Information Security Blog

New Good Practices Guidance, New NIST Hash Algorithm, New Security-Savvy Employees (Not)

These ISO 27001 links are part of a weekly series, Ethical Hacker Roundup, featuring recent information security and cyber security related articles that we’ve read over and thought worth sharing.

These articles were emailed to us, shared on Twitter @pivotpointsec and our Google+ page, and read in RSS subscriptions this week.

Information Security Forum Announces “Standard of Good Practice 2012”

The nonprofit Information Security Forum (ISF), widely recognized as a leading authority on cybersecurity and information risk management, just published a major update to its Standard of Good Practice for Information Security for IT security professionals. Dubbed “the industry’s most business-focused, all-in-one guide to information security assurance,” the annually updated reference encompasses four main ISMS categories: governance, security requirements, control frameworks and security monitoring and improvement.

Organizations worldwide use “The Standard” and related tools and services from ISF to manage the risk associated with new technology adoption, improve resilience and competitiveness, build confidence in their ability to meet legal/regulatory challenges, and prepare for and manage cybersecurity incidents. The document is available at no cost to ISF members and can be purchased by non-members.

NIST Picks Winner in Secure Hash Algorithm (SHA-3) Competition

The National Institute of Standards and Technology (NIST) announced on October 2 that it has chosen a winner in its five-year competition to select a new cryptographic hash algorithm – one of today’s fundamental information security tools.

According to the NIST press release: “The winning algorithm, Keccak (pronounced ‘catch-ack’), was created by Guido Bertoni, Joan Daemen and Gilles Van Assche of STMicroelectronics and Michaël Peeters of NXP Semiconductors. The team’s entry beat out 63 other submissions that NIST received after its open call for candidate algorithms in 2007, when it was thought that SHA-2, the standard secure hash algorithm, might be threatened. Keccak will now become NIST’s SHA-3 hash algorithm.”

Hash algorithms are widely used for digital signatures, message authentication and other cryptographic applications that verify the authenticity of digital documents. They create a “digital fingerprint” (called a digest) of the hashed content. Any change to the content, however small, causes a change in the digest. Equally important, the hash algorithm makes it extremely difficult for a cyber forger to create a different file with the same digest.

NIST chose the Keccak algorithm for its elegant design and ability to run well on many different computing devices, including the growing number of sensors, home appliances and other embedded devices that now connect to computer networks but are not full-fledged computers. Keccak had higher performance in hardware implementations than SHA-2 or any of the other finalists in the competition. Further, its design is entirely different from SHA-2, so it is less likely to be vulnerable to attacks that might compromise the SHA-2 algorithm.

Among its many other potential uses, SHA-3 “provides an essential insurance policy” in the event SHA-2 is ever cracked. Officially, NIST considers SHA-2 to be “secure and suitable for general use” despite attacks that compromised similar but simpler hash algorithms (SHA-1 and MD5) in 2005 and 2006.
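To make the “digital fingerprint” and the any-change-changes-the-digest property concrete, here is an added Python example (not code from the original post or from NIST). The invoice text is a constructed sample; the algorithm names are Python’s hashlib names, where `sha3_256` is the standardized (FIPS 202) form of Keccak and `sha256` is SHA-2.

```python
import hashlib
import hmac

# Constructed sample "document" and a copy with a single digit altered (not from the page).
DOCUMENT = b"Invoice #1001: pay 1000.00 USD to account 12345678"
TAMPERED = b"Invoice #1001: pay 1000.00 USD to account 12345679"


def digest(algorithm: str, data: bytes) -> bytes:
    """Digest of data under a hashlib algorithm name, e.g. 'sha256' (SHA-2) or 'sha3_256' (Keccak/SHA-3)."""
    return hashlib.new(algorithm, data).digest()


def differing_bits(a: bytes, b: bytes) -> int:
    """Hamming distance between two equal-length digests, counted in bits."""
    if len(a) != len(b):
        raise ValueError("digests must have equal length")
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def compare_avalanche(data: bytes, tampered: bytes) -> dict:
    """How many of the 256 digest bits change for a one-character edit, per algorithm.

    A well-designed hash changes roughly half of the digest bits, which is why a
    tiny edit to a document cannot be hidden by keeping most of the digest the same.
    """
    return {
        alg: differing_bits(digest(alg, data), digest(alg, tampered))
        for alg in ("sha256", "sha3_256")
    }


def verify_integrity(algorithm: str, data: bytes, expected_hex: str) -> bool:
    """Check a received document against a fingerprint recorded earlier.

    compare_digest is used so the comparison time does not leak how many
    leading characters matched.
    """
    return hmac.compare_digest(digest(algorithm, data).hex(), expected_hex)


if __name__ == "__main__":
    fingerprint = digest("sha3_256", DOCUMENT).hex()
    print("SHA3-256 fingerprint:", fingerprint)
    print("bits changed by a one-digit edit:", compare_avalanche(DOCUMENT, TAMPERED))
    print("original verifies:", verify_integrity("sha3_256", DOCUMENT, fingerprint))
    print("tampered verifies:", verify_integrity("sha3_256", TAMPERED, fingerprint))
```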

Authentication and encryption of key information assets, in transit and at rest, are not only essential to securing transactions but are also a vital part of Payment Card Industry (PCI) compliance and of a robust Information Security Management System (ISMS) framework in general.

Need A Cybersecurity Professional on Your IT Team? Good Luck Finding One…

According to a recent study by Forrester Consulting, which was commissioned by IBM, 63% of companies have understaffed IT departments, and more than 50% are unable to find experienced cybercrime-fighters to help them maintain IT security.

With threats rapidly morphing and new attacks emerging literally daily, and with cloud computing, social media and mobile devices widening the attack surface, IT departments are looking to be proactive rather than reactive. That takes experience and expertise, as well as the bandwidth to get off the treadmill of daily responsibilities. Yet according to the Forrester survey, “many organizations are struggling to find the skills to take this [a proactive IT security posture] on.”

Skilled security professionals are also in heavy demand and expensive to hire and keep, especially with today’s tight IT budgets. According to another recent study by Deloitte, cost constraints leave many banks and other financial institutions struggling to be more proactive around information security.

Against this backdrop, the use of third-party security experts and “Security-as-a-Service” offerings is increasingly seen as a viable and reasonable response to the situation.


About the Author:

Marketing at Pivot Point Security
