Seven ways to tighten the security of passwords

Elie Mabo

Passwords can actually represent one of the greatest security risks to an organization due to the combination of constant attacks and human weaknesses. In addition, as IT has become universally accessible, more users are adept at circumventing this basic security tool. Here are 7 tips to help organizations manage their password policy and reduce security risk.


1. Know the attacks

Methods of attack on passwords can be categorized into 5 types:

  • A dictionary attack uses a dictionary file, trying every word in that file as a candidate password.
  • A brute force attack tests every combination of characters until the password is broken.
  • A hybrid attack works like a dictionary attack but appends or inserts numbers and special characters.
  • A syllable attack combines brute force and dictionary techniques.
  • A social engineering attack uses ruses to convince people to reveal their password.

2. Define the purpose

Before developing a password security policy, its life cycle should be defined and used as a baseline to identify needs. The password’s life cycle should comprise all phases from creation until the end of life and take into account the critical level of the resource it is assigned to protect. Phases of management may include, but are not limited to, create, send, store, utilize, recover (locked account), renew and dispose.

Category: Security     Published: 11/25/2014 3:40:00 PM

A Look at the Fourth Annual IT Audit Benchmarking Study

Robert E Stroud

This week, Protiviti and ISACA issued results of the fourth annual IT Audit Benchmarking Study. The organizations surveyed 1,330 IT audit leaders across the globe, including chief audit executives, IT audit vice presidents and directors, who answered questions in five categories:

  • Today’s Top Technology Challenges
  • IT Audit in Relation to the Internal Audit Department
  • Assessing IT Risks
  • Audit Plan
  • Skills and Capabilities

The survey found that, although organizations have made strides in establishing best practices for the IT audit function, many are struggling to keep pace with global IT risks amid rapidly changing technology environments.

“Concerns over cybersecurity, industry disruptors and regulatory compliance have moved many organizations, and audit committees in particular, to become more engaged in the IT audit function,” said David Brand, a Protiviti managing director and the firm’s global IT audit leader. “We see some positive trends in our results, notably in the number of designated IT audit directors and their regular attendance at audit committee meetings. However, we also see significant gaps to be addressed, including the frequency with which IT audit risk assessments are conducted.”

Category: Audit-Assurance     Published: 11/20/2014 12:01:00 PM

Risk management that embraces privacy can strengthen security

David Melnick

It is hard to imagine a world in which we didn’t use the Internet at work. 15 years ago, it was a luxury. Today, Internet use at work is mission-critical. We’ve evolved from casually getting online to search for basic information about a company to doing such critical things as accessing webmail, posting to and monitoring social media and transferring and storing files in the cloud.

Unfettered Internet access at work has empowered us to defy geographical and time constraints to communicate with colleagues, vendors and customers located around the globe, develop content and code, and share in real time, 24x7. It also allows us to shop, gamble, chat with friends, check bank balances and pay bills at work and generally “cyber loaf” on the company network, to the tune of US $178 billion in lost productivity annually, according to U.S. security company Websense. According to IDC, 30 to 40% of Internet access is now spent on non-work-related browsing, and 60% of all online purchases are made during working hours.

Category: Privacy     Published: 11/18/2014 3:08:00 PM

ISACA’s 2014 IT Risk/Reward Barometer survey results reveal Internet of Things trends

2014 IT Risk/Reward Barometer

Robert E Stroud

Like many people, my office tends to be airports and wherever in the world I have traveled. The advent of connected devices, wearable tech and the Internet of Things enables me to be more productive and have more contact with colleagues and friends. This is a good thing.

But at the same time, these amazing advancements are also causing disruption in our lives and workplaces. We don’t always know who has use of or control over our sensitive personal and corporate information. And since new developments are always making their way into the workplace, it is critical that we understand attitudes and actions of consumers as well as the professionals and executives on the front lines of enterprise technology.

ISACA helps build this understanding with its annual IT Risk/Reward Barometer, and the 2014 survey results show some interesting trends with significant implications. For example, 68 percent of US consumers plan to use wearable tech or connected devices at work. But despite the surge in wearable tech at work, only 11 percent of enterprises have a policy that addresses it.

Category: ISACA     Published: 11/12/2014 7:01:00 AM

“Know your enemy”—is it enough?

Richard Norman

Usually attributed to the ancient treatise The Art of War by Sun Tzu, the phrase “Know your enemy” is often repeated in military and security environments and is given as guidance to junior-level staff in these environments. While it is good guidance, this article will explore why it is incomplete and why this is important.

One reference gives the full quotation, rendered in modern Chinese script as "故曰:知彼知己,百戰不殆;不知彼而知己,一勝一負;不知彼,不知己,每戰必殆" complete with the English translation:

"So it is said that if you know your enemies and know yourself,
you can win a hundred battles without a single loss.
If you only know yourself, but not your opponent, you may win or may lose.
If you know neither yourself nor your enemy, you will always endanger yourself."

The full quotation provides much fuller and richer guidance, and it is important to consider the meaning and impact of the full text. Below I examine each sentence from the English translation.

"If you know neither yourself nor your enemy, you will always endanger yourself."
The third sentence reminds us that lack of knowledge is dangerous. If you do not know your own capabilities, structures, processes, strengths and weaknesses it is unlikely that you will be able to use your resources effectively, or be able to resist your own weaknesses being exploited. A lack of knowledge about your enemy could lead you into a false sense of security—or to overestimate the abilities of your enemy—perhaps leading you to direct defences where the attacker is weakest and the attack least likely to succeed even without your efforts. For example, you would not want to concentrate all your defences on a Windows exploit being run against a Linux server. In short, you are totally unprepared for the battle and you may well contribute to your own defeat by making incorrect decisions!

Category: Security     Published: 11/11/2014 3:27:00 PM
 About This Blog


This blog is intended to offer a way for ISACA leaders, constituents and staff to exchange information of interest pertinent to the association, the business environment and/or the profession.

The comments on this site are the author’s own and do not necessarily represent ISACA’s opinions or plans. ISACA does not endorse, monitor or control any links to external sites offered in this blog, and makes no warranty or statement regarding the content on those external sites.

Anyone posting comments on this site should ensure that the content remains on-topic and steers well clear of any statements that could be considered insensitive, offensive or threatening. Given ISACA’s global nature, the need to communicate in a way that is accessible and acceptable to many cultures should be taken into account. ISACA retains the right, at its sole discretion, to refuse content that is considered inappropriate.