Which of the following is the first step in selecting the appropriate controls to be implemented in a new business application?


The first steps in information security strategic planning in any form of business are risk management and risk evaluation. This is necessarily broad, including business processes, people and physical infrastructure, as well as the information system. The security risk evaluation needs to assess the asset value to predict the impact and consequence of any damages, but it is difficult to apply this approach to systems built using knowledge-based architectures.1 Knowledge-based systems attempt to represent knowledge explicitly via tools, such as ontologies and rules, rather than implicitly via procedural code, the way a conventional computer program does. Professionals usually struggle to give organizations assurance on asset valuation, risk management and control implementation practices because clear, agreed-on models and procedures do not exist. The main objective of this article is to propose simple and applicable models that professionals can use to measure, manage and follow up on assets, risk and control implementation in the organization.

An ISACA Journal volume 5, 2016, article titled “Information Systems Security Audit: An Ontological Framework”2 briefly describes the fundamental concepts (owner, asset, security objectives, vulnerability, threat, attack, risk, control and security audit) and their relationships to the whole security audit activities/process. This article proposes different models that help to measure and implement concepts objectively by using the previously proposed ontological framework and empirical study. The objectives are to identify risk-based auditable areas required to carry out asset valuation and to help measure risk and identification of the existing control gap of the company’s IT assets for regulatory, management and audit purposes.

The previous ontological framework briefly presents concepts hierarchically from asset valuation to control implementation processes for a specific asset based on the summarized steps. This article shows how to take the steps sensibly:

  1. Identify the owner and custody of the asset.
  2. Identify and list information systems assets of the organization. (List all interfacing applications, people, hardware or other containers for each asset.)
    Containers are the places where an information asset or data “lives,” that is, where any type of information asset (data) is stored, transported or processed.3
  3. Identify the security objectives of confidentiality, integrity and availability (CIA) and a weighting of the asset to conduct an impact assessment based upon the criticality of the asset to the operation of the company.
  4. Identify the asset’s security categories and its estimated value.
  5. Determine the threat and vulnerability’s quantitative value and rates.
  6. Estimate the probability of occurrence/likelihood of impact.
  7. Identify existing controls and perform a gap analysis.

Asset Identification, Valuation and Categorization

Identification, valuation and categorization of information systems assets are critical tasks of the process to properly develop and deploy the required security control for the specified IT assets (indicate data and container). Organizations or individuals able to implement security for assets by using this model must first identify and categorize the organization’s IT assets that need to be protected in the security process.

Mapping an information asset (such as data) to all of its critical containers leads to the technology assets, physical records and people that are important to storing, transporting and processing the asset.4 The map of information assets will be used to determine all of the information assets that reside on a specific container. In addition, the value of a container depends on the data that are processed and transported (through the network) or stored (reside) within that specific container. Security audits should look into how the data or information is processed, transferred and stored in a secured manner.5

Risk Assessment and Management

The risk assessment comprises the qualitative assessment and quantitative measurement of individual risk, including the interrelationship of their effects. Risk management constitutes a strategy to avoid losses and use available opportunities or, rather, opportunities potentially arising from risk areas.6 Normally, no single strategy will be able to cover all IT asset risk, but a balanced set of strategies will usually provide the best solutions. Once the risk is identified, it can be evaluated as acceptable or not. If it is acceptable, no further actions are required other than communicating and monitoring the risk, but if the risk is not acceptable, it must be controlled through four separate options of prevention and/or mitigation measures:

  1. Reduce the impact.
  2. Reduce the likelihood.
  3. Transfer the risk (to insurance or a subcontractor).
  4. Avoid the risk (temporarily distancing the target from the threat).

(Figure: potential impact definitions for the CIA security objectives.)

This article discusses risk mitigation strategy based on the CIA security objectives.

The overall objective of this section is to quantitatively measure risk impacts of an organization’s specific IT assets and to propose a proper mitigation strategy. Concepts from the International Organization for Standardization (ISO)/ International Electrotechnical Commission (IEC) ISO/IEC 27001:2013, Information technology—Security techniques—Information security management systems—Requirements,7 and empirical analysis results taken from interviews with professionals are used to illustrate various conclusions and approaches to implementation. Hence, quantitative measurement of risk impact is implemented based on the following formula:

Risk Impact = Potential Risk * Probability of Occurrence

Potential Risk
This could be any type of risk that is conceivable for a business or any risk associated with an action that is possible in certain circumstances. This risk also refers to a threat or damage that may occur on operations of the business. When a business undertakes any operations within a particular industry and in specific markets, it faces potential risk. Risk potential should be estimated without a detailed consideration of the individual risk, at as little expense as possible.8 Potential risk is a product of total asset value, severity of vulnerability and severity of threat:

Potential Risk = Total Asset Value * Severity of Vulnerability * Severity of Threat

Probability of Occurrence
This is an estimate of how often a hazardous event occurs. The likelihood can be expressed in terms of the frequency of occurrence.9 A review of historic events assists with this determination. Each hazard is rated in accordance with the numerical ratings and definitions shown10 in figure 1.

Asset Valuation
This is a method of assessing the worth of the organization’s information system assets based on the CIA security objectives.

Total Asset Value = Asset Value * Weight of Asset

Assumptions for asset valuation include:

  • The value of an asset depends on the sensitivity of data inside the container and their potential impact on CIA.
  • CIA of information will have a minimum value of 1 for each.
  • The values of the levels for CIA are as follows: a rating of 3 is high, 2 is medium and 1 is low.
  • The value of the information asset is determined by the sum of the three (C + I + A) attributes.

Based on the model, it is possible to create a matrix for value of an asset as illustrated in figure 2.


Weight of Asset

From interviews and the author’s practical experience, it can be concluded that the actual value of an asset is determined by the sensitivity value of data in the container. The reason is that all similar containers are not equally important to the organization, and the value of a container is determined by the data it holds, processes or transfers. For example, servers with equal capacity, technology and cost may have different weights due to the data they hold, process or transfer. A database containing employee information may have less value than one containing customer transactions. Equally, data on prominent customers may have more value than data on ordinary/walk-in customers, based on business/organizational objectives.

Therefore, to evaluate the sensitivity of assets, the concept of “weight” or “weighting” was developed, which helps to measure each asset’s value based on the data it holds/processes compared to other assets. To measure the value of the asset’s weight, the rating concepts shown in figure 3 can be used—3 for high, 2 for medium and 1 for low—to show the value of a specific asset as compared to another asset, based on business objectives. This weighting concept is what differentiates this approach to asset valuation.

Therefore, according to the CIA matrix and the weight of an asset model, it is possible to determine the following total asset value using an asset weight matrix table as shown in figure 4.

Asset Categorization

At this stage, the organization should categorize assets in three levels based on the total asset value determined in the total asset matrix table. The category of an asset indicates the level of concern that needs to be given to that asset. Therefore, more security implementation, investment or attention would be given to category I assets (value of the total asset between 20 and 27) than to category II assets (between 12 and 18, inclusive, the highlighted amounts in figure 4) and to category III (value of 10 or less) assets. From figure 4, it can be concluded that the total asset value ranges from 3 (minimum) to 27 (maximum).
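The valuation and categorization model above, implemented as an added example (this is not the article’s own code). It applies the stated formula, total asset value = (C + I + A) * weight with every rating on the 1..3 scale, and the category bands exactly as given (I: 20–27, II: 12–18, III: 10 or less). Beyond the text, it enumerates the whole figure 4 matrix to show which totals the model can actually produce; the two database examples use constructed ratings, not values from the article.

```python
from itertools import product

# Rating scale used throughout the article for C, I, A and the asset weight.
RATING = {"low": 1, "medium": 2, "high": 3}

# Category bands exactly as stated in the text (total asset value).
CATEGORY_BANDS = (("I", 20, 27), ("II", 12, 18), ("III", 3, 10))


def asset_value(c, i, a):
    """Information asset value = C + I + A, each rated 1..3 (article assumption)."""
    for rating in (c, i, a):
        if rating not in (1, 2, 3):
            raise ValueError("each CIA rating must be 1 (low), 2 (medium) or 3 (high)")
    return c + i + a


def total_asset_value(c, i, a, weight):
    """Total Asset Value = Asset Value * Weight of Asset (weight 1..3)."""
    if weight not in (1, 2, 3):
        raise ValueError("weight must be 1 (low), 2 (medium) or 3 (high)")
    return asset_value(c, i, a) * weight


def category(total):
    """Map a total asset value onto category I, II or III using the text's bands."""
    for name, low, high in CATEGORY_BANDS:
        if low <= total <= high:
            return name
    raise ValueError(f"total asset value {total} falls in no category band")


def reachable_totals():
    """Every total asset value the model can actually produce (3..27, with gaps)."""
    return sorted({(c + i + a) * w for c, i, a, w in product((1, 2, 3), repeat=4)})


def unreachable_in_range():
    """Values between 3 and 27 that no CIA/weight combination produces.

    Shows that the gaps between the text's bands (11 and 19) never occur,
    so every reachable total lands in exactly one category.
    """
    reachable = set(reachable_totals())
    return [v for v in range(3, 28) if v not in reachable]


def categorise_all():
    """(C+I+A, weight) -> (total, category): the whole matrix of figure 4."""
    table = {}
    for c, i, a, w in product((1, 2, 3), repeat=4):
        total = (c + i + a) * w
        table[(c + i + a, w)] = (total, category(total))
    return table


if __name__ == "__main__":
    # Constructed sample ratings for the two databases the text contrasts.
    customer_tx = total_asset_value(RATING["high"], RATING["high"], RATING["medium"], RATING["high"])
    employee_db = total_asset_value(RATING["high"], RATING["medium"], RATING["medium"], RATING["medium"])
    print("customer transactions:", customer_tx, category(customer_tx))  # 24 I
    print("employee information:", employee_db, category(employee_db))    # 14 II
    print("totals the model can never produce:", unreachable_in_range())
```

Running the script shows that the only totals between the bands (11 and 19) cannot arise from any combination of ratings, so the bands in the text are complete even though they are not contiguous.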

Vulnerability and Threat Assessment and Rating Methodology

The presence of vulnerability does not in itself cause harm; vulnerability is merely a condition or a set of conditions that could allow assets to be harmed by an attack.11 When a vulnerability is exploited by a threat, it increases the likelihood of attack and leads to risk.12 Vulnerability rating gives an indication or opportunity to see the weakness inherent or residing in the information assets of the organization.

Vulnerability and threat valuation assumptions include:

  • The same 1 to 3 rating scale will be used, in which a specific vulnerability or threat rated as high is assigned a 3, medium a 2 and low a 1 (figure 5).
  • The severity of the threat and the vulnerability is graded as very low (1), low (2), medium (3), high (4) and very high (5) (figure 6).

Vulnerability Rating Factors

Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw.13

Susceptibility simply measures the effort required to successfully exploit a given weakness. For example, fire is a threat. Poor fire prevention standards, poorly managed flammable liquids and poor circuit insulation are some of the weaknesses (vulnerabilities) or factors that allow the fire threat to happen and cause damage.

Exposure (attacker access to the flaw) is the potential exposure to loss resulting from the occurrence of one or more threat events. It may be disseminated across other system components. Figure 5 depicts a model to rate the susceptibility and exposure of a flaw or vulnerability of an asset.

To measure the overall value of the severity of a vulnerability, the combination of the value of susceptibility and exposure rating must first be decided, as shown in figure 7. (Note: This rating table is similarly used for threat factors [impact and capability rating] in the following threat assessment section.)

Threats Assessment and Rating Methodology

A general list of threats should be compiled, which is then reviewed by those most knowledgeable about the system, organization or industry to identify those threats that apply to the system.14 Each threat is derived from a specific vulnerability, rather than identifying threats generally without considering vulnerability. Measuring the value of a threat depends on the rating value of its impact and capability. Impacts are a forceful consequence or a strong effect of the launch of a threat on the business.

Capability is a measure of a threat agent’s ability (including the level of effort required) to successfully attack an asset by exploiting its vulnerabilities, e.g., the threat agent’s technical ability, knowledge and available material to exploit the vulnerability.

As with the vulnerability measurement elements (susceptibility and exposure), the ratings of capability and impact should be considered for threat measurement. Figure 8 shows how to use capability and impact for threat ratings.

The model for grading the severity of the threat uses impact and capability of the threat, similar to the severity of vulnerability matrix in figure 6 and figure 7. The only difference is susceptibility and exposure for vulnerabilities are replaced with impact and capability for threat.

Risk Impact Measurement

Risk management is the act of determining what threats the organization faces, analyzing the vulnerabilities to assess the threat level and determining how to deal with the risk.15 Security risk management is a strategy of management to reduce the possible risk from an unacceptable to an acceptable level.16 There are four basic strategies for managing risk: transference, acceptance, avoidance and mitigation.17

Risk assessment requires individuals to take charge of the risk management process. Risk assessment is the determination of a quantitative or qualitative estimate of risk related to a well-defined situation and a recognized threat (also called a hazard). Quantitative risk assessment requires calculations of two components of risk: the magnitude of the potential risk and the probability that the loss will occur.18

Risk Impact = Potential Risk * Probability

Probability or Likelihood of Risk

A likelihood assessment estimates the frequency of a threat happening. With this type of assessment, it is necessary to observe the circumstances that will affect the probability of the risk occurring. The likelihood can be expressed in terms of the frequency of occurrence,19 which are depicted in figure 9.

Based on the previously discussed risk analysis concepts, risk mitigation options are acceptable, tolerable and intolerable risk, the values of which follow.

Acceptable risk has a risk impact value of less than 540, which is the product of the maximum asset value (27), low vulnerability value (2), low threat value (2) and the maximum frequency of likelihood (5). The calculation, therefore, is 27*2*2*5=540.

Tolerable risk has a risk impact value ranging from 540 to 1,215, which is the product of the maximum asset value (27), medium vulnerability value and threat value (3 each), and the maximum frequency of likelihood (5). The calculation is 27*3*3*5=1,215. Intolerable risk has a risk impact value greater than 1,215, that is, any risk beyond the tolerable amount of 1,215.20

Control Implementation and Gap Analysis

A common mitigation for a technical security flaw is to implement a patch provided by the vendor. Sometimes the process of determining mitigation strategies is called control analysis.21 Control mechanisms are used to restrain, regulate or reduce vulnerabilities; they can be corrective, detective or preventive.22 It is possible to mitigate a risk by implementing different control techniques, but before implementing a new control, the assessor is responsible for identifying and measuring the existing control and showing the gap from the expected control of an asset.

Assumptions for control valuation include:

  • CIA of information has a minimum valuation of 0.
  • The values of the levels of control implementation for CIA are high (3), medium (2), low (1) and none (0) (figure 10).
  • The value of the control implementation is determined by the sum of the three attributes.

Based on figure 10, a control matrix is presented in figure 11.

Figure 12 shows calculations for existing controls and risk mitigation.

Adding controls to mitigate the risk impact first requires identification of the existing control (the total amount of control measured by adding the value of CIA for each asset), then identification of the possible control (the sum of a control value of CIA derived by considering the maximum technology applied to that specific asset and the conditions to satisfy adoption of that additional control).

The following formulas will calculate the “to be controlled risk” and the “mitigated risk”:

To Be Controlled = Maximum Possible Control – Existing Control

Mitigated Risk = Risk Impact ÷ Existing Control

No organization can ever be 100 percent secure or free of risk. There will always be remaining, or residual, risk. In the first example shown in figure 13, the possible control is equal to the existing control (which is high for CIA). Therefore, the remaining risk, 375, is residual, not mitigated further because it already represents the maximum possible control. As per the risk analysis concepts described in this article, the 375 risk is acceptable because it is less than the maximum acceptable risk level of 540.
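The risk impact, risk classification and control gap chain from the preceding sections, as an added example that is not the article’s own code. It uses the formulas as printed (Potential Risk = Total Asset Value * Severity of Vulnerability * Severity of Threat; Risk Impact = Potential Risk * Probability; To Be Controlled = Maximum Possible Control – Existing Control; Mitigated Risk = Risk Impact ÷ Existing Control) and the thresholds derived in the text (540 and 1,215). Two things are assumptions: figure 7 is not reproduced, so the rule that folds two 1..3 factor ratings onto the 1..5 severity scale is the assumed a + b – 1; and the inputs used to reproduce the 375 of figure 13 (maximum asset value, maximum severities and likelihood, high existing control for all of CIA) are inferred, since the figure itself is not on the page.

```python
# Thresholds derived in the text: 27*2*2*5 and 27*3*3*5.
ACCEPTABLE_BELOW = 27 * 2 * 2 * 5   # 540
TOLERABLE_UPTO = 27 * 3 * 3 * 5     # 1215


def severity(factor_a, factor_b):
    """Fold two 1..3 factor ratings onto the 1..5 severity scale.

    ASSUMPTION: figure 7 is not reproduced, so a + b - 1 is used here; it maps
    (1, 1) to 1 and (3, 3) to 5, the ends of the scale the text describes.
    """
    for r in (factor_a, factor_b):
        if r not in (1, 2, 3):
            raise ValueError("factor ratings must be 1, 2 or 3")
    return factor_a + factor_b - 1


def potential_risk(total_asset_value, vuln_severity, threat_severity):
    """Potential Risk = Total Asset Value * Severity of Vulnerability * Severity of Threat."""
    return total_asset_value * vuln_severity * threat_severity


def risk_impact(potential, probability):
    """Risk Impact = Potential Risk * Probability of Occurrence (rated 1..5)."""
    if probability not in range(1, 6):
        raise ValueError("probability must be rated 1..5")
    return potential * probability


def risk_class(impact):
    """Acceptable (< 540), tolerable (540..1,215) or intolerable (> 1,215)."""
    if impact < ACCEPTABLE_BELOW:
        return "acceptable"
    if impact <= TOLERABLE_UPTO:
        return "tolerable"
    return "intolerable"


def control_value(c, i, a):
    """Existing or possible control = sum of the CIA control levels, each 0..3."""
    for level in (c, i, a):
        if level not in (0, 1, 2, 3):
            raise ValueError("control levels must be 0 (none), 1 (low), 2 (medium) or 3 (high)")
    return c + i + a


def mitigated_risk(impact, existing_control):
    """Mitigated Risk = Risk Impact / Existing Control.

    The printed formula divides by zero when no control exists at all; in that
    case nothing has been mitigated, so the full impact is returned.
    """
    if existing_control == 0:
        return impact
    return impact / existing_control


def assess(total_asset_value, susceptibility, exposure, impact_rating, capability,
           probability, existing_cia, possible_cia):
    """Run the whole chain for one asset and return every intermediate value."""
    vuln = severity(susceptibility, exposure)
    threat = severity(impact_rating, capability)
    impact = risk_impact(potential_risk(total_asset_value, vuln, threat), probability)
    existing = control_value(*existing_cia)
    possible = control_value(*possible_cia)
    remaining = mitigated_risk(impact, existing)
    return {
        "vulnerability_severity": vuln,
        "threat_severity": threat,
        "risk_impact": impact,
        "risk_class": risk_class(impact),
        "existing_control": existing,
        "to_be_controlled": possible - existing,
        "mitigated_risk": remaining,
        "mitigated_class": risk_class(remaining),
        # Residual when no further control is possible (possible == existing).
        "residual": possible == existing,
    }


if __name__ == "__main__":
    # Constructed inputs assumed to reproduce figure 13: asset value 27, all factor
    # ratings high (severity 5), likelihood 5, existing and possible control 9.
    for key, value in assess(27, 3, 3, 3, 3, 5, (3, 3, 3), (3, 3, 3)).items():
        print(f"{key}: {value}")
```

With those inputs the risk impact is 3,375 (intolerable on its own), the control gap is 0, and the mitigated risk is 375, which falls under the 540 acceptable ceiling and is residual because no further control is possible; lowering the existing control to medium (2) for each of CIA leaves a gap of 3 and a mitigated risk of 562.5, which is only tolerable.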

Conclusion

Managing the risk and valuation of an organization’s valuable IT assets is the first and critical stage of information security planning and security control implementation. Objectively measuring concepts like vulnerability, threat, risk impact, mitigated risk and implemented control of an asset is the most difficult task in the process, because subjective judgments during the rating selection (high, low, medium) lack uniformity, and the quality and accuracy of the results depend heavily on the assessors’ professional experience. The models described in this article can minimize error and introduce uniformity in the activities and process results carried out by different individuals/organizations. Generally, information security risk management/evaluation is still a very complex field of research, with a lot of unexplored areas. More research is needed to explore the essentials. Such research could build on the model proposed in this article and perhaps focus on creating mechanical or robotic techniques to implement quantitative measurement, thus avoiding subjective judgments of high, low or medium.

Endnotes

1 Foroughi, F.; “Information Asset Valuation Method for Information Technology Security Risk Assessment,” Proceedings of the World Congress on Engineering 2008, vol. I, www.iaeng.org/publication/WCE2008/WCE2008_pp576-581.pdf
2 Shemlse, G. K.; “Information Systems Security Audit: Ontological Framework,” ISACA Journal Practically Speaking blog, 26 September 2016, https://www.isaca.org/resources/isaca-journal/issues/2016/volume-5/information-systems-security-audit-an-ontological-framework
3 Caralli, R., et al.; “Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process,” Carnegie Mellon University, USA, May 2007, www.sei.cmu.edu/reports/07tr012.pdf
4 Caralli, R. A.; J. F. Stevens; L. R. Young; W. R. Wilson; “Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process,” May 2007, www.sei.cmu.edu/reports/07tr012.pdf
5 Olivia; “Difference Between Information System Audit and Information Security Audit,” DifferenceBetween.com, 16 April 2011, www.differencebetween.com/difference-between-information-system-audit-and-vs-information-security-audit/
6 Op cit, Foroughi
7 Kamat, M.; ISO27k Implementers’ Forum, “Matrices for Asset Valuation and Risk Analysis,” 2009
8 Op cit, Foroughi
9 Ibid.
10 Village of Briarcliff Manor, Disaster Mitigation Act 2000 Hazard Mitigation Plan, New York, USA, July 2007, p. 5–9
11 National Information Assurance Training and Education Center, NIATEC Glossary, USA, http://niatec.info/Glossary.aspx?term=6344&alpha=V
12 Op cit, Shemlse
13 Kiyuna, A.; L. Conyers; Cyberwarfare Source Book, Lulu.com, 14 April 2015, p. 42
14 Elky, S.; “An Introduction to Information System Risk Management,” SANS Institute InfoSec Reading Room, 31 May 2006, www.sans.org/reading_room/whitepapers/auditing/introduction-information-system-risk-management_1204
15 Gregg, M.; CISSP Exam Cram 2, Pearson IT Certification, USA, 2005
16 Op cit, Elky
17 Ibid.
18 RFC 4949, Internet Security Glossary, Version 2, August 2007, https://tools.ietf.org/html/rfc4949
19 Op cit, Kamat
20 Ibid.
21 Op cit, Gregg
22 Ibid.

Shemlse Gebremedhin Kassa, CISA, CEH
Is a systems and IT auditor for United Bank S.C. and a security consultant for MASSK Consulting in Ethiopia. He has a multidisciplinary academic and practicum background in business and IT with more than 10 years of experience in accounting, budgeting, auditing, controlling and security consultancy in the banking and financial industries. Kassa is highly motivated and engaged in IT security projects and research, and he strives to update current systems and IT audit developments to keep up with the dynamically changing world and ever-increasing challenge of cybercrimes and hacking. He has published articles in local and international journals including the ISACA Journal.



Does the recent distributed denial of service (DDoS) attack on Dyn1 officially mark the passing of the Internet of Things (IoT) fear, uncertainty and doubt (FUD) stage, or is this still the beginning of the stage? IoT FUD pertains to IoT vulnerabilities leading to loss of data, service and possibly life. Traditionally, FUD about a security breach or regulatory noncompliance is the primary driver for management to invest in information security. The same FUD applies to IoT security, although it involves multiple variables that need to be considered. The resolve to address IoT device security at various levels—hardware and software, government and enterprise, consumers and services—is widespread. This soaring resolve is primarily due to the sheer quantity of IoT devices that are available and the ease with which these devices can be compromised and converted into thingbots. Thingbots are botnets of infected IoT devices that can be used to launch attacks that are like the Dyn attack, which affected more than one million devices, of which about 96 percent were IoT devices.2, 3

The primary issue is with IoT device hardware, which is manufactured mostly outside of the United States and needs to be regulated.4 The retail industry sector has been the leading adopter of IoT technology because it reaches out directly to numerous customer bases, unlike the health care sector, which does not have benefits that are transparent immediately to the end user and has higher risk.

IoT Security—The Game Plan

The game plan for IoT security provides an overview of the IoT ecosystem and addresses standards, frameworks and regulatory proposals that have developed recently. Figure 1 depicts an IoT ecosystem in which information security forms an integral part.

IoT Standards and Framework Developments
A positive repercussion of the Dyn DDoS attack was the US Department of Homeland Security (DHS) release, in 2016, of principles and guidelines for securing the IoT.5, 6 These guidelines are not legally mandatory, but are definitely a sign of a good start toward IoT device security. Some of these guidelines are well-known mantras to most security professionals in the game:

  • Leverage security from the feasibility phase.
  • Apply security updates, patching and vulnerability management.
  • Follow proven security practices.
  • Prioritize controls based on the magnitude or impact.
  • Provide oversight and proper governance of the IoT.
  • Disconnect the device from the network if there is no absolute business need for it to be connected.

Also in 2016, exemptions to the US Copyright Law were approved that allow independent researchers to be able to hack almost any IoT device.7 Although numerous limitations apply to the exemptions, they were granted for two years. This will help researchers unlock software for their research without any legal implications. The intentions are right, but the impact of this change, positive or negative, is yet to be seen.

The Industrial Internet Consortium, primarily comprised of IoT-related enterprises, rolled out the Industrial Internet Security Framework (IISF), which outlines best practices to assist developers and end users with gauging IoT risk and possibly defending against this risk.8 In early 2017, the US Federal Trade Commission (FTC) announced that it is granting prize money to anyone who develops an innovative tool that detects and protects home devices from software vulnerabilities.9

Another recent development in IoT security is the Sigma Designs S2 security framework, which will be part of every Z-Wave-certified IoT device that is manufactured after March 2017 and is backward-compatible on existing Z-Wave IoT chipsets, making the devices more secure.10

Regulatory Proposals
Cybersecurity researcher and Harvard University lecturer Bruce Schneier recently proposed a more regulated IoT industry in a meeting with two US House of Representatives’ subcommittees—the Subcommittee on Communications and Technology and the Subcommittee on Commerce, Manufacturing and Trade.11 He presented the comparison of the cost versus the incentive and drive for IoT device manufacturers to patch vulnerabilities periodically. Schneier pointed out that most IoT devices provide lower profits and that the more frequently replaced devices, such as smartphones, are patched more often, compared to devices that are seldom replaced, such as thermostats and refrigerators. Smart cars and Blu-ray players fall in between. IoT thermostats and refrigerators that are not likely to be replaced are at a higher risk if they are not patched. If there is no profit or cost benefit for the manufacturer to patch a less frequently replaced product, there is no drive for the manufacturer to patch it regularly; hence, it should be regulated. The other side of this argument is that regulation of the IoT industry would stunt the growth of innovation.

The US Food and Drug Administration (FDA) has been providing some guidance to manufacturers on the best practices to build security into medical devices since October 2014. In December 2016, the FDA added a guide that lists the best ways to secure medical devices after they enter the consumer’s hand, primarily to prevent any harm to patients. The guide also states that IoT device manufacturers need to report to the FDA if the use of a device has resulted, or can result, in any kind of serious harm or the death of a person. Reporting to the FDA is waived only if customers and device users are notified about the vulnerability in the device within 30 days, the device is fixed within 60 days, and this information is shared with the Information Sharing and Analysis Organization (ISAO).12, 13 The premise is somewhat similar to the Office for Civil Rights (OCR) sanctions on US Health Insurance Portability and Accountability Act (HIPAA) violations, but the difference is that the FDA guides are just recommendations and are not legally binding. It is believed that these guides will eventually lead to legislation, as in the case of HIPAA.

More recently, the US Senate Commerce Committee approved the Developing Innovation and Growing the Internet of Things (DIGIT) Act. It is currently waiting on approval from the full senate. The DIGIT Act creates a working group that would focus on the security, privacy and other issues relating to IoT.14

The Game of IoT Security

The number of connected IoT devices is estimated to reach 200 billion by 2020.15 Similarly, it is estimated that approximately 4 billion people will be online by 2020.16 The online exposure increases multifold by 2020 for the simple reason that human-to-machine (H2M) interactions increase along with the machine-to-machine (M2M) interactions.

The IoT Arena
Figure 2 shows a conceptual IoT architecture. The IoT devices fall generally into one of two categories—one type of device interacts with a gateway and the other has a gateway built into the device. The second category of devices includes mostly devices that need to be in constant motion, e.g., smart cars and fitness wearables.

Defense
Defense starts at the chip or hardware level. The hardware on which the IoT device is built forms the basis for a robust and secure IoT device. This is like laying a strong foundation for a house to ensure a stable and sustainable end product.

Device-Manufacturer Level
As shown in figure 1, the chip and hardware of the IoT device is where the life cycle of an IoT device starts and is also the right time to steer the process in the right path.

Hardware
Primary threats to an IoT device at the hardware level are that it can be stolen, physically modified, replaced and cloned. Hardware vulnerability examples include prebuilt weak default passwords or hard-coded credentials and counterfeit integrated circuits.

The nonprofit Internet of Things Security Foundation (IoTSF) aids all IoT manufacturers, vendors and end users to help secure IoT devices.17 Nevertheless, the best countermeasure to combat the hardware vulnerabilities is to regulate the process of manufacturing an IoT device. The manufacturers of IoT devices need to be accountable for not adhering to the appropriate IoT regulatory standards (there are not any standards at the time of this writing), industrial standards and/or guidelines. Today, there are no legal implications for not following the standards, but there can be a pushback at the enterprise level in adopting a substandard IoT device from a manufacturer. This pushback can prevent most hardware vulnerabilities and software weaknesses that may be inherently available in IoT devices. If hardware vulnerabilities are not mitigated, the rest of the controls, methodologies, frameworks, time, resources and investment to make IoT devices secure cannot be effective. Some of the regulations and pushback need to be driven by the respective governments, with assistance from the security community.

Software
Major threats to the software or firmware on IoT devices are that the software can be modified or decompiled to extract credentials and then leveraged to perform DDoS attacks. The vulnerabilities at the software level are:

  • Insecure code
  • Hard-coded default passwords
  • Improper software testing leading to backdoors
  • Absence of strong authentication during M2M, H2M and machine-to-human (M2H) interactions

The Open Web Application Security Project (OWASP) helps IoT manufacturers build secure IoT software and periodically categorizes the top 10 IoT software vulnerabilities.

Enterprise/Network Level
Like other network devices, the most common threats to IoT devices at the enterprise/network level are eavesdropping, man-in-the-middle (MiTM) attacks and bandwidth theft. Three suggested steps to protect against these threats are:18

  1. Identify and inventory the IoT devices in the enterprise and make sure they are integrated into the enterprise asset management program.
  2. Define standards and baselines for the IoT device security based on enterprise policies and standards.
  3. Implement the necessary security controls to mitigate IoT risk.

Segmentation of all of the IoT devices onto a separate network zone is recommended, which makes it easier to quarantine the entire IoT zone in the case of a breach.19 The rest of IT can continue its operations without any major impact.

If segmentation and zoning are not feasible, adopting a software-defined networking (SDN) model is suggested; it not only improves IoT security but also helps to identify the location of a breach.20

Other commonplace controls that need to be implemented for IoT devices are the same controls that apply to most of the IT infrastructure today: two-factor authentication, stronger passwords or key-based authentication.
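The three steps above (inventory, baseline, controls), the separate IoT zone and the authentication controls can be turned into a repeatable compliance check. The following Go program is an added example written for this article, not code from the article or from any of the cited vendors. The inventory rows, the 10.50.0.0/16 IoT zone, the device models and the firmware minimums are all constructed sample data, and the Device and Baseline field names are assumptions made for the example. Each finding it returns is one control that step 3 still has to implement for that device.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// Device is one row of the IoT asset inventory (step 1). The fields are
// assumptions made for this example, not a standard schema.
type Device struct {
	Name            string
	Model           string
	IP              string
	Firmware        string // dotted numeric version reported by the device
	DefaultPassword bool   // vendor default credential still in place
	AuthMethod      string // "password", "key" or "cert"
	InAssetRegister bool   // tracked in the enterprise asset management program
}

// Baseline is the enterprise standard the devices are measured against (step 2).
type Baseline struct {
	IoTZone     *net.IPNet        // the segregated network zone IoT devices must live in
	MinFirmware map[string]string // minimum firmware version per device model
	AllowedAuth map[string]bool   // authentication methods the policy permits
}

// Finding is one deviation from the baseline; the list of findings is the
// work queue for implementing controls (step 3).
type Finding struct {
	Device string
	Issue  string
}

// versionLess reports whether dotted version a is older than b ("1.0.4" < "1.2.0").
func versionLess(a, b string) bool {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) || i < len(bs); i++ {
		var x, y int
		if i < len(as) {
			x, _ = strconv.Atoi(as[i])
		}
		if i < len(bs) {
			y, _ = strconv.Atoi(bs[i])
		}
		if x != y {
			return x < y
		}
	}
	return false
}

// Evaluate compares every inventoried device against the baseline and returns
// the deviations that the control implementation step has to close.
func Evaluate(devs []Device, b Baseline) []Finding {
	var out []Finding
	for _, d := range devs {
		if !d.InAssetRegister {
			out = append(out, Finding{d.Name, "not in the asset management program"})
		}
		if ip := net.ParseIP(d.IP); ip == nil || !b.IoTZone.Contains(ip) {
			out = append(out, Finding{d.Name, "outside the IoT zone " + b.IoTZone.String()})
		}
		if d.DefaultPassword {
			out = append(out, Finding{d.Name, "vendor default password still set"})
		}
		if !b.AllowedAuth[d.AuthMethod] {
			out = append(out, Finding{d.Name, "authentication method not permitted: " + d.AuthMethod})
		}
		if minV, ok := b.MinFirmware[d.Model]; ok && versionLess(d.Firmware, minV) {
			out = append(out, Finding{d.Name, fmt.Sprintf("firmware %s below minimum %s", d.Firmware, minV)})
		}
	}
	return out
}

// SampleInventory returns constructed inventory rows for the demonstration.
func SampleInventory() []Device {
	return []Device{
		{Name: "cam-lobby-01", Model: "camX", IP: "10.50.1.10", Firmware: "2.1.0", AuthMethod: "cert", InAssetRegister: true},
		{Name: "thermostat-07", Model: "thermoY", IP: "10.10.3.22", Firmware: "1.0.4", DefaultPassword: true, AuthMethod: "password"},
		{Name: "printer-fl2", Model: "prtZ", IP: "10.50.1.40", Firmware: "3.2.0", AuthMethod: "key", InAssetRegister: true},
	}
}

// SampleBaseline returns a constructed enterprise baseline for the demonstration.
func SampleBaseline() Baseline {
	_, zone, _ := net.ParseCIDR("10.50.0.0/16")
	return Baseline{
		IoTZone:     zone,
		MinFirmware: map[string]string{"camX": "2.0.0", "thermoY": "1.2.0", "prtZ": "3.0.0"},
		AllowedAuth: map[string]bool{"key": true, "cert": true},
	}
}

func main() {
	for _, f := range Evaluate(SampleInventory(), SampleBaseline()) {
		fmt.Printf("%-14s %s\n", f.Device, f.Issue)
	}
}
```

With the sample data, the camera and the printer pass and the thermostat produces five findings: it is not in the asset register, sits outside the IoT zone, still has the vendor default password, authenticates with a password and runs firmware below the minimum. In practice the inventory would be fed from discovery tooling and the baseline from the enterprise policy, but the shape of the check stays the same.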

It is of paramount importance to realize that the key to having these defense methodologies work as expected is to secure the IoT devices and the network from the day they are introduced into the network. If not, there is a high likelihood that these IoT devices remain hackable forever and can never be patched and secured. If such a rogue IoT device is detected, it should be replaced immediately.21

IoT devices need to be able to carry out a multifactor authentication, e.g., phone the human user/owner of the IoT device, before the user/owner performs the security update.

Public key infrastructure (PKI) authentication for communication between IoT devices and gateways is a recommended countermeasure to prevent an IoT device from being jailbroken to install unauthorized software. Only certified software should be permitted to be installed during upgrades and patching.

Frameworks are being introduced that can help to implement a robust security model for IoT devices. The KeyScaler 5.0 product from Device Authority offers certificate and key provisioning specifically for IoT devices during the registration process.22
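The core of the "only certified software" rule is that the device checks a vendor signature over the update before installing it. The following Go program is an added example written for this article; it is not code from the article, from Device Authority or from KeyScaler, and it simplifies the PKI described above to a single vendor Ed25519 public key pinned into the device at manufacture time instead of a full certificate chain. The manifest format (version, image hash, signature over both) and the throwaway key pair are assumptions constructed for the example. Binding the version into the signed bytes lets the device also refuse a downgrade to an older, signed but vulnerable release.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is the assumed update package metadata: the firmware version, the
// SHA-256 of the image and the vendor's signature over both.
type Manifest struct {
	Version   uint32
	ImageHash [sha256.Size]byte
	Signature []byte
}

// signedBytes is the exact byte string the vendor signs: version || image hash.
func signedBytes(version uint32, h [sha256.Size]byte) []byte {
	msg := make([]byte, 4, 4+len(h))
	binary.BigEndian.PutUint32(msg, version)
	return append(msg, h[:]...)
}

// SignFirmware runs on the vendor side with the release signing key.
func SignFirmware(priv ed25519.PrivateKey, version uint32, image []byte) Manifest {
	h := sha256.Sum256(image)
	return Manifest{Version: version, ImageHash: h, Signature: ed25519.Sign(priv, signedBytes(version, h))}
}

// VerifyFirmware runs on the device before anything is written to flash. The
// vendor public key is pinned into the device at manufacture time, so only
// images the vendor actually released pass. installed is the running version.
func VerifyFirmware(pub ed25519.PublicKey, installed uint32, m Manifest, image []byte) error {
	if !ed25519.Verify(pub, signedBytes(m.Version, m.ImageHash), m.Signature) {
		return errors.New("manifest signature invalid: not vendor-certified software")
	}
	if sha256.Sum256(image) != m.ImageHash {
		return errors.New("image does not match the signed manifest")
	}
	if m.Version <= installed {
		return fmt.Errorf("version %d is not newer than installed %d: rollback refused", m.Version, installed)
	}
	return nil
}

// Demo generates a throwaway vendor key pair (constructed for this example; a
// real release key would live in an HSM) and exercises the three outcomes the
// device must distinguish: genuine update, tampered image, rollback attempt.
func Demo() (genuineOK, tamperedOK, rollbackOK bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	image := []byte("constructed firmware image bytes, release 2")
	m := SignFirmware(priv, 2, image)

	genuineOK = VerifyFirmware(pub, 1, m, image) == nil // 1 -> 2, untouched image
	tampered := append([]byte(nil), image...)
	tampered[0] ^= 0xff // one flipped byte in the image
	tamperedOK = VerifyFirmware(pub, 1, m, tampered) == nil
	rollbackOK = VerifyFirmware(pub, 2, m, image) == nil // device already runs 2
	return genuineOK, tamperedOK, rollbackOK
}

func main() {
	g, t, r := Demo()
	fmt.Printf("genuine accepted=%v tampered accepted=%v rollback accepted=%v\n", g, t, r)
}
```

Only the genuine update is accepted; the tampered image fails the hash check and the re-install of the already running version is refused as a rollback. Note that the public key is the only secret-free material the device needs, so extracting it from a decompiled firmware image (the threat named under Software above) gives an attacker nothing they can sign with.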

Offense
The best defense always starts with a good offense. Early detection and real-time prevention of attacks are the priority for security teams and have become the new mantra. Many recent breaches occurred months or, in some instances, years (e.g., the Yahoo breach) before they were detected and response processes began.23

Testing
Quality testing of IoT software is altogether different from traditional software testing. Autonomy, connectivity and momentum are the three factors that make IoT software-quality testing different from traditional software testing.24 The concept that security is a process and not an add-on feature is well known. IoT software testing for weak passwords, buffer overflow vulnerabilities, etc., must follow OWASP best practices. IoT devices should also be tested for vulnerabilities on their universal serial bus (USB) ports. The key is to reduce the attack surface of the IoT device to the maximum extent possible. Additionally, like any other IT system that is close to the Internet, one should store, transmit and process only the minimum amount of sensitive information.25

IoT Risk Management
Forescout categorizes IoT devices into three levels:

  • Disastrous—IP-connected devices that are hooked directly to the Internet are at high risk. They can cause damage to the enterprise by gaining access to sensitive information or cause critical infrastructure impairment.
  • Disruptive—Interconnected systems, such as the voice over Internet protocol (VoIP) phones and printers, can result in disruption in business operations.
  • Damaging—Devices such as smart bulbs and refrigerators can be used to snoop around the enterprise network to possibly gain access to metadata about the network.26

FDA guidance recommends that device manufacturers form or join an information sharing and analysis organization (ISAO), which is similar to the information sharing and analysis centers that exist today. An ISAO can help participating organizations by sharing emerging security threats and risk in real time and devising appropriate responses in a timely manner.

Analytics and Detection
Recent advances in data analytics improve the actionable intelligence available to security teams. Products such as Adaptive Defense not only provide security teams with information on the executables that enter the network, but also proactively confirm an incident rather than just alerting on all suspicious events.27 PatternEx combines artificial intelligence (AI) with analyst intuition to offer a threat prediction platform that detects current and emerging threats in real time across the enterprise. This will and should be the trend going forward, especially given limited resources and analysts, the need for continuous monitoring, constrained security budgets, and more devices being added to the network that create still more ways to get hacked. Once an intrusion has been detected, determining the point at which it actually happened is key. AI can, hopefully, soon reduce the time and resources needed to detect an intrusion.

Team IoT Governance

The risk of an insecure IoT device is relative to the domain in which it is operated and the jurisdiction in which it thrives. For example, privacy is at utmost risk when the device handles protected health information (PHI), compared to when it is in an industrial setup, in which the infrastructure or services are at risk. The geography of where the IoT device operates also matters because the legal and regulatory bindings can differ from place to place. The governance of IoT devices needs to be handled separately, but under the IT governance umbrella. The four critical success factors that contribute to an effective IoT project are an efficient IoT project management team, a project stakeholder who has the authority to drive the IoT project, a data and telecommunication infrastructure to support IoT, and subject matter experts to maintain high data quality and handle integration issues.28

At a project-management level, the eight steps29 that can help enterprises to put in place a sustainable IoT security program are:

  1. Identify information
  2. Prioritize the devices
  3. Evaluate data loss risk
  4. Evaluate IoT access risk
  5. Perform IoT incident response planning
  6. Formulate a big data strategy to manage the vast amount of IoT data generated
  7. Devise policies for privacy of sensor data
  8. Protect IoT devices

Conclusion

The IoT footprint will vary in size based on the industry vertical. As enterprises move forward on the IoT bandwagon to be more profitable and to be able to reach out to an extended customer base, they need to have in place an IoT strategy that encompasses the entire IoT device life cycle (from procurement to end of life). Enterprises need to build an IoT risk strategy that evaluates and manages risk. Consider IoT as part of the overall security and risk management portfolio and have a dedicated focus on continuously evaluating and monitoring IoT risk. Early adoption of security into the IoT device life cycle, at the hardware and software level, is the best practice.

The FUD factor mentioned earlier will continue to drive management to invest in information security and, more specifically, IoT security in the near future, at least until the risk of breaches reduces.

Endnotes

1 York, K.; “Dyn Statement on 10/21/2016 DDoS Attack,” Oracle, 22 October 2016, http://dyn.com/blog/dyn-statement-on-10212016-ddos-attack/
2 Ibid.
3 Martin, C.; “U.S. to Issue IoT Principles After Internet Cyberattack,” MediaPost, 26 October 2016, www.mediapost.com/publications/article/287614/us-to-issue-iot-principles-after-internet-cybera.html
4 Atluri, I.; “The Rewards and Risks of Our Smarter Future,” InfoSecurity Professional, International Information Systems Security Certification Consortium, Inc. November/December 2014, www.isc2.org/uploadedfiles/(isc)2_member_content/member_resources/infosecurity_professional_magazine/infosecurity-professional-magazine-nov-dec-2014.pdf
5 Op cit, Martin
6 Martin, C.; “U.S. Issues Guidelines for IoT Security,” MediaPost, 18 November 2016, www.mediapost.com/publications/article/289288/us-issues-guidelines-for-iot-security.html
7 Armerding, T.; “Feds Provide Legal Loophole to Hacking IoT Devices,” CSO, 28 November 2016, www.csoonline.com/article/3144648/internet-of-things/feds-provide-legal-loophole-to-hacking-iot-devices.html
8 Lawson, S.; “Industrial IoT Inches Toward Consensus on Security,” ComputerWorld, 19 September 2016, www.computerworld.com/article/3122244/internet-of-things/industrial-iot-inches-toward-consensus-on-security.html
9 Federal Trade Commission, “FTC Announces Internet of Things Challenge to Combat Security Vulnerabilities in Home Devices,” USA, 4 January 2017, www.ftc.gov/news-events/press-releases/2017/01/ftc-announces-internet-things-challenge-combat-security
10 Zurier, S.; “Z-Wave Alliance Ups IoT Security,” SC MEDIA, 12 December 2016
11 Gross, G.; “US Lawmakers Balk at Call for IoT Security Regulations,” CSO, 16 November 2016, www.csoonline.com/article/3141920/security/us-lawmakers-balk-at-call-for-iot-security-regulations.html
12 CNBC, “New Cybersecurity Guidelines for Medical Devices Tackle Evolving Threats,” The Verge, 29 December 2016, www.cnbc.com/2016/12/29/new-cybersecurity-guidelines-for-medical-devices-tackle-evolving-threats.html
13 Food and Drug Administration, “Postmarket Management of Cybersecurity in Medical Devices: Guidance for Industry and Food and Drug Administration Staff,” USA, 28 December 2016, www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM482022.pdf
14 Zurier, S.; “No Clear Policy,” SCMagazine, March 2017, https://media.scmagazine.com/documents/287/0317_digital_edition_71636.pdf
15 Sun, L.; “IoT Stocks: What to Watch in 2017,” The Motley Fool, 23 November 2016, www.fool.com/investing/2016/11/23/iot-stocks-what-to-watch-in-2017.aspx
16 Microsoft Secure Blog Staff, “The Emerging Era of Cyber Defense and Cybercrime,” Microsoft Secure Blog, 27 January 2016, http://blogs.microsoft.com/microsoftsecure/2016/01/27/the-emerging-era-of-cyber-defense-and-cybercrime/
17 Dickson, B.; “Why IoT Security Is So Critical,” TechCrunch, 24 October 2015, https://techcrunch.com/2015/10/24/why-iot-security-is-so-critical/
18 Moyle, E.; “Three Steps to Better Security in IoT Devices,” TechTarget, July 2016, http://internetofthingsagenda.techtarget.com/tip/Three-steps-to-better-IoT-device-security-in-the-enterprise
19 Kerravala, Z.; “How Network Segmentation Provides a Path to IoT Security,” NetworkWorld, 17 December 2015, www.networkworld.com/article/3016565/security/how-network-segmentation-provides-a-path-to-iot-security.html
20 D’Abreo, C.; “What CIOs Need to Know About IoT and Security Risks,” Masergy Blog, 21 October 2015, www.masergy.com/blog/what-cios-need-know-about-iot-and-security-risks
21 SecureRF, “Why Dyn Suffered a DDoS Attack and How Consumer IoT Device Security Vulnerabilities Can Be Addressed,” 23 October 2016
22 Stephenson, P.; “Access Control,” SC Magazine, 14 December 2016
23 Cross, K.; “This Is the New Reality for Cyber Security: Accept That Hackers Will Get In,” MarketWatch, 10 December 2016, www.marketwatch.com/story/this-is-the-new-reality-for-cyber-security-accept-that-hackers-will-get-in-2016-12-09
24 Lawton, G.; C. McKenzie; S. Raman; “IoT Applications Pose New Problems for Developers,” TechTarget, February 2016, http://internetofthingsagenda.techtarget.com/ehandbook/IoT-applications-pose-new-problems-for-developers
25 Sullivan, D.; J. Sullivan; “IoT Security Testing: Cover All Your Bases,” TechTarget, May 2016, http://internetofthingsagenda.techtarget.com/feature/IoT-security-testing-Cover-all-your-bases
26 ForeScout Technologies, Inc., How Hackable Is Your Smart Enterprise?, USA, 2016, https://www.forescout.com/wp-content/uploads/2016/10/iot-enterprise-risk-report.pdf
27 Zurier, S.; “When It Comes to IoT, More Security Is Needed,” SC Magazine, 12 December 2016
28 Schulz, Y.; “Critical Success Factors for IoT Projects,” ITWorldCanada Blog, 25 June 2015, www.itworldcanada.com/blog/critical-success-factors-for-iot-projects/375399
29 O’Donnell, L.; “8 Strategic Steps for Long-Term IoT Security,” ITbestofbreed.com, 20 March 2015, www.itbestofbreed.com/slide-shows/8-strategic-steps-long-term-iot-security/page/0/2

Indrajit Atluri, CRISC, CISM, CEH, CISSP, CSSLP, HCISPP, ITILv3
Is a cyber security professional with expertise in IT governance, risk management and compliance. His current focus areas include security of emerging technologies, such as the Internet of Things, big data and security analytics, and their implications on information risk and privacy. Atluri is associated with the information security firm Secur80. He can be reached at .



Author: ISACA | Reviewed by Sunil Bakshi, CISA, CRISC, CISM, CGEIT, ABCI, AMIIB, BS 25999 LI, CEH, CISSP, ISO 27001 LA, MCA, PMP
Date Published: 1 May 2017

Organizations today are concerned about information security primarily due to the fact that the type and nature of attacks are undergoing a lot of changes that make them difficult to detect and prevent. One example is targeted attacks. A targeted attack is a combination of multiple attacks faced earlier by organizations with a focus on stealing information or sabotaging the operations of the targeted organization, and which is difficult to detect. To help address this threat, ISACA has issued Responding to Targeted Cyberattacks with experts from Ernst and Young, as an initiative under ISACA’s Cybersecurity Nexus (CSX) program.

This 88-page book is divided into six chapters and two appendices. The chapters follow the natural sequence of cyber security activities; after an introduction, there follow chapters on preparation, investigation, eradication, post-eradication and conclusion. The appendices include questions relating to other issues that the investigation team should address and tools required for investigations.

This book is useful for security professionals, consultants and students pursuing cyber security as it provides guidance for identifying/detecting, responding and eradicating targeted cyberattacks. Information systems (IS) auditors can use this book to understand what they should be looking for while performing an IS audit to assess the preparedness of the auditee to respond to targeted cyberattacks.

Chapter one introduces the changing landscape of cyberattacks, covering the life cycle of targeted attacks and advanced persistent threats (APT). Organizations require this information to understand the nature of attacks and plan for investigations.

The book then describes the basics of information security that are required to detect and respond to targeted attacks. Early detection helps in controlling the spread of an attack and the damage due to an attack. The basics of information security include risk management, asset management, incident management, emergency response management and building intelligence.

The third chapter covers conducting investigations of security breaches and references the incident response life cycle. The chapter also addresses the focus of investigation and evidence collection for forensic requirements. It emphasizes getting answers to who attacked, determining how the attack might have happened, and identifying the spread and objectives of the attack.

The fourth chapter discusses eradicating an incident and the need to do so more efficiently and faster to prevent the attacker from reestablishing the attack. The chapter offers a great deal of detail on eradication planning and executing the plan with precision.

The next chapter discusses post-eradication activities, e.g., monitoring for reentry, verifying and strengthening controls, and documenting lessons learned. It also emphasizes the possibility of making relevant changes to the strategic plan (if required).

The book concludes by emphasizing the importance of being prepared to respond to cyberattacks. Appendix A provides a useful questionnaire for the investigation team.

Although small in size, the book addresses the current security threat of targeted attacks and guides readers in preparing to detect and respond to these attacks.

Editor’s Note

Responding to Targeted Cyberattacks is available from the ISACA Bookstore. For information, visit www.isaca.org/bookstore, contact Support or telephone +1.847.660.5650.

Reviewed by Sunil Bakshi, CISA, CRISC, CISM, CGEIT, ABCI, AMIIB, BS 25999 LI, CEH, CISSP, ISO 27001 LA, MCA, PMP
Visiting faculty and industry expert at the National Institute of Business Management (India) and a consultant and trainer in IT governance and information security.