@ISACA Volume 14, 15 July 2015

The Tragedy of Risk Commons

By Jack Freund, Ph.D., CISA, CISM, CRISC

Risk ownership can be a difficult strategy to implement. In IT risk, we may often find ourselves in a game of political finger pointing, in which various groups look at each other as the owner.

At first glance, it might appear beneficial to assign ownership to the person or persons who would be responsible for the fix. After all, doing so ensures that if there is something to be done, those responsible will know they have to do it. This is often the case for IT systems where a business process is dependent upon some critical technology. If the mitigating solution to a risk scenario involves patching an application (for example), then assigning the risk to the application development manager makes sense—at least on the surface. Those with more experience might recognize that fully understanding the impact of the application patch involves taking stock of the parts of the business that rely on that application. It is through this process that the real owner can be identified. IT management is really the core of other parts of the business.

I have said before that the quickest way to identify the real risk owner is by using the phrase “who owns loss owns risk.” The idea behind this is to determine who owns the outcome of the realization of said risk. Hint: It is almost never IT. A quick mental exercise to illustrate this is by having someone imagine that after an organization experiences a loss, in a fit of moral outrage, its leaders decide to fire the entire IT staff. Every single one is let go. In such a scenario, what happens to the impact of that risk? Who in the organization still feels the fallout of that risk? The answer to this question almost always lies somewhere in the business. Now imagine the same situation plays out for a risk scenario that originates in the business (for example, something to do with mortgage-backed securities or collateralized debt obligations). Exiting that business (and dismissing the staff) at least, in part, alleviates some of the fallout (regulatory action may still apply and take some time to wind down).

But what happens to a risk scenario that spans several lines of business? It is here that the metaphor of “the commons” comes into play. When many stakeholders have a claim to a shared asset, it is often the case that through self-interest, the shared asset is mistreated. Either the shared asset is not given proper maintenance so it deteriorates, or it is overused and subsequently unavailable to all stakeholders.

However, with risk, it can be difficult to bring closure to an issue when it is given shared ownership. Often, through no fault of their own, owners fail to contribute to the remediation efforts, thus putting all the owners at risk. After all, there is little incentive for a single owner to commit resources to fixing the problem, as it limits his or her ability to achieve other objectives. The financial processes in an organization may further inhibit risk remediation efforts in such instances by making it difficult for any one risk owner to request and receive funds sufficient to cover the costs of mitigation for everyone. Likewise, shared ownership means diffused accountability in the event that the risk is realized. It is easy for a collective to weather the downfall of a shared problem.

I can offer no easy solutions to this problem, except to say that it is important to avoid shared risk ownership whenever possible. Tactics for doing this will vary by organization and will largely depend on the tools available and the personalities of the stakeholders with which the organization is interacting. As in all risk matters, it is important to appeal to the sense of obligation leadership has to properly manage risk. Even if a risk scenario affects multiple parts of the business, it is important for one part to take ownership for the entire risk. The concept of the tragedy of the commons has existed since the 1800s, and it is not likely to go away anytime soon. As a result, it is imperative to work within the bounds of organizational culture to try to avoid shared risk ownership at every turn. In so doing, it will be easier to identify a single owner who will feel the weight of that risk and muster the political wherewithal to marshal his or her peers into assisting in the remediation efforts.

Jack Freund, Ph.D., CISA, CISM, CRISC, is lead IT risk manager for TIAA-CREF, member of the CRISC Certification Committee and coauthor of Measuring and Managing Information Risk.


Compete in the Global CyberLympics


CyberLympics is an international competition in which teams of 4-6 participants compete with ethical hackers and cyberdefenders from around the world. ISACA, a sponsor of the Global CyberLympics competition, will host the world finals at CSX 2015 North America on 19-21 October in Washington, DC, USA.

Team registration for CyberLympics is open now through 31 July. The online elimination rounds begin in August. Teams who make it to the final round will receive complimentary registration to the inaugural CSX 2015 North America conference.

To learn more about the CyberLympics competition or to register for it, visit the CyberLympics web site.


Explore the State of Cybersecurity at ISACA Webinar


ISACA and the RSA Conference conducted a survey in early 2015 on the state of cybersecurity. To better understand the significance of the study and how the results may affect you and your organization, ISACA will offer the “State of Cybersecurity: Implications for 2015” webinar. This webinar will take place on 23 July at 11AM CDT (UTC -5 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and passing a related quiz.

Robert E Stroud, CGEIT, CRISC, immediate past president of ISACA, and vice president of strategy and innovation at CA Technologies, will lead this webinar. Stroud will discuss the State of Cybersecurity: Implications for 2015 study and the key results from it. Among the issues he will discuss are the current vulnerabilities, changes in the threat landscape, how enterprises respond to threats and how organizations can close the cyber-related skills gap.

To learn more about this webinar or to register for it, visit the State of Cybersecurity: Implications for 2015 page of the ISACA web site.


ISACA Launches CSX Web Site


ISACA recently launched a new Cybersecurity Nexus (CSX) web site featuring certification and career path information. Visitors to the site can also purchase self-paced training labs or register for the following skills-based training courses to prepare for the upcoming CSX Practitioner exam:

  • Identification and Protection
  • Detection
  • Respond and Recover

The new CSX web site has numerous resources for cybersecurity professionals. Visitors to the site can also:

Take a look at the new site to boost your cybersecurity knowledge and help advance your career.


Register Now for September CISA and CISM Exams


Interested in taking the Certified Information Systems Auditor (CISA) or Certified Information Security Manager (CISM) exam in September? Registration for the 12 September CISA and CISM exams will remain open until 24 July. Individuals seeking to take an exam can register on the Exam Registration page of the ISACA web site. Please remember that the September exam administration is for CISA and CISM only and will be offered only at select locations worldwide. Please also note that the CISA Chinese Traditional-, German-, Hebrew-, Italian- and Turkish-language exams and the CISM Japanese- and Korean-language exams are not offered at September’s exam. To learn more, visit the ISACA Exam Candidate Information Guide page of the ISACA web site.


Annual CPE Audit Begins


The goal of ISACA's continuing professional education (CPE) policies is to ensure that all certified individuals maintain an adequate level of current knowledge and proficiency in their respective fields. Each year, a random sample of certified individuals is selected for audit. CPE policies for all ISACA certifications require certified individuals who are selected for the annual audit to respond and submit the required documentation of CPE activities.

The 2014 annual CPE audit will begin in mid-July. Those selected for the audit of their 2014 CPE hours will be notified via email and hard copy letter and will need to supply the ISACA certification department with copies of their CPE documentation for the CPE hours reported for 2014. If selected for the audit, you will be sent notification identifying the documentation that is to be supplied to ISACA for the 2014 CPE hours that are being audited. The deadline for returning supporting documentation is 20 August 2015. Those individuals who do not comply with the audit will be subject to revocation.

As per all ISACA CPE policies, each certified individual must obtain and maintain documentation supporting reported CPE activities. Documentation should be retained for 12 months following the end of each 3-year reporting cycle. Documentation should be in the form of a letter, certificate of completion, attendance roster, verification of attendance form (a sample of which is located on each CPE policy page) or other independent attestation of completion. At a minimum, each record should include the name of the attendee, name of the sponsoring organization, activity title, activity description, activity date, and the number of CPE hours awarded or claimed. Detailed information on CPE requirements can be found on the Maintain Your CISA, CISM, CGEIT and CRISC pages of the ISACA web site.

Questions? Contact CISAaudit@isaca.org, CISMaudit@isaca.org, CGEITaudit@isaca.org or CRISCaudit@isaca.org.


Book Review: The Art of Memory Forensics—Detecting Malware and Threats in Windows, Linux, and Mac Memory

Reviewed by Ibe Etea, CISA, CRISC, CA, CFE, CIA, CRMA

Memory forensics involves the use of random-access memory (RAM) to solve digital crimes and attacks. The conventional approach used for this purpose often overlooks volatile RAM, focusing instead on read-only memory (ROM). However, recent research has proven that RAM contains essential information and data that can implicate or exonerate the system in a crime scenario and ultimately destroy the audit trail entirely. The Art of Memory Forensics is a sequel to the bestseller Malware Analyst’s Cookbook. This book is targeted at improving the competence levels and the investigative and forensic skills of forensic experts, network security professionals, incident response officers, law enforcement officers and government agents.

With the increase in online attacks, e.g., the Sony Pictures Entertainment hack, industry-targeted attacks, advanced malware threats and corporate-directed targeted attacks, memory forensics has become an increasing area of interest and defense for every system remotely connected to a network. The Art of Memory Forensics is a comprehensive guide to conducting memory forensics for Windows, Linux and Mac operating systems, including x64 architectures. Some of the most valuable discussions in the book are on memory acquisition, rootkits and tracking user activity, each of which is supported with practical case studies of these techniques.

The book contains several industry-relevant exercises, sample memory dumps and cutting-edge memory forensic software overviews. The Art of Memory Forensics and the corresponding Volatility 2.4 framework code cover the most contemporary Windows, Linux and Mac OS X operating systems. The book covers memory forensics with respect to different types of devices, which is particularly valuable for companies or clients with a diverse mix of computer equipment such as laptops, desktops or servers utilizing different operating systems.

The book is broken into 4 major parts, the 1st of which gives a basic introduction to computer hardware and software. It also presents the tools and techniques for acquiring memory and using the Volatility framework, an open-source collection of tools for extracting digital artifacts from RAM samples. The next 3 parts of the book elaborate on the specifics of each major operating system (Windows, Linux and Mac). The structure of the book is ordered according to each OS artifact (e.g., networking and rootkits) or the location where these occur (e.g., process memory or kernel memory).

The depth of the content and structure of the book are informative and effectively convey memory forensics as an “art.” The topics covered are compelling and insightful. One area of particular interest is the treatment of kernel forensics and rootkits. There is a deep dive into the use of memory forensics to help the reader identify high-profile rootkits, e.g., ZeroAccess, Tigger.A, BlackEnergy and Stuxnet. It also outlines methodologies for combining Volatility with Interactive Disassembler (IDA) Pro for in-depth static analysis of malicious kernel modules.

This book is an eye-opening, authoritative guide on the subject of memory forensics. While the field of memory forensics is still evolving, this book serves its purpose of telling readers all they really need to know about memory forensics.

The Art of Memory Forensics—Detecting Malware and Threats in Windows, Linux, and Mac Memory is available from the ISACA Bookstore. For information, visit the ISACA Bookstore online or email bookstore@isaca.org.

Ibe Etea, CISA, CRISC, CA, CFE, CIA, CRMA, is a corporate governance, internal controls, fraud and enterprise risk assurance professional. He also serves as a member on the advisory council of the Association of Certified Fraud Examiners (ACFE).