PAN-OS 8.0: New Features That Benefit Healthcare Organizations

Healthcare organizations are targeted by some of the most advanced cyber adversaries and malware. The newest release of the Palo Alto Networks Next-Generation Security Platform, PAN-OS 8.0, is now available and introduces new features and enhancements that will help stop advanced cyberthreats within healthcare organizations. I’ll outline a few of them here:

1). New credential theft protection: You can now detect phishing attacks and choose to block or allow your users from submitting their credentials to websites based on the site’s URL category. There are four new features that safeguard enterprise credentials, which otherwise provide an entry point for attackers into your healthcare network.

Feature 1: Administrators can prevent users from submitting enterprise credentials to malware and phishing sites.

Feature 2: Administrators can prevent users from submitting enterprise credentials to unknown sites. Let’s say, for example, that one of your users received a convincing phishing email that encourages them to log in to a phishing website that’s just been created solely to target your healthcare organization. The site would be categorized as “unknown” in the URL filtering capability of the Next-Generation Firewall, since it was just created. The new credential theft protection in PAN-OS 8.0 would detect that an internal user is attempting to post their enterprise credentials to a site categorized as “unknown” and block it.

Feature 3: Administrators can explicitly enable users to submit credentials to specific external corporate sites.

Feature 4: The WildFire phishing verdict now classifies phishing sites, sites disguised as legitimate websites that aim to steal sensitive information, separately from malicious sites. The newly‐discovered phishing sites that WildFire identifies are also rolled into the PAN‐DB URL category for phishing every five minutes, which enables you to block access and corporate credential submissions to phishing sites.

2). WildFire makes malware evasion more difficult: Adversaries have perfected anti-analysis techniques to evade detection. This makes working on evasion techniques highly profitable for cybercriminals because they can be used to target a wide variety of systems. WildFire now runs on an all-new custom hypervisor to analyze and prevent the most evasive threats, making the business of anti-analysis techniques financially unfeasible.

WildFire now offers bare metal analysis: Malware has become increasingly adept at recognizing when it is being analyzed in a virtual environment and attempts to prevent further analysis. WildFire now adds an advanced bare metal analysis capability, allowing detection and analysis of even the most evasive malware.

3). MineMeld is now integrated into AutoFocus: Previously a separate (free) add-on, MineMeld is now natively integrated into AutoFocus. This empowers AutoFocus with the ability to consume multiple external threat feeds and automatically convert any third-party threat intelligence into enforceable prevention (aka blocking) at the next-generation firewall. This is really powerful because in most security architectures, even outside of the healthcare industry, it was not technically possible to automatically create block rules on your firewall based on incoming threat intelligence subscriptions. Now you can.
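As an added illustration of the feed-to-blocking conversion described above (example code written for this page, not MineMeld’s or Palo Alto Networks’ own), the following merges two constructed third-party indicator feeds into a single deduplicated block list in the one-entry-per-line shape a firewall can consume as an external list. Feed contents, the confidence threshold and the private-range exclusion are all assumptions for the example.

```python
import csv
import io
import ipaddress

# Constructed sample feeds in two common shapes: CSV with a confidence score,
# and a plain newline-separated list. Real feeds would be fetched over HTTPS.
FEED_CSV = """indicator,type,confidence
198.51.100.7,ipv4,90
203.0.113.0/24,ipv4,60
10.0.0.5,ipv4,95
198.51.100.7,ipv4,70
"""
FEED_TXT = """# vendor list, one IPv4 per line, no confidence given
192.0.2.44
198.51.100.7
not-an-ip
"""
# Never let a feed entry block your own address space.
PRIVATE_RANGES = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

def parse_csv_feed(text):
    for row in csv.DictReader(io.StringIO(text)):
        yield row["indicator"], int(row["confidence"])

def parse_txt_feed(text, default_confidence=50):
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line, default_confidence

def aggregate(feeds, min_confidence=60, exclude=PRIVATE_RANGES):
    """Merge (indicator, confidence) pairs from several feeds.

    Keeps the highest confidence seen per network, drops entries that do not
    parse or fall inside excluded ranges, and returns (blocked, rejected).
    """
    excluded = [ipaddress.ip_network(e) for e in exclude]
    best = {}
    rejected = []
    for feed in feeds:
        for raw, conf in feed:
            try:
                net = ipaddress.ip_network(raw, strict=False)
            except ValueError:
                rejected.append(raw)
                continue
            if any(net.version == e.version and net.subnet_of(e) for e in excluded):
                rejected.append(raw)
                continue
            key = str(net)
            best[key] = max(best.get(key, 0), conf)
    blocked = sorted((k for k, c in best.items() if c >= min_confidence),
                     key=lambda k: ipaddress.ip_network(k))
    return blocked, rejected

def render_edl(entries):
    """External-dynamic-list style output: one network per line."""
    return "\n".join(entries) + "\n"
```

Rejected entries are returned rather than silently dropped so the SOC can review what a feed tried to push into the block list.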

4). WildFire now automatically generates C2 signatures: Not only are we able to automate the detection and blocking of command and control (C2) URLs in this release, but we are also able to automate the detection and blocking of “payload-based” C2 signatures. This was previously performed manually by a team at Palo Alto Networks. Where previously the team created dozens of C2 signatures based on malware seen in WildFire over the course of a few days, now WildFire automatically enables the creation of thousands of signatures. This means it’s even more likely that a C2 URL in that phishing email one of your doctors received this morning will be blocked automatically.

5). Panorama is now significantly faster and offers flexible log ingestion: Panorama has an improved log query and reporting engine to enable a significant improvement in reporting and log querying capabilities. The log storage format is revamped, and on upgrade, your existing Panorama logs can be migrated to the new format. You can also import logs from other sources, starting with Traps advanced endpoint protection, for better correlation, visibility and control across the platform.

6). New VM-Series models offer wider deployment flexibility: The VM-Series virtualized next-generation firewall has been optimized and expanded to deliver App-ID enabled throughput that ranges from 200Mbps to 20Gbps across five models, a range and a ceiling that are both industry-leading. The VM-Series models include:

  • The new VM-50 is optimized to consume minimal resources yet deliver up to 200Mbps of App-ID enabled firewall performance for customer scenarios that range from virtual clinic/customer premise equipment (CPE) to high-density, multi-tenancy environments.
  • The VM-100 and VM-300 have been optimized to deliver 2x and 4x their existing performance with 2Gbps and 4Gbps of App-ID enabled firewall performance for hybrid cloud, segmentation, and internet gateway use cases.
  • The new VM-500 and VM-700 deliver an industry-leading 10Gbps to 20Gbps of App-ID enabled firewall performance respectively and can be deployed as network functions virtualization (NFV) security components in fully virtualized data center and service provider environments.

And those are just some highlights. There are many more improvements and new features in PAN-OS 8.0 that I didn’t list here, but these are the top ones that I think will directly benefit healthcare organizations.

Learn more about PAN-OS 8.0

[Palo Alto Networks Research Center]

Auditors Play Prominent Role in Effective Cyber Security

As the business benefits from technology grow rapidly, so do related risks.

The ability to communicate and interact with remote stakeholders seamlessly requires points of entry into the enterprise’s network that would otherwise not be present. Such entry points can introduce vulnerabilities that should be identified and assessed. In like manner, the identification and assessment of threats that could potentially exploit such vulnerabilities is also necessary. Once there has been sufficient analysis of the potential risks, the enterprise must decide how to respond to them.

Business leaders have a heightened awareness of the existence of cyber risks due to frequent news reports of attacks affecting all sectors, including the government. Thus, we are starting to see significant investments in countermeasures designed to respond and mitigate risks to protect the assets of the enterprise.

The real question is, are the investments appropriate? Studies show most boards of directors and senior management are not educated enough in cyber security to make sound business decisions in this area. However, in most organizations, these are the individuals with the authority to make decisions when it comes to a significant investment in resources. A main goal of most enterprises is to make money and reduce costs. Therefore, the natural question is what the return on investment will be. This is where the audit professional comes in, which includes the audit committee of the board of directors. It is the role of audit to educate those responsible for the protection of the company’s assets on the need for effective and efficient cybersecurity controls.

It is important to note that it is management that bears the responsibility of implementing controls to protect the assets of the enterprise. Audit is responsible for determining if controls are in place and whether the controls’ design will be effective in mitigating the risks associated with the asset. Of course, the ultimate goal is to prevent an attack or breach from occurring. Common controls implemented in an effort to prevent this include authentication techniques such as passwords or biometric technology.

An auditor evaluating such controls usually determines if a password management policy exists and if there is required password syntax in place, as well as periodic password changes and automatic account lockouts after a pre-determined number of failed login attempts. Firewalls also are common. The existence, type and placement of a firewall in a corporate network is important when evaluating these controls. The auditor will also spend some time with the firewall administrator to understand the firewall rules and if they are based on an overall firewall policy. These are just two of many possible controls that may be in place to prevent attacks.

However, controls, as we know, can be circumvented, which is why there are preventative, detective and corrective controls. The hope is management has done a good job in implementing effective and efficient controls in each of these areas.

Ultimately, the audit professional produces a report reflecting their opinion of the effectiveness of the control environment based on the objective and scope of the audit. It is also common for the auditor to provide recommendations regarding how to improve the controls to better protect assets. It is important for auditors to also be proficient in articulating the potential consequences of ineffective controls and the impact they have on the assets of the organization.

Editor’s note: ISACA has produced a new white paper on auditing cyber security.

ISACA also created a cyber security audit program based on the NIST Cybersecurity Framework that contains detailed controls and testing steps.

Paul Phillips, Technical Research Manager, ISACA

[ISACA Now Blog]

Organizations Must Be Smart, Strategic in Pursuit of Cyber Talent

Organizations are understandably concerned about how difficult and time consuming it is to find quality cyber security talent. While the fundamental causes of this skills crisis will take time and sustained focus to effectively address, there are steps that organizations can take in the short term to better position themselves to deal with their challenges.

In ISACA’s State of Cyber Security 2017 study, 37 percent of respondents say less than one in four applicants are qualified for jobs, while only 59 percent of organizations receive at least five applicants for open cyber security positions. Consider a Glassdoor survey that found most corporate job openings draw 250 applicants, and the scarcity of qualified cyber security professionals becomes all the more striking.

Until the pipeline of qualified applicants can be more adequately filled, organizations will need to be creative, resourceful and resolute in their pursuit of cyber security talent.

That includes placing heavy emphasis on grooming and retaining existing talent through a defined program of training and skills refresh. Investing in professional development and technical upskilling are among the ways to incentivize employees to stay, and job rotations – which round out employees’ skill sets and ward off the frustration that comes with repetitive tasks – can be another effective tactic. These retention efforts are critically important, as allowing cyber security professionals to walk out the door, given how difficult they are to replace, often becomes a crippling setback.

Hiring from within is another approach that is a necessity for many organizations. Given the shortage of qualified cyber security professionals, grooming employees with related skills – such as application developers, data analysts, and network specialists – is a sensible and effective way to fill crucial gaps. Many employees with these tangential skills are interested in learning more about cyber security and applying their skills in new areas, so this approach can be a win-win scenario for professionals and their organizations.

Among the study’s respondents, 55 percent noted practical, hands-on experience as the most important security qualification for cyber security candidates. The ability to demonstrate those capabilities – such as through ISACA’s Cybersecurity Nexus Practitioner (CSXP) certification – provides measurable credibility to employers, but there are additional considerations that should not be overlooked when pursuing cyber security talent.

The cyber security community is relatively small and tight-knit. In a landscape where hiring talented cyber professionals is so difficult, drawing upon industry contacts and personal networks for recommendations can be essential to both find and vet quality candidates. Identifying the right educational backgrounds also should not be discounted, as many hard-to-find skills, such as malware analysis or management of a security program, would benefit from computer science or business degrees, respectively.

The State of Cyber Security Study 2017 shows the immense amount of long-term work ahead, but organizations dealing with urgent cyber security threats now must be proactive and strategic to make the best of a challenging workforce landscape.

Eddie Schwartz, EVP Cyber Services, Dark Matter, LLC, and ISACA Board Director

[ISACA Now Blog]

How SOC Brings Value to the Business

Most organisations, after being impacted by a cyber-attack, begin looking at the design of their Security Operations Center (SOC) operating model – their existing engagement with the managed service provider or their in-house SOC program – to identify the missing link, because the business has challenged their effectiveness. This is a reality.

Here is my perspective on how your SOC program can establish this effectiveness proactively and bring value to the business through a couple of measures, though these are not the only measures to strengthen the governance of your SOC program.

Under a well-defined structure, the SOC gets initial visibility on the threats from the business, risk management and intelligence functions. These (top) threats get translated to specific use cases. These specific use cases will map to business systems and to the relevant data sources, both critical and non-critical.

Now let’s look at two different types of threats to get a practical view: one that affects the availability of the system (a DDoS attack), and one that steals sensitive information (a malware/APT attack).

When the SOC monitors threats, it should map each threat and its monitoring to the kill chain and track a specific KPI: the kill chain stage at which the threat was intercepted. The outcome of this mapping lets the SOC advise IT, security and the business whether the preventive control in place is effective or not. For example, suppose a malware infection caused by a spear phishing attack, using a zero-day exploit against the user’s browser on a business-critical system within retail banking, passed through stage 1 of the kill chain. This scenario clearly indicates that either the advanced malware protection control on the end user machine did not detect it, or the local event manager did not raise an alert within the Security Information and Event Management (SIEM) system, and hence these controls are not effective.

This type of advisory augments the role of SOC beyond just monitoring the security incidents. Also, the SOC teams have the knowledge of the underlying impacted systems. To that end, the SOC can provide a full visibility on threats, from use case scenario to kill chain stage to the underlying business system that is under attack.

Another KPI is linked to response time for threat incidents. By combining these two KPIs, the business gets visibility on how well the SOC protects business systems, which is the primary goal of the SOC program: intercepting the threat early and responding to the incident within an agreed time frame (the response-time KPI indicates whether the time to respond exceeded the agreed timeframe). Finally, the SOC should provide the estimated value of impact that it safeguarded, taking into account the underlying asset value, though this exercise involves a bit of subjectivity.

Sometimes business leaders demand that the SOC team tell them the downtime of critical business systems during an attack, especially when the organization experiences DDoS attacks. This is one reason some SOC structures have allocated a dedicated team to DDoS monitoring. Apart from the approach above, the SOC uses an established process that checks the heartbeat of the underlying data source or asset mapped to the use case(s) in this category. In the case of DDoS, when a critical business system is not available, an alert is generated from this event. When the SOC generates a report, the business gets visibility on the downtime of the system due to a DDoS-type attack. This report can be compared with the one from the IT/business continuity function, which reports on non-availability of the system.
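The two KPIs above (kill chain stage intercepted and response time against an agreed window), the safeguarded-value estimate, and the heartbeat-based downtime figure can be computed from SOC incident records. The following is an added example written for this page, not IBM’s or ISACA’s code; the incident records, heartbeat samples, the one-hour SLA and the proportional safeguarded-value model are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Kill chain stages in order; the 1-based index is the "stage intercepted" KPI.
KILL_CHAIN = ["reconnaissance", "weaponization", "delivery", "exploitation",
              "installation", "command_and_control", "actions_on_objectives"]

@dataclass
class Incident:
    use_case: str           # threat use case defined with the business/risk function
    system: str             # underlying business system under attack
    stage_intercepted: str  # kill chain stage at which the SOC stopped it
    control: str            # preventive control that should have stopped it...
    control_stage: str      # ...and the kill chain stage that control covers
    detected_at: datetime
    responded_at: datetime
    asset_value: float      # estimated value of the underlying asset

def stage_index(stage: str) -> int:
    return KILL_CHAIN.index(stage) + 1

def response_within_sla(inc: Incident, sla: timedelta) -> bool:
    return inc.responded_at - inc.detected_at <= sla

def control_effective(inc: Incident) -> bool:
    # If the threat got past the stage the control covers, the control failed.
    return stage_index(inc.stage_intercepted) <= stage_index(inc.control_stage)

def safeguarded_value(inc: Incident) -> float:
    # Assumed (subjective) model: value preserved is proportional to the
    # kill chain stages the attacker never reached.
    remaining = len(KILL_CHAIN) - stage_index(inc.stage_intercepted)
    return round(inc.asset_value * remaining / len(KILL_CHAIN), 2)

def soc_report(incidents, sla: timedelta) -> dict:
    report = {"stage_counts": {}, "sla_breaches": [],
              "ineffective_controls": [], "safeguarded_value": 0.0}
    for inc in incidents:
        idx = stage_index(inc.stage_intercepted)
        report["stage_counts"][idx] = report["stage_counts"].get(idx, 0) + 1
        if not response_within_sla(inc, sla):
            report["sla_breaches"].append(inc.system)
        if not control_effective(inc):
            report["ineffective_controls"].append((inc.control, inc.system))
        report["safeguarded_value"] += safeguarded_value(inc)
    return report

def downtime(heartbeats, interval: timedelta) -> timedelta:
    # Each failed heartbeat of a monitored asset counts as one interval of
    # unavailability; this is the figure the DDoS downtime report is built from.
    return sum((interval for _, alive in heartbeats if not alive), timedelta())

# Constructed sample data (not from any real SOC)
SLA = timedelta(hours=1)
HEARTBEAT_INTERVAL = timedelta(minutes=5)
SAMPLE_INCIDENTS = [
    Incident("spear-phishing malware", "retail-banking-core", "installation",
             "endpoint advanced malware protection", "delivery",
             datetime(2017, 3, 1, 9, 0), datetime(2017, 3, 1, 9, 40), 1_000_000),
    Incident("spear-phishing malware", "hr-portal", "delivery", "email sandbox",
             "delivery", datetime(2017, 3, 2, 10, 0), datetime(2017, 3, 2, 10, 15), 200_000),
    Incident("credential theft", "vpn-gateway", "exploitation", "url filtering",
             "delivery", datetime(2017, 3, 3, 8, 0), datetime(2017, 3, 3, 12, 0), 500_000),
]
SAMPLE_HEARTBEATS = [(datetime(2017, 3, 4, 12, 5 * i), alive)
                     for i, alive in enumerate([True, True, False, False, True, True])]
```

The first sample incident reproduces the post’s scenario: intercepted at the installation stage although endpoint protection should have stopped it at delivery, so that control is reported as ineffective.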

In summary, SOC programs are maturing to augment their role beyond serving just as an operational entity to bring in value to the business by implementing business KPIs and SOC processes. Mapping the use-case scenarios to kill chain is a crucial step in building this value by increasing the possibility of intercepting threats at an early stage.

Manohar Ganshani, Associate Partner, IBM Security

[ISACA Now Blog]

IoT Device Manufacturers Must Take Steps to Earn Trust from Professionals, Consumers

More than four in five global IT professionals (82 percent) see vulnerabilities in Internet of Things (IoT) devices as significant security concerns for organizations.

Those concerns, highlighted in ISACA’s annual IT Risk/Reward Barometer, are reflective of insufficient security measures by IoT device manufacturers.

One of the main culprits is IoT devices running old versions of Linux – sometimes as much as 10 years old. This happens for a variety of reasons, such as the version becoming outdated while the device is in development, or manufacturers building on top of existing devices and sticking with the old software to speed up development time. The result is devices hitting the market with easily anticipated vulnerabilities.

IoT manufacturers also need to make sure their devices have the capability to automatically and reliably run security updates. This should be considered a must-have feature by consumers and businesses when making their purchases. If the devices are able to be updated, without it being a time-intensive process for users, security threats can be addressed much more quickly and effectively.

Making some of these adjustments will be critical, or trust in IoT devices’ security among professionals and consumers will be further damaged, given the threat landscape in 2017 and beyond. The proliferation of IoT devices will result in escalating instances of DDoS attacks this year, according to Deloitte – potentially along the lines of the massive Mirai DDoS attack that used infected IoT devices to cause widespread disruption in October.

That attack, while certainly a wakeup call to some device manufacturers, might not have resonated with many consumers, who did not see a direct impact on their lives, even if their own device was infected and part of the attack. But there is little doubt more and more individuals will be affected by IoT security shortcomings as the devices – and the related threats – grow at a staggering rate.

That could include the emergence of IoT ransomware threats. Ransomware exploded on PCs in 2016, resulting in estimates of about US $1 billion in payments. Given how lucrative the attacks have proven to be, it’s not much of a stretch to anticipate that criminals will explore how they can target IoT devices in their ransomware schemes. For example, imagine a smart lock on your home or car that won’t open until you pay a small ransom. From a criminal perspective, ransomware attacks on IoT devices could make for an efficient strike, with the possibility of holding customers’ device or data hostage and extracting money from the same individual or organization in a single step.

As attacks on IoT devices continue to evolve, none of us will be able to say we didn’t see them coming – 80 percent of professional respondents in the Risk-Reward Barometer survey expressed a high or medium belief in the likelihood of an organization being breached through an IoT device. Enterprises can use network segmentation to isolate IoT devices from their production network. Consumers also recognize the security threats; more than 75 percent of consumer respondents in each of five regions surveyed – Australia, India, Singapore, the US and the UK – expressed concern that augmented reality enhancements could make their IoT devices more vulnerable to a breach. Home IoT network security devices like Dojo by BullGuard, CUJO, and BitDefender BOX can help consumers protect their IoT devices from cyber attacks – some even have enterprise-like network segmentation capability.

Connected devices are becoming increasingly prominent in our daily lives. It is up to consumers and organizations to send the message to device manufacturers that insufficient security design will be a deal-breaker when it is time to consider a purchase.

Rob Clyde, CISM, Board Director of ISACA and Executive Advisor at BullGuard Software

[ISACA Now Blog]
