

Fatih Ozavci from Context Information Security highlights risks of growing VoIP attack surface and threats

August 4, 2016: With more organizations turning to VoIP (Voice over Internet Protocol) and cloud-based Unified Communications (UC) systems to underpin their commercial services and corporate communications, IT response and security testing teams are struggling to keep pace with the VoIP attack surface and growing number of threats in the wild, according to Fatih Ozavci from Context Information Security, speaking at the Black Hat USA conference today.

“A lack of understanding of modern VoIP and UC security means that many service providers and businesses are leaving themselves at risk to threat actors repurposing this exposed infrastructure for attacks such as botnets, malware distribution, vishing, DoS and toll fraud,” said Ozavci.

Ozavci points to potential vulnerabilities in major UC product suites and IMS platforms, such as bypassing security measures, injecting malicious content into messaging, caller identity spoofing and billing bypass, along with problems caused by insecure configurations. “By exploiting these vulnerabilities, attackers could gain unauthorized access to client systems or communication services such as conference and collaboration, voicemail, SIP trunks and instant messaging,” said Ozavci.

The Black Hat presentation highlights weaknesses in UC messaging, federated communications and collaboration services that could be used to gain unauthorized access to the UC environment and client systems, as well as attacks on client systems using signaling protocols and messaging.
“These attacks can be used to compromise the client systems connected using protocol and software vulnerabilities,” said Ozavci, adding, “Dial plans, misconfigured SIP trunks, conference and network infrastructures are also major targets for advanced attacks.” The Context researcher has also looked at media transport protocols such as (S)RTP for voice calls, file, desktop and presentation sharing.

The media transmitted may carry confidential or sensitive information that falls under PCI, COBIT or other compliance requirements, such as credit card details given on calls to IVR services or customer privacy information. “Due to insecure encryption and design issues, sensitive information in the media that’s been transmitted can be exposed and compromised,” said Ozavci. To help raise awareness of these VoIP and UC vulnerabilities, Ozavci has developed the open source tools Viproxy and Viproy, which can be used for VoIP penetration testing.

These are available at: www.viproy.com.

Fatih Ozavci is speaking at Black Hat USA, Thursday, August 4, 2:30pm-3:20pm.

About Fatih Ozavci

Fatih Ozavci is a managing consultant with Context Information Security and the author of the Viproy VoIP Pen-Test Kit, Viproxy MITM analyzer and the VoIP Wars research series. He has fifteen years’ experience in information security as a leading security consultant, researcher and instructor. His current research is focused on securing IMS and UC services, IPTV systems, mobile applications, mobility security testing, hardware hacking and BYOD/MDM analysis. He has discovered previously unknown (zero-day) security vulnerabilities and design flaws in IMS, Unified Communications, Embedded Devices, MDM, Mobility and SAP integrated environments and has published several security advisories for SAP Netweaver, Clicksoft Mobile, Cisco CUCM/CUCDM and Microsoft Skype for Business platforms.

About Context

Established in 1998, Context’s client base includes some of the world’s most high profile blue chip companies, alongside public sector and government organizations, for technical assurance, incident response and investigation services.

An exceptional level of technical expertise underpins all Context services, while a detailed and comprehensive approach helps clients to attain a deeper understanding of security vulnerabilities, threats or incidents.

Context is also at the forefront of research and development in security technology.

Context delivers a comprehensive portfolio of advanced technical services and, with offices in the UK, Germany and Australia, is ideally placed to work with clients worldwide. www.contextis.com

For more information for editors, please contact:
Peter Rennison / Sam Morgan
PRPR, Tel + 44 (0)1442 245030
pr@prpr.co.uk / sam@prpr.co.uk
Lack of IT integration and workload interoperability is pushing big enterprises such as Royal Dutch Shell to collaborate with IT providers and launch initiatives to develop IT standards to help them simplify IT management, cut integration complexities and save costs.

Shell, BP and PriceWaterhouseCoopers (PwC), along with IT suppliers Microsoft, IBM and HP, have launched the IT4IT Forum – a supplier-neutral consortium that provides enterprises with a reference architecture to simplify their IT management, cut costs and improve IT efficiency. The IT4IT initiative is aimed at helping companies' IT departments address the strategic challenges brought about by the changing IT landscape. The reference architectures will support management and execution across the IT value chain and will allow enterprise CIOs to deliver services faster and with reduced cost and risk, according to The Open Group, the consortium working to develop IT standards.

The forum launched as analyst firm Gartner published research suggesting many IT functions struggle to contain costs. Gartner said many organisations report the basic costs of running and maintaining their IT estates rising, leaving less budget for innovation and investing in business applications. Initiatives such as IT4IT hope to identify opportunities for cost reduction, freeing up funding for innovation. Gartner estimated that, for an IT department's budget of $1bn per annum, the initiative could save between 5% and 20% of the total.

Other members joining the IT4IT Forum include Achmea, AT&T, University of South Florida, Logicalis and Munich RE; and service providers Atos, Capgemini and Accenture.

Why big customers are in the game

"Like many other companies, Shell faces challenges around matching IT capabilities to core business needs, and reducing IT spend while delivering IT solutions faster,” said Shell CIO Alan Matula.

New technologies such as cloud, IT consumerisation and big data are adding further complexity to Shell’s substantial IT infrastructure, and its IT team is increasingly stretched to respond to rising demand and the need for greater agility. At the Open Group conference, Hans van Kesteren, Shell’s vice-president and CIO for global functions, admitted the company has multiple end systems in place and faces huge integration challenges. "Standards will help us to mature our industry," he said.

Shell spends millions on IT every year and its infrastructure comprises 140,000 desktops, 25,000 networks, 10 datacentres and more than 35 petabytes of storage every year. “We also have about 8,000 IT applications – 500 of which are absolutely business-critical. These applications cannot experience downtime,” Kesteren told delegates at the conference. “The forum will create a common language to share best practices and we will have a common platform so when we buy apps or services it will all fit in and we don’t have to worry about integration.”

Enterprises stand to benefit from this work in various ways, such as “by enabling crucially needed interoperability in multi-supplier ecosystems and gaining a much deeper insight into what is happening in the IT function”, Matula said. “We believe the emerging IT4IT standard will drive a change in the market that will enable us to consume IT management capabilities as a service and to streamline future sourcing decisions by including adherence to the standard in relevant contracts.” According to Matula, the forum is “on the verge of seeing an open standard for IT management come into place”.

Move to streamline IT

Shell’s efforts to develop IT standards and improve IT integration can be traced back to 2011, when it changed its approach and started talking to HP – its IT estate was heavily invested in HP – to jointly design a comprehensive and integrated model for managing its systems and deal with the challenges identified. Shell wanted to share its experiences with other customers facing similar challenges at that time.

“The IT function in many of our member organisations is under constant pressure to provide improved capabilities to the enterprise, while at the same time lowering total cost,” said Allen Brown, president and chief executive of The Open Group.

The IT4IT standard will enable IT departments to achieve the same level of business discipline, predictability and efficiency as other business functions. It will also embrace and complement existing processes and methodologies (such as CoBIT, ITIL and TOGAF) by taking a data-focused implementation model perspective across the entire IT value chain.

One conference delegate told Computer Weekly she welcomed the initiative. “I do a lot of IT contract work for the public sector in the UK and the government will benefit hugely by this,” she said. “Government uses TOGAF and CoBIT and other frameworks and will benefit hugely from a common single standard.”

According to the enterprise customers at the event, a lack of cooperation across IT systems results in sub-optimal use of IT resources. “It also makes it impossible for users to tackle complexities such as cloud, agility, mobility and BYOD,” said Chris Davis, chair of IT4IT Forum.

Rick Ancona, CTO at PriceWaterhouseCoopers LLP, said IT departments need to evolve to meet the needs of the business while managing IT services provided internally and externally. “By driving an industry standard at the reference architecture level, we will truly achieve interoperability among our software suppliers providing the strongest IT environment available, thus allowing us to focus our energies on differentiating the business services instead of focusing on how best to manage IT," Ancona said.

Meanwhile, European health insurance company Achmea said it supports the IT4IT initiative because it is a community-driven, open-standard initiative. “In our industry, control of the end-to-end IT value chain is mandatory. That particularly includes effective and dynamic management of a multi-sourced landscape, which can only become a cost-efficient and high-quality reality with the right level of standardisation,” said Ton van der Linden, its CIO.

Customer-driven standards

Enterprise customers hope the forum will define a new operating model for IT and drive IT providers to deliver toolsets optimised to support the new IT4IT industry open standard. For service provider Accenture, the forum is in line with its objectives of developing integrated automation that uses a common framework across its IT operations.

"Hybrid architectures, new sourcing models and new delivery models mean the IT environment is more complex than ever, making it challenging for CIOs to maintain control while maintaining the agility and flexibility they need in today’s digital environment. Tools are available to help, but so far tend to be point solutions, developed in silos,” said Daniel Benton, global managing director, IT Strategy, Accenture. “It is not about having a new firewall product with 37 different lock systems on it. Today, IT is about understanding the complicated IT ecosystem and understanding the risks,” Benton told delegates. He warned that, in today’s digitised enterprises, CIOs are not driving the digital agenda anymore: “Someone else in the business is,” he said.

According to HP, IT infrastructure in large enterprises is so fragmented and lacking in unified standards that IT just cannot be optimised. “Customers are spending millions in integrating one IT system with another,” said Georg Bock, HP’s senior director of IT management software portfolio strategy. According to Bock, customer-driven standards will make interoperability measurable. “It will give all types of users a proper mechanism to get interoperability in workloads and end silos.”
Enterprise risk management must include the software acquired by the organisation, said Eric Baize, founder member of software assurance industry group SAFECode. “Traditional risk management processes need to be refined to include software, because that is the new perimeter and vulnerabilities are its weakness,” he told the ISSE 2014 security conference in Brussels.

Most large enterprises use risk management frameworks such as Cobit, he said, which all require addressing risk that can be introduced by third-party suppliers. “Most specify that, when technology is necessary to support service delivery, organisations assess the third party’s infrastructure and application security,” said Baize. This includes the software development lifecycle, he said, because one of the principles of software assurance is that it is the result of a comprehensive secure software engineering process. “But in many organisations there is often little understanding of software security and they tend to use ineffective, ad hoc methods of assessing software products,” said Baize.

Four common - but wrong - approaches to software assurance

There are four common approaches to software assurance, which all represent the wrong way of going about it, he said:

The first is to require a software supplier to attest that no vulnerability exists in the code. “But this is not a realistic expectation and, if anybody attests that their software has no vulnerability, you can be sure of only one thing: they don’t understand software security,” said Baize.

The second is to require a software supplier to share product source code. “The roughly 22-year-old Shellshock vulnerability reminds us that publishing source code has nothing to do with software security. Software assurance is the result of a process,” said Baize.

The third is to require a software supplier to share known vulnerabilities. “But no organisation would trust somebody who shares information on how to attack them, so it does not make sense to ask software suppliers for products' threat models or penetration-test results,” said Baize.

The fourth is to require a software supplier to adopt specific tools or coding standards. “Mandating specific tools and coding standards to improve software security is like forcing top chefs to cook ingredients with a microwave,” said Baize.

“Rather than wasting time with these four approaches, there is a much more efficient way of assessing the security of software products,” he said.

Review suppliers' practices and governance

Baize draws the analogy of assessing which of two astronauts to send to Mars. He said it is more useful to know about regular exercise and healthy eating than body-mass index, blood pressure and cholesterol levels. “What counts more is evidence of a healthy lifestyle than point-in-time indicators that can be manipulated or influenced at the time tests are done,” he said.

Similarly, Baize believes it is more meaningful to review a supplier’s secure development practices, product security governance, and vulnerability response processes. “Pen-testing, binary code analysis and network scanning provide only a partial and point-in-time view, and can be inconsistent and expensive,” he said. “The other approach is a more accurate predictor of risk of vulnerabilities, and can be more consistently applied.”

How to assess software suppliers' processes

A simple way of assessing suppliers' processes, he said, is to look at the vulnerability reporting and response policy on the company’s website and at public security advisories. “Also consider adherence to ISO vulnerability response standards, look for white papers or public documents on supplier software assurance processes, and history of security certification,” said Baize.

The “Holy Grail” would be to see adherence to newly developed standards for vulnerability response such as ISO 30111 and ISO 29147, and secure software development such as ISO27034-1, he said.

“In summary, assessment of vulnerabilities in procured IT products is part of enterprise risk management and current ad hoc assessment methods are ineffective and inaccurate.

“Assessment of vendor software assurance process is the most accurate and scalable approach, and emerging international standards provide a consistent framework for assessing suppliers’ software assurance processes.

“In the meantime, simple methods allow for the assessment of the vendor software assurance maturity, and use of software testing tools best applies to vendors with low software assurance maturity.”
Banks and financial services enterprises in Poland considering cloud services are split between strict regulations and security concerns on one hand, and cloud’s benefits and reach in other sectors on the other.

Global finance has been in crisis for several years. In Poland, however, the situation is quite different – the financial sector has noted higher profits than others. In recent years, the profitability ratio for institutions in this sector (net profit in relation to invested equity) varied from 13% to over 20%, according to data from the National Bank of Poland. Meanwhile, the average profitability for a company in Poland is only 8%. Not surprisingly, cloud service providers consider Poland’s financial sector players the most likely customers. Their offer is indeed taken into account by the banks, but with caution and deep introspection.

While cloud’s scalability and high compute capacity have been touted as beneficial for the financial sector, there is still a high level of distrust about cloud services in banks and financial institutions in Poland, says Adam Tymofiejewicz, director of consulting at Comarch, one of the two largest IT integrators in Poland.

What is limiting wide-scale cloud adoption in Poland?

Cloud helps to reduce total cost of investment and facilitates the use of IT infrastructure at scale, says Dariusz Kowalski, hosting manager at Home.pl, a hosting company that provides cloud services too. But financial services enterprises are among the most demanding IT customers. They usually want 24/7 technical assistance from the cloud service providers, and a high level of security and availability, Kowalski says. Financial institutions also insist that their cloud services provider holds the appropriate certificates and complies with the framework outlined by the financial regulatory authorities.

Banks and insurance companies have some non-technical requirements on their wish list too, says Kowalski. They want the cloud provider to be an established, trusted player with experience in the market. “Banks rarely decide to entrust their data to players of unknown reputation and operating in a non–transparent way,” Kowalski adds.

Banks’ cautious approach to the cloud is the result of regulations that are special, formal and more rigorous than in other industries. At the beginning of 2013, the Polish Financial Supervision Authority (PFSA) issued “Recommendation D”, which increases the requirements for “managing risks associated with IT and telecommunication systems used by banks”. Banks in Poland are required to deploy the advice contained therein by the end of 2014. The purpose of “Recommendation D” is to ensure that procedures at banks meet information technology standards – ITIL (Information Technology Infrastructure Library), the 27000 group of standards, COBIT (Control Objectives for Information and Related Technology) or ISO 22301.

Although “Recommendation D” does not have the status of a legal norm – it is merely advice – the banks cannot afford to ignore it. Failure to implement "Recommendation D", or only partial implementation, can cause real losses, PFSA warns. “Among the risks are IT systems failures, decreased resistance to outside attacks and improper actions of a mechanism to inform the management about current challenges that should be faced by the bank,” says Dariusz Stefaniuk, project manager at Baker Tilly International, a consulting company.

For the second year in a row, banks’ CIOs are devising their IT strategies around “Recommendation D” to satisfy the board of directors. As a side effect, there is weakened interest in implementing a cloud-based infrastructure. But banks are far from steering clear of the cloud, because of its rising dominance within other segments such as retail, small and medium enterprises (SMEs) and the tech sector.

Despite caution and regulatory requirements, some enterprises within the banking sector have taken their first steps into cloud and are yielding its benefits.

Poland still lacks a special law on cloud computing. But it can be argued that the current law is not an obstacle to cloud deployment, even within the banking and financial segment. It may even be considered favourable to cloud services, on condition that the use of IT outsourcing improves the quality and effectiveness of banking services. Banks deploying cloud services have already met the requirements of “Recommendation B”, issued by PFSA in 1997. “This document recommends reduction of fixed assets and at the same time, investing in improvement of service quality, which is consistent with the basic principles of cloud computing,” says Robert Kobylanski, chief executive of CK ZETO, a subsidiary of Asseco, the largest IT company in Poland.

Kobylanski estimates that more activities of banks will be supported by cloud-based solutions in the near future. It is difficult not to agree with such a forecast, especially because it is also supported by official data and the predictions of ICT market experts who are buoyant about cloud adoption in Poland. In 2012, cloud computing services were used by around 7% of companies in the financial services sector, according to the Central Statistical Office of Poland report “Information Society in Poland 2009-2013”. By 2015, the savings of the financial sector in central and eastern Europe will reach €183bn, driven by data processing systems in the cloud, predict analysts of the Centre for Economics and Business Research in London.

How cloud is seeping into Polish banks’ IT architecture

Based on previous experience in implementing an IT cloud model in Poland, Kobylanski argues that the transformation of IT systems in financial institutions begins with the spread of infrastructure as a service (IaaS) and platform as a service (PaaS). “Why? From the user point of view, the biggest advantage of cloud services is an immediate, non-investment access to computing power – server resources, applications systems, virtualisation, storage resources, disk arrays, backup and archiving,” Kobylanski says.

IT resources in the cloud enable IT specialists within banks to use rented compute power that, at the same time, complies with the standards, emphasises Kobylanski. A good example of it can be found in the work of developers during cloud systems testing and improving, he points out.

With the increase of trust in the security of cloud services for banks and the decrease in prices, more advanced banking functions will be processed in the cloud, experts say. Dariusz Wichniewicz, director of telecommunications services at ATM, the company running the largest datacentres in Poland, agrees with Kobylanski. Financial institutions, including banks, prefer a private cloud for several reasons, although it requires more financing than public cloud. However, it gives greater control over the data. In this model, banks do not have to share resources with other customers of the cloud, which gives greater comfort and safety, says Wichniewicz.

The Polish market of banking applications available in the cloud is getting more interesting, says Radoslaw Maczynski, vice-president of DomData, an IT company. He adds that in addition to universal tools such as office suites, DMS (Document Management Systems) and solutions to create and manage backups, providers now even offer tools to support typical banking processes, for example servicing debt collection.

Small and medium-sized financial institutions lead the way

Currently, there are 129 small and medium-sized cooperative banks that derive the greatest benefits of the cloud. While the large commercial banks are still considering the use of cloud computing, cooperative banks have been using the benefits of cloud computing for several years. Every month, 2.5 million banking transactions in this vertical are processed in the cloud. “We believe in the cloud computing model, as it is financially attractive for us. It enables us to apply the most modern IT solutions, which we could not afford if we were to use a traditional approach such as in-house IT,” says Eugenia Pokorska–Sawczuk, chief executive of the Cooperative Bank in Tczew. “Today, because of the cloud, our competitiveness is growing, and with it the ability to attract new customers,” says Pokorska–Sawczuk.

The big banks follow in the footsteps of the small institutions. These, although recognising the advantages of cloud services, need much more time and money for implementation and require a culture change. Bank for Environmental Protection (BOS – Bank Ochrony Srodowiska) moved its entire communication infrastructure to the cloud in 2012. Integrated Solutions, a subsidiary of Orange, one of the four largest mobile network operators in Poland, implemented Unified Communications as a Service (UCaaS) at BOS. Today, nearly two thousand employees of the bank, in its headquarters and in local offices, use wired and mobile telephony, conferencing systems, communication devices and tools served from the cloud. “UCaaS helps us not to worry about investing in expensive hardware and software. Thanks to pay-as-you-go and pay-as-you-use models, we pay only for those IT resources that we actually use,” says Adam Grzbieluch, vice-president of BOS. “The transfer of care for network and telecommunications equipment to outside specialists is not only a source of savings. This is the first step to all further improvements in the area of technological solutions quality, optimising the cost of services and better management of IT staff in our bank.”

The first bank in the cloud

Idea Bank, a subsidiary of Getin Bank, specialises in serving small businesses. It is the first bank in Poland that has decided to implement a model of banking services that is fully provided in the cloud (Idea Cloud). This project is being implemented in cooperation with Efigence, a widely unknown IT developer for financial institutions. The start of this cloud bank is announced for the end of September this year. “I expect Idea Cloud will gain 100,000 to 150,000 thousand clients during the first year of operation,” says Jaroslaw Augustyniak, CEO of the bank.

Users of Idea Cloud will be able to issue invoices, declare and pay taxes, make business payments, monitor receivables, take loans and more. “Idea Cloud is an intelligent system that remembers everything that a busy entrepreneur can forget. The system automatically builds a history of relationships with customers and partners, and helps to forecast cash flows of a business. It also includes a virtual safe with encrypted access, dedicated to all types of electronic data,” says Jakub Wojciechowski, project manager of Idea Cloud.

In the next three to five years, technological innovations in the banking sector will be closely linked to the implementation of cloud solutions, predicts Augustyniak.

This was first published in August 2014
Information security professionals must have a good understanding of the business they support, says David Cass, chief information security officer (CISO) for publishing firm Elsevier. “They must know what is important to the business and what the key business drivers are so that information security can be aligned with those,” he told Computer Weekly. Many businesses have an increased need for agility and want to be able to test products quickly and adopt “fail-fast” models or expand rapidly, he said. The cloud is well suited to these cases, said Cass, but security professionals must be able to articulate what the business risks are, and provide adequate protection. “In the past, a security breach tended to mean the end of a CISO’s career, but now the bigger career-limiting factor is if you are unable to help the business to innovate,” he said. This generally means helping the business to use social media, mobility and cloud computing securely to enable new products and services.   The best way to achieve this is to take a partnering approach, said Cass. “My information security team is essentially a business-facing structure,” he added. Elsevier does not own any traditional IT infrastructure, so its information security team works with the business and technology suppliers to work out how to achieve business goals. This approach is enabled at Elsevier by the fact that, as CISO, Cass reports into the company’s legal department. “This means I am a peer with our CIO, and it give me the opportunity to peer with our business product owners and senior managers to work out how to achieve business goals,” he said. To support this process, Elsevier has created a risk framework for assessing applications that draws on industry best-practices, such as the COBIT framework, combined with a capability maturity model (CMM). Key areas of focus include network and system security, application security, data security, security operations, and security metrics. 
Several areas are evaluated in each of these. For example, data security includes data classification, data model and flows, data ownership, and access controls. “Based on the agreed risk level of an application that the business may want to create, the security team defines security and privacy characteristics that need to be met,” said Cass. “Then we will work with the CIO and his team to find ways to accomplish this, and if those characteristics can be met, we are agnostic as to whether this is done in the public cloud, Elsevier’s own hosted datacentre, or a co-located facility.” But this means recognising that the approach has to be different because some traditional security measures do not work in the cloud. For example, going to the public cloud may require using a system to log all transactions to meet the agreed-upon level of maturity for that particular application if it is a high-risk application. “By defining the security and privacy characteristics that we require, it gives the business a clear understanding of the true risk associated with an application,” said Cass. “And if they can meet the requirements in the public cloud, it also gives them the flexibility to assess whether it is more cost-effective to do so.” In this way, he said, it becomes a business decision based on the risk of the application and whether it is possible to meet the characteristics that security has worked with the business to define. The business also decides whether the cost to meet the required characteristics can be justified by what the application is trying to achieve and the revenue it can generate. Elsevier can use its risk framework for both new and existing applications. With new applications, the security team works with the business unit in the planning phase and technology teams in development. With existing applications, the framework is used to review the application development lifecycle and carry out a deeper security and privacy assessment. 
In this way, Elsevier can identify any potential gaps and retrospectively improve areas of code to meet the characteristics defined by the risk framework. The fact that these characteristics have been agreed by all the stakeholders means they are supported across the organisation. “As a result, the requirements are not perceived as something that has been inflicted on the business by the information security team,” said Cass.

The risk framework was the result of a collaborative effort to look at what is important to Elsevier as a business and agreeing on a maturity model to support that. But Cass admits it was not without its challenges. As CISO, he still had to demonstrate business knowledge and an ability to work with the senior leadership of each of the groups involved.

“My advice to other CISOs is to understand the business and look for ways to innovate at small scale to prove what is attainable, and to share as much information as possible to break down silos,” he said. “Once you can demonstrate that you understand the strategic direction of the business, you can look at how information security can help the business deliver on those goals.”

Cass will take part in a panel discussion on Security as an enabler: supporting enterprise innovation and transformation at Infosecurity Europe 2014 at Earls Court London on 29 April to 1 May. He will be joined by moderator Peter Wood for the ISACA London Chapter and fellow panellists Lee Barney of the Home Retail Group and Michael Colao of Axa.
Global IT association ISACA has launched its Cybersecurity Nexus (CSX) programme to help address the global security skills shortage. According to the Cisco 2014 Annual Security Report, more than one million positions for security professionals remain unfilled around the world.

CSX is aimed at helping IT professionals with security-related responsibilities to “skill up” and providing support through research, guidance and mentoring. A recent ISACA survey found that 62% of organisations have not increased security training in 2014, despite 20% of enterprises reporting they have been hit by advanced persistent threats.

“Unless the industry moves now to address the cyber-security skills crisis, threats such as major retail data breaches and the Heartbleed bug will continue to outpace the ability of organisations to defend against them,” said Robert Stroud, ISACA international president-elect.

CSX is designed as a comprehensive programme that provides expert-level cyber-security resources tailored to each stage in a cyber-security professional’s career. The programme includes career development resources, frameworks, community and research guidance, such as Responding to Targeted Cyberattacks and Transforming Cybersecurity Using COBIT 5.

There is also a Cybersecurity Fundamentals Certificate that is aimed at entry-level information security professionals with zero to three years of practitioner experience. The CSX programme marks the first time in its 45-year history that ISACA will offer a security-related certificate. The certificate is for people just coming out of college and for career-changers now getting into IT security.
The foundational level is knowledge-based and covers four domains:

- Cybersecurity architecture principles
- Security of networks, systems, applications and data
- Incident response
- Security implications related to adoption of emerging technologies

The exam will be offered online and at select ISACA conferences and training events beginning this September. The content aligns with the US NICE framework and was developed by a team of about 20 cyber-security professionals from around the world.

ISACA plans to add more to the CSX programme, including a cybersecurity practitioner-level certification with the first exam in 2015, cybersecurity training courses, SCADA guidance and digital forensics guidance.

A recent global poll of members of ISACA student chapters shows that 88% of the ISACA student members surveyed say they plan to work in a position that requires some level of cybersecurity knowledge. However, fewer than half say they will have the adequate skills and knowledge they need to do the job when they graduate.

“Security is always one of the top three items on a CIO’s mind, yet IT and computer science courses at university level are not allocating a proportional amount of training to cybersecurity,” said Eddie Schwartz, chair of ISACA’s Cybersecurity Task Force. “Today, there is a sizeable gap between formal education and real world needs. This, in itself, is an area requiring immediate focus so that the industry can get better at detecting and mitigating cyber threats,” he said.

According to Tony Hayes, ISACA international president, enterprises cannot rely on just a handful of universities to teach cybersecurity. “With every employee and endpoint at risk of being exploited by cyber criminals, security is everyone’s business. We need to make cybersecurity education as accessible as possible to the next generation of defenders,” he said.
A top challenge facing information security professionals is the multiple points of entry created by new technologies and business models, says Ron Hale, acting CEO of global IT security association Isaca. “Security is no longer about defending the network perimeter because there is no perimeter any more as organisations embrace mobile and cloud computing,” he told Computer Weekly.

In recognition of this, Isaca is increasing its existing business focus to help a wider community of security and business professionals identify which technologies offer the right balance of risk and reward.

Evaluating new technologies

Hale, who recently took over the role of Isaca CEO from Susan Caldwell, is driving an initiative to create services to help security and business professionals evaluate new business-enabling technologies. The initiative is being led by a committee drawn from a wide range of different business sectors with experience in connecting business leaders with the technicians who build enterprise IT systems.

“We looked for people with experience in technology strategy, founding startup companies and building IT solutions that were unique and different to create new business opportunities,” said Hale.

In the beta phase of the project, Isaca is taking the concept to various enterprise boards to get feedback that will be used to refine the planned offering and ensure it meets market needs. “The committee is very different to other Isaca committees and we are likely to end up with a very different product offering,” said Hale.

The plan fits neatly into Isaca’s 10-year plan to treble membership, make content available to a wider audience, and engage more widely with business and technology professionals.

Cyber security and privacy

In addition to emerging technologies, the organisation is focusing on cyber security and privacy, engaging with government in the US and UK and collaborating with European Union cyber security agency Enisa.
In cyber security, the aim is to provide unbiased information to enable decision-making at the higher levels and then connect those decisions to actionable things technicians can do to make it all work. Hale believes Isaca has a role in facilitating the communication between the business and security practitioners. “We aim to be the glue in the middle to bridge the gap and enable organisations to tie risk and vulnerabilities to business goals,” he said.

As part of this aim, Isaca is working with the US National Association of Corporate Directors on a series of free videos for boards around the world to create awareness around cyber security. With a similar aim, Isaca plans to introduce content that will enable organisations to benchmark themselves against top-performing organisations in business metrics such as low-cost compliance.

In privacy, Isaca aims to provide more content that will enable those who build and monitor systems to ensure their effectiveness. “Much of the content that is currently available has been created by people in the legal profession, so there is a need for something that is more practical for those who build and run systems,” said Hale.

In the short term, Isaca is set to release content that ties in all aspects of the Cobit governance framework to help organisations deal with information and the challenge of big data. “It will help provide a common language for those who use information and those who create information systems,” said Hale.

Support for graduates and security professionals

Looking to the future, Isaca plans to play a greater role in helping graduates to transition to the world of work by providing practical experience to complement academic courses. The organisation also plans to develop programmes aimed at providing support to new, experienced and veteran information security professionals. Isaca also plans to engage more with other professional bodies and play a leading role in bringing security industry groups together.
“Isaca recognises that no single organisation has all the answers, and that it is better to bring all the best pieces together because a combined solution is always stronger,” said Hale.
“Expect more trouble,” a former international vice-president of Isaca has told information security professionals at the 2013 EuroCACS information security and risk management conference in London. Rolf von Roessing said the security challenges will only multiply as wireless data speeds increase and a growing number of devices become connected and interdependent in the “internet of things”.

He warned that, while the vulnerabilities and threats associated with the Android operating system are multiplying “almost exponentially”, users of Apple’s iOS can no longer be complacent. “Android is currently more of a target than iOS, but attacks are happening against Apple mobile devices and, when they are breached, it is usually fairly serious,” said Rolf von Roessing.

Connected clusters

However, von Roessing sees even bigger challenges for security professionals in attacks that compromise a cluster of connected devices and exploit interactions between the devices. In the latest models of BMW cars, for example, navigation systems, locking systems, starting systems and mobile phones are all connected, he said. Any of these systems could be infected and compromised. “Where there are clusters of wirelessly connected devices, it will become increasingly difficult to identify infections or where they have come from,” said von Roessing.

This means even cars have become another mobile device that information security professionals will have to secure and include in the Cobit 5 framework for IT governance and management. “Forgetting to include a car key fob in Cobit could open up a potential area of vulnerability,” said von Roessing. The problem is magnified when you consider the increasing number of connected device clusters emerging, such as those around point of sale devices.

Mobile challenge

In the enterprise, mobile phones present a significant challenge to security professionals, especially where phones are brand-locked and prevent the use of mobile device management systems. “For effective protection, security professionals need access to mobile operating systems, but this is not always possible and consequently 30% to 40% of devices are under the radar,” said von Roessing. There is also the challenge of enterprise mobile users being unwilling to surrender their devices on a regular basis for security maintenance.

The increasing number and complexity of wireless protocols is yet another challenge, especially when devices are designed to fall back to older, less secure technologies when network capacity is low.

At the application level, particularly in Android, the challenge is the excessive permissions that apps require users to agree to when downloading them, said von Roessing. “K-9 Mail, for example, demands 17 permissions, including the ability to manipulate contacts and create its own network sockets or side channels,” he said. Von Roessing advises that security professionals should weigh up the potential back doors in commonly used apps and encourage users to find less risky alternatives to the worst offenders.
Risk-aware users

“In the light of bring your own device (BYOD) programmes, it is more important than ever for end users to be aware of the risks involved,” he said. Considering the “tidal wave” of new and emerging risks associated with mobile devices, von Roessing said security structure and planning is essential. “Organisations need to set aside adequate budgets to deal with these challenges comprehensively, otherwise all efforts will simply be a waste of money because of all the security gaps,” he said.

In addition to an adequate budget for technical security controls, von Roessing said organisations should ensure they either have adequate internal skills or access to trusted external parties that can be integrated into the organisation to deal with mobile security.

Von Roessing reiterated the importance of risk-aware users. “Reasonable and responsible use is essential, otherwise you can forget about technical security. Rules must back technical controls,” he said.