M. Sarush Faruqi

I agree too. Nurturing young cyber talents is definitely a much better prospective then spending resources to hunt them down. As we heard from Mike Green’s presentation, the hacking community have their own culture. Young people who were drawn into hacking were immersed into the hacking culture. Most of these young hacker perform cyber attacks not for monetary purpose but to prove themselves as top hackers. As we learned from Professor Ed’s lecture, intent is important in determining fraud. These young hackers did not have any criminal intent and it is better to bring them to the good side instead of criminalizing them and destroying their future where they could potential cause cyber attack for the wrong reasons later on.

Interesting theory. I would worry about people using the skills they learned to go into the criminal side.

I think that the main problem is that a lot of people who are in their 30’s or 40’s don’t have a good understanding of developing software. I think that we need to be promoting programming languages at the k-12 level. This will give them an opportunity to develop excellent skills which then can be translated to other IT areas.

This is an interesting article. I totally agree with you that educate children and develop an interest in hacking is a good approach to addressing the shortage of cyber professional. Even though there are so many dangers, but parents still encourage their children to hack because they believe in the good that can come from hacking, including making the country more secure and helping encourage freedom of speech around the world. Like you mentioned, we have to ensure that beginner hackers between ages 8 and 18 are taught hacking techniques and ethics, it’s very important for them NOT to use the skills for unethical activities.

Hi Sarush,

It was an interesting post! I remember I posted one blog before explaining that people shouldn’t post their flight ticket in Instagram, personal information are accessible from barcode. Two Factor Authentication purpose is to make attackers’ life harder and reduce fraud risks. If we already follow basic password security measures, two-factor authentication will make it more difficult for cyber criminals to breach your account and will offer an extra layer of protection, besides passwords.

Really interesting post, Sarush, I am not an Instagram user but I’m surprised that it took them so long to add that valuable security feature to protect the users. Two-facter authentication is effective to deter hackers because hackers would spend time to hack an account when they know a secondary token is going to be needed. However, at the same time, Instagram users may need to type more words to access to their accounts which is a drawback.

The article you discussed is quite interesting. I think the European Banking Authority is dead on with its core concern about the financial sector. If the use of big data being collected by the industry erodes the integrity of the financial sector, the fallout could be calamitous to say the least. I’m not sure that “consulting with the industry to see if stricter rules are needed” is the right response though. I would think an unbiased opinion from outside the industry would be a better solution than going directly to the very industry who you want to more closely regulate its use of big data for input on whether to do so or not. The concern about high-risk clients being priced out of the insurance industry is an interesting concern. Those clients being priced out could negatively, and positively, impact both the industry and the overall economy of the EU as a whole. It will be interesting to see what the outcome of this concern leads to, especially with the EU being a bit more protective of individuals’ online privacy than other Western societies.

Sarush: I liked this article because – as you stated – it ties right in to our IT Governance portion of the lecture. A company’s internal controls, regardless of spending, are only as strong as the “tone from the top.” This direction from senior management (whether a steering committee, BoD or an Audit committee) really dictates how much fraud will be prevented / mitigated. I think many companies overlook this factor, which creates an environment that is susceptible to fraud. All of that spending and policy-writing doesn’t matter if the key members of the organization do no create a culture that supports internal controls.

I also thought the “Audit Interaction” section was important. In almost every organization, auditors are viewed as the police or the “bad guy,” coming to make life difficult for an employee(s). It’s important for companies to understand the value of Internal Auditors, and have that message communicated on a consistent basis. Again, back to the tone at the top. The same goes for the part about defining / identifying responsibilities and subsequent levels of accountability. Clearly identified ownership goes a long way in strengthening internal controls.

The third one that I thought was important, and also commonly overlooked – is the importance of communication in general. In terms of internal controls, most companies view that as a one-way street; there is direction from the top in the form of a memo or policy update once or twice a year, and that is sufficient. However, as internal auditors, we know that is not enough. Communication needs to be consistent and needs to go both ways. Decision-makers need to constantly be evaluating the efficiency and effectiveness of their controls, and that evaluation is more than just numbers. They need to hear from the staff / customers that these controls apply to about how well they are working. Furthermore, this two-way communication needs to be done on a consistent basis, and not just when there as an issue.

This article does a great job of highlighting different areas that will help strengthen controls (i.e. SoD, risk assessments, testing, etc.), but – again – none of these topics matter without strong IT governance. Thanks for sharing, Sarush, I enjoyed it.

On audit interaction- I think that one of the hardest things about being an auditor is getting people to trust you. People often think of auditors as the bad guys who are only there to get the employees in trouble or even fired. Reality is that is not the case. Auditors are there to help ensure that policies and controls are being followed, so that the threat of potential breaches or system downtime is properly mitigated. Would the organization rather find out about the potential for data breach from the auditors before it happens or when the data ends up on Wikileaks? That is what people have to realize, that auditors are there to help.