@entitworld
@enterpriseitworld
@enterpriseitworld
RS 199 | PAGES 56 | VOLUME 01 | ISSUE 02
2nd Edition
A Special Supplement on Cyber Security
A JOURNAL ON INTERNET SECURITY
16 NOV 2018
FOR THE CIOs. BY THE CIOs.
Infoquest is a journal of Internet Security and mouthpiece of Infosec Foundation. Infosec Foundation is a multi-disciplinary and multi-user based initiative for increasing awareness and sharing best practices
EDITORIAL
Publisher: Sanjib Mohapatra
Chief Editor: Sanjay Mohapatra
Senior Editor: Chitresh Sehgal
Associate Editor: Deepak Singh
Designer: Ajay Arya
Assistant Designer: Rahul Arya
Web Designer: Vijay Bakshi
Technical Writer: Manas Ranjan
Lead Visualizer: DPR Choudhary

SUSHOBHAN MUKHERJEE,
CHAIRMAN OF INFOSEC FOUNDATION AND CO-FOUNDER AND CEO OF PRIME INFOSERV LLP
Infoquest, a Journal on Information Security, was started three years ago by Infosec Foundation as an inclusive, broad-based print journal on Information security. In an age when the mortality rate of print journals is high, it is gratifying to look back and see that Infoquest has passed the three-year mark since its inception. It has not only survived but thrived, and thanks to the partnership with Enterprise IT World, Infoquest travelled to the four corners of India during July-August 2018, when Infosec Foundation, in partnership with Enterprise IT World, gathered friends, readers and contributors in the four-city CISO Symposium (Bangalore-Delhi-Mumbai-Calcutta). This tour has put Infoquest in the hands of many influential people of the country, in addition to giving us the impetus to continue the journey.

This issue of Infoquest, which will see the light of day at the 3rd International Infosec Summit on 16th Nov 2018 at The Park, Calcutta, has had the privilege of drawing on past experience in every part of its making: contribution, thematic relevance, content, scope and presentation. The content can be divided into four segments, namely a) offensive and defensive strategies developed on the ever-active battleground of cyber security; b) technological aids and challenges; c) informative material on how all of this affects citizens and users; d) a critical look into our armoury: cognitive, intellectual, technological and social. As a foretaste, we hear of the mysterious, almost occult-like environment of the Dark Web, its allure and its dangers, and we are also informed of some of the “cognitive vulnerabilities” that we may be building into our advanced tools. Some domain experts discuss the implications of Information Security for diverse businesses. Some futuristic scenarios are discussed that may read like sci-fi.

If our brain can be considered an information processing device, and if we have the capability of accessing that “device”, it can reasonably be argued that hacking can be considered “brain-jacking.” Any editor’s job is ultimately a job of reasonable and enlightened emphasis and de-emphasis. We followed a methodology in selecting contributions that appeared to us broader and more focused on building awareness of the theme, not only for the technical or subject expert but for lay yet curious readers. I thank all the contributors, those whose work got published and also those whose work we could not include in this issue because of some of our methodological and policy constraints. Thanks to Infosec Foundation and Enterprise IT World for being the patrons, to our sponsors, to our editorial team members, with a special mention of Mr. Sudipta Biswas, and to good luck at critical moments. Any published material, unless addressed to some non-sentient beings, owes its existence and its reason to exist to its readers. Our team hopes that our readers will find our efforts useful, relevant and worthy of continuing attention and support.

Sincerely yours,
EDITORIAL BOARD
01 Sudipta Biswas
02 Pritam Bhattacharya
03 Sanjay Mohapatra
04 Sanjib Mohapatra
05 Chitresh Sehgal
06 Sushobhan Mukherjee

Social Media Manager: Ravish
MARKETING
Marketing Manager: Nidhi Shail, nidhi@accentinfomedia.com
SALES CONTACTS
Delhi: 6/102, Kaushalya Park, Hauz Khas, New Delhi-110016. Phone: 91-11-41055458. E-mail: info@accentinfomedia.com
EDITORIAL OFFICE
Delhi: 6/103, (GF) Kaushalya Park, New Delhi-110016. Phone: 91-11-41657670 / 46151993. E-mail: info@accentinfomedia.com
Printed, Published and Owned by Sanjib Mohapatra. Place of Publication: 6/103, (GF) Kaushalya Park, Hauz Khas, New Delhi-110016. Phone: 91-11-46151993 / 41055458
Printed at Karan Printers, F-29/2, 1st floor, Okhla Industrial Area, Phase-2, New Delhi 110020, India. All rights reserved. No part of this publication can be reproduced without the prior written permission from the publisher. Subscription: Rs.200 (12 issues). All payments favouring: Accent Info Media Pvt. Ltd.
CONTENTS
03 The Journey
06 A peep inside the public IT mesh
08 Data Integrity and Compliance
11 Cognitive Biases in Information Security: Causes, Examples and Mitigation
15 Building a Culture of Strong Cyber Hygiene with Swachh Online Practices
17 Why Cyber Range Training and Simulation is Key for Effective Security Operations
19 Building Security Framework for Enterprise
22 Evolution of the Security Operations Center – 2.0 & beyond
25 Smart Procurement in current business organizations
27 Phishing + Ransomware = A Modern Day Threat
30 LibSSH Vulnerability
32 Routing Security with Filtering is the most important & sensitive factor to avoid Cyber Crime or any fraud
33 Cloud Security – Challenges and Controls!
35 Demystifying Cyber War Games
37 BrainJacking – A New Cyber Security Threat
39 Let’s make way for DevSecOps
41 Sensitive Data Protection Using Advanced Masking Technology
43 The Dark Net: Epicenter of all your Cyber Security Threats
45 Cyber Security, Alphabet Soup and Hype: Musings of a curious non-expert
47 Demystifying ISO
49 Information Lifecycle Management (ILM)
51 Insights of SIEM
THE JOURNEY
SUSHOBHAN MUKHERJEE,
CHAIRMAN, INFOSEC FOUNDATION & CEO OF PRIME INFOSERV LLP
It is wonderful to see Infoquest continuing its journey since 2016. In line with the vision of Infosec Foundation, Infoquest’s focus was to generate mass awareness about Information Security and to bring about inter-disciplinary sharing of minds and best practices, which we felt to be not only a necessity but also a market gap. Infoquest is playing the role of a mouthpiece and a print-media way to reach readers and interested institutions on a pan-India basis. Thanks to our partner Enterprise IT World, we hope that we shall continue to reach readers on a pan-India basis and will venture further across the globe. From 2016 till date, we have conducted International Summits in India, Bangladesh and the UK. Quite recently, we completed a 4-city tour of India under the aegis of the CISO Symposium, where some of the best minds converged, and we also recognized some of the CISOs around the country for their commendable work and hope to inspire the next generation of professionals in this area. The 3rd International Infosec Summit, scheduled on 16th Nov 2018 at The Park, is designed to have dimensional changes with regard to the previous two Summits and will have broader coverage in terms of speakers, domains, depth, footfall and engagements.

In brief, Infosec Foundation’s core objectives are:
- Building an ecosystem to create awareness, discuss best practices, report and share emerging and emergent threats, and share knowledge and expertise.
- Bringing a paradigm shift in thinking about Information security: from re-active thinking to accepting these risks as the heirloom of our age.
- Educating enterprises and end-users so that they come out of the mental trap of the “H-W-S-W-S” syndrome [Hardware-Software-Solution] and consider the challenges in a broader perspective.
- Publishing, running and promoting a magazine that will promote and help a consistent and regular initiative.
- Conducting Infocon in many cities worldwide through a collaborative and resource-sharing model.
- Aiding the creation of attitude and capacity for facing the most dangerous threats: threats that we have not heard of yet!

We have taken many initiatives so far, like awareness campaigns through mass media and training/workshops/seminars for young and elderly people through local police stations and clubs. Our team was instrumental in interlocking with all the different stakeholders (like law enforcement agencies, government, Banking & NBFC, Healthcare, Telecom, Energy & Utilities, Manufacturers, Providers, users) and had many initiatives to bridge the gap between demand and supply. We already have five chapters in five global cities and have started influencing cross-pollination of cyber knowledge and wisdom. Cyber Helpline and Cyber Friend Mobile App are on their way to kick-off. With support from government and connections through academia, we are all set to rise and build the next generation of cyber army.

Stay tuned with our regular activities; join in, engage and ride the thrilling journey towards your digital future.

Sushobhan Mukherjee has 20 years of experience in IT consulting, process and corporate relationships. He has been a cyber security practitioner and design architect since his stint with all the major telecom/IT operators like Tata, Airtel and Sify in India. For the last eight years, he has been an entrepreneur and institution builder. He is the Co-founder and CEO of Prime Infoserv LLP, one of the leading Technology Integrator and Infosec consulting ecosystems in India, working with Indian and global brands. Besides, he is the chairman of Infosec Foundation, a non-profit initiative for cyber awareness across the globe. He has taken the message and mission of Infosec Foundation to India, Bangladesh, Africa and the UK. He is committed to the cause of Information security and will continue this campaign of defense, offense and pro-active and preemptive protection with your co-operation and support.
A PEEP INSIDE THE PUBLIC IT MESH
SANJAY KUMAR DAS,
DY. SECY, DEPARTMENT OF IT & ELECTRONICS, GOVT. OF WEST BENGAL.
AUTHOR’S BIO
He is from the WB Civil Services batch of ‘96, did his Masters in Physics at Calcutta University, qualified with a Masters in Business Administration from ICFAI and an LLM from Kakatiya University, holds a PG Diploma in Cyber Law and Intellectual Property Rights from the Indian Law Institute as well as a Post Graduate Diploma in Rural Development & Educational Technology, served in the Intelligence Bureau for 4 years, holds a Diploma in Training & Development from the Indian Society for Training & Development (ISTD) which makes him a Trainer of Trainers, can speak 5 languages apart from his mother tongue, and is currently serving as the Dy. Secy, Department of IT & Electronics, Govt. of West Bengal.
Mostly, in the government domain, when aspects of security pertaining to public establishments under the aegis of government are discussed, run and overseen by administrators (including bureaucrats, technocrats and consultants on hire), it is the ominous threats looming over the information technology infrastructure from outside the perimeter that are primarily considered. Mythological stories spread over ages and continents are replete with examples of security compromise emanating from one’s own backyard. Touché! That allegory has hardly lost its sheen and would most likely continue to devastate many more establishments. As readers are well versed in those episodes, a reference to one of the modern-day ‘bestsellers’ might be an interesting way to bring home the point. In ‘Japantown’ by Barry Lancet, a burgeoning IT-based corporation headquartered in Tokyo had built a virtually impregnable firewall to protect itself from incursion. Even then, its systems continued to be compromised. It was later found that a minuscule IoT device was responsible for collating and transmitting vitals, ‘piggy-backing’ on the data efflux.

A few months back, the Government of India decided not to allow access to its Employees’ Provident Fund (EPF) database from Common Service Centers (CSCs) until they undergo a security audit and are made compliant with established standards. Besides the humongous IT infrastructure created by the Government of India through its various Ministries and the agencies working under their aegis, most State Governments possess State Level Data Centers. Besides these, there are numerous local, sectional, regional and departmental data centers of various types, sizes and categories, either self-managed or outsourced. The tentacles of IT assets and infrastructure go down to village level in the form of ‘CSC; Sahaj; Tathya-Mitra-Kendra; Bank-mitra’, among scores of others. Today, the IT infrastructure existing in a Gram Panchayat might look like a page taken from a science fiction of the 90s. A Gram Panchayat office overseeing 14-16 villages and a populace of around 20,000 typically boasts an IT infrastructure comprising 10 desktops, 1 laptop, a LAN connecting all assets and one CPU acting as a local server interfaced with the State Wide Area Network (SWAN). No doubt, a primary internet connection with a Wi-Fi router and a couple of redundant connections from available ISPs will also be there. This jamboree creates an IT mesh wherein individually compliant machines may collectively nullify security compliance, owing to the unavailability of a security administrator. Server-level external firewalls are rare, while individual machine-specific Antivirus (AV) protection is more common, even with an expired license. To get a tentative picture of IT assets at Block and District level, multiply a Gram Panchayat by a factor of 7 and 20
respectively. This gigantic physical IT infrastructure existing today in the public service bandwagon is often found to have common lapses owing to personnel and knowledge-level incompetence. It becomes a heady mix when coupled with bureaucratic complacence. Like an ostrich, an administrative hierarchy with a critical knowledge gap often brushes off every incident of cyber-crime occurring in its backyard. It does not require a rocket scientist to identify the possible security breaches arising from the inherent and intrinsic compromise existing in this ‘hotchpotch’ called ‘IT assets.’ Administrative machinery generally responds to needs according to the allegory ‘feed a baby when it cries.’ Manuals are hardly consulted when IT infrastructure is procured and the IT mesh is expanded. Expenses and electricity load are calculated, yet security compliance stands aside as an orphan.

The public data is safe owing mainly to two reasons. One: it has little resale value unless cut, shaped and polished by means of data analytics. Two: Disaster Recovery (DR) site or not, government machinery tends to keep copies of each piece of data at multiple locations, a legacy of the British. Hence, a duplicate-file-finder often finds multiple copies of each and every piece of data ever created. Unique data has value (as it can be made unavailable through a Denial of Service attack), and therefore public data is value-less yet safe. Once every public service delivery system is placed online and only its digital footprint is kept, public data in the digital domain would attract far more attempts at incursion. The technological challenges of safeguarding these data would become costlier than at present. It may even force government to levy a ‘cess’ in order to protect and preserve public data. Only technological intervention can address the lack of last-mile coverage in public service delivery across a nation consisting of a potent and thinking populace who now sway to digital mood swings.

A recent trend shows that more and more techno-geeks of Silicon Valley in the USA are trying to raise their kids away from the digital world. Obviously, they want to instill values into their children after having invented ways to destroy humanity while earning loads of green-bucks. India, on the other hand, desperately requires affordable yet cutting-edge IT infrastructure to weed out corruption and thereby ensure food and wage security. India needs technology for the better livelihood of her inhabitants. When more and more e-Governance initiatives prove fruitful in covering the last mile and reaching the doorstep of the neediest (with security) for a dignified existence, efforts ought to be afoot to thwart every attempt at stealing the digital records of individuals, institutions and governments. Erasing one person from the digital records and passing off as another to defraud will create existential crises. How does one prove one’s identity when it has been stolen and modified, erasing every digital footprint? Blockchain technology might provide the answer, until its hash-key is broken to create duplicate blocks. But the answer lies in ensuring (a) data security and (b) data fidelity. The first could be achieved through the creation and management
of data centers managed in a collaborative manner. For example, data pertaining to the issuance of death and birth certificates is processed on e-District and transmitted over SSDG, yet stored in the SDC, while data pertaining to one’s bank is kept in the Data Centre of that particular bank, with a reference to its existence in the Data Centre of the Reserve Bank of India. Though a Disaster Recovery (DR) site is maintained by each public and private sector bank, in the event of a critical cyber-crime the compromise of its entire system could in turn paralyze its interface with other financial institutions. It would therefore devastate the lives of millions. Similarly, public eWallets viz. Paytm, PayZapp, PayU, PhonePe, MPesa, Mobikwik et al. have their respective Data Centers as well as DR sites beyond the clutches of the government establishment. When both ends of a cyber-thoroughfare are compromised, it becomes unusable, making its residents shelter-less and vulnerable. When digital livelihood forces both the initiated and the uninitiated to use online modes for financial transactions, an information avalanche occurs. It often leads to exposure of sensitive information in digital domains, and security compromise creeps in unnoticed. A number of movies, of both the Indie and Hollywood genres, have delved into identity theft over the last decade. This is a real and present danger. In cases of such theft, government must come in handy and rescue the victim through ‘data fidelity.’ Therefore, the second objective, ‘data fidelity’, is possible only when the DR site of each and every public service, be it government or private, is kept in a Data Centre run under the aegis of the elected local Government by a Government-Industry collaboration. Is it possible financially? Yes, it is. A collaborative SPV (Special Project Vehicle) involving various IT and ITeS private entities could easily raise enough resources to set up and run Data Centers based on demand.

The Local Self Government, viz. Municipal Corporations and Zilla Parishads, would oversee this collaborative SPV. These Data Centers would house the DR site for each of the privately run citizen-centric services (running on web portals and/or mobile applications). In case the original Data Centre of a private service provider is compromised, the DR site hosted in this SPV-managed DC, run under the aegis of the local self-government, could provide an independent backup and validate the veracity of its citizens’ identities to prevent identity theft. Regular audit and compliance of the IT infrastructure spread over the entire length and breadth of our motherland is another prime necessity. Our country is interspersed with inherent diversity and outside interference. Hence a safe as well as secure eco-system for IT-driven e-Services is also a common minimum necessity, for rich and poor alike. Audit and compliance to ensure the security of the public IT mesh is possible when government shows character and invests public money to create cyber-awareness, much like ‘Swachh Bharat.’ This effort should start at toddler level and needs to reach the burgeoning geriatric populace. Similarly, fidelity of public data is possible only when government possesses the capability to validate and authenticate a netizen, to preempt the destruction of one’s social existence.
DATA INTEGRITY AND COMPLIANCE
ANIL CHIPLUNKAR,
AUTHOR’S BIO
Lead Auditor ISO27001 (IRCA accredited), Certified Fraud Examiner (CFE), Certified Information Security Manager (CISM), Certified Forensic Accounting Professional (CFAP), Certified Anti-Money Laundering Expert (CAME), Associate of Business Resiliency Certificate Consortium International (ABRCCI).
Summary Profile: Anil has 33+ years of experience in Information Systems and has been working in the information security space for the last 20+ years. He has successfully managed and delivered consulting projects for implementing Information Security Management Systems (ISMS), Business Continuity Management Systems (BCMS), and Governance and Compliance reviews for several clients. He was involved in formulating security strategies, governance frameworks, policies & procedures, information security audits and IS risk assessments, as well as improved information security architecture covering information technology, physical and environmental security, logical access controls, security in the information systems development process, etc. He has performed digital fraud investigations and advisory services for fraud risk management for organizations from verticals like BFSI, IT/ITES, Manufacturing and Pharmaceuticals. He has worked across Asia Pacific and Middle East countries: India, Nepal, Sri Lanka, Hong Kong, Singapore, Japan, Korea, Taiwan, Indonesia, Malaysia, Philippines, Thailand, Saudi Arabia, Jordan, Oman, Bahrain and Australia.
BACKGROUND
In the last decade, Data Integrity has become a strategic imperative for most organizations, yet many have failed to put proper systems, processes and oversight in place. Of the warning letters issued by the US FDA in the last couple of years, 90-95% cited data integrity as a cause of the warning. The FDA has gone as far as setting up a base in countries like India and has put multiple organizations on restrictions due to data integrity issues. The ramifications of failing to comply with data integrity requirements are severe: multiple companies have been banned from exporting to countries and have lost their license to export. What complicates things further is that data integrity issues span the entire organization, from development, clinical, lab and manufacturing to GCP, GVP etc. Furthermore, the pressure to get product out the door can compromise the system and lead to practices and decisions that produce data that is not trustworthy. This has led regulatory agencies to put in place rules and guidance (ISP and GAMP) to ensure that the product is safe for patients and that business processes are in place to eliminate data integrity issues. Many organizations are reassessing their data integrity programs, yet these are big projects that take a long time and are driven internally with conflicting priorities. Organizations struggle to find the right resources and do not want to pay for the programs. Organizations that have proper data integrity systems and processes in place are still vulnerable during regulatory audits because, in spite of their processes being documented and followed, they cannot prove, i.e. do not have the documentation to show when inspectors come in, that the data is accurate. To prove that the data is right, organizations can conduct a risk assessment, yet it is expensive to fix the issues that arise, and they must be prepared to have budget allocated to mitigate any gaps that are identified.

Not only do organizations need proper technology and security in place, they also need to ensure that they control and monitor all of their processes in order to find where a data integrity issue may arise.
DATA INTEGRITY
‘Data Integrity’ is an essential element of a company’s quality system, especially in the life science industry. According to guidance provided by the US FDA, UK MHRA and WHO, data integrity relates to the accuracy, completeness, and consistency of data. The requirements for maintaining data integrity traditionally existed in various regulatory guidelines and best practices, and data integrity was required whether the data was in
paper form or electronic form. Today’s business environments are diverse in nature: one may contain a standalone machine and an independent business process, while others contain multiple complex machines and interdependent business processes. Maintaining data integrity across such a broad range of scenarios has become a challenging task. The parameters which need to be considered to maintain ‘data integrity’ are Attributable, Legible, Contemporaneous, Original or True Copy, and Accurate (ALCOA+), where the ‘+’ sign indicates the additional attributes to be considered: ‘Complete, Consistent, Enduring, and Available’.
REGULATIONS FOR DATA INTEGRITY
Today, regulatory inspections from organizations such as the US FDA, UK MHRA etc. focus on the detailed controls necessary for data integrity. As per pharmaceuticalonline.com, the number of drug GMP warning letters is increasing year on year; looking at the last 3 years’ data, the numbers moved from 42 in FY2015 to 102 in FY2016 to 114 in FY2017. Therefore, aside from good data governance practices, there are increasing regulatory pressures to maintain data integrity. As stated by Dr. Siegfried Schmitt on IVT Network (Oct 2014), “Data integrity is a prerequisite for the regulated healthcare industry as decisions and assumptions on product quality and compliance with the applicable regulatory requirements are made based on data. Drug and medical device manufacturers or service providers, healthcare organizations, regulators and other government organizations, and users (patients and healthcare professionals) rely on data. Breaches in data integrity can have negative consequences and may lead to patient injury, or even death.” Dr. Ajaz S. Hussain, Advisor, EY and Former Deputy Director, Office of Pharmaceutical Science, US Food and Drug Administration (US FDA) (July 2015) added, “Integrity of data is the foundation on which we make decisions on quality, safety and efficacy. Recording of data and information with accuracy protects life; without it, we cannot differentiate between counterfeit and authentic medicines. At the end, any lapse in the assurance of data integrity is a serious deviation from expected practices and can have adverse repercussions.”
DATA INTEGRITY WITHIN DIFFERENT REGULATIONS
The table in the Appendix lists the sections, clauses and sub-clauses of different regulations which point to the ‘data integrity requirements’. Some other acts, including the recently enacted EU GDPR (European Union General Data Protection Regulation, Article 32, Security of Processing), the Philippines Data Protection Act and other such acts, have incorporated ‘data integrity’ as one of their many requirements. Going forward, there will be more acts and regulations that have ‘data integrity’ as one of their important requirements.
MOVING TOWARDS ACHIEVING ‘DATA INTEGRITY’
As Data Integrity is pervasive and widespread, and has serious implications for a company’s operations and for patient safety, it must become a strategic imperative at the highest levels of an organization. Top management should have overall control and monitoring of all the processes that could possibly have a data integrity issue. Adequate resources like budget, time, people, tools etc. must be allocated. Oftentimes, outsourcing Data Integrity and Compliance initiatives to functional experts is an effective and cost-efficient way of implementing this oversight, so that employees can focus on getting safe and effective products delivered to the market. Many companies are turning to outsourcing organizations that specialize in Data Integrity and Validation and have a unique blend of regulatory, technology, scientific and process knowledge to oversee and deliver ‘quality data integrity initiatives’.
APPENDIX

Authority: US FDA
Description:
- 211.68: backup data are exact and complete, and secure from alteration, inadvertent erasures, or loss
- 212.110(b): data be stored to prevent deterioration or loss
- 211.100 and 211.160: certain activities be documented at the time of performance and that laboratory controls be scientifically sound
- 211.180: true copies or other accurate reproductions of the original records
- 211.188, 211.194, and 212.60(g): complete information, complete data derived from all tests, complete record of all data, and complete records of all tests performed

Authority: UK MHRA
Description: 2015 Guidance. Data Integrity: The extent to which all data are complete, consistent and accurate throughout the data lifecycle. Data integrity arrangements must ensure that the accuracy, completeness, content and meaning of data is retained throughout the data lifecycle.

Authority: HIPAA
Description:
- General Rule, Section 164.306: Ensure the confidentiality, integrity, and availability of all electronic protected health information (EPHI) the covered entity creates, receives, maintains, or transmits; protect against any reasonably anticipated threats or hazards to the security or integrity of such information
- Section 1173(d)(2): Reasonable and appropriate administrative, physical, and technical safeguards must be maintained to ensure the integrity of this medical-related data

Authority: WHO
Description: Annexure 5, Guidance on good data and record management practices (WHO Technical Report Series No. 996, 2016, WHO Expert Committee on Specifications for Pharmaceutical Preparations, Fiftieth report, p. 172). Defines the following terms:
- Data Governance: The totality of arrangements to ensure that data, irrespective of the format in which they are generated, are recorded, processed, retained and used to ensure a complete, consistent and accurate record throughout the data life cycle.
- Data Integrity: Data integrity is the degree to which data are complete, consistent, accurate, trustworthy and reliable and that these characteristics of the data are maintained throughout the data life cycle. The data should be collected and maintained in a secure manner, such that they are attributable, legible, contemporaneously recorded, original or a true copy and accurate. Assuring data integrity requires appropriate quality and risk management systems, including adherence to sound scientific principles and good documentation practices.

ALCOA+, as defined by WHO in Annexure 5, Guidance on good data and record management practices:
- Attributable: information is captured in the record so that it is uniquely identified as executed by the originator of the data (e.g. a person, computer system).
- Legible: the terms legible, traceable and permanent refer to the requirements that data are readable, understandable and allow a clear picture of the sequencing of steps or events in the record, so that all GxP activities conducted can be fully reconstructed by persons reviewing these records at any point during the records retention period set by the applicable GxP.
- Contemporaneous: contemporaneous data are data recorded at the time they are generated or observed.
- Original: original data includes the first or source capture of data or information and all subsequent data required to fully reconstruct the conduct of the GxP activity.
- Accurate: the term “accurate” means data are correct, truthful, valid and reliable.
The following terms are not defined explicitly but can be interpreted as below:
- Complete: the completeness of data means that the data is collected / recorded from all actions, including metadata, audit trails, raw data etc.
- Consistent: data should be collected using a process which ensures repeatable and comparable results.
- Enduring: the media on which the data is stored should last until the end of the ‘required / defined data retention period’.
- Available: readily accessible in human-readable form for review throughout the retention period for the record.
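The ALCOA+ attributes above, and the US FDA requirement that records be “secure from alteration”, are usually met in software with an append-only, hash-chained audit trail. The following is an added illustration written for this page, not code from the article or any regulator: each entry records who, when, the prior value and the new value, and a SHA-256 chain lets a reviewer detect alteration or deletion of any entry. The record identifiers, user names and timestamps are constructed sample data.

```python
import hashlib
import json
from dataclasses import dataclass, asdict, replace
from datetime import datetime, timezone
from typing import Callable, List, Optional, Tuple

GENESIS_HASH = "0" * 64  # chain anchor for the first entry


@dataclass(frozen=True)
class AuditEntry:
    seq: int                  # position in the trail; a gap reveals a deletion (Complete)
    user: str                 # who made the change (Attributable)
    timestamp: str            # when, taken from the system clock at write time (Contemporaneous)
    record_id: str
    field: str
    old_value: Optional[str]  # value before the change; None on first capture (Original)
    new_value: str
    reason: str               # regulated changes carry a recorded justification
    prev_hash: str            # SHA-256 of the preceding entry, linking the chain
    entry_hash: str           # SHA-256 of this entry's canonical form

    def canonical(self) -> str:
        """Deterministic serialisation of every field except the entry's own hash."""
        body = {k: v for k, v in asdict(self).items() if k != "entry_hash"}
        return json.dumps(body, sort_keys=True, separators=(",", ":"))


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


class AuditTrail:
    """Append-only change log: values are never overwritten, only superseded."""

    def __init__(self, clock: Optional[Callable[[], str]] = None) -> None:
        self.entries: List[AuditEntry] = []
        self._clock = clock or (lambda: datetime.now(timezone.utc).isoformat())

    def current_value(self, record_id: str, field: str) -> Optional[str]:
        for e in reversed(self.entries):
            if e.record_id == record_id and e.field == field:
                return e.new_value
        return None

    def append(self, user: str, record_id: str, field: str,
               new_value: str, reason: str) -> AuditEntry:
        prev_hash = self.entries[-1].entry_hash if self.entries else GENESIS_HASH
        draft = AuditEntry(
            seq=len(self.entries), user=user, timestamp=self._clock(),
            record_id=record_id, field=field,
            old_value=self.current_value(record_id, field), new_value=new_value,
            reason=reason, prev_hash=prev_hash, entry_hash="",
        )
        entry = replace(draft, entry_hash=sha256_hex(draft.canonical()))
        self.entries.append(entry)
        return entry

    def verify(self) -> Tuple[bool, List[str]]:
        """Recompute the whole chain and report every break, not just the first."""
        problems: List[str] = []
        expected_prev = GENESIS_HASH
        for position, e in enumerate(self.entries):
            if e.seq != position:
                problems.append(f"position {position}: seq {e.seq}, entry missing or reordered")
            if e.prev_hash != expected_prev:
                problems.append(f"seq {e.seq}: prev_hash does not match preceding entry")
            if sha256_hex(e.canonical()) != e.entry_hash:
                problems.append(f"seq {e.seq}: content altered after hashing")
            expected_prev = e.entry_hash
        return (not problems), problems

    def reconstruct(self, record_id: str) -> dict:
        """Replay the trail to the record's current state (Legible: a reviewer can rebuild it)."""
        state: dict = {}
        for e in self.entries:
            if e.record_id == record_id:
                state[e.field] = e.new_value
        return state


def demo() -> Tuple[AuditTrail, List[str], List[str]]:
    """Constructed scenario: a lab result is recorded and corrected, then the stored
    log is tampered with in two ways (edited in place, and an entry deleted)."""
    ticks = iter(["2018-11-16T09:00:00+00:00", "2018-11-16T09:05:00+00:00",
                  "2018-11-16T09:30:00+00:00"])
    trail = AuditTrail(clock=lambda: next(ticks))
    trail.append("analyst1", "LOT-42", "assay_pct", "98.1", "initial result")
    trail.append("analyst1", "LOT-42", "ph", "6.8", "initial result")
    trail.append("reviewer2", "LOT-42", "assay_pct", "97.9", "transcription error corrected")

    # Tampering 1: rewrite the original capture so the correction looks unnecessary.
    altered = AuditTrail()
    altered.entries = list(trail.entries)
    altered.entries[0] = replace(altered.entries[0], new_value="97.9")

    # Tampering 2: delete the middle entry outright.
    truncated = AuditTrail()
    truncated.entries = [trail.entries[0], trail.entries[2]]

    return trail, altered.verify()[1], truncated.verify()[1]
```

The intact trail verifies cleanly and still shows the superseded value 98.1 beside the corrected 97.9; the in-place edit fails the content hash and the deletion fails both the sequence check and the chain link.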
COGNITIVE BIASES IN INFORMATION SECURITY
CAUSES, EXAMPLES AND MITIGATION
VESELIN MONEV,
INFORMATION SECURITY AND COMPLIANCE PRACTITIONER.
AUTHOR’S BIO
Veselin Monev is an information security and compliance practitioner. He has over 5 years of information security experience in academia and the private sector and more than 4 years of IT practice. In 2015 he received a master’s degree in Cybersecurity from the New Bulgarian University. He is the author of several academic articles and co-author of an academic book on cybersecurity metrics.
INTRODUCTION
One of the components of a mature information security program is the human factor. Typically, the emphasis is on maintaining a security awareness program and mitigating risks caused by human mistakes and lack of security knowledge. Security awareness is necessary, but it is only one aspect of the human factor. Another challenge for security professionals is finding actionable arguments to support their analysis and recommendations on information security issues in their organizations. The key word here is “actionable”. Their experience shows that professional analysis, argumentation techniques and even supporting evidence, combined, may be insufficient for properly addressing some of the identified problems. Although a number of difficulties can be noted as causes for insufficient or inadequate actions on information security matters, like deficiency of budget, time or human resources, management ignorance and so forth, the picture would be incomplete if the psychological phenomenon of cognitive biases is excluded. Cognitive biases are inherent characteristics of human nature and thus part of everyone’s thinking. A bias is an error in thinking that occurs when people process and interpret information, and it influences the way they see and think about the world. Unfortunately, these biases lead to poor decisions and incorrect judgments. This article correlates research on biased thinking with examples from the InfoSec industry. The first part of the article explains several important (and non-exhaustive) determinants of cognitive biases and then exemplifies them with realistic sample situations that an InfoSec specialist might encounter. The second part proposes several ideas on how organizations can deal with the biases so that their occurrence and impact are reduced. The author wants to emphasize the need for further exploration of the potency of these ideas in the real world and their role in a possible mitigation strategy.
In addition, the reader is encouraged to learn about the types of cognitive biases – a topic not directly discussed here.
DETERMINANTS [1] FOR COGNITIVE BIASES AND EXAMPLES

The Misperception and Misinterpretation of Data or Events
People deal with data on an everyday basis. The common approach is to analyze the data by converting it into something more useful – information – and from there to continue the conversion into knowledge and then wisdom [2]. This complex processing chain may be impacted by the misperception or misinterpretation of random data or events. As an example, a data leakage prevention (DLP) analyst, tasked to inspect the DLP reports for irregularities, may suspect random events of being real attacks on a network. In this instance, the “random” data could be misinterpreted. One should understand that human nature is inclined to look for patterns where such do not always exist [3]. In a second example, a typical computer user could erroneously conclude that his computer troubles are caused by malware. However, an experienced IT support specialist could identify a different cause for the symptoms of the issue and quickly rule out the malware scenario as a cause.

Judgment by Representativeness
Representativeness can be thought of as the reflexive tendency to assess the similarity of outcomes, instances, and categories on relatively salient and even superficial features, and then use these assessments of similarity as a basis of judgment [4]. Judgment by representativeness is often valid and helpful because objects, instances, and categories that go together usually do in fact share a resemblance. However, the over-application of representativeness is what leads to biased conclusions. Many would likely recall personal experiences when a person who belongs to a particular group is attributed qualities considered typical for that group. For instance, some IT experts perceive the members of their information security team as very strict security and compliance enforcers, but in reality not all of them may have this profile. Stereotypical over-generalizations like “All the IT experts…”, “All the auditors…”, “All the consultants from that company…” often follow imprecise and even incorrect qualifications (negative or positive). The simplification can, and in some instances will, be misleading.

Misperceptions of Random Dispersions
If the information security professional analyses statistical data from a certain security tool, he may notice patterns which could lead him to the conclusion that specific events occur more frequently at specific time frames [5].
For instance, if a particular type of security incident occurred for four consecutive months, each time in the last seven days of the month, this could indicate that there is a pattern. These incidents could be correlated with other known events and assumptions can be made about the underlying cause, but a definite conclusion should not be drawn without additional investigation.

Solidifying the Misperceptions with Causal Theories [6]
Once a person has (mis)identified a random pattern as a “real” phenomenon, it is likely going to be integrated into his pre-existing beliefs [7]. These beliefs, furthermore, serve to bias the person’s evaluation of new information in such a way that the initial belief becomes solidly entrenched. For example, if a person participated as the auditee in an audit several years ago where he was supposed to provide some of the IT security procedures to the auditor, the same person could afterward develop false expectations about the requirements in other standards or for other types of organizations. This person could be convinced that he is well aware of all the auditing practices, but in reality he could be lacking essential knowledge on the specifics of other security standards and types of audits (e.g., see the difference between SOC 2 Type I and Type II audits).

Misunderstanding Instances of Statistical Regression
Statistics teaches that when two variables are related, but imperfectly so, extreme values on one of the variables tend to be matched by less extreme values on the other. For instance, a company’s financially disastrous years tend to be followed by more profitable ones; students’ high scores on an exam (over 97%) tend to be followed by less extreme scores in the next exam. If people are asked to predict the next result after an extreme value, they often do not consider statistical regression and make non-regressive or only minimally regressive predictions (they predict a similar value) [8]. A second problem is the tendency of people to fail to recognize statistical regression when it occurs and instead “explain” the observed phenomenon with complicated and even superfluous theories. This is called the regression fallacy. For example, a lesser performance that follows an exceptional one is attributed to slacking off; a slight improvement of the security incident rate is attributed to the latest policy update; a company’s management may hold their IT Security Officer accountable for the decrease of the server compliance level after an excellent patching and hardening activity three months ago.

Misinterpretation of Incomplete and Unrepresentative Data (Assuming Too Much from Too Little)

The Excessive Impact of Confirmatory Information
The beliefs people hold are primarily supported by positive types of evidence. In addition, much of this evidence is necessary for the beliefs to be true but not always sufficient to warrant them. If one fails to recognize that a particular belief rests on deficient evidence, the belief becomes an “illusion of validity” [9] and is seen not as a matter of opinion or values but as a logical conclusion from the objective evidence that any rational person would reach. The most likely reason for the excessive influence of confirmatory information is that it is easier to deal with cognitively, compared to non-confirmatory information. Information systems audits are good examples of searching for confirmatory evidence [10].
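The two statistical traps above, random dispersions read as patterns and the regression fallacy, can both be made concrete with simulated data. The following Python block is an added example, not the author's material: the first function generates incident histories in which no category has any real end-of-month tendency and measures how often the "four consecutive months, each in the last seven days" pattern from the text still appears by chance once an analyst watches several categories at once; the second pair of functions generates a compliance-style monthly score with correlated consecutive months and shows why a naive "next month equals this month" forecast loses to a regressive one, and what typically follows an exceptionally good month. All parameters (20 categories, a mean score of 80 with standard deviation 5, a month-to-month correlation of 0.6) are constructed for illustration.

```python
import math
import random

# Added illustration, not from the article: simulated monthly security data
# showing two statistical traps discussed in the text. All numbers are constructed.

def chance_of_spurious_end_of_month_run(categories: int = 20, months: int = 24,
                                        run: int = 4, last_days: int = 7,
                                        days_in_month: int = 30,
                                        trials: int = 2000, seed: int = 1) -> float:
    """Clustering illusion. Each month, each incident category produces one
    incident on a uniformly random day, so no category really favours the end
    of the month. Returns the fraction of simulated histories in which at least
    one category nevertheless shows an incident in the last `last_days` days of
    the month for `run` consecutive months: the 'pattern' arising by chance."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        found = False
        for _category in range(categories):
            streak = 0
            for _month in range(months):
                day = rng.randint(1, days_in_month)
                streak = streak + 1 if day > days_in_month - last_days else 0
                if streak >= run:
                    found = True
                    break
            if found:
                break
        hits += found
    return hits / trials

def regressive_prediction(mean: float, sd: float, r: float, observed: float) -> float:
    """Best linear forecast of next month given this month's value when
    consecutive months correlate with coefficient r: the deviation from the
    mean shrinks by a factor r. A naive forecaster predicts `observed` itself."""
    return mean + r * (observed - mean)

def compare_forecasts(mean: float = 80.0, sd: float = 5.0, r: float = 0.6,
                      n: int = 5000, seed: int = 2) -> dict:
    """Regression to the mean on a compliance-style score (e.g. percentage of
    compliant servers). Generates (this_month, next_month) pairs with
    correlation r, compares naive and regressive forecasts by mean squared
    error, and reports what follows the months that looked exceptionally good."""
    rng = random.Random(seed)
    naive_se = regr_se = 0.0
    extreme, following = [], []
    for _ in range(n):
        z1, z2 = rng.gauss(0, 1), rng.gauss(0, 1)
        this_month = mean + sd * z1
        next_month = mean + sd * (r * z1 + math.sqrt(1 - r * r) * z2)
        naive_se += (next_month - this_month) ** 2
        regr_se += (next_month - regressive_prediction(mean, sd, r, this_month)) ** 2
        if this_month >= mean + 2 * sd:          # an "excellent" month
            extreme.append(this_month)
            following.append(next_month)
    return {
        "naive_mse": naive_se / n,
        "regressive_mse": regr_se / n,
        "n_extreme_months": len(extreme),
        "mean_of_extreme_months": sum(extreme) / len(extreme) if extreme else None,
        "mean_of_following_months": sum(following) / len(following) if following else None,
    }

if __name__ == "__main__":
    print("P(at least one spurious 4-month run), 20 categories:",
          chance_of_spurious_end_of_month_run())
    print("P(at least one spurious 4-month run), single category:",
          chance_of_spurious_end_of_month_run(categories=1))
    print(compare_forecasts())
```

With the default parameters the spurious run shows up in well over half of the simulated two-year histories when twenty categories are watched, but in only a few percent for a single category; the pattern is a property of how many places one looks, not of the incidents. In the forecasting half, the regressive forecast's error is about four fifths of the naive one, and the months following the exceptional ones average several points lower without any "slacking off" in the model.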
In an audit, unless a statistical methodology [11] is utilized for controls testing, the evidence for the effectiveness of the controls becomes open to interpretation and the auditor’s intention to provide “reasonable assurance” on the controls becomes as ambiguous as it sounds. Auditors would usually ask about the existence of policies and procedures and mostly look for positive evidence. There may even be instances of auditors who ignore non-supportive evidence and ask the auditee for supportive evidence instead. They shouldn’t, but they might do so. In another example, if the security specialist in a small company has a number of responsibilities for the entire information security management system (ISMS), there will probably be many opportunities for him to prove his skills but also to make mistakes. If the company’s CEO favors the employee, he may look for achievements that indicate his professionalism. If the CEO doesn’t favor him, the focus may be on the person’s past mistakes, which, considered alone, would indicate incompetence. In this last case, the past successes are often ignored.

The Problem of Hidden or Absent Data
In some cases, essential data could simply be absent. This makes it difficult to compare good and bad courses of action. In such situations, people could erroneously conclude that their evaluation criteria are adequate. For instance, the decision to increase the password complexity level and to shorten the expiration period for the accounts of a particular business-critical application is an accepted good security practice. However, if only this general best practice is taken into account, the expectations of the change could be overly optimistic.
The reason for this is that a lot of missing information cannot be considered: it is nearly impossible to anticipate all the indirect consequences of such a change, like users starting to write down their passwords. If they do this, the risk of password compromise will most likely increase and the change will have the opposite effect. In another example, the organization’s leadership decides to outsource certain IT security functions to a third-party provider instead of modernizing the existing capabilities. This will likely improve the overall capabilities, but there will be very limited information on whether that course of action was the best decision, because the other course of action will not be pursued and tested. A third example can be given on the subject of risk assessment. People often think that if a certain risk has never materialized, then the likelihood of its occurrence in the future is very low [12]. However, if a risk specialist thoroughly analyses the existing information on the risk, he may conclude that the likelihood is much higher.

Self-fulfilling Prophecies [13]
A peculiar case of the hidden data problem arises whenever our expectations lead us to act in ways that fundamentally change the world we observe. When this happens, we often accept what we see at face value, with little consideration of how things might have been different if we had acted differently. For example, if a senior manager believes that a member of the security team performs unsatisfactorily, the latter will find it difficult to disprove him; if the CIO thinks the CISO behaves in an unfriendly way, the latter could find it difficult to change his perception. Even the absence of friendliness could be erroneously construed as unfriendliness. In such situations, the perceiver’s expectations can cause the other person to behave in such a way that certain behaviors by the target person cannot be observed, making what is observed a biased and misleading indicator of what the person is like. Furthermore, if we do not like a person, we generally try to avoid him and give him little opportunity to change our expectations.

Seeing What We Expect to See

The Biased Evaluation of Ambiguous and Inconsistent Data
“I’ll see it when I believe it.” [14] People are inclined to see what they expect to see, and what is consistent with their pre-existing beliefs. Information that is consistent with our pre-existing beliefs is often accepted at face value, whereas evidence that contradicts it is critically scrutinized and discounted. Our beliefs may thus be less responsive than they should be to the implications of new information. For instance, if a cybersecurity consultant is tasked to serve a client who is generally not satisfied with the IT services of the same company, the client may tend to scrutinize any piece of information the consultant provides and look for confirmation that the security consultancy services are at the same unsatisfactory level as the IT services.

Ambiguous Information
If a decision is based on ambiguous information, we tend to perceive it in a way that fits our preconceptions. Why, for instance, would a newly hired Information Security Officer ask questions around his organization? Is he not aware of his duties or is he incapable of doing his job? Is he asking questions because there is a lack of pre-existing documentation left by his predecessor? Or is this what someone in this position is supposed to do? Or maybe because the ISMS can be effectively maintained only with the support and collaboration of the different roles in the organization? The answer could be related to one of these questions, a combination of them, or there could be a completely different explanation. Depending on the preconceptions of each employee interacting with the new Information Security Officer, they could draw premature and erroneous conclusions about his capabilities.

Unambiguous Information
We tend to consider unambiguous information which fits our beliefs as true. However, we usually do not ignore it when it does not meet our expectations. Instead, we try to scrutinize it and look for additional information. To exemplify this, imagine a CIO who is convinced that employees should not be occupied with information security training and that technical controls should be preferred instead. Then, if he is confronted with studies which provide evidence of the benefits of persistent security awareness training, he may tend to scrutinize them and challenge the significance of the results. He may also accept with much less scrutiny other studies which point out the benefits of technical controls over security awareness.
MITIGATION OF COGNITIVE BIASES [15]
The list of determinants for cognitive biases can be extended. In any event, recognizing the problem is only the first issue. The second and more difficult challenge is to take adequate actions to mitigate the effects of the biases. As far as organizations are concerned, the author suggests the creation of an entire programme within the organization which aims to mitigate the effects of erroneous beliefs and improve employees’ analytical capabilities. Depending on the characteristics of the organization, the system could be integrated into the existing training/educational programme. The approach could focus on the following:
• Promoting learning and self-improvement as a life-long process. People who embrace continuous learning and improvement will have more potential to detect their own cognitive biases and correct their erroneous beliefs. They will also be in a better position to respond to biased arguments of others.
• Promoting the benefits of scientific methods and techniques to create and test new theories with greater certainty. In addition to that, the knowledge of using scientific methods helps people develop a mindset for structured thinking and distinguishes the critics from the closed-minded.
• Promoting and teaching argumentation techniques to improve the interpersonal skills of the employees.
• Trained and motivated individuals should teach the actual techniques.
The following ideas can be considered when creating such a programme.
• When evaluating something, the various outcomes should be specified in advance. This increases the likelihood of objectively assessing the performance of processes, projects, systems and people.
• Differentiating between generating an idea and testing it. Often, people easily create ideas, but the process of proving whether they work in practice is much more complicated.
• Organizing training sessions to teach employees about logical constructs and avoiding biases.
• Distinguishing between secondhand and firsthand information and learning about the risks involved in relying on the former.
• The benefits of using precise wording to describe and explain things and the perceived risks involved when using metaphors.
• The need to focus on both the person and the individual situation, to limit distortions in perception.
• The need to understand the false consensus effect, defined as the tendency for people’s own beliefs, values, and habits to bias their estimates of how widely others share such views and habits.
• The need to understand the distortions caused by self-interest and how the organization can refocus employees’ attention to better serve its interests.
• Exploring the benefits of measurement methods.
• Learning about the benefits of focusing on both the amount and the kind of information.
• Learning about the tendency towards positive self-assessments and the inclination of people to protect their beliefs.
• Promoting tolerance, which can be defined as the assumption that all people make mistakes. Learning about the tendency of people to remember their successes but forget their failures.
• Mastering learning techniques.
• Learning how to give and receive feedback. Often people hold back their own reservations and disbelief when they disagree with what someone is saying. Biased feedback leads to an inability to adequately evaluate alternative strategies.
• Learning how the human brain functions from a neurobiological perspective.
CONCLUSION
In summary, this article first exemplified some determinants of cognitive biases in the context of information security and then provided some ideas on how to mitigate the implications of biased thinking in organizations. The author believes that a better understanding and awareness of cognitive biases will be novel for the concept of the “human factor” in the information security industry. Most importantly, awareness of cognitive biases could provide a new perspective when designing security processes and improve the communication and decision-making of individuals. As a result, the already existing set of analytical and argumentation techniques of information security professionals could be innovatively upgraded to an advanced level. Such an upgrade could improve the overall performance of the staff, especially if it encompasses the entire organization.
REFERENCES
1. The determinants of cognitive biases and their definitions are discussed in the book by T. Gilovich, “How We Know What Isn’t So”, The Free Press, 1991.
2. This is known as DIKW. See L. Hayden, “IT Security Metrics”, pages 57-58, McGraw-Hill, 2010.
3. The tendency of people to see patterns is discussed by M. Shermer, “How We Believe”, 2nd edition, section “The pattern-seeking animal”, Owl Books, 2003.
4. This is related to the cognitive bias known as the Representativeness Heuristic. See A. Tversky and D. Kahneman, “Judgment under Uncertainty: Heuristics and Biases”, pages 1124-1131, Science, New Series, Vol. 185, No. 4157, 1974.
5. This phenomenon is also known as the Clustering Illusion. It is well known among financial investors, who could become overly confident when the price of a stock goes up for a couple of days in a row. See “Think again! Your guide to the cognitive biases that lead to bad investing behaviors and the ten things you can do about them”.
6. The Illusion of Causality is a very well-known phenomenon among scientific researchers. See “Illusions of causality: how they bias our everyday thinking and how they could be reduced”, Front. Psychol., 02 July 2015.
7. It is also thought that pre-existing beliefs are the trigger for new beliefs. See “A cognitive account of belief: a tentative roadmap”, Front. Psychol., 13 February 2015.
8. See D. Levitin, “Foundations of Cognitive Psychology”, pages 591-592, A Bradford Book, 2002.
9. The term is used by H. J. Einhorn and R. M. Hogarth in “Confidence in judgment: Persistence of the illusion of validity”, Psychological Review, Vol. 85, No. 5, pages 395-416, 1978.
10. See B. L. Luippold, S. Perreault and J. Wainberg, “Auditors’ Pitfall: Five Ways to Overcome Confirmation Bias”, 04.06.2015.
11. See “Practice Advisory 2320-3: Audit Sampling”, The Institute of Internal Auditors, May 2013.
12. See section “Biases of imaginability” of reference 4.
13. See C. Ackerman, “Self-Fulfilling Prophecy in Psychology: 10 Examples and Definition”, May 2018.
14. See L. Yariv, “I’ll See It When I Believe It? A Simple Model of Cognitive Consistency”, Cowles Foundation Discussion Paper No. 1352, 2002.
15. The application of methods to remove or reduce bias from judgment and decision making is called debiasing. Multiple other techniques for mitigating the effects of cognitive biases are discussed in the article “Debiasing”, 2018.
BUILDING A CULTURE OF STRONG CYBER HYGIENE WITH SWACHH ONLINE PRACTICES
RAJESH MAURYA,
REGIONAL VICE PRESIDENT, INDIA & SAARC, FORTINET.

As mobility and digital transformation demands have made business networks more accessible than ever, cyberattacks are also becoming more frequent and sophisticated, taking advantage of the expanded attack surface. When on the job at a corporate office, a healthcare organization, an academic institution or government agency, or even when you are working from a local coffee shop, restaurant, or home office, your organization’s online safety and security is a responsibility shared by all. However, as mobile computing—especially using personal devices—becomes more common, the potential for network compromise is increasing. Think about this: around the world, 20 percent of employees now do some or all of their work from home. Employees increasingly demand flexible and seamless enterprise access, making mobility a top global priority in order to attract talent and provide competitive advantages. While this trend gives employees increased access to the network without tying them to a cubicle, it also introduces new security risks to the organization. As a result, employees can unwittingly cause severe damage to a business due to a lack of cybersecurity awareness. A compromised device or an unreliable remote connection can leave your network vulnerable. To minimize risk at work and at home, especially as connectivity and digital resources become more intertwined, organizations need to promote security hygiene best practices that will minimize risk, data leakage, and non-compliance while still allowing for operational flexibility and efficiency.

BUILDING A CULTURE OF STRONG CYBER HYGIENE
As we use our own devices to remotely connect to the corporate network, we must all play a role in helping to keep the network secure. Here are a few strategies that everyone can practice to promote top-notch cyber hygiene.

USE SECURE ACCESS POINTS & CREATE A WORK NETWORK
When remotely connecting to your corporate network, cyber hygiene best practices recommend using a secure access point. One way to minimize the risks of connecting to your work network over public Wi-Fi is to use a virtual private network (VPN). VPNs allow you to extend your private network across the public Wi-Fi using an encrypted virtual point-to-point connection which enables and maintains secure access to corporate resources. However, it is still critical to remember that if either end of that VPN is compromised, like the unadvertised Wi-Fi access point at your local coffee shop, then a VPN cannot prevent things like man-in-the-middle attacks. This is why it is also imperative that you ensure the integrity of any access point you connect to. While public Wi-Fi connections are often harmless, it only takes one malicious connection for a cybercriminal to intercept all of your browsing data as you move across sites and accounts. Another best practice is to create a secure network for business transactions in your home office. Most businesses have two separate networks – one that only employees can access and one for guests. This same protocol is easy to replicate at home. Most home routers allow for the creation of multiple networks, such as a home and a guest connection. Adding a password-protected network for work connections means that your corporate resources will never share the same connection as your gaming systems, home laptops, and your children’s smart devices. By keeping your home devices separated from the network on which you access sensitive work data, compromised devices or applications cannot be used as a point of vulnerability to attack the corporate network.
UPDATE REGULARLY
Installing updates across devices, applications, and operating systems on a regular basis is an integral step to achieving strong cyber hygiene. Though it’s easy to ignore updates when you need to meet a deadline or help a customer, failure to keep your devices updated can drastically simplify the process for cybercriminals seeking to corrupt your device. One of the most effective—and easiest—ways to avoid that tendency is to simply add patching and updating to your work schedule. It’s hard to fit something in if it’s not on your calendar for the day. If you don’t schedule it like you do other tasks and meetings, it’s easy to push it to another day. Regularly applying updates and patches ensures that the operating system and applications you are using are protected against known vulnerabilities. One recent attack that demonstrates the importance of these updates is WannaCry, which leveraged known Microsoft vulnerabilities—for which patches were readily available—to distribute ransomware. Had the targeted organizations and remote end users simply administered updates and patches to their devices they would have been far less susceptible to this attack. In this same vein, it’s also important to ensure all of the programs and applications that run within the business network are still supported by the publisher, and that you retire or replace those that are not.
STRONG ACCESS MANAGEMENT
Access management is a simple but very effective cyber hygiene best practice. You should be using strong passwords and two-factor authentication across all devices and accounts. Passwords should be complex, incorporating numbers and special characters. And try to avoid reusing passwords across accounts – especially on devices and applications that are used to access sensitive business information. This is because if your account is breached on one site, and your information is leaked, credential stuffing and brute force attacks can use this leaked information to target other accounts. The biggest challenge for this sort of password strategy is simply remembering or keeping track of them. Because of this, many of the stronger passwords are actually easier to guess. Instead, use acronyms or phrases to help with remembering passwords. And as the number of passwords you need to remember increases, consider employing management software to help you keep track of them. Strong passwords augmented with two-factor authentication are even better, ensuring that only authorized people can access business-critical systems and sensitive data. Recent advances in biometrics, such as fingerprint scanners and facial recognition software, provide similar multi-factor authentication. Additionally, use segmentation, network admission control, and role-based access controls to limit the users and devices that can access high-value, sensitive information.
PRACTICE SAFE EMAIL USE
The most popular attack vector still being leveraged by cybercriminals today is email. Because of its ubiquitous use, it remains the easiest way to distribute malware to unsuspecting users. Though there are many ways cybercriminals leverage email for malicious activities, ultimately, they largely rely on tricking recipients into clicking on malicious links and attachments, often by impersonating another employee or someone they know. Some of the most popular email scams are phishing and spear phishing. Phishing attacks include links to websites that look legitimate, such as a bank, business, or government office, which then ask users to log in—thereby stealing credentials or infecting the device with malware. Spear phishing increases the effectiveness of such attacks by impersonating an employee or trusted user before requesting login information, sensitive employee data, money transfers, or simply asking them to open an infected attachment or click on a malicious link. To combat such threats, you must be vigilant when responding to emails, especially those with links and attachments. Never click on a link or attachment from an unknown sender. And even if an email seems to come from a trusted source, be sure to look closely at the email address or website URL they refer you to. Often, names or URLs will have misspellings, which indicate an attack. Even if things look normal, stop and ask yourself if this looks or sounds like something this person would send to you or ask you to do. Most of the time, links are only provided after a request has been made, or as part of a larger or longer conversation. Unexpected requests are ALWAYS suspect, and may warrant directly contacting the sender to not only verify the request, but if it is legitimate, to also suggest that they use a different process besides distributing unannounced attachments and links.
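The advice to look closely at the sender's address can be partly automated on the receiving side. The following Python block is an added example and not Fortinet's code or a product feature: it takes From headers, extracts and normalises the sender domain, and classifies it as a trusted domain (or a real subdomain of one), a look-alike of a trusted domain (digit-for-letter swaps, a Greek or Cyrillic letter standing in for a Latin one, a trusted name buried inside another domain, or a near-miss spelling), or simply unknown. The trusted domains, the short confusables table and the sample headers are all constructed for the example; the full confusables data lives in Unicode Technical Standard #39. A verdict of "lookalike" is a triage signal for a mail filter or an awareness tool, not proof of an attack, and "unknown" senders still deserve the scrutiny the section describes.

```python
import unicodedata
from difflib import SequenceMatcher
from email.utils import parseaddr
from typing import Dict, Iterable, Tuple

# Added illustration, not from the article. The allow-list, the confusables
# table and the sample From headers below are constructed for this example.

TRUSTED_DOMAINS: Tuple[str, ...] = ("yourcompany.com", "example-bank.com")

# A few visually confusable substitutions. Unicode TS#39 publishes the full
# confusables table; this short list is only for demonstration.
CONFUSABLES = [
    ("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"),
    ("\u03bf", "o"),  # Greek small omicron
    ("\u0430", "a"),  # Cyrillic small a
    ("\u0435", "e"),  # Cyrillic small ie
    ("\u0131", "i"),  # dotless i
]

def sender_domain(from_header: str) -> str:
    """Domain part of the address in a From header, lower-cased and NFKC-normalised."""
    _, address = parseaddr(from_header)
    domain = address.rsplit("@", 1)[-1].rstrip(".").lower()
    return unicodedata.normalize("NFKC", domain)

def skeleton(domain: str) -> str:
    """Collapse confusable characters so look-alikes compare equal to their target."""
    for src, dst in CONFUSABLES:
        domain = domain.replace(src, dst)
    return domain

def classify(from_header: str, trusted: Iterable[str] = TRUSTED_DOMAINS,
             similarity_threshold: float = 0.85) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the sender's domain."""
    domain = sender_domain(from_header)
    trusted = tuple(t.lower() for t in trusted)
    # Exact match or a genuine subdomain of a trusted domain.
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return "trusted"
    skel = skeleton(domain)
    labels = skel.split(".")
    for t in trusted:
        org_label = t.split(".")[0]                      # e.g. "yourcompany"
        if skel == t:                                    # digit or homoglyph substitution
            return "lookalike"
        if any(org_label in lab for lab in labels):      # trusted name inside another domain
            return "lookalike"
        if SequenceMatcher(None, skel, t).ratio() >= similarity_threshold:  # near-miss spelling
            return "lookalike"
    return "unknown"

# Constructed sample headers, as they might appear in a mail client.
SAMPLE_FROM_HEADERS = [
    "IT Helpdesk <it-helpdesk@yourcompany.com>",
    "Alerts <alerts@mail.yourcompany.com>",
    "Security Team <security@yourc0mpany.com>",
    "Billing <billing@yourcornpany.com>",
    "CEO <ceo@y\u03bfurcompany.com>",
    "Support <support@examp1e-bank.com>",
    "Notice <noreply@yourcompany.com.example.net>",
    "A Friend <friend@unrelated.example>",
]

def triage(headers: Iterable[str]) -> Dict[str, str]:
    """Map each header's address to its verdict."""
    return {parseaddr(h)[1]: classify(h) for h in headers}

if __name__ == "__main__":
    for address, verdict in triage(SAMPLE_FROM_HEADERS).items():
        print(f"{verdict:9s} {address}")
```

Running it marks the first two headers trusted, the next five look-alikes (each for a different reason) and the last one unknown. The subdomain test deliberately requires a leading dot, so yourcompany.com.example.net is not mistaken for a subdomain of yourcompany.com.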
INSTALL ANTI-MALWARE
While anti-malware software cannot stop unknown attacks, the vast majority of attacks and exploits reuse attacks that have been previously successful. Installing anti-malware/anti-virus software across all your devices and networks provides protection in the event of a successful phishing scam or an attempt to exploit a known vulnerability. In addition, look for tools that provide sandboxing functionality, whether as part of an installed security package or as a cloud-based service, to also detect Zero-Day and other unknown threats.
HAVE A CYBER RESPONSE PLAN IN PLACE AND UNDERSTAND THE DETAILS
All businesses, regardless of size, should have an incident response and recovery plan in place to minimize downtime in the event of an attack. Make sure you and all other employees are aware of this plan so there are no questions about the next steps during an attack. This includes having a hotline prominently displayed so employees know who to contact if they suspect there has been a breach. You also need to ensure that this hotline is either manned 24/7 or that an after-hours number is readily available. Waiting to learn about a breach until after your support team arrives for work may be too late. Having a streamlined plan combined with a staff that are all on the same page will allow you and your business to quickly stop an attack from spreading throughout the network, reduce dwell time, minimize the exfiltration of data, and get everyone back online faster. Cybersecurity is no longer the sole responsibility of the IT and security teams. As employees interact with and rely on technology every day, often from remote locations, they all play an integral role in the security of the organization. In order to ensure security and compliance, especially as trends such as digital transformation and mobility continue to expand, each individual employee must understand and practice cyber hygiene. By being aware of common attack vectors and utilizing the tips provided above, your users can help stop the spread of malware and keep your business running smoothly.
WHY CYBER RANGE TRAINING AND SIMULATION IS KEY FOR EFFECTIVE SECURITY OPERATIONS
ADI DAR,
CEO AT CYBERBIT.
AUTHOR’S BIO
Adi Dar, CEO and founder of Cyberbit, is an experienced cybersecurity leader and chief executive who has repeatedly led the development and launch of successful products and services in highly competitive markets. Prior to founding Cyberbit, Dar was CEO of ELOP (Israel’s largest electro-optics company and a global leader in this market), where he led the company’s growth to over $500M annual revenues and 1800 employees. During this period, Dar also served as an Executive VP at Elbit Systems, Israel’s largest defense company, as well as a chairman and board member in numerous companies in the USA, UK, Singapore, Belgium, India and Israel. Prior to ELOP, he was the VP of Business Development and Sales at ELOP. Before that, he founded the Intelligence and Cyber division at Elbit and managed it for 2 years. Before joining Elbit Systems, Dar was the vice president of business development and sales at Elron Telesoft Ltd.
The cybersecurity scene has never been so dynamic and complex. The number of attacks and their complexity have grown drastically, and the number of security solutions collecting endless amounts of alerts and events has risen just as sharply. A recent Ovum survey sponsored by McAfee found that 37 percent of respondents in the financial sector had to deal with over 200,000 daily security alerts, and many institutions deploy between 100 and 200 disparate security solutions. New threats and attack vectors emerge, spanning a converged attack surface of IT and OT networks, as well as IoT devices. Attacks have become time-sensitive, requiring SOCs to detect and respond within seconds to minutes, and challenging the SOC’s ability to perform effectively. We have seen this new reality once again in the recent attack on Cosmos Bank in India last month, where over $15M was stolen via ATM hacking. Topping this, new regulatory guidelines are being introduced, requiring strict procedures and comprehensive reporting processes. In parallel, our overall ability to recruit, train and retain our cybersecurity experts has been dropping continuously over the last years. These trends will remain with us, and in many cases increase, in the foreseeable future, making the jobs of our CISOs ever more challenging. Forward-thinking CISOs now understand that rushing to spend their growing budgets to purchase the latest tools, hoping that the new technology will finally improve their security posture, will not resolve their strategic, and in many cases existential, problems. They are beginning to acknowledge that their teams are not professionally equipped to face the new generation of threats, not because of a lack of products or technologies, but because they don’t really know how to operate them effectively.
Most of them have never trained effectively, either as individuals or as a team, never faced a multi-stage attack, and have never used their technologies in a real-life attack scenario requiring them to respond to an evolving attack within minutes. Today, responding to incidents requires using several disparate tools, and an entire team working on them in tandem, collecting the pieces of the puzzle, assembling them into an attack timeline and responding to the attack. This kind of teamwork requires multiple SOC team members and external teams to work in a highly orchestrated fashion. Forensic analysts, tier one and tier two analysts, and external teams like IT, fraud, and risk management must all be tightly aligned. This level of coordination is very difficult to achieve and requires well-defined procedures, as well as intensive rehearsals and training. And yet, we are not taking training as seriously as we should. Would any of us agree to board a plane where the crew learned how to operate an emergency procedure over a PowerPoint presentation? Obviously not. Would an elite military unit be dropped into a battle without having gone through numerous dry-runs over months, rehearsing all potential scenarios and using their entire arsenal of weapons? The answer is, again, NO. So, why do we believe that this approach might work for cyber security practitioners? We’ve repeatedly learned that the human factor is the number one parameter determining the success of complex hands-on tasks. Hence, investing in our cyber experts and in our SOC teams, both as individuals and as a unified team, is THE key to an effective SOC. In the case of cybersecurity, this challenge is amplified. The shortage of cybersecurity professionals is at a critical state and will only continue to grow, forcing cybersecurity leaders to hire inexperienced team members to fill open positions. Security analysts, often junior and barely trained, are expected to master dozens of security products in increasing numbers, defending against threats they have never experienced before. How many of you, or your SOC operators, have ever experienced an advanced threat infiltrating and spreading through an IT network? These tools are hard to configure and use. As a result, at the moment of truth, the team fails to deliver. No wonder that, according to the SANS 2018 SOC Survey, lack of skilled staff was the most common reason respondents cited as hampering SOC capabilities.
ADDRESSING THE GAP Traditional IT security training is largely ineffective, because it relies on sterile, mostly theoretical training. It is often conducted on the job by SOC team members rather than by professional instructors. To get our security teams prepared to face today’s multi-dimensional IT and OT security challenges, we must place them in a technology-driven environment that mirrors their own, facing real-life threats. In other words: hyper-realistic simulation. Just as you would never send a pilot to combat before simulating emergency scenarios and potential combat situations, we should not send our cyber defenders to the field before enabling them to experience potential attacks and practice response within a simulated environment. A flight simulator replicates the actual combat zone, from realistic weather conditions and aircraft instruments to enemy aircraft attacks. This realism maximizes the impact of the training session. Similarly, the way to maximize the effectiveness of security training is by providing a virtual replica of your actual “warzone”, resulting in a true-to-life experience. Security teams should use the actual security tools they use at work, and should experience their familiar network setup and traffic. Threats should be simulated accurately, including advanced, evolving threats, targeted malware and ransomware. The potential of simulation-based training, as compared to traditional training, is substantial. Organizations can not only train people but also test processes and technologies in a safe environment. Furthermore, security teams can train as individuals or as a group, to improve their teamwork. With the help of simulation, your team can experience high-fidelity threat scenarios while training, and improve their capabilities, rather than encountering these threats for the first time during the actual attack. This results in a dramatic improvement in their performance.
THE CYBER RANGE This rationale is the driver behind the concept of a cyber range. A cyber range is a powerful tool for CISOs and SOC managers to accurately simulate their network and security tools within a dynamic IT or OT environment. A high-quality cyber range offers a rich catalog of simulated incident scenarios, in varying levels of difficulty, which security managers can choose from to train their teams. This opens up numerous new opportunities, some of which include:
- An environment for team training, where security staff can improve their communication and teamwork, both of which are critical elements of an efficient incident response team and impossible to practice using conventional training systems.
- A means of training the entire organization in a breach scenario and the related business dilemmas, beyond incident response, including potential business executive decisions. Consider a ransomware scenario where executives are required to decide whether to pay the ransom, negotiate, or mitigate.
- A test-bed for potential products, where they can be tested in a safe and controlled environment.
- A training environment for newly introduced products, enabling team members to master new technologies and dramatically improve their performance and skills.
I am confident that in the coming years cyber ranges, and simulation-based training, will become the gold standard for training, assessing, certifying, and maintaining the skill levels of cybersecurity practitioners, just as it has become the standard for air crew training. This approach will disrupt cybersecurity training as we know it by finally addressing challenges such as security tool and alert fatigue, and will enable security leaders to build a new generation of better cyber defenders.
I believe this approach is essential within this dynamic and virtual dimension and I am thrilled to see this approach gradually becoming a mandatory component of every higher education, enterprise, government and service provider cybersecurity training program.
BUILDING SECURITY FRAMEWORK FOR ENTERPRISE
SUDIPTA BISWAS,
VICE PRESIDENT & CISO, PRIME INFOSERV LLP
AUTHOR’S BIO
A graduate engineer with 32 years’ industry experience in the domain of information technology and information security. His past assignments were with companies such as GEC and BHEL. He is an expert in the information system security domain, with deep exposure in governance, compliance, procedures and strategies. His knowledge covers a wide spectrum with a holistic view on people, process and technology, focusing on information security, data protection, privacy, incident management and audits. He is a certified ISO 27001 Lead Auditor, Ethical Hacker, CIISA & CISP, an active member of DSCI Kolkata Chapter and NASSCOM, and a core committee member of Infosec Foundation.
The major milestones in building a security framework for any enterprise are risk assessment, risk analysis, risk treatment and compliance. The initial baseline assessment is an abbreviated version of a full-blown “risk or security assessment/analysis.” The assessment is only as good as the honesty and knowledge of the people who answer the questions and the experience and knowledge of the persons interpreting the answers. For example, just because an organization has policies does not mean that the policies are being followed or even enforced. It is still necessary to assess at a more detailed level by testing a policy to see if people are in compliance with it. After the report is complete, an organization must deal with the number one issue for a successful security program: management commitment. Each organization will find the level of management commitment very different. It may be easy to get the needed buy-in because of an incident causing financial loss, or it may be difficult because management does not understand all the risks that the baseline report points out. Presenting them in a business context will help management understand. In either case, be prepared by understanding management’s business expectations and use the sample questions indicated in Annexure 1 to educate management about the security concerns. Until security matters as much to management as the bottom line, the users will not make security policies, guidelines and procedures a priority. As the security program grows, it will be equally important to have management’s buy-in throughout all levels of the organization – from executives to line managers.
Annexure 1: Baseline assessment of company security status.
- Are company policies defined to address business use of company resources, covering such things as explicit and appropriate e-mail privacy or Internet usage policy? Are they enforced consistently, if at all?
- patches to prevent exposure to known hacking vulnerabilities? Do you know which vulnerabilities can be exploited to access your system?
- Is your company able to detect a computer crime, and can you gather evidence that can prove to the court, media, or stockholders how the crime was perpetrated and who committed the crime?
- Does your company allow remote access from home or wireless? Are employees working only from the corporate office? What methods do employees use to access the network? Have they created any methods you are not aware of, such as remote control or modems on a desktop?
- What is sent across the company network? Do the transmissions include vital or confidential information?
- Is there a definition of “incident”? Has an incident response plan been created to handle critical incidents? Does management want to have the ability to criminally prosecute on incidents, making it necessary for evidence to stand up in the legal system?
- Are all users authenticated and authorized to use the company network?
- Are all of the entry points into the company known and documented? Does that include the ones that exist because of technology, such as modems, personal Internet connections, extranet connectivity, and any others?
Security will be cast in the same light as insurance. Security, like insurance, minimizes what one has at risk. A company spends money to have security because it is not willing to accept the risk associated with all of the vulnerabilities that put the business at risk. Security does not increase business profitability unless a company can show that its security provides an advantage over its competition. For most companies, security does not generate revenue. It is a cost of doing business. Security will be viewed as an expense, but must be seen as a necessary cost of doing business. With the huge dependency today on data, it is no longer an issue of whether a company can afford to provide security measures, but whether the company can afford not to. The next step is a budget to back the efforts of the security program, which includes appropriate salaries to hire security professionals or the necessary security consultants who can assist in continuing management education, technology evaluation, procuring tools, forming policies and procedures, and can help to complete the building of the security infrastructure.
The budget should be provided for a team that will coordinate and implement a successful security project. The team will build the corporate security framework or plan and present it to management for continued commitment and potential additional budget needs. A security awareness program begins to take shape at this point, simply to keep management informed of security architecture and funding needs. This communication could be formal or informal. Making it more formal will make the process of keeping management informed consistent and timely. The security awareness program is a key milestone for building a robust security framework and is required throughout the security program’s lifecycle, regardless of whether the process is made formal or not. The security awareness program may find it necessary to illustrate to management examples of recent incidents and legislation or regulations to help it understand the importance of, and justify continued budgetary and administrative support for, security. The plan should include prioritization of activities to build the perfect security programme. Depending on the organization, it may be necessary to use formal assessment to help prioritize actions, build support (management commitment using the security awareness program), or identify additions or changes to the framework. Enterprise-wide risk assessments can be very labor intensive. It is very important to set expectations and a goal for the assessment. This can be difficult, especially if no other assessments have ever been done. However, it is essential to strike a balance between risk assessment and the business need for risk treatment/mitigation. It may so happen that management may like to accept some of the risks, considering their impact on the business. There is a common saying in security parlance: “How much is too much?” Assessments come in many forms: from the formal enterprise-wide assessment that covers the entire corporation and its processing environment to smaller targeted assessments of selected platforms. For example, penetration tests or vulnerability scans can be performed against the company’s external access points to find exposures to unauthorized entry. Another example might be an analysis of host operating systems to determine their status and whether they are missing security patches or are improperly configured. A formal corporate risk assessment could arguably be identified as the number one requirement to build a security program. How can a company identify what needs to be done, where the framework is incomplete, what to prioritize, what is missing from policy, essentially what to tell management, without one? It is true that each element in the infrastructure and the risks that pertain to them will affect other elements, and each risk will in turn affect how the complete framework should be managed. However, many companies do not have the luxury of time, money, or commitment to get into an enterprise-wide risk assessment. Smaller targeted assessments with a specific goal in mind can be pursued first to get a security process off the ground. Smaller, less formal assessments can identify gaps in basic security components such as application development, servers, or the network. The simple assessment can help identify basic best practices that are missing but, as a matter of due diligence, should be followed. This gives the plan a place to start without needing the more complex formal or enterprise-wide assessment first. In such a situation, the more formal complete enterprise-wide risk assessment can be prioritized for a later date.
LAW AND ORDER: POLICIES, PROCEDURES, STANDARDS, AND GUIDELINES Every world needs some form of law and order. Corporate security policy provides the backbone, the roadmap or recipe, for this security framework. It defines where a company is and where it wants to go. It establishes baselines to which business processing must adhere. The baselines are the prescribed security controls specified for each component (hardware/software) in the data processing environment in order to achieve a reasonable and consistent level of security throughout the organization. Guidelines are documented in such places as the Common Criteria. Policy and procedures are living documents that change constantly as technology evolves or as business needs change. There are differing layers of policy. The higher-level policy should be reasonably generic and cover such items as “It is the policy of Company X that all computer systems will maintain virus scanning tools with up-to-date virus signatures.” This is a management statement of direction. At a lower level are more technical statements, or standards, that spell out the specific virus scanning software on which the company has standardized. This is the company virus scanning standard. Procedures are the step-by-step actions to support policy and will identify the specifics of how to maintain the virus signatures or use the standard virus tool. These lower-level policies must be maintained and must evolve, always having the support of management and company commitment for consistent enforcement. Higher-level policy is less likely to change but, nonetheless, must be regularly reviewed and even tested to see if it is still applicable to the organization’s business model. Policy, just like program code, should have version control, with old versions archived for future reference, management review, and authorizations (sign-off) for implementation. These are the essential components of basic change management.
COMPLIANCE: Compliance plays a vital role in maintaining a security framework. The availability of robust security policies, procedures and guidelines does not ensure they are being followed to prevent any security pitfall. Even the availability of best-of-breed security tools and solutions does not mean that they have been configured properly, patched and maintained at regular intervals. Hence information systems should be regularly checked for compliance with security implementation standards. Technical compliance checking involves the examination of operational systems to ensure that hardware and software controls have been correctly implemented. This type of compliance checking requires specialist technical personnel and should be performed manually, supported by appropriate software tools if necessary. One form of compliance checking is penetration testing, which should be carried out by independent experts specifically trained for this purpose. This can be useful in detecting vulnerabilities in the system and for checking how effective the controls are in preventing unauthorized access due to these vulnerabilities. Compliance with legal requirements should be ensured to avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations and of any security requirements. The design, operation, use and management of information systems may therefore be subject to statutory, regulatory and contractual security requirements.
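As an added illustration of the policy/standard/baseline layering described under LAW AND ORDER and of the technical compliance checking described here (example code added for this edition, not code from the article or from Prime Infoserv), the following Python script evaluates a constructed host inventory against a baseline built from the article's virus-scanning example. The scanner product name, the age thresholds and the host records are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Constructed baseline in the spirit of the article's layered policy:
#   policy   - every system runs virus scanning with up-to-date signatures
#   standard - the company-standard scanner is "corp-av" (hypothetical product name)
#   baseline - a pending critical patch must not be older than 30 days
# All three values are assumptions for this example, not figures from the article.
BASELINE = {
    "av_product": "corp-av",
    "max_signature_age_days": 3,
    "max_critical_patch_age_days": 30,
}


@dataclass
class Host:
    """One record from a (constructed) asset inventory."""
    name: str
    av_product: Optional[str]               # None when no scanner is installed
    signature_date: Optional[date]          # date of the loaded signature set
    oldest_critical_patch: Optional[date]   # release date of the oldest unapplied critical patch


def check_host(host: Host, baseline: dict, today: date) -> List[str]:
    """Return the baseline deviations found on one host (empty list = compliant)."""
    findings = []
    # Policy: a scanner must be present at all.
    if host.av_product is None:
        findings.append("no virus scanner installed")
    else:
        # Standard: it must be the company-standard product.
        if host.av_product != baseline["av_product"]:
            findings.append(f"non-standard scanner {host.av_product!r}")
        # Policy: signatures must be current.
        if host.signature_date is None:
            findings.append("signature date unknown")
        else:
            sig_age = (today - host.signature_date).days
            if sig_age > baseline["max_signature_age_days"]:
                findings.append(f"signatures {sig_age} days old")
    # Baseline: critical patches must not be left pending too long.
    if host.oldest_critical_patch is not None:
        patch_age = (today - host.oldest_critical_patch).days
        if patch_age > baseline["max_critical_patch_age_days"]:
            findings.append(f"critical patch pending for {patch_age} days")
    return findings


def compliance_report(hosts: List[Host], baseline: dict, today: date) -> Dict[str, List[str]]:
    """Map host name -> findings for every non-compliant host; compliant hosts are omitted."""
    report = {}
    for host in hosts:
        findings = check_host(host, baseline, today)
        if findings:
            report[host.name] = findings
    return report


# Constructed inventory sample (hypothetical host names and dates).
TODAY = date(2018, 11, 16)
SAMPLE_HOSTS = [
    Host("fs01", "corp-av", date(2018, 11, 15), None),                 # compliant
    Host("ws-042", "corp-av", date(2018, 10, 20), None),               # stale signatures
    Host("web01", "other-av", date(2018, 11, 16), date(2018, 9, 1)),   # wrong scanner, old patch
    Host("legacy-db", None, None, date(2018, 11, 10)),                 # no scanner at all
]

if __name__ == "__main__":
    for name, findings in compliance_report(SAMPLE_HOSTS, BASELINE, TODAY).items():
        print(name, "->", "; ".join(findings))
```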
CRITICAL SUCCESS FACTORS Experience shows that the following factors are often critical to the successful implementation of information security within an organization:
- Security policy, objectives and activities that reflect business objectives;
- Visible support and commitment from management;
- A good understanding of the security requirements, risk assessment and risk management;
- Distribution of guidance on information security policy, procedures and standards to all employees and contractors;
- Providing appropriate training and education;
- A comprehensive and balanced system of measurement to evaluate performance in information security management and feed back suggestions for improvement.
SUMMARY Learn from the mistakes of others. You will not live long enough to make all of them yourself. One needs to learn from past mistakes. Not patching or performing maintenance on hardware and software leaves them vulnerable to the same unauthorized access. Known vulnerabilities are a primary cause of unauthorized access and jeopardize the stability of the processing environment. There are eight layers of vulnerability. These layers fit neatly into physical, technical, and administrative layers. Detailed vulnerabilities can be found in each layer of the OSI Reference Model: physical, data link, network, transport, session, presentation, and application, plus the toughest layer of vulnerability to control, the user, who is probably the greatest exposure. Creating a perfect security environment requires attention to all of the layers that make up a business-processing model. Each layer can introduce unique vulnerabilities. The complete solution is not just about technology. Administration, management, policies and process are all important parts of the security solution. Understanding the overall security process can help build a comprehensive security framework. It will have management’s commitment, an adequate budget, and a roadmap called policy, with a security awareness program that educates, communicates, and ties everything together by providing feedback to the user as well as management to keep the cycle of security flowing.
THE PERFECT SECURITY WORLD: (1) Baseline Assessment (2) Baseline Security Report (3) Management Commitment (4) Security Budget (5) Security Team (6) Corporate Security Framework or Plan (7) Formal Risk Assessment (8) Corporate Security Policy (9) Basic Security Standards, Procedures, and Baselines (10) Perimeter Security (11) Incident Handling (12) Management Reporting (13) Security Technologies (14) Maintenance (15) Security Awareness Program (16) Security Audit.
EVOLUTION OF THE SECURITY OPERATIONS CENTER – 2.0 & BEYOND
KRISHNAN JAGANNATHAN,
EXECUTIVE CONSULTANT, CYBERSECURITY WITH IBM ASIA PACIFIC ON THEIR SECURITY TIGER TEAM.
AUTHOR’S BIO
Krishnan has spent many years in cybersecurity advising governments and regulators on their approach to cybersecurity and advising them on policy. This has also included engaging senior management at strategic clients to plan investment drops that line up with improved security posture. Prior to IBM, Krishnan began his career with Hewlett Packard, strengthening policy and security management for stock exchanges and banks as they opened up for business over the net. Moving on to Sun Microsystems, Krishnan rode the next few years on the emerging e-business wave, working on Identrus B2B payments and championing WS-Federation. Krishnan spent many years with Microsoft managing the hosting and private cloud business while providing key guidance to the Azure business as it established itself.
Network Centric Operations (NCO, to borrow a defense term) drove the phenomenon of global business, also whelping the 24x7 norm of non-stop business. This, as we all see it, is now being transformed and churned by new catalysts such as the GenX/Z user and rampant digitalization. Government, despite all its bureaucratic legacy, has also had to match this need in order to remain meaningful and to be seen to provide meaningful G2C services and reach. However, throughout this journey, functionality has been king, and the focus of business has generally remained there along with the intent to invest, as the visible accoutrements such as the ribbon-cutting and confetti accompany this element. The Internet, governed by its multi-stakeholder model, has glowingly served as the near-perfect vascular system for this NCO model. Near perfect, since its loosely coupled protocols have worked beautifully, as have its distributed governance models driven by its initial design outcomes. We will be side-stepping Internet governance and its balkanization to keep to the scope of the current discussion. However, the key denominator sustaining this complex global organism is the elephant in the room: Business Resilience founded on Cyber-Resilience. Cyber-Resilience is in turn founded on the principles of Detect, Analyze and Respond. It is an irony that cybersecurity, founded on information security, has only relatively recently shaken off IT’s shackles and aligned with business; however, the organizational and budget alignments are still quite confused in most organizations. Without security, all digitalization is a mere spin of Russian roulette. This must be recognized and, more importantly, internalized throughout the organization, from the strategic decision makers to the operational level. The Security Operations Center (hereafter SOC) is where security and cybersecurity reside. Designated security experts have a control-room view of the business network and assets across all business lines.
This is necessary as security attacks are known to transcend logical frontiers, as in malicious accesses from the IT to the OT networks to wreak havoc. SoCs have evolved from a near-NOC with plain investment in network security, through to SoC 1.0 with investments made in some layers of security, for instance a security intelligence platform (the brain) with, say, a DAM and an identity management platform, with no attention paid to integration with the brain. This results in alerts not being correlated and therefore a pile of activity across multiple platforms, keeping the SoC staff stretched with transactions. Also in this phase, security teams, which were mostly drawn from network staff, ensured security investments were largely directed to network and perimeter security, whereas the channel of threat had side-stepped to take advantage of bona fide channels. Security thus was grossly miscarried. It is surprising most organizations still persist with this approach – seemingly awaiting the big exploit.
Figure 1 Global Submarine Cable Map - courtesy TeleGeography
Figure 3 SoC Evolution
The transformation to SoC 2.0 has been driven by the rise in advanced threats, both multi-vector and persistent and asynchronous, with Indicators of Compromise being obscured over time and the modus operandi morphing in anticipation of detect-and-respond behavior. Malware, mobile or otherwise, and botnets are the delivery channel for such attacks. The long life of botnets, their seemingly fluctuating behavior over time, their growth and how they themselves morph is a key focus area of threat intelligence. SoC 2.0 is founded on intelligence, integration of all security telemetry, and information from the wild, or threat intelligence. Over and above all, it relies on network flow analysis along with other anomaly detection mechanisms. Layer-7 analysis provides the necessary insights to detect low and slow attacks and other covert threats. The key to the success of the 2.0 model has been the focus on threat research with a look-ahead focus. Fundamental to this is the principle of the Social SoC through information sharing and analysis, whether sectoral or national. Add to this the key principle of know yourself and know your enemy, or Total Situational Awareness. This translates to pre-event preparedness through vulnerability management, configuration management and dynamic risk management, and post-event review and learning through incident response and deep forensics, accompanied by tuning of the installed security intelligence rule-sets and mobilizing counter-measures.
Figure 4 What Sun Tzu thought, Shivaji put into practice
Figure 5 SoC evolution: SoC 0.1 to 1.0 (post-facto response); SoC 2.0 (designed proactive, potential never fully realized); NextGen SoC (proactive assist & predictive)
Turning to how 2.0 has been executed in implementation and operations in the field: given all subsystems have the necessary capabilities mentioned above, the key gaps have been around the dearth of tacit experience in operations and the lack of necessary interaction between business and security to evolve and put in place rule-sets that will pick up threat alerts stemming from specific vulnerabilities in the business process, not to mention the systems in question. Add to this bridging the lack of standardized incident response procedures and recovery mechanisms, which a large proportion of organizations assume they possess. The Next-Gen SoC, or the cognitive SoC, tries to address some of these major lacunae foursquare. As in the case of SoC 2.0, the execution may not end up being 100% in every case, but the success factor is likely to go up with learning systems. The approach is based on mitigating the dearth of tacit experience at the point of security decision making with Cognitive Assist. A system in the cloud ingests relevant security information across the security universe, across all domains of available information, under the direction of data scientists and security research experts, creating a universe of threat information readily accessible. This knowledge graph learns and grows every second to be the ultimate ready reckoner. IBM’s Watson for Cybersecurity is a successful example of such an engine. As seen in Figure 6, local observables map to this knowledge graph, revealing connections to malicious nodes such as malware which the security manager, with his limited knowledge or experience, would not have picked up. This also short-cuts the long-drawn triage cycles while making threat research more accurate. The cognitive assist is also provided to end-point security systems, which advise on mala fide content on end-points, securing the domain more effectively. The Next Gen SoC is incomplete without other key force multipliers such as third-party integration apps, which allow the security manager to orchestrate and automate security actions on other systems from a single pane of glass. The Next Gen SoC also has the important capability to do advanced sense-making and behavior-based anomaly detection across users and other entities, while also pointing to misconfiguration in security intelligence rules and being able to sense connections to sources having been disconnected or dropped, thus allowing for a level of self-healing. The Next Gen SoC works in tandem with analysis across other domains of data, leading to Cyber Fusion. Cyber Fusion, based on the principle of No-Data-Left-Behind, will help realize the state of Strategic Awareness.
Figure 6 Cognitive assist
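As an added example (written for this edition; it is not IBM's Watson for Cybersecurity or any other product's code), the following Python sketch shows the mechanism described above: local observables taken from an alert are looked up in a small constructed threat knowledge graph, and a breadth-first search reports the shortest chain linking each observable to a node that research has marked malicious. Every indicator, relationship and verdict in it is hypothetical.

```python
from collections import deque
from typing import Dict, List, Optional, Tuple

# Constructed threat knowledge graph (hypothetical indicators, not real IoCs).
# Each node carries a kind and, where research has reached a verdict, a
# "malicious" flag; edges are undirected relationships between indicators.
NODES = {
    "ip:203.0.113.10": {"kind": "ip"},
    "domain:update-cdn.example": {"kind": "domain"},
    "hash:DEADBEEF": {"kind": "file"},
    "malware:ExampleBot": {"kind": "malware", "malicious": True},
    "ip:198.51.100.7": {"kind": "ip"},
    "domain:mail.example": {"kind": "domain"},
}
EDGES = [
    ("ip:203.0.113.10", "domain:update-cdn.example", "resolves-to"),
    ("domain:update-cdn.example", "hash:DEADBEEF", "serves"),
    ("hash:DEADBEEF", "malware:ExampleBot", "sample-of"),
    ("ip:198.51.100.7", "domain:mail.example", "resolves-to"),
]

Step = Tuple[str, str]   # (relationship, next node)


def build_adjacency(edges) -> Dict[str, List[Step]]:
    """Index the edge list both ways so the search can walk relationships in either direction."""
    adj: Dict[str, List[Step]] = {}
    for a, b, rel in edges:
        adj.setdefault(a, []).append((b, rel))
        adj.setdefault(b, []).append((a, rel))
    return adj


ADJ = build_adjacency(EDGES)


def path_to_malicious(observable: str, max_hops: int = 4) -> Optional[List[Step]]:
    """Breadth-first search from a local observable.

    Returns the shortest chain of (relationship, node) steps that reaches a node
    flagged malicious, or None if the observable is unknown to the graph or no
    such node lies within max_hops. BFS guarantees the first hit is the shortest.
    """
    if observable not in NODES:
        return None
    queue = deque([(observable, [])])
    seen = {observable}
    while queue:
        node, path = queue.popleft()
        if NODES[node].get("malicious"):
            return path
        if len(path) >= max_hops:
            continue                      # do not expand beyond the hop budget
        for nxt, rel in ADJ.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [(rel, nxt)]))
    return None


def triage(observables: List[str], max_hops: int = 4) -> Dict[str, Optional[List[Step]]]:
    """Map each observable from an alert to its explaining chain, or None when nothing connects."""
    return {o: path_to_malicious(o, max_hops) for o in observables}


# Constructed observables as a SOC alert might list them: two contacted IPs and
# one address the graph has never seen.
LOCAL_OBSERVABLES = ["ip:203.0.113.10", "ip:198.51.100.7", "ip:192.0.2.1"]

if __name__ == "__main__":
    for obs, chain in triage(LOCAL_OBSERVABLES).items():
        if chain is None:
            print(obs, "-> no known connection to a malicious node")
        else:
            print(obs, "->", " -> ".join(f"[{rel}] {node}" for rel, node in chain))
```

The hop budget matters in practice: a long chain through shared infrastructure is a weaker signal than a direct link, so the analyst tooling should surface the chain length rather than a bare verdict.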
SMART PROCUREMENT IN CURRENT BUSINESS ORGANIZATIONS:
BISWAJIT CHATTERJEE,
SR. MANAGER-CENTRAL IT PROCUREMENT, SREI GROUP.
AUTHOR’S BIO
Mr. Chatterjee is an experienced IT Procurement Professional with a demonstrated success history of working for more than 12 years in the banking and financial services industry.
In today’s business world, organizations face an array of challenges whose scope and complexity can make them intractable. One of the key issues that challenges business operations is driving the procurement operation with a “cost only” mind-set. Smart procurement, among many other things, asks the management of an organization to prioritize “value” based engagements with vendors and suppliers. This not only offers a sustainable business relationship to both parties in an engagement, it also offers supply diversity to the buying organization. One way of establishing a value-based engagement is to give small and medium-sized enterprises (SMEs) an equal opportunity to bid for contracts. This encourages these companies to be innovative and flexible in order to gain an advantage over the traditional “big names” in the supply domain, and in turn the sourcing organization reaps the benefit of better value propositions. This can be further achieved by taking a holistic approach to vendor management.
KEY ISSUE: VENDOR MANAGEMENT
It is needless to mention that vendor management is a key area of operation of the procurement organization. The vendor management discipline focuses on best practices for managing vendors in four key areas: (1) contracts, (2) performance, (3) relationships and (4) risk. It is no exaggeration to say that good vendor management can make or break the relationship between the vendor and the client. Successful vendor management prompts vendors to deliver products and services at the optimal level of quality and risk, at the required time and place, and at the best price. In most cases vendor management is left to a single individual who may be part of the procurement organization. In practice this approach can lead to a myopic perception of actual vendor performance.
In an ideal scenario vendor management should be done by a cross-functional team which includes the different service recipients and representation from the procurement function, to achieve a 360-degree perception of the vendor’s deliverables. This practice should be followed for the vendors/service providers who can be categorized as essential service providers for the organization.
VENDOR MANAGEMENT FOR CIOs
As CIOs are responsible for the overall efficient and effective use of third parties to deliver business outcomes, a few issues are crucial to address at the outset:
• They must recognize that IT’s commitment to the business is essential to ensuring that the use of external third-party vendors delivers solutions that bring favorable business outcomes. To achieve synergy in the approach to vendor management, they must reach out to their counterparts in other business functions like Marketing, Sales, HR and Operations across the organization.
• They must invest in vendor management skills using an evolving approach, as vendor management methods grow in sophistication. They also must clearly assign and define roles and responsibilities to address ownership and overlaps with other departments, such as procurement.
• They must regularly assess short- and long-term financial, operational and compliance risk in the vendor portfolio. This helps the organization avoid being blindsided by a vendor’s financial, business continuity and/or performance failures.
[Figure: the vendor management cycle (Strategize and Plan, Develop Governance, Execute, Measure and Improve) under Oversight and Accountability]
VENDOR MANAGEMENT: KEYS TO MAKING IT A SUCCESS
Strategize and Plan: It is critical to define the structure, roles/responsibilities and resources needed to put a formal vendor management discipline in place and drive the right behaviors (product or service elements) towards IT or business outcomes for all the collective third-party relationships.
Develop Governance: Establishing an optimal process for making decisions and assigning decision rights related to vendor management is another key issue. There needs to be agreement on the authority and flow of decision making. Also important is setting up and implementing a feedback mechanism.
Execute: Ensuring optimal management of the vendor contract life cycle and the commercial parts of the vendor relationship is a core component of the vendor management function. Other responsibilities include managing and improving vendor performance, and monitoring and mitigating vendor risks.
Measure and Improve: It is well understood that what cannot be measured cannot be improved. Using assessment and industry data to track vendor management operations and success is therefore one of the key aspects of vendor management.
PHISHING + RANSOMWARE = A MODERN DAY THREAT
ABHIRUP GUHA,
INFORMATION SECURITY CONSULTANT, ABP PVT. LTD. HEAD OF TRAINING AND PENETRATION TESTER, INFO SECURITY SOLUTION KOLKATA. ASSOCIATED CYBER FORENSIC TRAINER, CENTRAL DETECTIVE TRAINING SCHOOL.
Nowadays, like our security devices, attacks are also becoming hybrid, which means one attack never comes alone: it takes the help of another technique to hide itself from known security products. While we worry about the possibility of our latest cars and gadgets getting hacked, we cannot ignore the favorite attack vector of cyber criminals: email. As part of technological progression, we have shifted from the world of annoying spam emails to the even scarier world of targeted advanced threats. Attackers no longer want to collect a few bucks for every thousand users they can reach through email; they are after bigger fish now, i.e. ransomware. Phishing attacks have been with us for well over two decades, but it is only more recently that they have proven to be the most efficient means of launching a ransomware attack. The majority of ransomware attacks enter via email, luring employees to click on a link or execute a file. Ransomware is a form of malware that targets your critical data and systems for the purpose of extortion. Well-known ransomware such as CryptoLocker and Locky is used to find and lock valuable files on targeted machines. To regain access, victims have no choice other than forking over the ransom money or reinstalling the system, which results in loss of data if it was not backed up. Ransomware attacks target sensitive data that has financial value. For example, recently I saw an incident where a mail came containing a suspicious purchase order. Upon opening the purchase order “ZIP” file and extracting the HTML inside it in a sandbox, a phishing page greeted us. The “OPEN” button did not take us to any Google Drive document; instead it took us to “http://www.teklokso.com/udlaf7/”, which is a known phishing and malware distribution site. Upon analyzing the files and POST/GET packets I found multiple malware droppers being generated from the HTML file. While checking their internal structure, it was found that most of them have identification hash values the same as the latest variant of the Locky ransomware. So beware of these kinds of legitimate-looking mails, because all it takes is just a click to completely corrupt every bit of the digital data stored in your system or, even worse, to cripple your entire corporate network.
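The two checks the incident narrative describes, looking at where the links in an extracted HTML attachment really point and comparing the hashes of dropped files against known-bad values, can be scripted for sandbox triage. The following is an added example, not the author's tooling: the HTML lure, the blocked domain (a reserved example name) and the "known bad" hash list are all constructed for the demonstration, and a real deployment would feed the blocklist and hash set from the organization's threat-intelligence source.

```python
"""Triage a suspicious HTML attachment: extract links, hash dropped files (added example)."""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample lure in the style described in the article. Hostnames are
# reserved example names, not real sites.
SAMPLE_HTML = """<html><body>
<p>Purchase order PO-48812 is ready.</p>
<a href="http://lure.example.com/pay/open">OPEN</a>
<a href="https://drive.google.com/">Google Drive</a>
<form action="http://lure.example.com/post.php" method="post"><input name="pwd"></form>
</body></html>"""

# Constructed blocklist and known-bad hash set (placeholders, not real IoCs).
BLOCKED_DOMAINS = {"lure.example.com"}
KNOWN_BAD_SHA256 = {hashlib.sha256(b"MZ\x90\x00constructed-dropper").hexdigest()}


class LinkExtractor(HTMLParser):
    """Collect every URL found in href, action or src attributes."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "action", "src") and value:
                self.urls.append(value)


def extract_urls(html):
    parser = LinkExtractor()
    parser.feed(html)
    return parser.urls


def flagged_urls(html, blocklist=BLOCKED_DOMAINS):
    """URLs whose host is a blocked domain or a subdomain of one."""
    hits = []
    for url in extract_urls(html):
        host = (urlparse(url).hostname or "").lower()
        if any(host == bad or host.endswith("." + bad) for bad in blocklist):
            hits.append(url)
    return hits


def classify_dropped_files(files, known_bad=KNOWN_BAD_SHA256):
    """files: {name: bytes}. Returns {name: {'sha256': ..., 'known_bad': bool}}."""
    report = {}
    for name, data in files.items():
        digest = hashlib.sha256(data).hexdigest()
        report[name] = {"sha256": digest, "known_bad": digest in known_bad}
    return report


def triage_attachment(html, dropped_files):
    """Combine both checks into one verdict for the analyst."""
    urls = flagged_urls(html)
    files = classify_dropped_files(dropped_files)
    malicious = bool(urls) or any(f["known_bad"] for f in files.values())
    return {"verdict": "malicious" if malicious else "clean",
            "flagged_urls": urls, "files": files}


if __name__ == "__main__":
    # Constructed "dropped" files as a sandbox run might capture them.
    dropped = {"invoice.exe": b"MZ\x90\x00constructed-dropper", "readme.txt": b"hello"}
    print(triage_attachment(SAMPLE_HTML, dropped))
```

The link check catches the case in the story where the visible "OPEN" button and the real destination disagree; the hash check is only as good as the feed behind it, which is why the article's "latest variant" remark matters: a hash list lags new builds, so the two checks are complementary rather than redundant.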
HOW TO BE SAFE FROM RANSOMWARE ATTACK
• Don’t store important data only on your PC. Have at least 2 backups of your data: on an external hard drive and in the cloud (Dropbox/Google Drive/etc.).
• The operating system and software should always be up to date, including the latest security updates.
• For daily use, don’t use an administrator account on your computer. Use a guest account with limited privileges.
• Turn off macros in the Microsoft Office suite (Word, Excel, PowerPoint, etc.) if not required often.
• Adjust your browser’s security and privacy settings for increased protection.
• Never open spam emails or emails from unknown senders.
• Never download attachments from spam emails or suspicious emails.
• Use a reliable, paid antivirus product that includes an automatic update module and a real-time scanner.
• Consider a specialized tool for anti-ransomware protection.
LET’S MAKE WAY FOR DEVSECOPS
ADITYA KHULLAR,
AUTHOR’S BIO
With nearly nine years of experience in network and information security, Aditya Khullar holds a unique blend of visionary leadership and expertise to lead strategic planning, direct multi-functional operations, and restructure business models. Prior to his stint at Paytm, Khullar worked for various global firms and projects such as Aricent Technologies, HCL Infosystems, Bank of America and Interglobe Enterprises. In his present role, Khullar leads the technical aspects of the cyber security verticals in Paytm and its subsidiaries.
DevSecOps, or the blending of an enterprise’s application development and systems operations teams in collaboration with security, has become a trendy IT topic. The new operating model is often employed in conjunction with Agile software development methods and leverages the scalability of cloud computing, all in the interest of making companies nimbler and more competitive. Today CIOs/CISOs should revise DevOps to include a security module from the beginning. Investing in firewalls and perimeter defense isn’t bad per se, but with high-profile breaches due to exploits such as Heartbleed, POODLE, Bash etc. leaving organizations with black eyes, it’s clear that simply guarding the borders is not enough. By adding security to a DevOps program, CIOs/CISOs and their teams are forced to think about security in a more granular way: at the start of the software development process, rather than as an afterthought. DevSecOps can then be described as development, security and operations operating as a dynamic force to create solutions that are security-centric, with a focus on a secure infrastructure. Integrating security into DevOps to deliver “DevSecOps” requires changing mindsets, processes and technology. One must adhere to the collaborative, agile nature of DevOps to be seamless and transparent in the development process, making the “Sec” in DevSecOps silent. Below are the key prerequisites which organizations should inculcate to build on the DevSecOps model:
• Adapt the Security Testing Tools and Processes to the Developers, Not the Other Way Around.
• Quit Trying to Eliminate All Vulnerabilities During Development.
• Focus on Identifying and Removing the Known Zero-Day/Critical Vulnerabilities.
• Don’t Expect to Use Traditional DAST/SAST Without Changes.
• All Developers Should Be Trained on the Basics of Secure Coding.
• Adopt a Security Champion Model and Implement a Simple Security Requirements Gathering Tool.
• Eliminate the Use of Known Vulnerable Components at the Source.
• Secure and Apply Operational Discipline to Automation Scripts.
• Implement Strong Version Control on All Code and Components.
• Adopt an Immutable Infrastructure Mindset.
To start and build the DevSecOps model, one should be wary that with the rise of DevOps most security teams try to minimize risk by limiting the speed of change. Though minimizing risk is a valid goal, this method fails to address the requirements of extremely fast-moving, technology-dependent businesses. If security teams are going to be a core component of DevSecOps, they must impress upon development and operations that they can bring a series of tests and quality conditions to bear on production code pushes without slowing the process. If security parameters and metrics are incorporated into development and test qualifications, then the chance of security being involved in the DevOps processes will be much higher. Some of the challenges which may be encountered during implementation are:
1. DevOps tools and processes are great for staying innovative within tight release timelines, but the risks of slack security remain real, immediate and extremely costly. This puts DevOps outfits under pressure to implement stronger and smarter security measures.
2. While many security people have a good understanding of how to find application vulnerabilities and exploit them, they often don’t understand how software development teams work, especially in Agile/DevOps organizations. This leads to inefficiencies and a flawed program. Incorporating security people into the development lifecycle can be challenging.
One major challenge besides the above pointers is that until now security teams have been considered gatekeepers. They come into the picture at the end of a product lifecycle. Considering this, how can security teams align themselves with the developers, keeping in mind that the tools both teams use are different? The answer is pretty simple: security teams should always act as “facilitators” rather than being termed “gatekeepers/toll barriers”.
Information security architects must integrate security at multiple points into DevOps workflows in a collaborative way that is largely transparent to developers and preserves the teamwork, agility and speed of DevOps and agile development environments, delivering “DevSecOps.” The following steps can be used to align security seamlessly with DevOps:
• Security Controls Must Be Programmable and Automated Wherever Possible.
• Use IAM and Role-Based Access Control to Provide Separation of Duties.
• Implement a Simple Risk and Threat Model for All Applications.
• Scan Custom Code, Applications and APIs.
• Scan for OSS Issues in Development.
• Scan for Vulnerabilities and Correct Configuration in Development.
• Treat Scripts/Recipes/Templates/Layers as Sensitive Code.
• Measure System Integrity and Ensure Correct Configuration at Load.
• Use Whitelisting on Production Systems, Including Container-Based Implementations.
• If Containers Are Used, Acknowledge and Address the Security Limitations.
Though DevSecOps is getting more popular by the day, there are certain projects which aren’t suitable for it. The following conditions can make DevSecOps (the Agile method) unnecessary for an application/project:
• Initiation and planning are quick and inexpensive relative to implementation, and yield an accurate, stable solution definition and plan.
• The cost and timeline to implement the plan are clearly known and predictable.
• The cost and timeline are well within any limits or constraints.
Some of the tools which can be utilized to streamline the framework are WAZUH (OSSEC), ELK and VERACODE, etc. In the end, I should like to conclude by saying that DevSecOps is a must-have in enterprise app development and strategic for everyone in software. Organizations everywhere are now transforming their development from waterfall-native to DevOps-native tools and processes, which means aggressively moving to Agile and DevOps practices to speed delivery of new applications.
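Two of the items above, "Eliminate the Use of Known Vulnerable Components at the Source" and "Scan for OSS Issues in Development", come down to the same automated gate in the pipeline: refuse a build whose pinned dependencies fall below a known fixed version. The following is an added example, not code from the article or from any of the tools it names: the lockfile contents and the advisory feed (with placeholder advisory IDs and fixed-in versions chosen for illustration) are constructed, and a real CI job would pull the advisories from a vulnerability database.

```python
"""CI dependency gate: block known vulnerable components at the source (added example)."""
import re

# Constructed pinned dependency list in requirements.txt style. Versions are
# chosen for the demonstration, not taken from any real project.
LOCKFILE = """\
# constructed sample lockfile
requests==2.19.1
flask==1.0.2
pyyaml==3.12
urllib3==1.24.2
"""

# Constructed advisory feed: package -> [(fixed_in_version, advisory_id)].
# A pinned version is vulnerable when it is strictly below fixed_in.
ADVISORIES = {
    "requests": [("2.20.0", "ADV-PLACEHOLDER-001")],
    "pyyaml": [("5.1", "ADV-PLACEHOLDER-002")],
    "urllib3": [("1.24.2", "ADV-PLACEHOLDER-003")],
}


def parse_version(version):
    """'1.24.2' -> (1, 24, 2): compare numerically, not as strings ('1.9' < '1.10')."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def parse_lockfile(text):
    """Return {package: version}. Unpinned lines are rejected: an exact pin is the
    whole point of a reproducible, auditable build."""
    deps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = re.match(r"([A-Za-z0-9_.-]+)==([0-9][0-9A-Za-z.]*)$", line)
        if not match:
            raise ValueError(f"unpinned or malformed requirement: {line}")
        deps[match.group(1).lower()] = match.group(2)
    return deps


def find_vulnerable(deps, advisories=ADVISORIES):
    """List (package, pinned, fixed_in, advisory_id) for every affected pin."""
    findings = []
    for package, pinned in deps.items():
        for fixed_in, advisory_id in advisories.get(package, []):
            if parse_version(pinned) < parse_version(fixed_in):
                findings.append((package, pinned, fixed_in, advisory_id))
    return sorted(findings)


def gate(lockfile_text):
    """(passed, findings); a CI step would exit non-zero when passed is False."""
    findings = find_vulnerable(parse_lockfile(lockfile_text))
    return (len(findings) == 0, findings)


if __name__ == "__main__":
    passed, findings = gate(LOCKFILE)
    for package, pinned, fixed_in, advisory_id in findings:
        print(f"{package}=={pinned} is below {fixed_in} ({advisory_id})")
    raise SystemExit(0 if passed else 1)
```

Note that urllib3 is pinned exactly at its fixed-in version and so passes; the comparison is strict, which is the usual convention for "fixed in" data.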
ROUTING SECURITY WITH FILTERING IS THE MOST IMPORTANT AND SENSITIVE FACTOR IN AVOIDING CYBER CRIME OR FRAUD
ARIJIT DASGUPTA
IT HEAD, RUPA & CO. LTD.
Now every day passes with incidents damaging the routing system. Route hijacking, route leaks and IP/MAC address spoofing, together with various destructive activities, lead to DDoS attacks, traffic interception, reputational damage and more. These events are executed on a global scale, with routing issues at one operator’s end cascading and impacting others.
• Network operators should define proper routing policies and implement a system that ensures the correctness of their own announcements, and of the announcements from their customers (Internet users) to adjacent networks, with prefix and AS-path granularity.
• Network operators should apply due diligence when checking the correctness of a customer’s announcements, specifically that the customer legitimately holds the ASN and the address space it announces.
Most essential is securing and ensuring the authenticity of inbound routing advertisements, particularly from customer networks, through the use of explicit prefix-level filters or equivalent mechanisms. Secondarily, AS-path filters might be used to require that the customer network be explicit about which Autonomous Systems (ASes) are downstream of that customer. Alternatively, AS-path filters that block announcements by customers of ASes with which the provider has a settlement-free relationship can prevent some types of route leaks and hijacks. Use Internet Routing Registries (IRRs) to enable customers to register routing objects. Maintain Resource Public Key Infrastructure (RPKI) so that customers can create Route Origin Authorizations (ROAs).
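The explicit prefix-level filter and the RPKI/ROA check described above can be combined into a single decision for each inbound announcement. The following is an added example, not part of the article or of any router vendor's implementation: it implements route origin validation as specified in RFC 6811 (a ROA "covers" an announced prefix; the announcement is valid when a covering ROA matches the origin AS and the prefix length does not exceed the ROA's maximum length, invalid when covering ROAs exist but none match, and not-found otherwise) over a constructed ROA set and a constructed customer prefix list. The prefixes are documentation ranges and the AS numbers are from the private range; none of them are real registry data.

```python
"""Route origin validation (RFC 6811) plus a customer prefix filter (added example)."""
import ipaddress

# Constructed ROAs: (prefix, max_length, origin_asn). Documentation prefixes and
# private AS numbers only; not real RPKI data.
ROAS = [
    ("203.0.113.0/24", 24, 64500),
    ("198.51.100.0/24", 26, 64501),
    ("2001:db8::/32", 48, 64500),
]


def covering_roas(prefix, roas=ROAS):
    """ROAs whose prefix covers the announced prefix (same address family)."""
    net = ipaddress.ip_network(prefix, strict=True)
    covering = []
    for roa_prefix, max_len, asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix, strict=True)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append((roa_net, max_len, asn))
    return covering


def rov(prefix, origin_asn, roas=ROAS):
    """RFC 6811 validation state for one announcement: 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(prefix, strict=True)
    covering = covering_roas(prefix, roas)
    if not covering:
        return "not-found"
    for _roa_net, max_len, asn in covering:
        # Both the origin AS and the maxLength must match for a 'valid' result;
        # a more specific announcement than the ROA allows is a classic hijack shape.
        if asn == origin_asn and net.prefixlen <= max_len:
            return "valid"
    return "invalid"


def build_prefix_filter(customer_prefixes):
    """Explicit prefix-level filter: accept only prefixes inside the customer's
    registered address space (as an IRR route object or contract would list it)."""
    nets = [ipaddress.ip_network(p, strict=True) for p in customer_prefixes]

    def accept(prefix):
        net = ipaddress.ip_network(prefix, strict=True)
        return any(net.version == n.version and net.subnet_of(n) for n in nets)

    return accept


def evaluate_announcement(prefix, origin_asn, customer_prefixes, roas=ROAS):
    """Apply the prefix filter first, then ROV. Returns (decision, reason)."""
    if not build_prefix_filter(customer_prefixes)(prefix):
        return ("reject", "prefix not in customer prefix filter")
    state = rov(prefix, origin_asn, roas)
    if state == "invalid":
        return ("reject", "RPKI invalid")
    return ("accept", f"RPKI {state}")


if __name__ == "__main__":
    customer = ["203.0.113.0/24"]
    for announced, asn in [("203.0.113.0/24", 64500), ("203.0.113.0/25", 64500),
                           ("192.0.2.0/24", 64500)]:
        print(announced, asn, evaluate_announcement(announced, asn, customer))
```

The policy choice that matters operationally is what to do with "not-found": most operators accept it (ROA coverage is still incomplete) and reject only "invalid", which is what the example does.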
AUTHOR’S BIO
Heading Information Technology at Rupa & Company Limited for the last 5-plus years. Practicing digital transformation and emerging technology for more than 12 of the 25 years of his professional career. Creating a business-friendly IT environment is always a challenge when IT drives the business instead of being driven by it. Establishing an IT environment in the organization with ample flexibility to cope with frequent business process re-engineering and transformation is the only key area of strategic business growth, and it can be achieved by a well-defined IT strategy and roadmap. Working with market leaders, creating excellence in the organization through strong processes of SAP implementation. Always adopting the newest art of team building, delivery, innovative IT operations, leadership and project management, digital transformation, and advanced SAP technology. Has efficiently delivered a couple of improvements along with technological transformation, such as the introduction of a private cloud and the adoption of new technologies: SAP HANA, SuSE, and virtualization with VMware products such as vSphere, vCenter, vCorp, etc. Has gained one end-to-end SAP HANA migration experience.
CLOUD SECURITY – CHALLENGES AND CONTROLS!
Cloud computing is the delivery of computing services (servers, storage, databases, networking, software, analytics and more) over the Internet (“the cloud”). Companies offering these computing services are called cloud providers and typically charge for cloud computing services based on usage, similar to how you are billed for water or electricity at home. Cloud computing security is the set of control-based technologies and policies designed to adhere to regulatory compliance rules and to protect the information, data, applications and infrastructure associated with the use of cloud computing.
WHY IS CLOUD SECURITY A CONCERN?
RAVINDER ARORA
HEAD INFORMATION SECURITY – IRIS SOFTWARE
Because of the cloud’s very nature as a shared resource, identity management, privacy and access control are of particular concern. With more organizations using cloud computing and associated cloud providers for data operations, proper security in these and other potentially vulnerable areas has become a priority for organizations contracting with a cloud computing provider. The cloud is a boon to new-generation technology. But if it fails to ensure proper security protection, cloud services could ultimately result in higher cost and potential loss of business, eliminating all the potential benefits of cloud technology. So the aim of cloud security and its researchers is to help enterprise information technology and decision makers analyze the security implications of cloud computing for their business. When a customer moves toward cloud computing, they must have a clear understanding of the potential security risks associated with it. The growth and implementation of the cloud in many organizations has opened a whole new set of issues in account hijacking. Attackers now have the ability to use your (or your employees’) login information to remotely access sensitive data stored in the cloud; additionally, attackers can falsify and manipulate information through hijacked credentials. Other methods of hijacking include scripting bugs and reused passwords, which allow attackers to steal credentials easily and often without detection. In April 2010 Amazon faced a cross-site scripting bug that targeted customer credentials as well. Phishing, keylogging and buffer overflows all present similar threats. However, the most notable new threat, known as the Man in the Cloud attack, involves the theft of the user tokens which cloud platforms use to verify individual devices without requiring logins during each update and sync.
AUTHOR’S BIO
Winner of TOP100 CISO, Innovative CIO and Info-Sec Maestros awards. Head Information Security, speaker, trainer. Birthday: 28th June. Work experience: 15 years. Past employment: Account Security Officer, HP; Information Security Specialist, GENPACT. Technology expertise: application development, business intelligence, disaster recovery and business continuity, datacenter management, IT operations management, IT asset and infrastructure management, IT compliance and risk management. Business and management expertise: project and program management, training and education, vendor management, budgeting and financial management, risk and compliance management. Favorite book: Who Moved My Cheese by Spencer Johnson. Management mantra: leaders don’t create followers, they create more leaders. Contribution to the Indian IT industry: member of the Data Security Council of India (DSCI is a focal body on data protection in India, set up as an independent self-regulatory organization); member of the National Skill Development Mission (approved by the Union Cabinet on 01.07.2015 and officially launched by the Hon’ble Prime Minister on 15.07.2015 on the occasion of World Youth Skills Day; the Mission has been developed to create convergence across sectors and States in terms of skill training activities).
Awards and recognition:
• Best CISO 100 Award in the years 2014, 2015, 2016 and 2017 from CISO Platform
• INFOSEC MAESTRO Award by Dr. Sanjay Bahl (CERT India Director) in 2017 and 2018
• Innovative CIO award, 2017
How to secure data in cloud!
BACKUP DATA LOCALLY One of the most important things to consider while managing data is to ensure that you have backups for your data. It is always good to have electronic copies of your data so you can continue accessing them even if the original gets lost or corrupted. You can either choose to back them up in some other cloud storage or manually back up in an external storage device. To be on the safer side, it would be great if you could do both since the latter will come in handy in times of poor or no internet connectivity.
AVOID STORING SENSITIVE INFORMATION Let’s be honest. There is no such thing as actual privacy on the internet, and the rise in the number of identity thefts is standing proof of it. So it is always advisable to avoid storing information such as passwords, credit/debit card details etc. on the cloud. Sensitive information could also be intellectual property such as patents and copyrights. Even if we take every possible precaution to protect it, this kind of information can somehow land in another individual’s or company’s data management system, which in turn can lead to potential data leakage.
USE CLOUD SERVICES THAT ENCRYPT DATA To enjoy better privacy, always look for cloud storage services that offer local encryption for your data. This provides double security as the files will have to be decrypted to gain access. This method protects your data even from service providers and administrators. Taking a few preventive measures like this around data encryption can make your most sensitive information tightly secure.
ENCRYPT YOUR DATA Before you upload your files onto the cloud, it is always beneficial to encrypt your data, even if the cloud storage automatically encrypts them. There are many third-party encryption tools that will apply passwords and encryption to files once you are done editing them so that they are encrypted before uploading.
INSTALL ANTI-VIRUS SOFTWARE All the above security measures could be taken to secure your data, but sometimes the problem is not cloud security but the system you have logged in from. Hackers can easily access your account if there is no proper protection in place for your system. In such cases you are exposing yourself to viruses that provide penetration points.
MAKE PASSWORDS STRONGER This might be something you have heard over and over again. But still, it is very important to use stronger passwords to prevent your files from being hacked. Apart from creating a strong and unique password, it is also important to change them frequently and never share them with anyone. Most login pages these days have additional identification questions to confirm the authorized user.
CYBER SECURITY, ALPHABET SOUP AND HYPE: MUSINGS OF A CURIOUS NON-EXPERT
THE RATIONALE OF THE ARTICLE
PRITAM BHATTACHARYA,
CHIEF COMMUNICATION OFFICER OF INFOSEC FOUNDATION AND CHAIRMAN, FREELANCE FOUNDATION.
We can easily agree to the fact that most of us are not experts in cyber security, but we also understand that cyber security affects us. So, we are in a very strange position: we are not experts in an area and most of us don’t want to be, but we are bombarded every day with the information that you may not be interested in cyber security or in becoming an expert, but “experts” in the area in the form of mala-fide hackers are interested in you: your data, your bank account, your ATM PIN etc. I was thinking that we have been living with electricity for some hundred years, and a live electric wire or carelessness can be fatal. How did we live with this new invention that touched our lives and most of our devices? The answer: by following certain basic rules. One of the most effective rules was: do not ever handle a live wire. Or do not handle a wire which is directly connected to a power source. I would like to argue that we can handle cyber security issues, from the stand-point of an end-user, by following the same kind of rules as we have been doing for electricity. Nothing more, nothing less.
DO I NEED TO UNDERSTAND ALL THE ALPHABET SOUPS?
As an end-user, I do not think you need to. Most of the things on which our life depends are not “understood by us at expert level”. Take language: most of us will not claim that we are great authors or masters of language, but we do pretty well with it, i.e. communicating and even learning how to in new situations. Take driving: one can drive all through one’s life without understanding at an expert level how a car works. It appears that soon we need not “do” the driving at all, as driverless cars are on the horizon. But we do wonderfully well by agreeing on certain basic rules, and it has worked wonderfully well. In every area of your life you look at, you will find one wonderful feature: the basic and functional work does not need you to be an expert. A final one: no parents ever learnt genetic engineering to create a baby. Had this been so, there would have been no life on the planet. To conclude: do not be afraid of these alphabet soups. As an end-user, these are “expert-speak” and the experts have a vested interest in speaking this way. Follow certain basic rules and you will be fine.
The Internet as we know it grew up as a “stupid network”. It was a stupid network because its predecessor, the circuit-switched network for telephones, was immaculately planned from point (A) to point (B). Every nation state was conscious of its national security and the design incorporated that philosophy. Hence the design itself provided most of the security of the network. The Internet was built on a design philosophy where a node knew little about its immediate vicinity, nor was it designed with security as one of the major objectives. This enabled the Internet to grow faster, scale quicker, and remain device-independent and borderless. Some price must be paid in some way or other for any design philosophy: security was the trade-off, and it remained so. This is now manifesting in the form of a crisis. Experts have less incentive to emphasize this, as otherwise most of the “offerings” can also be considered patch-work. It is building “walled gardens” in open and boundless steppes. Now most of the protection solutions can only strengthen the walls, but the steppes remain. Hence there will always be a chance of the walls being breached, or of people inside the garden telling outsiders in the steppes about some vulnerabilities of the wall. This is the “insider threat”.
Previously, the inhabitants of the walled gardens had to face human actors from the steppes trying to breach the walls. However, a new entity has arrived in the steppes, launched by the same humans: smart machines. These are the AI and MT abbreviations you hear. Those inside the walled garden also deployed these machines and the fight continued. One interesting thing in this development is that fear sells more than normalcy, and companies are trying to bring products and services to the market faster than their competitors, and what is better than to give the new release a mystical-chant-like feel.
HYPE
The closest understanding of “hype” in this context is the same effect as the “mystical chant”. This is a legal and permissible way of making one accept something in spite of significant cognitive dissonance. We are vulnerable to hype. This is no ordinary thing. When we have exposure to something repetitive, our brain finds pleasure in being in a zone of “comfort” and releases chemicals, so we are told, and we feel a pleasing sensation. The same research says that the same thing happens when we get Facebook likes. Let us look at this from the angle of someone who wants to sell something. If that brain-chemical-release theory is correct (be critical of all theories till the last moment of your life), then the best way to make your product or service sell is to repeat it 360 degrees to the prospect and his/her peers. The man must see the same ad on his mobile, on the billboard, in the newspaper, in the mall, in the driving-direction ad, on the home controller device, everywhere, and so will his peers. Soon, in spite of all the irritation, a familiarity will set in and the brain will be programmed to like it, or accept it, even if in fact it does not connect with you or you do not need to buy it or even think of it.
CONCLUSION
Here are 7 points which I think summarize the essence of what I am trying to communicate:
• As an end-user, you need to follow some basic rules, just like you do for electricity and driving, and you will be fine. No problem.
• The great fear-mongering and doomsday prophets have subtle to gross vested interests.
• Hype is not a natural thing: it is designed, deployed, manipulated and controlled. Some music suddenly becoming popular and blazing from everywhere (even though it did not sound great to you at the first listening) is an example of “hype” and of how the music industry sells music nowadays.
• You need not be an expert to remain safe. You just have to have common sense. Human nature is the most unchangeable thing in all the sea of change.
• Try to see all doomsday stories in proper perspective and scale. These are designed to create a sense of fear and then suspend your skepticism and critical inquiry.
• Be aware but, more important, be sufficiently critical.
• Just as man is mortal, with the design architecture of our present Internet and human nature operating, cyber security is needed; as for an individual like you, see No. 1.
BRAINJACKING – A NEW CYBER SECURITY THREAT
KINJAL KANTI GHOSH
AUTHOR’S BIO
Kinjal Kanti Ghosh has worked in the IT and ITeS industry for the last 20 years, especially in the e-governance sector, after completing higher studies in Economics, and in this long career has worked with esteemed organisations such as IIT Kharagpur and CDAC. The author has designed many e-governance projects with different state governments, working mainly across the spectrum of data mining, design optimisation and security, and has contributed to projects such as the AFC/PC system of Kolkata Metro Rail, the billing system of the Power Department, Government of West Bengal, the Land Records Departments of Bihar and West Bengal, and the database management system of the steel industry of the Government of India.
We live in an interconnected age where wirelessly controlled computing devices make almost every aspect of our lives easier, but they also make us vulnerable to cyber-security attacks. Today, nearly everything can be hacked, from cars to lightbulbs. But perhaps the most concerning threat is the one posed by implanted medical devices. Researchers have demonstrated how easily the security of pacemakers and insulin pumps can be breached, with potentially lethal consequences. In a recent paper that I and several of my colleagues at Oxford Functional Neurosurgery wrote, we discussed a new frontier of security threat: brain implants. Unauthorised control of brain implants, or “brainjacking”, has been discussed in science fiction for decades, but with advances in implant technology it is now starting to become possible.
DEEP BRAIN STIMULATION
The most common type of brain implant is the deep brain stimulation (DBS) system. It consists of implanted electrodes positioned deep inside the brain, connected by wires running under the skin to an implanted stimulator that generates the signals. The stimulator consists of a battery, a small processor and a wireless communication antenna that allows doctors to program it. In essence, it functions much like a cardiac pacemaker, with the main distinction being that it directly interfaces with the brain. DBS is a fantastic tool for treating a wide range of disorders. It is most widely used to treat Parkinson’s disease, often with dramatic results, but it is also used to treat dystonia (muscle spasms), essential tremor and severe chronic pain. It is also being trialled for conditions such as depression and Tourette’s syndrome. Targeting different brain regions with different stimulation parameters gives neurosurgeons increasingly precise control over the human brain, allowing them to alleviate distressing symptoms. However, this precise control of the brain, coupled with the wireless control of stimulators, also gives malicious attackers an opportunity to go beyond the more straightforward harms that could come from controlling insulin pumps or cardiac implants, into a realm of deeply troubling attacks.
REMOTE CONTROL
Examples of possible attacks include altering stimulation settings so that patients with chronic pain suffer even greater pain than they would without stimulation, or inhibiting a Parkinson’s patient’s ability to move. A sophisticated attacker could potentially even induce behavioural changes such as hypersexuality or pathological gambling, or exert a limited form of control over the patient’s behaviour by stimulating parts of the brain involved in reward learning in order to reinforce certain actions. Although these attacks would be difficult to achieve, requiring a high level of technical competence and the ability to monitor the victim, a sufficiently determined attacker could manage it. There are proposed solutions for making implants more resistant to cyber-attacks, but the makers of these devices are in a difficult position when trying to implement security features. There is a trade-off between designing a system with perfect security and a system that is actually usable in the real world. Implants are heavily constrained by physical size and battery capacity, which makes many designs unfeasible. These devices must be easily accessible to medical staff in an emergency, meaning that some form of “back-door” control is almost a necessity. New and attractive features, such as controlling implants from a smartphone or over the internet, have to be balanced against the increased risk that such features bring. Brain implants are becoming more common. As they are approved for treating more diseases, become cheaper and gain more features, increasing numbers of patients will be implanted with them. This is a good thing overall, but just as a more complex and interconnected internet resulted in greater cyber-security risks, more advanced and widespread brain implants will pose tempting targets to criminals. Consider what a terrorist could do with access to a politician’s mind, or how coercive blackmail would become if someone could alter how you act and think. These are scenarios that are unlikely to remain purely in the realm of science fiction for much longer. It is important to note that there is no evidence to suggest that any of these implants has been subjected to such a cyber-attack in the real world, nor that patients who currently have them should be afraid. Still, this is an issue that device makers, regulators, scientists, engineers and clinicians all need to consider before it becomes a reality. The future of neurological implants is bright, but even a single high-profile incident could irreparably damage public confidence in the safety of these devices, so the risk of brainjacking should be taken seriously before it is too late. Courtesy: Oxford University
LIBSSH VULNERABILITY
Historically, Secure Shell (SSH, now at protocol version 2) has been preferred over Telnet because the session is encrypted. But attackers constantly probe common ports, SSH included, to get into servers and network devices. The libssh vulnerability is a classic example: an attacker can log in to a server or network device over SSH while bypassing authentication entirely. Sounds interesting and scary, right? Let us get into the technical aspects.
WHAT IS THE LIBSSH VULNERABILITY?
It is a critical authentication-bypass bug (CVE-2018-10933) in libssh, an open-source SSH library. The bug was introduced in libssh 0.6, released in 2014, and was fixed in versions 0.7.6 and 0.8.4 after Peter Winter-Smith of NCC Group reported it; the fix and advisory were published in October 2018. Because the flaw is in the library, any application or device that embeds a vulnerable libssh in server mode can be compromised. libssh clients are not affected, and OpenSSH and libssh2 are separate code bases that do not share the bug. In a normal SSH session the client sends SSH2_MSG_USERAUTH_REQUEST to the server carrying its credentials (for example a user name and password). Only after successful authentication does the server reply with SSH2_MSG_USERAUTH_SUCCESS, and the session is then open. In a vulnerable libssh server, the handler for SSH2_MSG_USERAUTH_SUCCESS, a message that only a server should ever send, was also active on the server side. An attacker’s client can therefore send SSH2_MSG_USERAUTH_SUCCESS itself, without ever supplying credentials, and the server marks the session as authenticated. The server is then wide open to the attacker.
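The exchange described above, reduced to a toy state machine so the bug is visible. This is an added illustration, not libssh source: it models the server’s userauth packet dispatch before and after the fix, with the message numbers from RFC 4252. The credential store, the session object and the “attacker” client are constructed for the example.

```python
"""Toy model of the libssh server-side authentication bypass (CVE-2018-10933).

Added illustration, not libssh code. The server's packet dispatch is reduced to a
small state machine: a vulnerable server also carries a handler for
SSH2_MSG_USERAUTH_SUCCESS, a message only a server should send, and that handler
marks the session authenticated when the message arrives from the client.
Message numbers are the real ones from RFC 4252; CREDENTIALS is a constructed store.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Msg(IntEnum):
    USERAUTH_REQUEST = 50   # client -> server
    USERAUTH_FAILURE = 51   # server -> client
    USERAUTH_SUCCESS = 52   # server -> client


class ProtocolError(Exception):
    """Raised when the peer sends a message that is not valid in its role."""


@dataclass
class Session:
    authenticated: bool = False
    sent: list = field(default_factory=list)   # messages the server sent back


CREDENTIALS = {"admin": "correct-horse-battery"}   # constructed sample store


def handle_userauth_request(session, payload):
    """The only userauth message a server should act on: verify and reply."""
    user, password = payload
    if CREDENTIALS.get(user) == password:
        session.authenticated = True
        session.sent.append(Msg.USERAUTH_SUCCESS)
    else:
        session.sent.append(Msg.USERAUTH_FAILURE)


def vulnerable_dispatch(session, msg_type, payload=None):
    """Pre-0.7.6 / pre-0.8.4 behaviour: one handler table serves both roles, so the
    client-side handler for USERAUTH_SUCCESS also runs inside the server."""
    if msg_type == Msg.USERAUTH_REQUEST:
        handle_userauth_request(session, payload)
    elif msg_type == Msg.USERAUTH_SUCCESS:
        session.authenticated = True          # BUG: the peer declares itself authenticated
    elif msg_type == Msg.USERAUTH_FAILURE:
        session.authenticated = False         # equally meaningless on the server side
    else:
        raise ProtocolError(f"unexpected message {msg_type!r}")


def patched_dispatch(session, msg_type, payload=None):
    """Fixed behaviour: during authentication a server accepts USERAUTH_REQUEST only;
    any other userauth message from the peer is a protocol violation."""
    if msg_type == Msg.USERAUTH_REQUEST:
        handle_userauth_request(session, payload)
    else:
        raise ProtocolError(f"server received {msg_type!r}, which only a server may send")


def attacker_bypass(dispatch):
    """A client that never sends credentials: it sends USERAUTH_SUCCESS itself.
    Returns True if the server considers the session authenticated afterwards."""
    session = Session()
    try:
        dispatch(session, Msg.USERAUTH_SUCCESS)
    except ProtocolError:
        return False
    return session.authenticated


def legitimate_login(dispatch, user, password):
    """Normal flow: the client sends USERAUTH_REQUEST and the server decides."""
    session = Session()
    dispatch(session, Msg.USERAUTH_REQUEST, (user, password))
    return session.authenticated


if __name__ == "__main__":
    print("vulnerable server, no credentials:", attacker_bypass(vulnerable_dispatch))  # True
    print("patched server, no credentials:   ", attacker_bypass(patched_dispatch))     # False
```

The point of the model is the shape of the fix: the server does not gain a new check on the success message, it stops having a handler for it at all, because the message is simply not part of the server’s side of the protocol. The same review question (which messages is this role ever entitled to receive?) applies to any protocol implementation that shares a dispatch table between client and server.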
SUDIP SINHA,
TECHNICAL MANAGER, CHFI GLOBAL NETWORK SERVICES, LINDE GLOBAL
AUTHOR’S BIO
Professional experience: 19 years’ experience in IT network security infrastructure management. Working in a global MNC since 2006 on network architecture design, solution deployment, capacity management and network integration for mergers and acquisitions (M&A).
Professional qualifications: • ISO/IEC 27001:2013 Lead Auditor and Lead Implementer • CSA CCSK (Certificate of Cloud Security Knowledge) • BSI Certified Cloud Security STAR Auditor, GDPR Lead Implementer • EC-Council CEH, CHFI, ECSA/LPT, Disaster Recovery Professional • Cisco Certified Routing and Switching Specialist, IPT and Security Solution Specialist • Software Engineering from Ramakrishna Mission Shilpamandira, Belur Math.
Educational qualifications: • PhD in Management (in progress) from Seacom Skills University • Doctorate in Management Studies with IT specialisation from ISBM • Master in Telecom Management from ICFAI • Master in Computer Application from IGNOU • B.Sc. from the University of Calcutta.
Membership: • IEEE • ISTD, Kolkata. Hobbies: photography; practising NLP (Neuro-Linguistic Programming) for performance enhancement. Skills: • Routing and switching • Remote access and AAA • DNS, IPAM • Network readiness analysis • Project management • DR and BCM • Provider management • CX enhancement • Security hardening
WHAT CAN BE IMPACTED?
Any public-facing server or network security device that runs a vulnerable libssh in server mode can be affected, and so can the wide span of IoT devices and cloud servers that embed it. Research to identify the affected products and services is ongoing. Network security devices that are reachable only from the intranet are not safe either: they are exposed to insider attack, and an attacker who bypasses authentication can read or change the device’s configuration.
Further Reading: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181019-libssh
HOW TO CHECK THE VERSION OF THE SSH LIBRARY?
Running nmap with the -sV (service and version detection) switch against the SSH port shows the server’s version banner, and libssh-based servers normally identify the library and its version there. Bear in mind that appliances and applications often embed SSH on a port other than TCP/22, and that some products do not expose the library name at all; in those cases refer to the product documentation and the vendor’s advisory rather than the banner. A banner is also only indicative, since a vendor may backport the fix without changing the version it reports.
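A small triage helper for the banner check, added here and not part of the original article. It parses the same identification string that `nmap -sV -p 22 <host>` reports and places the version against the affected ranges. The banner layout (`SSH-2.0-libssh_0.7.4`, with an underscore or a hyphen before the version) is an assumption about how libssh-based servers identify themselves; the banners in the `__main__` block are constructed, not captured from real hosts, and `grab_banner` needs network access.

```python
"""Banner-based libssh version triage for the authentication bypass.

Added helper, not from the article. Affected ranges: the bug was introduced in
libssh 0.6 and fixed in 0.7.6 and 0.8.4. The banner format is an assumption;
products that hide the library name come back as 'unknown', and only the vendor
advisory can settle those.
"""
import re
import socket

BANNER_RE = re.compile(r"^SSH-2\.0-libssh[_-](\d+)\.(\d+)\.(\d+)")

# [first affected, first fixed) per release line.
AFFECTED_RANGES = [((0, 6, 0), (0, 7, 6)), ((0, 8, 0), (0, 8, 4))]


def parse_libssh_version(banner):
    """Return (major, minor, patch) from a libssh server banner, or None if the
    server is not visibly libssh-based."""
    m = BANNER_RE.match(banner.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def is_affected(version):
    """True when a libssh version lies inside an unfixed range."""
    return any(start <= version < fix for start, fix in AFFECTED_RANGES)


def triage(banner):
    """Map a banner to 'affected', 'not affected' or 'unknown'."""
    version = parse_libssh_version(banner)
    if version is None:
        return "unknown"
    return "affected" if is_affected(version) else "not affected"


def grab_banner(host, port=22, timeout=5.0):
    """Read the SSH identification line from a live server (needs network access).
    RFC 4253 lets either side send its line first and allows extra lines before
    the server's 'SSH-' line, so send ours and skip anything that is not it."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"SSH-2.0-banner_probe\r\n")
        stream = sock.makefile("rb")
        for _ in range(20):
            raw = stream.readline(255)
            if not raw:
                return ""
            line = raw.decode("ascii", "replace").strip()
            if line.startswith("SSH-"):
                return line
    return ""


if __name__ == "__main__":
    # Constructed banners, not captured from real hosts.
    for banner in ["SSH-2.0-libssh_0.7.4", "SSH-2.0-libssh-0.8.4", "SSH-2.0-OpenSSH_7.4"]:
        print(f"{banner:26} -> {triage(banner)}")
```

Use the result to prioritise, not to close the finding: an “unknown” from an appliance on a non-standard port is the case where the product documentation and the vendor advisory have to be checked, and a version in range may already carry a vendor backport.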
FURTHER INVESTIGATION:
Vendors such as Cisco, F5 and Red Hat are investigating which of their product lines are affected by the libssh authentication-bypass vulnerability. Further advisories with fixes will follow.
VULNERABILITY MITIGATION:
Once advisory directives are available, IT teams should mitigate the vulnerability immediately by applying the vendor patch (libssh 0.7.6 or 0.8.4, or the vendor’s backport) wherever applicable, since the weakness is critical. In the interim, SSH access to affected devices should be restricted to management networks and known administrator addresses through access control lists, firewall rule sets and similar controls, which narrows the threat landscape for both external and insider attack. Restricting access reduces exposure but does not remove the bug, so the patch still has to be applied.
SENSITIVE DATA PROTECTION USING ADVANCED MASKING TECHNOLOGY
REETWIKA BANERJEE
(MBA IN CYBER SECURITY, CLOUD SECURITY AUDITOR, ISO 31000 RISK ASSESSOR, ISO 27001 LI, PIMS WITH GDPR LI, PCI DSS LI)
AUTHOR’S BIO
Reetwika Banerjee is a professional cyber security advocate, presently associated with a North American media giant as their enterprise data privacy consultant. She is also an internationally awarded author. Her latest book ‘Cyber Security at your Fingertips’ was released worldwide in August 2018. You may write to Reetwika at: reetwikab@gmail.com.
INTRODUCTION
Data masking is the method of anonymising sensitive data by creating a realistic-looking dummy of the real data that preserves its original format. Simply put, it is the process of creating a structurally similar but unidentifiable version of any sensitive data, to avert the risk of illegitimate access. The main purpose of data masking is to replace sensitive data with credibly similar fake data in cases where the real data is not required and the recipient does not need to know whether it is live or fake. The most common application areas include software testing, protection of personally identifiable information (PII), Payment Card Industry Data Security Standard (PCI DSS) compliance, Health Insurance Portability and Accountability Act (HIPAA) compliance, role-based access control (RBAC) solutions, research and development work, end-user training and education, and so on.
MYTHS ABOUT DATA MASKING
There are some very common myths about data masking which must be clarified before we get into the details of this upcoming technology.
• “Data masking and data obfuscation are different.” No; they are essentially one and the same, just alternative commercial terms used by different solution providers.
• “Once masked, the cooked data can be reverted to the original values.” Data masking is strictly a one-way process. Once masked, data cannot be reverted to its original form, and that is what differentiates it from data encryption.
• “Data masking and data encryption are the same and can be used interchangeably.” Obviously not. They are entirely different technologies with different prerequisites. There is no analogue of key management in data masking, since it is a one-way process. Also, unlike cipher text, the masked output preserves the original format of the source data. And two different inputs may mask to the same output, which can never happen with encryption.
DATA MASKING PROCESS OVERVIEW
Sensitive Data Discovery: Sensitive data may reside in different forms scattered across the environment, so data masking starts with identifying this sensitive information and its locations across the whole ecosystem, which is technically termed data discovery. Various tools on the market can be integrated with masking solutions; some even come with a bundled discovery offering alongside the masking tool.
Configure Masking Routines: The next step is to configure the complexity of the masking routines based on the sensitivity of the identified data. Generally, masking solutions offer three types of routine to choose from: light masking (for bug fixing), medium masking (for internal development and test databases) and thorough masking (for cloud-hosted or outsourced databases).
Define Masking Algorithms: Once the masking complexity is finalised, the next step is to define the masking algorithms based on the type and format of the identified data. One can choose from an array of default algorithms or customise them as needed. Some common masking algorithms are:
• Substitution: used mostly for ‘First Name’ and ‘Last Name’ types of data, where a name is replaced by another, similar dummy name. Example: ‘Reetwika’ is substituted by ‘Sunamika’.
• Shuffling: typically selected for ‘City’, ‘Designation’ and similar secondary information, where the attributes are juggled randomly among all the values present in the same column. Example: all instances of ‘Reetwika’ and ‘Sunamika’ are interchanged.
• Variance: generally used to mask specific numerical values such as ‘Date of Birth’ or ‘Employee ID’ by applying a mathematical variance formula. Example: 01-01-1990 comes out as 11-03-1995, where all three DD-MM-YYYY components have been modified using a simple incremental rule.
• Null (masking out): most frequently used to protect payment card information such as ‘Credit Card No’ or ‘Bank Account No’, where specific characters are replaced by X or 0, hence the name. Example: the masked output of ‘1234-5678-9012-3456’ looks like ‘1234-XXXX-XXXX-3456’.
• Truncation: part of the input is removed to protect the sensitive portion. It is typically used for values such as ‘Salary’ or ‘Mobile No’. Example: ‘9087654321’ is truncated to ‘90876’ in the output.
• Replacement: used for masking values such as ‘Salary Currency’ or symbols, where the original value is replaced with another character. Example: $ is replaced by £, α is replaced by β, and so on.
• Hashing (often marketed as “encryption”): a special routine in which a one-way hash function is applied to extremely sensitive information such as client invoices, tender quotes, estimates, trade secrets and accounting books. Despite the label, the output gives the recipient no way back to the original value, so this is masking rather than encryption in the sense of the myths above.
Execute Masking Job and Publish Results: After configuring the masking routine and algorithms, the job definition stage is over. The only task left is to execute the program and publish the results. For first-time users, it is always good practice to validate the masking output for accuracy before going live. Three types of synchronisation must be verified:
• Column-level synchronisation: while masking a database column containing sensitive information, validate that all the values in column X are masked uniformly. For example, if the ‘First Name’ column is chosen, every row must be masked the same way.
• Table-level synchronisation: while masking a relational table containing heterogeneous sensitive information in different columns, validate that every change in column X is also reflected in the columns linked to X in the same table. For example, if ‘First Name’ is linked to ‘Employee Name’, any change in the former must be reflected in the latter.
• Table-to-table synchronisation: in a relational database with multiple schemas, all entities must be masked according to the relationships already established. For example, changes in tables X and Y must also be reflected in all the related tables across the schema.
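The algorithms listed above and the synchronisation checks that follow them, worked through in code. This is an added example, not the article’s or any vendor’s implementation: every routine makes its choice with a keyed hash (HMAC) rather than a random draw, which is what makes one input mask to the same output in every row and in every table of the same run, and that in turn is what the column-level and table-to-table checks rely on. `SECRET` is assumed to be held only by the masking job and never shipped with the masked data; the two sample tables, the dummy-name pool and the salt labels are constructed for the example.

```python
"""Deterministic masking routines and the synchronization checks that validate them.

Added example, not the article's or any vendor's code. Keyed (HMAC) choices stand
in for random ones so that one input always masks to the same output within a run:
that keeps a masked first name uniform across rows and keeps a masked employee id
resolving across tables. SECRET is assumed to live only with the masking job; the
sample tables and the dummy-name pool are constructed for the example.
"""
import hashlib
import hmac
from datetime import date, timedelta

SECRET = b"masking-job-secret-kept-out-of-the-target"      # assumption: never copied to the target
FAKE_FIRST_NAMES = ["Sunamika", "Arjun", "Priya", "Kabir", "Meera"]   # constructed dummy pool

EMPLOYEES = [   # constructed source rows
    {"emp_id": 1001, "first_name": "Reetwika", "city": "Kolkata",
     "dob": date(1990, 1, 1), "card": "1234-5678-9012-3456"},
    {"emp_id": 1002, "first_name": "Reetwika", "city": "Mumbai",
     "dob": date(1985, 6, 15), "card": "4111-1111-1111-1111"},
    {"emp_id": 1003, "first_name": "Sanjay", "city": "Delhi",
     "dob": date(1978, 3, 9), "card": "5500-0000-0000-0004"},
]
PAYROLL = [     # constructed; emp_id is a foreign key into EMPLOYEES
    {"emp_id": 1001, "salary": 9087654321, "currency": "$"},
    {"emp_id": 1003, "salary": 1200000, "currency": "$"},
]


def _keyed_int(value, salt, modulus):
    """Deterministic integer in [0, modulus) derived from SECRET, a salt and the value."""
    digest = hmac.new(SECRET, f"{salt}:{value}".encode(), hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big") % modulus


def substitute(name):
    """Substitution: swap a real first name for a dummy of the same kind."""
    return FAKE_FIRST_NAMES[_keyed_int(name, "first_name", len(FAKE_FIRST_NAMES))]


def shuffle_column(values):
    """Shuffling: keep the set of values, permute them across rows (a keyed sort is stable)."""
    return sorted(values, key=lambda v: _keyed_int(v, "shuffle", 2 ** 32))


def vary_date(d, max_days=730):
    """Variance: shift a date by a keyed, non-zero number of days; the format is unchanged."""
    return d + timedelta(days=1 + _keyed_int(d.isoformat(), "dob", max_days))


def null_out(card, keep_first=4, keep_last=4, fill="X"):
    """Null (masking out): keep leading and trailing digits, blank the rest, keep separators."""
    total = sum(ch.isdigit() for ch in card)
    out, seen = [], 0
    for ch in card:
        if ch.isdigit():
            seen += 1
            out.append(ch if seen <= keep_first or seen > total - keep_last else fill)
        else:
            out.append(ch)
    return "".join(out)


def truncate(value, keep=5):
    """Truncation: keep only the first `keep` characters."""
    return str(value)[:keep]


def replace_symbols(value, mapping):
    """Replacement: swap individual symbols such as currency signs."""
    return "".join(mapping.get(ch, ch) for ch in value)


def hash_value(value):
    """Keyed hash for highly sensitive text: no way back without SECRET, so masking, not encryption."""
    return hmac.new(SECRET, str(value).encode(), hashlib.sha256).hexdigest()[:16]


def mask_employee_id(emp_id):
    """Variance on a key column: a keyed offset into a fixed range keeps the six-digit shape."""
    return 100000 + _keyed_int(emp_id, "emp_id", 900000)


def mask_tables(employees, payroll):
    """Mask both tables with one shared key mapping so that foreign keys still resolve."""
    id_map = {r["emp_id"]: mask_employee_id(r["emp_id"]) for r in employees}
    if len(set(id_map.values())) != len(id_map):       # a key mapping must be one-to-one
        raise ValueError("masked key collision: widen the range or change the salt")
    cities = shuffle_column([r["city"] for r in employees])
    masked_employees = [
        {"emp_id": id_map[r["emp_id"]], "first_name": substitute(r["first_name"]),
         "city": city, "dob": vary_date(r["dob"]), "card": null_out(r["card"])}
        for r, city in zip(employees, cities)
    ]
    masked_payroll = [
        {"emp_id": id_map[r["emp_id"]], "salary": truncate(r["salary"]),
         "currency": replace_symbols(r["currency"], {"$": "£"})}
        for r in payroll
    ]
    return masked_employees, masked_payroll


def check_sync(employees, masked_employees, masked_payroll):
    """Column level: one input always gives one output and no source value survives.
    Table-to-table: every masked payroll emp_id still exists in the masked employee table."""
    outputs = {}
    for src, dst in zip(employees, masked_employees):
        outputs.setdefault(src["first_name"], set()).add(dst["first_name"])
    column_ok = all(len(v) == 1 for v in outputs.values())
    no_leak = all(dst["first_name"] != src["first_name"] and dst["dob"] != src["dob"]
                  and dst["card"] != src["card"] for src, dst in zip(employees, masked_employees))
    masked_ids = {r["emp_id"] for r in masked_employees}
    fk_ok = all(r["emp_id"] in masked_ids for r in masked_payroll)
    return column_ok and no_leak and fk_ok
```

Two caveats a practitioner would add. Shuffling keeps every real value in the column, so a shuffled city combined with other attributes can still re-identify a person; that is why the article reserves it for secondary information. And a deterministic mapping on a key column must be one-to-one, which is what the collision check in `mask_tables` enforces; the table-level case (a linked column such as ‘Employee Name’) is handled the same way, by deriving the linked column from the already-masked value rather than masking it independently.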
TYPES OF DATA MASKING
Depending on the user’s requirements, masking can be done in two different ways: in place (static data masking) or on the fly (dynamic data masking).
Static Data Masking (SDM): In this kind of masking a staging database is used in addition to the source (for example, production) database containing the sensitive information and the target (for example, test) database that will contain the masked output. The staging server is where the masking actually happens. A clone of the source database is first extracted and loaded onto the staging database, and the masking rules are applied there. The transformed (masked) output is then pushed into the target database. Depending on the total data volume, a masking job may take a considerable amount of time to complete. The below schematic explains the static masking process.
Dynamic Data Masking (DDM): No staging database is required in dynamic data masking. The masking rules are applied on the fly as sensitive data is transferred from the source (for example, production) database to the target (for example, test) database that receives the final masked output; this makes the process a little more complex but faster than static masking. Note that most vendors use the term DDM more narrowly, for masking applied at query time so that the stored data is never altered and different users can see differently masked views of the same rows; masking applied during the copy from source to target is often called on-the-fly masking. Either way, the sensitive data never lands unmasked in the target. The below schematic explains the dynamic masking process.
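The two data flows side by side, as an added example that is not from the article or any product. Static masking copies the rows to a staging database, rewrites them there and loads the result into the target, so the target holds masked data at rest; dynamic masking, in the usual product sense of query-time masking, stores nothing new and attaches the rule to the live connection through a view. SQLite in memory stands in for the three databases, and the `mask_card` rule and the customer rows are constructed for the demo.

```python
"""Static versus dynamic masking of the same source, using sqlite3 in memory.

Added example, not from the article or any product. SDM: production -> staging
(rules applied here) -> target, so the target stores masked data. DDM (query-time
sense): no copy; the rule is registered on the live connection and applied by a
view when rows are read, so the stored data is unchanged. Rows and the mask_card
rule are constructed for the demo.
"""
import sqlite3

PRODUCTION_ROWS = [("Reetwika", "1234-5678-9012-3456"),   # constructed
                   ("Sanjay", "4111-1111-1111-1111")]
SCHEMA = "CREATE TABLE customer (name TEXT, card TEXT)"


def mask_card(card):
    """Partial masking rule for this demo: keep the first and last four digits."""
    return card[:4] + "-XXXX-XXXX-" + card[-4:]


def build_source():
    """The 'production' database holding the real values."""
    src = sqlite3.connect(":memory:")
    src.execute(SCHEMA)
    src.executemany("INSERT INTO customer VALUES (?, ?)", PRODUCTION_ROWS)
    src.commit()
    return src


def static_mask(src):
    """SDM: clone to staging, run the rules there once, load the result into the target."""
    staging = sqlite3.connect(":memory:")
    staging.execute(SCHEMA)
    staging.executemany("INSERT INTO customer VALUES (?, ?)",
                        src.execute("SELECT name, card FROM customer"))
    staging.create_function("mask_card", 1, mask_card)
    # The rewrite happens in staging; the source is never touched.
    staging.execute("UPDATE customer SET name = 'user_' || rowid, card = mask_card(card)")
    target = sqlite3.connect(":memory:")
    target.execute(SCHEMA)
    target.executemany("INSERT INTO customer VALUES (?, ?)",
                       staging.execute("SELECT name, card FROM customer"))
    target.commit()
    staging.close()
    return target


def dynamic_mask(src):
    """DDM: no copy; the rule runs at query time through a view over the live table."""
    src.create_function("mask_card", 1, mask_card)
    src.execute("CREATE VIEW customer_masked AS "
                "SELECT 'user_' || rowid AS name, mask_card(card) AS card FROM customer")
    return src


def rows(conn, table):
    """Read a table or view back in a stable order."""
    return conn.execute(f"SELECT name, card FROM {table} ORDER BY name").fetchall()


if __name__ == "__main__":
    target = static_mask(build_source())
    print("SDM target:", rows(target, "customer"))
    live = dynamic_mask(build_source())
    print("DDM view:  ", rows(live, "customer_masked"))
    print("DDM table: ", rows(live, "customer"))
```

The operational difference is where the sensitive data still lives: after static masking the target can be handed to a test team with no access to production, whereas with query-time dynamic masking the real values remain in the table behind the view, so access to the base table itself has to be locked down separately.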
CONCLUSION
Most of the data masking solutions available in the market perform only static masking, except for a few market leaders such as IBM, Informatica and Oracle, which also offer dynamic masking either in the same bundle or as a separately licensed product. While masking technology has its own pros and cons compared with other contemporary data protection technologies, its distinctive features have undoubtedly opened new avenues of data privacy and protection for the world of cyber security. In the years to come, data masking will certainly find more applications, perhaps across a much wider spectrum than today.
THE DARK NET: EPICENTER OF ALL YOUR CYBER SECURITY THREATS.
UTPAL CHAKRABORTY
AUTHOR’S BIO
Utpal Chakraborty is an eminent data scientist and AI researcher with 21 years of experience, including work as a Principal Architect at L&T Infotech, IBM, Capgemini and other MNCs. He is currently Head of Artificial Intelligence at YES BANK. Utpal is a well-known speaker and writer on artificial intelligence, IoT, Agile and Lean, speaking at conferences around the world. His recent research on machine learning, titled “Layered Approximation for Deep Neural Networks”, has been appreciated at different conferences, institutions and universities. He has also demonstrated several out-of-the-box hybridised Agile and Lean implementations in different industries, which have been appreciated by the Agile and Lean communities worldwide.
Knowing the strengths of your enemy before facing it on the battlefield is always an advantage. It helps not only in framing your battle strategy but also in preparing for the damage it is going to do during the battle and the after-effects. Exactly the same applies when dealing with cyber security and cyber threats. In this age of cyber warfare, the key to victory is building a “creative defence strategy” with the latest defence mechanisms, using artificial intelligence and machine learning, rather than relying completely on conventional methods that have proved ineffective. Historically, cyber security has for some reason been ignored, or has never been able to take centre stage, in many enterprises, which honestly it should have. Many big and small enterprises, government and non-government agencies and even financial institutions have knowingly or unknowingly disregarded it at some point and have paid a huge cost, not only on the financial front but also in reputational losses, which in today’s business world are probably far more severe than any financial loss. Today, when your enterprise is connected head to toe to the external world through the internet and the heart, lungs and kidneys of your enterprise systems reside in the cloud, you should seriously consider cyber security as one of the prime focus areas for your enterprise. And even as an individual or an ordinary citizen, the time has come for all of us to understand the importance of cyber security and to be aware of where the threats primarily originate. Although cybercriminals can operate from any part of the world and can belong to any blacklisted or whitelisted country, you may be surprised to learn that many of the most devastating cyber-attacks of the past were well organised, well researched, well planned and well executed from a single epicentre. Astonishingly, the masterminds of many of those attacks operated from a strange world right next to you, called “The Dark Net”, which many of you are probably not even aware of. The “Dark Net”, sometimes referred to as the “Dark Web”, lies inside the “Deep Web”, the part of the internet that is not indexed by search engines such as Google, Bing or Yahoo, and it is reachable only through anonymising overlay networks (Tor being the best known) and the special browsers built for them. Let me take a step back and explain what the “Surface Web”, the “Deep Web” and the “Dark Web” are, for those readers who are scratching their heads. If you picture the entire internet as an iceberg, only the tip above the surface of the water, about 10% of the whole, is the “Surface Web”. Your search engine operates only within this tiny area, which is the part we ordinary people can access. The remaining 90% under the water is the “Deep Web”, which search engines cannot reach; it holds a humongous amount of data and information from government and non-government agencies, enterprises, the military, research agencies, academia and universities. A small portion of this Deep Web, arguably around 5%, right at the bottom of the iceberg, is the “Dark Web”, from which criminal masterminds (hackers, killers, mafias, drug dealers, terrorists and so on) operate. Many of these people, with an ideology and social orientation very different from the mainstream, call themselves “Crypto Anarchists”, a cyber-spatial realisation of anarchism. They safeguard the boundary of their dark world with a cryptographic wall as tight as any, one that your normal browser cannot penetrate. But apart from this technical boundary there is also a thick boundary of ideology and belief that separates the Crypto Anarchists from the rest of the mainstream world. The Dark Net is not just a different place on the internet; its foundation is a different ideology, a different thought process and the different personalities that operate in it. Although these anarchists are considered criminals by the governments of different countries, they do not consider themselves to be against humanity. They claim that “for the real growth of humanity there should always be tough competition between good and bad minds, and thus humanity can reach its real excellence”. They also believe privacy and anonymity are fundamental to humans because they allow free human action according to one’s own will. Human beings, in their view, are made to use their own brain and mind and make their own decisions. It could be
good or bad; they choose it and deal with their own consequences. These Crypto Anarchists strongly believe that if human minds have to develop under the pressure of strict regulations and guidelines, it will squeeze or suppress human ability, development and evolution. In short, “free human action” is what these anarchists advocate. But their definition of “free human action” is probably autocratic and does not hold good for a healthy society, a nation or the world as a whole. The idea of crypto anarchy was to run a parallel system, a parallel economy and a parallel world, in complete contrast to the mainstream world, with anonymity, absolute privacy and unrestricted human action, made up of like-minded, dark-minded individuals. But it soon turned into a big marketplace and operating ground for all types of criminal activity. The actual darker side of the Dark Net, the notoriety it is known for, is about as close to hell as it gets. Sorry for using such harsh words, but honestly I did not find anything better. It soon became the marketplace for all types of illegal arms and ammunition, illegal drugs and illegitimate items such as stolen credit cards, passports, visas, fake green cards and driving licences. It is characterised by hackers for hire, professional killers for hire and political activists for hire, and even extremists from different parts of the world operate from the Dark Net. But the most worrying fact is that it has become the playground for the most dangerous cyber criminals, which we should all be aware of from a cyber security and safety point of view. Cybercrime today is organised crime with a huge business outcome for the criminals, and probably the most terrifying threat to humanity in future after nuclear warfare. So knowing the threat and its probable magnitude, and assessing the security systems that are supposed to combat such threats, will always give you the upper hand.
DEMYSTIFYING CYBER WAR GAMES
JAYDEEP PALANA
AUTHOR’S BIO
Cyber security enthusiast with 15+ years of experience in strategising, implementing and managing cyber security for various verticals including retail, hospitality, manufacturing and supply chain. Specialises in security architecture, risk management, consulting and security reviews for hybrid cloud deployments, SaaS, e-commerce, B2B EDI, web services, API integrations, e-payments and more. Experienced in the design, architecture and management of information security operations, including perimeter security, SOC, application security and endpoint security for a large enterprise. Holds a Bachelor’s degree in Commerce from Calcutta University.
Nations want to ensure that their defence forces are trained and prepared to deal with combat situations; organisations want to ensure that their fire safety measures protect their people and assets in case of a fire. That is why nations and organisations spend so many resources on drills and simulations. A military war game or exercise is undertaken by a country, sometimes by two countries together, to ensure the readiness of forces in a simulated combat environment. It generally involves training for military operations and testing the effectiveness of combat strategies and tactics without actual combat, and it trains the forces in a war-like environment. “There’s no harm in hoping for the best as long as you’re prepared for the worst.” (Stephen King, Different Seasons) Cyber war games are conducted to ascertain the preparedness of an organisation’s security controls and responses when under attack. They also give team members practical training in incident detection and response techniques. Cyber war gaming is a very effective way to assess and enhance the overall security posture of an organisation, unlike stereotyped VA/PTs and compliance audits. Ideally, all key stakeholders (legal, HR, communications and so on) should be involved in cyber war gaming exercises. However, since cyber security is largely perceived to be the job of IT teams alone, I will touch only on the IT-related aspects of this topic. Technically, cyber war games involve two teams with totally different objectives, called the Red Team and the Blue Team. Cyber war gaming is often thought to be designed only for the SOC, but it is in fact for the entire cyber security organisation. The Red Team is responsible for simulating real-world attacks.
Red Team members use adversarial tactics, techniques and tools such as reconnaissance, infrastructure and application penetration, identification and exploitation of insecure configurations, lateral movement, malware implants, privilege escalation, phishing, identity theft, social engineering, and physical security and surveillance hacks. Red Teamers need excellent know-how across a vast range of technologies, an adaptive attitude, creativity, dynamism and a very good understanding of networks, systems and architectures. Their job starts with reconnaissance and finding sweet spots, then exploiting them, elevating privileges and moving laterally inside the organisation’s network until they get their hands on key assets and information. Organisations that do not have adequate Red Teaming skills can hire third-party experts. Red Teaming requires penetration testing skills, but it is a mistake to think that good penetration testers necessarily make good Red Teamers. The Blue Team’s job is to detect and respond to the attacks. Blue Teamers are expected to be good at knowing how adversaries think, what techniques they employ, how to detect early signs of attack, how to assess the business impact and how to initiate the response. They usually come from a defensive background; however, people with Red Team skills and experience make excellent Blue Teamers. The trouble is that people on the Red side do not want to be on the other side, and the result is an acute shortage of good-quality Blue Teamers in the industry. The Blue Team usually consists of internal resources from the SOC and the endpoint security, network and application security and incident response teams. They are not supposed to know when the Red Team will strike; their job is to be ready at all times to defend the infrastructure, applications, users and assets. Their activities involve early detection, containment, remediation and recovery. Blue Teamers must first of all be skilled in understanding how attacks work. Other skills include a thorough understanding of network and security architecture and key IT assets, hands-on experience with preventive and detective controls, and knowledge of traffic analysis, the cyber kill chain, operating system security, malware analysis, scripting and baselines (business as usual). Knowing what constitutes an attack-like situation is the key to triggering the appropriate response. When the Red and Blue Teams work together they are known as a Purple Team. After the field activity is over, both teams should meet to discuss the findings and lessons learnt and to initiate corrective actions that strengthen the overall security posture from the people, process and technology perspectives. Such exercises should be repeated periodically. Cyber war gaming (if you are serious about it) is not as simple as it sounds and involves a great deal of planning, coordination and execution. However, given the benefits it provides and the damage that successful attacks can cost businesses, every enterprise should take up cyber war gaming on a regular basis.
Unfortunately, not all enterprises take up Cyber War Gaming and key reasons include: • Dearth of knowledge or awareness on the subject • Paucity of resources or sponsorship (infrastructure, logistics and people) for full scale Cyber War Games • Complexities involved in planning and execution • Fear of adverse impact on production network and applications Cyber Range can really help organizations who want to test resilience of their Cyber Security controls in real threat environment, at affordable costs and without touching production infrastructure Cyber Range simulates an organization’s network, assets, applications, security tools, etc. in a production like environment (in parts or full). There are many use cases of Cyber Range, however my favorite is its ability to provide an environment for practically testing resilience of an organization’s defense capabilities (people, processes and technology). The infrastructure in a Cyber Range is usually a combination of physical and virtual components. Internet side of a Cyber Range helps simulate production like traffic as well as malicious traffic towards an organization’s (simulated) infrastructure, applications, assets, etc. Cyber Ranges have battery of attacks/threats harvested from real world. It
generates volumetric and complex attacks using a combination of tools, scripts, etc. A good Cyber Range usually has a wide range of attacks: reconnaissance, brute force, DDoS, malware samples, botnet command and control, phishing campaigns, application attacks, etc. Since the environment is simulated, one can do full-scale testing without having to worry about the impact. CISOs can ascertain what volumes and complexity their tools and people can withstand, and what more is needed to enhance the overall security posture, whether that is introducing more tools or controls, fine-tuning configurations, adding resources, etc.

Another benefit of a Cyber Range is real-world exposure and a training environment for cyber security teams, which in turn prepares them for effective incident response. There are instructors to train your resources and coordinators who help plan the simulations, provide hand-holding throughout the exercise, and explain at the end what went wrong and what should have been done.
BUSINESS CASE FOR CYBER RANGE: In spite of the benefits stated above, not many organizations use Cyber Ranges, either because of a lack of maturity or simply because they struggle to make a business case to get funds:
CYBER RANGE, IN MY VIEW, IS THE "MOST EFFECTIVE WAY" FOR CISOs TO:
• Assess the resilience of the organization's cyber security controls
• Review the security posture (impact based) of infrastructure and assets exposed to the Internet
• Determine the thresholds that, if breached, can put specific applications (sometimes the entire organization) out of business
• Provide real-world, hands-on training and experience in detecting and responding to modern threats
• Find out the extent of cyber security awareness among employees
• Measure the effectiveness of the overall cyber security framework and incident response plan (if there is one)
OTHER USE CASES OF CYBER RANGE INCLUDE:
• Application performance testing under high volumes/loads
• A cost-effective environment to test the impact of changes (major upgrades, security patches, etc.) to critical applications before applying them in production
• Hands-on labs to assess and train new recruits in the cyber security team

When organizations do not test the effectiveness of their cyber security apparatus and prepare by simulating adverse situations, things may not work as desired when incidents happen. Tools may fail to do their jobs, teams may not be able to respond effectively for lack of experience, and ad-hoc firefighting and poor coordination may make things worse. The impact in some cases can be irreversible. CISOs should present the business case for Cyber War Gaming to key stakeholders, get their buy-in, and perform a cost-benefit analysis of conducting such exercises either in their own environment or using a Cyber Range.

Disclaimer: These are my personal views and in no way represent the views of the organization I am employed with or have worked for in the past. The post is based on my experience and reading and doesn't represent the views of any individuals or organizations in particular. Looking forward to learning from your comments, criticism and suggestions.
DEMYSTIFYING ISO
The full form of ISO is International Organization for Standardization. The International Organization for Standardization is an independent, non-governmental organization. More than 160 member countries are involved in it, and more than twenty thousand standards have been published, covering everything from manufactured products and technology to agriculture and healthcare.
WHY THIS NOMENCLATURE –
PAHARI ROY,
QUALITY MANAGER ISO PRIME INFOSERV LLP
Standards are published in three languages: English, French and Russian. The abbreviation differs by language: for English, IOS (International Organization for Standardization); for French, OIN (Organisation internationale de normalisation); for Russian, MOS (Mezhdunarodnaya organizatsiya po standartizatsii). To avoid this assortment of abbreviations, the short form ISO is used around the world to denote the organization regardless of the national language of the member. ISO is a word derived from the Greek isos, meaning "equal", which is the root of the prefix iso- that occurs in a host of terms, such as isometric (of equal measure or dimensions) and isonomy (equality of laws, or of people before the law). Whatever the country, the short form of the organization's name is always ISO.

The International Organization for Standardization was established on 23 February 1947. It promotes worldwide proprietary, industrial and commercial standards. Its head office is in Geneva, Switzerland, and it works all over the world, creating and publishing new standards. Some of the most popular ISO standards are:
• ISO 9001:2015
• ISO 14001:2015
• ISO 45001:2018
• ISO 27001:2013

ISO 9001:2015 – QUALITY MANAGEMENT SYSTEM
The ISO 9001 family of standards represents an international consensus on good quality management practice. A quality management system (QMS) is the set of policies, processes and procedures required for planning and execution (product development/service) in the core business area of an organization, i.e. the areas that can affect the organization's ability to meet customer requirements.
THE PRINCIPLES OF QMS ARE:
• Customer focus
• Leadership
• Involvement of people
• Process approach
• System approach to management
• Continual improvement
• Factual approach to decision making
KEY BENEFITS OF ADOPTING QUALITY MANAGEMENT SYSTEM CERTIFICATION
• QMS certification enhances customer satisfaction by meeting customer requirements
• QMS certification enhances the functional efficiency of an organization
• QMS implementation helps to manage resources effectively
• Once the QMS certificate is obtained, it creates a path to improve processes continually
• QMS certification is today's passport for an organization to achieve its business goals effectively

DIFFERENCE BETWEEN ISO 9001:2008 AND ISO 9001:2015
The first three clauses in ISO 9001:2015 are largely the same as those in ISO 9001:2008, but there are considerable differences from the fourth clause onwards. The last seven clauses are now arranged according to the PDCA cycle (Plan, Do, Check, Act). The following figure shows this. Clauses 4, 5, 6 and 7 of ISO 9001:2015 come under PLAN, clause 8 under DO, clause 9 under CHECK and clause 10 under ACT. With this new arrangement, ISO 9001:2015 strives to give additional momentum to the continuous and systematic improvement of processes within organizations.
ISO 9001:2015 HAS TEN CLAUSES INSTEAD OF EIGHT
The following table shows the relationship of the ISO 9001:2008 clauses to those in the new ISO 9001:2015.

ISO 9001:2008                               ISO 9001:2015
0. Introduction                             0. Introduction
1. Scope                                    1. Scope
2. Normative reference                      2. Normative reference
3. Terms and definitions                    3. Terms and definitions
4. Quality management system                4. Context of the organisation
5. Management responsibility                5. Leadership
                                            6. Planning
6. Resource management                      7. Support
7. Product realisation                      8. Operation
8. Measurement, analysis and improvement    9. Performance evaluation
                                            10. Improvement
INFORMATION LIFECYCLE MANAGEMENT (ILM)
A WRITE UP ON INFORMATION LIFE CYCLE MANAGEMENT
SOURAV DAS

In today's dynamic world we cannot imagine a moment without information being handled. It is a part of every communication we make, which increases its importance every moment and raises the question of its management. Information Lifecycle Management is such a process of managing information. According to the Storage Networking Industry Association's (SNIA) Data Management Forum, Information Lifecycle Management is an end-to-end concept, comprising the practices, policies, processes and tools used to align the business value of information with the most cost-effective and flexible IT infrastructure needed to provide it. Conceptually, ILM can be thought of as "a process for managing information through its lifecycle, from conception until disposal, in a manner that optimizes storage and access at the lowest cost." Operationally, ILM can be defined as the application layer assigning value to data, and the data management layer assigning data to different storage resources according to the data's access and protection requirements.

DEFINITION OF INFORMATION LIFECYCLE
In terms of how information is accessed, transformed, moved around and stored in the firm, analysis of data movement shows that as data ages, its frequency of access falls sharply. Data access tends to occur within a few days of data creation; after one or two weeks the data is rarely accessed; after 90 days the data is almost never accessed. Thus a simplified data lifecycle can be described as Active, Less Active, Historical and Archive. Alternatively, the information lifecycle can be described as categories of file and data activities: creation, file distribution and transformation, file classification, storage and archiving. The figure below illustrates lifecycle definitions by data access and by data activity.

THE REASONS/FACTORS BEHIND THE CONCEPT OF ILM ARE:
• Growth of data used in our daily work
• Unstructured growth of data
• Population of irrelevant data
• Limitations in relational database management system performance
• Access to information and its security
• No effective method for classification of data
• Difficulty in assessing the productivity of systems, applications and databases

The drivers behind the implementation of ILM include exploding information growth in all formats of data, legal requirements and regulatory compliance, Web 2.0 collaboration, search across the enterprise (including stored data), content generated by enterprise applications, paper and electronic

THE MAIN DRIVERS OF IMPLEMENTING ILM INCLUDE:
• Enterprise Data Growth: The volume of enterprise data is growing at a rate of 45% a year.
• Growth in Unstructured Data: A rough estimate is that 80% of all enterprise data is unstructured. According to one study, a quarter of enterprise data lies outside the corporate and business unit data centers.
• Relational DBMS Performance: While processing power doubles and disk prices halve every 18 months, no such scalability model applies to data management software.
• Information Access and Security: Data growth is also taxing the volume of information that firms can effectively use and secure. As more applications and systems are deployed into supply chains and other integrated business processes, the demands of data use, access and security increase the need for continual improvement in storage software and management control.
AUTHOR’S BIO
Sourav is an alumnus of the Indian Institute of Technology (IIT), Kharagpur and the Indian Institute of Management (IIM), Lucknow, and has about two decades of experience in various global MNCs and Indian conglomerates, including Reliance Industries Limited, Linde Group, PricewaterhouseCoopers (PwC), IBM Global Services, Atos Origin, ITC Infotech, Essar Group and presently the Aditya Birla Group. With a background in Chemical Engineering and a Master in Business Administration specializing in Systems, Sourav started his career in the Petroleum & Petrochemicals industry before moving on to core IT, where his career spanned Functional Consulting, Project & Program Management, Delivery Management, Solution Architecting and Account Management. Finally, transitioning from the IT supplier industry to the consumer industry, Sourav has led several key Business Transformation initiatives and handled stakeholders across the globe, primarily in markets in Asia-Pac, Europe and North America. Sourav's strong Project & Service management DNA stems from PMP training and ITIL v3.0 Certification; he is also a Data Security Council of India certified Privacy Lead Assessor. Sourav has very strong domain expertise in the Manufacturing, Mining, Telecom, Automotive and FMCG verticals, and has worked out of several countries including the USA, UAE, Thailand, South Africa and India. Currently, Sourav is heading the IT function in the Mining Business at Aditya Birla Group, as the CIO for the Iron Ore Mining, Contract Coal Mining and Ferro Alloys Manufacturing businesses, since Dec 2015. Since mid-2018 he is also the CISO for the business. In an honorary capacity, he is also on the Council of the Kolkata Chapter of the CIO Club as well as the Governing Body of the Infosec Foundation. On the personal side, Sourav is married and the couple is blessed with a boy.
• Data Classification: It is estimated that less than 10% of all enterprise information is classified or ranked according to value. The same source also estimates that the amount of classified data will grow by 50% a year. But even if the percentage of classified data is growing, the total information in the enterprise is growing much faster, so the ratio of classified data to the growth of unstructured information is less than one. Unless data classification methods improve dramatically and are deployed effectively, the ratio will worsen.
• Maximizing Productivity: As organizations continue to add real-time systems, applications and databases, the total cost of ownership (TCO) of enterprise storage systems continues to escalate. Viewed from a storage system perspective, the impact of this investment on firm productivity is not well known.

Companies implement ILM through data warehousing and business intelligence initiatives, by responding to specific legal directives, and through data retention and security projects, data mining, email archiving and customer record management. Data warehousing or business intelligence (BI) efforts require relatively large sponsorship networks and executive-level commitments of time and stewardship across the full planning and project lifecycle.

The three principal business value objectives of implementing ILM are:
• Supporting the business in improving performance, especially in customer-facing activities, and improving customer relationships and interaction.
• Improving the performance of IT through better alignment of data and information services with business needs, including lowering costs, improving quality, and improving the performance of information access, search and storage.
• Strengthening the foundation (people, systems, records) for ensuring compliance ("decreasing the business risks and costs of compliance").
Project activities to implement ILM could include regulatory compliance, records management, deep archiving, a CRM tool to capture, input and centralize all disparate client information, HSM (hierarchical storage management), which allows data to expire off the most expensive disk storage platforms and be moved to less expensive forms of storage, and re-architecting the BURA (Backup, Restore and Archiving) system in order to improve data availability and storage efficiency.
The challenges that could be faced while implementing ILM are:
• High cost and complexity of storage management
• Lack of systems, processes, procedures and standards to protect buyers' investment
• Required upfront investment in data applications and storage hardware
• Lack of management understanding of risks and rewards
• Difficulty in managing implementation, as there is no complete solution
• Unwillingness to change existing systems

But some see these challenges as potential benefits to be achieved. The benefits we can get from ILM are:
• Increased control over data
• Minimizing business risk through regulatory compliance
• Reducing cost by removing redundancies in data storage
• Controlling storage growth
• Control over critical company datasets
• Ability to manage information within a business value chain
• Opportunity to create consistent, repeatable, efficient business processes for data management
• Long-term cost savings

An organization has to show its maturity and change itself and its systems to reap the benefits of ILM. To summarize the understanding of ILM in terms of what to do and how to do it, we should:
• Focus on information value and the processes used to extract value.
• Focus as much on discarding information as on storing it.
• Initiate ILM through policy and people, not technology.
• Recognize that the primary drivers of ILM are compliance, legal discovery, risk management and data retention.
• Recognize that application-specific ILM implementations can disrupt enterprise-wide initiatives.
• Implement storage best practices.
• Define lifecycle classification and data movement processes.

Ref: Society for Information Management, Advanced Practices Council
INSIGHTS OF SIEM
Security Information and Event Management (SIEM) is a software solution and service for security management that combines SIM (security information management) and SEM (security event management) functions into one security management system. In other words, a SIEM can be viewed as a noise filter: raw, noisy event data goes in and clean, actionable signal comes out.
OVERVIEW
The backbone principle of every SIEM system is to aggregate data from multiple sources. It then looks for common attributes in that data, linking records into meaningful information. This data correlation is the Security Event Management part of the solution, and it is mainly done by implementing rule sets in the SIEM. SIEM solutions are equipped with an alerting feature that displays the correlated event data on a dashboard or sends it via channels such as email, pop-up notification, etc.
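The aggregate-then-correlate loop described above, as an added example that is not code from the article or from any SIEM product: two constructed raw log sources (a firewall deny/allow log and a Linux sshd auth log, both invented for this example) are parsed into one common event schema, merged into a single time-ordered stream, and run through one correlation rule: an external address that was denied by the firewall and failed SSH logins, then obtained a successful login within ten minutes, raises an alert. The log formats, field names, hosts, addresses and the ten-minute window are assumptions made for the example.

```python
"""Added example (not from the article or any vendor's SIEM): normalise
events from two constructed log sources into one schema and correlate them.
The log formats, hosts, addresses and the rule's window are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs for the example (not real captures).
FIREWALL_LOG = """\
2018-11-16T09:00:01Z fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22
2018-11-16T09:00:03Z fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22
2018-11-16T09:00:04Z fw01 ALLOW src=198.51.100.9 dst=10.0.0.8 dport=443
"""
AUTH_LOG = """\
Nov 16 09:00:10 srv05 sshd[2231]: Failed password for root from 203.0.113.7 port 51122 ssh2
Nov 16 09:00:12 srv05 sshd[2231]: Failed password for root from 203.0.113.7 port 51123 ssh2
Nov 16 09:00:15 srv05 sshd[2240]: Accepted password for deploy from 203.0.113.7 port 51130 ssh2
Nov 16 09:05:00 srv05 sshd[2250]: Accepted publickey for deploy from 198.51.100.9 port 40000 ssh2
"""

FW_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) "
                   r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")
AUTH_RE = re.compile(r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) "
                     r"(?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) \S+ for "
                     r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+")


def parse_firewall(text):
    """Firewall lines -> common schema: ts, source, host, type, src_ip."""
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue                      # a real collector would count parse drops
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "source": "firewall", "host": m["host"], "src_ip": m["src"],
            "type": "fw_deny" if m["action"] == "DENY" else "fw_allow",
        })
    return events


def parse_auth(text, year):
    """sshd syslog lines -> common schema (syslog omits the year, so pass it)."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        events.append({
            "ts": ts, "source": "auth", "host": m["host"], "src_ip": m["src"],
            "type": "auth_fail" if m["result"] == "Failed" else "auth_success",
            "user": m["user"],
        })
    return events


def aggregate(*streams):
    """Merge any number of normalised streams into one time-ordered list."""
    return sorted((e for s in streams for e in s), key=lambda e: e["ts"])


def correlate(events, window=timedelta(minutes=10)):
    """Rule: an address that was denied by the firewall AND failed SSH auth,
    then obtained a successful login, all within `window`, is suspicious."""
    recent = defaultdict(list)            # src_ip -> events inside the window
    alerts = []
    for e in events:
        prior = [p for p in recent[e["src_ip"]] if e["ts"] - p["ts"] <= window]
        if e["type"] == "auth_success":
            denies = sum(p["type"] == "fw_deny" for p in prior)
            fails = sum(p["type"] == "auth_fail" for p in prior)
            if denies and fails:
                alerts.append({"rule": "brute_force_then_success",
                               "src_ip": e["src_ip"], "host": e["host"],
                               "user": e["user"], "denies": denies,
                               "failures": fails, "ts": e["ts"].isoformat()})
        prior.append(e)
        recent[e["src_ip"]] = prior
    return alerts


if __name__ == "__main__":
    stream = aggregate(parse_firewall(FIREWALL_LOG), parse_auth(AUTH_LOG, 2018))
    for alert in correlate(stream):
        print(alert)
```

The point of the common schema is that the rule never looks at the raw line formats: once both sources expose `src_ip`, `type` and `ts`, the same rule works for any other source that can be mapped onto those fields, which is what lets a SIEM link records from a firewall and a server into one finding.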
HISTORY AND GROWTH
SOUMADEEP CHAKRABORTY,
SR. EXECUTIVE ENGINEER PRIME INFOSERV LLP
AUTHOR’S BIO
With nearly nine years of experience in network and information security, Aditya Khullar holds a unique blend of visionary leadership with expertise to lead strategic planning, direct multi-functional operations, and re-structuring business models. Prior to his stint at Paytm, Khullar worked for various global firms and projects such as Aricent Technologies, HCL Infosystems, Bank of America and Interglobe Enterprises. In his present role, Khullar leads the technical aspects for cyber security verticals in Paytm and its subsidiaries.
Security information and event management systems have been around for almost a decade. In the early stages, IPS and IDS events were an overwhelming amount of information to work with, and there was an urgent need to correlate all of these events. Thus came Security Event Management, the earlier form of the SIEM solution. Over time it became more of an information platform, where security logs from different sources such as firewalls and servers are aggregated to help in making security decisions.

SIEM then started automating compliance. The Payment Card Industry created its Data Security Standard, in which log analysis became a mandatory factor for data security. Another important security requirement was forensics: as new technologies emerged, security forensics became a necessity, and SIEM was a ready-made choice because of its log aggregation capability. Thus SIEM matured in the field of security.

Today's modern-generation SIEM solutions are equipped with much more information and capability to keep security personnel updated about threats in real time. A SOC team is bombarded with tens of thousands of events per second; this data needs to be made sensible for them to make decisions. Modern SIEM solutions can handle high-speed, real-time event aggregation and correlation. Best of all, the SIEM has improved visually, meaning one can separate false threats from true threats by looking at the SIEM dashboard. Network flow data collection is also part of the new generation of SIEM; it provides added context to correlated data, so the security team can identify the source of a threat for forensic purposes. A SIEM can also perform real-time packet capture of the data flow on demand. These features make the SIEM the best friend of a cyber threat hunter.
Sensible report generation within a timeline was an issue with older-generation SIEM solutions. Modern SIEMs are equipped with compliance reporting templates and many standard templates, and further improvements have been made to this feature, which eases the process of report generation.
SIEM AND VULNERABILITY ASSESSMENT
If the SIEM is the National Security Agency equivalent of IT security, with a vast infrastructure of listening posts all over the world monitoring events, then vulnerability assessments are more like the smart special agent who can prevent problems from happening in the first place. Modern SIEMs work side by side with a vulnerability assessment manager. This collaboration gives the SIEM the missing link: information about the weaknesses of the organization's own systems. One benefit of the handshake between the SIEM and the vulnerability manager is that it can prevent the resource-heavy SIEM from raising frequent false alarms, most often when it is too late. Moreover, the vulnerability assessment results feed the SIEM with valuable information.

THE BENEFITS OF SIEM IMPLEMENTATION
IT environments are growing ever more distributed, complex and difficult to manage, making the role of security information and event management (SIEM) technology more important than ever. Here's why.

COMPLIANCE
Almost every business is bound by some sort of regulation, such as PCI-DSS, HIPAA and Sarbanes-Oxley (SOX). Attaining and maintaining compliance with these regulations is a daunting task. SIEM technologies can address compliance requirements both directly and indirectly. Virtually every regulatory mandate requires some form of log management to maintain an audit trail of activity. SIEMs provide a mechanism to rapidly and easily deploy a log collection infrastructure that directly supports this requirement, and allow both instant access to recent log data and archival and retrieval of older log data. Alerting and correlation capabilities also satisfy routine log data review requirements, an otherwise tedious task when done manually. In addition, SIEM reporting capabilities provide audit support to verify that certain requirements are being met. Most SIEM vendors supply packaged reports that map directly to specific compliance regulations. These can be run with minimal configuration and will aggregate and generate reports from across the enterprise to meet audit requirements.
OPERATIONS SUPPORT
The size and complexity of today's enterprises are growing exponentially, along with the number of IT personnel needed to support them. Operations are often split among different groups such as the Network Operations Centre (NOC), the Security Operations Centre (SOC), the server team, the desktop team, etc., each with its own tools to monitor and respond to events. This makes information sharing and collaboration difficult when problems occur. A SIEM can pull data from disparate systems into a single pane of glass, allowing efficient cross-team collaboration in extremely large enterprises.
ZERO-DAY THREAT DETECTION
New attack vectors and vulnerabilities are discovered every day. Firewalls, IDS/IPS and AV solutions all look for malicious activity at various points within the IT infrastructure, from the perimeter to endpoints. However, many of these solutions are not equipped to detect zero-day attacks. A SIEM can detect the activity associated with an attack rather than the attack itself. For instance, a well-crafted spear-phishing attack using a zero-day exploit has a high likelihood of making it through spam filters, firewalls and antivirus software and being opened by the target user. A SIEM can be configured to detect the activity surrounding such an attack. For example, a PDF exploit generally causes the Adobe Reader process to crash. Shortly thereafter, a new process launches that either listens for an incoming network connection or initiates an outbound connection to the attacker. Many SIEMs offer enhanced endpoint monitoring capabilities that keep track of processes starting and stopping and network connections opening and closing. By correlating process activity and network connections from host machines, a SIEM can detect such attacks without ever having to inspect packets or payloads. The crash is only a convenient trigger: a well-written exploit may leave Reader running, so the rule should key on the unexpected new process and its network activity rather than on the crash alone. While IDS/IPS and AV do what they do well, a SIEM provides a safety net that can catch malicious activities that slip through traditional defenses.
ADVANCED PERSISTENT THREATS
APTs have been in the news a lot, with many experts claiming they were responsible for the high-profile breaches at RSA, Lockheed Martin and others. An APT is generally defined as a sophisticated attack that targets a specific piece of data or infrastructure, using a combination of attack vectors and methods, simple or advanced, to elude detection. In response, many organizations have implemented a defense-in-depth strategy around their critical assets using firewalls and IDS/IPS at the perimeter, two-factor authentication, internal firewalls, network segmentation, HIDS, AV, etc. All of these devices generate a huge amount of data, which is difficult to monitor. A security team cannot realistically have eight dashboards open and correlate events among several components fast enough to keep up with the packets traversing the network. SIEM technologies bring all of these controls together into a single engine, capable of continuous real-time monitoring and correlation across the breadth and depth of the enterprise.

But what if the initial compromise is not detected by the SIEM? After a host is compromised, the attacker must still locate the target data and extract it. Some SIEM correlation engines are able to monitor for a threshold of unique values. For example, a rule that looks for a certain number of unsuccessful access attempts on port 445 (or ports 137, 138 and 139 if NetBIOS is used) to distinct hosts from the same source within a short time frame would identify a scan for shared folders. A similar rule looking for standard database ports would indicate a scan for databases listening on the network. Through the integration of whitelisting with the SIEM, it becomes trivial to identify which hosts and accounts are attempting to access data that they should not be accessing. Meanwhile, implementing File Integrity Monitoring (FIM) with a SIEM can correlate data being accessed with outbound network traffic from the same host to detect data leakage. If a FIM event shows that critical data was accessed, and a thumb drive was plugged into the same host around that time, an alarm can be generated to notify security personnel of a potential breach.
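The endpoint correlation rules described in the zero-day and APT sections above (a new process that appears after a reader crash and then talks to the network, a threshold of distinct targets on the SMB ports from one host, and a FIM hit followed by removable media on the same host), as an added example that is not code from the article or from any SIEM product. It runs the three rules over a constructed stream of endpoint telemetry events. The event schema, host names, process names, paths, addresses, windows and threshold are assumptions made for the example; a real endpoint agent would supply its own field names.

```python
"""Added example (not from the article or any SIEM): three stateful
correlation rules over a constructed stream of endpoint telemetry events.
Field names, hosts, paths, addresses, windows and threshold are assumptions."""
from collections import defaultdict

# Constructed events. ts is seconds from an arbitrary epoch; kinds are
# process_exit, process_start, net_connect, file_access, device_attached.
EVENTS = [
    # WS-01: Adobe Reader crashes, a new process appears and calls out.
    {"ts": 0, "host": "WS-01", "kind": "process_exit", "name": "AcroRd32.exe", "pid": 4100, "crashed": True},
    {"ts": 2, "host": "WS-01", "kind": "process_start", "name": "wupdater.exe", "pid": 4188},
    {"ts": 3, "host": "WS-01", "kind": "net_connect", "pid": 4188, "direction": "outbound",
     "dst": "203.0.113.50", "dport": 443, "ok": True},
    # WS-02: one host probing six peers on SMB port 445 (share scan), all refused.
    *[{"ts": 10 + i, "host": "WS-02", "kind": "net_connect", "pid": 900, "direction": "outbound",
       "dst": f"10.0.1.{i}", "dport": 445, "ok": False} for i in range(1, 7)],
    # WS-03: a critical file is read, then a USB mass-storage device attaches.
    {"ts": 40, "host": "WS-03", "kind": "file_access", "path": "/finance/payroll.xlsx", "pid": 777},
    {"ts": 70, "host": "WS-03", "kind": "device_attached", "device": "usb_storage"},
    # WS-04: benign activity that must not alert.
    {"ts": 80, "host": "WS-04", "kind": "process_start", "name": "outlook.exe", "pid": 2000},
    {"ts": 81, "host": "WS-04", "kind": "net_connect", "pid": 2000, "direction": "outbound",
     "dst": "198.51.100.20", "dport": 443, "ok": True},
]

CRITICAL_PATHS = ("/finance/",)   # prefixes under File Integrity Monitoring (assumed)
SMB_PORTS = {445, 139}


def correlate(events, crash_window=60, scan_window=60, scan_threshold=5, fim_window=300):
    """Run the three rules over a time-ordered event stream and return alerts."""
    events = sorted(events, key=lambda e: e["ts"])
    last_crash = {}                          # host -> ts of the last crashed process
    started_after_crash = defaultdict(set)   # host -> pids started after that crash
    smb_failures = defaultdict(list)         # host -> [(ts, dst)] refused SMB connects
    critical_reads = defaultdict(list)       # host -> ts of FIM hits on critical files
    alerts = []
    for e in events:
        h = e["host"]
        if e["kind"] == "process_exit" and e.get("crashed"):
            last_crash[h] = e["ts"]
            started_after_crash[h].clear()
        elif e["kind"] == "process_start":
            if h in last_crash and e["ts"] - last_crash[h] <= crash_window:
                started_after_crash[h].add(e["pid"])
        elif e["kind"] == "net_connect":
            # Rule 1: a process born right after a crash that touches the network.
            if e["pid"] in started_after_crash[h] and e["ts"] - last_crash[h] <= crash_window:
                alerts.append({"rule": "post_crash_network", "host": h,
                               "pid": e["pid"], "dst": e["dst"]})
                started_after_crash[h].discard(e["pid"])     # one alert per process
            # Rule 2: threshold of distinct refused SMB targets within the window.
            if e["dport"] in SMB_PORTS and not e["ok"]:
                fails = [(t, d) for t, d in smb_failures[h] if e["ts"] - t <= scan_window]
                fails.append((e["ts"], e["dst"]))
                smb_failures[h] = fails
                distinct = {d for _, d in fails}
                if len(distinct) == scan_threshold:          # fire once, at the threshold
                    alerts.append({"rule": "smb_share_scan", "host": h,
                                   "targets": len(distinct)})
        elif e["kind"] == "file_access" and e["path"].startswith(CRITICAL_PATHS):
            critical_reads[h].append(e["ts"])
        elif e["kind"] == "device_attached" and e["device"] == "usb_storage":
            # Rule 3: critical data read, then removable media attached to the same host.
            recent = [t for t in critical_reads[h] if e["ts"] - t <= fim_window]
            if recent:
                alerts.append({"rule": "fim_then_usb", "host": h, "reads": len(recent)})
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

The scan rule fires exactly when the count of distinct targets reaches the threshold, so a sweep of a whole subnet produces one alert rather than one per target, and the post-crash rule keys on the new process's network activity rather than on the crash alone, which is the behaviour the zero-day section says a SIEM should look for.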
FORENSICS
A forensic investigation can be a long, drawn-out process. Not only must the analyst interpret log data to determine what actually happened, the analyst must also preserve the data in a way that makes it admissible in a court of law. By storing and protecting historical logs, and providing tools to quickly navigate and correlate the data, SIEM technologies allow for rapid, thorough and court-admissible forensic investigations. Since log data represents the digital fingerprints of all activity that occurs across the IT infrastructure, it can be mined to detect security, operations and regulatory compliance problems. Consequently, SIEM technology, with its ability to automate log monitoring, correlation, pattern recognition, alerting and forensic investigation, is emerging as a central nervous system for gathering and generating IT intelligence.

POINTS TO BE NOTED BEFORE GOING FOR A SIEM SOLUTION
SIEM platforms have matured and offer greater capabilities in security event detection, scalability and management. But unless we understand what data and policies the compliance department needs, what threats the security team is really worried about and what resources the operations team can devote to the SIEM, it is impossible to gauge whether a vendor can meet our needs.
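One way to "store and protect historical logs" so that an investigator can show they were not altered after collection, as an added example that is not from the article or from any SIEM product: each archived record carries an HMAC that covers the previous record's tag, its own sequence number and its content, so editing, deleting, inserting or reordering a record after the fact breaks the chain at that point and the verifier reports which record was touched. The key, the record layout and the sample log lines are assumptions for the example; a production archive would also keep the key away from the systems whose logs it protects and record the current chain head somewhere the investigator trusts.

```python
"""Added example (not from the article or any SIEM): a tamper-evident log
archive built as an HMAC hash chain, with a verifier. The key, record layout
and sample lines are assumptions for this example."""
import hashlib
import hmac
import json

GENESIS = "0" * 64   # stands in for the tag of the record before the first one

# Constructed sample records; in practice they come from the log collector.
SAMPLE_LINES = [
    "2018-11-16T09:00:01Z fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2018-11-16T09:00:10Z srv05 sshd Failed password for root from 203.0.113.7",
    "2018-11-16T09:00:15Z srv05 sshd Accepted password for deploy from 203.0.113.7",
]
EXAMPLE_KEY = b"example-archive-key-do-not-use-in-production"   # assumed


def _tag(key, prev_tag, seq, line):
    """HMAC over (previous tag, sequence number, line): binds order and content."""
    msg = f"{prev_tag}\n{seq}\n{line}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def append_record(chain, line, key):
    """Append one log line to the chain (a list of dicts); returns the chain."""
    prev = chain[-1]["tag"] if chain else GENESIS
    seq = len(chain)
    chain.append({"seq": seq, "line": line, "prev": prev,
                  "tag": _tag(key, prev, seq, line)})
    return chain


def build_archive(lines, key):
    chain = []
    for line in lines:
        append_record(chain, line, key)
    return chain


def verify_chain(chain, key):
    """Return (True, None) if intact, else (False, index of the first bad record).
    Catches edited lines, deleted or inserted records, reordering and a wrong key."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["seq"] != i or rec["prev"] != prev:
            return False, i
        if not hmac.compare_digest(_tag(key, prev, i, rec["line"]), rec["tag"]):
            return False, i
        prev = rec["tag"]
    return True, None


def to_jsonl(chain):
    """Serialise for storage: one JSON object per line."""
    return "\n".join(json.dumps(rec, sort_keys=True) for rec in chain)


def from_jsonl(text):
    return [json.loads(line) for line in text.splitlines() if line]


if __name__ == "__main__":
    archive = build_archive(SAMPLE_LINES, EXAMPLE_KEY)
    print("intact:", verify_chain(from_jsonl(to_jsonl(archive)), EXAMPLE_KEY))
    tampered = from_jsonl(to_jsonl(archive))
    tampered[1]["line"] = tampered[1]["line"].replace("Failed", "Accepted")
    print("after edit:", verify_chain(tampered, EXAMPLE_KEY))
```

Because every tag depends on the one before it, an attacker who can rewrite the archive but does not hold the key cannot repair the chain after changing a record, and an investigator only needs the key and the last tag to demonstrate that the whole archive up to that point is what was collected.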
FINDING OUT WHAT YOUR ORGANIZATION NEEDS FROM SIEM
In practice, the proper approach involves little more than asking how to address the use cases we care about. Some questions to ask include:
• If it's compliance, what specific summary, detailed and verification reports do you need?
• Who is responsible for policy setting, implementation and review?
• What data needs to be collected for each of the reports?
• If something goes wrong, who does the analysis and what tools will they need?
• Is separation of duties required, and if so, what model do you want to follow?
• What compliance requirements must be met, and what reports are needed?
• What risks need to be detected, and what information and tools will the security operations team need to do its job?
• How can the time spent on system deployment and administration be reduced?
• Who will deploy the product?
• Who is responsible for implementing policies?
• What is the timeframe for rollout?
Be sure to gather the list of key stakeholders and have them help with planning and requirements definition.

Keep in mind this is where it gets personal; we are asking for both requirements and commitments from the team. We need to get as specific as possible in each case, and we'll need to fully document what must be accomplished and who will do the work. Finally, get some consensus as to which features are critical, needed and nice to have.

If this sounds like a lot of work, it is. There are a lot of moving parts to security information and event management, as it is used to monitor a vast number of disparate applications and devices and must make sense of all these events in one common platform. It's important to mention this because setting expectations about which SIEM features are most important will sway the buying decision. Prioritizing requirements is important because one may have to pick and choose between different platforms based upon the features and deployment options of each product. And when it comes to deployment, establishing priorities is critical in managing expectations; rolling out a SIEM platform takes time, with new capabilities rolled out over the course of many months, and all stakeholders will want their stuff first.

Enterprises must also consider how this project will be budgeted. It's a tough question, but now that everyone has added their two cents on what the product needs to do, one needs to understand who pays for the product and who budgets the resources to deploy and manage it over time. One may find that if resources are lacking, one reduces the total number of features to be rolled out or scales back expectations. If no one has the resources to manage a feature of the SIEM platform, be realistic and place it on the "nice-to-have" list.

Establishing requirements is a little easier if one has an existing SIEM platform in place. In this case, one can catalog what one has and then ask the stakeholders what's missing.
This will provide a pretty good overview of what's needed, and most people who use the incumbent system will have some sort of wish list (or list of things that make them really angry) that they'll be more than happy to share. Then ask senior management what long-term improvements or changes they want in the IT environment, especially around evolving business lines that will need support. Between the three lists (what one has, what's deficient and what will be needed in the future), one is in pretty good shape to move on to mapping requirements to features.

As a final thought, if one is considering augmentation or replacement of an existing system, be honest about what the incumbent platform does well and what it does not. Replacement is a costly, time-intensive process. It should be undertaken only if the current system is a complete failure and one's research has shown that a replacement system exists that won't fail just as miserably as the last one. Many companies augment existing log management systems with a specialized SIEM to accomplish compliance reporting or security management. We've witnessed successful SIEM replacements, but it takes a lot of time, planning and investment to pull off.
LAST BUT NOT LEAST
IT pros will need to manage modern SIEM tools, and it is the combination of pattern matching and human interaction that will be the key to their success. For all its capabilities, SIEM is no "set it and forget it" technology -- the enterprise must have on staff people with the statistical and mathematical skills to make sense of the big data collected.
BROUGHT BY
30th NOV 2018 LE MERIDIAN, GURUGRAM
MEGA TECH SUMMIT AND AWARDS 2018
THEME : MISSION TRANSFORMATION 4.0
Everything you need to know to stop ransomware.
67% of Indian organizations were hit by ransomware in the last year.*
91% were running up-to-date endpoint security at the time of the attack.*
Protect against Ransomware with CryptoGuard The proven CryptoGuard capabilities in Sophos Intercept X block ransomware as soon as it starts trying to encrypt your files, returning data to its original state.
“Intercept X stopped all ransomware attacks we tested against it in seconds.” - ®ESG Labs “Since deploying Intercept X we’ve had zero ransomware infections.” - ®Flexible Business Systems For more details visit www.sophos.com/intercept-x Tel: +91 79 66216838 Email: indiamarketing@sophos.com *The State of Endpoint Security Today survey was conducted by Vanson Bourne, an independent specialist in market research. This survey interviewed 2,700 IT decision makers in 10 countries out of which, 300 respondents were from India, based in Delhi, Mumbai, Hyderabad, Bangalore, Kolkata and Chennai.