

What Heartbleed taught us

The year 2014 was dubbed “The Year of the Cyberattacks” before it even reached the halfway point, with aftershocks from Heartbleed still being felt weeks after its disclosure. Yet bugs like Heartbleed are largely preventable: established engineering practice would have raised a red flag long before any damage was done. When humans are involved, however, haste and shortcuts lead to skipped security steps, and because technology is designed and programmed by humans, the opportunity for human error is everywhere.

The fault is not only human; the technology shares it. This is a two-pronged fork. According to security expert Richard Kenner, a program should never read memory it has not itself written or been handed. That is security 101, and it is exactly what Heartbleed violated: the server trusted the payload length claimed in the client’s heartbeat message and copied that many bytes back out of its own memory, returning up to 64 KB of adjacent heap contents per request. It has already been estimated that millions of dollars are being paid out by enterprises affected by Heartbleed, but what lessons can be learned from this?

Technology: Not as cutting edge as you think
Kenner points out that the programming language involved in Heartbleed (C) is more than 40 years old, and although newer, memory-safe languages exist, that does not mean they have been adopted. Beyond keeping up with languages and improving on them, basic best practice was simply not followed: every length field that arrives over the network must be checked against the data actually received. Tooling exists (bounds-checking static analysis and formal verification) that can prove a program meets key properties such as never reading uninitialized or out-of-bounds memory, but most companies fail to use it.
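As an added example (not part of the original post, and not OpenSSL’s code), the following C program models the heartbeat handler in simplified form so the missing check can be seen side by side with the fix. The record layout follows the TLS heartbeat message (type byte, two-byte payload length, payload, then at least 16 bytes of padding); the “heap”, the secret placed after the record and the crafted request are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of a TLS heartbeat record:
 *   byte 0    : message type (1 = request, 2 = response)
 *   bytes 1-2 : payload length, big-endian
 *   then      : payload bytes, followed by at least 16 bytes of padding
 */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HEADER   3
#define HB_PADDING  16

/* Constructed "heap": the received record is immediately followed by data
 * that must never leave the process (a stand-in for keys or session cookies). */
#define ARENA_SIZE 512
static uint8_t arena[ARENA_SIZE];
static const char SECRET[] = "SECRET-KEY";   /* 10 bytes, constructed */

/* Vulnerable handler: trusts the length field inside the message and copies
 * that many bytes, regardless of how many bytes actually arrived. */
int heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                         uint8_t *resp, size_t resp_cap)
{
    if (rec_len < HB_HEADER || rec[0] != HB_REQUEST) return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    size_t out_len = HB_HEADER + payload + HB_PADDING;
    if (out_len > resp_cap) return -1;        /* only guards the output buffer */
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    /* Over-read: nothing ties `payload` to `rec_len`, so this walks past the
     * end of the record into whatever sits next in memory. */
    memcpy(resp + HB_HEADER, rec + HB_HEADER, payload);
    memset(resp + HB_HEADER + payload, 0, HB_PADDING);
    return (int)out_len;
}

/* Hardened handler: the claimed payload, plus header and minimum padding, must
 * fit inside the bytes actually received; otherwise the request is discarded. */
int heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                    uint8_t *resp, size_t resp_cap)
{
    if (rec_len < HB_HEADER + HB_PADDING || rec[0] != HB_REQUEST) return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HEADER + payload + HB_PADDING > rec_len) return -1;  /* the missing bounds check */
    size_t out_len = HB_HEADER + payload + HB_PADDING;
    if (out_len > resp_cap) return -1;
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + HB_HEADER, rec + HB_HEADER, payload);
    memset(resp + HB_HEADER + payload, 0, HB_PADDING);
    return (int)out_len;
}

/* Places one crafted request in the arena: 2 real payload bytes, a claimed
 * length of 64, and the secret right after the record. Returns the record length. */
size_t build_malicious_request(void)
{
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = 0;
    arena[2] = 64;                              /* claims 64 bytes, sends 2 */
    arena[3] = 'h';
    arena[4] = 'i';
    size_t rec_len = HB_HEADER + 2 + HB_PADDING; /* 21 bytes really on the wire */
    memcpy(arena + rec_len, SECRET, sizeof SECRET - 1);
    return rec_len;
}

/* Runs the crafted request through one handler and reports how many bytes of
 * SECRET came back in the response (0 if rejected or nothing leaked). */
int secret_bytes_leaked(int use_fixed)
{
    uint8_t resp[ARENA_SIZE];
    size_t rec_len = build_malicious_request();
    int n = use_fixed ? heartbeat_fixed(arena, rec_len, resp, sizeof resp)
                      : heartbeat_vulnerable(arena, rec_len, resp, sizeof resp);
    if (n < 0) return 0;
    size_t slen = sizeof SECRET - 1;
    for (size_t i = 0; i + slen <= (size_t)n; i++)
        if (memcmp(resp + i, SECRET, slen) == 0) return (int)slen;
    return 0;
}

/* A well-formed request must still be answered by the fixed handler.
 * Returns the response length (21 for a 2-byte payload) or -1 on failure. */
int well_formed_roundtrip(void)
{
    uint8_t rec[HB_HEADER + 2 + HB_PADDING] = { HB_REQUEST, 0, 2, 'h', 'i' };
    uint8_t resp[64];
    int n = heartbeat_fixed(rec, sizeof rec, resp, sizeof resp);
    if (n < 0 || resp[0] != HB_RESPONSE || memcmp(resp + HB_HEADER, "hi", 2) != 0)
        return -1;
    return n;
}

int main(void)
{
    printf("vulnerable handler leaked %d secret bytes\n", secret_bytes_leaked(0));
    printf("fixed handler leaked %d secret bytes\n", secret_bytes_leaked(1));
    printf("fixed handler answers a valid request with %d bytes\n", well_formed_roundtrip());
    return 0;
}
```

The only difference between the two handlers is the single comparison of the claimed payload length against the record length actually received; the vulnerable version checks the size of its output buffer, which is why the bug is an over-read rather than an overflow and why it went unnoticed by crash-based testing.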

Category: Security     Published: 8/19/2014 3:12:00 PM

Guide to Implementing the NIST Cybersecurity Framework

Kristen LeClere

Data breaches and cyberattacks are becoming more and more common, causing many organizations to increase their spending on cybersecurity. But even with an increased security budget, cyberattacks continue to put important business systems at risk. To help overcome this problem, US President Obama issued Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, calling for the creation of a voluntary, risk-based framework for improving cybersecurity. In response to the EO, the National Institute of Standards and Technology (NIST) led the development of the Cybersecurity Framework (CSF). Input from industry, such as owners and operators of critical infrastructure, was a significant part of the development. Many organizations recommended ISACA’s COBIT as a good example of a cross-sector security framework and guideline that is technology neutral and addresses cyber risks. Since its release, organizations have been able to use the CSF to help them implement security measures. The new ISACA guide on Implementing the NIST Cybersecurity Framework helps organizations in this process by describing how to use existing ISACA methods to effectively implement the CSF.

Category: Security     Published: 8/14/2014 3:13:00 PM

Pragmatic look at PCI DSS v3.0 changes

Miguel (Mike) O. Villegas

PCI DSS version 3 is a firmer foundation for protecting cardholder data. The changes from previous versions focus on giving a clearer understanding of the intent and application of PCI DSS test procedures and on driving more consistent reporting among PCI QSAs. They also give merchants and service providers more flexibility in implementing and assessing the PCI Data Security Standard. Clearly these are noble and much-needed revisions; however, a pragmatic look at PCI DSS v3.0 might help us better see how it applies in practice.

PCI DSS changes in version 3 focus on five major areas:

  • Penetration testing
  • Inventory of system components
  • Service providers
  • Evolving malware threats
  • Physical access and point of sale

Penetration Testing
Currently, there is no universally accepted industry standard for penetration testing. Although pen tests are required by PCI DSS v3.0, their quality, approach and reporting are reviewed subjectively by the QSA and the entity being assessed. Despite this, PCI DSS v3.0 requires that a pen test methodology be developed and implemented.

Category: Audit-Assurance     Published: 8/12/2014 3:20:00 PM

Cloud Security Solutions With BYOD

Rob Clyde

For most organizations, bring your own device (BYOD) is a fact of life or soon becoming one. People want to use the same mobile device(s) for both their work and personal lives and have some freedom of choice as to the devices they use. The more competition an organization faces in recruiting and retaining employees, the more likely a company is to allow some form of BYOD. It can also increase productivity and communication for employees, since they are likely to be always connected.

However, BYOD also brings some interesting security challenges. Most of the challenges arise from the potential of sensitive information being stored on mobile devices. ISACA has a set of guidelines that can be helpful for securing mobile devices. Organizations could require that BYOD users follow such guidelines. In addition, BYOD users frequently connect to the cloud as a way to get their work email or share files and this poses some specific challenges.

For example, consider BYOD and the use of Dropbox or similar cloud file-sharing services for business purposes. Many organizations use Dropbox as a way to easily share files, even sensitive files, between users. The files are stored in Dropbox’s cloud and are encrypted using 256-bit AES (both at rest and in transit), which is adequate for most corporate use. Generally, the files are also automatically synced to the mobile device, and that encryption protects the copy in the provider’s storage, not the plaintext copy on the device. This may not be a concern for devices owned and managed by the organization, but with BYOD the employee now holds a copy of a potentially sensitive file on his or her own device. If the device is then lost or stolen, the sensitive data could be compromised, resulting in a data breach.

Category: Security     Published: 8/7/2014 4:10:00 PM

Industrial cybersecurity in our society

Samuel Linares

Information technology (IT) plays a central role in our society and economy. Most essential services, public and private, mass media, security forces and, of course, enterprises depend on IT for their normal everyday activities. What is less widely known is that every one of those essential services and IT assets depends more and more on industrial control systems (ICSs). ICSs control and manage the physical security systems in data centers, as well as the cooling towers and the electric generators that power fire suppression systems, among many other things.

ICSs underpin the main critical infrastructures and essential services of our nations, and the security and protection of those infrastructures therefore rests on the security of the ICSs themselves. This has made ICSs a target for cyberterrorism, advanced persistent threat attacks and cyberwar.

This, combined with a lack of security requirements in their design, deployment and operation, has allowed the development of real cyberweapons whose objective is to exploit the existing vulnerabilities in these systems.

Therefore, our society and economy are vulnerable. Stuxnet, Duqu, Anonymous, Flame, Shamoon, Careto, botnets and denial-of-service attacks are words and concepts appearing more and more in the media, invoked to explain information leaks, service outages, electrical blackouts and other incidents that affect our essential services.

Category: Security     Published: 8/5/2014 3:46:00 PM
