Month: August 2018

Tony Vizza, CISSP, is the newest addition to the (ISC)² Cybersecurity Advocacy team! Based in Sydney, Australia, Tony works with corporations, government agencies and academic institutions to encourage collaboration across the industry, effective cybersecurity curriculums and strong legislation to attract and enable the workforce we need to manage the Asia-Pacific region’s most critical security issues. Tony has worked in the field for more than 25 years and has earned the CISSP certification, as well as the CRISC, CISM and is certified as an ISO/IEC 27001 Lead Auditor. To get to know Tony a bit better, we asked him five questions …

• What brought you into the profession we now know as “cybersecurity?”

I started at a young age “discovering vulnerabilities” in my school’s network systems. From there, I went on to study computer science at university. IT has always been in my blood and over the past ten years, network security and cybersecurity have been the core of my professional career.

• What career accomplishment are you most proud of?

Far and beyond all else – even both of my university degrees – I am most proud of achieving my CISSP certification. It was a culmination of months of study and preparation, on top of years of experience, and it finally made me feel proven to work in the field of information security. I had fantastic mentors and supporters who helped me through the process and I felt both disbelief and on top of the world when I passed my exam!

• What is something about cybersecurity that you wish those outside of the field had a better understanding of?

Like many other industries portrayed in the media, our reality is much more mundane than the fictionalized version the rest of the world is presented with. The most effective protection against “hackers” isn’t what you see on CSI, but rather understanding the value of your own personal data. It’s important to understand how IT devices share information and remember to be mindful of what you post on social media. Human education is infinitely important. In fact, it is the most important factor in ensuring good cybersecurity.

• What are you most looking forward to in your role as a Director of Cybersecurity Advocacy at (ISC)²?

I am looking forward to making a difference in the lives of many people in the APAC region, by helping to empower our members. When our members are able to succeed in their own endeavors, that is the best way to magnify our message of creating a safe and secure cyber world.

• When not advocating for the cybersecurity professional – and the profession itself – where might our members find you?

You will most likely find me playing with my two toddler children, helping my partner with housework, studying law at university, or (hopefully) catching up on sleep! I also enjoy watching live stand-up comedy, taking a relaxing walk along the beautiful coastline of Sydney or attending a great music festival with my family.

Tony joins John McCumber, our director of cybersecurity advocacy for North America, in working for you, the cybersecurity professional. You’ll be hearing even more from Tony in this blog, our InfoSecurity Professional magazine and at cybersecurity events around the Asia-Pacific region.

[(ISC)² Blog]

Source: http://blog.isc2.org/isc2_blog/2018/08/meet-your-cybersecurity-advocate-5-questions-with-tony-vizza.html

If you are a netizen, you must have already noticed how certain ads pop up while you are surfing videos on YouTube. Most of the times, these advertisements have close connections to the products and brands you have been searching recently. However, this is not the case always! Finding fake ads of reputed brands like Mercedes-Benz and Waitrose is not uncommon at all. According to reports from The Times of London, several reputed brands have found their advertisements among objectionable and explicit content.

Why should you care about online ad fraud?
If you are an advertiser, this should be a cause of concern for you. According to a recent study, over 20% of the clicks you are getting on your ads can be from bots and tricksters. Censoring the internet and running the entire web without advertisement is impossible. In short, good content and commendable user experience require sponsorship.

Sadly, advertisers are pouring money into digital ads, but they are not receiving the returns they expect. The advent of various smart devices may have expanded the scope of viewing content, but they have done little to ensure that the content is genuine.

According to the Association of National Advertisers, entrepreneurs are wasting over $7 billion on online adverts people do not see. The experts expect the numbers to grow beyond $335.5 billion in the next two years. When companies are ready to spend billions on online advertisements, it is understandable why malicious activities are always around the corner, waiting.

We have seen the likes of Meth-bot that cost the ad industry around $5 million per day. They used bots to mimic human data, created over 250,000 individual domains. These new sites had a resemblance to big fish like ESPN and Vogue.

Digital ad fraud is a serious concern for advertisers and users, too. While the fraudsters use bots to mimic human behavior, trace cursor movements, and hack social media accounts, they fake their geo-location data to avoid detection. As a result, along with regular display ads, the premium online video advertisements are also taking a hit. Digital fraudsters are messing up analytical data, upturning the KPIs and disrupting online campaigns of many of the more reputable brands in the world.

Blockchain as a potential solution to online fraud
Is there any current technology that can prevent pixel stuffing, ad stacking, search ad frauds and affiliate ad frauds? Experts say that it’s possible. They believe that advertisers can prevent similar frauds by turning to blockchain. We are not talking about cryptocurrencies, but the decentralized open-source ledgers.

A fusion of existing ad technology and blockchain can give advertisers the power to keep an eye on each impression and eliminate the fear of fraud. Leading advertising research firms like Interactive Advertising Bureau’s Tech Lab and Data & Marketing Associations already are working on creating a blockchain solution that can help advertisers detect and prevent fraudulent activities. However, the wide variety of online ad frauds make the task of developing a uniform system difficult.

Below are the major use cases of blockchain that can be implemented to prevent online ad frauds:

Ethereum-based ready solutions – Several startups and advertising research companies have been working on blockchain systems that can stop bots and impostors. Ethereum is the best-known blockchain right after Bitcoin. Instead of a central ad server, it offers a decentralized system to advertisers to monitor the activity of their partners. Google, Amazon, Twitter, YouTube, Facebook, and Snapchat have adopted similar history-proof, decentralized ledgers.

Blockchain counterattack – This mechanism adopted by the Ads.txt DApp allows publishers and content owners to list the authorized sellers of their inventory in a .txt file. This file is served from within the root path of their domain’s web server.

Blockchain-based exchange for traders – A combination of the financial matching engine and the latest blockchain technology allows advertisers to enable transparent transactions. It is a NASDAQ Inc. initiative that aims to provide advertisers and publishers a completely secure platform that supports buying, selling and re-trading advertising contracts.

In the digital era, online ads are an important channel for brands to use to reach out to their target audience. Ad fraud not only puts a hole in the pocket of the brands but also harms the end users, who need reliable information to make the right decisions. With the ability to impart transparency to the system and trace an online asset, blockchain can surely help reduce, if not completely stop digital fraud.

Ankit Shrivastav

[ISACA Now Blog]

Source: https://www.isaca.org/Knowledge-Center/Blog/Lists/Posts/Post.aspx?ID=1061

After decades of presentations and prayers, security has finally become a business imperative for executives and boards alike. Business leaders are speaking publicly about championing security investments, as it’s important for shareholder value and future expectations. In fact, evidence-based security effectiveness measures are finding their way into annual reports (10-Ks), committee charters, and corporate governance documents.

Because of the spotlight that is on security, your business leaders are demanding security effectiveness evidence from you. This evidence is similar to the data-driven measurements and KPIs seen in other strategic business units such as shareholder return, client assets, financial performance, client satisfaction, and loss-absorbing resources.

Your leaders are making decisions predicated on these non-security measures every day to increase value for their shareholders, address stakeholder requirements, and mitigate business risks. Security is simply another variable in the business risk equation. In fact, your security program isn’t about security risk in and of itself, but rather, the financial, brand, and operational risk from security incidents.

One area where the need for security effectiveness evidence is profusely obvious is around rationalization. For example, many auditors no longer ask, “Do you have security tools in place to mitigate risk?” because the answer is always, “Yes, but we need more tools, training, and people anyhow.” Now auditors are asking for rationalization in terms of, “Can you prove, with quantitative measures, that our security tools are adding value? And can you supply proof regarding the necessity for future security investment?”

This evidence-based, rationalization methodology, often characterized as security instrumentation, aligns with the reality that your organization has finite resources to invest in security and that all investments need to be prioritized. Every dollar invested in security is a dollar not applied to other imperatives.

Measuring your security effectiveness: where you’ve been
The sad truth is that most security effectiveness measures are assumption-based instead of evidence-based. Because of a lack of ongoing security instrumentation, you assume your tools and configurations are doing what is needed and incident response capabilities are a well-choreographed integration of people, processes, and technologies. You know that assumption-based security is flawed. But historically, you haven’t had a way to empirically measure security effectiveness. You get some value from penetration testing, the endless march of scan-patch-scan, surveys, and return on security investment calculations, but these approaches don’t truly measure your security effectiveness. As a result, your business leaders are relying on incomplete and/or inaccurate data to make their decisions.

Where you need to be
You need to know if your security tools are working as intended. Once they are, you can optimize those tools to get the most value, rationalize, and prioritize where greater investment is required, and retire tools no longer needed. Then you can monitor for environmental drift so that when a tool is no longer working as needed, you are alerted to the drift and how to fix it. Finally, from a leadership perspective, your team can consider security effectiveness measures when calculating the business risks.

How to get there
By safely testing your actual, production security tools with security instrumentation solutions, not scanning for vulnerabilities, not looking for unpatched systems, and not launching exploits on target assets, but actually testing the efficacy of the security tools protecting your assets, you can start measuring security effectiveness of individual tools as well as security effectiveness overall. When gaps are discovered, you can use prescriptive instrumentation recommendations to address those gaps. Then you can apply configuration assurance to retest the security tools to validate that the prescriptive changes implemented resulted in the desired outcome. Once you have your security tools in a known good state, automated testing can continue validation in perpetuity, alerting you when there is environmental drift.

The end result of security instrumentation is security effectiveness that can be measured, managed, improved, and communicated in an automated way. Your security teams are armed with evidence-based data that can be used to instrument security tools, prioritize future investments, and retire redundant tools. This newfound ability to communicate security effectiveness and trends based on actual proof allows your decision-makers to incorporate security effectives measures when making business decisions.

Author’s note: Brian Contos is the CISO & VP Technology Innovation at Verodin. He is a seasoned executive with over two decades of experience in the security industry, board advisor, entrepreneur and author. After getting his start in security with the Defense Information Systems Agency (DISA) and later Bell Labs, he began the process of building security startups and taking multiple companies through successful IPOs and acquisitions including: Riptech, ArcSight, Imperva, McAfee and Solera Networks. Brian has worked in over 50 countries across six continents. He has authored several security books, his latest with the former Deputy Director of the NSA, spoken at leading security events globally, and frequently appears in the news. He was recently featured in a cyberwar documentary alongside General Michael Hayden (former Director NSA and CIA).

[ISACA Now Blog]

Source: https://www.isaca.org/Knowledge-Center/Blog/Lists/Posts/Post.aspx?ID=1060