CISO

Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach’

2010-03-09T09:46:00.000+03:00

NIST has recently released the final publication of the "Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach". This NIST special publication (NIST Special Publication 800-37, Revision 1) can be downloaded from csrc.nist.gov website. As per this guide, the Certification and Accreditation process of the federal government information

Guide to ISO 31000

2010-03-09T09:37:00.000+03:00

Three risk associations, Airmic, Alarm, and the IRM, have collaborated to publish a free guide to ISO 31000 titled "A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000". The guide is organized in two parts each containing four chapters with two appendices. The document is neatly organized and is useful for organizations implementing/ following ISO 31000

Top Cloud Security Threats Report

2010-03-09T09:10:00.001+03:00

The Cloud Security Alliance (CSA) and HP have published new research findings that detail the potential threats surrounding the use of cloud services. This seems to be a serious effort to bring up the security concerns related to the cloud.This 14 page report identifies 7 threats namely Abuse and Nefarious Use of Cloud Computing Insecure Interfaces and APIs Malicious Insiders Shared Technology

Money Mules

2010-02-09T09:39:00.000+03:00

In the recent days, we have seen many emails claiming to be from your bank and asking you to provide the user name, password, ATM Number PIN etc... First of all let me emphasize the fact that these are fake emails. Banks or any other responsible companies will never ask for these details of yours for any reason. Let me reiterate that never ever respond to such emails. Do not click on the

Typical data leakage scenario's

2010-01-19T06:48:00.000+03:00

Data leakage is a key threat which could give sleepless nights for any business executive and is definitely on the top priority of the CISO's and information security managers. I have looked into the DLP scenario's and various solutions. I have not found a single solution which covers more than 75% of the DLP, may be my expectations are higher.Many of my vendor's used to tell me that I will have

ISACA Kuwait chapter in formation

2010-01-17T21:03:00.000+03:00

We had a meeting today for the ISACA Kuwait chapter in formation. It was a good one. We were 10 people from various organization. The meeting started at around 6:15 which extended till 7:30. We had the meeting at the Salhiya complex in Kuwait City, which is graciously organized at the Conference room of Deloitte. A public event is planned for a wider audience during the first week of February.

Heartland to pay Amex $3.6m for massive payment breach

2009-12-21T13:50:00.000+03:00

In a recent development, Heartland Payment Systems will pay American Express $3.6m to settle claims related to the criminal breach of its payment processing network last year. During this security incident, which is disclosed by HP in January 2009, (incident took place during 2008) millions of credit card data has been stolen exploiting the security vulnerabilities in the web sites. Albert

NIST Updates Automated Computer Security Validation Guidelines

2009-12-17T15:52:00.001+03:00

The National Institute of Standards and Technology (NIST) has issued a draft publication for public comment that describes changes to the Security Content Automation Protocol (SCAP). SCAP is a suite of specifications that use the eXtensible Markup Language (XML) to standardize how software products exchange information about software flaws and security configurations. SP 800-126 Revision 1, The

Outsourcing the payment card related activities

2009-12-17T15:40:00.000+03:00

Many organizations outsource their work to third parties for meeting their business objectives. The objectives vary from simple low cost labor to risk management practices. Some organizations outsource part of the work while others outsource a major chunk of their work. In this essay, I will be covering some aspects of outsourcing the payment card related activities. The key focus is on doing a

Microsoft Security Essentials - First impression

2009-12-07T13:23:00.002+03:00

Recently I have decided to replace my current anti-virus software with Microsoft Security Essentials. So last weekend I have done this exercise. My initial thoughts are it is a nice work by Microsoft. It does not give much load to my laptop. Seems to have fairly good protection from virus. I have tried downloading some virus infected files, which triggered alerts. Also opened some old virus

IBM to buy Guardium

2009-12-03T11:41:00.000+03:00

The database security solutions company Guardium might get bought by the IT giant IBM. Guardium's product enables companies to extend the use of corporate applications to customers, partners and providers while ensuring that the databases used by those applications are shielded. More news at http://news.yahoo.com/s/nm/20091129/bs_nm/us_guardium_ibm

Phishing in the middle eastern banks are on rise

2009-12-03T11:29:00.001+03:00

Image via Wikipedia Recently I was noticing an increase in the phishing emails targeted to the Banks in Kuwait. This was very low in the past years, as low as only 10 attempts noticed at some banks. However, recently the number of attacks are risen drastically. I am wondering what made the phishers to target these countries all of a sudden? Is it the fact the cyber laws are not strong or that

Analysing the file integrity requirement of the PCI DSS

2009-10-25T11:06:00.000+03:00

I always wondered about the file integrity monitoring requirement of the PCI DSS standard. What is the purpose of this requirement? Is it a control or an compensating control. Isn't it something similar to the much debated "code review or web application firewall" subject? To understand more about this control, I looked into the control in detail. The file integrity requirement is referenced in

Cleared the CoBIT Foundation exam

2009-10-20T12:51:00.002+03:00

It is a while since I have scribbled my thoughts on this blog. Latest update is that I have cleared the CoBIT Foundation exam recently. The exam tests your knowledge on various skills related to IT Governance, primarily with the focus on the COBIT framework.I have used COBIT document for preparation and a li'l bit of stuff from internet. It gives a slightly better perspective on the governance

Cloud Security vsTwitter Security Incident

2009-07-22T08:23:00.004+03:00

The recent incident at the Twitter on the information leakage shall not be considered as a cloud security weakness. Reading through various blogs and the description from Twitter , it looks like the real cause is the weak security practices followed by a Twitter employee.Like many other users, I use the Google Apps for various solutions and email is one among them. So, if there is a security

PCI DSS guideline on Wireless Network

2009-07-20T21:31:00.001+03:00

The PCI Council published the guideline prepared by the PCI SSC Wireless Special Interest Group (SIG) Implementation Team named as PCI DSS Wireless Guideline (Information Supplement) to address the wireless security in the cardholder data environment (CDE)https://www.pcisecuritystandards.org/pdfs/PCI_DSS_Wireless_Guidelines.pdfThis guideline has come out after 4 years of the security incident (TJ

France Creates New National IT Security Agency

2009-07-10T15:29:00.000+03:00

France has created a new national IT systems security agency to better defend its IT networks. The French Networks and Information Security Agency (FNISA) will conduct a round-the-clock watch on sensitive government networks in order to detect and respond to cyberattacks. That mission is increasingly important, as U.S. and South Korean government authorities have battled this week with

PCI Compliant Hosting

2009-06-22T15:39:00.000+03:00

PCI compliant hosting is one of the key aspect you need to look for when you plan to host some of the credit card data of your customers at hosting providers site. Some of the key aspects you should look for from a PCI DSS Compliance perspective are (to qualify a service provider as PCI compliant hosting provider): The hosting provider should support / allow the periodic pci scans/ vulnerability

NIST publishes the Guide to Enterprise Telework and Remote Access

2009-06-22T15:27:00.000+03:00

Final issue has published the final version of the standard for enterprise will telework and remote access security. The standard covers information security issues such as employees working from home and vendors working from remote sites. The document is very impressive as its covers more or less all aspects of the telework and remote access life cycle. This includes components like

what is visa cisp?

2009-06-21T15:28:00.000+03:00

VISA CISP is the Cardholder Information Security Program from VISA. This is similar to the program PCI DSS and is also known as VISA CISP PCI. Presently the visa cisp programme, has been replaced by the PCI DSS Compliance requirement. Visa mandated the visa cisp program with effective from 2001 and requires all its members to be in compliance with the visa cisp. In 2004, VISA CISP

PCI SSC Guidence for Merchants on PCI DSS

2009-03-27T15:30:00.000+03:00

PCI SECURITY STANDARDS COUNCIL LAUNCHES NEW RESOURCE TO GUIDE MERCHANTS TO PCI DATA SECURITY STANDARD COMPLIANCEPrioritized Approach framework helps merchants focus PCI Data Security Standard implementations through six security milestonesWAKEFIELD, Mass., Mar. 3, 2009 — The PCI Security Standards Council, a global, open industry standards body providing management of the Payment Card

Cable cut slows down the communications

2008-12-20T16:00:00.000+03:00

Three cables under the Mediterranean Sea which link Europe to West Asia have been damaged, causing partial slowdown in India’s Internet and telecom traffic. Experts said outsourcing traffic and Internet speed were affected yesterday. However, most BPO firms and individual Internet connections are working at normal speed today. Most of India’s Net traffic is routed through the US and

Microsoft to release the patch for the IE vulnerability

2008-12-17T16:49:00.000+03:00

A FLAW has emerged in Microsoft’s Internet Explorer web browser software which allows hackers to steal information from people’s PCs if they visit certain websites. Computer security experts only became aware of the issue when websites cropped up that were exploiting the flaw to steal user accounts for online gaming, which can then be sold on. Security problems such as this, which are discovered

Microsoft to release the patch for the IE vulnerability

2008-12-17T15:59:00.000+03:00

The Payment Card Process

2008-12-13T16:32:00.000+03:00

When a payment happens using a payment card (debit/credit) a verification process happens at the background which will decide whether to approve or reject the transacation. When a customer pays for products or services with a credit card, the card information is recorded—either by manual entry, a card imprinter, point-of-sale (POS) terminal, or virtual terminal—and then verified so that the