- Mobile banking risks & challenges by Mr. Sujith Christy
- Case study on financial sector fraud and forensic by Mr. M. Asokan
- Project management for IT projects by Dr. Madhu Fernando
- New media & digital culture by Mr. Conrad Dias
- Emerging card based threats in financial sector by Mr. Asanka Fernando
SITHIRA'S BLOGS
Recollection of thoughts, dreams and interest.
Monday, May 06, 2013
One Day Conference "Evolving Role of IT for Risk and Assurance Professionals " by ISACA Sri Lanka Chapter was a success..
Thursday, May 02, 2013
Micro Actyon
2009 brand new. Agent maintained. Only 18500 km done. Genuine mileage and only Actyon in town with low mileage. All parts are in original condition. Grand white, Full option, Triptronic, 4WD, Diesel, R/Key, CD, Multifunctional steering wheel, Reverse sensor, Black and teak interior, retractable mirrors. Vehicle in mint condition.
Google Glass Hacked...!
http://www.kitguru.net/channel/joseph-mcdonnell/google-glass-jailbroken-hacker-says-security-is-ineffective/#.UYDeGcIoFLc.facebook
Tuesday, March 13, 2012
Kia Picanto 2012
Kia Picanto is very stylish compact car which can easily accommodate 4 average size adults. This new design with the latest features capture the current market quickly. Very rarely we see a latest Picanto in Sri Lankan roads, but there are more than 180 car orders placed at the moment and will populate our roads with Kia Picanto 2012 model in few months time.
Sunday, November 20, 2011
Tuesday, October 25, 2011
Why penetration testing information should be destroyed?
Penetration testing is a sensitive testing mechanism against organizational assets. Penetration testing focuses on the current infrastructure of an organization network and its weaknesses. This test is able of identified most sensitive information security weaknesses of organizations’ network infrastructure. This sensitive information is very critical to organizations and protecting this from unwanted hands is utmost priority. When a penetration testing assignment is underway, it is important to reveal most of the business critical operations, information, critical assets, resource persons, etc to penetration testing team. On the other hand, during their penetration testing process, penetration-testing team can learn many hidden vulnerabilities, security weaknesses, and business process weaknesses and many more. These hidden weaknesses can create catastrophe event to organization without any notification, if goes to intruders or malicious users hands. Although the criticality of this information is very high, organization cannot do penetration testing with their internal teams. This is due to lack of experience, exposure, qualifications, equipments, knowledge of internal teams or lack of personal resource availability within the organization. Hence, organizations have to go for external resources by taking a slight risk. However, many of these risks can be covered via appropriate legal bindings, and selecting reputed, qualified, and professional team of penetration testers. Organizations must draft appropriate legal terms and bindings and get third parties abide by them to protect the organization that they may face in case of breach of confidentiality. In the normal practice and depending on the sensitivity of the information client organizations and third party penetration testing team can agree to destroy the information gathered during the penetration testing process. Furthermore, it should be noted, that client organization must specifically mention the information that they wanted the service provider (penetration testing team) to destroy and the period of time that the penetration testing team can retain confidential data before destroying. On the other hand, it should be clearly define the process to destroy, and confirmation of destroy, etc.
In case, if the external penetration testing team does not destroy the information, it is an unprofessional behavior of that origination or the team, and they might face legal charges or imprisonment depending on the case. Penetration testing team can be victims of, negligence of duties, breach of confidence, reputational damages, and legal actions. Since, the criticality of the information it is advised to destroy the collected information. For instance, if an attacker infiltrate penetration testing team member’s laptop where critical data is stored, attacker can extract very valuable first hand information from without much difficulty. This information can be used against the client organization to blackmail, threaten, attack, steal more information, and selling extracted information to third parties (hackers, competitors), etc.
It is imperative to select very reputed and professional team of penetration testers for your penetration testing projects. Below given are few ways to gauge the penetration testing vendor.
· Check whether the penetration testing is their core competencies. Some organizations provide this as a value added service and not master in the area.
· Check for the real world implementation and experience, rather than paper qualifications of testing team
· Evaluate vendors trustworthiness and competence
· Consider the cost versus frequency of penetration testing needed to conduct
· Find real penetration tester who are expert in the field and have practical experience in real environment, this is difficult to find but it will be worth the test
· Ask for references from vendor and verify their status
· Perform a thorough background check to identify the real nature of the vendor