Jan 27 2019

How WhatsApp Merger With Facebook Messenger Puts Your Privacy At Risk

Category: Information Privacy | DISC @ 9:45 am

Facebook Messenger, Instagram and WhatsApp are to be integrated under the hood so that messages will travel across a unified communications platform. So, what are the implications for the privacy of users of these services?

    Source: How WhatsApp Merger With Facebook Messenger Puts Your Privacy At Risk



    Jan 26 2019

    Security Awareness Roadmap – Infographic via SANS Institute

    Category: Security Awareness | DISC @ 3:46 pm

    #InfoSecAwareness

    Full Size Image: Security Awareness Roadmap



    Jan 25 2019

    How a Security Vendor Tricked Social Media Phishers

    Category: Phishing | DISC @ 11:33 am

    UK-based Fidus Information Security was targeted by angler phishing

    Source: How a Security Vendor Tricked Social Media Phishers




    Jan 25 2019

    Windows 7 migration warning: Plan now to avoid security worries later | ZDNet

    Category: Information Security | DISC @ 9:56 am

    Malware can spread much more easily on obsolete platforms, warns security body. With less than a year until the end of Windows 7 support, don’t get caught out.

    Source: Windows 7 migration warning: Plan now to avoid security worries later | ZDNet



    Tags: Windows 7, windows security


    Jan 24 2019

    Google Creates Online Phishing Quiz

    Category: Phishing | DISC @ 11:59 am

    Google Alphabet incubator Jigsaw says knowing how to spot a phish plus two-factor authentication are the best defenses against falling for a phishing email.

    Source: Google Creates Online Phishing Quiz




    Jan 24 2019

    Security is the no. 1 IT barrier to cloud and SaaS adoption

    Category: Cloud computing | DISC @ 8:32 am

    More than 70% of tech professionals said security spending has increased in the past year, according to a Ping Identity report.

    Source: Security is the no. 1 IT barrier to cloud and SaaS adoption

    Tags: cloud security, Cloud Security Alliance


    Jan 23 2019

    Center for Internet Security releases Microsoft 365 benchmarks

    Category: App Security, Information Security | DISC @ 11:01 am

    Follow the guidance in this CIS document to configure Microsoft 365 security settings to the level that suits your organization.

    Source: Center for Internet Security releases Microsoft 365 benchmarks



    Jan 23 2019

    Chinese Hacker Publishes PoC for Remote iOS 12 Jailbreak On iPhone X

    Category: Jail break | DISC @ 9:24 am

    Here we have great news for all iPhone jailbreak lovers, and a concerning one for the rest of iPhone users.
    A Chinese cybersecurity researcher has today revealed technical details of critical vulnerabilities in the Apple Safari web browser and iOS that could allow a remote attacker to jailbreak and compromise a victim's iPhone X running iOS 12.1.2 or earlier.

    Source: Chinese Hacker Publishes PoC for Remote iOS 12 Jailbreak On iPhone X


    Tags: Jail Break


    Jan 22 2019

    Did you win at online casinos? Your data might have had exposed online

    Category: Security Breach | DISC @ 1:47 pm

    Data belonging to online casinos was found exposed online on an unprotected Elasticsearch instance; it includes information on 108 million bets and user details.

    Source: Did you win at online casinos? Your data might have had exposed online

    More on Data Security

    Jan 22 2019

    Businesses can safely delay patching most vulnerabilities

    Category: Information Security, Security patching | DISC @ 8:38 am

    Patching vulnerabilities is often seen as a key element of keeping systems secure. But a new report suggests businesses could be ‘smarter’ in their patching regimes and prioritize the i…

    Source: Businesses can safely delay patching most vulnerabilities

    🔒 securing the business 🔒

    DISC InfoSec




    Jan 21 2019

    New Rocke Group Malware Turns off Your Cloud Security Tools

    Category: Malware | DISC @ 11:09 pm

    A new Rocke Group malware sample “captured” and analysed by Palo Alto Networks Unit 42 has adopted code to uninstall five cloud security protection products.

    Source: New Rocke Group Malware Turns off Your Cloud Security Tools




    Jan 21 2019

    Windows Zero-Day Bug That Lets Attackers Read Any File Gets Micropatch

    Category: Zero day | DISC @ 1:12 pm

    A micropatch is now available for a zero-day vulnerability in Windows that allows unauthorized read access with the highest privileges to any file on the operating system.

    Source: Windows Zero-Day Bug That Lets Attackers Read Any File Gets Micropatch



    Jan 21 2019

    Iranian developer advertised BlackRouter Ransom-as-a-Service

    Category: Ransomware | DISC @ 12:53 pm

    An Iranian developer is promoting on a Telegram hacking channel the BlackRouter ransomware through a Ransomware-as-a-Service model.

    Source: Iranian developer advertised BlackRouter Ransom-as-a-Service



    Jan 20 2019

    8 Tips for Monitoring Cloud Security

    Category: Cloud computing | DISC @ 6:30 pm

    Cloud security experts weigh in with the practices and tools they prefer to monitor and measure security metrics in the cloud.

    Source: 8 Tips for Monitoring Cloud Security




    Jan 19 2019

    3 Compelling Reasons To Invest In Cyber Security – Part 3

    Category: cyber security | DISC @ 11:40 pm

    Cyber security is among the essential subjects to boards, alongside business strategy and leadership. Your compelling case to gain an investment is now here!

    Source: 3 Compelling Reasons To Invest In Cyber Security – Part 3



    Sep 25 2018

    Privacy notice under the GDPR

    Category: GDPR | DISC @ 8:58 pm


    A privacy notice is a public statement of how your organisation applies data protection principles to processing data. It should be a clear and concise document that is accessible by individuals.

    Articles 12, 13 and 14 of the GDPR outline the requirements on giving privacy information to data subjects. These are more detailed and specific than in the UK Data Protection Act 1998 (DPA).

    The GDPR says that the information you provide must be:

    • Concise, transparent, intelligible and easily accessible;
    • Written in clear and plain language, particularly if addressed to a child; and
    • Free of charge.

    Help with creating a privacy notice template

    The privacy notice should address the following to sufficiently inform the data subject:

    • Who is collecting the data?
    • What data is being collected?
    • What is the legal basis for processing the data?
    • Will the data be shared with any third parties?
    • How will the information be used?
    • How long will the data be stored for?
    • What rights does the data subject have?
    • How can the data subject raise a complaint?

    Below is an example of a customisable privacy notice template, available from IT Governance here.

    GDPR Privacy Notice Template - Example from the EU GDPR Documentation Toolkit

    Example of the privacy notice template available to purchase from IT Governance

    If you are looking for a complete set of GDPR templates to help with your compliance project, you may be interested in the market-leading EU GDPR Documentation Toolkit. This toolkit is designed and developed by expert GDPR practitioners, and has been used by thousands of organisations worldwide. It includes:

    • A complete set of easy-to-use and customisable documentation templates, which will save you time and money and ensure GDPR compliance;
    • Helpful dashboards and project tools to ensure complete GDPR coverage;
    • Direction and guidance from expert GDPR practitioners; and
    • Two licences for the GDPR Staff Awareness E-learning Course.


    Tags: GDPR Privacy, GDPR Privacy Notice


    Sep 24 2018

    Why your organisation should consider outsourcing its DPO

    Category: GDPR | DISC @ 2:47 pm

    By Laura Downes

    Since the EU’s GDPR (General Data Protection Regulation) came into effect in May 2018, demand for DPOs (data protection officers) has increased. The Regulation stipulates that certain organisations must appoint a DPO to support their GDPR compliance. DPOs also have an essential role as intermediaries between relevant stakeholders, such as supervisory authorities, data subjects, and business units within an organisation. 

    Your organisation will need to appoint a DPO if it:  

    • Is a public authority or body; 
    • Regularly and systematically monitors data subjects; or 
    • Processes special categories of data on a large scale. 

    The GDPR does not stipulate the level of experience a DPO must have, meaning some organisations might appoint an internal team member who does not have the experience or qualifications required, leaving them wide open to error.  

    Why you should consider outsourcing your DPO 

    Suitably skilled and experienced DPO candidates are hard to find. Outsourcing the role not only satisfies the requirements of the GDPR but also ensures your organisation is employing proper data handling and privacy policies. Furthermore, there is no conflict of interest between the DPO and other business activities. 

    An external DPO can work for your organisation on a fixed-fee or a per-hour basis. Signing up to a DPO service also means you can rely on several experienced DPOs rather than just one, which means more hands on deck should you ever suffer a breach. 

    DPO as a service (GDPR) 

    IT Governance’s annual subscription DPO service offers you hands-on support from one of our qualified DPOs, who will serve as an independent data protection expert for your organisation. Your appointed DPO will: 

    Find out more >> 



    Sep 21 2018

    PCI DSS policies address the weakest link – people

    Category: pci dss | DISC @ 9:38 am

    By Nick Calver @ITG

    Drafting detailed data protection policies and documentation is vital for improving security for your customers, stakeholders and brand because it shows your understanding and commitment to the PCI DSS (Payment Card Industry Data Security Standard). From policy, to procedure, to configuration standard, a significant proportion of PCI DSS compliance begins with documentation.

    Deploying security technologies can only go so far in protecting an organisation and helping maintain compliance.

    Nearly 1 in 5 data breaches caused by human error

    Verizon’s 2018 Data Breach Investigations Report identified that almost 1 in 5 data breaches (17%) were the result of human error.

    Policies are needed to address the weak link in security – people. If your employees don’t know or understand what’s expected of them, they can put cardholder data at risk, regardless of the other security measures you have in place. Policies play an important role in securing data. They are the foundation for everything else as they provide direction and instruction, and assign responsibility.

    What’s in a PCI policy set?

    PCI DSS compliance requires that all merchants and service providers document the processes and procedures they put in place. These policies and procedures can then serve as a guide, following the 12 requirements of the PCI DSS, from which you and your QSA (Qualified Security Assessor) can work during your assessment.

    The policies might address:

    Information security: This details the organisation’s security strategy in relation to the storage, processing and transmission of credit card data. It provides a detailed outline of information security responsibilities for all staff, contractors, partners and third parties that access the CDE (cardholder data environment).

    Formal security awareness: This identifies the organisation’s responsibilities when implementing a PCI security awareness training programme and is intended for anyone who has access to the CDE. Staff should take this program during their induction and repeat it at least annually or whenever there is a security incident.

    Incident response: This is a set of instructions for detecting, responding to and limiting the effects of an information security event. Without a plan in place, organisations might not detect an attack or fail to follow proper protocol to contain it and recover.

    Nothing here should surprise an experienced security professional. The policy requirements are basic information security best practices. Therefore, when structuring your PCI policy set we advise doing so alongside the development of your core information security policy.

    PCI DSS Staff Awareness

    Increase your employees’ knowledge of the Payment Card Industry Data Security Standard (PCI DSS) and how it affects your organization with the expertise at IT Governance USA Inc.




    Sep 20 2018

    Equifax fined by ICO over data breach that hit Britons

    Category: Cyber Insurance, data security, GDPR, Security Breach | DISC @ 10:02 am

    Equifax

    Credit rating agency Equifax is to be fined £500,000 by the Information Commissioner’s Office (ICO) after it failed to protect the personal data of 15 million Britons.

    A 2017 cyber-attack exposed information belonging to 146 million people around the world, mostly in the US.

    The compromised systems were also US-based.

    But the ICO ruled Equifax’s UK branch had “failed to take appropriate steps” to protect UK citizens’ data.

    It added that “multiple failures” meant personal information had been kept longer than necessary and left vulnerable.

    Originally, Equifax reported that fewer than 400,000 Britons had had sensitive data exposed in the breach – but it later revealed that the number was nearly 700,000.

    A further 14.5 million British records exposed would not have put people at risk, the company added last October.

    The ICO, which joined forces with the Financial Conduct Authority to investigate the breach, found that it affected three distinct groups in the following ways:

    • 19,993 UK data subjects had names, dates of birth, telephone numbers and driving licence numbers exposed
    • 637,430 UK data subjects had names, dates of birth and telephone numbers exposed
    • Up to 15 million UK data subjects had names and dates of birth exposed


    Guard let down

    Equifax had also been warned about a critical vulnerability in its systems by the US Department of Homeland Security in March 2017, the ICO revealed.

    And appropriate steps to fix the vulnerability were not taken, according to the ICO.

    Because the breach happened before the launch of the EU’s General Data Protection Regulation (GDPR) in May this year, the investigation took place under the UK’s Data Protection Act 1998 instead.

    And the fine of £500,000 is the highest possible under that law.

    “The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce,” said information commissioner Elizabeth Denham.

    “This is compounded when the company is a global firm whose business relies on personal data.”

    An Equifax spokesperson said the firm was “disappointed in the findings and the penalty”.

    “As the ICO makes clear in its report, Equifax has successfully implemented a broad range of measures to prevent the recurrence of such criminal incidents and it acknowledges the strengthened procedures which are now in effect.

    “The criminal cyber-attack against our US parent company last year was a pivotal moment for our company. We apologise again to any consumers who were put at risk.”

    By BBC.com



    Sep 19 2018

    CISOs and the Quest for Cybersecurity Metrics Fit for Business

    Category: CISO, Metrics | DISC @ 12:52 pm

    By Kevin Townsend

    Never-ending breaches, ever-increasing regulations, and the potential effect of brand damage on profits have made cybersecurity a mainstream board-level issue. It has never been more important for cybersecurity controls and processes to be in line with business priorities.

    Reporting Security Metrics to the Board

    A recent survey by security firm Varonis highlights that business and security are not fully aligned; and while security teams feel they are being heard, business leaders admit they aren’t listening.

    The problem is well-known: security and business speak different languages. Since security is the poor relation of the two, the onus is absolutely on security to drive the conversation in business terms. When both sides are speaking the same language, aligning security controls with business priorities will be much easier.

    Well-presented metrics are the common factor understood by both sides and could be used as the primary driver in this alignment. The reality, however, is that this isn’t always happening.

    Using metrics to align Security and Business: Information security metrics

    SecurityWeek spoke to several past and present CISOs to better understand the use of metrics to communicate with business leaders: why metrics are necessary; how they can be improved; what are the problems; and what is the prize?

    Demolishing the Tower of Babel

    “While some Board members may be aware of what firewalls are,” comments John Masserini: CISO at Millicom Telecommunications, “the vast majority have no understanding what IDS/IPS, SIEMs, Proxies, or any other solution you have actually do. They only care about the level of risk in the company.”

    CISOs, on the other hand, understand risk but do not necessarily understand which parts of the business are at most risk at any time. Similarly, business leaders do not understand how changing cybersecurity threats impact specific business risks.

    The initial onus is on the security lead to better understand the business side of the organization to be able to deliver meaningful risk management metrics that business leaders understand. This can be used to start the process for each side to learn more about the other. Business will begin to see how security reduces risk, and will begin to specify other areas that need more specific protection.

    The key and most common difficulty is in finding and presenting the initial metrics to get the ball rolling. This is where the different ‘languages’ get in the way. “The IT department led by the CIO typically must maintain uptime for critical systems and support transformation initiatives that improve the technology used by the business to complete its mission,” explains Keyaan Williams, CEO at CLASS-LLC. “The Security department led by the CISO typically must maintain confidentiality, integrity, and availability of data and information stored, processed, or transmitted by the organization. These departments and these leaders tend to provide metrics that focus on their tactical duties rather than business drivers that concern the board/C-suite.”

    Drew Koenig, consultant and host of the Security in Five podcast, sees the same basic problem. “In security there tends to be a focus on the technical metrics. Logins, blocked traffic, transaction counts, etc… but most do not map back to business objectives or are explained in a format business leaders can understand or care about. Good metrics need to be tied to dollars, business efficiency shown through time improvements, and able to show trending patterns of security effectiveness as it relates to the business. That’s the real challenge.”

    Williams sees the problem emanating from a lack of basic business training in the academic curriculum that supports IT and security degrees. “The top management tool in 2017 was strategic planning,” he said. “Strategic planning is often listed as one of the top-five tools of business leaders. How many security leaders understand strategic planning and execution enough to ensure their metrics contribute to the strategic initiatives of the organization?”

    It is not up to the business leaders to learn about security. “The downfall for many CISOs in the past is believing that business needs to understand security,” adds Candy Alexander, a virtual CISO and president-elect of ISSA. “That is a mistake, because security is our job. We need to better understand the business, so that we can articulate the impact of not applying appropriate safeguards. The key to this whole approach is for the CISO to understand the business, and to understand the mission and goals of the business.”

    For more on this article: CISOs and the Quest for Cybersecurity Metrics Fit for Business


    Tags: CISO, infosec metrics

