InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
Jan 08 2022
A useful advice from Cybersecurity Learning Saturday event.
Cybersecurity Learning Saturday is a free program to help folks to build their professional careers. #cybersecurity #career #InfoSeccareer
Finding Your Cybersecurity Career Path
Proven techniques and effective tips to help you advance in your cybersecurity career
InfoSec Jobs
Jan 05 2022
CISO Desk Reference Guide: A Practical Guide for CISOs
Jan 04 2022
Luke Irwin 4th January 2022
2021 was a difficult year many of us, and with the hope that COVID-19 will dissipate in the spring, this is a new year more than any other where we want to look forwards, not backwards.
But before we turn our attention to 2022, we must first round out 2021 with our final monthly review of data breaches and cyber attacks. December saw 74 publicly disclosed security incidents, which accounted for 219,310,808 breached records.
You can find the full list of incidents below, with those affecting UK-based organisations listed in bold.
Additionally, we’ll also soon be publishing our latest quarterly review of security incidents, in which you can discover the latest trends and take a look back at the year as a whole.
Contents
Big Breaches: Cybersecurity Lessons for Everyone
Dec 28 2021
| Now that the festive frenzies have almost finished and you still have a few quiet days to spend at home, this is a great time to invest in your education. Enhance your knowledge of ISO 27001 with our wide range of books. Available in a variety of formats, including audiobook, softcover, Kindle and ePub, they cover everything you need to know about ISO 27001 and how to implement it. You can also focus on gaining an ISO 27001 qualification and top up your CPD/CPE points with our self-paced training courses. Until January 3, you can get 10% off self-paced training courses by using the promo code XMASTRAIN at checkout*. |
 ISO 27001 controls – A guide to implementing and auditing |
| ISO 27001 controls – A guide to implementing and auditing Ideal for information security managers, auditors, consultants and organizations preparing for ISO 27001 certification, this book will help readers understand the requirements of an ISMS (information security management system) based on ISO 27001. Similarly, for anyone involved in internal or external audits, the book includes the definitive requirements that auditors must address when certifying organizations to ISO 27001 Buy now |
 Nine Steps to Success – An ISO 27001 Implementation Overview, North American edition |
| Get to grips with the requirements of the ISO 27001 Standard and discover how to make your ISO 27001 implementation project a success with this must-have guide from international ISO 27001 expert Alan Calder. The ideal resource for anyone tackling ISO 27001 implementation for the first time, it details the key steps of an ISO 27001 project from inception to certification and explains each element of the ISO 27001 project in simple, non-technical language. Buy now |
 Information Security Risk Management for ISO 27001/ISO 27002 |
| Information Security Risk Management for ISO 27001/ISO 27002Ideal for risk managers, information security managers, lead implementers, compliance managers and consultants, as well as providing useful background material for auditors, this book will enable readers to develop an ISO 27001-compliant risk assessment framework and deliver real, bottom-line business benefits. Buy now |
Dec 27 2021
If your business handles debit or credit card data, you’ve probably heard of the PCI DSS (Payment Card Industry Data Security Standard).
It’s an information security framework designed to reduce payment card fraud by requiring organisations to implement technical and organisational defence measures.
We explain everything you need to know about the PCI DSS in this blog, including who it applies to, the benefits of compliance and what happens if you fail to meet its requirements.
Any merchant or service provider that processes, transmits or stores cardholder state is subject to the PCI DSS.
Some organisations can be both a merchant and a service provider. For instance, an organisation that provides data processing services for other merchants will also be a merchant itself if it accepts card payments from them.
The most obvious benefit of PCI DSS compliance is to reduce the risk of security incidents. When organisations implement its requirements, they shore up the most common weaknesses that attackers exploit.
According to the 2020 Trustwave Global Security Report, the majority of data breaches involving cardholder data were CNP (card-not-present) attacks. This indicates that e-commerce platforms are the most vulnerable, but this is only half the picture.
Data protection isn’t just about preventing cyber attacks; information can also be exposed by mistakes the organization makes. Such errors can also result in violations of the GDPR (General Data Protection Regulation) and other data protection laws.
PCI DSS compliance can help organisations prevent regulatory errors and the effects associated with it.
The PCI DSS is a standard not a law, and is enforced through contracts between merchants, acquiring banks that process payment card transactions and the payment brands.
Compliance is mandatory for all organisations that process, store or transmit cardholder data. Covered organisations that fail to meet their requirements could face strict penalties.
Notably, the Standard doesn’t simply levy a one-off fine for non-compliance. Instead, organisations can be penalised between $5,000 (about €4,300) and $100,000 (about €86,000) a month until they achieve compliance.
Organisations can also face other punitive measures from their acquiring bank. For example, the bank might increase its transaction fees or terminate the relationship with the merchant altogether.
The PCI DSS contains 12 requirements that organisations must meet if they are to achieve compliance.
They are combination of technical solutions, such as data encryption and network monitoring, alongside processes and policies to ensure that employees manage sensitive data effectively.
Those processes include steps such as changing default passwords, restricting physical access to locations where cardholder data is stored and creating an information security policy.
To demonstrate that your organisation is PCI DSS compliant, organisations must audit their CDE (cardholder data environment).
There are three types of audit:
The type of audit you must conduct, and your exact PCI DSS compliance requirements, will vary depending on your merchant or service provider level. This information is based on the number of card transactions processed per year.
Level 1 merchants are those process more than 6 million transactions per year, or those whose data has previously been compromised. They must complete the following each year:
Level 2 merchants are those that process 1 million to 6 million transactions per year. They must complete the following each year:
Level 3 merchants are those that process 20,000 to 1 million transactions per year. They must complete the following each year:
Level 4 merchants are those that process fewer than 20,000 transactions per year. They must complete the following each year:
The audit requirements for service providers are more straightforward. Level 1 encompasses any organisation that process and/or store more than 300,000 transactions per year. They are required to conduct a RoC by a QSA or ISA and have an ASV conduct quarterly scans.
Service providers that transmit and/or store fewer than 300,000 transactions per year must complete either an RoC conducted by a QSA or an ISA, or an SAQ D signed by a company officer. They must also have an ASV conduct quarterly scans.
As a QSA company, IT Governance provides services to support organisations at each stage of each organisation’s PCI DSS compliance project. You can find out complete list of PCI DSS services and solutions on our website.
Organizations looking for help achieving compliance should take a look at our PCI DSS Documentation Toolkit.
It contains everything you need to implement the Standard’s requirements, including template documents and a document checker to ensure you select and amend the appropriate records.
The toolkit supports all self-assessment questionnaires, regardless of your specific payment scenario.
It’s fully aligned with the PCI DSS, so you can be sure that your policies are accurate and compliant. All you have to do is fill in the sections that are relevant to your organization.
PCI DSS: A pocket guide, sixth edition
Dec 22 2021
A critical privilege-escalation vulnerability could lead to backdoors for admin access nesting in web servers.
A popular WordPress SEO-optimization plugin, called All in One SEO, has a pair of security vulnerabilities that, when combined into an exploit chain, could leave website owners open to site takeover. The plugin is used by more than 3 million websites.
An attacker with an account with the site – such as a subscriber, shopping account holder or member – can take advantage of the holes, which are a privilege-escalation bug and an SQL-injection problem, according to researchers at Sucuri.
“WordPress websites by default allow any user on the web to create an account,” researchers said in a posting on Wednesday. “By default, new accounts are ranked as subscriber and do not have any privileges other than writing comments. However, certain vulnerabilities, such as the ones just discovered, allow these subscriber users to have vastly more privileges than they were intended to have.”
The pair is ripe for easy exploitation, according to Sucuri, so users should upgrade to the patched version, v. 4.1.5.3. Marc Montpas, a security researcher at Automattic, was credited with finding the bugs.
WordPress – Security Tips – How to outsmart hackers: A step-by-step guide
Dec 17 2021
SANS 2021 Top New Attacks and Threat Report Download
System Security Threats | Computer Science Posters
Dec 10 2021
Download a copy of The Red Team Guide
The Red Team Field Manual (RTFM) is a no fluff, but thorough reference guide for serious Red Team members who routinely find themselves on a mission without Google or the time to scan through a man page. The RTFM contains the basic syntax for commonly used Linux and Windows command line tools, but it also encapsulates unique use cases for powerful tools such as Python and Windows PowerShell. The RTFM will repeatedly save you time looking up the hard to remember Windows nuances such as Windows wmic and dsquery command line tools, key registry values, scheduled tasks syntax, startup locations and Windows scripting. More importantly, it should teach you some new red team techniques.
Download a copy of The Red Team Guide
Incident Response Management Foundation Training Course
Dec 09 2021
Starting Kali Linux 2021.4, the Samba client is now configured for Wide Compatibility so that it can connect to pretty much every Samba server out there, regardless of the version of the protocol in use. This change should make it easier to discover vulnerable Samba servers “out of the box”, without having to configure Kali.
With the latest update of Kaboxer tools no longer look out of place, as it brings support for window themes and icon themes. This allows the program to properly integrate with the rest of the desktop and avoids the usage of ugly fallback themes.
Here is a comparison of how zenmap looks with the default Kali Dark theme, compared to the old appearance:
Here’s a quick run down of what’s been added (to the network repositories):
Dec 07 2021
Let’s try to understand what CRLF injection is. In response to an HTTP request from a web browser, a web server sends a response, which contains both the HTTP headers and the actual content of the website. There is a special combination of characters that separates the HTTP headers from the HTML response (the website content), namely a carriage return followed by a line feed.
When a header ends with a CRLF, a new header is created on the server. So, a web application or a user will know when a new line begins in a file or text block.
An attacker can inject information into HTTP responses by using the CRLF characters that separate HTTP responses. As long as the header and body end in *CRLF>*CRLF>, the browser will understand that the header ends. Consequently, they have the option to store data in the body of the answer, where HTML is stored.
If an attacker enters the ASCII code for carriage return (%0d) and line feed (%0a) in a HTTPS header, they could identify them easily. The result would look like this:
https://xyz.com/index.php?page=home%0d%0a
Table of Contents
Dec 06 2021
Training available for individual or Corporate members
Dec 06 2021
Security and Privacy Preserving for IoT and 5G Networks: Techniques, Challenges, and New Directions
Related articles:
The Best & Worst States in America for Online Privacy
Wireless Wars: China’s Dangerous Domination of 5G
👇 Please Follow our LI page…
#InfoSecTools and #InfoSectraining
Dec 05 2021
Dec 04 2021
Cybersecurity Incident & Vulnerability Response Playbooks – Audiobook
![Cybersecurity Incident & Vulnerability Response Playbooks by [Cybersecurity and Infrastructure Security Agency]](https://m.media-amazon.com/images/I/51QvXBL8MYL._SX260_.jpg)
Dec 03 2021
Cloud services are an integral part of modern business. They provide a cost-effective way to store data; and with the rise in hybrid workforces, they deliver a reliable way for employees to access information remotely.
But as is often the case with technological solutions, the benefits of convenience comes with security risks. In this blog, we look at the top five Cloud security challenges that organisations face, and provide tips on how to overcome them.
A Gartner study found that 95% of Cloud breaches are the result of the result of misconfigurations.
2. Phishing scams
3. Insider threats
Insider Threats (Cornell Studies in Security Affairs)
4. Regulatory non-compliance
the risk of a data breach and create GDPR (General Data Protection Regulation) headaches.
5. Insecure UIs and APIs
Design secure network and API endpoint security for Microservices applications
You can find more tips like the ones in this blog by reading Securing Cloud Services: A pragmatic guide.
This book, written by security architect Lee Newcombe, explains everything you need to know about Cloud security. It covers the key concepts of Cloud computing and the its security architectures, and then looks at the security considerations you must acknowledge.
It’s ideal for anyone looking at implementing Cloud services, whether that’s infrastructure-, platform-, software- or function-as-a-service.
Dec 01 2021
With one month left in 2021, the annual total running total of compromised records is to just shy of 5 billion.
Keep an eye out for our end-of-year report in the next few weeks, where we’ll break down the findings of these lists – or subscribe to our Weekly Round-up to get the latest news sent straight to your inbox.
In the meantime, you can find the full list of security incidents below, with those affecting UK organizations listed in bold.
Contents
Different techniques and tools used by cyberattackers to exploit a system are thoroughly discussed and analyzed in their respective chapters.
Use promo code XMASTOOLS to redeem your 10% discount on any toolkit, but hurry – this exclusive offer ends December 5.
Toolkits are sets of documents and tools that allow you to easily create and maintain up-to-date compliance documents. Each toolkit contains:
* Pre-written policies, procedures, and templates created by industry experts that will save you time and money
* Additional tools to ensure complete coverage of the relevant standard, framework, or regulation
* Work instructions and guidance
Nov 29 2021
As a resource, the internet is a wonderful place for children to learn, explore ideas, and express themselves creatively. The internet is also key in a child’s social development, helping to strengthen communication skills, for example when playing games or chatting with friends.
However, parents should be aware that all these activities often come with risks. Kids online can be exposed to inappropriate content, cyberbullying, and even predators.
While keeping an eye on what your children see and do online helps protect them against these risks, it’s not easy monitoring your kids without feeling like you’re invading their privacy. Just asking what websites they visit may give the impression that you don’t trust your child.
The key to combatting any big risk is education. It’s important for you and your children to be aware of the dangers, how to protect against them, and how to identify the warning signs. This is why we’ve put together this guide, to help both you and your kids* understand how to navigate the internet safely.
*Look out for our “For Kids” tips below, which you can share with your kids and teens.
A 2020 study by the Pew Research Center found that:
More on Online Threats to Kids…
Nov 29 2021
Save 15% off books, toolkits, self-paced training courses, and selected Live Online training courses. Use code BF15 at checkout to claim your discount. But hurry, offer ends tomorrow 30 November, midnight PDT*.
This Black Friday ITG is offering you 15% off ITGP books, ITGP toolkits, self-paced training courses, and selected Live Online training courses.
Discover all resources  |
| Bestselling books |
 The California Privacy Rights Act (CPRA) – An implementation and compliance guide This book gives you a comprehensive understanding of the CPRA, covering key terms, security requirements, the breach notification procedure, and the penalties for non-compliance.  ISO 27001 controls – A guide to implementing and auditing The must-have book to understand the requirements of an ISMS (information security management system) based on ISO 27001.  Certified ISO 27001 ISMS Foundation Self-Paced Online Training Course This course provides a complete introduction to the key elements required to achieve ISO 27001 compliance. |
Nov 26 2021
Practical Cloud Security: A Guide for Secure Design and Deployment
MicroMasters® Program in Cloud Computing
