Palmer on Cyber
Comment from Matt Palmer on cyber security and resilience
Is hacktivism an acceptable choice? 1 Dec 2024, 1:51 pm

This week I attended CSO Online's CSO Security Summit in London, which was split into protection and culture tracks. One of the most interesting aspects was the focus on mental health. As any incident responder (professional or accidental!) will know, incidents can be very stressful. We ignore these issues at our peril.
However, the takeaway for me was an observation I made during Lisa Forte's panel: a lot of the discussion and debate around responding to hacktivism focuses on the symptoms (malicious cyber activity) rather than the cause (why young people think this is the way to use and develop their skills). Indeed, Sarb Sembhi was the only person I’ve heard recently really talk about motivations, when he mentioned climate activism.
Hacktivism, the combination of hacking and activism, presents several challenges that raise concerns in both ethical and practical dimensions.
While hacktivists often justify their activities as a form of protest against injustice, these actions can lead to substantial collateral damage. Targeting websites or networks can disrupt services not only for the intended targets but also for innocent third parties. This can result in financial losses, data breaches, and a loss of trust in online services. But the biggest impacts can be on those who carry out the hacktivism themselves.
Hacktivism often operates in a legally grey area. While hacktivists may claim to be advocating for social justice, their actions can violate laws related to computer security and privacy. This can lead to criminal charges and further complicate the legal landscape surrounding online activism. It’s hard to think of much offensive cyber activity that doesn’t amount to an offence under legislation such as the Computer Misuse Act.
The tactics employed by hacktivists can undermine legitimate and peaceful protests. By resorting to digital sabotage, they risk alienating the public and creating backlash against broader movements for social change. This perception can diminish public support and obscure the original message that the hacktivists aimed to communicate.
The rise of hacktivism also raises cybersecurity issues. As hacktivists target large organisations, those organisations may bolster their security measures, leading to increased surveillance and crackdowns on online dissent. Such a trend can restrict freedom of expression and stifle legitimate discourse.
Hacktivism can precipitate a cycle of retaliation among groups with opposing views - think cyber activity around Russia’s invasion of Ukraine, or Israel and Palestine. Such actions can escalate conflicts, resulting in heightened tensions and potentially leading to more severe cyberattacks, including those from state-sponsored actors.
It’s even possible to find yourself detained abroad with very few rights as an enemy combatant: not what most young people will be focused on when trying to use their cyber skills to address a perceived injustice or support a campaign for change.
We still need to improve our capability to give young people with an interest in cyber the right opportunities to progress that interest in an appropriate way.
The education community remains limited in its readiness to support and guide those with high technical aptitude with challenging work in school, and there is still, all this time on, very low female participation in STEM subjects.
Many schools do not even offer Computing at secondary level (ages 14-18, GCSE and A level in the UK). Few primary school curricula even provide the basic building blocks for later success.
We also don't fully understand how to help and support cognitive diversity, which can lead to talented young people feeling isolated and challenged to engage through established paths.
Finally, cyber is also an area of interest that is very hard for parents to support, monitor and guide on.
Jersey Cyber Security Centre supports several work experience students each year, all of whom have made a substantial contribution to our work. But it is the tip of the iceberg if we want to ensure everyone with an interest has a productive outlet for their talents, and understands the risks and personal impacts of taking the wrong path.
Ask anyone who started out in cyber in or before the 1990s. We all know choosing the wrong path is too easily done.
___
Matt Palmer is an award winning cyber security leader. He currently runs the national cyber defence function for a small island state. He can be found on linkedin or on bluesky.
CSO30 award: thank you 1 Dec 2024, 1:37 pm

Thank you to CSOonline for the CSO30 cyber security award this week. It's much appreciated and a pleasure to be in such good company with so many capable and passionate people. Cybersecurity is still an incredible field where no two roles, or people, are the same.
___
Introducing Incidentally: Why We Must Embrace Risk and Learn From Incidents 10 Sep 2024, 9:39 pm
Welcome to Incidentally: Why We Must Embrace Risk and Learn From Incidents
As humans, we don’t take risks just for the thrill of it. We take risks to make progress. Every incident is simply a manifestation of risk—its impact isn't guaranteed, nor is its probability—but its existence is certain.
Without risk, there would have been no tea clippers navigating the treacherous waters to India, nor space shuttles exploring the cosmos. Every new development brings with it the possibility of disaster, and as individuals and organizations, we need to reduce the likelihood of such events. Yet we must also prepare to manage the consequences when they do occur. It's through this ability to survive and adapt that we advance.
Risk is a Catalyst for Progress
Progress demands risk. This is true not just in technology or industry but also in cybersecurity. Just as any innovation requires taking a chance on failure, progress in the digital realm necessitates accepting the potential for cyber incidents. The key is acknowledging and managing these risks.
But the issue of risk isn’t just about cyber security—it's about the human condition. It's about our fears and desires, what drives us forward, and our constant pursuit of something better, or different. Every step we take toward progress involves risk. And when we survive the consequences, we learn and grow.
Incidents are about more than just survival. They reflect the care we take for others, for our organizations, and for our purpose. They reveal our need for safety, achievement, and meaning, resonating across all levels of human needs, from survival to self-actualization. In Maslow’s hierarchy, incidents touch every layer—they are, in essence, fundamental to progress.
Why I’m Launching This Newsletter Now
Despite the crucial role of risk and incidents in driving growth, there's surprisingly little open conversation about managing their impact. Perhaps it's because we naturally prefer to focus on successes and happy outcomes. But the truth is, we learn far more from our failures than from our wins. When we fail, the reality of our decisions becomes painfully clear, offering invaluable lessons in how we can do better.
Winston Churchill once said, “Truth is incontrovertible. Panic may resent it. Ignorance may deride it. Malice may distort it. But there it is.” In today’s world, flooded with misinformation and 'fake news,' this sentiment holds even more weight. We are often misled, whether by malicious actors or our own ignorance. And when panic sets in, it clouds our judgment, leading us to either freeze or under-respond—both of which play into the hands of those who wish to harm us.
But even in the chaos, the truth remains. Now is the time to seek it out.
A Space for Responders, Leaders, Learners, and Teachers
Incidentally isn't about providing you with all the answers. I don’t claim to have a perfect filter for cutting through the noise. You may know as much, or more, or less than I do—and that's fine. The purpose here isn’t to lecture, but to start a conversation.
I hope that through these posts, you find something interesting, thought-provoking, or even something you vehemently disagree with. If you do, I encourage you to join the conversation. Share your perspective, so we can all learn together.
What You Can Expect
This newsletter will be valuable to those who respond to cyber incidents, those who might one day face them, and those who hope they never will. If you're certain it will never happen to you, you're probably in the wrong place.
There’s a high probability that you’ll find valuable insights here, though I can't promise perfection. But the risk of not delivering on the promise, like all risks, is managed with expertise and prioritization. Please let me know if I fall short of your expectations.
As a note, I haven’t imported subscribers from my previous newsletter. I’ll be in touch to give them the option to join.
Join me here, and let’s explore the balance of risk, incident response, and progress together.
___
Breaking Down Cybersecurity: The Real Meaning Behind the Jargon 27 Apr 2024, 9:37 am

Cyber security is often conflated with the term confidentiality, but that is not correct. Traditionally, professionals tend to define it as being about confidentiality, integrity and availability (known as the CIA triad), but that's not quite right either. So what is it?
In the process of advising on our new cyber security legislation, I've had to stop and reflect on what cyber security really is, and how we can explain it in simple but clear terms: putting to one side the semantic discussions about terminology that professionals often love to have, and focusing instead on what cyber security really means in practice.
Essentially there are five elements to consider: Confidentiality, Integrity, Availability, Authenticity and Non-repudiation (these are often called the pillars of information assurance).
The two additional terms are authenticity and non-repudiation: Authenticity means knowing who did something; non-repudiation means being able to prove it. They are not quite the same: I know my son broke my office window because he was the only one who plays football in the garden; I can prove it because his sister saw him kick the ball.
These five elements interact: you cannot have one without the others if you want to have trust.
You can't have good cyber security without establishing trust, so we all need to understand what they mean. Here I explain each of these terms, along with some examples and reference incidents to help.
Confidentiality
Explanation: Confidentiality ensures that information is accessible only to those authorized to have access. It's about keeping data private and protected from unauthorized access.
Example: Think of online banking. Your financial details are confidential, which means they are protected so that only you and the bank can access them. Encryption, which scrambles data so that it can only be read with a special key, is a common method used to ensure confidentiality.
Reference incident: In 2017, the credit reporting agency Equifax experienced a massive data breach. Hackers accessed personal information of approximately 147 million people. This included Social Security numbers, birth dates, addresses, and more. The confidentiality of personal and sensitive information of millions of people was compromised, leading to risks of identity theft and fraud.
Integrity
Explanation: Integrity involves maintaining the accuracy and completeness of data. It ensures that information is not altered in an unauthorized manner.
Example: When you receive a bank statement, you trust that the transactions listed are exactly what you carried out and haven’t been changed in any way. Banks use various security measures to ensure that the data in your statement matches the actual transactions you made.
Reference incident: In 2010, the Stuxnet computer worm targeted Iranian nuclear facilities. The malware subtly altered the speed of centrifuges involved in the uranium enrichment process while displaying normal operating information to the monitoring systems. The integrity of the information and operations was compromised, causing physical damage to the centrifuges without the operators realizing it until the damage was severe.
Availability
Explanation: Availability ensures that data and services are available to authorized users when needed. This means keeping systems running and accessible, without improper interference or disruptions.
Example: For a website like Amazon, it’s important that the site is available and functioning whenever you want to make a purchase. This is managed through redundant systems and regular maintenance to prevent downtime.
Reference incident: In 2016, a major distributed denial-of-service (DDoS) attack targeted the DNS provider Dyn. This attack made major websites like Twitter, Spotify, and Reddit temporarily unavailable to millions of users. The availability of these popular services was severely disrupted, highlighting vulnerabilities in the infrastructure of the internet.
Authenticity
Explanation: Authenticity means verifying that data, transactions, and communications are genuine. It confirms that sources and identities are who they claim to be.
Example: When you log into your social media account, you might receive a message with a code to your phone to confirm it’s really you. This two-factor authentication process is a way of ensuring authenticity by verifying that the person accessing the account is the legitimate owner.
Reference incident: In 2011, hackers broke into the network of RSA Security and stole information related to their SecurID authentication tokens. This breach compromised the authenticity of the token system used by thousands of organizations globally to secure access to networks. With the stolen information, attackers could potentially impersonate legitimate users, accessing confidential company networks and data.
Non-repudiation
Explanation: Non-repudiation prevents individuals or entities from denying their actions related to data or transactions. It provides a way to guarantee that someone cannot deny the authenticity of their signature on a document or a message they send.
Example: When you sign for a package on delivery, digital or on paper, there is a record that you received it. This is a form of non-repudiation, as you cannot later claim that you did not receive the package.
Reference incident: In 2016, emails and documents from the US Democratic National Committee (DNC) were stolen by hackers and published by WikiLeaks. Some DNC officials repudiated the authenticity of these documents, suggesting possible alterations by the hackers as part of Russian interference in the U.S. presidential election. Despite these claims, investigations affirmed the authenticity of the emails. The leak had significant political repercussions, contributing to discord and mistrust within the Democratic Party, influencing public opinion during the election, and leading to the resignation of several DNC officials. US prosecutors later indicted officers of Russia's GRU military intelligence agency, the group tracked as Fancy Bear, for the original intrusion.
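The distinction drawn above between authenticity (knowing who did something) and non-repudiation (being able to prove it) is easiest to see in code. The following is an added example written for this page, not part of the original post and not JCSC code, in Go using only the standard library. A shared-key HMAC gives a bank and its customer authenticity and integrity, but because both hold the same key the bank could have minted the tag itself, so the customer can always repudiate it. An Ed25519 signature, verifiable with the public key alone, closes that gap. The transfer instruction, the shared key and the key pairs are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed sample payment instruction and a tampered variant of it.
var (
	instruction = []byte("transfer 100.00 GBP from 12345678 to 87654321")
	tampered    = []byte("transfer 900.00 GBP from 12345678 to 87654321")
)

// macTag computes HMAC-SHA256 over msg with a key shared by customer and bank.
func macTag(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// macVerify checks a tag in constant time. A valid tag proves the message came
// from someone holding the key (authenticity + integrity) but, since the bank
// holds the same key, it cannot prove which of the two parties produced it.
func macVerify(key, msg, tag []byte) bool {
	return hmac.Equal(macTag(key, msg), tag)
}

// Signer holds an Ed25519 private key that nobody else has.
type Signer struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewSigner() (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Pub: pub, priv: priv}, nil
}

func (s *Signer) Sign(msg []byte) []byte { return ed25519.Sign(s.priv, msg) }

// SigVerify needs only the public key, so any third party can check it, and only
// the private-key holder could have produced it: that is non-repudiation.
func SigVerify(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

// Outcome records what each mechanism can and cannot do.
type Outcome struct {
	MacValid, MacTamperDetected, MacForgedByBank bool
	SigValid, SigTamperDetected, SigForgedByBank bool
}

func RunScenario() (Outcome, error) {
	var o Outcome

	// Shared-key MAC: authenticity and integrity, but repudiable.
	sharedKey := []byte("constructed-32-byte-shared-key!!") // demo key only
	tag := macTag(sharedKey, instruction)
	o.MacValid = macVerify(sharedKey, instruction, tag)
	o.MacTamperDetected = !macVerify(sharedKey, tampered, tag)
	// The bank can mint a tag over a message the customer never sent, so the
	// customer can always claim "the bank made that up".
	o.MacForgedByBank = macVerify(sharedKey, tampered, macTag(sharedKey, tampered))

	// Digital signature: adds non-repudiation.
	customer, err := NewSigner()
	if err != nil {
		return o, err
	}
	sig := customer.Sign(instruction)
	o.SigValid = SigVerify(customer.Pub, instruction, sig)
	o.SigTamperDetected = !SigVerify(customer.Pub, tampered, sig)
	// The bank has no key that verifies under the customer's public key.
	bank, err := NewSigner()
	if err != nil {
		return o, err
	}
	o.SigForgedByBank = SigVerify(customer.Pub, tampered, bank.Sign(tampered))
	return o, nil
}

func main() {
	o, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

Both checks use constant-time comparison (hmac.Equal, and Ed25519's own verification) so that a forger learns nothing from timing. In a real deployment the shared key must be random and at least 32 bytes, and the signature scheme only delivers non-repudiation if the private key genuinely never leaves the customer, which is why it usually lives in a hardware token or secure element.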
___
Applying agile principles to public sector change 21 Mar 2024, 10:21 pm
It is a little-known fact that before my son was born, I was taking a master's degree in public sector modernisation. Fatherhood meant I had to drop out, but not before making some observations. I also spent a decade in local government, so I know a little bit more about public service delivery than I sometimes let on at work. Perhaps just enough to learn.
Building Jersey Cyber Security Centre in 2021
Right now at Jersey Cyber Security Centre we have two critical change projects:
1) creating and delivering a new public body to improve cyber security and resilience, and
2) designing and implementing the legislation needed to support this and make it effective.
Everyone understands the necessity. Most people are supportive. So the top questions I get asked are simple ones: why does it take so long? Does it need to be this slow? Why can't it be faster?
The easy answer is that public sector change takes a long time because there are lots of interested parties whose needs and views need to be considered to get the right outcome, and that the legislative process is an involved one precisely to ensure that this is done.
But whilst that's correct and would apply equally to all public projects, the truth of course is more nuanced.
Sometimes we may not be looking at the challenge of change delivery through the best lens.
Shortly after 2001, I was one of many to sign the agile manifesto for software development. This document went on to start a global movement and change how technology change is done: from grandiose projects that often failed, to iterative change that often delivered.
The agile manifesto states:
We are uncovering better ways of developing software by doing it and helping others do it.
Through this work we have come to value:
Individuals and interactions over processes and tools
Working software over comprehensive documentation
Customer collaboration over contract negotiation
Responding to change over following a plan
That is, while there is value in the items on the right, we value the items on the left more.
If we are honest with ourselves, how much time and effort do we really spend doing the things on the right that are necessary but less impactful, over the things on the left that are most impactful?
The things on the right need to be done, with the result that sometimes there's no time left for the things on the left. Delivery is pushed back: first weeks, then months, then years. And then eventually people begin to wonder if we can get things done at all. For a long time, that was the way of IT projects. Sometimes it still is.
But agile principles can be applied in other fields too, perhaps nowhere more so than where people are most impacted: public services.
So our resolution for Jersey Cyber Security Centre is that in delivering for our community we will seek to put people front and centre; delivering what we can now, and responding iteratively to changing needs.
That means we are putting:
Individuals and interactions over processes and tools
delivered through custom briefings and responding to individual organisational needs, rather than through one-size-fits-all solutions. Walk into JCSC (and you can!) and we'll seek to understand what your specific challenges are and help you respond accordingly, rather than present you with a template response. (Of course, I appreciate that's easier to do at our small scale.)
Working public services over comprehensive documentation
by being iterative and step by step, introducing what we can now rather than trying to fix everything all at once. Public awareness and engagement came first as we could do that on day one, and now we are building and developing the supporting technical services. Those services that require an updated legal framework can come later: it doesn't stop us delivering now.
Stakeholder collaboration over contract negotiation
by listening to stakeholders and seeking to respond to their needs, and seeing governance processes as an enabler of change rather than a constraint on delivery. We don't need to get everything into a document on day one, at least not as much as we need to take the community with us. So we worked first informally, then under a scheme of delegation, and finally we will work under a formal legal framework and governance.
Responding to change over following a plan
by bringing forward elements of delivery that can be accelerated, whilst accepting that other areas become more complex the more you learn. In some cases that has meant longer timescales than planned, in others shorter. And in some areas we have delivered services we never expected to. Other things we planned to do, we don't. And that's fine - it's about responding to needs and adapting to change.
Delivering a new national cyber security centre from a blank canvas was never going to be simple or quick: if we sought to create perfect from day one, right now we would have nothing but paper and plans. Instead, we have a working capability that is continually improving.
We're on the first steps of many, but it has taken me back and made me ask: how do we do this best? And can agile principles be applied more widely to public sector change to deliver better outcomes? I think perhaps they can.
___
Why is Jersey introducing a new Cyber Security Law? 11 Mar 2024, 12:00 pm

Launch of Jersey Cyber Security Centre
In 2021 I took a new role as Director of Jersey's newly formed cyber response unit. We've come a long way from an initial concept as a CERT to a full operational capability as Jersey Cyber Security Centre. And I suppose that's a good place to start.
But it's just not going to work unless we change it up.
Why is Jersey different?
In recent years organisations have adopted new technologies and systems faster than ever before. That's even more the case in an innovative digital island such as Jersey - and in doing so, they’ve opened up new opportunities that have benefited our economy and society.
But alongside these new opportunities, there are also new risks. Cyber criminals continually find new ways to extract sensitive data and personal information. And like any other jurisdiction, Jersey is at risk of being a target.
However, the fact that we are an independent jurisdiction means that we have a unique mix of risks. We manage our own power and water supplies, healthcare, and other vital infrastructure. Our economy is built on professional services such as finance - industries whose international reputation is, in part, maintained by their ability to build trust and handle sensitive data and information securely.
This means that successful cyber attacks could have significant impacts across the Island. Cyber crime is now one of the world's largest industries, and it does not discriminate. Additionally, despite our being a small jurisdiction, there are plenty who wish us harm and plenty who are willing to act outside the law to achieve those ends.
Threats continue to evolve, and artificial intelligence (AI) will help them evolve even faster. New vulnerabilities continue to appear, and malicious actors will find ways to exploit them. Whilst it is never possible to eliminate all risks, organisations need to be vigilant and take steps to prepare. To do this, they need guidance on the standards they should meet. This includes guidance on how and when to share information about any serious cyber incidents.
Our plan to be different
Working harder does not solve the problem; too often in cyber security we build sandcastles on the beach and wait for the tide to come in, then start again. We simply can't continue on this path as it does not solve the problems, but rather creates an illusion of progress as the risks and impacts continue to increase. People lose their life savings to cyber criminals and scammers. Identity theft is sustained by frequent organisational data leaks. Organisations fail because of ransomware incidents that should have been survivable. Unfriendly nations sustain their economies and their wars with our funds, with our intellectual property, and by doing us harm.
Nobody seems to be able to put their finger in the dyke, never mind find a sustainable solution to increasing cyber risks.
Whilst we won't fix this over night, we can't keep building our castles in the sand and hoping for the best.
So of course we need to reflect international good practice, but we also need to do something different compared to our traditional regulatory approach to managing systemic risks.
We need a legislative framework for cyber security that sets us up for success: one that enables organisations without creating undue burdens, one that supports and protects citizens by enabling resilient public services, and one that provides practical support rather than firing off penalties.
An approach that respects the things that make our Island special, whilst providing for the future rather than being rooted in the past.
To do that we need the right legal framework for Jersey Cyber Security Centre.
The one we are proposing is different to most other public policy responses to unacceptable risks.
JCSC will have no power to fine or penalise bad behaviour. We will have no power to insist, unless through adoption of our recommendations by an existing business or regulator. No power to name and shame those who don't do their bit. No power to investigate, to force compliance, or to require others to act.
We will in fact have one power, and one power only: the power to share information in confidence, and to have information shared in confidence with us.
And we will have one ability: the ability to help.
But whilst this is certainly going to take effort, it does not make for a weaker regime but rather for a stronger one, as it works together with those who carry this risk on behalf of our island as long as they are willing to work with us.
The draft Cyber Security (Jersey) Law is a key step in introducing this structure: it supports the Island’s overall cyber resilience by introducing support and providing clear expectations, but seeks to do so without creating any unnecessary burden on industry.
What will the new cyber law do?
Firstly, it establishes JCSC as an operationally independent, grant-funded organisation accountable to the Minister for Sustainable Economic Development, and defines what we are here to do. With the right legal structure and a clear basis for our work, we’ll be able to work closely and confidentially with organisations in the event of a cyber incident. It will also allow us to provide independent advice to Government and other local bodies, where appropriate.
Secondly, the draft Law sets out how we should be governed. It establishes a Technical Advisory Council (TAC) which will provide expert advice and guidance to support our decision-making. The Law will also require us to produce an Annual Report and regular Strategic Plan, to ensure transparency around our work.
Finally, and in common with the EU, the Law will introduce new reporting standards for some organisations, defined as Operators of Essential Services (OES). Basically, these are any organisations whose operations are critical for the welfare of islanders, for our economy, or our reputation. Some of these are obvious, such as healthcare, telecoms providers and banks. Others perhaps less so, such as ferry services (we are an island!) and Jersey's world class dairy industry.
OES will need to take appropriate steps to improve and secure their cybersecurity. They’ll also be required to notify JCSC and their customers if they experience a significant cyber incident, so we can learn from it and be alert to emerging threats.
There are however some things we are not looking to do.
Jersey is already a heavily regulated Island. We have a finance regulator, a competition regulator, a data regulator, a health and social care regulator, a telecoms regulator... the list goes on. There are already some thoughts about regulating cyber, and a lot of people ask me 'where's the stick?'.
But fines and penalties are not the right plan. Every business CISO knows that a compliance mindset has never made for a successful cyber security program. What does make for a successful cyber security program is aligning that program with the objectives of the organisation. So that is exactly what we intend to do, but at jurisdictional scale.
When you contact Jersey Cyber Security Centre, you will do so knowing we are a critical friend who will support you, challenge you when needed, but ultimately keep your private matters confidential and have your back. We are not a law enforcement body, a regulator, or Government. We have no powers to fine you, penalise you, or tell you off. And it would not help if we did, because then it would be hard for you to be honest with us, and then you would not be able to share information with us openly, and we would not be able to help you or to learn from your experience to help others.
In fact, helping is our only power.
It's a superpower.
Because you will know we are only here to help, there is no downside to talking to us.
When you talk to us, magic will happen: in addition to supporting you, the information we learn can be used to protect the whole community.
This is how we stay one step ahead. A comprehensive solution would require a global response, and that we cannot do as an Island jurisdiction. But what we can do is spend less time building castles in the sand, and more time finding small ways to make a difference - just like the Dutch boy in the story who put his finger in the dyke to hold back the sea.
This Law will be a strong first step in moving from managing the status quo towards creating a cyber resilient island.
What, you ask, of those organisations that don't want our help, or bury their heads in the sand?
For some critical organisations, existing regulations and law enforcement will help to bridge the gap between what we can do and what is necessary to protect the island. We will work with these bodies, and where there are gaps we will need to learn together.
For most businesses, however, we have to accept that a cyber failure might be OK: after all, it's your business not ours, and therefore it's your risk to take as long as others aren't unduly harmed by it. That said, experience shows that those who don't talk to us before a cyber incident often engage with us afterwards, assuming of course that they are still around to do so. And if they are not, perhaps economics rather than red tape will provide the solution.
We can't fix everything overnight, but we can take a strong step forward into the future and be prepared for what it brings.
And we can do that in a way that is right for our Island community.
You can read more about the proposed Cyber Security (Jersey) Law here.
Challenging password dogma 25 Feb 2024, 11:02 pm

Passwords should be the easiest area of security. Every organisation has a password policy. Every organisation uses passwords. Everyone at every organisation uses passwords. Everyone has been trained how to do it. And everyone has been doing it for a very long time.
And they are doing it all wrong.
Password best practice advice is generic, well accepted, and often repeated dogma. But is it right?
In a search for the most common password recommendations, I asked ChatGPT for its password advice. ChatGPT - like all large language models (LLMs) - is a great way of discovering established norms as it takes existing knowledge and attempts to predict the most likely, but not necessarily the best, output. This means that regardless of whether the established norms are right or wrong, an LLM is a great way to find out what they are.
As expected, the model generated this very predictable list of advice:
“1. Length & Complexity: A strong password should be at least 12 characters long, include numbers, symbols, capital letters, and lower-case letters.
2. Avoid Common Words: Don't use dictionary words, your own personal information, or common phrases as your password. They're too easy to guess.
3. Unique Passwords: Don't use the same password for multiple accounts. If one account gets compromised, all of them are at risk.
4. Regular Updates: Change your passwords every 3 to 6 months and avoid reusing old passwords.
5. Two-Factor Authentication: Whenever possible, enable two-factor authentication. It adds an extra layer of security by requiring a second step after entering your password.
6. Password Managers: Consider using a password manager. These tools generate, store, and automatically fill in complex passwords for you.”
Unfortunately, much of this is simply false. But which of these common recommendations are actually bad password practices?
Let’s take the easy ones first.
Number 3, to use unique passwords, is unquestionably sound advice for account security. A large number of passwords are compromised and easy to find either online or on the dark web. Many are built into password cracking tools, and many more reused passwords are simply very predictable once you know a little bit about the individual - favourite football teams, kids' names - the sort of thing you could find on social media. So using the same password for multiple websites or applications is a bad plan for two reasons: firstly, if compromised on one application it is compromised everywhere; and secondly, because reliance on generic passwords leads to poor password choice.
At number 5, MFA is also good advice. This is not about your choice of password or how you secure it, but rather about not relying on a password as the sole means of authentication. It is impossible to guarantee the security of a password as you are dependent on the user, the organisation, and the application or service, to ensure its security. Multi-factor authentication (MFA, also known as ‘two factor authentication’ or ‘two step verification’) uses your password plus something else to confirm who you are.
In addition to the password - something you know, and therefore something others can know - MFA also asks you for something you are (such as a fingerprint or iris scan), or something you have (such as a number from a mobile phone authenticator app, or a physical key such as a YubiKey). This is much harder for the attacker - knowing your password is not enough. Whilst nothing is completely foolproof, MFA will reduce your risk by 99%+ as the cost of the attack is rarely justified. For most applications that is more than sufficient.
Not using MFA on the other hand places the account at great risk, as even unique passwords can be guessed, or hacked. There are some reservations - MFA that relies on SMS messages is better than nothing but insecure and easily hacked, and nothing can protect you if you respond to a criminal’s verification request with a ‘yes’. But still, I’ll happily take that 99%. MFA should be compulsory for every account and every network or application.
Finally, number 6 - to use a password manager - is also excellent advice. Most people have many passwords, often 300 or so. I have more than 600. It is impossible to set good passwords for these and remember them all, so it is essential to write them down. A good password manager will keep all your passwords secure whilst entering them automatically for you when needed.
You still need to look after the master password for the vault, but now you only have to remember one password rather than hundreds, and you can make sure that one uses good MFA. It’s still possible for a password manager to be breached, and for that reason I do not store my banking password in one. But for everything else, it’s a lot harder to breach than your head.
Often the advice is to never write down passwords. This is one that ChatGPT mercifully missed. It’s terrible advice because remembering all these passwords is impossible without choosing really bad passwords and reusing them. So personally, and for organisations, it is best not to say this.
After all, a password in a desk drawer at home requires an attacker to be family, or to break into your house. Most cyber criminals do not live in your home, or in your neighbourhood, and would not want that risk anyway. So if the password to your knitting circle is on a post-it under the keyboard - it might be better in a password manager, but it’s a lot better than in your head.
This leaves numbers 1, 2 and 4.
These are awful practices that can make security worse. The reason for this is simple - good security works with the user, not against them. All of these make life harder for the legitimate user whilst often making it easier for a cyber criminal.
Let’s take them in turn and explain why.
1. Length & Complexity: A strong password should be at least 12 characters long, include numbers, symbols, capital letters, and lower-case letters.
We’re all familiar with it. You spend ages thinking of a new password, and after typing it in wrong three times you finally get it right, only to receive a warning that your password ‘does not meet complexity requirements’. This came about because passwords were being cracked or guessed, so it was felt that increasing entropy by widening the character set from 26 letters to include uppercase letters, numbers and non-standard characters would make it harder for attackers.
That might be true if we were all robots. Unfortunately, the geniuses who came up with this forgot about the human. Because what everyone did was replace the first letter that looked like a number with a number, then add a non-standard character on the end. Then make the first letter a capital. Why? Because we have to remember them, silly! Who can remember d%$vN6? Nobody. Who can remember D0nut$? Everyone.
The search for entropy (the degree of randomness, or essentially how long it takes to guess with no information) was a good one. But the solution was an absolutely awful one. So all these passwords were bad. If we didn’t have to have D0nut$, we might have had RatSlideProductiveDrain. The entropy in that is much higher, and it’s easier to remember than d%$vN6, too.
We’ll come back to that in a moment.
2. Avoid Common Words: Don't use dictionary words, your own personal information, or common phrases as your password. They're too easy to guess.
Security guidance has recommended against using common dictionary words since at least the 1960s. The reason was simple: a ‘dictionary attack’ is a form of brute force attack that cycles through each word in the dictionary until it finds yours. So if your password is ‘god’ like the bad guy in the movie Hackers, it won’t take long to crack it.
However technology has moved on. It is now very standard for access attempts to be rate limited (restricting the speed of access attempts to that expected by a human) and very standard to lock accounts after a certain number of access attempts - usually 3 or 5. This means the attacker will lock themselves out, and lock the legitimate user out alerting them to the attack, long before they gain access. This means that in most circumstances dictionary attacks are useless (the exception would be where the attacker already has the database of users and has all the time in the world to decrypt it - but that’s a different story altogether).
Dictionary words are however useful to a legitimate user, because these are the words we use every day. We’re all going to use words to make our passwords. Obviously some words are bad, such as ‘password’, but making your password ‘Password1’ won’t help; it’s just as easily guessed. So feel free to use dictionary words. Just combine them.
UK NCSC actually recommends ‘three random words’. The key here is that 1) because there are three of them the password is not too short to be useful, and 2) because they are random, they can’t really be guessed. Now nothing is ever truly random, but if the words have no personal connection with you they are no use to an attacker. On the other hand, ‘AlienTurtleCabbage’ is easy to remember, right? If it feels better to add a number or something, it will still make it more secure - but not by a lot. This is a pretty good password.
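To put numbers on the comparison between ‘d%$vN6’, ‘D0nut$’ and a ‘three random words’ passphrase, here is an added Python example (not the author's code). The wordlist sizes and the substitution table are assumptions about what a cracking tool would try, not measured values; the point it shows is that a complexity rule and an attacker see ‘D0nut$’ very differently.

```python
"""Entropy estimates for the passwords discussed above (added example).
The wordlist sizes and the substitution table are assumptions about what a
cracking tool would try, not measured values."""
import math
import re

DICTIONARY_WORDS = 100_000   # assumption: words in an attacker's wordlist
RANDOM_WORDLIST = 7_776      # assumption: size of a 'random words' list
# Assumed substitutions a cracking rule set tries: 0->o, 3->e, $->s, ...
LEET = {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "$": "s", "@": "a", "7": "t"}


def charset_size(password: str) -> int:
    """Size of the pool a complexity rule assumes each character came from."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^A-Za-z0-9]", password):
        size += 33          # printable ASCII punctuation
    return size


def random_char_entropy(password: str) -> float:
    """Bits if every character were chosen uniformly: the 'robot' model that
    complexity rules implicitly assume. d%$vN6 and D0nut$ score the same here."""
    return len(password) * math.log2(charset_size(password))


def human_word_entropy(password: str) -> float:
    """Bits when the password is one dictionary word plus the usual human
    tweaks: a leading capital, leet substitutions and a trailing symbol.
    Each tweak costs an attacker a few bits, not a whole extra character set."""
    core = password
    bits = 0.0
    if core and not core[-1].isalpha():      # trailing digit or symbol
        core = core[:-1]
        bits += 1 + math.log2(43)            # present or not, then which of 43
    bits += sum(1 for ch in core if ch in LEET)   # each substitution: on/off
    if core[:1].isupper():                   # leading capital: on/off
        bits += 1
    bits += math.log2(DICTIONARY_WORDS)      # the underlying word itself
    return bits


def random_words_entropy(n_words: int, wordlist_size: int = RANDOM_WORDLIST) -> float:
    """Bits for n words drawn uniformly from a wordlist (the NCSC pattern)."""
    return n_words * math.log2(wordlist_size)


def count_words(passphrase: str) -> int:
    """Count CamelCase words, e.g. RatSlideProductiveDrain -> 4."""
    return len(re.findall(r"[A-Z][a-z]*", passphrase))


if __name__ == "__main__":
    print("d%$vN6 by the rule:", round(random_char_entropy("d%$vN6"), 1), "bits")
    print("D0nut$ by the rule:", round(random_char_entropy("D0nut$"), 1),
          "bits; to an attacker:", round(human_word_entropy("D0nut$"), 1), "bits")
    for phrase in ("AlienTurtleCabbage", "RatSlideProductiveDrain"):
        print(phrase, round(random_words_entropy(count_words(phrase)), 1), "bits")
```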
4. Regular Updates: Change your passwords every 3 to 6 months and avoid reusing old passwords.
This may be the worst password advice of all time, responsible for huge breaches and catastrophic security failures. Why? It’s simple. Nobody can remember lots of passwords, and changing them is painful. So most people quite rationally seek to avoid the pain by choosing very predictable passwords.
For example, if you have to change your password every 3 months, you use the seasons; monthly, the month; annually, a word that means something to you with a digit added on the end. When you forget it every few months, your latest sports hero or the megastar of the moment. These are of course all incredibly obvious to an attacker, but painful for the user.
And it gets worse.
Security people realised everyone was cutting corners and that was putting systems at risk, so they introduced new rules. To stop people resetting their password and instantly resetting it again to the one they remember, or cycling through the same set of passwords, restrictions were commonly introduced to prevent passwords being changed within 24 hours, and to remember previous passwords so they couldn’t be used again. These sensible-sounding rules just made it even harder for users. The result of course was that passwords tended to follow simple patterns, or be written down - often in a file on the computer they were meant to secure.
Regular updates make your password less secure, not more secure. The practice clings on like a weed, embedded in many supplier assurance checklists, audit checklists, and regulatory statements. Ignore it, then explain why it is wrong. If you need some help demonstrating why this is daft, here’s NCSC being helpful again.
When might you want passwords to expire? If you believe your account is compromised you should always change your passwords. And if you have bad controls elsewhere in your organisation, perhaps if you are bad at removing users who have left, or have a culture of password sharing, occasional resets may still make sense (though a better control for leavers might be to disable dormant accounts, and a better control for sharing would be culture and IT process change).
All in all, this common advice is a big problem. Dogmatic adherence to the solutions of the past against the weight of evidence is not a good basis for decision making. So don’t do it. Set rules that make sense and keep you secure, without making it painful for people to work.
So what does a good password policy look like?
In short, it would put defence before dogma - even if that challenges the expectations of colleagues, customers or regulators.
We’d need to consider both our user guidance, which is often communicated in an acceptable use policy or password policy, and our IT policy which users do not need to know but internal support teams do need to follow.
My recommended user guidance, which we will keep as simple as possible:
Set unique passwords
Set a password that is easy for you to remember, but hard for an attacker to guess. Good advice is to follow ‘three random words’ and maybe change it up a bit with special characters or numbers if you wish.
Don’t share passwords, even if you are asked to or it appears to be urgent.
Tell IT if you think your password is compromised.
Use the company provided password manager if you need to record passwords.
Never use any website or service for work that does not have multi-factor authentication (MFA).
Provide advice on common password practices to avoid, such as using pet names, family names, or hobbies.
Operate a no blame culture when something goes wrong, so users feel they can tell you if they make a mistake.
My recommended IT policy rules, to support this:
Enforce a minimum password length of 12 characters, so users can't select passwords too short to be effective.
Have a minimum password age of a day (so that if their password has to be changed, they cannot reset it instantly to a known compromised password they like).
Preventing recently used passwords from being reused is still a good idea, as they could have been changed because they were compromised.
Do not allow common words such as the company name or the user’s name to be used.
Provide a corporate password vault. It doesn’t have to be costly - off the shelf software such as 1Password, Bitwarden or Dashlane can be procured and enabled in web browsers and on desktops for effective password management of business passwords. This also means IT can help the user if they lose their master password, and remove their access when they leave. Once this is done, lock down web browsers so they do not offer to remember passwords for users. There is really no guarantee these are secure.
If you feel the need, you can require one character that is not a standard lower case letter, such as a capital letter, number or special character - but never all three.
Do not automatically expire passwords. If your other controls over users are very poor (such as a poor leavers process) you might expire them no more than once per year. Even then, it would be better to improve the other controls.
Prevent your IT teams from sharing passwords or requesting user passwords under any circumstances. You will be told this is necessary for IT support, but this is not true. In the very rare circumstances the IT admin really does need access to a user’s account, they can reset the user’s password to a single-use password, do what they need to do, and then have the user pick a new one. But usually they should use their admin accounts, which will be separately secured. If they object and you need a break glass on this, require a very high level of approval. If you ever get a request, you can send them back to fix the process that made it necessary. I can’t stress the importance of this enough - if IT teams ask users to use bad practices,
Require MFA on all accounts where a user needs to log in. Make it a procurement requirement for all new systems, online services, and applications. If an existing application or service does not support MFA, decommission it. To make sure it is decommissioned, have a policy of essential changes only and maintain a list which is monitored regularly by a senior committee until every system follows policy. In most cases, IT teams will be able to implement ‘single sign on’ so users don’t have to use a password at all. But this is not a fun or exciting project, so encouragement is often required. If possible, choose systems which do not use SMS based authentication.
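The string-level rules from the IT policy above, as an added Python example (not the author's or any vendor's code): minimum length, minimum age, no company or user name, a deny list of predictable choices, reuse history kept as hashes, and the optional single non-lowercase character. The company name, usernames, deny list and history depth are constructed sample values; automatic expiry and ‘three of four character classes’ are deliberately absent.

```python
"""Password-policy checks for the IT rules listed above (added example).
Company name, usernames, deny list and history depth are constructed."""
from __future__ import annotations
import hashlib
import re
from datetime import datetime, timedelta

MIN_LENGTH = 12                    # rule: at least 12 characters
MIN_AGE = timedelta(days=1)        # rule: no reset within a day
HISTORY_DEPTH = 12                 # assumption: recent passwords remembered
COMPANY_NAME = "ExampleCorp"       # constructed
# Constructed deny list of the predictable choices the text describes.
DENY_LIST = {"password", "password1", "winter2024", "summer", "liverpool"}
HISTORY_SALT = b"constructed-history-salt:"

# Constructed timestamps used by the demo and the checks below.
EXAMPLE_NOW = datetime(2024, 2, 25, 12, 0)
A_MONTH_AGO = EXAMPLE_NOW - timedelta(days=30)
TWO_HOURS_AGO = EXAMPLE_NOW - timedelta(hours=2)


def fingerprint(password: str) -> str:
    """Hash a password for the reuse history so plaintext is never stored.
    A fixed salt keeps entries comparable across changes (assumption)."""
    return hashlib.sha256(HISTORY_SALT + password.encode("utf-8")).hexdigest()


def name_fragments(username: str) -> list[str]:
    """Split 'jane.smith' into ['jane', 'smith'] so partial matches are caught."""
    parts = re.split(r"[.\-_ @]+", username.lower())
    return [p for p in parts if len(p) >= 3]


def check_password(password: str, username: str, history: list[str],
                   last_changed: datetime, now: datetime,
                   require_one_non_lowercase: bool = False) -> list[str]:
    """Return the rule violations for a proposed password (empty = accepted).

    Deliberately absent: any 'three character classes' rule and any
    automatic expiry, both of which the text argues make security worse."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if now - last_changed < MIN_AGE:
        problems.append("changed less than a day ago")
    if COMPANY_NAME.lower() in lowered:
        problems.append("contains the company name")
    if any(frag in lowered for frag in name_fragments(username)):
        problems.append("contains part of the username")
    if lowered in DENY_LIST:
        problems.append("is a known predictable password")
    if fingerprint(password) in history[-HISTORY_DEPTH:]:
        problems.append("reuses a recent password")
    if require_one_non_lowercase and all("a" <= c <= "z" for c in password):
        problems.append("needs one character that is not a lower-case letter")
    return problems


if __name__ == "__main__":
    for candidate in ("AlienTurtleCabbage", "Password1", "ExampleCorp2024"):
        result = check_password(candidate, "jane.smith", [], A_MONTH_AGO, EXAMPLE_NOW)
        print(candidate, "->", result or "accepted")
```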
One day, passwords will be redundant. Other solutions, such as passkeys, are slowly gaining in popularity. But these have their issues too. For now, the best thing to do is have a password policy that works with your team, not against them.
That is always the most secure solution.
10 steps to effective board leadership on cyber security 21 Feb 2024, 12:27 am

How Boards can clear the path for effective cyber risk management.
You don’t have to be an expert to ask the right questions.
In just a few years, cyber has transformed from the nerd in the corner into the Kim Kardashian of risk. Everyone, it seems, has an opinion on the issue. That’s because it’s serious — businesses can be built on, and destroyed by, cyber risk.
The World Economic Forum’s Global Risks Report has consistently ranked cyber attacks among the top seven risks facing the planet in terms of likelihood and impact, while high-profile CEOs including Warren Buffett of Berkshire Hathaway and Jamie Dimon of JPMorgan Chase see them as the number-one threat to business.
Despite this, a 2019 poll of 1,300 large international organisations by insurance broker WTW found that only 11 per cent of boards have taken direct responsibility for their firms’ cyber security.
Although the private sector’s investment in protective tech and compliance has increased, few business leaders have a clear understanding of cyber risk and confidence that the necessary safeguards are in place at their firms.
By definition the Board of Directors is not hands-on, yet directors have a huge role to play - and boards can take practical steps to improve their cyber leadership and impact their organisation’s cyber security risk.
Here are my top 10 actions boards and non-executive directors can take today, to find a path forward for board leadership on cybersecurity.
1. Lead from the front
Effective cyber security requires strong leadership, starting from the board and extending to the executive overseeing this critical business function.
In many organizations, this sequence is oddly reversed, with boards relying on their security leaders for direction and goals instead of setting them under the executive leader’s advice, as they would for other areas such as marketing or finance.
Engage with your cyber executive to outline the organizational threats comprehensively.
Subsequently, offer clear precise directives on the urgency for addressing these concerns and the acceptable risk threshold. If you are not sure what’s best, ask your CISO for options, then pick the one that aligns best with your risk appetite.
2. Talk to your CISO
Few chief information security officers (CISOs) have a close relationship with the board in their organisations as many do not report to it directly.
Meanwhile, the chief information officer, with a distinct mandate, commonly oversees cybersecurity at the highest level, leading to potential clashes between IT operations and security goals.
Boards stand to gain valuable insights from observing the collaboration between security and technology leaders, making it essential to engage both leaders for comprehensive perspectives and challenge.
3. Ask all the right questions
When assessing your firm's resilience, it is crucial to engage with your security leader for a comprehensive understanding. Tap into their expertise by inquiring about the specifics: identify the data systems and assets, pinpoint their locations, and determine their criticality.
Investigate the potential risk scenarios that pose significant concerns, understand the efficacy of existing controls in mitigating those risks, and establish protocols for promptly detecting and responding to security breaches.
Prepare contingency plans for worst-case scenarios and evaluate the organization's recovery capabilities.
Additionally, consider forming a dedicated committee or involving existing audit and risk committees to provide oversight and insights to the main board. Use the insights from these discussions to inform your strategic analysis and decision-making processes.
4. Demand clarity in reporting
Recent research has identified a significant interest in increasing investments in cyber security among 96 per cent of board members. However, there are barriers preventing this intention from being realized. One issue lies in the qualitative nature of security reporting, where seemingly simple terms like "high," "medium," and "low" risk can lead to varied interpretations and outcomes that may not align with business objectives.
To address this, it is essential to prioritize risk assessments that provide quantifiable insights into the probability and consequences of potential cyber security breaches. By understanding the potential costs associated with an incident, boards can make informed decisions regarding their security investments and ensure that the reported information is accurately understood and acted upon.
5. Skill up your non executive team
Not every company needs a dedicated “cyber NED” director, but it is crucial to have someone on the board who has enough experience and knowledge to ask the right questions of the specialists, and enough knowledge in the rest of the board to have an informed conversation about business risk.
It helps to have someone with relevant experience - this person could have led an executive-level response in the past or observed how other firms’ boards approached a cyber incident.
The challenge here is to get the appropriate skills on your board. Don’t assume that your most technically literate board member, such as a former chief information officer, will automatically fulfil this role. Instead, assess the capabilities of the board and form a plan to address any gaps in knowledge.
6. Play your part in simulations
Our research indicates that only 13 per cent of board members feel they have learnt from the security mistakes their firms have made. A key contributor to this is a lack of understanding about how to handle a crisis. All companies should regularly test their readiness.
This can be done as a desktop exercise, but it’s better if you make it as real as possible. For instance, the IBM X-Force Command Cyber Tactical Operation Center offers a training platform that can run full-scale simulations of cyber incidents. A board member should get actively involved in such exercises to practise how to respond.
7. Have a clear cyber incident communications plan
Serious cyber incidents will hit the headlines, so you need to have a media management strategy ready to limit any reputational damage.
Baroness Dido Harding, TalkTalk’s CEO in 2010–17, sought to do the right thing by making a prompt public announcement when a cyber attack in 2015 compromised the details of millions of customers, yet she still had to handle intense criticism.
Bring in a public relations specialist or crisis management adviser, choose scenarios that most concern you and then stand in front of a camera and, with their help, practise how to handle a grilling from the media.
8. Focus on the human aspects
Cyber risk is seen as an IT issue, but our research shows that 90 per cent of incidents leading to cyber insurance claims resulted from human behaviour.
Your HR, IT and security teams should work together on this — discuss how your company’s culture supports cyber security and risk management.
Boards often ask if their company does cyber training, but how do you know it is not just an annual tick-box exercise, and it actually works?
9. Challenge risk transfer strategies
Cyber insurance is not a get out of jail free card, but many simply accept it at face value. Insurance can help reduce the immediate costs when incidents occur, but really only smooths these costs out over several years.
You need to look at the reasonable worst case scenario rather than the ‘average’ year to make sure you have sufficient cover, and you need to have the right controls or insurers may not pay out. With more cyber incidents relating to geopolitical conflict, war exclusions are a growing issue.
And your insurer may have different ideas to you on how to respond or which support providers to use. Finally, if you do take out insurance and criminals find out, that can make you a more attractive target — so the best cyber policy is a carefully designed and confidential one.
10. Plan for ransomware
Ransomware is a particular evil because it renders data unavailable or harms its integrity. This can be much more operationally disruptive than data loss.
Unfortunately, every time a ransom is paid we encourage the criminals to come back for more. Yet when an incident happens we can feel under pressure from shareholders or insurers to pay.
Instead, define and communicate to stakeholders in advance what you would do. Explain why you would not pay, or when you might, and be clear that you understand the implications either way. Inform your insurance company of your policy to make sure you will be covered if you refuse to pay.
With advance stakeholder support, you can make strong and rapid decisions that customers and shareholders will respect and understand as in the best long term interest of the company.
At the same time, reduce the operational risk by making sure you have segregated backups that can be quickly restored. Ask your CIO and CISO for a plan for ‘recovery from zero’ — no data, no equipment — and make sure the company would survive it.
As a NED myself, I understand this challenge. The above steps can all be taken relatively quickly, and will put your board in a strong position to lead on cybersecurity, as well as providing confidence to your stakeholders and support to your cyber security leaders.
This article is an updated version of an article that first appeared in the UK Institute of Directors’ Director Magazine, and includes further recommendations led by reader feedback that were not included in the original article. Please share your thoughts in the comments below, and I will answer all questions asked.
When Cyber Security Board Reports Fall Short 19 Feb 2024, 1:30 pm
Telling the board about cyber security problems and plans can help a company be ready for and deal with cyber attacks.
Reporting cyber security to the board involves a delicate balance. Cyber security technical details need to be turned into strategic plans that match the organization's risk tolerance and business goals. Cyber security board reports take time and effort to get right - but what can go wrong?

Is your cyber security reporting hard for board members to understand?
The simple truth is that most cyber security board reporting fails due to a consistent set of issues.
Using too much technical language can confuse the board and make it hard to make good decisions. It's essential to communicate in terms the board can easily grasp. It’s your job to take something complex and make it simple. Risk dashboards are good, if they are specific and clear. On the other hand, if your report looks like the one illustrated here (with thanks to AI), it may be your last time in the boardroom for a while.
Not connecting cyber risks to business impact can overlook the importance of cybersecurity. It's crucial to understand how cyber threats can affect the company's finances, reputation, and operations.
Focusing only on following rules can overlook important security issues and new threats. Compliance is important, but it's not the only thing to consider.
Not taking cyber risks seriously can lead to complacency, while exaggerating them can cause panic and waste resources. Striking the right balance is key.
Appearing defensive is also a common issue. Board members are there for their judgement and insight, and will usually see straight through anything that sounds like less than the truth. They can also spot a lack of information; if you do not have enough data it is best to highlight the limitations and how you will be addressing them.
Giving unclear recommendations can confuse the board. Make sure suggestions are specific and actionable to help guide their next steps effectively. Recommendations should be specific, prioritized, and aligned with the organization's capacity to implement them.
Only discussing cyber security in the wake of an incident or during annual reviews is insufficient. Cyber security is a dynamic field, and regular updates are essential to keep the board engaged and informed.
The final frequent error is lengthy reporting. If you have done your job well, you may have multiple projects, metrics, reports and so on to summarise. Summarise them, and take no more than a couple of pages. If it's more than that, ask what can go in an appendix. Having done that, it's easy to drop the appendices from the report and make them available on request or in a reading room.
It's hard, because often you and your team have worked hard to do these. But remember that shorter letters take longer to write than long ones. Being succinct without losing specifics takes time, patience and challenge.

Cyber security board reports don’t have to be complicated. Credit: Dall-e
How can Chief Information Security Officers and cyber security leaders avoid these board reporting pitfalls?
Firstly, you almost certainly have allies. This may include a Chief Risk Officer or Chief Information Officer. They will do their own board reporting, and will be used to the needs of individual board members, including non-executive directors whom you may not see frequently. Ask other leaders what they do, review their reports, and consider whether they are well received.
Ask them to review your report, or mentor you in delivering it. Often others can see things we can't because they have a different perspective. That includes spotting things that make sense to us, but not to anyone else.
Consider whether your reporting is consistent with other leaders who are reporting on similar areas such as risk and IT. Are you sending the same message, or a different one? If different, consider socialising it beforehand with other leaders and explaining why you are taking this to the board.
That does not always mean modifying your message: There was a time when I was advised by many not to mention that we had significant issues to tackle. Surprisingly to many, this was precisely the message the board wanted to hear. Because I had shared and discussed this plan in advance, once the board approved it, the need for a major cyber security program was accepted by senior management, even though the cost impacted other executives’ plans.
Do also familiarize yourself with your board. It's highly likely that board members will be open to telling you directly what they expect, and it's often possible to arrange an informal meeting. Be ready with questions. Learn a little about your board members and the other boards they are part of. Ask them about their experiences and what they found beneficial and effective.
Lastly, prepare and rehearse. In some instances, it took me over a year to perfect a basic template for board reporting, and then a few more years to fine-tune it according to the needs of board members and shifts in the board of directors' priorities and objectives.
Creating board reports is not a simple task, especially in technical domains like cyber security where it's challenging to obtain quantitative data that aligns financial impact or business goals. Effective boards will comprehend this and be ready to collaborate with you on it.
Nonetheless, bear in mind that the majority of the effort lies in the planning and interaction. A presentation to an IT team that lasts an hour might require 10 hours to draft and prepare, while a board presentation of 10 minutes might necessitate 100 hours of preparation.
If you're pressed for time, view it as a chance to pose these questions and initiate a conversation about their expectations. Board members will almost invariably appreciate the transparency and engagement.
How to obtain board support for your cyber security change programme or project
Does moving to the cloud mean compromising on security? 18 Feb 2024, 5:25 pm
Will moving to the cloud improve cyber security, or are cloud services an unnecessary cyber risk?
The transition to cloud computing is an evolution that many organisations are still undertaking to improve efficiency, scalability, and flexibility in their operations.
Cloud services offer recognised advantages, such as moving IT infrastructure costs from capital expenditure to operating expenditure, enhanced governance, and better collaboration. However, they also introduce specific security considerations that need to be addressed to protect systems and data from compromise, and to maintain legal and regulatory compliance.
However, some organisations are now moving back to on-premise systems due to concerns around high operational costs, cloud performance issues, or cyber security.
Clearly, the cloud is not the panacea some thought it would be. But can it be secure, and if so - how?
Data Protection and Encryption
One of the primary concerns when moving to the cloud is the protection of data, both at rest and in transit. Data encryption is a fundamental security measure that should be implemented to safeguard information from unauthorized access. Organisations should ensure that their cloud service provider offers robust encryption methods for data at rest and in transit. Additionally, the use of encryption keys must be carefully managed, with keys securely stored and access strictly controlled.
Access Management and Identity Authentication
Effective access management is crucial in a cloud environment to prevent unauthorised access to data and resources. Organisations should leverage identity and access management (IAM) solutions that provide multi-factor authentication (MFA), role-based access control (RBAC), and the principle of least privilege, to minimise the risk of compromise. It is also essential to regularly review and update access permissions to reflect changes in roles and responsibilities within the organisation.
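The regular permission review described above can be partly automated. As an added example that is not part of the original post, the script below reviews an AWS-style IAM policy document for least-privilege and MFA problems; the policy, its statement ids and the bucket name are constructed for illustration, and the checks are a starting point rather than a complete audit.

```python
"""Least-privilege review of an IAM policy document (added example, not from
the original post).  The policy below is constructed; 'example-app-data' is a
placeholder bucket name."""
import json

SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        # Narrow read access to one bucket: the shape we want to see.
        {"Sid": "ReadAppData", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-app-data",
                      "arn:aws:s3:::example-app-data/*"]},
        # Service-wide key administration on every resource, no MFA required.
        {"Sid": "KeyAdmin", "Effect": "Allow", "Action": "kms:*", "Resource": "*"},
        # Full admin, but at least gated on an MFA-authenticated session.
        {"Sid": "BreakGlass", "Effect": "Allow", "Action": "*", "Resource": "*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    ],
})

# Services whose actions should always sit behind MFA in this review.
SENSITIVE_SERVICES = {"iam", "kms", "sts", "organizations"}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def has_mfa_condition(stmt):
    """True if the statement requires aws:MultiFactorAuthPresent to be true."""
    cond = stmt.get("Condition", {})
    for operator in ("Bool", "BoolIfExists"):
        flag = cond.get(operator, {}).get("aws:MultiFactorAuthPresent", "")
        if str(flag).lower() == "true":
            return True
    return False


def review_policy(policy_json):
    """Return a list of (sid, severity, message) findings for Allow statements."""
    findings = []
    doc = json.loads(policy_json)
    for i, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; not reviewed here
        sid = stmt.get("Sid", f"Statement{i}")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))

        if "*" in actions:
            findings.append((sid, "HIGH", "grants every action (*)"))
        elif any(a.endswith(":*") for a in actions):
            findings.append((sid, "MEDIUM", "wildcard action on a whole service"))

        if "*" in resources:
            findings.append((sid, "MEDIUM", "applies to every resource (*)"))

        sensitive = [a for a in actions
                     if a == "*" or a.split(":")[0] in SENSITIVE_SERVICES]
        if sensitive and not has_mfa_condition(stmt):
            findings.append((sid, "HIGH", "sensitive actions without an MFA condition"))
    return findings


if __name__ == "__main__":
    for sid, severity, message in review_policy(SAMPLE_POLICY):
        print(f"{severity:6} {sid}: {message}")
```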
Compliance and Regulatory Requirements
Organisations must adhere to regulatory requirements and industry standards to protect sensitive information in the cloud. Compliance frameworks such as the General Data Protection Regulation (GDPR) in Europe, the Health Insurance Portability and Accountability Act (HIPAA) in the United States, and the Payment Card Industry Data Security Standard (PCI DSS) provide guidelines for data protection. Before migrating to the cloud, organisations should ensure that their CSP complies with relevant regulations and that they understand their own responsibilities in maintaining compliance.
Shared Responsibility Model
The shared responsibility model is a fundamental concept in cloud security, delineating the security obligations of the CSP and the customer. Generally, the CSP is responsible for securing the infrastructure that runs all the services offered in the cloud, while the customer is responsible for securing their data, applications, and identity management. Understanding the demarcation lines of this model is crucial for implementing effective security measures and avoiding gaps in security coverage.
Continuous Monitoring and Incident Response
Continuous monitoring of cloud environments is essential for detecting and responding to security threats in real-time. Organisations should implement security information and event management (SIEM) systems, intrusion detection systems (IDS), and other monitoring tools to identify suspicious activities and potential breaches. Additionally, having an incident response plan specifically tailored for the cloud is crucial to quickly and effectively address security incidents when they arise.
So should I go to the cloud - or return to on premise?
Moving to the cloud introduces a range of security considerations that organisations must address to protect their data and ensure compliance with regulatory requirements. These are the same risks that exist for on-premise IT infrastructure, but the controls and solutions are often different. By focusing on data protection, access management, compliance, understanding the shared responsibility model, and implementing continuous monitoring and incident response strategies, it is possible to mitigate risks and gain the benefits of cloud computing securely and efficiently.
As cloud technology evolves, organisations will still need to regularly reassess their security posture and adapt to new threats and challenges to maintain the integrity and confidentiality of their data in the cloud.
Very few organisations could replicate the resources that companies such as Amazon, Google and Microsoft can put into the security of their platforms, but it’s what - and how - you build on those platforms that matters.

Cloud security means multiple teams with a shared responsibility.
How to get fast board buy-in for your cyber security project 14 Feb 2024, 10:47 pm

To experts, the business case for cyber security change programmes can seem clear as day — it can be hard to understand why rational business leaders may say no to investment. Yet they do.
Here’s how to get a yes.
Winning board support for cyber security projects is a critical challenge for security leaders and Chief Information Security Officers.
Recently I was asked by a CISO (let’s call him Robert) why his Risk Committee pitch was not being heard. This was not an issue of slide content: the topic was important and the case for change was clear, but the committee simply did not seem engaged at all.
He is far from alone in this problem, with research indicating that some 75% of board members want to spend more on cyber than they do in practice.
This is a significant problem for security leaders, as a large part of leadership in cybersecurity is convincing stakeholders that supporting a proposed change is the right thing to do.
For Robert, the issue was not that he was losing the committee’s attention, but rather that he was never winning it in the first place.
He was not wasting their time. He had been told he would only have five minutes, and had prepared accordingly, so as he sat outside the boardroom waiting to be called in he was confident. At the previous meeting he had explained to them that some 80% of the company’s externally facing applications had never had a security assessment, and so the organisation was taking a significant level of risk — with a future breach a near certainty. The committee had asked for his proposal to fix this, and he was ready to go straight in.
Robert jumped in with the plan - “further to my last report, we propose to invest $400k assessing the risks of our legacy websites. We have failed to take action in the past, and if we do not address this now we run a significant risk”. He went on to show that the risk exceeded the cost to fix by a factor of 10 times, that they were ready to start, and that the project could be delivered within 12 months.
It seemed cut and dried: he had the analysis in his report to back it up, and the funds were available to do it.
The committee should have been engaged but they were drifting to their phones and laptops. The result was uncertainty from committee members and a request for a further report in 3 months — during which time, Robert knew, the risk could easily materialise into a major cyber security incident.
Robert was clear about the audience and the pitch, however because he did not renew their attention from the previous meeting the rest of his pitch fell on deaf ears. He forgot that in the time since they last heard from him the committee’s attention had been on many other matters, and he would need to remind them why this was important and deliver a structured case for his plan.
In his defence, there was no time for a full 30-minute presentation, and delivering a structured business case in a few short minutes seemed impossible.
It’s not.
By using the simple 10 step method below, you can deliver an effective pitch and ensure that you have the attention of the room throughout.
The 10 steps to cyber security board pitch success
1. Purpose
State simply the decision required so everyone is clear what they are being asked for. For Robert, this could be “I am requesting the committee’s support for a $400k spend over 12 months to address legacy application risks”.
2. Engagement
Obtain engagement by highlighting why the issue matters in as few words as possible, connecting with any previous discussions to refresh memories. For example “In my March report, the committee recognised that this was a critical and urgent issue and commissioned me to draw up a plan to address it”.
3. Empathy
Recognise the decision that the group has to make, whilst avoiding any appearance of blame. Whether right or wrong, past decisions were made for a reason and there is usually no need to pick them apart or challenge them. “Recent incidents in the industry have shown that this now poses a much greater risk than we knew when these systems were introduced”.
4. Problem
State clearly what the actual problem is. “We have 420 legacy apps of which only 31 have been assessed. Of those assessed 27 had critical issues — so we estimate that approximately 90% of the remaining sites will have issues we will need to address quickly”.
5. Impact
This is business impact, not technical impact. If you have done a quantitative analysis this is where to raise it. If you have not, a qualitative comment will often suffice. “Many of these sites hold confidential data on our customers. If this is breached we will lose their trust and suffer significant costs, fines and penalties”.
6. Solution
Provide the answer. This is what Robert jumped to directly — he spent all his time here, which is why he was not heard. We are only seven sentences into our pitch now (count them!), but those seven sentences really matter. Now we are all on the same page and ready to hear the proposal. “We will assess 35 sites a month on a risk prioritised basis over the next 12 months to cover the remaining 389 sites before the end of the year. As soon as we become aware of issues we will commence remediation, and we will report back to the committee quarterly on progress”. Offering to report back helps to build confidence and trust.
7. Obstacles
Acknowledge any expected challenges in delivery. If you have done your research, you will understand the interests of those around the table and be able to instinctively spot the questions they are likely to raise. Even if not, major concerns are often easy to see by looking at it through the eyes of stakeholders. Usually these are political, resource related, or confidence related. “We know this will take some time for the application support team, and they are under pressure right now due to major system upgrades.”
8. Resolution
Address the obstacle head on. “We have spoken to the Application Support Manager and IT Director, and confirmed that we can schedule work away from the end of the month when they are busiest”.
Note — you may need to repeat steps 7 and 8 if there are a couple of issues you know will be raised. If there are more than two, create an appendix and refer to it: “We have socialised the plan widely and have addressed the key issues as shown in Appendix 1. I will be happy to discuss this further with you if there are any concerns”.
9. Proof
Social proof is not a wild-eyed theory. Most rational human beings want to know that regardless of your internal analysis, there is some external frame of reference. If you don’t address this directly, you may be asked to pause to get an external view. It’s not personal. The good news is that it can be addressed quickly: “Our competitor XYZ Plc implemented a similar approach over three years — however given their major breach last month, a year into their program, we believe we should move faster”.
10. Ask
This means going back to the beginning and the original request. “I would like to request the committee’s approval for the program as proposed”.
As you will see, this is quick to do - as little as 13 sentences.
It takes the audience with you as an ally, rather than appearing to apportion blame or responsibility for the status quo. It uses your prepared presentation for support, but does not assume pre-reading or duplicate its content. It has a clear beginning, middle and end: saying what you will cover up front to avoid surprises or lack of clarity about the ask, covering it concisely in business terms and addressing any areas of contention, then reminding the audience what you need from them.
And you can do this in less than five minutes. Have a try.

Lessons from the MGM cyber attack 14 Feb 2024, 10:13 pm

On September 12, 2023, MGM Resorts International experienced a cyber attack that resulted in them shutting down their systems. The investigation is ongoing, but crime groups Scattered Spider and ALPHV are believed to have used social engineering to hack into the company.
What do we know now? And what can companies do to avoid being the victim of such scenarios?
The MGM system shut down
MGM tweeted on September 12 about a “cybersecurity issue affecting some of the company’s systems.” They had to shut them down to protect customer data and their entire infrastructure. However, the issue persisted for several days, with hotel customers unable to use their digital room keys and slot machines not working at all. As of writing, the company has not made any updates on whether or not the system shutdown has been resolved, announcing only that they are continually working on resolving the issue.
Cause and culprits: What happened?
The primary suspect in the incident is Scattered Spider, a hacking group composed of people in their late teens and early 20s. ALPHV, a ransomware-as-a-service company, is also claiming responsibility for the incident, and they are denying that Scattered Spider had a role to play in the incident.
Whichever group is the culprit, they installed ransomware that allowed them to encrypt the system and demand payment in cryptocurrency. The hackers will only provide access to the files, data, and systems if MGM Resorts International sends the ransom.
To hack into the MGM system and install ransomware, Scattered Spider used “vishing,” a type of social engineering tactic similar to phishing. Instead of using email, they called unsuspecting members of the company and convinced them to divulge sensitive information. Hackers used a LinkedIn profile to pose as an employee. Then, they called the MGM Help Desk and stole security credentials after convincing an employee to share them.
MGM’s steps to solve the issue
MGM did not rush to make public announcements declaring the issue resolved. On September 14, they posted a statement on X (previously Twitter) mentioning that they are working on resolving the issue. This declaration was accompanied by a reassurance that their resorts are staying open and that they are still dedicated to addressing their guests’ needs.
Effect on guests and the company
Inconvenience may be the most notable impact on customers. Since systems were shut down, MGM employees had to manually handle many processes, such as checking in guests and providing receipts for casino winnings. There have been reports of long lines as MGM goes manual.
The full extent of the incident’s damage to MGM Resorts International is yet to be determined. In addition to financial costs, guests and customers may also lose trust in the company since their personal information may have been compromised.
In the long term, customers’ private information might be at risk. Most people who play at casinos or stay in hotels generally want their transaction details and personal data kept private from prying eyes.
Measures to implement against vishing
Allegedly, it took only a 10-minute phone call to attack MGM and shut down its systems. Vishing is a new threat that uses social engineering concepts from phishing but at a much faster execution rate. One reason why vishing becomes effective is that, unlike email, phone calls provide a sense of urgency. The receiver may feel more inclined to share information thanks to this demand for immediate action. In addition, hackers may pose as trustworthy or high-ranking members of a company, adding a layer of legitimacy to the request.
As new tactics like vishing become more prevalent, companies must go beyond just training for phishing scams. There should be a protocol to help verify the identity of a caller claiming to be a part of the company, before taking actions based on a call. In addition, cybersecurity training for employees should also address vishing tactics. In this case, focussed supplementary training targeted specifically at service desk staff may have helped.
Vishing works because it relies on hasty reactions, bypassing logic and reason too easily because we are programmed to want to help. To avoid this type of scenario, employees must be able to discern language and methods designed to appeal to their emotions, especially the fear of disobeying orders or inherent trust. This practice will allow them to detect impersonators and avoid divulging sensitive information.
How to protect from vishing attacks
The cyber attack on MGM is a sobering reminder of how cyber attack tactics are rapidly evolving. With the rise of vishing and the growing risk of AI generated attacks, it may be time to re-evaluate your approach to phishing training to include this method, and support this through more effective technical measures.
Good controls to protect against this would include:
Training service desk staff to know what to look for
Authenticating callers, using multi-factor authentication where possible
Avoiding reliance on SMS based authentication as this is a proven attack method
Minimising admin and superuser credentials available to desk staff, or implementing additional approvals or 4-eyes review for high risk support transactions
Considering passwordless security options and additional authentication for high risk data
Improving monitoring of data access to identify and alert on unusual data access patterns.
Applying zero trust concepts so that data access transactions are continuously authenticated, rather than relying on network logon controls and trusting what happens next.
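Several of the controls above (authenticating callers with a strong factor, not trusting SMS alone, and a 4-eyes review before touching admin credentials) can be written down as a policy the service desk runs before acting on a call. The following is an added example, not from the original post or from MGM; role names, factor names and the sample requests are constructed for illustration.

```python
"""Service-desk credential request policy (added example, not from the post).
Role names, factor names and thresholds are constructed for illustration."""
from dataclasses import dataclass, field
from enum import Enum
from typing import FrozenSet, List, Optional


class Factor(Enum):
    """Ways the desk can verify a caller.  SMS is recorded but never sufficient."""
    SMS = "sms_code"
    PUSH = "authenticator_push"
    HARDWARE = "hardware_token"
    CALLBACK = "callback_to_number_on_record"


STRONG_FACTORS = {Factor.PUSH, Factor.HARDWARE, Factor.CALLBACK}
# Constructed role names standing in for admin / superuser entitlements.
PRIVILEGED_ROLES = {"domain_admin", "idp_super_admin", "dba"}


@dataclass
class ResetRequest:
    account: str
    roles: FrozenSet[str]
    verified: FrozenSet[Factor]      # factors the caller actually completed
    urgency_claimed: bool            # caller pressed for immediate action
    handled_by: str                  # analyst taking the call
    approver: Optional[str] = None   # second analyst for 4-eyes review


@dataclass
class Decision:
    allow: bool
    reasons: List[str] = field(default_factory=list)


def assess_reset_request(req: ResetRequest) -> Decision:
    """Decide whether the desk may act now; every refusal carries its reason."""
    decision = Decision(allow=True)

    def deny(reason: str) -> None:
        decision.allow = False
        decision.reasons.append(reason)

    strong = req.verified & STRONG_FACTORS
    if not strong:
        deny("caller not verified with a strong factor (SMS alone is not accepted)")

    # Urgency is the lever vishing relies on, so an urgent request is verified
    # out of band rather than acted on faster.
    if req.urgency_claimed and Factor.CALLBACK not in req.verified:
        deny("urgent request requires a callback to the number on record")

    if req.roles & PRIVILEGED_ROLES:
        if req.approver is None:
            deny("privileged account: second analyst approval (4-eyes) required")
        elif req.approver == req.handled_by:
            deny("4-eyes approver must be a different analyst from the handler")
        if len(strong) < 2:
            deny("privileged account: two independent strong factors required")

    return decision


# Constructed sample requests: a standard user verified only by SMS, an urgent
# admin reset with one factor and no approver, and a properly verified admin reset.
SAMPLE_REQUESTS = [
    ResetRequest("j.smith", frozenset({"staff"}), frozenset({Factor.SMS}),
                 False, "analyst1"),
    ResetRequest("svc-admin", frozenset({"domain_admin"}), frozenset({Factor.PUSH}),
                 True, "analyst1"),
    ResetRequest("svc-admin", frozenset({"domain_admin"}),
                 frozenset({Factor.HARDWARE, Factor.CALLBACK}), True,
                 "analyst1", approver="analyst2"),
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        d = assess_reset_request(req)
        print(req.account, "ALLOW" if d.allow else "DENY", d.reasons)
```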
Project assurance skills and Prince 2 for IT auditors 13 Feb 2024, 11:45 pm

The challenge of IT Project Assurance
Project assurance can be a challenge; change programmes are notoriously complicated with many dependent parts contributing to an overall goal. Project managers often have a different view of success to their sponsors. Processes, governance, control and approach vary wildly. Controlling projects through effective change management and governance increases delivery cost, and should reduce delivery risk accordingly. But sometimes it just increases cost, and it all goes wrong anyway.
If you’re auditing projects, you may not have run major projects. So it’s important to keep an open mind. Often what appear to be deficiencies may not be, and just as often a minor deficiency can disguise major problems.
So assuming you want to improve your skills in this area and also perhaps provide some extra credibility to management, or demonstrate awareness to an auditee, you might decide to do some training. In the UK, project management training tends to comprise one of:
Training in software development methodologies such as Agile. Essential, but a little beyond our scope here as we are looking at all types of change project.
Informal or internal training in your company’s approach. You may not get this by default, but if your company trains their project managers internally they will often be happy to have you learn with them too.
The Project Management Institute’s PMP, and related professional project management qualifications. The accessibility of these varies as practical experience requirements are more geared to dedicated project and change management professionals. That said, there is now a project risk management qualification available that would be well suited to anyone looking at project assurance and IT project auditing.
Prince 2, a project management methodology (available globally, but more recognised in the UK) that is designed for larger projects, with its own qualification that can be done in about a week.
The rest of this article discusses Prince 2, for two reasons. Firstly, I’ve done it myself so I know what I’m talking about. Secondly this article is about enabling qualifications for IT audit careers, and this is one you can do. For other suggestions, skip to the end.
Prince 2
Prince 2 is a project management methodology for running controlled and managed projects and programmes. It was originally established by the UK government, and whilst there’s not a lot of evidence that they are any good at project management – and plenty of evidence to suggest they can be rather bad at IT project management – the methodology itself has been picked up by the private sector as a thorough approach to managing a project in a controlled way, and is now used globally with some success. Relatively few organisations apply it ‘by the book’ – most will adapt it to their own needs and risk profile.
How can I become a Prince 2 Practitioner?
You will need to undertake a course, normally around 5 days long, and two multiple choice exams. The first, Prince 2 Foundation, is fairly straightforward, closed book, and most course providers run this on the afternoon of the second day or the morning of the third day of the course.
The second exam, Prince 2 Practitioner, requires you to stay awake and pay attention all week whether you have prior project management experience or not. You’re allowed to take the manual to the second exam, but it won’t help much as there is a time limit. The best exam tip is to make sure you know exactly where everything is in the manual, so if you have time at the end you can go through the questions you’re not sure about with the manual to hand.
What does Prince 2 cover?
The syllabus is based on the manual originally produced by the Office of Government Commerce (OGC), and is designed to enable you to manage a project using a defined methodology. As a result, it doesn’t cover other approaches to project management. The other point to note is that whilst it will explain the process, it doesn’t help you assess its appropriateness or applicability in your organisation or project.
What does it cost?
The fees are set by course providers – in the UK, expect to pay anything from £1,000 to £5,000, including the manual and exam fee. You can, in theory, take the exam directly. It’s more expensive though, and no-one does. To make sure you get value for money, ask around to find the good trainers and course providers in your area. Whilst it’s not cheap, pass rates are fairly good and arrangements can be made to resit.
How long will it take?
Generally a week. If you’re not familiar with project management, it’s a good idea to spend some time getting familiar with the approach first.
Do I get letters after my name?
You can call yourself a ‘Prince 2 Practitioner’. That’s quite a lot of letters though, so it’s one for the CV rather than the business card.
Do I need to do CPD?
No. The certification is valid for five years, after which you need to sit an update exam. Usually, this is done as part of a short refresher course.
Is it for me?
I certainly learned a lot about why managed projects go wrong, and why they cost so much!
If you audit projects run along fairly traditional lines or in a bureaucratic manner, it’s the most appropriate project management certificate. If you audit public sector projects in the UK, it’s a no-brainer. If, however, you spend your time with software development teams who use words like ‘agile development’ and ‘extreme programming’, you may find it harder to apply in a meaningful way.
If you’re not sure what approach your organisation takes, speak to the project managers and ask them if their methodology is based on or developed from Prince 2. If the answer is yes, Prince 2 Practitioner will raise your credibility and help you understand their approach, how major change programmes are governed and controlled, and what can go wrong.
How do I get started with Prince 2 Practitioner?
Visit the Axelos web site to find out more about Prince 2, or do a web search for training courses near you.
I like efficiency. What could I do instead?
Look at PMP-RMP. And agile, because agile development principles can be applied very successfully to projects in any field, well beyond software development! There’s even a Prince 2 Agile certification now.
A personal experience of CISSP boot camp 11 Feb 2024, 10:18 pm
Information risk and security is an infinite field of work and study. You can spend your whole life trying to gain the width or depth of knowledge necessary to do the job competently, and every day feel you know a little less than the day before.
At the same time, it’s one of the least mature professions you can find. It has been borne from a computing industry less than a century old, yet in many ways has grown beyond it. It’s often unclear whether it is a technical field or a management one, with passionate advocates arguing both that there are too many policy wonks and it’s time to get back to our technical roots, and that there are too many technical specialists who can’t see the wood for the trees.
Choosing CISSP
Against that background it is no wonder there is a deep cynicism of training programmes and professional qualifications in particular. The one qualification that employers seem to value above all others (apart from experience) is CISSP. It requires both technical understanding and business context. As such, it’s seen as rather hard and therefore a good differentiator.
With that in mind I decided to try my hand at it last year. Comments from industry colleagues and a quick reading of the syllabus convinced me that, whilst I’d have to call on all my experience in IT, business and risk, I would also need some form of refresher training to stand any chance of passing. In some areas my knowledge lacked depth, in others width. I also lacked time.
Choosing Firebrand
I rapidly found that the information security training market was fragmented with no clear or consistent view of the quality of courses of training providers. I was particularly concerned that it would be impossible to cover the CISSP syllabus in a short course. After some months looking in detail into the options and talking with colleagues, I picked a 7 day residential intensive CISSP boot camp from training provider Firebrand, and tried to arrive with an open mind.
I was pleased I did.
The Course
The instructor – flown in from the US for the course – was unquestionably an expert and able to explain theory both clearly and quickly. This was essential, as to pack the course into the week and get us prepared for an exam on day seven required an early morning start, full morning and afternoon sessions, and for many a return after dinner for more study. We rattled through at a rate of two domains per day for the week, returning at the end of the week to those areas generating most concern.
The hardest thing about such an intensive programme was staying awake and engaged, but fortunately the sessions were run in an interactive way that maintained interest for most throughout. It was sometimes brain overload, but that is I am sure inevitable given the nature of the syllabus.
Course materials were good, being based on ISC2’s official guide to the CISSP examination, complemented by an instructor who knew the strengths and weaknesses of the text and where to look for additional information and explanations.
Facilities
The location itself was a self contained business park and golf centre with an on site gym and plenty of car parking and fresh air, easy to find and just off the main road. For supplies the nearest supermarket was about 5 minutes in the car, though with stationery, food and coffee included there wasn’t really anything you needed.
Given the intensive nature of the week you do need good accommodation, excellent food, and opportunities to relax. I rapidly found the gym next door (full gym facilities including a pool, with day membership available from the centre for a fiver), whilst others, including the instructor, were braver and opted for the bar. By day 2 I had a routine going – gym, breakfast, course, lunch, course, dinner, and back to my room to catch up on the world. It worked.
The food was excellent and there was always enough of it, although you had to order at lunchtime and it was easy to forget your choice at the end of the day.
The accommodation was basic but clean and acceptable (good bed, desk, chair, television, plenty of plug sockets and free coffee) and let down only by poor mobile reception indoors. Fortunately reception outside the building was just fine. However, there is really no excuse for not having free wifi!
The CISSP Exam
Exam day itself was almost an anti-climax, with a fairly leisurely start. The exam is scheduled to last 6 hours, but time is not the issue. Nor was refreshment – lunch was laid on in the next room and you took a break for lunch in small groups, basically when you wanted to. The issue with this exam is resilience – after about 100 questions I felt I was losing the will to live, and there are 250 in the exam. Still though the course content and the focus of the instructor was a genuine help, and I came back time and time again to elements of the week that, by putting what you know in the context of ISC2’s requirements, helps you answer the question.
People started walking out after about two and a half hours, and I left after three having completed the paper and decided there was no point going back over my answers – that way lies madness! Some others were just leaving when I got back from my post-exam trip to the gym next door, so a few used the full six hours.
Did I pass at the end of the week? Yes, though I didn’t do so well on the mock tests they set during the course and I don’t know whether I would have passed without the course. Part of it is about attitude and approach and understanding the style of questions, and you can’t learn that from a textbook.
Would I recommend it? Absolutely. At the end of the day, this is not an exam you want to do twice! I did gain more than a piece of paper, and a year on I still use the knowledge I gained in my work. If you are going to do CISSP or a similar certification, this is the way to do it.
Footnote
As a brief update, this was written in 2004 and updated slightly in 2024. With a few small differences (such as online rather than paper based exams), it still stands. And I’m still in cybersecurity.
Useful links:
Should I get CISSP Certified? 11 Feb 2024, 9:57 pm
The focus of CISSP is purely Information Security. Having said that, it’s a very big field. CISSP’s reputation as a certification is for being ‘a mile wide and an inch deep’. In fact it’s so wide that rather like the Great Wall of China, you can probably see it from space.
That, and not technical depth, is what makes it hard. That’s a limitation too - CISSP means you understand something, but not that you know how to do it. And that does make sense, because it is extremely wide and you can’t possibly be an expert in everything.
However, it is not an auditor-specific qualification so it is complementary to CISA rather than an alternative to it. It’s a demanding, well thought out, and well managed certification that commands considerable respect, in some quarters more so than CISA and CISM (though I’m not sure that’s fair), and much as with these others if you see it as a learning experience rather than a rubber stamp, you’ll get a huge amount out of it.
How can I obtain a CISSP qualification?
You need to pass an exam and evidence 5 years of relevant experience, then get an endorsement. Sounds straightforward? Perhaps, but the exam is a six-hour marathon consisting of a vast array of intentionally confusing questions covering everything from the obvious to the extremely obscure. The field it covers – review the CBK or ‘common body of knowledge’ maintained by ISC2 – is vast and detailed.
There are lots of reasons not to do this exam. You can study for ages, but not know whether you know enough to pass. You can know everything, but not like their take on multiple choice questions – or you can just be a bit too slow. For some the biggest reason not to do it is the sheer length of the exam, for others the breadth of the syllabus. A few have complained that food and water was not available – I’m told this is better now. For others still, it’s the fact that good people do fail.
ISC2 really should look at splitting the syllabus into several shorter hour exams to do it justice. But all in it is a good test.
Once you’ve done it you haven’t proved your a good IT auditor or Information Security practitioner, but you’ve proved you know your stuff.
The exam is not impossible or unreasonable – if you know the material you could even say it’s not particularly difficult – it just requires you to understand what you’re doing, as well as know what you’re doing. As it should, after all. Whilst it’s a 6 hour exam, you don’t need to use all the time and I did it in just over 3 hours, including checking over my work. That said, I know people who are just as technically capable as I am, if not more so, and took close to the full time allowed. Take the time you need, it’s a marathon not a sprint.
The experience is easier, if it takes a little longer – 5 years experience in information security, with 1 year off for a degree. There are no extra years off for other qualifications, but really don’t do CISSP unless you’ve been doing something relevant for the last five years as you probably won’t pass the exam anyway. If you’re light on experience you may wish to consider ISC2’s slightly lighter SSCP.
What does CISSP cover?
The syllabus is governed by the ISC2 CISSP CBK – it’s a lot of letters to describe a lot of content, and pretty comprehensive. If you’re a business policy wonk, be prepared to understand the underlying principles of networking and cryptography. If you’re a network monkey, be prepared to understand business, governance and risk.
The areas covered are:
Security and Risk Management
Asset Security
Security Architecture and Engineering
Communication and Network Security
Identity and Access Management (IAM)
Security Assessment and Testing
Security Operations
Software Development Security
There were 10 domains when I did it, but that doesn’t mean it’s any easier.
What does CISSP cost?
The exam is around $500 (assuming you enrol well in advance), but the main cost is training. Unless you’re supremely confident or just enjoy resitting exams, it’s definitely worth investing in a training course. Don’t accept anything under 5 days, and be sure to do the homework – a course that long can’t possibly teach you everything you need to know, so see it as a revision course and read around the syllabus in your weaker areas beforehand.
Be prepared also for travel costs unless you live in a major city, and keep an eye on exam dates as they often get booked up well in advance. You could do a lot worse than to sign up for a course that ends with the exam – the knowledge will be fresh, even if you might be tired! As for the cost of the course – expect to pay between £300 ($400) and £600 ($800) a day in fees for most courses, plus VAT or sales tax, along with accommodation and travel costs. To a large extent you get what you pay for, but do your research and ask for referrals from friends or colleagues for course providers and specific tutors – it makes a big difference to how much you learn.
How long will CISSP take?
It varies depending on you and the time you have, but allow at least 3 months from registration to sitting the exam and allocate some time each week to go through each area of the syllabus. If you have information security or IT audit experience, good IT knowledge and a strong background in business, a one week training course followed by the exam may be enough. If there are gaps in your knowledge or you’re relatively new to the profession (less than 5 years proper experience leading audits or managing an Information security team), you will need more time and might want to consider doing something like SSCP, CISA or CISM first. You will want to take relevant courses, read up in weak areas, and spend a few months preparing for the exam. If you’re weaker in one area, it might be worth doing a course in that area first, or trying to get some on the job experience that covers it to make it easier to understand where the examiners are coming from.
Add several months if you have to resit. If you’ve done a six hour exam once, you definitely won’t want to do it three times.
“I passed, but I certainly wasn’t confident I had despite getting 90%+ on my “test” papers. But as I’d read, most people do leave with no idea how they’ve done. The worst part is the questions you agonise over and will probably never know what the “best” answer was….”
Do I get letters after my name?
Yes, you can use the letters CISSP, as long as you keep your certification up to date. The letters are worth a fair bit on the recruitment market, particularly if combined with CISA for auditors, CISM for security managers, or good technical qualifications.
Do I need to do CPD to retain my CISSP qualification?
Yes. You need 120 CPD points over three years, and at least 20 each year. Because of the way it’s calculated it’s quite a lot and recording it is a nuisance, and for the privilege of doing this you get to pay an annual fee. However as the alternative is to resit the exam, I recommend the CPD option – strongly.
Is CISSP appropriate for me?
Yes, if you’re an experienced professional looking to demonstrate general business competence and identify any critical gaps in your knowledge. Rightly or wrongly, CISSP is the one ‘must have’ IT security qualification from a recruitment perspective, and everyone will learn something by doing it.
No, though, if you’re new to IT audit or Information Security, even if you already have some IT experience. It’s the closest there is to a gold standard, but it’s not easy for newbies. If you’re new to Information Security or IT audit or looking to move in that direction from a relevant IT or operational field, maybe pass on CISSP for now and look at CISA or CISM as a qualification with a slightly narrower remit that will be easier to grasp, then follow up - CISSP just doesn’t make much sense without supporting real life experience.
How do I get started with a CISSP certification?
Visit the CISSP pages on the ISC2 web site and join, then pick a training provider.
Should I take a course, who with, and where can I do it?
There are lots of options. A good one is to do a one week boot camp course that leads up to the exam on the final day. Find out about my experience of CISSP training here.
Should I get CISM Certified? 11 Feb 2024, 9:15 pm
The Certified Information Systems Manager (CISM) qualification is provided by ISACA, and roughly on a par with its CISA IT audit qualification.
It is a certification for IT security managers, and like CISA tries to strike a balance between technical IT knowledge and business understanding, with a focus on information risk management, information security governance, incident management, and developing and managing an information security program.
It requires a four hour multiple choice exam and five years relevant experience in an information security management role, although part of this can be waived for other relevant experience. Holders can use the post-nominal letters ‘CISM’, and their status can be verified on ISACA’s web site.
How can I obtain a CISM qualification?
There are two things you need to do to qualify: Pass a multiple choice exam, and demonstrate relevant experience. As with other ISACA qualifications, you can get a year or two off the experience requirement from relevant degrees and qualifications. You will also need to:
Adhere to the Code of Professional Ethics – Agree to adhere to the ISACA Code of Professional Ethics, which sets the standards for professional behaviour and competence.
Submit the CISM Application – After passing the exam, submit your CISM application, verifying your work experience and adherence to the Code of Professional Ethics.
Adhere to Continuing Professional Education (CPE) Requirements – Maintain your CISM certification by earning and reporting CPE hours annually, ensuring you stay updated on the latest developments in information security.
What does it cover?
The syllabus is split into four domains. You need to do well in all areas to pass the exam, but just like CISA, some areas are more important than others:
Information Security Governance (17%)
This domain will provide you with a thorough insight into the culture, regulations and structure involved in enterprise governance, as well as enabling you to analyse, plan and develop information security strategies.
Any wider information security management experience, and other qualifications such as ISC2’s SSCP or CISSP, will help you with this.
Information Security Risk Management (20%)
This is about being able to analyse and identify potential information security risks, threats and vulnerabilities as well as giving you all the information about identifying and countering information security risks you will require to perform at management level.
Any previous experience in operational risk, or wider risk management certifications, will help you here.
Information Security Program (33%)
This domain covers the resources, asset classifications and frameworks for information security as well as managing information security programs - including security control, testing, communications, and reporting and implementation.
Incident Management (30%)
This domain provides in-depth training in risk management and preparedness, including how to prepare a business to respond to incidents and guiding recovery. The second module covers the tools, evaluation and containment methods for incident management.
This does not require hands-on forensic experience - it is about managing incidents rather than the technical handling. However, if you do have a background in security operations (SOC), incident response (CERT), or forensic processes, this will help.
Is it suitable for IT Auditors and assurance professionals?
It’s a great option for those looking to demonstrate knowledge of information security - a domain that is also 26% of the CISA qualification. It’s also a great idea if you are looking to transition from IT Audit to Information Security Management or Cyber Security disciplines in the future. Whilst not by any means necessary, quite a lot of people have both CISA and CISM as they build on each other well. The alternative ‘addition’ to CISA would be ISC2’s CISSP - many who have moved from IT audit to information security, me included, have CISA and CISSP. However if you are considering doing CISM and CISSP, most people do CISM first as it is considered a little easier - the CISSP syllabus is broader in technical areas.
How long will it take?
If you have prior management and/or information security experience beyond audit, good IT knowledge and a strong background in business, you may find it quite easy. However it is unwise to be complacent as the syllabus is quite broad and distinctly different to CISA. You may want to take relevant courses, read up in weak areas, and spend a few months preparing for the exam.
If you’re doing well in every area of the question bank quizzes, you should do well in the exam.
Do I get letters after my name?
Yes, you can use the letters CISM, as long as you keep your certification up to date.
Do I need to do CPD?
Yes. Like CISA you need 20 hours of verifiable CPD a year, and a total of 120 hours over 3 years. However, if you don’t have the time to go on a week-long course each year, ISACA branches run regular seminars, and you can also gain CPD from completing a quiz in their journal or from taking part in branch activities.
How do I get started with a CISM certification?
Visit the CISM pages on the ISACA web site and enrol.
Should I get CISA Certified? 11 Feb 2024, 2:06 pm
CISA is possibly the one ‘pure’ Information systems audit qualification that is recognised anywhere. It is balanced between technical IT knowledge and business understanding.
There are other IT audit certifications – from the IIA’s aborted QiCA to supporting CPA type accounting quals and tech quals such as CCNA – but none with the universal recognition CISA holds.
Having said that, it is a baseline and not a gold standard. If you can’t do this after a few years experience, you probably shouldn’t be an IT auditor. Holding it doesn’t prove your competence in any particular area – but it does verify that you understand what you are doing and have the skills and experience to undertake at least simpler audit assignments.
How can I obtain a CISA qualification?
There are two things you need to do to qualify: Pass a 200 question multiple choice exam in 4 hours, and demonstrate 5 years relevant experience. You can get a year or two off the experience requirement from relevant degrees and qualifications, or other relevant experience.
The exam is wide in its scope, but for anyone with a good all-round understanding of enterprise IT and a comprehension of business risk it should not be too hard. There is a book to support it and also a question bank for practice – both are worth having. The book is still mind-numbingly dull and best used as a tool to identify any areas within the syllabus where you may need further study. The question bank is a far-too-accurate practice questions tool, and many candidates have noticed a strong similarity between some of the bank questions and exam questions on the day. Having written some of the questions used in the exam myself, I understand why this is the case. Still, if a few questions are similar it’s nowhere near enough to pass, so use the practice questions to identify areas of weakness. Address these areas with the book or other resources, then re-test yourself.
What does it cover?
The syllabus is split into five domains (previously six). You need to do well in all areas to pass the exam, but some areas are more important than others. It’s currently going through a refresh in 2024, so the new domains you’ll need to understand are:
Information Systems Auditing Process (18%)
Providing industry-standard audit services to assist organizations in protecting and controlling information systems, Domain 1 affirms your credibility to offer conclusions on the state of an organization’s IS/IT security, risk and control solutions.
If you’re coming to IT audit from a financial or operational audit background with (say) a CPA or ACCA qualification, or with a couple of years existing experience of IT audit, you should find this familiar. If you are new to auditing, this will be mostly new to you.
Governance and Management of IT (12%)
This domain confirms to stakeholders your abilities to identify critical issues and recommend enterprise-specific practices to support and safeguard the governance of information and related technologies.
This is closely related to ISACA’s CGEIT certification, and any IT management experience will help.
Information Systems Acquisition, Development and Implementation (12%)
Basically, change. Domains 3 and 4 offer proof not only of your competency in IT controls, but also your understanding of how IT relates to business.
Project management, systems development, and change management experience will help you here.
Information Systems Operations and Business Resilience (26%)
As per Domain 3, but operations, including business continuity / disaster recovery aspects.
Operational IT roles and disciplines such as ITIL will help you here.
Protection of Information Assets (26%)
Cybersecurity now touches virtually every information systems role, and understanding its principles, best practices and pitfalls is a major focus within Domain 5.
Any cybersecurity experience or certification (such as CISM or CISSP) will assist you with this domain.
This is a slight change from the previous weightings, and indeed the earlier six domain weightings (below taken from 2004), which were:
IS Audit Process – 10% exam weighting
IT Governance – 15% of Exam
Systems and Infrastructure Lifecycle Management – 16% exam weighting (similar to domain 3)
IT Service Delivery and Support – 14% exam weighting (now included in domain 4)
Protection of Information Assets – 31% exam weighting
Business Continuity and Disaster Recovery – 14% exam weighting (now included in domain 4)
You can see that whilst there have been changes over the years, the qualification overall has remained very consistent.
What does it cost?
The exam is around the $500 mark, and you can join ISACA at any time (you don’t need to take the exam first). You don’t have to attend a course, but a number of organisations run CISA preparation classes commercially, which are recommended.
How long will it take?
It varies from person to person. If you have IT audit experience, good IT knowledge and a strong background in business, you may be able to get away with as little as a few hours preparation. If there are gaps in your knowledge, you have a technical background that has focused on specific areas of the syllabus, or your IT knowledge is weak (for example, you’ve moved recently from a general audit background to an IT audit role), you will need more time. You may want to take relevant courses, read up in weak areas, and spend a few months preparing for the exam.
If you’re doing well in every area on the CD, you should do well in the exam.
Do I get letters after my name?
Yes, you can use the letters CISA, as long as you keep your certification up to date.
Do I need to do CPD?
Yes. You need 20 hours of verifiable CPD a year, and a total of 120 hours over 3 years. However, if you don’t have the time to go on a week-long course each year, ISACA branches run regular seminars, and you can also gain CPD from completing a quiz in their journal or from taking part in branch activities.
Is it for me?
Given the very reasonable cost and the fact that most employers look for it when recruiting, if you’re an IT auditor and you haven’t done CISA yet you should probably have your head examined one way or another. The bottom line is that CISA makes you a safer hire, and therefore more likely to get the job you’re looking for at an acceptable salary. It also helps you improve your knowledge, provides you (and your clients/boss) with comfort that you do in fact know what you are talking about, and will help you identify areas to further improve.
How do I get started with a CISA certification?
Visit the CISA pages on the ISACA web site and enrol.
List of IT Audit Professional Bodies & Certifications 10 Feb 2024, 10:48 pm
The below list covers the key professional bodies and certifications to consider as part of an IT Audit career. Bear in mind that there are many different routes and the qualifications that are right for you will depend on your interests, professional background, current role, and goals.
Academic study is also very valuable, in particular any bachelors or masters degree. All of those listed are well recognised and any of the below will stand you in good stead. There are also many other qualifications of varying merit that I have not listed - buyer beware!
List of Professional Qualifications
| Professional Body | Qualification | Notes |
|---|---|---|
| ISACA | Certified Information Systems Auditor | CISA |
| ISACA | Certified in Risk & Information Systems Control | CRISC |
| ISACA | Certified Information Security Manager | CISM |
| ISC2 | Certified Information Systems Security Practitioner | CISSP |
| Chartered Institute of Internal Auditors (UK) | Chartered Internal Auditor | CMIIA |
| Institute of Internal Auditors (USA) | Certified Internal Auditor | CIA |
| Association of Chartered Certified Accountants | Chartered Certified Accountant | ACCA |
| American Institute of CPAs | Certified Public Accountant | CPA |
| Chartered Institute of Information Security | Professional / Chartered Member | MCIIS |
| Offensive Security (company) | Offensive Security Certified Professional | OSCP |
| CREST | CREST Registered Penetration Tester | CRT |
List of Introductory Qualifications (early career)
| Professional Body | Qualification | Notes |
|---|---|---|
| CompTIA | Network+ | |
| CompTIA | Security+ | |
| ISC2 | Certified in Cyber Security | |
| ISC2 | Systems Security Certified Professional | SSCP |
| EC-Council | Certified Ethical Hacker | CEH |
| Axelos / ISEB | IT Infrastructure Library (ITIL4) Foundation | |
| Project Management Institute (PMI) | Project Management Professional & others (see also PRINCE2) | CAPM, PMP, PMI-RMP |
PS. Please let me know in the comments if you think I have missed anything!
What do auditors do all day? 9 Feb 2024, 11:37 pm
Updated from the original published on July 1, 2010
If you’ve ever sat at your desk wondering what exactly the bunch of outsiders hanging out in the audit room find to do with their time, or if you’re thinking of a career in audit but just can’t figure out what you will actually be doing all day, this is the article for you.
Here is my list of the top ten day-to-day tasks auditors undertake:
Planning audits - This means reviewing files, researching the company, reading board minutes, accounts, and news articles – trying to gain an understanding of where the company is at the time of the audit, and also so that during the audit you can assess its plans, direction and risks, and also consider whether their IT infrastructure and strategy are fit for purpose.
Arranging meetings - Harder than it sounds, arranging audits, planning meetings, liaising with clients and management.
Holding meetings - For most operational staff being audited, this is the visible bit. Auditors hold meetings with relevant staff to understand systems, processes and controls and to obtain evidence to support their operation.
Writing notes - Everything must be documented. That means plenty of paperwork – at least 70% of the total time. Writing up meetings, writing up fieldwork and testing, referencing files, copying documentary evidence, writing audit reports, and preparing files for review.
Closing audits – holding ‘exit meetings’ to go through findings with management, and dealing with audit file review points.
Interrogating systems and data analysis – interviews in other words, but with machines rather than people. This is generally IT auditors, or possibly general auditors using CAATs – Computer Assisted Audit Techniques.
Management – communicating with client, planning future audits, reviewing files and other such tasks.
Learning – undertaking training, either formal or informal. Also learning ‘on the job’ with someone more experienced, or bringing a more junior colleague up to speed.
Reporting – the key deliverable for auditors is a report which normally goes to the board audit committee. First there is a draft report, for discussion with management. Responses from management, setting out what action they intend to take, are then incorporated into a final report.
Travelling – auditors often do more than most. Unless you work for a large centralised company, auditors often have to travel nationally and internationally to visit clients and conduct fieldwork.
One thing underlies all this – it’s all about producing evidenced, objective findings and communicating them effectively and constructively to both audit management and the client.
There is something in audit for everyone, but no-one would pretend that every task will have you rooted to the edge of your seat. If you enjoy communicating, think before acting, and don’t mind being organised, there should be nothing in this list to surprise you.
How do these activities reflect your role or understanding? Help others considering a career in IT audit and cyber security assurance by sharing in the comments below.
An introduction to IT Audit & Information Assurance careers 9 Feb 2024, 7:42 pm
Updated from the original published on July 1, 2010
Who should read this?
You’re here because you want to learn more about IT audit and assurance. So I’ll get straight to the point.
You’re probably here because you are interested in, commencing, or early in a career in the field of IT audit and assurance. I welcome you and wish you the very best.
You may be here as a more experienced professional, evaluating or re-evaluating different routes or considering how best to develop your skills and your career. The opportunities are many, and I wish you continued success.
You might also be here because you are an audit client, a board member, or otherwise want to understand your auditors better. I commend you for your open minded approach and willingness to learn. It will make you a better and more empathetic leader.
Whichever applies to you, welcome. This is all written, by hand, just for you.
How will this guide help me?
The IT Audit Careers Guide brings together all my writing on the topic of careers in IT audit and information (or cyber) assurance. This was originally posted on a website called ISRisk, and I have now updated it, added to it, and reposted it here because - 15 years later - it’s still popular. So much so that long after the original website died, people are still pulling it from Wayback Machine and asking me about it. When I took it offline, I didn’t realise it was helping people as much as it was. So now (if you like it) it’s here to stay. I hope you find it useful as you set out on your journey in audit and assurance.
Why should I listen to you?
It’s sensible to ask why I’m qualified to write about this. If everyone asked that before reading, there would be much less rubbish on the internet! I’m glad you asked though: you see - you’re asking good auditor questions already :-)
So here’s a little bit about me.
I started my career in financial audit at KPMG, auditing big technology and telecoms companies.
I continued it in public sector internal audit at RSM Tenon, with a focus on computer forensics and data analytics.
I moved fully into ‘computer audit’ (as it was then called) at a UK mutual lender, auditing a range of financial services companies.
I co-ordinated technology assurance for one of the worlds biggest banks
I was audited (a lot) at various global financial services companies, whilst running 1st line information security, client advisory and IT functions
I chaired the Audit Committee for a large social housing provider
I brought in new auditors following a financial meltdown at an NHS Foundation Trust
I chair the Audit Committee for a national financial services regulator.
Along the way I obtained a range of qualifications, including:
Chartered Certified Accountant (FCCA)
Certified in Information Systems Audit (CISA)
Qualified in IT Service Management (ITIL), Computer Forensics (Encase), and Project Management (Prince 2)
And various others.
So now we have met, we can get going without further formalities. Of course if you’d like to know more about me or ask me anything please do. You can find me on linkedin here (do follow and say hi).
What does the guide cover?
The guide is currently structured into four main parts:
An introduction to audit, IT audit, and related assurance work. There are many different terms for these roles, but they all boil down to the same basic thing: helping organisations achieve sustainable success by ensuring they are only taking intended risks. It sounds simple enough, but unpacking that sentence is a difficult and rewarding business. Note the underlined words: pretty much everything difficult in assurance is explained by these two words. You might also be surprised that rather than jumping in to pen testing or network auditing, we talk about audit more generally. That’s intentional: auditors have been around for thousands of years, yet most technology auditing practice ignores this. As a result, we are destined to repeat mistakes. By looking at assurance in its widest context, we can make new and original mistakes instead of the same old ones. That way lies progress - and success.
A section on qualifications and training. Be warned, this profession is unusual in having a surplus of competing and confusing certification bodies and schemes testing technical capability, combined with a deficit of professional bodies setting ethics, behaviours and professional practice requirements in a meaningful way. The result, of course, is snake oil. Don’t buy snake oil, and please don’t sell it. If you do, the organisation hiring you gets only fear, uncertainty and doubt. Qualifications are valuable and often quite rightly necessary, and claiming they universally are not is foolish. But look at them for what they are. Be discerning. There are easier paths and harder ones, but there are no shortcuts.
Information on different types of assurance role, to help you evaluate which could be right for you. This is largely self explanatory. My only guidance here is to remember there is rarely a single right path, and the ones that don’t lead where you think (or hope) are often the most interesting. Whatever you choose, keep learning.
Endnotes. Further thoughts for additional insight, and things I had fun writing, that might help you process and analyse the information in sections 1-3…. or they might not - but the only way to find out is to read the guide :-)
Good luck!
Matt
“Audit and assurance means helping organisations achieve sustainable success by ensuring they are only taking intended risks”
Help others considering a career in IT audit and cyber security assurance by sharing in the comments below.