As an audit practitioner, you know better than most the need to ensure the effectiveness of risk management, control and governance processes in your organization. This need is only amplified by the rapid deployment of new technology solutions, each of which adds another layer to the environment and makes ongoing compliance even more challenging.
But what about your current environment? A hidden challenge for many audit and compliance professionals has been a 20-year-old “tool” known as the Secure Shell (SSH), which grants elevated or privileged access to all types of production environments. Awareness of this unrecognized access gap has been rising, driven primarily by practitioner guidance and industry events discussing the protocol, and unfortunately also by large security breaches (such as the Sony breach) resulting from poorly managed SSH environments.
Editor’s note: Matt Olsen, national security expert and co-founder of IronNet Cybersecurity, will deliver the opening keynote address at CSX North America, which will take place 2-4 October in Washington, D.C., USA. Olsen, who says ‘no company should go it alone in cyber space,’ visited with ISACA Now about the role of cyber professionals in counterterrorism, evolving forms of attacks and sharing of threat information. The following is an edited transcript:
If only neurologist Oliver Sacks, who wrote “The Man Who Mistook His Wife for a Hat,” were still alive! He would find today’s neural networks (the hot new trend from the artificial intelligence community) extremely amusing.
His book describes a man whose brain damage results in the man thinking his wife’s head is a hat. Maybe there are more parallels between the brain and artificial neural networks than what meets the eye (no pun intended).
Neural networks are being leveraged increasingly often in information security to provide a higher level of protection, including against zero day attacks. However, what if the adversary targeted the neural network/machine learning algorithm itself?
Transitioning into an IT audit or assurance role can be daunting, overwhelming and outright scary at first. As with many roles these days, individual performance expectations are high, your engagement results are heavily scrutinized by the client, and senior management constantly expects a high level of value to be provided through your efforts. This blog post mainly focuses on overcoming some of these challenges for individuals new to the IT audit or assurance profession, but it may be useful for others as well. Here’s what I’ve learned over the past two years; hopefully it serves you well.
In the early days of computing, use of private networks was more prevalent than it is now. Given that, the use of a network protocol (such as Telnet) that transmitted data in plain text was not cause for much concern. As the use of public networks increased, however, a more secure network protocol was needed. Offering encryption, authentication, and other security mechanisms, the Secure Shell (SSH) protocol has been adopted by organizations as a more secure means to connect remote servers to clients.
The security mechanisms offered by SSH are worthy of this widespread adoption. The use of SSH, however, has an element that requires consideration. For the typical Fortune 500 enterprise that has several million SSH keys granting access to its production servers, a substantial portion of them are unused. This large number of keys can be attributed to the fact that anyone holding an SSH key can generate additional keys outside of the enterprise’s access management process. Weaknesses in an enterprise’s process for disabling SSH keys when administrators or developers leave the enterprise or move into new roles also contribute to unneeded SSH keys. The bottom line is that an environment may exist where new keys are continually being generated while existing keys are never disabled.