IT Risks are Business Risks

Information Technology has pervaded business so expensively that IT risk is now equated with Business Risks. IT Risks are Business Risks.

The realization of this fact can be seen in the increasing interest shown by Boards of Directors, Audit Committees and Senior management in IT Risk issues. At one time not very long ago, this was unheard of, with IT being viewed as the prerogative of the 'techies".

Ernst and Young has prepared a section of their website to explore the relationship between IT Risk and Business Risk. That site explores the topic under four headings:

• How business risks overlap IT risks
• The IT megatrends
• Managing IT risks
• Taking action on IT risks

Major IT trends affecting business risk include the continuing increase in cybercrime, the move to mobility, data leakage and the potential for harming business reputation, tighter IT related regulatory requirements, the spread of social media and the growth of cloud computing, among others. All of these trends pose significant IT risks, but they are so pervasive that the IT Risks they pose are also business risks. This is a site worth some careful study

Social Networking Threats to Security

Facebook was found to be the greatest threat to security in a recent survey of 2000 computer users by Sophos. Of the 2000, 71% had been spammed, 46% had been phished and 45% had received malware. The numbers are not surprising. If anything they seem low. I've been phished and spammed daily and have received malware within the past few months. Here's a summary.

The Malware Race and Honeypots

Google just released a report on malware that follows by a week another report by NSS Labs, an independent security testing organization. NSS had given Explorer 9 high marks for stopping socially engineered malware. this is malware that entices a user to download it in the mistaken belief that it is a security software update, or something similar.

Google agreed that Explorer is effective in detecting such software but did point out that it comprises only 2% of the malware out there. One might counter that it's growing, though.

A value in the report is an assessment of several of the conventional defences against the more common types of malware.  They said that a much more common form of malware is that of drive-by malware, which exploits known vulnerabilities in browsers to surreptitiously download malware when the browser passes by.

Conventional defences are various forms of honeypot, which are digital lures away from the real system. These are widely used but Google says not effective in themselves. They say that a combination of defences is the most effective.

For an interesting writeup on these reports, click this reference.

How to Detect System Intrusions 

The numbers and scope of system intrusions continues to grow, which means that enterprises are taking some steps to address them. However, the nature and, more importantly, the effectiveness of such steps varies considerably. One of the man steps to take is to have good control systems in the first place. Any auditor knows that this is a challenge for many enterprises. And then there are specific steps for intrusion detention. These come in different flavours, from monitoring to content scanning to sophisticated detection software.

The protection of data is a tremendously important area for most enterprises, and it is a good idea to do everything feasible to protect it. A recent article in E-Commerce News explains a number of good ideas for approaching this issue. Here's the reference.

 

Selection of Cloud A Provider

There are a great many considerations when selecting a provider of cloud services. Security is certainly one of them. An important one.

One recent article in a cloud selection series points out two important elements to security that are particular important when evaluating cloud providers. One, perhaps predictably, is their encryption policies. Of course, encryption is important. But it's not enough just to see that they have encryption. It needs to be looked at closely. What kind of encryption? How is it applied? And when? The whole question is whether they data are protected in storage, in transit -  at all times.

The other major security (control) consideration is availability. If critical functional data are stored in a cloud, chances are they need to be available at a moments notice 24/7. Outages at the cloud level just are not acceptable.

There are other considerations that the article doesn't mention, like how good are the security processes, including authorizations for various actions affecting the data, as well as access by cloud personnel. Have outside auditors reported on those processes and are the reports available? An of course, are they reasonably problem free?

It's an important area, and one with increasing importance for many businesses.

O-ACEML for Better Security Compliance

Languages based on XML (Extensible Markup Language) that can cut across different information systems platforms are nothing new. We already have XBRL, EBXML, and a variety of others. XBRL has become a global standard for financial and business reporting.

Auditors, however, are still hampered by the existence of different platforms within a single overall system. Each platform typically has different ways to configure security, from password management to object access to user control and maintenance. That makes it difficult to apply corporate security policies, monitor compliance and identify issues.

It seems natural that XML might come to the rescue. Recently the Open Group and others released a specification, available on The Open Group website, that outlines O-ACEML (Open Automated Compliance Expert Markup Language).

The new standard is attracting some interest among auditors. It promises the ability to write security rules for corporate adoption in O-ACEML that could be interpreted by O-ACEML - aware systems and then translated into the protocol used by those individual platforms. So the same rule could be applied in any number of platforms within an overall information system. Clearly this would be valuable in promoting compliance with security policies.

Moreover, compliance can be monitored with those same rules, with output from individual platforms translated into O-ACEML and then transported back to the auditors for analysis.

These policy application processes and monitoring activities are a problem now. O-ACEML can make it all work.

Here's a discussion on the subject that's worth reading.

Auditing Embedded Controls

Controls embedded in applications present particular issues to auditors. Even their detection can require some technology experience. Understanding and auditing them even more. Also, they may be in the system but not used by important business processes. Or the risks they cover may be compensated by manual controls.

Providing assurance on such controls requires IT Assurance expertise as well as a thorough understanding of the related business processes. Therefore such work is often carried out on a collaborative basis.

This is one of the messages in an article on Deloitte's Information and Controls Assurance Website. It's a relatively new site of Deloitte Global Services with useful information for assurance providers and others with an interest in or responsibility for controls. Check it out here.

Operation Shady Rat Revealed

In a striking example of the kind of security threats faced by enterprises these days, McAfee has released a report that shows some 72 enterprises having been attacked in a vast "snoop" operation. Several Canadian Government departments were among those hacked and there were 48 break-ins in the US. It takes an extremely large and effective organization to carry off attacks like this and there are allegations of state support for the attacks - as yet unproven. For one good summary of this situation, check out this article.

The Blackhat Security Conference

In Las Vegas, the annual Blackhat conference is underway. There is a variety of workshops and other sessions on the agenda, which can be found at the Blackhat Site.

Adequacy of Security - A New Debate; An Old Issue

The success of recent large scale hacking attacks has fostered a new debate that has been taking place in the world of IT Security Specialists. On one side, we have those who believe that the tools traditionally used for intrusion prevention and detection are no longer up to the task. Some security companies have been trying to address this situation; this perceived need for stronger products.

"One new solution to the problem of securing the IT infrastructure is the PoliWall network security appliance from TechGuard Security." Another is Damballa - a system that promises early detection of threats weeks before their occurence.

On the other hand, some experts say that very effective systems have been in place for years. The problem is that they have been poorly implemented. In some cases, the risk assessments were simply proven wrong, providing an optimistic take on the risk. In other cases, companies have not been willing to endure the inconvenience that sometimes follows from the implementation of a tight security system. One expert likens it to removing the batteries from a smoke detection system because the occasional beeps annoy you.

There seems little doubt that in many cases, good security principles have not been followed. this has always been true because IT security traditionally has not received the degree of attention that it warrants, taking second place to IT strategies that will help to produce revenue and traditional security techniques that can be more readily understood by business executives.

E-Commerce Times has published a two part series on this issue, which is worth a read.