From Control to Enablement: Key Lessons From the IT Audit Director Forums

Digital transformation, emerging technologies, cybersecurity, Internet of Things (IoT), increased adoption/understanding of technology by business areas and other trends are having a huge impact on organizations and the IT audit profession.

Speed to market and innovative implementation of technologies are more important today than even five years ago. It’s innovate or perish. At the same time, organizations are intent on increasing their understanding of cybersecurity threats and managing their exposure.

Enterprises want to guarantee that their capital investments are of high quality, address and/or create market demands, and do not expose themselves to cyber threats. The world of audit and assurance is evolving quickly to ensure that these challenges are met.

Changing IT Audit’s Perspective
Organizations are looking to IT auditors to not only ensure quality but also realize the positive potential of technology. By leveraging new technologies to measure quality and ensure compliance and proper operations, the assurance profession will continue to play a critical role in the success of organizations. Fundamental to this thinking is changing our perspective from one of control to one of enablement. This change raises numerous important questions:

  • How are your peers addressing the evolution to enablement?
  • How have they redefined their roles to be enablers?
  • What can ISACA do to help with this evolution?
  • How do we facilitate discussion among our stakeholders to address these emerging and highly relevant topics?
  • Do we have the right skilled people in the right positions to provide the value that organizations require from us?
  • How do we retool our existing audit professionals?
  • How do we attract the best talent and then keep them motivated and committed?

We’ll be discussing these very issues during a live webinar entitled Key Lessons from the IT Audit Director Forums on Tuesday, 14 June, at 11 a.m. (CDT). Click here to attend.

IT Audit Thought Leadership
ISACA has been hosting IT Audit Director Forums at our CACS conferences as a way to present thought leadership from key experts, gather constituent insights and challenges and facilitate discussions around topics chosen by our constituents. The IT Audit Director Forums facilitate and encourage peer to peer discussions around relevant topics, such as the impact of data analytics and IoT on the assurance profession.

During this webinar, we will walk through the key lessons of the most recent IT Audit Director Forums and identify the top challenges that you face today and in the future. If you were unable to attend the IT Audit Director Forums at the recent CACS conferences, I highly recommend that you attend this webinar. This is a great opportunity to hear what your peers are doing, their concerns and their solutions.

This is an exciting and challenging time within the IT audit profession as organizations work to meet the challenges of digital transformation and other critical issues. It’s up to us as professionals to help lead the way. In the future, we would like to hear from you on the biggest challenges you face and how we at ISACA can provide the right tools, templates, knowledge assets and research to help you.

To attend the Key Lessons from the IT Audit Director Forums webinar on Tuesday, 14 June, at 11 a.m. (CDT), click here.

Frank Schettini, Chief Innovation Officer, ISACA

[ISACA Now Blog]

CISA, Audit Thyself

It is 9:30 p.m. on Sunday—Mother’s Day. I am in my home office reformatting my laptop as a result of a mysterious Windows 10 EVENT_TRACING_FATAL_ERROR. As I sit at my desk playing Mahjong on my cell phone and cursing Bill Gates, I wait for Windows 10 to reload and check for updates. Thank goodness I keep all of my data on a separate hard disk. As I sigh with exasperation, my husband’s voice sounds from the other room as he suggests “Just restore it to the last point that worked.” Silence. “You do create restore points before you load updates, don’t you?” he asks, snickering. I growl under my breath and respond “No” in a tone that grudgingly implies that I did not and never have.

Oh, did I mention that I am a home-based worker? If I have technology issues, I am 1,900 miles away from my office, so I can’t just hop in the car and get somebody else to fix my problems.

By now you might be wondering why, as an IS auditor, do I not practice what I preach?

I know that my problem, if not caused by my own ignorance, was at least exacerbated by not following the best practice of creating a restoration point. If creating backups of data is a prerequisite for recovery,1 then the corresponding code and system configuration should also be required for successful recovery. However, lest you think I am a complete Luddite, please know that I do back up my confidential data to a separate hard disk not connected to the Internet and use a personal cloud as back up for non-confidential data. I also have a UPS, several extra modems and routers, and a backup laptop. In case my Internet goes down, I even have a nifty business resumption plan (e.g., go to Starbucks, enjoy a latte, and use their free Wi-Fi). Yet why, despite my education, certification and years of experience in IS auditing, do I place my systems at risk by employing some best practices while blatantly ignoring others?

Cost was obviously not a factor as creating a restore point is a built-in Windows OS function. Nor is lack of understanding the ramifications of failing to employ restoration points. As far as I can tell, my only excuse for failing to create a restoration point was my perception of the risk of OS failure being low compared to other types of risk, such as loss of connectivity or data loss.

An individual’s willingness to adopt or to reject an IT control is reliant not only upon the real security risk, but also the perceived risk.2Perception plays a far more important role in decision making than we realize. This means that some people (and organizations) will accept the possibility that something might happen rather than use precious resources to implement controls to prevent it. This false optimism is simply human nature,3 and sometimes it is only after experiencing the pain of one’s actions (or lack thereof) that individuals and organizations change.

How can we, as CISAs, ensure our clients perceive the real risk? As IS auditors, it is important that we understand why our clients might be resistant to change and reluctant to employ controls. If we can relate to them, then perhaps we can more effectively communicate our recommendations. After all, isn’t auditing another method of education?

At the very least…I might start taking my own advice.

Editor’s note: The ISACA Now Blog section is celebrating Women in Technology Month throughout June by featuring female bloggers. If you are a female blogger and would like to contribute a blog, please contact us at news@isaca.org.

1  ISACA, CISA Review Manual, USA, 2009
2  Huang, Ding Long, Pei-Luen Patrick Rau, Gavriel Salvendy, “Perception of information security,” Behaviour & Information Technology 29 (3): 221-232, May 2010
3  University of Kansas, “People By Nature Are Universally Optimistic, Study Shows,” Science Daily, 5 May 2009,www.sciencedaily.com/releases/2009/05/090524122539.htm

Stephanie Mahlig, CISA, MIS, Information Risk Management Technician, Allstate Insurance Company, Northbrook, IL

[ISACA Now Blog]

Cybersecurity Is Not a Cost – Leverage the Fourth Industrial Revolution for Economic Growth

On June 7, 2016, Palo Alto Networks held an international cybersecurity conference in Tokyo called Palo Alto Networks Day. Over 1,200 participants from government organizations and industry came together to learn about the latest global trends in cybersecurity, threat intelligence, legal and policy issues as well as to look for networking opportunities with each other. Compared to last year, the size of this year’s conference almost tripled – highlighting the ongoing importance of and interest in cybersecurity.

Multiple participants shared challenges they face in getting their leadership and management teams’ buy-in to invest in and commit to cybersecurity technology and the people and processes needed to defend their organization against cyberattacks. Some struggle with keeping their executives up to date on new cyberthreats that are attacking today’s organizations. Until recently, most executives didn’t often consider cybersecurity in the context of their most common concerns, such as managing risk, preserving business operations and hitting sales targets. Because new threats are “unknown,” they often cannot attract enough attention from executives to take any immediate action to pay for “unknown costs.”

This is understandable. It is hard to invest resources in something not easily measurable when we have multiple things to worry about in today’s complicated and interconnected world. Nonetheless, it is also true that cyberattackers take advantage of such a mindset. This means culprits can keep winning as long as they adjust the ways they mount successful cyberattacks for the purpose of stealing proprietary information, customers’ personal data, sensitive government intelligence, or even crippling the operations of critical infrastructure to harm people.

During Palo Alto Networks Day, Mark McLaughlin, our chairman, president and CEO, reiterated the importance of automated prevention and the sharing of threat intelligence, saying that it is crucial to take unknown threats, turn them into known threats, and share the threat intelligence as openly and quickly as possible to bring greater security to the world. The Cyber Threat Alliance and Financial Services – Information Sharing and Analysis Center (FS-ISAC) are two good examples of organizations that use sharing frameworks to provide threat intelligence among member companies in the same industry. Their efforts jointly raise awareness at the global cybersecurity level and bring greater value to their customers in the form of protection from advanced cyberattacks.

William H. Saito, Special Advisor to the Japanese Cabinet Office and vice chairman of Palo Alto Networks K.K. pointed out that this kind of framework may sound odd to traditional business minds; some businesses would rather keep what they know than give it up for free, because information can be a source of power. However, that action may lead to the loss of an opportunity to utilize the information to protect other companies within the same industry against similar cyberattacks. The global threat of cyberattacks is too great not to share threat information among peers.

The U.S. defense and intelligence communities learned this the hard way during the 9/11 terror attacks, which prompted the paradigm shift from “need-to-know” to “need-to-share” to make relevant threat intelligence available to all stakeholders as soon as possible. Such a revolutionary change is needed for cybersecurity as well. Bad guys – whether cybercriminals, hacktivists, terrorists or state actors – work organizationally, tactically and strategically to achieve their adverse goals by cyber means. Defenders also need to collaborate in the same manner to increase the cost of successful cyberattacks – and make that cost prohibitive for attackers.

Second, organizations must switch from reactive defense to proactive and automated prevention. This does not mean denying the importance of incident response. Since there is no 100 percent effective security, incident response is an indispensable part of cyber resiliency. Automation allows defenders to compress the time for incident response, which involves time-consuming manual work and eventually reduces costs for cyber defenses.

The World Economic Forum argues that the Fourth Industrial Revolution relies on digital technology to push global economy and quality of life. The concept is dependent on people’s trust in the Internet. In his keynote speech, former Internal Affairs and Communications Minister Heizo Takenaka analyzed that economies are increasingly connected and only security can make them robust and successful. If people lose confidence in Internet security and use it less, the strength of the global economy will be diminished. In the 21st century, cybersecurity is not simply a cost as some people believe. Cybersecurity is, in fact, leverage to drive the Fourth Industrial Revolution.

See photos and read more details from Palo Alto Networks Day in Tokyo.

[Palo Alto Networks Research Center]

Using IDAPython to Make Your Life Easier: Part 6

In Part 5 of our IDAPython blog series, we used IDAPython to extract embedded executables from malicious samples. For this sixth installment, I’d like to discuss using IDA in a very automated way. Specifically, let’s address how we’re going to load files into IDA without spawning a GUI, automatically run an IDAPython script, and extract the results. Using this technique, we’ll be able to process many samples very quickly without needing to manually open each file in a new instance of IDA and run the IDAPython script.

Many may be surprised to learn that IDA can be executed purely on the command-line without spawning a GUI. In order to do so, the user must run the IDA executable with the ‘-A’ switch. This particular switch will instruct IDA to run in autonomous mode, ensuring that no windows or dialog boxes are presented to the user.

The following command-line examples demonstrate this technique being used in both OSX and Microsoft Windows . In these examples, the ‘-c’ switch generates a new IDB file, even in the event one already exists. Additionally, the ‘-S’ switch specifies the IDAPython script that will be run upon execution. We’ll be using these switches later on in the post.

The Scenario

For this example, I’m going to use the Cmstar malware family, previously discussed by Unit 42. For those unfamiliar with this malware family, it is a downloader that will transfer a file hosted at a specific URL over HTTP(S) and execute it on the victim’s system. The URL in question can be de-obfuscated using the following routine.

Knowing this, our next task is to identify where this data resides within a Cmstar sample. Correlating across a few samples, we conclude that two encrypted strings are being stored into a variable using calls to memcpy. One of the strings contains the domain or IP address that the malware will connect to, while the other contains the URI.

We also notice that the same sequence of instructions are executed when this memcpy instruction takes place:

mov esi, [offset]
pop ecx
lea edi, [variable]
rep movsd

Figure 1 Function containing encoded strings in Cmstar

Armed with this information, we can attempt to identify this sequence of instructions using IDAPython. To do so, we’ll iterate through every function IDA identifies, and proceed to ignore any functions marked as a jump function or belonging to a known library. The remaining functions will then be iterated through using a sliding window where we’ll inspect four instructions at a time, seeking the markers previously identified to determine if there are any matches:

In the above example, I’m simply printing out a debug string if I find any matches. Running this code against the sample with an MD5 hash of 4BEFA0F5B3F981E498ACD676EB352D45 in IDA, we get the following output. As we can see below, we’ve successfully identified the addresses of both obfuscated strings.

Figure 2 Running script against Cmstar sample

At this point, we can take the offsets we’ve identified and extract the strings to which they point. These strings can then be decoded using the previously defined decode() function.

Putting this all together, we come up with the following script:

At this stage, we can use the automation technique of running IDA in non-GUI mode and use the above script. This will allow us to run this script against a number of samples without the need for user interaction. We’ll run the script on our OSX machine as follows:

for x in ls; do /Applications/IDA\ Pro\ 6.9/idaq.app/Contents/MacOS/idaq -c -A -S/tmp/script.py $x; done

After a few minutes, we’re treated to the following within /tmp/output.txt, which is where we instructed our script to store results.

Figure 3 Output of /tmp/output.txt

Conclusion

By leveraging both the power of IDAPython, along with IDA’s command-line switches, we’ve successfully automated the extraction of the download location of a number of Cmstar samples. This technique can easily be applied to a larger number of samples, allowing us to execute IDAPython actions without needing to manually open each file in IDA. For those readers who were not aware of this IDA capability, I implore you to investigate it, as it can not only save you time, but also make things much easier when working with a large number of files.

[Palo Alto Networks Research Center]

A Look Back at Palo Alto Networks Day 2016 In Japan

(This post is also available in Japanese on our Japan website.)

Over 1,200 people attended Palo Alto Networks Day at the Prince Park Tower in Tokyo yesterday, underscoring how security continues to be a top, strategic priority for organizations and the industry at large in Japan.

The morning session of the conference kicked off with a welcome speech by Hiroshi Alley, chairman and president of Palo Alto Networks K.K.

Mark McLaughlin, chairman, president CEO of Palo Alto Networks, then delivered his keynote on protecting our way of life in the digital age and our prevention-based approach to doing so.

Other speakers include René Bonvanie, chief marketing officer and executive vice president of Palo Alto Networks and Heizo Takenaka, Director of the Global Security Research Institute at Keio University, and Japan’s former Minister for Internal Affairs & Communications and Minister of Economic/Fiscal Policy. Rene talked about the Palo Alto Networks Next-Generation Security Platform as well as recent enhancements made to Global Protect, updates to WildFire and AutoFocus and PAN-OS Panorama 7.1 release.

Professor Takenaka delivered a keynote speech on how the economy – global and in Japan – is interconnected and only security can make them robust and successful.

Check out some of the pictures below from the successful event, which also featured William Saito, Vice Chairman, Palo Alto Networks K.K., and Mihoko Matsubara, CSO, Japan, Palo Alto Networks.

Last, don’t forget to follow Palo Alto Networks Japan and Unit 42 on social media!

Facebook
Twitter
Unit 42 日本拠点ブログ
Unit 42 Twitter

* Event photos taken by Tsugunori Sugawara from Palo Alto Networks, and Hiroshi Haneda, official photographer for Palo Alto Networks Day 2016. 

[Palo Alto Networks Research Center]

English
Exit mobile version