Daily Learning - Day 62

Date: 26th July 2017

Follow Hashtag: #SKC100DaysofLearning

Topic: Security Testing

Webinar Notes: Create a custom security strategy for your organisation by Pluralsight


Assess the Risk:

  1. STRIDE
  2. DREAD
  3. Third Party Assessments

Prioritize the Risk:
1. Penetration and Vulnerability

  • OWASP


2. Independent Certification

3. Training & Awareness

  • Basic training is important for members of the organisation.
  • Basic security courses need to be provided to team members for awareness.

4. Focus

  • As an organisation, an OPS team should be developed as a team that focuses only on security.
  • It should align with company culture and business strategy. [CSO - Chief Security Officer]
  • Is your executive team focused on security?

Frameworks:

  • ISO 
  • NIST
  • ITIL
  • TOGAF - The Open Group Architecture Framework
  • SABSA


Security Risk Score:

  • Risk Management & Oversight
  • Security Monitoring
  • Threat & Vulnerability Management
  • Security Controls
This helps to focus on a security road map. Continue to evaluate and make adjustments to the plan.

BEST LAID PLANS:
Things to look for in your systems:

1. Changes to state events

  •  CPU Usage
  •  Disk Space
  •  Network Utilisation
  •  Log events and size


2.  Customer Support Issues

  • Have basic training on customer issues and on whom the issues need to be redirected to.


3. Malicious Traffic

4. Acceptable Use Violations

5. Intrusion Detection Systems

INCIDENT RESPONSE PLAN

1. IDENTIFY THE TEAM

  • Information Security Team
  • Legal 
  • Support
  • Communications /Marketing Team

2.  INFOSEC INVESTIGATION/RESPONSE PLAN

  • Detection and Discovery
  • Analysis and Assessment
  • Risk Mitigation Strategy
  • Escalation Process, Communication within the team/rest of team.


3. Communication Process

  • What Constitutes a breach that requires external communication
  • Who should be Notified - Customers/Public
  • Who communicates Externally 
  • What channels to communicate by
  • Communications


4. Maintain Incident Response Records

  • What 
  • When
  • Where
  • Who detected, escalated and responded


Finally Some Advice:

  • Disclose Early, Leverage Social Media
  • Protect Accounts Immediately
  • Be clear, Honest, Lead with the Facts
  • Be Specific.
  • Explain what actually happened
  • Keep Customers Updated.
  • Apologise


References:
1. SSCP : Jason Helmick
2. Web security & OWASP - Troy Hunt
3. Enterprise Security: Policies, Practices & Procedures - Dale Meredith
4. Tesla Security Vulnerability Reporting Policy
5. Owasp.org
