Data Security

Data at Rest

  • Stored in databases
  • File servers
  • Secure environments (e.g. a CDE)
  • Backup data (HDD, USB storage, tape drives, CD/DVDs)
  • Physical data (paper forms, photocopies)

Data in Transit

  • Web Services
  • HTTP, HTTPS, FTP, FTPS
  • Sensitive Data Sharing (encryption)
  • Hash comparison after downloading the files.
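The last item above is worth making concrete. The following is an added example, not part of the original page: it streams a downloaded file through SHA-256, reads the publisher's `sha256sum`-style checksum file, and compares the two digests in constant time. The file name `release.tar.gz`, the payload bytes and the checksum text are all constructed here for the demonstration.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

CHUNK_SIZE = 1024 * 1024  # read large downloads in 1 MiB chunks


def file_digest(path, algorithm="sha256"):
    """Return the hex digest of a file, streaming it so large downloads fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksum_file(text):
    """Parse 'digest  filename' lines (the sha256sum output format) into a dict."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # skip malformed lines rather than guessing
        digest, name = parts
        # sha256sum marks files hashed in binary mode with a leading '*'
        expected[name.lstrip("*")] = digest.lower()
    return expected


def verify_download(path, expected_hex, algorithm="sha256"):
    """True only if the file's digest matches the published one."""
    actual = file_digest(path, algorithm)
    # constant-time comparison: no timing difference based on how much matched
    return hmac.compare_digest(actual, expected_hex.lower())


def demo():
    # Constructed sample: stands in for the downloaded artifact.
    payload = b"example release archive contents\n" * 1000
    good_digest = hashlib.sha256(payload).hexdigest()
    # Constructed checksum file, as a publisher would ship alongside the download.
    checksums = f"{good_digest}  release.tar.gz\n"
    expected = parse_checksum_file(checksums)

    with tempfile.TemporaryDirectory() as tmp:
        intact = Path(tmp) / "release.tar.gz"
        intact.write_bytes(payload)
        tampered = Path(tmp) / "tampered.tar.gz"
        tampered.write_bytes(payload[:-1] + b"!")  # a single byte altered in transit
        return {
            "intact": verify_download(intact, expected["release.tar.gz"]),
            "tampered": verify_download(tampered, expected["release.tar.gz"]),
        }


if __name__ == "__main__":
    print(demo())
```

The check only means something when the expected digest arrives over a channel the attacker cannot also alter (a signed checksum file, or a page served over HTTPS from the publisher rather than the same mirror as the download); a digest fetched from the same untrusted path as the file proves nothing.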

Personally Identifiable Information (PII)

Personally identifiable information (PII) is any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another and can be used for de-anonymizing anonymous data can be considered PII.

NIST Special Publication 800-122[5] defines PII as “any information about an individual maintained by an agency, including

  1. any information that can be used to distinguish or trace an individual’s identity, such as name, Aadhaar, social security number, date and place of birth, mother’s maiden name, or biometric records; and
  2. any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.”

So, for example, a user’s IP address is not classified as PII on its own, but it is classified as linked PII.

Refer – https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-122.pdf

Social Engineering – Starting with the Flicks

At last I got some time for my most beloved yet highly neglected blog. But I am gonna make it a habit to pen down something every night in this little world of mine.

So when I thought of resuming writing, the first chord that hit me was Social Engineering. I know there are biggies who are constantly writing a post or two on this most powerful weapon, but every person has his/her own special gimmicks. Nope, I am not gonna share those in the first post itself; let the wait be worth it.

I would like to start with the flicks that amazingly portray Social Engineering tantrums. The whole point of giving a movie list at the beginning is simple: to cast a spell with this amazing Art of Deception. Watch them in any order, but my favorites go like this.

Although Takedown shows just one side of the coin, it’s a good flick; however, if you really want to know what happened in the entire operation, go and read The Art of Deception by none other than the man himself, Kevin Mitnick.

A shorter version covering the parts I liked most in these movies will follow in an update to this post.

Till then, Viva La Security & have a Security Perspective !!


Compliance Audit: Curse of Necessity.

The title is a bit confusing, isn’t it? But if you’ve worked as a Compliance Auditor then I’m sure you feel my pain. If it’s the first time your organization is facing a compliance audit, the pain is doubled. You have to perform audit planning and preparation, establish audit objectives, perform the internal reviews, rectify mistakes, take the necessary actions, and much more.

In this series we will talk about different types of compliance like PCI-DSS, HIPAA, ISO 27001, SSAE 16, SAS 70, Safe Harbor and many more, along with the details one should be aware of, the processes to build, implement and follow up on, how to review them, and much more.

If you are a Security Professional responsible for these implementations then the quest ends here, because I’ll be sharing ideas on how one should perform security assessments for these audits and which areas are of higher significance. If you are willing to learn all the compliance procedures then this is the Umbrella Corporation for you 😉

Stay Tuned! Viva la Security!!

PS: All articles on this site are for educational purpose only. Author is neither responsible for any threat caused or offense being recorded. Imply your conscience before implementing or using any post.

Corporate Security: An Achilles heel with no panacea.

With the growth of the IT sector the challenges for organizations have increased as well. Long gone are the days when Information Security, not only at small-scale IT companies but even at mid-sized ones, used to be handled by technical management (the IT Director, etc.). If today any organization wishes to keep pace with attackers and deliver secure products, hiring Security Professionals has become a must.

In order to build a secure organizational architecture, various processes and norms are deployed, such as policy implementation, compliance audits, periodic penetration tests, secure coding processes and much more.

In this series we’ll see what challenges organizations face or could face and how they can be tackled, including prevention and mitigation techniques along with the items above. I’ll also post on what sort of action items Security Professionals and the management of organizations need to create to ensure secure product and service delivery.

Stay Tuned. Viva la Security!


Social Engineering: Beginning the Battle.

In the name of Lord Kevin Mitnick, the man who redefined Security.

You must be thinking that I’ve gone crazy, but don’t think twice about it, because I feel it the same way. 😉 My obsession with Kevin goes a long way back, to when he was the most renowned outlaw and people had started the Free Kevin movement. I am obsessed with how simple it was for him to perform Social Engineering, and even more amused by the way he co-authored the books The Art of Deception and The Art of Intrusion, in which he explains the tricks in an even simpler manner.

For those of you who don’t know what Social Engineering is, I’d put it in his own words: “Social Engineering uses influence and persuasion to deceive people by convincing them that the social engineer is someone he is not, or by manipulation. As a result, the social engineer is able to take advantage of people to obtain information with or without the use of technology.”

Welcome to next-generation Security Threat Handling. In this series we will look at as many of the cons that can take place as we can, and at how we should deal with them.

Stay Tuned. Viva la Security!
