RSS - Isaca.org

ISACA Now: Posts

http://www.isaca.org/Knowledge-Center/Blog/Lists/Posts/AllPosts.aspx


RSS feed for the Posts list.


Demystifying Cybersecurity Terminology

Raef Meeuwisse

Do you struggle to keep up to date on the latest cybersecurity terminology?

Fear not, you are not alone.

Behavioral microtargeting, cryptojacking, fileless malware, malvertising, cloudlets, unified endpoint management and sextortion are just some of the terms cropping up with increased regularity over the past two years.

“Hey Raef, BA was just subject to a digital skimming cyberattack. Can you write a piece on that?”

I could have taken a reasonable guess at what that term means, but guesswork combined with writing for magazines is a fast way to lose credibility. Added to that, I have been maintaining a publication called The Cybersecurity to English Dictionary for a few years now. That has meant that my spidey senses tingle each time someone drops in a new term.

  • Is it something I will need to add to a future edition?
  • Was it just a term made up by an eager marketing department?
  • Does it reflect an emerging cybercrime trend or defensive technology?

A few years ago, maintaining the dictionary was a joyful skip in the park. Rarely did a new term worth defining emerge – and most of the expansion between editions was down to just extending the existing vocabulary it covered. Now, there are new terms thrown around on at least a weekly basis.

The problem is threefold:

  • Cyber criminals are rapidly developing new threat tactics in an attempt to send their industry over the trillion-dollar threshold.
  • New vulnerabilities and exploits are requiring new defensive technologies and processes. As an example – consider how Spectre and Meltdown drew many of us into looking more deeply at potential processor security gaps.
  • The budgets being assigned to cybersecurity are attracting a lot of marketing spend. Is that new term just marketing spin or does it have real value?

Together, this trinity of issues has meant that staying apprised of the language of cybersecurity has not only become tougher – but is continuing to get harder because the evolution seems to be accelerating.

How do you keep up to date?

For me, one of the best sources of real information comes from attending ISACA conferences. It is a good way to find other professionals in similar roles and compare notes on the reality of each of our environments. Those presentations also are a great way to pick up on exactly what real-world security functions are doing.

Spending a few thousand corporate dollars on attending a conference can often yield substantial returns on investment for your organization. It is a place where you can get insights into the best practices that are really working – unlike sales presentations where information is often mixed with a substantial degree of marketing spin.

Security conferences, real world consulting and news stories are my own primary sources for understanding the evolving language of cybersecurity.

Despite that, there is still a challenge. Although the principles behind cybersecurity have largely remained the same, the methods for achieving effective security are changing fast.

How fast?

Perhaps one indicator is that in the most recent update to my dictionary, I found that I had more than 100 new terms – roughly a 30% increase over the previous edition.

For example, where we once talked about anti-malware and anti-virus, discussions have now moved on to unified endpoint management.

Cybersecurity can be like learning a new language, and it is not just the information security professionals who find keeping up to date with the topic a challenge. Now that data breaches are a frequent topic for the C-suite, executives have a regular need to understand complex cybersecurity topics in plain and simple language.

The good news is that there are some great FREE resources out there to help decipher the terminology. One of those is the ISACA glossary; another is the somewhat shorter UK NCSC (National Cyber Security Centre) glossary.

In the meantime, for me, it’s time to start collating and demystifying the new terms for the 5th edition of my dictionary – and with the speed of evolution in the cybersecurity market, that might be something I have to do sooner than I would like.

Editor’s note: The Cybersecurity to English Dictionary, 4th Edition is available beginning 24 September 2018.

Category: Security
Published: 9/21/2018 3:12 PM

(20/09/2018 @ 20:57)

Remembering Robert E Stroud

Rob Clyde

This weekend, all ISACA lost a dedicated leader, an engaged board member, a passionate colleague and, most notably, a dear friend. Robert E Stroud, CGEIT, CRISC, 2014-2015 ISACA Board Chair, and Board Director 2015-2018, will be deeply missed.

Only 55 years old, Rob passed away Monday, 3 September 2018, after being struck by a vehicle while jogging on Long Island, New York, USA. He is survived by his devoted family: his wife of 35 years, Connie, sons Josh and Kyle, daughter-in-law Allie Elizabeth, and grandchildren Ayden, Haylee and Jeremy.

Robert E Stroud Memorial Fund

To honor the contributions, leadership and legacy of Robert E Stroud, and with the express wishes and support of the Stroud family, ISACA has established the Robert E Stroud Memorial Fund within the Information Technology Governance Institute (ITGI). For more information on the Memorial Fund and to make a donation please visit ITGI.

Rob brought boundless energy and enthusiasm into everything he did for ISACA—and those contributions were many.  He was board chair for the 2014-2015 term, and was a driving force in the launch of ISACA’s Cybersecurity Nexus (CSX). Prior to that, he was international vice president of ISACA, member of the Strategic Advisory Council and Governance Committee, and chair of ISACA’s ISO Liaison Subcommittee. He was a COBIT champion and contributed to COBIT 4.0, 4.1 and 5, as well as numerous COBIT mapping documents. Additionally, he was involved in the creation of ISACA’s Basel II, Risk IT and Val IT guidance.

His excitement about emerging technologies and extensive knowledge of assurance, governance, cloud security and DevOps made him a highly sought-after speaker at events around the world—including ISACA’s. Rob’s technical expertise, his excitement to travel and share his knowledge around the world, and his humor and wit in delivering remarks will be greatly missed.

Rob’s dedication to the profession extended beyond ISACA. He previously served on the itSMF International Board, the board of the itSMF USA and multiple itSMF local chapters.

Additionally, he served as a member of the ITIL Update Project Board for ITIL 2011 and in various roles in the development of ITIL v3.

Rob’s high-impact career in assurance, governance and innovation leaves a lasting legacy. Rob was Chief Product Officer at XebiaLabs, where in the last year he primarily focused on DevOps scalability in the enterprise. Prior to that role, he was Principal Analyst for Forrester Research Inc., where he helped large enterprises successfully drive their DevOps transformations and guided them through organizational change.

He spent more than 15 years in multiple roles at CA Technologies, including Vice President of Strategy and Innovation, where he predicted changing trends in the domains of assurance, cybersecurity, governance security and risk. He also advised organizations on strategies to ensure maximum business value from their investments in IT-enabled business governance.

On a personal note, Rob has been my good friend and mentor. It was his inspiration and support that led me to serve on the ISACA board of directors. I have had the privilege of co-presenting with Rob many times, and frequently we have had lively discussions about new technology, cloud, DevOps and how we can help ISACA have even greater impact. The day before his passing, I was working on a DevOps presentation using slides that Rob had put together and just shared with me to use. Having collaborated with him for so many years, enjoying his advice, company, humor and zest for life, I feel like I have lost a part of me. I’m sure many of you feel the same, and we will explore a fitting way to honor his contributions and legacy. I will let you know of those opportunities as they are decided by the board in a timely fashion.

Rob was always looking forward to new trends, new challenges and new opportunities, so he could best serve his clients, his colleagues, and his friends, whether bonds were just formed or existed for decades. His exuberance lit up the room wherever he went, and he was truly a guiding light and progressive proponent for the association and our professional community.

Rob’s enduring spirit of innovation will continue to influence ISACA and our global family for years to come.

Thank you, Rob. You are gone too soon. We miss you.

Category: ISACA
Published: 9/4/2018 12:22 PM

(04/09/2018 @ 18:47)

Lessons from the Reddit Breach

Rob Clyde

An attacker gained access in June to Reddit users’ data, including usernames, passwords, email addresses and private messages from 2005-2007. The attacker also gained access to more recent data, including current usernames and emails.

This data allows hackers to try to break into sites where users might still be using the same passwords. Although the compromised passwords were encrypted, they are likely crackable using today’s tools.

Because the email digests also include current usernames and emails, this linkage could allow attackers to determine the actual identity of users. If those users have been receiving content or engaged in posts that could be embarrassing, this may lead to blackmail; hackers might threaten to make private messages public or share them with family or friends.

Reddit users should ensure that, across platforms, they are not still using any passwords from the breached timeframe. Users should also consider passwords that are in line with NIST’s recent guidance.

What your organization can do to prevent a similar breach
Periodic password changes and secure password choices are good practices for Reddit users and non-users alike. Additionally, there are system-wide changes that organizations can make to protect against breaches.

Employees with access to sensitive systems or with powerful privileges, like admin accounts, represent a high-value target for attackers, so organizations should pay particular attention to the security of such accounts.

One way to improve account security is the implementation of strong multifactor authentication. SMS is often used for two-factor authentication on consumer accounts, but attackers can compromise it with some effort, as occurred with the admin accounts in the Reddit breach.

A cryptographic token system is a more secure alternative to the SMS two-factor authentication method that was compromised in the Reddit breach. Tokens take more effort to implement than SMS two-factor authentication, but they are also difficult to spoof. Authentication tokens are generated cryptographically and often have limited lifetimes: sometimes, as little as one or two minutes.

Many organizations have been using strong authentication based on physical or software tokens for decades. For particularly sensitive accounts like admin accounts, this has long made sense and is hardly a new idea.
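The short-lived, cryptographically generated tokens described above are commonly realised as TOTP (RFC 6238); the post itself does not name a scheme, so the following is an added example, not code from the post or from ISACA. It derives a code from a shared secret and the current 30-second time step, verifies it server-side with a small clock-drift window, and rejects reuse of a code within its window. The secret is the 20-byte test key published in RFC 4226/6238, embedded here as a constructed demo value.

```python
import hashlib
import hmac
import struct

# Constructed demo key: the 20-byte ASCII test secret published in RFC 4226/6238,
# used here only so the output can be checked against the known test vectors.
DEMO_SECRET = b"12345678901234567890"
TIME_STEP = 30      # seconds each code stays valid (RFC 6238 default)
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    msg = struct.pack(">Q", counter)                       # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = TIME_STEP) -> str:
    """Time-based variant (RFC 6238): the counter is the current time step."""
    return hotp(secret, int(at_time) // step)


def verify_totp(secret: bytes, code: str, at_time: int, used_steps: set,
                step: int = TIME_STEP, skew: int = 1) -> bool:
    """Server-side check of a submitted code.

    Accepts the code for the current time step and +/- `skew` neighbouring
    steps (clock drift), compares in constant time, and records each accepted
    step so the same code cannot be replayed while it is still within its window.
    """
    current = int(at_time) // step
    for delta in range(-skew, skew + 1):
        candidate = current + delta
        if candidate in used_steps:
            continue                                       # already consumed
        if hmac.compare_digest(hotp(secret, candidate), code):
            used_steps.add(candidate)
            return True
    return False


if __name__ == "__main__":
    used = set()
    t0 = 59                                  # RFC 6238 test time (Unix seconds)
    code = totp(DEMO_SECRET, t0)
    print("code at t=59:", code)             # 287082 (6-digit form of the vector 94287082)
    print("first use:", verify_totp(DEMO_SECRET, code, t0, used))               # True
    print("replay:", verify_totp(DEMO_SECRET, code, t0, used))                  # False
    print("two minutes later:", verify_totp(DEMO_SECRET, code, t0 + 120, set()))  # False
```

The `used_steps` set is what turns a time-limited code into a single-use one; a real deployment would keep it per account in persistent storage rather than in memory.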

Other detection tools your organization should use for breach prevention
Organizations should also use auditing and intrusion detection tools to quickly alert them to a situation when such an account is engaged in abnormal behavior.

Since admin accounts are very powerful, the information security team and IT auditors should carefully review the protection for these types of accounts, including the use of multifactor authentication, and determine if audit trails and intrusion detection tools can be turned off or tampered with by the admin accounts in question. Otherwise, attackers who breach such admin accounts will have the ability to simply bypass the monitoring. In many cases, the underlying operating system or application does not provide tamper-proof audit trails and intrusion detection; third-party tools will need to be implemented.

Organizations should also discover old files that contain personally identifying information, like email addresses, usernames or encrypted passwords. These files should be securely deleted or protected in some fashion. In many cases, it is older files that were not well protected, copied and then forgotten about, often due to employee turnover, that potentially pose regulatory compliance risks.

Proactive data governance measures are more important than ever in today’s landscape, as the Reddit breach and countless others attest.

Category: Security
Published: 8/9/2018 2:52 PM

(08/08/2018 @ 17:21)

AI Factors Heavily into Future of Digital Transformation

Rob Clyde

The second installment of ISACA’s Digital Transformation Barometer research underscores the ascent of artificial intelligence as a technology with growing potential – and how urgently enterprises must rise to the occasion of addressing the related risk and security implications.

In the 2018 Digital Transformation Barometer, global respondents rank AI/machine learning/cognitive technology as the second-most transformative technology for organizations, finishing just behind big data. While big data also was the top choice in the 2017 version of this annual research, the gap between big data and AI shrank from 18 points to 3, reflecting a growing realization that AI technology is on the verge of profoundly reshaping many aspects of society.

Already, AI and machine learning hold significant sway in our daily lives, ranging from the way our flights are piloted to matters of simple convenience, such as how photographs are tagged on Facebook. Larger impact is on the way. AI and machine learning are being explored to set medical breakthroughs in motion, improve farmers’ crop yields and help law enforcement identify missing people, among a wide range of promising applications on the horizon. As new uses continue to be developed and refined, there will be increased need for enterprises to safely and securely deploy AI. On this front, there is much work to be done.

Only 40 percent of Digital Transformation Barometer respondents express confidence that their organizations can accurately assess the security of systems that are based on AI and machine learning, a statistic that is concerning enough today but will grow considerably more problematic in the near future if enterprises don’t make the needed investments in well-trained staffs capable of putting the needed safeguards in place. As AI evolves – consider the likely proliferation of self-driving vehicles, or AI systems designed to reduce urban traffic – it will become imperative that enterprises can provide assurance that the AI will not take action that puts people in harm’s way.

Contending with malicious uses of AI will be one of the central challenges for our professional community, as a concerning report from a range of global researchers accentuated. The Digital Transformation Barometer research shows that potential instances of social engineering, data poisoning and political propaganda are among the malicious AI attacks that need to be accounted for in the short-term, but even more concerning possibilities loom, such as the activation of autonomous weapons, driving home the urgency of bolstering AI security capabilities. In many cases, the solution to keeping AI in check will be tapping into AI technology that enables security innovations.

Whether thinking about AI or other emerging technologies, practitioners should look for opportunities to expand their knowledge base and explore ways for their enterprises to leverage new technology to connect with customers in new and potentially more impactful ways. More than 4 in 5 respondents (83%) indicate their organizations have no plans to accept cryptocurrency in the future, while the majority of respondents (53%) consider public cloud to be high risk, reflecting mindsets more tethered to the status quo than embracing opportunities to fuel innovation. Not every new technology is the right fit for every organization, but enterprise leaders owe it to their stakeholders to ensure they are actively exploring promising technologies and determining how technology can be securely leveraged to drive the innovation needed to compete in today’s digital economy.

Change is difficult for organizations, which traditionally are structured with stability, rather than innovation, in mind. However, as technology plays an increasingly prominent role in our daily lives, customers increasingly are expecting dynamic, swift-to-market, technology-driven solutions. To be able to deliver, organizations must prioritize investing in the security capabilities needed to enable effective and responsible digital transformation.

Category: Risk Management
Published: 9/19/2018 7:30 AM

(24/08/2018 @ 17:30)

Digital Transformation Brings More Opportunities to Financial Sector

Kris Seeburn

Emerging technologies and the pace of innovation are reshaping the banking/financial industry and operating models, while influencing the shape and dynamics of the broader financial services ecosystem.

Banks have adopted new technologies to varying degrees. Most banks use elements of cloud computing, a key technology that reduces the costs of rolling out and scaling the online and mobile banking capabilities that digital era consumers expect. Many institutions also are gradually implementing elements of big data and analytics as well as robotic process automation (RPA) to strengthen controls and reduce costs. Other technologies, such as distributed ledger technology and the Internet of Things (IoT), are only in the early stages of commercialization by banks.

Respondents to ISACA’s 2018 Digital Transformation Barometer identify financial/banking as the industry showing the most leadership in adopting emerging technologies. Banks are undergoing a fundamental transformation resulting from a range of technological innovations. Six technologies are currently most prominent in financial innovation: cloud computing, big data and analytics, artificial intelligence (AI)/machine learning, RPA, distributed ledger technology and the IoT. These technologies are at different stages of maturity, and some have the potential to significantly change the industry in the coming years.

Technology Trends & Game Changers

The question that pops up is: How rapidly is the pace of change accelerating for financial services industry firms, and how are leaders planning to navigate their firms into the future?

To answer these questions, it’s important to first consider that there are some regional and national differences in competitive market structure, regulatory environments, and the global scale of the industry that influence outcomes. Even though the larger G7 economies (Canada, France, Germany, Italy, Japan, the United States and the United Kingdom) are still dominant in terms of size (assets) and number of transactions, other countries, especially the large emerging markets, are steadily catching up. The growing, emerging economies have been able to more easily implement modern core technology platforms because of the relative absence of legacy investment and integration with 40-year-old systems often found in firms in the G7.

New technologies are allowing banks to re-examine their business and operating models, and determine which functions and capabilities should be retained internally vs. obtained externally. Banks are able to benefit from technological advances made by other organizations in several key areas (such as customer reporting, risk analytics as a service, blockchain) by entering into strategic partnerships with these entities.

Technological innovations also are enabling banks to virtualize more of their banking operations and shift non-critical functions (for example, managed treasury and cash services, white label call centers) to business partners — allowing firms to increase their focus on core services and improve efficiency, while maintaining robust oversight and controls.

We also need to understand that there is a growing customer expectation of what “great” service looks like that often is shaped by “single best user experiences.” The optionality, transparency and affordability of products and services offered by prominent digital era companies have set a new baseline for banking customers’ expectations of convenience, simplicity and customer engagement.

Further, machine learning and advanced analytics are enhancing risk monitoring, controls and risk mitigation across the banking industry. Banks are able to leverage expanded internal and market data and advanced analytics to better understand key customer- and financial-transaction-related risk factors.

The shift toward digital platforms allows banks to interact more closely with customers, and quickly design and deliver relevant services. Digitizing end-to-end business processes further enables banks to achieve scale and become more efficient, resilient and transparent. As a result, banks are better able to quickly respond to changing customer needs, market dynamics and regulatory expectations.

Maintaining an appropriate balance in regulating and supervising banks as they innovate is not a new challenge. Key examples of impactful, organic incorporation of technological innovations into banking include, among others, the advent of call centers and the shift from paper to electronic/digital books and records. Banks determine the precise design and use of each technological innovation based on customer needs, opportunities to enhance customer value, compliance with regulatory requirements and supervisory expectations, their business models, risk tolerances and other market factors. Banks rely on their first (business), second (risk management) and third (internal audit) lines of defense to maintain compliance. The banking industry’s long and successful track record of safely implementing technological innovations speaks to the effectiveness of its regulatory engagement model.

Policymakers and regulators continue to actively monitor developments within the banking sector, including those that are technology-related, so that emerging, potential risks are appropriately addressed.

To date, banks have safely implemented many beneficial technologies without adverse repercussions to institutions or the broader financial system. Nevertheless, implementing technological innovations, particularly emerging technologies, will always have some element of risk, given the heuristic nature of innovation and new activities and services.

Going forward, digital transformation has the potential to continue to significantly transform the financial services industry and benefit society. It can replace individual banks’ legacy systems, enhance processes, improve efficiencies and strengthen controls. Digital transformation also can provide opportunities for the creation of new products and services that benefit customers. Ultimately, technological innovations hold great promise for the identification of new customers and the provision of financial services to the unbanked or underbanked community in a safe and sound manner.

Category: Risk Management
Published: 9/19/2018 7:30 AM

(24/08/2018 @ 17:44)

Clouds, Codebases and Contracts – How the New Era of Privacy is Changing Third-Party Risk

Alex Bermudez

The last two years have taught us that conventional wisdom and knowledge around privacy and security need a makeover, in particular as they relate to the EU’s GDPR and the California Consumer Privacy Act. Data controllers and businesses, the entities responsible for what happens to personal data under GDPR and CCPA, respectively, are subject to new obligations that place significant organizational risk squarely on their shoulders. Though compliance issues can come from many places, one often-overlooked impact is managing processor/third-party risk.

Third parties (aka processors in the GDPR or information recipients in California law) are critical to organizational operations, from cloud hosting to payroll administration and processing. They hold customer, partner, employee, and confidential data that is the lifeblood of organizations, and we can’t run without them. While many third parties strive to be good stewards of their customers’ data, we find ourselves in a time where trust and good-faith efforts aren’t going to pass muster anymore.

Under the GDPR, CCPA, and other regulations, controllers need to hold their vendors contractually responsible for specific obligations on how data is handled, through data processing agreements and other measures, and as always, “trust but verify” that the vendor is acting accordingly. By extension, this includes our vendors’ partners as well, when fourth parties are involved.

Along with contractual measures, controllers need to assess, test and review a vendor’s ability to adequately safeguard the data they are transferring through product, personnel, and organizational protection mechanisms. This also requires that they pass the same data protection expectations downstream.

All of this due diligence should, at all times, be centrally documented and maintained. In the event of an incident or breach, controllers must be able to demonstrate a reasonable and defensible process for vetting third parties, including providing results of their assessments of vendors' practices and commitments to data protection, to help mitigate risks of liability. This also includes identifying potential risks of doing business with a particular vendor, taking actions to mitigate those risks, and continually managing vendors based on the scope and sensitivity of the data they process.

Now, chances are your organization has already taken steps to ensure proper actions are taken. For organizations looking for continual process improvement (CPI) and formal action plans, here’s a sample Vendor Risk Management lifecycle to consider:

This lifecycle is a roadmap to operational Vendor Risk Management that includes:

  1. Establishing a baseline for new vendors to benchmark associated risks (done during the evaluation and procurement process);
  2. Mitigating risk down to the lowest possible level and using that analysis to set a cadence for vendor review frequency;
  3. Documenting all aspects of vendor due diligence, including services agreements, privacy and security risk analysis, data processing agreements, vendor contacts, and internal owners; and
  4. Reviewing all vendors periodically to ensure agreements and relationships are maintained with appropriate controls in place, including based on regulatory guidance, as renewals or new services may be rendered.

Organizations should also incorporate privacy/security by design into vendor onboarding practices by integrating with procurement processes to take advantage of work being done today. This could include an early screening to determine if further privacy and security due diligence will be required – based on what services are being rendered – and how they’re delivered.

Editor’s note: For more resources related to GDPR, visit www.isaca.org/gdpr.

Category: Privacy
Published: 9/17/2018 3:08 PM

(13/09/2018 @ 23:36)

Last import : 24/09/2018 @ 18:06