Sunday, August 31, 2014

How Trustworthy are Mobile Apps or Applications?

Have a look at the permissions being asked for by these Android Apps. What do you make of these snapshots? Which App is more secure, not from the point of view of security for the App but security for the user who downloads and uses it? The one on the extreme left (first one) is likely to have more access to your device than the other two. The makers would argue that these permissions are required for the features and functionality of the App. The question here is who decides how much permission is required, and who guarantees that these permissions will not be abused. The one on the extreme right-bottom is more trustworthy as it requires no special permissions. But how many of us really pay any attention to such details?
Unlike applications on a desktop, with mobile apps it is difficult to find out what they are really doing behind the scenes. The situation is compounded by the fact that mobile devices contain an enormous amount of personal, sensitive and financial data. The email apps are always online, and the device is connected to the internet in most cases. The passwords and other credentials are just there, begging to be stolen.
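The comparison above can be done systematically rather than by eyeballing screenshots. The following is an added example (not from the original post) that reads the permissions declared in an AndroidManifest.xml, checks them against a reviewer's list of high-risk permissions, and ranks apps by how many of those they request; the three manifests and the HIGH_RISK list are constructed for illustration and are not the Apps shown in the post.

```python
import xml.etree.ElementTree as ET
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed review list: permissions that expose personal, location or
# communication data (all sit in Android's "dangerous" protection level).
HIGH_RISK = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_PHONE_STATE",
}

def requested_permissions(manifest_xml: str) -> list:
    """Return the permission names declared in an AndroidManifest.xml string."""
    root = ET.fromstring(manifest_xml)
    return [el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")]

def high_risk(perms) -> set:
    """Subset of perms that the review list treats as high risk."""
    return HIGH_RISK.intersection(perms)

def rank_by_exposure(manifests: dict) -> list:
    """Order apps from most to fewest high-risk permissions (ties by name)."""
    scored = {name: len(high_risk(requested_permissions(xml)))
              for name, xml in manifests.items()}
    return sorted(scored.items(), key=lambda kv: (-kv[1], kv[0]))

def _manifest(*perms):
    """Build a constructed manifest declaring the given permissions."""
    body = "".join(f'<uses-permission android:name="{p}"/>' for p in perms)
    return (f'<manifest xmlns:android="{ANDROID_NS}" package="example.app">'
            f"{body}</manifest>")

# Constructed sample: three hypothetical apps, not the ones in the post.
SAMPLE_APPS = {
    "app_left": _manifest("android.permission.INTERNET",
                          "android.permission.READ_CONTACTS",
                          "android.permission.READ_SMS",
                          "android.permission.ACCESS_FINE_LOCATION"),
    "app_middle": _manifest("android.permission.INTERNET",
                            "android.permission.CAMERA"),
    "app_right": _manifest(),
}

if __name__ == "__main__":
    for name, score in rank_by_exposure(SAMPLE_APPS):
        print(f"{name}: {score} high-risk permission(s)")
```

On a real APK the manifest is binary XML; decode it first (for example with apktool or aapt) and feed the resulting text to requested_permissions.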

Personally I prefer to use the browser on my mobile to access the various websites and web applications rather than download an App. Re-entering usernames and passwords every time you access a web application or a website should not bother you if you are worried about the safety of your data and online identity.

Having written what I wanted to convey, I would like to clarify that I am not aware that the above mentioned Apps are untrustworthy in any way. I just picked them for illustration.

Friday, June 20, 2014

ISO 27001:2013 Changes


ISO 27001:2005                                                              | ISO 27001:2013
----------------------------------------------------------------------------|----------------------------------------------------------------------------
Annex A: 133 controls                                                       | Annex A: 114 controls (11 new controls, listed below)
Annex A: 11 control objectives                                              | Annex A: 14 control objectives (A.5 to A.18)
Five implementation sections (clauses 4 to 8, listed below)                 | Seven implementation sections (clauses 4 to 10, listed below)
Non-standard format                                                         | Annex SL format (common management system standard structure)
Process-based approach                                                      | Not process-based
Structured around the PDCA (Deming) cycle                                   | No emphasis on the PDCA cycle
Separate class of 'Preventive' controls                                     | 'Preventive' controls removed
Requires 'Documents' and 'Records'                                          | Instead requires 'Documented Information'
                                                                            | Parts derived from ISO 31000:2009 (risk management)
'Control objectives and controls from Annex A shall be selected and         | 'Produce a "Statement of Applicability (SOA)" that contains the
implemented'                                                                | necessary controls'
Has Annex A, B and C                                                        | Has Annex A
                                                                            | New important term: 'Risk owner'
Emphasis on documentation of internal audits                                | No need to document internal audit

The 11 new controls in ISO 27001:2013:
  • A.6.1.5 Information security in project management
  • A.12.6.2 Restrictions on software installation
  • A.14.2.1 Secure development policy
  • A.14.2.5 Secure system engineering principles
  • A.14.2.6 Secure development environment
  • A.14.2.8 System security testing
  • A.15.1.1 Information security policy for supplier relationships
  • A.15.1.3 Information and communication technology supply chain
  • A.16.1.4 Assessment of and decision on information security events
  • A.16.1.5 Response to information security incidents
  • A.17.2.1 Availability of information processing facilities

Implementation sections in ISO 27001:2005 (five):
  · 4 - ISMS
  · 5 - Management responsibility
  · 6 - Internal ISMS audits
  · 7 - Management review of the ISMS
  · 8 - ISMS improvement

Implementation sections in ISO 27001:2013 (seven):
  · 4 - Context
  · 5 - Leadership
  · 6 - Planning
  · 7 - Support
  · 8 - Operation
  · 9 - Evaluation
  · 10 - Improvement

Friday, June 13, 2014

Information security quotes for awareness

  • "Security has a group ownership -- not individual ownership" ... G.R
  • "Tech savvy does not mean -- security conscious"
  • "Technology cannot replace good security habits"
  • "Simple and elegant the solutions -- better is the security"
  • "Money can buy security products -- but not security" ... G.R
  • "Security is not a product -- it is a process" ... Bruce Schneier
  • "We will forgive the breach -- but not the silence"
  • "If you want PRIVACY -- then maintain a private posture and not a public posture"
  • "High security means -- right awareness" ... G.R
  • "Best medicine for security diseases is -- a high dosage of awareness" ... G.R
  • "Technology is just a security enabler -- not a security ensurer" ... G.R
  • "Trust can be absolute -- but security cannot be absolute" ... G.R
  • "Stop - Read and Click" ... G.R
  • "Technology alone may not protect you better -- but awareness about the correct usage of technology may protect you better" ... G.R