Apr 26 2025

How Can Organizations Transition to ISO 27001:2022?

Category: ISO 27k | disc7 @ 4:29 pm

The release of ISO 27001:2022 introduces key updates, especially in Annex A, which includes 11 new controls, focusing on areas such as cloud service security, business continuity, and threat intelligence. Organizations must transition to the new version by October 2025. While some existing measures might align with these controls, others, like cloud exit strategies or testing business continuity plans, often need further attention. It’s critical for companies to evaluate their processes against these changes to ensure compliance and enhance their security posture.

For more details, check the full post here.


ISO 27001 Compliance and Certification

ISMS and ISO 27k training

Security Risk Assessment and ISO 27001 Gap Assessment

Feel free to get in touch if you have any questions about the ISO 27001 Internal audit or certification process.

Successfully completing your ISO 27001 audit confirms that your Information Security Management System (ISMS) meets the required standards and assures your customers of your commitment to security.

Get in touch with us to begin your ISO 27001 audit today.

ISO 27001:2022 Annex A Controls Explained

Preparing for an ISO Audit: Essential Tips and Best Practices for a Successful Outcome

Is a Risk Assessment required to justify the inclusion of Annex A controls in the Statement of Applicability?

Many companies perceive ISO 27001 as just another compliance expense?

ISO 27001: Guide & key Ingredients for Certification

DISC InfoSec Previous posts on ISO27k

ISO certification training courses.

ISMS and ISO 27k training

Difference Between Internal and External Audit

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | Security Risk Assessment Services

 

Tags: iso 27001, ISO 27001 2022, ISO 27002 2022, Transition to ISO 27001:2022


Apr 24 2025

How to Send DKIM-Signed, 100% Legit Phishing Emails — Straight from Google That Bypass Everything

Category: Email Security, Information Security, Phishing | disc7 @ 1:01 pm

​A recent revelation by security researcher Nick Johnson highlights a sophisticated phishing technique that exploits Google’s own services—specifically OAuth and Google Sites—to send DKIM-signed phishing emails that appear entirely legitimate. This method allows attackers to craft emails that seem to originate from “no-reply@google.com,” effectively bypassing traditional email security measures and deceiving recipients into divulging sensitive information.​

The attack begins with the creation of a malicious Google OAuth application. Attackers manipulate the app’s name field to include deceptive messages, such as fake security alerts, by inserting numerous spaces or line breaks to obscure the true nature of the content. This crafted app name then autofills into legitimate-looking emails sent by Google, lending an air of authenticity to the phishing attempt.​

Subsequently, the attackers leverage Google Sites to host convincing phishing pages that mimic official Google interfaces. These pages are designed to harvest user credentials under the guise of legitimate Google services. Because the emails are sent through Google’s infrastructure and are DKIM-signed, they often evade spam filters and other security checks, making them particularly dangerous.​

This method is especially concerning because it exploits the inherent trust users place in Google’s services. By utilizing Google’s own platforms to disseminate phishing emails and host malicious content, attackers can effectively bypass many of the safeguards that users and organizations rely on to protect against such threats.​

The implications of this technique are far-reaching. It underscores the need for heightened vigilance and more robust security measures, as traditional defenses like DKIM and SPF may not be sufficient to detect and block such sophisticated attacks. Organizations must recognize that even trusted platforms can be manipulated to serve malicious purposes.​

To counteract these threats, several measures can be implemented:

  • User Education: Regular training to help users recognize phishing attempts, even those that appear to come from trusted sources.​
  • Two-Factor Authentication (2FA): Encouraging or mandating the use of 2FA can add an additional layer of security, making it more difficult for attackers to gain unauthorized access.​
  • Monitoring and Alerts: Implementing systems that monitor for unusual OAuth app creations or sign-in activities can help detect and respond to suspicious behavior promptly.​
  • Email Filtering Enhancements: Updating email filters to scrutinize not just the sender’s address but also the content and context of the message can improve detection rates.​
  • Collaboration with Service Providers: Working closely with platforms like Google to report and address vulnerabilities can lead to quicker resolutions and improved security for all users.​

By adopting a multi-faceted approach that combines user awareness, technical safeguards, and proactive collaboration, organizations can better defend against these advanced phishing techniques.
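
An added example, not code from the original post or from Google: a mail-filter heuristic in Python that looks past sender authentication at the two content signals described above, whitespace padding in the body and a link to Google Sites. The thresholds, the sample messages and the `example.net` host are constructed assumptions, and the `Authentication-Results` header is assumed to have been written by your own receiving MTA.

```python
import re
from email import message_from_string
from email.policy import default

# Thresholds are assumptions chosen for this illustration; tune on real mail.
MAX_BLANK_LINES = 8   # consecutive empty lines tolerated in a notification body
MAX_SPACE_RUN = 40    # consecutive spaces, tabs or NBSPs tolerated on one line

URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)
DKIM_PASS_RE = re.compile(
    r"\bdkim=pass\b[^;]*\bheader\.(?:d|i)=@?([A-Za-z0-9.-]+)", re.I)
SPACE_RUN_RE = re.compile(r"[ \t\u00a0]{%d,}" % (MAX_SPACE_RUN + 1))


def is_google(domain):
    domain = domain.lower().rstrip(".")
    return domain == "google.com" or domain.endswith(".google.com")


def longest_blank_run(text):
    """Length of the longest run of consecutive empty lines."""
    longest = current = 0
    for line in text.splitlines():
        current = current + 1 if not line.strip() else 0
        longest = max(longest, current)
    return longest


def google_authenticated(msg):
    """True when From is a google.com address and the receiving MTA recorded
    a DKIM pass for a google.com signing domain (Authentication-Results)."""
    sender = msg["From"]
    if sender is None or not sender.addresses:
        return False
    if not is_google(sender.addresses[0].domain):
        return False
    for header in msg.get_all("Authentication-Results", []):
        match = DKIM_PASS_RE.search(str(header))
        if match and is_google(match.group(1)):
            return True
    return False


def analyse(raw):
    """Flag mail that authenticates as Google yet carries content indicators.
    Mail that fails authentication is left to the existing SPF/DKIM policy."""
    msg = message_from_string(raw, policy=default)
    part = msg.get_body(preferencelist=("plain", "html"))
    text = part.get_content() if part is not None else ""

    indicators = []
    if longest_blank_run(text) > MAX_BLANK_LINES or SPACE_RUN_RE.search(text):
        indicators.append("whitespace-padding")
    hosts = {h.lower() for h in URL_HOST_RE.findall(text)}
    if "sites.google.com" in hosts:
        indicators.append("google-sites-link")

    authenticated = google_authenticated(msg)
    return {"google_authenticated": authenticated,
            "indicators": indicators,
            "hold": authenticated and bool(indicators)}


# Constructed sample messages (not real mail); example.net is a placeholder.
HEADERS = (
    "Authentication-Results: mx.example.net;\n"
    " dkim=pass header.i=@google.com header.s=constructed;\n"
    " spf=pass smtp.mailfrom=google.com\n"
    "From: Google <no-reply@google.com>\n"
    "To: user@example.net\n"
    "Subject: Security alert\n"
    'Content-Type: text/plain; charset="utf-8"\n'
    "\n"
)
PADDED = (HEADERS
          + "Security alert: review your account at\n"
          + "https://sites.google.com/view/constructed-example\n"
          + "\n" * 12
          + "constructed-app-name was granted access to your account.\n")
ROUTINE = (HEADERS
           + "Your recovery phone was updated.\n"
           + "https://myaccount.google.com/notifications\n")

if __name__ == "__main__":
    for name, raw in (("padded", PADDED), ("routine", ROUTINE)):
        print(name, analyse(raw))
```

Both samples pass the sender checks identically; only the content indicators separate them, which is why the `hold` decision is made after authentication rather than instead of it.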

For further details, access the article here


Tags: DKIM-Signed


Apr 11 2025

How to Continuously Enhance Your ISO 27001 ISMS (Clause 10 Explained)

Category: ISO 27k | disc7 @ 12:08 pm

Maintaining an effective Information Security Management System (ISMS) under ISO 27001 necessitates ongoing evaluation and enhancement. Clause 10 of the standard emphasizes the importance of continual improvement to ensure that security measures remain robust and aligned with organizational objectives. This involves regularly monitoring the effectiveness of implemented controls, measuring their performance against set objectives, and making necessary adjustments to address evolving information security risks.

The dynamic nature of information security threats, particularly in the cyber realm, requires organizations to be proactive. Cybercriminals continually develop new tools and methods, making it imperative for organizations to adapt their defenses accordingly. Additionally, as organizations evolve, new risks may emerge, and existing ones may change, underscoring the need for continuous assessment and refinement of security measures.

ISO 27001’s Clause 10.1 mandates organizations to continually improve the suitability, adequacy, and effectiveness of their ISMS. This can be achieved by identifying opportunities for enhancement during management reviews and through the nonconformity and corrective action processes outlined in Clause 10.2. Regular internal audits and management reviews play a crucial role in this continual improvement cycle. ​

Nonconformities within an ISMS are categorized into three types: major nonconformities, minor nonconformities, and opportunities for improvement (OFIs). Major nonconformities indicate significant failures, such as the absence of a critical process like risk assessment. Minor nonconformities refer to partial compliance with some deficiencies that don’t critically harm the ISMS’s operation. OFIs highlight minor issues that aren’t currently problematic but could become so in the future. Identifying these nonconformities typically occurs through internal audits, monitoring, and analysis of logs or records.

Upon identifying a nonconformity, organizations are required to take corrective actions. This involves reacting to the nonconformity, determining its cause, and implementing measures to prevent its recurrence. The effectiveness of these corrective actions should be reviewed, and all related activities must be documented to demonstrate compliance and facilitate ongoing improvement.

Continual improvement doesn’t necessarily entail significant expenses. Many enhancements can be achieved through regular internal audits, management reviews, and staff engagement. By fostering a culture of continuous improvement, organizations can maintain an ISMS that effectively addresses current and emerging information security risks, ensuring resilience and compliance with ISO 27001 standards.


Tags: Clause 10, Continuous Improvement, iso 27001, PDCA


Apr 10 2025

What is Flipper Zero and why every PenTester should have one

Category: Pen Test | disc7 @ 2:49 pm

Flipper Zero: Empower Your Security Journey with The Ultimate Portable Multitool for Cybersecurity, Ethical Hacking, Penetration Testing, IoT Security, and Electronics Prototyping.

​Flipper Zero is a compact, multi-functional device designed for security testing and hardware exploration. It enables users to interact with a variety of access control systems and wireless communications by reading, copying, and emulating signals from technologies such as RFID, NFC, infrared, and sub-GHz radio frequencies. ​

Launched through a successful Kickstarter campaign in 2020, Flipper Zero gained popularity for its versatility and user-friendly design. The device features a monochrome LCD screen and a five-button directional pad for navigation. Notably, it includes a virtual pet dolphin that reacts to user interactions, adding an engaging element to its functionality. ​

Flipper Zero’s capabilities encompass a wide range of applications:​

  • RFID and NFC: It can read, store, and emulate low-frequency (125 kHz) and high-frequency (13.56 MHz) RFID and NFC cards, commonly used in access control and contactless payment systems.
  • Infrared Transceiver: The device can capture and transmit infrared signals, allowing it to function as a universal remote for various electronics. ​
  • Sub-GHz Radio: Flipper Zero is capable of interacting with devices operating on sub-GHz frequencies, such as garage door openers and IoT sensors, by analyzing and replicating their signals. ​
  • GPIO Interface: It offers general-purpose input/output pins to connect with and control external hardware components, facilitating hardware debugging and development. ​

While Flipper Zero is a powerful tool for security professionals and enthusiasts to test and understand wireless systems, it’s essential to use it responsibly and ethically. Unauthorized use of its capabilities can lead to legal consequences. ​


Every pentester should consider having a Flipper Zero because it’s like a Swiss Army knife for testing physical and wireless security. Here’s why it’s a must-have:

🔧 1. Multi-Protocol Capabilities in One Device

  • RFID/NFC: Test badge cloning and access control systems.
  • Sub-GHz: Interact with garage doors, IoT devices, and older wireless protocols.
  • Infrared: Clone remotes for TVs, AC units, etc.
  • Bluetooth (via dev board): Sniff and test BLE devices.

🧪 2. Hardware Hacking on the Go

  • Has GPIO pins to interact with other hardware — perfect for quick and dirty hardware interfacing, debugging, or logic analysis.

🧰 3. Portable & Discreet

  • It’s small, pocket-friendly, and looks like a toy. Great for red teaming or physical engagements without drawing attention.

🚀 4. Community & Extensibility

  • Tons of custom firmware and plugins (like RogueMaster) that add features like Wi-Fi attacks, BadUSB, signal jamming (for research!), etc.

👨‍💻 5. Saves Time

  • Instead of lugging around multiple tools or building custom setups, you get plug-and-play convenience for many common wireless/hardware tests.

⚠️ Caveat: Always use it within the boundaries of your engagement rules and local laws — some functions can cross legal lines if misused.

A quick hit list of top pentest tasks you can do with a Flipper Zero — super handy during engagements or recon:


🔓 Access Control Testing

  • Read/Clone RFID cards (125kHz like HID, EM4100)
  • Read/Emulate NFC badges (13.56MHz — MIFARE, etc.)
  • Test building badge systems for weak cloning protections


📡 Wireless Signal Attacks (Sub-GHz)

  • Sniff, capture, and replay signals from:
    • Garage doors
    • Car key fobs (unsecured ones)
    • Wireless doorbells
  • Brute force rolling codes (with add-ons, for testing weak implementations)


🛰️ Infrared (IR) Testing

  • Capture and replay IR remote commands
  • Test TVs, AC units, and projectors for universal remote vulnerabilities


🔌 Hardware Interface Hacking

  • Use GPIO pins to:
    • Interface with UART, SPI, I2C
    • Dump flash memory from dev boards or routers
    • Trigger hardware-based exploits (like JTAG poking)


💻 BadUSB Emulation

  • Emulate a keyboard (like Rubber Ducky)
  • Deliver payloads/scripts upon plugging into a target PC
  • Great for social engineering drops


📶 Wi-Fi/Bluetooth Attacks (with add-ons like Wi-Fi dev board)

  • Scan Wi-Fi networks
  • Launch deauth attacks
  • Interact with BLE devices (test fitness trackers, locks)


🧠 Bonus Recon Tools

  • Signal strength meter for RF hunting
  • iButton read/emulate (used in some legacy systems)
  • Custom firmware enables even more — like Doom, Flappy Bird (okay, maybe not a test… but cool)


Tags: Flipper Zero


Apr 10 2025

Businesses leveraging AI should prepare now for a future of increasing regulation.

Category: AI | disc7 @ 9:15 am

​In early 2025, the Trump administration initiated significant shifts in artificial intelligence (AI) policy by rescinding several Biden-era executive orders aimed at regulating AI development and use. President Trump emphasized reducing regulatory constraints to foster innovation and maintain the United States’ competitive edge in AI technology. This approach aligns with the administration’s broader goal of minimizing federal oversight in favor of industry-led advancements. ​

Vice President J.D. Vance articulated the administration’s AI policy priorities at the 2025 AI Action Summit in Paris, highlighting four key objectives: ensuring American AI technology remains the global standard, promoting pro-growth policies over excessive regulation, preventing ideological bias in AI applications, and leveraging AI for job creation within the United States. Vance criticized the European Union’s cautious regulatory stance, advocating instead for frameworks that encourage technological development. ​

In line with this deregulatory agenda, the White House directed federal agencies to appoint chief AI officers and develop strategies for expanding AI utilization. This directive rescinded previous orders that mandated safeguards and transparency in AI applications, reflecting the administration’s intent to remove what it perceives as bureaucratic obstacles to innovation. Agencies are now encouraged to prioritize American-made AI, focus on interoperability, and protect privacy while streamlining acquisition processes. ​

The administration’s stance has significant implications for state-level AI regulations. With limited prospects for comprehensive federal AI legislation, states are expected to take the lead in addressing emerging AI-related issues. In 2024, at least 45 states introduced AI-related bills, with some enacting comprehensive legislation to address concerns such as algorithmic discrimination. This trend is likely to continue, resulting in a fragmented regulatory landscape across the country.

Data privacy remains a contentious issue amid these policy shifts. The proposed American Privacy Rights Act of 2024 aims to establish a comprehensive federal privacy framework, potentially preempting state laws and allowing individuals to sue over alleged violations. However, in the absence of federal action, states have continued to enact their own privacy laws, leading to a complex and varied regulatory environment for businesses and consumers alike. ​

Critics of the administration’s approach express concerns that the emphasis on deregulation may compromise necessary safeguards, particularly regarding the use of AI in sensitive areas such as political campaigns and privacy protection. The balance between fostering innovation and ensuring ethical AI deployment remains a central debate as the U.S. navigates its leadership role in the global AI landscape.

For further details, access the article here

DISC InfoSec’s earlier post on the AI topic

NIST: AI/ML Security Still Falls Short

Trust Me – ISO 42001 AI Management System

AI Management System Certification According to the ISO/IEC 42001 Standard

 Adversarial AI Attacks, Mitigations, and Defense Strategies: A cybersecurity professional’s guide to AI attacks, threat modeling, and securing AI with MLSecOps

What You Are Not Told About ChatGPT: Key Insights into the Inner Workings of ChatGPT & How to Get the Most Out of It

Digital Ethics in the Age of AI – Navigating the ethical frontier today and beyond

Artificial intelligence – Ethical, social, and security impacts for the present and the future

“AI Regulation: Global Challenges and Opportunities”


Tags: AI regulation


Apr 09 2025

How to differentiate between Emulation and Simulation in cyber world

Category: cyber security, Information Security | disc7 @ 10:48 am

Emulation

🔧 Definition: Reproduces the exact behavior of one system on a different system.
🎯 Goal: Act like the real system, often for compatibility.
📦 Example: Running an old video game console on your PC using an emulator.

Key Traits:

  • Mimics both hardware and software behavior.
  • Used when accuracy is critical (e.g., legacy system support).
  • Slower but more faithful to original system.

Simulation

🧪 Definition: Models a system’s behavior to study or predict how it operates.
🎯 Goal: Understand or analyze system behavior, not necessarily replicate it exactly.
📊 Example: Simulating weather patterns or network traffic.

Key Traits:

  • Abstracts certain behaviors for analysis.
  • Focused on performance, outcomes, or patterns.
  • Often used in design, training, or testing.

👥 Analogy:

  • Emulation is like impersonating someone exactly—their voice, walk, habits.
  • Simulation is like creating a role-play of their behavior to study how they might act.

🔍 Emulation vs. Simulation: Side-by-Side Comparison

| Feature | Emulation | Simulation |
| --- | --- | --- |
| Purpose | Replicate exact behavior of a system | Model system behavior to understand, test, or predict outcomes |
| Accuracy | Very high – mimics original system closely | Approximate – focuses on behavior, not exact replication |
| Use Case | Compatibility, legacy system testing | Analysis, design, forecasting, training |
| Speed | Slower due to detailed replication | Faster due to abstraction |
| System Behavior | Includes full hardware/software behavior | Models only necessary parts of the system |
| Cybersecurity Example | Emulating malware in a sandbox to observe behavior | Simulating a DDoS attack to test how a network would respond |
| IT Example | Emulating an older OS to run legacy apps | Simulating network performance under high load |
| Tools/Tech | QEMU, Bochs, BlueStacks, VirtualBox (with emulation settings) | NS3, GNS3, Packet Tracer, Simulink |

The Difference Between Cybersecurity Simulation vs Cybersecurity Emulation


Tags: Emulation vs Simulation


Apr 09 2025

NIST: AI/ML Security Still Falls Short

Category: AI, Cyber Attack, cyber security, Cyber Threats | disc7 @ 8:47 am

​The U.S. National Institute of Standards and Technology (NIST) has raised concerns about the security vulnerabilities inherent in artificial intelligence (AI) systems. In a recent report, NIST emphasizes that there is currently no foolproof method to defend AI technologies from adversarial attacks. The institute warns against accepting vendor claims of absolute AI security, noting that developers and users should be cautious of such assurances. ​

NIST’s research highlights several types of attacks that can compromise AI systems:​

  • Evasion Attacks: These occur when adversaries manipulate inputs to deceive AI models, leading to incorrect outputs.​
  • Poisoning Attacks: In these cases, attackers corrupt training data, causing the AI system to learn incorrect behaviors.​
  • Privacy Attacks: These involve extracting sensitive information from AI models, potentially leading to data breaches.​
  • Abuse Attacks: Here, legitimate sources of information are compromised to mislead the AI system’s operations. ​

NIST underscores that existing defenses against such attacks are insufficient and lack robust assurances. The agency calls on the broader tech community to develop more effective security measures to protect AI systems. ​

In response to these challenges, NIST has launched the Cybersecurity, Privacy, and AI Program. This initiative aims to support organizations in adapting their risk management strategies to address the evolving landscape of AI-related cybersecurity and privacy risks. ​

Overall, NIST’s findings serve as a cautionary reminder of the current limitations in AI security and the pressing need for continued research and development of robust defense mechanisms.

For further details, access the article here

While no AI system is fully immune, several practical strategies can reduce the risk of evasion, poisoning, privacy, and abuse attacks:


🔐 1. Evasion Attacks

(Manipulating inputs to fool the model)

  • Adversarial Training: Include adversarial examples in training data to improve robustness.
  • Input Validation: Use preprocessing techniques to sanitize or detect manipulated inputs.
  • Model Explainability: Apply tools like SHAP or LIME to understand decision logic and spot anomalies.


🧪 2. Poisoning Attacks

(Injecting malicious data into training sets)

  • Data Provenance & Validation: Track and vet data sources to prevent tampered datasets.
  • Anomaly Detection: Use statistical analysis to spot outliers in the training set.
  • Robust Learning Algorithms: Choose models that are more resistant to noise and outliers (e.g., RANSAC, robust SVM).
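
An added example, not taken from the NIST report or the original post: a first-pass statistical screen for the anomaly-detection item above, flagging training rows that sit far from the rest of their own labelled class using the modified z-score (median and MAD). The two-feature dataset, its labels and the function name are constructed for illustration, and the screen assumes poisoned rows are a minority within each class.

```python
from collections import defaultdict
from math import dist
from statistics import median

# 3.5 is the cut-off commonly used with the modified z-score (Iglewicz and Hoaglin).
THRESHOLD = 3.5


def flag_suspect_samples(samples, threshold=THRESHOLD):
    """samples: list of (feature_tuple, label). Returns the sorted indices of
    rows whose distance from their own class's median point is an extreme
    outlier, for manual review before training."""
    by_label = defaultdict(list)
    for index, (features, label) in enumerate(samples):
        by_label[label].append((index, features))

    flagged = []
    for members in by_label.values():
        # Coordinate-wise median: a centre a minority of poisoned rows cannot drag far.
        centre = tuple(median(col) for col in zip(*(f for _, f in members)))
        distances = [(i, dist(f, centre)) for i, f in members]
        med = median(d for _, d in distances)
        mad = median(abs(d - med) for _, d in distances)
        if mad == 0:
            continue  # class too uniform (or too small) to score
        for i, d in distances:
            # One-sided test: only rows unusually far from the centre matter.
            if 0.6745 * (d - med) / mad > threshold:
                flagged.append(i)
    return sorted(flagged)


# Constructed training set. Rows 8 and 9 carry the "benign" label but have
# features typical of the "malicious" class (a label-flip style poisoning).
TRAINING = [
    ((1.0, 1.2), "benign"), ((0.8, 1.0), "benign"), ((1.2, 0.9), "benign"),
    ((1.1, 1.1), "benign"), ((0.9, 0.8), "benign"), ((1.0, 1.0), "benign"),
    ((1.3, 1.2), "benign"), ((0.7, 1.1), "benign"),
    ((8.1, 7.9), "benign"), ((7.8, 8.2), "benign"),      # poisoned rows
    ((8.0, 8.0), "malicious"), ((8.2, 7.9), "malicious"),
    ((7.9, 8.3), "malicious"), ((8.1, 8.1), "malicious"),
    ((7.7, 7.8), "malicious"), ((8.3, 8.2), "malicious"),
    ((8.0, 7.7), "malicious"), ((7.8, 8.0), "malicious"),
]

if __name__ == "__main__":
    print("rows to review:", flag_suspect_samples(TRAINING))
```

A screen like this complements provenance tracking rather than replacing it: poisoned rows crafted to sit inside the class distribution will not stand out statistically.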


🔍 3. Privacy Attacks

(Extracting sensitive data from the model)

  • Differential Privacy: Add noise during training or inference to protect individual data points.
  • Federated Learning: Train models across multiple devices without centralizing data.
  • Access Controls: Limit who can query or download the model.


🎭 4. Abuse Attacks

(Misusing models in unintended ways)

  • Usage Monitoring: Log and audit usage patterns for unusual behavior.
  • Rate Limiting: Throttle access to prevent large-scale probing or abuse.
  • Red Teaming: Regularly simulate attacks to identify weaknesses.


📘 Bonus Best Practices

  • Threat Modeling: Apply STRIDE or similar frameworks focused on AI.
  • Model Watermarking: Identify ownership and detect unauthorized use.
  • Continuous Monitoring & Patching: Keep models and pipelines under review and updated.

STRIDE is a threat modeling methodology that categorizes security threats into six types: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege.

DISC InfoSec’s earlier post on the AI topic

Trust Me – ISO 42001 AI Management System

 Adversarial AI Attacks, Mitigations, and Defense Strategies: A cybersecurity professional’s guide to AI attacks, threat modeling, and securing AI with MLSecOps

What You Are Not Told About ChatGPT: Key Insights into the Inner Workings of ChatGPT & How to Get the Most Out of It

Digital Ethics in the Age of AI – Navigating the ethical frontier today and beyond

Artificial intelligence – Ethical, social, and security impacts for the present and the future


Tags: AI security, ML Security


Apr 08 2025

Cybersecurity Leadership for Small Businesses: The vCISO Advantage

Category: CISO, vCISO | disc7 @ 9:34 am

Small business owners often prioritize growth and customer service, inadvertently overlooking cybersecurity. However, cyber threats are indifferent to company size, frequently targeting smaller enterprises due to their comparatively weaker security measures. Engaging a Virtual Chief Information Security Officer (vCISO) can provide the necessary expertise to bolster defenses and protect critical assets. ​

While many small businesses view cybersecurity merely as a compliance requirement, this perspective is limited. A vCISO offers more than just ensuring adherence to regulations; they proactively work to prevent breaches that could disrupt operations, erode customer trust, and incur substantial recovery costs. ​

Contrary to the belief that cybercriminals focus solely on large corporations, small businesses are often prime targets due to their perceived vulnerabilities. Attackers employ automated tools to identify and exploit weaknesses, making robust security measures essential for businesses of all sizes.

The financial burden of hiring a full-time Chief Information Security Officer can be prohibitive for many small businesses. A vCISO provides executive-level cybersecurity guidance at a fraction of the cost, granting access to seasoned professionals without the expense of a full-time position.

Relying solely on IT generalists or managed service providers for security may not suffice. A vCISO brings dedicated strategic insight, aligning security initiatives with business objectives and facilitating informed decision-making. For instance, during a cloud migration, a vCISO would address critical security considerations such as access control, data residency, vendor risks, and breach response plans.

In the event of a cybersecurity incident, having a well-practiced response plan is crucial. A vCISO ensures preparedness, enabling swift and effective action to mitigate damage, control costs, and preserve the company’s reputation. Their tailored approach considers the unique needs and risk tolerance of the business, ensuring appropriate investment in necessary protections without overspending on superfluous tools.

Why Small Businesses may Need vCISO Services

1. Targeted by Cybercriminals: Small businesses often believe they fly under the radar, but cybercriminals see them as easy prey. With limited security budgets and lack of specialized personnel, they are prime targets for ransomware, phishing, and other attacks. A vCISO helps shore up defenses before attackers strike.

2. Cost-Effective Expertise: Hiring a full-time Chief Information Security Officer (CISO) is often financially out of reach for small businesses. A vCISO offers the same strategic insight and leadership on a part-time or fractional basis—delivering enterprise-level expertise without the enterprise-level price tag.

3. Regulatory Compliance: From HIPAA and PCI-DSS to GDPR and state-level data protection laws, compliance is critical. A vCISO ensures the organization meets necessary regulatory requirements, helping avoid fines, legal trouble, and loss of customer trust.

4. Risk-Based Security Strategy: Not every threat deserves the same level of attention. A vCISO helps identify and prioritize risks based on the business’s unique environment, making sure resources are directed toward the most impactful protections.

5. Preparedness for Incidents: Cyber incidents are not a matter of “if” but “when.” A vCISO creates and tests incident response plans so the business is ready to react swiftly. This minimizes damage, downtime, and potential losses.

6. Third-Party & Cloud Security Oversight: With growing reliance on SaaS applications and third-party vendors, managing external risk is crucial. A vCISO provides guidance on secure vendor selection, cloud architecture, and ongoing monitoring to ensure strong data protection.

Latest Threat Landscape – 65% of the 100 largest US hospitals and health systems have had a recent data breach

For small and mid-sized businesses, the stakes are even higher. Without a structured and operational security program in place, they may stand little chance of effectively managing their risks.

DISC InfoSec offers a free initial high-level assessment. Based on your needs, DISC InfoSec offers ongoing compliance management or a vCISO retainer.

How to Choose a vCISO Services

High-Value, Retainer-Based Security Leadership for Your Business

What is a vCISO and What are the Benefits of a Virtual CISO?

 The Battle for Your Business Security: Are You Ready? 

The vCISO Perspective – Understand the importance of the CISO in the cyber threat landscape

Unlocking Cybersecurity Excellence: How vCISO Services Empower SMBs


Tags: Cybersecurity for SMBs, vCISO


Apr 05 2025

Why ISO 27001 Is Worth It: A Practical Look at Costs and Benefits

Category: Information Security | disc7 @ 3:00 pm

Investing in ISO 27001: Risk Reduction, Competitive Edge, and Cost Savings

​Implementing an Information Security Management System (ISMS) based on the ISO/IEC 27001 standard offers organizations a structured approach to managing information security risks. This system enhances the organization’s ability to handle information security incidents effectively, thereby reducing potential losses and associated costs. By systematically addressing information risks, the ISMS ensures that security measures are aligned with the organization’s specific needs and risk profile.

The adoption of an ISMS leads to a more consistent and comprehensive identification and mitigation of threats and vulnerabilities. This proactive stance not only strengthens existing security controls but also fosters a culture of continuous improvement and awareness among employees. As a result, the organization becomes more resilient and adaptable in the face of evolving cyber threats and uncertainties.

Standardizing information security practices through ISO/IEC 27001 ensures consistency both internally and externally. Internally, it provides a uniform framework across various departments and functions, facilitating coordinated efforts in managing information security. Externally, adherence to internationally recognized standards enhances the organization’s credibility and can lead to competitive advantages in the global market.

The ISMS serves as a solid foundation upon which additional security measures can be built as needed. This scalability allows organizations to tailor their security posture to address specific threats and protect particularly valuable or sensitive information assets effectively. By focusing resources on critical areas, organizations can achieve cost efficiencies while maintaining robust security.

Implementing an ISMS also facilitates better risk communication and understanding among stakeholders. Managers and staff become more familiar with information security concepts, leading to increased competence and a proactive approach to risk management. This heightened awareness contributes to a stronger security culture within the organization.

While there are costs associated with establishing and maintaining an ISMS, many of these expenses would be incurred regardless, as information security is a business imperative. The additional costs specific to the ISMS primarily relate to the initial implementation project, adjustments to governance structures, and optional certification processes. These investments are offset by the long-term benefits of reduced incident-related losses and improved compliance.

Organizations may also experience indirect benefits such as potential reductions in insurance premiums due to the implementation of robust security controls. By demonstrating a commitment to information security through an ISMS, organizations can negotiate more favorable terms with insurers, leading to cost savings.

In summary, adopting an ISMS based on ISO/IEC 27001 standards provides organizations with a systematic and effective framework for managing information security risks. The approach enhances resilience, ensures consistency, and can lead to significant cost savings over time. By embedding information security into the organizational culture, companies can protect their assets more effectively and maintain a competitive edge in today’s digital landscape.


DISC InfoSec is currently conducting market research in the InfoSec space and would greatly value your insights. As a thank you, we’re offering a free 30-minute security consultation on how to set the Flywheel of ISMS in motion, no strings attached. This offer is only available for the next week, before April 11th 2025, so if you’re open to a quick chat, let’s lock in a time ASAP.
Thanks,
https://www.deurainfosec.com/
info@deurainfosec.com



Apr 04 2025

Connected cars are heading toward a cybersecurity crisis

Category: cyber security | disc7 @ 12:55 pm

As vehicles become increasingly connected, integrating sensors, software, and internet connectivity, they offer enhanced safety and convenience features. However, this technological advancement also exposes them to significant cybersecurity risks, making them susceptible to hacking and unauthorized access.

A notable example occurred in 2024 when researchers, including Sam Curry, identified a vulnerability in Kia’s web portal. This flaw allowed unauthorized reassignment of control over internet-connected features in Kia vehicles manufactured after 2013. Similarly, certain Subaru models were found to be remotely hijackable and trackable due to security weaknesses.

The financial impact of such cyberattacks on the automotive industry is substantial. According to a report by VicOne, the industry faced approximately $22.5 billion in cyberattack costs, including $20 billion from data breaches, $1.9 billion due to system downtime, and $538 million in ransomware damages.

Modern vehicles are vulnerable to various cybersecurity threats, including remote hacks through Bluetooth, Wi-Fi, and cellular connections; physical access attacks via diagnostic ports like OBD-II; software vulnerabilities that can be exploited for unauthorized control or data theft; and malware or ransomware injections that can incapacitate vehicle systems.

In-vehicle networks such as the Controller Area Network (CAN) and Local Interconnect Network (LIN), which manage critical functions from engine control to seat adjustments, were not originally designed with security in mind. This oversight leaves them particularly susceptible to hacking. Implementing measures like encryption, authentication, and intrusion detection systems is essential to safeguard these networks.

The advent of autonomous vehicles introduces additional security concerns. Self-driving cars rely heavily on AI algorithms and sensor systems, necessitating robust cybersecurity measures to protect against both external and internal threats. Ensuring the integrity of communication between these components is critical for the safety of passengers and the public.

Manufacturers and regulators must prioritize cybersecurity in vehicle design and operation. This includes conducting thorough risk assessments, implementing comprehensive security protocols, and staying vigilant against emerging threats to protect consumers and maintain trust in automotive technologies.

For further details, access the article here


Tags: Connected cars


Apr 02 2025

ISO 27001:2022 Annex A Controls Explained

Category: ISO 27k | disc7 @ 9:19 am

ISO 27001:2022 is the international standard for information security management systems (ISMS), providing a framework for organizations to identify and address information security risks. While clauses 4–10 outline the broader ISMS requirements, Annex A offers a detailed list of 93 security controls categorized into four themes: Organizational, People, Physical, and Technological. This structure differs from the 2013 version, which contained 114 controls across 14 domains.

The Organizational category comprises 37 controls focusing on policies, procedures, and responsibilities essential for effective information security. These include establishing an information security policy, defining management responsibilities, maintaining contact with authorities, gathering threat intelligence, classifying information, managing identity and access, and overseeing asset management.

The People category encompasses 8 controls addressing the human element of information security. Key aspects involve conducting pre-employment screening, providing staff awareness training, implementing contracts and non-disclosure agreements (NDAs), managing remote working arrangements, and establishing procedures for reporting security events.

The Physical category contains 14 controls that pertain to securing the physical environment of the ISMS. These controls cover areas such as defining security perimeters and secure areas, enforcing clear desk and screen policies, ensuring the reliability of supporting utilities, securing cabling infrastructure, and maintaining equipment properly.

The Technological category includes 34 controls related to the digital aspects of information security. This encompasses implementing malware protection, establishing backup procedures, conducting logging and monitoring activities, ensuring network security and segregation, and adhering to secure development and coding practices.

Selecting appropriate Annex A controls should be based on an organization’s specific risk assessment. After identifying relevant controls, organizations compare them against Annex A to ensure comprehensive risk coverage. Any exclusions of Annex A controls must be justified and documented in the Statement of Applicability (SoA).

The SoA is a critical document within the ISMS, listing all Annex A controls along with justifications for their inclusion or exclusion and their implementation status. It should also incorporate any additional controls from other frameworks or those developed internally. Maintaining the SoA with version control and regular reviews is essential, as it plays a significant role during certification and surveillance audits conducted by certification bodies.

Understanding the distinctions between ISO 27001’s Annex A and ISO 27002 is important. While Annex A provides a concise list of controls, ISO 27002 offers detailed implementation guidance for these controls, assisting organizations in effectively applying them within their ISMS.
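The SoA requirements described above (every Annex A control listed, each inclusion or exclusion justified, an implementation status recorded, additional controls allowed) can be checked mechanically before an audit. The following is an added example, not part of the original post or of the standard: the CSV column names, the status vocabulary and the sample rows are assumptions made for illustration.

```python
"""Lint a Statement of Applicability (SoA) kept as CSV against Annex A of ISO 27001:2022."""
import csv
import io

# Annex A clause -> (theme, number of controls), using the counts given in the post.
THEMES = {5: ("Organizational", 37), 6: ("People", 8),
          7: ("Physical", 14), 8: ("Technological", 34)}
ANNEX_A_IDS = [f"{clause}.{n}"
               for clause, (_, count) in THEMES.items()
               for n in range(1, count + 1)]

# Assumed status vocabulary; the standard does not prescribe one.
VALID_STATUS = {"implemented", "partial", "planned", "n/a"}


def lint_soa(csv_text):
    """Return a sorted list of (control_id, problem) findings.

    Expected columns (assumed for this example):
    control, applicable (yes/no), justification, status.
    """
    findings = []
    seen = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        cid = (row.get("control") or "").strip()
        if cid.upper().startswith("A."):
            cid = cid[2:]                      # accept "A.5.1" and "5.1"
        if cid in seen:
            findings.append((cid, "listed more than once"))
            continue
        seen.add(cid)

        applicable = (row.get("applicable") or "").strip().lower()
        justification = (row.get("justification") or "").strip()
        status = (row.get("status") or "").strip().lower()

        if applicable not in ("yes", "no"):
            findings.append((cid, "applicable must be yes or no"))
        if not justification:
            kind = "exclusion" if applicable == "no" else "inclusion"
            findings.append((cid, f"no justification for {kind}"))
        if status not in VALID_STATUS:
            findings.append((cid, f"unknown status {status!r}"))
        elif applicable == "no" and status != "n/a":
            findings.append((cid, "excluded control has an implementation status"))

    # Every Annex A control must appear, whether included or excluded.
    # IDs outside Annex A are treated as additional controls and only
    # get the per-row checks above.
    for cid in ANNEX_A_IDS:
        if cid not in seen:
            findings.append((cid, "Annex A control missing from SoA"))
    return sorted(findings)


def build_sample_soa():
    """Constructed sample: a complete SoA with four deliberate defects."""
    rows = [["control", "applicable", "justification", "status"]]
    for cid in ANNEX_A_IDS:
        if cid == "8.34":
            continue                                   # defect: control left out
        row = [f"A.{cid}", "yes", "Risk treatment plan", "implemented"]
        if cid == "7.4":
            row = ["A.7.4", "no", "", "n/a"]           # defect: unjustified exclusion
        if cid == "6.7":
            row[3] = "done"                            # defect: status not in vocabulary
        rows.append(row)
        if cid == "5.23":
            rows.append(list(row))                     # defect: duplicate entry
    rows.append(["CUSTOM-1", "yes", "Internal control", "planned"])  # additional control
    out = io.StringIO()
    csv.writer(out).writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    for control, problem in lint_soa(build_sample_soa()):
        print(f"{control:>8}  {problem}")
```

Running the linter as part of the SoA's version-control workflow catches missing or unjustified entries at review time.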

Reach out to us for a free high-level assessment of your organization against ISO 27002 controls.


Tags: iso 27001, ISO 27001:2022, iso 27002


Apr 01 2025

CrushFTP CVE-2025-2825 flaw actively exploited in the wild

Category: Security vulnerabilities | disc7 @ 12:23 pm

A critical vulnerability, designated CVE-2025-2825, has been identified in CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0. This flaw permits unauthenticated attackers to bypass authentication mechanisms via exposed HTTP(S) ports, potentially granting unauthorized access to affected servers.

The vulnerability was privately disclosed to CrushFTP customers on March 21, 2025, urging immediate updates to versions 10.8.4 or 11.3.1. Despite these advisories, as of March 30, approximately 1,500 internet-facing CrushFTP instances remained unpatched and vulnerable.

Exploitation attempts have been observed, with attackers leveraging publicly available proof-of-concept (PoC) exploit code. The Shadowserver Foundation reported that most of these attempts originate from IP addresses in Asia, with fewer from Europe and North America.

The disclosure process for CVE-2025-2825 has been marked by confusion. CrushFTP initially informed customers of the vulnerability without assigning a CVE number, leading to discrepancies in affected version reporting. Subsequently, the vulnerability was assigned CVE-2025-2825, though CrushFTP’s CEO later indicated that the correct identifier should be CVE-2025-31161, causing further uncertainty.

To mitigate the risk associated with this vulnerability, CrushFTP users should promptly update to the patched versions. If immediate updating is not feasible, enabling CrushFTP’s DMZ feature can serve as a temporary safeguard. Additionally, restricting internet access to CrushFTP servers is advisable where possible.
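For triaging an asset inventory against the version ranges and mitigations stated above, the following added example (not from the original post or from CrushFTP) classifies each server and orders the work. The host names, the inventory layout and the handling of a build suffix after the three-part version are assumptions; the inventory rows are constructed sample data.

```python
"""Triage a CrushFTP inventory against the affected ranges given for CVE-2025-2825."""
import re

# (lowest affected, highest affected, fixed release), inclusive, as stated in the post.
AFFECTED = [
    ((10, 0, 0), (10, 8, 3), "10.8.4"),
    ((11, 0, 0), (11, 3, 0), "11.3.1"),
]

# Leading major.minor.patch; anything after it (e.g. a build suffix) is ignored.
# The suffix handling is an assumption about how versions appear in an inventory.
_VERSION = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) or None when the string cannot be parsed."""
    match = _VERSION.match(text or "")
    return tuple(int(part) for part in match.groups()) if match else None


def classify(version_text):
    """Return (state, fixed_release) for one reported version string."""
    version = parse_version(version_text)
    if version is None:
        return ("unparseable", None)
    for low, high, fixed in AFFECTED:
        if low <= version <= high:
            return ("affected", fixed)
    # Outside the ranges the post lists; this is not a statement that the build is safe.
    return ("not listed as affected", None)


def triage(inventory):
    """inventory: iterable of (host, version_string, internet_facing).

    Returns (priority, host, state, action) tuples, most urgent first.
    """
    report = []
    for host, version, exposed in inventory:
        state, fixed = classify(version)
        if state == "affected":
            action = f"update to {fixed}"
            if exposed:
                # Interim measures named in the post for servers that cannot be patched at once.
                action += "; until then enable the DMZ feature or restrict internet access"
            priority = 1 if exposed else 2
        elif state == "unparseable":
            action, priority = "confirm the installed version manually", 3
        else:
            action, priority = "no action from this advisory", 4
        report.append((priority, host, state, action))
    return sorted(report)


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = [
    ("ftp-edge-03", "11.3.1", True),
    ("ftp-old-05", "9.4.0", False),
    ("ftp-int-02", "11.2.9_4", False),
    ("ftp-lab-04", "unknown", False),
    ("ftp-edge-01", "10.8.3", True),
]

if __name__ == "__main__":
    for priority, host, state, action in triage(SAMPLE_INVENTORY):
        print(f"P{priority} {host:<12} {state:<24} {action}")
```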


Tags: CrushFTP, CVE-2025-2825


Apr 01 2025

Things You may not want to Tell ChatGPT

Category: AI, Information Privacy | disc7 @ 8:37 am

Engaging with AI chatbots like ChatGPT offers numerous benefits, but it’s crucial to be mindful of the information you share to safeguard your privacy. Sharing sensitive data can lead to security risks, including data breaches or unauthorized access. To protect yourself, avoid disclosing personal identity details, medical information, financial account data, proprietary corporate information, and login credentials during your interactions with ChatGPT.

Chat histories with AI tools may be stored and could potentially be accessed by unauthorized parties, especially if the AI company faces legal actions or security breaches. To mitigate these risks, it’s advisable to regularly delete your conversation history and utilize features like temporary chat modes that prevent the saving of your interactions.

Implementing strong security measures can further enhance your privacy. Use robust passwords and enable multifactor authentication for your accounts associated with AI services. These steps add layers of security, making unauthorized access more difficult.

Some AI companies, including OpenAI, provide options to manage how your data is used. For instance, you can disable model training, which prevents your conversations from being utilized to improve the AI model. Additionally, opting for temporary chats ensures that your interactions aren’t stored or used for training purposes.

For tasks involving sensitive or confidential information, consider using enterprise versions of AI tools designed with enhanced security features suitable for professional environments. These versions often come with stricter data handling policies and provide better protection for your information.

By being cautious about the information you share and utilizing available privacy features, you can enjoy the benefits of AI chatbots like ChatGPT while minimizing potential privacy risks. Staying informed about the data policies of the AI services you use and proactively managing your data sharing practices are key steps in protecting your personal and sensitive information.

For further details, access the article here


Tags: AI Ethics, AI privacy, ChatGPT, Digital Ethics, privacy


Apr 01 2025

PortSwigger Introduces Burp AI to Elevate Penetration Testing with Artificial Intelligence

Category: AI | disc7 @ 6:32 am

PortSwigger, the developer behind Burp Suite (2025.2.3), has unveiled Burp AI, a suite of artificial intelligence (AI) features aimed at enhancing penetration testing workflows. These innovations are designed to save time, reduce manual effort, and improve the accuracy of vulnerability assessments.

A standout feature of Burp AI is “Explore Issue,” which autonomously investigates vulnerabilities identified by Burp Scanner. It simulates the actions of a human penetration tester by exploring potential exploit scenarios, identifying additional attack vectors, and summarizing findings. This automation minimizes the need for manual investigation, allowing testers to focus on validating and demonstrating the impact of vulnerabilities.

Another key component is “Explainer,” which offers AI-generated explanations for unfamiliar technologies encountered during testing. By highlighting portions of a Repeater message, users receive concise insights directly within the Burp Suite interface, eliminating the need to consult external resources.

Burp AI also addresses the challenge of false positives in scanning, particularly concerning broken access control vulnerabilities. By intelligently filtering out these inaccuracies, testers can concentrate on verified threats, enhancing the efficiency and reliability of their assessments.

To streamline the configuration of authentication for web applications, Burp AI introduces “AI-Powered Recorded Logins.” This feature automatically generates recorded login sequences, reducing the complexity and potential errors associated with manual setup.

Furthermore, Burp Suite extensions can now leverage advanced AI capabilities through the enhanced Montoya API. These AI interactions are integrated within Burp’s secure infrastructure, removing the necessity for additional setups such as managing external API keys.

To facilitate the use of these AI-powered tools, PortSwigger has implemented an AI credit system. Users receive 10,000 free AI credits, valued at $5, upon initiation, which are deducted as they utilize the various AI-driven features.

Complementing these advancements, Burp Suite now includes a Bambda library—a collection of reusable code snippets that simplify the creation of custom match-and-replace rules, table columns, filters, and more. Users can import templates or access a variety of ready-to-use Bambdas from the GitHub repository, enhancing the customization and efficiency of their security testing workflows.

Burp Suite Pro is a must-have tool for professional penetration testers and security researchers working on web applications. The combination of automation and manual testing capabilities makes it indispensable for serious security assessments. However, if you’re just starting, the Community Edition is a good way to get familiar with the tool before upgrading.


Tags: BURP, BURP Pro, burp suite, PortSwigger


Mar 31 2025

If Anthropic Succeeds, a Society of Compassionate AI Intellects May Emerge

Category: AI | disc7 @ 4:54 pm

Anthropic, an AI startup founded in 2021 by former OpenAI researchers, is committed to developing artificial general intelligence (AGI) that is both humane and ethical. Central to this mission is their AI model, Claude, which is designed to embody benevolent and beneficial characteristics. Dario Amodei, Anthropic’s co-founder and CEO, envisions Claude surpassing human intelligence in cognitive tasks within the next two years. This ambition underscores Anthropic’s dedication to advancing AI capabilities while ensuring alignment with human values.

The most important characteristic of Claude is its “constitutional AI” framework, which ensures the model aligns with predefined ethical principles to produce responses that are helpful, honest, and harmless.

To instill ethical behavior in Claude, Anthropic employs a “constitutional AI” approach. This method involves training the AI model based on a set of predefined moral principles, including guidelines from the United Nations Universal Declaration of Human Rights and Apple’s app developer rules. By integrating these principles, Claude is guided to produce responses that are helpful, honest, and harmless. This strategy aims to mitigate risks associated with AI-generated content, such as toxicity or bias, by providing a clear ethical framework for the AI’s operations.

Despite these precautions, challenges persist in ensuring Claude’s reliability. Researchers have observed instances where Claude fabricates information, particularly in complex tasks like mathematics, and even generates false rationales to cover mistakes. Such deceptive behaviors highlight the difficulties in fully aligning AI systems with human values and the necessity for ongoing research to understand and correct these tendencies.

Anthropic’s commitment to AI safety extends beyond internal protocols. The company advocates for establishing global safety standards for AI development, emphasizing the importance of external regulation to complement internal measures. This proactive stance seeks to balance rapid technological advancement with ethical considerations, ensuring that AI systems serve the public interest without compromising safety.

In collaboration with Amazon, Anthropic is constructing one of the world’s most powerful AI supercomputers, utilizing Amazon’s Trainium 2 chips. This initiative, known as Project Rainier, aims to enhance AI capabilities and make AI technology more affordable and reliable. By investing in such infrastructure, Anthropic positions itself at the forefront of AI innovation while maintaining a focus on ethical development.

Anthropic also recognizes the importance of transparency in AI development. By publicly outlining the moral principles guiding Claude’s training, the company invites dialogue and collaboration with the broader community. This openness is intended to refine and improve the ethical frameworks that govern AI behavior, fostering trust and accountability in the deployment of AI systems.

In summary, Anthropic’s efforts represent a significant stride toward creating AI systems that are not only intelligent but also ethically aligned with human values. Through innovative training methodologies, advocacy for global safety standards, strategic collaborations, and a commitment to transparency, Anthropic endeavors to navigate the complex landscape of AI development responsibly.

For further details, access the article here


Tags: Anthropic, Claude, constitutional AI


Mar 29 2025

The use of Paragon’s Graphite spyware against human rights defenders and journalists highlights the growing spyware crisis in Europe.

Category: Spyware | disc7 @ 4:23 pm

The recent deployment of Paragon’s Graphite spyware against human rights defenders and journalists has intensified concerns over Europe’s escalating spyware crisis. This development underscores the vulnerability of civil society actors to invasive surveillance technologies.

In Italy, government authorities sanctioned the use of Graphite spyware on members of the NGO Mediterranea Saving Humans, citing national security concerns. This action has sparked significant controversy and legal scrutiny, highlighting the potential misuse of surveillance tools against humanitarian organizations.

Similarly, in Serbia, reports have emerged that the secret service and police employed spyware to monitor journalists and opposition activists by infiltrating their mobile devices. This practice has raised alarms about the suppression of dissent and the erosion of press freedom within the country.

The proliferation of spyware is not confined to Europe. In the United States, the Department of Homeland Security’s contract with Paragon Solutions for the Graphite spyware has prompted concerns about potential overreach and the implications for civil liberties. This situation underscores the global nature of the spyware dilemma and the challenges in regulating its use.

These incidents collectively highlight the urgent need for comprehensive oversight and regulation of spyware technologies. The targeting of civil society members, journalists, and activists poses a significant threat to human rights and democratic principles. Addressing this crisis requires coordinated international efforts to establish clear legal frameworks that prevent the abuse of surveillance tools.

Italian government approved use of spyware on members of refugee NGO, MPs told

The founders of Mediterranea Saving Humans, an NGO that tries to protect refugees crossing the Mediterranean, were targeted by the spyware approved by the Italian government. Photograph: Olmo Calvo/AP

The Italian government approved the use of a sophisticated surveillance tool to spy on members of a humanitarian NGO because they were allegedly deemed a possible threat to national security, MPs have heard.

Alfredo Mantovano, a cabinet undersecretary, made the admission during a classified meeting with Copasir, the parliamentary committee for national security, according to a person familiar with the situation.

Copasir is investigating whether the secret services breached the law in using Graphite, military-grade spyware made by the Israel-based Paragon Solutions, to monitor activists and journalists, and is expecting to report on its finding soon.

Giorgia Meloni’s government has been under pressure to address the case since January, when a handful of Italian activists and a journalist received warnings from WhatsApp, the messaging app owned by Meta, that their phones had been targeted by spyware.


Tags: Paragon, Paragon’s Graphite spyware


Mar 28 2025

Preparing for an ISO Audit: Essential Tips and Best Practices for a Successful Outcome

Category: Information Security, Internal Audit, ISO 27k | disc7 @ 2:44 pm

“Preparing for an ISO Audit: Tips and Best Practices” is a comprehensive guide by AuditCo, published in February 2025, aimed at assisting organizations in effectively preparing for ISO audits. The article outlines several key strategies:

  1. Understanding ISO Standards: It emphasizes the importance of familiarizing oneself with the specific ISO standards relevant to the organization.
  2. Conducting a Pre-Audit: The guide recommends performing a self-assessment to identify and address areas of non-compliance before the official audit.
  3. Organizing Documentation: Ensuring that all pertinent documents, such as policies and records, are well-organized and easily accessible is highlighted as a crucial step.
  4. Training Employees: Providing staff with training on the audit process and their respective roles is advised to facilitate a smoother audit experience.
  5. Engaging with Auditors: Establishing open communication with auditors to clarify expectations and address concerns is also recommended.

Additionally, the article suggests best practices like creating an audit checklist, involving top management to demonstrate commitment to compliance, monitoring corrective actions for identified non-conformities, and implementing improvements post-audit to enhance the management system.

For a detailed exploration of these strategies, you can read the full article

Full Preparation Plan for an ISO Audit

1. Understand the ISO Standard:
– Familiarize yourself with the specific ISO standard relevant to your organization (e.g., ISO 27001 for Information Security, ISO 9001 for quality management, ISO 14001 for environmental management, ISO 45001 for occupational health and safety).
– Study the standard requirements and guidelines to fully grasp what is expected.

2. Gap Analysis:
– Conduct a thorough gap analysis to compare your current processes and systems against the ISO standard requirements.
– Identify areas that need improvement and document these gaps.

3. Develop an Implementation Plan:
– Create a detailed plan to address the gaps identified in the gap analysis.
– Assign responsibilities to team members, set timelines, and allocate necessary resources.

4. Training and Awareness:
– Train your employees on the ISO standard requirements and the importance of compliance.
– Ensure that everyone understands their roles and responsibilities related to the ISO standards.

5. Document Control:
– Develop or update documentation to meet ISO requirements, including policies, procedures, work instructions, and records.
– Implement a document control system to manage and maintain these documents efficiently.

6. Internal Audits:
– Conduct internal audits to evaluate your readiness for the ISO audit.
– Identify non-conformities and take corrective actions to address them.
– Internal audits should closely mimic the external audit process.

7. Management Review:
– Hold a management review meeting to assess the effectiveness of your ISO management system.
– Ensure top management is involved and committed to the process.

8. Pre-Audit Assessment:
– If possible, conduct a pre-audit assessment with an external consultant to get an objective evaluation of your readiness.
– Use the feedback to make any necessary adjustments before the actual audit.

9. Audit Logistics:
– Coordinate with the external auditor to schedule the audit.
– Prepare all necessary documentation and ensure key personnel are available during the audit.

10. Continuous Improvement:
– ISO audits are not a one-time event. Implement a culture of continuous improvement to maintain compliance and enhance your management system.
– Regularly review and update your processes and systems to ensure ongoing compliance.


Tags: ISO 27001 Internal Audit, ISO Audit Plan


Mar 28 2025

How to Choose a vCISO Services

Category: vCISO | disc7 @ 10:06 am

1. Understanding the Role of a vCISO

A Virtual Chief Information Security Officer (vCISO) is an outsourced cybersecurity expert responsible for managing and overseeing an organization’s information security program. Unlike a traditional, in-house CISO, a vCISO typically works remotely or on a part-time basis, offering their expertise to organizations that need high-level security guidance but may not have the resources to hire a full-time CISO. This role includes responsibilities like developing security policies, managing risk assessments, ensuring compliance, and responding to security incidents. Understanding this role is crucial before beginning the search for the right vCISO.

2. Assess Your Organization’s Needs

Choosing the right vCISO starts with a deep understanding of your organization’s specific cybersecurity needs. Consider factors such as your company’s size, industry, existing security framework, and specific compliance requirements. If your organization operates in a highly regulated industry (e.g., finance, healthcare), your vCISO should have expertise in the relevant compliance frameworks like GDPR, HIPAA, or PCI-DSS. Additionally, assess whether you need someone to build a cybersecurity program from scratch or if your priority is to fine-tune an already established system.

3. Experience and Expertise

The experience and technical expertise of a vCISO are paramount to ensuring the success of your security program. Look for candidates with a strong background in information security management, risk assessment, and compliance. Ideally, your vCISO should have experience working in your industry and with businesses of your size. Check their credentials, such as CISSP (Certified Information Systems Security Professional), CISM (Certified Information Security Manager), or CISA (Certified Information Systems Auditor). Past experience in handling security incidents or implementing security frameworks will be valuable assets.

4. Alignment with Your Company Culture

While technical skills are important, your vCISO should also align with your organization’s culture and strategic goals. A vCISO will be part of your leadership team, so it’s essential that they can communicate effectively with executives and other departments, understand business priorities, and align security initiatives with company objectives. Look for a vCISO who is a good fit for your organization’s communication style, can work collaboratively with other leaders, and has a proactive, solution-oriented approach to addressing security challenges.

5. Scalability and Flexibility

One of the key benefits of a vCISO is the flexibility they offer. Your business may have fluctuating needs for cybersecurity expertise, whether due to growth, changes in regulations, or emerging threats. When selecting a vCISO, ensure that they offer a scalable approach to meet both your short-term and long-term goals. This may include flexibility in the number of hours they commit, their ability to provide strategic insight during a crisis, and the possibility of adjusting services as your security needs evolve over time.

6. Budget Considerations and Value

Cost is always a consideration, especially for smaller organizations, when hiring a vCISO. A traditional, full-time CISO can be a significant investment, whereas a vCISO typically offers a more affordable alternative. However, it’s important to understand that the cheapest option may not always provide the best value. Evaluate potential vCISOs not just on their price but on the value they bring to your organization. Consider the level of expertise, breadth of services, and long-term impact on your cybersecurity posture. A skilled vCISO can help you avoid costly breaches and compliance failures, making their value far exceed the initial investment.

DISC InfoSec offers a free initial high-level assessment. Based on your needs, DISC InfoSec offers ongoing compliance management or a vCISO retainer.


Tags: CISO, vCISO


Mar 28 2025

Critical Firefox, Tor Browser sandbox escape flaw fixed (CVE-2025-2857)

Category: Information Security | disc7 @ 9:39 am

Mozilla has addressed a critical security vulnerability, CVE-2025-2857, in its Firefox browser for Windows. This flaw, discovered in Firefox’s inter-process communication (IPC) code, allowed a compromised child process to cause the parent process to return an unintended powerful handle, leading to a sandbox escape. The issue was identified after Google’s recent patch of a similar Chrome vulnerability, CVE-2025-2783, exploited by state-sponsored attackers.

To mitigate this vulnerability, Mozilla released Firefox 136.0.4 and Firefox Extended Support Release (ESR) versions 128.8.1 and 115.21.1 for Windows users. Given the potential severity of sandbox escape exploits, users are strongly encouraged to update their browsers promptly to protect against possible attacks.

The Tor Project, which builds its browser on a modified version of Firefox ESR, also released an emergency security update, version 14.0.8, for Windows users. Tor Browser users should update immediately to ensure their security and maintain anonymity online.

This discovery underscores the importance of continuous vigilance in software development and the necessity for developers to proactively assess their codebases, especially when similar platforms encounter security issues. Regular updates and prompt patching are vital in maintaining the security and integrity of software applications.

Users are advised to enable automatic updates and stay informed about the latest security advisories from their software providers. Maintaining up-to-date software is a fundamental step in protecting against emerging threats and ensuring a secure computing environment.



Mar 26 2025

How to Begin with Cybersecurity Risk Management

Cybersecurity risk management is a critical aspect of data security, underpinning various frameworks and regulations such as GDPR, NIST CSF, and ISO 27001. The process begins by establishing a common vocabulary to ensure clear communication across the organization. Risk in this context typically refers to potential negative outcomes for the organization, with the goal of identifying and mitigating these risks while considering time and cost implications.

When assessing risks, two key factors are considered: likelihood and impact. These need to be clearly defined and quantified to ensure consistent interpretation throughout the organization. Risk levels are often categorized as low, medium, or high, with corresponding color-coding for easy visualization. A low risk might be something the organization can tolerate, while a high risk could have catastrophic consequences requiring immediate action.

Impact categories can include financial, strategic, customer-related, employee-related, regulatory, operational, and reputational aspects. Not all categories apply to every organization, and some may overlap. Defining the values for these categories is crucial for establishing a common language and meeting ISO 27001 requirements for consistent risk assessments.

Financial impact is typically the easiest to define, using currency figures or percentages of annual turnover. Non-financial impacts, such as operational or reputational, require more nuanced definitions. For example, operational impact might be measured by the duration of business disruption, while reputational impact could be assessed based on the level of media interest.

Likelihood categories are usually defined on a scale from “very unlikely” to “very likely,” with clear descriptions of what each category means. These can be based on expected frequency of occurrence, such as annually, monthly, weekly, or daily. Estimating likelihood can be based on past experiences within the organization or industry-wide occurrences.

Using multiple impact categories is important because security is everyone’s responsibility, and different departments may need to assess impact in different terms. For instance, a chemical manufacturer might need to define impact levels in terms of employee health and safety, while other departments might focus on financial or operational impacts.

A risk heat map, which combines likelihood and impact levels, is a useful tool for visualizing risk severity. The highest risk area (typically colored red) represents what would be catastrophic for the organization, regardless of the specific impact category. This approach allows for a comprehensive view of risks across different aspects of the business, enabling more effective risk management strategies.
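The scoring described above, as an added example that is not part of the original post: each impact category has its own scale, the worst-rated category drives the impact level, and likelihood is derived from expected frequency. Every threshold, category name and register entry below is a constructed assumption.

```python
from bisect import bisect_right

# Assumed scales (illustrative, not from the post). Each list holds the lower
# bounds of levels 2, 3 and 4; anything below the first bound is level 1.
IMPACT_SCALES = {
    "financial": [0.5, 2.0, 5.0],    # loss as % of annual turnover
    "operational": [4, 24, 72],      # hours of business disruption
    "reputational": [1, 2, 3],       # media interest: 0 none .. 3 international
}
LIKELIHOOD_SCALE = [1, 12, 52]       # expected events/year: annual, monthly, weekly
BANDS = ["low", "medium", "high"]
BAND_BOUNDS = [4, 9]                 # likelihood x impact: <4 low, <9 medium, else high

def level(value, bounds):
    """Map a measured value onto a 1-4 level using the scale's lower bounds."""
    return bisect_right(bounds, value) + 1

def impact_level(impacts):
    """Return (level, category) for the worst-rated impact category."""
    unknown = set(impacts) - set(IMPACT_SCALES)
    if unknown or not impacts:
        raise ValueError(f"no agreed scale for: {sorted(unknown) or 'empty input'}")
    rated = {cat: level(v, IMPACT_SCALES[cat]) for cat, v in impacts.items()}
    worst = max(rated, key=rated.get)
    return rated[worst], worst

def assess(register):
    """Score every risk and return rows sorted from most to least severe."""
    rows = []
    for name, events_per_year, impacts in register:
        likelihood = level(events_per_year, LIKELIHOOD_SCALE)
        impact, driver = impact_level(impacts)
        score = likelihood * impact
        rows.append((name, likelihood, impact, driver, score,
                     BANDS[bisect_right(BAND_BOUNDS, score)]))
    return sorted(rows, key=lambda r: r[4], reverse=True)

# Constructed sample register: (risk, expected events per year, measured impacts)
REGISTER = [
    ("Ransomware on file server", 0.5, {"financial": 3.0, "operational": 96}),
    ("Phishing credential theft", 24, {"financial": 0.2, "reputational": 1}),
    ("Lost unencrypted laptop", 2, {"financial": 0.1, "operational": 2}),
    ("Customer portal outage", 12, {"operational": 30}),
]

if __name__ == "__main__":
    for name, lik, imp, driver, score, band in assess(REGISTER):
        print(f"{band:<6} score={score:<2} L={lik} I={imp} ({driver})  {name}")
```

With a simple likelihood-times-impact product, the ransomware entry lands in the medium band despite a level-4 impact. An organization that wants its worst impact level to always escalate has to define the heat map cell by cell instead of by a product.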


The best approach for SMBs to start the cybersecurity risk management process involves the following steps:

Understand Your Risks:

  • Conduct a basic risk assessment to identify critical assets, potential threats, and vulnerabilities.
  • Prioritize risks based on their potential impact and likelihood.

Set Clear Goals:

  • Define your cybersecurity objectives, such as protecting customer data, complying with regulations, or avoiding downtime.

Develop a Security Policy:

  • Create a simple, easy-to-follow cybersecurity policy that outlines acceptable use, password management, and data handling practices.

Start with the Basics:

  • Implement basic cybersecurity measures like using firewalls, antivirus software, and regular system updates.
  • Use strong passwords and enable multi-factor authentication (MFA).

Train Your Employees:

  • Provide ongoing security awareness training to help employees recognize phishing, social engineering, and other threats.

Back Up Your Data:

  • Regularly back up critical data and store it in a secure, offsite location.
  • Test your backup and recovery process to ensure it works effectively.

Monitor and Respond:

  • Set up basic monitoring to detect suspicious activity (e.g., failed login attempts).
  • Establish an incident response plan to know what to do in case of an attack.

Leverage External Resources:

  • Work with a trusted Managed Security Service Provider (MSSP) or consultant to cover any expertise gaps.
  • Consider using frameworks like NIST Cybersecurity Framework (CSF) or CIS Controls for guidance.

Start Small and Scale Up:

  • Focus on quick wins that provide maximum risk reduction with minimal effort.
  • Gradually invest in more advanced tools and processes as your cybersecurity maturity grows.

Regularly Review and Update:

  • Reassess risks, policies, and controls periodically to stay ahead of evolving threats.

This structured approach helps SMBs build a solid foundation without overwhelming resources or budgets.


Tags: Building a Cyber Risk Management Program, Cybersecurity Risk Management

