A CISO need to understand the exact requirement before designing the BYOD domain in the organization. Keeping in mind the exact business need and value add which can be or intended to obtain using this technology.

(Read more:  5 easy ways to build your personal brand !)

Build of solution for BYOD is directly related to business requirement without any compromise to security of information or unauthorized access. Solutions should be designed basis of:-

Flexibility

• Depends on how flexible the solution is to incorporate the changing business needs and daily changing hardware / mobile devices models and landscapes.

Availability

• Solution should be high on availability to avoid any impact to business due to unavailability of service.

Controlled access

• There should be strict controls from information security perspective on device to avoid copy or storage of official data on personal devices. Official data and information should only be accessed using layered security parameters without any compromise to access control. All these controls should be managed centrally from a console for easy access monitoring and review.

Security of data residing

• Controls should be built to erase the data remotely incase the device is lost or stolen. Also provisions should be made to avoid any storage of official information on device, even for any offline activity.

Monitoring

• Maximum possible monitoring mechanism should be a feature of the solution to help in understanding the day to day operations issues, access logs and for better performance monitoring.

Scalability

• A scalable solution to handle growing business need.

(Read more:  Top 5 Big Data Vulnerability Classes)

The key parameters based on which a CISO should choose a vendor for the same: 

Vendor selection parameters should be the same basis of solution requirement in addition following should also be considered:-           

Infrastructure

• A robust infrastructure is essential to support for this domain.

Reliability

• Vendor reliability towards delivery, handling and management of services.

Financial stability

• Vendor should be financially stable with sufficient funding and infrastructure support.

Maturity of processes towards handling of customer information

• Maturity of systems and human resources with awareness towards information security to understand the criticality, importance of safe upkeep of customer information with built in controls for information security at every level.

IT Security certifications

• Beneficial for organization to have IT Security certifications which showcase the availability of processes and management support.

DR Infra availability

• As availability of infrastructure is critical to business, vendor should have workable DR solution and related infrastructure for uninterrupted system availability.

Industry reference / prior installations

• Reference or any prior installation experience is an added advantage to have comfort of understanding.

Watch more : Checklist: How to choose between different types of Application Security Testing Technologies?

Top Questions to ask vendor for evaluating the offering/Vendor Evaluation Checklist 

Questions and queries from vendor will be around the selection criteria for project and vendor as mentioned above to have clear understanding of vendor readiness and comfort about his infrastructure and service offerings. In addition, understanding of various solution designs and related alternatives should be a part of evaluation criteria for vendor checklist. Solution design is a critical part of this complete project with usage of latest available technology and integration of the same with available IT Infrastructure.

Top mistakes to avoid while selecting a vendor

While selecting a vendor the top most priority should be given to organizational business requirement and not to the selling or advantages showcased by vendor about his service offerings.  Hence we should not go by just the differentiating factor showcase by the vendor which separate his service offerings with other vendors rather more emphasis should be on the own business need and how a vendor can do the best through their service offerings. To avoid mistakes it is always better to have reference verification from the customers of the vendor to have a firsthand experience of the vendor offerings and support provisions. 

-Nitin Chauhan, Head IT Security - CISO, Ratnakar Bank Ltd. tells us How should a CISO define the requirement for solutions for BYOD Security.

There are so many Endpoint Security Products in the market and every solution has atleast one or more unique feature in their product. So, it’s a tough job for a CISO to choose one of them for his organization. However, a Best Fit Analysis would be best practice for each organization as per own business processes and Infrastructure.

Before the evaluation process one should identify and classify the critical and sensitive Data. Next, map them with different Business processes. Once this is done, the same should be linked with existing network diagram of the organization. This will help CISO to have clarity on overall data flow.

Based on the above analysis, CISO should prepare a generic checklist for vendors and give weighted score to each point. The Pugh Matrix helps to determine the potential solution in such evaluation.

(Read more:  5 Best Practices to secure your Big Data Implementation)

Following are a few topmost criterias:

1. Market presence
2. Respective industry experience
3. No. of installations in the region/country
4. Ease of implementation
5. Combination of techniques
   • VAPT
   • Patch Management
   • Application Control
   • Endpoint Control
   • Data Protection
   • Mobile Device Management
   • Others, if any
   • Performance
   • Consistency
   • Proactiveness
   • Usability
   • Upgradability
   • Flexibility
   • Support and service
   • Cost

- by Abdur Rafi, Corporate manager-IT, ABP Pvt. Ltd.

 More:  Want to become a speaker and address the security community?  Click here    

A brief on what BYOD is all about: 

For all multi national companies, improving productivity and employee work life balance is a choice between - either spend  a lot of money , provide them mobility or implement secure IT practices and adopt the BYOD policy. So, understanding the end point threats from various edge devices and preventing man in the middle attacks, phishing, device take over, data loss due to missing personal devices; enabling IP protection etc becomes paramount. It is not uncommon for many employees to use BOX, Google Docs, DROPBOX etc., to store company presentations, spread sheets, critical documents for their own ready reference when they need outside of their corporate network and this can be mitigated with enterprise cloud storage solutions that are integrated with single sing-on methodology. This would work both in side and outside the corporate  network and when employee leaves the company, it also enables to securely remove the data access to the ex-employee using proper identity management solutions. 

(Read more:  BYOD Security: From Defining the Requirements to Choosing a Vendor)

While doing so, it is paramount to understand the cloud solution vulnerabilities and its own end point threats. Implementing a security policy to manage these BYOD + Cloud Storage plus edge devices network access coupled with secure access policies is what constitutes our solution.

Any organization that needs to provide remote , always available secure work place environment to its employees and at the same time, wants to protect their IP and credibility needs to have this solution implemented.

Key Drivers for adoption are Ease of use, IT control and ability to integrate the solution into existing web of IT infrastructure are the key drivers. Total cost of ownership is also an important key factor. 

Compliance, regulations and standards that make the solution mandatory:

Many EU and North American compliance laws require the presence of this solution in one from or other.

-by Dr. Murali Krishna Nandigama, Director, Site Lead Engineering Environments, PayPal an eBay Inc company

(More:  Want to be an author? Nominations open for co-authors of CISO Handbook)    

Key advantages of using BYOD Security:

■ Extend corporate security policies to mobile devices

• Device password policy configuration
• Lock out after failed attempts
• Disallow previously used passwords

■ Easily disable lost or stolen devices to protect corporate assets

• Remote Locking
• Remote Profile remove
• Remote Wipe out

■ On-device encryption

• Encryption of PIM data and administrator specified files/folders
• Full disk encryption

■ Block rogue or non compliant devices from accessing corporate email

(Read more:   How Should a CISO choose the right Anti-Malware Technology?)

Organizations in the BFSI, Manufacture and any company selling product and having lot of sales staff on field needs such solution.Some of the top technology trends for the above domain are:

• BYOD – Bring your own device.
• Company and Personal Container.
• Risk Assessment of the entire MDM setup and policy.

Key drivers for adoption:

• Secure communications for external devices.
• Scalability, Manageability and Integration with existing system.
• Optimized navigation
• Mobile Expense Tracking and Management.
• Self-service portal – where users themselves can manage basic thing like password change, device wipe out etc.

(Read more:  Under the hood of Top 4 BYOD Security Technologies: Pros & Cons)

Compliance, regulations and standards that make the solution mandatory:

There is no such mandatory regulator in INDIA that drives this solution to implement within India but our site India there are. Standard are there and well define to implement this product which include the best Practice of company that deploy BYOD and the product company that implement the Mobile Device Management solution. Essential part is to do Third party Risk Assessment of the solution after 100% implementation  and before going Live.

-by Paresh Makwana, VP - Information Security Officer, DSP BLACKROCK INVESTMENT MANAGERS PVT LTD

More:  Want to share your insights? Click here to write an article at CISO Platform

Now this is a very subjective term as “Right” to each is quite different. More so, the subject “Information Security” by itself is quite a dynamic and an evolving term. Here, any measure stick with constant attributes may not provide a true insight for the choice of Technology. However, certain parameters of the selection process can be generalized for operational efficiency.

(Read more:  My Key Learning While Implementing Database Security)

Based on my experience I would recommend the following for any CISO to help choose the right Technology:

1. Understand Your Line of Business
2. Understand the Organization’s Core Competency
3. Understand Business Drivers
4. Understand How things work within your organization
5. Understand how to get things done within your organization
6. Get a Maturity Self-Assessment done for all domains of Information Security
7. Work closely with Technology and Business Teams to chalk out how you can transform Information Security weakness to business enablers
8. Get a Senior Management Buy In for your Information Security Roadmap
9. Prioritize Tool/Technology procurement and rollout
10. Track your progress and keep Management updated with the progress.

Once you have completed task mentioned in points 1 to 10 you many need to focus over tool and partner selection.
Here the process could be as follows:

1. Choose the technology domain you would want to address
2. Check to see if there exists a Gartner or Forrester report
3. Chalk down your wish list
4. Float your wish list via RFPs to all partners
5. Assess all partner responses against a predefined attribute set as follows:

(Read more:  Database Security Vendor Evaluation Guide)

Once done these steps would help you narrow down your choice. However, for the final decision you would need to make a choice by yourself and here are few questions that you should have clear answers for you to choose the right Technology and Partner:

1. Is the technology completely New or does the technology proposer have a demonstrative model in place?
2. Does the technology Partner have a support system in your geographical region?
3. Can the technology partner offer an Opex model along with Capex?
4. Pull out reference work to understand what can go wrong and how better you can manage technology and project issues.
5. Check to seek if you have in-house capabilities to manage the New Technology.
6. Check if Technology partner presents tool benefits by way of Business outcomes.

(Watch more : 3 causes of stress which we are unaware of !)

I trust, there is no substitute to experience. However, with sharing through common body of knowledge can make technology selection lucid and succinct.

I strongly recommend every Information Security professional to love their Job first.  Be spiritual – Meditation, Service and Knowledge are profound pillars. This will help one achieve clarity of thought and vision. Without these, no matter how religiously you follow best practices, task accomplishment may be a challenge.

-Sagar Karan, CISO, Fullerton India Credit Company Ltd. tells us How Should a CISO choose the right Anti-Malware Technology

We heavily rely on references while taking a decision on adoption of a new technology or a product. However, there is no dedicated analysis of product leadership purely based on customer recommendation. From CISO Platform technology Analyst team, we are happy to announce the concept note for CISO Index which shall rate products purely based on CISO/User satisfaction.

Why do we need a CISO/User satisfaction based product/technology rating framework?

1. CISOs or the users can provide the most meaningful verdict for a product
2. With the whole world getting social, community recommendation should play bigger role in decision making
3. Currently there is no globally acknowledged framework solely based on CISO/User Satisfaction

To exercise your vote and provide your rating: Click here 

Proposed "CISO Platform Index"

The CISO Platform Index shall use a transparent methodology to compare the players in software, hardware, or services market so that the CISOs can make well-informed decisions.

1. CISO Platform Index (CPI) - Index developed based on User Satisfaction Survey by CISOs who used the vendor product on different evaluation metrics.

(Read more:  5 Best Practices to secure your Big Data Implementation)

CISO Platform Index Methodology

The following steps will be executed for evaluating the vendors:

Step 1- Collection of CPI Data: The Customers/Users of a product shall be requested to rate each product on a scale of 1 to 10 for the following parameters.

1. Overall Rating
2. Features
3. ROI/Price
4. Ease of Implementation
5. Support

Step 2- Analysis of the Data:

• CPI Calculation for each product: The Weighted Mean score for each vendor collected from participants who have a current/prior usage experience of the vendor product will be known as CPI (CISO Platform Index). 
  
  We shall have the following weight age:

1. Features (30%),
2. Price/ROI (10%),
3. Ease of Implementation (30%)
4. Support (30%)

*Note: The Mean shall be achieved using various statistical tools eg. clustering techniques to rule out bad data 

Vendors shall be encouraged to come up with more references of their customers as this will help in analyzing them with more confidence. Also, we will be providing additional confidence rating to the vendors based on the number of references they provide. Any product with less than the cut-off number (10 references) for recommendation shall be eliminated from the analysis.

(Read more:   How Should a CISO choose the right Anti-Malware Technology?)

To exercise your vote and provide your rating: Click here 

Mathematical Analysis

1. We have defined a cut-off score of 7.0 mean on CISO Platform Index
2. The vendors which are scoring above the cut-off in CPI will be featured in the CPI report

CPI Report

The first draft shall be presented at the CISO Platform Annual Summit, 2014. It will formally be published in Decision Summit along with 5th Top 100 CISO Awards (4-5 June, 2015), Delhi.

To exercise your vote and provide your rating: Click here  

Click here to view the discussion forum OR provide your feedback .

More:  Want to become a speaker and address the security community?  Click here    

We all face difficulties in expressing our thoughts. Here are a few pointers which will help a person to write great articles in just 30 mins.

Step 1: Define the headline

When you write the articles ask yourself 3 questions:

1. Are you saying something new?
2. Are you saying something old but in a new way?
3. Are you saying something which will help others to save time, money or effort?

If any of the answer is yes, then you got a nice topic. Next you need to define the headline. Few good characteristics of a good headline are as follows:

• Should be less than tweet length. Ideally it should be less than 15 words.
• Should communicate a single clear message
• Ask a question which is compelling in nature (Why peer recommendation works while selecting a technology?)
• Have a number in your headline (5 easy ways for CISO to build personal brand)
• Write how to blogs (How to select you application security testing vendor?)

(Read more:  Checklist: How to choose between different types of Application Security Testing Technologies?)

Step 2: Write the subheads

After the headline is defined, write clearly the sub-heads of your blog. As an example for "5 easy ways for CISO to build a brand", the subheads are the ones which are marked in bold. In this blog the subheads are: Step 1: Define the headline; Step 2: Write the subheads etc

It is important that subheads are short and precise.

Step 3: Add content. (Short and sweet)

You can now write the introduction and the explanation for each of the subhead. You can also add some concluding remarks if essentials. The most important point is that people are busy, so shorter the better.

Few secrets to write blogs quickly

1. Re-use what you wrote earlier in various forms like ppt, research papers etc
2. Choose a topic about which you know well and not the ones that need research
3. Tell something that you experienced personally
4. Think for a few days during leisure and write during the weekend (or whenever you get time).

More:  Want to share your insights? Click here to write an article at CISO Platform

Post Topic Ideas:

Example Post Topics (using below "topic" & "sub-topic help text"):

• How should  a CISO choose technology & Solutions for SIEM?
• Top Resources for End Point Security
• What are the decision parameters / tips for choosing vendor in CASB
• Top 5 steps during the implementation of Deception Project
• Vendor Evaluation Checklist for Third Party Vendor Risk
• Which are the key drivers for adoption of DLP
• Compliance, regulations or standards that make TPRM mandatory
• Best Practices for IDS/IPS
• Current/Future trends in market for Application Security
• Which Cloud Security solution should you adopt and how should  a CISO choose?

Topic Domains:

• Artificial Intelligence
• Application/Database Security
• BYOD Security
• Cloud Security
• CASB
• DLP/Data Security
• DDOS / DOS Security
• Deception
• Encryption for Servers/Storage/Database
• End Point Security
• Identity and Access Management
• IDS/IPS
• IT GRC Management tools
• Machine Learning & IOT
• Shadow IT & Digital Footprint
• Secure email/Web Gateway, Content Filtering/UTM
• Security Information and Event Management (SIEM)
• Security Testing /Audit
• Strong Authentication
• Third Party Risk Management (TPRM)
• & more

Sub Topics & Help Text (for each "topic domain" above):

Summary:

Purpose: The purpose of this concept paper is to explain the requirement of a framework which is not only easy to interpret but also dynamic in understanding customer requirements when it comes to analyzing vendors. It also explains the concept of CPI (CISO Perception Index) and CRI (CISO Recommendation Index) and offer insights regarding their use as a framework for analyzing the IT Security sector.

Research: Research for this framework included a review of most of the existing frameworks along with an in-depth analysis of the IT Security sector.

Methodology: Business research methods such as Cluster analysis, graphical analysis and surveys using Likert scale have been used for collecting and analyzing the data mathematically.

Major Findings:

The major findings include -:

1. CPI (CISO Perception Index) and CRI (CISO Recommendation Index) for a vendor.
2. An overall analysis of the vendors by using CPI and CRI.
3. Carrying out in-depth analysis of the vendors based on the questions asked to the test sample.

 (Read more:  Top 5 Big Data Vulnerability Classes )

Do we need a new framework?

Yes, for following reasons:

• Existing frameworks are difficult to interpret.
• No exclusive framework to assess vendor on Product - Features, Pricing/ROI, Ease of Implementation/Use, Integration, Support, overall recommendation by CISOs and perception of CISOs.
• Some of existing frameworks take customer references from vendors to evaluate the product,at times this may lead to bias in vendor analysis.
• Not very useful in helping CISOs make buying decisions.

How can we overcome this gap?

CISO Platform took initiative to develop a framework that overcomes the gap with following attributes:

• Simple, Dynamic and Easy to interpret.
• Exclusively assess vendor on Product - Features, Pricing/ROI, Ease of Implementation/Use,Integration, Support and overall recommendation by CISOs.
• Along with customer’s references taken from vendors, other CISOs evaluation of the product has to be taken into consideration for methodology.

We call it “CISO Platform Index”, CISOs are the backbone for this framework and play very important role in evaluating the vendors.

(Read more:  How to write a great article in less than 30 mins )

Brief description about CISO Platform Index and Methodology

The CISO Platform Index uses a transparent methodology to compare the players in software,hardware, or services market so that the CISOs can make well-informed decisions. The CISO Platform Index offers two indexes to compare:

1. CISO Perception Index - Index developed based on the perception of CISOs about the vendor /Product on different evaluation metrics.
2. CISO Recommendation Index - Index developed based on the recommendation by CISOs who used the vendor product on different evaluation metrics.

Who are Participants in CISO Platform Index Process

CISO Index builds upon participation of 3 key players:

• CISO Platform Analyst - Manages the CISO Index process.
• Vendor - To provide detailed product /service information and customer references.
• CISOs - Evaluate vendor products by survey questionnaire.

Watch more : How MIT website got hacked despite having any vulnerability ?

Evaluation Method:

The following steps will be executed for evaluating the vendors-:

Step 1: Following 6 questions will be floated among CISOs and customer references provided by the vendors.

• How satisfied are you with features of this product?
• How satisfied are you with Return on Investment of this product?
• How easy is to implement this product without disturbing existing system?
• How well this product can integrate with existing system?
• How do you rate product support?
• Would you recommend this product to CISOs?

Step 2: CISOs and vendor referred customers will rate the vendor –product on likert scale of 7 for each question.

Sample Likert Scale:

Step 3: Initially, likert scale scores collected from CISO’s and vendor’s customer references will be divided into two buckets based on whether the participants have used the vendor product or not.

• The average likert score for each vendor collected from participants who haven’t used vendor product but are aware of its pros and cons will be known as CPI (CISO Perception Index).
• The average likert score for each vendor collected from participants who have a current/prior usage experience of the vendor product will be known as CRI (CISO Recommendation Index).

Vendors are encouraged to come up with more references of their customers as this will help in analyzing them with more confidence. Also, we will be providing an additional index points to the vendors based on the number of references they provide.

Mathematical Analysis

We will use clustering analysis (Agglomerative and K-mean method) for dividing out the vendors into different clusters based on: 1. CPI 2. CRI.

Following steps will be executed as part of mathematical analysis -:

1. We will carry out two kinds of analysis over them -:

• An overall analysis of the vendors by using CPI and CRI
• Carrying out in-depth analysis of the vendors based on each question asked.

2. The collected data will be initially analyzed using Agglomerative clustering .This method is promptly used for identifying the possible number of clusters present within the sample.

3. Once we have the number of clusters present within the sample, we will use this number as an input to another very popular clustering method called “K-Mean”.

4. K-Mean method helps in identifying the initial and final cluster centers within the sample based upon the questions asked.

5. K-Mean, further, helps in calculating inter-cluster distances and developing a correlation matrix between the available clusters to analyze how close these clusters are to each other.This will help in ranking these clusters.

6. The ANOVA table, which also comes as an output, tells us which of the 6 questions (variables) is/are significantly different across the clusters. Thus, it is used as a measure to identify which question bears more significance with respect to the end users.

7. In the end, we will pick the top two clusters and present it in our report. The top two clusterswill be termed as

• Champions
• Challengers

CPI Vs. CRI

Cluster Membership Table

CISO Recommendation Index for Companies  

More:  Want to become a speaker and address the security community?  Click here    

How important is your personal brand in professional success?

Nobody can deny that personal reputation is critical in the path of professional success. Definitely the most important factor is "who you are?" but it is equally important "how others perceive you?".

In today's world due to online tools it is lot easier to build your personal brand. Here are the top steps:

Step 1: Define your strategy

You need to answer a few questions. What do you love the most? What are you good at? Is there some gap in the industry which you can address? It is important that you work on your "strength that matters" i.e. the strengths which are aligned with some industry gaps. For example it is easier to do some good work in the emerging areas like Big Data, BYOD security than on mature fields like encryption provided you have the right skill sets. So, match the gaps and strengths.

Read more: Future Proofing - Protecting the "IT" Arena

Step 2: Execution

Following are some easy steps to build your brand.

1. Write Thought Leadership Articles

Write articles for on-line portals that relate to your area of expertise or industry. When you write the articles ask yourself 3 questions:

1. Are you saying something new?
2. Are you saying something old but in a new way?
3. Are you saying something which will help others to save time, money or effort?

If any of the answer is yes, then you got a nice topic. You can write guest articles at various places like Techcrunch, Forbes, CISO Platform etc. 

(Read more:  5 Best Practices to secure your Big Data Implementation)

2.Speak at Conferences/Webinars

There are various top industry conferences like Blackhat, RSA, Interop etc where there are call for speakers. Apply for those and get known as an industry thought leader. You can also participate as a guest speaker on CISO Platform online webinars.

3.Participate in Online Social Media

Participate in on-line forums / communities to share your expertise or passion and increase your visibility at the same time. You can use linkedin, twitter or more focused security platforms like CISO Platform . Twitter takes some time in terms of getting followers. Linkedin groups, CISO Platform are the places where you can get quicker visibility.

4. Nominate yourself for an Industry Award 

Nominate yourself for awards in your industry; winning an award will give you greater recognition across the industry. There are various industry awards which are specific to countries. Search for the industry award that is relevant to you.

5. Author a Book

Writing a book is a great way to establish your thought leadership. You can write your book on your own or work with a small group of co-authors you know. However it is important that you address a gap/need of the readers. You can be an author of CISO Handbook which is being written right now by a community of CISOs.

In today's online world you have better leverage than ever, to build your online brand. So just get started. Best of luck!

More:  Want to share your insights? Click here to write an article at CISO Platform

More:  Want to share your insights? Click here to write an article at CISO Platform

Why do we need a CISO Handbook?

• There is no single consolidated source of comprehensive and precise operational knowledge that a CISO would need.
• CISOs need to browse through a sea of information to find what is relevant to them.
• CISOs  feel the need to have more insights from their peers, and learn from each others experiences.

Vision of the CISO Handbook

The vision of CISO handbook is to provide consolidated, comprehensive and precise operational knowledge "By the CISO’s, For the CISO’s".

What “Lonely Planet” did for travelers, we aspire to do the same for the CISOs. We invite the CISO community to participate in realizing this dream.

As a part of the bigger goal of sharing knowledge we appeal to all CISOs to contribute generously towards this cause.

(Read more: Top Security Threats 2013)

How to Contribute?                

You can contribute to this book in the following way -:

1.      Click Here to Sign-in/sign-up.

2.      Once you sign in, visit the "CISO Handbook" tab on any page.

3.      Choose your domain and submit your content online. Or mail your content to cisohandbook@cisoplatform.com

More:  Join the community of 1400+ Chief Information Security Officers.  Click here

Our special webinar by CISO Platform and WebSense, was a great success with over 120 CISO's registering for the webinar.

Key Areas Covered

1. Which are the most commonly used data security controls?
2. What are the best practices for an effective Data Security Strategy?
3. Which are the Key challenges while implementing Data Security Strategy?
4. How should one choose a Data Security Vendor?
5. Understanding of technology architecture and solutions for data security

 (Read more: BYOD Security: What does “Information Security community of LinkedIn Survey” find out?)

Panelists:

• R. Venkatasubramanian, Director, Global Information Security, Cognizant
• Kalyanaraman Seshadri, Deputy general manager- global IT, HCL
• Maheswaran Shanugasunearam ,Manager - sales engineering, Websense
• Bikash Barai, CEO, iViZ

Presentation

 (Read more:  Technology/Solution Guide for Single Sign-On)

More:  Want to share your insights? Click here to write an article at CISO Platform

Jayantha Prabhu,CTO , Essar Group, talks to CISO Platform on the Top Security Trends that he feels, will define the future.

As I see it, broadly the following technologies will dictate the future of IT

• Cloud Computing technologies
• Mobility solutions
• Advanced analytics
• Social networking solutions/technologies

(Read more:  Top 5 Application Security Technology Trends)

As a CTO I need to focus on quite a bit but terms of top priorities I am concentrating on the following

• Virtualization and consolidation
• Mobility taking to the next level
• Social and Big Data solutions providing high end business values
• Sweating existing assets and protecting existing investments

How do you define “Big data” and what role do you think it would play in defining the future?

• Big Data as I said will prove vital going forward for several reasons. First and the foremost, I define Big Data as “the information that needs to be as wide-spread as possible to provide the best possible outcome – a accurate and meticulous one and that fulfills any business needs”.
• I have taken Big Data among the top 5 priorities within my focus area. This implies that I am well cautious about its capabilities and the impact it can create over deriving best possible business value. Means and ways to derive accurate results from ocean of data and how efficiently is that big data solution’s proficiency will dictate. I have already seen lots of solutions providers actually handling heaps of information, churning through various big data solutions and giving lots and lots of meaningful outputs. Any business will require such outputs based on the competitive edges they come across.

(Read more:  BYOD Security: The Art of detecting unauthorized devices in the network!)

To be at the top of edge in today’s cut-throat competitive environment is what every business will thrive for. This I think can be achieved through wise usage of big-data. Thus big-data will be driven more from a perspective of competitive edge of rendering value add based on your customer/client base. This is possible through big data solutions that can take stock of existing As-Is and also can derive predictable trends – any organization would want to edge out from their competitors.

• Yes indeed, we have already entered in the “BYOD era”. Evidently I can visualize number of examples wherein BYOD does drive business to a considerable extent. Although in my organization BYOD is a value add feature for a certain segment of employees, there are organization within which BYOD has overtaken the conventional PC based ecosystems and those business are experiencing the fruits expected from BYOD.
• Organizations don’t really now need to bother about the huge capex cost of investing in PC and related peripherals. Furthermore, due to significant improvements in mobility solutions
• BYOD also provides immense flexibility to static and dynamic user base wherein an organization need not provision PC/Laptops instead BYOD’s flexibility can ease of these constraints

(Watch more : 5 Implications of HTML 5 on Security)

• Data Security – the way data is managed is the first and foremost risk associated with BYOD.
• BYOD I believe should be adopted in stages and a detailed due diligence to be taken up before actually rolling out BYOD solutions.
• One must identify the applications and services that would be rendered over BYOD and then the backend infrastructure should be robust enough to sustain this services in a secured way.

Should a CTO strategize to adapt to all top security trendz or should he prioritize?How should he prioritize?

It has to be prioritized – beyond doubt. And this can be done through a cautious and planned approach.I personally have taken certain steps to achieve this.

• Develop a security architecture driven by vision, organize a structure of experts to it and give enough empowerment to achieve the objectives.
• This approach has also to be well incorporated with effective tracking mechanism
• Each and every security trends are not suitable for any single organization hence this body has to select and prioritize 1^st based on suitability, requirements and other compliances factors.

More:  Want to be an author? Nominations open for co-authors of CISO Handbook    

The Internet has plenty of crackers, known as  "black hats", who work to exploit computer systems.You also have white hats. When hackers are hired by companies to do penetration testing, it's legal and known as white hats. In this section we profile five of the most famous  and all time favourite "black hat" hackers!!!

Jonathan James: James  became the first juvenile to be 

sent to prison for hacking. He was sentenced at 16 years old. In an anonymous PBS interview, he professes, "I was just looking around, playing around. What was fun for me was a challenge to see what I could pull off".James's major intrusions targeted high-profile organizations. He installed a backdoor into a Defense Threat Reduction Agency server,which enabled him to view sensitive emails and capture employee usernames and passwords .

James also cracked into NASA computers, stealing software worth approximately $1.7 million. According to NASA, "The software supported the International Space Station's physical environment, including control of the temperature and humidity within the living space." NASA was forced to shut down its computer systems for three weeks,costing $41,000 to check and fix its systems. James explained that he downloaded the code to supplement his studies on C programming, but contended, "The code itself was crappy . . . certainly not worth $1.7 million like they claimed."

Given the extent of his intrusions, if James, also known as "c0mrade", had been an adult he likely would have served at least 10 years. Instead, he was banned from recreational computer use and was slated to serve a six-month sentence under house arrest with probation. However, he served six months in prison for violation of parole. He died on May 18, 2008, of a self-inflicted gunshot wound.

(Read more:  Changing Landscape of IT Security. How should a CISO prepare for the battle?)

Adrian Lamo: Lamo gained media attention  in his break-ins at major organizations like The New York Times and Microsoft. Dubbed the "homeless hacker," he used Internet connections at Kinko's, coffee shops and libraries to do his intrusions. In a profile article,"He hacks by day,Squats by night", Lamo reflects, "I have a laptop in Pittsburgh, a change of clothes in D.C. It kind of redefines the term multi-jurisdictional." In 2010, Lamo became embroiled in the Wiki Leaks scandal involving Bradley Manning, who was arrested after Lamo reported to federal authorities that Manning had leaked hundreds of sensitive U.S. government documents.

Lamo's intrusions consisted mainly of penetration testing, in which he found flaws in security, exploited them and then informed companies of their shortcomings. His hits include Yahoo!, Bank of America, Citigroup and Cingular.

When he broke into The New York Times' intranet, things got serious. He added his name to a list of experts and viewed personal information on contributors, including Social Security numbers. Lamo also hacked into The Times' LexisNexis account to conduct research on high-profile subject matter.

For his intrusion at The New York Times, Lamo was ordered to pay approximately $65,000 in restitution. He was also sentenced to six months of home confinement and two years of probation, which expired January 16, 2007. Lamo is currently working as an award-winning journalist and public speaker.

 (Read more: Top 5 things a CISO should evaluate to benchmark an IAM solution)

Kevin Mitnick: A self-proclaimed "hacker poster boy," Mitnick went through a highly publicized pursuit by authorities.The Department of Justice describes him as "the most wanted computer criminal in United States history." His exploits were detailed in two movies: Freedom Downtime and Takedown.

 At age 12, Mitnick used social engineering to bypass the punchcard system used in the Los Angeles bus system. Although there were numerous offenses, Mitnick was ultimately convicted for breaking into the Digital Equipment Corporation's computer network and stealing software.

Mitnick's mischief got serious when he went on a  "hacking spree"for two and a half years .The CNN article,"Legendary computer hacker released from prison", explains that "he hacked into computers, stole corporate secrets, scrambled phone networks and broke into the national defense warning system." He then hacked into computer expert and fellow hacker Tsutomu Shimomura's home computer, which led to his undoing.

Today, Mitnick has been able to move past his role as a black hat hacker and become a productive member of society. He is now a computer security consultant, author and speaker.

(Read more:  7 Steps to stress free management)

Kevin Poulsen: He worked for SRI International by day, and hacked at night. Also known as Dark Dante, Poulsen gained recognition for his hack of LA radio's KIIS-FM phone lines, guaranteeing that he would be the 102nd caller and win the prize of a Porsche 944 S2. Law enforcement dubbed him "the Hannibal Lecter of computer crime."

Authorities began to pursue Poulsen after he hacked into a federal investigation database. During this pursuit, he further drew the ire of the FBI by hacking into federal computers for wiretap information.

His hacking specialty, however, revolved around telephones. Poulsen also "reactivated old Yellow Page escort telephone numbers for an acquaintance who then ran a virtual escort agency." Later, when his photo came up on the show Unsolved Mysteries, 1-800 phone lines for the program crashed mysteriuosly. Ultimately, Poulsen was captured in a supermarket and served a sentence of five years.

Poulsen has reinvented himself as a journalist since his release from prison, and sought to distance himself from his criminal past.He became a senior editor for Wired News in June 2005. His most prominent article details his work on identifying 744 sex offenders with MySpace profiles.

(Watch more : South Asia's Cyber Security Landscape after the Snowden Revelations)

Robert Tappan Morris: Morris, son of former National Security Agency scientist Robert Morris, is best known for creating the Morris Worm,in 1988.considered as the first computer worm on the Internet and subsequently became  the first person convicted under the Computer Fraud and Abuse Act.

Morris wrote the code for the worm while he was a student at Cornell. He asserts that he intended to use it to see how large the Internet was. The worm, however, replicated itself excessively, slowing computers down so that they were no longer usable. It is not possible to know exactly how many computers were affected, but experts estimate an impact of 6,000 machines. He was sentenced to three years' probation, 400 hours of community service and a fined $10,500.

He went on to co-found the online store Viaweb, one of the first web-based applications, and later the funding firm Y Combinator - both with Paul Graham. He is currently working as a tenured professor in the department of Electrical Engineering and Computer Science  at the MIT.

Due to financial implications caused by several recent high-profile data leakage incidents,enterprises are facing increasing pressure for implementation of stringent norms pertaining to governance and compliance reporting. Today, adhering to governmental and contractual compliance requirements is required not only to continue the business, but also generate value. Failure to protect the organizations’ assets, especially critical data, may attract heavy penalties and often result in disciplinary action by the regulator.

Compliance and Government Regulations* :

•The Information Technology Rules, 2011 (four sets of rules have been introduced under the Information Technology Act, 2000) by the Indian Government addressing the industry’s concerns on data protection, creating a mandate for data protection and actions on cybercrime. Sensitive personal information of consumers, held in digital environment, is required to be protected through reasonable security practices by corporates. Moreover, the Act makes it mandatory
for the organization to protect data under contracts. There is a defined penalty for breach of confidentiality and privacy.

(Read more: Changing Landscape of IT Security.How should a CISO prepare for the battle?)

• The Reserve Bank of India’s guidelines on usage of information security to safeguard financial data have come into force in 2012, and swift implementation has been witnessed due to its fast-approaching deadline. Implementation of best practices is another reason behind the thought for investment in data security.

• Financial institutions came under SoX (Sarbanes-Oxley) and GLBA (Gramm-Leach-Bliley Act) and were scrutinized for their consistency and adherence to the norms. This mandates them to adhere to the regulation and implement data security.

• Healthcare facilities like hospitals and pharmaceutical houses are regulated by HIPAA (Health Insurance Portability and Accountability Act) and HITECH (Health Information Technology for Economic and Clinical Health) Act that mandate the use of security and privacy safeguards.Protected Health Information breach reporting has been a major move toward ensuring compliance and identifying incidents and breaches.

(Read more:  5 Best Practices to secure your Big Data Implementation)

**Not intended to be legal advice. Please consult a/your attorney for legal advice.

Click here for detailed findings -Presented by Frost & Sullivan in Association with Websense.

More:  Join the community of 1400+ Chief Information Security Officers.  Click here

Data explosion and advent of big data are phenomena, which are a result of economic development of
nations and increase in digital footprint of organizations.With more and more devices getting connected to the core business enterprise network, in order to serve the need of anytime-anywhere information access and growing traction of bring your own device (BYOD) in the corporate culture; all contributing to the era of ‘big data’.

Trends driving data explosion:

Proliferation of mobile devices accessing corporate data

As data is increasingly becoming an essential component of wireless communication, latest mobile devices such as smartphones, tablets, and other data-centric devices are making a foray into the business world in a big way.As per Frost & Sullivan estimates, smartphone and tablet PC penetration in India will register compound annual growth rates (CAGRs) from 24.8 percent in 2011 to 106.7 percent in 2017.

‘Big Data’ invasion

Today, companies are seemingly tapping large amounts of information about their customers,stakeholders and suppliers, and huge volumes of data are being generated every second.Needless to say, this advent of big data is pushing enterprises to invest in business intelligence and analytics like never before.

(Read more:  Bring out the "Thought Leader in You" ! Become our guest author)

‘Always On’ networks with seamless connectivity

Another big trend observed is the always-networked enterprise. Upsurge of wireless and networking capability in handhelds and portables has resulted in connectivity of workgroups to the main corporate network anytime and anywhere. Trend of extended office and workgroups has resulted in the need for ‘always access’ of data to-and-from the enterprise.

Adoption of cloud services

For the very ease of use, scalability, and lower total cost of ownership (TCO), cloud solutions are increasingly being adopted. From the obvious advantages of providing a more efficient and scalable way to store data, it is becoming a known fact that increased adoption of cloud computing will continue to stimulate astronomical growth in storage requirements resulting from a data explosion.

Globalization leading to cross-border data flow

Globalization is not a recent phenomenon, but has become a buzzword with the explosion of information taking place around us. As organizations become increasingly global, this translates into significant cross-border flow of data. Adhering to compliance regulations across geographies and safeguarding sensitive data from leakage has become a behemoth task.

(Read more:   Changing Landscape of IT Security. How should a CISO prepare for the battle?)

Need to secure corporate data

• Evolution of Sophisticated Threat Vector
• Introduction of New Technologies
• Governance, Risk, and Compliance
• Safeguarding from Insider Threats
• Safeguarding the Enterprise’s reputation and Sustaining Competitive Advantage

Click here for detailed findings -Presented by Frost & Sullivan in Association with Websense.

More:  Want to become a speaker and address the security community?  Click here    

Keeping current with the latest threat trends can improve the effectiveness of existing security solutions as it helps to identify and prioritize security gaps that may require new approaches and more innovative strategies.

Key Findings:

• Web Security - The web became significantly more malicious in 2012, both as an attack vector and as the primary support element of attacks originating through social media, mobile devices, and email. Researchers measured an alarming 600 percent increase in the use of malicious web links through all vectors.

• The Social Web - Malicious content was hidden within social media behind shortened web links 32 percent of the time. Social media attacks took advantage of the confusion of new features, changing services and unsophisticated users.

• Mobile Security - A study of last year's malicious apps revealed how they often abuse permissions; especially in the use of SMS communications, something very few legitimate apps do. Risks also increased as mobile devices were used for social media and web surfing more often than actually making a phone call.

(Read more: Bring out the "Thought Leader in You" ! Become our guest author)

• Email Security - Only 1 in 5 emails sent were legitimate, as spam increased to 76 percent of email traffic, and 92% of spam included links to potentially malicious content. Phishing threats delivered via email also grew.

• Malware Behavior - Forensic analysis identified that registry modification behavior in malware has declined to 7.7%. Once a key indicator of malicious behavior, malware has now become increasingly Internet-connected. Half of all malware that used the Internet for communications and downloaded additional malicious executables to extend their attack capabilities in the first 60 seconds.

• Data Theft - Key changes in data theft targets and methods took place last year. Reports of intellectual property (IP) theft increased, and theft of credit card numbers and other Personally Identifiable Information (PII) continued to grow. Hacking, malware and other cyberthreats continued to be common methods of attack. However, some of the largest thefts involved physical penetration of security as well, often by willful employees.

(Read more:  Top 5 things a CISO should evaluate to benchmark an IAM solution)

The report has been created by WebSense with the Threat Seeker Network, composed of big data clusters used by the WSL to collect and manage up to 5 billion inputs each day from 900 million global endpoints. Malware samples, mobile applications, email content, web links and other information were then passed through deep analysis processes which applied over 10,000 different analytics.

Click here for detailed 2013 Threat Report findings.

More:  Want to be an author? Nominations open for co-authors of CISO Handbook    

Identity and Access Management is an integrated set of processes, policies and technologies to simplify and improve user account management,reduce administrative costs, strengthen security, protect confidential information from unauthorized users and make businesses more agile to the changing needs.

Which kind of organizations should adopt IAM and who can give it a miss?

Organizations across industry verticals shall adopt IAM as it has become the need of the hour.   These include banks, manufacturers, ITES, telecommunication companies, government etc. Ideally, organizations with more than 1000 users and having a heterogeneous IT landscape can adopt IAM. Requirements can vary from organization to organization. For each organization the IAM solution should be tailored to meet the specific requirements and at the same time be robust and scalable to cater to future needs.

(Read more:  5 Lessons from the LinkedIn Breach)

What are the biggest drivers for adopting IAM?

Risk Management

• Centralized enforcement of enterprise security policies
• Strong authentication for critical assets
• Policy driven access to corporate resources
• Quick revocation of accounts belonging to leavers

Operational Efficiency

• Automated provisioning, de-provisioning of accounts
• Reduced administration costs / Improved SLA’s
• Reduce help desk calls for password resets
• Standardized authentication, authorization framework

Compliance

• Compliance to regulatory requirements
• Centralized reporting
• Strong Access Governance

Business Enablement

• Improved user experience ( i.e Single Sign on to various Corporate Applications )
• Secure collaboration with partners
• Management of post M&A integration / Organizational Restructuring

Some of the barriers faced by organizations are:

• Cost -Cost can be a major barrier for many organizations with shrinking IT budgets.
• Complexity- IAM initiatives can be perceived as a complex exercise as it involves integrations with different enterprise applications and involves good amount of coordination between different business groups or departments. Sometimes existing processes may not be well understood or even documented. Organizations can feel the whole exercise of migrating from existing processes to new ones is a complex and daunting task. Even though complexities exist, with proper planning and IAM domain experience organizations can successfully implement IAM projects.
• Undervaluing benefits of IAM -Some organizations may not perceive an IAM implementation to be beneficial or a good case for ROI. IAM should not be looked only from the security perspective. IAM can reduce administrative costs significantly and enable the organization to comply with regulations in a cost effective manner.

Some of the potential challenges that organizations can face in the adoption of IAM are:

• Managing change -IAM brings in changes to existing processes and procedures. Though these changes are for the better organizations may face resistance internally in accepting changes. This makes it important that IAM initiatives have the backing of top management.
• Managing expectations -Before embarking on an IAM implementation the goals and objectives of an IAM project should be laid down and agreed upon by all key stakeholders.
• IAM product capability - The IAM solution may not be able to address some of the requirements due to limitations in the features its supports or lack of flexibility to customize. While selecting IAM products, due consideration should be given to the capability of products to meet the organization's immediate and future needs. For example, if one of the requirements is to have complex workflows, while evaluating an identity management product adequate consideration should be given in selecting one that features flexible and customizable workflow engine.
• Preliminary work - In most cases, preliminary work may be required before an IAM implementation project can start. Data cleansing can be one such activity. If an organization doesn’t do the initial ground work to identify any preparation work involved, the project effort estimation will not be accurate and can lead to schedule and budget overruns.
• Incomplete requirement - If requirements are not properly gathered and analyzed, the IAM projects may fail to meet the business objectives.
• Big bang approach - Trying to do everything in one go doesn’t work. IAM projects should be rolled out in phases.
• Lack of effective project management -IAM projects can be complex in nature. Without a proper focus on project management, IAM projects can be delayed and run into cost overruns.
• Lack of Skilled Implementation Consultants- IAM project implementations should be carried out by consultants with right business and technical skills. Projects which lack skilled resources may fail in capturing correct requirements, designing an effective solution and completing the project on time
• Scope Creep - Requirement changes in the middle of the project execution can lead to scope creep. Strong change management processes should be in place.

What are the top few steps during the implementation of a IAM project?

Top 10 predictions for 2013 and beyond - Gartner

Gartner's top predictions for 2013 focus on opportunities, economic risks and innovations that will force CIOs to move to the next generation of business-driven solutions."The priorities of CEOs must be dealt with by CIOs who exist in a still-turbulent economy and increasingly uncertain technology future,"as quoted by Gartner analyst.Key highlights are as follows:

By 2015, big data demand will reach 4.4 million jobs globally, but only 1/3rd of those jobs will be filled

The demand for big data is growing rapidly, and enterprises will need to reassess their competencies and skills to respond to this opportunity.The prediction talks about the demand supply gap and an important aspect of the challenge in filling these jobs lies in the fact that enterprises need people with new skills — data management, analytics and business expertise and nontraditional skills necessary for extracting the value of big data.

By 2014, market consolidation will displace up to 20 percent of the top 100 IT services providers

By 2014, low-cost cloud services will cannibalize up to 15 percent of top outsourcing players' revenue, and more than 20 percent of large IT outsourcers not investing enough in industrialization and value-added services will disappear through merger and acquisition. This will limit and endanger the typical offshore approach run by dedicated IT services providers and create low-cost options onshore or facilitate a globalized approach to staffing.CIOs should reevaluate the providers and types of providers used for IT services, with particular interest in cloud-enabled providers supporting information, mobile and social strategies.

(Read more: Bring out the "Thought Leader in You" ! Become our guest author)

By 2014, European Union directives protect jobs, reducing off-shoring by 20% through 2016

An upward trend in unemployment has continued in the European Union during the ongoing financial crisis. With little expectation of a short-term recovery, Gartner expects to see the European Union introducing directives before the end of 2014 to protect local jobs. The impact of this protectionist legislation would be a net reduction of off-shoring by 20 percent through 2016.This does not mean that organizations will abandon the use of global delivery models, but it will result in the rebalancing of where labor is located with such models.

Through 2015, 90% of enterprises will bypass broad-scale deployment of Windows 8

Windows 8 is Microsoft's attempt to bring the touch interface product to modernize its offering, and is going to push IT organizations to this new interface as quickly as possible. However Gartner predicts that enterprises will want to wait for more stability before proceeding and might only upgrade the devices that employees need to use while being mobile. While Microsoft as a technology company can make these changes at a more advanced pace, most enterprises and their trusted management vendors are not yet prepared for this change.

By Year-End 2014, three of the top five mobile handset vendors will be Chinese

Mobile phone penetration in emerging markets has resulted in a changing of the guard in terms of the leading vendors. The openness of Android creates new markets for OEMs that previously did not have the necessary software expertise and engineering capabilities.The result is that the traditional mobile phone players are getting squeezed but the Chinese vendors have the opportunity to leverage their strong position in the domestic Chinese market for entry-level smartphones and expand to other regions.CIO's should enter into mid term contracts and avoid long term contracts as the leading vendors would soon change.

(Read more:  Data Security: The Next Big Security Focus in India ?)

By 2017, 40 percent of enterprise contact information will have leaked into Facebook via employees' increased use of mobile device collaboration applications:

Facebook is one of the top applications installed on smartphones and tablets, and many organizations are concerned about the physical coexistence of consumer and enterprise applications on devices that interact with IT infrastructure. Gartner suggests permiting interlinking with Facebook and similar products, because those products provide a high degree of leveraging contacts and importantly to evaluate the underlying technologies that permit limited transfer of information between legitimate enterprise-controlled applications and consumer applications to control the transfer.

Through 2014,employee-owned devices will have malware at twice the rate of corporate-owned devices

Gartner believes that enterprises will adopt a "bring your own device" (BYOD) approach and suggests enterprises that adopt BYOD initiatives should establish clear policies that outline which employee-owned devices will be allowed and which will be banned. In the BYOD era, security professionals will need to diligently monitor vulnerability announcements and security incidents involving mobile devices and respond appropriately with policy updates.

Through 2014,software spending for proliferation of operational technology will increase by 25%

Now operational devices or objects, like a vending machine, medical device or even truck tyres are having software embedded in them, and sensors are being linked to the Internet to create and receive data streams. This machine-to-machine communication has the potential to trigger significant new software costs because of the amount of software/operating systems embedded within large numbers of operational devices and the people buying and paying for this are not experts in IT or software procurement, and may make expensive mistakes signing license agreements with hidden costs and risks.

(Watch more : Top Myths of IPV-6 Security)

By 2015, 40 percent of organizations will use gamification to transform business operations

Seventy percent of business transformation efforts fail due to lack of proper employee engagement. Here the term gamification refers to the primary mechanism that game designers use to keep players interested, to achieve the needed engagement for a successful,action oriented game. Companies apply Gamification techniques like feedback, measurement and incentives to addresses engagement, transparency of work, and connects employees actions to business outcomes.Gartner predicts by 2015, 40 percent of Global 1000 organizations will use gamification as the primary mechanism to transform business operations.

By 2016, wearable smart electronics in shoes, tattoos , accessories will emerge as a huge industry

Wearable smart electronics, such as fitness trackers, often come with data analysis applications or services that create useful insights for the wearer. Applications and services will create new value for consumers, especially when combined with personal preferences, location and social information. It also provides more-detailed information to retailers for targeting advertisements and promotions. CIOs must evaluate how the data from wearable electronics can be used to improve worker productivity, asset tracking and workflow.

Reference:

http://www.gartner.com/newsroom/id/2211115

(Read more:  Action List Before Adopting a Cloud Technology)

MIT got hacked.Anonymous defaced the MIT to protest against the case of “Aaron Swartz”.

Without getting into who really hacked or the “cause” behind the protest, I just wanted to dissect it as an interesting case of multi-stage attack which proves that just securing your application is not good enough.

Anatomy of the MIT Hack

Step 1: MIT Network Operations Center (NOC) person is sent an email with a malicious link containing a browser exploit.

Step 2: Victim opens the email, clicks the link and gets compromised

Step 3: Attacker steals the “Educause” credentials of the NOC person

Step 4: Attacker creates a cloudflare account with DNS entries pointing to their own servers.  Attacker also adds MX records such that mails are forwarded to their own servers.

Step 5: Attacker logs into the Educause domain control panel and changed the nameserver to point to the cloudflare account created before. Also they change the password of the domain control panel-Tweet This Blog

(Read more:  Bring out the "Thought Leader in You" ! Become our guest author )

Learning from the MIT hack

• Just securing the applications is not enough
• You need to look into complex possibilities of social engineering vectors
• Have a robust Emergency Response process-Tweet This Blog

-by Bikash Barai, http://www.ivizsecurity.com/blog/

(More:  Want to be an author? Nominations open for co-authors of CISO Handbook)