<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">

<channel>

<title>Gideon's INFOSEC List</title>
<description>&quot;I typically forward interesting security resources and news articles to information security contacts as a matter of professional courtesy. Over the years the list of people grew and it made sense to use a mailing list to automate distribution. If you&apos;re interested in information security, it may be the list for you. I keep the volume low and the value high&quot;.</description>
<atom:link href="http://www.gideonrasmussen.com/rssfeed.xml" rel="self" type="application/rss+xml" />
<link>http://www.gideonrasmussen.com/gideons-infosec-list.html</link>
<language>en-us</language>
<copyright>Copyright 2002 - 2009 Gideon T. Rasmussen All Rights Reserved.</copyright>
<lastBuildDate>Thu, 10 Dec 2009 21:35:00 EST</lastBuildDate>
<category>Security</category> 
<category>Technology</category> 

<item>
<title>Risk IT framework - ISACA</title>
<description>The Risk IT framework and best practice guidance was released earlier this week. It is well written and worth reviewing. The Practitioner Guide has material that can be leveraged.</description>
<guid>http://www.gideonrasmussen.com/message-50.html</guid>
<pubDate>Thu, 10 Dec 2009 21:35:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>Top 5 Social Engineering Exploit Techniques</title>
<description>This article by Jamey Heary provides solid examples of how social engineers exploit human weaknesses by intimidation, familiarity or charisma. Many organizations layer on physical and logical defenses with a focus on external attacks and disgruntled insiders. That approach does not address authorized personnel with good intentions.</description>
<guid>http://www.gideonrasmussen.com/message-49.html</guid>
<pubDate>Mon, 23 Nov 2009 20:41:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>Enterprise Risk and Compliance Reporting</title>
<description>Modern companies are challenged by the need to demonstrate compliance, mitigate risk and fund security initiatives. Reporting is the pursuit of simple truth. Like many technical challenges, the underlying complexity can be daunting. This article addresses a variety of techniques to report risk and compliance statuses, raise awareness and influence remediation.</description>
<guid>http://www.gideonrasmussen.com/article-21.html</guid>
<pubDate>Fri, 03 Jul 2009 08:20:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>Security is Golden</title>
<description>My son used the word &quot;beast&quot; in a strange context a few weeks ago. When I asked, he said it meant &quot;awesome&quot;. Later in the day I wondered, what is beast about security? In a business context, security protects assets, keeps secrets confidential and helps ensure availability of products and services. Business managers consider the expenses associated with security programs. That cost must be commensurate with risk to business objectives.</description>
<guid>http://www.gideonrasmussen.com/message-47.html</guid>
<pubDate>Sat, 02 May 2009 13:11:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>Calabrese’s Razor</title>
<description>Hal Pomeranz has posted an objective metric used by the Center for Internet Security for hardening operating systems. The metric accounts for how well a control mitigates risk, subtracting the resulting costs or business impact of the control.</description>
<guid>http://www.gideonrasmussen.com/message-46.html</guid>
<pubDate>Sun, 15 Mar 2009 21:27:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>Kinetic Fireballs, Obscurity and Aggregation</title>
<description>A friend sent me an article about kinetic fireballs. I found it fascinating; then quickly realized the content is likely classified Secret or Top Secret.</description>
<guid>http://www.gideonrasmussen.com/message-45.html</guid>
<pubDate>Sun, 16 Nov 2008 13:24:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>E-Commerce Payment Card Security</title>
<description>E-commerce merchants conduct business over the Internet by definition. As such, they are vulnerable to attack from remote locations around the world. This article provides guidance for protecting e-commerce websites in accordance with the PCI Data Security Standard (PCI DSS) and information security best practices.</description>
<guid>http://corp.bankofamerica.com/publicpdf/landing/merchantnews/pcidss/ecommerce.pdf</guid>
<pubDate>Fri, 24 Oct 2008 20:55:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>The Financial Impact of Cyber Risk: 50 Questions Every CFO Should Ask</title>
<description>I thought this document would be of interest to many of you, given its focus on cyber security from a business perspective. &quot;The Financial Impact of Cyber Risk, an action guide for C-Suite executives, is the first known document that provides guidance to help CFOs and executives responsible for legal issues, business operations and technology, privacy and compliance, risk assessment and insurance, and corporate communications mitigate the impact of cyber attacks.&quot;.</description>
<guid>http://webstore.ansi.org/cybersecurity</guid>
<pubDate>Tue, 21 Oct 2008 19:47:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>Global State of Information Security 2008</title>
<description>&quot;This year, the economy is forcing decision makers to look even harder at outlays. Even so, companies are buying and applying technology tools at record levels. However too many organisations still lack coherent, forward-thinking security processes. Still, while the survey illuminates continuing problems, it also sees a path to safer data for companies that apply technology, but also develop processes and make them part of everyone's everyday work.&quot;.</description>
<guid>http://www.pwc.com/extweb/insights.nsf/docid/0E50FD887E3DC70F852574DB005DE509/$File/PwCsurvey2008_cio_reprint.pdf</guid>
<pubDate>Tue, 21 Oct 2008 19:08:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>PCI DSS Revisions and Next Steps</title>
<description>October 1, 2008 marks the first revision to the Payment Card Industry Data Security Standard (PCI DSS) in two years. This article provides an overview of the changes, with recommendations for a PCI awareness campaign and implementation next steps. UPDATE: In a press release issued this morning, the PCI Security Standards Council announced &quot;version 1.2 is effective immediately and version 1.1 of the standard will sunset on Dec. 31, 2008&quot;.</description>
<guid>http://corp.bankofamerica.com/publicpdf/landing/merchantnews/pcidss/Rasmussen_PCI_DSS_Update_article_October_1_2008_FINAL.pdf</guid>
<pubDate>Wed, 01 Oct 2008 19:02:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>Can We Be Compliant and Yet Insecure?</title>
<description>Bill Sieglein has written a great article on the challenges of being compliant with laws and regulations, while needing to mitigate residual risk. It is along the same lines of my Techniques page and Beyond Minimum Compliance article. Bill gives practical advice for establishing a control baseline, conducting an assessment and tracking remediation.</description>
<guid>http://www.csoonline.com/article/print/450190</guid>
<pubDate>Thu, 25 Sep 2008 21:08:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>Beyond Minimum Compliance: PCI Risk Management</title>
<description>The PCI Data Security Standard is nearly two years old. Organized crime has shifted focus to new attack vectors and theft of card data has become big business. To adapt, business management must adopt a comprehensive risk and compliance-based approach to safeguard card data.</description>
<guid>http://corp.bankofamerica.com/publicpdf/landing/merchantnews/pcidss/beyondminimum.pdf</guid>
<pubDate>Fri, 11 Jul 2008 22:46:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>2008 Data Breach Investigations Report - Verizon</title>
<description>&quot;The &quot;2008 Data Breach Investigations Report&quot; spans four years and more than 500 forensic investigations involving 230 million records, and analyzes hundreds of corporate breaches including three of the five largest ones ever reported. This first-of-its-kind study, conducted by Verizon Business Security Solutions investigative experts, also found that 73 percent of breaches resulted from external sources versus 18 percent from insider threats, and most breaches resulted from a combination of events rather than a single hack or intrusion.&quot;
</description>
<guid>http://newscenter.verizon.com/press-releases/verizon/2008/verizon-business-releases.html</guid>
<pubDate>Thu, 12 Jun 2008 23:06:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>Failure Mode and Effects Analysis: Process and System Risk Assessment</title>
<description>Failure mode and effects analysis (FMEA) is widely used by corporations, manufacturing firms and the U.S. military to evaluate processes or systems (e.g. an incident-response process or a three-tiered application). It prioritizes potential failures by impact severity, probability of occurrence and likelihood of detection. FMEA risk ratings and narrative rationale can be used to quantify exposure to management and facilitate remediation. Most recently, FMEA was incorporated into Six Sigma and the Information Technology Infrastructure Library (ITIL).</description>
<guid>http://www.gideonrasmussen.com/article-17.html</guid>
<pubDate>Sat, 26 Apr 2008 08:51:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>Information Security Career</title>
<description>My INFOSEC professional page has been revised to include advice beyond preparing for the CISSP, CISM and CISA. Page topics include: obtaining practical experience, becoming certified and taking control of your career. A career path diagram is included. The page also contains a few certifications you may not be aware of.
</description>
<guid>http://www.gideonrasmussen.com/infosec-prof.html</guid>
<pubDate>Sat, 23 Feb 2008 14:26:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>The Federal Bureau of Investigation - Capabilities and Service</title>
<description>This article provides an overview of FBI teams, InfraGard and the FBI Citizens&apos; Academy. It was written after attending 8 FBI Citizens&apos; Academy briefings. The content was distilled from 14 pages of class notes (not including handwritten ERT notes and handouts). The topics will be of interest to security and business professionals (e.g. the computer crime program, the white collar crime program, engagement models, etc.). The FBI provides valuable services and support freely available to businesses.
</description>
<guid>http://www.gideonrasmussen.com/article-16.html</guid>
<pubDate>Fri, 16 Nov 2007 18:45:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>Alternate Duty List</title>
<description>I had my first exposure to an alternate duties list in the US Air Force. It is a useful way to keep track of roles that go unnoticed (until someone leaves). The list should include a description of each role and a primary and alternate for each. For example:</description>
<guid>http://www.gideonrasmussen.com/infosec-list/message-34.html</guid>
<pubDate>Fri, 26 Oct 2007 20:30:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>Disaster Recovery Audit</title>
<description>Here is a response to one of my contacts regarding a disaster recovery audit. She wanted to assess the effectiveness of security during a DR test.</description>
<guid>http://www.gideonrasmussen.com/infosec-list/message-33.html</guid>
<pubDate>Tue, 26 Jun 2007 02:44:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>Security Acumen: Business First</title>
<description>The line between business and information security professionals is blurring. Government regulations have mandated security practices over the past decade. The resulting changes are evident. Security professionals are being given seats at the executive table and within lines of business. Business acumen is quickly becoming the eleventh domain of information security. To adapt, security professionals must align with business management and develop depth and breadth within business.</description>
<guid>http://www.gideonrasmussen.com/article-15.html</guid>
<pubDate>Wed, 9 May 2007 23:56:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>Cyberwar: A Threat to Business</title>
<description>It&apos;s no secret that large U.S. businesses are in the crosshairs of foreign government entities and terrorists. According to Maj. Gen. William Lord, &quot;China has downloaded 10 to 20 terabytes of data from the NIPRNet,&quot; the Department of Defense network used for transmitting sensitive information. It is only a matter of time before military and terrorist organizations target commercial organizations. In fact, the Department of Homeland Security recently warned of potential Internet attacks on the U.S. stock market and banking Web sites. Large businesses offer an attractive target and the potential impact is very high.</description>
<guid>http://www.gideonrasmussen.com/article-14.html</guid>
<pubDate>Thu, 8 Mar 2007 02:43:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>Unified Compliance Project (UCP)</title>
<description>The Unified Compliance Project is worth considering. &quot;ITCi&apos;s Unified Compliance Project (UCP) is the first independent initiative to exclusively support IT compliance management. The UCP parses and reconstructs complex corporate regulations into a holistic IT compliance view. Most importantly, by focusing on commonalities across regulations, standards-based development, and simplified architectures, the UCP supports a strategic approach to IT compliance that reduces cost, limits liability, and leverages the value of compliance-related technologies and services across the enterprise.&quot;</description>
<guid>http://www.gideonrasmussen.com/infosec-list/message-30.html</guid>
<pubDate>Wed, 31 Jan 2007 03:03:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>CISSP and CISA Prep Advice</title>
<description>The CISSP and CISA are the top two information security certifications. Both are well regarded throughout industry and are worth the journey for professional development. Ensure you meet the minimum requirements before studying for either exam. I recommend taking the CISSP first, followed by the CISA within one year.</description>
<guid>http://www.gideonrasmussen.com/infosec-list/message-29.html</guid>
<pubDate>Sat, 6 Jan 2007 02:33:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>Terrorism E-Mail Alerts</title>
<description>The TRC-Alerts mailing list provides FLASH style alerts as critical information relating to terrorism or homeland security is released. Examples include attacks relevant to U.S. homeland security, changes in the homeland security status, international conflict issues, or the capture of a high-profile terrorist.</description>
<guid>http://www.gideonrasmussen.com/infosec-list/message-28.html</guid>
<pubDate>Sun, 31 Dec 2006 16:01:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>Security Awareness Program</title>
<description>An awareness campaign is the foundation of an effective information security program. It has three objectives: (1) Ensure all personnel have an awareness of common threats and a familiarity with security policies and procedures (2) Foster a culture of security and (3) Demonstrate the active support of senior management and information security personnel. Here are tips for establishing a strong security awareness program within your organization:</description>
<guid>http://www.gideonrasmussen.com/infosec-list/message-26.html</guid>
<pubDate>Sun, 5 Nov 2006 15:19:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>Security Breach Lists</title>
<description>Security breach lists are an interesting read and can be useful for: * Identifying trends in emerging security threats * Providing examples of why a control is necessary * Citing real-world compromises in presentations, etc.</description>
<guid>http://www.gideonrasmussen.com/infosec-list/message-25.html</guid>
<pubDate>Mon, 16 Oct 2006 14:52:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>Compliance Burden - Forest for the Trees?</title>
<description>In my experience many organizations are overwhelmed by compliance activities and lose sight of what INFOSEC programs are meant for, insulating the organization against unacceptable risk. When security resources are taxed with compliance activities, their core duties suffer. Common distractions include: </description>
<guid>http://www.gideonrasmussen.com/infosec-list/message-24.html</guid>
<pubDate>Wed, 4 Oct 2006 23:41:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>The Emergency Email and Wireless Network</title>
<description>This free service is useful for being notified of emergency events. To subscribe, visit http://www.emergencyemail.org and...</description>
<guid>http://www.gideonrasmussen.com/infosec-list/message-23.html</guid>
<pubDate>Sat, 16 Sep 2006 02:00:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>The VA Stolen Laptop - Lessons Learned</title>
<description>As security professionals, most of you know the VA lost control of 26 million social security numbers when a laptop was stolen on May 3rd. Here are the lessons learned from my perspective:</description>
<guid>http://www.gideonrasmussen.com/infosec-list/message-22.html</guid>
<pubDate>Wed, 13 Sep 2006 02:40:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>Insider Risk Management Guide</title>
<description>&quot;The threat posed by authorized personnel is well documented by research and court cases. According to ACFE, U.S. organizations lose an estimated $652 billion to fraud annually. Unfortunately, insider threat is not limited to fraud. There is also sabotage, negligence, human error and exploitation by outsiders to consider. If you have not taken a hard look at insider threat controls in your organization, now is the time.&quot; Written by yours truly...</description>
<guid>http://www.gideonrasmussen.com/article-13.html</guid>
<pubDate>Thu, 31 Aug 2006 23:09:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>Use the Features of Network Switches</title>
<description>Properly configured, switches can add another layer of security to your network. This article provides best practices configurations that should be considered for any organization. The tips within can help isolate systems from hackers, prevent the spread of zero day viruses and prevent unauthorized systems from connecting to your network.
</description>
<guid>http://www.gideonrasmussen.com/infosec-list/message-20.html</guid>
<pubDate>Thu, 17 Aug 2006 00:51:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>System Security Plan Tool</title>
<description>&quot;As we started the research for the HIPAA and 17799 projects we came across a number of references to DITSCAP and NITSCAP. The purpose of the system security plan (SSP) is to provide an overview of the security requirements of the system and describe the controls in place or planned, responsibilities and expected behavior of all individuals who access the system.&quot; Read more and access the tool...</description>
<guid>http://www.gideonrasmussen.com/infosec-list/message-19.html</guid>
<pubDate>Thu, 17 Aug 2006 00:18:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>Fraud Examination - An INFOSEC Niche</title>
<description>Last month I came across a report on Occupational Fraud &amp; Abuse and was intrigued by its contents. It separates fraud into categories and details specific examples of how fraud is committed.</description>
<guid>http://www.gideonrasmussen.com/infosec-list/message-18.html</guid>
<pubDate>Sat, 22 Jul 2006 01:02:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>Systematic Removal of Accesses: Pull the Key from the Lock</title>
<description>Systematic removal of accesses refers to revoking physical and logical accesses when a person leaves an organization or their role changes. In the absence of a formal process, lingering privileges can be used to access systems, applications and office space. Potential damage includes theft of funds, equipment or intellectual property, disclosure of confidential information, and/or damage to property or personnel. Read more...</description>
<guid>http://www.gideonrasmussen.com/infosec-list/message-17.html</guid>
<pubDate>Thu, 6 Jul 2006 20:14:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>13 Ways to Get Your Developers on Board with Software Security</title>
<description>This article provides solid advice for implementing security in your software development processes. It takes developers into consideration and includes resource links.</description>
<guid>http://www.spidynamics.com/spilabs/education/articles/software-security.html</guid>
<pubDate>Thu, 22 Jun 2006 20:10:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>Questions to Gauge Security Awareness</title>
<description>This is my response to a post asking for high level questions to gauge security awareness in an organization:</description>
<guid>http://www.gideonrasmussen.com/infosec-list/message-15.html</guid>
<pubDate>Tue, 6 Jun 2006 02:37:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>The Insider Threat</title>
<description>The threat posed by insiders should be a concern for every organization. Authorized personnel have the accesses to cause serious damage through theft, sabotage, neglect or error. CERT and the US Secret Service banded together and conducted a study of insider security incidents.</description>
<guid>http://www.gideonrasmussen.com/infosec-list/message-14.html</guid>
<pubDate>Mon, 22 May 2006 23:51:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>Software Development: Building Security In</title>
<description>Development managers know that security should be built into new applications and incorporated into patches and new functionality. The challenge is implementing security in the fast-paced world of development operations.</description>
<guid>http://www.gideonrasmussen.com/infosec-list/message-13.html</guid>
<pubDate>Thu, 11 May 2006 00:23:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>Application Security</title>
<description>There is a disturbing trend in Internet threats: hackers are attacking at the application layer. Router ACLs, firewalls, demilitarized networks, intrusion detection software, all for naught... The malicious traffic complies with TCP/IP and follows the enforced path restricted by network gear. Layered network controls are still an absolute requirement, but the application layer must be hardened as well. Here is how I recommend approaching application security:</description>
<guid>http://www.gideonrasmussen.com/infosec-list/message-12.html</guid>
<pubDate>Tue, 28 Mar 2006 03:34:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>Protect Internal Networks from Internet Exposure</title>
<description>This article explains a common misconfiguration with serious security implications. The Split Tunneling feature of VPN clients leaves them connected to the Internet while accessing internal networks. This conduit exposes internal systems to hackers, viruses and other malware.</description>
<guid>http://www.gideonrasmussen.com/infosec-list/message-11.html</guid>
<pubDate>Sun, 26 Feb 2006 05:00:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>Support for Strong Authentication</title>
<description>An FFIEC document considers &quot;single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties.&quot; &quot;Financial institutions should assess the adequacy of such authentication techniques in light of new or changing risks such as phishing, pharming, malware, and the evolving sophistication of compromise techniques.&quot;</description>
<guid>http://www.gideonrasmussen.com/infosec-list/message-10.html</guid>
<pubDate>Tue, 21 Feb 2006 04:57:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>NIST Guidelines for Media Sanitization (Draft)</title>
<description>NIST raises an important topic. Each organization must have a process to properly dispose of hardware and media. The alternative is external leaks of sensitive information.</description>
<guid>http://www.gideonrasmussen.com/infosec-list/message-09.html</guid>
<pubDate>Wed, 8 Feb 2006 03:28:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>Microsoft Shared Computer Toolkit for XP</title>
<description>This free toolkit hardens Windows XP to help mitigate the risk of establishing a public/shared workstation. Most organizations have at least one so I thought this would be of interest.</description>
<guid>http://www.gideonrasmussen.com/infosec-list/message-08.html</guid>
<pubDate>Sun, 1 Jan 2006 16:09:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>Retaining INFOSEC Professionals</title>
<description>Here is a response to one of my contacts who is having difficulty retaining both team leaders and team members. His team is comprised of auditors. However most of the advice pertains to retaining INFOSEC professionals in general.</description>
<guid>http://www.gideonrasmussen.com/infosec-list/message-07.html</guid>
<pubDate>Thu, 29 Dec 2005 16:47:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>Thoughts on eVaulting</title>
<description>Included below is my response to a post in the cisspforum. The person was considering e-vaulting versus traditional off-site storage of backup tapes.</description>
<guid>http://www.gideonrasmussen.com/infosec-list/message-06.html</guid>
<pubDate>Wed, 21 Dec 2005 04:37:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>Circumventing Group Policy as a Limited User</title>
<description>This article from Mark Russinovich explains how a user account can overcome Active Directory group policy settings due to a Windows design flaw (versus a security vulnerability). It also includes an application as a proof of concept.</description>
<guid>http://www.gideonrasmussen.com/infosec-list/message-05.html</guid>
<pubDate>Thu, 15 Dec 2005 00:54:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>Inexpensive Cisco Network Log Analysis</title>
<description>In this article Mark Lachniet explains why it's important to analyze logs and provides an inexpensive way to monitor Cisco logs using the Kiwi Syslog Daemon and Sawmill. The article is well written and includes screenshots.</description>
<guid>http://lachniet.com/cheaplogging</guid>
<pubDate>Tue, 13 Dec 2005 03:56:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>Continuous Auditing Guide (ISSA)</title>
<description>Take a look at this guide for continuous auditing. It's well written and addresses an area that is often overlooked in information technology.</description>
<guid>http://www.gideonrasmussen.com/infosec-list/message-03.html</guid>
<pubDate>Fri, 9 Dec 2005 02:46:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>Risk Management Template</title>
<description>George Spafford has posted a great risk management template. Also check out his Daily News Email List and articles.</description>
<guid>http://www.gideonrasmussen.com/infosec-list/message-02.html</guid>
<pubDate>Tue, 6 Dec 2005 01:56:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

<item>
<title>Home-Grown INFOSEC Professionals</title>
<description>Recently Marcia Wilson authored an article on how to become an information security professional. She raises an interesting topic. Mentoring coworkers in how to break into the INFOSEC career field can be a powerful way to bolster your security program. Here are a few tips:</description>
<guid>http://www.gideonrasmussen.com/infosec-list/message-01.html</guid>
<pubDate>Tue, 29 Nov 2005 23:41:00 EST</pubDate>
<category>Security</category> 
<category>Technology</category>
</item>

</channel>

</rss>
