2013, InfoSec and Risk - Cyber Security Informer

First American Financial Pays Farcical $500K Fine

Krebs on Security

JUNE 18, 2021

Under First American’s documented vulnerability remediation policies, the data leak was classified as a security weakness with a “level 3” severity, which placed it in the “medium risk” category and required remediation within 45 days. “The [employee] did not request a waiver or risk acceptance from the CISO.”

Insurance

Insurance Risk Financial Services CISO

Announcing the public availability of the Cisco Cloud Controls Framework (CCF)

Cisco Security

MAY 5, 2022

A strategic compliance and risk management approach is as essential to the success of an organization as its product strategy. ISO IEC 27001:2013 – Information technology — Security techniques — Information security management systems — Requirements. Infosec Registered Assessors Program (IRAP December 2020).

Marketing

Marketing InfoSec Risk Technology

How Are Computers Compromised (2020 Edition)

Adam Shostack

MAY 20, 2020

For others, such as the first, there’s a risk that journalists are going to say ‘really, we only know how 15% of incidents start?’ For example, I believe that patch management is way harder than you’d believe if you read infosec twitter, but so what? ’ (I would be surprised if it’s that high.).

InfoSec

InfoSec Government Phishing Engineering

How Are Computers Compromised (2020 Edition)

Adam Shostack

JANUARY 2, 2025

For others, such as the first, there's a risk that journalists are going to say 'really, we only know how 15% of incidents start?' (I For example, I believe that patch management is way harder than you'd believe if you read infosec twitter, but so what? I would be surprised if it's that high.) That would be exciting and actionable.

InfoSec

InfoSec Government Phishing Engineering

Is India's Aadhaar System Really "Hack-Proof"? Assessing a Publicly Observable Security Posture

Troy Hunt

JANUARY 10, 2018

Just as in my post on NatWest last month , that entry point must be as secure as possible or else everything else behind there gets put at risk. By recognising this, they also must accept that the interception may occur on that first request - the insecure one - and that subsequently leaves a very real risk in their implementation.

Hacking

Hacking Government Encryption InfoSec

Business Must Change: InfoSec in 2019

The Falcon's View

JANUARY 3, 2019

Consider, if you will, that fundamentally we in infosec want people to make better decisions. That's right, it's infosec. Those are the Three Ways of DevOps as introduced within The Phoenix Project way back in 2013. 3) InfoSec Bifurcation: Functional vs. Strategic. Truly, that's at the core of much that we do.

InfoSec

InfoSec Engineering Digital transformation CISO

ISO/IEC 27002 update

Notice Bored

FEBRUARY 20, 2022

Aside from restructuring and generally updating the controls from the 2013 second edition, the committee (finally!) Monitoring activities (8.16) - 'anomalies' on IT networks, systems and apps should be detected and responded to, to mitigate the associated risks. The fine details, however, do matter in practice.

IoT

IoT Information Security Risk Technology

The dreaded Statement of Applicability

Notice Bored

JUNE 5, 2022

b) determine all controls that are necessary to implement the information security risk treatment option(s) chosen; NOTE Organizations can design controls as required, or identify them from any source. Justification for including a control is its effect on modifying information security risk. Subclause 6.1.3 Subclause 6.1.3

Risk

Risk Information Security Accountability InfoSec

Transition arrangements for ISO/IEC 27001

Notice Bored

FEBRUARY 24, 2022

Last week's release of a completely restructured ISO/IEC 27002:2022 has naturally prompted a rash of questions from anxious ISO27k users around the world about the implications for ISO/IEC 27001:2013, particularly on the certification aspects since '27002:2022 no longer aligns with '27001:2013 Annex A.

Information Security

Information Security Risk IoT InfoSec

News on ISO/IEC 27002

Notice Bored

MAY 23, 2021

The most significant thing to report is that the project to revise the 3 rd (2013) edition of ISO/IEC 27002 appears on-track to reach final draft stage soon and will hopefully be approved this year, then published soon after (during 2022, I guess).

IoT

IoT InfoSec Risk

Security Compliance & Data Privacy Regulations

eSecurity Planet

AUGUST 9, 2022

See the Top Governance, Risk and Compliance (GRC) Tools. M]uch of InfoSec management falls back on employee training and avoiding employee error – particularly with respect to phishing , spear phishing, and encryption lapses.”. Compliance Comes Down to Risk Management. Consequently, these are all elements of risk management.

Data privacy

Data privacy Encryption Data breaches Insurance

Top Breach and Attack Simulation (BAS) Vendors

eSecurity Planet

MAY 5, 2021

BAS offers more than just pen testing and red team insights, going further in recommending and prioritizing fixes to maximize security resources and minimize cyber risk. AttackIQ calls San Diego, California, home and started as an automated validation platform in 2013. FireEye’s Mandiant. Picus Security. SafeBreach. DXC Technology.

Penetration Testing

Penetration Testing Risk Technology Marketing

NBlog Sept 24 - status of ISO27001 Annex A

Notice Bored

SEPTEMBER 23, 2020

One of the recurrent (zombie) threads on the ISO27k Forum concerns the status of ISO/IEC 27001:2013 Annex A. To kick off, I’ll emphasise the critical distinction between two key terms: Mandatory requirements are formally described in the main body of ISO/IEC 27001:2013. Clause 6.1.3

Risk

Risk Information Security Accountability InfoSec

NBlog Aug 26 - ISMS templates

Notice Bored

AUGUST 25, 2020

Systematically checking through ISO/IEC 27001:2013 for all the documentation requirements is an interesting exercise. Some documents are identified explicitly in the standard and are clearly mandatory, while many others are only noted in passing, often in ambiguous terms or merely alluded-to.

Risk

Risk Information Security Cybersecurity InfoSec

NBlog Aug 23 - ISMS comms plan

Notice Bored

AUGUST 23, 2020

Yesterday I started preparing an ISMS communications plan to satisfy ISO/IEC 27001 :2013 clause 7.4, with a little help from the Web. Naturally I started out with the standard itself.

Information Security

Information Security Security Awareness Security Performance Risk

The Hacker Mind: Hacking Social Media

ForAllSecure

JUNE 2, 2021

With more than 600K followers on YouTube, LiveOverflow is one of infosec’s first social media influencers. In a moment you hear from someone who’s been publishing high quality infosec content on YouTube for the last six years and now has over half a million subscribers. How did he get started and what’s next?

Media

Media Hacking InfoSec Marketing

The Hacker Mind: Hacking Social Media

ForAllSecure

JUNE 2, 2021

With more than 600K followers on YouTube, LiveOverflow is one of infosec’s first social media influencers. In a moment you hear from someone who’s been publishing high quality infosec content on YouTube for the last six years and now has over half a million subscribers. How did he get started and what’s next?

Media

Media Hacking InfoSec Marketing

Top Cybersecurity Accounts to Follow on Twitter

eSecurity Planet

DECEMBER 3, 2021

How to screen for natural infosec talent: Ask for a worst case scenario for any common situation. Haddix continues to provide his insights while serving as the Head of Security and Risk Management for Ubisoft. Street is an industry-respected speaker and analyst and currently is the VP of InfoSec for SphereNY.

Accountability

Accountability Cybersecurity Penetration Testing InfoSec

Lab Walkthrough?—?Moodle SpellChecker Path Authenticated RCE [CVE-2021–21809]

Pentester Academy

MARCH 23, 2023

or sign up for a 7-day, risk-free trial with INE and access this lab and a robust library covering the latest in Cyber Security, Networking, Cloud, and Data Science! Technical difficulty: Beginner Introduction In 2021, a high-risk vulnerability was found in Moodle. This module was tested against Moodle version 3.11.2, References 1.

Authentication

Authentication Mobile Passwords Penetration Testing

The Hacker Mind Podcast: The Right To Repair

ForAllSecure

FEBRUARY 10, 2021

To answer these questions, Paul Roberts, Editor-in-Chief of the Security Ledger, has founded securepairs.org , a group of infosec experts who are volunteering their free time to fight for the digital right to repair in local legislation. Back then Paul was writing infosec stories for IDG and I was doing the same at ZDNet.

InfoSec

InfoSec Manufacturing Technology Software

The Hacker Mind Podcast: The Right To Repair

ForAllSecure

FEBRUARY 10, 2021

To answer these questions, Paul Roberts, Editor-in-Chief of the Security Ledger, has founded securepairs.org , a group of infosec experts who are volunteering their free time to fight for the digital right to repair in local legislation. Back then Paul was writing infosec stories for IDG and I was doing the same at ZDNet.

InfoSec

InfoSec Manufacturing Technology Software

Cyber Security Informer

First American Financial Pays Farcical $500K Fine

Announcing the public availability of the Cisco Cloud Controls Framework (CCF)

Trending Sources

How Are Computers Compromised (2020 Edition)

How Are Computers Compromised (2020 Edition)

Is India's Aadhaar System Really "Hack-Proof"? Assessing a Publicly Observable Security Posture

Business Must Change: InfoSec in 2019

ISO/IEC 27002 update

The dreaded Statement of Applicability

Transition arrangements for ISO/IEC 27001

News on ISO/IEC 27002

Security Compliance & Data Privacy Regulations

Top Breach and Attack Simulation (BAS) Vendors

NBlog Sept 24 - status of ISO27001 Annex A

NBlog Aug 26 - ISMS templates

NBlog Aug 23 - ISMS comms plan

The Hacker Mind: Hacking Social Media

The Hacker Mind: Hacking Social Media

Top Cybersecurity Accounts to Follow on Twitter

Lab Walkthrough?—?Moodle SpellChecker Path Authenticated RCE [CVE-2021–21809]

The Hacker Mind Podcast: The Right To Repair

The Hacker Mind Podcast: The Right To Repair

Stay Connected