CISO Platform's Posts (224)


Top Endpoint Encryption Technology Vendors

  • Encryption technology is a process of protecting your sensitive data by converting it into encoded information that can be read only with a key. Endpoint encryption technology ensures data privacy by encrypting data stored on your endpoints, including PCs, Macintosh computers, DVDs and USB drives, which can easily be lost or stolen.
  • Here are the top endpoint encryption technology vendors:

 

https://www.firecompass.com/security/vendors/cylance

  • Endpoint Protection – CylancePROTECT (Cylance). Ransomware, advanced threats, fileless malware and malicious documents are no match for the power of artificial intelligence. CylancePROTECT® redefines what endpoint encryption technology can and should do for your organization. Using artificial intelligence and machine learning to identify malware before it can execute, CylancePROTECT prevents advanced threats that traditional AV can’t.

 


  • ESET Endpoint Encryption takes advantage of an optimized setup that speeds up the time to adoption for admins. The client side requires minimal user interaction, increasing user compliance and the security of your company data. It is a simple and powerful encryption tool for organizations of all sizes. It can safely encrypt hard drives, removable media, files and email with FIPS 140-2 validated 256-bit AES encryption. It has a hybrid-cloud based management server for full remote control of endpoint encryption keys and security policy. ESET Endpoint Encryption, powered by DESlock, allows you to easily enforce endpoint encryption across the entire organization while keeping productivity high.

https://www.firecompass.com/security/vendors/intel-security

  • McAfee Endpoint Encryption (formerly called SafeBoot Encryption) is a tool that provides Full-Disk Encryption (FDE) on Microsoft Windows computers. It is a comprehensive encryption program that offers disk-level encryption with powerful flexibility and automatic protection for mobile devices. It uses state-of-the-art encryption algorithms, typically an AES/Rijndael block cipher depending on the release, and several layers of encryption allow for better security without performance degradation.

 

https://www.firecompass.com/security/products/encryption-e/kaspersky-lab-kaspersky-endpoint-security-advanced

  • Kaspersky Endpoint Security for Business Advanced includes all of the functionality delivered by Kaspersky Endpoint Security for Business Select, plus additional technologies that do even more to protect your business. It delivers next-gen protection against known and unknown threats and reduces your exposure to attacks by hardening endpoints. This product helps prevent loss or theft of confidential business data and eliminates vulnerabilities to reduce attack entry points. It saves time by automating OS and software deployment tasks, and streamlines security management with one unified console.

 

https://www.firecompass.com/security/products/encryption-e/sophos-safeguard-encryption

  • Sophos SafeGuard encrypts content as soon as it’s created. With encryption always on, you can enjoy seamless secure collaboration. Synchronized Encryption proactively protects your data by continuously validating the user, application, and security integrity of a device before allowing access to encrypted data. It provides centrally managed full disk encryption using Windows BitLocker and Mac FileVault, taking advantage of the technology built into the operating systems. Keys and recovery functions are managed from the SafeGuard Management Center.

 

https://www.firecompass.com/security/products/encryption-e/symantec-endpoint-encryption-powered-by-pgp

  • Symantec Endpoint Encryption combines strong full-disk and removable media encryption with centralized management to protect sensitive information and ensure regulatory compliance, including devices encrypted with BitLocker, FileVault 2 or OPAL-compliant self-encrypting drives. In addition to protecting laptops, desktops and Windows tablets, Endpoint Encryption supports various types of removable media, including USB drives, external hard drives, and CD/DVD/Blu-ray media. With Symantec, removable media users can access their data on any Windows or Mac system, even if the encryption software isn’t installed on the machine.

 


  • Trend Micro™ Endpoint Encryption encrypts data on a wide range of devices — both PCs and Macs, laptops and desktops, USB drives, and other removable media. This solution combines enterprise-wide full disk, file/folder, and removable media encryption to prevent unauthorized access and use of private information. A single, well-integrated management console allows you to manage your users holistically—using the same console for endpoint protection and other Trend Micro security products. Deploying Trend Micro Endpoint Encryption helps ensure that your data will continue to be protected as your mobile computing devices and organizational needs change.

Read more…

  • Explore in-depth use cases of Next-Gen Security Information and Event Management (SIEM) – Part 3 of a 3-part series.

 

What will you learn:

  • Tools and techniques – understanding the taxonomy
  • Top use cases for the SOC
  • Attack surfaces
    • Insider threat
    • Credential theft
    • Endpoint compromise
    • Application attack
  • Monitoring / Building / SWIFT Fraud
  • Analytics and hunting playbooks for SWIFT


About Speaker:

Shomiron Das Gupta

Founder, Netmonastery

 

 

Shomiron is a highly experienced Intrusion Analyst, and has been building threat detection systems for more than a decade. He founded NETMONASTERY (NM) at the end of 2002, and set out to deliver quality attack detection products and services to its customers. Today NM serves the largest customers in the financial, telecom, media and e-commerce markets with its geographical reach and presence spanning the globe.

Read more…
  • We have completed our selection of the final list of Top Indian Cyber Security Vendors to look out for in 2018 from all the vendors nationwide. Believe me, this was not easy, and we don’t claim this is an exhaustive list, as it probably never will be. Still, we gave our best to bring you the top guns who are uniquely innovative.
  • Let’s have a look at the top Indian Cyber Security Vendors:

 

  • Appknox is an Indian cyber security company that aims at helping businesses and developers make their mobile applications more secure. Using its cloud-based security solution, businesses can conduct regular and quick security audits, learn what security loopholes exist in their apps and fix them with the suggestions Appknox provides. Their security experts work continuously to out-think and outsmart unethical hackers who exploit different cyber channels, in order to provide a safe operating environment for businesses. They have worked with companies around the globe in spaces like banking, e-commerce, mobile wallets, healthcare, BYOD and 3rd party apps in an effort to build a safe and secure mobile ecosystem. To know more: https://www.firecompass.com/security/vendors/appknox

 

 

  • HaltDos is an award-winning network security company. It is an offspring of AKS Information Technology Services Pvt. Ltd. AKS IT is a CERT-IN empanelled auditing organization providing web and mobile application security auditing, network security auditing and industrial control system auditing. HaltDos cloud proxy is India’s first comprehensive DDoS mitigation solution that ‘Detects, Mitigates & Monitors’ web applications on a continuous basis to protect them from hackers. They have over a decade of experience in providing security solutions to 4000+ customers across the world. They bring this expertise and their 24x7x365 support to provide the most comprehensive security solutions as a service (SaaS). HaltDos, in partnership with Amazon Web Services (AWS), provides a cloud based DDoS mitigation solution in all AWS regions across the world. To know more: https://www.firecompass.com/security/vendors/halt-dos-pvt-ltd-

 

 

  • Indusface is an award-winning application security leader protecting 900+ global customers with its unique Total Application Security platform that detects, protects, and monitors applications. The Total Application Security solution is available On-Premise, As A Service and through the AWS Marketplace. Mentioned in the Gartner Magic Quadrants for Application Security Testing and Web Application Firewall, Indusface has won major startup awards in the last 12 months, including the NASSCOM-DSCI ‘Security Product Company’ Award, iSpirit’s ‘InTech50 Most Innovative Products from India’ and AWS ‘Regional Innovation Partner: Technology Award’. In the past few years, Indusface has also won several other awards such as Deloitte Technology Fast 50 India and 500 Asia, NASSCOM Emerge 50, Red Herring Top 100 Asia and InTech50. To know more: https://www.firecompass.com/security/vendors/indusface

 

 

  • Innefu is an Information Security R&D startup providing cutting-edge Information Security and Data Analytics solutions. Its clients include the biggest corporate entity in the country as well as some of the most sensitive and critical organizations in the Government of India. With 100+ customers using its Information Security and Data Analytics solutions, the company has become a leading player in Artificial Intelligence for Data Analytics and Multifactor Authentication. To know more: https://www.firecompass.com/security/vendors/innefu

 

 

  • Instasafe Technologies is a leading cloud-based Security-as-a-Service solution provider delivering comprehensive and uncompromising protection to mobile and remote workers, enabling them to safely and securely access enterprise apps, email and web from anywhere on any network. Unlike appliance-based solutions, Instasafe offers a hardware-free, zero-configuration, self-service style, fully redundant Security-as-a-Service that can be deployed in minutes, with comprehensive reporting. To know more: https://www.firecompass.com/security/vendors/instasafe

 

 

  • Khika is a next generation SIEM which combines the real-time alerting and dashboarding of conventional SIEM with the power of big data to enable historical correlation and search to identify and contain threats. Khika SIEM is an Indian cyber security vendor whose product consumes the logs generated by your Active Directory, firewall, antivirus, web application firewall, web proxy, applications etc. to give you intelligence on security threats, compliance gaps and policy violations, infrastructure troubleshooting, user behaviour and more. This gives you a single platform for your security analytics and improves your security posture.

 

 

  • Kratikal is an end-to-end Indian cyber security solutions provider. It is a trusted partner for enterprises and individuals seeking to protect their brand, business and dignity from baffling cyber attacks. They have been involved in the design and implementation of information security management systems since the time the standards were adopted by industry. They approach IT security, cyber crime and penetration testing use cases from an enterprise risk management perspective. Kratikal provides a complete suite of manual and automated security testing services as well as security audits such as PCI DSS, HIPAA and the ISO 27000 series. To know more: https://www.firecompass.com/security/vendors/kratikal-tech-pvt-ltd

 

  

  • DNIF, a product of NETMONASTERY offers solutions to the world’s most challenging cybersecurity problems. Recognized by Gartner and used by some of the well-known global companies like PwC, Vodafone and Tata, this next generation analytics platform combines Security and Big Data Analytics to provide real-time threat detection and analytics to the most critical data assets on the Internet. With over a decade of experience in threat detection systems, DNIF has one of the fastest query response times and bridges the gap between searching, processing, analyzing and visualizing data thereby enabling companies with better SOC (Security Operations Center) management. To know more: https://www.firecompass.com/security/dnif-product-of-netmonastery/

 

 

  • Seqrite is a world-class Enterprise Security brand defined by innovation and simplicity. Their solutions are a combination of intelligence, analysis of applications and state-of-the-art technology, and are designed to provide better protection for their customers. Seqrite is backed by Quick Heal’s cutting-edge expertise in producing cyber security solutions for over two decades. Their products help secure the networks used by millions of customers in more than 80 countries.

 

 

 

  • ShieldSquare is one of the pioneers in the bot mitigation and bot management space. They provide a real-time bot mitigation solution that protects enterprises by detecting and responding to automated attacks generated by scripts (bots). Their solution can be integrated into diverse technology infrastructures within minutes. They have been instrumental in raising the industry bar for highest accuracy, lowest latency, and zero false positives. ShieldSquare processes billions of page requests every month. To know more: https://www.firecompass.com/security/vendors/shieldsquare

 

 

  • Smokescreen was founded in 2015 to create the next generation of Indian cyber security detection and response systems. Their proprietary ILLUSIONBLACK platform detects, deflects and defeats advanced hackers in a manner that is false-positive free and easy to implement. It effectively handles the multiple avenues of attack and the limited response capabilities that most companies have. This deception-based ‘active defense’ philosophy is the result of decades of experience securing the most highly targeted organizations in the world against advanced threats, and has proved its effectiveness time and again in the real world. To know more: https://www.firecompass.com/security/vendors/smokescreen

Read more…
  • Recently, you might have heard in the news about COSMOS Bank, a 112-year-old cooperative bank in India and the second largest in the country, being hacked and crores being siphoned off. The bank lost INR 940 million (94 crores) due to this breach on 11th and 13th August.
  • As per reports, the fraudulent transactions were carried out on August 11 and August 13 and the malware attack by the hackers originated in Canada, Cosmos Bank chairman Milind Kale said. In the first attack on August 11, using stolen card details, approximately Rs 78 crore was withdrawn in transactions in 28 countries. This included around 12,000 Visa card transactions. On the same day, approximately Rs 2.5 crore was withdrawn through 2,800 debit card transactions in India at various locations. On August 13, the hackers transferred Rs 13.94 crore into an account in the Hang Seng Bank in Hong Kong by initiating a SWIFT transaction. “In two days, hackers withdrew a total Rs 78 crore from various ATMs in 28 countries, including Canada, Hong Kong and a few ATMs in India, and another Rs 2.5 crore were taken out within India,” he said. It was observed that unusual repeated transactions were taking place through Visa and Rupay cards used at various ATMs for nearly two hours.
  • This report gives you an understanding of the COSMOS hack: how it happened, a detailed technical analysis, learnings from it and more.

What Will You Find In The Report?

  • The fundamentals of the hack and how the breach happened
  • A detailed technical analysis of the breach
  • Top 7 key learnings from it

Read more…

Cyber Security Trends in 2018

  • Let’s have a look at the cyber security trends, as well as attacks, in 2018 so far:
1. AI-powered attacks
  • In February, a study from teams at the University of Oxford and University of Cambridge warned that AI could be used as a tool to hack into drones and autonomous vehicles, and turn them into potential weapons.
  • “Autonomous cars like Google’s (Waymo) are already using deep learning, can already raid obstacles in the real world,” Caspi said, “so raiding traditional anti-malware system in cyber domain is possible.”
  • Another study, by U.S. cyber security software giant Symantec, said that 978 million people across 20 countries were affected by cybercrime last year. Victims of cybercrime lost a total of $172 billion — an average of $142 per person — as a result, researchers said.
2. Big & Bad Data Breaches
  • The year 2017 was already marked by many historic big and bad breaches. Let’s look at the major cyber security breaches in 2018 so far, according to Wired:

Russian Grid Hacking

US Universities

Rampant Data Exposures

Under Armour

3. Ransomware and IoT
  • As things stand, IoT (Internet of Things) ransomware isn’t making headlines. This is understandable, as most IoT devices don’t usually store valuable data. Even if an IoT device were infected and the data it holds were encrypted, it’s unlikely anyone would bother to pay the ransom. Beyond that, developing ransomware for IoT devices would not be practical, as the potential number of victims would be significantly smaller.
  • Be that as it may, we should still be very careful not to underestimate the potential harm IoT ransomware could cause. For instance, attackers may target critical systems such as power grids. Should the victim fail to pay the ransom within a short timeframe, the attackers may shut down the grid. Alternatively, they may target factory production lines, smart cars and home appliances such as smart fridges, smart ovens and more.
 
4. GDPR Fines
  • The General Data Protection Regulation (GDPR), which will come into effect on 25 May 2018, brings a number of important changes to the current Data Protection Directive. These include increased territorial scope, stricter consent laws and elevated rights for data subjects, to name a few.
  • Fines for non-compliance reach up to €20m, or 4% of annual worldwide turnover — whichever is greater. According to a recent Forrester report, “80% of companies will fail to comply with GDPR”. Interestingly, the report claims that 50% of these companies will actually choose not to comply, as they claim that the cost of compliance outweighs the risks.
5. Nation-Sponsored Cyber Attacks:
  •  “I’m really worried about nation-states fighting their proxy wars using cyber,” says Art Coviello, the former RSA executive chairman who’s now a venture partner at Rally Ventures, an investment firm in Silicon Valley.
  • “Unfortunately, you are going to see a big investment in cyber weaponry, certainly in the United States,” Coviello says. “We’re living in the biggest digital glass house on the planet with the greatest attack surface. So in our case, the best defense is the most powerful offense. We need to discourage attackers. But I worry that we will be in a never ending cyber arms race.”
  • Staff should be adequately prepared to spot potential attacks. Governments should refrain from acquiring technology from untrusted sources. For instance, the U.S. government recently banned the use of Kaspersky software in government offices over concerns about the Russian government’s potential influence on the company.
  • Finally, it is critical that countries cooperate and share any information they have about potential state-sponsored threats.


Read more…

The Biggest Data Breaches in 2018 so far

The year 2017 was already marked by many historic big and bad data breaches. Let’s look at the major cyber security breaches in 2018 so far:

Aadhaar

  • In January, reporters with the Tribune News Service in India paid 500 rupees for login credentials to a service being offered by anonymous sellers over WhatsApp. Using the service, the reporters could enter any Aadhaar number, a 12-digit unique identifier assigned to each Indian citizen, and retrieve various kinds of data on the queried citizen stored by UIDAI (Unique Identification Authority of India). Those pieces of data included name, address, photograph, phone number and email address. An additional payment of 300 rupees to the sellers yielded access to software through which anyone could print an ID card for any Aadhaar number. The data breach is believed to have compromised the personal data of all 1.1 billion citizens enrolled in India.

 

Facebook

  • A political data firm called Cambridge Analytica collected the personal data of 50 million Facebook users via an app that scraped details about people’s identities, social networks, and engagement on the platform. Despite Cambridge Analytica’s claim that it only had data on 30 million users, Facebook determined the original estimate was in fact low. In April, the company notified 87 million members of its platform that their data had been shared. Unfortunately, with Facebook apps facing more scrutiny, it appears the Cambridge Analytica scandal may just be the tip of a bigger problem. On June 27, security researcher Inti De Ceukelaire revealed that another app, Nametests.com, had publicly exposed the data of more than 120 million users.

 

COSMOS Bank

  • Recently, you might have heard in the news about COSMOS Bank, a 112-year-old cooperative bank in India and the second largest in the country, being hacked and crores being siphoned off. The bank lost INR 940 million (94 crores) due to this breach on 11th and 13th August. As per reports, the fraudulent transactions were carried out on August 11 and August 13 and the malware attack by the hackers originated in Canada, Cosmos Bank chairman Milind Kale said. In the first attack on August 11, using stolen card details, approximately Rs 78 crore was withdrawn in transactions in 28 countries. This included around 12,000 Visa card transactions. On the same day, approximately Rs 2.5 crore was withdrawn through 2,800 debit card transactions in India at various locations. On August 13, the hackers transferred Rs 13.94 crore into an account in the Hang Seng Bank in Hong Kong by initiating a SWIFT transaction. “In two days, hackers withdrew a total Rs 78 crore from various ATMs in 28 countries, including Canada, Hong Kong and a few ATMs in India, and another Rs 2.5 crore were taken out within India,” he said. It was observed that unusual repeated transactions were taking place through Visa and Rupay cards used at various ATMs for nearly two hours.

MyFitnessPal
  • On 25 March, Under Armour discovered that someone had gained unauthorized access to MyFitnessPal, a platform which tracks users’ diet and exercise. CNBC reported at the time that the criminals responsible for the breach accessed people’s usernames, email addresses, and hashed passwords. The incident did not expose users’ payment data, as Under Armour processes this information separately. Nor did it compromise Social Security Numbers or driver’s license numbers, as the apparel maker said it doesn’t collect government identifiers. As many as 150 million MyFitnessPal users are believed to have had their data compromised in the breach.

 

Panera

  • On April 2, security researcher Dylan Houlihan contacted investigative information security journalist Brian Krebs and informed him about an issue he had reported to Panera Bread back in August 2017. The weakness resulted in Panerabread.com leaking customers’ records in plaintext, data which could then be scraped and indexed using automated tools. Houlihan attempted to report the bug to Panera Bread, but told Krebs his reports had been dismissed. The security researcher checked the vulnerability regularly from then on for eight months until finally disclosing it to Krebs, who published the details on his blog. Panera Bread took its site briefly offline after publication of Krebs’ report. Despite the company initially downplaying the severity of the breach and indicating that fewer than 10,000 customers had been affected, the true number is believed to be as high as 37 million.

Read more…

Learn More About Managed Security Services (MSS)

Security services of a network are often outsourced to an outside or third party service provider. Such an outsourced security service is called Managed Security Services (MSS), and the service provider is called a Managed Security Service Provider (MSSP).

Key Program Metrics:

  • Service Level Agreements:
    Number of services or service hours charged, and number of them provided for free
  • Guaranteed response time:
    Time period from when a vulnerability is found to when the MSSP delivers a protection solution for it
  • Percentage of market share:
    Proportion of the total market share held by the MSSP
  • Percentage of conformance to international standards:
    How far the MSS provided conforms to internationally accepted standards
  • Uptime percentage:
    Percentage of time the MSSP is up during the year

Do let me know if you want us to add or modify above information.

Check out the Managed Security Services (MSS) market within FireCompass to get more information on these markets.

 

Read more…

100 Top Security Influencers To Follow In 2020

We created "CISO Platform 100" with the vision to recognise those who are making a difference to the world of security. The Top 100 Influencers have on average over 68170 followers on Twitter, and some of the top influencers have over 3,81,304 followers. The Top 100 influencers are divided into 8 categories – CISO, Ethical Hackers, Innovator, Author, Appsec, Academia & Media/Analyst.

As a part of our CISO Platform 100 (Global) initiative, we are happy to announce the Top 100 Information Security Influencers to follow in 2020. Here is some interesting information and how you can leverage this initiative:

CISO Platform 100 (Global):

  • Find the Influencers you want to follow from 8 Categories (CISO, Media & Analysts, Ethical Hackers etc). Click here to view the list
  • Recommend an influencer whom we might have missed: we have chosen 82 and look forward to the remaining 18 nominations, as well as nominations for next year. You can now suggest names to us.

BTW, nominations for CISO Platform 100 (India) are now open for 2019: Click Here to Nominate

Read more…

Digital Risk Protection ( DRP ) is a term possibly popularized or coined by Forrester to describe the market of tools and technologies to protect from the risks posed by externally facing digital assets. As per Forrester: “Most buyers (77%) are purchasing DRP tools as net-new solutions for their organizations (as opposed to replacing an existing capability). They’re adding DRP to their existing security technology stacks to better tackle digital risk activities — namely, to improve their external digital risk visibility and to streamline the ensuing remediation.” Here are the Critical Capabilities For Digital Risk Protection.

>> Download the Complete Report


Report Includes:

  • Digital Attack Surface Mapping
  • Shadow IT Monitoring
  • Vulnerability Monitoring
  • Data Breach Monitoring
  • Third Party Risk Monitoring
  • Brand Risk Monitoring


Read more…

Short Guide On Attack Surface Analysis

A report by Frost & Sullivan found that more than 80% of survey respondents admit to using non-approved applications in their jobs. If you don’t know what to protect, then you cannot protect it.

Creating an asset inventory is the first step of any cyber security management function. However, due to rapid digitization, cloud adoption, IoT adoption, agile dispersed teams, 3rd party integrations etc., cyber security organizations no longer have control over, or visibility of, their assets. Several high-profile breaches, like the NASA breach, were caused by Shadow IT. Other examples include the British Airways, Marriott and Equifax breaches, among others.

>> Download the Complete Report


Not having a real-time view of your dynamic attack surface and the risks it introduces leaves an organization in the dark, and the exposed information serves as low-hanging fruit for attackers to fuel their malicious attacks.

Report Includes:

  • Why Your Expanding Attack Surface Poses A Risk For Cyber Security?
  • Some Analyst Statistics
  • Key CISO Challenges
  • How Hackers Leverage Your Attack Surface (Few Examples)
  • Use Cases For Mapping & Securing Your Attack Surface
  • How To Address The Threat Created By Unknown Attack Surface


Read more…

Advanced Threat Protection (ATP) is used to protect against sophisticated, highly skilled, well-funded and motivated threat actors. The solution uncovers advanced threats across endpoints, network, email and cloud. These solutions are used to detect advanced persistent threats that existing controls are not able to detect or are simply not capable of detecting.
Advanced threat protection is not about a single security solution; it is about a combination of security controls, best practices/procedures, security awareness and continuous monitoring. It is more of a program-based approach than a single solution. Although we understand advanced threat protection has a broad scope, in this category we have focused on tools/solutions that employ both signature-based and signature-less methods (advanced sandboxes, behavioral analytics, advanced correlation/machine learning, deception techniques etc.) to detect advanced threats by analyzing web and network traffic. Here we call them Network Advanced Threat Protection solutions.

Key Use cases:

  • Detect advanced targeted attacks which may go undetected by your SIEM, IPS/IDS, FW and endpoint security tools: detect custom-built malware and zero-day attacks against your organization fast by using advanced detection and mitigation tools.
  • Reduce the man-hours required to detect, respond to and gain insights into a security breach: mitigate incidents in minutes through quick detection and automatic remediation. Future-proof your organization’s defenses by applying endpoint and network forensics to gain insights into attacker tactics, techniques and procedures.
  • Looking to deploy a sandboxing solution: sandboxing tools are among the critical tools for advanced malware analysis and detection. Today it is imperative to deploy a sandbox inside your network if you want to gain visibility into your network traffic, email attachments and web objects.
  • Want to quickly find answers to who, what, how, where and when after a security breach (contextual security): most advanced threat protection tools are context aware, i.e. they maintain stateful analysis of what is happening inside your network and store it for correlation of events across devices, applications, users, ports and protocols. Contextual security also helps in historical analysis and incident forensics to understand more about the adversary. This helps you better prepare for any future eventuality.
  • Require full forensic details to reconstruct attacks and avoid future risks: this is about capturing data points to aid your investigation post breach. Capturing raw network data, keeping metadata, malware anatomy, an analytics engine and all the right tools and processes are what you must have should you want to find out what actually happened, what went wrong and how to prevent it in future.
  • Want to detect APTs in SSL traffic and encrypted archive files: SSL is great for keeping our privacy on the internet, but the same tool is used by hackers nowadays to evade the security controls in place to prevent us from getting attacked. Some ATP tools give you the ability to look into the outbound and inbound encrypted traffic of your organization, thereby preventing anything unwanted from getting downloaded into your organization’s network.
  • Want to notify your security controls about advanced threats uncovered by your sandboxing tools: integrating your advanced threat protection tools with other security tools such as SIEM, endpoint security, IAM, NGFW and IPS/IDS can really enhance the overall security posture of any organization. ATP tools can reduce noise in SIEM results and can help contain a breach by updating the endpoint security solution with the latest signatures, etc.

Do let me know if you want us to add or modify any of the listed key use cases.

Check out the Network Advanced Threat Protection market within FireCompass to get more information on these markets.

Read more…

An emerging technology, Endpoint Detection and Response (EDR) constitutes a set of tools and solutions that enterprises use to detect, investigate and mitigate suspicious activities on hosts and endpoints. The term was originally Endpoint Threat Detection and Response (ETDR), but it is better known as EDR.

Key Program Metrics:

Level of visibility the solution provides:
The level of visibility the solution provides into hosts and endpoints

Types of threat detected:
Threat types may be malware such as crimeware, ransomware, trojans, exploit kits, etc.

OS support:
Ability to support the operating systems and platforms used by the organisation

File detection:
Ability to detect and block file-based attacks (Microsoft Office, Adobe PDF, etc.)

Security controls:
The security controls the solution uses to protect itself, and the response capabilities the solution offers

Do let me know if you want us to add or modify above information.

Check out the Endpoint Detection and Response (EDR) market within FireCompass to get more information on these markets.


Read more…

Key Program Metrics for Threat Intelligence (TI)

A Threat Intelligence Program is a set of people, processes and technology which enables you to proactively identify, collect, enrich and analyze threat information, strategic and tactical, so that your organization is always ready to defend against and respond to any kind of cyber attack. Threat intelligence as applied in conventional security is any information that helps you tune your security defenses, build an effective response program for any contingency and, if required, take preemptive measures to neutralize looming threats. The key characteristics of any threat intelligence are that it should be timely, actionable and relevant to your organization. Threat intelligence gives out information about the attackers, their motivations, and their tactics, techniques and procedures. This information, when correlated with other contextual information, gives a better picture of the threats, vulnerabilities and their impact. Threat intelligence helps you prioritize risk against your organization and also helps in preparing a security roadmap for future security investments.

Key Program Metrics:

Number of defensive rules based on IOCs:
To achieve the full operational intelligence continuum, automated defensive rules need to be created. Therefore, count how many defensive rules were created.

Number of architectural changes:
Architecture is a primary beneficiary of timely threat intelligence, since architecture makes control changes based on the latest threat data. Therefore, count the number of architecture changes prompted by operational data correlation.

Number of IOCs ingested:
How many produced a positive correlation, how many led to an incident remediation, and, as the organization makes (effective and appropriate) security architecture changes, does the number of IOC correlations start to reduce over time?

Percentage of TTPs identified:
Identifying higher-level adversary "choke points" that correspond to TTPs is strategically important. How many TTPs were proactively identified, and is their relevance to the business understood?

Number of internal/external hunting finds:
Hunter teams take a different approach and seek the root cause, namely the threat agents themselves, who are initiating one or more attacks. Therefore, count the number of internal hunters and external community engagements.

Do let me know if you want us to add or modify above information.

Check out the Threat Intelligence (TI) market within CISO Platform to get more information on these markets.

Read more…

A common question is: why should we hire a third-party penetration testing company? Why not choose a team from your current technical group to handle the network security test? For one, security audits, like traditional financial audits, are better done by outside companies with no bias or partiality toward anyone or anything within your organization. Another reason to hire a security testing company is that it can be difficult to hire and retain penetration testers. The following tips will help you choose a penetration testing vendor.


# Tip 1: Evaluate technology achievements of the vendor

Good indicators of a vendor's technology competency are:

  • Does the vendor have proprietary tools and technology?
  • Is the vendor known and respected in security research community?
  • Has the vendor published original technology research in the Penetration testing or Vulnerability Research domain?
  • Is the vendor involved in vulnerability disclosures in known products/applications?


(Read more:  5 Best Practices to secure your Big Data Implementation)


# Tip 2: Focus on the vendor’s real knowledge and not just on certifications

If you focus too much on individual certifications, you will end up eliminating many top-notch penetration testers. As an industry, penetration testing has not reached consensus on a meaningful certification framework. So, while large companies encourage individuals to get certifications, this over-emphasis is one of the reasons why strong penetration testers are attracted to specialized penetration testing companies, which place value on individual skills over industry certifications.


# Tip 3: Evaluate the company’s trustworthiness and dependability

You would be allowing them access to your systems, customer information, sensitive company research, insider memoranda and other confidential matters. You will also let them into the backbone of your company’s operations. You need to be sure that they can be trusted with the data you have. Look at their previous list of clients and their overall reputation. Talk to competitors and friends alike and ask for recommendations on which penetration testing company to consider. More importantly, talk to your potential vendor and ask a lot of questions. These might be hypothetical or real questions regarding their systems; you can gauge their level of competence through their responses.

  • How is data stored? Do they keep it in laptops?
  • What is the security policy of the organization?
  • What is the hiring process?
  • What are the insurance processes?
  • What are the indemnity and liability clauses?


(Read more:   Changing landscape of IT security)


# Tip 4: Consider the cost vs. frequency trade-off

Gartner recommends that “penetration testing carried out regularly is the only way to be one step ahead of hackers”. However, with the conventional manual approach this is too costly. Different testing companies levy different fees for their security audits. It is best to lay down what kind of penetration testing you need and get quotes from specific companies. Organizations without scalable technology to provide recurrent scanning are normally 30-40 times more costly than organizations that do have such a capability. It is not enough to conduct one in-depth test a year! You need to find a healthy balance between infrequent high-quality tests and frequent lower-quality tests.

  • Will you be able to test during every release cycle or during every change within your budget?


# Tip 5: Seek penetration testing specialists, not generalists

There are many penetration testing companies who can be impressive in discussing attack vectors, the associated impacts, root causes and remediation. They may also have their favorite case studies and can illustrate each type of vulnerability in plain language. But they may not have real expertise in front of the keyboard. A simple question which may help you identify them is: “How specialized is the penetration testing company? Do they deliver this particular service 30% of the time, 60% or 100%?” Good penetration testers are a rare breed. When it comes to testing your network or application, you need a great penetration tester, not just a great boutique firm.


(Watch more : Attacks on Smart TV and Connected Smart Devices)


# Tip 6: Check the “process” along with the pen tester’s resume

It is true that the person is more important than the machine in penetration testing. So checking the resume of the individual is important, but the process of testing is also very critical. Check some of the following:

  • Does the vendor use a defined process, checklist or methodology?
  • How do they remove false positives?
  • How many classes of testing are covered? What is the percentage coverage?
  • How are complex multi-stage attacks covered?
  • Which tools are used?
  • What is the exploitation process? How do they ensure that it is safe?
  • What is the turnaround time?


# Tip 7: Flexibility and turnaround time

You need to check how flexible the vendor is in meeting your scheduling requirements, i.e. testing during the hours that suit you. Sometimes your business may need testing during off-business hours.

  • Can the vendor support off-business-hour testing?
  • How far in advance do you need to notify them of a test?
  • What is the turnaround time for each test? Does that meet your business need?


# Tip 8: Can the vendor scale up to meet your peak demands?

You need to establish what your peak requirement could be. If you have 10 applications and all of them need to be tested at the same time, can your vendor test all of them in parallel?

  • What is the peak testing capacity of the vendor?
  • Can their infrastructure and team support your peak requirement?
  • How many people do they have? How many are kept free to meet elastic or on-demand needs?


Adapted from the original blog written at https://www.cisoplatform.com/profiles/blogs/how-to-choose-your-security-penetration-testing-vendor

>> Compare Top AST Products

Read more…

The Capital One data breach affected over 106 million people, exposing 140,000 Social Security numbers, 80,000 bank account numbers and 1,000,000 Social Insurance Numbers ... The breach had taken place about 4 months earlier, but it took some time before it was realised; in fact, it took an external tip for Capital One to realise something had happened.

The legal case built was quite interesting. Before I share the link to the legal case, here is a short summary in case you don't know all the details of the breach.

Short Synopsis Of What Happened:

  • Paige Thompson copied and downloaded 700 different S3 buckets
  • Paige was able to access a server that had a misconfigured firewall
  • She accessed an EC2 instance on the server through an opening in the firewall
  • Since the server's IAM role permitted access to 700+ S3 buckets, she could access them
  • She then simply ran the "List Buckets" command and the "Sync" command from the AWS CLI

>>Here is a link to the legal case that has been built: Legal Case Link

Learnings From The Breach:

This breach might cost Capital One $150 million, on top of the loss of brand and reputation ...

  • Audit your security regularly
  • Monitor for misconfigured infrastructure like "open S3 buckets", etc.
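As an added example (not code from the post), a small auditor for the kind of over-broad IAM role policy the synopsis describes: it flags Allow statements that grant bucket enumeration or object reads on every bucket, and shows the same role scoped to a single bucket. The policy documents are constructed for illustration and are not Capital One's real configuration; only the IAM policy grammar is real AWS syntax.

```python
"""Audit IAM role policies for over-broad S3 grants (added example)."""
import fnmatch
import json

# The actions the synopsis relies on: enumerating buckets ("List Buckets")
# and bulk-reading their contents ("Sync" needs ListBucket + GetObject).
SENSITIVE_S3_ACTIONS = ("s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetObject")


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants(pattern, action):
    """IAM action patterns ("s3:*", "s3:Get*") are case-insensitive globs."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _is_unscoped(resource):
    """'*' or 'arn:aws:s3:::*' covers every bucket the role can reach."""
    return resource in ("*", "arn:aws:s3:::*")


def audit_s3_policy(policy):
    """Return one finding per Allow statement that grants a sensitive S3
    action on an unscoped resource. `policy` may be a dict or JSON text."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    findings = []
    for idx, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        granted = sorted(
            a for a in SENSITIVE_S3_ACTIONS
            if any(_grants(p, a) for p in _as_list(stmt.get("Action")))
        )
        broad = [r for r in _as_list(stmt.get("Resource")) if _is_unscoped(r)]
        if granted and broad:
            findings.append({"statement": stmt.get("Sid", f"stmt{idx}"),
                             "actions": granted, "resources": broad})
    return findings


# Constructed: the shape of policy the synopsis describes (one role, all buckets).
WEAK_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllS3", "Effect": "Allow",
                   "Action": "s3:*", "Resource": "*"}],
}

# Constructed: the same role scoped to the one bucket the workload needs.
# s3:ListAllMyBuckets is deliberately absent: it can only be granted on "*",
# and a workload that knows its bucket name has no need to enumerate.
SCOPED_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "OneBucketReadOnly", "Effect": "Allow",
                   "Action": ["s3:ListBucket", "s3:GetObject"],
                   "Resource": ["arn:aws:s3:::example-app-bucket",
                                "arn:aws:s3:::example-app-bucket/*"]}],
}

# Constructed JSON text: a narrower Action glob but still every bucket,
# showing that tightening Action alone is not enough.
READ_ALL_BUCKETS_JSON = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "ReadAll", "Effect": "Allow",
                   "Action": ["s3:Get*", "s3:ListBucket"],
                   "Resource": "arn:aws:s3:::*"}],
})

if __name__ == "__main__":
    for name, pol in (("weak", WEAK_ROLE_POLICY),
                      ("scoped", SCOPED_ROLE_POLICY),
                      ("read-all", READ_ALL_BUCKETS_JSON)):
        print(name, audit_s3_policy(pol))
```

The check is intentionally simple: it does not evaluate Condition blocks or resource-based bucket policies, so a clean result means "no obviously unscoped grant", not "least privilege achieved".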
Read more…

This is a summary of the panel discussion at Security Symposium & Cyber Sentinel Award by Infocon global. The panel discussion was moderated by Jitendra Chauhan (Head of Engineering at FireCompass) along with Balaram (CISO, Manthan), Ananth Kumar Ms (Head-IT Assurance & Security, Janalaxmi Financial Services), Sumanth Naropanth and Ramakrishna Roy.


What is Shadow IT? How will you define it?

  • What is the definition? Projections based on Gartner and Forrester
    • A Gartner report says Shadow IT will result in one third of security breaches. They predict that “by 2020, one third of successful attacks experienced by enterprises will be on their shadow IT resources.”
    • When business units run IT or digital services that are invisible to, and not sanctioned by, centralized IT, that is termed shadow IT.
  • Different types
    • External digital footprint
      • APIs
      • Share drives
      • Cloud services
      • 3rd party assets and data collection
      • Ability to share information
      • Open source libraries
    • Internal organisation
    • Grey area
      • Skype
      • Open source libraries
      • Design espionage

>> Want to See Your Organization's Shadow IT

Why is Shadow IT a problem from various perspectives such as compliance, security, business operations, etc.?

  • Compliance such as GDPR, SOX, PCI
  • Business Implications and implications to CXOs
  • Organisational Security Perspective
  • Skype traffic
  • What are the few examples of breaches because of Shadow IT?
    • Amex Breach [Nov 2018] - details on 700k customers' data exposed
      • What was exposed?
        • 3M records
        • 700,000 unencrypted PII records such as names, emails, phone numbers, etc.
      • How did it happen?
        • A misconfigured MongoDB instance (managed by a marketing subcontractor), which was indexed by search engines like Shodan.
    • HSBC Breach [Nov 2018]
      • What was exposed?
        • 1M+ customers exposed
        • PII - DOB, communication details, transactions, account numbers and balances
      • How did it happen?
        • Credential stuffing, due to password reuse
    • British Airways [Sep 2018] - Click Here for more data on why the hack happened
      • What was exposed?
        • 380,000 transaction records
        • Personal and financial data such as credit cards
      • How did it happen?
        • A 3rd party system was compromised and infected with malicious JavaScript that ultimately targeted BA end users.
    • Equifax Breach (Click Here for detailed breach settlement information - $700m)
    • Microsoft Subdomain Takeover
    • Dunkin' Donuts

Summary:

  • None of the attack vectors involved 0-days; they were mostly misconfigured assets, open buckets, reuse of leaked passwords, and misuse of 3rd party trust relationships
  • Reward and reprimand

How is the Shadow IT really created?

  • Key business drivers
  • Getting things done as fast as possible
  • Cloud it is easy
  • Agility
  • 3rd party vendors
  • Lack of monitoring
  • Examples of departments [Marketing, Engineering]

How to detect Shadow IT?

  • Detection cycle
    • Discovery and visibility
    • Data flow monitoring and anomaly detection
    • Create an asset inventory
    • Prioritise and assign risks
    • Validate risks [red teaming]
    • Manage and monitor
      • Continuous monitoring of attack surface and risks
      • Continuous remediation of risks
  • Incident response for Shadow IT?

How to prevent Shadow IT?

  • Be more open from the policy perspective: embrace the drivers of Shadow IT by creating policies for them
  • Awareness drive (CXOs and employees)
  • Continuous monitoring and threat intelligence
  • How to deal with employees who do not listen to you or inform the security team?

>> Want to See Your Organization's Shadow IT

Read more…

The Marriott fine of $124 million comes right after a record fine of $230 million imposed by the ICO on Monday following the British Airways data breach. The ICO's investigation found that the British Airways breach exposed personal data of 500,000 customers. It involved attackers installing malicious code on British Airways' site that rerouted customers to a phishing site that stole their personal details and payment card details.

>>Click Here To Learn More About the British Airway Hack & How To Prevent

The Marriott data breach persisted for 4 long years before being discovered and exposed approximately 339 million customer records globally. The breach exposed information like names, phone numbers, email addresses, encrypted payment card information and more. 

>>Click Here To Learn More About the Marriott Hack & How To Prevent

U.K. Information Commissioner Elizabeth Denham said British Airways failed to put appropriate safeguards in place to protect customer data. "That's why the law is clear - when you are entrusted with personal data you must look after it. Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."

What Are the Losses?

  • $230 million imposed by the ICO on British Airways
  • $124 million imposed by the ICO on Marriott
  • When the Marriott breach was announced, the share price dropped by 8.7%
  • Affected members could also sue for compensation
  • Reputation loss and loss of customer trust (this would hit the business indirectly)

How Can Your Organization Prevent This?

  • Implement GDPR compliance policies and procedures and have them audited by a trustworthy security entity
  • Scan your digital attack footprint, keep a complete log of your assets, and monitor and secure them
  • Organizations need to constantly monitor all their data
  • Have a good cyber security training and awareness program in place so that your employees are aware of the security challenges and of misuse
  • Frequent (periodic) vulnerability assessment and penetration testing of your organization’s digital assets is necessary
  • Breaches are unavoidable. A proper incident response program that ensures your customers’ sensitive data is not harmed and reduces business downtime is a win-win

Read more…

Cloud adoption is everywhere: everyone is doing it, but that doesn’t mean they’re doing it right. CompTIA reported recently that 90 percent of companies are using cloud computing in some form.

The CISO Platform Playbook Round Table discussion happened with 34-40 CISOs across metros along with VMware. The discussion was driven by Bikash Barai and the inputs from the discussion have been put together (CISO names are not provided based on privacy guidelines). 

The challenges below and their resolution may seem daunting; however, taking them up one at a time and following a 90-day or 180-day roadmap is a small way to start.

Challenges In Modern Cloud Environment

Gartner says: "No less than 90% of organizations will adopt hybrid infrastructure management capabilities by 2020." For hybrid-cloud architectures, concerns remain about data protection, security, and compliance.

  • Visibility & Control/Visibility across multi cloud environment
    • As customers start using public clouds (e.g. Azure, AWS and Google) along with private clouds such as OpenStack, complexity and risk grow exponentially. This makes it very challenging for companies to view and control the distributed systems that make up the infrastructure.
  • Managing security of hybrid cloud/ Data Security
    • Security is in itself challenging, but hybrid cloud increases the complexity. You need to protect both "data at rest" and "data in motion".
  • Compliance & Governance/ International standards and cooperation
    • One of the biggest challenges is that many companies are still manually checking to see that they are compliant and meeting custom or regulatory security baselines for security compliance and auditing requirements. This is a complex, and error-prone process - companies need to automate the scanning and remediation of security controls using open-source tooling. 
    • Despite a common theme, different countries have developed data protection regimes that sometimes conflict with each other. As a result, cloud providers and cloud users operating in multiple regions struggle to meet compliance requirements. In many cases, the laws of different countries might apply concurrently, in accordance with the following:
      • The location of the cloud provider
      • The location of the cloud user
      • The location of the data subject
      • The location of the servers
      • The legal jurisdiction of the contract between parties, which may be different than the locations of any of the parties involved
      • Any treaties or other legal frameworks between those various locations
  • Shadow Cloud: different teams may procure cloud instances without informing the central security team. If you don't know what to protect, you cannot protect it.
  • Micro-segmentation / Isolation
    • Micro-segmentation is the ability to put a wrapper around the access control for each component of an application. It helps administrators to control and set granular policies to protect the application environment. 
  • Zero Trust
    • Zero Trust (ZT), introduced by analyst firm Forrester Research, is an alternative architecture for IT security which simply means that we cannot trust the perimeter to keep the bad guys out, and is designed to address lateral threat movement within the network by using micro-segmentation and granular rule enforcement, based on user, data and location. 
  • Strict SLA and governance / responsibility for managing security
    • Regulatory compliance is now accepted as a data security essential for several business sectors; however, applying such data protection legislation to the cloud can become a nightmare. Sarbanes-Oxley in the United States and the Data Protection Act in the UK require companies to retain responsibility for their data at all times, and that legal jurisdiction component will also include a cloud provider if it handles enterprise data.
  • How to stay ahead
    • To stay ahead the key is in establishing a close relationship of emerging technologies with cloud computing, including Big Data, Internet of Things, and mobile computing.
  • Privacy
    • Under the Privacy and Security Guidelines of the Organization for Economic Cooperation and Development (OECD), the data controller (typically the entity who has the primary relationship with the individual) is prohibited from collecting and processing personal data unless certain criteria are met. These laws define numerous obligations, such as confidentiality and security, for the entities that access personal data. When entrusting a third party to process data on its behalf (a data processor), a data controller remains responsible for the collection and processing of that data. The data controller is required to ensure that such third parties take adequate security measures to safeguard the data.
  • Immutable Architecture
    • Auto-scaling and containers work best when you run instances launched dynamically from an image. Those instances can be shut down when no longer needed for capacity without breaking an application stack; this is core to the elasticity of compute in the cloud. Thus you no longer patch or make other changes to a running workload, since that would not change the image, and new instances would be out of sync with whatever manual changes you made on what is running. Such virtual machines are called immutable.

Some Other Challenges:

  • How to be up to date with New Trends In Security Architecture
  • Knowing Adaptive Security Policy
  • Creating Seamless policy deployments/Policy Orchestration
  • Security as a Code
  • Automated Security Baselining

Sample Cloud Security Road Map - 90 Days Plan

  • Understanding business + priorities and stakeholders + team + budget + roadmap
  • Asset Inventory – Foot-printing and shadow IT discovery
  • Asset Classification
  • Study of current contracts and SLAs (exit clause, etc.)
  • Cloud security gap assessment + Roadmap
    • Identify, Protection, Detection, Response, Recovery
    • Compliance
  • Access Control review
  • BCP and DR review

Sample Road Map - 180 Days Plan

  • Key Metrics and Dashboard
  • Cloud security architecture review and testing
  • Remediations
  • Reducing attack surface
  • BCP Test
  • Table-top Drill for BCP/DR and Crisis management
  • Security automations opportunities
  • Cloud security policy

Reference:

https://downloads.cloudsecurityalliance.org/assets/research/security-guidance/security-guidance-v4-FINAL-feb2-18.pdf

All Rights Reserved @ CISO Platform. Reproduction of this in any form without prior written permission is not allowed. The information herein has been obtained from sources that we believed were reliable. The opinions expressed herein are personal and might change. CISO Platform disclaims all warranties as to the accuracy, completeness or adequacy of such information.

Read more…

100 Top Security Influencers To Follow In 2019

We created "CISO Platform 100" with the vision of recognising those who are making a difference to the world of security. The Top 100 Influencers have on average over 68,170 followers on Twitter, and some of the top influencers have over 381,304 followers. The Top 100 influencers are divided into 4 categories – CISO, Tech Leaders, Ethical Hackers and Media/Analyst.

As a part of our CISO Platform 100 (Global) initiative, we are happy to announce the Top 100 Information Security Influencers to follow in 2019. Here is some interesting information and how you can leverage this initiative:

CISO Platform 100 (Global):

BTW, nominations for CISO Platform 100 (India) are now open for 2019: Click Here to Nominate

Read more…

There is a steep rise in interest from the Board and CEO of an organization in understanding the security posture of their company, partly because of increasing pressure from government regulators and stakeholders, and discussion of the potential risk of individual liability for corporate directors who do not take appropriate responsibility for oversight of cybersecurity.

However, there is a huge disconnect between what security professionals think the Board wants and the reality.

Top 3 Things CISOs Should Avoid In A Board Presentation:

1> Board Does Not Want Deep Technical Details/ Acronyms in Your Presentation

Board members are not cybersecurity experts and do not necessarily understand technical jargon or security acronyms. The board does not need technical details like the architecture you are using, etc. Explaining by way of business examples, or things the board can relate to, is important. You need to show how your efforts to secure the organisation align with the business strategy of the organisation.

2> Board Does Not Want FUD: Fear, Uncertainty, and Doubt

Exaggerating the cyber security risks or giving examples of terrible hacks that have happened in other organisations will not help. You can certainly explain relevant incidents that have happened in the recent past, or changes to regulations and the threat landscape. Along with this you need to show your strategy to comply with these changes and the steps you are taking to mitigate risks in the changing threat landscape.

( Read More: Information Security Metrics and Dashboard for the CEO / Board)

3> Board Does Not Want To Know The Problems (They Need The Problems & Solutions)

The board wants to understand the risks and how they can be mitigated. Along with the most significant security risks, you need to highlight the ways to address or mitigate those cyber security risks. As security cannot be measured in absolute terms, a good way is to start with where you are, explain the "state of security in comparison with the competition", and where you would like to reach.

Read more…