Feb 12 2009

SB1386 and ISO27002

Category: ISO 27kDISC @ 7:08 pm

In April 20007, California state IT council adopted the information security program guide which help organizations to comply with SB 1386. The council advised the use of information security standard ISO 27002 framework to comply and meet the needs of SB 1386.

[Table = 13]

Which businesses are affected by SB 1386 law?
o If you have a business in California
o Outsourcing company who does business with a company in California or have customers in California
o Data centers outside of California which store information of California residents

sb1386

Toolkits are designed to help organizations who need to comply with a law like SB 1386. SB 1386 and ISO 27002 implementation toolkit assist ISO 27002 compliance. Also help organizations who are interested in certification to lay in the ground work for (ISO 27001) certification that would demonstrate the conformance with world class information security management systems.


The Comprehensive SB1386 Implementation toolkit comprises of:
1. The SB 1386 Documentation Toolkit: a download with nearly 400 of densely packed pages of fit-for-purpose policies and procedures ensuring full compliance with SB 1386.
2. International IT Governance: An Executive Guide to ISO 17799/ISO 27001 (Soft Cover) This is the US version of the long established world leading manual on designing and implementing an Information Security Management System (ISMS) in line with the best practice guidance of ISO27001/ISO17799.
3. vsRisk™- the Definitive ISO 27001: 2005-Compliant Information Security Risk Assessment Tool which in summary:
o automates and delivers an ISO/IEC 27001-compliant risk assessment
o Uniquely, can assess confidentiality, integrity & availability for each of business, legal and contractual aspects of information assets – as required by ISO 27001
o Comprehensive best-practice alignment
o Supports ISO 27001
o Supports ISO 27002 (ISO/IEC 17799)
o Conforms to ISO/IEC 27005
o Conforms to NIST SP 800-30
o The wizard-based approach simplifies and accelerates the risk assessment process;
o Integrated, regularly updated, BS7799-3 compliant threat and vulnerability databases.
4. Plus an electronic copy of the Information Security Standard ISO/IEC 27002: (formerly ISO 17799).

Buy The SB-1386 & ISO27002 Implementation Toolkit NOW!

ISO assessment is a great first step towards ISO 27002 compliance and toward the final goal of ISO 27001 certification audit or for that matter any compliance audit.

ISO 27002 Framework for Today’s Security Challenges
httpv://www.youtube.com/watch?v=yRFMfiLbNj8

Reblog this post [with Zemanta]

Tags: Information Security, Information Security Management System, International Organization for Standardization, iso 27001, iso 27002, iso 27005, iso assessment, National Institute of Standards and Technology, sb 1386

Feb 10 2009

Defense in depth and network segmentation

Category: Information Security,Network securityDISC @ 2:17 am

Traditional security schemes are incapable of meeting new security challenges of today’s business requirements. Most security architectures are perimeter centric and lack comprehensive internal controls. Organizations which are dependent on firewall security might be overtaxing (asking security mechanism to do more than it can handle). Some of the old firewalls rule set stay intact for years, which might be a liability when the firewall rule set neither represent current business requirements and nor are protecting critical assets appropriately.

“Firewalls are typically managed by a succession of administrators who create their own rules, which then accumulate over a period of years. This creates rule duplication, which can impinge on performance, but also brings risks such as the use default or open passwords.”

The first step in defense in depth is designing a corporate network segmentation policy which describes which departments, application, services and assets should reside on a separate network. Network segmentation will assure that threats are localized with minimal impact on the organization. NIST, ISO27002, and PCI emphasis the importance of network segmentation but does not mandate the requirement. At the same time PCI Standard committee emphasize in new standards that the compliance scope can be significantly minimized by placing all the related assets in the same segment. Network segmentation is not only a common sense in today’s market but also one of the most effective and economical control to implement, simply a great return on investment.

Network segmentation benefits:
o Improve network performance and reduce network congestion
o Contain attacks (viruses, worms, trojans, spam, adware) from overflowing into other networks.
o Improve security by ensuring that nodes are not visible to unauthorized networks. Reduce the size of broadcast domain

Basic idea behind defense in depth is to protect your crown jewel in multiple layers of defense, should one fail, another will provide crucial protection. Another important thing to remember is that we cannot defend everything, so our defense in depth approach should be asset centric rather than perimeter or technology centric. Perform a thorough risk assessment to find out your most important assets and apply the defense in depth approach to protect the confidentiality, integrity and availability of those critical assets. Examples of network segmentation include wireless network, where you place the wireless network users in their own segment behind a firewall with their own rule set. This rule set will help to contain the users on wireless network as well as any potential attacks on the organization. To get to the content of another segment in the network, the wireless users has to pass through all the layers of protection.

Defense in depth diagram
defenseindepth
Different attacks will be handled by different layers. In the outer layer 1 will handle most of the network related attacks while the layer 2 will handle most of the script based attacks which target the operating system. Layer 3 will handle most of the application attacks which are complex and only utilized by skilled attackers. Layer 4 is your final frontier where you protect your crown jewel by moving many of the tools and techniques used at the perimeter closer to critical assets.



Related article
Network segmentation is a common sense





Defense in depth
httpv://www.youtube.com/watch?v=zTJSMjYd9c4&feature=related


Tags: Consultants, Firewall, ISO/IEC 27002, National Institute of Standards and Technology, Products, Rate of return, Security, Wireless network

Jan 30 2009

ISO 27k and CMMI

Category: Information Security,ISO 27kDISC @ 2:00 am

To become a successful business in today’s market, optimized information security controls may be the panacea for unmet security needs. One way to achieve optimized information security control is to perform ISO assessment and assess the organization security posture based on ISO 27002 code of practice and map each control with Capability Maturity Model Integration (CMMI) to find out the current CMMI level for each control. information The goal is to address the organization security needs as a whole, and assess how different departments and business functions are addressing the current business security requirements. The CMMI has five levels and evaluate security controls based on levels, not on specific objectives. Each level provides the basis for the next level where it is not possible to get to the next level without complying with previous level. ISO 27002 is a comprehensive framework which can be utilized to obtain the baseline upon which to build each level. For each control in ISO 27002, maturity levels are defined using maturity definition found in CMMI. In the assessment report maturity level of each control of ISO 27002 standard can be evaluated. Utilizing the color coded scheme provided by CMMI model, create a one page ISO control summary for executives which will not only help them to understand the current security posture but also can be instrumental for measuring progress and resource allocation.

The scope of the ISO27k standards includes various aspects of IT. The introduction to ISO 27002 states clearly: “Information can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by post of using electronic means, shown on films, or spoken in conversation. Whatever form information takes, or means by which it is shared or stored, it should always be appropriately protected.”

Benefits of ISO 27k framework:
o Framework addresses the security issues for the whole organization and limit data breaches
o Address compliance with various regulations like (SOX, HIPAA, and PCI) without creating silos.
o Reduce total cost of security by decreasing total number of controls required
o Perception of your business that you are serious about information security not just compliance
o Enhance partners and vendors confidence to do business with your organization
o Future deciding factor for national and especially international partners for more business
o Internationally recognized standard which addresses security awareness for the whole organization

isotocmmi

Assessment will give an organization a high level view of their current security posture and provide a road map for security strategy in a sense what needs to be addressed first utilizing risk based approach. This is also a good start if your organization is interested in the Information Security Management System (ISMS) or ISO 27001 certification. ISO 27001 is the standard for the certification which includes the set of requirements for ISMS. Justifiable scoping is the key to a quick and successful certification; organization may adjust their scope in a re-certification attempt. Perhaps in the first attempt you may need to include just a web portal in your scope and the entire infrastructure behind supporting that portal. Once the ISMS project scope is determined, here are some steps you can follow to prepare for ISO 27001 auditors.

1. Based on your scope, create an asset list
2. Find out asset threats and vulnerabilities and classify the asset based on CIA scale
3. Come up with risk matrix based on impact and likelihood of the risk
4. Create priorities based on impact and likelihood of the risk
5. Based on priorities, implement appropriate controls for risks which needs to be addressed
6. Do the risk assessment again, PDCA improve ISMS

“ISO27001 is a structured, technology-neutral, vendor-agnostic specification and code of practice for information security management in organizations of all sizes that should be adopted as part of an organization’s overall risk management strategy.”

This should give you a jump start to certification. You have already started the process of certification because most of the documentations in the risk assessment will become part of certification process later and will lead you to 12 steps which are part of PDCA cycle. ISMS certification process utilized Plan-Do-Check-Act (PDCA) cycle methodology which continually improve information security management system and meet the contractual, legal, and regulatory requirements for information security.

ISO assessment is utilized to analyze the current security posture of an organization where each control is defined and can be color coded using the base definition found in CMMI. Therefore ISO assessment is a great first step towards the final ISO 27001 certification audit or for that matter any compliance audit.

[TABLE=2]

ISO 27k framework for today’s security challenges
httpv://www.youtube.com/watch?v=yRFMfiLbNj8

Three useful titles on ISO 27k by Alan Calder

Related articles by Zemanta

Tags: Capability Maturity Model Integration, CIA scale, Information Security, Information Security Management System, International Organization for Standardization, isms, iso 27001, iso 27002, ISO/IEC 27001, PCI, PDCA, Risk Assessment, Risk management, Security, SOX HIPAA, vsrisk

Jan 22 2009

Web 2.0 and malware 2.0

Category: Malware,Web 2.0DISC @ 5:43 pm

Web 2.0 - No one owns it
A new position paper from ENISA describes the risks associated with web 2.0 and malware 2.0. Web 2.0 includes social networking, photo sharing, wikis and social bookmarking sites and malware 2.0 is defined as a web based infection in which user can be entrap by visiting website.

Web 2.0 applications are thriving because of their dynamic contents, in which users chip into the content and interact with each other. This dynamic interaction with other users comes with new threats of malware 2.0, in web 2.0 environment user trust the information without knowing anything about the author or integrity of the source, and that’s precisely why criminals are attacking these applications and using it to circulate malware 2.0.

ENSIA survey also evaluates the methods used by people to figure out if the web page is phony. People will be suspicious of a source if it only appears once on the web, but will start trusting the source (integrity of the source) if it appears more than once on the web. Assumption is somebody down the chain might have validated the source and as the source start spreading on the web somehow people start believing in the authenticity of the content.

“Misinformation is easily propagated through syndicated news stories, blog posts, and social data, which provides few trust cues to users. This has very serious consequences such as stock price manipulation and control of botnet via RSS feeds”

There is a need to establish an independent third party on the web to validate the source of the content. Availability of the web 2.0 content has to be balanced with a fitting dose of confidentiality and integrity of the content.

Survey results

[TABLE=12]

Related article
25 Most Shocking Crimes in Social Media History

    The Machine is Us/ing Us

httpv://www.youtube.com/watch?v=NLlGopyXT_g

Tags: availabiliy, confientiality, integrity, malware 2.0, On the Web, Photo sharing, risks, RSS, Security, Social bookmarking, Social network service, threats, Web 2.0, Web page, Website

Jan 14 2009

Cyber warfare and possibility of cybergeddon

Category: Information WarfareDISC @ 1:56 am

 

Background and Risks Associated with Various SCADA Systems | Envista Forensics

Cyber warfare poses a serious threat to critical infrastructure of a country. It has been a major challenge for DoD officials, cyber attackers have already stolen tera byte of data from their infrastructure.

 

Most of the security expert and FBI agree that cyber attacks pose biggest threat to US vital infrastructure. “Cybergeddon” our daily economy which depend on inter connected vital network infrastructure is hacked by cyber attacker.

SCADA (Supervisory Control and Data Acquisition – control power grids in all the utilities) “systems are used in industry to monitor and control plant status and provide logging facilities and are highly configurable“. SCADA system is a connection between control systems and the switches.

Cyber attackers have already led to multicity power outage outside of US. Recent attacks show that cyber attackers are getting more knowledgeable about SCADA system. In the past SCADA use to be exclusive system but now slowly getting integrated with the rest of the infrastructure and utilizing IP addressing scheme. Both introduce new threats and raise the risk of cyber attack.

Utilities are the most critical infrastructure in a sense because of other vital infrastructure dependency on power supply. Cyber attack on SCADA system has a potential of cybergeddon and should be protected as a very critical asset by both public and private sectors. Security through obscurity is not the answer for SCADA anymore.

 

In SCADA system, reasonable security can be achieved by embracing ISO 27k standard as a policy and eventually acquiring ISO 27001 (ISMS) certification. Organizations may start the certification process with limited scope (of critical processes) in the beginning, and increment the scope in each recertification attempt based on the resources available and management risk appetite. Information Security Management System (ISMS) can be a great value added process to manage ongoing monitoring, maintaining and for process improvement of SCADA. ISMS as a process in-place provides reasonable security safeguard to zero day attacks.

 

How do I prepare for a power outage?

 


 

“SCADA system has been poorly managed for decades”

What is SCADA?

Tags: Cyber-warfare, cybergeddon, Information Security Management System, Information Warfare, International Organization for Standardization, ira winkler, iso 27001, SCADA, Security

Jan 06 2009

Digital frames and malware threat

Category: MalwareDISC @ 6:30 pm

Digital photo frame
No doubt, the digital frame is a hot state of the art technology item today. Some digital frames in the market carry a risk of infection through a Trojan horse (malware) which is capable of monitoring keystrokes and sending useful information back to its originator. In Jan 2008 there were multiple reports that digital picture frames attempted to install malware on devices connected to the frame. It’s Jan 2009, and digital frames are still embedded with malwares.

According to SF chronicle article by Deborah Gage (Jan 2, 2009, pg. c1) “These popular devices are now so powerful that they’ve become computers in themselves, although people who buy them don’t always realize that. And like computers, the frames are capable of carrying code that logs keystrokes, steals data and calls out to other malicious code once it’s installed itself on a PC. “ “Users don’t realize that bad guys can make use of each and every computer they can control, even if you don’t do Internet banking or have any sensitive information,” said Karel Obluk, the chief technology officer of AVG, a security vendor with offices in the United States and Europe. “They can profit by spam or other illegal activities and make (your) PC part of an illegal network. It’s something that users should always be reminded of.”

Consumers have to be wary of devices which have memory on-board.

December 29, 2008 (Computerworld) Amazon.com Inc. last week warned customers running Windows XP that a Samsung digital photo frame it sold until earlier this month might have come with malware on the driver installation CD. Amazon’s advisory identified the malware as “W32.Sality.AE,” the name assigned by Symantec Corp.

According to Samsung’s alert, “a batch of Photo Frame Driver CDs contains a worm virus in the Frame Manager software. This is a risk of the customers host PCs being infected with this worm virus.”
The Samsung SPF-85H is no longer available on Amazon.com.

“Samsung has issued an alert. … Our records indicate that you have purchased one of the digital photo frames through the Amazon.com website and are therefore affected by this alert,” said Amazon in the note.

Based on various security advisories — Only users running Windows XP are at risk from this virus or a Trojan, Samsung and Amazon said; Windows Vista is immune.

Some considerations to safeguard against Trojans:

 Turn off autorun in Windows, to stop Trojan and malware exploits from installing itself on your system.
 To find a Trojan on your system, configure Windows to show hidden files.
 Utilize antivirus software which look for Trojans and keep it turned on and up-to-date. Scan new devices for malware upon connection to a system.
 Perform application vulnerability assessment on digital frame which will look for hidden Trojans.
 Perform regular assessment to find new vulnerabilities
 Buy photo frames manufactured by vendors who can guarantee exclusion of malwares.
 Do your due diligence to find out for known vulnerabilities before buying a digital frame

Who should be responsible for to make sure digital frames are malware free or perhaps both? (consumer/vendors)

AP Impact: Viruses Hit Digital Photo Frames, GPS
httpv://www.youtube.com/watch?v=R19VKUyeXag

Reblog this post [with Zemanta]




Tags: amazon, anti botnet, anti trojan, anti virus, anti worm, illegal network, infection, Malware, photo frame, samsung, Trojan horse

Dec 29 2008

Network Access Control and Security

Category: Access ControlDISC @ 4:24 am

Wireless Internet Access Global Map

The purpose of network access control is to protect and safeguard assets attached to network from threats of unauthorized users gaining access to organization’s assets.

Network Access Control (NAC) authenticate users to make sure they are authorized to login and following the policies and procedures for login before authorized to use organization assets. Some of the threats to assets are insider fraud, identity theft and botnet infestation, where botnet can be utilized as a launching pad for attacks to other organizations.

Various laws and regulations have been introduced for various industries to protect organization data. Organization can be held liable, if they don’t practice due diligence or have adequate protection for their assets. Before putting the policy in place to protect these assets it might help to know specific threats to environment. Today’s threats come from well organized criminals who take advantage of unprotected assets. These days most of the cyber crimes are international crimes. Even though most of the countries have cyber crimes laws today but the legal system varies from country to country which slows cooperation between countries. Today’s technology is changing fast but the legal system is not changing fast enough to tackle new cyber crimes. We don’t have comprehensive international laws yet which cover cyber crimes to prosecute these criminals; most of cyber crimes are conducted from a country whose law enforcement agency either don’t have time and training to pursue these crimes vigorously or don’t have a jurisdiction in the country where the crime is committed. Sometime law enforcement agencies get help from Interpol to prosecute these individuals, but most of the time law enforcement agencies in various countries are helpless because these criminals are not in their jurisdiction. In some cases these criminals are utilizing state of the art tools to cover their tracks.

Some Considerations to tackle NAC: adapt ISO 27002 domain 11 sub category 11.4 (NAC) controls as a policy suitable to your organization.

1. Create a network access control policy: policy on use of network services
2. User authentication for internal and external connections
3. Enforce access control policy
3a. Up-to-date signature file (anti-virus, anti-worm, anti-trojan, anti-adware)
3b. Up-to date patches
3c. Equipment identification in network
3d. Backup access control logs remotely and review regularly
3e. Multihome firewall installed which segregate networks
3f. Harden system configuration
3g. Network connection control
3h. Network routing control
4. Assess the posture of your network regularly to redefine policies
5. Gartner MarketScope for Network Access Control, 2008
6. The Forrester Wave™: Network Access Control, Q3 2008

“In Forrester’s 73-criteria evaluation of network access control (NAC) vendors, we found that Microsoft, Cisco Systems, Bradford Networks, and Juniper Networks lead the pack because of their strong enforcement and policy. Microsoft’s NAP technology is a relative newcomer, but has become the de facto standard and pushes NAC into its near-ubiquitous Windows Server customer base.”

Nortel Secure Network Access and Microsoft NAP integration
httpv://www.youtube.com/watch?v=rqu88yx4FGc

Reblog this post [with Zemanta]




Tags: Cisco Systems, Forrester, Gartner, iso 27002, Juniper Networks, jurisdiction, Law, Law enforcement agency, Microsoft, Microsoft Windows, NAC Policy, Network Access Control, Police, Security

Dec 16 2008

Unstable economy and insider threats

Category: Information Security,Insider ThreatDISC @ 2:42 am

State of affairs
Image by Pulpolux !!! via Flickr
During the current unstable economy, organizations face increased threats from insiders during tough economic years ahead. During hard time organizations not only have to worry about outsider threats but will be facing an increased threat from disgruntled employees who might see no future with the organization during unstable economy. During these circumstances, when new jobs are hard to come by, revenge or financial need might play a motivating factor for a disgruntled employee.

In July 2008, San Francisco city network administrator (Terry Childs who hijacked the city network) was arrested and charged with locking his own bosses and colleagues out of city network. Basically his bosses got caught sleeping on their jobs because they were not monitoring this guy who happens to have the key to their kingdom. San Francisco city network controls data for its police, courts, jails, payroll, and health services. After 8 days in jail cell Terry Childs finally relinquished the password to Mayor Gavin Newsom in his jail cell. Why San Francisco’s network admin went rogue

Here are some considerations to tackle insider threats

Manage and monitor access
Manage your users through single sign on source like Windows active directory or Sun single sign on directory, which not only enable control access to sensitive data but also let you disable access to all resources when employee leave the company from a single location. Single sign on solution also provide comprehensive audit trail which can provide forensic evidence during incident handling.

Limit data leakage
Intellectual property (design, pattern, formula) should be guarded with utmost vigilant. Access to IP should be limited to few authorized users and controls should be in place to limit the data leakage outside the organization. Protect your online assets, and disable removable media to prevent classified data being copied into USB drives, CDs, and mobile phones.

Principle of least privilege
Which requires that user must be able to access to classified information only when user has legitimate business need and management permission. Sensitive data should be distributed on need to know basis and must have system logs and auditing turned on, so you can review the access is limited to those who are authorized. Proactively review the logs for any suspicious activity. In case suspicious activity is detected, increase audit and monitoring frequency of the target to detect their day to day activity. Limit access to critical resources through remote access.

Conduct background check
Conduct background check on all new and suspicious employees. All employees who handle sensitive data must go through background check. HR should conduct background verification, reference check and criminal history for at least 5 years. What type of checks will be conducting on an individual will depend upon their access to classified information.

Risk assessment
Conduct a risk analysis of your data on regular basis to determine what data you have, its sensitivity and where it resides and who is the business owner. Risk analysis should determine appropriate data classification based on sensitivity and risks to data. Regular risk assessment might be necessary, due to passage of time data classification might change based on new threats and sensitivity of the data.

Digital Armageddon – The Insider Threat
httpv://www.youtube.com/watch?v=FQ4bvCPwFMY

Reblog this post [with Zemanta]




Tags: Background Check, Detect activity, Gavin Newsom, Intellectual Property, Manage access, Monitor access, Online assets, risk analysis, San Francisco, Security, Tough Economy

Dec 05 2008

Telcos and information privacy

Category: Information PrivacyDISC @ 2:26 pm

Mobile Phone
Image via Wikipedia

With the economy in the tank, breach of privacy is not going to be a priority in Obama’s administration to do list. It will be quite difficult to make it a priority when Obama has signed a bill indemnifying telcos from suits due to privacy breaches.

During the presidential election campaign, Verizon employee gained unauthorized access to President-elect Obama’s mobile phone records. You might assume that if telcos are having a hard time protecting the privacy of high profile individuals, how would that make you feel as a cell phone owner? Don’t you wonder why the mainstream media didn’t publicize this case of high profile privacy breach more widely?

Basically Telcos have been immunized from privacy lawsuits so that big brother can snoop around our private phone records as they please. In this instance, law only applies to people and makes it illegal to snoop on each other but the telecom entities have been granted an exception by congress. Legal ruling require law enforcement to meet high “probable cause” standard before acquiring cell phone record. In recent report, document obtained by civil liberties group under FOIA request suggest that “triggerfish” technology can be used to pinpoint cell phone without involving cell phone provider and user knowing about it.

Organizations should implement directive, preventive and detective controls to protect the privacy of information. Where directive controls include the policies, procedures, and training. Preventive controls deal with the separation of duties, principle of least privilege, network, application and data controls. Detective controls involve auditing, logging and monitoring.

Verizon case shows lack of detective controls. Organization should have a clearly defined privacy policy which states that private information should be logged, monitored and audited. High profile individual should be identified and documented and reviews of audit logs should be conducted to identify inappropriate access to the privacy information of high profile individuals. The authorized person who has access to private information should be audited on regular basis to find out if they are following the privacy policies and procedures of the company. For privacy information, log who accessed which data, for who and when. Managers should train and monitor subordinate to help protect privacy information, which not only educate the subordinate but also serve as a major deterrence. Privacy is an essential ingredient of liberty and must be guarded with utmost due diligence.

“Those who give up essential liberty to purchase a little temporary safety deserve neither liberty nor safety” Benjamin Franklin

Presidential Phone Compromised

Privacy Debate: Shouldn’t Public Demand High Threshold?
httpv://www.youtube.com/watch?v=HR6IEz4T7Yw

Reblog this post [with Zemanta]




Tags: auditing, Barack Obama, breach of privacy, Civil liberties, detective, directive, Lawsuit, logging, mobile phone, monitoring, preventive, privacy, Security, tiggerfish, Verizon

Nov 26 2008

Cyber threats and overall security assessment

Category: Information Warfare,Risk AssessmentDISC @ 3:13 am

The main screen showing star names (color-code...
Image via Wikipedia

In the past when senior management (execs) needed to understand the financial implication of cyber threats and their exposures, they turned their questionnaires toward IT for relevant answers. In other words IT risk assessment was the answer in the past to understand the financial implications of cyber threats. The IT risk assessment is not the comprehensive or overall assessment of the company to understand the total implications of cyber threats. The overall assessment will not only include IT but also other departments like HR and legal etc… Basically cyber threats are neither IT issue and nor a legal or HR issue any more, it’s simply an enterprise management issue.

In old days the firewall was used as a major defense against potential cyber threats. The new cyber threats are sophisticated enough to demand better defense. New threats (virus, adware, worms, Trojan, spyware, spam, phishing) use modern techniques to bypass defenses. The potential risks of these new threats demand an immediate attention (of CFO or higher) and approval for resource allocation to protect against cyber threats. To make a solid business case for security ROI, senior level execs need to know the overall risk they are reducing, and their highest priority.

[TABLE=12]

ANSI and ISA have jointly released a document to assist senior management to prepare for financial implications for cyber threats. Basic essence of the guide is to provide a tool to execs to understand the financial implications of potential cyber threats to their organizations.

“The 40 page guide was put together by task force of risk management execs from more than two dozen organizations. The new guide offered by ANSI and the ISA recommends that CFO ask their various team’s questions about the biggest threats to data confidentiality, integrity and availability,” to get to know the existing controls in place and any relevant mitigation plan. Risk analysis of this information can help execs to map the cyber threats risks into correct financial terms and make better resource allocation.
The senior execs who want to implement information security as a process in their organization should consider ISO 27001 (ISMS) as a best practice, which provides a reasonable on-going due diligence to protect and safeguard organization data.

Reblog this post [with Zemanta]




Tags: availability, Business, Chief financial officer, cyber threats, data confidentiality, exposure, Financial services, Human resources, Insurance, integrity, isms, ISO/IEC 27001, Management, overall assessment, risk analysis, Risk Assessment, Risk management, roi, Security

Nov 17 2008

Harmful Spyware and their stealthier means

Category: Information Security,MalwareDISC @ 2:55 pm

Dozens of pop-up ads covering a desktop.

Spyware is utilized to gather information about a person with or without their consent and it intercept or record personal/financial information. Some spyware are capable of sending information back to another computer (originator of the spyware).

Characteristic of Spyware

• Compromise user machine without their knowledge
• Use vulnerabilities in the software to push a spyware code on the machine
• Install Trojans to gather data
• Gather personal and financial information to send it to attackers

Spyware are used to gather different kind of information which includes but not limited to advertising, corporate monitoring, child monitoring, governmental monitoring. Besides their legal use which is based on company policy or regulations monitoring spywares can be used for spying on a person without their consent. More common types of spywares are adware (serve advertising) and key-loggers (record keystrokes)

How you can get spyware on your machine: Spyware can be installed on your machine in many ways.

Below are some of the common ways to deliver spyware.
• Spyware can be installed on a computer via a virus or an email Trojan.
• Spyware can be installed on a computer by taking advantage of security flaws in Internet Explorer.
• Spyware sometime are included in the shareware program. User agreement for the shareware may make a reference to grant permission to allow the recording of your internet use
• Pop-up downloads are becoming a preferred method of installing spyware and adware. Pop-up download windows ask the users to download a program to their computers.
• Another popular way to distribute spyware is a drive-by download. It installs itself on the computer without user knowledge. It can be installed by simply visiting a website.

Windows Defender is software that helps protect your computer against pop-ups, and security threats caused by spyware and other unwanted software by detecting and removing known spyware from your computer. Most popular antivirus products now include adware and spyware scanning. You can find more adware and spyware removal tools at the Spyware Protection and Removal guide. This Web page includes links to popular spyware removal programs, as well as a number of useful articles. Also in Internet Explorer 7 (IE7) you can turn on/off the pop-up blocker. IE7 -> Tools -> Pop-Up Blocker. There is a pop-up blocker setting where you can allow exceptions for some sites and setup pop-up filter to high, medium and low.

Anti-Spyware, Registry Cleaner & PC Optimizer

Computer users particularly need to watch out for bogus spyware removal programs. They are dangerous because they punish the user for doing something right. Victims think that this will remove the spyware, instead in some cases computer users are paying to install a spyware.
Checkout the Rouge Anti-Spyware Products table

How to Protect from Spyware
httpv://www.youtube.com/watch?v=_w-DZNbq66I&feature=PlayList&p=18F23434175F964D&playnext=1&index=26

Reblog this post [with Zemanta]




Tags: adware, bogus spyware, drive-by download, financial information, Internet Explorer, keylogger, Pop-up ad, rouge anti-spyware, Security, shareware, Spyware, trojan, virus, Windows Defender, World Wide Web

Nov 04 2008

Open Network and Security

Category: Information Security,Open NetworkDISC @ 7:54 pm

Made and uploaded by John Manuel - JMK{{#if: |...

Open networks are heterogeneous environment where users like to use all the applications and systems at any given time. In a heterogeneous environment, each department run different hardware and software, but you can control the protocols which will work on this environment.

Universities are famous for open network. Most Universities network is comprised of a Bank (To give loan to students), a restaurant, and a bookstore which have credit card processing ability. Students, alumni, researchers, employee and staff need access to utilize resources. Now how would you control access if same person assume all the roles mentioned above. Universities are basically transient communities, where users come back and plug-in their new devices and expect an immediate access to all the resources. Where the reputation of openness is challenge at every step of the way, now the question is how can they maintain reputation and yet control the environment based on security policies.

Reasonable security can be accomplished by focusing on a process rather than adding yet another security control. The process is based on risk assessment program where you assess your critical assets based on threat and vulnerability pair and measure the likelihood and impact of a threat if a given vulnerability is exploited.

The process start with knowing your assets – Network registration will detect when you plug-in your new equipment. Before you get an access, it detects a hardware address and username. You can also control common misconfigurations and noncompliance issues with network registration process. Some vulnerability management systems discover assets and perform vulnerability and security configuration assessment to proactively identify and prioritize risks. New vulnerabilities are accessed from trusted site on a regular basis and when vulnerabilities are identified, the management system needs to have an ability to remediate to comply with the information security policy.

Most of the departments in an open network contains different systems and applications and basically have different security appetite. Distributed IT Governance can address this issue where you develop policies and procedures which fit their needs and hand it over to the department to comply.
Open network requires pretty much open borders, Instead of securing the network/system emphasis should be on data protection.

[TABLE=9]

Recent news from AT&T to make its network open where customers can use any handset of their choice, perhaps a reaction to in response to recent moves from Verizon and Google to promote open network. Specifically Verizon announced that it would allow “any device” and “any application” to operate on its network. These open networks does provide flexibility for customers but at the same time burden lies on the shoulders of the corporations to provide right balance of security and privacy with availability of the network.

In an open network, reasonable security can be achieved by embracing ISO 27k standard and eventually acquiring ISO 27001 (ISMS) certification. Information Security Management System (ISMS) can be a great value added process to manage ongoing monitoring, maintaining and for process improvement of an open network. ISMS as a process in-place provides reasonable security safeguard to your information and certainly help to minimize the liability in the court of law.

End-to-End Network Security: Defense-in-Depth by Omar Santos
httpv://www.youtube.com/watch?v=zTJSMjYd9c4

(Free Two-Day Shipping from Amazon Prime). Great books

Reblog this post [with Zemanta]




Tags: AT&T, Computers, Credit card, data protection, heterogeneous, impact, Information Security, Information Security Management System, isms, iso 27001, ISO 27k, ISO/IEC 27001, IT Governance, likelihood, Network registration, Omar Santos, Reasonable security, risk assessment program, security controls, threat, Universities network, Verizon, vulnerability, vulnerability management systems

Oct 29 2008

Laptop and traveling precautions

Category: Laptop SecurityDISC @ 12:58 am

Laptop security

Best practice emphasize the fact to backup the data if you can’t live without it, in the same way a traveler must avoid taking sensitive data on the road unless it’s absolutely necessary to do so. If you do plan to take sensitive data with you on the laptop, the necessary security controls must be implemented and go with the sensitive data. The data protection controls should be based on your information security policy data classification.

The laptop hardware itself is only worth few hundred dollars these days, but on the other hand it’s hard to put a price tag on the exposed data which may have a drastic impact on your organization, especially these days when most of the organizations are at the edge due to financial chaos.
Frequent travelers know it’s possible to lose a laptop or lose data because laptop may become inoperable due to hardware malfunction. Planning an important business trip should include encrypting sensitive data and backup on a remote website (Carbonite). So in case you lose your laptop or it’s is inoperable for some reason, you can remotely recover backed up files from site within reasonable time.

[TABLE=8]

Here is how you can encrypt your data on Windows laptop with built-in utility EFS

1. Create a new folder, and name the folder Private.
2. Right click the new folder and choose properties
3. Click advanced button
4. Check encrypt contents to secure data box and then click OK, Apply and OK again.

You have created a secure area where you can put your sensitive documents. Any file or subfolder you add to this folder (Private) will be encrypted automatically. Basically any type of file except Windows system file will be encrypted in this folder. Now if the attacker steal your laptop and remove your hard drive and mount on a system where the attacker has administrative privileges, the attacker will not be able to access the contents of the folder Private. On the other hand 256-bit AES encryption key is stored in encrypted form as a file attribute called the data decryption field (DDF). The EFS private key, needed to decrypt the DDF and extract the file encryption key, is also stored in encrypted form in the registry. The master key, which is used to obtain the key needed to access the EFS private key, is encrypted by the systems key and also stored locally. So the attacker will be able to decrypt the EFS protected files if he can somehow get possession of the system key.

Luckily we do have a choice whether to store the system key locally on your laptop. If you click start, then Run and then launch syskey.exe utility, you can choose how and where the system key will be stored. The dialogue box will present three options.

1. Store the startup key locally
2. Store the startup key on the floppy disk
3. Generate the startup key from a password

With the two non default options, you will be requiring to either insert the floppy or enter the password whenever the laptop is BOOTED. The floppy option is highly inconvenient for laptop users but the password options seem sufficient to protect the laptop data. On the laptop which doesn’t have a floppy drive, don’t try to click the floppy option because when you boot next time the laptop will be looking for the system key on a floppy before booting.

Survey: CISOs worried about mobile data security

**The real Hustle – Laptop Theft Scam
httpv://www.youtube.com/watch?v=Gb3ZiTJkCaA


Reblog this post [with Zemanta]




Tags: aes, Backup, Booting, carbonite, Cryptography, data classification, data ptotection, ddf, efs, encryption, exposed data, financial chaos, Hardware, Notebooks and Laptops, private key, Security, security controls, sensitive data, system key, threats, Windows

Oct 21 2008

12 Phishing Threats and Identity Theft

Category: Email Security,Identity TheftDISC @ 7:22 pm

Have you ever thought of losing something and you cannot live without it? Yes, that something can be your identity. Phishing is a practice of luring unsuspecting Internet users to a fake Web site by using authentic-looking email with the real organization’s logo, in an attempt to steal passwords, financial or personal information. In daily life people advise to retrace your steps when you lose something. The question is how you retrace your steps on cyberspace where some uber hackers know how to erase their footsteps to avoid detection. It is difficult to find phishers in cyberspace, and jurisdictional issues make it even harder to prosecute them. Then there is an issue of trust that phishers dupe people to believe that their web site is not fraudulent to collect personal/financial information.

Amongst the financial crisis, phishing might be on the rise because for many organizations information protection might be the last thing on their mind. The FDIC has created a webpage to inform and warn consumers about “phishing.” These days phishers have targeted social network organizations LinkedIn and Facebook where their members have been duped into revealing their sensitive data.

Mainly phishing attacks are targeted to steal the identity. Now the question is, how easy it is to steal somebody’s identity? Let’s say a phisher has your name and address, and then he/she can get your Social Security number with the search on AccurInt or other personal database website. A Social Security number is not the only bounty a fraudster can find on these websites, other personal/private information is available as well at minimal cost.

In the table below are the 12 threats to your online identity which can be manipulated in phishing scams, and possible countermeasures to protect your personal and financial information. Some threats are inadequate or no security controls in place. The last row of the table is a monitoring control to identify the warning signs of identity theft.

[Table=7]

Organizations should take necessary steps to protect against identity fraud and apply whatever state and federal legislation applies to your business. Organizations which are serious about their information security should consider implementing the ISO 27001 (ISMS) standard as a best practice, which provides reasonable due diligence to protect and safeguard your information.

US Bank phishing attack exposed
httpv://www.youtube.com/watch?v=n2QKQkuSB4Q


(Free Two-Day Shipping from Amazon Prime). Great books




Tags: accurint, countermeasure, cyberspace, due diligence, equifax, experian, facebook, fdic, financial crisis, fraudster, identity fraud, information protection, isms, iso 27001, jurisdictional, legislation, linkedin, phishing, prosecute, safeguard, social security, threats, transunion, uber hacker

Oct 17 2008

SmartPhone and Security

Category: Information Security,Smart PhoneDISC @ 1:53 am

Mobile spyware is malicious software which is used to spy and control mobile devices (BlackBerry, PDAs, Windows Mobile and Cell Phones). Mobile spyware will not only intercept the message between two devices but also determine the location of the device. Basically, mobile spyware software is installed on a mobile device to spy on them.

Small businesses are usually not equipped to handle these threats. Just like laptops and desktops – mobile devices need security controls like antivirus, personal firewall, encryption and VPN to provide needed level of protection. Small businesses need to be aware of the security threats, like they might think that they are installing a game, which might very well be a key logger (logs your key strokes) or trojan software.

[TABLE=6]

Hackers on the move, WSJ August 11, 2008 by Roger Cheng – where he writes about more companies are letting employees use their personal smart phone at work and the security experts warns about the present threats in the industry. http://online.wsj.com/article/SB121803418845416977.html

Tips to safeguard your smartphone
httpv://www.youtube.com/watch?v=S64J4BCCoi4


(Free Two-Day Shipping from Amazon Prime). Great books




Tags: antivirus, encryption, hacker, intercept, key logger, malicious, mobile phone, mobile spyware, personal firewall, roger cheng, security controls, security expert, spy, threats, trojan, vpn, wsj

Oct 13 2008

World Bank security breach and financial crisis

Category: Information Warfare,Security BreachDISC @ 1:56 am

The World Bank controls the World’s banking system, creates plans and strategies to develop economies to protect countries from financial turmoil. This information is a treasure trove of data which can be manipulated for huge monetary or political gain.

Amongst the financial crisis, a major security breach has been reported at World Bank that might tell us a story that protecting consumers’ data during these crisis might not be the first priority for many suffering financial institutions.

World Bank Under Siege in “Unprecedented Crisis

“It is still not known how much information was stolen. But sources inside the bank confirm that servers in the institution’s highly-restricted treasury unit were deeply penetrated with spy software last April. Invaders also had full access to the rest of the bank’s network for nearly a month in June and July.”
“In total, at least six major intrusions — two of them using the same group of IP addresses originating from China have been detected at the World Bank since the summer of 2007, with the most recent breach occurring just last month. ”

The World Bank’s technology and security expert states that the incident is an “unprecedented crisis.” Some security experts are saying that this might be the worst security breach to date at a global financial institution. The hackers controlled around 18 servers for more than a month and World Bank admits that sensitive data could have been stolen but they are not sure about the total impact of the breach.

Alan Calder wrote about “Data protection and financial chaos” and mentioned that “When financial markets appear to be in free fall, many organizations might think that data protection is the least of their worries. Who cares, they might wonder, about protecting personal data if tomorrow we might not exist anymore?”
I concur with Alan on this point, in the midst of this chaos, our personal data might be at great risk and we have to be vigilant and carry the load to protect our data. At the same time, this might become another reason for the financial institutions’ demise if they let their guards down now and do not make a priority to protect customers’ data.

During this turmoil, some financial institutions’ upper management doesn’t have to worry about their responsibility of securing the customers data adequately when they already know that eventually the taxpayers will be paying for their mistakes and their bonus plan will stay intact. Unprecedented crisis are sometimes the result of unprecedented greed.

Glassner “I don’t know that the captain of the Titanic got a bonus for driving the boat into iceberg. They at least had the decency to go down with the ship” [quoted in ‘Wachovia’s Golden Parachutes” story in S.F. Chronicle of 10/10/08 pg. C1].

Bill Gates “I’m quite worried about the fiscal imbalances that we’ve got and what that might mean in terms of financial crisis ahead.”

Chinese hackers: No site is safe
httpv://www.youtube.com/watch?v=ovNVhk1rVVE&feature=related


(Free Two-Day Shipping from Amazon Prime). Great books




Tags: china, consumers data, data protection, deeply penetrated, financial chaos, financial crisis, full access, hackers, inicident, monetary gain, restricted treasury, Security Breach, sensitive data, spy software, treasure trove, unprecedented crises, unprecedented greed

Oct 08 2008

Skype and Information Privacy

Category: Information PrivacyDISC @ 1:00 am

According to an SF chronicle article by Peter Svensson (Oct 3, 2008, pg. c4) “A Canadian researcher (Nart Villeneuve) has discovered that the Chinese version of eBay Inc.’s Skype communication software snoops on text chats that contain keywords like “democracy”. “

In other words, the Chinese version of Skype was used for surveillance of text messages between two users. Researcher Nart Villeneuve not only found that the application was filtering specific words but that it was also passing the messages caught by the filters to other servers. Because of poor security on those servers, Nart was able to recover more than a million messages from those servers.

Well, based on Skype’s previous claim that messages between two systems are encrypted and only public keys on those systems can decrypt those messages, this is questionable. Also, this revelation does not agree with Skype’s claim that software discards the filtered messages.

Now the question arises that how do we know that our text messages on Skype are not being tapped in the United States?

Are privacy and security laws only applicable to consumers but not the corporations? If that’s true then our state of security and privacy is in pretty dire shape. It seems like consumers’ information is for sale to the higher bidder without our consent or appropriate compensation.

Without any credible evidence, our Govt. should not be able to perform wholesale surveillance (profiling) for the sake of security. We are building a society of fear where everybody is under surveillance and is a suspect until proven innocent, which sounds like we are living in a police state.

Laws of secrecy and unnecessary surveillance will ultimately diminish the fundamentals of democracy. To lift the cloud of secrecy behind these sorts of initiatives the public needs to put pressure on their public representatives to dig out the truth. Otherwise the mound of voluminous data from surveillance can be used to harass innocent people and be used as a tool to distract from reality.

We cannot expect our information to be secure unless we trust our Govt. to protect our privacy and corporations to secure our information.

Skype’s China Spying Uncovered
httpv://www.youtube.com/watch?v=60SFGH3lxLg


(Free Two-Day Shipping from Amazon Prime). Great books




Tags: compensation, credible evidence, democracy, dire shape, encrypted, filtering, poor security, reality, snoops, surveillance, voluminous

Oct 07 2008

vsRisk and security risk assessment

Category: ISO 27k,Security Risk AssessmentDISC @ 3:18 pm

Information Security Risk Management for ISO27001 / ISO27002

The State of California has adopted ISO/IEC 27002 as its standard for information security and recommends other organizations and vendors to use this standard as guidance in their efforts to comply with California law.

To achieve an ongoing compliance, major organizations require tools to comply with standard such as ISO 27002/ISO27001. vsRisk is an easy to use Information Security Risk Assessment tool which makes risk assessment process consistent, easier and produces required documentation to achieve ISO 27001 certification . vsRisk also aligns seamlessly with standards like ISO 27002, ISO 27005 and NIST SP 800-30.

vsRisk helps organizations to develop an Information Security Management System (ISMS) asset inventory and capture business, legal and contractual requirements against each asset. vsRisk is customizable to meet specific needs when introducing new risks, vulnerabilities and controls without any additional help from a consultant. vsRisk helps you focus on assets rather than on threats and vulnerabilities. This is an approach which works by treating business processes as an asset, which is examined for their criticality, lack of security and consequences of failed process can be examined. In this regards, vsRisk is an effective and efficient tool by identifying most important points and key issues right away, which focusing on threats doesn’t.

Major benefits of vsRisk tool:
1. It is the definitive ISO27001 risk assessment tool, compliant
with all the key information security standards – which means that
you can be certain that a vsRisk risk assessment will help you
achieve ISO27001 certification.
2. It is designed to be usable – your lead risk assessor and any
asset owners involved in your risk assessment are going to find
their task made easier
3. Unique features include the risk assessment wizard, which
standardizes the risk assessment process and guides asset owners
through the risk assessment process.
4. vsRisk creates a baseline from which future risk assessments can
easily be made.
5. vsRisk integrates with ISMS documentation toolkit, for even
greater usability.

“vsRisk™- the Definitive ISO 27001: 2005-Compliant Information Security Risk Assessment Tool, which automates and delivers an ISO/IEC 27001-compliant risk assessment and can assess confidentiality, integrity and availability for each of business, legal and contractual aspects of information assets – as required by ISO 27001. Providing a comprehensive best-practice alignment, it supports ISO 27001 and 27002 (ISO/IEC 17799) disciplines, and is ISO/IEC 27005 and NIST SP 800-30 compliant. It also offers a wizard-based approach that simplifies and accelerates the risk assessment process, plus integrates and regularly updates BS7799-3 compliant threat and vulnerability databases.”

The key to successful Risk Management is to protect your most important/critical assets. The importance/criticality of an asset might change over time. That is another reason to automate security risk assessment process to recalibrate your risks based on current state of security.

Risk Management to ISO27001/NIST Wizard-based risk assessment tool Simplifies compliance – To buy vsRisk tool!

Meet Stringent California Information Security Legislation with Comprehensive Toolkit

ISO27001 EXPERTS CAN HELP COMPANIES MEET STRINGENT CALIFORNIAN …
EIN News (press release) – Netherlands
vsRisk™- the Definitive ISO 27001: 2005-Compliant Information Security Risk Assessment Tool, which automates and delivers an ISO/IEC 27001-compliant risk …




Tags: asset owner, automate security risk assessment, baseline, california, isms, iso 17799, iso 27001, iso 27001 certification, iso 27002, iso 27005, nist sp 80-30, sb 1386, vsrisk

Sep 29 2008

Vista and defense in depth

Category: Information Security,Vista SecurityDISC @ 3:47 pm

To be competitive and successful in today’s business environment demands a serious consideration of information security. Sometime low risk item could damage your company business and can lead to lose sensitive data. To recover from the aftermath of an incident can be a costly proposition.

One way to deal with the new threats is to be vigilant and know your weaknesses by assessing your infrastructure. On the other hand it helps a great deal to have an operating system which comes with built in security controls which you can turn on and off based on your security needs. Microsoft claims that Vista is the most secure operating system yet and was built with security as a top priority. However with all these built in security features, you may need to make some configuration changes to fit in your security requirements.

Windows Vista comes with many built in security features to protect your business assets. Below are the new security features.

[TABLE=4]

In the past access was the top priority for Microsoft operating system (open by default – start locking down as needed). Now in Vista the control is a top priority (closed by default – start opening up as needed).
Vista security development life cycle (SDLC) follows defense in depth model which compartmentalized and makes it tough for the intruder to get to the crown jewel. At the same time intruder risk the chance of detection at every layer. Defense in Depth model:

[TABLE=5]

Vista Service Hardening:
Vista service hardening is designed to run services with the least possible privileges. Four different features are utilized to achieve service hardening.

o Service isolation
o Least privilege
o Restricted network access
o Session 0 isolation

Service isolation – is a method by which a service can access an object without having a super user access account to secure the objects like registry keys.

Least privilege – Based on best practice each service should utilize the least privilege necessary to accomplish the task. Under Vista, when service initiate, it request for specific privileges provided by the local system.

Restricted network access – Under Vista, a service access can be restricted by TCP/UDP port, protocol, and direction that network traffic is flowing. Restricted network access will limit attack vector by blocking unnecessary ports, protocols and direction of the traffic.

Session 0 isolation – Vista does not allow any user application to run with session 0. All user applications must run in session 1 or higher. Only services and other non-user facing application run on session 0, to maintain isolation between services and user application.

Service hardening, when combined with other security features provides a tough defense. This defense in multiple layers is aimed to safeguard your system and also enables your business to be successful by keeping the threats at acceptable distance.


(Free Two-Day Shipping from Amazon Prime).




Tags: closed by default, compartmentalize, defense in depth, incident, intruder, least privilege, open by default, restricted network access, safeguard, sdlc, security features, sensitive data, service hardening, service isolation, session isolation

Sep 18 2008

Email and Security

Category: Email SecurityDISC @ 3:14 am

As we know, it is possible to spoof an email sender’s name, so now the question of how to authenticate the sender has become even more important, since email has been used to send sensitive information.

In the recent case of Gov. Sarah Palin’s email, her email account got hacked and the hacker posted the screen shot of her email to WikiLeaks. Freedom of information laws require messages from government email accounts to be placed into the public record, so some public officials try to use Yahoo/Gmail to keep the information out of public scrutiny.

First of all public figures should avoid using public email addresses and even if you do don’t make it so obvious by naming it eponymously as did Gov.Palin. This information is owned by the commercial email sites and system administrators can see the email in the mailbox and can capture the text in transit. In commercial sites you will draw a great amount of attention, If you happen to be a high profile figure.

Second, perhaps we should not use commercial channels for private or sensitive information. If it’s necessary to use email as for sensitive information, make sure your email is encrypted in accordance with the Advanced Encryption Standard.

Third, two factor authentication for sensitive email is industry standard now, which requires the user to possess something (Token) and something only the user knows (Password or PIN). Two factor authentications provide identity theft protection.

Finally, strong authentication is a solution to secure identities and use of the Advanced Encryption Standard minimizes the exposure of email content.

How to forge email addresses


(Free Two-Day Shipping from Amazon Prime).




Tags: authenticate, authentication, encryption, minimize exposure, palin, secure identities, spoof, theft protection

« Previous PageNext Page »