International President: Cybersecurity and Professionalization

Lately, it seems like a data breach, hack or cyberattack makes the news daily. I was at the recent ISACA/IIA Governance Risk and Control (GRC) conference when I read that hackers stole data on 4.5 million patients of a health system. With incidents like this occurring more frequently, there is an increasing demand for professionals who have the cybersecurity skills and resources to combat this growing threat. It is clear that bad actors have set their sights on the vulnerabilities of any type of enterprise, including medical, business and critical infrastructure.

Despite this growing need for cybersecurity skills, until recently the field was fragmented with no clear path set for those who want to pursue the cybersecurity profession. Recognizing this gap, ISACA conducted extensive research and planning with global business and cybersecurity experts. As a result, ISACA identified a need for a single, central location where security professionals and their enterprises can find cybersecurity research, guidance, certifications, education, mentoring and community. Subsequently, we launched the Cybersecurity Nexus (CSX) in April 2014.

The drumbeat for professionalizing cybersecurity is only getting stronger. A recent report from Salve Regina University’s Pell Centerfor International Relations and Public Policy also proposes an alternative to the current, ad hoc, decentralized approach to cybersecurity workforce development. The authors call for the creation of a professional association dedicated entirely to cybersecurity.

The Pell report notes that forming a new association focused on cybersecurity will take time—time that enterprises don’t have if they are to keep up with the rapidly expanding expertise of hackers. This is also one of the reasons why ISACA made the investment in creating CSX. ISACA is able to use much of its existing infrastructure and global subject matter experts to hit the ground running. ISACA, which has been serving IT professionals for 45 years, has been a highly respected provider of certifications, training and networking for global professionals for more than 30 years.

So when we established CSX, we made a commitment: We will do for cybersecurity professionals what we have done and continue to do for assurance and governance professionals. Whether you are a seasoned professional or new to the field, we will be your resource for the training, credentials, guidance and community to develop your cybersecurity career. In addition to other activities, we are offering the first Cybersecurity Fundamentals Certificate workshop and exam in October, which is also Cybersecurity Awareness Month—a cause for which we are a champion.

This is an exciting time in our industry and an extraordinary time for ISACA and our members. Organizations around the world are in need of skilled and knowledgeable cybersecurity professionals—and we’ll do everything we can to help you succeed in those roles.

Robert E Stroud, CGEIT, CRISC
International President, ISACA

[Source: ISACA]

Assessing Control Effectiveness — An Essential Part of Every Risk Assessment

Control effectiveness is measured by looking at the maturity of the process. Most people agree that mature processes are documented, but why? Transferring knowledge from the human brain requires conversion from tacit knowledge to explicit knowledge, so that it can be shared, reviewed, updated and tested. Think about it. If we relied on tacit knowledge all the time, there is a good chance that the outcomes would be different every time the process was executed, unless they had a plan to follow, which is where explicit knowledge comes into play. Quality management requires that we integrate feedback loops to push a process even higher in maturity. Continuously monitoring and making adjustments to perfect the process can only be achieved with explicit knowledge.

Building the perfect control to mitigate risk is one thing, but making sure that it gets implemented, monitored and maintained adequately, so that it is functioning 100 percent, is yet another. This requires the assessment of competence for those employees or contractors who have been assigned the responsibility to get the job done! I like to leverage my knowledge as a teacher using Bloom’s Taxonomy. I create at least six basic questions to determine how much the employee knows. For example, I recently created a one-page assessment for CyberSecurity Leader.

We have evaluated the control for maturity and assessed competence of the administrator. Now we need to verify and validate that the control is functioning as planned. There are similar approaches that work, from using quality assurance techniques to penetration testing. This part should be looked at every time changes occur that touch the control in any way. We need a solid baseline for assessment control effectiveness, and to accomplish that, I like to integrate the use of design qualification (DQ), installation qualifications (IQ), operational qualifications (OQ) and performance qualifications (PQ).

Based on my experience, the most secure systems are those that establish and maintain absolute control over the environment. I often joke with senior management about my number-one rule, “No surprises!” Quality management is deep in knowledge about establishing control and assessing process, so it is only logical that we would assimilate this knowledge into information security.

DQ is the architecture, or specifications, used to build a service or product. Any changes must be strictly controlled; so, while DQ sets out the design, IQ defines the specifications, or standard operating procedures, for installing a new piece of software or hardware. Control design is a related topic that would allow you to map where this control applies within the risk universe as it mitigates risk to a specific asset that is used to deliver a service or product. OQ documents the configuration specifications that could be recorded in the configuration management database used by ITIL also ISO 20000. Once everything has been documented and procedures have been followed, the PQs are reviewed. What were the expected response times? How can we optimize them to meet customer expectations?

Whomever gets the job of reviewing control effectiveness should be looking at three key elements—maturity, competence and testing—to verify and validate that what we said we would do we have actually achieved. The importance of assessing control effectiveness during regular audits is obvious. The assessment of control effectiveness during risk assessment as part of the risk management and governance process is absolutely crucial to provide all the facts to management quantified in a meaningful way.

I have seen plenty of external audits that have gone in a direction where hundreds of thousands of dollars and sometimes millions are spent on new controls that may not have been necessary if the current investment in security was better quantified and managed. This is an evidence approach that can easily be shared and reviewed and scrutinized. Too much control could negatively impact the business model, organizational culture, agility or time to market and resilience by creating more complexity that is expensive to maintain and difficult to replicate in emergency situations.

Mark E.S. Bernard, CISA, CISM, CGEIT, CRISC, CISSP, ISO 27001 Lead Auditor

[Source: ISACA]

European Initiatives For a More Secure Cyber World

Europe is poised to tackle cybersecurity headfirst with initiatives that are growing in strength and support. In 2013, the Cybersecurity Strategy for the European Union and the Commission Proposal for a Directive on Network and Information Security presented legal measures and provided incentives aimed at increasing the security of Europe’s online environment. These efforts are supported by theEuropean Network and Information Security Agency (ENISA), as well as by the Computer Emergency Response Team for the EU institutions (CERT-EU).

As part of ISACA’s holistic Cybersecurity Nexus (CSX), ISACA is addressing the need for cybersecurity guidance in Europe by releasing the European Cybersecurity Implementation Series of white papers and an audit program, which includes:

  • European Cybersecurity Implementation: Overview
  • European Cybersecurity Implementation: Risk
  • European Cybersecurity Implementation: Resilience
  • European Cybersecurity Implementation: Assurance
  • European Cybersecurity Audit/Assurance Program

The white papers address cybersecurity in the context of European Union (EU) laws, regulations and best practice, with a focus on using the COBIT 5 framework and related materials. They provide practical implementation guidance that is aligned with ENISA, European requirements and good practices.

The overview outlines how cybersecurity is discussed and directed in the European context, including institutions, organisations and recognized best practices. In some aspects, this is different from what might be expected in a U.S. setting or other geographies, given that there are 28 EU member states and several associated countries. As a result, there are EU level cybersecurity recommendations as well as national strategies, laws and regulations to be taken into account. This overview paper is designed to provide orientation and set the scene for more detailed aspects discussed in the risk, resilience and assurance papers.

Cybersecurity creates a multitude of new risks, many of which are part of the cultural, social and technical context of security. The risk paper in the series therefore addresses typical European perspectives on cybersecurity risk, including those that may be unique to one or more countries within the Union. In line with the COBIT 5 lens concept, the risk paper further provides a drill-down on using the available COBIT 5 cybersecurity materials in a targeted manner.

Resilience is one of the primary, but often neglected, aspects of cybersecurity. In Europe, resilience thinking is an important element of cybersecurity, both in the business and in the technical sense. The resilience paper within the cybersecurity series addresses the European view on creating, maintaining and improving resilience through various steps of a life cycle. It also covers European and national laws, regulations and best practices in creating cybersecurity resilience.

With the advent of a directional and declared EU cybersecurity strategy and digital agenda, many cybersecurity initiatives are beginning to produce results, often set down as legal, regulatory or industry requirements. In terms of cybersecurity governance and management, it is important to provide robust assurance over cybersecurity arrangements, including auditable evidence and processes. The assurance paper within the cybersecurity series offers insights on how to set up, maintain and uphold the requisite level of assurance in the EU and associated countries. The paper makes use of tried and tested COBIT 5 concepts and the underlying control universe and applies these to the EU landscape.

The ISACA European Cybersecurity Implementation Series is a living set of documents. In the near future, additional helpful tools will be released. These include a matching and mapping tabular paper for quick reference purposes throughout the 28 member states, as well as so-called country files providing subject matter expert advice on cybersecurity details in many European countries.

Rolf von Roessing, CISA, CISM, CGEIT
President, Forfa AG
Past International Vice President, ISACA

He will discuss “Responding to Cyberattacks” and “COBIT 5 for Security” at ISACA’s 2014 EuroCACS/ISRM Conference taking place 28 September – 1 October in Barcelona, Spain. For more information about the conference and to register, visitwww.isaca.org/eucacs-isrm2014.

[Source: ISACA]

Sony, XBox Victims Of DDoS, Hacktivist Threats

Hacktivists from Anonymous and from a presumed Islamic extremist group targeted a variety of online gaming services.

Services are up and running again after a denial of service took down Sony’s PlayStation Network for much of Sunday, coinciding with a bomb threat on American Airlines flight 362, which carried John Smedley, president of Sony Online Entertainment. The threats caused the airline to divert the flight.

Other online gaming services — including Microsoft’s XBox Live, Eve Online, and the services that host World of Warcraft and Diablo III — also experienced disruptions. The culprits seem to be hacktivists, but just which hacktivists is unclear, because several are trying to take credit for the attack, citing different motives.

One group, Lizard Squad, took credit for the attacks and presented two motives on Twitter. One tweet Sunday morning said that Sony “aren’t spending the waves of cash they obtain on their customers’ PSN service. End the greed.” A subsequent tweet stated, “Kuffar [non-believers] don’t get to play videogames until bombing of the ISIL [Islamic State of Iraq and the Levant] stops.” The account made many references to the Islamic extremist group ISIS.

On Sunday afternoon, Lizard Squad also tweeted the cryptic message “.@AmericanAir We have been receiving reports that @j_smedley’s plane #362 from DFW to SAN has explosives on-board, please look into this.”

The group tweeted at Smedley with the hashtag #PrayForFlight362 and a video from 2001 of a plane crashing into the World Trade Center.

On a separate account, a hacker associated with Anonymous claimed responsibility for the attack, showing screen shots to prove the work and stating that the attack was launched to highlight vulnerabilities in the PlayStation Network.

Microsoft confirmed that some customers were experiencing disruptions. However, it seems that Lizard Squad found that Microsoft’s XBox Live network was sturdier than Sony’s. The group tweeted Monday, “Microsoft props to you for giving us a challenge, good work. Sony, smh [shaking my head].”

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad of other topics. She authored the 2009 CSI Computer Crime and Security Survey and founded the CSI Working Group on Web Security Research Law — a collaborative project that investigated the dichotomy between laws regulating software vulnerability disclosure and those regulating Web vulnerability disclosure.

[Source: DarkReading]

What Will Ease Healthcare’s Heartburn Over ‘Heartbleed’?

One of the latest breaches to hit the news took place at Community Health Systems (CHS), affecting an estimated 4.5 million patients.  According to principal security consultant and founder of TrustedSec, David Kennedy, the initial attack vector was through the infamous OpenSSL “heartbleed” vulnerability that led to the compromise of the information.

What is especially noteworthy about this particular attack is its impact on the healthcare community.  Major data breaches such as the one at Target last year put the spotlight on how retailers need to do a better job at guarding our sensitive financial information from cyber criminals. However, a May 2014 study by BitSight Technologies rated healthcare and pharmaceutical companies even worse than retailers in terms of security performance.

BitSight compared the performance of finance, utilities, retail, and healthcare groups within the S&P 500 from April 2013 through March 2014. Overall, healthcare companies scored lowest, at about 660 on a scale of 250 to 900.  Not only did the healthcare sector have the most security problems, but companies also took the longest to fix the problems—on average 5.3 days, according to the report.

The importance of a strong vulnerability management and patching program is well documented but, as with all 0-day vulnerabilities, there is a period of time in which a patch is not available to fix the problem.  So, what could CHS have done differently in this case?

As this rapidly evolving industry faces increasing challenges to keep personal health information protected, there is a need to ensure that knowledgeable security and privacy practitioners are in place to protect this sensitive information.  Without knowing the specifics of the information security program in place at CHS, it is hard to come up with short and/or long term recommendations.  Although I believe it is safe to assume that CHS could have used more “eyes on target” during that critical time block from when the “heartbleed” vulnerability was initially discovered and reported to when a patch was available for rollout.  Thus, to help address the short term need, it is critical for all companies to analyze their current monitoring and detection programs and make sure the right people, processes, and tools are in place.

Longer term, we need to come up with a better way to quickly determine the cyber posture of an organization – and not just those from the healthcare sector.  Through the use of a scoring method, the BitSight study provided an efficient and effective approach to help compare organizations against one another – similar to how a business runs credit checks before consumers can open a banking account, take out a car or home loan, or even get a job.  While this method would require the creation of standards and additional work to implement, it’s an idea worth considering.

[Source: (ISC)² Blog]

English
Exit mobile version