
Tuesday, 8 September 2015

E-learning on Information Security Management Systems (ISO 27001) and Service Management Systems (ISO 20000-1)



LIST
OF THE MAIN E-LEARNING COURSES
ON INFORMATION SECURITY
AND SERVICE MANAGEMENT SYSTEMS

1. Approach and methodology for building an Information Security Management System (ISMS) in accordance with the requirements of ISO 27001:2013 and the recommendations of ISO 27002:2013.

The aim of the course is to prepare trainees to independently build, maintain and develop an Information Security Management System (ISMS) that meets the requirements of ISO 27001:2013 and the recommendations of ISO 27002:2013.

2. Approach for building and maintaining a Service Management System (SMS) in accordance with the requirements of ISO 20000-1:2011 and the recommendations of ISO 20000-2:2012.

The course aims to prepare trainees to independently develop, implement and maintain a Service Management System (SMS) that meets the requirements / recommendations of the international standards:
ISO 20000-1:2011 - Information technology - Service management - Part 1: Service management system requirements
ISO 20000-2:2012 - Information technology - Service management - Part 2: Guidance on the application of service management systems

3. Measures to counter information security threats caused by malicious "insiders".

The course is intended for information security specialists and mid-level managers. It covers the main practices for countering malicious "insiders" who create risks to the information security and the business of the organization.
For the purposes of this training course, malicious "insiders" or a malicious "insider" means a current or former employee, contractor or business partner who meets the following basic criteria:
- has or had authorized access to the organization's network(s), systems or data / information;
- intentionally exceeds or intentionally uses that authorized access in a way that violates the confidentiality, integrity and / or availability of the organization's data / information or of its information systems as a whole.


4. Methodology for developing the documentation of an Information Security Management System (ISMS) in accordance with the requirements of ISO 27001:2013

The training course is intended to prepare trainees to independently develop, implement and maintain the ISMS documentation in accordance with the requirements of ISO 27001:2013 and the recommendations of ISO 27002:2013.
The course covers the sequence for building the ISMS documentation, the tooling for creating it, and a large number of documents of various types: policies, procedures, instructions, methodologies, plans, etc.
The methodology has been applied repeatedly by organizations that have built an ISMS and certified it for conformity with the requirements of ISO 27001.

5. Methodology for developing the documentation of a Service Management System (SMS) in accordance with the requirements of ISO 20000-1:2011

The training course is intended to prepare trainees to independently develop, implement and maintain the SMS documentation in accordance with the requirements of ISO 20000-1:2011 and the recommendations of ISO 20000-2:2012.
The course covers the sequence for building the SMS documentation and a large number of documents of various types: policies, procedures, plans, etc.
When determining the scope of the SMS documentation, the methodology takes into account whether the organization already has a quality management system (QMS) and/or an information security management system (ISMS) in place.


Contact for questions and further information:
+359 886 655 315 - Plamen Kamenov

http://infosecservicebg.wix.com/study-security


Seven "brutal" cyber attacks


Top 7 brutal cyber attacks

Monday, September 07, 2015
The Hacker News
Author: Khyati Jain

Part 1

If you believe that your organization is not at real risk of cyber attack, then you are absolutely wrong.

Incidents of massive data breaches, advanced cyber attacks attributed to China, groups like the Syrian Electronic Army, and the hacking of point-of-sale machines at retailers such as Target have splashed across the news in the last year.

Whether a government agency or a private company, a small or a large tech company, it is no secret that no one is immune to cyber attacks.

This article is the first in a two-part series from The Hacker News, listing the first four of the Top 7 Brutal Cyber Attacks.

And here we go...

#1 "Hacking Team" Data Breach

Hacking Team, the controversial spyware company, was recently hacked by unidentified attackers who exposed over 400 gigabytes of its sensitive internal data on the Internet.

The Milan (Italy) based IT firm 'Hacking Team' sells intrusion and surveillance software to governments and law enforcement agencies worldwide.

Hacking Team is infamous for its commercial surveillance tool, Remote Control System (RCS), which can spy on a target system and remotely access its microphone and camera.

However, sometimes even hackers get hacked. That is what happened to Hacking Team: the attackers not only hijacked Hacking Team's own Twitter account but also leaked:
Executive emails
Source code for its hacking and spyware tools
Zero-day exploits, including ones for Flash and Internet Explorer
A government client list with dates of purchase and amounts paid
...marking the attack as one of the biggest cyber attacks on any company.

#2 Ashley Madison Data Breach

TIP: No website can guarantee the privacy of your identity, credit card details, personal photos or any other information.

Two months ago, the Toronto-based Ashley Madison website, a dating portal for extramarital affairs with the tagline "Life is Short. Have an Affair," was hacked by 'The Impact Team'.

The hackers gained access to its customer database and posted about 10 GB of personal data on tens of millions of customers, including their names and email addresses.

This was shortly followed by another leak, in which the hackers released a further 20 GB of the company's internal data, including personal emails of Noel Biderman, CEO of Ashley Madison's parent company Avid Life Media, along with the source code for its website and mobile apps.

The breach came just two months after an attack on another adult site, Adult Friend Finder, where again millions of people's very personal data were exposed on the Internet.

The Ashley Madison and Adult Friend Finder hacking cases raise serious questions about what these dating websites are doing to ensure the security of their users' personal information.

#3 The Sony Pictures Hack

Remember last year, when you could download and watch unreleased Sony Pictures Entertainment movies?

Annie, Mr. Turner, Still Alice, To Write Love On Her Arms and Brad Pitt's "Fury"...

...were leaked on torrent websites following a massive cyber attack on Sony Pictures last year by the Guardians of Peace (GOP) hacking group.

The hack wasn't limited to unreleased movies: the unknown attackers leaked about 200 gigabytes of confidential Sony Pictures data, from movie scripts to sensitive employee data, celebrities' phone numbers and their travel aliases, making it one of the most severe hacks in history.

The massive cyber attack on the company was in response to the release of "The Interview", a controversial comedy mocking North Korea; the hackers threatened 9/11-style attacks on theaters showing the movie.

As a result, Sony had to shut down its systems for weeks. It tried to defuse the situation by pulling "The Interview" from theaters and eventually putting it up on Netflix.

But things have not changed much for Sony. This was the second time Sony had been targeted, and the intensity of the attack was such that even after the company's best countermeasures, a substantial amount of its data was later published by WikiLeaks.

#4 'Fappening' and 'Snappening'

When a surge of nude photos of celebrities leaked and went viral in August 2014, the Internet had a meltdown.

An unknown hacker broke into third-party applications connected to services like Facebook, Twitter, Instagram and Apple's iCloud, leading to the major incident known as "The Fappening".

The Fappening mainly targeted female celebrities and leaked very private photographs of them, including Jennifer Lawrence, Kim Kardashian, Kirsten Dunst, Avril Lavigne and many others.

Within a month of "The Fappening", a similar incident called "The Snappening" leaked more than 100,000 videos and images of Snapchat users.

In The Fappening, the photos were allegedly retrieved by exploiting a "brute force" weakness in Apple's iCloud service, that is, a login endpoint that kept accepting password guesses without limit. Apple, however, denied that its systems had been breached.
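The "brute force" weakness described above comes down to a login endpoint that keeps evaluating guesses no matter how many arrive. The following Python is an added example, not part of the original article and not Apple's code: it puts an unthrottled login beside one with failure counting and account lockout, and runs the same guess list against both. The credential store, the account "alice" and the wordlist are constructed for the example, and the lockout policy is a generic one rather than a model of the real iCloud service.

```python
"""Brute-force login guessing against an unthrottled and a throttled endpoint.

Added illustration, not Apple's code and not the attacker's tooling. The
credential store, the account name and the guess list are constructed for
the example; the throttling policy is a generic lockout.
"""
import hashlib
import hmac
import os
import time
from collections import defaultdict


def _derive(password: str, salt: bytes) -> bytes:
    # Slow password hash so each guess costs the server real work.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def make_store(credentials: dict) -> dict:
    """Constructed credential store: user -> (salt, derived key)."""
    store = {}
    for user, password in credentials.items():
        salt = os.urandom(16)
        store[user] = (salt, _derive(password, salt))
    return store


def check_password(store: dict, user: str, password: str) -> bool:
    record = store.get(user)
    if record is None:
        return False
    salt, expected = record
    return hmac.compare_digest(_derive(password, salt), expected)


class UnthrottledLogin:
    """Weak form: every guess is evaluated, however many arrive."""

    def __init__(self, store):
        self.store = store

    def attempt(self, user: str, password: str) -> str:
        return "ok" if check_password(self.store, user, password) else "denied"


class ThrottledLogin:
    """Hardened form: after max_failures failed guesses inside the window the
    account is locked for lockout_seconds, and even a correct password is
    refused while the lock holds, so online guessing stalls after a few tries."""

    def __init__(self, store, max_failures=5, lockout_seconds=900,
                 clock=time.monotonic):
        self.store = store
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock                      # injectable for testing
        self._failures = defaultdict(list)      # user -> recent failure times
        self._locked_until = {}                 # user -> unlock time

    def attempt(self, user: str, password: str) -> str:
        now = self.clock()
        if self._locked_until.get(user, 0) > now:
            return "locked"                     # password is not even evaluated
        window_start = now - self.lockout_seconds
        recent = [t for t in self._failures[user] if t > window_start]
        if check_password(self.store, user, password):
            self._failures[user] = []
            return "ok"
        recent.append(now)
        self._failures[user] = recent
        if len(recent) >= self.max_failures:
            self._locked_until[user] = now + self.lockout_seconds
            return "locked"
        return "denied"


def brute_force(login, user: str, wordlist):
    """Online guessing loop. Returns (password_found, attempts, stopped_by_lockout)."""
    attempts = 0
    for guess in wordlist:
        attempts += 1
        result = login.attempt(user, guess)
        if result == "ok":
            return guess, attempts, False
        if result == "locked":
            return None, attempts, True
    return None, attempts, False


# Constructed inputs: a weak password that sits in a short guess list.
WORDLIST = ["123456", "password", "qwerty", "letmein",
            "iloveyou", "sunshine", "hunter2", "princess"]
STORE = make_store({"alice": "hunter2"})


def demo():
    weak = brute_force(UnthrottledLogin(STORE), "alice", WORDLIST)
    hard = brute_force(ThrottledLogin(STORE, max_failures=5), "alice", WORDLIST)
    return weak, hard


if __name__ == "__main__":
    print(demo())   # (('hunter2', 7, False), (None, 5, True))
```

Against the unthrottled endpoint the seventh guess succeeds; against the throttled one the account locks on the fifth failure and the remaining guesses, including the correct one, are never evaluated. A real deployment would also rate-limit by source address and alert on lockouts, since per-account lockout alone lets an attacker spray one guess across many accounts.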

In the case of The Snappening, Snapchat's servers were not breached; instead, users' pictures were compromised through third-party apps used to send and receive Snaps.

Both incidents rank among the biggest hacks of their kind.


Part II 

Part I of this two-part series from The Hacker News, covering the first four of the Top Brutal Cyber Attacks, showed that whoever you are, security can never be perfect.

As attackers employ innovative hacking techniques and zero-day exploits, the demand for increased threat protection grows.

In this article, I list another three cyber attacks:

#5 Car Hacking

Driving a car is a networking game now!

'Everything is hackable', but is your car also vulnerable to hackers?

General Motors' OnStar system and cars like the Jeep Cherokee, Cadillac Escalade, Toyota Prius, Dodge Viper, Audi A8 and many more come equipped with advanced connected features.
These cars are now part of what is widely known as the "Internet of Things".

Recently, two security researchers, Chris Valasek and Charlie Miller, demonstrated that a Jeep Cherokee could be hacked wirelessly over the Internet to hijack its steering, brakes and transmission.

OnStar is a built-in unit, attached to the car's interior rearview mirror, with features such as remotely unlocking the car and starting the engine.

Similarly, the latest Jeep Cherokee is a fourth-generation model fully equipped with the latest technology.

In these recent incidents, both a Jeep Cherokee and the OnStar application were hacked, leaving the cars under the attackers' control and prone to accidents.

A security flaw in the car's entertainment system (Uconnect) was exploited by two white-hat hackers, Charlie Miller and Chris Valasek. The flaw allowed them to inject code into the system and take remote control from miles away.

The researchers were able to turn the music volume up to maximum and start the windshield wipers remotely while they were '10 miles away'.

More alarmingly, they cut the transmission and disabled the brakes, which sent the car into a ditch.

Reports say that both the Jeep Cherokee and the Escalade share an inherent security flaw:

the car's apps, Bluetooth and the telematics unit connecting it to a cellular network (such as OnStar) sit on the same network as the engine controls, brakes, steering and tire pressure monitoring system.

Miller and Valasek said a car's networked systems could be an easy gateway for attackers armed with just a mobile phone and a laptop.

All they need is the car's IP address, and they can break into its systems over a wireless Internet connection.
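The architectural flaw described above is a flat network: whatever a compromised head unit transmits reaches the brake, steering and transmission controllers unfiltered. The following Python is an added example, not the researchers' code and not any vehicle's real architecture: it models a flat bus beside a gateway that allow-lists which infotainment-originated frame IDs (and payload sizes) may cross into the powertrain segment, and runs a constructed frame log through both. The CAN arbitration IDs, the allow-list and the log are hypothetical; real IDs and bus layouts differ per manufacturer.

```python
"""Flat in-vehicle network beside a filtering gateway between segments.

Added illustration, not the researchers' code and not any manufacturer's
real architecture. The CAN arbitration IDs, the allow-list and the frame
log are constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    arb_id: int     # 11-bit CAN arbitration ID
    data: bytes     # payload, at most 8 bytes on classic CAN
    source: str     # segment the frame entered on: "infotainment" or "powertrain"


# Hypothetical arbitration IDs (constructed for this example).
ID_BRAKE_CMD = 0x1A0
ID_STEER_CMD = 0x1B0
ID_TRANS_CMD = 0x1C0
ID_SPEED = 0x280         # powertrain broadcast, shown on the head unit
ID_WIPERS = 0x2C0
ID_CLIMATE_SET = 0x3E0   # the one request the head unit legitimately sends inward

SAFETY_CRITICAL = {ID_BRAKE_CMD, ID_STEER_CMD, ID_TRANS_CMD}


class FlatBus:
    """Weak form: one shared bus. Anything the compromised head unit
    transmits is seen by the brake, steering and transmission ECUs."""

    def forward(self, frame: Frame) -> bool:
        return True


class GatewayFilter:
    """Hardened form: frames crossing from infotainment into powertrain must
    match an allow-list of arbitration ID -> maximum payload length.
    Everything else is dropped at the gateway; powertrain-to-infotainment
    telemetry still flows outward for display."""

    def __init__(self, allowed_inbound: dict):
        self.allowed_inbound = allowed_inbound

    def forward(self, frame: Frame) -> bool:
        if frame.source == "powertrain":
            return True
        max_len = self.allowed_inbound.get(frame.arb_id)
        if max_len is None:
            return False                     # ID not permitted from this segment
        return len(frame.data) <= max_len    # reject oversized / fuzzed payloads


def route(policy, frames):
    """Frames the policy lets reach the powertrain segment."""
    return [f for f in frames if policy.forward(f)]


def injected_safety_frames(policy, frames):
    """Safety-critical IDs that originated in infotainment and got through."""
    return sorted(f.arb_id for f in route(policy, frames)
                  if f.source == "infotainment" and f.arb_id in SAFETY_CRITICAL)


# Constructed frame log: one legitimate telemetry frame, one legitimate
# climate request, then what a compromised head unit might inject.
LOG = [
    Frame(ID_SPEED, bytes([0x00, 0x5A]), "powertrain"),
    Frame(ID_CLIMATE_SET, bytes([0x16]), "infotainment"),
    Frame(ID_WIPERS, bytes([0x01]), "infotainment"),
    Frame(ID_BRAKE_CMD, bytes([0x00]), "infotainment"),
    Frame(ID_STEER_CMD, bytes([0xFF, 0x20]), "infotainment"),
    Frame(ID_TRANS_CMD, bytes([0x00]), "infotainment"),
    Frame(ID_CLIMATE_SET, bytes(8), "infotainment"),   # oversized payload
]


def compare():
    flat = injected_safety_frames(FlatBus(), LOG)
    gated = injected_safety_frames(GatewayFilter({ID_CLIMATE_SET: 1}), LOG)
    return flat, gated


if __name__ == "__main__":
    flat, gated = compare()
    print("flat bus lets through:", [hex(i) for i in flat])
    print("gateway lets through: ", [hex(i) for i in gated])
```

On the flat bus all three injected safety-critical frames reach the powertrain ECUs; with the gateway in place only the legitimately sized climate request crosses, and the oversized climate frame, the wiper command and the brake, steering and transmission commands are dropped. The point is least privilege between segments: the head unit needs telemetry out and a narrow set of requests in, nothing more.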

#6 Data Breach at US Government Office of Personnel Management

The United States Office of Personnel Management (US OPM) is an independent agency of the US government that recruits, retains and honors the federal workforce.

The US OPM was hit twice by cyber attacks that led to data breaches, compromising the personal information of some 21.5 million people, mostly current and former federal workers and applicants.

Hackers accessed sensitive data of US government officials that could be used for identity theft and cyber-espionage.

The stolen data included Social Security numbers, employment history, residency and educational history, criminal and financial history, fingerprints, health information, and details of personal and business acquaintances.

Some stolen records also included findings from interviews conducted by background investigators, discussing sexual assaults, drug and alcohol addiction and mental health treatment.

Investigations indicate that China-based hackers were behind the data breaches at the Office of Personnel Management (OPM).

#7 Anthem Data Breach

Anthem Inc., previously known as WellPoint Inc., was the victim of a massive cyber attack disclosed in February.

Back in February, attackers executed a sophisticated attack to gain unauthorized access to the company's IT systems, which held a database of some 80 million people, and obtained personally identifiable information (PII) on its customers and employees.

The information accessed included:
Names
Birthdays
Social Security numbers
Email addresses
Employment information, including income data
The hackers gained access to Anthem's data by stealing the network credentials of at least five of its employees with high-level IT access.

The entry path may have been phishing, in which a fraudulent email tricks employees into revealing their network ID and password, or into unknowingly downloading software that gives the attackers long-term access to Anthem's IT environment.

The company informed millions of its affected customers of the massive data breach that potentially exposed the personal information of its former as well as current customers.

Anthem engaged Mandiant, a leading cyber security firm, to investigate the incident and advise on remediation.


This is just the beginning...

These are just seven; there are many more, and they could reach you too.

The power of cyberspace, and of the criminals operating in it, should not be underrated.

Shrugging off incidents like these, where your personal data is at risk, is not a solution; it is the start of problems that will trouble you greatly in the future.

Cyberspace can be as intoxicating as a drug. Proactive thinking and a proactive approach will keep you ahead of the people on the other end.

Take the time to think over these incidents and respond wisely; that is all we have to say!