@ISACA Volume 13  29 June 2016

The Danger Inside: Tips for Preventing Insider Threats

By Avani Desai, CISA, CRISC, CIA, CIPP, CISSP, PMP

Insider threats are becoming more widely recognized as a problem among organizations. One report found that 89% of organizations felt threatened by insiders because of the knowledge of the organization and its information that insiders possess. The types of attacks perpetrated by insiders may take a number of forms, including:

  • Malicious attack—This attack occurs when a disgruntled employee intentionally discloses company intellectual property, e.g., to a third party for financial gain.
  • Password sharing—This attack occurs when employees share their passwords with a third party who then steals or exposes data.
  • Accidental exposure—This type of attack occurs when an employee or associated person (e.g., a contractor) accidentally exposes data, such as in the loss of a laptop.

The types of data exposed by insiders vary and depend on the motive. Some reasons people commit insider breaches include financial gain or to expose information for social or ideological reasons (as was the case with Edward Snowden) or for revenge against the company.

One of the main methods contributing to insider-initiated data exposure is believed to be the misuse or sharing of privileged user credentials, usually a username and password. The same survey referenced previously found that 55% of respondents felt that privileged users were the greatest internal threat to their organization. This survey is supported by the finding that 52% of US-based IT staff have shared administrative credentials with a colleague and 59% have shared credentials with a contractor.

There are also countless examples of accidental exposure of data. This would involve, for example, losing a laptop or USB key, leaving a fax out on a desk for everyone in the office to see, or accidentally sending an email to the wrong person. Email is one of the most common causes of accidental data exposure. A high-profile example of this type of accidental data exposure was seen during the 2014 G20 meeting in Brisbane, Queensland, Australia. The Australian Immigration Department accidentally emailed the personal details of the G20 participants, including US President Barack Obama, Russian President Vladimir Putin and German Chancellor Angela Merkel, to the organizing committee of the Asian Cup.

Preventing someone inside the organization from exposing sensitive and proprietary data is a difficult task, but mitigating this risk should be part of an overall security strategy. Here are some tips to keep data safe from insider threats:

  • Educate—Because many insider threats are purely accidental, not malicious, education can go a long way. This means educating the entire organization, from the board of directors down, about how data loss can occur. Training staff to be careful with email recipient lists and to keep laptops and other devices safe at all times is a baseline security requirement for any organization.
  • Reduce the risk of privileged credential sharing with multi-factor authentication (MFA)—It might prove difficult to stop password sharing altogether, but this risk will be mitigated by requiring a second factor to be used to log in. If a privileged user does share his/her password, then the person using the shared password would need that second factor to log in. Second factors are usually something such as a short message service (SMS) text code sent to the original user’s phone or a code generated on a hardware device.
  • Use adaptive authentication measures—This is a technique that uses risk levels to increase the level of authentication needed to access a given resource. For example, if a user attempts to authenticate from a new IP address, that user would be required to use additional layers of authentication to gain access.
  • Use a behavioral analysis tool and a security information and event management (SIEM) tool—There are a growing number of sophisticated tools that can recognize insider threat behaviors and alert security professionals to potential issues. Some of the most advanced tools use machine learning to build behavior profiles and reduce the number of false positives that older technologies produce. Be sure to tune these tools to the enterprise’s particular environment and then deal with these events in a timely manner.
  • Use known techniques to prevent malicious code infection—Some insiders are known to insert malware onto the network to steal login credentials and exfiltrate data, such as intellectual property. Do not forget the security basics such as patching vulnerabilities and pruning unused functions and user accounts.
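As an added illustration that is not part of the article, the adaptive-authentication and credential-sharing tips above can be expressed as one small risk-scoring policy: a login from an unfamiliar address or by a privileged account steps up to MFA, and the same account appearing from two addresses within a short window raises a SIEM-style alert. The sample events, enrolled addresses, score weights and the AdaptiveAuthPolicy class are all assumptions constructed for this example.

```python
from collections import defaultdict

# Constructed sample authentication events: (seconds, user, source_ip, is_privileged).
# admin1 is a privileged account whose credential appears from two different
# addresses within minutes, the pattern the text describes as credential sharing.
SAMPLE_EVENTS = [
    (0,   "alice",  "10.0.0.5",     False),
    (60,  "alice",  "10.0.0.5",     False),
    (120, "admin1", "10.0.1.9",     True),
    (180, "admin1", "203.0.113.7",  True),   # unfamiliar address, privileged
    (200, "admin1", "10.0.1.9",     True),   # back on the enrolled address 20 s later
    (400, "alice",  "198.51.100.3", False),  # unfamiliar address, not privileged
]

# Enrolled "home" addresses per user (assumed to come from prior login history).
ENROLLED_IPS = {"alice": {"10.0.0.5"}, "admin1": {"10.0.1.9"}}


class AdaptiveAuthPolicy:
    """Risk-scored login decisions plus SIEM-style alerts for shared credentials."""

    NEW_IP = 2          # unfamiliar source address for this user
    PRIVILEGED = 2      # privileged accounts always clear the MFA threshold
    CONCURRENT = 3      # same account from two addresses inside the window
    MFA_THRESHOLD = 2   # assumed weights; tune to the environment

    def __init__(self, enrolled_ips, concurrent_window=300):
        self.known_ips = defaultdict(set, {u: set(ips) for u, ips in enrolled_ips.items()})
        self.last_seen = {}                    # user -> (seconds, ip)
        self.concurrent_window = concurrent_window

    def evaluate(self, ts, user, ip, privileged):
        """Return (risk, decision, alert) for one login attempt and record it."""
        risk, alert = 0, None
        if ip not in self.known_ips[user]:
            risk += self.NEW_IP
        if privileged:
            risk += self.PRIVILEGED
        prev = self.last_seen.get(user)
        if prev and prev[1] != ip and ts - prev[0] <= self.concurrent_window:
            risk += self.CONCURRENT
            alert = (f"possible shared credential: {user} seen from {prev[1]} "
                     f"and {ip} within {ts - prev[0]}s")
        decision = "require_mfa" if risk >= self.MFA_THRESHOLD else "allow"
        # Assumes the step-up succeeded, so the address becomes known for this user.
        self.known_ips[user].add(ip)
        self.last_seen[user] = (ts, ip)
        return risk, decision, alert


def run_sample(events=SAMPLE_EVENTS):
    """Evaluate the constructed events; return per-login decisions and alerts raised."""
    policy = AdaptiveAuthPolicy(ENROLLED_IPS)
    decisions, alerts = [], []
    for ts, user, ip, privileged in events:
        risk, decision, alert = policy.evaluate(ts, user, ip, privileged)
        decisions.append((user, ip, risk, decision))
        if alert:
            alerts.append(alert)
    return decisions, alerts


if __name__ == "__main__":
    for row in run_sample()[0]:
        print(row)
```

Running it shows alice's first two logins allowed, every admin1 login stepped up to MFA, two alerts for admin1's address switch inside the window, and alice's later login from a new address stepped up without an alert because it falls outside the window.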

With the correct measures in place, organizations can significantly reduce the risk and impact of insider threats. This will reduce the likelihood of data exposure, which will in turn prevent reputational damage and customer losses.

Avani M. Desai, CISA, CRISC, CIA, CIPP, CISSP, PMP, is the executive vice president at Schellman & Company Inc. Desai has more than 13 years of experience in IT audit, attestation, security and privacy. Recently, her focus has been on emerging technology concerns and issues.

 

2015 Annual Report Highlights Year of Growth

ISACA News

ISACA’s 2015 Annual Report spotlights ISACA’s activities and accomplishments last year and emphasizes that by acting on our core value, “We are one,” we can achieve great things.

The annual report details the association’s growth in 2015. More than 28,000 new members joined ISACA last year, raising the overall membership to 124,357 members in 187 countries. ISACA’s global footprint expanded to 213 chapters in 90 countries.

Among ISACA’s 2015 highlights noted in the annual report are:

  • A volunteer engagement model was created to allow for greater flexibility in volunteer opportunities.
  • A new initiative, the Future of Local Engagement, was among the steps taken in 2015 to strengthen ISACA’s global presence. ISACA also grew external partnerships in China, India and Africa and built on the strong relationships we have with the Committee of Sponsoring Organizations of the Treadway Commission (COSO), International Organization for Standardization (ISO), European Union Agency for Network and Information Security (ENISA), the US National Institute of Standards and Technology (NIST) and other organizations.
  • The development of student and women’s career programming—including networking and information sessions—set the stage for further growth in 2016.
  • The first-ever CSX Conference was held in Washington DC (USA), and the CSX Practitioner certification was launched.

PDF, interactive and video versions of ISACA’s 2015 Annual Report can be found on the Annual Report page of the ISACA web site.

 

ISACA Congratulates 2015-16 Award Winners

ISACA News

ISACA would like to congratulate the winners of the 2015-16 awards, many of which were presented in June at the Annual Meeting of the Membership in Chicago, Illinois, USA.

Professional Awards

Michael Cangemi Best Book/Article Award
This award is given to recognize individuals for major contributions to publications in the field of IS audit, control and/or security. This year, the award was presented posthumously to Ed Gelbstein, CISA, CGEIT, for his ISACA Journal “IS Audit Basics” column.

Eugene M. Frank Award for Meritorious Performance
Named after ISACA’s first president, this award recognizes individuals for outstanding contributions to ISACA/ITGI. It is for performance that far exceeds the norm, and nominations are accepted only from a current board member or past international president. The award is granted with input from the international president and approved by two-thirds support from the ISACA/ITGI Board of Directors/Trustees. This year, ISACA presented the award to Robert E Stroud, CGEIT, CRISC.

John Kuyers Award for Best Speaker/Conference Contributor
This award was instituted during the 1996-97 year to recognize individuals for major contributions in the development of ISACA global conference(s) and/or outstanding speaking achievements. This year’s award was presented to Mark Thomas, CGEIT, CRISC.

Harold Weiss Award for Outstanding Achievement
Instituted in 1985 to recognize individuals for dedication to the IT governance profession, this award is for achievement that far exceeds the norm. This year’s award was presented to Sushil Chatterji, CGEIT.

Paul Williams Award for Inspirational Leadership
This award is given to an ISACA volunteer to recognize strategic leadership accomplishments on ISACA’s behalf. The recipient must have contributed to ISACA over the course of several years and far exceeded the norm in achieving strategic results and/or driving ISACA’s strategy forward. This year, the award was presented to Tony Hayes, CGEIT.

Certification Awards

Each year, a variety of awards relating to the Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT) and Certified in Risk and Information Systems Control (CRISC) certification exams are presented. Worldwide top and second highest scorers on the June, September and December exams and the highest scorer in each geographic area for each exam are recognized.

Thomas H. Fitzgerald Award
This award is given in recognition for achieving the highest worldwide score on the June, September and December 2015 CISA examinations. The award was earned by:

  • June—Fred Langeneckert, CISA, CISM, CISSP, CPA
  • September—Waseem Ahmed, CISA, ACA
  • December—Charles A. Ritchie, CISA, CISM, CISSP, GSEC, PMP

CISA Worldwide Achievement Award
This award is given in recognition for achieving the second highest worldwide score on the June, September and December 2015 CISA examinations. This award was earned by:

  • June—William Gordon Wright, CISA, FITSP:A, Security+
  • September—Jeff B. Bragg, CISA
  • December—Edgar B. Butler, III, CISA, CISSP, ITILv3

CISM Worldwide Excellence Award
This award is given in recognition for achieving the highest worldwide score on the June, September and December 2015 CISM examinations. This award was earned by:

  • June—Bruce Shackleton, CISM, CISSP
  • September—Peter OToole, CISA, CISM, CISSP
  • December—Brian K. Johnson, CISA, CISM, CPA, CNE, CPIM, MCSE

CISM Worldwide Achievement Award
This award is given in recognition for achieving the second highest worldwide score on the June, September, and December 2015 CISM examinations. This award was earned by:

  • June—Brian D. Murphy, CISM, CPHIMS
  • September—Simon Andrew Walker, CISM, CCSK, CISSP, MBCS, and Kirk Henry, CISM, CGEIT, CRISC (tie)
  • December—Justin David Barber, CISM, CRISC, CISSP, GLEG, GSNA, Achim A. Hecker, CISA, CISM, CRISC, PMP, Paul Sylvestre, CISM, Leonardo Croppo, CISA, CISM, CRISC, CCSA, CIA, CISSP, CRMA, and Moeen Qaemi Mahmoodzadeh, CISA, CISSP, ISO27K1, ITIL (tie)

CGEIT Worldwide Excellence Award
This award is given in recognition for achieving the highest worldwide score on the June and December 2015 CGEIT examinations. This award was earned by:

  • June—Russell Baker, CGEIT
  • December—Frederic Vert, CISA, CISM, CGEIT, CRISC, CISSP

CGEIT Worldwide Achievement Award
This award is given in recognition for achieving the second highest worldwide score on the June and December 2015 CGEIT examinations. This award was earned by:

  • June—Miriam I. Lane
  • December—Roger Keith Williams, CGEIT

CRISC Worldwide Excellence Award
This award is given in recognition for achieving the highest worldwide score on the June and December 2015 CRISC examinations. This award was earned by:

  • June—Arnold Brouwer, CISA, CRISC, CIA, CRMA
  • December—Derek Downes, CISA, CISM, CRISC, CISSP, PMP

CRISC Worldwide Achievement Award
This award is given in recognition for achieving the second highest worldwide score on the June and December 2015 CRISC examinations. This award was earned by:

  • June—Nancy Kar Yee Chan, CISA, CGEIT, CRISC, CMIIA, and Ross Cameron Peachey, CISA, CISM, CRISC (tie)
  • December—Simon Schneiter, CRISC, PCI QSA

CISA Geographic Excellence Award
This award is given in recognition for achieving the highest score in the geographic area on the June, September and December 2015 CISA examinations. This award was earned by:

June

  • Area 1—Binto Kurien, CISA, CGEIT, PMP, PRINCE 2, TOGAF
  • Area 2—Manuel Roberto Luna Duerte, CISA
  • Area 3—Kai Florian Tschakert
  • Area 5—Rachael Greaves, CISA

September

  • Area 1—Chun Kuen Wong, CISA, CRISC
  • Area 2—Edgar Eduardo Castaneda Totozintle, CISA, CISM
  • Area 5—Miriam I. Lane

December

  • Area 1—Vineet Hemant Beri, ITIL
  • Area 2—Pablo Damian Gutierrez, CISA
  • Area 3—Maciej Kosz, ITIL V3 Foundation
  • Area 5—Robert Todd Gordon, CISA, CISM, CGEIT, CISSP, PMP

CISA Geographic Achievement Award
This award is given in recognition for achieving the second highest score in the geographic area on the June, September and December 2015 CISA examinations. This award was earned by:

June

  • Area 1—Andrianto Wardhana, CISA
  • Area 2—Carlos Sanchez-Sicilia Valero, CISA, CISM, CGEIT, CRISC, CBAP, ITIL, PMP, TOGAF, and Kattia Fernandez Quesada, PMP, RMP (tie)
  • Area 3—Konrad Trubas, CISA, CISM, ITIL Foundation
  • Area 5—Ivan Dean, CISA, CISM

September

  • Area 1—Chee Huey Min
  • Area 2—Diego Javier Rosales Sanchez, CISA, CISM, CRISC
  • Area 3—Adrian Sieber, CISA, CCSK, CISSP, and Micha Mosseveld, CIA, EMIA (tie)
  • Area 4—Daniel Brodie, CISA, and Kim Z. Dale, CISA (tie)
  • Area 5—Ramesh Emmanuel Maheswaran, CISA, FCMA

December

  • Area 1—Cheng Man Wai, CISM
  • Area 2—Jorge Vergara
  • Area 3—Vladimir Naimark, CISA, CISM, CISSP, Jeroen Jaspers, CISA, CISSP, SCF, Sergio Oteiza, CISA, and Mark McDermott, CISA, CISM, CISSP (tie)
  • Area 5—James Hyland, CISA

CISM Geographic Excellence Award
This award is given in recognition for achieving the highest score in the geographic area on the June, September, and December 2015 CISM examinations. This award was earned by:

June

  • Area 1—Gladwin Thomas, CISM, CEH, CISSP, Security+, and Kok Hwee Lim, TOGAF (tie)
  • Area 2—Claudio Dodt, CISM, CRISC, CISSP, ITIL, ISMAS
  • Area 5—James Alexander Falk

September

  • Area 1—Li Zheng
  • Area 2—Jorge Augusto Salazar, CISA, CISM, CRISC, ABCP, CISSP
  • Area 5—Christian Haider, CISA, CISM, CGEIT, CISSP

December

  • Area 2—Carlos Sanchez-Sicilia Valero, CISA, CISM, CGEIT, CRISC, CBAP, PMP, TOGAF
  • Area 3—Steven Greenham, CISM, CISSP, and Mike Glassey, CISA, CMIIA (tie)
  • Area 5—Ivan Dean, CISA, CISM, Colin J. Lewis, CISSP, SABSA, and Aaron Finnis, CISM, CEH, CISSP (tie)

CISM Geographic Achievement Award
This award is given in recognition for achieving the second highest score in the geographic area on the June, September and December 2015 CISM examinations. This award was earned by:

June

  • Area 2—Claudio Roberto Grassi Silotto, CISM
  • Area 3—Fotios Tsifountidis, CISA, CISM, CRISC, and Michael M. Etale, CISSP (tie)
  • Area 4—Sebastien Boire-Lavigne, CISM
  • Area 5—Dean Kastelic, CISM, CISSP

September

  • Area 1—Stephen Hodson, CISM, and Kraisit Vittinanon, CISM (tie)
  • Area 2—Lesly Grajales Vaquiro, CISM, ISO 27001 LA
  • Area 4—Joseph Z. DeLeon, CISM, CISSP
  • Area 5—R. John Thomas, CISA, CISM, QSA

December

  • Area 1—Wee Kit Chan, CISM
  • Area 2—Nicolas Mathias Serrano, CISA, CISM

CGEIT Geographic Excellence Award
This award is given in recognition for achieving the highest score in the geographic area on the June and December 2015 CGEIT examinations. This award was earned by:

June

  • Area 1—Muhamad Robby Munajat, CGEIT
  • Area 2—Carlos Abraham Quijas Luna, CISA, CISM, CGEIT
  • Area 3—Elanor Clare Crossland and Dumisani Graham Ngwenya, CISA, CGEIT (tie)
  • Area 4—Chad M. Breaux, CGEIT, Lean Six Sigma, PMP, TOGAF

December

  • Area 1—Aasish George Mathew, PMP
  • Area 2—Andres Olvera, CGEIT
  • Area 5—J.F. Dippenaar

CGEIT Geographic Achievement Award
This award is given in recognition for achieving the second highest score in the geographic area on the June and December 2015 CGEIT examinations. This award was earned by:

June

  • Area 1—Osama Salah Ghazy, CISM, CGEIT
  • Area 2—Julian Gonzalez Roig, CAPM, ITIL
  • Area 4—Maria Eisenberg, CGEIT, ITIL V3 Expert, PMP

December

  • Area 1—Zohaib Abrar, CGEIT
  • Area 2—Gonzalo Martin Valdivia Benites, CISA, CISM, CCISO, ISMS-LA, ITIL
  • Area 3—Andre Van Der Merwe, CISA, CISM, CGEIT, CRISC, ITIL, PRINCE 2
  • Area 4—Gavin Langston, CGEIT, Warren Hobbs, CGEIT, CRISC, and Susan Dery, CISA, CGEIT, CISSP, PMP (tie)
  • Area 5—Gerard Nicholas Paver

CRISC Geographic Excellence Award
This award is given in recognition for achieving the highest score in the geographic area on the June and December 2015 CRISC examinations. This award was earned by:

June

  • Area 1—Dimas Lagusto, CISA, CRISC
  • Area 2—Luiz Carlos Araujo, CISA, CISM, CRISC

December

  • Area 1—Binto Kurien, CISA, CGEIT, PMP, PRINCE 2, TOGAF
  • Area 2—Ivan Ramirez Vega, CISSP, and Mariano Gabriel Bernal, CRISC (tie)
  • Area 5—Derek John Nelson, CISM, CRISC

CRISC Geographic Achievement Award
This award is given in recognition for achieving the second highest score in the geographic area on the June and December 2015 CRISC examinations. This award was earned by:

June

  • Area 1—Chun Kuen Steve Wong, CISA, CRISC
  • Area 2—Mariane Miranda Costa, CRISC
  • Area 3—Peter R. Bitterli, CISA, CISM, CGEIT
  • Area 4—Socrates Guerrero, CISA, CISM, CRISC
  • Area 5—Anthony Wallis, CISA, CRISC, CBCP, CIA

December

  • Area 1—Mukesh Bhatia, CISSP, and Chiun Hua Lawrence Loh, CISA, CISM, CRISC (tie)
  • Area 3—Bruno Pollaris, CISA, CRISC, ITIL Foundation
  • Area 4—Jae Kyoung Ro
  • Area 5—Pablo I. Borges, CISM, CRISC, and Alan Vongsavanh, CISM, CRISC (tie)
 

Controls and Assurance in the Cloud

ISACA News

The governance and role of cloud computing have become major concerns for enterprises utilizing the cloud or thinking about migrating to the cloud. Controls and Assurance in the Cloud: Using COBIT 5 helps enterprises understand the strategic cloud-related decisions that need to be made. The book begins by outlining the business benefits associated with transitioning to the cloud. For those who are not yet using the cloud, Controls and Assurance in the Cloud contains information about cloud service and delivery models and their associated risk.

By discussing risk assessment specific to the cloud, the book effectively addresses information security concerns related to the cloud. The governance and management section of this book informs upper management of their roles and responsibilities with respect to cloud governance. Controls and Assurance in the Cloud offers a valuable threat matrix along with mitigating actions, which are mapped to COBIT 5.

To purchase Controls and Assurance in the Cloud: Using COBIT 5, visit the Controls and Assurance in the Cloud: Using COBIT 5 page of the ISACA web site. The PDF version of the book is available as a complimentary download for ISACA members.