Dec 09 2024

A Spy in Your Pocket?

Category: Cyber Spy, Information Security, Spyware | disc7 @ 11:16 am

Ronan Farrow Exposes Secrets of High-Tech Spyware in New Film “Surveilled”

Pulitzer Prize-winning journalist Ronan Farrow and filmmaker Matthew O’Neill explore the alarming world of high-tech surveillance in their HBO documentary Surveilled. Farrow’s interest began after being tracked by Black Cube, an Israeli private intelligence firm, during his investigation of Harvey Weinstein’s misconduct. This experience led him to uncover more advanced surveillance technologies, including Pegasus spyware.

The documentary highlights Pegasus’s misuse not only by authoritarian regimes but also by democratic states such as Greece, Poland, and Spain, where it was turned against journalists and dissidents. Farrow interviews a former employee of NSO Group, the maker of Pegasus, who describes how widely the tool has been abused.

Farrow also uncovers that U.S. agencies under both the Biden and Trump administrations considered using such spyware. However, the full extent of its deployment remains unclear, raising concerns about unchecked surveillance practices globally.


How widespread is mercenary spyware?

Predator Spyware Exploiting “one-click” & “zero-click” Flaws

Apple Boosts Spyware Alerts For Mercenary Attacks

US judge rejects spyware developer NSO’s attempt to bin Apple’s spyware lawsuit

Pegasus is listening

NSO Group told lawmakers that Pegasus spyware was used by at least 5 European countries

NSO Group Pegasus spyware leverages new zero-click iPhone exploit in recent attacks

How to Take Your Phone Off the Grid

How a Spy in Your Pocket Threatens the End of Privacy, Dignity, and Democracy

#Pegasus #nso #endofprivacy: used by repressive regimes to spy on #diplomats, #humanrightsdefenders, #lawyers, #politicalopponents, and #journalists.

Tags: NSO Group, NSO’s Pegasus, Pegasus


Dec 03 2024

Why Your Organization Needs ISO 27001 Amid Rising Risks

Category: Information Security, ISO 27k | disc7 @ 8:04 am

Why ISO 27001 Is Essential for Thriving Businesses

The Growing Importance of ISO 27001
Data breaches, ransomware attacks, and increasing compliance requirements pose significant risks to businesses of all sizes. Without a structured approach to safeguarding sensitive data, organizations remain vulnerable. ISO 27001, the international standard for information security management, provides a proven framework to protect businesses and reassure stakeholders. Its structured methodology can address security gaps and mitigate risks effectively.

Sign 1: Rising Cybersecurity Threats
With cyberattacks becoming more sophisticated, businesses of all sizes are targets. Small companies in particular can face devastating consequences; one widely cited (though disputed) estimate holds that 60% of them fail within six months of a breach. ISO 27001 offers a systematic, risk-based approach to identify vulnerabilities, prioritize threats, and establish protective controls. For instance, an e-commerce company can use ISO 27001 to secure payment data, safeguard its reputation, and maintain customer trust.

Sign 2: Client Expectations for Security Assurance
Clients and partners increasingly demand proof of robust security practices. Questions about how sensitive information is managed and requests for certifications highlight the need for ISO 27001. Certification not only enhances security but also demonstrates commitment to data protection, building trust and offering a competitive edge in industries like finance, healthcare, and technology. For example, a marketing agency could avoid losing key clients by implementing ISO 27001 to showcase its security measures.

Sign 3: Navigating Regulatory Challenges
Strict regulations such as GDPR, PCI DSS, CPRA, and HIPAA mandate stringent data protection practices. Non-compliance risks legal penalties, financial losses, and eroded customer trust. ISO 27001 simplifies compliance because its controls map onto many of these regulatory requirements while also improving operational efficiency. For example, a software company handling EU personal data can use its ISO 27001 ISMS to evidence the "appropriate technical and organisational measures" that GDPR Article 32 requires, reducing its exposure to fines and supporting expansion into new markets; certification is evidence of due diligence, not a guarantee against enforcement.

Take Action Before It’s Too Late
If your business faces inconsistent security practices, data breach fears, or rising regulatory pressures, ISO 27001 is the solution. Scalable and adaptable for organizations of any size, it drives consistent security practice across teams, reduces the likelihood and impact of breaches, and provides the incident management processes that speed recovery when incidents do occur. Starting with a gap analysis and prioritizing high-risk areas, ISO 27001 provides a strategic path to safeguarding your business, strengthening trust, and gaining a competitive edge. Don’t wait—start your journey toward ISO 27001 certification today.

Contact us to explore how we can turn security challenges into strategic advantages.

10 key benefits of ISO 27001 Cert for SMBs

ISO 27001: Building a Culture of Security and Continuous Improvement

Penetration Testing and ISO 27001 – Securing ISMS

Secure Your Digital Transformation with ISO 27001

Significance of ISO 27017 and ISO 27018 for Cloud Services

The Risk Assessment Process and the tool that supports it

What is the significance of ISO 27001 certification for your business?

ISO 27k Chat bot

Pragmatic ISO 27001 Risk Assessments

ISO/IEC 27001:2022 – Mastering Risk Assessment and the Statement of Applicability

Risk Register Templates: Asset and risk register template system for cybersecurity and information security management suitable for ISO 27001 and NIST

ISO 27001 implementation ISO 27002 ISO 27701 ISO 27017 ISO27k

How to Address AI Security Risks With ISO 27001

How to Conduct an ISO 27001 Internal Audit

4 Benefits of ISO 27001 Certification

How to Check If a Company Is ISO 27001 Certified

How to Implement ISO 27001: A 9-Step Guide

ISO 27001 Standard, Risk Assessment and Gap Assessment

ISO 27001 standards and training

What is ISO 27002:2022

Previous posts on ISO 27k

Securing Cloud Services: A pragmatic guide

ISO 27001/2 latest titles

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | Security Risk Assessment Services

Tags: iso 27001, ISO 27001 2022, iso 27001 certification


Nov 29 2024

ISO 27001: Building a Culture of Security and Continuous Improvement

Category: Information Security, ISO 27k | disc7 @ 9:19 am

ISO 27001: Building a Culture of Security and Continuous Improvement

More Than Compliance
ISO 27001 is not just a certification; it’s a framework that embeds security into the core of your organization, fostering trust, efficiency, and resilience.


Security as a Journey
ISO 27001 promotes a proactive, continuous approach to security, adapting to ever-evolving cyber threats and embedding security as a company-wide mindset.


Key Practices for Continuous Improvement

  1. Regular Risk Assessments: Periodically evaluate vulnerabilities and prioritize mitigation measures to stay ahead of potential threats.
  2. Employee Engagement: Train employees to actively participate in protecting information and identifying risks early.
  3. Performance Monitoring: Use metrics, audits, and reviews to refine and align security measures with business goals.
  4. Incident Learning: Develop robust response plans, analyze incidents, and strengthen systems to prevent future issues.

Why a Security Culture Matters
A strong security culture builds trust, fosters innovation, and enables safe adoption of technologies like cloud computing and remote work, giving organizations a competitive edge.


Practical Steps to Embed Security

  • Set Clear Objectives: Align ISO 27001 goals with business priorities like risk reduction and client trust.
  • Engage Leadership: Secure top management’s active participation to drive initiatives.
  • Integrate Security: Make security a shared responsibility across all departments.
  • Focus on Risks: Prioritize and allocate resources effectively based on risk impact.
  • Encourage Communication: Foster open discussions about security concerns and solutions.
  • Scale with Growth: Adjust security practices as your organization evolves.

Overcoming Challenges

  • Resistance to Change: Highlight benefits to gain employee buy-in.
  • Resource Constraints: Use a phased approach to certification.
  • Integration Complexity: Leverage common principles with other frameworks like ISO 9001 for seamless integration.

The Way Forward
ISO 27001 isn’t just about protecting data—it’s about building trust, improving operations, and achieving competitive advantage. Start embedding its principles today for a stronger, more secure organization.

Contact us to explore how we can turn security challenges into strategic advantages.


Tags: iso 27001, security culture


Nov 27 2024

OSINT for ICS/OT Course: Review Questions

Category: Information Security, OSINT, OT/ICS | disc7 @ 3:14 pm

by Mike Holcomb

The OSINT Bible: The Complete Guide to Mastering Open-Source Intelligence | Discover Critical Information, Protect Sensitive Data, and Gain a Competitive Edge

Check out previous OSINT posts here

Tags: OSINT


Nov 27 2024

Why Security Leaders Should Prioritize the MITRE ATT&CK Evaluation

Category: Attack Matrix, Information Security | disc7 @ 10:19 am

The article emphasizes the importance of the MITRE Engenuity ATT&CK Evaluations for security leaders in navigating the complex cybersecurity landscape. These evaluations simulate real-world threats to test how vendors’ solutions detect, respond to, and report adversary tactics, techniques, and procedures (TTPs). The evaluations leverage the globally recognized MITRE ATT&CK framework, which categorizes TTPs into a structured model, helping organizations assess and address security gaps effectively.

Key factors that set MITRE ATT&CK Evaluations apart include their focus on real-world conditions, transparent results, and alignment with the ATT&CK framework. Unlike traditional assessments, these evaluations emulate attack scenarios, enabling vendors to demonstrate their capabilities under realistic conditions. The transparency of the results allows organizations to evaluate performance metrics directly, helping security leaders choose solutions tailored to their unique threat environments.

The article, which is published by Cynet, reports that in the 2023 MITRE ATT&CK Evaluation Cynet achieved 100% visibility and analytic coverage without configuration changes, which it describes as a first in the evaluation’s history; as with any vendor-authored summary, readers should check the published MITRE results directly. For 2024, MITRE plans more targeted evaluations, testing vendor solutions against adaptable ransomware-as-a-service variants and North Korean state-sponsored tactics, and expanding coverage across Linux, Windows, and macOS platforms.

Cybersecurity leaders are encouraged to closely monitor the upcoming results, which will offer valuable insights into the strengths and weaknesses of vendor solutions. By leveraging these findings, organizations can refine their defenses, mitigate risks, and strengthen resilience against evolving threats. The Cynet-hosted webinar provides an opportunity to understand and act on these evaluations, making them a critical resource for informed decision-making.

For further details, access the full article here

Practical Threat Intelligence and Data-Driven Threat Hunting: A hands-on guide to threat hunting with the ATT&CK(TM) Framework and open source tools

Previous articles on Mitre Att&ck Framework


Tags: CISO, MITRE ATT&CK Evaluation, Security Leaders


Nov 22 2024

Explore the new Atomic Red Team website

Category: Attack Matrix, Information Security | disc7 @ 11:35 am

The redesigned Atomic Red Team website features a new browser interface, improved search capabilities, and easier test execution.

Red Canary’s Atomic Red Team is an open-source framework designed to help security teams test their detection capabilities against adversary techniques defined in the MITRE ATT&CK framework. It provides small, portable tests ("atomics"), each tied to an ATT&CK technique ID, enabling organizations to emulate a specific attacker technique in a controlled environment. This lets defenders validate their security controls, identify gaps in detection, and better understand malicious behaviors. Atomic Red Team is flexible about how tests are run: the commands can be executed manually from the documented command lines, or automatically with Invoke-Atomic, a PowerShell module that resolves a test’s input arguments, checks prerequisites, runs the executor command, and runs the matching cleanup command.

The platform focuses on making security testing accessible to teams of all sizes by offering easy-to-follow documentation and a community-driven approach. Because each test is mapped to an ATT&CK technique, users can select the simulations relevant to their environment; the tests do perform the attacker behaviour they emulate, so they should be run only on systems you are authorized to test and with the cleanup step applied afterwards. By leveraging these tests, organizations can proactively enhance their detection capabilities, address visibility gaps, and prepare for real-world threats effectively.
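To make the structure of an atomic test concrete, here is an added example (not code from Atomic Red Team, Invoke-Atomic, or Red Canary) that mirrors the shape of an atomics YAML file: a technique ID, a list of tests with supported platforms and input arguments, and an executor whose command and cleanup_command contain `#{argument}` placeholders. The sample test below is constructed for this page and is not a test from the real repository; the renderer resolves defaults and overrides, refuses to emit a command with an unresolved placeholder, and by default only plans (dry-runs) rather than executes, which is the check you want before pointing any test at a host.

```python
"""Dry-run planner for Atomic Red Team style test definitions (added example)."""
import re
import subprocess

# Constructed sample in the shape of an atomics test file. It is NOT a test from
# the real Atomic Red Team repository; the values are made up for this page.
SAMPLE_ATOMIC = {
    "attack_technique": "T1059.004",
    "display_name": "Command and Scripting Interpreter: Unix Shell",
    "atomic_tests": [
        {
            "name": "Write and read a marker file via sh (constructed example)",
            "supported_platforms": ["linux", "macos"],
            "input_arguments": {
                "marker": {"description": "String to write", "type": "string",
                           "default": "atomic-test-marker"},
                "output_file": {"description": "File to write", "type": "path",
                                "default": "/tmp/atomic_marker.txt"},
            },
            "executor": {
                "name": "sh",
                "command": "echo '#{marker}' > #{output_file}\ncat #{output_file}",
                "cleanup_command": "rm -f #{output_file}",
            },
        }
    ],
}

ARG_RE = re.compile(r"#\{(\w+)\}")


def render(template, args):
    """Substitute #{name} placeholders. An unknown name raises instead of
    leaking a literal '#{name}' into a shell command."""
    def sub(match):
        name = match.group(1)
        if name not in args:
            raise KeyError(f"no value for input argument '{name}'")
        return str(args[name])
    return ARG_RE.sub(sub, template)


def resolve_args(test, overrides=None):
    """Start from each input_argument's default, then apply caller overrides."""
    args = {k: v["default"] for k, v in test.get("input_arguments", {}).items()}
    args.update(overrides or {})
    return args


def plan(atomic, platform, overrides=None):
    """Return the rendered command/cleanup for every test runnable on platform.
    Nothing is executed here."""
    plans = []
    for test in atomic["atomic_tests"]:
        if platform not in test["supported_platforms"]:
            continue
        args = resolve_args(test, overrides)
        ex = test["executor"]
        plans.append({
            "technique": atomic["attack_technique"],
            "name": test["name"],
            "executor": ex["name"],
            "command": render(ex["command"], args),
            "cleanup": render(ex.get("cleanup_command", ""), args),
        })
    return plans


def run(p, dry_run=True):
    """Execute a planned test with its executor, then its cleanup.
    dry_run=True (the default) only returns the commands."""
    if dry_run:
        return {"command": p["command"], "cleanup": p["cleanup"], "executed": False}
    result = subprocess.run([p["executor"], "-c", p["command"]],
                            capture_output=True, text=True)
    if p["cleanup"]:
        subprocess.run([p["executor"], "-c", p["cleanup"]],
                       capture_output=True, text=True)
    return {"returncode": result.returncode, "stdout": result.stdout, "executed": True}


if __name__ == "__main__":
    for p in plan(SAMPLE_ATOMIC, "linux"):
        print(f"[{p['technique']}] {p['name']} via {p['executor']}")
        print(run(p))  # dry run: shows what would be executed
```

Switching `run(p, dry_run=False)` executes the rendered command with the named executor; the planner deliberately keeps rendering and execution separate so the exact command can be reviewed (and logged against the technique ID) before it touches a system.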

The new site provides several long-requested feature additions such as an easier method to execute the sometimes complex command lines in your environment, more detailed searching and filtering capabilities, and a generally more streamlined interface. This convenient interface ensures that even a casual user can learn about and launch tests in their own environment to help improve their security posture.

Previous posts on Att&ck Matrix



Nov 22 2024

Researchers crack RSA and AES data encryption

Category: cyber security, Data encryption, Information Security | disc7 @ 7:19 am

Source headline: “For the first time ever researchers crack RSA and AES data encryption”. The headline overstates the result; what was actually demonstrated is set out below.

Chinese researchers report using a D-Wave quantum annealer to factor a small RSA modulus, renewing calls for post-quantum cryptography.

As reported in October 2024, a team at Shanghai University led by Wang Chao used a D-Wave Advantage quantum annealer to factor a 22-bit RSA integer, and in related work attacked reduced versions of lightweight SPN block ciphers (Present, Gift-64 and Rectangle). That is a long way from “cracking” RSA or AES. RSA in practice uses 2048-bit or larger moduli, and no modulus of that size has been factored by any computer, quantum or classical. AES was not attacked at all. RSA relies on the difficulty of factoring a modulus that is the product of two large primes; AES is a symmetric cipher whose security does not depend on factoring, and the best known quantum attack on it (Grover’s algorithm) only halves the effective key length, which is why AES-256 is still considered quantum-safe. Both algorithms remain foundational to HTTPS and to data protection generally.

A quantum annealer is not a general-purpose quantum computer: it cannot run Shor’s algorithm, the method that would break RSA at real key sizes on a sufficiently large fault-tolerant machine. The team instead encoded factoring as an optimisation problem that the annealer minimises. That approach has not been shown to scale to practical key sizes, and a 22-bit integer is factored classically in a fraction of a second on a laptop.

The realistic concern is unchanged by this paper: data encrypted with RSA or other public-key schemes today can be harvested now and decrypted later if large fault-tolerant quantum computers arrive. That is why NIST finalised its first post-quantum standards in August 2024 (FIPS 203, 204 and 205, covering ML-KEM, ML-DSA and SLH-DSA) and why organisations in banking, healthcare and government are starting migrations now rather than waiting for a demonstrated break.

The implications of quantum computing extend beyond cryptography: it may transform fields such as medicine, artificial intelligence and materials science. Sensational headlines about “cracked” encryption, however, make it harder for decision-makers to judge the genuine timeline, so researchers and policymakers should report results at their actual scale while planning the migration to quantum-resistant algorithms.
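To put the 22-bit result in perspective, here is an added example (not the researchers’ method, and not code from the paper or from D-Wave) that builds a toy RSA key at exactly that modulus size, then recovers the private key by factoring the modulus classically with Pollard’s rho. The primes 1999 and 2011 are constructed for this example; the `grover_effective_bits` helper states the standard Grover bound for AES so the symmetric-cipher caveat is visible beside the factoring one.

```python
"""Toy 22-bit RSA, broken classically by factoring the modulus (added example)."""
import math
import time


def pollard_rho(n, seed=2):
    """Return a nontrivial factor of composite n (Floyd cycle finding)."""
    if n % 2 == 0:
        return 2
    c = 1
    while True:
        x = y = seed
        d = 1
        while d == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:          # d == n means the walk degenerated; retry with new c
            return d
        c += 1


def factor(n):
    """Split a semiprime into its two prime factors, smallest first."""
    p = pollard_rho(n)
    return tuple(sorted((p, n // p)))


def keygen(p, q, e=65537):
    """Textbook RSA key generation from two primes (constructed toy values)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    assert math.gcd(e, phi) == 1, "e must be coprime to phi(n)"
    d = pow(e, -1, phi)          # modular inverse, Python 3.8+
    return n, e, d


def encrypt(m, n, e):
    return pow(m, e, n)


def decrypt(c, n, d):
    return pow(c, d, n)


def recover_private_key(n, e):
    """What an attacker does once n is factored: rebuild d from p and q."""
    p, q = factor(n)
    return pow(e, -1, (p - 1) * (q - 1))


def grover_effective_bits(key_bits):
    """Grover's algorithm gives a quadratic speedup, so a k-bit symmetric key
    keeps about k/2 bits of security against a quantum attacker."""
    return key_bits // 2


if __name__ == "__main__":
    n, e, d = keygen(1999, 2011)          # n is 4019989, a 22-bit modulus
    print(f"modulus n={n} ({n.bit_length()} bits)")
    c = encrypt(123456, n, e)
    t0 = time.perf_counter()
    d_recovered = recover_private_key(n, e)
    print(f"factored and recovered d in {time.perf_counter() - t0:.6f} s")
    print("plaintext recovered:", decrypt(c, n, d_recovered))
    print("AES-256 under Grover ~", grover_effective_bits(256), "bits of security")
```

The point is not the algorithm but the scale: the entire attack on a 22-bit modulus is a few thousand modular multiplications, while RSA-2048 keys are 2048 bits and are not threatened by annealing-based factoring; the code also shows why a factoring result says nothing about AES.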

You can access the details here

The value of quantum-resistant cryptography, post-quantum cryptography, and decentralized technologies just skyrocketed.

The research team’s experiments focused on leveraging D-Wave’s quantum technology to solve cryptographic problems. (CREDIT: DWave)

Inside Cyber: How AI, 5G, IoT, and Quantum Computing Will Transform Privacy and Our Security

Advancing Cyber Security Through Quantum Cryptography


Tags: PQC, QuantumComputing, Web3


Nov 20 2024

3 ISO 27001:2022 Controls That Help Secure Your Cloud Services

Category: Cloud computing, Information Security, ISO 27k | disc7 @ 12:52 pm

The article highlights three critical controls from ISO 27001:2022 to enhance cloud security, providing organizations with guidance on how to protect sensitive data stored in the cloud effectively:

  1. Contractual Assurance: Control 5.10 emphasizes acceptable use and handling of information, particularly third-party assets like cloud services. It stresses the importance of establishing contractual agreements with cloud providers to ensure data security. Organizations should verify providers’ compliance with standards like ISO 27001 or other independent certifications, check for business continuity guarantees, and ensure compliance with regulations like GDPR or PCI DSS where applicable.
  2. Cloud-Specific Policies: Control 5.23 introduces the need for processes and policies tailored to cloud services. These should cover the acquisition, use, management, and exit strategies for cloud services. Organizations are advised to define security requirements and clarify roles, responsibilities, and controls between the organization and the provider. Policies should also include handling incidents and outlining exit procedures to maintain security throughout the service lifecycle.
  3. Extending ISMS: While ISO 27001:2022 offers foundational controls, organizations can enhance their information security management system by adopting supplementary standards like ISO 27017 (focused on cloud-specific controls) and ISO 27018 (privacy in cloud services). However, these extensions currently align with the older ISO 27001:2013 Annex A, necessitating careful integration with updated frameworks.

These controls underscore the importance of robust policies, contractual due diligence, and clear delineation of responsibilities to secure cloud environments effectively. More details can be found here.


Tags: cloud services, ISO 27001 2022


Nov 13 2024

How CISOs Can Drive the Adoption of Responsible AI Practices

Category: AI, Information Security | disc7 @ 11:47 am

Amid the rush to adopt AI, leaders face significant risks if they lack an understanding of the technology’s potential cyber threats. A PwC survey revealed that 40% of global leaders are unaware of generative AI’s risks, leaving potential vulnerabilities unaddressed. CISOs should take a leading role in assessing, implementing, and overseeing AI, as their expertise in risk management can ensure safer integration while keeping the focus on AI’s benefits. While some advocate for a chief AI officer, security remains integral, emphasizing the CISO’s (or vCISO’s) strategic role in guiding responsible AI adoption.

CISOs are crucial in managing the security and compliance of AI adoption within organizations, especially with evolving regulations. Their role involves implementing a security-first approach and risk management strategies, which includes aligning AI goals through an AI consortium, collaborating with cybersecurity teams, and creating protective guardrails.

They guide acceptable risk tolerance, manage governance, and set controls for AI use. Whether securing AI consumption or developing solutions, CISOs must stay updated on AI risks and deploy relevant resources.

A strong security foundation is essential, involving comprehensive encryption, data protection, and adherence to regulations like the EU AI Act. CISOs enable informed cross-functional collaboration, ensuring robust monitoring and swift responses to potential threats.

As AI becomes mainstream, organizations must integrate security throughout the AI lifecycle to guard against GenAI-driven cyber threats, such as social engineering and exploitation of vulnerabilities. This requires proactive measures and ongoing workforce awareness to counter these challenges effectively.

“AI will touch every business function, even in ways that have yet to be predicted. As the bridge between security efforts and business goals, CISOs serve as gatekeepers for quality control and responsible AI use across the business. They can articulate the necessary ground for security integrations that avoid missteps in AI adoption and enable businesses to unlock AI’s full potential to drive better, more informed business outcomes.”

You can read the full article here

CISOs play a pivotal role in guiding responsible AI adoption to balance innovation with security and compliance. They need to implement security-first strategies and align AI goals with organizational risk tolerance through stakeholder collaboration and robust risk management frameworks. By integrating security throughout the AI lifecycle, CISOs/vCISOs help protect critical assets, adhere to regulations, and mitigate threats posed by GenAI. Vigilance against AI-driven attacks and fostering cross-functional cooperation ensures that organizations are prepared to address emerging risks and foster safe, strategic AI use.

Need expert guidance? Book a free 30-minute consultation with a vCISO.

Comprehensive vCISO Services

The CISO’s Guide to Securing Artificial Intelligence

Hackers will use machine learning to launch attacks

To fight AI-generated malware, focus on cybersecurity fundamentals

4 ways AI is transforming audit, risk and compliance

AI security bubble already springing leaks

Could APIs be the undoing of AI?

The Rise of AI Bots: Understanding Their Impact on Internet Security

How to Address AI Security Risks With ISO 27001


Tags: AI privacy, AI security impact, AI threats, CISO, vCISO


Nov 06 2024

Cybersecurity: Key Information You Need to Know

Category: cyber security, Information Security | disc7 @ 9:34 am

Cybersecurity involves technologies, processes, and measures aimed at safeguarding systems, networks, and data from cyber threats. A strong cybersecurity strategy minimizes the risk of attacks and prevents unauthorized access to systems, networks, and technologies.

Cybersecurity focuses on protecting computer systems from unauthorized access, damage, or events that would make them inaccessible.

People:

It is important that all staff are informed about how to identify and avoid common cyber threats, and for those responsible for the technical aspects of cybersecurity to keep up to date with the latest skills and qualifications.



Processes:

Processes are crucial in defining how the organization’s activities, roles, and documentation are used to mitigate the risks to the organization’s information. Cyber threats change quickly, so processes need to be continually reviewed to ensure you stay ahead.


Technology:

To mitigate cyber risks, you must first identify what risks your organization faces. From there, you can implement technological controls. Technology can be used to prevent or reduce the impact of cyber risks, depending on your risk assessment and the level of risk you consider acceptable.

Why is cybersecurity important?

  • The cost of cybersecurity breaches is rising: emerging privacy laws can mean significant fines for organizations. There are also non-financial costs to consider, like reputational damage.
  • Cyber attacks are increasingly sophisticated: attackers use an ever-expanding variety of tactics, including social engineering, malware, and ransomware.

Types of cybersecurity threats

Phishing

Phishing is a method of social engineering used to trick people into divulging sensitive or confidential information, often via email. These scams are not always easy to distinguish from genuine messages, and can inflict enormous damage on organizations.

Train your staff how to spot and avoid phishing attacks

Social engineering

Social engineering is used to deceive and manipulate victims into providing information or access to their computer. This is achieved by tricking users into clicking malicious links or opening malicious files, or by the attacker physically gaining access to a computer through deception.

Malware

Malware is short for “malicious software.” It can take the form of viruses, worms, Trojans, and other types of malicious code. Malware can be used to steal personal information, destroy data, and take control of computers.

Ransomware attacks

Ransomware is a form of malware that encrypts victims’ information and demands payment in return for the decryption key. Paying a ransom does not necessarily guarantee that you will be able to recover the encrypted data.


What is Cybersecurity ? : FAST/FOR BEGINNERS

Cybersecurity Bible: The Complete Guide to Detect, Prevent and Manage Cyber Threats | Includes Practical Tests & Hacking Tips for IT Security Specialists

The Cybersecurity Blueprint For Executives: A No-Nonsense Guide to What To Do When Attacked, How To Mitigate Risk, and Make Smarter Business Decisions … Leadership Impact


Tags: cybersecurity


Nov 05 2024

How can ISO 27001 help SaaS companies?

Category: Information Security, ISO 27k | disc7 @ 12:13 pm

ISO 27001 certification is essential for SaaS companies to ensure data protection and strengthen customer trust by securing their cloud environments. As SaaS providers often handle sensitive customer data, ISO 27001 offers a structured approach to manage security risks, covering areas such as access control, encryption, and operational security. This certification not only boosts credibility but also aligns with regulatory standards, enhancing competitive advantage.

The implementation process involves defining an Information Security Management System (ISMS) tailored to the company’s operations, identifying risks, and applying suitable security controls. Although achieving certification can be challenging, particularly for smaller businesses, ISO 27001’s framework helps SaaS companies standardize security practices and demonstrate compliance.

To maintain certification, SaaS providers must continuously monitor, audit, and update their ISMS to address emerging threats. Regular internal and external audits assess compliance and ensure the ISMS’s effectiveness in a constantly evolving security landscape. By following ISO 27001’s guidance, SaaS companies gain a proactive approach to security and data privacy, making them more resilient against breaches and other cybersecurity risks.

Moreover, ISO 27001 certification can be a decisive factor for clients evaluating SaaS providers, as it shows commitment to security and regulatory compliance. For many SaaS businesses, certification can streamline client acquisition and retention by addressing data privacy concerns proactively.

Ultimately, ISO 27001 provides SaaS companies with a competitive edge, instilling confidence in clients and partners. This certification reflects a company’s dedication to safeguarding customer data, thereby contributing to long-term growth and stability in the competitive SaaS market. For more information, you can visit the full article here.

Need expert guidance? Book a free 30-minute consultation with an ISO 27k expert.


Tags: iso 27001, saas


Oct 16 2024

Not all information security risks translate directly to business risks

There is a misconception among security professionals: the belief that all information security risks will result in significant business risks. This perspective is misleading because not every information security incident has a severe impact on an organization’s bottom line. Business decision-makers can become desensitized to security alerts if they are inundated with generalized statements, leading them to ignore real risks. Thus, it is essential for security experts to present nuanced, precise analyses that distinguish between minor and significant threats to maintain credibility and ensure their assessments are taken seriously.

There are two types of risks:

  1. Information Security Risk: This occurs when a threat (e.g., a virus) encounters a vulnerability (e.g., lack of antivirus protection), potentially compromising confidentiality, availability, or integrity of information. Depending on the severity, it can range from a minor issue, like a temporary power outage, to a critical breach, such as theft of sensitive data.
  2. Business Risk: This affects the organization’s financial stability, compelling decision-makers to act. It can manifest as lost revenue, increased costs (e.g., penalties), or reputational damage, especially if regulatory fines are involved.

Not all information security risks translate directly to business risks. ISO 27001 does not prescribe a calculation method; it requires the organization to define risk acceptance criteria and to evaluate each identified risk against them (clause 6.1.2). A common quantitative way to express this is the Annualized Loss Expectancy (ALE = single loss expectancy × annualized rate of occurrence): a risk whose ALE is within the acceptance threshold can be accepted, one above it needs treatment, and a control is only worth funding if the ALE it removes exceeds its annual cost.

Example:

Small Business Data Breach: A small Apple repair company faced internal sabotage when a disgruntled employee reformatted all administrative systems, erasing customer records. The company managed to recover by restoring data from backups and keeping customer communication open. Despite the breach’s severity, the company retained its customers, and the incident was contained. This case underscores the importance of adequate data management and disaster recovery planning.

Several factors to consider when assessing the relationship between information security and business risk:

  • Business Model: Certain businesses can withstand breaches with minimal financial impact, while others (e.g., payment processors) face more significant risks.
  • Legal Impact: Fines and legal costs can sometimes outweigh the direct costs of a breach. Organizations must assess regulatory requirements and contractual obligations to understand potential legal implications.
  • Direct Financial Impact: While breaches can lead to financial loss, this is sometimes treated as a routine cost of doing business, akin to paying for regular IT services.
  • Affected Stakeholders: It is crucial to identify which parties will bear the brunt of the damage. In some cases, third parties, like investors, may suffer more than the organization experiencing the breach.

Ultimately, information security risks must be evaluated within the broader business context. A comprehensive understanding of the company’s environment, stakeholders, and industry will help in prioritizing actions and reducing overall breach costs.
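A worked example of the screening described above, added here and not part of the original post. It assumes a constructed risk register with made-up loss figures and a made-up acceptance threshold; the ALE formula and the accept/treat decision are the standard quantitative rules, and the cost-benefit step (fund a control only when the ALE it removes exceeds its annual cost) goes one step beyond the paragraph to show why a severe security incident can still be a minor business decision.

```python
"""Risk-acceptance screening with Annualized Loss Expectancy (ALE).

ALE = SLE x ARO. A risk is accepted when its ALE is within the organization's
acceptance threshold; otherwise a control is worth funding only if the ALE it
removes exceeds its annual cost (net benefit > 0). All figures below are
constructed for illustration, not real loss data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float           # single loss expectancy: cost of one occurrence
    aro: float           # annualized rate of occurrence: events per year
    control_cost: float  # annual cost of the proposed control
    residual_sle: float  # SLE once the control is in place
    residual_aro: float  # ARO once the control is in place


def ale(sle: float, aro: float) -> float:
    return sle * aro


def net_benefit(r: Risk) -> float:
    """Annual value of the control: ALE removed minus what the control costs."""
    return ale(r.sle, r.aro) - ale(r.residual_sle, r.residual_aro) - r.control_cost


def decide(r: Risk, threshold: float) -> str:
    """accept: within tolerance; treat: control pays for itself;
    escalate: above tolerance but the control costs more than it saves,
    so the decision (transfer, redesign, accept formally) goes to management."""
    if ale(r.sle, r.aro) <= threshold:
        return "accept"
    if net_benefit(r) > 0:
        return "treat"
    return "escalate"


def screen(risks, threshold):
    """Return (name, ALE, net benefit, decision) rows, highest ALE first."""
    rows = [(r.name, round(ale(r.sle, r.aro), 2), round(net_benefit(r), 2),
             decide(r, threshold)) for r in risks]
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed register mirroring the post's contrast: the same kind of
# incident carries very different business exposure per business model.
REGISTER = [
    Risk("card data theft (payment processor)", sle=2_000_000, aro=0.1,
         control_cost=150_000, residual_sle=2_000_000, residual_aro=0.01),
    Risk("ransomware (small shop, no cheap control)", sle=60_000, aro=0.5,
         control_cost=40_000, residual_sle=60_000, residual_aro=0.1),
    Risk("insider wipes admin systems (repair shop)", sle=80_000, aro=0.2,
         control_cost=3_000, residual_sle=5_000, residual_aro=0.2),
    Risk("temporary power outage", sle=1_500, aro=2.0,
         control_cost=20_000, residual_sle=200, residual_aro=2.0),
]
THRESHOLD = 10_000  # constructed annual risk-acceptance threshold

if __name__ == "__main__":
    for row in screen(REGISTER, THRESHOLD):
        print(row)
```

The insider case is severe in security terms but cheap to treat (backups), the outage is accepted despite being the most frequent event, and the ransomware case is the one that needs a management decision rather than a security decision.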

Information Risk Management: A practitioner’s guide


Tags: business risks, Information Risk Management: A practitioner's guide


Sep 09 2024

AI cybersecurity needs to be as multi-layered as the system it’s protecting

The article emphasizes that AI cybersecurity must be multi-layered, like the systems it protects. Cybercriminals increasingly exploit large language models (LLMs) with attacks such as data poisoning, jailbreaks, and model extraction. To counter these threats, organizations must implement security strategies during the design, development, deployment, and operational phases of AI systems. Effective measures include data sanitization, cryptographic checks, adversarial input detection, and continuous testing. A holistic approach is needed to protect against growing AI-related cyber risks.
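One concrete form of the “cryptographic checks” mentioned above, applied at the deployment phase: refusing to load model artifacts whose hashes do not match an authenticated manifest. This is an added example, not code from the article; the signing key, the artifact files and the two tampering scenarios are constructed for the demo, and HMAC-SHA256 stands in for the asymmetric signature a release pipeline would normally use.

```python
"""Integrity check for model artifacts before loading: every file is hashed
with SHA-256, the manifest of hashes is authenticated with HMAC-SHA256, and
loading is refused if either the manifest or any artifact has changed."""
import hashlib
import hmac
import json
import os
import tempfile

# Constructed key for the demo. In deployment the key lives in a secrets store
# and only the release pipeline can produce a manifest MAC with it.
SIGNING_KEY = b"demo-manifest-key-not-for-production"


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def _canonical(files: dict) -> bytes:
    # Canonical JSON so the MAC does not depend on key order or whitespace.
    return json.dumps(files, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(root: str, names, key: bytes) -> dict:
    """Hash each artifact and attach an HMAC over the canonical hash list."""
    digests = {n: sha256_file(os.path.join(root, n)) for n in sorted(names)}
    return {"files": digests,
            "mac": hmac.new(key, _canonical(digests), hashlib.sha256).hexdigest()}


def verify_artifacts(root: str, manifest: dict, key: bytes) -> tuple:
    """Return (ok, reason). The MAC is checked before any file is trusted."""
    expected = hmac.new(key, _canonical(manifest["files"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest.get("mac", "")):
        return False, "manifest signature invalid"
    for name, digest in manifest["files"].items():
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            return False, f"missing artifact: {name}"
        if not hmac.compare_digest(sha256_file(path), digest):
            return False, f"hash mismatch: {name}"
    return True, "ok"


def demo() -> dict:
    """Sign a constructed model bundle, then tamper with it and re-verify."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        files = {"weights.bin": os.urandom(4096), "config.json": b'{"layers": 12}'}
        for name, data in files.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        manifest = build_manifest(root, files, SIGNING_KEY)
        results["intact"] = verify_artifacts(root, manifest, SIGNING_KEY)
        # Scenario 1: the weights are swapped (a poisoned model in the registry).
        with open(os.path.join(root, "weights.bin"), "ab") as f:
            f.write(b"\x00")
        results["tampered_weights"] = verify_artifacts(root, manifest, SIGNING_KEY)
        # Scenario 2: the attacker also rewrites the hash but cannot re-MAC.
        forged = {"files": dict(manifest["files"]), "mac": manifest["mac"]}
        forged["files"]["weights.bin"] = sha256_file(os.path.join(root, "weights.bin"))
        results["forged_manifest"] = verify_artifacts(root, forged, SIGNING_KEY)
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(scenario, outcome)
```

The check is deliberately ordered: the manifest is authenticated first, so a manifest that has been edited to match a poisoned artifact is rejected before any hash is compared, and a loader built on this never deserializes an artifact that has not passed both steps.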

For more details, visit the full article here

Benefits and Concerns of AI in Data Security and Privacy

Predictive analytics provides substantial benefits in cybersecurity by helping organizations forecast and mitigate threats before they arise. Using statistical analysis, machine learning, and behavioral insights, it highlights potential risks and vulnerabilities. Despite hurdles such as data quality, model complexity, and the dynamic nature of threats, adopting best practices and tools enhances its efficacy in threat detection and response. As cyber risks evolve, predictive analytics will be essential for proactive risk management and the protection of organizational data assets.

AI also raises data privacy and security concerns: AI tools must comply with privacy regulations and protect the sensitive information they process.

AI systems must adhere to privacy laws and regulations, such as GDPR, CPRA to protect individuals’ information. Compliance ensures ethical data handling practices.

Implementing robust security measures to protect data (data governance) from unauthorized access and breaches is critical. Data protection practices safeguard sensitive information and maintain trust.

1. Predictive Analytics in Cybersecurity

Predictive analytics offers substantial benefits by helping organizations anticipate and prevent cyber threats before they occur. It leverages statistical models, machine learning, and behavioral analysis to identify potential risks. These insights enable proactive measures, such as threat mitigation and vulnerability management, ensuring an organization’s defenses are always one step ahead.

2. AI and Data Privacy

AI systems raise concerns regarding data privacy and security, especially as they process sensitive information. Ensuring compliance with privacy regulations like GDPR and CPRA is crucial. Organizations must prioritize safeguarding personal data while using AI tools to maintain trust and avoid legal ramifications.

3. Security and Data Governance

Robust security measures are essential to protect data from breaches and unauthorized access. Implementing effective data governance ensures that sensitive information is managed, stored, and processed securely, thus maintaining organizational integrity and preventing potential data-related crises.

Adversarial AI Attacks, Mitigations, and Defense Strategies: A cybersecurity professional’s guide to AI attacks, threat modeling, and securing AI with MLSecOps

Data Governance: The Definitive Guide: People, Processes, and Tools to Operationalize Data Trustworthiness


Tags: AI attacks, AI security, Data Governance


Sep 02 2024

Build a secure future with DISC InfoSec

Category: Information Security | disc7 @ 10:23 am

Your Trusted Partner in Information Security

DISC LLC, located in Sonoma County, CA, is dedicated to offering premier information security services. As consultants specializing in information security, we pride ourselves on helping businesses across the United States build resilient security programs.

Our Expertise

vCISO Services

When are vCISO services most appropriate? Our expert virtual Chief Information Security Officer (vCISO) services are designed to build a robust security program that effectively detects and mitigates risks. Reach out to us today to develop a security program tailored to today’s challenges.

ISO 27001 and ISMS Implementation

We specialize in implementing ISO 27001 standards and establishing Information Security Management Systems (ISMS) that ensure your organization’s compliance with the highest industry standards. Achieve certification and maintain a strong competitive edge in security compliance.

DISC InfoSec offers insights on ISO 27k through its posts

Comprehensive Security Risk Assessments

Our detailed security risk assessment services identify potential threats and vulnerabilities in your systems. By understanding these risks, we develop strategic measures to counteract them, safeguarding your business from data breaches and other security incidents.

Ensuring Security Compliance – GRC Consulting

In the Information Security and Compliance industry, organizations are increasingly seeking services that help them manage the growing complexity of cyber threats and regulatory requirements.

Maintaining security compliance is crucial in today’s digital landscape. DISC LLC helps organizations navigate complex regulatory requirements, ensuring they meet all necessary standards to protect their data and operations.

Overview: As regulations and standards like GDPR, HIPAA, CCPA, and ISO 27001 become stricter, organizations seek expert advice to ensure compliance and reduce risk.

Key DISC GRC Services:

  • Risk assessments and mitigation strategies.
  • Compliance audits and certification readiness (e.g., ISO27k, NIST 800-171, SOC 2).
  • Policy development and regulatory advisory.

Cloud Security

With the rapid adoption of cloud services, securing cloud environments (e.g., AWS, Azure, Google Cloud) is critical. Cloud security solutions focus on protecting data, identities, and workloads in cloud infrastructure.

DISC provides cloud security assessments and architecture reviews.

How to manage information in the cloud: Best practice frameworks

Data Privacy and Protection

With regulations like GDPR and CCPA, and with the advent of AI, organizations need to implement measures that protect sensitive data, establish data governance, and ensure that personal information is handled according to legal standards.

Protecting sensitive data and complying with privacy regulations is essential. AI systems must be designed to handle data securely and adhere to relevant legal and ethical standards.

Types of AI

Understanding the risks associated with AI systems: AI Risk Management

Why Choose DISC LLC?

  • Expertise: Our team consists of experienced professionals with extensive knowledge in infosec and compliance.
  • Customized Solutions: We provide tailored security solutions that align with your unique business needs.
  • Proactive Approach: Our proactive approach ensures timely detection and mitigation of security risks.

Contact DISC LLC today at info@deurainfosec.com or call us at +17079985164 to learn more about how our services can fortify your organization’s security posture.
Build a secure future with DISC LLC.


Tags: DISC InfoSec Services


Aug 27 2024

LiteSpeed Cache Plugin Vulnerability Risked 5+ Million WordPress Websites

Category: Information Security, Web Security | disc7 @ 11:15 am

WordPress admins using the Litespeed Cache plugin must update their sites with the latest plugin release to address a critical vulnerability. Exploiting the flaw allows an unauthenticated attacker to take control of target websites.

LiteSpeed Cache Plugin Vulnerability Could Allow Site Takeover

The security researcher John Blackbourn, reporting through Patchstack, discovered a critical privilege escalation vulnerability in the LiteSpeed Cache plugin. LiteSpeed Cache for WordPress offers an exclusive server-level cache and numerous site optimization features, and has over 5 million active installations, which is why any vulnerability in it threatens millions of websites.

The vulnerability existed in the plugin’s crawler feature, which includes a user-simulation function that performs crawler requests as an authenticated user. Because the security hash protecting this feature was weak, an unauthenticated attacker could spoof an authenticated user and gain elevated site privileges; in the worst case this allowed installation of malicious plugins and a complete site takeover.

The vulnerability, tracked as CVE-2024-28000, received a critical severity rating with a CVSS score of 9.8 and affects all plugin releases up to and including 6.3.0.1. A detailed technical analysis is available in Patchstack’s recent post.

Vulnerability Patched With Latest Plugin Release

Blackbourn responsibly disclosed the flaw via Patchstack to the plugin developers, who patched it in LiteSpeed Cache version 6.4. The researcher received a $14,400 bounty under the Patchstack Zero Day program for the report. Now that the patch is available, all WordPress admins should update their sites to avoid exploitation; ideally, update to LiteSpeed Cache version 6.4.1, which appears as the latest release on the plugin’s official page.


Attribution link: https://latesthackingnews.com/2024/08/26/litespeed-cache-plugin-vulnerability-risked-5-million-wordpress-websites/

Essential WordPress Security Plugins


Tags: Plugin Vulnerability, WordPress, Wordpress security


Aug 24 2024

Expertise in Virtual CISO (vCISO) Services

Category: Information Security, vCISO | disc7 @ 10:51 am

Deura Information Security Consulting

DISC InfoSec

Expertise in Virtual CISO (vCISO) Services

Deura Information Security Consulting offers comprehensive vCISO services designed to build robust security programs that effectively detect and mitigate risks. Our seasoned consultants will work with you to develop a security strategy tailored to meet today’s challenges.

Achieve Compliance with ISO 27001

Securing your information assets and achieving compliance is crucial. Our experts specialize in assisting businesses with ISO 27001 implementation. Benefit from our extensive experience in information security management systems (ISMS) to ensure your organization meets the stringent requirements of ISO 27001.

Services Offered

  • vCISO Services: Enhance your organization’s security posture with our virtual Chief Information Security Officer services.
  • ISO 27001 Implementation: Guidance on compliance and certification processes to achieve ISO 27001.
  • Security Risk Assessment:
  • Information Security Management Systems (ISMS):
  • Security Compliance Management:

Why Choose Us

At Deura Information Security Consulting, our focus is on creating and implementing security programs that address your specific needs. Contact us at info@deurainfosec.com or call +1 707-998-5164 to schedule a consultation.

Our extensive industry knowledge ensures that your security infrastructure is built to detect and mitigate risks effectively. Choose Deura Information Security Consulting for expert vCISO services and ISO 27001 compliance support.

In what situations would a vCISO or CISOaaS service be appropriate?


Tags: vCISO, vCISO services, Virtual CISO


Jul 31 2024

How Millions of Phishing Emails were Sent from Trusted Domains: EchoSpoofing Explained

Category: DNS Attacks, Information Security, Phishing | disc7 @ 11:44 am

Injecting spoofed headers with email relaying involves manipulating the email headers to disguise the true origin of an email, making it appear as if it was sent from a legitimate source. Here’s a detailed explanation of how this process works:

1. Understanding Email Headers

Email headers contain vital information about the sender, recipient, and the path an email takes from the source to the destination. Key headers include:

  • From: The email address of the sender.
  • To: The recipient’s email address.
  • Subject: The subject line of the email.
  • Received: Information about the mail servers that handled the email as it traveled from sender to recipient.
  • Return-Path: The email address where bounces and error messages should be sent.

2. Email Relaying

Email relaying is the process of sending an email from one server to another. This is typically done by SMTP (Simple Mail Transfer Protocol) servers. Normally, email servers are configured to relay emails only from authenticated users to prevent abuse by spammers.

3. Spoofing Headers

Spoofing email headers involves altering the email headers to misrepresent the email’s source. This can be done for various malicious purposes, such as phishing, spreading malware, or bypassing spam filters. Here’s how it can be done:

a. Crafting the Spoofed Email

An attacker can use various tools and scripts to create an email with forged headers. They might use a command-line tool like sendmail or mailx, or a programming language with email-sending capabilities (e.g., Python’s smtplib).

b. Setting Up an Open Relay

An open relay is an SMTP server configured to accept and forward email from any sender to any recipient. Attackers look for misconfigured servers on the internet to use as open relays.

c. Injecting Spoofed Headers

The attacker crafts an email with forged headers, such as a fake “From” address, and sends it through an open relay. The open relay server processes the email and forwards it to the recipient’s server without verifying the authenticity of the headers.

d. Delivery to Recipient

The recipient’s email server receives the email and, based on the spoofed headers, believes it to be from a legitimate source. This can trick the recipient into trusting the email’s content.

4. Example of Spoofing Email Headers

Here’s an example using Python’s smtplib to send an email with spoofed headers:

import smtplib
from email.mime.text import MIMEText

# Crafting the email: the From header is forged; nothing in SMTP itself
# checks that it matches the account or host doing the sending
msg = MIMEText("This is the body of the email")
msg['Subject'] = 'Spoofed Email'
msg['From'] = 'spoofed.sender@example.com'
msg['To'] = 'recipient@example.com'

# Sending the email via an open relay (placeholder host): the relay forwards
# the message without authenticating the sender
smtp_server = 'open.relay.server.com'
smtp_port = 25

with smtplib.SMTP(smtp_server, smtp_port) as server:
    # The first argument is the SMTP envelope sender (MAIL FROM / Return-Path),
    # which is what SPF is evaluated against; here it matches the forged From
    server.sendmail(msg['From'], [msg['To']], msg.as_string())

via Frontend Transport

The phrase “via Frontend Transport” in Received header values refers to a specific Microsoft Exchange Server transport service. On its own it is routine, but in the context of a suspected relay abuse it can point to a configuration that forwards mail without proper verification. Breaking down the key elements:

1. Frontend Transport in Exchange

In Microsoft Exchange Server (2013 and later), the Front End Transport service handles client connections and SMTP traffic from the internet. It acts as a stateless proxy for inbound (and optionally outbound) external mail, receiving messages from external sources and passing them to the Transport service on the mailbox servers.

2. Email Relaying

Email relaying is the process of forwarding an email from one server to another, eventually delivering it to the final recipient. While this is a standard part of the SMTP protocol, it becomes problematic if a server is configured to relay emails without proper authentication or validation.

3. The Term “via Frontend Transport”

When a Received header contains “via Frontend Transport”, the message passed through the Front End Transport service of an Exchange server; Exchange writes this into the Received header it adds for that hop, so the path the message took is visible in the Received chain. The string appears on legitimate traffic too, so it identifies the hop rather than proving a fault; the question is what that hop accepted, and from whom.

4. Suggestion of Blind Email Relaying

The concern arises when these headers suggest that Exchange is configured to relay emails without altering them or without proper checks. This could imply that:

  • The Exchange server is not adequately verifying the sender’s authenticity.
  • The server might be forwarding emails without checking if they come from trusted sources.
  • Such a configuration can be indicative of an open relay, where the server forwards any email it receives, which is highly vulnerable to abuse.

5. Abuses of Open Relays

Open relays are notorious for being exploited by spammers and malicious actors because they can be used to send large volumes of unsolicited emails while obscuring the true origin of the message. This makes it difficult to trace back to the actual sender and can cause the relay server’s IP address to be blacklisted.

https://www.securitynewspaper.com/2023/12/20/how-to-send-spoof-emails-from-domains-that-have-spf-and-dkim-protections/

Here’s a detailed breakdown of the key points:

Scenario Breakdown

  1. Attackers Use a Genuine Microsoft Office 365 Account
    • The attackers have managed to send an email from a genuine Microsoft Office 365 account. This could be through compromising an account or using a trial account.
  2. Email Branded as Disney
    • The email is branded as coming from Disney (disney.com). This branding could involve setting the “From” address to appear as if it’s from a Disney domain, which can trick recipients into believing the email is legitimate.
  3. Gmail’s Handling of Outlook’s Servers
    • Gmail has robust mechanisms to handle high volumes of emails from trusted servers like Outlook’s (Microsoft’s email service). These servers are built to send millions of emails per hour, so Gmail will not block them due to rate limits.
  4. SPF (Sender Policy Framework)
    • SPF is a protocol that helps prevent email spoofing by allowing domain owners to specify which mail servers are authorized to send emails on their behalf. The attackers benefit from this because:
      • The email is sent through Microsoft’s outbound relay infrastructure (protection.outlook.com).
      • Disney’s SPF record includes spf.protection.outlook.com, so mail leaving that shared infrastructure with a disney.com envelope sender satisfies Disney’s SPF record, whichever tenant it came from.
  5. Spoofed Headers
    • Spoofed headers involve altering the email headers to make the email appear as if it originated from a different source. In this scenario, the attackers have spoofed headers to make the email look like it’s from Disney.
  6. SPF Check Passed
    • Since the email reaches the recipient from an IP covered by Disney’s SPF record (the shared protection.outlook.com range), it passes the SPF check and looks legitimate to the recipient’s server. SPF is evaluated on the envelope sender (Return-Path) domain and the connecting IP, not on which tenant authenticated to Microsoft, which is why a shared-provider include is weaker than it looks.

DKIM (DomainKeys Identified Mail)

DKIM is another email authentication method that allows the receiver to check if an email claiming to come from a specific domain was indeed authorized by the owner of that domain. This is done by verifying a digital signature added to the email.

Points of Concern

  • SPF Check Passed
    • The email passed the SPF check because it was sent through an authorized server (protection.outlook.com) included in Disney’s SPF record.
  • Spoofed Headers
    • The headers were manipulated to make the email appear as if it came from Disney, which can deceive recipients.
  • Gmail Handling
    • Gmail will trust and not rate-limit emails from Outlook’s servers, ensuring the email is delivered without being flagged as suspicious due to high sending volumes.

Potential for DKIM

To fully understand if the email can pass DKIM checks, we would need to know if the attackers can sign the email with a valid DKIM key. If they manage to:

  • DKIM Alignment
    • Ensure the DKIM signature aligns with the domain in the “From” header (disney.com).
  • Valid DKIM Signature
    • Use a valid DKIM signature from an authorized domain (which would be difficult unless they have compromised Disney’s signing keys or a legitimate sending infrastructure).

Proofpoint and similar services are email security solutions that offer various features to protect organizations from email-based threats, such as phishing, malware, and spam. They act as intermediaries between the sender and recipient, filtering and relaying emails. However, misconfigurations or overly permissive settings in these services can be exploited by attackers. Here’s an explanation of how these services work, their roles, and how they can be exploited:

Roles and Features of Proofpoint-like Services

  1. Email Filtering and Protection
    • Spam and Phishing Detection: Filters out spam and phishing emails.
    • Malware Protection: Scans and blocks emails containing malware or malicious attachments.
    • Content Filtering: Enforces policies on email content, attachments, and links.
  2. Email Relay and Delivery
    • Inbound and Outbound Filtering: Manages and filters both incoming and outgoing emails to ensure compliance and security.
    • Email Routing: Directs emails to the appropriate recipients within an organization.
    • DKIM Signing: Adds DKIM signatures to outgoing emails to authenticate them.
  3. Authentication and Authorization
    • IP-Based Authentication: Uses IP addresses to authenticate incoming email servers.
    • SPF, DKIM, and DMARC Support: Implements these email authentication protocols to prevent spoofing.

How Misconfigurations Allow Exploitation

  1. Permissive IP-Based Authentication
    • Generic Configuration: Proofpoint is often configured to accept emails from entire IP ranges associated with services like Office365 or Google Workspace without specifying particular accounts.
    • IP Range Acceptance: Once a service like Office365 is enabled, Proofpoint accepts emails from any IP within the Office365 range, regardless of the specific account.
  2. Exploitation Steps
    Step 1: Setting Up the Attack
    • Attacker’s Office365 Account: The attacker sets up or compromises an Office365 account.
    • Spoofing Email Headers: The attacker crafts an email with headers that mimic a legitimate sender, such as Disney.
    Step 2: Leveraging Proofpoint Configuration
    • Sending Spoofed Emails: The attacker sends the spoofed email from their Office365 account.
    • Proofpoint Relay Acceptance: Proofpoint’s permissive configuration accepts the email based on the IP range, without verifying the specific account or tenant.
    Step 3: Proofpoint Processing
    • DKIM Signing: Proofpoint signs the message with the spoofed domain’s DKIM key, the same outbound signing it performs for that customer’s legitimate mail, and the recipient’s SPF check passes because delivery comes from Proofpoint IPs listed in the spoofed domain’s SPF record.
    • Email Delivery: The email is then delivered to the target’s inbox, appearing legitimate because both DKIM and SPF align with the From domain.

Example of a Permissive Configuration in Proofpoint

  1. Admin Setup
    • Adding Hosted Services: Proofpoint allows administrators to add hosted email services (e.g., Office365) with a single-click configuration that relies on IP-based authentication.
  2. No Specific Account Configuration
    • Generic Acceptance: The setup does not specify which particular accounts are authorized, leading to a scenario where any account within the IP range is accepted.
  3. Exploitation of Misconfiguration
    • Blind Relay: Due to this broad acceptance, attackers can send emails through Proofpoint’s relay, which then processes and delivers them as if they were legitimate.

In the EchoSpoofing campaign, attackers exploited this relay configuration to send millions of phishing emails that appeared to come from legitimate domains such as Disney and IBM. Messages originated from attacker-controlled Microsoft 365 tenants and were relayed through Proofpoint, which signed them with the impersonated domain’s DKIM key and delivered them from IP addresses in that domain’s SPF record, so the messages passed SPF and DKIM checks and therefore DMARC. The weakness was not in the authentication protocols but in Proofpoint’s broad, IP-range-based acceptance of Office365 mail. Proofpoint has since added stricter, tenant-level restrictions so customers can limit relaying to their own Microsoft 365 tenant; the lesson is that relay trust must be scoped to the specific sender, not to a shared cloud provider.
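Turning the SPF, DKIM and alignment points above, together with the “via Frontend Transport” and tenant-relay discussion, into a defender-side triage routine. This is an added example, not code from the original post or from Guardio; the raw message is constructed (placeholder domains and reserved IP ranges), the organizational-domain function is a two-label simplification of what a real DMARC implementation does with the Public Suffix List, and X-OriginatorOrg is used as the header Microsoft 365 stamps with the sending tenant’s domain:

```python
"""Triage of a received message's authentication headers. Parses the raw
message, pulls the domains that SPF, DKIM and DMARC actually evaluate, checks
DMARC-style alignment against the visible From, and flags relay-path
indicators: an Exchange 'via Frontend Transport' hop and a Microsoft 365
originating tenant that differs from the From domain."""
import re
from email import message_from_bytes
from email.utils import parseaddr

# Constructed sample (not a real capture). Its shape mirrors an
# EchoSpoofing-style relay: a brand's From and Return-Path, a filtering relay
# that DKIM-signs for the brand, and an X-OriginatorOrg from an unrelated tenant.
SAMPLE = b"""Return-Path: <news@example-brand.com>
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=example-brand.com;
 dkim=pass header.d=example-brand.com header.s=selector1
Received: from relay.example-filter.net (203.0.113.10)
 by mx.example.net with ESMTPS; Mon, 29 Jul 2024 10:00:00 +0000
Received: from tenant.outbound.example-cloud.com (198.51.100.20)
 by relay.example-filter.net with ESMTP; Mon, 29 Jul 2024 09:59:58 +0000
Received: from MBX01.tenant.example-cloud.com (10.0.0.5)
 by EDGE01.tenant.example-cloud.com (10.0.0.6) with Microsoft SMTP Server
 via Frontend Transport; Mon, 29 Jul 2024 09:59:57 +0000
X-OriginatorOrg: attacker-tenant.example
From: "Example Brand" <news@example-brand.com>
To: victim@example.net
Subject: Action required
Content-Type: text/plain

Please review the attached invoice.
"""


def domain_of(address: str) -> str:
    _, addr = parseaddr(address or "")
    return addr.rpartition("@")[2].lower()


def org_domain(domain: str) -> str:
    """Organizational domain for relaxed alignment (last two labels; a real
    implementation consults the Public Suffix List)."""
    return ".".join(domain.split(".")[-2:])


def aligned(a: str, b: str) -> bool:
    return bool(a) and bool(b) and org_domain(a) == org_domain(b)


def analyze(raw: bytes) -> dict:
    msg = message_from_bytes(raw)
    auth = " ".join(msg.get_all("Authentication-Results", []))
    spf = re.search(r"spf=(\w+)\s+smtp\.mailfrom=([\w.-]+)", auth)
    dkim = re.search(r"dkim=(\w+)\s+header\.d=([\w.-]+)", auth)
    from_domain = domain_of(msg.get("From"))
    # SPF is evaluated on the envelope sender (smtp.mailfrom / Return-Path).
    mailfrom_domain = spf.group(2).lower() if spf else domain_of(msg.get("Return-Path"))
    dkim_domain = dkim.group(2).lower() if dkim else ""
    spf_ok = bool(spf) and spf.group(1) == "pass" and aligned(mailfrom_domain, from_domain)
    dkim_ok = bool(dkim) and dkim.group(1) == "pass" and aligned(dkim_domain, from_domain)
    received = msg.get_all("Received", [])
    originator = (msg.get("X-OriginatorOrg") or "").strip().lower()
    report = {
        "from_domain": from_domain,
        "spf_result": spf.group(1) if spf else "none",
        "dkim_result": dkim.group(1) if dkim else "none",
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "dmarc_pass": spf_ok or dkim_ok,  # DMARC passes on either aligned result
        "frontend_transport_hop": any("via Frontend Transport" in r for r in received),
        "originator_org": originator,
        "findings": [],
    }
    if report["dmarc_pass"] and originator and not aligned(originator, from_domain):
        report["findings"].append(
            f"authenticates for {from_domain} but originated from tenant {originator}")
    if report["frontend_transport_hop"]:
        report["findings"].append(
            "path includes an Exchange Frontend Transport hop; confirm that relay requires authentication")
    if not report["dmarc_pass"]:
        report["findings"].append("no aligned SPF or DKIM pass; apply the From domain's DMARC policy")
    return report


if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key}: {value}")
```

On the sample, SPF, DKIM and DMARC alignment all pass for example-brand.com while the message originated in an unrelated tenant, which is exactly the condition a tenant-specific relay allow-list is meant to catch; the Frontend Transport finding is informational and only matters if that hop should have required authentication.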

For more details, visit https://labs.guard.io/echospoofing-a-massive-phishing-campaign-exploiting-proofpoints-email-protection-to-dispatch-3dd6b5417db6

The Domain Name System: Understand Why Domain Name Is Still Relevant

How to Catch a Phish: A Practical Guide to Detecting Phishing Emails 

Step-by-step instructions on what to do if you fall prey to this type of cyber crime.  (Phishing in 2024)


Tags: EchoSpoofing, trusted domains


Jul 24 2024

Cybersecurity jobs available right now

Category: Cyber career, Information Security, InfoSec jobs | disc7 @ 12:31 pm

Cybersecurity jobs available right now…

Applied Cryptographer

Quantstamp | EMEA | Remote – View job details

As an Applied Cryptographer, you will research various cryptographic protocols and have knowledge of cryptographic primitives or concepts, like elliptic curve cryptography, hash functions, and PCPs. You should have experience with at least one major language, like Rust, Python, Java, or C; the exact language is not too important. You should be familiar with versioning software (specifically, GitHub), testing, and algorithms and data structures.

Cloud Security Specialist

KMS Lighthouse | Israel | On-site – View job details

As a Cloud Security Specialist, you will design, implement, and manage Azure and Microsoft 365 security solutions. Monitor security alerts, lead incident response, and conduct regular assessments. Ensure compliance with ISO 27001, SOC2 Type II and NIST standards.

CISO

CYBERcom | Israel | Hybrid – View job details

As a CISO, you will develop and implement comprehensive cybersecurity policies and procedures. Ensure compliance with relevant regulations and standards (e.g., GDPR, ISO 27001). Conduct risk assessments and develop mitigation strategies. Advise on security best practices and emerging threats. Collaborate with clients to enhance their security posture.

Cyber Range Lead

Booz Allen Hamilton | Japan | On-site – No longer accepting applications

As a Cyber Range Lead, you will lead a team of professionals as they use cyberspace capabilities to evaluate potential weaknesses as well as the effectiveness of mitigations for cyber security solutions. You will leverage cyberspace operations systems to aggregate threat feeds that inform briefings for senior leadership aligned to our client’s mission area.

Cybersecurity Technical Consultant

Thales | Mexico | Hybrid – View job details

As a Cybersecurity Technical Consultant, you will provide onsite or remote consulting services and support to Thales customers with a focus on high quality, accuracy and customer satisfaction. Develop and deliver technical hands-on product deep knowledge transfer to customers. Track and ensure successful completion of high impact projects by creating project scoping plans, design guides and relevant documentation.

Cyber Security Advisor

H&M | Sweden | On-site – View job details

As a Cyber Security Advisor, you will conduct security assessment of in-house developed and/or by third-party provided solutions in order to ensure that they are in compliance with H&M’s security standards. Conduct security maturity and risk assessment for internal and external partners.

Cyber Security Engineer

PetroApp | Egypt | Remote – View job details

As a Cyber Security Engineer, you will develop and implement cyber security policies, procedures, and controls to protect the company’s digital assets. Conduct Pen-tests, monitor network traffic and security alerts to detect and respond to potential security breaches. Perform vulnerability assessments and penetration testing to identify and remediate security vulnerabilities. Conduct regular audits of security systems and processes to ensure compliance with industry standards and regulations.

Cyber Security Governance Risk & Compliance Manager

Munster Technological University | Ireland | On-site – View job details

As a Cyber Security Governance Risk & Compliance Manager, you will develop, implement, and maintain a robust IT governance, risk, and compliance framework in line with industry best practices and regulatory requirements. Drive risk maturity through project lifecycle and provide independent assessments, challenge inherent risks in material changes e.g., business decisions, projects, process changes, implementation of new systems, applications, and infrastructure.

Cyber Security Instructor

ABM College | Canada | On-site – View job details

As a Cyber Security Instructor, you will create dynamic classroom learning experiences using various teaching strategies to facilitate adult learners in achieving learning objectives in accordance with the program objectives as set out in the curriculum. Ensure students are motivated to learn and to maximize their potential. Develop different classroom strategies to ensure knowledge and skills acquisition and retention.

Digital Forensics and Incident Response Analyst

Accenture | Philippines | On-site – View job details

As a Digital Forensics and Incident Response Analyst, you will perform incident response to cybersecurity incidents, including but not limited to APT & Nation State attacks, Ransomware infections and Malware outbreaks, Insider Threats, BEC, DDOS, Security and Data breach, etc. Conduct in-depth investigations of cybersecurity incidents, identifying the root cause, the extent of the impact, and recommended actions for containment, eradication, and recovery, and providing a final report that contains recommendations on how to prevent the same attack in the future by strengthening security posture.

Director of Information Security, Cyber Risk and Compliance

S&P Global | Italy | On-site – No longer accepting applications

As a Director of Information Security, Cyber Risk and Compliance, you will become familiar with the Cyber Risk and Compliance team activities and Market Intelligence regarding SOC reporting, relevant regulatory requirements, control frameworks, internal and external audit processes, customer interactions including security questions and audits, and overall company and divisional cyber security processes and controls. Make recommendations related to balancing requirements and deadlines made by corporate departments with human resource and technical capabilities that exist in Market Intelligence. Negotiate differences to find and implement solutions acceptable to both corporate groups and Market Intelligence.

Head of Identity Management Platform

Nexi Croatia | Croatia | Hybrid – View job details

As Head of Identity Management Platform, you will leverage your strong background in Identity and Privileged Access Management, expertise in IT technologies, and in-depth knowledge of IT security to organize and lead complex projects, manage third-party teams, and oversee platform lifecycle activities such as upgrades and integrations.

Head of Consulting

Orange Cyberdefense | Norway | Hybrid – View job details

As a Head of Consulting, you will lead, mentor, and develop a team of cybersecurity consultants, fostering a culture of excellence and continuous improvement. Define and implement the consultancy department’s strategy in alignment with the company’s goals, ensuring the delivery of innovative and effective cybersecurity solutions. Ensure that all consultancy activities adhere to industry standards, regulatory requirements, and best practices, mitigating risks to both clients and the company.

Head of Security CU TH

Ericsson | Thailand | On-site – View job details

As a Head of Security CU TH, you will facilitate execution of and follow up on security strategy, policies & instructions, governance model and frameworks. Support the business in implementation and maintenance of ISO 27001 controls across the CU as per the MA scope and Ericsson Global ISO 27001 control framework. Manage local security incidents and support investigations.

IT Program Manager

Bose Corporation | USA | On-site – View job details

As an IT Program Manager, you will develop, implement, and manage cybersecurity programs in alignment with the organization’s strategic objectives. Oversee the security projects related to enterprise applications, with a focus on safeguarding sensitive data and ensuring compliance with regulatory standards. Facilitate regular security assessments and audits to identify vulnerabilities and implement corrective actions.

Penetration Tester

Navy Federal Credit Union | USA | On-site – View job details

As a Penetration Tester, you will manage penetration tests from inception through delivery. Identify and prescribe remediation for vulnerabilities in NFCU applications, systems, and networks. Leverage complex tactics including, but not limited to, lateral movement, network tunneling/pivoting, credential compromise, and hash cracking.

Principal Data Security Specialist

Oracle | Spain | On-site – View job details

As a Principal Data Security Specialist, you will focus on delivering technical and procedural guidance to assist customers in defining the platform requirement through to realisation of the subscription value. Research and evaluate emerging solutions and services to drive continuous improvement.

Senior Architect – Cyber Security

Presight | UAE | On-site – View job details

As a Senior Architect – Cyber Security, you will develop and implement security architecture solutions to secure the organization’s IT infrastructure. Design and review security policies, standards, and procedures. Conduct security assessments and risk analysis to identify vulnerabilities and recommend mitigation strategies. Lead security projects and collaborate with cross-functional teams to integrate security measures.

Senior CyberSecurity Architect

Hexagon Geosystems | European Economic Area | Remote – View job details

As a Senior CyberSecurity Architect, you will plan, organize, test, and document the implementation of new security systems and tools; define the success criteria and security requirements, and develop reference architecture, functional and non-functional requirements for proof-of-concept efforts and projects. Lead in performing threat modeling, security architecture review, and risk assessments of new and existing technical solutions.

(Senior) Information Security Officer

Oetker Digital | Germany | Hybrid – View job details

As a (Senior) Information Security Officer, you will develop, implement, and monitor a strategic, comprehensive company information security and IT risk management program, based on the Oetker Group-wide security directive. Manage and assist in the development and implementation of the information security policies, procedures, and guidelines. Provide guidance and counsel to the C-level, the senior management team, and staff about information security and its alignment with business objectives and risk management.

Technology & Cyber Risk: Senior Officer – Cybersecurity Risk

Citi | Poland | On-site – View job details

As a Technology & Cyber Risk: Senior Officer – Cybersecurity Risk, you will review and evaluate compliance and cyber policies and procedures, technology and tools, and governance processes to provide credible challenge for minimizing losses from cyber risks. Assess cyber risks and evaluate actions to address the root causes that persistently lead to operational risk losses by challenging both historical and proposed practices. Support independent assurance activities to assess areas of concern, including substantive and controls testing.

Vulnerability Manager

TTM Technologies | USA | Remote – View job details

As a Vulnerability Manager, you will be responsible for identifying, assessing, prioritizing, and managing vulnerabilities across our systems and networks. Conduct regular vulnerability assessments and penetration tests across our systems, applications, and networks.

Starting Your Cyber Security Career: Building a Successful Career in Cyber Security

Cybersecurity Career Master Plan

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: Cybersecurity Career Master Plan, Cybersecurity jobs


Jun 06 2024

How to Implement ISO 27001: A 9-Step Guide

Category: Information Security, ISO 27k | disc7 @ 8:47 am
https://itgovernance.eu/blog/en/a-9-step-guide-to-implementing-iso-27001?

The hardest part of many projects is knowing where to start.

ISO 27001 is no exception. This standard describes best practice for an ISMS (information security management system).

In other words, it lays out the requirements you must meet, but it doesn’t show you how to adopt or implement them.

With ISO 27001:2013 certification no longer available, many organisations are preparing to adopt the 2022 version of the standard – which means tackling a new Annex A control set, among other new requirements.


1. Project mandate

The implementation project should begin by appointing a project leader.

They’ll work with other members of staff to create a project mandate, which is essentially a set of answers to these questions:

  • What do we hope to achieve?
  • How long will the project take?
  • Does the project have top management support?
  • What resources – financial and otherwise – will the project need?

2. Develop the ISO 27001 implementation plan

The next step is to use your project mandate to create a more detailed outline of:

  • Your information security objectives;
  • Your project risk register;
  • Your project plan; and
  • Your project team.

Information security objectives

Your information security objectives should be more granular and specific than your answer to ‘What do we hope to achieve?’ from step 1.

They’ll inform and be included in your top-level information security policy. They’ll also shape how the ISMS is applied.

Project risk register

Your project risk register should account for risks to the project itself, which might be:

  • Managerial – will operational management continue to support the project?
  • Budgetary – will funding continue to see the project through?
  • Legal – are specific legal obligations at risk?
  • Cultural – will staff resist change?

Each risk in the register should have an assigned owner and a mitigation plan. You should also regularly review the risks throughout the project.

Project plan

The project plan should detail the actions you must take to implement the ISMS.

This should include the following information:

  • Resources required
  • Responsibilities
  • Review dates
  • Deadlines

Project team

The project team should represent the interests of every part of the organisation and include various levels of seniority.

Drawing up a RACI matrix can help with this. This identifies, for the project’s key decisions, who’s:

  • Responsible;
  • Accountable;
  • Consulted; and
  • Informed.

One critical person to appoint and include in the project team is the information security manager. They’ll have a central role in the implementation project and eventually be responsible for the day-to-day functioning of the ISMS.


3. ISMS initiation

You’re now ready to initiate your ISMS!

Documentation structure

A big part of this is establishing your documentation structure – any management system is very policy- and procedure-driven.

We recommend a four-tier approach:

A. Policies
These are at the top of the ‘pyramid’, defining your organisation’s position and requirements.

B. Procedures
These enact the requirements of your policies at a high level.

C. Work instructions
These set out how employees implement individual elements of the procedures.

D. Records
These track the procedures and work instructions, providing evidence that you’re following them consistently and correctly.

This structure is simple enough for anyone to grasp quickly. At the same time, it provides an effective way of ensuring you implement policies at each level of your organisation, and that you develop well-functioning, cohesive processes.

Tips for more effective policies and procedures

Your policies and procedures must also be effective. Here are four tips:

  1. Keep them practicable by balancing aspirations against the reality. If your policies and/or procedures appear too idealised, staff will be much less likely to follow them.
  2. Keep them clear and straightforward, so staff can easily follow your procedures.
  3. Use version control, so everyone knows which is the latest document.
  4. Avoid duplication. This will also help with the version control.

Make sure you systematically communicate your documentation – particularly new or updated policies – throughout your organisation. Be sure to also communicate them to other stakeholders.

Continual improvement

As part of your ISMS initiation, you’ll need to select a continual improvement methodology.

First, understand that continual improvement might sound expensive, but is cost-effective if done well. As ISO 27001 pioneer Alan Calder explains:

Continual improvement means getting better results for your investment. That typically means one of two things:

  1. Getting the same results while spending less money.
  2. Getting better results while spending the same amount of money.

Yes, you need to be looking at your objectives, and asking yourself how well your ISMS is currently meeting them. And where your management system falls short, money may have to be spent.

But many improvements have little financial cost. You can make a process more efficient – perhaps by cutting out a step, or automating some manual work.

While continual improvement is a critical element of an ISO 27001 ISMS, the Standard doesn’t specify any particular continual improvement methodology.

Instead, you can use whatever method you wish, so long as it continually improves the ISMS’s “suitability, adequacy and effectiveness” (Clause 10.1). That can include a continual improvement model you’re already using for another activity.


ISO 27001 Standard, Risk Assessment and Gap Assessment

ISO 27001 standards and training

Key strategies for ISO 27001:2022 compliance adoption

What is ISO 27002:2022

ISO 27k Chat bot

Implementation Guide ISO/IEC 27001:2022

Please send an email related to ISO27001:2022 implementation to info@DeuraInfoSec.com and we are happy to help!

ISO 27001 Controls Handbook: Implementing and auditing 93 controls to reduce information security risks


Tags: Implement ISO 27001, ISO 27001 2022


May 14 2024

Free & Downloadable Access Control Policy Template

Category: Access Control, Information Security | disc7 @ 7:18 am
https://heimdalsecurity.com/blog/access-control-policy-template/

Ensuring the security of your organization’s information systems is crucial in today’s digital landscape.

Access Control is a fundamental aspect of cybersecurity that safeguards sensitive data and protects against unauthorized access. To assist you in establishing robust access control measures, we are pleased to offer a comprehensive Access Control Policy Template, available for download.

Download the templates

  1. Access Control Policy Template – PDF
  2. Access Control Policy Template – Word
  3. Access Control Policy Template – Google Docs.

What does the Access Control Policy template include?

Our Access Control Policy template is designed to provide a clear, structured framework for managing access to your organization’s information systems.

Here are some of the key components included in the template:

  • Document Control;
  • Purpose and Scope;
  • Policy Statement;
  • Roles & Responsibilities;
  • Access Control Principles;
  • Access Control Measures;
  • Access Control Technologies;
  • Monitoring and Auditing;
  • Incident Management;
  • Policy Compliance;
  • Policy Review.

Benefits of using our Access Control Policy template

Implementing an effective access control policy offers several key benefits:

  • Enhanced security: Protects sensitive data and systems from unauthorized access and potential breaches.
  • Regulatory compliance: Helps ensure compliance with relevant regulations and standards.
  • Operational efficiency: Clearly defined roles and responsibilities streamline access management processes.
  • Risk mitigation: Regular monitoring and auditing identify and address vulnerabilities proactively.

To take advantage of our comprehensive Access Control Policy Template, simply click on the links at the top of the article to download them. The download will start automatically.

You can then customize the template to fit the specific needs and context of your organization.

By doing so, you’ll be taking a significant step towards securing your information systems and safeguarding your valuable data.

Feel free to check out our other cybersecurity templates, such as patch management templates, incident response plan templates, email security policy templates, threat and vulnerability management templates, and more.

Gabriella is the Social Media Manager and Cybersecurity Communications Officer at Heimdal®, where she orchestrates the strategy and content creation for the company’s social media channels. Her contributions amplify the brand’s voice and foster a strong, engaging online community. Outside work, you can find her exploring the outdoors with her dog.

RELATED ARTICLES

Free and Downloadable Account Management Policy Template [2024]

Free and Downloadable Email Security Policy Template [2024]

[Free & Downloadable] Cybersecurity Incident Response Plan Templates – 2024

[Free & Downloadable] Cybersecurity Risk Assessment Templates – 2024

[Free & Downloadable] Threat & Vulnerability Management Templates – 2024

[Free & Downloadable] Patch Management Templates – 2024

Privacy Policy Template

Employee policy handbook template

The Complete Company Policies
