Pubcast: 2011 Predictions

A couple of weeks ago Tony Olivier invited me to join some top security experts on a podcast to discuss InfoSec trends for 2011 in South Africa. Being my first podcast experience I didn't have much to say, but I found it to be an extremely insightful and interesting discussion ranging from compliance to technology to foursquare. To Helaine, Kris, Craig, Haroon, Matt and Tony – well done guys!

If you have the time, do head to DiscussIT.co.za and have a listen.

http://www.discussit.co.za/index.php?option=com_content&task=view&id=283&Itemid=1

IT Audit or IT Security Audit?

I’ve just read a short but interesting post from David Hoelzer over at SANS where he asks the question of whether, as IT Auditors, we audit IT or IT Security.

http://it-audit.sans.org/blog/2009/11/10/it-audit-and-it-security-audits-is-there-a-difference/

Quite an old post, but it only found its way to me via Twitter recently. Anyway, the conclusion is that we audit a little of both, in that we 1) must validate the internal control environment of systems, applications and infrastructure, and 2) to do this effectively (and in part to validate that the control is sustainable) we must also look at the policies, procedures and standards governing the control environment.

I certainly agree with this view, but also feel that we have more to offer. The role of Internal Audit itself has evolved over the past decade, and business is increasingly looking to us for assurance and more value-add. Thus there are other risks that we need to consider and report on, such as strategic risk and governance. IA needs to be closer to the business and follow a risk-based approach. As Mervyn King noted, “Internal Audit needs to move from the back room to the Boardroom”.

Through all of this we as Internal Auditors need to work smarter and closer with other assurance providers. Additionally, in today’s technologically pervasive environment IT Audit has a role to play in assisting the rest of audit to work smarter by harnessing electronic processes. By this I mean that IT Audit can make better use of CAATs and data analytics to improve business process audits (i.e. testing a broader data set and avoiding sampling risk), as well as identifying and testing automated controls, which can free up business auditors to focus on more procedural controls. Controls maintaining the integrity of Management Information, for example, may not always be there to manage a security risk, but can be very important in the context of a business’ strategy and/or Board level reporting.

In summary, I agree that pure IT Audit must include an element of IT Security in the audit, but also that we must innovate and strive to understand more of how the application environment works, and the information that flows through these systems, in order to validate non-security controls that also impact the business’ risk profile.

NEWS: “World IPv6 Day” on June 8 2011

Some of the major Internet players such as Facebook, Yahoo, Google (incl. YouTube) and Akamai are to test access using IPv6 later this year. This is in preparation for the available IPv4 ranges running out in the foreseeable future. The intended outcome of this test is also to raise awareness and to stimulate the usage of IPv6. We haven't seen much adoption since the protocol was developed over a decade ago. It’s going to be a big change (no more remembering four dot-separated numbers as addresses), but probably a necessary evil to sustain our ever-increasing demand for connectivity.

Check out the full story on the Internet Society’s page: http://isoc.org/wp/newsletter/?p=2902

Quote of the month

Security pro Brian Krebs (krebsonsecurity.com) recently wrote an article on an escrow company that is suing its bank after $440k was stolen via cyber theft:

http://krebsonsecurity.com/2010/11/escrow-co-sues-bank-over-440k-cyber-theft/

The issue or control breakdown in this case appears to be that the bank allowed transfers of money to other accounts using only a single password for protection. Krebs provides some useful insight into building security systems for online banking, or indeed any other processes that originate outside of one’s security domain:

“Any security or authentication mechanism that does not start with the assumption that the customer’s system is already compromised by malicious software does not have a prayer of defeating today’s malicious attacks.”

A great quote!