ISO 27001

ISO 27001 Annex : A.14.1.3 Protecting Application Services Transactions

Control – Information involved in application service transactions should be protected to prevent incomplete transmission, misrouting, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.

Implementation Guidance – Information security considerations for application service transactions should include the following:

  1. The use of electronic signatures by each of the parties involved in the transaction;
  2. All aspects of the transaction, i.e. ensuring that:
  • the user’s secret authentication information of all parties is valid and verified;
  • the transaction remains confidential;
  • the privacy associated with all parties involved is retained;
  3. The communication path between all involved parties is encrypted;
  4. The protocols used to communicate between all involved parties are secured;
  5. Transaction details are stored outside of any publicly accessible environment, e.g. on a storage platform on the organization’s intranet, and are not retained or exposed on a storage medium directly accessible from the Internet;
  6. Where a trusted authority is used (e.g. for the purposes of issuing and maintaining digital signatures or digital certificates), security is integrated and embedded throughout the entire end-to-end certificate/signature management process.
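The objectives behind the guidance (a signature bound to the whole transaction, detection of alteration, rejection of duplicated or replayed messages) can be checked in code. The following is an added example, not part of the ISO text or of this page: it uses an HMAC over a canonical JSON encoding as a stand-in for the electronic signature (a shared-key MAC gives integrity and origin authentication between the two parties but not non-repudiation; a real deployment would use a digital signature under the certificate management described in item 6), and binds a nonce and a timestamp into the signed message so the verifier can reject replays and stale deliveries. The key, the account identifiers and the sample transaction are constructed for the example.

```python
import hashlib
import hmac
import json
import secrets
import time

# Hypothetical shared key between the two transaction parties (in practice: a
# per-party key, or a digital signature key pair managed by a trusted authority).
SHARED_KEY = b"constructed-demo-key-do-not-use"


def canonical(msg):
    """Canonical encoding: the same message always yields the same bytes, so the
    MAC covers every field (payload, timestamp, nonce) with no ambiguity."""
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()


def sign_transaction(key, payload, ts=None, nonce=None):
    """Originator side: bind a timestamp and a fresh nonce to the payload and MAC it."""
    msg = {
        "payload": payload,
        "ts": int(time.time()) if ts is None else ts,
        "nonce": secrets.token_hex(16) if nonce is None else nonce,
    }
    tag = hmac.new(key, canonical(msg), hashlib.sha256).hexdigest()
    return {"msg": msg, "tag": tag}


class TransactionVerifier:
    """Receiver side: checks integrity first, then freshness, then uniqueness."""

    def __init__(self, key, max_skew=300):
        self.key = key
        self.max_skew = max_skew      # seconds of clock drift / transit delay tolerated
        self.seen_nonces = set()      # must be bounded by max_skew in a real service

    def verify(self, envelope, now=None):
        now = int(time.time()) if now is None else now
        expected = hmac.new(self.key, canonical(envelope["msg"]), hashlib.sha256).hexdigest()
        # Constant-time comparison: a plain == would leak the tag byte by byte.
        if not hmac.compare_digest(expected, envelope["tag"]):
            return "reject: tag mismatch (message altered or forged)"
        msg = envelope["msg"]
        if abs(now - msg["ts"]) > self.max_skew:
            return "reject: stale timestamp (outside replay window)"
        if msg["nonce"] in self.seen_nonces:
            return "reject: replay (nonce already processed)"
        self.seen_nonces.add(msg["nonce"])
        return "accept"


def demo():
    """Walk through the four cases the control cares about; returns the verdicts."""
    verifier = TransactionVerifier(SHARED_KEY)
    payload = {"from": "ACC-1001", "to": "ACC-2002", "amount": 100}   # constructed
    env = sign_transaction(SHARED_KEY, payload, ts=1_700_000_000, nonce="n1")
    first = verifier.verify(env, now=1_700_000_010)              # genuine, fresh
    replay = verifier.verify(env, now=1_700_000_020)             # same message again
    tampered = {"msg": dict(env["msg"], payload=dict(payload, amount=10_000)), "tag": env["tag"]}
    altered = verifier.verify(tampered, now=1_700_000_020)       # amount changed in transit
    late = sign_transaction(SHARED_KEY, payload, ts=1_700_000_000, nonce="n2")
    stale = verifier.verify(late, now=1_700_000_000 + 3600)      # delivered an hour late
    return first, replay, altered, stale


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The order of the checks matters: the tag is verified before any field is trusted, so an attacker cannot use the timestamp or nonce checks as an oracle with a forged message. The set of seen nonces only needs to cover the replay window (`max_skew`), since anything older is already rejected as stale; a real service would expire entries accordingly.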

Other Information – The extent of the controls adopted should be commensurate with the level of risk associated with each form of application service transaction.
Transactions may need to comply with the laws, rules and regulations of the jurisdiction in which the transaction is generated, processed, completed or stored.


ISO 27001 Lead Auditor and ISO 27001 Lead Implementer are well-known certifications that mainly cover the information security clauses and their implementation, i.e. the controls an organization should implement to preserve the CIA triad (Confidentiality, Integrity, and Availability) and keep its critical, sensitive information secure. Infosavvy, an institute in Mumbai, conducts training and certification in multiple Information Security domains, including IRCA CQI ISO 27001:2013 Lead Auditor (LA) and ISO 27001 Lead Implementer (LI) (TÜV SÜD Certification). Infosavvy will help you understand and recognize the full scope of your organization’s security checks, protect your organization’s activities and information equipment (assets) from attacks, and illustrate the controls for protecting application service transactions. Our trainers have extensive expertise and experience in handling information security efficiently. Consequently, the applicant will gain the skills necessary for an ISMS audit by using commonly agreed audit concepts, procedures and techniques.

Read More : https://info-savvy.com/iso-27001-annex-a-14-1-3-protecting-application-services-transactions/


This Blog Article is posted by

Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092

Contact us – www.info-savvy.com


Types of Vulnerability Assessment

Given below are the different types of vulnerability assessments:

Active Assessment:-
Active assessments use network scanners to probe the network and identify the hosts, services, and vulnerabilities present on it. Because the scanner sends traffic to the targets, its probes are visible to them and to any IDS watching; active scanners can be configured to reduce the intrusiveness of the checks they perform, for example by skipping checks that may crash fragile services.

Passive Assessment:-
Passive assessments sniff the traffic present on the network to identify the active systems, network services, applications, and vulnerabilities, without sending any probes. They also provide a list of the users who are currently using the network. Because nothing is sent, only hosts and services that actually communicate during the capture window are observed.
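The difference between the two is easiest to see in code. The following is an added example, not code from the original page or from any scanner product: active_scan() connects to each port and reads the service banner (here against a constructed loopback listener started by start_banner_listener(), so it runs offline), while passive_inventory() builds the same kind of inventory (hosts, services with version strings, and logged-in users) purely from constructed flow records of the kind a sniffer would reassemble. The addresses, banners, flow records and function names are assumptions for the example.

```python
import socket
import threading


# ---------- Active assessment: send probes, read what the service answers ----------

def active_scan(host, ports, timeout=1.0):
    """TCP connect scan plus banner grab. Returns {open_port: banner_or_None}.
    Every probe is visible to the target and to any IDS watching it."""
    found = {}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.settimeout(timeout)
                try:
                    banner = s.recv(256).decode("ascii", "replace").strip() or None
                except socket.timeout:
                    banner = None          # open, but the service waits for the client to speak
                found[port] = banner
        except OSError:
            continue                       # refused / filtered / unreachable
    return found


def start_banner_listener(banner, host="127.0.0.1"):
    """Constructed stand-in for a real service: ephemeral loopback port, sends `banner`
    to the first client and exits. Returns the port number."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def free_closed_port(host="127.0.0.1"):
    """Reserve and release a loopback port so the scan also sees a closed one."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


# ---------- Passive assessment: inventory from observed traffic, no packets sent ----------

# Constructed flow records (src_ip, src_port, dst_ip, dst_port, payload) standing in
# for what a sniffer would reassemble; not a real capture.
SAMPLE_FLOWS = [
    ("10.0.0.5", 51234, "10.0.0.10", 22, b""),
    ("10.0.0.10", 22, "10.0.0.5", 51234, b"SSH-2.0-OpenSSH_7.4\r\n"),
    ("10.0.0.7", 40001, "10.0.0.20", 80, b"GET /login HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    ("10.0.0.20", 80, "10.0.0.7", 40001, b"HTTP/1.1 200 OK\r\nServer: intranet-httpd/1.2\r\n\r\n"),
    ("10.0.0.7", 40002, "10.0.0.30", 21, b"USER alice\r\n"),
    ("10.0.0.30", 21, "10.0.0.7", 40002, b"331 Please specify the password.\r\n"),
]


def passive_inventory(flows):
    """Derive hosts, services (with version strings where the protocol leaks them)
    and users from traffic alone. Only what actually talks during the capture shows up."""
    hosts, services, users = set(), {}, set()
    for src, sport, dst, dport, payload in flows:
        hosts.update((src, dst))
        if payload.startswith(b"SSH-"):                  # server banner -> src is the server
            services[(src, sport)] = payload.decode("ascii", "replace").strip()
        elif payload.startswith(b"HTTP/"):               # response status line -> src is the server
            headers = payload.decode("ascii", "replace").split("\r\n")
            server = next((h.split(":", 1)[1].strip() for h in headers
                           if h.lower().startswith("server:")), "http")
            services[(src, sport)] = server
        elif payload.startswith(b"USER "):               # cleartext FTP login -> user and server
            users.add(payload.split()[1].decode("ascii", "replace"))
            services.setdefault((dst, dport), "ftp (cleartext login)")
        elif payload[:4] in (b"GET ", b"POST"):          # request -> dst is an HTTP server
            services.setdefault((dst, dport), "http")
    return {"hosts": hosts, "services": services, "users": users}


if __name__ == "__main__":
    open_port = start_banner_listener(b"SSH-2.0-OpenSSH_7.4\r\n")
    print("active:", active_scan("127.0.0.1", [open_port, free_closed_port()]))
    print("passive:", passive_inventory(SAMPLE_FLOWS))
```

Note what each method can and cannot see: the active scan finds the open port whether or not anyone is using it, but it announces itself and learns nothing about users; the passive inventory learns the FTP user from a cleartext login but would never list a service that stayed silent during the capture.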

External Assessment:-
An external assessment evaluates the network from an attacker’s point of view to find out which exploits and vulnerabilities are reachable from the outside world. It examines the externally facing devices, such as firewalls, routers, and servers, estimates the threat of attacks originating outside the organization, and determines how secure the external network and firewall are.

The following are some of the possible steps in performing an external assessment:

  • Determine the set of rules for firewall and router configurations for the external network
  • Check whether external server devices and network devices are mapped
  • Identify open ports and related services on the external network
  • Examine patch levels on the server and external network devices
  • Review detection systems such as IDS, firewalls, and application-layer protection systems
  • Get information on DNS zones
  • Scan the external network through a variety of proprietary tools available on the Internet
  • Examine web applications such as e-commerce and shopping cart software for vulnerabilities

Internal Assessment:-

An internal assessment involves scrutinizing the internal network to find exploits and vulnerabilities.
The following are some of the possible steps in performing an internal assessment:

  • Specify the open ports and related services on network devices, servers, and systems
  • Check for router configurations and firewall rule sets
  • List the internal vulnerabilities of the operating system and server
  • Scan for Trojans that may be present in the internal environment
  • Check the patch levels on the organization’s internal network devices, servers, and systems
  • Check for the existence of malware, spyware, and virus activity and document them
  • Evaluate the physical security
  • Identify and review the remote management process and events
  • Assess the file-sharing mechanisms (for example, NFS and SMB/CIFS shares)
  • Examine the antivirus implementation and events

Host-based Assessment:-
Host-based assessments are a type of security check that involves carrying out a configuration-level check through the command line on the host itself. These assessments check the security of a particular host or server rather than of the network around it. Host-based scanners assess systems to identify vulnerabilities such as incorrect registry and file permissions, as well as software configuration errors, which a network scan cannot see. Host-based assessment can use many commercial and open-source scanning tools.
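A minimal host-based check of the kind the paragraph describes, as an added example that is not part of the original page and not taken from any scanner product: it audits file permissions (world-writable files and setuid/setgid binaries) and one software configuration file (sshd_config) for known-weak directives. It builds a constructed miniature filesystem under a temporary directory so it can run stand-alone; the paths, the sample configuration and the list of flagged directives are assumptions for the example, not a complete hardening baseline.

```python
import os
import stat
import tempfile

# sshd_config directives a host-based check flags, with the values that are insecure.
# Directive names are matched case-insensitively, as sshd itself does.
WEAK_SSHD_SETTINGS = {
    "permitrootlogin": {"yes"},
    "passwordauthentication": {"yes"},
    "permitemptypasswords": {"yes"},
    "protocol": {"1"},
}


def audit_sshd_config(path):
    """Return [(line_no, 'Directive value')] for every insecure directive found."""
    findings = []
    with open(path) as fh:
        for line_no, raw in enumerate(fh, 1):
            line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
            parts = line.split(None, 1)
            if len(parts) != 2:
                continue
            key, value = parts[0].lower(), parts[1].strip()
            if value.lower() in WEAK_SSHD_SETTINGS.get(key, ()):
                findings.append((line_no, f"{parts[0]} {value}"))
    return findings


def audit_permissions(root):
    """Walk `root`; return (world_writable, setuid_or_setgid) as sorted relative paths.
    Symlinks are skipped so a link into /tmp cannot hide or fake a finding."""
    world_writable, privileged = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            rel = os.path.relpath(path, root)
            if st.st_mode & stat.S_IWOTH:
                world_writable.append(rel)
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                privileged.append(rel)
    return sorted(world_writable), sorted(privileged)


def _write(path, text, mode):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)


def build_sample_host():
    """Constructed miniature filesystem so the audit runs stand-alone. Returns its root."""
    root = tempfile.mkdtemp(prefix="hostaudit-")
    _write(os.path.join(root, "etc/ssh/sshd_config"),
           "# constructed sample\nPort 22\nPermitRootLogin yes\n"
           "PasswordAuthentication no\nPermitEmptyPasswords yes\n", 0o644)
    _write(os.path.join(root, "opt/app/backup.sh"), "#!/bin/sh\n", 0o777)   # world-writable script
    _write(os.path.join(root, "opt/app/helper"), "", 0o4755)                # setuid binary
    _write(os.path.join(root, "opt/app/config.ini"), "", 0o640)             # fine
    return root


def run_audit(root):
    """Host-based assessment of one system tree; returns a dict a report can be built from."""
    world_writable, privileged = audit_permissions(root)
    return {
        "sshd": audit_sshd_config(os.path.join(root, "etc/ssh/sshd_config")),
        "world_writable": world_writable,
        "setuid_setgid": privileged,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(run_audit(build_sample_host()), indent=2))
```

Run against a real host, `run_audit("/")` with the sshd_config path adjusted is the shape of the check; a world-writable script that root later executes, or a stray setuid binary, is exactly the class of finding a network scanner has no way to report.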

Network Assessments:-
Network assessments identify vulnerabilities such as missing patches, unnecessary services, weak authentication, and weak encryption. Network assessment professionals use firewall and network scanners such as Nessus. These scanners find open ports, recognize the services running on those ports, and find vulnerabilities associated with those services. Such assessments help organizations determine how vulnerable their systems are to Internet and intranet attacks, and how an attacker could gain access to important information.

A typical network assessment conducts the following tests on a network:

  • Checks the network topologies for inappropriate firewall configuration 
  • Examines the router filtering rules   
  • Identifies inappropriately configured database servers
  • Tests individual services and protocols such as HTTP, SNMP, and FTP 
  • Reviews HTML source code for unnecessary information 
  • Performs bounds checking on variables
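As an added example for the "reviews HTML source code for unnecessary information" test (not code from the original page or from any product), the following walks one page's source with the standard-library HTML parser and flags the kinds of leak a reviewer looks for: version disclosure in generator tags and asset names, credentials or notes left in comments, hidden form fields that the client controls, and links to administrative or backup paths. The sample page, the product names in it and the heuristics are constructed for the example.

```python
import re
from html.parser import HTMLParser

# Constructed heuristics: what makes a comment or a link worth a second look.
CREDENTIAL_RE = re.compile(r"pass(word|wd)?\b|secret|api[_-]?key|token", re.I)
SENSITIVE_PATH_RE = re.compile(r"/admin|/backup|/debug|\.bak$|\.old$|/\.git", re.I)
VERSION_RE = re.compile(r"\d+\.\d+(?:\.\d+)?")


class SourceReviewer(HTMLParser):
    """Collects (category, detail) findings while the page is parsed."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_comment(self, data):
        text = " ".join(data.split())
        kind = "credential-comment" if CREDENTIAL_RE.search(text) else "comment"
        self.findings.append((kind, text))

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "generator":
            self.findings.append(("generator", a.get("content", "")))   # product/version disclosure
        elif tag in ("script", "link"):
            url = a.get("src") or a.get("href") or ""
            m = VERSION_RE.search(url)
            if m:
                self.findings.append(("versioned-asset", f"{url} -> {m.group()}"))
        elif tag == "input" and a.get("type", "").lower() == "hidden":
            # Hidden fields are client-controlled; values like a price or a debug
            # flag are classic parameter-tampering targets.
            self.findings.append(("hidden-input", f"{a.get('name')}={a.get('value')}"))
        elif tag == "a" and SENSITIVE_PATH_RE.search(a.get("href", "")):
            self.findings.append(("sensitive-link", a["href"]))


def review_html(source):
    """Run the reviewer over one page's source; returns the findings in document order."""
    reviewer = SourceReviewer()
    reviewer.feed(source)
    reviewer.close()
    return reviewer.findings


# Constructed page standing in for an e-commerce front end; not taken from any real site.
SAMPLE_PAGE = """<!DOCTYPE html>
<html><head>
<meta name="generator" content="ShopCart 2.1">
<script src="/static/cartlib-1.8.3.min.js"></script>
<!-- TODO remove before go-live: db user shop_rw / password Sh0pRW! -->
</head><body>
<form action="/checkout" method="post">
  <input type="hidden" name="price" value="19.99">
  <input type="hidden" name="debug" value="1">
  <input type="text" name="qty">
</form>
<a href="/admin/">admin</a>
<a href="/backup/db.sql.bak">old dump</a>
</body></html>
"""


if __name__ == "__main__":
    for category, detail in review_html(SAMPLE_PAGE):
        print(f"{category:20} {detail}")
```

Each finding is a lead, not a vulnerability by itself: a version string has to be matched against an advisory source, and a hidden price field has to be tested by actually submitting a modified value before it goes into the report.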

Application Assessments:-
An application assessment focuses on transactional web applications, traditional client-server applications, and hybrid systems. It analyzes all elements of an application infrastructure, including deployment and the communication between client and server. This type of assessment tests the web server infrastructure for misconfiguration, outdated content, and known vulnerabilities. Security professionals use both commercial and open-source tools to perform such assessments.

Wireless Network Assessments:-
Wireless network assessment determines the vulnerabilities in an organization’s wireless networks. In the past, wireless networks used weak and defective data encryption mechanisms. Wireless network standards have since evolved, but many networks still use weak and outdated security mechanisms and are open to attack. Wireless network assessments try to attack wireless authentication mechanisms and gain unauthorized access.
This type of assessment tests wireless networks and identifies rogue wireless networks that may exist within an organization’s perimeter. These assessments audit client-specified sites that have a wireless network. They sniff wireless network traffic and try to crack encryption keys. Once auditors gain access to the wireless network, they test what further network access it provides.
