ISACA Journal Author Blog


Preventing Cyberattacks With COBIT 5 Processes

Fredric Greene, CISSP
Posted: 3/22/2015 3:01:00 PM | Category: Security

It is easy to second-guess organizations after an attack as opposed to working with them on cybersecurity or information security initiatives. But this questioning can also offer some benefit, helping security professionals learn what could have been done to defend the organization against the cyberattack. The following is a brief look at the attacks on Sony, Morgan Stanley and Anthem as a sample across the entertainment, financial and health insurance industries:

  • Sony Pictures Entertainment (SPE) was the victim of a breach that exfiltrated more than 100 terabytes of data (47,000 records), after which large volumes of data were erased. Servers, networks and other infrastructure were rendered nonoperational.
  • Morgan Stanley was the victim of an internal financial adviser who stole data on 350,000 clients using a reporting tool that gave him access to massive amounts of data on clients.
  • Anthem suffered the disclosure of 80 million unencrypted customer and employee records accessed through stolen administrator credentials.

I would suggest that there are specific COBIT® 5 processes and practices that can be effective in halting or minimizing these types of attacks.


A Security Solution Needs to Fit Like a Great Suit

Kerry A. Anderson, CISA, CISM, CGEIT, CRISC, CCSK, CFE, CISSP, CSSLP, ISSAP, ISSMP
Posted: 3/9/2015 3:08:00 PM | Category: Security

The selection of a security solution is a critical decision for an information security program. With the plethora of security solutions available, finding the best fit for an enterprise and its security needs can be a challenging and time-consuming task. When cost constraints are added to the picture, the selection process becomes even more problematic. There is a temptation to go with what is already familiar or select a solution that is already in use at a similar organization. But the best place to begin is by identifying critical functional requirements and restrictions for a security solution. The goal is to define, in a vendor-neutral fashion, a generic prototype of the security solution being sought. This should be done before doing any vendor research. This process should also spot potential attributes of a solution that may clash with the organizational environment.


Tips for Implementing a Secure Cloud System

Larry Wlosinski, CISA, CISM, CRISC, CAP, CBCP, CDP, CISSP, ITIL V3
Posted: 3/2/2015 7:59:00 AM | Category: Security

Cloud technology had a strong start because it followed the same development path as other systems. That path was to develop capabilities and add features to systems with little regard for information security. Over the years, cloud applications have emerged as software as a service (SaaS), platform as a service (PaaS) and infrastructure as a service (IaaS). Cloud systems are deployed as private, community, public and hybrid models. They are all over the Internet and are accessible by many types of mobile devices.

Over time, many cloud systems have crashed and incurred a variety of problems. Because of this, and the fact that many people are not paying attention to these issues, I wrote my recent ISACA Journal article, “Cloud Insecurities.” In the article I talk about the threats, vulnerabilities and weaknesses that people have accepted as a way of life and tend to ignore. Many of the article’s observations come from reading the Department of Homeland Security (DHS) Daily Open Source Infrastructure Report and from the Cloud Security Alliance (CSA) reports. To address the cloud problems, my Journal article suggests countermeasures that may or may not have been considered or implemented, and there are some questions that may help organizations think through cloud vulnerabilities.


Applying Porter’s 5 Forces Model to Risk and Security

Yuri Bobbert
Posted: 2/9/2015 3:08:00 PM | Category: Risk Management

A large portion of academic and practitioners’ literature focuses on implementing and validating existing security frameworks or guidelines. Limited academic research is done on strategizing risk and security. Formulating a security strategy depends on several perspectives and is usually different for each company. Formulating this strategy depends on regulations, technologies, business processes and the interaction among numerous partners in the digital value chain. These dynamics vary in force and frequency. The importance of a well thought-out strategy is examined and elaborated in several studies by several strategists in all types of industries.


A Smart Strategy to Combat Advanced Persistent Threats and Targeted Attacks

Seemant Sehgal, CISA, CISM, BS7799 LI, CCNA, CEH, CIW Security Analyst, SABSA
Posted: 2/2/2015 8:45:00 AM | Category: Security

Advanced persistent threats (APTs) are a hot topic in the security arena today. There are a number of definitions and methods of identifying an APT. Some define it based on the extent of pinning it to certain attack vectors, while others map it to the complexity or time it takes to complete the attack. The term “targeted attacks” is the latest buzzword, gradually taking center stage as a new breed of cyberthreats emerges.

So how can one devise an effective strategy to combat such threats? Well, to do so, it is important to understand the implications of the words “advanced” and “targeted” in the cybersecurity context. Think of the example of a pickpocket looking for a prospective victim. A thief will skip stealing from targets when they are vigilant and instead look for someone whose guard is down. In other words, the attacker will go for the “low-hanging fruit” to find a way in.
