--Originally published at Information Security Class

Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details, often for malicious reasons, by disguising as a trustworthy entity in an electronic communication. The word is a neologism created as a homophone of fishing due to the similarity of using a bait in an attempt to catch a victim. According to the 2013 Microsoft Computing Safety Index, released in February 2014, the annual worldwide impact of phishing could be as high as US$5 billion.

In June 2013, security firm Kaspersky Lab estimated that 37.3m people had encountered phishing attacks in the last year. Symantec, meanwhile, estimates that phishing accounted for one in 392 emails per day in 2013. Phishing is all about convincing you to divulge information that could help criminals steal your money and/or install malware on your computer, potentially also selling your passwords on to others.

It works by impersonating communications from companies that you trust: banks, online payment firms like PayPal, social networks, online retailers and other technology companies, as well as government bodies (tax authorities, for example). According to Symantec, 71% of phishing attacks in 2013 were related to financial organizations.

A lot of phishing attacks are done without you ever seeing them, thanks to the spam filters used by companies and webmail providers. But for those that make it through to your inbox, there are some common-sense tips to ensure you don’t fall victim.

If it looks wrong, it probably is wrong

Phishing often looks, well, fishy. Typos can be a sign that an email is dodgy – yes, The Guardian may be on thin ice with this point, but typos in an email from your bank really are a red flag – as are all-capitals in the email’s subject and a few too many exclamation marks.

Check the email address carefully

If you often get emails from a particular company, they’ll usually come Continue reading "Phishing" →

--Originally published at Information Security Class

In my last blog I wrote about why the internet can be a really insecure place and that if you are not careful, your personal information can be compromised. That is why now I am writing what can we do to increase our security while we browse the web. Here I listed some things that will improve your internet security:

1 Encryption

Encryption used to be the sole province of geeks, but a lot has changed in recent years. In particular, various publicly available tools have taken the rocket science out of encrypting email and files. GPG for Mail, for example, is an open source plug-in for the Apple Mail program that makes it easy to encrypt, decrypt, sign and verify emails using the OpenPGP standard. And for protecting files, Apple’s MacOS operating system come with a new filesystem called APFS that lets you encrypt the hard drive of your computer. Those running Microsoft Windows have a similar function.

2 Web browsing

Since browsing is probably what internet users do most, it’s worth taking browser security and privacy seriously. If you’re unhappy that your clickstream (the log of the sites you visit) is in effect public property as far as the security services are concerned, you might consider using freely available tools such as Tor Browser to obscure your clickstream.

3 Wireless services

Have Bluetooth off by default in all your mobile devices. Only switch it on when you explicitly need to use it. Similarly, beware of using open wifi in public places. At the very minimum, make sure that any site you interact with uses HTTPS rather than unencrypted HTTP connections.

4 Personal security

It is recommended to use a password-management app like LastPass or 1Password, this applications not only provide safe passwords for you to use, but also encrypt all your information. This apps Continue reading "What can we do to browse the internet safely?" →

--Originally published at Seguridad Informática

Risk IT

Risk IT provides an end-to-end, comprehensive view of all risks related to the use of IT and a similarly thorough treatment of risk management. In business today, risk plays a critical role. Almost every business decision requires executives and managers to balance risk and reward.

Risk IT is a framework based on a set of guiding principles for effective management of IT risk. The framework complements COBIT, a comprehensive framework for the governance and control of business-driven, IT-based solutions and services.

While COBIT provides a set of controls to mitigate IT risk, Risk IT provides a framework for enterprises to identify, govern and manage IT risk. Enterprises who have adopted COBIT as their IT governance framework can use Risk IT to enhance risk management.

COBIT provides the means of risk management and Risk IT provides the ends.

COBIT Control Objectives for Information and Related Technology.

It is a framework that it is meant to be a supportive tool for managers and allows bridging the crucial gap between technical issues, business risks and control requirements.

Today, COBIT is used globally by all managers who are responsible for the IT business processes. COBIT ensures quality, control and reliability of information systems in organization, which is also the most important aspect of every modern business.

Some of the components of COBIT include:

• Framework: IT helps organizing the objectives of IT governance and bringing in the best practices in IT processes and domains, while linking business requirements.
• Process Descriptions: It is a reference model and also acts as a common language for every individual of the organization.
• Control Objectives: This provides a complete list of requirements that has been considered by the management for effective IT business control.
• Maturity Models: Accesses the maturity and the capability of every process while addressing Continue reading "IT Risk Management Frameworks" →

--Originally published at Information Security A01229898

Welcome everyone, on this blog I will speak a little of what I’m learning on my Information Security class.

--Originally published at Information Security Class

In today’s day and age I would say that this question is relevant and important. When I think back to my past views about the Internet 14 years ago, topics such as “Internet and Web Security” were unknown names to me.

A decade ago the main purpose of the Internet was purely focussed on email communication and web browsing activities. Commercial, critical or even complex transactions were rarely performed on the Internet.

User interactions through web applications were possible at the time; however in most cases it was very simple and “unsafe”. Security concepts or even safety precaution measurements in corporate environments were ignored and were hardly implemented in any web application solutions.

Have you ever had any concerns about your privacy or security issues a decade ago? E.g. when sending an email with sensitive information to someone or filling sensitive information in a web form on the internet? How safe did you feel when browsing the web?

It is quite interesting that such concerns were not felt at that time. Yet much has changed now.

Internet and web security measurements in private or corporate environments are being taking more seriously than a decade before. Many efforts have been made by corporate organizations and educational institutes to make the internet more transparent and much safer.

At the same time billions of harmful malwares, worms, bots and malicious codes have been developed and distributed over the web. Some of them have survived until now as they have been coded with “intelligence” such as being able to act independently based on sophisticated algorithms.

Without security measurements no administrator in the world would be able to detect intrusions or even be smart enough to block a hidden attack on his corporate network. Data theft runs at milliseconds and you even won’t be Continue reading "How safe is the Internet in reality?" →