Remembering Robert E Stroud

This weekend, all of ISACA lost a dedicated leader, an engaged board member, a passionate colleague and, most notably, a dear friend. Robert E Stroud, CGEIT, CRISC, 2014-2015 ISACA Board Chair, and Board Director 2015-2018, will be deeply missed.

Only 55 years old, Rob passed away Monday, 3 September 2018, after being struck by a vehicle while jogging on Long Island, New York, USA. He is survived by his devoted family: his wife of 35 years, Connie, sons Josh and Kyle, daughter-in-law Allie Elizabeth, and grandchildren Ayden, Haylee and Jeremy.


Robert E Stroud

Rob brought boundless energy and enthusiasm into everything he did for ISACA—and those contributions were many. He was board chair for the 2014-2015 term, and was a driving force in the launch of ISACA’s Cybersecurity Nexus (CSX). Prior to that, he was international vice president of ISACA, member of the Strategic Advisory Council and Governance Committee, and chair of ISACA’s ISO Liaison Subcommittee. He was a COBIT champion and contributed to COBIT 4.0, 4.1 and 5, as well as numerous COBIT mapping documents. Additionally, he was involved in the creation of ISACA’s Basel II, Risk IT and Val IT guidance.

His excitement about emerging technologies and extensive knowledge of assurance, governance, cloud security and DevOps made him a highly sought-after speaker at events around the world—including ISACA’s. Rob’s technical expertise, his excitement to travel and share his knowledge around the world, and his humor and wit in delivering remarks will be greatly missed.

Rob’s dedication to the profession extended beyond ISACA. He previously served on the itSMF International Board, the board of the itSMF USA and multiple itSMF local chapters.

Additionally, he served as a member of the ITIL Update Project Board for ITIL 2011 and in various roles in the development of ITIL v3.

Rob’s high-impact career in assurance, governance and innovation leaves a lasting legacy. Rob was Chief Product Officer at XebiaLabs, where in the last year he primarily focused on DevOps scalability in the enterprise. Prior to that role, he was Principal Analyst for Forrester Research Inc., where he helped large enterprises successfully drive their DevOps transformations and guided them through organizational change.

He spent more than 15 years in multiple roles at CA Technologies, including Vice President of Strategy and Innovation, where he predicted changing trends in the domains of assurance, cybersecurity, governance, security and risk. He also advised organizations on strategies to ensure maximum business value from their investments in IT-enabled business governance.

On a personal note, Rob has been my good friend and mentor. It was his inspiration and support that led me to serve on the ISACA board of directors. I have had the privilege of co-presenting with Rob many times, and frequently we have had lively discussions about new technology, cloud, DevOps and how we can help ISACA have even greater impact. The day before his passing, I was working on a DevOps presentation using slides that Rob had put together and just shared with me to use. Having collaborated with him for so many years, enjoying his advice, company, humor and zest for life, I feel like I have lost a part of me. I’m sure many of you feel the same, and we will explore a fitting way to honor his contributions and legacy. I will let you know of those opportunities as they are decided by the board in a timely fashion.

Rob was always looking forward to new trends, new challenges and new opportunities, so he could best serve his clients, his colleagues, and his friends, whether bonds were just formed or existed for decades. His exuberance lit up the room wherever he went, and he was truly a guiding light and progressive proponent for the association and our professional community.

Rob’s enduring spirit of innovation will continue to influence ISACA and our global family for years to come.

Thank you, Rob. You are gone too soon. We miss you.

Rob Clyde, CISM, ISACA Board Chair

[ISACA Now Blog]

Source: https://www.isaca.org/Knowledge-Center/Blog/Lists/Posts/Post.aspx?ID=1064

Global Knowledge: ISACA Certifications Command High Salaries

Of all the certifications represented annually in the Global Knowledge IT Skills and Salary Report, ISACA is more prominent in our top-paying certifications list than any others. This year, ISACA occupies five spots in the top 20, including three in the top six worldwide.

ISACA is associated with two important truths for business technology professionals:

  1. Enhancing a wide range of careers
  2. High salaries

ISACA’s certifications in cybersecurity and governance produce the highest salaries. This is in line with our overall salary data, as governance ranks second and security fifth in average global salaries by category.

Here’s a list of the five top-paying ISACA certifications for 2018 (average salaries are for North America):

1. CGEIT: Certified in the Governance of Enterprise IT

Average salary: $117,544
CGEIT is the top-paying certification in the United States and ranks third worldwide ($92,821). Its North American salary is 34% higher than the average for all certified professionals. This certification is designed for individuals who manage, advise or provide assurance services around enterprise IT governance.

Tenure is among the reasons CGEIT-certified professionals typically have higher salaries. To take the exam, an individual needs at least five years of experience in at least three of the five domains the certification covers, including at least one year in the IT governance framework area.

2. CRISC: Certified in Risk and Information Systems Control

Average salary: $107,968
CRISC ranks sixth in North America and second worldwide in average salary. Its average salary is 23% higher than the average for certified professionals. CRISC is a risk management and security credential designed for IT professionals, project managers and others whose job it is to identify and manage IT and business risks through information systems controls.

Globally, six security certifications made our top-20 list, with CRISC trailing only CISSP in average salary. Cybersecurity positions in general pay well, with the average among North American respondents at $101,083, which is more than $13,000 above the average.

Related training: CRISC – Certified in Risk and Information Systems Control Prep Course

3. CISM: Certified Information Security Manager

Average salary: $105,926
CISM ranks seventh in North American salary and sixth globally. It’s aimed at information security management professionals, focusing on security strategy and assessing the systems and policies in place. To take the exam, certification candidates are required to have at least five years of experience in IS, with at least three as a security manager.

It’s now common that many government agencies require their IS and IT professionals to have a CISM certification.

Related training: CISM – Certified Information Security Manager Prep Course

4. COBIT 5 Foundation

Average salary: $102,112
This premier governance credential has a North American salary that tops $100,000 and a worldwide salary that ranks 11th overall ($77,300). COBIT 5 provides a comprehensive framework that assists enterprises in achieving their objectives for the governance and management of enterprise IT.

ISACA’s governance credentials (COBIT 5 Foundation and CGEIT) are two main reasons why governance certifications have the second highest average salary globally ($84,420).

Related training: COBIT 5 Foundation

5. CISA: Certified Information Systems Auditor

Average salary: $97,117
CISA ranks 13th in the US and globally in average salary. It’s also the most popular certification amongst our survey respondents, with 1,923 CISA-certified professionals. The CISA is perfect for individuals whose job responsibilities include auditing, monitoring, controlling and assessing IT and business systems. The exam tests the ability to manage vulnerabilities.

Originating in 1978 and now in its 40th year, CISA is ISACA’s oldest certification. It requires at least five years of experience in information systems auditing, control or security.

Ryan Day, Content Marketing Manager, Global Knowledge

[ISACA Now Blog]

Source: https://www.isaca.org/Knowledge-Center/Blog/Lists/Posts/Post.aspx?ID=1063

Addressing GDPR Challenges in Poland

GDPR: An acronym and a buzzword that has set many of us into “alert mode.” Since it was set in motion more than two years ago, thousands of people have worked hard to ensure their organizations were prepared by the enforcement deadline of 25 May 2018, and they continue to do so. But among the good guys and gals, there were also some “louche” characters (“louche” is a French adjective meaning “shady,” and was used in CNIL’s video on GDPR). These are people who had no ethical problem providing misleading guidance and wrong answers to the many questions concerning GDPR.

Unfortunately, Poland was among those countries where this phenomenon grew to be a danger to the whole idea of protection of personal data. Here are just a few examples of the consequences of the created havoc:

  • Hospitals refused to inform parents whether their children were admitted after a serious bus accident with many schoolchildren injured;
  • Teachers started calling out pupils by their assigned numbers instead of their names;
  • Closure of a cemetery, because some gravestones had names of living persons on them; and
  • Offers of special GDPR-compliant filing cabinets.

These situations were widely described and discussed on the internet in Poland, raising concern. To counteract this, in June this year, the Minister of Digital Affairs empowered Mr. Maciej Kawecki, the Director of the Department of Data Management at the Ministry, to create a special task force to deal with the worst absurdities. Mr. Kawecki is a top data protection specialist who is coordinating the work done in Poland to adapt Polish law to GDPR. The mission is very challenging; there are about 800 regulations that need to be revised. In the next few weeks, the Polish Parliament will debate the first package of legislative changes.

Mr. Kawecki posted a call for volunteers to work in the group. This proved to be a very sought-after, widely appreciated initiative, and the response was huge. From the several hundred candidates, 93 people were picked to work in five groups on issues concerning specific topics: health, education, finance/telecoms, public administration and general issues.

I had the pleasure to be selected to be a member of the education team. We come from a mix of different professions and different involvement in day-to-day school activities. This creates additional value as we have different perspectives and experience that enable us as a team to take a much broader look at GDPR issues.

In the first stage, we were asked to compile replies to seven especially pressing questions concerning schools. We came to the conclusion that each question should have two answers:

  1. A short one, of the “YES/NO” type with just a brief added comment, so that headmasters and headmistresses would know right away what they can or cannot do, and
  2. A long one, with legal references to the applicable regulations concerning school and pre-school education and some practical advice for all concerned.

We already have noted our first success. Part of our work has been used in the GDPR guide for schools, just published by the Ministry of Education together with the Polish supervisory authority.

The creation of a GDPR task force by the Ministry of Digital Affairs is a highly recommended approach. It gives data protection professionals the opportunity to get involved in supporting GDPR compliance at the national level. It also creates opportunities for an exchange of knowledge and experience between practitioners and the government officials in charge of developing regulations and recommendations. The Ministry intends to continue using our group to obtain practical and up-to-date information on issues and problems concerning GDPR implementation and to develop appropriate guidelines. This also gives us the opportunity to share our ideas and thoughts with our peers and to disseminate good GDPR practices to stakeholders in both the public and private sectors.

A good example of the usefulness of guidelines developed by official organizations is the “Guidelines on the protection of personal data in IT governance and IT management of EU institutions” published by the European Data Protection Supervisor (EDPS). These good practices are based on ISACA’s COBIT 5 and describe the data protection aspects related to the processing of personal data. With just a few minor changes that basically come down to replacing “EU institutions” with “data controllers,” this document can easily serve large and small organizations from the public and private sectors, in the European Union and outside it, in their efforts to achieve GDPR compliance.

Joanna Karczewska, CISA, ISACA GDPR Working Group

[ISACA Now Blog]

Source: https://www.isaca.org/Knowledge-Center/Blog/Lists/Posts/Post.aspx?ID=1062

Meet Your Cybersecurity Advocate: 5 Questions with Tony Vizza

Tony Vizza, CISSP, is the newest addition to the (ISC)² Cybersecurity Advocacy team! Based in Sydney, Australia, Tony works with corporations, government agencies and academic institutions to encourage collaboration across the industry, effective cybersecurity curriculums and strong legislation to attract and enable the workforce we need to manage the Asia-Pacific region’s most critical security issues. Tony has worked in the field for more than 25 years and has earned the CISSP certification, as well as the CRISC, CISM and is certified as an ISO/IEC 27001 Lead Auditor. To get to know Tony a bit better, we asked him five questions …

  • What brought you into the profession we now know as “cybersecurity?”

I started at a young age “discovering vulnerabilities” in my school’s network systems. From there, I went on to study computer science at university. IT has always been in my blood and over the past ten years, network security and cybersecurity have been the core of my professional career.

  • What career accomplishment are you most proud of?

Far and beyond all else – even both of my university degrees – I am most proud of achieving my CISSP certification. It was a culmination of months of study and preparation, on top of years of experience, and it finally made me feel proven to work in the field of information security. I had fantastic mentors and supporters who helped me through the process and I felt both disbelief and on top of the world when I passed my exam!

  • What is something about cybersecurity that you wish those outside of the field had a better understanding of?

Like many other industries portrayed in the media, our reality is much more mundane than the fictionalized version the rest of the world is presented with. The most effective protection against “hackers” isn’t what you see on CSI, but rather understanding the value of your own personal data. It’s important to understand how IT devices share information and remember to be mindful of what you post on social media. Human education is infinitely important. In fact, it is the most important factor in ensuring good cybersecurity.

  • What are you most looking forward to in your role as a Director of Cybersecurity Advocacy at (ISC)²?

I am looking forward to making a difference in the lives of many people in the APAC region, by helping to empower our members. When our members are able to succeed in their own endeavors, that is the best way to magnify our message of creating a safe and secure cyber world.

  • When not advocating for the cybersecurity professional – and the profession itself – where might our members find you?

You will most likely find me playing with my two toddler children, helping my partner with housework, studying law at university, or (hopefully) catching up on sleep! I also enjoy watching live stand-up comedy, taking a relaxing walk along the beautiful coastline of Sydney or attending a great music festival with my family.

Tony joins John McCumber, our director of cybersecurity advocacy for North America, in working for you, the cybersecurity professional. You’ll be hearing even more from Tony in this blog, our InfoSecurity Professional magazine and at cybersecurity events around the Asia-Pacific region.

[(ISC)² Blog]

Source: http://blog.isc2.org/isc2_blog/2018/08/meet-your-cybersecurity-advocate-5-questions-with-tony-vizza.html

Can Blockchain Help Fight Digital Ad Fraud?

If you are a netizen, you must have already noticed how certain ads pop up while you are watching videos on YouTube. Most of the time, these advertisements are closely connected to the products and brands you have searched for recently. However, this is not always the case! Finding fake ads for reputable brands like Mercedes-Benz and Waitrose is not uncommon at all. According to reports from The Times of London, several reputable brands have found their advertisements placed alongside objectionable and explicit content.

Why should you care about online ad fraud?
If you are an advertiser, this should be a cause of concern for you. According to a recent study, over 20% of the clicks you are getting on your ads can be from bots and tricksters. Censoring the internet and running the entire web without advertisement is impossible. In short, good content and commendable user experience require sponsorship.

Sadly, advertisers are pouring money into digital ads, but they are not receiving the returns they expect. The advent of various smart devices may have expanded the ways content is viewed, but it has done little to ensure that the content is genuine.

According to the Association of National Advertisers, entrepreneurs are wasting over $7 billion on online adverts people do not see. The experts expect the numbers to grow beyond $335.5 billion in the next two years. When companies are ready to spend billions on online advertisements, it is understandable why malicious activities are always around the corner, waiting.

We have seen the likes of Methbot, which cost the ad industry around $5 million per day. Its operators used bots to mimic human activity and created over 250,000 individual domains. These new sites resembled big names like ESPN and Vogue.

Digital ad fraud is a serious concern for advertisers and users, too. While the fraudsters use bots to mimic human behavior, trace cursor movements, and hack social media accounts, they fake their geo-location data to avoid detection. As a result, along with regular display ads, the premium online video advertisements are also taking a hit. Digital fraudsters are messing up analytical data, upturning the KPIs and disrupting online campaigns of many of the more reputable brands in the world.

Blockchain as a potential solution to online fraud
Is there any current technology that can prevent pixel stuffing, ad stacking, search ad frauds and affiliate ad frauds? Experts say that it’s possible. They believe that advertisers can prevent similar frauds by turning to blockchain. We are not talking about cryptocurrencies, but the decentralized open-source ledgers.

A fusion of existing ad technology and blockchain can give advertisers the power to keep an eye on each impression and eliminate the fear of fraud. Leading advertising research bodies like the Interactive Advertising Bureau’s Tech Lab and the Data & Marketing Association are already working on creating a blockchain solution that can help advertisers detect and prevent fraudulent activities. However, the wide variety of online ad frauds makes the task of developing a uniform system difficult.

Below are the major use cases of blockchain that can be implemented to prevent online ad frauds:

Ethereum-based ready solutions – Several startups and advertising research companies have been working on blockchain systems that can stop bots and impostors. Ethereum is the best-known blockchain right after Bitcoin. Instead of a central ad server, it offers a decentralized system to advertisers to monitor the activity of their partners. Google, Amazon, Twitter, YouTube, Facebook, and Snapchat have adopted similar history-proof, decentralized ledgers.

Blockchain counterattack – This mechanism adopted by the Ads.txt DApp allows publishers and content owners to list the authorized sellers of their inventory in a .txt file. This file is served from within the root path of their domain’s web server.
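The authorized-seller file the paragraph refers to is the IAB Tech Lab ads.txt format (served at /ads.txt on the publisher's domain). The following Python is an added example, not code from the original post or from the Ads.txt DApp: it parses that format and lets a buyer verify that a seller/account pair claiming to sell a publisher's inventory is actually listed. The file contents, domain names and account ids are constructed.

```python
"""Parse a publisher's ads.txt and check whether a seller is authorized.

Each data line of an ads.txt file lists one authorized seller as
    <ad system domain>, <publisher account id>, <DIRECT|RESELLER>[, <cert authority id>]
Lines starting with '#' are comments; 'name=value' lines are variables
(e.g. contact=, subdomain=). The sample file below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SellerRecord:
    ad_system: str       # e.g. "exchange.example" (constructed name)
    account_id: str      # the publisher's account id at that ad system
    relationship: str    # "DIRECT" or "RESELLER"
    cert_authority: str  # optional certification authority id, "" if absent


def parse_ads_txt(text: str) -> Tuple[List[SellerRecord], Dict[str, List[str]]]:
    """Return (seller records, variables) from raw ads.txt content."""
    records: List[SellerRecord] = []
    variables: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if "=" in line and "," not in line:  # variable line, e.g. contact=...
            key, value = line.split("=", 1)
            variables.setdefault(key.strip().lower(), []).append(value.strip())
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 3:
            continue  # malformed data line: skip it rather than guess
        relationship = fields[2].upper()
        if relationship not in ("DIRECT", "RESELLER"):
            continue  # unknown relationship value: do not treat as authorized
        cert = fields[3] if len(fields) > 3 else ""
        records.append(SellerRecord(fields[0].lower(), fields[1], relationship, cert))
    return records, variables


def is_authorized(records: List[SellerRecord], ad_system: str,
                  account_id: str) -> Optional[str]:
    """Return the listed relationship for (ad_system, account_id), else None."""
    for r in records:
        if r.ad_system == ad_system.lower() and r.account_id == account_id:
            return r.relationship
    return None


# Constructed sample: what a publisher might serve at /ads.txt.
SAMPLE_ADS_TXT = """\
# ads.txt for publisher.example (constructed)
contact=adops@publisher.example
exchange.example, pub-1234, DIRECT, cert-placeholder   # direct seat
reseller.example, 9876, RESELLER
this line is malformed
"""

if __name__ == "__main__":
    recs, vars_ = parse_ads_txt(SAMPLE_ADS_TXT)
    print(vars_, is_authorized(recs, "exchange.example", "pub-1234"))
```

A seller that is not listed (or is listed with a different account id) should be treated as unauthorized for that publisher's inventory.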

Blockchain-based exchange for traders – A combination of the financial matching engine and the latest blockchain technology allows advertisers to enable transparent transactions. It is a NASDAQ Inc. initiative that aims to provide advertisers and publishers a completely secure platform that supports buying, selling and re-trading advertising contracts.

In the digital era, online ads are an important channel for brands to reach their target audience. Ad fraud not only puts a hole in the pockets of brands but also harms end users, who need reliable information to make the right decisions. With the ability to bring transparency to the system and trace an online asset, blockchain can surely help reduce, if not completely stop, digital fraud.

Ankit Shrivastav

[ISACA Now Blog]

Source: https://www.isaca.org/Knowledge-Center/Blog/Lists/Posts/Post.aspx?ID=1061
