According to Darkreading’s blog post (https://www.darkreading.com), we have witnessed a staggering 143% increase in ransomware attacks between Q1 2022 and Q1 2023, signaling a formidable shift in the global cybersecurity landscape.
A high percentage of these attacks have evolved beyond the traditional playbook of encrypting victims’ data and demanding payment for its release. Instead, threat actors are now focusing on stealing sensitive information and extorting victims through threats of selling or leaking this data to others. It seems easier to conduct an extortion scheme from data exfiltrated from a cloud environment as opposed to just encrypting the data due to the increase in the adoption of redundancies provided by availability zones and cheap cloud storage services.
Consider this scenario: a threat actor obtains detailed documentation of research that cost your company $50 million. They threaten to leak this information to a competitor in another country where labor costs are significantly lower. This would hand your competitor an unfair advantage, allowing them to fast-track product development and beat you to market.
What course of action is available to you under these circumstances?
Legal recourse might not be the best option. Jurisdictional issues could prevent a fair trial, potentially leaving you with an unpalatable choice: pay the ransom or risk even greater losses.
Eliad Kimhy, head of Akamai Security Research’s CORE team, highlights an alarming trend: “The in-house development of zero-day vulnerabilities is particularly concerning.”
An analysis of these attacks reveals a common thread: the use of phishing tactics. While we may not have control over the zero-day vulnerabilities exploited by attackers, we do have control over our response to phishing attempts.
Our focus should be on controlling what we can in our attempt to prevent and mitigate the risk of being victims of such attacks. For example, reducing susceptibility to phishing is a critical step in mitigating the risk of ransomware attacks. By taking action in the appropriate direction, we can keep our organizations safer in the face of this evolving threat.
I used to think all apples were the same until I went into the grocery store one day and met a lovely attendant who told me the right apple brand to buy. I tried a couple of the apples they had in the store and I could tell the difference in their taste. I got to learn that some apples are only good raw, some others are better for cooking, and some types are good for just about anything. It was a surprise to me to learn that almost half the apples grown in the United States end up as applesauce, jellies, juice, and other apple products.
Enough about apples for now; can we say all scoping engagements are the same?
Scoping in most audit engagements is centered on determining what is important to the audit engagement. If you have all the time in the world and also possess all the resources, then everything is important and must be covered in the audit engagement, but this is not always the case. We often adopt a risk-based approach to deciding what should be included in an audit engagement at a point in time or over a period of time. This method saves time and helps us tailor our resources appropriately during the audit engagement. In PCI-DSS assessments, it is not so: whatever is important to the cardholder data environment (CDE) must be in scope, and what is in scope must be assessed and documented. In the context of PCI DSS, scoping refers to the process of identifying and documenting the boundaries of the CDE. I would like to share what I think is important when it comes to PCI-DSS scoping within a cloud environment.
Properly scoping a cloud environment is important in PCI DSS (Payment Card Industry Data Security Standard) because it helps us to ensure that only authorized personnel have access to sensitive cardholder data. Another main benefit of proper scoping in the cloud environment is to ensure that we prevent unauthorized access to this data by third parties such as service providers, especially because some service providers might not have effective controls to help secure your company’s data and it is also possible for these service providers to experience breaches or have some insider threat that could access your data.
There are several specific requirements in the PCI DSS standard that relate to scoping and segmentation of the CDE. For example, requirement 1.3.6 mandates that the CDE be placed in an internal network zone that is physically or logically separated from the DMZ and the rest of the untrusted network. Also, according to Appendix A1.1.1, logical separation with regard to service providers should be implemented as follows:
▪ The provider cannot access its customers’ environments without authorization.
▪ Customers cannot access the provider’s environment without authorization.
In a cloud environment, account segmentation refers to the practice of dividing a cloud account into smaller, isolated units called “segments.” This is often done to improve security, control access to resources, and manage costs.
Here are some of the ways to implement account segmentation in a cloud environment so as to meet PCI-DSS requirements:
Use multiple accounts: Each segment is created as a separate cloud account, with its own set of resources and permissions. This is a good option if you need to completely isolate segments from one another.
Use resource groups: You can use resource groups to organize resources within a single account. This allows you to apply permissions and policies at a more granular level, without creating multiple accounts.
Use network segmentation: You can use network segmentation techniques such as virtual private clouds (VPCs), subnets, and security groups to isolate segments from one another.
Use identity and access management (IAM): You can use IAM to control access to resources within a single account. This allows you to grant permissions to users, groups, and applications based on their needs.
Overall, account segmentation can help you improve the security and control of your cloud environment, but you will need segmentation penetration testing to determine whether the segmentation approach you adopted is effective. According to requirement 11.4.5, if segmentation is used, it must be verified periodically by technical testing to be continually effective, including after any changes, in isolating the CDE from all out-of-scope systems. Your Qualified Security Assessor (QSA) will have to assess whether your segmentation approach is adequate. The QSA will also decide whether your scoping covers all the assets that should be reported in your CDE.
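As an added illustration (not code from the original post), the following Python script performs a static review of the kind of segmentation listed above: it maps each allow rule onto a subnet inventory tagged with its PCI scope and flags any rule that lets an out-of-scope network reach the CDE, or the CDE reach an out-of-scope network. The subnet names, rule names and address ranges are constructed; a review like this complements, and does not replace, the technical testing that requirement 11.4.5 calls for.

```python
"""
Static review of cloud network segmentation against PCI DSS scope.

Hypothetical, constructed data: SUBNETS imitates a tagged subnet inventory and
RULES imitates an export of security-group / network-ACL allow rules. None of
the names or address ranges come from a real environment.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Subnet:
    name: str
    cidr: str
    scope: str  # "cde", "connected" (in scope, touches the CDE) or "out-of-scope"


@dataclass(frozen=True)
class Rule:
    """Allow rule: traffic from src_cidr to dst_cidr on a TCP port ('*' = any)."""
    name: str
    src_cidr: str
    dst_cidr: str
    port: str


SUBNETS = [
    Subnet("cde-db", "10.10.1.0/24", "cde"),
    Subnet("cde-app", "10.10.2.0/24", "cde"),
    Subnet("corp-office", "10.20.0.0/16", "out-of-scope"),
    Subnet("mgmt-jump", "10.30.1.0/24", "connected"),
]

RULES = [
    Rule("app-to-db", "10.10.2.0/24", "10.10.1.0/24", "5432"),        # CDE to CDE: fine
    Rule("jump-to-cde-ssh", "10.30.1.0/24", "10.10.0.0/16", "22"),    # connected system: fine
    Rule("office-rdp-to-db", "10.20.5.0/24", "10.10.1.0/24", "3389"), # out-of-scope into CDE
    Rule("db-egress-any", "10.10.1.0/24", "0.0.0.0/0", "*"),          # CDE out to anywhere
]


def subnets_matching(cidr: str, subnets) -> list:
    """Inventory subnets whose address range overlaps the rule's CIDR."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [s for s in subnets if net.overlaps(ipaddress.ip_network(s.cidr))]


def find_segmentation_gaps(subnets, rules) -> list:
    """Return (rule name, direction) for every rule that breaks CDE isolation.

    A source or destination that matches no inventoried subnet is treated as
    out of scope: an unknown network is exactly what a scoping exercise must
    not silently trust.
    """
    gaps = []
    for rule in rules:
        src_scopes = {s.scope for s in subnets_matching(rule.src_cidr, subnets)} or {"out-of-scope"}
        dst_scopes = {s.scope for s in subnets_matching(rule.dst_cidr, subnets)} or {"out-of-scope"}
        if "cde" in dst_scopes and "out-of-scope" in src_scopes:
            gaps.append((rule.name, "inbound-to-cde"))
        if "cde" in src_scopes and "out-of-scope" in dst_scopes:
            gaps.append((rule.name, "outbound-from-cde"))
    return gaps


def in_scope_subnets(subnets) -> list:
    """Subnets that must appear in the scoping document: the CDE plus anything connected to it."""
    return [s.name for s in subnets if s.scope in ("cde", "connected")]


if __name__ == "__main__":
    for name, direction in find_segmentation_gaps(SUBNETS, RULES):
        print(f"GAP: rule {name} ({direction})")
    print("In scope:", ", ".join(in_scope_subnets(SUBNETS)))
```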
Proper scoping and segmentation of the CDE are important because they help ensure that only those systems and networks that need access to cardholder data have access to it and that all other systems and networks are restricted from accessing this data. This helps reduce the risk of data breaches and other security incidents involving cardholder data.
While it is fair to say that each apple is different and unique, with a specific purpose, we can also rightly say that scoping in a regular audit is different from scoping in a PCI-DSS assessment. I would love to write more on scoping at a later date and describe how to actually perform scoping for a PCI-DSS assessment.
Have you ever gate-crashed a wedding? I once did. It was back in college, I think it was my freshman year. I was hungry and wanted to find something to eat. I was walking down the street and there was this group of well-dressed people entering an event center that was close to my residential hall. I just had this idea that I could get a free lunch so I followed them. The music was loud and there was a lot of dancing so I joined in the dance. I got the lunch pack and a very nice drink and immediately found my way out of the center. I had no idea who got married and was so happy I didn’t accidentally run into my Mom or a known relative at the wedding; I would have been in some form of trouble.
How in the world was I able to gate-crash that wedding? I think of one main reason: there was no one at the door checking the guests to see if they were allowed into the venue, and I think they did not really care about it. It was good that I was just a hungry college student. This is what a lack of input validation can do to critical systems and data in your organization.
My colleagues and I usually talk about XML attacks and other kinds of injections but I had never heard about XSLT injections. I decided to learn more and these are some of my findings.
XSLT (Extensible Stylesheet Language Transformations) is a language used for transforming XML documents into other formats, such as HTML or XML with different formatting. It is commonly used for presenting XML data on the web, as it allows developers to control how data is displayed by creating templates that define the structure and layout of the output.
However, XSLT can also be vulnerable to injection attacks if an attacker is able to inject malicious XSLT code into an application that processes XSLT. This can allow the attacker to execute arbitrary code on the server or manipulate the data being transformed in undesirable ways.
To prevent XSLT injection attacks, it is important to properly sanitize any user input that is used in an XSLT transformation. This can be done by ensuring that input is properly validated and escaped to prevent malicious code from being executed. It is also a good idea to limit the functionality of the XSLT transformation to only what is necessary for the application, as this can reduce the potential attack surface.
Overall, XSLT is a powerful tool for transforming and presenting XML data, but it is important to be aware of the potential for injection attacks and take steps to prevent them.
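To make the injection concrete, here is an added Python example (not from the original post or from the blog it references) that builds an XSLT stylesheet from a user-supplied customer name the unsafe way, then with escaping, and finally with the value passed as an XSLT parameter; a small parser counts XSLT instructions so the difference is measurable without running an XSLT engine. The stylesheet, the customer names and the allow-list pattern are constructed.

```python
"""
XSLT injection: a stylesheet assembled from user input, next to two fixes.

Added illustration, standard library only; no XSLT engine is run here. The
stylesheet text, the "user input" and the allow-list are constructed.
"""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

XSL_NS = "http://www.w3.org/1999/XSL/Transform"

# Vulnerable pattern: the customer name is spliced into the stylesheet text.
INLINE_TEMPLATE = """<xsl:stylesheet version="1.0" xmlns:xsl="{ns}">
  <xsl:template match="/">
    <html><body>
      <h1>Orders for {customer}</h1>
      <xsl:apply-templates select="/orders/order"/>
    </body></html>
  </xsl:template>
  <xsl:template match="order">
    <p><xsl:value-of select="@id"/></p>
  </xsl:template>
</xsl:stylesheet>"""

# Preferred pattern: the stylesheet is a constant and declares a parameter.
PARAM_TEMPLATE = """<xsl:stylesheet version="1.0" xmlns:xsl="{ns}">
  <xsl:param name="customer"/>
  <xsl:template match="/">
    <html><body>
      <h1>Orders for <xsl:value-of select="$customer"/></h1>
      <xsl:apply-templates select="/orders/order"/>
    </body></html>
  </xsl:template>
  <xsl:template match="order">
    <p><xsl:value-of select="@id"/></p>
  </xsl:template>
</xsl:stylesheet>"""


def build_stylesheet_unsafe(customer: str) -> str:
    """Raw interpolation: any '<xsl:...>' in the input becomes an instruction."""
    return INLINE_TEMPLATE.format(ns=XSL_NS, customer=customer)


def build_stylesheet_escaped(customer: str) -> str:
    """Fix 1: escape '&', '<' and '>' so the input can only ever be text."""
    return INLINE_TEMPLATE.format(ns=XSL_NS, customer=escape(customer))


def transform_inputs(customer: str):
    """Fix 2: return (stylesheet, params). The value never enters the stylesheet;
    the caller hands it to the engine's parameter API (for example lxml's
    XSLT.strparam, or Transformer.setParameter in javax.xml.transform)."""
    return PARAM_TEMPLATE.format(ns=XSL_NS), {"customer": customer}


def is_valid_customer(customer: str) -> bool:
    """Defence in depth: allow-list the characters a customer name may contain."""
    return re.fullmatch(r"[A-Za-z0-9 .,&'-]{1,64}", customer) is not None


def xsl_instruction_count(stylesheet: str) -> int:
    """Count elements in the XSLT namespace; any change from the template's
    baseline means the input was interpreted as XSLT rather than as text."""
    root = ET.fromstring(stylesheet)
    return sum(1 for el in root.iter() if el.tag.startswith("{" + XSL_NS + "}"))


if __name__ == "__main__":
    hostile = "ACME<xsl:value-of select=\"'injected'\"/>"   # constructed input
    print("unsafe  :", xsl_instruction_count(build_stylesheet_unsafe(hostile)))
    print("escaped :", xsl_instruction_count(build_stylesheet_escaped(hostile)))
    print("param   :", xsl_instruction_count(transform_inputs(hostile)[0]))
```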
It’s not as easy to gate-crash weddings as it was some years ago, but I hope this post sensitizes you and your programmers to pay more attention to enforcing proper input validation in your application development. Your auditors and assessors should also be looking out for injection flaws and might perform a risk assessment to decide whether they need to add XSLT injection to their list of possible attacks.
For more details on possible attacks related to XSLT injections, please check out Shivam Bathla’s blog post at pentesteracademy.com/
The CEO says, “We don’t have time to listen to the weather news; there is too much to do.”
His personal assistant replies, “A snowstorm might keep our employees from showing up at work and that would cost us more.”
Has this ever happened to you? You forgot to check the weather forecast before driving into a snowstorm or a rainstorm. You promise yourself that would never happen again but it does. It has happened to me a couple of times but one particular experience taught me a lesson.
I drove my wife to a client’s location in Saltsburg, Pennsylvania for a three-week audit. It was getting dark but I knew I would be able to make it back to Morgantown, West Virginia before midnight.
The problem was I took a back road and then it started snowing. The snow got heavy and then turned into icy rain. I had not checked the weather forecast, which would have warned me about the expected severe weather. My car started skidding and I somehow got stuck in a secluded area on black ice. I got out of the car but could hardly walk on the ice. I was stuck for what felt like hours but it was really just a few minutes. I sat there not knowing what to do until a policeman came by and offered me some assistance.
This experience taught me the value of listening to the weather news and, by analogy, the value of threat intelligence to the success of an organization’s effort in achieving its goals and objectives.
The weather might not cost your organization as much as a cyber threat would do and that’s why we need security intelligence.
Security Intelligence can be defined as the process through which data that is generated in the ongoing use of information systems is collected, processed, analyzed, and disseminated to provide insights into the security status of those systems.
The systems used to store, process, and secure your critical data usually generate some form of data which, according to best practice, is logged and correlated for insightful decision-making. This form of intelligence is focused on your immediate business environment.
Cyber Threat Intelligence, on the other hand, is the process of investigating, collecting, analyzing, and disseminating information about emerging threats and threat sources to provide data about the external threat landscape.
Just as I was limited by the information I had when I drove out into the snowstorm, organizations are often limited by the information they have. Looking for information from inside and outside sources is vital to the survival of any organization and the achievement of its goals.
One of the PCI DSS requirements mandates that organizations that store or process credit card information must look outside the organization for intelligence sources to assist with their vulnerability management.
PCI-DSS Requirement 6.1: “Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities.”
Organizations use cyber intelligence to predict and adapt to the behaviors of malicious actors, whether they are criminal groups, activists, or even nation-state actors.
The forms of this information include:
Information about the malware and adversary uses of known command and control nodes as well as specific TTP (tactics, techniques, and procedures) used by these attackers.
Using Cyber intelligence information along with risk assessments, organizations can fine-tune and tailor their defenses against the threats that are specific to their environment more effectively and cost-efficiently.
This information could come from different sources:
1. OSINT, or open source intelligence: This includes data that is available to use without a subscription, which may include threat feeds similar to those of commercial providers, and may contain reputation lists and malware signature databases. Examples are listed below:
▪ US-CERT
▪ UK’s NCSC
▪ AT&T Security (OTX)
▪ MISP
▪ VirusTotal
▪ Spamhaus
▪ SANS ISC Suspicious Domains
2. Proprietary: Proprietary threat intelligence is very widely provided as a commercial service offering, where access to updates and research is subject to a subscription fee.
The properties of this information include:
Timeliness: Property of an intelligence source that ensures it is up-to-date
Relevancy: Property of an intelligence source that ensures it matches the use cases intended for it.
Accuracy: Property of an intelligence source that ensures it produces effective results.
Confidence Levels: Property of an intelligence source that ensures it produces qualified statements about reliability.
In case you are interested, it will snow all day tomorrow, at least where I live. That might not be as important to you as having timely, relevant security intelligence to protect your critical assets.
He greeted me with lots of enthusiasm while he opened the door of the office for me to come in. I hardly noticed him and did not even respond to his greetings. I knew I had a busy day ahead of me and who really cares about a janitor anyway? I was so focused on the report I got about a leak of some confidential data in our organization. The thoughts in my head were like this:
“We need a new Data loss prevention (DLP) system and that would cost us so much. How will I convince senior management that the expense is justifiable?”
“This is definitely an insider attack, possibly sponsored by one of our competitors in the Pharma industry. I can definitely think of a few names; but how in the world can we prove anything?”
“I am sure it’s someone from R& D that has been orchestrating the data exfiltration using steganography, instant messaging, or some other covert channel. We must search attached files in all emails sent out from the R&D department, but that would take so much time and resources which we cannot accommodate in this year’s budget.”
These were some of the thoughts floating in my mind as I walked past the janitor. Who would blame me for not paying any attention to him with all that I had going on? How is a janitor important to our organization with all that we have to deal with? Maybe taking out some trash would reduce the smell from the basement, but who goes to the company’s basement anyway?
Who is the janitor?
Harry, the janitor, had worked for our company for about 5 years and this guy knew everyone in the R&D department by name. He held the door for them (he had physical access to the room where systems with critical data were located).
He sometimes got them coffee, and when the R&D team left on lunch break, he was there in their offices cleaning up (he had physical access to the systems).
Harry was more powerful and influential in our company than I thought.
There was a denial of service attack against one of our major databases, so the incident response team, working with an external security subject matter expert, chose to review the logs and the CCTV camera footage. They saw Harry going through the trash in the R&D department, taking pictures of documents and keeping some papers in his pockets as he was throwing out the trash.
We had never paid much attention to the dangers of dumpster diving or shoulder surfing in our organization.
It turned out that the janitor whom I did not respect or think much about had cost our company thousands of dollars.
We had to pay for an external penetration test which cost about $70,000. The report from the test revealed gaps in our access controls for critical systems and the recommendations cost us an additional $120,000 to implement.
You should pay more attention to your janitors; you don’t know which one would be another Harry.
The pandemic kept a lot of people at home. Working from home and pretending to be working out at home. Spending so much time sitting at my home office made me decide to bring some exercise into my work schedule. I brought my exercise bike from the basement thinking that would help but I discovered that the only time I noticed the bike was there was maybe after the day was over. I then had this genius idea to purchase a foldable treadmill. We have a treadmill already, but it was down in the basement and maybe I use it three times a year, but the idea of the foldable treadmill was so fascinating, and I believed there was no way that would not work for me.
I was so excited looking on Amazon and other websites but then I thought about the Facebook marketplace. I wanted to buy the treadmill, but I did not want to spend more on it than I had to; we already have an expensive one that I rarely use anyway. It was then I found a seller that looked attractive to me. The price was $30, which looked too good to be true, but I was drawn by the price. It was a company here in the US so I assumed it was legit. Just to make sure it was a real company, I went to their website and made the purchase instead of buying it through the Facebook App. I wanted to buy two but thank God my wife persuaded me to buy one and wait to see how effective it was before ordering a second one.
I waited for almost two months, but my treadmill was not delivered. I contacted the seller only to be told my package had already been delivered to me, I was even given a tracking number which was for USPS. From the tracking, I discovered I had been shipped a waist pouch instead of a treadmill. I contacted the seller with an assumption that it was a mistake, but the seller insisted my package had been delivered to me and should be in my mailbox. How in the world can a treadmill be delivered into a mailbox? I reported the issue to PayPal but later found out that a lot of PayPal customers had similar experiences with this same company. PayPal investigated the transaction but could not offer a refund, which makes sense since a package was actually delivered, just not the product I ordered.
While most social engineering schemes utilize email as their attack vector, this scheme adopted a social media platform (Facebook Marketplace). The factors that make social engineering effective include elements like trust, urgency, familiarity, authority, consensus, and intimidation. This particular scheme exploited trust, since most people, including myself, trust the Facebook marketplace based on its past reputation.
It seems a little hard, but it might be possible to prove there was mail fraud, as mail fraud is defined by U.S. law as any type of scheme involving fraud that intentionally deprives others of property through the mail. It also includes wire communication, according to the Legal Dictionary website. The seller utilized the internet (Facebook Marketplace to advertise the item, a website to sell it, and email to respond to customers’ requests), so the elements of mail fraud seem to be present. Mail fraud occurs when U.S. Mail (in this case USPS) is used in furtherance of a criminal act. The seller could be convicted under 18 U.S.C. 1341 for committing mail fraud since some of the required elements were met. The requirements include the following elements: (1) the defendant (the seller) must have been engaged in a scheme to defraud; (2) the scheme must have involved material misstatements or omissions; (3) the scheme resulted, or would have resulted upon completion, in the loss of money, property, or honest services; (4) the defendant (seller) must have used U.S. mail in furtherance of a scheme to defraud; and (5) the defendant (seller) used or caused the use of U.S. mail. The seller’s use of USPS alone makes this a very good case, but it seems like a waste of time and effort to sue the seller unless it was a class-action lawsuit. It later occurred to me that the seller might actually not even be located in the US, so good luck to anyone who wants to track him down.
However, the summary of the whole issue goes back to caveat emptor, “let the buyer beware”, which is the principle that the buyer alone is responsible for checking the quality and suitability of goods before a purchase is made. This scheme appears to be another form of social engineering, as it is one of the ways attackers manipulate people into taking actions they would not usually take, like enticing someone to buy a treadmill for $30 while the intention is to deliver a waist pouch.
I remember an interesting movie about an elaborate bank heist over a 24-hour period on Wall Street. Aside from the clever orchestration of the robbery by the thieves, the thieves used the same name or a version of the same name; they all called each other Steve, Stevie, or Stevo. When the detectives tried questioning the witnesses it was hard to know who was who; the thieves were all nameless. Names give identity to things, just as in an organization, assets are named to help in their identification, prioritization, and protection. Also, with names come access and restriction of access. Just imagine an organization where access to every resource is open to everyone; I mean ownership of and access to all your assets have no restrictions by name. Imagine if everyone in your organization had access to all IT resources or had the same level of access to all IT resources. A janitor would have the same access to your firewalls as a network administrator, so he could configure the firewall rules to allow some insecure ports and protocols. The CEO would have the same kind of access to your financial applications, with permissions for overrides, and even the same rights as the Director of internal audit. Aside from the chaos and confusion that would result from such situations, it would be very difficult to know who did what. Think of a situation where the CEO decides to overstate revenues or misclassify expenses to favor the company’s financial position; he could do that without anyone knowing he did it, thereby facilitating a financial misstatement due to fraud.
You could also think of a system administrator having access to payroll applications as well as payroll files; he might decide to create a fictitious user account on the application or provision access to another employee to facilitate an embezzlement scheme. There could be a lot more damage caused when access to resources is not restricted based on the need. Unrestricted access is like having a house without doors or windows. While this kind of house would permit the occupants to move in and out of the building with so much ease and speed, it opens opportunities for theft and maybe worse things.
While it seems highly unlikely for everyone in an organization to have the same kind of access to resources, it is possible that some employees still possess unnecessary access to systems and data in an organization. This can be seen in situations where employees move from one role to another, either through promotion or job rotation. Some organizations also have a structure that permits employees in higher roles to have higher privileges and rights, even though some of these rights and permissions might not be related to their current roles. For instance, a manager might retain access to a database associated with an application based on his past roles, even though in his current role he no longer directly utilizes that data. I have seen a situation like this, where the human resources department did not inform the system administrator about such role changes and therefore the unneeded access was not removed.
The principle of least privilege specifies that individuals or processes are granted only the privileges they need to perform their assigned tasks or functions, and nothing more. These privileges are a combination of rights and permissions which are assigned to users, and this principle applies to regular users and administrators alike. A system administrator needs access to the systems in his domain but not to a domain he is not responsible for. He certainly does not need access to all the systems in the network. Imagine a situation where one of the system administrators has access to all domains. This might be because the organization would like an administrator to be able to replace another administrator should the need arise. While this kind of structure might be very useful and provide an opportunity for an administrator to observe the work of another administrator and learn from him, it also creates a vulnerability for IT resources. If an attacker obtains the credentials of such a system administrator, the impact of the attack is greater, since it gives the attacker the opportunity to gain access to these other systems as well. It is best practice to ensure that system administrators have two accounts: one with regular user rights and permissions that is used for their daily tasks, and another with privileged rights which is only used for system administration work. This is another way of applying the least privilege principle.
While certain services and applications require more rights and permissions than regular user accounts have, it is highly important to ensure that services and applications run under the context of a user account, and that these accounts are only granted the privileges needed by the service or the application. If an administrator configures all service and application accounts with full administrative privileges, an attack that compromises such a service or application account has a larger surface area, or impact on more systems and data, because of the administrative privileges of these accounts.
Last of all, the principle of least privilege can help in securing databases. Although implementing input validation controls, adopting stored procedures, and utilizing a Web Application Firewall in applications that have access to databases are really important for the prevention of SQL injection attacks, the principle of least privilege helps in minimizing the impact of SQL injection on the database itself. For example, the principle of least privilege is being enforced when a database administrator grants a user access only to the tables he or she needs in a database. This drastically reduces the damage potential should there be an SQL injection attack, preventing the bigger damage that could have occurred if that user had access to the whole database. The principle of least privilege reduces risk in all IT environments.
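The database point above, as an added Python example (not from the original post): an in-memory SQLite database with a product table and a payroll table, a lookup written the vulnerable way beside its parameterized form, and an authorizer hook that stands in for a database role granted SELECT on the product table only, so a query that strays into the payroll table is refused. Table names, rows and the hook are constructed; SQLite has no user accounts, which is why the authorizer plays the role a GRANT would in a server database.

```python
"""
Least privilege as a damage limiter for SQL injection.

Added illustration with constructed data. SQLite has no user accounts, so the
authorizer hook below stands in for a database role that was granted SELECT
on the products table only (in a server RDBMS: GRANT SELECT ON products TO
catalog_role). The payroll table represents data the application never needs.
"""
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL);
        CREATE TABLE payroll  (id INTEGER PRIMARY KEY, employee TEXT, salary REAL);
        INSERT INTO products VALUES (1, 'Widget', 9.99), (2, 'Gadget', 19.99);
        INSERT INTO payroll  VALUES (1, 'alice', 95000), (2, 'bob', 87000);
    """)
    return conn


def restrict_to_tables(conn: sqlite3.Connection, allowed) -> None:
    """Make the connection behave like a read-only role limited to `allowed` tables."""
    allowed = set(allowed) | {"sqlite_master", "sqlite_schema"}  # schema reads stay possible

    def authorizer(action, arg1, arg2, db_name, trigger):
        if action == sqlite3.SQLITE_READ and arg1 not in allowed:
            return sqlite3.SQLITE_DENY   # statement fails to compile: "not authorized"
        if action in (sqlite3.SQLITE_INSERT, sqlite3.SQLITE_UPDATE, sqlite3.SQLITE_DELETE):
            return sqlite3.SQLITE_DENY   # a catalogue lookup never writes
        return sqlite3.SQLITE_OK

    conn.set_authorizer(authorizer)


def search_products_vulnerable(conn, term: str) -> list:
    """The flaw the post warns about: user input concatenated into the SQL text."""
    sql = f"SELECT name, price FROM products WHERE name LIKE '%{term}%'"
    return conn.execute(sql).fetchall()


def search_products_safe(conn, term: str) -> list:
    """Parameterized query: the input is bound as data and cannot change the statement."""
    return conn.execute(
        "SELECT name, price FROM products WHERE name LIKE ?", (f"%{term}%",)
    ).fetchall()


def run_vulnerable_lookup(term: str, least_privilege: bool):
    """Run the vulnerable lookup with or without the restricted role.

    Returns ("ok", rows) or ("denied", error message).
    """
    conn = build_demo_db()
    if least_privilege:
        restrict_to_tables(conn, {"products"})
    try:
        return "ok", search_products_vulnerable(conn, term)
    except sqlite3.DatabaseError as exc:
        return "denied", str(exc)
    finally:
        conn.close()


# Constructed injection string: turns the lookup into a read of the payroll table.
INJECTED_TERM = "' UNION SELECT employee, salary FROM payroll --"

if __name__ == "__main__":
    print("no restriction :", run_vulnerable_lookup(INJECTED_TERM, least_privilege=False))
    print("least privilege:", run_vulnerable_lookup(INJECTED_TERM, least_privilege=True))
    conn = build_demo_db()
    restrict_to_tables(conn, {"products"})
    print("parameterized  :", search_products_safe(conn, INJECTED_TERM))
```

With the restricted role the injected statement is rejected before it runs; with the parameterized query it simply matches nothing, which is the combination the paragraph above argues for.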
Can you imagine entering a store like the Apple Store, but instead of seeing the nicely dressed Apple employees, you see some bouncers, bodyguards, and military officers with guns? You try to walk away but one of them tells you to stop so he could make sure you did not steal anything from the store. You are about to leave after a thorough body search, then you hear one of the gunmen say: “please come back again”. I believe you would most likely not return to that store. Their security might be at its best, but the customer’s shopping experience was obviously at its worst.
I remember my grandma telling me about a time when someone could leave a store unattended; a customer might come in to make a purchase while you were away, and the customer would leave the money there for you. The funny thing is there was no closed-circuit television (CCTV) at that time; people were trustworthy and would not steal from you. Good news: those days are coming back. I mean you might be able to leave your store open without the need for a cashier, and the customers could make their purchase without your presence while you would still get paid. I saw an ad about a prototype of this system. The company had invested so much into artificial intelligence and adopted a lot of other security measures to allow customers the luxury of a cashierless system. With the use of an App on the customer’s phone, the customer could make purchases without the need for any cashier or attendant. This is a great combination of security and convenience. Aside from the fact that some customers like physical interactions, most customers may love this kind of system for the convenience it offers.
As auditors, we are concerned with the security of information systems and data and our job description clearly defines that we are responsible for ensuring that the controls around our organization’s systems are designed appropriately and operating effectively. How can we ensure that the stakeholders enjoy some level of convenience while we attempt to maintain the security of our organization’s assets? The question is, “how can we add value to our organization through our projects without appearing to be policing the stakeholders”?
Here are some tips to help foster convenience around IT audit processes while we achieve our audit goals:
Determine your stakeholders: It is very easy to know who your stakeholders are. Who do you interact with during the audit processes? Who do you report the findings to? On an external audit, you may work with different clients at different times, depending on your organization’s structure and how your audits are laid out. It is important that you list the stakeholders that would be involved in your audit during your audit planning phase. Aside from your direct contact person, you should learn about the other people that would affect your work process during your project. The list could span from the IT team or process owner you are auditing to the management you report to. The audit team should have a training session on how to facilitate a good working relationship with these stakeholders. The audit planning phase should address the need to send an email to the stakeholders that have been identified to inform them about the audit scope and the part being played by these stakeholders. It is very important to communicate with the stakeholders directly and not just send the engagement letter to management while you ignore the other important stakeholders; remember you would most likely deal with these stakeholders even more than you deal with management during your projects.
Design the audit process to be convenient for the stakeholders as well: While it is important to follow your regular audit plan for the year, it is also important to remember that the stakeholders have their own plans for the year. They would appreciate spending more time on their core duties rather than using hours answering your questions and gathering documents for you. For example, if you will be auditing privileged access, you could make the system administrator's work easier by first reviewing the company's IT security policy covering privileged access. After your review, email your questions to the system administrator before the walkthrough meeting in which you discuss the in-scope controls. Since most people don't like surprises, seeing the questions ahead of the meeting gives them time to prepare, and a written response from the system administrator might even reduce the time you need to spend together at the walkthrough. The focus of your audit process should be to assess the controls, but do it in a way that avoids adding stress to the stakeholders' normal workload.
The PBC list (Prepared/Provided by Client): This list includes the items, such as documentation and evidence, that the auditor needs from the client to perform the audit. It is best practice to send the PBC request at least 3 weeks ahead of the audit, but the timing should also be determined by the audit team's experience with the client. If, based on past experience, the client was not able to provide the necessary documentation when needed, it is better to send the PBC request list much earlier. Doing this helps you keep to your audit timeline and allows the client ample time to gather the requested documents at their own pace.
The executive status tracker: This tracker is used to communicate the status of the audit to the client. It lists the scheduled meetings between the audit team and the client. These could be weekly status meetings to discuss progress, delays, and other needs, or they might involve validation of issues or potential audit findings. Just as it helps to send the PBC request list earlier when the client has had trouble providing documents in the past, it also helps to send the executive status tracker to the client as early as necessary and to update it as the need arises.
These modifications to the audit process help the stakeholders adjust their schedules as needed, making it more convenient for them to work with you while you still achieve your audit goals. The clients and all stakeholders will most likely be happier when they know that you are not just adding value to the organization through your audit, but that you also respect their time and other responsibilities, shown by how you make the process convenient for them while enhancing security.
Today, March 8, is International Women's Day, and the month of March is celebrated as Women's History Month. What does that mean to you? It is an opportunity to think about the contributions of women around the world as well as the challenges they face. Many women have influenced our lives in many ways. It is obvious that without women, the world of information technology, as well as information security, would not exist as we know it. A big thanks to the organizations that are challenging the biases and gender inequalities affecting women in information technology and other areas.
I would like to mention a few of the women who have influenced information technology and laid the foundation on which many of today's technological advancements are built.
Ada Lovelace: The first programmer
Ada was born in London and lived between 1815 and 1852. She became an English mathematician as well as a writer because her mother, who homeschooled her, insisted that Ada be taught science and mathematics.
It is documented that Ada was the first programmer who ever lived. She wrote notes explaining how a specific engine (Charles Babbage's Analytical Engine) could move beyond calculation to computation. The second Tuesday in October is known as Ada Lovelace Day, celebrating the achievements of women in STEM careers.
A woman who designed the very first compiler: Grace Hopper.
She was born in New York City and lived between 1906 and 1992. Grace attended Yale University, receiving a PhD in mathematics, and in 1943 she joined the Naval Reserve, retiring in 1966. It was during her service in the Naval Reserve that Grace joined the Eckert-Mauchly Computer Corp in 1949, where she designed a compiler that translated a programmer's instructions into computer code. In 1957, Grace's division developed the first English-language data processing compiler.
A woman who developed and implemented code that led to the battery used in hybrid cars: Annie Easley.
She was an African American woman who was born in Birmingham, Alabama and lived between 1933 and 2011. She attended Xavier University, where she majored in pharmacy for about 2 years. Shortly after leaving the university, she met her husband and they moved to Cleveland. There was, however, no pharmacy school nearby, so Annie applied for a job at the National Advisory Committee for Aeronautics (NACA), where she was one of four African Americans employed. In this role, she developed and implemented code that led to the development of the battery used in hybrid cars. Annie has encouraged many women and people of color to study and enter STEM fields.
A woman who helped develop the first personal computer: Mary Wilkes
She was born in 1937 in Chicago, Illinois, and she graduated from Wellesley College in 1959 with a degree in philosophy.
Mary was involved in programming computers such as the IBM 709 and IBM 704. In 1961 Mary joined the Digital Computer Group and contributed to the development of the LINC, which was built using the TX-2. She designed and wrote the operator's manual for the final LINC console design, and she is known for helping develop the first personal computer and as the first person to have a PC in her home.
A woman who inspired Steve Jobs' creation of the first Apple computer: Adele Goldberg
She was born in 1945 in Ohio and received a bachelor's degree in mathematics from the University of Michigan and a PhD in information science from the University of Chicago in 1973.
In the 1970s, Adele was a researcher at the Xerox Palo Alto Research Center (PARC) and was the only woman among the group of men who built Smalltalk-80. She presented the Smalltalk system to Steve Jobs, who implemented many of its ideas in Apple products. As a result, Adele Goldberg is known as one of the famous women in technology who inspired Steve Jobs' creation of the first Apple computer. The Apple desktop environment might not look the way it does today without Adele's work.
A Roman Catholic sister and advocate for women in computer science: Mary Keller
She lived between 1913 and 1985. Mary was an American Roman Catholic sister. In 1958 she started at the National Science Foundation workshop in the computer science department at Dartmouth College, which at the time was an all-male school. Teaming up with 2 other scientists, she helped develop the BASIC computer programming language. In 1965, Mary earned her PhD in computer science from the University of Wisconsin-Madison. She later established a computer science department at a Catholic college for women, Clarke College. For 20 years she chaired the department, where she was an advocate for women in computer science and supported working mothers by encouraging them to bring their babies to class with them. She is known as one of the famous women in technology for being among the first women in the United States to receive a PhD in computer science.
These are just a few of the women who have helped shape the world of information technology over the years, and there are many more. Their contributions, and the contributions of many women around the world, should encourage every one of us to keep challenging the biases and gender inequalities affecting women in information technology and other areas of life. If you are a woman subjected to some form of bias or gender inequality, please be encouraged by the great work of the women who have helped shape our world and keep your head up, because you have a lot to offer our world; you bring both beauty and brains to our world.
Happy International Women's Day and a lovely Women's History Month.
While Mr. Bean would most definitely not send you a malicious e-mail, someone else might. What will you do? Most likely you would not even open it, right? I once opened such an e-mail. I received an e-mail saying that I was being given a performance-based award from the company. I was excited and decided to thank my manager; I just assumed she must have recommended me for the award. I should have seen a red flag in the fact that the award was not associated with any specific project. I was excited, however, because these kinds of awards usually come with some dollar amount in gift cards, fifty or a hundred dollars sometimes. I sent a thank-you e-mail to my manager and then called her almost immediately. My manager started laughing on the phone as she told me it was just a test from the compliance team. They were trying to see how many employees would fall for a phishing e-mail that appears to be from the company. Well, I technically passed the test, as I had not yet clicked on the link; but I was planning to. I only wanted to say thank you to my manager before clicking on the link to claim my Amazon gift card or something like that. I believe your company might also send out such e-mails to you as part of your organization's cybersecurity awareness and training program.
I read a blog post from Neil Lappage on baselining cybersecurity skills for all IT professionals, and it made me think of cybersecurity audit. When it comes to cybersecurity, most organizations are either trying to be as protected as possible or they have given up worrying about the cyber threats that could affect them or their enterprise. I believe it is better to learn from other companies' experiences and secure your organization's information systems as much as possible. According to ZDNet, some of the data and information system breaches in 2020 are listed below:
It was reported that about 30 million records of Wawa Inc. (a chain of convenience stores and gas stations) containing customers' details were put up for sale online.
A Texas school district (Manor Independent School District) lost $2.3 million in a phishing scam.
A database backing point-of-sale systems used in medical and recreational marijuana dispensaries was compromised, impacting an estimated 30,000 US users.
Clearview AI’s entire client list was stolen due to a software vulnerability.
GE warned workers that an unauthorized individual was able to access information belonging to them due to security failures with supplier Canon Business Process Service.
Virgin Media reported that 900,000 users' data was exposed through an unsecured marketing database.
NutriBullet became a victim of a data skimming attack (Magecart attack), with payment card skimming code infecting the firm’s e-commerce store.
Marriott disclosed a new data breach impacting 5.2 million hotel guests.
These are just a few of the reported cybersecurity breaches in 2020. Auditing your cybersecurity program might be something you do on a yearly basis, but for organizations that want some direction on how to go about it, here are some steps to take:
1. Know the purpose, size, and scope of your organization’s cybersecurity program.
Since different organizations have different goals, the form and structure of their cybersecurity programs also vary. A business entity's cybersecurity program depends on several factors, of which the kind of assets that need to be protected and the revenue size are the most important.
Another factor that can determine the size of an organization's cybersecurity program is the set of perceived threats and vulnerabilities identified through a comprehensive risk assessment or threat modelling.
Sometimes the size of the cybersecurity program is determined by the amount of senior management support for IT projects, or by management's perception of the potential and actual threats and vulnerabilities affecting the organization (this is the control environment as described by the COSO internal controls framework). So your audit team has a responsibility to help management form an accurate perception of the cyber threats affecting your organization.
There are some industry specific requirements which could also determine the size of a company’s cybersecurity program. Examples include:
PCI DSS (Payment Card Industry Data Security Standard) requirements for retail companies, or any company that processes customers' payment card information beyond a specified threshold.
Companies with operations in Europe are required to comply with the European Union's General Data Protection Regulation (GDPR), and this regulation affects both the budget and the personnel a company invests in its cybersecurity program.
To sum it up, the overall risk exposure of an organization, together with these other factors, must be determined and documented in order to know the scope, size, and purpose of the organization's cybersecurity program.
2. Have a well-documented audit program or steps to cover different areas of the program.
The audit program should be developed based on the first step above and should be focused on the scope of the cybersecurity audit. If your organization has a team of cybersecurity auditors who specialize in auditing the different areas in scope, the IT audit team might review their most recent audit reports.
Determine the people involved in the organization's cybersecurity program (e.g., the CIO) and identify the process owner so that he or she can walk you through the processes that make up the program. This is to obtain the necessary understanding of the control processes and to gather relevant evidence such as documentation (e.g., the IT security policy covering the cybersecurity program, proof of its enforcement, and the disaster recovery or incident response plan for the program). The IT security policy should cover the essential processes and systems needed to achieve the security needs of the assets. The focus should be on the confidentiality, integrity, and availability of data as well as the processes that secure the information system assets. It is important to verify how adequately the policy covers your organization's IT environment.
Performing your audit should also involve mapping the security attributes of the assets in scope (which could be processes or systems) to the controls associated with those attributes. Only three attributes are mentioned above, but the list could be longer if the SABSA attributes (the Sherwood Applied Business Security Architecture attributes) are adopted. An attribute that no control maps to is a gap, and that gap is the audit finding.
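One way to carry out that mapping is to keep the asset inventory and the control catalogue as data and let a script produce the coverage matrix and the gaps. The example below is added here and is not code from the original post; the asset names, the attribute names beyond confidentiality, integrity and availability (which stand in for SABSA-style attributes), and the control catalogue are all constructed for illustration.

```python
"""Control-coverage check for a cybersecurity audit.

Added example (not from the original post). Maps each in-scope asset's required
security attributes to the controls that address them, then reports attributes
that no control covers. Inventory and catalogue below are constructed samples.
"""

# Constructed asset inventory: asset -> attributes it must satisfy.
# "confidential", "integrity-assured", "available" are the classic CIA trio;
# "auditable" and "accountable" stand in for additional SABSA-style attributes
# (assumed names, chosen for this example only).
ASSETS = {
    "research-file-share": {"confidential", "integrity-assured", "available", "auditable"},
    "payroll-db": {"confidential", "integrity-assured", "available", "auditable", "accountable"},
    "public-website": {"integrity-assured", "available"},
}

# Constructed control catalogue: control id -> (description, attributes the
# control supports, assets it is applied to). A scope of None means the
# control is applied enterprise-wide.
CONTROLS = {
    "AC-01": ("Role-based access with quarterly access review",
              {"confidential", "accountable"}, {"research-file-share", "payroll-db"}),
    "BK-02": ("Daily backups with a tested restore procedure",
              {"available"}, None),
    "LG-03": ("Central log collection, 1-year retention",
              {"auditable"}, {"payroll-db"}),
    "CH-04": ("Change management with peer review",
              {"integrity-assured"}, {"public-website", "payroll-db"}),
}


def coverage(assets=ASSETS, controls=CONTROLS):
    """Return {asset: {attribute: [control ids]}} for every required attribute.

    A control counts for an asset only if it supports the attribute AND is
    actually applied to that asset (or is enterprise-wide).
    """
    matrix = {}
    for asset, attrs in assets.items():
        matrix[asset] = {}
        for attr in sorted(attrs):
            ids = [cid for cid, (_, supported, scope) in controls.items()
                   if attr in supported and (scope is None or asset in scope)]
            matrix[asset][attr] = sorted(ids)
    return matrix


def gaps(assets=ASSETS, controls=CONTROLS):
    """Return {asset: sorted attributes with no covering control}.

    Only assets that have at least one uncovered attribute appear; these are
    the candidate audit findings.
    """
    return {
        asset: sorted(attr for attr, ids in attrs.items() if not ids)
        for asset, attrs in coverage(assets, controls).items()
        if any(not ids for ids in attrs.values())
    }


if __name__ == "__main__":
    for asset, attrs in coverage().items():
        for attr, ids in attrs.items():
            print(f"{asset:22} {attr:18} {', '.join(ids) or 'NO CONTROL'}")
    print("gaps:", gaps())
```

With the constructed data, the research file share is left with no integrity or logging control because CH-04 and LG-03 are scoped to other assets, even though both controls exist; that scope mismatch is exactly the kind of gap a walkthrough alone tends to miss.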
3. Another important step in the cybersecurity audit is to examine the cybersecurity awareness training program and the cybersecurity information communication process of your organization.
It is also important to evaluate the process for ensuring that IT security employees have the knowledge and skills required to secure the assets in scope. While it would be challenging to evaluate such a criterion across the entire organization, sending out e-mails like the company-generated test phishing e-mail I mentioned earlier is helpful both for training employees and for assessing the risk posed by incoming threats.
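For the auditor, the useful output of such a test is not the anecdote but the numbers: who clicked, who went on to submit credentials, and who reported the message. The script below is an added example, not code from the original post or from any phishing-simulation product; the event log is constructed, and the finding thresholds are assumptions to be tuned to your own program.

```python
"""Scoring a simulated-phishing campaign for an awareness-program audit.

Added example (not from the original post). Collapses a raw event log into
per-user outcomes, then per-department click, credential-submit and report
rates, and lists departments that warrant a finding. Data is constructed.
"""
from collections import defaultdict

# Constructed event log: (campaign, user, department, event).
# A user can generate several events. "submitted" means credentials were
# entered on the landing page; "reported" means the report-phish button was used.
EVENTS = [
    ("Q1-award", "alice", "finance", "delivered"),
    ("Q1-award", "alice", "finance", "opened"),
    ("Q1-award", "alice", "finance", "clicked"),
    ("Q1-award", "alice", "finance", "submitted"),
    ("Q1-award", "bob", "finance", "delivered"),
    ("Q1-award", "bob", "finance", "opened"),
    ("Q1-award", "bob", "finance", "reported"),
    ("Q1-award", "carol", "it", "delivered"),
    ("Q1-award", "carol", "it", "reported"),
    ("Q1-award", "dave", "it", "delivered"),
    ("Q1-award", "dave", "it", "opened"),
    ("Q1-award", "dave", "it", "reported"),       # opened first, then reported: still a report
    ("Q1-award", "erin", "sales", "delivered"),   # ignored it entirely, never reported
]

# Ordering of the "bad" outcomes; a user's score is their worst action.
SEVERITY = {"delivered": 0, "opened": 1, "clicked": 2, "submitted": 3}


def per_user(events, campaign):
    """Return {user: (department, worst_severity, reported)} for one campaign."""
    worst, reported, dept = {}, set(), {}
    for camp, user, department, ev in events:
        if camp != campaign:
            continue
        dept[user] = department
        if ev == "reported":
            reported.add(user)
        else:
            worst[user] = max(worst.get(user, 0), SEVERITY[ev])
    return {u: (dept[u], worst[u], u in reported) for u in worst}


def department_metrics(events, campaign):
    """Per department: users targeted and click / submit / report rates in percent."""
    by_dept = defaultdict(list)
    for _, (department, worst, reported) in per_user(events, campaign).items():
        by_dept[department].append((worst, reported))
    metrics = {}
    for department, rows in by_dept.items():
        n = len(rows)
        metrics[department] = {
            "targeted": n,
            "click_rate": round(100 * sum(w >= SEVERITY["clicked"] for w, _ in rows) / n, 1),
            "submit_rate": round(100 * sum(w >= SEVERITY["submitted"] for w, _ in rows) / n, 1),
            "report_rate": round(100 * sum(r for _, r in rows) / n, 1),
        }
    return metrics


def findings(metrics, click_threshold=10.0, report_floor=50.0):
    """Departments whose click rate exceeds the threshold or whose report rate
    is below the floor. Both thresholds are assumed values for this example."""
    return sorted(d for d, m in metrics.items()
                  if m["click_rate"] > click_threshold or m["report_rate"] < report_floor)


if __name__ == "__main__":
    m = department_metrics(EVENTS, "Q1-award")
    for department, row in sorted(m.items()):
        print(department, row)
    print("findings:", findings(m))
```

Two design points matter for the audit. First, a user who clicked and later reported is still counted as a click, because the credential exposure already happened; the report rate is tracked separately because it measures whether the reporting channel actually works. Second, "opened" is deliberately not used in any rate, since open tracking depends on an image load that many mail clients block, so it understates or overstates exposure unpredictably.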