ISO 27001

ISO 27001 Annex : A.15 Supplier Relationships

This article explains ISO 27001 Annex A.15, Supplier Relationships: information security in supplier relationships and the policies that govern it.

A.15.1  Information Security in Supplier Relationships

Its objective is to ensure the protection of the organization's assets that are accessible to suppliers.

A.15.1.1  Information Security Policy for Supplier Relationships

Control – Information security requirements for mitigating the risks associated with supplier access to the organization's assets should be agreed with the supplier and documented.

“The company becomes more safe and happy if it has better Stakeholders.”


Implementation Guidance – The organization should identify and mandate information security controls in a policy that specifically addresses supplier access to the organization's information. These controls should address the processes and procedures to be implemented by the organization, as well as those the organization requires the supplier to follow, including the following points:

  1. identifying and documenting the types of suppliers, e.g. IT services, logistics services, financial services, IT infrastructure components, that the organization allows to access its information;
  2. a standardized process and lifecycle for managing supplier relationships;
  3. defining the types of information access that different types of suppliers are allowed, and monitoring and controlling that access;
  4. minimum information protection requirements for each category of information and type of access, to serve as the basis for individual supplier agreements based on the organization's business needs, requirements and risk profile;
  5. processes and procedures for monitoring adherence to the established information security requirements for each type of supplier and type of access, including third-party review and product validation;
  6. controls to ensure the integrity and completeness of information and its transmission between the parties, to preserve the quality of information;
  7. the types of obligations applicable to suppliers to protect the organization's information;
  8. handling of incidents and contingencies associated with supplier access, including the responsibilities of both parties;
  9. resilience and, where necessary, recovery and contingency arrangements to ensure the availability of the information or information processing provided by either party;
  10. awareness training for the organization's personnel involved in acquisitions on the applicable policies, processes and procedures;
  11. awareness training for the organization's personnel interacting with supplier personnel on appropriate rules of engagement and behaviour, based on the type of supplier and the level of supplier access to the organization's systems and information;
  12. conditions under which information security requirements and controls are documented in an agreement signed by both parties;
  13. managing the necessary transitions of information, information processing facilities and anything else that needs to be moved, and ensuring that information security is maintained throughout the transition period.

Read More : https://info-savvy.com/iso-27001-annex-a-15-supplier-relationships/


This Blog Article is posted by

Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092

Contact us – www.info-savvy.com

Cyber-security

The fall of security questions or password reset question

This article looks at the decline of security questions, also called password reset questions. Security matters everywhere and in every field, and to maintain it we create passwords; but sometimes a password is forgotten, and for that case there should be a set of questions protecting the reset process. Only once the question has been answered correctly can that particular user create a new password.

We have reached a point at which organizations and individuals need their security questions to present more formidable hurdles for would-be attackers. The challenge for organizations is to avoid making the questions so difficult that users cannot remember their answers later.

To be useful, a better security question should:

  • Be fairly easy to remember, even years later.
  • Have thousands of possible answers, so it cannot easily be guessed.
  • Not be a subject frequently discussed on social media.
  • Have an answer that never changes.

There may be times when you forget your password. You can recover it by answering secret questions that you set up yourself. You can add up to three secret questions. One of these questions will be presented when you click Forgot Password? If you have forgotten the answer to a particular question, the system will ask another one of your secret questions. After you answer the secret question, you will receive an e-mail notification of your new password. It is recommended that you set up the secret questions so that you can reset your own password.

“Security Can Protect Your Business”

The following questions and answers explain what a security question is, why it is needed, and whether password reset questions are secure.

1. What is a security question and answer?

A security question is a form of shared secret used as an authenticator. It is commonly employed by banks, cable companies and wireless providers as an additional security layer. Financial institutions have used questions to authenticate customers since at least the early 20th century.

2. Why do we ask security questions?

Security questions can add an extra layer of certainty to your authentication process. They are an alternative way of identifying your customers when they have forgotten their password, entered the wrong credentials too many times, or tried to log in from an unfamiliar device or location.


3. What is the purpose of security?

The purpose of security is to keep you, your family and your property safe from burglaries, theft and other crimes. Private residential security guards ensure the safety of all the residents living in the community they serve.

4. Why is security so important?

Information security performs four important roles: it protects the organisation's ability to function, enables the safe operation of applications implemented on the organisation's IT systems, and protects the data the organisation collects and uses.

5. What is a password reset question?

Password recovery questions, more commonly called security questions (or secret questions and answers), are used to verify that you are the legitimate owner of an online account when you have forgotten your password or are otherwise trying to recover an online account.


The problem with all security questions, regardless of how difficult they are, is that they are intended to be simpler to use than passwords, because the question itself is meant to trigger your memory. To counter the simplistic nature of the security questions administrators often ask, end users might consider protecting themselves further by providing random answers that cannot be researched or guessed. In effect, we suggest that your answers be more random, so that they act more like a password.
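An added example (not from the original article) of how a reset-question store can follow the advice above: answers are normalized so they stay easy to remember, rejected when they are short or on a list of commonly guessed answers, stored only as salted scrypt hashes like passwords, compared in constant time, and failed attempts are counted and rotate to another of the user's questions as in the reset flow described earlier. The class, the guessable-answer list and the sample accounts are assumptions constructed for this demonstration.

```python
"""
Added example, not code from the original article: a password-reset
question store that treats answers the way the article recommends, i.e.
like passwords. All names, the guessable-answer list and the sample
accounts used in the usage section are constructed for this demonstration.
"""
import hashlib
import hmac
import os
import re
from typing import Optional

# Constructed list: answers far too common to count as "thousands of possible answers".
GUESSABLE_ANSWERS = {"pizza", "blue", "red", "none", "password", "123456",
                     "smith", "fluffy", "new york", "london"}
MIN_ANSWER_LENGTH = 4
MAX_FAILED_ATTEMPTS = 3


def normalize_answer(answer: str) -> str:
    """Casefold, collapse whitespace and trim, so formatting differences
    ("New York " vs "new york") do not lock the legitimate user out years later."""
    return re.sub(r"\s+", " ", answer.strip()).casefold()


def is_weak_answer(answer: str) -> bool:
    """Reject answers that are too short or on the guessable list."""
    norm = normalize_answer(answer)
    return len(norm) < MIN_ANSWER_LENGTH or norm in GUESSABLE_ANSWERS


def hash_answer(answer: str, salt: Optional[bytes] = None) -> tuple:
    """Hash the normalized answer with scrypt and a per-answer random salt,
    exactly as a password would be stored; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(normalize_answer(answer).encode(), salt=salt,
                            n=2**14, r=8, p=1, dklen=32)
    return salt, digest


class ResetQuestionStore:
    """Per-account secret questions (up to three) with a failed-attempt counter."""

    def __init__(self) -> None:
        self._accounts: dict = {}

    def enroll(self, user: str, qa_pairs: list) -> None:
        """Store between one and three (question, answer) pairs for a user."""
        if not 1 <= len(qa_pairs) <= 3:
            raise ValueError("between one and three secret questions are required")
        questions = []
        for question, answer in qa_pairs:
            if is_weak_answer(answer):
                raise ValueError(f"answer to {question!r} is too guessable")
            salt, digest = hash_answer(answer)
            questions.append({"q": question, "salt": salt, "hash": digest})
        self._accounts[user] = {"questions": questions, "next": 0, "failed": 0}

    def current_question(self, user: str) -> Optional[str]:
        """The question to present now, or None once the account is locked."""
        acct = self._accounts[user]
        if acct["failed"] >= MAX_FAILED_ATTEMPTS:
            return None  # locked: route the user to a stronger recovery channel
        return acct["questions"][acct["next"]]["q"]

    def verify(self, user: str, answer: str) -> bool:
        """Check an answer to the current question in constant time."""
        acct = self._accounts[user]
        if acct["failed"] >= MAX_FAILED_ATTEMPTS:
            return False
        entry = acct["questions"][acct["next"]]
        _, digest = hash_answer(answer, entry["salt"])
        if hmac.compare_digest(digest, entry["hash"]):
            acct["failed"] = 0
            return True
        # Wrong answer: count it and present another of the user's questions.
        acct["failed"] += 1
        acct["next"] = (acct["next"] + 1) % len(acct["questions"])
        return False


if __name__ == "__main__":
    store = ResetQuestionStore()
    store.enroll("alice", [("First concert attended?", "Tall Trees Festival 1998")])
    print(store.verify("alice", "  tall trees   festival 1998 "))  # True
```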

Read More : https://info-savvy.com/the-fall-of-security-questions-or-password-reset-question/



ISO 27001

ISO 27001 Annex : A.14.1.3 Protecting Application Services Transactions

Control – To prevent incomplete transmission, misrouting, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay, information involved in application service transactions should be protected.

Implementation Guidance – Information security considerations for application service transactions should include the following:

  1. the use of electronic signatures by each of the parties involved in the transaction;
  2. all aspects of the transaction, i.e. ensuring that:
  • the user's secret authentication information of all parties is valid and verified;
  • the transaction remains confidential;
  • privacy is maintained for all parties involved;
  3. the communication path between all involved parties is encrypted;
  4. the protocols used to communicate between all involved parties are secured;
  5. transaction details are stored outside any publicly accessible environment, e.g. on a storage platform on the organization's intranet, and are not retained and exposed on a storage medium directly accessible from the Internet;
  6. where a trusted authority is used (e.g. for issuing and maintaining digital signatures or digital certificates), security is integrated and embedded throughout the entire end-to-end certificate/signature management process.

Other Information – The extent of the controls adopted should be commensurate with the level of risk associated with each form of application service transaction.
Transactions may need to comply with the laws and regulations of the jurisdiction in which the transaction is generated, processed, completed or stored.
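An added example (not from ISO 27001 or the original article) showing how a receiver can detect the failure modes the control names: an HMAC-SHA256 envelope over the canonical transaction fields catches unauthorized alteration, a signed recipient field catches misrouting, a nonce cache plus timestamp window catches duplication and replay, and a field check catches incomplete transmission. The shared key, party names and sample transaction are constructed for this demonstration; electronic signatures and an encrypted channel would accompany this in practice.

```python
"""
Added example, not code from ISO 27001 or the original article: one way to
implement the A.14.1.3 considerations for a single transaction exchange.
The key, parties and sample transaction are constructed for this demo.
"""
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

MAX_CLOCK_SKEW_S = 120  # messages outside this window are rejected (replay window)


def canonical(payload: dict) -> bytes:
    """Deterministic serialization so both parties MAC identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_transaction(key: bytes, sender: str, recipient: str, body: dict,
                     now: Optional[float] = None) -> dict:
    """Wrap a transaction body in an authenticated envelope (sender side)."""
    envelope = {
        "from": sender,
        "to": recipient,                  # signed, so misrouting is detectable
        "nonce": secrets.token_hex(16),   # unique per message: duplication/replay
        "ts": int(now if now is not None else time.time()),
        "body": body,
    }
    envelope["mac"] = hmac.new(key, canonical(envelope), hashlib.sha256).hexdigest()
    return envelope


class TransactionReceiver:
    """Verifies envelopes addressed to one party and remembers seen nonces."""

    def __init__(self, key: bytes, me: str) -> None:
        self._key = key
        self._me = me
        self._seen: dict = {}  # nonce -> timestamp of the accepted message

    def _evict_expired(self, now: int) -> None:
        """Nonces older than the replay window would fail the timestamp
        check anyway, so the cache only needs to hold recent ones."""
        self._seen = {n: t for n, t in self._seen.items()
                      if now - t <= MAX_CLOCK_SKEW_S}

    def verify(self, envelope: dict, now: Optional[float] = None) -> tuple:
        """Return (accepted, reason); reasons name the A.14.1.3 failure modes."""
        now = int(now if now is not None else time.time())
        self._evict_expired(now)
        required = {"from", "to", "nonce", "ts", "body", "mac"}
        if set(envelope) != required:
            return False, "incomplete or malformed transmission"
        unsigned = {k: v for k, v in envelope.items() if k != "mac"}
        expected = hmac.new(self._key, canonical(unsigned), hashlib.sha256).hexdigest()
        # Authenticate first, so every later check operates on trusted fields.
        if not hmac.compare_digest(expected, envelope["mac"]):
            return False, "unauthorized message alteration"
        if envelope["to"] != self._me:
            return False, "misrouted: not addressed to this party"
        if abs(now - envelope["ts"]) > MAX_CLOCK_SKEW_S:
            return False, "stale or future-dated transaction"
        if envelope["nonce"] in self._seen:
            return False, "duplicate or replayed transaction"
        self._seen[envelope["nonce"]] = envelope["ts"]
        return True, "accepted"


if __name__ == "__main__":
    KEY = b"constructed-shared-key-for-demo"
    rx = TransactionReceiver(KEY, "merchant")
    env = sign_transaction(KEY, "customer", "merchant", {"amount": "125.00"})
    print(rx.verify(env))   # (True, 'accepted')
    print(rx.verify(env))   # (False, 'duplicate or replayed transaction')
```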


The well-known ISO 27001 Lead Auditor and ISO 27001 Lead Implementer certificates mainly cover the information security clauses and their implementation, i.e. the controls an organization should implement to preserve the CIA triad (Confidentiality, Integrity and Availability) and keep its critical, sensitive information secure. Infosavvy, an institute in Mumbai, conducts training and certification in multiple information security domains, including IRCA CQI ISO 27001:2013 Lead Auditor (LA) and ISO 27001 Lead Implementer (LI) (TÜV SÜD Certification). Infosavvy will help you understand and recognize the full scope of your organization's security checks, so as to protect your organization's activities and information equipment (assets) from attacks, and will also illustrate the controls for protecting application service transactions. We have trainers with extensive expertise and experience to ensure the efficient handling of information security. Consequently, the applicant will gain the necessary skills for an ISMS audit by using commonly agreed audit concepts, procedures and techniques.

Read More : https://info-savvy.com/iso-27001-annex-a-14-1-3-protecting-application-services-transactions/



CEH

8 Most Common Types of Hacker Motivations

Hacker Motivations

"Hacker" is a loose term with many different meanings. Usually it refers to somebody who breaks into computer networks, either for the enjoyment derived from the challenge of doing so or with another intention, such as stealing information for money or for political motives. Hackers are classified into different kinds; a number of them are listed below. The activity can be ethical or unethical. Breaking into a system without violating its security or misusing its credentials is called ethical hacking. Ethical hackers aim to bring vulnerabilities and gaps in the system to the administrator's notice, thereby improving its robustness and security. They are tech enthusiasts with strong programming skills and hands-on knowledge of both computer hardware and software. On the other hand, there are people who break into systems and gain access to secured accounts without authorization, creating a backdoor entry into the system. These people are known as 'crackers'. They try to crack passwords, security codes and the like using hacking software that is already available; such software is designed to break the code using large numbers of trials programmed into it by other hackers. According to their activities, hackers usually fall into one of the following categories:


Black Hats:

Black hats are individuals who use their extraordinary computing skills for illegal or malicious purposes. This class of hacker is usually involved in criminal activities; they are also referred to as crackers. Black hat hackers gain unauthorized access to your system and destroy your important information. Their method of attack is to apply common hacking practices they have learned earlier. They are considered criminals and can easily be identified by their malicious actions.

White Hats:

White hats, or penetration testers, are individuals who use their hacking skills for defensive purposes. These days, nearly every organization has security analysts who are knowledgeable about hacking countermeasures and can secure its network and information systems against malicious attacks. They have permission from the system owner. White hat hackers are authorized, certified hackers who work for governments and organizations, performing penetration testing and identifying loopholes in their cyber security. They also ensure protection from malicious cyber crime. Because they work within the rules and regulations laid down by the government, they are known as ethical hackers or cyber security specialists.

Gray Hats:

Gray hats are individuals who work both offensively and defensively at various times. They fall between white and black hats. Gray hats may help hackers find vulnerabilities in a system or network and, at the same time, help vendors improve their products by checking limitations and making them more secure. They are not legally authorized hackers; they work with both good and bad intentions and may use their skills for private gain. It all depends on the hacker: if a gray hat hacker uses his or her ability for personal gain, he or she is considered a black hat hacker.

Suicide Hackers:

Suicide hackers are people who aim to bring down critical infrastructure for a "cause" and are not worried about facing jail terms or any other kind of penalty. They are similar to suicide bombers, who sacrifice their lives for an attack and are therefore not concerned with the consequences of their actions.

Script Kiddies:

Script kiddies are unskilled hackers who compromise systems by running scripts, tools and software developed by real hackers. They usually focus on the quantity of attacks rather than the quality of the attacks they initiate. A script kiddie is essentially an amateur who lacks the knowledge to program tools to break into computer networks, and usually uses hacking tools downloaded from the Internet that were written by other hackers or security specialists.


Cyber Terrorists:

Cyber terrorists are individuals with a wide range of skills, motivated by religious or political views, who aim to create fear through the large-scale disruption of computer networks. Usually driven by these views, they attempt to create fear and chaos by disrupting critical infrastructures. Cyber terrorists are by far the most dangerous, with a wide range of skills and goals; their ultimate motivation is to spread fear and terror and to commit murder.

Read More : https://www.info-savvy.com/8-most-common-types-of-hackers-motivations/


Information security

Top 9 Challenges IT Leaders Will Face In 2020 Now

With 2020 underway, digital transformation remains a major focus for business leaders, but what about the processes being used to hit those targets? According to Stephanie Overby at The Enterprise Project, DX preparation is ongoing, but full culture change is on the horizon for 2020.

The gig economy

It is no secret that both the gig economy and telecommuting are exploding. With them comes the difficulty of data and IP security. While the benefits of distributed teams include flexibility and quick pivoting, the aforementioned Gartner report warns that "A growing remote workforce, in both a work-from-home and co-work-space model will unintentionally expose the organization to vulnerabilities in data privacy and therefore the security of tip." Another gig economy concern? Finding the right talent.

Data privacy

The specific requirements of the GDPR and the California Consumer Privacy Act (CCPA) need to be addressed by various segments within organizations, at the risk of stiff penalties. Innovative vendors will continue working on unique solutions and features to meet these needs. If you want to know more, join our GDPR & PDP Training.

Security

According to Jake Olcott, vice chairman of security ratings for BitSight, "Zero-day vulnerabilities receive the most attention from the media, but in 2020, hackers won't bother with these highly publicized attacks." Instead, simple strategies will be at work, such as gaining access to a network through a vendor. Another concern is the rise in ransomware, with some experts suggesting organizations will need to create an entirely new role dedicated to combating this cyber security threat.

Skills gap

According to John Ferron, CEO at Resolve Systems, the skills gap in IT will cause organizations to look to automation for solutions. "As we look to 2020, IT teams should expect to see an increasing focus on intelligent automation and AIOps to help them truly do more with less by automating repetitive tasks and processes and enabling IT leaders to manage increasingly more infrastructure on a per-person basis."

Culture Change

More important than a reliance on technology when it comes to digital transformation? A change of mindset within the organization. "In the coming year, business leaders will need to understand that digital transformation doesn't end but instead becomes a part of how business leaders solve challenges," says Geoff Webb, vice chairman of strategy at software company PROS.

New security threats

Headline-grabbing recent events may spark surprising new security threats, says Rick Grinnell, founder and managing partner of Glasswing Ventures.
"The government shutdown helped contribute to a great cyber threat to the U.S. government, critical infrastructure and other public and private organizations," Grinnell says. "With the shutdown, many of the security professionals watching for threats at a national level weren't on duty, creating a much bigger hole for attackers. Time will tell if a month of lowered defenses will have deeper repercussions in 2019 and beyond."

Multi-cloud security

When exploring new cloud-based services, CIOs now need to ask about security across multiple platforms, says Laurent Gil, security product strategy architect at Oracle Cloud Infrastructure.
"Traditionally, multi-cloud leads the enterprise to manage many different, often incompatible and inconsistent security systems," Gil says. "We think that selecting cross-cloud, cloud-agnostic security platforms is now fundamental in ensuring consistency, and most importantly completeness, of securing enterprise-wide assets no matter where these assets live."

Innovation and digital transformation

According to Gartner data, about two-thirds of business leaders think their companies need to speed up their digital transformation or face losing ground to competitors.
Most companies will continue on the same path until they are forced to do otherwise, says Merrick Olives, managing partner at cloud consulting company Candid Partners.
"Tying IT spend to strategic business capabilities and answering the question 'How will this make us more competitive?' is important," Olives says. "Value stream-based funding models as opposed to project-based funding are getting more and more effective at tying board-level objectives to budgetary influences. The cost structures and process efficiencies of legacy vs. a nimble digital capability are much different — nimble is less expensive and far more efficient."

Finding new revenue streams

Ian Murray, vice chairman of telecom expense management software firm Tangoe, says that while the business landscape is ever evolving, the basic premise of making a profit is the same.
"The process of finding and exploiting revenue opportunities hasn't fundamentally changed: find a problem that we can solve that's common, prevalent and which people will pay to solve," Murray says.
What has changed is the emphasis on direct revenue generation landing in the CIO's lap, says Mike Fuhrman, chief product officer of hybrid IT infrastructure provider Peak 10 + ViaWest.
"Maybe I'm old school, but I don't think the CIO should be worried about directly generating revenue," Fuhrman says. "I'm beginning to see this pop up more and more among my peers. To remain relevant as a CIO, many are working to try and productize themselves."

Read More : https://www.info-savvy.com/understand-the-background-of-top-9-challenges-it-leaders-will-face-in-2020-now/


Uncategorized

What is Information Warfare, and what are its categories?

The term information warfare, or InfoWar, refers to the use of information and communication technologies (ICT) to gain competitive advantage over an opponent. Examples of information warfare weapons include viruses, worms, Trojan horses, logic bombs, trap doors, nanomachines and microbes, electronic jamming, and penetration exploits and tools.
The use of information in warfare to achieve operational objectives has always been an integral arm of military warfare, whether in the form of covert intelligence or open domestic information.

However, with the increase in the speed and reach of information, any conflict of interest is instantly thrust into the consciousness of the international community and subjected to scrutiny, debate and opinion that shapes the portrayal of the parties involved in the conflict. Moreover, historically weaker adversaries can leverage low-cost and readily available information technology, such as social media platforms and video hosting websites, to wield disproportionate influence over domestic and international audiences, systematically undermining the legitimacy and morality of the military and also mobilizing local populations to rise up against the attacking military. Hence, carefully crafted, multifaceted information operations, as a vital part of an overall military strategy, will become an increasingly important operational and strategic imperative for winning the battle of perceptions, securing the operational battle-space and achieving strategic ends in current conflicts.
Abstract
What makes warfare in the modern era a departure from the past is that information as warfare has become as important as information in warfare. Information is no longer simply a means to boost the effectiveness of lethal technologies; it also opens the possibility of non-lethal attacks that can incapacitate, defeat, deter or coerce an adversary. The information age has also expanded the domains of warfare (on the battlefield, in the marketplace and against the infrastructure of modern society) and its purveyors (individuals and private groups in addition to national militaries). Yet despite these differences, the logic of warfare remains the same: sequencing and coordinating attacks to achieve lower-order technical or 'cyber' goals that are part of a broader campaign to achieve higher-order political, material and/or symbolic goals. Moreover, despite the leveling effect of information technology, states and state-sponsored groups will retain certain advantages in waging warfare, because a capability for sustained attack still requires a level of organization, intelligence about the target and resources unlikely to be possessed by the lone individual.

Martin Libicki has divided information warfare into the following categories:
  • Command and control warfare (C2 warfare): In the computer security industry, C2 warfare refers to the influence an attacker holds over a compromised system or network that they control.
  • Intelligence-based warfare: Intelligence-based warfare is a sensor-based technology that directly corrupts technological systems. According to Libicki, "intelligence-based warfare" is warfare that consists of the design, protection and denial of systems that seek sufficient knowledge to dominate the battle space.
  • Electronic warfare: According to Libicki, electronic warfare uses radio-electronic and cryptographic techniques to degrade communication. Radio-electronic techniques attack the physical means of sending information, whereas cryptographic techniques use bits and bytes to disrupt the means of sending information.
  • Psychological warfare: Psychological warfare is the use of various techniques, such as propaganda and terror, to demoralize one's adversary in an attempt to succeed in battle.
  • Hacker warfare: According to Libicki, the purpose of this type of warfare can vary from the shutdown of systems, data errors, theft of information and theft of services to system monitoring, false messaging and access to data. Hackers generally use viruses, logic bombs, Trojan horses and sniffers to perform these attacks.
  • Economic warfare: According to Libicki, economic information warfare can affect the economy of a business or nation by blocking the flow of information. This could be especially devastating to organizations that do a lot of business in the digital world.
  • Cyber warfare: Libicki defines cyber warfare as the use of information systems against the virtual personas of individuals or groups. It is the broadest of all forms of information warfare and includes information terrorism, semantic attacks (similar to hacker warfare, but instead of harming a system, the attacker takes the system over so that it appears to operate correctly) and simula-warfare (simulated war, for example acquiring weapons for mere demonstration rather than actual use).
Each form of information warfare mentioned above has both defensive and offensive strategies.
  • Defensive information warfare: involves all strategies and actions to defend against attacks on ICT assets.
  • Offensive information warfare: involves attacks against the ICT assets of an opponent.