Oct 21 2011

Britain Would Strike First in Cyberwar, Government Says

Category: cyber security | DISC @ 8:32 am

UK Foreign Secretary Hague: Britain willing to strike 1st to defend itself against a cyberattack from enemy state

@FoxNews
LONDON – Britain is prepared to strike first to defend itself against a cyber attack from an enemy state, Foreign Secretary William Hague said Tuesday.

His warning was the first clear signal that the UK has developed new weapons for the online battlefield.

Hague told The Sun that the globe was in the grip of a new and financially-crippling “arms race in cyberspace.”

He said he could not guarantee that Britain would be able to repel a major cyber assault on the nation’s essential infrastructure — including water works, power plants and the air traffic control system.

But he said, “We will defend ourselves in every way we can, not only to deflect but to prevent attacks that we know are taking place.”

Hague gave no clues on the makeup of Britain’s new electronic arsenal, saying, “The rest of the world will have to guess.”

The British government is pouring an extra £650 million ($1 billion) into developing deterrents to hostile viruses, which are being produced almost constantly.

“We are trying to prevent an arms race in cyber space,” Hague said. “Given that the Internet changes every day, and billions more people will have access to it over the coming years, the potential for that arms race to grow and go out of control is enormous.”

He added, “There is no 100 percent defense against this, just as there isn’t against any other form of attack. We have to defend critical national infrastructure. We have to defend national security. We have to defend our entire commercial and economic system.”

Hague spoke ahead of a cyberspace conference. Senior officials from more than 60 nations and bosses of online giants will meet in London next month to discuss the cyber menace and draw up an “international rule book” on how best to fight it.


Oct 20 2011

Finding And Securing Sensitive Data In The Enterprise

Category: data security | DISC @ 9:40 am

By Robert Lemos @ DarkReading.com

Your organization’s most valuable data may be stored in scattered – and insecure – locations. Here are some tips for identifying that data and making sure it doesn’t leak out.

When Michael Belloise joined human resources outsourcing firm TriNet four years ago as the IT manager, the amount of sensitive data held by the company put him on edge.

TriNet handles payroll and benefits for its customers. As such, its systems store Social Security numbers, birth dates, employee ID numbers, and addresses for 100,000 workers at other companies. That data isn’t necessarily subject to the kind of detailed privacy and security rules covering financial transactions or healthcare information, but it’s highly sensitive nonetheless.

Belloise brought in data loss prevention vendor Vontu (now part of Symantec) to install a data discovery appliance that finds and monitors all data leaving the company’s network. The results, says Belloise, were shocking.

“I dare not drop any numbers about what we saw, but it was egregious,” he says.

TriNet had secure ways of transmitting and storing data, but its employees were using alternative, less-secure methods, including unencrypted portable media, drop boxes, and attachments to email sent from personal accounts. In most cases, they were skirting the rules in order to serve customers faster, but some of the activity looked questionable and possibly malicious. The security violations didn’t result in any data breaches, but the results were eye opening, Belloise says.

“It was to the point where you couldn’t put your head in the sand anymore, because it was that shocking,” he says.

Belloise called a meeting of C-level execs and embarked on a mission to secure the company’s data. TriNet first studied its data to gauge the risk it faced. Then it altered processes and educated employees to minimize misuse of data, and also installed a DLP system to monitor compliance.

TriNet’s experience isn’t all that unusual. Sensitive data has a habit of spreading throughout companies and ending up in places it shouldn’t be: places where it’s more likely to be stolen or accidentally leaked. Lost, stolen, and inappropriately disposed-of laptops have accounted for the greatest number of breach incidents in most of the last five years, according to The Leaking Vault 2011, the Digital Forensics Association’s comprehensive report. But much of the information that’s on those laptops shouldn’t have been there to begin with.

Read more on Finding and Securing Sensitive Data >>>

Related topics to Secure the Enterprise Data

Data Protection for Virtual Data Centers

The Data Asset: How Smart Companies Govern Their Data for Business Success

Privacy and Big Data


Oct 16 2011

iPhone 4 hackers open password marketplace

Category: Smart Phone | DISC @ 10:09 pm

A huge source of personal data in the palm of your hand – that’s what a smartphone has become nowadays. But all the private information kept on your hi-tech device can easily become public knowledge.
Privacy For Sale: iPhone 4 hackers open password marketplace

Smartphone security: here’s how to start securing smartphones and the data they’re accessing.(Security): An article from: Mobile Business Advisor


Oct 15 2011

How IPSEC Stops the Three Most Common Attacks Against Your Network

Category: Network security | DISC @ 2:05 pm


Oct 11 2011

California governor allows warrantless search of cell phones

Category: Smart Phone | DISC @ 9:12 pm

Here’s another reason to password-protect your mobile phone: California’s governor just recently vetoed a bill that requires a court-ordered warrant in order to search mobile phones upon arrest. This means that if you get arrested in the state of California, the arresting officer can search your smartphone — which gives him access to emails, call logs, texts, location data, banking apps, and more — without needing a warrant.

To read more, see the CNN article…

Tags: Arrest, california, California Supreme Court, CNN, Jerry Brown, Mark Leno, mobile phone, Search warrant


Oct 11 2011

How to configure your Linksys router for maximum security

Category: Network security | DISC @ 10:59 am


Oct 05 2011

Information Security: Everything you need to know

Category: ISO 27k | DISC @ 12:36 pm

To understand more about securing and protecting information assets and implementing ISO 27001 (an Information Security Management System), we recommend IT Governance: A Manager’s Guide to Data Security and ISO 27001 / ISO 27002, Fourth Edition. This book covers everything you need to know about information security and data protection, including viruses, hackers, online fraud, privacy regulations, computer misuse and investigatory powers.

Read more >>


Oct 04 2011

New California Data Breach Notification Law

Category: Security and privacy Law | DISC @ 8:52 pm

Information Security Law: The Emerging Standard for Corporate Compliance

At the beginning of September, there was an addition to the Data Breach Notification laws of California. S.B. 24 was signed into law and will take effect on the first day of 2012. This law will require specific actions to be taken in the event of a data breach. Those actions include a standardized notification process and a notification sent to the Attorney General of California (if the breach affects 500 or more California residents).

Why is this relevant to you or your customers? If you encrypt your customers’ personal information, you do not have to make the notifications, because you have safeguarded your customers’ data. This keeps you out of the press and out of lawsuits, and helps you handle your customers’ data responsibly.

You can read more about this legislation here:


Oct 03 2011

CYBERCONFLICT

Category: cyber security | DISC @ 10:08 pm

Our assessment is that cyberattacks will be a significant component of future conflicts. Over thirty countries are creating cyber units in their militaries. It is unrealistic to believe that each one will limit its capabilities to defense. Moreover, the centrality of information technology to the U.S. military and society virtually guarantees that future adversaries will target it.

To read more, see The Pentagon’s cyberstrategy, one year later.

Cyber-Conflict and Global Politics

Cyberpower and National Security (National Defense University)


Sep 28 2011

Department of Homeland Security Releases Cyber Security Evaluation Tool (CSET)

Category: cyber security | DISC @ 3:27 pm


Homeland Security: A Complete Guide to Understanding, Preventing, and Surviving Terrorism

The Cyber Security Evaluation Tool (CSET) is a Department of Homeland Security (DHS) product that assists organizations in protecting their key national cyber assets. It was developed under the direction of the DHS National Cyber Security Division (NCSD) by cybersecurity experts and with assistance from the National Institute of Standards and Technology. This tool provides users with a systematic and repeatable approach for assessing the security posture of their cyber systems and networks. It includes both high-level and detailed questions related to all industrial control and IT systems. The tool is available for download, and the program also offers training and support at no cost to organizations engaged in administering networks that control facilities identified as being crucial to both the nation’s economy and national security.

CSET is a desktop software tool that guides users through a step-by-step process to assess their control system and information technology network security practices against recognized industry standards. The output from CSET is a prioritized list of recommendations for improving the cybersecurity posture of the organization’s enterprise and industrial control cyber systems. The tool derives the recommendations from a database of cybersecurity standards, guidelines, and practices. Each recommendation is linked to a set of actions that can be applied to enhance cybersecurity controls.

CSET has been designed for easy installation and use on a stand-alone laptop or workstation. It incorporates a variety of available standards from organizations such as National Institute of Standards and Technology (NIST), North American Electric Reliability Corporation (NERC), International Organization for Standardization (ISO), U.S. Department of Defense (DoD), and others. When the tool user selects one or more of the standards, CSET will open a set of questions to be answered. The answers to these questions will be compared against a selected security assurance level, and a detailed report will be generated to show areas for potential improvement. CSET provides an excellent means to perform a self-assessment of the security posture of your control system environment.

Key Benefits

• CSET contributes to an organization’s risk management and decision-making process
• Raises awareness and facilitates discussion on cybersecurity within the organization
• Highlights vulnerabilities in the organization’s systems and provides recommendations on ways to address the vulnerability
• Identifies areas of strength and best practices being followed in the organization
• Provides a method to systematically compare and monitor improvement in the cyber systems
• Provides a common industry-wide tool for assessing cyber systems

Download CSET
[Source]


Sep 23 2011

IT GOVERNANCE PRAISES ISO27001 BUT WARNS AGAINST COMPLACENCY

Category: ISO 27k | DISC @ 9:31 pm

Geneva, Switzerland, September 2011 – Alan Calder, Chief Executive of IT Governance (ITG), the one-stop shop for information security expertise, is today advising organisations globally to embrace the ISO27001 security management standard, yet warning nobody should be complacent.

Speaking at the United Nations’ Information Security Special Interest Group’s symposium in Geneva, Calder said: “ISO27001 is international best practice for any organisation seeking a structured framework to address cyber risks. ISO27001 has many strengths, including helping organisations secure the right balance of data availability, integrity and confidentiality. A further benefit of ISO27001 is the flexibility to integrate with other management standards. This point is vital – effective cybersecurity depends on establishing a comprehensive and interconnected defence strategy.

“Every organisation should remember, however, that ISO27001 certification does not equate with invincible security. ISO27001, effectively deployed, improves an organisation’s information security and resilience, but new threats are constantly evolving. Defences, therefore, need to evolve, too. There is no room for complacency. ISO27001 rightly expects you to continually reassess your business, risk and compliance environment in line with ‘real-world’ developments.

“There is never a time for complacency in information security. The need to keep strategies under constant review has never been greater. The revolutionary wonders of ‘Web 2.0’ can rapidly turn into ‘Threat 2.0’. The speed and degree of change in the modern business, compliance and security worlds is unprecedented, from new standards and threats to new technologies, such as Google+ and Android telephones. Any technological advance brings new security risks, as hackers immediately start finding ways to burrow in and exploit vulnerabilities. Everyone must be prepared.”


Sep 23 2011

Copy Machines, a Security Risk

Category: Identity Theft | DISC @ 8:22 pm

Think you know how to keep your information safe? Think again.


Sep 12 2011

Mobile Malware

Category: Malware, Smart Phone | DISC @ 8:07 pm

Lookout Mobile Security

By Mandira Srivastava

Do you think it is safe to access sensitive data on a mobile phone? Do you know that malware can steal valuable information from your phone? As smartphone sales grow, the development of mobile malware, viruses that penetrate the security system of mobile devices, also increases.

Mobile malware has been around for many years: it has long been a problem for computers, and now, because of the evolution of the smartphone, it has started to hit mobile handsets. Because smartphones are becoming increasingly sophisticated and their operating systems more similar to a computer’s, it is now possible for them to be infected with malware, and it is important for all business owners to be aware of this.

Just like computer malware, mobile malware is installed on your smartphone and will attempt to steal information and data stored on your phone. The information that can be stolen includes documents, passwords, email login details and even credit card details, just like on a PC. Mobile malware has increased rapidly during the last year, and more and more stealth malware is appearing. Stealth malware is malware that runs in the background on the phone without the user being aware of it.

With wireless payment systems and mobile shopping apps becoming more popular it is also possible that the malware will be able to intercept credit card details. Also, text messaging that is sometimes used to send banking codes could be used by the criminals to get sensitive information. If you are considering using a mobile payment system for your business, make sure it is tested and secure.

Malware has been found on all of the current phones and operating systems, including the iPhone and the Android phones.

One of the main ways that malware can reach your phone is through Wi-Fi networks and Bluetooth. Because a smartphone can easily be connected to wireless networks, this can make it easier to download malware. You can avoid this happening to your phone by only using secure and trusted Wi-Fi networks, only accepting Bluetooth connections from people whom you know, and keeping Bluetooth switched off when you aren’t using it.

Email has always been a popular target for the hackers and with text messaging being so popular, they have also used this to spread the malware as well as phishing scams to try to steal your identity. It is a good idea to apply the same precautions you use before opening a strange email before opening a suspicious text.

Mobile security is becoming more and more important especially for businesses and it is a good idea to implement some security measures in order to avoid the malware spreading. You can, for example, always use a password for your phone so no one else can use it if it is stolen and only download apps from official sites and not third parties.


Sep 05 2011

Risk Assessment Critical for the Security of Information Assets

Category: ISO 27k, Risk Assessment | DISC @ 10:05 pm

Information Security Risk Management for ISO27001 / ISO27002

September 01, 2011 /24-7PressRelease/ — Today, there is hardly any organisation that doesn’t recognise the critical role that information technology plays in supporting its business objectives. As a result, IT security has come to the forefront and the ISO 27001 information security standard has been embraced by numerous organisations worldwide as a best practice approach for implementing an Information Security Management System (ISMS).

Risk assessment plays an important role in managing ISO 27001 controls. This is the part with which many project managers struggle when implementing an ISMS. Information security management decisions are entirely driven by specific decisions made as an outcome of a risk assessment in relation to identified risks and specific information assets. Therefore it is imperative that a thorough risk assessment is undertaken and no risk is left unexplored. Risk assessment enables expenditure on controls to be balanced against the business harm likely to result from security failures.

IT Governance Ltd, the global leader in information security products and services, has developed a risk assessment tool, vsRisk, that automates and accelerates the risk assessment process. It enables project managers to monitor the day-to-day execution and management of the controls as well as generating reports for audit purposes.

Uniquely, vsRisk (www.itgovernance.co.uk/products/744) can assess the confidentiality, integrity and availability for each of the business, legal and contractual aspects of information assets, as required by the ISO 27001 standard. The tool can serve as a day-to-day operational tool, showing at a glance where an organisation stands in its progress towards ISO 27001 compliance. A free trial version can be requested here: www.itgovernance.co.uk/iso27001-risk-assessment.aspx

Alan Calder, CEO of IT Governance, comments, “vsRisk reduces the time and cost of undertaking an ISO 27001-compliant risk assessment. It simplifies each step of an ISO 27001 risk assessment, allowing compliance project managers to capture their information security policy and objectives, plus the scope of their information security management system, and undertake a rapid appraisal of all key areas, including groups, assets and owners.”

vsRisk (www.itgovernance.co.uk/products/744) offers an in-built audit trail, comparative history, comprehensive reporting and gap analysis that radically reduce the manual record keeping traditionally associated with risk assessments. The tool minimises the need for specialist knowledge and significantly undercuts the cost of generalist risk management tools, thus making ISO27001 compliance achievable for a far wider range of organisations and professionals.

As well as supporting ISO/IEC 27001:2005 and ISO/IEC 27002, vsRisk v1.5 complies with BS7799-3:2006, ISO/IEC 27005, NIST SP 800-30 and the UK’s Risk Assessment Standard.

vsRisk is produced by Vigilant Software, the specialist software subsidiary of IT Governance and can be purchased online from www.itgovernance.co.uk/products/744.


Sep 01 2011

Information Security eBooks Download

Category: Information Security | DISC @ 12:14 pm

information security eBooks download sites

Studiesinn InfoSec eBook

Information-Security eBookee

Strategic-Information-Security

The-New-School-of-Information-Security

Insider’s Guide to Security Clearances

Information Threats

Information Security Risk Analysis by Thomas R. Peltier

Information Security Risk Analysis, 2 Ed. by Thomas R. Peltier

Information Security Risk Analysis by Tom Peltier shows you how to use cost-effective risk analysis techniques to identify and quantify the threats, both accidental and purposeful, that your organization faces. The book steps you through the qualitative risk analysis process using techniques such as PARA (Practical Application of Risk Analysis) and FRAP (Facilitated Risk Analysis Process) to:

• Evaluate tangible and intangible risks
• Use the qualitative risk analysis process
• Identify elements that make up a strong Business Impact Analysis
• Conduct risk analysis with confidence


Aug 27 2011

12 Steps to IT Security

Category: Security Awareness | DISC @ 9:35 pm

This video outlines 12 steps to take to protect your business from the threat of e-Crime.


Aug 20 2011

ISO27002 Implementation Intro.m4v

Category: ISO 27k | DISC @ 10:25 pm

Making the Implementation of ISO27001 easier for you to do within your organisation. This video is your introduction.


Aug 19 2011

If you See Something Say Something – DHS

Category: Cybercrime | DISC @ 10:40 pm

“Dept Of Homeland Security Attempt To Induce A Permanent State Of Fear & Paranoia!”
DHS encourages folks in public to spy on others for the sake of security?
http://www.youtube.com/watch?v=gjeMCCQlCPA


Aug 12 2011

The End of Online Privacy? Fight the Internet Snooping Bill!

Category: Information Privacy | DISC @ 9:24 pm

The End of Online Privacy? Fight the Internet Snooping Bill! (Must watch/share)
HR1981 would force the company you pay for Internet access to store a year’s worth of personal data and hand it over at the request of law enforcement. Protecting children from pornographers does not mean that you should start collecting everybody’s data “just in case” they may commit a crime in the future.

The New York Post noted that if legislators were required to assign bills honest names, this one would read: Forcing Your Internet Provider to Spy On You Just in Case You’re a Criminal Act of 2011.

CLICK HERE TO EMAIL YOUR LAWMAKERS: http://act.demandprogress.org/letter/snooping_bill/


Aug 08 2011

How to decide between ISO 27001 Cert and ISO 27002 Compliance

Category: ISO 27k | DISC @ 9:40 pm

It is an important decision for your organization when you have to choose between ISO 27001 certification and ISO 27002 compliance. Continuous compliance with the standards may save you money in the short run, but the benefits of ISO 27001 (ISMS) certification outweigh that in the long run. ISO compliance is a commitment for an organization: it has to be audited (internally) on a regular basis to demonstrate compliance to your vendors and partners. ISO certification, by contrast, has to be audited by independent external auditors.

Things that may affect your decision:
a) What will be the cost of achieving ISO compliance? Pick a scope and perform a gap analysis based on ISO 27002 to see where the gaps are. Find out the cost of treating the gaps for your organization, including the cost of consultants, tools, and project management. These processes may vary from organization to organization.

b) Will ISO certification benefit the organization because its competitors have already done it? (How much business might an organization lose, or how many prospective new customers?)

c) Achieving certification may save money, time and effort in the long run by aiding your organization’s other compliance efforts (PCI, HIPAA, SOX, NIST, GLBA). (“Hey auditor, we are already certified in these specific controls.” How much of the spending can be saved on other audits?)

d) Will enough customers demand/require the certification in order to do business with you? Not having ISO certification may be a business disabler, and the organization may lose important customers, which will affect the company’s bottom line.

Risks of being non-compliant:
• No assurance to customers regarding InfoSec controls
• May lose customers in the long run
• May affect future business

Benefits of certification:
• Business enabler
• Align with the business goals
• Everyone is responsible for InfoSec
• De-facto InfoSec standards
• ISO 9000, ISO 14000, ISO 20000 compatible
• Commonly accepted best practice
• Capable of external certification

Tags: iso 27001, iso 27002

