An Overlooked Upside to Cybersecurity Roles – They’re Fun!

Frank Downs

Recent surveys and studies have emerged that show interest in cybersecurity as a potential career field at uncomfortable lows. In fact, a recent ProtectWise report showed that only 9 percent of millennials indicate cybersecurity is a career they are interested in pursuing at some point in their lives. This disturbing finding has far-reaching potential consequences in a field that desperately needs a stronger workforce.

To understand these findings, the study posits several factors that could be to blame for the low level of interest, from lack of exposure to cybersecurity in school curricula, to lack of personal connections, such as relatives, in the relatively new field of cybersecurity. However, another element, often hushed, and rarely acknowledged, lurks throughout the field’s perception – lack of fun. Sadly, many people don’t consider cybersecurity a “fun” field – and that’s a false assumption, as there are multiple elements that make cybersecurity an enjoyable career path. Considering the level of engagement cybersecurity professionals enjoy, the evolving nature of the profession, its constant relevance, growth rate, and pay, cybersecurity can be a fun field, as long as individuals give it a chance.

One of the most enjoyable aspects of cybersecurity is the level of engagement it requires of an individual. Many jobs consist of the day-to-day grind of waking up, performing the same task several times, eating lunch, performing the same task, and going home. Little-to-no engagement occurs in these job roles, resulting in a bored and ineffective workforce. However, cybersecurity is quite the opposite. As seen in several reports, including ISACA’s 2018 State of Cybersecurity research, cyber-attacks are constant and growing in frequency. As a result, many incident responders and cyber teams find themselves immersed in their job, engaged in the dissection, analysis, and evaluation of attacks to better protect their organization. Oftentimes, this takes the full attention of these individuals, who lose track of time and realize they’ve been actively engaged in their work all day, resulting in very little boredom.

These growing attacks also are constantly evolving. Many of the day-to-day attacks against an organization vary in shape, size, and composition, and require an engaged workforce to actively combat them. These individuals act as live guardians in a digital world, identifying each potential attacker and assailant by cross-referencing them against previous attacks and exploitation. Oftentimes, this can be the hardest part of the job, as attack mechanisms such as worms and viruses are like hydras, with two different variants appearing once one variant is killed. In fact, one such type of attack, a polymorphic virus, makes slightly different copies of itself each time it infects a system in an effort to throw scanners off of its trail. Hunting these changing malicious codes and actors often brings a smile to the face of cyber professionals, as each time an attack changes and the responder stops it, the responder becomes that much stronger and more experienced.

These constant attacks also contribute to another element that makes cybersecurity fun: its relevance. Since new attacks and attack vectors are always emerging, cybersecurity professionals must stay up to date on all the potential exploitations that are discovered to meet their responsibilities of protecting the business operations of an organization. This, in turn, makes cybersecurity professionals incredibly relevant to the business and the field overall. Relevance in an organization oftentimes translates to respect and recognition. This is reinforced by the rise of the CISO and CIO roles in Fortune 500 companies. No longer are these individuals relegated to the back row by other executives; instead, they are more commonly brought to board of directors meetings to discuss the organization’s security stance.

While the relevance of the cybersecurity field is important, it does not amount to much if there is nobody to staff the workforce. As seen in the 2018 State of Cybersecurity research, there are not nearly enough cybersecurity professionals in the field to keep up with the explosive growth and need. As a result, cybersecurity professionals are valuable diamonds to be cherished and cultivated within the organization. Thanks to this growth, cybersecurity professionals enjoy the fruits of a seller’s market – and that can be pretty fun.

Finally, something that all millennials should consider as they chart their future careers: pay. Everybody wants a career that will pay well, and cybersecurity offers that opportunity. The Robert Walters Salary Survey of 2018 indicated that cybersecurity pay will rise by an additional 7 percent around the world in 2018, outpacing all information technology roles, which on average will see about a 2 percent increase. Although having an engaging, evolving, relevant job in a growing field is fun, knowing that it pays well is another cause to smile.

Everyone is different and defines job fulfillment through their own personal lens. However, if finding a job enjoyable, engaging, and fun is a top priority, it’s worth considering cybersecurity as a potential career. On the outside, it may seem bland, but taking a closer look reveals that working in cybersecurity can be much more fun than most people think.

Editor’s note: For more of Frank Downs’ thoughts on the fun side of cybersecurity and relevant industry trends, listen to the recent ISACA Podcast, The State of Cybersecurity.

Lessons from the Reddit Breach

Rob Clyde

An attacker gained access in June to Reddit users’ data, including usernames, passwords, email addresses and private messages from 2005-2007. The attacker also gained access to more recent data, including current usernames and emails.

This data allows hackers to try to break into sites where users might still be using the same passwords. Although the compromised passwords were encrypted, they are likely crackable using today’s tools.

Because the email digests also include current usernames and emails, this linkage could allow attackers to determine the actual identity of users. If those users have been receiving content or engaged in posts that could be embarrassing, this may lead to blackmail; hackers might threaten to make private messages public or share them with family or friends.

Reddit users should ensure that, across platforms, they are not still using any passwords from the breached timeframe. Users should also consider passwords that are in line with NIST’s recent guidance.
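The password advice above can be turned into a concrete check. The following is an added example, not code from the post or from Reddit, that applies the main points of NIST SP 800-63B for user-chosen passwords (a minimum of 8 and a maximum of at least 64 characters, screening against a list of known-breached passwords, rejecting repetitive or sequential runs and context-specific words, and no composition rules). The breached list here is a small constructed sample kept as SHA-1 digests; a real deployment would load a full corpus.

```python
import hashlib
import unicodedata

# Constructed stand-in for a breached-password corpus, kept as SHA-1 digests of the
# plaintext so the list can be distributed without the cleartext. A real deployment
# would load a far larger list from a breach-data source.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest()
    for p in ("password", "123456", "letmein", "qwerty123", "reddit2007")
}

MIN_LEN = 8    # smallest user-chosen secret the guidance allows
MAX_LEN = 64   # verifiers must accept at least this many characters
RUN = 4        # length of a repeated or sequential run that gets rejected


def normalize(password: str) -> str:
    # NFKC so a visually identical string hashes the same regardless of input method
    return unicodedata.normalize("NFKC", password)


def has_repetition_or_sequence(pw: str, run: int = RUN) -> bool:
    """True for runs such as 'aaaa', '1234' or 'dcba' of at least `run` characters."""
    for i in range(len(pw) - run + 1):
        codes = [ord(c) for c in pw[i:i + run]]
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs in ({0}, {1}, {-1}):
            return True
    return False


def evaluate_password(password: str, context_words=()) -> list:
    """Return the reasons a candidate is rejected; an empty list means it is acceptable.
    Deliberately no composition rules (forced symbols or mixed case): length plus a
    blocklist is what the guidance asks for."""
    pw = normalize(password)
    problems = []
    if len(pw) < MIN_LEN:
        problems.append("shorter than %d characters" % MIN_LEN)
    if len(pw) > MAX_LEN:
        problems.append("longer than %d characters" % MAX_LEN)
    if hashlib.sha1(pw.encode("utf-8")).hexdigest() in BREACHED_SHA1:
        problems.append("appears in a known-breached password list")
    if has_repetition_or_sequence(pw):
        problems.append("contains repeated or sequential characters")
    lowered = pw.lower()
    for word in context_words:
        # e.g. the username or the service name should not appear in the password
        if word and word.lower() in lowered:
            problems.append("contains context-specific word %r" % word)
    return problems


if __name__ == "__main__":
    for candidate in ("reddit2007", "correct horse battery staple", "abcd-9xyz"):
        print(candidate, "->", evaluate_password(candidate, context_words=("reddit",)))
```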

What your organization can do to prevent a similar breach
Periodic password changes and secure password choices are good practices for Reddit users and non-users alike. Additionally, there are system-wide changes that organizations can make to protect against breaches.

Employees with access to sensitive systems or with powerful privileges, like admin accounts, represent a high-value target for attackers, so organizations should pay particular attention to the security of such accounts.

One way to improve account security is the implementation of strong multifactor authentication. SMS is often used for two-factor authentication of consumer accounts, but it can be compromised by attackers with some effort, as occurred with the admin accounts in the Reddit breach.

A cryptographic token system is a more secure alternative to the SMS two-factor authentication method that was compromised in the Reddit breach. Tokens take more effort to implement than SMS two-factor authentication, but they are also difficult to spoof. Authentication tokens are generated cryptographically and often have limited lifetimes: sometimes, as little as one or two minutes.

Many organizations have been using strong authentication based on physical or software tokens for decades. For particularly sensitive accounts like admin accounts, this has long made sense and is hardly a new idea.

Other detection tools your organization should use for breach prevention
Organizations should also use auditing and intrusion detection tools to quickly alert them to a situation when such an account is engaged in abnormal behavior.

Since admin accounts are very powerful, the information security team and IT auditors should carefully review the protection for these types of accounts, including the use of multifactor authentication, and determine if audit trails and intrusion detection tools can be turned off or tampered with by the admin accounts in question. Otherwise, attackers who breach such admin accounts will have the ability to simply bypass the monitoring. In many cases, the underlying operating system or application does not provide tamper-proof audit trails and intrusion detection; third-party tools will need to be implemented.

Organizations should also discover old files that contain personally identifying information, like email addresses, usernames or encrypted passwords. These files should be securely deleted or protected in some fashion. In many cases, it is older files that were not well protected, copied and then forgotten about, often due to employee turnover, that potentially pose regulatory compliance risks.

Proactive data governance measures are more important than ever in today’s landscape, as the Reddit breach and countless others attest.

Is it Time for a Cyber National Guard?

Michael Podemski

With more emerging risks and more data breaches, we continue to hear about the shortage of cybersecurity professionals with the necessary skills, knowledge and experience to protect our information technology infrastructure, especially in the government and public sector.

For instance, in the United States, we know that our federal, state, and local governments are communicating that our information technology infrastructure is outdated and vulnerable to cyberattacks. We also know they are currently trying to pass legislation that will modernize our information technology infrastructure to prevent future cyberattacks. Modernizing information technology infrastructure will help mitigate the risk of cyberattacks; however, you need skilled cybersecurity professionals to continuously identify and evaluate risks, design and implement controls, and assess and monitor the effectiveness of those controls. Just like our outdated technology, we have a shortage of skilled cybersecurity professionals across the government and public sector. How do we solve these problems in the most cost-effective way?

This is important to understand because it’s already difficult to find cybersecurity professionals with necessary credentials to protect information technology infrastructure in the private sector. It’s even more difficult to find these professionals in the government and public sector. Do we just continue to communicate the shortage? Or do we provide an opportunity for private sector cybersecurity professionals to serve their country?

Two members of the US House of Representatives, Ruben Gallego (D-Arizona) and William Hurd (R-Texas), have proposed a Cyber National Guard, which would be similar to the existing Army or Air National Guard. This reserve force would not complete boot camp or use guns in battle. Instead, this reserve force would be called to protect the country against cyber threats and strengthen our national security on the digital battlefield. These resources would identify and patch bugs, upgrade outdated systems to be compliant with policies, and audit and report on information technology infrastructure.

Just like the existing reserves of the National Guard, these cybersecurity professionals would commit to serve their country by volunteering their skills, knowledge, and experience to protect the country from malicious attacks or unintentional changes to the technology infrastructure that supports the government. In return, they would receive the same benefits that anyone serving in the National Guard would receive, including additional pay, tuition reimbursement and other financial benefits. The overarching reward for most of these individuals, though, would be the opportunity to serve their country.

It would be a time commitment both personally and professionally that potential participants would need to consider. However, it would be an opportunity to give back to the country. If former US President John F. Kennedy were around today, would he make the same call to action in the context of this current skills crisis: “Ask not what your country can do for you, but what you can do for your country”? I know that I would consider a Cyber National Guard to be my opportunity to give back to my country.

The Multiple Options for Multi-Factor Authentication

Cory Missimore

How do you prove you are you? In the physical world, we have birth certificates and driver’s licenses to prove we are who we say we are. Yet this question becomes more difficult when you are trying to prove yourself to a computer system. Thankfully, Multi-Factor Authentication (MFA) can help in a variety of ways.

MFA is a method of verifying a user’s claimed identity and granting that user access to a system. MFA is achieved after a user has provided two or more factors to an authenticating mechanism, such as something the user knows, has, or is. MFA factors can be derived from any of the three.

A common example of a factor would be your username and password. Both are a form of something you know. Stemming from MFA is Two-Factor Authentication (2FA). This is an MFA protocol that requires a user to present a unique factor from two separate mechanisms, as often comes into play with an ATM card. You are only able to use your ATM card if 1) you have the card, and 2) you know the PIN associated with the card.

Finally, we have Two-Step Authentication (2SA). Two types of 2SA are a disconnected token (such as hard tokens and key fobs) and a soft token, which is an application that will generate a unique number combination. While both serve the same function, each has its own advantages and disadvantages. For instance, hard tokens cannot be duplicated. However, hard tokens are costly to acquire and have to be physically handed to each and every user, creating an administrative burden. Soft tokens, on the other hand, can be widely disseminated, increasing the likelihood that it is an authorized user requesting access to the system. Yet soft tokens are more susceptible to outside attacks than a hard token.

Whether you use a soft or hard token, you are still limiting the application to either a physical device that a user must always retain and not lose, or an app on a person’s phone. Both tokens can be lost, eaten by the family dog, broken, or otherwise rendered useless. What then? You can use something you have, something you know, and more importantly, something you are. Biometrics, the use of physical characteristics, such as an eye scan, fingerprint readers, and facial recognition, can potentially eliminate passwords, thus removing the password recovery requirement, a key vulnerability of MFA/2FA/2SA. Biometrics are instant, require no keys, and are unique to each individual.

While biometrics seem promising, there are some potential challenges. If a user relies on facial recognition software and gets a tattoo or a facial injury, will that prevent him or her from using the feature? Some users may have damaged fingerprints, rendering that option useless. Further, the use of biometrics implies that every user has a smartphone or tool capable of reading and comparing the data to a table for reference and approval.

Be it hard or soft token, or biometrics, each MFA option has its benefits and its costs. Which one you or your company choose will be based on the size of your company, the scope of users requiring a token, and what level of risk your company is willing to accept.
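The soft token described above, and the short-lived cryptographic tokens mentioned in the Reddit breach post, are most commonly time-based one-time passwords (TOTP, RFC 6238 built on HOTP, RFC 4226). The following is an added example, not code from either post or from any token vendor, showing both sides of the exchange: the code the token app would display, and a server-side verifier that tolerates one step of clock drift but refuses to accept the same time step twice, so a captured code cannot be replayed inside its lifetime. The base32 secret is a constructed demo value.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo secret in base32, the form an authenticator app receives when it is
# enrolled (for example via a provisioning QR code). It is not a real credential.
DEMO_SECRET_B32 = "JBSWY3DPEHPK3PXP"

TIME_STEP = 30      # seconds each code stays valid (RFC 6238 default)
DIGITS = 6
ALLOWED_DRIFT = 1   # accept one step on either side to tolerate clock skew


def secret_from_base32(text: str) -> bytes:
    """Decode the shared secret exactly as provisioned to the soft token."""
    cleaned = text.strip().upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of time steps since the epoch.
    This is what the soft token on the user's phone computes and displays."""
    return hotp(secret, unix_time // step)


class TotpVerifier:
    """Server side of the exchange. Checks a submitted code against the expected window
    and never accepts a time step at or before the last one already consumed, which is
    what gives the code its one-or-two-minute lifetime in practice."""

    def __init__(self, secret: bytes, step: int = TIME_STEP, drift: int = ALLOWED_DRIFT):
        self.secret = secret
        self.step = step
        self.drift = drift
        self.last_accepted = -1  # highest counter value accepted so far

    def verify(self, submitted: str, unix_time: int) -> bool:
        current = unix_time // self.step
        for counter in range(current - self.drift, current + self.drift + 1):
            if counter <= self.last_accepted:
                continue  # this step was already used (or is older than one that was)
            expected = hotp(self.secret, counter)
            # constant-time comparison so timing does not leak how many digits matched
            if hmac.compare_digest(expected, submitted):
                self.last_accepted = counter
                return True
        return False


if __name__ == "__main__":
    import time
    secret = secret_from_base32(DEMO_SECRET_B32)
    now = int(time.time())
    code = totp(secret, now)                 # what the token app would display
    verifier = TotpVerifier(secret)
    print("code:", code, "accepted:", verifier.verify(code, now))
    print("replayed:", verifier.verify(code, now))   # the same code again is rejected
```

The values in the accompanying checks come from the RFC 4226 and RFC 6238 test vectors (secret `12345678901234567890`), so the implementation can be confirmed against the standards rather than against itself.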

Harnessing the Hacker Mindset

Keren Elazari

Editor’s note: Keren Elazari, cybersecurity analyst, author and researcher, will give the closing keynote address at CSX Europe 2018, to take place 29-31 October in London, UK. Elazari recently visited with ISACA Now to discuss the hacking “ethos,” whether data privacy should be considered a right or a privilege, and more. The following is a transcript, edited for length and clarity.

ISACA Now: What prompted you to take an interest in cybersecurity research and analysis?
In one word: Curiosity. Always asking more questions, always poking fingers into things I don’t understand – I believe that is the quintessential hacker mindset and that is what has always defined who I am. Even as a child, I was always really interested in technology and curious about how things worked. I would break things, take them apart, crawl under the table to disconnect the cables and see what would happen if I put them somewhere else.

An important milestone for me was the movie “Hackers” that came out in 1995. I always talk about this movie as my inspiration, because it really gave me a context for hacking: hacking as a calling, a life choice. It showed me a hacker could be a hero of a story, and that hero could be a high school girl just like me! In the movie, it’s Angelina Jolie, pretty much the coolest person in the world from my point of view. Everything was exactly right for me in that cultural moment; it was exactly what I needed to see and hear to understand it was my calling. That’s why I am proud to call myself a hacker. My idea of a hacker is perhaps, somewhat romantic, but I consider the friendly and ethical hackers out there in the world as a vital part of culture, society and the economy, pushing forward the evolution of technology and acting as a much needed “immune system” for the information age.

I wear many professional hats: strategic advisor, business analyst, academic researcher and author. I’ve worked as a security architect, risk management consultant and product manager; yet in any role and organization, I’ve always held that hacker–hero ethos at heart.

ISACA Now: In what areas must the cybersecurity workforce make the most strides if organizations are going to be equipped to deal with the evolving threat landscape?
Despite widespread automation of technology and defensive security solutions, I do believe there always will be room for humans in the equation. As AI, big data, algorithms, automation, machine learning, and adaptable technology become more prevalent, 70-80% of cybersecurity tasks will be automated and drilled down to a science. That means defenders must become more like data scientists and feel at ease with managing and utilizing such tools and leveraging them to gain a better understanding of threats and the security posture of organizations.

It also means that the hard-to-find 20-30% of threats and security problems will become harder to identify. This is where the ART comes in. This is where the tasks human defenders will deal with become less methodical and more creative, more hacker-like, more innovative. In order to make the alchemy of science plus the art of security work in harmony, we must also harness the hacker mindset and invest in skillsets like digital forensics, incident response, threat hunting and red team testing. Those are the skills we should cultivate and in which we should invest today to be ready tomorrow.

ISACA Now: What are the biggest barriers that must be dealt with to improve diversity within the cybersecurity workforce?
First, I’d like to say that there’s no doubt in my mind that the community and the industry is changing and maturing, becoming more diverse and open to other voices and perspectives all the time. This is incredibly exciting to witness, as I still recall going to my first hacker event in Tel Aviv back in 1999 and being the only young lady in a set of 200 guys and one woman (who was the lead organizer).

Now I see more and more women, more people from all walks of life, genders, backgrounds, ages, finding their place and their voice in this community. One metric of this change, and one way we can do even better, is by featuring and curating content from more diverse speakers at conferences.

Another aspect is for the HR departments and managements of organizations to find ways to create onramps, entry level programs and skill building initiatives – not just to get more women into the community and industry, but generally to create multiple pathways for more people to join our forces.

ISACA Now: What concerns you most about how cybercriminals can impact the world of politics?
While in 2018 it’s no surprise to anyone that criminals and certain nation-states have been using cyber-based capabilities and technology to influence and manipulate the geopolitical landscape, there is little being done to prevent this from happening again. This is a global, cross-border problem with very few organizations that can work together to prevent it.

Should it be dealt with by INTERPOL? Or the FBI? Perhaps NATO? I don’t have the answers to that. This is not just a US issue, as it’s not affecting just the US elections (we have seen such attempts, for example, during the 2017 French presidential elections, across Latin America, and elsewhere). In 2018, it should come as no surprise that politicians who want to influence the world and have talented hackers in their country would try to harness them to use that power to shape the world to their liking. We shouldn’t be so shocked to know that; it’s a reality. What’s more urgent, in my opinion, is how to work together between nations and borders to protect democracy.

ISACA Now: Data privacy has emerged as a major issue not only in the EU, but worldwide. What aspects of data privacy do you expect will be most challenging for security practitioners as the number of connected devices in use continues to explode?
As we connect more elements of our lives and make them smarter, we also are allowing data collection about individuals to occur in a scope never before made possible. I believe we must reconsider our notions of secrets, of personal privacy and corporate transparency, and the way technology and big data fuels the next wave of innovation.

That means our future may be defined not just by our efforts to balance technology’s benefits against the risks it brings with it, but also by how we evolve our notions of privacy and digital access to information. I think we must ask ourselves: Is privacy a basic human right? Perhaps in the “information age,” we should consider privacy a privilege one must work hard to maintain.

Transport Layer Security Bolsters Secure Remote Data Transmission

Paul Phillips

It is an amazing time to be alive for many reasons, one of which is the ability to communicate almost seamlessly and securely with people from all over the world. Technology allows us to connect with individuals with whom we most likely never would have before.

Remote communication was the initial goal; however, as the internet evolved, so did the risk that data sent and received remotely would not arrive unaltered, accurate and complete. With the Transport Layer Security (TLS) protocol, secure remote communication and data transmission between businesses and individuals is possible.

The objective of TLS is to provide confidentiality and integrity of data between multiple applications based on a set of communication rules. However, this ability does not come without risk. The ultimate goal is the confidentiality, integrity and availability of data in transit. How do we ensure the data is only accessible to the authorized recipient and that it is accurate, complete and available when needed? Message authentication, non-repudiation, and integrity checks are functions performed to achieve the overall goal. Because of the ever-present threat posed by individuals seeking to steal and/or modify messages in transit, the TLS protocol continues to evolve, which requires security professionals and developers to be informed on revisions and make necessary modifications to their infrastructure.

The TLS protocol is founded on public key infrastructure (PKI) technology. This technology is used to create and manage both the public keys and digital certificates needed to ensure the privacy, authenticity and accessibility of transmitted information. The process is triggered by a function known as the handshake: the initial communication between the two parties, the client and the server, during which the keys are established and the digital certificate is validated to allow for secure communication. There are challenges associated with this process. One is establishing trust in the certificate; the other is relying on and communicating with a website that may not have been properly implemented, configured and patched, which could lead to all types of inefficiencies and vulnerabilities.

While the risks and challenges associated with this technology may be difficult, it is obviously much easier to address them internally within the enterprise as opposed to them existing externally, which is next to impossible to address. Therefore, enterprises should focus on how best to implement and properly maintain the technology and how it fits into the overall information security program, which starts with a look at the information security policy and procedures of the organization as well as the risk management process. The TLS protocol is an acceptable approach to implementing tools and techniques to mitigate the risk associated with data transmission. However, a holistic approach to information security that will include safeguards to protect data at rest should be taken.

Each tool, technique, and process should work cohesively to protect the enterprise’s information assets because there is no silver bullet. There is no one technology that will mitigate all risks and address all challenges. Therefore, it is a matter of choosing the best tool for the organization and ensuring there are trained individuals in place to install and maintain such complex tools.

Deep & Darknet: The Origins of Threats

Claudio Cilli

The deep web and darknet comprise a sort of parallel world compared to the public internet we’re used to.

Deep web: Part of the web that has not yet been indexed by common search engines.

Darknet: (1) A set of publicly accessible content hosted on websites whose IP addresses are hidden, but which anyone can access as long as they know the address; (2) a set of private content exchanged within a closed network of computers for file sharing.

While the deep web is only getting bigger – it is the largest growing category of new information on the internet – the darknet isn’t particularly vast and it’s not even particularly secret. In fact, the darknet is a collection of websites that are publicly visible yet hide the IP addresses of the servers that run them. That means anyone can visit a darknet site, but it can be very difficult to figure out where they’re hosted—or by whom.

When news sites mistakenly describe the darknet as accounting for 90% of the internet, they’re confusing it with the so-called deep web, the collection of all sites on the web that aren’t reachable by a search engine. Those unindexed sites do include the darknet, but they also include much more mundane content like registration-required web forums and dynamically created pages like your Gmail account—hardly the scandalous stuff 60 Minutes might have in mind. The actual darknet, by contrast, likely accounts for less than 0.01% of the web.

"I bought a gun on the web"
The ability to anonymously access content makes the deep web very attractive for criminals. Networks that provide anonymity, such as Tor, represent a valuable instrument for cyber criminals to create and participate in online exchanges for any kind of illegal goods, including weapons, drugs and malware. Black markets for stolen credit card numbers and hacking services also are available on the deep web, where it can be easier to hide from law enforcement agencies.

Buying weapons, false passports and other illegal items on the darknet is easier every day and can generally be done in a few minutes. For every 5,000 people connected, there is a user who is navigating on the darknet and doing something illegal, all thanks to Tor, Tails and other navigation systems that are easy to use and downloadable for anyone. After installing the software, the doors of the internet armory will magically open. Therefore, it becomes less complicated to get a new identity with a passport or a false driver’s license, to buy drugs or to exchange child pornography.

The domain suffix “.onion” implicitly explains the operation of the darknet: a system in which the different “layers” of the onion represent the various servers all over the world on which the sites of illegal goods rest for a few seconds, practically untraceable, because the connection jumps from one virtual place to another without the knowledge of the very users who host the illegal bytes. And so, browsing the Hidden Wiki or Silk Road, we come across EuroGuns, where, after you have registered with any account, even a fake one, you can put your hands on semiautomatic weapons and guns used for war. Other users may take a ride on UKPassport, where by uploading a photo you can buy a working passport for about £1,000, or browse forums that terrorists use to meet.

On EuroGuns, a more economical gun is a 7.65-caliber that costs €600, which most of the time can be paid in bitcoin. The weapon arrives in pieces, each shipped with different carriers and through a chain of people who only know the previous sender, finally arriving at the final purchaser, who only has to re-assemble the parts. The only way to be discovered is by talking about the bargain: in this way, a young Roman was arrested after he boasted of the undertaking on YouTube, with selfies taken of himself with new guns and bullets.

Darknet culture
The darknet is browsed mainly at night, especially by young people between the ages of 12 and 24. Around 90% of ".onion" domains are illegal, with 60-80% related to pornography and child pornography.

The culture of the darknet is perhaps best represented in the forums, where the language used is that of hackers, characterized by the use of many non-alphabetic characters and impolite terminology. After a few weeks of apprenticeship, the use of the right terms and the acquisition of a certain reputation within the forum – which takes all countermeasures to protect itself against the presence of newcomers or infiltrated law enforcers – the more accredited users request the links to the illegal sites where forbidden products or services can be found. Terrorist organizations have their own forums, where they trade, exchange and buy special software and high-tech equipment.

For the police forces of the world, the only way to intervene is by infiltrating the web, trying to acquire the confidence of criminals and to arrange meetings outside the net – a method that has not yet brought significant results. One law enforcement success was the identification of Ross Ulbricht, creator of the illegal black market portal “Silk Road,” arrested in 2013 by the FBI. But the site was restored shortly after and is a virtual cancer that spreads: for one deleted file, thousands duplicate and multiply.

Still, the darknet is no longer the safe place many criminals envision. In the US, the Department of Justice has announced the results of a big operation against the darknet, which has led to 35 arrests and the seizure of weapons, drugs and about $26 million. The operation lasted a year and included the involvement and collaboration of several entities that worked together to combat this growing and serious threat.

Editor’s note: For more insights on the topic, download ISACA’s darknet tech brief.

Automated Systems and Security: Threats and Advantages

Larry Alton

Automation is the biggest driving factor for change in most modern industries. By 2030, it’s estimated that automation could fully replace more than 800 million jobs, and in the meantime, automation is changing how we work, how we plan our businesses, and how we engage with others.

The main appeal of automation is cost reduction; if you can pay $500 a month to have a machine do what a salaried individual making $3,000 a month was doing, you can easily save $2,500 a month ($30,000 a year). And thanks to general advancements in technology, apps like automated payment platforms, automated marketing software, and even automated trading software are becoming more available and more affordable for small- to mid-sized businesses.

But with the rise in automation, there will be new security threats, and conversely, some security advantages, to watch for.

The advantages
First, let’s talk about some of the biggest advantages you’ll see when adopting more automation:

  • Predictability. Automated systems are designed to behave the same way in all circumstances (with some exceptions for platforms driven by machine learning). This makes their actions almost entirely predictable: an action that is safe today stays safe as long as its inputs and environment stay the same, and any security vulnerability is reproducible, so it can be identified and fixed. This makes it easier to control individual engagements with the system, like monetary transactions or content publications.
  • Reduction of human error. It’s estimated that about 90 percent of cybersecurity breaches are at least partially attributable to human error. Automated systems reduce the number of places where that error can occur. Humans will still log in to and manage the platform, but they won’t take part in every transaction or action item. That means fewer opportunities for mistakes overall, and fewer worries about an unfamiliar or undertrained employee making a mistake that compromises your system; the risk that remains concentrates in the credentials and configuration those few humans control.
  • Scalability. Most automated platforms are designed to scale as well; because they function just as efficiently with a few tasks as they do with several thousand (provided there is enough computing power, storage, etc.), they can easily adapt to almost any company’s needs—even as they grow. This means you won’t have to worry as much about hiring new people, training new people on security standards, or investing in bigger and better solutions every time you go through a growth spurt.

The threats
But what vulnerabilities could automation hold for your enterprise?

  • Provider vulnerabilities. Security breaches are increasingly common, and 74 percent of companies that suffer one don’t even know what has happened. If you purchase an automated system from an external provider and it has a security vulnerability they failed to catch, it can render your entire system vulnerable. Working with a third-party automation platform means you inherit whatever vulnerabilities that third party brings to the table, so vet the provider’s patching record and ask how they disclose incidents.
  • Integration loopholes. Because most automated systems need to integrate with other systems to serve your company (whether drawing data from another platform or exchanging information with another system), you’ll need at least a handful of API connections to make things work. Unfortunately, each connection is another potential vulnerability. If those exchanges aren’t encrypted in transit and authenticated at both ends, your data is exposed, especially because it all happens in the background where nobody is watching.
  • Lack of oversight. Many IT officers and employees grow complacent once automated systems handle the bulk of their original responsibilities; in some cases entire roles are replaced outright. Either way, oversight of individual actions drops significantly, and the alerting in place to notify IT of a breach or an abnormality is often lackluster.
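The integration point above is where a practitioner would want to see what "authenticated at both ends" looks like in code. The following is an added example, not code from the original post or from any particular automation platform: a sending system signs each message with a shared secret and a timestamp, and the receiving system refuses anything unsigned, tampered with, or older than a replay window. The header names, the secret value and the sample messages are assumptions made for the example.

```python
import hmac
import hashlib
import time
from typing import Dict, Optional, Tuple

# Shared secret provisioned out of band for one integration (assumed value;
# in practice a long random value held in a secrets manager, never in code).
SHARED_SECRET = b"example-shared-secret-rotate-me"

# Messages older than this are refused even with a valid signature, which
# bounds how long a captured message can be replayed.
REPLAY_WINDOW_SECONDS = 300


def sign_message(secret: bytes, timestamp: int, body: bytes) -> str:
    """Sending side: hex HMAC-SHA256 over 'timestamp.body'.

    Binding the timestamp into the MAC means an attacker cannot take a valid
    signature and re-attach it to a fresh timestamp.
    """
    mac = hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256)
    return mac.hexdigest()


def build_headers(secret: bytes, body: bytes, now: Optional[int] = None) -> Dict[str, str]:
    """Headers the sending system attaches to an HTTPS request carrying `body`.

    Header names are hypothetical; each platform defines its own.
    """
    now = int(time.time()) if now is None else now
    return {
        "X-Timestamp": str(now),
        "X-Signature": sign_message(secret, now, body),
    }


def verify_message(secret: bytes, headers: Dict[str, str], body: bytes,
                   now: Optional[int] = None) -> Tuple[bool, str]:
    """Receiving side: reject unsigned, stale or tampered messages."""
    now = int(time.time()) if now is None else now
    try:
        timestamp = int(headers["X-Timestamp"])
        signature = headers["X-Signature"]
    except (KeyError, ValueError):
        return False, "missing or malformed authentication headers"
    if abs(now - timestamp) > REPLAY_WINDOW_SECONDS:
        return False, "timestamp outside replay window"
    expected = sign_message(secret, timestamp, body)
    # Constant-time comparison: a plain == would leak how many leading
    # bytes matched through timing differences.
    if not hmac.compare_digest(expected, signature):
        return False, "signature mismatch"
    return True, "ok"


def run_demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed messages exercising the accept path and each reject path."""
    now = 1_700_000_000
    body = b'{"action": "pay", "amount": 500, "to": "acct-42"}'
    headers = build_headers(SHARED_SECRET, body, now)
    tampered = b'{"action": "pay", "amount": 5000, "to": "acct-42"}'
    return {
        "genuine": verify_message(SHARED_SECRET, headers, body, now + 5),
        "tampered_body": verify_message(SHARED_SECRET, headers, tampered, now + 5),
        "replayed_later": verify_message(SHARED_SECRET, headers, body, now + 3600),
        "unsigned": verify_message(SHARED_SECRET, {}, body, now),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:15} -> {result}")
```

TLS protects the channel; the signature protects the message, so a compromised proxy, a misrouted request or a forged call from a third party is rejected rather than acted on. Within the replay window a receiver that must never process the same message twice would additionally record seen signatures. Every rejection is also worth logging and alerting on, which is exactly the oversight the last bullet says tends to go missing.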

Automation won’t ruin your plans for system security, nor is it a catch-all solution to improve your security standards. If you want to be an effective cybersecurity or IT professional, you need to learn the key strengths and weaknesses that automation brings to the table and learn how to adapt your strategies accordingly.

Only through understanding and integration will you be able to make the most of your new systems and compensate for their flaws.

Editor’s note: For more insights on the impact of automation, listen to this month’s ISACA 50th Anniversary series podcast.

Five Tips to Make a More Secure Internet of Things

Avani Desai

The Internet of Things (IoT) has positively exploded into our daily lives. We see IoT devices everywhere, from our workplaces to our homes. A new technology inevitably becomes ubiquitous after it hits the headlines, and many IoT devices have done just that, repeatedly, even if the headlines aren’t always positive.
For instance, my daughter had an IoT toy that caused exactly that kind of furor, a beloved doll called “My Friend Cayla.” My daughter would ask the doll a question, which was sent to an app that converted it to text. The text was then used to look the answer up online, and Cayla would speak the answer back to my daughter. That’s cute and exciting for a toy, but for a privacy expert, it was a bit creepy. German regulators agreed: they saw “My Friend Cayla” more as “My Spy Cayla,” and banned the doll on the grounds that it was a concealed surveillance device. Negative headlines, indeed; and the IoT has been disparaged more than once over worries about surveillance and tracking, thanks to Cayla and other devices like the Amazon Echo.
But look at the bright side: the same technology can be used for good. IoT wearables have saved lives, including that of a 42-year-old patient at Our Lady of Lourdes Medical Center who had been admitted with a heart arrhythmia. Doctors had two courses of action, and the choice between them depended on knowing how long the arrhythmia had been going on. With permission, they accessed the patient’s Fitbit and obtained the facts they needed to give him life-saving treatment. Beneficial IoT tech doesn’t even have to be worn; these days you can get a "smart mattress" that collects data on your sleeping patterns and helps improve your overall state of health.
To make the most of what can be an empowering technology, devices must do their job without exposing the personal data they generate, and they generate a great deal of it. They are also, generally, custodians of other personally identifiable information (PII), such as name, address, passwords and even physical location. In the case of the man saved by his Fitbit, his wife consented to the doctors using the data the device had created; but what should or could be done if a location-enabled IoT device were used to stalk someone?
With the following tips, you can help to keep the risk of leaked or stolen information to a minimum.
Five Tips to Keep You and Your IoT Device Safe

Tip #1: Buy Your IoT Device from a Known Supplier
Once you start using an IoT device, you will need to share your own PII and potentially many other types of data, depending on the device. This can include health data, home utility information, and your location. All these data sets are sent to a cloud repository, often via a mobile app. That’s a significant amount of personal data being shared with a third party, so it’s important to check the credibility of the supplier when purchasing an IoT device. Established suppliers with brand equity are more likely to adhere to industry standards and best practices like secure coding, security and privacy by design, and pushing regular software updates. Act like a lawyer and read the supplier's privacy policy: identify why they need your data, and make sure it doesn't include draconian clauses allowing your data to be resold to third parties. And if there is no privacy policy? Don’t even consider buying.
Tip #2: Secure Your Wi-Fi
Our homes are becoming hubs of IoT devices. The “smart home” is no longer science fiction but attainable for many people, with devices such as the Nest, Ring Doorbell and Amazon Echo readily available. To keep your smart home secure, you need to keep your home router secure. One of the main security issues with routers is that many ship with default passwords, which are often guessable or brute-forced by attackers. As soon as you set up the router, change both the administrator password and the Wi-Fi passphrase to long, unique values, use WPA2 or WPA3 encryption, and turn off remote administration from the internet unless you actually need it.
Tip #3: Keep your IoT Device Up to Date
The WannaCry ransomware attack was a stark reminder that software updates are not a luxury but a vital necessity. Applying patches is standard security practice for computer software, and no less so for IoT devices. Unfortunately, research by Ubuntu found that 40% of consumers never actively update their smart devices. If you can update your IoT device’s firmware directly, do so. If not, find out whether the device updates automatically, and if it doesn’t, consider not using it.
Tip #4: Keep Your Mobile Secure Too
Mobile apps and IoT devices often go together: the IoT sensors transfer data back to the app so it can be visualized by the human operator. Keeping your mobile phone secure by installing the latest updates helps keep your IoT-generated data safe. Also, make sure the app you use with an IoT device comes from a trustworthy source, such as the manufacturer’s website or a legitimate app store. When you install the mobile app, check its settings and ensure the privacy permissions reflect your comfort level, including the configuration of location services.

Tip #5: Device Stock Check
IoT devices are meant to connect to one another. In a home setting, for example, you can use Alexa to switch IoT light bulbs on and off, open and close curtains, and so on. As such, you could end up with several individual IoT devices linked together, so keeping an IoT device inventory is smart. A tool like Cujo can help, as it tracks every device connected to your network, so you know what you need to secure and can more easily take control of any situation. Keeping track of which devices are on the network and how they are operating gives you an early view of unauthorized access, such as an unfamiliar device appearing alongside your own.
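The inventory check in Tip #5 is easy to do by hand once the list of devices is written down. The following is an added example, not code from the original post or from any product mentioned in it: it parses a constructed DHCP client table of the kind a home router exports, normalizes the MAC address formats routers print, and compares the result with a hand-maintained inventory to flag unknown devices, known devices announcing a different name, and expected devices that have gone missing. The sample table, the inventory and the column layout are assumptions made for the example.

```python
import re
from typing import Dict, List, NamedTuple


class Lease(NamedTuple):
    ip: str
    mac: str
    hostname: str


# Constructed sample in the shape of a router's DHCP client table:
# "<ip> <mac> <hostname>". Real routers print MACs in several styles,
# which is why the parser normalizes them.
SAMPLE_LEASES = """\
192.168.1.10  AA-BB-CC-00-00-01  echo-kitchen
192.168.1.11  aa:bb:cc:00:00:02  hue-bridge
192.168.1.12  aabb.cc00.0003     raspberrypi
192.168.1.47  de:ad:be:ef:00:99  android-3f2a
"""

# Hand-maintained inventory of what is supposed to be on the network,
# keyed by normalized MAC (constructed for the example).
INVENTORY: Dict[str, str] = {
    "aa:bb:cc:00:00:01": "echo-kitchen",
    "aa:bb:cc:00:00:02": "hue-bridge",
    "aa:bb:cc:00:00:03": "ring-doorbell",
    "aa:bb:cc:00:00:04": "nest-thermostat",
}


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form, e.g. 'AA-BB-CC-00-00-01' -> 'aa:bb:cc:00:00:01'."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def parse_lease_table(text: str) -> List[Lease]:
    """Parse '<ip> <mac> [hostname]' lines; the hostname is optional on many routers."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue  # blank or malformed line
        hostname = parts[2] if len(parts) > 2 else ""
        leases.append(Lease(parts[0], normalize_mac(parts[1]), hostname))
    return leases


def audit(leases: List[Lease], inventory: Dict[str, str]) -> Dict[str, list]:
    """Compare what is on the network with what is supposed to be there."""
    seen = {lease.mac for lease in leases}
    unknown = [lease for lease in leases if lease.mac not in inventory]
    # A known MAC announcing a different hostname may have been reflashed,
    # replaced, or spoofed; it deserves a look either way.
    renamed = [lease for lease in leases
               if lease.mac in inventory and lease.hostname
               and lease.hostname != inventory[lease.mac]]
    absent = sorted(mac for mac in inventory if mac not in seen)
    return {"unknown": unknown, "renamed": renamed, "absent": absent}


def run_audit() -> Dict[str, list]:
    """Run the audit over the constructed sample."""
    return audit(parse_lease_table(SAMPLE_LEASES), INVENTORY)


if __name__ == "__main__":
    report = run_audit()
    for lease in report["unknown"]:
        print(f"UNKNOWN  {lease.ip:15} {lease.mac} {lease.hostname}")
    for lease in report["renamed"]:
        print(f"RENAMED  {lease.ip:15} {lease.mac} {lease.hostname} (expected {INVENTORY[lease.mac]})")
    for mac in report["absent"]:
        print(f"ABSENT   {mac} ({INVENTORY[mac]})")
```

On the sample this reports the Android phone as unknown, the Ring doorbell's MAC now calling itself "raspberrypi" as renamed, and the thermostat as absent. Run it against your own router's client list (or `arp -a` output, adjusting the column layout) on a schedule and diff the reports. A MAC address can be spoofed, so the inventory is a tripwire that prompts a look, not proof that a device is what it claims to be.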

Editor's Note: Avani will be speaking on a panel in the session “Increasing Trust in the IoT Through Auditing” at the upcoming GRC Conference 2018 in Nashville, Tennessee, USA.

Lower IT Department Expenses Without Compromising on Security

Anna Johannson

The IT department has risen to prominence as one of the more integral components of successful, modernized organizations. However, in the midst of this growth, IT has also become increasingly expensive for many of these companies. Learning how to run a cost-effective IT department could be the difference between running a profitable business and straining to make ends meet.

Three Highly Effective Ways to Lower IT Expenses
According to an article coauthored by consultant Kevin Coyne in Harvard Business Review, there are two key points to keep in mind whenever you pursue cost savings, regardless of the organization or department.

“First, forget about finding a single idea that would radically change the cost structure of your organization or department, thereby solving your problem in one go,” Coyne writes. “(If such an idea existed, it would most likely entail so much risk that the organization would never be willing to implement it.)”

Instead, Coyne suggests reaching your goal through a combination of at least 10 different actions. Additionally, he notes that the degree of organizational disruption caused by the cost-cutting will typically be proportional to the degree of reduction that’s done. Incremental actions may reduce costs by 5 or 10 percent, whereas serious restructuring may be able to lower costs by 25 percent or more.

Assuming that you aren’t looking to slash your IT expenses by 25 or 50 percent, here are some incremental steps you can take to quickly and effectively lower costs.

  1. Defer non-critical initiatives. You always need to have an idea of which tasks and strategies within your IT department are most timely and important. Having this sort of internal priority list will help you defer non-critical IT initiatives when money is tight and reallocate that money towards the ones that matter.
  2. Shop for deals. In your personal life, you probably give careful thought to the purchases you make. In other words, you don’t just go around investing money into things without first doing a little bit of research. You need to take a similar approach in business. Shop around for the best price on software and tools – which may mean using coupons and deals – to ensure you’re saving money wherever possible.
  3. Virtualize wherever possible. When compared to traditional servers, virtualization can increase hardware utilization fourfold or more. This means you can reduce the number of physical servers you need by roughly the same ratio, leading to a significant reduction in hardware and energy costs.

Don’t compromise on security
While there’s a time and place for lowering costs and eliminating superfluous IT expenditures, don’t be shortsighted and compromise on security to save a few dollars. It’s far better to invest in cybersecurity than to deal with a costly attack that damages your brand and costs far more to correct.

It’s up to you to find the sweet spot, so to speak. You must discover the optimal amount to spend, without opening your company to risk or falling behind on the innovation curve. This will require constant tweaking and regular optimization – so stay dialed in!
