https://beta.commerce.gov/sites/commerce.gov/files/media/files/2016/eu_us_privacy_shield_full_text.pdf.pdf
Privacy Shield Specifics (Starting at Combined PDF Page 21):
- Notice
- Choice
- Accountability for Onward Transfer
- Security
- Integrity & Purpose Limitation
- Access
- Recourse
Monday, February 29, 2016
Big Data for InfoSec & Privacy
Most orgs now have multiple tools and processes to identify findings and to-dos regarding their risks.
However, these tools are often siloed from the org's policies, controls, and best practices.
With the introduction of RESTful APIs and JSON, the era of the master dashboard is upon us.
Look for these artifacts to leverage GRC, ECM, EDM, SAST, DAST, vulnerability management, third-party management, and configuration management data moving forward.
Thursday, February 25, 2016
NY State & Upcoming Fin Svcs Cyber Reqs
CISO, AppSec, Vendor Mgmt, CSIRT, & more happiness...
http://www.dfs.ny.gov/about/letters/pr151109_letter_cyber_security.pdf
Wednesday, February 24, 2016
Pen Testing Tool of the Week: Bluto
http://seclist.us/bluto-v-1-1-6-released-dns-recon-brute-forcer-dns-zone-transfer.html
http://www.toolswatch.org/2016/01/bluto-v1-1-14-passive-recon-tool/
Tuesday, February 23, 2016
AppSec, WAFs & ESAPI
While a client waits to deploy CDN, WAF, & DDoS services to their edge, we have suggested using OWASP's ESAPI as a stopgap.
She is old and imperfect, yet ESAPI still has a use.
https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
Friday, February 19, 2016
Ransomware & Bitcoin Payoffs
PLEASE stop doing this... invest in a solid DR strategy w/ frequent backups instead.
http://wbtw.com/2016/02/16/horry-county-schools-approve-paying-computer-virus-ransom-making-payment-problematic/
http://www.latimes.com/local/lanow/la-me-ln-hollywood-hospital-bitcoin-20160217-story.html
Debian Linux & ClamAV
Though it is not a silver bullet, ClamAV & Ubuntu go hand-in-hand.
With malware and other nastiness affecting Linux now, it is time to bulk up your Linux security baseline with ClamAV.
NoSQL Overview
http://www.isaca.org/Journal/archives/2012/Volume-3/Documents/12v3-A-Primer-on-Nonrelational.pdf
Thursday, February 18, 2016
Cloud & Mobile Sockets
http://www.ibm.com/developerworks/cloud/library/cl-mobilesockconnect/index.html
Wednesday, February 17, 2016
Linux Malware, Vulnerabilities & Need for Bastion Hosts
Lately with Fysbis (1), glibc (2), and other Linux issues, we have been advocating more now than ever for organizations to use bastion hosts.
Bastion hosts are easier to patch than production servers, and they allow a Linux shop to insulate known Linux hosts / guests from the outside world.
Linux is on the map with malware, so leverage ClamAV, etc. as well as a defense-in-depth security architecture.
1. http://www.pcworld.com/article/3033229/security/russian-cyberspy-group-uses-simple-yet-effective-linux-trojan.html
2. http://www.infosecurity-magazine.com/news/glibc-flaw-affects-linux-machines/
Tuesday, February 16, 2016
Contact Center Privacy Compliance
When involving potential PHI and CHD, contact center employees must be trained up on an organization's privacy practices.
To get there, a company must have their act together by naming a Privacy Officer who can launch an effective program with the proper procedures, etc.
Monday, February 15, 2016
Consolidating Data Stores (File Shares, EDM / ECM, Cloud Storage)
2016 seems to be the year of information governance for nControl as more and more organizations (law firms, hospitals, insurance companies, banks, CROs) look to consolidate their data stores.
From a strategic perspective it is as simple as picking a street, though it is harder to execute.
Most organizations want to enable their employees from a workflow perspective, so many go down the cloud-storage-only route. That is fine as long as safeguards are in place (access controls, SSO, cryptography, retention schedules).
Regardless of whether cloud storage is used or not, it always seems redundant to use both file shares and EDM / ECM (SharePoint, Documentum) systems. That is why it should be on the road-map of IT management to figure this out in 2016.
Friday, February 12, 2016
Security Appliances & Vulnerabilities
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-asa-ike
Will these ever end?
No, as threat modeling evolves, and as IT consumers continue to use legacy IT assets, hackers will find a way to exploit them.
It all comes down to dollars. Vendors want to work on new offerings, while consumers will use legacy systems until it makes financial sense to move on.
Friday, February 5, 2016
Key Mgmt: Build vs Buy
Most orgs these days leverage cryptography for data protections. However, key management can be a logistical and administrative headache.
Hence, the use of key management systems (KMS) and services. With that said, orgs need to determine whether they want to build or buy said KMS solutions.
For small shops, a SKM (or SKIMP as I call it) solution may work. This solution is akin to the LAMP stack for small KMS deployments.
Larger, multinational shops may opt to go with cloud solutions like AWS's KMS, Azure's Key Vault, or SafeNet's services.
Ultimately, the decision to build vs buy rests on the complexity, budget, and skill-set of an org's IT shop. Rest assured, there are options for all types.
Wednesday, February 3, 2016
Non-Western Breaches
Not all breaches happen in the West, and not all breaches (anywhere) are reported.
FYI: http://www.databreaches.net/cn-hackers-steal-account-details-of-20-6-mln-taobao-users/
Tuesday, February 2, 2016
The Real Problem with Mobile App Security
It seems that many organizations outsource mobile application development. Therefore, it is extremely important to ensure that security is a requirement enumerated in the contract (SLA, MSA, etc.) with said vendor.
Specifically, organizations should provide security requirements (logging, access controls, cryptography, IAM / IdM), perform threat modeling during design, perform static and dynamic analysis testing, as well as execute misuse cases during testing all with said vendor.
Malware is becoming more and more prevalent, especially on mobile devices. So, organizations beware.
Monday, February 1, 2016
Build vs Buy Decisions w IT Security
In danger of oversimplifying, this post will discuss the potential for building versus buying security solutions.
Some vendors who shall remain anonymous come in awfully high for security solutions. Due to this, some smaller shops will want to go with building SIEM, GRC, or WAF solutions. With that said, SMBs must realize that these tools require TLC to remain secure.
Note that an organization may be able to report compliance with PCI, etc., though it may not be able to stay secure.