Archive for the ‘Risk Management’ Category
January 2, 2012
A list of threats that we read about and discussed in 2011, some of which we agreed may become major threats in the near future. Mobile and Cloud security are going to be the most talked about security issues in 2012 (though Cloud is missing from this list).
Emerging threats from 2011 are on track to become the major players for cyberactivity in 2012, including mobile banking, “legal” spam and virtual currency. McAfee Labs also predicts that attacks involving political motivation or notoriety will also make headlines, including high-profile industrial attacks, cyberwarfare demonstrations and hacktivist attacks targeting public figures.
Posted in Risk Management, Security Strategy, Threat Management | 1 Comment »
December 17, 2011
Electronic Authentication Guideline (NIST Special Publication 800-63-1) from NIST expands the options for government agencies that need to verify the identity of users of their Web-based services.
This recommendation provides technical guidelines for Federal agencies implementing electronic authentication and is not intended to constrict the development or use of standards outside of this purpose. The recommendation covers remote authentication of users (such as employees, contractors, or private individuals) interacting with government IT systems over open networks. It defines technical requirements for each of four levels of assurance in the areas of identity proofing, registration, tokens, management processes, authentication protocols and related assertions. This publication supersedes NIST SP 800-63.
Posted in Authentication, Laws and Regulations, Policy and Governance, Risk Management | Leave a Comment »
November 24, 2011
William Jackson / GCN
The system, which is being tested in a lab environment, uses a host-based agent to “learn” a user’s behavior and to look for anomalous behavior or other signatures, said computer scientist and project leader Justin Beaver.
……….
Among the characteristic information leveraged by the system are system call sequences. Each function on a computer initiates a series of calls for services. This occurs at a low level in the operating system, out of the user’s view, and creates a characteristic pattern for each user over time. Researchers found that normal patterns remain surprisingly consistent for individuals as they switch between computers and jobs.
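One way to implement the system-call profiling the article describes, as an added example that is not the ORNL agent's code: a user's profile is the set of length-N windows of consecutive system calls seen while the user was known to be at the keyboard, and a fresh trace is scored by the fraction of its windows the profile has never seen. The traces, the window length N=3 and the 0.3 threshold are assumptions constructed for illustration; the article gives none of them.

```python
"""Per-user system-call n-gram profiling (added example, not the ORNL code).

Assumptions (not from the article): traces are lists of syscall names in
issue order, constructed inline; a user's profile is the multiset of
length-N windows seen in known-good sessions; a new trace is scored by the
fraction of its windows that never appeared in training.
"""
from collections import Counter

N = 3  # window length; assumption, real detectors tune this per workload


def windows(trace, n=N):
    """Sliding windows of n consecutive calls, e.g. ('open', 'read', 'write')."""
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]


def build_profile(traces, n=N):
    """Count every window in the training traces; the keys are 'normal' patterns."""
    profile = Counter()
    for trace in traces:
        profile.update(windows(trace, n))
    return profile


def anomaly_score(profile, trace, n=N):
    """Fraction of windows in `trace` never seen in training (0.0 = all known)."""
    wins = windows(trace, n)
    if not wins:          # trace shorter than one window: nothing to judge
        return 0.0
    unseen = sum(1 for w in wins if w not in profile)
    return unseen / len(wins)


def classify(profile, trace, threshold=0.3, n=N):
    """Threshold is an assumption; calibrate it on held-out normal traces."""
    return "anomalous" if anomaly_score(profile, trace, n) > threshold else "normal"


# Constructed training traces: an editing-style workload from one user.
TRAINING = [
    ["open", "read", "read", "write", "close", "open", "read", "write", "close"],
    ["open", "fstat", "mmap", "read", "write", "close"],
    ["open", "read", "write", "write", "close", "stat", "open", "read", "close"],
]
# Constructed test traces: one more of the same kind, one with network and exec calls.
NORMAL_TRACE = ["open", "read", "write", "close", "open", "read", "read", "write", "close"]
SUSPECT_TRACE = ["open", "read", "socket", "connect", "execve", "read", "write", "close"]

USER_PROFILE = build_profile(TRAINING)

if __name__ == "__main__":
    for name, trace in (("normal", NORMAL_TRACE), ("suspect", SUSPECT_TRACE)):
        score = anomaly_score(USER_PROFILE, trace)
        print(f"{name}: {score:.3f} -> {classify(USER_PROFILE, trace)}")
```

Two caveats a practitioner would add before trusting a score like this: the threshold has to be calibrated against the false-positive rate on held-out sessions of the same user (every new tool the user adopts looks anomalous until the profile is retrained), and the agent collecting the calls is itself a target, so an attacker who can read the profile can craft a mimicry sequence that stays inside known windows.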
Posted in Risk Management, Secure Coding, Social Engineering / Phishing, Training / Awareness | Leave a Comment »
November 21, 2011
ENISA’s Report
The top risk for individuals utilising life-logging devices and scenarios is the threat to privacy that accompanies using them. Loss of control over this data might result in individuals being subjected to financial fraud, and unauthorised access might result in reputational harm or discrimination and exclusion. This risk is compounded by the nature of life-logging: apart from the privacy threat to individuals coming from commercial entities and governmental agencies, there is also a threat of deliberate or accidental data collection about one person by other individuals.
Dependency on the availability of certain devices or services also increases the risks for individuals, as the mobile devices, sensors or services become more attractive targets for attackers. In this respect the link between tangible and intangible assets is particularly important, as we also see in Future Internet scenarios; a related risk is the loss of autonomy.
Finally, we should consider risks such as psychological damage related to discrimination, exclusion, harassment, cyberstalking, child grooming, the feeling of being continuously under surveillance (paranoid behaviour), pressures related to work performance, peering into other people's lives, etc.
Posted in Consumer Information Protection, Risk Management, Social Engineering / Phishing, Tech and Laws | Leave a Comment »
November 11, 2011
J. Nicholas Hoover / InformationWeek
“We are losing ground because we are inherently divergent from the threat,” she said, noting that while the size of viruses has remained small over the years, the defensive security apparatus continues to grow. “Such divergences are the seeds of surprise, and this [size disparity] is a striking example of why it’s currently easier to play offense rather than defense in cyber. This is not to suggest that we stop doing what we are doing in cybersecurity. But if we continue only down the current path, we will not converge with the threat.”
Posted in Laws and Regulations, Risk Management, Security Strategy | Leave a Comment »
October 2, 2011
In the private sector, security dashboards have become the norm. For federal agencies the requirement has been known for a while, but now it is time to comply, to ensure more focused action plans for improving their information security posture.
The Department of Homeland Security (DHS) outlined new requirements under FISMA, the Federal Information Security Management Act, for which the National Institute of Standards and Technology (NIST) develops the security standards federal IT systems must meet. One of them calls for agencies to establish monthly data feeds to CyberScope, a compliance tool developed to help the feds better and more actively monitor cybersecurity.
……
Indeed, CyberScope represents a major shift in the way federal agencies report FISMA compliance in that it replaces once-a-year compliance reporting with a more operational, consistent approach.
Posted in Cybersecurity, Metrics, Risk Management | Leave a Comment »
October 1, 2011
Ericka Chickowski / Dark Reading
While database security activities in and of themselves might not necessarily be enormous tasks to tackle individually, it is scale that trips up organizations. It can take a long time to implement a carefully planned security program blanketed across hundreds or even thousands of databases. In the meantime, organizations can't afford to leave critical data flapping in the wind. By segmenting the network and compartmentalizing data by criticality, you can effectively perform a database security triage to put other compensating controls around the most important data.
Posted in Information Security, Infrastructure Security, Risk Management | Leave a Comment »
October 1, 2011
The National Institute for Standards and Technology (NIST) is currently seeking comments through Nov. 4 on its Guide for Conducting Risk Assessments.
In addition to providing a comprehensive process for assessing information security risk, the publication also describes how to apply the process at the three tiers in the risk management hierarchy—the organization level, mission/business process level, and information system level.
To facilitate ease of use for individuals or groups conducting risk assessments within organizations, a set of exemplary templates, tables, and assessment scales for common risk factors is also provided. The templates, tables, and assessment scales give maximum flexibility in designing risk assessments based on the express purpose, scope, assumptions, and constraints established by organizations.
Posted in Policy and Governance, Report / Paper, Risk Management, Standard / Framework | Leave a Comment »
August 20, 2011
Cebula and Young / Carnegie Mellon
This report presents a taxonomy of operational cyber security risks that attempts to identify and organize the sources of operational cyber security risk into four classes: (1) actions of people, (2) systems and technology failures, (3) failed internal processes, and (4) external events. Each class is broken down into subclasses, which are described by their elements. This report discusses the harmonization of the taxonomy with other risk and security activities, particularly those described by the Federal Information Security Management Act (FISMA), the National Institute of Standards and Technology (NIST) Special Publications, and the CERT Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) method.
Posted in Information Security, Policy and Governance, Report / Paper, Risk Management | Leave a Comment »
July 16, 2011
Stefanie Hoffman / CRN
The 19-page document, called the "Department of Defense Strategy for Operating in Cyberspace," establishes cyberspace as a domain protected by the U.S. military in the same way it defends land, sea and air.
In general, the strategy calls for new ways to bolster defenses of critical cyber infrastructure, such as the computer networks of the U.S. military and defense contractors, while developing new weapons and methods to retaliate against U.S. adversaries launching cyber attacks.
Posted in Report / Paper, Risk Management, Security Strategy, Tech and Laws, Uncategorized | Leave a Comment »
July 10, 2011
The Framework and Process Reference guide exposure drafts are available for download from the ISACA site.
This foundational COBIT volume introduces the following, which combine to provide a comprehensive, effective framework to support the governance and management of enterprise information and related technology:
- Principles
- Drivers
- Benefits
- Enablers
- Other aspects
The COBIT 5 Process Reference Guide incorporates and is the successor to COBIT 4.1, Val IT and Risk IT processes. It describes the:
- Goals cascade
- Process model
- Process reference model
- Detailed processes
The online questionnaire will remain open until 31 July 2011.
Posted in Policy and Governance, Risk Management, Security Strategy, Standard / Framework | Leave a Comment »
July 2, 2011
The Federal Financial Institutions Examination Council (FFIEC) today issued a supplement to the Authentication in an Internet Banking Environment guidance, issued in October 2005. The purpose of the supplement is to reinforce the risk-management framework described in the original guidance and update the FFIEC member agencies’ supervisory expectations regarding customer authentication, layered security, and other controls in the increasingly hostile online environment.
Posted in Authentication, Laws and Regulations, Policy and Governance, Risk Management | Leave a Comment »
June 19, 2011
InfoWorld
The industry has already come up with the CVE (Common Vulnerabilities and Exposures) system for uniquely identifying security flaws without each vendor using a different nomenclature, and the CVSS (Common Vulnerability Scoring System), a system for rating their severity. The CVRF is the last major plank of this industry overhaul.
The idea is that instead of each vendor using its own report design, in the future they will adopt the CVRF, removing the time-consuming and potentially insecure chore of having to translate between incompatible reports, one into the other, many times over.
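What "one report format" buys a consumer, as an added example that is not the InfoWorld article's or ICASI's code: once advisories arrive as CVRF, a single parser pulls the CVE identifier, CVSS vector and published base score out of every vendor's feed, and can cross-check that the vendor's score actually follows from its vector before the number drives a patch-priority decision. The XML below is constructed to mirror the CVRF 1.1 element layout (cvrf: and vuln: namespaces) and uses placeholder CVE strings; the CVSS v2 weights are the public base-score equation. The second entry is deliberately inconsistent so the check has something to flag.

```python
"""Parse a CVRF 1.1 document and verify CVSS v2 base scores against vectors
(added example; constructed sample document, placeholder CVE IDs)."""
import math
import xml.etree.ElementTree as ET

NS = {
    "cvrf": "http://www.icasi.org/CVRF/schema/cvrf/1.1",
    "vuln": "http://www.icasi.org/CVRF/schema/vuln/1.1",
}

# Constructed document following the CVRF 1.1 layout; not a real advisory.
SAMPLE_CVRF = """<?xml version="1.0" encoding="UTF-8"?>
<cvrf:cvrfdoc xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1"
              xmlns:vuln="http://www.icasi.org/CVRF/schema/vuln/1.1">
  <cvrf:DocumentTitle>Constructed example advisory</cvrf:DocumentTitle>
  <cvrf:DocumentType>Security Advisory</cvrf:DocumentType>
  <cvrf:DocumentPublisher Type="Vendor"/>
  <cvrf:DocumentTracking>
    <cvrf:Identification><cvrf:ID>EXAMPLE-2011-001</cvrf:ID></cvrf:Identification>
  </cvrf:DocumentTracking>
  <vuln:Vulnerability Ordinal="1">
    <vuln:Title>Constructed issue A</vuln:Title>
    <vuln:CVE>CVE-0000-0001</vuln:CVE>
    <vuln:CVSSScoreSets><vuln:ScoreSet>
      <vuln:BaseScore>6.8</vuln:BaseScore>
      <vuln:Vector>AV:N/AC:M/Au:N/C:P/I:P/A:P</vuln:Vector>
    </vuln:ScoreSet></vuln:CVSSScoreSets>
  </vuln:Vulnerability>
  <vuln:Vulnerability Ordinal="2">
    <vuln:Title>Constructed issue B (published score disagrees with vector)</vuln:Title>
    <vuln:CVE>CVE-0000-0002</vuln:CVE>
    <vuln:CVSSScoreSets><vuln:ScoreSet>
      <vuln:BaseScore>9.3</vuln:BaseScore>
      <vuln:Vector>AV:N/AC:L/Au:N/C:P/I:N/A:N</vuln:Vector>
    </vuln:ScoreSet></vuln:CVSSScoreSets>
  </vuln:Vulnerability>
</cvrf:cvrfdoc>
"""

# CVSS v2 base-metric weights (public equation).
AV = {"L": 0.395, "A": 0.646, "N": 1.0}
AC = {"H": 0.35, "M": 0.61, "L": 0.71}
AU = {"M": 0.45, "S": 0.56, "N": 0.704}
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}


def cvss2_base_score(vector):
    """Compute the CVSS v2 base score from a vector like AV:N/AC:L/Au:N/C:P/I:P/A:P."""
    m = dict(part.split(":") for part in vector.split("/"))
    impact = 10.41 * (1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]]))
    exploitability = 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]
    f_impact = 0 if impact == 0 else 1.176
    raw = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact
    return math.floor(raw * 10 + 0.5) / 10  # CVSS v2 rounds half up to one decimal


def parse_cvrf(xml_text):
    """Return (document id, list of vulnerability dicts) from a CVRF 1.1 document."""
    root = ET.fromstring(xml_text)
    doc_id = root.findtext("cvrf:DocumentTracking/cvrf:Identification/cvrf:ID", namespaces=NS)
    entries = []
    for v in root.findall("vuln:Vulnerability", NS):
        entries.append({
            "ordinal": v.get("Ordinal"),
            "cve": v.findtext("vuln:CVE", namespaces=NS),
            "title": v.findtext("vuln:Title", namespaces=NS),
            "base_score": float(v.findtext("vuln:CVSSScoreSets/vuln:ScoreSet/vuln:BaseScore", namespaces=NS)),
            "vector": v.findtext("vuln:CVSSScoreSets/vuln:ScoreSet/vuln:Vector", namespaces=NS),
        })
    return doc_id, entries


def check_scores(xml_text):
    """Return (document id, [(cve, published score, recomputed score)] for mismatches)."""
    doc_id, entries = parse_cvrf(xml_text)
    mismatches = []
    for e in entries:
        computed = cvss2_base_score(e["vector"])
        if abs(computed - e["base_score"]) > 1e-9:
            mismatches.append((e["cve"], e["base_score"], computed))
    return doc_id, mismatches


if __name__ == "__main__":
    doc_id, bad = check_scores(SAMPLE_CVRF)
    print(doc_id, "mismatches:", bad)
```

The recomputation matters because a consumer that ranks patches by the vendor's BaseScore element alone inherits whatever the vendor typed; deriving the score from the vector catches both honest transcription errors and a feed that has been tampered with in transit, which is exactly the "potentially insecure chore" the article says hand translation between formats introduces.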
Posted in Risk Management, Threat Management, Vulnerability Analysis | Leave a Comment »
February 27, 2011
The National Institute of Standards and Technology (NIST) is seeking input from federal, state, local, and tribal governments, industry, and academe, for the 2011 update of Special Publication 800‐53, Recommended Security Controls for Federal Information Systems and Organizations.
The 2011 initiative will include an update of current security controls, control enhancements, and supplemental guidance as well as an update on tailoring and supplementation guidance that form key elements of the control selection process. Key focus areas include but are not limited to:
Insider threats; Software application security (including web applications); Social networking, mobile devices, and cloud computing; Cross domain solutions; Advanced persistent threats; Supply chain security; Industrial/process control systems; and Privacy.
Posted in Cybersecurity, Report / Paper, Risk Management, Standard / Framework | Leave a Comment »
February 17, 2011
Just two weeks ago, we all saw the end of an era when DHS announced that the color-coded threat system will be phased out and replaced with a new system known as the National Terrorism Advisory System.
Today, Norton released the Cybercrime Index, which quantifies the state of cybercrime and converts the danger level into a simple number. Is it the beginning of a new era?
At the top level, the CyberCrime Index takes this data and creates a number evaluating the relative risk of the threats of the day. However, it also provides a more in-depth look at active threats, threat trends, and provides advice on what kinds of behaviors are being most heavily targeted that day.
Posted in Anti Virus, Infrastructure Security, Risk Management, Threat Management, Training / Awareness | Leave a Comment »
February 3, 2011
This is a follow-up to the 2008 report "Securing Cyberspace for the 44th Presidency", published by the Center for Strategic and International Studies (CSIS), which included 25 recommendations for change. Now, two years later, CSIS has published this report to review where progress has been made on these recommendations and where action is necessary. The report identifies 10 key areas where the nation must take action. The report starts with:
2010 should have been the year of cybersecurity. It began with a major exfiltration of data from Google and other Fortune 500 companies, saw the Department of Defense describe how its classified networks had been compromised, watched the Stuxnet worm cut through industrial control systems, and ended with annoying denial of service attacks over Wikileaks.
and suggests cloud as one of the solutions:
Cloud computing has weaknesses, but it also offers the opportunity to aggregate and automate cyber defense. Much of the burden of security will shift from consumers and businesses to service providers that may be better equipped to meet advanced challenges.
which is correct, but it will not come free: data security during transmission from the end user to the cloud, and authentication, will be two big-ticket items that we need to pay for. The report ends with what will not work:
Many of the solutions still advocated for cybersecurity are well past their sell-by date. Public-private partnerships, information sharing, and self-regulation, are remedies we have tried for more than a decade without success. We need new concepts and new strategies if we are to reduce the risks in cyberspace to the United States.
Posted in Cybersecurity, Policy and Governance, Privacy, Report / Paper, Risk Management, Security Strategy, Tech and Laws, Threat Management | Leave a Comment »
January 24, 2011
This is one of the best examples of the relation between data, security, and risk. Russell Thomas discusses how Data reports on the past, Security is a judgement about the present, and Risk is the cost of the future, which we need to reduce by balancing "how secure we want to be" against "how much risk we can take".
..to measure security we need to add inference and judgement processes that extend our data into the present, given the threat landscape we believe we are facing. But to make a judgement about security and make decisions about alternative security postures, we need a useful estimate of risk to decide how much security is enough.
To tie these all together over time requires effective social learning processes, including model validation through experiments and data analysis. Likewise, risk estimation and security judgement processes tell us what data we need to collect and how to analyze it.
Posted in Information Security, Metrics, Risk Management, Security Strategy | Leave a Comment »