﻿<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">

<channel>

<title>Gideon's INFOSEC List</title>
<description>&quot;I typically forward interesting security resources and news articles to information security contacts as a matter of professional courtesy. Over the years the list of people grew and it made sense to use a mailing list to automate distribution. If you&apos;re interested in information security, it may be the list for you. I keep the volume low and the value high&quot;.</description>
<atom:link href="http://www.gideonrasmussen.com/rssfeed.xml" rel="self" type="application/rss+xml" />
<link>http://www.gideonrasmussen.com/gideons-infosec-list.html</link>
<language>en-us</language>
<copyright>Copyright 2002 - 2007 Gideon T. Rasmussen All Rights Reserved.</copyright>
<lastBuildDate>Fri, 16 Nov 2007 18:45:00 EST</lastBuildDate>
<category>Security</category> 
<category>Technology</category> 

<item>
<title>Failure Mode and Effects Analysis: Process and System Risk Assessment</title>
<description>Failure mode and effects analysis (FMEA) is widely used by corporations, manufacturing firms and the U.S. military to evaluate processes or systems (e.g. an incident-response process or a three-tiered application). It prioritizes potential failures by impact severity, probability of occurrence and likelihood of detection. FMEA risk ratings and narrative rationale can be used to quantify exposure to management and facilitate remediation. Most recently, FMEA was incorporated into Six Sigma and the Information Technology Infrastructure Library (ITIL).</description>
<guid>http://www.gideonrasmussen.com/article-17.html</guid>
<pubDate>Sat, 26 Apr 2008 08:51:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>Information Security Career</title>
<description>My INFOSEC professional page has been revised to include advice beyond preparing for the CISSP, CISM and CISA. Page topics include: obtaining practical experience, becoming certified and taking control of your career. A career path diagram is included. The page also contains a few certifications you may not be aware of.
</description>
<guid>http://www.gideonrasmussen.com/infosec-prof.html</guid>
<pubDate>Sat, 23 Feb 2008 14:26:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>The Federal Bureau of Investigation - Capabilities and Service</title>
<description>This article provides an overview of FBI teams, InfraGard and the FBI Citizens&apos; Academy. It was written after attending 8 FBI Citizens&apos; Academy briefings. The content was distilled from 14 pages of class notes (not including handwritten ERT notes and handouts). The topics will be of interest to security and business professionals (e.g. the computer crime program, the white collar crime program, engagement models, etc.). The FBI provides valuable services and support freely available to businesses.
</description>
<guid>http://www.gideonrasmussen.com/article-16.html</guid>
<pubDate>Fri, 16 Nov 2007 18:45:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>Alternate Duty List</title>
<description>I had my first exposure to an alternate duties list in the US Air Force. It is a useful way to keep track of roles that go unnoticed (until someone leaves). The list should include a description of each role and a primary and alternate for each. For example:</description>
<guid>http://www.gideonrasmussen.com/infosec-list/message-34.html</guid>
<pubDate>Fri, 26 Oct 2007 20:30:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>Disaster Recovery Audit</title>
<description>Here is a response to one of my contacts regarding a disaster recovery audit. She wanted to assess the effectiveness of security during a DR test.</description>
<guid>http://www.gideonrasmussen.com/infosec-list/message-33.html</guid>
<pubDate>Tue, 26 Jun 2007 02:44:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>Security Acumen: Business First</title>
<description>The line between business and information security professionals is blurring. Government regulations have mandated security practices over the past decade. The resulting changes are evident. Security professionals are being given seats at the executive table and within lines of business. Business acumen is quickly becoming the eleventh domain of information security. To adapt, security professionals must align with business management and develop depth and breadth within business.</description>
<guid>http://www.gideonrasmussen.com/article-15.html</guid>
<pubDate>Wed, 9 May 2007 23:56:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>Cyberwar: A Threat to Business</title>
<description>It&apos;s no secret that large U.S. businesses are in the crosshairs of foreign government entities and terrorists. According to Maj. Gen. William Lord, &quot;China has downloaded 10 to 20 terabytes of data from the NIPRNet,&quot; the Department of Defense network used for transmitting sensitive information. It is only a matter of time before military and terrorist organizations target commercial organizations. In fact, the Department of Homeland Security recently warned of potential Internet attacks on the U.S. stock market and banking Web sites. Large businesses offer an attractive target and the potential impact is very high.</description>
<guid>http://www.gideonrasmussen.com/article-14.html</guid>
<pubDate>Thu, 8 Mar 2007 02:43:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>Unified Compliance Project (UCP)</title>
<description>The Unified Compliance Project is worth considering. &quot;ITCi&apos;s Unified Compliance Project (UCP) is the first independent initiative to exclusively support IT compliance management. The UCP parses and reconstructs complex corporate regulations into a holistic IT compliance view. Most importantly, by focusing on commonalities across regulations, standards-based development, and simplified architectures, the UCP supports a strategic approach to IT compliance that reduces cost, limits liability, and leverages the value of compliance-related technologies and services across the enterprise.&quot;</description>
<guid>http://www.gideonrasmussen.com/infosec-list/message-30.html</guid>
<pubDate>Wed, 31 Jan 2007 03:03:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>CISSP and CISA Prep Advice</title>
<description>The CISSP and CISA are the top two information security certifications. Both are well regarded throughout industry and are worth the journey for professional development. Ensure you meet the minimum requirements before studying for either exam. I recommend taking the CISSP first, followed by the CISA within one year.</description>
<guid>http://www.gideonrasmussen.com/infosec-list/message-29.html</guid>
<pubDate>Sat, 6 Jan 2007 02:33:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>Terrorism E-Mail Alerts</title>
<description>The TRC-Alerts mailing list provides FLASH style alerts as critical information relating to terrorism or homeland security is released. Examples include attacks relevant to U.S. homeland security, changes in the homeland security status, international conflict issues, or the capture of a high-profile terrorist.</description>
<guid>http://www.gideonrasmussen.com/infosec-list/message-28.html</guid>
<pubDate>Sun, 31 Dec 2006 16:01:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>Security Awareness Program</title>
<description>An awareness campaign is the foundation of an effective information security program. It has three objectives: (1) ensure all personnel have an awareness of common threats and a familiarity with security policies and procedures, (2) foster a culture of security, and (3) demonstrate the active support of senior management and information security personnel. Here are tips for establishing a strong security awareness program within your organization:</description>
<guid>http://www.gideonrasmussen.com/infosec-list/message-26.html</guid>
<pubDate>Sun, 5 Nov 2006 15:19:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>Security Breach Lists</title>
<description>Security breach lists are an interesting read and can be useful for:
* Identifying trends in emerging security threats
* Providing examples of why a control is necessary
* Citing real world compromises in presentations, etc.</description>
<guid>http://www.gideonrasmussen.com/infosec-list/message-25.html</guid>
<pubDate>Mon, 16 Oct 2006 14:52:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>Compliance Burden - Forest for the Trees?</title>
<description>In my experience many organizations are overwhelmed by compliance activities and lose sight of what INFOSEC programs are meant for: insulating the organization against unacceptable risk. When security resources are taxed with compliance activities, their core duties suffer. Common distractions include:</description>
<guid>http://www.gideonrasmussen.com/infosec-list/message-24.html</guid>
<pubDate>Wed, 4 Oct 2006 23:41:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>The Emergency Email and Wireless Network</title>
<description>This free service is useful for being notified of emergency events. To subscribe, visit http://www.emergencyemail.org and...</description>
<guid>http://www.gideonrasmussen.com/infosec-list/message-23.html</guid>
<pubDate>Sat, 16 Sep 2006 02:00:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>The VA Stolen Laptop - Lessons Learned</title>
<description>As security professionals most of you know the VA lost control of 26 million Social Security numbers when a laptop was stolen on May 3rd. Here are the lessons learned from my perspective:</description>
<guid>http://www.gideonrasmussen.com/infosec-list/message-22.html</guid>
<pubDate>Wed, 13 Sep 2006 02:40:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>Insider Risk Management Guide</title>
<description>&quot;The threat posed by authorized personnel is well documented by research and court cases. According to ACFE, U.S. organizations lose an estimated $652 billion to fraud annually. Unfortunately, insider threat is not limited to fraud. There is also sabotage, negligence, human error and exploitation by outsiders to consider. If you have not taken a hard look at insider threat controls in your organization, now is the time.&quot; Written by yours truly...</description>
<guid>http://www.gideonrasmussen.com/article-13.html</guid>
<pubDate>Thu, 31 Aug 2006 23:09:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>Use the Features of Network Switches</title>
<description>Properly configured, switches can add another layer of security to your network. This article provides best-practice configurations that should be considered for any organization. The tips within can help isolate systems from hackers, prevent the spread of zero-day viruses and prevent unauthorized systems from connecting to your network.
</description>
<guid>http://www.gideonrasmussen.com/infosec-list/message-20.html</guid>
<pubDate>Thu, 17 Aug 2006 00:51:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>System Security Plan Tool</title>
<description>&quot;As we started the research for the HIPAA and 17799 projects we came across a number of references to DITSCAP and NITSCAP. The purpose of the system security plan (SSP) is to provide an overview of the security requirements of the system and describe the controls in place or planned, responsibilities and expected behavior of all individuals who access the system.&quot;  Read more and access the tool...</description>
<guid>http://www.gideonrasmussen.com/infosec-list/message-19.html</guid>
<pubDate>Thu, 17 Aug 2006 00:18:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>Fraud Examination - An INFOSEC Niche</title>
<description>Last month I came across a report on Occupational Fraud &amp; Abuse and was intrigued by its contents. It separates fraud into categories and details specific examples of how fraud is committed.</description>
<guid>http://www.gideonrasmussen.com/infosec-list/message-18.html</guid>
<pubDate>Sat, 22 Jul 2006 01:02:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>Systematic Removal of Accesses: Pull the Key from the Lock</title>
<description>Systematic removal of accesses refers to revoking physical and logical accesses when a person leaves an organization or their role changes. In the absence of a formal process, lingering privileges can be used to access systems, applications and office space. Potential damage includes theft of funds, equipment or intellectual property, disclosure of confidential information, and/or damage to property or personnel. Read more...</description>
<guid>http://www.gideonrasmussen.com/infosec-list/message-17.html</guid>
<pubDate>Thu, 6 Jul 2006 20:14:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>13 Ways to Get Your Developers on Board with Software Security</title>
<description>This article provides solid advice for implementing security in your software development processes. It takes developers into consideration and includes resource links.</description>
<guid>http://www.spidynamics.com/spilabs/education/articles/software-security.html</guid>
<pubDate>Thu, 22 Jun 2006 20:10:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>Questions to Gauge Security Awareness</title>
<description>This is my response to a post asking for high level questions to gauge security awareness in an organization:</description>
<guid>http://www.gideonrasmussen.com/infosec-list/message-15.html</guid>
<pubDate>Tue, 6 Jun 2006 02:37:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>The Insider Threat</title>
<description>The threat posed by insiders should be a concern for every organization. Authorized personnel have the accesses to cause serious damage through theft, sabotage, neglect or error. CERT and the US Secret Service banded together and conducted a study of insider security incidents.</description>
<guid>http://www.gideonrasmussen.com/infosec-list/message-14.html</guid>
<pubDate>Mon, 22 May 2006 23:51:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>Software Development: Building Security In</title>
<description>Development managers know that security should be built into new applications and incorporated into patches and new functionality. The challenge is implementing security in the fast paced world of development operations.</description>
<guid>http://www.gideonrasmussen.com/infosec-list/message-13.html</guid>
<pubDate>Thu, 11 May 2006 00:23:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>Application Security</title>
<description>There is a disturbing trend in Internet threats: hackers are attacking at the application layer. Router ACLs, firewalls, demilitarized networks, intrusion detection software, all for naught... The malicious traffic complies with TCP/IP and follows the enforced path restricted by network gear. Layered network controls are still an absolute requirement. The application layer must be hardened as well. Here is how I recommend approaching application security:</description>
<guid>http://www.gideonrasmussen.com/infosec-list/message-12.html</guid>
<pubDate>Tue, 28 Mar 2006 03:34:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>Protect Internal Networks from Internet Exposure</title>
<description>This article explains a common misconfiguration with serious security implications. The Split Tunneling feature of VPN clients leaves them connected to the Internet while accessing internal networks. This conduit exposes internal systems to hackers, viruses and other malware.</description>
<guid>http://www.gideonrasmussen.com/infosec-list/message-11.html</guid>
<pubDate>Sun, 26 Feb 2006 05:00:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>Support for Strong Authentication</title>
<description>An FFIEC document considers &quot;single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties.&quot; &quot;Financial institutions should assess the adequacy of such authentication techniques in light of new or changing risks such as phishing, pharming, malware, and the evolving sophistication of compromise techniques.&quot;</description>
<guid>http://www.gideonrasmussen.com/infosec-list/message-10.html</guid>
<pubDate>Tue, 21 Feb 2006 04:57:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>NIST Guidelines for Media Sanitization (Draft)</title>
<description>NIST raises an important topic. Each organization must have a process to properly dispose of hardware and media. The alternative is external leaks of sensitive information.</description>
<guid>http://www.gideonrasmussen.com/infosec-list/message-09.html</guid>
<pubDate>Wed, 8 Feb 2006 03:28:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>Microsoft Shared Computer Toolkit for XP</title>
<description>This free toolkit hardens Windows XP to help mitigate the risk of establishing a public/shared workstation. Most organizations have at least one so I thought this would be of interest.</description>
<guid>http://www.gideonrasmussen.com/infosec-list/message-08.html</guid>
<pubDate>Sun, 1 Jan 2006 16:09:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>Retaining INFOSEC Professionals</title>
<description>Here is a response to one of my contacts who is having difficulty retaining both team leaders and team members. His team is comprised of auditors. However, most of the advice pertains to retaining INFOSEC professionals in general.</description>
<guid>http://www.gideonrasmussen.com/infosec-list/message-07.html</guid>
<pubDate>Thu, 29 Dec 2005 16:47:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>Thoughts on eVaulting</title>
<description>Included below is my response to a post in the cisspforum. The person was considering e-vaulting versus traditional off-site storage of backup tapes.</description>
<guid>http://www.gideonrasmussen.com/infosec-list/message-06.html</guid>
<pubDate>Wed, 21 Dec 2005 04:37:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>Circumventing Group Policy as a Limited User</title>
<description>This article from Mark Russinovich explains how a user account can overcome Active Directory group policy settings due to a Windows design flaw (versus a security vulnerability). It also includes an application as a proof of concept.</description>
<guid>http://www.gideonrasmussen.com/infosec-list/message-05.html</guid>
<pubDate>Thu, 15 Dec 2005 00:54:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>Inexpensive Cisco Network Log Analysis</title>
<description>In this article Mark Lachniet explains why it&apos;s important to analyze logs and provides an inexpensive way to monitor Cisco logs using the Kiwi Syslog Daemon and Sawmill. The article is well written and includes screenshots.</description>
<guid>http://lachniet.com/cheaplogging</guid>
<pubDate>Tue, 13 Dec 2005 03:56:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>Continuous Auditing Guide (ISSA)</title>
<description>Take a look at this guide for continuous auditing. It's well written and addresses an area that is often overlooked in information technology.</description>
<guid>http://www.gideonrasmussen.com/infosec-list/message-03.html</guid>
<pubDate>Fri, 9 Dec 2005 02:46:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>Risk Management Template</title>
<description>George Spafford has posted a great risk management template. Also check out his Daily News Email List and articles.</description>
<guid>http://www.gideonrasmussen.com/infosec-list/message-02.html</guid>
<pubDate>Tue, 6 Dec 2005 01:56:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>Home-Grown INFOSEC Professionals</title>
<description>Recently Marcia Wilson authored an article on how to become an information security professional. She raises an interesting topic. Mentoring coworkers in how to break into the INFOSEC career field can be a powerful way to bolster your security program. Here are a few tips:</description>
<guid>http://www.gideonrasmussen.com/infosec-list/message-01.html</guid>
<pubDate>Tue, 29 Nov 2005 23:41:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

</channel>

</rss>
