A Prominent Place at the Table for Rural Technological Advancements

When the general public thinks about today’s exciting technological breakthroughs, the imagery that springs to mind is unlikely to be a crowded pigpen in China or yam fields in the farmland of Nigeria. Yet, rural areas are the frontlines for some of the most important gains technology is enabling in modern society. The growing imprint of technology-driven advancements on the agriculture industry and in rural areas, generally, is one of the tech field’s most promising success stories.

Digital transformation is making its mark on the agriculture industry, with the Internet of Things, blockchain, robotics and drones among the technological forces that are helping to offset modern obstacles that previous generations of farmers did not have to overcome. In the not-so-distant past, farmers fretted about the weather, pests and their equipment – and that was about it. Today’s farmers must contend with a range of more sophisticated challenges, such as market volatility, international trade friction, serious labor shortages, borrowing costs and capital availability, and an increasingly complex regulatory environment.

Amid these challenges, in an industry known for razor-thin margins between success and failure, enabling even a 5% increase in yield can make a dramatic difference. Technological innovation increasingly is the path to swinging that equation in farmers’ favor by equipping them with an expanded set of solutions to their challenges. At the same time, for these innovations to serve their important purpose, it is imperative for security professionals to support suppliers’ and distributors’ assurance that these technologies are being deployed safely and securely throughout the supply chain.

Technology enabling a global bounty
The recent Forbes AgTech Summit underscored how key industry advancements – such as more reliable pathogen detection, autonomous wheelbarrows and analytics software that allows farmers to more accurately predict crop conditions – are capable of improving profitability for farmers and providing a more robust global bounty that will be increasingly critical as population growth, climate change and soil degradation put strain on the world’s food supply.

Much of the technological progress that is recalibrating the way food is being grown and distributed is attributable to automation. The implications of automation can cut in both directions, often driving improved business outcomes while, in some cases, imperiling job security for current workers. The net impact of automation, though, tilts heavily in a favorable direction when it comes to the agriculture industry. In many countries, including the United States, agriculture workers are in short supply, not because automation has put them out of work, but because of a range of factors that include urbanization and more stringent enforcement of immigration laws. Automation is a potent force in counteracting that labor shortage, producing driverless tractors and more efficient planting and harvesting that maintain productivity and prevent crops from going to waste while people around the world go hungry.

It is not just automation that is serving as a new catalyst for farmers and food producers; a variety of emerging technologies are modernizing business models in rural areas around the world. From a Chinese tech giant deploying AI-powered pig-tracking systems, to a growing number of blockchain implementations that will allow food to be tracked globally throughout the supply chain, more efficiently addressing customer risk, it is encouraging to see technology deployed so creatively in an industry that affects all of us on a daily basis.

The ability to more effectively address food security is especially notable, with blockchain and IoT technology allowing inspectors and consumers to become aware of potential hazards in a more timely fashion and avert potential health crises. Dubai has shown leadership in this regard, moving to put in place a food monitoring system that will make its reported $200 billion of annual food imports safer and more secure for its residents.

Life-saving health measures
Agriculture is not the only cornerstone of rural life that is being enhanced by technological innovation. Medical drones in Africa deliver life-saving supplies that are not readily available in local clinics, such as blood, medicine and emergency vaccines. In China this year, a logistics firm initiated delivery of goods to sparsely populated areas that will rely on larger drones transporting products to warehouses and smaller drones connecting rural residents with final deliveries. As with all technological innovations, organizations must deploy the needed safeguards and controls to keep pace with the deployment of these new technologies, with drones in particular posing several legal and security considerations. Organizations must determine their appetite for added risks and liabilities introduced by a drone program, as well as how to meet the related compliance requirements on an ongoing basis.

Undeniably, however, these are significant opportunities for residents of rural areas that would not have been possible as recently as five years ago. Even as global population trends reflect increasing urbanization, the capabilities that are being developed will ensure farmers and rural residents stand to benefit from technological innovations that are taking root every bit as much as city-dwellers. As digital transformation spreads beyond our urban hubs to rural fields throughout the globe, it is up to the security community to perform the due diligence necessary to enable these advancements to truly blossom.

Editor’s note: This article was originally published in CSO.

Matt Loeb, CGEIT, CAE, FASAE, Chief Executive Officer, ISACA

[ISACA Now Blog]

Five Keys for Adaptive IT Compliance

The fluid technology and regulatory landscape calls on IT compliance professionals to be more flexible and proactive than in the past to remain effective, according to Ralph Villanueva’s session on “How to Design and Implement an Adaptive IT Compliance Function,” Monday at the 2018 GRC Conference in Nashville, Tennessee, USA.

The IT compliance function serves as an important bridge between the audit and IT departments, in addition to articulating business-related IT and security initiatives to management, and recommending and implementing appropriate compliance frameworks.

Business model changes, legal considerations, government requirements and evolving industry regulations are among the common reasons that organizations may need to more frequently explore switching their frameworks than in the past. Villanueva, IT security and compliance analyst with Diamond Resorts, referenced the General Data Protection Regulation (GDPR), which became enforceable in May, as an example of a recent regulatory shift that could have significant compliance ramifications. Additionally, he cited industries such as banking, healthcare and gaming as having special requirements calling for the use of compliance frameworks.

While acknowledging that the need to explore new or additional frameworks can cause “compliance anxiety” and organizational resistance, considering the corresponding investments in time and resources, Villanueva said effective use of people, processes and technology can make the process worthwhile in the long run. Given the increasing need to implement different frameworks to deal with a growing set of compliance complexities, Villanueva laid out five steps to be actively compliant across several frameworks while remaining in line with budget realities:

  1. Understanding beats memorizing. Compliance professionals who truly understand the intent of a framework are best positioned to adapt it to their organizations.
  2. Know your organization. Having a clear handle on the organization’s business model, mission and array of information and technology resources allows for more strategic compliance.
  3. Anticipate how today’s trends will influence what you do tomorrow. Variables such as the need to incorporate more mobile device security and use of emerging technologies such as artificial intelligence (AI) and machine learning may call for recalibrating compliance processes.
  4. Know that some fundamentals never change. Despite the volatile landscape, Villanueva said there still needs to be focus on established compliance priorities such as application controls and segregation of duties.
  5. Keep learning. Investing in personal development and prioritizing networking are some of the best ways to keep current and “future-proof” career paths.

Villanueva cited COBIT 5, NIST 800-53, ISO 27001:2013 and PCI-DSS 3.2 as examples of useful frameworks for compliance professionals, and said identifying commonalities among different frameworks can make for a more efficient approach. Villanueva recommended IT compliance frameworks because they:

  • Simplify compliance;
  • Reduce the likelihood of missing compliance requirements;
  • Maximize everyone’s time;
  • Allow for clearly understood expectations;
  • Are commonly accepted by control stakeholders.

The importance of compliance professionals should not be overlooked. Aside from potential legal ramifications resulting from inadequate compliance, Villanueva said having strong compliance programs in place is critical to deter corruption and costly illegalities.

“We’re here to make sure that crime doesn’t pay,” Villanueva said.

[ISACA Now Blog]

An Overlooked Upside to Cybersecurity Roles – They’re Fun!

Recent surveys and studies have emerged that show interest in cybersecurity as a potential career field at uncomfortable lows. In fact, a recent ProtectWise report showed that only 9 percent of millennials indicate cybersecurity is a career they are interested in pursuing at some point in their lives. This disturbing finding has far-reaching potential consequences in a field that desperately needs a stronger workforce.

To understand these findings, the study posits several factors that could be to blame for the low level of interest, from lack of exposure to cybersecurity in school curricula, to lack of personal connections, such as relatives, in the relatively new field of cybersecurity. However, another element, often hushed, and rarely acknowledged, lurks throughout the field’s perception – lack of fun. Sadly, many people don’t consider cybersecurity as a “fun” field – and that’s a false assumption, as there are multiple elements that make cybersecurity an enjoyable career path. Considering the level of engagement cybersecurity professionals enjoy, the evolving nature of the profession, its constant relevance, growth rate, and pay, cybersecurity can be a fun field, as long as individuals give it a chance.

One of the most enjoyable aspects of cybersecurity is the level of engagement it requires of an individual. Many jobs consist of the day-to-day grind of waking up, performing the same task several times, eating lunch, performing the same task, and going home. Little-to-no engagement occurs in these job roles, resulting in a bored and ineffective workforce. However, cybersecurity is quite the opposite. As seen in several reports, including ISACA’s 2018 State of Cybersecurity research, cyber-attacks are constant and growing in frequency. As a result, many incident responders and cyber teams find themselves immersed in their job, engaged in the dissection, analysis, and evaluation of attacks to better protect their organization. Oftentimes, this takes the full attention of these individuals, who lose track of time and realize they’ve been actively engaged in their work all day, resulting in very little boredom.

These growing attacks also are constantly evolving. Many of the day-to-day attacks against an organization vary in shape, size, and composition, and require an engaged workforce to actively combat them. These individuals act as live guardians in a digital world, identifying each potential attacker and assailant by cross-referencing them against previous attacks and exploitation. Oftentimes, this can be the hardest part of the job, as attack mechanisms such as worms and viruses are like hydras, with two different variants appearing once one variant is killed. In fact, one such type of attack, a polymorphic virus, makes slightly different copies of itself each time it infects a system in an effort to throw scanners off of its trail. Hunting these changing malicious codes and actors often brings a smile to the face of cyber professionals, as each time an attack changes and the responder stops it, the responder becomes that much stronger and more experienced.

These constant attacks also contribute to another element that makes cybersecurity fun: its relevance. Since new attacks and attack vectors are always emerging, cybersecurity professionals must stay up to date on all the potential exploitations that are discovered to meet their responsibilities of protecting the business operations of an organization. This, in turn, makes cybersecurity professionals incredibly relevant to the business and the field overall. Relevance in an organization oftentimes translates to respect and recognition. This is reinforced by the rise of the CISO and CIO roles in Fortune 500 companies. No longer are these individuals relegated to the back row by other executives; instead, they are more commonly brought to board of directors meetings to discuss the organization’s security stance.

While the relevance of the cybersecurity field is important, it does not amount to much if there is nobody to staff the workforce. As seen in the 2018 State of Cybersecurity research, there are not nearly enough cybersecurity professionals in the field to keep up with the explosive growth and need. As a result, cybersecurity professionals are valuable diamonds to be cherished and cultivated within the organization. Thanks to this growth, cybersecurity professionals enjoy the fruits of a seller’s market – and that can be pretty fun.

Finally, something which all millennials should consider as they chart their future careers: pay. Everybody wants a career that will pay well, and cybersecurity offers that opportunity. The Robert Walters Salary Survey of 2018 indicated that cybersecurity pay will rise by an additional 7 percent around the world in 2018, outpacing all information technology roles, which on average will see about a 2 percent increase. Although having an engaging, evolving, relevant job in a growing field is fun, knowing that it pays well is another cause to smile.

Everyone is different and defines job fulfillment through their own personal lens. However, if finding a job enjoyable, engaging, and fun is a top priority, it’s worth considering cybersecurity as a potential career. On the outside, it may seem bland, but taking a closer look reveals that working in cybersecurity can be much more fun than most people think.

Editor’s note: For more of Frank Downs’ thoughts on the fun side of cybersecurity and relevant industry trends, listen to the recent ISACA Podcast, The State of Cybersecurity.

Frank Downs, Director and SME, ISACA Cyber Security Practice

[ISACA Now Blog]

Lessons from the Reddit Breach

An attacker gained access in June to Reddit users’ data, including usernames, passwords, email addresses and private messages from 2005-2007. The attacker also gained access to more recent data, including current usernames and emails.

This data allows hackers to try to break into sites where users might still be using the same passwords. Although the compromised passwords were encrypted, they are likely crackable using today’s tools.

Because the email digests also include current usernames and emails, this linkage could allow attackers to determine the actual identity of users. If those users have been receiving content or engaged in posts that could be embarrassing, this may lead to blackmail; hackers might threaten to make private messages public or share them with family or friends.

Reddit users should ensure that, across platforms, they are not still using any passwords from the breached timeframe. Users should also consider passwords that are in line with NIST’s recent guidance.

What your organization can do to prevent a similar breach
Periodic password changes and secure password choices are good practices for Reddit users and non-users alike. Additionally, there are system-wide changes that organizations can make to protect against breaches.

Employees with access to sensitive systems or with powerful privileges, like admin accounts, represent a high-value target for attackers, so organizations should pay particular attention to the security of such accounts.

One way to improve account security is the implementation of strong multifactor authentication. SMS is often used for consumer account two-factor authentication, but it can be compromised by attackers with some effort, as occurred with the admin accounts in the Reddit breach.

A cryptographic token system is a more secure alternative to the SMS two-factor authentication method that was compromised in the Reddit breach. Tokens take more effort to implement than SMS two-factor authentication, but they are also difficult to spoof. Authentication tokens are generated cryptographically and often have limited lifetimes: sometimes, as little as one or two minutes.

Many organizations have been using strong authentication based on physical or software tokens for decades. For particularly sensitive accounts like admin accounts, this has long made sense and is hardly a new idea.
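The limited-lifetime token described above is what a time-based one-time password (RFC 6238 TOTP, built on the RFC 4226 HOTP construction) provides. The following is an added example, not code from the article or from any product it mentions; the shared secret and the one-minute step are constructed for the demonstration. It shows the server-side check a practitioner actually cares about: a code is accepted only within a short clock-skew window and only once, so a code captured in transit cannot be replayed.

```python
import hashlib
import hmac
import struct

# Constructed demo secret. A real token is provisioned with a random,
# per-account secret that never leaves the token and the verifier.
DEMO_SECRET = b"constructed-demo-secret-not-for-real-use"
STEP_SECONDS = 60   # token lifetime: the code changes every minute
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the counter,
    dynamically truncated to a short decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: float, step: int = STEP_SECONDS) -> str:
    """Time-based code (RFC 6238): HOTP whose counter is the current time step."""
    return hotp(secret, int(at // step))


class TokenVerifier:
    """Server side of the exchange. Accepts a code only if it matches the
    current step or one step either side (clock skew), and never accepts a
    step at or before the last one already used (replay protection)."""

    def __init__(self, secret: bytes, step: int = STEP_SECONDS, skew_steps: int = 1):
        self.secret = secret
        self.step = step
        self.skew_steps = skew_steps
        self.last_accepted_counter = -1

    def verify(self, code: str, now: float) -> bool:
        current = int(now // self.step)
        for counter in range(current - self.skew_steps, current + self.skew_steps + 1):
            if counter <= self.last_accepted_counter:
                continue  # already consumed: a replayed or older code is rejected
            # constant-time comparison so timing does not leak how many digits matched
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_accepted_counter = counter
                return True
        return False


if __name__ == "__main__":
    t0 = 1_700_000_000          # constructed "now" (seconds since the epoch)
    verifier = TokenVerifier(DEMO_SECRET)
    code = totp(DEMO_SECRET, t0)
    print("fresh code accepted:", verifier.verify(code, t0))
    print("same code replayed:", verifier.verify(code, t0 + 5))
    print("code five minutes later:", TokenVerifier(DEMO_SECRET).verify(code, t0 + 300))
```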

Other detection tools your organization should use for breach prevention
Organizations should also use auditing and intrusion detection tools to quickly alert them to a situation when such an account is engaged in abnormal behavior.

Since admin accounts are very powerful, the information security team and IT auditors should carefully review the protection for these types of accounts, including the use of multifactor authentication, and determine if audit trails and intrusion detection tools can be turned off or tampered with by the admin accounts in question. Otherwise, attackers who breach such admin accounts will have the ability to simply bypass the monitoring. In many cases, the underlying operating system or application does not provide tamper-proof audit trails and intrusion detection; third-party tools will need to be implemented.
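One building block of a tamper-evident audit trail is a hash chain: each entry commits to the hash of the previous one, so an administrator who edits or deletes an entry in the middle breaks the chain, and anchoring the latest hash outside the admin's reach catches truncation of the tail as well. This is an added example, not code from the article or from any audit product; the log records are constructed.

```python
import hashlib
import json
from typing import List, Optional, Tuple

GENESIS = "0" * 64   # hash the first entry chains to


def entry_hash(prev_hash: str, record: dict) -> str:
    # canonical JSON so the same record always hashes the same way
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


def append(log: List[dict], record: dict) -> List[dict]:
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"record": record, "prev": prev, "hash": entry_hash(prev, record)})
    return log


def verify_chain(log: List[dict], expected_tail: Optional[str] = None) -> Tuple[bool, int]:
    """Walk the chain from GENESIS. Returns (ok, index of the first bad entry, or -1).
    expected_tail is the last hash as recorded on a system the admin cannot write to;
    without it, silently dropping the newest entries is undetectable."""
    prev = GENESIS
    for i, e in enumerate(log):
        if e["prev"] != prev or entry_hash(prev, e["record"]) != e["hash"]:
            return False, i
        prev = e["hash"]
    if expected_tail is not None and prev != expected_tail:
        return False, len(log)
    return True, -1


def build_demo_log() -> List[dict]:
    # Constructed admin-activity events, the kind of trail an intruder would want to erase.
    log: List[dict] = []
    append(log, {"ts": "2018-06-14T02:10:05Z", "user": "admin1", "event": "login", "src": "203.0.113.7"})
    append(log, {"ts": "2018-06-14T02:10:40Z", "user": "admin1", "event": "sudo", "cmd": "cat /etc/shadow"})
    append(log, {"ts": "2018-06-14T02:11:02Z", "user": "admin1", "event": "service_stop", "svc": "auditd"})
    return log


def delete_entry(log: List[dict], index: int) -> List[dict]:
    """Simulates an admin removing one entry without re-hashing anything else."""
    return [e for i, e in enumerate(log) if i != index]


def rewrite_entry(log: List[dict], index: int, record: dict) -> List[dict]:
    """Simulates an admin editing one entry and recomputing only that entry's hash."""
    copy = [dict(e) for e in log]
    copy[index]["record"] = record
    copy[index]["hash"] = entry_hash(copy[index]["prev"], record)
    return copy


if __name__ == "__main__":
    log = build_demo_log()
    anchored_tail = log[-1]["hash"]   # would be shipped to a write-once store
    print("intact:", verify_chain(log))
    print("middle entry deleted:", verify_chain(delete_entry(log, 1)))
    print("tail deleted, no anchor:", verify_chain(delete_entry(log, 2)))
    print("tail deleted, with anchor:", verify_chain(delete_entry(log, 2), anchored_tail))
```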

Organizations should also locate old files that contain personally identifying information, like email addresses, usernames or encrypted passwords. These files should be securely deleted or protected in some fashion. In many cases, it is older files that were not well protected, copied and then forgotten about, often due to employee turnover, that potentially pose regulatory compliance risks.

Proactive data governance measures are more important than ever in today’s landscape, as the Reddit breach and countless others attest.

Rob Clyde, ISACA board chair, executive chair of the board of directors for White Cloud Security and independent board director for Titus

[ISACA Now Blog]

Persuasion: A Core Competency for GRC Professionals

Imagine this as a GRC professional. It’s April 2016. The European Parliament passes the General Data Protection Regulation (GDPR) with an enforcement date of May 2018. Your organization is impacted. You are going to own this.

At first, you ask yourself – should I get going on this now? The answer is yes; the reality is you won’t. A year passes and the media pipes up about the clock ticking. You start to hear in your peer groups that people are starting to think about what they are going to do, but there’s little action. The clock strikes Q4 2017, your anxiety elevates, the consulting firms and professional organizations inundate your inbox with updates, trainings, services, etc., so you start your journey (late). You get organized, start reaching out to HR, IT, anyone who could be impacted. Crickets. A month passes. Two months pass, and it’s Q1 2018. You follow up. Finally, a response, maybe two come in. Finally, some momentum!

You re-engage your stakeholders, you email, call, try and set up meetings. Crickets. Q1 earnings come around. Analysts are asking. Your CEO says you are all over it and ready for the go live. Senior leadership is looking for an update. You’re working on it as best you can. The emails get responded to, finally. It’s a fire drill. You work tirelessly. GDPR goes live. You’re not quite there, but close enough that you finish by your Q2 earnings release. It’s been a disaster, but it’s over (until the next time).

GRC professionals, a lot of them, live this awful cycle every time there’s a new regulation, accounting standard, etc. Why is this? Our jobs should be simple. We carry the big stick! Most of what we support is tied to law, standards and regulations. Our organizations have to comply or face potentially stiff penalties and reputational damage. Why don’t they? They claim no resources, or budget, or time. We’ve heard it all.

Why aren’t they listening? I argue that we don’t leverage persuasion and build the skills to persuade.

The reality we live in as GRC professionals is that we simply can’t be successful in our job if we don’t persuade, and if we can’t persuade, we risk insufficiently addressing or failing to address risks to the organization. The repercussions could be severe. We could hinder our own and our teams’ careers and damage our reputations. In the narrative above, we all know who’s going to be on the hook if there’s a problem. And it won’t be those who ignored us for the better part of a year.

Persuasion is a skill. Some of it can be taught; most of it we already know (or could be defined as common sense). We simply need to be aware of this and implement some simple (in most cases) techniques to tilt the scales:

  1. Rapport is critical. If they don’t like you, send in someone else they do. We can’t persuade someone who doesn’t like us.
  2. Acknowledge the stigma that may be attached to your title and role. Let’s be honest – colleagues may not really enjoy getting a visit from a GRC colleague. Acknowledging this might help remove the first barrier.
  3. Recognize the impact of mood. Having a bad day? Your counterpart having a bad day? Move the meeting; it simply won’t be productive.
  4. Get out of a negative environment. The workplace can be a source of stress, so go grab a coffee or lunch or a drink. This is the real reason so many folks use “let’s grab a coffee” or a similar approach to get things done.
  5. In person is always better. Smile a lot and use your colleagues’ names when you see them – people like hearing their name. Keep your tone of voice positive and upbeat. And while you’re at it, avoid using the word “I” – it will turn them off.
  6. Use how, not why, when requesting support. To most people, “why?” feels like an accusation. Don’t believe me? Think about how you feel when your boss or your spouse asks “why” you didn’t do something. It puts most people right on the defensive. “How” invites both parties to strive toward a common goal. The simple statement “GDPR goes live in 6 months – how do we ensure our organization is prepared?” invites both potential solutions and a sense of ownership in both parties.
  7. Listen. I mean it. Really listen. Can you do it? I can’t. Why? Because when I’m not talking, I’m thinking about what I am going to say next. Is that really listening? Bring someone with you to important meetings, and make it their job, and only job, to listen (take note of tone), watch body language, take notes, etc. Review that feedback after the meeting.

This seems easy enough, but the reality is if you don’t thoughtfully leverage some of these steps routinely, you’ll never reap the rewards. These won’t work all the time, but they’ll help increase the chance of success in your GRC role.

Have they helped me? You tell me – ever convinced a subsidiary to upgrade their ERP as part of an audit report? I have. And it was by using these tactics.

I’ll be discussing this topic further at the GRC conference next week in Nashville, Tennessee, USA. Track me down at GRC; I’d love to speak about these topics and lend a hand if I can.

Brian Tremblay, Chief Audit Executive, Acacia Communications

[ISACA Now Blog]
