The RAS Team (three of us anyway) are attending the ISACA North America CACS Conference in Dallas, Texas this week (April 15-17). If there were an IT Audit Comic-con, this would be it. Minus the awesome costumes. Unless you count cowboy hats and belt buckles (which I do– I brought a different belt buckle for each day). Here is where we learn from IT Audit thought leaders and align IT audit strategy for emerging threats. If you’re a client of ours, then ISACA is who you can blame for those new comments.
I’m going to try to write up some of the highlights of each day while we’re here. I’m also tweeting from @Bryan_YHBCPA.
Before I get too far though, let me say that by late afternoon there was notable melancholy over the conference because of the Boston Marathon bombings. It goes without saying but I will say it anyway. Our thoughts and prayers are with those who have suffered injuries and lost loved ones, and hope the authorities bring swift justice to those responsible.
Now, onward to happy things. Day 1 kicked off with David Pogue, IT Journalist for an up-and-coming periodical called The New York Times, predicting the future of disruptive technology. We’re just beginning to see the capabilities of mobile devices. Two featured technologies included using your mobile device’s camera to get information about what is around you– to the point that through your phone, you can see where a subway train runs below you, and get real-time directions to the closest stop. Also, an incredible technology/app that, using the camera, translates text into different languages. Think holding a restaurant menu written in Spanish, looking at it through the camera app, and the text is automatically translated to English. In real time. I mean, WHOA! Clearly cameras are the future.
Pogue ended the keynote in a way I’ve never even seen Steve Jobs do– through live parodies of Piano Man, I Got You Babe and YMCA.
Sessions continued all day. There was a great demonstration from Patrick Mattson using Backtrack, Social Engineering Toolkit and Metasploit to scrape LinkedIn to create a phishing site, and to exploit a vulnerability in Java (wait, Java’s not secure?). Auditors can use these nicely packaged tools to launch social engineering tests, or to demonstrate to management just how vulnerable the end user can make data. These are the things that keep IT folks awake at night.
The “Auditing Unix and Linux” session demonstrated to me that, as rapidly as technology is changing, these platforms are not changing nearly as fast. At their most fundamental, the file structures for these systems haven’t changed dramatically. However, what is changing is that many *NIX platforms are the foundation for the COTS products you purchase from vendors. Vulnerabilities left unmitigated in the open source platform used in the COTS product could leave you susceptible. Better check under the hood of your new software to ensure it’s safe.
Finally, the top 10 game-changing technologies that IT Auditors should know about and begin considering in IT audit schedules and knowledge gathering. The usual suspects were there (cyber security, Vendor Management, big data). However, a couple of interesting ones of note. The limited access to IT Audit resources (read: people) and allowing them to stay current with rapidly changing technology. As the consumerization of IT gains ground in companies, IT Assurance services are becoming a highly sought-after specialty. And IT auditors are not that common. Every time I tell someone I do IT Audit, they look at me like a baby calf staring at a new gate (did I mention we are in Texas?).
Also, 3D printing is going to cause major disruptions to a lot of industries. Almost any small thing could literally be printed. As I sit here, I see an iPhone case, water bottle, and belt buckle, all of which could be printed. And consider firearms (again, we are in Texas); companies have made designs for firearms that can be printed from 3D printers. That should throw a wrench, which you could print from a 3D printer, into the gun control debate. Couple 3D printing with simple end user technology and DIY like Raspberry Pi, and the widget business could be in serious trouble. Need an automatic garage door opener? Print one yourself. How about a can opener? Print it. Letter opener? Print it. Huh– I didn’t realize how much I like things that open other things.
Finally, if you know or work with me, you’re aware of my fascination with Bar-B-Que restaurants. Ipso facto, dinner tonight was at Sonny Bryan’s Smokehouse. It had two things going for it– BBQ and we share a name. The meat was pretty good (albeit a little dry), the sauce came out warm and added plenty of punch to the pulled pork. The ribs and brisket, the flagship meats of Sonny Bryan’s, were delicious. If you go, pass on the pork and head straight to that meat.
So, overall, good day 1 for NACACS 2013.