Saturday, January 30, 2016

FDA Survey by EY – risk mitigation and ROI

EY's study, conducted June-Sept 2015, surveyed 665 respondents in 17 countries on Forensic Data Analytics (FDA) within anti-fraud/anti-corruption programs.  The interview pool included 192 Internal Audit heads/CROs, 129 heads of compliance/CFOs, 28 CEOs/COOs/CIOs and other managers, etc., and spanned industries such as financial services (162), consumer products/retail (149), life sciences (59) and technology/communication (77).
Key Trends:

  • Cyber breach and insider threat is the top and fastest-growing risk, at 32% vs. 17% for bribery/corruption, followed by 12% for capital project risk; 
  • The FDA investment gap has narrowed over the last couple of years; 
  • Technology use is growing: adoption of virtualization with FDA is up to 25% vs. 12% last year (social media 25% vs. 21% last year, and statistical analysis 18% vs. 11% last year); 
  • Positive results correlate with larger data volumes, both structured and unstructured;
  • Increased government and public scrutiny of fraud risks: 53% cite growing cyber risks, 43% increased regulatory scrutiny, 32% increased risk of fraud in emerging markets and 31% pressure from the board or management team

See the chart below; the top perceived risks by industry include: financial services, cyber breach at 74%; oil/gas, bribery/corruption at 52%; life sciences and technology/communication, internal fraud/abuse at 49% each; power/utilities, capital project risk at 46%; power/utilities, merger/acquisition at 44%; and financial services, money laundering at 46%.
Additional takeaways:

  • FDA is used for internal fraud (77%), cyber breach/insider threat (70%), bribery/corruption risk (68%) and financial statement fraud (60%)
  • 63% of respondents are making a strong push for proactive FDA spending, which results in nearly 60% lower cost per fraud incident than at companies not using proactive data analytics
  • Interestingly, 67% (up from 45% two years ago) plan to conduct FDA completely in-house, another 24% do it in-house but would consider outsourcing, leaving 9% who outsource

While the industry has made great strides over the last couple of years, continued commitment, investment and strategy implementation will sustain the positive trend.  Finally, the benefits of FDA center on faster response in investigations, increased business transparency, getting the business to take more responsibility, early fraud detection and reduced cost of the anti-fraud program.

Friday, January 29, 2016

AppSec gap continues to be theory vs. practice - preso

ISACA Chicago presentation on application security identifies these focus areas:

  • A risk-based approach is the goal
  • Align to the 2-5 year business strategy with leadership buy-in; tactical steps can then be taken to adapt 
  • Need for measurable results via metrics 
  • Focus on IT weaknesses specific to the organization 
  • Each organization has unique challenges, but the same approach can apply 
  • Find your application influencers
  • It's a marathon, not a sprint
  • Consider remediation for compliance and allow for a steady state before validation
  • Remember AppSec capabilities, including stocking up your tool belt
  • Considerations: app assessment (compliance/design) | Threat modeling | Attack and pen testing | Secure dev training | Full integration and security toll-gates in the SDLC | Vendor risk management concept
Awaiting slides to post and 2 CPEs

Thursday, January 28, 2016

Happy Data Privacy Day - inside job

Much attention goes to external sources of threat and the bad guys outside our organization.  But what about the insiders that we need to trust?
Knowledge is king, or at least it is what you get paid for.  So, when employees leave for greener pastures, they often take with them information created on the job.  With tenure less than 5 years on average, loyalty may not seem as valued in a digital world where mobility and collaboration are the norm, i.e. BYOD, Wi-Fi, USB, cloud, IoT.
Sure, there are things such as legal hold or data recovery backups for missing/destroyed data, but the numbers show 60% of organizations polled reported insider attempts to steal data and 93% believe they are vulnerable (source: Code42).
So, who's monitoring them? Who would even know? What does it cost an organization? What competitive advantage does it result in?

Key contributors and top threats include the lack of a layered security architecture, data leakage protection, security awareness, system vulnerability patching, mobile device management and removable media security.
For more info, check out the IBM X-Force Security Systems report, CSOOnline and CyLab.

Wednesday, January 27, 2016

2016 cybersecurity predictions - another view

Cybersecurity integration with the business (recall when information security was also tagged "the enabler") and an emphasis on detection over prevention/mitigation, or the usual suspect of dwell time, have re-surfaced.  These are themes that align with the InfoSec of years past, but now in a new digital world.  So, Forcepoint's security predictions for 2016:

  • The US elections are a large public event drawing attention (from the media and for downstream technology decisions), so a preponderance of social and online media threat vectors translates into related data leakage activities (and intellectual advantages).  
  • Payment security always plays a role; with chip/PIN, online targets, mobile wallets and a bleeding-edge payment landscape, these are sure to be sources of theft and fraud.  So, organizations should be aware of their exposures, and everyone, consumers included, should be attuned to cyber tactics and know the precautions.  
  • New .domain names offer organizations the benefit of customized websites and perhaps opportunities to direct/filter ISP traffic; however, with any action/benefit comes a reaction or threat/exposure.  So, adoption may come at a price, even if it's just re-education or retraining behaviors.
  • Insurance, we know, is a tricky game in terms of what qualifies or disqualifies you and your payouts.  So, expect the requirements for breach payouts to be stringent, insurers to be defensive about downstream liability, and perhaps variations/options by type of cyber incident.
  • Data theft prevention, because your data is worth money: from $1.5 per record to the $20-40 range for bulk data, so value depends on who/what/where, e.g. personal (credit) information for an 850 credit score is worth more than for a person with 600
  • Aging Internet infrastructure, resulting from technology changes/shifts, because the cost of conversion/upgrades or even of maintenance (hardware/software and labor) is high
  • Complexity in technology translates into exposures, and when the speed of deployment is not meeting business needs, imagine the speed at which monitoring or mitigating efforts are implemented: little to none. Technology penetration in the healthcare field will reach 40% by 2020, and that's just with currently expected growth or adoption.
  • Privacy is in a state of evolution, whereby personal information and business data intermingle not only in the devices used but also in behavior and overall cultural norms.
Back to the future - we'll aim to compare/contrast a year from now
Article source: Forcepoint.com

Monday, January 25, 2016

APDoS is the clear and imminent danger

Per Radware's Global Application and Network Security Report, Advanced Persistent Denial of Service (APDoS) attacks are an imminent threat, combining network and application layer attacks.  With attack bursts now trending toward one hour in length, an increase of 27% from the previous year, the present danger has shifted.  Typically 5-8 attack vectors are exploited at a time, generating over 10 million requests (typically SYN floods), rendering the system inoperable.
The industry survey of 311 individuals from various global organizations represents both a technical and a business perspective on fighting cyber attacks in 2015:

  • 24% of respondents were telecom or cloud providers, 15% financial services, 14% computer-related, and 4% healthcare/biotech/pharmaceuticals
  • 30% were network engineers, 22% security engineers, 20% managers, and 5% CIO/CTO/EVP

The study revealed few are prepared to address cyber attacks, even though 90% have experienced an attack, in industries ranging from financial services to enterprise verticals and from cloud to critical infrastructure.  No one is immune, with high certainty of facing DDoS (Distributed Denial of Service) attacks.  Preparedness for DDoS as well as APTs (Advanced Persistent Threats) hovers around 60%, which reflects weakness in overall protection and prevention.  Additionally, ransom and SSL/TLS-based attacks spiked from 16% to 25% in just one year.  While unauthorized access to confidential data is still high on the list, slowness of service delivery and customer service tops it.  As a result, reputational loss showed a decline from 47% to 26% in one year (as service models are affected, though the two are not completely disconnected).
Automated defenses are preferred, yet only 6% have automated solutions against cyber attacks and 60% rely on some degree of manual solutions.  Additionally, hybrid solutions have increased from 21% to 41%.
So, APDoS is a top prediction for this year, and the rest of the list follows:

  • RansomDoS to hit cloud companies
  • Privacy is endemic to the human condition; stewards of data should beware of rights and penalties
  • Introduction/proliferation of Permanent DoS (PDoS), which physically destroys firmware/hardware and renders it unusable
  • Uplift in cloud encryption 
  • Of course, IoT (Internet of Things) and breaches of rich data sources in the wild, wild Internet 

Article source: Radware.com

Saturday, January 23, 2016

App Delivery Controllers - Gartner's Magic Quadrant

ADCs bridge the gap between applications and their underlying protocols on one side and traditional packet-based networks on the other.
ADCs serve availability, scalability, end-user performance, data center resource utilization and security.
Kinds: single- or multi-instance hardware appliance, software-based instance, or cloud-based as-a-service offering (OTT, over-the-top). A preview of a few:
  • Citrix is ranked #2 with its vast array of software and hardware options (integration with Cisco, for example), with plenty of funding and partnerships while remaining cost-effective 
  • ADC selection influences/optimizes the delivery of enterprise applications across networks
  • A10 is the 4th largest ADC vendor, so it is ideal for larger-scale deployments, utilizes APIs for increased functionality, and is known for high-performance NAT (Network Address Translation) and SSL (Secure Sockets Layer) functionality.  However, its WAF (Web Application Firewall) is not mature and lacks some functionality, and it does not offer cloud OTT
  • Amazon's well-known brand and speed-to-market rollout edge out others, and its product suite, including load balancers, DNS services and cloud network delivery, is available on Amazon Web Services (AWS).  However, you tend to be limited to AWS and select ADC players, and it tends to require in-house support.
  • Barracuda focuses on SMBs (small or midsize businesses), with rapid growth in the market and product-rich offerings with good feature sets, including newly offered load balancers for increased security infrastructure.  However, its ADC/WAF limitations are restricting, and it has not played in the larger markets.
Aside from hardware and software options, desired profile settings, aggregation and integration are key.  Features are listed below, with full descriptions at Gartner.com

Monday, January 18, 2016

IT Audit Transformation in a digital society

Top 10 transformations toward the digital IT journey, from the ISACA Journal article Transforming the Auditor:

  1. Establish/solidify better integration across the entire risk spectrum
  2. Reexamine the fundamental mission strategy and formulate the capabilities needed to audit the IT of tomorrow
  3. Examine and realize the end-to-end audit life cycle 
  4. Continuous alignment and risk assessments, instead of outsiders coming in, to help advance business strategy amid rapidly changing technology
  5. Leverage technology and provide a managed services approach
  6. Establish robust GRC (Governance, Risk and Compliance) to best offer automation, improve productivity, ensure consistency, and enhance risk coverage and assessments
  7. Advanced analysis is key for trending and prediction of high risk
  8. How to do this
  9. Engage CRM (Customer Relationship Management) technology to manage the interview process, capture risk notes and themes, and make information available in real time for global team inclusion
  10. Leverage collaboration technology throughout the enterprise 

When Accenture applied these characteristics, audit totals increased by 250% (from 16 to 45 annually) from 2012 to 2015.  It was noticed that proactive monitoring builds awareness of changing risk profiles and resulted in leadership reaching out to the audit team for strategic decisions rather than after the decision. Lessons learned included:

  1. Alignment of IT audit with business strategy: an audit function nimble to changing technology/business needs
  2. Clarify governance on a continuous basis, not just annually, and keep the IA plan in accordance with business strategy/risk
  3. Run IT as a business with the organization/people as customers, with defined service offerings, a focus on value-add, and measurement of customer satisfaction
  4. Manage performance metrics and critical success factors, and highlight deficiencies as well as achievements
  5. Transforming people requires strong leadership to change internal culture and foster proactive change and radical shifts
  6. Go big with increasing enterprise capabilities, applying rigor and discipline to the internal business processes of IT
  7. Communicate success by demonstrating the value IT audit adds and speaking highly of accomplishments that are meaningful and measurable

Friday, January 15, 2016

Hyatt card breach update

If you stayed at a Hyatt between Aug 13 and Dec 8 last year, chances are your card might have been compromised, particularly if you ate at the hotel restaurants; spa, parking and other shops are included. The malware breached about 250 hotels in 50 nations: link to Hyatt's notification website
While the new chip-and-PIN cards will help in these matters, though not solve the hacking problem, the US finally joins the rest of the G20 nations in shifting liability to merchants whose equipment is not upgraded to be EMV-compliant, and to issuers not upgrading cards.  That being the case, e-commerce providers become more of a target.

Thursday, January 14, 2016

2016 Effective Breach Investigations webinar

CPE webinar by ISACA/BrightTalk:
Using the Target breach as an example, the presentation began by highlighting the timeline: realization/investigation of compromised data growing from 40 M to 70 M personal records, public apology, testifying before Congress and a 113% drop in stock value once the breach was made known.  To grasp the relative cost, a data breach, at a cost per record of $154 (and 1B records compromised in 2015), is 138 times more expensive than a nonresidential fire, which cost $26,700 per incident in 2014.  So, to effectively combat the issue, the speaker points to technical and incident process training, security awareness, the right resources in both tools and team (business and IT), and a vendor pitch for packet capture and network analysis.  Understandably, based on forensic cases, network (packet) analysis solves the majority of cases (compared to host and memory cases combined).  Of course, it is not a replacement technology or a strategy shift, but certainly a key focus.  Additionally, storage and accessibility of packets is a must, and sifting through packet logic/volume/relevance requires good tools and smart people.

Wednesday, January 13, 2016

Project Kickoff - You only get to make a first impression once

Everyone wants to be on a winning team, and the project kickoff sets that tone, since you've gotten this far in securing sponsorship and funds.  For each step, and when preparing/presenting, remember the Why, What, Where, When, Who and How (but keep it high-level and know your audience).  Review the 10 steps for a successful project kickoff and remember to set the agenda, empower others and thank everyone.

Tuesday, January 12, 2016

Breach flash – DoD to future projections

Recent: Just 2 weeks into the new year, and the Dept. of Defense should be worried about a CFB Halifax military hard drive that was breached, said to contain blueprints of navy ships, training materials and military members' personal information.  A lawyer involved in another espionage case made the discovery.  Apparently the concept of least privilege is in question, since the hard drive should never have contained that information, according to sources.
By the numbers, European data sources indicate that in the last 12 months, 90% of large companies and 74% of SMEs experienced a security breach; large companies spent $2.1MM to $4.5MM resolving breaches, double the previous year, and SMEs spent $100K-$300K, up from $93K-$170K.

Future: ITProPortal predictions:
  • Outdated software and infrastructure will pave the way for vulnerabilities and create a snowball effect on breaches
  • IoT will revolutionize how we do business, but that market advantage can/will also result in increased data compromise/cost and affect the availability of the services we become reliant on
  • Leveraging social media for the upcoming political campaign will open the doors to increased social engineering and purification of content (good and bad, true and not validated, etc.)
  • Top-level domains allow other avenues for organizational opportunities, etc., but also for attack vectors; or perhaps it will be IPv6, present but quiet
  • Cybersecurity insurance will be at the forefront and tested on both sides, from the issuer's liability as well as the consumer's level of protection
  • Conjoining of data, whether that be additional PII based on the Millennial mindset/industry trend in sharing, the mixing of business and personal information on mobile devices, cloud, etc., and the global perception (and government/political ruling) of personal data
  • Payment systems as well as currency will be challenged on availability/speed/type (bitcoin), but are also avenues for device and data exfiltration 
And for some breaking news: BlackBerry PGP email was hacked by the Netherlands Forensic Institute, which is bad news for a struggling company touting that its security is strong and its position against backdoors.  Say it isn't so...

Friday, January 8, 2016

The next revelation: Unsupported Microsoft IE versions

Recall the Y2K preparation/anticipation?  Remember the 2014 expiration of Windows XP?
Your company may have invested in necessary system changes and retention bonuses for Y2K, or paid for extended support for XP after the deadline; but perhaps the web browser is a bigger deal.  Heck, it can be the attack vector: it is relied upon the minute you browse the Internet, so exploiting it does not take unauthorized access inside the perimeter, a successful phishing/social engineering attack, or sophisticated XSS/CSRF/clickjacking targeting the application the browser communicates with.
Estimates have it that approximately 20% of browser traffic uses IE 8/9/10, yet support/patches are set to expire Tuesday.  Where did the 18 months go? That was the time Microsoft allotted for your custom applications to be reviewed, migrated, integrated, etc.  So, given the state of cybersecurity awareness and the innumerable breaches these days, it might be a good idea to upgrade to IE 11 ASAP.  Otherwise, there's #Chrome and a few other browsers
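To measure your own share of that 20%, here is an added example (not from the original post) that classifies User-Agent strings from constructed combined-format access log lines. It uses the Trident engine token as the real IE version, because IE in Compatibility View reports an older MSIE token; the sample log lines are constructed for the demonstration.

```python
"""Added example: share of requests from unsupported IE 8/9/10, derived from
constructed web server access log lines (combined log format)."""
import re
from collections import Counter

# Trident layout-engine version -> real IE major version.  IE in Compatibility
# View shows e.g. "MSIE 7.0" but keeps the Trident token of the real version.
TRIDENT_TO_IE = {"4.0": 8, "5.0": 9, "6.0": 10, "7.0": 11}
UNSUPPORTED = {8, 9, 10}   # versions whose patches end Tuesday, per the post

MSIE_RE = re.compile(r"MSIE (\d+)\.\d+")
TRIDENT_RE = re.compile(r"Trident/(\d+\.\d+)")
LOG_UA_RE = re.compile(r'"([^"]*)"\s*$')   # last quoted field = User-Agent


def ie_version(user_agent):
    """Return the real IE major version, or None if the UA is not IE."""
    m = TRIDENT_RE.search(user_agent)
    if m and m.group(1) in TRIDENT_TO_IE:
        return TRIDENT_TO_IE[m.group(1)]   # engine token wins over MSIE token
    m = MSIE_RE.search(user_agent)
    if m:
        return int(m.group(1))             # IE7 and older carry no Trident token
    return None


def user_agent_of(line):
    m = LOG_UA_RE.search(line.rstrip())
    return m.group(1) if m else ""


def unsupported_ie_share(lines):
    """Return (fraction of requests from IE 8/9/10, Counter of IE versions)."""
    versions = Counter()
    total = 0
    for line in lines:
        if not line.strip():
            continue
        total += 1
        v = ie_version(user_agent_of(line))
        if v is not None:
            versions[v] += 1
    unsupported = sum(n for v, n in versions.items() if v in UNSUPPORTED)
    return (unsupported / total if total else 0.0), versions


# Constructed sample log lines; the third one is IE10 in Compatibility View.
SAMPLE_LOG = """\
10.0.0.1 - - [08/Jan/2016:09:00:01 +0000] "GET /login HTTP/1.1" 200 1024 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
10.0.0.2 - - [08/Jan/2016:09:00:02 +0000] "GET /app HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
10.0.0.3 - - [08/Jan/2016:09:00:03 +0000] "GET /app HTTP/1.1" 200 2048 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0)"
10.0.0.4 - - [08/Jan/2016:09:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
10.0.0.5 - - [08/Jan/2016:09:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36"
"""

if __name__ == "__main__":
    share, versions = unsupported_ie_share(SAMPLE_LOG.splitlines())
    print("IE versions seen:", dict(sorted(versions.items())))
    print("Share of requests from unsupported IE 8/9/10: {:.0%}".format(share))
```

Point it at your real access log by feeding the file's lines to unsupported_ie_share().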

Thursday, January 7, 2016

Fitbit gets hacked with warranty fraud

Compromised Fitbit accounts were rendered inaccessible in December as they were used to falsely claim faulty devices in order to get replacements.  Since numerous replacement requests came from the hacked user accounts, Fitbit did not become aware of the issue until volumes of customer data were posted on Pastebin, a popular code-sharing and hacker hangout site.  Cleverly, the Fitbit accounts/credentials were used to obtain customer data from other e-commerce providers (and the actual owners were locked out, since the hackers were able to change the account email addresses).  Hence, using the same password for multiple accounts is an entry point to the other accounts (and reportedly the source may have been compromised workstations with password-stealing malware).  Fitbit device models, GPS history and other client data were said to be exposed, and the Fitbit Surge model, worth approx. $250, was the main target for fraud. The company has not released the total number of accounts compromised, but BuzzFeed News indicated at least 24 known cases.
Expect IoT and wearable devices to hit the front pages going forward in the new year, since the data kept on and/or connected to them is equally at risk...and some devices have no authentication at all, let alone strong or 2-factor.

Wednesday, January 6, 2016

Just another account – hacked at PayPal

Well-known security journalist Brian Krebs was affected by an incident on Christmas Eve when his account was hacked. An unknown/new email address was added to his primary account, even after he had changed it back (after getting an email from PayPal).  Apparently the hacker only needed the last 4 digits of his SSN and a previously used credit card.  Unfortunately, the PayPal help desk monitoring placed on Krebs's account was not able to detect the same perpetrator's email address when it was added the second time.  While no funds were lost, it's reported the hacker was attempting to send money to a terrorist organization and/or ISIS.  PayPal gave its standard reply about valuing customer data and services, etc., so we'll see what developments arise.
BTW, Tamebay.com reports PayPal processing an average of $8,773 in payments per second, double the amount back in 2011, and an estimated $20+ billion more than in 2014, for a total of $260 billion in payments in 2015.  If that's not enough, add in-store processing at about 18,000 physical stores, and money transfers of about $5 billion via acquired company Venmo.
With these volumes and the financial industry's heavy regulation, e.g. FFIEC, you would think this sector would be ahead of the cybersecurity curve.
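As an added example (not code from the original posts, PayPal or Fitbit), here are detection rules over constructed account-activity events for the two patterns described in this post and in the Fitbit post above: a contact email address re-added after the owner removed it, and a warranty replacement claim shortly after a contact email change (one new address landing on several accounts is flagged too). The event format, the 48-hour window and the address-reuse heuristic are assumptions for the example.

```python
"""Added example: account-takeover detection rules over constructed events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, account_id, event_type, detail).
# Addresses and account ids are made up for the demonstration.
SAMPLE_EVENTS = [
    ("2015-12-24T02:10:00", "krebs",   "email_added",    "attacker@example.net"),
    ("2015-12-24T09:30:00", "krebs",   "email_removed",  "attacker@example.net"),
    ("2015-12-24T11:05:00", "krebs",   "email_added",    "attacker@example.net"),
    ("2015-12-20T22:00:00", "fb-1001", "email_changed",  "drop1@example.org"),
    ("2015-12-20T22:40:00", "fb-1001", "warranty_claim", "Surge"),
    ("2015-12-21T01:15:00", "fb-1002", "email_changed",  "drop1@example.org"),
    ("2015-12-21T01:50:00", "fb-1002", "warranty_claim", "Surge"),
    ("2015-11-02T10:00:00", "fb-2001", "email_changed",  "me@example.com"),
    ("2015-12-15T10:00:00", "fb-2001", "warranty_claim", "Charge HR"),
]

# Assumed threshold: a replacement claim this soon after a contact change is
# worth a manual review before the device ships.
CLAIM_WINDOW = timedelta(hours=48)


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def detect(events):
    """Return (account_id, rule, detail) alerts in chronological order."""
    alerts = []
    removed = defaultdict(set)     # account -> addresses the owner removed
    last_change = {}               # account -> time of latest email change
    accounts_by_addr = defaultdict(set)   # new address -> accounts using it
    for ts, acct, kind, detail in sorted(events, key=lambda e: parse_ts(e[0])):
        t = parse_ts(ts)
        addr = detail.lower()
        if kind == "email_removed":
            removed[acct].add(addr)
        elif kind == "email_added":
            # Rule 1 (PayPal case): an address the owner removed comes back.
            if addr in removed[acct]:
                alerts.append((acct, "readded_removed_email", detail))
        elif kind == "email_changed":
            last_change[acct] = t
            accounts_by_addr[addr].add(acct)
            # Rule 3 (assumed heuristic): one new address on several accounts.
            if len(accounts_by_addr[addr]) == 2:
                alerts.append((acct, "address_reused_across_accounts", detail))
        elif kind == "warranty_claim":
            # Rule 2 (Fitbit case): claim shortly after the contact email changed,
            # i.e. the notification would go to the new address, not the owner.
            if acct in last_change and t - last_change[acct] <= CLAIM_WINDOW:
                alerts.append((acct, "claim_after_email_change", detail))
    return alerts


if __name__ == "__main__":
    for acct, rule, detail in detect(SAMPLE_EVENTS):
        print("ALERT {:<8} {:<32} {}".format(acct, rule, detail))
```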

Tuesday, January 5, 2016

Malware on power grid results in Ukraine blackout

If confirmed, the latest major security breach and first energy infrastructure cyberattack occurred just before Christmas, on the 23rd.  Three power authorities in Ukraine suffered blackouts affecting hundreds of homes in the Ivano-Frankivsk region when apparent malware infected the power grid and disconnected electrical substations.  The malicious code, related to the BlackEnergy malware family identified as far back as 2007, along with a KillDisk component delivered by backdoor, has been evolving through 2015 (targeting Ukrainian news media and the electrical power industry).  Apparently this variant may have been tied to the Microsoft Office embedded macro function. Speculation also points to Russian-sponsored hackers being involved, perhaps due to a prior Kaspersky report/research in 2014, or a physical outage that occurred in Russia in 2014 for which Ukraine was blamed.  That said, cybersecurity is as much a priority for the energy industry as it is for governments and corporate/private sector data, which may define 2016.
Article source: forbes.com for the incident recap and securelist.com for BlackEnergy specs.

GII principles flashback with today's IT/IA Governance

The era of electronic communication and technology convergence is the Global Information Infrastructure (GII), which is aimed at risks in compliance, compatibility and security. It extends beyond national boundaries and revolves around the storage, transmission and interoperability of sensitive data over the Internet.  Internal Audit offers a keen perspective in navigating and correlating key systems to the enterprise as a whole.  The relationship between IT and Internal Audit is essential, since IT impacts operations and organizational investments that affect the bottom line. Yes, technology changes rapidly, so routine audits of IT standards, processes and governance should afford senior leadership decision-making capabilities (and a competitive edge).  However, what should not be overlooked is the human element in both the design/implementation of the infrastructure and the auditor's capabilities/methods.
The IT governance program should target the following areas: infrastructure, operating systems, applications/software and related security components, as well as process automation for each of these components. The Internet is highly dependent on the overall IT infrastructure to deliver information, communication and products/services, which can have a vast number of rapidly changing threat vectors (and vulnerabilities).
Recall the 5 fundamental principles of the GII by the National Telecommunications & Information Administration, US Dept. of Commerce:
- Encouraging Private Investment – with suitable standards, regulation and reforms
- Promoting Competition – global governments working constructively
- Providing Open Access – improved access and support for services and broad participation
- Creating a Flexible Regulatory Environment – optimal regulation, innovation and transparency
- Ensuring Universal Service – multilateral information exchange
We'll check on progress for 2015 and the to-be 2016 after Q1...