Taking Precautions With Smart Home Gadget Security

Larry Alton

Smart home gadgets have been among the most popular holiday, housewarming and any-occasion gifts for the last few years. Whether it’s an interconnected home security system, a pet camera, or a voice-activated assistant like the Amazon Echo, homeowners and renters alike love having these tech gadgets in their homes.

In fact, research has shown that homes with smart home devices sell faster and for more than those without. Additionally, renters show great interest in living in rentals that have interconnected gadgets and are willing to pay more for these units. Therefore, many landlords have been rushing to turn their properties into smart homes.

Unfortunately, many users of these devices are unaware of the safety implications that come with them. Most smart gadgets are connected to your home’s Wi-Fi, which is linked to a large network that hackers can access. With this information in mind, many smart gadget owners are wondering just how much their safety is threatened by their tech gadgets – and what can be done about it. Let’s take a closer look.

The Interconnected Worldwide Web
When you set up your home or apartment internet connection, you typically put a password on the connection. That way, neighbors and passers-by can’t steal your internet and slow down your bandwidth.

Many people believe that this simple password is enough to protect them against hacking attempts, but it’s not. It’s certainly better than a public network, but it’s still pretty easy for hackers with any level of experience to crack.

Plus, the worldwide web is aptly named because it’s completely interconnected, providing inviting access points to hackers. Charles Henderson, professional security specialist for IBM, told The NY Times that it just takes one access point to create a catalyst of problems.

“If one device gets compromised, it could be the same as allowing an attacker to plug into the entire network,” he says.

Security Products Aren’t Perfect
Consumers often fall victim to cybersecurity threats simply because they believe they’re impenetrable. Because a reputable business builds and sells these gadgets, they’re trustworthy, right?

While most companies in the smart tech sector do their best to create high-quality products, there’s no such thing as a perfect, impenetrable device. Most devices are released before they’re perfect, and the company will produce patches and updates to repair vulnerabilities along the way.

A recent cybersecurity breach is a great example of this problem. Orvibo, a China-based organization that creates smart home devices and sells them globally, recently experienced a breach compromising billions of smart home devices. Billions of device owners had their records and privacy compromised as a result of a security hole. The breach revealed more than just an invasion of privacy. It indicated a larger issue of personal identity theft.

“Using the information on Orvibo's database, it would be relatively easy to build a complex picture of any given user,” wrote James Gelinas of Komando.com. “The database contains a number of telltale entries like location, username, device ID, and email addresses. So, anyone with basic knowledge of the user would be able to identify them with these bits and pieces.”

Take Precautions
These breaches are disconcerting, but they don’t mean users should have to say goodbye to smart home devices. Instead, they should simply take a few precautions. You wouldn’t leave home without locking all the doors and windows, and the same goes for managing security devices.

Perform research on the best ways to keep your devices safe and locked down from privacy invaders and identity thieves. In the meantime, here are a few recommended measures:

  • Use strong passwords and change them often.
  • Apply all updates sent to your devices.
  • Use a virtual private network (VPN) to connect your smart devices.
  • Consider biometric authentication for smart home devices.
  • Remove personal information from smart home devices.

As you apply these simple steps for securing your home network, you’ll experience greater peace of mind while enjoying the luxuries of your smart gadgets.

Getting Creative to Solve Security Challenges in Healthcare

Susan Snedaker

A recent article about information security challenges in healthcare pointed to the lack of resources many security teams report. They face staff shortages, lack of expertise and tight budgets. They find themselves unable to do the work they believe needs to be done.

In thinking about any problem, I always focus on what can be done. The truth is, there’s almost always something that can be done even if you can’t fix the bigger problem. After all, part of risk management is making any risk smaller, so why not approach resource challenges in the same way?

Solving Small Team Concerns
When faced with a small security team, one healthcare organization decided to distribute the security team’s work across the infrastructure teams. Though they had two people dedicated to information security, they also shifted the culture and expectations so that everyone, from the service desk analyst to the desktop analyst to the server and network engineers, knew that security was part of their job. They eventually added the applications leads to the mix to ensure security was truly an IT department focus, not just a security team focus. This had the effect of extending the security team without adding people. And it created numerous added benefits because now managing and monitoring security was not “someone else’s job,” it was everyone’s job.

Update job descriptions, set expectations, train staff in information security fundamentals (according to their job function), auditing and monitoring. Give them the tools to be effective members of the IT department knowing that, in today’s environment, security is everyone’s job. When the server team adopts system-hardening processes and audits those results on their own, security is improved far more effectively than if you have some security team person harping on hardening servers. The same holds true for managing application security. When the apps team understands how to assess, deploy and test for secure applications, security is improved at the point of origin rather than fixing a defect later (and for those of you familiar with Lean, this is a core concept). Building security into the standard work of each team not only teaches them about security in their area of expertise (while adding to their job expertise and often their satisfaction), it enhances the organization overall.

Addressing Lack of Expertise
There is a growing industry of security service providers. Everyone is facing talent shortages, but healthcare can be particularly hard hit because financial margins don’t allow for spending top dollar for talent in a highly competitive field such as information security. Some healthcare organizations manage to recruit and retain top talent by offering excellent working conditions and continuous professional development – but that doesn’t mean you can find, retain or reward those individuals in a tight job market. That’s where professional services can come in. Renting security monitoring, for instance, can be less expensive on an annual basis than adding another person. So, having a 24x7 security monitoring and alerting service may be an excellent approach to improving security without adding additional staff. Look for services you can use on a subscription basis or on an as-needed basis to add to your security program without breaking the bank.

Managing on Tight Budgets
The other major complaint that often arises is lack of budget to purchase and implement new security tools such as network monitoring or user behavior analytics. While these tools provide tremendous benefit when implemented and used correctly, two things are true. First, tools purchased are often only partially implemented because healthcare IT has so many spontaneous projects and needs that teams become overwhelmed or distracted. So, buying the latest tool may not really solve the problem. Second, if you lack the budget to buy new tools, your very first step should be to re-assess the tools you do have. Sometimes you haven’t fully implemented the tool or implemented it in the most advantageous manner. Sometimes you have poor processes wrapped around the use of the tool that could be improved. If you’re not fully utilizing what you have, that should be your first effort.

Sometimes you can find add-ons or expansions to your existing tools that may be less expensive than bringing in a whole new software solution. Have your vendors come in and talk with you about what else their solutions can do for you. Sometimes there are no-cost or low-cost solutions you wouldn’t have considered.

Still other times, if you feel strongly that you need a particular tool, have the vendor help you make the business case. They should be able to provide industry data, comparison data and benefits data. If they help you implement a proof of concept implementation, take lots of notes about the before and after state so you can gather data to make your case.

Get Creative with Training
There are a lot of excellent training opportunities available to enhance the security skills of your team. Some are very expensive, but many are not. Try to negotiate for training dollars or training credits with major vendors when you sign a new contract or large purchase. Vendors will often toss these in if asked. If your expense is limited to travel (and not paying for the course), your training dollars will go much further. Look for online or distance learning options to reduce travel expense, and consider free webinars from industry leaders (ISACA, SANS, HIMSS, etc.) as well as vendor webinars, which may be skewed toward their product but may also educate on the broader topic at hand. Keeping staff trained will enhance their job satisfaction and improve your organization’s security. Additionally, certifications in security or auditing areas add credibility to your work and may help you make the case for more people or more funds.

Make the Business Case
Too often, those requesting additional resources fail to make the compelling business case. Make sure you have put together a concise document explaining the current state, the risk of that state, the proposed solution and why the investment is required. It may not always be approved, but you’re unlikely to get anything you need without it. And, as a leader, it’s good practice to present a professional business case in support of your requests.

None of these ideas will solve the problem of being short-staffed or under-budgeted, but they will help mitigate these risks while you work to make the business case to your executive team about why they need to support these kinds of investments. It’s often hard to fight for dollars to prevent the “hypothetical” event (the same problem exists with business continuity planning). Healthcare executives should understand that healthcare data is at the center of the target for attackers and, ultimately, they need to make the investments needed to keep the organization as safe as possible. In the meantime, you can reduce your risks by taking small, meaningful steps toward your goals.

Author’s note: For additional articles and resources focused on IT leadership, visit Susan’s website, www.susansnedaker.com.

Forthright Handling of Cybercrime Essential to Improved Results

Chris K. Dimitriadis

While it has become generally well-known that enterprises have a problem dealing with cybercrime, the true extent of the problem is much worse than many realize. In fact, even the entities that really ought to know the reality – such as legal and regulatory authorities – are generally in the dark about how many incidents are occurring and how severe they are.

In ISACA’s recently released State of Cybersecurity 2019 research, a combined 75 percent of security professionals responding to the survey assert that most enterprises underreport cybercrime, including 50 percent who believe that organizations underreport cybercrime even when legally required to report it. There is a well-known saying that the first step to solving a problem is acknowledging that there is a problem, but these numbers suggest that enterprises still would prefer to sweep cyber incidents under the rug than to face the often unpleasant realities of today’s threat landscape. There are a number of reasons why organizations resist reporting cyber incidents, but the failure to disclose incidents is short-sighted and ultimately opens the enterprise to far greater risk in the long-term.

An obvious starting point for why organizations are reluctant to report cybercrime is impact on brand name and customer trust. But this propensity for organizations to avoid reporting cyber incidents to the appropriate legal and regulatory authorities invites public relations debacles that result in far greater trouble down the road. Aside from the direct financial costs associated with cyber incidents, the damage to brand reputation and customer trust can be even more difficult to rebound from. If organizations can demonstrate to the public that they made good-faith efforts to disclose the details of the incident and then mitigate the damage to the best extent possible, there is a fighting chance to rebuild customer relationships. Conversely, if the consequences of a breach are followed up by what is perceived as a cover-up, those customer relationships become nearly impossible to repair, and the executives involved with that unwillingness to accept accountability likely will see their careers permanently tarnished.

When the instinct to avoid embarrassment is not to blame for failing to report cyber incidents, the culprit might be a feeling that there is nothing to be gained from reporting the incident. Whereas when organizations are victimized by a physical break-in resulting in stolen property, a call to law enforcement is the natural next step – and likely would result in an investigation leading to an arrest – organizations are much less confident that legal authorities can help them recover stolen data or prevent the spread of digital assets stemming from cyberattacks. This, too, is a misguided reason not to report, especially as law enforcement agencies are beginning to develop more sophisticated capabilities when it comes to fighting cyber crime with each passing year. This trend will continue as public expectations mount for local law enforcement to take digital crime as seriously as enforcing parking meter violations and other traditional crime that commands their attention. Correspondingly, the amount of resources devoted to fighting cybercrime must increase to make it more realistic for law enforcement to be a viable partner in helping organizations respond to cyberattacks.

The unwillingness to report cybercrime is problematic on multiple levels. In the UK’s National Strategic Assessment of Serious and Organised Crime for 2018, it is noted that “underreporting of data breaches continues to erode our ability to make robust assessment of the scale and cost of network intrusions. Many companies are not disclosing data breaches, putting victims at risk.” The report also indicates that the public’s confidence in law enforcement’s ability to respond to cybercrime is impacted by the widespread underreporting of these incidents. In the bigger picture, the lack of trustworthy statistics around the volume of cyber incidents does a disservice to organizations of all types and sizes around the globe. Think about how much easier it would be for boards of directors to justify allocating greater resources toward cybersecurity if they had more credible and comprehensive data on the prevalence and nature of incidents from which to base their decisions.

Perhaps the evolving regulatory landscape will help mitigate this deeply ingrained problem, with the high-profile General Data Protection Regulation (GDPR) now adding to other regulations that put responsibility on organizations to report data breaches and other security incidents. There are plenty of common-sense reasons why organizations should accurately report cyber incidents, but if it takes regulatory pressure to provide additional incentive, so be it. In almost all cases in life, forthrightness and transparency is a better option than hoping others will not notice what is really happening. That certainly applies to the need for more widespread reporting of cyber incidents. Until organizations do so with more regularity, a range of important stakeholders will lack sufficient information to drive toward solutions that can make a meaningful difference in combating cybercrime.

Editor’s note: This article originally appeared in CSO.

How Small and Medium Businesses Can Leverage Cybersecurity for Client Value: Six Ways to Get Started

Ken Russman

Small and medium-sized businesses (SMBs) lack the resources of a large business, in both finances and personnel, making it more difficult to extract client value from a robust cybersecurity program. In fact, many SMBs probably do not have a “robust” cybersecurity program. Implementing one can be costly, and the related costs are not just one-time capital expenses, but also include recurring expenses. So, why should an SMB even consider implementing a cybersecurity program when there are plenty of other high-priority business needs that demand resources?

The bottom line is the protection of data. If data is not protected, business owners should be afraid. It’s only a matter of time before a hacker comes calling and walks away with an organization’s data. They might not actually take it; they may just copy it for their use or for sale to the highest bidder and leave the business with its own copy, perhaps not even aware the data had been copied. What if that data was the corporate payroll database with employee bank routing numbers and account numbers? How about the HR files with employee social security numbers? We’ve all heard plenty of stories about major database breaches in which employee data was compromised (meaning the culprits, at a minimum, copied the data for their own use).

So, there are some very basic reasons to implement cybersecurity best practices. Think of it as an insurance policy. We might not like paying our insurance premiums each month, but we do it to protect ourselves from the unexpected events that could be very costly. And when something does happen where you need that insurance policy, you are glad you have it. The same goes for cybersecurity programs.

Six Ways to Get Started
SMBs can start by protecting their data and their clients’ data by implementing a few low-cost initiatives:

Data Identification – What data is most important to you (and your clients)? What data needs the most protection? That data is where you need to start focusing your protection efforts.
Action: Make an inventory of all your data (including client data) and prioritize it based on its importance (or sensitivity).

Policies and Procedures – Policies establish the corporate expectations for every member of the staff. Procedures explain how employees are to meet those expectations. 
Action: Update (or create) policies and procedures that place an emphasis on data protection, both for the company as well as its clients.

Awareness Training – Training supports policies and procedures by providing awareness of areas of importance as well as by helping employees better understand how corporate procedures can be implemented. Training should be a recurring event and updated to reflect current corporate priorities.
Action: Improve employee awareness with recurring cybersecurity training, especially as it relates to data protection.

Minimize the Data Footprint – If there are multiple copies of a sensitive data file (call it “file A”) in several locations (e.g., local laptops, shared network drives, email inboxes, and other document libraries), then WHEN (not IF) your company is hacked, the perpetrator would need less time to find one of the versions of file A. However, if there is only one version of file A in one place, that greatly increases the difficulty and time for a perpetrator to find the single file A. Ideally, there would also be tools in place to alert the support team of a possible breach. If it takes the perpetrator enough time to find a single copy of file A, then the alerting system may detect the activity in time to stop (or minimize) damage.
Action: Keep only one copy of files, when possible.

Data Retention – This goes hand-in-hand with the data footprint. You should keep a file only as long as needed for business and legal purposes. The longer a file is sitting on the corporate network, the greater the number of opportunities for a perpetrator to find the file. Once a file is no longer needed, delete it. Remember to consider data backups as well.
Action: Only keep files for as long as they are needed, then delete them.

Monitoring – The best policies and procedures will be of no use if they are not being followed. Training can help ensure awareness of corporate priorities, but monitoring and conducting periodic spot checks are necessary to ensure policies and procedures are being followed. This monitoring also provides insight into where awareness training may need to be improved.
Action: Monitor and conduct periodic spot checks to ensure policies and procedures are being followed.

The bottom line is, treat the company’s data, as well as your clients’ data, as if it is your own. Think of it as a game of “keep-away” from potential perpetrators. Implement these low-cost initiatives to get you well on your way to keeping your data and your clients’ data protected. Corporate executives and your clients will be so glad you did.

About the author: Ken Russman is a senior project manager with TalaTek, who holds PMP and CISSP certifications and has 20 years of experience in managing projects, strategic planning, and policies and procedures development.

How to Properly Review an SOC Report

Brooke Gardner

As a follow-up to a blog post previously published by The Mako Group’s Chief Audit Executive, Shane O’Donnell, let’s dig a little deeper into what you should be reviewing when you receive your vendors’ SOC 1, SOC 2 or SOC 3 reports.

Each SOC (Service Organization Controls) report follows a basic outline. You will find the vendor’s management assertion, the independent service auditor’s report, the vendor’s description of its system, and a listing of controls tested. Below are some key points to focus on when reviewing your vendors’ SOC reports.

Who Issued the Report?
When noting who issued the report, there are two important factors to be considered. First, according to the AICPA, only CPA firms can issue SOC reports. A licensed CPA firm must undergo peer reviews at least every three years. A peer review includes a review of the firm’s accounting and auditing practices to ensure they are meeting AICPA standards.

While it is important to ensure that the firm issuing the SOC report is a licensed CPA firm, there is a second, yet equally important, point to be considered. Does the firm or individual issuing the report have information technology or information security certifications? It is important to understand that SOC reports are information security related audits. These are very different from the financial audits that CPA firms typically perform.

You can encourage your vendors to engage with a CPA firm that specializes in information security. Look for certifications, such as Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), and Certified in Risk and Information Systems Control (CRISC), to name a few. These certifications are rigorous and demonstrate expert knowledge of cybersecurity and information security.

What Is the Auditor’s Opinion?
Within the SOC report, you will find an independent service auditor’s report. In this section, the auditor documents the overall opinion regarding the vendor’s system, including whether the system description was presented fairly, and whether the vendor’s controls are suitably designed and functioning as expected. The auditor’s opinion is the main reason for an SOC report, so it is important to understand the meanings of the different opinions.

There are four possible ways that the auditor can present the opinion:

  • Unqualified: The auditor fully supports the findings, with no modifications.
  • Qualified: The auditor cannot express an unqualified opinion; however, the issues are not pervasive.
  • Adverse: The auditor believes that there are material and pervasive issues. Report readers should not rely on the vendor’s system.
  • Disclaimer: The auditor is unable to express an opinion due to insufficient evidence, and the possible effects could be both material and pervasive.

The most important point to keep in mind is that you want an unqualified opinion. If any other type of opinion is found, you should also find a separate paragraph to describe the reasons for the opinion and evaluate the impact of the qualifications.

What Was Included in the Audit?
Within the SOC report, the vendor will provide a description of the system in scope. Background information and a description of the software, people, procedures, and data will all be covered in the system description. Due to familiarity with your vendor’s systems and infrastructure, review this description closely to determine what they may have chosen to exclude from the audit. From there, you can determine if it is important to the security of your system and/or data.

Were Any Relevant Exceptions Noted?
Each type of SOC report will include the relevant exceptions noted during testing. This is arguably the most important element of a SOC report. You must decide which of your vendor’s controls are critical to your organization and evaluate if there are any exceptions noted in those critical areas. If you find exceptions and determine they are critical to the security of your organization’s data, you must determine the impact these will have to your organization’s security.

A Look at CIS Controls Version 7.1

K. Harisaiprasad

CIS Controls Version 7.1, released in April 2019, was developed by the Center for Internet Security (CIS), which consists of a community of IT experts. CIS Controls is a set of 20 prioritized controls, divided into three categories: basic, foundational and organizational. These are also expressed as Implementation Groups (IGs): IG1 corresponds to the basic controls; IG2 adds the foundational controls to IG1; and IG3 adds the organizational controls to IG2.

The basic category consists of controls for the inventory and control of hardware assets, inventory and control of software assets, continuous vulnerability management, controlled use of admin rights, and the secure configuration for hardware and software on mobile devices, laptops, workstations and servers.

The foundational category has 10 controls: email and web browser protection, malware defenses, limitation and control of network ports protocols and services, data recovery capabilities, secure configuration for network devices, boundary defenses, data protection, controlled access based on the need to know, wireless access control, and account monitoring and control.

The organizational category includes controls for implementing a security awareness and training program, application software security, incident response and management, penetration tests and red team exercises. These controls together form a net that provides best practices for mitigating common attacks against systems and networks.

Organizations should implement basic controls first, followed by foundational and organizational. Basic controls also are referred to as “cyber hygiene,” as these are the essential protections that must be in place to defend against common attacks. IG1 is recommended for small businesses, IG2 is suitable for regional organizations and IG3 is implemented for large corporations. Each control has sub-controls with descriptions for each, and each control has the following elements:

  • Description mentioning criticality of control
  • Actions that the organization should take to implement the control
  • Procedure and tools to enable implementation
  • Entity relationship diagrams that show components of implementation

For example, control 5 is described below as given in the CIS V7.1 document.

CIS control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
Establish, implement, and actively manage (track, report on, correct) the security configuration of mobile devices, laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.

Why is the control critical?
As delivered by manufacturers and resellers, the default configurations for operating systems and applications are normally geared toward ease-of-deployment and ease-of-use – not security. Basic controls, open services and ports, default accounts or passwords, older (vulnerable) protocols, and pre-installation of unneeded software can be exploitable in their default state.

Developing configuration settings with good security properties is a complex task beyond the ability of individual users, requiring analysis of potentially hundreds or thousands of options in order to make good choices (the procedures and tools section below provides resources for secure configurations). Even if a strong initial configuration is developed and installed, it must be continually managed to avoid security “decay” as software is updated or patched, new security vulnerabilities are reported, and configurations are “tweaked” to allow the installation of new software or to support new operational requirements. If not, attackers will find opportunities to exploit both network-accessible services and client software.

Actions the organization should take to implement the control

The CIS table has four columns: Asset Type *, Security Function Δ, Control Title and Control Description. (The asset type and security function entries of the original table are largely missing here; the control titles and descriptions are reproduced in full, and the one recoverable security function is shown in parentheses.)

  • Establish Secure Configurations: Maintain documented security configuration standards for all authorized operating systems and software.
  • Maintain Secure Images (security function: Protect Δ): Maintain secure images or templates for all systems in the enterprise based on the organization’s approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.
  • Securely Store Master Images: Store the master images and templates on securely configured servers, validated with integrity monitoring tools, to ensure that only authorized changes to the images are possible.
  • Deploy System Configuration Management Tools: Deploy system configuration management tools that will automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals.
  • Implement Automated Configuration Monitoring Systems: Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to verify all security configuration elements, catalogue approved exceptions, and alert when unauthorized changes occur.

* Asset type includes assets such as applications, devices, users, network, data, etc.
Δ Security function includes Identify, Protect, Detect, Respond and Recover.

Procedures and tools
Rather than start from scratch developing a security baseline for each software system, organizations should start from publicly developed, vetted, and supported security benchmarks, security guides, or checklists. Excellent resources include:

Organizations should augment or adjust these baselines to satisfy local policies and requirements, but deviations and rationale should be documented to facilitate later reviews or audits.

For a complex enterprise, the establishment of a single security baseline configuration (for example, a single installation image for all workstations across the entire enterprise) is sometimes impractical or deemed unacceptable. It is likely that you will need to support different standardized images, based on the proper hardening to address risks and needed functionality of the intended deployment – for example, a web server in the demilitarized zone (DMZ) versus an email or other application server in the internal network. The number of variations should be kept to a minimum in order to better understand and manage the security properties of each, but organizations then must be prepared to manage multiple baselines.

Commercial and/or free configuration management tools can then be employed to measure the settings of operating systems and applications of managed machines to look for deviations from the standard image configurations. Typical configuration management tools use some combination of an agent installed on each managed system, or agentless inspection of systems by remotely logging in to each managed machine using administrator credentials. Additionally, a hybrid approach is sometimes used whereby a remote session is initiated, a temporary or dynamic agent is deployed on the target system for the scan, and then the agent is removed.
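The measurement step described above, together with the exception catalogue and alerting called for by the automated configuration monitoring control and the integrity check on stored master images, can be illustrated with a small drift checker. This is an added example, not code from the original article or from any configuration management product; the baseline keys, the host name jump-01, the change ticket reference and the collected configuration are all constructed for illustration.

```python
"""Baseline drift check: compare settings collected from a host against a
documented configuration standard, honour catalogued exceptions (with their
rationale), and raise alerts only for unauthorized deviations."""
import hashlib

# Constructed baseline: the organization's documented standard for an SSH
# service. Keys mimic sshd_config directives; values are illustrative only.
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
    "LogLevel": "VERBOSE",
}

# Constructed exception catalogue: host -> setting -> (allowed value, rationale).
# Documenting the rationale is what makes later review or audit possible.
APPROVED_EXCEPTIONS = {
    "jump-01": {
        "PasswordAuthentication": ("yes", "CHG-0042 (placeholder ticket): legacy console access until 2019-09-30"),
    },
}


def parse_kv_config(text):
    """Parse 'Key value' lines (sshd_config style); comments and blanks are ignored."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0]] = parts[1].strip()
    return settings


def check_drift(host, observed, baseline=BASELINE, exceptions=APPROVED_EXCEPTIONS):
    """Return (findings, alerts): findings maps each baseline setting to a status
    string; alerts lists settings that deviate without an approved exception."""
    host_exceptions = exceptions.get(host, {})
    findings, alerts = {}, []
    for key, expected in baseline.items():
        actual = observed.get(key)  # None means the directive is absent (vendor default applies)
        if actual == expected:
            findings[key] = "compliant"
        elif key in host_exceptions and host_exceptions[key][0] == actual:
            findings[key] = "approved exception: " + host_exceptions[key][1]
        else:
            findings[key] = f"DRIFT expected={expected!r} actual={actual!r}"
            alerts.append(key)
    return findings, alerts


def record_digest(image_bytes):
    """Digest recorded for a master image when it is approved and stored."""
    return hashlib.sha256(image_bytes).hexdigest()


def image_matches_manifest(image_bytes, expected_sha256):
    """Integrity check: does the stored master image still match its recorded digest?"""
    return record_digest(image_bytes) == expected_sha256


# Constructed observed configuration, as an agent or remote scan would collect it.
SAMPLE_CONFIG = """# sshd_config collected from jump-01 (constructed sample)
PermitRootLogin no
PasswordAuthentication yes
X11Forwarding yes
MaxAuthTries 4
"""

if __name__ == "__main__":
    findings, alerts = check_drift("jump-01", parse_kv_config(SAMPLE_CONFIG))
    for setting, status in findings.items():
        print(f"{setting}: {status}")
    print("ALERT" if alerts else "OK", alerts)
```

On the constructed sample, PasswordAuthentication is reported as an approved exception, while X11Forwarding and the missing LogLevel directive are the two unauthorized deviations that would be alerted.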

ISACA at Infosecurity Europe: Expert Speakers and New Research at Europe’s Largest Infosec Event 

ISACA expert speakers, past board directors and chapter leaders provided insight and new research while ISACA representatives highlighted ISACA certifications and training solutions at Infosecurity Europe 2019, 4-6 June in London. With more than 400 exhibitors and 240 educational sessions, the annual exposition and conference attracts the largest infosec and cybersecurity crowd in the region.

Vilius Benetis, president of the ISACA Lithuania chapter and CEO at NRD Cyber Security, presented twice at Infosecurity Europe: “Building or Modernising Own CSIRT/SOC: Practical Tips” and “National or Sectorial Cybersecurity Capability Build-Out: Capability Assessments, CSIRT/SOCs, Threat Landscapes & CIIs.” Benetis shared that if organizations have sensitive data, heavily automated processes, or are part of critical infrastructure, establishing a computer security incident response team (CSIRT) or a security operations center (SOC) will ensure they are ready to respond to threats with internationally accepted incident response methodology.

Leading a team, Benetis said, requires more than technical expertise. “You should be smiling and leading. Concentrate on the manager role when leading a team.” Also, relying on a third party does not mean that responsibility is handed over. “There are experienced consultants to help your journey, but the actual work is done by you,” he said. Benetis will be presenting “Auditing with SOC-CMM: Cyber Security Detection and Incident Response” at Africa CACS 2019 (19-20 August in Johannesburg, South Africa) and Euro CACS/CSX 2019 (16-18 October, in Geneva, Switzerland).

Session presenting is not the only way to reach an audience at Infosecurity Europe. BrightTalk films panels and interviews on the expo floor, taking advantage of the global thought leaders and experts in attendance to tackle hot topics and critical issues. ISACA expert speaker Raef Meeuwisse moderated a BrightTalk panel, “Protecting Against Phishing, Ransomware & Social Engineering,” where industry insiders discussed the imperatives of knowing where your data is, safeguarding your credentials, and educating your staff. Panelists debated whether an organization should identify and protect data depending on its value, or if all data should be protected. Meeuwisse also interviewed Carl Leonard, principal security analyst at Forcepoint, on “How to Protect your Business in the Cloud.”

ISACA Past Board Director Allan Boardman moderated a session dedicated to “Proactive Privacy and Security” – the impact of GDPR one year after implementation, the challenges of achieving compliance with the internet of things (IoT), and best practices for data protection and privacy. Boardman also sat for an interview of his own; BrightTalk visited the ISACA booth and filmed an interview on ISACA’s 2019 State of Cybersecurity Part 2 report, which was released in conjunction with Infosecurity Europe. Boardman will be presenting on “Implementing a Cybersecurity Skills Competencies Framework” and “Strategies for Dealing with an Increasingly Sophisticated Cyber Threat Landscape” as well as a workshop, “Cybersecurity Risk Management: A Practical Approach” at Africa CACS 2019. He also will present “Strategies for Dealing with an Increasingly Sophisticated Cyber Threat Landscape” at Euro CACS/CSX 2019.

CMMI Institute, an ISACA subsidiary, was also an exhibitor at Infosecurity 2019, demonstrating the CMMI Cybermaturity Platform for enterprises. Ivo Maritz, Leiter Cyber Security (CSO/CISO) at BKW, spoke with other attendees about the platform’s assessment tool and how using the platform identified gaps in various business units in the enterprise. “The ultimate goal is to change attitude and behavior … to have the company and individuals operating in a cyber-safe way, to make it part of their daily work and responsibilities,” Maritz said.

Infosecurity and ISACA are teaming up for the first Infosecurity ISACA North America Expo and Conference 2019, 20-21 November, in New York City.

Cybersecurity: Failing the Fundamentals

Raef Meeuwisse

My fellow information security professionals, you recently spoke, and ISACA listened. Now it is time to get all those commercial enterprises and other organizations to listen, too. What did you say?

According to the second part of ISACA’s State of Cybersecurity 2019 report:

  • Security teams that report to a chief information security officer have the highest level of confidence in their work.
  • Phishing, malware and social engineering remain the top three attack vectors yielding results for the threat actors.
  • … and cybercrime is underreported, even if that means ignoring a regulatory obligation to report it.

As information security professionals, it seems most of us already know how to improve security. The core problem appears to be getting that message through to the C-suite and shareholders. What is going wrong? And more importantly, how do we fix it?

1) We need a CISO (not reporting to the CIO).
I have spoken on this topic for years. Having the security function reporting into a CIO is a clear conflict of interest. It is the same as having the financial auditors reporting into the finance function they are checking on.

Having a CISO reporting to the technology department means the organization is failing to grasp that cybersecurity goes beyond technology into people, processes and information, and is most successful when it is at the heart of each organization’s strategy.

… But the worst sin of all is just not having a CISO at all. When I comment in the press on data breaches, the first thing I research is whether the compromised organization has a CISO and to whom he or she reports.

2) Fix the fundamentals.
Although we all love to talk about zero-day vulnerabilities – the items that nobody has seen before and against which there may be no defense – the truth is that these have yet to score any major hits for cybercriminals.

Some of you might argue that “NotPetya” used a zero-day vulnerability – but of course the tactics it used had been known for some time and therefore were no longer considered zero-day.

I examine and research quite a few data mega-breaches and they all end up in the same predictable place – that there were three or more critical or major security controls that were not implemented or were not operating effectively.

We may only be able to minimize the impact from things like phishing, but given that we know that to be true, nobody these days should have sole authority to complete actions with enterprise-devastating consequences. Yet, from my auditing experience, this continues to be the case.

It may not be sophisticated to fix security fundamentals – but it does take considerable budget, resources and a change of philosophy to choose security by design – and not security as a sort of sprinkle you might add to a donut!

3) Move on from organizations that hide breaches.
Have you ever seen organizational denial? I have. In fact, when it comes to checking on cybersecurity, I see it in the majority of companies.

Ask any organization that has just suffered a devastating cyberbreach if it was doing a good enough job with its security, and if the problem was due to some excusable anomaly, and the answer is a universal “yes.”

But as we know, that never is the case.

And the more often the security failings of an organization receive attention, the less plausible it is that the problems are down to really clever cybercriminals.

All organizations want to state that they are treating security seriously. They want to look as though they are doing the right thing – but their actions can tell a different story.

What can you do if you are stuck in a company that is burying risks and failing to report breaches? Alas, I cannot tell you anything other than the fact that in the past, I have always treated that as an indication I should move on.

If enough of us only agreed to work in places with the right approach to security – where they had a CISO sitting on the C-suite; where security was adequately resourced and embedded by design; and where they reported all the cybercrime – I would hope that security would improve considerably.

However, if you read any cyber job ad, or talk with your peers at infosec conferences, you will already know that, at present, these places rarely exist.

A Deeper Look Into the WhatsApp Hack and the Complex Cyber Weapons Industry

Phil Zongo and Darren Argyle

On 13 May, the Financial Times reported the discovery of a major security flaw in the popular messaging app, WhatsApp. The pervasive vulnerability, which affected both Apple and Android devices, allowed malicious actors to inject commercial spyware by ringing up unsuspecting targets using WhatsApp’s VoIP-based call function.

The world is now accustomed to daily data breach news. What makes this threat particularly disturbing, however, is its novelty and deftness. This flaw allowed hackers to break into phones by simply calling a target. The victims didn’t even need to pick up, and the missed calls simply vanished from the logs. Device hacks that don’t require victim participation, such as clicking a weaponized hyperlink, are difficult to fend off and dramatically alter the game.

According to the report, the commercial spyware in question was developed by Israeli cybersecurity firm NSO Group. While NSO has denied the allegations, the incident has nonetheless brought to light the complex, secretive and dangerous world of the cyber arms market, in which companies like NSO operate. Within this industry, governments and other sophisticated groups buy advanced surveillance tools, zero-day vulnerabilities, exploit kits and several other malicious programs from defense contractors or niche malware developers.

These advanced digital munitions are used to debilitate adversary nations’ critical infrastructure; influence elections; jam airwaves to silence opposition; and spy on journalists, dissenters, suspected terrorists and a wide array of targets. According to research, the global cyber weapons market stood at US$406.77 billion in 2016 and is poised to reach a staggering US$524.27 billion by 2022.

When we dig deeper into factors that have spurred the exponential rise in the cyber weapons market, three insightful answers emerge. At the root of this predicament is the rapid shift in defense policies. As geo-political tensions rise, more and more nations are rushing to acquire offensive cyber capabilities. This props up the commercial cyber weapons industry, as governments find it easier and more economical to buy or rent digital arms than to develop their own. As a 2013 article highlighted, “A government or other entity could launch sophisticated attacks against just about any adversary anywhere in the world for a grand total of $6 million. Ease of use is a premium. It’s cyber warfare in a box.”

Back in 2017, US defense chiefs, via a joint statement to the US Senate Armed Services Committee, bemoaned the growing threat from adversary nations exploiting cyber space to steal military secrets, sensitive research and other high-value information. “Many countries view cyber capabilities as a useful foreign policy tool that also is integral to their domestic policy, and will continue to develop these capabilities,” they emphasized.

Secondly, and perhaps the most vexing, is the absence of collective will to curtail the development and acquisition of cyber weapons. As one of the co-authors of this blog post wrote in his book, The Five Anchors of Cyber Resilience, international cooperation between law enforcement agents is non-existent or weak at best. As both geo-political and geo-economic tensions crank up, according to the World Economic Forum Global Risks, the prospects of achieving a binding global cybercriminal justice system invariably pale.

Granted, there have been sporadic efforts to address this void. In 2018, Antonio Guterres, the United Nations chief, issued a withering assessment, saying, “Episodes of cyber warfare between states already exist. What is worse is that there is no regulatory scheme for that type of warfare; it is not clear how the Geneva Convention or international humanitarian law applies to it.”

History also is a guide. At the 2015 G20 summit in Belek, Antalya Province, Turkey, G20 leaders agreed on language pledging not to conduct cyber-enabled economic espionage. But because the G20 communiqué was non-binding, it represented only form, not substance. It did very little to de-escalate rising cyber tensions or alter deep-seated nationalistic motivations. Messy situations demand strong leadership, but as powerful nations have significant stakes in the game, we are likely to see more of the same.

Third, while commercial cyber arms creators may not harbor intentions to sell their wares to repressive regimes or criminal mobs, it’s inevitable that these tools will eventually fall into the wrong hands. The NSO Group, for instance, claimed that its program is licensed to authorized government agencies “for the sole purpose of fighting crime and terror.” But once a vendor sells powerful cyber weapons, it has little to no control over how and when that software is used. The 2016 incident in which a ghostly group of hackers infiltrated the Equation Group, a complex hacking enterprise believed to be operated by the NSA, provides a chilling example. The cyber weapons were later repurposed to debilitate several institutions, such as the NHS hospitals in the UK, resulting in billions in damages. Further compounding an already grave situation, insurers are now refusing to pay cyber claims when attacks are deemed “acts of war.”

What’s at stake here is innovation, peace and human development. Hacker incursions into critical infrastructure such as WhatsApp, which connects more than a billion people across more than 180 countries, can negatively alter consumer trust – derailing innovation and human development. As Tim Cook, the CEO of Apple, accentuated in a recent Time article, “Technology has the potential to keep changing the world for the better, but it will never achieve that potential without the full faith and confidence of the people who use it.”

About the authors

Phil Zongo is a director and co-founder of Cyberresilience.com.au, an enterprise that develops the next generation of cyber leaders. He is the Amazon best-selling author of “The Five Anchors of Cyber Resilience,” a practical cyber strategy book for senior business leaders. Zongo has won multiple industry awards, including the respected 2017 ISACA International’s Michael Cangemi Best Book/Article Award, for major contributions in the field of IS audit, control and security.

Darren Argyle is a non-executive director and co-founder of Cyberresilience.com.au, an enterprise that develops the next generation of cyber leaders. He is a former Group Chief Information Security Officer (CISO) at Qantas Airlines. Argyle was named in the top 100 Chief Information Security Officers globally in 2017 and in the top 100 Global IT Security Influencers in 2018 by the SC Magazine. He was recently appointed Ambassador for the Global Cyber Alliance in recognition of his collaborative work advising small businesses on critical measures they can apply to defend against cyberattacks. He has nearly 20 years of experience in international cyber risk and security, with broad expertise in providing hands-on leadership, strategic C-level and board direction, and cybersecurity program execution.

Securing Major League Baseball - On and Off the Field

Three strikes and you're out is one of the more well-known sayings in baseball, but it only takes one devastating cyberattack to inflict huge damage on Major League Baseball or any of its 30 teams.

At Wednesday's session, "It's Only Baseball: Technology and our National Pastime - A Security Perspective," at ISACA’s 2019 North America CACS conference in Anaheim, California, USA, Neil Boland, the CISO of Major League Baseball, and Albert Castro, director of information technology with the Los Angeles Angels, provided perspective on the scope of the security challenge for an organization with such high visibility as MLB.

“Baseball has a lot going on,” Boland said. “We have a lot of fans, a lot of games, a lot of activities throughout the course of the year, and a lot of exposures around the globe in many, many countries. The sport continues to grow, and the consumption of the sport continues to grow.”

The session traced the rise in prominence of security in baseball, from the days when security was an afterthought to today’s state, in which the bottom line is: “This is critical. Don’t mess it up.”

MLB works with numerous partners, which is often where the most challenging security considerations come into play. Boland said MLB is taking steps to strengthen partner onboarding and provide further guidance on mitigating risks.

"There's just a vast amount of partners we work with to pull this off - 162 games a year, not even counting spring training and the postseason for a club, and [multiply] that by 30 teams," Boland said. "There's a lot of data, a lot of tools and a lot of systems, and some of them are really important, like industrial control systems to keep people safe."

Recognizing the scope of the challenge, in 2017, Boland helped to implement a program to better protect the league and its clubs from cyberattacks, standardizing the security stack and integrations. A vastly increased use of mobile platforms, IoT and cloud services means the traditional perimeter is gone, putting the onus on MLB to provide simple and reliable tools that prevent attacks.

"We wanted to raise the bar a lot higher," Boland said. "We wanted to be faster than the next guy running from the bear."

Boland encouraged session attendees to move quickly to upgrade their organizations’ security posture rather than delay in search of the ideal solution.

"Any layer that you can add that just makes life harder for your adversary is a good thing, even if it's not perfect," Boland said.

In contrast to the sport’s signature rivalries, such as the Red Sox and Yankees or the Cubs and Cardinals, Boland emphasized that everyone needs to be on the same team when it comes to cybersecurity, and said it is important to share information on cyber threats.

"I ring the bell, and I think that's really important to do, because we're all in this together," Boland said.

Beyond the security realm, Castro highlighted the way that teams leverage technology in areas such as ticketing, sponsorship activation, fan engagement and scouting and developing players.

“The access to information has just grown exponentially and with that has come the ability to do all kinds of really sophisticated analysis that just makes technology critical to running a baseball team,” Castro said.
