Wednesday, August 29, 2012

10 Simple Things To Protect Your Privacy

Some of the easiest things you can do to protect your privacy

These are the really, really simple things you should be doing to keep casual intruders from invading your privacy.

1. Password protect your devices: your smartphone, your iPad, your computer, your tablet, etc. Some open bookers tell me it’s “annoying” to take two seconds to type in a password before they can use their phone. Choosing not to password protect these devices is the digital equivalent of leaving your home or car unlocked.

If you’re lucky, no one will take advantage of the access. Or maybe the contents will be ravaged and your favorite speakers and/or secrets stolen. If you’re not paranoid enough, spend some time reading entries in Reddit Relationships, where many an Internet user goes to discuss issues of the heart. 

2. Put a Google Alert on your name. This is an incredibly easy way to stay on top of what’s being said about you online. It takes less than a minute to do. Go here. Enter your name, and variations of your name, with quotation marks around it. Boom. You’re done.

3. Sign out of Facebook, Twitter, Gmail, etc. when you’re done with your emailing, social networking, tweeting, and other forms of time-wasting. Not only will this slightly reduce the amount of tracking of you as you surf the Web, this prevents someone who later sits down at your computer from loading one of these up and getting snoopy. If you’re using someone else’s or a public computer, this is especially important. Yes, people actually forget to do this, with terrible outcomes.

4. Don’t give out your personal details when asked. Obviously, if a sketchy dude in a bar asks for your phone number, you say no. But when the asker is a uniform-wearing employee at Best Buy, many a consumer hands over their digits when asked. Stores often use this info to help profile you and your purchase. You can say no. If you feel badly about it, just pretend the employee is the sketchy dude in the bar.

5. Encrypt your computer. The word “encrypt” may sound like a betrayal of the simplicity I promised in the headline, but this is actually quite easy to do, especially if you’re a MacHead. Encrypting your computer means that someone has to have your password (or encryption key) in order to peek at its contents should they get access to your hard drive. On a Mac, you just go to your settings, choose “Security and Privacy,” go to “FileVault,” choose the “Turn on FileVault” option. Boom goes the encryption dynamite. PC folk need to use BitLocker.

6. Gmailers, turn on 2-step authentication in Gmail. The biggest takeaway from the epic hack of Wired’s Mat Honan was that it probably wouldn’t have happened if he’d turned on “2-step verification” in Gmail. This simple little step turns your phone into a security fob — in order for your Gmail account to be accessed from a new device, a person (hopefully you) needs a code that’s sent to your phone. This means that even if someone gets your password somehow, they won’t be able to use it to sign into your account from a strange computer. Google says that millions of people use this tool, and that “thousands more enroll each day.” Be one of those people. The downside: It’s annoying if your phone battery dies or if you’re traveling abroad. The upside: you can print a piece of paper to take with you. Alternately, you can turn it off when you’re going to be abroad or phone-less. Or you can leave it permanently turned off, and increase your risk of getting epically hacked. Decision’s yours.

7. Pay in cash for embarrassing items. Don’t want a purchase to be easily tracked back to you? You’ve seen the movies! Use cash. One data mining CEO says this is how he pays for hamburgers and junk food these days.

8. Change Your Facebook settings to “Friends Only.” You’d think with the many Facebook privacy stories over the years that everyone would have their accounts locked down and boarded up like Florida houses before a hurricane. Not so. There are still plenty of Facebookers that are as exposed on the platform as Katy Perry at a water park. Visit your Facebook privacy settings. Make sure this “default privacy” setting isn’t set to public, and if it’s set to “Custom,” make sure you know and are comfortable with any “Networks” you’re sharing with.

9. Clear your browser history and cookies on a regular basis. When’s the last time you did that? If you just shrugged, consider changing your browser settings so that this is automatically cleared every session. Go to the “privacy” setting in your Browser’s “Options.” Tell it to “never remember your history.” This will reduce the amount you’re tracked online. Consider a browser add-on like TACO to further reduce tracking of your online behavior.

10. Use an IP masker. When you visit a website, you leave a footprint behind in the form of IP information. If you want to visit someone’s blog without their necessarily knowing it’s you — say if you’re checking out a biz competitor, a love interest, or an ex — you should consider masking your computer’s fingerprint, which at the very least gives away your approximate location and service provider. To do this, you can download Tor or use an easy browser-based option like HideMyAss.com.

Ignoring these is like sending your personal information out onto the trapeze without a safety net. It might do fine… or it could get ugly.

Source from Forbes.

Monday, August 27, 2012

iOS Hardening Configuration Guide

For iPod, iPhone and iPad running iOS 5.1 or higher

Australia's Defence Signals Directorate (DSD) has recently released the iOS Hardening Configuration Guide, which provides instructions and techniques for Australian government agencies to harden the security of iOS 5 devices.

Implementing the techniques and settings found in this document can affect system functionality, and may not be appropriate for every user or environment. However, agencies wishing to differ from the mandatory controls specified in this guide must note that the product will no longer fall under the evaluated configuration.

In these cases, agencies should seek approval for non-compliance from their agency head and/or accreditation authority to allow for the formal acceptance of the risks involved. 

This guide is for users and administrators of iOS 5 or later devices. These devices include the iPod Touch, iPhone and iPad.

For further clarification or assistance, Australian Government IT Security Advisors can consult the Defence Signals Directorate by emailing dsd.assist@defence.gov.au.

You can download this guide from here.

Saturday, August 25, 2012

Effectively Assessing Information Risks within the Enterprise

3 Lines of Cyberdefence

By combining responsible management, risk management and compliance functions and internal audits, organizations will go far in securing their data and systems. 

To succeed, internal auditors and business systems owners, including chief information security officers, must collaborate more closely to assure the security of their organizations' data systems. 

A new report from PwC, Fortifying Your Defenses: The Role of Internal Audit in Assuring Data Security and Privacy, identifies three lines of cyberdefense:

Management: Companies that are good at managing information security risks typically assign responsibility for their security regimes at the highest levels of the organization. Management has ownership, responsibility and accountability for assessing, controlling and mitigating risks.

Risk Management and Compliance Functions: Risk management functions facilitate and monitor the implementation of effective risk management practices by management, and help risk owners in reporting adequate risk-related information up and down the enterprise.

Internal Audit: The internal audit function provides objective assurance to the board and executive management on how effectively the organization assesses and manages its risks, including the manner in which the first and second lines of defense operate.

It's vital that internal audits be at least as strong as the management and risk management and compliance functions for critical risk areas. Without internal audits that provide proficient and objective assurance, organisations risk their information privacy practices becoming inadequate or outmoded.

This is a role that internal audit is uniquely positioned to fill, but it must have the support and the resources to do so.

Refer here to download the report.

Thursday, August 23, 2012

Managing Operational Risks and Vulnerabilities Created by Increased Connectivity

Industrial Controls System Security White Paper

Connectivity from the Top floor to the Shop floor – it's a common and growing trend with significant benefits and challenges. Watershed cyber security events like Stuxnet, Flame, and Duqu have focused attention on the operational risks and vulnerabilities created by increased connectivity.

Enterprises are striving to meet connectivity needs while minimizing information security risks. Enterprises need cost-effective solutions to address the network management and security challenges that arise from adding connectivity to automation systems and integrating them with corporate business systems.

The purpose of this paper is to explain where vulnerabilities within a HMI/SCADA system may lie, describe how the inherent security of system designs minimizes some risks, outline some proactive steps businesses can take, and highlight several software capabilities that companies can leverage to further enhance their security.

Please refer here to download the whitepaper (registration may be required).

Wednesday, August 22, 2012

Download: Qualification Requirements for Smart Grid Roles

Exact requirements for those interested in pursuing Smart Grid roles

Smart Grid Careers recently conducted research in conjunction with Zpryme's Smart Grid Insights, and a secondary report was released today outlining the experience, skills and academic requirements for candidates seeking to secure a position in the coveted Smart Grid industry.

Based on feedback from 184 executives responsible for recruiting candidates to fill Smart Grid roles, this new report features the following key data points for both new and experienced job seekers:

  • Required and preferred degrees and certifications
  • Needed skill sets
  • Length and type of work experience required

Access the detailed findings of this new release by downloading a FREE copy of the detailed report here (registration may be required).

This research underscores the exacting requirements for those interested in pursuing Smart Grid roles. Potential candidates can leverage this data to guide their academic and initial career choices to ensure it leads to a path in the Smart Grid.

Tuesday, August 21, 2012

SAP Audit Guide for Expenditure

Download the Ultimate Guide to Auditing and Securing Procure-to-Pay Controls in SAP

The third installment of Layer Seven Security’s SAP Audit Guide was released today and can be downloaded at http://bit.ly/SvG956. The series has proven to be a popular resource for audit and security professionals with over 10,000 downloads to date.

The latest Guide focuses upon expenditure-related controls in areas such as vendor master data, purchasing, invoice processing and payment processing. Forthcoming volumes of the Guide will deal with areas related to inventory, human resource management and Basis.

Although the Guide was originally intended to cover the ERP-related modules most commonly implemented by SAP clients, Layer Seven Security will develop and issue similar guides for components such as Customer Relationship Management (CRM), Supplier Relationship Management (SRM) and the Enterprise Portal (EP).

Monday, August 13, 2012

11 Ways Enterprises Can Battle Malware

NIST guidelines will help you keep pace with changing Malicious Code Threat

As malicious code rapidly evolves, the National Institute of Standards and Technology is updating its guidance to reflect changes in the threat malware presents organizations.

NIST says the following in the just-published draft of Special Publication 800-83 Revision 1: Guide to Malware Incident Prevention and Handling for Desktops and Laptops:

"Unlike most malware threats several years ago, which tended to be fast-spreading and easy to notice, many of today's malware threats are more stealthy, specifically designed to quietly, slowly spread to other hosts, gathering information over extended periods of time and eventually leading to exfiltration of sensitive data and other negative impacts."

NIST, in announcing the draft revision, points out that protecting desktops and laptops remains critical even as many government agencies and companies focus on mobile security.

The guidance provides information on the major categories of malware that afflict desktop and laptop computers and furnishes practical procedures on how to prevent malware incidents and what to do when a system becomes infected.

To battle malware, the NIST guidance suggests organizations should:

  1. Develop and implement an approach to malware incident prevention.
  2. Plan and implement an approach to malware incident prevention based on the attack vectors that are most likely to be used now and in the near future.
  3. Ensure that their policies address prevention of malware incidents.
  4. Incorporate malware incident prevention and handling into their awareness programs.
  5. Implement awareness programs that include guidance to users on malware incident prevention.
  6. Maintain vulnerability mitigation capabilities to help prevent malware incidents.
  7. Document policy, processes and procedures to mitigate vulnerabilities that malware might exploit.
  8. Apply threat mitigation capabilities to assist in containing malware incidents.
  9. Perform threat mitigation to detect and stop malware before it can affect its targets.
  10. Consider using defensive architecture methods to reduce the impact of malware incidents.
  11. Sustain a robust incident response process capability that addresses malware incident handling.

NIST is seeking comments from stakeholders on the draft. Comments can be sent to 800-83comments@nist.gov by Aug. 31. A final revision is expected to be published by late summer.

Saturday, August 11, 2012

6 Steps to Handle IT Security Incidents

New Guide from the National Institute of Standards and Technology

The National Institute of Standards and Technology has issued a revision of its guidance to help organizations establish programs to manage computer security incidents.

NIST, in Special Publication 800-61 Revision 2: Computer Security Incident Handling Guide, spells out what incident-response capabilities are necessary to rapidly detect incidents, minimize loss and destruction, mitigate weaknesses that were exploited and restore IT services.

Revision 2 updates the original guidance to reflect changes in attacks and incidents. "Understanding threats and identifying modern attacks in their early stages is key to preventing subsequent compromises, and proactively sharing information among organizations regarding the signs of these attacks is an increasingly effective way to identify them," NIST says in the introduction to the guide.

"This revised version encourages incident teams to think of the attack in three ways," says guide co-author Tim Grance. "One is by method - what's happening and what needs to be fixed. Another is to consider an attack's impact by measuring how long the system was down, what type of information was stolen and what resources are required to recover from the incident. Finally, share information and coordination methods to help your team and others handle major incidents."

The Recommendations

The guide advises organizations to:

  1. Reduce the frequency of incidents by effectively securing networks, systems and applications.
  2. Document their guidelines for interactions with other organizations regarding incidents. Because these communications often need to occur quickly, organizations should predetermine communication guidelines so that only the appropriate information is shared with the right parties.
  3. Be generally prepared to handle any incident, but focus on being prepared to handle incidents that use the most common attack vectors. Incidents can occur in countless ways, so it's not feasible to develop step-by-step instructions for handling every incident.
  4. Emphasize the importance of incident detection and analysis throughout the organization. Millions of possible signs of incidents may occur each day so automation is needed to perform an initial analysis of the data and select events of interest for review.
  5. Create written guidelines for prioritizing incidents. Incidents should be prioritized based on relevant factors, such as the functional impact of the incident (e.g., current and likely future negative impact to business functions), the information impact of the incident (e.g., effect on the confidentiality, integrity and availability of the organization's information) and the recoverability from the incident (e.g., the time and types of resources that must be spent on recovering from the incident).
  6. Use the lessons learned process to gain value from incidents. After a major incident has been handled, the organization should hold a lessons-learned meeting to review the effectiveness of the incident handling process and identify necessary improvements to existing security controls and practices. 

NIST says the guidelines can be followed independently of particular hardware platforms, operating systems, protocols or applications organizations use.

Wednesday, August 8, 2012

Recommendations For Your Information Risk Management and Security Strategy

The strategy associated with an enterprise’s information risk management and security (IRMS) program becomes a road map for its activities. When developing or refreshing your IRMS strategy, there are many considerations that should be accounted for to make sure it is beneficial to your enterprise and plausible for implementation and ongoing success.

Here are five things to consider when undergoing this effort:

  1. Validate your strategy with your intended audiences early in its development

    The key to any successful strategy is the positive perception and realization of its value by the people it will impact.

    Too often IRMS professionals assume they intuitively understand their enterprise’s requirements and expectations, as well as the benefits that will be obtained by implementing their proposed strategies. While this may be the case, it is important to validate these assumptions with the customer of the strategy to ensure they agree. Without their support the strategy will have little chance of success.

    The easiest way to achieve this validation is to socialize the concepts and ideas that you intend to include in your strategy with key leaders and stakeholders early in the development process. If they are involved in shaping its development and agree with your views and approach, there is a much higher likelihood of successful execution.
  2. Align the IRMS strategy with your enterprise’s information risk profile
    An enterprise’s approach to IRMS should be about information risk first and security second. When developing your IRMS strategy, make sure you align your programs and activities with your enterprise’s information risk profile.

    This profile will identify the information risk appetite of your enterprise. A risk-based strategy presented to a sponsor or leader has a high probability of gaining support since it is designed to align with needs and expectations. If your enterprise does not have a formal information risk profile, seek out the individuals who have risk management responsibilities in the enterprise (i.e., finance, legal, compliance) as well as business process and data owners to work with them to identify their information risk appetite and expectations of security to create a profile to support them.
  3. Leverage staff as a force multiplier
    Leaders and individual contributors associated with IRMS programs and capabilities often feel as though they are overworked and undersupported by their enterprises. One approach that can help to ease this pain is to plan in your IRMS strategy to leverage your enterprise’s overall staff as a force multiplier.

    One strategy that is often successful is to identify individuals who will be tasked as IRMS champions within the key functions and services within your organization. By empowering these champions with knowledge, capabilities and expectations, they can assist you in meeting your IRMS objectives without having to significantly expand the budget or staffing of your program. Beyond the establishment and support of champions, the creation of a risk-conscious and security-aware culture within your enterprise can provide an effective force multiplier for your efforts as individuals incorporate IRMS as a business as usual activity.
  4. Consider current and projected business conditions
    Current and projected economic and business conditions can have a distinct impact on IRMS strategy development. If your enterprise is currently or projected to contract or operate in an extremely cost-cautious manner, develop a strategy that accounts for this situation. Even when considering areas such as compliance, where many IRMS professionals assume their organizations will have to invest to ensure alignment, it is important to identify contingencies in cases where they are unwilling or unable to do so.

    Alternatively, if your enterprise is currently or plans to be operating in a business growth and expansion mode, this is an ideal time to invest in programs and capabilities that will ensure alignment with business needs and expectations. When developing strategies in either scenario, it is important to identify and validate the business value of your proposed strategy to gain the support of your enterprise’s leadership and program sponsors.
  5. Ensure the strategy can be implemented and operate successfully with your existing budget and resources
    A common mistake made in the development of IRMS strategy is to assume that enhanced funding will be provided or sustained as part of its execution. Business conditions and information risk appetites of organizations can change quickly. IRMS can be an easy target for budget and resource adjustments.

    If the foundation of your strategy is based on the use of your current budget and resource allocation, your IRMS program and its capabilities will be more resilient during these types of fluctuations. Components of your strategy that require expanded budget and staff should be developed as modular initiatives whose business value can be clearly understood and monitored, but also easily adjusted if business conditions change.

Source from ISACA.

Monday, August 6, 2012

Yahoo password breach shows we're all really lazy

Hackers at It Again


By entering database commands into online forms, attackers tricked Yahoo's back-end servers into releasing more than 450,000 user credentials. These hackers took it one step further and published the credentials online.
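
The class of flaw described above, shown from the defender's side as an added example (not code from the original post, and not a depiction of Yahoo's actual systems). The `users` table, its columns and the sample rows are constructed assumptions; the block compares a lookup that pastes a form value into the SQL text with one that binds it as a parameter.

```python
import sqlite3

# Constructed sample accounts; table and column names are assumptions.
SAMPLE_USERS = [
    ("alice@example.com", "Alice"),
    ("bob@example.com", "Bob"),
    ("carol@example.com", "Carol"),
    ("o'brien@example.com", "Pat O'Brien"),
]


def make_db():
    """Build an in-memory database holding the constructed accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT PRIMARY KEY, display_name TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return db


def lookup_vulnerable(db, email):
    # The form value becomes part of the SQL text, so any quote character
    # in it changes the structure of the statement the server runs.
    query = "SELECT email FROM users WHERE email = '" + email + "'"
    return [row[0] for row in db.execute(query)]


def lookup_parameterized(db, email):
    # The form value is bound as data; the statement structure is fixed
    # before the value is ever seen by the SQL parser.
    query = "SELECT email FROM users WHERE email = ?"
    return [row[0] for row in db.execute(query, (email,))]


def compare(db, form_value):
    """Run both lookups; report the rows returned or the SQL error raised."""
    results = {}
    for name, fn in (("vulnerable", lookup_vulnerable),
                     ("parameterized", lookup_parameterized)):
        try:
            results[name] = fn(db, form_value)
        except sqlite3.Error as exc:
            # SQL errors triggered by form input are a signal worth
            # alerting on: they show input is reaching the parser.
            results[name] = "error: " + type(exc).__name__
    return results


# Constructed form submissions: an ordinary value, a value that rewrites
# the WHERE clause, and a legitimate address containing an apostrophe.
FORM_VALUES = [
    "alice@example.com",
    "nobody@example.com' OR '1'='1",
    "o'brien@example.com",
]

if __name__ == "__main__":
    db = make_db()
    for value in FORM_VALUES:
        print(repr(value), compare(db, value))
```

With the concatenated query, the second value returns every row in the table and the third raises a SQL error; with the bound parameter, the second matches nothing and the third finds exactly its own account.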


Wonder if yours was among the credentials circulated? You can find out here.


If you find your email and password in this database, change your password immediately... and not only on Yahoo, but anywhere else you have used that password.


Social engineers are notorious for uncovering a victim's entire web profile, which could include potentially costly exposure (e.g. your online banking). Even if you don't see your password listed, it's a good security practice to regularly change your passwords in case someone has uncovered it some other way.


Also, never use the same password on social media sites as other types of sites, such as your employer's systems, online retail stores, banking, and so on.

Saturday, August 4, 2012

Nothing for Free Especially Mobile Apps

Mobile App Developers Scoop Up Vast Amounts of Data


Many of my friends use a large number of free apps, and I'm vigilant in reminding them: "Nothing in life is free."


I challenge them to consider: What information are you giving in exchange for the "super cool" app? What is the app's owner doing with that information?


Be careful what you freely give away to unknown suppliers who tempt you with tantalizing fun and games.


Here's a good article with a high-level overview that points to some good research on the topic.

Thursday, August 2, 2012

How to Spot a Fake LinkedIn Profile

Scams on LinkedIn Exposed. How gullible job-seekers are beguiled!


LinkedIn is no stranger to fraud, having recently survived a heavily scrutinized password breach.


Unfortunately, it's largely up to you to protect yourself from falling into the snare of a scam artist posing as a legitimate professional connection. Understand that once you are linked with a fraudster, there is no telling what type of scams they will try to pull on you.


They may also victimize your other connections if you allow your linked connections to see one another (you can change your settings to prevent this). Because some LinkedIn users are in the practice of accepting all invitations, it's incredibly important to look out for scammers.


John Thomas of Bloglerati has put together an excellent collection of fake profiles on his Facebook page, along with the following red flags for spotting fake LinkedIn profiles:

  • Lower case first and last name
  • Stock photo for profile picture
  • Minimal info in profile
  • Belongs to a large number of groups
  • Generic company name
  • Rhythmic names, like Sam Smith or Joe Johnson