Sunday, December 12, 2010

Step 1 - Understand the business

There is always a gap between information security and business requirements.

A successful information security program must add value to the business. That value will be added only if the person responsible for implementing information security understands the business.

A successful information security program will protect the core of the business and will be linked to the business objectives.

To understand the business, the following shall be done first:
  1. Read and understand:
    • The business vision and mission
    • The business strategy for the next 3 years, or at least for the current year
  2. Get a copy of the organizational chart with a description of each department, business unit, sector, etc.
  3. Meet each member of the management team (i.e. directors, executive managers, managers, etc.) to:
    • Collect information about the core of the business and why the organization exists
    • Develop an org chart (if one does not exist) and list the functions of each department
    • Identify who the stakeholders are
    • Identify who the decision makers are
    • Learn what incidents have happened before and what the damage of each was
    • Find out whether there are any security concerns
    • Understand what regulations or standards the business must comply with
  4. Meet the Internal Audit department manager to:
    • Collect previous audit reports and identify issues related to security

The information collected will:
  • Help you understand the business
  • Identify business priorities
  • Identify major risks that require attention and mitigation

Next we will discuss information classification and categorization.

Friday, December 3, 2010

SecurityTube Tools Wiki

SecurityTube Tools is a collaboratively edited community wiki which aims to list all the security and hacking tools out there.
280+ popular tools have been listed and categorized in a way that can be matched to most penetration testing methodologies.

SecurityTube Tools

Thursday, December 2, 2010

Free Security Magazines

To protect your business information you have to understand the value of the information, and you have to know what types of threats exist and how those threats work against valuable information.

The following magazine is a great source to keep you updated on and aware of the latest and greatest threats, and it is free.

I suggest reviewing each issue quickly, identifying the important articles, printing them, and reading one article every 2 days.

December issue of Hakin9 magazine

Another month of free education, can be downloaded from

In the December issue:
• A brief analysis of the cyber security threat by Julian Evans
• Cyber State-Bullying by Matthew Jonkman
• The Spyware Within You by Rajat Khare
• The Ear of Sauron by John Aycock
• dasbot: controlling IRC via bash by Israel Torres
• Knowing VoIP Part II – Getting deeper to the settings by Winston Santos
• TDSS botnet – full disclosure. Part II by Andrey Rassokhin and Dmitry Oleksyuk
• Search Engine Security and Privacy – Part 2 by Rebecca Wynn

Thursday, November 18, 2010

Penetration tests: 10 tips for a successful program

"Penetration tests: 10 tips for a successful program" is an article that sheds light on some of the factors that must be considered before an internal team conducts a penetration test.

It will also help with developing an RFP and maximizing the value of a penetration test conducted by an external consultant.

Introduction to penetration testing

Penetration testing is a method of evaluating the security of networks, systems, applications and computers. It can be done using internal resources or external consultants.

It is very important to be aware of the different methodologies used to conduct penetration testing, as well as the relevant definitions and terms. As an introduction, the following link can be useful

Friday, November 12, 2010

Where to start

Are you responsible for securing a small or medium business organization?
Too many security standards?
Too many consultants, meetings and presentations?
Limited budget?
Not enough resources?
Frustrated?
Do not know where or how to start?

Soon I will tell you how to start and where to start.