What makes advanced malware so scary?

Rob Clyde

Malware is code written to accomplish a malicious purpose. In most cases the malware also has the ability to spread to, or infiltrate, other systems or programs. Sometimes the malware’s purpose is just to show off the author’s hacking prowess, but more recently the purpose has typically been to make money, steal information or cause damage. In some cases, the scope of the malicious intent and damage has been so great that we call it cyberterrorism or cyberwarfare. Think of the recent attack on Sony, which appears to have been prompted by the film The Interview.

Over the years, types of malware have often been given colorful and even scary names. Viruses, worms and Trojan horses were terms coined in the 1980s for various types of malicious code. More recently, we have described certain attacks as advanced persistent threats (APTs) and advanced malware. Advanced malware tends to be targeted, stealthy, evasive and adaptive. This contrasts with previous types of malware, which generally tried to spread to as many programs or systems as possible, often in an indiscriminate and “noisy” fashion.

APTs are advanced malware, which the US National Institute of Standards and Technology (NIST) defines as follows:

Category: Security     Published: 1/29/2015 3:22:00 PM

Data Privacy Day: How ISACA will advance privacy best practices in 2015

Yves LeRoux

Today marks Data Privacy Day, and ISACA is proud to be a champion of this initiative. The purpose of Data Privacy Day is to raise awareness and promote privacy and data protection best practices. The debate over privacy seems to have shifted to a larger discussion about new types of personal information, such as location information, browsing history and Internet of Things data, as well as individual rights and enterprise use of personal data. This expanding debate results from the proliferation of technologies, opportunities for enterprises to gain value by leveraging new data items, and governments’ interest in e-government initiatives. This includes taking action to protect citizens and promoting the economic opportunities that personal data use brings. The volume of personal, and often sensitive, data being collected and shared by organizations today is growing exponentially, largely because of technology advances, lower data storage costs, the rise of the Internet of Things and the emergence of major data brokerage companies.

Currently, there is a global set of privacy principles in the OECD Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data (2013). In the last couple of years, the principle of accountability has received renewed attention as a means to promote and define organisational responsibility for privacy protection.

Category: Privacy     Published: 1/28/2015 10:02:00 AM

Football, risk management style

Brian Barnier

1 February is a big day for American football. When the football takes flight in the big game on Sunday, where will you be? Will any of your office teammates or ISACA friends be with you?

To liven up a post-game office or chapter meeting, you can play a football game ISACA-style.

The game is simple; you earn points two ways:

    ●  First, by describing memorable football plays with the five steps of the 5+2 Step Cycle used in managing IT risk. This is like the radio play-by-play the commentator does when the video can’t tell the story.
    ●  Second, by describing memorable plays with all the 5+2 steps. This is like a color commentator providing more backstory for a play. This requires a panel of judges:
        • Each person in the role of color commentator tells a story to the judges.
        • Judges could be a panel of three (to break ties) or all the other attendees, a bit like talent audition competitions.
        • Judges confer. If all seven steps are covered, the judges award points, depending on how robust and colorful the story is.

A review of the 5+2 Step Cycle:

    ●  Evaluating risk
        • Understand the environment and enterprise capabilities
        • Seek scenarios, asking “What if?”
        • Watch for warning signs
    ●  Responding: quick response
        • React, taking the right action at the right time
        • Recover, repositioning back into the “ready” condition of evaluation
    ●  Responding to risk: continual improvement
        • Prioritize, based on evaluation, selecting actions to improve readiness to take advantage of opportunity and respond to threats
        • Improve position in the environment and strengthen enterprise capabilities, implementing the prioritization decisions

This is a constant cycle. In quick response, only existing capabilities are available. In continual improvement, time is available to add resources.

Category: Risk Management     Published: 1/27/2015 3:01:00 PM

Degrading security diminishes privacy

Rebecca Herold

Privacy has been getting a lot of attention lately, and with good reason, given the increasing occurrences of privacy breaches and personal information records breaches, the many new types of smart devices being used by more and more people, and the collection of more personal and associated data than ever before. It would appear that the 2014 Sony hack was the tipping point that motivated US President Barack Obama to propose the Personal Data Notification & Protection Act and the Student Digital Privacy Act on 12 January this year. It was encouraging to see this new interest in taking steps to better protect personal information. It not only improves the personal privacy of US residents, but also helps show the rest of the world that the US is moving beyond a patchwork set of privacy laws, and beyond being regarded abroad as a country with “inadequate” privacy protections, toward actions that better protect personal information throughout all industries, not just the chosen few covered in the US today.

Category: Privacy     Published: 1/22/2015 3:04:00 PM

World leaders focus on cybersecurity, but survey shows 86% see a global skills shortage

Matt Loeb

In Washington tonight, US President Barack Obama will propose legislative action focused on cybersecurity during his State of the Union address. In Davos, 2,500 world leaders from government, industry and civic society are gathering today for the World Economic Forum (WEF) to discuss what WEF Chairman Klaus Schwab describes as “The New Context.” Front and center on the agenda are cybersecurity, risk and the Internet of Things.

Large-scale data breaches have brought this issue to the forefront and show that even well-protected, mature organizations face difficulties keeping data secure. With cyberattacks rising exponentially, it is no surprise that organizations are aggressively trying to hire those with the skills to prevent them.

There is one problem, however: the severe shortage of skilled cybersecurity professionals. According to the ISACA 2015 Global Cybersecurity Status Report, 86% of respondents believe there is a shortage of skilled cybersecurity professionals, and 92% of those whose organizations plan to hire cybersecurity professionals in 2015 say it will be difficult to find skilled candidates. The ISACA 2015 Global Cybersecurity Status Report, conducted 13-15 January 2015, polled more than 3,400 ISACA members in 129 countries. It found that close to half (46%) expect their organization to face a cyberattack in 2015, and 83% believe cyberattacks are one of the top three threats facing organizations today.

ISACA, which assisted the National Institute of Standards and Technology (NIST) in the development of the US Cybersecurity Framework, has launched its Cybersecurity Nexus (CSX) program. CSX is a global resource for enterprises and professionals that helps identify, develop and train the cybersecurity workforce, while also raising the awareness of cybersecurity throughout the organization. CSX has extensive resources to address the cybersecurity skills gap through training, mentoring, performance-based credentials and applied research. CSX also now offers a Cybersecurity Legislation Watch center, which features the new CSX Special Report.

Category: Security     Published: 1/20/2015 12:37:00 PM