@ISACA Volume 6  22 March 2017

Is the Internet of Things the Next Trojan Horse?


On 21 October 2016, something happened that could have been straight out of a science fiction movie. Many parts of the Internet, which we take for granted, stopped working. Twitter went down; Airbnb and Spotify were inaccessible. Even security expert Brian Krebs’s blog was shut down. It was as if the Internet had stopped working. What had occurred was a massive distributed denial-of-service attack (DDoS). The difference between this attack and most others is that instead of focusing the attack on an individual website, the focus was on a centralized service provided by the vendor, Dyn. Dyn offers services, including routing of incoming traffic, so that heavily used sites, such as Twitter, can offer better service to their visitors. The DDoS hackers took a hit-the-mothership approach to deliver a much more widespread impact, bringing down multiple websites.

DDoS attacks are increasing in frequency and size. Security experts, including Krebs, believe that this new breed of DDoS attack is only possible because of the Internet of Things (IoT), which is acting like a modern-day Trojan horse carrying the capability en masse to carry out a cyberattack.

IoT devices, being connected via the Internet to cloud servers and each other, have a wide reach and can control our fridges, heating controls and much of our modern lives. This highly distributed connectivity is a hacker's dream. The IoT has the potential to be a massive interconnected web of hacker tools that can be switched on for hacking whenever needed. If an IoT device is infected with botnet malware, it can also connect back to the hacker via the Internet. Infected IoT devices act like a massive distributed collective, working together as highly effective cybercrime tools and using the combined power of many devices to effect their sinister outcome.

The underlying reason why IoT can be hijacked in this manner has to do with the security approach of IoT manufacturers. The rush to market of many IoT devices has had some negative implications, one of which is security. Many devices have serious security vulnerabilities, and vendors may not be efficient with updates. Other security issues also exist, e.g., insecure software components, unencrypted or poorly encrypted communications, or insecure protection of the wireless network password for the home network where the device resides. Each of these weaknesses effectively adds a backdoor into the device that can be exploited, which is what happened during the Dyn attack. The Dyn DDoS attack was traced back to IoT devices that were infected with malware known as Mirai. Mirai was built to scan Internet-connected IoT devices looking for known security vulnerabilities, in particular weakly chosen usernames and passwords. Mirai then uses dictionary attacks or tries to log in with widely used default credentials. Once it has access, the infection begins.
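The credential-guessing behaviour described above leaves a recognisable trace on the device or its upstream logging host: a burst of failed logins across several usernames from one source, then a success. The following detector is an added example, not code from the article or from ISACA; the syslog-style line format, the hypothetical device name cam01 and the sample lines are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed syslog-style lines from a hypothetical camera "cam01"; not real captures.
SAMPLE_LOG = """\
Oct 21 11:02:01 cam01 telnetd: login failed user=root from=198.51.100.7
Oct 21 11:02:02 cam01 telnetd: login failed user=admin from=198.51.100.7
Oct 21 11:02:02 cam01 telnetd: login failed user=support from=198.51.100.7
Oct 21 11:02:03 cam01 telnetd: login failed user=root from=198.51.100.7
Oct 21 11:02:04 cam01 telnetd: login failed user=user from=198.51.100.7
Oct 21 11:02:05 cam01 telnetd: login ok user=admin from=198.51.100.7
Oct 21 11:05:10 cam01 telnetd: login failed user=alice from=192.0.2.9
Oct 21 11:05:40 cam01 telnetd: login ok user=alice from=192.0.2.9
"""

# Hypothetical log line format assumed for this example.
LINE_RE = re.compile(
    r"telnetd: login (?P<result>failed|ok) user=(?P<user>\S+) from=(?P<src>\S+)"
)


def parse_events(log_text):
    """Yield (src, user, ok) for each line matching LINE_RE; other lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), m.group("user"), m.group("result") == "ok"


def find_credential_sweeps(log_text, min_failures=3, min_users=2):
    """Flag sources that fail repeatedly across several usernames (a sweep) and
    record whether a success followed the sweep, i.e. a likely compromised device."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "success_after_sweep": False})
    for src, user, ok in parse_events(log_text):
        s = stats[src]
        if ok:
            # A success only counts if it follows a sweep that already met the thresholds.
            if s["failures"] >= min_failures and len(s["users"]) >= min_users:
                s["success_after_sweep"] = True
        else:
            s["failures"] += 1
            s["users"].add(user)
    return {
        src: {"failures": s["failures"], "users": sorted(s["users"]),
              "success_after_sweep": s["success_after_sweep"]}
        for src, s in stats.items()
        if s["failures"] >= min_failures and len(s["users"]) >= min_users
    }


if __name__ == "__main__":
    for src, info in find_credential_sweeps(SAMPLE_LOG).items():
        print(src, info)
```

A single user mistyping a password (the 192.0.2.9 lines) stays below the thresholds, so only the multi-username sweep followed by a successful login is reported.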

The following tips can be used to keep IoT devices secure:

  • Passwords—One of the well-known issues with many IoT devices is that manufacturers ship IoT devices with default passwords. These passwords should be changed as soon as the consumer switches on the device, and the chosen password should not be obvious. The Mirai botnet was able to take control because of preset, easy-to-guess default passwords on IoT devices, such as 1111111. If 2-factor authentication is available on a device, it should be used to increase security.
    Note that some devices have hard-coded administration passwords for remote access by manufacturers. This is a known security hole, which manufacturers are aware of and should be working to resolve.
  • A patch in time—Just like laptops and mobile phones, IoT device firmware needs to be updated. If the IoT device allows users to update it directly, they should do so whenever a patch is available.
  • Selective connections—One of the reasons why IoT devices are so vulnerable is the number of points of failure. The more connections that exist, the more routes there are to exploit. So if an IoT kettle does not need to connect to a user’s email account, then it should not.
  • A degree of separation—It is a good idea to create a separate guest network for IoT devices on routers (if they allow for this). This will create a degree of isolation from the rest of a home network and files.
  • No more plug and play—Universal Plug and Play (UPnP) is a protocol that allows devices to find each other so they can be linked together to share data, e.g., cameras and printers. Unfortunately, this very useful service also makes IoT devices vulnerable to attack, as it opens a hole into the network that hackers can exploit. Recently, however, the UPnP Forum has put out advisories on how to reduce this vulnerability and is working on improved standards that take IoT into consideration.

The recent Dyn attack may be just a test session for the perpetrators. We may well witness an even larger scale and more impactful attack next year. Having Twitter or Spotify offline may be annoying, but losing a critical infrastructure, such as an electricity grid, will have a more worrying outcome. If we do not take stock and put measures in place to stop this modern Trojan horse, we may well end up with much more dire consequences.

Avani M. Desai, CISA, CRISC, CIPP, CIA, CISSP, PMP, is the executive vice president at Schellman & Company Inc. Desai has more than 13 years of experience in IT audit, attestation, security and privacy. Her focus recently has been on emerging technology concerns and issues.


Develop Your Personal Brand



Personal branding can be crucial to career success. However, many professionals are too busy to develop a personal brand strategy. It is necessary to have a consistent professional image on resumes, social media and through networking. To help individuals develop their brand, ISACA is presenting the “Personal Brand Stewardship: Secrets for Creating a Powerful Leadership Brand” webinar. This webinar will take place on 23 March at 11AM CDT (UTC -5 hours). Attendees can earn 1 continuing professional education (CPE) hour by attending this webinar and passing a related quiz.

This webinar will teach attendees how to network via messaging and how to leverage social media, especially LinkedIn, for career advancement. After completing the webinar, attendees can expect to have a strategy on how to improve their personal brand. Caitlin McGaw, chief recruiting officer for Candor McGaw Inc. will lead this webinar.

To learn more about this webinar or to register for it, visit the Personal Brand Stewardship: Secrets for Creating a Powerful Leadership Brand page of the ISACA website.


Subscribe to the ISACA Podcast and Never Miss an Episode



The ISACA Podcast gives you insights into the latest regulations, trends and threats experienced by information systems auditors and governance and security professionals. To help you listen to podcasts on the go and ensure you never miss an update, the podcast is now available for subscription on iTunes, Google Play and SoundCloud. At least 1 new podcast will be available each month, and the subjects of the podcasts include cyber security, COBIT 5, audit and more.

The experts interviewed in the ISACA Podcast have valuable perspectives they have gained from their years of experience in the field. The experts interviewed in these podcasts include ISACA Journal contributors, subject matter experts who contributed to white papers and COBIT-certified trainers. The complexity of the subjects varies, so whether you are beginning your career or have decades of experience, the ISACA Podcast has something for you.

To learn more about the podcasts or to subscribe to them, visit the ISACA Podcast page of the ISACA website.


ISACA Survey Identifies 5 Biggest Barriers Faced by Women in Technology


Wage inequality compared to equally qualified male colleagues, workplace gender bias and a shortage of female role models continue to contribute to the shortage of women in technology, according to a new ISACA survey. Detailed in the release of ISACA’s “The Future Tech Workforce: Breaking Gender Barriers” report, survey respondents identified the top 5 barriers experienced by women in technology as:

  1. Lack of mentors (48%)
  2. Lack of female role models in the field (42%)
  3. Gender bias in the workplace (39%)
  4. Unequal growth opportunities compared to men (36%)
  5. Unequal pay for the same skills (35%)

The survey found that 92% of the women in technology surveyed have experienced gender bias in the workplace, and 43% say male colleagues are paid more than their equally qualified female team members.

“Women are vastly underrepresented in the global technology workforce. This is not only a societal concern, but also a workforce problem, given the critical shortage of skilled technology professionals faced by many enterprises,” said Jo Stewart-Rattray, CISA, CRISC, CISM, CGEIT, FACS CP, board director of ISACA and director of information security and IT assurance at BRM Holdich. “ISACA’s survey findings reinforce that there is much work left to be done. By providing more opportunities, including career advancement programs, we can make long overdue progress in ensuring that women are more equitably represented in the technology workforce.”

ISACA addresses a number of these barriers, including the lack of networking opportunities, through its Connecting Women Leaders in Technology program, which began in 2015 and connects women in the technology industry.

In 2017, ISACA will feature several educational opportunities related to its Connecting Women Leaders in Technology program, including a Women in Technology webinar series. The next webinar is scheduled for 18 May. Women in technology programs will also take place at ISACA’s North America CACS conference in Las Vegas, Nevada, USA, 1-3 May, and at the EuroCACS conference in Munich, Germany, 29-31 May.

For a survey report and additional perspectives from women in technology, visit the Women in Technology Survey page of the ISACA website.


CISA Named Best Professional Certification Program



SC Awards 2017 recognized the Certified Information Systems Auditor (CISA) certification, ISACA’s most longstanding certification, as the Best Professional Certification Program. The Certified Information Security Manager (CISM) certification was also a finalist for this year’s top professional certification program.

“The CISA credential is often a mandatory qualification for employment as an IS auditor,” said Frank Schettini, ISACA’s chief innovation officer. “As the business technology landscape rapidly evolves and creates new challenges, employers recognize that CISA-certified professionals have the knowledge and global credibility to deliver on rising expectations for audit, control and security professionals.”

This year, the CISA, Certified in Risk and Information Systems Control (CRISC), CISM and Certified in the Governance of Enterprise IT (CGEIT) certification exams will be offered in 3 testing windows of 8 weeks each. To learn more about CISA or the other certifications ISACA offers, visit the Certification page of the ISACA website.


Survey on Internet Users’ Willingness to Provide Personal Information


With the rapid development of online platforms, corporations and customers’ interactions have been moving from brick-and-mortar stores to cyberspace. With the advancement of information technology, the personal information of Internet users can be collected efficiently and analyzed effectively, which brings significant business value to corporations. Customers can also enjoy the benefits of personalized services and targeted marketing promotions as a result of the collection and use of personal information collected from them. However, information privacy is a key concern of Internet users in providing personal information to online platforms.

The Department of Management and Marketing at the Hong Kong Polytechnic University is undertaking a study to explore Internet users’ willingness to provide personal information for personalization. The objectives of the study are:

  • To understand the impact of personal disposition and contextual factors on Internet users’ evaluation of privacy concern
  • To identify and analyze Internet users’ responses to personal information requests for personalization
  • To analyze the effectiveness of privacy countermeasures implemented by organizations in mitigating Internet users’ privacy concerns
  • To analyze and compare Internet users’ evaluations of privacy concerns and willingness to provide personal information for personalization among different countries

To participate in this study, please complete the online survey, which will take approximately 20 minutes. All analysed information will be de-identified and kept strictly confidential. The findings will be presented in aggregated form only, and no individual or organization will be identified in this project.

The survey will be available through 16 April. If you have any questions or require further information about this research, contact Alan Lee at alan.wl.lee@connect.polyu.hk or by phone at +1.852.9092.2416.


Using the CISM Certification to Help Your Career Soar

Thomas A. Johnson, CISM, Shares His Experience as a CISM

Thomas A. Johnson, CISM, believes in the importance of studying and education. His weeknights are spent teaching at the university level, and his weekends are spent providing advanced instruction to small-aircraft pilots. To earn his Certified Information Security Manager (CISM) certification, Johnson knew that studying would be crucial. “My professional goals involve personal growth, which directly influence my personal goals. My personal goals are firmly oriented in educational growth,” he says. “The CISM certification satisfies both of those goals. In pursuit of a certification, there are some who attempt to take the test without study, but the overwhelming majority of test takers set goals, reserve time and diligently study.”

Johnson had technology-related certifications throughout his career, but he pursued the CISM certification because of the way the security role was evolving. “Because security was slowly being pulled into a separate function at the financial institution I was working at, and because I was stepping into a security leadership role, I realized that I needed to look into certification in the security space—specifically in security management and leadership. The CISM certification stood out as the clear choice.”

The CISM certification has enhanced Johnson’s credentials and helped him excel in his career as a full-time consultant. “In the consulting industry, marketing is important. There are very few ways to show that your staff has the expertise to do the job better than certification. Holding the CISM certification demonstrates to potential clients that I have the skills to do the job.”

Part of doing the job involves staying informed about the latest trends in security and governance, and Johnson says that the CISM certification helps keep him aware of changes in the industry. “The biggest challenge I face as a consultant is being on top of the latest security and governance methodologies and trends,” he says. “Being a CISM, I am required to obtain a minimum number of continuing professional education (CPE) hours, which helps me stay ahead of the curve.”

To learn more about ISACA certifications, visit the Certification page of the ISACA website.