Oct 21 2008

12 Phishing Threats and Identity Theft

Category: Email Security,Identity TheftDISC @ 7:22 pm

Have you ever thought of losing something and you cannot live without it? Yes, that something can be your identity. Phishing is a practice of luring unsuspecting Internet users to a fake Web site by using authentic-looking email with the real organization’s logo, in an attempt to steal passwords, financial or personal information. In daily life people advise to retrace your steps when you lose something. The question is how you retrace your steps on cyberspace where some uber hackers know how to erase their footsteps to avoid detection. It is difficult to find phishers in cyberspace, and jurisdictional issues make it even harder to prosecute them. Then there is an issue of trust that phishers dupe people to believe that their web site is not fraudulent to collect personal/financial information.

Amongst the financial crisis, phishing might be on the rise because for many organizations information protection might be the last thing on their mind. The FDIC has created a webpage to inform and warn consumers about “phishing.” These days phishers have targeted social network organizations LinkedIn and Facebook where their members have been duped into revealing their sensitive data.

Mainly phishing attacks are targeted to steal the identity. Now the question is, how easy it is to steal somebody’s identity? Let’s say a phisher has your name and address, and then he/she can get your Social Security number with the search on AccurInt or other personal database website. A Social Security number is not the only bounty a fraudster can find on these websites, other personal/private information is available as well at minimal cost.

In the table below are the 12 threats to your online identity which can be manipulated in phishing scams, and possible countermeasures to protect your personal and financial information. Some threats are inadequate or no security controls in place. The last row of the table is a monitoring control to identify the warning signs of identity theft.

[Table=7]

Organizations should take necessary steps to protect against identity fraud and apply whatever state and federal legislation applies to your business. Organizations which are serious about their information security should consider implementing the ISO 27001 (ISMS) standard as a best practice, which provides reasonable due diligence to protect and safeguard your information.

US Bank phishing attack exposed
httpv://www.youtube.com/watch?v=n2QKQkuSB4Q


(Free Two-Day Shipping from Amazon Prime). Great books

Tags: accurint, countermeasure, cyberspace, due diligence, equifax, experian, facebook, fdic, financial crisis, fraudster, identity fraud, information protection, isms, iso 27001, jurisdictional, legislation, linkedin, phishing, prosecute, safeguard, social security, threats, transunion, uber hacker

Oct 07 2008

vsRisk and security risk assessment

Category: ISO 27k,Security Risk AssessmentDISC @ 3:18 pm

Information Security Risk Management for ISO27001 / ISO27002

The State of California has adopted ISO/IEC 27002 as its standard for information security and recommends other organizations and vendors to use this standard as guidance in their efforts to comply with California law.

To achieve an ongoing compliance, major organizations require tools to comply with standard such as ISO 27002/ISO27001. vsRisk is an easy to use Information Security Risk Assessment tool which makes risk assessment process consistent, easier and produces required documentation to achieve ISO 27001 certification . vsRisk also aligns seamlessly with standards like ISO 27002, ISO 27005 and NIST SP 800-30.

vsRisk helps organizations to develop an Information Security Management System (ISMS) asset inventory and capture business, legal and contractual requirements against each asset. vsRisk is customizable to meet specific needs when introducing new risks, vulnerabilities and controls without any additional help from a consultant. vsRisk helps you focus on assets rather than on threats and vulnerabilities. This is an approach which works by treating business processes as an asset, which is examined for their criticality, lack of security and consequences of failed process can be examined. In this regards, vsRisk is an effective and efficient tool by identifying most important points and key issues right away, which focusing on threats doesn’t.

Major benefits of vsRisk tool:
1. It is the definitive ISO27001 risk assessment tool, compliant
with all the key information security standards – which means that
you can be certain that a vsRisk risk assessment will help you
achieve ISO27001 certification.
2. It is designed to be usable – your lead risk assessor and any
asset owners involved in your risk assessment are going to find
their task made easier
3. Unique features include the risk assessment wizard, which
standardizes the risk assessment process and guides asset owners
through the risk assessment process.
4. vsRisk creates a baseline from which future risk assessments can
easily be made.
5. vsRisk integrates with ISMS documentation toolkit, for even
greater usability.

“vsRisk™- the Definitive ISO 27001: 2005-Compliant Information Security Risk Assessment Tool, which automates and delivers an ISO/IEC 27001-compliant risk assessment and can assess confidentiality, integrity and availability for each of business, legal and contractual aspects of information assets – as required by ISO 27001. Providing a comprehensive best-practice alignment, it supports ISO 27001 and 27002 (ISO/IEC 17799) disciplines, and is ISO/IEC 27005 and NIST SP 800-30 compliant. It also offers a wizard-based approach that simplifies and accelerates the risk assessment process, plus integrates and regularly updates BS7799-3 compliant threat and vulnerability databases.”

The key to successful Risk Management is to protect your most important/critical assets. The importance/criticality of an asset might change over time. That is another reason to automate security risk assessment process to recalibrate your risks based on current state of security.

Risk Management to ISO27001/NIST Wizard-based risk assessment tool Simplifies compliance – To buy vsRisk tool!

Meet Stringent California Information Security Legislation with Comprehensive Toolkit

ISO27001 EXPERTS CAN HELP COMPANIES MEET STRINGENT CALIFORNIAN …
EIN News (press release) – Netherlands
vsRisk™- the Definitive ISO 27001: 2005-Compliant Information Security Risk Assessment Tool, which automates and delivers an ISO/IEC 27001-compliant risk …

Tags: asset owner, automate security risk assessment, baseline, california, isms, iso 17799, iso 27001, iso 27001 certification, iso 27002, iso 27005, nist sp 80-30, sb 1386, vsrisk

Aug 08 2008

PCI DSS significance and contractual agreement

Category: pci dss,Security ComplianceDISC @ 11:52 pm





The PCI DSS (Payment Card Industry & Data Security Standard) was established by credit card companies to create a unified security standard for handling credit card information.  The retail service industry now understands the strategic significance of PCI DSS compliance, which was demonstrated when TJX announced that their system was compromised for more than 17 months, where well over 50 million customers’ credit and debit cards were breached. Retail business which fails to comply will be subject to penalties and fines, possibly lawsuits, and may lose their credit card processing capability. Non-compliance will not only expose businesses to fines and penalties but also make it vulnerable to many threats, which can exploit the vulnerabilities in the system and put your business to unnecessary risk. These risks could have been avoided with some due diligence. When business is non-compliant, any major breach will have a significant impact on business viability.


To start a process of PCI compliance, a merchant should determine if PCI DSS applies to their organization.  PCI DSS is applicable if your customer PAN (Primary Account Numbers) is stored, processed or transmitted in your organization. After determining the applicability of the standard, the merchant needs to determine where their business falls in the categorization of businesses by their bank in terms of merchant level.


Before commencing the risk assessment the assessor will perform the system profile to determine the applicability of the scope and set the boundaries of the system covered under PCI-DSS assessment. Planning is the key to success of a project; this is the phase where all the planning and project preparation will take place.   Now the key to the success of your on-going compliance is to simplify the scope of the project. The best way to achieve this to put all the PCI related assets in a precise segment to limit the merchant card holder environment.


Comprehensive risk assessment will be performed on the identified scope where risk analysis will identify the gaps based on PCI DSS standards and risk rating will prioritize the gaps for risk management.  Thorough risk analysis will generate a quality technical and process gap analysis, where you decide the mitigation/compensating controls to comply with PCI DSS.  After completion of the risk assessment the task of the risk management begins, to eliminate the gaps in your environment and to comply with the standard. Depending on the numbers of gaps the risk management team should set realistic goals to complete the tasks in hand.  Best practices recommendations suggest that the organization should eliminate/mitigate the high risks (high impact & probability) gaps to the organization, but sometime organizations decide to go after the low hanging fruits to start with their risk management process.


When the risk management process gets close to finishing and you are well on your way to comply with PCI DSS, you might think that perhaps your job is done. Well in a way, it’s just a beginning of a process where your organization is supposed to maintain the compliance with PCI DSS.  Based on expert opinion, PCI DSS is a process not a project. What you have done so far, is baseline your environment. Ongoing compliance is achieved by monitoring the relevant PCI DSS controls. Ongoing compliance will depend on the quality of the merchant’s information security management system (ISMS). A strong  ISMS would include thorough monitoring, logging and reviewing controls to maintain and improve system security over time.  You can develop an automated PCI monitoring process to achieve consistent results and sustain compliance by continuously monitoring your system. ISMS (based on ISO 27001) certainly can be a great value to manage ongoing monitoring, maintenance and improvement cycle.


In a sense, PCI is neither a regulation nor a standard but a contractual agreement between the merchant and their acquirer bank, when merchants start transmitting PAN data that makes them contractually obligated to comply with PCI DSS. To understand their obligations, the merchant should make a proactive effort to understand their acquirer’s particular interpretation of PCI DSS requirements to get compliant.  Ongoing compliance will require adequate resources and automated controls in place to routinely monitor, maintain, review and improve the required systems. Ultimately, ongoing PCI compliance will enhance business efficiency and reduce the potential impact of adverse publicity on your business image.


 












Documentation Compliance Toolkit

PCI Compliance

Practical guide to implementation (Soft Cover)

Practical guide to implementation (Download)



PCI Compliance
httpv://www.youtube.com/watch?v=0NUTs-aFtOA

Tags: business efficiency, business image, compensating controls, comprehensive, contractual agreement, gap analysis, isms, iso 27001, merchant card holder, mitigate, pan, pci compliance, pci dss, risk analysis, Risk Assessment, risk management process, tjx

Aug 08 2008

ISO27k and compliance

Category: Information Security,ISO 27kDISC @ 2:42 am

Security review is performed to identify and analyze risks and weaknesses in the current security posture of an organization. An ISO assessment is performed utilizing international standard ISO 27002 and company security policy, the purpose of the review is to evaluate the information security posture of an organization based on international standard. The level of compliance will indicate how close your organization is to meeting the key objectives for each 133 controls defined within 11 security control clauses collectively containing a total of 39 main security categories and one introductory clause introducing risk assessment and treatment.

It is important to not only assess the control for completeness (all relevant areas are addressed) and comprehensiveness (each individual area is covered completely), but also this balanced framework serves as the basis for both measuring an organization’s effectiveness in addressing risk and structuring an organization’s overall security program. Because ISO 27002 requirements are largely a superset of other major regulations, achieving ISO 27002 compliance positions most organizations to be well on their way to meeting the requirements of SOX, HIPAA and GLBA.

To achieve ISO compliance, thorough assessment utilizing all 133 controls will provide mitigating solution guidelines for gaps. To give your business an edge, conduct a security review based on ISO controls, if you would like to compare your security practices with international standard.
The result of the assessment will not only establish and maintain security policy, but also validates the policy’s completeness, design new controls and provide a road map to mitigate risks. An assessment of risks will determine what issues need to be addressed and provide a guideline to meet security regulations and a road map to build a world class ISMS (Information Security Management System).

ISO27001 is an international standard which is considered as an information security best practice or due diligence and is part of the security controls and audit controls specification document. ISO27002 is a code of practice which recommends guidelines for information security management systems and is closely linked to ISO 27001. ISO27001 continues to provide comprehensive best-practice advice and guidance to private and public organizations around the globe on how to design and implement a compliant information security management system ISMS.
An ISMS is not simply a set of documents. Maintaining and improving ISMS allows it to grow over time to address new business requirements. An ISMS is simply a system which addresses information security risks facing an organization and identifies the level of organization compliance with applicable regulations.

Reblog this post [with Zemanta]

Tags: glba, Health Insurance Portability and Accountability Act, hipaa, Information Security, Information Security Management System, isms, iso 27002, iso assessment, iso compliance, ISO/IEC 27001, ISO/IEC 27002, sox

« Previous Page