With corporations, criminals and governments all looking to capture your information via the internet, how safe are you once you logon?
How Disappear Erase Digital Footprint
Jun 24 2011
How safe is your personal information on social network?
Jun 22 2011
President lays out cyberwar guidelines, report says
President Barack Obama has developed guidelines for how the U.S. should respond to–and initiate–cyberattacks, the Associated Press is reporting.
Citing anonymous defense officials, the news service claims the guidelines include a wide range of cyberwar efforts to be employed by the U.S. during both peacetime and when conflicts are underway, including installing viruses on international computers and taking down a country’s electrical grid.
According to the Associated Press, the guidelines also allow for defense officials to transmit code through another country’s network to ensure the connection can be made. Though it wouldn’t necessarily carry a dangerous payload at the time, that connection could be used in the future if an attack was authorized on the specific country.
The Associated Press’ report on the president’s cyberwar guidelines comes just a week after the Chinese military called on its government to invest in more defense against the U.S.
“The U.S. military is hastening to seize the commanding military heights on the Internet, and another Internet war is being pushed to a stormy peak,” the Chinese military wrote in its official newspaper, Liberation Army Daily. “Their actions remind us that to protect the nation’s Internet security, we must accelerate Internet defense development and accelerate steps to make a strong Internet army.”
Read remaining post @ The Digital Home:
Jun 15 2011
LULZ Security Hacks CIA Website!
“Tango down – cia.gov – for the lulz,” the group, which had earlier claimed responsibility for hacking into the websites of the U.S. Senate, Sony, Nintendo and Fox News, wrote on its Twitter feed.
“While some people think this is a fun game that can also help point out corporate security weaknesses, the truth is that companies and innocent customers are – in the worst cases – having their personal data exposed,” Sophos senior technology consultant Graham Cluley said.
“There are responsible ways to inform a business that its website is insecure, or it has not properly protected its data – you don’t have to put innocent people at risk. What’s disturbing is that so many internet users appear to support LulzSec as it continues to recklessly break the law.”
http://www.youtube.com/watch?v=AozrqppyEf0
Cyber War: The Next Threat to National Security and What to Do About It
Jun 14 2011
Hacker Groups Attacks US Senate WebSite
Image via Wikipedia
US Senate Hacked! “We Don’t Like The U.S. Government Very Much” LULZ Security
The video states some reasons in significant rise of hack attack by Lulz Security on US information assets including critical assets (US senate) which is a growing threat to national security.
Leon Penetta warned in last week hearing that next Pearl Harbor might very well be a cyber attack which may affect power grid, financial system or government system.
“The Computer systems of exective branch agencies and the congress were probed or attacked on an average of 1.8 billion times per month last year” Sen. Susan Collins (R-ME)
http://www.youtube.com/watch?v=aFD3W6LhO04
Cyber War: The Next Threat to National Security and What to Do About It
Jun 12 2011
U.S. Underwrites Internet Detour Around Censors
By JAMES GLANZ and JOHN MARKOFF
The Obama administration is leading a global effort to deploy “shadow” Internet and mobile phone systems that dissidents can use to undermine repressive governments that seek to silence them by censoring or shutting down telecommunications networks.
The effort includes secretive projects to create independent cellphone networks inside foreign countries, as well as one operation out of a spy novel in a fifth-floor shop on L Street in Washington, where a group of young entrepreneurs who look as if they could be in a garage band are fitting deceptively innocent-looking hardware into a prototype “Internet in a suitcase.”
Financed with a $2 million State Department grant, the suitcase could be secreted across a border and quickly set up to allow wireless communication over a wide area with a link to the global Internet.
The American effort, revealed in dozens of interviews, planning documents and classified diplomatic cables obtained by The New York Times, ranges in scale, cost and sophistication.
Some projects involve technology that the United States is developing; others pull together tools that have already been created by hackers in a so-called liberation-technology movement sweeping the globe.
The State Department, for example, is financing the creation of stealth wireless networks that would enable activists to communicate outside the reach of governments in countries like Iran, Syria and Libya, according to participants in the projects.
In one of the most ambitious efforts, United States officials say, the State Department and Pentagon have spent at least $50 million to create an independent cellphone network in Afghanistan using towers on protected military bases inside the country. It is intended to offset the Taliban’s ability to shut down the official Afghan services, seemingly at will.
The effort has picked up momentum since the government of President Hosni Mubarak shut down the Egyptian Internet in the last days of his rule. In recent days, the Syrian government also temporarily disabled much of that country’s Internet, which had helped protesters mobilize.
The Obama administration’s initiative is in one sense a new front in a longstanding diplomatic push to defend free speech and nurture democracy. For decades, the United States has sent radio broadcasts into autocratic countries through Voice of America and other means. More recently, Washington has supported the development of software that preserves the anonymity of users in places like China, and training for citizens who want to pass information along the government-owned Internet without getting caught.
But the latest initiative depends on creating entirely separate pathways for communication. It has brought together an improbable alliance of diplomats and military engineers, young programmers and dissidents from at least a dozen countries, many of whom variously describe the new approach as more audacious and clever and, yes, cooler.
Sometimes the State Department is simply taking advantage of enterprising dissidents who have found ways to get around government censorship. American diplomats are meeting with operatives who have been burying Chinese cellphones in the hills near the border with North Korea, where they can be dug up and used to make furtive calls, according to interviews and the diplomatic cables.
The new initiatives have found a champion in Secretary of State Hillary Rodham Clinton, whose department is spearheading the American effort. “We see more and more people around the globe using the Internet, mobile phones and other technologies to make their voices heard as they protest against injustice and seek to realize their aspirations,” Mrs. Clinton said in an e-mail response to a query on the topic. “There is a historic opportunity to effect positive change, change America supports,” she said. “So we’re focused on helping them do that, on helping them talk to each other, to their communities, to their governments and to the world.”
For remaining article on U.S. Underwrites Internet Detour Around Censors
A version of this article appeared in print on June 12, 2011, on page A1 of the New York edition with the headline: U.S. Underwrites Internet Detour Around Censors..
Jun 09 2011
Citi credit card security breach discovered
Image via Wikipedia
“Citigroup says it has discovered a security breach in which a hacker accessed personal information from hundreds of thousands of accounts.
Citigroup said the breach occurred last month and affected about 200,000 customers.”
“During routine monitoring, we recently discovered unauthorized access to Citi’s account online,” said Citigroup, in a prepared statement. “A limited number — roughly 1 percent – of Citi bankcard customers’ accounting information (such as name, account number and contact information including email address) was viewed.”
According to its annual report, Citigroup has about 21 million credit card accounts in North America, where the breach occurred.
The statement went on to say that the customers’ Social Security numbers, dates of birth, card expiration dates and card security codes “were not compromised.”
Well the routine monitoring discovered the Citi Group incident which clearly shows that intrusion was not discovered during the incident but after the incident had happened.
Cyber intrusion cost will increase and depend upon how late the incident was detected. The organizations should change their corporate strategy to more proactive approach where they can maintain, monitor and improve security controls based on the current value of the information asset.
If you’re a Citibank customer, we suggest you take a look at your account and immediately report any irregularities.
Stopping Identity Theft: 10 Easy Steps to Security
http://www.youtube.com/watch?v=KH0zno_6d9M
Jun 08 2011
In cyberspy vs cyberspy, China has the edge
Image via Wikipedia
By Brian Grow and Mark Hosenb
WASHINGTON: As America and China grow more economically and financially intertwined, the two nations have also stepped up spying on each other. Today, most of that is done electronically, with computers rather than listening devices in chandeliers or human moles in tuxedos.And at the moment, many experts believe China may have gained the upper hand.
Though it is difficult to ascertain the true extent of America`s own capabilities and activities in this arena, a series of secret diplomatic cables as well as interviews with experts suggest that when it comes to cyber-espionage, China has leaped ahead of the United States.
According to US investigators, China has stolen terabytes of sensitive data — from usernames and passwords for State Department computers to designs for multi-billion dollar weapons systems. And Chinese hackers show no signs of letting up.
“The attacks coming out of China are not only continuing, they are accelerating,” says Alan Paller, director of research at information-security training group SANS Institute in Washington, DC.
Secret US State Department cables, obtained by WikiLeaks and made available to Reuters by a third party, trace systems breaches — colourfully code-named “Byzantine Hades” by US investigators — to the Chinese military. An April 2009 cable even pinpoints the attacks to a specific unit of China`s People`s Liberation Army.
Privately, US officials have long suspected that the Chinese government and in particular the military was behind the cyber-attacks. What was never disclosed publicly, until now, was evidence.
US efforts to halt Byzantine Hades hacks are ongoing, according to four sources familiar with investigations. In the April 2009 cable, officials in the State Department`s Cyber Threat Analysis Division noted that several Chinese-registered websites were “involved in Byzantine Hades intrusion activity in 2006.”
The sites were registered in the city of Chengdu, the capital of Sichuan Province in central China, according to the cable. A person named Chen Xingpeng set up the sites using the “precise” postal code in Chengdu used by the People`s Liberation Army Chengdu Province First Technical Reconnaissance Bureau (TRB), an electronic espionage unit of the Chinese military. “Much of the intrusion activity traced to Chengdu is similar in tactics, techniques and procedures to (Byzantine Hades) activity attributed to other” electronic spying units of the People`s Liberation Army, the cable says.
Reconnaissance bureaus are part of the People`s Liberation Army`s Third Department, which oversees China`s electronic eavesdropping, according to an October 2009 report by the US-China Economic and Security Commission, a panel created by Congress to monitor potential national security issues related to US-China relations.
Staffed with linguists and technicians, the Third Department monitors communications systems in China and abroad. At least six Technical Reconnaissance Bureaus, including the Chengdu unit, “are likely focused on defence or exploitation of foreign networks,” the commission report states.—Reuters
Cyber War: The Next Threat to National Security and What to Do About It
Related articles
- PRC and USA in ‘Heated Cyber-Espionage Battle’ (infosecurity.us)
- WikiLeaks Cable about Chinese Hacking of U.S. Networks (schneier.com)
Jun 05 2011
Hackers breach FBI partner’s site
LONDON — Nearly 180 passwords belonging to members of an Atlanta-based FBI partner organization have been stolen and leaked to the Internet, the group confirmed yesterday.
The logins belonged to the local chapter of InfraGard, a public-private partnership devoted to sharing information about threats to US physical and Internet infrastructure, the chapter’s president said.
“Someone did compromise the website,’’ Paul Farley, president of the InfraGard Atlanta Members Alliance, said in an e-mail exchange. “We do not at this time know how the attack occurred or the method used to reveal the passwords.’’
Copies of the passwords — which appear to include users from the US Army, cybersecurity organizations, and major communications companies — were posted to the Internet by online hacking collective Lulz Security, which has claimed credit for a string of attacks in the past week.
In a statement, Lulz Security also claimed to have used one of the passwords to steal nearly 1,000 work and personal e-mails from the chief executive of Wilmington, Del.,-based Unveillance. Lulz Security claimed it was acting in response to a recent report that the Pentagon was considering whether to classify some cyberattacks as acts of war.
The FBI said yesterday steps were being taken to mitigate the damage.
Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground
Jun 02 2011
Google blaming Chinese hackers for security breach
Image via CrunchBase
For the second time in 17 months, Google is pointing its finger at China for a security breach in one of its systems.
This time, Google says Chinese hackers were responsible for breaking into the personal Gmail accounts of several hundred people _ including those of senior U.S. government officials, military personnel and political activists.
The latest cyber attack isn’t believed to be tied to a more sophisticated one that originated from China in late 2009 and early last year. That intrusion went after some of Google’s trade secrets and triggered a high-profile battle with China’s Communist government over online censorship. (AP, ccg)
This seems pretty intrusive and targeted incident. I’m curious, what is a threshold trigger for declaring a cyber war between two countries. I understand this was not a very prolong incident but these small incidents here and there can certainly achieve some long term objectives for the other side. It is very difficult to prove the correct source of these incidents in the wild west of internet and also there is a lack of international law to pursue these cases as a criminal offense.
Apparently the pentagon recently concluded that computer sabotage can constitute an act of war and justify the use of military force, the wall street journal reported this week.
Well before the use of military force you have to prove beyond reasonable doubt that you are targeting the correct culprit nation. Well if this is the criteria to declare a war against other nation we better buy a good error and omission insurance. In cyber world it hard to prove and easy to spoof, where some groups will be eager to setup an easy victim to justify the use of military force…
Clinton: China hacking charge “Vey Serious”
Cyber War: The Next Threat to National Security and What to Do About It
Related articles
- China rejects Gmail spying claims (bbc.co.uk)
- ‘China hackers’ hit Google e-mail (bbc.co.uk)
May 30 2011
California computer glitch releases violent criminals
RT.com
Gang members, sex and drug convicts, and more were accidentally released from California state prisons after computer software designed to reduce prison numbers encountered a glitch.
Around 450 dangerous inmates were let go unsupervised onto the streets of California, the state’s inspector general confirmed.
A glitch in software lead to prison officials accidentally releasing “high risk of violence” inmates from jails as opposed to low risk inmates set for release to elevate the crowded prison system.
In addition, over 1000 inmates deemed high risk for drug and property offenses were also mistakenly released.
The information comes after the US Supreme Court upheld a lower decision and ordered California to alleviate prison overcrowding by releasing prisoners or building more prisons. The decision gives State prison officials only two years to cut the 143,335 prisoner count by around 33,000 either by reductions, new programs outside of prisons or constructing new prisons within the state.
According to Renee Hansen, a spokesperson for the California inspector general, no attempts have been made to find or return the former inmates to prison or at least place them on supervised parole.
The computer error placed all of those who were released on ‘non-revocable parole’ which means they do not have to report to parole officers. It also means they are free to live their lives and can only be sent back to jail if they are caught committing a new crime.
The software was not designed to be discretionary based on the history of inmates and issues releases without consideration to their crimes or their risk of re-offending. It uses a database of arrests that does not correlate information regarding convictions and the facts surrounding a case.
Effective Physical Security, Third Edition
May 27 2011
Hackers breach US defense contractors network
LONDON: Unknown hackers have broken into the security networks of Lockheed Martin Corp (LMT.N) and several other US military contractors, a source with direct knowledge of the attacks told this news agency.
They breached security systems designed to keep out intruders by creating duplicates to “SecurID” electronic keys from EMC Corp’s (EMC.N) RSA security division, said the person who was not authorized to publicly discuss the matter.
It was not immediately clear what kind of data, if any, was stolen by the hackers. But the networks of Lockheed and other military contractors contain sensitive data on future weapons systems as well as military technology currently used in battles in Iraq and Afghanistan.
Weapons makers are the latest companies to be breached through sophisticated attacks that have pierced the defenses of huge corporations including Sony (SNE.N), Google Inc (GOOG.O) and EMC Corp (EMC.N). Security experts say that it is virtually impossible for any company or government agency to build a security network that hackers will be unable to penetrate.
The Pentagon, which has about 85,000 military personnel and civilians working on cyber security issues worldwide, said it also uses a limited number of the RSA electronic security keys, but declined to say how many for security reasons.
The hackers learned how to copy the security keys with data stolen from RSA during a sophisticated attack that EMC disclosed in March, according to the source.
EMC declined to comment on the matter, as did executives at major defense contractors.
Lockheed, which employs 126,000 people worldwide and had $45.8 billion in revenue last year, said it does not discuss specific threats or responses as a matter of principle, but regularly took actions to counter threats and ensure security. (Reuters)
Managing Information Security Breaches
Pentagon: Hack attacks can be act of war
May 27 2011
How to Manage Information Security Breaches Effectively
A complete solution to manage an information security incident
Managing Information Security Breaches
Even when organisations take precautions, they may still be at risk of a data breach. Information security incidents do not just affect small businesses; major companies and government departments suffer from them as well.
A strategic framework
Managing Information Security Breaches sets out a strategic framework for handling this kind of emergency. It focuses on the treatment of severe breaches and on how to re-establish safety and security once the breach has occurred. These recommendations support the controls for the treatment of breaches specified under ISO27001:2005.
Top priorities
The actions you take in response to a data breach can have a significant impact on your company’s future. Michael Krausz explains what your top priorities should be the moment you realise a breach has occurred. This book is essential reading for security officers, IT managers and company directors.
Read this guide and learn how to …
The author uses cases he has investigated to illustrate the various causes of a breach, ranging from the chance theft of a laptop at an airport to more systematic forms of data theft by criminal networks. By analysing situations companies have experienced in real life, the case studies can give you a unique insight into the best way for your organisation to avoid a data breach.
If something did go wrong, how would you handle it? Even if you have done everything possible to prevent a data breach, you still need to know what to do, should one occur. This book offers advice on the strategies and tactics to apply in order to identify the source of the leak, keep the damage to a minimum, and recover as swiftly as possible.
If your company ever experiences an information security incident, then the way your customers see you will depend on how you react. This book tells you the key steps you need to take to hold on to the goodwill of your customers if a data breach occurs. The book also offers advice on what to do if you discover defamatory material about your business on YouTube or on forum sites.
Information security breaches are committed, often by ambitious or embittered employees. This book looks at ways to reduce the risk of staff selling product designs or customer data to your competitors for personal gain.
“Information security is a key Board responsibility. In today’s information economy, the confidentiality, availability and integrity of corporate information assets and intellectual property are more important for the long-term success of organisations than traditional, physical, tangible assets. This book is essential reading for security officers, IT managers and company directors to ensure they are prepared for, and can effectively manage, an information security breach, should it occur”.
May 24 2011
Learn to secure Web sites built on open source CMSs
CMS Security Handbook: The Comprehensive Guide for WordPress, Joomla, Drupal, and Plone
Open Source Software certainly does have the potential to be more secure than its closed source counterpart. But make no mistake, simply being open source is no guarantee of security.
Learn how to secure Web sites built on open source CMSs (Content Management Systems)
Web sites built on Joomla!, WordPress, Drupal, or Plone face some unique security threats. If you’re responsible for one of them, this comprehensive security guide, the first of its kind, offers detailed guidance to help you prevent attacks, develop secure CMS-site operations, and restore your site if an attack does occur. You’ll learn a strong, foundational approach to CMS operations and security from an expert in the field.
• More and more Web sites are being built on open source CMSs, making them a popular target, thus making you vulnerable to new forms of attack
• This is the first comprehensive guide focused on securing the most common CMS platforms: Joomla!, WordPress, Drupal, and Plone
• Provides the tools for integrating the Web site into business operations, building a security protocol, and developing a disaster recovery plan
• Covers hosting, installation security issues, hardening servers against attack, establishing a contingency plan, patching processes, log review, hack recovery, wireless considerations, and infosec policy
CMS Security Handbook is an essential reference for anyone responsible for a Web site built on an open source CMS.
May 19 2011
Paying attention to basics is key to healthy security ecosystem, says panel
Employee security awareness, firewalls, data leakage protection, and collaboration are all key components of a healthy information security ecosystem, according to a panel at the MIT Sloan CIO Symposium held Wednesday.
The moderator, Owen McCusker of Sonalysts, asked the panel to describe what companies can do to create a healthy information security ecosystem.
Michael Daly, director of IT security services at Raytheon, said that his company has developed information security guidelines that include employee security awareness training, firewalls and data segregation, and “command and control blocking” that focuses on outbound traffic.
“There are always going to be vulnerabilities on your systems that are unpatched. There is nothing you are going to be able to do about it. So you ask yourself, ‘If I’m attacked, what am I going to do next?’ Watch for the traffic that is leaving your network. That is a key point”, Daly told conferences attendees.
Defense in depth is a key information security strategy, noted David Saul, chief scientist at State Street, a Boston-based financial institution. “You need to use all of the tools you have available”, he stressed.
“You need to have firewalls, you need to have data leakage protection….You need to have a combination of technologies…as well as employee awareness”, he said.
Saul also recommended information security collaboration across industries. He noted that there is an organization in New England called the Advanced Cyber Security Center that brings together information security experts from the financial, defense, health care, energy, and high-tech industries to share best practices and threat information and expertise.
Kurt Hakenson, chief technologist for Northrop Grumman’s Electronic Systems, added that collaboration should be not only across industries but also among industry peers.
“Security folks tend to be protective about information about breaches. There is always a balance about sharing that information with your industry peers. You will find that for the operational folks that are involved in the day-to-day work, relationships are critical. Being able to get on the phone is so important, because the adversaries who are targeting you are using the same techniques. They are socially aware”, Hakenson said.
Daly noted that Raytheon and Northrop Grumman are involved with the US government in Project Stonewall, a defense industry group that shares threat information in real time.
Allen Allison, chief security officer at cloud service provider NaviSite, said that providers also share information about security threats. “We undertake analysis of what traffic should look like, does look like, or can look like compared to the norm. We share that with all of our partners”, Allison noted.
This article is featured in:
Compliance and Policy • Data Loss • Internet and Network Security • Security Training and Education
There are always going to be threats and vulnerabilities in your infrastructure that are unaddressed, there is no such thing as an absolute security. Watch for the traffic leaving your company to monitor an incident and have a comprehensive incident handling program to manage an incident.
It’s all about priortizing risks and mitigating them in cost effective way.
Related Titles for Information Security Awareness
May 16 2011
Your Security For Your Personal Finances
by Consumer Reports
Threats to Your Personal Finances and Six ways to Stay Safer
Banking from a public computer
Keylogging malware that can capture account numbers, passwords, and other vital data is a risk that has been linked to use of open Wi-Fi connections and public computers such as those in hotel lobbies.
Using unfamiliar ATMs
Thieves have been known to put out-of-order signs on a legitimate ATM and set up nearby freestanding bogus ones that “skim” data from your card. ATMs located inside banks within view of surveillance cameras aren’t risk-free, but they pose more challenges for crooks installing skimming equipment.
Two other important pieces of advice related to ATMs: Separate your PIN code from your ATM or debit card. Almost 1 in 10 people carry their code with the card, says ACI Worldwide, a payment systems company. And when typing your PIN into an ATM or card reader, use your free hand to shield the keypad from the view of hidden cameras or anyone nearby.
Dropping your guard at gas pumps
Card-skimming at gas stations is likely to increase during summer months, especially in vacation areas, so use cash or credit cards at the pumps if possible. If you must use a debit card, select the option to have the purchase processed as a credit-card transaction rather than typing in your PIN.
Ignoring your credit or debit cards
Monitor your accounts at least weekly to spot and report unauthorized transactions as soon as possible. Use services offered by your bank or card issuer that can help protect you, such as an e-mail or text alert if a transaction occurs for more than a certain amount.
Abandoning your receipts
Many transactions, such as filling up your tank and making a debit-card withdrawal, leave a paper trail. Don’t toss away receipts in the ATM lobby or leave them at the gas pump. Hold on to them until your transactions have cleared your bank account to make sure the totals match. Then shred the receipts if they have any information a thief might use.
Trashing your bills
Thieves harvest sensitive data from account statements and other financial documents placed in the trash and use them for ID theft, says Inspector Michael Romano of the U.S. Postal Inspection Service. Shred them first.
6 Ways to Stay Safer
1. Watch out for imposters
The fastest-growing scam in the past year has been imposter fraud, according to the latest annual report on consumer complaints from the Federal Trade Commission. Thieves claiming to be someone they’re not (such as a friend or relative stranded overseas in need of cash to get home, a bill collector, or an employee of a government agency) use Facebook messages, e-mail, phone calls, and text messages to persuade people to send money or divulge personal information such as Social Security or account numbers. Last year, 60,000 people reported that they were affected by this form of fraud, up from just five cases reported in 2008.
2. Learn to parallel park
Car thieves are becoming more professional. They’re stealing new cars by putting them on a flatbed tow truck, our expert says. Parallel parking hinders access to the front and rear of your car, making it difficult to tow. Also, be careful about whom you bump into at the grocery store, especially if your car has keyless entry and a push-button ignition. A thief with an antenna and a small kit of electronics can transmit your key’s code to another thief standing near your car, allowing him to open it, start it, and drive it away.
3. Hide the stuff in your car
Don’t leave electronics and other valuables visible inside your car. GPS units are less of a magnet these days; cell phones and laptops more so. Holiday gifts are a big target, so don’t stack them up in the backseat. Is there a worse move? Yes. Leaving your stuff in the back of a pickup truck.
4. Change your PIN
Make it a habit to routinely change the secret code for your debit card or ATM card. That gives you better protection against any thieves or skimming schemes.
5. Keep a financial inventory
Once a year take out all of the cards in your wallet, make a list of the account numbers and contact information you’ll need to cancel cards if they become lost or stolen, and hide it in a safe place, says Mark Rasch, a former Department of Justice computer-crime prosecutor who is a director at CSC, a business technology firm based in Falls Church, Va.
6. Change your Wi-Fi password
If you have a home wireless network, choose the highest-security option. That way your Web-browsing and financial transactions will be more protected. Go a step further and create your own administrative password rather than rely on a default password supplied by the router.
Related titles to protect your personal & private information
8 ways to protect your Facebook privacy
May 13 2011
Enterprise Risk Management: From Incentives to Controls
Enterprise Risk Management: From Incentives to Controls
Enterprise risk management is a complex yet critical issue that all companies must deal with as they head into the twenty-first century. It empowers you to balance risks with rewards as well as people with processes.
But to master the numerous aspects of enterprise risk management- you must first realize that this approach is not only driven by sound theory but also by sound practice. No one knows this better than risk management expert James Lam.
In Enterprise Risk Management: From Incentives to Controls- Lam distills twenty years’ worth of experience in this field to give you a clear understanding of both the art and science of enterprise risk management.
Organized into four comprehensive sections- Enterprise Risk Management offers in-depth insights- practical advice- and real world case studies that explore every aspect of this important field.
Section I: Risk Management in Context lays a solid foundation for understanding the role of enterprise risk management in todays business environment.
Section II: The Enterprise Risk Management Framework offers an executive education on the business rationale for integrating risk management processes.
Section III: Risk Management Applications discusses the applications of risk management in two dimensions – functions and industries.
Section IV: A Look to the Future rounds out this comprehensive discussion of enterprise risk management by examining emerging topics in risk management with respect to people and technology.
Failure to properly manage risk continues to plague corporate America from Enron to Long Term Capital Management. Don’t let it hurt your organization. Pick up Enterprise Risk Management and learn how to meet the enterprise-wide risk management challenge head on and succeed.
Here are the contents of the book.
Authors: James Lam
Publisher: John Wiley
ISBN 10: 0471430005
ISBN 13: 9780471430001
Pages: 336
Format: Hard Cover
Published Date: 24/06/03
“I would highly recommend this book to anyone with a serious interest in understanding risk management from a holistic perspective.”
May 09 2011
The Business Case for Information Security Management System
Today’s economy is about protecting the information assets which is essential to existence of an organization. After a major incident or a security breach it is unthinkable to say it is not going to affect your bottom line. Most of the organization has to comply with various standards and regulations and a breach in a state of non compliance will be business limiting factor, and the organization may be liable to contractual penalties and loss of potential business from current and future customers.
So Information Security Management System defined as a protection of information from various threats and risks on daily basis. Therefore mitigating information security risks are becoming a critical corporate discipline alongside with other business functions such as HR, IT or accounting.
Mitigating business risks not only improve the business efficiency but also maximize the return on investment and business opportunities.
It is a mistake to assume that information security is solely a technical problem left for IT to solve. These titles below are a non-technical discussion of security information management. It offers a framework that will help business leaders better understand and mitigate risks, prioritize resources and spending, and realize the benefits of security information management.
May 06 2011
NSA publish list of recommendations for Keeping Networks Secure
Image via Wikipedia
‘Best Practices for Keeping Your Home Network Secure’ is a new guide published by the National Security Agency. This document provides home users directions for keeping their systems secure and protected.
Users are faceing lots of security issues now a days, and trying to apply all the required security measures is complicated due to the fast pace of changes in technology and new vulnerabilities that may leave them open to new attack. Thess controls are industry best practice and mitigate most risks to safeguard your information assets.
The document is divided in 4 parts:
■ Host-Based Recommendations:
■ Network Recommendations:
■ Operational Security (OPSEC)/Internet Behavior Recommendations:
■ Enhanced Protection Recommendations:
To be safe on the internet, use these recommendaions as a best practice to reasonably safeguard your information assets. These best practice information controls may also help you to invest wisely and justify cost on security.
Related articles
- NSA Advises Upgrade To Windows 7 (it.slashdot.org)
NSA titles for IAM and IEM implementation and certification
Apr 29 2011
Top Five Hollywood Hackers Movie
Image via Wikipedia
In movies the hacker tries to hack into a Department of Defense computer by speed-typing passwords. We all know reality is nothing like this and we see it as the joke that it is.
But business management don’t see the inherent risks as affecting business bottom line but a hindrance to another new project; they don’t see the research, the probing, the social engineering, risk impact, risk probability and overall risk as security professional do. It is our job as a security professional to show the risks in business terms to management so they can make a reasonable decision based on business risk threshold rather than emphasis on hinderance to bottom line. Remember the return on investment in security is part of doing business, it’s about reducing risks on ongoing basis and keep the company profitable on long term basis (keep making the money).
Emphasize management’s accountability for the risk and most importantly for residual risks (remaining risk after implementing a control). Put the onus on the Information Asset Owner who should be at the management level not a technical staff (may delegate responsibilities in small companies). Make clear recommendations but let them make the key decisions AND make them accountable if things may go wrong.
So yes, management is more impressed by flash and glamour, Because they know and good at analyzing the business risks but take the security risks as business inhibiting to their new project and may like to accept the risks rather than taking the time to address the issue which should be a corrective control to mitigate the existing risk to acceptable level.
What do you think – Do the Hollywood movies add any value in a sense to emphasis the information security risks as a threat to business folks or they just fictional stories which make business people ignore the information security threat?
Which one is your favorite hacker movie….
Below are the top three hackers movies
3-Hackers, 2-Untraceable, 1-WarGames
Apr 25 2011
Phishing emerges as major corporate security threat
Image via Wikipedia
Source: Computer World
The successful use of phishing emails to breach secure organizations like Oak Ridge National Laboratory and RSA are stark reminders of the serious threat posed by what some experts have dismissed as as a low-tech method of attack.
Oak Ridge, a U.S. Department of Energy-run research lab, this week disclosed it had shut down all Internet access and email services after discovering a sophisticated data stealing malware program on its networks.
According to the lab, the breach originated in a phishing email that was sent to about 570 employees. The emails were disguised to appear as notes about benefits changes written by the lab’s HR department. When a handful of employees clicked on the embedded link in the email, a malware program was downloaded onto their computers.
In terms of internal security, people are the weakest link – which makes phishing the emerging threat to any organization. Regular awareness training is one of the key control to countermeasure Phishing.
Latest titles on Phishing and countermeasures
Related articles
- Top Federal Lab Hacked in Spear-Phishing Attack (wired.com)
- How to get ahead of spear phishing (securityskeptic.typepad.com)
- Phishing Attack Hits Oak Ridge National Laboratory (informationweek.com)
« Previous Page — Next Page »
