Articles


ISACA International Events

Take your career to a higher level. Participate in one of ISACA's many international conferences, training weeks and online events


Top of the News
IAEA Director Says Nuclear Plant Experienced Cyber Attack
(October 10 & 13, 2016)

The director of the United Nations' (UN's) International Atomic Energy Agency (IAEA) said that an unnamed nuclear power plant suffered a cyberattack within the last three years. Yukiya Amano said that the targeted plant was not forced to shut down operations, and that "This issue of cyber attacks on nuclear-related facilities or activities should be taken very seriously." Amano said that IAEA is helping nuclear facilities around the world improve cyber and physical security.

Editor's Note

[Michael Assante]
The director of IAEA is most likely referring to the incident involving a Korea Hydro & Nuclear Power (KHNP) plant, but recent discoveries in Germany of aged malware infections on plant process control equipment are also troubling. The nuclear industry has been well positioned to defend against Internet-borne, non-targeted threats because it adopted secure network architectures early, but it is now struggling to address human-enabled (e.g. infected USBs) and highly targeted cyber threats. The next step for the industry will be to transform its cyberdefense strategies from prevention-focused to a more active defense. Active defense is based on the assumption that intrusions will occur, and effective defense focuses on rapid detection of failures along with rapid collapse of the free time available to attackers.

Read more in:
- http://www.scmagazine.com: IAEA director: cyberattack against a nuclear power plant occurred years ago
- http://in.reuters.com: IAEA chief: Nuclear power plant was disrupted by cyber attack

More than 58 Million Records Stolen from Data Aggregator
(October 13, 2016)

Data aggregator Modern Business Solutions suffered a database breach that compromised at least 58 million records. Modern Business Solutions works primarily with the automotive and real estate industries.

Editor's Note

[Tom Liston]
The really bad part about these types of breaches is that consumers don't have any kind of direct relationship with a data aggregator. If your favorite coffee chain is compromised, when the hack is publicized, you'll know your data has likely been taken. In this case, how do you know?

Read more in:
- http://www.scmagazine.com: Unsecured database lets hackers expose 58 million plus records from data management firm
- http://www.theregister.co.uk: Personal info on more than 58 million people spills onto the web from data slurp biz

Nearly 6,000 Online Stores Infected with Skimming Malware
(October 13, 2016)

Data thieves have installed scripts to skim payment card data on nearly 6,000 websites. Some of the information the malware harvests is being sent to servers in Russia. Dutch developer Willem de Groot has been investigating.

Editor's Note

[Tom Liston]
Over the years, I've notified hundreds of organizations that they've been hacked. I'm constantly amazed at how clueless many are about the potential seriousness of a breach. Willem also found many of these companies just didn't understand the potential consequences of these skimming scripts.

[William Hugh Murray]
Merchants and consumers can reduce their risk by using proxies like PayPal, MasterPass, and Visa Checkout.

Read more in:
- http://www.computerworld.com: Thousands of online shops compromised for credit card theft
- http://www.theregister.co.uk: Hackers pop 6000 sites on active 18-month carding bonanza

Why didn't the dog bark? Fixing Controls before it is too late.

As my wife recently watched a Sherlock Holmes program in which a clue was a silent dog, I worked on a presentation for the ISACA Los Angeles Conference titled “Controls–Why They’ve Become Wasteful, A False Sense of Security and Dangerously Distracting (And How to Fix Them).” In that process, two causes for controls churn and confusion came to mind. First, the dog (control) does not bark if it fails to meet the tight assumptions required for the control to actually work. For example, the “chain of fitness” assumptions for controls require that:

  •  The control is used as intended

  •  The control is maintained as implemented

  •  The control is implemented as designed

  •  The control is designed from the appropriate template

  •  The control template is appropriate for the process class and problem

  •  The control is located properly in the process flow

  •  The location in the process flow was determined based on the location of useful warning signs

  •  Useful warning signs were determined based on robust, real-world “What if?” scenario analysis

  •  Scenario analysis was conducted properly based on a thorough “know the business” understanding of environment and capabilities

Though still challenging, these assumptions are easier to meet when applied to retrospective financial reporting, when those reporting systems are stable and a threshold of materiality (percent of revenue or income) can be applied. These assumptions are more difficult to meet when a prospective view is needed of a dynamic, operational world, where a tiny issue can turn into a huge problem.

The second cause for controls churn and confusion is when the auditor or compliance person fails to bark because all looks well—because he or she does not understand the chain of fitness and other assumptions. There is a false sense of security.

Why do some auditors miss these problems? In speaking at ISACA programs around the world, show-of-hands surveys reveal that it has much to do with the time a person began working in audit. In particular, it matters whether a person’s work experience began before the Sarbanes–Oxley Act of 2002, when IT audit began focusing on a narrow financial reporting notion of “IT General Controls” (ITGC).

The modern, skilled IT pro has a clear operational view of a control as something that senses and responds, whether dumb like a light switch or intelligent like server load balancing.

ISACA’s COBIT 5 offers help in the shift from “controls” (too often understood mostly as ITGC) to business-objective-oriented management practices. More broadly, consider ISACA’s tagline: “Trust in, and value from, information systems.” Value creation in Val IT (now incorporated in COBIT 5) is well beyond controls that struggle just to protect value.

I suggest taking action—host a “Cut Controls Churn and Confusion Day” at your chapter or for your team at work. Invite a panel of people with managerial accounting, operational process improvement and IT process improvement experience to discuss why improved oversight, management practice and core business process are more effective than controls for any operational situation.


Brian Barnier
Principal Analyst & Advisor, ValueBridge Advisors
ISACA conference presenter and volunteer on Risk IT and COBIT 5 initiatives
Author of “The Operational Risk Handbook”


Brian will be running a Controls Workshop hosted by the ISACA Greater Hartford Chapter at the CPA center on April 19, 2016. For details and to register visit the events page on www.isacact.org


What is the K. Wayne Snipes Award?

As mentioned in our previous issue, our chapter received an honorable mention for the prestigious K. Wayne Snipes Award. Thanks to our Board and volunteers for their dedication in providing valuable service, training and efficient chapter events, and to YOU, our members, for your involvement and attendance. What a pleasant surprise that our Greater Hartford Chapter received an honorable mention. We look forward to continuing on the path to winning the award and congratulate the 2016 ISACA chapters who won!

The K. Wayne Snipes award was established in 1989 and recognizes ISACA chapters that meet or exceed service goals by actively supporting local membership and, thus, the information systems audit and control profession. The award is given to the top chapter in four size categories—small (20-100 members), medium (101-300 members), large (301-800 members) and very large (more than 800 members) within each region. The K. Wayne Snipes Award is ISACA’s way of recognizing chapters that continually go above and beyond to provide excellent service and guidance. Chapters are selected by a group of peer leaders from chapters around the world, specifically the Chapter Support Committee, with help from the International staff. Award recipients are determined based on the following criteria:

  •  Chapter membership and growth

  •  Member service projects

  •  Chapter-sponsored education events

  •  Attendance at chapter meetings

  •  Involvement with association committees or with association activities

  •  Involvement with other professional organizations

  •  Compliance with ISACA International Headquarters


K. Wayne Snipes, Jr., was an active member of ISACA who served in various positions at both the local and international levels, including regional vice president at the international level. During his time in office, Snipes achieved the largest number of new chapters and the largest membership growth in existing chapters. In total, he dedicated 14 years to the North Texas (USA) ISACA Chapter and served eight years as an international trustee on the ISACA Board of Directors.