informationweek march 2013
www.informationweek.in
Editorial
Will the future of security be without passwords?

The goal posts in information security are constantly changing, and what is considered safe today is likely to be compromised tomorrow. Every known security mechanism designed to protect or authenticate users and transactions has been broken.

Consider passwords first. Deloitte has predicted that in 2013 more than 90 percent of user-generated passwords, even those considered strong by IT departments, will be vulnerable to hacking. The firm says that a dedicated password-cracking machine employing readily available virtualization software and high-powered graphics processing units can crack any eight-character password in 5.5 hours.

Two-factor authentication adds another layer of security, but it too has been defeated by fraud. If an attacker obtains the user name and password and then obtains a replacement SIM card by reporting the victim's SIM as stolen, the attacker receives the one-time passwords that the bank sends by SMS. This lets fraudsters bypass the SMS-based two-factor authentication that banks commonly use.

Even digital certificates, which are issued by authorized certificate authorities to guarantee the authenticity of a file signed by a firm, have been compromised. This year, security researchers were alarmed to discover a banking Trojan that came with its own built-in digital certificate: the banking password sniffer was signed with a valid certificate. The CCSS (Common Computing Security Standards) Forum reports 16 legitimate digital certificates associated with malware.

In the face of such attacks, global firms are adding more layers of security. For example, recognizing that stolen passwords are put on sale on underground websites, Google's security system does more than check whether a password is correct: the search engine giant uses more than 120 variables to detect fraud.

Twitter recently announced that it will offer SMS as a second factor of user authentication. Globally, there have also been efforts to create a future in which passwords never have to be used. Google, for example, is researching a slim USB key that proves the user's identity when plugged into a computer. The FIDO Alliance, a consortium whose members include PayPal and Lenovo, is developing a set of standards to reduce reliance on passwords; the second factor could be a security chip installed in a PC or a fingerprint scanner. PayTango, a startup, has launched a solution that links your cards to your fingerprints. If successful, PayTango could remove the hassle of carrying multiple cards: you could walk out of your home and pay for a transaction without carrying anything.

Ultimately, even with the greatest advances in technology, humans are and will remain the weakest link in security. If organizations succeed in creating a robust security culture by spreading awareness, even the greatest of attacks can be prevented and foiled.
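The Deloitte figure quoted above can be checked with a few lines of arithmetic. What follows is an added example written for this page, not part of the editorial and not Deloitte's own calculation: it derives the guess rate a cracking rig would need to exhaust every eight-character password drawn from the 95 printable ASCII characters in 5.5 hours, then reuses that rate to show what the same rig achieves against a twelve-character password, and what an eight-character password costs to crack when the stored hash is a deliberately slow one. The 95-character alphabet and the slow-hash rate of 10,000 guesses per second are assumptions chosen for illustration.

```python
"""Brute-force arithmetic behind "any eight-character password in 5.5 hours".

Added example for this page, not from the editorial or from Deloitte. The
95-character printable ASCII alphabet and the slow-hash rate are assumptions.
"""

SECONDS_PER_HOUR = 3600.0
SECONDS_PER_YEAR = 365.0 * 24 * SECONDS_PER_HOUR
PRINTABLE_ASCII = 95        # assumption: every printable ASCII character is allowed
SLOW_HASH_RATE = 1.0e4      # assumption: guesses/s against a deliberately slow KDF


def keyspace(alphabet_size, length):
    """Number of candidate passwords of exactly `length` characters."""
    return alphabet_size ** length


def crack_time_seconds(alphabet_size, length, guesses_per_second):
    """Worst-case time to exhaust the keyspace at the given guess rate."""
    return keyspace(alphabet_size, length) / guesses_per_second


def implied_rate(alphabet_size, length, seconds):
    """Guess rate a rig must sustain to exhaust the keyspace in `seconds`."""
    return keyspace(alphabet_size, length) / seconds


def summarize(alphabet_size=PRINTABLE_ASCII, hours=5.5):
    """Derive the rate implied by the claim, then reuse it for two comparisons."""
    rate = implied_rate(alphabet_size, 8, hours * SECONDS_PER_HOUR)
    longer = crack_time_seconds(alphabet_size, 12, rate)         # same rig, 12 chars
    slow = crack_time_seconds(alphabet_size, 8, SLOW_HASH_RATE)  # same password, slow hash
    return {
        "implied_guesses_per_second": rate,
        "twelve_char_years": longer / SECONDS_PER_YEAR,
        "eight_char_slow_hash_years": slow / SECONDS_PER_YEAR,
    }


if __name__ == "__main__":
    for name, value in summarize().items():
        print(f"{name:<28} {value:,.0f}")
```

Two things fall out of the numbers. The claim implies a rig sustaining roughly 3.4 × 10^11 guesses per second, which is only plausible against fast, unsalted hashes; the same rig needs about 51,000 years for twelve characters, and the same eight-character password behind a slow key-derivation function takes about 21,000 years at the assumed rate. Length and the choice of hash function matter far more than "complexity" rules.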
Srikanth RP is Executive Editor of InformationWeek India. srikanth.rp@ubm.com
Contents: Volume 2 | Issue 08 | June 2013
14 Cover Story: How SoCloMo is changing the enterprise security landscape. The enterprise mobility wave, coupled with emerging public cloud computing solutions and the rise in social media consumption, has knocked open the traditional, closed, on-premise enterprise IT infrastructure and is exposing it to different kinds of security threat vectors.

20 Security awareness: How India's leading CISOs are tackling the weakest link. Human beings are and will always remain the weakest security link. Given this fact, how do CISOs ensure that employees are always clued in to security? InformationWeek's Jasmine Kohli spoke to India's leading CISOs, who share their perspectives and experiences on some of the projects and measures they have undertaken to ensure a robust security culture.

22 How Big Data security analytics is set to transform the security landscape. By using analytics to understand the big picture, analyzing and drawing connections between disparate sources of information, Big Data security analytics can completely transform the ecosystem of security.

CISO Profiles: A peek into the personality of a CISO. Leading Indian CISOs from across industry verticals reveal their personal sides and discuss their most challenging security initiatives, the strategies they adopt for countering evolving threats, and security projects in the pipeline.
26 Sameer Ratolikar, CTO, Bank of India
27 Manish Dave, Group CISO, Essar Group
28 Ashish Chandra Mishra, CISO, Tesco HSC
29 Colonel (Retd) AK Anand, VP & CISO, NIIT Technologies
30 Sesanka Pemmaraju, CISO, Hitachi Consulting Software Services India
32 Dr. Onkar Nath, CISO, Central Bank of India
33 N D Kundu, Assistant General Manager (IT Projects & Security), Bank of Baroda
34 Burgess Cooper, CTSO, Vodafone India

Cover Design: Deepjyoti Bhowmik
Interviews
35 Dell Global CIO on how IT must adapt as business priorities change (Adriana Karaboutis, Global CIO, Dell)
36 Facebook CSO Joe Sullivan on protecting a billion people from spam, malware and hackers (Joe Sullivan, Chief Security Officer, Facebook)
40 'Cybercriminal activity in APAC set to grow exponentially' (Michael Sentonas, VP & CTO, APAC, McAfee)
42 'Security should be the goal, not compliance' (Bikash Barai, CEO, iViZ Security)

Opinion (pages 44 to 58)
Top 5 ground-zero challenges Indian CISOs face today
Best practices for IP protection
Stepping up SMB security
Certification for certification's sake: Following the letter sans the spirit
Addressing the hacking dilemma
Policy-driven network configuration management critical to security
Policy formulation a must for secure enterprise mobility
Big Data: The future of info security?
6 Steps for a successful data security control implementation
How NFC-enabled phones can offer frictionless access control experience

Departments
Editorial 6
Index 10
News 12
Feature 60
Event 64
Analyst Angle 68
Global CIO 70
Down to Business 71
Imprint
Volume 2, No. 08, June 2013
Managing Director: Joji George
Printer & Publisher: Kailash Pandurang Shirodkar
Associate Publisher & Director: Anees Ahmed
Editor-in-Chief: Brian Pereira
Executive Editor: Srikanth RP
Principal Correspondents: Ayushman Baruah (Bengaluru), Jasmine Kohli (Mumbai)
Senior Correspondent: Amrita Premrajan (New Delhi)
Correspondent: Varun Haran
Copy Editor: Shweta Nanda
Design: Deepjyoti Bhowmik (Art Director), Yogesh Naik (Senior Visualiser), Shailesh Vaidya (Senior Graphic Designer), Jinal Chheda and Sameer Surve (Graphic Designers)
Marketing Head: Samta Datta
Online: Viraj Mehta (Manager, Product Development & Marketing), Nilesh Mungekar (Deputy Manager, Online), Nitin Lahare (Web Designer), Aditi Kanade (Senior User Interface Designer)
Head, Finance: Yogesh Mudras
Director, Operations & Administration: Satyendra Mehra
Management Service: Jagruti Kudalkar
Editorial index (person, organization: page)
Adriana Karaboutis, Dell: 35
AK Anand, NIIT Technologies: 29
Amit Pradhan, Cipla: 46
Amit Saha, Infosys: 16
Anand Naik, Symantec: 15
Ashish Chandra Mishra, Tesco HSC: 28
Bikash Barai, iViZ Security: 42
Burgess Cooper, Vodafone India: 34
Dinesh Bareja, Open Security Alliance: 54
Diwakar Dayal, Cisco: 18
John Hines, Verizon: 55
Jagdish Mahapatra, McAfee: 24
Joe Sullivan, Facebook: 36
Kartik Shahani, RSA India: 24
Manish Dave, Essar Group: 27
Michael Sentonas, McAfee: 40
N D Kundu, Bank of Baroda: 33
Neil Thacker, Websense: 49
Onkar Nath, Central Bank of India: 32
Printed and Published by Kailash Pandurang Shirodkar on behalf of UBM India Pvt Ltd, 6th floor, 615-617, Sagar Tech Plaza A, Andheri-Kurla Road, Saki Naka Junction, Andheri (E), Mumbai 400072, India. Executive Editor: Srikanth RP Printed at Indigo Press (India) Pvt Ltd, Plot No 1c/716, Off Dadaji Konddeo Cross Road, Byculla (E), Mumbai 400027. RNI NO. MAH ENG/2011/39874
Ranjit Nambiar, HID Global: 52
Robbie Upcroft, McAfee: 51
Sajan Paul, Juniper Networks: 18
Sameer Ratolikar, Bank of India: 26
Sanjay Katkar, Quick Heal Technologies: 15
Sesanka Pemmaraju, Hitachi Consulting Software Services India: 30
Srinivas S Tadigadapa, Intel: 17
Srinivasa Boggaram, McAfee: 16
Steve Durbin, Information Security Forum: 48
Sundar Ram, Oracle Corporation: 18
Sunil Lalwani, BlackBerry: 58
V Balasubramanian, ManageEngine: 56
Vaidyanathan R Iyer, IBM: 23
News: Security
India can lead in the nexus of social, mobile and cloud

India has the potential to lead the world in adoption of the Nexus of Forces, the convergence and mutual reinforcement of social interaction, mobility, cloud and information; however, for this to happen a number of technological and socioeconomic shifts must occur, according to Gartner, Inc. Transformation of this nature is expensive and time-consuming, and the economic, demographic and social outlook for western economies suggests that, for the next few years, such changes will be difficult to achieve there. At first glance, India seems well placed to embrace them: it has virtually no legacy systems, and billions of dollars are being spent on developing new infrastructure.

"While there are significant opportunities in India to lead in the Nexus of Forces, contrary forces are also at play. The uptake of social media remains quite low. There is a degree of ambivalence toward the use of social media for marketing by Indian retailers," said Rakesh Kumar, Research VP, Gartner. "Although it's easy to see how social media could grow rapidly during the next few years, privacy concerns and the cultural fabric of the country may suggest otherwise. If the use of social media does not reach a substantial proportion of that young, affluent consumer base, then the benefits of the Nexus of Forces may not fully materialize."

A second factor is skepticism toward the cloud. Indian IT users feel that the public cloud remains immature for enterprise use, the major concerns being security, data retention and the maturity of the offerings. "Many people feel that it would be difficult for public cloud operators to provide enterprise services that are lower than their internal costs. This view reflects the fact that most people still view the public cloud as a software as a service (SaaS) model, rather than infrastructure as a service (IaaS) or the platform as a service (PaaS) model. This carries complex financial and technical permutations in areas such as patch compatibility, testing of new applications and contract management," Kumar said. — InformationWeek News Network
Check Point introduces security solutions for small businesses

Check Point Software Technologies recently launched its 600 Appliances, designed to help protect small businesses against the latest cyberattacks. The 600 Appliances provide an affordable security solution with 1.5 Gbps of firewall throughput and 37 SecurityPower units (SPU). They are suitable for small offices of up to 100 employees and come in three models. The 600 Appliances come pre-loaded with enterprise-class capabilities, including firewall, VPN, intrusion prevention (IPS), anti-virus, anti-spam, application control and URL filtering.

Dorit Dor, VP - Products, Check Point, said, "With limited resources, small businesses are often not equipped to deal with expert cybercriminals. The 600 Appliances offer small businesses a comprehensive security solution." "The SMB segment in India is in dire need of security solutions that are hassle-free and easy to manage, while providing the organization with comprehensive security. Check Point's 600 appliances do just this and are competitively priced," said Bhaskar Bakthavatsalu, Regional Director – India & SAARC, Check Point Software Technologies. — InformationWeek News Network
Sameer Ratolikar elevated from CISO to CTO of Bank of India

Sameer Ratolikar, until recently the CISO of Bank of India, has been elevated to Chief Technology Officer of the bank. His mandate is to lead strategic and operational planning for IT, develop a uniform IT architecture, take strategic technology decisions, foster innovation, and carry out technology research and technology life cycle management. Ratolikar has more than 20 years of experience in IT and information security. Well known for his expertise in the security domain, he sits on the panels of regulators and the IBA that develop security standards for Indian banks. An industry pioneer in adopting the Zachman framework, he has also written a book, Information Security-Demystified, for bank users and employees. — InformationWeek News Network
Cover Story
How SoCloMo is changing the enterprise security landscape

The enterprise mobility wave, coupled with emerging public cloud computing solutions and the rise in social media consumption, has knocked open the traditional, closed, on-premise enterprise IT infrastructure and is exposing it to different kinds of security threat vectors. By Amrita Premrajan
Imagine the bygone era when neither smart mobile devices nor cloud computing were commonplace. Back then, a typical day in the life of an employee would begin at 9 am, when the employee logged on to his desktop, and end at 6 pm, when he logged out and left the office. Until he reported back to the office next morning, he had no access to official mail or any other work-related communication, unless he had a workstation installed at home. In those times, all that CIOs had to do to ensure security was build a secure digital fortress around the in-house enterprise IT infrastructure: the servers, the network and the employee PCs were all on-premise and hence easy to monitor and control within the physical walls of the enterprise.

Cut to today, when corporate-owned Windows PCs stationed within office premises are no longer the employees' only option, as each of them owns one or more mobile computing devices, which they carry everywhere. Owing to the ubiquity and affordability of mobile devices along with 2G and 3G connectivity, employees no longer have to wait until they reach the office to log in to their official mail. In fact, mobility coupled with SaaS solutions and social media enables them not only to read e-mail, both private and official, on their smart mobile devices but also to access enterprise apps such as corporate CRM while on the move and to store corporate data on those devices.

Social, cloud computing and mobility (SoCloMo) has broken open the rigid limits of enterprise IT that was so far stationed within the four walls of the enterprise. Today, enterprise IT has evolved from a controlled, in-house environment where CIOs could easily keep confidential information away from unauthorized access to a scenario where CIOs worry about the security of corporate data that is distributed across cloud, mobile and social platforms, where enterprise IT has neither visibility nor control. If proper security layers are not built, SoCloMo can serve as a highly vulnerable entry point through which cyber criminals can exploit the enterprise IT environment.

"Leakage of corporate data via the usage of SoCloMo by the employees brings in huge opportunities for targeted attackers and Advanced Persistent Threat attackers to unleash their social engineering techniques and then make use of zero-day exploits. Apart from this, SoCloMo may also expose the company to security threats that range from phishing, identity thefts, cross-site scripting, authentication compromise, injection flaws and information leakages," says Sanjay Katkar, Co-Founder and CTO, Quick Heal Technologies.

Growing use of SoCloMo is necessitating a radical change in the manner in which CIOs have traditionally approached threat vectors within an enterprise. CISOs and CIOs today devise fresh strategies to ensure the security of corporate data, as they face the challenge of securing information across multiple devices and platforms. "New-generation CISOs/CIOs are facing huge security challenges due to rapid growth in the volume and variety of information across multiple devices, platforms and infrastructure, increased connectivity to third parties, as well as pressures of evolving cyber-attacks," says Anand Naik, Managing Director-Sales, India & SAARC, Symantec. Naik adds that, according to industry reports, CIOs globally are now spending more than one full day a week exclusively on IT security, at a time when organizations are already doing more with less.

There is no doubt that the usage of SoCloMo offers a number of advantages to the enterprise. However, the security of corporate data travelling through channels over which IT has no direct control robs a CIO of peace of mind. Let's take a look at how each of these technologies is changing the enterprise security landscape.
Security risks in BYOD era
Today, enterprise mobility is bringing in substantial ROI for many Indian enterprises. Web-savvy young professionals see BYOD as a perk when choosing a job, and already employed staff increasingly demand access to enterprise apps on their personal devices. Benefits such as increased employee productivity and better collaboration, coupled with this employee demand, are pressuring CIOs to open up the closed enterprise architecture. However, many CIOs are holding back from freely rolling out BYOD, considering the security threats it brings in.

Many reports show that these apprehensions are not in vain. For example, according to Symantec's Mobility Survey 2013, 72 percent of Indian businesses have faced mobility incidents in the past 12 months, causing revenue loss of 37 percent. Highlighting some of the key security threats that mobility introduces in the enterprise environment, Naik says, "The biggest nightmare associated with mobility is that the company data flows into a variety of mobile devices and applications, many of which are not built to meet enterprise standards. Supporting mobility while keeping data safe and secure is daunting and requires new approaches."

BYOD is thus clearly introducing security management issues for CIOs around access control, data protection and compliance, compelling them to rethink their security strategies. "The practice of unsecured and possibly non-compliant mobile devices easily coming inside the walls and leaving with business-sensitive information is forcing organizations to re-think how to best secure their business data," adds Srinivasa Boggaram, Team Lead PreSales - India and SAARC, McAfee India.
Security concerns with cloud computing
Another important security issue that has been changing the traditional security landscape of enterprises is the emergence of public cloud computing services, where corporate data pushed into the public cloud sits on the vendor's servers rather than the enterprise's own. This means that enterprise IT has no direct control over company-owned data beyond the legal terms in the SLAs signed with the cloud solution provider. Amit Saha, Practice Engagement Manager, Enterprise Security & Risk Management Services, Cloud, Infosys, asserts that CIOs are skeptical about public cloud services because of security concerns. Co-location of data with other cloud tenants, virtualization breaches, inability to enforce enterprise security controls, lack of visibility into security controls, and difficulty in securing applications and interfaces are some of the key concerns CIOs perceive in relation to public cloud services, he says. Owing to these concerns, Indian enterprises have largely used public cloud services only for hosting non-critical applications.

Another major security threat from cloud computing arises when an employee adopts public cloud services without consulting the IT team. Take the case of a sales manager who signs his department up for Salesforce without consulting IT or the marketing team, or who shares important launch materials with vendors via an unauthorized Dropbox account. In either case the employee has put sensitive information into the cloud without organizational oversight and has exposed the corporate data to compromise. Symantec's 'Avoiding the Hidden Costs of Cloud Survey 2013' report refers to such public cloud services and applications, which are not sanctioned by the company's IT function, as 'rogue clouds'. According to the survey, rogue clouds are present in 90 percent of Indian organizations, both enterprises and SMBs, and can cause security breaches through exposure of information, account takeover, defacement of web properties, theft of information and the like. Elaborating on the security issues that rogue clouds can lead to, Symantec's Naik says, "Many employees synchronize their devices with at least one public cloud-based service, as well as home computers. This can leave sensitive data stored in insecure locations; not to mention the risks associated with corporate e-mail being sent through personal accounts and file sharing services."
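The rogue-cloud problem described above is one an IT team can actually look for in its own web proxy logs rather than wait for a survey to report. The following is an added example, not code from the article or from Symantec: it scans proxy records for uploads (POST or PUT) to cloud services that are not on the organization's sanctioned list and flags any user whose upload volume to such a service crosses a threshold, so that many small uploads add up the way a single large one would. The log format, the sanctioned list, the service catalogue (including the hypothetical domain box.example.com) and the sample log lines are all constructed for the example; a real deployment would parse the proxy's own format and use a maintained SaaS catalogue.

```python
"""Flag unsanctioned ("rogue") cloud services in web proxy logs.

Added example for this article; not code from InformationWeek or Symantec.
The log format, the sanctioned list, the service catalogue and the sample
lines are all constructed for illustration.
"""
from collections import defaultdict

# Constructed, simplified proxy log. Fields:
#   timestamp  user  client_ip  method  host  bytes_sent_by_client
SAMPLE_LOG = """\
2013-06-03T09:12:01Z alice 10.1.2.30 GET  mail.corp.example        1200
2013-06-03T09:13:44Z alice 10.1.2.30 POST api.dropbox.com          5242880
2013-06-03T09:15:02Z alice 10.1.2.30 POST api.dropbox.com          7340032
2013-06-03T09:20:11Z bob   10.1.2.31 GET  www.dropbox.com          800
2013-06-03T09:22:30Z carol 10.1.2.32 POST na1.salesforce.com       40960
2013-06-03T09:25:09Z dave  10.1.2.33 PUT  upload.box.example.com   20971520
2013-06-03T09:26:00Z erin  10.1.2.34 POST crm.corp.example         30000
"""

# Services IT has approved (assumption): the corporate domain and one SaaS CRM.
SANCTIONED = {"corp.example", "salesforce.com"}

# Catalogue of cloud services to watch for, keyed by registrable domain.
# Constructed and partial; box.example.com is a hypothetical domain.
CLOUD_CATALOGUE = {
    "dropbox.com": "Dropbox",
    "box.example.com": "Box (hypothetical domain)",
    "salesforce.com": "Salesforce",
}

UPLOAD_METHODS = {"POST", "PUT"}
UPLOAD_THRESHOLD = 1024 * 1024  # 1 MiB per user per service in the log window


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if malformed."""
    fields = line.split()
    if len(fields) != 6:
        return None
    ts, user, client_ip, method, host, nbytes = fields
    try:
        nbytes = int(nbytes)
    except ValueError:
        return None
    return {"ts": ts, "user": user, "client_ip": client_ip,
            "method": method.upper(), "host": host.lower(), "bytes": nbytes}


def is_sanctioned(host):
    """True if host is, or is a subdomain of, a sanctioned domain."""
    return any(host == d or host.endswith("." + d) for d in SANCTIONED)


def match_service(host):
    """Return (catalogue_domain, display_name) for the longest catalogue
    suffix that matches host, so api.dropbox.com maps to dropbox.com."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in CLOUD_CATALOGUE:
            return candidate, CLOUD_CATALOGUE[candidate]
    return None


def find_rogue_cloud(log_text, threshold=UPLOAD_THRESHOLD):
    """Sum client-sent bytes per (user, service) for uploads to catalogued
    services that are not sanctioned; return findings at or above threshold,
    largest first."""
    uploads = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] not in UPLOAD_METHODS:
            continue
        if is_sanctioned(rec["host"]):
            continue
        match = match_service(rec["host"])
        if match is None:
            continue
        uploads[(rec["user"], match)] += rec["bytes"]
    findings = [
        {"user": user, "domain": domain, "service": name, "bytes": total}
        for (user, (domain, name)), total in uploads.items()
        if total >= threshold
    ]
    return sorted(findings, key=lambda f: f["bytes"], reverse=True)


if __name__ == "__main__":
    for f in find_rogue_cloud(SAMPLE_LOG):
        print(f"{f['user']:<6} {f['service']:<26} {f['domain']:<18} {f['bytes']:>10} bytes")
```

On the constructed sample, dave's 20 MiB PUT to the hypothetical Box domain and alice's two Dropbox POSTs (12 MiB in total) are flagged; bob's read-only browsing of dropbox.com and carol's use of the sanctioned Salesforce tenant are not. Matching on domain suffix rather than exact host is what catches api.dropbox.com alongside www.dropbox.com, and aggregating per user and service over a window rather than per request is what keeps a series of small uploads from slipping under the threshold.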
Social Media linked security threats
Apart from BYOD and cloud computing, social media is one of the major challenges CIOs grapple with: accessing social media platforms is one of the most frequent activities employees perform, for business and personal needs alike, and they do so from a combination of IT-assigned and personally owned devices. The key threat is that employees sometimes unknowingly share confidential data on social networking platforms, which exposes the organization to targeted attacks. "Confidential corporate information can be inadvertently made public by negligent or unaware employees on social networking sites. The availability of private information in the public domain helps cyber attackers craft targeted attacks. Spear-phishing attacks leverage such data to craft personalized e-mails that target specific individuals within the organization," says Naik.

Apart from this, if an employee clicks on a malicious link on a social networking site, his system and credentials may be compromised by malware that logs keystrokes, takes screenshots and steals information. "When an employee falls victim, he leaves the entire corporate network, and the data on it, vulnerable to exploits," states Naik. This risk becomes even more complex when one considers that many employees access social networks from personal devices, which may be less secure than corporate devices.

The root of social media-related enterprise security threats is primarily the employees' lack of awareness. Citing an example, Srinivas S Tadigadapa, Director of Enterprise Solutions Sales, Intel South Asia, explains, "An employee in his ignorance or sometimes in his enthusiasm can post something which can disclose the confidential information of the company. For example, a simple update saying 'excited about the launch of game changing X product on Y date' or 'frustrated with an issue with X product' might disclose information which is still confidential and can result in heavy losses to the organization and to the employee."
Managing SoCloMo security challenges
CIOs are fast realizing that unless SoCloMo is wrapped in the right security solutions, it opens fresh enterprise threat vectors. So CIOs are gearing up to fight the evolving cybercrime landscape by building a robust, integrated security solutions approach. Let's look at some of the security solutions that are proving relevant for enterprises in fighting the threats posed by SoCloMo.
Securing BYOD

To achieve the productivity gains of BYOD without compromising on security, enterprises should build a robust policy before rolling out BYOD. Organizations should choose an appropriate unified Mobile Device Management (MDM) solution that can administer, control and provide visibility into a variety of employee devices (multi-vendor desktops, laptops, smartphones, tablets, e-readers), diverse kinds of enterprise users (employees, contractors and visitors) and a variety of network segments (LAN, WLAN, WAN). Apart from MDM, there are many other security layers that organizations need to look at before rolling out BYOD. McAfee's Boggaram elaborates that BYOD needs to be looked at from different dimensions such as DLP, network access control, authentication systems, internal intrusion prevention systems, internal firewalls and securing Wi-Fi. "On top of all is the internal IT policy, which should be detailed and fool-proof to drive the initiative, guide effectively and prevent failure of specific tools," he adds.

Along with MDM, centralized security controls are emerging as popular solutions for enterprises to address BYOD security threats. "Centralized security controls such as secure API gateway and federation (supporting OAuth, OpenID, etc.) are today making themselves highly relevant to effectively address BYOD security threats and also integrate seamlessly with social media," says Saha of Infosys.

Apart from these solutions, an interesting concept emerging in the context of BYOD is containerization of the user-owned device into two logical partitions: one controlled by the enterprise, which the employee uses for official purposes, and the other owned by the user for personal purposes. The biggest advantage of this approach is that corporate data cannot be copied in any way into the personal container of the device. And if the device is stolen or the employee leaves the organization, the IT team can remotely wipe the enterprise-controlled container, thus ensuring the security of corporate data. An example is BlackBerry's Balance technology, which creates two logical partitions on the device: a corporate partition that the employee uses purely to access enterprise apps and do official work, and a personal partition for personal use. Only the corporate partition is controlled by IT, and the employee is free to use the

To address SoCloMo-related threats, CIOs need to focus on designing a next-generation security architecture built on top of a multifunction platform, with deep network integration
personal partition with privacy. A similar solution is being advocated by VMWare, called VMWare Horizon Workspace, which enables enterprises to securely provision and manage a corporate mobile workspace on employees’ Android smartphones, which would be in complete isolation from their personal environment.
Addressing cloud computing security risks
CIOs have been debating the data security risks associated with hosting enterprise data on a third-party server while availing cloud services. Of late, many cloud solution providers are trying to get security certifications to assure users of the security of their platforms. “Cloud providers are starting to adopt security frameworks and certifications such as ISO27001, SAS 70, PCI certification, etc.,” says Saha of Infosys. Also, enterprises themselves are trying to make the whole transaction over the public cloud as secure as possible by deploying security solutions at their end. “Enterprises are looking at means to extend typical security controls such as firewalls, IDS/IPS, anti-virus, web filtering, privileged user management, integrated logging and event correlation, etc. into the infrastructure of the cloud providers and ensure ground-up security. In addition, (federated) identity and access management platforms are being integrated with cloud providers to ensure tighter control over access, along with enterprises also integrating security controls such as data tokenization to secure sensitive data co-located even at the SaaS provider’s end,” adds Saha.
june 2013 informationweek 17
Combating social media threats
To battle social media-related threats, it is extremely important to caution employees against sharing any corporate data online and to educate them to refrain from clicking on any malicious link when they are logged into social media. McAfee’s Boggaram says that companies should provide best practices to arm employees with the tools they need to be productive and safe. He also asserts the importance of using technology that can block dangerous links and applications. “Robust solutions must be deployed to make sure that web gateway architecture protects users when they access web content and scans active elements in real time. Reporting web activity is also important to understand how organizations use the web, helping them to comply with regulations, identify trends, isolate problems, document inappropriate web activity, and tailor filtering settings to best enforce web usage policies,” he says. With evolving threats linked to SoCloMo becoming a reality amongst enterprises, CIOs also need to focus on designing a next-generation security architecture built on top of a multifunction platform, with deep network integration. CIOs need to adopt an integrated, adaptive, and collaborative security approach built into the concept of a self-defending network, which should remain active at all times. Stressing the need for a network-centric approach, Diwakar Dayal, Lead - Security Business, Cisco India and SAARC, says, “CIOs need to evaluate solutions that offer a holistic security policy, where controls can be applied securely to a device- and location-agnostic network. These controls should perform inconspicuously, minimize propagation of attacks and quickly respond to as-yet unknown attacks. These capabilities can reduce vulnerability of networks, minimize the impact of attacks, and improve overall infrastructure availability and reliability.” Echoing the same thought, Sajan Paul, Director, Systems Engineering, Juniper Networks, says, “In order to guard today’s dynamic IT environments against the new threat paradigms, organizations need to manage networking and security in an integrated fashion, which requires broad integration across all networking and security functions.” In order to counter threats posed by SoCloMo, Sundar Ram, Vice President, Technology Sales Consulting, Oracle Corporation, Asia Pacific, stresses the importance of business support for IT security initiatives. “Data security only works if it is backed by executive support. The business needs to help determine what protection levels should be attached to data stored on the cloud or accessed through personal devices or on social platforms. Often, business users are not familiar with the risks associated with data security. Beyond IT solutions, what is needed is a well-engaged and knowledgeable organization to help make security a reality,” he says. Today, SoCloMo is prevalent in enterprises across the globe and it would be absolutely impossible for CIOs to resist these emerging trends from entering their enterprise for too long. Sooner or later every enterprise will have to gear up its enterprise security architecture to accommodate SoCloMo, since the benefits that it can bring to the business far outweigh the security hassles that CIOs might be contemplating as of now. Looking at the heightened interest, security vendors, device manufacturers and even virtualization solution providers are coming out with interesting solutions that can help CIOs incorporate SoCloMo within the enterprise architecture. It is actually the right time for CIOs to look within their IT infrastructure and evaluate which solutions would enable their company to accommodate SoCloMo in the best possible way.
Amrita Premrajan
amrita.premrajan@ubm.com
Cover Story
Security awareness: How India’s leading CISOs are tackling the weakest link
Human beings are and will always remain the weakest security link. Given this fact, how do CISOs ensure that employees are always clued in to security? InformationWeek’s Jasmine Kohli spoke to India’s leading CISOs, who share their perspectives and experiences on some of the projects and measures undertaken by them to ensure a robust security culture
By Jasmine Kohli
Developing a culture for security using innovative techniques
Sameer Ratolikar, CTO, Bank of India
Generally, banks put focus on ‘technology’, ignoring the most important link of the chain — their own employees. While IT products are designed and developed for end users, unless employees are trained on the cyber security aspects of products, information security initiatives are not successful. For information security to be successful in banks, focus on people is extremely important in addition to processes and technology. To create a robust information security culture among employees, we gave an innovative name to our campaign. This was called ‘Arranging our own house first.’ This is a unique, strategically designed, multipronged employee awareness initiative to ensure that all the employees of the bank are made aware of and sensitized to the importance of information security and privacy, resulting in alignment with our business strategy of customer satisfaction, acquisition and enhancement of reputation. Being a multinational bank with a presence across more than 18 countries, we are bound by local as well as foreign regulatory and legal requirements. With this “problem statement,” we decided to develop a strategy to see that the above-mentioned goal/objective is met, which should result in the effective rollout and success of IT-enabled products for our customers. We created this innovative campaign as we had reasons to believe that the average customer and employee were not aware of the basic security policies. When ROI was calculated and analyzed, it was found that employee awareness about products and security played a crucial role in maintaining/elevating the reputation of the bank, as it made our customers happy. We also believed that customers needed to be made more aware of password-related frauds and other critical applications.
At the outset, we deployed 2-3 information security and IT officers at regional offices to take care of their information security-related issues and conduct snap risk assessments of branches. We also conducted on-the-spot awareness sessions in the branch manager’s cabin. We prepared a standard and uniform presentation of 6-7 focused slides to enable a focused approach. We also made sure that information security posters/handouts designed and printed exclusively for branch and regional offices were displayed prominently in the workplace areas — highlighting the do’s and don’ts of information security. After every training session, officers at the regional and branch level are expected to read the ‘Information Security Pledge’, which is followed by all staff members. Our other innovative approach, which is widely appreciated by DSCI, RBI auditors, Information Security Forum-UK and IDRBT, is the “Information Security Portal.” The portal acts as a single-window system for all security updates and requirements. Our bank’s security policies like the acceptable usage policy, procedures, disaster recovery process, and guidelines for our foreign branches are available online. To attract more and more employees, we have created an online quiz module and opinion poll. The winners in this category are rewarded with attractive prizes. Additionally, a message from our top management about security is available on the portal, which sets the tone for information security governance. The portal is continuously monitored and updated by a team of security managers. We have also tied up with six colleges across the country for conducting two-day training programmes on information security and privacy. Attendees are advised on the importance of branch-level security, RBI guidelines and basic business continuity practices. Periodically, the bank also conducts a cyber security week, which has proven to be extremely useful for generating awareness among employees. We have speeches on cyber crime from RBI, police department officials and industry experts. Last but not least, we have published a basic handbook on information security. The book, written by me, covers the basics of information security, which is applicable to all staff members. Security policies, procedures, the IT Act, RBI guidelines, worldwide cyber crime modus operandi, precautions while working on online banking, mobile banking etc. are covered in this book.
Today, with this strategy of “Arranging our own house first,” employees are more aware of basic security hygiene, do’s and don’ts, and password secrecy, including the importance of protecting customers’ personally identifiable information. Today, as our employees are aware of security processes and their importance, they are able to better serve our customers, understand and help them resolve their complaints. We believe that we have truly achieved a perfect integration of people, processes and technology to achieve secure banking.
Analyzing employee behavior to gauge awareness
Ashish Chandra Mishra, CISO, TESCO
We do not stop at building security awareness, but we also follow it up with employee behavior because the right awareness does not necessarily translate into the right behavior every time. The trend and number of incidents are closely monitored by us, which are good indicators of the security hygiene of the company.
Security awareness for DLP
Sesanka Pemmaraju, CISO, Hitachi Consulting
My team had explored various tools and technology available to prevent loss of confidential information and ran a DLP pilot for three months. During this trial period, we not only realized that there was a huge potential for data loss but that it was happening almost every day — albeit most of it being unintended. We started with an awareness program and gradually increased it to serious action for the violators. By the end of the trial period, we had dropped to zero incidents of data loss. Needless to say, we shared the information with our customers and prospects, and there has been unanimous approval and acknowledgement of the rich rewards this will bring to us. In fact, a few of our customers have mentioned that none of our competitors have done something like this.
Raising level of awareness through series of initiatives
Dr Onkar Nath, CISO, Central Bank of India
From an IS awareness point of view, we do a series of targeted initiatives that help in raising the overall level of security. From an information security handbook on security awareness to specific PowerPoint presentations for user awareness made available to all offices, we make sure that the user is aware of security issues and policies. We also regularly conduct awareness sessions at the data center for all levels of staff and employees of vendors. To keep ourselves updated on the latest security terminologies and processes, conscious efforts are also made to nominate staff for various security conferences and seminars. Information security posters are regularly released to generate awareness among staff and customers. Additionally, information security training is conducted at all our 12 training centers. To keep our staff aware and updated, we arrange several quiz competitions based on our information security policy. In the near future, we plan to release an e-magazine on contemporary information security events/incidents. We also plan to set up a library for our information security department.
Jasmine Kohli
jasmine.kohli@ubm.com
Cover Story
How Big Data security analytics is set to transform the security landscape
By using analytics to understand the big picture by analyzing and drawing connections between disparate sources of information, Big Data security analytics can completely transform the ecosystem of security
By Srikanth RP
Can Big Data transform the security landscape the same way as it is doing in other sectors such as healthcare, retail and education? Experts believe Big Data will have a transformative effect on security, due to the sheer volume and complexity of information that security analysts collect from a myriad of tools and event management systems. Most information security departments have to grapple with huge amounts of data collected from a variety of servers, workstations, firewalls, intrusion detection systems and anti-virus software. The findings of new American research from the Enterprise Strategy Group (ESG), sponsored by Symantec, underline the challenges that the growing volume of data poses to security researchers. More and more companies are collecting a lot more data than they did two years ago, predominantly to detect advanced threats and for security incident analysis, as well as to make sure audit and compliance targets are met. ESG data indicates that large organizations are collecting more disparate data feeds, keeping this data online for longer periods of time, and using the data for more types of security analysis and investigations. In spite of all this, internal data collection and analysis is no longer enough. “Large organizations are collecting, processing, storing, and analyzing more and more data in order to address the threat landscape and keep up with changes to the IT infrastructure. As an example, ESG found that 76 percent of enterprises collect data on user activity, 75 percent collect firewall log data, and 74 percent collect data on physical security activity within their organizations,” points out Anand Naik, Managing Director - Sales, India & SAARC, Symantec. In this ‘sea’ of data, it is extremely challenging for security professionals to weed out real threats. Current security tools are not equipped to detect and prevent sophisticated threats. “Current security solutions rely upon perimeter defense and focus largely on blocking attacks. Traditional security technologies lack the sophisticated capabilities and visibility required to detect and protect against such attacks. At best, they solve a single facet of the problem,” opines Vaidyanathan R Iyer, Business Unit Executive, Security Solutions, IBM India/SA. With the convergence of technologies like mobile, social and cloud, threats have accelerated to a different level with an exponential increase in volume and complexity. Mobile malware threats in particular have risen to a new level. “With the use of many Android devices, many malicious applications have started dwelling in the mobile phone space. This is a huge concern for organizations when they see such devices accessing the corporate network,” says Amit Nath, Country Manager, India and SAARC, Trend Micro.
This was also highlighted by security vendor, F-Secure, which recently warned that the number of mobile threats increased by nearly 50 percent during the first three months of 2013. Threats have also become more personalized and sophisticated, making their detection extremely difficult. “Each threat is more targeted than before, which means there are very few samples in the wild. This helps evade detection through the traditional fingerprinting method. These complex, multi-vector attacks present CISOs with the challenge of not only knowing what the malware is but all its characteristics, such as where did it get in from, is it still on the network, what is its objective? Finding such answers may be like looking for needles in haystacks, but in this world of compressed margins and efficiency savings it will be insight, not information that means power,” explains Naik of Symantec.
The importance of context
To prevent emerging threats, security tools have to go beyond prevention and piece together different sets of information drawn from different events. For example, today it is essential for event collection programs to go beyond firewall and IDS events, and add context. “Identifying anomalous sequences of events at all layers of the stack is not enough. Understanding anomalous activity requires an understanding of the context — the ‘who, what and why’. For example, when valuable data is in play by a user who typically does not access that data and is using an unrecognized application on a mobile device that does not have monitoring software on it and recently communicated with an external server that is known to host malware — that’s really important. But without context, it looks like a user ID is accessing a file. These contextual elements are constantly changing, and this requires a new approach for ensuring their collection,” states Srinivasa Boggaram, SE Team Lead - India, McAfee, emphasizing the importance of context in security. Big Data, hence, is both a challenge and an opportunity. Boggaram of McAfee sums this up beautifully when he says, “As security needs have evolved, so has the need for context, analytics and the time period for which data must be stored. That’s why security today is facing both a big security data challenge and opportunity. It is an opportunity if an organization can collect all this data, intelligently manage and analyze it, and leverage it for investigations. It is also a challenge as most traditional analytic tools today are unable to collect and manage all the contextual data required. The data load and the analytics pressure have grown beyond what these data management systems can handle.” Boggaram says that a traditional analytics tool can take into consideration only traditional context information, and other things like network flow, user identity, locations etc. But this is not enough to understand what is going on. “It gets compelling when we add content. What data was moving? How were applications affected? What databases were targeted? This is where we get a strong understanding of not only what is going on, but what was exfiltrated from our environment. This is a grand concept for most analytic tools, but more is expected from our environment and bringing in dynamic content. Dynamic content is the ability to understand the changing world that is the threat landscape, the changing risk posture, which encompasses an organization’s IT environment.” Big Data security analytics can be useful in providing this context, by analyzing huge volumes of network traffic, understanding the relationship between multiple events and combining this information to prevent an attack from taking place. For example, seemingly innocent actions such as sending or accessing files at unknown times and from unknown locations and devices can be used to piece together the understanding of a threat. Kartik Shahani, Country Manager, RSA India, agrees: “The integration of proven Big Data platforms and analytic methods into security tools provides a significant advancement to how security is performed. Big Data security analytics for real-time risk management will provide continuous monitoring for situational awareness, rogue assets, configuration management, and vulnerability detection, while asymmetric Big Data security analytics for risk management will be used for risk management planning, scoring, and investment decisions. Organizations can use asymmetric Big Data security analytics to develop risk scores that help them better focus resources, investments, and security priorities to where they are needed the most.” Big Data security analytics can provide CISOs with real-time security intelligence and situational awareness across all layers of the technology stack. This addresses a massive gap in the way security systems analyze threats today.
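The enrichment Boggaram describes, worked through as an added example (not code from the article or from McAfee, RSA or any other vendor named in it): a bare file-access event is scored against constructed context feeds, so the same "user ID is accessing a file" event separates into routine, suspicious and high-risk cases. The point values, severity thresholds, the 24-hour look-back window and all sample data are this example's own assumptions.

```python
"""Context-enriched scoring of a file-access event (added example).

Without context the event is just 'user X opened file Y'; with the
who/what/why context the article calls for, the same event can be
separated into routine, suspicious and high-risk cases.
All feeds, point values and thresholds below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed context feeds (hypothetical, not from any real environment).
USER_BASELINE: Dict[str, Set[str]] = {      # files each user normally touches
    "alice": {"/finance/q2-forecast.xlsx", "/finance/budget.xlsx"},
    "bob": {"/eng/design.docx"},
}
DEVICE_MONITORED: Dict[str, bool] = {       # does the device run a monitoring agent?
    "LAPTOP-001": True,
    "PHONE-017": False,
}
KNOWN_APPS: Set[str] = {"excel.exe", "winword.exe", "chrome.exe"}
MALWARE_HOSTS: Set[str] = {"203.0.113.45"}  # constructed, documentation address range
SENSITIVE_PREFIXES: Set[str] = {"/finance/"}


@dataclass
class Flow:
    """One network-flow record: which device talked to which address, when."""
    device: str
    dst_ip: str
    ts: datetime


@dataclass
class FileAccess:
    """The raw event as a file server would log it, before enrichment."""
    user: str
    path: str
    device: str
    app: str
    ts: datetime


@dataclass
class Verdict:
    score: int = 0
    reasons: List[str] = field(default_factory=list)

    def add(self, points: int, why: str) -> None:
        self.score += points
        self.reasons.append(why)


def score_access(ev: FileAccess, flows: List[Flow],
                 window: timedelta = timedelta(hours=24)) -> Verdict:
    """Answer the 'who, what and why' for one event.

    Each contextual signal that is anomalous or missing adds points and a
    human-readable reason, so the analyst sees why the score was reached.
    """
    v = Verdict()
    if any(ev.path.startswith(p) for p in SENSITIVE_PREFIXES):
        v.add(1, "sensitive data in play")
    if ev.path not in USER_BASELINE.get(ev.user, set()):
        v.add(2, "user does not normally access this file")
    if ev.app not in KNOWN_APPS:
        v.add(2, "unrecognised application: " + ev.app)
    if not DEVICE_MONITORED.get(ev.device, False):
        v.add(2, "device has no monitoring software")
    # Did this device talk to a known malware host within the look-back window?
    bad_flows = [f for f in flows
                 if f.device == ev.device and f.dst_ip in MALWARE_HOSTS
                 and ev.ts - window <= f.ts <= ev.ts]
    if bad_flows:
        v.add(3, "device recently contacted known malware host " + bad_flows[0].dst_ip)
    return v


def severity(v: Verdict) -> str:
    """Map a score to an analyst-queue tier (thresholds are assumed)."""
    if v.score >= 7:
        return "high"
    if v.score >= 3:
        return "medium"
    return "low"


def triage(events: List[FileAccess], flows: List[Flow]) -> List[Tuple[str, str, str]]:
    """Return (user, path, severity) for each event, ready for a queue."""
    return [(ev.user, ev.path, severity(score_access(ev, flows))) for ev in events]


# Constructed sample data: three accesses that look identical without context.
T0 = datetime(2013, 6, 3, 22, 15)
SAMPLE_FLOWS = [
    Flow("PHONE-017", "203.0.113.45", T0 - timedelta(hours=2)),   # to malware host
    Flow("LAPTOP-001", "198.51.100.7", T0 - timedelta(hours=1)),  # benign
]
SAMPLE_EVENTS = [
    FileAccess("alice", "/finance/q2-forecast.xlsx", "LAPTOP-001", "excel.exe", T0),
    FileAccess("alice", "/finance/budget.xlsx", "PHONE-017", "chrome.exe", T0),
    FileAccess("bob", "/finance/q2-forecast.xlsx", "PHONE-017", "sync-helper", T0),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        v = score_access(ev, SAMPLE_FLOWS)
        print(f"{ev.user} -> {ev.path}: {severity(v)} ({v.score}) "
              + "; ".join(v.reasons))
```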
The opportunity in Big Data Security Analytics
Understanding the immense opportunity in Big Data security analytics, almost every vendor has launched a specific offering. IBM, for instance, launched a broad set of security software last year to help holistically secure data, and is among the first to offer data security solutions for Hadoop and other Big Data environments. Additionally, IBM InfoSphere Guardium provides real-time monitoring and automated compliance reporting for Hadoop-based systems such as InfoSphere BigInsights and Cloudera. With federated controls across data sources, clients can understand data and application access patterns, help prevent data leakage and enforce data change controls. Built-in audit reporting can be used to generate compliance reports on a scheduled basis, distribute them to oversight teams for electronic sign-offs and escalation, and document the results of remediation activities. Organizations can also automate the detection of vulnerabilities and suggest prioritized remedial actions across heterogeneous infrastructures. In addition, IBM offers data masking to de-identify sensitive data as it moves into and out of Big Data systems. RSA’s Security Analytics platform leverages Big Data platforms and advanced analytic methods capable of identifying high-risk activities, mitigating advanced threats and meeting compliance objectives. Similarly, Symantec’s Data Insight provides intelligence into ownership and usage of unstructured data, including files such as documents, presentations, spreadsheets and e-mails. The tool has the ability to track hundreds of TBs of data with millions of files/folders and billions of access events generated by high workloads. Understanding the importance of creating user awareness, vendors like McAfee are organizing more awareness campaigns and actively participating in industry forums.
Can India be a Big Data security analytics hub?
With a huge reservoir of talent and proven expertise in outsourcing, India has the potential to become a Big Data security analytics hub by offering outsourced security analytics services. “India’s IT expertise and talent pool is one of the key reasons Symantec has such a large pool of talent. In fact, we have a Security Operations Center in Chennai, which offers real-time, comprehensive protection from known and emerging threats, enabling businesses and governments to minimize risk and strengthen their security posture,” states Naik of Symantec. Big Data security analysts are hard to find and hence there is huge potential for outsourced services. “Knowledge-based services of this nature come through experience, and there are only a few vendors who would be able to provide this through managed services. The resources with expertise are limited and therefore are difficult to find, expensive to maintain and difficult to retain by individual organizations,” states Shahani of RSA. Indian IT vendors are naturally keen to offer this as a service. “There is an increased interest by IT services customers to offer this as a service to their clients,” says Jagdish Mahapatra, Managing Director, McAfee India & SAARC.
Leveraging Big Data as an asset for security
Done correctly, Big Data platforms can give CISOs more visibility across thousands of scattered devices and networks. Using advanced algorithms, CISOs can better recognize behavioral anomalies that are cleverly hidden among hundreds of tasks that seem normal. They can also be used to identify fraudulent patterns or traits that are common to some parts of the business. These insights can transform the way the security landscape functions today — from reactive to proactive.
Srikanth RP
srikanth.rp@ubm.com
CISO Profile
A peek into the personality of a CISO
Leading Indian CISOs from across industry verticals reveal their personal sides and discuss their most challenging security initiatives, strategies they adopt for countering evolving threats and security projects in the pipeline
Sameer Ratolikar, CTO, Bank of India
Career Track
How long at the current company? I have over 20 years of experience in IT and information security. I have been working with Bank of India since October 2007.
Vision
Advice for future CISOs: Be a proactive risk manager and business enabler. Have clear visibility over global threats and a firm grip over technology.
On The Job
How have you contributed to the IS posture of your company? (Security policies, frameworks, compliances) I am a firm believer that the success of information security lies in the integration of people, processes and technology, facilitated by information security strategies, governance and robust security architecture. My role at Bank of India has been focused on developing and implementing up-to-date security policies based on the business model and threats. Some of the security projects implemented by me include 2FA, data leakage prevention, Identity & Access Management, GRC, SOC, and business continuity across major business units of the bank. I was also involved in achieving ISO 27001, PCI-DSS and BS25999 certifications for the bank.
Which is the most challenging IT security initiative taken by you? What were the challenges and the learning from the deployment? I have undertaken many challenging IT initiatives for the bank. But one that comes to my mind is financial inclusion, where business correspondents, who may not be your employees, access core banking through handheld devices. Here, identification, authentication and KYC are a great challenge. However, thanks to our processes and monitoring mechanism, the project turned out to be very successful and resulted in good revenue generation for the bank.
What security initiatives have you lined up for this year? Security initiatives lined up for this year include GRC, enterprise mobility security and identity management.
Please share your strategies for countering the emerging/evolving threat environment.
- Continual focus on spreading information security awareness
- Ensuring policies and procedures are current and evolved based on threats and the business model
- Making sure proper security technologies are deployed in a defence-in-depth mode
Personal
Leisure activities: Playing with my daughters, playing cricket and badminton, and trying different cuisines.
Best book read recently: Breakout Nations by Ruchir Sharma and Complete Works of Swami Vivekananda by Advaita Ashrama.
If I weren’t a CISO, I’d be… A doctor
Manish Dave
Group CISO, Essar Group

Career Track

How long at the current company?
I joined Essar Group in February 2010 as Head of IT Security and was instrumental in the complete makeover of the group’s security posture, which encouraged the leadership to elevate me to the strategic role of CISO. I have over 22 years of IT experience, including 11-plus years in the information security domain. Prior to this, I have worked with Indian and MNC giants like Larsen & Toubro and ABB Limited.

Most important career influencer
In early 2000, information security was at a very nascent stage in India. When I was entrusted with BS7799 implementation, it didn’t seem very exciting to me initially as I came from a core technical background. However, gradually I developed a liking for information security. Later, an appreciation mail from APJ Abdul Kalam on undertaking the first ISO 27001 implementation in India marked an affirmative stamp on my conviction to pursue information security as a career.

Decision I wish I could do over
If I had my way, I would’ve spent at least a couple of years of my career on the shop floor or handling core business functions. I feel that to understand business requirements, you need to be a part of the process. All security frameworks demand that information security strategy should be aligned with business strategy. Over years of interactions with business and involvement in business-IT integration, there is a feeling of comfort, but I wish I could do full justice to this statement.

Vision

Advice for future CISOs
- We tend to say ‘no’ to every business demand that crosses paths with infosec policies (and rightfully so). If we say ‘YES’ by giving a secured alternative, we have done justice to our role.
- Cost of control should not be more than the cost of the information asset.

On The Job

How have you contributed to the IS posture of your company? (Security Policies, frameworks, compliances)
Although the business did not demand compliance to any standard, I mapped the existing controls to a combination of COBIT, ITIL and ISO 27001. I did a gap assessment internally and created a roadmap for three years based on the findings. Today, we are following the same to the dot. So far it has turned out to be in line with the business needs. I have also defined security policies for the group, taking the business inputs along. Essar has been an early adopter for controls like DLP, desktop virtualization, WAN encryption and BYOD due to the hard work of teams that have contributed in analyzing the use and abuse case studies, Proof of Concepts and identifying risks beforehand.

Which is the most challenging IT security initiative taken by you? What were the challenges and the learning from the deployment?
The desktop virtualization initiative has been the most challenging security initiative, as it is not just about a technology project deployment, but also about managing employee resistance to change. Initial resistance and challenges with migration of some applications took quite a while to resolve. Giving options of SHD, VDI etc. also had its virtues/vices and delays. Today, looking at the substantial performance difference, users themselves are willing to migrate to virtual instances. Co-operation from business CIOs, CEOs and other core functions helped in a great way to achieve this mammoth task.

What security initiatives have you lined up for this year?
Some security initiatives in the pipeline for this year are application firewall, bot and malware detection, defining sub-zones for DMZ, log analysis and monitoring etc. Plugging business-specific security threats is a priority.

Please share your strategies for countering the emerging/evolving threat environment.
The threat landscape is changing every day. It would not be wise to feel that one is ready for all the new threats. Keeping abreast of the newer risks, technology and solutions; conducting periodic assessments; and plugging the gaps on a continuous basis is the best one can do.

Personal

Leisure activities: I am fond of reading political thrillers. In my spare time, I also watch TV programs that deal with human behavioral aspects. I like to travel and wish to visit the seven wonders of the world.
Best book read recently: The Last Man by Vince Flynn
Unknown talents (singing, painting etc.): More of a bathroom singer, so can’t be termed as ‘talent’!
If I weren’t a CISO, I’d be… Damned!!
june 2013 i n f o r m at i o n w e e k 27
CISO Profile

Ashish Chandra Mishra
CISO, Tesco HSC

Career Track

How long at the current company?
I have been working with Tesco HSC for the last three years.

Most important career influencer
I have been fortunate to have worked with many great people including my bosses, mentors and managers, who have greatly inspired me.

Decision I wish I could do over
I don’t think I would do over any decision, as every decision has enriched my career and life in general.

Vision

The next big thing for my industry will be...
Personalization of customer experience through analytics and use of technology such as mobility in bringing the stores closer to customers.

Advice for future CISOs
CISOs should talk security in business language to overcome the biggest challenge that they face — securing management commitment and justifying return on security investment.

On The Job

How have you contributed to the IS posture of your company? (Security Policies, frameworks, compliances)
My function at Tesco is primarily responsible for information security governance and business continuity oversight, among other things. One of the fundamental changes we have been able to bring at Tesco is to position information security as an enabler and management function rather than within another department such as IT. This has not only given us the much needed independence that is necessary for security governance but has also helped us bring about a paradigm shift in the security culture of the company. We do not stop at building security awareness, but we also follow it up with employee behaviour. The trend and number of incidents are closely monitored by us, which are good indicators of the security hygiene of the company. As for compliance management, we have undertaken a comprehensive view of the information security posture in aligning our policies and procedures not only to the global data protection requirements but also to local regulations, such as the IT Act 2008, etc. We have established an extensive risk management and compliance framework, which covers all the risk aspects of information security, business continuity, safety, physical and environmental security, etc.

Which is the most challenging IT security initiative taken by you? What were the challenges and the learning from the deployment?
We implemented Data Leakage Prevention (DLP) technology recently. Since this was a very large project, spanning multiple business units with different business requirements across various geographies, there were a number of technical challenges faced during the project duration. However, the biggest challenge was to ensure that the business teams understood the usability of the tool and therefore provided the necessary information for data flow analysis. The key highlight of this project was that the implementation was done by a joint business and IT security team, so the tool truly became by the business, for the business. The project has helped in better understanding and utilizing the capabilities of the tool in the way that it really helps the business, rather than handing down an IT implementation of the tool, which becomes underutilized due to lack of business relevance.

What security initiatives have you lined up for this year?
One of the major initiatives planned for this year involves establishment of our new Security Operations Centre at HSC. This will include providing a host of essential detective and preventive IT security services to the Tesco Group.

Please share your strategies for countering the emerging/evolving threat environment.
Keep ourselves updated on the ever-changing threat environment, which makes our job very tough and similar to scoring or saving goals against moving targets. Also, we try to leverage the immense knowledge already existing in the community of security professionals. The threat may present itself in one environment the first time, but chances are someone else would have also experienced the threat, who can help you with the lessons learnt.

Personal

Leisure activities: Adventure sports, off-roading with friends.
Best book read recently: Inside Indian T20 by Ravi Ramu.
Unknown talents (singing, painting etc.): Writing short stories.
If I weren’t a CISO, I’d be… An author.
www.informationweek.in
Colonel (Retd) AK Anand
VP & CISO, NIIT Technologies

Career Track

How long at the current company?
I have been working with NIIT Technologies for the past six and a half years.

Most important career influencer
Disaster Management Expert, Arjun Katoch, has been the biggest influencer in my career.

Vision

The next big thing for my industry will be...
Cloud and mobile device security, and Advanced Persistent Threats will be the next big thing for my industry.

Advice for future CISOs
- Keep yourself up to date.
- Keep it simple, sans the jargon, for the employees.
- Involve the employees in your initiatives — they will carry it home for you.
- Be approachable and available.

On The Job

How have you contributed to the IS posture of your company? (Security Policies, frameworks, compliances)
The underpinning belief in my organization is that people are the biggest factor in the success or failure of information security in an enterprise. Therefore, the focus of my IS Team has always been to address this target group, more than the technical initiatives. The team believes that “Business” is the driving force of all our initiatives, and all IS decisions are based on the premise that the business has to be facilitated to deliver within the confines of good security practices. Some of the initiatives that have contributed to a mature IS posture in NIIT Technologies are:
- Creation of dashboards for management reporting — enables status reporting of IS initiatives and implementations. It includes BC & DR dashboard, incident management dashboard, internal and external audit dashboard, fire drill dashboard, IS test dashboard.
- Drafting framework for data privacy audits.
- Formulating policy for Free and Open Source Software (FOSS) and guidelines for usage.
- Holding role-based information security test for all stakeholders annually.
- Providing information security tips and bulletin.

Which is the most challenging IT security initiative taken by you? What were the challenges and the learning from the deployment?
The deployment and implementation of a Free and Open Source Software Governance Tool was a challenging initiative that we undertook last year. Some of the challenges we faced while implementing the project were related to comprehending the complicated Open Source license structure. We also faced challenges in understanding legal implications of open source violations and comprehending the audit output/reports. Post deployment of the initiative, there is better understanding of the Open Source community and open source usage within the organization. The project has resulted in enhanced compliance and reduced risk in support and maintenance projects, where applications on-boarded for support from clients contained open source violations, which could be attributed to the organization.

What security initiatives have you lined up for this year?
Security initiatives lined up for this year include:
- Automation of internal audit and reporting.
- Dashboard reporting to senior management and board.
- Software asset management.
- Deploying Windows encryption on all laptops and desktops.
- Table top business continuity exercises for all locations.
- Free and Open Source audits.

Please share your strategies for countering the emerging/evolving threat environment.
To counter the evolving threat environment we keep abreast of the emerging/evolving threat landscape and interact with peer groups for knowledge exchange. Apart from this, we educate the management and staff on the threat scenarios and work towards continual improvement and enhancement in the security posture.

Personal

Leisure activities: Reading, Golf.
Best book read recently: Good to Great by Jim Collins.
Unknown talents (singing, painting etc.): Pencil sketching and cooking.
If I weren’t a CISO, I’d be… Still in uniform in the Indian Army.
Sesanka Pemmaraju
CISO, Hitachi Consulting Software Services India

Career Track

How long at the current company?
I have been working with Hitachi Consulting for the last five years.

Most important career influencer
My EVP, Sanjay Jesrani, who told me twelve years ago, “You cannot be a leader, and ask others to follow you, unless you know how to follow too,” has been the most important career influencer.

Decision I wish I could do over
After working with Hitachi Consulting for five years, I took a break from the company as I was a bit anxious about my career growth at that time. I should have waited for the changes needed to effect the necessary improvements that later opened avenues of opportunities. In retrospect, that wasn’t the best move for me, though the experience was a valuable lesson and helped me become a more effective manager. As a corrective measure, I have joined back the company and completed my second tenure of five years recently.

Vision

The next big thing for my industry will be...
The next big thing in the IT industry would be network speed. Faster speeds promise to bring about a new era of Internet technologies we haven’t even considered yet, just as none of us with a 56k modem could have ever imagined a day when we could watch YouTube on our phones. Google’s new fiberoptic network can provide download speeds of up to 1 gigabit per second, about 200 times faster than the average Internet connection in the U.S. Most carriers are upgrading their networks to super-fast 4G-LTE technologies, and some are beginning to explore even faster LTE-Advanced networks.

Advice for future CISOs
Watch out friends, we are in the information explosion era!

On The Job

Which is the most challenging IT security initiative taken by you? What were the challenges and the learning from the deployment?
Implementing a Data Loss Prevention Tool is the most challenging initiative taken by me. One of the key business service offerings for Hitachi Consulting India is the outsourced product development work we carry out for our ISV customers. With an increasing variety of storage devices (USB, external HD, SD, mini-SD) and online storage (Dropbox, FreeDrive, Google Drive, Google Mail), there was an increasing concern among businesses and customers about preventing the loss of important IP and data. To resolve this issue, my team explored various tools and technology available to prevent loss of confidential information and ran a DLP pilot for three months. During this trial period, we not only realized that there was a huge potential for data loss but also that it was happening almost every day — albeit most of it being unintended. We started with an awareness program and gradually increased it to serious action for the violators. By the end of the trial period, we had dropped to zero incidents of data loss. The major challenge that we came across was from the user community. Most of the employees were resistant initially to have the DLP agent running as they knew that every packet that goes out of their official PC is going to be monitored. But during the awareness sessions, we educated them that only company and customer confidential data will be identified through certain rules written in the DLP console.

What security initiatives have you lined up for this year?
Security incidents lined up for this year include:
- Acquiring HDD and tape degaussing equipment to ensure the data residing on archived HDDs and tapes is wiped out completely before the tapes are disposed of.
- Expanding ISO 27001 certification scope to cover new development centers in India.
- Implementing Mobile Device Management tools to mitigate risks involved in BYOD.

Please share your strategies for countering the emerging/evolving threat environment.
Some of the strategies to counter the evolving threat environment include:
- Implementing an MDM tool to avoid threats and risks that arise due to allowing personal devices in the corporate environment.
- Extending coverage of the DLP tool to protect data being copied from network shares and file servers.

Personal

Leisure activities: Going out with my wife and kids to a summer resort rejuvenates my energy levels.
Best book read recently: Reverse Innovation by Vijay Govindarajan
If I weren’t a CISO, I’d be… A musician, as I love playing keyboard, which I am still trying to learn.
Dr. Onkar Nath
CISO, Central Bank of India

Career Track

How long at the current company?
I have been working with the Central Bank of India for the last 30 years. I have experience of approximately 10 years in banking management, 16 years in information technology and four years in Information Security. In the field of IT, I started my career as a Systems Analyst with Central Bank of India. After that, I worked as Core Faculty and IT-Head at SPBT College, Mumbai, India and was in charge of the Disaster Recovery Centre. Currently, I hold the position of Chief Information Security Officer.

Vision

The next big thing for my industry will be...
Focus in the areas of fraud risk management and data leakage prevention will be the next big thing for my industry.

Advice for future CISOs
Think of business benefits rather than compliance.

On The Job

How have you contributed to the IS posture of your company? (Security Policies, frameworks, compliances)
To improve the IS posture within the bank, I was given the responsibility to establish an information security department. The department was completed in May 2011, for which L1, L2 and L3 documents were developed as per ISO 27001 standards. Further, an Information Security Framework was developed and we initiated the process of ISO 27001 certification. As a part of the project, the BS 25999 implementation process was also initiated and completed with BS 25999 certification from BSI. Most of the IT activities were made process dependent. Also, a robust change management process was put in place.

Which is the most challenging IT security initiative taken by you? What were the challenges and the learning from the deployment?
The most challenging project taken by me was ISO 27001 Certification for DC/DRC for Central Bank of India. The certification was awarded by STQC and it was the first time that any bank in India received a certificate from STQC, Govt. of India. I was also involved in the implementation of the BS 25999 BCMS Certification standard for DC/DRC of the bank in a noticeable period of four months by BSI, as compared to the stipulated period of 10 months. I also undertook the project of developing an IT Balanced Score Card for the IT department, which was developed and implemented without the support of vendors.

What security initiatives have you lined up for this year?
Security initiatives lined up for this year include:
- Data Leakage Prevention
- Fraud Risk Management
- Database Activity Monitoring
- Setting up an Intranet portal for information security
- Release of eCapsule magazine for internal use.

Please share your strategies for countering the emerging/evolving threat environment.
Securing information through generating awareness.

Personal

Leisure activities: Visiting religious places.
Best book read recently: Shiv Puran.
Unknown talents (singing, painting etc.): Writing stories, fiction, poetry.
If I weren’t a CISO, I’d be… An astronomer
N D Kundu
Assistant General Manager (IT Projects & Security), Bank of Baroda

Career Track

How long at the current company?
I have been working with Bank of Baroda since 1976.

Most important career influencer
K J Ghadiali, who inspired me to join IT in 1989, and Mrs. Hoskote, who motivated me to join the CISA course, have been instrumental in shaping my career.

Vision

The next big thing for my industry will be...
Utilizing Big Data, cloud and social media to explore new business areas for the financial sector in India will be the next big thing for the industry.

Advice for future CISOs
CISOs should understand technology but be more inclined to business. They should work in co-ordination with respective business heads and the CTO and influence the organization to set achievable business goals with respect to security implementation.

On The Job

How have you contributed to the IS posture of your company? (Security Policies, frameworks, compliances)
Our focus at the Bank of Baroda has been on risk assessment and management. For ensuring a mature IS posture in the bank, I have been involved in the framing of security policy, and review of the same along with underlying procedures, guidelines and processes. I have also undertaken security projects, such as achieving ISO 27001 compliance and implementing endpoint DLP, P-Synch, 2FA and FRMS for the bank. With a focus on increasing security awareness among employees, we have been organizing various training sessions on a regular basis for end users to create the right environment of security. Apart from this, we have been undertaking comprehensive IS audits for all infrastructure and applications, including quarterly Vulnerability Assessment and Penetration Testing (VAPT) for all web-based applications.

Which is the most challenging IT security initiative taken by you? What were the challenges and the learning from the deployment?
Implementation of identity and access management for privileged and application users was quite challenging. It is a continuous process and all business units in the bank have contributed in making the project a success.

What security initiatives have you lined up for this year?
Security initiatives planned for this year include complete implementation of security operation centres with log analysis and correlations, database access monitoring, achieving PCI-DSS compliance and certification under business continuity management (ISO 22301).

Please share your strategies for countering the emerging/evolving threat environment.
To counter emerging threats, I focus on studying the recent threat perception, including APTs and other vulnerabilities, and taking appropriate action for implementing more in the alternate delivery channels.

Personal

Leisure activities: Reading, pleasure travelling and supporting educational activities.
Best book read recently: I am another You by Priya Kumar.
Unknown talents (singing, painting etc.): Origami.
If I weren’t a CISO, I’d be… A CTO.
Burgess Cooper
CTSO, Vodafone India

Career Track

How long at the current company?
I have been working with Vodafone India for the last six years. As VP & Chief Technology Security Officer, my responsibility is to ensure information security and compliance across all 23 circles in India. Prior to this, I was responsible for IT security for HSBC India (HSBC Bank as well as the HSBC Software Development Company in Pune).

Most important career influencer
Getting into Internet banking security in 2002.

Vision

The next big thing for my industry will be...
Usage of Unified Security Intelligence across various technology and business process components will be the next big thing for my industry.

Advice for future CISOs
Being a CISO is a long and exciting journey, wherein one needs to reach beyond his expertise and successfully collaborate with other business and technology functions to enable security to play the role of a brand differentiator.

On The Job

How have you contributed to the IS posture of your company? (Security Policies, frameworks, compliances)
To improve information security posture, I follow a multi-domain, multi-level, defense in depth approach, which gets regularly reviewed by several internal and external auditing agencies. I also focus on benchmarking with prestigious security certifications like PCI DSS, ISO 27001, ITIL, etc.

Personal

Leisure activities: When not implementing Infosec controls, I am involved in adventure sports like scuba diving, kayaking, trekking or mountain biking in the Himalayan Mountains.
Best book read recently: Execution - The discipline of getting things done by Larry Bossidy & Ram Charan.
Unknown talents (singing, painting etc.): Motor biking and martial arts. (In fact, Burgess Cooper holds the Limca Book of Records entry for motor biking across four of the world’s highest passes (at heights greater than 18,000 feet) on the Indo-China/Pakistan border non-stop for 24 hours. He is also a Black Belt (Shodan) in Karate-Do martial arts.)
If I weren’t a CISO, I’d be… An adventure sports instructor.

As told to Jasmine Kohli
Interview
Dell Global CIO on how IT must adapt as business priorities change

As Dell has made the transition from a traditional PC supplier to an end-to-end solutions firm, the role of its CIO too has changed. Srikanth RP had the privilege of meeting Adriana Karaboutis, Global CIO, Dell, who shares some fascinating insights into how IT must adapt as business priorities change.

What is your biggest challenge as a CIO?
The biggest challenge as a Dell CIO is you don’t have the luxury of time — you have a CEO who has acquired 18 companies in the last 30 or so months, and you need to integrate all of that. You have to determine how to be agile, how to be fast, and how to integrate all of those acquisitions quickly so that we can hit the ground running.

Your view on the impact on internal IT as Dell transformed itself from a PC supplier to a services-led organization.
We have always been a top supply chain company, and have world class systems that know how to design, fulfill and sell. For example, when we sell hardware, we can assign an SKU or an asset tag to the product. But, when you sell software or solutions, it requires digital fulfillment capabilities. You require subscription billing and software-as-a-service capabilities. These are new things that the IT department needs to develop and drive.

During this transformation, what were the big challenges for the IT function?
The big challenge is prioritizing the right things. As you are continuing, you cannot stop running the business; you cannot stop having operational excellence. We had a good north star vision of where we wanted to go and then carved the roadmap and the road to get to that north star. Having that plan and vision of alignment with the business kind of ensures success. One of the biggest challenges was in our software and services business. In our software business, it was the launch, and we had to assess whether we start from scratch and build the capabilities, whether we take our hardware base and modify, or whether we actually start with the base that one of the acquisitions had, and that’s actually what we did.

You also have an extremely innovative initiative called reverse mentoring where interns advise the company. Can you tell us more about this?
Reverse mentoring is a concept I picked up when I was in the auto industry, and evolved it myself. When you are trying to innovate, a lot of ideas come from the Gen Y coming in as interns. So, we look at them to do some reverse mentoring of our systems. For us, interns often offer a fresh perspective.

Can you give us some examples where the reverse mentoring process has helped you take a relook at existing processes?
One innovation that has come out of this initiative is our mergers and acquisitions playbook, which has changed a lot with the tremendous amount of new capabilities suggested. Interns have also contributed to improvements to the helpdesk. They could take one look at our incident tickets and say what is the problem and bring in improvements to the whole process. As an organization, you have to be smart enough to look for that fresh thinking.

You also use Salesforce Chatter internally to gauge user satisfaction. How does this help your IT team?
While your system management tools may show that the systems are up 99.999 percent, you may actually find employees complaining on the internal social collaboration platform, Chatter, saying that the system is slow. Both are equally important. The clinical data may come from the trouble tickets being raised, while the pathological data is what my customers are writing about me. So, while my trouble tickets may say that the systems are in good shape, the customers may be writing on our social networking platform that the system is slow. The pathological data is critical for being a successful CIO. We have automated this aspect, so that we clearly know the systems or apps being affected.

Srikanth RP
srikanth.rp@ubm.com
Interview
Facebook CSO Joe Sullivan on protecting a billion people from spam, malware and hackers Given the scale at which it operates, Facebook has an extremely challenging task to maintain security and privacy of its users. InformationWeek’s Srikanth RP spoke to Joe Sullivan, Chief Security Officer, Facebook, who shares his candid views on his biggest threats as a CSO, the common mistakes that people do on Facebook that lead to their accounts getting compromised, and how Facebook is relying on innovative approaches like crowdsourcing and sophisticated algorithms to weed out fake spam accounts and malware
I
t is said that if Facebook was a country, it would be the world’s third largest country in the world. Consider some more facts: Facebook has 1.11 billion users. 665 million users visit the site on a daily basis. Developers have created more than 10 million apps on Facebook; a mammoth 4.75 billion items are shared daily by users. Joe Sullivan, Chief Security Officer, Facebook shares how the social networking giant carries out the challenging task of maintaining the security and privacy of its users. Some edited excerpts: As one of the world’s most visited websites, what are the biggest threats for you as a CSO? Facebook has always been about trust, and when people log onto the site they need to feel secure throughout their experience. If users have a bad experience, they are much less likely to use the site or meaningfully engage. As such, security must be a priority and we need to invest heavily
36
informationweek june 2013
to provide the most trustworthy and secure experience possible. One of the threats that worries me the most is the risk of a compromised account that can hijack the implicit trust of any person’s network. No matter whether it’s a high-profile individual, major corporation or simply a person who shares family photos, whenever someone loses access to his account, everyone on that person’s network becomes aware of that fact. This undoubtedly undermines trust in the service. This is why we have built both self-service remediation tools like www.facebook. com/hacked and have hundreds of people across the company who work on security. Can you give us a brief overview of the volume and complexity of threats you handle everyday at Facebook? One metric that illustrates our scale, while it dates from 2011, is the fact that six hundred thousand times a day, someone tries to log into accounts using stolen credentials, but we catch these attempts and block
them. However, we try to expect and anticipate every possible attack on any given day. Due to our size, we face the same threats as seen everywhere else on the web, but we have developed partnerships, backend systems, and protocols to confront the full range of security challenges we face. How have threats changed over the years, and how has Facebook responded to these threats? We are constantly seeing the threatscape change and adapt to our security efforts. For example, during 2011 and through part of 2012, there were a number of Self-XSS spam circulating on the site where users would be tricked into copying and pasting Javascript into their browsers, which would cause spam to spread on their page. However, after we made several improvements to our internal systems and browser vendors instituted changes to their default configurations these threats have faded from the site,
but now malicious browser extensions, which were absent a couple of years ago, are becoming an emerging threat.

In your view, what are some of the most common mistakes users make on Facebook that lead to their accounts being compromised?

Never ever enter your password unless you are on the Facebook login page and have validated the URL in the address bar. Users all too often enter their password into a phishing site, e-mail or scam, which nullifies many of our security protocols since it's harder to distinguish the account holder from a scammer if the scammer has the correct password. Never copy and paste code or scripts you do not understand, whether it's Self-XSS or access token stealing; all too often we see people executing malicious code or sending hackers secret tokens simply because they believe that they can access special features or win a prize without understanding what they're doing to their account. As a good rule of thumb, if it seems too good to be true, it probably is. Never use the same password for more than one site. One of the first things a hacker tries when he has someone's password from another site is to try these credentials on Facebook, as we have over 1 billion users and many people reuse their password. If you're reusing a password across multiple sites, you are as vulnerable as the weakest site's security. Don't fall victim and be sure to use strong unique passwords for every site.

How much does Facebook rely on algorithms to weed out fake spam accounts or malware? How successful are algorithms? Where do algorithms stop and where do humans come in?

We encourage people to report anyone they think is doing this, either through the report links we provide on the site or through the contact forms in our help center.
We process these reports through our User Operations Team, and this information helps inform our site integrity systems. These technical systems also flag and block potential fake accounts based on name and anomalous site activity. These technical systems parallel the work of our dedicated user operations team, investigating reports and taking action as necessary. We will take varying responses on accounts depending on our level of suspicion. This can span from Social Captcha, to asking for a phone number, to finally asking for a government ID. We use a combination of machine learning and anomaly detection to identify fake accounts. We can train new classifiers in hours and push new rules in minutes. This self-iterating automated infrastructure uses hundreds of features to classify accounts, content and activity with varying levels of confidence. We then use these statistics to present challenges to these users if we believe they may be suspicious. Our site integrity infrastructure combines information from across all involved areas to analyze both short and long-term reputations, combine disparate information into one place, and review known malicious feature sets (for example, posting a malicious URL to a stranger). Facebook's SI infrastructure is robust enough to provide multiple functions, including storage of SI data, detection, monitoring, alerting, investigation, ML classifiers, training pipeline, and real-time filtering. Beyond these short term measures, our long-term goal is to continually increase the difficulty in creating inauthentic accounts that are used for abusive purposes, infecting people with malware, and compromising user accounts.

Can you give us some examples where you have successfully taken down hackers or cybercriminals, such as the group behind the Koobface worm?
Late last year the FBI announced the arrests of 10 individuals located throughout Eastern Europe, South America, New Zealand, the UK and US linked to the Yahos malware and the Butterfly botnet that infected more than 11 million computer systems and accounted for USD 850 million worldwide. While we had visibility on only a fraction of those 11 million systems, we were able to provide assistance to law enforcement to help identify the malware, and those responsible. From 2010 to October 2012, our security systems were detecting and remediating affected accounts, which gave us invaluable insights into the root cause that we were able to later share with the FBI.

How do you see the role of crowdsourcing in enhancing security? How effective is an initiative like the Facebook Bug Bounty program?

We launched the Bug Bounty program with the goal of finding people around the world who can help improve Facebook's security. We are glad that there are people in the community who participate in these programs and contribute to everyone's security. No matter the calibre and number of people we hire here at Facebook Security to help secure our product, we are constantly aware of the fact that there will always be more people out in the community who will be poking at our system anyway. As such, it makes perfect sense to incentivize these people to research constructively and responsibly.

Your advice to CSOs. What must be their approach to tackle security on a day-to-day basis?

I would tell any CSO to focus on being proactive and not simply look at the current threatscape. Truly great security involves building out the capability to not just respond to today's attacks, but to prepare for tomorrow's.

Srikanth RP
srikanth.rp@ubm.com
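Sullivan's two numbers (six hundred thousand stolen-credential logins blocked daily, and password reuse across sites) describe credential stuffing: an attacker replays a leaked username:password list against another site. The detector below is an added example, not Facebook's code; it runs over a constructed login log and flags a source IP that tries many distinct accounts in a short window with a low success ratio, then lists the few accounts that did succeed, because those are the compromised accounts that need remediation. The log format, thresholds and IP addresses are assumptions for the demo.

```python
"""Credential-stuffing detector run over constructed login-log lines.

Added example, not Facebook's code. A stuffing run replays leaked
username:password pairs, so from one source IP you see many *distinct*
accounts tried in a short window with a low success ratio; the few
successes are the accounts that now need remediation.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp, source IP, account, result.
SAMPLE_LOG = """\
2013-06-01T10:00:01 198.51.100.7 alice FAIL
2013-06-01T10:00:02 198.51.100.7 bob FAIL
2013-06-01T10:00:02 198.51.100.7 carol FAIL
2013-06-01T10:00:03 198.51.100.7 dave OK
2013-06-01T10:00:03 198.51.100.7 erin FAIL
2013-06-01T10:00:04 198.51.100.7 frank FAIL
2013-06-01T10:00:05 198.51.100.7 grace FAIL
2013-06-01T10:00:06 198.51.100.7 heidi FAIL
2013-06-01T10:00:07 198.51.100.7 ivan FAIL
2013-06-01T10:00:08 198.51.100.7 judy FAIL
2013-06-01T10:00:09 203.0.113.5 alice FAIL
2013-06-01T10:00:20 203.0.113.5 alice FAIL
2013-06-01T10:00:40 203.0.113.5 alice OK
2013-06-01T10:05:00 192.0.2.9 bob OK
"""


def parse_log(text):
    """Parse lines into (timestamp, ip, account, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, account, result == "OK"))
    return events


def detect_stuffing(events, window=timedelta(minutes=5),
                    min_accounts=8, max_success_ratio=0.2):
    """Return {ip: stats} for source IPs that, within some `window`, tried at
    least `min_accounts` distinct accounts with a success ratio at or below
    `max_success_ratio`. Thresholds are illustrative, not production values."""
    by_ip = defaultdict(list)
    for ts, ip, account, ok in events:
        by_ip[ip].append((ts, account, ok))

    suspects = {}
    for ip, evs in by_ip.items():
        evs.sort()
        best = None
        start = 0
        # Sliding time window over this IP's attempts.
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            accounts = {a for _, a, _ in win}
            hits = [a for _, a, ok in win if ok]
            ratio = len(hits) / len(win)
            if len(accounts) >= min_accounts and ratio <= max_success_ratio:
                stats = {"attempts": len(win),
                         "distinct_accounts": len(accounts),
                         "success_ratio": round(ratio, 3),
                         "compromised": sorted(set(hits))}
                # Keep the widest qualifying window for this IP.
                if best is None or stats["distinct_accounts"] > best["distinct_accounts"]:
                    best = stats
        if best:
            suspects[ip] = best
    return suspects


if __name__ == "__main__":
    for ip, stats in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, stats)
```

The second IP in the sample (one user, two failures, then a success) is the normal "mistyped my password" shape and is not flagged; only the IP spraying ten different accounts is, and its single hit is the account to challenge or reset.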
Interview
‘Cybercriminal activity in APAC set to grow exponentially’

With the threat landscape deteriorating globally, threats to enterprises in APAC will continue to grow exponentially, says Michael Sentonas, VP & CTO, APAC for McAfee. In an interview with Varun Haran of InformationWeek, Sentonas opines that attackers have begun targeting low hanging fruit in the region more and more. He sheds light on evolving threats, techniques and culture.

With 2013 already being called the year of the hack, what are your views on the prevailing security landscape in APAC and globally?

That term is being used more and more as a result of such high profile security incidents around the world. We have seen millions of user accounts and passwords breached and global organizations publicly disclosing they have been compromised, asking their users to reset their passwords. This year continues to see increased growth in targeted attacks that disrupt services and attacks that fraudulently obtain significant amounts of intellectual property. The worrying change in the last six months is the increased use of attacks that destroy infrastructure, the systems they attack and the evidence of the attack. This makes it very hard for the organization that has been breached. Ransomware is a significant problem that is growing around the world, but in Asia-Pacific it's becoming a very concerning type of attack.

What are the major trends that you see and how have they evolved? What are the key threat vectors this year and the implications for security?

Some of the major security trends I believe are as follows:

• Targeted attacks prompt a growing need for incident response plans: Cybercriminals will continue targeted attacks that proved successful at disrupting services and fraudulently obtaining significant amounts of intellectual property. We are likely to see a significant increase in targeted attacks and targeted malware. This type of attack is more difficult to protect against, especially when cybercriminals destroy evidence of the attack. Dealing with the clean-up distracts IT administrators who don't immediately realize they have been hacked. It also adds to the difficulty in ensuring effective incident response as hackers attack hardware as they exit the network. Protecting against this trend will be a major challenge — particularly for enterprise and government organizations.

• Ransomware will start to impact Asia-Pacific: Ransomware will be prevalent in 2013. It is carried out by encrypting files on a victim's computer, which can only be unlocked by paying the criminals a "fine". To date, ransomware has been a bigger issue internationally and we have not experienced frequent occurrences in Asia-Pacific; however, this is changing.

• Non-Windows attacks will continue to increase: Non-Windows attacks will continue to increase in 2013. Android devices are now the highest selling mobile devices in the Asia-Pacific market and hackers will take advantage of that by developing mobile malware. Consumers aren't the only ones at risk of mobile threats. Enterprises, particularly those embracing Bring Your Own Device (BYOD) policies, are also at risk. The mobile malware growth rate is similar to that of Windows malware some time ago, which shows it is a genuine threat.

• Signed malware will increase in prevalence: Signed malware was prevalent in 2012 and this trend is likely to continue over the coming 12 months. Signed malware is present when a hacker obtains a digital certificate from an organization and appends it to malware, allowing the malware to pass through an organisation's operating system. Stuxnet is a high profile example of this threat. This type of threat will be harder to stop because it appears more legitimate.

• IT managers will start embracing security process automation: The cyber security function remains one of the only IT functions that has not yet taken advantage of the speed, visibility and comprehensive capabilities provided by automation. With the increasing number, variety and complexity of the threats faced by organizations, many security technologies still require significant hands-on management. IT managers will need to embrace security automation in order to keep up with the threats they face.
In your experience, how are enterprises responding to these threats?

Enterprises are responding to these threats differently depending on the vertical. Banks for example have some of the strongest security architectures and very talented staff to deal with these issues and minimize any impact. There are other verticals where security is treated as somewhat less important and where there are significant issues. Security needs to be taken very seriously. You need to look at your security processes, architectures and technologies and assess if they can deal with the current threats and adjust accordingly.

How have black-hat strategies and techniques evolved to leverage vulnerabilities/opportunities provided by new tools, platforms and services?

The economics of cyber attacks and the money there is to be made continue to drive attackers. They evolve and learn new ways to carry out their campaigns and malicious attacks to make money, to access information they seek or to carry out their hacktivist goals. Whilst there is significant focus and discussion around the opportunity that new tools, platforms and services can bring to attackers, in most cases they do not need to leverage these new technologies; there are enough weaknesses in the current technologies. Traditional attack techniques like SQL injection and the use of old malicious applications are still extremely successful. In a significant amount of the incident response work we do, attackers have penetrated networks with little in the way to stop them, so they do not need to invent new ways to attack an average organization.

Emphasis is beginning to be placed on detection over prevention as per several industry reports. Your thoughts on this cynical bent that security practitioners seem to be taking.

I do not agree that more emphasis is being placed on advanced malware
detection rather than defense, but certainly the focus on advanced attacks has increased. You could argue that some of this is vendor driven, given the hype around APTs. There is a need for both: you need to prevent every attack possible, but you also need to focus on the reality that there are attackers who have the skills and the motivation to target you as an organization and you need to detect this type of advanced attack. Attribution is extremely important today, and I believe very misunderstood. You need to know who is attacking you, why they are attacking you and how they are doing it. How they are doing it allows you to focus on prevention, but who and why is very important so you understand the motivation and how you can manage the issue.

What is your opinion on the implications for security from ‘the Internet of Things’ phenomenon?

The Internet of Things brings massive innovation and benefits that we can all enjoy and use positively. With this change and innovation does come a responsibility to look at security with a pragmatic view. We need to look at security in some very different ways. Traditionally security could be likened to the well-known game Whack-A-Mole: the focus is looking for the next piece of malware and stopping it, and doing this time and time again. Looking at the Internet of Things, dealing with malware is still very important, but so are other areas of security like trust and identity. Behaviour, for instance, becomes important, which may also be linked to identity. For example, is this machine doing what is expected, and is the person connecting to the machine trusted and is it really that person. Many aspects of security will remain the same, but there is also a need for new security architectures to be leveraged to ensure security and integrity.

Varun Haran
varun.haran@ubm.com
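Sentonas's point that traditional techniques like SQL injection are still extremely successful is easy to see in code. The block below is an added example, not McAfee's or the interviewee's code: an in-memory SQLite users table is constructed for the demo, a login routine that splices the username into the query string is run against two textbook payloads, and the same routine with bound parameters is run beside it. The comparison of the password hash inside the SQL is kept deliberately so the injection stays visible; a real login fetches the row by username and verifies the password hash in code.

```python
"""SQL injection, the 'traditional attack that still works', beside its fix.

Added example, not McAfee's or the interviewee's code. The database, table
and rows are constructed for the demo. The vulnerable login builds its SQL by
string formatting; the hardened one passes values as bound parameters, so the
same payload is compared as a literal string and never reaches the parser.
"""
import sqlite3


def make_db():
    """Constructed in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("admin", "hash-of-admin-pw", "admin"),
        ("alice", "hash-of-alice-pw", "user"),
    ])
    return conn


def login_vulnerable(conn, username, password_hash):
    # Classic injectable pattern: untrusted input spliced into the statement.
    query = ("SELECT username, role FROM users "
             "WHERE username = '%s' AND password_hash = '%s'" % (username, password_hash))
    return conn.execute(query).fetchone()


def login_parameterized(conn, username, password_hash):
    # Bound parameters: the driver sends values separately from the SQL text,
    # so quotes and comment markers in the input are just characters.
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password_hash = ?",
        (username, password_hash),
    ).fetchone()


def demo():
    """Run two common payloads through both versions; returns the rows seen."""
    conn = make_db()
    payloads = {
        # Closes the string literal and comments out the password check.
        "comment_out": "admin' --",
        # Makes the WHERE clause always true, returning the first row (admin).
        "tautology": "x' OR 1=1 --",
    }
    results = {}
    for name, payload in payloads.items():
        results[name] = {
            "vulnerable": login_vulnerable(conn, payload, "not-the-hash"),
            "parameterized": login_parameterized(conn, payload, "not-the-hash"),
        }
    return results


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

Both payloads log the attacker in as admin through the string-built query and return nothing through the parameterized one; no WAF or signature is involved, which is why the fix belongs in the code rather than in front of it.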
Interview
‘Security should be the goal, not compliance’

Sharing his views on the compliance versus security debate, Bikash Barai, CEO, iViZ Security, says organizations that only run after compliance focus more on proving their security to auditors; this is similar to studying for marks versus studying for real understanding of a subject. In a detailed interaction with Jasmine Kohli, he talks about emerging trends in the web application security space.

What trends do you see emerging in the web application security space?

Based on our experience while working with more than 300 customers for cloud based application security testing, following are the top few trends emerging in web application security:

• Run Time Application Security Protection (RASP): Today, applications mostly rely on external protection like IPS (Intrusion Prevention Systems), WAF (Web Application Firewall) etc., and there is a great scope for a lot of these security features being built into the application so that it can protect itself during run time. Once RASP is inbuilt in the application itself, it would be more powerful than external devices, which have limited information of how the internal processes of the application work.

• Collaborative Security Intelligence: By collaborative security, I mean collaboration or integration between different Application Security technologies like SAST (Static Application Security Testing), DAST (Dynamic Application Security Testing), WAF (Web Application Firewall), SIM (Security Incident Management), RASP (Run time Application Security Protection), etc. Someday the industry will see the transition from various information technologies to a single intelligent view of Collaborative Security Intelligence.

• Hybrid Application Security Testing: By "Hybrid" I mean combining automation and manual testing in a manner "beyond what consultants do" so that we can achieve higher scalability, predictability and cost effectiveness. DAST and SAST both have their own limitations. Two of the major problem areas are false positives and business logic testing. Unlike network testing where you need to find known vulnerabilities in a known piece of code, application testing deals with unknown code. This makes the model of vulnerability detection more difficult to automate. So you get the best results from consultants or your in-house security experts. However, this model is non-scalable. There are more than a billion applications which need testing and we do not have enough humans on earth to test them. The future is in the combination of automation and manual validation in "smart ways".

• Application-Security-as-a-Service: I believe in the "as a Service" model for a very simple reason: We do not need technology for the sake of technology but to solve a problem, i.e. it's the solution/service that we need. With the growing focus on core competency, it makes more sense to procure services than acquire products. "Get it done" makes more sense than "Do It Yourself" (of course there are exceptions).

• Integrating development and operations in a secure thread: It's time now to look beyond Secure SDLC (Software Development Life Cycle). There was a time we saw a huge drive to integrate security with the SDLC and I believe the industry has made some decent progress. The future is to do the same in terms of security, development, and operations. The entire thread of design, development, testing through to the production, management, maintenance and operations should be tied seamlessly with security as the major focus.

Which sectors according to you are more prone to application security threats?

Any industry vertical which uses online apps or even internal business apps, which if disrupted may cause loss of business, is the most prominent target for attackers. A few examples would be banking, financial, securities, online, retail, IT/ITES etc.

How can organizations become secure from the perspective of application security?

There is no perfect silver bullet. Being secure is as elusive as being happy. However, you can have an effective risk management process though you can never achieve 0 percent risk or 100 percent security. Here are some ways organizations can ensure better application security:

#1: Classify your assets: One needs to classify organizational assets into various buckets as per business criticality. I remember in a recent conference, a speaker asked the audience (mostly large enterprise security heads): How many of you know the exact number of applications you have in your organization? Only one hand went up. Very few of the large organization security teams know the number of applications they have and the respective application owners.

#2: Create a regular testing strategy: I strongly believe that application security testing is the most critical element towards securing our apps. Prevention strategies have been adopted quite late by the industry. So even though the wise say, "Prevention is better than cure," we first need to cover the past mistakes.

#3: Create an effective patching/remediation process: Patching is more important than finding vulnerabilities. In our experience of conducting tests for more than 300 organizations, we found that this is an area which widely misses out in effectiveness. Creating an effective program to detect vulnerabilities, assign them for fixing, and track them until they are closed is probably the most vital element.

#4: Implement web application firewall for critical apps: It takes time to detect and fix vulnerabilities. Having a web application firewall is very essential for applications which are classified as highly critical. You can also think beyond and implement Security Incident Management (SIM).

#5: Implement Secure SDLC: You need to have a secure SDLC. Having the big bang approach is quite tough. You may think of having a complete transformation. However, there is no harm in starting small. Just start with a minimal coding guideline and a minimal testing (at least automated) during every release.

What are the different types of attack to which web applications are prone?

The web applications are prone to various types of application level attacks like Cross Site Scripting, SQL Injection, CSRF etc. We observed business logic vulnerabilities as the most overlooked and having the highest business impact. Most of the organizations do not have the expertise/process to discover and eliminate business logic flaws. A few examples of business logic vulnerabilities are weak password recovery, abusing discount logic or coupons, denial of service using business logic, price manipulation, and OTP (One Time Password) bypass. Applications can also be attacked in various other ways like attacking the network infrastructure, operating system, other connected apps/services, social engineering on human users etc.

An iViZ study states that compliance and security are not synonymous. Can you tell us more about this?

We conducted a study on the vulnerability data of web apps tested by us in 2012. In total more than 5,000 application vulnerabilities from 300+ customers have been considered as part of the sample data. As a part of the findings, we noticed a very low correlation between Security and Compliance (Correlation Coefficient: 0.2). The reasons are quite obvious: organizations that only run after compliance focus more on proving their security to auditors. It is more like studying for marks versus studying for real understanding of a subject. We need to realize that compliance is not the goal, real security is the goal.
What is taking ethical hacking to cloud all about?

Today, everything is moving to the cloud and ethical hacking, or formally penetration testing, is no exception. iViZ Security is an example of a cloud-based application penetration testing service for web applications. Ethical hacking is considered mandatory by government regulations and compliances like PCI, SOX, HIPAA, ISO-27001 etc. Consultant-based penetration testing is not just costly, but also impossible to scale since there aren't enough humans on earth to test the 600 million online websites.

According to you, which was the most intelligent fraud devised in the web apps space and what were the lessons learnt?

It is difficult to find out the "most intelligent" one. One interesting attack which comes to my mind is the hacking of the MIT website. The website was hacked despite no vulnerability in the application itself. It is a great example of a multistage attack. This is how the attack was carried out:

• An MIT Network Operations Center (NOC) person is sent an e-mail with a malicious link containing a browser exploit.
• The victim clicks the link and gets compromised.
• The attacker steals the "Educause" credentials of the NOC person.
• The attacker creates a Cloudflare account with DNS entries pointing to their own servers and adds MX records such that mails are forwarded to their own servers.
• The attacker logs into the Educause domain control panel and changes the name server to point to the Cloudflare account created before, and changes the password of the domain control panel.

The key learning from the hack was that just securing the apps is not enough; one also needs to look into the complex possibilities of social engineering vectors and have a robust emergency response process.

Jasmine Kohli
jasmine.kohli@ubm.com
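Barai singles out business logic flaws, among them price manipulation and coupon abuse, as the most overlooked class because no scanner signature matches them: every request is well-formed, the application simply trusts a value it should have computed itself. The block below is an added example, not iViZ's code; the catalogue, coupon table and three carts are constructed. The insecure checkout trusts the client-supplied unit price and quantity and applies a coupon as many times as it is posted; the hardened one prices from the server-side catalogue, bounds quantities, allows one coupon per order and records redemptions so a code cannot be replayed by the same customer.

```python
"""Business-logic flaws: price manipulation and coupon abuse, vulnerable and fixed.

Added example, not iViZ's code. Catalogue, coupons and carts are constructed.
The insecure checkout trusts whatever the client posts (unit price, quantity,
any number of coupons); the hardened one prices from the server-side
catalogue, validates quantities, allows one coupon per order and records
redemptions so a code cannot be replayed by the same customer.
"""

# Constructed catalogue: prices in paise (integers avoid float rounding games).
CATALOG = {"sku-101": 499900, "sku-202": 150000}
COUPONS = {"SAVE10": {"percent": 10}}
MAX_QTY = 100


class InsecureCheckout:
    def total(self, cart):
        # Trusts client-supplied price and quantity; no coupon tracking.
        subtotal = sum(item["price"] * item["qty"] for item in cart["items"])
        for code in cart.get("coupons", []):
            subtotal -= subtotal * COUPONS[code]["percent"] // 100
        return subtotal


class SecureCheckout:
    def __init__(self):
        self.redeemed = set()  # (customer_id, coupon_code) pairs already used

    def total(self, customer_id, cart):
        subtotal = 0
        for item in cart["items"]:
            sku, qty = item.get("sku"), item.get("qty")
            if sku not in CATALOG:
                raise ValueError("unknown sku %r" % sku)
            if not isinstance(qty, int) or qty < 1 or qty > MAX_QTY:
                raise ValueError("bad quantity %r for %s" % (qty, sku))
            subtotal += CATALOG[sku] * qty  # server-side price; client price ignored
        codes = cart.get("coupons", [])
        if len(codes) > 1:
            raise ValueError("one coupon per order")
        for code in codes:
            if code not in COUPONS or (customer_id, code) in self.redeemed:
                raise ValueError("invalid or already redeemed coupon %r" % code)
            subtotal -= subtotal * COUPONS[code]["percent"] // 100
            self.redeemed.add((customer_id, code))
        return subtotal


def demo():
    """Run three constructed carts through both checkouts and a coupon replay."""
    tampered_price = {"items": [{"sku": "sku-101", "qty": 1, "price": 1}],
                      "coupons": ["SAVE10", "SAVE10", "SAVE10"]}
    negative_qty = {"items": [{"sku": "sku-101", "qty": 1, "price": 499900},
                              {"sku": "sku-202", "qty": -3, "price": 150000}]}
    honest = {"items": [{"sku": "sku-101", "qty": 1, "price": 499900}],
              "coupons": ["SAVE10"]}

    insecure, secure = InsecureCheckout(), SecureCheckout()
    out = {"insecure": {}, "secure": {}}
    for name, cart in [("tampered_price", tampered_price),
                       ("negative_qty", negative_qty), ("honest", honest)]:
        out["insecure"][name] = insecure.total(cart)
        try:
            out["secure"][name] = secure.total("cust-1", cart)
        except ValueError as exc:
            out["secure"][name] = "rejected: %s" % exc
    # Replaying the same coupon from the same customer must be refused.
    try:
        secure.total("cust-1", honest)
        out["secure"]["replay"] = "accepted"
    except ValueError:
        out["secure"]["replay"] = "rejected"
    return out


if __name__ == "__main__":
    print(demo())
```

The insecure total for the tampered cart is one paisa and a negative-quantity line item silently acts as a refund; neither request contains anything a WAF or a scanner would flag, which is Barai's point about why these flaws need a human reading the business rules.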
Opinion
Top 5 ground-zero challenges Indian CISOs face today
We are living in an era where wars are no longer fought on the battlefield but in cyberspace. State sponsored attacks are becoming a common phenomenon, with industries, defense websites, government agencies and even nonprofit organizations being targeted. The cyber-attack on Iran's nuclear plant and oil refineries, the hacking of social networking portals like Facebook, Twitter and LinkedIn, and the defacing of websites of political parties like Congress, BJP and Trinamool Congress are glaring examples of the magnitude of such attacks. CISOs meanwhile are having sleepless nights. It's like a general trying to hold a fort with limited resources. In reality, CISOs are just waiting for the inevitable. Of the many challenges that a CISO faces, I have rated the following as the top 5, based on my understanding of the subject and past experience.
Manish Dave

A look at the key challenges faced by CISOs in Indian organizations today, from reporting structure to senior management issues

1. The Infosec hierarchy itself & role of CISO
The CISO as a position has only been around for the last decade. Previously, a CXO level person dedicated to information security was not needed, as the threat landscape was minuscule and manageable. The role is still evolving 12 years on, and depending on the industry, the roles and responsibilities of the CISO keep on changing, as does the reporting hierarchy. Most CISOs today report into an IT function (Group CIO, CTO etc.), which, in my opinion, defeats the purpose. We also find some CISOs reporting to CFOs, assurance heads or, in some cases, CEOs. Value is only derived when a CISO reports to the CRO (or Risk Committee). Ideally, the CISO role should be independent of IT and audit. A CISO's decisions cannot be biased, else the whole purpose of his/her existence is defeated. What actually happens is that the reporting manager himself/herself is from a different domain, and working in tandem becomes a challenge for a CISO. The expected CISO role is a mix of advisor, policy owner, risk manager, security control implementer and policy reviewer. In itself, this is contradictory, since organizations where boundaries are clearly marked between technology, audit and information security are very rare.
2. Proving ROI for security investments
While presenting a business case for a security solution, a CISO is required to present a justification with cost-benefit analysis and TCO. Irrespective of the figure, the justification is always ‘Brand Protection’. Given the absence in India of organizations like NIST or DISA (vendor-neutral bodies that publish standards, case studies and risk frameworks), CISOs are left to resort to their own research, Gartner quadrants and vendor marketing material to push their case. More often than not, they are left dumbstruck for lack of historical data when the board asks for ROI or metrics for the effectiveness of the proposed investment. Incidents in the U.S. cannot be directly referred to in India, simply because the laws of the land are different. A privacy breach of personal information can cost you millions of dollars in the U.S., whereas in India every bank, credit card or insurance company has your details, including yearly household income. In such a contrasting scenario, how can you put a figure to information breaches? Most security proposals don't see the light of day only because of our Indian mentality, aptly shown in the Maruti advertisement: "Kitna Deti hai" (Hindi for "how much mileage does it give").
3. Competence of security practice
In a non-BFSI organization, the information security team usually consists of fewer than 10 individuals, irrespective of the scale and spread of the IT infrastructure. Usually the criterion for a person to be in a security team is his/her competency in the network or systems area. In some cases vendor or product specific competency is sought. But what is completely missed is that if the person does not understand security conceptually, competency with tools, devices, appliances and applications is moot. The CISO himself/herself comes from either a core IT function or, in the case of BFSI, from finance and accounting. Very few CISOs have the relevant experience, training and certifications to be worthy of becoming a CISO. In most non-BFSI industries, the IT security teams consist only of members who are competent in hardware and networking or specific security solutions, rarely having a team of application security experts. Often application security is not a high priority and is assumed to be ‘fairly’ secured.
4. Policy exemption to senior management
Most of the time, the violation of policies is done by the top brass of any organization, intentionally or unintentionally. Often you hear that the CEO or a director, who just returned from an overseas tour, is carrying a new gadget like an iPad or an Android smartphone. Now he wants to use it in the office and so instructs the CIO to configure corporate e-mail and other business applications on the device. Since it is almost a mandate, the CIO/IT head struggles and somehow manages to fulfill the requirement (however insecure it may be). Unrestricted Internet access, USB and CD/DVD writing privileges, video chat clients, just to name a few, are requests frequently received from senior management personnel. We implement all the security controls on the larger group of employees who may not even be privy to sensitive information, whereas it is the top management who has direct access (in most cases not monitored) to such information assets. Organizations can incur huge losses if a senior executive is poached by the competition. They already have all the data (that CISOs try to protect) that can do the damage.
5. Ever changing threat landscape & newer security controls
Compared with a few years back, today we have appliances, applications and tools to defend against the newer threats. Organizations, vendors and customers sell and buy newer tools, appliances etc. in their haste to plug weaknesses. However, the technology or the solution itself is new and the vendor community does not yet have certified personnel on board. The solution is deployed and a ‘so-called’ knowledge transfer happens between the vendor specialist and the IT security team. Most times, the tool is configured improperly with only a few features enabled, or the reporting mechanism is faulty. CISOs are forced to rely completely on the knowledge transferred to the local team (depending on what they understood). This leaves a huge gap where CISOs feel that since the tool is in place, they are secure, whereas the ground reality couldn't be further from the truth.
Manish Dave is Group CISO, Essar Group
Opinion
Best practices for IP protection
The World Intellectual Property Organization (WIPO) has defined four primary types of intellectual property (IP), viz. patents, copyrights, trademarks, and trade secrets. These are distinct in nature from one another but have common consequences if they are lost, stolen, misused or made unavailable. Protecting IP is different from protecting regular information assets. The industry today demands that IT teams deliver services with BYOD, virtualization and cloud services. As these changes are being implemented across organizations, CISOs and IS managers are posed with a lot of questions around securing their most valued asset, i.e. IP. The need of the hour is to build a scalable, integrated and flexible IT ecosystem that not only delivers as per the demands of business users, but also addresses the new paradigm of security requirements.
Formulating a strong IP strategy
To begin with, organizations must invest in a well-written Non Disclosure Agreement (NDA) with various entities like employees, contractors, and third parties. The NDA must specify obligation, liability and validity with respect to the confidentiality of the IP that any of these entities might have access to. During NDA discussions and sign-offs, one must educate and apprise these entities of their responsibilities and obligations towards protecting IP. In addition, an exit discussion must be carried out for every entity moving out. A self-attestation from these entities, stating that they do not have custody of or access to any IP information at their exit, will definitely bring a high level of deterrent control. They must also be encouraged to share information about their new organization in case it is a competitor. One of the other significantly important subjects we tend to miss is the requirement for forensics capabilities.
Basic forensic capabilities need to be developed within the organization. Advanced forensic capabilities for conducting a full-fledged investigation must be developed either in the organization or through arrangements with professional organizations. These play a major role during fraud investigation, IP litigation, pre-litigation or even suspicion. However, the largest threat for an organization, and the weakest link, is always the people. Appropriate training and awareness should be provided to help them understand the importance of IP to the organization. When it comes to preventing and monitoring processes and people, organizations might need to depend on various technologies to help them address the risks.
Selecting the right technology
Data compartmentalization is the first and foremost technology control an organization should deploy. Logical and physical segregation of networks, systems, infrastructure elements, locations etc. helps focus on where IP is in transit, at rest or in process (TRP). Looking at specific technologies, Data Leakage Prevention (DLP) systems restrict information to whatever physical or logical perimeter the organization chooses to define. Digital Rights Management (DRM) and Information Rights Management (IRM) let organizations monitor, manage and control what can be done with information after it leaves the organization's perimeter. Whole disk encryption (WDE) solutions encrypt endpoints, whether laptops, tablets, USB drives, DVDs, tapes or even SD memory cards, and protect the data if the device is lost or accessed by an unauthorized individual. Identity and access management (IDAM) tools remain at the top of the priority list of technology solutions to protect IP, as they establish and manage rightful access to data on a need-to-know basis. Immediate revocation of access for people leaving the organization, lockdown of unused user accounts, and strong protection during release and reset of privileged accounts can all be achieved with these tools. At the end of the day, these are the doors through which IP and other information assets in your organization are reached. For key applications and databases that either are IP themselves or process IP, tools such as Web Application Firewalls (WAF) and Database Activity Monitoring (DAM) add layers between your IP and the users accessing it: they monitor, log, analyze, report and act on events. Additionally, zero-day protection, Advanced Persistent Threat (APT) detection and defence in depth (DID) not only provide electronic vigilance inside your organization's ecosystem to detect anomalies and suspicious activity, but also help stop it. Finally, it is imperative that senior management puts IP protection on its priority list. Management oversight and periodic input will ensure that all these controls are implemented properly and run effectively.
Amit Pradhan is CISO, Cipla
www.informationweek.in
Opinion
Big Data: The future of info security?
According to IBM, 90 percent of the data in the world today has been created in the last two years. From social media, mobile devices and digital sensors to e-mails, images and videos, these vast sources of data create a potential goldmine of valuable information about people and their activities. Whilst the promise of actionable insight from data is not new (business intelligence and other analysis capabilities have long been present in many organizations), what is new is the rate at which the data is growing, the way the data is changing and the demands being placed upon it.
Enter Big Data analytics
Big Data analytics describes solutions in which insights and answers arise from the analysis of vast, complex or disparate data sources. It is a highly creative and iterative exercise that breaks away from traditional methods. Retail and consumer industries have been early adopters, actively analyzing databases of customer transactions to determine buying patterns and trends. This enables a better understanding of customers and helps in figuring out the correct product mix, product placement and pricing. Newer analyses of social media (known as social media intelligence) and other sources enable companies to measure the emotional connection that customers feel toward a brand. This takes the analysis one stage further, to an understanding of the full range of emotions that go into making a buying decision.
How it helps in enhancing security
Big Data analytics enables organizations to process and analyze huge volumes of disparate and complex data, providing a step change from standard reporting and monitoring toward correlating and probing for insight into threats, risks and incidents. That resulting insight can lead to improved information security, greater organizational agility, better cyber resilience and decreased business impact. This capability is critical as the practice of reacting to incidents is replaced by the need to predict, understand and respond to complex events.
So why the delay?
However, there are challenges. Solving the Big Data problem often means something different for information security than it does for traditional business analytics. In many cases, Big Data solutions are not designed to be real-time. For security analytics, speed is critical: the faster an organization can discover a security incident, the more quickly it can respond, and that can mean the difference between a fast recovery and a prolonged, public acknowledgement of a data breach. Unlike other areas of the business, where a lack of real-time analysis is not a major issue, in information security the lack of real-time analysis of Big Data sets can make a massive difference to both data security and system availability. So while pressure has been mounting on organizations to embrace Big Data because of the enormous insights and competitive advantage it can provide, it has not all been good news. Computers are increasingly crunching numbers to find answers previously thought unknowable, and here lies a further issue: poor-quality information or untested models can send organizations off course. Big Data in the cloud (and a significant amount of data for this kind of analysis either originates from cloud-based systems or is stored in the cloud) is also creating a host of new, highly attractive targets for the cybercrime fraternity. It is not just about stealing data; an attacker who can alter the data can steer the analysis to the wrong outcome. Organizations are also using Big Data analytics solutions for data mining, and many Big Data analytics implementations use cloud-based systems to store and process information. One issue with the data sets associated with Big Data analytics is that they are an aggregation of information across an organization. Consequently, the personally identifiable information (PII) they contain can be highly detailed and should be subject to the same assessments and protection as other cloud-based systems that contain PII, such as data masking and encryption. This is yet more work for overstretched security departments. However, the benefits of Big Data analytics in information security outweigh the challenges. For example, financial risk can be lowered by using Big Data analytics to detect fraudulent transactions, errors or evidence of non-compliance. Big Data analysis can also reduce information security risk by providing better attack detection, identification and intelligence. Big Data analytics may well improve information security to the extent we have seen in the retail and consumer markets if the same sophisticated analysis can be applied to relevant security data. The really good news for information security is that Big Data analytics is only in its infancy and holds much more potential.
Steve Durbin is Global VP of the Information Security Forum (ISF), a not-for-profit member organization providing opinions and guidance on all aspects of information security.
Opinion
Six steps for a successful data security control implementation
The only thing more challenging than seeing something in the dark is explaining what you can see to others. That is how I characterize the often-difficult process of explaining the importance of data security to your executives and employees. Clearly communicating the challenges we face while protecting our organizational "crown jewels" is one of the biggest obstacles security professionals face. I am often asked "How is infrastructure security different from data security?" The simplest answer: infrastructure security protects the availability of your IT systems, while data security protects the confidentiality and integrity of your information. Most companies have solid infrastructure security programs. They have traditional defenses: distributed denial of service (DDoS) attack mitigations, firewalls and intrusion prevention systems (IPS). In most scenarios, these defenses are owned by both network and security teams. Most security professionals consider this appropriate protection at the network level, but not adequate on its own. Many are looking to implement the next breed of solutions to build out application-layer protections and take a deeper dive into the TCP/IP protocols, which provide context surrounding an event. While the additional information available with this second stage of deployment is significant, it should not be considered a data security control. Here is why: Data Loss Prevention (DLP) is an advanced control. It protects the confidentiality and integrity of your data. The value that a DLP solution offers is the full context, the "who, what, where and how" of data storage, access and transmission. This full context is something that perimeter infrastructure defenses do not offer. Let us take a look at why it is time to move from infrastructure-only security to infrastructure plus data security control. Below are six steps for a successful data security control implementation.
Step one
Calculate the value of your data
Without a plan, this can be the most difficult part of the process. Data values can rise and fall as quickly as financial markets. The key to solving this problem is working with your executives and information owners to determine a simple formula for estimating the value of your data. One of the best examples I have seen comes from the research group Securosis. Data value, frequency and audience are quantified within a table (as shown below) and allotted a score. Examples of data types include card data, PII, IP, sales data and any other specific data you are required to protect. An overall score is then defined for each type of data. By scoring the data types, you can prioritize the importance of the data. Including frequency and audience also helps determine the likelihood of data loss and again assists when prioritizing where and when to apply an action.

Data             | Value (10) | Frequency (5) | Audience (5) | Score
Card Data        | 10         | 3             | 2            | 60
PII              | 8          | 5             | 5            | 200
Financial IP     | 8          | 3             | 2            | 48
Trade Secrets    | 8          | 2             | 1            | 16
Sales Data       | 2          | 5             | 1            | 40
Customer Metrics | 2          | 5             | 2            | 20
Step two
Make your ROI case
To increase security spend, and roll-out new data security controls, you must demonstrate ROI. This means clearly quantifying the immense value that comes when you know where your data is, who is accessing it and how it’s being used. I strongly believe it’s critical to analyze, communicate and share the financial and organizational impact of stolen and lost data.
Step three
Monitor and log your data
Next, start monitoring who has access to the data and observe its movement around your network. Many organizations will turn to a DLP solution for this. The best DLP solutions can monitor the perimeter entry and exit points for data in motion and thoroughly monitor endpoints for data in use. The initial monitoring phase should not last longer than a few weeks after deployment, even allowing for tuning your policies to remove false positives. A good solution should quickly provide clarity into common data movement trends. Just remember to monitor every location where your data flows, including the often-overlooked printers, scanners, mobile devices and cloud services.
Step four
Apply data security controls
I often speak with organizations that are stuck in step three, monitoring and logging mode. They identify incidents as they happen, but are still not confident enough to apply controls that stop data leaving the organization. This is a mistake. Gartner demonstrated some time ago that passive security controls were dead. The same goes for DLP used exclusively in a monitor-only deployment. It does not demonstrate ROI to most businesses, especially if a significant loss or breach occurs while you are "monitoring". We must apply controls. First, revisit your most valuable data. Start amending the rules and policies to begin active protection of those crown jewels. I do not recommend enabling all block rules immediately. In my experience, a phased approach is the most efficient way of applying data security controls.
Step five
Find your data
Once you have a score associated with each data type, and the funding, the next stage is to locate the sensitive data on your network. Based on the scoring exercise described above, it is always advisable to begin this process with the most valuable data. Focusing on your crown jewels minimizes the negative impact on your network. Unfortunately, standalone discovery and mining services are usually expensive and take considerable time to run. Another option is to rely on DLP solutions. Most leading DLP solutions offer a mechanism to discover, identify and fingerprint data in periodic sweeps. These sweeps can take place daily, weekly or monthly. This process provides a marked increase in visibility and improves efficiency by identifying and flagging duplicate data. Many organizations waste large amounts of money backing up and storing duplicated data. To a security officer, reducing the cost of this process is great additional justification for the purchase of a DLP solution.

[Figure: monitored incidents versus blocked incidents per month, Oct-12 to Dec-12, y-axis 0 to 500]
Step six
Implement proactive protection and step up employee education
As user awareness becomes more prominent, the number of blocked incidents will stabilize and the number of monitored incidents will go down. Why? A typical end user is much more careful before clicking on a link or sending an e-mail if he understands that these actions will result in a block and a notification. As a result, information owners and security teams gain tremendous value through proactive protection, as well as a welcome reduction in the IT team's workload. The graph above shows proactive protection in action. The number of incidents steadily decreased when a 2,500-user enterprise activated blocking actions in October 2012. I may have made the previous steps sound easy to implement; they should be. A data security control strategy can add more value than any technical solution deployed within an organization.
It’s time now to move from infrastructureonly security to infrastructure and data security control
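Steps one, three and five above describe a discovery sweep: classify what is on the network, flag duplicates, and rank the findings by the Step-one score so the crown jewels are handled first. The Python script below is an added illustration of that sweep; it is not Websense's product nor the author's code. It assumes a handful of detectors (a card-number pattern filtered by the Luhn checksum, an e-mail pattern standing in for PII, and keyword markers for trade secrets and financial IP), the scores from the Step-one table, and a constructed set of sample files written to a temporary directory. A real DLP product ships far richer classifiers, but the shape of the sweep is the same.

```python
"""Sensitive-data discovery sweep: classify, fingerprint, rank (added example)."""
import hashlib
import os
import re
import tempfile
from collections import defaultdict

# Scores carried over from the Step-one table (value x frequency x audience).
DATA_SCORES = {"pii": 200, "card_data": 60, "financial_ip": 48, "trade_secrets": 16}

# Detectors are assumptions for illustration; a real product ships many more.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
IP_MARKERS = ("TRADE SECRET", "PROPRIETARY FORMULA")
FIN_MARKERS = ("FORECAST", "EBITDA")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: weeds out 16-digit numbers that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> set:
    """Return the set of data types detected in a blob of text."""
    found = set()
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.add("card_data")
    if EMAIL_RE.search(text):
        found.add("pii")
    upper = text.upper()
    if any(k in upper for k in IP_MARKERS):
        found.add("trade_secrets")
    if any(k in upper for k in FIN_MARKERS):
        found.add("financial_ip")
    return found


def fingerprint(text: str) -> str:
    """Whitespace-normalised SHA-256, so reflowed copies of a document still match."""
    return hashlib.sha256(" ".join(text.split()).encode()).hexdigest()


def score(types) -> int:
    return sum(DATA_SCORES.get(t, 0) for t in types)


def scan_tree(root: str):
    """Sweep every file under root. Returns (findings sorted crown-jewels-first,
    {fingerprint: [paths]} for files whose content duplicates another file)."""
    findings, by_fp = [], defaultdict(list)
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            types = classify(text)
            if not types:
                continue  # nothing sensitive: not a finding, keeps the report focused
            rel, fp = os.path.relpath(path, root), fingerprint(text)
            by_fp[fp].append(rel)
            findings.append({"path": rel, "types": sorted(types),
                             "score": score(types), "fingerprint": fp})
    findings.sort(key=lambda f: (-f["score"], f["path"]))
    return findings, {fp: p for fp, p in by_fp.items() if len(p) > 1}


def build_sample_tree() -> str:
    """Constructed sample file share for the demo (not real data)."""
    root = tempfile.mkdtemp(prefix="dlp-sweep-")
    samples = {
        "finance/q3.txt": "Q3 FORECAST: EBITDA up 4%. Contact cfo@example.com",
        "hr/payroll.csv": "name,email\nAlice,alice@example.com",
        "sales/orders.txt": "Card on file: 4111 1111 1111 1111 for order 42",
        "sales/orders-copy.txt": "Card on file:   4111 1111 1111 1111\nfor order 42",
        "rnd/formula.txt": "TRADE SECRET - proprietary formula, do not distribute",
        "misc/notes.txt": "Lunch at noon; phone 4111 1111 1111 1112",  # fails Luhn
    }
    for rel, content in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    found, dupes = scan_tree(build_sample_tree())
    for f in found:
        print(f"{f['score']:>4}  {','.join(f['types']):<24} {f['path']}")
    for fp, paths in dupes.items():
        print(f"duplicate content {fp[:12]}...: {paths}")
```

Run it and notes.txt, which holds a number that looks like a card but fails the Luhn check, is silently skipped, while the two orders files, whose content differs only in whitespace, share one fingerprint and are reported as duplicates; the ranking puts the PII-bearing files ahead of card data, exactly as the Step-one scores dictate.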
Neil Thacker is Security and Strategy Officer, Websense
Opinion
Stepping up SMB security
India, which is home to about 4.88 crore (48.8 million) SMBs, is set to become the largest SME nation globally, according to a 2013 study commissioned by Zinnov. Estimates suggest that 5 lakh (500,000) SMBs in India have websites and 2 million SMBs are accessing the Internet. The technology advances of SMBs need to be matched by IT security. However, SMBs are rarely protected to the same extent as large corporations, yet are subject to the same ever-changing threat landscape. Many smaller businesses lack budget and expertise, and typically have liberal, rarely enforced policies on the use of personal devices, in-office Wi-Fi access, installation of unauthorized apps and so on.
What are the possible dangers?
- Lost and stolen devices: Smartphones and tablets are often loaded with critical company data. These devices open numerous points of entry to the company's network, and data can be compromised when employees lose them.
- Access to corporate data: Another threat is granting employees full access to information. For example, the majority of employees may only need the ability to read data rather than to edit and copy it.
- Ransomware: Ransomware is where a cybercriminal accesses and encrypts files on a victim's computer, which can only be unlocked by paying a "fine". In these situations, criminals often pretend to be an authority figure to trick you into believing you have done something wrong and that the fine is legitimate. The threat posed by ransomware can be reduced by tightening security policies and implementing a defense-in-depth approach, such as encrypting PCs and servers and installing anti-virus software.
Is there a single silver bullet?
In an ideal scenario, one security solution would answer the requirements of all SMBs. Unfortunately, with the rising sophistication of attacks, every SMB requires a custom security solution. No two businesses are the same, and what needs to be protected within each business differs greatly. For example, if a small business operates primarily online and houses customer profiles and data on the web, the level of protection required will be greater than for a business with little online presence. I personally believe the best approach is to have a qualified security expert do audits to ensure you have a tailored security solution. For example, an IT security consultant can help the business owner set an annual security budget, which depends on various factors that vary the cost, such as whether the business already has security in place, whether computers are installed, what sensitive data it holds and how that data is stored, to name a few. Determining a reasonable security budget is best done through a security audit. From there, the business owner and the IT security consultant can determine what level of protection is needed and what services and products should be implemented. Best practices for SMBs picking security software include:
1. Working with an experienced partner who can help conduct a security audit.
2. Being clear about the security needs. What are the most important assets that need to be protected?
3. Ensuring you have a solid training plan for your team to outline the dos and don'ts when using the corporate network.
4. Developing and sticking to strict guidelines and policies around protecting company data.
5. Thinking about defense in depth. Business owners should not only think about setting up anti-virus, but should also consider protection against malware and ransomware.
Managing BYOD risks
As soon as a computer or smartphone is connected to the business network, it becomes a risk by acting as a port of entry to the company's data. That said, businesses should not be restrained by the BYOD model. Instead, there are a few steps business owners can take to protect their network.
1. Training: It is important to educate employees on best practices for accessing and managing corporate data on personally owned devices or when using specific apps.
2. Policies: Business owners should implement strict IT policies for BYOD on acceptable use of devices and apps. They may also implement a policy under which the company has the authority to wipe the device if it is lost or stolen, and should be able to block content from leaving the network so employees cannot copy customer details and send them to their personal accounts.
3. Security: Making sure your policies and security software are up to date is important to protect against emerging threats.
Robbie Upcroft is Sales Manager, SMB & Distribution, McAfee Asia Pacific
Opinion
How NFC-enabled phones can offer a frictionless access control experience
The industry faces several identity challenges, including providing as "frictionless" an experience for the user as possible. The term "frictionless" describes security solutions that do not slow users down. For example, users increasingly resist the idea of carrying a dedicated security token for accessing computer resources. One way to provide a frictionless access control experience is to embed credentials inside mobile devices, so that users are not required to carry separate cards, keys and tokens. Phones with Near Field Communication (NFC) capability can be used for a variety of physical and logical access control tasks, including entering buildings, logging on to networks, and gaining access to apps and other systems. This access control model requires a new way to represent many different types of identity data within a trust-based communications boundary. First, NFC phones must feature an embedded secure element to store a user's encrypted keys and credentials. This can be a subscriber identity module (SIM) or Universal Integrated Circuit Card (UICC)-based secure element, or an add-on device such as a microSD card that incorporates a secure element. There must also be an ecosystem of readers, locks and other hardware that can read and respond to the digital credentials stored on NFC-enabled handsets.
Turning NFC-enabled phones into secure credentials
For physical access control, organizations can provision mobile access control credentials in one of two ways. The first is via the same type of Internet portal used to provision traditional plastic credentials (the mobile device being connected to the network via a USB or Wi-Fi link). The second approach is over the air via a mobile network operator, similar to how smartphone users download apps and songs. Common access control trusted service managers (TSMs) will interface seamlessly with the mobile network operator (MNO), its TSM, and the NFC smartphones that receive the encrypted keys and credentials for storage in the phone's secure element, SIM or microSD. For logical access control, a phone app will generate a one-time password (OTP) or, alternatively, OTPs will be sent to the phone via SMS (the weaker of the two, since delivery then depends on the mobile network). This not only improves convenience but also increases security by providing a second authentication factor ("something I have"). With this new model, identity management will move to the cloud in a way that facilitates frictionless user login (often from personal devices under the BYOD deployment model) for both Software as a Service (SaaS) and various internal enterprise apps. Using BYOD smartphones for access control apps requires proper planning and assessment, and an infrastructure that supports cloud-based provisioning of digital keys and credentials. Much of today's discussion is focused on securing the platform, but as enterprises continue to move apps into the cloud and take advantage of the SaaS model, it will be critical to resolve the challenges of provisioning and revoking user identities across multiple cloud-based apps, while also enabling secure, frictionless user login to those apps. Frictionless access control solutions will also need to support open standards to foster the availability of interoperable products and ensure that investments in today's technologies can be leveraged in the future. Moving beyond a simple card emulation model for mobile access control, the next generation of solutions will leverage the smartphone's on-board intelligence to complete most of the tasks now performed by the access control system. As mobile access control adoption increases, it will help "pull" other apps to NFC technology. The same phone used to enter the building will be used to log on to a network, access apps and other systems, and gain remote access to secure networks without needing an OTP token or key fob. Converged access control is more convenient than carrying separate credentials, and greatly improves security by enabling strong authentication on key systems and apps. It also reduces deployment and operational costs by letting organizations leverage their existing credential investment to add logical access control for network log-on and create a fully interoperable, multi-layered security solution across company networks and systems. And it helps organizations meet regulatory requirements, enforce consistent policies and maintain audit logs while cutting costs by consolidating tasks. Despite the many benefits of mobile access control, it is unlikely to replace physical smart cards in the coming years. Instead, mobile access credentials inside NFC-enabled smartphones will co-exist with cards and badges, so that organizations can implement a choice of smart cards, mobile devices or both within their physical access control system (PACS).
Ranjit Nambiar is Director, Identity and Access Management, South Asia, HID Global
Opinion
Certification for certification’s sake: Following the letter sans the spirit
Yes, 27k seems to be the new kid on the block. Everyone wants one, whether to prove one's security or to divert attention from the lack of it. Let us start with a few true stories. I get a call from a friendly IT Manager who wants to be ISO 27001 certified 'immediately', as they have to bid for a contract and the certification is a prerequisite. When told this is not an off-the-shelf product, he says there must be 'ways' of getting the certificate and needs help. Eventually, he found some friendly agency that issued him a certificate for Rs 95,000. A friend is the country head of an offshore data centre (ODC) for a US-based, NASDAQ-listed corporation. When asked whether they are ISO 27k certified, he says that they did have some security stuff done a couple of years earlier but he is not sure what. We walked around the office trying to locate the certificate. We found it in the data center; he was happy the company was 27k certified but could not tell me whether he was compliant or not. He did know that he had faced a few questions, but that was it. A conversation witnessed by a friendly consultant while at the office of a certification body: IS manager: 27k certification ka kya bhav padhega? (What will a 27k certification cost?) Sales Manager at certification body: Which 27k? Is it for food safety? IS manager: No, no. 27k is for security. Sales Manager at certification body: Oh wait, let me check my list. The SM took an appointment to meet the ISM and they settled the deal for Rs 40k. The IT Act and subsequent amendments, the RBI and industry bodies recognize ISO 27k certification as evidence of 'reasonable security practices' in an organization. This seems to have elevated the standard to the level of an Eleventh Commandment from God. God sayeth, we doeth. Well, it is easy for God to say stuff, but unfortunately this stuff is not easy for humans to comply with. Compliance might feel like penance, or an exercise in denial, something totally unacceptable in normal life or business. As a nation, we have an obsession with certifications. Degrees and certificates of all types are treasured; who cares about the value so long as it looks official and impressive enough to be framed and hung on the wall. As a result, organizations implement controls as per the standard with an eye on successful certification. In doing so, they overlook the fact that the standard was created as guidance for enabling good processes. It is a given that if you have managed and structured processes in place, aligned to the guidance provided by the ISO 27k standards, you will breeze through the certification audit. Then there is the L-1 mentality: place the order with the lowest bidder. Purchasers get the feeling of having scaled Mount Everest on beating down a vendor's price. The buyer must realize that there is no free lunch and can expect the vendor to deploy a low-cost, inexperienced consultant for the ISO implementation. Thus the effectiveness of the security implementation is suspect from the word go. Organization heads do not realize what they have lost when the ISO 27k certification is just a paper chase. Controls are considered business roadblocks, and nothing could be further from the truth, because an effective ISO 27k implementation gives manifold value in productivity, regulatory compliance, lower downtime and a number of other benefits. All this contributes to savings in resources and, as they say, money and effort saved is money earned.
Establish perspective
A CXO needs to be clear about the certification's objective and must understand the benefits of effective control implementation. For instance, someone did a risk-based IT asset inventory but did not consider the role of the asset user and did not tie the inventory to asset lifecycle management. What you have is incomplete, and will carry risk at several points in the lifecycle, during reassignment, repair, upgrading or retiring, since no one will know whether what is moving into or out of the organization is sensitive. Another area is compliance: effective implementation of ISO controls facilitates compliance with regulatory or policy requirements in the normal course of control design. Once operational, these controls ensure compliance and eliminate major stress areas for any organization. Threat vectors are becoming more sophisticated, and it is necessary to make sure that these risks are addressed continuously with the deployment of the best practices and controls recommended by the standard(s) or frameworks. The mantra should be "have effective controls, certification will automatically follow" rather than having a certification that is not worth the paper it is printed on.
Dinesh Bareja is an independent security analyst and CEO, Open Security Alliance
Opinion
Addressing the hacking dilemma
Corporate hacking can occur at any time at any endpoint, making data vulnerable anywhere. Whether from smartphones, laptops, tablets or desktops, access to valuable information that puts critical data at risk is on the rise. According to Verizon's Data Breach Investigations Report (DBIR) 2013, external attacks are largely responsible for data breaches, with 92 percent attributable to outsiders and 14 percent committed by insiders. The outsider category includes organized crime, activist groups, former employees, lone hackers and even organizations sponsored by foreign governments. Of all the breaches Verizon investigated and analyzed, hacking leads the pack among attack methods. In fact, hacking was a factor in 52 percent of data breaches, and the majority of victim organizations were not specifically targeted but simply happened to be low-hanging fruit at the time.
What are organizations dealing with?
Hackers are more or less like actors performing on a stage that could very well be 'the Internet'. Other major players on this platform include cyber criminals with financial motives, phishers who use social tactics for personal gain, and skimmers who use fraudulent methods to steal payment card data. Hacktivists in particular are less inclined towards financial gain and stick to an agenda. They could be compared to terrorists in the way they carry out attacks.
Aligning public image with corporate ethics
To avert such attacks, organizations need first to understand that security is an ongoing effort, not a one-time fool-proof solution that can be implemented permanently. Only then will they be able to address their security needs with effective security infrastructure components such as firewalls, intrusion detection sensors and antivirus systems, all of which need to be monitored on an ongoing basis. The first defense organizations need to adopt is to survey the landscape of hacktivists: which ones are targeting the organization, and if so, why? Management will need to check whether the corporate ethos needs revisiting, and ensure that the communication effort with employees and other stakeholders actually reflects what the company believes in.
Protecting what matters most
If hackers are collaborating more than they have in the past, then the security community as a whole, organizations included, will need to do a better job of making sure that only the best practices are adopted and that an early warning system is instituted. Making key business-critical decisions about where to spend limited security dollars is the biggest challenge that any security leader currently faces. It is imperative that organizations think about exactly what assets need to be protected and which attributes of each asset in particular are worth protecting.
Innovation in technology allows information to flow freely
Successful companies will embrace new business trends in ways that benefit the business, while balancing the additional risks. To achieve this balance, IT leaders will need to continue to track both advances in technology and changing business needs. Security risks must be continually assessed, and security leaders will need to be diligent about managing and mitigating risks. In the end, 100 percent security cannot be guaranteed, nor is it a reasonable expectation. Each company will need to sit down for an informed discussion about the risks and costs involved in addressing security concerns and the level of restrictions to be built into security policies. Security that initially resided in the back room of IT will now take center stage in corporate boardrooms.
Strength in unity is strength in security
It is the job of the organization to make attacks extremely expensive, hard and rare for the bad guys. That means there is an ability to drive up the attackers’ cost by working together. Employees can make checklists — and they should. Organizations can deploy data-centric applications — and they must. Companies can be intelligence-driven, but one of the most important aspects that they must understand is that multiplicative strength can be achieved only when there is a united stand. It is only through united efforts that the community will be able to stand as one, and that unity will translate into strength in security.
John Hines is President, India and South East Asia, Verizon Enterprise Solutions
june 2013 informationweek 55
Opinion
Policy-driven network configuration management critical to security
V Balasubramanian
Let’s take a look at how organizations can ensure network security by adopting an automated approach to network configuration management
Enterprises make huge investments in procuring network infrastructure and employ highly skilled professionals to manage and administer it. Typically, a few administrators manage a large infrastructure. The configurations of network devices are crucial from the standpoint of network security: they contain sensitive information such as access credentials, SNMP settings and Access Control Lists (ACLs). Attackers always look for easy holes in switches, routers, firewalls and other devices on the perimeter to gain illegal access to the network, and due to a lack of processes we unknowingly simplify the intruder’s job. Business needs are in a constant state of flux, and administrators must respond to them, often by changing the configurations of network devices, which is a sensitive and time-consuming task. It requires specialized knowledge, familiarity with all types of devices from different vendors, awareness of the impact of changes, precision and accuracy. Unfortunately, most enterprises, big and small, rely on manual processes for network configuration management. Manual configuration changes are fraught with the risk of errors that result in network downtime. In addition, a trivial error in a configuration could have a devastating effect on network security, giving room to hackers and malicious users. As the number of devices grows, administrators find it difficult to respond to business priorities that require frequent configuration changes, compounding the possibility of errors.
Flaws in security settings
Assume that a department in your organization requests a temporary relaxation in the ACL of a router in production to attend to an urgent business requirement. How do you handle this case? Normally, in most enterprises, such requests are immediately accepted and the change in the ACL is deployed. But due to a lack of processes, the relaxation is not rolled back even after the business requirement has been met. The relaxation is forgotten and stays on forever, inviting hackers to gain illegal access to the network. If relaxations in security settings such as ACLs, SNMP communities and routing protocols are not properly handled, intruders could easily gain access and expose confidential data, divert traffic to a fraudulent destination and even sabotage network operations. If you manage a large number of network devices, enforcing a manual process to take care of the security controls in device configurations will be cumbersome and error-prone.
Rapidly responding to security alerts
Network administrators working on production networks involving a large number of network devices will often have faced a situation similar to the one below:
- The Cisco Product Security Incident Response Team (PSIRT) publishes an important security alert
- It releases an advisory suggesting a firmware upgrade of routers
- The security issue on hand is quite serious and urgent, and cannot be ignored
- Impact assessment of devices suggests that a firmware upgrade of more than 1,500 routers has to be done immediately
Effectively managing risk is an important aspect of network security. But a manual process for reacting to security alerts is not only time-consuming, but also error-prone. In the above example of rolling out a firmware upgrade on 1,500 devices, even a fairly big team of network administrators will require several man-days to accomplish the task manually, during which the network would remain largely vulnerable to attacks.
Access Controls
In multi-member work environments, network administrators often have to access and deploy configuration changes to devices in production. This requires collaboration among the administrators and consistency in rolling out configuration changes. As outlined above, most enterprises rely on manual processes for network configuration management. That means all administrators get access to all the devices and deploy configuration changes according to their own style and preferences. In the absence of collaboration and consistency, the manual approach to deploying configuration changes might lead to security vulnerabilities. In addition, allowing all administrators to roll out configuration changes to live equipment would be disastrous, especially when someone who is not so familiar with the various syntaxes attempts to carry out changes; it is always prudent to reserve such changes for review and approval by senior administrators. In other words, role-based controls are vital for allowing administrators to carry out changes. In the traditional, manual approach there is no way to enforce such access controls and approvals.
End-of-Life Management
When a device vendor announces end-of-life for a particular device model, it is highly important to assess the potential risks associated with continuing to use the device. For end-of-life (EOL) models, the vendor may not offer support: your router or switch may hang or suffer performance deterioration, and when you raise a support ticket the vendor might not be in a position to help because of end-of-support. The device (say, a firewall) might face a security vulnerability for which you cannot expect a patch from the vendor. Numerous other issues might crop up from time to time even if the device is working properly at present. So network management experts always advocate replacing devices that have reached end-of-life status. In addition, IT regulations that lay stress on network security put a cap on using outdated models to ensure that the network remains in top shape. If a device that is working very well is categorized as end-of-life by the vendor, it would be prudent to de-link it from production and redeploy it for development or testing purposes. But when you have so many devices, how do you track the maintenance details? How do you know whether a particular device has reached end-of-sale, end-of-life or end-of-support?
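As an added example covering both the advisory-response scenario above (which devices does a PSIRT-style advisory actually affect?) and the end-of-life tracking question, here is an inventory-driven check in Python. It is not vendor or ManageEngine code; the inventory, model names, firmware versions, advisory identifier, affected version ranges and lifecycle dates are all invented placeholders.

```python
"""Advisory impact assessment and lifecycle tracking from a device inventory.

Added example for the security-alert and end-of-life passages; it is not
vendor, PSIRT or ManageEngine code. The inventory, the advisory's affected
version ranges and the vendor lifecycle table are constructed samples; model
names, version numbers, the advisory id and the dates are placeholders.
"""
from datetime import date

INVENTORY = [  # constructed: one record per managed device
    {"host": "core-01", "model": "RTR-X100", "version": "12.4.3"},
    {"host": "edge-07", "model": "RTR-X100", "version": "12.2.9"},
    {"host": "edge-08", "model": "RTR-X200", "version": "15.1.2"},
    {"host": "lab-03",  "model": "RTR-L50",  "version": "11.3.0"},
]

# Constructed advisory: per model, firmware >= low and < fixed is affected.
ADVISORY = {
    "id": "ADV-EXAMPLE-001",
    "affected": {
        "RTR-X100": ("12.0.0", "12.4.5"),
        "RTR-L50": ("11.0.0", "11.4.0"),
    },
}

# Constructed vendor milestones (placeholder dates).
LIFECYCLE = {
    "RTR-X100": {"end_of_sale": date(2011, 1, 1), "end_of_life": date(2014, 1, 1),
                 "end_of_support": date(2016, 1, 1)},
    "RTR-L50": {"end_of_sale": date(2008, 1, 1), "end_of_life": date(2011, 1, 1),
                "end_of_support": date(2012, 6, 30)},
}

TODAY = date(2013, 6, 1)  # assessment date for the sample run


def parse_version(v):
    """Dotted version string -> tuple of ints, so "12.10.0" sorts after "12.4.5"."""
    return tuple(int(p) for p in v.split("."))


def affected_devices(inventory, advisory):
    """Hosts whose model and firmware fall inside the advisory's affected range."""
    hits = []
    for dev in inventory:
        rng = advisory["affected"].get(dev["model"])
        if rng is None:
            continue
        low, fixed = (parse_version(x) for x in rng)
        if low <= parse_version(dev["version"]) < fixed:
            hits.append(dev["host"])
    return hits


def lifecycle_status(inventory, lifecycle, today):
    """Map host -> furthest milestone reached; 'unknown' if the model is untracked."""
    status = {}
    for dev in inventory:
        ms = lifecycle.get(dev["model"])
        if ms is None:
            status[dev["host"]] = "unknown"  # untracked model: needs a lookup, not silence
        elif today >= ms["end_of_support"]:
            status[dev["host"]] = "end-of-support"
        elif today >= ms["end_of_life"]:
            status[dev["host"]] = "end-of-life"
        elif today >= ms["end_of_sale"]:
            status[dev["host"]] = "end-of-sale"
        else:
            status[dev["host"]] = "supported"
    return status


def unpatchable(inventory, advisory, lifecycle, today):
    """Affected hosts already past end-of-support: no fix can be expected, so replace or isolate."""
    status = lifecycle_status(inventory, lifecycle, today)
    return [h for h in affected_devices(inventory, advisory)
            if status[h] == "end-of-support"]


if __name__ == "__main__":
    print("affected by", ADVISORY["id"], ":", affected_devices(INVENTORY, ADVISORY))
    print("lifecycle:", lifecycle_status(INVENTORY, LIFECYCLE, TODAY))
    print("unpatchable:", unpatchable(INVENTORY, ADVISORY, LIFECYCLE, TODAY))
```

Two details matter in practice: versions are compared numerically (a plain string comparison would rank "12.10.0" below "12.4.5" and miss affected devices), and a model missing from the lifecycle table is reported as unknown rather than treated as supported.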
Policy-driven, Automated Approach: The Way Out
Automating the entire life cycle of network configuration management helps in minimizing risks and eliminates manual errors
The best solution to overcome these problems and ensure network security is to automate the entire life cycle of network configuration management. Network Change and Configuration Management (NCCM) software solutions help administrators define policies containing standard security settings for device configurations. The security standard comprehensively defines the settings that are allowed or not allowed, the traffic-filtering settings, protocols and other vital controls, and the NCCM solution checks the configurations for compliance with the defined policy. Violations are immediately escalated. Apart from helping to minimize risks, eliminate manual errors and bolster security, the automated approach saves cost, time and resources, enabling administrators to concentrate on other productive aspects of network management.
V Balasubramanian is Marketing Manager (IT Security Solutions), ManageEngine
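As an added illustration of the policy check this column describes, and of the forgotten ACL relaxation from the earlier section, here is a small compliance checker in Python. It is not ManageEngine's or any NCCM product's code; the policy rules, the two IOS-style configurations, the hostnames, SNMP community strings, the exception register and the dates are all constructed for the example.

```python
"""Policy-driven configuration compliance check with expiring exceptions.

Added example for the ACL-relaxation and NCCM policy passages; it is not
ManageEngine or any vendor's code. The policy, the two IOS-style device
configs and the exception register are constructed samples (hostnames,
community strings and dates are invented placeholders).
"""
import re
from datetime import date

# Constructed policy: every device must carry the "required" lines verbatim,
# and no line may match a "forbidden" pattern.
POLICY = {
    "required": [
        "service password-encryption",
        "no ip http server",
        "ip ssh version 2",
    ],
    "forbidden": [
        r"^snmp-server community (public|private)\b",  # default SNMP strings
        r"^transport input (all|telnet)\b",             # clear-text management
        r"^access-list \d+ permit ip any any\b",        # wide-open ACL entry
    ],
}

# Constructed exception register: a relaxation is tolerated only while an
# approved, dated exception covers it. An expired entry is the "forgotten
# relaxation" the column describes, so it is reported rather than suppressed.
EXCEPTIONS = [
    {"device": "edge-rtr-01", "match": "access-list 110 permit ip any any",
     "approved_by": "sr-netadmin", "expires": date(2013, 5, 31)},
]

ROUTER_A = """\
hostname edge-rtr-01
service password-encryption
no ip http server
ip ssh version 2
snmp-server community Ex4mpl3-RO RO
access-list 110 permit tcp any host 10.0.0.5 eq 443
access-list 110 permit ip any any
line vty 0 4
 transport input ssh
"""

ROUTER_B = """\
hostname edge-rtr-02
no ip http server
snmp-server community public RO
line vty 0 4
 transport input telnet
"""

CONFIGS = {"edge-rtr-01": ROUTER_A, "edge-rtr-02": ROUTER_B}
TODAY = date(2013, 6, 15)


def config_lines(text):
    """Drop comments, blank lines and indentation so patterns can anchor at ^."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("!")]


def check_config(device, text, policy, exceptions, today):
    """Return the findings for one device, each a dict carrying a severity."""
    lines = config_lines(text)
    raw = []
    for required in policy["required"]:
        if required not in lines:
            raw.append(("missing", required))
    for pattern in policy["forbidden"]:
        rx = re.compile(pattern)
        raw.extend(("forbidden", ln) for ln in lines if rx.search(ln))

    findings = []
    for kind, detail in raw:
        exc = next((e for e in exceptions
                    if e["device"] == device and e["match"] in detail), None)
        if exc is None:
            findings.append({"device": device, "severity": "violation",
                             "kind": kind, "detail": detail})
        elif exc["expires"] < today:
            findings.append({"device": device, "severity": "expired-exception",
                             "kind": kind, "detail": detail,
                             "approved_by": exc["approved_by"],
                             "expired": exc["expires"].isoformat()})
        # A current, approved exception suppresses the finding.
    return findings


def audit(configs, policy, exceptions, today):
    """Check every device; whatever comes back is what an NCCM tool would escalate."""
    return {dev: check_config(dev, text, policy, exceptions, today)
            for dev, text in configs.items()}


if __name__ == "__main__":
    for dev, findings in audit(CONFIGS, POLICY, EXCEPTIONS, TODAY).items():
        for f in findings:
            print(f"{dev}: [{f['severity']}] {f['kind']}: {f['detail']}")
```

Run as a script it prints one line per finding. The exception register is the point: a relaxation is only ever tolerated with an owner and an expiry date, so the ACL entry that would otherwise be forgotten resurfaces as an expired-exception finding instead of silently staying open.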
Opinion
Policy formulation a must for secure enterprise mobility
Data and transaction security is of utmost importance in this age of a rapidly expanding and emerging Internet economy. Enterprises have begun considering mobility to provide a mobile workplace for their employees. Enterprise mobility allows an executive to make timely decisions while boosting productivity. However, the transition towards being a mobile-enabled entity has its own challenges, the first hurdle being security, which is known to slow down decision making and execution.
Security: the need for it
Administrators normally find that putting together a security policy that restricts both users and attacks is time consuming and costly. Users also become disgruntled at heavy security policies that make their work difficult for no discernible reason, causing bad politics within the company. A common attitude amongst users is that if no secret work is being performed, why bother implementing security? Businesses need to determine the price they are willing to pay in order to protect data and other assets. That cost must be weighed against the cost of losing information and hardware and disrupting services. The idea is to find the correct balance. If the data needs minimal protection and its loss is not going to cost the company, then the cost of protecting that data will be low. If the data is sensitive and needs maximum protection, then the opposite is normally true.
The threat vectors
What are the various security threats that are unique to mobile devices, and what are the ways to mitigate them? Addressing mobile security issues requires both the establishment of policies and the implementation and enforcement of those policies via a combination of technological solutions. Enterprises can face security threats at multiple levels, mainly if enterprise data is compromised on the employee’s device and when enterprise backend systems are made publicly available for mobile devices to connect over the Internet. Usually several device management policies are already in place to ensure that the interests of the enterprise are secured. However, on devices provided by the enterprise, where a completely secure solution is intended, a lot of device features are blocked by the enterprise. This ensures security, but user experience is compromised. Hence, employees prefer using personal devices for official use — BYOD. Nevertheless, for BYOD precautionary measures need to be taken to isolate personal data from enterprise data while the user has access to all the device features. When employees bring their own devices to work and use them to share files and data inside and outside the office, it is difficult for IT to maintain visibility and control.
A policy for mobility
There are many aspects to consider when developing enterprise mobility policies from the ground up. The focus on mobile security and management needs a firm grasp of your company’s high-level mobility goals. The applications and services that you provide for your users will largely depend on the problems you’re trying to solve or the efficiencies you’re attempting to achieve through mobility. Considerations must also be taken based on whether you are managing only company-owned devices, employee-owned devices, or a combination of both. Once the core requirements of your mobility plan have been determined, you can move on to assembling the policies and tools that will allow you to secure and manage your mobile community. Emerging technologies that benefit the mobile workforce are a boon for enterprise productivity. Ensuring that the security threats these technologies bring with them do not compromise critical corporate assets is about empowering IT departments and employees with tools that address security concerns yet give employees the access and usability they’ve come to expect. While the considerations addressed here are really just the tip of the iceberg, understanding your enterprise mobility audience and goals, along with informed planning of your mobility policies, will go a long way towards enabling a successful mobility pilot program and eventual full mobility rollout.
Sunil Lalwani is MD – BlackBerry India
Feature
How hackers fool your employees
Attackers are taking aim at the weakest point in your network: human beings. Do you know how to protect your data?
By Ericka Chickowski
Pop quiz time: Which endpoint vulnerability is a hacker most likely to exploit to gain access to your enterprise network resources? It’s not some unpatched Windows flaw or browser vulnerability. It actually isn’t any technology at all. Your most vulnerable endpoint is the technology user a few cubes over. People are nothing more than another operating system, says Lance Spitzner, Training Director for the Securing The Human Program at SANS Institute. “Computers store, process and transfer information, and people store, process and transfer information,” he says. “They’re another endpoint. But instead of buffer overflows, people suffer from insecure behaviors.” Hackers send phony messages crafted to look legitimate, and your employees click on the malicious attachments and links. The bad guys leave infected USB sticks in company parking lots that employees find and plug in just to see. Employees log on to compromised wireless networks to access corporate assets. There’s a huge number of insecure behaviors along with a great many ways hackers exploit them. Of course, your organization has anti-phishing technology to stop malicious messages from getting to users’ inboxes, as well as vulnerability management suites that secure all those flaws that hackers exploit. And you have plenty of anti-malware software. But these products aren’t perfect, nor are the deployments and practices around them. Well-designed phishing messages stream past filters. The bad guys look for previously undetected technological vulnerabilities they can exploit with the help of unsuspecting users. They regularly develop new malware variants that anti-malware engines fail to detect. And they come up with sneakier ways to hide malicious software in messages and on the web. In all these cases, the last line of defense is the employee who gets the malicious e-mail or lands on the infected website. If companies don’t address the vulnerable humans they employ, they’re setting themselves up for failure. Letting people fall into the mindset that the IT guys have this covered is what leads to a false sense of security, says Rohyt Belani, CEO of security training firm PhishMe. Most big companies that get breached inevitably are using anti-malware or
anti-phishing software, he says, “so either the technology providers are lying to their clients or they’re not 100 percent effective.” Penetration testers will tell you that most security failures come in the form of e-mail, and their most powerful hacking tool isn’t some low-level network exploit tool. “The most powerful pen test tool is Outlook,” SANS’s Spitzner says. Ninety-one percent of targeted attacks between February and September last year involved spearphishing tactics, according to Trend Micro, an Internet content security vendor. Those attacks have evolved way beyond the bank phishing attacks of yesteryear. Attackers now take time to make detailed plans, research targets and develop or buy malicious exploits that raise as little suspicion as possible. If they can slip their attack mechanism past the victim’s technical defenses, it can remain on the user’s machine long enough for the attacker to make forays into the network it’s connected to. Conversational phishing is the latest attack trend. The victim gets multiple e-mails “that make it look like there’s a human on the other end and that it’s part of an e-mail thread,” PhishMe’s Belani says. The attacker knows enough about the victim and his interests to convince him that, say, they had met at a busy convention such as RSA. From there, the attacker tells the victim about a blog post that he’d surely be interested in and attaches an infected version. The attacker even sends a follow-up message asking the user if he had a chance to look at the blog. “Now you’re subconsciously convinced that it’s a real human being so you open that document,” Belani says. “The bad guys have been doing that for at least the last six months.” And these attacks are becoming more sophisticated, says Mike Murray, Managing Partner for MAD Security, which does incident response and awareness training. In one instance about a year ago, a nation-state-level attacker went after an executive at one of MAD Security’s clients, as well as four other executives at other organizations. The attacker did extensive research, likely on LinkedIn, and knew that the five executives regularly worked together on projects, Murray says. Using that knowledge, the hacker crafted five different e-mails, each of which looked like an e-mail from one of the five colleagues to the rest of the group referencing a fictional meeting the recipient had missed. That message included a malicious attachment that was the supposed agenda for the fake meeting. Each e-mail had a made-up thread to make it appear there had been a flurry of responses back and forth among the rest of the group. “Tell me that you wouldn’t have opened that? If it was five people you work with normally?” Murray says. “Every single person I know would have opened that, me included.”

5 Security Training Essentials
- Trainers should cover common hacker tricks.
- Discuss how social engineering works and what tricks to watch for.
- Everyone uses e-mail, so cover the basic do’s and don’ts.
- Password hygiene is another basic that everyone needs to understand.
- Go over secure data handling practices.

How the bad guys got in
Which types of security breaches or espionage have occurred in your company in the past year?
                                                           2012   2011
Malware (i.e., viruses, worms, botnets)                     68%    78%
Phishing                                                    51%    46%
Theft of computers or storage devices                       28%    30%
Web or software applications exploited                      27%    28%
Compromise of database, content or data management system   21%    19%
Operating system vulnerabilities attacked                   21%    31%
Denial of service                                           18%    27%
Physical break-in                                            9%     8%
Data: InformationWeek Strategic Security Survey of 183 business technology and security professionals at companies with 100 or more employees in March 2012 and 219 in March 2011 experiencing a security breach within the past year
Social Engineers: Human Flaw Finders
Conversational phishing is just one of several social engineering tricks attackers use. On physical sites, they’ve dressed up as deliverymen to bluff their way into corporate buildings in order to plant key loggers, steal data-storing equipment and gather valuable intelligence. On the phone, they’ve posed as tech support people to fool users into spilling their corporate credentials. And online, attackers send spearphishing messages and flood search engines and social media with links to infected fake news articles. Using these tactics, they manipulate users into stumbling into attacks and take advantage of users’ bad habits, such as reusing passwords. If an attacker can get his hands on a user’s banking password through a phishing campaign or by compromising a bank’s user-name and password database, and then find out where that user works, he may have what he needs to log into the corporate network. Social engineers take full advantage of our proclivity to be complacent, SANS’s Spitzner says. People aren’t aware that they’re targets, and they unwittingly help attackers by putting very public clues about themselves online, he says. “It’s people putting bits and pieces here and there, not realizing that when the bad guys harvest all that information, they now have a complete picture,” Spitzner says. That picture lets attackers write e-mails full of cues that create a false sense of legitimacy. People with a dominant public profile on social media stand a 50 percent greater chance of being spearphished than the average corporate user, Trend Micro says. Attackers aren’t just conducting research on Facebook, LinkedIn and Twitter. They’re combing through target organizations’ websites seeking information they can use against employees, including partner announcements and logo lists boasting the company’s high-profile clients. “They have the time to do the research,” says Tim Rohrbaugh, Chief Information Security Officer at Intersections, an identity risk management services provider. “They can figure out relationships between departments and managers through social media. They’re reading filings, they’re sorting out those partner lists and they’re crafting messages that are very, very close to what a legitimate message would look like.” Even more troubling, features such as the Facebook Graph social search engine give hackers even more information to exploit, MAD Security’s Murray says. He predicts that in just a few years, attackers will develop automated workflows to mine social graphs that craft phishing messages with very little human intervention. On LinkedIn, it’s already possible to write a quick script that scrapes the service, grabs all the people a target knows and crafts phishing e-mails from them to you or you to them, he says.
The Great Education Debate
The security community doesn’t agree on the best way to counter social engineering attacks. Some experts say the answer is more user-awareness training. Others argue that awareness training has failed. “I personally believe that training users in security is generally a waste of time and that the money can be spent better elsewhere,” Bruce Schneier, Chief Security Technology Officer at BT, recently wrote. Users don’t have a clear understanding of the threats, Schneier says. Instead of designing systems that force them to learn more complex ways of looking at their computers and the threats around them, we should design ones that conform to the way they currently view the threats, protecting them where they are. It’s a heated debate that can upset people on opposing sides. For instance, one RSA conference presenter conducted a class on “how to patch stupidity,” Spitzner says. “He explained why people are stupid, how they’re stupid and how to fix stupid. It was a very emotional talk for me, because how can you sit there and insult the very people who can end up helping us? That’s something I’m desperately trying to change.” MAD Security’s Murray offers another reason security pros have difficulty embracing the human element of defense: They’re not people people. “Most of us were nerds. We got into hacking and all this geeky stuff because we didn’t like people,” he says. “We weren’t captain of the football team or the popular kids in school, so we get really uncomfortable when someone says ‘Security is a people problem. Go talk to your people.’”

Spearphishing dirty work
Most targeted spearphishing attacks use malicious attachments rather than webmail exploits or links to malicious websites.
Targeted emails with attachments      94%
Targeted emails without attachments    6%
Data: TrendMicro’s “Spear-Phishing Email: Most Favored APT Attack Bait” report, 2012
Risk Mitigation And Early Detection
The truth is that no security tool, technical or otherwise, will eliminate 100 percent of the risks. But that doesn’t diminish tools’ power. Cutting back on risk is a key goal of awareness training. Phishing susceptibility rates can fall to 8 percent from 58 percent through regular immersive training, whereby users are forced to deal with simulations of real threats, PhishMe’s Belani says. With untrained employees, the attacker could send two e-mails and probably avoid detection, Belani says. “Now the attacker has to send more like 50 e-mails, and there’s a chance that the technology will actually catch that,” he says. And with sophisticated spearphishing and scamming, the goal isn’t prevention but early detection. “The faster you detect that really sophisticated attacker, the less time they have to really create a foothold and the more quickly you can get your organization into response mode and try to eradicate that infection,” Murray says.
Take the executive conned by the fake e-mail chain from four colleagues. The saving grace was that soon after the attack, he suspected something smelled rotten about the e-mail thread and contacted his IT department. Fostering such a mentality can turn those so-called stupid users into smart ones, Spitzner says. “These are scientists, doctors, lawyers, accountants, researchers. They’re not stupid,” he says. “It’s just that we’ve never done a good job of educating them. When we teach them to detect and report, people become a detection system to improve organizational resilience.” Spitzner points to Mitre, a government contractor that develops the Common Vulnerabilities and Exposures list. Mitre has had great success with its own “human sensor awareness program.” Employees now detect about 10 percent of the advanced attacks after they’ve slipped by technology defenses. That percentage may not seem like much, but considering that these are employees from all walks of life sniffing out attacks that most security technologies couldn’t detect, it’s a meaningful boost. Companies don’t always fully assess the effectiveness of their anti-phishing programs, Spitzner says. They look for a drop in the number of people who fall victim to phishing, but they don’t count the dramatic increase in the number of phishing e-mails employees report. Employees generally take such programs when they’re hired and then annually thereafter to satisfy regulatory requirements. But without patience, creativity and consistent messaging, these programs will fail. You want to take advantage of teachable moments when people have just been burned, Rohrbaugh says. “Those are the times when you can make an evangelist for the security department,” he says.

Most valuable security practices
Identity or password management                                                     50%
End user security awareness training                                                49%
Patch management                                                                    42%
Log analysis, security information management, vulnerability analysis or research    8%
Virus or worm detection and analysis                                                35%
Incident response                                                                   26%
Monitoring employee behavior                                                        15%
Researching new threats                                                             13%
Written responses to audit items                                                     4%
Data: InformationWeek 2012 Strategic Security Survey of 946 business technology and security professionals at companies with 100 or more employees, March 2012
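The article’s point that an awareness program should be judged by how many people report a phish and how fast, not only by the drop in victims, can be made concrete with a small metrics script. This is an added example, not PhishMe, MAD Security or Mitre code; the campaign event log below is constructed, and the user names and timestamps are placeholders.

```python
"""Scoring a simulated-phishing exercise by reports and detection time, not clicks alone.

Added example for the human-sensor passage; it is not PhishMe, MAD Security
or Mitre code. The event log is a constructed sample for one campaign.
"""
from datetime import datetime

# Constructed events: (timestamp, user, action); action is delivered/clicked/reported.
EVENTS = [
    ("2013-06-03T09:00:00", "alice", "delivered"),
    ("2013-06-03T09:00:00", "bob", "delivered"),
    ("2013-06-03T09:00:00", "carol", "delivered"),
    ("2013-06-03T09:00:00", "dave", "delivered"),
    ("2013-06-03T09:00:00", "erin", "delivered"),
    ("2013-06-03T09:00:00", "frank", "delivered"),
    ("2013-06-03T09:04:00", "bob", "reported"),
    ("2013-06-03T09:07:00", "alice", "clicked"),
    ("2013-06-03T09:12:00", "frank", "clicked"),
    ("2013-06-03T09:15:00", "alice", "reported"),
    ("2013-06-03T09:20:00", "erin", "reported"),
    ("2013-06-03T09:30:00", "carol", "clicked"),
]


def campaign_metrics(events):
    """Return click rate, report rate, minutes to first report and who needs follow-up."""
    parsed = [(datetime.fromisoformat(ts), user, action) for ts, user, action in events]
    delivered = {u for _, u, a in parsed if a == "delivered"}
    clicked = {u for _, u, a in parsed if a == "clicked"}
    reported = {u for _, u, a in parsed if a == "reported"}
    if not delivered:
        raise ValueError("no delivered events; nothing to measure")
    sent_at = min(t for t, _, a in parsed if a == "delivered")
    report_times = [t for t, _, a in parsed if a == "reported"]
    # Time to first report is the early-detection figure: how long the
    # responders had to wait before anyone gave them a signal.
    first_report = ((min(report_times) - sent_at).total_seconds() / 60
                    if report_times else None)
    return {
        "delivered": len(delivered),
        "click_rate": len(clicked) / len(delivered),
        "report_rate": len(reported) / len(delivered),
        "minutes_to_first_report": first_report,
        # Clicked and never reported: the coaching targets, not a blame list.
        "clicked_no_report": sorted(clicked - reported),
        # Clicked but then reported: still a useful sensor, and a teachable moment.
        "clicked_then_reported": sorted(clicked & reported),
    }


if __name__ == "__main__":
    for key, value in campaign_metrics(EVENTS).items():
        print(f"{key}: {value}")
```

Tracking the report rate and the time to first report across successive campaigns shows whether the population is becoming a detection system, which the click rate alone does not reveal.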
Marketing Security
Turning “clueless” employees into effective human sensors takes patience, creativity and consistent messaging, elements missing from most security training programs.
But don’t wait around for bad things to happen. Institute incremental training that teaches employees how to spot phishing messages, the fundamentals of handling data securely, the basics of good password hygiene, and enough background on threats to persuade them to pay attention. “We learn best through immersion and experience,” Belani says. “So let’s immerse people in the experience but do it in a controlled manner. When we’re sending them a simulated phish, it’s not like, ‘Ah, got you, stupid!’ We tell them: Anyone can fall for this. We’re here to hand-hold.” Whichever method you use, it should be bite-sized and regular enough to make a difference. One word of caution: Message users with warnings and simulated phish e-mail too often, and you risk losing their interest. And whatever you do, make the message interesting. The very term “security training” sets the tone for snooze-worthy content, Murray says. It’s why both he and Belani advocate that we take a page from marketers. “We’re not training our users. We’re marketing to them,” Murray says. “Marketers attempt to change the behavior of users with respect to how they buy things. We are trying to get them to ‘buy’ security. … In this case, my product is: Don’t click on that link.” At the end of the day, whether you call it security marketing, behavioral modification or security awareness training, the goal is the same: Find ways to help users stop being so easy to fool. Source: DarkReading
Event
Security thought leaders converge to discuss emerging threats
The 4th annual India Computer Security Conference (ICSC), held at the Leela, Kovalam in Kerala, between May 8 and 11, saw participation from eminent corporate information security leaders, who met for three days to share ideas, address leading issues and network. The theme of this year’s conference revolved around challenges in dealing with tighter regulatory mandates, even tighter budgets, scarcity of competent manpower and the veritable galaxy of emerging security threats that are assaulting Indian enterprises today. The conference, which was organized by UBM, is presently in its 4th successful year and continues to see increasing participation from security leaders and practitioners from the Indian information security domain. This year’s event was graced by Janardhana Swamy, Member of Parliament from the Chitradurga Lok Sabha Constituency, Karnataka and Dr A S Ramashastri, CGM DIT, Reserve Bank of India as keynote speakers. Capt. (retd.) Felix Mohan, Global CISO and CIO (Bangladesh & Sri Lanka) at Bharti Airtel delivered the keynote on the second day. (Excerpts from the keynotes follow this report.) Spread over three days, the event boasted knowledge sessions and panel discussions covering a wide gamut of topics within the information security domain, particularly relevant to India. The first day saw a panel discussion on ‘Organized cybercrime in India: Ground zero reality.’ An exploration into organized cybercrime in the country in the context of the rise in sophisticated cybercrime globally in 2011-12, the panel was moderated by Dayananda Bannikal, IPS, IGP – Economic Offences Wing; CID, Karnataka Police. Panelists included Dr. Onkar Nath, CISO, Central Bank of India; Subramanian V, CISO, IDBI; Nabankur Sen, CISO, Axis Bank; and Sunder Krishnan, CRO, Reliance Life Insurance. The second day saw several knowledge sessions including a session on ‘Embracing mobility in today’s enterprise environment,’ presented by Pradeep Eledath, Vice President, Safe++ Technology Services and a session on ‘Intellectual Property Protection: Best practices,’ presented by Amit Pradhan, CISO, Cipla. A workshop on ‘Corporate governance and risk management,’ was
also conducted by Sundar Ramaswamy, Director - Management Consulting, KPMG India. Panel discussions on the second day included a power-packed panel on ‘The convergence of compliances and certifications - The way forward,’ which looked at the broad range of compliances, certifications and frameworks that enterprises are aligning themselves with today, and the inevitable convergence and consolidation that must follow. The panel discussion was moderated by Rajesh Thapar, GEVP & CISO, Yes Bank and saw participation from Felix Mohan of Bharti Airtel; Burgess Cooper, CISO, Vodafone; AR Vijay, Vice President & Global Information Security Leader, Genpact; Sunil Varkey, CISO and Head -IRMC, Wipro; Rahul Sharma, Consultant, DSCI; and Paul Niranjan Babu Gollamudi, Principal Systems Engineer, Symantec, as panelists. This session in particular saw a lot of participation and appreciation from the audience. The second panel discussion for day two was titled ‘Is BYOD relevant for Indian enterprises in the long run?’ An exploration into the hype that has existed around this catch-phrase for the past couple of years, the panel proposed to explore the long-term significance and implications of BYOD to the Indian enterprise. This discussion was moderated by Subrahmanya Boda, GM – IT Security & Governance (CISO), GMR Group and panelists included Satish Warrier, AVP Information Security - Corporate Audit & Assurance, Godrej Group; Pankaj Aggarwal, ex-CISO, Aircel; Satish Das, CSO & VP - Security Practice and Business Continuity, Cognizant Technologies; Sunder Krishnan, CRO, Reliance Life Insurance; and Alison Higgins-Miller, Vice President - Asia Pacific, Websense. The panel made several pertinent observations on the nitty-gritties around BYOD in the Indian enterprise and was well received. The third and final day of the conference saw one session on ‘Demystifying the myths of cloud security,’ delivered by Nabankur Sen, CISO, Axis Bank and a fourth panel on ‘Information security and social media: Retail concerns.’ This panel looked at the security concerns around the social media marketing explosion and explored the inherent risks of leveraging social media and its implications. This panel was moderated by Siddharth Vishwanath, Executive Director, PricewaterhouseCoopers, and the panelists included Ashish Chandra Mishra, CISO, Tesco HSC; Gopakumar Panicker, CISO, Shoppers Stop; Satish Warrier of Godrej Industries; and Ruchin Kumar, Security Evangelist, SafeNet. All sessions will be available on demand on the ICSC website (www.icsc.in) shortly. Excerpts from the keynotes follow:

Photo: (L-R) Ruchin Kumar, Security Evangelist, SafeNet; Ashish Chandra Mishra, CISO, Tesco HSC; Siddharth Vishwanath, ED, PricewaterhouseCoopers; Gopakumar Panicker, CISO, Shoppers Stop; and Satish Warrier, AVP IS- Corporate Audit & Assurance, Godrej Group

Photo: (L-R) Sunil Varkey, CISO, Wipro; Burgess Cooper, CISO, Vodafone; Paul Niranjan Babu Gollamudi, Principal Systems Engineer, Symantec; Rajesh Thapar, GEVP & CISO, Yes Bank; Felix Mohan, Global CISO and CIO (Bangladesh & Sri Lanka), Bharti Airtel; AR Vijay, VP & Global Information Security Leader, Genpact; Rahul Sharma, Consultant, DSCI
Government’s role in evolving security landscape
The 4th Annual ICSC was kicked off by a captivating keynote address on the role the government has to play in the evolving security landscape. The keynote was delivered by Janardhana Swamy, MP representing the Chitradurga Lok Sabha Constituency in Karnataka, who is a rare combination of a technologist turned politician. During his keynote Swamy, highlighting certain gaping holes in the Indian political scenario, said that most of the long-term projects such as national security and defense are today not getting the highest priority from the government since it takes more than 5 years for these to actualize and start showing results. Hence, the ruling government generally has a tendency to ignore such important but long-term projects and in turn focus on short-term goals that would keep the voters happy till the next election. To put security back on the government’s radar, Swamy put the onus on the security technology solution providers who, according to him, need to change the preconceived notion that the government isn’t approachable. “I urge the security industry and the government to come together and have an open dialogue with each other in order to understand the difficulties and challenges that the security industry is facing, the changes that need to be brought in the policies and the laws that need to be enacted in the parliament in such a way that the industry gets to do its job, and the end user gets what he wants,” he said. Swamy, highlighting the lack of focus on R&D in the security arena, said, “Nowadays serious R&D is not being done since amongst the security technology solution providers, achieving quick revenue and returns in a particular quarter gets importance, while the much needed serious research is ignored. I think this is where government should step in and fund groups who should carry out research in interest of the nation and mankind.” The keynote sparked off a lot of interest amongst the delegates as, being a technocrat, Swamy genuinely understood the challenges that the security industry is facing and was quite vocal about how and where government can step in to support them.

Photo: Janardhana Swamy, MP from the Chitradurga Lok Sabha Constituency, Karnataka
It’s time for CISOs to move from reactive to preventive security
The second keynote of Day one was delivered by Dr A S Ramasastri, Chief General Manager-in-Charge, DIT, RBI who elaborated on some interesting pointers on the role of the CISO within an organization. One of the first things he explained in his session was that the job of securing the enterprise IT should ideally not be entrusted to a CIO or physical security officer but to an information security specialist who has the rare knack of sensing what is going wrong and spotting any abnormality in the processes, almost immediately. He elaborated that CISOs need to understand that cyber attackers today are resorting to innovative ways and the security threat landscape is constantly evolving. He said that in order to tackle these challenges there is a need to now move from the traditional methodology of resorting to reactive methods after
a security breach has happened to various preventive methods that have the intelligence to sense well in advance any attempts to breach enterprise security and shoot out alerts to the CISO before the hackers can do too much damage to the systems. “Today many new technologies like fuzzy logic, artificial intelligence are evolving which can do pattern recognition and throw an alert to the CISO whenever there is any exception,” he said. On the basic steps CISOs should take to ensure enterprise security, Dr. Ramasastri advised, “Prepare good policies and operational guidelines. Make them available to all and create awareness amongst customers, facility managers, technology professionals and internal users about the same. Build processes to monitor and observe exceptions on a real-time basis.”
Photo: Dr A S Ramasastri, Chief General Manager-in-Charge, DIT, RBI
He advised that the CISOs can’t afford to get complacent at any point of time and that they need to be alert and updated always, to confront any impending security breach. He said that they need to take all possible steps to fence the enterprise IT into a secure digital fortress, which is guarded under the watchful eyes of CISOs.
CISOs need to step up as business enablers
The second day of ICSC was kickstarted by Felix Mohan, Senior VP & Global CISO, Airtel with a topical keynote on how the emerging trends of social media, cloud computing, mobility and Big Data — famously called the Nexus of Forces by Gartner — are fast rendering the traditional enterprise security technologies absolutely obsolete and are necessitating the CISOs to resort to far more sophisticated security solutions. During the keynote Felix highlighted that CISOs need to evolve from their traditional role because today the Nexus of Forces is pushing the CISOs to act as business enablers accountable to the company’s profitability. Elaborating on this he said, “For the enterprises to obtain competitive advantage from these disruptive forces, the business requires CISOs to upgrade their mental attitude from locking down things to managing risks. Business wants the CISOs to say yes to the Nexus of Forces and facilitate the adoption of these by solving the security puzzle, so that the business can benefit from it.” Sharing pointers on the key areas CISOs should be focusing on, to tackle these emerging issues, Felix said, “In the current environment, there are no perimeters and the apps are spread all over. Hence, CISOs should focus on building identity as the perimeter

Photo: Felix Mohan, Global CISO and CIO (Bangladesh & Sri Lanka) at Bharti Airtel
and creating a layer and an infrastructure within the enterprise that ensures that controls such as next-generation firewalls and networking devices are all identity aware. Also, CISOs should look at federation as another key focus area, since the federation layer is the important secure link between the external network and the internal network.” Urging the CISOs to focus on infusing context into security decisions he added, “Contextual awareness — be it location or time — is extremely important as context determines the level of trust which can be accorded to a particular activity, and the trust level determines how much security needs to be there.” He opined that, considering the widened spectrum of security risks, there is a pressing need for the CISOs to adopt security models that are based on adaptive intelligence and are context aware.
Analyst Angle
Server virtualization: Top 5 security concerns
Eric Ahlm

Let’s take a look at how server virtualization can impact network security

Server virtualization is a mature technology, providing a foundation for cloud computing and cost-effective, greener data center projects. It is safe to say that server virtualization is well on its way to becoming mainstream and enterprises will continue to seek ways to expand their server virtualization practices. It is important to understand the trends that not only drive virtualization itself, but how they can impact network security.
1. Virtual servers can create security blind spots
A key benefit of server virtualization is the layer of hardware abstraction it creates between x86 hardware and the operating system. The list of benefits this brings to server administrators is quite measurable and has a significant business impact. A by-product of this layer of abstraction created by server virtualization is that the networking layer is now also virtualized. Virtual network interfaces are created on each virtual host that plugs into a virtual switch controlled by the hypervisor. The challenge is that not all network security controls have visibility into the virtual network that resides in the hypervisor. This can create blind spots in security controls that are monitoring only the physical network. Attacks that happen on the virtual switch will go undetected until they happen on a physical network with security controls. Any security control that depends on detecting information of interest from the network is ineffective in the virtual switch unless the control itself resides or can see the data traffic in the virtual network.
2. Inserting non-virtual network security into a virtual network can “break the cloud”
Using non-virtualized network security controls certainly is a viable method to add security to a virtual server environment. The challenge arises when the insertion of non-virtual network security controls adds an additional cost burden to server consolidation, slows business agility or otherwise inhibits the business from benefiting from server virtualization. A key business driver for server virtualization is physical server reduction. A crucial metric for server reduction is the density of virtual servers to physical server hardware. The denser, the better the cost savings, and therefore, the business will always drive for consolidating more servers together. This presents a problem for security teams when servers with different zones of trust are asked to share the same virtual environment. Although not new, as virtualization and server consolidation continue to become mainstream, security providers will be expected to align technologies toward business goals of cost savings.
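Concerns 1 and 2 above can be turned into a simple inventory check that a security team can run against its own virtualization data. The script below is an added example, not code from the article or from Gartner. It runs on a constructed VM inventory and lists the VM pairs whose traffic stays inside a virtual switch with no virtual-network sensor (the blind spot from concern 1), the virtual switches that carry more than one trust zone (the consolidation problem from concern 2), and the segments where a virtual sensor would close the gap. The host names, switch names, zones and the set of monitored switches are all assumptions made for the example.

```python
"""Coverage check for a virtualized network (added example, constructed data)."""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class VM:
    """One virtual machine and where its virtual NIC plugs in."""
    name: str
    host: str      # hypervisor host
    vswitch: str   # virtual switch on that host
    zone: str      # trust zone, e.g. dmz, internal, pci


# Constructed sample inventory; hosts, switch names and zones are made up.
INVENTORY = [
    VM("web-01", "esx-a", "vswitch0", "dmz"),
    VM("web-02", "esx-a", "vswitch0", "dmz"),
    VM("db-01", "esx-a", "vswitch0", "internal"),
    VM("app-01", "esx-b", "vswitch1", "internal"),
    VM("app-02", "esx-b", "vswitch1", "internal"),
    VM("pci-01", "esx-c", "vswitch2", "pci"),
]

# Constructed: (host, vswitch) pairs that have a sensor inside the virtual
# network (a virtual IDS or a mirrored port on the vSwitch). Every other
# segment is assumed to be watched only by controls on the physical network,
# which see traffic only once it leaves the host through an uplink.
MONITORED_VSWITCHES = {("esx-b", "vswitch1")}


def segment(vm):
    """The (host, vswitch) pair identifies one virtual network segment."""
    return (vm.host, vm.vswitch)


def blind_spot_pairs(inventory, monitored):
    """VM pairs whose mutual traffic never leaves an unmonitored vSwitch.

    Traffic between two VMs on the same host and vSwitch is forwarded by the
    hypervisor and never reaches a physical uplink, so a physical-only control
    cannot see it. Cross-host pairs are not reported: their traffic crosses
    the physical network where existing controls can inspect it.
    """
    return [
        (a.name, b.name)
        for a, b in combinations(inventory, 2)
        if segment(a) == segment(b) and segment(a) not in monitored
    ]


def mixed_zone_segments(inventory):
    """Map (host, vswitch) -> set of zones for segments carrying more than one trust zone."""
    zones = {}
    for vm in inventory:
        zones.setdefault(segment(vm), set()).add(vm.zone)
    return {seg: z for seg, z in zones.items() if len(z) > 1}


def unmonitored_segments(inventory, monitored):
    """Segments with two or more VMs and no virtual-network sensor: where a sensor is needed."""
    counts = {}
    for vm in inventory:
        counts[segment(vm)] = counts.get(segment(vm), 0) + 1
    return sorted(seg for seg, n in counts.items() if n >= 2 and seg not in monitored)


if __name__ == "__main__":
    for a, b in blind_spot_pairs(INVENTORY, MONITORED_VSWITCHES):
        print(f"blind spot: {a} <-> {b} traffic is invisible to physical controls")
    for (host, vsw), zones in mixed_zone_segments(INVENTORY).items():
        print(f"mixed trust zones on {host}/{vsw}: {sorted(zones)}")
    for host, vsw in unmonitored_segments(INVENTORY, MONITORED_VSWITCHES):
        print(f"needs a virtual-network sensor: {host}/{vsw}")
```

On the constructed data the check reports that the two web servers and the database on esx-a/vswitch0 can talk to each other without any physical control seeing the traffic, that this same switch mixes the dmz and internal zones, and that it is the one segment where a virtual sensor (or a separation of the zones onto different switches) would close the gap. Feeding the functions a real inventory export is the only change needed to use it against a live environment.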
3. Security restrictions against server consolidation
Server virtualization benefits are so big for a business that continuing to work outside that model could lead to career suicide for enterprise security managers and is a situation they are likely to attempt to avoid. Gartner believes enterprise security teams are expected to enable the cost reduction, rapid deployment and server agility for as many virtual server assets as possible. Security technology providers should understand the dire situation their buying centres are facing and address those concerns in product messaging. For example, when marketing a virtual security technology, highlight the capabilities it can bring the business equal to the security functionality it has. This will better align with IT security managers who are in the role of server virtualization enablement.
4. Security transportability for virtual servers
Organizations seek the benefit of being able to use third-party infrastructure-as-a-service (IaaS) providers to further drive down server costs. The business benefits for doing this can be exceptionally strong, such as an online retailer only needing peak server capacity for a few months of the year to handle holiday shopping. Although this is not a new concept and is one that businesses consume today, server-specific security restrictions such as PCI can keep certain servers from participating in this model and keep the business from getting the most out of these cost-saving options. Security technology providers need to address the business concern for security continuity and transportability between IaaS providers. This would allow organizations to move more assets to IaaS providers otherwise restricted by security concerns. An ideal scenario for enterprise security teams is to set the security or compliance requirements once for a virtual server, and know that security continuity happens in any environment that can enforce their policy needs. A model such as this presents an opportunity for security technology providers to once again extend the benefits of virtualization to assets in an organization otherwise restricted because of security concerns.
5. Vulnerability in the hypervisor can compromise network security
Using a virtual switch creates a new risk vector, with trust now dependent on the vendor that is providing the virtual switch fabric.
Simply put, a vulnerability in the hypervisor could bypass all network security that resides in it. A similar risk exists with the concept of the virtual environment’s “super admin” that could override virtual network access controls without impediment. Due to these massive risks, security controls that ensure the integrity of the hypervisor are essential for network security that resides in the virtual network. For security technology providers, this means that security controls should include capabilities to continuously monitor the hypervisor, or partnerships should be formed with those that can continuously monitor. Many security teams will take the view that monitoring should come from a third party (not the virtualization vendor itself) and provide some capabilities for being out of band to the attack plane. At some point in the not-so-distant future, the number of virtual switch ports will greatly outnumber the number of physical network ports. This means virtual switches will have a larger footprint in the enterprise than the physical network. Network security TSPs must plan for this eventuality and ensure their market relevance to their customer base, which is adopting larger and larger virtual networks. A VM instance of a physical security appliance is of some value; however, it does not equal virtual network security. Virtualizing a security appliance can allow some benefits, such as server appliance reduction, rapid customer product evaluations or quicker sales cycles (because of rapid product evaluations), but these might not be the big benefits most customers are seeking. Security TSPs need to ensure they are enabling the core virtualization benefits their customers are seeking, and that the role their security technology plays in the value statement is easy to understand.
Eric Ahlm is Research Director, Gartner
Global CIO
Have you really started a mobile strategy?
Chris Murphy

An app isn’t a strategy

You probably have an app. But do you really have a mobile strategy for how those apps fit into your business model? Is there a plan for keeping the creative energy focused on your apps so customers drool instead of mock? How are you building the in-house skills and collaboration to meet expectations that get higher with every smartphone and mobile game that’s launched? Are you giving employees mobile capabilities that make them anywhere near as efficient running their business lives as their personal lives? “The mobile experience at any company is driven by the first person who claimed it,” said Gaston Legorburu, Chief Creative Officer for SapientNitro, speaking at the Wells Fargo Tech Transformation Summit held recently. Often it’s marketing or customer service that grabs that lead role. Or it’s pretty much everyone. “In a lot of organizations, you have 27 mobile apps with different corporate sponsors with no cohesive strategy,” Legorburu said. I heard several other things at the summit that got me thinking about how companies need a new sense of urgency in embracing mobile computing for their customers and employees. Salesforce.com Co-founder Parker Harris talked about how the vendor is now thinking mobile first, and even phone first, when developing new features. It struck me that Salesforce — whose customer base of sales and market pros is among the most mobile at any company — is only now putting mobile at its center, even if it’s ahead of most other enterprise software vendors. Another person who got me thinking about mobile was BigMachines CEO David Bonnette. BigMachines software helps salespeople configure, price and quote deals. By setting price parameters, the software can help salespeople close deals with less back-and-forth for approvals with managers. And it can help prevent salespeople from offering
would-be customers deals that are too good to be true — or profitable. Bonnette cited a customer that put BigMachines on its tablets to let salespeople close deals while the prospect’s still in front of them. The point Bonnette left unsaid: Are companies doing enough to take advantage of that mobile-accessible data?
Mobile State Of Mind
More companies need Walgreens’ “mobile first” mindset, which doesn’t actually mean always making mobile projects the first priority. Walgreens has gone through what I’ll characterize as the “throw an app against the wall” strategy. It wouldn’t put things so harshly, but CTO Abhi Dhar says that when the drugstore chain first started working on mobile apps, it focused, like most companies, on cost-effectiveness, since Walgreens didn’t have in-house mobile talent. As a result, those apps underwhelmed. So, Walgreens set a goal: Every mobile app it develops will earn at least four stars in Apple’s app store. It moved one of its most senior e-commerce pros to oversee mobile. It put everyone working on mobile — engineering, customer experience, product development, marketing, finance — in one space. So Walgreens evolved to what Dhar calls a “mobile first” approach to development. That doesn’t mean Walgreens always develops the mobile app before a web app, but it’s an expectation that teams at Walgreens consider mobile possibilities at the first step of any initiative, whether online or in-store. Walgreens still has far to go. You can’t use a mobile to easily tell Walgreens you’ve arrived at a store and are open to getting a coupon, or open to seeing updates on new products. But it has the mobile-first mentality that just might make such advances possible.

Chris Murphy is Editor of InformationWeek. Write to Chris at cjmurphy@techweb.com
Down to Business
HP’s Hinshaw at center of 5-year turnaround plan
Rob Preston

As the leader of both IT and operations, John Hinshaw is uniquely positioned to get HP back on track

Talk about jumping from the frying pan into the fire. John Hinshaw joined Hewlett-Packard a few months ago just as his former employer, Boeing, was struggling to get its flagship Dreamliner 787 off the ground and HP was flailing under its third CEO in a year. Things are starting to look up for the Dreamliner, which recently resumed commercial service, with a domestic Ethiopian Airlines flight, following years of delays culminating with the grounding in January of the entire 50-aircraft 787 fleet because of battery problems. At HP, meantime, the five-year turnaround plan initiated by CEO Meg Whitman last year has entered its second year, as financial results start to show signs of progress even if board turnover continues to distract the world’s largest (USD 120 billion in fiscal 2012 revenue) IT vendor. Under Whitman’s turnaround plan, 2012 was about diagnosing problems and shoring up HP’s process and infrastructure foundation. This year is about fixing those problems and rebuilding, before HP heads into the recovery and expansion parts of its strategy in fiscal 2014 and beyond. At the center of HP’s turnaround plan is Whitman’s very first executive hire, Hinshaw. As executive VP of technology & operations, he oversees six broad areas encompassing 50,000 employees and contractors: the IT organization (now led by former Kimberly-Clark CIO Ramon Baez and the four business unit CIOs who report to Baez and to their business unit heads); shared services (such as payroll and marketing collateral); real estate (including data and operations centers); security (virtual and physical); sales operations (process
and compensation); and global procurement. Hinshaw says his operations responsibilities are a natural fit with his IT oversight, and he sees CIOs at other companies moving in this direction so that “IT-business alignment” is more of a starting point than an end goal. Expansion of the CIO role now tends to start at the “CIO-plus” level, he says: CIO plus procurement, for instance, or CIO plus shared services. He thinks it will go even broader. Beyond aligning internally with business units, CIOs must start meeting more with end customers, Hinshaw insists. He estimates that he now spends 30 percent to 40 percent of his time doing just that, in his role as tech vendor as well as IT leader, though he concedes that he spent only about 10 percent of his time during his four-and-a-half years at Boeing meeting with its airline and government customers. “Today’s CIO must be out with customers as much as possible,” Hinshaw says. “They must make the time.” In terms of HP’s internal IT, former CIO Randy Mott, now at General Motors, laid a “good foundation,” Hinshaw says, by consolidating 85 company data centers to six, and 6,000 applications to about 1,200, while requiring a rigorous cost-benefit analysis of every new IT project. But Hinshaw says that strategy focused too much on streamlining systems and not enough on improving system capabilities. And those cost-benefit analyses, he says, focused too much on internal goals, such as cutting the time it takes to deliver an IT project, and not enough on business goals, such as helping the sales team shorten the time it takes to turn around a quote for a customer.
Along those lines, Hinshaw oversaw what he calls the largest-ever deployment of Salesforce.com software-as-a-service, rationalizing the tools and processes for 30,000 sales reps worldwide. He maintains that only 7 percent of HP’s salespeople gave the company’s previous on-premises Siebel CRM software a satisfactory rating, while 70 percent give the new Salesforce.com system and process a thumbs-up. Granted, that’s another internal metric, but he says the improved satisfaction among HP’s sales team will lead to faster product delivery times and improved customer service. SaaS is now the default software model at HP, Hinshaw says, owing mostly to the speed with which it can be deployed at large scale (HP’s 30,000 seats were live in 18 months), its cost flexibility and the relative ease of upgrading. HP’s sales team, for instance, will get a Salesforce.com upgrade four or five times a year, compared with every 18 to 24 months with the Siebel software. Elsewhere, HP will complete a 330,000-seat deployment of Workday’s HR SaaS by the end of this year, a system that will get upgraded four times a year. HP’s use of DocuSign SaaS for paperless management of contracts already has cut the time it takes the company to sign up a new distributor from about five weeks to four days, Hinshaw estimates. HP’s also using Fieldglass SaaS to size up service vendors vying for HP’s business and then procure services. And HP is evaluating BigMachines SaaS to accelerate its quote-to-cash process, as well as SaaS providers for billing and travel/expense management. As for the company’s global deployment of on-premises SAP software, which HP calls the largest on the planet, Hinshaw says MRP/ERP in the cloud at “HP scale” isn’t quite ready for prime time. But he thinks it will be in three to five years. HP is also a voracious user of its own tech products — and an unabashed self-promoter of that
usage. In the area of Big Data, for instance, it says it’s using its own Vertica product to analyze clickstream data to better understand shopping behavior and patterns on HP.com. It’s also using Vertica to identify and group common sequences that lead to product warranty events, in an attempt to reduce warranty costs. Apart from this, it’s using its Autonomy software to prioritize its high volume of end-of-quarter orders according to profit margin and other factors so that the most profitable and important orders don’t spill into the next quarter. Besides Big Data, the other three technology megatrends in HP’s current world are cloud, security and mobility. But it’s not promoting itself as the be-all-and-end-all in each segment — it’s more rounded in security and Big Data, for instance, than it is in mobile and cloud. As for breakthrough innovations, Hinshaw called out HP’s Moonshot ARM servers and 3Par StoreOnce Backup systems. The company’s turnaround goes much deeper than products. It’s a hugely complex undertaking that requires turning a bureaucratic, culturally hidebound behemoth into a growth-oriented innovator worthy of its two legendary founders. Hinshaw says the culture was “confused” when he joined the company. Among the steps HP is taking to promote an entrepreneurial culture: All offices at the Palo Alto, Calif., headquarters, including those of the top execs, are now cubicles, encouraging co-workers to stop by or shout over a wall rather than plod through endless e-mail strings or secure time on each other’s calendars. “It really speeds our decision-making,” Hinshaw says. HP has also formed a group called the “bureaucracy busters,” whose 20 dedicated people from HR, IT, finance and shared services have started crowdsourcing ideas submitted by employees for improving the way the company conducts business. It’s a start. Hinshaw says customers want to see three main things from HP right now: stability and a consistent strategy (which it has had for 18 months); renewed product innovation (there are signs, but the jury’s still out); and “one HP face” as they buy from multiple company units (Hinshaw’s role across the organization is helping to grease those skids). Even longer term, what HP also needs to build is an identity. Under the Mark Hurd regime, it was mostly about cost cutting and efficiency. Under the short-lived Leo Apotheker era, it was about exiting the PC and mobile device businesses (Whitman later pulled back) to focus on higher-margin software and services. Whitman, who Hinshaw calls “the hardest-working boss I ever had” and someone “who can fly at 100,000 feet as well as 500,” seems content with maintaining HP’s product diversity while emphasizing speed, agility and customer focus. The company’s laying the groundwork, but the heavy lifting is far from over.
Rob Preston is VP and Editor-in-Chief of InformationWeek. You can write to Rob at rpreston@techweb.com.