Research Shows ‘White Male Effect’ Can Impact Risk Communications

This is a story about researching a simple question: Why are there so many vulnerabilities in information systems? One answer that might strike a chord with ISACA members is: “failure to listen to experts.”

Many of us have spent years advising companies to adhere to the principles of security by design and privacy by design, yet some still ship products with holes in them, vulnerabilities that leak sensitive data or act as a conduit to unauthorized system access. We’ve been teaching cyber-hygiene to end users since before it was called that, and we’ve all encountered organizations that don’t listen to our warnings about the risks inherent in their deployment of digital technologies.

But why do some people not listen to experts? I decided to study this question with help from my research colleague at ESET, Lysa Myers. We found an established body of research that examines the way people perceive risk and explores the ways in which risk communication can become more effective. Many of these studies centered on the rejection of warnings about risks inherent in successive waves of technology. For example, some were funded back when people argued about the risks from nuclear power and radioactive waste disposal. More recent research has explored why so many people don’t heed the warnings of climatologists.

Many studies used survey questions phrased like this: “How much risk do you believe [this hazard] poses to human health, safety, or prosperity?,” where this hazard might be global warming, genetically modified foods, and so on. Responses to these questions revealed interesting patterns when subjected to demographic analysis, particularly when that analysis included profiles derived from the cultural theory of risk perception (CT for short). According to this theory, we tend to perceive risk in a way that affirms our understanding of social structures and our place within them.

People who see society as a hierarchy of individuals rather than as a community of equals typically rate global warming less risky than folks who are more egalitarian and communitarian. Studies also found that, as a group, white males rated risks from a variety of technologies lower than white females, non-white males, and non-white females. Dubbed “the white male effect” by researchers who first observed it in 1994, this phenomenon appears to be caused by a subset of white males drastically under-rating risk relative to the mean (these men are predominantly hierarchical individualists with above average education and income).

What we didn’t find in our literature review was comparable surveying around risks arising from digital technology, so we conducted our own. We mixed six digital hazards in with nine risks unrelated to information systems, like air pollution. Using Survey Monkey, we polled more than 700 adults in the US. Our first surprise when analyzing responses was that “criminals hacking into computer systems” rated higher than any other risk, ahead of air pollution and hazardous waste disposal. A second digital hazard, theft or exposure of private data, rounded out the top four.

These results suggest that a significant portion of the American public now “gets” that digital technology brings serious risks, but what did our survey tell us about communicating with those who don’t “get” it? We did find a white male effect in our sample, but it was less pronounced for digital risks. The cultural alignment of respondents followed earlier studies for global warming, but looked quite different for digital risks. That tells me there is more work to do in this field, but we can improve our risk communication skills by learning from the work of those studying how cultural theory informs the science of science communication.

I encourage you to read Dan Kahan’s articles on this at CulturalCognition.net, and hope to see more people studying why the advice of information security experts is not universally embraced.

For more of our results, see our slides on SlideShare: https://www.slideshare.net/secret/j6a7vyrtlEgzOf.

Stephen Cobb, CISSP, MSc., Senior Security Researcher, ESET

[ISACA Now Blog]

The Role of Certifications in the Hiring Process

Without a doubt, the information security space is experiencing a dramatic increase in hiring. Finding qualified candidates is continuing to get more difficult, and the duties of managers are steadily increasing. As a result, hiring managers and human resource recruiters are looking for ways to make the process more efficient. Because most certifications in the information security industry come with experiential requirements, the search for candidates possessing industry credentials is seen as a good way to achieve this goal. However, other challenges begin to surface if the proper value of certification is not considered, which I explore in further detail in my recent Journal article.

I personally value certification in the hiring process and use this as a tool to screen potential employees before evaluating their resumes. Some scoff at this idea, as there are many qualified candidates without certification. While these candidates will almost certainly be filtered out, there are few better qualifiers to help parse through resumes and candidate requests in an efficient manner.

Whether it be on Internet forums or in discussion with industry peers, there are widely varied opinions about requiring certification as part of a job search. It appears that this practice is taking place in many organizations—glancing through job postings recently, I have seen many job postings requiring certification. Pushback from a few of my peers in the industry caused me to reevaluate my stance and to dig deeper into understanding the value certification brings to the process, the person and the organization. While my evaluation was not scientific in nature, it highlights many experiences I have had over the years as a hiring manager and is an aggregation of conversations I have had with many of my peers over the past year.

I suspect that some may feel that certification is becoming irrelevant or that candidates do not possess the skills that are expected, but if you put certification in the proper context, I truly feel that it helps in the hiring process and also helps identify a great employee with some of the positive characteristics I mention in my Journal article.

Read Thomas Johnson’s Journal article:
“The Value of Certification,” ISACA Journal, volume 6, 2017.

Thomas Johnson

[ISACA Now Blog]

IoT Security and Privacy: Exploring Technology Solutions Aligned to Regulatory Needs

In my last post, I spoke about the Internet of Things (IoT) in terms of trust, security and privacy at a high level. Here, I will take a deeper dive into how IoT security and privacy can affect an interconnected ecosystem.

When we talk about IoT, we are really talking about the processes we put in place as we migrate to sensor-driven infrastructure for automated operations.

Looking at economies and technology ramp-up trends from a financial perspective, we should expect standardization around policies and processes, as well as around the interfaces that connect sensors to networks, platforms, application systems, or a combination of services.

It can all appear to be complex and large scale, especially in the borderless world of IoT. However, if as security and privacy professionals we ask ourselves, “What are the major areas we should focus on?,” my perspective is that we will have to look at:

  1. Device security and settings
  2. Securing physical access to devices and systems (IAM)
  3. Securing our communication network systems
  4. Dealing with the large volume of data we will have to process, leveraging big data analytics, risk scoring and criticality metrics aligned to a system, user privilege, and the business functionality.

IoT PriSec Model
The team at The Cyber Policy and Security Governance Institute has been developing an IoT PriSec Model. This model:

  1. Combines best of breed practices based on network, system and application security, which integrates functionality to meet data security lifecycle expectations as well as data privacy requirements for in-border and cross-border migrations.
  2. Is built on the premise that an IoT infrastructure ecosystem consists of a self-healing, secure network infrastructure and systems that collect data for analysis from system-to-system connections and sub-system interactions. This system will have a big data capability to build an analysis of permitted, potentially dangerous and malicious activities, allowing for event-driven capabilities and driving a mindset of adaptive security.
  3. Will be further enhanced to adapt to blockchain technologies.
  4. Integrates privacy definitions that are tied into IAM and privileged access management, which is tightly tracked and auditable.
  5. Promotes an effective combination of cryptography and smart analytics integrated into sensor security mechanisms which can quickly assess, measure and score attack attempts and attack paths for smart attack detection.

One area that will have an impact on IoT environments, given that the growth of cloud and big data are enablers of IoT, is that of unikernel security.

In the paper “Unikernels: Library Operating Systems for the Cloud,” A. Madhavapeddy and team describe a unikernel as follows: “In the context of virtual machines and cloud computing, it makes sense to describe the whole virtual machine as a unikernel.”

Bratterud, Happe and Duncan presented a paper on “Enhancing Cloud Security and Privacy: The Unikernel Solution,” which lists six observations about unikernel systems as follows:

  1. Choice of service isolation mechanism
  2. The concept of reduced software attack surface
  3. The use of a single address space, shared between service and kernel
  4. No shell by default, and the impact on debugging and forensics
  5. Microservices architecture and immutable infrastructure
  6. Single thread by default

In a following piece, I will present further details on this aspect, as well as other areas that we are seeing leading IoT vendors focus on from a security and privacy best practice perspective.

Jon Shende, MSc., FBCS CITP, CISM

[ISACA Now Blog]
