The best way to protect an Information Asset is to reduce its attack surface. And that should always be the first line of defense. We should also implement appropriate security controls to avoid any attacks on the residual risk and to mitigate the amount of damages. The first and most important step in reducing the attack surface is to identify the Weakness / Vulnerabilities on an Information Asset. Steps in Identifying the Vulnerabilities include: 1. Identifying vulnerabilities in the Application 2. Identifying vulnerabilities in the Host 3. Identifying vulnerabilities in the Network Once the vulnerabilities are identified, the next step... Read more →
« June 2009 | Main | August 2009 »
Posts from July 2009
31 July 2009
Defending Information Assets by Reducing the Attack Surface
Posted by Praveen Karunakaran on 31 July 2009 at 08:22 AM in IT Security, Network Security, Operations Security, Risk | Permalink
|
Comments (0)
|
TrackBack (0)
Weekly Summary of the "DHS Daily Open Source Infrastructure Report"
Department of Homeland Security Daily Open Source Infrastructure Report
The DHS Daily Open Source Infrastructure Report covers the publicly reported material for the preceding day(s) not previously covered. This weekly summary provides a selection of those items of greatest significance to the InfoSec professional. Week Ending: Friday, July 31, 2009 Note: Be sure to read through to Friday, July 31, 2009. There are two serious issues there that you must be aware of. However, do not ignore Monday through Thursday. Infrastructure Report for 27 July 2009 So you believe Microsoft Office is the best tool! Perhaps you should re-evaluate. 40.... Read more →
Posted by Bob Johnston on 31 July 2009 at 06:45 AM | Permalink
|
Comments (0)
|
TrackBack (0)
27 July 2009
Are federal agencies receiving mixed messages on information security?
Since 2002, federal agencies have been following an unclear road of policies that have left them struggling to meet compliance rather than leading efforts to improve information security. The Federal Information Security Management Act (FISMA) has been interpreted through a multitude of policies from the Office of Management and Budget (OMB) through individual agency security programs. However, since its inception, reports continue from year to year through Department Inspector Generals (IGs) and the Government Accountability Office (GAO), suggesting that federal agencies are still persistently weak in information security. Has FISMA really met its purpose? The Federal Information Security Management Act,... Read more →
Posted by Matthew Metheny on 27 July 2009 at 09:12 AM in IT Security | Permalink
|
Comments (0)
|
TrackBack (0)
26 July 2009
Treating risks
Convention has it that there are just four ways of "treating" risks: Mitigate the risk, typically by reducing the associated threat, vulnerability and/or impact. Avoid the risk by not doing something risky. Transfer the risk, for example by forcing business partners to enter into a binding contract that places huge costs and liabilities on them for security breaches while leaving you appearing squeaky clean (don't laugh: PCI DSS does this). Accept the risk. Shrug your shoulders and accept that the costs of mitigating, avoiding or transferring the risk outweigh the advantages (as you perceive them). Well I'm not so sure... Read more →
Posted by Gary Hinson on 26 July 2009 at 09:45 PM in Risk | Permalink
|
Comments (0)
|
TrackBack (0)
25 July 2009
Videos from Team Cymru
Short videos (slide desks and voiceover) on various security topics, mostly relating to malware in some way. Basic information, but quite suitable for security awareness presentations. Read more →
Posted by Rob Slade on 25 July 2009 at 09:09 PM in Cybersecurity Training, IT Security | Permalink
|
Comments (0)
|
TrackBack (0)
24 July 2009
Weekly Summary of the "DHS Daily Open Source Infrastructure Report"
The DHS Daily Open Source Infrastructure Report covers the publicly reported material for the preceding day(s) not previously covered. This weekly summary provides a selection of those items of greatest significance to the InfoSec professional. Week Ending: Friday, July 24, 2009 Infrastructure Report for 20 July 2009 Are you paying attention to the issues associated with Twitter? No. Perhaps you should! 32. July 16, BBC News – (International) Twitter calls lawyer over hacking. The microblogging service Twitter is taking legal advice after hundreds of documents were hacked into and published by a number of blogs. TechCrunch has made public some... Read more →
Posted by Bob Johnston on 24 July 2009 at 08:53 AM | Permalink
|
Comments (0)
|
TrackBack (0)
22 July 2009
Security Maxims
Roger Johnston's original list of security maxims. Read more →
Posted by Rob Slade on 22 July 2009 at 12:58 AM in Cybersecurity Training, IT Security, Operations Security, Risk | Permalink
|
Comments (0)
|
TrackBack (0)
TCP covert channel
Advertised as RSTEG (Retransmission STEGanography), the technique described in this paper actually uses the standard TCP operations to allow you to set up a kind of covert channel. Interesting idea, although likely neither terribly dangerous nor important. Read more →
Posted by Rob Slade on 22 July 2009 at 12:26 AM in Cybersecurity Training, Digital Forensics, IT Security, Network Security, Privacy | Permalink
|
Comments (0)
|
TrackBack (0)
21 July 2009
DOCSIS introduction
Basic physical layer transmission fundamentals don't get covered much these days, which makes the more advanced technologies that much more mysterious. This DOCSIS (Data Over Cable Service Interface Specification) tutorial is fairly simplistic, but it does provide some starting concepts in order to understand what is going on with cable modems. More details, and other pointers, are available at Wikipedia. Read more →
Posted by Rob Slade on 21 July 2009 at 11:56 PM in Cybersecurity Training, Network Security | Permalink
|
Comments (0)
|
TrackBack (0)
Praxiom ISO 27001
Praxiom is primarily interested in selling you their products and services, but this section of their Website does have some helpful material in getting an overview of ISO 27001 and what people are doing about it. (The site also has materials on other parts of the ISO 27K family.) Read more →
Posted by Rob Slade on 21 July 2009 at 02:25 PM in Cybersecurity Certifications, Cybersecurity Training, IT Security, Risk | Permalink
|
Comments (0)
|
TrackBack (0)
20 July 2009
Guidelines for social media
A useful collection of links to guidelines for the use of social networking media and systems. Read more →
Posted by Rob Slade on 20 July 2009 at 08:34 PM in Cybersecurity Training, Ethics, IT Security, Privacy | Permalink
|
Comments (1)
|
TrackBack (0)
18 July 2009
Enigma simulators
This site has an interesting collection of simulators of early twentieth century rotor cryptodevices, as well as papers on Enigma and related technologies. Read more →
Posted by Rob Slade on 18 July 2009 at 09:18 PM in Cybersecurity Training | Permalink
|
Comments (0)
|
TrackBack (0)
Economics against security
Another excellent Ross Anderson paper, this one dealing with the economics of security, and why the current system is stacked against proper security. Read more →
Posted by Rob Slade on 18 July 2009 at 08:23 PM in Cybersecurity Training, IT Security, Operations Security, Risk | Permalink
|
Comments (0)
|
TrackBack (0)
Social network de-anonymizing
This paper, although rather abstract and academic, is a good survey of the research into social network data gathering, as well as a particular de-anonymizing attack. It points out the dangers of data aggregation that inherently exist in social networking. Read more →
Posted by Rob Slade on 18 July 2009 at 06:55 PM in Cybersecurity Training, Digital Forensics, Privacy | Permalink
|
Comments (0)
|
TrackBack (0)
Facebook privacy settings
Little known and seldom used settings that can help improve the privacy and security of your Facebook account. Similar settings may be available (and unused) on other social networking sites as well. Read more →
Posted by Rob Slade on 18 July 2009 at 06:35 PM in Cybersecurity Training, Privacy | Permalink
|
Comments (0)
|
TrackBack (0)
System Management Module Attack
This paper describes an attack on the Intel SMM (System Management Module). This is a very low level attack, and therefore would be able to circumvent almost all common software defences, and some that rely on hardware, as well. Read more →
Posted by Rob Slade on 18 July 2009 at 05:59 PM in Cybersecurity Training, Malware, Operations Security | Permalink
|
Comments (0)
|
TrackBack (0)
Moral code experiments
A very interesting presentation and intriguing research into moral behaviour. The culminating point is that we need to test and experiment with morality, since we seem to have many incorrect notions about it. Read more →
Posted by Rob Slade on 18 July 2009 at 05:43 PM in Cybersecurity Training, Ethics, Insider Risk, Risk | Permalink
|
Comments (0)
|
TrackBack (0)
Weekly Summary of the "DHS Daily Open Source Infrastructure Report"
This week’s set of DHS reports makes it clear to me that information security professionals worldwide should be reading the report every day or the synopsis published at http://dhs-daily-report.blogspot.com/. Should you have your doubts, read the following weekly summary and determine whether you are up-to-date on each of the items discussed. The DHS Daily Open Source Infrastructure Report covers the publicly reported material for the preceding day(s) not previously covered. This weekly summary provides a selection of those items of greatest significance to the InfoSec professional. Week Ending: Friday, July 17, 2009 Infrastructure Report for 13 July 2009 Do you... Read more →
Posted by Bob Johnston on 18 July 2009 at 10:35 AM in IT Security, Malware, Network Security, Risk | Permalink
|
Comments (0)
|
TrackBack (0)
17 July 2009
Calabrese’s Razor Metric
An interesting, semi-quantified risk analysis tool. Allows you to address both the protective benefits and the resource/operational cost of various safeguards, and compare them against each other. Read more →
Posted by Rob Slade on 17 July 2009 at 11:40 PM in Cybersecurity Training, IT Security, Operations Security, Risk | Permalink
|
Comments (0)
|
TrackBack (0)
14 July 2009
Passwords Re-examined
Bruce Schneier of course does it better justice than I ever could, but there was a great paper released that looks at passwords through a modern lens: Do Strong Web Passwords Accomplish Anything? Today's attack vectors are different--phishing is preferred over brute-force attacks, etc. Much like how Mr. Schneier likes to remind us that if you put up a strong front door using strong cryptography, attackers will just find a way around the door. They seek the path of least resistance. I was very encouraged to read the linked paper, so I wanted to pass it along who might not... Read more →
Posted by Don Franke on 14 July 2009 at 10:07 AM | Permalink
|
Comments (0)
|
TrackBack (0)
Search
Categories
- Center for Cyber Safety and Education (52)
- Cloud Security (137)
- Cybersecurity Certifications (387)
- Cybersecurity Training (315)
- Cybersecurity Workforce (254)
- Digital Forensics (30)
- Ethics (53)
- Government (127)
- Insider Risk (57)
- ISC2 Chapters (22)
- ISC2 Events (166)
- IT Security (389)
- Legal (46)
- Malware (116)
- Network Security (178)
- Operations Security (144)
- Privacy (117)
- Ransomware (90)
- Risk (204)
- Software Development (46)
- Spotlight (71)