ISACA’s 2014 IT Risk/Reward Barometer Survey Results Reveal Internet of Things Trends

Like many people, my office tends to be airports and wherever in the world I have traveled. The advent of connected devices, wearable tech and the Internet of Things enables me to be more productive and have more contact with colleagues and friends. This is a good thing.

But at the same time, these amazing advancements are also causing disruption in our lives and workplaces. We don’t always know who has use of or control over our sensitive personal and corporate information. And since new developments are always making their way into the workplace, it is critical that we understand attitudes and actions of consumers as well as the professionals and executives on the front lines of enterprise technology.

ISACA helps build this understanding with its annual IT Risk/Reward Barometer, and the 2014 survey results show some interesting trends with significant implications. For example, 68 percent of US consumers plan to use wearable tech or connected devices at work. But despite the surge in wearable tech at work, only 11 percent of enterprises have a policy that addresses it.

Enterprises need to be aggressively proactive here, and start educating staff on the risks and the opportunities of wearable tech. Devices such as smart watches and glasses collect and transmit information that provides great value. But if this information gets into the wrong hands or is mishandled, it can be used to damage a company’s reputation, financial position, compliance activities and even its existence.

According to the latest IT Risk/Reward Barometer, “increased security threats” and “data privacy issues” are two of the biggest challenges that ISACA members list regarding the Internet of Things.

But along with the inherent risk in the Internet of Things, enterprises are also reaping benefit, such as the 29 percent that have achieved greater accessibility to information and the 26 percent that have used it to improve services. Also 22 percent have gained efficiencies and improved employee productivity. With new technology there is always the need to balance risks and rewards—and there are plenty of both in the case of the Internet of Things.

To keep tabs on evolving perceptions and trends, ISACA has fielded the IT Risk/Reward Barometer for five years. This survey is unique in that it has two components—a consumer survey and an ISACA-member survey. Globally, more than 4,200 consumers and more than 1,600 ISACA members responded this year, giving us an excellent pool of responses.

Wearable tech, connected devices and other cool advancements in the Internet of Things are making their way into every aspect of our lives. The gates are open and the tide is flowing, and we encourage you to take an “embrace and educate” approach. Having an informed and alert customer/employee/stakeholder base is a key aspect of making connected devices work for you and your enterprise.

I invite you to review the full report, infographic and news announcement for the 2014 IT Risk/Reward Barometer. I need to take off now. My smart refrigerator just told my smart watch that I need to pick up some bread on the way home from the airport.

Robert E Stroud, CGEIT, CRISC
2014-2015 ISACA International President

[ISACA]

“Know Your Enemy”— Is It Enough?

Usually attributed to the ancient treatise The Art of War by Sun Tzu, the phrase “Know your enemy” is often repeated in military and security environments and is given as guidance to junior level staff in these environments. While it is good guidance, this article will explore why it is incomplete and why this is important.
One reference gives the full quotation, rendered in modern Chinese script as “故曰:知彼知己,百戰不殆;不知彼而知己,一勝一負;不知彼,不知己,每戰必殆” complete with the English translation:

“So it is said that if you know your enemies and know yourself,
you can win a hundred battles without a single loss.
If you only know yourself, but not your opponent, you may win or may lose.
If you know neither yourself nor your enemy, you will always endanger yourself.”

The full quotation provides much fuller and richer guidance and it is important to consider the meaning and impact of the full text. Below I will examine each sentence from the English translation.

“If you know neither yourself nor your enemy, you will always endanger yourself.”
The third sentence reminds us that lack of knowledge is dangerous. If you do not know your own capabilities, structures, processes, strengths and weaknesses it is unlikely that you will be able to use your resources effectively, or be able to resist your own weaknesses being exploited. A lack of knowledge about your enemy could lead you into a false sense of security—or to overestimate the abilities of your enemy—perhaps leading you to direct defences where the attacker is weakest and the attack least likely to succeed even without your efforts. For example, you would not want to concentrate all your defences on a Windows exploit being run against a Linux server. In short, you are totally unprepared for the battle and you may well contribute to your own defeat by making incorrect decisions!

“If you only know yourself, but not your opponent, you may win or may lose.”
The second sentence reminds us that it is only slightly better to know your own strengths and weaknesses. While you will know what you have to work with, and how best to engage your resources, you will not be prepared for the actions of your opponent so it is unlikely that you will be able to effectively direct them to the best effect against the threat. Your opponent will be able to surprise you and you will thus battle to take the initiative. As you will be unlikely to be able to anticipate the actions of your enemy they will find it easier to exploit your weaknesses. Put another way, you will likely be ‘behind the game’ for much of the time and the enemy will dictate the battle.

“…know your enemies and know yourself…”
The first sentence brings this together and essentially advises that you must know yourself and your enemy. This allows you to predict the strategy and attacks of your enemy and counter them with your defences quickly and effectively. While doing this you should also be able to start active defences. For example, you can implement a honeypot to direct them away from your real assets. You may even be able to counter-attack, directing your strengths at the weak areas of your attacker. For example, you can initiate civil action against the ISP that your attacker is using to launch the attack. At the very least you will keep them guessing and they will have to divert resources from attacking you to try to predict or interpret your actions. At its most effective, this will allow you to deflect or counter most attacks quickly and effectively.

Many organisations expend time and effort conducting threat identification and analysis. This is important but only helps you understand your enemies. Technical vulnerability analysis is slightly better in that it helps you understand your weaknesses. It is equally important but less common for organisations to spend time studying themselves. Your own strengths, weaknesses and vulnerabilities contribute as much to the outcome of any battle as do those of your enemy—but you have far greater ability to know yourself—use the opportunity before an attacker does!

To help you start your journey of discovery, I have listed some recommended activities to help you “Know your enemy” and “Know yourself:”

Know your enemy

  • Threat identification and analysis
  • Future threats and trends intelligence gathering
  • Research hacking and attack tools
  • Install detection and warning systems (e.g., intrusion detection/prevention systems)
  • Consider implementing honeypots or honeynets

Know yourself

  • Conduct vulnerability scans and penetration tests.
  • Review and test incident process, including staff contact details.
  • Ensure that asset register and Configuration Management Data Base (CMDB) are current and complete.
  • Create baselines for normal conditions (e.g. network utilisation, normal traffic flows).
  • Review patching and anti-malware update process to identify any weaknesses.
  • Engage specialist incident management/forensic support (on retainer or pre-paid to ensure quick response when needed).

Richard Norman, CGEIT, CISA, CISM, CRISC
Head of Information Security, Risk and Compliance for the British Council
London, England

[ISACA]

The Providential Apple Pay

Apple introduced its new Apple Pay, which allows Apple users with enabled devices, such as the iWatch, to use their devices to check out at participating vendors. The announcement was well received by the industry and industry analysts.

Despite the increased attention to security issues of the payment card industry, people seem to agree that the concept from Apple of keeping your personal information secret and using a random or one time generated token seems providential.

It is too early to tell what impacts Apple Pay will have, but it will surely start the journey away from PCI DSS (Payment Card Industry Data Security Standard). The main players—Visa, MasterCard and American Express—have shown great support to ensure the service works and large retailers are also supporting this change. Mobile operators are also showing support and are devising new SIM cards for 2015.

So the question is—how secure are the devices involved with processing Apple Pay, including the wearable? Should we worry or not?

The iWatch and your iPhone will be available to use with Apple Pay using NFC (near field communication) technology, which already has its concerns. Apple has addressed some concerns by integrating its Touch ID fingerprint scanner and its Passbook ticket-buying app into Apple Pay. This new approach keeps personal information on the device—instead of moving account data into storage servers within easy reach of thieves.

What happens if you lose your iPhone or iWatch? Some argue that you could lose your wallet as much as one of these devices, however due to the potential to access an enormous amount of personal data, the security and personal information on these devices today is of greater concern.

Although Apple has tried to address security concerns there are still some legitimate questions from a normal user perspective. How does someone verify a legitimate Apple Pay terminal or application on their device? What security does the mobile network provide on their end?

As with all new features and technology, I would suspect that elite criminal hackers may already be identifying opportunities to steal identities and mass-harvest payment card information from this new service.

What do you think—will Apple Pay be secure? As auditors and security experts, where do we stand and how are we preparing for this technology?

Kris Seeburn

[ISACA]

How I Became A CISO: Quinn Shamblin, Boston University

The man now leading security for a major university first got the security bug when dealing in government secrets about nuclear power.

If you had a broken toy that needed fixing when you were a kid, Quinn Shamblin was the neighborhood boy to take it to. Even as a child, Shamblin was “the guy who liked to know weird, unusual stuff,” and the go-to guy for taking things apart and putting things together.

“Infosec is the first career I really latched onto that uses all those old things that were drivers for me as a kid,” says Shamblin, now the executive director and information security officer at Boston University (which does not use C- titles like CISO).

He did not, however, set out for a career in infosec. He was a physics major, and after school was recruited to teach Naval forces about nuclear power.

It was then, while dealing with so much classified information, that he became interested in security.

He pursued that new fascination by going to work for Proctor & Gamble. At P&G, it wasn’t just the intellectual property confidentiality that was important, it was availability. They required 99.997% uptime, says Shamblin. “Eleven minutes would cost the company $200,000.”

Also at P&G, he met the manager who would be a professional mentor for the rest of his career.

“You need to have people believe in you,” says Shamblin. “Someone has to look at your work and say, yeah, wow, there’s value here.”

For Shamblin, that person was Kevin McLaughlin, a former felony investigator for the Army, who shared some of the same attitudes Shamblin had developed through his tenure in the military.

The two worked well together, so when McLaughlin left the company to go create a new information security department at the University of Cincinati, he invited Shamblin to join that new team.

It was McLaughlin again who recommended Shamblin for the job at Boston University in 2010, while declining the offer to take that job himself.

Shamblin is continuing the tradition by playing the role of mentor himself. Instead of hiring people who’ve done precisely the same job elsewhere, he hires people with promise and trains them up.

“I want people to get better and better at their job,” he says, “and I want them, at some point, to leave.” Shamblin believes that he’s preparing his employees for great careers wherever they decide to go, and in a broader sense, “improving the industry by investing in these people.”

Although most companies hire CISOs from outside the organization, Shamblin wants his successor to be someone he trained, and deliberately prepared to take over.

Most of the lessons he’s passing on to those future CISOs have little to do with technology, and everything to do with business sense and communication skills.

“As a CISO, it’s more important to understand risk and the business than to understand technology,” he says. “Understand that if I do X I won’t have a business.”

Shamblin says that a CISO needs to sound like a CFO. He or she must appreciate the balance of risk and reward, and must be able to comprehend a financial analysis. He did earn an MBA himself while working at the University of Cincinati, but there is something else he gives more credit for his success than his degrees.

“I can talk,” he says. “I’m genuinely interested in [people] and they can see it.”

One key piece of advice he gives to all aspiring CISOs is to improve their communication skills, both written and face-to-face. He urges them to get formal training on this, because the difference between a well-written email or document and a poorly written one is huge — but without training you might not see the difference.

If he weren’t an information security pro, Shamblin says he would pursue another career in emergency response — and isn’t that what a lot of infosecurity is all about?

This is part three of Dark Reading’s “How To Become a CISO” series. Read parts one and two now. Come back next Monday for the next CISO origin story, which is set in a law school.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad of other topics. She authored the 2009 CSI Computer Crime and Security Survey and founded the CSI Working Group on Web Security Research Law — a collaborative project that investigated the dichotomy between laws regulating software vulnerability disclosure and those regulating Web vulnerability disclosure.

[DarkReading]

The Costs and Benefits of Using the Cloud

Eduardo Gelbstein and Viktor Polic
For a long time, organizations and individuals have relied on third-party services relating to data, information systems, and infrastructure, and many lessons have been learned in the process.
Cloud computing has established itself as a potentially valuable addition to the portfolio of third-party services. But cloud computing can introduce several issues for data owners, particularly when the data is considered sensitive in terms of confidentiality, access rights and privileges.
While the benefits of cloud computing are easy to understand (e.g., lower cost, flexibility, transfer of accountabilities for operational activities), it is prudent to remember the old adage, “If it looks too good to be true, it probably is,” and devote time to a detailed assessment of the issues described in our recent Journal article.

Cloud-related issues raised in conference discussions and various publications focus on concerns such as:

  • Data ownership and what the service provider is or is not allowed to do with this data
  • The use of encryption and management of the encryption keys and digital certificates
  • Identity and access management
  • Compliance with data protection legislation, particularly about the location of the data
  • Compliance with privacy protection legislation
  • Terms of contract, including the right to audit the service provider
  • Confidentiality and nondisclosures by the service provider
  • Access rights to data by the personnel of the service providers and its suppliers or service providers
  • Guarantees that in the case of termination of a contract there will be no copies of data left with the service provider
Other issues that could effect cloud computing are:
  • The impact on the data owners if the service provider goes out of business or is the target for an acquisition by a third party
  • The feasibility of terminating a contract and migrating the data (and related services) to another service provider

The real issue may be one of timing—the cloud is likely to be part of the service portfolio offered by third parties for many years to come. Optimists and risk takers will no doubt gain the benefits of cloud computing sooner and gain valuable experience in doing so. Those whose risk appetite is limited and deal with custom, critical applications may choose to wait until the issues discussed in ourJournal article have been addressed and resolved appropriately.

Read Eduardo Gelbstein and Viktor Polic’s recent Journal article:
Data Owners’ Responsibilities When Migrating to the Cloud,” ISACA Journal, volume 6, 2014.

[ISACA]

English
Exit mobile version