ISACA celebrated its 45th anniversary in 2014, and marked this accomplishment with a year of great advancements. One of the most visible and impactful events was the launch of Cybersecurity Nexus (CSX). At a time when cybersecurity breaches and devastating hacks make news daily, CSX offers innovative ways to help provide resources for cybersecurity professionals at all levels and fill the global skills gap. ISACA also successfully introduced the Cybersecurity Fundamentals Certificate, and several workshops were sold out, which further supports the need for and acceptance of CSX worldwide.
In addition, the online version of COBIT 5 was released, complete with a new Goals and RACI (responsible, accountable, consulted, informed) planner. This tool helps organizations of all sizes and industries improve governance and management of enterprise IT. COBIT 5 is used globally to help create value and address business issues.
We also implemented our digital strategy and are able to provide members with fresher content more frequently and in an easy-to-use format. Most notably, the ISACA Journal—one of the top member benefits—is now publishing online articles every two weeks instead of every two months. COBIT Focus, which provides the latest news and case studies about COBIT, is also publishing articles more frequently.
And in September, ISACA took another step toward its future by welcoming our new chief executive officer, Matt Loeb. Matt brings to ISACA a depth of experience, and he will be an instrumental factor in our future growth.
Driving all of these activities is ISACA’s commitment to what ultimately makes us a successful organization—our valued members around the world. For all of you who have attended chapter meetings, obtained CISA, CISM, CGEIT or CRISC certifications, participated in a Training Week or conference, or read the ISACA Journal or one of our many other excellent research publications, the board of directors and I thank you for your support and expertise. The future of ISACA has never looked brighter.
Robert E Stroud, CGEIT, CRISC
2014-2015 ISACA International President
“We have about 800 users using internal and external applications, one main office and four external locations,” explains Ursula Dickmann, Head of IT Operations for RheinLand Versicherungsgruppe in Germany. “Our challenge is weighing security risks against not restricting employees to the point where it hinders their ability to do work.”
Like all insurance companies, RheinLand Versicherungsgruppe manages highly sensitive financial and personal data for individuals and businesses. Its employees have to be productive, but RheinLand's customers must trust its ability to protect their data above all else. Therefore, Ursula and her team must ensure they can safely enable business applications, control access, meet compliance regulations and protect the network, all while keeping IT costs manageable.
RheinLand had previously relied on firewalls from Check Point and WatchGuard, but was pointed to Palo Alto Networks by its longtime IT advisory partner, Helmich.
I invite you to read about how RheinLand’s IT decision-makers, initially skeptical, became believers in our Enterprise Security Platform. They put us to the test, did their homework — and are now saving 40% of previous time spent managing infrastructure and thousands of Euros in IT costs while getting better features, better visibility and better performance.
It can be done!
This case study is also available in German.
Customer Spotlight is our regular look at how various customers use Palo Alto Networks enterprise security platform to solve their toughest challenges. See below for Customer Spotlight blogs from throughout 2014:
Don’t look in the crystal ball, look in the mirror to protect data and defend against threats in 2015.
As the year draws to a close, security gurus begin the annual ritual of predicting what horrors will befall us after the calendar turns from December to January. While this gloomy approach ignores the potential for actually improving infosec, it also sidesteps the opportunity for reflection. The truth is, any security incidents that will occur in 2015 will be the result of lingering errors created in the past. Here are four dangers that will continue unless we resolve to act now.
Legacy code, present danger
Just because some bit of code has been in use since the dawn of time does not mean it has been thoroughly vetted. In the past few months, we saw years-old (or even decades-old) vulnerabilities unearthed in the form of the Heartbleed, Shellshock, POODLE, and Unicorn bugs. It's nearly impossible to predict where the next of these ancient vulnerabilities will surface, but it's a fair bet that you'll find them wherever there is a piece of code that is used by millions and has gone largely unchanged for years. In 2015, security teams should resolve to give that legacy code a thorough review.
Expedience at the expense of security
The past year was not a good one as far as major payment card security goes. It brought us breaches at Neiman Marcus, Michaels craft stores, P.F. Chang's, Dairy Queen, Jimmy John's, Goodwill, Staples, and Home Depot, among others. Predicting another year full of yet more breaches seems like something of a no-brainer. In the largest of these breaches, at Home Depot, company officials had been warned about flaws in their security. Instead of taking action, they chose expediency over security, and they are now paying the price of millions of unhappy customers. The causes of these breaches are all basic security failures: loss of login credentials, lack of adequate network segmentation, absence of encryption, use of default device passwords, and disabling of security features. While we can't say better security would have prevented all of these events, we can resolve to make breaking in far more difficult for the attackers.
Malware: Everything old is new again
The headlines may be all about the newest and most unusual malware, but the majority of what affects the average person is still the same old, boring stuff that has been around for ages. Infecting computers usually doesn’t require the newest vulnerabilities, and it doesn’t necessitate the stealthiest tactics. The most effective threats often still rely on old-fashioned social engineering, because criminals are not going to pull out the metaphorical “big guns” if they know they can get their payday with tactics that are simply “good enough.”
Right now, the cost of entry for malware writers is exceedingly low, and the return on investment is very high. Until that equation changes, we’re not likely to see much of a decrease in malware in particular or cybercrime in general. The coming year is likely to bring some improvements, but in fits and starts rather than as a complete sea change. Let’s get that process moving faster.
Looking back to look ahead
For most people, technology is a new and often confusing thing. Many organizations are going digital fairly reluctantly, choosing only the easiest and most user-friendly aspects to deploy. Historically, this has led to a general perception that information security is a drag on innovation — not an essential feature of the technology infrastructure. As people become more informed, as security products become easier to implement, and as more people become aware of the costs of leaving themselves open to attack, this situation is likely to evolve for the better.
The good news is that old problems, by and large, already have solutions: All we have to do is recognize and implement them. There are a lot of things that we can all do to improve our security. Once we remove the low-hanging fruit, we will make it more costly and difficult for criminals to do their jobs. That’s not to say that removing that fruit will be an easy task — in fact, it’s far more difficult than our current policy of worrying about the most challenging (one might even say “advanced, persistent”) fruit.
It is my hope that in the coming year, the brilliant minds in this industry will reflect on what we can do to make security simpler and more approachable for the general public.
What are your infosec resolutions for 2015? Please share them in the comments.
Lysa Myers began her tenure in malware research labs in the weeks before the Melissa virus outbreak in 1999. She has watched both the malware landscape and the security technologies used to counter it grow and change dramatically. Because keeping up with all this change can be difficult for even the most tech-savvy users, she enjoys explaining security issues in an approachable manner for companies and consumers alike. Over the years, Myers has worked both within antivirus research labs, finding and analyzing new malware, and within the third-party testing industry, evaluating the effectiveness of security products. As a Security Researcher for ESET, she focuses on providing practical analysis of, and advice on, security trends and events.
Unit 42 is the Palo Alto Networks threat intelligence team. Made up of accomplished cybersecurity researchers and industry experts, Unit 42 gathers, researches, analyzes, and provides insights into the latest cyber threats, then shares them with Palo Alto Networks customers, partners and the broader community to better protect enterprise, service provider, and government computing environments.
You can now have up-to-the-minute threat intelligence updates from Unit 42 delivered right to your inbox as they're posted.
Regular research analysis is posted to the Unit 42 threat intelligence blog. Unit 42 also publishes whitepapers examining, in detail, threats to mobile device ecosystems, APTs, malware attack patterns and other subjects crucial to any security practitioner or business executive’s understanding of the current cyber threat landscape.
Unit 42 team leads will host a track at Ignite 2015, where they will discuss your toughest security challenges and work out ways to help you solve them. Register now to join Palo Alto Networks in Las Vegas, March 30-April 1, 2015.