Carving Enterprise Standards

CSO FORUM, A 9.9 Media Publication, 21 OCTOBER 2010

FREE WITH YOUR COPY OF CHIEF TECHNOLOGY OFFICER FORUM

CARVING ENTERPRISE STANDARDS
Business objectives point to some INFORMATION SECURITY concerns, while regulatory compliance necessitates others. Security standards facilitate both and fill the gap. PAGE 05

IN-SHORT: India Develops its own OS. PAGE 03
IN-PERSON: Servicing Surveillance. PAGE 04
OPINION: Stuxnet Hits India. PAGE 07
IN-SHORT

Stuxnet 'a Game Changer' for Malware Defence

THE STUXNET malware is a game changer for critical information infrastructure protection, warns ENISA (the European Network and Information Security Agency). It is also expected that a similar attack by malware capable of sabotaging industrial control systems, as Stuxnet does, may occur in future. The worm, whose primary method of entry into systems is infected USB drives, does little to ordinary Windows hosts beyond using them to spread, but aggressively attacks Siemens industrial control (SCADA) systems, establishing a rootkit as well as a backdoor connection to two (now disconnected) command and control servers in Malaysia and Denmark. PLC controllers of SCADA systems infected with the worm might be programmed to establish destructive over- or under-pressure conditions, for example by running pumps at different frequencies. There is no evidence either way as to whether this has actually happened, but what is clear is that the malware has caused a great deal of concern and inconvenience.

India, Indonesia and Iran have recorded the most incidents of the worm, according to analysis of infected IP addresses by security firms. Incidents of infection were first recorded in Malaysia, but the appearance of the malware in Iran has been the focus of comment and attention. Plant officials at the controversial Bushehr nuclear plant in Iran have admitted that the malware has infected laptops. However, government ministers, while blaming the attack on nuclear spies, have downplayed the impact of the attack and denied that it has anything to do with a recently announced two-month delay in bringing the reactor online. The fact that the perpetrators activated such an attack tool can be considered the 'first strike' against major industrial resources.

Data Briefing: 13.42, the average number of serious vulnerabilities in a large enterprise. SOURCE: WHITE HAT SECURITY

Next Generation Information Security with eScan 11

eScan, one of the leading security solution providers and the world's first real-time anti-virus and content security solution developer, announced the launch of eScan 11, its next generation information security solution. eScan 11 aims to provide zero-day protection to computers from objectionable content and security threats such as viruses, spyware, adware, keyloggers, rootkits, botnets, hackers, spam and phishing Web sites. While it raises the quality bar on securing information assets, it is also powered by technologies that keep the computer's memory and resource usage to a minimum. eScan 11 comes with an easy-to-use Graphical User Interface (GUI) designed to meet the requirements of both novice and expert users. Beneath the interface, which the vendor describes as the first of its kind among security software, eScan 11 is driven by multiple detection engines intended to protect computer users from next generation threats.


IN-SHORT


India to Develop its Own Operating System

DR V K SARASWAT, Scientific Adviser to the Defence Minister, said the DRDO has just set up a software development centre each in Bangalore and Delhi, with the mandate to develop such a system. This "national effort" would be spearheaded by the Defence Research and Development Organisation (DRDO) in partnership with software companies in and around Bangalore, Hyderabad and Delhi, as well as academic institutions such as the Indian Institute of Science, Bangalore and IIT Chennai, among others.

"There are many gaps in our software areas; particularly we don't have our own operating system," said Saraswat, who is also Director General of DRDO and Secretary, Defence R&D. India currently uses operating systems developed by western countries. "So, in today's world where you have tremendous requirements of security on whatever you do, economy, banking and defence, it's essential that you need to have an operating system," he said. Referring to reports of cyber attacks in recent times and the "susceptibility" of the internet, he noted instances of "data taken away by adversaries". "We have to protect it (data)," Saraswat said, adding, "Only way to protect it is to have a home-grown system, the complete architecture... source code is with you and then nobody knows what's that."

He said DRDO is putting in place a dedicated team of 50 software professionals in the Bangalore and Delhi software development centres to accomplish the task. Saraswat also said the DRDO has put in place a "complete framework" for its proposed commercial arm, which is currently in the process of securing the necessary government approvals and is expected to be operational next year. This arm would customise defence technology spin-offs and provide them to the civil population through select industry partners, which would act as production agencies.

Smartphones, Twitter, Facebook Face Emerging Cyber Threats

GROWING sophistication of botnets, pervasive mobile devices and social networking, and threats to physical systems could be the key cyber threat issues in 2011. According to the latest cyber threat report from the Georgia Tech Information Security Center (GTISC), traditional forms of security such as signature-based antivirus become ineffective as malware numbers continue to climb. "Cyber criminals now have automated tools capable of releasing very large volumes of malware with extreme variety and sophisticated features," said Wenke Lee, a professor at the Georgia Tech College of Computing. According to McAfee, the first six months of 2010 were the most active half-year ever for total malware production. Today, automated analysis technologies are being used to keep up with this volume, but according to Lee they lack the precision needed to decipher purposely compressed, encrypted and obfuscated malware.

Earlier this year, organisations including Google, Adobe and a few dozen others in the commercial sector acknowledged that they had been the victims of a highly targeted attack known as Aurora. One way to combat the explosion of malware samples is a scalable, transparent (meaning the attackers cannot detect it) and automated analysis system that obtains actionable malware intelligence and puts that intelligence to use.

With more than 100 million accounts on Twitter and more than 500 million on Facebook, attackers are taking advantage of the social networking craze as a new medium for launching insidious attacks. Only about 30 percent of Twitter accounts are genuine users who actively use the service on a regular basis. In another study over the past four months, an average of 130 instances of malware were found every day simply by searching for content on popular "trending" topics via Twitter, Google, Yahoo and Bing. In addition to not trusting unknown users or suspicious links on social networking sites, the public can protect themselves by using services such as URL filtering and malicious JavaScript detection.


IN-PERSON

"By adapting intelligent video technology, CISOs can achieve enhanced surveillance with minimal data storage costs."

Servicing Surveillance

IP cameras offer intelligent video applications, or video analytics, which have transformed the function of surveillance cameras from passive to intelligent surveillance, explains Prakash Prabhu, Country Manager, Axis Communications, India. He spoke to Dominic K.

What is the state of the surveillance and physical security market in India and the SAARC region?

The surveillance market in India is about 30 percent of the entire security industry, predominantly consisting of analog-based installations. There is, however, a steep shift from analog to IP-based surveillance. Across the globe, surveillance has been used to gather intelligence on criminal and terrorist activity and has helped deter untoward incidents. However, an interesting aspect is that surveillance is slowly moving out of the realm of pure physical security. With network video and remote monitoring capabilities, we can now also react to environmental threats, fire hazards and chemical and nuclear contamination with the right blend of technology. Also, with the advent of embedded applications in security products, surveillance is now emerging as a tool for gathering business intelligence and for other applications. The second shift observed is from reactive surveillance to proactive surveillance, with more adaptive intelligence built inside the cameras. Surveillance is also used for end-to-end visibility in production process control, especially in the nuclear and chemical industries, avoiding the dangers of potential contamination from direct human contact and thus providing a safe working environment. The current IP-based surveillance market in India is valued at approximately USD 50-60 million and is expected to grow at 45 percent year on year for the next 4-5 years. Adoption of better compression techniques, multi-platform integration and HDTV for improved image quality has helped surveillance video to be used for alternative applications beyond security.

What is the state of surveillance as a service in India?

With the increase in nuclear families and urban living, there is a growing need for security of residential properties. It is also useful for schools, hospitals, remote education and service providers who would want to attract multiple subscribers over the medium to long term. Given busy lifestyles, people will seek the convenience of surveillance as a service rather than having to directly purchase the product and upgrade it when necessary. Therefore, we foresee surveillance services gaining popularity in India. From a large-scale perspective, surveillance-as-a-service models haven't been launched yet in India, connectivity, revenue and support models being the major bottlenecks. We are in talks with connectivity providers who will be looking at the commercial viability prior to launching these services.


CARVING

ENTERPRISE

STANDARDS

Business objectives point to some INFORMATION SECURITY concerns, while regulatory compliance necessitates others. Security standards facilitate both and fill the gap. By Dominic K

ILLUSTRATIONS BY JOFFY JOSE

WHEN organisations create an architecture for securing their information resources, they look to various security standards for guidance. Standards provide a benchmark against which an organisation can assess its information security implementation, help companies assess risk and aid them in compliance. Industry-specific standards such as PCI-DSS provide guidelines based on the nuances applicable to different verticals. Let's discuss these applications in detail.

Measuring Risk

Every enterprise follows a methodology for risk management and measurement. The acceptable risk level is defined by the security council or the corporate risk management group, which analyses it based on the several factors that determine enterprise risk: threats, vulnerabilities, probability, impact analysis and the organisation's own perception of the threat. Whether a particular set of information security and risk criteria can be used depends not only on their applicability but also on the effort and costs associated with using them.

These can differ in specific cases, but standard values can be helpful for assessment in typical scenarios, and standards help the corporate team define them. Deepak Rout, CISO, Uninor, says, "The security paradigm can be mapped both by risk management as well as incident management with equal justice; risks and incidents represent two sides of the same coin." He adds, "Either we identify risks and mitigate them before they materialise into incidents, or we learn from the incidents and prevent their recurrence, thereby avoiding such risks in future."


The fundamental step is to carry out information risk assessment and impact analysis regularly; the impact analysis also yields recovery targets such as the Recovery Point Objective (RPO). The result of this exercise gives the enterprise almost all of the risks to confidentiality, integrity and availability (CIA) and the implications should each materialise. Based on this, the CISO should work with business owners, top management and asset owners to define the acceptable level of risk.
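The discussion above stays at the level of principle: score each risk from likelihood and impact, compare it with the level the business has agreed to accept, and feed incidents back into the risk picture. The following is an added illustration of that loop, not code from the article or from any of the organisations quoted. The 1-5 likelihood and impact scale, the acceptable-risk threshold of 8 and the register entries are assumptions made for the example.

```python
"""Risk register with an agreed acceptable-risk level and incident feedback.

Added example for the "Measuring Risk" discussion; not code from the article.
Assumptions: a 1-5 scale for likelihood and impact, risk = likelihood * impact,
an acceptable risk level of 8 agreed with the business, and constructed entries.
"""
from dataclasses import dataclass

# Assumed value: in practice agreed between the CISO, business owners and
# top management, as the article describes.
ACCEPTABLE_RISK = 8


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int      # 1 (rare) .. 5 (almost certain)
    impact: int          # 1 (negligible) .. 5 (severe), from impact analysis
    cia: str             # which property is hit: "C", "I" or "A"
    incidents: int = 0   # incidents recorded against this risk so far

    def score(self) -> int:
        """Inherent risk score on the assumed 1-25 scale."""
        return self.likelihood * self.impact

    def needs_treatment(self, acceptable: int = ACCEPTABLE_RISK) -> bool:
        """True when the score exceeds the level the business accepts."""
        return self.score() > acceptable


def record_incident(risk: Risk) -> Risk:
    """Learn from an incident: it proves the threat is live, so the likelihood
    estimate moves up one step (capped at 5) and the incident count is kept."""
    risk.incidents += 1
    risk.likelihood = min(5, risk.likelihood + 1)
    return risk


def treatment_plan(register: list, acceptable: int = ACCEPTABLE_RISK) -> list:
    """Risks above the acceptable level, highest score first; ties by asset."""
    return sorted(
        (r for r in register if r.needs_treatment(acceptable)),
        key=lambda r: (-r.score(), r.asset),
    )


def sample_register() -> list:
    """Constructed register entries used for the illustration."""
    return [
        Risk("card-processing app", "SQL injection", "unvalidated input", 3, 5, "C"),
        Risk("HR file share", "ransomware", "unpatched SMB service", 2, 4, "A"),
        Risk("guest wifi", "eavesdropping", "open network", 4, 1, "C"),
    ]


if __name__ == "__main__":
    register = sample_register()
    for r in treatment_plan(register):
        print(f"treat: {r.asset} ({r.threat}) score={r.score()} [{r.cia}]")
    # An incident on the file share: it was within appetite before, not after.
    record_incident(register[1])
    for r in treatment_plan(register):
        print(f"after incident: {r.asset} score={r.score()} incidents={r.incidents}")
```

The point the example makes is the one Deepak Rout raises: a risk that sits just inside the accepted level (the file share scores 8) moves outside it the moment an incident shows the likelihood estimate was too low, so incident management feeds the register rather than living beside it.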

Industry Specific Standards

Infotech Enterprises, based in Hyderabad, is a global engineering company with more than 8000 associates working with clients across 30 countries. These clients are in an assortment of businesses including aerospace, automotive, heavy equipment and machinery, offshore and marine, energy, hi-tech, consumer, medical devices, rail, utilities and telecom. With such varied interests, the pressure on the security function is immense. To ensure a watertight security infrastructure, the organisation looks to standards for guidance. "We follow standard frameworks such as ISO 27001 and ITIL. As an organisation, Standard Operating Procedures (SOPs) are made mandatory across our enterprise. Every individual client has their own specific demands, needs, practices and controls, and the same is to be carefully aligned," says BLV Rao, CISO, Infotech Enterprises. The company customises the standards according to its needs across verticals. These customisations are subsets of the global framework implementation for technology controls and are specific to unique customer needs; the implementation varies across encryption, log analysis policies, monitoring, and region-specific regulation and compliance.

Compliance

Successful management of information security processes in the enterprise requires control over an assortment of documentation for compliance and regulatory demands. Managing that documentation efficiently is not easy and usually requires a systematic approach. Information security standards aid CISOs in streamlining risk, regulatory and compliance demands. Stressing the need for standards to aid compliance, Burgess Cooper, AVP, Information Security, Vodafone Essar, says, "The compliance standards are focused and depend on the risks associated with the industry / company / country (viz. DPA, Safe Harbour etc.). For instance, PCI-DSS is applicable for merchants and those dealing with credit card information such as BFSI / BPOs etc." He adds, "Compliance for the sake of compliance will not help at all. Compliance means putting the right systems and processes in place and the ability to respond faster during any crisis. It's also worth noting that most of the compliance regimes will have around 40-50 percent of parameters and aspects common among them, viz. logical access control, physical security etc. A unified compliance framework that will handle mandatory and obligatory compliance needs will make the security processes much easier and more efficient for the enterprise."

KEY CHALLENGES

- An ever-increasing reliance on IT-based information systems, which are becoming more complex and integrated
- A significant increase in the number and scale of threats to applications, computers and networks, which are in turn often based on rapidly changing technology
- Continual discovery of vulnerabilities in existing and new technology, which if exploited can have significant business implications
- Organisations' requirements for improved effectiveness and productivity of systems and staff, while reducing costs
- Increased focus on the need to comply with increasing legal and regulatory requirements (such as the Sarbanes-Oxley Act, Basel II and privacy or data protection legislation)
- The growing drive to meet major information security-related standards, such as ISO/IEC 27002, ITIL, PCI-DSS and COBIT
- A general lack of awareness and of key skills, expertise and other resources in many important areas of the organisation

Future of Standards

So what does the future hold for security standards? Some of the standards that CISOs and the Indian industry need to watch are ISO 38500 for IT governance, ISO 31000 for risk management and ISO 27005 for information security risk management. ISO/IEC 38500:2008 draws upon a number of sources and defines six principles: establish responsibilities, plan to best support the organisation, acquire validly, ensure performance when required, ensure conformance with rules, and ensure respect for human factors. It is intended to apply to any organisation regardless of size or sector, and gives directors (including owners, board members, partners and senior executives) guiding principles for the effective, efficient and acceptable use of information technology within their organisations.

Sameer J Ratolikar, CISO, Bank of India, suggests that CISOs should have a rationale for implementing any standard. If securing the processes of a critical department is the objective, ISO 27002 is the way; to protect cardholder information, opt for PCI-DSS. Similarly, for call centres and helpdesks, setting up ITIL will add value. Finally, to know the value of IT investment and to get a dashboard of IT project implementation, COBIT is the way out. "All the standards are not the same. ISO talks about plain vanilla information security, PCI-DSS about credit and debit card information, COBIT about IT governance, while ITIL focuses on service delivery and service support," he says.

The point is that, either way, following one or multiple standards does not by itself take an enterprise to zero risk or zero incidents. It is practising correct risk and incident management processes and procedures, irrespective of the standard used, that adds to and contributes to the enterprise's brand value. While some standards may improve compliance and risk levels, it is the effectiveness of implementation, with continuous and relentless review and improvement, that will finally lead to control over incidents and threats.


OPINION BY DOMINIC K dominic.k@9dot9.in

THE AUTHOR IS Associate Editor, CSO Forum

Stuxnet Hits India

IT IS a fact that cyber criminals (black hats) are usually very quick to release exploits when new vulnerabilities are discovered. This gives them the leverage and advantage over defenders to play and earn as much as possible before a patch or workaround is released, and the fact that many enterprise users fail to update their software on a regular basis only encourages them. The extensive media coverage afforded to Stuxnet has served as an advertisement for the vulnerabilities it used, which various cyber criminal groups have since picked up, though the source and authorship of the worm remain largely speculative and debated.

Kaspersky's early-October review reports that the onset of autumn has brought with it advances in the Sality virus and an increase in the number of adware programmes on the Web. The vendor says that a new variant of Sality, known as Sality-bh, was found to be particularly widespread on users' computers. Sality-bh is a newcomer to the charts, rising to 11th position, and is spread using the dropper Trojan-Dropper.Win32.Sality.cx, which exploits the vulnerability in Windows LNK (shortcut) files. Kaspersky notes that this was the first zero-day vulnerability detected in use by the now infamous Stuxnet worm. The same vulnerability, the vendor goes on to say, had already been exploited by Trojan-Dropper.Win32.Sality.r back in August. Furthermore, the geographical distribution of the droppers in question mirrors that of the Stuxnet worm: both appeared most often in India, followed by Vietnam and then Russia. In addition, a total of seven AdWare.Win32 malware apps made it into this month's top 20 ranking.

It is interesting to note that 10 percent of Stuxnet attacks globally are in India, which ranks at number three behind Iran and Indonesia.

So what does Kaspersky think of the Stuxnet virus? According to the report, because the malware is highly specialised, it did not make the top 20 over the last month. The media discussed Stuxnet extensively in recent editorials and columns, although the worm was first identified as far back as early July. The worm exploits four different zero-day vulnerabilities; it also used two valid code-signing certificates belonging to Realtek and JMicron. However, the most important feature of Stuxnet is its payload, and this is why the worm received so much attention. The main purpose of this piece of malware is not to send spam or steal confidential user data: it is designed to gain control over industrial systems, namely Supervisory Control and Data Acquisition (SCADA) systems.

Debkafile's intelligence sources report that dozens of Russian nuclear engineers, technicians and contractors were observed hurriedly departing Iran for home after local intelligence authorities began rounding up their compatriots as suspects in planting the Stuxnet malware in the country's nuclear programme. Among them are the Russian personnel who built Iran's first nuclear reactor at Bushehr, which Tehran admits has been damaged by the virus. One of the Russian nuclear staffers, questioned in Moscow on Sunday, Oct. 3 by Western sources, confirmed that many of his Russian colleagues had decided to leave with their families after team members were detained for questioning at the beginning of the previous week. He refused to give his name because he and his colleagues intend to return to Iran if the trouble blows over and the detainees are quickly released after questioning. Moslehi, the intelligence chief, did not mention Stuxnet in his statement, but said his ministry has "absolute control over the virtual networks and will foil all acts of sabotage." Ralph Langner, who was among the first to identify and study Stuxnet, told CNN last week that it would have required insider information to deliver.



OPINION SAI CHINTALA

THE AUTHOR IS Vice President, Technical Services, Applabs.

Security Testing: A Need, Not a Want

DESPITE the widespread economic recession, CIOs, CISOs and IT managers have not taken their eyes off security measures, as the changing threat landscape has put immense pressure on organisations to evaluate the risk of security breaches in their environments. Enterprise budgetary pressures have not put a cap on security spending, and in the new normal organisations are looking at increasing their spending on security measures. Today, the consumerisation of IT has become a major cause of concern for enterprises big and small. The advent of social networking sites, blogs, wikis and the like, and the rising use of smartphones in organisations, are the greatest security concerns for IT decision makers. Cloud computing and data centre virtualisation, though ranked after consumerisation, pose serious concerns in terms of security, reliability and manageability. A survey by the market research firm Forrester has shown that around 40 percent of small and medium businesses (SMBs) view smartphones as a cause of security concern, while 34 percent are worried about Web 2.0, followed by cloud computing (32 percent) and data centre virtualisation (30 percent).

Despite spending several years and millions of dollars on traditional defences such as firewalls and intrusion detection or prevention systems, many organisations are still struggling to protect their assets from cyber criminals, as recent security incidents and breaches show. Symantec's 2010 State of Enterprise Security report shows that 75 percent of organisations have experienced a cyber attack, costing businesses an average of USD 2 million annually. The crisis in online security could not keep industry bodies and regulators quiet for long. Organisations started facing pressure from regulators to ensure their networks are secure, to protect themselves and their customers from potential threats. To tackle the issues the online world presents and ensure security in this environment, the Payment Card Industry Data Security Standard (PCI DSS) emerged. The PCI DSS is specifically designed to protect the account information of credit and debit card holders. Every company that accepts card payments, or processes, stores or transmits cardholder data, is mandated to comply with the PCI DSS.

Security code reviews uncover potential security risks early in the software life cycle by finding flaws at the source-code level.

The current breed of applications, mandatory rules from regulators, the increased sophistication of attacks and the shortcomings of traditional defences have made security testing a need for organisations. Of late, security testing has assumed huge significance and become an integral part of the enterprise testing strategy, owing to the awareness of the various ways an application can be compromised as well as the inability of the latest technologies to stop cyber criminals. Security testing services address the numerous mission-critical information security challenges faced by enterprises around the world; they include PCI compliance services, web application penetration testing, product security testing, security code reviews and network security assessment. In an organisation, high-quality planning is required from top management all the way through to IT functions in order to comply with the requirements of the PCI DSS and subsequently verify that they have been met. The DSS contains twelve specifically assessable requirements that cover nearly every aspect of security.

