The article emphasizes that AI cybersecurity must be multi-layered, like the systems it protects. Cybercriminals increasingly exploit large language models (LLMs) with attacks such as data poisoning, jailbreaks, and model extraction. To counter these threats, organizations must implement security strategies during the design, development, deployment, and operational phases of AI systems. Effective measures include data sanitization, cryptographic checks, adversarial input detection, and continuous testing. A holistic approach is needed to protect against growing AI-related cyber risks.
Benefits and Concerns of AI in Data Security and Privacy
Predictive analytics provides substantial benefits in cybersecurity by helping organizations forecast and mitigate threats before they arise. Using statistical analysis, machine learning, and behavioral insights, it highlights potential risks and vulnerabilities. Despite hurdles such as data quality, model complexity, and the dynamic nature of threats, adopting best practices and tools enhances its efficacy in threat detection and response. As cyber risks evolve, predictive analytics will be essential for proactive risk management and the protection of organizational data assets.
AI raises concerns about data privacy and security. Ensuring that AI tools comply with privacy regulations and protect sensitive information.
AI systems must adhere to privacy laws and regulations, such as GDPR, CPRA to protect individuals’ information. Compliance ensures ethical data handling practices.
Implementing robust security measures to protect data (data governance) from unauthorized access and breaches is critical. Data protection practices safeguard sensitive information and maintain trust.
1. Predictive Analytics in Cybersecurity
Predictive analytics offers substantial benefits by helping organizations anticipate and prevent cyber threats before they occur. It leverages statistical models, machine learning, and behavioral analysis to identify potential risks. These insights enable proactive measures, such as threat mitigation and vulnerability management, ensuring an organizationās defenses are always one step ahead.
2. AI and Data Privacy
AI systems raise concerns regarding data privacy and security, especially as they process sensitive information. Ensuring compliance with privacy regulations like GDPR and CPRA is crucial. Organizations must prioritize safeguarding personal data while using AI tools to maintain trust and avoid legal ramifications.
3. Security and Data Governance
Robust security measures are essential to protect data from breaches and unauthorized access. Implementing effective data governance ensures that sensitive information is managed, stored, and processed securely, thus maintaining organizational integrity and preventing potential data-related crises.
DISC LLC, situated at Sonoma county, CA, is dedicated to offering premier information security services. As a consultant specializing in information security, we pride ourselves in helping businesses across the United States build resilient security programs.
Our Expertise
vCISO Services
When are vCISO services most appropriate? Our expert virtual Chief Information Security Officer (vCISO) services are designed to build a robust security program that effectively detects and mitigates risks. Reach out to us today to develop a security program tailored to todayās challenges.
ISO 27001 and ISMS Implementation
We specialize in implementing ISO 27001 standards and establishing Information Security Management Systems (ISMS) that ensure your organizationās compliance with the highest industry standards. Achieve certification and maintain a strong competitive edge in security compliance.
Our detailed security risk assessment services identify potential threats and vulnerabilities in your systems. By understanding these risks, we develop strategic measures to counteract them, safeguarding your business from data breaches and other security incidents.
Ensuring Security Compliance – GRC Consulting
In the Information Security and Compliance industry, organizations are increasingly seeking services that help them manage the growing complexity of cyber threats and regulatory requirements.
Maintaining security compliance is crucial in todayās digital landscape. DISC LLC helps organizations navigate complex regulatory requirements, ensuring they meet all necessary standards to protect their data and operations.
Overview: As regulations and standards like GDPR, HIPAA, CCPA, and ISO 27001 become stricter, organizations seek expert advice to ensure compliance and reduce risk.
With the rapid adoption of cloud services, securing cloud environments (e.g., AWS, Azure, Google Cloud) is critical. Cloud security solutions focus on protecting data, identities, and workloads in cloud infrastructure.
With regulations like GDPR and CCPA, and with advent of an AI organizations need to implement measures that protect sensitive data, data governance and ensure that personal information is handled according to legal standards.
Protecting sensitive data and complying with privacy regulations is essential. AI systems must be designed to handle data securely and adhere to relevant legal and ethical standards
Expertise: Our team consists of experienced professionals with extensive knowledge in infosec and compliance.
Customized Solutions: We provide tailored security solutions that align with your unique business needs.
Proactive Approach: Our proactive approach ensures timely detection and mitigation of security risks.
Contact DISC LLC today at info@deurainfosec.com or call us at +17079985164 to learn more about how our services can fortify your organizationās security posture. Build a secure future with DISC LLC.
WordPress admins using the Litespeed Cache plugin must update their sites with the latest plugin release to address a critical vulnerability. Exploiting the flaw allows an unauthenticated attacker to take control of target websites.
LiteSpeed Cache Plugin Vulnerability Could Allow Site Takeover
The security researcher John Blackbourn from PatchStack discovered a critical privilege escalation vulnerability in the LiteSpeed Cache plugin. LiteSpeed Cache for WordPress offers an exclusive server-level cache and numerous site optimization features. The plugin boasts over 5 million active installations, indicating its popularity among WordPress users. Nonetheless, it also shows how any vulnerability in the plugin potentially threatens millions of websites. Specifically, the vulnerability existed in the pluginās crawler feature that exhibits a user simulation functionality to perform crawler requests as authenticated users. However, due to a weak security hash in this feature, the plugin allowed an unauthenticated adversary to spoof an authenticated user and gain elevated site privileges. The worst exploitation scenarios even allowed the installation of malicious plugins and a complete site takeover. This vulnerability, identified as CVE-2024-28000, received a critical severity rating and a CVSS score of 9.8. It affected all plugin releases until 6.3.0.1. Detailed technical analysis of the vulnerability is available in the recent post from PatchStack.
Vulnerability Patched With Latest Plugin Release
Upon noticing the vulnerability, Blackbourn responsibly disclosed the flaw via Patchstack to the plugin developers. In response, the developers patched the vulnerability with the LiteSpeed Cache plugin version 6.4. The researcher also received a $14,400 bounty under the Patchstack Zero Day program for this bug report. Since the patch has arrived, all WordPress admins must update their sites with the latest plugin release to avoid potential threats. Ideally, users should update to the LiteSpeed Cache plugin version 6.4.1, which appears as the latest release on the pluginās official page.
Deura Information Security Consulting offers comprehensive vCISO services designed to build robust security programs that effectively detect and mitigate risks. Our seasoned consultants will work with you to develop a security strategy tailored to meet today’s challenges.
Achieve Compliance with ISO 27001
Securing your information assets and achieving compliance is crucial. Our experts specialize in assisting businesses with ISO 27001 implementation. Benefit from our extensive experience in information security management systems (ISMS) to ensure your organization meets the stringent requirements of ISO 27001.
Services Offered
vCISO Services: Enhance your organization’s security posture with our virtual Chief Information Security Officer services.
ISO 27001 Implementation: Guidance on compliance and certification processes to achieve ISO 27001.
Security Risk Assessment:
Information Security Management Systems (ISMS):
Security Compliance Management:
Why Choose Us
At Deura Information Security Consulting, our focus is on creating and implementing security programs that address your specific needs. Contact us at info@deurainfosec.com or call +1 707-998-5164 to schedule a consultation.
Our extensive industry knowledge ensures that your security infrastructure is built to detect and mitigate risks effectively. Choose Deura Information Security Consulting for expert vCISO services and ISO 27001 compliance support.
Injecting spoofed headers with email relaying involves manipulating the email headers to disguise the true origin of an email, making it appear as if it was sent from a legitimate source. Hereās a detailed explanation of how this process works:
1. Understanding Email Headers
Email headers contain vital information about the sender, recipient, and the path an email takes from the source to the destination. Key headers include:
From: The email address of the sender.
To: The recipientās email address.
Subject: The subject line of the email.
Received: Information about the mail servers that handled the email as it traveled from sender to recipient.
Return-Path: The email address where bounces and error messages should be sent.
2. Email Relaying
Email relaying is the process of sending an email from one server to another. This is typically done by SMTP (Simple Mail Transfer Protocol) servers. Normally, email servers are configured to relay emails only from authenticated users to prevent abuse by spammers.
3. Spoofing Headers
Spoofing email headers involves altering the email headers to misrepresent the emailās source. This can be done for various malicious purposes, such as phishing, spreading malware, or bypassing spam filters. Hereās how it can be done:
a. Crafting the Spoofed Email
An attacker can use various tools and scripts to create an email with forged headers. They might use a command-line tool like sendmail, mailx, or a programming language with email-sending capabilities (e.g., Pythonās smtplib).
b. Setting Up an Open Relay
An open relay is an SMTP server configured to accept and forward email from any sender to any recipient. Attackers look for misconfigured servers on the internet to use as open relays.
c. Injecting Spoofed Headers
The attacker crafts an email with forged headers, such as a fake āFromā address, and sends it through an open relay. The open relay server processes the email and forwards it to the recipientās server without verifying the authenticity of the headers.
d. Delivery to Recipient
The recipientās email server receives the email and, based on the spoofed headers, believes it to be from a legitimate source. This can trick the recipient into trusting the emailās content.
4. Example of Spoofing Email Headers
Hereās an example using Pythonās smtplib to send an email with spoofed headers:
import smtplib
from email.mime.text import MIMEText
# Crafting the email
msg = MIMEText("This is the body of the email")
msg['Subject'] = 'Spoofed Email'
msg['From'] = 'spoofed.sender@example.com'
msg['To'] = 'recipient@example.com'
# Sending the email via an open relay
smtp_server = 'open.relay.server.com'
smtp_port = 25
with smtplib.SMTP(smtp_server, smtp_port) as server:
server.sendmail(msg['From'], [msg['To']], msg.as_string())
via Frontend Transport
The statement about the term āvia Frontend Transportā in header values refers to a specific configuration in Microsoft Exchange Server that could suggest a misconfiguration allowing email relaying without proper verification. Letās break down the key elements of this explanation:
1. Frontend Transport in Exchange
In Microsoft Exchange Server, the Frontend Transport service is responsible for handling client connections and email traffic from the internet. It acts as a gateway, receiving emails from external sources and forwarding them to the internal network.
2. Email Relaying
Email relaying is the process of forwarding an email from one server to another, eventually delivering it to the final recipient. While this is a standard part of the SMTP protocol, it becomes problematic if a server is configured to relay emails without proper authentication or validation.
3. The Term āvia Frontend Transportā
When email headers include the term āvia Frontend Transportā, it indicates that the email passed through the Frontend Transport service of an Exchange server. This can be seen in the Received headers of the email, showing the path it took through various servers.
4. Suggestion of Blind Email Relaying
The concern arises when these headers suggest that Exchange is configured to relay emails without altering them or without proper checks. This could imply that:
The Exchange server is not adequately verifying the senderās authenticity.
The server might be forwarding emails without checking if they come from trusted sources.
Such a configuration can be indicative of an open relay, where the server forwards any email it receives, which is highly vulnerable to abuse.
5. Abuses of Open Relays
Open relays are notorious for being exploited by spammers and malicious actors because they can be used to send large volumes of unsolicited emails while obscuring the true origin of the message. This makes it difficult to trace back to the actual sender and can cause the relay serverās IP address to be blacklisted.
Hereās a detailed breakdown of the key points:
Scenario Breakdown
Attackers Use a Genuine Microsoft Office 365 Account
The attackers have managed to send an email from a genuine Microsoft Office 365 account. This could be through compromising an account or using a trial account.
Email Branded as Disney
The email is branded as coming from Disney (disney.com). This branding could involve setting the āFromā address to appear as if itās from a Disney domain, which can trick recipients into believing the email is legitimate.
Gmailās Handling of Outlookās Servers
Gmail has robust mechanisms to handle high volumes of emails from trusted servers like Outlookās (Microsoftās email service). These servers are built to send millions of emails per hour, so Gmail will not block them due to rate limits.
SPF (Sender Policy Framework)
SPF is a protocol that helps prevent email spoofing by allowing domain owners to specify which mail servers are authorized to send emails on their behalf. The attackers benefit from this because:
The email is sent through Microsoftās official relay server, protection.outlook.com.Disneyās SPF record includes spf.protection.outlook.com, which means emails sent through this relay server are authorized by Disneyās domain.
.
Spoofed Headers
Spoofed headers involve altering the email headers to make the email appear as if it originated from a different source. In this scenario, the attackers have spoofed headers to make the email look like itās from Disney.
SPF Check Passed
Since the email is sent via a server included in Disneyās SPF record (protection.outlook.com), it will pass the SPF check, making it seem legitimate to the recipientās email server.
DKIM (DomainKeys Identified Mail)
DKIM is another email authentication method that allows the receiver to check if an email claiming to come from a specific domain was indeed authorized by the owner of that domain. This is done by verifying a digital signature added to the email.
Points of Concern
SPF Check Passed
The email passed the SPF check because it was sent through an authorized server (protection.outlook.com) included in Disneyās SPF record.
Spoofed Headers
The headers were manipulated to make the email appear as if it came from Disney, which can deceive recipients.
Gmail Handling
Gmail will trust and not rate-limit emails from Outlookās servers, ensuring the email is delivered without being flagged as suspicious due to high sending volumes.
Potential for DKIM
To fully understand if the email can pass DKIM checks, we would need to know if the attackers can sign the email with a valid DKIM key. If they manage to:
DKIM Alignment
Ensure the DKIM signature aligns with the domain in the āFromā header (disney.com).
Valid DKIM Signature
Use a valid DKIM signature from an authorized domain (which would be difficult unless they have compromised Disneyās signing keys or a legitimate sending infrastructure).
Proofpoint and similar services are email security solutions that offer various features to protect organizations from email-based threats, such as phishing, malware, and spam. They act as intermediaries between the sender and recipient, filtering and relaying emails. However, misconfigurations or overly permissive settings in these services can be exploited by attackers. Hereās an explanation of how these services work, their roles, and how they can be exploited:
Roles and Features of Proofpoint-like Services
Email Filtering and Protection
Spam and Phishing Detection: Filters out spam and phishing emails.
Malware Protection: Scans and blocks emails containing malware or malicious attachments.
Content Filtering: Enforces policies on email content, attachments, and links.
Email Relay and Delivery
Inbound and Outbound Filtering: Manages and filters both incoming and outgoing emails to ensure compliance and security.
Email Routing: Directs emails to the appropriate recipients within an organization.
DKIM Signing: Adds DKIM signatures to outgoing emails to authenticate them.
Authentication and Authorization
IP-Based Authentication: Uses IP addresses to authenticate incoming email servers.
SPF, DKIM, and DMARC Support: Implements these email authentication protocols to prevent spoofing.
How Misconfigurations Allow Exploitation
Permissive IP-Based Authentication
Generic Configuration: Proofpoint is often configured to accept emails from entire IP ranges associated with services like Office365 or Google Workspace without specifying particular accounts.
IP Range Acceptance: Once a service like Office365 is enabled, Proofpoint accepts emails from any IP within the Office365 range, regardless of the specific account.
Exploitation StepsStep 1: Setting Up the Attack
Attackerās Office365 Account: The attacker sets up or compromises an Office365 account.
Spoofing Email Headers: The attacker crafts an email with headers that mimic a legitimate sender, such as Disney.
Step 2: Leveraging Proofpoint Configuration
Sending Spoofed Emails: The attacker sends the spoofed email from their Office365 account.
Proofpoint Relay Acceptance: Proofpointās permissive configuration accepts the email based on the IP range, without verifying the specific account.
Step 3: Proofpoint Processing
DKIM Signing: Proofpoint processes the email, applying DKIM signatures and ensuring it passes SPF checks because it comes from an authorized IP range.
Email Delivery: The email is then delivered to the targetās inbox, appearing legitimate due to the DKIM signature and SPF alignment.
Example of a Permissive Configuration in Proofpoint
Admin Setup
Adding Hosted Services: Proofpoint allows administrators to add hosted email services (e.g., Office365) with a single-click configuration that relies on IP-based authentication.
No Specific Account Configuration
Generic Acceptance: The setup does not specify which particular accounts are authorized, leading to a scenario where any account within the IP range is accepted.
Exploitation of Misconfiguration
Blind Relay: Due to this broad acceptance, attackers can send emails through Proofpointās relay, which then processes and delivers them as if they were legitimate.
A recent attack exploited a misconfiguration in Proofpointās email routing, allowing millions of spoofed phishing emails to be sent from legitimate domains like Disney and IBM. The attackers used Microsoft 365 tenants to relay emails through Proofpoint, bypassing SPF and DKIM checks, which authenticate emails. This āEchoSpoofingā method capitalized on Proofpointās broad IP-based acceptance of Office365 emails. Proofpoint has since implemented stricter configurations to prevent such abuses, emphasizing the need for vigilant security practices.
As an Applied Cryptographer, you will research about various cryptographic protocols and have knowledge of cryptographic primitives or concepts, like elliptic curve cryptography, hash functions, and PCPs. You should have experience with at least one major language, like Rust, Python, Java, or C; the exact language is not too important. You should be familiar with versioning software (specifically, GitHub), testing, and a familiarity with algorithms and data structures.
As a Cloud Security Specialist, you will design, implement, and manage Azure and Microsoft 365 security solutions. Monitor security alerts, lead incident response, and conduct regular assessments. Ensure compliance with ISO 27001, SOC2 Type II and NIST standards.
As a CISO, you will develop and implement comprehensive cybersecurity policies and procedures. Ensure compliance with relevant regulations and standards (e.g., GDPR, ISO 27001). Conduct risk assessments and develop mitigation strategies. Advise on security best practices and emerging threats. Collaborate with clients to enhance their security posture.
Cyber Range Lead
Booz Allen Hamilton | Japan | On-site ā No longer accepting applications
As a Cyber Range Lead, you will lead a team of professionals as they use cyberspace capabilities to evaluate potential weaknesses as well as the effectiveness of mitigations for cyber security solutions. You will leverage cyberspace operations systems to aggregate threat feeds that inform briefings for senior leadership aligned to our clientās mission area.
As a Cybersecurity Technical Consultant, you will provide onsite or remote consulting services and support to Thales customer with a focus on high quality, accuracy and customer satisfaction. Develop and deliver technical hands-on product deep knowledge transfer to customers. Track and ensure successful completion of high impact projects by creating project scoping plans, design guides and relevant documentation.
As a Cyber Security Advisor, you will conduct security assessment of in-house developed and/or by third-party provided solutions in order to ensure that they are in compliance with H&Mās security standards. Conduct security maturity and risk assessment for internal and external partners.
As a Cyber Security Engineer, you will develop and implement cyber security policies, procedures, and controls to protect the companyās digital assets. Conduct Pen-tests, monitor network traffic and security alerts to detect and respond to potential security breaches. Perform vulnerability assessments and penetration testing to identify and remediate security vulnerabilities. Conduct regular audits of security systems and processes to ensure compliance with industry standards and regulations.
As a Cyber Security Governance Risk & Compliance Manager, you will develop, implement, and maintain a robust IT governance, risk, and compliance framework in line with industry best practices and regulatory requirements. Drive risk maturity through project lifecycle and provide independent assessments, challenge inherent risks in material changes e.g., business decisions, projects, process changes, implementation of new systems, applications, and infrastructure.
As a Cyber Security Instructor, you will create dynamic classroom learning experiences using various teaching strategies to facilitate adult learners in achieving learning objectives in accordance with the program objectives as set out in the curriculum. Ensure students are motivated to learn and to maximize their potential. Develop different classroom strategies to ensure knowledge and skills acquisition and retention.
As a Digital Forensics and Incident Response Analyst, you will perform incident response to cybersecurity incidents, including but not limited to APT & Nation State attacks, Ransomware infections and Malware outbreaks, Insider Threats, BEC, DDOS, Security and Data breach, etc. Conduct in-depth investigations of cybersecurity incidents, identifying the root cause, the extent of the impact, and recommended actions for containment, eradication, and recovery, and providing a final report that contains recommendations on how to prevent the same attack in the future by strengthening security posture.
Director of Information Security, Cyber Risk and Compliance
S&P Global | Italy | On-site ā No longer accepting applications
As a Director of Information Security, Cyber Risk and Compliance, you will become familiar with the Cyber Risk and Compliance team activities and Market Intelligence regarding SOC reporting, relevant regulatory requirements, control frameworks, internal and external audit processes, customer interactions including security questions and audits, and overall company and divisional cyber security processes and controls. Make recommendations related to balancing requirements and deadlines made by corporate departments with human resource and technical capabilities that exist in Market Intelligence. Negotiate differences to find and implement solutions acceptable to both corporate groups and Market Intelligence.
As Head of Identity Management Platform, you will leverage your strong background in Identity and Privileged Access Management, expertise in IT technologies, and in-depth knowledge of IT security to organize and lead complex projects, manage third-party teams, and oversee platform lifecycle activities such as upgrades and integrations.
As a Head of Consulting, you will lead, mentor, and develop a team of cybersecurity consultants, fostering a culture of excellence and continuous improvement. Define and implement the consultancy departmentās strategy in alignment with the companyās goals, ensuring the delivery of innovative and effective cybersecurity solutions. Ensure that all consultancy activities adhere to industry standards, regulatory requirements, and best practices, mitigating risks to both clients and the company.
As a Head of Security CU TH, you will facilitate execution of and follow up on security strategy, policies & instructions, governance model and frameworks. Support the business in implementation and maintenance of ISO 27001 controls across the CU as per the MA scope and Ericsson Global ISO 27001 control framework. Manage local security incidents and support investigations.
As an IT Program Manager, you will develop, implement, and manage cybersecurity programs in alignment with the organizationās strategic objectives. Oversee the security projects related to enterprise applications, with a focus on safeguarding sensitive data and ensuring compliance with regulatory standards. Facilitate regular security assessments and audits to identify vulnerabilities and implement corrective actions.
As a Penetration Tester, you will manage penetration tests from inception through delivery. Identify and prescribe remediation for vulnerabilities in NFCU applications, systems, and networks. Leverage complex tactics including, but not limited to, lateral movement, network tunneling/pivoting, credential compromise, and hash cracking.
As a Principal Data Security Specialist, you will focus on delivering technical and procedural guidance to assist customers in defining the platform requirement though to realisation of the subscription value. Research and evaluate emerging solutions and services to drive continuous improvement.
As a Senior Architect ā Cyber Security, you will develop and implement security architecture solutions to secure the organizationās IT infrastructure. Design and review security policies, standards, and procedures. Conduct security assessments and risk analysis to identify vulnerabilities and recommend mitigation strategies. Lead security projects and collaborate with cross-functional teams to integrate security measures.
Senior CyberSecurity Architect
Hexagon Geosystems | European Economic Area | Remote āĀ View job details
As a Senior CyberSecurity Architect, you will plan, organize, test, and document the implementation of new security systems and tools; define the success criteria and security requirements, and develop reference architecture, functional and non-functional requirements for proof-of-concept efforts and projects. Lead in performing threat modeling, security architecture review, and risk assessments of new and existing technical solutions.
As a (Senior) Information Security Officer, you will develop, implement, and monitor a strategic, comprehensive company information security and IT risk management program, based on the Oetker Group-wide security directive. Manage and assist in the development in implementation of the information security policies, procedures, and guidelines. Provide guidance and counsel to the C-Level, the senior management team, and staff about information security and its alignment with business objectives and risk management.
As a Technology & Cyber Risk: Senior Officer ā Cybersecurity Risk, you will review and evaluate compliance and cyber policies and procedures, technology and tools, and governance processes to provide credible challenge for minimizing losses from cyber risks. Assess cyber risks and evaluates actions to address the root causes that persistently lead to operational risk losses by challenging both historical and proposed practices. Support independent assurance activities to assess areas of concern including substantive and controls testing.
As a Vulnerability Manager, you will be responsible for identifying, assessing, prioritizing, and managing vulnerabilities across our systems and networks. Conduct regular vulnerability assessments and penetration tests across our systems, applications, and networks.
The hardest part of many projects is knowing where to start.
ISO 27001Ā is no exception. This standard describes best practice for an ISMS (information security management system).
In other words, it lays out the requirements you must meet, but doesnāt show you the how. How you can adopt or implement them.
With ISO 27001:2013 certification no longer available, many organisations are preparing to adopt theĀ 2022 version of the standardĀ ā which means tackling a newĀ Annex A control set, among other new requirements.
The implementation project should begin by appointing a project leader.
Theyāll work with other members of staff to create a project mandate, which is essentially a set of answers to these questions:
What do we hope to achieve?
How long will the project take?
Does the project have top management support?
What resources ā financial and otherwise ā will the project need?
2. Develop the ISO 27001 implementation plan
The next step is to use your project mandate to create a more detailed outline of:
Your information security objectives;
Your project risk register;
Your project plan; and
Your project team.
Information security objectives
Your information security objectives should be more granular and specific than your answer to āWhat do we hope to achieve?ā from step 1.
Theyāll inform and be included in your top-level information security policy. Theyāll also shape how the ISMS is applied.
Project risk register
Your project risk register should account for risks to the project itself, which might be:
Managerial ā will operational management continue to support the project?
Budgetary ā will funding continue to see the project through?
Legal ā are specific legal obligations at risk?
Cultural ā will staff resist change?
Each risk in the register should have an assigned owner and a mitigation plan. You should also regularly review the risks throughout the project.
Project plan
The project plan should detail the actions you must take to implement the ISMS.
This should include the following information:
Resources required
Responsibilities
Review dates
Deadlines
Project team
The project team should represent the interests of every part of the organisation and include various levels of seniority.
Drawing up a RACI matrix can help with this. This identifies, for the projectās key decisions, whoās:
Responsible;
Accountable;
Consulted; and
Informed.
One critical person to appoint and include in the project team is the information security manager. Theyāll have a central role in the implementation project and eventually be responsible for the day-to-day functioning of the ISMS.
3. ISMS initiation
Youāre now ready to initiate your ISMS!
Documentation structure
A big part of this is establishing your documentation structure ā any management system is very policy- and procedure-driven.
We recommend a four-tier approach:
A. Policies These are at the top of the āpyramidā, defining your organisationās position and requirements.
B. Procedures These enact the requirements of your policies at a high level.
C. Work instructions These set out how employees implement individual elements of the procedures.
D. Records These track the procedures and work instructions, providing evidence that youāre following them consistently and correctly.
This structure is simple enough for anyone to grasp quickly. At the same time, it provides an effective way of ensuring you implement policies at each level of your organisation. Plus, that you develop well-functioning, cohesive processes.
Tips for more effective policies and procedures
Your policies and procedures must also be effective. Here are four tips:
Keep them practicable by balancing aspirations against the reality. If your policies and/or procedures appear too idealised, staff will be much less likely to follow them.
Keep them clear and straightforward, so staff can easily follow your procedures.
Use version control, so everyone knows which is the latest document.
Avoid duplication. This will also help with the version control.
Make sure you systematically communicate your documentation ā particularly new or updated policies ā throughout your organisation. Be sure to also communicate them to other stakeholders.
Continual improvement
As part of your ISMS initiation, youāll need to select a continual improvement methodology.
First, understand that continual improvement might sound expensive, but is cost-effective if done well. As ISO 27001 pioneer Alan Calder explains:
Continual improvement means getting better results for your investment. That typically means one of two things:
1. Getting the same results while spending less money. 2. Getting better results while spending the same amount of money.
Yes, you need to be looking at your objectives, and asking yourself how well your ISMS is currently meeting them. And where your management system falls short, money may have to be spent.
But many improvements have little financial cost. You can make a process more efficient ā perhaps by cutting out a step, or automating some manual work.
While continual improvement is a critical element of an ISO 27001 ISMS, the Standard doesnāt specify any particular continual improvement methodology.
Instead, you can use whatever method you wish, so long as it continually improves the ISMSās āsuitability, adequacy and effectivenessā (Clause 10.1). That can include a continual improvement model youāre already using for another activity.
Ensuring the security of your organizationās information systems is crucial in todayās digital landscape.
Access Control is a fundamental aspect of cybersecurity that safeguards sensitive data and protects against unauthorized access. To assist you in establishing robust access control measures, we are pleased to offer a comprehensive Access Control Policy Template, available for download.
What does the Access Control Policy template include?
Our Access Control Policy template is designed to provide a clear, structured framework for managing access to your organizationās information systems.
Here are some of the key components included in the template:
Document Control;
Purpose and Scope;
Policy Statement;
Roles & Responsibilities;
Access Control Principles;
Access Control Measures;
Access Control Technologies;
Monitoring and Auditing;
Incident Management;
Policy Compliance;
Policy Review.
Benefits of using our Access Control Policy template
Implementing an effective access control policy offers several key benefits:
Enhanced security: Protects sensitive data and systems from unauthorized access and potential breaches.
Regulatory compliance: Helps ensure compliance with relevant regulations and standards.
Operational efficiency: Clearly defined roles and responsibilities streamline access management processes.
Risk mitigation: Regular monitoring and auditing identify and address vulnerabilities proactively.
To take advantage of our comprehensive Access Control Policy Template, simply click on the links at the top of the article to download them. The download will start automatically.
You can then customize the template to fit the specific needs and context of your organization.
By doing so, youāll be taking a significant step towards securing your information systems and safeguarding your valuable data.
Gabriella is the Social Media Manager and Cybersecurity Communications Officer at HeimdalĀ®, where she orchestrates the strategy and content creation for the company’s social media channels. Her contributions amplify the brand’s voice and foster a strong, engaging online community. Outside work, you can find her exploring the outdoors with her dog.
The Damselfly Advanced Persistent Threat (APT) group, also known as APT42, has been actively utilizing custom backdoor variants, NiceCurl and TameCat, to infiltrate Windows machines.
These backdoors are primarily delivered through spear-phishing campaigns, marking a significant escalation in the capabilities and focus of this Iranian state-sponsoredĀ hackingĀ group.
Sophisticated Tools For Stealthy Operations
The NiceCurl and TameCat backdoors represent a sophisticated toolkit in Damselflyās arsenal, enabling threat actors to gain initial access to targeted environments discreetly.
NiceCurl, a VBScript-basedĀ malware, is designed to download and execute additional malicious modules, enhancing the attackersā control over compromised systems.
On the other hand, the TameCat backdoor facilitates the execution of PowerShell and C# scripts, allowing for further exploitation by downloading additional arbitrary content.
These tools are part of a broader strategy employed by Damselfly to conduct espionage and potentially disrupt operations at targeted facilities.
According to Broadcom report, the groupās activities have been primarily directed at energy companies and other critical infrastructure sectors across the U.S., Europe, and the Middle East.
The sophistication of their methods and the critical nature of their targets underscore the high level of threat they pose.
These include adaptive, behavior, file, and network-based detection mechanisms, ensuring robust defense against Damselflyās tactics.
The security firmās efforts are crucial in mitigating the risks posed by such state-sponsored cyber activities, characterized by their complexity and stealth.
The operations of the Damselfly group highlight the ongoing challenges in cybersecurity, where state-sponsored actors employ advanced techniques and malware to achieve their objectives.
Using custom backdoors like NiceCurl and TameCat, coupled with spear-phishing campaigns, enables these actors to maintain persistence in their target networks and carry out their missions with a high degree of secrecy and efficiency.
Smishing is a type of social engineering attack. Social engineering is when a cyber attacker tricks their victim into doing something they should not do, such as giving money, their password, or access to their computer. Cyber attackers have learned the easiest way to get something is just ask for it. This concept is not new, con artists and scammers have existed for thousands of years, itās just that the Internet makes it very simple for any cyber attacker to pretend to be anyone they want and target anyone they want.
Phishing is one of the most common forms of social engineering as itās one of the simplest and most effective and an attack method we are all familiar with. However, both organizations and individuals are becoming not only far more aware of how phishing attacks work, but much better at spotting and stopping them. Phishing is still an effective attack method, but it is getting harder and harder for cyber criminals to be effective with phishing. This is where smishing comes in.
Smishing vs Phishing
Smishing is very similar to phishing, but instead of sending emails trying to trick people, cyber attackers send text messages. The term smishing is a combination of the words SMS messaging and phishing. You may have noticed a rise in random text messages that are trying to get you to click on links or respond to text messages. Thatās smishing.
Why the Increase in Smishing Attacks?
It is harder for organizations to secure mobile devices. Security teams often have neither the visibility nor control of employeesā mobile devices like they do for workstations. This means itās harder to both secure and monitor mobile devices.
There are far fewer security controls that effectively identify and filter smishing attacks. This means when a cyber attacker sends a smishing text message to victims, that message is far more likely to make it and not be filtered.
A text message tends to be much shorter than an email, there is far less context or information, making it harder to determine if the message is legitimate or not. In other words, people are more likely to fall victim.
Texting tends to be far more informal than email, as such people tend to trust and act on text messages more. In other words, people are more likely to fall victim.
The Smishing Attacks
So, what type of text messaging attacks are there? While these attacks are always evolving, some of the most common are detailed below.
Links
The text message entices you to click on a link, often through a sense of urgency, something too good to be true, or simple curiosity. Once you click on the link, the goal is usually to harvest your personal information (by getting you to fill out a survey) or your login and password (to your bank or email account, for example). Notice how, in the link in the message below, the cyber attacker uses HTTPS, an encrypted connection to make the link look more legitimate.
Scams
In these attacks, the cyber attacker will attempt to start a conversation with you, build trust, and ultimately scam you. Romance scams are one common example where cyber criminals randomly text millions of people to find those who are lonely or emotionally vulnerable, build a pretend romance, and then take advantage of them.
Call-Back
Like some phishing emails, the text message has a phone number in it and is urging the victim to call. Once the victim calls the phone number they are then scammed.
What to Do About Smishing Attacks?
While many security training programs focus on phishing, we far too often neglect text based smishing attacks. In fact, this can create a situation where your workforce is highly aware of phishing attacks but may mistakenly think that cyber attackers only use email for attacks. From a training perspective, we recommend you teach people that cyber attackers can use a variety of different methods to trick people, to include both email phishing and text based smishing. For smishing, we do not recommend that you try to teach people about every different type of attack possible. Not only will this likely overwhelm your workforce, but cyber attackers are constantly changing their lures and techniques. Instead, like in phishing training, focus on the most commonly shared indicators and clues of an attack. This way, your workforce will be trained and enabled regardless of the method or lures cyber attackers use. Of note, the indicators below are the same indicators of an email phishing attack.
Urgency: Any message that creates a tremendous sense of urgency, trying to rush the victim into making a mistake. An example is a message from the government stating your taxes are overdue and if you donāt pay right away you will end up in jail.
Pressure: Any message that pressures an employee to ignore or bypass company policies and procedures. Gift card scams are often started with a simple text message.
Curiosity: Any message that generates a tremendous amount of curiosity or is too good to be true such as notice of an undelivered UPS package or receiving an Amazon refund.
Sensitive: Any message that requests (or requires) highly sensitive information such as your password or unique codes.
Tone: Any message that appears to be coming from a coworker, but the wording does not sound like them, or the overall tone is wrong.
Hey 👏 I’m the digital assistance of DISCInfoSec for ISO 27k implementation.
I will try to answer your question. If I don’t know the answer, I will connect you with one my support agents.
Please type your query regarding ISO 27001 implementation 👇
Businesses increasingly rely on Software as a Service (SaaS) applications to drive efficiency, innovation, and growth.
However, this shift towards a more interconnected digital ecosystem has not come without its risks.
According to the ā2024 State of SaaS Security Reportā by Wing Security, a staggering 97% of organizations faced exposure to attacks through compromised SaaS supply chain applications in 2023, highlighting a critical vulnerability in the digital infrastructure of modern businesses.
The report, which analyzed data from 493 companies in the fourth quarter of 2023, illuminates the multifaceted nature of SaaS security threats.
From supply chain attacks taking center stage to the alarming trend of exploiting exposed credentials, the findings underscore the urgent need for robust security measures.
Supply Chain Attacks: A Domino Effect
Supply chain attacks have emerged as a significant threat, with 96.7% of organizations using at least one app that had a security incident in the past year.
The MOVEit breach, which directly and indirectly impacted over 2,500 organizations, and North Korean actorsā targeted attack on JumpCloudās clients are stark reminders of the cascading effects a single vulnerability can have across the supply chain.
The simplicity of credential stuffing attacks and the widespread issue of unsecured credentials continue to pose a significant risk.
The report highlights several high-profile incidents, including breaches affecting Norton LifeLock and PayPal customers, where attackers exploited stolen credentials to gain unauthorized access to sensitive information.
MFA Bypassing And Token Theft
Despite adopting Multi-Factor Authentication (MFA) as a security measure, attackers have found ways to bypass these defenses, targeting high-ranking executives in sophisticated phishing campaigns.
Additionally, the report points to a concerning trend of token theft, with many unused tokens creating unnecessary risk exposure for many organizations.
Looking Ahead: SaaS Threat Forecast For 2024
As we move into 2024, the SaaS threat landscape is expected to evolve, with AI posing a new threat.
The report identifies two primary risks associated with AI in the SaaS domain: the vast volume of AI models in SaaS applications and the potential for data mismanagement.
Furthermore, the persistence of credential-based attacks and the rise of interconnected threats across different domains underscore the need for a holistic cybersecurity approach.
Practical Tips For Enhancing SaaS Security
The report offers eight practical tips for organizations to combat these growing threats, including discovering and managing the risk of third-party applications, leveraging threat intelligence, and enforcing MFA.
Additionally, regaining control of the AI-SaaS landscape and establishing an effective offboarding procedure are crucial steps in bolstering an organizationās SaaS security.
The ā2024 State of SaaS Security Reportā by Wing Security serves as a wake-up call for businesses to reassess their SaaS security strategies.
With 97% of organizations exposed to attacks via compromised SaaS supply chain apps, the need for vigilance and proactive security measures has never been more critical.
As the digital landscape continues to evolve, so must our approaches to protect it.
Interested in discovering how Python can bolster your abilities in safeguarding digital assets? Delve into the potential of Python for cybersecurity.
In the current digital era, cybersecurity holds greater significance than ever before. Python, renowned for its versatility and resilience, has emerged as a fundamental tool for cybersecurity professionals globally.
🔹 How Python can streamline threat detection and analysis. 🔹 Practical examples of Python scripts for automating security tasks. 🔹 Resources and tools to kickstart your journey into Python for cybersecurity.
Regardless of whether you’re an experienced cybersecurity professional or new to the field, Python has the potential to transform your approach to security challenges.
Franceās National Cybersecurity Agency (ANSSI) observed a significant rise in cyber espionage campaigns targeting strategic organizations in 2023.
These operations are increasingly focused on individuals and non-governmental structures that create, host or transmit sensitive data, ANSSI observed in its 2023 Cyber Threat Landscape report, published on February 27, 2024.
Besides public administration, the primary targets of cyber espionage activity included organizations associated with the French government, such as technology and defense contractors, research institutes and think tanks.
Overall, cyber espionage remained the top cyber threat ANSSIās teams dealt with in 2023.
ANSSI has also noted an increase in attacks against business and personal mobile phones aimed at targeted individuals.
There has also been an upsurge in attacks that have used methods publicly associated with the Russian government.
āThese attacks are not limited to mainland French territory: in 2023, ANSSI dealt with the compromise of an IT network located in a French overseas territory using an attack modus operandi publicly associated with China,ā reads the report.
30% Rise in Ransomware
Meanwhile, financially motivated attacks were also on the rise, with an observed 30% increase in ransomware attacks compared to 2022.
Small and medium enterprises (SMEs) and mid-sized businesses were the most targeted organizations, representing 34% of all cyber-attacks observed by ANSSI in 2023. Local administration came second, suffering 24% of all attacks in 2023.
In total in 2023, ANSSI recorded 3703 cyber events, 1112 of which were labeled as cyber incidents. In 2022, it recorded 3018 cyber events, including 832 cyber incidents.
The latest version of the LockBit ransomware, LockBit 3.0 (aka LockBit Black), was the most used malware in financially motivated cyber-attacks in 2023, taking over previous ransomware versions from the same threat group that dominated the ransomware landscape in 2022.
Overall, 2023 has seen significant changes in the structure and methods of attackers. They are perfecting their techniques in order to avoid being detected, tracked, or even identified.
āDespite efforts to improve security in certain sectors, attackers continue to exploit the same technical weaknesses to gain access to networks. Exploiting ‘zero-day’ vulnerabilities remains a prime entry point for attackers, who all too often still take advantage of poor administration practices, delays in applying patches and the absence of encryption mechanisms,ā reads the report, translated from French to English by Infosecurity.
The top five vulnerabilities exploited by threat actors to compromise French organizationsā IT systems in 2023 include flaws in VMWare, Cisco, Citrix, Atlassian and Progress Software products.
Pre-Positioning Activities on ANSSIās Radar for 2024
Finally, in a tense geopolitical context, ANSSI noted new destabilization operations aimed mainly at promoting a political discourse, hindering access to online content or damaging an organization’s image.
āWhile distributed denial of service (DDoS) attacks by pro-Russian hacktivists, often with limited impact, were the most common, pre-positioning activities targeting several critical infrastructures in Europe, North America and Asia were also detected.
āThese more discreet activities may nevertheless be aimed at larger-scale operations carried out by state actors waiting for the right moment to act,ā the report explained.
Vincent Strubel, ANSSIās director general, commented: “While financially motivated attacks and destabilization operations saw a clear upturn in 2023, it was once again the less noisy threat, which remains the most worrying, that of strategic and industrial espionage and pre-positioning for sabotage purposes, which mobilised the ANSSI teams the most.ā
These geopolitically driven threats will particularly be on ANSSIās radar in 2024, as Paris is prepares to host the 2024 Olympic and Paralympic Games.
An ongoing campaign of cloud account takeover has affected hundreds of user accounts, including those of senior executives, and impacted dozens of Microsoft Azure environments.
Threat actors attack users with customized phishing lures inside shared documents as part of this ongoing effort.
Some documents that have been weaponized have embedded links to āView document,ā which, when clicked, take users to a malicious phishing webpage to steal sensitive information and commitĀ financial fraud.
Attackers Targeting Wide Range Of Individuals
Threat actors appear to target a broad spectrum of people with varying titles from various organizations, affecting hundreds of users worldwide.
āThe affected user base encompasses a wide spectrum of positions, with frequent targets including Sales Directors, Account Managers, and Finance Managers,ā Proofpoint researchers shared with Cyber Security News.
āIndividuals holding executive positions such as āVice President, Operations,ā āChief Financial Officer & Treasurerā and āPresident & CEOā were also among those targeted.ā
Threat actors have a realistic approach, as seen by the variety of positions they have targeted, intending to compromise accounts that have varying degrees of access to important resources and responsibilities across organizational activities.
In this campaign, researchers observed the usage of a particular Linux user agent that attackers employed during the attack chainās access phase.
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
The āOfficeHomeā sign-in application is primarily accessed by attackers using this user-agent, along with other native Microsoft365 apps, like:
āOffice365 Shell WCSS-Clientā (indicative of browser access to Office365 applications)
āOffice 365 Exchange Onlineā (indicative of post-compromise mailbox abuse, data exfiltration, and email threats proliferation)
āMy Signinsā (used by attackers for MFA manipulation; for more info about this technique, see our recent Cybersecurity Stop of the Month blog)
āMy Appsā
āMy Profileā
Attackers use their own MFA techniques to keep accessing systems permanently. Attackers choose various authentication techniques, such as registering additional phone numbers to authenticate via SMS or phone calls.
Criminals get access to and download confidential data such as user credentials, internal security protocols, and financial assets.
Mailbox access is also used to target individual user accounts with phishing threats and migrate laterally across compromised organizations.
Internal emails are sent to the impacted companiesā finance and human resources departments to commit financial fraud.
Attackers design specialized obfuscation rules to hide their activities and erase any proof of malicious activity from the inboxes of their victims.
āAttackers were observed employing proxy services to align the apparent geographical origin of unauthorized activities with that of targeted victims, evading geo-fencing policies,ā researchers said.
Thus, in your cloud environment, be aware of account takeover (ATO) and possible illegal access to key resources. Security solutions must offer precise and prompt identification of both initial account compromise and post-compromise actions, together with insight into services and applications that have been misused.
In this Help Net Security interview, Robin Long, founder ofĀ Kiowa Security, shares insights on how best to approach the implementation of the ISO/IEC 27001 information security standard.
Long advises organizations to establish a detailed project roadmap and to book certification audits at an early stage. He also recommends selecting an internal team that includes a leader with the ISO 27001 Lead Implementer qualification and suggests that in some cases, the best approach to the standard may be to start by prioritizing a limited number of āsecurity winsā before embarking on full implementation.
A few general points about ISO 27001, before getting onto the questions:
1. The documentation behind ISO/IEC 27001:2022 (āISO 27001ā) is broken into two main parts: ISO/IEC 27001 itself, which contains the primary guidance, and a āguidance documentā called ISO/IEC 27002, which lists suggested information security controls that may be determined and implemented based on the risk analysis that is carried out according to the requirements of the primary document.
ISO 27001 is also supported by the other standards ISO/IEC 27000:2018 (IT security techniques) and ISO/IEC 27005:2022 (Information security, cybersecurity, and privacy protection), among others.
All these are developed and maintained by the International Organization for Standardization (ISO), which is based in Geneva, Switzerland.
2. Although there are a number of things that you are obliged to do if youāre seeking certified conformity to the standard, it is actually quite flexible about the details. Even the ārequirementsā ā the obligatory clauses in the 27001 document ā generally allow a fairly broad range of interpretation. This makes sense when you think that ISO 27001 has been developed as a one-size-fits-all system for all types and sizes of organization that handle sensitive information.
When you look at it like that, it immediately becomes less intimidating.
3. If you decide to go ahead and implement ISO 27001, itās highly recommended to put together a detailed road map that defines targets of what should be achieved by what date in the timeline of the project (Gantt charts are good for this ā look them up!). This helps to keep the project under control and reduces the risk of time and budget overrun. Breaking the project up into weekly components also makes it less daunting.
4. Youāll also need to define a (small) group of people to carry out, maintain and be accountable for implementation of the standard. You might call this the āISMS Teamā (where ISMS means Information Security Management System, another way to describe ISO 27001). This team should ideally incorporate expertise and experience in IT, business development and data protection, and have a channel to senior management.
How do you recommend organizations approach understanding and implementing ISO 27001ās wide range of controls and requirements, especially those new to information security management?
As a consultant myself, Iām aware of the conflict of interest, but I have to say that I do think it makes sense to hire external advice for assistance with implementation of ISO 27001, for internal audit, and interaction with certification auditors.
One of the main responsibilities of such an advisor is to assist with understanding of the standard and information security management generally, at both high and low levels. The range of ISO27002 controls ā for example ā is wide indeed, but a competent consultant will break them down into manageable portions that are taken on one by one, in a carefully planned order.
Whether or not you decide to hire a consultant, itās a pretty good idea also to send the leader of the ISMS Team on an ISO2 7001 Lead Implementer (LI) course. These courses typically run for about three days, and they are helpful. Note that ISO 27001 requires the organisation to provide evidence of the competence of key participants in the project, and the LI qualification for a team member indicates a reasonable degree of knowledge and commitment regarding the standard.
Of course, there are also a number of helpful online resources including the ISO27k Forum.
Implementing ISO 27001 can be resource-intensive. What advice do you have for organizations, particularly SMEs, in effectively allocating resources and budget for ISO 27001 implementation?
Itās true that implementation of ISO 27001 necessarily consumes resources, in terms of money and other assets ā particularly peopleās time. The critical question is whether the resource cost is offset by perceived gains, and this is largely about efficiency of allocation. Among other methods that we can use to attempt to optimise this are:
1. Use of a roadmap ā as mentioned above ā that takes the organisation all the way through to the two-stage certification audit process at a granular (weekly) level.
2. Early selection of the certification auditor and agreement of tentative dates for the certification audits. The benefits of doing this include the psychological one of getting an end date in the diary to help define the project roadmap. The cost of certification audits is also an important part of the overall budget, and the certification body will provide quotes for these at this stage.
Note that along with the two initial certification audits, there are a couple of (roughly annual) surveillance audits and a recertification audit after three years. These audits all cost money, of course, and require budgeting.
3. Watching out for some of the less obvious costs, including the potential charges associated with:
Legal work on modifications/additions to employment contracts, NDAs etc.
Software that you choose to install e.g., anti-malware, IDS, etc.
What strategies can be employed to convince top management of the necessity and benefits of ISO 27001 compliance?
Consultancy companies love to answer this question ā on their websites ā with a list of bullet points.
However, I can tell you that in nearly all cases there is just a single key factor at play, and it is a commercial one: Potential important clients or partners have been identified that require certification to the standard. Organisations that operate in sensitive sectors (finance, critical infrastructure, healthcareā¦) have already learned this or are in the process of learning it, and donāt need to be told about it. If they donāt know, then by all means tell them!
Other reasons that I consider completely valid and credible include:
Perceived improvement in the level of an organisationās information security provides assurance to other stakeholders apart from clients ā investors, senior management, regulators, suppliers and so on ā regarding information security risks to the organisation.
Implementation of ISO 27001 can help smaller companies with their expansion. For example, it can help with the development of sound HR policies, with procedures around business continuity, disaster recovery and change management, and several other areas.
Note that ISO 27001 isnāt by any means just about personal data but is also concerned with other types of sensitive information, in particular intellectual property or āIPā (including trade secrets and source code). For many tech start-ups, these are the main assets of the business, and need to be well protected.
Risk management and performance evaluation are critical yet challenging aspects of ISO 27001. How should organizations approach these elements to ensure an effective Information Security Management System (ISMS)?
These are indeed arguably the core areas of ISO 27001. Among the critical things to remember regarding risk assessments are:
You should really at least try to come up with all the possible information security risks (internal and external) that are or might be faced by your organisation. This is best done by brainstorming in a group based around the ISMS Team.
ISO 27001 fundamentally breaks down to: āWhat information security risks do we face? How should we best manage them?ā
Just as the chicken may come before the egg, note that what should happen in this case is that you identify the risks first and then select the controls that help to manage those risks.
You definitely donāt have to apply all of the controls, and nearly all organisations treat some, validly, as non-applicable in their Statement of Applicability. For example, businesses where all employees work remotely simply donāt have the full range of risks that can benefit from mitigation by the physical controls.
When it comes to performance evaluation, itās largely a case of working through the relevant clauses and controls and agreeing how good a job the organisation is doing trying to meet the associated requirements. The ones that are selected for monitoring, measurement and evaluation will depend on the type and size of the organisation and its business objectives. These are basically key performance indicators (KPIs) for information security and might include supplier evaluations and documented events, incidents, and vulnerabilities.
Specifically for cloud solutions like Microsoft 365, what unique challenges do organizations face in implementing ISO 27001, and how can they be addressed?
The switch towards remote working and use of cloud resources has been quite disruptive for ISO 27001. The 2022 version has been somewhat adapted (via modifications to the controls) to reflect the change in working conditions. However, it still gives a lot of attention to traditional physical places of work, networks, and pre-SaaS style suppliers.
The big switch away from locally downloaded software to cloud services means that we need to take advantage of the flexibility of ISO 27001 to interpret the 27002 controls in a corresponding way, for example:
Thinking less about networks and more about secure configuration of cloud resources.
Focusing on aspects of the āsupplier relationshipsā controls that are relevant to SaaS suppliers.
Remembering that if cloud resources are very important for handling and storage of sensitive data in your business, then the new control 5.23 (Information security for use of cloud services) is correspondingly important for your business and must be tackled carefully and rigorously. It almost definitely applies to you ā and thereās a lot there.
Note that business continuity/disaster recoveryĀ for an organisation with employees that work remotely using cloud services becomes largely a question of how the relevant cloud provider(s) manage backups, redundancy of storage/compute etc.
ISO 27001 requires a commitment to continuous improvement. How should organizations approach this, particularly regarding incident management and response?
This is an enigmatic section of clause 10 (Improvement) that organisations tend to struggle with (the second part is about dealing with non-conformities and is much clearer regarding what needs to be done).
It seems to me that the best approach is to raise the question of āhow can we make the ISMS better?ā at the periodic ISMS management meetings, come up with some examples whereby this may be achieved and then provide any observed progress in the right direction. That means that by the time of the first follow-up (surveillance) audit you should be able to present a list of several potential improvements along with how they are being achieved.
Iād like to finish up by mentioning that nothing stops your organisation implementing ISO 27001 without getting the certification, or even doing a partial implementation. Many businesses like the concept of ISO 27001 but arenāt quite ready to commit fully. In that case, I highly recommend the following implementation model:
1. Decide which areas of information security are priorities for your organisation in terms of incremental increase in security, resources (money, time, personnel) required and ease of implementation. You can call these your ālowest-hanging security fruitā if you must. Possible examples include access control, HR security or endpoint security. 2. Work through these one by one according to the relevant 27002 controls. 3. Once you have the highest priority areas covered off, start working on lower levels of priority. 4. After a few months of this, you may feel that ISO 27001 isnāt quite so formidable, and that you are ready to tackle it. Go for it!