@ISACA Volume 24, 2 December 2015

Symptoms, Diagnosis and Treatment


What should happen when a security incident is detected?

When people do not feel well, they consult a doctor and describe their symptoms. The doctor needs to find out why the patient feels ill, which requires knowing the answers to a series of questions. Some questions will be answered by the patient, and some require tests to gather data. Once the cause is identified, the doctor will prescribe the right solution. If the doctor chooses to prescribe medicines that only target the symptoms, the cause of the symptoms will not be treated.

This analogy helps answer the question “What should happen when a security incident is detected?” The answer to this question varies depending on the nature of the business, the culture of the organization, and the policies and procedures that are in place. A typical answer would be “We conduct a root-cause analysis.” However, the major challenge people face is actually conducting a root-cause analysis.

Generally, security professionals perform the root-cause analysis of an incident, which is primarily focused on how the incident happened; very rarely do they look into why the incident happened. Looking for the answer to why an incident happened will most likely help determine where the virus entered the system, which can point to the vulnerability. The vulnerability could be a control failure, control noncompliance or a residual risk that materialized, such as a zero-day attack.

An appropriate root-cause analysis sometimes yields surprising results. While reviewing an incident, the security manager may observe that the root cause mentioned was hardware failure, which is the answer to the question of how the incident happened. But when determining why the incident happened, the answer may be completely different. For example, the hardware may have failed due to the presence of a harmful chemical, resulting in hardware misbehavior. But further analysis of data center air filters may reveal a vulnerability in the heating, ventilating and air conditioning (HVAC) system. Knowing this information can help fix the actual problem.

Therefore, it is important for organizations to ensure that incident management detects the incident (symptoms), finds out how it happened (further probing) and then conducts the root-cause analysis (diagnosis), i.e., finds the answer to why the incident happened.

The following tips may help ensure the diagnosis process is effective:

  1. Verify that the risk assessment results are appropriately recorded in the risk register. While performing root-cause analysis, it is necessary to verify whether the incident was caused by an identified threat and/or vulnerability or by a new threat or vulnerability.
  2. Do not stop until the answers to why the incident happened are collected.
  3. Analyze the data to determine the appropriate root cause.

Knowing how an incident happened is essential to identify threats or vulnerabilities.

Sunil Bakshi, CISA, CISM, CGEIT, CRISC, ABCI, AMIIB, BS 25999 LI, CEH, CISSP, ISO 27001 LA, MCA, PMP, is a consultant and trainer in IT governance and information security.


Managing Risk by Leveraging Identity Governance



As businesses grow, so does the number of identities associated with the business. These identities present risk for enterprises, and mitigating this risk is necessary to keep the business safe. To help organizations better manage this risk, ISACA has partnered with CA Technologies to bring you the “How Much Risk Is too Much? Leveraging Identity Governance to Manage Risk” webinar. This webinar will take place at 11AM CST (UTC -6 hours) on 3 December. ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and passing a related quiz.

Sumner Blount, director of security solutions at CA Technologies, will lead this webinar. Blount will discuss industry trends, such as how interaction with business users impacts the identity management life cycle. This webinar will also review techniques to guard against breaches related to identity management. Blount will explain how to increase engagement with identity services across the enterprise.

To learn more about this webinar or to register for it, visit the How Much Risk Is too Much? Leveraging Identity Governance to Manage Risk page of the ISACA web site.


Prioritizing the Attacks That Matter the Most


While security teams may have every intention of handling every potential threat, there are simply too many alerts to address in any given day. However, it is necessary for security operations, analysts and research teams to address the security events that have the biggest impact. To help security professionals better address the alerts that could do the most harm, ISACA has partnered with Palo Alto Networks to provide the “Threat Intelligence: How to Identify the Attacks That Matter Most” webinar. This webinar will take place on 8 December at 11AM CST (UTC -6 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and passing a related quiz.

Cybersecurity threat intelligence can be used to help security teams determine what signs indicate a unique and targeted attack and contextualize the indicators of compromise to determine what issues need to be addressed. Scott Simkin, senior manager of threat intelligence at Palo Alto Networks, will lead this webinar. Simkin will also discuss how to use indicators of maliciousness and make them protection mechanisms.

To learn more about this webinar or to register for it, visit the Threat Intelligence: How to Identify the Attacks That Matter Most page of the ISACA web site.


Forecasting 2016 IT Audit Trends


The IT audit environment is rapidly changing, and ISACA and Protiviti’s 5th annual IT Audit Benchmarking Survey Report contains valuable insights on the trends that can be expected in 2016. To help enterprises best understand these changes, ISACA and Protiviti have partnered to provide the “2016 IT Audit Benchmarking Survey: A Global Look at IT Audit Best Practices” webinar. This webinar will take place on 9 December at 11AM CST (UTC -6 hours). Continuing professional education (CPE) credits can be earned at this webinar.

Nancy Cohen, ISACA’s director of privacy and assurance practices, will join Bob Kress, managing director of global IT audit at Accenture, and David Brand, managing director and IT audit practice leader at Protiviti, to present this webinar. These speakers will discuss the findings of ISACA and Protiviti’s IT Audit Benchmarking Survey, which include keeping pace with emerging technology and infrastructure changes, concerns regarding qualified resources and the necessity of IT audit risk assessments.

To register for this webinar, visit the “2016 IT Audit Benchmarking Survey: A Global Look at IT Audit Best Practices” web page.


‘Twas the Night Before Audit

By Kathleen M. Stetz

‘Twas the night before audit, and all through the residence
The auditors were planning to gather sufficient evidence;
Following standards, they must exercise due care,
Ensuring each conclusion—one must not impair.
The future CISAs were nestled all snug in their beds;
While visions of passing the test danced in their heads.
From the leadership team there arose such a clatter
Wanting to know every high-risk matter.
And what to their wondering eyes did appear,
Their talented team—they had nothing to fear.
More rapid than eagles, material items put in queue,
Following the audit plan; they knew just what to do.
And so to put them ahead of the game,
They knew every process and called them by name:
“Now assess! Now evaluate! Now oversee!
On governance! On assets! On SDLC.”
Away to the plans they would look at each requirement,
Put into context of the business environment.
To the top of each work paper, and overall
Now document! Document! Document all!
As dry leaves that before the wild hurricane fly,
When cited with issues, areas could not deny;
The auditors did so communicate;
Getting responses from managers to make all matters straight.
And then in a twinkling, they knew they could lead,
Taking in recommendations, of course they would heed.
Putting in place cost-effective controls,
To meet planned objectives that would achieve stated goals.
The leadership team could now sleep securely each in their own bed,
Knowing assets were protected—they had nothing to dread.
Having highly skilled auditors, with proper oversight …
Good luck to all, and to all a good-night!

© Kathleen M. Stetz


Book Review: Advanced Persistent Threat Hacking: The Art and Science of Hacking Any Organization

Reviewed by Ibe Etea, CISA, CRISC, CA, CFE, CIA, CRMA

Advanced Persistent Threat Hacking: The Art and Science of Hacking Any Organization is a road map of the major advanced persistent threat (APT) hacking techniques used in the world today. This book is written from the mind-set of a criminal, helping the reader understand that hackers will plunder the victim organization’s valuable assets by almost any means. This book has one primary objective: to prove that despite how elaborate any institution’s defenses are, the enterprise is still susceptible to APTs due to the influence technology has in the modern world.

The book provides a tested APT hacker methodology for systematically targeting and infiltrating organizations and their component systems. This 5-phased method to APT hacking is supplemented with practical examples and usable, hands-on techniques for effective attacks.

The book consists of 10 chapters, beginning with key concepts of APTs and practical examples of the varying degrees of APT impact. The book outlines APT methodologies and matches them to the correct system. Next, the book explains the tactics and the data that should be obtained passively and actively to assess the targets properly. The book discusses social-engineering strategies and tactics, and it also covers wireless attacks and exploits.

The creation and use of conventional audio, video and global positioning system (GPS) bugs to monitor target locations and individuals is also discussed. The book elaborates on how to circumvent many of the physical security controls and physically infiltrate target locations. The book concludes with an explanation of the different types of software backdoors that can be utilized to maximize the effectiveness of any attack.

The book has an in-depth review of social-engineering systems, but expanding on cyberspying and espionage, man-in-the-middle and spoofing attacks, in addition to APT threat attacks on social media, would have been useful inclusions. Despite this missing element, the book provides direct and practical insight into APTs, covering the various dimensions of APTs and providing pictures, illustrations, code commands and references that facilitate understanding of the concepts discussed in this book.

Advanced Persistent Threat Hacking: The Art and Science of Hacking Any Organization is available from the ISACA Bookstore. For information, visit the ISACA Bookstore online or email bookstore@isaca.org.

Ibe Etea, CISA, CRISC, CA, CFE, CIA, CRMA, is a corporate governance, internal controls, fraud and enterprise risk assurance professional. Etea also serves as a member on the advisory council of the Association of Certified Fraud Examiners (ACFE).