Ransomware Do’s And Don’ts

A company I worked for was hit with the CryptoLocker ransomware last year. In the aftermath, we found that some security measures were in place and others were not. We all hear that we need “best practices” in place every day to mitigate risks for events such as these. Are we reviewing our best practices regularly to ensure they are in place and working as intended?

Implementing current patches is the key deterrent to events such as the recent WannaCry attacks. If patches are not applied in a timely fashion, the risk from every outstanding vulnerability in the company is elevated.

Let’s cover some ransomware Do’s and Don’ts:

DO have a “good” backup you can rely upon. How do you know that it is good? You have tested the backups and can be confident the recovery is 100 percent. Relying on a backup that has never been restored is not considered a best practice. We were able to recover the encrypted files on a share drive to which the employee’s infected machine had access, and did not pay a ransom.

DO limit who has administrative rights on local machines. No one had administrative rights to their machine in the company I worked at. It is a special request and reserved mostly for developers. We also used a tool that provides administrative rights when necessary, where the function was elevated at the time of need and was not tied continuously to the person or machine. This is an IT industry best practice standard that is not generally done in companies and could alleviate risk by 80% or more.

DO provide continuous cyber security awareness training, with training information posted on the company’s intranet site. Have employees take quizzes on the training to ensure understanding, and provide them as much explanation as possible. After all, this is not a secret – we are all subject to infections, vulnerabilities and risks in using both corporate and personal computers every day.

DO use filtering tools for both web browsing and email. The filters will provide some level of mitigation.

DO patch all machines and devices regularly. Review the recommended updates, and then deploy them to the appropriate devices at the earliest opportunity. We often hear of infections exploiting vulnerabilities whose patches have been available for years, yet were never applied. Have a monthly review board to study the patches and their outstanding application, and require a signed justification from the department or system owner if a patch is not applied in timely fashion.

Now a few DON’Ts:

DON’T allow personnel to access personal email accounts from work machines. A former company had a setting turned on that enabled this, but virtually everyone has a smartphone now and can get to their personal email and information that way.

DON’T rely on the IT experts by default. Ask them the questions necessary to ensure they are doing their due diligence. That firewall setting allowing access to personal email accounts at my former company was in place for years; they could have had that audited. Different teams in IT should all be discussing their configurations together and determining the best practices necessary, and then advising the CIO or director what needs to be put in place. I had to instruct the network people to turn off the setting NOW. I had no opportunity to review why it was on, whether it was necessary, etc. Just turn it off.

DON’T allow non-standard machines to connect to the network, unless IT can review them, determine their use, and sandbox them, place them on a separate VLAN, etc. You can’t manage what you don’t know about.

There are many measures that can be taken to mitigate risks. The best approach is to evaluate your environment, infrastructure, systems, and people minimally once a year – and sooner as circumstances dictate – to determine how to strengthen the tools and techniques used to minimize damage when an event occurs.

Yes, an attack at some level will happen to everyone, so being prepared, as a good Girl Scout would say, is the best line of defense.

Cheryl Santor, CGEIT, CISM, CISA, CISSP, former Information Security Manager of Metropolitan Water District of SoCal, Chief Compliance Officer of the ISACA Los Angeles Chapter

[ISACA Now Blog]

New CSA Report Offers Observations, Recommendations on Connected Vehicle Security

Connected Vehicles are in the news for introducing new features and capabilities to the modern automobile. Headlines also highlight security hacks that compromise vehicle operations and usability. While sources note that the vulnerabilities identified so far have been addressed, a greater understanding is needed of how tomorrow’s Connected Vehicle will operate in an environment composed of both legacy and modernized traffic infrastructure. The Connected Vehicle will be designed to communicate with countless other devices and interfaces. Security systems, tools, and guidance are needed to aid in protecting vehicles and the supporting infrastructure.

Through research and development within the CSA Internet of Things Working Group and the United States Department of Transportation Federal Highway Administration, CSA is introducing “Observations and Recommendations on Connected Vehicle Security” to keep consumers and manufacturers up to date on the evolution of vehicle connectivity, areas of concern, and recommendations for securing the connected vehicle environment. The paper will provide a “big picture” view of the various aspects of vehicles and infrastructure components to better understand their interrelationships, dependencies and threats to the traffic ecosystem.
Learn about:
  • Connected Vehicle reference architectures and messaging protocols
  • V2V, V2I, V2X interactions
  • Potential System-of-System attacks and outcomes
  • Cross collaboration of IoT devices and systems
  • Vehicle design, platform, and infrastructure security best practices

The CSA Internet of Things Working Group continually evaluates and conducts research on new technologies involving cloud and the Internet of Things. CSA collaborates with other industry organizations to bring the latest guidance and security best practices to IT and enterprise.

John Yeoh, Research Director/Americas, Cloud Security Alliance

[Cloud Security Alliance Blog]

ISACA Chapter President Finds Creative Way to Spread GDPR Awareness

Editor’s note: ISACA Belgium Chapter President Marc Vael, CISA, CISM, CGEIT, CRISC, recently took a creative approach to spreading awareness about the General Data Protection Regulation (GDPR), spearheading a game about the coming regulation that will affect enterprises worldwide. Competitors can win the game by answering GDPR questions correctly and with a little luck with the dice. ISACA Now recently visited with Vael about the game, which will be available on a limited basis at the ISACA chapter leadership event this weekend in Munich, Germany, prior to EuroCACS. The following is an edited transcript.

ISACA Now: How did this GDPR game come about, and who was primarily involved with its development?
Basically, at my IT company, Smals, we were looking to bring the content of the EU GDPR to this group of IT developers, IT analysts, IT project managers and even management differently, avoiding PowerPoint or brochures or self-assessment questionnaires.

Initially, my colleague Nathalie Dewancker and I started building “the journey to become EU GDPR compliant,” but that journey was too simple, and we started adding gaming effects, and before we knew it ourselves, we had a full-blown EU GDPR game. We loved the reactions so much that we didn’t want to keep it within our company or for ourselves, and thus we decided to ask ISACA Belgium for support, which the board of ISACA Belgium did by funding the professional look and feel of the EU GDPR game.

ISACA Now: ‘Game’ is probably not the first word that comes to mind when people think about GDPR. Why did you think this format would be a good fit?
True. Most of the messaging happens via PowerPoints, brochures and information on websites. Here and there we discover some apps with the searchable EU GDPR text in different languages or some EU GDPR self-assessment questionnaires. We found out that up to today, we are the only ones with a proper EU GDPR game box. Gamification is a well-known concept, but it is not used enough, in our humble opinion. Moreover, we notice huge discussions between the players, and that is just what we want to achieve: not just “acquiring” knowledge, but critically looking at this knowledge.

ISACA Now: Did it really only take a few weeks to put the game together? How were you able to execute the idea so swiftly?
Yes, we built from the initial journey to the full game in three weeks, with some tryouts. Then, molding it into a professional-looking game box took another three weeks, thanks to the help of our external PR agency that we use here in Belgium. So, six weeks in all. And we were just in time to bring our game boxes to the main Belgian INFOSECURITY exhibition in Brussels, where over 3,000 attendees came at the end of March this year. Thus, it was plain teamwork.

ISACA Now: What has been the preliminary response to the game’s release?
Initially, skepticism that participants would learn about “such a complex matter as EU GDPR” via a game. But then, when playing, a lot of discussions happen between the participants and between participants and observers (since there can only be a maximum of four participants, more people can join as observers of the game). It is great fun to see how some people really want to win.

We only made 300 EU GDPR game boxes and almost all are sold now. We initially wanted to give them away for free as marketing, but since we only had 300 game boxes, we did not want to have people take them and throw them away, so we ask only 5 Euro per game box as a token of appreciation and eagerness to have the box.

When we launched the game box at INFOSECURITY BELGIUM, our stand was very popular and people bought all 100 game boxes we brought over there in two days. We were surprised.

ISACA Now: What was the most remarkable reaction you got on the game?
Actually, some players asked why we did not include more information about the EU GDPR in the game box (like a manual on EU GDPR or some form of brochure or leaflet). We did not do that on purpose, and we responded by saying to them “If you play Monopoly, do you first have to follow a real estate course? No. If you play Stratego or Risk, do you first have to follow a military course? No.” So, if you play the EU GDPR game, we believe you do not have to follow some privacy course before playing either, since the objective is to learn about EU GDPR during the game. People truly liked our reaction very much.

ISACA Now: What are some of the biggest implications GDPR could have on organizations that are affected by it?
The need to review and update the inventory of processes and suppliers, execute the privacy risk assessments on the core processes and suppliers, execute privacy awareness amongst employees and external personnel, and test the incident escalation process (to check if they can make it within 72 hours).

ISACA Now: What are a few misconceptions that technology professionals have about GDPR?
Very good question; here are some of the misconceptions I hear frequently from IT experts:

  1. Some organisations believe they are too small for EU GDPR, so they pretend not to fall under the regulation
  2. Believing EU GDPR is merely an information security issue which can be solved by encrypting all data
  3. Stating that May 2018 is still far away to handle such a compliance topic
  4. Believing EU GDPR is a legal topic, so legal counsel will handle it
  5. IT is mainly a data processor, so the responsibility for EU GDPR is for the data controller (which is not IT)

ISACA Now: What is the best way for someone to purchase a copy of the game?
When living in Belgium (since the game is in Dutch/French combined), people can come and collect game boxes at our office (if they warn us upfront). When living outside of Belgium, we try to arrange the cheapest way to get a game box shipped (I can be reached by email at president@isaca.be). We will also bring some game boxes to the ISACA European chapter leadership meeting this weekend, since some ISACA chapter leaders have asked us to bring a box over there.

[ISACA Now Blog]

Global Knowledge: ISACA Certifications Delivering Big Organizational and Personal Returns

One thing is certain: The need for cyber security professionals isn’t going away any time in the near future. As our digital footprint and the Internet of Things (IoT) continue to expand, we become increasingly vulnerable to having our private information poached with a single click, swipe or utterance. As a result, this is a field where 95 percent of people are certified, and within that group, 87 percent are specifically certified in security or privacy.

As major data breaches have demonstrated time and time again, cyber security and compliance is the responsibility of all employees—not just those who formally specialize in cyber security efforts. Of course, if you’re reading this blog, you’re probably already well aware of the importance of everyday cyber security measures and know it’s not a matter of “if” so much as “when” your organization or company will experience a breach.

We can’t move fast enough
There’s one statistic circulating that lends itself to a real sense of urgency in the field.

According to the consulting firm Frost & Sullivan, there is expected to be a 1.8 million person worldwide workforce shortage in cyber security by 2022. Let that sink in for a minute. Nearly 2 million people are needed to cultivate cyber security know-how to protect their organizations from breaches in the next five years. That’s a huge vacancy in skills and, more importantly, leadership.

And who is helping create cyber security and business technology leaders of today and tomorrow? Meet ISACA. As an organization driven to promote cyber security awareness and skills, ISACA provides a deeper validation of skills for those working in governance, IT audit and assurance, risk, as well as information and cyber security.

ISACA enables professionals to take a leadership role by increasing their depth of knowledge. Greater skills validation translates to being better able to leverage that background into leadership positions.

As a result of those advanced, validated skills, ISACA-certified professionals typically have average salaries 44 percent higher than those of their non-certified peers worldwide, according to the Global Knowledge 2017 IT Skills and Salary Report. In fact, ISACA certifications (CRISC and CISM) earned the top two spots in top-paying certifications this year, and overall, six of the top 20 highest-paying certifications are in the field of cyber security.

“It’s clear from the growth in certifications from organizations like ISACA that companies and employees put increasing value on investment in skills and abilities. We see that investment across the board as the IT industry realizes that the return on investment for people exceeds the ROI for technology,” said Dave Buster, Global Senior Portfolio Director for Cybersecurity at Global Knowledge.

Never content and always learning
What’s more, the report revealed ISACA-certified professionals weren’t content to rest on their laurels once certified. Globally, 89 percent of industry professionals holding ISACA credentials trained in the last year, and on top of that, 75 percent of respondents said they did so in order to cultivate new skills. Compared to their peers that are not ISACA-certified, professionals holding at least one ISACA certification were more likely to attend a webinar or conference and download white papers or articles to stay informed with industry trends and best practices.

Given their more senior-level roles within their organizations, generally, ISACA-certified professionals are more apt than their counterparts to report training in areas of business process improvement and leadership.

Driven to succeed
The takeaway: ISACA-certified professionals are driven to succeed and consistently re-evaluate the definition of success through continued engagement and learning. While ISACA can’t single-handedly solve the worldwide personnel shortage for those working in cyber security and related fields, according to the IT Skills and Salary Report, those who turn to ISACA for skills development and certification are committed to the cause and tend to be rewarded with higher salaries.

Editor’s note: For more information, visit Global Knowledge’s cybersecurity certification page and scroll to ISACA. To learn more about ISACA certifications, visit ISACA’s certification page.

Casey Wasserman, Ph.D, Content Marketing Manager for Global Knowledge

[ISACA Now Blog]

Evasive Security Threats: How Well Do You Know Your Adversary?

Malicious actors are more resourceful than ever. They have learned the different techniques and processes used for malware analysis, and have created threats that can evade detection by traditional tools such as antivirus. Sun Tzu’s “The Art of War” states: “If you know the enemy and know yourself, you need not fear the result of a hundred battles.” With this in mind, protecting your organization requires both a foundational understanding of highly evasive threats and an updated methodology for malware detection.

Below are links to a few educational resources to equip security teams with greater knowledge about evasive threats and how to prevent them.

[Palo Alto Networks Research Center]
