Thursday, December 29, 2011

ISC Listing of Information Security Resources

The International Information Systems Security Certification Consortium, Inc. has compiled a listing of links to useful information security resources, one of the most comprehensive available. It can be found on the ISC website using this link.

Monday, December 19, 2011

Endpoint Security is Changing Fast

Sophisticated social engineering techniques for hacking are becoming the norm, and the field is moving fast, such that traditional tools no longer do the job. The Advanced Persistent Threat (APT) is one manifestation of this trend. It involves sending people malware disguised as something that is likely to look familiar and plausible to them. APT messages are highly customized, based on knowledge of a person obtained from information available on the internet, through social media such as Facebook and perhaps other sources. They can even follow shortly after a person performs some action, such as paying bills on their bank's website. In such a case, the person might receive a message that the transaction has failed, or that their account has gone into overdraft, and that they should log in (to a bogus site) and verify it. There are countless variations.

Most of us are aware of many of these messages and don't get fooled by them. However, there is a possibility that one variation might be sufficiently relevant that we are fooled, and it might only take once to cause a lot of damage.

Companies are exposed because all of their employees are exposed, and might inadvertently expose corporate assets to theft or damage.

Various solutions are available, many cloud based, that are specifically designed to keep up with the rapidly changing trends in this area. It is imperative to keep up with these tools. Knee-jerk reactions such as prohibiting employees from using Facebook and the like just won't work. But some clearly defined and carefully designed policies around the use of corporate computers, resources and IDs are badly needed.

For more, check out this article.

Friday, December 16, 2011

IS Security Compliance with SOX

[Excerpted from "Security Via SOX Compliance," a new, free report posted this week on Dark Reading's Compliance Tech Center.]

Achieving compliance with Sarbanes-Oxley requirements remains a chief chore for all publicly traded companies—and a chief budget driver for IT compliance and security initiatives. Yet SOX’s computer security requirements remain vague, and auditors’ evaluations continue to be subjective.

IT managers often think of SOX as a technology mandate, but it is primarily an accounting and financial reporting mandate. Nowhere in the Sarbanes-Oxley Act will you see a reference to encryption, network security, password complexity or logging capabilities. Indeed, a SOX compliance effort should be driven by the business side, with IT playing the role of key facilitator.

So how do you approach compliance purely from an IT perspective? To pass a SOX audit, your company must implement security best practices for any system that touches anything and everything related to financial reporting and accounting systems. To achieve that goal, there are several elements you must put in place.

1. For Web-enabled applications, ensure that all sensitive data, along with authentication credentials, are Secure Sockets Layer (SSL)-encrypted. Most SSL implementations use RSA public/private key exchange for session setup and encryption. When an SSL session is set up, the Web server sends its public key to the client, and the client uses that public key to create a session key with the Web server.

2. Deploy all the common end-point protection tools that would be required in any secure environment. This applies primarily to end-point antivirus, malware protection, host intrusion prevention systems and client firewalls.

3. Reduce the operating attack surface on all clients and servers accessing critical financial systems. Most companies think they’re doing a good job here, but if employees are going to access critical financial and accounting applications from a fat client PC, there’s a whole lot more that needs to be done than simply performing Windows updates.

4. Consider application streaming or desktop virtualization for accessing critical financial and accounting applications. Most companies use streaming applications via Citrix XenApp or VMWare ThinApp to solve problems with performance, mobility and remote access. However, app streaming also is a terrific way to protect key applications from intruders.

5. Wrap your databases with activity monitoring and auditing software. SOX auditors are concerned primarily with the accuracy and integrity of your financial data. Simply stated, you should be auditing all activity on all tables that contain sensitive information.

To get the full details on these five tips -- and five additional recommendations on staying SOX-compliant -- download the full report on security and SOX compliance.
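As an added illustration of tip 5, not part of the Dark Reading excerpt or of this blog, here is a Python script using only the standard library's sqlite3 module. It installs insert, update and delete audit triggers on a constructed financial table, makes the audit log itself append-only (an audit trail that the application account can erase is worthless to a SOX auditor), and includes the check an auditor would actually run: which sensitive tables are missing their triggers. The table name, columns and sample values are constructed for the example.

```python
import sqlite3

# Constructed example: a table holding financial data in scope for SOX.
LEDGER_COLUMNS = ["account", "amount"]


def create_schema(conn):
    conn.executescript("""
        CREATE TABLE ledger (
            id      INTEGER PRIMARY KEY,
            account TEXT NOT NULL,
            amount  REAL NOT NULL
        );
        CREATE TABLE audit_log (
            id         INTEGER PRIMARY KEY AUTOINCREMENT,
            logged_at  TEXT NOT NULL DEFAULT (datetime('now')),
            table_name TEXT NOT NULL,
            operation  TEXT NOT NULL,
            row_id     INTEGER,
            old_values TEXT,
            new_values TEXT
        );
        -- The log must be append-only, otherwise the trail proves nothing.
        CREATE TRIGGER audit_log_no_update BEFORE UPDATE ON audit_log
        BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
        CREATE TRIGGER audit_log_no_delete BEFORE DELETE ON audit_log
        BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
    """)


def _row_expr(prefix, columns):
    # Render "col=value, col=value" from OLD.* or NEW.* inside a trigger body.
    parts = [f"'{c}=' || quote({prefix}.{c})" for c in columns]
    return " || ', ' || ".join(parts)


def install_audit_triggers(conn, table, columns):
    # Identifiers are interpolated into DDL, so table/column names must come
    # from trusted configuration, never from user input.
    old, new = _row_expr("OLD", columns), _row_expr("NEW", columns)
    conn.executescript(f"""
        CREATE TRIGGER audit_{table}_insert AFTER INSERT ON {table}
        BEGIN
            INSERT INTO audit_log(table_name, operation, row_id, old_values, new_values)
            VALUES ('{table}', 'INSERT', NEW.id, NULL, {new});
        END;
        CREATE TRIGGER audit_{table}_update AFTER UPDATE ON {table}
        BEGIN
            INSERT INTO audit_log(table_name, operation, row_id, old_values, new_values)
            VALUES ('{table}', 'UPDATE', NEW.id, {old}, {new});
        END;
        CREATE TRIGGER audit_{table}_delete AFTER DELETE ON {table}
        BEGIN
            INSERT INTO audit_log(table_name, operation, row_id, old_values, new_values)
            VALUES ('{table}', 'DELETE', OLD.id, {old}, NULL);
        END;
    """)


def unaudited_tables(conn, sensitive_tables):
    """Compliance check: sensitive tables missing any of the three audit triggers."""
    missing = []
    for table in sensitive_tables:
        rows = conn.execute(
            "SELECT name FROM sqlite_master WHERE type='trigger' AND tbl_name=?",
            (table,)).fetchall()
        have = {r[0] for r in rows}
        want = {f"audit_{table}_{op}" for op in ("insert", "update", "delete")}
        if not want <= have:
            missing.append(table)
    return missing


def audit_trail(conn):
    return conn.execute(
        "SELECT table_name, operation, row_id, old_values, new_values "
        "FROM audit_log ORDER BY id").fetchall()


def tampering_blocked(conn):
    """True if an attempt to erase the audit trail is rejected by the database."""
    try:
        conn.execute("DELETE FROM audit_log")
    except sqlite3.DatabaseError:
        return True
    return False


def demo():
    conn = sqlite3.connect(":memory:")
    create_schema(conn)
    before = unaudited_tables(conn, ["ledger"])   # ledger not yet audited
    install_audit_triggers(conn, "ledger", LEDGER_COLUMNS)
    after = unaudited_tables(conn, ["ledger"])    # now covered
    conn.execute("INSERT INTO ledger(id, account, amount) VALUES (1, 'AR-1001', 250.0)")
    conn.execute("UPDATE ledger SET amount = 2500.0 WHERE id = 1")
    conn.execute("DELETE FROM ledger WHERE id = 1")
    return before, after, audit_trail(conn), tampering_blocked(conn)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Triggers capture every change regardless of which application or ad-hoc tool made it, which is the point of "all activity on all tables"; what they do not capture is who read the data, so a production deployment pairs them with the database's own connection and query logging.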

Monday, December 12, 2011

Smaller Businesses Are Investing in More Powerful Technology

A recent survey by PWC revealed that smaller companies are placing emphasis on such technologies as social media and mobile computing. Both are rapidly becoming critical to effective business operations.

The study also found that they are particularly interested in cloud computing because it makes possible investing in advanced data management solutions such as ERP, which so far have been too big and complicated for many organizations. In the cloud, they can be obtained on a rental basis, which makes them financially viable. For more on this insightful survey, go to this link.

This means that some of the security and control implications of cloud computing and mobility will be increasingly prevalent in smaller businesses.

Wednesday, December 7, 2011

Audit Committees Concerned About IT Risk

The 2011 Public Company Audit Committee Member Survey - just released by KPMG's Audit Committee Institute - provides timely insights into the challenges, priorities, and expectations of today's audit committees.
Among other key findings, many of the 250 audit committee members responding to the survey said:
  • They are not satisfied that their oversight of various IT risks is effective, or that the company's strategic planning process deals effectively with the pace of technology change and innovation.
  • The one person they would most like to hear from more frequently is the CIO.
  • They want to spend more time with the CRO and mid-level management/business-unit leaders; and few are satisfied that they hear dissenting views about the company's risks and control environment, or rate their company's crisis response plan as "robust and ready to go."
  • The audit committee is devoting significant agenda time to legal/regulatory compliance risk, with the Foreign Corrupt Practices Act (FCPA), UK Bribery Act, and impact of the SEC's whistleblower "bounty" program of particular concern.

  • Read KPMG's 2011 Public Company Audit Committee Member Survey

Tuesday, November 29, 2011

Securing Employee-Owned Devices

Most enterprises are dealing with the proliferation of EODs (employee-owned devices) in the organization in different ways. Some ban them, but a growing number of companies recognize the undeniable productivity benefits of allowing them. That leaves the big question - how to secure them. One approach is to secure the data by encryption, as mentioned in a recent post on this blog. But this isn't always possible either.

Monitoring is a key approach for many companies. They establish a system for identifying the devices that are connecting and then have a system for monitoring them. This allows a degree of flexibility that can help find an optimum level of productivity for the users. This article has more.

Wednesday, November 23, 2011

Why SAS 70 Was Replaced

Earlier in the year, SAS 70 was replaced with a new standard - SSAE No. 16 “Reporting on Controls at a Service Organization,” which provides for the issuance of SOC 1 reports, which deal with controls at a service organization that are likely to be relevant to an audit of a user entity’s financial statements.

Originally, SAS 70 was intended for the use of auditors reporting on an organization that used service organizations to administer and run parts of its internal control systems. However, the reports came to be used widely by IT auditors to report on the IT controls in those systems, and although they were not intended as general-purpose reports, they were often circulated widely by the organizations that had them carried out, to demonstrate that their systems were well controlled. Often this was for marketing purposes.

Now, service auditor reports for periods ending on or after June 15, 2011 are required to conform to the guidance contained in SSAE No. 16. Reports under SSAE No. 16 are referred to as SOC 1 reports, or “Reports on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting.” Use of these reports is still restricted to the management of the service organization, user entities and user auditors.

The new standards also provide for SOC 2 and SOC 3 reports. SOC 2 reports are called “Reports on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality and Privacy” and SOC 3 engagement reports are called “Trust Services Report for Service Organizations.” The latter are available as general purpose reports, which can therefore be released to the public.

The three types of reports are intended to meet the needs that have been indicated for controls based reports, and hopefully will provide IT Auditors with a set of standards that will be useful to them while not compromising the purpose of their reports. For an article on this change, see this link.


Wednesday, November 16, 2011

WiFi Security

Securing WiFi networks is a critical part of most systems. But this area, like other areas, has been rapidly changing. Also, business needs are different from the needs of personal users, which is where WiFi security has often been focused in the past. For example, businesses need to authorize new employees and to remove departing ones, which means that system-wide security needs to be flexible enough to accommodate this. Did you know that WEP and WPA are not sufficient for business-level security on WiFi networks? Or that 802.11 should be upgraded to 802.11i? This paper highlights a number of do's and don'ts for effective security.

Monday, November 14, 2011

Common Security Issues for Small Business
Something Old, Something New

The Globe and Mail recently published an article entitled "Ten most overlooked security threats for small businesses". It provides an interesting and valuable source for small businesses planning their security strategy. On the list, one will find all the old standards, which have been issues since time began - at least computer time. For example, it contains the items "Business interruptions due to backup data issues" and "Physical breaches and theft". But it also contains issues that are more recent in origin, such as "Breaches caused by connecting (from) infected devices" and "Hijacked domain names". A useful article for many to consider.

Tuesday, November 8, 2011

Bring Your Own Device? Secure the Data

Inevitably there has been a growth in the number of personal devices being brought into the workplace. And they are data-rich devices, such as smart phones and tablets. Some companies are handling this trend as though the devices were company property, despite the fact that they have no right to do so, and fundamentally their efforts are doomed to failure.

The answer lies in an approach that has been right for some time even before the infiltration of personal devices. Data Centric Security.

Under data centric security, the focus of the security policies and procedures is the data and not the devices. This has been the right way to go because data is increasingly more mobile and it is difficult if not impossible to know where it is at any time. So the data itself needs to be secure so that it doesn't really matter where it is.

The key to data centric security (no pun intended) is encryption. It's not the only element - attention still needs to be paid to systems - but it's the most important one because with encryption, data cannot be read by unauthorized people no matter where it is. This approach is essential with the proliferation of devices, including storage devices like memory sticks, but even more essential for managing data security in the age of BYOD.

See this article, for example.

Monday, November 7, 2011

PWC Global Security Survey

PWC has released its 14th global survey of the state of security for 2012. This survey is based on the responses of more than 9,600 CEOs, CFOs, CISOs, CIOs, CSOs, VPs and directors of IT and information security from 138 countries.

It shows that the level of confidence in security activities is high, with 72% of the respondents indicating they are very confident or somewhat confident. On the other hand, the survey shows a degradation in certain security activities, which the report characterizes as troubling. The areas that have shown the biggest declines over the past three years are business continuity/disaster recovery planning, annual reviews of privacy policy and accurate inventories of data locations. For the latter, it could be that it is becoming impossible to describe the locations of data, since it moves around so quickly.

For the results of the survey, check out the PWC website.

Friday, November 4, 2011

Cloud-based Backup

One of the more popular cloud based applications, in fact one that preceded the popularity of the cloud itself, is online backup. Services like Carbonite, IDrive, and Mozy have been widely used for years.

But are they safe? We all know about the successes of hackers in getting inside sophisticated and well protected systems. Why couldn't they hack into these services?

It's probably unwise to give a definitive answer in these days of ever more sophisticated hackers. However, there is every reason to suspect that such backups are very safe. The reason is the encryption systems they all use, which are among the best, and give you control over who can decrypt your data.

Time and again, encryption has been proven to be one of the most valuable security tools. Data is no good to hackers if they cannot read it. If they do manage to break into the cloud backup provider's system, they also need to break into your computer and steal your encryption keys. A difficult job.

It's much easier for them to break into your computer and steal your unencrypted data, because most people do not encrypt their hard drives. So arguably, your data is safer being backed up in the cloud.

Here's another take on the issue.

Tuesday, November 1, 2011

The UWCISA Biennial Research Symposium

The 2011 Symposium, hosted by the University of Waterloo Centre for Systems Assurance, took place on October 21 - 22, 2011. It was sponsored by the Canadian Institute of Chartered Accountants, Caseware IDEA Inc., ISACA's Toronto Chapter, and the International Journal of Accounting Information Systems.

Attended by numerous noted researchers in the Information Systems Assurance area, the symposium featured several state-of-the-art presentations and timely sessions. 

The Keynote presentation, "Information System Assurance Practices in China: Where they are and where are they going?" was presented by Philip Yang, Partner of PricewaterhouseCoopers in Beijing, China and highlighted the international flavour of the event, which is indeed one of the world's top symposiums in the field.

Topical sessions included those on cloud security, privacy, and green IT. But there were many more. For the program listing and copies of the presentation slides, check this link.

Thursday, October 20, 2011

Security Still an Issue in Cloud Development Projects

At a recent conference, IBM and Amazon executives debated one of the biggest issues around the cloud - the extent to which users can rely on the security built into the services of the provider. Amazon made the point that users should recognize that they are moving into a platform with a lot of security already built into it. IBM countered that you can't rely on that - each user and each application has its own needs and issues.

Both are right. There is some security there, but users need to go some steps further in order to make sure the security meets their needs. This might involve obtaining SSAE 16 reports (the old SAS 70), but should probably go further than that and include a thorough review of the security structure to make sure that it is adequate. That means involving the auditors in the development process - an old saw, but still a true one.

Here's a report on the debate at the conference.

Thursday, October 13, 2011

Security Professionals Face Serious Challenges

Recently, the International Information Systems Security Certification Consortium, Inc., (ISC)² sponsored a study carried out by Frost & Sullivan of more than 10,000 security professionals around the world.
Some of the key findings of this study can be summarized as:

  1. Application vulnerabilities represent the number one threat to organizations.
  2. Mobile devices were the second highest security concern for the organization, despite an overwhelming number of professionals having policies and tools in place to defend against mobile threats. 
  3. Professionals aren't ready for social media threats.
  4. A clear skills gap exists that jeopardizes professionals' ability to protect organizations in the near future. 
  5. Information security professionals weathered the economic recession very well.
  6. Cloud computing illustrates a serious gap between technology implementation and the skills necessary to provide security.
  7. Developing countries illustrated opportunities for growth with an experienced and more educated workforce.
  8. The information security workforce continues to show signs of strong growth. 

The study can be downloaded free of charge from this website.

Friday, October 7, 2011

Web Application Security: Business and Risk Considerations

ISACA has a White Paper on its website with the above title. The paper is an excellent resource for those interested in cloud risks and how to address them. That includes a lot of people!

One of the interesting parts of the paper is the table listing the various types of vulnerabilities encountered in the cloud. These include SQL injection, cross-site scripting and insecure direct object reference, among others. The paper goes on to list some areas of security to focus on, including some specific guidance on the old stand-bys of executive support, training and support.

The paper concludes with assurance considerations, including the use of COBIT to strengthen controls.

An excellent paper. You can download it through this link.

Tuesday, October 4, 2011

Social Media's Growing Use for Cyber Crime

The FBI recently issued a report pointing to the growing use of social networks for criminal purposes. The report points to the traditional techniques of phishing and data mining of social media sites as continuing serious problems. The report also points to the use of false personas to attract honest site users and thereby gain access to information that could be sensitive. Examples are setting up phony Facebook accounts to attract military personnel and then extract information they might have, or information about their location.

Of course, corporate information could be at risk in such scams, and it is important for companies to have tightly drawn policies on the use of social media by their employees. One of the difficulties in such policies is that a company cannot interfere in the personal life of their employees, yet they can be duped through their personal activities into revealing sensitive information. A clear demarcation between business and personal use of social media is nevertheless a critical element of a security policy.

For more on the FBI report, see this link.

Wednesday, September 28, 2011

Smart Phone Security

Now that smart phones are being used more often for sensitive purposes, like making and paying for purchases, it is clear that hackers are going to focus more attention on them. Companies like McAfee are putting out security software to protect them. And the US Department of Defense is calling for more protection for them, and in particular for the Android operating system, which is on the largest number of phones.

Companies need to be concerned about this area, as some of their sensitive data is going to end up on smart phones, so their defences need to extend to the phones. This is not a new idea, but the new landscape means that the degree of protection now needs to be at a level comparable to that of the corporate data in the main system, which has not been the case to date.

For more on the new environment for smart phones, check this NY Times article.

Thursday, September 22, 2011

Security Breaches are Becoming a Certainty

It has become clear, with the growth in use of the internet, mobile devices and social networking, that avoiding security incidents has become more difficult. Recent research, however, shows that they are a near certainty.

"A recent survey by the Ponemon Institute found that the threat from cyber attacks is nearing statistical certainty -- 90 percent of U.S. businesses were hit by at least one security breach in the last 12 months. Almost one in two said there was a significant increase in the frequency of cyber attacks over the past year, and 77 percent said attacks are more severe or difficult to contain."

For more, check this link.

Friday, September 16, 2011

Persistent vs Intermittent Attacks

"Researchers at North Carolina State University examined two Wi-Fi attack types -- persistent attacks, in which the attack persists non-stop until it can be identified and disabled, and intermittent attacks, which block access on a periodic basis, making them harder to identify and stop. They were able to measure the impact of both attacks."

They concluded that all attacks cannot be prevented and that a sensible policy would be to target those that would cause the most damage, which often would be the persistent attacks.

For a release on this study, check this link.

Monday, September 12, 2011

Protecting Mobile Devices

Hackers and malware are increasingly targeting mobile devices, particularly those using the Android system, although all others are at risk too. Users need to treat these devices as they do computers and take steps to protect them. This includes the following:

1. Establish a password for opening the device. We do this for our notebooks all the time.
2. Avoid downloading unproven apps.
3. Accept all patches.
4. Back up the data.
5. Don't jailbreak the device, which some people do to free it from dependence on a single supplier.

For more, check out this article.

Wednesday, September 7, 2011

People just don't Understand Mobile Security Threats

When it comes to laptops and notebooks, people get it. There are security threats and spam and they need to take precautions against them. People are used to being wary of emails that ask for personal information, or websites that they don't know and never heard of that sell products at low prices. They are used to installing anti-virus software and some even have a practice of erasing their cookies and browser history. People know that identity theft is a serious problem, and that they need to be careful.

Not so with mobile devices. Maybe it's because they're small. Maybe because their power is a relatively new thing and people just haven't caught up to the idea that their cell phone has become a small computer with connections to many other computers, and that viruses and malware that get into their phone can get into their other computers, even their work networks. Some companies are coming to terms with this idea, but in general mobile device users just don't get it.

And so they go on downloading apps without concerning themselves much about where those apps are coming from or who made them or whether they have been properly tested and protected. They don't even think about installing protective anti-virus software, not that much is available yet.

The result is that mobile devices are now the biggest single threat to data integrity of many organizations. This means that IT Assurance professionals need to pay more attention to this threat. That is - contemporary attention. Guidance and reference materials have been out there for a few years now. But most of it is obsolete simply because the technology for smart phones has advanced so fast. New tools are needed. But until then, experienced professionals can identify the risks in the devices being used, and how they are used and suggest behaviours that will mitigate those risks.

The biggest need at this point is to modify the behaviour of the users. The fraudsters get it. And the users need to get it too.

Wednesday, August 31, 2011

IT Risks are Business Risks

Information Technology has pervaded business so extensively that IT risk is now equated with business risk. IT Risks are Business Risks.

The realization of this fact can be seen in the increasing interest shown by Boards of Directors, Audit Committees and senior management in IT risk issues. At one time not very long ago, this was unheard of, with IT being viewed as the prerogative of the 'techies'.

Ernst and Young has prepared a section of their website to explore the relationship between IT Risk and Business Risk. That site explores the topic under four headings:
Major IT trends affecting business risk include the continuing increase in cybercrime, the move to mobility, data leakage and the potential for harming business reputation, tighter IT-related regulatory requirements, the spread of social media and the growth of cloud computing, among others. All of these trends pose significant IT risks, but they are so pervasive that the IT risks they pose are also business risks. This is a site worth some careful study.

Thursday, August 25, 2011

Social Networking Threats to Security

Facebook was found to be the greatest threat to security in a recent survey of 2000 computer users by Sophos. Of the 2000, 71% had been spammed, 46% had been phished and 45% had received malware. The numbers are not surprising. If anything they seem low. I've been phished and spammed daily and have received malware within the past few months. Here's a summary.

Wednesday, August 24, 2011

The Malware Race and Honeypots

Google just released a report on malware that follows by a week another report by NSS Labs, an independent security testing organization. NSS had given Explorer 9 high marks for stopping socially engineered malware. This is malware that entices a user to download it in the mistaken belief that it is a security software update, or something similar.

Google agreed that Explorer is effective in detecting such software but did point out that it comprises only 2% of the malware out there. One might counter that it's growing, though.

A value in the report is an assessment of several of the conventional defences against the more common types of malware. Google said that a much more common form is drive-by malware, which exploits known vulnerabilities in browsers to surreptitiously download malware when the browser merely visits a page.

Conventional defences are various forms of honeypot, which are digital lures away from the real system. These are widely used but Google says not effective in themselves. They say that a combination of defences is the most effective.

For an interesting writeup on these reports, click this reference.

Monday, August 22, 2011

How to Detect System Intrusions 

The number and scope of system intrusions continue to grow, which means that enterprises are taking some steps to address them. However, the nature and, more importantly, the effectiveness of such steps vary considerably. One of the main steps to take is to have good control systems in the first place. Any auditor knows that this is a challenge for many enterprises. And then there are specific steps for intrusion detection. These come in different flavours, from monitoring to content scanning to sophisticated detection software.

The protection of data is a tremendously important area for most enterprises, and it is a good idea to do everything feasible to protect it. A recent article in E-Commerce News explains a number of good ideas for approaching this issue. Here's the reference.


Friday, August 19, 2011

Selection of a Cloud Provider

There are a great many considerations when selecting a provider of cloud services. Security is certainly one of them. An important one.

One recent article in a cloud selection series points out two elements of security that are particularly important when evaluating cloud providers. One, perhaps predictably, is their encryption policies. Of course, encryption is important. But it's not enough just to see that they have encryption. It needs to be looked at closely. What kind of encryption? How is it applied? And when? The whole question is whether the data are protected in storage and in transit - at all times.

The other major security (control) consideration is availability. If critical functional data are stored in a cloud, chances are they need to be available at a moment's notice 24/7. Outages at the cloud level just are not acceptable.

There are other considerations that the article doesn't mention, like how good the security processes are, including authorizations for various actions affecting the data, as well as access by cloud personnel. Have outside auditors reported on those processes, and are the reports available? And of course, are they reasonably problem free?

It's an important area, and one with increasing importance for many businesses.

Monday, August 15, 2011

O-ACEML for Better Security Compliance

Languages based on XML (Extensible Markup Language) that can cut across different information systems platforms are nothing new. We already have XBRL, EBXML, and a variety of others. XBRL has become a global standard for financial and business reporting.

Auditors, however, are still hampered by the existence of different platforms within a single overall system. Each platform typically has different ways to configure security, from password management to object access to user control and maintenance. That makes it difficult to apply corporate security policies, monitor compliance and identify issues.

It seems natural that XML might come to the rescue. Recently the Open Group and others released a specification, available on The Open Group website, that outlines O-ACEML (Open Automated Compliance Expert Markup Language).

The new standard is attracting some interest among auditors. It promises the ability to write security rules for corporate adoption in O-ACEML that could be interpreted by O-ACEML-aware systems and then translated into the protocol used by each individual platform. So the same rule could be applied to any number of platforms within an overall information system. Clearly this would be valuable in promoting compliance with security policies.

Moreover, compliance can be monitored with those same rules, with output from individual platforms translated into O-ACEML and then transported back to the auditors for analysis.

These policy application processes and monitoring activities are a problem now. O-ACEML can make it all work.
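To make the round trip described above concrete (a rule written once, translated into each platform's own parameter, and the platform's output translated back for the auditor), here is an added Python example; it is not taken from The Open Group specification or from this blog. The XML rule format it parses is a hypothetical stand-in for O-ACEML, since the real schema is not reproduced on this page. The platform parameter names it maps to (pam_pwquality `minlen`, login.defs `PASS_MAX_DAYS`, pam_faillock `deny`, and the Windows secedit fields `MinimumPasswordLength`, `MaximumPasswordAge` and `LockoutBadCount`) are real, but the mapping and the two sample host exports are constructed for the example.

```python
import operator
import xml.etree.ElementTree as ET

# Constructed, illustrative policy document. The element and attribute names
# are a hypothetical stand-in for O-ACEML, not the real specification.
POLICY_XML = """<?xml version="1.0"?>
<policy name="corporate-auth-baseline">
  <rule id="pwd-min-length" setting="password.min_length"      op="ge" value="12"/>
  <rule id="pwd-max-age"    setting="password.max_age_days"    op="le" value="90"/>
  <rule id="lockout"        setting="account.lockout_threshold" op="le" value="5"/>
</policy>
"""

# Translation of each neutral setting into the platform's own parameter name.
# The parameter names are real; the mapping itself is constructed here.
PLATFORM_MAP = {
    "linux": {
        "password.min_length": "minlen",            # pam_pwquality
        "password.max_age_days": "PASS_MAX_DAYS",   # /etc/login.defs
        "account.lockout_threshold": "deny",        # pam_faillock
    },
    "windows": {
        "password.min_length": "MinimumPasswordLength",   # secedit [System Access]
        "password.max_age_days": "MaximumPasswordAge",
        "account.lockout_threshold": "LockoutBadCount",
    },
}

OPS = {"ge": operator.ge, "le": operator.le, "eq": operator.eq}


def parse_policy(xml_text):
    """Read the neutral rules; reject operators the evaluator cannot apply."""
    root = ET.fromstring(xml_text)
    rules = []
    for r in root.findall("rule"):
        if r.get("op") not in OPS:
            raise ValueError(f"rule {r.get('id')}: unknown operator {r.get('op')}")
        rules.append({"id": r.get("id"), "setting": r.get("setting"),
                      "op": r.get("op"), "value": int(r.get("value"))})
    return rules


def translate(rules, platform):
    """Rewrite neutral rules into the target platform's parameter names."""
    mapping = PLATFORM_MAP[platform]
    out = {}
    for rule in rules:
        if rule["setting"] not in mapping:
            raise KeyError(f"{platform} has no mapping for {rule['setting']}")
        out[mapping[rule["setting"]]] = (rule["op"], rule["value"])
    return out


def evaluate(rules, platform, observed):
    """Compare a platform's exported configuration against the policy."""
    mapping = PLATFORM_MAP[platform]
    findings = []
    for rule in rules:
        param = mapping[rule["setting"]]
        actual = observed.get(param)
        # A parameter the host did not report is a finding, not a silent pass.
        ok = actual is not None and OPS[rule["op"]](actual, rule["value"])
        findings.append({"rule": rule["id"], "platform": platform, "param": param,
                         "expected": f"{rule['op']} {rule['value']}",
                         "actual": actual, "compliant": ok})
    return findings


def report_xml(findings):
    """Carry the per-platform results back to the auditor in one neutral format."""
    root = ET.Element("compliance-report")
    for f in findings:
        e = ET.SubElement(root, "finding", rule=f["rule"], platform=f["platform"],
                          compliant=str(f["compliant"]).lower())
        e.set("expected", f["expected"])
        e.set("actual", str(f["actual"]))
    return ET.tostring(root, encoding="unicode")


# Constructed sample exports from two hosts (what the platforms report back).
LINUX_EXPORT = {"minlen": 14, "PASS_MAX_DAYS": 99999, "deny": 3}
WINDOWS_EXPORT = {"MinimumPasswordLength": 8, "MaximumPasswordAge": 42}  # no LockoutBadCount


def run():
    rules = parse_policy(POLICY_XML)
    return (evaluate(rules, "linux", LINUX_EXPORT)
            + evaluate(rules, "windows", WINDOWS_EXPORT))


if __name__ == "__main__":
    print(report_xml(run()))
```

The two design points worth noting for an auditor are in `evaluate`: the comparison is made in the neutral rule's terms, not the platform's, so one rule produces the same verdict everywhere, and a parameter that a host fails to report is recorded as non-compliant rather than assumed to be fine.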

Here's a discussion on the subject that's worth reading.

Tuesday, August 9, 2011

Auditing Embedded Controls

Controls embedded in applications present particular issues to auditors. Even their detection can require some technology experience. Understanding and auditing them even more. Also, they may be in the system but not used by important business processes. Or the risks they cover may be compensated by manual controls.

Providing assurance on such controls requires IT Assurance expertise as well as a thorough understanding of the related business processes. Therefore such work is often carried out on a collaborative basis.

This is one of the messages in an article on Deloitte's Information and Controls Assurance Website. It's a relatively new site of Deloitte Global Services with useful information for assurance providers and others with an interest in or responsibility for controls. Check it out here.

Thursday, August 4, 2011

Operation Shady Rat Revealed

In a striking example of the kind of security threats faced by enterprises these days, McAfee has released a report that shows some 72 enterprises having been attacked in a vast "snoop" operation. Several Canadian Government departments were among those hacked and there were 48 break-ins in the US. It takes an extremely large and effective organization to carry off attacks like this and there are allegations of state support for the attacks - as yet unproven. For one good summary of this situation, check out this article.

The Blackhat Security Conference

In Las Vegas, the annual Blackhat conference is underway. There is a variety of workshops and other sessions on the agenda, which can be found at the Blackhat Site.

Tuesday, August 2, 2011

Adequacy of Security - A New Debate; An Old Issue

The success of recent large scale hacking attacks has fostered a new debate that has been taking place in the world of IT Security Specialists. On one side, we have those who believe that the tools traditionally used for intrusion prevention and detection are no longer up to the task. Some security companies have been trying to address this situation, this perceived need for stronger products.

"One new solution to the problem of securing the IT infrastructure is the PoliWall network security appliance from TechGuard Security." Another is Damballa - a system that promises early detection of threats weeks before their occurrence.

On the other hand, some experts say that very effective systems have been in place for years. The problem is that they have been poorly implemented. In some cases, the risk assessments were simply proven wrong, providing an optimistic take on the risk. In other cases, companies have not been willing to endure the inconvenience that sometimes follows from the implementation of a tight security system. One expert likens it to removing the batteries from a smoke detection system because the occasional beeps annoy you.

There seems little doubt that in many cases, good security principles have not been followed. This has always been true, because IT security traditionally has not received the degree of attention that it warrants, taking second place to IT strategies that help to produce revenue and to traditional security techniques that business executives can more readily understand.

E-Commerce Times has published a two part series on this issue, which is worth a read.

Friday, July 29, 2011

Why has Information Security Gained Such a High Profile?

We hear about information security a great deal in the media and companies are focusing on it more strongly in their strategic plans. Why is this?

The first obvious answer lies in the large scale nature of recent attacks on organizations such as Sony, Google, Citigroup and the IMF - the sheer numbers of people and organizations put at risk because of the exposure of their data to misuse. But to find real answers to the question, it is necessary to look a little deeper. For example, one of the answers is the proliferation of disruptive technologies, like the cloud and smartphones. Another is the mobility of data across platforms. Yet another is the large scale of resources put behind the hacking activities, including allegations of State support for illegal online activity.

These are big issues, and each of them calls for a particular response. So how is an organization to respond to this complex and fast moving environment? As a starting point, it seems the approach needs to be a strategic one. Nothing new here, but the strategy needs to be relevant to the challenges inherent in the new environment. Here the issue becomes more complex, especially in an era of tight budgets.

Deloitte Touche recently ran an interview of two of its Principals to discuss these issues. They place a high importance on a multi-dimensional view of the risks and prioritization as part of a strategy. Check it out.

Tuesday, July 26, 2011

The Shifting Ground of Data Security

Several changes in the IT landscape of recent months, even years, have brought fundamental changes in the risk profiles of many organizations. The move to the cloud, of course, has been well documented and discussed from a security perspective. One Wharton Professor argues that the cloud movement has had the effect of placing vast amounts of data within easy proximity of single entry points, making the effort of hacking much more potentially rewarding. And so we have major new groups, backed by organized crime, even perhaps by countries, looking for massive rewards from hacking. Gaining access into a single website can yield huge amounts of useful information for the criminal, such as banking information or credit card data for thousands of people.

At the same time, governments are responding with mega programs, such as that of President Obama late last year.

Individual companies have much at stake and need to employ security precautions at the most effective level. But the question is whether they are doing that, or even trying very hard. Some think they are simply assessing the risks and hoping for the best (a view that is perhaps unfounded, but that perhaps also needs more study). Some think that it has gotten to the point that no company can possibly protect itself.

The new high stakes environment certainly adds risks and should serve to focus the response to those risks, with the knowledge that attacks are likely to be of the highest sophistication and directed to the biggest targets.

This is the new world of IT Security in the age of the cloud. More at the Wharton Site.

Tuesday, July 19, 2011

Cloud Security Alliance Updating Guidance

The Cloud Security Alliance is a group formed to promote best practices in the provision of assurance in the cloud environment. Their guidance has achieved a good deal of respectability in its brief life.

Recently, the CSA launched an initiative to find volunteers to update its initial guidance. To help potential volunteers, it released the CSA Cloud Controls Matrix, which can be downloaded from its website.

Assurance in the cloud has become a major field and is one where the best of standards are needed. The CSA guidance is one of several sets of guidance being offered for cloud security purposes. Others include ISO 27001/27002, ISACA COBIT, PCI, NIST and the AICPA's new SOC 1 and 2. Hopefully, better security in the cloud will emerge from all this effort.

Saturday, July 16, 2011

Compliance et al

Recently, ISACA conducted a survey of the top business issues facing enterprise IT. The list is of course directed primarily to the concerns of IT Assurance providers and contains the following issues:
  • Regulatory compliance (Score: 4.6)
  • Enterprise-based IT management and governance (Score: 4.4)
  • Information security management (Score: 4.1)
  • Disaster recovery/business continuity (Score: 3.1)
  • Challenges of managing IT risks (Score: 2.5)
  • Vulnerability management (Score: 2.1)
  • Continuous process improvement and business agility (Score: 2.0)
Compliance has been a big issue since the SOX days, but shows no sign of abating. Assurance providers can expect to spend more of their time in this area for the foreseeable future. Nothing really new or startling in the list, but it does provide a good high level overview of where we are in the world of IT Assurance. See the press release here and the survey here.

Thursday, July 7, 2011

The Welcome End of SAS 70

On June 15, the AICPA released a new set of standards to replace Statement on Auditing Standards #70, fondly known as SAS 70. The old standard had been abused for years, being used for situations for which it was never intended and for which it was not particularly useful. SAS 70 originated in an era when companies began to get their accounts managed by outside organizations, known as service organizations. Auditors of the outsourcing companies were concerned that they did not have access to the systems used by the service organizations and therefore could not assess the risks arising from those systems that might affect their own report. They obtained SAS 70 reports to fill this gap.

SAS 70 was therefore designed for a rather limited purpose - to provide assurance on Internal Controls Over Financial Reporting, but it began to be used for other broader assurance on controls, often extending well beyond the limited scope of the original standard.

Accountants fretted for years about this abuse, but it went on and nothing concrete was ever done, other than a little tweaking of the basic standards and some cries of protest from members of the profession who were most involved in the service and who were actually following the standard.

The cloud changed all that. Suddenly companies were outsourcing whole systems and needing assurance on the systems which often extended well beyond financial reporting or even had little or nothing to do with it. The need for a broader standard became clear and pressing.

The AICPA, on June 15, released a new framework SOC (Service Organization Control) which substantially extends the scope of these types of assurance engagements. The hope is that abuses will end and the new standards that follow in this framework will provide the needed service.

So far, there are some challenges in making the transition because company executives are so used to the idea of SAS 70 reports and of obtaining them for situations where they really are not appropriate. So some education is needed as well as a dedication by professional assurance providers to insist on selecting and following the appropriate standards.

For an excellent article on this area by the chair of the AICPA's Information Technology Executive Committee, follow this link.

Monday, June 27, 2011

Wiping Out the Data

In her recent report, Canada's Privacy Commissioner noted that Staples, the large business supplier retailer, took in numerous computers on trade and then failed to wipe out the data before re-selling them. It also meant that the people turning them in had not wiped out the data themselves. She stated that of 149 computers involved, 54 of them still had previous owners' data on them.

The report points to the responsibility of people for their data. Of course, some of these previous users would be running small businesses and some would have sensitive data on them.

The first responsibility for the data rests with the owners. The people who traded their computers should have wiped out the data right away. In my opinion, they should have re-formatted their hard drives, which is the only way to make sure the data is removed and beyond the reach of recovery tools. As we all know, deleting files simply doesn't do the job, as recovery is usually easy to accomplish.

Then Staples had a responsibility to make sure the computers they sell do not contain any data from the previous owner. The company in its response said that they are investigating data wiping software to determine which will do the job most completely.

Business owners need to have policies for situations like this, even if only to serve as reminders of what to do when old computers, or in fact any equipment containing processors, like fax machines and printers, are traded or sold.

A single loss of data can be catastrophic to a company. All businesses need to have strict policies around the disposal of such equipment. They shouldn't be looking to Staples to protect their data. They should be doing it themselves.

Wednesday, June 22, 2011

CISCO's ARMS Going Down

A group of researchers at Cisco started maintaining an index a few years ago to measure the state of security in the world's computer systems. It's called the Adversary Market Resource Share (ARMS). With all the data breaches and losses in the past year, one might assume that the index is rising to new levels. However, they predict that this year it will be dropping below the previous year's level of 6.8 to perhaps 6.6.

The reason for this is that although the number of attacks has grown, the number of botnets successfully destroyed has also grown, making attacks lower than they might otherwise have been and leaving relatively lower numbers of successful attacks.

Good to hear that there is some progress being made.

Monday, June 20, 2011

Data Loss Points to Need for Encryption

Yet another data loss has pointed to the need for encryption on laptops. Twenty computers went missing at the London Health Services in the UK. One of them, not recovered, contained health records of as many as 8 million people. It was not encrypted.

An article on the subject pointed out that less than half of all UK companies encrypt the data on their laptops. Some observers are raising the idea of sanctions for this oversight. It's a good idea. There is little excuse for not encrypting the data on laptops, particularly when they contain sensitive data.

Friday, June 17, 2011

Telecommuting Needs Security Precautions

Telecommuting has become a way of life for most enterprises. It's good for morale, productivity and costs. Employees are often encouraged to work at home, on the road, in planes, in hotels and anywhere else they can connect to the internet.

The perils are well documented and quite well known - loss of mobile devices through theft or carelessness, and hacking of the devices at low security locations, like coffee shops or hotels.

Enterprises have been trying to deal with these threats. Many have required encryption of the devices, or at least encrypted data. Some have set up Virtual Private Networks to strengthen access to their networks. These and other precautions are worth considering for most enterprises.

One of the issues with telecommuting these days is the use by employees of their own devices such as laptops, notebooks, tablets and smart phones. All of these have security issues and all need to be addressed by the enterprise. One precaution that needs to be taken is to take steps to ensure that only authorized devices can access the networks. This can be done by device fingerprinting, using such key data as the device serial number and IP address to identify the devices that have been authorized to gain access and thus screen out hackers. Given the considerable extent of telecommuting that takes place now, these and other steps are often critical to an enterprise in devising its security policy. For more on this, check out this article.

Thursday, June 16, 2011

The Value of Pen Testing

Recent attacks on Citibank and the IMF have attracted a good deal of attention, both by the press and by security experts. Quite different views of those attacks are emerging.

In the press, the attacks are often characterized as advanced and sophisticated. They are said to be difficult to protect against - hazards of the modern age of web based cloud computing.

On the other hand, some experts see the attacks as just more of the same old, in this case exploiting a very common vulnerability known as insecure direct object references. These are situations where system objects such as URLs or database references are inadvertently left exposed within system code. Hackers can modify them and thereby gain access to otherwise secure resources. See, for example, this article.

The best way to achieve some protection for insecure direct object references is by using penetration testing. This involves employing professional hackers to try to hack into a system thereby identifying such points of vulnerability.

Once again, the risk of so-called sophisticated attacks can be mitigated by using well established and time-tested techniques such as pen-testing.
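The pattern the post describes, shown as an added example that is not code from the original post or from the incidents it mentions: a handler that trusts the object id in the request, the same handler with a server-side ownership check, the OWASP indirect reference map mitigation, and the authorization sweep a pen tester would run against both. The invoice store, the user names and the `IndirectReferenceMap` class are constructed for illustration.

```python
"""Insecure direct object reference (IDOR): the vulnerable handler, its
hardened form, and the authorization sweep a tester would run against both.

Added example with constructed data; not code from the original post or from
the incidents it mentions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional
import secrets


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner: str           # customer account the record belongs to
    amount_cents: int


# Constructed sample data: two customers, three invoices with guessable ids.
INVOICES: Dict[int, Invoice] = {
    1001: Invoice(1001, "alice", 12_500),
    1002: Invoice(1002, "alice", 3_990),
    1003: Invoice(1003, "bob", 87_000),
}

Handler = Callable[[str, int], Optional[Invoice]]


class Forbidden(Exception):
    """The caller is authenticated but not allowed to read this object."""


def get_invoice_vulnerable(session_user: str, invoice_id: int) -> Optional[Invoice]:
    """The flaw the post describes: the handler trusts the identifier taken from
    the request and never checks that the logged-in user owns that record, so a
    user who edits the id in the URL is handed another customer's invoice."""
    return INVOICES.get(invoice_id)


def get_invoice_hardened(session_user: str, invoice_id: int) -> Optional[Invoice]:
    """Same lookup, but the authorization decision is made server-side from the
    session identity, never from anything the client supplied."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        return None
    if invoice.owner != session_user:
        # At the HTTP layer answer "not yours" the same way as "does not exist"
        # (404 rather than 403) so the response does not confirm the id is valid.
        raise Forbidden(f"{session_user} may not read invoice {invoice_id}")
    return invoice


class IndirectReferenceMap:
    """Per-session opaque handles (the OWASP 'indirect reference map' pattern):
    the client only ever sees random tokens for objects it is allowed to reach,
    so there is no sequential id to tamper with in the first place."""

    def __init__(self, session_user: str) -> None:
        self._user = session_user
        self._token_to_id: Dict[str, int] = {}

    def handle_for(self, invoice_id: int) -> str:
        invoice = get_invoice_hardened(self._user, invoice_id)  # ownership enforced
        if invoice is None:
            raise KeyError(invoice_id)
        token = secrets.token_urlsafe(16)
        self._token_to_id[token] = invoice.invoice_id
        return token

    def resolve(self, token: str) -> Optional[Invoice]:
        invoice_id = self._token_to_id.get(token)
        return None if invoice_id is None else INVOICES[invoice_id]


def is_denied(handler: Handler, session_user: str, invoice_id: int) -> bool:
    """True when the handler refuses the request rather than serving it."""
    try:
        handler(session_user, invoice_id)
    except Forbidden:
        return True
    return False


def cross_tenant_reads(handler: Handler) -> int:
    """The check a pen test runs: log in as each known user, request every known
    invoice id, and count responses that return a record owned by someone else."""
    leaks = 0
    for user in sorted({inv.owner for inv in INVOICES.values()}):
        for invoice_id in INVOICES:
            try:
                invoice = handler(user, invoice_id)
            except Forbidden:
                continue
            if invoice is not None and invoice.owner != user:
                leaks += 1
    return leaks


if __name__ == "__main__":
    print("vulnerable handler leaks:", cross_tenant_reads(get_invoice_vulnerable))  # 3
    print("hardened handler leaks:", cross_tenant_reads(get_invoice_hardened))      # 0
```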

Saturday, June 11, 2011

Updating A Security Program

Companies that have a security policy (don't all of them?) need to update it regularly. This has been a basic precept of good security. But even now it is not always done, and current conditions point more than ever to the need for it.

Ernst & Young has released a document called "Information Security in a Borderless World" in which it points out, based on a survey, that many companies feel their security risk has increased. The reasons relate to the increasing incidence of global attacks, the increase in cloud computing and the use of mobile devices. On the latter, the study points out that banning mobile devices will actually increase security, contrary to the instincts of some companies.

Because of the current high risk environment, a corporate risk profile needs to be constantly revised. The study addresses three key questions to ask:

  • What is your organization’s risk culture?
  • Are you detecting and monitoring threats inside and outside the organization?
  • Have you anticipated new technology risks, such as mobile devices, social media and cloud computing?
You can download a free copy of the study from the E&Y website.

Thursday, June 9, 2011

Passwords and Reality

The recent rash of hacker attacks on Sony websites prompted at least one researcher to conduct a study of the use of passwords by users. What he found was unremarkable - that people are using passwords that are easy to crack. They are re-using passwords on different sites, and they are not using non-alphanumeric characters in their passwords.

This is understandable. By now it is well known that strong passwords should not be common words, should be at least 8 characters in length and should use non-alphanumeric characters. The problem is people want to use passwords they can remember, and they can't remember passwords that are difficult to crack. This is the basic conundrum of password administration. It's why passwords will never work as a security device.

Traditionally, the response of administrators and auditors has been to promote the use of stronger passwords, complete with frequent password changes, which makes it even more difficult to remember them. It just doesn't work.

The answer is to abandon the password system and adopt a biometric system. With biometrics, users don't have to remember anything. And their mode of entry is extremely difficult to duplicate and hack. There already are biometric solutions available, such as fingerprint readers, and more recently face recognition has been introduced. The ongoing rash of hacking attacks, that depend on the use of old fashioned passwords, will continue until passwords are abandoned.

Monday, June 6, 2011

Control of Personal Email Systems

Recent phishing attacks from China through Gmail have been reported to have been directed to high level government officials. This raises the question as to why high ranking government officials are using Gmail. Presumably they have access to secure private email systems run by the government. Gmail is not necessarily a weak system security-wise; however, it is public and high profile and more easily accessible than other private systems. Also, it is in the cloud.

One would think that high level government officials would be using the most secure email system possible, and Gmail does not fit this profile.

There are some possible explanations, according to a recent article in Computerworld. For example, it is noted that most users have two accounts - one for business and one for personal usage. Often Gmail is the system of choice for the personal account. That in itself may not be a problem, but it does raise the question whether it is possible to fully separate your personal from your business email. A user might, for example, forward business emails to a personal account to facilitate off site access. Or might answer a business message from a personal account.

This common situation raises security issues for any enterprise. Should personal email accounts be banned? Probably not enforceable. Should their use be controlled? That can be done. And the Chinese phishing expedition has raised the issue to a higher level.

Friday, June 3, 2011

Stronger E-Mail Security

The threats to security through email are growing daily. Now almost 20% of emails contain a link to malicious code. And then there are all the privacy concerns that go with the territory.

Email is one of the most critical elements of any information system. It forms the core of the communications structure within most organizations. So tight security over email is a necessity.

The webinar linked to this post provides an update on the modern threat scene and offers some positive ideas for strong security measures. The webinar is offered by Lee Rothman, Manager of Security Systems Engineering Group at Symantec Hosted Services. Bullet-Proof Email: Mission Possible.

Wednesday, June 1, 2011

Relevant Factors in Security Risk Analysis

An independent consultancy, The Enterprise Strategy Group, recently asked 308 security professionals in large organizations what factors motivated their security risk analyses. Predictably, the most critical factor was regulatory compliance. However, the frequency of security threats and general security best practices were also among the most critical items, not to mention coverage of security breaches in the press. For a summary of the survey, visit this link.

Monday, May 30, 2011

How Internal Auditors Can Help With ERP Implementations

It has been a long time position of auditors that they should be involved in some way with ERP and other major project implementations. Much of this approach comes from observing such implementations from afar and then trying to sort out the many internal control problems that surface after the project goes live - problems that should have been addressed up front.

Of course, independence rules can be a barrier to the nature and extent of the assistance that auditors can offer. However, those requirements can be observed and still leave considerable scope for consulting activity of this type. Moreover, it is an important service and one that benefits management and the company.

The contributions that an auditor can make are not restricted to internal controls. Auditors have a great deal of skill in preparing documentation and mapping document flows. They also know how to delve into a system and identify major data points and repositories that are critical to a system.

This article on the IAA site provides a good overview of this topic.

Wednesday, May 25, 2011

Vaporstream Survey finds Email Security Related to Inherent Weaknesses of email

We've all done it - sent messages we wish on later reflection we hadn’t sent. Or hit reply all when we meant to just reply. Or replied to a listserve when we meant to reply to an individual.

Although companies have spent a lot of time and effort training employees, it just hasn't worked in these areas. In a recent survey published by the security provider Vaporstream, they concluded that the problems relate more to the inherent weaknesses of email than to the follies of the users.

Good to hear. More here.

Sunday, May 22, 2011

The Obama Security Plan

The Obama administration has tabled its much anticipated legislation on Cybersecurity. It is the most comprehensive package of legislation to be issued by the US government to date.

The proposals are not without controversy, as expected in the area of the extent of oversight the government should implement. Some feel that more consultation with industry is required before a solution is reached. For example, the proposals would require that all private companies certify to the SEC that they have implemented an adequate security infrastructure. This would be a major shift for government regulation of security and also for the SEC itself.

An excellent overview article on this topic can be found at this site.

Monday, May 9, 2011

The Changing Landscape of IT Security

The IT landscape is changing because of such shifts as cloud computing, a proliferation of mobile devices, internet accessibility on a variety of devices, and more sophisticated internet based applications. As the pace of change in the world of IT Security continues to move along, there is a need for a fundamental rethinking of how to approach security.

The basics still apply - threat identification, risk and cost benefit analysis, determination of levels of acceptable risk. But the scope and range of the risks has changed dramatically. For example, the global nature of modern IT systems vastly increases the number and type of risks that most systems face.

Ernst and Young has released a white paper addressing these very issues - essentially a roadmap for applying the basics in the new environment. It can be downloaded free from the E&Y site.

Thursday, May 5, 2011

Cloud Services Call for Security and Assurance

Ever since companies have been making use of cloud services, they have recognized the risk involved in outsourcing critical applications to a cloud provider. They know that the safety of their data depends on the adequacy of the controls in place by the provider. Many of the companies therefore have placed an emphasis on the wording of their contracts, seeking out terms that limit their exposure and shift as much liability as possible to the provider.

The problem is this does not really address the problem. Once a breach takes place, the damage is done in terms of the impact on customers. The real damage is often felt in future business and reputation. While some of this can be compensated with large legal settlements, that is really an ineffective and expensive way to do it.

The best approach is to take preventive steps. This means making sure that the very best controls are in place by the provider before a breach happens. This can only be done by hiring an auditor to provide an assurance report on the provider's system - a service organization report. All of the big accounting firms have IT security experts who are very good at providing these reports.

Companies are remiss if they outsource important applications and do not obtain such reports. The money spent on them is a cost that can be much less than the business costs of a breach later on.

For another take on the issue, check out this article.

Tuesday, May 3, 2011

Security Threats for ERP Systems Have Changed Too

Over the past few years, we have seen a big change in the nature of security threats for enterprise systems. Many of the new threats arise from increased connectivity, which enables unauthorized intruders (hackers) to gain access to systems through internet and other connections. With the proliferation of such elements as wireless and mobile devices having internet access, the threats have become more frequent and diverse.

Recently several security related changes had to be made to the JD Edwards ERP system to reflect these new realities. Many IT experts say that the changes reflect the nature of the underlying problem - the old traditional approaches to ERP security, such as division of duties, although still necessary, don't cut it anymore. Ideas born of the new age of connectivity, such as encryption and tight firewalls, are more important than ever. For a take on this issue please click this link.

Sunday, May 1, 2011

Kansas City Conference

Efrim Boritz's blog summarizing the proceedings at the Kansas University Conference held April 29-30 on XBRL and related issues can be found at

Wednesday, April 27, 2011

Sony Playstation Data Stolen

Continually increasing connectivity means there are more vulnerability points than ever. Recently Sony announced that their Playstation database has been hacked and customer data stolen. Most of the data appeared to be name, address, purchase information but Sony could not rule out the possibility that credit card information had been stolen too.

Playstations are connected to the internet and have the capability to buy products online. So they make a prime target for data theft. This attack demonstrates how the security of data must be structured to take into account all such points of vulnerability and finding such points calls for more imagination than in the past. For more details on the Sony breach, check out this article.

Monday, April 18, 2011

Comments Welcome on New COBIT Process Assessment Model

ISACA® recently conducted a global survey to learn about related market needs, and the results showed that 89 percent of the nearly 1,400 respondents said that they need, and would find value in, a rigorous and reliable IT process capability assessment. Based on this research, an exposure draft of the COBIT Process Assessment Model (PAM) was developed. This exposure draft is now available for review and comment on ISACA's web site through Thursday, 12 May 2011. This is a great opportunity to have an impact on this globally recognized guidance that has helped thousands of enterprises around the world. To comment, go to this link.

A New Threat for Firewalls

Firewalls are one of the mainstays of corporate security. They form in many cases the crucial point for establishing adequate security. However, a new threat has emerged.

"NSS Labs of Carlsbad, Calif., recently tested half a dozen network firewalls to evaluate security weaknesses, and all but one of them was found not to be vulnerable to a type of attack called the "TCP Split Handshake Attack" that lets a hacker remotely fool the firewall into thinking an IP connection is a trusted one behind the firewall." To read more, click this link.

Thursday, April 14, 2011

The Internet - A False Sense of Security

With the extensive use of the internet, including the movement to the cloud, the growing and pervasive use of social media and the extensive use of the internet for email, messaging and simply finding information, people generally have grown accustomed to the Internet, and familiar with the major providers of applications, such as Facebook, Microsoft, Google, etc.

While at one time not so long ago, people generally were wary of the internet, refusing for example to purchase on websites for fear of having their payment information stolen (or the payment itself), now a certain complacency has crept in, prompted not only by this familiarity but also by an increased sophistication of most users - a sophistication that enables them to identify simple phishing expeditions and phony offers of large sums of money.

But the problem is that the growing sophistication is more than offset by the deviousness of the various hacking and phishing attempts and the speed of change in such ploys.

A recent report by Symantec, the security company, shows that the complacency is dangerously misplaced. The report reveals that web based attacks increased an incredible 93% from 2009 to 2010. The attacks were high prior to 2009, so the base is not modest. One presumes that increases of considerable magnitude have continued in 2011. So it is getting much harder to avoid being a victim.

One of the more common tools employed by the phishers is the use of shortened URLs; the kind that people have become familiar with on social networking sites. These shortened URLs effectively hide the real URL, making it possible for a message to masquerade as being, say, from a well known bank, while the URL has nothing to do with the bank. Regular users of the Internet can notice with regular URLs whether the URL is likely to be legitimate. With shortened URLs, this is difficult or impossible. And the flavour of the day is targeted attacks, directed to particular companies or individuals, often in an attempt to obtain the personal information of customers.
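A small triage routine for the masquerade described above, added here as an example and not taken from the original post or from the Symantec report: for each link in a message it reports whether the destination is hidden behind a shortener, whether the visible text names a different site than the link actually points to, or whether the link is not an HTTP URL at all. The shortener list, the sample links and the function names are constructed for illustration.

```python
"""Triage of links whose visible text does not match their real destination,
including links routed through a URL shortener.

Added example; the shortener list, sample links and function names are
constructed for illustration and are not from the original post or from the
Symantec report it cites.
"""
import re
from typing import List, Tuple
from urllib.parse import urlparse

# Constructed list of redirector hosts; a real deployment would maintain its own.
SHORTENER_HOSTS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com", "ow.ly", "is.gd"}

# A domain-looking token inside the visible link text ("www.examplebank.com ...").
_DOMAIN_IN_TEXT = re.compile(
    r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.IGNORECASE
)


def registrable_domain(host: str) -> str:
    """Last two labels of the host. A crude stand-in for the public suffix list
    (it gets 'example.co.uk' wrong), kept simple so the example runs offline."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(display_text: str, href: str) -> str:
    """Return 'not-http', 'shortened', 'mismatch' or 'ok' for one link."""
    parsed = urlparse(href.strip())
    host = (parsed.hostname or "").lower()
    if parsed.scheme not in ("http", "https") or not host:
        return "not-http"          # javascript:, data:, mailto: and friends
    if host in SHORTENER_HOSTS or registrable_domain(host) in SHORTENER_HOSTS:
        return "shortened"         # real destination is hidden behind a redirect
    match = _DOMAIN_IN_TEXT.search(display_text)
    if match and registrable_domain(match.group(1)) != registrable_domain(host):
        return "mismatch"          # text names one site, the link goes elsewhere
    return "ok"


def suspicious_links(links: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Keep every (text, href) pair that is not plainly fine, tagged with its verdict."""
    flagged = []
    for text, href in links:
        verdict = classify_link(text, href)
        if verdict != "ok":
            flagged.append((text, href, verdict))
    return flagged


# Constructed sample links as they might appear in a message body.
SAMPLE_LINKS = [
    ("https://www.examplebank.com/login", "https://www.examplebank.com/login"),
    ("www.examplebank.com", "http://bit.ly/3abcxyz"),
    ("examplebank.com secure centre", "https://examplebank.com.verify-login.example/"),
    ("Click here to confirm", "javascript:void(0)"),
]

if __name__ == "__main__":
    for text, href, verdict in suspicious_links(SAMPLE_LINKS):
        print(f"{verdict:10} {text!r} -> {href}")
```

A shortened link is reported as unknown rather than bad; resolving where it really leads is a separate step that should be done from a sandboxed resolver, not from the user's browser.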

People can't afford to be complacent about web based security, meaning they need to take precautions seriously. It also means web based providers need to ramp up their security efforts. 93% increases are simply not acceptable.

Tuesday, April 12, 2011

PIPEDA Due for an Update

The US Congress is now in the process of considering an update to its Electronic Communications Privacy Act (ECPA) to deal with the impact of smartphones, social media and cloud computing. None of these was a serious issue when the act was written in 1986. In Canada we have the Personal Information Protection and Electronic Documents Act (PIPEDA). Although this act is newer, last updated in 2008, there may be a case for a further update to reflect the fast changing issues around mobility, the cloud and social media.

Those areas are now huge. For example, the use of location based marketing and of location data in investigations has escalated greatly with the growing power of mobile devices, raising the question of just how private a person's location is at any point in time. Social media raises a host of issues around the information provided about users on the sites, some of which have been addressed in Canada by the Privacy Commissioner, particularly in reference to the privacy practices of Facebook. However, the question remains: does the act adequately address the issues arising from other social media?

The US Department of Justice objects to the Congressional proposal to update the Act, feeling that the principles of privacy are adequately covered by the existing statute. The Privacy Commissioner of Canada keeps a watching brief on these issues and the need for legislative changes. But the challenge grows more complex daily. Are general principles enough?

Tuesday, April 5, 2011

Conquering the Security Silos

You would think that with all the attention in recent years to organizational silos and the need to work across them or at least interact, that this problem would be largely licked.

Such is not the case, at least in the area of IT Security. A recent survey carried out at the 2011 RSA conference looked into coordination between IT Security, IT Operations and Risk Management teams across the organization and found that, while coordination between those groups has jumped considerably, it still stands at 47%; that is, less than half of organizations conduct such coordination.

Security in organizations needs to be managed organization wide because the alternative is to invite holes in the overall security umbrella. That's one of the reasons why organizations need Chief Security Officers with the authority to require cross organizational coordination. Hopefully this aspect of IT Security continues to improve. For a summary of the report, click this link.

Tuesday, March 29, 2011

Controls Over Social Media

As enterprises venture more deeply into the use of social media, they are beginning to see the need for having comprehensive policies and controls over their use by enterprise personnel. Such control systems are viewed as an essential part of the overall control system within the enterprise.

ISACA has released an Audit/Assurance Program for social media. It is intended as a tool that auditors can use in providing assurance relating to the effectiveness of controls over the enterprise's social media policies and processes. Such a review, the Guide says, will focus on "governance, policies, procedures, training and awareness functions related to social media. Specifically, it will address:

  • Strategy and governance—policies and frameworks
  • People—training and awareness
  • Processes
  • Technology"
The program is constructed so that its criteria are based on COSO, the most common framework in use. Auditors could also extend the program to cover the newer COSO ERM model; a comparison between the two frameworks is included. The program is intended as a starting point from which an auditor develops a program appropriate to the circumstances. The guide also includes a maturity model evaluation and is aligned with the COBIT framework.

As the use by enterprises of social media grows, there will be an increased need to take the steps to ensure that the risks of such media are properly mitigated through the use of good control systems. This ISACA Guide is therefore very timely and will be very useful. To obtain it, click this link.

Monday, March 28, 2011

iPhones Security not so Secure

The Fraunhofer SIT lab based in Darmstadt, Germany, tests a variety of products for security flaws. Among its recent tests was one of iPhones and Android phones, and it found that neither was very difficult to break. In the case of the iPhone, they broke it in five simple steps. The attack does require physical possession of the phone. By removing the SIM card, they gained access to the passwords for the email system, which in turn usually yielded other passwords, and they were able to bypass the encryption completely. The Android phones were even easier to break. That's just great (irony intended). For a report on their test, check this site.

Tuesday, March 22, 2011

The Attack on RSA

RSA, the security division of EMC and a major vendor of encryption and authentication products, recently suffered what it called an extremely sophisticated cyber attack. Its systems were breached and information related to its SecurID two-factor authentication products was stolen. At this point, nobody outside RSA seems to know exactly what was taken or what the impact might be.

Encryption and strong authentication have become the most important techniques for preserving the integrity, security and privacy of corporate data, something that has become both more important and more difficult since the advent of mobile devices, cloud computing and data mobility. A breach of sensitive data could be catastrophic for an enterprise.

IT Security professionals are anxiously awaiting more news from RSA about what information was lost and what the implications might be. If the stolen information is extensive enough to enable attacks on SecurID users, those users will need to replace or supplement their tokens, for example with an additional authentication factor or closer monitoring of authentication attempts. But at this point they don't have enough information to act.

It's not an event that inspires confidence in anything, and enterprises are understandably nervous. Here's a report on the breach.

Wednesday, March 16, 2011

Assurance for Cloud-based Systems

Gartner recently released a report entitled Gartner’s Top Predictions for IT Organizations and Users, 2011 and Beyond: IT’s Growing Transparency. In that report, there was a very notable prediction related to assurance. It stated: "By 2015, 80% of enterprises using external cloud services will demand independent certification that providers can restore operations and data."

Many readers will immediately think of the AICPA SAS 70 reports. However, SAS 70 was designed around controls relevant to financial reporting; it does not explicitly address operational controls such as availability and recovery, and could not be counted upon to provide assurance in this respect.

The AICPA recognized this issue and the demand for assurance on Security, Availability, Processing Integrity, Confidentiality and Privacy (the Trust Services principles), and released new guidance specifically for these engagements, generically referred to as SOC 2 reports. SOC 1 reports (under SSAE 16) deal with controls relevant to financial reporting, and SOC 3 reports deal with the use of Trust Services seals for service organizations.

The new guidance, some of which is still in process of preparation, will enable assurance professionals to respond more effectively to the various needs for assurance on service organizations, which includes cloud providers.

Monday, March 14, 2011

KPMG Audit Committee Institute

KPMG established a worldwide network to provide resources and the opportunity for interaction for audit committees. The goal - to encourage better efficiency and effectiveness of audit committees and the corporate reporting process.

Each year, audit committee chairs and members are invited to join sessions where they make presentations and discuss issues. Reports on the proceedings and summary reports on the major issues are issued.

The reports for Winter 2011 from the Canadian Institute can be downloaded from its website. They contain results of surveys on the effectiveness of risk management as well as other timely issues. Well worth monitoring.

Tuesday, March 8, 2011

e-Discovery - Planning is Essential

Retrieval of electronic information in discovery proceedings preparatory to legal action is now an accepted element of litigation. Given the expectations of courts and litigants regarding the ability to request and receive information, failure to deliver could be catastrophic.

An enterprise needs to identify the information that could be required in discovery proceedings and ensure its retention and security. This requires a careful evaluation of the risks of litigation and the information that could be relevant to such litigation.

When data are retrieved, it is important to preserve their integrity throughout the process, so that what is produced can be shown to be what was collected. In addition, a company needs to be alert to the risk of inadvertently producing linked or embedded information (attachments, metadata, tracked changes) that is superfluous or unnecessary in the particular case.

All of these considerations and more require a carefully constructed system of controls over the designated information. The ISACA white paper "Electronic Discovery" provides an excellent starting point for developing such a system. It can be downloaded here.
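The integrity point above is usually met with a hashed collection manifest: every item is hashed at collection, the manifest itself is sealed so it cannot be quietly edited, and the set is re-verified before production. The following is an added example and is not from the original post or the ISACA paper. The custodian key, file names and file contents are constructed for illustration; in practice the seal would be a signature under a key the collecting party controls and the collection timestamp would come from the collection tool.

```python
import hashlib
import hmac
import json

# Constructed demo key standing in for the custodian's signing key.
CUSTODIAN_KEY = b"constructed-demo-key-replace-in-production"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _serialize(body: dict) -> bytes:
    # Canonical JSON so the seal is stable across re-serialization.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(documents: dict, collected_at: str, key: bytes = CUSTODIAN_KEY) -> dict:
    """Hash every collected item, then seal the list with an HMAC."""
    entries = {
        name: {"sha256": sha256_hex(content), "size": len(content)}
        for name, content in documents.items()
    }
    body = {"collected_at": collected_at, "entries": entries}
    seal = hmac.new(key, _serialize(body), hashlib.sha256).hexdigest()
    return {"body": body, "hmac": seal}


def verify_manifest(manifest: dict, documents: dict, key: bytes = CUSTODIAN_KEY) -> list:
    """Return a list of problems; an empty list means the set is intact.

    Detects an edited manifest (bad seal), items that vanished since
    collection, items that appeared, and items whose content changed.
    """
    problems = []
    expected = hmac.new(key, _serialize(manifest["body"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        problems.append("manifest seal invalid (edited manifest or wrong key)")
    entries = manifest["body"]["entries"]
    for name in sorted(set(entries) | set(documents)):
        if name not in documents:
            problems.append(f"missing: {name}")
        elif name not in entries:
            problems.append(f"unlisted: {name}")
        elif sha256_hex(documents[name]) != entries[name]["sha256"]:
            problems.append(f"modified: {name}")
    return problems


# Constructed collection: path -> bytes exactly as captured.
COLLECTED = {
    "mail/2010-11-03-contract.eml": b"From: cfo@corp.example\nSubject: contract terms\n...",
    "docs/pricing.xlsx": b"PK\x03\x04constructed-binary-content",
}

if __name__ == "__main__":
    manifest = build_manifest(COLLECTED, "2011-03-08T10:00:00Z")
    print("intact:", verify_manifest(manifest, COLLECTED))
    altered = dict(COLLECTED, **{"docs/pricing.xlsx": b"PK\x03\x04changed"})
    print("after edit:", verify_manifest(manifest, altered))
```

The manifest is produced once at collection and stored with the chain of custody record; anyone handling the set later re-runs verify_manifest against the files they received, and a non-empty result is a finding to be explained before anything is produced.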

Monday, March 7, 2011

Is P2P Encryption the Answer to PCI Compliance?

Point-to-point encryption (P2PE, not to be confused with the peer-to-peer sense of P2P) is an appealing solution to the problem of control over payment systems. Encrypting within the payment terminal itself ensures that card data are encrypted at the moment of capture. If the decryption point is placed far enough back in the system, ideally at the payment processor, the data are protected along their entire path.

This, however, is where P2PE often falls short of its objective. It is frequently impractical to keep the data encrypted all the way through, because the components along the path vary and not all of them are compatible with a single encryption scheme, so intermediate decryption points creep in.

Even so, encrypting at the point of capture is worthwhile. It removes the risk of card data being skimmed from the systems between the terminal and the decryption point, and it can reduce the scope of a PCI assessment, since components that only ever handle ciphertext and hold no key to decrypt it can be removed from the list requiring detailed evaluation. The terminal itself, as the point of capture, remains in scope.

So while P2PE may not be the whole answer, it makes a very good starting point, and can be used as a building block for an integrated and comprehensive security system down the road. For a good commentary on P2PE, check out this article.

Friday, March 4, 2011

Cloud Security Carries Risk

Security in the cloud raises some delicate issues that don't exist elsewhere. The fundamental issue is that security remains the responsibility of the enterprise even when the security process is outsourced to a cloud provider: accountability stays with the enterprise, while the duty to actually carry out the security processes lies with the provider.

That means the enterprise needs to ensure that the appropriate security procedures are being carried out but also needs to rely on the cloud provider to exercise those duties responsibly.

As with any outsourcing situation, the nature and strength of the agreement is critical. But the agreement can never completely remove any need for trust between the parties.

This interplay between trust and the need to verify what the provider is doing to meet its responsibilities is at the heart of an insightful article in The E-Commerce Times on Cloud Security.

Tuesday, March 1, 2011

Canadian Government Subjected to a Spear Phishing Attack

In late February, the Canadian Treasury Board and Department of Finance were the subject of a spear phishing attack. Spear phishing is a targeted form of phishing in which the message is tailored to its recipients and, as in this case, appears to come from a trusted person of authority within the organization. The messages can therefore carry the authority of that person, and if they are carefully crafted, their request can seem reasonable and well grounded.

Fortunately, in this case, the security apparatus in place enabled the intrusions to be detected and a lock-down was initiated to protect the data.

The incident points, however, to the ever evolving sophistication of fraudulent activity and the need for intense vigilance to combat it. For an account of the attacks, check out this article.

Thursday, February 24, 2011

Reducing the Scope of PCI Audits Using Tokenization

The PCI DSS requirements specify that if cardholder data are stored, processed or transmitted on a network, then that network, and anything connected to it without adequate segmentation, is in scope for assessment. This can be an onerous task, so assessors and companies have sought ways to reduce that scope.

One way that works is tokenization, which replaces the card number with a token: a surrogate value that can be mapped back to the real number only by a separate token vault. The card data themselves are then kept in that single secured location.

Provided the tokens cannot be reversed without access to the vault, the systems that hold only tokens can be excluded from the scope, and the assessment concentrates on the vault and the paths into it.

Tokenization is a useful solution to the issue of PCI audit scope. For a detailed paper on this topic, check out this reference. Registration is required to obtain the white paper.
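To make the scope argument concrete, the following added example (not code from the original post or from the white paper it links to) shows a minimal token vault together with the check an assessor would actually run: scanning records on the supposedly out-of-scope side for anything that still looks like a card number. The sample record, the test card number 4111111111111111 and the design choice of making every token fail the Luhn check (so a token can never be mistaken for a PAN) are this example's own assumptions; the vault's in-memory dict stands in for encrypted storage.

```python
import re
import secrets

# Runs of 13 to 19 digits not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test; every real PAN passes it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return digit runs that look like live PANs (right length and Luhn-valid)."""
    return [m.group(0) for m in PAN_CANDIDATE.finditer(text) if luhn_valid(m.group(0))]


class TokenVault:
    """The only component able to map a token back to a PAN.

    It lives in the secured, in-scope zone. In production the PAN side of
    the mapping is encrypted at rest; here a plain dict stands in for it.
    """

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_valid(pan)):
            raise ValueError("not a plausible PAN")
        if pan in self._token_by_pan:            # same card -> same token
            return self._token_by_pan[pan]
        while True:
            # Random body plus the real last four digits: the token stays usable
            # for receipts and analytics, but nothing in it is derived from the PAN.
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject Luhn-valid tokens so a token can never pass as a real PAN.
            if not luhn_valid(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


def tokenize_record(record: str, vault: TokenVault) -> str:
    """Replace every PAN in a free-text record with its token; leave other numbers alone."""
    def swap(m):
        value = m.group(0)
        return vault.tokenize(value) if luhn_valid(value) else value
    return PAN_CANDIDATE.sub(swap, record)


# Constructed sample record: a test card number plus a 13-digit reference
# that is not a card number (it fails Luhn) and must survive untouched.
RAW_RECORD = "order=1001 card=4111111111111111 amount=42.00 ref=9876543210988"

if __name__ == "__main__":
    vault = TokenVault()
    safe = tokenize_record(RAW_RECORD, vault)
    print("PANs before:", find_pans(RAW_RECORD))
    print("record after:", safe)
    print("PANs after:", find_pans(safe))
```

find_pans is the scope check: run it over database dumps, logs and application storage on the token-only side, and any hit means cardholder data leaked past the vault and that system is back in scope.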

Secure Cryptography for Enterprise Computing

Encryption has never been more important. As an ever-growing number of systems fall prey to malicious attack, encryption provides a last line of defense against data theft and other nefarious activities. In this Deep Dive, renowned security expert and InfoWorld contributing editor Roger Grimes provides a comprehensive guide to the uses, inner workings, weaknesses, and management issues related to encryption. For the white paper, click this link.

Thursday, February 17, 2011

The Growing Integration of Business and IT

Over the past few years, business, traditionally a reluctant partner of IT, has come to recognize that IT is fundamentally critical to corporate strategy. And much has changed. While many of the basic elements, such as desktop solutions, servers, multi-processors, laptops and so on, are still in use, they have been enhanced and augmented by the cloud, mobile devices, social networking and the concomitant growth in reams of unstructured data that is useful to the enterprise. And so the concept of data visualization grew into prominence as a means of capturing and using these vast amounts of data.

Much has changed in the technology, which has led to big changes in the management issues and in the way data can be used for strategic purposes. For example, the availability of unstructured data, properly visualized, can be used to enhance BI and CRM systems, among others, leading to better marketing and strategic decisions.

Among the major management issues arising from these changes is that of privacy and security. When data become available through social networks, for example, they are exploited through data visualization, and often the privacy that should be afforded these data is not sufficiently considered in configuring their uses. Security management in this new environment is often a nightmare. Not only is there often minimal security around the unstructured data that is used, the security in the platforms and applications is scattered, varying and unreliable. To make it worse, it is often managed by different organizations because of the outsourcing involved. So the job of the security professional and the IS auditor is made more difficult.

Deloitte has released an excellent white paper reviewing all these changes, and providing expert direction on the strategic implications. Check it out with this link.

Wednesday, February 16, 2011

Security and the Cloud

IBM has released a white paper that explores in some depth the issues around attaining adequate security in the cloud. A significant issue raised is that much of the security in cloud apps is often outsourced, which passes control, but not responsibility, to another party. Also, there is a visibility problem, in that it is often difficult to know just where the data is located, making it difficult to determine what security is in place to protect it.

The paper explores these and other issues, and is a valuable addition to the literature on the subject. In addition, the paper provides a useful explanation as to just what the cloud is and the variations that are in use.

The paper can be downloaded free from this site.

Wednesday, February 9, 2011

Control Over Change Management

To say that change is inevitable is a cliche, but it remains a constant factor in the world of IT, and of course in the world at large. Coping with change is one of the biggest challenges of management, and in IT it is one of the serious risk exposures. Good control over change management remains a priority for most IT managements.

But change control cannot be managed in isolation. It is so important and pervasive that it needs to be swept into the bigger management picture.

That's why a paper released in 2009 by IBM remains relevant today. It sets out five CIO challenges that can be better met with better change control management, and shows the tight relationship between the CIO's job and change control. For that reason it's worth a read or a re-read. It's on this site.

Wednesday, February 2, 2011

An ISACA Guide on Mobile Security

Few areas in the past few years have challenged security professionals more than the growth of mobile devices and their relationship to corporate IT systems. Not only have mobile devices become ubiquitous, they have become more powerful and more involved in corporate decision making. So integration and security issues have become significant and even critical.

A guide released by ISACA last year addresses this area. It is intended to help organizations to:

"Implement a systematic approach to security in mobile application development with help from this practical guide. Featuring case studies, code examples and best practices, Mobile Application Security details how to protect against vulnerabilities in the latest smartphone and PDA platforms. Maximize isolation, lock down internal and removable storage, work with sandboxing and signing, and encrypt sensitive user information. Safeguards against viruses, worms, malware and buffer overflow exploits are also covered in this comprehensive resource.
  • Design highly isolated, secure and authenticated mobile applications
  • Use the Google Android emulator, debugger and third-party security tools
  • Configure Apple iPhone APIs to prevent overflow and SQL injection attacks
  • Employ private and public key cryptography on Windows Mobile devices
  • Enforce fine-grained security policies using the BlackBerry Enterprise Server
  • Plug holes in Java Mobile Edition, SymbianOS and WebOS applications
  • Test for XSS, CSRF, HTTP redirects and phishing attacks on WAP/Mobile HTML applications
  • Identify and eliminate threats from Bluetooth, SMS and GPS services"
The guide is an important one for security professionals and IT Auditors.