Tag Archive for: Framework

Zero Trust Framework: A Guide to Implementation

/in


Implementing a Zero Trust framework across an organization requires leading with a “never trust and always verify” mindset to secure your data and resources. Over the years, organizations have increasingly implemented Zero Trust frameworks into their environment because technological advancements and modern-day workforce changes such as SAS applications, cloud-based data centers, mobile devices, remote workforce, and much more, have caused the network perimeter to become challenging to define.

Implementing a Zero Trust security model suggests that enterprises cannot automatically trust any endpoint originating inside or outside its perimeter; therefore, strict privileges, user access, and authentication is required at every level for applications, devices, and users. Depending on your operation, business objectives, and the type of legacy systems you use, there is not a one-size-fits-all solution. Zero Trust can be challenging to implement and even counterproductive in some environments.

Ultimately, it will take time, resources, and team buy-in to create a cohesive and reliable strategy. Before you create a detailed roadmap, first gauge your security maturity with this Forrester assessment to help guide your projects and initiatives.

Where to Start When Implementing a Zero Trust Framework

Where do you begin with your Zero Trust strategy? Forrester’s report, A Practical Guide to a Zero Trust Implementation, explores five components from its Zero Trust Extended (ZTX) framework for you to focus on when developing your strategy, including:

Let’s take a look at each of these areas more in more detail to understand the practical building blocks of a successful Zero Trust implementation.

Zero Trust for People

Humans are often the weakest link in security practices, falling victim to phishing attacks or making mistakes due to bad password management. It’s critical to align your strategy with the people across your entire organization by investing in identity and access management (IAM) throughout your on-premises or cloud environment. With data being accessed by consumers, employees, and third parties, organizations need to develop a process for consistent monitoring of…

Source…

GravityBox gets updated to support the Xposed Framework on Android 11

/in


If you have ever used the Xposed Framework before, you probably already know about GravityBox. In case you’re unaware, GravityBox is an all-in-one Android customization toolkit that lets you modify the lockscreen, the navigation bar, the status bar, the display, the actions of software and hardware buttons, and much more. It took a long time for the popular module to be updated with support for Android 11, but after an immense amount of work, XDA Senior Recognized Developer C3C076 recently made it happen.

With the debut of GravityBox 11.0.0-beta-1, one of the single biggest tweak boxes available for Xposed has now become compatible with the latest iteration of Android. Keep in mind that the official version of the Xposed Framework, maintained by XDA Senior Recognized Developer rovo89, has not seen a new release since early 2018, which is why users need to set up Riru and EdXposed Manager via Magisk before installing the module.

The feature highlights for the initial beta of GravityBox 11 include:

  • Lockscreen tweaks
  • QuickSettings tile management with additional tiles
  • Statusbar tweaks
  • Navigation bar tweaks
  • Pie controls
  • Power tweaks
  • Display tweaks
  • Phone tweaks
  • Media tweaks
  • Hardware/navigation key actions
  • GravityBox Actions – interface for 3rd party apps
  • Notification control (per-app notification LED/sounds/vibrations)
  • Fingerprint launcher
  • Advanced tuning of Framework and System UI parameters

Download GravityBox for Android 11

According to the developer, the module has been developed and tested on the Google Pixel 3a running Android 11. While the current build of GravityBox is quite complete for a beta release, it is worth mentioning that both this and the Riru-EdXposed Magisk module for Android 11 itself are in their early stages. As a consequence, some functionality might not work or there might be unexpected errors. For now, we suggest you flash the module with caution and remember to make a backup.

Source…

China Bolsters Foreign Direct Investment FDI Review Framework

/in


Saturday, January 23, 2021

The People’s Republic of China (PRC or China) established a foreign investment security review in 2011 that focused exclusively on the merger and acquisition of domestic companies by foreign investors in a notice issued by the State Council (the 2011 Notice)1. On December 19, 2020, the National Development and Reform Committee (NDRC) and the Ministry of Commerce (MOFCOM) jointly released the Measures on Foreign Investment Security Review (the Measures) that expand the scope of such reviews. The Measures have taken effect from January 18, 2021, and will be enforced by a “working mechanism” to be jointly established by NDRC and MOFCOM (the Working Mechanism).

Here, we take a closer look at the key sections of the Measures:

Foreign Investment Subject to National Security Review

The Measures cover almost all direct or indirect investment activities by foreign investors in China, including greenfield investments and joint ventures. The complete list of covered investments are:

  • Establishment of new projects and new entities by foreign investors

  • Acquisition of equity or assets of domestic companies by a foreign investor

  • Other forms of investment made by a foreign investor in China

The last point is exceptionally vague. Under the 2011 Notice and the relevant rules applicable in free trade zones, “other forms of investment” is interpreted to include structures such as control through agreements (or the so-called VIE structure), nominee shareholding, trust arrangement, offshore transaction, leasing and subscription of convertible bond.

Industries Subject to National Security Review

In addition to the forms of investment, the Measures significantly expand the list of industries in which foreign investment will be subject to national security review. These include “critical cultural products and services, critical information technology and internet products and services, and critical financial services”.

The Measures divide the industries subject to national security review into two categories: (i) military-related industries regardless of the element of…

Source…

Operationalize the NIST Cybersecurity Framework Without Pulling All Your Hair Out (Part 2 of 3)

/in


This is the Part 2 of a 3-part blog on how to use the NIST cybersecurity framework without getting bogged down and lost in the minutia of the specification documents. Part 1 can be found here, and we recommend you read this piece first if you have not already done so.

Let’s recall the 5 core functions of NIST.

NIST Cybersecurity Framework
NIST Cybersecurity Framework

In Part 1 of this blog, we discussed the Identify function and how it is foundational to the NIST cybersecurity Framework. We saw how implementing Identify enables clear communication and decision-making within the cybersecurity team and in the board room.

We also discussed what you need to do in order to gain increased maturity in your implementation of Identify. We defined some KPIs that you can use everyday to track progress in the maturity level of your Identify capabilities.

In this 2nd part, we will discuss how to implement the Protect and Detect functions of the NIST cybersecurity framework.

PROTECT

“The key to protecting the enterprise is to be proactive in managing your vulnerabilities and risk items.”

Your 1st line of defense against cyberattacks consists of the following elements:

  • Firewalls, IPSes, WAFs
  • VPN and BeyondCorp
  • Endpoint security
  • Continuous vulnerability management

Firewalls allow you to implement a set of rules that restrict outside access to your internal network resources. In the old days all you needed to worry about was firewalls at the connection points between your various sites and the Internet. Today, you also need to worry about deploying and appropriately configuring firewalls at your cloud-based data centers (e.g., AWS VPCs), and for each mobile endpoint.

Intrusion Protection Systems (IPSes) inspect network traffic and block malicious network traffic, and may be deployed in addition to Firewalls or as part of a consolidated product. Web Application Firewalls are specialized systems designed to protect your public web-based applications.

Firewalls, IPSes and WAFs help you “lock down” access to your distributed enterprise. In order to support authorized users to securely access your network, Virtual Private Network (VPN) systems can be implemented. Some organizations, e.g., Google, have moved away from VPNs by…

Source…