Disqus - Latest Comments for disc7

Re: Cyber Security safeguard offers much more than just protection

disc7 — Sat, 14 Feb 2015 19:21:19 -0000

Once more unto the Breach - Managing information security in an uncertain world: http://affiliate.itgovernan...

Re: DISC InfoSec FB Page

disc7 — Sun, 08 Feb 2015 20:14:38 -0000

Cyber Security
Books: http://bit.ly/1vCx39F
Satndards: http://bit.ly/1DbERVN
Toolkit: http://bit.ly/1BelHPT

Re: ISO 27001 is the litmus test for information security

disc7 — Fri, 18 Jan 2013 15:29:06 -0000

Interesting discussion about FedRAMP though.
Whatever I know about the FedRAMP so far is very interesting and intriguing. The core of FedRAMP is based on conformity assessment (where you measure the effectiveness of the control in this case NIST 800-53) which is based on ISO 17000. I briefly saw the CONOPS document which follow pretty much the same steps as ISO 27001 requirement (scope, assets boundaries, risk acceptance, risk assessment (SAR), document the as-is control in gap assessment, plan to implement new controls, continuous monitoring of controls (based on Deming PDCA model), the most important is 3PAO which is core of ISO 27001 certification).

Since both ISO 27001 and FedRAMP follow the similar steps. below is the post on project planning outline for ISO 27001 and how to select a project manager.
http://blog.deurainfosec.co...

Re: 5 Essentials changes to harden Network Infrastructure

disc7 — Tue, 15 Jan 2013 12:17:01 -0000

Will it help L2 dos attck if you disable icmp?

ICMP is usually used for network troubleshooting at layer3, which
can be used for ddos attacks from outside. So I will say ICMP is a
necessary evil so enable it when you need it otherwise it should remain
disable.
·
ARP and ICMP is layer 3 - Network Layer.

Layer 2 is Ethernet, PPP, HDLC, DSL, Frames, Network Switching, CAM table, MAC
address ...

So icmp ddos attack is possible only at L3 since it is a L3 protocol. Ex of L2
ddos attacks are manipulation of wireless frame content or Cam table overflow.
Therefore I agree by disabling icmp will not help L2 dos attacks.

A layer2 attack is hard to achieve from
the outside world, The effect of a DOS attack on L2 takes another dimension as
the Bandwidth is considerably higher.

Ex: L2 use CAM table overflow attack.
Content-Addressable Memory (CAM) (ARP)table address-learning process

Countermeasure: Limit amount of MAC addresses to be learned / port

Re: ISO 27001 is the litmus test for information security

disc7 — Fri, 04 Jan 2013 15:08:10 -0000

I concur that ISMS based on ISO 27001 is a litmus test for an organization by an independent certification body. During this process organization finds out as-is state of security, which threats may pose risk and what is their security strategy. Post below describes the six main benefits of ISMS based on ISO 27001 to clarify the point.
http://blog.deurainfosec.co...

Re: Make October YOUR Cyber Security Month

disc7 — Thu, 11 Oct 2012 23:40:33 -0000

Unfortunately, fraud is common on the web these days, it's not a matter of if but when. So awareness is the key, which will prepare an individual or an organizatoion for any event or an incident. I encourage the reader to share a useful link or make a comment to do their part in this security awareness month.

Re: Six main benefits of Information Security Management System

disc7 — Wed, 15 Aug 2012 15:02:27 -0000

　
ISMS is a part of doing business these days, soon your management will realize the importance of ISMS or one of your most importnant customer/vendor will ask you to have one. ISMS provides better information security and compliance work practices that support business goals & it is an Internationally recognized good security practice period.

Re: Top 10 Cyber Scams During Holiday Season

disc7 — Tue, 15 Nov 2011 13:18:01 -0000

The human link: There is an ever-widening disparity between the sophistication of a network and the people who use them. Cybercriminals often use social engineering toolkits to exploit unsuspecting employees when direct attacks on an organization's defenses fail. Educating employees on secure practices is not enough; organizations need to install the proper framework to empower and encourage employees to use these secure practices.

Re: Cloud services breached via Google code search

disc7 — Fri, 11 Nov 2011 16:17:41 -0000

Thanks for an informative comment

Re: Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker by Kevin Mitnick

disc7 — Thu, 03 Nov 2011 19:28:07 -0000

Fascinating read to overview of what really happened during Mitnick era of hacking and how he was able to wreak a havoc and get away with it for quite some time.

Re: A guide to contract and commercial management for professionals

disc7 — Thu, 27 Oct 2011 12:14:54 -0000

This authoritative guide represents the collective expertise of some the globes most experienced organizations and is specifically designed for business managers to understand the benefits that can be achieved; including:
•       A complete Reference Guide for all involved with Contract and Commercial management.
•       Practical guidance and checklists.
•       Aligns with the IACCM qualification and training.

Re: The End of Online Privacy? Fight the Internet Snooping Bill!

disc7 — Sat, 13 Aug 2011 15:51:18 -0000

Must watch, if you care about your privacy.

Re: Latest In U.S. Drone Technology

disc7 — Sun, 24 Jul 2011 01:18:42 -0000

Apparently a heavy investment in the drone (UAV) technology – UAV perhaps are becoming a weapon of choice and can be utilized anytime and anywhere – sounds like a technology from an outer space in which someone is pressing a button from thousands of miles away – Well UAV are used sometimes for surveillance but let’s be real they are also use to kill people who may be innocent. Remeber in US justice system you are innocent until proven guilty.

Re: The TickITplus Kick Start Guide has Been Launched

disc7 — Fri, 15 Jul 2011 12:51:56 -0000

Existing TickIT-registered organisations will need to make a transition to the new TickITplus Foundation level within the next three years.

Re: Do US companies do enough for their cyber security?

disc7 — Thu, 14 Jul 2011 01:12:02 -0000

Don't forget to download a free cyber security white paper from ITG website

What do you think - are US companies doing enough for their cyber security?

If they are not doing enough - do you think they should be held liable for the loses in case of an incident.

Re: Newly released ISO/IEC 27005:2011 helps improve risk management

disc7 — Thu, 07 Jul 2011 14:42:40 -0000

Read a copy of newly released ISO 27005:2011 which addresses Information Security Risk
Management for ISMS certification and annex E gives a good oversight of different risk assessment approaches.

ISO 27005 is the name of the prime 27000 series standard covering information security risk management. The standard provides guidelines for information security risk management (ISRM) in an organization, specifically supporting the requirements of an information security management system defined by ISO 27001.

The ISO 27005 standard comprises 55 pages, although the main part is just 24 pages, the rest being mostly annexes with examples and further information for users and is applicable to all types of organization. It does not provide or recommend a specific methodology and the standard deliberately remains agnostic about quantitative and qualitative risk assessment. This will depend upon a number of factors, such as the actual scope of the Information Security Management System (ISMS), or perhaps the industry/commercial/private/Govt sector.

Re: InfraGard Insights: Separation of Duties and…

disc7 — Wed, 29 Jun 2011 22:55:32 -0000

I must say priciple of least privilege and separation of duties are two very high priority security principles.

Here are some more
-- Economy of mechanism
-- Complete Mediation
-- Open Design

Re: The weakest link in computer hacking?

disc7 — Wed, 29 Jun 2011 17:54:44 -0000

"There’s no device known to mankind that will prevent people from being idiots"

Human factor is the weakest link most of the time but at the same time it is the job of security and privacy professional to train the masses and change their behavioral pattern. The security control applies to people, process and technology. The technology control are not the panacea for everything - it should be holistic approach which cover the policies and procedures and making sure these controls are implemented and observed.

Re: Meet Stringent California Information Security Legislation with Comprehensive Toolkit

disc7 — Sat, 25 Jun 2011 12:23:17 -0000

Thanks for your kind comments on my blog. I’m passionate about ISO standards as well, particularly ISO27k.

Re: How safe is your personal information on social network?

disc7 — Sat, 25 Jun 2011 02:05:39 -0000

Think of a scial network as public place - if you don't want some thing to become a public knowledge, don't put it on the social network sites.

Re: President lays out cyberwar guidelines, report says

disc7 — Fri, 24 Jun 2011 00:02:38 -0000

The cyber war is definitely getting some traction – cyber war policy guidelines seems like a reaction to high profile incidents in last few months. In information security arena you win the race when you are proactive NOT reactive. Strategically every nation understand that cyber war is a tool which can have more wide spread effects than a daisy cutter.
Strategically every nation understand that cyber war is a tool which can have more wide spread effects than a daisy cutter.

Re: LULZ Security Hacks CIA Website!

disc7 — Thu, 16 Jun 2011 13:56:17 -0000

A denial of service attack, like that which appears to have hit the CIA website, is against the law.

Re: Hacker Groups Attacks US Senate WebSite

disc7 — Wed, 15 Jun 2011 10:10:35 -0000

Senators may need to be transparent with public otherwise hackers may post their official records, perhaps a new form of transparent government

Re: Hacker Groups Attacks US Senate WebSite

disc7 — Wed, 15 Jun 2011 09:47:06 -0000

Hack attacks are definitely on the rise these days. Below is the latest high profile list which includes
Google, Citi Bank, Lockheed Martin, Sony, FBI and US Senate
Some of these assets are critical infrastructure which is a growing threat to national security.

Re: Credit card authorization process weakness

disc7 — Tue, 14 Jun 2011 15:38:49 -0000

I agree with you that credit card providers will reimburse the fraudulent charges but ultimately this cost is transfered to acquiring bank and rest of the credit card users community.