
Contents contributed and discussions participated by Patrick Howitt

Patrick Howitt

Dyman & Associates Risk Management Projects: 10M Passwords Publicized For Research - 1 views

Dyman Associates Risk Management Projects
started by Patrick Howitt on 18 Feb 15 no follow-up yet
  • Patrick Howitt
     
    We've all heard of this before: a hacker releasing a certain number of passwords and usernames, presumably just for the lulz. But this time, we're talking about 10 million records posted by no less than a security specialist himself.

    Security expert Mark Burnett has published 10 million sets of usernames and passwords online in an effort to equip the security sector with more information, while also getting himself potentially tagged as a criminal.

    He clarified that his release of the username-password list is solely for white-hat purposes -- to aid research in making login authentications more effective and fraud-proof. Burnett insisted that he does not intend to help facilitate any illegal activity or defraud people by his actions.

    "I could have released this data anonymously like everyone else does but why should I have to? I clearly have no criminal intent here. It is beyond all reason that any researcher, student, or journalist have to be afraid of law enforcement agencies that are supposed to be protecting us instead of trying to find ways to use the laws against us," he said in his post.

    Leaking a massive amount of user data into the wild certainly does not sound like great help for most people but for security professionals, it's an important tool for research. For instance, how else would they know that online users are generally bad at choosing passwords?

    In his post, he shared that he would often get requests for his password data from researchers but he would just decline them before. But since he also knows its importance, he decided to publish a clean data set for the public.

    "A carefully-selected set of data provides great insight into user behavior and is valuable for furthering password security. So I built a data set of ten million usernames and passwords that I am releasing to the public domain."

    To be fair, Dyman & Associates Risk Management Projects confirms that analyzing a username-password set seems to be more helpful for the security researchers.

    According to him, it was by no means an easy decision, but he eventually posted it after weighing a number of factors. And though Burnett said he believes most of the data are already expired and unused, the domain part of the logins and any keyword that could link it to a certain site were still removed to make it difficult for those with criminal intent.

    Besides, Dyman & Associates Risk Management Projects experts agreed with him in saying that if a hacker would need such a list in order to attack someone, he's not going to be much of a threat.

    Burnett has previously helped in collecting the recent list of worst passwords to alarm people into adopting better practices when it comes to their login credentials.

    Lastly, he imparted the following warning for complacent users: "Be aware that if your password is not on this list that means nothing. This is a random sampling of thousands of dumps consisting of upwards of a billion passwords."
Patrick Howitt

Dyman Associates Risk Management Five tips for successful project risk ma... - 0 views

  •  
    Effective risk management is increasingly seen as an essential part of delivering successful projects. With a project risk management process and system in place, project risks can be identified early and minimised, and teams can seize opportunities when they arise.
Patrick Howitt

Dyman Associates Risk Management: Fundamentals of cloud security - 1 views

Dyman Associates Risk Management Fundamentals of cloud security
started by Patrick Howitt on 02 Oct 14 no follow-up yet
  • Patrick Howitt
     
    For many companies, security is still the greatest barrier to implementing cloud initiatives. But it doesn't have to be.

    Organisational pressure to reduce costs and optimise operations has led many enterprises to investigate cloud computing as a viable alternative to create dynamic, rapidly provisioned resources powering application and storage platforms. Despite potential savings in infrastructure costs and improved business flexibility, security is still the greatest barrier to implementing cloud initiatives for many companies. Information security professionals need to review a staggering array of security considerations when evaluating the risks of cloud computing.

    With such a broad scope, how can an organisation adequately assess all relevant risks to ensure that their cloud operations are secure? While traditional security challenges such as loss of data, physical damage to infrastructure, and compliance risk are well known, the manifestation of such threats in a cloud environment can be remarkably different. New technologies, combined with the blurring of boundaries between software-defined and hardware infrastructure in the datacentre, require a different approach.

    One of the first steps towards securing enterprise cloud is to review and update existing IT policies to clearly define guidelines to which all cloud-based operations must adhere. Such policies implement formal controls designed to protect data, infrastructure, and clients from attack, and enable regulatory compliance. Government bodies such as NIST, the US Department of Commerce, and the Australian Government Department of Finance and Deregulation have produced cloud computing security documents that outline comprehensive policies for their departments, which can be a useful starting point for implementing a corporate policy.

    It is important to recognise that cloud security policies should provide protection regardless of delivery model. Whether building private, public, or hybrid cloud environments within the enterprise, cloud security is the joint responsibility of your organisation and any cloud service providers you engage with. When conducting due diligence on third-party cloud service providers, carefully review the published security policies of the vendor and ensure that they align with your own corporate policies.

    A fundamental security concept employed in many cloud installations is known as the defence-in-depth strategy. This involves using layers of security technologies and business practices to protect data and infrastructure against threats in multiple ways. In the event of a security failure at one level, this approach provides a certain level of redundancy and containment to create a durable security net or grid. Security is more effective when layered at each level of the cloud stack.

    When implementing a cloud defence-in-depth strategy, there are several security layers that may be considered. The first and most widely known protection mechanism is data encryption. With appropriate encryption mechanisms, data stored in the cloud can be protected even if access is gained by malicious or unauthorised personnel. A second layer of defence is context-based access control, a type of security policy that filters access to cloud data or resources based on a combination of identity, location, and time. Yet another popular security layer in cloud-based systems is application auditing. This process logs all user activity within an enterprise application and helps information security personnel detect unusual patterns of activity that might indicate a security breach. Finally, it is critical to ensure that all appropriate security policies are enforced as data is transferred between applications or across systems within a cloud environment.

    Unfortunately, there is no one-size-fits-all solution for cloud security that can protect all of your IT assets. Nor is it wise to adopt a closed-perimeter approach. Organisations can no longer rely on firewalls as a single point of control, and security practices must expand beyond the datacentre to include key control points for endpoints accessing the cloud and edge systems. When incorporating third-party public and hybrid cloud solutions in your enterprise IT strategy, you cannot assume that the security policies of these service providers meet the standards and levels of compliance required. Make sure you spell out and can verify what you require and what is delivered.
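The post describes two of the defence-in-depth layers in the abstract: context-based access control (a decision that combines identity, location and time) and application auditing (logging every decision so unusual activity stands out). The following is an added example, not code from the article or from Dyman Associates, showing how such a policy decision point can be built and how the audit log it feeds can be queried; the resource names, roles, networks, business hours and sample requests are all constructed for illustration.

```python
"""Context-based access control with an audit trail (constructed example)."""
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta
from ipaddress import ip_address, ip_network

# Hypothetical policy table: which roles may reach a resource, from which
# networks, and during which hours. All values are constructed.
POLICY = {
    "payroll-db": {
        "roles": {"finance"},
        "networks": [ip_network("10.0.0.0/8")],   # corporate address space only
        "hours": (time(7, 0), time(19, 0)),       # local business hours
    },
    "public-docs": {
        "roles": {"finance", "engineering", "contractor"},
        "networks": [ip_network("0.0.0.0/0")],    # any source address
        "hours": (time(0, 0), time(23, 59, 59)),  # around the clock
    },
}


@dataclass
class Request:
    user: str
    role: str
    source_ip: str
    when: datetime
    resource: str


@dataclass
class AuditLog:
    """Application-auditing layer: every decision is recorded, allowed or not."""
    entries: list = field(default_factory=list)

    def record(self, req: Request, allowed: bool, reason: str) -> None:
        self.entries.append({
            "user": req.user, "resource": req.resource, "ip": req.source_ip,
            "when": req.when, "allowed": allowed, "reason": reason,
        })

    def denials_for_user(self, user: str, window: timedelta) -> int:
        """Count a user's denials inside the window ending at their latest denial."""
        denied = [e for e in self.entries if e["user"] == user and not e["allowed"]]
        if not denied:
            return 0
        latest = max(e["when"] for e in denied)
        return sum(1 for e in denied if latest - e["when"] <= window)


def decide(req: Request) -> tuple:
    """Return (allowed, reason); identity, location and time must all pass."""
    rule = POLICY.get(req.resource)
    if rule is None:
        return False, "unknown resource"
    if req.role not in rule["roles"]:
        return False, "identity: role not permitted"
    addr = ip_address(req.source_ip)
    if not any(addr in net for net in rule["networks"]):
        return False, "location: source network not permitted"
    start, end = rule["hours"]
    if not (start <= req.when.time() <= end):
        return False, "time: outside permitted hours"
    return True, "all context checks passed"


def authorize(req: Request, log: AuditLog) -> bool:
    """Evaluate the request and write the decision to the audit log."""
    allowed, reason = decide(req)
    log.record(req, allowed, reason)
    return allowed


def run_sample() -> dict:
    """Evaluate a constructed batch of requests and summarise the audit log."""
    log = AuditLog()
    day = datetime(2015, 2, 18)
    requests = [
        Request("alice", "finance", "10.1.2.3", day.replace(hour=10), "payroll-db"),
        Request("alice", "finance", "203.0.113.5", day.replace(hour=10, minute=5), "payroll-db"),
        Request("alice", "finance", "10.1.2.3", day.replace(hour=23), "payroll-db"),
        Request("bob", "contractor", "10.1.2.3", day.replace(hour=10), "payroll-db"),
        Request("bob", "contractor", "203.0.113.5", day.replace(hour=3), "public-docs"),
    ]
    results = [authorize(r, log) for r in requests]
    return {
        "results": results,
        "reasons": [e["reason"] for e in log.entries],
        "alice_recent_denials": log.denials_for_user("alice", timedelta(hours=24)),
    }


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(key, value)
```

Each of the three context checks fails independently and records its own reason, so the audit log distinguishes a wrong role from a request that arrived from an unexpected network or at an unusual hour; the `denials_for_user` query is the kind of simple pattern check the post's auditing layer is meant to support, and a real deployment would alert when that count crosses a threshold.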
Patrick Howitt

Dyman Associates Risk Management: Tips for testing your mobile app security - 3 views

Dyman Associates Risk Management Tips for testing your mobile app security
started by Patrick Howitt on 26 Aug 14 no follow-up yet
  • Patrick Howitt
     
    The enterprise has gone mobile and there is no turning back. And while the BYOD movement has received plenty of attention, IT departments are getting a handle on the security risks of personal mobile devices in the workplace. The next challenge is "bring your own application" (BYOA), because many public app stores have serious malware problems.

    Enterprise app stores could be the answer. Gartner is predicting that 25% of enterprises will have their own app store by 2017. This will enable companies to push out apps more efficiently, it will be a major boost for mobile device management, and it can offer a secure, automated process that will work equally well for apps developed in-house and curated applications from third parties. Regardless of where an app originates, it is crucial that you can vouch for its security before it is distributed.

    Roughly speaking, there are three types of mobile apps:

    Native applications -- written for a specific platform, native apps will only run on supported devices. That means an iOS app will only run on an iPhone, for example.

    Web applications -- any mobile device can access a web app because they are built using standards such as HTML5 and are effectively hosted online. The mobile app is often little more than a shortcut to the web app.

    Hybrid applications -- a web-based user interface can have a layer of native application around it to get the best of both worlds.

    Enterprises are increasingly choosing the hybrid approach so they can cover a wide range of platforms but also exploit the hardware capabilities of different mobile devices. Gartner analysts suggest that more than 50% of deployed apps will be hybrid by 2016. [See also: "What enterprise mobile apps can learn from mobile games"]

    As you can imagine, each type of app requires specific testing. In each case you must consider how to protect data as it travels across mobile networks. There is always a split between what is actually installed on the mobile device and the central processing or data storage that is installed on a server. There is a range of software out there designed to help your IT department in testing an app's security.

    To cover all the bases and ensure effective penetration testing is carried out, your best option is to engage a third-party organisation with the right expertise. They will put your app to the test, approaching it as a real hacker would -- with no regard for how the system is intended to be used, just a will to break it.

    Tips for testing vulnerabilities

    There are many potential weak spots in mobile apps. Knowing where they are can get you off to a good start.

    - Data flow -- can you create an audit trail for data, what goes where, is data in transit protected, and who has access to it?
    - Data storage -- where is data stored, and is it encrypted? Cloud solutions can be a weak link for data security.
    - Data leakage -- is data leaking into log files, or out through notifications?
    - Authentication -- when and where are users challenged to authenticate, how are they authenticated, and can you trace passwords and IDs through the system?
    - Server-side controls -- don't focus on the client side and assume the back end is secure.
    - Entry points -- are all potential client-side routes into the application being validated?

    This is just the tip of the iceberg in terms of comprehensive security testing for mobile apps. Factor in the particular compliance requirements of your industry, because it is very important that you meet the right standards for regulation and mandates. The majority of in-house IT departments are simply not equipped to carry out the rigorous testing required to sign off a mobile app as secure. [See also: "Hardening Windows 8 Apps for the Windows Store"]

    It is also worth knowing that you cannot just test an app and forget about it. If you frequent the developer forums for all the major mobile platforms, you will find that new security threats pop up all the time, and it takes effort to keep up to date with the situation and take the necessary measures to keep your applications and systems secure.
Patrick Howitt

Dyman Associates Risk Management on How to Develop a Risk Management Plan - 1 views

  •  
    Developing an effective Risk Management Plan can help keep small issues from developing into emergencies. Different types of Risk Management Plans can deal with calculating the probability of an event and how that event might impact you, what the risks are with certain ventures, and how to mitigate the problems associated with those risks. Having a plan may help you deal with adverse situations when they arise and, hopefully, head them off before they arise.
Patrick Howitt

Dyman Associates Risk Management - Preparing A Risk Management Plan And Business Impact... - 1 views

Dyman Associates Risk Management
started by Patrick Howitt on 05 Aug 14 no follow-up yet
  • Patrick Howitt
     
    The process of identifying risks, assessing risks and developing strategies to manage risks is known as risk management. A risk management plan and a business impact analysis are important parts of your business continuity plan. By understanding potential risks to your business and finding ways to minimise their impacts, you will help your business recover quickly if an incident occurs.

    Types of risk vary from business to business, but preparing a risk management plan involves a common process. Your risk management plan should detail your strategy for dealing with risks specific to your business.

    It's important to allocate some time, budget and resources for preparing a risk management plan and a business impact analysis. This will help you meet your legal obligations for providing a safe workplace and can reduce the likelihood of an incident negatively impacting on your business.

    This guide outlines the steps involved in preparing a risk management plan and a business impact analysis for your business.

    Read more news: http://dymanassociatesprojects.com/

    Visit Us:
    http://dymanassociatesprojects.tumblr.com/

    https://plus.google.com/b/103237330230122996179/f103237330230122996179/about
Patrick Howitt

Dyman & Associates Risk Management Projects, Is the cloud the next stop for enterprise ... - 1 views

Is the cloud the next stop for enterprise management? Dyman & Associates Risk Management Projects
started by Patrick Howitt on 11 Mar 14 no follow-up yet
  • Patrick Howitt
     
    http://gcn.com/articles/2014/03/03/enterprise-risk-management.aspx

    Could enterprise risk management become a common cloud-based service at most government agencies? It's an idea being explored by other industries, especially within the financial management and manufacturing sectors. There's a good chance that the idea could take root in the public sector too.

    Once an organization assesses its potential safety and economic risks, specific rules can then be set to help mitigate those risks. Historically, organizations have not always taken an enterprise-wide approach to risk management. More often solutions were done piecemeal, such as requiring locks on certain doors or passwords on specific machines. As risk management became more formalized, it slowly became an evaluation process to be followed, a set of formal decisions to be made and a way to track and enforce specific rules.

    A risk-management system often is used not only to track risk but to document decisions made on how the risk should be addressed. This system can include coordinating resources to minimize risk, monitoring risk-related activity, and managing the short- or long-term impact of known risks.

    Such systems fall under the general heading of governance, risk and compliance (GRC), and many government agencies already have systems in place to help them manage their approach to risk. The key word here, though, is "systems" (plural). Agencies can find it difficult to integrate a truly enterprisewide view of how risk is managed. Too often GRC systems have been built ad-hoc at the sub-agency level to deal with local issues.

    Further, government has unique needs. Risk management is not the same for government as it is for an insurance company that is working to manage risk and assure profits across thousands of insurance policies and investments. Government also tends to focus heavily on risk associated with project management. Getting program or project governance properly aligned helps ensure success for the program itself, and it also reduces long-term risk from other internal and external factors.

    There are popular GRC solutions available from enterprise software vendors such as Oracle and SAP. Some organizations have created their own customized risk-management solutions, and other companies have risk-management solutions that are targeted at a specific issue, such as compliance with the Federal Information Security Management Act or the Homeland Security Presidential Directive (HSPD) 12.

    We've also seen compliance monitoring and enforcement systems that address data privacy, cyber-threat protection, configuration management rules and monitoring as well as network monitoring. The Federal CIO Council even mentioned these types of systems as leading priorities for 2014. Individual government lines of business are influencing an ever greater number of investment decisions related to GRC initiatives.

    So there's a critical mass of interest in these types of solutions. That's because agencies are under pressure to take an enterprisewide approach to GRC. They need to upgrade systems in order to make that happen, and there are always new rules hitting them that affect what their risk-management systems must track. In fact, big data and analytics draw the most attention for risk and innovation, and both are key expansion areas for government agencies. Meanwhile, we have an increasingly mobile workforce and onset of new cyber threats. Thus, security and risk has become a key government business function that relies on technology as a cornerstone to its success.

    Cloud-based GRC solutions are a logical step for agencies that need to address new rules, consolidate systems and serve their mobile workforce. Most enterprise software vendors offer cloud-hosted versions of their risk management solutions, and it's worth talking to them to see if this is a logical place for an agency to migrate.

    Government can offer help too. Last year the National Institute of Standards and Technology published a Draft Cloud Computing Security Document that introduced a "cloud-adapted Risk-Management Framework for applications and/or services migrated to the cloud." Back in 2010 NIST also established a guide for applying the Risk-Management Framework to federal IT systems. GSA also offers a set of solutions under a blanket purchase agreement related to the Risk-Management Framework and associated services (though it's not clear how much of this is available via cloud).


    Read More:
    http://dymanassociatesprojects.com/
    http://dymanassociatesprojects.com/about.html
    http://dymanassociatesprojects.com/cyber.html
    http://www.ourstory.com/thread.html?t=1122747
Patrick Howitt

Fraud Reduction Group, TYPES OF FRAUD - 1 views

Reduction Group TYPES OF FRAUD
started by Patrick Howitt on 26 Dec 13 no follow-up yet