Best Practices

15 Best Practices You Want to Hear to Reduce Data Breaches

Almost every day we hear about a new data breach. Protecting your data from threats and accidental compromise is a critical concern no matter what business you are in. Client information, payment information, personal files, bank account details - all of this information can be hard to replace and potentially dangerous if it falls into the wrong hands.

The "Privacy Rights Clearinghouse" has maintained an easily searchable database of breaches from 2005 to the present, allowing us to track the rise and fall of data breaches over time. The chart below shows year-over-year trends in breach data from 2013 through 2015:

Organizations must adopt the following basic best practices to reduce data breaches:

CIS benchmarks and system hardening

System hardening is an area to which information security professionals now give much more importance. But how do we evaluate whether our system configurations are good enough? This is where the CIS security benchmarks can help. CIS (Center for Internet Security) is an independent organization that continually reviews system configuration settings across multiple vendors.

The CIS Security Benchmarks division was formed in October 2000 and is a not-for-profit consortium of users, security consultants, and vendors of security software (its members). It focuses on enhancing the cyber security readiness and response of public and private sector entities. Through consensus, the CIS Security Benchmarks division provides frameworks that help organizations bolster their security.

The CIS website defines the program as follows:

Strategies for Release-Based Security Testing

Change is the only constant in life, and applications are no exception. If we place a decade-old page of an application beside its current version, the changes are obvious. From simple static HTML pages, we have moved to a world of dynamic applications with a variety of add-ons, Flash players and plugins.

Suppose an application has been tested properly and all the security issues found have been fixed, so it is now a secure application. Later, the application may become vulnerable again when new functionality is added, so that functionality must be assessed too. This is the importance of release-based security testing, where every release is subjected to a security assessment.

Approach to an efficient Vulnerability Management Program

Operational challenges always come with a vulnerability management program. However, to cope with the growing complexity of IT infrastructure, security professionals are putting immense effort into transforming vulnerability management into an effective risk reduction solution. Tuning it to full efficacy can be highly significant and provide a great return on investment if it is implemented carefully and adjusted regularly. Organizations need to move beyond the traditional pattern and adopt a modern approach to vulnerability management. The following approaches will lead to the best solution.

Third Party Tiering Since One Size Does Not Fit All

Managing third party risk is a critical challenge facing Information Security leaders today. High-profile data breaches are reported regularly in the media. Regulators are increasing the focus on requirements for identifying and managing risk for third parties, particularly for financial services and retail corporations. In line with added scrutiny on cybersecurity and data breach practices, boards of directors are more frequently raising questions about the state of controls for critical third parties.

Establishing a third party risk management program means tackling several problems, such as the sheer number of third parties to assess. Using a disciplined approach and best practices such as third party tiering can help to reduce the problem to a more manageable size.

What is third party tiering?

Digital Evidence - Is it protected in your network

Digital Data to Digital Evidence
"Digital evidence is not just a piece of information; it is a trace of an incident that happened"
If you are working on or maintaining a network of digital devices, be cautious: you are working with digital evidence, not just digital data. But what are digital data and digital evidence, and how do they differ?

Any information that is stored or transmitted in binary format is digital data. Identifying such information and following the procedures required to submit it as supporting data in a court of law, or to management, is what makes it digital evidence.

Vulnerability Management - Step 0

Compliance is critical and necessary, not evil. Every organization wants to meet its compliance requirements, and risk assessments and vulnerability management are key to achieving the critical ones.

Most of the time, organizations see vulnerability management as just another checkbox in the pursuit of compliance. They forget or ignore many of its aspects, or they lack the concrete foundations needed to carry out a well-drilled and well-oiled vulnerability management process, and the process becomes complicated or fails midway. Our job is to make the process as smooth as possible, and sometimes it is better to start at step 0.

Computer Security Day - Everyone is Responsible

Computer Security Day

Nowadays we cannot imagine life without computers. Although they make our lives simpler, they can equally destroy them because of security concerns. To raise awareness, November 30th is celebrated every year as Computer Security Day around the world. It was started in 1988 to remind everyone of the importance of securing their networks, computers and data. Can it help an organization reduce threats? Yes: since humans are the weakest link in an organization, raising security awareness among employees minimizes risk to some extent. Information security is the responsibility of every employee of an organization, irrespective of their designation. We can assist organizations in strengthening their information security by conducting activities on that day such as:

AJAX (JSON) Security Guidelines

Client Side (Javascript)

  1. Use .innerText instead of .innerHTML
  2. Don't use eval
  3. Canonicalize data to consumer (read: encode before use)
  4. Don't rely on client logic for security
  5. Don't rely on client business logic
  6. Avoid writing serialization code
  7. Avoid building XML dynamically
  8. Never transmit secrets to the client
  9. Don't perform encryption in client side code
  10. Don't perform security impacting logic on client side
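
The following JavaScript is an added example, not code from the original page, showing guidelines 1 to 3 in working form: a constructed AJAX response body that eval() would execute but JSON.parse() rejects, rendering through textContent (the standard name for what older code called innerText) so markup in the data is displayed rather than parsed, and a small HTML encoder for the rare case where markup insertion cannot be avoided. The response bodies and the parseWithEval, parseJson, escapeHtml and renderName helpers are constructed for illustration; the element object passed to renderName is a stand-in for a DOM element so that the code also runs under Node.

```javascript
// Added example (not from the original page): eval vs JSON.parse, and
// textContent vs innerHTML, when handling an AJAX (JSON) response.

// Constructed attacker-controlled response body, as could arrive if the server
// reflected unescaped user input into a JSON reply. It is valid JavaScript but
// not valid JSON: eval() runs the embedded function, JSON.parse() rejects it.
const MALICIOUS_BODY =
  '({"name": (function(){ globalThis.pwned = true; return "x"; })()})';

// Constructed benign response body. The name carries markup that must be
// shown to the user as literal text, never interpreted by the browser.
const BENIGN_BODY = '{"name": "<img src=x onerror=alert(1)>"}';

// Unsafe (guideline 2 violated): the pre-JSON.parse idiom. Any JavaScript
// in the body executes with the page's privileges.
function parseWithEval(body) {
  return eval(body); // do not do this
}

// Safe: JSON.parse only accepts the JSON grammar, so code is a syntax error.
// A malformed body is treated as a failed request; never fall back to eval.
function parseJson(body) {
  try {
    return JSON.parse(body);
  } catch (e) {
    return null;
  }
}

// Minimal HTML encoder (guideline 3, "encode before use") for the case where
// data must be placed into markup rather than into a text node.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Guideline 1: assign to textContent (innerText in older code), which creates a
// text node; innerHTML would parse the <img> and fire its onerror handler.
// `el` is any object with a textContent property; in a browser it is a DOM element.
function renderName(el, data) {
  el.textContent = data.name;
  return el;
}

// Runs both parsers against the constructed bodies and reports what happened.
function demo() {
  globalThis.pwned = false;
  parseWithEval(MALICIOUS_BODY);
  const evalRan = globalThis.pwned;       // true: attacker code executed
  const safe = parseJson(MALICIOUS_BODY); // null: rejected as malformed JSON
  const user = parseJson(BENIGN_BODY);
  const el = renderName({ textContent: '' }, user);
  return { evalRan, safe, text: el.textContent, encoded: escapeHtml(user.name) };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Encoding on output is a last resort; the default should be the text-node assignment in renderName, which needs no encoding at all. Whichever path is used, the server must still validate the same data, since nothing in this client code stops a user from sending arbitrary requests (guidelines 4, 5 and 10).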

Server Side
