Wondering About Risk Assessments

Since I have little knowledge of audits (only what I learned in college), I have been reading up on the finer details of an audit.  I came across some documentation on the methods of carrying out a risk assessment in an audit.  The article lists three options for performing a risk assessment (though there are many ways of performing one).  One way is to have an outside consultant come in, look at what the company wants to accomplish, analyze the business processes, and determine what its exact risks are.  Another way is for a consultant to come in, work with management to identify risk, determine the level of risk to the company, and evaluate the controls in place.  The final way, as detailed in the article, is to have the assessment performed by many employees in the company, who identify the possible risks, ensure the controls are in place, and monitor whether the controls are working.  This, though, is meant for an audit of the financial statements.  While it’s true these methods can be used to audit other parts of the company, they are mainly for ensuring that the financial statements are reasonably correct and free from errors.

So how could I apply this to an I.S. audit?  The first step on an engagement is setting the scope and the objectives of the audit.  Then you move on to the risk assessment.  Which of these methods to use will depend upon how the company operates, and on the inherent risk to the company.  If the company is more “top-down”, and things are usually dictated from the top, then perhaps it would be better to have a consultant come in, talk with management to identify risk, and perform further assessments from there.  A problem with this, though, is that you may not get buy-in from the lower-level employees.  At least, that’s what I can tell from such an approach.

As for other methods, well, I’m going to have to eventually learn those in detail.

The Problems With the Internet of Things

As more and more Internet of Things (IoT) devices are bought and set up, there is a growing concern about what they can do, in addition to their normal purpose.  The security researcher Brian Krebs had his website brought down by a Distributed Denial of Service (DDoS) attack.  Akamai, the company that formerly hosted Krebs’ site and provided his DDoS protection, said that the attack was carried out by hundreds of hacked IoT devices (he has since moved to Google’s protective service).  This didn’t use reflection or amplification attacks, either; it used traditional denial-of-service methods, flooding his site with requests.  Akamai says that this is the largest DDoS they have ever seen.  This brings me to the question: how can we prevent and/or mitigate these sorts of attacks?

This attack was brought on mainly by unsecured, unmaintained IoT devices.  Recently, these devices have been manufactured, released, and then never updated.  The average consumer of these IoT devices knows that the features of the device make it easy to control from afar, often with one’s mobile phone.  What they do not realize is that attackers can also break into these devices and use them, too.  Often, the manufacturer will throw in a free OS (such as GNU/Linux), add a thin proprietary layer on top, and sell it.  Manufacturers do not realize the problem they are creating, as exemplified in the attack on Krebs’ website.

It is true that there is a cost to updating and maintaining these devices.  Which company wants to have a costly developer staff just to update the software on their line of light bulbs?  Then again, which company wants to be known for the product which aided in bringing down Google’s servers?  Either way, there’s going to have to be a way for these devices to get updated.

Usually what a user will find on these IoT devices is an embedded OS like GNU/Linux.  So why not develop a distribution that utilizes open standards and receives regular updates?  It would be similar to Android, yet with stricter guidelines.  A company could, for instance, set up a distribution with safety, compatibility, and interoperability in mind.  It could work with the IoT device manufacturers on making products that work together and can be updated regularly.  Though let’s not just talk about the manufacturers; the consumer also has a responsibility.  (It’s worth noting that there is already an embedded GNU/Linux distribution that can be easily built and configured for IoT devices.)

The average consumer of IoT devices will have to learn about the extended benefits of these devices, and they must realize that the benefits come with a much greater risk.  Indeed, one cannot put a simple toaster in the same category as a light bulb which one can control with a mobile phone.  They must be made aware that an attacker can take control of their IoT devices and use them for malicious purposes.  This doesn’t mean that they need to be scared into acting, though, because actions made in fear are often poor choices.  They should be informed that it’s possible for this to occur, and that there are forces in place which are trying to counter these attacks.

Going forward, companies that make IoT devices, and consumers of IoT devices, must be more safety conscious, for there are malicious forces in the world who are ready and able to make use of these devices for their own nefarious purposes.

My attempts at watching a video on job hunting

For the past couple of days, I have put off watching a video called “5 Fast Ways to Make Yourself More Hireable”, which was put out by the Society for Collegiate Leadership and Achievement. When I finally sat down to watch the thing, I couldn’t view it.

I don’t know why I couldn’t view it. Maybe it was my web browser (Firefox for life!), or maybe it was the add-ons that I have active. Even when turning them off, I still couldn’t watch the video. Now, I’m not one to be deterred by a simple browser error. That’s when I looked into the sources of the page.

In the source of the page was a bunch of JavaScript code. Perusing the code, I easily found code snippets (which were nicely marked) that were meant for outside services. I know it’s been a while since I’ve written anything related to HTML and JavaScript, but boy was this code obfuscated. I could barely read this stuff.

Anyway, after digging through the muck, I found the actual source of the video: an embedded iframe. Boy, I didn’t think sites still used those. Still, I was able to watch the video. And hopefully, after that, I’ll be able to find the job I want.