Showing posts with label Procedures.

Monday, March 4, 2013

Dishing-Off Your Old Device?

Did you know that in the wrong hands that "old" device can mean "new" problems for you?

Have you, like many adults, given a child in your life a hand-me-down mobile device? Maybe it's a "disabled" cell phone or your old iTouch that you let them play around on.

Savvy criminals are increasingly targeting mobile devices (even outdated ones) because they are very often loaded with personal data, including bank and credit card numbers cached in mobile browsers, passwords, contact information, email and GPS histories.

If you are dead-set on letting your children play with these devices, be sure they have been wiped completely clean of your personal and business information. For tips on how to do this, give this eHow Tech post a thorough read.

Monday, November 19, 2012

10 Supply Chain Risk Management Best Practices

NIST Interagency Report Aims to Mitigate Vulnerabilities

The National Institute of Standards and Technology has issued a new report to help organizations mitigate supply chain risks. NIST says the 10 supply chain risk management practices can be applied simultaneously to an information system or the elements of an information system.

The practices are:

1) Uniquely identify supply chain elements, processes and actors. Knowing who and what is in an enterprise's supply chain is critical to gaining visibility into what is happening within it, and to monitoring and identifying high-risk events and activities. Without reasonable visibility into, and traceability of, the supply chain, it is impossible to understand risk, and therefore to manage it or to reduce the likelihood of an adverse event.

2) Limit access and exposure within the supply chain. Elements that traverse the supply chain are subject to access by a variety of actors. It is critical to limit such access to only as much as necessary for those actors to perform their roles and to monitor that access for supply chain impact.

3) Establish and maintain the provenance of elements, processes, tools and data. All system elements originate somewhere and may be changed throughout their existence. The record of an element's origin, together with the history of changes made to it and the record of who made those changes, is called "provenance."

Acquirers, integrators and suppliers should maintain the provenance of elements under their control to understand where the elements have been, the change history and who might have had an opportunity to change them.

4) Share information within strict limits. Acquirers, integrators and suppliers need to share data and information. Content shared among them may include information about the use of elements, about users and about the acquirer, integrator or supplier organizations themselves, as well as information regarding issues that have been identified or raised about specific elements. Shared information should be protected according to mutually agreed-upon practices.

5) Perform supply chain risk management awareness and training. A strong supply chain risk mitigation strategy cannot be put in place without significant attention given to training personnel on supply chain policy, procedures and applicable management, operational and technical controls and practices. NIST SP 800-50, Building an Information Technology Security Awareness and Training Program, provides guidelines for establishing and maintaining a comprehensive awareness and training program.

6) Use defensive design for systems, elements and processes. The use of defensive design concepts is a common approach to delivering robustness in security, quality, safety, diversity and many other disciplines, and it can aid in achieving supply chain risk management. Design techniques apply to supply chain elements, element processes, information, systems and organizational processes throughout the system.

Element processes include creation, testing, manufacturing, delivery and sustainment of the element throughout its life. Organizational and business processes include issuing requirements for acquiring, supplying and using supply chain elements.

7) Perform continuous integrator review. Continuous integrator review is an essential practice used to determine that defensive measures have been deployed. Its purpose is to validate compliance with requirements, establish that the system behaves in a predictable manner under stress and detect and classify weaknesses and vulnerabilities of elements, processes, systems and any associated metadata.

8) Strengthen delivery mechanisms. Delivery, including inventory management, is an essential function within the supply chain and one with great potential for being compromised. In today's environment, delivery can be physical, such as hardware, or logical, such as software modules and patches.

9) Assure sustainment activities and processes. The sustainment process begins when a system becomes operational and ends when it enters the disposal process. This includes system maintenance, upgrade, patching, parts replacement and other activities that keep the system operational. Any change to the system or process can introduce opportunities for subversion throughout the supply chain.

10) Manage disposal and final disposition activities throughout the system or element life cycle. Elements, information and data can be disposed of at any time across the system and element life cycle. For example, disposal can occur during research and development, design, prototyping or operations/maintenance and include methods such as disk cleaning, removal of cryptographic keys and partial reuse of components.
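Practices 3 and 8 above both come down to being able to say, after the fact, what an element was, who had the opportunity to change it, and whether the copy that arrived is the copy that was recorded. The following Python sketch is an added illustration, not code from the NIST report: it keeps a hash-chained provenance record for one element (the element id, actor names and firmware contents are constructed for the example) and checks a delivered artifact against the last recorded state.

```python
"""Added example: a hash-chained provenance record for one supply chain element."""
import hashlib
import json
from dataclasses import dataclass
from typing import List


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest, used for both element content and ledger entries."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class ProvenanceEvent:
    """One entry in an element's history: who did what, and the resulting content hash."""
    actor: str         # uniquely identified actor (practice 1)
    action: str        # e.g. "created", "patched", "delivered"
    content_hash: str  # hash of the element after this event
    prev_hash: str     # hash of the preceding entry, chaining the record together
    entry_hash: str = ""

    def compute_hash(self) -> str:
        body = json.dumps(
            {"actor": self.actor, "action": self.action,
             "content_hash": self.content_hash, "prev_hash": self.prev_hash},
            sort_keys=True)
        return sha256_hex(body.encode())


class ProvenanceLedger:
    """Append-only provenance record for a single supply chain element (practice 3)."""

    def __init__(self, element_id: str):
        self.element_id = element_id
        self.entries: List[ProvenanceEvent] = []

    def _genesis(self) -> str:
        # The chain is anchored to the element's identity, so records of two
        # different elements can never be spliced together.
        return sha256_hex(("element:" + self.element_id).encode())

    def record(self, actor: str, action: str, content: bytes) -> ProvenanceEvent:
        prev = self.entries[-1].entry_hash if self.entries else self._genesis()
        entry = ProvenanceEvent(actor, action, sha256_hex(content), prev)
        entry.entry_hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """True only if every entry is intact and links to its predecessor."""
        prev = self._genesis()
        for entry in self.entries:
            if entry.prev_hash != prev or entry.compute_hash() != entry.entry_hash:
                return False
            prev = entry.entry_hash
        return True

    def verify_delivery(self, delivered: bytes) -> bool:
        """Practice 8 check: the artifact that arrived is the last recorded state."""
        if not self.entries or not self.verify_chain():
            return False
        return self.entries[-1].content_hash == sha256_hex(delivered)

    def actors(self) -> List[str]:
        """Everyone who had an opportunity to change the element."""
        return sorted({e.actor for e in self.entries})


def demo() -> dict:
    """Constructed scenario: a firmware image is built, patched and delivered."""
    ledger = ProvenanceLedger("sensor-fw-1.2")        # hypothetical element id
    build = b"firmware v1.2 build 41"                 # constructed content
    patched = b"firmware v1.2 build 41 + hotfix"      # constructed content
    ledger.record("supplier:acme-build-01", "created", build)   # hypothetical actors
    ledger.record("integrator:jdoe", "patched", patched)
    ledger.record("integrator:jdoe", "delivered", patched)

    honest = ledger.verify_delivery(patched)                          # True
    swapped = ledger.verify_delivery(b"firmware v1.2 build 42")       # False: not what was recorded

    # Rewriting history (who applied the patch) invalidates the chain.
    ledger.entries[1].actor = "supplier:acme-build-01"
    tampered_chain = ledger.verify_chain()                            # False
    return {"honest": honest, "swapped": swapped,
            "tampered_chain": tampered_chain, "actors": ledger.actors()}


if __name__ == "__main__":
    print(demo())
```

The ledger only detects tampering with the record itself; in practice the entries would be signed by each actor and stored where no single party in the chain can rewrite them, which is what gives the "who made those changes" part of the definition any weight.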

NIST says the recommendations in the interagency report are for information systems categorized at the FIPS 199 high-impact level. But NIST says agencies and other organizations can choose to apply the recommended practices to specific systems with a lower impact level, based on the tailoring guidance provided in the draft of NIST Special Publication 800-53 Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations.

Refer here to download the report.

Tuesday, August 21, 2012

SAP Audit Guide for Expenditure

Download the Ultimate Guide to Auditing and Securing Procure-to-Pay Controls in SAP

The third installment of Layer Seven Security’s SAP Audit Guide was released today and can be downloaded at http://bit.ly/SvG956. The series has proven to be a popular resource for audit and security professionals with over 10,000 downloads to date.

The latest Guide focuses upon expenditure-related controls in areas such as vendor master data, purchasing, invoice processing and payment processing. Forthcoming volumes of the Guide will deal with areas related to inventory, human resource management and Basis.

Although the Guide was originally intended to cover the ERP-related modules most commonly implemented by SAP clients, Layer Seven Security will develop and issue similar guides for components such as Customer Relationship Management (CRM), Supplier Relationship Management (SRM) and the Enterprise Portal (EP).

Monday, February 20, 2012

Learn the process of documentation writing to implement ISO 27001

ISO 27001 Video Tutorials

One of the biggest obstacles for companies starting to implement ISO 27001 is writing various documents required by this information security standard.

Information Security & Business Continuity Academy has launched ISO 27001 Video Tutorials, a new product that facilitates the process of documentation writing.

According to the ISO Survey of Certifications published by the International Organization for Standardization (ISO), ISO 27001 is among the 5 most popular management standards, and is also one of the standards with the highest growth in the number of certified companies – about 20% annually.

Less well known, however, is that a large percentage of companies that start to implement this standard never finish the job. The reason for failure is very often insufficient time or a lack of knowledge for writing the documentation – ISO 27001 has very specific requirements about what the documentation should look like.

At the moment 13 video tutorials are available, and each month 2 new tutorials will be published. A total of 50 video tutorials are planned, which will cover all the steps in ISO 27001 implementation – from setting up the project all through successful certification.

Dejan Kosutic, the author of the video tutorials said:
"I've worked with quite many companies as a consultant, and most of those companies struggle with the same thing – how to fill in the documentation. I believe these video tutorials will increase the success rate of ISO 27001 projects by at least 25%, and increase the speed of implementation by 50%".

Monday, September 5, 2011

The Seven-Step Information Gathering Process

A basic guide to performing information gathering, including some useful tools

Footprinting is about information gathering and is both passive and active. Reviewing the company's website is an example of passive footprinting, whereas calling the help desk and attempting to social-engineer privileged information out of them is an example of active information gathering.

Scanning entails pinging machines, determining network ranges and port scanning individual systems. The seven steps are:
  1. Information gathering
  2. Determining the network range
  3. Identifying active machines
  4. Finding open ports and access points
  5. OS fingerprinting
  6. Fingerprinting services
  7. Mapping the network

The Seven Steps Of The Pre-Attack Phase

Step   Title                                  Active/Passive   Common Tools
One    Information gathering                  Passive          Sam Spade, ARIN, IANA, Whois, Nslookup
Two    Determining network range              Passive          RIPE, APNIC, ARIN
Three  Identifying active machines            Active           Ping, traceroute, SuperScan, Angry IP Scanner
Four   Finding open ports and applications    Active           Nmap, Amap, SuperScan
Five   OS fingerprinting                      Active/passive   Nmap, Winfingerprint, P0f, Xprobe2, Ettercap
Six    Fingerprinting services                Active           Telnet, FTP, Netcat
Seven  Mapping the network                    Active           Cheops, traceroute, NeoTrace

Wednesday, June 1, 2011

Safeguarding Personal Remote Access Against Cyber-Attacks

Personal Access … Public Attacks?

I have noticed that more staff are using personal devices and untrusted servers to access corporate networks, which is creating the ideal stalking ground for cybercriminals.

I wanted to bring your attention to 2 of SC Magazine’s upcoming webcasts that may prove useful. (I have had some great feedback from members who have attended their webcasts, as they are far more content-led than sales-led.)

The full list can be found at http://www.scwebcasts.tv

Details of SC’s next 2 webcasts are pasted below for you to assess their relevance for you and your team:

Safeguarding Personal Remote Access Against Cyber-Attacks
Streamed live to your desk on the 2nd June at 3.30pm.

Tune in live to hear:
  • How cybercriminals are preying on those staff using personal computers or servers to access your network, with a list of recent APT attacks
  • What you can do to shore up this gap in your company’s ramparts
Speakers include:
- Nick Harwood, Head of Security & Governance, Royal London
- Dave Jevans, Founder & Chairman of IronKey & APWG

Secure your free place at http://www.scwebcasts.tv

Smart Security for SMEs: The Key Threats And How To Tackle Them
Streamed live to your desk on 30th June at 3pm

Tune in to hear:
  • The main ways in which SMEs’ security is being compromised
  • An indispensable checklist for SMEs to ensure they have the key bases covered and stay safe online
Speakers:
Philippe Courtot, Chairman and CEO for Qualys + special guest CISO

Secure your free place at http://www.scwebcasts.tv

*ALSO WORTH MENTIONING is that SC’s sister title, Management Today, is running a webcast on Avoiding Information Overload to streamline security and productivity. It features the innovative driving forces behind pioneering companies such as Skype. It can be found at http://www.managementtodaywebcasts.com if you’re interested.

I hope that you enjoy the webcasts. As always, do feel free to contact me with any thoughts or questions.

Sunday, May 22, 2011

How to Develop & Maintain Information Security Policies & Procedures

A 1-hour presentation designed for professionals who are responsible for writing, approving or reviewing security policies or procedures

Information security policies and procedures are the cornerstone of any information security program - and they are among the items that typically receive the greatest scrutiny from examiners and regulators.

But beyond satisfying examiners, clear and practical policies and procedures define an organization's expectations for security and how to meet those expectations. With a good set of policies and procedures, employees, customers, partners and vendors all know where you stand on information security and where they fit in.

The key to creating effective policies and procedures is to start with a solid risk assessment, and then follow a measured program that includes:
  • Implementation
  • Monitoring
  • Testing
  • Reporting
The webinar from Banking Information Security is designed for IT professionals, risk managers, auditors or compliance officers who are responsible for writing, approving or reviewing security policies or procedures.

It's a daunting task to create effective policies and procedures, and it's ongoing work to monitor and maintain them. But in this age of endless information security threats, please remember: Policies and procedures aren't just a "nice to have" - they're a must.

Cursory, disconnected or poorly communicated security policies will fail and likely drag down the overall information security program with them.

Register for this webinar to learn:
  • How to ensure your policies map to your own institution's risk profile;
  • How to structure your policies and presentations to senior management and board members;
  • The basics of information security policies and what they must cover.