COBIT 5: Quick Wins and Hard Sells

Ever since COBIT 5 was released, I have had the honor of both leading the ISACA Istanbul Chapter’s COBIT 5 translation team as well as supporting hundreds of COBIT practitioners with training and implementation professional support services. My clients serve the financial services, telecommunications, software, automotive production and retail industries. During the course of these engagements, I have found that most of my clients quickly and easily adapt some aspects of the framework while other aspects are perceived as more challenging and are generally omitted from the implementation process. My goal is to describe both these “quick wins” (slow fat rabbits) as well as the hard sells.

The new Process Reference Model with particular focus on the “Applying a Single Integrated Framework” principle has been a pleasure to implement as clients often asked me whether they should implement previous COBIT versions or some other framework like ITIL, ISO 20000 or 27001. I can answer with complete confidence that COBIT is integrated with all of them and that if they implement COBIT, they will have implemented the bulk of every other relevant framework and standard. For example, the Project Management Body of Knowledge (PMBOK) has some very detailed financial metrics, reporting and modeling approaches that are not present in COBIT 5. While they may be relevant to very large projects (billions of dollars), they are a bit too detailed to add significant value to projects at the size that most of my clients run (10s to 100s of thousands). That they are not a part of COBIT 5 is thus not relevant. The new “APO05 Manage Portfolio” process is a wonderful addition to COBIT in that it brings the framework into alignment with PMBOK in an area that I often found myself having to go outside of previous COBIT versions (often to Val IT).

APO03 Manage Enterprise Architecture is another new process that takes its inspiration from TOGAF. IT architecture and its critical strategic focus on selecting and supporting the “right” technologies for the business were very challenging to address with previous versions of COBIT. Describing the best way to select the enterprise’s IT building blocks required concurrently referring to TOGAF so that we could adequately address their control and management. Now, COBIT 5 includes this big-money area.

The new capability model has generally been a hard sell. My clients find the present capability attributes challenging to understand and miss the previous maturity model’s clarity, prescriptive approach and best practice content. The one aspect of the new capability model that is universally loved is that partially achieved process attributes can satisfy process capability. This new approach saves me from having to answer, “The framework says ‘no,’ but I will make an exception for you,” each time a client asked me, “Since we satisfy most of the next level maturity requirements, why can’t we be rated a 2.5?” I believe that most COBIT users would welcome a fleshed out version of the present capability model, provided that it included more detail about how to implement the attributes for each process. Even something as simple as mapping each processes practices and activities to specific attributes would help COBIT users understand how to easily implement the capability model.

Kaya Kazmirci, CISA, CISM, CISSP
Managing Director, Kazmirci Associates

[ISACA]

Security Resolutions for 2015

As we begin the New Year, it is critical for companies to understand the impact of cybersecurity breaches and attacks—and young professionals can play a key role in this.

As a young professional, I believe our objective should be to help our senior leaders define security levels and protect their key assets this year. How can we plan to do that? Here are some of my ideas for the New Year’s resolutions for young professionals (though professionals of any age will benefit from these tips):

Knowledge-sharing: It is very important to share our knowledge with others because the world is too big to know everything. ISACA provides good support for knowledge sharing through publications, blog posts, guidelines and the community around it, including at conferences and local chapter events. Furthermore, using social media is a good way to exchange with people.

Also, I recommend planning meetings, security breakfasts and trainings with your colleagues to help them understand the objective.

Personal training plan: Each day, new security features appear and we need to continuously update our cybersecurity skills. This is why a personal training plan is useful. The Cybersecurity Fundamentals Certificatefrom ISACA’s Cybersecurity Nexus (CSX) or the Certified Information Security Manager (CISM) Certified in the Governance of Enterprise IT (CGEIT) certification can be a good way to upgrade your skills and get recognized. Also, the virtualization age allows us to create labs for making tests with few resources. Personally, I focus on enhancing my capabilities in risk and governance management, such as penetration testing.

Educating users, management and the board: Many times, a user clicks on a link and downloads malware or something of that nature. Educating people takes time and patience, but allows you to create a strong security culture that lasts through time. Do not hesitate to explain the importance of security with a pragmatic view that relates to their own interests. Some people are more careful about finance and others about personal responsibilities. Create some user-friendly guidelines such as a guide on how to protect your privacy on Facebook to help convey your message.

Discovering new cultures: All countries are different and we need to respect them and be aware about local cultures we work with. Personally, I want to leave my country this year to discover a new working method, a new way of thinking and to increase my comprehension about the world. One benefit about being a young professional at ISACA is that the global association connects you with fellow professionals from around the world.
And you, what do you plan for 2015?

Damien Bertero
Security Engineer, France

[ISACA]

Providing Assurance on Data Quality

Many organizations are putting data governance on their strategic agenda, primarily because of the amount of data that is available to, generated by and utilized by the organization. Professionals who provide assurance services are now faced with the task of providing advice on the data quality issues, which if not addressed can lead to a number of adverse effects, including:

  • Lack of compliance with statutory requirements
  • Losing a competitive edge
  • Dissatisfied clients
  • A delay or scrapping of a new information system implementation
  • Failure to meet a significant contractual requirement or service level agreement

To address data quality, the organization must agree to and document data quality metrics that are relevant to the kind of data in use by the organization. Philip Nousak and Rob Phelps propose a score-based approach with predefined metrics. In general, data quality metrics may include:

  • Accuracy: Data reflects reality
  • Integrity: There is a possibility to uniquely identify data records
  • Consistency: There are no contradictions in the data
  • Completeness: All the necessary data is present
  • Validity: Data values are acceptable and fall within defined ranges
  • Timeliness: Data values represent the most current information for the specific use
  • Accessibility: Data can be obtained with ease, is comprehensible and usable
  • Granularity: Data is available at a sufficient level of detail

The data quality metrics in themselves are not sufficient for an assurance professional to provide an opinion on data quality. Other factors that should be considered can be categorized in the following three groups:

  • Technical:
    • What is the underlying database structure that is used for data storage?
    • What application is being used to process or manipulate the data?
    • While the original data may be of good quality, errors may be introduced as a result for poor database structures or bugs in the applications being used to process the data (e.g., a data value that is required to be unique by its nature)
  • Operational:
    • What business processes create or use the data?
    • What business rules are in place to provide validation of data captured or produced?
  • Governance:
    • Are the data roles and responsibilities clearly defined in the organization?
    • What monitoring and reporting requirements are in place?

In conclusion, investigating data quality practices to provide assurance, or as part of an IS audit, will add value to the organization. Assurance professionals should consider regular checks on data quality in the process of carrying out their work.

Carina K. Wangwe
Social Security Regulatory Authority, Tanzania

[ISACA]

A Smart Strategy to Combat Advanced Persistent Threats and Targeted Attacks

Seemant Sehgal, CISA, CISM, BS7799 LI, CCNA, CEH, CIW Security Analyst, SABSA

Advanced persistent threats (APTs) are a hot topic in the security arena today. There are a number of definitions and methods of identifying an APT. Some define it based on the extent of pinning it to certain attack vectors, while others map it to the complexity or time it takes to complete the attack. The term “targeted attacks” is the latest buzzword, gradually taking center stage as a new breed of cyberthreats emerge.

So how can one devise an effective strategy to combat such threats? Well, to do so, it is important to understand the implications of the words “advanced” and “targeted” in the cybersecurity context. Think of the example of a pickpocket looking for a prospective victim. A thief will skip stealing from targets when they are vigilant and instead look for someone whose guard is down. In other words, the attacker will go for the “low-hanging fruit” to find a way in.

Applying this scenario to the context of cyberthreats, the best strategy to combat an APT is to keep an eye on low-hanging fruit in your security ecosystem. Low-hanging fruit in this context represents the easiest vulnerability for threat agents to exploit and reach their target. It is important to remember that low-hanging fruit is not a static concept when it comes to cybersecurity. The moment you take the most obvious vulnerability out of the equation, attackers are going to take the next easiest route. As a result, the best combat strategy is that an enterprise stays situationally aware of the lowest hanging fruits it is offering to an attacker.

From a more global perspective, threats are targeted at a generic profile. Hence, for a threat to impact your values that are at risk, 2 conditions need to be met. First, the target profile must match the ecosystem that you present to the attacker. Second, your organization must be more easily exploitable than your next best competitor or another target presenting the same value to an attacker. If you want to make sure that your organization does not meet these criteria, the best strategy is to be situationally aware of the ecosystem your enterprise is a part of and ensure that you stay ahead of other like organizations.

However, when it comes to targeted attacks, the environment the enterprise is a part of does not matter. If the threat agents are motivated and committed to taking aim at you, they will. As with APTs, the best strategy to mitigate these targeted threats is to ensure that you are situationally aware of and continuously engaged in removing the low-hanging fruit from your security ecosystem. This way, you offer more complexity to an attacker and you have a better chance of combating targeted attacks.

Read Seemant Sehgal’s recent Journal article:
Effective Cyberthreat Management Evolution and Beyond,” ISACA Journal, volume 1, 2015.

[ISACA]

What Makes Advanced Malware So Scary?

Malware is code that is written to accomplish a malicious purpose. In most cases the malware also has the ability to spread or infiltrate other systems or programs. Sometimes the malware’s purpose is just to show off the author’s hacking prowess, but more recently the purpose has typically been to make money, steal information or cause damage. In some cases, the scope of the malicious intent and damage has been to such an extent that we call it cyberterrorism or cyberwarfare. Think of the recent attack on Sony, which appears to be prompted by the film The Interview.

Over the years, types of malware are often given colorful and even scary names. Viruses, worms and Trojan horses were terms coined in the 1980s for various types of malicious code. More recently, we have described certain attacks as advanced persistent threats (APTs) and advanced malware. Advanced malware tends to be targeted, stealthy, evasive and adaptive. This compared to previous types of malware that generally tried to spread to as many programs or systems as possible, often in an indiscriminate and “noisy” fashion.

APTs are advanced malware which The US National Institutes of Standard (NIST) defines as follows:

An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltrating information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future. The advanced persistent threat: (i) pursues its objectives repeatedly over an extended period of time; (ii) adapts to defenders’ efforts to resist it; and (iii) is determined to maintain the level of interaction needed to execute its objectives.

The definition is a bit heavy, but completely in line with the concept that advanced malware has a clear “who” behind it that is writing the code to attack a specific target and carry out a specific mission. The attack is likely to be against a targeted enterprise or even certain individuals like systems administrators within an enterprise. Moreover, the malware is likely to be multipronged with a variety of different ways and techniques to infiltrate a system and extract the desired information. It can be patient and wait for some time before attacking. Also, it will adapt to conditions and try different methods automatically.

Finding and blocking this type of code can be difficult for traditional antivirus software because chances are the attack will never have been seen before. This means that no antivirus signature will have been created for the malware. Behavior blocking and reputation-based antivirus techniques might be somewhat effective. For instance, since the malware will likely try to extract and send confidential data somewhere, that type of unusual behavior might be discoverable and blocked. However, the people creating advanced malware are likely to test their creations’ evasive and stealth capabilities against most popular antivirus and security products.

So who writes this stuff? While individual hackers might write advanced malware, more often it is the product of dedicated teams from nation states, organized crime groups or terrorist organizations. Advanced malware is built and tested with a degree of professionalism and dedication similar to that found in legitimate software product teams.

Scared? You’re not alone. One in five respondents noted that their organization has already experienced an APT attack in a recent ISACA survey, and 66 percent believe it is only a matter of time before their organization is hit by one. Additionally, 92 percent believe that APTs are a serious threat.

So what can an organization do to protect against advanced malware? Improved training and multiple layers of security are clearly part of the answer, and ISACA’s Cybersecurity Nexus (CSX) has a helpful guide on the subject available.

I also discussed the reality of advanced malware in an article for Processor. Read the full article here.

Rob Clyde, CISM
CEO, Adaptive Computing

[ISACA]

English
Exit mobile version