Heartbleed and the Internet of Things implications

Ed Moyle

Chances are good you have already seen news about the OpenSSL Heartbleed vulnerability (i.e., CVE-2014-0160). It's a pretty significant bug, particularly since it impacts popular open-source web servers such as Apache (the most popular web server) and Nginx. This means that a combined population of up to 66 percent of the Internet is potentially impacted (based on data from Netcraft).

One significant area that has been covered less in the industry press is the impact this issue could have outside of the population of vulnerable web servers. Now clearly, the impact to web servers is a big deal. But consider for a moment what else might be impacted by this. Here's a hint: it's Internet of Things Day today. In other words, consider the impact on embedded systems and "special purpose" systems (like biomed or ICS).

OpenSSL has a very developer-friendly license, requiring only attribution for it to be linked against, copied/pasted or otherwise incorporated into a derivative software product. It is also free. This makes it compelling for developers to incorporate it into anything they're building that requires SSL functionality: everything from toasters to ICS systems, medical equipment, smoke detectors, remote cameras, consumer-oriented cable routers and wireless access points. It's literally the path of least resistance as a supporting library/toolkit when developing new software that requires SSL.

Category: Privacy     Published: 4/9/2014 12:59:00 PM

ISACA International President: Constant connectivity

Tony Hayes

We have entered the era of constant wireless connectivity, and the ramifications of this development are widespread. For example, it is not merely that Google Glass transforms your field of vision into a computer screen, but that this technology can be used constantly, permanently digitizing your perception of the world (as long as you are wearing the glasses). Likewise, wearable health-monitoring devices benefit many with their ability to analyze a body constantly—or at least over extended periods of time—which delivers useful data about their health and well-being.

And while this is an exciting time, this is also a time to be cautious. “The known vulnerabilities associated with wearable technology are found in the software that users load onto workstations and the devices themselves,” writes Bruce R. Wilkins in the @ISACA newsletter. “These weaknesses allow ill-intentioned actors to see and modify the individual performance reported by the device.”

In short, this constantly connected technology can be hacked in the same manner our other computers can be. The fact that these wireless devices are always connected and in constantly changing locations heightens that vulnerability.

Category: ISACA     Published: 4/8/2014 2:54:00 PM

Young professionals and the future of the Internet

Ferry Haris

This year we celebrate the 25th anniversary of the Internet, which has changed the way we live and altered the way we interact with each other. We are more connected because of the Internet—connected with other people and with non-human elements that are important in our lives. Buying merchandise from other countries and working with colleagues seated in different parts of the world are just small examples of how the Internet has contributed to human civilization.

Increasingly, though, we have begun questioning the future of the Internet, specifically around issues of trust.

“The next phase of the Internet will be data-centered and connectivity-driven,” Vice President of the European Commission Neelie Kroes is quoted as saying in a recent BBC News post. “Cloud computing, big data, the Internet of things; tools which support manufacturing, education, energy, our cars and more. The Internet is no longer about emails. To make the 'leap of faith' into this new world, reliability and trust is a pre-condition.”

This new world is an exciting one. But for young professionals like me, a recurring question is “How can we contribute to the future of the Internet while bringing back trust?”

Category: Security     Published: 4/4/2014 12:13:00 PM

Why didn’t the dog bark?

Brian Barnier

As my wife recently watched a Sherlock Holmes program in which a clue was a silent dog, I worked on a presentation for the ISACA Los Angeles Conference titled “Controls–Why They’ve Become Wasteful, A False Sense of Security and Dangerously Distracting (And How to Fix Them).” In that process, two causes for controls churn and confusion came to mind.

First, the dog (control) does not bark if it fails to meet the tight assumptions required for control to actually work. For example, the “chain of fitness” assumptions for controls require that:

  • The control is used as intended
  • The control is maintained as implemented
  • The control is implemented as designed
  • The control is designed from the appropriate template
  • The control template is appropriate for the process class and problem
  • The control is located properly in the process flow
  • The location in the process flow was determined based on the location of useful warning signs
  • Useful warning signs were determined based on robust, real-world “What if?” scenario analysis
  • Scenario analysis was conducted properly based on a thorough “know the business” understanding of environment and capabilities

Though still challenging, these assumptions are easier to meet when applied to retrospective financial reporting, when those reporting systems are stable and a threshold of materiality (percent of revenue or income) can be applied. These assumptions are more difficult to meet when a prospective view is needed of a dynamic, operational world, where a tiny issue can turn into a huge problem.

Category: ISACA     Published: 4/2/2014 2:13:00 PM

Assessing knowledge, sustaining talent

B.T. Bentley

I am intrigued by the ongoing dialogue about identifying key talent among security professionals. More specifically, identifying the skills necessary to protect the business from disaster. Everything from in-depth security best practices to software-development skills to vendor management has been highlighted.

My questions to leaders are these: How have you assessed your talent to ensure they actually have these skills? Have you confirmed your security professionals’ decision-making abilities are based on these skills? How have you assessed that decisions will be made in line with security standards and the vision and mission of your business?

Companies spend a significant amount of investment dollars on recruiting the “right talent” and training them to have the “right skills.” Companies enhance security systems and practices to provide the “right protection.”

But until we assess the effectiveness of those personnel investments, aren’t we leaving ourselves exposed?

Enterprises must be sure that the training provided will positively influence employees’ ability to make the best decision before and during security attacks. Enterprises must know that security professionals will make decisions on security protocol in line with best practices and the enterprise’s values.

Category: ISACA     Published: 3/28/2014 10:31:00 AM