True Cost of Compliance, by Ponemon & Tripwire

Ponemon Institute has created a report, commissioned by Tripwire, about the cost of compliance. It is good material for any security manager to look at.

Ponemon Institute and Tripwire Inc. conducted The True Cost of Compliance research to determine the full costs associated with an organization’s compliance efforts. This benchmark study of multinational organizations provides a clear understanding of the differences between compliance and non-compliance costs incurred when complying with laws, regulations and policies.

ponemon-2011

Main Resources:

TCOC-exec summary2

Succinctly put, compliance costs are proactive spending, while non-compliance costs are reactive spending. In this graph we can see that non-compliance costs are much more expensive than compliance costs — 2.65 times more expensive to be precise. However, this does not mean that an organization that spends on compliance will not experience non-compliance costs. What it tells us is that the total cost of compliance is very high because you’re balancing the preventative costs of compliance with the costs of failure, i.e. the reactive costs of non-compliance.

  • Charts
  • Audio podcast (33 min) (good one)


Findings

  • the cost of non-compliance can be more expensive than investing in compliance activities
  • industry and organizational size affect the cost of compliance and non-compliance
  • the gap between compliance and non-compliance cost is related to number of records lost or stolen in data breaches
  • the more effective an organization’s security strategy is, the lower the cost of non-compliance
  • ongoing internal compliance audits reduce the total cost of compliance
  • laws and regulations are the main drivers for investment in compliance activities

McAfee’s Risk and Compliance Outlook Report

The report produced by McAfee is interesting reading for getting a view of the risk and compliance challenges within companies.

McAfee retained Evalueserve to conduct an independent assessment of the factors organizations that use risk and compliance products face in 2012. This is the third in a series of global studies that highlights how IT decision-makers view and address the challenges of risk and compliance management…

mcafee-compliance-report

Main Source

Key Findings:

  • There is a positive trend in security budgets for 2012, indicating the same or higher expenditure on risk and compliance.
  • Organizations state ‘Compliance’ as the driver for almost 30% of IT projects.
  • Software and Appliance are the top choices for Risk and Compliance products.
  • Survey data showed rapid uptake of Hosted SaaS and Virtualization.
  • Patch Management frequency is a challenge.

Verizon’s Payment Card Industry Compliance Report

Verizon’s Payment Card Industry Compliance Report 2011 is available. It is good material to look at if one wishes to have a view of the PCI status.

This report analyzes findings from actual Payment Card Industry (PCI) Data Security Standard (DSS) assessments conducted by Verizon’s team of Qualified Security Assessors (QSAs).

verizon-pci-report

Main Sources:

Key Findings:

  • While the compliance situation has neither worsened nor improved, it is still “disappointing.”
  • Lack of PCI compliance continues to be linked to data breaches.
  • Organizations struggle with key PCI requirements.
  • Failure to prioritize compliance efforts often means high-risk security threats are ignored.
  • PCI standard offers protection against the most common attack methods.

Tip, secure communication channel from remote site to your home computer, for file transfers and for browsing internet

This post is a miscellaneous add-on to the earlier posts “Tip, personal online file storage by using your home computer” and “Privacy and internet communication”.

In the first post, the online storage solution was built by using:

  • In home computer:
    • freeftpd
    • dynamic dns service (for example dyndns) and
    • dynamic dns update client
  • In remote (client) computer:
    • WinSCP

These tools were used to create a secure (encrypted) connection to the home computer.

Please note that for storing files in a cloud environment, one also needs to encrypt the files for more secure storage (by using TrueCrypt, for example; I’ll try to write a post about that later).

In the second post, the secure connection was set up on the client side by using tools like:

  • PuTTY or MyEnTunnel for creating the secure connection
  • Firefox for browsing via the above-mentioned secure connection

In this post, one secure connection serves both needs:

  • file transfer
  • Internet browsing

For example, if one does not have a trusted host (provider) on the internet to protect one’s communication, one could consider using one’s home computer. In this way the communication is protected at least up to the home computer.

What is needed?

  • In the home computer:
    • SSH server (see the section below)
    • dynamic dns service (for example dyndns) and
    • dynamic dns update client
  • In remote (client) computer:
    • WinSCP for file transfer
    • MyEnTunnel for creating and maintaining secure connection
    • Browser, like Firefox, to connect to the internet via MyEnTunnel (and via the home computer)

SSH server

There are several variants to choose from (check the licensing terms; free for personal/non-commercial use):

  • OpenSSH (instructions example)
    • no GUI and therefore more complex setup
    • Also allows shell access (MINUS) together with file transfer; forwarding can be controlled
    • Can forbid/allow shell access, file transfer and forwarding separately (PLUS)
    • Can ban the client IP address when a brute force attack is detected (PLUS)
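The OpenSSH point above, that shell access, file transfer and forwarding can be allowed or forbidden separately, is what makes a home SSH server usable for exactly the two needs of this post and nothing more. The following is an added example, not material from the post or from OpenSSH itself: a permissive sshd_config beside a hardened one, and a small audit function that reports the settings a home server exposed to the internet should not have. The account names `files` and `tunnel`, the host name and the chroot path are placeholders.

```python
"""Check an OpenSSH sshd_config for the split this setup needs from a home
SSH server: file transfer and port forwarding allowed, interactive shell
denied, brute-force surface minimised.  Added example; not the post's own
material.  Account names 'files' and 'tunnel' and the chroot path are
placeholders."""

# Constructed sample: the permissive shape a default install often has.
WEAK_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
AllowTcpForwarding yes
"""

# Constructed sample: one account may only run the SFTP subsystem (WinSCP),
# another may only open forwarded TCP connections (the SOCKS tunnel that
# MyEnTunnel/PuTTY sets up for the browser).  Neither ever gets a shell.
HARDENED_CONFIG = """
Port 22
PermitRootLogin no
PasswordAuthentication no      # key-only logins leave nothing to guess
PubkeyAuthentication yes
MaxAuthTries 3
AllowUsers files tunnel        # placeholder account names
AllowTcpForwarding no          # denied for everyone, re-enabled per account
X11Forwarding no
Subsystem sftp internal-sftp

Match User files
    ForceCommand internal-sftp # SFTP only; a shell request is never honoured
    ChrootDirectory /srv/files # placeholder path; must be root-owned
    PermitTTY no

Match User tunnel
    AllowTcpForwarding yes     # 'ssh -N -D 1080 tunnel@home' works
    PermitTTY no
    ForceCommand /bin/false    # any shell or command request exits at once
"""


def parse(text):
    """Split sshd_config into [("global", opts), ("User files", opts), ...].
    Keywords are case-insensitive in sshd, so they are lower-cased here."""
    sections = [("global", {})]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and padding
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            sections.append((value, {}))
        else:
            # sshd keeps the first occurrence of a keyword; mimic that
            sections[-1][1].setdefault(key, value)
    return sections


def audit(text):
    """Return human-readable findings; an empty list means the config gives
    out nothing beyond what this setup needs."""
    sections = parse(text)
    g = sections[0][1]
    findings = []
    # Fallback values below are OpenSSH's own defaults (PermitRootLogin
    # prohibit-password, PasswordAuthentication yes, AllowTcpForwarding yes).
    if g.get("permitrootlogin", "prohibit-password") == "yes":
        findings.append("PermitRootLogin yes: root reachable from the internet")
    if g.get("passwordauthentication", "yes") == "yes":
        findings.append("PasswordAuthentication yes: open to password guessing")
    if g.get("allowtcpforwarding", "yes") == "yes":
        findings.append("AllowTcpForwarding yes globally: every account can tunnel")
    if "allowusers" not in g and "allowgroups" not in g:
        findings.append("no AllowUsers/AllowGroups: any local account may log in")
    for spec, opts in sections[1:]:
        # A Match block that does not force a command still hands out a shell.
        if not opts.get("forcecommand", g.get("forcecommand")):
            findings.append(f"Match {spec}: no ForceCommand, interactive shell reachable")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit(cfg) or ['no findings']}")
```

The `tunnel` account is the one MyEnTunnel (or `ssh -N -D 1080`) logs in as: because `-N` requests no remote command, the forced `/bin/false` never runs and only the port forwarding remains. The `files` account is what WinSCP uses; `internal-sftp` with a chroot keeps it inside one directory. The audit is deliberately narrow, and `sshd -t` on the real server remains the syntax check of record.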

My favorites are Bitvise SSH Server and SilverSHielD, since both can deny access to the command shell. In addition, the brute force detection in SilverSHielD is an important add-on if running these functions as a service (mostly ON and active).

Bitvise SSH Server Screenshot:

ssh-server-bitwise

SilverSHielD Screenshot:

ssh-server-silvershield

The brute force detection setting is done on this page: the number of failed attempts and the ban time can be defined.

ssh-server-silvershield2


Note

Both these products have commercial editions as well, and they are good choices since one can expect maintenance updates etc. With SilverSHielD, however, I was having connection problems with their main site.

Note

Creating a secure connection to the home computer also means that one port must be open and accessible from the internet. Some products contain filtering options for an allowed client IP or IP range. However, monitoring is required to detect possible attacks, and one needs to find a way to receive alerts from these tools.
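Where the SSH server lacks built-in brute force detection, the same “number of failed attempts” and “ban time” logic from the SilverSHielD screenshot can be run over the server’s own log. The following is an added example, not code from the post or from any of the products named: it parses OpenSSH-style failed-login lines, flags a source address that crosses the attempt threshold inside a sliding window, and produces alert lines that could be mailed or pushed to a notifier. The log lines are constructed, using RFC 5737 test addresses, and the host name `homebox` is a placeholder.

```python
"""Spot password brute forcing against a home SSH server from its log and
raise an alert, the way the 'number of failed attempts' and 'ban time'
settings do inside SilverSHielD.  Added example, not the post's own material;
the log lines below are constructed (RFC 5737 test addresses) and the host
name 'homebox' is a placeholder."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOG = """\
Jan 12 03:14:01 homebox sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jan 12 03:14:03 homebox sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51235 ssh2
Jan 12 03:14:04 homebox sshd[2212]: Failed password for root from 203.0.113.7 port 51236 ssh2
Jan 12 03:14:06 homebox sshd[2213]: Failed password for root from 203.0.113.7 port 51237 ssh2
Jan 12 03:14:09 homebox sshd[2214]: Failed password for files from 203.0.113.7 port 51238 ssh2
Jan 12 03:20:00 homebox sshd[2230]: Failed password for files from 198.51.100.4 port 40001 ssh2
Jan 12 03:31:00 homebox sshd[2240]: Accepted publickey for tunnel from 198.51.100.4 port 40002 ssh2: ED25519 SHA256:placeholder
Jan 12 03:45:00 homebox sshd[2250]: Failed password for files from 198.51.100.4 port 40003 ssh2
"""

# OpenSSH's failure line, with or without the 'invalid user' marker.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)


def parse_failures(log_text, year=2012):
    """Return [(timestamp, user, ip)] for failed password lines.
    Syslog stamps carry no year, so the caller supplies it."""
    failures = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            failures.append((ts, m["user"], m["ip"]))
    return failures


def detect_bruteforce(failures, max_attempts=4, window_min=5, ban_min=30):
    """Return {ip: ban_expiry} for sources with max_attempts or more failures
    inside a sliding window of window_min minutes.  A real tool would also
    drop the connection; here the result feeds alerts()."""
    window, ban = timedelta(minutes=window_min), timedelta(minutes=ban_min)
    recent = defaultdict(deque)
    banned = {}
    for ts, _user, ip in sorted(failures):
        if ip in banned:
            continue                      # already flagged, nothing to add
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:         # forget attempts older than the window
            q.popleft()
        if len(q) >= max_attempts:
            banned[ip] = ts + ban
    return banned


def alerts(banned):
    """One line per banned source, ready for mail, syslog or a desktop notifier."""
    return [f"ALERT: ssh brute force from {ip}, banned until {until:%Y-%m-%d %H:%M:%S}"
            for ip, until in sorted(banned.items())]


if __name__ == "__main__":
    for line in alerts(detect_bruteforce(parse_failures(SAMPLE_LOG))):
        print(line)
```

With the defaults, the burst from 203.0.113.7 trips the threshold on its fourth failure and is banned for 30 minutes, while the two widely spaced failures from 198.51.100.4 (which also has a successful key login in between) are left alone; loosening the window or threshold changes that, which is exactly the trade-off the SilverSHielD settings page exposes.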


Internet Security Threat Report, by Symantec

The Internet Security Threat Report is available from Symantec’s Threat Landscape page. The direct link to the report seems to be this.

Information sources:

  • Symantec Global Intelligence Network
  • Vulnerability database
  • Symantec Probe Network
  • Antifraud community

The figure below is an extract from their 2011 in numbers page.

ThreatReport2011

Some selected observations from the report:

  • Targeted Attacks, Cyber Espionage And Business
    • it’s no longer only the CEOs and senior-level staff: 58% of the attacks target people in other job functions such as Sales, HR, Executive Assistants, and Media/Public Relations
  • 232 Million Identities Stolen

The report also summarizes Best Practice guidelines for business, for example:

  • Defense-In-Depth
  • Monitor
  • Secure Your Websites
  • Use Encryption
  • Data Loss Prevention
  • Removable Media Policy
  • Password Policy
  • Educate Users

Wheelchair controlled by thought

In the article “Smart chair: powered by thought”, there is a video where a person guides a wheelchair with the help of thoughts and eye blinks.

smart-chair


Google Glass Eyewear, Project Glass

In Wikipedia:

Project Glass is a research and development program by Google to develop an augmented reality head-mounted display (HMD).

  • hands free display
  • voice commands
  • Android operating system

glass photos glass photos3

Checkout

Links
