Security
Principles of Generally Accepted Information Security Principles (GAISP)
GAISP is based on a solid consensus-building process that is central to the success of this approach. Principles at all levels are developed by information security practitioners who fully understand the underlying issues of the documented practices and their application in the real world. These principles are then reviewed and vetted by skilled information security experts and authorities who ensure that each principle is:
• Accurate, complete, and consistent
• Compliant with its stated objective
• Technically reasonable
• Well-presented, grammatically and editorially correct
• Conformant to applicable standards and guidelines

What is Generally Accepted System Security Principles (GASSP/GSSP)?
Generally Accepted System Security Principles incorporate the consensus, at a particular time, as to the principles, standards, conventions, and mechanisms that information security practitioners should employ, that information processing products should provide, and that information owners should acknowledge to ensure the security of information and information systems.
GASSP relates to physical, technical, and administrative information security and encompasses pervasive, broad functional, and detailed security principles. GASSP nomenclature considers the terms policy, rules, procedures, and practices to relate to the organizational implementation of security. Information technology (IT) changes rapidly, and GASSP are expected to evolve accordingly. Consensus regarding accepted information security principles is achieved first within the GASSP Committee followed by international IT community review.
GAAP versus GASSP?

Download Free Antispam Service for Blogs from Six Apart
Six Apart, the company that makes the blogging tools, is launching a free, semi-open-source filter for blog comment spam named TypePad AntiSpam. TypePad AntiSpam is the same antispam technology that is currently built into TypePad, but the company is making it available to anyone who wants it, with no charge and no usage restrictions. The service is in semi-beta: "The code is not beta but the (open source framework around it) is," said Six Apart CEO Chris Alden.
Features:
- Use it for free. TypePad AntiSpam beta is free for any type of use, personal and commercial, regardless of how many comments you receive. Plugins are available for Movable Type and WordPress.
- Help make it better. Whenever you report unwanted comments, the TypePad AntiSpam engine learns from you, so that it can make even smarter and more effective decisions about spam in the future.

What is End Point Security?
Since the widespread adoption of information technology, the need for proper end point security has become a critical topic of discussion in companies: how to manage end point security effectively.
End Point Security Definitions:
- A strategy in which security software is distributed to end-user devices but centrally managed [searchsecurity.techtarget.com]
- An information security concept that basically means that each device (end point) is responsible for its own security [wikipedia.com]
- An individual computer system or device that acts as a network client and serves as a workstation or personal computing device [endpointsecurity.org]
Examples of End Point Devices:
Laptops, PCs, handhelds, and specialized equipment such as inventory scanners and point-of-sale terminals.

Download Latest Free WinSCP 4.1.5
Download Page
filename: winscp415.exe
size: 1.3MB
website: winscp.net
WinSCP is an SFTP client and FTP client for Windows. Its main function is secure file transfer between a local and a remote computer. It uses Secure Shell (SSH) and, in addition to Secure FTP, also supports the legacy SCP protocol.
Development of WinSCP started around May 2000 and continues. Originally it was hosted by the University of Economics in Prague, where its author worked at the time. Since July 16, 2003 it has been licensed under the GPL and hosted on SourceForge.net.
WinSCP is based on the implementation of the SSH protocol from PuTTY and FTP protocol from FileZilla.
WinSCP is also available as a plugin for two file managers, FAR and Altap Salamander.
Internet Explorer 7.0 vs. Safari 3.0 vs. Firefox 3.0 Comparison in security perspective
| Criteria | Internet Explorer 7.0 | Safari 3.0 | Firefox 3.0 |
|---|---|---|---|
| Out of the box configuration: In their own ways, all three of these browsers are delivered in an overly trusting configuration. If you're serious about being secure in your Web browsing habits, it's clear you'll need to spend some time fine-tuning each of these products. | Score: D (Internet zone) | Score: F | Score: D (safe browsing) |
| Security features: All three browsers offer some rudimentary security controls in the way of being able to allow or disallow broad categories of content, such as JavaScript, Java, or ActiveX. But by default, these features are so broad in their "all or nothing" approaches as to be next to worthless. | Score: D | Score: F | Score: C |
| Security add-ons: The first thing to take control of in securing a browser is active content. None of the three browsers is great at that out of the box. | Score: D | Score: D | Score: B |
| Integration with operating system: This category is not directly security-related, but it is nevertheless important in selecting a browser. | Score: A | Score: A | Score: D |

Download Top Free 10 Security Tools
Below are the top 10 security tools, mostly available for free, that you can download for your own purposes. Whether you are an IT security consultant, an IT auditor, or just a newbie interested in security, these tools are a must for your daily security activity. This list was generated from the very popular website sectools.org, which provides the top 100 best security tools, and from other references such as junauza.com.
- Nessus: Premier UNIX vulnerability assessment tool
- Wireshark: Sniffing the glue that holds the Internet together
- Snort: Everyone's favorite open source IDS
- Netcat: The network Swiss army knife
- Metasploit Framework: Hack the Planet
- Hping2: A network probing utility like ping on steroids
- Kismet: A powerful wireless sniffer
- Tcpdump: The classic sniffer for network monitoring and data acquisition
- Cain and Abel: The top password recovery tool for Windows
- John the Ripper: A powerful, flexible, and fast multi-platform password hash cracker
Another top-10 reference list:
- John the Ripper: a free password cracking software tool initially developed for the UNIX operating system
- Nmap: my favorite network security scanner. It is used to discover computers and services on a computer network, thus creating a "map" of the network
- Nessus: a comprehensive vulnerability scanning software. Its goal is to detect potential vulnerabilities on the tested systems

Download Free Apple Security Standard, Common Criteria Tools for 10.5
Common Criteria Tools is an internationally approved set of security standards for Apple computers and infrastructure that provides a clear and reliable evaluation of the security capabilities of Information Technology products. By providing an independent assessment of a product's ability to meet security standards, Common Criteria gives customers more confidence in the security of Information Technology products and leads to more informed decisions.
Security-conscious customers, such as the U.S. Federal Government, are requiring Common Criteria certification as a determining factor in purchasing decisions. Since the requirements for certification are clearly established, vendors can target very specific security needs while providing broad product offerings.

The Top 5 Internal Information Technology Security Threats
The top five internal security threats, from ITsecurity.com:
1. Your Employees Are Selling You Out, Part 1
Spear phishing is an e-mail spoofing fraud attempt that targets a specific organization in an effort to gain unauthorized access to confidential data. While not exactly a new phenomenon, attacks are becoming increasingly sophisticated, according to Paul Stamp, a Forrester Research senior analyst.
“A phishing attack used to be a request from the deposed governor of Nigeria,” says Stamp. “These days, a phishing attack is almost indistinguishable from the real thing.”
The result: unwitting employees disclosing confidential information, from passwords to financial data, to ill-intentioned intruders. Unable to identify fraudulent websites and counterfeit email messages, these internal workers are essentially opening a company’s closed doors to criminals.
2. Laptops on the Loose
Accidentally bequeathing your forgotten laptop to a hotel’s cleaning staff is more than an inconvenience. According to software security firm Symantec, the theft or loss of a computer or other data-storage medium made up 54 percent of all identity theft-related data breaches in the second half of 2006.
But that’s not all. The theft or loss of a laptop can cost a company big bucks. The 2006 CSI/FBI Computer Crime and Security survey reveals that laptops and the theft of proprietary information are the third and fourth-greatest sources of respondents’ financial losses. Nevertheless, a startling 47 percent of respondents detected laptop/mobile theft last year.
3. Unintentional Access and Disgruntled Ex-Employees
One of the many perks of working for a company is the access one gains to multiple computer systems, from e-mail messaging to

What is Real Privacy Management (RPM), authentication software from 2Factor?
Real Privacy Management (RPM) is software that offers continuous, two-factor user authentication and data encryption based on a patented, real-time algorithm that limits the opportunity for intrasession hack attacks and threats.
Why it’s worth watching: Authenticating users has become a security best practice, but once is not enough. Methods such as public-key infrastructure (PKI) authenticate the user at first logon but leave the session open to hacker attacks thereafter. By performing continuous mutual authentication and encryption during every transmission between client and server, 2Factor reduces the potential for data theft and fraud by closing the window of opportunity for hackers.
How the company got its start: After working in cryptography for many years, founder and chief scientist Paul McGough saw the need for a simpler, more nimble and more effective alternative to PKI and other security technologies. The company claims RPM is based on provable mathematics, is as much as 100 times faster than PKI, and can be deployed quickly and easily in any type of software, chip or device.