Micromanage vs. Empower

 

Compliance (Why & How)

Compliance in business is a critical component of ensuring that organizations operate within the boundaries of laws, regulations, and ethical standards. It involves adhering to statutory and regulatory laws, rules, and standards applicable to a business, thereby safeguarding the organization from legal and financial liabilities. This article explores the importance of compliance, the consequences of non-compliance, and how businesses can effectively implement compliance programs.

Why Compliance is Important

Compliance is essential for several reasons:

1. Legal Protection: Adhering to compliance requirements helps organizations avoid fines, penalties, and lawsuits. Non-compliance can lead to severe legal repercussions, including financial losses and damage to the company's reputation
2. Reputation Management: Companies that consistently comply with regulations are seen as trustworthy and reliable. This can enhance their reputation among customers, partners, and investors, leading to increased business opportunities

Endpoint Attacks and Countermeasures

Endpoint security is a critical aspect of safeguarding information systems. An endpoint refers to any device that connects to a network, such as laptops, desktops, mobile devices, or servers. These endpoints are often targeted by attackers due to their accessibility and the critical data they hold. This article outlines the basic concepts of endpoint attacks, the tactics and tools used by attackers, and countermeasures to protect against these threats.

1. User-Initiated Actions

Attack Tactics: Attackers exploit user trust and curiosity through phishing emails, social engineering, and malicious downloads. They impersonate legitimate entities to lure users into clicking malicious links or attachments, leading to malware installation or data breaches.

Countermeasures:

• Implement robust email filtering and anti-phishing solutions.
• Educate users on security best practices.
• Use security software that scans downloads for malicious content.
• Restrict administrative privileges to minimize damage from user-initiated actions.

บริษัท เจไอบี คอมพิวเตอร์ กรุ๊ป จำกัด ถูกปรับเป็นเงิน 7 ล้านบาท

บริษัท เจไอบี คอมพิวเตอร์ กรุ๊ป จำกัด ถูกคณะกรรมการผู้เชี่ยวชาญ คณะที่ 2 (เรื่องร้องเรียนเกี่ยวกับเทคโนโลยีดิจิทัล และอื่น ๆ) มีคำสั่งตัดสินให้รับโทษปรับทางปกครองภายใต้พระราชบัญญัติคุ้มครองข้อมูลส่วนบุคคล พ.ศ. 2562 (PDPA) ปรับเป็นเงิน 7 ล้านบาท เนื่องจากข้อมูลส่วนบุคคลของลูกค้ารั่วไหล

การส่งหรือโอนข้อมูลส่วนบุคคลไปยังต่างประเทศ (PII Cross-border Transfer)

"การส่งและรับข้อมูลส่วนบุคคลในลักษณะที่เป็นเพียงสื่อกลาง (intermediary) ในการส่งผ่านข้อมูล (data transit) ระหว่างระบบคอบผิวเตอร์หรือระบบเครือข่าย หรือการเก็บพักขัอมูล (data storage) ในรูปแบบชั่วคราวหรือถาวรที่ไม่มีบุคคลภายนอกเข้าถึงข้อมูลส่วนบุคคลนั้น ไม่ถือว่าเป็นการส่งหรือโอนข้อมูลส่วนบุคคล"

--

สำนักงานคณะกรรมการคุ้มครองข้อมูลส่วนบุคคล (PDPC)

IAAA: Identification, Authentication, Authorization, and Accountability

Identification involves something unique to the user, such as a name, username, ID number, or Social Security number. It establishes who the individual claims to be.

Authentication ensures that the person is who they claim to be, typically involving multifactor authentication (MFA), which combines:

• Type 1: Something you know (password, passphrase, PIN).
• Type 2: Something you have (ID, smart card, token, one-time password).
• Type 3: Something you are (biometrics like fingerprints, iris scans, facial geometry).

Authorization determines what the authenticated user can access, using various models:

• DAC (Discretionary Access Control): Users grant rights to objects.
• MAC (Mandatory Access Control): Strict, least-privilege access, common in military/intelligence sectors.
• RBAC (Role-Based Access Control): Access based on user roles, common in the private sector.
• ABAC (Attribute-Based Access Control): Access based on attributes of the user.

Accountability involves tracing actions to users to ensure non-repudiation, often facilitated through auditing.

เกณฑ์การแชร์ข้อมูลภัยคุกคามทางไซเบอร์ (Traffic Light Protocol : TLP) เวอร์ชัน 2.0

---

ศูนย์ประสานการรักษาความมั่นคงปลอดภัยไซเบอร์ด้านสาธารณสุข (HealthCERT)

เว็บไซต์ข่าวสาร : cyber.moph.go.th

Authentication Factors (ปัจจัยของการตรวจสอบสิทธิ์)

Authentication is a critical aspect of information security, aiming to verify the identity of users accessing systems and data. The most common authentication mechanisms are categorized into several factors, including "Something You Know," "Something You Have," and "Something You Are." These factors can be used individually or combined to enhance security. 

Here is a detailed explanation of each factor:

1. Something You Know (สิ่งที่คุณทราบ)

This factor refers to information that the user knows, such as a password, PIN, or answer to a security question. It is the most common form of authentication but also the most vulnerable to attacks such as phishing, social engineering, and brute force attacks.

Script kiddie, Shadow IT, Hacktivism, White-hat (Definition & Impact)

Script Kiddie

Definition and Characteristics:

A script kiddie is an individual who uses existing computer scripts or codes to hack into computers, networks, or websites, without understanding the underlying concepts or mechanisms. These individuals typically lack the advanced knowledge or skills of professional hackers and rely on pre-written tools and scripts to carry out their activities. The term is often used pejoratively to describe amateur hackers who pose a security threat due to their lack of expertise and understanding of the potential consequences of their actions.

Data Security, Data Privacy, and Data Protection

" Data Security, Data Privacy, and Data Protection is one topic

Data privacy cannot exist without data security. Data security cannot be achieved without first determining what needs to be kept private and secure. "