Thursday, 6 September 2012

A REAL STORY 
Alarming results were announced after a recent survey conducted by Ponemon Institute Research and Juniper Networks. The result matches what we have seen in the media recently: hackers are almost always successful in their efforts to break into a site, and stopping them is no easy task. The survey shows that 90% of companies suffered some kind of attack in the last 12 months. Over 77% of those that suffered attacks actually had internal problems because of the hackers' success in breaking in.
Respondents reported very low confidence in their ability to prevent attacks. Many believe they are simply not prepared. 53% believe they will also face some kind of attack in the next 12 months. Attacks on websites often use classic vulnerabilities such as SQL Injection and Cross-Site Scripting (XSS). What are the biggest barriers to implementing an effective security strategy? Almost half (48%) of the companies surveyed said they found security procedures too complex to implement. Another 48% also mentioned a lack of resources. Companies look at the cost of security procedures and practices, find them complex, and judge them expensive to implement, so they look for cheaper options. Vulnerability scanners are becoming ever more effective at detecting flaws and enabling corrective action at reduced cost. As for the consequences of these attacks, companies see that information theft and business interruption are the most severe losses. With so much money being lost in breaches, companies need to invest more in preventive security measures, even at reduced cost. "What we see is that in today's environment, systems being hacked is almost a statistical certainty."
A real fact. He warned that there would be an intrusion into the corporation's sites, but no one took action. On several occasions the IS (Information Security) analyst informed the IT development team that the corporation's websites had vulnerabilities. He analyzed, identified, reported and pointed out what should be considered for remediation, but this was not granted. Months passed; patch updates were installed and new devices were put in place to improve perimeter security, yet not a single line of the application's code was updated for protection, only lines to improve customer service and streamline the business. How many of you have heard this story?
When this occurs, IT loses, and so does the corporation; IT takes the blame for failing to observe security guidelines and parameters in its internal development. A security notification is proactive, as opposed to an intrusion and the defacement of the site that follows. Whether development is outsourced or internal, the role of IS is also to analyze vulnerabilities and liabilities. A worthwhile success occurred on one occasion, when an analysis was done on a Brazilian site hosted in the U.S. The analysis showed more vulnerabilities in the site than holes in Swiss cheese. A notice was sent to the site's owners in that country and, to our great surprise, the problem was resolved in just over two weeks. Impressive concern, and best for the corporation, since the situation was resolved in a timely manner. The same situation occurred in the corporation with a website available only in Brazil, and it did not receive the same attention and resolution of its vulnerabilities. Guess what happened to this site? It was defaced by a Brazilian, in the traditional style of the usual intruders.

Wednesday, 22 February 2012

Access Control.


I never imagined how big a problem it is when a corporation has no control over access control. I will leave physical access control for another occasion; this time I will talk a little about logical access control. We live in a globalized world where everything converges within IT, and access control shows that without investment in controls, fraud and other threats actually happen. Looking closely, few companies in full growth realize the need for, and the true value of, controlling their employees' accounts and passwords, in addition to other controls such as web usage, firewalls, file servers, applications and many others. It is a fact that growing companies should prepare for a dark future if they do not have appropriate controls, even manual ones. The major market players are there, ready, at a high price, to meet this demand for SSO (Single Sign-On) and IDM (Identity Manager), the identity manager. In fact, few companies invest in automation because of the high cost. For a small but growing company, the most striking factor is cost versus benefit. This is why small and midsize companies still opt for manual control, often minimizing the risks quite well. Well-defined policy guidelines, tied to the joining and leaving processes, can help small businesses make good use of their manual controls specific to ACCESS CONTROL. It is true that once the company has taken shape and become a big corporation there is no doubt that automation will be needed, because the number of applications grows with the company. Specific Information Security projects related to access control are today a troubled sea for growing businesses. Business owners with vision should have no doubt about this; a critical view is healthy not only for themselves but also for remedying threats.
Not that we can eliminate threats, but we can minimize them to a risk that is at least not so onerous. The 5W1H view is old but will live on for many years, questioning the assets of a corporation. Measures and countermeasures should be evaluated. Unprecedented access to back-office systems through the Web has reduced costs but hides threats if privileges are not controlled. We must enforce access policies for users, proxies and Web Services that perform operations on behalf of users, ensuring they really are who they claim to be. When the environment becomes large and distributed, it is a sign that the corporation is leaving the small and medium enterprise stage to become something huge, and observance of appropriate controls is required. Escaping automation is then only a matter of time. It is necessary to evaluate threat-inhibiting policies based on risk. It is like projects: without monitoring and control, your project is done for.....

Sunday, 12 February 2012

Thursday, 24 November 2011

people management

Do you have the right employees, contractors and temporary staff for your area? In IT and IS there is almost complete compatibility between the person and the technology used by your corporation. Hiring is hard: you have to fit personality, certifications and experience together with the trust the applicant inspires for a position in IT or IS. Much of the interaction between employees over years in the same corporation can make them friends or eternal enemies. Relations in corporations can even lead to marriage. How many of you readers have not started dating someone you worked alongside, or even married someone you met in the same corporation? These are common situations that happen every day around the world, but when that person becomes the enemy next door, how do you proceed? In such a situation, your best bet is to ignore the fact, make use of politics and/or seek understanding, or look for another corporation. There are situations in which coercion is the main event. In that case, the best thing is to look for other companies where this would be less prevalent. There are real "rings" formed to remove a manager, whose main goal is control of the area. A true political coup, in pursuit of "POWER". "Fortunately, all ends well for those who live well." There are cases where such facts cannot be resolved alone, and a stance must be taken so that the problem is resolved in the best way, always looking out for what is best for the corporation. "Political power" will exist in any corporation, and there will always be the "malicious" lined up against the well-intentioned. The worst behavior is to use the so-called "hardcore" to deal a blow to a fellow worker. A manager will always have problems managing people, whether he is responsible for an area of two professionals or ten thousand.
The facts go unnoticed by those with a large number of employees, and that is why areas are subdivided and given their own heads, to minimize these and other impacts. Technology is not very different from people when it comes to treating them as assets. When a manager has a problem with an asset, the impact can cause others in a chain. The important thing is to treat it in discussion groups to improve service and focus on the solution as quickly as possible. People management is more complicated than asset management, no doubt; dealing with people is an art different from dealing with assets, but the similarities lie in the search for solutions. The good manager is the one who keeps his staff under control, measuring technical and personal skills and aligning them to achieve the objectives of the area, of the corporation and of the staff themselves. When there is malware, a virus or another problem affecting our assets, we have to eliminate it. With people, we have to deal with the behavior and the situation, and even when all attempts have failed, eliminating them from the area may still not be the solution. The search for the best team, the best staff and the best management role is one in which the managers involved add up all the qualities and defects and weigh them in the balance of "Business Ideality".

Wednesday, 26 October 2011

UNIVERSITY - SECURITY AND QUALITY

Is the quality of the IT environment our clients provide for their educational institution sufficient to serve its students, teachers and contractors?

Institutions of Higher Education have been driven to invest in IT. Many higher education institutions provide Internet access to students for research, training and application in items related to the courses offered. But this availability is rampant and constantly dangerous when it comes to the information security related to it.

IT investments at universities advance when there is significant administrative integration, coupled with the awareness of the institution's managers regarding improving the IT environment, making structural, cultural and work-process changes, and improving information security.

In academia, across teaching, research and extension, investment in Information Security has been timid, leaving a large gap in this area in their applications.

Changes are needed to bring them to a satisfactory level of security.

A proper diagnosis can suggest how universities can best use their environment and give them a broad view of what exists and what is needed to meet current demand. Quality, as a rule, with the implementation of ISO 9000, can address and improve many existing procedures and other important ones that are also needed. Then, moving on to Information Security standards with other allies, the flaws that exist today can be controlled or even cease to exist.

In fact, many do not care about security on the Web. Just because something is important to us does not mean it is (or should be) important to everyone else.

I have examined some sites in consultancy work, and things are really ugly when it comes to web security. On the development side, it does what it can, counting on a code analyzer at most, and when we look at the security perimeter it is also possible to assess how quickly businesses are heading in the opposite direction from security. This raises the question: when is the right time to spend money on security?

As with any capital investment or operating expense, application security is a choice;

Just as an internal access policy with its respective punishments can compel more secure access, combining preventive, reactive and proactive measures to form a comprehensive information security program elsewhere in universities is extremely important;

The quest for quality assurance in education is quite unique.

The misunderstanding of ISO 9000 among academics is very clear; they often have a mistaken view of the quality standard. The pursuit of accreditation standards in education shows the intention to strengthen the reputation of universities.

"Teaching is a creative art, it is emotion and commitment. How could one reduce it to a set of standards and procedures?"

To meet the requirement, the standard must be presented in a way that allows flexibility for academics, and persuasion.

ISO 9000 in universities should be seen as a matter of organizational culture and attitude.

Therefore, ISO 9000 can become a viable alternative, a means of building procedures to develop better education. Think about it!

Tuesday, 18 October 2011

SECURITY OFFICER - THIS IS THE GUY......


Do not think that managing an Information Security area is an irrelevant or conditional matter. Contrary to what many think, the poor IS manager suffers in relation to other areas while trying to do his best work in investigation and audit. Yes, IS also has audits. The manager in this area lives pointing out problems and trying to solve them as well as possible. Unfortunately, the IT department in particular forces him to wake up (to reach agreements) to meet its demands promptly and quickly. The fact is that serving IT means reconciling conflicting non-participation, that is, a conflict of interest can give the security area a bad image if our Information Security Manager does not take his own political image into account. Sounds complicated? It is not... No... The ability of the right manager in this area takes him to the highest level of the organization, leading him to be respected by the other areas.
This guy is tired of seeing situations where the word "stopgap" is in IT's dictionary even though it does not exist in the IS dictionary.
For this and other reasons, the area should, in my humble opinion, be isolated from IT and in many cases report to another board. In cases where IS is under the jurisdiction of IT Management, the conflict ends up disturbing this area as well as the work related to it.
I have seen cases in which sparks between IS and the Management Boards were decisive in the relationship between the areas. An Information Security Manager, in addition to being very patient, must have enough tact and flexibility to get rid of these troublesome conflicts of interest, and the power to know that his area is so great that, even as a manager, he will be considered "the Almighty". Do not make this phrase your motto in the corporation, because then you will be overpowering other areas and other managers. Humility and knowledge will be your weapons against existing conflicts. Act politically and with determination, knowing that your ability and your understanding of all parties will do better.
The world of Information Security Management is a race to know without being hit, forcing improvements in processes and, consequently, better results for the corporation.
Thinking about yourself is not thinking about YOU. When this occurs, the corporation loses. Hitting others with harsh words will not make you the winner among areas either. Being tough with someone who was tough with you will only do the same to the manager who caused it.
The Information Security Manager will always be the guy who delivers for his area, for other areas and for the corporation. The word "envy" may be very strong here, but be sure of one thing, my dear tiespecialistas reader:
"Do or Do Not, There Is No Try" for an Information Security Manager

Tuesday, 23 August 2011

CRACKER X HACKER - original in http://www.tiespecialistas.com.br/2011/08/cracker-x-hacker/


In my last article I explained what I mean by hackers and crackers, and how they differ, for good and for bad. Some people questioned me about the two words, so here I spend a little time on history and comments.
"CRACKER... it is not a wafer and has no taste; only when an intrusion occurs do we learn what it tastes like. The bitter taste of everything that was built being destroyed."
The Wikipedia definition is as follows:
Cracker is a term used to describe someone who practices the breaking (or cracking) of a security system, illegally or unethically. The term was coined in 1985 by hackers in reaction to the journalistic use of the term hacker. Its use reflects the strong revolt against theft and vandalism committed by cracking.
In other words: one who breaches the security of a system.
Wikipedia also discusses the controversy over the term, but what follows is a bit of opinion. The use of both neologisms reflects a strong revulsion against theft and vandalism on the net. The neologism "cracker" in this sense may have been influenced by the slang term "cracker", which in Shakespearean English meant an unpleasant person and which in modern colloquial American English survives as a derogatory synonym for "white trash".
While it is expected that any real hacker has done some raids, with undeniable skill in their techniques, the term "cracker" falls into oblivion and "HACKER" rises to the position of the dark side of the Force.
Thus, there is far less overlap between hacker and cracker than the regular reader, misled by sensationalist journalism, might expect. Crackers tend to gather in small groups, very close-knit and secret, but well known in the media due to their exposure, and crackers often like to describe themselves as hackers. An easy way to tell hackers and crackers apart is that crackers use names that hide their identities. Hackers never do this: they rarely use noms de guerre in anything they do, and when they do, it is to show rather than to conceal.
Changing the subject a bit, has anyone thought to ask whether the attacks are one more reason to hasten the DIGITAL CRIMES LAW IN BRAZIL?
In fact, do the attackers themselves know this, or ever think about it?
"Hacker" is the malicious security cracker.
It is good just to have a story as interesting as this. We could write about it forever; it is deeply cultural and historical, something we can call "NO MATTER THE END, BUT THE ACTS".
Whether for GOOD... they are in the history of information security,
Whether for BAD... they are in the history of information security,
They are nothing more than history, and they drive IT upgrades in their entirety.

Below are the names of some famous hackers and crackers, just to remember them.

Tuesday, 9 August 2011

hacker attacks in Brazil




About two or three years ago I was with Mr. Julio Semeghini and Dr. Renato Opice Blum in a debate on computer crime law hosted by Decision Report.

Also in this debate was Cristine Hoepers of CERT.BR, among the other guests; here is a link to watch a portion of the broadcast: http://www.youtube.com/watch?v=wjXF50ZWKcM&feature=player_embedded

Even then, in 2009, the bill (PL 84/99) had been waiting a long time for approval, and it seems to have no direction and no end date.

With so much beating around the bush to put it into practice, amended and "struck through" as it has been (PLS 84), attacks and more attacks will happen, and these digital crimes, even when their attackers are identified, cannot be punished, because we still do not have a law that defines this type of crime.

I am no lawyer, but I believe there is still no legal framework for computer crime in Brazil. It seems that only Decree-Law 2.848/40 has something that defines it, but not the whole offense. The fact is that the short memory of Brazilian politicians does not recall the attack in January 2011 protesting against the Dilma government, which the group Fatal Error Crew claimed, nor the attack in June by the same group allied with LulzSec Brazil.

Other interesting dates were 2005 and 2007, when strange blackouts left more than 4 million people in the dark. Those dates also had hackers among their possible causes...

And so we are left behind even in laws, as countries such as Chile and Argentina already have a digital law.

With groups and foundations forming, such as the hacking group LulzSec Brazil, Anonymous, etc., the number of attacks committed will grow greater and greater;

There will always be attackers and defenders. When new holes are discovered, site after site suffers attempted intrusions and/or actual intrusions.

Government bodies are conspicuous when attacked, but what happens to the sites of small and medium enterprises?

These are under constant attack, but there is not much media coverage of it; only when a large bank or a large company is the target, then yes....

For hackers, training for intrusion is easy when they have such sites on which to test, approve and put into production in just over an hour.

The same tools used for the security and good of an organization are also used by hackers, and most of the time with greater dexterity.

It is worth mentioning here several memorable hacker names, such as Kevin Mitnick, but I believe the best hacker of his time, on the record as a hunter, was Tsutomu Shimomura, who was on the good side. There is a sense in which the word hacker came to mean bad programming. Hacker has always been, and always will be, associated with raids, but at other times this word meant someone knowledgeable in improving our environment; in this new era it is fading to the dark side of the Force, and the word cracker better defines an intruder, but that is a topic for another story here at IT Specialists (www.tiespecialistas.com.br).

Wednesday, 3 August 2011


Monday, 1 August 2011

Security in IT.

Ensuring that your data is protected is more than necessary these days. Validating information, monitoring, and bringing it to acceptable security levels is our role in helping you.
