Creating a Company Culture for Security
Security Goals
If your company handles credit card payments, then you have to follow PCI DSS, the Payment Card Industry Data Security Standard. Its high-level goals are:
- Build and maintain a secure network and systems
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
Measuring and Assessing Risk
Security is all about determining risks or exposure, understanding the likelihood of attacks, and designing defenses around these risks to minimize the impact of an attack.
- Security risk assessment starts with threat modeling.
- High-value data usually includes account information, like usernames and passwords. Typically, any kind of user data is considered high value, especially if payment processing is involved.
Vulnerability Scanner
A computer program designed to assess computers, computer systems, networks or applications for weaknesses. Examples:
- Nessus
- OpenVAS
- Qualys
Penetration Testing
The practice of attempting to break into a system or network to verify that the defenses in place actually work.
Privacy Policy
Privacy policies oversee the access and use of sensitive data.
- It’s a good practice to apply the principle of least privilege here, by not allowing access to this type of data by default.
- Any access that doesn’t have a corresponding request should be flagged as a high-priority potential breach that needs to be investigated as soon as possible.
- Data-handling policies should cover the details of how different data is classified.
- Once the different data classes are defined, you should create guidelines around how to handle each type of data.
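As an added illustration of the "flag any access that has no corresponding request" rule above (this is example code written for these notes, not part of the course material), the script below reconciles a constructed audit log against a constructed list of approved access requests. The log line format, the field names, and the sample users and datasets are all assumptions; the point is the default-deny check: an access is legitimate only when an approved request covers the same user, the same data class, and the time of access, and everything else becomes a high-priority alert.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AccessRequest:
    """An approved request granting one user access to one data class for a time window."""
    user: str
    dataset: str
    approved_from: datetime
    approved_until: datetime


@dataclass(frozen=True)
class AccessEvent:
    """One access observed in the audit log."""
    user: str
    dataset: str
    action: str
    at: datetime


# Constructed sample data: what an access-request/approval system might export.
APPROVED_REQUESTS = [
    AccessRequest("alice", "cardholder_db", datetime(2024, 5, 1, 9), datetime(2024, 5, 1, 17)),
    AccessRequest("bob", "hr_records", datetime(2024, 5, 1, 0), datetime(2024, 5, 2, 0)),
]

# Constructed sample audit log (hypothetical format: ISO timestamp followed by key=value fields).
SAMPLE_LOG = """\
2024-05-01T10:15:00 user=alice dataset=cardholder_db action=read
2024-05-01T12:00:00 user=bob dataset=hr_records action=read
2024-05-01T18:30:00 user=alice dataset=cardholder_db action=export
2024-05-01T19:05:00 user=carol dataset=cardholder_db action=read
"""


def parse_access_log(text: str) -> list[AccessEvent]:
    """Parse the hypothetical 'timestamp key=value ...' log format into AccessEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append(AccessEvent(kv["user"], kv["dataset"], kv["action"], datetime.fromisoformat(ts)))
    return events


def is_covered(event: AccessEvent, requests: list[AccessRequest]) -> bool:
    """Default deny: the access is legitimate only if an approved request matches
    the user, the data class, and the time the access happened."""
    return any(
        r.user == event.user
        and r.dataset == event.dataset
        and r.approved_from <= event.at <= r.approved_until
        for r in requests
    )


def find_unrequested_access(events: list[AccessEvent], requests: list[AccessRequest]) -> list[dict]:
    """Return a high-priority alert for every access with no corresponding approved request."""
    alerts = []
    for e in events:
        if not is_covered(e, requests):
            alerts.append({
                "severity": "high",
                "user": e.user,
                "dataset": e.dataset,
                "action": e.action,
                "at": e.at.isoformat(),
                "reason": "access without a matching approved request",
            })
    return alerts


if __name__ == "__main__":
    for alert in find_unrequested_access(parse_access_log(SAMPLE_LOG), APPROVED_REQUESTS):
        print(alert)
```

On the sample data this flags two of the four events: alice's export after her approval window expired, and carol's read with no request at all. Bob's access and alice's in-window read pass because an approval covers them. The time-window check is what makes the difference between "this user once had a reason" and "this user has a reason right now".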
User Habits
You can build the world’s best security systems, but they won’t protect you if your users practice unsafe security habits.
- You should never upload confidential information onto a third-party service that hasn’t been evaluated by your company.
- It’s important to make sure employees use new and unique passwords, and don’t reuse them from other services.
- A much greater risk in the workplace that users should be educated on is credential theft from phishing emails.
- If someone entered their password into a phishing site, or even suspects they did, it’s important to change that password as soon as possible.
Third-Party Security
If a third party you work with has subpar security, you’re undermining your own security defenses by potentially opening a new avenue of attack.
- If you can, ask for a third-party security assessment report.
- VSAQ: Vendor Security Assessment Questionnaire
Security Training
- Helping others keep security in mind will help decrease the security burdens you’ll have as an IT Support Specialist.
- If not, you absolutely should be!
- You also need to justify why these are good behaviors to adopt.
Incident Reporting and Analysis
- The very first step of handling an incident is to detect it in the first place.
- The next step is to analyze it and determine the effects and scope of the damage.
- Once the scope of the incident is determined, the next step is containment.
- If an account was compromised, change the password immediately. If the owner is unable to change the password right away, then lock the account.
- Severity includes factors like what and how many systems were compromised, and how the breach affects business functions.
- The impact of an incident is also an important issue to consider.
- Data exfiltration: the unauthorized transfer of data from a computer.
- Recoverability: how complicated and time-consuming the recovery effort will be.
Incident Response and Recovery
- Update firewall rules and ACLs if an exposure was discovered in the course of the investigation.
- Create new definitions and rules for intrusion detection systems that can watch for the signs of the same attack again.