Month: June 2017

Two of the most pressing cybersecurity tasks of our time are the need to dramatically grow the size of the workforce, and to create one that is agile enough to keep up with the shifting sands of today’s business landscape. Infosec Europe’s keynote panel session “Building an Agile Security Team for the Future,” chaired by (ISC)²s EMEA managing director Adrian Davis, saw leading frontline professionals from travel search giants Skyscanner, to transport operator Network Rail and the UK government, discuss how these challenges might be addressed.

The first key insight was that an agile cybersecurity team cannot have fixed, traditional role boundaries. Having fluid job roles allows cybersecurity professionals the ability to learn new skills, aspire to achieve managerial positions and help other business units by working outside their “techie” comfort zones. Crucially, the ability to transcend fixed role boundaries gives the flexibility to adapt to a diverse array of threats. Network Rail CISO, Paul Watts, explained how professionals in his team are constantly talking to, and working with, professionals from other teams and departments, as they recognise that innovations must draw on as wide a pool of expertise as possible, and that cybersecurity now encompasses all business units.

Vicki Gavin, head of information security at The Economist Group explained that the key to achieving a team that transcends traditional role boundaries was to “hire for inclusivity, not exclusivity.” Pruning the job specs helped to draw in a more diverse pool of talent. Women, for example, are less likely to apply for roles with lengthy job specs, unless they believe they are fully competent at each one of them. It is also vital to remove unconscious bias from the recruitment process; for example, building role profiles around the last person who did the role means that recruiters are continuously hiring the same kind of person – largely older males – and failing to open doors to millennials, women and people from other professions.

Rather than exclusively hiring qualified off-the-shelf tech specialists, cybersecurity employers should broaden the talent net by hiring for attributes, rather than qualifications, and investing more in training. Instead of recruiters searching for superman. The truth is that it may be necessary to build superman from scratch. There are many ways to attract new people into the industry, and the answer can be on your doorstep. Watts explained that he found someone in marketing who had an interest in cybersecurity, but no experience in the role. He offered her a brief secondment with his team and she quickly picked up the skills and brought a completely new perspective to the team.

The panel remarked that while traditional recruits to the industry can be risk-averse and afraid of chaos, an agile security team is one that is innovative, prepared to “fail forward” and “doesn’t ask for permission, but asks for forgiveness.”

In a world where cybersecurity transcends any one business department, an agile security team must also be one that can speak the language of every business unit, from the board to the marketing team. It must be a team as diverse as the business it operates in, and a team that has technical knowledge garnished with soft skills. As one panellist remarked “in an increasingly amorphous industry, we need an amorphous workforce.”

[(ISC)² Blog]

When I began performing digital forensics more than 10 years ago, things were relatively simple. At that time, the complexity of digital forensics revolved around ensuring each artifact of relevance was identified, and the proper tools to analyze them were available to leverage against computers used by the suspect.

The computer(s) of the suspect were typically the only focus. In some instances, we were also having to deal with mailbox exports of corporate users. When mobile devices came onto the scene in 2008 timeframe, our single device analysis approach to investigations was disrupted significantly. What are these things? Why don’t my hard drive forensics tools work on phones? We “forensicators” had no idea what challenges we would face in the next decade.

The significant challenges facing digital forensics experts today are the vast amounts of devices and locations that may house the valuable information. It is no longer always the case that all data sought to derive a conclusion is on a single device or in a single location. While it is now common to analyze both the computer(s) and phones used by the suspect, there now must be consideration given to other mobile devices (tablets), cloud-based email, cloud-based storage, social media activity, game consoles, IoT devices and even wearables.

Forensics tools for mobile devices were historically valued based on how many phones were supported. We are now arguably down to four phone types that you will likely encounter. Even now as the forensics tools have advanced considerably, the collection of mobile devices requires different approaches than computers. In many instances, the trusted full forensic image of the evidence is not always available – only the data the phone manufacturer will allow you to have. With the drastic reduction in the types of phones you will now encounter, the value is now in the parsers for the applications. With the millions of mobile applications available, and the frequent updates, it continues to be a challenge for the mobile phone forensic platforms to keep up with the rapid pace.

Over the past decade, users have traded in their locally stored email from their Internet service provider (ISP) for the convenience of webmail platforms such as Gmail, Yahoo Mail, or Outlook.com. When users are using webmail services, it is very unlikely that their email will be stored locally and, compared to years past, only fragments of the email are available in Internet cache files. Depending on the nature of the investigation, forensicators may be given the needed access to collect this information from the provider for analysis. When involved in internal investigations involving employees, it is very unlikely that forensicators will be given this access. In addition, even if you can obtain the webmail credentials from the device analyzed, you are not permitted to log into their personal email account. Therefore, the Internet histories and limited file fragments are all that will be available.

This same scenario now applies to personal files as users have migrated this information to cloud-based storage such as Box, Google docs and Dropbox. The same difficulties as webmail email exist.

There are few investigations that do not have a social media component, either directly or indirectly. While Internet histories may demonstrate the usage of these sites, the available information related to all activity and communications can be difficult to extract from the device alone. While the social media providers likely have extensive activity available for each user, this information would require subpoena power that you may or may not have.

Lastly, the IoT phenomenon is also significantly impacting the digital forensics field to provide types of information we have not had in the past. From Internet cameras to fitness wearables, anything electronic may now be a potential target for collection and analysis. However, IoT devices pose similar challenges to that of mobile devices in 2010. There are thousands of different types of devices and little to no standardization. With that diversity and chaos, there are challenges for the collection, parsing, and analyzing of this information. As the mobile device forensic platforms exploded and faced challenges a decade ago, I predict the same for IoT devices going forward.

The overall goal of forensic analysts is to have confidence that every artifact has been properly identified, parsed and analyzed for an accurate conclusion. We have digital artifacts that we never dreamed of years ago. With the diversity of information and numerous locations where pertinent data may now be stored, it is a challenge to be certain you have everything you need.

I suggest that forensicators be patient, yet diligent, with the data sources available. As an artifact points to a data source that is not currently available, regroup and seek that information for additional analysis.

Editor’s note: For more insights on digital forensics, visit www.isaca.org/digitalforensics, and watch a related video at https://youtu.be/ZUqzcQc_syE.

Bill Dean, Senior Manager, LBMC Security

[ISACA Now Blog]

Much of what I learned about being a professional – and being part of a professional community – came through my association with ISACA.

As the first person in my family to graduate from college, I entered the workforce hungry for the educational resources, networking and professional growth opportunities to make an impact. ISACA provided that and much more, allowing me to envision and embark upon a career trajectory that otherwise would not have been possible.

My professional development was accelerated by pursuing ISACA volunteer opportunities such as helping to coordinate local conferences, which allowed me to make valuable industry contacts and build my project management skills. Eventually I became president of ISACA’s Greater Washington DC Chapter, providing another important opportunity to expand my skill set and learn more about the audit and assurance, governance, risk, and information and cyber security professions. Serving on several ISACA committees and on the board of directors provided further enrichment, both professionally and personally, as I am fortunate to have built treasured relationships with many of ISACA’s 130,000-plus members worldwide.

Now, as the newly installed chair of ISACA’s board of directors, I am grateful for the opportunity to help lead the organization that has provided me so much fulfillment. I’m privileged to work with and on behalf of our global professional community to advance the positive potential of technology in the professions that we serve and society as a whole.

ISACA is nearing its 50-year mark, and with technology-driven challenges and opportunities all around us, there is no doubt we are more relevant than ever. In addition to ongoing activities building toward our 50th anniversary in 2019, there is so much to accomplish in the year ahead. Cultivating a deeper pipeline of leaders in our professions through the Leadership Development Advisory Council, building toward greater societal impact through a revitalized foundation and ensuring ISACA’s Connecting Women Leaders in Technology program becomes even more robust and influential are among many projects for which there is promising momentum.

As we anticipate the progress ahead, I want to express my appreciation for the many contributions of our outgoing board members, as well as our outgoing board chair, Chris Dimitriadis. Chris has led with a calm and good-natured approach, steering ISACA through a period of growth and change while making sure that local chapters and all members of our community are heard and included.

I am delighted that Chris will be part of the smart, dedicated and diverse group of board members for 2017-2018 that will help shape ISACA’s vibrant future:

• Theresa Grafenstine, CISA, CGEIT, CRISC, CPA, CISSP, CIA, CGMA, CGAP, chair
• Rob Clyde, CISM, vice-chair
• Brennan Baybeck, CISM, CISSP, CISA, CRISC, director
• Zubin Chagpar, CISA, CISM, PMP, director
• Peter Christiaans, CISA, CISM, CRISC, PMP, director
• Hironori Goto, CISA, CISM, CGEIT, CRISC, ABCP, director
• Mike Hughes, CISA, CRISC, CGEIT, director
• Leonard Ong, CISA, CISM, CGEIT, CRISC, CFE, CIS, CISSP, CPP, CSSCP, ISSAP, ISSMP, PMP, director
• R.V. Raghu, CISA, CRISC, director
• Jo Stewart-Rattray, CISA, CISM, CGEIT, CRISC, director
• Ted Wolff, CISA, director
• Tichaona Zororo, CISA, CISM, CRISC, CGEIT, CIA, CRMA, director
• Chris Dimitriadis, CISA, CISM, CRISC, ISO 20000 LA, director and past board chair
• Robert E Stroud, CGEIT, CRISC, director and past board chair
• Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, director and past board chair
• Matt Loeb, CGEIT, director and CEO

While the board will work diligently on ISACA’s behalf, it will take a team effort – all of us collaborating as ONE – to achieve all that we can. We live in a world that is grappling with widespread digital disruption. ISACA can and must be a leading voice in providing a sense of assurance and security as professionals and enterprises navigate a challenging technology landscape.

I know how influential ISACA can be, as evidenced by my own journey. I am proud of what ISACA has meant for myself and so many others, but more than anything, I am energized about the future that we can build together.

Theresa Grafenstine, CISA, CGEIT, CRISC, CPA, CISSP, CIA, CGMA, CGAP, chair of ISACA’s Board of Directors and inspector general of the U.S. House of Representatives

[ISACA Now Blog]

Indian banks have deployed IT-based solutions to cater to increasing demands in the banking industry required for a growing economy. Adoption of technology has necessitated improving IT-related skills of experienced bankers. Considering the unavailability of internal IT skills, most banks resort to outsourcing IT activities. This has resulted in over-relying on third-party vendors and slackened the pace of acquisition of skills by bank employees.

Considering these limitations, the Reserve Bank of India (RBI) – India’s central bank – appointed a ‘Committee on Capacity Building’ that has made recommendations relating to particular areas/components of function, such as recruitment, performance assessment, promotion, placement, job rotation, and skills and capacity building. The committee also has made a number of recommendations for certification of staff in specialized areas, emphasizing that banks should make certification mandatory for the following areas:

• Treasury operations – dealers, mid-office operations
• Risk management – credit risk, market risk, operational risk, enterprise-wide risk, information security, liquidity risk
• Accounting – preparation of financial results, audit function
• Credit management – credit appraisal, rating, monitoring, credit administration
• Information and cyber security
• Governance of enterprise IT (GEIT)

The Indian Banks’ Association (IBA), in consultation with RBI, identified 10 institutes, such as the Indian Institute of Banking and Finance (IIBF), the National Institute of Bank Management (NIBM), ISACA, and others, as certifying organizations. ISACA is identified for its certifications in audit, risk management, security and GEIT.

RBI’s directives for banks
RBI had made a compliance requirement for banks in 1999 to perform annual IS audit of IT-based systems deployed and used by banks, with the report of the audit to be submitted to RBI. The notification recognized CISA as a qualifying certification for conducting IS audits.

Another committee provided guidelines for IT governance, information security, IS audit, outsourcing management, business continuity and compliance in 2011. These guidelines recommended banks to use COBIT 5 or similar frameworks for GEIT. Recommendations for other areas include adopting global best practices, including ISO 27001.

In June 2016, RBI issued a notification for banks specifying compliance requirements for cyber security.

Considering these compliance requirements and skills and competency development requirements, banks have already taken steps to recognize ISACA certifications. Some banks provides examination and membership fees reimbursement on passing the examination.

Role of ISACA certifications in skills development of bank staff
ISACA offers certifications in governance of enterprise IT (CGEIT), risk and control (CRISC), information systems audit (CISA), information security management (CISM) and performance-based cyber security (CSXP).

Certified Information Systems Auditor (CISA)
Most banks have made this certification mandatory for IS auditors, both internal and external.

Certified in Risk and Information Systems Control (CRISC)
Most banks have a defined chief risk officer (CRO) to implement enterprise risk management (ERM); however, there is a gap in aligning them with IT risk. CRISC helps bankers in aligning IT risk with ERM.

Certified Information Security Manager (CISM)
CISM is designed for information security and cyber security professionals including CISOs, information security managers and enterprise leadership.

Certified in Governance of Enterprise IT (CGEIT)
CGEIT is designed for senior management personnel who are responsible for overall governance of IT to ensure that investments in IT realize the expected benefits. This certification is ideal for the CIO, CEO, and members of the board of directors. Considering the RBI’s expectations from banks to implement GEIT, this certification is valuable for bankers in understanding the steps to implement an IT governance framework.

CSX Practitioner (CSXP)
This performance-based cyber security certification provides technical skills for much-needed and critically important cyber security responders working in the area of threat intelligence, incident response, SOC, etc.

Current challenges and next steps
Banking professionals with these skills are needed all over India and in many other countries throughout the world. Therefore, IBA has decided to develop and launch e-learning certification courses, and certifications in other areas are being developed by different institutes.

ISACA’s CISA, CISM, CRISC and CGEIT certifications are experience-based; however, there is some level of preparation required. There are 10 ISACA chapters in India, some of which offer review courses. Many banks officers, therefore, may not have access to the review courses conducted by chapters. However, ISACA is launching online review courses for some of its certifications and has moved to global computer-based testing, which should expand accessibility for bankers interested in pursuing these important certifications.

Sunil Bakshi, CISA, CISM, CRISC, CGEIT, Consultant

[ISACA Now Blog]