Saturday, December 8, 2018

Free Network Performance Test tool - Iperf

According to Wikipedia, Iperf "is a commonly used network testing tool that can create TCP and UDP data streams and measure the throughput of a network that is carrying them. Iperf is a modern tool for network performance measurement written in C++."

To complete a test, this tool needs both a server side and a client side configured. It can measure throughput from the client to the server, and it can also test in both directions.

1. Download iperf 3

The main download site is from https://iperf.fr/iperf-download.php.

2. Start it as server

Run 'iperf -s' from the command line to start the iperf server (here on IP address 100.99.136.66):
C:\Tools>iperf -s
------------------------------------------------------------
Server listening on TCP port 5001
TCP window size: 8.00 KByte (default)
------------------------------------------------------------
[188] local 100.99.136.66 port 5001 connected with 100.94.200.14 port 48410
[ ID] Interval       Transfer     Bandwidth
[188]  0.0-10.0 sec   121 MBytes   101 Mbits/sec
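As an added example (not code from the original post), here is a small Python parser for the iperf 2-style summary line shown above. It turns each stream result into a record, recomputes the bandwidth from the transferred bytes and the interval as a sanity check on the reported figure, and flags streams that fall below an expected baseline. The sample text is the server output from the post, embedded as a constructed string; the baseline value is an assumption for the sake of the demo.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample: the iperf 2 server output shown in the post.
SAMPLE_OUTPUT = """\
------------------------------------------------------------
Server listening on TCP port 5001
TCP window size: 8.00 KByte (default)
------------------------------------------------------------
[188] local 100.99.136.66 port 5001 connected with 100.94.200.14 port 48410
[ ID] Interval       Transfer     Bandwidth
[188]  0.0-10.0 sec   121 MBytes   101 Mbits/sec
"""

# Matches the per-stream summary line: "[id] start-end sec  N XBytes  M Xbits/sec".
RESULT_RE = re.compile(
    r"^\[\s*(?P<id>\d+)\]\s+(?P<start>[\d.]+)-(?P<end>[\d.]+)\s+sec\s+"
    r"(?P<xfer>[\d.]+)\s+(?P<xunit>[KMG])Bytes\s+"
    r"(?P<bw>[\d.]+)\s+(?P<bunit>[KMG])bits/sec"
)
# iperf 2 reports Bytes in powers of 1024 and bits/sec in powers of 1000.
BYTE_SCALE = {"K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}
BIT_SCALE = {"K": 1e3, "M": 1e6, "G": 1e9}


@dataclass
class StreamResult:
    stream_id: int
    seconds: float
    bytes_transferred: int
    reported_mbps: float

    @property
    def computed_mbps(self) -> float:
        # Independent recomputation from bytes and interval, for a consistency check.
        return self.bytes_transferred * 8 / self.seconds / 1e6


def parse_iperf2(text: str) -> list[StreamResult]:
    """Extract every stream summary line from iperf 2 output; skip headers and banners."""
    results = []
    for line in text.splitlines():
        m = RESULT_RE.match(line)
        if not m:
            continue
        seconds = float(m["end"]) - float(m["start"])
        nbytes = int(float(m["xfer"]) * BYTE_SCALE[m["xunit"]])
        mbps = float(m["bw"]) * BIT_SCALE[m["bunit"]] / 1e6
        results.append(StreamResult(int(m["id"]), seconds, nbytes, mbps))
    return results


def below_baseline(results: list[StreamResult], expected_mbps: float, tolerance: float = 0.8) -> list[int]:
    """Return ids of streams whose reported bandwidth is under tolerance * expected (assumed threshold)."""
    return [r.stream_id for r in results if r.reported_mbps < expected_mbps * tolerance]
```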

Friday, December 7, 2018

Understanding GDPR from Security Professional's Perspective

One of the most recent and wide-ranging laws impacting the security profession globally is the European Union's General Data Protection Regulation, or GDPR. As of May 25, 2018, the GDPR is a legal and enforceable act of the European Union.

In this post, we will detail the key findings on how a security professional can work to satisfy the requirements of GDPR.


Gartner Magic Quadrant for Identity Governance and Administration (2018,2017,2016,2015,2013)

IGA (Identity Governance and Administration) is a central component of Identity and Access Management (IAM) designed to “manage digital identity and access rights across multiple systems and applications.” Identity Governance and Administration solutions achieve this by aggregating and correlating identity and permissions data found throughout an enterprise’s digital ecosystem, and then utilizing that data to perform its core functions.

Gartner considers IGA’s core functions to include access requests, access certification, auditing, reporting and analytics, workflow management, entitlement management, and identity life cycle management. Gartner evaluates IGA vendors based on the completeness of their vision and their ability to execute on that vision and roadmap.


2018
Compared with 2017, both One Identity and Saviynt moved into the Leaders quadrant from Challengers. Six vendors are in the Leaders quadrant:
  • Oracle since 2013
  • IBM since 2014
  • SailPoint since 2013
  • One Identity
  • CA Technologies
  • Saviynt


Gartner Magic Quadrant for Access Management (2018, 2017, 2016, 2015)


Today’s businesses require secure 24/7 access to their cloud applications and data, and require more than Web Single Sign-On to propel their business forward. The world has changed, allowing an almost infinite number of identities and accounts on different platforms and devices including cloud, mobile, social, and personal networks. Having an identity and access management strategy in place is more important than ever.

2018 (Second Year)
CA moves into Visionaries from Leaders. Micro Focus drops into Visionaries from Challengers. Five Leaders in 2018:
  • Microsoft
  • Okta
  • IBM
  • Oracle
  • Ping Identity

Tuesday, December 4, 2018

Cyber Security Frameworks and Integrated with TOGAF

When cyber security professionals talk about related frameworks, the discussion always comes down to two: ISO and NIST. There is a lot of confusion between them, and also between frameworks and security architecture methodology. Here is some discussion on those topics that I collected online, which I believe clarified some of my confusion on certain points.

======================================================================
A Cyber Security Framework is a risk-based compilation of guidelines designed to help organizations assess current capabilities and draft a prioritized road map toward improved cyber security practices. (From Arnab Chattopadhaya 's Enterprise Security Architecture)

Well Known Cyber Security Frameworks
• Sherwood Applied Business Security Architecture (SABSA)
• ISO/IEC 27001 & 27002 (formerly ISO 17799)
• ISO/IEC 31000
• NIST SP 800-53: Security and Privacy Controls for Federal Information Systems and Organizations
• NIST SP 800-39: Risk Management Framework
Essential security and risk concepts and their position in the TOGAF ADM (Source: TOGAF Security Guide)

From DevOps to DevSecOps


What is DevOps:
DevOps is the combination of cultural philosophies, practices, and tools that increases an organization’s ability to deliver applications and services at high velocity: evolving and improving products at a faster pace than organizations using traditional software development and infrastructure management processes. This speed enables organizations to better serve their customers and compete more effectively in the market. (from AWS)


Prior to 2010,

  • Structured Development methodologies
  • Client-server
  • Waterfall Model


Now,

  • Moved from structured development methodologies to object-oriented paradigm
  • Moved from client-server to service-oriented architecture
  • Moved from the waterfall model to agile methods

Continuous Integration and Continuous Delivery (CI/CD) relies on the automation of routine work.

Agile and DevOps

Sunday, December 2, 2018

Enterprise Security Architecture Resources

Enterprise Security Architecture (ESA) is a relatively new concept to most business and IT stakeholders. However, it is gaining adoption because the CISOs of enterprises need to strategically address information security debt and meet the increasing burden of privacy-related compliance. This post collects some useful online resources that explore a creative method for building a mature enterprise security architecture.

IT vs Information Security vs Cyber Security vs Business Continuity vs Risk Management

From: 9 steps to Cyber Security


Saturday, December 1, 2018

Gartner Magic Quadrant for Security Awareness Computer-Based Training (2018,2017,2016,2015,2014)

IT research and advisory firm Gartner, Inc. has evaluated different vendors in the Magic Quadrant for Security Awareness Computer-Based Training (CBT). Gartner’s evaluation criteria include market understanding, marketing strategy, sales strategy, product strategy and offering, business model, vertical/industry and geographic strategy, and innovation.

What is security awareness computer-based training?
End-user-focused security education and training is a rapidly growing market. Demand is fueled by the needs of security and risk management leaders to help influence the security behaviors of people. People impact security outcomes much more than any technology, policy or process. Interactive computer-based training (CBT) is a central component of a comprehensive security education and behavior management program. It is a mechanism for the delivery of a learning experience through computing devices, such as laptop computers, tablets, smartphones and Internet of Things (IoT) devices. The focus and structure of the content delivered by CBT vary, as do the duration of individual CBT modules and the type of computing endpoints supported. The market for CBT for security awareness is characterized by vendor portfolios that include ready-to-use, interactive software modules. These modules are available as internet-based services or on-premises deployments.