastructure (PKI), multifactor authentication, network security and secure coding practices, still apply to the IoT use case. Emerging technologies, such as the application of machine learning and analytics to various sub-domains of cyber security, may enable earlier detection of an IoT breach. Efficient project management is also key to a sustainable IoT program that bakes security into the IoT life cycle.
Even with all of these strategies, tools and controls in place, the organization needs to have, or develop, an indispensable ethos that embraces security as part of its IT DNA and, more importantly, its IoT DNA.
In summary, the following 4 tenets will help you to build a more resilient IoT infrastructure as we lurch into the unkempt, yet rosy world of IoT:
Read Indrajit Atluri’s recent Journal article:
“Managing the Risk of IoT,” ISACA Journal, volume 3, 2017.
From an information security perspective, companies often have perceived their own organization as a castle with well-defined walls, with few entry points sufficiently staffed with guards monitoring what information is coming in or leaving the organization. If further protection is needed, it is obvious what to do: build higher or thicker walls or add additional security guards. What is inside the castle can be considered safe.
However, there have been several significant changes in the past few years, namely:
This means that reliance on traditional perimeter security is no longer sufficient, a mindset that information security professionals have been advocating for several years. The National Institute of Standards and Technology (NIST) in the US, for instance, has developed a Cybersecurity Framework that organizes security activities into five functions: Identify, Protect, Detect, Respond and Recover.
The next generation CISO
So why are so many companies still struggling to adopt this approach? A CISO of a reputable company once said: “I was hired for my technical security skills; however, I do not know how to build an organizational change program.” The next-generation CISO not only needs an understanding of security challenges, but also needs to deliver this change in a programmatic approach.
The need for a step-change in information security
What is needed is a way to package the NIST thinking into an information security transformation framework considering the organizational model of companies.
The goal of the different components:
By first comparing the current organizational capabilities against future need, we can determine how fast and in which areas a company needs to act. Derived from this assessment, the projects can be planned and budgeted covering several years, including sourcing requirements (in-house or managed security provider). Each year, the required capabilities are re-assessed considering the threat landscape, business strategy and technological advances.
One key element is the definition of KPIs to measure the progress for each framework component. These KPIs help to communicate the benefits of a multi-year program to senior management. The assignment of skilled project/program management resources also helps to maintain the focus rather than daily operational tasks superseding project/program goals.
Experience so far
Taking this approach, we have experienced the following changes:
New threats demand a new mindset – and approach – for information security professionals.
Editor’s note: Monika Josi will present on “Building a Sustainable Security Program” at ISACA’s EuroCACS 2017 conference, which will take place 29-31 May in Munich, Germany.

Category: Security Published: 5/8/2017 3:07 PM
In this age of growing technology, we trust the Internet. We trust it with making secure payments, storing our medical history and sharing personal photos with family and friends. We trust a website when it claims our information is safe from intruders and that when our information is posted privately, it is only ours to see.
However, once information is posted, sent, or clicked, it is public. Hackers can crawl into these supposedly private portals and extract information.
The vast Internet is commonly described as three layers. The first layer is the public web, consisting of sites we use frequently such as Facebook, Twitter, Amazon and LinkedIn. This layer is often said to make up only 4 percent of the entire Internet, although any such figure is a rough estimate at best.
What is the other 96 percent? The deep web and the darknet. The deep web, the second layer, is everything search engines do not index: content behind logins, paywalls and query forms, and records held in databases that only produce a page on request. The darknet is the third and deepest layer: overlay networks such as Tor that can be reached only with special software, where criminal marketplaces and forums operate alongside legitimate uses. Customers whose data is breached rarely go looking for it there.
Tor (originally short for The Onion Router) began life as a U.S. Navy project for anonymous online activity but is now used by a wide range of groups, including the military, journalists, bloggers, activists and, yes, criminals. Tor makes communications harder to trace through traffic analysis by routing Internet activity through a series of network nodes, each of which knows only the node before it and the node after it, never the whole route from beginning to end. The trade-off for that anonymity is slower speed.
To surf the darknet, you need a browser that can reach .onion sites over the Tor network, such as:
Or, gateway websites like “Tor2Web” and “Onion2web” can be used, which fetch .onion content on your behalf so that it can be viewed in an ordinary browser like Google Chrome. As easy as this may be, it throws away Tor’s anonymity: the gateway operator sees your IP address, your ISP sees that you asked for a hidden service, and the gateway handles every page you fetch in the clear, so the operator, or anyone who has compromised the gateway, can log, alter or inject content into everything you see.
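The gateway problem above cuts both ways: because a Tor2Web-style gateway is reached over the ordinary clearnet, its use by an employee shows up in the corporate web-proxy log. The following is an added example, not code from the original post: a detection pass over Squid-like proxy lines that flags both a ".onion" name that leaked into a normal browser and a hidden service reached through a gateway, resolving each to the hidden service actually being contacted. The log lines, the client addresses and the gateway suffixes are constructed for this example and are not a vetted list.

```python
"""Added example: flag proxy-log requests that reach Tor hidden services
without Tor (via clearnet gateways) or that name a .onion host directly.
Sample log lines and the gateway suffix list are constructed, not real."""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# .onion names are base32: 16 characters (v2) or 56 characters (v3).
ONION_RE = re.compile(r"(?:.*\.)?([a-z2-7]{16}|[a-z2-7]{56})\.onion")
ADDR_RE = re.compile(r"[a-z2-7]{16}|[a-z2-7]{56}")

# Tor2Web-style gateways rewrite "<addr>.onion" to "<addr>.<gateway suffix>".
# These are assumed examples of that naming pattern; maintain your own list.
GATEWAY_SUFFIXES = ("onion.to", "onion.link", "onion.cab", "tor2web.org")


@dataclass
class Finding:
    client: str
    host: str
    kind: str   # "onion-direct" or "tor2web-gateway"
    onion: str  # the hidden service actually being reached


def classify_host(host: str) -> Optional[tuple]:
    """Return (kind, onion_name) when the host points at a hidden service."""
    host = host.lower().rstrip(".")
    m = ONION_RE.fullmatch(host)
    if m:
        return "onion-direct", m.group(1) + ".onion"
    for suffix in GATEWAY_SUFFIXES:
        if host.endswith("." + suffix):
            # label immediately before the gateway suffix must be an onion address
            addr = host[: -len(suffix) - 1].split(".")[-1]
            if ADDR_RE.fullmatch(addr):
                return "tor2web-gateway", addr + ".onion"
    return None


def host_from_target(target: str) -> str:
    """Extract the host from a GET URL or a CONNECT host:port target."""
    if "://" in target:
        return urlparse(target).hostname or ""
    return target.rsplit(":", 1)[0]


def scan_proxy_log(lines) -> list:
    """Parse Squid-like lines: '<ts> <client> <method> <target> <status>'."""
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # blank or malformed line
        client, target = fields[1], fields[3]
        host = host_from_target(target)
        hit = classify_host(host)
        if hit:
            kind, onion = hit
            findings.append(Finding(client, host, kind, onion))
    return findings


# Constructed sample log for this example (RFC 5737 test addresses).
SAMPLE_LOG = """\
1493993420.101 192.0.2.10 GET http://www.example.com/ 200
1493993421.202 192.0.2.10 GET http://abcdefghijklmnop.onion.to/login 200
1493993422.303 192.0.2.11 GET http://abcdefghijklmnopqrstuvwxyz234567abcdefghijklmnopqrstuvwx.onion/ 503
1493993423.404 192.0.2.12 CONNECT abcdefghijklmnop.tor2web.org:443 200
1493993424.505 192.0.2.13 GET http://notonion.to/ 200
"""

if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_LOG.splitlines()):
        print(f"{f.client} -> {f.host} [{f.kind}] hidden service {f.onion}")
```

A direct .onion request will normally fail at the proxy (status 503 in the sample) because the corporate resolver cannot resolve it, but the attempt is still worth an alert; the gateway request succeeds, which is exactly why it matters. Run the same pass over DNS logs if your proxy does not log CONNECT targets.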
Here are some steps to protect your computer:
What are some reasons to search the darknet? Company data may be on the darknet right now, such as user names and passwords, network maps and other confidential data that could be problematic. Once users become good at searching the darknet, they can create a seed file: a set of fabricated records, such as fake customer or employee entries, that is kept only inside the company and never given to anyone. Nobody legitimately holds those records, so finding one of them on the darknet is a strong indication that the company has been compromised.
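The seed-file idea above is easy to implement once the seeds are distinctive enough to be recognized and cheap enough to regenerate. The following is an added example, not code from the original post: it fabricates seed records whose e-mail addresses carry a tag derived from a secret key, reduces them to SHA-256 fingerprints so that the list can be handed to a monitoring team or vendor without revealing the seeds themselves, and then checks a text dump for any of them. The key, the domain and the dump text are constructed for this example.

```python
"""Added example: generate seed ("canary") records, fingerprint them, and
scan a leaked-data dump for them. All inputs are constructed."""
import hashlib
import hmac
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def make_seed_records(key: bytes, count: int, domain: str = "example.com") -> list:
    """Fabricated customer records. The tag in each address is an HMAC over the
    record index, so the whole set can be regenerated from the key alone and
    will not collide with a real customer's address."""
    records = []
    for i in range(count):
        tag = hmac.new(key, f"seed:{i}".encode(), hashlib.sha256).hexdigest()[:12]
        records.append({
            "name": f"Seed Customer {i}",
            "email": f"sc.{tag}@{domain}",
            "account_id": f"SEED-{tag.upper()}",
        })
    return records


def seed_fingerprints(records) -> set:
    """SHA-256 of each normalized seed e-mail. This set is what you share with
    whoever watches the darknet: it lets them match without learning the seeds."""
    return {hashlib.sha256(r["email"].lower().encode()).hexdigest() for r in records}


def find_seeds(dump_text: str, fingerprints: set) -> list:
    """Return the distinct seed addresses present in a dump, in order seen.
    Matching is on hashes of normalized addresses, so case and surrounding
    text (passwords, separators) do not matter."""
    hits = []
    for email in EMAIL_RE.findall(dump_text):
        norm = email.lower()
        digest = hashlib.sha256(norm.encode()).hexdigest()
        if digest in fingerprints and norm not in hits:
            hits.append(norm)
    return hits


if __name__ == "__main__":
    # Constructed: in practice the key lives in a vault and the seeds are
    # planted in the real customer database alongside genuine records.
    seeds = make_seed_records(b"demo-key-do-not-use", 5)
    prints = seed_fingerprints(seeds)
    dump = (
        "john.doe@real.example.org:hunter2\n"
        + seeds[2]["email"].upper() + ":Passw0rd!\n"
        + "jane@real.example.org:letmein\n"
    )
    for hit in find_seeds(dump, prints):
        print("seed record found in dump:", hit)
```

Because the monitoring side only holds hashes, a leak of the fingerprint list does not tell an attacker which records are canaries; and because seeds are regenerated from the key, there is no seed list sitting on a file share waiting to be exfiltrated along with the data it is meant to protect.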
Editor’s note: To learn more about this topic, an archived webinar, “The Dark Web – A Threat To Your Business?,” is available at www.isaca.org/Education/Online-Learning/Pages/Webinar-The-Dark-Web-a-Threat-to-Your-Business.aspx.

Category: Security Published: 5/5/2017 3:07 PM
Cloud computing, Internet of Things devices, cognitive and robotics automation, blockchain, virtual reality, drones and a variety of mobile technologies are among the disruptive technologies mounting challenges for IT auditors.
How audit professionals must adapt to the shifting technology landscape was among the major topics discussed by about 50 participants in the IT Audit Leaders Forum, held Monday during the North America CACS 2017 conference in Las Vegas.
Emerging technologies prompted participants to consider some of the new or enhanced skills auditors will need to develop over the next decade to thrive. Skills discussed included:
The proliferation of IoT devices – and how they are being deployed by enterprises – raises concern for some audit leaders, who must determine how best to manage and mitigate the increased risk, as well as navigate new security, privacy and compliance considerations. The challenge is even more pronounced given that IoT security investment often lags behind the pace of expanding threats.
“It’s not just about the devices,” said Martin Sokalski, managing director, emerging technology risk, KPMG. “It’s really about the full ecosystem, use cases, and the environment that these devices reside in.”
Sokalski said addressing IoT-related audit and assurance considerations does not only include emerging threats and vulnerabilities but also is largely about “going back to some of the basics,” such as asset management and data governance. It is essential to be aware, for example, of how many IoT devices an enterprise has in its network and who has access to them.
“If you don’t know that those devices exist, how do you then approach patch management or security and firmware updates?” Sokalski asked. “It’s a major concern.”
Several forum participants addressed the difficulty of attracting and retaining audit professionals with the right skills and training to address disruptive technologies. Undertakings such as building a sustainable data analytics function or conducting reliable, real-time assessments become much more difficult when dealing with understaffing or high turnover rates.
To enhance the IT audit workforce, several alternatives were noted as possibilities: working with local universities to incorporate IT audit into curricula, initiating guest auditor programs to give professionals initial exposure to the audit field, and making use of AI for simple tasks so that staff can focus on value-added work.

Category: Audit-Assurance Published: 5/3/2017 9:22 AM
There are more mobile devices than people on Earth. It is no surprise that the smart phone is one of the preferred devices to access information. Organizations embrace mobile technology for business advantages. The frequent publication of knowledge resources by ISACA on mobility/the Internet of Things (IoT) indicates the relevance of these technologies and the importance of securing them.
Application software is one of the important components that enables mobile access to information. Thus, securing mobile apps from security vulnerabilities and risk is fundamental. In fact, many recent security breaches have exploited vulnerabilities in the application layer to gain access to an organization’s network.
To tell a known-good state from an avoidable bad one, one must know what good looks like. From an information security and assurance perspective, knowing how things work helps to identify the avenues bad guys use to orchestrate cybercrime.
Mobility will remain popular until a futuristic technology emerges to replace it. I believe that mobile application security is not for the development team alone to handle; assurance and security professionals must equally be able to attest that an application is secure.
A study by a well-known security testing vendor indicates that most of the mobile applications vetted by them contained the following 5 common risk factors:
My recent Journal article describes techniques to embed information security in the software development life cycle, and it provides approaches to democratize information security ownership in development.
Empowerment to embed security in development happens when the expectations are explicit and practical guidance is provided. My article contains insights on setting up a mobile application security testing lab to perform a security test with both static and dynamic analysis.
Several test cases are recommended to address the 5 common risk factors on the Android and iOS platforms. Practical usability of the test cases is ensured by mapping them to freely available open source tools, which are outlined in the article. Incorporating security in all phases of the software development life cycle not only benefits the organization from an economic and efficiency perspective, it also ensures that business services are enabled securely.
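As an illustration of what one such static-analysis test case looks like in practice, here is an added example that is not from the article and does not reproduce its test cases or tooling: a review of an Android app’s AndroidManifest.xml for settings that weaken the app on a device (debuggable, backup enabled, cleartext traffic allowed) and for components exported to other apps without a protecting permission. The manifest, the package name and the component names are constructed for this example; the defaults applied (allowBackup true when absent, a component with an intent-filter exported when targeting SDK versions below 31) are the platform’s documented behaviour.

```python
"""Added example: a static manifest check for an Android app.
The sample manifest is constructed for this example."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def a(attr: str) -> str:
    """Clark-notation name for an android:* attribute, as ElementTree stores it."""
    return f"{{{ANDROID_NS}}}{attr}"


def is_launcher(component) -> bool:
    """True if the component declares the LAUNCHER category (it must be exported)."""
    for cat in component.iter("category"):
        if cat.get(a("name")) == "android.intent.category.LAUNCHER":
            return True
    return False


def check_manifest(xml_text: str) -> list:
    """Return a list of findings, one string per weak setting or exposed component."""
    findings = []
    root = ET.fromstring(xml_text)
    app = root.find("application")
    if app is None:
        return ["manifest has no <application> element"]

    if app.get(a("debuggable")) == "true":
        findings.append("application is debuggable: a debugger can attach and dump memory on a device")
    # allowBackup defaults to true, so an absent attribute is also a finding.
    if app.get(a("allowBackup"), "true") == "true":
        findings.append("allowBackup is enabled: app data can be pulled with adb backup")
    if app.get(a("usesCleartextTraffic")) == "true":
        findings.append("usesCleartextTraffic is enabled: plain HTTP is permitted")

    for comp in app:
        if comp.tag not in ("activity", "service", "receiver", "provider"):
            continue
        name = comp.get(a("name"))
        exported = comp.get(a("exported"))
        has_filter = comp.find("intent-filter") is not None
        # Below targetSdk 31, a component with an intent-filter is exported by default.
        is_exported = exported == "true" or (exported is None and has_filter)
        if not is_exported or comp.get(a("permission")):
            continue  # not reachable from other apps, or guarded by a permission
        if comp.tag == "activity" and is_launcher(comp):
            continue  # the launcher activity is expected to be exported
        findings.append(f"{comp.tag} {name} is exported without a protecting permission")
    return findings


# Constructed sample manifest (no XML declaration, so it parses from a str).
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:debuggable="true" android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".AdminActivity" android:exported="true"/>
    <provider android:name=".DataProvider" android:authorities="com.example.app.data" android:exported="true"/>
    <service android:name=".SyncService" android:exported="true" android:permission="com.example.app.SYNC"/>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for finding in check_manifest(SAMPLE_MANIFEST):
        print("-", finding)
```

The same check belongs in the build pipeline, run against the manifest that the release build actually produces (manifest merging can pull a debuggable or exported declaration in from a library), rather than only against the source file in the repository.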
Read Sakthivel Rajendran’s recent Journal article:
“Safeguarding Mobile Applications With Secure Development Life Cycle Approach,” ISACA Journal, volume 3, 2017.

Published: 5/1/2017 3:40 PM. Author: Sakthivel Rajendran, CISA, CRISC, CISM, CEH, GMOB
Planning is well underway to lead into ISACA’s 50th year in 2019, mark the anniversary, and carry momentum forward into the next decade and beyond. From outreach nearly a year ago to ISACA’s past presidents —an early tap of their ideas and insights — to anniversary footings now in place, importance, inclusivity, curiosity and enthusiasm characterize efforts to date.
And today is an important date, as ISACA debuts one of those footings — and a digital one at that. The first phase of our anniversary microsite, www.ISACA50.org, is up and running. The site will serve as a hub for stories, to gather and share history, for celebration toolkits, to post anniversary news and updates from around the globe, and to predict our future. It will lead the way to bring our anniversary theme to life:
Honor Our Past. Innovate Our Future.
As you read this, the site is having its first show-and-tell during the ISACA Regional Leadership Conference, beginning today in Las Vegas. The site, and the celebration underway and to come, is theirs, yours, ours. It has taken a collective effort to reach such a proud milestone, so it is only natural that the global ISACA community enjoys the celebration together: ISACA50.org is just the start. We encourage you to share your story of what ISACA means to you, as well as any images, videos or other materials — whether related to ISACA or the professions we serve — that will help enhance anniversary programming.
The anniversary logo is featured prominently on ISACA50.org. There is meaning to its design, and we hope you sense its energy. The concentric circles in the “50” represent the perpetual motion and innovation that have been hallmarks of ISACA’s past and present, and will be even more prominent going forward. Fittingly for a future-minded tech organization such as ISACA, envisioning and embracing the possibilities of the next 50 years will be a rallying point of our celebration.
Beyond the web portal, there are many other in-progress plans to commemorate this demarcation of the past and future. Another foundational element is an immersive, innovatively designed event exhibit. Preliminary concepts feature interactive, responsive technologies to illustrate history, ISACA contributions and milestones, people and impact, and a central “Future Visions” booth to capture and enhance visitor experiences and aspirations — for themselves, for ISACA, for our industry and for the world.
A third and just as essential early anniversary element is a set of plans, creative programs and packaged toolkits to prompt celebrations of all shapes, sizes and durations by and for ISACA chapters, volunteers, leaders, members and engaged professionals the world over. The anniversary provides a clarion call, as ONE global community, to deliver ISACA’s Purpose and Promise:
Indeed, you will see, hear and feel the impact of Purpose and Promise as we honor, and as we innovate over the course of our anniversary years.
ISACA has an incredible story to tell. Consider the seismic shifts in technology that have unfolded since 1969, when a small group of individuals in the Los Angeles area formed the EDP Auditors Association, which eventually became ISACA. For the past five decades, ISACA has been at the forefront of helping professionals and their enterprises navigate the fast-moving technology landscape. Our ability to do so for the next 50 years is even more imperative given the scale of global digital disruption we’re experiencing.
This is a special time for ISACA. Our global professional community — growing each year in number and impact — will honor our past and innovate our future together. It will be a fun, enlightening and rewarding celebration.
Stay tuned – there will be much more to share, know and do in the coming months and years. It is time to Honor Our Past. Innovate Our Future. A first visit to www.ISACA50.org is a great place to start!
Editor’s note: The ISACA Now series titled “Faces of ISACA” highlights the contributions of ISACA members to our global professional community, as well as providing a sense of their lives outside of work. Today, we spotlight Maria Divina C. Gregorio, CISA, CRISC, PCI-ISA, PCIP, internal audit manager, VSP Global, a US resident from the state of California.
ISACA Now: What motivated you to pursue a career in audit?
I chose a career in audit because it allows me to have a comprehensive understanding of and exposure to all facets of the business. I am able to use my knowledge, analytical techniques and people skills to effectively contribute to the betterment of the organization. I was also influenced by a mentor early in my career who encouraged me to explore opportunities in this field and introduced me to ISACA’s CISA certification.
ISACA Now: How do you see technological advancements having the greatest impact on audit in the next 3-5 years?
I believe that technological advancements have and will pave the way for more efficient, more effective and more economical audits.
ISACA Now: What are a few professional achievements of which you’ve been most proud?
I am proud to have achieved my CISA, CRISC, PCI ISA and PCIP certifications. They allowed me to lead highly impactful audits that resulted in major cost savings to the organization. I am very proud to have authored our cyber crisis management plan, and I am now leading the global business continuity initiative in my organization.
ISACA Now: How long have you been an ISACA member, and what has that added to your professional development?
I have been a member of ISACA since October 2005 – 12 years! I believe that the benefits derived from my ISACA and other professional association membership, certifications, active participation in my local chapter, passion toward my profession and continued quest to educate myself have been a great formula for my professional development.
ISACA Now: You’ve been active in Habitat for Humanity – what have you taken from that experience?
I’ve always been guided by a personal commitment to leave this place a little better than I found it. I believe that serving with Habitat is my small contribution to that commitment.
ISACA Now: What is the most fun aspect of living in California?
Do I feel like having authentic dim sum breakfast in San Francisco this morning, then heading to a Napa vineyard for lunch and some wine? Or how about some honest to goodness mole in the Mission, then heading to the beach and gazing at migrating whales in Bodega Bay? Or maybe picking up my skis and hitting the slopes at South Lake Tahoe, or lounging in a houseboat in Shasta Lake? As you can see, there is something for everyone in California. I feel very blessed to have these choices – all within hours from each other!
ISACA Now: What are some of your favorite things to do outside work?
I read, go on hikes with my dog; tend my organic garden; feed the ducks, peacocks (yes, we have them “wild” around my neighborhood) and turkeys; swim; work out; and have lunch dates with my mom.
It’s National Volunteer Week in the US. ISACA, however, is global in its reach, as is our corps of dedicated volunteers, and I want us to honor them all. So, I am choosing to declare this period “ISACA Volunteer Appreciation Week.” In this spirit, I ask you, members of our professional community worldwide, to join me in thanking the more than 4,000 members of our organization who provide us with their generous gifts of time and expertise to support advancing ISACA’s purpose to help realize the positive potential of technology.
Here, in their own words, are a few examples of volunteers’ contributions, and their motivations to give back to ISACA and our profession:
In 1969, it was a small group of volunteers in Los Angeles who had the foresight to see the need for our work as a result of companies investing in technology capability to support financial and business operations. They established the EDPAA, and sowed the seeds of opportunity that led to our current day ISACA. As we approach our 50th anniversary, volunteering has always been at the foundation of ISACA’s evolution. Increasing this engagement will be a hallmark of how we write the next 50 years of ISACA’s history.
On behalf of the entire ISACA family, we thank our chapter leaders who work tirelessly to increase ISACA’s visibility, influence and impact locally. We thank those who contribute to keeping our certifications and continuing education relevant in a constantly changing workplace as a result of a rapidly changing technology landscape and an increasingly complex legal, regulatory and compliance environment. We extend our gratitude to those volunteers committed to advocating for and strengthening our professions, creating opportunities for career growth and, perhaps most importantly, helping all of us to share the value of what we do to enable the organizations for which we work.
In a world where time is our most precious commodity, your willingness to give back inspires us all, especially knowing that you do so above and beyond your many other professional and personal responsibilities.
Author’s note: This post was inspired by the discussions among CISOs attending ISACA’s 2016 CISO Forums, plus additional readings and personal experience. The opinions are my own. For more insights from the CISO Forums, read ISACA’s CISO Board Briefing 2017.
A study by K logix Research titled "CISO Trends" found that "53% of CISOs state that one of their main objectives is to align security with business goals while 46% want to partner with business leaders to help them solve problems.”
This will have implications that go far beyond resource allocation. The CISO’s contribution to the organization is fundamentally to enable growth and support the attainment of the strategic objectives. The CISO will achieve this by ensuring that the information security posture is commensurate with the risk appetite and compliant with industry requirements.
When a group of CISOs discuss reporting, you rapidly come to realize that there is not a unique global best practice. In fact, as indicated in ISACA’s CISO board briefing, "there is not one correct organizational map, not one universal title and not even one universally applicable job description for the information security executive.”
To best fulfill this role, a key success factor is having the CISO as close as possible to those who set the tone at the top. Direct reporting to the CEO is what first comes to mind. Working closely with the CEO helps ensure best alignment of security with business imperatives. This requires an excellent working relationship between the CISO and the CEO.
Being perceived as part of the inner circle has its ups and downs. Other executives and directors will want to display a collaborative attitude and deal with the CISO as a key player but might also see the CISO as a threat to their own agenda.
The same study by K logix points out that "more than half of CISOs report to the CIO, and just 15% report to the CEO, with the rest reporting to the COO, or Risk-related organizations. But when asked about the future of the security organization, 50% of CISOs responded that the role will report into the CEO."
There are some public examples in which even the CEO had an agenda that made her avoid her CISO. Googling Yahoo’s Marissa Mayer will provide an example of a situation of which no CISO wants to be part.
A very prevalent option is reporting to the CIO. As information security gained recognition and was no longer seen as a purely technical issue, the person in charge was promoted and reported directly to the CIO. At the time, this was a very positive enhancement of the role. While it may work well for some, it comes with some risk. The CIO is under heavy pressure to deliver the required projects on time and within budget. In this model, the CIO, who has a supervisory function for security and other matters, may also be influenced by personal financial considerations, such as a bonus – particularly in the private sector.
The CIO will eventually be confronted with conflicting objectives when a project does not meet the security requirements and is running out of time or budget. Security is then at risk of being sidetracked. There is a clear rationale for having the CISO function independent of IT.
Other reporting lines may be to the chief risk officer, chief financial officer, chief operations officer and even the chief audit executive.
In “Determining Whether the CISO Should Report Outside of IT, Refreshed” from research firm Gartner, it is noted that:
When the opportunity comes to revisit the reporting lines for the CISO, it’s no time to try to be idealistic. One must determine which is the best option within the context/culture/environment of his or her organization.
Among other considerations, one must assess the organization’s vision and strategic goals, culture, management style, security maturity, IT maturity, risk appetite and all relevant dynamics involving the current security posture and reporting lines.

Category: Security Published: 4/24/2017 3:03 PM
My transition from internal IT auditor to CISO in banking felt natural because, while working as an auditor, I developed a strong knowledge of information security and control concepts while also improving my communication skills.
Communication skills are crucial to the success of a CISO. Effective communication helps build positive relationships with employees at all levels within the organization. As an auditor, I presented audit reports to the Audit Committee. This served as excellent experience because I learned how to communicate effectively with top-level personnel, which was also required in my role as CISO.
Internal auditors are facing new challenges. Sensitive information is pervasive in the digital world because users expect it to be available when needed. Prior to the Internet-connected world, the focus in banking tended to be on business continuity planning, the exposure of sensitive information from threats to physical media, and other financial fraud activity such as physical credit card theft.
In the connected world, data is readily available through connected networks, and that data is the target of cyber attacks. Given the rise of successful attacks, IT auditors must continually educate themselves on the new types of threats and be knowledgeable of information security controls and how to test those controls.
There are many resources available to auditors. Just as a mechanic needs to acquire a toolset, an IT auditor must also assemble an array of resources. An auditor must network with other IT audit and information security professionals by participating in professional organizations. In addition to networking, websites such as ISACA’s and SANS’ provide audit and information security resources. ISACA has an online library with information security and audit books. These are useful resources for professionals new to IT audit.
IT auditors must remain relevant by constantly educating themselves regarding the latest information security threats, trends and controls by using all available resources. IT auditors are no longer an asset to their organization when they stop learning.
Changing career paths from IT audit to CISO was a smooth transition because I developed strong communication skills as an auditor, I had a strong knowledge of the latest security threats and trends, continuous education was a priority to me, and I assembled a set of resources. For those who are interested in a career path change from IT audit to CISO, these key items should help ensure success.

Category: Audit-Assurance Published: 4/21/2017 3:00 PM