Welcome to a new ISACA® Year! Your new Board of Directors is in place and has exciting plans for this fiscal year. We already have the September meeting under our belt - wasn't that a wonderful event! Thanks to all who work to make these meetings happen. Building on our success of previous years and the honor of receiving the K. Wayne Snipes award, we are eager to serve you, the members, with events to meet your needs. In addition to our Monthly Meetings, which will usually include a Pre and Post meeting, we are planning Certification Review Sessions, Seminars, as well as Joint Events with other audit and security minded groups. Stay tuned for information on some evening Networking Events, a time for kicking back and having some fun after a hard day's work.
Our Chapter Website is the source for all current information. We welcome feedback and suggestions on the site and all events. Feel free to contact me or any of the board members. We are here for you! Thanks and Take Care, Sue Pagel, CISA, CSOX
October 8, 2009 - Meeting Agenda
Our meeting on October 8, 2009 is joint with the Dallas ACFE (Association of Certified Fraud Examiners) Chapter. These are the outstanding speakers and topics scheduled:
Pre-Luncheon Session - 10:30 AM - 11:20 AM
A focus on the aspect of eDiscovery that a CFE or other investigator would most likely be involved with. More and more companies are involved in large scale eDiscovery requests for litigation and fraud investigations. These requests frequently call upon a wide range of skilled personnel within the company to comply with the court ordered requests for information. This presentation will focus on the differences in evidence collection methods and techniques for civil litigation versus fraud investigation. After this presentation, the attendee will be better able to recognize these differences and tailor an appropriate response to electronic data collection for eDiscovery. A total of 1.0 CPE credits will be awarded.

Luncheon Session - 11:30 AM - 1:30 PM
Technology has helped us become more productive, it has enhanced our media experience through digitizing movies and audio, and it keeps us safe; but it has always been our "big brother". This presentation will discuss how data is digitally stored, managed, collected and analyzed in response to questionable activity and/or to determine the root cause of technical issues. A total of 1.0 CPE credits will be awarded.

Post-Luncheon Session - 1:40 PM - 2:30 PM
Computers are becoming increasingly important in many types of crimes. Computers are used by almost every company and most individuals have computers in their homes. Special Agent Covey will discuss the types of crimes that the FBI has been investigating recently and how computers played a part in these schemes. A total of 1.0 CPE credits will be awarded.
For details and to register, go to ISACA October 8, 2009 - Registration.
At each monthly meeting, we have a gift card drawing following the luncheon presentation, where we give away four $50 gift cards to popular merchants in the area. The most requested are Home Depot, Lowe's, Macy's, Nordstrom and Best Buy.
To be eligible for the drawing, you must have checked in and paid at the registration table prior to the luncheon and be present at the time of the drawing. Walk-ins who have paid and registered are also included in the drawing. We let the speaker draw the names from the basket to ensure objectivity, and the lucky winners are subsequently photographed for posterity.
The next winner could be you!
September 2009 Luncheon Winners
Michele Curry, Barry Selby, Rhett Staehling, Cheryl McKay-Dorrell
Tracy Durham, CISA, CSM, ASM
Your local ISACA® Board recognizes that, with our economy where it is today and rising unemployment rates, we have members looking for the "Next Great Opportunity". At the same time, we recognize that there are firms and recruiters searching for the kind of talent available within our local Chapter.
So, to help bring jobs and job seekers together expeditiously, the Board has agreed to eliminate all monthly fees for the posting of positions, through the end of 2009. Members can then examine the available positions on the ISACANTX.ORG job board at http://www.isacantx.org/index.cfm/Job_Postings.
Our members already had the option of posting available job openings at no charge, but for the next few months, non-member organizations and job recruiters will have the same privilege - to post their relevant jobs FOR FREE. This is a win-win for all concerned: employers, recruiters, job candidates and our ISACA® chapter. All we ask is that you put the system to work as quickly as possible. Get Those Jobs Posted.
All that is required to post a position available at your company is a quick email to jobs@isacantx.org. Just include a completed Job Posting Template. Each job posting will be displayed for one month and can be reposted again or removed at any time by request. Also, the posted job descriptions will be printed and available to interested members at the registration table at our monthly chapter meeting.
Interested in positions outside the DFW area, even world-wide? ISACA® International maintains a Career Centre that hosts hundreds of available opportunities. Just select Career Centre from the left-hand menu options at www.isaca.org.
Bryan Plantes
Fall 2009 Review Courses: CISA & CISM
Providing a real boost to your chances of passing the CISA or CISM exam on December 12, 2009, we will shortly launch our exam review courses, just as we have done over the past 20+ years. It's our hallmark effort to help our members elevate their professional posture, especially in this tough economy.
To be honest, both exams, CISA & CISM, are difficult - 200 questions in four hours, with a required passing score of 75%. You have to fully prepare yourself intellectually, physically and psychologically to win.
You must win, and we can help.
Our seasoned instructors will touch on the most important concepts, practices and technologies, plus share with you those battle-field tested skills that make you more competent, comfortable and confident to pass these exams and gain the prestigious credentials you have sought for so long.
CISA review class: Four Saturdays - October 31; November 7, 14 and 21.
CISM review class: Three Saturdays - October 31; November 7 and 14.
Location: UT Dallas, School of Management, Richardson, TX
We expect you will have already studied the official 2009 ISACA® CISA/CISM Review Manual before our kickoff day of October 31, 2009. If you do your part to study hard, and we do our part to review smartly, past experience has shown this combination to work very well.
Optional, but strongly recommended, is to study using the practice questions CD (version 9) for CISA or CISM. This is your simulated battlefield.
We not only provide excellent nourishment for your mind during the class, but also food for your body during our training sessions (breakfast, lunch, snacks and drinks are included), so you can better focus on these intensive review classes.
In addition, you will earn 28 CPE points for the CISA course, and 24 points for the CISM course. At a cost as low as $9.00 per CPE hour, some attend for the CPE credits alone, without planning to take the exam.
All this for only $300 for non-members, or a preferred price of $250 for ISACA members. This is an unmatched value, pleasantly offered by a crew of local chapter volunteers.
Seats are limited, so please register early! The last day to register for these Review Courses is October 28, 2009.
For registration details, please visit www.isacantx.org.
If you have any questions, please contact us at certification@isacantx.org.
Robin Rong, CISM, CISA, CISSP, OCP, LTCP, FLMI, HIPAAP, HCAFA, AFSI, PCS, ARA
ISACA International provides a monthly newsletter to chapter leadership and encourages us to communicate any pertinent content to our membership. Below are a few key excerpts from the September 2009 issue:
December Exam Registration and Changes
The final registration deadline for the 12 December 2009 CISA, CISM and CGEIT exams has been extended to October 7th, 5:00 PM Central Time. To view details on the exams, please visit www.isaca.org/cisaboi, www.isaca.org/cismboi or www.isaca.org/cgeitboi.
Registration is available at www.isaca.org/examreg.
For those already registered, changes to registration information such as exam site or language are free until 10 October 2009. US $50 will be charged for all changes to exam registration information received between 10 October and 16 October 2009. No changes will be accepted after 16 October 2009. Please direct candidates to contact exam@isaca.org with any questions or change requests.
Candidates unable to take the exam may request a deferral of their registration fees to the next exam date. Deferral requests received on or before 16 October 2009 will be charged a US $50 processing fee. From 17 October through 25 November 2009, a US $100 fee will be charged. No deferrals will be accepted after 25 November 2009.
July Certifications
Worldwide, in July 2009, 335 Certified Information Systems Auditor (CISA), 146 Certified Information Security Manager (CISM) and seven Certified in the Governance of Enterprise IT (CGEIT) candidates were awarded certification.
ISACA International's Calendar of Events
October:
14-16 October........... IT Governance, Risk and Compliance Conference, Henderson, Nevada, USA
November:
2-6 November........... ISACA Training Week, San Francisco, California, USA
9-11 November......... Information Security and Risk Management Conference, Amsterdam, The Netherlands
Attendees can immerse themselves in an environment that stimulates learning and provides networking opportunities with an unmatched group of peers at the Information Security and Risk Management Conference. This conference is an adaptation of the Network Security Conference and the Information Security Management Conference, combining elements of each to be an all-encompassing security event. The content-rich sessions explore and discuss new research from ISACA, including the Business Model for Information Security and Risk IT. Plus, this year, the Information Security Management Forum is integrated into the conference, featured as special, interactive sessions throughout the conference streams. Attendees can earn up to 32 continuing professional education (CPE) hours - 18 for attending the conference and seven for each day of the optional preconference workshops. For more information on this conference or to register, please visit www.isaca.org/isrmc.
2010:
21-24 March 2010........ European Computer Audit, Control and Security (EuroCACS) Conference, Budapest, Hungary
22-26 March 2010........ ISACA Training Week, Dallas, Texas, USA
ISACA International has announced that online renewals are now available for the upcoming year - 2010! Members requested that the opportunity to renew be made available earlier than normal to take advantage of available existing corporate funds.
2010 promises to be a very exciting year, with the debut of a completely updated and dynamic ISACA.org web site where you can strengthen your professional knowledge and connections.
Get a jump on 2010 and ensure your member benefits continue uninterrupted through 31 December 2010 - Renew today! (Payment may be submitted now while any CPE reporting requirements can be met over the coming months. Please note, your certification is not renewed until payment is received and the required number of CPE hours is reported, if any.)
CGEIT maintenance fees will not be payable online until 19 October 2009. However you can remit all other fees now and return later to process your CGEIT renewal.
To renew online, simply and securely, please login to www.isaca.org with your personalized login credentials. This will place you within "My ISACA" where a link to "My Renewals" is provided in the left-hand navigation menu. You will also have the opportunity to renew your certification during this process. For login assistance, please visit www.isaca.org/login.
Below is a library listing of links to resources for continuing education credits (CPE) and other useful sources of information related to Information Systems auditing, security and privacy.
ISACA® International provides numerous online webcasts that include CPEs. Please note you will need to create an account and log in to watch the presentations. (3 CPE credits a month)
http://www.isaca.org/Content/NavigationMenu/Members_and_Leaders1/Events3/Webcasts/ISACA_e-symposia_and_Webcasts.htm
For its members, (ISC)2 certifies Certified Information Systems Security Professional (CISSP) and related concentrations, Systems Security Certified Practitioner (SSCP) and others. (ISC)2 provides several sources of free and low-cost CPE.
Login at http://www.isc2.org/ and go to the "CPEs" tab for lots of great CPE ideas.
The NIST Computer Security Resource Center (CSRC) gives information on security and links to government publications such as the NIST Special Publications.
http://csrc.nist.gov/
This site is created and maintained by the Defense Information Systems Agency (DISA) and hosts the Security Technical Implementation Guides (STIGs), useful baseline checklists for configuring systems. Additionally, it is a fun site to look around.
http://iase.disa.mil/stigs/
SANS webcasts are live web broadcasts that allow you to listen to a knowledgeable speaker while viewing presentation slides that you download in advance. You need a SANS Portal account. If you don't have one, just go to the SANS Portal page and fill in the simple registration form; it's free. Webcasts are also archived for later review as desired. http://www.sans.org/webcasts/faq.php
KnowledgeLeader (www.knowledgeleader.com) is an online resource for internal audit, IT audit and business risk management professionals. The site is updated weekly with new articles on hot topics and new tools to help you manage your organization's risks. It is not a free tool, but it offers a 30-day trial period.
These are Open Study Guide web sites that provide resources for people working toward leading information security certifications (CISSP, SSCP, CISM, CISA or GCFW). Here you will find free CISA and CISSP practice exams, as well as discussion forums on various topics where people share their experiences. Free to join, but registration is required. (http://www.freepracticetests.org/quiz/quiz.php)
Your North Texas ISACA® chapter plans to continue building on to this library list of valuable sources by welcoming every chapter member's participation. Please forward any suggestions for additional resource links to us at communications@isacantx.org. A brief explanation of the benefits provided by the site would be appreciated as well.
"The ISACA North Texas Chapter presents the above websites as technical references for use in promoting continuing education, essential for all chapter members and professionals. Please be aware that our chapter, officers and/or members do not endorse any of the websites."
Iddah Wangondu, CISA, GSNA, CIA
Cyber Criminals Gaining Support by Overseas Operations
by Gordon Smith, President and CEO of Canaudit
I am very concerned about recent cyber incidents. There has definitely been an uptick in incidents, with new incidents reported daily. Even more interesting, the increase is in organized attacks and scams rather than single hacker-type attacks. These broad-based attacks have been around for years, increasing with the invention of bot armies (PCs that are compromised, backdoored, and available to attack sites in concert). These attacks have reached a fever pitch as new scams have been developed and executed against poorly controlled American businesses. The most detailed report I have seen regarding one of these newer attacks appeared in the Washington Post on July 2, 2009 (see article here).
The article details how cyber criminals engineered a scam to create wire transfers from a Bullitt County, Kentucky bank account. The cyber thieves used spyware to capture the accounts and passwords. They then changed the email address used by the bank to confirm wire transfers. After this was complete, they proceeded to steal $415,000. The interesting part of this case is that they "hired" unsuspecting people, using online employment sites, to receive the fraudulent transfer and forward it to overseas banks. The Washington Post article does an excellent job of describing the mechanism for this fraud. It is, to say the least, quite a bold scheme. My concern as an auditor is that this fraud indicates the need for additional client-side controls, which are currently missing from many applications. In addition, we need new controls such as automated scrutiny of online transactions.
This scheme was able to work because the client machine was trojaned. Popular opinion is that the client must absorb the risk. In this case, I believe that the bank, First Federal Savings Bank, could be impacted by the bad publicity related to the incident (see story here). The reputational risk is such that we now need to reach out to our clients to ensure that their machines and the applications on their machines are safe to connect to our network.
I would like to dig a little deeper. Let us look to other areas where new fraud puts organizations at risk. My first thought is the growing number of people who work from home. They may work from home full-time, one or two days a week, or sporadically. They may use corporate or personal machines. If they are using corporate machines, one would expect the machines are protected with anti-malware software to protect against viruses, trojans and other malicious software. I am also very concerned about staff using their home computers to log in to their work email. I know that many people do not have anti-virus/malware software on their machines. Others have installed the software but stopped paying for the updates necessary to keep it current. As a result, their machines are at risk. Each time they visit a web site or open an email they may inadvertently load a keystroke logger onto their machines. When they log into the VPN or webmail application, their login credentials may be compromised.
If staff members are logging into a VPN, remember that they may have access to the internal network. If their home machine is backdoored, trojaned, or has an unauthorized keystroke logger installed, the cyber criminals may be able to log in to the VPN and have access to the internal network and the devices, files and databases within it. Once they have the credentials to log in to the VPN, criminals can log themselves in to capture data or take control of corporate machines for use as part of a broad-based attack on our national information infrastructure (covered later in this article).
Some of our clients require two-factor authentication. Those using tokens and other external devices, such as smart cards, to log in should still be protected if the account and password are compromised, with one caveat: malware on the client can still act inside the session once the user has authenticated, so the token protects the credential rather than the session. Those using digital certificates may not be so lucky. Once the cyber thief has access to a machine, they may be able to escalate their rights in order to steal the digital certificate or cookies required to complete a successful login. In previous articles, I have described how to escalate rights and easily take control of databases (see http://www.canaudit.com/articles.html). Extend these concepts to home PCs that have been compromised and we have an Information Technology Perfect Storm. Your security is defeated and your data and databases lie exposed to the hackers.
Home workers are not the only concern. There are also contractors who may log in remotely through the VPN. This could be from their office in Canton, Ohio or Bangalore, India. If their machines are compromised and credentials stolen, then the cyber criminals will have access to the program and data files the contractors have. Again, they may be able to use this access to escalate their rights up to and including the domain level. They could also compromise the Storage Area Network (SAN) to gain complete access to all of your organization's critical information. Some of the SANs have known default passwords which we have used on several client audits. Yes, they work. The warning here is that if someone is able to get into the internal network using compromised credentials, LogMeIn, or a similar product, they can easily launch a SAN attack.
Now that the risk is established, let's look at controls. The first and most important is to ensure all machines that connect to your organization's network, both internally and externally, use anti-virus and anti-malware software. The software should be updated as soon as updates are made available. It is no longer acceptable to wait several days or weeks to implement vendor updates to the malware signatures. This may be difficult for your clients. If they do not have the software, you can suggest they get it. However, there is not a lot of leverage here as customers generally do not want to buy additional software and vendors do not want to give the impression that their web sites may not be secure.
For customers that have high-value or high-volume accounts, you may want to provide the software and installation assistance to ensure that the anti-malware is in place and properly installed. This is only a slight modification of the old giveaway programs used by some banks: "Open a new account and get a new toaster!" Now it is: "Do business with us online and we will provide security software to protect your transactions."
Contractors should also be required to ensure that their machines have up-to-date anti-malware software and current malware signatures. To enforce this, you should execute your right-to-audit clause on some of your vendors each year. I suggest taking some of the largest, plus one or two of the smallest, and subjecting them to an onsite audit. Whether malware comes in through a contractor providing 300 engineers for your project or through a sole proprietor contractor, the damage to your firm can be the same. Another good control is to subject the contractor to a security test prior to awarding them a contract. This could be in several forms such as a self-completed checklist or an onsite audit. While this may seem far-out by today's standards, in five years it will be the norm as malware incidents drive audit risk and future audits.
Do not forget to audit your offshore contractors and outsourcers as well. Every one or two years, the IT auditors should visit the foreign contractors to ensure that all contract terms, corporate policies and security requirements are met or exceeded. I am very concerned that authentication credentials may be shared by overseas contractors, particularly larger firms that "follow the sun". These contractors use their various offices around the world to support your IT requirements. As one office closes, your support may transfer to another office. The login credentials may move from one office to the next, creating a serious security issue.
It is also important to monitor the patterns of those who connect to your network. If Gordon Smith normally does two transactions a week, and today he has performed seven transactions, it is possible that the extra activity is fraudulent. It would be prudent to call Mr. Smith to confirm the transactions. If any of Mr. Smith's personal data changes, particularly email address or telephone number, it could be a signal that his credentials have been compromised. The email and phone numbers are used to contact a client when suspicious activity occurs. Watch for changes to the contact information. These changes should be confirmed by email to the old and new email addresses and possibly by phone to the old phone number as well. My stockbroker puts a hold on my online transactions after changes have been made to my personal information. I have to perform transactions over the phone until the confirmation window is concluded. As soon as a change is made to my information, they send out an email and a letter. The confirmation window is the mail time of the letter plus two days to ensure that I have read it. Although inconvenient, this is a good control.
Application controls must also be implemented. Daily and weekly transaction limits can be useful in preventing blatant procurement or EFT frauds. Variances in shipping addresses can be useful to detect diversion-of-goods frauds. Mailed and emailed confirmations can serve as detective controls provided changes to personal or billing information are properly confirmed as previously mentioned.
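The pattern monitoring and application controls described in the two paragraphs above can be written down as a small review routine. The following is an added example, not Canaudit's or the chapter's code. The policy values (a $10,000 daily and $25,000 weekly limit, a velocity threshold of three times the customer's weekly baseline, and a five-day hold after a contact-detail change, i.e. mail time plus two days as in the broker example) and the customer and transaction records are constructed assumptions for illustration:

```python
"""Detective and preventive transaction controls over a constructed event log.

Added example (not Canaudit's or the chapter's code). It implements the controls
described in the article: a per-customer activity baseline, a hold on online
transactions after the customer's contact details change, daily and weekly
amount limits, and a check for shipping addresses that differ from the one on
file. All policy values and records below are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

DAILY_LIMIT = 10_000.00      # assumed policy values, not taken from the article
WEEKLY_LIMIT = 25_000.00
VELOCITY_FACTOR = 3.0        # flag when this week's count exceeds 3x the baseline
CONTACT_HOLD_DAYS = 5        # mail time plus two days, as in the broker example


@dataclass
class Customer:
    weekly_baseline: float             # transactions normally made per week
    ship_to: str                       # shipping address on file
    hold_until: Optional[date] = None  # online transactions held until this date


@dataclass
class Event:
    day: date
    customer: str
    kind: str                          # "txn" or "contact_change"
    amount: float = 0.0
    ship_to: str = ""


def review(customers, events):
    """Return one list of alert strings per event (empty list = nothing to confirm).

    Events must be in chronological order; each alert starts with a short tag."""
    alerts: List[List[str]] = []
    daily = defaultdict(float)         # (customer, day) -> amount
    weekly = defaultdict(float)        # (customer, iso week) -> amount
    weekly_count = defaultdict(int)    # (customer, iso week) -> transaction count
    for ev in events:
        cust = customers[ev.customer]
        found: List[str] = []
        if ev.kind == "contact_change":
            # Email and phone are how the customer is reached when something looks
            # wrong, so a change is itself a signal: notify both old and new contact
            # details and hold online transactions until the window has closed.
            cust.hold_until = ev.day + timedelta(days=CONTACT_HOLD_DAYS)
            found.append(f"contact-change: confirm to old and new contact details, "
                         f"hold online transactions until {cust.hold_until}")
            alerts.append(found)
            continue
        if cust.hold_until is not None and ev.day <= cust.hold_until:
            found.append(f"held: contact details changed, confirmation window open "
                         f"until {cust.hold_until}")
        iso = ev.day.isocalendar()
        week = (iso[0], iso[1])
        daily[(ev.customer, ev.day)] += ev.amount
        weekly[(ev.customer, week)] += ev.amount
        weekly_count[(ev.customer, week)] += 1
        if daily[(ev.customer, ev.day)] > DAILY_LIMIT:
            found.append(f"daily-limit: {daily[(ev.customer, ev.day)]:.2f} "
                         f"exceeds {DAILY_LIMIT:.2f}")
        if weekly[(ev.customer, week)] > WEEKLY_LIMIT:
            found.append(f"weekly-limit: {weekly[(ev.customer, week)]:.2f} "
                         f"exceeds {WEEKLY_LIMIT:.2f}")
        if weekly_count[(ev.customer, week)] > VELOCITY_FACTOR * cust.weekly_baseline:
            found.append(f"velocity: {weekly_count[(ev.customer, week)]} transactions "
                         f"this week against a baseline of {cust.weekly_baseline:g} per week")
        if ev.ship_to and ev.ship_to != cust.ship_to:
            found.append(f"ship-to: {ev.ship_to!r} differs from the address on file "
                         f"{cust.ship_to!r}")
        alerts.append(found)
    return alerts


def sample_data():
    """Constructed customer and event records (not real data)."""
    customers = {"gsmith": Customer(weekly_baseline=2, ship_to="1 Main St")}
    events = [
        Event(date(2009, 7, 6), "gsmith", "txn", 500.00, "1 Main St"),
        Event(date(2009, 7, 7), "gsmith", "txn", 800.00, "1 Main St"),
        Event(date(2009, 7, 8), "gsmith", "txn", 600.00, "1 Main St"),
        Event(date(2009, 7, 8), "gsmith", "txn", 700.00, "1 Main St"),
        Event(date(2009, 7, 9), "gsmith", "txn", 650.00, "1 Main St"),
        Event(date(2009, 7, 9), "gsmith", "txn", 900.00, "1 Main St"),
        Event(date(2009, 7, 10), "gsmith", "txn", 400.00, "1 Main St"),   # 7th this week
        Event(date(2009, 7, 13), "gsmith", "contact_change"),              # new email/phone
        Event(date(2009, 7, 14), "gsmith", "txn", 12_000.00, "9 Elm Rd"),  # big, diverted
        Event(date(2009, 7, 15), "gsmith", "txn", 14_000.00, "1 Main St"),
    ]
    return customers, events


if __name__ == "__main__":
    customers, events = sample_data()
    for ev, found in zip(events, review(customers, events)):
        print(ev.day, ev.kind, f"{ev.amount:.2f}", found or "ok")
```

Run stand-alone, the first six transactions pass silently; the seventh trips the velocity check (seven against a baseline of two), the contact change on 13 July opens a hold until 18 July, and the two transactions inside that window are held and also breach the daily limit, with the first of them flagged for an unfamiliar shipping address and the second for the weekly limit.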
The last suggested control I will discuss relates to a security breach involving personal health information (PHI). Medical records were recently compromised by what was termed a "virus". The "virus" mentioned in the article is called Coreflood (see detail here). Several times a day, machines connected to your network should be scanned for malware. Ensure that your security folks test for all known spyware and malware. In some cases, they will balk at this suggestion. I consider this the same as car seat belts when they first came out. Many people did not wear them, as they did not see the benefit. Even I balked at wearing one until the police started to enforce it. Now we know that seat belts really do save lives. Let me tell you, actively searching for spy and malware will lead to early detection of a potential security breach and mitigate the damage that can be done.
The second item I want to cover in this article is the ability for nations, individuals, groups and conglomerates to paralyze a website. Earlier this month, the alleged North Korean attacks against government sites and the New York Stock Exchange demonstrated the distributed denial-of-service (DDoS) attack (see stories here and here).
I have two concerns. The first is that most organizations do not perform regular web application audits. We believe that this is an essential part of a security or IT audit regimen. Our Web Application Security Assessments generally reveal that there are significant security flaws in web-based applications. These flaws must be detected and remediated before your organization becomes a victim of organized criminals seeking to earn a living off of companies with shoddy controls. I need not mention the everyday hacker and the risks they pose. These are already well known.
I am also concerned that news articles represent that there is little that can be done to respond to a denial-of-service attack. That is not only incorrect, but it leads to an acceptance of a serious risk without proper evaluation. Cisco wrote a fantastic white paper on this issue (see here).
I use three slides in my IT Audit and Security Boot Camp to show the before, during and after examples of a DDoS. One of these slides is below. It shows how to successfully deal with a DDoS:

In the example shown, the ISP for the client is using a cleansing agent to identify the DDoS messages and filter them out. This cleansing agent is a massive software application that is invoked when a DDoS is detected for supported clients. We suggest that you check with your ISP to determine if they have this type of software and what the cost of invoking the product is. If they do not have a product, then it is time to look for a new ISP. Do not wait until the bot army of compromised machines is pointed at your site and commences firing.
The bad guys are constantly scouring the Internet and phishing in their quest for poorly secured machines. Once found, they take control of the machines, place their software on them, and organize them into a battle group for hire. They then rent out their bot armies to those who can pay. In some cases, even governments have been known to use bot armies. The Russians apparently did prior to and during their attack on Georgia in August 2008. It crippled the ability of Georgia to respond to the attack. On July 4, North Korea may have done the same thing to our government.
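To make concrete what "a DDoS is detected" means before the ISP's cleansing service is invoked, and what that service then filters out of a bot army's traffic, here is an added example; it is not from Canaudit's slide or any ISP product. It summarises flow records per destination over a ten-second window, diverts a destination to scrubbing only when the packet rate far exceeds its normal rate and the packets come from many sources (an army of compromised PCs rather than one noisy client), and lists the sources a scrubber would drop because they exceed a per-source packet budget while low-rate clients keep flowing. The thresholds, addresses, baseline rates and flow records are constructed assumptions:

```python
"""Volumetric DDoS detection over constructed flow records.

Added example, not from Canaudit's slide or any ISP's scrubbing product. Traffic
to each destination is summarised over a ten-second window; the destination is
diverted to scrubbing when the packet rate far exceeds its normal rate AND the
packets come from many sources, and the scrubber drops the sources that blow
through a per-source packet budget. Thresholds, addresses and flow records are
constructed assumptions.
"""
from collections import defaultdict

WINDOW_SECONDS = 10
PPS_FACTOR = 20          # assumed policy: divert when pps exceeds 20x the normal rate
MIN_SOURCES = 50         # assumed: fewer distinct sources is one abusive client, not an army
PER_SOURCE_BUDGET = 50   # assumed: packets one client may reasonably send per window


def detect(flows, baseline_pps):
    """Classify traffic per destination.

    flows: iterable of (unix_ts, src_ip, dst_ip, packets) records, as a router
    would export. baseline_pps: dst_ip -> packets/sec seen in normal operation.
    Returns dst_ip -> {"pps", "sources", "divert", "drop"} for its busiest window."""
    buckets = defaultdict(lambda: defaultdict(int))   # (dst, window) -> src -> packets
    for ts, src, dst, packets in flows:
        buckets[(dst, ts // WINDOW_SECONDS)][src] += packets

    verdicts = {}
    for (dst, _window), per_src in buckets.items():
        total = sum(per_src.values())
        pps = total / WINDOW_SECONDS
        sources = len(per_src)
        # Both conditions must hold: a single heavy client is a rate-limit case,
        # and many sources at a normal rate is just a busy site.
        divert = pps > PPS_FACTOR * baseline_pps.get(dst, 1.0) and sources >= MIN_SOURCES
        # The "cleansing" step: keep sources within budget, drop the rest.
        drop = sorted(s for s, n in per_src.items() if n > PER_SOURCE_BUDGET) if divert else []
        verdict = {"pps": pps, "sources": sources, "divert": divert, "drop": drop}
        if dst not in verdicts or pps > verdicts[dst]["pps"]:
            verdicts[dst] = verdict
    return verdicts


def sample_flows():
    """Constructed NetFlow-style records for one window (not captured traffic)."""
    target, quiet = "203.0.113.10", "203.0.113.20"
    flows = []
    for i in range(200):                       # 200 bots at 10 packets/sec each
        flows.append((1247000000 + i % 10, f"10.0.{i}.7", target, 100))
    for i in range(1, 6):                      # five ordinary clients of the target
        flows.append((1247000003, f"192.0.2.{i}", target, 5))
    for i in range(1, 6):                      # the same clients talking to a quiet host
        flows.append((1247000004, f"192.0.2.{i}", quiet, 5))
    return flows


BASELINE_PPS = {"203.0.113.10": 50.0, "203.0.113.20": 50.0}   # assumed normal rates


if __name__ == "__main__":
    for dst, v in detect(sample_flows(), BASELINE_PPS).items():
        action = (f"divert to scrubbing, drop {len(v['drop'])} sources"
                  if v["divert"] else "no action")
        print(f"{dst}: {v['pps']:.1f} pps from {v['sources']} sources -> {action}")
```

On the constructed records the target sees 2002.5 packets/sec from 205 sources and is diverted, with all 200 bot addresses dropped and the five ordinary clients untouched; the quiet host at 2.5 packets/sec is left alone. A real scrubbing service applies far richer signatures than a packet budget, but the two-part trigger (rate against baseline, breadth of sources) is the part worth asking your ISP about.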
The lesson here is do not let complacency or a feeling of hopelessness prevent your firm from building the cyber defenses needed in today's environment. You need to be able to ensure controls are in place in your network and the networks that connect to yours. You also need to be able to respond to a cyber attack and deflect a DDoS by a massive bot army. All of these things can be achieved. Given the risks of the last few weeks, now is the time to start a detailed risk analysis of the client-side and application risks.
The opinions expressed in this article are mine and mine alone. I look forward to receiving your comments on this article and answering any questions you may have. You can email me at Gordon@canaudit.com. If you would like to receive articles like this in the future directly, please opt-in to our distribution list at http://www.canaudit.com/mailinglist.html.
Reprinted with permission from Canaudit, Inc.
All rights reserved Canaudit, Inc.