Does your company transmit, process or store payment card data about any individual who lives in the State of Nevada?
If so, you need to be aware of the new Security of Personal Information Act passed into law in Nevada. In a nutshell, data collectors or merchants who collect card data to do business will be required to be compliant with PCI DSS in order to legally conduct business in Nevada.
Understand the common threats to your business and think about how to prevent them, detect them and respond to them before they occur.
Threat models are commonly used in information security analysis to illustrate the potential for risks to impact an organization. The threat model is used to describe the characteristics of a given threat and the harm it could do to a vulnerable system.
If we do a project where we identify threat scenarios we'll go into detail. At a simple level we'll identify the pieces of the threat scenario, including the actor (WHO), the action (HOW), the motivation (WHY), the vulnerability exploited (think WEAKNESS) and the potential impact (think DAMAGE).
We do not address the probability of these events occurring, which in most cases is impossible to predict accurately.
Over your morning coffee, run through these common scenarios and ask yourself how they would impact you:
A trusted employee decides to:
· Download unauthorized software from the Internet which contains a Trojan horse or other malicious software.
· Disable antivirus scanning prior to the download of an emailed MS Office document.
· Transfer information from a third-party computer to their work computer, bringing a virus or other malicious software into the company.
· With any number of portable memory devices, copy data from the network so that it is stolen undetected.
A disgruntled employee decides to retaliate against your company:
· With knowledge of the backup tape courier routine, the tape drop-off is intercepted and the information contained on the tapes is used to attack your company's reputation or for material gain.
· With any number of portable memory devices, data is copied from the network and stolen undetected.
A former employee decides to retaliate against your company:
· With a haphazard termination process, the former employee uses his/her still active network access and credentials to damage or steal information from an outside location.
· With a haphazard termination process, the former employee gains access to a company facility and uses his/her still active network credentials to damage or steal information from an outside location.
An authorized visitor, or an unauthorized visitor or intruder, penetrates one of your company's facilities and:
· Unchallenged as they walk the floors of the facility, they exploit targets of opportunity such as unlocked, unattended systems, backup tapes left unsecured waiting for courier pickup, etc.
A third-party caretaker of your company information has a security incident. While that incident may not impact your company network, your company has no controls to prevent that incident from impacting your company at a business level.
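To make the WHO / HOW / WHY / WEAKNESS / DAMAGE breakdown above concrete, here is a small threat register in Python. It is an added example, not code from the original post or from Jacadis: the scenario wording and the prevent/detect/respond controls are constructed illustrations based on the scenarios listed above, and the function and field names are my own. The point it shows beyond the prose is the review step: a scenario with a missing element, or with no control in one of the three categories, is flagged so the gap is visible before the event happens rather than after.

```python
from dataclasses import dataclass, field

# Added example (not from the original post). Field names mirror the post's
# WHO / HOW / WHY / WEAKNESS / DAMAGE breakdown; control categories follow its
# "prevent, detect, respond" framing. All scenario text below is constructed.

REQUIRED_FIELDS = ("actor", "action", "motivation", "vulnerability", "impact")
CONTROL_TYPES = ("prevent", "detect", "respond")


@dataclass
class ThreatScenario:
    name: str
    actor: str          # WHO
    action: str         # HOW
    motivation: str     # WHY
    vulnerability: str  # WEAKNESS exploited
    impact: str         # DAMAGE
    # Controls mapped to this scenario, keyed "prevent" / "detect" / "respond".
    controls: dict = field(default_factory=dict)


def missing_fields(scenario):
    """Return the names of the five elements that were left blank."""
    return [f for f in REQUIRED_FIELDS if not getattr(scenario, f).strip()]


def control_gaps(scenario):
    """Return the control categories for which no control has been assigned."""
    return [c for c in CONTROL_TYPES if not scenario.controls.get(c)]


def review(register):
    """Summarize every scenario that is incomplete or lacks a control category."""
    findings = {}
    for s in register:
        fields, gaps = missing_fields(s), control_gaps(s)
        if fields or gaps:
            findings[s.name] = {"missing_fields": fields, "control_gaps": gaps}
    return findings


# Constructed register built from three of the scenarios in the post.
REGISTER = [
    ThreatScenario(
        name="unauthorized download",
        actor="trusted employee",
        action="downloads unauthorized software from the Internet",
        motivation="convenience; wants a tool IT has not provided",
        vulnerability="workstation allows installs; no download filtering",
        impact="Trojan horse on the internal network",
        controls={
            "prevent": "standard user accounts; application allow-list",
            "detect": "endpoint antivirus alerts; proxy logs for executables",
            "respond": "isolate host, reimage, rotate the user's credentials",
        },
    ),
    ThreatScenario(
        name="former employee still has access",
        actor="former employee",
        action="logs in remotely with credentials never disabled",
        motivation="retaliation after termination",
        vulnerability="haphazard termination process",
        impact="data stolen or damaged from an outside location",
        controls={
            "prevent": "termination checklist disables all accounts same day",
            "detect": "alert on any login by an account flagged as terminated",
            # "respond" deliberately omitted: the review should flag this gap.
        },
    ),
    ThreatScenario(
        name="portable media copy",
        actor="disgruntled employee",
        action="copies data from the network to a USB device",
        motivation="",  # left blank on purpose: flagged as incomplete
        vulnerability="removable media unrestricted on workstations",
        impact="confidential data leaves the company undetected",
        controls={"prevent": "block or encrypt removable media by policy"},
    ),
]


if __name__ == "__main__":
    for name, finding in review(REGISTER).items():
        print(f"{name}: {finding}")
```

Run as a script it prints only the scenarios that need work; the first scenario is complete and is not listed. The same structure scales to a real register where the review output becomes the agenda for the next security committee meeting.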
Understanding the Security Risks With Social Media for Business
We have taken the plunge as a firm and use Twitter, LinkedIn and Facebook to promote our personal brands, market our business and build community with customers and prospects.
While we've embraced the 2.0 world, we've done so with eyes wide open. As we use the technology to create benefits, we also acknowledge we create risks that must be identified, addressed and managed.
Most professionals, and most firms using these new technologies, are not "professional paranoids" like we are.
If you are using Social Media and have concerns about the risks ... or if you have balked at adopting the technology because of your fears of those risks ... please join me for:
Jacadis presenting lunch & learn on web application security with Platform Lab in Columbus
I wanted to highlight an upcoming lunch and learn reviewing web application security that might be of benefit to you if your business develops and deploys web applications. The event is free and lunch will be provided. Please register below, and send this on to individuals in your organization who would benefit.
Jacadis, the company I work for, is putting the lunch and learn on with its non-profit partner the Platform Lab, part of TechColumbus.
Presenter: Simon Herring, CISSP – Founder and CTO Jacadis, LLC.
Cost: Free
When: September 16th, 2009 11:00 am — 1:00 pm - Lunch will be provided
Cyber thieves use automated scanners to find web security holes… Why don’t you?
Thousands of web applications have been developed by companies of every size and industry to support business growth, extend customer interactivity, and lower service delivery costs. But how deliberate are you in evaluating the security of web applications throughout the application’s lifecycle, from inception to retirement?
Consider the following:
Many web vulnerabilities exist due to limited knowledge of secure coding principles. Catching these weaknesses before "go-live" can decrease the costs related to post-deployment patching and the risks associated with a security break-in.
The sophistication of web hackers and data thieves continues to increase. Scanning only during the development cycle assumes no new web application exploit techniques will be developed and shared in the Black Hat community. The "10 foot wall" you created last Fall won't be able to withstand the "11 foot ladder" that cyber thieves throw up this Summer.
In addition to being an established best practice for protecting general web servers, routine web application scanning can help you comply with federal, state, and industry regulations. With little marketing effort, you can also build security into your brand and show your existing or potential clients that protecting sensitive data is important.
The tools and processes are available to prevent the deployment of poorly coded and insecure web applications. Perhaps you know the risks, but you don’t know how to manage them, or where to begin. To answer these questions, we are hosting “Securing Web Applications using Acunetix WVS” to demonstrate how Acunetix Web Vulnerability Scanner (WVS) is an effective tool to add to your security routine.
In this Jacadis seminar, we will:
Examine the components of a successful web application development process
Discuss the role of web application vulnerability scanning in the overall security process
Explore how Acunetix Web Vulnerability Scanner (WVS) can be used by developers and security analysts alike to perform automated or manual web vulnerability testing.
Secure Value by making decisions and investments to account for risks before they become real negative events.
Secure Value posts have slowed down the last two weeks. I coach a 9 and 10 year old football team. I have to confess that my blogging time has been spent getting 16 boys ready to play football. Though I've been busy getting them ready to block and tackle, my mind hasn't stopped thinking about the information security game or helping small and medium enterprises stay fit for their own battle.
Last night we were working through the details of a blocking drill. As coaches we tell our kids that you can make a choice ... you can suffer the pain of discipline now or suffer the pain of regret later.
And I realized that information security is the same thing. We don't want to spend the extra time to think up a stronger password, backup files, convene an information security committee meeting, write policy or invest in a firewall. All those things are pain of discipline actions. It will hurt a little bit now but help us avoid it hurting a lot later.
And hurting later includes the greater of the two pains, the pain of regret. Like when we lose the key proposal or a customer contract to a bad sector on a laptop or server. Or when a client asks us to prove we have a security committee and follow whatever alphabet soup regulation they are accountable to. Or when our weak password is easily guessed and our business penetrated. Or when we have to terminate an employee for inappropriate behavior but can't produce the policy he violated. Or when ....
So take the time to hustle in practice and study your playbook at night ... Oh, sorry ..
Take the time to invest in your future and endure the pain of discipline by considering information security's role in your business, and avoid the pain of regret that comes with the impact of a future, predictable risk.
Sitting at a break in the action at Campus Technology 09, thinking.
Comparing conference chatter from last year to this year, the pace of innovation has been rapid if the talk of all things 2.0 is any indication. Just about anyone will quickly engage and share how they are using social networking or web 2.0 technologies in the classroom, in their business, in research and innovation projects or just in life. But ask a question about security or privacy and it is obvious that the dive into the 2.0 pool hasn't included some basic thinking about security.
Innovation without security thinking simply sets the stage for bad things to happen in the future. Too many security practitioners lament the social network. But stopping it is like trying to stop water from flowing downhill. The trick is diverting it, channelling it, guiding it to go where you want it to go.
Embrace these new technologies. As an entrepreneur I've already seen payoffs from being socially networked. But embrace them thoughtfully, with intentional security.
I enjoy reading CSOonline. Even if its articles are geared toward big-company information security technical practitioners, there are always some solid (and entertaining) nuggets available. This one might be of use to the small and emerging business:
The article identifies and lists five bright ideas for small businesses and medium enterprises looking to secure their business:
Risk management should form the foundation of your security practices.
The ongoing confluence of information security and physical security is good news for SMBs.
Video surveillance and analytics are now within the reach of SMBs.
Outsourcing is more popular than ever.
Recognize that you can't take people out of the equation.
Number 3, video surveillance, might not be for everyone, but the other four are definitely topics to be aware of when working to secure your small business environment.
Many web-based businesses are ideas in the heads of non-technical entrepreneurs that are translated into action by web application developers. Selecting the right web developer is key to a successful web-based business.
Make sure you secure your value when you select a service provider to develop your great idea, million dollar mousetrap or next big thing by asking these questions:
1. Does the developer have an active portfolio of sites that handle content, information and processes similar to your planned site?
2. Will they let you select references from their portfolio (rather than tying you to those they hand pick)? Ask the references how site security was considered during the course of the project.
3. Does the service provider consider secure coding as important to your project's success as the aesthetics and functionality of the site?
4. Does the provider use templates as a base for their work, or do they develop everything "from scratch" based on a custom model?
   · If they use templates ...
      o Are the templates developed in house, acquired from a trusted source, or acquired from the public domain?
      o Regardless of the source, how do they validate that no known vulnerabilities are in the template code?
   · If they write all of the code themselves ...
      o What is their development process?
      o Do they develop all of the code in house with company employees?
5. Do they test the code before its release for performance and security vulnerabilities?
6. How do they validate that they are delivering a secured site?
7. Will they include an independent third-party vulnerability assessment in their service that must be passed before you'll accept delivery?
8. Do they consider information security in their contract? Do they offer a guarantee that code is provided with no known vulnerabilities?
9. Does their service (and price) include maintenance on the code they provide? Does the maintenance include both in-house developed code and template-based code? Are security considerations included in their maintenance processes?
10. How do they monitor new vulnerabilities in the code they produce? Will they guarantee or warranty their code?
11. Does the service provider vault the code so you have a secure code set to restore to in the case of a breach?
Consideration for protecting company information in all business decisions builds and protects value.
Information security protects and builds value for businesses of all sizes. Yet executives, entrepreneurs and business leaders who make business decisions about the information in their business do not have the tools to include information security in their decision making. This blog will detail information security topics at an executive level to assist business leaders, executives and entrepreneurs in making decisions that build value.
As an entrepreneur I understand how critical trust is to success. People aren't going to do business with organizations they don't trust.
As president of an information security solution provider, Jacadis (www.jacadis.com), Columbus, Ohio, I work with business leaders and executives nervous that their company's critical data might be exposed and who are scared they are not compliant with the layers of government rules and regulations.
Taking it one step further they should concern themselves with building a trustable business.
Most executives and entrepreneurs don't have enough working knowledge of information security to include it in planning. The field is highly technical, filled with jargon, complicated technologies, rules and regulations, all supported by an alphabet soup of acronyms. And so great business ideas get built and launched with little to no practical information security protections. Value is limited or exposed.
We don't build buildings without locks.
Decisions about how we collect, store, process and protect data impact customer trust. Yet, we do build technology solutions, information driven processes and innovative products without "locks". Why?
Is trust important in your business? Do you extend a trustable network to your customers? Do you have the tools to answer?