@ISACA Volume 10  15 May 2019

The Backwaters of Technology


There are backwaters of your enterprise that have technologies that have fallen out of favor like broken toys that have been forgotten. This is troubling because these forgotten technologies can be a risk for the enterprise. I cannot tell you how many times I have performed forensic activities only to find a piece of networked IT that had been forgotten and left to decay into a state of disrepair. These technologies have been found in telephone closets, switch rooms, old computer rooms and sometimes even in an organization’s data center. How did these technologies become a threat to today’s operations? Many times, it is a result of moving forward at a pace where systems administrators miss removing part of a given function. This can lead to greater risk of insider threats if the remaining piece is forgotten. Other times, these threats materialize as a result of the hosted application server being reused without being properly cleaned. This can also allow internal and external threat actors to exploit the vulnerable server. There are many reasons for these situations; however, the result is always the same. Vulnerable technologies left in trusted areas of the infrastructure must be resolved.

I was once engaged by an organization to pinpoint why they were being attacked and resolve the issue. Because of the delays of contracting, my partners and I diagnosed their situation based on their description. The systems administrators countered our diagnosis and continued to try to resolve the issue on their own. Two weeks later, when they were in a panic and still being attacked, we were brought in under contract. It turned out that this organization had moved their enterprise mail to a cloud-based solution. As part of their migration to the cloud, they removed the on-premise email technology—or they thought they had. As we discovered, a system administrator had access and was attacking them. The system administrator had left the organization on questionable terms and was seeking retribution. The same system administrator had privilege and access to a component of the email infrastructure that had not been removed from the network. The same system administrator’s attack profile was based on trust relationships with the email components. Even though the email components on other hardware servers had been removed, the trust relationships still remained.

Working in this area of technology, I often ask myself, “Why do people not pay attention to the fundamentals?” This is not really a cybersecurity issue. Fundamentally, it is a failure in performing basic engineering constructs. The engineering discipline required to maintain hardware and software versions during development is the same discipline that needs to be applied to the technology when it is introduced into an enterprise. At its root, this problem resulted from a failure of the configuration management processes.

So, how can you stop attacks that are based on the disarray of the backwater of your enterprise? The key is to minimize or even eliminate decaying technology. Here are some recommendations for those enterprises that have been attacked under these conditions:

  • If you do not have automated configuration management of your enterprise at every server and network component level, implement it. The key here is, you must not only account for each component, but must also tie each of those components to a given functionality. This ensures that all the technology is accounted for and removed when eliminating a functionality.
  • Physically inspect telephone closets and wiring harnesses. This should provide some insight into how the enterprise is connected. In a geographically dispersed enterprise or a hybrid cloud implementation, this can be difficult.
  • Ensure 2-factor authentication is implemented for privileged users. Unfortunately, 2-factor authentication is often implemented for new technology but often forgotten on legacy systems. As privileged users turn over, returning the 2-factor device eliminates access by any ex-employees.
  • Self-inspect trusted relationships among servers. Trust relationships should be reviewed quarterly to ensure their relevance.
  • Refresh technology processes that include the necessary configuration management processes to ensure that the new technology is accounted for and the old technology is properly removed. This should occur at the hardware level and each level of the software stack on the servers.
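As an added illustration of the first and fourth recommendations (example code written for this page, not the author's or any product's tooling), the following script reconciles a constructed configuration-management inventory, in which every component is tied to a business function, against the list of retired functions, the recorded server trust relationships and a network scan, and reports the leftover components and trusts the article warns about. All hostnames, functions and locations are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Component:
    host: str       # hostname as recorded in configuration management
    function: str   # business function the component supports
    location: str   # where it physically lives

@dataclass(frozen=True)
class Finding:
    kind: str
    subject: str
    detail: str

def orphaned_components(inventory, retired):
    """Components still recorded although the function they served was retired."""
    return [Finding("orphaned-component", c.host,
                    f"function '{c.function}' retired, host still in {c.location}")
            for c in inventory if c.function in retired]

def stale_trusts(trusts, inventory, retired):
    """A trust (trusting, trusted) is suspect if either end belongs to a retired
    function or is no longer known to the inventory at all."""
    by_host = {c.host: c for c in inventory}
    findings = []
    for trusting, trusted in trusts:
        for host in (trusting, trusted):
            comp = by_host.get(host)
            if comp is None:
                findings.append(Finding("trust-to-unknown-host", f"{trusting}->{trusted}",
                                        f"{host} is not in the inventory"))
            elif comp.function in retired:
                findings.append(Finding("stale-trust", f"{trusting}->{trusted}",
                                        f"{host} belongs to retired function '{comp.function}'"))
    return findings

def unaccounted_hosts(discovered, inventory):
    """Hosts answering on the network that configuration management never recorded."""
    known = {c.host for c in inventory}
    return [Finding("unaccounted-host", h, "seen on the network, absent from inventory")
            for h in sorted(set(discovered) - known)]

def audit(inventory, retired, trusts, discovered):
    return (orphaned_components(inventory, retired)
            + stale_trusts(trusts, inventory, retired)
            + unaccounted_hosts(discovered, inventory))

# Constructed data mirroring the article's scenario: email moved to the cloud,
# but one relay in a telephone closet and one trust relationship were missed.
INVENTORY = [
    Component("mail-relay-02", "email", "telephone closet 2B"),
    Component("ad-dc-01", "directory", "data center"),
    Component("web-01", "web", "data center"),
]
RETIRED = {"email"}
TRUSTS = [("ad-dc-01", "mail-relay-02"), ("web-01", "ad-dc-01"), ("ad-dc-01", "mail-hub-01")]
DISCOVERED = ["web-01", "ad-dc-01", "mail-relay-02", "pbx-gw-01"]  # from a constructed scan
if __name__ == "__main__":
    for f in audit(INVENTORY, RETIRED, TRUSTS, DISCOVERED):
        print(f"[{f.kind}] {f.subject}: {f.detail}")
```

Each finding maps to one of the article's failure modes: a component whose function was retired, a trust that still points at a retired or vanished host, and a host on the wire that configuration management never knew about.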

These tips offer a path to end the suffering caused by the backwaters of technology. There are many other adjustments that you can make. Remember, never assume the fundamentals were followed; instead, trust but validate.

Bruce R. Wilkins, CISA, CRISC, CISM, CGEIT, CISSP, is the chief executive officer of TWM Associates Inc. In this capacity, Wilkins provides his customers with secure engineering solutions for innovative technology and cost-reducing approaches to existing security programs.


Use DNS to Secure the Cloud



Today, users access cloud applications from anywhere and everywhere they may be. Data are no longer only stored in physical data centers. Security is not simple when using software-defined networking in a wide area network (SD-WAN), Internet of Things (IoT) and the cloud to access applications and data. Scalable, simple and integrated security solutions are needed to balance these new digital transformations. The solution may be domain name system (DNS), which is critical to the fabric of the Internet and any IP-based communication (on-premises, cloud, SD-WAN and IoT environments). Using DNS as a foundation for security is preferred because it is simple to deploy, is ubiquitous in networks, is already used for connectivity and is scalable to the Internet.

To learn how DNS can be leveraged as a foundational security architecture for digital transformation, ISACA and Infoblox present the “DNS as a Foundational Security Architecture for Digital Transformations” webinar. Michael Katz, security sales specialist at Infoblox, will teach you how to secure your enterprise’s traditional networks, SD-WAN, cloud and IoT and help you be more efficient in your threat defense. This webinar takes place on 21 May at 11AM CDT (UTC -5 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and completing a related survey.

Katz has broad experience in information security as an entrepreneur, systems engineer, sales lead and cybersecurity specialist. He founded RAE Internet, the US distributor for RAV Antivirus; Mailspect, an email security and compliance platform; and MatchMyEmail, a cloud email business intelligence service. Katz will use the experience he gained founding his own security software and platforms to help secure your enterprise security with DNS.

To learn more about this webinar or to register for it, visit the DNS as a Foundational Security Architecture for Digital Transformations page of the ISACA website.


Videos Released to Help You Learn About Intelligent Automation


As more enterprises across multiple industries adopt automation and artificial intelligence (AI) to remain competitive, IT auditors must also understand the risk around AI, machine learning (ML) and robotic process automation (RPA) to keep their organizations safe.

To help auditors understand the impact of emerging technologies, ISACA released the first installment of its new Audit Outlook series. The Audit Outlook: Intelligent Automation package contains 2 half-hour videos focused on AI/ML and RPA in addition to 2 infographics that highlight practical tips for implementing these new technologies.

This package introduces auditors and enterprises to the technologies, presents a specific audit focus around the technologies and discusses risk/security considerations for the technologies. Purchasing the package, which is US$60 for members and US$75 for non-members, gives you access to the videos and infographics for 30 days in an online, on-demand format. Members can earn 1 continuing professional education (CPE) credit by viewing the 2 videos and completing a related survey.

To learn more, visit the Audit Outlook: Intelligent Automation page of the ISACA website.


Time for Technology Organizations to Commit to Women in Leadership Roles

By Gordon Tucker and Susan Haseley


In the digital age, technology organizations face relentless pressure to innovate before they are out-innovated or wholly disrupted. But many tech organizations are undermining their ability to compete by not making a concerted effort to assemble diverse leadership—including recruiting more women for senior executive and board roles. They are also risking their long-term survival. That includes both well-established technology enterprises and “born-digital” players on the rise.

More Diverse Leadership Could Help Reduce Risk Exposure
Women make up half of the total US college-educated labor force, yet they account for less than a third (29%) of employees in the science and engineering workforce. And the current gender imbalance in science, technology, engineering and math (STEM) will have employers struggling to fill the millions of STEM jobs that will be created over the next decade. Without an ample supply of skilled talent, technology organizations will not be able to keep pace with change, let alone drive it.

Staying ahead of the change curve is already a key concern for technology executives, according to the 2018 Executive Perspectives on Top Risks survey from Protiviti and North Carolina State University’s (USA) enterprise risk management (ERM) Initiative. Technology, media and telecommunications leaders who responded to the 2018 survey identified the following as the top 2 risk factors for their organizations this year:

  1. Rapid speed of disruptive innovations and/or new technologies within the industry may outpace our organization’s ability to compete and/or manage the risk appropriately, without making significant changes to our business model.
  2. Our organization’s culture may not sufficiently encourage the timely identification and escalation of risk issues that have the potential to significantly affect our core operations and achievement of strategic objectives.

These risk factors are related and could be better managed through more diverse leadership, which can help to do 2 things. First, as explained earlier, a C-suite and board of directors (BoD) that are more representative of what the real world (and, ideally, the organization’s workforce) looks like will lead to better business decision-making and products and services that are more relevant to customers. Second, having a more diverse senior executive team and BoD helps to create a more open and collaborative corporate culture overall, where everyone is comfortable sharing ideas and speaking up about potential risk.

Diversity Matters to the Future Tech Workforce
The first step to change is, of course, admitting there is a problem to be solved. Tech organizations need to take a hard look at the current makeup of their C-suite and board, and then set clear goals for improving diversity in both areas, if needed. It is likely they will find plenty of opportunity for change. For example, according to the 2020 Gender Diversity Index, women held just 19.8% of board seats at organizations in the 2017 Fortune 1000, and smaller and newer firms lag behind larger organizations in finding women to serve on their boards.

So, if technology organizations do not commit now to improving workforce diversity throughout their entire enterprise, it will without question impact their ability to recruit and retain in-demand talent in the future. Brand cachet and other “cool factors” will not be enough to satisfy a generation of professionals who expect to work in an inclusive environment guided by diverse leadership.

Go Bold in Setting a New Standard
The commitment to recruiting more women for leadership roles—and helping to increase the number of women working in STEM careers, generally—must be a bold initiative for the tech industry if real change is to occur. Technology enterprises, large and small, old and new, should be asking themselves, “What are we doing to ensure that we are creating an environment where women, who represent 50% of the workforce population, can participate meaningfully and rise up in our organization?” These organizations should also adopt strategies such as:

  • Taking a chance on new talent—Because the current population of women in technology leadership roles is small, organizations should consider recruiting up-and-coming women in the industry, including from start-up enterprises. Tech leaders should turn to their own professional networks for ideas and recommendations and explore resources such as theBoardlist, which is “a curated talent marketplace that connects highly qualified women leaders with opportunities to serve on private and public company boards.”
  • Providing relevant training—Women’s attrition rates are higher in the tech industry than in other non-STEM fields, according to a report from the National Center for Women and Information Technology. One common reason that women leave technology jobs is the lack of opportunities for training and development. Providing such opportunities is important for attracting and retaining all tech talent, but employers will be wise to ensure that they are targeting female tech professionals specifically.
  • Charting the path up—Technology enterprises need to outline to their female employees exactly how they can advance in the organization. Over time, as more women assume top leadership roles at the enterprise, this path will become more obvious. But management should never assume that the female tech professionals on their team already visualize the way up. Female staff should also be strongly encouraged to pursue leadership roles (if they have those aspirations). Managers should also work closely with women employees to help them set career goals, outline clear steps for achieving those objectives, and access the necessary support and resources.

These are just a few ways that technology enterprises can become more diverse, including at the top, over time. Another best practice: making it easier for women to transition back into the workforce—or better yet, stay engaged in it—when they need to prioritize other obligations, such as raising young children or caring for elderly family members. Too often, enterprises let their female talent slip away because they do not support women at pivotal moments in their nonwork lives.

A final tip: Technology enterprises (and all organizations, really) should use digital transformation initiatives to raise the visibility of women employees and help them expand their skills. These complex efforts require extensive collaboration across the organization and new ways of thinking and working. This is new territory, and everyone has something to offer in shaping this landscape. So, as organizations pursue digital change, they should seize the opportunity to change the face of their workforce, too. Doing so will help position them for long-term success and inspire more women to see their future in STEM careers.

For more on this topic, see “Gender Imbalance in STEM: A Growing Concern,” in the January 2018 issue of Protiviti’s PreView newsletter. You can also learn more about declining workforce gender diversity in ISACA’s State of Cybersecurity 2019, Part 1. To learn about Protiviti’s commitment to promoting diversity and inclusion, visit the Diversity and Inclusion page of the Protiviti website. ISACA’s SheLeadsTech program is also devoted to promoting, developing and retaining women in technology fields.

This article was originally published on The Protiviti View.


Use the ISACA Career Centre to Find New Career Opportunities and Talent



ISACA’s online Career Centre is designed to help members navigate a successful career in the IS/IT industry. Members can use this tool to post their resume in the online resume database and even use it to learn how to leverage ISACA training and certification resources for career development.

ISACA’s online Career Centre aids employers too. Unlike industry-agnostic job searching databases where candidates seem to get lost in a large application pool, ISACA’s platform is tailored specifically to the IS/IT industry. This means that employers can find qualified candidates almost instantaneously. Additionally, from 15-31 May, employers can receive 10% off job posting packages.

During the first quarter of 2019, the Career Centre contained an average of 1,884 searchable resumes, and more than 80 positions were listed where employers were specifically looking for ISACA credentials, including Certified Information Systems Auditor (CISA), Certified in Risk and Information Systems Control (CRISC), Certified Information Security Manager (CISM) and Certified in the Governance of Enterprise IT (CGEIT), and COBIT experience.

To search for a new career opportunity or to hire qualified candidates, visit the ISACA Career Centre page of the ISACA website.


Evolving From Accountant to IT Auditor With a CISA Certification

Sreekrishna Rao, CISA, CIA, CIPM, CISSP, Shares His Experience as a CISA

As a professional who started his career as a chartered accountant, Sreekrishna Rao has encountered some resistance from stakeholders because he is not an IT engineer. His credibility changes quickly, however, when they discover that he holds the Certified Information Systems Auditor (CISA) certification. Rao says, “The moment my stakeholders across the table note that I am a CISA, I instantly sense their acknowledgement that I know what I am talking about.” While the CISA certification has allowed him to understand technology risk, it has done much more—giving him access to the other professional growth resources ISACA has to offer. Since becoming a CISA in 2003, Rao has witnessed organizations evolve and change in both size and scale. His passion for social service makes him wonder how he can use technology to lessen the world’s inequality.

Rao first turned to CISA in the late 1990s when he saw that technology was increasingly enabling business. He noted that “getting a better handle on identifying, understanding and evaluating information technology risk and relevant controls would be indispensable if I have to help business enterprises by providing technology risk assurance and consulting services.” In hindsight, Rao was not wrong in his thinking. Today, he helps enterprises leverage value from technology while ensuring that growth is sustainable. As a CISA, he feels it is his responsibility to find pragmatic solutions for enterprises to create value while managing relevant risk.

Outside of his work as a senior risk manager, Rao likes to explore using technology to help those less privileged. He has helped to offer technology-enabled knowledge initiatives to school children in Bangalore (Karnataka, India) and helped UK charities manage technology risk. When he led the CISA preparatory sessions at the ISACA Bangalore Chapter, he was able to “ignite the spark of passion to do the right thing with the double-edged tool that is technology, in [many] students who came to those sessions,” and it is for those experiences that Rao really is passionate. He believes in bettering the world at large and strives to impart that same sentiment to his 3 children.

Overall, Rao believes the CISA certification can benefit professionals in part because it is always being refreshed, reminding professionals that their skills must also keep up with IT’s transforming landscape. He thinks earning the CISA certification is a great way to jump start efforts to help organizations identify technology risk and start a new auditing journey on the right foot.

To learn more about ISACA certifications, visit the Certification page of the ISACA website.