@ISACA Volume 5  7 March 2018

Cyberrisk Cassandras

By Jack Freund, Ph.D., CISA, CRISC, CISM

In 2017, former US assistant secretary of state and counterterrorism expert Richard Clarke released his book, Warnings: Finding Cassandras to Stop Catastrophes. In it, he lays out a metaphor of the Greek mythological figure Cassandra and relates it to modern times. Apollo gave Cassandra the gift of prophecy, but after she spurned his advances, he caused her prescience to be ignored by others. As a result, she had to live the remainder of her life in a perpetual state of “I told you so!”

It is easy to see how this parallels the current state of cybersecurity. Far too often, professionals in the industry tout the impact of cyber-related events that could portend the downfall of our organizations, and far too often they are ignored. Unfortunately for these cyberrisk Cassandras, their prophecy is more crying wolf than prognostication.

Cassandra was gifted with prophecy and, as a result, she did not need to learn statistical inference. Surely, if we knew the specifics of a cyberincident down to the exacting details, we would be proven correct countless times. Instead, as mere mortals without gifts from the gods, we need to understand that our statements of future calamity will be tested by observation. In fact, we need to learn to use statistics to appropriately recognize the amount of uncertainty in our prognostication. Popular security turns of phrase such as “it is not a matter of if, but when” are correct, but only over an infinite timeline. This is immensely unhelpful to organizational leadership, which does not have the liberty to make profit and loss forecasts over the same unending chronology. Instead, we should strive to be more helpful by casting our proclamations of impending breaches over a useful timeline. Quantitative risk methods, such as the Factor Analysis of Information Risk (FAIR), allow practitioners to effectively forecast cyberevents by expressing to organizational leadership that a cyberevent may reasonably be expected to happen somewhere between (for instance) once every other year and once every 7 years. Expressing forecasts of future events in terms of ranges is a far more mature method than pretending we are endowed with Cassandra’s powers of prophecy.

The problem, of course, is that at an aggregate level, these events happen all the time. To the casual observer, it may seem that there is a breach of major significance every other week. Indeed, incident feeds from industry aggregators seem to show a daily deluge of (small) companies with data incidents. Careful analysis of these data helps to cast the reality of these incidents in a more consumable fashion. Try categorizing the incidents by industry and compare like to like. For instance, if you work in financial services, retail breaches do not look exactly like your own. Further, a breach of a small business is hardly the same as a breach of a Fortune 100 firm. A useful standard is to think about the names of the organizations that you would list in a presentation to your firm’s senior leadership to justify your assertion that something bad could happen. If you find yourself uncomfortable drawing comparisons to unrelated firms, that is an indicator that you might not be using the best data set. A best practice is to gather a list of organizations that your leadership considers competitors or benchmarks and collect incident data about them. When you narrow the list from all breaches to just those at organizations similar to yours, you will see a significant decrease. Feel free to show an aggregate view as well; such trend lines are helpful for making inferences about the relative state of controls in your industry vs. others.
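The narrowing described above (all breaches, then same industry, then leadership's peer list) and the "once every N years" framing from the previous paragraph, as an added example that is not part of the original column; the incident feed, organization names and peer list are constructed for illustration, and the range is derived from the busiest and quietest year in the window:

```python
from collections import Counter

# Constructed sample incident feed (hypothetical organizations and events).
INCIDENTS = [
    ("Bank A", "financial", 2015), ("Retailer X", "retail", 2015),
    ("Corner Shop", "retail", 2015), ("Bank B", "financial", 2016),
    ("Retailer Y", "retail", 2016), ("Clinic Z", "healthcare", 2016),
    ("Bank A", "financial", 2017), ("Retailer X", "retail", 2017),
    ("Bank C", "financial", 2017), ("Credit Union D", "financial", 2017),
]
YEARS = (2015, 2016, 2017)  # observation window of the feed
PEERS = {"Bank A", "Bank B", "Bank C"}  # assumed benchmark list from leadership

def select(incidents, industry=None, orgs=None):
    """Narrow the feed to one industry and/or to a named peer set."""
    return [i for i in incidents
            if (industry is None or i[1] == industry)
            and (orgs is None or i[0] in orgs)]

def yearly_counts(incidents, years):
    """Events per calendar year, keeping zero-event years inside the window."""
    c = Counter(year for _, _, year in incidents)
    return [c.get(y, 0) for y in years]

def recurrence(events, years):
    """Years between events ('once every N years'); inf when none were observed."""
    return years / events if events else float("inf")

def frequency_view(incidents, years):
    """Average recurrence plus the range implied by the busiest and quietest year."""
    counts = yearly_counts(incidents, years)
    total = sum(counts)
    return {
        "events": total,
        "once_every_years": recurrence(total, len(years)),
        # busiest year bounds the short end of the range, quietest year the long end
        "range_years": (recurrence(max(counts), 1), recurrence(min(counts), 1)),
    }

def compare_views(incidents, years, industry, peers):
    """Aggregate feed vs. same-industry subset vs. leadership's peer list."""
    return {
        "all": frequency_view(incidents, years),
        "industry": frequency_view(select(incidents, industry=industry), years),
        "peers": frequency_view(select(incidents, orgs=peers), years),
    }

if __name__ == "__main__":
    for name, v in compare_views(INCIDENTS, YEARS, "financial", PEERS).items():
        print(name, v["events"], "events; once every %.2f years" % v["once_every_years"])
```

A zero-event year in the quietest position yields an open-ended long end (inf), which is the honest answer when the window is too short to bound the recurrence.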

Working in risk is often about seeing the storm clouds on the horizon that can disrupt any promising endeavor. However, we must be careful to utilize the appropriate technical tools and soft skills to cast our necessarily negative outlook as a thoughtful enthusiasm for customers and enterprise resilience.

Jack Freund, Ph.D., CISA, CRISC, CISM, is director, cyberrisk management for TIAA, member of the Certified in Risk and Information Systems Control (CRISC) Certification Working Group, coauthor of Measuring and Managing Information Risk, 2016 inductee into the Cybersecurity Canon, IAPP Fellow of Information Privacy, and is speaking at the 2018 RSA Conference on implementing a cyberrisk framework.


Webinar: Be Resilient in the Face of Stress


Resilience is the key to overcoming obstacles and achieving success. The ability to shift your mind-set from sweating the small stuff to coming up with effective solutions for prioritized tasks can be learned. It is all about learning to communicate more effectively with others and adjusting your internal dialogue so that you can create positive outcomes both at work and at home.

To help you gain the correct mind-set to become resilient and reduce stress, ISACA presents the “Resilience—How to Handle Stressful Situations and Be Able to Relax, Refresh and Rejuvenate!” webinar. Participants in this webinar will learn simple, creative and fun tips to respond to stressful situations, difficult people and challenges in the workplace. This webinar takes place on 8 March at 11AM CST (UTC -6 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and completing a related survey.

Dan Duster, president of 3D Development Group, will present the webinar. Duster is known as the “Barrier Buster” and will use his experience as a motivational speaker, trainer and success coach to show you the path to more resilient stress management.

To learn more about this webinar or to register for it, visit the Resilience—How to Handle Stressful Situations and Be Able to Relax, Refresh and Rejuvenate! page of the ISACA website.


Learn to Transition to an InfoSec Career in This Webinar


The importance of cybersecurity roles in the workforce has become unquestionable. In his blog post “2018 Predictions for Cybersecurity,” ISACA Now Blog author Ravikumar Ramachandran predicts that cybersecurity professionals will need to be skilled in data analysis, cognitive computing, software engineering and regulatory guidelines, and able to address the explosion of connected devices. For organizations to meet these requirements, hiring managers need to consider candidates from various information security backgrounds.

To help you understand more about the information security profession and how to join it, ISACA presents the “A Roadmap for Transitioning to a Career in Information Security” webinar. This session will assist individuals in creating a plan for a career transition to information security. This webinar takes place on 20 March at 11AM CST (UTC -6 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and completing a related survey.

John Pouey, CISA, CRISC, CISM, senior risk coordinator at Entergy, will lead the webinar. Pouey has more than 20 years of information security, banking and auditing experience. He will use his practical experience managing information security and business continuity at 2 financial institutions to show you what it takes to transition to an information security career.

To learn more about this webinar or to register for it, visit the A Roadmap for Transitioning to a Career in Information Security page of the ISACA website.


Auditing Microsoft Exchange Servers


With increasing user reliance on the functionality that the pairing of Microsoft Exchange Servers with clients such as Microsoft Outlook affords (e.g., email, meeting scheduling, creation of task lists and contact records), the security and availability of Exchange Servers are vital. To facilitate IT auditors’ assessments in these areas, ISACA has an audit program that addresses configuration and deployment, role-based access control, performance, logging, and backup and recovery.

The objective of the ISACA Microsoft Exchange 2016 Audit/Assurance Program is to provide enterprises with a means to assess the security and availability of Exchange Servers. This audit/assurance program explores the following Microsoft Exchange Server changes and areas:

  • All issues associated with migration from earlier versions of Exchange have been identified and resolved.
  • Role-based access controls (RBAC) are deployed in the Exchange Server 2016 environment.
  • Consideration has been given to the need for (and techniques to achieve) litigation hold on specified mailboxes in the case of legal e-discovery.
  • Testing steps are included to ensure encryption standards are in place to meet compliance expectations of regulations such as the US Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS).
  • The Exchange Server environment has a database availability group (DAG) design that can support high availability at a level that supports the entity’s business objectives.

Conducting a formal assessment of the security and availability of Microsoft Exchange Server 2016 allows auditors to assist management in identifying where controls are working as intended and where areas for improvement exist. To download this audit program, visit the Microsoft Exchange 2016 Audit/Assurance Program page of the ISACA website.


Learn More About Blockchain Technology in This Live, Virtual Event From IEEE


Blockchain is more than Bitcoin. The real estate, supply chain management, healthcare, financial services and banking industries, and academia all can benefit from the application of blockchain technology. Everything from smart contracts to encrypted credentials can be implemented using blockchain. So how do you start using it?

To dive into the world of blockchain, you need to understand what blockchain is and its capabilities. Morgan Peck, contributing editor of IEEE Spectrum, will introduce you to blockchain in the “IEEE: Introduction to Blockchain Technology” virtual event, 3 hours a day over 3 days, from 20-22 March 2018 at 11AM CST (UTC -6 hours) each day.

Peck will not only help you understand blockchain technology, but she will also illustrate how it is applicable to you and your industry. All 3-hour sessions are included in your registration of US $245 as an IEEE or ISACA member, and US $295 as a nonmember. Upon successfully completing the assessment at the end of the virtual event, you will receive a virtual certificate with IEEE continuing education units (PDHs) and 3 ISACA continuing professional education (CPE) hours.

Register now on the Introduction to Blockchain webpage. For those not available to attend in real time, all content will be available on-demand for 30 days.


A New Perspective on Perimeter Defenses



Ben Franklin said that nothing is certain except death and taxes, although Marcus J. Ranum, firewall innovation expert, argues that the perimeter is equally certain. This may seem like an extreme viewpoint, but it all depends on your perspective. Perspective is ISACA’s new series that presents the viewpoints of professionals, many of whom are preeminent in their fields of expertise, and covers their take on a particular IT topic.

ISACA’s first Perspective article, “The Vaguely Defined Perimeter,” discusses perimeter defenses, which, according to the author, Ranum, clearly are not dead. This article explores the idea that the perimeter is an organizing principle, not a technology. The perimeter is something that defines what you know and what you are responsible for dealing with, allowing you to manage your boundaries. Acknowledging this may make your organization’s management seem less daunting.

To read more about Ranum’s perspective, visit The Vaguely Defined Perimeter page of the ISACA website.


Working Through Implementing the Cybersecurity Law of the People’s Republic of China: An Online Publication


Last June, a landmark new Chinese cybersecurity law took effect. The Cybersecurity Law of the People’s Republic of China (also known as the National Cybersecurity Law) is China’s first published law in which cybersecurity requirements are specifically, comprehensively and legally documented. The law defines the responsibilities of government authorities, network owners, operators and ordinary users, and stipulates penalty provisions for breaches. In response to the law, Chinese authorities launched a comprehensive examination of cybersecurity to:

  • Advance implementation of the law
  • Improve information security awareness
  • Strengthen protections over sensitive data concerning critical infrastructure and individuals
  • Promote standardization and institutionalization of cybersecurity practices

Practitioners and enterprises must first completely and accurately understand the new law, and then they must implement it. As organizations work through this implementation, vendors are designing new products and services targeted to ensure ongoing compliance with the regulations.

The Guide to China’s Regulatory Cybersecurity Implementation Framework online book offers practical advice on implementing the National Cybersecurity Law. The guide utilizes concepts and methodologies of the US National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (CSF), which may be a valuable reference for China in meeting the challenges of the National Cybersecurity Law. You can purchase this ISACA online book on the Guide to China’s Regulatory Cybersecurity Implementation Framework page of the ISACA website. It is US $30 for members and US $60 for nonmembers.


Discover How Your ISACA Membership Can Help Preserve Your Identity


Your ISACA membership can now help prepare you in case of identity theft. InfoArmor’s PrivacyArmor is being launched at a new, special, member-only rate for US members (soon to expand globally). Identity theft cost US $16 billion last year and impacted more than 15.4 million Americans. It is an expensive and time-consuming problem to face. You can register and sign up for InfoArmor’s PrivacyArmor by visiting the PrivacyArmor by InfoArmor page of the ISACA website.

In addition to industry-leading digital identity and financial wellness protection, InfoArmor’s PrivacyArmor service includes the following:

  • Free annual credit report
  • Free monthly credit scores and credit monitoring
  • Identity and credit monitoring
  • Social media reputation monitoring
  • Digital wallet storage and monitoring
  • Threshold monitoring
  • Full-service remediation
  • US $1,000,000 identity theft insurance policy

As an ISACA member, you not only have access to this new service, but you also have access to free webinars and virtual conferences, discounted or complimentary access to ISACA publications, discounted rates on ISACA conferences and certifications, access to more than 70 free continuing professional education (CPE) hours, and access to member-exclusive partner content featuring the Massachusetts Institute of Technology (MIT; Cambridge, USA) Center for Information Systems Research and Wapack Labs.

Learn more about becoming an ISACA member or renew your ISACA membership today to ensure you enjoy every member benefit available in 2018. CPE reporting, fees and dues are now due, so be sure to visit the MyISACA tab on the ISACA website to review your status and sign up for membership or renew now.