CISO Platform's Posts (224)

Threat Assessment and Mitigation Checklist

The network security industry recommends that an organization periodically perform risk modeling, assessment and risk management to anticipate and take proactive measures against threats.

While this is a noble venture, a recent Internet search for “risk assessment” returned over 38 million results. Many of these risk-modeling processes include methods to calculate the cost of risk mitigation compared with the cost of recovery should the risk occur, and various ways to determine the return on investment (ROI) of the risk assessment and mitigation process. Some of these solutions are so convoluted and abstract as to be almost unworkable.

What is needed is a simple-to-operate risk modeling and assessment process and checklist.


2012 Trend and Risk Report

Over the past year, the IT security space has generated numerous mainstream headlines. From the discovery of sophisticated toolkits with ominous names like Flame to cross-platform zero-day vulnerabilities, both consumers and corporations were inundated with advisories and alerts regarding emerging threats. The frequency of data breaches and incidents, which had already hit a new high in 2011, continued its upward trajectory.

  • While talk of sophisticated attacks and widespread distributed denial-of-service (DDoS) attempts made the year’s headlines, a large percentage of breaches relied on tried and true techniques such as SQL injection. What continues to be clear is that attackers, regardless of operational sophistication, will pursue a path-of-least-resistance approach to reach their objectives.
  • Integration of mobile devices into the enterprise continues to be a challenge. In the previous report, we looked at some of the pitfalls and perils of implementing BYOD programs without strict formulations of policy and governance to support the use of these devices. That said, recent developments have indicated that while these dangers still exist, we believe mobile devices should be more secure than traditional user computing devices by 2014.
  • While this prediction may seem far-fetched on the surface, it is based on security control trends and requirements that are being driven into the market by knowledgeable security executives. In this report, we explore how security executives are advocating the separation of personas or roles on employee-owned devices. We also discuss some secure mobile application development initiatives that are taking place today.
  • The distribution and installation of malware on end-user systems has been greatly enabled by the use of web browser exploit kits built specifically for this purpose. Exploit kits first began to appear in 2006 and are provided or sold by their authors to attackers who want to install malware on a large number of systems. They continue to be popular because they provide attackers a turnkey solution for installing malware on end-user systems. Java vulnerabilities have become a key target for exploit kits as attackers take advantage of three key elements: reliable exploitation, unsandboxed code execution, and cross-platform availability across multiple operating systems. Java exploits became key targets in 2012 and IBM X-Force predicts this attack activity to continue into 2013.

  • As we reported at mid-year, spam volume remained nearly flat in 2012, with India becoming the top country of origin for spam distribution, but the nature of spam is changing. Broadly targeted phishing scams, as well as more personalized spear-phishing efforts, continue to fool end users with crafty social-engineering email messages that look like they come from legitimate businesses. Fake banking alerts and package delivery service emails have also been effective, as attackers refine their messages to look like the authentic messages customers would normally receive. Whether the target is individuals or the enterprise, once again we remind readers that many breaches were the result of poorly applied security fundamentals and policies and could have been mitigated by putting some basic security hygiene into practice.
  • Web applications are still topping the chart of most-disclosed vulnerabilities, rising 14% in 2012 over the 2011 end-of-year numbers. As reported earlier in the mid-year report, cross-site scripting (XSS) dominated the web vulnerability disclosures, at 53% of all publicly released vulnerabilities. Although SQL injection remains a top attack technique, the number of newly disclosed SQL injection vulnerabilities remains below the 2010 peak we recorded.

  • Social media has changed our lives with new ways to connect, personally and professionally. From this constant availability of information about individuals, attackers can readily access data to use in their activities. Now, more than ever, individual employees who share personal details in their social profiles can be targeted for attacks.

Breaches are daily. And we all know that every device is compromised; to what extent remains a mystery!

The security experts believe that being ready for the battle can make the journey smoother. Learn the optimal plan to reduce the risks and know what to do in case of a breach.

What's in the Report? 

  • What’s happening across the threat landscape?
  • What kinds of attacks are being launched?
  • How many of those attacks result in incidents requiring investigation?
  • Top security breach cases: why and how?
  • Top 10 Checklist to Control & Mitigate Risk

How was this Report Made?

This report is based on the cyber security event data IBM collected between 1 April 2012 and 31 March 2013 in the course of monitoring client security devices, as well as data derived from responding to and performing forensics on cyber security incidents. Since client profiles can differ significantly across industries and company sizes, IBM has normalized the data for this report to describe an average client organization as having between 1,000 and 5,000 employees, with approximately 500 security devices deployed within its network.

An Overview on Cloud Security

Cloud adoption is an inevitable choice in today’s dynamic environment, yet many organizations are hesitant to fully leverage the benefits of the cloud because of concerns about data loss and unauthorized access.

Today cloud services are broadly offered in three models, popularly known as IaaS (Infrastructure as a Service), PaaS (Platform as a Service) and SaaS (Software as a Service). Over the past several years, concern over cloud computing security, and its impact on regulatory compliance, has consistently ranked as the most common reason for avoiding further use of this style of computing. Improving attack resistance, enhancing reliability and increasing risk transparency remain crucial to widespread enterprise use of cloud computing. Perhaps somewhat surprisingly, the cloud delivery model is being used to deliver a growing number of security-critical tasks. For example, several different forms of secure delivery platforms, used to share highly proprietary or regulated data, are based on public cloud models. A growing variety of security services are also being delivered from the cloud, some intended to improve the robustness of the enterprise, and some intended to improve the attack resistance of other cloud-based services.

Various Popular Cloud Security Solutions available

  • Cloud Based Secure Web Gateway
  • Cloud Based Application Security Testing
  • Cloud Based Multitenant SOC (SIEM) services
  • Cloud Based Secure Email Gateway
  • Cloud Based MDM Solutions
  • IAM as a Service

Types of organization needing such a solution

Businesses of all sizes can leverage the cloud to increase innovation and collaboration and to focus on their core competency rather than worrying about the infrastructure and application stack. For small and mid-sized businesses, cloud computing allows time-constrained IT teams to operate more efficiently. For large enterprises, the cloud provides the ability to scale up or down to respond quickly to changing market conditions.

Key drivers for adoption

  • Scalability: scale up and down as required
  • Reliability: strict SLAs
  • Availability: redundant infrastructure
  • Ease of implementation
  • Increased ROI
  • Reduced TCO
  • Enhanced security controls
  • Published compliance guidelines

Compliance, regulations and standards that make the solution mandatory

Various standards and compliance regimes such as PCI DSS, ISO 27001 and SAS 70 mandate enhanced security controls for organizations. The recent and ongoing introduction of standards for cloud security practice and assessment represents the most significant development in dealing with concerns about cloud security. The Cloud Security Alliance (CSA), an international organization with both end-user and vendor participation, represents the most active effort on the part of IT and security specialists to improve the state of the art of cloud computing risk management; the CSA document "Security Guidance for Critical Areas of Focus in Cloud Computing" is arguably the definitive framework of risk issues that need to be specifically addressed in the cloud computing context.

Top technology trends for the above domain

Considering the various benefits that come with cloud adoption, these solutions will continue to gain ground in the coming years. A clear trend is visible for enterprises to migrate from in-house to cloud for all of their non-mission-critical services and applications, as also predicted by Gartner’s independent study of cloud security. Ironically, the biggest beneficiaries are cloud solutions in the area of security assessment and assurance, i.e. cloud-based application security, IAM, MDM and SIEM solutions.

-By Saurabh Kaushik, Head IT Security, Lupin Ltd.


By Rohit Kachroo, CISO, Indiabulls

Top steps during the implementation of a privacy-related project

Identification of the information and other assets whose privacy must be protected is the first concern any organization should address when a new client project comes on board. Once confidential assets are identified, an owner should be identified who takes full ownership of and responsibility for maintaining privacy, and who can respond to situations requiring urgent attention, such as business continuity incidents. Records of the users of these assets, with their requirements and the nature of their use, should be maintained in a standard form and reviewed periodically. Once the information audience is identified, the storage locations and the processes for maintaining these assets need to be established. Physical access control on information storage locations should be implemented to prevent unauthorized access. Asset owners manage user access to these assets by allowing only authorized users and provisioning access on a ‘need to know’ basis only. Periodic review of access to these assets should be performed to check for unauthorized access. If required, deploy solutions for monitoring these information assets in real time, whether data is stored on servers, transmitted over the network or processed in applications. In addition to these controls, perform a risk assessment of these information assets to identify potential threats and vulnerabilities that could expose the data to unauthorized access and use, or that could lead to a breach of privacy. The result of the risk assessment shows the areas to work on and improve, so that one can act proactively to mitigate risks that could result in a privacy breach.

What are the top implementation mistakes or learnings?

A common mistake in the implementation phase of a project is in controlling privileged access to the supporting IT infrastructure, which can lead to a breach of privacy. Information is stored on centralized servers and accessed by a large number of end-user systems, and managing privileged access to this critical IT equipment is crucial. Once data or other assets are identified for maintaining privacy, identifying their audience, the people who will access and use these assets on a daily basis, is equally important. Managing access to these platforms for a number of users according to their roles and responsibilities is again important, but is not taken very seriously. Another control that is generally missed is the review of logical access to these information assets at a predefined interval. Ignoring access reviews can at some point lead to unauthorized access to critical data. If an access review process is not in place, employees whose role has changed, who have moved to another process or who have left the organization may still have live and active access to those platforms, which gives them access to information for which they are no longer authorized. A lot of information security breach incidents in industry are attributed to this issue.

Another issue that is missed or not taken seriously by many organizations is the retention of clients’ confidential information. Implementing processes for maintaining information throughout its life cycle, and for securely disposing of it when it is no longer required, is often missed both in contracts with clients and in the actual handling of projects.

What are the top challenges faced during such an implementation?

One of the main challenges faced when implementing new projects and addressing privacy is managing access to data so that only authorized users have it, based on their current roles and responsibilities, and managing that access as their roles change. At the IT infrastructure level, the network is segregated to keep the data on a dedicated network by creating a VLAN (virtual LAN). Maintaining data on a separate VLAN requires extra attention to accessibility and availability issues, which requires additional manpower for maintenance work. If data is being transmitted, encryption is another control that needs to be in place to maintain confidentiality. To protect data at rest, device encryption should also be implemented. But as additional privacy measures increase the burden on accessibility, a balance should be maintained when going for controls like encryption of data in transit and encryption of data at rest. This can also impact the availability of critical resources when they are required. Hence the balance between confidentiality, integrity and availability of information assets should be addressed by defining the criticality of the data and the impact if it is compromised. We implement controls based on the priority and severity of the risks identified, which helps us to work on the high-risk areas first. Another challenge that is very critical to address is being compliant with the applicable laws and regulatory requirements of the project concerned. Addressing legal and other regulatory requirements is something that cannot be overlooked.
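The access-review gap described in both answers above (leavers and role-changers keeping live entitlements, and accounts with no current owner) is easy to check mechanically once the HR roster and the system's access list can be exported and compared. The Python below is an added example written for this page, not part of the article above; the role-to-entitlement map, user records and entitlements are constructed sample data, and a real review would pull these exports from the identity store and the HR system.

```python
"""Stale-access review: reconcile system entitlements against the HR roster.

Added illustration, not from the article. All records below are constructed
sample data; the role-to-entitlement map is a hypothetical policy.
"""
from dataclasses import dataclass
from datetime import date

# Hypothetical role model: which entitlements each current role may hold.
ROLE_ENTITLEMENTS = {
    "claims_processor": {"claims_app:read", "claims_app:write"},
    "claims_auditor": {"claims_app:read", "audit_db:read"},
    "dba": {"claims_db:admin", "audit_db:admin"},
}


@dataclass(frozen=True)
class HrRecord:
    user: str
    role: str
    status: str          # "active" or "terminated"
    role_changed: date   # date the current role became effective


@dataclass(frozen=True)
class Entitlement:
    user: str
    entitlement: str     # "<system>:<privilege>"
    granted: date
    enabled: bool


# Constructed HR export: bilal moved from processor to auditor, chen has left.
HR = {
    "asha":  HrRecord("asha",  "claims_processor", "active",     date(2021, 3, 1)),
    "bilal": HrRecord("bilal", "claims_auditor",   "active",     date(2023, 1, 15)),
    "chen":  HrRecord("chen",  "dba",              "terminated", date(2020, 6, 1)),
}

# Constructed access-list export from the application and database platforms.
ENTITLEMENTS = [
    Entitlement("asha",  "claims_app:read",  date(2021, 3, 2), True),
    Entitlement("asha",  "claims_app:write", date(2021, 3, 2), True),
    Entitlement("bilal", "claims_app:read",  date(2022, 2, 1), True),
    Entitlement("bilal", "claims_app:write", date(2022, 2, 1), True),    # left over from old role
    Entitlement("bilal", "audit_db:read",    date(2023, 1, 16), True),
    Entitlement("chen",  "claims_db:admin",  date(2020, 6, 2), True),    # leaver, still live
    Entitlement("svc_legacy", "audit_db:admin", date(2019, 1, 1), True), # nobody in HR owns it
]


def review_access(hr, entitlements):
    """Return (user, entitlement, finding) tuples for every live grant that needs action."""
    findings = []
    for e in entitlements:
        if not e.enabled:
            continue                      # already revoked, nothing to do
        rec = hr.get(e.user)
        if rec is None:
            findings.append((e.user, e.entitlement, "no_hr_owner"))
        elif rec.status != "active":
            findings.append((e.user, e.entitlement, "leaver_still_active"))
        elif e.entitlement not in ROLE_ENTITLEMENTS.get(rec.role, set()):
            # Granted before the current role took effect: carried over from a previous role.
            kind = "stale_from_previous_role" if e.granted < rec.role_changed else "outside_role"
            findings.append((e.user, e.entitlement, kind))
    return findings


def revocation_list(findings):
    """Grants to disable now. Ownerless accounts are excluded: they need an owner assigned first."""
    return sorted({(user, ent) for user, ent, kind in findings if kind != "no_hr_owner"})


if __name__ == "__main__":
    found = review_access(HR, ENTITLEMENTS)
    for item in found:
        print(item)
    print("revoke:", revocation_list(found))
```

The findings split into grants that can be disabled straight away and ownerless accounts that first need a named owner, matching the article's point that every asset needs an owner. Feeding the enabled flag back from the platform after revocation lets the next scheduled run confirm the clean-up actually happened.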

CISO Guide for Denial-of-Service (DoS) Security

Denial-of-Service (DoS) attacks have existed since the early days of computing and have evolved into complex and overwhelming security challenges. Organizations have had to worry not just about DoS attacks, but about Distributed DoS (DDoS) attacks and, more recently, Distributed Reflector DoS (DRDoS) attacks. Additionally, the size, complexity and sophistication of DDoS attacks are increasing at an alarming rate.

In general, DDoS attacks target network infrastructure or computing service resources. The primary goal of a DDoS attack is to deny legitimate users access to a particular computer or network resource, which results in service degradation, loss of reputation and irretrievable data loss. DDoS attacks are aimed at organizations of all sizes and types that have an online presence, including businesses, government agencies, academic institutions and even individuals. DDoS has evolved from random hacker exploits to organized criminal activity that often involves botnets, which are large groups of compromised host computers controlled by a central commander.

The ultimate goal of security is to maintain three basic characteristics, viz. confidentiality, integrity and availability. The primary goal of DDoS defense is maintaining the availability of applications, services, data and infrastructure in the face of attacks against availability, i.e. DDoS attacks.

Organizations must look at a security-in-depth approach in order to fully prepare for attacks.

A few pointers on what a DDoS solution should incorporate:

  • Notification and alerting mechanism
  • Filtering technology that excludes only unwanted traffic
  • Scalability to handle threats of all sizes
  • A distributed model to create and maintain redundancy
  • Ability to stop both volumetric and application-layer DDoS attacks
  • A logging/correlation system to collect detailed attack data
  • True “distributed” DoS attack detection rather than simple point-based detection
  • Multiple methods of threat detection and mitigation, ranging from statistical anomaly detection and threshold-based flood detection to fingerprint-based detection
  • Blocking of attack traffic at the edge of the Internet by source IP and location, and control of access to content based on user and session details
  • Ability to easily identify legitimate search engine web crawlers
  • Always-on protection integrated with cloud scrubbing
  • CDN and proxy awareness
  • A global threat intelligence feed
  • Most important, 24x7x365 support

Organizations needing such a solution

Distributed Denial of Service (DDoS) attacks are bringing mission-critical systems and business operations to a halt, losing revenue opportunities, decreasing productivity and damaging business reputations. Over the past few years, DDoS attacks have grown in frequency and are conducted for specific purposes such as extortion, market manipulation and cyber terrorism.

Regulatory fines are sometimes less damaging than the repercussions of brand damage. In addition to the financial losses incurred in fines and legal costs to fight lawsuits and pay out huge settlements, companies pay again in the loss of customers and plunging market share.

Recent DDoS attacks have shown increasing sophistication, for example:

  • Reconnaissance: attackers probing banks and then customizing attacks to the target
  • Multiple concurrent targets
  • Targeting customer servers over HTTP/S with repeated GETs/POSTs against non-existent URIs
  • More frequent attacks against ISP authoritative DNS servers
  • Direct attacks on ISP/MSSP network infrastructure
  • Increasing bot turnover

So organizations such as banks, financial and government sector bodies, e-commerce and online trading sites, private and public Internet data centers, web/email/DNS hosting providers, Internet service providers, managed security service providers and cloud service providers, i.e. any organization that has an online presence and wants to protect its business operations and/or brand reputation, need a DDoS solution.

Key drivers for adoption

DDoS is an attack on service availability. The goal of the attacker is to prevent the enterprise/data center from functioning— whether that be transacting ecommerce; delivering email, voice or DNS services; providing Web site access; or offering other business-critical services. The business impact of an attack is a function of the length of time that services are unavailable and the value of those services.

Undoubtedly, the number-one driver for the DDoS prevention market is the attacks themselves. Most major vendors operate threat labs and publish regular reports on threats, and the threat landscape is getting bigger, more complex and scarier at an alarming rate. From the September 2012 US bank attacks to the Iranian elections, WikiLeaks and the attacks by the Anonymous collective, DDoS has been big news for the last two years. The rise of botnets and easy-to-use tools (like LOIC) for launching attacks means that there are more DDoS attacks, pushing greater volumes of traffic, initiated by a wider variety of attackers than ever before. There is no indication that the pace of innovation in the creation of attacks, or the ingenuity that drives the distribution of those threats, will ever slow down, so prevention solutions need to continue to evolve as well.

So the key drivers for adoption of a DDoS solution are maintaining availability and uptime, and avoiding loss of revenue, incurred operational expenses (OPEX), and negative publicity or reputational damage.

Compliance, regulations and standards that make the solution mandatory

The primary effect of DDoS attacks on corporations is service disruption—business downtime leading to customer dissatisfaction and loss of credibility and possibly revenue. The service provider network can be overwhelmed, impacting the ability to deliver connectivity. Even worse, collateral damage can be inflicted on other elements of the network that were not the original target of the attack, but overwhelmed in the process of the attack.

With the growing regulations placed upon corporations, the connectivity required to access data is critical. Any compromise on the ability to exchange data could violate regulations. More regulations are appearing and they imply that corporations and service providers should proactively manage security threats.

In the absence of regulations or compliance, many companies may not choose to invest in security solutions for their valuable data; many vertical markets are affected by regulations (such as healthcare and finance), and there are other regulations that impact broader groups of organizations (PCI, SOX, or GLBA in the US). Even non-regulated industries can face compliance issues that impact security spending, as many companies are required to demonstrate a certain level of security for business licensing or insurance purposes; regardless, the threat of repercussions for not being compliant drives many organizations around the globe to invest in network security.

In India, it is mandatory for financial institutions that offer products or services via the Internet to have a demonstrable DDoS mitigation solution. RBI guidelines mandate that banks providing Internet banking services implement network/security devices with reasonable preventive/detective capability, or consider incorporating DoS attack protection in their ISP selection process. Any organization that has an online presence and plans to get certified against standards such as ISO 27001 or ISO 20000 should also consider DDoS protection, since BCP/DR planning is a must for such standards.

Top technology trends for the DDoS domain

As we all know, DDoS attacks are now part of the advanced threat landscape, with attack types varying by size, vector and desired outcome. If we are not successful at blocking these attacks, confidential information may be accessed or stolen, valuable services may not be available to employees or customers, revenue may be lost and our company’s brand and reputation may be damaged. The recent trend observed is twofold: larger, more overwhelming attacks, and smaller yet disproportionately disruptive and more complex application-layer attacks.

Nowadays attacks are focused, multi-stage and multi-vector DDoS, such as:

  • GET and POST application-layer attacks over HTTP and HTTPS
  • DNS query application-layer attacks, mainly against ISP authoritative DNS servers
  • UDP floods, and TCP SYN floods on TCP/53, against ISP authoritative DNS servers and target organizations’ web properties

Characteristics of these attack campaigns include:

  • Relatively high bps/pps/cps/tps rates per individual attack source
  • Attacks on multiple targeted organizations in the same vertical
  • Real-time monitoring by the attackers of how effective the attack is
  • Some agility in modifying attack vectors when mitigated
  • Reverting to a conventional botnet for SYN floods, etc., when the main attack methodologies are successfully mitigated

- By Yadvendra Awasthi, CISO, NetMagic Solutions Pvt Ltd.
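The application-layer attacks the article above lists (repeated GETs and POSTs against non-existent URIs, high per-source request rates, and a mix of threshold-based and statistical anomaly detection) can be spotted from an ordinary web server access log before traffic is handed to a scrubbing service. The Python below is an added example for this page, not code from the article or from any DDoS product; the log lines are constructed in Apache combined log format, and the window size and thresholds are illustrative values a site would tune to its own baseline.

```python
"""Detect application-layer (HTTP GET/POST flood) DDoS sources from web access logs.

Added example; not part of the article. The log lines are constructed sample
data in combined log format, and the thresholds are illustrative.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-log-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "uri": m["uri"],
        "status": int(m["status"]),
    }


def detect_floods(lines, window=timedelta(seconds=10), abs_threshold=30,
                  rel_factor=10, notfound_ratio=0.8):
    """Return {ip: [reasons]} for sources whose peak request rate is anomalous.

    Two detectors, as the article's pointers suggest: a fixed threshold
    (abs_threshold requests within one window) and a relative one (rel_factor
    times the median per-source peak, so a site-wide surge does not flag every
    client). A flagged source whose window is mostly 404s is also tagged as a
    flood against non-existent URIs.
    """
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)

    # Peak request count per source, using a sliding window over sorted timestamps.
    peaks = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        best, best_slice, start = 0, [], 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            if end - start + 1 > best:
                best, best_slice = end - start + 1, recs[start:end + 1]
        peaks[ip] = (best, best_slice)

    med = median(count for count, _ in peaks.values())
    flagged = {}
    for ip, (count, recs) in peaks.items():
        reasons = []
        if count >= abs_threshold:
            reasons.append("threshold_flood")
        if count >= rel_factor * med:
            reasons.append("relative_rate_anomaly")
        if reasons:
            not_found = sum(1 for r in recs if r["status"] == 404) / count
            if not_found >= notfound_ratio:
                reasons.append("nonexistent_uri_flood")
            reasons.append("method:" + "/".join(sorted({r["method"] for r in recs})))
            flagged[ip] = reasons
    return flagged


def sample_log():
    """Constructed traffic: four ordinary clients, one GET 404-flooder, one POST flooder."""
    base = datetime.strptime("10/Mar/2013:13:55:00 +0000", TS_FMT)

    def line(ip, secs, method, uri, status):
        ts = (base + timedelta(seconds=secs)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "{method} {uri} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'

    lines = []
    for i, ip in enumerate(["203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.13"]):
        for k in range(3):                          # a few normal page views each
            lines.append(line(ip, i + k * 4, "GET", "/index.html", 200))
    for k in range(40):                             # GET flood against random non-existent URIs
        lines.append(line("198.51.100.7", k * 0.2, "GET", f"/x{k:04d}.php", 404))
    for k in range(35):                             # POST flood against a real, expensive endpoint
        lines.append(line("198.51.100.8", 2 + k * 0.25, "POST", "/login", 200))
    return lines


if __name__ == "__main__":
    for ip, reasons in detect_floods(sample_log()).items():
        print(ip, reasons)
```

A legitimate site-wide surge raises the median as well, so the relative detector does not flag everyone at once; the absolute threshold still catches a handful of heavy sources, which is also where false positives come from (many users behind one NAT address), so in practice the flagged list should feed a rate limiter or challenge page rather than an outright block.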

http://www.cisoplatform.com/page/build-vs-buy-forrester-s-security-risk-practice-playbook

Why Read This Report
This report outlines a sourcing strategy and Forrester’s decision support solution for security and risk (S&R) executives working to build a high-performance security program and organization. We designed this report to help you make the decision to build or buy your security services. Interest in outsourcing security services is on the rise. In fact, according to our Forrsights Security Survey, from 2010 to 2011, there was a 14% increase in the level of interest in implementing security using third parties. At the same time, managed security service providers (MSSPs) report revenue growth in excess of 30%. To make an informed business decision, CISOs must assess and compare services that MSSPs could deliver with the services that the CISO could deliver with internal staff. Outsourcing appropriate security services to MSSPs can sometimes provide better security while also freeing up scarce resources to focus on what really matters.

Table Of Contents

  • CISOs Turn To Managed Services To Address Continuing Challenges
  • Build A Security Services Catalog Before You Outsource
  • Identify Possible Managed Services With The Security Sourcing Model
  • CISOs Must Still Proceed With Caution When Sourcing Security Services
  • Don’t Go It Alone: Partner With Sourcing And Vendor Management
  • WHAT IT MEANS
  • The Monkey Test
  • Supplemental Material

Top steps during the implementation of a Cloud Security project

As security is an important aspect of any project, it is necessary to align the security plan with business goals. There is a prescriptive series of steps that may be taken to secure the cloud environment. Foremost, it is a prerequisite that effective governance, risk and compliance processes be in place. People, role and identity management also needs to be ensured so that the cloud environment is controlled and managed. Then there should be audits of operational and business processes to assess their effectiveness in enforcing corporate, industry or government requirements and policies. Moreover, proper privacy policies should be enforced, and the audit program should cover all aspects of the privacy policies. In addition, security controls are required on the physical infrastructure and facilities, with a central management system. Further, cloud SLAs should include security terms, and security requirements should also be considered in the exit process.

Top implementation mistakes or learnings while implementing projects in the above domain

Choosing the right cloud flavor and avoiding cutting common security corners are key to successful cloud rollouts. There are various aspects that should be kept in mind when going for cloud implementations. A lot of what’s appealing about cloud computing is its convenience; but at what point does making your data solution convenient for its users start to put its security at risk? So don’t ignore security for convenience. Another mistake people make is failing to see the underlying meaning in the big picture. If you’re securing a cloud data system, you can’t just look at everything as a whole; you need to dig deep, look closely and comb your way through the system’s security to ensure that there is no easy way for anyone to break in. Also, implement everything before you get things up and running: implementing governance and security later is just asking for trouble. It should not be assumed that users know what they are doing. Users should be educated about the various aspects of cloud security and they should be responsible for what they do, but they shouldn’t have to manage the system. The cloud transition should be planned precisely; enterprises should know what they are getting into and how to execute it. Also, there should be a response plan in place so that there is a fair idea of how the business will respond in case of a security threat.

Top challenges faced during such implementation

Cloud opens up a new world of opportunities for businesses, but mixed in with these opportunities are numerous security challenges that need to be considered and addressed prior to committing to a cloud computing strategy. Cloud computing security challenges are broadly related to the domains of data protection, user authentication, and disaster and data breach. First and foremost, there is a challenge in securing your data both at rest and in transit. Another challenge is to limit access to data and to monitor who accesses it. As with all cloud computing security challenges, it is the responsibility of the customer to ensure that the cloud provider has taken all necessary security measures to protect the customer’s data and the access to that data. Eventually, it’s a no-brainer that the cloud will serve as a single centralized repository for a company’s mission-critical data, so the risks of having that data compromised in a data breach or temporarily made unavailable by a natural disaster are real concerns. Contingency planning is therefore also a challenge, in which the company has to consider various scenarios. For instance, can the data be easily retrieved and migrated to a new service provider or to a non-cloud strategy if this happens? And what happens to the data, and the ability to access it, if the provider is acquired by another company? While there are real benefits to using cloud computing, including some key security advantages, there are just as many if not more security challenges that prevent customers from committing to a cloud computing strategy.

- By Dinesh Kumar Chawla, CISO, Telecommunications Consultants India Ltd.

Brief on Digital Rights Management

Digital rights management solutions are for copyright protection of digital media. The function of DRM solutions is to prevent unauthorized redistribution of digital media after sale and to restrict the ways in which consumers can copy content.

DRM solutions were developed in response to the rapid increase in online piracy of digital content through peer-to-peer networks and applications. DRM solutions embed a lock (code) that prevents copying, specifies a time period in which the content can be accessed, limits the number of devices the media can be installed on, etc.

Type of organization needing such solution

Computing hardware manufacturers, publishers, copyright holders, media and broadcast companies, Internet (gaming and music) industries, and individuals who intend to control the use of digital content and devices after sale.

Key drivers for adoption

  • Trusted software / technology / methodology.
  • Vulnerabilities in the solution.
  • Compatibility and Cost.

Compliance, regulations and standards that make the solution mandatory

No, there are no regulations or standards that make the solution mandatory.

Top technology trends for the above domain

  • Limited install activations
  • Persistent online authentication
  • Software tampering
  • Metadata
  • Watermarks

- By Pratap Kumar Singh, President - IT, Ibibo Web Private Ltd.

Action List Before Adopting a Cloud Technology

First, the CISO has to work with the CIO and the business to understand the business need for adopting the cloud technology, and then clearly articulate the associated risk exposure to the firm and its stakeholders.

Detailed due diligence has to be completed, after which the risk posture and risk mitigation guidance have to be provided. Subsequently, a corporate policy along with the mitigating controls has to be implemented and training imparted to the relevant business users.

Key parameters based on which a CISO should choose a vendor

Apart from the standard vendor due diligence, one has to ensure the following:

  • Review the security awareness and preparedness of the vendor (including staff) and their real-world deployment from a cloud services perspective
  • Does the vendor meet all relevant security and compliance-related industry standards?
  • Does the vendor have a strong DR program (implemented and tested) to maintain the continuity of services, and a DR site at a geographically safe distance?
  • Overall location of the vendor's hosting center/facility from a threat exposure perspective (external and internal influences)
  • Does the vendor offer a “Try Me” program before getting into a contract?

Top Questions to ask vendor for evaluating the offering/Vendor Evaluation Checklist

  • How does the vendor address security issues like protection of data in motion, encryption key management, data management/storage and access controls?
  • Does the vendor offer a right to audit?
  • Does the vendor have a DR site? How far is it from the hosting site?

Top mistakes to avoid while selecting a vendor

  • Not doing due diligence on the vendor and the services offered, e.g. speaking to the service provider’s customers
  • Not understanding the cloud’s intrinsic security issues and the standards involved
  • Not involving multiple service providers in the selection process. It is important that service providers with a proven track record in the area are invited

- By Rajesh R Nair, Vice President, Credit Suisse

Technology/Solution Guide for Single Sign-On

Top technologies / solutions available for the Single Sign-On are :

1. Common Standard Solutions:

  • The Generic Security Service Application Program Interface (GSS-API).
  • OSF Distributed Computing Environment (DCE).
  • Pluggable Authentication Modules (PAM).

2. Broker-Based SSO Solutions: one server handles central authentication and user account management.

  • Kerberos: a trusted Kerberos server acts as the broker, centrally authenticates users and gives them an electronic identity based on the credentials presented.
  • Sesame: Secure European System for Applications in a Multi-vendor Environment, the European equivalent of Kerberos.
  • IBM KryptoKnight: an equivalent of Kerberos designed by IBM.

3. Agent-Based SSO Solutions: an agent program automatically identifies the user to the different applications.

4. Token-Based SSO Solutions: the Security Dynamics SecurID is a physical token that generates time-dependent one-time passwords for the user, thus providing two-factor authentication.

5. Agent and Broker-Based SSO Solutions: combining an agent-based solution with a broker-based one gives both the central management of broker-based solutions and the flexibility of agent-based solutions.

6. Gateway-Based SSO Solutions: the gateway remembers the identities of the clients and can thus grant access to all the required services without further authentication requests.
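The broker-based model in item 2 (a central server authenticates the user once and the target applications accept its tickets) can be shown end to end in a few lines. The following is an added illustration, not code from the original post and not Kerberos, Sesame or KryptoKnight: a hypothetical broker checks a salted password hash and issues a short-lived HMAC-signed ticket, and a "brokerized" service validates the ticket with the key it shares with the broker. The user names, passwords, service names and keys are constructed sample data.

```python
"""Broker-based SSO, illustrated (added example; hypothetical design).

A central broker authenticates the user once against its own user database and
issues a short-lived ticket signed with a key it shares with the target service.
The "brokerized" service verifies the ticket locally, so it never handles the
user's password and does not call the broker on every request.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed sample data (hypothetical users, services and keys).
PASSWORD_SALT = b"constructed-salt"
PBKDF2_ROUNDS = 100_000
USER_DB = {
    "alice": hashlib.pbkdf2_hmac("sha256", b"correct horse battery staple",
                                 PASSWORD_SALT, PBKDF2_ROUNDS),
}
# One shared key per registered service: the broker signs tickets with it and
# the service verifies them with the same key.
SERVICE_KEYS = {
    "payroll": b"constructed-payroll-service-key",
    "hr": b"constructed-hr-service-key",
}
TICKET_LIFETIME = 300  # seconds a ticket stays valid


def _sign(key, payload):
    return hmac.new(key, payload, hashlib.sha256).digest()


def _b64(data):
    return base64.urlsafe_b64encode(data).decode()


def broker_login(username, password, service, now=None):
    """Check the password against the broker's user database and, if it is
    correct, issue a ticket for `service`.  Returns None on any failure."""
    now = time.time() if now is None else now
    stored = USER_DB.get(username)
    key = SERVICE_KEYS.get(service)
    if stored is None or key is None:
        return None
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    PASSWORD_SALT, PBKDF2_ROUNDS)
    if not hmac.compare_digest(stored, candidate):
        return None
    claims = {
        "sub": username,            # who the ticket is for
        "svc": service,             # which service may accept it
        "iat": int(now),
        "exp": int(now) + TICKET_LIFETIME,
        "nonce": secrets.token_hex(8),
    }
    payload = json.dumps(claims, sort_keys=True).encode()
    return _b64(payload) + "." + _b64(_sign(key, payload))


def service_verify(service, ticket, now=None):
    """Run at the service: validate a presented ticket with the service's own key.
    Returns the authenticated username, or None if the ticket is malformed,
    tampered with, issued for another service, or expired."""
    now = time.time() if now is None else now
    key = SERVICE_KEYS.get(service)
    if key is None:
        return None
    try:
        payload_b64, sig_b64 = ticket.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except (ValueError, TypeError):
        return None
    # Constant-time comparison of the signature before trusting any claim.
    if not hmac.compare_digest(_sign(key, payload), sig):
        return None
    claims = json.loads(payload)
    if claims.get("svc") != service or claims.get("exp", 0) < now:
        return None
    return claims.get("sub")
```

The service never sees the password and does not contact the broker per request, which is the administrative strength of the model. The flip side, discussed in the pros and cons that follow, is equally visible here: only `broker_login` can mint tickets, so nobody can log in while the broker is down.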

Pros - Cons of the different type of available technology / Solutions

1. Broker-based SSO

Implementability: The main problem with broker-based solutions such as Kerberos is that the end applications need to be modified, or "kerberized", to accept the tickets.

Administration: Central administration is the major strength of broker-based solutions. One central database is easy to manage.

Security: A broker-based solution can be designed to be secure, but the actual level of security depends on the implementation. Authentication in Kerberos is based only on passwords, which leaves the system vulnerable to password guessing. Sesame has largely the same strengths and weaknesses as Kerberos, namely the vulnerability to password guessing and the single point of failure at the Authentication Server. The cryptographic improvements in KryptoKnight should have made it more secure than Kerberos.

Usage: All the approaches to Single Sign-On can be designed so that most of the user's work is done automatically. Whenever the system has a central component, as broker-based solutions do, that component is a single point of failure, which hurts usage: if it is down, no one can log in.

2. Agent-based SSO

Implementation: Migration is easier because the software vendor supplies different agents designed to communicate with the legacy applications.

Administration: Administration is harder, as there are not just the rights of the users to worry about but also the rights of the agents.

Security: An agent that authenticates itself with strong cryptography should be secure. The problem is that an agent "loaded" with identities can be misused or replaced by malicious software.

Usage: Approaches such as the SSH agent, which has to be explicitly loaded with identities, are a hard concept to learn. All the concepts of public-key cryptography might also be hard to grasp.

3. Token-based SSO

Administration: Current token-based solutions such as WebID increase the administrative workload, as one more component is added to the system.

Security: The SecurID hardware token increases the security of authentication. Less data is available on whether software tokens can be cracked.

4. Gateway-based SSO

Implementation: In certain environments a gateway is easy to install and configure. The only problem might be that the client software for the applications and the gateway client software need to reside on the same computer.

Administration: The gateway has a central user database and should thus be as easy to manage as a broker-based solution. Problems arise, though, if several gateways are used and their databases cannot be synchronized automatically.

Security: A cryptographic server should be secure, but it can still be attacked, for instance through the underlying operating system. As the gateway sits in the place of a firewall, attacks used against firewalls, such as SYN flooding, might work here too. It is thus recommended to protect the gateway with a separate firewall.

Usage: The gateway is a central component that affects the availability and usage of the system, as in a broker-based approach.

5. Agent and Broker-based SSO

Implementation: The purpose of the agents is to remove the need to modify the systems, as pure broker-based approaches require.

Administration: Administering an agent and broker-based solution should be even easier than administering a pure broker-based one, because even the native databases can be administered automatically through administration agents.

Security: The agent approach should add security, as the agents can authenticate themselves without sending passwords, encrypted or not, across the network.

Usage: The solution has a central component that affects the availability and usage of the system, as in a pure broker-based approach.

Choose the right technology

The following factors need to be considered in order to choose the right SSO technology.

(1) Smooth functioning & efficient use of the computing resources. Signing-on should really mean acquiring an electronic identity.

(2) Secure and convenient mapping from the physical world to the electronic and logical world.

(3) The intended electronic identity should be given to only that individual it belongs to.

(4) The identification method should not cause extra work by making the user go through the identification process, possibly multiple times.

(5) The system needs to be so reliable that the identity can be proven anytime, anywhere.

(6) As the computing environment has to be administered in some way, the administration should not cause extra work or security holes.

(7) The administration procedures should fit the power structures and policies of the surrounding organization.

(8) When a Single Sign-On system is taken into use, the migration should be easy; all users should be able to learn the system instantly.

(9) The methods of authentication and usage can be distributed and installed throughout the organization without extra effort.

(10) There should be no down-time which would affect normal working. All the applications should instantly accept the new method without any modifications.

- By Vikram Patil, Centre Head-IT Infrastructure, L & T Infotech Ltd.

Certification: ISO 27001

ISO 27001 certification in brief

  • ISO 27001 formally specifies a management system that is intended to bring information security under explicit management control.
  • Being a formal specification means that it mandates specific requirements.
  • Organizations that have adopted ISO 27001 are therefore formally audited and certified to be compliant with the standard.
  • The standard contains 11 domains like Security Policy, Asset Management, Physical Security, Access control, HR Security to name a few.

Type of organizations which should adopt ISO 27001

Any organization that has information assets may want to adopt the standard; there is no specific criterion for adoption. If the organization believes it holds information whose vulnerabilities pose a significant risk to the business, it may want to adopt the standard.

Key drivers for adoption

A company may want to adopt ISO 27001 for the following reasons:

  • It is suitable for protecting critical and sensitive information
  • It provides a holistic, risk-based approach to secure information and compliance
  • Demonstrates credibility, trust, satisfaction and confidence with stakeholders, partners, citizens and customers
  • Demonstrates security status according to internationally accepted criteria
  • Creates a market differentiation due to prestige, image and external goodwill
  • If a company is certified once, it is accepted globally.

Key benefits of ISO 27001

  • It acts as an extension of the current quality system to include security
  • It provides an opportunity to identify and manage risks to key information and system assets
  • Provides confidence and assurance to trading partners and clients
  • Allows an independent review of, and assurance on, your information security practices

- By Niranjan Bal, CISO and PMO, Hindalco Industries Ltd.

Database Security Vendor Evaluation Guide


Requirement for solutions related to Database security

A CISO should define the requirements for database security solutions by first understanding the business and threat environment, then deciding on the most applicable threats and security parameters while balancing application performance against security.

The solution requirements should address the fundamental security properties, viz. availability, authenticity, integrity and confidentiality. While defining the requirements, one needs to decide what information needs to be protected with respect to those properties and accordingly select the databases for which security solutions need to be identified. A comprehensive risk assessment needs to be carried out to define the potential security threats holistically: internal or external, intentional or accidental, physical or logical, etc. Once the threats are identified, one needs to rate the criticality of each threat from a business-impact perspective, and then analyze the vulnerabilities or points/modes of failure. Further analysis assesses the probability of occurrence based on the protection controls already in place and the current detection capabilities. From this analysis one arrives at a risk priority rating, which becomes the basis for the requirement criteria for database security.

Besides the risk-based approach, it’s equally critical to understand and identify any requirements from a statutory, regulatory and contractual compliance perspective (e.g. PCI standards: encryption, DAM - Database Activity Monitoring).

Key parameters based on which a CISO should choose a vendor for the same

  • Expertise & capability in providing comprehensive solutions for database security
  • Ability in understanding customer business requirement of database security and providing relevant optimized security solution
  • Maturity of technical products/solutions offered by vendors
  • Well defined roadmap for next 2-3 years with proven track record of delivering product enhancement and support
  • Capability to provide after sales support locally

Top Questions to ask vendor for evaluating the offering/Vendor Evaluation Checklist

  • What will be the impact or overhead of the solution on application performance, administration/operations and user experience?
  • Where has the solution been implemented and running successfully, and for how long?
  • What kind of security testing or assessment have the products/solutions undergone, and can they share the latest reports?
  • What are the mechanisms through which they identify vulnerabilities in their products, and what is their turnaround time for releasing patches/fixes?
  • Is the product supported and certified by the principal vendor of the database?

Top mistakes to avoid while selecting a vendor

  • Going for third-party solutions for requirements that can be met by the database’s built-in features. This unnecessarily increases cost and overhead
  • Going for a leading player based on product features without understanding their capability to support locally. The product may be very good, yet fail because it is not implemented properly, not well supported, or lacks strong local support / system integration partners
  • Select vendors/solutions that meet your business requirements for database security rather than going by the rich feature list of a vendor’s product/solution. Otherwise the result is sometimes overkill, not only in cost but also in overhead on the performance of the database/application
  • Selecting a vendor without checking the compatibility of their solution with the database vendor. This sometimes leads to issues before or after implementation, so it needs to be thoroughly checked and evaluated before selecting the vendor

- By A.Raja Vijay Kumar, VP & Global Information Security Leader, Genpact

Top steps during the implementation of a project related to Database Security


1. As application developers or the people implementing the applications often also work as database administrators, it is important that database administration is handled by different people in the team. For bigger projects you should have a separate database team. On most occasions this gives better control over database management and related changes.

2. Prepare a database security checklist; it is critical to the success of any implementation. Some of the critical issues that require attention are:

  • a strong password policy and users with proper roles
  • all default database users, passwords, roles and settings disabled
  • database auditing enabled
  • secured remote log-in settings
  • the latest security patches applied

3. Database design, and the design of the entire application and system infrastructure, should be given priority when initiating any project with a large and critical database.

Top implementation mistakes or learning while implementing projects related to the above domain

Some of the critical areas that get ignored are as follows:

  1. Access controls are not properly defined during the initial stage, and the gap carries over into the production environment
  2. Vulnerability assessment and compliance are given low priority during the implementation stage and hence become a critical issue at a later stage
  3. It is always better to have a separate UAT area for the database, so that the production area is never compromised or impacted during testing or changes
  4. It is always advisable to have a documented change management process in place for any database-related change
  5. Database monitoring and auditing should be given due importance, as these steps will be helpful in the long run
  6. Before going live with critical projects, it is advisable to have a database vulnerability assessment carried out and all major observations plugged

Top challenges faced during such implementation

a. Database encryption and a secured communication channel for database access

b. Due to time constraints, databases are most of the time not properly deployed, and this surfaces only after going live

c. Segregation of duties between database administrators and power users

Top parameters based on which the success of a project should be measured

a. Performance of the application on various aspects, and fewer database deployment issues

b. Fewer changes at database level after going live

c. Flexibility in terms of new requirements and changes required in the application, which depends on the database design and deployment

- By Subhojit Roy, Head - IT, SBI Funds Management

Top technologies / solutions available for Database Security include the following:

  1. Encryption controls
  2. Integrity controls
  3. Data Leakage Prevention (DLP) solutions
  4. Access controls
  5. Auditing controls
  6. Backup solutions

Pros - Cons of the different type of available technology / Solutions

  • Encryption & Integrity Controls
    Pros: Ensures confidentiality and integrity of data.
    Cons: Could be a bottleneck for data availability. Could be an overhead for DB administration.

  • Data Leakage Prevention (DLP) solutions
    Pros: Facilitates controlled movement of data.
    Cons: Not mature enough to handle large databases. Generates lots of false positives.

  • Access Controls
    Pros: Provides role-based access. Authentication mechanism.
    Cons: Excessive privilege to a single person. Abuse of privilege by an authorized person. Privilege elevation. Sharing of credentials.

  • Auditing Controls
    Pros: Helps in database activity monitoring.
    Cons: Too many logs, difficult to handle. Backup and retention of the logs add to the cost.

  • Backup Solutions
    Pros: Provides assurance regarding availability of data. Tiered backup ensures a cost-effective solution.
    Cons: Large databases require huge backup infrastructure, adding to maintenance and administrative cost.
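The auditing and access control items above can be seen in runnable form. The following is an added example, not the page's own material and not tied to any product, using SQLite from the Python standard library: an AFTER UPDATE trigger writes each change of a sensitive column to an append-only audit table, and a review query picks out changes made by anyone other than the application's service account. The schema, account rows and actor names are constructed.

```python
"""Database auditing control on SQLite (added example; constructed schema).

The trigger records who changed a sensitive column, from what value to what,
and a review query returns the changes not made by the application's own
service account.  The session_actor table stands in for the session-identity
mechanism (e.g. SET ROLE / session variables) a full DBMS would provide.
"""
import sqlite3

SCHEMA = """
CREATE TABLE accounts (
    id      INTEGER PRIMARY KEY,
    owner   TEXT NOT NULL,
    balance INTEGER NOT NULL
);
CREATE TABLE audit_log (
    id         INTEGER PRIMARY KEY,
    at         TEXT NOT NULL DEFAULT (datetime('now')),
    actor      TEXT NOT NULL,
    account_id INTEGER NOT NULL,
    old_value  INTEGER,
    new_value  INTEGER
);
-- One row per connection: the application sets it right after connecting.
CREATE TABLE session_actor (actor TEXT NOT NULL);
-- Audit only the sensitive column, not every write, to keep log volume down.
CREATE TRIGGER audit_balance_update
AFTER UPDATE OF balance ON accounts
BEGIN
    INSERT INTO audit_log (actor, account_id, old_value, new_value)
    VALUES ((SELECT actor FROM session_actor LIMIT 1),
            OLD.id, OLD.balance, NEW.balance);
END;
"""


def open_audited_db():
    """Create an in-memory database with the schema, trigger and sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO accounts (owner, balance) VALUES (?, ?)",
                     [("alice", 100), ("bob", 250)])  # constructed sample data
    conn.commit()
    return conn


def set_actor(conn, actor):
    """Record which principal is acting on this connection."""
    conn.execute("DELETE FROM session_actor")
    conn.execute("INSERT INTO session_actor (actor) VALUES (?)", (actor,))


def update_balance(conn, actor, account_id, new_balance):
    """Parameterized update; the trigger produces the audit row."""
    set_actor(conn, actor)
    conn.execute("UPDATE accounts SET balance = ? WHERE id = ?",
                 (new_balance, account_id))
    conn.commit()


def suspicious_changes(conn, service_account="app_svc"):
    """Review query: balance changes made by anyone other than the service
    account.  Returns rows of (actor, account_id, old_value, new_value)."""
    cur = conn.execute(
        "SELECT actor, account_id, old_value, new_value FROM audit_log "
        "WHERE actor != ? ORDER BY id", (service_account,))
    return cur.fetchall()


def audit_row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM audit_log").fetchone()[0]
```

Restricting the trigger to the one sensitive column (UPDATE OF balance) is one practical answer to the "too many logs" drawback listed above; the review query is the detection step that makes the audit trail worth its storage cost.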

Choosing the right technology

CISO should perform a risk and cost-benefit analysis before choosing any technology for database security. Most of the solutions would not be very cost-effective. It should also be ensured that availability of the data is not hampered by the implementation of any control. Further, the license cost and the administrative cost post implementation should be checked for any database security solution.

- By Priyadarshi Patnaik, Manager-IT, Maruti Suzuki India Limited

Top technologies / solutions available for Application Security

Applications can be broadly classified into three categories, viz. thick client applications (client/server), web applications (accessed over the Internet or intranet) and mobile applications. Thick client applications are increasingly becoming obsolete.

Today most client/server applications are web and mobile enabled, thus exposing them to the open Internet. So application security has assumed paramount importance from the following viewpoints:

  • Access to applications and web services (access controls and Identity & Access Management)
  • Availability of applications, based on the criticality of the application to the organization’s normal business operations. It is therefore important to protect web applications from malicious attacks. Most organizations have realized that the security posture of these mission-critical applications has to be constantly reviewed and vulnerabilities fixed based on the risk they pose, so we increasingly see customers requesting Vulnerability Assessment & Penetration Testing on a periodic basis. (Vulnerability Assessment & Penetration Testing are key service requirements for web application security.)

  • Web application firewalls combined with threat intelligence are increasingly deployed to perform deep packet inspection of network traffic and address the risk associated with malicious network traffic
  • Recently, clients are increasingly performing source code security review to address security vulnerabilities during the development stage itself, so there is an increasing need for low-cost source code analysis tools. Currently, source code security review with automated tools is prohibitively expensive for small projects. Static code analyzers with low cost and low false positive rates are the need of the hour, to address most security vulnerabilities during the development stage of a solution or product.
  • For mobile application security, most clients are looking at performing mobile application penetration testing and source code security review through automated tools and expert analysis.

Pros - Cons of the different type of available technology / Solutions

Identity & Access Management Solutions: While IAM streamlines provisioning access to applications and revoking it in a seamless fashion, rollout is a long-drawn affair, since each organization and structure is unique in its own way. It requires commitment and the dedicated focus of top management to ensure a successful rollout and the integration of heterogeneous applications into the IAM solution. These are usually very expensive solutions that require large budgets, very experienced domain experts in IAM implementation, and the involvement of the business.

Vulnerability Assessment & Penetration Testing (VAPT): Provides the benefit of constant assessment of the security posture of mission-critical applications and helps in addressing the risks associated with ever-evolving threats. Many organizations consider that VAPT can effectively help them identify threats and the associated risks, and prioritize remediation based on risk level.

Source Code Security Analysis: Very effective if properly done.

Web application firewalls and threat intelligence: Effective in addressing malicious network traffic. While rollout timelines are short, these are very expensive solutions. Suitable where the application does not have appropriate support to fix vulnerabilities at the application level, and for tactical needs.

Choosing the right technology

The following are the major areas CISOs should focus on when selecting the right product/solution:

  • Out-of-the-box features supported by the product, and the ability to integrate with SIEM solutions to help generate real-time or near real-time security alerts on security incidents or exploitation attempts
  • Ease of deployment, configuration, administration and maintenance; the complexity of security solutions reduces their effectiveness and adoption
  • Last is cost. It should be justified by the risks the product can address and mitigate.
  • Support and future roadmap

- By N. Nataraj, CIO, Hexaware Technologies Pvt. Ltd.

Top steps during the implementation of a project related to Anti Spam Security

  • Incorporation of spam detectors to block malicious/ fraudulent e-mails
  • Installation of filters for automatic detection/ deletion of malicious software
  • Deployment of software for blocking outgoing delivery of sensitive information to malicious parties
  • Implementation of standard anti-virus, filtering, and anti-spam software solutions
  • Formulation of corporate policies for e-mail content
  • Providing a way for customers to validate e-mails
  • Implementing strong authentication at Web sites
  • Regular monitoring of Internet for potential phishing Web sites

Top implementation mistakes or learning while implementing projects related to the domain

  • Usage of just one email account
  • Keeping spammed-out accounts for a very long time
  • Not closing the browser after logging out
  • Forgetting to delete browser cache, history, and passwords
  • Using insecure email accounts to send and receive sensitive corporate information
  • Forgetting the telephone option
  • Not using the Blind Carbon Copy (BCC) option
  • Being trigger happy with the "Reply All" button
  • Spamming as a result of forwarding email
  • Failing to back up emails
  • Mobile access: Presuming a backup exists
  • Thinking that an erased email is gone forever
  • Believing that an individual has won the lottery … and other scam titles
  • Not recognizing phishing attacks in email content.
  • Sending personal and financial information via email.
  • Unsubscribing to newsletters you never subscribed to
  • Trusting a friend's email
  • Deleting spam instead of blacklisting it
  • Disabling the email spam filter
  • Failing to scan all email attachments
  • Sharing your account information with others
  • Using simple and easy-to-guess passwords
  • Failing to encrypt your important emails.
  • Not encrypting your wireless connection
  • Failing to use digital signatures

Top challenges faced during such implementation

  • Which identity should be used, and how does it relate to spamming behaviour? An author can create bad content, but the identity in a field of that content might not be the actual author, even if that field is validated. The message might have originated on a compromised machine and used the identity associated with it, without the machine's owner knowing. Also, the operator of the mail-sending network might have nothing to do with creating content, but it might be reasonable to hold the operator accountable for aggregate traffic problems.
  • How is the identity validated (authenticated)? What entity is doing the validation? How does it relate to the identity being validated, and why is it trusted? Can the validation mechanism itself be tricked?
  • How is an identity determined to be a spammer or non-spammer? What entity is vouching for the quality of that identity, and why is the vouching entity trusted?

Top parameters based on which the success of a project should be measured

  • Content-based filtering
  • Body-based filtering
  • Origin-based filtering
  • Blocking

- By Murali Menon, Chief Security Officer, Atos India Pvt Ltd.

There are many technologies and solutions available to control spam, but no one technology is a complete solution by itself. With most anti-spam solutions the key challenge is balancing false negatives (missed spam) against false positives (rejected good email); getting this right is critical for a successful anti-spam deployment. Each approach has its own associated costs in time and effort.

Spam filtering can be done at the gateway or the client level.  There are options of using outsourced or in-house deployments of anti-spam technology.

Outsourced deployments are either hosted third-party solutions or based on open source technology. These are typically low-cost solutions, less customizable and with fewer features, and are ideal for the SMB segment.

For large organizations, anti-spam deployments are generally in-house, based on either a hardware appliance or a software solution.

Most of the anti-spam solutions will be using a combination of the below technologies to control spam.

  • Detecting spam based on keywords or by statistical means.
  • Checking repositories of blacklisted domain names, proxy servers and open relays.
  • Addition of ham passwords to email content.
  • Checksum-based content filtering.
  • DNS-based blacklisting.
  • Integrity checks by analysing the mail header.
  • Greylisting of incoming mail from unknown senders.
  • Greeting delay: a deliberate pause introduced by an SMTP server before it sends the SMTP greeting banner to the client.
  • Hybrid filtering: assigns a numerical score to each spam test and takes action based on the total.
  • Pattern detection: monitors a large database of messages worldwide to detect spam patterns.
  • Spam trapping: embeds dummy email addresses in HTML source code; mail sent to those addresses can only be spam.
  • Honeypots: imitate MTAs and TCP/IP proxy servers as open mail relays and open proxies to detect spam and blacklist the sending host.
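To make the greylisting, DNS blacklist, header-integrity and hybrid-filtering items above concrete, here is an added example written for this page; it is not code from the article or from any product. A small Python filter greylists unknown (IP, sender, recipient) triplets, then scores a message on a constructed stand-in for a DNSBL lookup (a real filter would query the blacklist zone over DNS), on missing required headers, on a header From domain that disagrees with the envelope sender, and on keyword hits, and maps the total to deliver, quarantine or reject. All scores, thresholds, addresses and sample messages are constructed for illustration.

```python
import re
import time
from dataclasses import dataclass, field

# Constructed stand-in for a DNS blacklist (DNSBL). A real filter would query
# <reversed-ip>.<zone> over DNS; a set keeps this example runnable offline.
DNSBL_STANDIN = {"203.0.113.7"}  # TEST-NET-3 address, constructed

# Keyword tests: (pattern, score). Scores are illustrative, not a vendor's.
KEYWORD_TESTS = [
    (re.compile(r"\bfree money\b", re.I), 2.0),
    (re.compile(r"\bclick here\b", re.I), 1.0),
    (re.compile(r"\bunsubscribe\b", re.I), 0.5),
]

GREYLIST_DELAY = 300  # seconds an unknown (ip, from, to) triplet must wait


@dataclass
class Message:
    client_ip: str
    envelope_from: str
    envelope_to: str
    headers: dict
    body: str


@dataclass
class HybridFilter:
    """Hybrid filtering: every test contributes a score and the total drives
    the action (deliver / quarantine / reject). Greylisting runs first
    because it needs no content at all."""
    reject_at: float = 5.0
    quarantine_at: float = 3.0
    greylist: dict = field(default_factory=dict)

    def greylist_passed(self, msg, now):
        # Greylisting: the first attempt from an unknown (ip, sender, recipient)
        # triplet is temporarily rejected; real MTAs retry, much spamware does not.
        key = (msg.client_ip, msg.envelope_from.lower(), msg.envelope_to.lower())
        first_seen = self.greylist.setdefault(key, now)
        return now - first_seen >= GREYLIST_DELAY

    def score(self, msg):
        hits = []
        if msg.client_ip in DNSBL_STANDIN:
            hits.append(("dnsbl", 3.0))
        hdr = {k.lower(): v for k, v in msg.headers.items()}
        # Header integrity: RFC 5322 requires From and Date, and any
        # well-behaved MTA adds a Message-ID.
        for required in ("from", "date", "message-id"):
            if required not in hdr:
                hits.append((f"missing-{required}", 1.0))
        # Header From domain disagreeing with the envelope sender domain
        m = re.search(r"[\w.+-]+@([\w.-]+)", hdr.get("from", ""))
        env_domain = msg.envelope_from.rsplit("@", 1)[-1].lower()
        if m and m.group(1).lower() != env_domain:
            hits.append(("from-mismatch", 1.5))
        for pat, pts in KEYWORD_TESTS:
            if pat.search(msg.body):
                hits.append((f"keyword:{pat.pattern}", pts))
        return sum(p for _, p in hits), hits

    def decide(self, msg, now=None):
        """Return (verdict, total_score, hits)."""
        now = time.time() if now is None else now
        if not self.greylist_passed(msg, now):
            return "tempfail", 0.0, [("greylist", 0.0)]
        total, hits = self.score(msg)
        if total >= self.reject_at:
            verdict = "reject"
        elif total >= self.quarantine_at:
            verdict = "quarantine"
        else:
            verdict = "deliver"
        return verdict, total, hits


if __name__ == "__main__":
    f = HybridFilter()
    spam = Message("203.0.113.7", "bounce@mailer.invalid", "user@example.com",
                   {"From": "Bank <alerts@bank.example>",
                    "Date": "Mon, 1 Jan 2024 00:00:00 +0000"},
                   "FREE MONEY! click here")
    print(f.decide(spam, now=0))      # first attempt is greylisted: tempfail
    print(f.decide(spam, now=400))    # retry after the delay is scored and rejected
```

The first call for a new triplet always returns `tempfail`; the retry is where the content tests run. Note that the greeting delay from the list is not shown here because it lives in the SMTP session handler rather than in the scoring logic, and that the quarantine band between the two thresholds is what lets an operator tune the false-positive/false-negative trade-off the article opens with.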


Pros and Cons of the different types of available technology / Solutions

  • No single anti-spam technology is complete in itself; each approach has pros and cons.
  • Outsourced solutions are less expensive and easy to maintain, but are low on features and difficult to customize. Moreover, email is routed to third-party filtering engines outside the organization's domain, which may pose a security risk in certain cases.
  • In-house deployments of anti-spam technology are based either on a hardware appliance or on a software solution, each with its own pros and cons.
  • Hardware appliances are robust, easily maintainable and can be configured to best meet the customer's needs. Spam can be filtered before it reaches the mail infrastructure.
  • Their disadvantage is cost, and the spam still reaches the appliance, consuming bandwidth.
  • Software-based anti-spam solutions are less expensive and require no additional hardware, as most can be installed directly on the mail server.
  • Their disadvantage is that mail is not checked until it is already at your mail server, and they require a higher level of maintenance.
  • Many organizations also use open-source anti-spam engines. These have a cost advantage but are less customizable, low on features and harder to get support for.
  • One needs to carefully understand the pros and cons of the anti-spam technologies and options before selecting and implementing one.


Choosing the right technology

The CISO has to understand the challenges of his working environment in detail before selecting an anti-spam technology for the enterprise. Each technology has pros and cons that need to be understood; only then should a selection be made.

It is also desirable that the CISO understands the intricacies of the technologies on offer and confirms the results from other deployments. The CISO should select technology that is proven, secure, accurate, easy to manage, flexible and cost-effective.

The CISO should be clear about the deployment strategy and have clear answers on the following options:

  • Gateway vs client-side deployment,
  • Outsourced vs in-house deployment, and
  • Hardware appliance vs software anti-spam solution.

The CISO must decide whether to deploy anti-spam technology alone or bundle it with other security products such as anti-virus and content filtering, as this has a bearing on the selection of the right technology.

It is also important that the impact of the selected technology is understood and discussed with the business stakeholders to get their buy-in.

- By Vipin Kumar, Group CIO, Escorts Ltd.


Spam, in general, can be understood as unsolicited email received in large volume. These emails eat up the productive time of the organization's users and employees, so it is very important to control them before they are delivered to users' mailboxes. A large percentage of the email received at an organization's gateway is spam, and it may create various types of security issues such as identity theft, viruses and malicious code.


To overcome this problem there is a variety of anti-spam software, provided either as an individual tool or combined into an entire security suite. It is also true that deploying a tool once is not sufficient: it must be upgraded regularly and correct policies defined, with continuous enhancement of the policies for keyword filters, spam protection rules, mail security rules, and the blacklists and whitelists of sender emails and domains. A further protective mechanism is for the organization to subscribe to cloud-based mail hosting with a clean-email service, where the cloud service provider, being a large and dedicated provider, can deploy and manage highly effective anti-spam tools at much greater scale and has a fleet of administrators to monitor and update them far more responsively.

Types of organization needing an anti-spam solution

An anti-spam solution is needed by every organization that manages or maintains an email server environment in-house, whether fully or partially managed. From the endpoint (employee workstation) security perspective, it is also necessary to have an endpoint security tool that covers anti-spam, since end users use not only their company's domain-based email but also personal external email providers, which may also carry spam.


Key drivers for adoption

  • Protection against unsolicited emails.
  • Protection against viruses and malicious code that may damage data.
  • Productivity improvement from the time saved by not receiving unsolicited emails, with the help of anti-spam tools and policies.

Top technology trends for anti-spam security

  1. Constant updating of the spam database with the latest spam by the anti-spam tool vendors, with the same updates pushed to the customers using their tool.
  2. The research labs of anti-spam tool vendors may be working on incorporating algorithms or mechanisms that block only spam and do not block genuine mail (tuned on false-positive and false-negative rules), so that the tool does not hamper organization or user productivity and becomes more intelligent. Going forward, simply detecting spam based on keywords may not be sufficient, because a mail cannot be considered spam just because it contains a keyword from the filter list; other aspects such as an invalid email address or a blacklisted domain also go into declaring a mail spam. I am sure that anti-spam tool developers may be trying to enhance their algorithms to cover these aspects, so that the tools become more sophisticated at fighting spam intelligently.


  3. There are many popular techniques used to protect against spam, configured with the help of the anti-spam tools in the organization. As per my understanding, the following is a list of the most popular techniques used to protect against spam. In future, the technology trend will be further strengthening the rules and algorithms under these techniques, along with the security software vendors developing new techniques.
  • Lists of DNS-blacklisted sites
  • Keyword checking (with attention to false positives)
  • Checksum-based filtering
  • Country-based filtering
  • Enforcing RFC standards
  • Greylisting (temporary rejection of incoming messages)
  • HELO/EHLO checking
  • Outbound spam protection
  • Pattern detection
  • Rule- or policy-based filtering, also termed content filtering
  • Bayesian or statistical content filtering
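As an added example (not from the article or any vendor's product) of two items on this list, the code below trains a naive Bayes classifier, the "Bayesian or statistical content filtering" listed last, on a tiny constructed corpus and reports a spam probability, and separately performs HELO/EHLO checking on the greeting argument an SMTP client presents. The corpus, the hostnames and the specific HELO rules are assumptions made for illustration; a real deployment trains on far more mail and tunes its HELO rules to its own environment.

```python
import math
import re
from collections import Counter

TOKEN = re.compile(r"[a-z0-9$!]+")


def tokenize(text):
    return TOKEN.findall(text.lower())


class NaiveBayesSpamFilter:
    """Multinomial naive Bayes with add-one (Laplace) smoothing: the
    'Bayesian or statistical content filtering' in the list above."""

    def __init__(self):
        self.word_counts = {"spam": Counter(), "ham": Counter()}
        self.doc_counts = {"spam": 0, "ham": 0}
        self.vocab = set()

    def train(self, text, label):
        toks = tokenize(text)
        self.word_counts[label].update(toks)
        self.doc_counts[label] += 1
        self.vocab.update(toks)

    def _log_score(self, toks, label):
        # log P(label) + sum of log P(token | label); smoothing keeps a
        # never-seen word from zeroing out a class
        total_words = sum(self.word_counts[label].values())
        denom = total_words + len(self.vocab)
        score = math.log(self.doc_counts[label] / sum(self.doc_counts.values()))
        for t in toks:
            score += math.log((self.word_counts[label][t] + 1) / denom)
        return score

    def spam_probability(self, text):
        toks = tokenize(text)
        ls, lh = self._log_score(toks, "spam"), self._log_score(toks, "ham")
        return 1.0 / (1.0 + math.exp(lh - ls))  # logistic of the log-odds


def check_helo(helo, our_hostnames):
    """HELO/EHLO checking: return the reasons the greeting argument is
    suspect (an empty list means it looks like a legitimate FQDN)."""
    reasons = []
    if not helo:
        reasons.append("empty HELO")
    elif helo.lower() in {h.lower() for h in our_hostnames}:
        reasons.append("client claims to be our own mail host")
    elif re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", helo):
        reasons.append("bare IP literal (RFC 5321 requires an address literal in brackets)")
    elif re.fullmatch(r"\[\d{1,3}(\.\d{1,3}){3}\]", helo):
        reasons.append("address literal instead of a hostname")
    elif "." not in helo.strip("."):
        reasons.append("not a fully qualified domain name")
    return reasons


# Constructed training corpus; a real deployment learns from user-reported mail.
SPAM_SAMPLES = ["free money click here now", "cheap meds free shipping click",
                "win free prize now"]
HAM_SAMPLES = ["meeting notes attached for tomorrow", "please review the attached report",
               "lunch tomorrow at noon"]


def trained_filter():
    f = NaiveBayesSpamFilter()
    for s in SPAM_SAMPLES:
        f.train(s, "spam")
    for h in HAM_SAMPLES:
        f.train(h, "ham")
    return f


if __name__ == "__main__":
    f = trained_filter()
    print(round(f.spam_probability("free money now"), 3))           # 0.96
    print(round(f.spam_probability("please review the report"), 3))  # 0.059
    print(check_helo("192.0.2.5", {"mail.example.com"}))
```

With six training sentences the probabilities are only meaningful for words the corpus has seen, which is exactly why the trend item above stresses keeping the spam database current: a Bayesian filter is only as good as the mail it has been trained on. The HELO checks are deliberately conservative reasons rather than hard rejects, since misconfigured but legitimate senders present odd HELO names too.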

 - By Rajeev Mittal, Head IT/IS, Piaggio Vehicles


Top technologies / solutions available for BYOD security:

The task for companies that allow BYOD is to develop a policy that defines exactly what sensitive company information needs to be protected and which employees should have access to it, and then to educate all employees on this policy.

Technologies for security of BYOD :

1. VDI - One popular software-based security method gaining steam in BYOD environments is the Virtual Hosted Desktop (VHD). VHD (sometimes known as Virtual Desktop Infrastructure, or VDI) creates a complete desktop image that includes an operating system, all applications and settings. The hosted desktop can be accessed from any compatible machine, and processing and storage take place on a central server. With enough network bandwidth and powerful hardware, this type of virtualized environment can combine acceptable performance with a high level of security.

  • Containerization is a way to address VHD's issues by placing native applications inside a safe zone on the device. A virtual machine manager (VMM) abstracts the container from the client hardware, boosting performance and reducing server strain by allowing client-side execution, while still improving security by isolating the container from certain functions such as wireless network connections, USB ports or device cameras. Some virtual containers contain an entire operating system and productivity application suite, while others are purpose-built, single-function virtual devices that provide services like compliance monitoring or highly secure applications.

  • Chipset-level security technologies allow MDM to reach underneath a managed device's operating system, performing remote wipes and pre-boot virus scans regardless of the device's status. By providing access below the operating system, this technology allows administrators to correct problems by loading software patches and virus definitions, and its integrated support for Public Key Infrastructure (PKI) allows IT to use the devices themselves to authenticate users, removing the need for third-party software tokens or hardware authentication devices. Intel Anti-Theft technology extends security features such as remote, OS-independent device locking and unlocking to processors.


2. NAC - Use Network Access Control (NAC) technology that allows employees to use their personal devices on the network while providing the security and access control required by the enterprise. The approach combines granular access policies, automated enforcement, and complete visibility into every device and user on the network. Leverage software and hardware solutions to lock down and manage devices while simultaneously securing the data itself. Wireless networks have to be built for secure BYOD access, and the way to do that is to incorporate NAC for mobile devices.

3. Data loss prevention - Deploying these engines enables administrators to keep track of data traffic and immediately block suspicious users or activity. For example, the source noted that traffic containing a string of the form "xxx-xx-xxxx" might be blocked, as it could indicate that a social security number is being transmitted.

DLP tools can apply a usage policy to information as it is created, whether it is a file, an email or application data. This means that data at rest, in use or in transit can be logged, reported, tagged and encrypted at any stage, preventing unauthorized activity. As more firms allow employees to access corporate databases from personal devices, DLP technologies will be imperative to maintain secure data management.
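The SSN pattern match described above is the simplest form of DLP content inspection. The following added example (written for this page, not part of the article or of any DLP product) shows the same idea with the false-positive trimming that the con noted later in the article, that poorly implemented rules hurt users, calls for: SSN-shaped strings are validated against the structural rules for issued numbers, and, going one step beyond the article's SSN case, payment card numbers are validated with the Luhn check digit before a match counts. Validated findings are then redacted, or the outbound message is blocked. The sample text, the regular expressions and the block threshold are constructed for illustration.

```python
import re
from dataclasses import dataclass

# SSN-shaped: three-two-four digits, not embedded in a longer digit/hyphen run
SSN_RE = re.compile(r"(?<![\d-])(\d{3})-(\d{2})-(\d{4})(?![\d-])")
# 13-19 digits with optional single space/hyphen separators (payment card PANs)
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def is_plausible_ssn(area, group, serial):
    """SSA structural rules: area 000, 666 and 900-999 are never issued,
    nor are group 00 or serial 0000. Rejecting these trims false positives."""
    a, g, s = int(area), int(group), int(serial)
    return not (a == 0 or a == 666 or a >= 900 or g == 0 or s == 0)


def luhn_ok(digits):
    """Luhn check-digit validation, the equivalent trim for card-number hits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    kind: str
    start: int
    end: int
    text: str


def scan(text):
    """Return validated sensitive-data matches, SSN detector first, then cards."""
    findings = []
    for m in SSN_RE.finditer(text):
        if is_plausible_ssn(*m.groups()):
            findings.append(Finding("ssn", m.start(), m.end(), m.group(0)))
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group(0))):
            findings.append(Finding("card", m.start(), m.end(), m.group(0)))
    return findings


def redact(text):
    """Replace each finding with a tag; work from the end so offsets stay valid."""
    out = text
    for f in sorted(scan(text), key=lambda f: f.start, reverse=True):
        out = out[:f.start] + f"[REDACTED-{f.kind.upper()}]" + out[f.end:]
    return out


def decide(text, block_at=1):
    """Policy action for an outbound message body: ('block' | 'allow', findings)."""
    findings = scan(text)
    return ("block" if len(findings) >= block_at else "allow"), findings


# Constructed sample: one plausible SSN, one structurally invalid SSN, one
# Luhn-valid test card number, and an SSN-shaped run that is part of a longer ID.
SAMPLE = ("SSN 123-45-6789 on file; ticket 000-12-3456; "
          "ref 4111-1111-1111-1111; 987-65-4321-0")


if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f.kind, f.text)
    print(redact(SAMPLE))
    print(decide(SAMPLE)[0])
```

Only two of the four candidate strings survive validation: the ticket number fails the SSN area rule and the trailing identifier is excluded because it continues past the SSN shape. Logging which rule suppressed a match is worth keeping in a real engine, since it is the evidence you need when tuning rules that users report as over-blocking.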


4.     Mobile Device Management (MDM)

MDM products are probably the ones that most immediately come to mind when people talk about mobility and BYOD. However, in my view they are very limited in their ability to address the problems we face in these areas. MDM products typically use an agent on the device that communicates with a back-end management application. Policies are defined within the management application; the agent then enforces those policies, monitors the device's compliance with them and may trigger actions based on the level of compliance, ranging from notifying an administrator through to disabling the device. Typically these applications can also remotely lock or wipe devices and track location. MDM apps can usually deploy applications to mobile devices, and they often include a form of app store for user-selected apps.

Pros and cons of the different types of available technology / solutions:

VDI

Pros

  • VDI and application streaming help address BYOD problems because they run applications and Windows desktops on back-end servers, rather than on endpoint devices.
  • Devices communicate with servers that host the OS and applications, so the resources sent to the devices are compliant and secure. This way, devices receive the apps and data users need to work. All users need is a client on their devices to open the connection to the VDI server.
  • Using VDI and BYOD together can free administrators from managing hardware.


Cons

  • Mobile devices don't always meet the hardware requirements it takes to run virtual desktops.
  • Despite the fact that VDI makes device management easier for IT and increases productivity in theory, virtualization challenges can make it hard for users to get work done. Trying to use VDI on touch screens can be a nightmare.
  • To use a remote desktop, tablet users need keyboards and mice the same way they would if they were sitting at their computers.

 

NAC

Pros

  • Control the role of the user: today we like to call this role-based access control. It simply means the network needs to recognize the identity of the user and only allow access to the resources that are necessary, by applying the appropriate user role. For example, a campus wireless network with NAC would have Student, Faculty and Guest roles, each with the specific set of privileges appropriate to it.
  • Enforce policies: this is called "integrity checking" or "endpoint compliance". Does the machine connecting to the network have anti-virus? Does it have the latest updates? These are some of the policies controlled by traditional access control.

Cons

  • These devices are highly vulnerable through published Common Vulnerabilities and Exposures (CVE) "holes" and most likely are infected with eavesdropping software.
  • In addition to Wi-Fi connectivity, they may be operating on cellular networks at the same time, leaving a gaping hole of risk in the area of data theft and leakage.
  • They may contain corporate resources in transit, such as customer records, contact lists, spreadsheets, documents and presentations, which could be at risk of theft by eavesdropping malware or if the equipment is lost or stolen.

DLP

Pro

  • DLP prevents either an accidental disclosure or an employee overtly sending data out to someone outside the company.
  • Real-time monitoring-visibility into the risk of accessing or sending sensitive data from mobile devices
  • Active enforcement- Prevent the loss or misuse of sensitive data in real-time.

Con

  • Poorly implemented rules can negatively impact the user experience of BYOD.


MDM

Pros

  • Extensive policy enforcement.
  • Additional controls are usually included.
  • Provide one platform for managing all smartphones and tablet devices.

Cons

  • No separation of personal from work data.
  • Additional cost.
  • Likely to be superseded by changes in the hardware/OS space.

-by Harikesh Mishra, CISO, JIL Information Technology limited
