ISM Info

Security Maturity Model Questionnaire

Underprepared

  • Implement security processes with formal guidelines across all departments
  • Automate cybersecurity processes wherever possible
  • Conduct periodic reviews to fine-tune security operations

In Transition

  • Assess suppliers and contractors to ensure they fulfil information security assurances
  • Align business needs with security requirements to avoid competing objectives and ensure the entire organisation pursues the same goal
  • Implement incident response and management procedures that enable users to take immediate action

Security Leaders

  • Automate as many cybersecurity processes as possible
  • Integrate threat intelligence into automated processes to help tools find threats that slipped through network defences
  • Align business and security needs to achieve cloud adoption and other digital transformation business objectives


Organisation Culture

  1. No dedicated security role, either in IT or in other risk/compliance departments
  2. Information security is addressed within the organisation, with at least one employee responsible for it
  3. A CISO exists and sets security strategy for the organisation
  4. Information security is implemented throughout customer facing, operations, and support functions
  5. Suppliers and subcontractors are assessed to ensure they fulfil security assurances

Technology and Controls

  1. Standard network security tools are used (main objective = preventing network breaches)
  2. Standard network security tools are used to gain visibility of which data assets are being secured (main objective = detecting threats)
  3. Security processes are semi-automated to defend against threats; Static “normal” network behaviour and context are created to understand the status of risk profiles at a single point in time
  4. Advanced tools are used to anticipate and prepare for unknown threats
  5. The majority of security processes are automated; Leveraging threat intelligence is a business objective; Adaptive network behaviour and context are created to understand the real-time status of risk profiles

Security Operations

  1. Security practices are implemented without formal guidelines
  2. Security practices are embedded in formal guidelines to be used by IT and information security teams
  3. Guidelines and security processes are established in all IT, customer facing, operations, and support functions; Incident response procedures are defined
  4. Periodic reviews are conducted to fine-tune security operations, and incident response procedures are implemented
  5. Continuous tests of security operations are conducted, including automated incident response and management with technical, customer facing functions, operations, and support staff


  1. No dedicated security role, either in IT or in other risk/compliance departments
  2. Information security is addressed within the organisation, with at least one employee responsible for it
  3. IT and information security teams are aware of AND carry out security practices as defined by formal guidelines; Training is received to ensure both teams are kept up to date
  4. Technical, customer facing functions, operations, and support staff receive training and education to keep up to date on information security risks
  5. Technical, customer facing functions, operations, and support staff regularly participate in incident response activities


Cloud Adoption

  1. No organisation-wide cloud strategy
  2. Cloud infrastructure is fully automated
  3. Cloud strategy is set by IT and business units (but without security input) to re-set business processes to achieve desired outcomes
  4. Cloud strategy is set by IT, business units and security
  5. Internal processes have been optimised as a result of cloud, and automated controls are enabled to allow for distributed clouds






ReactNative vs. Apache Cordova

Many of you may already be familiar with Apache Cordova as an open-source project that enables web developers to build mobile apps with full access to native APIs and offline support. In a Cordova app, the entire UI executes inside a full-screen WebView where you can leverage the same HTML, CSS and JS frameworks found on the web. But, since the UI is rendered in the WebView, it can be difficult if not impossible to achieve a truly native look and feel.

ReactNative apps are also written in JavaScript, or, more specifically, with the React/JSX framework. But rather than running in a WebView like Cordova, the code runs in a JavaScript engine that is bundled with the app. ReactNative then invokes native UI components (e.g. UITabBar on iOS and Drawer on Android) from JavaScript. This means that you can create native experiences that aren’t possible with Cordova.

That said, Apache Cordova is presently a more mature and stable technology that lets you write a common UI layer using web technologies, whereas ReactNative is much newer and still requires you to write distinct UI layers. If your app requires native UI and you enjoy the excitement of a rapidly evolving JavaScript platform, then ReactNative might be an option to consider.

Open Source Threat Detection and Response

DDoS Attack Types

  1. Volumetric attacks, which are believed to comprise more than 50 percent of attacks launched, are focused on filling up a victim’s network bandwidth. Among the most common volumetric attacks are User Datagram Protocol (UDP) flood attacks, where an attacker sends a large number of UDP packets to random ports on a remote host. UDP floods accounted for approximately 75 percent of DDoS attacks in the last quarter of 2015, according to the Verisign DDoS Trends Report. A common form of UDP flood attack relies on reflection and amplification. UDP is a connectionless protocol (that is, it doesn’t require that the two ends of a conversation establish a connection before exchanging data). An attacker can therefore forge UDP packets with fake source addresses and use those packets to generate reply traffic. By setting the source of the UDP packets to be the IP address of the intended victim, and then sending those packets to various servers for UDP-based applications, the attacker causes the servers to send reply traffic to the forged source IP address, the victim. This reply traffic is the “reflection” part of the attack. It’s a lot like calling every pizza place in your county and ordering a lot of pizzas to be delivered to someone you really don’t like. The “amplification” part comes in when you understand that many UDP services generate replies that are much larger than the initial request. For instance, the Domain Name Service (DNS) has a bandwidth amplification factor of 28 to 54 (the reply to a DNS request can be between 28 and 54 times larger than the request). The Network Time Protocol (NTP) has a bandwidth amplification factor of 556. By combining reflection (the server sends reply traffic to a spoofed source address) with amplification (the reply traffic is a lot larger than the initial request), attackers can do a lot of damage to a victim with very little effort on their part. A number of UDP-based applications and services can be used to generate amplification and reflection attacks, including DNS, NTP, Simple Service Discovery Protocol (SSDP), and Simple Network Management Protocol (SNMP).
  2. Protocol attacks (sometimes also called state-exhaustion attacks) target a weakness in how a protocol operates. A well-known protocol attack is the SYN flood, which targets the three-way handshake mechanism in TCP. When a server receives a SYN packet, this is a signal to the server that another machine wants to open a TCP connection. The server allocates some of its resources to this half-open connection and sends a SYN ACK packet back to the initiating machine. Under normal circumstances, the initiator then sends an ACK packet to the server, the three-way handshake is complete, and the machines exchange data. In a SYN flood attack, an attacker sends a rapid succession of TCP SYN requests, typically from spoofed source IP addresses, to open a connection to a network server. The server sends SYN ACK packets back to the source addresses, which never reply with an ACK. The server keeps the half-open TCP connections around, using up resources, until it is no longer able to accept any new connections.
  3. Application attacks target weaknesses in how an application works. One well-known application attack is Slowloris, which targets web servers. In a Slowloris attack, the attacker sends HTTP requests to a web server without ever completing the requests. Periodically (and slowly, hence the name), the attacker sends additional headers, thus keeping the request “alive” but not finished. Similar to a SYN flood, this forces the web server to maintain open connections for these partially completed HTTP requests, eventually preventing it from accepting any new connections.
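Each of the three attack classes above leaves a distinct fingerprint in traffic telemetry, which is what a detection engineer would key on: reflection shows up as a host receiving far more bytes from amplifier service ports (DNS, NTP, SNMP, SSDP) than it ever sent to them, a SYN flood as a server whose half-open handshakes are never completed, and Slowloris as a single client holding many connections whose request headers never finish. The script below is an added defender-side example, not code from the original page; it runs three such heuristics over constructed flow, segment and connection samples (documentation IP ranges, made-up byte counts) rather than real captures. Field names (proto, src, sport, dst, dport, bytes, flags, opened_at, headers_complete) and the thresholds are assumptions chosen for the demonstration.

```python
"""Defender-side heuristics for the three DDoS classes described above,
run over small constructed samples (no real traffic is read)."""
from collections import defaultdict

# UDP services commonly abused as reflectors, keyed by their well-known port.
AMPLIFIER_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP", 1900: "SSDP"}


def reflection_suspects(flows, min_ratio=10.0, min_bytes=10_000):
    """Flag hosts that receive far more bytes *from* an amplifier service port
    than they sent *to* it: the reflection/amplification signature.
    Each flow is a dict: proto, src, sport, dst, dport, bytes (assumed schema).
    Returns {(victim_ip, service): inbound/outbound byte ratio}."""
    inbound = defaultdict(int)   # (host, service) -> bytes received from the service port
    outbound = defaultdict(int)  # (host, service) -> bytes the host sent to the service port
    for f in flows:
        if f["proto"] != "udp":
            continue
        if f["sport"] in AMPLIFIER_PORTS:
            inbound[(f["dst"], AMPLIFIER_PORTS[f["sport"]])] += f["bytes"]
        if f["dport"] in AMPLIFIER_PORTS:
            outbound[(f["src"], AMPLIFIER_PORTS[f["dport"]])] += f["bytes"]
    suspects = {}
    for key, recv in inbound.items():
        ratio = recv / max(outbound.get(key, 0), 1)
        if recv >= min_bytes and ratio >= min_ratio:
            suspects[key] = round(ratio, 1)
    return suspects


def syn_flood_suspects(segments, min_half_open=50, min_fraction=0.8):
    """Track the three-way handshake per (client, server) pair: a client SYN
    opens a half-open entry, the client's ACK closes it. Servers with a large
    backlog that is mostly never completed are flagged.
    Each segment is a dict: src, dst, flags in {'S', 'SA', 'A'} (assumed schema).
    Returns {server_ip: half_open_count}."""
    pending = set()
    syns = defaultdict(int)
    for seg in segments:
        key = (seg["src"], seg["dst"])
        if seg["flags"] == "S":
            pending.add(key)
            syns[seg["dst"]] += 1
        elif seg["flags"] == "A":
            pending.discard(key)  # client completed the handshake
    half_open = defaultdict(int)
    for _, server in pending:
        half_open[server] += 1
    return {s: n for s, n in half_open.items()
            if n >= min_half_open and n / syns[s] >= min_fraction}


def slowloris_suspects(connections, now, header_timeout=30.0, min_connections=20):
    """Count, per client, connections open longer than header_timeout seconds
    whose HTTP request headers are still incomplete. A single slow client on a
    bad link produces one or two of these; Slowloris produces dozens.
    Each connection is a dict: src, opened_at, headers_complete (assumed schema).
    Returns {client_ip: stalled_connection_count}."""
    stalled = defaultdict(int)
    for c in connections:
        if not c["headers_complete"] and now - c["opened_at"] > header_timeout:
            stalled[c["src"]] += 1
    return {src: n for src, n in stalled.items() if n >= min_connections}


def sample_udp_flows():
    """Constructed: 192.0.2.10 sent one 64-byte DNS query, yet receives large
    DNS replies from three resolvers (reflection). 192.0.2.20 has a benign NTP exchange."""
    flows = [{"proto": "udp", "src": "192.0.2.10", "sport": 40000,
              "dst": "198.51.100.1", "dport": 53, "bytes": 64}]
    for i in range(1, 4):
        flows.append({"proto": "udp", "src": f"198.51.100.{i}", "sport": 53,
                      "dst": "192.0.2.10", "dport": 40000, "bytes": 4000})
    flows.append({"proto": "udp", "src": "192.0.2.20", "sport": 50000,
                  "dst": "203.0.113.5", "dport": 123, "bytes": 48})
    flows.append({"proto": "udp", "src": "203.0.113.5", "sport": 123,
                  "dst": "192.0.2.20", "dport": 50000, "bytes": 48})
    return flows


def sample_tcp_segments():
    """Constructed: 60 spoofed clients SYN 192.0.2.10 and never ACK;
    three real clients complete the handshake with 192.0.2.11."""
    segs = []
    for i in range(60):
        src = f"203.0.113.{i + 1}"
        segs.append({"src": src, "dst": "192.0.2.10", "flags": "S"})
        segs.append({"src": "192.0.2.10", "dst": src, "flags": "SA"})
    for i in range(3):
        src = f"198.51.100.{i + 10}"
        segs += [{"src": src, "dst": "192.0.2.11", "flags": "S"},
                 {"src": "192.0.2.11", "dst": src, "flags": "SA"},
                 {"src": src, "dst": "192.0.2.11", "flags": "A"}]
    return segs


def sample_connections(now):
    """Constructed: one client holds 25 header-incomplete connections for two
    minutes; an honest slow client holds two; one normal request is complete."""
    conns = [{"src": "203.0.113.99", "opened_at": now - 120.0, "headers_complete": False}
             for _ in range(25)]
    conns += [{"src": "198.51.100.7", "opened_at": now - 45.0, "headers_complete": False}
              for _ in range(2)]
    conns.append({"src": "198.51.100.8", "opened_at": now - 5.0, "headers_complete": True})
    return conns


if __name__ == "__main__":
    print("reflection:", reflection_suspects(sample_udp_flows()))
    print("syn flood:", syn_flood_suspects(sample_tcp_segments()))
    print("slowloris:", slowloris_suspects(sample_connections(1000.0), now=1000.0))
```

The thresholds are the important design choice: the reflection check requires both a high reply-to-request ratio and a minimum volume so a single large DNS answer does not fire, the SYN check requires the backlog to be both large and mostly uncompleted so a busy but healthy server is not flagged, and the Slowloris check counts stalled connections per client so one user on a poor link stays below the bar.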