@ISACA Volume 22  4 November 2015

The Costs and Benefits of Open-source Software


Open-source software is often viewed as the panacea of all financial woes associated with the delivery of IT solutions. What could be better? Open-source software seems to provide functionality to employees while being nearly free of fiscal burden. In all ways, this seems like a classic win-win situation. At least at first glance.

The best use of open-source software is open-source products. These are products that can be used without modification. Open-source products, such as operating systems, database management systems (DBMS), NoSQL stores and browsers, can exceed the functionality, performance and maintainability of commercially available products. In many cases, open source provides state-of-the-art functionality that is not available in commercial products. Many people ask, “What can one really do with open-source products today?” There are existing developed systems built with 100% open-source software that maintain 10 terabytes (TB) online (and growing) and handle 1,000 transactions per second, while providing the user query response times of less than 15 seconds. The current licensing costs for the system are zero.

Open-source applications are large pieces of software that perform some business process, e.g., email, collaboration. This class of open-source software often requires modification in order to meet an organization’s critical business process requirements and is a little more challenging in terms of achieving the expected fiscal goals. Since this software is often user facing, it presents security issues that must be addressed. The most severe security issues seem to manifest themselves as the code counts of these applications approach 1 million lines of code. As you can imagine, conducting code reviews and detecting various forms of malware become a challenge at that scale. In addition, the software application often needs modification to meet requirements such as authentication, audit and integration with other open-source applications.

Open-source tools, when leveraged properly, can achieve all of those benefits that were first perceived. However, very quickly, open source can become a source of embarrassment and financial woes if not managed properly. Here are some tips for helping use and manage open-source software:

  • Open-source products, although initially free, often migrate to a traditional commercial licensing model. This process happens either by the open-source community itself or by a corporation that is formed to maintain the product. This requires migration to another open-source product or resigning oneself to pay the licensing costs.
  • It is critical to monitor the associated open-source community for significant changes in the product’s technical road map. The use of open source can become severely impacted as the open-source community moves the product or application toward the latest technological advancement or to meet a better open standard.
  • Open-source products often get bad reputations by providing more functionality than other products. Many may view an open-source browser that displays nonpersistent cookies as being a “hacker tool.” Security tokens and other protected structures should have never been implemented in cookies, persistent or nonpersistent.
  • Open-source communities are sometimes slow to react to known vulnerabilities. As a result of this lag time, compensating controls should be in place to support the security architecture. These additional security features can offset the perceived fiscal savings.
  • After making software modifications to open-source applications, the open-source community may or may not accept the changes into its baseline. The probability of the open-source community rejecting the changes is especially high for government, military or large corporations. The reasons often come down to trust and what the modifications are really doing. Rejection of the software into the open-source baseline results in the organization having to maintain modifications across software releases, thus increasing maintenance costs for the open-source software application.
  • Large open-source software applications are difficult to maintain. Hundreds of libraries and external references are made within the application. Software vulnerabilities, which are known in some cases, remain in the baseline with no plans to fix them, remove them or mitigate them through software development. The developers often cannot determine whether the code in which the vulnerabilities exist is ever executed, or whether the affected libraries are actually used or even needed to build the application. This leads to additional compensating controls to monitor the software for events such as phoning home or other variations of malware.

In the end, open-source software is here to stay. It is invaluable in reducing IT costs while providing much needed user functionality. Just be aware that open source can become a commercial product in less than 2 years. As a result, the next open-source product, the next migration and the next approach should always be on the technological road map.

Bruce R. Wilkins, CISA, CISM, CGEIT, CRISC, CISSP, is the chief executive officer of TWM Associates Inc. In this capacity, Wilkins provides secure engineering solutions for innovative technology and cost-reducing approaches to existing security programs.


ISACA Releases Mobile Payment Security Study



A survey of more than 900 ISACA members who are cybersecurity experts shows that an overwhelming majority, 87%, expect to see an increase in mobile payment data breaches over the next 12 months, yet 42% of respondents used this payment method in 2015. The 2015 Mobile Payment Security Study from ISACA suggests that people who use mobile payments are unlikely to be deterred by security concerns.

Other data from the survey show that cybersecurity professionals are willing to balance benefits with the perceived security risk of mobile payments:

  • Only 23% of respondents believe that mobile payments are secure in keeping personal information safe.
  • Nearly half (47%) say mobile payments are not secure and 30% of respondents are unsure.
  • 89% of respondents said cash is the most secure payment method, but only 9% prefer to use it.

“Mobile payments represent the latest frontier for the ongoing choice we all make to balance security and privacy risk and convenience,” said John Pironti, CISA, CISM, CGEIT, CRISC, risk advisor with ISACA and president of IP Architects. “ISACA members, who are some of the most cyberaware professionals in the world, are using mobile payments while simultaneously identifying and contemplating their potential security risk. This shows that fear of identity theft or a data breach is not slowing down adoption—and it should not—as long as risk is properly managed and effective and appropriate security features are in place.”

Reports say that contactless in-store payment will continue to grow. Overall, the global mobile payment transaction market, including solutions offered by Apple Pay, Google Wallet, PayPal and Venmo, will be worth an estimated US $2.8 trillion by 2020, according to Future Market Insights.

ISACA survey respondents ranked the major vulnerabilities associated with mobile payments:

  1. Use of public WiFi (26%)
  2. Lost or stolen devices (21%)
  3. Phishing/smishing (phishing attacks via text messages) (18%)
  4. Weak passwords (13%)
  5. User error (7%)
  6. There are no security vulnerabilities (0.3%)

In the emerging mobile payment landscape, ISACA notes that there is no generally accepted understanding of which entity is responsible for keeping mobile payments secure—the consumer, the payment provider or the retailer. One approach to better understanding responsibility is for businesses to use the COBIT framework to involve all key stakeholders in deciding on an acceptable balance of fraud rate versus revenue. Based on that outcome, organizations should set policies and make sure that mobile payment systems adhere to them.


ISACA Webinar: Addressing Third-party Risk


Hackers using third parties to access an outsourcer’s sensitive data is becoming more frequent. Using third-party organizations can result in significant risk to an organization’s data. To help organizations better manage outsourced data, ISACA is presenting the “Collaborative Onsite Assessments: A Game Changer in Third-party Risk Management” webinar. This webinar will take place on 10 November at 11AM CST (UTC -6 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and passing a related quiz.

The largest US financial institutions are collaborating to perform shared assessments of commonly used key service providers. By addressing third-party risk management as a collaborative issue rather than a competitive issue, these organizations are promoting cross-industry best practices and cost efficiency across the industry. Charlie Miller, senior vice president at Santa Fe Group, will lead this webinar. He has experience leading vendor risk management and financial services initiatives for several global companies.

To learn more about, or register for, this webinar, visit the Collaborative Onsite Assessments: A Game Changer in Third-Party Risk Management page of the ISACA web site.


EuroCACS/ISRM 2016 Call for Papers Now Open


Be a part of Europe’s leading conference for experts, thought leaders and professionals in audit, assurance and risk management at the 2016 European Computer Audit, Control and Security (CACS) and Information Security and Risk Management (ISRM) Conference. This conference is designed to provide information systems professionals a pragmatic approach to industry-relevant concepts, tools and best practices. ISACA is looking for speakers who can bring new industry topics, ideas and insights in an innovative, energetic and engaging way. Speakers should be able to offer real-world cases, examples of actual tools and working papers they have used, stories of successes and failures, and insight on emerging issues. Topics for the 2016 EuroCACS/ISRM Conference will include IS audit and assurance; governance, risk and compliance; security/cybersecurity, with an audit focus; data governance; and career and communications management. The majority of attendees will have 10 or more years of experience, so material designed to be presented at the advanced level is highly encouraged.

Those who are interested in submitting an abstract for consideration should visit the Call for Papers page of the ISACA web site. To submit a paper, click on “Submit a Proposal” under EuroCACS Conference 2016, and the detailed information about submitting an abstract will be listed on that page. At the very bottom of the page, click on “Submit a Proposal” and sign in to MyISACA. If you do not have an existing profile with ISACA, you will need to create an account before proceeding. Then, continue your submission(s) by filling out the form completely for your proposed session. If you do not complete the form, you can indicate “work in progress” so that you can complete it at another time. Please note that all forms must be completed by 27 November 2015 to be considered for the conference program.

Once the deadline has passed, all presentations will be reviewed by ISACA’s subject matter experts. Those submissions that are found to be the most professionally prepared and relevant for the audience will be selected. Notification of acceptance will be sent to the speaker 4-6 weeks following the submission deadline. Those who are selected will also receive complimentary registration for EuroCACS/ISRM—a savings of up to US $1,950—and the opportunity to earn free continuing professional education (CPE) hours during the conference. Please note that registration for pre- and postconference workshops is not included for session speakers.

EuroCACS/ISRM 2016 will take place 30 May-1 June 2016 at the Convention Centre Dublin (Ireland). The call for papers deadline, 27 November 2015, is fast approaching, so be sure to submit your proposal today!


Board Nominations Are Open


Nominations for the ISACA Board of Directors for the 2016-17 term are now open. Information about serving on the board, the attributes for office (international president, president-elect and vice president) and the nomination form itself are available on the Board Nominations page of the ISACA web site.

Members may submit nominations for themselves or for others (or both). All nominations will be acknowledged and all candidates will be required to complete a candidate profile form that confirms the candidate’s willingness to serve if selected and provides the Nominating Committee information about the candidate. Self-nominating candidates will also be asked to submit a letter of recommendation from an ISACA member outlining how the candidate demonstrates the attributes for office. Information on candidates will be gathered in other ways as well, including review of public web sites (e.g., Google, Facebook, LinkedIn) and interviews with the candidates.

Nominations for international president and president-elect close at 5:00PM CST (UTC -6 hours) on 19 November 2015. Nominations for vice president close at 5:00PM CST (UTC -6 hours) on 8 January 2016. These are the dates by which all materials must be received at ISACA International Headquarters (i.e., completed candidate profile form and letter of recommendation, if required). Please note that if you wait until these deadline dates to submit your nomination form for yourself or to nominate someone else, there may not be enough time left to provide the committee with all the information required. Questions? Contact nominate@isaca.org.


Two More Months to Recruit Members and Earn Prizes


Two more months remain in the 2015 Member Get a Member program! Follow up with your colleagues to ensure they join ISACA before 31 December 2015. Remember, new members you recruit need to register with your member ID number and be paid in full by 31 December 2015.

When you connect with a colleague about ISACA, you can discuss the most recent white paper, the new cybersecurity certification or the IS Audit Basics column in the ISACA Journal. With every member you recruit, you move closer to earning rewards. There is still time to recruit at least 2 members to earn a passport wallet with radio-frequency identification (RFID)-blocking technology. If you recruit more than 2 members, you will have the opportunity to earn a pair of high-quality 10x42 binoculars, a bladeless fan from a leading manufacturer, a high-performance camera for photos and video, or a high-quality smart watch from a leading manufacturer.

Become part of the solution to advancing the IS/IT profession—recruit members to ISACA today. To learn more about the prizes or participating in ISACA’s Member Get a Member program, visit the Member Get a Member page of the ISACA web site. Rules and restrictions may apply.


Book Review: Cloud Management and Security

Reviewed by Ibe Etea, CISA, CRISC, CA, CFE, CIA, CRMA

Cloud Management and Security, by Imam M. Abbadi, takes cloud computing to a new level, deepening and diversifying readers’ knowledge on the topic. Abbadi uses his experience to advocate a new depth of understanding and promote a unique appreciation of the subject.

The book advances the foundations of cloud computing and builds a comprehensive and versatile outline of the technologies supporting cloud computing. The book’s references to scientific publications and leading journals give it an authoritative flair and lend credence to its practical applicability to industrial applications. The chapters are systematically structured in classic textbook style and include a variety of illustrations and diagrams. Because of this format, the author is able to include significant detail to cascade the topics reviewed in the book, making the content much easier for readers to understand. A number of algorithms are interspersed throughout the book as it explains some of the more complex dimensions of the cloud. This is a book for advanced cloud security students and is well suited for experienced professionals.

The book covers the dual aspects of cloud computing, which are cloud management and cloud security, in a granular and detailed approach. It presents a deep-dive review of the cloud architecture framework for federated clouds and sets out several diagrams and practical scenarios that enable connection with cloud fundamentals. There is a systematic identification, evaluation and analysis of the core characteristics and management services of cloud computing, in addition to challenges and harms associated with the cloud. There is a research direction outlined in the book, with the motive to set the pace for evolution in cloud computing models. The book also has a number of stimulating exercises and solutions and PowerPoint slides for instructors.

Cloud Management and Security is available from the ISACA Bookstore. For information, visit the ISACA Bookstore online or email bookstore@isaca.org.

Ibe Etea, CISA, CRISC, CA, CFE, CIA, CRMA, is a corporate governance, internal controls, fraud and enterprise risk assurance professional. Etea also serves as a member on the advisory council of the Association of Certified Fraud Examiners (ACFE).