@ISACA Volume 18: 29 August 2012 

@ISACA Relevant, Timely News

Tips to Mitigate Intentional Attack Risk
By Victor Chapela

In the last few years, the number of enterprises that have been breached through intentional attacks has grown steadily. A comprehensive analysis of intentional attack risk using quantitative methods shows that these events are planned with clear objectives in mind: to make a profit or to gain a strategic advantage. We need a call to action. In managing risk we must consider the nature of intentional attacks. They follow a behavioral pattern that is difficult to identify and track down, but the attackers’ main goals remain the same. An attack is formed by a complex chain of events. First, attackers obtain data by breaching enterprise or end user information. Second, those data can be modified and sold in black markets. Finally, the stolen data can be used to commit fraud or gain a competitive advantage.

When data have high value to potential attackers, it becomes very difficult to defend them by complying with checklists. There are powerful market forces motivating attackers to find holes in security. The weakest link analogy applies here, especially to intentional attacks. Therefore, securing high-value information requires us to implement a holistic approach to data security. To protect valuable data we need to enclose them in the equivalent of a digital safe box (DSB) where controls have been effectively set up. To do so, it is useful to think in terms of security patterns.

A pattern is a standardized solution model to solve recurring problems that are similar in nature. It is a reusable solution. Furthermore, a security architectural pattern covers the relations between processes and controls. Proper identification of the attackers’ optimization strategies and motivation allows us to define the corresponding security control patterns that most effectively mitigate intentional attack risk.

Patterns allow us to achieve equivalent security levels across different facilities and countries. This cannot be achieved with checklists alone. Control lists generally fail to define how and where the controls should be implemented. The main difference between control patterns and control checklists is that in a pattern all of the elements need to be set up in the right place and with a minimum level of security for each one of them. By encoding this “how” and “where” into control patterns, we can mitigate intentional attack risk consistently rather than case by case.
How control patterns can consistently mitigate intentional attack risk:

  1. Two high-level patterns need to be defined to protect high-value information from being stolen. Each high-level pattern addresses a risk transition:
    • The first pattern is well known, the demilitarized zone (DMZ) pattern. By securing the perimeter with a properly configured DMZ, you are reducing the risk of allowing anonymous attackers into your enterprise’s internal network where sensitive data are stored and processed.
    • The second pattern is the DSB pattern. This pattern defines how high value information is stored, processed and accessed in order to isolate it from the rest of the internal network.
  2. These two high-level patterns can be broken into lower-level solution patterns. Examples include a “centralized authentication pattern” for all sensitive applications or a “virtualized access pattern” to monitor and limit user access to high value information. A high-level pattern can consist of several lower-level patterns.
  3. Patterns should be defined based on known solutions that have worked well for the enterprise or industry. By standardizing a pattern, the enterprise can implement the equivalent levels of security throughout different applications, data centers and environments.
  4. Each pattern should define the minimum level of security required for each control (how?) and the relation of that control to other controls (where?).
    • How the control should be implemented is answered by defining the minimum level of security for each of the controls in the pattern. Is two-factor authentication required? What level of encryption is needed? Can the virtualized session copy or store information locally?
    • Where the controls should be applied could be defined by visual diagrams that are useful to represent relations. Where should you monitor? What should be logged? What information gets backed up? Where do you need redundancy? Where do you encrypt? Which accesses are authorized and which should be blocked? Where do you authenticate? These questions and many more can be answered by encoding them in a visual diagram.
  5. There are three different intentional attack risk mitigation vectors that should be considered when building control patterns:
    • Reduce the value of the information to reduce the attacker’s potential profit and therefore his/her motivation. This can be achieved by separation (reducing the amount of valuable data that can be accessed or retrieved, for example by virtualizing access to the database and disabling copying and saving), by dissociation (saving separate parts of the information, such as storing only the last digits of a credit card number and therefore rendering it useless to criminals) or by encryption, which can reduce the value of information to those who have no access to the key or the decrypting function.
    • Reduce the attacker’s access to increase the cost of perpetrating the attack. The fewer authorized accesses you have in a system or network, the lower the risk that one of them could be compromised. Reducing privileged access is especially important; watch for those with access to valuable data or with technical access that could change configurations or code in the related systems. Additionally, by isolating the DSB from the rest of the internal network you also reduce the potential number of accesses, thus increasing security.
    • Reduce the anonymity of potential attackers and increase their risk of negative consequences. Increasing the potential attacker’s risk is achieved by better authenticating individuals, storing logs of their activity, monitoring access to valuable data and critical components, immediately reacting to high-risk data access or incidents, and last but not least, by making sure that every individual with technical or privileged access to high value information has a binding contract signed with the enterprise.
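The first mitigation vector above (reducing the value of the information by dissociation and by keying it to a secret held elsewhere) can be made concrete. The following is an added example, not code from the original article or from Sm4rt: it keeps only the last four digits of a card number in the clear and stores a keyed HMAC-SHA256 token in place of the full number, with the key assumed to live outside the digital safe box (for instance in an HSM or a separate key service). A keyed one-way token is used instead of the encryption the article mentions on the assumption that the application only needs to match or look up a card, not recover it; the function names, the record layout and the test card numbers are constructed for illustration.

```python
"""Dissociation and keyed tokenization of card numbers (added example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def new_token_key() -> bytes:
    """Assumption: the key is generated and held outside the DSB (HSM, key
    service). Here it only ever exists in memory for the demonstration."""
    return secrets.token_bytes(32)


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card
    numbers; rejects non-digits and implausibly short strings first."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class StoredCard:
    """What the safe box keeps: a displayable fragment and a keyed token.
    Without the key the token reveals nothing about the other 12 digits."""
    last4: str
    token: str   # hex HMAC-SHA256(key, pan)


def dissociate(pan: str, key: bytes) -> StoredCard:
    """Split a validated PAN into the fragment kept in clear and the token."""
    if not luhn_valid(pan):
        raise ValueError("not a valid card number")
    tag = hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()
    return StoredCard(last4=pan[-4:], token=tag)


def matches(pan: str, stored: StoredCard, key: bytes) -> bool:
    """Check a presented PAN against a stored record in constant time.
    Only a holder of the key can perform this check, which is the point."""
    if pan[-4:] != stored.last4:
        return False
    tag = hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, stored.token)


def mask(stored: StoredCard) -> str:
    """Rendering for statements and support screens: last four digits only."""
    return "**** **** **** " + stored.last4


if __name__ == "__main__":
    key = new_token_key()
    # Constructed input: a well-known Luhn-valid test number, not a real card.
    record = dissociate("4111111111111111", key)
    print(mask(record), record.token)
    print(matches("4111111111111111", record, key))
```

The value of a stolen copy of the record store is what the attacker can do with `last4` and `token`: match a card only if they also hold the key, which is why the pattern must place the key in a different trust zone from the data, with its own access controls and logging.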

Defining and implementing control patterns mitigates intentional attack risk more effectively at complex enterprises that hold valuable information.

Victor Chapela is founder and chief executive officer of Sm4rt Security Services and a frequent speaker at ISACA conferences around the world.


Report of the June Meeting of the Board of Directors

The ISACA/IT Governance Institute (ITGI) Board of Directors/Trustees met in June 2012 in San Francisco, CA, USA, in conjunction with World Congress: INSIGHTS 2012 and covered the following:

  • Strategy 2022—In 2009, the ISACA Board of Directors approved a strategy that guided the association in providing its constituents products/services that enable them to ensure trust in, and value from, information systems (those of their own enterprises and of their customers). In 2011, an extension of that strategy was approved, covering a 10-year period and designed to further strengthen the trust and value concepts through new products/services and outreach to new constituencies. The strategy extension is based on several new initiatives, which needed to be prioritized. A market validation study was conducted during April and May 2012 to assist in that prioritization. Discussion at the board meeting focused on the results of the study, which tested market acceptance of the strategic initiatives designed to reach outside of ISACA’s traditional constituency base. The study was conducted on a global basis, gathering input from those involved with ISACA and those unfamiliar with the association and/or its products/services. The purpose of the study was to ascertain whether:
       – There is market need for various products.
       – The product is already being provided by another source.
       – ISACA would be perceived as a preferred source of content on the topic.

    The results of the study enabled further prioritization of the initiatives so that ISACA’s resources—especially the time and energy of its volunteers—can be used in the most effective way.
  • Audit—ISACA’s external audit firm, Grant Thornton, will conduct an audit of the association’s IT general controls.
  • Leadership development—Given the critical importance of the contribution of volunteers to ISACA’s success, the need for continual talent recruitment and development was stressed for both volunteer bodies and the board itself.
  • Upcoming additions to the web site—A governance page will be added to the web site that will provide access to the association’s various documents of governance, including the guidelines, expectations and principles that govern selection of volunteers and the board. Exposure will also be given to megatrends, perhaps through the Knowledge Center, identifying and describing these trends and outlining any activities ISACA will undertake to address them.

The next meeting of the board will occur in November 2012.


Risk: A Bold and Intriguing Field
Robert Hanson, CISA, CISM, CRISC, Shares His Experiences

“Earning a Certified in Risk and Information Systems Control (CRISC) certification has put me on the national stage,” Robert Hanson explains. He knew CRISC was the right certification for him because, “Risk is certainly an expanding field and those who develop a sound and thoughtful risk communication strategy are on a larger trajectory than most. I am thankful for all the knowledge and exposure fostered by ISACA, which has helped me craft my view of the IT security world and my vision with respect to governance, risk and control.”

Hanson remains excited about and challenged by risk management, “Enterprises are like organisms—governance is the central nervous system that coordinates all the activities and risk (particularly enterprise or strategic risk) is the stimulus or a crucial element of its reaction mechanism. The key is to transition from a stimulus/reaction mechanism to a stimulus/response mechanism and to anticipate and learn from that stimulus. Technology and information systems are the most strategic part of any cause-and-effect risk chain for enterprises. Being able to apply your knowledge provides assurance to any enterprise that you are qualified to get the job done—a very important factor if you aspire to become its risk specialist.”

Hanson’s current role as senior risk officer (SRO) supports the enterprise’s risk management activities where he applies his strategic perspective. According to him, “Information systems (IS) are at the heart of what we do and it is rewarding to be able to speak about technical matters and enterprise risk in the same breath.”

For Hanson, the biggest challenge in his position “is to achieve effective communication that allows me to discuss complex ideas with very busy top executives.”

Hanson also finds that a risk-related job has become a great avenue for him to develop his capabilities and perceptions. He believes his life in general has a strong connection with this topic and his interest in solving intricate situations potentially caused by risk. He realizes that his role as a CRISC professional is just as important as his other interests in life; he is an avid curler who recently competed at a national tournament and also enjoys landscape photography.


Join ISACA’s Online Community

Did you know that ISACA has online communities in the Knowledge Center? Connect, contribute and collaborate in ISACA’s Knowledge Center. You can start a discussion, add your favorite link, share a document or even start a wiki to collaborate with other ISACA members. Other valuable community resources include ISACA publications, white papers, ISACA Journal articles and events specific to each topic. There are more than 100 topics to choose from, so it is easy to find topics, guidance and experts that match your interests.

With ISACA’s Knowledge Center, you can:

  • Connect with ISACA members
  • Participate in discussions
  • Contribute documents and links
  • Collaborate in wikis

Visit the Knowledge Center page of the ISACA web site to browse the full list and to join a community.


Book Review: Principles of Information Security
Reviewed by Andrew Richardson, CISA, CISM, CRISC

Principles of Information Security, 4th Edition provides a balanced introduction to information security in the modern enterprise, as well as a solid historical overview of information security, risk management and security technology. This book will be of great interest to individuals pursuing the Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), or Certified in Risk and Information Systems Control (CRISC) designation.

Principles of Information Security, 4th Edition by Michael E. Whitman and Herbert J. Mattord establishes that technology on its own cannot solve the underlying information security issues. Information security is a problem for management to solve and not a problem that technology can address by itself.

Chapters cover the need for security, legal, ethical and professional issues, risk management and planning for security. This book provides a very good introduction to access control, firewalls and remote connections. It also addresses implementation of information security, security and personnel, and information security maintenance. Each chapter has valuable real-life scenarios and learning objectives.

Principles of Information Security, 4th Edition is available from the ISACA Bookstore. For information, see the ISACA Bookstore Supplement in the latest issue of the ISACA Journal, visit the ISACA Bookstore online or email bookstore@isaca.org.

Andrew Richardson, CISA, CISM, CRISC, is the group information security officer (ISO) at AEGON UK. Richardson has more than 25 years of experience in IT, information security, audit and risk. He has written a number of articles for the ISACA Scotland Chapter and is a member of the ISACA Publications Subcommittee. He can be reached at andrew.richardson@bcs.org.uk.
