New ISO TR on Guidance on the audit of the governance of IT

In conjunction with the guidance in ISO/IEC 38500, ISO/IEC TR 38502 and ISO/IEC 19011:2011 (Guidelines for auditing management systems), a new technical report is proposed to provide guidance on audits that assess whether an organization’s governance of IT is aligned with the principles for governance of IT in ISO/IEC 38500.

BSI is seeking public comments on this new TR: http://standardsproposals.bsigroup.com/Home/Proposal/3684

“The primary audience for the technical report is auditors undertaking audit assessment of an organization’s governance of IT. The outcomes of such assessments will inform members of governing bodies who are responsible for the governance of IT and are accountable for the effective, efficient and acceptable use of IT within the organization; and those responsible for defining and implementing the governance framework for IT.”

The IT auditor has a responsibility to help the management board oversee a complex IT environment. A governance framework that defines the organisation structure, roles, responsibilities and accountability is important.

No single prediction is perfect, so I look at four

As 2015 approaches, it is time for new year resolutions and wishes. For the security industry, we are busy preparing for another eventful year!!

When preparing our budget and project portfolios, it may be useful to look at predictions from leading security vendors. Cyber security is an intelligence game. Can the Websense, Sophos, FireEye and TrendMicro predictions help us? I will write another post to provide my thoughts.

Legend : Orange cells are directly related to Smartphone. Red words are related to payment systems.

2015 Cyber Security Predictions

Websense:
- Healthcare will see a substantial increase of data stealing attack campaigns
- Attacks on the Internet of Things will focus on business use cases, not consumer products
- Credit card thieves will morph into information dealers
- Authentication consolidation on the phone will trigger data-specific exploits, but not for stealing data on the phone
- New vulnerabilities will emerge from decades old source code
- Email threats will take on a new level of sophistication and evasiveness
- As companies increase access to cloud and social media tools, command and control instructions will increasingly be hosted on legitimate sites
- There will be new (or newly revealed) players on the global cyber espionage/cyber war battlefield

Sophos:
- Exploit mitigations reduce the number of useful vulnerabilities
- Internet of Things attacks move from proof-of-concept to mainstream risks
- Encryption becomes standard, but not everyone is happy about it
- More major flaws in widely-used software that had escaped notice by the security industry over the past 15 years
- Regulatory landscape forces greater disclosure and liability, particularly in Europe
- Attackers increase focus on mobile payment systems, but stick more to traditional payment fraud for a while
- Global skills gap continues to increase, with incident response and education a key focus
- Attack services and exploit kits arise for mobile (and other) platforms
- The gap between ICS/SCADA and real world security only grows bigger
- Interesting rootkit and bot capabilities may turn up new attack vectors

FireEye:
- Mobile and Web-based viruses remain a scourge, and hardly a week goes by without hearing of another data breach or a new malware.
- Mobile ransomware will surge in popularity. Cryptolocker attained a measure of success this year, and so attention is expected to further turn to mobile in order for attackers to gain access to your phone and contacts.
- Point-of-sale (PoS) attacks will also become a more popular method of stealing data and money, and PoS attacks will strike a broader group of victims with increasing frequency.
- As retailers strengthen their defenses and more criminals get into the game, cyberattacks will spread to “middle layer” targets including payment processors and PoS management firms.
- Attacks on the enterprise supply chain will surge, as less mature or financially able companies become weak links in an ecosystem where only top firms can bolster their defenses to acceptable standards.
- Lack of adequate response could result in a major brand going out of business.
- With such risks in the corporate realm, cyber insurance as an industry is expected to grow.

TrendMicro:
- More cybercriminals will turn to darknets to share attack tools, stage attacks, and market stolen goods.
- There will be bolder hacking attempts as cyber activity increases.
- An exploit kit that specifically targets Android users will surface.
- Targeted attacks will become a norm.
- Bugs in open source apps will continue to be exploited.
- New mobile payment methods will introduce new threats.
- We won’t see head-on IoE/IoT device attacks, but the data they process will tell another story.
- More severe online banking and other financially motivated threats will surface.

Cyber security info explosion

As an IT security guy, I used to read cyberattack and data breach news, trying to learn from others’ missteps. However, in the past few months, it has become impossible to keep up with those stories! There is a cyber security info explosion in the mass media. Bloggers, journalists, lawyers, bankers and even comedians have started to comment on cyber security.

Just thinking: we may need a course to teach people how to (and how not to) write about cyber attacks. Relying purely on the fear factor is not helping.

There are secrets in our lives, and we trust the computer by using them as our passwords.

I really don’t like the opening story of this article, but it is one of the most interesting stories telling how software becomes part of our life and memory. Our love and hate with passwords will never end. Even in the Sci-Fi world, the Star Trek captain still needs a code to activate the auto-destruct system!

Read the story about a mom who discovered her son was gay when she researched his password (“Lambda1969”) after he committed suicide; a password may serve as a will, something the son believed people would definitely find out after his death.

NYTimes: The Secret Life of Passwords

“Virtually all the people who revealed their passwords to me said they planned to stop using them. And yet they divulged them all the same.”

IBM to build Chinese cloud presence with help from Tencent

Now that cloud computing is a mainstream product, does Tencent need IBM to build cloud? My answer is NO, since I saw the presentation at the OpenStack Summit in HK last year.

Gigaom

The great race by U.S. cloud companies to capture part of the huge Chinese market continued with Friday’s news that IBM is working with Tencent Cloud to provide cloud infrastructure and software-as-a-service capabilities for business in China. IBM SoftLayer opened a data center in Hong Kong in June.

This news revolves around IBM using Tencent cloud to provide business services; it does not at least yet involve IBM’s SoftLayer cloud arm, a spokesman said.

IBM and Tencent, the company behind the popular WeChat mobile messaging app, signed a Memo of Understanding (MOU) to this effect. To participate in the Chinese market, U.S. companies have to partner with local vendors. Microsoft was the first provider down the chute. Azure went online in China in March via Microsoft’s collaboration with Via21net. Amazon is working with China Net Center and SINNET to set up its new Beijing region slated to go live this year. (The AWS…


Is an ad-based business model the original sin of the web — and if so, what do we do about it?

Does the lack of a transparent and convenient payment system for consuming content hinder Internet growth? There is a vicious circle the author did not mention. The ad-based business model fuels the creation of content specially fitted for ads, in both format and subject! User behaviour also adapts to bite-size content. We are stuck, but very few are searching for a way out.

Gigaom

Ethan Zuckerman, director of the Center for Civic Media at MIT and co-founder of the blog network Global Voices, argues in a fascinating post at The Atlantic that the “original sin” of the internet was that almost every web business defaulted to an advertising-based business model — and that this in turn led to the privacy-invading, data-collecting policies that are the foundation of companies like Facebook and Google. But is that true? And if so, what should we do about it?

Zuckerman says his thoughts around advertising and its effects were shaped in part by a presentation that developer Maciej Ceglowski gave at a conference in Germany earlier this year. Ceglowski is the founder of Pinboard, a site that allows users to bookmark and store webpages, and someone who has argued in the past that free, ad-supported services are bad for users, since they usually wind up having…


Now even Germany’s postal service has an encrypted messaging app

Just installed this secure mobile messaging app. A few things to note:
- in the Singapore App Store
- needs access to your phone address book to find others who have installed this app. I need to invite people to use this app!

Gigaom

Last year’s NSA revelations sparked a great deal of interest in secure messaging apps, from Threema to Telegram to TextSecure, particularly in German-speaking countries where people and businesses are highly sensitive about surveillance. Now you can add another one to the list – and this one comes from the German postal service itself.

Deutsche Post, known internationally as delivery firm DHL, launched a free messenger app called SIMSme on Wednesday, promising end-to-end encryption with passphrases left in the user’s hands. According to the firm, all data is stored on German servers as it passes between users, and is deleted as soon as messages are delivered.

The app is quite comprehensive, featuring group chat and location sharing. What’s more, those willing to pony up 89 euro cents ($1.19) can add a self-destruct function for very sensitive messages and photos, effectively making SIMSme a Snapchat alternative of sorts. The first million users…


Data-enabled decision making is not to play God.

Reading a law professor’s letter to the NYTimes, I noticed a line of thought that has encroached on our society: truth, fairness and objectivity are within reach with data analytics. The author, arguing against using data scores to calculate sentencing, said

“Data-driven predictions grounded in legitimate factors might be about as accurate as current profiling schemes. There is no persuasive evidence that the current troubling variables add much predictive value, once criminal conduct is already taken into account. But even if they do improve accuracy, this gain doesn’t justify sacrificing fairness.”

In turn, she tried to weigh traditional and data-driven methods where justice and fairness are concerned. The underlying tone is that there is a correct sentence and judges should pursue it whenever possible.

The human hunt for fairness and objectivity goes astray. A correct sentence doesn’t exist, no matter how hard we try or how smart our algorithms become. Using data-driven decision-making tools should not let us play God’s (or the Gods’) role.

If we accept that data is not truth and we are not God, then the seemingly unfair situation “that people should be imprisoned longer because they are poor” is a fallacy. One way or the other, judges make decisions based on some reference point, be it their visit to Disneyland or prison, be it the risk score of the convicted. There is no faultless human decision.