
Posts

Showing posts from 2017

Virus hoaxes, information security and computer security

What are virus hoaxes, and what is the difference between information security and computer security? Virus hoaxes are messages originally sent by one or more hackers describing some virus or worm that is extremely dangerous; they urge the reader to take some action against their own computer and to send the message on to everyone they know. This is social engineering in its purest form: the virus writer does nothing to your computer, they get you to do it. Just about every virus hoax has some combination of these characteristics: it invokes the names of one or more large, reputable companies who have reported the virus; the virus is referred to as the "most destructive ever", with none of the top anti-virus vendors able to stop it; and it instructs the user to send the message to everyone they know. Valid virus reports are usually sent by the anti-virus vendors themselves as a public service, and they will always provide links back to their sites so that the user can read th...

Lizamoon: A Serious SQL Injection Attack

According to some security experts, Lizamoon is the most successful SQL injection attack ever witnessed. During its short lifespan it has already compromised hundreds of thousands of websites. While reports vary on the number of infected sites, some put the number over four million. But these sites aren’t even the real victims; they’re just pawns in a larger scareware plot to steal people’s money. It all starts when a line of JavaScript is surreptitiously injected into a webpage’s code. The script redirects the website’s visitors to a rogue AV site that initiates what appears to be a comprehensive anti-malware scan of the victim’s computer. The scan finishes rather quickly (certainly faster than any legitimate scan would take) and alerts victims that their computers have been infected with Trojans, worms and other malware. The victims are then prompted with an option to “remove” the malware by downloading a “malware-removing” ...

Political Hacktivism: An Emerging Trend in Cybercrime?

As we become ever more dependent on our laptops, smartphones and various other means of surfing the web, internet crime continues to increase at an alarming rate. There’s no doubt that this rise in cybercrime is linked to organized crime; criminal gangs worldwide exploit the anonymity of the internet to conduct illegal activity. However, a recent story by BBC News about “political hacktivists” demonstrates that criminals are not the only ones using illegal hacking techniques to achieve their goals. Hacktivism, in the broadest sense, refers to the use of digital tools for a political or social cause. The tactics of hacktivism include blocking access to websites, identity theft, virtual sit-ins and website redirects. Hacktivism is as controversial as traditional activism; some believe that harmful cyberattacks represent a justifiable form of protest, while others think that all types of protest should remain peaceful. In light of the above-mentioned BBC News story, it seems t...

Social Engineering & Cybercrime

Cybercrime, like regular crime, appears in a variety of forms. There are direct violations, such as the unauthorized hacking of an account, and there are more subtle varieties, such as posing as a Facebook friend, that involve tricking victims into unwittingly handing over their sensitive information. The latter form of cybercriminal activity is known as “social engineering.” While the term is not specific to internet crime, it is often used in regard to cyberattacks because cyber crooks have mastered these techniques as a means of performing a host of unlawful online actions. In basic terms, social engineering is a way of manipulating people into divulging confidential data. The term, as it relates to computer crimes, was popularized by former hacker Kevin Mitnick, who discovered that it was much easier to trick a victim into unwittingly providing his password than to spend the time and effort to hack into an account. Mitnick, now a computer security consultant, was the most wa...

What is a Zero-Day Vulnerability?

A zero-day vulnerability refers to a hole in software that is unknown to the vendor. This security hole is then exploited by hackers before the vendor becomes aware of it and hurries to fix it; this exploit is called a zero-day attack. Uses of zero-day attacks can include infiltrating malware or spyware, or allowing unwanted access to user information. The term “zero day” refers to the fact that the hole is unknown to everyone but the hackers, and in particular to the developers. Once the vulnerability becomes known, a race begins for the developer, who must protect users. In order for the vendor to rectify the vulnerability, the software company must release a patch. Patches are often released on a regular schedule, one example being Microsoft’s Patch Tuesday: on the second Tuesday of each month, Microsoft releases security fixes that resolve identified holes. If, however, a critical vulnerability is discovered, a patch may be released outside of that schedule. Browsers are similarly ...

Strategic, Tactical and Operational Planning

Strategic planning is an organization’s process of defining its strategy, or direction, and making decisions on allocating its resources to pursue this strategy. Generally, strategic planning deals with the business as a whole, rather than just an isolated unit, and with at least one of the following three key questions: “What do we do?”, “For whom do we do it?” and “How do we excel?” For example, the first and third questions are those that motivate an acquisition; acquisitions are thus strategic choices. Typically, strategic choices look at 3 to 5 years, although some extend their vision to 20 years (long term). Because of the time horizon and the nature of the questions dealt with, mishaps potentially occurring during the execution of a strategic plan are afflicted by significant uncertainties and may lie very remotely outside the control of management (war, geopolitical shocks, etc.). Those mishaps, in conjunction with their potential consequences, are called “strateg...

What is software testing?

Software testing is the process of evaluating a software item to detect differences between given input and expected output, and of assessing the features of the software item. Testing assesses the quality of the product, and it should be carried out throughout the development process. In other words, software testing is a verification and validation process. Verification is the process of making sure the product satisfies the conditions imposed at the start of the development phase; in other words, that the product behaves the way we want it to. Validation is the process of making sure the product satisfies the specified requirements at the end of the development phase; in other words, that the product is built as per customer requirements. There are two basics of software testing: black-box testing and white-box testing. Black-box testing is a testing techniqu...

Developing a Risk Management Plan

Developing an effective Risk Management Plan can help keep small issues from developing into emergencies. Different types of Risk Management Plan deal with calculating the probability of an event and how that event might impact you, with what the risks are in certain ventures, and with how to mitigate the problems associated with those risks. Having a plan may help you deal with adverse situations when they arise and, hopefully, head them off before they arise. 1. Understand how Risk Management works. Risk is the effect (positive or negative) of an event or series of events that take place in one or several locations. It is computed from the probability of the event becoming an issue and the impact it would have (Risk = Probability × Impact). Various factors should be identified in order to analyze risk, including: Event: What could happen? ...

Cyber Security versus Information Security

The key difference is that information security is mainly relevant to personal information, while cyber security is more universal, focusing on other concerns such as our national infrastructure. My feeling, though, is that information security is actually a super-set of cyber security, since anything in the cyber realm would involve information or information systems. As usual, here is my pseudo-Venn diagram to enjoy. Then we have the official NIST definitions from IR 7298 Revision 2. They define cyber security and information security as follows (note that there are two definitions for information security). Cybersecurity: The ability to protect or defend the use of cyberspace from cyber attacks. Information Security (1): The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability. Information Security (2): ...

What is a risk assessment?

“…a careful examination of what, in your work, could cause harm to people, so that you can weigh up whether you have taken enough precautions or should do more to prevent harm…” Why do a risk assessment? A risk assessment will protect your workers and your business, as well as complying with the law. A person from your organisation needs to attend risk assessment training, as it will ensure that this person is competent within your organisation and gains abilities such as hazard identification and the ability to categorise and evaluate risks. These abilities will allow a ‘suitable and sufficient’ risk assessment to be conducted within your own organisation. How to do a risk assessment: there are no fixed rules on how a risk assessment should be carried out, but there are a few general principles that should be followed. Five steps to risk assessment can be followed to ensure that your risk assessment is carried out correctly; these five steps are: 1. ...