Security Breach Indicators
By Leighton Johnson, CISA, CISM, CIFI, CISSP
In the wide world of computer incidents, events and attacks, there are many indicators that system administrators and auditors can use to alert incident handlers or help-desk support personnel to a possible breach. These indicators include:
- Unexplained new user accounts—Accounts that appear with no supporting change request or other documentation from the system owner or IT staff. They are usually found when reviewing the logon, logoff and account-management events in the system's security records, which means account creation has to be audited, not just logon activity.
- Unexplained new files—The main operating system (OS) directories are a favorite place for malicious code to add or swap files, because these directories legitimately change every time the system is patched and one extra file is easy to overlook. Review every file in these directories against the official file listing for each patch and upgrade loaded on the suspect system.
- Unfamiliar file names—The OS vendor's documentation identifies and names the files that belong in each OS directory. That listing is a quick way to separate the files that should be present from those that should not be.
- Modifications to file names and/or dates, especially in system executable files—System files are normally updated only when patches are loaded. A good starting point for the investigation is to look for time stamps that do not match the patch dates published by the OS vendor. Bear in mind that an attacker who replaces a file can also reset its time stamp, so compare file hashes against a known-good baseline or the vendor's published values rather than relying on dates alone.
- Excessive unsuccessful login attempts (usually more than 3 per user)—Attackers frequently begin by trying to compromise privileged accounts belonging to system administrators, managers and network administrators, so a run of failed logins against an administrative account is a common sign of an initial compromise attempt.
- Email flood from an unsuspecting helper (marked as spam; could be a Trojan or other issue)—When a low-level worm is released in a network, its self-replication can produce an internal denial-of-service (DoS) condition inside the network boundary. This is often used as a diversion: the internal DoS event occupies the incident response resources while the real attack goes unnoticed.
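The file and login indicators above can be checked with a short script. The following Python example was added for this article and is not part of the original; it builds a SHA-256 baseline of a directory, re-checks the directory for new, unfamiliar and modified files (catching a replaced file even when its time stamp has been restored), and counts failed logins and undocumented account creations in a syslog-style excerpt. The vendor file list, the approved-account list and the log lines are constructed for illustration and are not from any real system.

```python
"""Breach-indicator checks: new/unfamiliar/modified files and excessive
failed logins. Added example; every input below is constructed, not real."""
import hashlib
import os
import re
import tempfile
from collections import Counter
from pathlib import Path


def hash_tree(root):
    """Map each file under root (relative path) to its SHA-256 digest."""
    root = Path(root)
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_tree(baseline, current, expected_names):
    """Report the file indicators. expected_names stands in for the vendor's
    documented file list for this directory (an assumption in this example)."""
    base, cur = set(baseline), set(current)
    return {
        "new": sorted(cur - base),
        "missing": sorted(base - cur),
        "modified": sorted(p for p in base & cur if baseline[p] != current[p]),
        "unfamiliar": sorted(p for p in cur if Path(p).name not in expected_names),
    }


def timestomp_demo():
    """Baseline a throwaway directory, tamper with it the way an intruder
    might, and show that hashes catch what time stamps miss."""
    root = Path(tempfile.mkdtemp())
    (root / "login").write_bytes(b"original login binary")
    (root / "ls").write_bytes(b"original ls binary")
    baseline = hash_tree(root)
    before = (root / "ls").stat()
    # Replace 'ls' and put its original timestamps back (timestomping).
    (root / "ls").write_bytes(b"trojaned ls binary")
    os.utime(root / "ls", ns=(before.st_atime_ns, before.st_mtime_ns))
    # Drop an extra file whose name the vendor never shipped.
    (root / "ls_").write_bytes(b"dropper")
    after = (root / "ls").stat()
    return {
        "mtime_unchanged": after.st_mtime_ns == before.st_mtime_ns,
        "indicators": compare_tree(baseline, hash_tree(root), {"login", "ls"}),
    }


# Constructed syslog-style auth log excerpt (example data, not a real host).
SAMPLE_AUTH_LOG = """\
Mar 03 09:12:01 host1 sshd[2011]: Failed password for admin from 203.0.113.7 port 50122 ssh2
Mar 03 09:12:04 host1 sshd[2011]: Failed password for admin from 203.0.113.7 port 50123 ssh2
Mar 03 09:12:07 host1 sshd[2011]: Failed password for admin from 203.0.113.7 port 50124 ssh2
Mar 03 09:12:10 host1 sshd[2011]: Failed password for admin from 203.0.113.7 port 50125 ssh2
Mar 03 09:15:22 host1 sshd[2050]: Accepted password for alice from 198.51.100.4 port 40001 ssh2
Mar 03 09:16:02 host1 sshd[2051]: Failed password for bob from 198.51.100.9 port 40002 ssh2
Mar 03 09:20:45 host1 useradd[2102]: new user: name=svc_backup2, UID=1007, GID=1007, home=/home/svc_backup2, shell=/bin/bash
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
USERADD_RE = re.compile(r"useradd\[\d+\]: new user: name=([^,]+)")


def failed_login_offenders(log_text, threshold=3):
    """Users with more than `threshold` failed logins, mapped to the count."""
    counts = Counter(
        m.group(1) for m in map(FAILED_RE.search, log_text.splitlines()) if m
    )
    return {user: n for user, n in counts.items() if n > threshold}


def unexplained_accounts(log_text, approved):
    """Accounts created in the log that have no matching approved change record."""
    created = (m.group(1) for m in map(USERADD_RE.search, log_text.splitlines()) if m)
    return [u for u in created if u not in approved]


if __name__ == "__main__":
    print(timestomp_demo())
    print(failed_login_offenders(SAMPLE_AUTH_LOG))
    print(unexplained_accounts(SAMPLE_AUTH_LOG, approved={"alice", "bob"}))
```

In the demo, `mtime_unchanged` comes back true for the trojaned `ls` while the hash comparison still lists it under `modified`, which is why a hashed baseline, not the file date, should be the reference for the "modified system files" indicator. The login threshold is strict (more than 3), matching the rule of thumb in the list above.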
Leighton Johnson, CISA, CISM, CIFI, CISSP, is a senior security consultant for the Information Security & Forensics Management Team of Bath, South Carolina, USA.
ISACA Membership Supports Your Career From Exam to Certification
Are you prepared for the upcoming certification exams? Your ISACA membership provides you with tools that can help you pass the certification exams.
If you are taking a certification exam in June, there is still time to prepare. Your local chapter may be hosting review courses for the upcoming June exams. Chapter leaders who are certified and active in their field may be able to provide insight into the upcoming exams. Certified members earn continuing professional education (CPE) hours for mentoring. Please reach out to your local chapter leaders to connect with a mentor, gain knowledge and build your network.
As a member of ISACA, you also receive significant discounts in the ISACA Bookstore. Order study materials such as the Practice Question Database, Review Manual, and the Review Questions, Answers & Explanations Manual to prepare for the certification exam of your choice. You can also browse archived study aids for the exams in the ISACA eLibrary.
After you pass the exam, your membership helps you retain your certification by providing ample free CPE hours. You can participate in webinars, virtual conferences and take ISACA Journal quizzes to keep your certification active. View a list of the free CPE hours available to members on the How to Report and Earn CPE page of the ISACA web site.
Your ISACA membership supports your career enhancements and achievements. Browse all of your membership benefits online in the myMembership tab of your ISACA profile.
Highlights of First Quarter Board of Directors Meeting
The ISACA/ITGI Board of Directors/Trustees met in Brisbane, Queensland, Australia, on 28 February-1 March 2014 to conduct regularly scheduled business. The board was pleased to welcome as a guest Anthony Wong, vice president of the Australian Computer Society (ACS), who made a presentation on ACS, IP3 and the International Federation for Information Processing and discussed areas of mutual concern between ISACA and these 3 organizations. The board was also honored to attend the Brisbane Chapter’s Value Management Forum, which featured a speaker and a question/answer session and was attended by top business and IT executives from the Brisbane area.
Topics discussed at the board meeting included:
- Progress update on the implementation of Strategy 2022 (S22)—Progress continues on the initiatives identified as first-in-focus, notably cybersecurity, COBIT market growth and various academic activities.
- Education foundation—Discussion has begun on the possibility of establishing a foundation dedicated to offering scholarships to college/university students and research grants to professors. The idea has the strong support of the board, but considerable additional research is needed.
- Bylaw revision—The bylaws are under review and revision to align with current California (USA) corporation codes and good/actual practices. The revised bylaws will be provided to members for a vote.
- Enterprise risk management (ERM) plan—The association will undertake an update of its ERM plan soon.
The board also discussed the upcoming Global Leadership Conference to be held in April 2014 in Las Vegas, Nevada, USA. All the board members are planning to be present and are very much looking forward to the opportunity to interact with chapter leaders from around the world.
The next meeting of the Board of Directors/Trustees will take place in June 2014 in Chicago, Illinois, USA. It will be the first meeting of the 2014-2015 board.
ISACA Makes Donation to Enactus Under New CSR Program
ISACA has made its first donation under its new corporate social responsibility (CSR) program. As part of the program, ISACA has donated US $20,000 to Enactus, an international, nonprofit organization of student, academic and business leaders who help develop entrepreneurial skills and community growth projects.
Enactus has a presence in more than 30 countries and empowers future business leaders around the world. “We are excited to partner with ISACA and to kick-start its new corporate social responsibility program,” said Alex Perwich, president, Enactus United States. “This partnership will aid in the growth and development of future leaders while empowering real human progress through entrepreneurial action.”
This donation falls under the support of a cause—international portion of the CSR program and is the first of 2 scheduled donations of this type for 2014. In addition, the support of a cause—chapter-/individual-level portion allows chapters, volunteers, members and staff to apply for funding from ISACA to support local/regional organizations and activities. The criteria for qualifying to receive funding and a link to the application form are available on the Criteria for Support of a Cause page of the ISACA web site. A volunteer working group with representatives from the Chapter Support Committee, the Finance Committee and the Relations Board will review all submissions.
Additional information about this program can be found on the Corporate Social Responsibility page of the ISACA web site.
Continuously Learning With a CRISC Certification
Shelly Martin, CISM, CRISC, Manager of IT Security at UnitedHealth Group, Shares Her Experience as a CRISC
Shelly Martin’s love of learning goes hand-in-hand with her Certified in Risk and Information Systems Control (CRISC) certification. “The best part of being a CRISC is the continuing educational opportunities,” she says. “Personally, I love to learn so obtaining my CRISC certification helped meet that objective.”
In addition to giving her educational opportunities, Martin’s CRISC certification has given her a professional edge. “One of the biggest challenges I face in my job is keeping up with emerging IT threats. My CRISC certification keeps me grounded and reminds me to bring each new threat back to basics.”
In her free time, Martin enjoys spending time with her 6 grandchildren and her “techie” husband. But even when she is not in the office, her risk management experience is still a big part of her life. “My CRISC skills are not a separate thing for me. When I first told my friends that I was spending an extra semester on my MBA to specialize in risk management, they were not surprised,” Martin says. “They said, ‘Risk management is who you are.’”
For anyone interested in taking the CRISC exam, Martin suggests doing an initial practice test to figure out your strengths and weaknesses. Martin, who volunteered to write certification exam questions this year, says the CRISC exam is unlike any other exam for which she has ever prepared. “Understand that it is an experience-based exam. You cannot read a book to pass it,” Martin says. “Figure out which experiences you are weak in and then look for opportunities to gain more experience in those areas.”
To learn more about ISACA certifications, visit the Certification page of the ISACA web site.
Book Review: Engineering Safe and Secure Software Systems
Reviewed by Jeimy J. Cano M., Ph.D., COBIT (F), CFE, CMAS
Making an accurate distinction between the words “safety” and “security” is a challenge. Safety is concerned with protection from accidental harm and failure, while security is concerned with protection from deliberate attack. Each represents a tradition and body of knowledge that challenges the way information systems are implemented today, since both seek to understand and anticipate the inevitability of failure.
Engineering Safe and Secure Software Systems gives readers conceptual explanations about the differences between security and safety; ways to integrate the 2 concepts into the information systems life cycle; technology solutions; and detailed, in-depth case studies. The book also analyzes current practices for security and safety regarding appropriate maturity. It has a comprehensive view and analysis of management and technology solutions that companies require.
The complementary view of security and safety presented in this book lets developers and project managers keep a structural view of system development: one that gives assurance that information, and access to it, is protected, and that helps ensure each system component is constructed properly.
Systems should be built to ensure both security and safety. This book provides a unified approach that allows engineers, developers, project managers, auditors and information security analysts to think beyond their own domains of knowledge. It combines the concept of survival systems (systems that protect the physical integrity of the people who operate and depend on them) with information assurance.
Engineering Safe and Secure Software Systems helps readers rethink and renew their understanding of IT audit and information security systems. It enables information security professionals and IT auditors to visualize constructing more comprehensive software project practices. With the help of this book, readers can create recommendations regarding how to secure information and how to limit the effects of system failure.
Engineering Safe and Secure Software Systems is available from the ISACA Bookstore. For information, see the ISACA Bookstore Supplement in the latest issue of the ISACA Journal, visit the ISACA Bookstore online or email email@example.com.
Jeimy J. Cano M., Ph.D., COBIT (F), CFE, CMAS, is a distinguished professor in the law department of the Universidad de los Andes, Colombia. He has been a practitioner and researcher in information and computer security, digital evidence and computer forensics for more than 17 years in different industries. Cano is a member of the ISACA Publications Subcommittee.