@ISACA Volume 12  14 June 2017

Today’s Top 8 Digital Threats

By Leighton Johnson, CISA, CISM, CIFI, CISSP

In my security and auditing practice, I often refer to top threats in today’s digital world with an acronym: SCRAAMMM. The letters stand for areas of threats to corporations, agencies and individuals. These areas are the focal points of threats and issues prevalent throughout the cyber security world in today’s connected operating environments. I use the acronym to help explain the wide scope and depth of threats that affect everyone.

Those threats are:

   • S: Social media—The pervasive use of social media sites keeps expanding the attack surface that organizations must monitor and protect. Using social media for corporate activities has extended the reach of companies, but it has also significantly increased their exposure to outside, sometimes nefarious, intrusions. Managing and monitoring corporate information on the various social media outlets, together with monitoring how employees use the corporate image and information there, helps an organization control that exposure and protect its reputation.
   • C: Cloud—The advent of elastic, on-demand services in the cloud has dramatically increased the concerns and exposures for security and IT personnel everywhere. The dynamic nature of the cloud and its shifting boundaries create ever-changing perimeter and network connection issues for corporations. In cloud environments, always encrypt data, at rest and in transit, to preserve confidentiality; note that encryption only protects data from the provider and from other tenants if the keys stay under the enterprise’s control rather than alongside the data.
   • R: Ransomware—The explosive growth of ransomware and its ever-increasing use has expanded the reach and pervasiveness of cybercriminals everywhere. The fact that variants and families of ransomware have increased from 4 just 3 years ago to more than 350 today shows the extent to which criminals perpetrate digital extortion across virtually every industry. Recent ransomware attacks have illustrated that basic cyberhygiene works: keeping machines patched reduces the chance of infection, and keeping current, tested backups that the malware cannot reach limits the damage when infection does occur.
   • A: Access control (elevated privileges)—Administrative/elevated privileges are consistently exploited across virtually every industry, and sometimes result in large data breaches, exfiltration of sensitive data and major disruption of services for clients and customers. Compromised accounts are still the single biggest cause (81%) of data breaches. Managing the number of elevated accounts, especially service accounts, and reviewing them regularly helps organizations control this issue.
   • A: Advanced persistent threat (APT)—ISACA has defined APTs as parasitic threats across all industries. This problem is limited only by the threat actor’s imagination as to methods and means of maintaining a presence on networks and conducting malicious activities in systems and processes for long periods of time. The vast array of APT actors today requires that every organization implement threat intelligence solutions and review its own internal data on an ongoing basis to monitor the state of its security.
   • M: Mobile—With the advent of the mobile revolution, corporations, organizations, agencies and individuals use mobile devices to conduct all kinds of business and personal transactions, including highly sensitive financial and personal data exchanges. As a result, the security perimeter of networks is often blurred or outright removed, creating a multitude of security problems around access, authentication and data manipulation. An organization can often mitigate some mobile issues with a good mobile-device management solution and realistic policies for the use of mobile devices.
   • M: Malware—In 2016, some reports indicated that 20 new malware strains were introduced every second during certain periods. Malware has become one of the primary tools used by nefarious actors and organizations to perpetrate infections, data alteration, extortion, fraud, and other negative actions or events. The malware epidemic continues to expand, and the ever-present spam emails with malware attachments or spoofed links leading to malware downloads show that end-user training is needed more than ever.
   • M: Malicious insider—Insider threat involves trusted personnel who perform negative activities with often catastrophic consequences for the organization or corporation that employs them. The reasons behind such acts are vast, wide and varied, with no single predominant cause, which is why this threat is often considered the most dangerous of them all. Establishing an insider threat program that involves security, operational, human resources and management personnel has been shown to reduce the threat. However, since internal personnel are both source and remedy, there is no magic bullet to resolve this complex issue.
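The access control item above recommends managing the number of elevated accounts, especially service accounts. The following is an added example, not code from the article or from ISACA, of the kind of review that recommendation implies: it reads a constructed directory export (the CSV column names and the privileged group names are assumptions; real directory exports differ) and flags service accounts holding elevated membership, disabled accounts still in elevated groups, and elevated accounts that have not logged on in 90 days, then reports a headcount per privileged group so the number can be tracked over time.

```python
"""Review of elevated accounts from a directory export (added example).

Assumes an export with the columns account, type, enabled, last_logon and
member_of (semicolon-separated group list). The sample rows are constructed,
not real data.
"""
import csv
import io
from datetime import datetime, timedelta

# Groups treated as elevated (assumed names; adjust to the environment).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
# Elevated accounts unused for longer than this are reported.
STALE_AFTER = timedelta(days=90)
# Reference date for the constructed sample.
AS_OF = datetime(2017, 6, 14)

# Constructed sample export, not real data.
SAMPLE_EXPORT = """\
account,type,enabled,last_logon,member_of
jsmith,user,true,2017-06-10,Domain Users;Domain Admins
svc_backup,service,true,2017-06-12,Domain Users;Domain Admins;Backup Operators
svc_legacy,service,true,2016-11-02,Administrators
tlee,user,false,2017-01-15,Domain Users;Enterprise Admins
rmoore,user,true,2017-06-13,Domain Users
"""


def parse_export(text):
    """Parse the CSV export into a list of account records."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "account": row["account"],
            "type": row["type"],
            "enabled": row["enabled"].strip().lower() == "true",
            "last_logon": datetime.strptime(row["last_logon"], "%Y-%m-%d"),
            "groups": {g for g in row["member_of"].split(";") if g},
        })
    return rows


def audit_privileged(rows, as_of):
    """Return (account, issue, elevated_groups) findings for elevated accounts."""
    findings = []
    for r in rows:
        elevated = r["groups"] & PRIVILEGED_GROUPS
        if not elevated:
            continue  # ordinary account; nothing to review here
        groups = sorted(elevated)
        if r["type"] == "service":
            findings.append((r["account"], "service account holds elevated membership", groups))
        if not r["enabled"]:
            findings.append((r["account"], "disabled account still in elevated group", groups))
        if as_of - r["last_logon"] > STALE_AFTER:
            findings.append((r["account"], "elevated account unused for more than 90 days", groups))
    return findings


def elevated_headcount(rows):
    """Count accounts per privileged group, the number the article says to manage."""
    counts = {g: 0 for g in PRIVILEGED_GROUPS}
    for r in rows:
        for g in r["groups"] & PRIVILEGED_GROUPS:
            counts[g] += 1
    return counts


if __name__ == "__main__":
    records = parse_export(SAMPLE_EXPORT)
    for account, issue, groups in audit_privileged(records, AS_OF):
        print(f"{account}: {issue} ({', '.join(groups)})")
    print(elevated_headcount(records))
```

On the constructed sample the review reports both service accounts, the disabled account that kept its Enterprise Admins membership, and two elevated accounts that have been idle for more than 90 days; the same three checks run unchanged against a larger export.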

Leighton Johnson, CISA, CISM, CIFI, CISSP, is a senior security consultant for the Information Security and Forensics Management Team of Bath, South Carolina, USA.


Remain Secure by Leveraging Emerging Technology



Threats such as ransomware and malware are on the rise, and it is critical to combat emerging threats with new security capabilities such as artificial intelligence and DevOps practices. To help enterprises leverage emerging technology to combat security risk, ISACA has partnered with TechTarget to offer the “The Next Security Frontier: Automation, Things and Intelligent Machines” virtual conference. This conference will take place on 27 June from 7:15AM to 4PM CDT (UTC -5 hours). Attendees can earn 5 free continuing professional education (CPE) hours by attending this virtual conference and completing a post-event survey.

Four sessions will take place at this virtual conference:

   • Getting Ahead of the IoT Security Curve
   • Putting the “Sec” Into DevSecOps
   • Cyber Security: Insider Threat Detection, Prevention
   • Using AI, Machine Learning to Improve Security Analytics

In addition to learning from experts in the field, attendees can connect with peers from around the world during dedicated networking time, and can access valuable content in the conference’s resource center, which includes additional material such as white papers and ISACA Journal articles.

To learn more about this virtual conference or to register for it, visit The Next Security Frontier: Automation, Things and Intelligent Machines page of the ISACA website.


Implement the NIST Cybersecurity Framework


A recent US executive order on cyber security mandates implementation of the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) for US federal agencies. While the framework is not mandatory for all enterprises, the best practices outlined in the CSF give an enterprise methods to ensure that cyber security is considered across the entire enterprise. To help enterprises leverage the CSF, ISACA has published the Implementing the NIST Cybersecurity Framework Using COBIT 5 white paper.

The CSF and COBIT 5 use a similar approach and terminology. Because it complements CSF so readily, COBIT 5 can help enterprises implement the NIST framework in their environments. This white paper provides a step-by-step guide to adopting the CSF. Enterprise challenges can vary greatly, so applying the COBIT 5 framework to the CSF is useful in ensuring proper implementation of the NIST framework.

To download this complimentary white paper, visit the Implementing the NIST Cybersecurity Framework Using COBIT 5 page of the ISACA website.


Understanding Blockchain


Although blockchain is commonly associated with the Bitcoin cryptocurrency, this developing technology has the potential to revolutionize many forms of transaction and exchange across multiple industries, from health care to real estate.

To help you understand what blockchain is and how to leverage it, ISACA’s first tech brief is focused on blockchain. The ISACA Tech Brief: Blockchain Basics provides a high-level overview on blockchain, specifically looking at Bitcoin.

This complimentary tech brief offers insights on how blockchain may impact enterprises. The tech brief also includes early adopters’ advice on the technology, which companies may want to consider before making investments in blockchain.

In addition to the tech brief, a more extensive research report, Blockchain Fundamentals: An Inside Look at the Technology With the Potential to Impact Everything, is also available. ISACA is also offering a brief on-demand course focused on blockchain technology. Viewers can earn 1 continuing professional education (CPE) hour by completing this course.

To learn more about the ISACA Tech Brief: Blockchain Basics, the blockchain research report or the on-demand course, visit the Understanding Blockchain Technology page of the ISACA website.


New Video Release Explores Digital Forensics



Cybercrimes are increasing in frequency and severity, and with the ever-increasing threat comes the need for security professionals trained to investigate cybercrime. ISACA has released a new video exploring the process of digital forensics for security practitioners and those interested in learning more about this essential security function. The video provides an overview of the field of digital forensics and the scientific process used to investigate computer-based and computer-facilitated crime.

The video is available on YouTube. For more information about digital forensics, read the ISACA white paper Overview of Digital Forensics. To learn more about cyber security training opportunities, visit the Cybersecurity Nexus (CSX) website.


Show Your Expertise With a CISA Certification

David Berkelmans, CISA, executive director of IT audit at Synergy Group Australia, shares his experience as a CISA

When David Berkelmans began working as an IT auditor in 2000, he knew it was the right career for him. In 2002, Berkelmans took the Certified Information Systems Auditor (CISA) exam, because the CISA certification is a valuable tool, especially for consultants. “I work in a consulting firm and, as such, we need to go out and win work,” he says. “Our team of IT auditors are all CISA qualified, and this sends a powerful statement to existing and potential clients that we have the skills and experience to undertake an IT audit.”

Berkelmans typically works with people who are experts in the technologies that he audits. Despite not having that same expertise, Berkelmans is able to provide reliable audits because of his CISA certification. “The people I work with know their jobs and the technology they work with inside and out,” he says. “Most of the time, I do not know the technology as well as the people with whom I am talking. Being a CISA means that although I do not know the technology as well as the experts, I do know the audit and risk concepts that apply and how to apply them to my work. It gives me credibility in my conversations.”

Despite some of the challenges he encounters on the job, Berkelmans enjoys his work and notes the impact that the CISA certification has had on his career. “Being a CISA has benefited my professional career, which has had a positive impact on my personal life,” he says. “I thoroughly enjoy the job I do and, without the CISA qualification, this may not be the job I would be doing. Our managing partner often says, ‘If you enjoy your job, you will never have to work a day in your life.’ This is certainly true for me and might not be the case if I were not a CISA.”

Berkelmans is also a member of the CISA Item Development Working Group and the immediate past president of the Canberra (Australia) Chapter. Through his involvement with ISACA, he has been able to expand his social circle and take advantage of new opportunities. “I have had the pleasure of attending many ISACA conferences and meetings. I have met like-minded people from all around the world and I have made some very good friendships with people I would otherwise have never met.”

To learn more about ISACA certifications, visit the Certification page of the ISACA website.