@ISACA Volume 22 30 October 2019

Common Misconceptions About Radio Waves, Radio Frequency and Wireless Communication

By Bruce R. Wilkins, CISA, CRISC, CISM, CGEIT, CISSP

Think about the last time you communicated via radio. Many people think they only listen to the radio in the car or think about the time when Morse code, walkie-talkies and teletype machines were more prevalent. But the truth is, mobile phones, hot spots, baby monitors and other wireless technologies all use radio waves to communicate, and any communication device that uses radio waves to communicate is a radio.

Radio waves oscillate at different rates, called radio frequencies (RF). The RF spectrum is a wide range of the electromagnetic spectrum, from 30 hertz (Hz) to 300 gigahertz (GHz). Higher frequencies generally support higher data rates, assuming that compression and modulation are held constant. A radio signal has 2 parts: the carrier, the base frequency being transmitted, and the data that are modulated onto the carrier. The data can be applied to the carrier in analog or digital form. The strength of the carrier determines how far the data can travel and still be received in a usable state.

To prevent radio signals from drowning each other out, there is, in the United States for example, a Table of Frequency Allocations maintained by the US Federal Communications Commission (FCC) and other various organizations. The Table of Frequency Allocations is divided into bands of contiguous frequencies. These allocated bands are designated for cell phones, radars, remote control, television, AM/FM radio, etc.

As cybersecurity professionals, we need to understand the wireless environment and the impact of these types of communications on our security posture. Following are some misunderstandings of RF-based communications that apply to the electromagnetic spectrum:

  • Encryption makes the RF signal invisible and prevents it from being intercepted—This is untrue because encryption protects data prior to modulating them onto the RF carrier. The radio waves, both the carrier and the modulated data, can be intercepted, but the data are protected. There are techniques that can be used to prevent signal interception, but generally speaking, if you are properly located and listening to the right frequency, you can intercept all RF communication.
  • RF signals carrying digital data go further than RF signals with analog data—This is false. The strength of the signal, the environmental conditions, atmosphere and terrain determine how far an RF signal can travel and still be usable at the receiving end.
  • More Wi-Fi hotspots are better—This statement is mostly false. If members of your C-suite travel, each member should have a personal hotspot so they do not accidentally connect to a hostile hotspot, but this is not because more hotspots are better. A hotspot has 2 sides. There is a cell radio that connects to your Internet service provider (ISP), and there is a Wi-Fi radio that allows up to 4 or 5 users to connect. However, if you put more than 4 hotspots into a single room, strange things occur. While the cell side of each hotspot is fine, the Wi-Fi side experiences issues. Because all the Wi-Fi radios work in the same frequency band, the signals begin to drown one another out. This is called jamming or stepping on one another. Even though you have plenty of cellular signal strength, the Wi-Fi signals are in conflict and no one can connect consistently.
  • Radio waves continue on into space forever—This is not really true. Radio waves are like dropping a pebble into a pond. As the ripples move away from the impact point, they get weaker and weaker until they reach a point where the RF signal-to-noise ratio makes the signal unusable.
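The pebble-in-a-pond point can be put in numbers. The following is an added example, not code from the article or its author: it assumes the free-space (Friis) path-loss model and a thermal noise floor of -174 dBm/Hz, and the link parameters (a 20 dBm transmitter at 2.4 GHz, a 20 MHz channel, a 6 dB receiver noise figure, a required SNR of 10 dB) are constructed for illustration only. It computes received power and signal-to-noise ratio against distance and the distance at which the signal stops being usable. Free space is the best case; the terrain, atmosphere and obstructions mentioned above only shorten the range further.

```python
import math
from dataclasses import dataclass

# Assumed physical constants (not from the article).
SPEED_OF_LIGHT_M_S = 299_792_458.0
THERMAL_NOISE_DBM_PER_HZ = -174.0   # kT at roughly room temperature


@dataclass(frozen=True)
class Link:
    """Parameters of one radio link (hypothetical values supplied by caller)."""
    tx_power_dbm: float
    tx_gain_dbi: float
    rx_gain_dbi: float
    freq_hz: float
    bandwidth_hz: float
    noise_figure_db: float
    required_snr_db: float


def free_space_path_loss_db(distance_m: float, freq_hz: float) -> float:
    """Attenuation between isotropic antennas in free space (Friis formula).

    Every doubling of distance costs about 6 dB; so does every doubling
    of carrier frequency.  The signal never disappears, it just sinks
    further below the noise.
    """
    if distance_m <= 0 or freq_hz <= 0:
        raise ValueError("distance and frequency must be positive")
    return (20 * math.log10(distance_m)
            + 20 * math.log10(freq_hz)
            + 20 * math.log10(4 * math.pi / SPEED_OF_LIGHT_M_S))


def noise_floor_dbm(bandwidth_hz: float, noise_figure_db: float) -> float:
    """Receiver noise power integrated over the channel bandwidth."""
    return THERMAL_NOISE_DBM_PER_HZ + 10 * math.log10(bandwidth_hz) + noise_figure_db


def received_power_dbm(link: Link, distance_m: float) -> float:
    """Link budget: transmit power plus antenna gains minus path loss."""
    return (link.tx_power_dbm + link.tx_gain_dbi + link.rx_gain_dbi
            - free_space_path_loss_db(distance_m, link.freq_hz))


def snr_db(link: Link, distance_m: float) -> float:
    return received_power_dbm(link, distance_m) - noise_floor_dbm(
        link.bandwidth_hz, link.noise_figure_db)


def is_usable(link: Link, distance_m: float) -> bool:
    """The receiver can still demodulate while SNR meets the requirement."""
    return snr_db(link, distance_m) >= link.required_snr_db


def usable_range_m(link: Link) -> float:
    """Invert the path-loss formula to find where SNR drops to the minimum."""
    max_loss_db = (link.tx_power_dbm + link.tx_gain_dbi + link.rx_gain_dbi
                   - noise_floor_dbm(link.bandwidth_hz, link.noise_figure_db)
                   - link.required_snr_db)
    exponent = (max_loss_db
                - 20 * math.log10(link.freq_hz)
                - 20 * math.log10(4 * math.pi / SPEED_OF_LIGHT_M_S)) / 20
    return 10 ** exponent


# Constructed example link: 100 mW into a 2.4 GHz, 20 MHz channel.
WIFI_EXAMPLE = Link(tx_power_dbm=20.0, tx_gain_dbi=0.0, rx_gain_dbi=0.0,
                    freq_hz=2.4e9, bandwidth_hz=20e6,
                    noise_figure_db=6.0, required_snr_db=10.0)

if __name__ == "__main__":
    print(f"noise floor: {noise_floor_dbm(20e6, 6.0):.1f} dBm")
    for d in (1, 10, 100, 1000, 10_000):
        print(f"{d:>6} m  rx {received_power_dbm(WIFI_EXAMPLE, d):7.1f} dBm"
              f"  SNR {snr_db(WIFI_EXAMPLE, d):6.1f} dB"
              f"  usable={is_usable(WIFI_EXAMPLE, d)}")
    print(f"usable range (free space): {usable_range_m(WIFI_EXAMPLE):.0f} m")
```

The table the script prints shows received power falling by 20 dB for every tenfold increase in distance while the noise floor stays put; the SNR crosses the 10 dB requirement at a little under 1.8 km in free space. That is the point where the ripples become unusable, not where they stop.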

Wireless technology is growing faster than wired communication. The next generation of cellular, 5G, will offer data rates reaching 9 gigabytes (GB). In addition, the introduction of software-defined radios (SDRs) will make radios RF agile. RF agility means that any given radio can work on any frequency in the RF frequency spectrum. This means the same people who hack systems today could soon violate the Table of Frequency Allocations if unchecked. It is a fun time to be in wireless technology development.

Bruce R. Wilkins, CISA, CRISC, CISM, CGEIT, CISSP, is the chief executive officer of TWM Associates Inc. In this capacity, Wilkins provides his customers with secure engineering solutions for innovative technology and cost-reducing approaches to existing security programs.


Preparing for an IT Audit

ISACA News

As IT risk and regulations change, IT departments are tasked by auditors and compliance professionals to clarify IT processes, provide audit evidence and identify control issues. IT audit readiness can feel harder to achieve as responsibilities mount, but if the right processes are put in place, risk assessments can be current and meaningful, controls can be well managed, and negative audit findings can be minimized.

To discover the right processes to enact to achieve IT audit readiness, attend the “Nine Steps to Achieve and Maintain IT Audit Readiness” webinar presented by ISACA and Galvanize. This webinar, which takes place on 7 November at 11AM CST (UTC -6 hours), will share 9 key steps to make your risk management and compliance activities smarter, faster and more resource efficient. ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and completing a related survey.

Ryan Torio, senior specialist of influencer relations on the Galvanize product strategy team, and Brian Luong, senior specialist on the Galvanize consulting team, will lead the webinar. Torio and Luong will use their past US Sarbanes–Oxley Act (SOX), Service Organization Control (SOC) 1 and 2, risk assessment, and audit experience to help you identify the best ways for you to achieve organizational IT audit readiness.

To learn more about this webinar or to register for it, visit the Nine Steps to Achieve and Maintain IT Audit Readiness page of the ISACA website.


The Top Challenges Facing IT Auditors

ISACA News

While innovation and emerging technologies are imperatives for any organization looking for a competitive edge, they have created challenges for the IT audit industry. To provide insights on the challenges that IT auditors face, ISACA and Protiviti’s 8th annual audit research project, the 2019 Global IT Audit Benchmarking Study, has recently been released. The study contains revealing insights into the key challenges impacting IT audit professionals; the top skills in demand in the profession; and takeaways, analysis and recommendations for business leaders.

This survey of 2,252 chief audit executives (CAEs), internal audit professionals, and IT audit vice presidents and directors worldwide found that the top 5 technology challenges faced are:

  1. IT security and privacy/cybersecurity
  2. Data management and governance
  3. Emerging technology and infrastructure changes—transformation/innovation/disruption
  4. Staffing and skills challenges
  5. Third-party/vendor management

Data management and governance jumped to second place from the 10th spot in the 2018 survey. The findings also show that the top skills that organizations are looking for their IT auditors to have are expertise in advanced and enabling technologies, critical thinking, and data science. Additionally, a main takeaway is how essential it is for the audit and IT functions to have a strong relationship.

“One of the prominent themes in this year’s survey is the importance of partnership between audit and the IT function, which is particularly essential in the area of risk management,” said Robin Lyons, CISA, CIA, ISACA technical research manager. “As these 2 groups work together, risk management becomes a shared, real-time effort that reduces guesswork by IT audit as to what project challenges and risk truly exist.”

To learn more, read the full report and check out the related infographic, blog post, podcast episode and video on the A Global Look at IT Audit Best Practices page of the ISACA website.


ISACA Podcast Explores Parallels Between Environmental Sustainability and Digital Transformation

ISACA News


To glean valuable industry insights, gain practical knowledge and keep up with industry trends, subscribe to the ISACA Podcast. In these podcasts, security experts, published authors, conference speakers and industry experts share thought leadership, practical knowledge and career advice. By subscribing to the ISACA podcast on Apple Podcasts, Google Play, Podbean, Stitcher, or Spotify, you can ensure that you never miss a new episode and can listen to episodes wherever you are.

A recent podcast episode, “Applying Environmental Sustainability to Digital Transformation,” discusses how environmental sustainability principles can apply to digital transformation, how ideas that protect physical ecosystems can also be used to protect the digital ecosystem, and how digital transformation efforts can learn from the successes and mistakes of environmental sustainability to secure information. Much of the terminology around digital transformation is also used in environmental sustainability conversations, so it is easy to draw the link between effective sustainability strategies and effective digital transformation strategies.

To listen to this podcast or learn more about the ISACA Podcast, visit the ISACA Podcasts page of the ISACA website.


New Research Explores Critical Risk Categories and Overall Risk for Organizations Today

ISACA News

The turbulence in today’s risk landscape is unprecedented, and many organizations are wondering how their risk mitigation is faring relative to other enterprises. To examine risk management leaders’ insights on current organizational risk mitigation strategies, ISACA, CMMI Institute and Infosecurity have issued a new joint research report on the state of enterprise risk management. The State of Enterprise Risk Management 2020 report explores:

  • Risk management process maturity
  • Most critical risk categories
  • Top cybersecurity risk mitigation controls
  • Length of response time to implement countermeasures once a new threat or vulnerability is detected

According to the research, 53% of risk specialists say their organization’s overall risk has increased in the past 12 months, and nearly 30% say information security and cybersecurity are the most critical risk categories facing their organizations.

For full findings and insights from risk management leaders, visit the State of Enterprise Risk Management 2020 page of the ISACA website.


A Passion for SheLeadsTech: A Few Minutes With Karen Sandhu

New From SheLeadsTech

Karen Sandhu, CISA, CRISC, is a professional with 15 years of risk management experience in information security, data privacy, emerging technology risk, cloud security, security incident response, governance and internal controls. She is passionate about raising awareness and closing the gender gap of women in IT and cybersecurity roles. Accordingly, Sandhu acts as the director of diversity and inclusion for the ISACA Vancouver (British Columbia, Canada) Chapter and leads the SheLeadsTech Vancouver program. Here she shares some of her experiences advocating for women in tech.

Q: What is one of the biggest obstacles you have faced while raising awareness about the lack of women in IT and cybersecurity roles?
A: Finding enough leaders and influencers to address this global problem. In Vancouver, a really tight security community exists, but it lacks diversity. Many conference organizers were called out because of the lack of female speakers at IT and cybersecurity conferences. Women attendees were the ones to voice concern. Since launching SheLeadsTech in October 2018, the ISACA Vancouver Chapter program has gained momentum in raising awareness and calling for this change. This increase in awareness is in part due to the SheLeadsTech Vancouver panels at BC Aware day, where panelists spoke about their careers in cybersecurity, the challenges they have faced, the advice they had for others and their biggest accomplishments, and at BSides Vancouver, where panelists talked about building alliances and finding allies. The chapter’s SheLeadsTech program also organized a Cybersecurity for Youth session led by a well-respected security leader in Vancouver at BC Girl Guides Canada and spoke to and supported the New York Institute of Technology (NYIT) (USA) Vancouver Student Showcase event. The SheLeadsTech program is doing its best to show organizations and the education sector how to close the gender gap, rather than simply raise awareness of it.

Q: What is one of the most important internal (of your own effort) factors that led you to take on an ISACA Vancouver Chapter board member role?
A: Being a leader is hard. You have good days and bad days, and sometimes you need a different perspective and you need to develop in different ways. I was looking for an opportunity to develop my leadership skills and to become more involved in the Vancouver community. When I saw the opportunity to serve, I took it. Taking on different challenges and working with individuals I had never met or worked with before (outside of my professional space) is a completely different experience. You work with different personalities and learn to adapt your style. If anything, the continued ISACA Vancouver Chapter board member role is shaping me to be a better leader. I have learned to appreciate others’ perspectives and how they push me to grow in new directions.

Q: What is the most important external (not of your own effort) factor that led to this role?
A: Quite a few factors led me to this role, and I feel they are all equally important. Hearing the voices of some incredible women working in the tech industry and learning of their successes and challenges empowered me to advocate for change, encourage women to pursue the next steps in their careers or change careers, and elevate the role of women in the Greater Vancouver area.

Another factor was my curiosity about the current level of involvement of young girls in science, technology, engineering and math (STEM). I found that within Canada, we are already failing the next generation. Studies have reported a lack of education given to children (kindergarten to grade 12) in STEM; that 33% of university degrees lack areas in IT, networking, cybersecurity and virtualization; that 30% of graduates who have studied computer science degrees do not have job-ready skills; and that 78% of young women rule out careers in cybersecurity.

These facts broke my heart and pushed me to ensure that the ISACA Vancouver Chapter focuses on the next generation of females in tech in several ways:

  • At colleges and universities, focusing on increasing and promoting the study of IT and cybersecurity programs for women
  • At primary and secondary schools, focusing on supporting and encouraging girls who enjoy STEM subjects and changing the mind-sets of those who feel that STEM subjects are for boys only

Q: What challenges do you see women face in being able to take on positions in tech?
A: Apart from the well-known ones (i.e., gender bias, lack of leadership support, not enough role models), I have noticed through conversations I have had that women tend to doubt themselves, either their technical skills or leadership skills, and believe they are not ready to take on certain positions. This is largely due to past negative professional experiences and a tendency to constantly compare themselves to others. Women need to find a way to hack their conscious and unconscious minds, and I believe that, as leaders, we all have roles to play to help women overcome these types of challenges. There is a famous quote from the first female US Secretary of State, Madeleine Albright. She said, “There is a special place in hell for women who do not help other women.” I follow this mantra because studies have shown women who help other women are more successful.

Q: What challenges do you see organizations face as they look to hire more women in tech?
A: Trying to find women in tech. This is the hard part. Where do you find them? And, if you do find them, how do you plan to develop them so that they are successful? Another area that needs to be addressed is that although the organization’s leadership team might be in full support of hiring more women in tech, what about the rest of the organization’s culture? Does it embrace a truly diverse workforce? How many female leaders are there?

If organizations are reaching out to women for roles in tech, they should do so with purpose and be mindful that women may ask “Are you only reaching out to me to achieve your diversity and inclusion metrics? Or, are you reaching out to me because my skills and experience have interested you?”

Q: What do you think organizations can and should do to address retention issues for technology professionals, especially women?
A: If an organization is serious about retaining women in tech, it needs to demonstrate commitment and investment. A great way to start is to reach out to technology groups within the community. For example, a technical recruiter at Infoblox contacted me a few months ago to explore opportunities to collaborate with SheLeadsTech to support the Infoblox’s diversity and inclusion initiative. This resulted in an evening of networking sponsored by Infoblox, and it was great to learn about the executives’ mandate to increase the representation of women in the workforce and actions Infoblox has put into place through the Women at Infoblox Network (W@IN).

Organizations can also create programs for women who aspire to be leaders within the organization. They can dedicate time and resources to develop the skills required to reach C-suite roles and present opportunities to shadow C-suite leaders. Additionally, organizations can become strategic partners with educational institutions to encourage educating the next generation of women in tech.

Q: Have you seen progress in retaining women in the technology field over the course of your career?
A: Unfortunately, no. I have seen too many employers drive women out of tech. It is only since the #MeToo movement amplified voices that organizations have begun to shift their actions. Even so, there is still much more that needs to be done. Organizations must go beyond vocal commitments to diversity by developing and implementing clear business cases for change.

Q: What progress do you see legislatively or culturally in your region toward addressing the gap of women in tech?
A: As cited on the Government of Canada’s website, advancing gender equality and the empowerment of women and girls is a top priority. In Canada, the Employment Equity Act's purpose is to achieve equality in the workplace so that no person is denied employment opportunities or benefits for reasons unrelated to ability. In the fulfillment of that goal, the act seeks to correct the conditions of disadvantage in employment experienced by women, aboriginal peoples, persons with disabilities and members of visible minorities. However, the progress toward addressing the gap of women in tech is slow.

More organizations are looking to address diversity and inclusion in the workplace and bring more women into tech, but how do they do that? There is not enough guidance to support these organizations toward achieving their goals.

Universities, colleges and schools need to do more to engage girls in STEM subjects to help address systemic barriers before women enter the workplace.

This article was originally published on the SheLeadsTech website.

The ISACA SheLeadsTech program and the SheLeadsTech newsletter shed light on the waves women are making in the tech industry today. By subscribing to the monthly newsletter, you will receive the latest event updates, webinar content, podcast content and insight into what women leaders, like Sandhu, are uncovering in the tech industry. To subscribe to the newsletter, visit the SheLeadsTech website.