Other Blogs
There are no items in this list.
Knowledge & Insights > ISACA Now > Categories
The 4 Most Secure Forms of Online Communication

Larry AltonWhether you need to have a private conversation with your lawyer or want to exchange files safely with a professional client, secure communication online in a must. “Secure” is a somewhat vague term, so here’s what a secure form of communication looks like:

  • Private. Your information shouldn’t be viewable by any third parties.
  • Hard to penetrate. It should be extremely difficult for any cybercriminals to break into your system by guessing your password, exploiting bad code, or leveraging API loopholes.
  • Reliable. Your communication should be consistently reliable, with no interruptions or vulnerabilities to exploit.

By these standards, which forms of online communication are the most secure?

Secure forms of communication
This is a short list of the most secure forms of online communication:

  1. IRC channels. Internet relay chat (IRC) is an application layer protocol that allows multiple people to communicate via text (and sometimes exchange files) through clients on their individual devices. Weechat and Pidgin are two of the most popular options here, but there are many niche clients available for specific applications, including ones developed for mobile devices. Once installed, you’ll need to set up or join a dedicated channel, but as long as you’ve set up your security properly, you should be able to exchange information freely.
  2. Secure file-sharing apps. You could also seek out a secure file-sharing app if your main intention is to exchange files with another party. Companies like XMedius have dedicated their resources specifically to allow users to send files back and forth without worrying about becoming vulnerable. Features like multi-factor authentication, 256-bit encryption, and file expiration make it possible to exchange files, worry-free.
  3. Encrypted emails. If you’re looking to send an encrypted email message, or take part in an encrypted conversation, you could use an app extension or plugin like Enigmail, or a dedicated service like Infoencrypt. In any case, the idea here is to encrypt your messages to prevent them from being decipherable by outside parties. Encrypted email exchanges are far more secure than their traditional counterparts.
  4. Other encrypted messaging apps. Emails, file sharing, and IRC chats aren’t the only secure ways to communicate online. Almost any mode of communication could be made secure by including better encryption and authentication protocols, and additional security features like data expiration. All you have to do is look for the right apps, which specifically advertise their security and/or privacy.

Best practices for online communication
Merely choosing a secure channel may not be enough to protect you. You’ll have to follow these best practices if you want to ensure your communication is as secure as possible:

  • Be choosy. There are hundreds, if not thousands, of apps out there advertising their “security,” but not all of them will offer you the same level of protection. Before you buy, download, or start using these apps, do your homework. Learn why they claim to be secure, read up on user reviews, and compare them to their competitors to make sure you’re using the best option.
  • Use a VPN. A virtual private network (VPN) will give you a secure tunnel through which you can send and receive information online, as if you were operating using a private server. VyprVPN and IVPN are two of your best options here, but there are dozens of VPN options that cater to different needs, so choose carefully.
  • Avoid reliance on telecommunication. Phone calls and text messages may seem like the straightforward way to communicate, but any form of communication that relies on a cell tower is inherently unsecure. For this reason, it’s best to communicate when you’re connected to a secured Wi-Fi network, rather than using your 4G network—and that also means avoiding publicly accessible Wi-Fit networks, like those in coffee shops or libraries.
  • Choose and rotate strong passwords. It’s a simple best practice, but one that you can’t afford to neglect; choose a strong password for your login, and create new passwords to replace it on a regular basis. Strong passwords include both upper-case and lower-case letters, numbers, and special characters—and the longer they are, the better.
  • Think carefully about what information you send. As an added layer of security, don’t send information unless you have to share it, or unless you’re perfectly comfortable with that information leaking. Even with the best security practices and apps in place, there’s no reason to make yourself vulnerable unless you have to.

Every system has vulnerabilities, so there’s no way to make your exchange completely hack-proof. However, you can eliminate vulnerabilities to make it far more difficult to gain access to your communication. Most of the time, making it difficult is enough—cybercriminals look for easy targets—so don’t neglect these important steps.

IoT Cybersecurity Act of 2017: A Necessary But Insufficient Approach

Charles HarryThe Mirai botnet attack on the DYN network in October 2016 highlighted to many policymakers the potential problems associated with IoT devices. The compromise and concerted use of thousands of webcams and DVRs to disrupt key Internet services focused attention on the poor implementation of security controls on millions of devices newly connected to the Internet.

The introduction of the IoT Cybersecurity Improvement Act of 2017 by a bipartisan group of US senators seeks to address the inherent threat IoT devices pose to federal government services. This bill builds on recent efforts, including the Trump administration’s new executive order on cyber security for federal networks and critical infrastructure.

The IoT Cybersecurity Improvement Act would require the Office of Management and Budget Director to confer with various cabinet and agency officials to define implementation guidance to ensure contracts that enable IoT installation in federal systems meet standards that allow for regular identification and patching of vulnerabilities found in deployed IoT devices across the federal government. The central concept of the bill is the requirement for contractors and agency heads to own the evolving security footprint of IoT devices deployed in their network. This approach is consistent with the Trump administration’s guidance for agency heads to be held responsible for the protection of their networks and critical systems and to include these devices as part of an overall assessment of risk.

While the bill requires contractors to assess deployed “internet connected devices” against vulnerability databases and recommend patching strategies, it does allow agency heads to apply for waivers in cases where devices with “severely limited functionality,” defined as Internet-connected devices with limited data processing and software functionality, can be exempted from the requirement if the executive agency deems it “economically impractical.”

For example, if an agency has deployed 10,000 smart lightbulbs and a vulnerability is found, the head of the organization would be able to request a waiver noting that those lightbulbs have limited functionality and would represent an “undue burden” to replace them with newer models (or push out a patch). It is reasonable for the government to carve out this exception. However, it does raise a fundamental issue. If most IoT devices, including small sensors, lightbulbs, etc., are individually cheap by design (e.g., to be competitively viable as compared to traditional devices), does the introduction of those devices pose an unacceptable risk to the federal agency? Or, in other words, is the agency willing to allow devices that could be used as a relay in a cyber campaign because the devices have “severely limited functionality”?

The bill addresses this problem through the requirement of a risk assessment. In this case, the bill attempts to leverage the current requirement for agencies to develop comprehensive risk frameworks as laid out in the May 11, 2017 US Cybersecurity Executive Order. Those requirements ensure agencies follow the NIST Cybersecurity Framework, which provides organizations with a set of best practices to identify and reduce their cybersecurity risk. This makes sense, yet neither the bill nor the NIST framework provide methodologies for conducting the actual risk assessment. Instead, agencies are left to design and implement their own approaches, which is useful but ultimately problematic, as an inconsistent set of definitions and criteria can be applied.

If IoT devices are structurally incentivized to not integrate robust security controls, and agencies can apply for exemptions to found vulnerabilities, and our application of risk assessment is immature to not fully grasp how those devices can be leveraged by hackers, how can we embrace evolving technology while at the same time protecting the most critical services provided by federal agencies? 

The IoT Cybersecurity Improvement Act of 2017 would be a good piece of legislation, as it serves to move the ball forward in highlighting an area of weakness in federal network security. However, the inconsistent and immature processes by which we assess risk to our core services undermines its effectiveness.

Editor’s note: Prior to Dr. Harry’s appointment at the University of Maryland, he spent more than 14 years working in the federal government.

What Does the Future of Financial Cyber Security Look Like?

Anna JohannsonToday, we trust banks and other financial institutions to safely handle our money and the bulk of our monetary transactions. Successful breaches are somewhat rare thanks to technologies like multi-factor authentication and heavy investment in cyber security, but hackers are always improving their techniques, and tech is always changing. This leads to an ongoing cycle of improvement on both sides: financial institutions keep building better defenses, and hackers keep trying to overcome those advancements.

So, could the financial industry eventually get ahead of the cybercriminals? What does the future hold for financial cyber security?

Consumer trust
Financial institutions’ most important job is building and maintaining consumer trust. Without that, people won’t be willing to part with their money, and the entire system could collapse. That’s why financial companies are working hard to stay ahead of the curve, to inform their customers proactively about prospective threats, explain what they’re doing to stop them, and of course, give them the proof that what they’re doing actually works. Third parties will always be around to rate banks and lending institutions for the quality of their offers, and security will only grow in importance as a factor in the future.

New threats
These are some of the most important threats we need to prepare for:

  • Botnet attacks. The concept of a botnet is relatively simple; a hacker uses a program to gain access to multiple independent devices, usually connected in a peer-to-peer web-like network, and then coordinate those devices to execute an attack. This could come in the form of a distributed denial of service (DDoS) attack, or to steal data, which can then be used to compromise financial accounts.
  • Self-mutating viruses. Standard computer viruses already have the potential to infect a computer, enabling the virus creator to steal information from the victim’s computer or use it as part of a botnet in the future. However, antivirus software often catches and eliminates these threats based on recognized patterns. Self-mutating viruses go a step further; they have the capacity to evolve, sometimes in response to direct threats, making them notoriously difficult to detect and prevent. Fortunately, these are in the early stages of development, and haven’t had much of an impact as a cyber threat thus far.
  • Biohacking. Biohacking refers to a number of different possible actions, all of which focus on identifying important people and gaining access to the biological features that make them unique. As biometrics start to become more heavily integrated, biohacking will grow in both importance and prominence, giving hackers a way to obtain fingerprints or other forms of personal information to gain access to systems.
  • BYOD manipulation. Thanks to the rise of mobile devices, many businesses have now adopted a bring-your-own-device (BYOD) policy, allowing and sometimes mandating that individual users bring their personal devices to the centralized workplace. For cyber criminals, this represents a wealth of opportunities; all it takes is one breached device on a shared network to bring the entire system down. 

New technologies
These are some of the ways financial institutions are protecting themselves:

  • Biometrics. Biometrics are a branch of security standards that rely on personal information, such as fingerprints, speech patterns, or even the shape of your ears, to authenticate identity. There are still a number of kinks to work out – such as how biometrics change with growth or significant life events – but if perfected, it could make it nearly impossible for thieves to replicate this information on their own.
  • Quantum cryptography. Typical encryptions use a “key,” which is usually randomly generated, to encode information that can only be decoded by authorized devices and programs, at least in theory. Dedicated hackers could uncover the key and use it to translate messages, with enough effort. However, quantum cryptography takes encryption to the next level, relying on the wave function of elementary particles and quantum physics to encode information in a way that is basically unhackable. The technology isn’t foolproof yet, but someday, it could encrypt information with absolute certainty.
  • Blockchain. Blockchain, the technology used to power the crypto-currency Bitcoin, is already starting to be used in the financial industry. It relies on a peer-reviewed open ledger to record and remember transactions, making it nearly impossible to record fraudulent transactions or “steal” from other participants in the chain. It’s a technology still in its infancy, but it has massive disruptive potential.

It’s hard to chart an exact course for the development of technology, as cybercriminals are always looking for surprising new angles, developers are working on projects in secret, and all it takes is one new revelation to force changes on both sides. Still, the world of financial cyber security will be interesting to watch in the coming years.

Increased Cyber Awareness Must Lead to Equivalent Action

Matt LoebRecent and widely publicized cyber attacks must be the impetus for a renewed and more concerted and coordinated global commitment to strengthen cyber security capabilities.

In May, the WannaCry ransomware attacks struck, underscoring the potentially disastrous consequences for health care facilities and their patients when medical records and medical devices are compromised. June brought yet another major attack in Petya, originally characterized as another widespread ransomware attack, but later revealed to draw upon a form of malware that does not steal data but, in fact, destroys it.

These types of attacks, and those that will follow, accentuate the increasing concerns about the continued escalation of the global cyber security crisis. It’s no longer just about stealing money and data, but one that’s now placing human lives at risk. While health care has been a primary target this time around, more threats loom on the potential for breaches or compromised access to industrial control systems that could result in penetration of critical infrastructure systems such as electric utilities, oil and gas facilities, or nuclear energy plants. This shines a spotlight on the need for a unified global response now.

Amidst the challenges of the current threat landscape, there are promising signs that an increasing number of enterprise leaders and boards of directors are making the defense of their organization against ransomware and other cyber threats a top priority. ISACA’s State of Cyber Security 2017 research showed the percentage of organizations with Chief Information Security Officers (CISOs) is up to 65 percent, a 15-point rise over the year before. And in a micro-poll of the ISACA professional community in the immediate aftermath of the Petya incident, half of respondents indicated they took action after WannaCry to bolster their defenses – in case something like Petya showed up.

Additionally, half of the post-Petya poll respondents indicated their organizations provide ransomware awareness training to their staff, and more than half of organizations are applying software patches within the first week that they are available. That’s a good start. Promoting cyber security awareness and adhering to basic cyber security fundamentals needs to be as common in the global digital economy as seatbelts are in cars. We have a long way to go to make this the reality.

While the past several months have created an aura of inevitability around major attacks, more than 4 in 5 respondents to our micro-poll indicate they expect ransomware attacks will be even more prevalent in the second half of 2017.We cannot accept this level of havoc as a ‘new normal.’ Putting in place a viable incident response plan is critical, but what’s worthy of further investment is protection before an attack happens. Every organization should proactively employ cyber security awareness for all staff, performance-based cyber security skills training, timely hardware and software updates, and the hiring of the most highly skilled staff to ensure preparedness for the next attack, ransomware or otherwise. Start with an assumption that your organization will be the next target of a cyber attack.

Governments need to exhibit bold leadership and do more, too. This includes a commitment from G20 nations to expand cyber security research and training, and standardize some of the measures that individual nations are putting in place. G20 nations also should consider providing cyber security resources and support to nations that are not equipped to invest in themselves, as the connectivity of the global digital economy means all of us are in this together. This can help amplify the reach of encouraging efforts that are unfolding at national levels, such as the UK’s National Cyber Security Strategy and the recent executive order on cyber security in the US. Expanding public-private cyber security partnerships, while leveraging the resources of industry associations and academia, also should be part of the solution.

As a global community, we remain vulnerable to the cyber threats that already are here today, as well as the ones that will surface tomorrow. We cannot fall victim to cyber attack ‘fatigue’; attacks like the WannaCrys and Petyas cannot become “business as usual.” Cyber security is everybody’s business. Cyber security is more than pickpocketing; it’s a matter of public safety. Awareness must translate into resolve, not resignation. Only then will we make even greater leaps toward a more safe and secure future.

Editor’s note: This blog post by ISACA CEO Matt Loeb originally appeared in CSO.

Five Questions With Jigsaw CEO and CSX North America Keynoter Jared Cohen

Jared CohenEditor’s note: Jared Cohen, CEO of Jigsaw (the successor of Google Ideas), will deliver the opening keynote address at CSX North America 2017, which will take place 2-4 October in Washington D.C. Cohen, co-author of the New York Times best-selling book “The New Digital Age,” recently visited with ISACA Now about the cyber security skills gap, advancements in machine learning and his extensive world travels. The following is an edited transcript:

ISACA Now: How did Jigsaw come to be?
I was hired to Google in 2010 to build out a new division of the company called Google Ideas. I had gotten to know the CEO while I was still advising Hillary Clinton and we took a trip to Iraq together. It was a transformative trip because we both realized that the vast majority of future Internet users still had not yet come online, and companies like Google needed to be better prepared for that ubiquitous moment. I ran it as a think tank for many years and then a product organization. When the company restructured to become Alphabet, Jigsaw became the letter "J" in the Alphabet suite of companies. We are an engineering organization working on the cutting edge of AI, cyber security, and tackling some of the toughest global challenges with technology.

ISACA Now: What type of reaction have you received to The New Digital Age?
The New Digital Age captures the last mile of an access revolution that has been playing out for the past decade and a half. It is a book about the advent of technology and how it will impact war, terrorism, interactions between states, and so many other geopolitical trends. So much of what we wrote about and predicted in that book has happened faster than expected. So, I suppose the most common reaction I get from people is whether or not I'm surprised that the predictions came true as quickly as they did. I am.

ISACA Now: Which emerging technologies do you foresee being most impactful in the next 3-5 years?
This is a clear answer. The advancements in machine learning are going to be the most important innovation that defines the next decade. We are entering a ubiquitous moment where technology is everywhere and we are all mass producing data at record speed and volume. The combination of data and even bigger data, coupled with the ability to process that data through multiple machines and build deep neural nets, means that we will be able to build machine learning models to tackle challenges never before possible. Eventually we will reach something called inventive AI, where we train a machine on a particular type of data that enables it to tackle a broader set of challenges. This will have a profound impact on everything from security to health.

ISACA Now: The cyber security skills gap is well-documented. What are your thoughts on the best ways to influence more young people to pursue careers in cyber security?
Young people are ambitious and often want to work on the next zeitgeist. It doesn't get more of the next zeitgeist than cyber security. It is a barren field that is ripe for innovation. It is also a field that bridges the technical and non-technical disciplines. It's a skill set that will be desired by every sector, discipline and company. If every country in the future is also a technology company, then it is only as good as its security.

ISACA Now: You’ve traveled to more than 110 countries in your role advising two US Secretaries of State. How has all that travel influenced your view of the transformative potential of technology, from a global perspective?
I've seen first-hand how technology is transforming every society around the world, from the most connected to literally the least connected. What I've also learned is that the physical world shapes the digital world and vice versa. Every technology we build today has global implications. It expands the digital topography that complements the physical world we know. If all people are splitting their time between both worlds, it also means that the challenges of the physical world are spilling over online. In order to build technology responsibly and in a way that will have impact, we need to make sure we don't lose the human intelligence side of things. For me, this means showing up places and asking questions, meeting people, and going to countries and places I haven't visited.

‘Cyborg’ Society Necessitates Governance, Compliance and Security Vigilance

Today’s security professionals face a daunting reality as the attack surface swells and cyber criminals prey upon the speed at which new devices are hurried to market.

“As soon as we put out a device, there’s going to be somebody who starts tinkering with it and finding vulnerabilities,” said Kimberlee Ann Brannock, senior security advisor with HP. “That’s just a fact.”

Brannock, an ISACA member, presented this week at Black Hat USA on how organizations can leverage governance, compliance and security to protect themselves. She said a comprehensive, multilayered approach is especially critical given powerful trends such as accelerated innovation and globalization. “I’m a huge proponent of defense in layers, security in layers,” Brannock said. “One-dimensional does not work.”

Kimberlee Brannock

Sound governance and security programs also help drive compliance, she said.

“When you have all of these different layers and all of these different strategies, and you bring all of those together, one of the amazing things is you start to develop security intelligence,” Brannock said. “And then because you’re documenting your processes, you’re documenting your procedures, you’re doing your assessments, you’re getting the evidence from that, that helps you to demonstrate compliance as well.”

Brannock recommended three actions enterprises should take to mitigate their risk:

  1. Focus on end-to-end security. Include security in considerations when evaluating potential IoT product purchases, such as printers. (The presentation began with a video featuring an organization having its network compromised through a malware attack on an insecure printer).
  2. Deploy strong administration tools. Avoid using system defaults for user names and password purchases. “It is amazing how many sophisticated organizations that have spent millions of dollars on their infrastructure, on their end points and their devices, they have the default settings,” Brannock said.
  3. Do not share access. Account access should not be shared with anyone, and secure password practices should be emphasized with those who do have access.

Brannock also encouraged organizations to adopt applicable cyber security frameworks, conduct thorough risk assessments and be mindful of firmware security in their devices.

“Every device that we can think of is hackable in one way or another,” Brannock said. “As security professionals, as IT professionals, we need to be aware, and we need to get the conversation started about it.”

When organizations put governance policies and procedures in place, Brannock said it is important to avoid shrugging off shortcomings that might surface.

“As an organization, you want to tell people what you’re wanting to accomplish and why, and how to do it,” Brannock said. “But you also want to make them accountable … so there has to be consequences.”

Brannock shared industry statistics about the mounting use of data and devices on an everyday basis, leading to a corresponding spike in security threats.

“We are plugged in all the time,” Brannock said. “We carry around a device all the time. We are cyborgs – whether we acknowledge it or not, we are. So, with this digital and physical world colliding, we need to be at the ready to address it from a security standpoint.”

Not Just Smart Cities – A Smart Community Ecosytem

Much consideration has been given to the creation of smart cities in the connected devices era, but Gary Hayslip thinks that security professionals should broaden their perspectives.

Hayslip, CISO of Webroot and an ISACA member, spoke of a wider ecosystem that must be accounted for during a presentation this week at Black Hat USA 2017. The session, titled “Protecting Tomorrow’s Smart Community … Today,” was presented together with Tom Caldwell, Webroot’s senior director of engineering.

Gary Hayslip

“I look at the smart community ecosystem as more than just cities,” Hayslip said. “I look at it as also being corporations. I look at it as being small mom and pop stores. I look at it as even being users now who are downloading and using so many different types of IoT devices. It is a full ecosystem.”

The explosion of connected devices means more and more technologies and networks are becoming intertwined, each introducing new risk and control considerations. One of the most important steps organizations should take is assessing which devices are utilizing legacy systems that could pose major security risks.

“I’ve never run into a network that is all brand new,” Hayslip said. “You’re going to have legacy. It’s just one of those things that you’ve got to deal with. So, if you’ve got legacy, how are you handling it? Are you segmenting it and putting it aside, or is it intertwined with what have on your corporate network? If you can’t segment it, what controls can you put in place to get visibility so you can catch those anomalies?”

Connected devices also are challenging CISOs with the erosion of the physical perimeter.

“I look at my perimeter as basically on my employees’ laptops, on their phones, mobile,” Hayslip said. “From a risk perspective, as a CISO, how do I go in and really understand where my data’s at and how my networks are being used?”

Given the expanding threat landscape, Hayslip said organizations must face the reality that they are going to deal with breaches, and put their emphasis on reducing their impact and moving forward with business. To do so, Hayslip said security leaders need to understand the full life cycle of the organization’s data, not just who is using it and whether it is being backed up.

Hayslip also highlighted the importance of effective communication with third-party vendors so that critical information is swiftly shared when either side is slammed with a breach.

“Is that happening within an acceptable time frame and not 48 hours later?” Hayslip said. “I mean, 48 hours in the life of cyber, you can rule the world in 48 hours.”

Emphasizing the complexity of today’s security ecosystem, Hayslip urged CISOs to draw upon each other’s experiences on these and a variety of other topics, such as how to contend with various cloud environments, which vendors are worth pursuing and how to navigate budget constraints.

Caldwell’s portion of the session dealt largely with the ramifications of AI and machine learning, dissecting use cases involving threat intelligence, endpoint protection and behavioral analytics. As promising as machine learning may be, Caldwell said “the human feedback loop” remains indispensable in ensuring the technology is implemented effectively.

IoT Security Programs Must Leverage Trust

Jon ShendeWith an ever-growing digital and virtualized world of interconnected devices, we are seeing the rise of an ecosystem of Internet of Things (IoT) that is impacting everyday actions. This ecosystem of devices can be managed and monitored remotely, can leverage mobile and wireless networks for communication, and capitalizes on a combination of the cloud and data centers for analysis.

While this is a good thing for technological and human-machine interaction, the confluence of many devices and applications, coupled with fragmented solutions, inherently opens the door to risk. This risk comes in the form of security threats and those arising from not being able to align with a standard framework, taking into account data privacy, and meeting regulatory and compliance requirements.

If we look at IoT through a security lens, then we have to consider the integration of network, sensors, human machine interactions, virtualized systems and other endpoints that must be able to provide actionable security intelligence in near real time, and which can align to a security framework or model. This model should identify and mitigate environmental risk, ensure data privacy and drive threat mitigation around:

  • Weaknesses within web interfaces
  • Challenges with authentication and authorization
  • Challenges with encryption
  • Data privacy across borders
  • Inconsistencies within network security
  • Challenges with physical security of devices

Delving a layer deeper, and as we consider these potential areas of vulnerabilities, any security program for an IoT environment should leverage the principle of trust in the form of trusted IDs, trusted software and systems, integrated with trusted and protected communications, linked to trusted data sources and data, and all encircled within trusted secured connections and secured device configurations. In the telecommunications world, we can cite the example of authentication, where a mobile services provider can “authenticate applications within a federated gateway via SIM, but also through sensors on short-range networks” – Ericsson Innovation Day 2015.

These “trust principles,” though, should all follow a premise where we understand the areas of involvement and operations for any “thing” as it connects to any system or other device that can be part of a known framework, based on implied architecture or intrinsic architectural embedding into a defined framework. Any such framework should have a policy that defines a process and drives an implementation that can align with the mandate of a governance model covering architectural device identity and access management, authentication and security associations, risk management, and privacy, as well as regulatory/compliance alignments.

This post just scratches the surface of the impact of the IoT on our environments, as companies move more toward digitalization and drive digital transformation. These transformations will only see the growth of more connected “things” interacting with and impacting our environments. Some of these things will not necessarily be governed by human machine interactions, but may exist as components embedded within architectures found within smart buildings, vehicles and environmental systems.

Data privacy, legal oversight, IoT frameworks, and regulatory and compliance considerations are among the other areas that we need to have defined and standardized for IoT.

Job Boards, Social Networking Sites Can Set Cyber Attacks in Motion

Jesse FernandezOne of the most common cyber security questions I get is: How do attackers plan/carry out their attacks? I thought this would be a great topic to address since we are always asked to explain the risk of any audit observation we make. So, what is risk anyway? In a cyber security context, think of risk as the overall probability of our systems or data being compromised by a malicious individual.

Attackers (which could be insiders) make up one piece of our risk equation, the other piece being vulnerabilities. If one piece of the risk equation does not exist (attackers or vulnerabilities), then there would be no risk to our systems and/or data. Why? Because if the world was full of attackers, but our systems/data were not vulnerable to any attack, then the attackers could not steal our data. In a similar way, if we ran a system full of vulnerabilities (think Windows XP, which is no longer supported by Microsoft), but attackers simply did not exist, then there would not be a risk of our systems or data being compromised.

So, how do attackers operate? Here are some common techniques:

1. Attackers perform reconnaissance activities on the targeted organization and can gather data from the following:

  • Websites
  • Forums
  • Job boards
  • Social networking sites, such as LinkedIn, Facebook, Twitter, Google+
  • Employees (e.g., sales, human resources, executives)

2. The data uncovered during reconnaissance allows the attacker to identify who/what to target within your organization. Next, the attacker prepares and delivers the exploit to your organization. The following are common methods of delivery:

  • Watering hole attacks are used to infect websites that your users/members of your group are known to visit.
  • Spear phishing attacks are used to trick specific users into infecting their system.

3. Once on your network, the attacker will attempt to compromise additional systems and exfiltrate your data. They do this by exploiting known/unknown system vulnerabilities via command and control.

There you have it – those are the basic steps of an attack. I recommend you watch this video produced by Cisco that illustrates an attack better than I can. Here are some recommendations that can be acted upon:

  •  Ensure your organization has an adequate cyber security awareness program in place.
  • Ensure your organization conducts spear phishing exercises on all employees.
  • Work with human resources to avoid including too much detail in job ads.
  • Monitor social media use/review public posts made about your company.
  • Educate your employees on what information should not be disclosed to anyone in normal day-to-day conversations.
  • Ensure adequate malware prevention capabilities are in place.
  • Ensure adequate intrusion detection/incident-handling capabilities are in place.

Editor’s note: Jesse Fernandez presented on auditing cyber security at North America CACS 2017. For highlights and key takeaways from the North America CACS and EuroCACS conferences, read the CACS 2017 Conference Report

The Evolving Role of CISO Can Improve Information Security in Indian Banking

Ravikumar RamachandranWhether in banking or any industry, business needs take precedence; everything else not as tangibly connected to organizational objectives and profitability is regarded as not as important by senior management.

Information security and the concept of CISO have struggled to gain prominence – this despite ISACA’s best efforts, shouting from the rooftop that information security must be part of boards of directors’ agendas and CISOs should be installed, reporting to the CEO.

During the late ’90s, the CISO position was always thought of as something connected to “IT.” It was more data security than information security. Even when I passed my CISA examination in 2005, I was given the role of “Data Security Officer” in my organization, reporting to the VP-IT.

In the banking sector, the CISO position was normally held by somebody handling network security and reported to CTO (GM-IT). We had a position called “head of IT,” and the custom of designating a CIO was quite infrequent.

Then, Reserve Bank of India (RBI) published a comprehensive report and recommendations of the working group on information security, electronic banking, technology risk management and cyber frauds, popularly known as the “Gopalakrishna Committee” report, in January 2011. This report not only mandated that the CISO position be held by a sufficiently senior-level official of the rank of GM/DGM/AGM, but also stated that the CISO report directly to the head of risk management. Thereafter, in most banks, the CISO position was held as a part of the risk management department and reported to GM-Risk Management, alternatively designated as Chief Risk Officer (CRO). Interestingly, the report also mandated that the CISO not have a direct reporting relationship with the CIO.

Not satisfied with the various banks’ response to continuing cyber attacks, RBI came out with a comprehensive cyber security framework consisting of baseline measures on 2 June 2016. Board level sponsorship was mandated, baseline controls were established and strict compliance was required, in addition to having a cyber-crisis management plan. The CISO position assumed huge relevance, and RBI expected the CISO to play a pivotal role.

Within a year’s time, RBI once again came out with a document clearly articulating the CISO role.  Apparently wanting significant improvement in remediation of cyber security attacks by banks, the new mandate was for the CISO to directly report to Executive Director (ED) or the equivalent, overseeing the risk management function. Therefore, the CISO now has more board visibility than ever.

In addition, the regulator very clearly positioned the CISO role along with the CRO to establish a strong risk management framework. They both should have strong communication and work together to enable a holistic risk management approach.

This is a very good development, which will make cyber security in the banking sector more effective and the position of CISO more challenging and fulfilling. Both the positions report into the ED with their respective teams. Credit risk management and information risk management (IRM) for backing them.

With credit risk management being a proper discipline, we can soon expect that information risk management will fully mature into a robust discipline as it evolves to defend the entity against continuing cyberattacks and threats, and shapes itself to comply with associated advisories from the regulatory bodies.

Very exciting times ahead!

1 - 10 Next