ISACA CACS 2014 – Day 1 Report

VCS Consulting’s Todd Voge is in Las Vegas this week attending the ISACA CACS 2014 conference.  This is an educational conference focused on Information Security and Auditing.

Day 1 started with the Keynote by Harry Markopolos, the whistle-blower who brought down Bernie Madoff.  Very interesting and entertaining hour.  Mr. Markopolos found the returns Madoff was promising weren’t possible.  When he took his findings to the SEC, the banks involved and other agencies, everyone blew him off.  His persistence was key in bringing Madoff into custody and eventually into prison for many, many years.  One of the main points was the numerous red flags that were raised, and ignored, by everyone taken in.  The banks ended up losing a serious amount of money and many people lost everything.  But why did they miss the flags?  Madoff was a great salesperson.  He had many different methods of making the sale and nearly never failed.  Mr. Markopolos did a great job of walking through the scam, showing where the red flags were raised, and how experts in investment banking, stocks and other investment vehicles completely missed the boat.

The first break-out session attended was “Responding to Targeted Cyber Attacks”, presented by James Holley from Ernst & Young.  Mr. Holley spent over 10 years in the U.S. Air Force working in cyber security for the Office of Special Investigations (OSI) and investigating attacks on military networks.  Cybersecurity continues to be a very large need for our organizations, but it is often overlooked.  Preparing for a cyber attack is extremely important, and preparation alone is not enough: an organization also needs to actively monitor for and react to an attack.  Preparing includes making sure you have plugged all of the known holes in your systems and verifying your monitoring systems can detect issues.  One of the big requirements is to have ALL packets inbound and outbound to/from your network inspected for illicit data.  While this may seem to be a very large undertaking, it is necessary to make sure you are protected not only from external threats, but also from threats internal to the organization.

The next break-out session was “Beyond IT: Third-Party Risk”, where Mr. Steven Bartolotta discussed how it is not just our organization that needs to be audited and placed under appropriate security controls, but the companies we deal with as well.  We all utilize 3rd-party vendors in our business.  But do you actually audit them?  Do you make sure they are following the security standards and procedures in effect in your company?  If you don’t, you should.  You need to make sure your data is protected as well at the 3rd party as it is in your internal network.  Mr. Bartolotta walked through various scenarios for properly auditing 3rd parties.  It’s very important we do this.

Arguably the best session of the day came next.  This was “CyberAttacks: Prepared?” by Mr. Uday Pabrai.  Mr. Pabrai was by far the most dynamic speaker and he was genuinely excited about his subject.  Are you prepared for cyber attacks?  You may think you are, but you’d be surprised how unprepared you may really be.  The Chinese hacked into over half of the Fortune 1000 companies and spent an average of 365 days in the network before being discovered.  In one case, they were in the network for over 1700 days.  How can this happen?  As Mr. Pabrai stated, “It is not a matter of IF you will be attacked, it is a matter of WHEN.”  The speaker did a great job of explaining how the breaches at Target and Neiman Marcus were accomplished and how they went undetected for so long.  We have to make sure this doesn’t happen to our organizations.

The final session of the day was “Auditing IT Projects”, presented by Ms. Katherine McIntosh.  It was an interesting session that discussed how Audit should be involved with all IT projects from inception to completion.  Making sure all Audit principles are adhered to during the design and coding phases will save much time and energy later down the road.  But having someone from Audit on the project team can sometimes be difficult to swallow for a development team.  Audit is generally seen as the “enemy” and may be an unwelcome addition to the project team.  It is very important that Audit become an integral part of the team and that their opinions are weighed equally with those of other team members.

This was a very good start to the conference.  Day 2 should be equally fulfilling.