NIST has recently released the final publication of the "Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach".

This NIST special publication (NIST Special Publication 800-37, Revision 1) can be downloaded from the csrc.nist.gov website.

As per this guide, the Certification and Accreditation process for federal government information systems is transformed into a Risk Management Framework that stresses security from an information system's initial design phase through implementation and daily operations.

It places equal emphasis both on defining the correct set of security controls and on implementing them in a robust continuous monitoring process.

This is similar to the various Secure Software Development processes such as MS SDL and OWASP CLASP.
The guide can be downloaded from here.

Guide to ISO 31000

Posted by Binoy | Tuesday, March 09, 2010

Three risk associations, Airmic, Alarm, and the IRM, have collaborated to publish a free guide to ISO 31000 titled "A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000".

The guide is organized in two parts, each containing four chapters, with two appendices. The document is neatly organized and is useful for organizations implementing or following ISO 31000.

The full guide is available here.

Top Cloud Security Threats Report

Posted by Binoy | Tuesday, March 09, 2010

The Cloud Security Alliance (CSA) and HP have published new research findings that detail the potential threats surrounding the use of cloud services.

This seems to be a serious effort to raise the security concerns related to the cloud. This 14-page report identifies 7 threats, namely:

  1. Abuse and Nefarious Use of Cloud Computing
  2. Insecure Interfaces and APIs
  3. Malicious Insiders
  4. Shared Technology Issues
  5. Data Loss or Leakage
  6. Account or Service Hijacking
  7. Unknown Risk Profile

The full report is available here.

In recent days, we have seen many emails claiming to be from your bank and asking you to provide your user name, password, ATM number, PIN, etc. First of all, let me emphasize that these are fake emails. Banks, or any other responsible companies, will never ask for these details for any reason.

Let me reiterate: never, ever respond to such emails. Do not click on the links in these emails, as they lead to fake sites. Entering your online banking username and password on these fake sites will allow an attacker to take control of your account and withdraw all the money in it. This scam is commonly known as phishing.

I will write another post on phishing later. In this post, I would like to emphasize the money mule scam, which is the hidden side of phishing.

Extract from Wikipedia about money mules:

"Money mule is a person who transfers money and reships high value goods that have been fraudulently obtained in one country, usually via the internet, to another country, usually where the perpetrator of the fraud lives.
The need for money mules arises because while a criminal in a developing country can obtain the credit card numbers, bank account numbers, passwords and other financial details of a victim living in the first world via the internet through techniques such as malware and phishing, turning those details into money usable in the criminal's own country can be difficult. Many businesses will refuse to transfer money or ship goods to certain countries where there is a high likelihood that the transaction is fraudulent. The criminal therefore recruits a money mule in the victim's country who will receive money transfers and merchandise and resend them to the criminal in return for a commission"

There are various stages where people are recruited as money mules

Data leakage is a key threat which could give sleepless nights to any business executive, and it is definitely a top priority for CISOs and information security managers.

I have looked into the DLP scenarios and various solutions. I have not found a single solution which covers more than 75% of DLP; maybe my expectations are higher. Many of my vendors used to tell me that I will have to use multiple solutions; still, the reach did not go beyond 90%.

The following are the areas where I need protection; can anyone suggest solutions?

  • Removable Media - I have zeroed in on a product from Check Point for endpoint security, which gives fairly good protection from data leakage through endpoints. I have not (yet) found a mechanism for automating its installation and reporting on all the client machines. I expected a mechanism similar to the one in most, if not all, anti-virus solutions.
  • Internet - The Secure Computing WebWasher is a pretty good tool; a key feature I liked is the possibility of stopping internet uploads by user, group and some other parameters. This may be the same in competing products. I have tested another product named WebMarshal, which did not have this feature. Now, on the Internet, how do we stop posting to a text area, such as a blog? Can someone do text analysis and stop the content being posted?
  • EMail - I have seen many tools with text analysis capabilities and options to block and quarantine messages; what about data which is altered? Can the system still read the logic? For example, an Excel sheet where the numbers are replaced with letters, like acbd for 1324.
  • What about corporate webmail? Many companies allow access to corporate email through a webmail server, such as Outlook Web Access in MS Exchange. One can save data, including large files, in a draft email and download it from home. How can this be protected?
  • What about mobile computing devices such as laptops, BlackBerry, etc.? If they connect to networks outside the corporate network, how much impact will the corporate policies have on these devices?
I think there are many opportunities for those who want to take data out. The present solutions do a great job in terms of data leakage; however, in my opinion, they fail to protect from data being stolen.
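The "acbd for 1324" question above is really a question about how far a DLP content inspector can see through simple obfuscation. As an added example (not the author's code and not any vendor's product), the following Python shows one way a content filter can catch that particular trick: it looks for letter runs of card-number length, decodes them under candidate digit-to-letter alphabets, and keeps only decodings that pass the Luhn check, so ordinary words do not trigger it. The alphabet a=1 ... i=9 with j=0 is an assumption inferred from the post's single example (the post does not state the full scheme); a zero-based variant is tried as well. The sample cells are constructed for the example, and it goes slightly beyond the post's 4-digit case by handling full card-number-length runs.

```python
import re
from typing import Dict, List, Optional

# Candidate digit-to-letter substitution alphabets. The post's example "acbd" for
# "1324" implies a=1, b=2, c=3, d=4; we ASSUME (not stated in the post) that the
# scheme continues to i=9 with j standing for 0. A zero-based variant is tried too.
# String index = digit value, character = the letter that replaces that digit.
SUBSTITUTION_ALPHABETS: Dict[str, str] = {
    "a_is_1": "jabcdefghi",   # 0->j, 1->a, 2->b, ..., 9->i
    "a_is_0": "abcdefghij",   # 0->a, 1->b, ..., 9->j
}

# Card numbers are 13-19 digits; a run of letters of the same length is a candidate
# for a substituted number. The lookarounds avoid matching inside longer runs.
DIGIT_RUN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")
LETTER_RUN = re.compile(r"(?<![A-Za-z])[A-Za-z]{13,19}(?![A-Za-z])")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum as used by payment card numbers. Used here to suppress
    false positives: most random digit (or decoded letter) runs fail it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def decode(token: str, alphabet: str) -> Optional[str]:
    """Map a letter-only token back to digits under one candidate alphabet.
    Returns None if any letter lies outside the alphabet (so it is not a
    substituted number under that scheme)."""
    digits = []
    for ch in token.lower():
        pos = alphabet.find(ch)
        if pos < 0:
            return None
        digits.append(str(pos))
    return "".join(digits)


def scan_cell(text: str) -> List[Dict[str, str]]:
    """Inspect one text cell (a spreadsheet cell, an email body fragment)
    for plain and letter-substituted card-number-like values."""
    findings: List[Dict[str, str]] = []
    for m in DIGIT_RUN.finditer(text):
        if luhn_ok(m.group()):
            findings.append({"kind": "plain_card_number",
                             "token": m.group(), "decoded": m.group()})
    for m in LETTER_RUN.finditer(text):
        for name, alphabet in SUBSTITUTION_ALPHABETS.items():
            decoded = decode(m.group(), alphabet)
            if decoded is not None and luhn_ok(decoded):
                findings.append({"kind": "substituted_card_number",
                                 "alphabet": name,
                                 "token": m.group(), "decoded": decoded})
                break  # one matching alphabet per token is enough
    return findings


def scan_cells(cells: List[str]) -> List[Dict[str, object]]:
    """Scan a list of cells; each finding records the index of the cell it came from."""
    results: List[Dict[str, object]] = []
    for idx, cell in enumerate(cells):
        for finding in scan_cell(cell):
            results.append({"cell": idx, **finding})
    return results


# Constructed sample input (not from the post): a few spreadsheet-like cells.
# 4111111111111111 is the well-known Luhn-valid test number; "daaaaaaaaaaaaaaa" is
# that same number under the assumed a=1 substitution (4->d, 1->a).
SAMPLE_CELLS = [
    "Invoice 2010-03 total 1324",        # an ordinary figure, too short to matter
    "acbd",                              # the post's 4-digit example, also too short
    "card 4111111111111111 on file",     # plain card number
    "card daaaaaaaaaaaaaaa on file",     # same number, letter-substituted
    "meeting notes attachedfileshere",   # ordinary words, must not trigger
]

if __name__ == "__main__":
    for result in scan_cells(SAMPLE_CELLS):
        print(result)
```

Run as a script, it reports the plain card number in cell 2 and the substituted one in cell 3, and nothing for the other cells. The design point is the Luhn step: decoding letter runs alone would flag every 13-19 letter word built from a-j, so a structural check on the decoded value is what keeps the false-positive rate tolerable; the same pattern (decode under candidate schemes, then validate structure) extends to other identifiers that carry a checksum.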