ISACA Journal Blog

Applying Chaos Theory to Security

Jean Jacques Raphael, CISA, CISM, ISO 27001 LI, Jean Claude Célestin, Eric Romuald Djiethieu, FCNSP, ISO 27002 Foundation, ITIL v3 Posted: 8/12/2019 2:59:00 PM | Category: Security

It has become almost impossible to face cybersecurity issues just by using the presently available countermeasures; hackers always find ways to bypass them. Whatever the future state of technology, some information related to people and national security must be kept secret. To propose a viable response to this situation, Octosafes Inc. conceived a theoretical system based on 5 hypotheses and the mathematical laws of chaos. The 5 hypotheses are:

  1. A child born today can be identified and authenticated by a computer without using the child’s name or a numerical identifier (SSN).
  2. On a certain scale, e.g., micron (micrometer) or microsecond, it is impossible for 2 people or 2 objects to be exactly the same, e.g., identical twins, fingerprints or 2 sheets of paper in the same ream.
  3. To become safer or even impenetrable, information systems must obey new laws and new logic (other than Boolean logic).
  4. The computer can protect people by protecting itself.
  5. Based on the previous hypotheses, it is now possible to design information systems with limited compatibility, i.e., it is impossible for 2 computers to communicate if there has not been some “physical” interaction (remotely or not) between these 2 systems.

The 2 essential laws of chaos theory are:


Measuring Risk Quantitatively

Benoit Heynderickx, CISA, CRISC Posted: 8/5/2019 3:03:00 PM | Category: Risk Management

Quantitative risk has become a growing field of interest for information security professionals. This is good news, as I strongly believe that this is the right approach to perform meaningful information risk assessments.

The first time I discovered quantitative risk was by picking up a book in the library called The Failure of Risk Management.1 The book validated my concerns over the classical approach to risk management for information security that used qualitative indicators such as high, medium and low. As a practitioner of information risk management, I could not hide my disappointment amongst my peers and was really hopeful there might be a better way.


Where to Begin Addressing the Policy-to-Execution Gap

Mina Miri, Amir Pourafshar, CISSP, Pooya Mehregan, Ph.D., and Nathanael Mohammed Posted: 8/1/2019 3:04:00 PM | Category: Security

How do you transform security and privacy compliance requirements into practical steps that can be executed by a team? It is not easy, especially in an Agile environment that wants to move quickly. To say there exists a gap between complying with policies and actually executing tasks to that end is just the tip of the iceberg. The rest of the iceberg looks like this:

  • Policies, regulations and standards are designed to be high-level and abstract. There are no simple steps to follow to meet them.
  • Policy-to-execution (P2E) platforms are limited to technical steps for only the software development life cycle (SDLC).
  • Regulatory bodies continue to publish new standards beyond the SDLC.
  • Organizations may perceive security as a disruptor.

For instance, section 4.2 of the PCI-SSLC requires that "[n]ewly discovered vulnerabilities are fixed in a timely manner. The reintroduction of similar or previously resolved vulnerabilities is prevented."


Addressing the Vulnerabilities of IoT Devices

Larry G. Wlosinski, CISA, CRISC, CISM, CISSP, CAP, CCSP, CBCP, PMP, CIPM, CDP, ITIL V3 Posted: 7/29/2019 3:00:00 PM | Category: Security

My recent Journal article on the Internet of Things (IoT) was inspired by an article I read on a botnet takedown that involved the digital recording devices that many people have connected to their television. It reminded me of the information security problems that came to light as new computer software was developed and used by many organizations and people. When the personal computer industry was in its infancy, there was no thought about misusing it (e.g., local denial-of-service attacks, adding malicious software to the computer). The only concern was getting it out in the marketplace and selling it. Information security and privacy were not a concern; device capabilities and features were.


The Need for Speed

K. Brian Kelley, CISA, CSPO, MCSE, Security+ Posted: 7/22/2019 3:01:00 PM | Category: COBIT-Governance of Enterprise IT

In the 1980s movie Top Gun, the protagonist utters the phrase, “I feel the need, the need for speed!” Peter “Maverick” Mitchell flew an F-14 Tomcat, an interceptor jet capable of flying at more than twice the speed of sound. Fighter pilots love speed. Speed can be the key factor in winning aerial engagements. Speed is often a key factor in any competitive landscape, whether we are talking about fighters in the air, sports or business. Speaking of business, innovation is all about helping an organization develop processes and products that make it more competitive. As a result, innovation must be fast; the faster the better.

For security professionals and auditors, that means maintaining a balance between speed and protection. If we allow our organization to move too fast, beyond the capability of our controls, we incur risk that could be more costly than losing a product race to a competitor. On the other hand, if our processes cause enough delay that we are constantly behind our competitors, we are putting the long-term health of the organization in jeopardy.
