Jan 19 2019

3 Compelling Reasons To Invest In Cyber Security – Part 3

Category: cyber securityDISC @ 11:40 pm

Cyber security is among the essential subjects to boards, alongside business strategy and leadership. Your compelling case to gain an investment is now here!

Source: 3 Compelling Reasons To Invest In Cyber Security – Part 3

🔒 securing the business 🔒

DISC InfoSec

 

Sep 19 2018

US lawmakers introduce bill to fight cybersecurity workforce shortage

Category: cyber security,Information SecurityDISC @ 10:04 am

Report claims US public and private sectors had over 300,000 cybersecurity-related job openings between April 2017 and March 2018.

By Catalin Cimpanu for Zero Day

softwarearchitect.jpg

US lawmakers have introduced a bipartisan bill in the House of Representatives meant to address the cybersecurity workforce shortage crisis.

The bill, named the Cyber Ready Workforce Act (H.R.6791), would establish a grant program within the Department of Labor.

According to the bill’s proposed text, the Secretary of Labor will be able to award grants to workforce intermediaries to support the creation, implementation, and expansion of apprenticeship programs in cybersecurity.

These apprenticeship programs may include career counseling, mentorship, and assistance with transportation, housing, and child care costs.

The Cyber Ready Workforce Act is meant to address a growing problem in the US workforce landscape where companies, across all sectors, are having a hard time filling cybersecurity jobs with trained personnel.

According to a CompTIA report based on data from CyberSeek, a free cybersecurity career and workforce resource, there were 301,873 cybersecurity-related job openings in the private and public sectors between April 2017 and March 2018.

Also: Bill that would have the White House create a database of APT groups passes House vote

Congresswoman Jacky Rosen (Dem., NV-03) introduced the bill last week. The bill is based on the state of Nevada’s recently introduced cybersecurity apprenticeship program.

The bill was also co-sponsored by Congressman Seth Moulton (Dem., MA-06), Congresswoman Elise Stefanik (Rep., NY-21), and Congressman Dan Donovan (Rep., NY-11).

The bill, which doesn’t yet have mirroring legislation in the Senate, has also gained the support of trade and workforce organizations such as CompTIA and The Learning Center.

Cybersecurity threats will continue to present national security challenges for America in the 21st century,” said Congressman Dan Donovan. “With these threats and the changing economic and technological landscape, America needs a workforce that can adequately advance our cybersecurity defense priorities.”

“Investing in and expanding our cybersecurity workforce doesn’t only fuel our economy, it keeps us safe,” said Congressman Seth Moulton. “While I was fighting on the ground in Iraq, Al-Qaeda was fighting us on the internet — and they were beating us online! And while we focused on Russia’s military in 2016, they attacked us through the internet. This bill is an important first step towards making sure we don’t get ourselves into such a vulnerable position again.”


Tags: cybersecurity workforce shortage

Apr 20 2018

Nine Things That Are Poised To Impact Cybersecurity

Category: cyber security,data securityDISC @ 6:18 pm

Read Forbes Technology Council list nine things that can impact cybersecurity on Forbes :

From the Equifax breach this past September to the recent hack of MyFitnessPal data through Under Armour, the number of high-profile cyberattacks has continued to climb in recent months. Every company, regardless of size, must be prepared for the possibility that they may be the next victim.

Read the full article here.

Tags: Business Insider Intelligence, data breach, equifax

Nov 26 2017

From CIA to APT: An Introduction to Cyber Security

Category: cyber security,CybercrimeDISC @ 3:53 pm


By Edward Amoroso

Most introductory books on cyber security are either too technical for popular readers, or too casual for professional ones. This book, in contrast, is intended to reside somewhere in the middle. That is, while concepts are explained in a friendly manner for any educated adult, the book also necessarily includes network diagrams with the obligatory references to clouds, servers, and packets.

But don’t let this scare you. Anyone with an ounce of determination can get through every page of this book, and will come out better informed, not only on cyber security, but also on computing, networking, and software. While it is true that college students will find the material particularly accessible, any adult with the desire to learn will find this book part of an exciting new journey.

A great irony is that the dizzying assortment of articles, posts, and books currently available on cyber security makes it difficult to navigate the topic. Furthermore, with so much information coming from writers with questionable backgrounds in cyber security, separating the wheat from the chaff has become an almost impossible task for most readers, experienced or otherwise.

This book is written specifically to address that problem. That is, we set out to create an accessible but technically accurate work on cyber security that would not insult the intelligence of our readers. We avoid the temptation to navigate away from the technical issues, choosing instead to steer toward the detailed concepts in the hopes that our readers will develop new understanding and insights.

The material here provides a technical grounding that is commensurate with what you might receive in a college course on the topic. If you are an engineer, developer, or student, then you are certainly in the right place. On the other hand, if you work in management, executive leadership, or some other non-technical role, then this is exactly the technical grounding in cyber that you’ve been looking for.

Anyone who has not been sleeping in a cave the past few years knows the consequences of misguided decision-making in cyber security. Business leaders colliding with this complex issue will find their intellectual property gone and their services blocked by hackers. Government and political leaders who misstep in this area will find their careers, programs, and campaigns ruined.

Consider this: Target, Home Depot, and Sony have seen massive attacks on their infrastructure, and most citizens, including our leaders, have no idea how or why this occurred. Similarly, we watched data leaks from the US Office of Personnel Management and the Democratic National Committee, and most people have only a vague sense of how such cyber attacks were accomplished.

Perhaps more disturbingly, decision-makers in our society have no idea how to reduce this risk. Because they typically have zero technical understanding, they are forced to suggest simple, trite measures they can understand like awareness, penalties, and compliance. Our approach here is to demonstrate that cyber security attacks are best avoided through improved technology and architecture.

Written from the perspective of the professional cyber security executive, long-time academic, and industry analyst (Edward Amoroso), and the graduate computer science student, software developer, and occasional hacker (Matthew Amoroso), this book provides a concise technical introduction to cyber security that keeps things as straightforward as possible, but without veering into silly analogies.

One brief warning to expert readers: At times, we have decided to take out our scissors and trim some of the more confusing details of a given cyber security issue. We’ve tried in these cases to smoothen the edges to make complex concepts more accessible, hopefully without changing the essence of the technology. This is a difficult task, we discovered, and we hope only fat was removed and never bone.

In the end, our hope is that this short book will help you become more technically equipped to navigate the mine fields of misleading and incorrect cyber security information found across the Internet and on television. It is our hope that you will be in a better position to make informed decisions about anything of consequence that might be affected by the growing potential for cyber attacks.

If you successfully complete this book, you will no longer have to shrug when asked about cyber security. Rather, you will be able to lean in and offer an informed opinion based on an introductory grounding in the fundamental aspects of cyber security technology. Our goal is to expand your understanding and make you a more informed and educated adult.

We are pleased that you’ll be spending time with our material. To not lose any momentum, proceed ahead and continue your reading right now with the first chapter on cyber threats.

This book is available for download today on Amazon.com!

 


Nov 19 2017

4 reasons you should get a cyber security qualification

Category: CISSP,cyber security,Information SecurityDISC @ 7:10 pm
 Luke Irwin

The dramatic rise in cyber attacks over the past few years has caught most businesses off guard. Their cyber security departments are severely understaffed, causing them to look desperately for qualified professionals to help tackle the threat.

There has never been a better time to get into cyber security, so if you’re looking to enter the field, or further your career in it, you could benefit massively from gaining a relevant qualification. Here are four reasons why:

  1. Cyber security professionals are well paid

Money isn’t everything when it comes to choosing your career, but it’s obviously a big factor for many people. We mentioned recently that people with a CISM®PCIor GDPR qualification could earn £60,000 or more a year.

Of these, the CISM (Certified Information Security Manager) qualification is the most versatile. It’s the globally accepted standard of achievement among information security, information systems audit and IT governance professionals.

According to ITJobsWatch, people with a CISM qualification earn £64,000 a year on average. This figure has grown by more than 9% in the past two years.

  1. There’s a high level of job security

The shortage of qualified cyber security professionals means that those in the field are less likely to be replaced or made redundant. Their skills are hard to find elsewhere, and the more someone gets to know the company, the more valuable they will become.

Additionally, because almost every organisation currently needs cyber security professionals, those with the relevant qualifications are more likely to find a position in a location or company that suits them.

  1. There’s room for career growth

For the same reason that cyber security is a safe career, it’s also one that offers plenty of room for growth. Qualifications plus experience is a powerful combination that can help you move into more senior positions.

As you gain experience, you’ll also get the opportunity to earn more advanced qualifications. For example, you must have at least three years’ experience in IT governance to be eligible for a Certified in Risk and Information Systems Control (CRISC) qualification, and five years’ experience to be eligible for a Certified in the Governance of Enterprise IT (CGEIT®) qualification.

  1. The work is rewarding

Cyber security is still a relatively young field, making it an exciting and prosperous place. The threats that organisations face are constantly evolving, so you’ll always have new challenges. Plus, you know that your hard work is for a good cause: to stop cyber criminals and keep your organisation safe.

What qualifications do I need?

The qualifications you need will depend on the career path you choose. If you’re interested in governance, risk management, and compliance, for instance, a CGEIT qualification is essential. If you’re interested in information security, you’ll need a CRISC qualification.

We’re currently running promotions on our CRISC, CGEIT, CISA and CISM training courses. If you book before 22 December, you’ll receive a 10% discount on the courses and a 5% discount on all reading materials.

Find out more about our:



Nov 05 2017

Breach highlights the need for a cyber health check

Category: cyber security,Risk AssessmentDISC @ 8:13 pm

Cyber Health Check

 

Deloitte breach highlights the need for a cyber health check

Javier Brias

Deloitte, one of the world’s biggest accounting organizations, recently suffered a data breach that compromised confidential emails and plans of some of its blue-chip clients, according to the Guardian.

The hackers also had potential access to usernames, passwords, IP addresses, architectural designs and health information.

Deloitte has confirmed it was breached but said that only a small number of clients were affected.

This breach is even more unfortunate because Deloitte offers clients advice on how to manage risks posed by cyber attacks. Its Cyber Intelligence Centre states that it can “integrate state-of-the-art technology with industry insight to provide round-the-clock business-focused operational security.”

The problem with a solutions-based approach

The fact that Deloitte is a global consultant with interests in cyber security proves that no one is safe from a cyber attack.

In today’s cyber security market, technology vendors tend to focus on specific solutions, such as endpoint security, next-gen firewalls with IDS/IPS, email and web filtering, data loss prevention and identity access management. The problem is that mixing and matching solutions can cause interoperability gaps to materialise.

To understand the complexities of today’s IT infrastructure, companies need to have a strategic plan that takes a global view of the technological landscape and identifies the possible vulnerability points.

How Cyber Health Check fills the gaps

Our independent, three-phase Cyber Health Check service combines on-site consultancy and audit, remote vulnerability assessments and an online staff survey to identify your current cyber risks in the three key exposure areas of people, processes and technology.

This service will provide you with a concise report describing your current cyber risk status and critical exposures, and will draw on best practice – such as ISO 27001, 10 Steps to Cyber Security and Cyber Essentials – to provide recommendations for reducing your cyber and compliance risks. The report also provides feedback on basic cyber hygiene, cyber governance framework, policies and procedures, and technical controls.

The Cyber Health Check service identifies your actual cyber risks, assesses your responses to those risks and analyses your risk exposure. The result is a best-practice action plan to mitigate those risks effectively and in line with your business objectives.

For more information, visit our Cyber Health Check page.

Contact us for more information


Tags: Cyber Health Check

Aug 08 2017

Cyber Resilience Guidance Standards Kit

Category: BCP,cyber security,DRPDISC @ 4:22 pm

The standards in the Cyber Resilience Guidance Standards Kit provide expert guidance on cyber security and business continuity. These standards will help you build on the guidance of the standards in the Cyber Resilience Core Standards Kit.

The standards included in this kit are:

  • PAS 555:2013:- This Publicly Available Specification (PAS) document from BSI details what good cyber security looks like.
  • ISO/IEC 27031:2011:- ISO/IEC 27031 outlines processes that will help you prevent, detect and manage IT incidents.
  • ISO/IEC 27032:2012:- Provides guidance on improving the state of cyber security.

 

Why should I buy this kit?

If you have purchased the standards in the Cyber Resilience Core Standards Kit and want to get more expert guidance on ensuring the continuity of your organization in case of a cyber security incident, the standards in this kit are key.

Cyber Security Standards & Books



Tags: Cyber Resilience

Jan 29 2017

Top 5 excellent Antivirus Protection of 2017

Category: Antivirus,cyber security,Malware,Mobile Security,Network security,next generation firewallDISC @ 6:01 pm

Excellence is achievable but perfection is not. Find an excellent anti-virus product based on your requirements.

 

Malware are evolving faster than ever, so it’s encourging to discover that the latest generation of antivirus (AV) are better equipped to handle this evolving pace of change. Information security best practice recommends that every PC should run at least antivirus (antimalware), antispyware, and a firewall, and you keep it up to date. So if you’re not running an anti-virus, or may feel your anti-virus could do a bit more, take a look at the list below  and find an anti virus solution which fulfill your current needs based on the modern day threats.

 

All five antivirus solutions below includes On-Demand Malware Scan, On-Access Malware Scan, Website Rating, Malicious URL Blocking, Phishing Protection and Behavior-Based Detection.

 

1) McAfee Antivirus plus

[mks_col]

[mks_one_half]Unlimited protection for Windows, Android, macOS, and iOS devices. New behavior-centric antivirus engine. Essential antivirus protection for PCs, Macs, smartphones, and tablets. [/mks_one_half]

[mks_one_half] [/mks_one_half]

[/mks_col]

 

 

2) Webroot Secure Anywhere Antivirus

[mks_col]

[mks_one_half]For Cloud Security it will analyze files, phishing sites, malicious web pages, IP addresses, and mobile apps providing a real time view of current threats and enabling protection from zero day attacks.Can recover files encrypted by ransomware. Uses tiny amount of disk space. Very fast scan. Handles unknown malware. Includes firewall.[/mks_one_half]

[mks_one_half][/mks_one_half]

[/mks_col]

 

 

3) Bitdefender Antivirus Plus

[mks_col]

[mks_one_half]Effective ransomware protection. Many bonus features including password manager, secure browser, and file shredder. Wi-Fi Security Advisor. Always secure on the go.

[/mks_one_half]

[mks_one_half][/mks_one_half]

[/mks_col]

 

4) Symantec Norton Antivirus Basic

[mks_col]

[mks_one_half]Protection is always up-to-date to defend against spyware, malware, and unsafe websites, while safeguarding your identity and online transactions. Powerful intrusion prevention. Norton Power Eraser blasts persistent malware. Password management.[/mks_one_half]

[mks_one_half][/mks_one_half]

[/mks_col]

 

5) Kaspersky Antivirus

[mks_col]

[mks_one_half]Kaspersky Anti-Virus helps protect against viruses, spyware & more. Great for antiphishing and speedy full-system scan.[/mks_one_half]

[mks_one_half][/mks_one_half]

[/mks_col]

 

Our recommendation is based on The best Antivirus protection of 2017

Top Rated Antivirus Protection

Tags: Antivirus software, bitdefender, kaspersky, McAfee, Symantec, webroot

Nov 08 2016

Six steps to reboot your cyber security strategy

Category: cyber securityDISC @ 2:49 pm

Cyber Security Strategy

By Marika Samarati

SecurityStrategy

The High Performance Security Report 2016 published by Accenture Security unearthed a clear disconnection between how companies perceive cyber threats and the reality of the situation. According to the report, 75% of security executives surveyed said they were confident in their cyber security strategies, and 70% reported that their organisations have successfully adopted a culture of cyber security fully supported by their top executives – yet one in three targeted attacks succeeded, resulting in a breach.

It’s time to face reality rethink-cyber-security-strategy

To close the gap between perception and reality, the report invited companies to “reboot their approaches to cybersecurity”. Here is the report’s six-steps to help you rethink your cyber security strategy:

1. Define cyber security success

One reason perceptions don’t match reality comes from the misalignment of cyber security strategies and business imperatives. Identify the best cyber security strategy for your company based on your assets and capabilities, which cyber threats it should secure your company from, and how you can measure its success or its failure in business terms.

2. Pressure-test security capabilities the way adversaries do

Get into the criminals’ shoes: engage ethical hackers to run attack simulations and realistically assess your ability to defend your company from external threats. IT Governance is a CREST member and its suite of penetration tests have been verified as meeting the high standards mandated by CREST. Moreover, all of our penetration testers hold the Certified Ethical Hacker (CEH) qualification.

3. Protect from the inside out

The only difference between internal and external attackers is that the first know where key assets are located. Prioritize securing your key assets from insider threats, which usually have the greatest impact. If you want to know more about insider threat, read the bestselling Insider Threat – A Guide to Understanding, Detecting, and Defending Against the Enemy from Within.

4. Invest to innovate and outmaneuver

The wider and more diversified your strategy is, the easier it is to stay ahead of cyber criminals. Instead of spending money in existing programs, widen your suite of programs by investing in seven key cyber security domains: business alignment, strategic threat context, extended ecosystem, governance and leadership, cyber resilience, cyber response readiness, and investment efficiency.

5. Make security everyone’s job

According to the report, “Fully 98 percent of survey respondents said that for breaches not detected by the security team, the company learned about them most frequently from employees.”. Consequently, a staff that is up to date with the latest cyber threats and cyber security best practices improves your threat detection capabilities and reduces the chances of staff-related security incidents. Implement a staff awareness program based on e-learning courses to empower your staff and make it part of your cyber security strategy.

6. Lead from the top

Cyber security should be discussed in the C-suite on a daily basis, not confined to the IT room. The CISO needs to proactively engage with enterprise leadership and make cyber security a top priority.


Tags: cyber security strategy

Nov 04 2016

Cyber security is not enough

Category: cyber securityDISC @ 1:11 pm

CyberresilienceSuite

Cyber security is not enough – you need to become cyber resilient

 

Cyber Resilience Implementation Suite

It’s no longer sufficient to suppose that you can defend against any potential attack; you must accept that an attack will inevitably succeed. An organisation’s resilience in identifying and responding to security breaches will become a critical survival trait in the future. The Cyber Resilience Implementation Suite has been designed to help organisations create an integrated management system that will help defend against cyber threats and minimise the damage of any successful attack. This suite of products will help you to deploy the cyber security Standard
ISO27001 and the business continuity Standard
ISO22301 to create an integrated cyber resilience management system. The books in this suite will provide you with the knowledge to plan and start your project, identify your organisation’s own requirements and apply these international standards. Management systems can require hundreds of documents and policies. Created by experienced cyber security and business continuity professionals, the toolkits in the Cyber Resilience Implementation Suite provide documentation templates to save you weeks of researching and writing and the supporting guidance to ensure you’re applying the necessary polices for your business. Administration and updating of the documentation is made easy with the toolkits’ integrated dashboard, easy customization of templates and one-click formatting.

Cyber Resilience Implementation Suite

 


Contents

This suite includes:

Start building cyber resilience into your organisation today.


Tags: Cyber Resilience, ISO 22301, iso 27001, iso 27002

Apr 12 2016

Top US Undergraduate Computer Science Programs Skip Cybersecurity Classes

Category: cyber securityDISC @ 3:30 pm

By Kelly Jackson Higgins

New study reveals that none of the top 10 US university computer science and engineering program degrees requires students take a cybersecurity course.

There’s the cybersecurity skills gap, but a new study shows there’s also a major cybersecurity education gap — in the top US undergraduate computer science and engineering programs.

An analysis of the top 121 US university computer science and engineering programs found that none of the top 10 requires students take a cybersecurity class for their degree in computer science, and three of the top 10 don’t offer any cybersecurity courses at all. The higher-education gap in cybersecurity comes amid the backdrop of some 200,000 unfilled IT security jobs in the US, and an increasing sense of urgency for organizations to hire security talent as cybercrime and cyber espionage threats escalate.

Robert Thomas, CEO of CloudPassage, whose company conducted the study, says the security gap in traditional computer science programs is worrisome, albeit not too surprising. “The results were pretty profound,” Thomas says. “When we tested the top universities’ computer science degrees, it was disturbing to find that very few require any kind of cybersecurity [instruction] as part of the curriculum to graduate” with a computer science degree, he says.

With IT security departments scrambling to fill positions, Thomas says CloudPassage wanted to gauge how universities are preparing computer science graduates for the cybersecurity job market. “Universities have a responsibility to start moving … to [address] bigger problems in security,” he says.

Graduate-level cybersecurity programs are emerging, such as those of Carnegie Mellon, the University of Maryland-Baltimore County, and the University of South Florida, but the study was focused on undergrad computer science programs and their integration with cybersecurity. The universities in the study were based on rankings from US News & World ReportBusiness Insider, and QS World of the top schools in the field.

The University of Michigan, which is ranked 12th among US computer science programs by US News & World Report, is the only university in the top 36 that requires computer science students take a cybersecurity course, CloudPassage’s study found. Among the top 10, there are three universities that don’t offer cybersecurity courses as electives, either.

Michigan (#11 in Business Insider’s Top 50 US computer science schools), Brigham Young (#48 in that rankings list), and Colorado State (#49), are the only top comp sci programs that require at least one cybersecurity class for a degree.

Among the universities in the study offering the most cybersecurity electives in their computer science programs are Rochester Institute of Technology (10 security elective courses) which is in the top 50 of Business Insider’s list; Tuskegee University (10); DePaul University (9); University of Maryland (8); University of Houston (7); Pace University (6); California Polytechnic State University (5); Cornell University (5); Harvard University (5); and Johns Hopkins University (5).

Meanwhile, the University of Alabama, which is not ranked in either the US News & World Report nor Business Insider as a top comp sci program, was the only university that requires three or more cybersecurity courses, the study found.

A lack of awareness about cybersecurity among college-age students is another element of the education-gap equation. A recent study by Raytheon and the National Cyber Security Alliance found that millennials worldwide just aren’t entering the cybersecurity field, mainly due to lack of awareness of just what security careers entail. Half of women ages 18- to 26 say they don’t have cybersecurity programs and activities available to them, and 40% of men in that age bracket say the same. Nearly half of millennial men aren’t aware of what cybersecurity jobs entail.

ISC2, a nonprofit that offers cybersecurity certifications, has tracked the lack of higher-education programs in cybersecurity. Over the past two years, ISC2 via its International Academic Program has offered cybersecurity classroom materials and other services for colleges to use in their curriculum, as well as for faculty training. The goal of the program is to beef up cybersecurity content in the curriculum.

“If you look across the total number of colleges, a very small percentage have a cybersecurity curriculum,” says David Shearer, CEO of ISC2. “Many have not had the money or time or skills to develop cybersecurity programs.”

Shearer says ISC2 is working to fill those gaps with its academic outreach program. “If there’s not a formal education for kids once they get to universities, we [the US] haven’t accomplished a whole lot,” he says.

AFIS BILLBOARD POSTERS. WEB SECURITY. DEFENSE ...

AFIS BILLBOARD POSTERS. WEB SECURITY. DEFENSE BILLBOARD #132 (Photo credit: Wikipedia)

Awareness Gap

Aside from the top computer science programs not offering or requiring cybersecurity courses, many computer science graduates just aren’t aware of the opportunities in the cybersecurity field. Many are drawn to computer science because they’re interested in writing new applications to solve problems in their areas of interest. Coding is considered “cool,” security experts say, while security is seen as a hindrance to application development, for example.

ISC2’s Shearer says cybersecurity gets a bad rap sometimes in application development, and security is seen as mainly about strong passwords and patches, for instance. “They don’t see it as exciting, intriguing work, but they should,” he says. “With greater awareness and education in this area [cybersecurity], today’s youth could see things like hacking as an interesting area they’d want to learn about.”

CloudPassage, meanwhile, also is reaching out to universities: it announced today that it will offer free CloudPassage Halo security-as-a-service platform accounts to US computer science programs as well as instructional templates, tutorials, and support. “They can use our infrastructure and products as an illustration, to get some experience,” CloudPassage’s Thomas says.

Related articles




Oct 02 2015

Cyber crime costs the global economy $445 billion a year

Category: cyber security,CybercrimeDISC @ 3:06 pm

by 

A new report – A Guide to Cyber Risk: Managing the Impact of Increasing Interconnectivity – reveals that cyber crime costs the world $445 billion annually, with the top ten economies accounting for more than 50% of the costs. Since 2005 there have been 5,029 reported data breach incidents in the US alone, and at least 200 breaches in Europe involving 227 million records.

It is estimated that the average cost of a data breach is $3.8 million, which is up from $3.3 million a year earlier.

AGCS_Cyber_Crime_full

Source: A Guide to Cyber Risk: Managing the Impact of Increasing Interconnectivity, Allianz Global Corporate & Specialty (AGCS)

Cyber risks are underestimated

Published by Allianz Global Corporate & Specialty (AGCS), the report warns that “cyber risk is the risk most underestimated by businesses” and asserts that “everyone is a target”.

73% of respondents who took part in an Allianz Risk Barometer 2015 believe that underestimation of cyber risks is preventing companies from being better prepared for them. Other hindrances include budget constraints (59%), failure to analyze the problem (54%), IT infrastructure that is too sensitive for major changes (30%) and failure to identify the right personnel (10%).

The US shows higher levels of awareness of cyber risk due to having tougher legislation than other countries. The majority of US states require companies to notify individuals of a breach. Europe is heading in the same direction, with the European Union (EU) currently reviewing its data protection law and planning to introduce more stringent rules in terms of data breaches.

Data shows that cyber attacks are becoming more frequent and sophisticated. The number of detected cyber attacks was up by 48% in 2014 according to the Global State of Information Security Survey 2015.

In order to protect themselves from breaches, businesses should identify key assets at risk and make decisions as to what risks to accept, avoid, mitigate or transfer.

Future cyber risk trends

The AGCS report makes predictions that businesses will be increasingly exposed to risks from the supply chain and that we are yet to witness “a major cyber event of truly catastrophic proportions”.

Jens Krickhahn, practice leader, Cyber & Fidelity at AGCS Financial Lines Central & Eastern Europe, explains:

“Business exchanges with partners are increasingly electronic.

“Even if a company is confident in its own IT controls, it is still exposed to cyber risk through its business partners, contractors and supply chains.”

The Internet of Things (IoT) is seen as one of the biggest factors that will change the face of cyber threats leading to interconnected risks. It will exacerbate vulnerabilities, bringing increasing potential for physical loss and data breaches.

ISO 27001 and cyber risks

Management of information security risks is at the core of the ISO 27001, the international standard that sets out the specifications of an information security management system (ISMS).

ISO 27001 requires compliant organizations to carry out risk assessments based on agreed criteria. The outcome of the risk assessment should enable the business to balance expenditure on controls against the business harm likely to result from security failures.

Download IT Governance’s free green paper, Risk Assessment and ISO 27001, to learn more about managing cyber risks.


Tags: cyber attack, cyber criminals, cyber security, cyber threats, Cyber-warfare, Cybercrime

Jun 19 2015

Cyber Resilience Best Practices

Category: Cyber Insurance,cyber security,CybercrimeDISC @ 11:07 am
Cyber Resilience

Cyber Resilience

RESILIA™ Cyber Resilience Best Practices

AXELOS’s new guide RESILIA™ Cyber Resilience Best Practices provides a methodology for detecting and recovering from cyber security incidents using the ITIL lifecycle

RESILIA™ Cyber Resilience Best Practices

Best guide on Cyber Resilience on the web – Cyber Resilience Best Practices
is part of the AXELOS RESILIA™ portfolio.

RESILIA™ Cyber Resilience Best Practices is aimed at anyone that is responsible for staff or processes that contribute to the cyber resilience of the organization.

The methodology outlined in this manual has been designed to complement existing policies and frameworks, helping create a benchmark for cyber resilience knowledge and skills.

  • Designed to help organizations better prepare themselves to deal with the increasing range and complexity of cyber threats.
  • Provides a management approach to assist organizations with their compliance needs, complementing new and existing policies and frameworks.
  • Developed by experts in hands-on cyber resilience and systems management, working closely with subject and technology experts in cyber security assessment.
  • Supports the best-practice training and certification that is available to help organizations educate their staff by providing a defined benchmark for cyber resilience knowledge and skills.
  • Aligned with ITIL®, which is the most widely accepted service management framework. The best practice is equally suitable for organizations to adopt within other systems, such as COBIT® and organization-specific frameworks.

 

Target market

 

  • Managers who are responsible for staff and processes where cyber resilience practices are required – for example those processing payment card information, sensitive commercial data or customer communications.
  • IT service management teams, IT development and security teams, cyber teams and relevant team leaders that operate the information systems that the organization relies on.
  • IT designers and architects, those responsible for the design of the information systems and the controls that provide resilience.
  • The chief information security officer (CISO), the chief security officer (CSO), IT director, head of IT and IT managers.

 

Buy this guide and gain practical guidance on assessing, deploying and managing cyber resilience within business operations.
RESILIA™ Cyber Resilience Best Practices

Related articles


Tags: Chief Information Security Officer, CISO, Computer security, CSO, cyber crime, Cyber Defence, Cyber Insurance, Cyber protection, Cyber Resilience, cyber security, Cyber Security countermeasures, Cyber Security Safeguards, cyber threats, data security, Information Security, Information Technology Infrastructure Library, ISO, iso 27001, iso 27002

Feb 09 2015

Cyber Security safeguard offers much more than just protection

Category: cyber securityDISC @ 5:56 pm

What is most beneficial about cyber security safeguards, Well, you will not only benefit from the better protection of your own information, but you will also gain a competitive advantage by demonstrating your cyber credentials.

English: ISMS activities and their relationshi...

English: ISMS activities and their relationship with Risk Management (Photo credit: Wikipedia)

For example, certification to ISO 27001 or evidence of compliance with the PCI DSS (for merchants and service providers) is often a tender or contractual requirement because it proves that an organization has been independently audited against internationally recognized security standards.

Those that implement an information security management system (ISMS) will benefit hugely from improved processes and control of data within the organization.

Furthermore, improving and having demonstrable cyber security can also reduce your cyber security insurance. And finally, it will also dramatically reduce the chances of you experiencing a cyber attack. That’s kind of improvement.

Related articles

May 12 2014

Bestselling Books at Infosecurity 2014

Category: cyber security,Information SecurityDISC @ 9:36 am

InfoseEurope2014

by Lewis Morgan @ITG

It has now been a week since Infosecurity Europe 2014. This year was my first at Infosec, and I found it to be one of the most interesting and diverse events I have ever been to.

During my short time on the IT Governance stand, I spoke to several people who were showing a keen interest in our wide range of books. It was a common opinion that our range of books is one of the broadest in the industry – something of which we are very proud.

To demonstrate our range of books and their popularity, We have created the below list of the 5 bestselling books at Infosecurity 2014*. All of the following books are available in multiple formats.

PCI DSS Pocket Guide

    A quick guide for anyone dealing with the PCI DSS and related issues. Now also covers PCI DSS version 3.0.

ISO27001 / ISO27002 Pocket Guide

    Now updated for the 2013 editions of ISO27001/ISO27002, this pocket guide gives a useful overview of two important information security standards.

Governance of Enterprise IT based on COBIT®5

    A perfect introduction to the principles and practice underpinning the governance of enterprise IT using COBIT®5.

Penetration Testing –  Protecting Networks and Systems

    An essential guide to penetration testing and vulnerability assessment, which can be used as a preparation guide for Certified Penetration Testing Engineer exams.

Securing Cloud Services

    This book provides an overview of security architecture processes, and explains how they may be used to derive an appropriate set of security controls to manage the risks associated with working in the Cloud.

 

Related articles

Tags: Certified Penetration Testing Engineer, Cloud computing, cloud computing security, London, Payment Card Industry Data Security Standard, Penetration test

Mar 28 2014

How organization can handle cyberthreats

Category: cyber security,CybercrimeDISC @ 12:13 pm

CyberActivisim

CyberWar, CyberTerror, CyberCrime and CyberActivism

Successful cyberattacks can damage your organization, no matter who is behind them

The goals of the cyberterrorist, the cybercriminal, the cyberactivist and the state-sponsored hacker may not be the same – but the outcomes can be equally devastating. Each can cause serious challenges for your organisation, ranging from information theft and disruption of normal operations to loss of reputation or credibility.

Cyber security is much more than technology

Many books on cybersecurity focus on technical responses to these threats. As important as this is, human fallibility and other known vulnerabilities will still allow hackers to easily break into a system that has not taken account of these factors.

CyberWar, CyberTerror, CyberCrime and CyberActivism encourages cybersecurity professionals to take a wider view of what cybersecurity means, and to make the most of international standards and best practices to create a culture of cybersecurity awareness within their organizations that complements their technology-based defences.

A cyber aware workforce equals better security
This second edition takes a deep look at the changing threats in the cyber landscape, and includes an updated body of knowledge that describes how to acquire, develop, and sustain a secure information environment that goes beyond technology. This enables you to move towards a cyber aware organisational culture that is more robust and better able to deal with a wider range of threats. Related references, as well as recommendations for additional reading, are included at the end of each chapter making this a valuable resource for trainers and researchers as well as cybersecurity practitioners.

Pre-Order this book today and see how international standards can boost your cyber defences. (download – Adobe, ePub, kindle)

About the author
Dr Julie Mehan is the Founder and President of JEMStone Strategies and a Principal in a strategic consulting firm in the State of Virginia. She has delivered cybersecurity and related privacy services to senior commercial, department of defence and federal government clients working in Italy, Australia, Canada, Belgium, and the United States. Dr Mehan is also an Associate Professor at the University of Maryland University College, specializing in courses in Cybersecurity, Cyberterror, IT in Organizations and Ethics in an Internet Society.

Comprehensive Cyber Security Risk Management Toolkit

 

Related articles

Tags: CyberActivism, Cybercrime, CyberTerror, cyberwar

Mar 14 2014

Hacking Point of Sale

Category: cyber security,data securityDISC @ 9:28 am

Hacking Point of Sale

A hands-on guide to achieve better security at point of sale

Hacking Point of Sale – A must-have guide for those responsible for securing payment card transactions. Hacking Point of Sale is a book that tackles the issue of payment card data theft head on. It covers issues from how attacks are structured to the structure of magnetic strips to point-to-point encryption, and much more.

Packed with practical recommendations, it goes beyond covering PCI DSS compliance to offer real-world solutions on how to achieve better security at point of sale.

Hacking Point of Sale…

•A unique book on credit and debit card security, with an emphasis on point-to-point encryption of payment transactions (P2PE) from standards to design to application
•Explores most of the major groups of security standards applicable to point of sale, including PCI, FIPS, ANSI, EMV, and ISO
•Details how protected areas are hacked and how hackers notice vulnerabilities.
•Highlights ways of defending against attack, such as introducing cryptography to payment applications and hardening application code

An essential guide for security professionals that are charged with addressing security issues with point of sale systems.

Related articles

Tags: debit card, Information Security, Payment card industry, Payment Card Industry Data Security Standard, Point of sale

Feb 18 2014

Comprehensive Cyber Security Risk Management Toolkit

Category: cyber security,Security Risk AssessmentDISC @ 11:30 am

Cyber Security Toolkit

 

Govern and manage Cyber Security risk with this unique comprehensive toolkit suite

 

Comprehensive Cyber Security Risk Management Toolkit Suite – Use the Cyber Security Governance & Risk Management Toolkit for a new, fresh implementation of a comprehensive management system that will also be capable of ISO27001 certification, or take advantage of this toolkit’s modular

There are a number of standalone, best practice approaches to managing cyber risk, none of which is on its own completely satisfactory. This toolkit helps you make an enormous leap forward by consolidating five separate approaches into a single, comprehensive, robust framework.

• PAS 555:2013 is the new standard for cyber security risk governance and management; it was created to work with a range of other standards;
• ISO/IEC 27032 is the international guidance standard for managing cyber security risk;
• The Cloud Controls Matrix was developed by the Cloud Security Alliance for cloud service providers;
• Ten Steps to Cyber Security is the methodology developed by the UK’s Business Department to help organizations of all sizes secure their cyber defenses;
• ISO/IEC 27001: 2013 is the internationally recognized standard against which an information security management system can achieve accredited certification.

Use the Cyber Security Governance & Risk Management Toolkit for a new, fresh implementation of a comprehensive management system that will also be capable of ISO27001 certification, or take advantage of this toolkit’s modular construction and control mapping matrix to add its additional controls to an existing ISO27001 management system.

This Cyber Security Governance & Risk Management Toolkit recognizes that mobile device management is a critical component of effective cyber risk control and therefore includes the ITGP BYOD Policy Toolkit as a value-added extra.

Included in this comprehensive toolkit suite is:

Related articles

Tags: Cloud Security Alliance, ISO/IEC 27001, National Institute of Standards and Technology, Risk management

Jan 31 2014

How to Achieve Cyber Resilience

Category: cyber securityDISC @ 1:09 pm

Becoming cyber resilient will give your organization the best chance of defending itself against and surviving from cyber attacks.

What does ‘cyber resilience’ mean?

Cyber resilience is the ability to repel cyber attacks while protecting critical business assets, rapidly adapting and responding to business disruptions and maintain continuous business operations.

So how do I become Cyber Resilient?

IT Governance has developed a 7-step approach to achieving cyber resilience. See the graphic below and click to enlarge.

7steps

9781849285261_frontcoveronly_rgb_v1 Cyber Resilience Core Standards Kit 

These standards will help you to implement a management system that will allow you to take advantage of the opportunities associated with operating in cyberspace whilst mitigating the threats and risks.
Includes the information security standards ISO27001 and ISO27002 and the business continuity standards ISO22301 and ISO22313.

 

Build your knowledge of these key areas and be ready to help deliver your organizations cyber resilience strategy

Developing knowledge of the best practice advice and guidance in the key standards ISO27001 & ISO22301 is key to delivering a successful cyber resilience strategy. Whatever your preferred method of learning, IT Governance have the products to help build the knowledge and skills you need.

An Introduction to Information Security and ISO 27001 (2013) Written by acknowledged ISO27001 expert, Steve Watkins, this pocket guide introduces the principles of information security management and ISO27001. This guide will help you understand how to start planning a project to implement effective, reliable and auditable systems.
9781849285261_frontcoveronly_rgb_v1 ISO22301 – A Pocket GuideISO22301: A Pocket Guide will help you understand the Business Continuity international practice, and provides guidance on the best way to implement a fit-for-purpose BCMS.

Oct 18 2013

10 Steps To Assess Cyber Security Risk

Category: cyber security,Risk AssessmentDISC @ 9:00 pm

cyber attack ... Economic Pearl Harbor Will S...

October is National Cyber Security Awareness Month and it is an opportunity to engage public and private sector stakeholders – especially the general public – to create a safe, secure, and resilient cyber environment. Everyone has to play a role in cybersecurity. Constantly evolving cyber threats require the engagement of the entire nation — from government and law enforcement to the private sector and most importantly, the public.

National Cyber Security Awareness Month

A cyber security risk assessment is necessary to identify the gaps in your organisation’s critical risk areas and determine actions to close those gaps. It will also ensure that you invest time and money in the right areas and do not waste resources where there is no need for it.

Even if you have implemented an ISO 27001 Information Security Management System, you may want to check if your cyber security hygiene is up to standard with the industry guidelines. 

Cyber Security ToolKit  | Cyber Security Standards | Cyber Security Books

Cyber security risk assessment:

Use an in house qualified staff or an experienced consultant(s), who will work with your team to examine each of the ten risk areas (described below) in sufficient detail to identify strengths and weaknesses of your current security posture. All this information can be consolidated and immediately usable action remediation plan that will help you close the gap between what you are actually doing and recognized good practice. It will enable you to ensure that your cyber risk management at least matches minimum industry guidelines.

The ten risk areas that will be examined are:

Do you have an effective risk governance structure, in which your risk appetite and selected controls are aligned? Do you have appropriate information risk policies and adequate cyber insurance?

Do you have a mobile and home-working policy that staff have been trained to follow? Do you have a secure baseline device build in place? Are you protecting data both in transit and at rest?

Do you have Acceptable Use policies covering staff use of systems and equipment? Do you have a relevant staff training programme? Do you have a method of maintaining user awareness of cyber risks?

Do you have clear account management processes, with a strong password policy and a limited number of privileged accounts? Do you monitor user activity, and control access to activity and audit logs?

Do you have a policy controlling mobile and removable computer media? Are all sensitive devices appropriately encrypted? Do you scan for malware before allowing connections to your systems?

Do you have a monitoring strategy? Do you continuously monitor activity on ICT systems and networks, including for rogue wireless access points? Do you analyze network logs in real time, looking for evidence of mounting attacks? Do you continuously scan for new technical vulnerabilities?

Do you have a technical vulnerability patching program in place and is it up-to-date? Do you maintain a secure configuration for all ICT devices? Do you have an asset inventory of authorized devices and do you have a defined baseline build for all devices?

Do you have an appropriate anti-malware policy and practices that are effective against likely threats? Do you continuously scan the network and attachments for malware?

Do you protect your networks against internal and external attacks with firewalls and penetration testing? Do you filter out unauthorised or malicious content? Do you monitor and test security controls?

Do you have an incident response and disaster recovery plan? Is it tested for readily identifiable compromise scenarios? Do you have an incident forensic capability and do you know how to report cyber incidents?

Related articles

« Previous PageNext Page »