
ISACA > Journal > Journal Author Blog
Security Flaws With the Windows Operating System
Muhammad Faisal Naqvi, CISA, AMBCI, CISSP, ISO 27000 A, ISO 27000 MI
My recent ISACA Journal article discusses some security flaws in Windows. The errors are related to fundamental components of security, such as password, account lockout and audit logs. These weaknesses have existed since 2003 and are present in all of the latest versions of Server and Client Windows. Windows is one of the leading operating systems for personal computers (PCs) and servers and is also used to implement security on PCs and servers within an enterprise. The professionals who are responsible for managing and auditing computer security rely on security measures that Windows has explained are sufficient, but which in reality have their weaknesses. These discrepancies may lead to a false sense of security.
One discrepancy is related to password policy. Windows explains that enabling password complexity, length and history ensures a strong password, but in some cases, a user can set a password meeting these criteria that can still easily be guessed by another person.

Account lockout policy is a countermeasure against password guessing. This policy will lock the account after a specified number of invalid or failed login attempts. But this policy can be easily bypassed by a technique with the following characteristics:

  • A password-guessing attack can be launched by one user against all other domain or local users.
  • A password-guessing attack can be continued even after the account lockout threshold.
  • A simple user can launch this attack without administrative privileges.
  • There is no delay between unsuccessful attempts, whereas in the graphical user interface (GUI), a delay of 30 seconds is expected twice after five unsuccessful attempts.
  • Once the password is guessed, it may be used after 30 minutes. Thirty minutes is the account lockout duration’s default value and is the recommended value by Microsoft.
  • The latest next-generation firewalls or intrusion prevention systems (IPS) do not have out-of-the-box rules to recognize this attack.
Another discrepancy is related to audit policy. Windows explains that enabling audit-account-logon-events logs events of credential validation, but credential validation through the previously mentioned technique will not be logged. Even if Microsoft’s recommended best practices related to audit policy are implemented, no failed attempts will be logged related to this attack.
The majority of the above-mentioned weaknesses can be prevented with the following compensating controls:
  1. Users should be made aware of the criteria of strong passwords.
  2. Multifactor authentication (e.g., one-time passwords, public key infrastructure, tokens, biometric) should be implemented.
  3. The intrusion prevention system should be configured to prevent this kind of attack by adding the rule that if there are multiple failed account management requests from one source within a few seconds, it should be treated as an attack.
  4. The account lockout duration should be set to infinite.
  5. In the audit policy, audit account management should be set to success and failure.
  6. Administrators should unlock accounts only after a proper investigation of logs.
  7. Once unlocked, a password reset should be required.
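The third compensating control above (treat several failed account management requests from one source within a few seconds as an attack) can be implemented as a sliding-window detector over account management audit records. The code below is an added example, not code from the article; the record format, the sample records and the thresholds (5 failures within 5 seconds) are constructed assumptions, and the records are assumed to arrive in time order.

```python
"""Sliding-window detector for bursts of failed account management requests.

Implements the compensating control from the blog post: if one source
produces multiple failed account management requests within a few seconds,
treat it as a password-guessing attack on the account lockout policy.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (NOT real Windows Security log output). Assumed
# format: "<ISO timestamp> <source> <request kind> <target account> <outcome>".
# Source 10.0.0.5 hits five different accounts in two seconds; 10.0.0.9 shows
# two unrelated failures four minutes apart, which should not alert.
SAMPLE_LOG = """\
2014-03-10T09:00:00 10.0.0.5 account-management alice failure
2014-03-10T09:00:01 10.0.0.5 account-management bob failure
2014-03-10T09:00:01 10.0.0.5 account-management carol failure
2014-03-10T09:00:02 10.0.0.5 account-management dave failure
2014-03-10T09:00:02 10.0.0.5 account-management erin failure
2014-03-10T09:00:30 10.0.0.9 account-management alice success
2014-03-10T09:05:00 10.0.0.9 account-management bob failure
2014-03-10T09:09:00 10.0.0.9 account-management bob failure
"""


def parse_record(line):
    """Split one constructed record into its typed fields."""
    ts, src, kind, target, outcome = line.split()
    return datetime.fromisoformat(ts), src, kind, target, outcome


def detect(log_text, threshold=5, window_seconds=5):
    """Return {source: alert} for every source that reaches `threshold`
    failed account-management requests inside a `window_seconds` window.

    Per source, a deque keeps only the failures still inside the window, so
    memory stays bounded by the burst size rather than the log size. The
    alert records the distinct target accounts, which shows whether one
    source is spraying guesses across many users (the pattern described
    in the post) rather than retrying a single account.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # source -> deque of (timestamp, target)
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, kind, target, outcome = parse_record(line)
        if kind != "account-management" or outcome != "failure":
            continue  # successes and other event kinds do not count
        q = recent[src]
        q.append((ts, target))
        while ts - q[0][0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and src not in alerts:
            alerts[src] = {
                "time": ts,
                "failures": len(q),
                "targets": sorted({t for _, t in q}),
            }
    return alerts


if __name__ == "__main__":
    for src, alert in detect(SAMPLE_LOG).items():
        print(f"{alert['time'].isoformat()} {src}: {alert['failures']} failed "
              f"account management requests against {alert['targets']}")
```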
Read Muhammad Faisal Naqvi’s recent JournalOnline article:
“Reinspecting Password, Account Lockout and Audit Policies,” ISACA Journal, volume 2, 2014.
Expanding the Boundaries of IT

Giuliano Pozza

Exactly one year ago, I read The Adventures of an IT Leader, a fascinating book addressing IT governance from an unconventional perspective. The book is basically a well-written novel with many IT governance themes developed in an engaging style. I did not know at the time that the main character was inspired by a well-known health care CIO (chief information officer), John D. Halamka.

I work in an environment where executives generally have very little training and awareness about IT governance. The idea of using nonconventional media, such as a novel, a theatrical performance or a short video clip to build a minimum level of awareness and cultural readiness in executives, before engaging them in complex IT governance decisions, was particularly appealing to me.

The idea was intriguing, but at the beginning, few people were willing to invest time in developing or even discussing it. Finally, I was put in touch with ISACA and invited to explain my idea in an article for the ISACA Journal.

But my journey into the fascinating world of what social science calls boundary objects had just begun. Boundary objects examine how different communities use information in different ways. I started looking for someone willing to develop with me a kind of “proof of concept” of what I think could be an interesting cross-cultural communication medium: a thriller novel about IT governance, risk and security.

I knocked on many doors (or email addresses), most of the time without success. I was almost ready to quit, when John Halamka replied to my uncommon email and we started working together. The CIO who inspired The Adventures of an IT Leader found the idea interesting, encouraged me and together we authored The Fifth Domain, which is quite a peculiar kind of experiment.

As I write this blog post, some IT players are starting to use fiction to communicate about security. A good example is 2020 by Trend Micro, Europol and the International Cybersecurity Protection Alliance (ICSPA). 2020 is a video web series about mobile and cloud technology.

I do believe the idea of boundary work and boundary objects should be developed more and more in the IT field. Times and technologies are changing fast; humans change slowly. Besides developing IT governance models and best practices, we must invest time and mental energy in developing boundary objects, enabling IT and business to cooperate effectively.

Read Giuliano Pozza’s recent JournalOnline article:
“Communicating IT Governance—Does It Matter?,” ISACA Journal, volume 2, 2014.

Universal Steps in Project Planning
Key Mak, CISM, CAP, CISSP, ITIL, PMP, Security Plus, ECMp
Projects are like snowflakes. None of them are alike, but they all show similar characteristics throughout the project life cycle. I would like to share my experience in launching different IT and security projects.
While I applied the body of knowledge (BOK), I also created a table summarizing all of the project planning phases, processes and activities. I examined and analyzed what I learned on the job when managing projects of various sizes and found that there are some common activities, regardless of the organization type. I organized the common processes and chained them together using alphabetical order so that I can follow the processes easily:

A. Assess—Project initiation can start with an assessment that defines the project objectives, scope, constraints, approaches and review (OSCAR).
B. Build, baseline, benchmark, best practices and big picture—This is the planning phase where you build your case, baseline your system, create the work breakdown structures, look at the big picture and apply the best practices when you put together a cost and time schedule for the different project tasks.
C. Communicate, collaborate, categorize and customize—This is part of the executing and controlling phase in which you need to show your confidence and commitment to tackle the challenge.
D. Document, design, develop and deliver—Continue the executing and controlling phase to document, design and develop a solution. The ultimate goal is to deliver.
E. Educate—Education awareness is important for any project, as you need to sell your idea to all the stakeholders so that they adopt and accept your solution.
F. Focus—Do not just fulfill, but focus on your future goals.
G. Goals—Establish your goals and communicate them to your stakeholders.
H. Holistic strategy—Walk through the solution you developed to make sure you did not miss something critical.
I. This is you—the reader. Let us admit it, sometimes we are discouraged, but we need to push ourselves to overcome any obstacle.
Read Key Mak’s JournalOnline article:
“The A to I Ways to Launch an IT Program or Information Security Project,” ISACA Journal, volume 2, 2014.
The Growing Awareness of Computer Ethics
Wanbil W. Lee, DBA
Computer ethics are gradually becoming a more commonly discussed subject. The international think tank e-Center, which specializes in e-commerce and Internet law, has expressed interest in computer ethics. This interest is rather amazing (to me), and more amazing is a seminar jointly organized by the e-Center and the law faculty of the University of Vienna to take place in June in Vienna, Austria. The Hong Kong Law Society has also expressed interest in computer ethics and has an ethics-related continuing professional development course for practicing lawyers. There is still another ethics-related seminar organized by electronic engineers and control, automation, and instrumentation engineers of the Hong Kong Institution of Engineers. These kinds of events are an encouraging sign that computer ethics has gone out of the box and is beginning to attract the attention of professionals from various disciplines.

I view computer ethics as having a dual mission; it is both an area of research and a field of practice. Computer ethics also has a dual function; it is an additional type of risk and a risk countermeasure. The field of practice portion of computer ethics ought to be considered an additional branch of applied computing, akin to green computing, cloud computing or mobile computing. The duality of computer ethics, along with flawed training and education in this area, led me to advocate for a new view of computer ethics.

Read Wanbil Lee’s recent Journal article:
“Why Computer Ethics Matters to Computer Auditing,” ISACA Journal, volume 2, 2014.

High-level Model of an Internal Control System Using UML
John H. White, Ph.D., CISA, CPA
Structured class diagrams are one of the least used of the 13 diagrams available in Unified Modeling Language (UML) 2.4, yet they are very powerful for presenting a high-level view of the structure of a system. Such a view can be used in the early analysis of a system to get an overall understanding of it.

A UML-structured class diagram (also known as a UML composite structure diagram) depicts the structure of an object in a system as consisting of (i.e., encapsulating) internal parts that may be linked to each other via connector relationships (the lines in the figure). The rectangular parts internal to the main class rectangle may also be modeled as a subordinate structured class rectangle with their own internal part structure, so the diagram can show the structure of the whole system as multiple levels of internal parts for a view of increasing amounts of structural detail. The number of levels of detailed parts to show in a structured class diagram is chosen by the presenter as a trade-off between detail and simplicity.

[Figure: John White Graphic, UML structured class diagram of the organization and its internal control system]

In the figure, the organization (a class depicted by the large outside rectangle) is shown as composed of 3 second-level internal parts: organization objectives, risk to achieving those objectives and an internal control system connected to the risk through some type of interface (represented by the lollipop and socket). The 3 second-level parts have different sized rectangles, but this is of no consequence.

The second-level objectives part has its own third-level internal parts consisting of 3 COSO 2013 defined enterprise objective types involving operations, reporting and compliance. The internal control system second-level part also has its own third-level internal parts consisting of five COSO 2013 defined components. The third-level control activities part has 3 fourth-level parts of its own, which are principles 10, 11 and 12 from the 17 principles listed in COSO 2013.

The second-level risk part does not show any lower-level internal parts in this figure, even though they exist, because additional detail about risk is not the primary topic here. The same is true of the fourth-level principle parts; they also have internal parts presented in COSO but these fifth-level parts are not modeled in this figure. The power to show a lot of detail (many levels) in some areas while eliding detail in other areas is an important attribute in any modeling scheme.

Read John White’s recent Journal article:
“The Effect of the COSO 2013 Update on IS Professionals,” ISACA Journal, volume 2, 2014.

The Costs and Benefits of Cyberinsurance
Jide Olakunle
A few major US retailers recently experienced credit card security breaches; Target, Michaels and Neiman Marcus are a reminder to us that a security breach is no longer an issue of if, but when. The financial cost of successful cyberattacks for organizational IT infrastructure is high, and the reputational impact of a tarnished brand coupled with customer attrition may sink an organization. An organization needs risk management strategies to delay, destroy and document cyberattacks.
Risk management objectives include protecting assets, conserving resources and improving the quality of decision making. One of the mechanisms most organizations adopt to combat the risk inherent in the cyberlandscape is purchasing cyberinsurance.
Cyberinsurance is an insurance policy developed to protect organizations from Internet-based risk and other related IT activities, tools and processes. Cyberinsurance premium costs are growing quickly. In 2012, cyberinsurance gross written premiums in the US increased from US $800 million to more than US $1 billion. This trend will continue as cybersecurity risk expands.
To enable organizational benefit from the cyberinsurance premium expense, IT auditors must expand their audit overview of cyberinsurance policies. This evaluation of cyberinsurance policy requires 2 steps:
  1. Evaluating conditions precedent to the cyberinsurance policy. IS auditors should evaluate the risk management framework, identify and document the critical assets, evaluate the IT security strategies, and review the incident report within a specific time period.
  2. Evaluating conditions concurrent with cyberinsurance policy. The auditor should use the information derived in the previous step to evaluate the completeness and truthfulness of the data in the insurance proposal form, review the insurance policies, and determine the adequacy of coverage and security policies in place.
Cybersecurity premiums have started to take a significant portion of the IT department’s budget. A timely and detailed review of the organization’s risk transfer strategy is necessary to ensure it adequately protects itself, safeguards critical data and ensures value for its expenses.
Read Jide Olakunle’s recent Journal article:
“Auditing Cyberinsurance Policy,” ISACA Journal, volume 2, 2014.
Understanding the Impact of Human Behavior on Privacy
Vasant Raval, DBA, CISA, ACMA
The issues of privacy will linger on. We as a profession—the regulators, the IT innovators and the developers—will continue to muddle through challenges of both implicit and explicit privacy goals. In turn, these challenges will continue to take different shapes. The technology infusion that cuts across cultures and navigates through national boundaries with great ease will exacerbate the difficulties of capping the privacy issue. To all these challenges, add one more: Everyone wants to make more money in the near term with great breakthroughs, and risk that you can afford to ignore, i.e., risk that may not offer enough motivational force to take the time or money to examine it proactively, goes unexamined during product and service development.
Also, consider this: Privacy is not just an IT problem, although it could be IT-sourced in many cases. Many sociopolitical and psychological factors play a role in the privacy domain. Human behavior is an intriguing variable; any time you consider it—and there are very few circumstances where it is not warranted to be considered—you come up with an open system subject to many contingent or moderating variables.
For example, a community member whom I know well came to me for tax advice. The situation was complex, involving tax treatment of investment losses suffered from a Ponzi scheme. Of course, this is confidential and we briefly touched on that during our conversation, but several weeks later, when he was talking to my wife, he expressed surprise that she did not know about his problem. The misplaced expectation was that there is no privacy between husband and wife. People say they want privacy, but they really do not think it happens.
I am often a victim of what I call “reverse privacy”; students tell me what I should not know, which compromises my professional integrity and independence. And they know they should not disclose such realities to me, their teacher. Students may, for example, declare to their teacher that in order to receive tuition reimbursement, they need a minimum of a B grade in the course. Telling people what they should not know about your situation is as much a problem of privacy—or reverse discrimination through privacy abuse—as the privacy itself. It is quite likely that such a disclosure may not affect the judge’s opinion; however, you do not want to create a situation of conflict in their minds. As an educator, it is my duty to cultivate sensitivity around disclosures of this type and help prevent potential ethical dilemmas that should not even exist.
What all this tells us is that we really need to invest more thinking on privacy. Ideally, such an effort, or a series of efforts, should provide us with rules that we as individuals, as professionals, as community members, etc., should follow. Without clear and brief privacy guidelines, not much can be accomplished; the talk of privacy remains just talk. Can you verbalize your rules of privacy?
Note:  Opinions expressed here are those of the author and not of Creighton University.
Read Vasant Raval’s recent Journal article:
“Information Ethics: The Piracy of Privacy,” ISACA Journal, volume 2, 2014.
COBIT Requirements on Critical Processes
Tugba Yildirim, CISA, CGEIT, CRISC
Organizations maintain their operations with the help of processes that are tailored to their working styles. Processes may differ from organization to organization according to their organizational structure, business objectives and working styles. An information system’s internal control system is a very important enabler of an organization because most business operations are strictly related to information technology. Making a risk assessment that provides a prioritization in designing and evaluating an internal control system for these processes is recommended.
These critical processes have been defined by taking into account the requirements that are acknowledged by the most well-known IT frameworks and standards.
By highlighting the most critical IS processes via the most well-known frameworks and standards, business objectives can be achieved, and the effort spent designing and evaluating the internal control system can be prioritized.
Read Tugba Yildirim’s recent Journal article:
“Critical Information Systems Processes,” ISACA Journal, volume 2, 2014.
There Is More Than One Way to Skin a CAAT
Ian Cooke, CISA, CGEIT, COBIT-F, CFE, CPTS, DipFM, Six Sigma Green Belt, ITIL-F
One of my grandmother’s favorite sayings was, “There is more than one way to skin a cat.” This means that there is more than one way of achieving an aim. In IT auditing, this is most certainly the case. Indeed, not only is there more than one way of achieving your aim, there are often instances when the perceived or accepted best practice is not practical.
This, I believe, is true when auditing Oracle databases, where the accepted best practice is to validate the database with a security scanner. But this may not always be possible. For example, the costs may be prohibitive for smaller companies, or as a consultancy, you may not be given permission to scan a mission-critical database.
In these instances, computer-assisted audit techniques (CAATs) come into their own. CAATs can be tailored for multiple tasks, and when combined with information taken directly from the Oracle database, they can be used to provide assurance for a number of risk concerns, including many of those defined in the main Oracle Security Standards. Furthermore, your company can define its own standard within the CAAT software and use this as a basis to compare against all of its Oracle databases, thus increasing compliance and speeding up the audit process.
So there are indeed many ways to skin a CAAT.
Read Ian Cooke’s recent Journal article:
“Auditing Oracle Databases Using CAATs,” ISACA Journal, volume 2, 2014.
Cyberattack Defense Strategy: Integrate Security Analytics With GRC
Yo Delmar, CISM, CGEIT
The 2013 Data Breach Investigation Report reveals some alarming statistics about the rising incidence of cyberattacks and overall enterprise awareness and response strategies to cyberattacks. In 2012, there were several cases of intrusions that were successfully carried out within a matter of minutes. Yet nearly 66 percent of breaches remained undetected for several months, and 69 percent were first detected by an external party. These numbers reveal just how defenseless organizations can be against cyberattacks, irrespective of their organization’s size, location or industry.

The heightened likelihood and effects of threats, alongside mounting regulatory complexity, has put IT and risk professionals under unprecedented pressure from across all levels of the organization. Fortunately, there are tools and technology that can support a more collaborative, proactive and analytics-driven security program that aligns internal stakeholders, prioritizes resources, and protects business-critical processes and sensitive assets. However, many organizations still lack the necessary 360-degree near real-time view of their emerging potential threats and the associated defense strategies needed to counter those threats.

CyberAttack Defense Strategy

Organizations increasingly require security analytics that deliver insights into the size, scale and scope of the risk, in addition to providing the basis for root-cause analysis and remediation strategies across policies, processes and technologies. Strong metrics and security analytics frameworks can act as catalysts, transforming risk identification to more sophisticated risk intelligence. Leveraging technology can provide automation and can support ongoing threat monitoring, identification and analysis processes.

By integrating security analytics with GRC programs, organizations can establish a mature security program. By taking it one step further and aligning the program with broader business objectives and business performance metrics, organizations can achieve greater stakeholder engagement and support for additional security-related resources and investments.

A long-term and tightly integrated security and GRC program requires a clear road map that outlines the firm’s objectives, stakeholder roles and responsibilities, and key milestones. Executive involvement, ownership and accountability, especially amongst the security, risk and business teams, can lower overall enterprise risk exposure and ensure a more sustainable enterprisewide approach.

Tomorrow’s most trusted, reputable and financially sound organizations are the ones that are working today to integrate security analytics with their enterprise GRC program and technology ecosystem. Gaining the risk intelligence needed to protect the business, sustain operations and support performance is no easy feat. But establishing the vision and embarking on the journey promises a payoff that will prove to be well worth it in the end.

Read Yo Delmar’s recent Journal Online article:
“Integrating Security Analytics into Governance, Risk and Compliance Programs,” ISACA Journal, volume 1, 2014.
