Showing posts with label Recommendations. Show all posts

Wednesday, January 22, 2014

Did you get an email from Target?

Are you one of the roughly 70 million people who got an email from Target last week about the store's mega security breach? If so, be careful.

Target did indeed do a blast to customers to offer one year of free credit monitoring. The problem is scammers are also on the prowl and are sending out similar emails.

Target even says it has identified and stopped at least 12 scams preying on consumers via email, Facebook and other outlets.

The Target emails went to customers whose personal information was in the Target database. Cyber thieves penetrated the records during the holiday shopping season breach discovered last month and stole info like names, phone numbers and email addresses. The full extent of the hacking is still under investigation.

In the meantime, here's what to do if you see an email from Target pop up in your inbox.

If you've already opened the email: Target has posted a copy of the email it sent out online. So go here to make sure the email you opened, the address it came from, and the link you clicked all match up.

If it doesn't match, and especially if you clicked a link to an external website and entered personal information, you need to take action quickly.

First, get a copy of your credit report, check your bank and credit card activity on a daily basis and call the credit reporting agencies to tell them what happened. You can ask to have a fraud alert placed on your account, meaning it will be flagged to lenders if someone attempts to open credit in your name.

If you're really worried, you can request a credit freeze, which prohibits any credit from being extended under your name. But that's a big step because you will have to go through the process of undoing this whenever you need credit again.

If you entered a credit card or debit card number, reach out to those institutions to warn them of potential fraud as well.

If you haven't opened the email: To avoid any chance of a virus or of falling prey to a potential scam, it is recommended to go directly to Target's website to view the letter you believe has landed in your inbox -- since even opening a fraudulent email could lead to malware being installed on your computer. And if you do open the email, don't click on any links.

All other correspondence from Target can be found here. The retailer emphasizes that it will never email a consumer and ask for personal information like a Social Security number or credit card information.

But it's not just emails claiming to be from Target that customers need to worry about.

If your personal information was compromised in the breach, that means scammers could contact you pretending to be anyone -- like another retailer.
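The "does it match" check above can be automated for a mailbox. The following is an added example, not code from the original post: it assumes target.com as the retailer's real sending domain purely for the demonstration, and both messages below are constructed samples, not the real Target email or a real scam.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for this example: the retailer's real domain. Real deployments would
# take this from the copy of the legitimate email the retailer published.
LEGIT_DOMAINS = {"target.com"}


def registrable(host):
    """Crude registrable-domain reduction: 'news.target.com' -> 'target.com'."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_message(raw):
    """Return a list of phishing indicators for one RFC 822 message (empty = clean)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    # 1. Does the sending address belong to the retailer?
    from_hdr = msg["from"]
    from_addr = from_hdr.addresses[0].addr_spec if from_hdr and from_hdr.addresses else ""
    sender_domain = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""
    if registrable(sender_domain) not in LEGIT_DOMAINS:
        findings.append(f"sender domain {sender_domain!r} is not {sorted(LEGIT_DOMAINS)}")
    # 2. Do the links go where the retailer's links go, and where they claim to?
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    collector = LinkCollector()
    collector.feed(text)
    for href, label in collector.links:
        host = urlparse(href).hostname or ""
        if registrable(host) not in LEGIT_DOMAINS:
            findings.append(f"link {href!r} points off-domain ({host})")
        if label.startswith("http") or "." in label:  # visible text looks like a URL
            shown = urlparse(label if "://" in label else "http://" + label).hostname or ""
            if shown and registrable(shown) != registrable(host):
                findings.append(f"link text shows {shown!r} but href goes to {host!r}")
    # 3. The retailer says it never asks for personal data by email.
    lowered = text.lower()
    for phrase in ("social security", "credit card number", "verify your account"):
        if phrase in lowered:
            findings.append(f"asks for personal data: {phrase!r}")
    return findings


# Constructed sample of a look-alike scam message (not a real email).
SCAM_SAMPLE = """From: Target Guest Relations <security@target-guestcare.com>
To: guest@example.com
Subject: Your free credit monitoring - action required
Content-Type: text/html; charset="utf-8"

<html><body><p>Confirm your identity to activate credit monitoring.
Please enter your Social Security number at
<a href="http://target-guestcare.com/verify">https://www.target.com/credit-monitoring</a></p></body></html>
"""

# Constructed sample of what a legitimate notice would look like under the assumption above.
LEGIT_SAMPLE = """From: Target <news@target.com>
To: guest@example.com
Subject: Free credit monitoring
Content-Type: text/html; charset="utf-8"

<html><body><p>Visit <a href="https://www.target.com/creditmonitoring">target.com/creditmonitoring</a>
to enroll. We will never ask for personal information by email.</p></body></html>
"""

if __name__ == "__main__":
    for name, sample in (("scam", SCAM_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(name, check_message(sample) or "no indicators")
```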

Thursday, September 5, 2013

Successful Digital Strategy: Bridge the gap between CIO and CMO

CIO & CMO don't trust each other, and IT doesn't provide fast turnaround!

Business is largely about competition and, even within organizations, a healthy dose of rivalry between colleagues can be a good thing. However, a survey just conducted by Accenture Interactive (see The CMO-CIO Disconnect) points to a downright unhealthy relationship in many C-Suites which can do nothing but damage to firms. 

At a time when many executives say that improving digital reach will be a significant differentiator for their companies, research shows that two of the most important digital leaders — the Chief Marketing Officer (CMO) and the Chief Information Officer (CIO) — do not trust each other, understand each other, or collaborate with each other.

That is very bad news for their businesses and, not incidentally, for their own careers. When IT and marketing departments work at cross-purposes, the results are inefficiencies and mishaps and it is customers who suffer. Potential buyers simply don't have the time or energy to do business with a company that makes things harder for them.

To begin to mend the CMO-CIO relationship, it's important to understand the source of each side's frustrations. CMOs' answers to survey questions make it clear that they view IT as an "execution and delivery" provider, instead of as a strategic partner. CMOs do not believe they are getting fast enough turnaround on projects and adequate quality from the IT departments. Because many CMOs do not believe they are getting the service they want from their IT departments, many bypass the IT department and work with outside vendors. Forty-five percent of marketing executives say they would prefer to enable marketing employees to operate data and content without IT intervention.


For their part, IT executives believe marketers make promises they can't keep and do not provide them with adequate information on business requirements. The CIOs believe the marketing teams often do not understand — or appreciate — data integration or IT standards. Nearly half (49 percent) of CIOs say marketing pulls in technologies without consideration for IT standards. Forty-seven percent say the marketing team lacks understanding of data integration.


CEOs and others in the C-suite should not turn a blind eye to this tension, hoping for it to resolve itself. It is crucial for companies to instill more collaboration and understanding across the functions.

Here are five suggestions for supporting a CMO-CIO relationship that will ultimately benefit customer experience and drive sales:

Identify the CMO as the "Chief Experience Officer."
This is more than simply a change in nomenclature. It is a constant reminder to the CMO that the job doesn't end with branding and advertising. The CMO must design and drive a customer experience that is consistently first-rate, at every touch point within the company — a goal that lays more emphasis on the role of IT and the need to reach a deeper understanding.

Signal that IT is the strategic partner to marketing
The CIO cannot be viewed as only the chief technology platform provider; the role must be elevated to a strategic member of the C-suite.

Get the two leaders working from the same playbook
Already, CIOs and CMOs spend more than 30 percent of their respective budgets on technology. It is time for them to agree on key business levers for marketing and IT integration, such as access to customer data and speed to market along with security, privacy, and standardization.

Change the skill mixes
Make sure the marketing department becomes more tech savvy and the IT department better understands marketing. Again, coming together around the consumer and customers will help to break down internal silos and align agendas. Upgrading their skills will help both departments make better decisions about technology and understand its impact on business outcomes.

Develop trust by trusting
It is time for leaders in organizations to extend their trust to — and accept it from — business units beyond their own.

Friday, August 30, 2013

Top 5 Tools Every Security Professional Must Learn

5 basic tools for security professionals

As the role of the information security professional continues to evolve within organizations towards that of an executive level position, we see a growing emphasis on traditional business administration skills over the more technical skills that previously defined the top security leadership job.

Nonetheless, Information Security Professionals need to keep abreast of the latest down-in-the-weeds tools and technologies that can benefit their organization’s security posture, as well as those tools that are widely available which could be misused by malicious actors to identify and exploit network security weaknesses.

ToolsWatch is a free interactive service designed to help auditors, penetration testers, and other security professionals keep their ethical hacking toolbox up to date with the latest and greatest resources.

ARMITAGE

Metasploit has become over the years the best framework to conduct penetration testing on network systems and IT infrastructure. Armitage is an open source effort to bring a user-friendly interface to Metasploit.


Armitage demonstrations are very convincing and allow you to analyze weak and vulnerable machines in a network in just a few clicks. This tool has brilliantly hidden the complexity of Metasploit (for a non-technical audience) in favor of usability, and is a great way to demonstrate the security in depth of an IT architecture.

HASHCAT

There is a constant battle between security folks and users when it comes to passwords. Although it is simple to deploy a password policy in a company, it is also very difficult to justify it.


In a perfect world from the user's perspective, the best password would be the name of the family cat with no expiration date, and this applies to any system that requires authentication.

HashCat has shown that the selection of a strong password must be done carefully, and this tool allows us to demonstrate the ease with which a weak password can be recovered.

WIFITE

You know what you are connected to when using your hardwired network, but have you ever wondered if the air is playing tricks on you? To test your WiFi security, Wifite offers the simplest way.


Wifite allows the discovery of all devices that have an active wireless capability enabled by default (like some printers for example). Wifite is a very simple and convincing way to validate the security of wireless networks.

WIRESHARK

Known for many years as Ethereal, WireShark is probably the best tool when it comes to sniffing for and collecting data over a network.


Over the years, Wireshark has boosted its capabilities with support for several types of networks (Ethernet, 802.11, etc.) and also in the simplicity of its use through a very friendly user interface.

Wireshark makes it possible to demonstrate that outdated protocols such as Telnet and FTP should be banned from a corporate network, and that sensitive information should be encrypted to avoid being captured by a malicious user.
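The same point can be turned into a detection rule: flag every login that crosses the wire in the clear so the offending protocol can be retired. The following is an added example and not part of the original post or of Wireshark; it works on constructed (src, dst, port, payload) records standing in for reassembled packets, the port-to-protocol table is an assumption for the demo, and passwords are redacted in the report.

```python
import base64
import re

# Assumed port/protocol table for this example: services that send logins unencrypted.
CLEARTEXT_PORTS = {21: "FTP", 23: "Telnet", 80: "HTTP", 110: "POP3", 143: "IMAP"}


def redact(secret):
    """Keep only the first character so the report never re-exposes the password."""
    return secret[:1] + "*" * (len(secret) - 1) if secret else ""


def detect_cleartext_credentials(records):
    """records: iterable of (src_ip, dst_ip, dst_port, payload) tuples in capture order,
    one application-layer message per tuple (constructed here, not a real pcap).
    Returns a list of finding dicts; usernames are kept, passwords redacted."""
    findings = []
    pending_user = {}    # (src, dst) -> username from a USER command awaiting its PASS
    seen_telnet = set()  # flows already reported once
    for src, dst, dport, payload in records:
        proto = CLEARTEXT_PORTS.get(dport)
        if proto is None:
            continue  # encrypted or unknown service: nothing to parse
        flow = (src, dst)
        user = password = None
        if proto in ("FTP", "POP3"):
            # Both protocols use "USER x" followed by "PASS y" on the same flow.
            m = re.match(r"(?i)USER\s+(\S+)", payload)
            if m:
                pending_user[flow] = m.group(1)
                continue
            m = re.match(r"(?i)PASS\s+(\S+)", payload)
            if m:
                user, password = pending_user.pop(flow, "?"), m.group(1)
        elif proto == "IMAP":
            # "<tag> LOGIN user pass", with optional quoting of either argument.
            m = re.match(r'(?i)\S+\s+LOGIN\s+"?([^\s"]+)"?\s+"?([^\s"]+)"?', payload)
            if m:
                user, password = m.group(1), m.group(2)
        elif proto == "HTTP":
            # HTTP Basic auth is only base64, not encryption.
            m = re.search(r"(?im)^Authorization:\s*Basic\s+(\S+)", payload)
            if m:
                try:
                    decoded = base64.b64decode(m.group(1)).decode("utf-8", "replace")
                except ValueError:
                    continue  # malformed header, not a credential
                user, _, password = decoded.partition(":")
        elif proto == "Telnet" and flow not in seen_telnet:
            # Telnet logins are typed one keystroke per packet; report the session itself.
            seen_telnet.add(flow)
            findings.append({"proto": proto, "src": src, "dst": dst,
                             "detail": "interactive login session in the clear"})
            continue
        if password is not None:
            findings.append({"proto": proto, "src": src, "dst": dst,
                             "user": user, "password": redact(password)})
    return findings


# Constructed sample traffic (not captured from any real network).
SAMPLE_RECORDS = [
    ("10.0.0.5", "10.0.0.20", 21, "USER alice\r\n"),
    ("10.0.0.5", "10.0.0.20", 21, "PASS Summer2013\r\n"),
    ("10.0.0.7", "10.0.0.21", 23, "\xff\xfb\x18"),  # telnet option negotiation
    ("10.0.0.7", "10.0.0.21", 23, "r"),             # a single typed keystroke
    ("10.0.0.9", "10.0.0.30", 80,
     "GET /admin HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic Ym9iOmh1bnRlcjI=\r\n\r\n"),
    ("10.0.0.9", "10.0.0.40", 443, "\x16\x03\x01..."),  # TLS: opaque, correctly ignored
    ("10.0.0.11", "10.0.0.50", 143, 'a001 LOGIN "carol" "pa55w0rd"\r\n'),
]

if __name__ == "__main__":
    for finding in detect_cleartext_credentials(SAMPLE_RECORDS):
        print(finding)
```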

SOCIAL ENGINEERING TOOLKIT (SET)

SET is a framework that helps in the creation of sophisticated technical attacks that operate by exploiting human credulity. It can be used in the process of preparing a phishing attack mimicking a known website or trapping PDF files with the appropriate payload. The simplicity of use via an intuitive menu makes it an even more attractive tool.


It is the dream of every CISO to drive security awareness campaigns without ruining the security budget. With SET, the team in charge of security audits can design attack scenarios and distribute them internally to the targeted users.

Thursday, August 15, 2013

10 easy ways to reduce security headaches in a BYOD world

How can you improve security "Old School style" in a BYOD world?

Security is a huge concern when it comes to BYOD. Here are several steps you can take to protect your network and keep your organization's data safe. 

You're about to officially allow Bring Your Own Device (BYOD) in your organization. Understandably, you're concerned with the security of your network and data. With all those unknown variables entering the mix, how will you safeguard your company and keep sensitive data from falling into the wrong hands?

To put your mind at ease, you need to tackle BYOD with an eye toward security. This means policies and plans must be put into place. With BYOD, you can't always think in the same way you do with standard networking. Here are 10 ideas that might help you get through this transition.

1: Secure your data
Before you allow any non-company devices onto your network, you need to make sure your data is secure. This should go without saying, but if you have sensitive data on open shares, you're asking for trouble. Every network administrator must know the company's data is secure. But if you are about to open the floodgates to BYOD, this must be a priority.

2: Tighten your network security
Just as you've secured your data, you must make sure your network security is rock solid. Do not rely on Windows Firewall to secure your data -- you need to deploy an actual, dedicated device (such as SonicWALL, Cisco, or Fortinet) to handle network security. Pay close attention to making sure the outside world is carefully locked out of your network. With all of those new devices coming in -- and the possible security holes they can create -- you must make sure you have a solid network security plan in place.

3: Implement a BYOD antivirus/anti-malware policy
Any device running an operating system that is susceptible to viruses must be running a company-approved antivirus solution. For devices that do not run a vulnerable platform (Android, iOS, Linux), make sure those users are not passing along suspect files to fellow workers (or customers). To that end, you can still require these users to install and use an antivirus solution to check all outgoing files for signs of infection.

4: Mandate encryption
If your BYOD users will be sharing data from outside your secured LAN, you should require them to use some form of encryption. This might mean any application that stores data on the device will require its own password to gain access to that data (this is on top of the device password). Also, if users are storing company passwords on the device, those passwords must be protected under a layer of encryption.

5: Take advantage of mobile application management (MAM)
You have to know what applications are being used on your network. This doesn't mean you have to prevent users from accessing Facebook or playing games (that's your call, of course). But you must make sure any application being used isn't a threat to the security of your company data. Some devices, like Android, allow you to side-load applications, so any application not on the Google Play Store can be installed. You want to make sure one of your employees isn't inadvertently letting a sniffer or port scanner loose on your network.

6: Require apps like Divide
There are apps out there, like Divide, that do a great job of placing a barrier between your personal and work data. In fact, Divide provides completely separate desktops, so the user can make no mistake. Gaining access to the business side of Divide requires a password -- as well as simply knowing how to gain access to that (mostly) obfuscated desktop.

7: Require multi-layered password protection

You must require all devices to be password protected. But just having a single password to gain access to the device isn't enough. Any application, folder, or file that houses company data must also be password protected. Though it might be an inconvenience, the more password protection those mobile devices have, the safer your data will be. At the same time, you should make sure that users do NOT have passwords (such as those for company VPNs) stored on the machine, unless they are stored in an application that requires an encrypted password to open.

8: Implement company-wide phone wipe

If your users want BYOD, they have to be willing to sign on to a plan that gives you the power to wipe their phone if it's lost or stolen. Though this should be the case with every user (not just those using their devices for work), many don't see the value in making sure their sensitive data can be easily deleted if the phone winds up in the wrong hands.

9: Require use of company wireless when on premise

You know some users will "forget" to connect to your wireless network when they arrive. You do not want them doing business on their carrier network. Make sure all users understand that if they are to use their device on premises, they must use your wireless network. Not only will this help secure your company data, it will allow you to better monitor and control what goes on.

10: Limit device support

If you open your company up to BYOD, you are within your rights to limit that policy to certain devices. Say you only want to open this up to tablets that do not have a carrier (so they are limited to Wi-Fi only) or to a single platform. By doing this, you not only make your job easier, you help keep your company network/data more secure.

Wednesday, July 31, 2013

The Biggest Threat To Enterprise Is The Thumb Drive

How were Iranian nuclear facilities destroyed? With a thumb drive. And how did Snowden allegedly smuggle out the blueprints to the NSA? With a thumb drive.

No, it wasn't by some ultra secretive means of super-complex cyber code writing and cloud encryption by which good ol' Eddy breached America's security in arguably the most secure compound on the planet — nope — he simply walked in with a thumb drive, downloaded the NSA, and walked out.

Carl Weinschenk of IT Business Times breaks down how bad a threat flash drives can be:
The U.S. Department of Homeland Security ran a test in which staffers dropped flash drives in the parking lot of government and contractor buildings. Sixty percent of folks who picked them up simply plugged them into networked computers. That percentage jumped to 90 percent if the drive had an official logo.
The Washington Times breaks down the threat further by reminding everyone that a "number of commercially available programs can switch off the USB port of every computer on the network."

NSA officials “were laying down on their job if they didn’t disable the USB port,” an unnamed government IT specialist told the Washington Times, referring to the small socket on the side of a computer where thumb drives are plugged in.

Organizations, whether they're public or private, have had difficulty enforcing Bring Your Own Device security measures now for a number of years. Certainly there are places in government buildings where there are NO recording devices or storage devices allowed under ANY circumstances.

Regardless, Snowden managed to get one in and get one out.

Monday, July 22, 2013

Cyber Protection of Critical Infrastructure is becoming "Imperative"

ABI Research estimates that cyber security spending for critical infrastructure will hit $46 billion globally by the end of 2013

The digitisation of critical infrastructures has provided substantial benefits in terms of socio-economic developments – improved productivity, better connectivity, greater efficiencies. Yet some of these attributes also carry significant risks. Always-on Internet connectivity has ushered in a new cyber-age where the stakes are higher.

Disruption and destruction through malicious online activities are the new reality: cyber-espionage, cyber-crime, and cyber-terrorism. Despite the seemingly virtual nature of these threats, the physical consequences can be quite tangible.

The cyber protection of critical infrastructure has become the most immediate primary concern for nation states. The public revelation of wide-spread state-sponsored cyber-espionage presages an era of information and cyber warfare on a global scale between countries, political groups, hacktivists, organised crime syndicates, and civilian society – in short, anyone with access to an Internet-connected device. The focus on cyber security is becoming imperative.

While some industries have had highly advanced cyber-defense and security mechanisms in place for some time (e.g. the financial sector), others are severely lacking and only just starting to implement measures (e.g. energy, healthcare). The drivers for the market in related products and services are numerous, but in large part many will be propelled by national cyber security strategies and policies.

ABI Research estimates that cyber security spending for critical infrastructure will hit $46 billion globally by the end of 2013. Increased spending over the next five years will be driven by a growing number of policies and procedures in education, training, research and development, awareness programs, standardisation work, and cooperative frameworks among other projects.

This Market Data on “Critical Infrastructure Security” breaks down spending for eight verticals: Defense, Energy, Financial, Healthcare, ICT, Public Security, Transport, and Water and Waste Management. The data is split by region (North America, Europe, Asia-Pacific, Latin America, the Middle East & Africa), by sector (private/public) and by type (product/service).

These findings are part of ABI Research’s Cyber Security Research Service.

Thursday, July 18, 2013

Forecast on Top Trends in Data Breach, Privacy and Security

12 trends in privacy and security

First identified as an industry issue a decade ago, data breaches are now part of the consumer vocabulary. Data breaches have evolved from credit card fraud with financial consequences to medical identity theft with life-threatening implications.

According to leading experts, the frequency, severity, and impact of data breaches are expected to escalate. Industry experts point to the following trends:

1. Global criminals: Criminals are now globally connected and increasingly part of organized crime rings.

2. Advanced persistent threat (APT): APT is the biggest threat to organizations, whereby hackers gain access to a network and remain there undetected for a long period of time.

3. Malicious attackers: Hacktivists and nation states have an advantage over today’s defenders of corporate data and IT infrastructure.

4. Breaches affect everyone and everything: Breaches affect large and small businesses of all kinds, regardless of sophistication, and high- and low-tech information.

5. Information can be infinitely distributed, causing limitless damage: The electronic health information privacy breach epidemic is an unanticipated “game changer” in that health information can be stolen from anywhere in the world, distributed to an infinite number of locations for an infinite period of time and can cause limitless damage.

6. Increased enforcement risk: Regulators at both the federal and state levels in many foreign countries have become, and will continue to be, increasingly aggressive in investigating security breaches and obtaining substantial monetary settlements or penalties from responsible organizations.

7. Identity theft will not go away, until the issue of identity is solved: "Identity-proofing" consumers involves verifying and authenticating with numerous technologies, and the flexibility of consumers to recognize a slight trade-off of privacy for security.

8. Real-time prevention: The rate of exposure for personally identifiable information is now so great, we must concede that the data itself is no longer able to be protected. Our defensive strategy must now shift to real-time prevention of the abuse of this sensitive information by criminal elements.

9. More digital devices and technologies, to digitize personal data: Drones, utility smart meters, automated license plate readers, and more powerful facial recognition software - all used to collect and digitize consumers' sensitive personal data - will provide more opportunities for government to resell consumer data, forcing consumers to demand better privacy protections and read/approve/decline company privacy statements.

10. Many data breaches are avoidable if commonsense security practices are in place: In recent cases where companies experienced data breaches, the companies' security practices did not protect against even readily foreseeable threats. Companies need to use “reasonable and appropriate security measures” for handling consumers’ personal information.

11. Long-term monitoring: Data obtained by hacking, theft or unauthorized access, isn't always used immediately by the perpetrators. Organizations need to develop a tactical plan for incident response that includes persistent, long-term diligence and monitoring, due to the possibility of lag time that can occur between the time of the breach and the fraudulent use of consumer information.

12. Continued business naiveté: Corporations continue their delusional belief that data security and cyber privacy are a byproduct of purchasing better technology. It helps, but it's the human beings using the technology correctly (or not, in the case of most breaches) that actually delivers results. Forward-thinking companies will focus assets on training the stewards of their valuable data.

Wednesday, April 3, 2013

What's your personal Disaster Recovery Strategy?

After the Storm Comes a Rainbow

If you've ever had a computer device unexpectedly fail on you, you know how it feels - like a flash flood, taking you by surprise and washing away everything you need.

Let's say you have an external hard drive which stopped. Completely. Unexpectedly.

Did you have backups of that data? Do you make backups of your data regularly?

Here are some recommendations to help you from feeling the pain of a failed hard drive:

  • Invest in an external backup drive for storing your backups. You can see some good guidance here.
  • For data that is especially valuable (income tax data, photos, business data), make another copy on a different external drive and store at a different, secure location, such as a bank safety deposit box.
  • Back up your email at least once a week; more often if you depend on it for business and would be lost without it.
  • Most external hard drives can be configured to automatically make backups at specified intervals; look for external hard drives with these capabilities.
  • If personal information is on your backup drive, encrypt it!
  • If you want to use a cloud service to store your backups, make sure they will encrypt your data, and that they have terms of service that will allow you ample time to remove your data, completely, if there is ever the need.
  • Regularly test backups to ensure the backup data is actually good.

Saturday, March 30, 2013

Free eBook: 9 Steps to Cybersecurity

Explanation of Cybersecurity and How to Properly Integrate it into Your Organization

9 Steps to Cybersecurity from expert Dejan Kosutic is a free eBook designed specifically to take you through all cybersecurity basics in an easy-to-understand and easy-to-digest format.

You will learn how to plan cybersecurity implementation from top-level management perspective. Additionally, Kosutic covers all of your options and how to choose the ones that ultimately will work best.

President Obama issued “Executive Order - Improving Critical Infrastructure Cybersecurity" on February 12, 2013. 9 Steps to Cybersecurity will inform you of what you need to know at this timely and critical juncture. The goal of this book is to give you the essential information you need to make decisions that are crucial for the future of your organization. Simply fill out the short form on the right-hand side of the screen to download 9 Steps to Cybersecurity today.

Why is this Book Essential for You?

  • Learn how to use risk management to make your cybersecurity a profitable investment
  • Find out how cybersecurity can give your company an invaluable marketing edge
  • Learn how to comply with various information security laws and regulations, including U.S. Executive Order - Improving Critical Infrastructure Cybersecurity
  • Discover the invaluable tips for persuading upper management to act immediately
  • Uncover the key elements of the CIA triad (Confidentiality, Integrity and Availability) and why it is vital to your company
  • Learn everything you need to know in order to develop a cybersecurity plan and monitor the implementation by setting measurable targets

Who Should Read this Timely, Free eBook on Cybersecurity?

Anyone interested in the cutting edge of cybersecurity and what is necessary to secure information should download 9 Steps to Cybersecurity, which can be read in less than 2 hours. This free eBook will be of tremendous interest to any executives wishing to be well versed in the latest cyber safety information. CEOs, CFOs, Chief Information Security Officers and other managers will find this detailed and informative examination of the current state of cybersecurity to be a must-read book. Additionally, 9 Steps to Cybersecurity is written in completely non-technical language - Kosutic's goal was for the book to be easily accessible to all executives, regardless of whether they have technical knowledge.

Once you’ve read Dejan Kosutic's book, you will have a clear concept of cybersecurity, and the direction that your company should take. You will be able to properly implement cybersecurity and comply with the regulations and relevant deadlines. 9 Steps to Cybersecurity was specifically written to provide much-needed clarity and help you chart the most direct and most effective path for your company, period.

Download this free book today and go well beyond the jargon and the confusion.

Saturday, March 23, 2013

7 Key Duties Of CISOs

CISO's Responsibilities 

The CISO's responsibilities would include: 

  1. Overseeing the establishment and maintenance of a security operation that through automated and continuous monitoring can detect, contain and mitigate incidents that impair information security and enterprise information systems;
  2. Developing, maintaining and overseeing an enterprise-wide information security program;
  3. Developing, maintaining and overseeing information security policies, procedures and control techniques to address all applicable requirements;
  4. Training and overseeing personnel with significant responsibilities for information security;
  5. Assisting senior agency officials on cybersecurity matters;
  6. Ensuring the enterprise has a sufficient number of trained and security-cleared personnel to assist in complying with cybersecurity law and procedures;
  7. Reporting at least annually to enterprise executives the effectiveness of the agency information security program; information derived from automated and continuous monitoring, including threat assessments; and progress on actions to remediate threats.

The CISO should possess the necessary qualifications, including education, training, experience and the security clearance needed to do the job.

Friday, December 14, 2012

NIST Glossary of Infosec Terms

Looking for a gift for your boss who doesn't quite understand information security lingo?

The National Institute of Standards and Technology has one you can give, and it's free. NIST has issued a draft of Interagency Report 7298 Revision 2: NIST Glossary of Key Information Security Terms.

As we are continuously refreshing our publication suite, terms included in the glossary come from our more recent publications. The NIST publications referenced are the most recent versions of those publications. It is our intention to keep the glossary current by providing updates online.

New definitions will be added to the glossary as required, and updated versions will be posted on the Computer Security Resource Center website.

The glossary includes most of the terms found in NIST publications. It also contains nearly all of the terms and definitions from CNSSI-4009, an information assurance glossary issued by the Defense Department's Committee on National Security Systems, a forum that helps set the US federal government's information assurance policy.

NIST is seeking comments and suggestions on the revised glossary, and they should be sent by Jan. 15 to secglossary@nist.gov.

Thursday, November 8, 2012

How to crack/reset your Windows account?

Have you lost or forgotten your Windows password?

It's one of the security best practices to enable a password on your Windows user account to ensure you have adequate protection from malicious access to your personal files.

It is common to forget your computer password if you haven't used it for a while or have perhaps just returned from holidays. Unfortunately, current Windows operating systems don't have an option to reset your password like we commonly see in web applications such as Facebook, Hotmail etc.

In the majority of cases, I have seen users have to format and reinstall Windows to access their computer again, but unfortunately they have to sacrifice their personal data if they haven't backed it up.

So what can you do? How do you crack/reset the password of the Windows operating system?

I recently came across this nice password reset tool, "Password Resetter", which cracks Windows passwords in minutes without affecting your personal data.

As stated on their website, it can recover 99.9% of passwords from nearly any Windows installation in a matter of seconds. You do not need to remember the old password in order to crack your Windows password.

Password Resetter recovers a lost Windows administrator or user password from any Windows operating system. It supports Windows Vista, XP, NT, 2000 and the newest Windows 7.

How to use Password Resetter?

1) Download a copy of Password Resetter.

2) Burn the image to a CD/DVD. The package comes with a detailed tutorial.

3) Once the bootable CD/DVD is ready, boot the system from it. Select the user account and then click the reset button.



Another cool feature?

It supports USB, which means you can crack/reset your Windows password from a USB drive if you don't have a CD/DVD.

This is not freeware; you will need to purchase the software for around $35 for personal use.

Monday, September 10, 2012

Breach Preparation: 4 Key Steps

Tips to Develop Breach Plan

You have one shot to get it right. How should organizations prepare properly for a data breach?

Too often, organizations go to the effort of creating a breach response plan but then fail to actually test it. That is like having a fire evacuation plan but never running the drill to make sure people actually get out of the building.

To prepare properly for a breach, organizations should:

Select an Individual to Lead the Charge:

Pick the right individual, one who has enough knowledge of the company and an understanding of the importance of the personal identity information that needs to be protected.

Conduct an Audit of All Subcontractors:

So many breaches today occur at third-party service providers. Organizations, then, should ask their key vendors about their own data breach response plans, as well as how high a priority protecting the data they handle is. It's also important to have a formalized agreement covering the vendors' breach plans and to confirm that they practice them.

Involve the Right Departments:

Privacy, public relations, customer service and information security departments all need to be involved in breach planning. Outside professionals, such as legal and law enforcement, should also be included in the preparation process.

Complete a Yearly Breach Drill:

Organizations that actually practice the plan, and have seen some of the hitches that arise, do much better when they experience a real breach: they respond more quickly, satisfy the regulators, minimize the cost and protect brand reputation.

Wednesday, August 8, 2012

Recommendations For Your Information Risk Management and Security Strategy

The strategy associated with an enterprise’s information risk management and security (IRMS) program becomes a road map for its activities. When developing or refreshing your IRMS strategy, there are many considerations that should be accounted for to make sure it is beneficial to your enterprise and plausible for implementation and ongoing success.

Here are five things to consider when undergoing this effort:
  1. Validate your strategy with your intended audiences early in its development

    The key to any successful strategy is the positive perception and realization of its value by the people it will impact.

    Too often IRMS professionals assume they intuitively understand their enterprise’s requirements and expectations, as well as the benefits that will be obtained by implementing their proposed strategies. While this may be the case, it is important to validate these assumptions with the customer of the strategy to ensure they agree. Without their support the strategy will have little chance of success.

    The easiest way to achieve this validation is to socialize the concepts and ideas that you intend to include in your strategy with key leaders and stakeholders early in the development process. If they are involved in shaping its development and agree with your views and approach, there is a much higher likelihood of successful execution.
  2. Align the IRMS strategy with your enterprise’s information risk profile
    An enterprise’s approach to IRMS should be about information risk first and security second. When developing your IRMS strategy, make sure you align your programs and activities with your enterprise’s information risk profile.

    This profile will identify the information risk appetite of your enterprise. A risk-based strategy presented to a sponsor or leader has a high probability of gaining support since it is designed to align with needs and expectations. If your enterprise does not have a formal information risk profile, seek out the individuals who have risk management responsibilities in the enterprise (i.e., finance, legal, compliance) as well as business process and data owners to work with them to identify their information risk appetite and expectations of security to create a profile to support them.
  3. Leverage staff as a force multiplier
    Leaders and individual contributors associated with IRMS programs and capabilities often feel as though they are overworked and undersupported by their enterprises. One approach that can help to ease this pain is to plan in your IRMS strategy to leverage your enterprise’s overall staff as a force multiplier.

    One strategy that is often successful is to identify individuals who will be tasked as IRMS champions within the key functions and services within your organization. By empowering these champions with knowledge, capabilities and expectations, they can assist you in meeting your IRMS objectives without having to significantly expand the budget or staffing of your program. Beyond the establishment and support of champions, the creation of a risk-conscious and security-aware culture within your enterprise can provide an effective force multiplier for your efforts as individuals incorporate IRMS as a business as usual activity.
  4. Consider current and projected business conditions
    Current and projected economic and business conditions can have a distinct impact on IRMS strategy development. If your enterprise is currently contracting, or projected to contract, or operates in an extremely cost-cautious manner, develop a strategy that accounts for this situation. Even when considering areas such as compliance, where many IRMS professionals assume their organizations will have to invest to ensure alignment, it is important to identify contingencies in cases where they are unwilling or unable to do so.

    Alternatively, if your enterprise is currently or plans to be operating in a business growth and expansion mode, this is an ideal time to invest in programs and capabilities that will ensure alignment with business needs and expectations. When developing strategies in either scenario, it is important to identify and validate the business value of your proposed strategy to gain the support of your enterprise’s leadership and program sponsors.
  5. Ensure the strategy can be implemented and operate successfully with your existing budget and resources
    A common mistake made in the development of IRMS strategy is to assume that enhanced funding will be provided or sustained as part of its execution. Business conditions and information risk appetites of organizations can change quickly. IRMS can be an easy target for budget and resource adjustments.

    If the foundation of your strategy is based on the use of your current budget and resource allocation, your IRMS program and its capabilities will be more resilient during these types of fluctuations. Components of your strategy that require expanded budget and staff should be developed as modular initiatives whose business value can be clearly understood and monitored, but also easily adjusted if business conditions change.
Source: ISACA.

Saturday, July 28, 2012

5 Tips to Improve Intrusion Detection

NIST Revising Guide on Detection, Prevention Software


Intrusion detection and prevention software has become a necessary addition to the information security infrastructure of many organizations, so the National Institute of Standards and Technology is updating its guidance to help organizations employ the appropriate programs.


NIST is seeking comments from stakeholders on the guidance, Special Publication 800-93, Revision 1 (Draft): Guide to Intrusion Detection and Prevention Systems, before publishing a final version. SP 800-93 describes the characteristics of intrusion detection and prevention software technologies and provides recommendations for designing, implementing, configuring, securing, monitoring and maintaining them.


The types of intrusion detection and prevention technologies differ primarily by the types of events that they monitor and the ways in which they are deployed. The NIST publication addresses four types of intrusion detection and prevention software technologies:

  • Network-based, which monitors network traffic for particular network segments or devices and analyzes the network and application protocol activity to identify suspicious activity.
  • Wireless, which monitors wireless network traffic and analyzes it to identify suspicious activity involving the wireless networking protocols themselves. IDPS for wireless is an important type for all organizations to have because of the growth of mobile devices and employees' desire to use their own wireless device for work.
  • Network Behavior Analysis, which examines network traffic to identify threats that generate unusual traffic flows, such as denial of service attacks, certain forms of malware and policy violations such as a client system providing network services to other systems.
  • Host-based, which monitors the characteristics of a single host and the events occurring within that host for suspicious activity.
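Of the four categories, Network Behavior Analysis is the one whose detection logic is easiest to show in a few lines. The following is an added example and is not part of the NIST draft or the original post: it runs a toy NBA pass over constructed flow records and raises the two alert classes the list attributes to NBA, a client host serving a port to other systems (a policy violation) and a many-sources-to-one-destination flood (a denial-of-service pattern). The client subnet, the thresholds and the flow records are all assumptions made for illustration.

```python
"""Toy network behaviour analysis (NBA) over constructed flow records.

Two anomaly classes are detected: a host in the end-user client range that
accepts inbound connections from several peers (it is acting as a server,
which policy forbids) and a destination port hit by an unusually large number
of distinct sources (a flood). All data and thresholds are constructed.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed policy: hosts in this range are end-user clients and must not
# provide network services to other systems.
CLIENT_NET = ip_network("10.20.0.0/16")
# Constructed threshold: more distinct sources than this against one
# destination:port within the observation window is treated as a flood.
FLOOD_SOURCES = 50

# Constructed flow records: (src_ip, dst_ip, dst_port, packets)
FLOWS = [
    ("10.20.1.5", "10.0.0.10", 443, 120),     # normal client -> server
    ("10.20.1.7", "10.0.0.10", 443, 80),
    ("10.20.1.9", "10.20.1.5", 8080, 40),     # client 10.20.1.5 serving 8080
    ("10.20.1.11", "10.20.1.5", 8080, 35),
    ("10.0.0.10", "10.20.1.5", 55000, 120),   # reply traffic to an ephemeral port
] + [(f"192.0.2.{i}", "10.0.0.20", 80, 3) for i in range(1, 61)]  # 60-source flood


def client_serving(flows, client_net=CLIENT_NET, min_peers=2):
    """Return {client_ip: {port: n_peers}} for clients that accept inbound
    connections on a non-ephemeral port from at least min_peers distinct hosts.
    Ports >= 49152 are treated as ephemeral, i.e. replies to the client's own
    outbound connections, and ignored."""
    peers = defaultdict(lambda: defaultdict(set))
    for src, dst, dport, _ in flows:
        if ip_address(dst) in client_net and dport < 49152:
            peers[dst][dport].add(src)
    return {
        ip: {p: len(s) for p, s in ports.items() if len(s) >= min_peers}
        for ip, ports in peers.items()
        if any(len(s) >= min_peers for s in ports.values())
    }


def flood_targets(flows, threshold=FLOOD_SOURCES):
    """Return {(dst_ip, dst_port): n_sources} where the number of distinct
    sources exceeds the threshold."""
    sources = defaultdict(set)
    for src, dst, dport, _ in flows:
        sources[(dst, dport)].add(src)
    return {k: len(v) for k, v in sources.items() if len(v) > threshold}


def analyse(flows):
    """Combine both detectors into a list of human-readable alerts."""
    alerts = []
    for ip, ports in client_serving(flows).items():
        for port, n in ports.items():
            alerts.append(f"policy: client {ip} serving port {port} to {n} hosts")
    for (dst, port), n in flood_targets(flows).items():
        alerts.append(f"flood: {n} distinct sources -> {dst}:{port}")
    return alerts


if __name__ == "__main__":
    for alert in analyse(FLOWS):
        print(alert)
```

Real NBA products build the baseline of "who normally talks to whom on which port" from days of traffic rather than from a fixed subnet and a hard-coded threshold, but the shape of the decision is the same: compare observed flows with an expected role for each host.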

Intrusion detection systems automate the intrusion detection process, whereas intrusion prevention systems have all the capabilities of an intrusion detection system and can also attempt to stop possible incidents. These technologies offer many of the same capabilities, and administrators can usually disable prevention features in intrusion prevention products, causing them to function as intrusion detection software.


The Recommendations

NIST says organizations that implement the following recommendations should facilitate more efficient and effective intrusion detection and prevention system use:

  1. Organizations should ensure that all intrusion detection and prevention system components are secured appropriately, because these systems are often targeted by attackers who want to prevent them from detecting attacks or want to gain access to sensitive information in the intrusion detection and prevention system, such as host configurations and known vulnerabilities.
  2. Organizations should consider using multiple types of intrusion detection and prevention technologies to achieve more comprehensive and accurate detection and prevention of malicious activity. The four primary types of intrusion detection and prevention technologies - network-based, wireless, network behavior analysis and host-based - each offer fundamentally different information gathering, logging, detection and prevention capabilities.
  3. Organizations planning to use multiple types of intrusion detection and prevention technologies or multiple products of the same technology type should consider whether or not the systems should be integrated. Direct intrusion detection and prevention system integration most often occurs when an organization uses multiple products from a single vendor, by having a single console that can be used to manage and monitor the multiple products. Some products can also mutually share data, which can speed the analysis process and help users to better prioritize threats.
  4. Before evaluating intrusion detection and prevention products, organizations should define the requirements that the products should meet. Evaluators must understand the characteristics of the organization's system and network environments, so that a compatible intrusion detection and prevention system can be selected that can monitor the events of interest on the systems and/or networks.
  5. When evaluating intrusion detection and prevention products, organizations should consider using a combination of several sources of data on the products' characteristics and capabilities. Common product data sources include test lab or real-world product testing, vendor-provided information, third-party product reviews and previous experience from individuals within the organization and trusted individuals at other organizations.

Comments on the draft guidance should be sent to 800-94comments@nist.gov by Aug. 31.

Wednesday, June 20, 2012

Enable Do Not Track Feature In Web Browsers

How do you enable the "Do Not Track" feature in the web browser you are using?


You may not be aware that, through the modern web browser you are using, every detail of your activity can be tracked. Whether that data is put to good or bad use, I'm not sure, but how would it feel if someone followed your every click, every web page you visit and every detail you enter somewhere? What it could mean, even I'm not sure.


But there are settings which can put a stop to these activities: a single setting the user has to tweak to enable the Do Not Track feature. Most modern web browsers support "Do Not Track"; you just have to enable it for it to work.


Let’s start with Google Chrome.


Unfortunately, there is no built-in setting to enable the Do Not Track feature in Google Chrome, but there are many Google Chrome extensions that add "Do Not Track" to it. So, simply use this Google Chrome extension to avoid web tracking. Just make sure you are using a recent Google Chrome web browser, version 17 or later. Add it, enable it, and you are free from spying.


Enable Do Not Track Feature In Mozilla Firefox



We don't need any add-on to enable the Do Not Track feature in Mozilla Firefox. Just follow this quick tweak in the Firefox privacy settings and you are done. That's the beauty of it.
  • Click on the Firefox button.
  • Move over to Options.
  • Under the Privacy tab, check the box that says "Tell websites I do not want to be tracked". Click OK, and there you are, a free bird.

Enable Do Not Track Feature In Internet Explorer

To add that feature in Internet Explorer, visit this Do Not Track Test Page and, under the heading that says "To express your preference not to be tracked in IE9", click the link. Make sure you are using Internet Explorer 9 when you click it.
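Every one of the settings above does the same thing under the hood: it makes the browser add the request header DNT: 1 to each request. Nothing is blocked on the client; the site has to choose to honour the signal. The following added example (not part of the original post, and not code from any browser vendor) shows the server side of that bargain: a site that skips its tracking cookie when DNT: 1 is present and reports its decision in the Tk response header defined by the W3C Tracking Preference Expression draft (N for "not tracking", T for "tracking"). The request dictionaries and the cookie name are constructed for illustration.

```python
"""Honouring a Do Not Track request on the server side.

The browser settings described above only cause the header ``DNT: 1`` to be
sent. A site that respects it must itself refrain from tracking; this sketch
shows that decision and the ``Tk`` status header (W3C Tracking Preference
Expression draft) that tells the client which way the site decided.
"""


def dnt_requested(headers):
    """True when the client sent ``DNT: 1``.

    Header names are matched case-insensitively. Any other value (``0``,
    absent, or malformed) is treated as "no preference expressed", which is
    how the specification defines the header."""
    for name, value in headers.items():
        if name.lower() == "dnt":
            return value.strip() == "1"
    return False


def build_response(headers, visitor_id):
    """Return the response headers for one page view.

    A tracking cookie is set only when the visitor has not asked not to be
    tracked, and the Tk header always states what the site did:
    ``N`` = not tracking this request, ``T`` = tracking."""
    resp = {"Content-Type": "text/html"}
    if dnt_requested(headers):
        resp["Tk"] = "N"
    else:
        resp["Tk"] = "T"
        # Constructed cookie name; attributes limit exposure of the identifier.
        resp["Set-Cookie"] = f"visitor={visitor_id}; HttpOnly; Secure; SameSite=Lax"
    return resp


# Constructed requests: a browser with DNT enabled, one that never sent the
# header, and one that sent DNT: 0 (explicitly allows tracking).
REQ_DNT = {"Host": "example.invalid", "DNT": "1"}
REQ_NO_PREF = {"Host": "example.invalid"}
REQ_DNT_ZERO = {"host": "example.invalid", "dnt": "0"}


if __name__ == "__main__":
    for req in (REQ_DNT, REQ_NO_PREF, REQ_DNT_ZERO):
        print(req, "->", build_response(req, "abc123"))
```

The practical caveat for users follows directly from the code: a site that does not run logic like this receives DNT: 1 and simply ignores it, so enabling the setting is a request, not a guarantee.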

Thursday, June 14, 2012

Metasploit: The Penetration Tester’s Guide

Want a great book on Backtrack 5 and the Metasploit Framework?


Look no further than “Metasploit: The Penetration Tester’s Guide” written by the all star cast of David Kennedy (creator of the Social Engineering Toolkit), Jim O’Gorman (instructor at Offensive-Security), Devon Kearns (a BackTrack Linux developer), and Mati Aharoni (created BackTrack and founder of Offensive-Security). 


This is the most complete and comprehensive instruction book for Metasploit that I have seen so far. The authors walk you step by step, command by command, through using the Metasploit Framework as a penetration tester. You move quickly from the basics of penetration testing through using the platform to perform the different phases of intelligence gathering and exploitation.


This is an excellent book for anyone interested in a hands-on approach to computer security, for the Metasploit pro who wants a great reference book, and for those new to Metasploit who want a step-by-step instruction manual.


Metasploit: The Penetration Tester’s Guide – Check it out!

Saturday, May 19, 2012

The evolving role of the CISO

New study by IBM

A study by IBM’s Center for Applied Insights concludes that there are now three ‘types’ of CISO: influencers, protectors and responders. Evolution towards the ‘influencer’ role is necessary, and happening.

Security is now seen as a vital aspect of business, and the role and influence of the chief information security officer is correspondingly rising, concludes Finding a strategic voice, a new study from IBM.


The primary driver, suggests IBM, is that security is now recognised as a business rather than just a technology imperative. “In today’s hyper-connected world,” states the report, “information security is expanding beyond its technical silo into a strategic, enterprise-wide priority,” driven by the increasing number of high profile attacks.


The result is that while “many organizations remain in crisis response mode, some have moved beyond a reactive stance and are taking steps to reduce future risk.” Key to this is that business is beginning to understand what security experts have been saying for years: security is not a thing or a product that can be bought and installed – it is a continuous process at the heart of the business itself.
“The Influencers have the attention of business leaders and their boards. Security is not an ad hoc topic, but rather a regular part of business discussions and, increasingly, the culture. These leaders understand the need for more pervasive risk awareness.” Influencers have a strategic role on business security. “Responders,” says the report, “are more tactically oriented. They are concentrating on foundational building blocks: incorporating new security technology to close security gaps, redesigning business processes and hiring new staff. While technology and business processes are still important to Influencers, they are in the mode of continuously innovating and improving rather than establishing basic capabilities.”


In reality, the clear implication here is that business either needs both an influencer and a responder, or that the influencer needs also to be a responder: strategy needs implementation tactics. But what of the protectors? This is the traditional view of security. Almost half of the report’s respondents take this role, a role that is likely to be the most prevalent in smaller companies. “These security leaders,” says IBM, “recognize the importance of information security as a strategic priority. However, they lack important measurement insight and the necessary budget authority to fully transform their enterprises’ security approach.”

“This data painted a profile of a new class of CISO leaders who are developing a strategic voice, and paving the way to a more proactive and integrated stance on information security,” said David Jarvis, IBM’s author of the report. “We see the path of the CISO is now maturing in a similar pattern to the CFO from the 1970s, the CIO from the 1980s – from a technical one to a strategic business enabler. This demonstrates how integral IT security has become to organizations.”

In short, this IBM study demonstrates that security and the role of the CISO are evolving from a reactive stance to a proactive stance, both within security itself and the wider business – but there is still a long way to go from protector to influencer.


To read further please refer here.

Sunday, May 13, 2012

Basic checklist for Remote Access Security

The Remote Access Security Checklist


The checklist of must-haves for any remote access policy.


Remote Access Policy Security Checklist


Antivirus software with real-time protection enabled - Make sure company-approved antivirus software is included on all remote access devices and set to update regularly.


Required personal firewall - In addition to antivirus software, a personal firewall should be configured and enabled on all remote devices. If a threat is detected, all communications should be blocked.


Defined operating systems - Only allowed operating systems should be able to connect to the corporate network. If your company only uses and supports Windows computers, you should disallow *nix, Macs, etc.


Time-out periods – These should be defined and triggered when there is no activity on the computer. If there is no activity for 30 minutes, for example, enforce a policy so the connection terminates. Be careful to test and make sure that a download or upload counts as activity.


Targeted access to systems while on VPN - Only allow access to necessary internal resources. If a department only accesses one application on your internal network, only provide it with access to that application.


Non-Disclosure Agreement - Vendors, third party companies, and even employees should sign an NDA in order to gain remote access. This will help protect any confidential information.
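The checklist reads as policy, but most of it is mechanically enforceable at the VPN gateway as a posture check before a device is admitted. The following is an added example, not part of the original checklist and not the code of any VPN or NAC product: it evaluates a constructed device record against the antivirus, firewall, operating-system and NDA items, applies per-department targeted access, and implements the time-out rule with the caveat the checklist raises (a running download or upload must count as activity). The policy values, department names and device records are assumptions made for illustration.

```python
"""Posture check and idle time-out derived from the remote access checklist.

All policy values (approved antivirus product, allowed operating systems,
30-minute idle limit, department-to-resource map) and the device records are
constructed for illustration.
"""

POLICY = {
    "approved_av": {"CorpAV"},
    "max_definition_age_days": 7,
    "allowed_os": {"Windows 7", "Windows 8"},
    "idle_timeout_seconds": 30 * 60,
    # Targeted access: department -> internal resources it may reach over the VPN
    "access": {
        "finance": {"erp.internal:443"},
        "sales": {"crm.internal:443"},
    },
}


def posture_violations(device, policy=POLICY):
    """Return the checklist items a device record fails; an empty list means
    the device may connect. Each antivirus sub-check only runs if the previous
    one passed, so a missing product is reported once, not three times."""
    v = []
    if device.get("av_product") not in policy["approved_av"]:
        v.append("antivirus: not company-approved")
    elif not device.get("av_realtime"):
        v.append("antivirus: real-time protection disabled")
    elif device.get("av_definitions_age_days", 999) > policy["max_definition_age_days"]:
        v.append("antivirus: definitions stale")
    if not device.get("firewall_enabled"):
        v.append("firewall: personal firewall disabled")
    if device.get("os") not in policy["allowed_os"]:
        v.append(f"os: {device.get('os')!r} is not an allowed operating system")
    if not device.get("nda_signed"):
        v.append("nda: no signed non-disclosure agreement on file")
    return v


def session_expired(last_input, last_transfer, now,
                    timeout=POLICY["idle_timeout_seconds"]):
    """Idle time-out (all values are epoch seconds).

    The most recent of keyboard/mouse input and data transfer counts as the
    last activity, so a long file download with nobody at the keyboard is not
    cut off after 30 quiet minutes."""
    last_activity = max(last_input, last_transfer)
    return now - last_activity >= timeout


def allowed_destinations(department, policy=POLICY):
    """Targeted access: a department reaches only its own resources.
    Unknown departments get nothing rather than everything."""
    return policy["access"].get(department, set())


# Constructed device records
COMPLIANT = {"av_product": "CorpAV", "av_realtime": True, "av_definitions_age_days": 1,
             "firewall_enabled": True, "os": "Windows 7", "nda_signed": True}
NONCOMPLIANT = {"av_product": "CorpAV", "av_realtime": False, "av_definitions_age_days": 1,
                "firewall_enabled": False, "os": "Ubuntu 12.04", "nda_signed": True}


if __name__ == "__main__":
    print("compliant device:", posture_violations(COMPLIANT))
    print("non-compliant device:", posture_violations(NONCOMPLIANT))
    # 25-minute transfer still running at minute 40: not expired
    print("expired after transfer:", session_expired(0, 25 * 60, 40 * 60))
    print("finance may reach:", allowed_destinations("finance"))
```

Failing closed matters in two places here: an unrecognised operating system is rejected rather than waved through, and an unknown department receives an empty access set. Both mirror the checklist's "only allowed" wording.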

Tuesday, April 24, 2012

Managing The Threat Landscape for SAP Systems

A Ten Step Guide to Implementing SAP’s New Security Recommendations


SAP issued a revamped version of the whitepaper Secure Configuration of SAP Netweaver Application Server using ABAP, which is rapidly becoming the de facto standard for securing the technical components of SAP.


According to SAP, the guidance provided in the whitepaper is intended to help customers protect “ABAP systems against unauthorized access within the corporate network”. In fact, many of the recommendations can also be used to protect SAP systems against remote attacks originating outside such a network. These attacks are targeted at the technical components of SAP Netweaver that are responsible for managing user authentication, authorization, encryption, passwords and system interfaces, as well as underlying databases and operating systems.


Breaches in these components can enable attackers to take complete control of an SAP environment. The following is a quick guide to help you comply with SAP’s recommendations.


1. Disable unnecessary network ports and services. In most cases, this means blocking all connections between end user networks and ABAP systems other than those required by the Dispatcher (port 32NN), Gateway (33NN), Message Server (36NN) and HTTPS (443NN). NN is a placeholder for your SAP instance number. Administrative access should only be allowed through secure protocols such as SSH and restricted to dedicated subnets or workstations through properly configured firewall rules.


2. Install the latest version of SAP GUI. This should be 7.10 or 7.20 with activated security rules configured with the ‘Customized’ setting and the ‘Ask’ default action.


3. Implement strong password policies, restrict access to password hashes in tables and activate the latest hashing algorithms. SAP does not specify the exact settings for password policy parameters but you should use frameworks such as the PCI DSS as a proxy. Refer to section 8.5 of the standard. Default passwords should be changed for standard users and the password hashing mechanism should be upgraded to the latest version available for your system. Wherever possible, downward-compatible hashes should be removed from the database.


4. Enable SNC and SSL. SAP client and server communication traffic is not cryptographically authenticated or encrypted. Therefore, data transmitted within SAP networks can be intercepted and modified through Man-In-The-Middle attacks. Secure Network Communication (SNC) should be used for mutual authentication and strong encryption. This can be performed natively if both servers and clients run on Windows. You will need to use a third party product to secure connections between heterogeneous environments such as AIX to Windows. SNC will secure network communication using the SAP DIAG and RFC protocols. For Web-based communication, you should switch to HTTPS/ SSL and restrict access to the relevant cryptographic keys.


5. Restrict ICF services. Many of the services enabled by default in the Internet Communication Framework (ICF) are open to abuse and could enable unauthorized and malicious access to SAP systems and resources. At a very minimum, you should deactivate the dozen or so services mentioned by SAP in the white paper. This can be performed through transaction SICF.


6. Secure Remote Function Calls (RFC). Wherever possible, remove trust relationships between systems with differing security classifications and hardcoded user credentials in RFC destinations. The belief that RFC connections using SAP_ALL privileges are fine as long as the user type is set to dialog is a myth. This represents a serious risk to the integrity of information in SAP systems.


7. Secure the SAP Gateway. The Gateway is used to manage RFC communications which support SAP interfaces such as BAPI, ALE and IDoc. Access Control Lists (ACL) should be created to prevent the registration of rogue or malicious RFC servers which can lead to the interruption of SAP services and compromise data during transit. You should also enable Gateway logging and disable remote access.


8. Secure the SAP Message Server. The Message Server is primarily a load balancer for SAP network communications. Similar to the Gateway, it has no default ACL, which means it is open to the same type of attacks. You should filter access to the Message Server port using a firewall and create an ACL for all required interfaces.


9. Regularly patch SAP systems. Implement missing SAP Security Notes and patch systems at least once a month. Security Notes can be downloaded from the SAP Service Market Place.


10. Regularly monitor the SAP security configuration. Standard SAP services such as EarlyWatch (EWA) and the Computing Center Management System (CCMS) can be used to monitor some security-relevant configurations. However, they do not provide the same coverage as professional-grade security tools such as those used to perform SAPSCAN, a vulnerability assessment specifically engineered for SAP systems. SAPSCAN automatically reviews the configuration of your SAP environment against SAP security recommendations and hundreds of other vulnerabilities not included in the SAP white paper.
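Step 1 is the one item in the guide that turns directly into configuration: the port numbers are a function of the two-digit instance number, and everything else from end-user networks should be dropped. The following added example (not from SAP's white paper or from Layer Seven Security) resolves the 32NN, 33NN, 36NN and 443NN templates for a given instance and emits an allow-list in iptables-save syntax, with SSH permitted only from an administrative subnet. The host address, subnets and chain name are constructed; the port templates are the ones step 1 lists.

```python
"""Resolve the SAP ports from step 1 for an instance number and emit an
allow-list firewall ruleset (iptables-save syntax).

Port templates come from step 1 of the guide; the SAP host, user and admin
subnets and the FORWARD chain used below are constructed for illustration.
"""

# Service -> port template; "NN" is the two-digit SAP instance number.
SAP_USER_PORTS = {
    "dispatcher": "32NN",
    "gateway": "33NN",
    "message_server": "36NN",
    "https": "443NN",
}


def sap_ports(instance, templates=SAP_USER_PORTS):
    """Resolve the templates for one instance, e.g. '00' -> 3200, 3300, 3600, 44300.

    The instance number is validated first: a one-digit or non-numeric value
    would silently produce a wrong port and an overly permissive rule."""
    if not (isinstance(instance, str) and instance.isdigit() and len(instance) == 2):
        raise ValueError("SAP instance number must be a two-digit string such as '00'")
    return {name: int(tpl.replace("NN", instance)) for name, tpl in templates.items()}


def firewall_rules(instance, sap_host, user_net, admin_net):
    """Allow-list for one ABAP instance.

    End-user networks may reach only the four step-1 ports; SSH (step 1's
    administrative protocol) is accepted only from the admin subnet; every
    other packet towards the SAP host is dropped. Rules are returned in the
    order they must be applied, since the final DROP is a catch-all."""
    rules = []
    for name, port in sap_ports(instance).items():
        rules.append(
            f"-A FORWARD -s {user_net} -d {sap_host} -p tcp --dport {port} "
            f"-m comment --comment sap-{name} -j ACCEPT"
        )
    rules.append(
        f"-A FORWARD -s {admin_net} -d {sap_host} -p tcp --dport 22 "
        f"-m comment --comment sap-admin-ssh -j ACCEPT"
    )
    rules.append(f"-A FORWARD -d {sap_host} -j DROP")
    return rules


if __name__ == "__main__":
    # Constructed addresses: SAP host, end-user network, administrative subnet.
    for rule in firewall_rules("00", "10.0.5.10", "10.20.0.0/16", "10.99.0.0/24"):
        print(rule)
```

The same template table can be extended with ports for other SAP services a given landscape actually needs (for example additional instances), but the point of the exercise is that anything not in the table is denied by the trailing DROP rather than permitted by omission.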


Reference: Layer Seven Security