A new technical report has been proposed to provide guidance on audits that assess whether an organization’s governance of IT is aligned with the principles for governance of IT in ISO/IEC 38500. It is meant to be used in conjunction with the guidance in ISO/IEC 38500, ISO/IEC TR 38502 and ISO/IEC 19011:2011 (Guidelines for auditing management systems).
BSI is seeking public comments on this new TR: http://standardsproposals.bsigroup.com/Home/Proposal/3684
“The primary audience for the technical report is auditors undertaking audit assessment of an organization’s governance of IT. The outcomes of such assessments will inform members of governing bodies who are responsible for the governance of IT and are accountable for the effective, efficient and acceptable use of IT within the organization; and those responsible for defining and implementing the governance framework for IT.”
IT auditors have a responsibility to help the board oversee a complex IT environment. A governance framework that defines the organisation structure, roles, responsibilities and accountability is therefore important.
As 2015 approaches, it is time for new year resolutions and wishes. For the security industry, we are busy preparing for another eventful year!
When preparing budgets and project portfolios, it may be useful to look at predictions from leading security vendors. Cyber security is an intelligence game. Can the Websense, Sophos, FireEye and TrendMicro predictions help us? I will write another post with my thoughts.
Legend: orange cells are directly related to smartphones; red words are related to payment systems.
2015 Cyber Security Predictions
- Healthcare will see a substantial increase of data stealing attack campaigns
- Exploit mitigations reduce the number of useful vulnerabilities
- Mobile and Web-based viruses remain a scourge, and hardly a week goes by without hearing of another data breach or a new malware.
- More cybercriminals will turn to darknets to share attack tools, stage attacks, and market stolen goods.
- Attacks on the Internet of Things will focus on business use cases, not consumer products
- Internet of Things attacks move from proof-of-concept to mainstream risks
- Mobile ransomware will surge in popularity. Cryptolocker attained a measure of success this year, and so attention is expected to further turn to mobile in order for attackers to gain access to your phone and contacts.
- There will be bolder hacking attempts as cyber activity increases.
- Credit card thieves will morph into
- Encryption becomes standard, but not everyone is happy about it
- Point-of-sale (PoS) attacks will also become a more popular method of stealing data and money, and PoS attacks will strike a broader group of victims with increasing frequency.
- An exploit kit that specifically targets Android users will surface.
- Authentication consolidation on the phone will trigger data-specific exploits, but not for stealing data on the phone
- More major flaws in widely-used software that had escaped notice by the security industry over the past 15 years
- As retailers strengthen their defenses and more criminals get into the game, cyberattacks will spread to “middle layer” targets including payment processors and PoS management firms.
- Targeted attacks will become a norm.
- New vulnerabilities will emerge from decades old source code
- Regulatory landscape forces greater disclosure and liability, particularly
- Attacks on the enterprise supply chain will surge, as less mature or financially able companies become weak links in an ecosystem where only top firms can bolster their defenses to acceptable standards.
- Bugs in open source apps will continue to be exploited.
- Email threats will take on a new level of sophistication and evasiveness
- Attackers increase focus on mobile payment systems, but stick more to traditional payment fraud for a while
- Lack of adequate response could result in a major brand going out of business
- New mobile payment methods will introduce new threats.
- As companies increase access to cloud and social media tools, command and control instructions will increasingly be hosted on
- Global skills gap continues to increase, with incident response and education a key focus
- With such risks in the corporate realm, cyber insurance as an industry is expected to grow.
- We won’t see head-on IoE/IoT device attacks, but the data they process will tell another story.
- There will be new (or newly revealed) players on the global cyber espionage/cyber war battlefield
- Attack services and exploit kits arise for mobile (and other) platforms
- More severe online banking and other financially motivated threats will surface.
- The gap between ICS/SCADA and real world security only grows bigger
- Interesting rootkit and bot capabilities may turn up new attack vectors
As an IT security guy, I used to read news of cyberattacks and data breaches, trying to learn from others’ missteps. However, in the past few months it has become impossible to keep up with those stories! There is a cyber security information explosion in the mass media. Bloggers, journalists, lawyers, bankers and even comedians have started to comment on cyber security.
Just thinking: we may need a course to teach people how to (and how not to) write about cyber attacks. Relying purely on the fear factor is not helping.
Sharing infrastructure means many things; this time the China GFW case taught us about sharing reputations: a block aimed at one customer of a shared CDN lands on everyone served from the same infrastructure.
Verizon EdgeCast Blog: “CDNs and networks are being filtered or blocked by the Great Firewall of China.”
I really don’t like the opening story of this article, but it is one of the most interesting stories of how software becomes part of our lives and memories. Our love-hate relationship with passwords will never end. Even in the Sci-Fi world, a Star Trek captain still needs a code to activate the auto-destruct system!
Read the story about a mother who discovered her son was gay when she researched his password (“Lambda1969”) after he committed suicide. A password may serve as a will: something the son believed people would definitely find out after his death.
NYTimes: The Secret Life of Passwords
“Virtually all the people who revealed their passwords to me said they planned to stop using them. And yet they divulged them all the same.”
In one article, we see NetApp, Red Hat and AWS together. Cloud computing now enables the mix and match of technologies.
NTU subscribed to Amazon Web Services (AWS) to cope with unexpected demands
Reading a law professor’s letter to the NYTimes, I noticed a line of thought that has encroached on our society: that truth, fairness and objectivity are within reach with data analytics. The author, arguing against using data scores to calculate sentences, said
“Data-driven predictions grounded in legitimate factors might be about as accurate as current profiling schemes. There is no persuasive evidence that the current troubling variables add much predictive value, once criminal conduct is already taken into account. But even if they do improve accuracy, this gain doesn’t justify sacrificing fairness.”
In turn, she tried to weigh traditional and data-driven methods where justice and fairness are concerned. The underlying tone is that there is a correct sentence and judges should pursue it whenever possible.
The human hunt for fairness and objectivity has gone astray. A correct sentence does not exist, no matter how hard we try or how smart our algorithms become. Using data-driven decision-making tools should not let us play God’s (or the Gods’) role.
If we accept that data is not truth and we are not God, then the seemingly unfair situation “that people should be imprisoned longer because they are poor” is a fallacy. One way or the other, judges make decisions based on some reference point, be it a visit to Disneyland or to prison, be it the risk score of the convicted. There is no faultless human decision.