Jul 30 2023

How can we solve cybersecurity talent issue?

Category: Cyber career,Security trainingdisc7 @ 11:18 am

The cybersecurity talent issue is a significant challenge faced by organizations worldwide. Solving this problem requires a combination of short-term and long-term strategies to attract, develop, and retain skilled cybersecurity professionals. Here are some steps that can help address the cybersecurity talent shortage:

  1. Education and Training: Invest in cybersecurity education and training programs at various levels, from primary education to advanced professional certifications. Collaborate with educational institutions and industry experts to design comprehensive and up-to-date curricula.
  2. Promote Cybersecurity as a Career Choice: Raise awareness about the importance of cybersecurity as a career option. Target students and professionals from diverse backgrounds to encourage them to pursue cybersecurity careers.
  3. Apprenticeships and Internships: Establish apprenticeship and internship programs to provide hands-on experience to aspiring cybersecurity professionals. This can help bridge the gap between theoretical knowledge and practical skills.
  4. Industry Collaboration: Foster collaboration between academic institutions and the private sector. Industry partnerships can help ensure that cybersecurity programs align with current industry needs and practices.
  5. Cyber Range and Simulations: Set up cyber ranges and simulations to provide a safe environment for individuals to practice and enhance their cybersecurity skills. These platforms allow trainees to learn through realistic scenarios without risking real-world systems.
  6. Mentorship Programs: Create mentorship programs where experienced cybersecurity professionals can guide and support newcomers in their career development. This can be especially helpful in retaining talent and promoting professional growth.
  7. Competitive Compensation and Benefits: Offer competitive salaries and benefits to attract skilled cybersecurity professionals. Recognize their value and contribution to the organization’s security posture.
  8. Continuous Professional Development: Encourage and facilitate continuous learning and professional development for existing cybersecurity teams. This can be achieved through regular training, attending conferences, and participating in workshops.
  9. Diversity and Inclusion: Promote diversity and inclusion within the cybersecurity workforce. A diverse team brings varied perspectives and problem-solving approaches, ultimately enhancing the overall security posture.
  10. Public-Private Partnerships: Encourage partnerships between government agencies, private companies, and non-profit organizations to address the talent shortage collectively. Collaboration can lead to resource-sharing and more comprehensive solutions.
  11. Automation and AI Solutions: Implement cybersecurity automation and AI technologies to augment the existing workforce. Automation can handle repetitive tasks, allowing professionals to focus on more complex issues.
  12. Retaining Talent: Focus on employee retention by providing a supportive and rewarding work environment. Recognize and celebrate cybersecurity achievements and milestones within the organization.
  13. Ethical Hacking Competitions and CTFs: Support and sponsor ethical hacking competitions and Capture The Flag (CTF) events. These challenges attract cybersecurity enthusiasts and offer valuable learning experiences.

By combining these strategies and adopting a long-term perspective, organizations can start making progress in solving the cybersecurity talent issue. Remember that cybersecurity is an ever-evolving field, and continuous efforts are needed to attract and retain skilled professionals.

Blended training course will give you what you need to develop your career and pass the challenging CISSP (Certified Information Systems Security Professional) exam first time.

Cybersecurity and information resilience – BSI Group

Computer Security

InfoSec books | InfoSec tools | InfoSec services

Tags: CISSP, Computer security, Information resilience

Aug 03 2022

Start as you mean to go on: the top 10 steps to securing your new computer

Category: cyber security,Information SecurityDISC @ 1:35 pm

Whether you are getting ready for back-to-school season, getting new work laptop or fancying a new gamer’s pc, learn the steps to protect your new PC from cyberthreats.

With Windows 11 making headlines for all the right reasons, it could be a great time to invest in a new PC for the family or the home office. But any new household computing device should come with an attendant safety warning. Hackers will be after your data the minute it’s connected to the internet. And they have numerous ways to get it.

That’s why you need to think about cybersecurity even before plugging your machine in and switching it on. Take time out now to refresh your memory and make cyber-hygiene a number one priority.

What are the main threats to my PC?

As soon as you’re connected to the internet, malicious actors will be looking to steal your data, encrypt and hold your machine ransom, lift financial details, secretly mine for cryptocurrency, and much more. They’ll do so via some tried and true methods, which often rely on cracking, stealing or guessing passwords, or exploiting software vulnerabilities. Top threats include:

Phishing: One of the oldest con tricks in the book. Cybercriminals masquerade as legitimate and trustworthy sources (banks, tech providers, retailers etc) and try to persuade users into clicking on links and/or opening attachments in emails. Doing so will take users to a spoofed site requesting that they fill in personal information (like logins and/or address/financial details) or could trigger a covert malware download.

Drive-by downloads and malicious ads: Sometimes merely visiting an infested website or a site running a malicious ad could trigger a malware download. We may think that well-known sites may be less  compromised in this way as they are better resourced and can afford enhanced protection. But there have been plenty of counter-example through the years showing that it’s not always the case. That’s why its essential to invest in security software from a reputable provider and ensure that your browser’s security settings are correct.

Digital skimming: Hackers may also compromise the payment pages of e-commerce sites with malware designed to silently harvest your card data as it is entered. This is difficult to guard against as the issue is with the provider. However, shopping with better-known sites can reduce risk.

Malicious apps and files: 
Cybercriminals also hide malware inside legitimate-looking applications and downloads. Many of these are posted to online forums, P2P sites, and other third-party platforms. That’s why it makes sense to download only from trusted sources, and to use an effective security software tool to scan for malicious software.

Ten tips to keep your computer safe

Many of the below steps may be taken care of automatically by your PC manufacturer/Microsoft, but it pays to dig a little deeper to make sure all the settings are as secure as you need them to be. Here are our top 10 tips for computer safety:

  1. Apply automatic updates for the OS and any software running on the PC
  2. Remove bloatware that often comes with PCs. Check beforehand if you don’t recognize any software to ensure removing it won’t degrade the performance. The fewer pieces of software on the machine, the less opportunity for attackers to exploit bugs in it
  3. Install multi-layered security software from a reputable third-party vendor and keep it up to date
  4. Configure backups, and ideally back up a copy of data to a remote storage device kept offline
  5. Secure the browser by adjusting privacy and security settings and ensuring it is on the latest version
  6. Switch on and configure your firewall on the OS and home router, ensuring it is protected with a strong password
  7. Download a multi-factor authentication app in order to help protect your accounts from being hijacked via phishing and other attacks
  8. Avoid using USBs that you don’t own, in case they are loaded with malware
  9. Use a password manager to ensure that all your credentials are unique, strong, and hard-to-crack
  10. Only download apps/files from trusted sources and avoid pirated material, which can often be booby-trapped with malware

It goes without saying that, even by following these best practices, you could still be at risk when browsing online. Always proceed with caution, don’t reply to unsolicited emails/online messages, and ensure device encryption is switched on.

by Phil Muncaster, ESET


Internet attack on computer systems is pervasive. It can take from less than a minute to as much as eight hours for an unprotected machine connected to the Internet to be completely compromised. It is the information security architect’s job to prevent attacks by securing computer systems. This book describes both the process and the practice of assessing a computer system’s existing information security posture. Detailing the time-tested practices of experienced security architects, Securing systems explains how to deliver the right security at the right time in the implementation lifecycle.

Securing Systems

Tags: 10 steps to securing your new computer, Computer security, Securing Systems

Aug 19 2020

edX Courses | View all online computer science courses on edX

Category: Information SecurityDISC @ 1:18 pm

Find online courses from top universities. Search all edX MOOCs from Harvard, MIT and more and enroll in a free course today.

Source: edX Courses | View all online courses on edX.org


Download a Security Risk Assessment Steps paper!

Security Risk assessment Quiz – Find Out How Your security risk assessment Stands Up!

DISC InfoSec 🔒 securing the business 🔒 via latest InfoSec titles

Subscribe to DISC InfoSec blog by Email

👉 Download a Virtual CISO (#vCISO) and Security Advisory Fact Sheet & Cybersecurity Cheat Sheet

Tags: Computer Science, Computer security

Aug 21 2015

Five ISO 27001 books you should read

Category: ISO 27kDISC @ 9:14 am

Take a plunge into the world of ISO 27001 with these recommended reads


As a professional embarking on your first journey implementing ISO 27001, you are probably hungry for knowledge and eager to make progress. While starting a new project may be exciting, it can also be daunting if you lack relevant experience and cannot rely on internal support and guidance.

Many ISO 27001 practitioners attend ISO 27001 Lead Implementer courses to gain practical knowledge and skills to develop an information security management system (ISMS). Some go even further by securing a budget to call in an experienced ISO 27001 consultant to guide them through the process and help them with the more complex aspects of the project. But most information security professionals start the journey by simply reading a lot on the subject and doing initial preparation on their own – a method that is not only cost effective, but also gives them a good foundation to understand what is needed for successful ISO 27001 delivery.

Here are five books from IT Governance’s own ISO 27001 library that we believe can help ISO 27001 practitioners prepare for ISO 27001 implementation.

The Case for ISO 27001

As the title says, this book explains the business case for implementing ISO 27001 within an organisation. It highlights the importance and outlines the many benefits of the Standard, making it an ideal supporting document for developing an ISO 27001 project proposal.

The Case for ISO 27001 can be ordered from the IT Governance website.

IT Governance – An International Guide to Data Security and ISO27001/ISO27002

Now in its sixth edition, the bestselling IT Governance: An International Guide to Data Security and ISO27001/ISO27002 is the perfect manual for designing, documenting and implementing an ISO 27001-compliant ISMS, and seeking certification. Selected as the textbook for the Open University’s postgraduate information security course, this comprehensive book offers a systematic process and covers the main topics in depth.

Jointly written by renowned ISO 27001 experts Alan Calder and Steve Watkins, IT Governance: An International Guide to Data Security and ISO27001/ISO27002, sixth edition is due to be released 3 September 2015, and is now available for pre-order.

Nine Steps to Success

If you are looking for a concise, practical guide to implementing an ISMS and achieving ISO 27001 certification, consider obtaining a copy of Nine Steps to Success. Written from first-hand experience, it guides you through an ISO 27001 implementation project step-by-step, covering the most essentials aspects including gaining management support, scoping, planning, communication, risk assessment and documentation.

ISO 27001 Assessments Without Tears

With ISO 27001 certification being the final goal for most organisations implementing the Standard, the pressure is usually on the ISO 27001 practitioners to ensure that staff are prepared to answer tricky auditor questions. ISO 27001 Assessments Without Tears is a succinctly written pocket guide that explains what an ISO 27001 assessment is, why it matters for the organisation, and what individual staff should and should not do if an auditor chooses to question them.

ISO 27001 in a Windows Environment

Most ISO 27001 implementations will involve a Windows® environment at some level. Unfortunately, there is often a knowledge gap between those trying to implement ISO 27001 and the IT specialists trying to put the necessary best-practice controls in place using Microsoft®’s technical controls. Written by information security expert Brian Honan, ISO27001 in a Windows Environment bridges that gap and gives essential guidance to everyone involved in a Windows-based ISO27001 project.

Tags: Chief Information Security Officer, Computer security, Data center, Information Security Management System, ISO/IEC 27001

Jun 19 2015

Cyber Resilience Best Practices

Category: Cyber Insurance,cyber security,CybercrimeDISC @ 11:07 am

Cyber Resilience

Cyber Resilience

RESILIA™ Cyber Resilience Best Practices

AXELOS’s new guide RESILIA™ Cyber Resilience Best Practices provides a methodology for detecting and recovering from cyber security incidents using the ITIL lifecycle

RESILIA™ Cyber Resilience Best Practices

Best guide on Cyber Resilience on the web – Cyber Resilience Best Practices
is part of the AXELOS RESILIA™ portfolio.

RESILIA™ Cyber Resilience Best Practices is aimed at anyone that is responsible for staff or processes that contribute to the cyber resilience of the organization.

The methodology outlined in this manual has been designed to complement existing policies and frameworks, helping create a benchmark for cyber resilience knowledge and skills.

  • Designed to help organizations better prepare themselves to deal with the increasing range and complexity of cyber threats.
  • Provides a management approach to assist organizations with their compliance needs, complementing new and existing policies and frameworks.
  • Developed by experts in hands-on cyber resilience and systems management, working closely with subject and technology experts in cyber security assessment.
  • Supports the best-practice training and certification that is available to help organizations educate their staff by providing a defined benchmark for cyber resilience knowledge and skills.
  • Aligned with ITIL®, which is the most widely accepted service management framework. The best practice is equally suitable for organizations to adopt within other systems, such as COBIT® and organization-specific frameworks.


Target market


  • Managers who are responsible for staff and processes where cyber resilience practices are required – for example those processing payment card information, sensitive commercial data or customer communications.
  • IT service management teams, IT development and security teams, cyber teams and relevant team leaders that operate the information systems that the organization relies on.
  • IT designers and architects, those responsible for the design of the information systems and the controls that provide resilience.
  • The chief information security officer (CISO), the chief security officer (CSO), IT director, head of IT and IT managers.


Buy this guide and gain practical guidance on assessing, deploying and managing cyber resilience within business operations.
RESILIA™ Cyber Resilience Best Practices

Tags: Chief Information Security Officer, CISO, Computer security, CSO, cyber crime, Cyber Defence, Cyber Insurance, Cyber protection, Cyber Resilience, cyber security, Cyber Security countermeasures, Cyber Security Safeguards, cyber threats, data security, Information Security, Information Technology Infrastructure Library, ISO, iso 27001, iso 27002

May 15 2014

Cyber Resilience Implementation Suite

Category: BCP,Information Security,ISO 27kDISC @ 11:15 am


Cyber security is not enough – you need to become cyber resilient


The document toolkits – created by experienced cyber security and business continuity professionals – provide you with all the document templates you’ll need to achieve compliance, whilst the supporting guidance will make sure you find the fastest route to completing your project.

Whether you know it or not, your organization is under cyber attack. Sooner or later, a hacker or cyber criminal will get through, so you need to ensure that you have the systems in place to resist such breaches and minimize the damage caused to your organization’s infrastructure, and reputation.

You need to develop a system that is cyber resilient – combining the best practice from the international cyber security and business continuity standards ISO22301 and ISO27001.

This specially-priced bundle of eBooks and documentation toolkits gives you all the tools you need to develop a cyber-resilient system that will both fend off cyber attacks, and minimize the damage of any that get through your cyber defenses.

The books in this suite will provide you with the knowledge to plan and start your project, identify your organization’s own requirements and help you to apply these international standards.

The document toolkits – created by experienced cyber security and business continuity professionals – provide you with all the document templates you’ll need to achieve compliance, whilst the supporting guidance will make sure you find the fastest route to completing your project.

Download your copy today

This suite includes:

Tags: business continuity, Computer security, Cyber Resilience, cyberwarfare, ISO/IEC 27001

Mar 26 2014

Most common type of data breaches

Category: data security,Security BreachDISC @ 9:24 pm


Cyber attacks have become a regular occurrence in the last few years; in fact, you can’t turn the news on without some mention of a business suffering an attack. Most attacks are fuelled by criminals looking to steal valuable information, but what type of information is being stolen?

According to a report by Veracode, the top 5 types of information that are stolen are:

Payment Data

No surprises here of course. Card payment data is a very attractive form of information for cyber criminals to steal. Card data provides quick access to money in multiples ways such as siphoning the victims account, using their card for purchases or selling on the black market.

Selling and purchasing card payment data online is terrifyingly easy, so easy in fact that you could have bought several card details in the time it’s taken you to read this far.

Authentication Details

Details that allow authorised access into online systems are very valuable on the black market. Imagine the price tag on login credentials for the email address of a celebrity, or the president of an international bank.

Unfortunately, humans are subjects to bad habits such as using the same password for online accounts. So if cyber criminals manage to get hold of your Facebook password, then they will most likely be able to login to any of your accounts.

Copyrighted Material

Why would a cyber criminal pay for software when they could just steal it? With most websites being vulnerable to attack, a cyber criminal could in theory steal any software they fancy, costing organisations a large sum of money.

Medical Records

Thieves could sell your stolen personal health information on the Internet black market, use your credentials to obtain medical services and devices for themselves and others, or bill insurance companies for phantom services in your name.

Medical ID theft is worse than financial identity theft, because there are fewer legal protections for consumers. Many victims are forced to pay out of pocket for health services obtained by the thieves, or risk losing their insurance and/or ruining their credit ratings.

Classified Information

Depending on how you define classified, this could include information such as your organisation’s top secret product idea or the code for your security door. Either way, if it’s labelled classified then you don’t want it to be in the hands of cyber criminals.

Protecting this information

There is a high chance that the five forms of information listed above can be found on your organisation’s network, so what are you doing to protect it?

Data Security Breaches: Notification Law

Tags: Computer security, data breach, data stolen, data theft, Identity Theft

Jul 22 2013

Your employees aren’t the only threat to InfoSec and Compliance

Category: cyber security,Information SecurityDISC @ 1:18 pm

Information security

Information security (Photo credit: Wikipedia)

July 22nd, 2013 by Lewis Morgan 

I overheard a conversation the other day, one which left me so stunned that I’ve decided to write about it….

Two men having dinner behind me (I got the impression they were both directors) were discussing the £200k fine the NHS received for losing patient data. Eventually, the conversation turned into a discussion about information security as a whole. I won’t go into all the details but one of them said, “We don’t particularly focus on cyber security, it’s always large organisations which are in the news about getting hacked and being a small company, we’re not under threat”. It bothered me (probably more than it should have) that someone in control of an organisation has that attitude to cyber security. If an organisation of 5 employees was hacked, the same day as, let’s say DELL, were hacked – who’d make it into the news? DELL would, why? Because it’s likely to be more of an interest to the readers/listeners and will have a bigger impact on the public compared to that of the smaller organisation.

I never see stories in the news of someone being hit by a bus in my local town, but it doesn’t mean I’ll walk in front of one holding a sign saying ‘hit me’. That’s effectively what this director is doing, turning a blind eye to a large threat just because he’s not seen an example of a small organisation being hacked – chances are he doesn’t even read the publications which cover those stories.


It’s a strong word, isn’t it? Personally I hate calling people ignorant, I’d rather use a more constructive word such as ‘unaware’, but I feel that using the word ignorance will raise some eyebrows.

As a director of a company, your aim is to maximise revenue, minimise costs and anything in between.

You need a future for your organisation; this is usually done by investing in your marketing efforts, improving your products/services and providing the best customer service possible. But what do you do to actually secure a future? It’s all good and well having a 5 year plan which see’s 400% growth in revenue, but how do you make sure that your organisation will even exist in 5 years?

2 years into your plan and you’re hitting your targets – but you’ve just discovered that there’s been a data breach and your customers credit card details have been sold online.

Your plans have now become redundant; they are depending on how prepared you are to handle the situation, so are your staff. The cost of recovering from a data breach for a small organisation is between £35 – 65K (and that’s not including fines). Can your organisation afford that? Probably not, but you could have afforded the costs which would have prevented this breach in the first place.

Let’s say that the breach happened because a new member of staff was unaware that they shouldn’t open emails in the spam folder. An email was opened, malicious software was installed and login credentials were stolen. You could have trained that member of staff on basic information security in under an hour, for £45. But instead, you chose to ignore your IT Manager who’s been raising spam issues at each monthly meeting but all you chose to hear is “we’ve not been hacked” and “invest” which is enough for you to move on.

What your IT Manager is really telling you is “We’ve recently been receiving a large amount of emails into our spam filter, and some are getting through. I think we need to invest in a more advanced spam filter, and perhaps train some of the staff on which emails to avoid. A virus from an email could lead to a hack, it’s not happened yet but there’s a chance it will.”

Forget blaming the IT Manager or the new member of staff when that breach happens, it comes down to you and your:

Inability to perceive cyber threats

Grey areas in appropriate knowledge


Overhead cost restrictions

Refusal to listen to something you don’t understand

Absent mindedness

No interest in the customer’s best interests

Careless decisions

Eventual disaster


Cyber security threats are real, so why are you ignoring them?

To save money? Tell that to a judge

Introduction to Hacking & Crimeware

You don’t understand the threats? Read this book


Tags: Computer security, data breach, Email spam, hackers, Information Security, Malware

Jul 15 2013

Boardroom Cyber Watch Report 2013

Category: cyber securityDISC @ 9:23 am


Download the ‘Boardroom Cyber Watch Report 2013’ Free!

  • Almost 75% of respondents say their customers prefer to deal with suppliers with proven IT security credentials;
  • 50% say customers have enquired about their company’s security measures in the past 12 months.


The ‘Boardroom Cyber Watch 2013’ is the first survey IT Governance has undertaken which specifically targets chief executives, board directors and IT professionals. Our aim is to shine new light on how company directors and board members currently perceive IT security issues as well as to provide them with practical guidance on how to address these challenges.

Boardroom Cyber Watch Report 2013

Boardroom Cyber Watch Report 2013

Price: FREE PDF Download

Learn more

Tags: Canadian Cyber Incident Response Centre, Computer security

Apr 23 2013

Cyber Security and Risk Assessment

Category: cyber security,Security Risk AssessmentDISC @ 9:19 am

Cyber security is the protection of systems, networks and data in cyber space.

If your system is connected on the internet, you should know and uderstand the risks of cyber space to take appropriate countermeasures.

To understand the risks of cyber security,The first place is to begin with is a risk assessment. By completing a risk assessment you can understand what the risks, threats and vulnerabilities of your networks, systems and data really are and begin to comprehend how to reduce and handle them. The authors of The Information Security Risk Assessment Toolkit provides handy step-by-step guidance on how to undertake a risk assessment. As we said Security Risk Assessment is an important first to assess risks but the second step of mitigating those risks in timely manner is crucial to protect your information assets.

Once you understand what the risks of your business are, you can then decide on how to mitigate those risks based on your organization risk acceptance.

Tools and techniques which work in mitigating cyber risks

The UK’s Cyber-security Framework for Business (published by the Department for Business, Innovation and Skills) is a 10-step framework to stop around 80% of today’s cyber-attacks
1. Board-led Information Risk Management Regime
2. Secure Home and Mobile Working
3. User Education and Awareness
4. User privilege management
5. Removable media controls
6. Activity monitoring
7. Secure Configurations
8. Malware protection
9. Network security
10. Incident Management

Build the resilience in your information security management system (ISMS) to cope with the other 20% of the risk.

The authors of Hacking 7 Exposed cover the latest methods used by third-parties to (logical/physical) access to information assets. They then detail how you can protect your systems, networks and data from unauthorised access.

Cybersecurity standards are an important element in building a strong, resilient information and communications infrastructure. ISO/IEC 27001 is the most significant international best practice standard available to any organisation that wants an intelligently organised and structured framework for tackling its cyber risks

Tags: Computer security, cyberwarfare, Information Security, Information Security Management System, Risk Assessment, Risk management

Apr 15 2013

Implications of becoming a cybersecurity victim

Category: cyber securityDISC @ 7:17 pm

What are the potential implications of becoming a cybersecurity victim?

  • PWC/DTI Information Security Breaches Survey 2012
    • 93% large businesses suffered security incident last year
    • Average cost of worst incident for large business £110k to £250k
    • The average large organisation had 71 security breaches in the previous year, up from just 45 two years previously.
  • National High Tech Crime Unit survey 2004
    • Of 201 respondents 167 (83%) experienced high-tech crime in 2003
    • Impact of these crimes > £195million

Online, Keep Safe Resources

Below are some free online resources which any smaller business or home owner will find useful:

Safeguard your computer

* Workstations should be set up in a secure, clean, calm, stable environment.

* Don’t have loose cables that might be a safety hazard; tripping over a cable and pulling it out of the computer

*  Always log out of and shut down Windows, and switch your computer off when it’s not in use.

* The biggest risk associated with laptops (also known as notebooks) is, in fact, the loss or theft of the laptop.

The Essential Guide to Home Computer Security

Tags: Computer security, National Institute of Standards and Technology

Mar 06 2013

Your Cyber Security Project

Category: cyber securityDISC @ 12:04 pm

by James Warren

Internet technologies have revolutionised the way that business is conducted but these innovations expose your business to various cyber security risks.

Inadequate security can lead to the theft of customer data and, in the event of technological failure or a cyberattack, your business could lose its ability to function altogether. An effective risk management strategy is, therefore, vital to your company’s survival.

Cyber Security Risks for Business Professionals: A Management Guide Cyber Risks for Business Professionals: A Management Guide 

A general guide to the origins of cyber security risks and to developing suitable strategies for their management. It provides a breakdown of the main risks involved and shows you how to manage them.

Cybersecurity standards are an important element in building a strong, resilient information and communications infrastructure. ISO/IEC 27001 is the most significant international best practice standard available to any organisation that wants an intelligently organised and structured framework for tackling its cyber risks. As the leading provider of cyber security products and services, ITG can help you with any aspect of your project:

Cyber Security Risks for Business Professionals: A Management Guide  >> ITG | eBay | Amazon

Tags: Computer security, cyber security, Information Security, ISO/IEC 27001, Risk management

Jan 23 2013

How public distrust is affecting cyber security strategies

Category: cyber securityDISC @ 11:44 am

According to this article published in SC magazine ’80 per cent of the UK public implicitly do not trust organisations to keep their data safe; with nearly half (41 per cent) feeling that it has become inevitable their data will be compromised by hackers.’ Do your stakeholders trust you?

Consumer confidence in cyber security has clearly eroded over the past couple of years, and there is an urgent need for organisations of all industries, whether public or private, to reassure consumers they are capable of…
How public distrust is affecting cyber security strategies

Cyber Cecurity Strategy Titles

Tags: Computer security, Fire and Security, Government Communications Headquarters, Government of the United Kingdom, Minister for the Cabinet Office

Nov 30 2012

Cyberattack: dangers, consequences and prevention

Category: cyber security,ISO 27kDISC @ 1:26 pm

Attacks on IT systems can have devastating consequences across industries – among them, the banking and financial sector. In order to protect the best interests of their customers, and the vast tracts of personal data for which they are responsible, banks have already been paying attention to their data protection practices, writes Alan Calder of IT Governance

The heartbeat and Achilles’ heel of every organisation, information technology (IT) is crucial to the functioning of the business world. Given this situation, attacks on IT systems can have devastating consequences across industries – among them, the banking and financial sector. In order to protect the best interests of their customers, and the vast tracts of personal data for which they are responsible, banks have already been paying attention to their data protection practices.

The threat landscape is by its very nature ever-changing, however, and sees the continual emergence of new forms of highly sophisticated cyberattack. As a result, banks and financial institutions are wise to upgrade to a distinctly more comprehensive form of cyber security.

A continually evolving threat

Successful cyberattacks – attacks on a business’ IT infrastructure by a malicious third party – are known to have severe consequences, both operationally and on the business’ reputation. Indeed, the UK government classifies cyberattacks as a ‘Tier 1 threat’ in the National Security Strategy, alongside international terrorism, international military crises and major accidents or natural hazards. The distinction between well-funded, state-sponsored cyberattackers and their ‘private sector’ counterparts is becoming more blurred, meaning that commercial organisations and individuals can increasingly find themselves on the receiving end of extremely sophisticated attacks. Symptomatic of this trend is Google’s move in June 2012 to begin warning Google account holders if they are believed to have been targeted by a state-sponsored attack.

In the world of retail banking, where IT plays such a crucial role, a cyberattack can have serious consequences in terms of practical and reputational damage. The sheer volume of personal customer data held by banks intensifies the threat and consequences of a successful cyberattack. In terms of data compliance and IT security, staff are, and always will be, the weakest link, mainly through a lack of understanding of responsibilities and not comprehending the severity of an IT security breach. These misunderstandings are far from trivial, however.

In addition, the threat landscape is constantly evolving. Today, for example, we are seeing the emergence of cyber fraud and cyber threat into the criminal mainstream. This fact, and the fact modern attacks now combine technological and social elements, means traditional technology-only defences are now inadequate. Thus, forms of security that, two years ago, might have been capable of protecting retail banking institutions, are now insufficient in the face of high-level cyberattacks.

A robust and comprehensive approach

In order to tackle specialised cyberattacks such as cyber fraud and cyber theft, banks and financial institutions would therefore do well to adopt a more robust approach to their cyber security. Ultimately, effective cyber security depends on establishing a defence strategy that is not only all-embracing but also interconnected.

One such strategy is that provided by the ISO27001 security management standard. The most significant international best practice standard currently available to any organisation seeking an intelligently organised and structured framework for tackling cyber risks, ISO27001 is, in essence, a management system. When effectively deployed, ISO27001 improves an organisation’s information security and resilience to ongoing and constantly evolving threats.

Above all, ISO27001 compliance supports organisations in building their defences against cyberattacks. Among other elements, this standard requires organisations to develop and test security incident response plans, or SIRPs; select and implement appropriate controls that reduce risk to an acceptable level, from securing cyber perimeters to training staff and securing inward- and outward-bound communication channels such as e-mails and instant messaging; and carry out risk assessments. Importantly, ISO27001 compliance also requires organisations to put in place a mechanism for auditing and management review of the effectiveness of selected controls – and of the management system that supports them.

Additional steps

In addition to establishing an organisation-wide security management standard, retail banks, as with other organisations, can go a long way towards significantly improving their data protection by introducing a number of basic measures. These measures include the implementation of regular staff awareness training about the threats and ramifications of a cyberattack, enterprise-wide policies on the use of encrypted USB sticks and laptops, and regular website and network penetration testing.

Otherwise known as ‘pen testing’, regular website and network penetration testing, for example, is vital to ensure hackers and cyber attackers are not given easy vulnerabilities to exploit. All internet-facing networks and resources are subject to automated, malicious probing.

When a vulnerability is detected, the exploitation of that vulnerability is also usually automatic. In a world where attacks on networks and applications are growing at an exponential rate, effective pen testing is the only way to establish true security. Quite rightly, the penalties incurred by organisations failing to defend themselves against such attacks are becoming ever steeper. Effective pen testing exposes and documents such weaknesses and recommends steps to reduce the risk.

Preparation is key

If knowledge is power, ignorance is danger – a danger that can impact banks on a number of fronts. If banks and financial institutions fail to refresh their data protection practices on a regular basis, educate their staff about the dangers of cyberattacks or enlighten their employees on the importance of data protection, they are at risk of being caught out by ever-more-sophisticated cyberattacks. Failure to prepare by adopting stringent security management standards is, ultimately, preparation to be vulnerable. .

Tags: Computer crime, Computer security, cyberwarfare, iso 27001, National Security Strategy, USB flash drive

Oct 11 2012

Make October YOUR Cyber Security Month

Category: cyber security,Information SecurityDISC @ 12:50 pm


The US Government has declared this October is the National Cyber Security Awareness Month (NCSAM).

The aim of this campaign is to:
 • Promote cyber security awareness amongst citizens and businesses
 • Educate individuals and businesses through a series of events and initiatives
 • Raise cyber awareness and increase the resilience of the nation in the event of a cyber incident

Cyber security is not just about protecting your critical assets, it can also help improve your internal systems and help you win new business.


Make October YOUR Cyber Security Month with these essential reads:

Above the Clouds: Managing Risk in the World of Cloud Computing

Assessing Information Security: Strategies, Tactics, Logic and Framework

IT Governance: An International Guide to Data Security and ISO27001/ISO27002 

21st Century Chinese Cyberwarfare

CISSP All-in-One Exam Guide, 6th Edition

More than 50 InfoSec topics in books available at DISC InfoSec store

Find out more on National Cyber Security Awareness month at Homeland Security's website

DISC online store for recommended InfoSec services/products



Additional online safety information:

What Teens Shouldn’t Put in Their Social Media Profiles

Child Safety Guide: How to Keep Kids Safe When They're Home Alone

Ways to Check if You’re Visiting a Safe Site

Internet Safety Tips for Seniors

How to Shop Safely Online

Things You Should Never Post Online but Probably Are

11 Photos You Should Never, Ever Post on Social Media


Online Safety tips for kids:

Less screen, More Green: Outdoor Safety Tips for Kids


The Parents’ Guide to Teaching your Teen Online Safety

Keeping Kids Safe Outdoors as the World and the Roads Reopen

Tags: Computer security, Federal government of the United States, Homeland Security, National Cyber Security Awareness Month, NCSAM, October, Security, U.S. government

Mar 24 2011

Federal Cyber Attacks Rose In 2010

Category: cyber securityDISC @ 9:16 pm

Injuries incurred by service members are cover...

Image via Wikipedia

Federal Cyber Attacks Rose 39% In 2010

Cyber attacks on the federal government increased in 2010 over the previous year, even though the total number of cybersecurity incidents was down overall, according to a new report from the Office of Management and Budget (OMB).

There were 41,776 reported cyber incidents of malicious intent in the federal network in 2010 out of a total 107,439 reported to the United States Computer Emergency Readiness Team (US-CERT), according to the OMB’s fiscal year 2010 report on federal implementation of the Federal Information Security Management Act (FISMA). The number represented a 39% increase over 2009, when 30,000 incidents were reported by the feds, of 108,710 attacks overall, according to the report.

To read more on Federal Cyber Attacks Rose 39% In 2010

Richard Clarke: U.S. Chamber committed felony in ChamberLeaks scandal

Tags: Computer security, Federal government of the United States, Flickr, Office of Management and Budget, United States, United States Computer Emergency Readiness Team, United States Department of Veterans Affairs, Veteran

Jan 06 2011

Security 2020: Reduce Security Risks This Decade

Category: Information SecurityDISC @ 10:59 am


Security 2020: Reduce Security Risks This Decade

Identify real security risks and skip the hype. After years of focusing on IT security, we find that hackers are as active and effective as ever. This book gives application developers, networking and security professionals, those that create standards, and CIOs a straightforward look at the reality of today’s IT security and a sobering forecast of what to expect in the next decade. It debunks the media hype and unnecessary concerns while focusing on the knowledge you need to combat and prioritize the actual risks of today and beyond.

IT security needs are constantly evolving; this guide examines what history has taught us and predicts future concerns
Points out the differences between artificial concerns and solutions and the very real threats to new technology, with startling real-world scenarios
Provides knowledge needed to cope with emerging dangers and offers opinions and input from more than 20 noteworthy CIOs and business executives
Gives you insight to not only what these industry experts believe, but also what over 20 of their peers believe and predict as well

With a foreword by security expert Bruce Schneier, Security 2020: Reduce Security Risks This Decade supplies a roadmap to real IT security for the coming decade and beyond.

Order this book for advice on how to reduce IT security risks on emerging threats to your business in coming years. Security 2020: Reduce Security Risks This Decade

From the Back Cover
Learn what’s real, what’s hype, and what you can do about it
For decades, security experts and their IT peers have battled the black hats. Yet the threats are as prolific as ever and more sophisticated. Compliance requirements are evolving rapidly and globalization is creating new technology pressures. Risk mitigation is paramount. What lies ahead?

Doug Howard and Kevin Prince draw upon their vast experience of providing security services to many Fortune-ranked companies, as well as small and medium businesses. Along with their panel of security expert contributors, they offer real-world experience that provides a perspective on security past, present, and future. Some risk scenarios may surprise you. Some may embody fears you have already considered. But all will help you make tomorrow’s IT world a little more secure than today’s.

Over 50 industry experts weigh in with their thoughts

Review the history of security breaches

Explore likely future threats, including social networking concerns and doppelganger attacks

Understand the threat to Unified Communication and Collaboration (UCC) technologies

Consider the impact of an attack on the global financial system

Look at the expected evolution of intrusion detection systems, network access control, and related safeguards

Learn to combat the risks inherent in mobile devices and cloud computing

Study 11 chilling and highly possible scenarios that might happen in the future

Tags: Bruce Schneier, Computer security, Consultants, Doug Howard, Intrusion detection system, Kevin Prince, Security, United States

Sep 09 2010

DHS Cyber security Watchdogs Miss Hundreds of Vulnerabilities on Their Own Network

Category: cyber securityDISC @ 8:36 am
Seal of the United States Department of Homela...
Image via Wikipedia

By Kevin Poulsen @wired.com

The federal agency in charge of protecting other agencies from computer intruders was found riddled with hundreds of high-risk security holes on its own systems, according to the results of an audit released Wednesday.

The United States Computer Emergency Readiness Team, or US-CERT, monitors the Einstein intrusion-detection sensors on nonmilitary government networks, and helps other civil agencies respond to hack attacks. It also issues alerts on the latest software security holes, so that everyone from the White House to the FAA can react quickly to install workarounds and patches.

But in a case of “physician, heal thyself,” the agency — which forms the operational arm of DHS’s National Cyber Security Division, or NCSD — failed to keep its own systems up to date with the latest software patches. Auditors working for the DHS inspector general ran a sweep of US-CERT using the vulnerability scanner Nessus and turned up 1,085 instances of 202 high-risk security holes (.pdf).

“The majority of the high-risk vulnerabilities involved application and operating system and security software patches that had not been deployed on … computer systems located in Virginia,” reads the report from assistant inspector general Frank Deffer.

Einstein, the government’s intrusion-detection system, passed the security scan with flying colors, as did US-CERT’s private portal and public website. But the systems on which US-CERT analysts send e-mail and access data collected from Einstein were filled with the kinds of holes one might find in a large corporate network: unpatched installs of Adobe Acrobat, Sun’s Java and some Microsoft applications.

In addition to the 202 high-risk holes, another 106 medium- and 363 low-risk vulnerabilities were found at US-CERT.

“To ensure the confidentiality, integrity, and availability of its cybersecurity information, NCSD needs to focus on deploying timely system-security patches to mitigate risks to its cybersecurity program systems, finalizing system security documentation, and ensuring adherence to departmental security policies and procedures,” the report concludes.

In an appendix to the report, which is dated Aug. 18, the division wrote that it has patched its systems since the audit was conducted.

DHS spokeswoman Amy Kudwa said in a statement Wednesday that DHS has implemented “a software management tool that will automatically deploy operating-system and application-security patches and updates to mitigate current and future vulnerabilities.”

Tags: Adobe Acrobat, Computer security, Intrusion detection system, Microsoft, National Cyber Security Division, Security, United States, United States Computer Emergency Readiness Team

Aug 30 2010

Cyber attacks against Water, Oil and Gas Systems

Category: CybercrimeDISC @ 9:49 am
National Security Authority
Image via Wikipedia

“This summer the Norwegian National Security Authority (NSM) discovered for the first time targeted computer attacks directed against internal process and control systems to ensure supply of electricity and water. Similar attacks were discovered in Germany and Belarus. EU’s cyber-security unit, ENISA, will in late October or early November carry out the first ever pan-European cyber security exercise.”

Cyber Criminals Attack Critical Water, Oil and Gas Systems

Tags: Belarus, Business, Computer security, Control system, European Union, Germany, National Security Authority, NSM

Aug 05 2010

DHS Quietly Dispatching Teams to Test Power Plant Cybersecurity

Category: cyber securityDISC @ 1:22 pm
DHS Logo
Image via Wikipedia

The Department of Homeland Security is quietly creating teams of experts charged with assessing the cyber security needs of power plants in the U.S. The question is why the secrecy? When plants vulnerabilities are known facts in both security and hacker communities, perhaps it is time to pay attention or impossible to ignore anymore even by DHS.

Utility Security: The New Paradigm

By Jaikumar Vijayan
The Department of Homeland Security (DHS) is quietly creating specialized teams of experts to test industrial control systems at U.S power plants for cybersecurity weaknesses, according to a report published today by the Associate Press.

According to the Associate Press report, DHS has so far created four teams to conduct such assessments, according to Sean McGurk, director of control system security. McGurk told the news service that 10 teams are expected to be in the field next year as the program’s annual budget grows from $10 million to $15 million.

To read the rest of the article….

Tags: Computer security, Control system, Homeland Security Department, power plants, Power station, United States Department of Homeland Security, utilities

Next Page »