(1 votes, average: 10 out of 10)
Loading ...Dan Swanson’s Security Resources: #4
My fourth column provides another diverse collection of leading resources.
This week’s question: “How prepared is your organization?” If you have any concerns on the robustness of your disaster recovery, business continuity, and/or your emergency management capabilities, I’d strongly recommend you check out the Canadian Centre for Emergency Preparedness.
Studying for your CISSP? The CCCure.Org web site is the place to go!
Feeling you need to ramp up your security training efforts? Check out ISC2’s comprehensive educational resource guide.
Finally, have you been questioning who is responsible for information security lately? Study the views of an internal auditor.
Enjoy.
Good luck and have another great week.
Dan Swanson
Dswanson_2005@yahoo.com
1. The (ISC)² 2007 Resource Guide for Today’s Information Security Professional - Global Edition provides the latest resources in educational references, year-long events listings and leading industry sponsors all in one handy downloadable reference guide.
2. The Systems Security Engineering Capability Maturity Model (SSE-CMM) was developed to advance security engineering as a defined, mature, and measurable discipline. It describes the characteristics essential to the success of an organization’s security engineering process, and is applicable to all security engineering organizations including government, commercial, and academic.
3. CCCure.Org The CISSP, SSCP, CISM, CISA, ISSPCS, and SANS GIAC GCFW Open Study Guides Web site is dedicated to helping people in achieving their goal of becoming a CISSP, SSCP, CISM, CISA, ISSPCS, or GCFW. Over the years it has become a vast container of resources that can assist you in mastering the domains of the specific Common Body of Knowledge related to each of the above certifications.
4. Ask the Auditor: Who is Responsible for Information Security?
The Auditor Responds: In short, the board of directors, management (of both staff and business lines) and internal audit functions all have significant roles in auditing information security. The big question for many companies is how these stakeholders should work together to ensure that everything that should be done to protect sensitive data is being done — and that the company’s key assets are protected appropriately.
5. The Canadian Centre for Emergency Preparedness (CCEP) is a not-for-profit organization based in Canada & devoted to the promotion of emergency risk management to individuals, communities and organizations, in both government and the private sector, with the aim of reducing the risk, impact and cost of natural, human-induced and technological disasters. CCEP’s objectives are to raise awareness of the increasing risks of disasters, promote the need for sound disaster management practices and disseminate information on the availability of professional expertise and resources, including technology.
6. What Should Your Business Continuity Efforts Focus On?
A Reader Asks: Should your business continuity program (BCP) consider the impacts of emerging threats and changing business practices, and what are the key issues involved today?
The Auditor Responds (Short answer): Your BCP and disaster recovery programs should be designed to respond to a wide variety of potential incidents, covering both man-made disasters, such as power-grid or environmental control failures, and natural disasters, such as hurricanes and mass staff outages due to epidemics.
The long answer: http://www.itcinstitute.com/display.aspx?ID=2090
Related Posts
(No Ratings Yet) Loading ...Dan Swanson’s Security Resources: #3
There are several ongoing, long-term security efforts worth examining. The National Institute of Standards and Technology (NIST) has published hundreds of guidance documents relating to all aspects of information security over the years. Just as importantly, they consistenly maintain the currency of their guidance. The Center for Internet Security (CIS) has developed dozens of consensus-based security benchmark checklists that can be used for securing various technologies commonly in place, in most organizations. CIS tools have been a world wide standard in “hardening” various technologies. And the U.S. Department of Homeland Security Build-Security-In (BSI) initiative is truly amazing, its an endless source of advice and guidance and needs to be visited frequently as new items are added regularly.
As always, I have also included a few topic-specific resources.
Enjoy.
Good luck and have another great week.
Dan Swanson
Dswanson_2005@yahoo.com
1. Build Security In (BSI)
As part of the Software Assurance program, Build Security In (BSI) is a project of the Strategic Initiatives Branch of the National Cyber Security Division (NCSD) of the Department of Homeland Security (DHS). The Software Engineering Institute (SEI) was engaged by the NCSD to provide support in the Process and Technology focus areas of this initiative. The SEI team and other contributors develop and collect software assurance and software security information that helps software developers, architects, and security practitioners to create secure systems.
2. The Computer Security Division (CSD) of the National Institute of Standards and Technology (NIST), including the Federal Information Security Management Act (FISMA) library.
The mission of NIST’s Computer Security Division is to improve information systems security by:
• Raising awareness of IT risks, vulnerabilities and protection requirements, particularly for new and emerging technologies;
• Researching, studying, and advising agencies of IT vulnerabilities and devising techniques for the cost-effective security and privacy of sensitive Federal systems;
• Developing standards, metrics, tests and validation programs:
o to promote, measure, and validate security in systems and services
o to educate consumers and
o to establish minimum security requirements for Federal systems
• Developing guidance to increase secure IT planning, implementation, management and operation.
3. The SANS (SysAdmin, Audit, Network, Security) Institute
SANS is one of the most trusted and by far the largest source for information security training and certification in the world. It also develops, maintains, and makes available at no cost, the largest collection of research documents about various aspects of information security, and it operates the Internet’s early warning system, Internet Storm Center.
4. CERT’s Resiliency Engineering Research
The cornerstone of their research is the development of the CERT® Resiliency Engineering Framework. The framework is the foundation for a process improvement approach to security and business continuity. It establishes an organization’s resiliency engineering process: a collection of essential capabilities that an organization performs to ensure that its important assets—people, information, technology, and facilities—stay productive in supporting business processes and services. The framework serves as a foundation from which an organization can measure its current competency, set improvement targets, and establish plans and actions to close any identified gaps. As a result, the organization repositions and repurposes its security and business continuity activities and takes on a process improvement mindset that helps to keep these activities productive in the long run.
5. The Center for Internet Security (CIS) is a non-profit enterprise whose mission is to help Organizations reduce the risk of business and e-commerce disruptions resulting from inadequate technical security controls. CIS members develop and encourage the widespread use of security configuration benchmarks through a global consensus process involving participants from the public and private sectors. The practical CIS Benchmarks support available high level standards that deal with the “Why, Who, When, and Where” aspects of IT security by detailing “How” to secure an ever widening array of workstations, servers, network devices, and software applications in terms of technology specific controls. CIS Scoring Tools analyze and report system compliance with the technical control settings in the Benchmarks. The CIS Benchmarks and Scoring Tools are available for download free of charge.
6. Microsoft releases guidelines for customer privacy
A 49-page document previously kept internally by Microsoft was released at an international privacy professionals’ conference in Toronto. The company hopes its Privacy Guidelines for Developing Software Products and Services will spur further industry discussions.
Related Posts
(No Ratings Yet) Loading ...Dan Swanson’s Security Resources: #2
I introduced my security resource education initiative last week (click here if you missed it). Each week, I’ll present six leading resources which will be useful to all information security professionals as well as many IT professionals.
As everyone knows there is no end to the professional development efforts for any professional and this column is dedicated to providing resources that will be useful for all IT security professionals and IT professionals to study and learn.
They are provided to support the improvement of your organization’s security practices and security posture, and always remember, there is no better way to learn than by doing.
The resources provided this week include guidance regarding:
• the insider threat issue,
• leading methods for developing secure Web code,
• what security is truly facing (a war), and
• a Web site dedicated to the ISO27000 security standard series.
Enjoy.
Dan Swanson
Dswanson_2005@yahoo.com
1. CERT® Insider Threat Research
The CERT insider threat research focuses on both technical and behavioral aspects of actual compromises. They produce models, reports, training, and tools to raise awareness of the risks of insider threat and to help identify the factors influencing an insider’s decision to act, the indicators and precursors of malicious acts, and the countermeasures that will improve the survivability and resiliency of the organization.
2. The Open Web Application Security Project (OWASP)
OWASP is dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. Their open source projects and local chapters produce free, unbiased, open-source documentation, tools, and standards. The OWASP community also facilitates papers, conferences, local chapters, presentations, and mailing lists. If you’re new to application security, try their “getting started guide”.
3. The Information Warfare Site (IWS)
IWS is an online resource that aims to stimulate debate about a range of subjects from information security to information operations and e-commerce. It is the aim of the site to develop a special emphasis on offensive and defensive information operations. IWS first went online in December 1999. Since its launch it has undergone a complete redesign and many key texts have been added. In adherence to its founding principles IWS has developed several mailing lists to enable a more interactive debate.
4. The Defense-in-Depth Foundational Curriculum handbook discusses information assurance issues and how to address these at both organizational and technical levels. The handbook is written for students ranging from system administrators to CIOs who have some technical understanding of information systems.
5. Gary Hinson’s Web site has a variety of excellent resources. He maintains a comprehensive page of links for ISO 27000 resources and IT governance.
6. GAO Executive Guide: Information Security Management: Learning From Leading Organizations.
A high priority of the CIO Council is to ensure the implementation of security practices within the Federal government that gain public confidence and protect government services, privacy, and sensitive and national security information. This Executive Guide, “Information Security Management, Learning From Leading Organizations,” clearly illustrates how leading organizations are successfully addressing the challenges of fulfilling that goal. These organizations establish a central management focal point, promote awareness, link policies to business risks, and develop practical risk assessment procedures that link security to business needs. This latter point–the need to link security to business requirements–is particularly important, and is illustrated in a statement of a security manager quoted in the guide: “Because every control has some cost associated with it, every control needs a business reason to be put in place.”
Related Posts
(No Ratings Yet) Loading ...Dan Swanson joins our blogging team
I’m pleased to let you know that security expert Dan Swanson has joined our blogging team. Dan is a 25-year internal audit and information security veteran and currently a senior Information Security consultant at Seccuris Inc. He’s done consulting projects for more than 30 different organizations; spent almost 10 years in government auditing at the federal, provincial, and municipal levels; and in the private sector, worked mainly in the financial services, transportation, and health sectors. He’s written more than 125 articles on information security, internal auditing, security and other management topics, and is a regular columnist for ComplianceWeek between freelance writing and consulting assignments.
Dan’s MO is to put you in touch with the online security resources you need. You’ll find at least half a dozen useful links each week. He’ll be posting each Wednesday in our Security Insider blog. In fact, he would have posted this Wednesday, but his editor (that would be me) dropped the ball, so the post was cleared on Friday. (Let the flogging commence.)
Check back each week for more security resources.
Related Posts
(No Ratings Yet) Loading ...Dan Swanson’s Security Resources: #1
Recently someone forwarded me a comprehensive survey of Canadian IT professionals that indicated there was a lack of information security guidance available for IT and security professionals to follow. I strongly disagree with the point of view that more guidance is needed to operate a secure environment and implement secure systems and solutions, although certainly more papers on various challenging subjects would always be beneficial.
Each week over the coming months, I plan to highlight leading security resources and initiatives that will support your efforts to improve security practices within your organization. Each column, I will highlight a half dozen leading security focused resources covering various aspects of information security management.
Finally, people learn in different ways. Some like to read, some like to hear, some like to see, some like to discuss, etc. Whichever method works for you is fine. My approach is to highlight leading resources to people and let them determine what is the best way to digest the knowledge and, more importantly, apply it in the their professional efforts. I have found considering how to apply the general guidance to the specific organizational situation is one of the best ways to obtain a deep understanding of the key concepts, methods, and recommendations being presented by the various resources. In other words — implementing change is always the best teacher.
Share this posting with your colleagues. Good luck and have a great week.
1. The ISF Standard of Good Practice for Information Security
The ISF standard is designed to help any organization, irrespective of market sector, size or structure, keep the business risks associated with its information systems within acceptable limits. It is a major tool in improving the quality and efficiency of security controls applied by an organization.
2. CERT® Coordination Center (CERT/CC)
The CERT Coordination Center (CERT/CC), arguably the most widely known group within the CERT Program, addresses risks at the software and system level. Although it was established as an incident response team, the CERT/CC has evolved beyond that, focusing instead on identifying and addressing existing and potential threats, notifying system administrators and other technical personnel of these threats, and coordinating with vendors and incident response teams world wide to address the threats.
3. Information Security Handbook: A Guide for Managers
NIST has published a new information security handbook which should be “required reading” for pretty well most everyone involved with IT and/or IT Security although some people can certainly skim many of the sections in this 176 page document.
4. Secure Coding: Principles & Practices
Welcome to the on-line home of Secure Coding: Principles and Practices (O’Reilly, 2003). They provide information about the book and its authors; updated versions of links and tables that appear in the book; and also original supplemental material like op/ed pieces and vulnerability analyses. It’s all offered in the spirit of helping us build strong and light “virtual bridges” in the years to come.
5. The Information Systems Security Association (ISSA)
ISSA is a not-for-profit, international organization of information security professionals and practitioners. It provides educational forums, publications and peer interaction opportunities that enhance the knowledge, skill and professional growth of its members. With active participation from individuals and chapters all over the world, the ISSA is the largest international, not-for-profit association specifically for security professionals.
6. Process Agnostic Navigational View
The process agnostic approach incorporates security into each basic phase of software development. The best practices and methods described are applicable to any and all development approaches as long as they result in the creation of software artifacts.
https://buildsecurityin.us-cert.gov/daisy/bsi/438.html
Related Posts
(3 votes, average: 10 out of 10) Loading ...CanSecWest PWN to OWN 2008
So this is a rather interesting story, which beautifully lends itself to sensational press and great article titles like “MacBook Air hacked in two minutes” and “Vista falls, Linux holds strong”. This frankly, is exactly why TippingPoint and CanSecWest sponsor and host the contest. The very noble “we took another zero-day vulnerability off the streets” sounds like as good a reason as any to have some hacker fun. Hey, I’ll buy it.
Here’s the problem, few people bother to understand any detail of what happened. They just read the “Ubuntu wins” and figure it’s safe to assume that’s the most secure operating system choice, or that OSX fell first, so it must be the least secure.
Let’s look at what actually happened. Read the rest of this entry »
Related Posts
(2 votes, average: 8.5 out of 10) Loading ...ShmooCon 4
Last weekend was the 4th annual Shmoocon. Tickets for the event sell out very quickly as they limit attendance. This year, 1200 self-proclaimed hackers came to the event that promised “less moose than ever”. Far from the formality of a regular conference, Shmoocon runs talks by researchers presenting new findings and new tools. Attendees are encouraged to throw “Shmoo-balls” (soft stress balls) at any speaker they disagree with, spawning spirited debate and keeping everyone honest. It’s all done in the best of humour, and results in a gathering of some of the smartest minds in the business working on very difficult problems. There is a true connection and sense of camaraderie among everyone I meet. Great event. Read the rest of this entry »
Related Posts
(1 votes, average: 8 out of 10) Loading ...Is your enterprise environment full of data leaks?
Your company’s IT security profile may be like an old leaky ship. Data and information might be dangerously exposed and seeping into an outside malicious world – without you or your organization even knowing it. How secure is your IT security? Do you routinely test its robustness? Do you know how? Do you know the warning signs of “data leakage” – what to look for and where? Could your current risk exposure be sinking your business?
These issues of data security will be the topic of discussion I’ll be hosting on January 31 as part of IT World Canada’s Frankly Speaking series in Toronto, with special guest, security analyst David Senf of IDC Canada plus another yet-to-be-announced expert from Symantec Canada. Among other things, we’ll be discussing strategies for how to recognize the symptoms of data leakage, how to stop the bleeding, and ways to ensure a secure and protected IT environment.
It’s the things that you don’t know that can hurt you and your business. Where are your organization’s IT security holes?
I’ll be reporting on the key highlights of our upcoming discussion in a future posting in early February. Stay tuned.
Related Posts
(1 votes, average: 9 out of 10) Loading ...Spammers strike SkyDrive
Spammers have found a new way to dodge filters and creep into your inbox, and they’re using a Microsoft service to unwilling aid and abet.
Last August, Microsoft launched the beta of SkyDrive, a Windows Live service that allows users to upload files to be shared with others. This, by the accounts of some I’ve read, is a nifty little service. Of course, I couldn’t tell you myself, as, like many things Windows Live, its availability in Canada is trailing it use in the States by some several months. Read the rest of this entry »
Related Posts
(1 votes, average: 10 out of 10) Loading ...Eats, shoots and phishes
There’s an old writer’s joke about the importance of punctuation that goes like this: A panda walks into a bar. He sits down at a table, orders his food and eats it. Then he pulls out a gun, fires a shot into the ceiling and walks to the door. The bartender yells: “Hey! What do you think you’re doing?!” The panda throws him a well-thumbed dictionary and says, “I’m a panda. Look it up.” The dictionary definition reads: “Panda (n) — a fur-bearing mammal. Eats, shoots and leaves.”
(It’s also the title of a brilliant and funny book by Lynne Truss that any word geek or member of the Facebook group Good Grammar is Hot will appreciate during this gift-giving season.)
Computerworld Canada editor Shane Schick reminded me of this as we were discussing phishing attacks we’d received lately. (He also beat me to coining the title of this post, damn his eyes.)
Related Posts
