Sunday, December 4, 2011

Club Penguin data loss

Club Penguin is an online gaming site that offers a virtual gaming world for kids. It also gives players a form of social networking, which made it very popular among kids.

DataLossDB recently published a data loss involving this gaming site, in which 309 usernames, e-mail addresses, passwords and IP addresses were dumped on the Pastebin site by the hacker(s).

The links to DataLossDB and the Pastebin post are below. If your kids have accounts on Club Penguin, I highly recommend changing the passwords immediately.

Saturday, December 3, 2011

InfoSec - Weekly Roundup

  • Mandiant released a new version of their popular memory analysis tool, Redline. Redline accelerates the process of triaging hosts suspected of being compromised or infected while supporting in-depth live memory analysis. Read the related blog post below.

  • The NSRL database is being updated. "The National Software Reference Library (NSRL) is designed to collect software from various sources and incorporate file profiles computed from this software into a Reference Data Set (RDS) of information. The RDS can be used by law enforcement, government, and industry organizations to review files on a computer by matching file profiles in the RDS. This will help alleviate much of the effort involved in determining which files are important as evidence on computers or file systems that have been seized as part of criminal investigations." The link for the NSRL database is below.

  • The FTC recently reported that Facebook has agreed to settle charges that it deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public. The proposed settlement requires Facebook to take several steps to make sure it lives up to its promises in the future, including giving consumers clear and prominent notice and obtaining consumers' express consent before their information is shared beyond the privacy settings they have established. See the FTC link below for more information.

  • The big risk item people are talking about is the Carrier IQ key-logging software installed on many phones, which allows the carriers to gather many details of your browsing habits. More information is available at the links below.

Sunday, October 30, 2011

Impact of malware - Scientific American magazine article

Scientific American magazine published an article on the impact of malware and what we can do about it.

Here are some of the comments from the article.

"We don’t actually know how to scan for malware. We can’t stop it, because we can’t find it. We can’t always recognize it even if we are looking right at it."
"Like a thriller character who discovers he doesn’t know whom to trust, cybersecurity experts start running through the options."

This is a very interesting article and, if nothing else, it helps spread awareness. I have reported in this blog multiple times on how the mainstream media is covering the new kinds of attacks and privacy issues. Now other types of media have started covering these issues as well. The more aware general Internet users are of these issues, the better prepared they will be.

The article link is below:

Wednesday, October 26, 2011

Vulnerable web applications

One of the readers asked about vulnerable web applications preconfigured for research and testing purposes. Here is the list I have used in the past:

Saturday, October 8, 2011

Consumer reports - Companies to spend $130 billion on cybersecurity in 2011

A recent news item in Consumer Reports caught my eye.

"U.S. companies will spend more than $130 billion dealing with data breaches this year, according to a study by the cybersecurity research firm the Ponemon Institute."

Over the last few years, there has been a steady increase in cyber attacks and breaches. Organizations have started to admit the fact that they are being attacked on a regular basis. Newspapers carry regular news items that show how vulnerable organizations and individuals are to such attacks.

So, apart from the people who did the bad thing, who else benefits from this?

Obviously, it benefits the whole group of people who help these companies and individuals with the clean-up work: people specializing in corporate communications, people providing legal advice, people conducting forensic investigations, people fighting these cases in court, and people making sure that such incidents don't happen again.

Now, for folks looking for jobs or looking to enter these fields, it is a great opportunity to master these skills.

Some of the hot skills that companies in the US and other parts of the world are looking for are:

  • E-Discovery
  • Forensic investigation
  • Incident Response
  • Malware Analysis
  • Incident Monitoring
  • Security Operations

Monday, September 26, 2011

Risk Management - two new standards

ISO 27005:2011

The newly released international information security risk management standard is now available for everyone.

ISO 27005:2011 supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach. The standard is now fully aligned with the international standard for risk management, ISO 31000. ISO 31000 provides generic guidelines for the design, implementation and maintenance of risk management processes throughout an organization, generally known as enterprise risk management.

ISO 27005:2011 (ISRM) can be downloaded from the IT Governance web site.

NIST Special Publication 800-30

NIST released a draft guide for conducting risk assessments.

"The purpose of Special Publication 800-30 is to provide guidance for conducting risk assessments of federal information systems and organizations. Risk assessments, carried out at all three tiers in the risk management hierarchy, are part of an overall risk management process—providing senior leaders/executives with the information needed to determine appropriate courses of action to take in response to identified risks. In particular, this document provides practitioners with practical guidance for carrying out each of the three steps in the risk assessment process (i.e., prepare for the assessment, conduct the assessment, and maintain the assessment) and how risk assessments and other organizational risk management processes complement and inform each other."

This standard is in the public comment stage, and all are welcome to comment on it.

The standard can be downloaded from the below NIST web site.


Thursday, September 1, 2011

New PCI Document - Identifying and Detecting Security Breaches

The PCI Council has published a new document titled "Identifying and Detecting Security Breaches". The topics include:

  • Common Vulnerabilities and Malware
  • Signs of an Incident
  • How to Detect a Security Incident
  • Implementing and Reviewing Logs
  • Logs and PCI DSS Compliance
  • Basics of Incident Management
  • Top Challenges
  • Visa’s “What To Do If Compromised” Procedures

The document link is below:

Tuesday, August 30, 2011

Google Code University - Learn Application Security fundamentals

Google Code University publishes many online materials where you can learn about programming and application security. You can find topics in the areas of programming languages, web programming, web security, databases, Linux, etc.

They have also released many tools in this area, the latest being a deliberately vulnerable web application named Gruyere. This is similar to OWASP WebGoat or Mutillidae.

The tool shows how web application vulnerabilities can be exploited and how to defend against these attacks. Some of the vulnerabilities that you will be exposed to include Cross-site scripting (XSS), Cross-Site Request Forgery (XSRF), Cookie Manipulation, Cross Site Script Inclusion (XSSI), Path Traversal, Denial of Service, Configuration Vulnerabilities, and specific vulnerabilities affecting AJAX.

It is a great tool to learn application security.


Google Code University :

Monday, August 29, 2011

A Guide to Facebook Security

Last week Facebook released a document titled "A Guide to Facebook Security".

It is a must-read for every Facebook user. It lists some essential tools that help protect your account against various threats.

Some of the items detailed in the document include:

  • How to protect your account
  • How to avoid the scammers
  • How to enable advanced security settings
  • How to recover a hacked account
  • How to stop imposters

Here are the top tips to protect your accounts.

  • Only Friend people you know.
  • Create a good password and use it only for Facebook.
  • Don’t share your password.
  • Change your password on a regular basis.
  • Share your personal information only with people and companies that need it.
  • Log into Facebook only ONCE each session. If it looks like Facebook is asking you to log in a second time, skip the links and directly type into your browser address bar.
  • Use a one-time password when using someone else’s computer.
  • Log out of Facebook after using someone else’s computer.
  • Use secure browsing whenever possible.
  • Only download Apps from sites you trust.
  • Keep your anti-virus software updated.
  • Keep your browser and other applications up to date.
  • Don’t paste script (code) in your browser address bar.
  • Use browser add-ons like Web of Trust and Firefox’s NoScript to keep your account from being hijacked.
  • Beware of “goofy” posts from anyone—even Friends. If it looks like something your Friend wouldn’t post, don’t click on it.
  • Scammers might hack your Friends’ accounts and send links from their accounts. Beware of enticing links coming from your Friends.

The document link is below:

Saturday, June 18, 2011

PCI - Information supplement on virtualization

The PCI Council has released a new information supplement on virtualization. This is the definitive guide for organizations looking to implement virtualization in their cardholder data environment. Some of the highlights from the document:

There are four simple principles associated with the use of virtualization in cardholder data environments:

a. If virtualization technologies are used in a cardholder data environment, PCI DSS requirements apply to those virtualization technologies.
b. Virtualization technology introduces new risks that may not be relevant to other technologies, and that must be assessed when adopting virtualization in cardholder data environments.
c. Implementations of virtual technologies can vary greatly, and entities will need to perform a thorough discovery to identify and document the unique characteristics of their particular virtualized implementation, including all interactions with payment transaction processes and payment card data.
d. There is no one-size-fits-all method or solution to configure virtualized environments to meet PCI DSS requirements. Specific controls and procedures will vary for each environment, according to how virtualization is used and implemented.

The document lists the general recommendations as follows:

General Recommendations

  • Evaluate risks associated with virtual technologies
  • Understand impact of virtualization to scope of the CDE
  • Restrict physical access
  • Implement defense in depth
  • Isolate security functions
  • Enforce least privilege and separation of duties
  • Evaluate hypervisor technologies
  • Harden the hypervisor
  • Harden virtual machines and other components
  • Define appropriate use of management tools
  • Recognize the dynamic nature of VMs
  • Evaluate virtualized network security features
  • Clearly define all hosted virtual services
  • Understand the technology

The document can be downloaded from here.

Another wave of attacks and breaches

Back in April, I wrote about a wave of attacks and breaches (you can read it here). This month we are seeing a whole new wave of attacks and breaches, some of which include Citigroup, Sony, IMF, Lockheed Martin, etc.

2011 has definitely brought many high-profile breaches. One interesting development is that these breaches benefit not only the adversaries but also the people involved in the investigations. The WSJ reports that an “industry of experts”, from lawyers to forensic investigators, has emerged to help companies deal with the painful job of informing customers that their data has been hacked.

We have also started to see the re-emergence of so-called hacking groups. Some of the new groups, such as Anonymous and LulzSec, are reported to be active participants. This is definitely a concern for information security practitioners, as we suddenly have a much stronger and more determined opponent to deal with.

US lawmakers are getting busy as well. Congresswoman Mary Bono Mack, Chairman of the House Subcommittee on Commerce, Manufacturing and Trade, early this week released a discussion draft of the Secure and Fortify Data Act (SAFE Data Act), which establishes uniform national standards for data security and data breach notification. A key feature of the SAFE Data Act is that it requires notification to the FTC and consumers within 48 hours of the time that a breach has been secured and the scope of the breach assessed. The FTC would also be given the authority to levy civil penalties if companies or entities fail to respond in a timely and responsible manner.

So, what can we as corporate information security professionals do? As I have mentioned in this blog many times, there is nothing new to be done here; follow the simple steps and go back to the basics: identify what your sensitive data is and where it lives, apply minimum controls to thwart simple attacks, monitor the sensitive information at both the asset level and the network level, and finally keep up with new threats and learn how to defend against them.

The sophistication of threats is only going to increase, the number of adversaries looking to steal sensitive information is only going to increase, and the market for such information is only going to grow. Better preparation, and building the capabilities to defend against and recover from these attacks, should be the primary concern of information security departments. Many organizations concentrate on a compliance and checklist-centric methodology, which will only lead to more such attacks and breaches. The time has come for organizations to develop capabilities and talent in-house.

State and local governments also have a bigger role to play. Organizations need help from government agencies in the form of intelligence and investigations and, more importantly, in working with foreign governments to identify and contain the threats and threat agents. Announcements such as this one from the NSA are promising, and they should start developing tools and processes to share intelligence with the private sector as well.

Sunday, May 29, 2011

lsof command for incident responders

As an incident responder, if you had to choose a single command to run on *nix systems, which one would you choose? My pick would be the "lsof" (list open files) command.

Here are some of the useful options of this command.

lsof /var/log/messages - shows the process, its PID, and the user that opened this file and currently holds it open

lsof -c syslogd - shows all files open by processes whose command name begins with syslogd, with path, size, and inode

lsof -u root - shows all files held by processes running as root

lsof -an -i - shows all network connections with the owning process, PID, and user (-n skips DNS lookups, so it runs fast and makes no network noise; -a ANDs the selection options together)

lsof -an -i -r 2 - the same in repeat mode, re-running every 2 seconds (the number after -r is the interval in seconds)

lsof -an -i @<ip-address> - shows all connections to or from a single IP address (the address follows the @)

lsof -i -a -u root - shows all network connections belonging to a particular user

lsof -i :6106 - shows which process is listening on a given port and who is connected to it

lsof -i -U - lists all Internet and UNIX domain sockets along with the processes that hold them
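As an added example (not code from the original post), here is a small POSIX shell helper that parses `lsof -nP -i` output, reports listening ports that are not on an allowlist, and then shows where the owning process is connected; the lsof output embedded in it is a constructed sample, and the allowlist ports (22 and 80) are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: triage helpers that read
# the output of `lsof -nP -i` (-n: no DNS lookups, -P: numeric ports, -i:
# Internet sockets only), pick out listening ports that are not on an
# allowlist, and show where a suspicious process is connected.

# Constructed sample of `lsof -nP -i` output for a Linux host. Commands,
# PIDs, addresses and ports are made up for illustration; the column layout
# matches lsof's: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME [STATE].
SAMPLE_LSOF='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      812 root    3u  IPv4  18123      0t0  TCP *:22 (LISTEN)
syslogd   455 root    4u  IPv4  18130      0t0  UDP *:514
httpd    1200 apache  5u  IPv4  18201      0t0  TCP *:80 (LISTEN)
nc       3100 www     3u  IPv4  18390      0t0  TCP *:6106 (LISTEN)
nc       3100 www     4u  IPv4  18391      0t0  TCP 10.0.0.5:6106->198.51.100.7:44123 (ESTABLISHED)'

# listeners: read lsof output on stdin and print "PORT COMMAND PID USER"
# for every TCP socket in LISTEN state, sorted numerically by port.
listeners() {
  awk '
    $NF == "(LISTEN)" {
      # NAME is the field before the state, e.g. "*:22" or "10.0.0.5:6106";
      # the port is whatever follows the last colon.
      name = $(NF - 1)
      sub(/.*:/, "", name)
      print name, $1, $2, $3
    }' | sort -n
}

# unexpected_listeners "22 80": same as listeners, minus the ports on the
# space-separated allowlist, so only the surprises remain.
unexpected_listeners() {
  listeners | awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    !($1 in ok)'
}

# connections_for_pid PID: print the local->remote endpoint of every
# ESTABLISHED TCP connection held by PID; the natural follow-up once a
# listener looks out of place (on a live host: lsof -nP -i -a -p PID).
connections_for_pid() {
  awk -v pid="$1" '$2 == pid && $NF == "(ESTABLISHED)" { print $(NF - 1) }'
}

# Stand-alone run over the constructed sample. On a live host, replace the
# printf with the real command:  lsof -nP -i | unexpected_listeners "22 80"
printf '%s\n' "$SAMPLE_LSOF" | unexpected_listeners "22 80"
```

Run the live form from a cron job or during triage and anything it prints is a listener nobody put on the allowlist; `connections_for_pid` then tells you whom it is talking to.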

Sunday, May 15, 2011

Cyber criminals target mobile platforms

According to the new Cisco report, cyber criminals are shifting their focus away from Windows-based PCs to smart phones, tablets, and other mobile platforms. Apple's platforms are also gaining popularity with the criminals. Cisco attributes this shift to the fact that "PC vendors are building better security into their products, and they are moving faster than ever to provide updates, alert users to potential flaws, and make patches available to users. This means it is becoming increasingly time-consuming and resource-intensive to find ways to exploit platforms that once were so lucrative, in particular the Microsoft Windows platform."

The complete report is available here.

As more and more corporate executives start using smart phones and tablets, this poses new challenges for information security professionals. People don't realize what personal information and other data are being extracted from their mobile phones by the various applications installed on them. A recent Wall Street Journal investigation found that many of these smart phones share personal data widely and regularly.

Many financial and retail institutions have started offering transactions through these devices; PayPal alone expects to process more than $700 million in mobile payments. Along with this jump in mobile usage, we now have more vulnerabilities in mobile applications as well. Most of these vulnerabilities have been basic lapses such as storing authentication data in plain text, storing credit card and CVV numbers, etc. These vulnerabilities indicate that organizations are rushing into both the development and the release of such applications without implementing proper controls.

New Microsoft SDL (and malware analysis) tool

Microsoft released a new SDL tool that checks for the attack vectors introduced by a program. Some of the attack vectors it checks include open sockets, services running by default, weak ACLs, dynamic web pages, ActiveX being enabled, and enabled guest accounts. Based on the presence of these attack vectors, it identifies the changes and reports them.

Some of the things we can do with the tool include:

  • Developers can view changes in the attack surface resulting from the introduction of their code onto the Windows platform
  • IT professionals can assess the aggregate attack surface change caused by the installation of an organization's line-of-business applications
  • IT security auditors can evaluate the risk of a particular piece of software installed on the Windows platform during threat risk reviews

But, in my opinion, the most useful application of the tool would be in malware analysis and incident response. The tool allows you to take a snapshot of a system to serve as the baseline and compare it with a later snapshot, enabling you to detect changes such as additional files, registry keys, services, ActiveX controls, listening ports, access control lists, and other parameters. It lets the investigator see the effect of malware, or of a legitimate program, on a system.

The tool can be downloaded from here.

Wednesday, April 20, 2011

Underground Economies - McAfee and SAIC report

A new report titled "Underground Economies", in which McAfee and SAIC collaborated to investigate perceptions around companies' intellectual capital, has been published. The report surveyed over 1,000 senior IT decision makers across the world, getting their opinions on where they thought their valuable data was, their attitude toward outsourcing control of it, how it was protected, and the risk of it being "misplaced".

Some of the highlights of the report are:

  • Employees' adherence (or lack thereof) to security procedures is considered to be a greater challenge to organizations' information security than the fact that there are multiple systems within the organization, or the insecurity of supply chain partner systems
  • Around half of organizations are looking to increase their IT security spending in regard to hardware upgrades, software upgrades and external hosting of data and other services
  • More than a quarter of organizations assess the threats or risks posed to their data twice a year or less often
  • Securing mobile devices continues to pose a challenge to businesses
  • Cloud based services may represent a new target not only for data theft, but also for cheap infrastructure or resources within criminal enterprises
  • One in ten organizations will only report breaches/losses that they are legally obliged to, and no more

Some emerging trends that are changing the ways companies defend against sophisticated attacks and insider leaks are:

  • Deep Packet Inspection
  • Human Behavior Based Network Security
  • Insider Threat Tools
  • Advanced Forensics
  • Advanced Malware Analysis

The complete report is here. (Registration required)

Public comments requested

This is an opportunity for information security practitioners to participate in policy formulation.

National Cyber Security Policy - India

The Department of Information Technology (DIT), Ministry of Communications & IT, has prepared a draft discussion document on the ‘National Cyber Security Policy’. The discussion document has been prepared for public consultation in order to facilitate the creation of a secure computing environment, enable adequate trust and confidence in electronic transactions, and guide stakeholders’ actions for the protection of cyber space.

The document has been posted on the DIT web site for public comment and can be downloaded from here.

Comments and feedback on this document should reach CERT-In by 15th May 2011, at the email id ‘grai at’

NIST document SP 800-53

NIST is updating its most widely referred-to document, SP 800-53, and this is your chance to provide input on this very important document. Many state, federal and country-specific regulations refer to this document or adapt it.

Revision 3 is available from the NIST web site here.
You can send your comments to NIST by emailing them at sec-cert at by April 29, 2011.

Sunday, April 10, 2011

Breaches and attack methods

In the previous post I listed some of the high-profile attacks and breaches; let's now look at some of the attack methods used in these and other recent attacks. This information was taken from the Web Hacking Incident Database.

SQL injection continues to be at the top, and over the last year or so we have started seeing more denial-of-service type attacks.

Top Application Weaknesses

Input validation is the major weakness we see in applications. Proper input validation is one of the major checks prescribed by bodies such as OWASP and SANS.

Top Outcomes

Leakage of information is a direct outcome of SQL injection, and in many cases it results in monetary loss and loss of reputation and business. The other major outcome is downtime, which directly impacts the business bottom line and is something a business person will understand.

This is a nice way to categorize incidents, and organizations should compile a list of incidents within their own organization and present it to senior management and the Board as part of the metrics that show the impact.

Saturday, April 9, 2011

March - The month of attacks and breaches

March was full of major attacks and breaches, here are some of them:

These attacks show that adversaries continue to find ways to exploit systems, applications and networks, and that organizations need to rethink their strategies to defend against them. They also show that adversaries continue to look to extract sensitive information or disrupt systems for their own gain.

Many organizations have suddenly started to realize that even they have important data that is valuable to attackers. They now realize how easy it is for the attackers to take that data. They now realize that their investment in information security (both process- and people-wise) is just not enough. They now realize that management commitment to information security is not enough. They now realize that they need to do more.

Organizations should go back to basics and start by identifying critical data: where it is stored, who owns it, who has access, what the risks are, what security mechanisms are in place and how to improve them. Organizations should concentrate more on preventive techniques and implement strong monitoring mechanisms as additional controls.

Organizations must also realize that if we don’t start doing this now, we will be forced to do it through more regulation by the government and other entities.

Ok, so that was in March, how does April look? Not good, there are two reports of high profile intrusions already.

Sunday, March 13, 2011

Bangalore Cyber Security Summit 2011

The Department of IT, BT and S&T is organizing the second edition of the Bangalore Cyber Security Summit 2011 on 17th & 18th March 2011 at NIMHANS Convention Centre, Hosur Road, Bangalore.

The objective of the conference is to enhance the knowledge of law enforcement agencies and other stakeholders to combat cyber crimes. The second edition of the Bangalore Cyber Security Summit is intended to focus attention on the issue of Cyber Security and extend the deliberations of the previous year regarding the threat of Cyber Wars and the challenges of integrating law, technology and human factors involved in Cyber Security.

Agenda and registration information is available on the website.

Saturday, March 12, 2011

White House is proposing a big increase in cybersecurity research - report

Computerworld reports that the White House is proposing a big increase in cybersecurity research and development in next year's budget to improve, in part, its ability to reduce the risk of insider threats and ensure the safety of control systems such as those used at power plants.

The report further adds that Philip Coyle, associate director for national security, said at the budget briefing on Monday that the administration is proposing "considerable growth" in cybersecurity research. When all the cybersecurity spending plans across the board are added together, cybersecurity research and development spending will increase 35% to $548 million next year, he said.

This is good news overall for the security industry and information security job market in particular.

OWASP Appsec Tutorial project

OWASP started a new educational project called Appsec Tutorial Series.

The OWASP Appsec Tutorial Series breaks down security concepts in an easily accessible, friendly way. Each video is 5-10 minutes long and highlights a different security concept, tool or methodology.

So far, they have posted two videos, you can check them out here.

Sunday, March 6, 2011

Do business leaders care about information risk?

One of the complaints that we hear from information risk practitioners is that the management does not show enough support and concern for the program.

There is no doubt that good management commitment makes the program successful, and management's efforts lead to making information security and risk management part of the organization's culture. But at the same time, as information risk professionals, it is absolutely essential that we understand the business. In order to build a program that suits the business requirements, one should understand the business processes, business objectives, key stakeholders, key customers, other business interests, legal and regulatory requirements, etc.

So, do we have any evidence of enough management concern towards information risk?

In a recent interview, Ram Charan, the acclaimed advisor to many CEOs the world over, was asked:

"What are the challenges and problems CEOs are coming to you with post the financial crisis?"

"This varies from business to business, economy to economy. I will give you what is generally on the minds of the leaders. One is enterprise risk, that’s because uncertainty has increased. There is more regulation and more volatility in the financial system. So they all have to think about risk and how to mitigate it. Two, corporate governance and succession have become important items."

This is definitely good news as information risk plays important roles in both corporate governance and enterprise risk.

Saturday, February 12, 2011

DSCI-KPMG Survey on State of Data Security and Privacy in the Indian Banking Industry

Posting the DSCI (Data Security Council Of India) announcement on this.

DSCI, on February 4, 2011, released the results of the “DSCI-KPMG Survey on State of Data Security and Privacy in the Indian Banking Industry”. The Survey Report, released by Shri G. Gopalakrishna, Executive Director, Reserve Bank of India, at an event held in Mumbai, aims to establish a ground for dealing with security and privacy concerns and offers insight to the banking industry in better equipping itself for data protection.

The need for such a survey and for an understanding of security issues at the banks was highlighted by the enthusiastic response the survey received from public, private and international banks.

Some of the key findings of the Survey Report include:

  • Customer awareness on information security along with insecure customer end points is one of the most significant challenges faced by the banks
  • External threats and the increasing usage of online & mobile channels along with regulatory requirements are driving banks in India to invest in information security
  • Managing security is more challenging in online banking and phone (IVR) banking as compared to other service delivery channels
  • Banks drive inputs from international standards such as ISO 27001 to establish their security function
  • Absence of collaboration and synergy between Security and Fraud Management functions leaves a significant gap in banks’ effort to curb financial frauds

Follow this link to access the full Survey Report.

Friday, February 11, 2011

New NIST documents on Cloud Computing

NIST issued two new draft documents on cloud computing for public comment, including the first set of guidelines for managing security and privacy issues in cloud computing. The agency also has set up a new NIST Cloud Computing Collaboration site on the Web to enable two-way communication among the cloud community and NIST cloud research working groups.

Here are the two documents:

  1. NIST Definition of Cloud Computing (NIST Special Publication (SP) 800-145). SP 800-145 may be downloaded for review from here.
  2. Guidelines on Security and Privacy in Public Cloud Computing (SP 800-144) provides an overview of the security and privacy challenges for public cloud computing and presents recommendations that organizations should consider when outsourcing data, applications and infrastructure to a public cloud environment. These recommendations are divided into the following areas:
     • Governance
     • Compliance
     • Trust
     • Architecture
     • Identity & Access Management
     • Software Isolation
     • Data Protection
     • Availability
     • Incident Response

Public comments are requested on this publication as well. SP 800-144 may be downloaded for review from here.

To learn more on Cloud Computing, risks and vendor selection, head over to my three part essay, here, here and here.

SANS India 2011 in Bangalore

SANS is coming back to India from 14-19 February with three courses. Here is the course line-up:

1. SEC 401: Security Essentials Bootcamp Style (GSEC) taught by SANS Certified Instructor Jim Herbeck

2. SEC 560: Network Penetration Testing and Ethical Hacking (GPEN) taught by SANS Certified Instructor Bryce Galbraith

3. FOR 610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques (GREM) taught by SANS Certified Instructor Hal Pomeranz

I will be attending the FOR610 (GREM) course.

Details are here.

Saturday, February 5, 2011

Mandiant's M-Trends report is out.

Mandiant released its annual M-Trends report detailing APT related incidents that they handled in 2011. The report provides first-hand accounts of real intrusions that illustrate trends in attack methodologies; technology used to accomplish the attacks; and the types of data that have been stolen.

If you are not familiar with what APT is, refer to my earlier blog post on APT.

The report is available here.

Friday, January 28, 2011

Data Privacy Day

Many countries celebrate today as Data Privacy Day. In India, DSCI organized a chapter meeting to start a dialogue among the group members on the various privacy issues affecting our nation and the best ways to combat them.

Here is what Dr. Kamlesh Bajaj, the CEO of DSCI had to say on this occasion,

"With the increased digitization of personal information, Privacy has emerged as an important agenda for individuals, businesses and governments worldwide. Though a fairly matured and much debated concept in the western world, Privacy is beginning to gain relevance in India, esp. with the rollout of the UID project. To build on this beginning and reflect a comprehensive & thorough understanding of Privacy at national level discussions and policy making, it is critical to educate the organizations, government departments and more importantly the ‘vulnerable’ individuals who provide their personal information for availing business and government services."

Friday, January 21, 2011

2010 Top Ten Web Hacking Techniques

Jeremiah Grossman has published the 2010 Top Ten Web Hacking Techniques. It is an annual report that showcases the best hacking techniques published in the year.

It is an opportunity for the information security professionals to understand the new techniques and how to defend against them.

My personal favorite is the evercookie, which creates persistent cookies in a browser.

Sunday, January 9, 2011

New set of Information Security Principles

The Information Security Forum (ISF), (ISC)² and ISACA recently released a set of 12 principles to help individuals support business objectives, defend their organizations, and promote responsible security behavior.

These 12 principles are outlined under three main categories: support the business, defend the business, and promote responsible security behavior.

The principles are below: