Feb 28 2013

Cutting edge titles for IT professionals

Category: Information Security | DISC @ 10:37 am


IT Governance Publishing (ITGP) is at the forefront of sourcing and publishing cutting-edge titles in the cyber security, compliance, business continuity and IT service management sectors. Below are ITGP's top 10 latest cutting-edge titles.

ISO22301 A Pocket Guide

This handy pocket guide explains what the ISO22301 Business Continuity Standard is and how to start planning a Business Continuity Management System (BCMS) that complies with this international standard.
Buy Today »

Ten Steps to ITSM Success

This book provides guidance on implementing ITSM best practices in an organisation using an easy-to-follow ten-step approach.
Buy Today »

30 Key Questions that Unlock Management

A direct response to real questions posed by real people doing real jobs. Each section contains practical advice and immediate steps you can take to deal with the issue at hand.
Buy Today »

The Quantum Age of IT

‘Charles has really nailed it for any executive struggling with IT strategy. How IT got here and where it’s going.’ – Randy Steinberg, Author, ITIL Service Operation, 2011 Edition, Principal – Migration Technologies.
Buy Today »

Running IT Like A Business

Running IT like a Business will show you how your IT function can provide much more than products and services and add real value to your business.
Buy Today »

Exploding the Myths Surrounding ISO9000 – A Practical Implementation Guide – Published 25th March

In this book management systems expert Andrew Nichols, who has over 25 years of industry experience, explains in detail how to implement ISO9000 to maximum effect.
Buy Today »

ITIL and Organizational Change – Published 5th March

Thousands of organisations adopt ITIL every year, yet many fail to achieve significant benefits. This book examines how to avoid common pitfalls and how to clear the many hurdles that can obstruct progress.
Buy Today »

Governance and Internal Controls for Cutting Edge IT – Published 5th March

Based on practical experience and real-life models, this new book covers key principles and processes for the introduction of new technologies and examines how to establish an appropriate standard of security and control.
Buy Today »

ITIL Lifecycle Essentials – Published 28th March

This book doesn’t just cover the information required to pass the foundation exam; it goes beyond that by providing practical guidance for when newly qualified practitioners enter the real world.
Buy Today »


Jan 11 2013

Why SoD should be reviewed in every assessment

Category: Information Security, Security Risk Assessment | DISC @ 2:33 pm

Like other controls, SoD (Segregation of Duties) plays an important role in reducing certain potential risks to an organization.

SoD minimizes certain risks by dividing a task so that it takes more than one individual to complete the task or a critical process. The SoD control has traditionally been used in accounting to minimize the risk of collusion. For separation of duties we don’t want to give any individual so much control that they become a security risk without proper checks and balances in place. SoD is used to avoid unauthorized modification of data and to make sure critical data is available when needed by authorized personnel, which includes, but is not limited to, the availability of the services.

Separation of Duties (SoD) is not only an important principle of security; control A10.1.3 of ISO 27001 also requires organizations to implement it.

Possible controls to implement SoD:

    * Separate the IT Dept from the user function, meaning a user should not be able to perform their own IT duties.
    * Separate InfoSec from the IT Dept. The individual responsible for InfoSec has unique knowledge of the organization's security infrastructure; a knowledgeable InfoSec individual basically holds the keys to the kingdom and should be segregated from the rest of the IT department. The InfoSec individual should also not report to the IT director, which is not only an independence issue but a conflict of interest: the IT Dept is responsible for the availability of a service, whereas the security professional is responsible for the security (adding controls) of the same service.
    * Application development and testing should be segregated. There should be a complete segregation of the app development and app testing functions. The person who puts the app into production/operation and maintains it should also be a different individual.
    * IT operation should be separate from the IT maintenance function in different tiers, meaning availability of the information should be separated from support and maintenance.
    * The database admin should be segregated from other IT functions. DBAs are very knowledgeable super users and should not have any other IT duties.
    * Last but not least, the main super user, the sysadmin (router, firewall, server, desktop), should have a separate account for performing regular user functions. These super users should be logged and audited on a regular basis.
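The controls above translate directly into a check that can be run against a directory or IAM export. The following is an added example (not code from the DISC post): it encodes each bullet as a forbidden role pair, merges roles across all accounts a person holds (SoD is a property of the person, not the account), and flags super users who lack the separate everyday account the last bullet calls for. The role names, account names and assignments are constructed.

```python
"""Segregation-of-duties (SoD) checks over role assignments.

Added example, not from the DISC post. The conflict pairs encode the controls
the post lists; the role names, account names and assignments are constructed.
"""
from collections import defaultdict
from itertools import combinations

# Role pairs that one person must not hold together (one pair per control above).
SOD_CONFLICTS = {
    frozenset({"business_user", "it_operations"}),   # users do not do their own IT
    frozenset({"infosec", "it_operations"}),         # InfoSec independent of the IT Dept
    frozenset({"app_developer", "app_tester"}),      # development vs testing
    frozenset({"app_developer", "app_production"}),  # development vs production
    frozenset({"app_tester", "app_production"}),     # testing vs production
    frozenset({"it_operations", "it_maintenance"}),  # operation vs maintenance
    frozenset({"dba", "it_operations"}),             # DBA holds no other IT duty
    frozenset({"dba", "app_developer"}),
}

# Super-user roles that must live on a dedicated account, separate from the
# account the same person uses for everyday work.
PRIVILEGED_ROLES = {"sysadmin", "network_admin", "dba"}

# Constructed sample: account name -> (person behind it, roles on that account).
ACCOUNTS = {
    "alice":     ("alice", {"business_user"}),
    "alice-adm": ("alice", {"sysadmin"}),                  # correct: separate admin account
    "bob":       ("bob",   {"app_developer", "app_tester"}),
    "carol":     ("carol", {"dba", "it_operations"}),
    "dave":      ("dave",  {"infosec"}),
    "erin-adm":  ("erin",  {"sysadmin"}),                  # no everyday account at all
    "frank":     ("frank", {"business_user", "it_operations"}),
}


def roles_by_person(accounts):
    """SoD is a property of the person, so merge roles across all their accounts."""
    merged = defaultdict(set)
    for person, roles in accounts.values():
        merged[person] |= set(roles)
    return merged


def find_conflicts(accounts):
    """Return {person: [(role_a, role_b), ...]} for every forbidden role pair held."""
    findings = {}
    for person, roles in roles_by_person(accounts).items():
        # combinations over the sorted roles yields each pair once, already ordered
        hits = [pair for pair in combinations(sorted(roles), 2)
                if frozenset(pair) in SOD_CONFLICTS]
        if hits:
            findings[person] = hits
    return findings


def missing_standard_account(accounts):
    """People who hold a privileged role but have no separate non-privileged account."""
    privileged, standard = set(), set()
    for person, roles in accounts.values():
        (privileged if set(roles) & PRIVILEGED_ROLES else standard).add(person)
    return sorted(privileged - standard)


if __name__ == "__main__":
    for person, pairs in sorted(find_conflicts(ACCOUNTS).items()):
        print(f"SoD conflict: {person} holds {pairs}")
    for person in missing_standard_account(ACCOUNTS):
        print(f"Privileged account without a separate everyday account: {person}")
```

Run as-is it reports bob (develops and tests the same app), carol (DBA who also runs operations) and frank (a business user with IT duties) as conflicts, and carol and erin as super users with no separate everyday account; alice passes because her sysadmin rights sit on a second, dedicated account.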



Nov 25 2012

Become Cyber Secure this Cyber Monday

Category: Information Security, ISO 27k | DISC @ 9:50 pm


Tips for staying safe this Cyber Monday

Cyber Monday is a marketing term for the Monday after Black Friday, the Friday following Thanksgiving in the United States, created by companies to persuade people to shop online. The term made its debut on November 28, 2005 in a Shop.org press release entitled “‘Cyber Monday’ Quickly Becoming One of the Biggest Online Shopping Days of the Year.”

Cyber Secure this Cyber Monday
Cyber Monday is the well-known one-day online retail sale following the American holiday of Thanksgiving. What better time to top up your cyber security with our ‘Become Cyber Secure this Cyber Monday’ special offers?

No 3 Comprehensive ISO27001 ISMS Toolkit – Buy before the end of November and get half a day of Live Online Consultancy Free!

Cyber Monday Security deals

Cyber Monday deals for password protected and encrypted USB drive

Shop Amazon – Cyber Monday Deals Week

Tags: CyberMonday, Online shopping


Nov 06 2012

New Tools for IT and Security professionals

Category: BCP, Information Security | DISC @ 11:40 am

IT Governance is continually striving to create, source and deliver products that help IT and information security professionals in the real world. Check out their latest Business Continuity, ITIL & ITSM and Information Security products below to help you in your current and future projects. This is a perfect time of year to start adding some of these tools to your wish list and stay abreast of your area of expertise.

ISO22301 BCMS Implementation Toolkit
New release

ITIL Lite: A Road Map to Full or Partial ITIL Implementation – ITIL 2011 Edition
New release

ITIL Foundation Essentials: The exam facts you need
Published on 6th November

Resilient Thinking: Protecting Organisations in the 21st Century
Published on 8th November

ISO19770 SAM Process Guidance: A kick-start to your SAM programme
Published 13th November

Tags: Business, business continuity, Information Security, Information Technology, Information Technology Infrastructure Library, it service management, SAM, Software asset management


Oct 11 2012

Make October YOUR Cyber Security Month

Category: cyber security, Information Security | DISC @ 12:50 pm

The US Government has declared this October the National Cyber Security Awareness Month (NCSAM).

The aim of this campaign is to:
 • Promote cyber security awareness amongst citizens and businesses
 • Educate individuals and businesses through a series of events and initiatives
 • Raise cyber awareness and increase the resilience of the nation in the event of a cyber incident

Cyber security is not just about protecting your critical assets; it can also help improve your internal systems and help you win new business.

Make October YOUR Cyber Security Month with these essential reads:

Above the Clouds: Managing Risk in the World of Cloud Computing

Assessing Information Security: Strategies, Tactics, Logic and Framework

IT Governance: An International Guide to Data Security and ISO27001/ISO27002 

21st Century Chinese Cyberwarfare

CISSP All-in-One Exam Guide, 6th Edition

More than 50 InfoSec topics in books available at DISC InfoSec store

Find out more about National Cyber Security Awareness Month at Homeland Security's website

DISC online store for recommended InfoSec services/products


Additional online safety information:

What Teens Shouldn’t Put in Their Social Media Profiles


Child Safety Guide: How to Keep Kids Safe When They're Home Alone


Ways to Check if You’re Visiting a Safe Site


Internet Safety Tips for Seniors


How to Shop Safely Online


Things You Should Never Post Online but Probably Are


11 Photos You Should Never, Ever Post on Social Media


Online Safety tips for kids:

Less screen, More Green: Outdoor Safety Tips for Kids


The Parents’ Guide to Teaching your Teen Online Safety

Keeping Kids Safe Outdoors as the World and the Roads Reopen

Tags: Computer security, Federal government of the United States, Homeland Security, National Cyber Security Awareness Month, NCSAM, October, Security, U.S. government


Sep 21 2012

Build resilience into your management system

Category: Information Security, ISO 27k | DISC @ 10:15 am


Related BCP titles

ISO22301 and ISO27001 – The building blocks of organization management system resilience

The importance of mitigating disruption to information technology services has been at the heart of disaster recovery and business continuity plans for many years. With the growth of, and dependency on, IT and the increased risk of attack from outside sources (cyber-attack), the survival of all organisations will depend upon the protection of their critical information assets and building security in at every layer.

The idea of cyber resilience – that an organisation’s IT systems and processes should be resilient against natural disaster or outside attack – is a key principle underlying best practice and compliance with the ISO22301 and ISO27001 standards.

ISO 22301:2012 (formerly BS25999) is the international standard for business continuity within organisations and defines the specification and best practice for developing and implementing a robust business continuity management system.

ISO/IEC 27001:2013 helps businesses throughout the world mitigate the risks associated with cybercrime and provides the security assurance demanded by your board, shareholders, regulators and most importantly, your customers.





Sep 10 2012

5 Reasons Why Patch Management Is Vital To Your Information Security

Category: Information Security | DISC @ 10:53 am

Related Patch Management titles

Patching is a critical part of systems administration. I don’t think anyone would argue that. But if your patching regimen consists of turning on Automatic Updates and calling it a day, or staying up until the middle of a Saturday night logging on to each server one at a time to apply patches, you are missing the point. Patching is a task; patch management is how to perform that task easily, completely and in a scalable way. Patch management is vital to your information security because it is the only way to be sure you have taken care of all of the patching needs in your environment, and that you can audit and confirm that. Let’s look at some of the reasons why patch management is so important.

1. Patch management is about more than just operating systems
While it’s extremely important to ensure you have patched your operating systems, there are dozens of other applications out there that your users are running, which could be exploited by an infected attachment, a malicious script and/or a compromised web page. Patch management applications can go beyond Windows Update, addressing patches for operating systems, Microsoft and other third-party applications, web browsers, media players and more. Patch management helps you ensure that no vulnerable apps are on your network.

2. Patch management is the most efficient way to handle both servers and workstations
You could probably manage to patch all of your servers by hand, since there’s a limited number of apps running on them, but trying to patch all your workstations and all the third-party apps would be an impossible task without a patch management application to assess all the systems and their software, delivering those critical updates to each and every system that needs them. 100% compliance is the surest way to avoid incidents.

3. Patch management makes testing easy
Patching involves testing, and that’s why so many admins don’t patch regularly. They fear a patch might introduce an incompatibility, and would rather take their chances since they don’t have time to test. Patch management applications make it easy to push a patch to a group of systems for testing before deploying it to the rest of the network.

4. Patch management makes rollbacks easy
Sometimes a patch needs to be rolled back, and doing that manually is out of the question. You are much more likely to deploy patches fully and on time if you can easily roll back when something turns out to be incompatible with a critical app, and a patch management application can uninstall patches from any or all systems just as easily as it can push them out.

5. Patch management makes reporting easy
One of the scariest things about relying on Automatic Updates is that you have no idea whether or not systems are actually patched until you check them, one by one. With a patch management application, you can quickly and easily run reports to confirm that the critical update for the zero-day exploit really did get out to all your servers and workstations, and if one was missed, you can immediately identify and remediate it before something bad happens.

Patch management is not a silver bullet. It won’t stop users from sharing passwords and it cannot prevent an admin from leaving a default configuration in place, but what it will do is enable you to keep your workstations, servers and critical applications up to date, fully patched and as secure as possible from hackers looking to exploit vulnerabilities in the software. That way you can spend more time on training users and verifying configs, and less time running around trying to update Flash for the tenth time this year.
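Points 2, 3 and 5 above are, at bottom, a report over two inputs: the list of patches that are required and what each host actually has installed. The following added example (not GFI's or the post author's code) shows that report in plain Python: per-host gaps across OS and third-party products, the overall compliance rate, a pilot-group gate that answers "has this patch cleared the test group yet?", and the critical gaps to chase first. The patch identifiers, host names and inventories are constructed placeholders, as a patch-management agent or inventory export would supply them.

```python
"""Patch-compliance reporting: which hosts still lack which required patches,
whether the pilot group has cleared a patch before it goes to everyone, and
the overall compliance rate.

Added example, not GFI's or the post author's code. Patch identifiers,
host names and inventories below are constructed placeholders.
"""

# Required patches across the OS and third-party apps (item 1): id -> metadata.
REQUIRED = {
    "OS-2012-09-PLACEHOLDER":  {"severity": "critical",  "product": "operating system"},
    "FLASH-11.4-PLACEHOLDER":  {"severity": "critical",  "product": "Flash Player"},
    "BROWSER-16-PLACEHOLDER":  {"severity": "important", "product": "web browser"},
}

# Constructed inventory as an agent would report it:
# host -> deployment group and the set of patch ids found installed.
HOSTS = {
    "srv-01":  {"group": "pilot", "installed": {"OS-2012-09-PLACEHOLDER",
                                                "FLASH-11.4-PLACEHOLDER",
                                                "BROWSER-16-PLACEHOLDER"}},
    "srv-02":  {"group": "prod",  "installed": {"OS-2012-09-PLACEHOLDER"}},
    "wks-101": {"group": "pilot", "installed": {"OS-2012-09-PLACEHOLDER",
                                                "FLASH-11.4-PLACEHOLDER"}},
    "wks-102": {"group": "prod",  "installed": set()},
}


def missing_patches(hosts, required):
    """host -> sorted list of required patch ids not installed (item 5: reporting)."""
    return {host: sorted(set(required) - info["installed"])
            for host, info in hosts.items()}


def compliance_rate(hosts, required):
    """Percentage of hosts with every required patch installed (item 2: 100% is the goal)."""
    fully = sum(1 for gaps in missing_patches(hosts, required).values() if not gaps)
    return round(100.0 * fully / len(hosts), 1) if hosts else 100.0


def pilot_cleared(hosts, patch_id, pilot_group="pilot"):
    """True when every host in the pilot group has the patch (item 3: test before rollout).

    An empty pilot group never clears a patch, so nothing can skip testing."""
    pilots = [info for info in hosts.values() if info["group"] == pilot_group]
    return bool(pilots) and all(patch_id in info["installed"] for info in pilots)


def critical_gaps(hosts, required):
    """(host, patch) pairs where a critical patch is still missing; remediate these first."""
    return sorted((host, pid)
                  for host, gaps in missing_patches(hosts, required).items()
                  for pid in gaps if required[pid]["severity"] == "critical")


if __name__ == "__main__":
    for host, gaps in sorted(missing_patches(HOSTS, REQUIRED).items()):
        print(f"{host}: {'compliant' if not gaps else 'missing ' + ', '.join(gaps)}")
    print(f"compliance: {compliance_rate(HOSTS, REQUIRED)}%")
    for pid in REQUIRED:
        print(f"{pid}: {'cleared pilot' if pilot_cleared(HOSTS, pid) else 'still in pilot'}")
    print("critical gaps:", critical_gaps(HOSTS, REQUIRED))
```

With the constructed inventory only srv-01 is fully patched (25% compliance), the browser patch has not yet cleared the pilot group because wks-101 lacks it, and the critical gaps list points straight at the two hosts still missing the Flash and OS updates.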

This guest post was provided by Casper Manes on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. Learn more about the right patch management solution.




Tags: GFI, Patch (computing), Security, Windows Update


Aug 15 2012

Staff awareness training – an essential component of ISO27001

Category: Information Security, ISO 27k | DISC @ 1:53 pm

Staff awareness and training are key for effective information security management and for achieving compliance with the ISO/IEC 27001:2005 standard.

As clause 8.2.2 of ISO 27002 (the Code of Practice for Information Security Management) sets out, it is imperative that security issues are addressed at the employee level and that a firm foundation is built for an employee to understand the implications of his/her actions and be mindful of these in their daily activities.
More importantly, you need to keep evidence that you have conducted formal staff awareness training.

What better way to obtain this evidence than deploying Information Security Staff Awareness eLearning within your organization?

The software enables your own corporate e-learning management portal to automatically retain records of which staff have completed the course. You can easily monitor the compliance status of the organization and see hard evidence of each employee’s level of understanding.

The Information Security & ISO27001 Staff Awareness eLearning course offers you tangible benefits whilst enabling you to impart basic, yet fundamental, training on information security within your organization.

Benefits of this eLearning include:
• Massive financial cost savings in comparison to traditional training options
• Minimal office disruption – staff train at their desks
• Minimal administration – comprehensive reports available
• Systematic evidence that training has actually been provided – underpinning disciplinary actions
• Simple to use, with relevant and informative content





May 25 2012

10 essential books for IT Professionals

Category: Information Security | DISC @ 11:54 am

All books are available in softcover, eBook and Kindle-compatible formats at a better price than Amazon! *

Below are 10 latest publications from IT Governance:

1) 30 Key Questions that Unlock Management
by Brian Sutton and Robina Chatham

2) The Concise PRINCE2
by Colin Bentley

3) 50 Top IT Project Management Challenges
by Premanand Doraiswamy and Premi Shiv

4) Everything you wanted to know about Business Continuity
by Tony Drewitt

5) Everything you wanted to know about Agile
by Jamie Lynn Cooke

6) Cloud Computing: Assessing the Risks
by Jared Carstensen, Bernard Golden and JP Morgenthal

7) The ITSM Iron Triangle: Incidents, Changes and Problems
by Daniel McLean

8) Managing Business Transformation: A Practical Guide
by Melanie Franklin

9) Running IT like a Business: Accenture’s Step-by-Step Guide
by Robert E. Kress

10) 21st Century Chinese Cyberwarfare (Pre-order)
by Lieutenant Colonel Hagestad





May 21 2012

Organisations can achieve ISO9001 QMS certification quicker with a bespoke toolkit

Category: Information Security | DISC @ 1:40 pm

Check out the ITG site for details

Ely, England, 21 May 2011 – IT Governance Ltd, the global leader in management system standards, information, books and tools, is advising organisations that the quicker they implement the Quality Management System standard ISO9001, the bigger their chances are to attract new customers in the current economic conditions.

Vendors who have been asked by their clients to implement the ISO9001 standard can now achieve this quickly and effectively by using the ISO9001 QMS Quality Management System Documentation Toolkit. It contains over 60 separate documents that will help organisations accelerate the development and implementation of an ISO9001 quality management system. The toolkit can be downloaded immediately here: QMS-ISO9001 Toolkit

ISO9001 is the best practice specification that helps businesses and organisations throughout the world to develop a best-in-class Quality Management System (QMS). According to BusinessLink UK Government more than 1 million organisations are currently certified against ISO9001. The advantages to businesses from implementing ISO9001 include:

• greater efficiency and less waste
• consistent control of major business processes, through key process lists
• regulation of successful working practices
• risk management
• increased customer satisfaction
• greater consistency in the quality of products and services through better control of processes
• differentiation of your business from its competitors
• increased profits

The ISO9001 QMS Toolkit, developed by IT Governance, contains a quality management manual, and a full set of policies and procedures, in addition to the necessary forms, records and work instructions to underpin those policies and procedures. It is the complete toolkit for implementing an ISO9001 quality management system.

ISO9001 in Plain English




Tags: iso 9001, QMS


Mar 10 2012

Security Controls and Principles

Category: Information Security | DISC @ 11:01 pm

For security controls to be effective, apply the pillars of information security

— Principle of least privilege
— Separation of duties
— Economy of mechanism
— Complete mediation
— Open design

  • Least privilege is the need-to-know principle, or default deny: essentially, don’t permit more than is required to meet the business requirement, to avoid extra risk
  • For separation of duties we don’t want to give any individual so much control that they become a security risk without proper checks and balances in place
  • The principle of economy of mechanism says that the more complexity we introduce into a security system, the more potential for failure we create
  • Complete mediation says that a control cannot be bypassed – no unofficial back doors
  • Open design – the security of the system must not be based on the obscurity of the mechanism
  • Information Security: Principles and Practice
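The principles above are easiest to see in a small reference monitor. The following is an added example, not code from the DISC post: the roles, resources and policy entries are constructed. The policy is an allow-list, so anything it does not mention is denied (least privilege / default deny); every read, write or delete goes through one `access` method and is logged there (complete mediation); the check is a few lines of plain data lookup with nothing hidden in it (economy of mechanism, open design).

```python
"""A minimal reference monitor illustrating default deny and complete mediation.

Added example, not from the DISC post: the roles, resources and policy
entries are constructed.
"""
from dataclasses import dataclass, field

# Allow-list: (role, resource) -> actions permitted. Anything absent is denied.
# The policy is ordinary data: no secret mechanism to rely on (open design).
POLICY = {
    ("analyst", "reports"): {"read"},
    ("editor",  "reports"): {"read", "write"},
    ("admin",   "users"):   {"read", "write", "delete"},
}


@dataclass(frozen=True)
class Principal:
    name: str
    roles: frozenset


def is_allowed(principal, action, resource):
    """Default deny: True only if some role of the principal is explicitly
    granted the action on that resource. Unknown roles, resources or actions
    all fall through to False (least privilege)."""
    return any(action in POLICY.get((role, resource), frozenset())
               for role in principal.roles)


@dataclass
class Store:
    """Holds the resources. access() is the only path to them, so the check
    cannot be skipped (complete mediation), and every decision is recorded."""
    data: dict = field(default_factory=lambda: {"reports": "Q3 summary",
                                                "users": "alice,bob"})
    audit: list = field(default_factory=list)

    def access(self, principal, action, resource):
        decision = "allow" if is_allowed(principal, action, resource) else "deny"
        self.audit.append((principal.name, action, resource, decision))
        if decision == "deny":
            raise PermissionError(f"{principal.name} may not {action} {resource}")
        if action == "read":
            return self.data.get(resource)
        if action == "write":
            self.data[resource] = f"{self.data.get(resource, '')} (edited by {principal.name})"
            return self.data[resource]
        if action == "delete":
            return self.data.pop(resource, None)
        # Only reachable if POLICY grants an action the store cannot perform.
        raise ValueError(f"unknown action {action!r}")


if __name__ == "__main__":
    store = Store()
    alice = Principal("alice", frozenset({"analyst"}))
    print(store.access(alice, "read", "reports"))          # allowed by policy
    try:
        store.access(alice, "write", "reports")            # not granted: denied
    except PermissionError as exc:
        print("denied:", exc)
    for entry in store.audit:
        print(entry)
```

Because `is_allowed` only ever returns True for an explicit grant, adding a new resource or a new role requires no change to the check itself: until someone writes a policy entry for it, nobody can touch it.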





Feb 21 2012

50 Top IT Project Management Challenges

Category: Information Security, ISO 27k | DISC @ 10:58 pm

A summary of the challenges facing today’s IT project manager
Discussions on project management forums highlight many of the challenges facing a project manager during the course of a project. Unclear requirements, scope creep and undefined roles are well-trodden issues that can derail a project. Other challenges are less obvious, often more subtle, but equally destructive.

Facing up to the challenges
This book offers a focused and concise summary of 50 challenges facing today’s IT project manager. The authors draw on years of practical experience (rather than classroom theory) to outline these challenges and offer useful tips and advice on how to deal with them.

Challenge and response
Readers of this book will be better equipped to respond to key project management challenges, including

• Building the team – getting the right resources, matching skills/knowledge, defining roles and responsibilities.
• Project scope – clarifying assumptions, avoiding ambiguity, getting the time/cost estimates right.
• Politics – communicating with management and stakeholders, dealing with conflict, handling interference and micro-managing.
• Risk awareness – identifying inside/outside influences, recognising inbound and outbound dependencies.
• Time management – using the right planning tools, balancing work versus meetings.
• Failure – handling the blame game, protecting the team, rescuing the project.

This book condenses into a handy summary much of the information and advice that can be found in project management related books and discussion forums. It is an ideal reference for anyone involved in IT project management, from professional service organisations (PSO) and project management offices (PMO), through to active project managers and studying graduates.

Buy this book and deliver your next project on time, on budget and to specification!

About the authors

Premanand Doraiswamy has over 14 years’ experience working in IT project management with Fortune 500 companies in various industries and is the author of IT Project Management – 30 Steps to Success, also published by IT Governance.

Premi Shiv is a quality assurance specialist with 7 years’ experience in IT processes and management solutions. With an optimistic approach and organisational skills, she has carved a niche in quality assurance.





Sep 01 2011

Information Security eBooks Download

Category: Information Security | DISC @ 12:14 pm

Information security eBook download sites

Studiesinn InfoSec eBook

Information-Security eBookee

Strategic-Information-Security

The-New-School-of-Information-Security

Insider’s Guide to Security Clearances

Information Threats

Information Security Risk Analysis by Thomas R. Peltier

Information Security Risk Analysis, 2 Ed. by Thomas R. Peltier

Information Security Risk Analysis by Tom Peltier shows you how to use cost-effective risk analysis techniques to identify and quantify the threats – both accidental and purposeful – that your organization faces. The book steps you through the qualitative risk analysis process using techniques such as PARA (Practical Application of Risk Analysis) and FRAP (Facilitated Risk Analysis Process) to:

Evaluate tangible and intangible risks

Use the qualitative risk analysis process

Identify elements that make up a strong Business Impact Analysis

Conduct risk analysis with confidence





Jul 07 2011

Securing the Enterprise in a Changing World

Category: Information Security | DISC @ 10:31 pm

RSA Conference 2011 Keynote – Securing the Enterprise in a Changing World – Bill Veghte

An applications transformation has begun, creating both challenges and opportunities: with users (consumers) demanding everything as a service, anywhere, how can enterprises secure critical corporate infrastructure assets and information? Building security into applications, assessing risk even before coding begins, and applying quality and operational management using ITIL concepts to the practice of security are key.

Enterprise Security





Jun 29 2011

TSA Is NOT Security It’s A JOKE!

Category: Access Control, Information Security | DISC @ 10:10 pm

“Security measures that just force the bad guys to change tactics and targets are a waste of money,” said Bruce Schneier. “It would be better to put that money into investigations and intelligence.”

The security boss of Amsterdam’s Schiphol Airport is calling for an end to endless investment in new technology to improve airline security.
Marijn Ornstein said: “If you look at all the recent terrorist incidents, the bombs were detected because of human intelligence not because of screening … If even a fraction of what is spent on screening was invested in the intelligence services we would take a real step toward making air travel safer and more pleasant.”

“TSA Is NOT Security It’s A JOKE!” Issac Yeffet
http://www.youtube.com/watch?v=s7pICJ0i6Jc

Don’t touch my Junk





Jun 28 2011

InfraGard Insights: Separation of Duties and…

Category: Information Security | DISC @ 10:31 pm

InfraGard is an FBI partner site: a public-private partnership devoted to sharing information about threats to US physical and Internet infrastructure.

Discussion of two important principles of information security:
Separation of Duties and the concept of least privilege, and their impact on system administration.

Principles of Information Security





Jun 12 2011

U.S. Underwrites Internet Detour Around Censors

Category: Information Privacy, Information Security | DISC @ 11:05 pm

By JAMES GLANZ and JOHN MARKOFF

The Obama administration is leading a global effort to deploy “shadow” Internet and mobile phone systems that dissidents can use to undermine repressive governments that seek to silence them by censoring or shutting down telecommunications networks.

The effort includes secretive projects to create independent cellphone networks inside foreign countries, as well as one operation out of a spy novel in a fifth-floor shop on L Street in Washington, where a group of young entrepreneurs who look as if they could be in a garage band are fitting deceptively innocent-looking hardware into a prototype “Internet in a suitcase.”

Financed with a $2 million State Department grant, the suitcase could be secreted across a border and quickly set up to allow wireless communication over a wide area with a link to the global Internet.

The American effort, revealed in dozens of interviews, planning documents and classified diplomatic cables obtained by The New York Times, ranges in scale, cost and sophistication.

Some projects involve technology that the United States is developing; others pull together tools that have already been created by hackers in a so-called liberation-technology movement sweeping the globe.

The State Department, for example, is financing the creation of stealth wireless networks that would enable activists to communicate outside the reach of governments in countries like Iran, Syria and Libya, according to participants in the projects.

In one of the most ambitious efforts, United States officials say, the State Department and Pentagon have spent at least $50 million to create an independent cellphone network in Afghanistan using towers on protected military bases inside the country. It is intended to offset the Taliban’s ability to shut down the official Afghan services, seemingly at will.

The effort has picked up momentum since the government of President Hosni Mubarak shut down the Egyptian Internet in the last days of his rule. In recent days, the Syrian government also temporarily disabled much of that country’s Internet, which had helped protesters mobilize.

The Obama administration’s initiative is in one sense a new front in a longstanding diplomatic push to defend free speech and nurture democracy. For decades, the United States has sent radio broadcasts into autocratic countries through Voice of America and other means. More recently, Washington has supported the development of software that preserves the anonymity of users in places like China, and training for citizens who want to pass information along the government-owned Internet without getting caught.

But the latest initiative depends on creating entirely separate pathways for communication. It has brought together an improbable alliance of diplomats and military engineers, young programmers and dissidents from at least a dozen countries, many of whom variously describe the new approach as more audacious and clever and, yes, cooler.

Sometimes the State Department is simply taking advantage of enterprising dissidents who have found ways to get around government censorship. American diplomats are meeting with operatives who have been burying Chinese cellphones in the hills near the border with North Korea, where they can be dug up and used to make furtive calls, according to interviews and the diplomatic cables.

The new initiatives have found a champion in Secretary of State Hillary Rodham Clinton, whose department is spearheading the American effort. “We see more and more people around the globe using the Internet, mobile phones and other technologies to make their voices heard as they protest against injustice and seek to realize their aspirations,” Mrs. Clinton said in an e-mail response to a query on the topic. “There is a historic opportunity to effect positive change, change America supports,” she said. “So we’re focused on helping them do that, on helping them talk to each other, to their communities, to their governments and to the world.”

For the remainder of the article, see U.S. Underwrites Internet Detour Around Censors

A version of this article appeared in print on June 12, 2011, on page A1 of the New York edition with the headline: U.S. Underwrites Internet Detour Around Censors.





    May 24 2011

    Learn to secure Web sites built on open source CMSs

    Category: App Security,Information SecurityDISC @ 9:26 pm

    CMS Security Handbook: The Comprehensive Guide for WordPress, Joomla, Drupal, and Plone

    Open Source Software certainly does have the potential to be more secure than its closed source counterpart. But make no mistake, simply being open source is no guarantee of security.

    Learn how to secure Web sites built on open source CMSs (Content Management Systems)

    Web sites built on Joomla!, WordPress, Drupal, or Plone face some unique security threats. If youโ€™re responsible for one of them, this comprehensive security guide, the first of its kind, offers detailed guidance to help you prevent attacks, develop secure CMS-site operations, and restore your site if an attack does occur. Youโ€™ll learn a strong, foundational approach to CMS operations and security from an expert in the field.

    • More and more Web sites are being built on open source CMSs, making them a popular target and exposing you to new forms of attack
    • This is the first comprehensive guide focused on securing the most common CMS platforms: Joomla!, WordPress, Drupal, and Plone
    • Provides the tools for integrating the Web site into business operations, building a security protocol, and developing a disaster recovery plan
    • Covers hosting, installation security issues, hardening servers against attack, establishing a contingency plan, patching processes, log review, hack recovery, wireless considerations, and infosec policy
    CMS Security Handbook is an essential reference for anyone responsible for a Web site built on an open source CMS.




    Tags: CMS, Drupal, Joomla, Open source, Plone, web security, WordPress


    May 19 2011

    Paying attention to basics is key to healthy security ecosystem, says panel

    Category: Information Security,Security AwarenessDISC @ 11:01 am

    Employee security awareness, firewalls, data leakage protection, and collaboration are all key components of a healthy information security ecosystem, according to a panel at the MIT Sloan CIO Symposium held Wednesday.

    The moderator, Owen McCusker of Sonalysts, asked the panel to describe what companies can do to create a healthy information security ecosystem.

    Michael Daly, director of IT security services at Raytheon, said that his company has developed information security guidelines that include employee security awareness training, firewalls and data segregation, and "command and control blocking" that focuses on outbound traffic.

    "There are always going to be vulnerabilities on your systems that are unpatched. There is nothing you are going to be able to do about it. So you ask yourself, 'If I'm attacked, what am I going to do next?' Watch for the traffic that is leaving your network. That is a key point", Daly told conference attendees.

    Defense in depth is a key information security strategy, noted David Saul, chief scientist at State Street, a Boston-based financial institution. "You need to use all of the tools you have available", he stressed.

    "You need to have firewalls, you need to have data leakage protection. ... You need to have a combination of technologies ... as well as employee awareness", he said.

    Saul also recommended information security collaboration across industries. He noted that there is an organization in New England called the Advanced Cyber Security Center that brings together information security experts from the financial, defense, health care, energy, and high-tech industries to share best practices and threat information and expertise.

    Kurt Hakenson, chief technologist for Northrop Grumman's Electronic Systems, added that collaboration should be not only across industries but also among industry peers.

    "Security folks tend to be protective about information about breaches. There is always a balance about sharing that information with your industry peers. You will find that for the operational folks that are involved in the day-to-day work, relationships are critical. Being able to get on the phone is so important, because the adversaries who are targeting you are using the same techniques. They are socially aware", Hakenson said.

    Daly noted that Raytheon and Northrop Grumman are involved with the US government in Project Stonewall, a defense industry group that shares threat information in real time.

    Allen Allison, chief security officer at cloud service provider NaviSite, said that providers also share information about security threats. "We undertake analysis of what traffic should look like, does look like, or can look like compared to the norm. We share that with all of our partners", Allison noted.


    There are always going to be threats and vulnerabilities in your infrastructure that are unaddressed; there is no such thing as absolute security. Watch the traffic leaving your company to detect an incident, and have a comprehensive incident handling program in place to manage it.

    It's all about prioritizing risks and mitigating them in a cost-effective way.

    Related Titles for Information Security Awareness





    May 16 2011

    Your Security For Your Personal Finances

    Category: cyber security,Information SecurityDISC @ 10:30 am

    by Consumer Reports

    Threats to Your Personal Finances and Six Ways to Stay Safer

    Banking from a public computer
    Keylogging malware that can capture account numbers, passwords, and other vital data is a risk that has been linked to use of open Wi-Fi connections and public computers such as those in hotel lobbies.

    Using unfamiliar ATMs
    Thieves have been known to put out-of-order signs on a legitimate ATM and set up nearby freestanding bogus ones that “skim” data from your card. ATMs located inside banks within view of surveillance cameras aren’t risk-free, but they pose more challenges for crooks installing skimming equipment.

    Two other important pieces of advice related to ATMs: Separate your PIN code from your ATM or debit card. Almost 1 in 10 people carry their code with the card, says ACI Worldwide, a payment systems company. And when typing your PIN into an ATM or card reader, use your free hand to shield the keypad from the view of hidden cameras or anyone nearby.

    Dropping your guard at gas pumps
    Card-skimming at gas stations is likely to increase during summer months, especially in vacation areas, so use cash or credit cards at the pumps if possible. If you must use a debit card, select the option to have the purchase processed as a credit-card transaction rather than typing in your PIN.

    Ignoring your credit or debit cards
    Monitor your accounts at least weekly to spot and report unauthorized transactions as soon as possible. Use services offered by your bank or card issuer that can help protect you, such as an e-mail or text alert if a transaction occurs for more than a certain amount.

    Abandoning your receipts
    Many transactions, such as filling up your tank and making a debit-card withdrawal, leave a paper trail. Don’t toss away receipts in the ATM lobby or leave them at the gas pump. Hold on to them until your transactions have cleared your bank account to make sure the totals match. Then shred the receipts if they have any information a thief might use.

    Trashing your bills
    Thieves harvest sensitive data from account statements and other financial documents placed in the trash and use them for ID theft, says Inspector Michael Romano of the U.S. Postal Inspection Service. Shred them first.

    6 Ways to Stay Safer

    1. Watch out for imposters

    The fastest-growing scam in the past year has been imposter fraud, according to the latest annual report on consumer complaints from the Federal Trade Commission. Thieves claiming to be someone they’re not (such as a friend or relative stranded overseas in need of cash to get home, a bill collector, or an employee of a government agency) use Facebook messages, e-mail, phone calls, and text messages to persuade people to send money or divulge personal information such as Social Security or account numbers. Last year, 60,000 people reported that they were affected by this form of fraud, up from just five cases reported in 2008.

    2. Learn to parallel park
    Car thieves are becoming more professional. They’re stealing new cars by putting them on a flatbed tow truck, our expert says. Parallel parking hinders access to the front and rear of your car, making it difficult to tow. Also, be careful about whom you bump into at the grocery store, especially if your car has keyless entry and a push-button ignition. A thief with an antenna and a small kit of electronics can transmit your key’s code to another thief standing near your car, allowing him to open it, start it, and drive it away.

    3. Hide the stuff in your car
    Don’t leave electronics and other valuables visible inside your car. GPS units are less of a magnet these days; cell phones and laptops more so. Holiday gifts are a big target, so don’t stack them up in the backseat. Is there a worse move? Yes. Leaving your stuff in the back of a pickup truck.

    4. Change your PIN
    Make it a habit to routinely change the secret code for your debit card or ATM card. That gives you better protection against any thieves or skimming schemes.

    5. Keep a financial inventory
    Once a year take out all of the cards in your wallet, make a list of the account numbers and contact information you’ll need to cancel cards if they become lost or stolen, and hide it in a safe place, says Mark Rasch, a former Department of Justice computer-crime prosecutor who is a director at CSC, a business technology firm based in Falls Church, Va.

    6. Change your Wi-Fi password
    If you have a home wireless network, choose the highest-security option. That way your Web-browsing and financial transactions will be more protected. Go a step further and create your own administrative password rather than rely on a default password supplied by the router.

    Related titles to protect your personal & private information




    8 ways to protect your Facebook privacy




