Security Awareness and Collaboration

Published: 2015-09-06
Last Updated: 2015-09-06 17:03:36 UTC
by Tony Carothers (Version: 1)
0 comment(s)

On a quiet, rainy Sunday I would like to talk about NIST SP 800-12, “An Introduction to Computer Security: The NIST Handbook”.  I am sharing this to help raise awareness, as much for our regular readers as for those around us who may not fully grok the whole of a computer security program.  Specifically today, I am speaking to the role of auditors and compliance in a security program.


I recently had the opportunity to explore the job market due to a lack of funding at my previous engagement (an expression that is often heard in security, as security personnel are most often viewed as overhead).  During this time, I had the opportunity to interview with a growing company, a startup that apparently was well funded, based on its recent expansion and growth.  The interview took an hour, but was actually over 15 minutes in, when one executive asked the perilous question:


“Which is more important, compliance or security?”


Given the context in which the question was asked, it sent chills through me and, mentally, sent me running.  It was very apparent from the question that the individual saw these as two distinct efforts, completely unrelated in their application.  Compliance, and any infosec audit function, should exist to aid the overall security effort, not to hinder it or to lead it.  When compliance becomes the lead or the priority, things go wrong: metrics over actual security is bad.  Very bad.  And that’s the feeling I had there.


On the other hand, when organizations truly understand the roles and responsibilities required for an effective security program, good things happen.  When security and compliance work closely together, great things can be accomplished.  Often it is a matter of working with the auditor so they understand your challenges; they can then raise those concerns to the levels of management that need to hear about actual risk and vulnerabilities.  NIST SP 800-12 talks about the security program as a whole, and the components that are often required to actually implement a continuous-improvement environment.  I am not advocating sharing it all with everybody, but rather understanding what is there in order to share the relevant parts with our peers and colleagues.   I believe we all agree that knowledge is power, and that security and all its complexities are often misunderstood throughout the enterprise.


Let’s change that.

tony d0t carothers --gmail
