Monday, October 31, 2011

Borders Sells Personal Information

'About Face' Could Violate Your Privacy

Once spirited rivals, Borders and long-time competitor Barnes & Noble are now doing business together. That business? Your personal information.

If you were a Borders customer who allowed the national bookstore to store your personal information, there is a good chance that information may soon belong to Barnes & Noble. And we're not just talking your name and address. We're talking things like your credit card number - and even more personal yet - your purchase history.

If sharing this information with yet another store in general, or with Barnes & Noble in particular, doesn't sit well with you -- or you do not want your purchase history to become part of perpetual history by being passed along to another bookseller -- be sure to opt out by visiting the Barnes & Noble website.

But hurry. You only have until Nov. 2, 2011 to tell them no.

Saturday, October 29, 2011

Researchers Unveil Flaws in Skype

Pilfering Personal Identifiable Information (PII) via Skype

It's so easy that a child could uncover personally identifiable information of millions upon millions of Internet phone users, if the child is a sophisticated, high-school-age hacker.

That's how researchers from the Polytechnic Institute of New York University describe an easily exploitable flaw in Skype and other IP-based phone systems that could disclose the identities, locations and digital files of hundreds of millions of users, according to a new paper, "I Know Where You are and What You are Sharing."
"A hacker anywhere in the world could easily track the whereabouts and file-sharing habits of a Skype user - from private citizens to celebrities and politicians - and use the information for purposes of stalking, blackmail or fraud," Keith Ross, an NYU-Poly computer science professor who headed the research team, says in a statement issued by the school.

The flaw could, for instance, let marketers effortlessly link a Skype user to information such as name, age, address, profession and employer drawn from social media sites such as Facebook and LinkedIn, building a profile for pennies apiece.

Though researchers studied only Skype, they say their findings also apply to other IP-based phone systems. Their findings will be presented next month at the Internet Measurement Conference 2011 in Berlin.

Using commercial geo-location mapping services, researchers found they could construct a detailed account of a user's daily activities even if the user had not turned on Skype for 72 hours. Skype and its new owner Microsoft were informed of the researchers' findings. Skype's response wasn't clear on specific steps it has taken to address the vulnerabilities the researchers discovered.
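The chain the paper describes, as an added example that is not part of the original post or of the researchers' code: covert call probes yield (user, time, IP) observations; a geo-IP lookup turns those into a movement timeline; and matching the same addresses against BitTorrent swarm sightings ties a named user to what that address was downloading. The geo-IP table, the probe log, the swarm observations and the infohashes below are all constructed stand-ins (a real adversary would use a commercial geolocation service and a DHT crawler), and the user names are hypothetical.

```python
import ipaddress
from collections import defaultdict

# Constructed stand-in for a commercial geo-IP database: prefix -> city.
GEOIP = {
    ipaddress.ip_network("203.0.113.0/24"): "New York, US",
    ipaddress.ip_network("198.51.100.0/24"): "Berlin, DE",
    ipaddress.ip_network("192.0.2.0/24"): "Paris, FR",
}

# Constructed probe log: (skype_id, hour, ip). Each row is what an attacker
# learns from one call that is torn down before the callee's client rings.
PROBES = [
    ("alice", 0, "203.0.113.7"),
    ("alice", 6, "203.0.113.7"),
    ("alice", 12, "198.51.100.22"),
    ("alice", 18, "198.51.100.22"),
    ("alice", 24, "203.0.113.9"),
    ("bob", 0, "192.0.2.5"),
]

# Constructed BitTorrent swarm sightings: (ip, hour, infohash). Infohashes are made up.
INFOHASH_A = "3f786850e387550fdab836ed7e6dc881de23001b"
INFOHASH_B = "89e6c98d92887913cadf06b2adb97f26cde4849b"
SWARM = [
    ("198.51.100.22", 13, INFOHASH_A),
    ("192.0.2.5", 2, INFOHASH_B),
    ("203.0.113.50", 1, INFOHASH_A),  # same /24 as alice, different host: must not link
]


def locate(ip):
    """Longest-prefix style lookup against the constructed geo-IP table."""
    addr = ipaddress.ip_address(ip)
    for net, city in GEOIP.items():
        if addr in net:
            return city
    return "unknown"


def movement_timeline(probes):
    """Collapse consecutive sightings in the same city into (start, end, city) segments per user."""
    by_user = defaultdict(list)
    for user, t, ip in sorted(probes, key=lambda r: (r[0], r[1])):
        by_user[user].append((t, locate(ip)))
    segments = {}
    for user, obs in by_user.items():
        segs = []
        for t, city in obs:
            if segs and segs[-1][2] == city:
                segs[-1][1] = t          # extend the current stay
            else:
                segs.append([t, t, city])  # new location
        segments[user] = [tuple(s) for s in segs]
    return segments


def link_downloads(probes, swarm, window_hours=6):
    """Attribute a swarm sighting to a user when the same IP was probed for that
    user within the time window. Exact-IP matching only: a /24 match proves nothing."""
    links = set()
    for user, t, ip in probes:
        for s_ip, s_t, infohash in swarm:
            if s_ip == ip and abs(s_t - t) <= window_hours:
                links.add((user, infohash))
    return sorted(links)


if __name__ == "__main__":
    for user, segs in movement_timeline(PROBES).items():
        print(user, segs)
    print(link_downloads(PROBES, SWARM))
```

Two caveats a practitioner would want stated: the time window and exact-address match are what keep the linkage honest, since an address behind NAT or carrier-grade NAT is shared by many users and a shorter window reduces but does not remove false attribution; and the whole chain depends on the first step, the callee's IP leaking before the call is answered, which is exactly what the researchers' proposed protocol change removes.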

The researchers, however, contend there's a fairly straightforward and inexpensive fix to prevent hackers from taking the critical first step in this security breach, that of obtaining users' IP addresses through inconspicuous calling. By redesigning the Skype protocol, a user's IP address would never be revealed unless the call is accepted. That, researchers say, would offer substantially greater privacy.

Thursday, October 27, 2011

New Stuxnet-Like Worm Discovered

Researchers Label the New Threat "Duqu"

A research lab has discovered, on computers in Europe, a worm very similar to Stuxnet, according to a blog post published Tuesday by the IT security provider Symantec.

Researchers at the lab, which Symantec did not identify, named the new worm Duqu [dyü-kyü] because it creates files with the filename prefix ~DQ. It shares a great deal of code with Stuxnet, but the payload is completely different, Symantec researchers say.

Symantec says Duqu is essentially a precursor to a future Stuxnet-like attack. Stuxnet, discovered in June 2010, gained fame when it was credited with crippling Iranian uranium-enrichment centrifuges. Israel and/or the United States are the prime suspects in the creation of Stuxnet, which targets Siemens industrial software running on Microsoft Windows.

The newly discovered worm was written by the authors of Stuxnet, or by someone with access to the Stuxnet source code, and appears to have been created after the last Stuxnet sample was recovered, Symantec says.

"Duqu's purpose is to gather intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party," the blog says. "The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility."

Symantec says the attackers used Duqu to install a so-called infostealer to record keystrokes and gain other system information. "The attackers were searching for assets that could be used in a future attack," the blog says. "In one case, the attackers did not appear to successfully exfiltrate any sensitive data, but details are not available in all cases. Two variants were recovered, and in reviewing our archive of submissions, the first recording of one of the binaries was on Sept. 1. However, based on file compile times, attacks using these variants may have been conducted as early as December 2010."
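Two of the indicators in this post, the ~DQ filename prefix and the gap between a binary's compile time and its first submission, are things an analyst can check mechanically. The following is an added example, not Symantec's tooling and not based on any Duqu sample: it reads the linker TimeDateStamp out of a PE header and flags files whose name starts with ~DQ or whose compile time sits well before the date they were first seen. The PE image it parses is a constructed 88-byte stub (MZ header plus COFF header, not a loadable binary), and the filename and first-seen date are hypothetical.

```python
import struct
from datetime import datetime, timedelta, timezone


def build_stub_pe(timestamp: int) -> bytes:
    """Constructed minimal PE image for testing only: a DOS header whose e_lfanew
    points at a COFF header carrying the given TimeDateStamp. Not runnable as a program."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: COFF header starts right after the DOS header
    coff = struct.pack(
        "<4sHHIIIHH",
        b"PE\0\0",   # PE signature
        0x14C,       # Machine: IMAGE_FILE_MACHINE_I386
        1,           # NumberOfSections
        timestamp,   # TimeDateStamp, seconds since 1970-01-01 UTC
        0, 0,        # PointerToSymbolTable, NumberOfSymbols
        0xE0,        # SizeOfOptionalHeader for PE32
        0x102,       # Characteristics: EXECUTABLE_IMAGE | 32BIT_MACHINE
    )
    return bytes(dos) + coff


def pe_compile_time(data: bytes):
    """Return the PE linker timestamp as an aware UTC datetime, or None if data is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header layout: signature(4) Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    ts = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def triage(samples, min_gap_days=30):
    """samples: iterable of (filename, bytes, first_seen datetime).
    Flags the ~DQ name prefix and a compile time far ahead of first_seen, the gap
    the post uses to push the earliest activity back to December 2010.
    Note: a PE timestamp is attacker-controlled and trivially forged; treat it as a lead, not proof."""
    results = []
    for name, data, first_seen in samples:
        ct = pe_compile_time(data)
        flags = []
        if name.upper().startswith("~DQ"):
            flags.append("dq-prefix")
        if ct is not None and first_seen - ct > timedelta(days=min_gap_days):
            flags.append("compiled-long-before-first-seen")
        results.append({"name": name, "compile_time": ct, "flags": flags})
    return results


# Constructed sample set: a hypothetical ~DQ temp file "compiled" 2010-12-15T00:00:00Z
# (epoch 1292371200) and first submitted 2011-09-01, plus a non-PE document.
FIRST_SEEN = datetime(2011, 9, 1, tzinfo=timezone.utc)
SAMPLES = [
    ("~DQ8B.tmp", build_stub_pe(1292371200), FIRST_SEEN),
    ("report.doc", b"not a PE", FIRST_SEEN),
]

if __name__ == "__main__":
    for r in triage(SAMPLES):
        print(r["name"], r["compile_time"], r["flags"])
```

Run against a real directory, the same function works on the bytes of each file; the point of the constructed stub is only that the parser can be exercised offline. The forgery caveat in the docstring matters: Symantec's "may have been conducted as early as" wording reflects exactly that uncertainty.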

The blog says one of the variant's driver files was signed with a valid digital certificate that expires next Aug. 2. The digital certificate, belonging to a company headquartered in Taipei, Taiwan, was revoked last Friday.

Symantec says it had recovered additional variants of Duqu from another European organization with a compilation time of Monday, Oct. 17; however, these variants have yet to be analyzed.

Monday, October 24, 2011

New free version of Metasploit tool released

New version of free Metasploit tool aimed at newbie penetration testers

Two years after Rapid7 acquired the Metasploit Project, the company has rolled out a free and more user-friendly version of the open-source tool that is aimed at less technical users.

The new Metasploit Community Edition is a combination of the popular open-source Metasploit Framework and a basic version of the user interface of Rapid7's Metasploit Pro commercial product.

HD Moore, Rapid7's CSO and chief architect for Metasploit, says the free pen-testing tool features a new user interface and automation of tasks to make penetration testing more approachable for organizations and users not necessarily versed in penetration testing. There's a growing number of organizations that want to get started with pen testing, either for compliance reasons or just to test it out, he says.

"There's a huge number who want to dip their toe into security and don't want a complex learning curve. They just want to test it, and some are scared to test it," says Moore, who is also the creator of Metasploit. "[Now] they can get familiar with Metasploit ... and make sure they can prioritize vulnerabilities" and other security issues, he says.

It was two years ago today that Rapid7 announced it had purchased Moore's open-source Metasploit pen-testing tool project, and that Moore had joined the company and was remaining in charge of the project.

Metasploit Community is available for download here.

Saturday, October 22, 2011

DHS: “Anonymous” Sniffing around SCADA systems

Hacktivist group "Anonymous" is considering attacking SCADA systems

A recently leaked DHS document (Download Here) warns that the hacktivist group "Anonymous" is considering attacks on SCADA systems and critical infrastructure in some countries.

The document, labelled "for official use only", quotes several Twitter posts believed to belong to Anonymous members discussing and exchanging information about SCADA systems:

"On 19 July 2011, a known Anonymous member posted to Twitter the results of browsing the directory tree for Siemens SIMATIC software. This is an indication in a shift toward interest in control systems by the hacktivist group."

Another excerpt:

"An anonymous individual provided an open source posting on twitter of xml and html code that queries the SIMATIC software. The individual alleged access to multiple control systems and referred to "Owning" them. The Twitter posting does not identify any systems where privileged levels of access to control systems have been obtained."
The report suggests that experienced Anonymous members could quickly gain the knowledge required to attack industrial control systems (ICS), which is correct. What the report does not mention is the current gold rush among researchers to turn up SCADA vulnerabilities: in just the past couple of weeks, anyone following the right publicly available sources could count more than a dozen zero-day vulnerabilities.

Just by looking around, I am afraid to say that ICS are going to be the next target after the current wave of attacks on financial institutions ("Occupy Wall Street").

Looking at the flow of events, Anonymous, LulzSec and Co. have already targeted governments, big corporates, defense contractors, banks and stock exchanges. The next logical step down the food chain is energy.

More on the topic:

- Washington times
- The register

Thursday, October 20, 2011

US-CERT - Control Systems Security Program

Cyber Security Evaluation Tool


Critical infrastructures are dependent on information technology systems and computer networks for essential operations. Particular emphasis is placed on the reliability and resiliency of the systems that comprise and interconnect these infrastructures. NCSD collaborates with partners from across public, private, and international communities to advance this goal by developing and implementing coordinated security measures to protect against cyber threats.

The Cyber Security Evaluation Tool (CSET) is a Department of Homeland Security (DHS) product that assists organizations in protecting their key national cyber assets. It was developed under the direction of the DHS National Cyber Security Division (NCSD) by cybersecurity experts and with assistance from the National Institute of Standards and Technology.

This tool provides users with a systematic and repeatable approach for assessing the security posture of their cyber systems and networks. It includes both high-level and detailed questions related to all industrial control and IT systems.

Download CSET Assessment Fact Sheet


CSET is a desktop software tool that guides users through a step-by-step process to assess their control system and information technology network security practices against recognized industry standards. The output from CSET is a prioritized list of recommendations for improving the cybersecurity posture of the organization's enterprise and industrial control cyber systems. The tool derives the recommendations from a database of cybersecurity standards, guidelines, and practices. Each recommendation is linked to a set of actions that can be applied to enhance cybersecurity controls.

CSET has been designed for easy installation and use on a stand-alone laptop or workstation. It incorporates a variety of available standards from organizations such as National Institute of Standards and Technology (NIST), North American Electric Reliability Corporation (NERC), International Organization for Standardization (ISO), U.S. Department of Defense (DoD), and others.

When the tool user selects one or more of the standards, CSET will open a set of questions to be answered. The answers to these questions will be compared against a selected security assurance level, and a detailed report will be generated to show areas for potential improvement. CSET provides an excellent means to perform a self-assessment of the security posture of your control system environment.

Key Benefits
  • CSET contributes to an organization's risk management and decision-making process
  • Raises awareness and facilitates discussion on cybersecurity within the organization
  • Highlights vulnerabilities in the organization's systems and provides recommendations on ways to address the vulnerability
  • Identifies areas of strength and best practices being followed in the organization
  • Provides a method to systematically compare and monitor improvement in the cyber systems
  • Provides a common industry-wide tool for assessing cyber systems
How to Obtain it

CSET is available for download at the following link: Download CSET here

Alternatively, the Control Systems Security Program also offers onsite training and guidance to asset owners in using CSET during onsite assessments. These assessments are conducted at no cost to the asset owners. To assist an organization in planning and organizing for an assessment using the CSET, the following actions and items are recommended:
  • Identify the assessment team members and schedule a date.
  • Become familiar with information about the organization's system and network by reviewing policies and procedures, network topology diagrams, inventory lists of critical assets and components, risk assessments, IT and ICS network policies/practices, and organizational roles and responsibilities.
  • Select a meeting location to accommodate the assessment team during the question and answer portion of the assessment.
  • Work with CSSP for onsite or subject matter support.
To request onsite assistance, please send mail to

Tuesday, October 18, 2011

How to mitigate the major threats and fully secure both private and public cloud?

Cloud Security Summit | Free Online Event

The adoption of cloud-based solutions has become a necessity for most enterprises. While a growing number of companies enjoy the agility and flexibility achieved through the cloud, security experts emphasize a number of risks and vulnerabilities related to this trending technology.

Attend this summit to hear from world-class thought leaders, analysts and experienced end-users on how to mitigate the major threats and fully secure both private and public cloud.

Sign up to attend the live interactive webcasts or view them afterward on demand here: .

Presentations include:

‘Application Security for Cloud-Based Companies’
Jim Manico, VP Security Architecture, WhiteHat Security

‘Privacy in Public: How Organizations are Securely Managing Sensitive Assets in Cloud’
Imam Sheikh, SafeNet

‘Effectively Communicating the Value of Cloud Security’
Michael Santarcangelo, The Security Catalyst

‘Is Your Data Safe in the Cloud?’
Eran Feigenbaum, Director of Security, Google Enterprise

‘Distributed Denial of Service — War Stories from the Cloud Front’
Michael Smith, Security Evangelist & John Buten, Senior Manager Enterprise Marketing, Akamai

‘The Missing "S" in Cloud’
Professor John Walker, CEO and Founder, Secure-Bastion

You can view the full lineup and sign up to attend any or all presentations at .

This summit is part of the ongoing series of thought leadership events presented on BrightTALK(TM). I hope you are able to attend.

Sunday, October 16, 2011

10 Domains of Cloud Security Services

Cloud Security Alliance Foresees Security as a Service

Security poses a major challenge to the widespread adoption of cloud computing, yet an association of cloud users and vendors sees the cloud as a provider of information security services.

The Security-as-a-Service Working Group of the Cloud Security Alliance, a not-for-profit association formed by cloud-computing stakeholders, issued a report Monday that defines 10 categories of security services that can be offered over the cloud.

The alliance said its report is aimed at providing cloud users and providers greater clarity on security as a service in order to ease its adoption while limiting the financial burden security presents to organizations. The 10 security-as-a-service categories are:
  1. Identity and Access Management should provide controls for assured identities and access management. Identity and access management includes people, processes and systems that are used to manage access to enterprise resources by assuring the identity of an entity is verified and is granted the correct level of access based on this assured identity.

    Audit logs of activity such as successful and failed authentication and access attempts should be kept by the application/solution.

  2. Data Loss Prevention is the monitoring, protecting and verifying the security of data at rest, in motion and in use in the cloud and on-premises. Data loss prevention services offer protection of data usually by running as some sort of client on desktops/servers and running rules around what can be done.

    Within the cloud, data loss prevention services could be offered as something that is provided as part of the build, such that all servers built for that client get the data loss prevention software installed with an agreed set of rules deployed.

  3. Web Security is real-time protection offered either on-premise through software/appliance installation or via the cloud by proxying or redirecting web traffic to the cloud provider.

    This provides an added layer of protection on top of things like AV to prevent malware from entering the enterprise via activities such as web browsing. Policy rules around the types of web access and the times this is acceptable also can be enforced via these web security technologies.

  4. E-mail Security should provide control over inbound and outbound e-mail, thereby protecting the organization from phishing and malicious attachments, enforcing corporate policies such as acceptable use and spam and providing business continuity options.

    The solution should allow for policy-based encryption of e-mails as well as integrating with various e-mail server offerings. Digital signatures enabling identification and non-repudiation are features of many cloud e-mail security solutions.

  5. Security Assessments are third-party audits of cloud services or assessments of on-premises systems based on industry standards. Traditional security assessments for infrastructure and applications and compliance audits are well defined and supported by multiple standards such as NIST, ISO and CIS. A relatively mature toolset exists, and a number of tools have been implemented using the SaaS delivery model.

    In the SaaS delivery model, subscribers get the typical benefits of this cloud computing variant: elasticity, negligible setup time, low administration overhead and pay-per-use with low initial investment.

  6. Intrusion Management is the process of using pattern recognition to detect and react to statistically unusual events. This may include reconfiguring system components in real time to stop/prevent an intrusion.

    The methods of intrusion detection, prevention and response in physical environments are mature; however, the growth of virtualization and massive multi-tenancy is creating new targets for intrusion and raises many questions about the implementation of the same protection in cloud environments.

  7. Security Information and Event Management systems accept log and event information. This information is then correlated and analyzed to provide real-time reporting and alerting on incidents/events that may require intervention.

    The logs are likely to be kept in a manner that prevents tampering to enable their use as evidence in any investigations.

  8. Encryption systems typically consist of algorithms that are computationally difficult or infeasible to break, along with the processes and procedures to manage encryption and decryption, hashing, digital signatures, certificate generation and renewal and key exchange.

  9. Business Continuity and Disaster Recovery are the measures designed and implemented to ensure operational resiliency in the event of any service interruptions.

    Business continuity and disaster recovery provides flexible and reliable failover for required services in the event of any service interruptions, including those caused by natural or man-made disasters or disruptions. Cloud-centric business continuity and disaster recovery makes use of the cloud's flexibility to minimize cost and maximize benefits.

  10. Network Security consists of security services that allocate access, distribute, monitor and protect the underlying resource services. Architecturally, network security provides services that address security controls at the network in aggregate or specifically addressed at the individual network of each underlying resource.

    In a cloud/virtual environment, network security is likely to be provided by virtual devices alongside traditional physical devices.
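To make items 1 and 7 concrete, here is an added example in Python that is not from the CSA report or any vendor's product. It parses constructed sshd-style authentication log lines, runs one correlation rule over them (a run of failed logins for a user from one address followed by a success from that same address), and stores the parsed events in a SHA-256 hash chain, the simplest form of the tamper-evident log storage item 7 calls for. Hostnames, usernames, addresses and timestamps in the sample are all constructed.

```python
import hashlib
import json
import re
from collections import defaultdict

# Constructed sample: sshd-style auth lines in time order, not from any real host.
SAMPLE_LOG = """\
2011-10-16T08:00:01Z host1 sshd: Failed password for admin from 203.0.113.9 port 51001
2011-10-16T08:00:03Z host1 sshd: Failed password for admin from 203.0.113.9 port 51002
2011-10-16T08:00:05Z host1 sshd: Failed password for admin from 203.0.113.9 port 51003
2011-10-16T08:00:06Z host1 sshd: Failed password for admin from 203.0.113.9 port 51004
2011-10-16T08:00:08Z host1 sshd: Failed password for admin from 203.0.113.9 port 51005
2011-10-16T08:00:10Z host1 sshd: Accepted password for admin from 203.0.113.9 port 51006
2011-10-16T08:01:00Z host2 sshd: Failed password for carol from 198.51.100.4 port 40000
2011-10-16T08:01:30Z host2 sshd: Accepted password for carol from 198.51.100.4 port 40001
"""

LINE_RE = re.compile(
    r"^(\S+) (\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+) port \d+$"
)


def parse(text):
    """Turn matching log lines into event dicts; non-matching lines are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, outcome, user, ip = m.groups()
            events.append({"ts": ts, "host": host, "outcome": outcome, "user": user, "ip": ip})
    return events


def detect_bruteforce_success(events, threshold=5):
    """Alert when at least `threshold` consecutive failures for (ip, user) are followed by
    an Accepted from the same ip. Assumes events are already in time order."""
    failures = defaultdict(int)
    alerts = []
    for e in events:
        key = (e["ip"], e["user"])
        if e["outcome"] == "Failed":
            failures[key] += 1
            continue
        if failures[key] >= threshold:
            alerts.append({"ts": e["ts"], "ip": e["ip"], "user": e["user"], "failures": failures[key]})
        failures[key] = 0  # a success resets the counter either way
    return alerts


def hash_chain(events):
    """Tamper-evident storage: each entry's hash covers the previous hash and its own record,
    so altering or deleting any earlier record breaks every later hash."""
    prev = "0" * 64
    chain = []
    for e in events:
        payload = json.dumps(e, sort_keys=True)
        h = hashlib.sha256((prev + payload).encode()).hexdigest()
        chain.append({"record": e, "prev": prev, "hash": h})
        prev = h
    return chain


def verify_chain(chain):
    """Recompute every link; False on any break."""
    prev = "0" * 64
    for entry in chain:
        if entry["prev"] != prev:
            return False
        payload = json.dumps(entry["record"], sort_keys=True)
        if entry["hash"] != hashlib.sha256((prev + payload).encode()).hexdigest():
            return False
        prev = entry["hash"]
    return True


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    for a in detect_bruteforce_success(evts):
        print("ALERT", a)
    print("chain ok:", verify_chain(hash_chain(evts)))
```

The chain only proves anything if its head hash is anchored somewhere the log writer cannot reach (signed, or written to a separate store) before an attacker gains control; otherwise a tamperer simply rewrites the chain from the altered record onward. Likewise the rule fires on a single success, so in practice it is paired with the failed-login-only rule (a run of failures with no success, which the sample from carol would not trigger at this threshold) and with a time window rather than a pure count.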

Friday, October 14, 2011

No Charge: Two Live Online CISSP Exam Prep Clinics

Earn Your CISSP in 2011

At no charge, you can attend TWO live online CISSP Exam Prep Clinics taught by a leading (ISC)2® instructor!

Register at:
  • CISSP Clinic I: Domains 1 – 4
  • CISSP Clinic II: Domains 5 – 10
Both clinics are available live online and on demand following the webinar*.

If you’ve been studying for the CISSP exam, you’ll want to attend these TWO live online CISSP Exam Prep Clinics sponsored by University of Fairfax, Information Security Community, 1105 Media-- FOSE & GovSec-- and Tenacity.

You’ll discover strategies to increase your chances of success! You’ll learn techniques to help you quickly assess which questions to address first, which to delay answering and how to eliminate the less likely answers. The Clinics include tips for all 10 domains covered in the exam.

Register today so you pass the CISSP Exam in 2011!


Thursday, October 20, 2011, 2 – 3 PM ET

Both clinics are also available on demand following each webinar*. There is No Charge for you to attend! Register now to prepare for your CISSP Exam.

Register Now:

Wednesday, October 12, 2011

Change your Facebook privacy settings to avoid strangers looking at your updates!

Stop strangers from stalking your wall posts, photos, videos etc.

Regardless of what you think about the "updates" Facebook regularly unleashes on its users, one thing is for sure: they'll keep coming. The latest changes are disturbing for reasons other than minor discomfort with the way your news feed page looks now.

One can be flat-out intrusive and invites peepers into your personal life if you, and your friends, do not have privacy settings to keep out such voyeurs! If you have not yet, change your Facebook settings now so that strangers can't view your personal information. What's more, make sure your kids' settings are changed as well; there are way too many creeps trolling FB pages for young victims.

New to Facebook - Subscribers

Subscribers are basically folks who want to see all your public posts in their newstream, without actually having you agree to be their friend. You can turn off the ability for people to subscribe to you if you do not want this.

This is pretty much like those who "follow" others on Twitter. Except, of course, Twitter is a much different type of information-sharing community. And, on FB, your friends' settings can also make some of your comments to them public and viewable by subscribers even if none of your settings are "public".

Most of the folks I know who use FB do so to be able to interact with people they actually know since so many more types of information are shared on FB as opposed to a community where communications are made 140 characters at a time.

So, if you are not comfortable having someone you've never heard of before, or someone you know but who you would rather not know, stalking you and your wall posts, photos, videos, etc. on FB, you can turn off the ability for folks to "subscribe" to you.

Most of you will have had "subscribers" turned on when FB switched to this new format. To disallow folks from subscribing to you do the following:
  1. Go to your profile (click your name at the top right portion of the screen to get there)
  2. Click Subscribers link on the left menu
  3. Click the Edit Settings button in the top right part of your screen
  4. Click "Off" in the drop down menu to the right of "Subscribers"
Note: when you hide or decline a friend request, that person can still subscribe to your public updates if you have allowed subscribers. So, if you don't want people you don't know seeing all your posts automatically within their newstream, including your comments to others, turn off subscribers.

Saturday, October 8, 2011

NIST: Continuous Monitoring Guidance Issued

NIST: Also Revises SCAP Special Report

NIST made public its guidance on how best to employ continuous monitoring to assure the security of information and information systems.

Special Publication 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations, covers defining an information security continuous monitoring strategy and establishing an information security continuous monitoring program.

The National Institute of Standards and Technology said the purpose of the guideline is to assist organizations in the development of a continuous monitoring strategy and the implementation of a program that provides awareness of threats and vulnerabilities, visibility into organizational assets and information about the effectiveness of deployed security controls.

According to the publication, the strategy:
  • Is grounded in a clear understanding of organizational risk tolerance and helps officials set priorities and manage risk consistently throughout the organization.
  • Includes metrics that provide meaningful indications of security status at all organizational tiers.
  • Ensures continued effectiveness of all security controls.
  • Verifies compliance with legislation, directives, regulations, policies and standards/guidelines.
  • Is informed by all organizational IT assets and helps to maintain visibility into the security of the assets.
  • Ensures knowledge and control of changes to organizational systems and environments of operation.
  • Maintains awareness of threats and vulnerabilities.
NIST also unveiled the final release of SP 800-126 Revision 2, The Technical Specification for the Security Content Automation Protocol: SCAP Version 1.2.

SCAP consists of a suite of specifications for standardizing the format and nomenclature in which software flaw and security configuration information is communicated, to machines and humans. SP 800-126 defines and explains SCAP version 1.2, including the basics of the SCAP component specifications and their interrelationships, the characteristics of SCAP content and the SCAP requirements not defined in the individual component specifications.

Major changes in version 1.2 include the addition of the Asset Reporting Format, Asset Identification, the Common Configuration Scoring System and the Trust Model for Security Automation Data, which provides support for digitally signing SCAP source and result content.

Wednesday, October 5, 2011

10 Free Security Tools That Actually Work

Security isn't free, right?

Well, in some cases it is. You can get everything from anti-virus to a firewall for less than a penny. In a pinch, it's a nice option to have.

Much like we did with free cloud storage services, here are the 10 free security tools that you can download now that actually work and will help keep you, your data and your machine free from attack.

Avast Software is among the leading free anti-virus and anti-spyware tools out there. With more than 173 million registrations and counting, Avast promises dependable and fast anti-virus and anti-spyware, strong enough for normal Web use. Avast also boasts a small footprint and claims that it can outperform some competitors' paid anti-virus suites.

Malwarebytes is the go-to free security tool. We even know of a few IT departments that recommend it (though they probably won't admit that publicly). The free anti-malware tool is quick and rarely throws out false positives. It scans all files and drives and once infected files are identified enables users to remove them. There's a paid version with added protection, but if a quick scan and malware removal is all you're after and you're short on cash, it's a nice tool to have.

AVG Free can keep most Web users secure, provided they stick to surfing, searching and social networking. AVG Anti-Virus Free 2012 was just released to keep PCs safe and sound.

Comodo offers prevention-based PC security via its free firewall offering, which the company says features Auto Sandbox Technology, defends PCs from Internet attacks and prevents malware from being installed.

BitDefender's Free Edition of anti-virus software acts as an on-demand virus scanner for system recovery and forensics. The free version uses the same ICSA Labs-certified scanning engines used by other BitDefender products to deliver basic protection for no cost. With the free edition of BitDefender, users get virus scanning and removal, scheduled scanning, immediate scanning, quarantine and reports.

ClamWin is a free, open-source anti-virus play for Microsoft Windows 7, Vista, XP, Me, 2000 and Windows Server 2003 and 2008. In use by more than 600,000 users globally, ClamWin offers users high detection rates for viruses and spyware, a scanning scheduler, automatic downloads of an updated virus database, a standalone scanner with right-click menu integration into Explorer and a Microsoft Outlook add-in to remove virus-infected attachments automatically.

ESET offers a free Online Scanner that detects and removes PC threats. The online scan needs only a browser and uses ESET's ThreatSense engine to sniff out and snuff threats. According to ESET, it offers one-click installation and activation and is always up to date with the latest threat signatures and algorithms from ESET's Threat Labs. It can detect known and unknown forms of malware, including viruses, worms, Trojans, phishing and spyware. And all infected files are moved to a quarantine where they can be restored or removed permanently.

Rising offers a host of free security utilities including Rising Free Antivirus, Rising Free Firewall, Rising PC Doctor, Rising Free Online Scanner and Rising Mobile Security. The Antivirus Free Edition protects against viruses, Trojans, worms, rootkits and other types of malicious programs and malware and uses what Rising calls "Active Defense" technology and its patented "Unknown Virus Scan and Clean" and "Smartupdate" technologies.

PC Tools AntiVirus Free protects against basic cyberthreats with anti-virus and anti-spyware protection. The PC Tools free offering leverages Smart Updates and File Guard to protect a PC and provide real-time protection, while E-mail Guard protects from malware that could be sent over e-mail. Made by the same folks that created Spyware Doctor, PC Tools AntiVirus Free gives users IntelliGuard real-time virus scan and removal to thwart viruses, worms, Trojans and more.

Ad-Aware Free Internet Security kicks free malware protection up a notch while promising not to slow things down. With real-time protection, Genocode detection technology, rootkit protection, automatic updates and more, Ad-Aware offers a full featured security suite for free. The offering vows to keep users safe from password stealers, keyloggers and online fraudsters while also leveraging behavior-based detection to find suspicious files and threats before they become a problem.

Monday, October 3, 2011

Free CISSP On-Demand WebCast by Shon Harris

WebCast on Information Security and Risk Management

Career Academy has offered a free on-demand CISSP webcast with Shon Harris as a way to try out its training delivery platform.

The course offered is on CISSP Domain 1: Information Security and Risk Management, and is intended for IT professionals. The course description is below, along with a link to try it out.

Please feel free to forward to others in your organization who may be interested in this type of training.

Sign up for the free training course:

Course Description:

This free course module of Domain 1 of our CISSP Certification Training will give the student in-depth knowledge on such topics as: security definitions, vulnerabilities, regulations, risk management, data collection, security enforcement issues, and many more critical concepts. Test drive Career Academy's CISSP training today.

Whether you are a security professional, a seasoned engineer, or are looking for a career change, the Shon Harris CISSP Series brings together all the materials, tools, and study aids you need to take your career to the next level. Our superior technology based course curriculum, strictly adheres to all of (ISC)2 exam objectives. We have invited the foremost CISSP trainer and author, Shon Harris, to help us develop the ultimate training and certification program which includes everything you will need to fully prepare for the CISSP certification exams.

Use the link above to sign up, and for more information, visit

Saturday, October 1, 2011

5 Strategies to Improve IT Security

Building Security Culture, Monitoring Risk Top Tactics

The Energy Department's Energy Sector Control Systems Working Group just published a paper, Roadmap to Achieve Energy Delivery System Cybersecurity, aimed at boosting cybersecurity in that industry.

The paper presents five strategies to improve IT security that are appropriate for other sectors as well. They are:
  1. Build a Culture of Security: In a culture of security, extensive dialogue about the meaning of security and the consequences of operating under certain levels of risk is continuing, by various means, among citizens and stakeholders.

    When integrated with reliability practices, a culture of security ensures sound risk management practices are periodically reviewed and challenged to confirm that established security controls remain in place and changes in systems or emerging threats do not diminish their effectiveness.

  2. Assess and Monitor Risk: Risk assessment and monitoring give organizations a thorough understanding of their current security posture, enabling them to continually assess evolving cyberthreats and vulnerabilities, their risks, and responses to those risks.

  3. Develop and Implement New Protective Measures to Reduce Risk: New, protective measures are developed and implemented to reduce system risks to an acceptable level as security risks, including vulnerabilities and emerging threats, are identified or anticipated.

    These security solutions are built into systems, and appropriate solutions are devised for legacy systems.

  4. Manage Incidents: Managing incidents is a critical strategy because cyberassaults can be sophisticated and dynamic and any system can become vulnerable to emerging threats as absolute security is not possible.

    When proactive and protective measures fail to prevent a cyber incident, detection, remediation, recovery and restoration activities minimize the impact of an incident on a system. Post-incident analysis and forensics enable stakeholders to learn from the incident.

  5. Sustain Security Improvements: Sustaining aggressive and proactive systems security improvements over the long term requires a strong and enduring commitment of resources, clear incentives and close collaboration among stakeholders.

    Collaboration provides the resources and incentives required for facilitating and increasing sector resilience.