Dec 20 2011

ISO/IEC 27001 – BSI interviews Henk de Vries

Category: ISO 27k | DISC @ 9:59 am

BSI and the Rotterdam School of Management, Erasmus University, conducted a research study about ISO/IEC 27001 (Information technology. Security techniques. Information security management systems. Requirements). BSI interviewed Henk de Vries, one of the experts behind the study.

ISO27001 (ISO 27001) ISMS Requirements (Download now)

ISO27002 (ISO 27002) Code of Practice for ISM (Download now)

ISO27003 (ISO 27003) Implementation Guidance (Download now)

ISO27004 (ISO 27004) Information Security Metrics (Download now)

ISO27005 (ISO 27005) ISRM Standard (Download now)

ISO/IEC 27006 ISMS Certification Guide (Download now)

Tags: iso 27001, iso 27002, iso 27003, ISO 27004, iso 27005, iso 27006


Dec 15 2011

To Be or Not to Be CyberSecurity Expert

Category: cyber security | DISC @ 12:32 pm

History has taught us: never underestimate the amount of money, time, and effort someone will expend to thwart a security system. It’s always better to assume the worst. Assume your adversaries are better than they are. Assume science and technology will soon be able to do things they cannot yet. Give yourself a margin for error. Give yourself more security than you need today. When the unexpected happens, you’ll be glad you did. – Bruce Schneier

Realise the benefits of Internet technologies, while ensuring your company is protected from the associated risks.

If you want to make the Internet work for your business, you need to take the right precautions – Buy this book today!

An effective risk management strategy is vital to your company's survival
Internet technologies have revolutionized the way that business is conducted. However, these innovations expose your business to various risks. Inadequate security can lead to the theft of customer data and, in the event of technological failure or a cyberattack, your business could lose its ability to function altogether. An effective risk management strategy is, therefore, vital to your company's survival.

Understand the origins of cyber risks and develop suitable strategies for their management
Cyber Risks for Business Professionals: A Management Guide is a general guide to the origins of cyber risks and to developing suitable strategies for their management. It provides a breakdown of the main risks involved and shows you how to manage them. Covering the relevant legislation on information security and data protection, the author combines his legal expertise with a solid, practical grasp of the latest developments in IT to offer a comprehensive overview of a highly complex subject.

Expert guidance examining the operational and technological risks
Drawing on interviews with experts from Clifford Chance, Capgemini and Morgan Stanley amongst others, the book examines the operational and technological risks alongside the legal and compliance issues. This book will be invaluable to lawyers and accountants, as well as to company directors and business professionals.


Dec 06 2011

vsRisk The Ultimate Cyber Security Risk Assessment Tool

Category: ISO 27k, Security Risk Assessment | DISC @ 11:05 am

With over 10 years in the market and 2,500 global downloads, vsRisk™ has been helping organizations all over the world carry out successful risk assessments.
Risk assessment is the core competence of cyber security management. Every decision you make must be proportionate to the actual risk your organization faces. You must therefore assess risks on a structured, asset-by-asset basis, and experience shows that you save time and money with a risk assessment tool that automates and simplifies this process.
vsRisk is the definitive ISO27001:2005-compliant risk assessment tool, which will help you become cyber secure.

vsRisk – The Definitive Cyber Security Risk Assessment Tool
The vsRisk Assessment Tool has been designed with the user in mind to effectively identify, analyze and control their actual information risks in line with their business objectives. Key features of vsRisk include:
• Assessing key areas such as Groups, Assets and Owners
• Capturing your IS policy, objectives and ISMS scope
• In-built audit trail and comparative history
• Assessing attributes for Confidentiality, Integrity and Availability in relation to business, legal and contractual requirements
• Comprehensive reporting and gap analysis

Alan Calder, CEO of Vigilant Software, talks you through the risk assessment process using vsRisk
Watch the video now >>>

This unique risk assessment tool helps you get on top of the critical risk assessment phase of your ISMS project and, most importantly, sets you up for future risk assessments as well.
Join the professionals and order yours today >>>

vsRisk and Security Risk Assessment


Dec 02 2011

How to get certified against ISO 27001?

Category: ISO 27k | DISC @ 11:39 am

ISO27001 ISMS Requirements (Download now!)

By Dejan Kosutic

You have been implementing ISO 27001 for quite a long time, invested quite a lot in education, consultancy and implementation of various controls. Now comes the auditor from a certification body – will you pass the certification?

This kind of anxiety is normal – you can never know whether your ISMS (information security management system) has everything the certification body is asking for. But what is it exactly the auditor will be looking for?

First, the auditor will perform the Stage 1 audit, also called the “Document review”. In this audit, the auditor will look for the documented scope, ISMS policy and objectives, description of the risk assessment methodology, Risk Assessment Report, Statement of Applicability, Risk Treatment Plan, and procedures for document control, corrective and preventive actions, and internal audit. You will also have to document some of the controls from Annex A (only if you found them applicable in the Statement of Applicability): inventory of assets (A.7.1.1), acceptable use of assets (A.7.1.3), roles and responsibilities of employees, contractors and third party users (A.8.1.1), terms and conditions of employment (A.8.1.3), procedures for the operation of information processing facilities (A.10.1.1), access control policy (A.11.1.1), and identification of applicable legislation (A.15.1.1). Also, you will need records of at least one internal audit and one management review. (The clause and Annex A numbers quoted here are those of ISO/IEC 27001:2005, the edition in force at the time of writing.)

If any of these elements are missing, this means that you are not ready for Stage 2 audit. Of course, you could have many more documents if you find it necessary – the above list is the minimum requirement.

Stage 2 audit is also called the “Main audit”, and it usually follows a few weeks after the Stage 1 audit. In this audit the focus will not be on the documentation but on whether your organization is really doing what your documentation and ISO 27001 say you have to do. In other words, the auditor will check whether your ISMS has really materialized in your organization, or is only a dead letter. The auditor will check this through observation and by interviewing your employees, but mainly by checking your records. The mandatory records include education, training, skills, experience and qualifications (5.2.2), internal audit (6), management review (7.1), and corrective (8.2) and preventive (8.3) actions; however, the auditor will be expecting to see many more records as a result of carrying out your procedures.

Please, be careful here – any experienced auditor will notice right away if any part of your ISMS is artificial, and is being made for the purpose of audit only.

OK, you knew all this, but it still happened: the auditor found a major non-conformity and told you that the ISO 27001 certificate will not be issued. Is this the end of the world?

Certainly not. The process goes like this: the auditor will state the findings (including the major non-conformity) in the audit report and give you a deadline by which the non-conformity must be resolved (usually 90 days). Your job is to take appropriate corrective action; but you have to be careful, as this action must resolve the cause of the non-conformity, otherwise the auditor might not accept what you have done. Once you are sure the right action has been taken, you have to notify the auditor and send him/her the evidence of what you have done. In the majority of cases, if you have done your job thoroughly, the auditor will accept your corrective action and start the process of issuing the certificate.

There you go – it took some time, but now you are a proud owner of the ISO/IEC 27001 certificate. (Be careful though – the certificate is valid for three years only, and can be suspended during that period if the certification body identifies another major non-conformity on the surveillance visits.)


Nov 25 2011

Secretary of Defense William S Cohen on the 3 Main Threats

Category: cyber security | DISC @ 10:41 pm

Secretary of Defense William S Cohen on the 3 Main Threats Facing the United States: Secretary Cohen emphasizes that the cyber threat is the most dangerous of the three. Click the link above to watch his video on the three main threats.

Famous quotes from Secretary Cohen:
While we are not and cannot become the world’s policeman, neither can we become a prisoner of world events, isolated and tucked safely away in a continental cocoon.

There is no foolproof security that we can provide. But to say that we can’t protect against everything doesn’t mean that we shouldn’t protect against those that can cause us catastrophic harm.

For while the threat of nuclear holocaust has been significantly reduced, the world remains a very unsettled and dangerous place.

Terrorism is escalating to the point that Americans soon may have to choose between civil liberties and more intrusive means of protection.

We will not win the war on terror through military action. The sharing of information and intelligence will be vital to protecting our country.

The more reliant we become upon computers and information systems, the more vulnerable we become to cyber-terrorists who will conceive unlimited ways to cripple our infrastructure, our power grids, our banking systems, our financial markets, our space based communications systems.

Related books by Secretary of Defense William S Cohen


Nov 18 2011

Protection of credit card and ATM/debit card transactions

Category: Cybercrime, PCI DSS | DISC @ 1:16 pm

By Azie Amini
Protection of credit card/ATM card transactions and the latest trends in banking, credit card or internet fraud.

• As the end of the year approaches, report each credit card missing one by one and get a new one with a new account number (make sure you ask for a new account number; sometimes they send a new card with the same number). When each replacement arrives, call the next credit card company and report that card missing, and so on, so that you start the new year with a full set of new cards. The reason is that thieves often want to collect many stolen credit card numbers and then sell a batch of hundreds of thousands to a buyer. They often wait a year or two to build up the batch, so your card number may sit in their files without you knowing. Then, all of a sudden, they sell the list, and within a few days you are hit with many transactions and your card is maxed out in a very short time, leaving you the headache of reporting each transaction as fraudulent and hoping your bank will not charge you. So change all your credit cards at least once a year to be safe.

• If any credit card company or bank calls you to report suspicious activity on one of your cards, do NOT give them your card number; tell them to read out the number they have and answer only Yes or No. If they ask for the 3-digit code on the back of your card, do NOT give it to them. They should tell you what information they have, and all you say is Yes or No, nothing more. When I get calls like that, I tell them that I prefer to dial their toll-free number and talk to their fraud department about the problem. Always suspect that the person calling is not really from your bank or credit card company but is a crook.

• Frequently check the balance of each bank account you have. There is a lot of “wire transfer” fraud, and often you have only 24 hours to stop a wire transfer; if you notice it later, your bank may NEVER pay you back even though you did NOT authorize the transfer. (I know this sounds strange, but I have talked to many lawyers whose clients lost their savings to unauthorized wire transfers, and there is NO law to protect the person; the money is GONE.) Check your bank balance daily.

• When you search for something on the Internet, say using Google, and see a website with all kinds of unrelated things posted on it (airplane tickets, charity appeals, news about movies, and so on), do NOT click on any links. These strange websites that have everything interesting on them are often set up by very smart crooks, and the links will load all kinds of spyware (for example keystroke loggers that collect your banking user name and password) onto your PC. Just leave the site and do NOT click on any links!

• Always install the latest updates for your Microsoft browser, Word, Adobe software, and so on. These companies constantly add security fixes to their software. The moment you get an update from Microsoft or Adobe, install it as soon as possible; they sent you the update because they have just fixed a security issue.

• Next time you order checks, do NOT put your first name on them; use just your initial and last name. If someone takes your checkbook they will not know whether you sign your checks with your initials or your first name, but your bank or credit union will know how you sign.

• When you are writing checks to pay on your credit card accounts, DO NOT put the complete account number on the “For” line. Instead, just put the last four or five numbers. The credit card company knows the rest of the number and anyone who might be handling your check as it passes through all the check processing channels won’t have access to it.

• Put your work phone number on your checks instead of your home phone. If you have a PO Box, use that instead of your home address. Never have your Social Security Number printed on your checks! You can add it by hand if it is necessary.

• Place the contents of your wallet on a photocopy machine, do both sides of each license, credit card, etc. You will know what you had in your wallet and all of the account numbers and phone numbers to call and cancel. Keep the photocopy in a safe place. Also, carry a copy of your passport when traveling anywhere.

Very important: when you know your credit cards have been stolen, do this:
• Call the three national credit reporting organizations immediately to place a fraud alert on your name and Social Security number.
The alert means any company that checks your credit knows your information was stolen and has to contact you by phone to authorize new credit.
Here are the phone numbers to contact:
Equifax: 1.800.525.6285
Experian: 1.888.397.3742
Trans Union: 1.800.680.7289
Social Security Administration (fraud line): 1.800.269.0271

Related articles and Books

Credit Card Scams II

Fraud Prevention Techniques for Credit Card Fraud

100% Internet Credit Card Fraud Protected


Nov 15 2011

Top 10 Cyber Scams During Holiday Season

Category: cyber security, Cybercrime | DISC @ 10:49 am

By Paul C Dwyer

“Tis the season to get scammed!”

Phishing Scams: PCD Says “Beware of emails that appear to be from charities. Not all will be real and bogus sites could steal your credit card details. These “Phishing” emails can also pretend to be banks, telephone companies and even the revenue commissioners. There is even now a category of “recession based” scams which involve targeting consumers with products such as pre approved loans etc. There is also an increase in “Smishing” attacks, that is phishing messages sent out by text.”

PBX / Telephone Fraud: PCD Says “This is the time of year when SMEs’, and indeed large enterprises’, phone systems often get hacked. Hackers penetrate the phone system and can reroute thousands of euros’ worth of calls through the company’s phone system. The criminals often sell call cards openly in markets and on the streets which operate off these hacked phone systems. The first the company knows about it is when they return after Christmas to a massive phone bill. Consider having a security audit on your phone system.”

Free iPads: PCD Says “Offers of free iPads and similar gadgets are included in most cyber scam lists at the moment. Victims are often asked to take part in some sort of basic quiz or supply their mobile telephone number. In many cases their mobile phone is then “subscribed” to some sort of service that costs X euros per week.”

Fake Delivery Services Invoices: PCD Says “Over the Christmas period, cyber criminals will email fake invoices and delivery notifications appearing to come from legitimate courier companies. The emails will indicate that they were unable to deliver a package to your address and, of course, ask you to confirm your address and provide credit card details to pay for delivery.”

Smartphone App Scam: PCD Says “Malicious spyware is disguised in a game or an application, which is then marketed to users. If downloaded, the malware steals data from the phone, such as passwords and financial details. Always check a developer is legitimate and review comments regarding the app.”

Fake Goods: PCD Says “Don’t be stupid: if the offer looks too good to be true it probably is. Beware of imitation goods for sale; most are substandard, many are dangerous and in some cases lethal. Be especially careful when buying computer goods such as laptops; we have come across a number “preloaded” with key logging software. There are also lots of fake auction and classified ad sites that appear over Christmas, so make sure you are dealing with a genuine business.”

Social Networking Friend Requests: PCD Says “Scammers take advantage of this social time of year by sending out authentic looking friend requests via email. You should not click on the links in the email but sign into your social networking site and look there for friend requests. If you click on a link it could install malware on your computer. Beware of related scams such as “Help I’ve been Mugged!”, this is when you receive a fake distress message from someone in your network requesting money as they have been robbed whilst traveling.”

Fake Christmas Cards: PCD Says “Be careful when clicking on a Christmas e-card or gift card. This method is used to install malware and other bad stuff. Many e-cards look genuine and authentic, so be very careful when considering clicking on them. If you use an e-card service, obviously make sure it is a reputable one.”

PC Support Fraud: PCD Says “Criminals will attempt to gain access to your computer by calling up and saying you have a problem with your computer. They often claim to be from large legitimate corporations and will either ask for a payment to fix your computer or ask you to download a software patch. In the first case they will steal your credit card details, and in the second they will infect your machine with spyware or malware that provides access to your machine’s bandwidth to support other attacks.”

Social Network Virus: PCD Says “This is very basic and involves a friend posting a link on your social network wall page or in the status update. This gives the impression that the site is a safe site to visit. However, in some cases it is the result of malware and could result in the download of viruses on your machine.”

Shopping smart and avoid scams: financial literacy during the holiday season: hearing before the Committee on Banking, Housing


Nov 12 2011

A guide to the realities of the subversive multi-vector threats

Category: Cybercrime | DISC @ 9:07 pm

Cybercrime and Espionage

A guide to the realities of the subversive multi-vector threats (SMTs) now emerging as potential bearers of doom for organisations and countries

This guide will enlighten you to the dangers posed by SMTs like cyber crime and espionage in the 21st Century. Forewarned is forearmed, and this is what this book will help you to achieve by having the knowledge of these threats so you can prevent them affecting your organisation or country.

The goals of these SMTs are many, but below listed are some of the potential consequences posed by these threats:

> The sale of intellectual property from one organisation to a competitor
> Compromise of financial data and systems
> One nation undermining the security posture of another

These threats are very real, and as more people and nations become connected to the Internet the dangers increase.

In addition to what you’d expect from a book covering cyber crime and espionage, this book also delves into the psychological profiles of those perpetrating these crimes or attacks.

Key Features and Benefits:

  • A guide to SMTs that provides you with the knowledge necessary to defend against them. The knowledge you’ll glean from this book will help you to keep your company or nation’s systems safe and secure.
  • Covers not only corporate white-collar crime but also international espionage i.e. threats to national security. This book is particularly ideal for those in large public organisations where national security is a priority.
  • Written by two highly experienced information security professionals with extensive experience in both the private and public sectors, having worked for organisations such as the CIA, McAfee and IBM, to name a few.
  • To buy -> Cybercrime and Espionage: An Analysis of Subversive Multi-Vector Threats


    Nov 10 2011

    Cloud services breached via Google code search

    Category: Cloud computing | DISC @ 10:32 pm

    Researchers at Stach & Liu, a security consulting firm, have advised organizations against storing critical information on the public cloud until there are better intrusion detection systems available for cloud services, the Dark Reading website reports.

    The firm made the recommendation after discovering that access codes and passwords to thousands of public cloud services could be found via a simple Google search. The firm first reported the results of their cloud services security research at the Hacker Halted conference in October in Miami, according to Dark Reading.

    “It is not a good idea to put sensitive data out in the cloud right now — at least not until there are intrusion-detection systems that would let users see these types of searches on their cloud services,” Fran Brown, managing director of the firm, told Dark Reading.
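The research above found cloud access codes and passwords sitting in publicly indexed code. As an added example, not part of the original post or of the Stach & Liu research, here is a small Python scanner of the kind you would run over your own repositories before they reach a public host: it looks for the credential shapes the article describes (cloud access keys, passwords embedded in connection strings, private key blocks) in a constructed set of sample files. The sample content, the pattern set, the placeholder list and the function names are all assumptions made for this demonstration; the AWS-style values are the publicly documented example key format, not real credentials.

```python
import re
from dataclasses import dataclass

# Constructed sample repository content for this demonstration. The AWS-style
# values are the publicly documented example key format; nothing here is a real
# credential.
SAMPLE_FILES = {
    "config/settings.py": (
        "DEBUG = False\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
        "DATABASE_URL = 'postgres://app:Tr0ub4dor&3@db.internal:5432/app'\n"
        "SMTP_PASSWORD = 'changeme'  # placeholder, should not be flagged\n"
        "ADMIN_PASSWORD = 'Winter2011!'\n"
    ),
    "deploy/id_rsa": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEowIBAAKCAQEA...\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "app/main.py": (
        "import os\n"
        "password = os.environ['APP_PASSWORD']  # read at runtime, fine\n"
        "api_key = ''  # empty placeholder, fine\n"
    ),
}

# (kind, compiled pattern, group holding the secret); group 0 is the whole match.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"), 0),
    ("aws_secret_access_key",
     re.compile(r"(?i)aws_secret(?:_access)?_key\s*[=:]\s*[\"']?([A-Za-z0-9/+=]{40})"), 1),
    ("private_key_block",
     re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"), 0),
    ("password_in_url", re.compile(r"\b[a-z][a-z0-9+.-]*://[^/\s:@]+:([^@\s]+)@"), 1),
    ("hardcoded_password",
     re.compile(r"(?i)(?:password|passwd|pwd)\s*[=:]\s*[\"']([^\"']{6,})[\"']"), 1),
]

# Common dummy values that are not worth a finding (assumed list).
PLACEHOLDERS = {"changeme", "password", "example", "secret", "xxxxxxxx"}


@dataclass
class Finding:
    path: str
    line_no: int
    kind: str
    redacted: str  # the report must not become a second copy of the secret


def redact(value: str) -> str:
    """Keep just enough of the value to locate it, never the whole thing."""
    return value[:4] + "..." + f"({len(value)} chars)"


def scan_text(path: str, text: str) -> list:
    """Return a Finding for every credential-shaped string in one file."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern, group in PATTERNS:
            for match in pattern.finditer(line):
                value = match.group(group)
                if kind == "hardcoded_password" and value.lower() in PLACEHOLDERS:
                    continue
                findings.append(Finding(path, line_no, kind, redact(value)))
    return findings


def scan_files(files: dict) -> list:
    """Scan a mapping of path -> file contents (a directory walk would feed this)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def report(findings: list) -> str:
    return "\n".join(f"{f.path}:{f.line_no}: {f.kind} {f.redacted}" for f in findings)


if __name__ == "__main__":
    print(report(scan_files(SAMPLE_FILES)))
```

On a real tree, walk the directory and pass each file to scan_text; wiring this into a pre-commit hook or CI job catches the mistake before the repository is pushed, which is the only point at which it is still cheap. Pattern matching of this kind finds the obvious shapes (an environment variable read, as in app/main.py, is correctly left alone); it does not replace keeping credentials out of source control in the first place.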


    Nov 08 2011

    Looking for a secure USB stick with hardware encryption

    Category: Access Control, data security | DISC @ 10:55 pm

    CESG Approved USB Stick
    CESG is the UK Government’s National Technical Authority for Information Assurance

    Over 1 million SafeSticks are now in use in the NHS helping to keep patient data and other confidential data secure! Buy your SafeStick today!

    SafeStick is a secure USB stick with AES 256 bit hardware encryption and is FIPS 197 certified.

    SafeStick includes brute force attack lockdown protection. This means should the password to your SafeStick be entered incorrectly a number of times, the SafeStick is disabled or the data on it wiped.

    The antivirus and anti-malware software available for SafeStick (at an extra cost) prevents nefarious software from spreading via your SafeStick. With one in four virus or malware attacks now spread by USB sticks, this is an essential control to have in place.

    Key Features and Benefits:

  • Uses AES 256 (FIPS 197 certified) hardware encryption to protect your data, which makes it highly unlikely that anyone could access the data should a drive be lost.
  • This stick is the one that was chosen for use by the UK’s National Health Service (NHS). To date over 1 million SafeSticks are now in use in the NHS helping to keep patient data and other confidential data secure!
  • SafeStick is a fully manageable enterprise solution when used in partnership with SafeConsole (available at an extra cost). SafeConsole allows you to kill a stick if it has gone missing. It also enables you to enforce group policies, allowing you to enforce such policies as allowing certain file types to be put on the drive whilst denying others. You can also reset passwords using SafeConsole.

    SafeStick is tough, durable, waterproof, heat resistant, crush proof. It can take anything you can throw at it.

    SafeStick is compatible with Windows 7, Vista, XP, 2000, 2003, 2008, Mac OS X, Linux and Citrix, comes in an ultra small form factor, and can be used as either a standalone or an enterprise solution.

    Simply plug in a SafeStick and within minutes you can be up and running. All you need do is set a password and any data placed on the SafeStick is encrypted.
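To make the brute-force lockdown behaviour described above concrete, here is an added example in Python (not SafeStick's code; the device's internals are not public) modelling a password-unlocked store: the unlock key is derived from the password with PBKDF2-HMAC-SHA256, only a verifier of that key is kept, and a persistent failed-attempt counter wipes the key material once the threshold is reached. The threshold of ten, the iteration count, the class and function names and the wordlist are all assumptions for the demonstration; the bulk AES-256 encryption the real device performs with the derived key is left out.

```python
import hashlib
import hmac
import os

# Assumed lockout threshold for this model; the page does not state the
# real SafeStick value.
MAX_ATTEMPTS = 10


class LockoutVault:
    """Password-unlocked storage with a persistent failed-attempt counter.

    The unlock key is derived from the password with PBKDF2-HMAC-SHA256 and
    only a hash of that key is kept as a verifier, so the stored state never
    contains the key itself. The bulk encryption a device would apply with
    the derived key is out of scope here.
    """

    def __init__(self, password: str, max_attempts: int = MAX_ATTEMPTS,
                 iterations: int = 100_000):
        self.salt = os.urandom(16)
        self.iterations = iterations
        self.max_attempts = max_attempts
        self.failed_attempts = 0   # on a device this lives in non-volatile memory
        self.wiped = False
        self.verifier = hashlib.sha256(self._derive(password)).digest()

    def _derive(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                   self.salt, self.iterations, dklen=32)

    def attempts_remaining(self) -> int:
        return 0 if self.wiped else self.max_attempts - self.failed_attempts

    def unlock(self, password: str):
        """Return the derived key on success, None on failure or after a wipe."""
        if self.wiped:
            return None
        # Record the attempt before checking it: if the counter were only
        # updated after a failed check, cutting power mid-check would give
        # an attacker unlimited free guesses.
        self.failed_attempts += 1
        key = self._derive(password)
        if hmac.compare_digest(hashlib.sha256(key).digest(), self.verifier):
            self.failed_attempts = 0
            return key
        if self.failed_attempts >= self.max_attempts:
            self._wipe()
        return None

    def _wipe(self) -> None:
        # Destroying the salt and verifier makes the stored data unrecoverable
        # even to someone who later learns the correct password.
        self.wiped = True
        self.salt = b""
        self.verifier = b""


def brute_force(vault: LockoutVault, candidates) -> tuple:
    """Try each candidate in turn; returns (key_or_None, attempts_used)."""
    for attempts, guess in enumerate(candidates, start=1):
        key = vault.unlock(guess)
        if key is not None or vault.wiped:
            return key, attempts
    return None, len(candidates)


if __name__ == "__main__":
    vault = LockoutVault("correct horse battery staple")
    print(vault.unlock("wrong") is None, vault.attempts_remaining())      # True 9
    print(vault.unlock("correct horse battery staple") is not None)       # True
    wordlist = ["123456", "password", "qwerty", "letmein"] * 3             # constructed
    key, used = brute_force(LockoutVault("correct horse battery staple"), wordlist)
    print(key is None, "wiped after", used, "guesses")                    # True wiped after 10 guesses
```

The two details worth carrying over to any real design are the order of operations in unlock (count first, verify second) and that a wipe destroys the salt and verifier rather than merely setting a flag, so that a later firmware or logic bypass cannot simply clear the flag and resume guessing. PBKDF2 also means each guess costs the attacker real work even before the counter is reached.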

    Order your SafeStick today!!!

    BlockMaster SafeStick 1G Encrypted USB Flash Drive

    BlockMaster SafeStick 2G Encrypted USB Flash Drive

    BlockMaster SafeStick 32G Encrypted USB Flash Drive


    Nov 03 2011

    Knowledge Management finally gets its own book: WKIDM

    Category: Data mining, data security | DISC @ 9:11 am

    by Melanie Watson
    That’s right, Knowledge Management finally has its own book: Information Lifecycle Support: Wisdom, Knowledge, Information and Data Management (WKIDM).

    The primary role of Knowledge Management is to “improve the quality of decision making” by making sure that information throughout the Service Lifecycle is accurate, reliable and trustworthy. This book covers all four areas of knowledge: data, information, knowledge and wisdom.

    This book, (endorsed by the OGC – the creators of the ITIL methodology) provides a comprehensive and much-needed source of information on data and information management. It examines the effective production, coordination, storage, retrieval, dissemination and management of information from internal and external sources.

    Information Lifecycle Support: Wisdom, Knowledge, Information and Data Management (WKIDM)

    Tags: it service management, ITIL, ITSM


    Nov 02 2011

    Inside IT: Cloud Computing & Security

    Category: Cloud computing | DISC @ 2:13 pm

    IT Best Practices: The IT organization is undergoing rapid change. Changes like virtualization and consumerization present new opportunities for business, and new challenges for IT. Cloud computing shifts IT to more of a creator and distributor of services, but brings with it increased security concerns. In this podcast, Alan Ross, who leads the Security Architecture and Technology Development Team at Intel IT, talks about data security, application security, compliance, privacy, and other issues around these evolving technologies.

    Securing the Cloud: Cloud Computer Security Techniques and Tactics


    Cloud Security: A Comprehensive Guide to Secure Cloud Computing


    The Cloud Security Rules: Technology is your friend. And enemy. A book about ruling the cloud.


    Nov 01 2011

    CIA Mind Control Operation MK-ULTRA PSYCHOLOGICAL WARFARE

    Category: social engineering | DISC @ 10:52 am

    “MK-ULTRA” PSYCHOLOGICAL WARFARE

    CIA Mind Control Operation MK-ULTRA PSYCHOLOGICAL WARFARE (mirrored). Documentary: The Most Dangerous Game. An interesting documentary on brainwashing and psychological warfare by the CIA.

    http://www.youtube.com/watch?v=5ATYYqIrSI8

    Psychological Warfare (WWII Era Reprint)

    Mind Control: The Ancient Art of Psychological Warfare

    Ideas as Weapons: Influence and Perception in Modern Warfare

    Psychological Warfare and the New World Order: The Secret War Against the American People


    Oct 31 2011

    Hacker Halted: McAfee’s George Kurtz Discusses the War on Security

    Category: cyber security | DISC @ 11:55 am

    Presentation abstract (posted by Anthony M. Freed):

    “The explosive growth of Internet and IP-enabled devices is reshaping communication, collaboration and commerce opportunities for individuals and organizations around the world. At the same time, miscreants are abusing the Internet’s open and any-to-any communication architecture for malicious purposes, leaving many users at risk and the future of a secure Internet as an aspiration rather than a reality.”

    “The current cybersecurity model is reactive, disconnected and unable to keep pace with the seismic explosion in malware. Providing protection to a heterogeneous world of connected devices requires a new approach to security.”

    “McAfee CTO George Kurtz will show that incremental improvements can’t bridge the opportunity gap and explain the required paradigm shift of driving security down the stack.”

    Hacker Halted: McAfee’s George Kurtz Discusses the War on Security

    Hacking Exposed: Network Security Secrets and Solutions, Sixth Edition by George Kurtz


    Oct 28 2011

    Richard Clarke Clearly Names China as a Source of Cyber Hacks

    Category: cyber security | DISC @ 12:36 pm

    In this video, Richard Clarke, the former cybersecurity czar for President George W. Bush and a noted expert on cyber war and counter-terrorism, identifies China’s government and its industries as a major source of the cyber security hacking and espionage taking place in 2011. In addition to discussing China’s cyber activity, Clarke outlines four main buckets of cyber attacks today, and explains why many people consider 2011 the “Year of the Hack.”

    The Clarke video was put together and released in October 2011 to coincide with the Eighth Annual National Cyber Security Awareness Month, which is sponsored by the Department of Homeland Security in cooperation with the National Cyber Security Alliance (NCSA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC).

    Cyber War: The Next Threat to National Security and What to Do About It


    Oct 27 2011

    GAO Report on Information Security Breaches

    Category: cyber security | DISC @ 10:31 am

    According to Greg Wilshusen (GAO Information Security Director), vulnerabilities exist at all 24 federal agencies and 11 of the 24 have significant deficiencies, and reported incidents have increased by 650%. Watch the video for the details of these vulnerabilities and, more importantly, the plans to mitigate the risks, especially at the 11 agencies with significant deficiencies.

    On The Communicators, Greg Wilshusen, director of the Government Accountability Office’s (GAO) Information Security department, will discuss a report the GAO released this month that said 24 federal agencies’ computer systems are at risk of security breaches.


    Oct 26 2011

    A guide to contract and commercial management for professionals

    Category: Vendor Assessment | DISC @ 9:42 pm

    Contract and Commercial Management

    “Almost 80% of CEOs say that their organization must get better at managing external relationships. According to The Economist, one of the major reasons why so many relationships end in disappointment is that most organizations ‘are not very good at contracting’. This ground-breaking title from leading authority IACCM (International Association for Contract and Commercial Management) represents the collective wisdom and experience of Contract, Legal and Commercial experts from some of the world’s leading companies to define how to partner for performance. This practical guidance is designed to support practitioners through the contract lifecycle and to give both supply and buy perspectives, leading to a more consistent approach and language that supports greater efficiency and effectiveness. Within the five phases described in this book (Initiate, Bid, Development, Negotiate and Manage), readers will find invaluable guidance on the whole lifecycle with insights to finance, law and negotiation, together with dispute resolution, change control and risk management. This title is the official IACCM operational guidance and fully supports and aligns with the course modules for Certification.”

    This is an operational guide: a management guide to contract and commercial management that is both practical and straightforward.

    Based on the knowledge of contract, legal and commercial professionals, it supports you through each phase of the contract lifecycle and helps you adopt a common language and approach that enables a progressive way of working.

    In this book you will find the information presented in four sections, these are:
    > Bid
    > Development
    > Negotiate
    > Manage

    Topics covered in these sections include:
    > Risk
    > Finance
    > Negotiation
    > Dispute resolution
    > Change control

    This title is endorsed by the IACCM (International Association for Contract and Commercial Management) – the association that represents contract and relationship management professionals and organisations.

    Key Features and Benefits:

      * A guide to best practice in negotiating contracts and building relationships. It gives you the knowledge to take a comprehensive approach to negotiating contracts using a common language.
      * The methods in this book are based on the experiences of practitioners worldwide and are progressive, whereas some other approaches are adversarial and negative.
      * Endorsed by the IACCM, the best-practice organisation for contract and relationship management professionals, which attests to the quality and relevance of the material.

    To build commercial relationships, get a copy of Contract and Commercial Management.


    Oct 25 2011

    Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker by Kevin Mitnick

    Category: cyber security,CybercrimeDISC @ 8:45 am

    Ghost in the Wires is a well-written and captivating tale in which Kevin Mitnick tells how, time and again, he used social engineering as the first step of some of his most famous hacks. During those social-engineering calls he would become an apparent authority on whatever subject was at hand and win the trust of the person on the phone in a matter of minutes.

    “When you use social engineering, or “pretexting,” you become an actor playing a role. I had heard people try to pretext and knew it could be painfully funny. Not everybody could go on stage and convince an audience; not everybody could pretext and get away with it.”

    What Kevin says he likes best about Ghost in the Wires is that it is his life story, a kind of Catch Me If You Can for a computer hacker. What makes it unique is that it is a true story, and people really seem to like it.

    Ghost in the Wires has been on the New York Times bestseller list for a month so far. Before it, the only hacking book to make the bestseller list was The Cuckoo’s Egg by Cliff Stoll.

    Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker



    Oct 24 2011

    New Stuxnet-Like Worm Discovered

    Category: MalwareDISC @ 12:42 pm

    By Jeff James : Twitter at @jeffjames3
    In June 2010, security experts, analysts, and software providers were warning IT managers about Stuxnet, a new computer worm that was spreading rapidly over the internet. Stuxnet was distributed by Windows machines, and the intent of the worm wasn’t immediately clear. After a few months it was revealed that the vast majority of Stuxnet infections were in Iran, and Stuxnet seemed to have been specifically targeting the Siemens industrial control equipment used in the Iranian nuclear program.

    German security expert Ralph Langner was interviewed by NPR reporter Tom Gjelten earlier this year about Stuxnet, and Gjelten reported that Langner told him that the worm was so complex and sophisticated that it was “almost alien in design” and believed that only the United States had the resources required to create Stuxnet and orchestrate the attack. As more details emerged, it became clear that Stuxnet was likely developed by either Israeli or American intelligence agencies in an attempt to impede Iran’s nuclear program.

    Both Israeli and American security officials have sidestepped questions about their involvement, but Gary Samore, White House Coordinator for Arms Control and Weapons of Mass Destruction, stated at a December 2010 conference on Iran that “we’re glad they [the Iranians] are having trouble with their centrifuge machine and that we – the US and its allies – are doing everything we can to make sure that we complicate matters for them.” [Source: NPR’s Need to Know]

    Now security researchers from Symantec have revealed that they’ve discovered a new Stuxnet-like worm called W32.Duqu that shares much of the same code with Stuxnet. Symantec’s Security Research blog posted details about Duqu yesterday:

    “Duqu shares a great deal of code with Stuxnet; however, the payload is completely different. Instead of a payload designed to sabotage an industrial control system, the payload has been replaced with general remote access capabilities.”

    According to Symantec, Duqu also functions as a keylogger designed to “capture information such as keystrokes and system information” but lacks the specific code related to “industrial control systems, exploits, or self-replication.” Symantec’s research team believes that Duqu is collecting information for a possible future attack, and points the finger at the original creators of Stuxnet, since the creators of Duqu appear to have had direct access to the Stuxnet source code:

    “The creators of Duqu had access to the source code of Stuxnet, not just the Stuxnet binaries. The attackers intend to use this capability to gather intelligence from a private entity to aid future attacks on a third party. While suspected, no similar precursor files have been recovered that predate the Stuxnet attacks.”
    The arrival of Stuxnet signaled that cyberattacks have entered a new phase, with nation states and professional, highly-skilled programmers helping elevate cyberwarfare to a new, more sophisticated (and dangerous) level. Microsoft Technical Fellow Mark Russinovich offers up a fictional account of what can happen when terrorist groups turn to cyberwarfare in his novel Zero Day, and it’s a chilling preview of what the future of warfare could look like.

    While many fingers are pointing at U.S. and Israeli intelligence services for creating Stuxnet – and possibly Duqu – what happens when a hostile nation or well-organized terrorists develop the same level of cyberwarfare capability? Questions like these are undoubtedly keeping IT security professionals and experts at government security agencies awake at night.

    For more technical information on the Duqu worm, see Symantec’s W32.Duqu: The Precursor to the Next Stuxnet whitepaper [PDF] and a Symantec post that provides additional Duqu technical details.

    The New Face of War: How War Will Be Fought in the 21st Century

    Has Israel Begun A Cyber War On Iran With The Stuxnet ‘Missile’?: An article from: APS Diplomat News Service


    Oct 23 2011

    Palo Alto Networks takes Firewalls to next Level

    Category: Network security,next generation firewallDISC @ 8:50 pm

    Ashlee Vance, Bloomberg Businessweek
    For the past 15 years or so, security pros have relied on the trusty firewall and other hardware to keep bad guys from running amok on corporate networks. For the most part, this has meant blocking tainted e-mails and keeping workers away from harmful websites.

    The latest wave of Web services, like Skype and Google Docs, has introduced fresh problems. They can transfer files, store data and allow remote computer access in ways that can’t be easily patrolled by the standard sentinels.

    Nir Zuk has another option. He’s a veteran of the traditional firewall and security industry who struck out on his own six years ago to create a product for today’s Web. The company he founded, Palo Alto Networks, sells a next-generation firewall that makes modern Web services safe for the workplace and gives companies precise control over how their employees can use them.

    “Our customers don’t want to block Facebook,” Zuk said. “They want to use it, but they also want some control.”

    As interest in Web-based software has surged, so too have Palo Alto Networks’ sales. The company has hopped from office to bigger office since its birth at Zuk’s Palo Alto house in 2005. This year, the company moved into a giant headquarters in Santa Clara.

    A year ago, Palo Alto Networks had 1,000 customers; today it has 4,500, including Qualcomm, the city of Seattle, and eBay. Sales will exceed $200 million this year, according to Zuk, who adds that the company is gearing up for an initial public offering.

    Zuk says Palo Alto Networks owes much of its success to modern computing habits, which require more sophistication than what’s provided by traditional security products. Older firewalls are designed to monitor one-way traffic. E-mails and data from websites pour in, and the security products look for suspicious patterns. Yet threats can snake their way through a network in various ways: A worker might go to Facebook, click on a nefarious link, and download a virus. Soon enough, he’s using software from enterprise cloud computing company Salesforce.com to upload those infected sales data files and send them to colleagues.

    “Most security groups used to focus on blocking apps like Skype or GoToMyPC but now are often required to allow them to be used,” says John Pescatore, an analyst at the research firm Gartner. “That’s why firewalls needed to evolve.”

    Palo Alto Networks gives each Web service its own signature. This means that Palo Alto’s systems know when employees are using Skype or Salesforce.com, and have a general idea of what they’re doing there. Customers can set policies for how an application is used so that, for example, all employees can view Google Docs files, but only some can actually create them.
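    The policy model described in the paragraph above, written out as an added example (this is illustrative code, not code from the article or from Palo Alto Networks): a port-based rule set allows everything on TCP/443 without knowing what rides on it, while an application-aware rule set first identifies the application, then classifies the action, and only then evaluates (group, application, action) rules with an implicit deny. The application signatures, user groups and sample flows are all constructed for the example, and the lookup on the TLS server name stands in for real protocol decoding.

```python
"""Added example: port-based vs application-aware firewall policy.
Signatures, groups and flows below are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    user: str
    groups: frozenset      # directory groups the user belongs to
    dst_port: int
    sni: str               # TLS server name from the ClientHello (cleartext)
    method: str = ""       # HTTP method; only known if the session is decrypted


# Constructed application signatures keyed on server name. A real engine
# matches on protocol behaviour and payload, not only on the SNI.
APP_SIGNATURES = {
    "docs.google.com": "google-docs",
    "login.salesforce.com": "salesforce",
    "api.skype.com": "skype",
}


def identify_app(flow):
    """Map a flow to an application name; unmatched TLS is labelled as such."""
    app = APP_SIGNATURES.get(flow.sni.lower())
    if app:
        return app
    return "unknown-ssl" if flow.dst_port == 443 else "unknown"


def classify_action(flow):
    """Coarse read/write split from the HTTP method (requires decryption)."""
    if flow.method in ("GET", "HEAD"):
        return "read"
    if flow.method in ("POST", "PUT", "PATCH", "DELETE"):
        return "write"
    return "unknown"


def port_policy(flow):
    """Legacy rule: web ports are open to everyone, whatever rides on them."""
    return "allow" if flow.dst_port in (80, 443) else "deny"


# (group, application, action) -> verdict; first match wins, implicit deny.
# "all" matches every user, "*" matches every action.
APP_RULES = [
    ("all",     "google-docs", "read",  "allow"),
    ("editors", "google-docs", "write", "allow"),
    ("all",     "salesforce",  "read",  "allow"),
    ("sales",   "salesforce",  "write", "allow"),
    ("all",     "skype",       "*",     "deny"),
]


def app_policy(flow):
    """Evaluate APP_RULES top to bottom; fall through to deny."""
    app = identify_app(flow)
    action = classify_action(flow)
    for group, rule_app, rule_action, verdict in APP_RULES:
        if group != "all" and group not in flow.groups:
            continue
        if rule_app != app:
            continue
        if rule_action != "*" and rule_action != action:
            continue
        return verdict
    return "deny"


def evaluate(flows):
    """One (user, app, action, port-verdict, app-verdict) row per flow."""
    return [(f.user, identify_app(f), classify_action(f), port_policy(f), app_policy(f))
            for f in flows]


# Constructed flows: every one of them rides on TCP/443.
SAMPLE_FLOWS = [
    Flow("alice", frozenset({"staff"}), 443, "docs.google.com", "GET"),
    Flow("alice", frozenset({"staff"}), 443, "docs.google.com", "POST"),
    Flow("bob", frozenset({"staff", "editors"}), 443, "docs.google.com", "POST"),
    Flow("carol", frozenset({"staff"}), 443, "api.skype.com", "GET"),
    Flow("dave", frozenset({"staff"}), 443, "unlisted.example", "GET"),
    Flow("erin", frozenset({"staff"}), 443, "docs.google.com"),  # not decrypted
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_FLOWS):
        print("%-6s %-12s %-8s port:%-6s app:%s" % row)
```

    Two behaviours are worth noting. A server with no signature is labelled unknown-ssl and denied, so a new service has to be classified before anyone can use it, which is the fail-closed default a security team wants but also the source of most helpdesk tickets after such a deployment. And the read/write split only exists when the firewall can see the HTTP method, that is, when it decrypts the session: the undecrypted Google Docs flow is denied by the read-only rule because its action is unknown.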

    Keeping track of all the traffic flowing through a corporate network requires a lot of computing horsepower, and part of Palo Alto Networks’ secret sauce is a homegrown chip that chews through data quickly. A Palo Alto Networks system can even peer into encrypted traffic: it is fast enough to decrypt packets of information, check whether they’re safe, and then pass them on to the employee who requested them, all without much lag. (Inspecting TLS this way means the firewall terminates the session and re-encrypts it with a certificate issued by an internal CA that the company’s endpoints have been configured to trust; without that trust relationship, users see certificate warnings and the inspection cannot be transparent.)

    Norm Fjeldheim, the chief information officer at chipmaker Qualcomm, says the Palo Alto Networks systems he bought replaced not just firewalls but also things such as intrusion detection hardware and other types of security systems. “They are doing the work that was done by multiple things in the past,” Fjeldheim said. “They watch over everything.”

    To date, Palo Alto Networks has raised a total of $65 million. In August, Palo Alto Networks lured Mark McLaughlin from his role as CEO of VeriSign to run the young company and prepare it for an IPO.

    Venture capital firm Sequoia Capital is one investor.

    Said partner Jim Goetz: “I don’t think we’ve ever seen an enterprise technology company grow as quickly.”

    Download the e-book now!
    Download a Free copy of “Next-Generation Firewalls for Dummies” ebook to find out why traditional firewalls can’t protect your network | Checkout the sample chapter online

    PALO ALTO NETWORKS RECOGNIZED FOR ENTERPRISE FIREWALLS.: An article from: Computer Security Update

