Did you know that 69 percent of reported breaches involve someone inside the organization? Whether by mistake or malice, users are the biggest threat to a company’s data. Therefore, having forensics and analytics on your users’ actions is the best way to audit and respond to a data breach. But how will users feel about you collecting these forensics?
On the one hand, organizations need to monitor user activity for potential threats. On the other hand, employees do not want to feel like their privacy is being violated. So, how do you protect your company from data breaches without employees seeing you as being intrusive? Here are a few suggestions:
- Clearly communicate monitoring policies—When giving employees or third-party users access to the system, notify them that their actions will be monitored. Create a “policies and procedures” document that clearly outlines why user behavior is monitored, what will be monitored, and what behaviors are considered illegal or unacceptable. Give this document to all users when they first receive their login credentials. Discovering this monitoring policy later may leave employees or vendors feeling like their privacy has been violated.
- Explain the goal of user activity monitoring—To help employees feel like they are trusted members of the company, it is important to explain the goal of user monitoring. Monitoring simply records actions to flag potential illegal activity or threats to the company. The standard employee should have nothing to be concerned about. In fact, this software will help protect them from blame if a breach does occur.
- Explain what activities are monitored—Unfortunately, all actions taken on a company system must be monitored, recorded and stored. While it does not seem necessary to record someone browsing Facebook or checking personal email, stopping the recording during these times would open up opportunities for disguising illegal behaviors. To ease employees’ minds, explain that while every action—including individual keystrokes—is being recorded, they are not necessarily being monitored. Only suspicious or illegal activity will trigger alerts.
- Remind users they are being monitored—Even after explaining the monitoring policies fully, it is a good idea to regularly remind employees of these policies. Notifications and policy messages can be built into your monitoring software to remind users every time they log in so they never feel caught off guard. It can also act as a constant deterrent for anyone attempting any illegal acts.
User activity monitoring is the best defense for the insider threat companies face. But companies should be smart about it. Follow these tips to keep users feeling happy and safe while keeping the company protected.
Read Dimitri Vlachos’ recent Journal article:
“User Threats Vs. User Privacy,” ISACA Journal, volume 1, 2015.
There is a big push within the United States federal government right now to implement information security continuous monitoring (ISCM) across all of its computer networks. According to the US National Institute of Standards and Technology (NIST), “information security continuous monitoring is defined as maintaining ongoing awareness of information security, vulnerabilities and threats to support organizational risk management decisions.” Key benefits of an ISCM program include enabling consistent adoption of cybersecurity best practices, streamlining and automating manual assessment processes, measuring risk, and prioritizing the problems that need to be fixed first. The US Department of Homeland Security (DHS) is spearheading the effort to implement an ISCM, with an initial focus on rolling out hardware asset management, software asset management, configuration settings management and vulnerability management capabilities across federal agencies.
Implementing an ISCM program can be a complex undertaking, especially at large federal agencies that may have hundreds of thousands of devices deployed across multiple geographically distributed sites. The challenges range from technical challenges, such as data integration issues, to operational challenges, such as training staff to properly use the tools, to governance challenges, such as how to enforce reporting and compliance. My recent Journal article describes my company’s experience when working with a large federal agency to develop a continuous monitoring system that is responsible for monitoring millions of devices across a globally distributed network. The article discusses the key technical challenges we encountered and the techniques we applied to overcome those challenges based on 4 years of successes and some painful lessons we learned along the way.
Read Tieu Luu’s recent Journal article:
“Implementing an Information Security Continuous Monitoring Solution—A Case Study,” ISACA Journal, volume 1, 2015.
Ed Gelbstein, Ph.D.
The need to justify expenditures with a return on investment (ROI) grows steadily as everyone is trying to reduce costs—in the private sector to “optimize shareholder value,” and in the public sector to “cut public expenditure.” In extreme cases, this leads to what I call saving money regardless of cost (SMRC).
The chief information officer (CIO) and chief information security officer (CISO) are disadvantaged when competing against other corporate functions for funding—security is essentially an expense, while other areas, such as marketing, target new revenue. This is not the only disadvantage CIOs and CISOs face. Other challenges include:
- The benefits of any investments in security are not accrued by the IS/IT department. They are corporate and, regardless of the numbers (which are difficult enough to estimate), without a business process manager accepting such benefits as being roughly correct and supporting them, the return on security investment (ROSI) becomes a piece of science fiction.
- There are few, if any, metrics that allow an estimate of the likelihood of a successful cyberattack. This is because new vulnerabilities emerge with every new product or software upgrade, hackers get smarter, malware for sale becomes increasingly available and each organization may become a target of hackers, spies, activists or criminals. We just do not know and have to make guesses about future events. As the Danish physicist Niels Bohr said, “It is very hard to make predictions, particularly about the future.”
- Worse, this lack of knowledge implies that asking the question, “Are we likely to be a target in the next 12 months?” in the absence of other indicators, such as detected attempts to penetrate the organization’s networks or systems, is the equivalent of tossing a coin: a probability of 50% that the answer is yes and a probability of 50% that it is no.
My recent Journal article describes the steps to put together a ROSI that is robust enough to withstand close scrutiny, including factors such as conditionalities, e.g., lack of knowledge that the product or service to be purchased will actually work as described by the vendor, that it will be correctly configured and that people will know how to use it. This is not always the case.
There are many ROSI calculators available online and some proposed by serious organizations. Many of them are of doubtful value because they are simplistic and rely on data that needs to be guessed (e.g., mitigated annual loss expectancy).
On the other hand, given that the sums of money involved are modest, how likely is it that there will be a post-implementation benefits audit to validate the original ROSI?
Read Ed Gelbstein’s recent Journal online-exclusive article:
“Return on Security Investment—15 Things to Consider,” ISACA Journal, volume 1, 2015.
Ian Cooke, CISA, CGEIT, CRISC, COBIT Foundation, CFE, CPTS, DipFM, ITIL Foundation, Six Sigma Green Belt
According to DB-Engines, the Microsoft SQL Server Database is the 3rd most popular database management system in use today.
The Microsoft SQL Server Database is particularly popular with small- and medium-sized enterprises due to its relative lack of complexity and ease of use. These small- and medium-sized enterprises typically have fewer IT resources than large enterprises, which, in turn, could mean less oversight of the database. For example, the cost of a Microsoft SQL Server Database scanner may be prohibitive for these smaller companies. Similarly, they may not have the budget to pay for a consultancy to review the database configuration against accepted best practice.
In such instances, computer-assisted audit techniques (CAATs) may provide the answer. CAATs can be tailored for multiple tasks and, when combined with information taken directly from the SQL Server database, they can be used to provide assurance for a number of risk factors, including many of those defined in the main SQL Server Security Standards. Furthermore, the company can build and define its own standards within the CAAT software. These standards can then be used as a basis to compare against all of the company’s databases, thus increasing compliance and speeding up the audit process. This technique provides an efficient, cost-effective method of providing assurance over the company’s Microsoft SQL Server Databases.
Read Ian Cooke’s recent Journal article:
“Auditing SQL Server Databases Using CAATs,” ISACA Journal, volume 1, 2015.
Ulf T. Mattsson
Data are valuable. Businesses increasingly rely on data to make better decisions, to better target their customers and to predict the future. Leveraging data through real-time analysis for business value is driving businesses to collect more data faster and from more sources than ever. This has given rise to the era of big data and the Internet of Things.
These large caches of data also hold a significant direct value in monetization—the sale of part or all of the data to a third party. The percent of businesses monetizing their data is projected to triple by 2016. Much of this data is related to consumers—privacy data.
It is important to note how much more severe the damage due to identity theft can be than a typical payment card industry breach. You cannot simply issue a new identity the same way you can a new payment card. Meanwhile, an individual’s health insurance, credit and legal status are all in jeopardy.
It only makes sense that with all that data (and the direct and indirect value it represents), hackers would be increasingly driven to steal it. The question is how to protect the data from persistent, intelligent threats while preserving its value to the enterprise.
Businesses often collect a lot of privacy data in bits and pieces: names and addresses, separate from phone numbers and email addresses, separate from ages and genders. Then they integrate it in analysis to get a complete view of their customers. While separately these pieces of information may not readily identify an individual, together they can completely expose an individual to financial hijacking or outright identity theft. In effect, these businesses are doing a lot of the work for criminals aiming to steal this information.
To reach the goal of securing the data while preserving its value, the data itself must be protected at as fine-grained a level as possible. Securing individual fields allows for the greatest flexibility in protecting sensitive identifying fields while allowing nonidentifying information to remain in the clear.
Protecting this information within the enterprise is a significant challenge on its own, but monetizing the data means sending it to one or many other organizations, each of which have their own security profiles. Anonymizing privacy data completely may not be feasible in a monetizing scenario, but deidentifying the most sensitive information, e.g., names, social security numbers, birth dates, is vital to protecting the privacy of individuals. Using data protection methods such as tokenization can also allow businesses to preserve the type and length of the data, as well as deidentifying only part of the data fields, while leaving the relevant parts in the clear, such as exposing a birth year rather than the entire date. This will keep the data usable for third parties to analyze, while helping to protect the privacy of the individuals who make up the data.
We may not be able to completely prevent hackers from stealing data, but we can make it far more difficult for them to cause significant damage with it. By protecting data at a very fine-grained level—fields or even part(s) of a field—we can continue to reap the benefits of data monetization while putting forth a significant barrier to identity theft.
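As an added illustration (not the author’s or the article’s code), the following Python sketches the field-level approach described above: a vault-based tokenizer that keeps each field’s type and length, tokenizes names, SSNs and email addresses fully, and de-identifies only the month and day of a birth date so the year stays usable for analysis. The in-memory vault, the field names and the sample record are assumptions constructed for the example.

```python
"""Field-level, format-preserving tokenization (added illustration)."""
import calendar
import re
import secrets
import string
from typing import Callable, Dict

IDENTIFYING = {"name", "ssn", "email"}  # tokenize the whole field
PARTIAL_DATE = {"birth_date"}           # keep the year, tokenize month/day


def _same_shape(value: str) -> str:
    """Random text of the same length and character classes; separators kept."""
    out = []
    for ch in value:
        if ch.isdigit():
            out.append(secrets.choice(string.digits))
        elif ch.isupper():
            out.append(secrets.choice(string.ascii_uppercase))
        elif ch.islower():
            out.append(secrets.choice(string.ascii_lowercase))
        else:
            out.append(ch)  # '-', ' ', '@', '.' stay, so the format is preserved
    return "".join(out)


def _random_month_day() -> str:
    mm = secrets.randbelow(12) + 1
    dd = secrets.randbelow(calendar.monthrange(2000, mm)[1]) + 1  # 2000 is leap
    return f"{mm:02d}-{dd:02d}"  # always a valid calendar date


class FieldTokenizer:
    """Vault-based tokenizer: random tokens, one consistent token per value."""
    def __init__(self) -> None:
        # value -> token and token -> value; the vault stays with the data owner
        # (an in-memory dict here, assumed for illustration)
        self._forward: Dict[str, str] = {}
        self._reverse: Dict[str, str] = {}

    def _store(self, value: str, mint: Callable[[], str]) -> str:
        """Return the consistent token for value, minting a fresh one if new."""
        if value in self._forward:
            return self._forward[value]
        for _ in range(10_000):
            token = mint()
            # a token must not collide with another token or equal the plaintext
            if token not in self._reverse and token != value:
                self._forward[value] = token
                self._reverse[token] = value
                return token
        raise RuntimeError("token space exhausted for this format")

    def tokenize(self, value: str) -> str:
        """Protect a whole field (name, SSN, email) with a same-shape token."""
        return self._store(value, lambda: _same_shape(value))

    def tokenize_birth_date(self, iso_date: str) -> str:
        """Partial protection: YYYY stays in the clear, MM-DD becomes a token."""
        if not re.fullmatch(r"\d{4}-\d{2}-\d{2}", iso_date):
            raise ValueError("expected YYYY-MM-DD")
        return f"{iso_date[:4]}-{self._store(iso_date[5:], _random_month_day)}"

    def detokenize(self, token: str) -> str:
        """Only the vault owner can map a token (or its MM-DD part) back."""
        return self._reverse[token]


def protect_record(tok: FieldTokenizer, record: Dict[str, str]) -> Dict[str, str]:
    """Per-field protection; non-identifying fields stay in the clear."""
    return {
        f: tok.tokenize(v) if f in IDENTIFYING
        else tok.tokenize_birth_date(v) if f in PARTIAL_DATE else v
        for f, v in record.items()
    }
```

Calling `protect_record` on a constructed record such as `{"name": "Jane Q Doe", "ssn": "123-45-6789", "birth_date": "1984-07-23", "gender": "F"}` yields same-shape tokens for the name and SSN, a date beginning with `1984-`, and the gender untouched.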
Read Ulf Mattsson’s recent Journal article:
“Leveraging Industry Standards to Address Industrial Cybersecurity Risk,” ISACA Journal, volume 6, 2014.
Ivan Alcoforado, CISSP, PMP
The cybersecurity landscape has changed and evolved to more sophisticated threats targeting the enterprise IT and industrial automation and control systems (IACS) supporting pipelines, refineries, manufacturing and power plants, mining, and railways. It is evident that critical infrastructure organizations must appropriately manage this new risk in their environments.
Very often, however, we find that organizations jump to the implementation stage without adequately establishing all of the processes needed to achieve their goals. From failing to establish cybersecurity risk management targets to having little oversight over metrics and controls, these companies do not have an IACS security program with proper governance.
IACS security and IT security are usually undertaken by separate teams with different drivers and requirements. The IACS devices (e.g., distributed control systems, programmable logic controllers, supervisory control and data acquisition) are managed by the engineering or automation department, whilst the IT components (e.g., IP network, infrastructure, servers, operating systems) are the responsibility of the IT department. Without proper coordination, there is often uncertainty about where the responsibility for IACS support and security lies, and gaps occur in the organization’s security capabilities.
I believe we need IACS and IT security strategies to be aligned to the business, ensuring that resources are allocated in an efficient and effective manner to bring consistent results. These results need to be measurable, comparable and in line with the company’s risk appetite.
Failure to establish proper IACS security governance can lead to poor management of risk with dire consequences to the organization’s operations. It may lead to individual security project flops, operational impacts to the very IACS we are trying to protect or to overestimating the organization’s own cybersecurity capabilities.
My recent ISACA Journal article talks about leveraging industry standards to build an IACS program with an adequate governance structure. This should give senior management a better view of the company’s IACS risk profile, enable clearer communications with all stakeholders, optimize the allocation of resources, and give clarity of roles to engineers, IT security professionals and IT auditors when it comes to IACS security.
Read Ivan Alcoforado’s recent ISACA Journal article:
“Leveraging Industry Standards to Deal with Industrial Cybersecurity Risk,” ISACA Journal, volume 6, 2014.
Kerry A. Anderson, CISA, CISM, CGEIT, CRISC, CCSK, CFE, CISSP, CSSLP, ISSAP, ISSMP
Information security programs need to evolve in order to survive and mature. This century will see almost a thousand times greater technological change. This means information security programs will need to evolve to maintain their current maturity stage. The key strategy for managing the maturity life cycle is adaption. Organizations unwilling or unable to adapt may find themselves regressing to an early maturity state, while enterprises willing to innovate and expand upon new paradigms will thrive. The following strategies can assist in the evolutionary change required for maturity to flourish:
- Develop change-adaption strategies—Each organization needs to develop a strategy for adapting to change. Whatever the change appetite, information security programs are more successful in managing change when those programs are in control of it rather than having it forced upon them.
- Identify focus areas—It is possible to have too many ideas. A mature information security program needs to select a few focus areas that have the highest potential to take it to the next maturity stage. This requires identifying any weaknesses that could thwart maturity progress, then methodically eliminating them.
- Build connectivity—Mature information security programs cannot exist within a silo. All stakeholders need to understand how their decisions can affect the organization’s security posture. This means communicating security messages across all levels of the organization.
- Be prepared for setbacks—Setbacks are inevitable in life. Successful information security programs regard the occasional bump in the road as the cost of innovation and a chance to try again, similar to Henry Ford’s saying, “Failure is simply the opportunity to begin again, this time more intelligently.”
- Seek continuous renewal at every maturity level—An information security program cannot tolerate stagnation. Maintaining an effective program requires vigilance in sustaining its people, processes and technologies, as well as continuing to seek solutions to emerging risk. The security threat environment is dynamic and the control portfolio needs to be tweaked to adjust to changes in the risk landscape and unique organizational environment.
In the dynamic business environment we are currently experiencing, continual change may remain the only constant. In order to maintain and advance maturity, information security programs need to respond and transform themselves to manage emerging risk.
Muhammad Mushfiqur Rahman, CISA, CCNA, CEH, ITIL V3, MCITP, MCP, MCSE, MCTS, OCP, SCSA
Database management systems (DBMS) are rapidly changing their technological capabilities. This advanced technology provides a wide range of flexibility when using a DBMS, but also increases the likelihood of attacks. These DBMS advances also drive massive and rapid increases in the number of people with access to them.
The speed of these changes has no precedent in human history, and the power of these technologies has transformed the work environment and our personal lives and brought with it many positive contributions.
It is very important for an auditor to keep up with the new changes in the DBMS; otherwise, a set of undetected vulnerabilities may damage the company’s image and reputation and cause business losses. We have by now learned that technology is never perfect; by design, hardware vulnerabilities and software errors can be impossible to avoid entirely.
In my recent Journal article, I discussed the Oracle database auditing steps, which use penetration of the Oracle database to ensure compliance with the organization’s security policy. The users or Oracle database administrators who use sophisticated DBMS technologies have limited knowledge or even awareness of security issues and what their roles are in managing them. In this article I have tried to identify those security issues to be aware of and to initiate a discussion with peers around the globe.
Read Muhammad Mushfiqur Rahman’s recent Journal article:
“Auditing Oracle Database,” ISACA Journal, volume 6, 2014.
Jeimy J. Cano M., Ph.D, CFE
The role of information security should not detract from the evolution of business models. Information security must read, understand and motivate a proactive move to protect the value of the company and anticipate emerging risk. In this context, information security teams should understand the digital mastery needed to consolidate the business and understand what the management expectations are regarding the transformation of the enterprise IT.
In the current ecosystem of content and possibilities, organizations demand a more flexible view of information security, practical rules to promote security and use agreements founded on the impacts of possible breaches of information security. This flexible view is preferable to having rigid IT security procedures and security and control guidelines. In this understanding, information security executives should orient based on business decisions, not security ones. That is, information security teams should have an understanding of how to leverage a more reliable operation and secure actions while keeping the enterprise goals in mind.
If the organization is challenged to conquer and expand into new territories to create new value and growth options, information and IT will be the basic elements to motivate this transformation. Consequently, there will be greater exposure and demand from the company management to develop proposals for changes, which can help enterprises capitalize by quickly taking calculated risk in a changing context.
In an ongoing review of the role of information security, it is necessary to create breaks—moments of truth to observe emergent situations. These can be an opportunity to develop distinctions, establish and indicate new patterns and emerging reflections about the environment. It is important to incorporate changes and make them part of the ongoing review exercise and to develop new strategic, tactical and operational practices that will enable that function. An ongoing information security review is about more than teaching others what they do not know; it is about helping them shape their actions to keep information security principles in mind.
Read Jeimy J. Cano’s recent Journal article:
“The Information Security Function: Current and Emerging Pressures From Information Insecurity,” ISACA Journal, volume 6, 2014.
Eduardo Gelbstein and Viktor Polic
For a long time, organizations and individuals have relied on third-party services relating to data, information systems, and infrastructure, and many lessons have been learned in the process.
Cloud computing has established itself as a potentially valuable addition to the portfolio of third-party services. But cloud computing can introduce several issues for data owners, particularly when the data is considered sensitive in terms of confidentiality, access rights and privileges.
While the benefits of cloud computing are easy to understand (e.g., lower cost, flexibility, transfer of accountabilities for operational activities), it is prudent to remember the old adage, “If it looks too good to be true, it probably is,” and devote time to a detailed assessment of the issues described in our recent Journal
Cloud-related issues raised in conference discussions and various publications focus on concerns such as:
- Data ownership and what the service provider is or is not allowed to do with this data
- The use of encryption and management of the encryption keys and digital certificates
- Identity and access management
- Compliance with data protection legislation, particularly about the location of the data
- Compliance with privacy protection legislation
- Terms of contract, including the right to audit the service provider
- Confidentiality and nondisclosures by the service provider
- Access rights to data by the personnel of the service providers and its suppliers or service providers
- Guarantees that in the case of termination of a contract there will be no copies of data left with the service provider
Other issues that could affect cloud computing are:
- The impact on the data owners if the service provider goes out of business or is the target for an acquisition by a third party
- The feasibility of terminating a contract and migrating the data (and related services) to another service provider
The real issue may be one of timing—the cloud is likely to be part of the service portfolio offered by third parties for many years to come. Optimists and risk takers will no doubt gain the benefits of cloud computing sooner and gain valuable experience in doing so. Those whose risk appetite is limited and deal with custom, critical applications may choose to wait until the issues discussed in our Journal article have been addressed and resolved appropriately.