Competitive advantage with ISO 27001

Gain a competitive advantage with ISO 27001

by Neil Ford

We often talk of the operational benefits that conformance to ISO27001’s specifications will bring your organization, from the cost-saving advantages of increased efficiency to the peace of mind that a robust information security management system (ISMS) provides, but it’s important to remember that compliance with the standard also gives you a distinct competitive advantage, and will enable you to win new business as well as retain your existing clients.

Having the edge over your competitors is always beneficial, and when tendering for new contracts you want the best chance of success that you can get. Here’s how ISO27001 can help win you more business:

» ISO27001 is recognized in every country and every market in the world as the mark of highest competency in information security management. Prospective customers recognize this, and will often choose a supplier that holds an ISO27001 certificate over one that doesn’t.

» In the UK, requests for quotations and tender requests from public sector organizations including the MoD, the NHS and local authorities will ask that the supplier be compliant with ISO27001 or, if it is not, demonstrate the required information security measures by completing a long questionnaire or submitting to an inspection. Conformance to ISO27001 saves considerable time and money in the required due diligence of tender applications. (To be accepted by the MoD as an approved Enhanced Learning Credit (ELCAS) training provider, IT Governance Ltd was asked to be fully compliant to ISO27001.)

» ISO27001 itself recommends that compliant organizations maintain supply chain relationships with ISO27001-compliant suppliers. If you are looking to form trading relationships with larger ISO27001-certified commercial enterprises, you will need to be compliant with ISO27001 too.

» In the IT service industry, where the protection of data is paramount to winning and maintaining the trust of customers, an ISO27001 certificate is the only credible, demonstrable proof of effective information security.

The implementation of an ISO27001 ISMS brings numerous recognized long-term benefits for your organization, and will pay for itself several times over in the extra business you win as a result of your certification. IT Governance supplies a wide range of ISO27001 products and services to help you achieve that end.


Pragmatic Application of Service Management

Enhanced IT Service Management through integrated management frameworks

Learn how to integrate COBIT®, ITIL® and ISO/IEC 20000 for better IT Service Management

With the increasing popularity of ITIL® as a framework for IT Service Management (ITSM), a number of organizations have realized that this approach is sometimes not enough on its own. As a result, service managers are looking for ways to enhance their ITIL-based ITSM without having to throw it away and start again. Many are already working towards compliance with ISO/IEC 20000 — the International Standard for IT Service Management. With the recent release of COBIT®5, service management practitioners have even more options. However, until now, there has been little guidance on how to merge these frameworks, standards and methodologies to develop best practice across the ITSM function and produce a robust enterprise philosophy for service delivery.

Guidance on creating an integrated system

Written by service management gurus Suzanne D. Van Hove and Mark Thomas, Pragmatic Application of Service Management is the first book to provide guidance on creating an integrated system based on the three leading service management approaches, COBIT®5, ISO/IEC 20000 and ITIL, and to provide a unique mapping to assist service management practitioners in their information gathering. This practical book presents a holistic view of the three and enables service managers to immediately adapt and deploy the guidance, quickly improving their ITSM function.

Create a stronger, more robust Service Management System

Packed with instructive illustrations and helpful tables, this book is ideal for service managers, consultants, auditors and anyone who is considering adopting, adapting or merging COBIT®5, ISO/IEC 20000 and ITIL. Through mini case studies, the authors apply their unique Five Anchor Approach to demonstrate how the improvement aspects of COBIT®5, ISO/IEC 20000 and ITIL can help identify and deal with common problems faced by today’s organizations. Read this book to learn how to merge COBIT®5, ISO/IEC 20000 and ITIL for better service management.

About the Authors

Dr Suzanne D. Van Hove is the founder and CEO of SED-IT. A prior Board member of itSMF USA and recipient of the Industry Knowledge Award as well as Lifetime Achievement, she is an advocate for professionalism within Service Management.

Mark Thomas is the founder and President of Escoute, LLC, an IT Governance consultant, and the previous President of the itSMF USA Kansas City LIG and COBIT® SIG. As a well-known ITIL and COBIT® expert with over 20 years of professional experience, Mark’s background spans leadership roles from datacenter CIO to Management and IT Consulting. Mark has led large teams in outsourced IT arrangements, conducted PMO, Service Management and governance activities for major project teams, and managed enterprise application implementations across multiple industries.

Download and read ITGP’s latest publications:

Pragmatic Application of Service Management

Related title: Pragmatic Security Metrics

Download ITIL – ITSM Toolkit


Is privacy a dependency of information security

Is privacy a dependency of information security?

by Jamie Titchener

If you read the news on a regular basis, you will find that most of the cyber security or data protection articles play heavily on the fear of an individual’s privacy being compromised.

But what many people don’t seem to realize is that privacy is in fact a dependency of information or cyber security. Only by having in place adequate information or cyber security policies and procedures can an organization ensure the privacy of their stakeholders, including customers, staff, suppliers, etc.

Whilst there are some unique challenges faced in the area of privacy relating to governmental legislation such as the UK Data Protection Act, organizations can start to effectively address many of the privacy concerns that their stakeholders have by adopting an approach such as implementing an ISMS that complies with ISO/IEC 27001/2.

By combining the right mix of people, process and technology in an ISMS, organizations can effectively manage many of the privacy risks that people are concerned about.

Find out more about ISO/IEC 27001 in An Introduction to ISO/IEC 27001 2013.


The Protection of Personal Information Act (POPI) in South Africa – Benefits and Challenges

In South Africa the Protection of Personal Information Act (POPI) aims to regulate how companies secure the integrity and confidentiality of their data assets by taking technical and organisational measures to prevent the loss of, damage to, and unauthorised access to personal information. POPI was signed into law on 26th November 2013 but the commencement date is yet to be announced; companies have been given a year to achieve compliance with the Act. Penalties for failing to comply with the Act include prosecution, with possible prison terms of up to 12 months, and fines of up to R10 million. I believe that POPI will make life easier for IT organisations in South Africa.

Why is it so important for organizations to keep personal information safe?

Data breaches, and the resultant loss of information assets, can lead to huge financial losses for companies as well as reputational damage and a loss of customer trust. The lack of a robust Information Security Management System (ISMS) can leave organisations of any size and sector open to data breaches. POPI’s objective is to regulate the way personal information is collected and stored by organizations, which will in turn increase customer confidence in those organizations. The Act will apply to all organizations, regardless of size or sector, whether public or private, including the Government. As a reminder of the importance of data security, the City of Johannesburg suffered a massive data breach in August 2013 which allowed anyone to read citizens’ personal billing information on the Council’s website, including full names, account numbers, addresses, and contact details. Anything could have happened to that information, including targeted phishing attacks and the production of fake ID books and proof of residence, which could have been used for terrorist purposes.

POPI’s challenges

The major challenge of POPI is that companies will have to change the way they collect and store customer information as soon as possible: organizations have been given only a year to be compliant before the Act is enforced. Given the extent of changing business processes and employees’ attitudes it will be a serious challenge to reach compliance in only a year.

PwC’s “journey of implementation” report found that the majority of organizations in South Africa believe it will take several years to achieve compliance with POPI.

Source: PwC “The journey to implementation”

One way for South African organizations to make compliance with POPI easier would be to implement the international information security standard ISO27001, which sets out the requirements against which an organization’s information security management system can be independently audited and certified. Implementing the standard will help South African businesses fulfil the compliance requirements of any related legislation (including the Protection of Personal Information Act). Moreover, by implementing ISO27001, businesses ensure that they have effective controls in place to manage risk and protect personal information.

How to prepare for POPI

IT Governance SA has developed a wide range of ISO27001 books, training and tools to help organisations with weak information security management systems, and recommends that companies look at the useful information about ISO27001 available on the company’s website.


How organizations can handle cyberthreats

CyberWar, CyberTerror, CyberCrime and CyberActivism

Successful cyberattacks can damage your organization, no matter who is behind them

The goals of the cyberterrorist, the cybercriminal, the cyberactivist and the state-sponsored hacker may not be the same – but the outcomes can be equally devastating. Each can cause serious challenges for your organisation, ranging from information theft and disruption of normal operations to loss of reputation or credibility.

Cyber security is much more than technology

Many books on cybersecurity focus on technical responses to these threats. As important as this is, human fallibility and other known vulnerabilities will still allow hackers to easily break into a system that has not taken account of these factors.

CyberWar, CyberTerror, CyberCrime and CyberActivism encourages cybersecurity professionals to take a wider view of what cybersecurity means, and to make the most of international standards and best practices to create a culture of cybersecurity awareness within their organizations that complements their technology-based defences.

A cyber aware workforce equals better security
This second edition takes a deep look at the changing threats in the cyber landscape, and includes an updated body of knowledge that describes how to acquire, develop, and sustain a secure information environment that goes beyond technology. This enables you to move towards a cyber aware organisational culture that is more robust and better able to deal with a wider range of threats. Related references, as well as recommendations for additional reading, are included at the end of each chapter, making this a valuable resource for trainers and researchers as well as cybersecurity practitioners.

Pre-Order this book today and see how international standards can boost your cyber defences. (download – Adobe, ePub, kindle)

About the author
Dr Julie Mehan is the Founder and President of JEMStone Strategies and a Principal in a strategic consulting firm in the State of Virginia. She has delivered cybersecurity and related privacy services to senior commercial, department of defence and federal government clients working in Italy, Australia, Canada, Belgium, and the United States. Dr Mehan is also an Associate Professor at the University of Maryland University College, specializing in courses in Cybersecurity, Cyberterror, IT in Organizations and Ethics in an Internet Society.

Comprehensive Cyber Security Risk Management Toolkit

 


Most common type of data breaches

Cyber attacks have become a regular occurrence in the last few years; in fact, you can’t turn the news on without some mention of a business suffering an attack. Most attacks are fuelled by criminals looking to steal valuable information, but what type of information is being stolen?

According to a report by Veracode, the top 5 types of information that are stolen are:

Payment Data

No surprises here of course. Card payment data is a very attractive form of information for cyber criminals to steal. Card data provides quick access to money in multiple ways, such as siphoning the victim’s account, using their card for purchases, or selling it on the black market.

Selling and purchasing card payment data online is terrifyingly easy, so easy in fact that you could have bought several card details in the time it’s taken you to read this far.

Authentication Details

Details that allow authorised access into online systems are very valuable on the black market. Imagine the price tag on login credentials for the email address of a celebrity, or the president of an international bank.

Unfortunately, humans are subject to bad habits such as using the same password for multiple online accounts. So if cyber criminals manage to get hold of your Facebook password, they will most likely be able to log in to any of your accounts.

Copyrighted Material

Why would a cyber criminal pay for software when they could just steal it? With most websites being vulnerable to attack, a cyber criminal could in theory steal any software they fancy, costing organisations a large sum of money.

Medical Records

Thieves could sell your stolen personal health information on the Internet black market, use your credentials to obtain medical services and devices for themselves and others, or bill insurance companies for phantom services in your name.

Medical ID theft is worse than financial identity theft, because there are fewer legal protections for consumers. Many victims are forced to pay out of pocket for health services obtained by the thieves, or risk losing their insurance and/or ruining their credit ratings.

Classified Information

Depending on how you define classified, this could include information such as your organisation’s top secret product idea or the code for your security door. Either way, if it’s labelled classified then you don’t want it to be in the hands of cyber criminals.

Protecting this information

There is a high chance that the five forms of information listed above can be found on your organisation’s network, so what are you doing to protect it?

Data Security Breaches: Notification Law


Hacking Point of Sale

A hands-on guide to achieve better security at point of sale

Hacking Point of Sale is a must-have guide for those responsible for securing payment card transactions. The book tackles the issue of payment card data theft head on, covering everything from how attacks are structured to the structure of magnetic strips to point-to-point encryption, and much more.

Packed with practical recommendations, it goes beyond covering PCI DSS compliance to offer real-world solutions on how to achieve better security at point of sale.

Hacking Point of Sale…

• A unique book on credit and debit card security, with an emphasis on point-to-point encryption of payment transactions (P2PE) from standards to design to application
• Explores most of the major groups of security standards applicable to point of sale, including PCI, FIPS, ANSI, EMV, and ISO
• Details how protected areas are hacked and how hackers notice vulnerabilities
• Highlights ways of defending against attack, such as introducing cryptography to payment applications and hardening application code

An essential guide for security professionals who are charged with addressing security issues with point of sale systems.


Business Downtime and Disaster Recovery

Infographic: Business Downtime and Disaster Recovery

The Internet is the largest store of information ever created, and those who can harness its power stand to reap tremendous rewards. However, handling data is also a significant responsibility, and disasters can cause severe problems. Here are a few facts about downtime and how to recover from disasters.

Causes of Downtime

The most common cause of downtime is UPS battery failure, which is attributable to power failures. Many of these failures begin at the power plant, but some can be created by faulty wiring. Errors are a close second for causing downtime, and cyber attacks and equipment failure trail after them. Most causes of downtime are preventable through better security and better power management.

Effects of Downtime

Downtime has a clear effect on businesses that operate online. Customers cannot place orders when websites are down, and clients cannot rely on services hosted by offline servers. The long-term effects can be even more damaging. Customers may choose to make their purchases elsewhere, and clients may move to a different provider who promises better reliability.

How to Implement a Disaster Recovery Plan (DRP)

The most effective way to deal with disasters is to use servers provided by experts. One option is to purchase a hosted dedicated server that is rated to handle problems gracefully and effectively. Those who choose to host their own servers will want to ensure that data is kept safe through RAID arrays and periodic backups. It is important to ensure that backups are also stored in a remote location where they will not be destroyed by local disasters.

Businesses will also need to ensure that everyone knows what to do when disaster strikes. UPS batteries provide a limited amount of time to respond, but they are worthless if employees don’t know what to do. Automation can help, but there are certain tasks and decisions people will have to make.

Data is the lifeblood of online businesses, and high uptime ratings are essential for keeping customers and clients happy. However, many companies still fail to plan for disasters effectively, and many have been bitten by small mistakes that led to disastrous results. Fortunately, there are a number of options available for handling disasters effectively and preventing greater harm.

Why achieve a Disaster Recovery and Business Continuity plan


Comprehensive Cyber Security Risk Management Toolkit


Govern and manage Cyber Security risk with this unique comprehensive toolkit suite

 

There are a number of standalone, best practice approaches to managing cyber risk, none of which is on its own completely satisfactory. This toolkit helps you make an enormous leap forward by consolidating five separate approaches into a single, comprehensive, robust framework.

• PAS 555:2013 is the new standard for cyber security risk governance and management; it was created to work with a range of other standards;
• ISO/IEC 27032 is the international guidance standard for managing cyber security risk;
• The Cloud Controls Matrix was developed by the Cloud Security Alliance for cloud service providers;
• Ten Steps to Cyber Security is the methodology developed by the UK’s Business Department to help organizations of all sizes secure their cyber defenses;
• ISO/IEC 27001: 2013 is the internationally recognized standard against which an information security management system can achieve accredited certification.

Use the Cyber Security Governance & Risk Management Toolkit for a new, fresh implementation of a comprehensive management system that will also be capable of ISO27001 certification, or take advantage of this toolkit’s modular construction and control mapping matrix to add its additional controls to an existing ISO27001 management system.

This Cyber Security Governance & Risk Management Toolkit recognizes that mobile device management is a critical component of effective cyber risk control and therefore includes the ITGP BYOD Policy Toolkit as a value-added extra.

Included in this comprehensive toolkit suite is:


PRAGMATIC Security Metrics

Applying Metametrics to Information Security

 

Whereas other authors are strong on the number theory behind metrics and measurement, PRAGMATIC Security Metrics is a reader-friendly guide for hard-working security practitioners.  Without totally ignoring the underlying complexities, the book explains and interprets security metrics straightforwardly, adding a unique new ingredient to the mix: the PRAGMATIC method.

PRAGMATIC Security Metrics explains:

  • Why information security is vital, yet (as with risk management in general) so difficult to get right;
  • Why meaningful metrics are necessary to manage anything systematically and rationally, instead of relying purely on guesswork, experience and gut feel;
  • Who needs security metrics – who are the audiences, consumers and users of metrics;
  • How information security is currently measured – an overview of approaches suggested and used elsewhere;
  • Finding or developing potential (candidate) security metrics, including a few less conventional sources;
  • Assessing and scoring potential security metrics using the PRAGMATIC method;
  • 150+ example security metrics, structured in line with ISO27k, scored using the PRAGMATIC method, and discussed as if they were being actively considered by management;
  • Advanced security metrics – as if the rest of this isn’t hard enough already!;
  • Using security metrics – analysis, presentation, motivation …;
  • The downsides of metrics – possible drawbacks to having more effective security metrics;
  • A case study – a realistic worked example, developing a set of security metrics for Acme Enterprises Inc, a hypothetical commercial organization facing a range of strategic, managerial and operational challenges;
  • Conclusions including a set of take-home messages – things to put into practice immediately.

At face value, the PRAGMATIC method is just a way to score security metrics, but there’s much more to it than that.  Think about it: how does your organization determine which security metrics are worth using?  If you pick up a suggestion for a new metric from a book, a friend or a flash of inspiration, how do you assess its merits?  The usual approach is entirely informal and subjective.  Scoring and assessing the metric in a structured way forces you to think it through, in detail.

What about the recipients or audiences for your metrics: do you deliver the security metrics you feel are important, or do you make the effort to find out what they want – and if so, how do you frame that discussion?  What do you do to make them set aside the time to work out and explain their needs?

The PRAGMATIC method is straightforward, cheap and easy to apply, meaning that busy security managers can get up and running in a matter of hours.

Metrics are used not only to track and report performance but to identify problem areas and opportunities, and so drive security improvements.  With a focus on using measurement data in support of management decisions, the book takes the discussion up a level by elaborating on the design of an information security measurement system with obvious application in support of an information security management system as described by ISO/IEC 27001.

As soon as you appreciate the power of the PRAGMATIC method, you’ll be itching to put it into practice, especially if you, your colleagues and managers are presently struggling with security metrics.  Aside from the P.R.A.G.M.A.T.I.C. mnemonic representing nine criteria for assessing and scoring metrics, the approach is pragmatic in the ordinary everyday sense of the word.  You certainly don’t need a doctorate in statistics to make use of this book!  Practical tips are scattered liberally throughout, with further information and references in the footnotes.  We separated them out from the main text to encourage you to read quickly through the book at first to understand the overall approach, then go back to explore particular aspects in more detail as you apply the learning.  It is an introductory guide/overview and an implementation guide/training manual, all rolled into one.

by W. Krag Brotby and Gary Hinson

ISBN: 978-1439881521 and 1439881529

Pages: 512 (150,000 words)

Publisher: Auerbach/CRC Press

Published: 2013

Order your copy today!


Why to use hardware-encrypted USB sticks

Hardware-encrypted drives have tangible benefits as file-sharing and mobility tools, as backup drives and much more. Hardware-based encryption is also more secure because the keys are embedded in the flash drive: extracting them requires physical access and very specialized knowledge.

  • Safeguard keys and critical security parameters within crypto-hardware
  • Authentication takes place on the hardware
  • Cost-effective in medium and larger application environments, easily scalable
  • Encryption is tied to a specific device, so encryption is “always on”
  • Does not require any type of driver installation or software installation on host PC
  • Protects against the most common attacks, such as cold boot attacks, malicious code and brute-force attacks

If you want your organization to avoid the risk of a data breach, you need to use hardware-encrypted USB sticks, such as SafeXs 3.0, whenever you transfer data outside the organisation. Using SafeXs 3.0 sticks will protect any data stored on them to a high degree, as the data is hardware encrypted, which is more secure than software encryption.

You should also use a USB stick management solution such as SafeConsole to ensure you are managing your secure USB sticks. This offers the advantage of being able to remote wipe data if a stick goes missing, enforce security policy across your sticks and a whole host of other security features.

Ensure your information security runs smoothly through the use of a simple, secure USB stick such as SafeXs 3.0, used in conjunction with SafeConsole Secure USB Management.

Integral® 16GB Crypto Drive – FIPS 197 Encrypted USB

Hardware Encrypted USB Flash Drive


Why achieve a Disaster Recovery and Business Continuity plan

What would you do if your systems were hacked or compromised by a virus? How would your IT systems cope in the event of flooding or an explosion?

What if your IT systems simply stopped working?

IT has brought many benefits to business. However, IT failures can seriously damage your ability to deliver products and services, harm your company’s reputation, and jeopardize your relationship with your customers. In short, poorly managed IT problems could threaten the survival of your business.

Create a Survival Plan

If you want to protect your business, you need to put in place a business continuity (BC) and disaster recovery (DR) plan to help your business survive. Disaster Recovery and Business Continuity, a quick guide for organizations and business managers shows you how to develop a plan that will:

• keep your information safe
• safeguard your company from viruses and phishing scams
• store data safely, and prevent years of work from being lost by accident
• ensure your communication links are secure, and keep you connected when disaster strikes
• bomb-proof your data
• protect your data in the event of fire or flood

Read BCP/DRP practical guide and start building a business survival plan today


How to Achieve Cyber Resilience

Becoming cyber resilient will give your organization the best chance of defending itself against and surviving from cyber attacks.

What does ‘cyber resilience’ mean?

Cyber resilience is the ability to repel cyber attacks while protecting critical business assets, rapidly adapting and responding to business disruptions, and maintaining continuous business operations.

So how do I become Cyber Resilient?

IT Governance has developed a 7-step approach to achieving cyber resilience, illustrated in the post’s “7 steps” graphic.

Cyber Resilience Core Standards Kit

These standards will help you to implement a management system that will allow you to take advantage of the opportunities associated with operating in cyberspace whilst mitigating the threats and risks.
Includes the information security standards ISO27001 and ISO27002 and the business continuity standards ISO22301 and ISO22313.

 

Build your knowledge of these key areas and be ready to help deliver your organization’s cyber resilience strategy

Developing knowledge of the best practice advice and guidance in the key standards ISO27001 & ISO22301 is key to delivering a successful cyber resilience strategy. Whatever your preferred method of learning, IT Governance have the products to help build the knowledge and skills you need.

An Introduction to Information Security and ISO 27001 (2013): written by acknowledged ISO27001 expert Steve Watkins, this pocket guide introduces the principles of information security management and ISO27001. This guide will help you understand how to start planning a project to implement effective, reliable and auditable systems.

ISO22301 – A Pocket Guide: ISO22301: A Pocket Guide will help you understand the Business Continuity international practice, and provides guidance on the best way to implement a fit-for-purpose BCMS.


Why Two Thirds of Personal Banking Apps Have Vulnerabilities

A study of personal banking apps has been published: a security researcher spent about 40 hours testing iPhone and iPad banking applications from the top 60 most influential banks in the world, and his findings were totally shocking.

40 of those 60 applications were found to have major mobile security vulnerabilities, which is not something you’d expect in an application that authenticates you to your bank.

The tests were split across six separate areas: transport security, compiler protection, UIWebViews, data storage, logs and binary analysis. Serious weaknesses were found in all of these areas.

40% of the applications don’t validate the authenticity of SSL certificates, meaning that they’re vulnerable to man-in-the-middle (MiTM) attacks.

A full 90% of the apps contain non-SSL links, potentially allowing “an attacker to intercept the traffic and inject arbitrary JavaScript/HTML code in an attempt to create a fake login prompt or similar scam.”

50% “are vulnerable to JavaScript injections via insecure UIWebView implementations… allowing actions such as sending SMS or emails from the victim’s device.”

70% have no facility for any “alternative authentication solutions, such as multi-factor authentication, which could help to mitigate the risk of impersonation attacks.”

The incredibly troubling study brings to light a very serious problem for the banking industry — and for consumers, of course — that will only become more severe over time as mobile banking app usage grows. Sanchez notes in his report that the various security vulnerabilities he identified could allow malicious hackers to intercept sensitive data, install malware or even seize control of a victim’s device.

When banks are using their mobile applications as a competitive advantage, you might expect them to test these applications thoroughly for security flaws with vulnerability assessments or mobile penetration tests, reducing the proportion of vulnerable apps from two thirds to an acceptable level. Major security flaws show that the applications have not been tested for security vulnerabilities at every phase of development. Above all, it shows that the banks have a weak Information Security Management System (ISMS) in place. This is an especially worrisome trend for smaller banks, given their lack of information security resources and expertise.

Mobile Information Security and Privacy Books

Mobile Malware Protection from from phishing sites and malicious URLs


What to Log for Authentication and Access Control

Authentication and access control play a critical role in web application security. All authentication and access control events should be logged, including but not limited to successes and failures. If only successful events are logged, someone could brute-force passwords without being detected or noticed. Conversely, if only failures are logged, a legitimate or valid user could misuse, corrupt, harm or simply abuse the system without detection. All other authentication and access control related events (such as account lockout) are also important and must be logged:

  • Failed log in
  • Successful log in
  • Account locked / disabled
  • Account unlocked / enabled
  • Account created
  • Password changed
  • Username changed
  • Logged out

Logs should include the resources involved in the web application (IP address, URL, user name, HTTP method, protocol version, etc.) and document the reason why access was denied for failed events. Some applications provide much better logs than others; generally, log entries should contain the user ID, timestamp, source IP, description of the event, error code and priority.

All error conditions should be logged, including simple things such as SQL query errors, which can help detect SQL injection attacks. Some errors relating to the availability of the application are important as an early sign to trigger the BCP. Availability is one of the main pillars of information security, so it should be logged and monitored. Logged error conditions should include, but are not limited to, failed queries, file-not-found and cannot-open errors, unexpected state, connection failures and timeouts.
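An added example (not part of the original post) of putting such logs to work on the defender's side: the Python below parses constructed log lines carrying the fields listed above and flags a source address with a burst of login failures, then a later success from that same address, which is exactly the case that goes unnoticed when only failures are logged. The log format, field names and thresholds are assumptions for the example.

```python
"""Analyse constructed authentication log lines for brute-force patterns.

Example added to the post; the log format, field names and thresholds are
assumptions, not any real product's format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in the shape recommended above: timestamp, event,
# outcome, user ID, source IP and a reason for failed events.
SAMPLE_LOG = """\
2024-01-15T09:00:01Z LOGIN SUCCESS user=alice src=10.0.0.5
2024-01-15T09:01:10Z LOGIN FAILURE user=bob src=203.0.113.9 reason=bad_password
2024-01-15T09:01:12Z LOGIN FAILURE user=bob src=203.0.113.9 reason=bad_password
2024-01-15T09:01:15Z LOGIN FAILURE user=carol src=203.0.113.9 reason=bad_password
2024-01-15T09:01:18Z LOGIN FAILURE user=dave src=203.0.113.9 reason=no_such_user
2024-01-15T09:01:21Z LOGIN FAILURE user=bob src=203.0.113.9 reason=bad_password
2024-01-15T09:01:25Z LOGIN SUCCESS user=bob src=203.0.113.9
2024-01-15T09:30:00Z ACCOUNT_LOCKED user=erin src=192.0.2.7
2024-01-15T09:45:00Z LOGOUT SUCCESS user=alice src=10.0.0.5
"""

FAIL_THRESHOLD = 5              # this many failures from one source IP ...
WINDOW = timedelta(minutes=5)   # ... within this window is suspicious


def parse_line(line):
    """Turn one log line into a dict, or return None for a malformed line."""
    parts = line.split()
    if len(parts) < 3:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    entry = {"ts": ts, "event": parts[1]}
    rest = parts[2:]
    # LOGIN/LOGOUT carry an outcome token; state changes (ACCOUNT_LOCKED) do not.
    if "=" not in rest[0]:
        entry["outcome"] = rest.pop(0)
    for kv in rest:
        key, _, value = kv.partition("=")
        entry[key] = value
    return entry


def parse_log(text):
    """Parse every non-empty line, silently skipping malformed ones."""
    entries = (parse_line(l) for l in text.splitlines() if l.strip())
    return [e for e in entries if e is not None]


def detect_brute_force(entries, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return alerts as (kind, source_ip, detail) tuples.

    'brute_force': a source IP reached `threshold` login failures inside
    `window`.  'success_after_failures': a later LOGIN SUCCESS from a
    flagged IP, i.e. the guessing may have worked.  The second alert is
    only possible because successes are logged alongside failures.
    """
    alerts = []
    recent = defaultdict(list)   # source IP -> timestamps of recent failures
    targets = defaultdict(set)   # source IP -> user IDs it tried
    flagged = set()
    for e in sorted(entries, key=lambda x: x["ts"]):
        if e["event"] != "LOGIN":
            continue
        src = e.get("src", "unknown")
        if e.get("outcome") == "FAILURE":
            targets[src].add(e.get("user", "?"))
            # keep only the failures that fall inside the sliding window
            recent[src] = [t for t in recent[src] + [e["ts"]]
                           if e["ts"] - t <= window]
            if len(recent[src]) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("brute_force", src,
                               f"{len(recent[src])} failures against "
                               f"{len(targets[src])} accounts"))
        elif e.get("outcome") == "SUCCESS" and src in flagged:
            alerts.append(("success_after_failures", src, e.get("user", "?")))
    return alerts


def analyze(text):
    """Convenience wrapper: parse the log text and run the detector."""
    return detect_brute_force(parse_log(text))


if __name__ == "__main__":
    for kind, src, detail in analyze(SAMPLE_LOG):
        print(f"{kind}: {src} ({detail})")
```

Run against the sample it raises two alerts for 203.0.113.9; drop the SUCCESS lines from the log and the second alert, the one that matters most, can never fire.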

Besides the inherent benefits of log management, a number of laws and regulations further compel organizations to store and review certain logs. The following is a listing of key regulations, standards, and guidelines that help define organizations’ needs for log management – ISO 27001, ISO 22301, FISMA, GLBA, HIPAA, SOX, and PCI-DSS.

Guide to Computer Security Log Management: Recommendations of the National Institute of Standards and Technology: Special Publication 800-92

Security Log Management

 
