@ISACA Volume 24  27 November 2019

Five Key Lessons Learned From Publicly Disclosed Data Breaches and Security Incidents


Key lessons can be learned from publicly disclosed data breaches and security incidents. These lessons can help organizations more effectively focus their investments and efforts to prevent themselves from becoming victims in similar instances. Recently, both the pace and impact of data breaches and security incidents have increased, and many organizations are deficient in their information risk management and security programs.

The following 5 key lessons can be learned from publicly disclosed data breaches and security incidents:

  • Security policies and standards must meet your organization’s capabilities—Organizations are often held accountable to policies and standards in legal proceedings. In the Equifax Data Breach Settlement, the US Senate Banking Committee highlighted that Equifax did not comply with its own published information security policies and standards on multiple occasions. For example, Equifax’s IT team was required to install critical patches within 48 hours. A 9 March 2017 email from Equifax’s internal security team noted that the Apache Struts vulnerability required patching. Equifax did not complete patching for the Apache Struts vulnerability until August 2017, approximately 173 days later.
    In some cases, organizations develop and publish information security policies and standards with expectations and requirements that they believe they need to include to satisfy customers, regulators and other stakeholders even though they do not have the means or intention of being able to comply with them. This practice can be more damaging to an organization in legal proceedings and/or public perception than if they were to include expectations and requirements with which they could realistically and consistently comply. Establishing standards that can be successfully implemented and maintained gives organizations the opportunity to explain their strategy and plans to enhance their capabilities within commercially reasonable timeframes to align with leading practices, expectations and requirements.
  • Visibility of assets is key to protection—You cannot protect what you do not know. In the case of the Equifax data breach, it was noted that the lack of patching of affected systems was, in part, due to reduced visibility. The vulnerability management scanning solutions that would have identified this issue were disabled due to an expired digital certificate.
    Oftentimes, organizations focus their visibility activities exclusively on production environments or Internet-facing assets. Capable and motivated adversaries are aware of this and often target assets outside of this focus so as to avoid detection. It is important for organizations to develop and maintain a comprehensive asset inventory and to monitor all their systems and technologies that process, store or interact with sensitive data assets. This inventory should also include configuration management information about these capabilities so organizations can quickly identify vulnerable systems and technologies once a new credible threat or vulnerability is identified and validated.
  • Zero-day attacks are often not the biggest threat to an organization—Many organizations have a heightened level of concern for their ability to detect and repel zero-day attacks, even though they are more likely to be affected by attacks that exploit vulnerabilities they are already equipped to remedy. Adversaries will try to take advantage of zero-day attacks, but these attacks are often limited to advanced and capable attackers. In many cases, materially impacting attacks, such as the city of Baltimore (Maryland, USA) ransomware attack, take advantage of attack code and vulnerabilities that have been available for use and exploitation for significant periods of time.
    Organizations should focus their protective activities on well-known and understood threats and vulnerabilities that can negatively affect them immediately. Once they are secure, they can then spend time and effort on combating new and less mature attacks, unless one is imminent.
  • Vendor-based insider attacks can cause significant breaches and incidents—It is often the case that a knowledgeable and capable insider can cause significant material damage to an organization in ways that are not easily defended or remediated. In the Capital One data breach, it was not a Capital One employee who carried out the attack, but an individual who worked for a key and trusted vendor of Capital One, Amazon Web Services (AWS). This individual had intimate knowledge of Capital One’s Amazon-based operating environment and was able to evade defenses and controls to carry out one of the largest data breaches publicly disclosed to date.
    This situation highlights the need for organizations to extend their strategies for insider threat monitoring and prevention to third parties that interact with sensitive data assets, key business technologies and processes. “Trust, but verify” should be instilled in the governance processes for these vendors. Contracts should define expectations of monitoring capabilities and security controls to mitigate insider risk, and organizations should establish a regular set of communications and security reviews with third parties. This can help ensure that insider-threat-based security controls are constantly maintained, monitored and matured appropriately.
  • Expectations of due care are rising as security capabilities are considered easier to implement and follow—Organizations that have been subject to legal action as a result of data breaches and security incidents are often held to a standard known as due care. A recognized legal definition of due care that aligns with information risk and security programs is, “[Due care] refers to the level of judgment, care, prudence, determination and activity that a person or organization would reasonably be expected to do under particular circumstances.”
    The characteristics of due care change as expectations of affected parties evolve and the ability for organizations to more easily implement leading security practices and technologies becomes readily available. Both legal systems and the court of public opinion typically do not accept that foundational and hygiene-focused security measures and controls are hard to implement and maintain. These are considered a cost of doing business that should be incurred to provide proper protections. Organizations should focus on areas of information security hygiene with an immediate focus on visibility of assets, patching, configuration management and system hardening at a minimum. An April 2018 study by InformationWeek: Dark Reading found that 60% of organizations that experienced a data breach cited a known, unpatched vulnerability as the root cause, so patching a known vulnerability becomes an expectation of due care.
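An added illustration of the visibility and patching lessons above (example code, not from the ISACA article): a configuration-management inventory is checked against a vulnerability advisory and every affected system, whatever its environment, is measured against a 48-hour patch SLA counted from the 9 March 2017 notification the article describes. The software name, version ranges, hostnames and patch dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Asset:
    hostname: str
    environment: str            # production / staging / internal
    software: str
    version: str
    patched_on: Optional[date]  # None means still unpatched


def parse_version(v: str) -> tuple:
    """Turn '1.4.12' into (1, 4, 12) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def is_affected(asset: Asset, advisory: dict) -> bool:
    """True when the asset runs the advisory's software at a version inside any affected range."""
    if asset.software != advisory["software"]:
        return False
    v = parse_version(asset.version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in advisory["affected"])


def affected_assets(inventory, advisory):
    """Select every inventory entry the advisory applies to, across all environments."""
    return [a for a in inventory if is_affected(a, advisory)]


def sla_report(assets, notified: date, today: date, sla_hours: int = 48) -> dict:
    """Map hostname -> (status, days past the patch deadline) measured from notification."""
    deadline = notified + timedelta(hours=sla_hours)
    report = {}
    for a in assets:
        done = a.patched_on or today          # unpatched systems keep accruing lateness
        late = max(0, (done - deadline).days)
        if a.patched_on is None:
            status = "unpatched"
        else:
            status = "on time" if late == 0 else "late"
        report[a.hostname] = (status, late)
    return report


def sample_inventory():
    """Constructed sample data: software name, versions, hosts and dates are made up."""
    inv = [
        Asset("web-01", "production", "acme-web-framework", "1.4.9", date(2017, 8, 29)),
        Asset("web-02", "production", "acme-web-framework", "1.4.13", date(2017, 3, 10)),
        Asset("stage-07", "staging", "acme-web-framework", "2.0.2", None),
        Asset("intra-03", "internal", "acme-web-framework", "1.4.7", date(2017, 3, 10)),
        Asset("db-01", "production", "acme-db", "9.6.3", None),
    ]
    advisory = {"software": "acme-web-framework",
                "affected": [("1.4.5", "1.4.12"), ("2.0.0", "2.0.3")]}
    return inv, advisory


def demo_report() -> dict:
    """Run the check over the sample, using the article's 9 March 2017 notification date."""
    inventory, advisory = sample_inventory()
    hit = affected_assets(inventory, advisory)
    return sla_report(hit, notified=date(2017, 3, 9), today=date(2017, 9, 1))


if __name__ == "__main__":
    for host, (status, late) in demo_report().items():
        print(f"{host}: {status}, {late} days past the 48-hour deadline")
```

Note that web-01 at version 1.4.9 is only caught because versions are compared numerically; a plain string comparison would place "1.4.9" above "1.4.12" and miss it.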

Publicly disclosed data breaches and security incidents highlight the threats and vulnerabilities that organizations consistently face every day. This information should be used as valuable intelligence to help organizations adjust their information risk and security strategy approach. Organizations that learn and implement strategies based on these examples strengthen their capabilities to combat and prevent future data breaches and incidents. At a minimum, organizations can use this information to understand due care expectations and incorporate these data into their information risk profiles and strategies.

John P. Pironti, CISA, CRISC, CISM, CGEIT, CISSP, ISSAP, ISSMP, is the president of IP Architects LLC.


Gain Insight Into Mitigating IT Risk



IT risk management is essential as mitigating risk ensures that organizational value is kept intact. Join IS, IT and business professionals and experts for ISACA’s IT Risk Management Virtual Summit 2019. ISACA’s free virtual summit on IT risk management is a half-day event featuring live presentations and opportunities to connect with peers worldwide. It is intended to provide you with insight into identifying challenges and formulating solutions for managing and mitigating IT risk and compliance issues within organizations of every size in every field. Attendees will have the opportunity to:

  • Attend 3 live presentations centered around IT risk management
  • Engage with a panel of experts for a deeper dive into IT risk management in a roundtable discussion
  • Earn up to 4 free continuing professional education (CPE) hours

This IT Risk Management Virtual Summit 2019 is presented by ISACA and Adobe. The event takes place on 3 December at 9AM CST (UTC -6 hours).

To learn more about or register for this event, visit the IT Risk Management Virtual Summit 2019 page of the ISACA website.


Why Auditors Rarely Find Fraud

By Anthony Hodgkinson

In today’s world where corporate scandals often make front-page news, fraud prevention and detection are becoming a priority for management and decision-makers. An alarming statistic reported by the Association of Certified Fraud Examiners (ACFE) is that the average organization loses an estimated 5% of its annual revenue to fraud; hence, fraud is one of the major risk factors facing an organization (both financially and reputationally).

Typically, a large majority of midsize to large organizations consider their internal and external auditors as pivotal for uncovering fraud and taking preventive measures to minimize the risk of loss incurred due to fraud. However, this does not imply that independent auditors often identify fraud; in fact, the opposite is true in many cases. ACFE’s Report to the Nations points out the fact that auditors rarely find fraud—internal audit detects fraud 15% of the time, while external audit does so merely 4% of the time.

One reason auditors rarely find fraud is that audits are not designed to detect and/or prevent fraud from occurring. Audit procedures and rules are more likely to determine whether an organization’s financial statements are fairly stated without any material discrepancies and whether appropriate internal controls are in place. They are not aimed at detecting and remediating a fraudulent occurrence. For instance, organizations exhibiting an unethical culture and poor employee behavior are often held responsible for data breaches, whereas there is no relationship between auditors and the conduct of employees, as typical audit rules do not require auditors to consider qualitative and nonregulatory factors. Hence, auditors cannot be held accountable for fraudulent incidents in most cases.

Knowing all this, fraudsters try to take advantage of the gap between an auditor’s limited reach and the organization’s policies and procedures. This makes fraud prevention a mutual responsibility of the board, top-level management and auditors.

The following are some reasons why auditors rarely find fraud:

  • The audit universe has its limitations—During an audit engagement, auditors usually evaluate financial statements of the organization or test internal controls that are in place. Most of these audit procedures are aimed at detecting material facts and correcting material errors. Materiality, in this context, is a misstatement/weakness in internal controls over financial reporting that might affect decision-making and profitability of stakeholders. Hence, the audit universe captures transactions and controls that are at or above material level.
  • Lack of volatility in audit tests—Generally, auditors are not known to modify their testing methods from one exercise to another; their focus remains set on the specific thresholds of controls and the transactions occurring. This makes audit testing predictable as employees are often aware of the scope of the audit and the opportunities that exist under the auditor’s radar. Adding an element of surprise can be an effective method in detecting and preventing fraud, yet it is not commonly used by auditors.
  • Sampling is not enough to capture the whole story—Sampling is widely used for testing transactions in an audit. Auditors collect random samples of transactions to verify that they were correctly recorded and that the internal controls were in place and working at the time. An intrinsic limitation of sampling is that not all transactions are tested, creating a high probability that a fraudulent transaction will not be captured in the auditors’ sample and, therefore, will go undetected.
  • Fraudsters might prove clever for inexperienced auditors—Today’s business model for audit enterprises relies on relatively inexperienced auditors to perform a major component of field work. Young and inexperienced auditors often do not know what questions to ask and are usually reluctant to ask difficult questions or challenge management’s decisions. On the other hand, fraudsters can produce fake documents or paperwork to pacify the busy auditor. Simply put, auditors without much experience might not be adept at recognizing suspicious transactions and/or fraudulent documentation.
  • Time and budget constraints—Just like any other project or engagement, auditors are also required to meet certain periodic and monetary deadlines. Limitations of resources and tight project deadlines may lead to audits not being as thorough as planned.
  • Heavy dependence on internal controls—The scope of testing and the types of audit procedures used are heavily influenced by the assessment of internal controls. Auditors review the organization’s policies and procedures that help ensure accurate processes and financial statements. Internal control deficiencies are often repeated year after year even with increased auditing procedures, while the client continues without addressing those deficiencies.

To learn more about the auditors’ role in detecting fraud, read the full article on Protiviti’s KnowledgeLeader.

Editor’s Note: © 2019 Protiviti Inc. All rights reserved. This article was excerpted with permission from Protiviti’s KnowledgeLeader, a subscription-based website that provides audit programs, checklists, tools, resources and best practices to help internal auditors and risk management professionals save time, manage risk and add value. ISACA members receive a discount on an annual subscription to the service.


Share Your Feedback on the ISACA Podcast



The ISACA Podcast offers thought leadership, practical strategies and career guidance in a quick and easy-to-digest format. To better serve you, ISACA welcomes your feedback on the podcast. If you want to learn more about a specific topic, wish episodes were a different length or would like episodes delivered in a different style, you can let us know in the ISACA Podcast survey.

If you are not a regular ISACA Podcast listener, you can listen to it on the ISACA Podcasts page of the ISACA website or subscribe to it on Apple Podcasts, Google Play, PodBean, Spotify or Stitcher. Subscribing enables you to access new episodes as they are released, approximately once per week. Episodes cover topics discussed in the ISACA Journal, cybersecurity news, ISACA conference sessions, SheLeadsTech and ISACA’s 50th anniversary. Podcast guests are leaders in IT security, audit, governance and risk, and many of them are authors or reviewers of ISACA white papers or Journal articles.

To learn more about the ISACA Podcast and listen to recent episodes, visit the ISACA Podcasts page of the ISACA website.


CISM: The Key to Moving From Auditor to Manager

Ferry Haris Shares His Experience as a CISM

In 2015, Ferry Haris, CISA, CISM, IT risk manager at APG Asset Management, decided that he wanted to branch out from his role as an auditor, but also continue to utilize his base of knowledge, so he pursued the Certified Information Security Manager (CISM) certification. When asked about how CISM has benefitted his career, Haris says, “Because of CISM, potential employers and colleagues see me as more than an auditor and as an expert in information security. Some colleagues even have changed their perception of the advice I give because they now think we speak the same language.”

Since becoming a CISM, Haris has found that he derives more satisfaction from his work and enjoys knowing he is positively contributing to his organization and his colleagues. He says the biggest challenge in his job is convincing others that security and risk management are everyone’s responsibility, but it helps that he has the knowledge from his CISM certification to correlate security terminology with business terminology. This knowledge allows him to better illustrate why security and risk management are more than just one function’s responsibility and are important across the organization.

One of Haris’s favorite parts of his job is the frequent travel, which allows him to meet many different people around the world. He says, “I never thought of working and living in several countries. But having both the Certified Information Systems Auditor® (CISA) and CISM certifications under my belt helps open up job opportunities outside of my home country. The global acknowledgement of ISACA certifications has helped me to become a global citizen.”

Overall, Haris has found certification demonstrates a commitment to continuous learning and gives you the opportunity to add value at your organization. He believes certifications help individuals stand out. To grow in your professional and personal lives, learning new things is essential.

To learn more about ISACA certifications, visit the Certification page of the ISACA website.


Pursuing a New Career With Passion: A Few Minutes With Zinet Kemal

New From SheLeadsTech

Zinet Kemal, CISA, CySA+, Network+, Security+, was a legal assistant in Ethiopia before moving to the United States 6 years ago. Once she arrived in the United States, her technology career journey began, but her interest in tech started much earlier. She has long been fascinated by the power of technology to help solve people’s everyday problems. Currently, Kemal works at Hennepin County as an IT auditor, identifying weaknesses in the system network, making recommendations to prevent security breaches and effectively evaluating IT risk by auditing cybersecurity controls, and she volunteers as technology director at the Information Systems Security Association (ISSA) Minnesota (USA) Chapter. She is most interested in cybersecurity and IT risk management and compliance. At Hennepin County, she also serves as chair of a subcommittee of the millennials’ employee resource group.

Here she shares her story about changing to a new career while also adapting to a new country with her family.

Q: What struggles have you faced entering the technology industry?
A: One of my biggest challenges changing careers has been attending school while raising a family. Raising 3 young children and attending classes can be difficult, and finding affordable childcare can be even more difficult. Even so, it has been rewarding to know that I can inspire and serve as a role model for my children. I show them how to be consistent, resilient and how to pursue goals. When making the switch to technology, I did not have the background in math, programming or the necessary computing concepts, and that was also a challenge. I have risen to the challenge, however, and studied harder to catch up to my other classmates who were born in the United States and have had exposure to these concepts earlier in their education. Outside of school, navigating and learning how to break into the workforce, including learning a different work culture in a new country, was another hurdle.

Q: How have you seen the industry change during your career?
A: I am still newer to the industry, but I have learned and observed some interesting things about the industry itself since starting my journey. I have noticed in school that there are very few women in my classes and there are even fewer women of different ethnicities. I have learned that women in the cybersecurity industry only account for 11% of the workforce, though that number is expected to grow to 20% by the end of 2019. This figure is too low. The industry needs to continue pushing for more women in tech. Initiatives and associations such as SheLeadsTech and Women in Cybersecurity help increase awareness on the topic and move the needle in the right direction. I also believe women leaders are important in changing the industry because women role models help motivate other women who aspire to break into the field and also strive to become leaders.

Q: What advice do you have for others currently in or looking to join this industry?
A: For those who are looking to join this industry, I would say if you set your mind to it and are passionate about technology, you can do it, and it does not matter if you are changing careers, new to the country or lack experience. Avoid intimidation and stereotyping and tell yourself that if you put in the work you will go a long way. I will say in technology, one needs to be willing to adapt to change since things in technology constantly evolve. For those already in tech, knowing the goals and processes of your organization will help you not only see the bigger picture, but also make you indispensable to your team. Once you find something you are passionate about to specialize in, be open to learning and self-development. I like to explore and earn certifications so that I learn new concepts. As a working mother, I am very passionate about contributing to changing the narratives on issues of gender and the racial pay gap. I think this is especially important in technology and I will do what I can to encourage the industry to move toward equality and reducing disparity.

Q: What excites you about your career and the tech industry?
A: In my current role as an IT auditor, I enjoy learning about the different areas of IT and security concepts. With each audit engagement, I get the opportunity to learn and research a specific area of IT and security. This helps me develop expertise in that space and helps me get excited and stay engaged in my career. The fact that technology is constantly evolving makes it exciting in itself, and it pushes people to learn and keep up with the environment. I find that very fascinating.

Q: How do you progress your learning and share your knowledge with others?
A: When I arrived in the United States, I pursued my bachelor’s degree in computer science, an associate degree in computer programming, and a certificate in cybersecurity and privacy law. I pursue new certifications frequently and am currently working toward my Master of Science (MS) in cybersecurity. I also firmly believe that teaching can help you solidify and relearn concepts. To that end, in 2019, I began teaching a class in information security at a community college as an adjunct professor. I hope my teaching can inspire others and my knowledge can help them on their own journeys.

Q: What do you do when you are not working and teaching outside the home?
A: When I am not pursuing my career in tech, I enjoy spending time with my 3 children (soon to be 4) and my husband. I like seeing everyone in my life active and pursuing what they love. I am grateful to have a husband who is encouraging, believes in my potential and enjoys seeing me pursue what I love.

This article was originally published on the SheLeadsTech website.

The ISACA SheLeadsTech program and the SheLeadsTech newsletter shed light on the waves women are making in the tech industry today. By subscribing to the monthly newsletter, you will receive the latest event updates, webinar content, podcast content and insight into what women leaders like Kemal are uncovering in the tech industry. Subscribe to the newsletter on the SheLeadsTech website.