Welcome to cissp CISSP training Certified Information Systems Security Professional
(IN)SECURE magazine issue 18 has been released
Posted by boss on Friday, 26 September 2008 @ 00:56:49 EDT (371 reads)
Topic CISSP OSG INFO

cdupuis writes "
(IN)SECURE Magazine is a freely available digital security magazine discussing some of the hottest information security topics.

Issue 18 has just been released. Download it from: http://www.insecuremag.com

The covered topics include:

- Security standpoint by Sandro Gauci: Closing a can of worms
- Network and information security in Europe today
- Browser security: bolt it on, then build it in
- Passive network security analysis with NetworkMiner
- Lynis - an introduction to UNIX system auditing
- Windows driver vulnerabilities: the METHOD_NEITHER odyssey
- Removing software armoring from executables
- Insecurities in privacy protection software
- A proactive approach to data breaches
- Compliance does not equal security but it's a good start
- Secure web application development
- Avoiding a "keys to the kingdom" attack without compromising security
- The insider threat
- Web application security: risky business?
- Enterprise application security: how to balance the use of code reviews and web application firewalls for PCI compliance


Visit the (IN)SECURE Magazine web site at: http://www.insecuremag.com

Subscribe to our RSS feed at: http://feeds.feedburner.com/insecuremagazine

Contact:

- For information on contributing to (IN)SECURE Magazine, please contact Chief Editor Mirko Zorz at editor( at )insecuremag.com

- For marketing inquiries do contact Marketing Director Berislav Kucan at marketing (at) insecuremag.com

"

(comments? | Score: 0)


OSG NEWS: The CCCure Family of Portals Usage Agreement
Posted by boss on Saturday, 30 August 2008 @ 20:11:06 EDT (447 reads)
Topic CISSP OSG INFO

cdupuis writes "

IMPORTANT:  USAGE AGREEMENT PLEASE DO READ BEFORE JOINING

This CCCure Family of Portals is offering free security education resources to help you expand your knowledge and skills, further your career, discuss with others who have the same goals as you do, and of course help you reach your certification goals.

As an anonymous user on our web sites you have limited access.  Registration will give you lots of extra benefits and also allow you to access content such as our huge download section, our study guides, our quiz engine, our tutorials, our exam crams, our web links, and our forums to name only a few.

Leechers are definitely NOT welcome

In computing and specifically on this portal, being a leech or leecher refers to the practice of benefiting, usually deliberately, from others' information or effort but not offering anything in return, or only token offerings in an attempt to avoid being called a leech.  Do take the time to contribute articles, PowerPoint slide shows, study guides, videos, quiz questions, news, downloads, links, forum postings, etc...   If worst comes to worst and you do not have any free time to contribute, a donation is always appreciated as our operational expenses need to be paid on a monthly basis and money allows us to hire people to review and develop new content.

Usage Agreement (Please read, if you do not agree, do not join)

By registering on this web site you give implicit permission and authorize CCCure to send you advertising messages from our sponsors. The messages sent are for products or services that are security oriented.  We will NOT send messages about male enhancement or other types of get rich/bigger scams or similar products and services. The messages from our sponsors are sent only a few times a month and your email address is NEVER given or resold to anyone else.  We will pass the message on behalf of our sponsors but they never get access to your email address.

The web site is self supported through donations and advertising from our sponsors

Donations alone are totally ineffective and our yearly donations are very minimal at this point.  We must completely rely on our sponsors to survive. This is why we have such a policy in place. The final benefit to you the members and visitors of the web site is always: FREE ACCESS

Forcing registration also ensures that we minimize the amount of junk that unscrupulous users attempt to post within our message area, comments, web links, download areas, forums, or any other place where they can post their unsolicited and unwanted messages. The greatest benefit of all is the fact that registration helps us in maintaining the quality of the content overall.

Once you are registered and logged in, you will no longer see this message and new menus and options will be available to you as a registered member.


If you do not agree with the policy above, please do not register.
By registering you implicitly consent to our usage policy stated above.

Best regards

Clement and Nathalie
Site Maintainers

"

(Read More... | OSG NEWS | Score: 0)


Our latest site administrator, meet my brother Alain:
Posted by boss on Thursday, 28 August 2008 @ 11:32:32 EDT (485 reads)
Topic CISSP OSG INFO

cdupuis writes "

As you have experienced yourself, all of our portals have been growing at frantic speed.

I was totally overwhelmed by the massive amount of emails and maintenance tasks that Nathalie and I had to cater to on a daily basis.   I have asked my brother to get out of retirement (nice of me) to help me with the maintenance of our portals.  He agreed and I was very happy he did.  Below you have a short biography of my brother Alain, who also believes in sharing and giving back to the community:

My brother Alain has recently retired from the Canadian Navy after more than 34 years of Service. During his career, he has worked primarily in the information technology field as an electronic technician, computer and communications technologist, combat system engineer, and software analyst.  He has held various positions such as Chief Technical Officer in charge of maintaining a mainframe computer centre and Quality Assurance Officer during the construction of the Canadian Patrol Frigates.  For his last 7 years of Service in the Navy, he worked as a programmer and software analyst for the Combat System software used on the Canadian Frigates. He has specialized in large-scale, multi-million dollar software projects.

For the past 20 years, he has assisted his wife, Lynette, in her activities with the Block Parent Program in Ottawa, Victoria, and Halifax. His family received their first Block Parent window sign in Gloucester, Ontario. In 2002, the BPLink project asked Alain to join their team as a technical advisor. Because of his technical background, Alain was well suited for the job. Shortly after, he accepted the position of Project Manager on a voluntary basis, a job that he still performs today.

We are extremely glad to have Alain onboard and it will help GREATLY to maintain proper quality of service and prompt response to your queries.

Thanks Bro!

Clement

"

(comments? | Score: 0)


Why Leaders Should Care About Security (podcast)
Posted by boss on Friday, 08 August 2008 @ 11:07:36 EDT (546 reads)
Topic CISSP OSG INFO

cdupuis writes "

NOTE FROM CLEMENT:

The message above was posted by my friend Dan Swanson on his mailing list.   If you wish to subscribe simply click on the subscribe link:   Subscribe

Under the URL http://www.cert.org/podcast/ you will find a large collection of podcasts that are extremely interesting.  Do take a look and start racking up some CPEs.  All of this is available for FREE; that's the price I wish to pay for my CPEs.

Here is the message:

This podcast is intended to motivate leaders to pay attention to enterprise and information security, and the risks of not doing so. It introduces two landmark examples of organizations that did not treat adequate security as a high priority. It places security in a governance context and introduces how security can be viewed as a competitive advantage.

It discusses creating a culture of security, demonstrating duty of care, and determining who is ultimately responsible for security. It provides some next steps for taking action.

http://www.cert.org/podcast/show/leaders.html

Enjoy

Dan

"

(comments? | Score: 0)


Randy Pausch, Known for his "Last Lecture," Dies
Posted by boss on Friday, 25 July 2008 @ 21:41:24 EDT (632 reads)
Topic CISSP OSG INFO

cdupuis writes "

NOTE FROM CLEMENT:
I usually do not write articles that are off topic. But his story and the presentation of Mr. Pausch has really touched me in a very special way. His presentation was so full of truth about our values and life that I listened to it a few times. If you have NOT listened to it, I would recommend very strongly that you do so.

The lecture is at: http://www.youtube.com/watch?v=ji5_MqicxSo

BELOW YOU HAVE THE SAD NEWS THAT HE PASSED AWAY:

Top News July 25, 2008, 1:30PM EST
Randy Pausch, Known for his "Last Lecture," Dies
Randy Pausch's final talk at Carnegie Mellon, in which he celebrates having fulfilled his childhood dreams, was an international sensation
By RAMIT PLUSHNICK-MASTI

Associated Press Writer

PITTSBURGH (AP) - Randy Pausch, the Carnegie Mellon University computer scientist whose "last lecture" about facing terminal cancer became an Internet sensation and the basis of a best-selling book, died Friday. He was 47.

Pausch died at his home in Chesapeake, Va., said Jeffrey Zaslow, a Wall Street Journal writer who co-wrote Pausch's book. Pausch and his family had moved there last fall to be closer to his wife's relatives.

Pausch was diagnosed with incurable pancreatic cancer in September 2006. His popular last lecture at Carnegie Mellon in September 2007 garnered international attention and was viewed by millions on the Internet.

In it, Pausch celebrated living the life he had always dreamed of instead of concentrating on his impending death.

See full article at:
http://www.businessweek.com/print/bwdaily/dnflash/content/jul2008/db20080725_243087.htm
"

(Read More... | 2 comments | Score: 0)


Problem with access to the Quiz Engine
Posted by boss on Thursday, 26 June 2008 @ 12:01:42 EDT (275 reads)
Topic CISSP OSG INFO

cdupuis writes "

Good day to all,

We are very sorry for the problems you had accessing the Quiz Engine.

There was a DNS issue that prevented people from accessing the quiz using the URL.

This should resolve itself over the next 24 hours as DNS is being updated.

In the meantime you can use:

http://207.45.179.106/~freeprac/quiz/home.php

The URL above will take you directly to the quiz engine.

Thanks to all for your patience

Clement and Nathalie

"

(comments? | Score: 0)


Biometric Systems study Information produced by Shon Harris
Posted by boss on Tuesday, 17 June 2008 @ 22:35:33 EDT (328 reads)
Topic CISSP OSG INFO

cdupuis writes "

Below you will find a link to great information on Biometric Systems that was produced by Shon Harris.

Visit:

http://www.logicalsecurity.com/resources/resources_biometrics.html

Enjoy!

Clement

"

(comments? | Score: 0)


The BIG and FAT IT employee
Posted by boss on Saturday, 24 May 2008 @ 18:14:44 EDT (542 reads)
Topic CISSP OSG INFO

cdupuis writes "

NOTE FROM CLEMENT:

Interesting article on health issues of IT workers. I can certainly relate to this one as I have been putting on pounds over the past few years. We surely have a nice recipe for disaster in our jobs: we do not eat very well, we have stress, and we have a very sedentary employment. We have to discipline ourselves into eating better, moving more, and eating less generous portions. See some statistics below:

Friday, May 16, 2008 12:02 PM/EST

IT Workers Weigh In on Health Habits

Feeling a little, shall we say, sluggish lately? You might be among the vast ranks of IT workers who have put on some extra heft while sitting at their desks.

A study by CareerBuilder.com found that half of U.S. IT workers have gained weight at their current jobs.

The study, which polled nearly 7,700 participants from Feb. 11 through March 13, found that 34 percent of IT workers report they have gained more than 10 pounds in their current positions. Even more alarming, 17 percent say they have put on more than 20 pounds!

Who knew managed services could be hazardous to your health? While the study doesn't specify anything about workers monitoring customer systems remotely, come on, you've got to admit that keeping an eye on a customer's systems from miles away by staring at computer screens surely produces far less sweat than even the minimal amount of walking to and from the truck a technician drives to a customer site for troubleshooting.

But let's not get crazy. The channel shouldn't turn its back on managed services just because that back is getting a few inches wider.

Perhaps a little more exercise during the day will do the trick, or taking better stock of what you eat. That is, if the extra weight bothers you. Hey, some people might enjoy the extra girth - who knows?

Another option for shedding some weight might be to take American Soda Machines up on its high-tech-themed soda vending machines offer. You could stock the machines only with diet drinks, or even better, water.

American Soda Machines promises that its machines offer a "fun, offbeat way to keep beverages cold, no matter the alcohol content." The company takes old machines and restores them. Restorations are customized, so if your company wants to put its logo or slogan on it, American Soda Machines will gladly oblige. For a fee, of course.

Granted, the high-tech industry's weight problem isn't going to be solved entirely by stocking customized soda vending machines. But it's a start. Think of all the calories you'll burn trying to tip the damn thing over once it takes your coins and refuses to spit out your drink.

Not to cast any aspersions on America Soda Machines' abilities, of course, but sooner or later every vending machine will steal your coins. It's a rule of some kind.

Then again, don't take advice from me on any of this. It turns out that 11 percent of IT workers buy their lunch from what CareerBuilder called "a notoriously unhealthy vending machine at least once a week."

But, hey, no matter the culprits, IT workers can take heart in another CareerBuilder finding: They are less chubby than financial services and government workers. Fifty-three percent of financial workers said they have gained weight at their current jobs, while the number for government workers is 52 percent.


"

(comments? | Score: 0)


SecurAnchor Newsletter by Eric Cole
Posted by boss on Friday, 02 May 2008 @ 11:20:23 EDT (936 reads)
Topic CISSP OSG INFO

cdupuis writes "

April 2008 Vol 4, Issue 3
Security in the News
Your source for up to date security headlines

Joe Stewart, director of malware research at SecureWorks, Inc., presented the results of his research into the size of botnets at the RSA conference, and asserted that botnets control over one million compromised computers and are able to generate more than 100 billion spam messages every day.

 

According to Mr. Stewart, the botnet controlling the most machines is Srizbi. This botnet is also known as Cbeplay and Exchanger, and has the capability of using its 315,000 controlled machines to generate 60 billion spam emails per day.

 

The Kraken worm's botnet is actually the Bobax botnet, and the Storm worm has been marginalized by its addition to Microsoft's Malicious Software Removal Tool hit list, knocking it down to number five on the list.

 

Bobax appears to be the number two botnet, controlling 185,000 machines. It can send 9 billion spam emails per day. Damballa has been making news claiming that Bobax is Kraken, or Kracken, and Damballa claims it controls 400,000 computers. However, Mr. Stewart said that Bobax goes by the name Kraken, as well as Bobic, Oderoor, Cotmonger and Hacktool.Spammer.

 

Mr. Stewart has developed a technique to generate an SMTP fingerprint for the various botnets, leading to more accurate identification and counts of botnet-controlled machines. SecureWorks also sampled the amount of spam that was observed as generated by various botnet-controlled machines and used probabilistic methods to extrapolate and determine how many spam emails the various botnets could generate.

 

Part of Mr. Stewart's aim was to help the little guy. As he explained, "I think it matters a lot to end users what a botnet's called. They go to look for information, perhaps after they've been infected, and all they have is that it's 'Agent XYZ.'" However, if there are various incompatible naming conventions, then it might be a worm with a new alias. "Then they'd find hardly any information on what it is or what data it may be after. I hope this trickles down to end users."

Anti-Tibetan Supporter Trojan Infects Pro-Tibetan Sites

 

Users who browse pro-Tibet sites can be infected with the Fribet Trojan. The best guess is that the Trojan is using a VML flaw (MS07-004) which Microsoft released a patch for last year. Unpatched systems visiting these sites can be subjected to an attack that creates a backdoor on the victimized systems.

 

The Trojan loads a 'SQL Native Client' ODBC library and executes SQL statements sent by command and control servers. This allows the attackers to gather data or modify databases the victims' machines are connected to with the appropriate logins and permissions. The monitoring feature of the Trojan allows the interception of passwords so the attackers will be able to log in to the databases.

 

Shinsuke Honjo and Geok Meng Ong, researchers for McAfee, wrote that, "This Trojan apparently can be used as an alternate to SQL injection attacks, but in a more direct way. Even the administrators of secure Web sites, protected against common SQL injection attacks, should ensure database backends are equally secure to defend against such a penetration vector."


CAPTCHA Broken by Botnets


The Windows Live CAPTCHA system used for Hotmail and the equivalent system at Gmail have been compromised by botnets which can crack the system. CAPTCHA was designed to stop spammers from opening Hotmail and Gmail accounts. These systems display distorted characters and are supposed to force a human to read, recognize and type the characters, thus preventing the automated creation of email accounts.

 

CAPTCHA is an acronym for Completely Automated Public Turing test to tell Computers and Humans Apart.

 

Spammers like Gmail accounts because they are free and not likely to be blacklisted. Now that the spammers own these types of free accounts, more spam is coming from those free providers' email accounts. Anti-spam services then attempt to slow down the flow of spam from those compromised accounts.

 

MessageLabs' Paul Wood said, "We're seeing more spam coming from Gmail and Yahoo. Where a service is widely abused its reputation goes down and it's held back in the queue. This happens automatically. These traffic management controls are not designed to block messages, they are intended only to slow down their transit. For messages that are subsequently blocked there should be a reason given in the non-delivery report."

 

February 2008's spam report indicated that 4.6 percent of spam is sent from Web-based mail services. The Gmail-originated spam doubled from January to February to 2.6 percent. Yahoo was the worst of the Web-based mail services, accounting for 88.7 percent of Web-based spam.

 

Meanwhile, in India, the spam rajas who do not have the good CAPTCHA-cracking bots employ sweatshop labor for $4 per day to establish Web-based email accounts.

GAO Report

The GAO report stated that, "GAO found numerous defense-related items for sale to the highest bidder on eBay and Craigslist. A review of policies and procedures for these Web sites determined that there are few safeguards to prevent the sale of sensitive and stolen defense-related items using the sites."

 

The GAO investigators clicked around from January 2007 through March 2008, and came up with two F-14 components (from two vendors), night-vision goggles with the friendly force identifying 'component,' body armor and an Army combat uniform.

 

Continuing, the GAO report made the point that bad guys getting hold of this stuff could reverse engineer it to come up with countermeasures.

 

This GAO report, which the GAO characterized as not comprehensive in any way, did not address whether export controls would keep bad guys from getting the stuff, nor did it look at the failed property management practices which have made stuff available in the past.

 

Instead, we have the CEO of Craigslist called before Congress to explain what Craigslist is. Jim Buckmaster explained that the GAO report was mistaken when it called Craigslist "a global marketplace with international reach" and that instead Craigslist was a collection of separate local marketplaces. He also explained that users are discouraged from engaging in sales which require shipping.

Nine Years for $1.4M Fraud


To continue the theme of fraud and misrepresentation, the following comparison is offered. A Colombian man has been sentenced to nine years for computer fraud. This fraud (if unchecked) could have potentially affected more than 600 people and involved the staggering (attempted and actual) sum of 1.4 million dollars.

 

To refresh our memories, the contractor who sabotaged the Sixth Fleet navigation computers, which affected more than one submarine and put at risk the crews of every sub in the Sixth Fleet, received one year. To even look at the dollar value associated with the submarines is the wrong thing to do, but instead one must think about the potential loss of life associated with the possibility of a sub colliding with another sub or an undersea hazard.

 

When Simbaqueba Bonilla was seized by federal agents, the laptop he was carrying had the names and passwords of more than 600 people, as well as other personal and financial information about those people.

Single Photon Gate Realized

 

Quantum computing at the single photon level is closer to reality with the physicists at Bristol University in the United Kingdom creating an optical "controlled-NOT" gate on a silicon chip which can act on an individual photon. According to a press release from the university, this is "the building block of a quantum computer."

 

A quantum bit is called a "qubit" and the new gate, which processes the photon, or qubit, can now be realized on a single chip, whereas previously the gate occupied several square meters of space on an optical bench.

 

Mark Anderson, an influential voice in the technology community, wrote in his Strategic News Service newsletter that, "For those who believe that quantum computing is the next big breakthrough in the computing world, and who see the logic gate as a critical component, this is a critical step forward."

 

Professor Jeremy O'Brien, the lead researcher on the project, said that the chip "is a crucial step towards a future optical quantum computer, as well as other quantum technologies based on photons." One of Professor O'Brien's, Alberto Politi, also explained that it was the problem of scaling that this chip solved. Previously, the photons had to propagate through the air and required large optical elements. The new chip starts to solve these problems.

 

The chip has also enabled the researchers to observe quantum entanglement, an interaction of two particles in such a way that the state of an individual interacting particle cannot be defined, but the collective state of the interacting particles can be.

 

What is most important about this development, and which seems to have been left out of the discussion in the press, is the phenomenon associated with theoretical quantum computing, which is that the foundations of modern cryptography will be rendered obsolete. Symmetric key cryptography is a probabilistic exercise, and a quantum computer can try all of the possible keys to any encrypted message simultaneously. Presumably, then, the discrete log problem and the problem of factoring large numbers will also be solved, and therefore public key cryptography will also be useless for keeping any secrets.

Search Engine Optimization

 

Some individuals have employed questionable tactics to get the Web sites with which they are associated listed higher in the rankings for various search terms. Individuals who conduct these activities maintain that they are not breaking the law, and are only violating terms of service agreements. Search engine optimization has been going on since the advent of the meta tag, and as the search engines have come up with new ideas about relevance and what makes a Web site appear higher in the rankings for various search terms and phrases, optimizers have experimented, intuited, and even quit search engine companies to go into private practice, all in the name of getting those who pay, higher rankings. Those of us who believed in the Web as a level playing field and some concept of fairness have felt victimized by these tactics.

 

Now, apparently, so too the search engine providers themselves. The search engine optimizers (SEOs) had been finding the holes in the ranking algorithms and exploiting them. Google, around 18 months ago, started to penalize sites it thought were gaming the system, and then starting blacklisting the offending sites. According to critics of the tactic, some said that Google would delist sites without any warning.

 

Jeremey Schoemaker, the marketer known as Shoemoney, said that, "When people are ranking for a phrase and supporting their family, and then the next day they're off the map, that's really vicious. You can literally ruin someone's life."

 

One of the more cautious members of the SEO community, Eric Ward, who had been derided in the community for his by the book play, warned that black hat optimization was a dead end.

 

One of the ways that a site was deemed to be relevant was by how many other sites linked to it. In those days, SEOs built link farms - sites which were nothing but links to the sites which were hoped to get boosted in the ratings, and to each other, so that their rankings would help the end site in the rankings. The spiders crawled the links and added things up; the SEOs knew what to do.

 

When the search engines got wise to this technique and others like it, the SEO community started to polarize - with some working within the guidelines and others going to more extreme and shady tactics. And then sites which were infected with malware, sometimes through no fault of their own, were also penalized by the search engines.

 

RSnake is an individual with some experience with Web advertising, SEO work, and runs ha.ckers.org. He said that Google is making assumptions which are erroneous in their administration of search result rankings. RSnake said, "Google can shut you down at any time. But there are all kinds of weird things that could happen to you, upstream problems, a proxy goes bad, someone takes over your site, and there's no way for you to explain that it might not be your fault. They're making false assumptions about how the Internet works, which is that the owner of the IP address is always in control of what happens through that IP address."

 

Variations on the theme are rampant. Innocent sites are hacked to put links in the same color as the background on the site. Other tactics are cookie stuffing and attacks on high traffic blogs. MySpace and other social networking sites are used for the same linking purposes. And the value of search is lessened.


Our mission is to keep your business focused by helping you navigate the sea of security threats you face on a daily basis. Secure Anchor provides creative solutions that keep you ahead of the attacks and provide peace of mind that your critical assets are securely anchored.  In addition we are busy developing software solutions to meet the threats of tomorrow.

Sincerely,

Eric Cole
Secure Anchor

Check Point sponsor message:

Pointsec Protector provides a policy driven mechanism that secures an organization's sensitive information by controlling data that enters and exits a PC or server via removable media and I/O devices on any port (USB, Firewire, IDE, Bluetooth etc).

Are you...

- An enterprise business or government agency
- In banking/financial services, federal/local government, healthcare, business services, technology and/or manufacturing
- In control of devices connecting to machines in your network
- At risk if critical data is lost

Do you need to...

- Reduce financial risk of lost or stolen data on personal devices connected to PCs or servers
- Comply with regulatory mandates
- Integrate into existing infrastructure
- Reduce operating costs
Let us send you a FREE USB device which contains a discovery tool to detect what your exposure to data loss is.  If you would like one just send us an e-mail at newsletter@secureanchor.com and we will send it right out.

Secure Anchor | 11951 Freedom Drive | 13th Floor | Reston | VA | 20176
"

(comments? | Score: 0)


The Academy April 2008 Contest
Posted by boss on Friday, 25 April 2008 @ 23:32:37 EDT (528 reads)
Topic CISSP OSG INFO

cdupuis writes "

April 2008 Contest

This month we're stepping it up a bit and giving away a Check Point Safe@Office Wireless firewall appliance to one lucky registered user.

There's a catch though. You must submit a 500 word article discussing any topic that is information security related.

Submissions are posted below where the community will have the opportunity to vote on the best article.

All submissions should be sent to peter@theacademy.ca.

Please post your votes in the forum using the Monthly Contests -> April 2008 thread at:

http://www.theacademy.ca/index.php?option=com_fireboard&Itemid=138&func=showcat&catid=44

The article with the most votes will win.

Deadline for article submission is April 27. All votes must be in by April 30.

You can see The Academy reading room at:
http://www.theacademy.ca/index.php?option=com_content&task=section&id=21&Itemid=43
"

(Read More... | 6 comments | Score: 0)


Great mailing lists maintained by Dan Swanson
Posted by boss on Friday, 25 April 2008 @ 18:56:56 EDT (541 reads)
Topic CISSP OSG INFO

Anonymous writes "

NOTE FROM CLEMENT:
===============

Dan is someone who has been a long time supporter of the cccure.org website. I strongly encourage you to join his mailing list. It is always packed with treasures and great resources. Dan spends a lot of time researching resources and evaluating them. It is really worth subscribing to his mailing list.

Here is a note from Dan:

Good afternoon,

I now have over 1500 people that receive my free daily resource emails and the emails now go out to more than 100 different cities!


Please pass this "invite" on to anyone you believe will want to try it out.

I also have a lot of students on my listserv, so I encourage you to invite any students you know as well (to try it out).

Thanks.

HAGD.

Sincerely.

Dan

_______________________________________________________________
Dan Swanson publishes news and events in the governance, audit, IT audit and security space. After almost 10 years of daily resource emails he has moved his lists to Yahoo and new subscribers now need to subscribe via Yahoo.
__________________________________________________________________
- see instructions below (on the "how" to join his mailing lists).

Dan Swanson, CMA, CIA, CISA, CISSP, CAP
www.complianceweek.com/index.cfm?fuseaction=article.SavedSearchResults&search_ID=95
_______________________________________________________________
A) Dan's CCC emails provide online resources in support of your Governance, Risk Management, and Internal Audit efforts. Content related to IT Audit and IT Security is provided on occasion. Resources related to leadership, quality, strategy, and management are frequently also included.
_______________________________________________________________
B) Dan's SEC emails provide online resources in support of your IT Audit and IT Security efforts. Content related to Governance, Risk Management, and Internal Audit is provided on occasion. Resources related to leadership, quality, strategy, and project management are frequently included.
______________________________________________________________________

To join Dan's 2 email lists you just need to send two blank emails to the addresses below. Finally, please consider forwarding this invitational email to anyone you believe will want to try it out.
______________________________________________________________________

To subscribe just send a blank email to these two addresses below:

1) Dans_CCCemails-subscribe@yahoogroups.com
"



Information Technology Investment Management from the GAO
Posted by boss on Friday, 25 April 2008 @ 14:14:20 EDT (557 reads)

cdupuis writes "
Information Technology Investment Management:
A Framework for Assessing and Improving Process Maturity
"



IT Compliance and Controls - Best Practices for Implementation
Posted by boss on Thursday, 03 April 2008 @ 10:02:55 EDT (753 reads)

cdupuis writes "


NOTE FROM CLEMENT:

James is a friend of mine. We did many mandates and security engagements together. He's a great community player, an honest person, a great friend, and most of all the god of compliance. I am very excited about his new book and knowing him well I am sure it will be a must have in your library. Here is the announcement below:

My NEW book was released today worldwide and is available via Amazon and Barnes & Noble:

IT Compliance and Controls - Best Practices for Implementation

The work contains the results of analyzing thousands of information system controls across 140 unique international frameworks, mandated regulations, and industry guidance works. It balances security, risk management, operational resiliency, and business concerns.

The book contains more than a decade worth of experience that includes: auditing thousands of enterprises, assessing literally millions of computers across the planet, and analyzing and harmonizing well over a hundred government and industry standards.

Please consider adding this book to your library and integrating the principles with your organization and partners.

Feedback is always welcome and you may find your feedback in the first few pages of my book’s next print run. Also, please be sure to visit my new blog where I post continuations and extensions of the book and to my PCI DSS site.

Cheers,

James DeLuccia IV

IT Compliance and Controls - Best Practices for Implementation

Areas of Interest include:

  • SOX, PCI DSS, FERC, COBIT, ITIL, EU Directives, and more!
  • Virtualization and Grid Computing
  • Roadmap for Risk and Enterprise Governance
  • Information Security

Industries Focused on:

  • International Operating Firms
  • Retailers
  • Financial Services
  • Power and Healthcare
  • Leading Enterprises

"



Center for Internet Security Roadmap
Posted by boss on Tuesday, 01 April 2008 @ 12:16:56 EDT (781 reads)

cdupuis writes "

**2008 CIS BENCHMARK ROADMAP**

CIS is committed to:

(1) creating new consensus Benchmarks,

(2) maintaining the Benchmarks now distributed from the CIS website, and

(3) promoting uniformity among the CIS Benchmarks.

Below is the 2008 CIS Benchmark Development Roadmap (including the technical team leader where known):


A. New Benchmarks currently in development:

1. Apache Tomcat – Adam Ely

2. Citrix Xen Server – Adam Cecchetti

3. Office 2003/2007 – Stephanie Smith

B. Benchmark Updates currently in progress:

1. SuSE Linux – Nancy Whitney

2. Mac OS X Leopard – Allan Marcus

3. VMware ESX Server – Iben Rodriguez

4. Oracle 11g – Adam Cecchetti

C. Other New Benchmarks and Benchmark Updates planned for 2008:

1. Web Browser – New

2. PostgreSQL – New

3. MS SharePoint – New

4. Office XP/2007 – New

5. Juniper JunOS – New

6. Citrix – New

7. Palm/Windows Mobile Handhelds – New

8. VoIP – New

9. Banner – New

10. Print Devices – New

11. Sybase – New

12. OS400 – New

13. Slackware – Update

14. AIX – Update

15. BIND – Update

D. Benchmark Formatting

As one step towards promoting uniformity among the CIS Benchmarks:

(1) All new CIS Benchmarks will conform to a single new template set forth in the CIS Benchmark Format Guide v1.0 and

(2) CIS is working to convert all currently non-conforming CIS Benchmarks to the CIS Benchmark Format Guide.

**XML BENCHMARK EDITING GUIDE RELEASED**

CIS has released a new editing guide that will provide members with information on configuring custom policy entries in the benchmark XML files. The guide, named the “CIS XML Site Adaptation Guide”, is available from the Downloads section of the Members’ Web site. We welcome feedback on the guide, and hope to expand and enhance it in the future.

**CIS-CAT BUG FIX UPDATE**

CIS is actively working on the CIS-CAT bug list. The updated version includes an “Unsupported Operation” error that was caused by Java code issues and an error in the XML for the CIS Benchmarks for Windows XP Benchmark. Both issues have been resolved and the following has been recently posted to the CIS Members’ site: (1) an updated CIS-CAT audit tool, and (2) a corrected Windows XP Benchmark in XML (XCCDF).

**CIS METRICS INITIATIVE**

As announced in yesterday’s CIS Member Update, in addition to continuing its long-standing commitment to creating new and updated configuration benchmarks, CIS is spearheading a new effort to define a consensus-based set of metrics that will help CIS Members ensure that time spent on measurement is time well spent.

The consensus method has been a great success in defining configuration benchmarks and we anticipate it will be equally successful in getting the industry aligned around an evolving set of security metrics.

Specifically, CIS plans to focus on practical metrics of interest to security professionals; metrics that will both:

(1) measure the effectiveness of the security practices you and others have adopted, and

(2) communicate the value of these practices in terms that business people can understand.

CIS is partnering with Mike Rothman, the head of research firm Security Incite, to drive this effort.

Mike will be launching a new wiki this week to manage the consensus effort. CIS Members interested in participating should send an email to Mike Rothman at mike.rothman@securityincite.com.

"



SecureAnchor great newsletter by Eric Cole
Posted by boss on Sunday, 09 March 2008 @ 20:04:40 EDT (829 reads)

cdupuis writes "


March 2008

Vol 3, Issue 2


Security in the News
Your source for up to date security headlines


McAfee calls the Trojan the WinCE/InfoJack. US-CERT warns that this Trojan can disable Windows Mobile application installation security.

The Trojan steals the hardware devices' serial numbers, as well as OS and various other important information. The information is then uploaded to the attacker's Web server.

McAfee warned that, "It also leaves the infected mobile device vulnerable by allowing silent installation of malware. The Trojan modifies the infected device's security setting to allow unsigned applications to be installed without a warning."

The Trojan has been distributed in legitimate installation files, including Google maps, games and stock trading applications. It can install as an autorun application on a memory card, thus installing to a host device when an infected memory card is inserted, allows unsigned apps to install without permission from the user, and it can copy itself out to avoid destruction upon deletion.

McAfee researcher Jimmy Shah warns that the Trojan has the ability to automatically update itself and open a back door for other malware installations.

The Trojan was communicating with a Web site which is now shut down, and was originally 'discovered' in China. Meanwhile, US-CERT is telling users to update their anti-virus software and to exercise caution in downloading. Obviously, there is much that users must learn about using their mobile computing devices.

House Representatives Unimpressed by CyberSecurity Plan


Members of the U.S. House of Representatives appeared to be unimpressed by DHS's efforts at cyber security.

Representative Bennie Thompson (D-Miss.) said, "It's hard to believe that this administration believes it has the answers to securing our networks and critical infrastructure. I have enormous questions about this initiative. Thus far, I have been extremely disappointed in this administration's efforts in cyber security."

At issue, in part, is the Einstein system. This system is an intrusion detection system that records data which traverses certain government systems, such as IP address of origination, size and destination. The data is not analyzed in real time, but stored for future analysis.

DHS would like to expand Einstein's reach and scope so that it can record all traffic traversing the government's network. As Robert Jamison, Undersecretary of the National Protection and Programs Directorate at DHS explained, "Einstein currently handles a very, very, very small percentage of government traffic. We want to build it up to one hundred percent. We want to be able to detect malicious code. It will have coverage of external points and will be informed by our current knowledge of the threat. Right now, we don't have that situational awareness. Right now, our capability is passive. We're not doing it in real time."

Not all of the Representatives were in a forgiving mood upon hearing this news. Representative Thompson, as well as Representative Jane Harman (D-Calif.) and Representative Bob Etheridge (D-N.C.) expressed surprise at the lack of informational exchange between agencies regarding threats and attacks. These elected officials thought there might have been some coordination between the agencies.

Representative Harman was especially not amused, saying, "I have been sitting here with my mouth open. This hearing reminds me of the FEMA trailers. The fact that you don't have threat information is shocking. We are not being serious about our response to threats. How is that we're going to have in real time a response to a significant threat? I just don't see it." Her point seems to have been that if they weren't doing it yet, how could they do it in the future? However, she must not have been aware of the plan that was discussed and is waiting for the go ahead for monitoring all Internet traffic everywhere on American carriers. Presumably, the expanded Einstein would be a subset of the Total Internet Monitoring and Awareness Plan (TIMAP) - (The author just made that up - feel free to co-opt it). Either that or the government has their own carrier they interface with - but presumably the traffic would have to come from somewhere else anyway. It makes sense though, if there are offices of federal agencies overseas which interface with foreign carriers which may not be able to be monitored with TIMAP.

Mr. Jamison countered with the following: "We're not looking at content now. We propose to do that. Our adversaries are very adept at hiding attacks in normal traffic. The only true way to protect our networks is to have an intrusion detection system."

Mr. Jamison and the Deputy Undersecretary of the National Protection and Programs Directorate, Scott Charbo, expounded on the necessity of the more comprehensive Cyber Initiative. It was correctly noted that Einstein was only part of the surveillance plan.

Representative Harman and Rep. Paul Broun (R-Ga.) wondered about the inspection of all government data traffic. Representative Broun said, "This looks almost like the fox guarding the henhouse. I'm not convinced that privacy is going to be protected in developing these systems." The problem isn't privacy per se; it's the idea of one agency being able to read all of the other agencies' traffic.

However, Mr. Jamison assured the worried lawmakers that DHS would study the 'privacy' problem before the system was deployed.

Karen Evans, with OMB, said the government was going to limit the number of Internet connections. All government agencies reported the existence of any and all external network connections, and the total number came to about 4,000 external connections.

According to a memo posted by the White House: "Trusted Internet Connections (TIC) initiative to optimize our individual network services into a common solution for the federal government. This common solution facilitates the reduction of our external connections, including our Internet points of presence, to a target of fifty. Additionally, the role of the US-CERT will be enhanced to improve our response capabilities. Each agency will be required to develop a comprehensive plan of action and milestones (POA&M) with a target completion date of June 2008. Initial agency POA&Ms must be sent to the Department of Homeland Security's (DHS's) National Cyber Security Division (NCSD) by January 8, 2008, for review and agreement with OMB, DHS, and the agency. "

"To discuss this initiative further, we are planning a government-wide meeting on Friday, November 30, 2007."

The White House also helpfully listed her number. You can contact Karen Evans at 202-395-1181.


Former FBI Agent Says We Need Another Internet

Patrick Dempsey, a former FBI agent, says that because criminals use the Internet and the criminal justice system is not ready to incarcerate all of these cyber criminals, that a new Internet is necessary. (By the way, maybe we need a new set of city sidewalks.)

He cites various crimes, including identity theft (which could never happen when the waiter takes your charge slip), spam (which would stop if people would quit buying stuff from spam emails), bank robberies (which could not happen if banks and people kept their information secure) and organized hacking rings (which the social engineering expert said would not be necessary because every time he got into a company's system it was through the use of the telephone).

His solution is to create a second Internet on which users would have to register to gain access.

Lawyer Spies on Other Law Firm

When you are a lawyer, just as when you are the police or the government, following the law is optional, as the story of Michael P. Markins, an attorney in Charleston, South Carolina, proves.

Between November 2003 and March 2006, Mr. Markins committed the crimes of unauthorized access to email accounts at Offutt, Fisher and Nord, a firm at which his wife worked as an associate. Mr. Markins worked for the law firm of Huddleston Bolen LLP. He committed these crimes on over 150 separate occasions. He accessed the competing law firm's systems when the two firms were on opposite sides in an action regarding flooding.

Mr. Markins gained access by compromising his wife's account and accessing the competing law firm's servers using her email account as a login credential.

A brief filed by the Bar's Lawyer Disciplinary Board said that Mr. Markins accessed the compromised account from the Huddleston IP address.

The brief also stated that no one could find evidence of any information Mr. Markins might have stolen about the litigation, saying, "Huddleston could not locate any compromised information about the mass flood litigation [on its computer system]. OFN could not establish that [Markins] accessed otherwise confidential client information about the mass flood litigation." This finding was written into the brief even though Mr. Markins did not allow investigation of his home computer.

The investigation started when one of OFN's lawyers suspected that her email account had been accessed by