Our blog was recently ranked 35th among 100 top information security blogs for data security professionals by Feedspot. Among the other blogs named to the list were The Hacker News, Krebs on Security and Dark Reading. Needless to say, we’re honored to be in such good company.
To be listed, Feedspot’s editorial team and expert reviews, assessed each blog on the following criteria:
• Google reputation and Google search ranking;
• Influence and popularity on Facebook, Twitter and other social media sites; and
• Quality and consistency of posts.
We strive to offer our readers broad range of informative content that provides not only varying points of view but information you can use as a jumping off point to enhance your organization’s cloud security.
We’re glad to be in such great company and hope that you’ll take the time to visit our blog. We invite you to sign up to receive it and other CSA announcements. We think you’ll like what you see.
Editor’s note: Vicki Gavin, CRISC, MBCI, is compliance director, and head of business continuity, cyber security and data privacy for The Economist. Gavin, based in London, recently visited with ISACA Now to discuss how her areas of expertise are being affected by the fast-changing technology and regulatory landscape. The following is an edited transcript.
ISACA Now: At InfoSec Europe last month, you were part of a panel that discussed building an agile team for the future. What were the major takeaways for you?
For me, the most significant takeaway was the need to do things differently. Current hiring processes are designed to exclude candidates. We need to get smarter about including candidates from a variety of backgrounds by systematically removing bias from role profiles, job descriptions and advertisements, screening and interviewing.
ISACA Now: How critical is it for organizations to have tech-savvy boards in terms of fostering strong governance?
I do not think the board needs to be tech-savvy. Tech awareness is sufficient. Security professionals need to become more business aware to communicate effectively with the board.
ISACA Now: What are some shortcuts that organizations tend to take in their governance that often come back to haunt them?
I think one of the biggest IT governance mistakes made by technology professionals is the assumption that risk is to be eliminated. Risk is to be managed; the key is to determine what level of risk your organization is willing to accept.
ISACA Now: What are the biggest keys to successful business continuity planning? The value in planning is the process, not the plan. As Mike Tyson said, “Everybody has a plan until they get punched in the face.” The same is true for BCPs. The process, on the other hand, done properly, ensures a common risk appetite and approach to recovery when the time comes.
ISACA Now: Which emerging technologies present the greatest challenges from a compliance standpoint?
All of them. All change is disruptive. The challenge is to balance the risks and benefits of compliance.
ISACA Now: As we move closer to GDPR taking effect next year, are you sensing a greater sense of calm or of anxiety from your peers?
From my peers, anxiety. From my business, calm. We started on our GDPR journey about a year ago and will be ready by November 2017, giving us plenty of time to bed in new processes.
In today’s competitive environment, enterprises are under enormous pressure to focus valuable resources on initiatives that provide value. The inherent issue with most approaches is that the methods used to determine organizational priorities are often flawed by focusing on compliance as a primary navigation aid. A “compliance only” focused program can have a huge effect on performance. Of course, compliance is crucial for business survival, but it’s not always the only guidance system to use for value creation.
A solution to this narrow approach is to prioritize efforts using multiple perspectives to offer a balanced approach to determining priorities, allocating resources and, ultimately, providing value. As in travel, you need to have a good fix on your coordinates – location, altitude, heading and speed – before determining future moves. Where most companies go wrong is in choosing only one of these perspectives. Just like using a GPS to help you navigate, you should use more than one guidance system to help you focus efforts.
Having tools available that offer pinpoint accuracy to where you need to focus efforts in an organization is crucial – hence, the GPS analogy. GPS satellites help locate a position on the ground based on their time and position. The GPS receiver communicates with multiple satellites, and therefore determines a precise location on the ground. Decisions around funding, assurance, improvements and compliance are all areas in an enterprise that require resources, and should not be determined with only one signal. The more ‘GPS’ signals you have looking into your ecosystem, the more accurate you can be at focusing your efforts.
Using these multiple guidance systems will drastically improve your chances of success. These four GPS signals can include: 1) Goals cascading, 2) risk scenarios, 3) pain points, and 4) regulatory and compliance (see figure 1).
Figure 1—Using Multiple Perspectives to Prioritize Efforts
Guidance System 1: Cascading goals
I believe that one of the best-kept secrets in our industry today is the goals cascade. The model begins with stakeholder drivers that influence stakeholder needs. Stakeholder needs can be literally mapped to enterprise goals, IT-related goals and enabler goals. The enabler level is a more holistic view of the ingredients required to govern and manage enterprise IT. For example, if you know that a particular enterprise goal is the most important goal for the next year, then you can map that goal through the cascade and determine which processes are critical to its success. The model is already done for you in COBIT, where there is a set of tables that map each of these levels.
Guidance System 2: Risk scenarios
An IT risk scenario describes IT-related events that could lead to a business impact. COBIT 5 for Risk contains a set of generic IT risk scenarios and can serve as inputs to risk analysis activities and their effects on overall business objectives. This process results in the risk register and provides valuable information for informed decision-making. Use the results of this “GPS signal” to come up with the most critical risk scenarios that could hinder enterprise objectives, determine pain points or guide mitigation responses.
Guidance System 3: Pain points
Pain points are those areas that need little effort to identify. Use pain points as perspectives from which efforts toward the governance of enterprise IT initiatives are chartered. This can have a positive effect on the buy-in of your business case and create a sense of urgency and support. The COBIT 5 Implementation Guide identifies some common pain points associated with enterprise IT and maps these pain points to specific processes in COBIT.
Guidance System 4: Legal/regulatory/compliance requirements
No organization can be 100 percent compliant with everything. Synchronize this with your risk management process to determine the right response to each requirement. Some requirements are legally required and must be adhered to, but what level of adherence is the most appropriate?
Aligning your satellites
Each of these guidance systems should result in a very clear list of high-interest areas. Devise a prioritization scheme for each of these lists and normalize them into a single list. Now that the most important areas have been identified, compared and analyzed, more focused efforts can be identified. These results can assist in scoping assurance activities, allocating and prioritizing resources, and ensuring business/IT alignment.
The enterprise exists to create value for its stakeholders. Realizing benefits while optimizing risks and resources requires more than one perspective, or ‘guidance system,’ to fully understand what is required. This post has identified four potential perspectives that worked for one organization. Yours might have more, but should never have less.
One of the most common cyber security questions I get is: How do attackers plan/carry out their attacks? I thought this would be a great topic to address since we are always asked to explain the risk of any audit observation we make. So, what is risk anyway? In a cyber security context, think of risk as the overall probability of our systems or data being compromised by a malicious individual.
Attackers (which could be insiders) make up one piece of our risk equation, the other piece being vulnerabilities. If one piece of the risk equation does not exist (attackers or vulnerabilities), then there would be no risk to our systems and/or data. Why? Because if the world was full of attackers, but our systems/data were not vulnerable to any attack, then the attackers could not steal our data. In a similar way, if we ran a system full of vulnerabilities (think Windows XP, which is no longer supported by Microsoft), but attackers simply did not exist, then there would not be a risk of our systems or data being compromised.
So, how do attackers operate? Here are some common techniques:
1. Attackers perform reconnaissance activities on the targeted organization and can gather data from the following:
Websites
Forums
Job boards
Social networking sites, such as LinkedIn, Facebook, Twitter, Google+
Employees (e.g., sales, human resources, executives)
2. The data uncovered during reconnaissance allows the attacker to identify who/what to target within your organization. Next, the attacker prepares and delivers the exploit to your organization. The following are common methods of delivery:
Watering hole attacks are used to infect websites that your users/members of your group are known to visit.
Spear phishing attacks are used to trick specific users into infecting their system.
3. Once on your network, the attacker will attempt to compromise additional systems and exfiltrate your data. They do this by exploiting known/unknown system vulnerabilities via command and control.
There you have it – those are the basic steps of an attack. I recommend you watch this video produced by Cisco that illustrates an attack better than I can. Here are some recommendations that can be acted upon:
Ensure your organization has an adequate cyber security awareness program in place.
Ensure your organization conducts spear phishing exercises on all employees.
Work with human resources to avoid including too much detail in job ads.
Monitor social media use/review public posts made about your company.
Educate your employees on what information should not be disclosed to anyone in normal day-to-day conversations.
Ensure adequate malware prevention capabilities are in place.
Ensure adequate intrusion detection/incident-handling capabilities are in place.
Editor’s note: Jesse Fernandez presented on auditing cyber security at North America CACS 2017. For highlights and key takeaways from the North America CACS and EuroCACS conferences, read the CACS 2017 Conference Report.
