Asset Identification and Valuation

26 December 2008

One of the most overlooked elements of a security strategy is the proper identification and valuation of the organization’s assets. The proper and cost-effective implementation of security controls requires that the organization conduct a thorough asset identification. A common mistake made by organizations is not accurately identifying the information’s value before implementing the security controls. [...]

Risk Mitigation Strategies

26 December 2008

To mitigate risk, the organization needs to know the threat, the consequences of the realized threat, the frequency of the occurrence of a threat, and how likely this threat will occur. There are three strategic remedies to risk: Risk reduction: taking measures to alter or improve the risk position of an asset throughout the company. Risk transference: assigning [...]

Risk Assessment - The NIST Way, Part 2

26 December 2008

Step 4: Control Analysis The goal of this step is to analyze the controls that have been implemented, or are planned for implementation, by the organization to minimize or eliminate the likelihood (or probability) of a threat’s acting on a system vulnerability. To derive an overall likelihood rating that indicates the probability that a potential vulnerability may [...]

Risk Assessment - The NIST Way, Part 1

26 December 2008

The National Institute of Standards and Technology (NIST) defines nine steps in the risk assessment process. These steps are as follows:

1. System characterization
2. Threat identification
3. Vulnerability identification
4. Control analysis
5. Likelihood determination
6. Impact analysis
7. Risk determination
8. Control recommendations
9. Results documentation

Let’s examine these steps in more detail. Step 1: System Characterization In assessing risks for an IT system, the [...]

Sarbanes-Oxley Internal Controls: Effective Auditing with AS5, CobiT, and ITIL: Robert Moeller

04 December 2008

Editorial Reviews Product Description Praise for Sarbanes-Oxley Internal Controls: Effective Auditing with AS5, CobiT, and ITIL “Having managed several dozen consultants assisting numerous clients to become SOx compliant, I can say Bob Moeller truly knows his stuff. This book should be read as much as a technical reference source as for its value as a pragmatic how-to guide. [...]

What is a DMZ and how do I build one?

04 December 2008

Eventually, if you get interested enough in Security, you are going to wonder what a DMZ is and why you should or should not have one. DMZ is an acronym that stands for De-Militarized Zone, and in the ‘real’ world it is the location between two hostile entities such as North and South Korea. In [...]

Software Security Total Risk Management: Blueprint for Effective Program Development

10 September 2008

Current challenges of the financial services sector aside, risk management has a long and venerable tradition of practical success in the world of insurance premiums and credit card interest rates. In the world of IT, however, the successful application of risk management techniques has been more elusive. This problem has been no more apparent than in [...]

New Guidance Helps CEOs and Boards Fulfill Responsibility for Information Security

10 September 2008

While organizations can survive the loss of most assets, such as facilities and equipment, few can recover from the loss of critical information, including financial or customer data. To effectively protect this critical asset, information security must be addressed at the highest level of the organization, by boards of directors and chief executive officers (CEOs). To [...]

Partnering to Optimize IT and Security Management

10 September 2008

In an increasingly complex IT landscape, organizations face numerous challenges. They must optimize all layers of their IT environment-from data center infrastructure to mission-critical business applications-while prioritizing budgets and staffing to ensure the most productive use of limited resources. At the same time, IT managers must avoid burdening their highly skilled personnel with tasks that are [...]

Should IT security be separate from IT?

10 September 2008

The protection of your company’s infrastructure could be improved by creating a separate department with sole responsibility for all aspects of IT security. The IT department faces an enormous range of management issues, of which IT security is one significant aspect. For 2006, security is no longer the most pressing of the IT issues; it does, [...]


BCP/DRP

Virtualization Causes Disaster Recovery Rethink

Posted on 09 September 2008

There has been a ‘significant increase’ in the number of organizations rethinking their disaster recovery (DR) plans because of virtualization, according to Symantec, in its fourth annual IT Disaster Recovery survey.
The survey found that due to the increasing popularity of virtualization, more than half of the respondents (55 percent) are rethinking their DR plans, and [...]

CoBIT

Meeting CobIT Control Objectives with Microsoft Terminal Services

Posted on 08 September 2008

This article will introduce how Microsoft Terminal Services can help organizations of any size meet regulatory mandates by following the CobIT methodology. The CobIT methodology, which is referenced via the Sarbanes-Oxley legislation, provides 215 control objectives in four high-level domains. This article highlights how 52 of the control objectives are met by using Microsoft [...]

IS Compliance

Activity Logging and Monitoring

Posted on 08 September 2008

Activity logging and monitoring will help assess policy compliance, identify intrusions and breaches, and support an effective response program. The degree of logging and monitoring is risk-driven and increases with data accessibility sensitivity.
Activity Monitoring
Systems and databases should log and monitor user activity performed. The scope and level of audit logging and analysis activity will depend [...]

IS Governance

New Guidance Helps CEOs and Boards Fulfill Responsibility for Information Security

Posted on 10 September 2008

While organizations can survive the loss of most assets, such as facilities and equipment, few can recover from the loss of critical information, including financial or customer data. To effectively protect this critical asset, information security must be addressed at the highest level of the organization, by boards of directors and chief executive officers (CEOs).
To [...]

IS Risk

More Practical Way For Qualitative Risk Analysis

Posted on 26 December 2008

Qualitative RA addresses more intangible values of a data loss and focuses on the other issues, rather than on the pure, hard costs. In a qualitative risk assessment, the seriousness of threats and the relative sensitivity of the assets are given a ranking, or qualitative grading, by using a scenario approach and creating an exposure [...]

IT Audit

Auditing Enterprise Data Security

Posted on 08 September 2008

Risk-based audit programs should be conducted by internal and/or external auditors to ensure the adequate implementation and effectiveness of data security policies and procedures. Audits involve the review of existing controls with the objective to provide management assurance that the controls implemented are effective and to report any deficiencies together with the appropriate recommended actions.
In [...]

ITIL

How to choose configuration management tools for ITIL compliance

Posted on 27 June 2008

Configuration management tools basically come in three different flavors:

Tools to discover configurations in the environment,
Tools that are dedicated to creating a Configuration Management Database (CMDB),
Suites of service management tools that include some level of configuration management capability.

1. Discovery Tools
The strength of point solutions:
Capability captures the target environment with the highest possible accuracy. Because of [...]

PCI DSS

Achieving PCI Compliance with Storage Security Systems

Posted on 02 September 2008

While hackers beating against the corporate firewall have captured the headlines, the breaches that are genuinely compromising business stability and consumer confidence are hitting data while in storage, known as data-at-rest. Businesses have made significant strides in protecting their networks from external intrusion, but today’s vulnerability is located in data storage. We examine the current [...]


About Me

See my profile on
View Gaurav Agarwal's profile on LinkedIn
