Physical security starts in the lobby
Big companies have lobbies and receptionists. They may see many visitors during the day, not to mention couriers from FedEx, DHL, TNT, Poczta etc.
A DHL courier recently visited a client's offices to pick up a package. He walked in, picked up 5 expensive notebook computers, put them in his courier bag and walked out.
In China and Taiwan – culturally – a white face is always trusted – but then again, maybe not. Here are 3 simple steps to improve your physical security that do not involve advanced technology.
Employees sending confidential documents to Gmail
Do you know how many of your employees are leaking sensitive information to their Webmail accounts?
Your IT department certainly has a well-maintained firewall. But a firewall cannot prevent users from leaking price lists or intellectual property through a webmail account it already allows.
A comprehensive solution for preventing fraud and data loss starts with rapid data discovery and business threat modeling.
Call +48-22-398-3484 and start the 4 step Control Policy Process with a meeting with one of our senior consultants.
Network Surveillance
There is nothing like collecting real data and validating the effectiveness of your security countermeasures.
Most companies have good perimeter security, i.e. a firewall and an IDS or IPS. Many security people view an IPS as simply the next generation of IDS, but it is important to understand the different roles of detection and prevention. Detection (an IDS) helps you understand what kind of attacks are being mounted, or could potentially be mounted, on the network; prevention (an IPS) is part of your access control systems, a way of keeping the bad guys off your network. One tells you what is happening, the other decides what is allowed, and neither substitutes for the other.
However, in our experience the same companies with well-managed perimeter security do not know what’s happening inside their network.
Do you know what is happening inside your network?
Read the full article here network surveillance.
What hackers really want
What do hackers really want?
No question is more important for mounting effective security countermeasures. Management, IT and security practitioners cannot expect to mitigate risk effectively without knowing the objectives of potential attackers and the cost of potential attacks on their organization.
We all depend on transaction processing systems in order to run the business and make decisions, no matter how many employees we have. Whether you have a small business making wedding cakes or a global enterprise with 14,000 employees in 40 locations, you use information systems daily to buy, sell, pay and collect from customers.
The prevailing security model is predicated on defense in depth of transaction systems. The most common strategy is to mitigate risk with network and application security products that are reactive countermeasures: blocking network ports and services, detecting known application exploits, or blocking the entry of malicious code into the network.
Are any of these security countermeasures likely to be effective in the long-term? Can attacks on a business be neutralized with defensive means only? In other words, is there a “fire and forget” security solution for the business? The answer is clearly no.
A reactive network defense tool such as a firewall cannot prevent the exploitation of software defects, and an application firewall is no replacement for an in-depth understanding of company-specific source code or system-configuration vulnerabilities.
Business Threat Modeling is a threat assessment process that employs a systematic risk analysis of business systems along with quantitative evaluation of how well removing defects reduces risk.
Business Threat Modeling is based on four basic tenets:
- Risk analysis for production software
- Quantitative evaluation and financial justification
- Explicit communication between developers and security
- Sustained, continuous risk reduction
You can download the Business Threat Modeling methodology for free here
Remote Monitoring – who is monitoring whom?
Large installations such as casinos and airports are attractive targets for well-financed, highly motivated attackers. Thanks to a standard, vendor-neutral protocol, terrorists and criminal attackers no longer need drills, car bombs and Stinger missiles to attack the asset.
How did that happen?
Remote Monitoring is an essential part of the physical, perimeter and insider security used by airports, casinos and high-security installations such as nuclear power plants.
Unlike 10-15 years ago, remote monitoring is now performed over standard TCP/IP networking. A central Network Control Center (NCC) sits on the corporate network, with IP connectivity to multiple remote devices (such as IP cameras), systems and networks for surveillance, monitoring and control purposes.
By unplugging an IP camera and connecting a laptop in its place, an attacker can use the surveillance endpoint as a back door into the entire corporate network: the camera's switch port typically accepts whatever device is plugged into it, and because the NCC sits on the corporate network, the camera network already has IP connectivity to it.
The potential damage of such a back-door attack on a remote monitoring system is enormous.
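The camera-swap scenario above is detectable from data the switch and DHCP server already produce, provided someone compares it against an inventory. The following is an added example (not part of the original post, and not Control Policy Group's tool): it reads a constructed switch MAC-address table snapshot and a constructed DHCP lease log for the surveillance VLAN, compares them against a constructed camera inventory, and raises an alert when a camera port shows an unexpected MAC, a MAC outside the approved camera-vendor OUI list, or a DHCP client that identifies itself as a general-purpose operating system. The port names, MAC addresses, hostnames and the OUI allow-list are all invented for the example.

```python
"""Detect a non-camera device plugged into a surveillance (IP camera) VLAN.

Added example; all input data (inventory, MAC table, DHCP log, OUI
allow-list) is constructed for illustration and is not real site data.
"""

# Which camera (by MAC) is expected on which switch port. Constructed.
INVENTORY = {
    "Gi1/0/1": "00:40:8c:11:22:33",
    "Gi1/0/2": "00:40:8c:44:55:66",
    "Gi1/0/3": "00:40:8c:77:88:99",
}

# OUI (first three octets) allow-list for the camera vendors deployed.
# Assumed value for the example; populate from your own inventory.
CAMERA_OUIS = {"00:40:8c"}

# DHCP option 60 vendor-class prefixes that indicate a general-purpose OS
# rather than an embedded camera ("MSFT 5.0" is what Windows clients send).
GENERAL_PURPOSE_VENDOR_CLASSES = ("MSFT 5.0", "dhcpcd", "android-dhcp")

# Constructed snapshot of the switch MAC address table: "<port> <mac>".
# Port Gi1/0/3 now shows a locally administered MAC instead of the camera.
MAC_TABLE = """\
Gi1/0/1 00:40:8c:11:22:33
Gi1/0/2 00:40:8c:44:55:66
Gi1/0/3 02:de:ad:be:ef:01
"""

# Constructed DHCP lease log: "<mac> <hostname> <vendor class or ->".
DHCP_LOG = """\
00:40:8c:11:22:33 axis-cam-01 -
00:40:8c:44:55:66 axis-cam-02 -
02:de:ad:be:ef:01 DESKTOP-7H2K MSFT 5.0
"""


def oui(mac: str) -> str:
    """Return the vendor prefix (first three octets) of a MAC address."""
    return mac.lower()[:8]


def parse_mac_table(text: str) -> dict:
    """Parse '<port> <mac>' lines into {port: mac}, MACs lower-cased."""
    table = {}
    for line in text.splitlines():
        if line.strip():
            port, mac = line.split()
            table[port] = mac.lower()
    return table


def parse_dhcp_log(text: str) -> dict:
    """Parse '<mac> <hostname> <vendor class>' lines into {mac: (host, class)}."""
    leases = {}
    for line in text.splitlines():
        if line.strip():
            mac, host, vendor_class = line.split(maxsplit=2)
            leases[mac.lower()] = (host, vendor_class)
    return leases


def audit(inventory: dict, mac_table: dict, dhcp_leases: dict,
          camera_ouis=CAMERA_OUIS,
          general_purpose_classes=GENERAL_PURPOSE_VENDOR_CLASSES) -> list:
    """Return a list of alert strings; empty list means every port looks right."""
    alerts = []
    for port, expected in inventory.items():
        seen = mac_table.get(port)
        if seen is None:
            alerts.append(f"{port}: inventoried camera {expected} not seen "
                          f"(unplugged, or replaced by something silent)")
            continue
        if seen != expected:
            alerts.append(f"{port}: expected {expected}, saw {seen} (device swapped?)")
        if oui(seen) not in camera_ouis:
            alerts.append(f"{port}: OUI {oui(seen)} of {seen} is not an approved camera vendor")
        host, vendor_class = dhcp_leases.get(seen, ("?", ""))
        if vendor_class.startswith(general_purpose_classes):
            alerts.append(f"{port}: {seen} ({host}) requested DHCP as '{vendor_class}', "
                          f"a general-purpose OS rather than a camera")
    # Anything on a port that should carry no camera at all is also suspicious.
    for port, seen in mac_table.items():
        if port not in inventory:
            alerts.append(f"{port}: {seen} present on a port with no inventoried camera")
    return alerts


def run_demo() -> list:
    """Audit the constructed data; Gi1/0/3 should trip all three device checks."""
    return audit(INVENTORY, parse_mac_table(MAC_TABLE), parse_dhcp_log(DHCP_LOG))


if __name__ == "__main__":
    for alert in run_demo():
        print("ALERT", alert)
```

Note what this does and does not give you. A MAC address and a DHCP hostname are trivially spoofable, so an attacker who first reads the camera's label and clones its MAC sails past every check here; this is a detective control for the careless case, useful mainly because it runs on data you already have. The preventive control is port-based authentication (802.1X with per-device certificates) on the camera ports, and, independent of that, keeping the surveillance VLAN firewalled from the rest of the corporate network so that a foothold on a camera drop reaches the NCC and nothing else.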
Fraud. Data Loss – the IT – Management Board divide.
The two biggest security issues today for a business both from an operational and regulatory perspective are fraud and data loss. An insider, often colluding with an outsider, can cause large scale damage to the business by manipulating transactions.
Read this excellent post on Israeli Software
Operational Risk
The two top categories of operational risk are Internal and External Fraud, but what IS “operational risk” exactly?
The best definition of operational risk comes from Basel II, which defines operational risk as the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events.
Although the definition was originally designed for the banking system, where regulatory safeguards protect against large-scale failure of banks and the economy, a systematic approach to operational risk management is important for any kind of organization.
Using ISO 27001 for cost-effective risk mitigation
Many small to medium-sized enterprises (SME) have risk and privacy compliance issues similar to big companies without the big budgets.
Control Policy Group’s free risk and compliance automation tool provides an SME with an extremely cost-effective way of collecting data, analyzing risk, meeting compliance requirements and providing effective internal security to the business.
The Control Policy risk and compliance automation tool provides 4 key benefits for an SME (besides being free…): Read more
Effective security and compliance without political suicide
Most organizations separate the two functions: security typically sits inside the IT department, while compliance usually reports to corporate finance or general management, or, in large companies, to a chief compliance officer.
We believe that security and compliance operations in a company are synergistic. The question is: how can you bring them together without committing political suicide in your company?
Controlling risk
In a recent article published online at the JFK School of Government at Harvard, Malcolm Sparrow discussed how controlling risks is a central challenge for government regulators charged with reducing societal ills and preventing bad things from happening. Professor Sparrow notes that there does not seem to be a well-established language for risk assessment.
We think it is interesting to analyze the causes of this situation.