Oct 30 2013

Integrating TOGAF and The Banking Industry Architecture Network (BIAN) Service Landscape Whitepaper

Today The Open Group released the updated whitepaper, Integrating the TOGAF® Standard with the BIAN Service Landscape. This release may be useful to architects in the banking space who use, or are considering using, TOGAF in conjunction with BIAN.

For those not familiar with BIAN, it is a not-for-profit organization which seeks to accelerate the adoption of Service-Oriented Architecture (SOA) in the banking industry. It does so by promoting convergence towards a common service landscape, and by providing semantic standards which make it easier and more cost-effective to integrate such services.

Mike The Architect Blog: TOGAF and BIAN Whitepaper

This whitepaper aims to support Enterprise Architects within the banking industry in reaping the synergies of two complementary industry frameworks:

  • TOGAF®, an Open Group Standard, is a proven Enterprise Architecture methodology and framework used by leading global organizations to improve business efficiency.
  • BIAN, the Banking Industry Architecture Network, delivers an overall framework and set of IT Service definitions and BIAN Business Scenarios specific to the banking industry, aimed at improving systems interoperability.

At the heart of the White Paper, the TOGAF standard and BIAN are mapped to each other. The use of the BIAN deliverables in the context of the TOGAF Architecture Development Method (ADM) is further elaborated. For each step in an architecture development process, the integration of BIAN deliverables is described.

 

For more information

Oct 30 2013

Cisco Releases Security Advisory

Original release date: October 30, 2013

Cisco has released a security advisory to address multiple vulnerabilities in Cisco IOS XE Software for 1000 Series Aggregation Services Routers (ASR). These vulnerabilities, which are independent of each other, could allow an unauthenticated remote attacker to cause a denial-of-service condition.  

Cisco has released software updates that address these vulnerabilities.

 

US-CERT encourages administrators of this software to review Cisco Security Advisory 20131030-ASR1000 and follow best practice security policies to determine if their organization is affected and the appropriate response.




Oct 30 2013

How is the Canadian Government Doing on Protecting Personal Information in its Operations?

In the last two weeks, the outgoing Privacy Commissioner of Canada, Jennifer Stoddart, has released three reports that provide insight into how well Canada’s federal government currently protects the personal information of Canadians in the course of departmental and agency operations.

Yesterday, the Privacy Commissioner tabled her Annual Report on the federal Privacy Act. The Privacy Act governs the collection, use and disclosure of personal information by approximately 250 federal government departments and agencies. The Annual Report is Commissioner Stoddart’s last report before the end of her mandate as Privacy Commissioner.

The Privacy Commissioner’s Annual Report disclosed:

  • Cross-border sharing of data between Canada and the US is expanding and being systematized. The Commissioner has raised concerns that this is a departure from previous practice in which information-sharing has occurred on a carefully considered case-by-case basis.
  • Record numbers of complaints were received by the Office of the Privacy Commissioner of Canada (OPC) from April 2012 to March 2013.
  • In total numbers, the OPC received 2,273 complaints. Even deducting the complaints from two major breaches at what was then known as Human Resources Development Canada and Justice Canada, the total number of complaints would have been a record high.
  • Data breaches are being reported in increasing numbers. 109 breaches were reported to the OPC in 2012-2013.

The Annual Report was accompanied by two other reports in recent weeks. Last week, the Office of the Privacy Commissioner (OPC) released a report on the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC). Yesterday, the OPC issued a report on an audit of the Canada Revenue Agency (CRA).

The OPC’s report on the CRA audit appears to reveal an organization that has made significant strides in enhancing security but remains slow in responding to some of the OPC’s recommendations. In particular, the OPC’s report reveals that:

  • There have been more than 50 cases in 2011 and 2012 of inappropriate access to taxpayer information. Some involved thousands of taxpayer files over an extended period of time.
  • Although the OPC recommended the appointment of a Chief Privacy Officer following a 2009 audit of the CRA (a position not required by the Privacy Act or Treasury Board guidelines), this position was not filled until April 2013. Moreover, the role of the Chief Privacy Officer still had not been fully defined to the satisfaction of the OPC.
  • CRA uses generic User IDs for some functions (that is, User IDs that are used by more than one person).
  • CRA does not always complete Privacy Impact Assessments and Threat and Risk Assessments.
  • CRA’s systems for detecting and preventing inappropriate employee access are inadequate.
  • CRA fails to report privacy breaches and inappropriate access to the Access to Information and Privacy Directorate.

In the FINTRAC Report, the OPC noted:

  • FINTRAC (which receives financial transaction reports on money laundering and terrorist financing) holds approximately 165 million records.
  • Some of the reports do not clearly demonstrate any reasonable grounds for suspicion. Nevertheless, FINTRAC has retained these reports.
  • Although FINTRAC has accepted the OPC’s recommendations from a previous 2009 audit, it has made limited progress in addressing five issues. With one exception, all of the issues are related to over-collection or to the failure to purge unnecessary information that has been retained. The one exception involves the need to revise a consent form for entry into a dwelling to more clearly and transparently address the authority, purposes and uses of the information to be collected.

The Annual Report can be found here. The CRA Report and the FINTRAC Report are available here and here.

Oct 30 2013

FoxOne Free OSINT Tool – Server Reconnaissance Scanner

FoxOne is a free OSINT tool, described by the author (th3j35t3r) as a Non-Invasive and Non-Detectable Server Reconnaissance Scanner. It bypasses API limitations and currently detects 6500+ vulnerable server paths/files without ever touching the target server. It is very good for getting hold of intel on a given domain (example.com). The intel...

Read the full post at darknet.org.uk