Wednesday, December 29, 2010

ROBO Priorities

"A study conducted by industry analyst Enterprise Strategy Group found that the top three IT priorities for remote office / branch office (ROBO) locations were driven by business priorities: to improve information security, ensure regulatory compliance, and enhance disaster recovery. However, the many choices in data protection technologies and approaches, coupled with a wide range of vendors to choose from, can make data protection planning a daunting endeavor."


A white paper released by HP drills deeper into these challenges and into the considerations for a better approach to data protection. It explains the set-up and use of ROBO sites for backing up and safeguarding data in a variety of situations, from a small business whose ROBO site consists of a few mobiles and laptops to very large duplicated data centres linked by online access through archives on disk or tape.

A good overview of an important area. You can download the white paper here.

Tuesday, December 28, 2010

The Emerging World of Internet TV

There is another security threat looming, and it's a big one. Before long, all electronic devices will be connected to the internet, including refrigerators, stoves, microwaves, home security systems and TVs. Some of them already are. This year will see a boom in Internet TV: Apple TV, Google TV, and various manufacturers like Sony and Samsung rushing to come out with internet-enabled TVs.

This trend has been predicted for many years, but now it is actually coming to fruition.

What does this mean for IT audit? First, the new applications do not necessarily give much consideration to security, so the new connections often contain holes that can be exploited by hackers. To the extent that such devices are connected to the internet, hackers have a highway into a corporate system. This already happens with the much-ignored area of online printers and fax machines. Soon it will happen with the TV in the staff lounge or the refrigerator in the lunch room. Seeking out these security holes and plugging them will be the job of the security professionals, and checking up on them the job of the IT auditors. This article explains some of the ramifications.

It's an exciting new era!

Friday, December 24, 2010

The Top Ten Security Stories of 2010

It has been an active year in the IT world, with lots of new security implications for companies to consider. Mobile devices continue to proliferate, cloud computing continues to take off into the stratosphere, threats from insiders (such as disgruntled employees and former employees made so by hard economic times) have increased, Wikileaks has shattered all our illusions about privacy, botnet gangs have grown and become more visible, and so on and on. There are big implications for governments in ensuring the security and privacy of their systems, and also for private businesses, which are having to implement new policies on the fly to cope with the rapidly changing landscape.

It makes the work of IT auditors challenging, to say the least, and points to the pressing need for those auditors to stay on top of emerging IT trends. For Informationweek's take on the top 10 security stories of 2010, check out this link.

Monday, December 20, 2010

IBM Releases its 2010 Global Risk Study

IBM Global Business Services has released its 2010 Global Risk Study, in which it asked 560 IT managers and CIOs in all types of companies all over the world about IT risk: what their biggest obstacles are, where their biggest challenges lie, and where they see the greatest potential for adding business value.

A majority felt their organization is making progress with risk, but 82% felt that their level of risk mitigation is less than expert. Some of the biggest risk areas were quite predictable, given the trends in IT. Social media was regarded as a risk area, as were cloud computing and mobile computing.

Mounting regulatory demands were cited as a source of the growing need to perform well in managing risk. Many felt, however, that although IT has become a core area for all businesses, management of IT risk has not kept pace with this fact.

The study has many predictable outcomes, but this does not change the fact that there is much to be done in managing IT risk as the world of business quickly becomes more automated, and more susceptible to failure from poor management of IT risk. To download the report, click this link.

Thursday, December 16, 2010

Data Integrity

The AICPA Trust Services/Data Integrity Task Force is charged with the job of updating and maintaining the Trust Services Principles and Criteria (TSPC) and creating a framework of principles and criteria to provide assurance on the integrity of information.

The Task Force has recently developed an Audit Guide, Reporting on Controls Over a Service Provider's System Relevant to the Security, Availability, Processing Integrity, Confidentiality or Privacy of User Entities' Information - An Application of the Trust Services Principles and Criteria. For more on the guide, click here.

Also, it's worth checking out the AICPA page on the Task Force at this link.

Friday, December 10, 2010

E-Mail is the Big Security Culprit

A new report from software vendor Awareness Technologies points to personal email services like Gmail, Hotmail and Yahoo Mail as being "increasingly responsible for the accidental or deliberate loss of customer and corporate data."

Some companies ban such personal email services, but many do not. These services are all web-based and subject to a high degree of pressure from hackers, who have developed techniques to capture login IDs and passwords and then go in and seize the data, either in the body of the messages or in attachments to them.

The findings resulted from a survey of data breaches at more than 10,000 sites. The survey also indicated that most of the data breaches could be traced back to the fault of employees, who were either poorly trained or gullible enough to fall for phishing expeditions.

One approach is to ban the use of personal email services on corporate computers, but this doesn't work well in today's environment since many employees mix their personal and business accounts. In addition, they often use their own personal computers or other devices for business purposes, and this is a growing trend.

Another approach is to embrace the use of personal email services and train the employees in their proper use and awareness of the threats that exist.

Since breaches arising from personal email services now outnumber those arising from the abuse of USB ports, previously the leader, email controls are more important than ever before.

For a report on the Survey, please check out this link.

Wednesday, December 8, 2010

The Need for Continuous Auditing and Continuous Controls Monitoring

When the foundations of modern auditing were formed, many years ago, the world was a simpler place. Most businesses operated out of one or two locations. They had a manufacturing plant or a retail outlet. Their inventories could be observed and their accounts receivable were due from regular customers who were not far away and could be contacted quite easily. The idea of balance sheet auditing reflected these facts and the idea formed that if you get the opening balances right and the closing balances right, then everything in between must be right. Only classification issues remain. This concept became the core of auditing and remnants of it remain to this day.

Then businesses grew more complex. And they went global. Now auditors were faced with the prospect of auditing assets like inventories in all, sometimes very remote, parts of the world. Even though the audit firms tried to grow so they could do global audits, they had trouble keeping up. It just wasn't practical to observe and confirm a majority of those assets and liabilities.

The recognition grew that reliance needed to be placed on internal controls to gain assurance that the assets and liabilities were being properly controlled while they were out of sight. And so the idea of controls based auditing gained prominence.

Over the past twenty years or so, the auditing profession, through its standards, has tried to find a good balance between the need to examine balances and the need to examine controls. Arguably it has never found a good and viable balance.

Add to the mix an increasingly sophisticated technology environment, with controls issues that most auditors do not understand, incredibly complicated accounting standards, and you have a recipe for disaster. And disasters have happened, with auditors being blamed and paying huge settlements and some CEOs and CFOs going to jail. Some informed observers have concluded that the modern global corporation is virtually unauditable.

A reasonable answer to this seemingly impenetrable conundrum has been the idea of continuous auditing (CA). CA, the argument goes, enables auditors to gain the ongoing assurance they need that the controls to safeguard the assets and record the liabilities are in place and operating properly. CA is accompanied by the idea of Continuous Controls Monitoring (CCM). The idea is that there is a good CCM system in place that the auditors monitor, from which they receive exception reports whenever anomalies enter the system. With this information they can identify issues on a timely basis and act on them without waiting for the year-end audit.

This is a good concept, but the reality is that good CCM systems have been few and far between. As a result, CA has not achieved the level of acceptance that it deserves, and that is needed to address the continuing and very real issues around the auditability of a modern corporation.

A good deal more effort needs to be placed on the development and deployment of good CCM systems - systems that will enable the auditors to do the job that is demanded of them in the 21st century. With current technology, such systems are feasible, and are being developed. Selection of such systems has become a critical process. A recent article in the ISACA Journal (subscription needed) outlines a ten-factor model for evaluating CCM systems. CA and CCM are a solution to the auditing dilemma that is long overdue, is now feasible and needs to be acted upon.
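To make the exception-reporting idea concrete, here is an added illustration (not code from the post or from any CCM vendor): a tiny CCM rule set run over a constructed batch of journal entries, producing the exception list an auditor would receive. The rules, user names, approval limits and entries are all hypothetical.

```python
# Added example (not from the post): a minimal continuous controls monitoring
# (CCM) rule set run over a constructed batch of journal entries, producing the
# exception report the auditors would receive. All names and limits are hypothetical.
from datetime import datetime

# Constructed sample entries, as a system might export them.
SAMPLE_ENTRIES = [
    {"id": "JE-1001", "user": "alice", "approver": "bob", "amount": 4200.0, "posted": "2010-12-06 10:15"},
    {"id": "JE-1002", "user": "carol", "approver": "carol", "amount": 900.0, "posted": "2010-12-06 14:40"},
    {"id": "JE-1003", "user": "alice", "approver": "bob", "amount": 75000.0, "posted": "2010-12-06 23:55"},
]
APPROVAL_LIMITS = {"bob": 50000.0, "carol": 10000.0}  # hypothetical approver limits
BUSINESS_HOURS = (8, 18)  # postings outside 08:00-18:00 are flagged

def rule_segregation(entry):
    """Segregation of duties: the preparer must not approve their own entry."""
    if entry["user"] == entry["approver"]:
        return "preparer approved own entry"
    return None

def rule_approval_limit(entry):
    """Authorisation: the amount must not exceed the approver's limit."""
    limit = APPROVAL_LIMITS.get(entry["approver"], 0.0)
    if entry["amount"] > limit:
        return f"amount {entry['amount']:.2f} exceeds approver limit {limit:.2f}"
    return None

def rule_business_hours(entry):
    """Timing: postings outside business hours are anomalies worth a look."""
    hour = datetime.strptime(entry["posted"], "%Y-%m-%d %H:%M").hour
    if not BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]:
        return f"posted at {hour:02d}:xx, outside business hours"
    return None

RULES = [rule_segregation, rule_approval_limit, rule_business_hours]

def monitor(entries):
    """Run every rule over every entry; return exceptions as (entry id, rule, detail)."""
    exceptions = []
    for entry in entries:
        for rule in RULES:
            detail = rule(entry)
            if detail:
                exceptions.append((entry["id"], rule.__name__, detail))
    return exceptions

if __name__ == "__main__":
    for entry_id, rule, detail in monitor(SAMPLE_ENTRIES):
        print(f"{entry_id}: {rule}: {detail}")
```

In a real deployment the rules would run on a schedule against a live export, and the exception list would go to the auditor rather than to standard output.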

Monday, December 6, 2010

Wikileaks - A Call for Security Review

It is widely known by now that the sensitive data given to Wikileaks, and then to the world, was originally obtained by Private Bradley Manning, who downloaded the data to CDs and then passed them over to Wikileaks. A cursory look at this occurrence leads one to observe that it is probable that some of the most basic tenets of information security were not being followed by the military.

The principles of need-to-know and least privilege form the foundation of any security system. They mean that people are only given access to the information they need to do their jobs. In addition to the fact of access, the level of access should also be guided by these principles. Virtually all systems provide for setting access levels as needed. The system will provide, for example, that the users having access to the information can do one or more of the following: read, copy, create, edit. So one user might be able to read only, while another might be able to edit.

We know that Private Manning had access to the information and had the ability to read it and copy it. In addition, the drives on his computer were not disabled to prevent information being copied and removed, as happened in this case.

The question then is: did Private Manning need to have these access rights in order to do his job? We don't know, but logic would indicate that he likely did not.

Whether or not he did have that need, the situation is a wake-up call for businesses to review their access privileges and consider whether the access provided to their information, especially the more sensitive variety, is in accordance with the basic principles of good security systems. Failure to establish such compliance could be very expensive in the age of Wikileaks. Check out this excellent article on this topic.

Friday, December 3, 2010

Mobiles are Computers and Deserve the Same Level of Security

With the proliferation of mobile units attached to corporate systems, IT personnel are losing control of their systems. Mobile units such as smartphones, iPads and the like are not mere cell phones; they are powerful computers. The problem is that a great many organizations have not yet acted on this simple fact, even though they know it.

Security for mobile devices has not reached anything like the level of sophistication found on more mature computing platforms, so the exposure is considerable. Here are the major threats, each paired with the kind of mobile security solution that addresses it:

Mobile Threat - Mobile Security Solution
Malware - Antivirus and antispam features
Loss and theft - Ability to lock, locate, wipe and restore
Direct attack - Firewall technology
Data communications interception - VPN and encryption solutions
Exploitation and misconduct - Filtering capabilities

Many organizations need to conduct more rigorous risk analyses for their mobile devices and begin the process of implementing the appropriate solutions. While many of those solutions are still rudimentary, the threats cannot be ignored. This white paper explores this area at a relatively high level.

Wednesday, December 1, 2010

Smishing and Vishing

As if there weren't enough threats plaguing the average cyber-citizen, now there are some new ones. The FBI has recently issued a warning to shoppers for the holiday season. Smishing is the same idea as the familiar phishing we encounter every day on the internet; the difference is that smishing takes place using SMS text messages. And of course, those are growing in popularity beyond the ranks of the under-25s, for whom texting is an obsession.

Vishing is also similar to phishing, but makes use of voicemail. Not as trendy, but potentially effective for the naive and uninformed.

So take care over the holidays, and beyond, and watch out for smishing and vishing! For more, check out this link.