Recently my Twitter account was hacked. That teaches me to use simple passwords. This account was quite old and unused for a while. When I started to use it again it got a bit more visibility and was taken over. I got it recovered quite quickly, but cleaning up takes a while.
Just a few minor tips:
- Do not re-use passwords (this was my luck, I never do; multi-level protection password managers help me here).
- Check for past likes you did not make yourself and that look “off-beat”; do this FREQUENTLY.
- Many services provide “recent user activity/logon” info (sometimes difficult for me to interpret, since I use VPNs of many types with different target countries).
- Verify profile changes and email notifications regarding your accounts (never click the links in those emails; always go to the page directly to take action).
- Change passwords periodically (every year when using 2-factor?).
- Use multi-factor authentication (with a few trusted devices) where possible.
Simple chart with a classification of different InfoSec threats:
- Poisoning (ARP, DNS)
- Social engineering
- Social network attacks
- SQL injection
- Code injection
- Path traversal
- Buffer overflow
- Replay attacks
- Session hijacking
- Brute force
- Rainbow (hash) tables
- Shoulder surfing
- Heuristic commits
- Secure boot
- Threat scanning
During the validation of control activities you should attempt to make security easier on users and more difficult for attackers.
Activities to verify may include (not limited to):
- Prevention (2FA, least privilege, reduce deniability, …)
- Delay (strong encryption, layering, …)
- Detect (monitor, detect change, audit, automate, …)
- Compliance (implementation of corporate policy and standards, including configuration best practices)
- Recover (verify the ability to reset to the last known good state)
NOTE: validation of control activities is not considered an audit. Auditors should also be evaluated (watch the watcher) and must comply with segregation of duties. Example: auditors should NOT define the governing policy or have the ability to implement change.
You should care! Due care is the conduct of a person in a particular situation. If negligence of due care is tested, each juror (auditor/tester) has to determine what is “reasonable” in the given situation. Do train people in good choices vs. bad choices.
Continually ensure that threats and vulnerabilities are known and acted upon.
- Assets are identified and protected.
- Controls are in-place.
- Regulations are followed and evaluated.
- Who did it?
- Do we have Non-repudiation?
- What are legal consequences?
- How shall we secure the systems?
- Who is accountable?
- Integrity and assurance
- Audit trails & logs
- Design, governance and policy
- RACI matrix
*Standards should include an [internal] Minimal Security Baseline (MSB), influenced by vendor best practices, external standards, directives, etc.
Q. is the Classical CIA triad still valid as a base for our information systems?
A. Sure, below are some examples for information systems that mainly require – but are not limited to:
- Confidentiality for Personal data systems (ex: PII, HR info),
- Integrity for Financial critical systems (ex: reporting, projections),
- Availability for Business critical systems (ex: production, assembly).
It’s alive! Welcome to the SEcurity Content COmmunity (SECCO), a place to share and comment on IT security-related topics.
SECCO is the interactive section of the CIA³ site (pronounced: CIA cubed). CIA³ is a more modern version of the classical security concept known as the CIA triad. CIA³ covers: Confidentiality, Integrity, Availability, Accountability, and Assurance.