May 26
Statistics have often shown that many breaches of a business happen from the inside, most notably because employees already have access to systems and enjoy a certain level of trust.
Reading a recent article by Ron Condon, UK Bureau Chief, it becomes apparent that according to Matthijs van der Wel, head of forensics at Verizon Business, 80% of 600 breaches which happened over the last five years come from outside an organisation! This can be found in the following report, published by Van der Wel in April.
The report goes on to emphasise that "organisations are making stupid (information security) mistakes as in failing to patch vulnerabilities, using default passwords and forgetting to close down user accounts when employees leave an organisation. The end result is data loss."
Quoted from the original article, some simple rules for reducing damage are the following:
- Do not use default passwords.
- Ensure that third-party suppliers (such as maintenance companies) do not use default passwords or shared credentials for all their clients.
- Do regular network scans to check what servers you have. If you don't know what you have, you can't protect it.
- Patch regularly, using an up-to-date network diagram to ensure all systems are covered.
- Ensure user accounts are closed when employees leave. "In the majority of the cases we've seen, a terminated employee was involved," says van der Wel. "Go through the user accounts list and check that all users are still employed within your organisation."
- Examine system file logs to establish what is normal behaviour on the system. Then you will be in a better position to recognise abnormal behaviour.
- Get IT staff to come up with different attack scenarios.
- Analyse IDS alerts, or outsource the process to a specialist service company. Do not just ignore the alerts like an annoying car alarm that keeps going off.
- Analyse IP addresses of outgoing connections.
Van der Wel's advice is to use your own staff to spot the systems' weaknesses. "Sit down with a couple of knowledgeable IT guys and come up with different attack scenarios. Ask how they would attack their own organisation. Imagine how that would show up in the log files. After that, go and look in the log files to see if anyone has done it. If you can think of it, so could others. We don't see many IT organisations spending their money doing things like that. They would rather spend the money on a new box." -- very well said!
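To make the advice above concrete (baseline what is normal in the logs, analyse outgoing connections, and check that every account still belongs to a current employee), here is an added example of my own; it is not code from the article or from Verizon's report. It builds a baseline of each host's normal outbound destinations from constructed firewall log lines, flags connections that fall outside that baseline or outside office hours, and reconciles system accounts against a staff roster; the log format, host names and addresses are all assumed.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample of outbound-connection log lines in a syslog-like
# format (not from any real device); the first set is the "normal" period.
BASELINE_LOG = """\
2009-05-01T09:12:03 fw01 conn: src=10.0.1.15 dst=198.51.100.20 dport=443 user=alice
2009-05-01T09:14:41 fw01 conn: src=10.0.1.15 dst=198.51.100.21 dport=443 user=alice
2009-05-01T10:02:17 fw01 conn: src=10.0.1.22 dst=198.51.100.20 dport=443 user=bob
2009-05-01T10:05:55 fw01 conn: src=10.0.1.22 dst=203.0.113.7 dport=25 user=bob
"""
NEW_LOG = """\
2009-05-20T09:30:09 fw01 conn: src=10.0.1.15 dst=198.51.100.20 dport=443 user=alice
2009-05-20T02:43:30 fw01 conn: src=10.0.1.22 dst=192.0.2.99 dport=22 user=bob
2009-05-20T03:10:12 fw01 conn: src=10.0.1.40 dst=192.0.2.99 dport=4444 user=carol
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ conn: src=(?P<src>\S+) dst=(?P<dst>\S+) "
                     r"dport=(?P<dport>\d+) user=(?P<user>\S+)$")

def parse(log):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def build_baseline(log):
    """Map each internal host to the (destination, port) pairs it normally uses."""
    baseline = defaultdict(set)
    for e in parse(log):
        baseline[e["src"]].add((e["dst"], int(e["dport"])))
    return baseline

def find_anomalies(baseline, log, office_hours=(7, 19)):
    """Flag connections to destinations absent from the baseline, and off-hours activity."""
    findings = []
    for e in parse(log):
        reasons = []
        if (e["dst"], int(e["dport"])) not in baseline.get(e["src"], set()):
            reasons.append("new destination")
        if not office_hours[0] <= datetime.fromisoformat(e["ts"]).hour < office_hours[1]:
            reasons.append("off-hours")
        if reasons:
            findings.append((e["src"], e["dst"], int(e["dport"]), e["user"], reasons))
    return findings

def orphaned_accounts(system_users, current_staff):
    """Enabled accounts whose owner is no longer on the HR roster (stale leaver accounts)."""
    return sorted(set(system_users) - set(current_staff))
```

In the constructed data only bob's and carol's connections are reported: both go to a destination the baseline has never seen, and both happen in the middle of the night.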
Full article
Posted by Donald Tabone
May 26
During the 2008 cycles of ISACA exams, the CISA Refresher Webinars created a positive impact on numerous exam-takers and in many cases made a world of difference for those who passed the exam. Thanks to all ISACA Chapters and other friends, exam-takers from all over the world have registered for these free classes and benefited from the teachings offered.
FREE refresher webinars are being offered again, and the offering has been expanded to cover the June 2009 CISA, CISM and CGEIT exams. These webinars are designed to review the concepts to be tested in each exam and are not intended to replace or provide the knowledge you would learn in a complete review class. This is a free service to all exam-takers in the interest of increasing the passing rate.
Please find below the links to register for the CISA, CISM and CGEIT web-based seminars:
CISA May 26 at 3PM EST: https://www2.gotomeeting.com/register/830376282
CISA June 1 at 9AM EST: https://www2.gotomeeting.com/register/119400850
CISM: https://www2.gotomeeting.com/register/789736306
CGEIT: https://www2.gotomeeting.com/register/566801275
Source
Posted by Donald Tabone
May 15
In 2008, ISACA entered into a formal agreement with the University of Southern California (USA) Marshall School of Business Institute for Critical Information Infrastructure Protection to continue the development of its Systemic Security Management Model. The Business Model for Information Security takes a business oriented approach to managing information security, building on the foundational concepts developed by the Institute. It utilizes systems thinking to clarify complex relationships within the enterprise, and thus to more effectively manage security.
This session introduces the model and its core concepts to organisations, particularly to:
- Senior business executives;
- Information security managers;
- Those who have responsibility for managing business risk;
- Individuals who have responsibility for the design, implementation, monitoring and improvement of an information security management system.
When: 1st June 2009
Where: Radisson SAS Baypoint Resort, St. Julians
Time: 17:00 - 19:00
Speaker: Mr. Derek Oliver, Chair of the Development Team
The attendance fee for this event is €20 including coffee break. ISACA members will be entitled to free entrance to this event.
Posted by Donald Tabone
May 13
Back in October 2007, I remember seeing an article about a next-generation credit card that incorporates a 12-button keyboard, a microprocessor and an embedded alphanumeric display, and promises to provide unprecedented security in phone and online banking transactions.
Once again, in BBC news today I come across another similar article on the same lines regarding a similar credit card to combat fraud.
A credit card with a built-in display is being tested by Visa with the aim of reducing online fraud. The Emue Card generates and displays a unique code each time it is used. Developers say that the new technology would make it very hard for fraudsters, as any transaction would require the pin to generate the code. The card is currently being trialled by 500 employees of Deloitte with the aim of assessing the technology by the end of the year.
Sandra Alzetta, head of innovation at Visa, said that the card was bringing the principles of chip and pin technology to the online world.
"The card needs to be globally compatible: that means embossed characters for mechanical swipes, a magnetic strip for systems that require a signature, the fixed three digit security code and now the unique four figure code."
"Once certified by Visa it is then down to the banks and credit card companies to decide if they take up the new technology, but Ms Alzetta said she was confident they would."
"One of the things we're testing is how long the battery lasts - the plan is for it to work for more than three years, which means your card should expire before it runs out of power."
Source
Posted by Donald Tabone
May 11
The European Commission is proposing that software makers give guarantees about the security and efficiency of their code.
Software companies could be held responsible for the security and efficacy of their products, if a new European Commission consumer protection proposal becomes law.
[BSA director of public policy Francisco Mingorance] said the performance of a piece of software depends on the environment it operates in, how the code is updated, whether it is possible to adapt and modify the software, and whether the code is attacked.
According to Mingorance, the proposed regulatory extension would cover all software, including beta products, and would cover both proprietary and open-source software.
Right now, under the current EU Sales and Guarantees Directive, physical products are expected to carry a guarantee of two years. Extending those terms to software would have the effect of limiting customer choice, as contract terms would have to be extended to a minimum of two years, Mingorance added.
Software companies have long argued against accepting responsibility for the security and efficiency of their code. Linux kernel developer Alan Cox in 2007 told a House of Lords Committee that neither proprietary nor open-source developers should be held accountable for their code.
Source
Posted by Donald Tabone
May 11
This year the Information Security Solutions Europe Conference (ISSE 2009) will be held on 6-8 October 2009 in The Hague, The Netherlands.
ISSE is Europe's only independent, interdisciplinary, security conference. It is designed to educate & inform on the latest developments in technology, solutions, market trends and best practice.
Now in its eleventh year and jointly organised by EEMA, ENISA, TeleTrusT and the municipality of the Hague; ISSE 2009 will attract over 400 representatives from across Europe, providing an informal and stimulating environment for attendees to learn, share experiences and explore solutions with their European counterparts, focusing on security and related issues like cost of ownership, risk management and interoperability.
To join them or for further information please visit the event website at http://www.isse.eu.com
ISSE 2009 is co-organised by ENISA
Posted by Donald Tabone
May 7
In an effort to stop the spread of FUD about Twitter insecurity, DanaEpp shares some thoughts through a quick set of safe twittering rules.
@DanaEpp's 5 Rules of Safer Twittering
1. Never share information in a tweet that you wouldn't share with the world. You can never expect to take it back once it's on the Internet. Even though you can delete a tweet, 3rd party clients may still have it archived. If you feel you want to share private thoughts through Twitter, consider using a "Private Account" and limit it to only people you trust and want to share with. Of course, remember nothing prevents your friends from sharing your tweets with the world. So never share private information on Twitter. Ever. It's just easier that way.
2. There is no assurance that a Twitter account is the person you believe it is. Deal with it. Anyone can register an account if it doesn't already exist. As a real world example, for some time @cnnbrk was NOT an official CNN account, even though most of the Twitter world thought it was. It wasn't until recently that CNN bought the account from James Cox (the account holder) for an undisclosed amount of money. Another example is the fact that one of Susan's Twitter accounts was actually created by a fellow SBS MVP, and not actually her.
Continue reading "5 rules for safe twittering"
Posted by Donald Tabone