
Posts Tagged ‘Compliance Management’

Hi Everyone!

This video is for those who were not able to attend the training.

Enjoy and understand it! =)

Stay tuned for our McAfee Total Protection for Compliance Technical Overview by E-SPIN video.

For more information or inquiries, please do not hesitate to contact us or visit our website at http://www.e-spincorp.com

Read Full Post »

No matter how large or small your company is, you need to have a plan to ensure the security of your information assets. Such a plan is called a security program by information security professionals. Whether yours is five or 200 pages long, the process of creating a security program will make you think holistically about your organization’s security. A security program provides the framework for keeping your company at a desired security level by assessing the risks you face, deciding how you will mitigate them, and planning for how you keep the program and your security practices up to date.

  • Product information, including designs, plans, patent applications, source code, and drawings
  • Financial information, including market assessments and your company’s own financial records
  • Customer information, including confidential information you hold on behalf of customers or clients
  • Failure to protect your data’s confidentiality might result in customer credit card numbers being stolen, with legal consequences and a loss of goodwill. Lose your clients’ confidential information and you may have fewer of them in the future.
  • A data integrity failure might result in a Trojan horse being planted in your software, allowing an intruder to pass your corporate secrets on to your competitors. If an integrity failure affects your accounting records, you may no longer really know your company’s true financial status.


Having a security program means that you’ve taken steps to mitigate the risk of losing data in any one of a variety of ways, and have defined a life cycle for managing the security of information and technology within your organization.

Elements of a good security program

A good security program provides the big picture for how you will keep your company’s data secure. It takes a holistic approach that describes how every part of your company is involved in the program. A security program is not an incident handling guide that details what happens if a security breach is detected (see The Barking Seal Issue Q1 2006). It’s also not a guide to doing periodic assessments, though it probably does dictate when to do a security assessment (see The Barking Seal Issue Q2 2008).

Your security program defines what data is covered and what is not. It assesses the risks your company faces, and how you plan to mitigate them. It indicates how often the program will be re-evaluated and updated, and when you will assess compliance with the program. The key components of a good security program are outlined in the following sections.

  1. Designated security officer

For most security regulations and standards, having a Designated Security Officer (DSO) is not optional — it’s a requirement. Your security officer is the one responsible for coordinating and executing your security program. The officer is your internal check and balance. This person or role should report to someone outside of the IT organization to maintain independence.

  2. Risk assessment

This component identifies and assesses the risks that your security program intends to manage. This is perhaps the most important section because it makes you think about the risks your organization faces so that you can then decide on appropriate, cost-effective ways to manage them. Remember that we can only minimize, not eliminate, risk, so this assessment helps us to prioritize the risks and choose cost-effective countermeasures. The risks that are covered in your assessment might include one or more of the following:

  • Physical loss of data. You may lose immediate access to your data for reasons ranging from floods to loss of electric power. You may also lose access to your data for more subtle reasons: the second disk failure, for example, while your RAID array recovers from the first.
  • Unauthorized access to your own data and client or customer data. Remember, if you have confidential information from clients or customers, you’re often contractually obliged to protect that data as if it were your own.
  • Interception of data in transit. Risks include data transmitted between company sites, or between the company and employees, partners, and contractors at home or other locations.
  • Your data in someone else’s hands. Do you share your data with third parties, including contractors, partners, or your sales channel? What protects your data while it is in their hands?
  • Data corruption. Intentional corruption might modify data so that it favors an external party: think Trojan horses or keystroke loggers on PCs. Unintentional corruption might be due to a software error that overwrites valid data.

  3. Policies and Procedures

Preparing your risk assessment hopefully gave you lots to worry about. The policies and procedures component is the place where you get to decide what to do about them. Areas that your program should cover include the following:

  • Physical security documents how you will protect all three C-I-A aspects of your data from unauthorized physical access.
  • Authentication, authorization, and accountability establishes procedures for issuing and revoking accounts. It specifies how users authenticate, password creation and aging requirements, and audit trail maintenance.
  • Security awareness makes sure that all users have a copy of your acceptable use policy and know their responsibilities; it also makes sure that your IT employees are engaged in implementing your IT-specific policies.
  • Risk assessment states how often you will reassess the potential threats to your IT security and update your security program.
  • Incident response defines how you will respond to security threats, including potential (such as unauthorized port scanning) and actual incidents (where security has been compromised). We discussed the importance of having an incident-handling guide in the Q1 2006 issue of The Barking Seal.
  • Virus protection outlines how you protect against viruses. This might include maintaining workstation-based products and scanning email, Web content, and file transfers for malicious content.
  • Business continuity planning includes how you will respond to various man-made and natural disaster scenarios. This includes setting up appropriate backup sites, systems, and data, as well as keeping them up-to-date and ready to take over within the recovery time you have defined.
  • Relationships with vendors and partners defines who these organizations are, what kind of data you might exchange with them, and what provisions must be in your contracts to protect your data. This is an often-overlooked aspect of data security because your IT organization probably has not had a lot of interaction with your legal organization over vendor contracts. You may need to take measures such as evaluating your partners’ ability to safeguard your data and insisting on having reasonable security practices in place.

  4. Organizational security awareness

The security community generally agrees that the weakest link in most organizations’ security is the human factor, not technology. And even though it is the weakest link, it is often overlooked in security programs. Don’t overlook it in yours.

Every employee needs to be aware of his or her roles and responsibilities when it comes to security. Even those who don’t touch a computer in their daily work need to be involved because they could still be targeted by social-engineering attacks designed to compromise your physical security. In its Information Security Handbook, publication 800-100, the National Institute of Standards and Technology (NIST) describes the importance of making all levels of your organization aware and educated on their roles and responsibilities when it comes to security (Figure 2). All users need to have security awareness training, while those involved with IT systems need to have more role-specific training. Your IT organization, which implements a continuous cycle of assessing, acquiring, and operating security-related hardware and software, needs an even higher level of involvement, taking direction from your own security specialists and those you hire as consultants.

[Figure: elements of a good security program]

  5. Regulatory standards compliance

In addition to complying with your own security program, your company may also need to comply with one or more standards defined by external parties. This component of your security plan defines what those standards are and how you will comply. Regulatory standards that might affect you include HIPAA (for patient information), PCI (for credit card processing), FISMA (for governmental agencies and contractors, see The Barking Seal Q4 2006), Sarbanes-Oxley, and Gramm-Leach-Bliley (for corporate financial management).

  6. Audit compliance plan

This component of your security program dictates how often you will audit your IT security and assess its compliance with your security program. As we discussed in the Q2 2008 issue of The Barking Seal, there are aspects of your security that you will want to audit on a frequency ranging from daily to annually. Periodic security assessments are important for finding out whether your security has already been breached. They help you to stay on top of new security threats with the right technology and staff training. And they help you make smart investments by helping you to prioritize and focus on the high-impact items on your list.

A security program is never “done.” As Figure 2 illustrates, your IT organization is always in the process of iterating through the program’s life cycle for all areas that it defines. You assess risks, make plans for mitigating them, implement solutions, monitor to be sure they are working as expected, and use that information as feedback for your next assessment phase. Likewise, your security program document has this life cycle built into it, as it specifies how often you will re-assess the risks you face and update the program accordingly.

Getting on the right footing

It doesn’t matter whether your security program is five pages (as are some we’ve produced for clients) or 200 pages long (such as the NIST document cited above). The important thing is that you have a security program and that you use it to address your company’s security in an organized, comprehensive, and holistic way. You can adapt the above elements to create a security program for your organization, or, if you need help, send us an email at info@e-spincorp.com or visit our website at www.e-spincorp.com

Everyone needs to have a security program because it helps you maintain your focus on IT security. It helps you identify and stay in compliance with the regulations that affect how you manage your data. It keeps you on the right footing with your clients and your customers so that you meet both your legal and contractual obligations. Its life cycle process ensures that security is continuously adapting to your organization and the ever-changing IT environment we live in. And, of course, it’s the right thing to do because protecting your data’s security is the same as protecting your most important asset.

Read Full Post »

For those who were not able to attend the E-SPIN McAfee Data Loss Prevention Technical Overview training,

please refer to the attached video above.

Enjoy it and stay tuned.

For further information, please contact us or visit our website at http://www.e-spincorp.com

Read Full Post »

For those who were not able to attend the E-SPIN Titania TEC Technical Overview training,

please refer to the attached video above.

Enjoy it and stay tuned.

For further information, please contact us or visit our website at http://www.e-spincorp.com

Read Full Post »

For those who were not able to attend the E-SPIN Titania TEC Product Overview training,

please refer to the attached video above.

Enjoy it and stay tuned for the E-SPIN Titania TEC Technical Overview training.

Read Full Post »

Military Level Compliance Auditing

Paws Studio is the compliance auditing tool for workstations and servers which enables organizations to produce intelligent compliance reports. It includes pre-defined policies for industry standards such as PCI, NERC, STIG and NSA and is fully automatable and customizable.

Titania’s latest release includes exciting new features which solve many of the issues associated with STIG (Security Technical Implementation Guide) audits.

The STIG Converter has been inspired by feedback from our military customers. Organisations wanting to check their workstations and servers against the STIG compliance policy can now self-update the STIG definition file within Paws Studio using only the XCCDF & OVAL documents. Our programming team provides regular updates to the pre-defined policies, but this option gives organisations the security of knowing they are checking against the most up to date information possible.

The Manual Checking function has been updated so that reports are now able to produce a fuller view of compliance policies. Manual checks allow you to include the physical security aspects of compliance rather than just being able to assess registry checks against your compliance requirements. Now you can add a title, description and fix for physical security issues which are included in compliance policies, such as locking doors and disposing of documents. These will then appear in your compliance report, providing the organisation with a more thorough overview of your compliance status.

Plus you can still benefit from the classic features of the software:

With Paws Studio you can:

1. Perform compliance audits through either remote network auditing or manual access to the audit data in secure environments
2. Produce advanced and easy-to-action reports with comprehensive summaries
3. Audit against pre-defined policies such as PCI, NSA, STIG and NERC
4. Define your own customised policy to suit your organisation
5. Write it into your current processes, as it is fully scriptable

Feel free to contact E-SPIN to discuss your audit compliance requirements.

Read Full Post »

Cybersecurity

The year 2013 will reinforce the fact that traditional security measures are no longer effective in thwarting advanced cyberattacks. “Organizations and security providers need to evolve toward more proactive real-time defenses that stop advanced threats and data theft.”

Here are the top trends they should be paying attention to.

  • Active cyber defence measures. There will be an increased use of active cyber defence measures, especially in Government. For example, organisations under Distributed Denial of Service (DDoS) attack might take offensive measures against the attacker such as automatically shutting down a connection. Active defence takes on another level of sophistication within an IT organisation by dint of the fact that the company will have to have the rigor and structure in place to implement processes that will automatically shut down threats based on pre-defined business rules. Although products to protect against cyber attack have been available for years to automatically block or shut down traffic based on certain characteristics, organisations have been reluctant to use this capability.
  • Actionable intelligence and the insider threat. Enterprises such as financial services organisations will put greater emphasis on actionable information to help them identify who their attackers are. Expect to see more eCrimes perpetrated by insiders. This will lead to a greater use of behavioural analysis systems that sit on the network learning what is normal behaviour and what are anomalies. The insider threat should also prompt more intelligent use of physical access control.
  • Cloud-based Botnets — The ability to create vast, virtual computing resources will further convince cyber criminals to look for ways to co-opt cloud-based infrastructure for their own ends. One possible example is for attackers to use stolen credit card information to purchase cloud computing resources and create dangerous clusters of temporary virtual attack systems.
  • Search History Poisoning — Cyber criminals will continue to manipulate search engine algorithms and other automated mechanisms that control what information is presented to Internet users. Moving beyond typical search-engine poisoning, researchers believe that manipulating users’ search histories may be a next step in ways that attackers use legitimate resources for illegitimate gains.

Read Full Post »

What is SQL Injection?


The most common type of hack attack seen these days involves SQL injection. Attackers, including hacktivists, favor SQL injection attacks because they allow attackers to “inject” their own commands into databases.

When databases aren’t configured to properly screen inputs for signs of attack, attackers have an easy-to-use, remote technique for obtaining any information stored by the database. The specially crafted user data tricks the application into executing unintended commands or changing data.

SQL Injection allows an attacker to create, read, update, alter, or delete data stored in the back-end database. In its most common form, a SQL Injection attack gives access to sensitive information such as social security numbers, credit card numbers or other financial data.

What is a SQL Injection Attack?

A SQL Injection attack is a form of attack that comes from user input that has not been checked to see that it is valid. The objective is to fool the database system into running malicious code that will reveal sensitive information or otherwise compromise the server.

There are four main categories of SQL Injection attacks against databases:

  1. SQL Manipulation: SQL manipulation is the process of modifying the SQL statement using operations such as UNION. Another way of implementing SQL Injection with the SQL manipulation method is by changing the WHERE clause of the SQL statement to get different results.
  2. Code Injection: Code injection is the process of inserting new SQL statements or database commands into the vulnerable SQL statement. One of the code injection attacks is to append a SQL Server EXECUTE command to the vulnerable SQL statement. This type of attack is only possible when multiple SQL statements per database request are supported.
  3. Function Call Injection: Function call injection is the process of inserting various database function calls into a vulnerable SQL statement. These function calls could make operating system calls or manipulate data in the database.
  4. Buffer Overflows: A buffer overflow is caused by using function call injection. For most commercial and open source databases, patches are available. This type of attack is possible when the server is unpatched.

How to prevent SQL injection attacks?

An attacker uses SQL injection to manipulate a site’s Web-based interfaces and force the database to execute undesirable SQL code, enabling data manipulation and spreading malware. Organizations must not only build defenses and practice secure coding best practices, but also develop an in-depth understanding of how SQL injection attacks work and how the threat has evolved — the earlier SQL injection attacks didn’t have the vulnerability detection capabilities of contemporary attacks — as well as learn how to find, isolate and address webpages infected with malware on a website.

Defending Against SQL Injection Attacks

The good news is that there actually is a lot that web site owners can do to defend against SQL injection attacks. Although there is no such thing as a 100 percent guarantee in network security, formidable obstacles can be placed in the path of SQL injection attempts.

1. Comprehensive data sanitation.

Web sites must filter all user input. Ideally, user data should be filtered for context. For example, e-mail addresses should be filtered to allow only the characters allowed in an e-mail address, phone numbers should be filtered to allow only the characters allowed in a phone number, and so on.

2. Use a web application firewall.

A popular example is the free, open source module ModSecurity which is available for Apache, Microsoft IIS, and nginx web servers. ModSecurity provides a sophisticated and ever-evolving set of rules to filter potentially dangerous web requests. Its SQL injection defenses can catch most attempts to sneak SQL through web channels.

3. Limit database privileges by context.

Create multiple database user accounts with the minimum levels of privilege for their usage environment. For example, the code behind a login page should query the database using an account limited only to the relevant credentials table. This way, a breach through this channel cannot be leveraged to compromise the entire database.

4. Avoid constructing SQL queries with user input.

Even data sanitation routines can be flawed. Using SQL variable binding with prepared statements, or stored procedures, is much safer than constructing full queries from user input.

Any one of these defenses significantly reduces the chances of a successful SQL injection attack. Implementing all four is a best practice that will provide an extremely high degree of protection. Despite its widespread use, your web site does not have to be SQL injection’s next victim.
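As an added example (not code from the original post), the defect and two of the defenses above side by side, in Python with SQLite: a lookup built by string concatenation, the same lookup with variable binding (defense 4), and a context-specific e-mail filter in front of it (defense 1). The table, rows and inputs are constructed for the demonstration; SQLite has no per-user privileges, so defense 3 is not shown.

```python
import re
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory sample database for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice@example.com", "hash-a"), ("bob@example.com", "hash-b")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """The defect the post describes: the statement is assembled from user input,
    so the input can rewrite the WHERE clause (the 'SQL manipulation' category)."""
    sql = "SELECT email FROM users WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_bound(conn: sqlite3.Connection, email: str) -> list:
    """Defense 4: variable binding. The driver sends the value separately from
    the statement text, so it is compared as data and never parsed as SQL."""
    sql = "SELECT email FROM users WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]


# Defense 1: filter for context. Only characters that belong in an address are
# allowed; anything else is rejected before it reaches the database.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")


def is_valid_email(value: str) -> bool:
    return EMAIL_RE.fullmatch(value) is not None


def find_user_defended(conn: sqlite3.Connection, email: str) -> list:
    """Defenses 1 and 4 together: reject input that is not shaped like an
    e-mail address, then look it up with a bound parameter."""
    if not is_valid_email(email):
        return []
    return find_user_bound(conn, email)


def demo() -> dict:
    """Runs each lookup against a legitimate address and a constructed
    WHERE-clause tautology, returning the row counts for comparison."""
    conn = build_db()
    legit = "alice@example.com"
    # Constructed input that turns the concatenated clause into 'always true'.
    tautology = "x' OR '1'='1"
    return {
        "vulnerable_legit": len(find_user_vulnerable(conn, legit)),
        "vulnerable_tautology": len(find_user_vulnerable(conn, tautology)),
        "bound_tautology": len(find_user_bound(conn, tautology)),
        "defended_legit": len(find_user_defended(conn, legit)),
        "defended_tautology": len(find_user_defended(conn, tautology)),
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count} row(s)")
```

The concatenated query returns every row for the tautology input, while the bound and filtered versions return none; only the legitimate address finds its single row.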

Read Full Post »

Retina CS enables IT Security professionals to centrally manage organization-wide IT security – physical, virtual, mobile and cloud – from a single, web-based console. It is the only unified vulnerability and compliance management solution that integrates security risk discovery, prioritization, remediation, and reporting, which dramatically decreases the time and effort required to manage IT security. 

– Retina Insight: Get actionable reporting, analytics, and trending across the vulnerability lifecycle via this powerful reporting engine, included with Retina CS at no additional cost.

– Configuration Compliance: A Retina CS Add-on Module: Simplify how you audit and report on common industry configuration guidelines and best practices.

– Regulatory Reporting: A Retina CS Add-on Module: Choose from Regulatory Reporting packs to automate how you navigate through the increasingly complex regulatory landscape.

– Patch Management: A Retina CS Add-on Module: Close the loop on vulnerabilities by providing integrated, automated, agent-less patching from a single console.

Retina CS Dashboard

E-EYE SOLUTION SUITE

1. Retina Network Security Scanner

Identify known and zero-day vulnerabilities using the industry’s most mature and effective vulnerability scanning technology.

2. Retina.GOV

Rely on integrated end-to-end vulnerability and compliance management designed specifically for Government departments and agencies.

3. Retina Web Security Scanner

Rapidly and accurately scan large, complex websites and web applications to assess web-based vulnerabilities.

ADDITIONAL SECURITY PRODUCTS

1. Blink Endpoint Protection

Augment existing security products with integrated multi-layered endpoint protection in a single, lightweight client.

2. Iris Network Traffic Analyzer

See analysis and integrated forensics reporting on network security traffic.

3. SecureIIS Web Server Security

Ensure protection for Windows IIS Servers by preventing known exploits, zero day attacks, and other harmful web server traffic.

Retina CS from eEye provides a lot of functionality – beyond just vulnerability scanning – in an easy-to-use format. It is a great value for almost any environment.

As the sole Retina solution distributor in the Asia-Pacific region, E-SPIN welcomes your inquiries and requirements, so we can assist you with the exact packaged solution you may require for your operation or project needs.

Read Full Post »


Here are the reasons why you should use Retina Network Security Scanner:

1. Department or enterprise-wide vulnerability assessment

Retina scales to meet the requirements of any size organization and supports scanning in distributed environments using software or appliances.

2. Compliance with industry or federal regulations

Retina helps companies comply with Payment Card Industry (PCI), Federal Desktop Core Configuration (FDCC), Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley (SOX), Gramm-Leach-Bliley Act, Federal Information Security Management Act (FISMA), European Union Data Directive, and others by providing customizable security policies and extensible reports.

3. Identify security risks and eliminate business interruptions

Less sophisticated scanners can crash a server or device as a result of their scanning methods that include running partial or full exploit code. Retina does not run any type of exploit code to conduct a scan and can accurately identify vulnerabilities without compromising a host.

4. Asset and risk identification

Retina can accurately detect and classify all assets within an environment and determine rogue, wireless, and virtual devices connected to the infrastructure. Vulnerability assessment determines which devices pose the greatest risk to the environment, from malware to hackers to unauthorized computing devices.

Retina Key Features

  • Reliable, Non-Intrusive Scanning Technology

Most scanners rely on exploit code to test network vulnerabilities, which frequently crashes servers, devices, or even networks in the process. Retina tests without using exploit code and harming your devices and network.

  • Comprehensive and Current Database

The most advanced, comprehensive database available. Critical vulnerabilities are updated within 48 hours of public disclosure. This is three times faster than the leading competition.

  • Superior Research Team

No security vendor can match the expertise of the eEye Research Team. Over the last 10 years, eEye has discovered more critical vulnerabilities than any other research group.

  • Extensive Third-Party Integration Support

Retina’s open architecture allows for integration with third-party applications such as event managers, security information managers, network management systems, call centers and many framework-based solutions.

  • Best Practice Approach to Vulnerability Assessment

Retina guides users through the logical steps of discovering assets, auditing known vulnerabilities and configuration issues, recommending remediation actions and reporting on the entire vulnerability management process using industry accepted best practices.

  • Unrestricted Asset Discovery

Retina allows for the discovery of a network’s entire infrastructure without restrictions or separate licensing. At a glance, administrators can determine the number and type of hosts on the network and build policies and groups for vulnerability assessment based on the results.

  • Flexible Remediation Reporting

Within the workflow of Retina, users can create targeted reports to identify specific vulnerabilities for remediation by risk, vulnerability or host, or even export the data to common file formats for inclusion in other reports and management systems.

  • Wizard Based Customizable Audits

Custom audits help ensure corporate policies with regard to anti-virus installations, file sharing programs, instant messaging, and third-party applications are being correctly identified and mitigated.

  • Granular Job Scheduling and Job Duration Support

Administrators can schedule and run multiple scan jobs against multiple targets and groups (business groups, subnets, for example) for scanning at one time, and control when a job must terminate (scan windows) in order not to impact business requirements like change control windows.

  • Adaptive High-Speed Scanning

Recognized as the fastest security scanner available, Retina can scan an entire Class C network in approximately 15 minutes. Retina scans every machine on your network, all types of operating systems, network devices and third-party or custom applications with extreme accuracy and speed.

Other eEye Solutions

RETINA ENTERPRISE
Do you need to centrally manage and report on distributed network scanning and vulnerability assessment initiatives?

APPLIANCES
Do you want a turnkey appliance solution, or to set up and license servers on their own?

BLINK ENTERPRISE
Do you want an agent-based vulnerability assessment solution in lieu of a network-based scanner?

Interested to know more about the Retina product suites? Please feel free to contact E-SPIN with your inquiry and requirements, so we can assist you with the exact packaged solution you may require for your operation or project needs.

Read Full Post »
