Nov 05 2017

Breach highlights the need for a cyber health check

Category: cyber security, Risk Assessment | DISC @ 8:13 pm


Deloitte breach highlights the need for a cyber health check

Javier Brias

Deloitte, one of the world’s biggest accounting organizations, recently suffered a data breach that compromised confidential emails and plans of some of its blue-chip clients, according to the Guardian.

The hackers also had potential access to usernames, passwords, IP addresses, architectural designs and health information.

Deloitte has confirmed it was breached but said that only a small number of clients were affected.

This breach is even more unfortunate because Deloitte offers clients advice on how to manage risks posed by cyber attacks. Its Cyber Intelligence Centre states that it can “integrate state-of-the-art technology with industry insight to provide round-the-clock business-focused operational security.”

The problem with a solutions-based approach

The fact that Deloitte, a global consultancy with its own cyber security practice, was breached shows that no organisation is immune to a cyber attack.

In today’s cyber security market, technology vendors tend to focus on point solutions, such as endpoint security, next-generation firewalls with IDS/IPS, email and web filtering, data loss prevention and identity and access management. The problem is that mixing and matching products from different vendors leaves gaps between them: coverage that each vendor assumes another provides, and events that none of them correlates.

To manage the complexity of today’s IT infrastructure, companies need a strategic plan that takes a global view of the technology landscape and identifies where the organisation is actually exposed.

How Cyber Health Check fills the gaps

Our independent, three-phase Cyber Health Check service combines on-site consultancy and audit, remote vulnerability assessments and an online staff survey to identify your current cyber risks in the three key exposure areas of people, processes and technology.

This service will provide you with a concise report describing your current cyber risk status and critical exposures, and will draw on best practice – such as ISO 27001, 10 Steps to Cyber Security and Cyber Essentials – to provide recommendations for reducing your cyber and compliance risks. The report also provides feedback on basic cyber hygiene, cyber governance framework, policies and procedures, and technical controls.

TheĀ Cyber Health CheckĀ service identifies your actual cyber risks, assesses your responses to those risks and analyses your risk exposure. The result is a best-practice action plan to mitigate those risks effectively and in line with your business objectives.

For more information, visit our Cyber Health Check page.

Contact us for more information


Tags: Cyber Health Check


Aug 08 2017

Cyber Resilience Guidance Standards Kit

Category: BCP, cyber security, DRP | DISC @ 4:22 pm

The standards in the Cyber Resilience Guidance Standards Kit provide expert guidance on cyber security and business continuity. These standards will help you build on the guidance of the standards in the Cyber Resilience Core Standards Kit.

The standards included in this kit are:

  • PAS 555:2013 – This Publicly Available Specification (PAS) from BSI, Cyber security risk. Governance and management. Specification, describes what good cyber security looks like in terms of outcomes rather than prescribed controls.
  • ISO/IEC 27031:2011 – Guidelines for ICT readiness for business continuity; outlines the processes that help you prevent, detect and manage IT incidents so that critical services can continue.
  • ISO/IEC 27032:2012 – Guidelines for cybersecurity; provides guidance on improving the state of cyber security, with a focus on the gaps between the security domains of different organisations and the Internet.

 

Why should I buy this kit?

If you have purchased the standards in the Cyber Resilience Core Standards Kit and want more expert guidance on ensuring the continuity of your organization in the event of a cyber security incident, the standards in this kit are key.

Cyber Security Standards & Books



Tags: Cyber Resilience


Jan 29 2017

Top 5 excellent Antivirus Protection of 2017

Excellence is achievable but perfection is not. Find an excellent anti-virus product based on your requirements.

 

Malware is evolving faster than ever, so it’s encouraging that the latest generation of antivirus (AV) products is better equipped to keep pace. Information security best practice recommends that every PC run, at a minimum, antivirus (anti-malware) and antispyware software and a firewall, and that all of them are kept up to date. So if you’re not running antivirus, or feel your current product could do more, take a look at the list below and find a solution that meets your needs against modern threats.

 

All five antivirus solutions below include on-demand malware scanning, on-access malware scanning, website rating, malicious URL blocking, phishing protection and behaviour-based detection.

 

1) McAfee AntiVirus Plus

Unlimited protection for Windows, Android, macOS and iOS devices. New behaviour-centric antivirus engine. Essential antivirus protection for PCs, Macs, smartphones and tablets.

 

 

2) Webroot SecureAnywhere AntiVirus

Cloud-based analysis of files, phishing sites, malicious web pages, IP addresses and mobile apps gives a real-time view of current threats and helps protect against zero-day attacks. Can recover files encrypted by ransomware. Uses a tiny amount of disk space. Very fast scans. Handles unknown malware. Includes a firewall.

 

 

3) Bitdefender Antivirus Plus

Effective ransomware protection. Many bonus features, including a password manager, secure browser and file shredder. Wi-Fi Security Advisor. Always secure on the go.

 

4) Symantec Norton AntiVirus Basic

Protection is always up to date to defend against spyware, malware and unsafe websites, while safeguarding your identity and online transactions. Powerful intrusion prevention. Norton Power Eraser removes persistent malware. Password management.

 

5) Kaspersky Anti-Virus

Kaspersky Anti-Virus helps protect against viruses, spyware and more. Strong anti-phishing and a speedy full-system scan.

 

Our recommendation is based on The Best Antivirus Protection of 2017.

Top Rated Antivirus Protection

Tags: Antivirus software, bitdefender, kaspersky, McAfee, Symantec, webroot


Nov 08 2016

Six steps to reboot your cyber security strategy

Category: cyber security | DISC @ 2:49 pm

By Marika Samarati

The High Performance Security Report 2016, published by Accenture Security, revealed a clear disconnect between how companies perceive cyber threats and the reality of the situation. According to the report, 75% of security executives surveyed said they were confident in their cyber security strategies, and 70% reported that their organisations had successfully adopted a culture of cyber security fully supported by their top executives – yet one in three targeted attacks succeeded, resulting in a breach.

It’s time to face reality

To close the gap between perception and reality, the report invites companies to “reboot their approaches to cybersecurity”. Here are the report’s six steps to help you rethink your cyber security strategy:

1. Define cyber security success

One reason perceptions don’t match reality comes from the misalignment of cyber security strategies and business imperatives. Identify the best cyber security strategy for your company based on your assets and capabilities, which cyber threats it should secure your company from, and how you can measure its success or its failure in business terms.

2. Pressure-test security capabilities the way adversaries do

Get into the criminals’ shoes: engage ethical hackers to run attack simulations and realistically assess your ability to defend your company from external threats. IT Governance is a CREST member and its suite of penetration tests have been verified as meeting the high standards mandated by CREST. Moreover, all of our penetration testers hold the Certified Ethical Hacker (CEH) qualification.

3. Protect from the inside out

The only difference between internal and external attackers is that insiders already know where the key assets are. Prioritize securing your key assets against insider threats, which usually have the greatest impact. If you want to know more about insider threats, read the bestselling Insider Threat – A Guide to Understanding, Detecting, and Defending Against the Enemy from Within.

4. Invest to innovate and outmaneuver

The wider and more diversified your strategy is, the easier it is to stay ahead of cyber criminals. Instead of spending only on existing programs, widen your suite of programs by investing in seven key cyber security domains: business alignment, strategic threat context, extended ecosystem, governance and leadership, cyber resilience, cyber response readiness, and investment efficiency.

5. Make security everyone’s job

According to the report, “Fully 98 percent of survey respondents said that for breaches not detected by the security team, the company learned about them most frequently from employees.” Consequently, staff who are up to date with the latest cyber threats and security best practices improve your threat detection capability and reduce the chance of staff-related security incidents. Implement a staff awareness program based on e-learning courses to empower your staff, and make it part of your cyber security strategy.

6. Lead from the top

Cyber security should be discussed in the C-suite on a daily basis, not confined to the IT room. The CISO needs to proactively engage with enterprise leadership and make cyber security a top priority.


Tags: cyber security strategy


Nov 04 2016

Cyber security is not enough

Category: cyber security | DISC @ 1:11 pm

Cyber security is not enough – you need to become cyber resilient

 

Cyber Resilience Implementation Suite

It’s no longer sufficient to suppose that you can defend against every potential attack; you must accept that some attack will eventually succeed. An organisation’s resilience in identifying and responding to security breaches will become a critical survival trait. The Cyber Resilience Implementation Suite has been designed to help organisations create an integrated management system that both defends against cyber threats and minimises the damage of any successful attack. This suite of products will help you deploy the information security management standard ISO 27001 and the business continuity standard ISO 22301 to create an integrated cyber resilience management system. The books in this suite give you the knowledge to plan and start your project, identify your organisation’s own requirements and apply these international standards. Management systems can require hundreds of documents and policies. Created by experienced cyber security and business continuity professionals, the toolkits in the Cyber Resilience Implementation Suite provide documentation templates to save you weeks of research and writing, plus supporting guidance to ensure you’re applying the policies your business needs. Administration and updating of the documentation is made easy by the toolkits’ integrated dashboard, easy customisation of templates and one-click formatting.

Cyber Resilience Implementation Suite

 


Contents

This suite includes:

Start building cyber resilience into your organisation today.


Tags: Cyber Resilience, ISO 22301, iso 27001, iso 27002


Apr 12 2016

Top US Undergraduate Computer Science Programs Skip Cybersecurity Classes

Category: cyber security | DISC @ 3:30 pm

By Kelly Jackson Higgins

New study reveals that none of the top 10 US university computer science and engineering program degrees requires students take a cybersecurity course.

There’s the cybersecurity skills gap, but a new study shows there’s also a major cybersecurity education gap — in the top US undergraduate computer science and engineering programs.

An analysis of the top 121 US university computer science and engineering programs found that none of the top 10 requires students to take a cybersecurity class for a degree in computer science, and three of the top 10 don’t offer any cybersecurity courses at all. This higher-education gap comes against the backdrop of some 200,000 unfilled IT security jobs in the US, and an increasing sense of urgency among organizations to hire security talent as cybercrime and cyber espionage threats escalate.

Robert Thomas, CEO of CloudPassage, whose company conducted the study, says the security gap in traditional computer science programs is worrisome, albeit not too surprising. “The results were pretty profound,” Thomas says. “When we tested the top universities’ computer science degrees, it was disturbing to find that very few require any kind of cybersecurity [instruction] as part of the curriculum to graduate” with a computer science degree, he says.

With IT security departments scrambling to fill positions, Thomas says CloudPassage wanted to gauge how universities are preparing computer science graduates for the cybersecurity job market. “Universities have a responsibility to start moving … to [address] bigger problems in security,” he says.

Graduate-level cybersecurity programs are emerging, such as those of Carnegie Mellon, the University of Maryland-Baltimore County, and the University of South Florida, but the study was focused on undergrad computer science programs and their integration with cybersecurity. The universities in the study were based on rankings from US News & World Report, Business Insider, and QS World of the top schools in the field.

The University of Michigan, which is ranked 12th among US computer science programs by US News & World Report, is the only university in the top 36 that requires computer science students to take a cybersecurity course, CloudPassage’s study found. Among the top 10, there are three universities that don’t offer cybersecurity courses as electives, either.

Michigan (#11 in Business Insider’s Top 50 US computer science schools), Brigham Young (#48 in that rankings list), and Colorado State (#49), are the only top comp sci programs that require at least one cybersecurity class for a degree.

Among the universities in the study offering the most cybersecurity electives in their computer science programs are Rochester Institute of Technology (10 security elective courses) which is in the top 50 of Business Insider’s list; Tuskegee University (10); DePaul University (9); University of Maryland (8); University of Houston (7); Pace University (6); California Polytechnic State University (5); Cornell University (5); Harvard University (5); and Johns Hopkins University (5).

Meanwhile, the University of Alabama, which is not ranked in either the US News & World Report nor Business Insider as a top comp sci program, was the only university that requires three or more cybersecurity courses, the study found.

A lack of awareness about cybersecurity among college-age students is another element of the education-gap equation. A recent study by Raytheon and the National Cyber Security Alliance found that millennials worldwide just aren’t entering the cybersecurity field, mainly due to a lack of awareness of what security careers entail. Half of women aged 18 to 26 say they don’t have cybersecurity programs and activities available to them, and 40% of men in that age bracket say the same. Nearly half of millennial men aren’t aware of what cybersecurity jobs entail.

ISC2, a nonprofit that offers cybersecurity certifications, has tracked the lack of higher-education programs in cybersecurity. Over the past two years, ISC2 via its International Academic Program has offered cybersecurity classroom materials and other services for colleges to use in their curriculum, as well as for faculty training. The goal of the program is to beef up cybersecurity content in the curriculum.

“If you look across the total number of colleges, a very small percentage have a cybersecurity curriculum,” says David Shearer, CEO of ISC2. “Many have not had the money or time or skills to develop cybersecurity programs.”

Shearer says ISC2 is working to fill those gaps with its academic outreach program. “If there’s not a formal education for kids once they get to universities, we [the US] haven’t accomplished a whole lot,” he says.


Awareness Gap

Aside from the top computer science programs not offering or requiring cybersecurity courses, many computer science graduates just aren’t aware of the opportunities in the cybersecurity field. Many are drawn to computer science because they’re interested in writing new applications to solve problems in their areas of interest. Coding is considered “cool,” security experts say, while security is seen as a hindrance to application development, for example.

ISC2’s Shearer says cybersecurity gets a bad rap sometimes in application development, and security is seen as mainly about strong passwords and patches, for instance. “They don’t see it as exciting, intriguing work, but they should,” he says. “With greater awareness and education in this area [cybersecurity], today’s youth could see things like hacking as an interesting area they’d want to learn about.”

CloudPassage, meanwhile, is also reaching out to universities: it announced today that it will offer free CloudPassage Halo security-as-a-service platform accounts to US computer science programs, as well as instructional templates, tutorials, and support. “They can use our infrastructure and products as an illustration, to get some experience,” CloudPassage’s Thomas says.





Oct 02 2015

Cyber crime costs the global economy $445 billion a year

Category: cyber security, Cybercrime | DISC @ 3:06 pm

A new report – A Guide to Cyber Risk: Managing the Impact of Increasing Interconnectivity – reveals that cyber crime costs the world $445 billion annually, with the top ten economies accounting for more than 50% of the costs. Since 2005 there have been 5,029 reported data breach incidents in the US alone, and at least 200 breaches in Europe involving 227 million records.

It is estimated that the average cost of a data breach is $3.8 million, which is up from $3.3 million a year earlier.


Source: A Guide to Cyber Risk: Managing the Impact of Increasing Interconnectivity, Allianz Global Corporate & Specialty (AGCS)

Cyber risks are underestimated

Published by Allianz Global Corporate & Specialty (AGCS), the report warns that “cyber risk is the risk most underestimated by businesses” and asserts that “everyone is a target”.

73% of respondents to the Allianz Risk Barometer 2015 believe that underestimation of cyber risks is preventing companies from being better prepared for them. Other hindrances include budget constraints (59%), failure to analyze the problem (54%), IT infrastructure that is too sensitive for major changes (30%) and failure to identify the right personnel (10%).

The US shows higher levels of awareness of cyber risk due to having tougher legislation than other countries. The majority of US states require companies to notify individuals of a breach. Europe is heading in the same direction, with the European Union (EU) currently reviewing its data protection law and planning to introduce more stringent rules in terms of data breaches.

Data shows that cyber attacks are becoming more frequent and sophisticated. The number of detected cyber attacks was up by 48% in 2014, according to the Global State of Information Security Survey 2015.

In order to protect themselves from breaches, businesses should identify key assets at risk and make decisions as to what risks to accept, avoid, mitigate or transfer.

Future cyber risk trends

The AGCS report predicts that businesses will be increasingly exposed to risks from the supply chain and that we are yet to witness “a major cyber event of truly catastrophic proportions”.

Jens Krickhahn, practice leader, Cyber & Fidelity at AGCS Financial Lines Central & Eastern Europe, explains:

“Business exchanges with partners are increasingly electronic.

“Even if a company is confident in its own IT controls, it is still exposed to cyber risk through its business partners, contractors and supply chains.”

The Internet of Things (IoT) is seen as one of the biggest factors that will change the face of cyber threats leading to interconnected risks. It will exacerbate vulnerabilities, bringing increasing potential for physical loss and data breaches.

ISO 27001 and cyber risks

Management of information security risks is at the core of ISO 27001, the international standard that sets out the specification for an information security management system (ISMS).

ISO 27001 requires compliant organizations to carry out risk assessments based on agreed criteria. The outcome of the risk assessment should enable the business to balance expenditure on controls against the business harm likely to result from security failures.
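The two ideas above, deciding which risks to accept, avoid, mitigate or transfer, and balancing spend on controls against the harm they prevent, fit together in a risk register. The following Python script is an added example written for this page; it is not code from the AGCS report, ISO 27001 or IT Governance. The scoring criteria (likelihood as an annual rate, impact as loss per event), the risk-appetite and effectiveness thresholds, and every figure in the sample register are constructed assumptions chosen to show each treatment outcome once.

```python
"""Worked example (added here, not from the original post): a minimal
ISO 27001-style risk assessment over a constructed asset register.

Likelihood and impact are scored against agreed criteria, the annualised
loss expectancy (ALE) of each risk is estimated, and a treatment option is
recommended (accept, mitigate, transfer or avoid) by weighing the annual
cost of a control against the harm it is expected to prevent.  All
criteria, thresholds and figures below are illustrative assumptions."""
from dataclasses import dataclass
from typing import List, Tuple

# Agreed criteria (assumptions): the annual loss the business will carry
# without treatment, and the minimum share of a risk a control must remove
# before spending on it counts as mitigation rather than window dressing.
RISK_APPETITE_ALE = 10_000.0
MIN_RISK_REDUCTION = 0.5


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood_per_year: float    # annual rate of occurrence (ARO)
    impact_per_event: float       # single loss expectancy (SLE), in currency
    control: str                  # candidate control
    control_cost_per_year: float  # annual cost of running the control
    control_effectiveness: float  # fraction of the ALE the control removes, 0..1
    transferable: bool = False    # can insurance or a contract carry the residual?

    @property
    def ale(self) -> float:
        """Annualised loss expectancy before treatment: ARO x SLE."""
        return self.likelihood_per_year * self.impact_per_event

    @property
    def residual_ale(self) -> float:
        """Expected annual loss left after the control is applied."""
        return self.ale * (1.0 - self.control_effectiveness)

    def rosi(self) -> float:
        """Return on security investment: loss avoided minus control cost."""
        return (self.ale - self.residual_ale) - self.control_cost_per_year


def recommend_treatment(r: Risk) -> str:
    """Apply the agreed criteria to one risk and pick a treatment option."""
    if r.ale <= RISK_APPETITE_ALE:
        return "accept"          # within appetite: record it and move on
    if r.rosi() > 0 and r.control_effectiveness >= MIN_RISK_REDUCTION:
        return "mitigate"        # the control pays for itself and bites hard enough
    if r.transferable:
        return "transfer"        # cheaper to insure or contract away than to fix
    return "avoid"               # stop the activity or retire the asset


def assess(register: List[Risk]) -> List[Tuple[str, str, float, str]]:
    """Return (asset, threat, ALE, treatment) rows, largest ALE first."""
    rows = [(r.asset, r.threat, r.ale, recommend_treatment(r)) for r in register]
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed sample register; none of these figures comes from the article.
SAMPLE_REGISTER = [
    Risk("customer database", "ransomware", 0.2, 500_000.0,
         "offline backups + EDR", 20_000.0, 0.8),
    Risk("marketing website", "defacement", 1.0, 5_000.0,
         "WAF", 3_000.0, 0.7),
    Risk("legacy payment app", "card data theft", 0.1, 2_000_000.0,
         "re-platform with P2PE", 150_000.0, 0.6, transferable=True),
    Risk("unsupported PBX", "toll fraud", 0.5, 60_000.0,
         "replace PBX", 40_000.0, 0.9),
]

if __name__ == "__main__":
    for asset, threat, ale, treatment in assess(SAMPLE_REGISTER):
        print(f"{asset:22s} {threat:16s} ALE={ale:>12,.0f}  -> {treatment}")
```

Run as-is and the register comes out largest ALE first: the legacy payment app is transferred because the re-platforming cost exceeds the loss it would avoid, the customer database is mitigated because backups and EDR pay for themselves, the PBX is avoided because no affordable control exists and the residual cannot be insured, and the website defacement sits inside appetite and is accepted. The thresholds are the point of the exercise: they are the "agreed criteria" ISO 27001 asks for, and changing them should be a documented management decision, not a tweak in the script.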

Download IT Governance’s free green paper, Risk Assessment and ISO 27001, to learn more about managing cyber risks.


Tags: cyber attack, cyber criminals, cyber security, cyber threats, Cyber-warfare, Cybercrime


Jun 19 2015

Cyber Resilience Best Practices

Category: Cyber Insurance, cyber security, Cybercrime | DISC @ 11:07 am

RESILIA™ Cyber Resilience Best Practices

AXELOS’s new guide RESILIA™ Cyber Resilience Best Practices provides a methodology for detecting and recovering from cyber security incidents using the ITIL lifecycle.

RESILIA™ Cyber Resilience Best Practices

Best guide on cyber resilience on the web – Cyber Resilience Best Practices is part of the AXELOS RESILIA™ portfolio.

RESILIA™ Cyber Resilience Best Practices is aimed at anyone who is responsible for staff or processes that contribute to the cyber resilience of the organization.

The methodology outlined in this manual has been designed to complement existing policies and frameworks, helping create a benchmark for cyber resilience knowledge and skills.

  • Designed to help organizations better prepare themselves to deal with the increasing range and complexity of cyber threats.
  • Provides a management approach to assist organizations with their compliance needs, complementing new and existing policies and frameworks.
  • Developed by experts in hands-on cyber resilience and systems management, working closely with subject and technology experts in cyber security assessment.
  • Supports the best-practice training and certification that is available to help organizations educate their staff by providing a defined benchmark for cyber resilience knowledge and skills.
  • Aligned with ITIL®, which is the most widely accepted service management framework. The best practice is equally suitable for organizations to adopt within other systems, such as COBIT® and organization-specific frameworks.

 

Target market

 

  • Managers who are responsible for staff and processes where cyber resilience practices are required – for example those processing payment card information, sensitive commercial data or customer communications.
  • IT service management teams, IT development and security teams, cyber teams and relevant team leaders that operate the information systems that the organization relies on.
  • IT designers and architects, those responsible for the design of the information systems and the controls that provide resilience.
  • The chief information security officer (CISO), the chief security officer (CSO), IT director, head of IT and IT managers.

 

Buy this guide and gain practical guidance on assessing, deploying and managing cyber resilience within business operations.
RESILIA™ Cyber Resilience Best Practices


Tags: Chief Information Security Officer, CISO, Computer security, CSO, cyber crime, Cyber Defence, Cyber Insurance, Cyber protection, Cyber Resilience, cyber security, Cyber Security countermeasures, Cyber Security Safeguards, cyber threats, data security, Information Security, Information Technology Infrastructure Library, ISO, iso 27001, iso 27002


Feb 09 2015

Cyber Security safeguard offers much more than just protection

Category: cyber security | DISC @ 5:56 pm

What is most beneficial about cyber security safeguards? Well, you will not only benefit from better protection of your own information, but you will also gain a competitive advantage by demonstrating your cyber credentials.


For example, certification to ISO 27001 or evidence of compliance with the PCI DSS (for merchants and service providers) is often a tender or contractual requirement because it proves that an organization has been independently audited against internationally recognized security standards.

Those that implement an information security management system (ISMS) will benefit hugely from improved processes and control of data within the organization.

Furthermore, demonstrable and improving cyber security can also reduce your cyber insurance premiums. And finally, it will reduce the likelihood that you suffer a successful cyber attack. That’s a worthwhile improvement.


May 12 2014

Bestselling Books at Infosecurity 2014

Category: cyber security, Information Security | DISC @ 9:36 am

by Lewis Morgan @ITG

It has now been a week since Infosecurity Europe 2014. This year was my first at Infosec, and I found it to be one of the most interesting and diverse events I have ever been to.

During my short time on the IT Governance stand, I spoke to several people who were showing a keen interest in our wide range of books. It was a common opinion that our range of books is one of the broadest in the industry – something of which we are very proud.

To demonstrate our range of books and their popularity, we have created the list below of the five bestselling books at Infosecurity 2014*. All of the following books are available in multiple formats.

PCI DSS Pocket Guide

    A quick guide for anyone dealing with the PCI DSS and related issues. Now also covers PCI DSS version 3.0.

ISO27001 / ISO27002 Pocket Guide

    Now updated for the 2013 editions of ISO27001/ISO27002, this pocket guide gives a useful overview of two important information security standards.

Governance of Enterprise IT based on COBIT®5

    A perfect introduction to the principles and practice underpinning the governance of enterprise IT using COBIT®5.

Penetration Testing – Protecting Networks and Systems

    An essential guide to penetration testing and vulnerability assessment, which can be used as a preparation guide for Certified Penetration Testing Engineer exams.

Securing Cloud Services

    This book provides an overview of security architecture processes, and explains how they may be used to derive an appropriate set of security controls to manage the risks associated with working in the Cloud.

 

Tags: Certified Penetration Testing Engineer, Cloud computing, cloud computing security, London, Payment Card Industry Data Security Standard, Penetration test


Mar 28 2014

How organization can handle cyberthreats

Category: cyber security, Cybercrime | DISC @ 12:13 pm

CyberWar, CyberTerror, CyberCrime and CyberActivism

Successful cyberattacks can damage your organization, no matter who is behind them

The goals of the cyberterrorist, the cybercriminal, the cyberactivist and the state-sponsored hacker may not be the same – but the outcomes can be equally devastating. Each can cause serious challenges for your organisation, ranging from information theft and disruption of normal operations to loss of reputation or credibility.

Cyber security is much more than technology

Many books on cybersecurity focus on technical responses to these threats. As important as this is, human fallibility and other well-known weaknesses will still let hackers break easily into a system whose defences have not taken these factors into account.

CyberWar, CyberTerror, CyberCrime and CyberActivism encourages cybersecurity professionals to take a wider view of what cybersecurity means, and to make the most of international standards and best practices to create a culture of cybersecurity awareness within their organizations that complements their technology-based defences.

A cyber aware workforce equals better security

This second edition takes a deep look at the changing threats in the cyber landscape, and includes an updated body of knowledge that describes how to acquire, develop, and sustain a secure information environment that goes beyond technology. This enables you to move towards a cyber aware organisational culture that is more robust and better able to deal with a wider range of threats. Related references, as well as recommendations for additional reading, are included at the end of each chapter, making this a valuable resource for trainers and researchers as well as cybersecurity practitioners.

Pre-Order this book today and see how international standards can boost your cyber defences. (download – Adobe, ePub, kindle)

About the author

Dr Julie Mehan is the Founder and President of JEMStone Strategies and a Principal in a strategic consulting firm in the State of Virginia. She has delivered cybersecurity and related privacy services to senior commercial, Department of Defense and federal government clients working in Italy, Australia, Canada, Belgium, and the United States. Dr Mehan is also an Associate Professor at the University of Maryland University College, specializing in courses in Cybersecurity, Cyberterror, IT in Organizations and Ethics in an Internet Society.

Comprehensive Cyber Security Risk Management Toolkit

 

Tags: CyberActivism, Cybercrime, CyberTerror, cyberwar


Mar 14 2014

Hacking Point of Sale

Category: cyber security, data security | DISC @ 9:28 am

A hands-on guide to achieve better security at point of sale

Hacking Point of Sale – a must-have guide for those responsible for securing payment card transactions. Hacking Point of Sale is a book that tackles the issue of payment card data theft head on. It covers everything from how attacks are structured to the layout of magnetic stripe data and point-to-point encryption, and much more.

Packed with practical recommendations, it goes beyond covering PCI DSS compliance to offer real-world solutions on how to achieve better security at point of sale.

Hacking Point of Sale…

• A unique book on credit and debit card security, with an emphasis on point-to-point encryption (P2PE) of payment transactions, from standards to design to application
• Explores most of the major groups of security standards applicable to point of sale, including PCI, FIPS, ANSI, EMV and ISO
• Details how supposedly protected areas are attacked and how attackers spot vulnerabilities
• Highlights ways of defending against attack, such as introducing cryptography to payment applications and hardening application code

An essential guide for security professionals that are charged with addressing security issues with point of sale systems.

Tags: debit card, Information Security, Payment card industry, Payment Card Industry Data Security Standard, Point of sale


Feb 18 2014

Comprehensive Cyber Security Risk Management Toolkit

Category: cyber security, Security Risk Assessment | DISC @ 11:30 am

Cyber Security Toolkit

 

Govern and manage Cyber Security risk with this unique comprehensive toolkit suite

 

Comprehensive Cyber Security Risk Management Toolkit Suite – Use the Cyber Security Governance & Risk Management Toolkit for a new, fresh implementation of a comprehensive management system that will also be capable of ISO27001 certification, or take advantage of this toolkit’s modular

There are a number of standalone, best practice approaches to managing cyber risk, none of which is on its own completely satisfactory. This toolkit helps you make an enormous leap forward by consolidating five separate approaches into a single, comprehensive, robust framework.

• PAS 555:2013 is the new standard for cyber security risk governance and management; it was created to work with a range of other standards;
• ISO/IEC 27032 is the international guidance standard for managing cyber security risk;
• The Cloud Controls Matrix was developed by the Cloud Security Alliance for cloud service providers;
• Ten Steps to Cyber Security is the methodology developed by the UK’s Business Department to help organizations of all sizes secure their cyber defenses;
• ISO/IEC 27001: 2013 is the internationally recognized standard against which an information security management system can achieve accredited certification.

Use the Cyber Security Governance & Risk Management Toolkit for a new, fresh implementation of a comprehensive management system that will also be capable of ISO27001 certification, or take advantage of this toolkit’s modular construction and control mapping matrix to add its additional controls to an existing ISO27001 management system.

This Cyber Security Governance & Risk Management Toolkit recognizes that mobile device management is a critical component of effective cyber risk control and therefore includes the ITGP BYOD Policy Toolkit as a value-added extra.

Included in this comprehensive toolkit suite is:

Tags: Cloud Security Alliance, ISO/IEC 27001, National Institute of Standards and Technology, Risk management


Jan 31 2014

How to Achieve Cyber Resilience

Category: cyber security | DISC @ 1:09 pm

Becoming cyber resilient will give your organization the best chance of defending itself against and surviving from cyber attacks.

What does ‘cyber resilience’ mean?

Cyber resilience is the ability to repel cyber attacks while protecting critical business assets, rapidly adapting and responding to business disruptions, and maintaining continuous business operations.

So how do I become Cyber Resilient?

IT Governance has developed a 7-step approach to achieving cyber resilience; see the 7 steps graphic.

[Graphic: 7 steps to cyber resilience]

Cyber Resilience Core Standards Kit

These standards will help you to implement a management system that will allow you to take advantage of the opportunities associated with operating in cyberspace whilst mitigating the threats and risks.
Includes the information security standards ISO27001 and ISO27002 and the business continuity standards ISO22301 and ISO22313.

 

Build your knowledge of these key areas and be ready to help deliver your organization's cyber resilience strategy

Developing knowledge of the best practice advice and guidance in the key standards ISO27001 & ISO22301 is key to delivering a successful cyber resilience strategy. Whatever your preferred method of learning, IT Governance have the products to help build the knowledge and skills you need.

An Introduction to Information Security and ISO 27001 (2013) – Written by acknowledged ISO27001 expert Steve Watkins, this pocket guide introduces the principles of information security management and ISO27001. This guide will help you understand how to start planning a project to implement effective, reliable and auditable systems.

ISO22301 – A Pocket Guide – ISO22301: A Pocket Guide will help you understand the international business continuity practice, and provides guidance on the best way to implement a fit-for-purpose BCMS.


Oct 18 2013

10 Steps To Assess Cyber Security Risk

Category: cyber security, Risk Assessment | DISC @ 9:00 pm


October is National Cyber Security Awareness Month and it is an opportunity to engage public and private sector stakeholders – especially the general public – to create a safe, secure, and resilient cyber environment. Everyone has to play a role in cybersecurity. Constantly evolving cyber threats require the engagement of the entire nation — from government and law enforcement to the private sector and most importantly, the public.

National Cyber Security Awareness Month

A cyber security risk assessment is necessary to identify the gaps in your organisation’s critical risk areas and determine actions to close those gaps. It will also ensure that you invest time and money in the right areas and do not waste resources where there is no need for it.

Even if you have implemented an ISO 27001 Information Security Management System, you may want to check if your cyber security hygiene is up to standard with the industry guidelines.

Cyber Security ToolKit | Cyber Security Standards | Cyber Security Books

Cyber security risk assessment:

Use qualified in-house staff or an experienced consultant, who will work with your team to examine each of the ten risk areas (described below) in sufficient detail to identify the strengths and weaknesses of your current security posture. All this information can be consolidated into an immediately usable remediation action plan that will help you close the gap between what you are actually doing and recognized good practice. It will enable you to ensure that your cyber risk management at least matches minimum industry guidelines.

The ten risk areas that will be examined are:

1. Do you have an effective risk governance structure, in which your risk appetite and selected controls are aligned? Do you have appropriate information risk policies and adequate cyber insurance?

2. Do you have a mobile and home-working policy that staff have been trained to follow? Do you have a secure baseline device build in place? Are you protecting data both in transit and at rest?

3. Do you have Acceptable Use policies covering staff use of systems and equipment? Do you have a relevant staff training programme? Do you have a method of maintaining user awareness of cyber risks?

4. Do you have clear account management processes, with a strong password policy and a limited number of privileged accounts? Do you monitor user activity, and control access to activity and audit logs?

5. Do you have a policy controlling mobile and removable computer media? Are all sensitive devices appropriately encrypted? Do you scan for malware before allowing connections to your systems?

6. Do you have a monitoring strategy? Do you continuously monitor activity on ICT systems and networks, including for rogue wireless access points? Do you analyze network logs in real time, looking for evidence of mounting attacks? Do you continuously scan for new technical vulnerabilities?

7. Do you have a technical vulnerability patching program in place and is it up-to-date? Do you maintain a secure configuration for all ICT devices? Do you have an asset inventory of authorized devices and do you have a defined baseline build for all devices?

8. Do you have an appropriate anti-malware policy and practices that are effective against likely threats? Do you continuously scan the network and attachments for malware?

9. Do you protect your networks against internal and external attacks with firewalls and penetration testing? Do you filter out unauthorised or malicious content? Do you monitor and test security controls?

10. Do you have an incident response and disaster recovery plan? Is it tested for readily identifiable compromise scenarios? Do you have an incident forensic capability and do you know how to report cyber incidents?


Aug 15 2013

Cyber Security Governance & Risk Management Toolkit

Category: cyber security | DISC @ 9:56 am

Cyber Security Toolkit

The threat from cyber space is real and growing.
To strengthen cyber security in your organization, there are several frameworks you can adopt:

• ISO/IEC 27001
• ISO/IEC 27032
• PAS 555
• the BIS Ten Steps to Cyber Security
• the Cloud Security Alliance’s Cloud Control Matrix

These standards and guidance offer, between them, a comprehensive cyber security umbrella for your organization.

This is the only toolkit to consolidate the advice from the five leading approaches to managing cyber risk into a single, robust framework, and is made up of:

  • ISO27001 Documentation Toolkit – which will enable you to achieve external certification.
  • Independently developed Cyber Security Documentation – offering the guidance you need to put in place effective processes to achieve cyber resilience.
  • Documentation drawing on PAS 555, BIS Ten Steps, Cloud Controls Matrix and ISO27032 – extending the controls contained in ISO27001, and enhancing the benefits of implementing an ISO27001 ISMS.
  • Cyber Security Framework Matrix – efficiently mapping the five separate approaches to a single comprehensive, robust framework.
  • Bring Your Own Device (BYOD) Toolkit – these templates will enable your organization to benefit from improved productivity, reduced capital expenditure and a better work-life balance for employees.

The Cyber Security Governance & Risk Management Toolkit consolidates the advice from these five leading approaches to managing cyber risk into a single, robust framework.

This toolkit helps you make an enormous leap forward by consolidating five separate approaches into a single, comprehensive, robust framework.

Cyber Security Toolkit

Get your copy and start your cyber resilience project today!

Cyber Security Governance & Risk Management Toolkit


Jul 22 2013

Your employees aren’t the only threat to InfoSec and Compliance

Category: cyber security, Information Security | DISC @ 1:18 pm

July 22nd, 2013 by Lewis Morgan

I overheard a conversation the other day, one which left me so stunned that I’ve decided to write about it….

Two men having dinner behind me (I got the impression they were both directors) were discussing the £200k fine the NHS received for losing patient data. Eventually, the conversation turned into a discussion about information security as a whole. I won't go into all the details but one of them said, “We don't particularly focus on cyber security, it's always large organisations which are in the news about getting hacked and being a small company, we're not under threat”. It bothered me (probably more than it should have) that someone in control of an organisation has that attitude to cyber security. If an organisation of 5 employees was hacked the same day as, let's say, DELL were hacked – who'd make it into the news? DELL would. Why? Because it's likely to be more of an interest to the readers/listeners and will have a bigger impact on the public compared to that of the smaller organisation.

I never see stories in the news of someone being hit by a bus in my local town, but it doesn't mean I'll walk in front of one holding a sign saying ‘hit me’. That's effectively what this director is doing, turning a blind eye to a large threat just because he's not seen an example of a small organisation being hacked – chances are he doesn't even read the publications which cover those stories.

Ignorance

It's a strong word, isn't it? Personally I hate calling people ignorant, I'd rather use a more constructive word such as ‘unaware’, but I feel that using the word ignorance will raise some eyebrows.

As a director of a company, your aim is to maximise revenue, minimise costs and anything in between.

You need a future for your organisation; this is usually done by investing in your marketing efforts, improving your products/services and providing the best customer service possible. But what do you do to actually secure a future? It's all good and well having a 5-year plan which sees 400% growth in revenue, but how do you make sure that your organisation will even exist in 5 years?

2 years into your plan and you're hitting your targets – but you've just discovered that there's been a data breach and your customers' credit card details have been sold online.

Your plans have now become redundant; depending on how prepared you are to handle the situation, so are your staff. The cost of recovering from a data breach for a small organisation is between £35 – 65K (and that's not including fines). Can your organisation afford that? Probably not, but you could have afforded the costs which would have prevented this breach in the first place.

Let's say that the breach happened because a new member of staff was unaware that they shouldn't open emails in the spam folder. An email was opened, malicious software was installed and login credentials were stolen. You could have trained that member of staff on basic information security in under an hour, for £45. But instead, you chose to ignore your IT Manager who's been raising spam issues at each monthly meeting, but all you chose to hear is “we've not been hacked” and “invest”, which is enough for you to move on.

What your IT Manager is really telling you is “We've recently been receiving a large amount of emails into our spam filter, and some are getting through. I think we need to invest in a more advanced spam filter, and perhaps train some of the staff on which emails to avoid. A virus from an email could lead to a hack, it's not happened yet but there's a chance it will.”

Forget blaming the IT Manager or the new member of staff when that breach happens, it comes down to you and your:

Inability to perceive cyber threats

Grey areas in appropriate knowledge

Naivety

Overhead cost restrictions

Refusal to listen to something you don’t understand

Absent mindedness

No interest in the customer’s best interests

Careless decisions

Eventual disaster

 

Cyber security threats are real, so why are you ignoring them?

To save money? Tell that to a judge

Introduction to Hacking & Crimeware

You don’t understand the threats? Read this book

 

Tags: Computer security, data breach, Email spam, hackers, Information Security, Malware


Jul 15 2013

Boardroom Cyber Watch Report 2013

Category: cyber security | DISC @ 9:23 am


Download the ‘Boardroom Cyber Watch Report 2013’ Free!

  • Almost 75% of respondents say their customers prefer to deal with suppliers with proven IT security credentials;
  • 50% say customers have enquired about their company’s security measures in the past 12 months.

 

The ‘Boardroom Cyber Watch 2013’ is the first survey IT Governance has undertaken which specifically targets chief executives, board directors and IT professionals. Our aim is to shine new light on how company directors and board members currently perceive IT security issues, as well as to provide them with practical guidance on how to address these challenges.

Boardroom Cyber Watch Report 2013

Price: FREE PDF Download

Learn more

Tags: Canadian Cyber Incident Response Centre, Computer security


Jun 05 2013

CyberWar, CyberTerror, CyberCrime

Category: cyber security, Cybercrime | DISC @ 10:14 am


Cyber wars between companies, hacker groups and governments can force entire countries to a standstill. A lone, but sophisticated, hacker can bring global organisations to their knees from just an internet café. The threat isn't even entirely external; perhaps the greatest threat sits uncomfortably in plain sight – from inside your staff. Arm yourself with the top cyber security titles:

CyberWar, CyberTerror, CyberCrime

This book is written by Dr Julie Mehan who is a Principal Analyst for a strategic consulting firm in the State of Virginia. She has been a Government Service employee, a strategic consultant, and an entrepreneur – which either demonstrates her flexibility or inability to hold on to a steady job! Until November 2007, she was the co-founder of a small woman-owned company focusing on secure, assured software modernization and security services. She led business operations, as well as the information technology governance and information assurance-related services, including certification and accreditation, systems security engineering process improvement, and information assurance strategic planning and programme management. During previous years, Dr Mehan delivered information assurance and security-related privacy services to senior department of defence, federal government, and commercial clients working in Italy, Australia, Canada, Belgium, and the United States.

Here are the contents of this book.

The world is becoming ever more interconnected and vulnerable, as has been demonstrated by the recent cyber attacks on Estonia. Thus the need for stringent and comprehensive methods of combating cyber crime and terror has never been greater.
Information security should not be an afterthought. It should be ingrained into the organisation's culture. This book will help you create this forward-thinking culture using best practices and standards.
Key Features:

  • Straightforward and no-nonsense guide to using best practices and standards, such as ISO 27001, to instil a culture of information security awareness within an organisation.
  • Distils key points on how to use best practices and standards to combat cyber crime and terror.
  • The information within the book is presented in a straightforward and no-nonsense style, leading the reader step-by-step through the key points.


What other people say about this book:
So what you have in CyberWar, CyberTerror, CyberCrime is a skillful blend of very readable, at times even entertaining and certain to stimulate introspection, guidance on just why and how cyber security is important to every organization connected to the internet – try to name one that is not. I would bet that truly effective leaders will purchase multiple copies and circulate CyberWar, CyberTerror, CyberCrime throughout the entire organization.
Leonard Zuga, Partner, Technology and Business Insider (TBI)

“This book is a good basis for a security roadmap. It's well researched and well written.”

Peter Wood, Chief of Operations at First Base Technologies


“This is a book that I will look forward to using to enhance both my undergraduate and graduate instruction in information security.”

Dr Bob Folden, Assistant Professor, Business Administration and MIS, Texas A&M University – Commerce


“This is an interesting book that introduces the reader to the security of the Internet industry, and goes into some details on how some abuse it. This is a very good book. You will enjoy it.”

Jerome Athias, Computer Security Researcher


May 21 2013

Cyber Security Risk Governance and Management

Category: cyber security | DISC @ 11:33 am

 

PAS 555 – Cyber Security Risk Governance and Management


What does effective cyber security look like?

The many standards and sources of best practice on cyber security tend to focus on delivery (the how).

PAS 555:2013 is the new Cyber Security Risk Governance and Management standard, and details what effective cyber security looks like (the what).

PAS 555:2013 Cyber Security Risk Governance and Management

PAS 555 is intended for use by any organization that wishes to gain confidence in its management and governance of cyber security. Any organization, irrespective of its size, type, nature of business or location, can employ PAS 555.

Simply buy the standard and get started with delivering effective cyber security today!

