One of the most discussed cybersecurity topics in recent years has been regulatory compliance. Many agencies and industries within the United States are covered by some form of legislation, or at least by a set of best practices, and yet most of this guidance fails when it comes to “advising organizations on the ins and outs of information security” (Sharkasi, 2015). This is where organizations like ISACA and NIST play an important role in covering the gaps in IT security education. In a recent ISACA Journal article, Addressing Cybersecurity Vulnerabilities, Sharkasi lays out a lengthy list of improvements organizations should make to strengthen their overall security posture. The following are some of the more salient points.
Emerging Technology Risk
“Assessing and minimizing the risk of emerging technology security are the first things enterprises do before using Internet of Things (IoT) technologies to manage IT systems, building equipment, smart phones and other web-enabled intelligent systems. To reduce risk, enterprises should pay more attention to newly proposed technology initiatives, ensure involvement of IT auditors in the early stages of any IT project, and extend the audit scope to include new technologies and management systems. Additionally, the performance of post-implementation review should be considered or viewed as a value-added audit project by the audit team. The audit team needs to have the right level of support and sponsorship to engage in the early stage of any IT projects. Auditors should play a significant role in IT projects and be part of the monitoring processes to ensure quality inputs and the merits of the project, rather than simply being involved with the outcome.”
Mind the Internal Threat
“While the majority of enterprises use networks as the backbone for secure data exchange transactions, standard encryption and firewall technologies can provide some measure of protection from outside attacks and theft by competitors, hackers or mercenaries. But what about the internal threat committed by the enterprise’s employees armed with computer access and passwords? The employee element is commonly overlooked. In fact, one of the most common bugs exploited by hackers to gain access to the inner workings of equipment is using default passwords. Default passwords are, from a manufacturing point of view, a convenient way of ensuring that its engineers can get into the company’s own computers when carrying out maintenance. Too often, security administration is overwhelmed with the task of trying to do it all (e.g., managing operating systems, applications, network, mobile devices, physical security). Security administration must segregate duties and define and deploy a security policy for one area before moving on to another hot spot. In conjunction with preventing internal irregularities, segregation of duties (SoD) should be applied so that the person responsible for assessing users’ level of access authorization is not the same person who implements the access controls.”
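Two of the controls in the passage above can be turned into a repeatable check. The script below is an added example, not code from Sharkasi or ISACA: it scans a constructed inventory of device accounts for passwords that still match a generic vendor default, and scans a constructed role table for the SoD conflict the article describes (one person both assessing and implementing access). The device names, role names, the default-credential list and the stored-hash format (unsalted SHA-256 hex, chosen only so the demo runs offline) are all assumptions.

```python
"""Audit device accounts for vendor default passwords and users for
segregation-of-duties (SoD) conflicts.

Added example, not from the ISACA article. The inventory, the
default-credential list and the role table are constructed sample data;
the stored-hash format (unsalted sha256 hex) is an assumption for the demo.
"""
import hashlib
from dataclasses import dataclass

# Constructed list of generic vendor default credentials (username, password).
DEFAULT_CREDENTIALS = [
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", "1234"),
    ("root", "root"),
    ("root", "toor"),
    ("service", "service"),
]


@dataclass(frozen=True)
class Account:
    host: str
    username: str
    password_sha256: str  # hex digest; assumption: unsalted sha256 for the demo


def sha256_hex(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Precompute the digests once so a large inventory is scanned by set lookup
# rather than by re-hashing every default for every account.
DEFAULT_DIGESTS = {(user, sha256_hex(pw)) for user, pw in DEFAULT_CREDENTIALS}


def find_default_passwords(accounts):
    """Return (host, username) for each account whose stored hash equals a
    known default password for that username."""
    return [
        (a.host, a.username)
        for a in accounts
        if (a.username, a.password_sha256.lower()) in DEFAULT_DIGESTS
    ]


# SoD rule from the article: the person who assesses a user's access level
# must not be the person who implements the access control. Role names are
# assumed for the demo.
SOD_CONFLICTS = [
    ("access_reviewer", "access_admin"),
]


def find_sod_violations(role_assignments):
    """role_assignments: dict user -> set of roles.
    Returns (user, role_a, role_b) for every conflicting pair a user holds."""
    violations = []
    for user, roles in sorted(role_assignments.items()):
        for a, b in SOD_CONFLICTS:
            if a in roles and b in roles:
                violations.append((user, a, b))
    return violations


# Constructed sample inventory: building equipment and cameras of the kind
# the article has in mind. One stored hash is upper-case to show the
# comparison is case-insensitive on the hex digest.
SAMPLE_ACCOUNTS = [
    Account("hvac-ctrl-01", "admin", sha256_hex("admin")),
    Account("hvac-ctrl-02", "admin", sha256_hex("Str0ng!Passphrase")),
    Account("cam-lobby-03", "root", sha256_hex("toor")),
    Account("cam-lobby-03", "operator", sha256_hex("operator")),
    Account("badge-srv-01", "service", sha256_hex("service").upper()),
]

# Constructed role table: carol both reviews and implements access.
SAMPLE_ROLES = {
    "alice": {"access_reviewer", "helpdesk"},
    "bob": {"access_admin"},
    "carol": {"access_reviewer", "access_admin"},
}


def audit(accounts=SAMPLE_ACCOUNTS, roles=SAMPLE_ROLES):
    """Run both checks and return the findings keyed by check name."""
    return {
        "default_passwords": find_default_passwords(accounts),
        "sod_violations": find_sod_violations(roles),
    }


if __name__ == "__main__":
    for kind, findings in audit().items():
        print(kind)
        for finding in findings:
            print("  ", finding)
```

In a real estate the stored hashes are salted and vendor-specific, so the default-password half of this check is normally done either by attempting an authentication with each default against the device (with authorization) or by comparing against the vendor's own configuration export; the hash comparison here stands in for that step. The SoD half works unchanged against any export of user-to-role assignments.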
Struggling to Deal With Legacy Systems
“Now that Microsoft has pulled the support plug for Windows XP, financial institutions (FIs) and companies that have not switched to Windows 7 need to explore their options. For FIs, this means upgrades to Windows 7 and Agilis 3 are required to keep up with the latest patches and maintain Payment Card Industry Data Security Standard (PCI DSS) compliance. Most FIs began a legacy system replacement early in 2014. But some FIs failed to truly understand the complexity of management reporting they had developed internally over the years, not to mention integrating multiple systems from different vendors. Specifically, neglecting the reliance on numerous system features or databases that tied to the old system required processing and culture changes to switch software and get off of those old functions. For these reasons, FIs felt that they needed a more comprehensive compliance plan before jumping in with upgrades. As a best practice, many FIs found it possible to get by with a special contract with Microsoft in which they could keep Windows XP and get the necessary security patches to remain compliant until they are ready to upgrade in conjunction with other planned changes. Now that the Windows XP transition deadline has passed, continuing to ignore the upgrade puts FIs at risk. And because other requirements are coming, it makes sense to create a plan that addresses not only a Windows 7 upgrade, but future needs as well.”
Cybersecurity Test Tools
“Cyberattacks on enterprises and banks worldwide reflect a frightening new era in cyberwarfare. As many security experts say, ‘You cannot hack or protect what you cannot see.’ Traditional network security strategies have become increasingly complex and costly, yet they do not deliver the level of reliability that modern mission-critical computing environments require. The solution is moving to a deeper, inside-out software-based approach that greatly reduces the number of vulnerabilities that hackers and cybercriminals can exploit. Cybersecurity stealth tools do exactly this and are an innovative, software-based approach to security that saves money, increases security, and is an agile component that adapts to changes in critical business networks and rapidly evolving regulatory requirements. To that end, it is good to see developers starting to introduce security tools that bring together maintenance and help-desk products with the security system. Security professionals should become familiar with the tools, techniques and weapons used in attacking their security infrastructure. Then they will be prepared to make a number of wise acquisitions, bringing in the best-of-breed products.”
The article goes on to detail a host of additional topics, each of which represents a potential point of entry into a facility’s IT infrastructure. The point Sharkasi and ISACA are making is that “attackers need to find only one weakness to get into an enterprise system and spread their reach.” While one weakness is all an attacker may require, defenders are responsible for securing the whole system. That demands a holistic approach encompassing hardware, software and wetware (people), and it must be a concerted effort embraced by both the public and private sectors to be effective.
References

Sharkasi, O. Y. (2015). Addressing cybersecurity vulnerabilities. ISACA Journal, 5. Retrieved from http://www.isaca.org/Journal/archives/2015/Volume-5/Pages/addressing-cybersecurity-vulnerabilities.aspx