RSS - Isaca.org

ISACA Now: Posts

http://www.isaca.org/Knowledge-Center/Blog/Lists/Posts/AllPosts.aspx


RSS feed for the Posts list.


First Things First: Know Your Data

Baan Alsinawi

It’s been three years since the U.S. Office of Personnel Management’s (OPM) two data breaches shocked the country and spawned immediate cyber initiatives in response to the theft of millions of highly sensitive records – possibly now resulting in identity fraud, as reported by the Wall Street Journal. In the months that followed, the nation’s agencies were required to make an honest accounting of vital systems and the state of their security.

Although the new processes will not mitigate the full impact of the OPM hack, we now have access to a better process for identifying and managing critical assets or high value assets (HVA), which are defined as information systems, information and data so essential that unauthorized access, use, disclosure, disruption, modification, or destruction could cause significant harm to national security or interests, and to an organization’s business operations.

It is equally important to keep in mind that the single most important part of the process is to fully understand what makes up a high value asset, regardless of whether you are in the public or private sector. In talking to many CISOs over the past few years, it is clear many organizations are still not sure what constitutes their most valuable assets and, as a result, cannot adequately protect their “crown jewels.”

As part of the risk management process, I encourage all my clients to take a step back, so they can truly see the big picture in understanding their critical data assets. While this seems rather fundamental, it is still very much a challenge for many security professionals today.

The key takeaway is that until organizations, public and private, have a firm grasp on what their most valuable assets are, it is practically impossible to develop an effective security program. Organizations that move forward without this knowledge generally invest time and resources that are not based on a solid foundation where critical assets are identified, business impact analysis performed and risk-based decisions executed accordingly. The results may yield a false sense of security, especially since they are not based on risk modeling and situational awareness.

To its credit, the U.S. federal government has issued several informative security bulletins to address prioritizing risk based on the value of its information assets, including several worthwhile ones that give users a good place to start:

  • OMB M-16-04 details the Cybersecurity Strategy and Implementation Plan (CSIP).
  • OMB Circulars A-123, A-130 and OMB-M-13-13 outline requirements for identifying assets, maintaining inventories, performing risk assessments and addressing risks related to assets and
  • OMB M-17-09 lists additional agency obligations and introduces the Agency HVA Process for managing risk to HVAs across the enterprise.

In addition, the Department of Homeland Security, which is vested with the authority to define agency information security policies and practices, collaborated with NIST on an HVA Control Overlay. Risk management professionals, government or not, will find it provides valuable information on how they should implement critical security controls for their high value assets to mitigate against known threats and weaknesses.

As I tell my clients, always remember that compliance is a means to the objective of effective risk management. It’s so important to always take a step back and look at the big picture, so you can define and quantify the value of your assets and the business impact. Make sure the conversation is a business-focused one about what matters most to the board, agency heads and key stakeholders. Start by mapping critical assets to business priorities, beginning with an initial gap analysis that addresses the business impact. Then, identify the corresponding frameworks, and be on the path to effective risk management—all centered around your HVA.

When your foundation is solid, fulfilling the control requirements is much easier, and more importantly, you have the benefit of knowing that your sense of security is real.

Category: Risk Management
Published: 7/19/2018 3:07 PM

(18/07/2018 @ 19:39)

Harnessing the Hacker Mindset

Keren Elazari

Editor’s note: Keren Elazari, cybersecurity analyst, author and researcher, will give the closing keynote address at CSX Europe 2018, to take place 29-31 October in London, UK. Elazari recently visited with ISACA Now to discuss the hacking “ethos,” whether data privacy should be considered a right or a privilege, and more. The following is a transcript, edited for length and clarity.

ISACA Now: What prompted you to take an interest in cybersecurity research and analysis?
In one word: Curiosity. Always asking more questions, always poking fingers into things I don’t understand – I believe that is the quintessential hacker mindset and that is what has always defined who I am. Even as a child, I was always really interested in technology and curious about how things worked. I would break things, take them apart, crawl under the table to disconnect the cables and see what would happen if I put them somewhere else.

An important milestone for me was the movie “Hackers” that came out in 1995. I always talk about this movie as my inspiration, because it really gave me a context for hacking: hacking as a calling, a life choice. It showed me a hacker could be a hero of a story, and that hero could be a high school girl just like me! In the movie, it’s Angelina Jolie, pretty much the coolest person in the world from my point of view. Everything was exactly right for me in that cultural moment; it was exactly what I needed to see and hear to understand it was my calling. That’s why I am proud to call myself a hacker. My idea of a hacker is perhaps, somewhat romantic, but I consider the friendly and ethical hackers out there in the world as a vital part of culture, society and the economy, pushing forward the evolution of technology and acting as a much needed “immune system” for the information age.

I wear many professional hats: strategic advisor, business analyst, academic researcher and author. I’ve worked as a security architect, risk management consultant and product manager; yet in any role and organization, I’ve always held that hacker–hero ethos at heart.

ISACA Now: In what areas must the cybersecurity workforce make the most strides if organizations are going to be equipped to deal with the evolving threat landscape?
Despite widespread automation of technology and defensive security solutions, I do believe there always will be room for humans in the equation. As AI, big data, algorithms, automation, machine learning, and adaptable technology become more prevalent, 70-80% of cybersecurity tasks will be automated and drilled down to a science. That means defenders must become more like data scientists and feel at ease with managing and utilizing such tools and leveraging them to gain a better understanding of threats and the security posture of organizations.

It also means that the hard-to-find 20-30% of threats and security problems will become harder to identify. This is where the ART comes in. This is where the tasks human defenders will deal with become less methodical and more creative, more hacker-like, more innovative. In order to make the alchemy of science plus the art of security work in harmony, we must also harness the hacker mindset and invest in skillsets like digital forensics, incident response, threat hunting and red team testing. Those are the skills we should cultivate and in which we should invest today to be ready tomorrow.

ISACA Now: What are the biggest barriers that must be dealt with to improve diversity within the cybersecurity workforce?
First, I’d like to say that there’s no doubt in my mind that the community and the industry are changing and maturing, becoming more diverse and open to other voices and perspectives all the time. This is incredibly exciting to witness, as I still recall going to my first hacker event in Tel Aviv back in 1999 and being the only young lady in a set of 200 guys and one woman (who was the lead organizer).

Now I see more and more women, more people from all walks of life, genders, backgrounds, ages, finding their place and their voice in this community. One metric of this change, and one way we can do even better, is by featuring and curating content from more diverse speakers at conferences.

Another aspect is for the HR departments and managements of organizations to find ways to create onramps, entry level programs and skill building initiatives – not just to get more women into the community and industry, but generally to create multiple pathways for more people to join our forces.

ISACA Now: What concerns you most about how cybercriminals can impact the world of politics?
While in 2018 it’s no surprise to anyone that criminals and certain nation-states have been using cyber-based capabilities and technology to influence and manipulate the geopolitical landscape, there is little being done to prevent this from happening again. This is a global, cross-border problem with very few organizations that can work together to prevent it.

Should it be dealt with by INTERPOL? Or the FBI? Perhaps NATO? I don’t have the answers to that. This is not just a US issue, as it’s not affecting just the US elections (we have seen such attempts, for example, during the 2017 French presidential elections, across Latin America, and elsewhere). In 2018, it should come as no surprise that politicians who want to influence the world and have talented hackers in their country would try to harness them to use that power to shape the world to their liking. We shouldn’t be so shocked to know that; it’s a reality. What’s more urgent, in my opinion, is how to work together between nations and borders to protect democracy.

ISACA Now: Data privacy has emerged as a major issue not only in the EU, but worldwide. What aspects of data privacy do you expect will be most challenging for security practitioners as the number of connected devices in use continues to explode?
As we connect more elements of our lives and make them smarter, we also are allowing data collection about individuals to occur in a scope never before made possible. I believe we must reconsider our notions of secrets, of personal privacy and corporate transparency, and the way technology and big data fuels the next wave of innovation.

That means our future may be defined not just by our efforts to balance technology’s benefits against the risks it brings with it, but also by how we evolve our notions of privacy and digital access to information. I think we must ask ourselves: Is privacy a basic human right? Perhaps in the “information age,” we should consider privacy a privilege one must work hard to maintain.

Category: Security
Published: 7/18/2018 3:08 PM

(17/07/2018 @ 21:55)

Blockchain Initiatives and Realistic Implementation

Sonia Mundra

These days, when we turn on the television or listen to the news, we are likely to hear about the latest hot topic in technology: blockchain. Typically, a breathless announcer is giving news of the latest ups and downs of the popular cryptocurrencies, such as Bitcoin and Ripple. Our society seems to be mesmerized with the “Bitcoin phenomenon” and its seeming financial volatility.

We have also heard the stories of Mt. Gox and other scurrilous entrepreneurs who have bilked investors out of their savings. Due to this type of coverage, cryptocurrencies sound to most like a sham and something that has nothing to do with the fundamentals of our businesses. However, nothing could be further from the truth. Blockchain, the technology that powers Bitcoin and other cryptocurrencies, has many different use cases, and has the potential to absolutely transform not just information technology (IT), but also identity management, land management, voting, shipping, records management and nearly every other industry that you can imagine.

Blockchain can essentially be described as the new standard for securing data. Traditionally, data has been stored in a centralized database with a single (human) system administrator or central authority who gives users access to the database and validates transactions. Centralized data warehouse storage is viewed as inferior to blockchain because it has a single point of failure that can be penetrated or hacked. Databases with a central authority also require the special skills of a system administrator, bank, lawyer or notary, which increases both costs and time to market for goods and services.

Blockchain, on the other hand, can be defined as a distributed, or decentralized, database. Both physical (tangible) and intangible assets can be digitized, and the digital footprint of the asset can be stored on a blockchain. The digital blockchain that is used to represent the asset in question is stored on multiple systems and computers. Each computer system has a designated user, or administrator. If the owner of the digital asset wishes to make a change to the asset (for example, transfer of ownership), then the change must be approved by all system users, for the change to be validated and subsequently transacted. Every change in the asset becomes another block in the blockchain, with each block having its own special key.

Recording of changes provides a clear audit trail for executive leadership and for external audits. Blockchain distributed ledgers provide what is known as “consensus-based permission.” If a hacker attempts to alter one blockchain, secure blockchain technology will not permit the change since all the distributed blockchains must sync, or reconcile to each other, for the change to be considered valid. Blockchain databases are considered by technology pundits to be nearly hack-proof through their use of SHA-256 encryption and certainly more secure than traditional centralized databases, allowing only owners of digital assets to alter and make changes to the asset.
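The mechanics the two paragraphs above describe (blocks that commit to their predecessor, replicas on every node, a change that needs every node's approval, and a rejected attempt that still leaves a trace) can be shown in a few dozen lines. The following is an added teaching example written for this page; it is not code from the post nor from any real blockchain project. SHA-256 is used here as what it is, a hash function that links each block to the previous one. The `Ledger`, `Network` and `tamper` names, the four-node network, and the asset and party names (`painting-001`, `museum`, `thief`, `dealer`, `gallery`) are all constructed for the demo.

```python
"""Minimal hash-chained ledger replicated across several nodes.
Constructed teaching example; not the code of any real blockchain."""
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Optional

GENESIS_PREV = "0" * 64  # placeholder "previous hash" for the first block


@dataclass(frozen=True)
class Block:
    index: int
    prev_hash: str
    data: Dict[str, object]
    hash: str


def block_hash(index: int, prev_hash: str, data: Dict[str, object]) -> str:
    # SHA-256 over a canonical JSON encoding of the block contents (hashing, not encryption).
    payload = json.dumps({"i": index, "p": prev_hash, "d": data}, sort_keys=True)
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class Ledger:
    """One node's copy of the chain; every block commits to its predecessor."""

    def __init__(self) -> None:
        self.blocks: List[Block] = []
        self.append({"event": "genesis"})

    def append(self, data: Dict[str, object]) -> Block:
        index = len(self.blocks)
        prev = self.blocks[-1].hash if self.blocks else GENESIS_PREV
        block = Block(index, prev, data, block_hash(index, prev, data))
        self.blocks.append(block)
        return block

    def is_valid(self) -> bool:
        """Recompute every hash and link; any edit to history breaks a later link."""
        for i, b in enumerate(self.blocks):
            expected_prev = self.blocks[i - 1].hash if i else GENESIS_PREV
            if b.index != i or b.prev_hash != expected_prev:
                return False
            if block_hash(b.index, b.prev_hash, b.data) != b.hash:
                return False
        return True

    def owner_of(self, asset: str) -> Optional[str]:
        """Current owner = recipient of the last *approved* register/transfer block."""
        owner = None
        for b in self.blocks:
            if b.data.get("asset") == asset and b.data.get("approved"):
                owner = str(b.data["to"])
        return owner


class Network:
    """Every node holds a replica; a transfer needs every node's approval."""

    def __init__(self, n_nodes: int) -> None:
        self.replicas = [Ledger() for _ in range(n_nodes)]

    def register(self, asset: str, owner: str) -> None:
        for r in self.replicas:
            r.append({"event": "register", "asset": asset, "to": owner, "approved": True})

    def request_transfer(self, asset: str, requester: str, to: str) -> bool:
        # Each node independently checks that the requester is the current owner.
        approved = all(r.owner_of(asset) == requester for r in self.replicas)
        record = {"event": "transfer", "asset": asset, "from": requester,
                  "to": to, "approved": approved}
        # The attempt is written to every replica whether approved or not,
        # so a rejected (fraudulent) request still leaves an audit trail.
        for r in self.replicas:
            r.append(record)
        return approved

    def consensus_owner(self, asset: str) -> Optional[str]:
        """Owner per the majority of replicas whose chains verify; a replica that
        fails verification or disagrees with the majority tip is ignored."""
        tally: Dict[str, int] = {}
        for r in self.replicas:
            if r.is_valid():
                tip = r.blocks[-1].hash
                tally[tip] = tally.get(tip, 0) + 1
        if not tally:
            return None
        majority_tip, count = max(tally.items(), key=lambda kv: kv[1])
        if count * 2 <= len(self.replicas):
            return None  # no strict majority of healthy replicas
        for r in self.replicas:
            if r.is_valid() and r.blocks[-1].hash == majority_tip:
                return r.owner_of(asset)
        return None


def tamper(ledger: Ledger, index: int, new_data: Dict[str, object]) -> None:
    """Rewrite one historical block in place with a freshly computed hash (demo helper)."""
    old = ledger.blocks[index]
    ledger.blocks[index] = Block(old.index, old.prev_hash, new_data,
                                 block_hash(old.index, old.prev_hash, new_data))


def demo() -> Dict[str, object]:
    net = Network(n_nodes=4)
    net.register("painting-001", "museum")
    # The thief is not the owner, so no node approves the sale...
    sale = net.request_transfer("painting-001", requester="thief", to="dealer")
    # ...while an owner-initiated transfer is approved by every node.
    loan = net.request_transfer("painting-001", requester="museum", to="gallery")
    # One node rewrites its history to claim the thief was the registered owner.
    tamper(net.replicas[0], 1, {"event": "register", "asset": "painting-001",
                                "to": "thief", "approved": True})
    return {
        "thief_sale_approved": sale,
        "museum_transfer_approved": loan,
        "tampered_replica_valid": net.replicas[0].is_valid(),
        "blocks_recorded": len(net.replicas[1].blocks),
        "consensus_owner": net.consensus_owner("painting-001"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the three properties the post relies on: the thief's transfer is rejected by every node yet still recorded (the replicas end with four blocks: genesis, registration, the rejected attempt, the approved transfer); the replica whose block 1 was rewritten fails `is_valid()` because block 2 still carries the old predecessor hash; and the majority of intact replicas continue to report the gallery as owner.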

The implications of a more secure, more efficient way of tracking and storing digital assets and transactions are astounding. It helps to begin with an example. One of my favorite movies is “The Thomas Crown Affair.” If you remember the plot of the movie, a very valuable painting is stolen from an art museum. The insurance agent, whose employer does not want to pay the insurance settlement for the stolen painting, is very keen to track down the painting, which is the main asset in question. She proceeds to take a series of different actions to accomplish her mission. First, she tries to retrace the crime by visiting the art gallery. She spends time with the police and watches the surveillance videos. She then busies herself by contacting art dealers, looking for any signs that the asset may have changed ownership - in other words, been sold and changed its state from one asset into another more liquid asset (sold for cash).

Well, that was a lot of work for her, and made for a highly entertaining plotline. However, suppose the painting has been turned into a digitized asset and secured using a blockchain. As soon as the thief attempted to monetize the asset by transferring ownership, the transaction would immediately pop up on the blockchain. Those administrators who have a copy of the blockchain on their system would need to verify and all reach consensus that: (1) the person attempting to make the transaction is a valid or authorized user, and (2) the transaction itself is valid and authorized. In the case of the painting, as soon as that thief went to sell the painting, the authorized parties with the blockchain would know about it and be able to deny the transaction. The attempt to create that transaction, even though it did not actually happen, would be recorded on the blockchain itself. Therefore, the person in question (who was trying essentially to serve as a bad actor) would not be able to later deny her involvement in the attempted fraudulent act.

That characteristic of the blockchain is known as immutability. One might stipulate that if a thief knows that this is going to happen and she won’t be able to monetize the transaction, it might prevent her from stealing the asset, or attempting to make the fraudulent transaction in the first place. The interesting characteristic of blockchain is that this verification happens on the spot, so it’s not a situation where we go back to audit six months or a year later, and see that there has been a bad actor, or find a material misstatement. At that point, the horse is already out of the barn. Even if something is caught in an audit later, the reputational and financial damage to a company can be massive; just ask anyone who worked at Enron or Arthur Andersen in 2002.

Some might wonder if blockchain is redundant compared to current checks and balances already in place. For example, we already use title and insurance intermediaries to verify asset ownership and provide third party validation, prior to the sale of an asset, such as a house. However, it takes time for title companies to verify titles. It also, like nearly everything in life, costs money. Therefore, we can use other methods besides a blockchain to verify ownership and authorize transactions. However, is our current system the most efficient and effective method of verifying titles? With the advent of blockchain, the answer is: probably not. When choosing a method of verification, we want to achieve at least one objective: either reduce costs, reduce time or reduce risk. Blockchain is fascinating because it has the potential to achieve all three objectives. In an ideal world using the blockchain, we are reducing time involved in completing the transaction; we are reducing costs by eliminating the third-party verifier; and we are potentially also reducing the risk of fraudulent transactions or major errors much sooner in the business cycle, as opposed to after the fact, like we would with a traditional audit.

However, before we begin our journey into a blockchain-filled utopia, we need to consider the barriers to implementation. Blockchain is a new technology, requires an extraordinary amount of compute power, and is (right now) very expensive. Therefore, when considering whether to implement a blockchain, one must look first at the return on investment (ROI).

Blockchain ought to pay for itself; otherwise there is no point in having one. The most risk-averse way to implement one would be to start with a Minimum Viable Product (MVP) or Proof of Concept (POC) using a sample size of digitized assets – whether those assets are real property, like land or houses, or intangible assets, like patents or intellectual property. Going through this process allows us to look at all our data or assets, and decide which is most valuable. This would be a good practice in any environment, not just a blockchain implementation.

At the end of the day we must secure our data; either through some sort of data warehouse, SharePoint system, cloud or blockchain. Therefore, the first question we ought to always ask is: what are the most valuable data, the “crown jewels” of the organization? Once identified, we need to focus on securing them. This topic deals more with data security in general, but it is important to touch on it, since it is the foundation on whether an organization should implement a blockchain and for which data. Storing and securing data, via any method, is not cheap. No matter what the organization ends up using, the executives in charge should make sure that the ROI on that security method is high – in other words, that the money they are paying to protect that data is warranted and costs less than the actual value of the data itself.

Editor’s note: Sonia Mundra will present on this topic at the CSX North America 2018 conference, to take place 15-17 October in Las Vegas, Nevada, USA.

Category: Risk Management
Published: 7/17/2018 3:05 PM

(16/07/2018 @ 18:34)

For Whom the Web Trolls: Social Media Risk in your Organization

Nejolla Korris

There is no doubt that social media has penetrated the daily lives of billions of people. According to Statista, the number of monthly users of social media is slated to reach 3.02 billion people by 2021, which is around one-third of the world’s population. With social media becoming second nature to so many people in every corner of the world, the risk associated with its use is staggering.

We are online all the time creating a permanent archive of ourselves and our families. For many people, our personal posts spread into our professional lives as well. This has gotten us into the current state we’re in. Can we separate our personal selves from our business selves online? Will that post affect me professionally? Will the post affect the company I work for? All these questions are being played out online on a daily basis.

Understanding that social media is fluid and can change in an instant is a fact often overlooked by corporations. Keeping the lid on news or scandals, true or not, is difficult to manage. Some companies find themselves in social media scandals not of their own making.

Let’s go back to August 2017 and the “Unite the Right” rally in Charlottesville, Virginia. Violence erupted during the rally when protesters and counter-protesters clashed. Hundreds of photos were taken and posted online by the media, protesters and onlookers.

In many of the photos, protesters were seen carrying TIKI torches. When was the last time you saw a TIKI torch? According to the company’s website, “A yard illuminated by TIKI torches quickly came to symbolize the ultimate backyard gathering.” And now TIKI was catapulted into the public eye in a way that nowhere near symbolized the backyard gathering they envisaged. The riots forced TIKI to make public announcements on their website and social platforms denouncing the way their products were used in this circumstance.

As of July of this year, TIKI has only tweeted 443 times and has a scant 820 followers since they put up their Twitter profile in 2009 – hardly a robust Twitter following. But tweet they did once their products were seen associated with violence. The tweet relating to the riots has since been removed from their Twitter feed.

Many organizations’ social media policies remain vague with only skeletal guidelines on overall usage. Endless stories of turf wars on who controls social media along with a lack of general understanding of what can go wrong are pervasive organizational issues. For the most part, policies focus on the marketing aspects of social media rather than potential risk.

Now let’s toss a bit of social engineering into this mix. Social engineering is widely used by cybercriminals to gather data and figure out the best way to infiltrate an organization. They will scan the social profiles of staff, research the social profiles of the organization and evaluate the effectiveness and frequency of responses. Then they will launch their attack. An overwhelming amount of malware and ransomware attacks use social engineering to send believable phishing links to unsuspecting individuals.

The session I will give on social media risk at the GRC Conference next month in Nashville, Tennessee, USA, isn’t a story about how far we’ve come; it’s about the rapid pace by which we got here. It’s about the massive amount of information that can be mined about individuals, the places they work and the opportunities that become available to cybercriminals as a result. Understanding the inherent risks of social media is the first step in mitigating the dangers that may arise from its use.

Category: Risk Management
Published: 7/16/2018 3:00 PM

(13/07/2018 @ 20:09)

Why Problem-Solving Can Detract from Innovation

Luke Williams

Editor’s note: Luke Williams, author, professor of marketing at the NYU Stern School of Business and founder of the W.R. Berkley Innovation Labs, will give the closing keynote address at the GRC Conference 2018, to take place 13-15 August in Nashville, Tennessee, USA. Williams recently visited with ISACA Now to discuss how enterprises can spark more innovation, the concept of disruptive hypotheses and more. The following is a transcript of the interview, edited for length and clarity:

ISACA Now: How, if at all, is entrepreneurship different from what it was 10 years ago?
In the past 10 years, the public perception of “entrepreneurship” has shifted toward “disruptive entrepreneurship,” which is about trying completely new products and business models that haven't been tried before. Instead of staying small, disruptive entrepreneurship is focused on high-growth businesses.

We often contrast small business entrepreneurs as sort of “incremental” entrepreneurs; they're incrementally improving business models that have already been established. So, someone who wants to open a shoe store might take their own incremental spin on it, but that's pretty much what it is. Disruptive entrepreneurship is a different form of entrepreneurship and it requires a completely different skill set. As a result, it requires a different approach to education.

Ten years ago, this approach was very much focused on the business plan: this long, elaborate document with all these sorts of financial projections. There was emphasis on getting the plan right. There was little emphasis on prototyping and experimenting. That has been a significant shift in the last 10 years. What we’re really educating entrepreneurs on today is far less about writing a business plan and far more about putting that focus, time, and energy into trying out your idea.

ISACA Now: What are some of the most common missteps made by people who are starting their first business?
I think the biggest misstep or mistake is that people are focused on finding problems to solve. We’re obsessed (in America in particular) with problem-solving. We almost use “problem-solving” as a label for thinking. The problem with problems is they’re seductively clear. They’re screaming for your attention, which typically means that problems are all that are getting anyone's attention.

The richest areas for innovation are found in the seemingly unbroken aspects of the situation you're focused on, precisely because nobody else is looking at these things. Because nothing appears to be wrong, or because it’s not broken enough to be really a problem, that doesn't mean that there’s not an opportunity there.

Often, an adequate idea blocks the emergence of a better idea. Because something is adequate, people don’t feel the need really to look at an alternative way of delivering their model. If it’s not broken, they don’t see the need to spend the time and attention to fix it.

ISACA Now: What type of management style most lends itself to fostering innovative thinking among employees?
What I’m going to talk about at the conference is the difference between sustaining leadership and disruptive leadership.

Sustaining leadership means incrementally improving what you’re currently doing. It’s all about maintaining the continuity of the current business.

Building options for the organization’s future is about managers introducing prolific discontinuity into the business – not waiting for disruption to happen, but rather being proactive. You've got to disrupt yourselves.

There are a lot of managers running around saying they value innovation. Where I find the disconnect most readily occurs is in the metrics; most managers find they’re rewarding the status quo, basically incentivizing people to keep the existing system of continuity. They have to fix that disconnect and figure out how to actually start rewarding effort rather than result.

ISACA Now: Which themes from Disrupt: Think the Unthinkable to Spark Transformation in Your Business tend to surprise people the most? What kind of feedback have you heard that are kind of new, a-ha moments for people?
There’s a tool called “disruptive hypothesis.” With a regular hypothesis, we make a reasonable prediction of what we can do, and then we test that prediction. An example: if your phone wasn't working, you would predict that the battery was flat, so you'd charge your phone. If your phone starts working, your hypothesis was correct; if it doesn't, you need to formulate another hypothesis.

That’s OK for sustaining leadership. If you want to start growing through innovation, you have to get out of the habit of making reasonable predictions and into the habit of making unreasonable provocations.

So, you might start thinking, “Well, why does a phone even need a battery?” The difference is profound. The point of a “disruptive hypothesis” is to give yourself deliberate permission to be wrong and try to create a new idea.

If you’re in a brainstorm session and everyone’s nodding and going “Yeah! Great idea! We can implement that tomorrow!” it means it’s incremental; one of your competitors is already doing it or will be soon. A disruptive hypothesis is an intentionally unreasonable statement that gets everyone’s thinking flying in a different direction.

Another takeaway from the book, I talk about the “cult of personality” problem with innovation. It forms out of celebrity CEOs – Steve Jobs, Jeff Bezos, and Elon Musk – and reminds us that they’re role models of innovation. It’s all about their personalities, and it’s not productive. It’s not about actually creating new products and services. For all of us as innovators, our most important job is to educate and create more innovators. We need to treat innovation as a skill. This isn’t about asking them to change their personality.

I often use the metaphor of cooking; there’s a cooking show on every channel. Weirdly, we have a problem teaching people to cook, because it’s nothing more than, “We show you how to take the ingredients and arrange them into a meal.” It’s the same with innovation. Those recipes are ideas, and those recipes (your ideas) make the ingredients (your resources) more valuable. The cooking metaphor is powerful for people because this isn’t about inventing anything new; it’s just rearranging things we already have.

Category: ISACA
Published: 7/13/2018 3:09 PM

(12/07/2018 @ 19:56)

Last updated: 20/07/2018 @ 21:15