Feb 04 2022

What Is Information Risk Management? Definition & Explanation

Category: Information Security,Security Risk AssessmentDISC @ 12:54 am

Information risk management is the process of identifying the ways an organisation can be affected by a disruptive incident and how it can limit the damage.

It encompasses any scenario in which the confidentiality, integrity and availability of data is compromised.

As such, it’s not just cyber attacks that you should be worried about. Information risk management also includes threats within your organisation – such as negligent or malicious employees – as well as residual risks.

For example, the framework can help you address misconfigured databases, software vulnerabilities and poor security practices at third parties.

In this blog, we take a closer look at the way information risk management works and how organisations can use its guidance to bolster their security defences.

Why is information risk management important?

In the face of ever-growing cyber threats, it can be difficult for an organisation to protect its information assets.

Last year, the World Economic Forum listed cyber crime alongside COVID-19, climate change and the debt crisis as the biggest threats facing society in the next decade. It’s clear, then, that organisations need a plan for identifying and addressing security risks.

With an information risk management system, organisations gain a better understanding of where their information assets are, how to protect them and how to respond when a breach occurs.

One way it does this is by forcing organisations to not only identify but also assess their risks. This ensures that organisations prioritise scenarios that are most likely to occur or that will cause the most damage, enabling them to make informed decisions in line with their security budget.

How risk management works

To understand how risk management programmes work, we need to take a closer look at what ‘risk’ actually is.

In an information security context, risk can be defined as the combination of a vulnerability and a threat.

As we’ve previous discussed, a vulnerability is a known flaw that can be exploited to compromise sensitive information.

These are often related to software flaws and the ways that criminal hackers can exploit them to perform tasks that they weren’t intended for.

They can also include physical vulnerabilities, such as inherent human weaknesses, such as our susceptibility to phishing scams or the likelihood that we’ll misplace a sensitive file.

This is different from a threat, which is defined as the actions that result in information being compromised.

So, to use the examples above, threats include a criminal hacker exploiting a software flaw or duping an employee with a bogus email.

When a threat meets a vulnerability, you get a risk. In the case of the criminal hacker phishing an employee, the risk is that the attacker will gain access to the employee’s work account and steal sensitive information. This can result in financial losses, loss of privacy, reputational damage and regulatory action.

A risk management system helps organisations identify the ways in which vulnerabilities, threats and risks intertwine. More importantly, it gives organisations the ability to determine which risks must be prioritised and identify which controls are best equipped to mitigate the risk.

Start protecting your business

At the heart of risk management is the risk assessment. This is the process where threats and vulnerabilities are identified. Organisations can use the result of the assessment to plan their next moves.

This process can be labour-intensive, but you can simplify the task with our risk assessment tool vsRisk.

With vsRisk, you’ll receive simple tools that are specifically designed to tackle each part of the risk assessment.

This software package is:

  • Easy to use. The process is as simple as selecting some options and clicking a few buttons.
  • Able to generate audit reports. Documents such as the Statement of Applicability and risk treatment plan can be exported, edited and shared across the business and with auditors.
  • Geared for repeatability. The assessment process is delivered consistently year after year (or whenever circumstances change).
  • Streamlined and accurate. Drastically reduces the chance of human error.

Risk Management Training

Tags: information risk management, Risk Assessment, Risk management, risk management training

Feb 01 2022

Cybersecurity staff turnover and burnout: How worried should organizations be?

Category: Information SecurityDISC @ 10:13 am
Cybersecurity staff turnover and burnout: How worried should organizations be?

The heightened risk of cyberattacks on businesses is being compounded by significant recruitment and retention issues within cybersecurity teams, making businesses more vulnerable to potential attacks, according to a research from ThreatConnect.

cybersecurity teams retention issues

With the number of data breaches in 2021 soaring past that of 2020, there is added pressure on cybersecurity teams to keep businesses secure. The research has found a concerning level of staff turnover, skills shortages, burnout, and low staff morale, pointing towards depleted reserves trying to manage the growing risk.

Cybersecurity teams recruitment and retention issues

  • Senior decision-makers across the US report an average security staff turnover rate of 20%.
  • 64% of senior decision-makers have seen a rise in turnover over the past year.
  • 43% of US respondents attribute a lack of skills as the biggest barrier for recruitment.
  • 1 in 5 US respondents are considering quitting their jobs in the next six months.
  • 57% of US respondents have experienced an increase in stress over the past six months.

The COVID-19 pandemic has created what many are calling the Great Resignation, which has affected all industries for the past two years. Employees, specifically those in the security industry, are now being expected to do more with less.

Cybercrime has increased significantly over the past year, making digital protection for businesses both more important and more difficult to achieve. Companies cannot afford to lose any security team members with cybercrime increasing so rapidly.

“In today’s digital ecosystem it is crucial that security employees receive adequate training, support, and resources needed to work efficiently in their jobs,” said Adam Vincent, CEO of ThreatConnect. “As employee turnover increases in this sector, it creates a vicious cycle that impacts a company’s performance and ability to mitigate cyber risks.”

“This makes it even more difficult for security teams to fulfill the company’s needs. Organizations must look at these numbers and recognize that there is more that can be done to protect their employees and in turn, the welfare of their company.”

Cybersecurity Career Master Plan

Breaking Out of Burnout

Tags: Breaking Out of Burnout, Cybersecurity Career, Cybersecurity jobs, Cybersecurity staff

Jan 28 2022

Deadbolt ransomware hits more than 3,600 QNAP NAS devices

Category: Information Security,RansomwareDISC @ 3:41 pm
Deadbolt ransomware hits more than 3,600 QNAP NAS devices

More than 3,600 network-attached storage (NAS) devices from Taiwanese company QNAP have been infected and had their data encrypted by a new strain of ransomware named Deadbolt.

Devices attacked by the Deadbolt gang are easy to recognize because the login screen is typically replaced with a ransom note, and local files are encrypted and renamed with a .deadbolt extension.

The threat actor behind the attacks is extorting not only the owners of the NAS devices but also the QNAP company itself.

According to a copy of the ransom note, device owners are told to pay 0.03 Bitcoin ($1,100) to receive a decryption key to unlock their files, while in an second note, the hackers demand 5 Bitcoin ($1.86 million) from QNAP to reveal details about the supposed zero-day vulnerability they have been using to attack its users, and another 50 Bitcoin ($18.6 million) to release a master decryption key that unlock all of the victims’ files.

For its part, QNAP was quick to formally acknowledge the attacks in a blog post on Wednesday, hours after hundreds of users started flocking to its support forum to report finding their files encrypted.

In the first days following the attack, the company has been telling users to disconnect devices from the internet and, if not possible, at least disable features such as port forwarding and UPnP on their routers, to prevent attackers from connecting to the NAS systems.

https://

therecord.media
/deadbolt-ransomware-hits-more-than-3600-qnap-nas-devices/

Ransomware Protection Playbook

Tags: Deadbolt ransomware, QNAP NAS, Ransomware Protection Playbook

Jan 26 2022

PwnKit: Local Privilege Escalation bug affects major Linux distros

Category: Information SecurityDISC @ 10:19 am
PwnKit: Local Privilege Escalation bug affects major Linux distros

An attacker can exploit a vulnerability in Polkit’s pkexec component, tracked as CVE-2021-4034, that affects all major Linux distributions to gain full root privileges on the system. The good news is that this issue is not remotely exploitable, but if an attacker can log in as any unprivileged user, it can allow to gain root privileges.

The flaw, dubbed PwnKit, was introduced more than 12 years ago (May 2009) since the initial commit of pkexec, this means that all the versions are affected.

Polkit (formerly PolicyKit) is a component used to controll system-wide privileges in Unix-like OS. It allows non-privileged processes to communicate with privileged processes. polkit also allow to execute commands with elevated privileges using the command pkexec followed by the command intended to be executed (with root permission).

Researchers from Qualys Research Team have discovered a memory corruption vulnerability in SUID-root program polkit.

“The Qualys Research Team has discovered a memory corruption vulnerability in polkit’s pkexec, a SUID-root program that is installed by default on every major Linux distribution.” reads the post published by Qualys.”Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host. Qualys security researchers have been able to independently verify the vulnerability, develop an exploit, and obtain full root privileges on default installations of Ubuntu, Debian, Fedora, and CentOS. Other Linux distributions are likely vulnerable and probably exploitable.”

“This vulnerability is an attacker’s dream come true” explained Qualys:

  • pkexec is installed by default on all major Linux distributions (we exploited Ubuntu, Debian, Fedora, CentOS, and other distributions are probably also exploitable);
  • pkexec is vulnerable since its creation, in May 2009 (commit c8c3d83, “Add a pkexec(1) command”);
  • any unprivileged local user can exploit this vulnerability to obtain full root privileges;
  • although this vulnerability is technically a memory corruption, it is exploitable instantly, reliably, in an architecture-independent way;
  • and it is exploitable even if the polkit daemon itself is not running.

Experts pointed out that it is very easy to exploit the flaw, while Qualys doesn’t plan to release a PoC for this issue other experts are already working on releasing it.

Bleeping Computer reported that a working exploit was publicly released less than three hours after Qualys published the technical details for PwnKit. BleepingComputer has compiled and tested the available exploit, which proved to be reliable as it gave us root privileges on the system on all attempts.

Jan 25 2022

OWASP Testing Guide

Category: Information Security,Web SecurityDISC @ 4:59 pm

Owasp-testing-guide-4.0Download

Owasp A Complete Guide

Jan 17 2022

Microsoft: Data-wiping malware disguised as ransomware targets Ukraine again

Category: Information Security,MalwareDISC @ 12:03 pm
Microsoft: Data-wiping malware disguised as ransomware targets Ukraine again

Microsoft said today that it has observed a destructive attack taking place in Ukraine where a malware strain has wiped infected computers and then tried to pass as a ransomware attack, but without providing a ransomware payment and recovery mechanism.

“At present and based on Microsoft visibility, our investigation teams have identified the malware on dozens of impacted systems and that number could grow as our investigation continues,” the Microsoft Threat Intelligence Center said in a blog post late Saturday night.

The OS maker said the affected systems belong to multiple government agencies, non-profits, and information technology organizations, all based in Ukraine.

Microsoft said it has not yet identified the distribution vector or if the attack spread beyond the original Ukrainian targets.

The attack does not appear to be at the same scale and virality as the NotPetya and BadRabbit wiper events that targeted Ukrainian organizations in June and November 2017, respectively, and then spread all across the world.

Just like the NotPetya and BadRabbit wipers, Microsoft said that this recent one also comes with a component that overwrites a computer Master Boot Record (MBR) and prevents them from booting.

The malware corrupts files, rewrites MBR, hides as ransomware

The malware, which Microsoft calls WhisperGate, then replaces the boot-up screen with a ransom note, which, according to Microsoft, includes a ransom fee, a Bitcoin address to receive payments, and a Tox ID to get in contact with the attackers.

In case victims manage to restore their MBR and their boot-up sequence, Microsoft says the malware also corrupts files with a certain extension by overwritting their contents with a fixed number of 0xCC bytes up to a total file size of 1MB.

“After overwriting the contents, the destructor renames each file with a seemingly random four-byte extension,” Microsoft said.

.3DM .3DS .7Z .ACCDB .AI .ARC .ASC .ASM .ASP .ASPX .BACKUP .BAK .BAT .BMP .BRD .BZ .BZ2 .CGM .CLASS .CMD .CONFIG .CPP .CRT .CS .CSR .CSV .DB .DBF .DCH .DER .DIF .DIP .DJVU.SH .DOC .DOCB .DOCM .DOCX .DOT .DOTM .DOTX .DWG .EDB .EML .FRM .GIF .GO .GZ .HDD .HTM .HTML .HWP .IBD .INC .INI .ISO .JAR .JAVA .JPEG .JPG .JS .JSP .KDBX .KEY .LAY .LAY6 .LDF .LOG .MAX .MDB .MDF .MML .MSG .MYD .MYI .NEF .NVRAM .ODB .ODG .ODP .ODS .ODT .OGG .ONETOC2 .OST .OTG .OTP .OTS .OTT .P12 .PAQ .PAS .PDF .PEM .PFX .PHP .PHP3 .PHP4 .PHP5 .PHP6 .PHP7 .PHPS .PHTML .PL .PNG .POT .POTM .POTX .PPAM .PPK .PPS .PPSM .PPSX .PPT .PPTM .PPTX .PS1 .PSD .PST .PY .RAR .RAW .RB .RTF .SAV .SCH .SHTML .SLDM .SLDX .SLK .SLN .SNT .SQ3 .SQL .SQLITE3 .SQLITEDB .STC .STD .STI .STW .SUO .SVG .SXC .SXD .SXI .SXM .SXW .TAR .TBK .TGZ .TIF .TIFF .TXT .UOP .UOT .VB .VBS .VCD .VDI .VHD .VMDK .VMEM .VMSD .VMSN .VMSS .VMTM .VMTX .VMX .VMXF .VSD .VSDX .VSWP .WAR .WB2 .WK1 .WKS .XHTML .XLC .XLM .XLS .XLSB .XLSM .XLSX .XLT .XLTM .XLTX .XLW .YML .ZIP

At the time of writing, the attackers’ Bitcoin address only contains one payment of $5, even if the ransom request is for $10,000.

No formal attribution just yet

Tags: Data-wiping malware

Jan 13 2022

14 CYBER SECURITY PREDICTIONS FOR 2022 AND BEYOND

Category: cyber security,Information SecurityDISC @ 10:46 am

14 Cyber Security Predictions For 2022 – by Mandiant

14-CYBER-SECURITY-PREDICTIONS-1Download

Blackout Warfare: Attacking The U.S. Electric Power Grid A Revolution In Military Affairs

Tags: Blackout Warfare, CYBER SECURITY PREDICTIONS

Jan 12 2022

NIST Cybersecurity Framework (CSF)

Category: Information Security,NIST CSFDISC @ 10:34 am

NIST-Cybersecurity-Framework-CSF-1Download

NIST Cybersecurity Framework – A Pocket Guide

NIST Cybersecurity Framework - A Pocket Guide

Tags: CSF, NIST Cybersecurity Framework

Jan 11 2022

Night Sky ransomware operators exploit Log4Shell to target hack VMware Horizon servers

Category: Information Security,Log Management,Log4j,RansomwareDISC @ 10:40 am
Night Sky ransomware operators exploit Log4Shell to target hack VMware Horizon servers

The Night Sky ransomware operation started exploiting the Log4Shell flaw (

CVE-2021-44228
) in the Log4j library to gain access to VMware Horizon systems.

The ransomware gang started its operations on December 27, 2021, and has already hacked the corporate networks of two organizations from Bangladesh and Japan respectively. The gang has also set up a leak site on the Tor network where it will publish files stolen to the victims that will not pay the ransom.

Researchers from MalwareHunterteam first spotted the ransomware family, once encrypted a file, the ransomware appends the ‘.nightsky‘ extension to encrypted file names.

In early January, threat actors started targeting VMware Horizon systems exposed on the Internet. VMware has addressed Log4Shell in Horizon with the release of 2111, 7.13.1, 7.10.3 versions, but unfortunately many unpatched systems are still exposed online.

On Monday, Microsoft posted a warning about a new campaign from a China-based actor it tracks as DEV-0401 to exploit the Log4Shell vulnerability on VMware Horizon systems exposed on the internet, and deploy Night Sky ransomware.

Tags: Log4shell, Night Sky ransomware

Jan 10 2022

Eight resolutions to help navigate the new hybrid office model

Category: Information Privacy,Information SecurityDISC @ 12:37 pm
Eight resolutions to help navigate the new hybrid office model

Here are some resolutions to follow to ensure your organization safely navigates the new hybrid office model.

1. Increase security awareness. The human factor is always the weakest link in cybersecurity. CISOs must stretch communications skills and create new channels to deliver education about information security. They must expand messages beyond phishing warnings to include topics such as laws and regulations that connect security with the business. Information privacy is a key topic.

2. Know who is connecting. Throughout the pandemic, the challenge of secure connectivity has been persistent. The bottom line is that secure VPN, single sign-on, and two/multi factor authentication are a must to validate and only allow in authentic users. Access and security logs must be carefully analyzed to identify any suspicious activity.

3. Secure VPNs and patch updates. VPNs hit the headlines at the start of the pandemic because many companies reinstated VPNs that were previously disabled without patching them first. Hackers took advantage of the situation, scanning for devices that they could exploit. Routine patching must be part of the security model and must be a top priority when it comes to safeguarding a business with work-from-home employees.

4. Secure the cloud. The cloud and “on demand” models have become hugely important for helping users access the applications they need to do work from anywhere. While this shift to the cloud has its productivity benefits, it has not come without its security challenges. It is important to remember that cloud environments are not automatically secure when they are first created. Securing them requires knowledge and time. To keep business safe, security controls must span all environments – providing 360-degree application protection for both the application surface and the cloud application infrastructure.

5. Know your suppliers. The SolarWinds vulnerability highlighted the need for companies to thoroughly evaluate the tools and services they integrate into their operations. This includes the careful installation and configuration of the product or service, tracking patches and new releases from the vendor, and monitoring for any suspicious behavior. In a highly sensitive environment, some companies may choose not to use third-party products or services.

6. Know the enemy. From nation-state attacks and climate hacktivists to disgruntled employees, security teams need to understand the techniques, tactics, and procedures used by malicious actors. By getting to know their adversaries, security will be better prepared to detect and evict threat actors who might be targeting their environment. Many security companies issue threat alerts that can be used to gather the latest intel to inform a security strategy. Continuous monitoring and analysis are required to detect and respond to these threats as soon as possible.

7. Maintain visibility. Companies need to make sure they can maintain visibility and consistency of security control posture across a collection of platforms, infrastructures, and technologies. Having visibility and control via security and development dashboards is a must. These dashboards should provide actionable analytics, automation, and customized controls.

8. Balance the load. Companies need sufficient capacity to balance the load on the network and scale to meet the needs of remote workers. After all, there is no point in having a secure network if every time it is accessed by large numbers of employees it fails because it can’t cope with demand. Since employee productivity depends on applications being available and accessible, CISOs must find appropriate solutions that provide business continuity. Those with multiple data centers should use global load balancing to ensure availability across data centers and the cloud.

CISOs have much to address moving forward in the new year. Fortunately, these eight resolutions can help ensure continuous improvements for safely navigating the new (out-of-) office reality.

How to keep your home office Safe and Secure

Hybrid Work Management

Hybrid Work Management: How to Manage a Hybrid Team in the New Workplace (A super-short book about how to analyze, plan, manage, and evaluate your team’s hybrid work arrangement) by [Hassan Osman]

Tags: hybrid office model, Hybrid Work Management

Jan 08 2022

One Book Reveals the Future of the Chinese-American Conflict

Category: Cyber War,Digital cold war,Information Security,Information WarfareDISC @ 11:02 pm

In great-power competition, force is the coin of the realm. The Great Nightfall: Why We Must Win the New Cold War explains how. 

Ambassador Middendorf delivers a seminal book for understanding military competition in an era of great-power competition. No one who is serious about the future security, prosperity and freedom of America should neglect this essential read.

Ambassador Bill Middendorf makes one unambiguous argument in his new book, The Great Nightfall: Why We Must Win the New Cold War. America won’t survive and thrive in an era of great-power competition without a strong, dominant military. There is one reason for that. China.  

The Great Nightfall lays out the threat posed by the Chinese Communist Party. It also makes a compelling argument for the kind of military the U.S. needs to match the dangers posed by Beijing. 

Middendorf has given a full lifetime of service to the nation, from his days at sea during World War II to diplomatic assignments and government posts. Among the latter, a turn as Secretary of the Navy. He was instrumental in designing the naval forces that completely outmatched the Soviets during the Cold War. Today, he remains America’s maritime Henry Kissinger, the nation’s preeminent thinker on naval modernization. 

In The Great Nightfall, Middendorf deconstructs great-power competition. Regardless of how many internet trolls, little green men, bank accounts and businesses a state controls, it’s not enough to make the state a great power. That requires real military power. 

Without the capacity to physically defend national interests, big states are fat banks waiting to be robbed. In contrast, nations that can defend themselves have a foundation on which to build sustainable diplomatic, economic and political policies. “The Cold War ended,” Middendorf argues in The Great Nightfall, “because we were the strongest military force in the world, backed by a unified NATO and strong allies in the Pacific.”  

In short, in great-power competition, force is the coin of the realm. The problem with contemporary competition, Middendorf notes, is that “[t]imes have changed.” China is on a path to challenge the United States for number one.  

One of the attributes the great-power competition shares with the Cold War is that our adversaries would prefer to “win without fighting.” In other words, they want to achieve victory without the debilitating costs and risks of direct military conflict. These opponents are predisposed to adopt indirect approaches to whittle-away at the strength and solidarity of the free world. That said, military competition plays an important role in their calculus, particularly for China. Chinese strategy envisions ultimately demonstrating sufficient military dominance that Beijing can intimidate other nations and bend them to its will. 

In some ways, the new era of great-power competition resembles a new type of arms race. And, as was the case during the Cold War, there are concerns that the competition could turn into armed confrontation. Indeed, The Great Nightfall maps out several scenarios—from North Korea to the South China Seas—where great powers could actually come to blows. 

The Great Nightfall, however, is fundamentally a book about how the United States can establish conventional and strategic deterrence in the modern world. “This book is not a call for war,” writes the author. “The best way to prepare for war is to be prepared to win it. We need to stop underfunding the military, especially in areas of research, non-conventional war, space, cyberwar, and artificial intelligence. War is changing, and we need to change with it. We cannot expect success fighting tomorrow’s conflicts with yesterday’s weapons.”  

Middendorf’s blueprint for protecting America in the twenty-first century stands out in two ways. First, he provides a detailed assessment of how to protect the U.S. capacity to build and sustain a modern military. Here, he addresses issues from research and development, to establishing secure, “clean” supply chains, to ship-building. Second, he delivers a comprehensive overview of future U.S. naval needs.

It is not just his naval service and stint as Secretary of the Navy that lead the ambassador to focus on seapower. Fundamentally, China’s potential as a global threat is rooted in its ability to project maritime power. And naval power, in the modern sense, is multidimensional, linking the ability to sail the seas with undersea warfare, air, space, and cyber operations. 

The outstanding contribution of The Great Nightfall is its extraordinarily deep evaluation of all aspects of naval power, covering the nature of the Chinese threats and the appropriate countermeasures. In the end, Middendorf delivers a seminal book for understanding military competition in an era of great-power competition. No one who is serious about the future security, prosperity and freedom of America should neglect this essential read.  

Tags: Chinese-American Conflict, New Cold War, The Great Nightfall

Jan 08 2022

What it takes to Start a Career in InfoSec

Category: Cyber career,Information Security,InfoSec jobsDISC @ 9:55 am

 A useful advice from Cybersecurity Learning Saturday event. 
Cybersecurity Learning Saturday is a free program to help folks to build their professional careers. #cybersecurity #career #InfoSeccareer

What-it-takes-to-Start-a-Career-in-InfoSec-1Download

Finding Your Cybersecurity Career Path

Proven techniques and effective tips to help you advance in your cybersecurity career

InfoSec Jobs

Tags: #cybersecurity #career, Cybersecurity Career Master Plan, infosec career, InfoSec career path

Jan 05 2022

CISO guide to bolstering cyber defenses

Category: CISO,Information Security,vCISODISC @ 9:27 am

CISO-guide-to-bolstering-cyber-defenses-1Download
CISO-mind-mapDownload

Why CIOs Should Report to CISOs – If the CISO is responsible for the security of the organization, then that same person also should be responsible for both security and IT infrastructure.

CISO Desk Reference Guide: A Practical Guide for CISOs

Tags: CISO, CISO guide

Jan 04 2022

List of data breaches and cyber attacks in December 2021 – 219 million records breached

Category: Cyber Attack,Data Breach,data security,Information SecurityDISC @ 10:35 am
List of data breaches and cyber attacks in December 2021 – 219 million records breached

List of data breaches and cyber attacks in December 2021 – 219 million records breached

Luke Irwin  4th January 2022

2021 was a difficult year many of us, and with the hope that COVID-19 will dissipate in the spring, this is a new year more than any other where we want to look forwards, not backwards.

But before we turn our attention to 2022, we must first round out 2021 with our final monthly review of data breaches and cyber attacks. December saw 74 publicly disclosed security incidents, which accounted for 219,310,808 breached records.

You can find the full list of incidents below, with those affecting UK-based organisations listed in bold.

Additionally, we’ll also soon be publishing our latest quarterly review of security incidents, in which you can discover the latest trends and take a look back at the year as a whole.

Contents

Big Breaches: Cybersecurity Lessons for Everyone

Tags: Big Breaches, cyber attacks, data breaches

Dec 28 2021

Top 3 ITG ISO 27001 books 

Category: Information Security,ISO 27kDISC @ 1:44 pm
Now that the festive frenzies have almost finished and you still have a few quiet days to spend at home, this is a great time to invest in your education. Enhance your knowledge of ISO 27001 with our wide range of books. Available in a variety of formats, including audiobook, softcover, Kindle and ePub, they cover everything you need to know about ISO 27001 and how to implement it. You can also focus on gaining an ISO 27001 qualification and top up your CPD/CPE points with our self-paced training courses. Until January 3, you can get 10% off self-paced training courses by using the promo code XMASTRAIN at checkout*. 
 ISO 27001 controls – A guide to implementing and auditing
ISO 27001 controls – A guide to implementing and auditing
ISO 27001 controls – A guide to implementing and auditing Ideal for information security managers, auditors, consultants and organizations preparing for ISO 27001 certification, this book will help readers understand the requirements of an ISMS (information security management system) based on ISO 27001. Similarly, for anyone involved in internal or external audits, the book includes the definitive requirements that auditors must address when certifying organizations to ISO 27001 Buy now

Nine Steps to Success – An ISO 27001 Implementation Overview, North American edition
Nine Steps to Success – An ISO 27001 Implementation Overview, North American edition
Get to grips with the requirements of the ISO 27001 Standard and discover how to make your ISO 27001 implementation project a success with this must-have guide from international ISO 27001 expert Alan Calder.
The ideal resource for anyone tackling ISO 27001 implementation for the first time, it details the key steps of an ISO 27001 project from inception to certification and explains each element of the ISO 27001 project in simple, non-technical language. Buy now

   Information Security Risk Management for ISO 27001/ISO 27002, third edition
Information Security Risk Management for ISO 27001/ISO 27002
Information Security Risk Management for ISO 27001/ISO 27002Ideal for risk managers, information security managers, lead implementers, compliance managers and consultants, as well as providing useful background material for auditors, this book will enable readers to develop an ISO 27001-compliant risk assessment framework and deliver real, bottom-line business benefits.
Buy now

Tags: ISO 27001 books

Dec 27 2021

The ultimate guide to PCI DSS compliance

Category: Information Security,pci dssDISC @ 11:56 am

The ultimate guide to PCI DSS compliance

Luke Irwin  

If your business handles debit or credit card data, you’ve probably heard of the PCI DSS (Payment Card Industry Data Security Standard).

It’s an information security framework designed to reduce payment card fraud by requiring organisations to implement technical and organisational defence measures.

We explain everything you need to know about the PCI DSS in this blog, including who it applies to, the benefits of compliance and what happens if you fail to meet its requirements.

Who needs PCI DSS compliance?

Any merchant or service provider that processes, transmits or stores cardholder state is subject to the PCI DSS.

  • Merchants are organisations that accept debit or credit card payments for goods or services.
  • Service providers are businesses that are directly involved in processing, storing or transmitting cardholder data on behalf of another entity.

Some organisations can be both a merchant and a service provider. For instance, an organisation that provides data processing services for other merchants will also be a merchant itself if it accepts card payments from them.

Benefits of PCI DSS compliance

The most obvious benefit of PCI DSS compliance is to reduce the risk of security incidents. When organisations implement its requirements, they shore up the most common weaknesses that attackers exploit.

According to the 2020 Trustwave Global Security Report, the majority of data breaches involving cardholder data were CNP (card-not-present) attacks. This indicates that e-commerce platforms are the most vulnerable, but this is only half the picture.

Data protection isn’t just about preventing cyber attacks; information can also be exposed by mistakes the organization makes. Such errors can also result in violations of the GDPR (General Data Protection Regulation) and other data protection laws.

PCI DSS compliance can help organisations prevent regulatory errors and the effects associated with it.

Is PCI DSS compliance mandatory?

The PCI DSS is a standard not a law, and is enforced through contracts between merchants, acquiring banks that process payment card transactions and the payment brands.

Compliance is mandatory for all organisations that process, store or transmit cardholder data. Covered organisations that fail to meet their requirements could face strict penalties.

Notably, the Standard doesn’t simply levy a one-off fine for non-compliance. Instead, organisations can be penalised between $5,000 (about €4,300) and $100,000 (about €86,000) a month until they achieve compliance.

Organisations can also face other punitive measures from their acquiring bank. For example, the bank might increase its transaction fees or terminate the relationship with the merchant altogether.

How do I achieve PCI DSS compliance?

The PCI DSS contains 12 requirements that organisations must meet if they are to achieve compliance.

They are combination of technical solutions, such as data encryption and network monitoring, alongside processes and policies to ensure that employees manage sensitive data effectively.

Those processes include steps such as changing default passwords, restricting physical access to locations where cardholder data is stored and creating an information security policy.

How do you know if you are PCI compliant?

To demonstrate that your organisation is PCI DSS compliant, organisations must audit their CDE (cardholder data environment).

There are three types of audit:

The type of audit you must conduct, and your exact PCI DSS compliance requirements, will vary depending on your merchant or service provider level. This information is based on the number of card transactions processed per year.

Level 1 merchants are those process more than 6 million transactions per year, or those whose data has previously been compromised. They must complete the following each year:

  • RoC conducted by a QSA or ISA.
  • Quarterly scan by an ASV.

Level 2 merchants are those that process 1 million to 6 million transactions per year. They must complete the following each year:

  • RoC conducted by a QSA or ISA, or an SAQ (SAQ D) signed by a company officer (dependent on payment brand).
  • Quarterly scan by an ASV

Level 3 merchants are those that process 20,000 to 1 million transactions per year. They must complete the following each year:

  • SAQ signed by a company officer.
  • Quarterly scan by an ASV (dependent on SAQ completed).

Level 4 merchants are those that process fewer than 20,000 transactions per year. They must complete the following each year:

  • SAQ signed by a company officer.
  • Quarterly scan by an ASV (dependent on SAQ completed).

The audit requirements for service providers are more straightforward. Level 1 encompasses any organisation that process and/or store more than 300,000 transactions per year. They are required to conduct a RoC by a QSA or ISA and have an ASV conduct quarterly scans.

Service providers that transmit and/or store fewer than 300,000 transactions per year must complete either an RoC conducted by a QSA or an ISA, or an SAQ D signed by a company officer. They must also have an ASV conduct quarterly scans.

Get started with the PCI DSS

As a QSA company, IT Governance provides services to support organisations at each stage of each organisation’s PCI DSS compliance project. You can find out complete list of PCI DSS services and solutions on our website.

Organizations looking for help achieving compliance should take a look at our PCI DSS Documentation Toolkit.

It contains everything you need to implement the Standard’s requirements, including template documents and a document checker to ensure you select and amend the appropriate records.

The toolkit supports all self-assessment questionnaires, regardless of your specific payment scenario.

It’s fully aligned with the PCI DSS, so you can be sure that your policies are accurate and compliant. All you have to do is fill in the sections that are relevant to your organization.

PCI DSS Implementation Training Course | Qualified Security Assessor Company

PCI DSS: A pocket guide, sixth edition

PCI DSS: A pocket guide, sixth edition | IT Governance USA

Tags: PCI, pci dss

Dec 22 2021

All in One SEO Plugin Bug Threatens 3M Websites with Takeovers

Category: Information Security,Web SecurityDISC @ 1:16 pm
All in One SEO Plugin Bug Threatens 3M Websites with Takeovers

A critical privilege-escalation vulnerability could lead to backdoors for admin access nesting in web servers.

A popular WordPress SEO-optimization plugin, called All in One SEO, has a pair of security vulnerabilities that, when combined into an exploit chain, could leave website owners open to site takeover. The plugin is used by more than 3 million websites.

An attacker with an account with the site – such as a subscriber, shopping account holder or member – can take advantage of the holes, which are a privilege-escalation bug and an SQL-injection problem, according to researchers at Sucuri.

wordpress plugin zero day

“WordPress websites by default allow any user on the web to create an account,” researchers said in a posting on Wednesday. “By default, new accounts are ranked as subscriber and do not have any privileges other than writing comments. However, certain vulnerabilities, such as the ones just discovered, allow these subscriber users to have vastly more privileges than they were intended to have.”

The pair is ripe for easy exploitation, according to Sucuri, so users should upgrade to the patched version, v. 4.1.5.3. Marc Montpas, a security researcher at Automattic,  was credited with finding the bugs.

Privilege Escalation and SQL Injection

WordPress – Security Tips – How to outsmart hackers: A step-by-step guide

Tags: Plugin Bug, Wordpress Security Tips

Dec 17 2021

SANS 2021 Top New Attacks and Threat Report

Category: Cyber Attack,Cyber Threats,Information Security,Threat detection,Threat ModelingDISC @ 2:21 pm

SANS 2021 Top New Attacks and Threat Report Download

System Security Threats | Computer Science Posters

Tags: SANS 2021, System Security Threats

Dec 10 2021

The Red Team Guide

Category: Information Security,Security IncidentDISC @ 12:54 pm
The Red Team Guide – by Peerlyst

Download a copy of The Red Team Guide

Rtfm: Red Team Field Manual

The Red Team Field Manual (RTFM) is a no fluff, but thorough reference guide for serious Red Team members who routinely find themselves on a mission without Google or the time to scan through a man page. The RTFM contains the basic syntax for commonly used Linux and Windows command line tools, but it also encapsulates unique use cases for powerful tools such as Python and Windows PowerShell. The RTFM will repeatedly save you time looking up the hard to remember Windows nuances such as Windows wmic and dsquery command line tools, key registry values, scheduled tasks syntax, startup locations and Windows scripting. More importantly, it should teach you some new red team techniques.

Download a copy of The Red Team Guide

Incident Response Management Foundation Training Course

Tags: Red team, Red Team Field Manual, Rtfm, The red team guide

Dec 09 2021

Kali Linux 2021.4 released: Wider Samba compatibility, The Social-Engineer Toolkit, new tools, and more!

Category: Information Security,Linux SecurityDISC @ 10:40 am
Kali Linux 2021.4 released: Wider Samba compatibility, The Social-Engineer Toolkit, new tools, and more!

Samba Client, Kaboxer theme support

Starting Kali Linux 2021.4, the Samba client is now configured for Wide Compatibility so that it can connect to pretty much every Samba server out there, regardless of the version of the protocol in use. This change should make it easier to discover vulnerable Samba servers “out of the box”, without having to configure Kali.

With the latest update of Kaboxer tools no longer look out of place, as it brings support for window themes and icon themes. This allows the program to properly integrate with the rest of the desktop and avoids the usage of ugly fallback themes.

Here is a comparison of how zenmap looks with the default Kali Dark theme, compared to the old appearance:

Kali Linux 2021.4

New Tools in Kali Linux 2021.4

Here’s a quick run down of what’s been added (to the network repositories):

  • Dufflebag – Search exposed EBS volumes for secrets
  • Maryam – Open-source Intelligence (OSINT) Framework
  • Name-That-Hash – Do not know what type of hash it is? Name That Hash will name that hash type!
  • Proxmark3 – if you are into Proxmark3 and RFID hacking
  • Reverse Proxy Grapher – graphviz graph illustrating your reverse proxy flow
  • S3Scanner – Scan for open S3 buckets and dump the contents
  • Spraykatz – Credentials gathering tool automating remote procdump and parse of lsass process
  • truffleHog – Searches through git repositories for high entropy strings and secrets, digging deep into commit history
  • Web of trust grapher (wotmate) – reimplement the defunct PGP pathfinder without needing anything other than your own keyring

More on The Social-Engineer Toolkit

Kali Linux 2021.4 download

Tools and infosec training

Tags: Kali Linux, Kali Linux 2021.4

« Previous PageNext Page »