Don’t Let Your Users Unknowingly Be the Weak Link in Your Security Infrastructure

Hackers are becoming increasingly stealthy and creative, relentlessly trying to gain access to sensitive data, while organizations work tirelessly to prevent security breaches and data theft. In this complex game of cat and mouse, security practitioners are being forced to rethink how they identify and control traffic on the network, shifting to an application-focused approach, rather than port- and protocol-based policy, to defend against successful cyberattacks and uphold business integrity.

User-based access controls, based on user identity information, rather than IP address, allow organizations to safely enable applications traversing the network, make informed decisions on network access, and strengthen overall network security. Here are four reasons why you should take advantage of user-based access controls, called User-ID, on your Palo Alto Networks next-generation firewall (NGFW):

1. Complete Network Visibility

Improve network visibility by mapping network traffic to users, rather than IP address. Application visibility based on users provides an organization with a more relevant picture of network activity, along with the power to quickly determine associated risks and respond accordingly. User-based access policies can be applied to application, URL, and file type accessibility, reducing the organization’s risk of initial attack, lateral threat movement, and insider threats by ensuring that data movement to and from users is both allowed and approved.

2. Simple Security Policy; Simple Life

Security practitioners do not have the time nor resources to invest in tracking thousands of IP addresses and complex security rules. Access controls based on User-ID, user identity, who is allowed or required to do what, dramatically simplifies the rules and safely enables applications, while simultaneously reducing the administrative effort associated with end-user moves, adds and changes. User-based access policy eliminates the need for a multitude of location-specific rules, as well as the need to dynamically adapt to the most appropriate policy for individual users and user groups, even as users move around the office, or outside the corporate network with various devices on different network addresses.

3. Minimum Access; Maximum Control

End users – employees, customers, partners – must be able to access required information repositories, as well as the Internet, to perform various functions of their jobs. Leveraging user-based access controls to analyze application threats and web surfing activity in terms of individual users, or groups of users, ensures access to mission-critical resources, and restricts access beyond the scope of approved means. When determining accessibility parameters, align application usage with business requirements following the principle of least privilege – minimum access based on job requirements – and, if appropriate, inform users that they are in violation of policy, or even block their application usage outright. User-based policy follows users regardless of location or device.

4. Increased Security; Better Forensics

It’s important to have the right user-based access controls in place to manage the identities and access of both internal and external employees, customers and partners. Knowing who is using each of the applications on your network, and who may have transmitted a threat or is transferring files, reduces incident response times and allows for damage control if an attacker does successfully infiltrate. In addition, user-based access policy ensures an attacker will only gain access to a small portion of data on the network, rather than the entire net worth of information. For maximum security protection and breach prevention, employ the right user access to mechanisms not only on the applications and endpoints that users access, but also on the organization’s next generation firewall infrastructure.

To learn more about the benefits of leveraging User-ID, user-based access controls, on your Palo Alto Networks NGFW:

[Palo Alto Networks Research Center]

2016 Accomplishments Poised to Drive 2017 Growth

We hope 2017 finds you ready for another year of challenges, opportunities and achievements—much like the year we all have just enjoyed.

In 2016, ISACA moved forward as an organization with the support of its 215 chapters around the world working to increase our visibility, influence and impact, locally and globally.  Perhaps most encouraging is the progress we are making as a valued professional community, which has occurred amidst rapid changes and increasing complexity in and around our key fields of interest—audit/assurance, information and cyber security, governance and risk. Highlights from 2016 included:

  • The growth of our community to 159,000 constituents worldwide;
  • A very inspirational and successful Global Leadership Summit (GLS) that brought together over 400 ISACA chapter, member and staff leaders in April, and has resulted in ongoing input on both ISACA’s current efforts and how best to shape the future of our organization;
  • Regional expansion of ISACA events: Our first Africa CACS conference was held in Nairobi, Kenya, in August. Two new cyber security conferences took place in November: CSX Asia Pacific in Singapore and CSX Europe in London;
  • Completion of the development work required to support the 2017 transition from paper-based to computer-based testing for ISACA’s core certifications (CISA, CISM, CRISC, CGEIT);
  • ISACA’s acquisition of CMMI, with plans to accelerate ISACA’s reach in fast-growing economies, including China and India, and to better engage and deliver solutions to enterprises, while highlighting the value members of our professional community deliver;
  • ISACA’s significantly increased engagement with government, including the EU, US, India, Israel, Jordan, China, Kenya and Singapore, with many others expressing interest or initiating a dialogue;
  • The launch of ISACA’s Connecting Women Leaders in Technology program, which has been well-received across our professional community, and offers opportunities to extend its impact going forward into 2017 and beyond;
  • Established business development initiatives to grow relationships with organizations that employ professionals in our community worldwide;
  • The recent deployment of the ISACA Member and Customer Experience Center which, in its first two months of operation, has already significantly improved response time and overall service levels, including reducing certification application processing time from eight weeks to three weeks, and responding to email inquiries in less than 72 hours.

The above is a small subset of all that has happened over the past year. These highlights, along with many other contributions and accomplishments, have helped lay the foundations for a very promising year ahead. In 2017, we will again expand our education and training programs; increase our research efforts and publications output; grow our collaboration with government, industry, and other strategic partners; launch a new digital presence; enhance member and customer service levels; and begin planning our 50th anniversary, with an aim of using this 2019 milestone as a means to further increase the visibility of our professions and to build our workforce of the future.

While our anticipated growth in 2017 will occur in a world that remains unsettled, we believe ISACA’s professional community is ready to meet the challenges that will ensue, and turn these challenges into opportunities in the spirit of ISACA’s purpose to help enterprises and people realize the positive potential of technology. We thank all of you for your support and efforts to date, and as we begin 2017, we wish you all a safe, healthy, productive and prosperous year ahead.

Christos K. Dimitriadis, Ph.D., CISA, CISM, CRISC, chair of ISACA’s Board of Directors and group director of Information Security for INTRALOT, and Matt Loeb, CGEIT, FASAE, CAE, Director and CEO, ISACA

[ISACA Now Blog]

Setting the Record Straight: Convincing Management of COBIT’s Value in Risk Management

Although COBIT remains an extremely valuable tool for IT risk management, many Latin American companies still find themselves slightly confused when trying to understand what it takes to carry out a complete or partial COBIT implementation. In fact, organizations still struggle with how to achieve long-term business and IT goals through proper use of the framework’s tools, and advice from experienced or well-informed practitioners is not sought because top management often considers any external consultancy as an expenditure with little or no return on investment. In addition, due to multiple mergers and acquisitions currently taking place, there is a growing interest in the region in implementing COBIT as an IT risk management framework and even as a way to comply with globally accepted regulations, particularly the US Sarbanes-Oxley Act 2002 (SOX).
In those terms, the main challenge that must be addressed by COBIT practitioners is encouraging top management to actively participate in the transformation process for integrating and standardizing IT management practices. Also, the COBIT practitioner must be focused on helping the involved stakeholders understand that “IT guys” are friends interested in taking the company to the next level and providing solutions, not foes who should be pointed to when looking for scapegoats. Some of the elements to be considered when implementing COBIT as a reference for risk management practices are:

  • According to the COBIT goals cascade, every endeavor regarding the enterprise enablers must be driven by IT-related goals, which are also leveraged by the enterprise goals and the stakeholder needs, which includes risk optimization.
  • Going along with this definition, the concept and scope of governance of enterprise IT (GEIT) must be clarified and communicated within the organization to enable the achieving of the goals in which IT has participation and accountability. Once GEIT has been established, the cornerstone for the IT internal control model is established.
  • In addition, a business case must be generated to create an interface between the stakeholders’ expectations and IT plans as referenced in the publication COBIT 5 for Business Benefits Realization. The definitions included in the aforementioned business case will be the confirmation that the GEIT goal is to generate potential benefits for the organization as a whole, considering the pervasive nature of IT.
  • According to the white paper Getting Started With Governance of Enterprise IT (GEIT) and in this author’s experience, GEIT ensures greater alignment of IT functionality with business needs. However, commitment from the enterprise leadership at the highest levels (e.g., C-suite, board of directors) is fundamental to ensuring a successful implementation and a sustainable model.

Based on the aforementioned facts and on each organization’s background—determined by factors such as industry, rate of automation of its processes, and applicable regulation (e.g., SOX, anti-money laundering, fraud prevention) it is also important for the COBIT practitioner to set the record straight with the organization’s top management about the culture and practices that must be embraced when adopting the framework into their organizations:

  • Definition of governance and risk management structures required for the implementation of COBIT practices is not a one-time effort.
  • The effectiveness of the framework’s risk management practices depends on the management fomenting and fostering COBIT’s enablers as a primary commitment.
  • Although IT must actively participate in defining practices, COBIT maintenance and periodic review must be sponsored by core business and controlling dependencies.
  • Management must be aware that there is not a standard timeline for implementing COBIT. Therefore, COBIT practitioners must set realistic expectations with management when defining and analyzing which COBIT enablers will be implemented and how many resources (e.g., time, money, people) will be required to use COBIT practices and ensure their sustainability through early life support and other management review and follow-up activities. In some cases, it could even take years to get to the maturity level agreed on by the enterprise!

So, what should COBIT practitioners do to fight against these misconceptions? What actions will generate more COBIT supporters, based on the framework’s applicability, and counteract any perception that COBIT is an excuse invented by consultants to sell high-end products and obtain a constant income on a periodic basis? In this case, the experts’ experience, vision and judgment are fundamental, not only to set a solid cornerstone for IT risk management, but also to ensure the business processes will be optimized thanks to COBIT’s benefits, due to the relevance assigned by the standard to the management’s goals. The presentation prepared by the COBIT implementer and the individuals to whom it is presented will also affect the outcome, since the same presentation should not be used for top management, business areas, IT staff and support dependencies. Nonetheless, the main message must remain consistent: The entire organization is responsible for COBIT’s success and proper operation, with periodic consultations from external experts.
Another important factor is to assign proper accountability to ensure the defined practices are properly implemented and operate consistently over time. Robust activities and processes with no accountability are practically useless. The stakeholder accountable for each process must be defined according to business goals and requirements, and that person must act as a translator of the general strategic plan and as a mediator when change is to be implemented. The accountable stakeholder must be also aware of the process’s maturity level, what it is required to achieve the next level (assuming the enterprise has agreed that a higher level is optimal for the business) and what should be changed after a review is performed. Phrases such as “I do not have to change it since we have not have any outages” or “I have always done things this way and I have been with the organization for more than 20 years” pose a huge challenge for the accountable stakeholder, suggesting his/her role must also consider skills for dealing with change and transforming it into an opportunity to understand the importance and impact that each factor has for an organization.
With that being said, when initiating a COBIT implementation, practitioners should instruct the project’s stakeholders with these messages:

  • COBIT maintenance requires resources and infrastructure, but, in the end, it will greatly improve an organization’s stance regarding risk management.
  • COBIT promotes the importance of leadership and teamwork because, without proper guidance, commitment, and assignment of roles and accountability, the policies, procedures and rules that come along with COBIT fall into the perception that IT is an expenditure.

Conclusion

COBIT is a very powerful tool with numerous features that can be adapted to different circumstances, but it also takes a great deal of commitment to ensure it operates as expected. If management understands that everything is capable of being improved, nothing eternally remains in the same state and expert judgement is required on a periodic basis, the mystery of how to properly use COBIT to achieve business, compliance and operational goals could finally be solved.

Julian Marquez, CISA, CRISC, COBIT Foundation, ISO 27001 LA, ITIL Foundation
Is an experienced risk management professional. He has worked with Deloitte on IT auditing and consulting services for projects in Colombia, Chile and Canada. He has worked on initiatives to use COBIT as a reference framework for different retail, manufacturing, financial services, and energy and resources companies. He has also participated as a trainer on internal and external COBIT-related training.

[ISACA COBIT Focus]

English
Exit mobile version