RSS - Isaca.org

ISACA Now: Posts


RSS feed for the Posts list.

What Capital One Got Right


Gregory J. Touhill

The massive cyber breach of Capital One, reported in late July, quickly brought a chorus of condemnation of the company from a wide circle of pundits, concerned customers, competitors and potential investors. Lost in the media fray was Capital One’s exceptional incident response.

The facts are impressive when compared to other cyber incidents. Capital One’s cybersecurity team detected the incident within days (as opposed to the industry average of over 100 days before detection). Critically, the company alerted law enforcement, and collected and analyzed the logs and data that led to an unprecedented rapid identification and apprehension of the perpetrator by law enforcement personnel.

Senior leadership messaging to the public regarding the incident was quick, transparent, and sincere. YouTube watchers even got to “ride shotgun” with reporters as they accompanied law enforcement personnel to arrest the alleged hacker and secure the purloined data. Such streaming content of law enforcement arresting suspected cyber criminals in a timely manner bolsters confidence in law enforcement’s capabilities to thwart cyber criminals while providing an unprecedented deterrent in the age of cyber crime.

With nation-state actors, hackers, and other criminal organizations increasing in their boldness and cyber capabilities, corporate entities face significant cyber risk, and the odds of a cyber breach or reputation-damaging cyber incident are high. Boards and business leaders at all levels should recognize that their organization is a target and that they need to be prepared to respond fast and well in times of crisis. They should fine-tune their incident response procedures using lessons learned from the Capital One breach, implement measures to protect the weaknesses exposed in this attack, and practice what they should do if their enterprise encounters their own “really bad day.”

While boards and business leaders rightfully should pay attention to the circumstances leading to the breach itself, there are numerous lessons learned from this breach that organizations of all sizes should pay close attention to – and nearly all are positive.

Category: Security
Published: 9/20/2019 10:00 AM


(19/09/2019 @ 15:59)

How Company Culture Helps Shape the Risk Landscape


Paul Phillips

In today’s environment, companies all over the globe are experiencing culture risk. Yes, culture indeed has an impact on risk and every company has a unique culture. The key is to understand it, manage it, and leverage it when possible to obtain competitive advantage. Every company is faced with both positive and negative risk – that is, threats and vulnerabilities that could adversely impact the organization, its reputation and stock value, as well as opportunities that could have a positive impact. While there are many factors that impact the risks that a company faces, many times business leaders overlook and underestimate the impact of company culture.

So, what makes up company culture? Company culture is the character of a company. It sets the tone of the environment in which employees work daily. Company culture includes a variety of elements, including company strategy, mission, vision, values, policies and behaviors. Recently, many major organizations like Google and Microsoft are revamping policies and procedures to address issues such as sexual harassment, racism, and discrimination because of the negative impact these cultural behaviors have had on the overall success of the company. Policies and procedures are tools that can be used to hold individuals accountable for their behavior. The key is ensuring that everyone adheres to the rules. It is also important to visibly reward good behavior and punish bad behavior on a consistent basis.

Once policies and procedures are put in place, it is important to gauge their effectiveness. Are the policies being followed and do they need to be modified in any way? Organizations that are truly committed to the idea will institute monitoring mechanisms to ascertain this information. Oversight and reporting tools that are properly implemented will allow employees at all levels to feel free to report breaches without fear of retribution. The actions of the oversight function to move quickly and consistently on reports will encourage a culture of accountability. The lack of such functions leaves an enterprise at risk of high-turnover, unmotivated employees, and even potential lawsuits. Tools and procedures such as anonymous hotlines, required compliance training, and explicitly stated company values could be viewed as ways to mitigate such risk.

Simply instituting tools, policies, and procedures could be largely ineffective if the organization’s leadership doesn’t first take a long hard look at the current state of affairs. What is the employee demographic (age, gender, educational status, etc.)? Understanding backgrounds and human behavior can be key to having a clear picture of the culture within an enterprise. For instance, studies have shown that millennials view and respond to the world, including the workplace, in a very different way than older professionals. Understanding people helps an organization refine its culture, including the inherent risks associated with it.

There are many factors that typically impact the culture of an organization, including industry regulations, the competitive environment and economic climate. These factors have direct and indirect influence on how people make decisions on a daily basis. Leadership should set clear expectations about what is acceptable behavior in light of these factors. Influencing culture is not easy and can be time-consuming and costly. However, the cost of doing nothing can be even greater.

Category: Risk Management
Published: 9/19/2019 3:00 PM


(18/09/2019 @ 22:01)

Sizing Up Email Security Protocols


K. Harisaiprasad

Given the many instances of email security compromises, it has become vital to provide additional security to email from the domain administrator level. Security protocols such as Domain-based Message Authentication, Reporting and Conformance (DMARC), DomainKeys Identified Mail (DKIM), Sender Policy Framework (SPF) and Brand Indicators for Message Identification (BIMI), which are used to prevent address spoofing, are considered below.

Before getting into the security protocols, spoofing needs to be understood. Spoofing is the act of disguising a communication from an unknown source as being from a known, trusted source. Spoofing can apply to emails, phone calls, websites, IP addresses, etc. In email spoofing, an email header is forged so that the message appears to have originated from someone or somewhere other than the actual source. The objective is to get recipients to open or respond to the emails. There are many email spoofing portals from which emails can be sent to a recipient as if they originated from the real domain; such spoofing is called direct domain spoofing. DMARC, DKIM, SPF and BIMI can be used as authentication and validation tools in many of these instances.

DMARC is an email authentication policy and reporting protocol. It lets a domain owner declare whether the domain uses DKIM and/or SPF, tells receivers how to handle messages that fail authentication according to the published policy, and helps the owner monitor and improve the domain’s protection against fraudulent email. A receiver detects such messages and, depending on the configured policy, discards or blocks them. DMARC addresses domain owners and receivers in the following ways:

Domain owners:

  • Informs usage of email authentication DKIM, SPF
  • Collects feedback about email messages using their domain – authentic or not
  • Sets policy to report, quarantine or reject the message

Email receivers:

  • Ensures the email domain uses email authentication
  • Continuously evaluates SPF and DKIM along with what recipients see in their inboxes
  • Applies the domain owner’s preference (report, quarantine or reject) to messages that do not pass authentication checks
  • Provides the domain owner feedback about messages using their domain

DKIM validates the identity of the email domain through cryptographic authentication by attaching a new domain identifier. It differentiates domains used by the known organization from domains used by others through the Signing Domain Identifier (SDID). Figure 1 shows the DKIM model, in which the process of message validation is depicted. The DKIM service provides a responsible identifier to the assessor, which evaluates the identifier against an assessment database and provides input to the handling filter. This filter uses various factors, such as ancillary information from DKIM validation, to provide input to the recipient.

SPF is a type of Domain Name System (DNS) TXT record that identifies which servers are permitted to send email on behalf of your domain. The purpose of the SPF record is to detect and prevent spammers from sending messages on behalf of your domain.

BIMI is a centralized method across multiple email providers to display the brand’s logo along with email messages. It helps to identify legitimate senders and reduce the number of fraudulent messages being opened or read. This protocol has been adopted by more than 81 leading email sending domains.

These protocols are effective only when the email domain administrator publishes them in DNS as TXT records or enables them through the email hosting provider’s admin console. This is done so that receivers can verify whether a particular email came from the domain it claims to have been sent from.

The above options are not perfect solutions for email security: compromised accounts can send email from within the domain itself, a separate domain that uses DKIM and SPF can be set up, and many commercial email hosts may not honor the sender domain’s settings. These protocols provide enhanced security but are not 100 percent fool-proof. There are also cloud solutions on the market for preventing email security compromises that show promising results.
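As an added example (not code from the article or from ISACA), the following Python sketches what a receiving mail server does with the records described above: it parses a DMARC TXT record, evaluates an SPF record for a sending IP, checks that the authenticated identifier aligns with the visible From domain, and applies the published report/quarantine/reject policy. All domain names, addresses and records are constructed (reserved example.com/.org/.net names and RFC 5737 test address ranges) and an in-memory zone stands in for live DNS. The last case illustrates the caveat above: a domain that publishes its own valid SPF record passes authentication, which proves where the mail came from but not that the domain is trustworthy.

```python
"""Receiver-side SPF and DMARC evaluation over constructed DNS records.

Added example, not ISACA's or the article author's code. Real receivers query
DNS; here a constructed in-memory zone stands in so the logic runs offline.
"""
import ipaddress

# Constructed zone: name -> TXT records (documentation domains, RFC 5737 IPs).
ZONE = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 include:mail.example.net -all"],
    "mail.example.net": ["v=spf1 ip4:198.51.100.10 ~all"],
    "_dmarc.example.com": [
        "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=r"
    ],
    # An unrelated domain with its own valid SPF and a monitor-only policy.
    "example.org": ["v=spf1 ip4:203.0.113.5 -all"],
    "_dmarc.example.org": ["v=DMARC1; p=none"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name):
    """Stand-in for a DNS TXT query against the constructed zone."""
    return ZONE.get(name.lower(), [])


def parse_dmarc(domain):
    """Return the DMARC tag/value pairs published at _dmarc.<domain>, or None."""
    for record in lookup_txt("_dmarc." + domain):
        if record.startswith("v=DMARC1"):
            tags = {}
            for part in record.split(";"):
                if "=" in part:
                    key, value = part.split("=", 1)
                    tags[key.strip().lower()] = value.strip()
            return tags
    return None


def spf_check(source_ip, domain, depth=0):
    """Evaluate the domain's SPF record for a sending IP (simplified RFC 7208).

    Supports ip4/ip6/include/all with the four qualifiers; a/mx/exists are
    omitted because the constructed zone carries no A or MX data.
    """
    if depth > 10:  # RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror"
    addr = ipaddress.ip_address(source_ip)
    records = [r for r in lookup_txt(domain) if r.startswith("v=spf1")]
    if not records:
        return "none"
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")):
            matched = addr in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            matched = spf_check(source_ip, term[8:], depth + 1) == "pass"
        elif term == "all":
            matched = True
        else:
            matched = False  # unsupported mechanism: treated as no match
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


def org_domain(domain):
    """Organizational domain; real code consults the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(candidate, from_domain, mode):
    """DMARC alignment: 's' = exact match, 'r' = same organizational domain."""
    if mode == "s":
        return candidate.lower() == from_domain.lower()
    return org_domain(candidate) == org_domain(from_domain)


def dmarc_evaluate(from_domain, envelope_domain, source_ip,
                   dkim_domain=None, dkim_valid=False):
    """Apply the From domain's DMARC policy to one message.

    from_domain: domain in the visible From: header (what DMARC protects);
    envelope_domain: MAIL FROM domain that SPF is evaluated against;
    dkim_domain/dkim_valid: d= of a DKIM signature and whether it verified.
    """
    policy = parse_dmarc(from_domain)
    spf_result = spf_check(source_ip, envelope_domain)
    if policy is None:
        return {"disposition": "no-policy", "spf": spf_result}
    spf_aligned = spf_result == "pass" and aligned(
        envelope_domain, from_domain, policy.get("aspf", "r"))
    dkim_aligned = bool(dkim_valid and dkim_domain and aligned(
        dkim_domain, from_domain, policy.get("adkim", "r")))
    disposition = "pass" if (spf_aligned or dkim_aligned) else policy.get("p", "none")
    return {"disposition": disposition, "spf": spf_result,
            "spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned}


if __name__ == "__main__":
    cases = [
        ("example.com", "example.com", "192.0.2.7", None, False),       # listed server
        ("example.com", "example.com", "198.51.100.10", None, False),   # via include:
        ("example.com", "example.com", "203.0.113.99", None, False),    # unauthorized IP
        ("example.com", "example.org", "203.0.113.5", None, False),     # SPF pass, not aligned
        ("example.com", "relay.example.net", "203.0.113.99", "example.com", True),  # DKIM
        ("example.org", "example.org", "203.0.113.5", None, False),     # own SPF, p=none
    ]
    for case in cases:
        print(case[:3], "->", dmarc_evaluate(*case))
```

The fourth case is the one DMARC adds over plain SPF: the envelope domain passes SPF on its own, but because it does not align with the From domain the published p=reject applies. The alignment modes come from the owner’s adkim/aspf tags, so the same record controls both how strict the check is and what the receiver should do on failure.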

Category: Security
Published: 9/17/2019 3:01 PM


(16/09/2019 @ 21:06)

Has GDPR Been a Success So Far?


Laszlo Dellei

Since 25 May 2018, the General Data Protection Regulation (GDPR) has been providing unified rules for data processing, requiring wider protection for the rights and interests of data subjects, and establishing important guidelines around the flow of information in the European Union. One year later, the first “anniversary” of the GDPR offered an exceptional opportunity to assess past achievements and to set goals for the future, which were summarized in the communication from the European Commission to the European Parliament titled “Data protection rules as a trust-enabler in the EU and beyond – taking stock.” The report shows that, despite being described as a giant leap into the unknown, the measures taken by the relevant stakeholders ensure the success of the new regulation.

The document focuses on legal framework, data protection governance systems, data subjects, controllers and international flow of personal data. Generally, the Commission concludes that the application of the GDPR should be considered successful in many areas, because many objectives set by the European legislators have been achieved. This success extends beyond the borders of Europe since the regulation has a global impact. On the other hand, as pointed out by the Commission, there are still aspects of the GDPR that need further action from the stakeholders.

Besides being a legal act, the GDPR is an instrument fostering a European “data protection culture.” Application of and compliance with the GDPR requires actions from all actors involved, such as legislators, supervisory authorities, data subjects and controllers. Adoption of the relevant measures was intended to change their cultures and behaviors. Those stakeholders were therefore invited to contribute to the process of establishing the practices surrounding the GDPR through public commenting or by working with various authorities such as the European Data Protection Board.

For instance, parliaments and other regulatory bodies carried out the revision of the current legal framework, and, as a result, several laws have been adopted, amended or repealed. Most supervisory authorities have successfully adopted the necessary measures to effectively exercise their competences provided by the GDPR. Furthermore, the European Data Protection Board, as a platform of cooperation for these authorities, and the European Court of Justice, traditionally interpreting European law, provide guidance in order to achieve a more harmonized practice.

Meanwhile, data subjects and controllers have become more aware of the rules regarding data processing. Individuals are more mindful of controlling their personal data; thus, they exercise the rights provided by the GDPR more effectively than ever. On the other hand, controllers had to revise their activities, and to make the necessary modifications in order to comply with the new provisions.

The regulation provides unified rules for the proper flow of information within, from and into the European Economic Area. Instruments such as adequacy decisions or standard contractual clauses have been successfully applied in the past as well as under the GDPR. On the other hand, new institutions – e.g. certifications or codes of conduct – have been regulated to further ease trans-border transfer of personal data and to provide wide protection to data subjects. Furthermore, from the US through the Middle East to the Far East, many countries have adopted measures in order to harmonize their data privacy legislations with the GDPR, sometimes adapting to the new regime of data protection, sometimes even copying certain solutions or institutions. Thus, the impact of the regulation may be felt beyond the borders of the EU.

On the other hand, there are certain areas where the objectives of the GDPR have yet to be achieved. For instance, supervisory authorities should exploit all opportunities provided by the new regulation, especially in the field of cooperation. In a unified European area of data protection, interactions and cooperation between these institutions, such as joint investigations or mutual assistance procedures, are inevitable but have not yet taken hold. The sanctioning system introduced by the GDPR, especially the system of fines, needs to be further harmonized. Since last fall, there has been a growing number of cases in which supervisory authorities imposed so-called “GDPR fines.” Contrary to the intent of the GDPR, the amounts of these fines vary significantly among the member states. Therefore, efforts should be made to ensure that violations of the GDPR result in the same sanctions everywhere across the member states; otherwise, so-called “forum shopping” might occur. Furthermore, the international flow of personal data should be further considered. Certification schemes or codes of conduct may serve as useful instruments for facilitating trans-border data flows. Yet the application of these tools at the national as well as the European level lags behind other provisions of the GDPR. Finally, legal harmonization with the GDPR and the adoption of new laws need to be continued, such as with the ePrivacy Regulation, which requires further revision of the legislative framework.

One might ask whether the GDPR is a success. Although it has been applied for only a little more than a year, the GDPR has already made a great impact on almost all aspects of our lives, activating different stakeholders and providing wider protection to data subjects. Thus, as an instrument fostering a European “data protection culture,” the regulation is highly successful. On the other hand, the deficiencies identified by the Commission in the communication may, and hopefully will, be resolved in the near future. And since the document is only the first in a line of reports on the implementation of the GDPR, count on the progress of further harmonization being continuously monitored.

Category: Privacy
Published: 9/16/2019 3:08 PM


(13/09/2019 @ 00:19)

Last updated: 22/09/2019 @ 04:13