@ISACA Volume 2  24 January 2018

The Pulsing Problem


Bruce R. Wilkins

Most of us understand the effects of an electromagnetic pulse (EMP). An EMP can overload electronic circuitry and destroy it from the inside out. The most-feared EMP would be one that is associated with a nuclear-based weapon. Assuming there is technology that survives the explosive power of the weapon, the EMP effect would destroy electronics, power grids, computing assets and the usability of the radio frequency (RF) spectrum (wireless communications) many miles away. Today, most technologically advanced countries have access to EMP jammers. These devices provide the same effect for a shorter amount of time.

Although these pulses are often thought of as man-made, they can also occur in nature. Nature kindly provides us with a complement to the EMP: the colossal coronal mass ejection (CME). The largest recorded CME was in 1859, a 5-day storm referred to as the Carrington Event. A CME struck Earth at that time, destroying much of the Victorian telegraph network in Europe and North America. It was said that pieces of paper that were exposed caught fire. Other solar storms have hit Earth since then, but none of the same magnitude. The only significant event that has occurred in modern times caused the Quebec Blackout of 1989.

From an IT perspective, one of the most vulnerable areas that we cannot protect against is loss of wireless communications. What does losing the RF spectrum mean? We would immediately lose satellite communications, cellular, microwave and Wi-Fi service at a minimum. In fact, you will want to keep your phone away from your head whenever the next event occurs. The only wireless communications that would be available would be laser communications, provided the associated equipment was properly protected and had power. The ability to position, navigate and keep time (PNT) would also be lost. This is something we do not think about very often. The Global Positioning System (GPS) is critical to the IT industry across the globe. Many industries establish their time from the GPS signal. Time is critical to ensuring synchronous communications. In addition, time is needed to perform end-to-end and link encryption. Positioning is required for all types of industries—everything from resource discovery on the Earth to moving goods to market. Drones, self-driving cars and trucks would be inoperative. The loss of positioning would also result in just-in-time inventory being delayed, lost or even abandoned. Navigation would reduce us to becoming orienteers attempting to find the new restaurant or to pick up a manifest to transport. This means there would be no Google Maps, only maps that we think lead us where we are going and that may be wrong. So, organizations with business models that rely heavily on these technologies would be offline during these kinds of events. Although all electronics (including cars, trucks, refrigerators, etc.) and power sources would be impacted, it should be noted that electronics that were not hardened for EMP or CME might need to be replaced prior to coming back online.

Recovery from EMP or CME would occur in a predictable sequence. First to come online would be shielded, power-protected devices that have self-contained infrastructure. Next, power grids, and then the terrestrial communication infrastructure, would come online. Finally, the RF spectrum would recover. The RF spectrum would recover from the lower frequencies (high frequency [HF]) to the higher frequencies (tremendously high frequency [THF]). As a simplification, the frequency of an RF carrier is directly proportional to the amount of data one can pass over it. So even though we would have communications, they would be somewhat slow in the beginning.

The question becomes how often these events occur. CMEs happen all the time; however, significant events seem to occur every 75 to 100 years. EMPs occur all the time as a result of everything from EMP jammers to trains that are braking at railway stations. When trains are braking, they can generate EMPs strong enough to completely disrupt high-frequency communications up to half a mile away. The following are some strategies and techniques that might help prepare for an EMP or CME occurrence:

  • Prepare for EMP like you would for a lightning strike.
  • Understand that the outage could last for up to one week.
  • Host critical infrastructure in a Faraday cage. If this is not possible, purchase shielded equipment for critical portions of the infrastructure.
  • Use window film to prevent pulses from entering the office/data center.
  • Make sure you consider all threats when purchasing window film. Removing and reapplying window film is prohibitively expensive.
  • Some national assets such as GPS, power, sewage and water may be lost or not at full capacity for months. This is especially true for mobile electronics and supervisory control and data acquisition (SCADA) equipment that were not properly protected.
  • Have central breakers that allow both the low voltage and high voltage connections to be disconnected from your infrastructure.
  • Monitor space weather as part of your security monitoring. This assumes you are already monitoring Earth’s weather.
  • Ensure you have a tiered time architecture. Time can be established from a wide variety of sources including the US National Institute of Standards and Technology (NIST), GPS, the US Naval Observatory or Greenwich Mean Time. For systems requiring extreme accuracy, these time servers must be augmented with software that compensates for transmission time between the Simple Network Time Protocol (SNTP) server and the infrastructure.
  • When a time signal is not available, the technology within the infrastructure should be configured to negotiate an agreed upon time for both internal and external connections.
  • Investigate terrestrial-based positioning and navigation technologies. GPS is not the only way of positioning or navigating.
  • Properly position your contingency sites and execute a fully tested contingency plan.
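As an added illustration of the two time bullets above (the tiered time architecture, compensation for transmission time between the SNTP server and the infrastructure, and negotiating an agreed time when no signal is available), the following example was written for this note and is not code from the article or from TWM Associates; the source names, tiers and timestamps are constructed.

```python
from dataclasses import dataclass
from statistics import median
from typing import List, Optional, Tuple

@dataclass
class TimeSample:
    """One SNTP-style exchange with a time source (constructed values).
    t1/t4: our clock at send/receive; t2/t3: server clock at receive/transmit."""
    name: str
    tier: int          # 0 = local GPS receiver, 1 = national servers (NIST, USNO), ...
    t1: float
    t2: float
    t3: float
    t4: float
    reachable: bool = True

def offset_and_delay(s: TimeSample) -> Tuple[float, float]:
    """Clock offset and round-trip delay as in RFC 5905. The offset formula
    cancels symmetric transmission time, which is the compensation the
    article says must be layered on top of a plain SNTP client."""
    delay = (s.t4 - s.t1) - (s.t3 - s.t2)
    offset = ((s.t2 - s.t1) + (s.t3 - s.t4)) / 2
    return offset, delay

def select_source(samples: List[TimeSample], max_delay: float = 0.5) -> Optional[TimeSample]:
    """Lowest tier that answered within the delay budget; ties go to the
    sample with the shortest round trip (less uncertainty in the offset)."""
    usable = [s for s in samples if s.reachable and offset_and_delay(s)[1] <= max_delay]
    return min(usable, key=lambda s: (s.tier, offset_and_delay(s)[1])) if usable else None

def agreed_offset(samples: List[TimeSample], peer_offsets: List[float]) -> Tuple[str, Optional[str], float]:
    """Tiered decision: prefer an external source; with no signal available,
    'negotiate' an agreed time as the median of what internal peers report
    (assumption: peers report their offset relative to this node); last
    resort is holdover on the local oscillator (offset 0)."""
    best = select_source(samples)
    if best is not None:
        return "external", best.name, offset_and_delay(best)[0]
    if peer_offsets:
        return "peer-consensus", None, median(peer_offsets)
    return "holdover", None, 0.0

# Constructed sample: GPS lost (as after a CME), NIST and USNO still reachable.
SAMPLES = [
    TimeSample("gps", 0, 0.0, 0.0, 0.0, 0.0, reachable=False),
    TimeSample("nist", 1, 0.000, 0.010, 0.011, 0.020),   # ~19 ms round trip
    TimeSample("usno", 1, 0.000, 0.030, 0.031, 0.060),   # longer path
]
PEER_OFFSETS = [0.004, -0.002, 0.003]  # constructed: offsets reported by internal peers
```

Calling `agreed_offset(SAMPLES, PEER_OFFSETS)` picks NIST; passing only the GPS sample falls through to the peer consensus, which is the behaviour the last time bullet asks for.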

A future article will discuss in more depth the state of technology for PNT within the context of space-based assets being destroyed or rendered inoperative—a day without space.

Bruce R. Wilkins, CISA, CRISC, CISM, CGEIT, CISSP, is the chief executive officer of TWM Associates Inc. In this capacity, Wilkins has the opportunity to provide his customers with secure engineering solutions for innovative technology and cost-reducing approaches to existing security programs.


Webinar: Automate Security Step-by-Step



Security automation and orchestration can effectively optimize your organization’s incident response (IR) program, but many teams overcomplicate the effort and become overwhelmed by what actually needs to be automated. A “bite-size approach” to security automation and orchestration can make this task more accessible. IR teams can work smarter, not harder, if they implement automation as they are ready, focus on repetitive and time-consuming tasks, and automate the tasks with the greatest impact on the business first.

To clarify what your security team needs to automate and when, ISACA presents the “Agile Automation and Orchestration—Take a Bite Out of Incident Response” webinar. This webinar takes place on 30 January at 11AM CST (UTC -6 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and completing a related survey.

Larry Lien, chief product officer at Resolve Systems, will lead the webinar. Lien is a senior executive with more than 20 years of experience in incident response; incident management; and application, systems and security management. He will use his experience accelerating incident response and resolution using automation to demonstrate how to make this method approachable and practical for your enterprise.

To learn more about this webinar or to register for it, visit the Agile Automation and Orchestration—Take a Bite out of Incident Response page of the ISACA website.


Learn What to Consider With Third-Party Data Security, Risk and Compliance Webinar



Third-party business relationships in IT, information systems and cybersecurity require process guidelines and frameworks so that enterprises’ boards of directors and senior management teams can oversee and manage risk adequately. Examining third-party vendors includes investigating a 3-dimensional risk-based model that provides information on the risk impacts, findings, enterprise requirements and remediation needed for success. A significant number of data breaches are linked directly or indirectly to third-party access, so evaluating the risk before outsourcing is essential.

To help increase your understanding of what to consider with third-party data security, risk and compliance, ISACA presents the “A Risk-Based Management Approach to Third-Party Data Security, Risk and Compliance” webinar. This webinar takes place on 8 February at 11AM CST (UTC -6 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and completing a related survey.

Robert Putrus, CISM, CFE, CMC, PE, PMP, will lead the webinar. Putrus is a principal with The Roberts Company LLC. He has 25 years of experience in program management, compliance services, information systems and management of professional service organizations. He will use his experience in the deployment of various cybersecurity frameworks and standards to illustrate the methods and processes that should be in place when considering third-party vendors.

To learn more about this webinar or to register for it, visit the A Risk-Based Management Approach to Third-Party Data Security, Risk and Compliance page of the ISACA website.


ISACA Launches New Security Podcast Series


ISACA is launching a new monthly security podcast series. This series will typically feature an interview with Ed Moyle, director of thought leadership and research at ISACA. In it, Moyle will share his insights on the latest security news, including breaches, vulnerabilities and changes in the security landscape. This podcast is available on the ISACA website, iTunes, Google Play or SoundCloud.

This month’s security podcast includes ISACA staff members Dustin Brewer, CISSP, PMP, cybersecurity platform engineer, and Frank Downs, senior manager of cyber information security practices, in addition to Moyle. This podcast features a discussion of the recently discovered Meltdown and Spectre vulnerabilities. Brewer, Downs and Moyle analyze the response to these vulnerabilities and share tips on what you can do to stay safe in light of these new developments.

To learn more about this podcast, visit the ISACA Podcast page of the ISACA website.


ISACA’s Collaboration With MIT Leads to New Member Benefits and Research


ISACA’s new collaboration with the Massachusetts Institute of Technology Center for Information System Research (MIT CISR), Cambridge, Massachusetts, provides ISACA members with free access to more than 100 MIT CISR briefings covering topics that range from governance to digital transformation. The latest offerings include “Creating Customer Value Using Analytics,” “Digitized Does Not Equal Digital,” and “Future Ready? Pick Your Pathway for Digital Business Transformation.” These briefings and more can be accessed by visiting the ISACA Member Advantage Partner Content page of the ISACA website.

As a patron of MIT CISR, ISACA also works with MIT CISR on research studies. The first joint study on digital transformation was recently released.

In addition to content access to the MIT CISR briefings, ISACA’s expanded member benefits program also offers members similar content access from additional partners, including Wapack Labs, a cyberintelligence and threat analysis company that provides early warning and threat detection services for customers worldwide.

ISACA members have access to free webinars and virtual conferences, discounted or complimentary access to ISACA publications, discounted rates on ISACA conferences and certifications, and access to more than 70 free continuing professional education (CPE) hours.

To learn more about becoming an ISACA member, visit the Membership page of the ISACA website.


Big Data Deidentification, Reidentification and Anonymization



Big data is continuing to grow exponentially, but this growth is also paired with growing regulations. This makes the deidentification, reidentification and anonymization of data even more important. ISACA Journal volume 1 author Mohammed J. Khan, CISA, CRISC, CIPM, discusses the ways enterprises must deal with big data as it continues to grow in the future in his article “Big Data Deidentification, Reidentification and Anonymization.”

Big data seems indeterminate due to its constant use in intellectual data science fields and science, technology and humanities enterprises. There is a growing need to understand what big data can do for society at large. Not only can it improve human life by innovating speedier medical releases in the marketplace, but it can also utilize computing power to analyze large data sets and improve the efficiency of current technologies.

The use of big data is possible only with the proper dissemination and anonymization of publicly accessible data. To facilitate and administer the implementation of controls around the subject of big data, one must truly understand the concepts of deidentification, reidentification and anonymization. One famous study demonstrated that 87% of the American population can be uniquely identified by their gender, ZIP code and date of birth. This illustrates the idea that anonymization, while practical, requires further study and due diligence. It is important that personal data that have been anonymized are anonymized correctly before being used as part of a publicly available big data set. Auditing professionals who work with big data, deal with global privacy implications and handle sensitive research data require the knowledge and technical aptitude to audit the big data space to stay relevant. Almost all enterprises are now taking on big data projects, and staying compliant with growing regulatory risk requirements is causing internal compliance, risk and audit functions at these enterprises to demand auditors with these necessary skill sets.

Read Mohammed J. Khan’s full ISACA Journal article, “Big Data Deidentification, Reidentification and Anonymization.”