@ISACA Volume 25, 11 December 2019

Three More Vs of Big Data

By Leighton Johnson, CISA, CISM, CIFI, CISSP

In my 12 June 2019 @ISACA column, I identified the 4 Vs of big data as areas of focus and understanding to properly review, assess and audit big data systems and organizational efforts. There are at least 3 other Vs to consider when reviewing big data systems. They are:

  1. Variability—Variability refers to changes in a data set, which could include data flow rate, format/structure, semantics and/or quality, that impact the analytics application. This characteristic is different from variety, which was previously identified as variability in my last column, and applies to the wide range of changes present in the various data set inputs. The variations in format of unstructured data provide challenges to data scientists and custodians as the data are received and then processed. The quality of the data elements can cause the input data to be rejected, which then will cause issues in consideration of the veracity of the data.
  2. Volatility—Volatility refers to data management over time. How data management changes over time directly affects provenance. Big data is transformational in part because systems may produce indefinitely persisting data, meaning data that outlive the instruments on which they were collected; the architects who designed the software that acquired, processed, aggregated and stored it; and the sponsors who originally identified the project’s data consumers. Some of the criteria surrounding these data changes include:
    • Roles
    • Security
    • Privacy
    • Governance
    Roles are time-dependent in nature. Security and privacy requirements can shift accordingly. Governance can shift as responsible organizations merge or even disappear.
    While research has been conducted into how to manage temporal data (e.g., in e-science for satellite instrument data), there are few standards beyond simplistic time stamps and even fewer common practices available as guidance. To manage security and privacy for long-lived big data, data temporality should be taken into consideration.
  3. Validity—Validity refers to the accuracy and correctness of data. Traditionally, this is referred to as data quality. In the security world, this is called integrity. In the big data security scenario, validity refers to a host of assumptions about data from which analytics are being applied. For example, continuous and discrete measurements have different properties. The field “gender” can be coded as 1=Male, 2=Female, but 1.5 does not mean halfway between male and female. In the absence of such constraints, an analytical tool can make inappropriate conclusions. There are many types of validity whose constraints are far more complex. By definition, big data allows for aggregation and collection across disparate data sets in ways not envisioned by system designers. This affects the validity of the data in several areas, which include:
    • Data quality
    • Aggregation issues
    • Disparate data sets that cause interpretation issues, corrupted data and/or translation issues
    These examples show that what passes for valid big data can be innocently lost in translation or interpretation, or intentionally corrupted with malicious intent.
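As an added illustration (not from the column), the following Python check enforces the kind of validity constraints described above: a coded category accepts only its defined codes (so 1.5 is rejected rather than read as "halfway"), a count must be a whole number, and a measurement must fall within a plausible range. It also shows the disparate-data-set problem: a second source that codes gender as letters is rejected wholesale on a naive merge, and only passes once its codes are translated onto the schema's. Field names, schema and sample records are constructed for the example.

```python
from typing import Dict, List, Optional, Tuple

# Constructed schema: each field carries the validity constraint an analytic relies on.
# gender is a coded category, visits a whole-number count, temp_c a continuous measurement.
SCHEMA = {
    "gender": {"kind": "categorical", "codes": {1: "Male", 2: "Female"}},
    "visits": {"kind": "discrete", "lo": 0, "hi": 10_000},
    "temp_c": {"kind": "continuous", "lo": 30.0, "hi": 45.0},
}

def check_value(rule: dict, value) -> Optional[str]:
    """Return None if value satisfies the rule, else a short rejection reason."""
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return f"{value!r} is not numeric"
    if rule["kind"] == "categorical":
        # Only listed codes carry meaning: 1.5 is not halfway between Male and Female.
        return None if value in rule["codes"] else f"code {value!r} not in {sorted(rule['codes'])}"
    if rule["kind"] == "discrete" and value != int(value):
        return f"{value!r} is not a whole number"
    if not rule["lo"] <= value <= rule["hi"]:
        return f"{value!r} outside [{rule['lo']}, {rule['hi']}]"
    return None

def validate(records: List[dict], schema: dict = SCHEMA) -> Tuple[List[dict], List[Tuple[int, str, str]]]:
    """Split records into accepted rows and (row index, field, reason) rejections."""
    accepted, rejected = [], []
    for i, rec in enumerate(records):
        reasons = [(i, f, r) for f, rule in schema.items()
                   if (r := check_value(rule, rec.get(f))) is not None]
        if reasons:
            rejected.extend(reasons)
        else:
            accepted.append(rec)
    return accepted, rejected

def translate(records: List[dict], code_map: Dict[str, dict]) -> List[dict]:
    """Map a second source's own codes onto the schema's codes before merging.
    Values with no mapping are left as-is so they fail validation instead of
    being silently reinterpreted."""
    return [{f: code_map.get(f, {}).get(v, v) for f, v in rec.items()} for rec in records]

# Constructed inputs: source A uses the schema's codes, source B codes gender as letters.
SOURCE_A = [{"gender": 1, "visits": 3, "temp_c": 36.6},
            {"gender": 1.5, "visits": 2, "temp_c": 37.0},   # meaningless category code
            {"gender": 2, "visits": 2.5, "temp_c": 36.9}]   # fractional count
SOURCE_B = [{"gender": "F", "visits": 1, "temp_c": 38.2},
            {"gender": "X", "visits": 4, "temp_c": 36.4}]   # code unknown to the mapping
B_CODES = {"gender": {"M": 1, "F": 2}}

if __name__ == "__main__":
    ok, bad = validate(SOURCE_A + SOURCE_B)   # naive merge: every source B row is rejected
    print(f"naive merge: {len(ok)} accepted, rejections: {bad}")
    ok, bad = validate(SOURCE_A + translate(SOURCE_B, B_CODES))
    print(f"translated merge: {len(ok)} accepted, rejections: {bad}")
```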

The wide range of data types, constructs, formats and sizes used in today’s big data systems causes reviewers and auditors to adjust their approaches to validating and verifying the accuracy, completeness and security of these types of systems.

Leighton Johnson, CISA, CISM, CIFI, CISSP, is a senior security consultant for the Information Security and Forensics Management Team of Bath, South Carolina, USA.


Learn to Detect Encrypted Traffic

Over the last decade, encrypted network traffic has increased tremendously, making incident responders’ jobs more challenging. Decrypting traffic can be difficult, and while encryption can protect user privacy, threat actors also take advantage of encryption’s impact on network monitoring visibility. As a result, professionals who defend networks struggle to detect threats in encrypted traffic.

To learn more about encrypted traffic and how it hampers network detection and response, attend the “Encrypted Things: Network Detection and Response in an Encrypted World” webinar presented by ISACA and Gigamon. This webinar will be led by Justin Kohler, senior director of the ThreatINSIGHT customer success and sales engineering department at Gigamon. He will review new developments in Secure Sockets Layer (SSL)/Transport Layer Security (TLS). ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and completing a related survey.

Kohler is an operations expert who leads technical account managers and sales engineering teams. He has more than a decade of experience in project and program development. After Kohler served in the US Air Force, he worked for several consulting firms as a program manager focused around process and workflow automation and optimization. He will use his technical experience to help professionals hunt and detect malicious activity in encrypted traffic that affects their networks.

To learn more about this webinar or to register for it, visit the Encrypted Things: Network Detection and Response in an Encrypted World page of the ISACA website.


Why Passwords Still Persist

Back in 2001, someone wrote, “In the near future, I am certain we are going to replace passwords. Maybe a better way to put it is that we are going to replace all those passwords with just one.” Who said that? Oh, yeah, right, it was me, in an article entitled “Why Passwords Persist.”[1]

Okay, I was wrong. Worse yet, I am still guilty of many of the information security sins that I described in that ancient article: using the same one too often and then writing them down. (At exactly this point, I received a message from the identity protection service to which I subscribe. It seems that someone somewhere was trying to sell one of my outdated email addresses, complete with a password. Fortunately, it was not the password associated with that account, but it was one I have used on other relatively immaterial websites. There ensued a furious session of changing passwords on every site I could recall.) Mea culpa, but I would never be able to get through a typical day if I had to remember hundreds of distinct passwords.

Societal Acceptance
And that is the underlying rationale for why passwords persist, even now. The myriad organizations that run websites and other online services want to make it easy to access their sites while at the same time providing a level of security that potential users/customers will accept. And around the world, we do accept passwords. We, or at least the more sophisticated security folks among us, know that passwords are less than foolproof, but we do nothing about them. The fault is not in our systems, but in ourselves. Passwords persist because we allow them to be the basis of the security on which we depend.

There is no demand for identification and authentication mechanisms stronger than a user ID and a password. I have never communicated with any of the services I use—and many, many other people also use—to say that I do not trust their security and ask them to issue me a token. Or a digital certificate. Or to scan and record an image of my retina.

There appears to be a societal consensus that passwords are a sufficient form of authentication. They are good enough because we have used them for a long time, because most days nothing goes wrong and because most people accept the security they provide.

The question for information security professionals is whether good enough is good enough. I reluctantly conclude that the answer is “yes.” That is not because the level of security is sufficient for most commercial transactions, although that may be the case. However, the issue is more about marketing than it is about security. Those of us who do not believe that passwords offer adequate authentication have not pressed the owners of the systems we use enough to convince them to adopt alternatives.

A Little Experiment
So I performed a little experiment. I tried to call a few of the services I use the most often and ask for enhanced security. Alas, for many services I could not even figure out who to call to complain about their use of passwords for security. Finally, I remembered that I could call customer service at the company that supplies the security software on my personal computer. I was told, “Sorry, user ID and password is all that can be offered.” This was my security company.

I was asked if there had been a problem with my password. Since there had not been, they seemed a little puzzled as to why I was calling them at all. And, in a sense, they were right to be confused. Passwords work very well as a security mechanism. Except when they do not. Except when somebody intercepts them, or guesses them, or just looks over my shoulder as I enter one of them. But I can always change my password if it is taken, so what is the problem?

The problem is that I have no way of knowing that the secrecy of my password has been breached. Maybe whoever took it has not used it…yet. Maybe it was the password to an inconsequential site and all the thief was able to do was read the newspaper to which I subscribe. The problem with a mechanism that relies on secrecy is that a failure of that secrecy is a secret, too.

Better Passwords?
In recent years, organizations that have become more aware of the need for improved security have pressed users to strengthen their passwords. They must be 8 or more characters, include a capital letter, a number and a special character and cannot spell a word known in any language. None of which justifies the underlying shortcomings of passwords to protect me and the information to which I have access. Harder passwords might deter guessing and shoulder-surfing, but do nothing at all against those who are able to undermine the security of my communications and who can then steal any and all of my passwords. As cyberattackers become more adept, long, convoluted passwords will be rendered useless; users will not remember them, but attackers can steal them all the same.

When I wrote in 2001 that we would be rid of passwords in the future, I believe I had in mind that that future would have arrived by now. But maybe the day will come tomorrow and I will be proved right. (Oh, heck, no it will not.) There are some uses of information that, in many organizations, require passwords plus. These call for at least 2 means of authentication or 2-factor authentication (2FA). Remote access, high-value transactions, access to system internals and any particularly vulnerable use of information resources justify 2FA in many organizations. This is implicit acceptance that passwords alone are not good enough.

I do not expect that ISACA’s 75th anniversary will be the occasion for another retrospective assessment of something I am writing today. But I do have a strong hunch that if anyone wants to read new articles on whatever will replace the Internet by then, he or she will need to enter a password to see it.

Steven J. Ross, CISA, AFBCI, CISSP, MBCP, is executive principal of Risk Masters International LLC. Ross has been writing one of the ISACA Journal’s most popular columns since 1998. He can be reached at stross@riskmastersintl.com.

[1] Ross, S.; “Why Passwords Persist,” Information Systems Control Journal, vol. 1, 2001


Keep Your Certifications Current: Earn CPE Hours Before Year-End

As an ISACA certification holder, you need to earn continuing professional education (CPE) hours by 31 December 2019 to maintain your certification through 2020. As an ISACA member, you can earn CPE hours in many ways, including watching webinars (up to 36 free CPE hours a year), attending conferences (up to 37 CPE hours per event), participating in an online or in-person training course (up to 26 CPE hours online and 32 CPE hours per course), taking ISACA Journal quizzes (up to 6 free CPE hours a year), or serving as an ISACA volunteer or mentor (20 and 10 free CPE hours, respectively). You can also earn CPE hours for viewing past webinars. Visit the Archived Webinars page of the ISACA website and earn 1 free CPE hour per webinar you view.

If you are interested in earning more CPE hours before the end of 2019, these opportunities are still available:

Interested in learning more about how to earn CPE hours? Visit the How to Report and Earn CPE page of the ISACA website.


CRISC: The Perfect Partner to CISA for a Holistic View of Audit and Risk Management

Mercy Omollo-Mbai Shares Her Experience as a CRISC

In 2018, Mercy Omollo-Mbai, CISA, CRISC, ISACA Kenya (Africa) Chapter communications committee secretary (2019-20) and IT internal audit manager at Liberty Group East Africa, realized it would benefit her audit career to understand risk management, so she pursued the Certified in Risk and Information System Controls (CRISC) certification. Omollo-Mbai says that after becoming certified, “the CRISC certification helped me earn respect from my supervisors, colleagues and management. They feel confident in what I articulate about risk and controls and how best to improve organizational strategy around them. My peers outside of my organization seek me out to listen to my views on handling certain issues related to risk. As an auditor, I have been able to identify gaps in various risk assessments performed by management or the risk and compliance teams.”

Since becoming a CRISC, Omollo-Mbai has also found better career prospects and greater respect as a risk and assurance professional. Because she holds both Certified Information Systems Auditor (CISA) and CRISC certifications, recruiters and managers look at her as someone who understands both the risk and audit sides of the IT spectrum.

Even though the CRISC certification has given Omollo-Mbai the tools to quantify risk and align it with an organization’s risk appetite, she says the biggest challenge is convincing management to invest in implementing stronger and more stringent risk controls. That being said, she trusts her ability to use her technical knowledge around the risk management life cycle to provide management with all the information it needs to address current gaps and pain points.

Omollo-Mbai says one of the best parts of her job is that she gets to interact with a variety of people in different positions and in different countries. She enjoys seeing how they all view risk and controls differently and likes helping others find the controls that would benefit their organizations most. When Omollo-Mbai looks to advance herself further, both professionally and personally, she tries to apply her CRISC knowledge too. She says, “I realize that my personal and professional goals also tend to align and become intertwined, so my plans must harmonize or else my personal or professional life will likely suffer. The CRISC certification has helped me to look at pros and cons even when making personal decisions, so I have become more risk-aware as I make professional and personal decisions.”

Omollo-Mbai recommends that, “If you want to learn all matters risk—how to identify, assess, manage, report and monitor risk—then CRISC is the certification for you. What you learn while preparing for CRISC is not only applicable to IS and IT, but also for general business.” Getting her CRISC certification has helped her become more active in ISACA. She volunteers for opportunities she finds through Engage and on the ISACA Kenya Chapter committees. Since becoming a more active member, she has broadened her personal and professional networks and helps mentor technology interns as part of the SheLeadsTech outreach programs across South and East Africa.

To learn more about ISACA certifications, visit the Certification page of the ISACA website.


ISACA Concludes 50th Anniversary Year With a Look at the Next Decade of Tech


As ISACA’s 50th anniversary year draws to a close, the association looks to the future and explores how to help members navigate tech innovations in the 2020s. As part of this exploration, ISACA conducted the Next Decade of Tech: Envisioning the 2020s research study, which features insights and predictions from more than 5,000 members.

The research found that 59% of respondents are optimistic about the impact new technology will have on their career over the next decade. However, these same respondents are not confident that enterprises are adequately preparing themselves for upcoming tech advancements. Eighty-one percent of respondents also believe that enterprises are not yet adequately investing in the skills employees will need to navigate upcoming shifts in technology, and 70% of respondents think enterprises are underinvesting in the technology needed to retool their organizations for the 2020s.

When asked about his thoughts on the upcoming tech advancements of the 2020s, ISACA Chief Executive Officer (CEO) David Samuelson said, “The pace of technology-driven change will continue to accelerate, so it is more important than ever to be always learning. Both as individuals and in our enterprises, we will need new skills and frameworks to be equipped to navigate the inevitable change ahead. As the next decade quickly approaches, our human potential, combined with these advancing technologies, will ensure an era of positive technology breakthroughs and a future where we all thrive.”

Interested in joining the conversation and contributing your predictions in tech with the ISACA professional community? Share your prediction on social media using #nextdecadeoftech and #isaca50.