What Is Bad USB?

The phenomenon of using the USB for malicious intent can be termed as Bad USB. USB Thumb Drives are the last considerations of malicious intent. However, if manipulated, they can takeover almost everything.

Some interesting demonstrations have been done at Black Hat conference by 2 highly regarded security researchers.

( Listen To Karsten's Talk: Bad USB On Accessories That Turn Evil )

Possible Ways To Mitigate Bad USB Threats

• Whitelisting USB devices
• Block Critical Device Classes, Block USB Completely
• Scan Peripheral Firmware For Malware
• Use Code Signing For Firmware Updates
• Disable Firmware Updates In Hardware

Limitations In Bad USB Mitigation Strategies

• Whitelisting USB devices
  • Unique Serial No. may not be available in some USBs
  • Operating Systems don't support any USB Whitelisting
• Block Critical Device Classes, Block USB Completely
  • Ease Of Use will override
  • USB usability is highly reduced if basic classes are blocked
    (Basic classes can be used for compromise)
• Scan Peripheral Firmware For Malware
  • Very challenging, Malicious firmwares can spoof a legitimate one
• Use Code Signing For Firmware Updates
  • Unauthorized updates still have a high chance eg. implementation error
  • Challenges in implementing secure cryptography on microcontrollers
  • Challenges in implementing for all devices
• Disable Firmware Updates In Hardware
  • Most effective, however this may be available only for new devices

Threat

• Present Security Solutions cannot detect malicious intent of USB
• It can be used for spying,data theft,data tampering,almost anything-it can take control etc.
• Security has to be built in before commercializing the product-no response yet on that!
• Post Derbycon Hacker Conference 2 researchers have made some attack codes public-this puts millions of us at risk

( Read More: Top IT Security Conferences In The World )

References

1. Extracts have been taken from 'Bad USB On Accessories That Turn Evil' Talk by Karsten Nohl during Annual Summit, 2014. Click Here For Full Talk

2.http://securityaffairs.co/wordpress/27211/hacking/hackers-can-exploit-usb-devices-trigger-undetectable-attacks.html

3.http://www.wired.com/2014/10/code-published-for-unfixable-usb-attack/

4.http://www.zdnet.com/article/badusb-big-bad-usb-security-problems-ahead/

The intent of using IT Governance Risk Compliance (IT GRC) tools and capabilities is to report and manage IT Risks. We will study the critical platform capabilities for IT GRC Tools.

Critical Platform Capabilities In IT GRC Solution

• IT Risk Management
• IT Asset Management
• Policy Management
• Social Media Risk Management
• IT Vendor Risk Management
• 3rd party Vendor Integrations
• Incident tracking & management
• Customizable Reports and Dashboards
• Customizable Workflows
• Security Monitoring & Overview
• Disaster Recovery & Business continuity management
• IT GRC Elements Mapping / Cross Mapping and Interlinks between modules
• Integration with Enterprise IT – SSO (with RBAC), DBMS, HRMS etc.
• Survey creation & distribution (with or without access to GRC platform)
• Pre-packaged content (Policies, Controls, Procedures, Risk Register, Metrics (KRIs, Security etc.) Assessment Questionnaire etc.)
• Integration with Cloud and BYOD

The major areas under consideration should be the IT Risk Mapping, Ability To Track Risk and Estimate it, Presenting of the data in Dashboard/Reports.

( Read More: Free Resources For Kickstarting Your IT-GRC Program )

Few Questions to assess an IT GRC Vendor

• Do they have Proof Of Concept support? Timeline?
• What are the added costs?
• Scope of expansion of IT GRC Product? Can the vendor support expand into Enterprise and Legal GRC?
• What is the feedback of real users? Ask your colleagues
• What are the supported OS,Cloud and Mobile?
• What are the liabilities they entail? Have the contract well checked for adverse situations. 

( Read More: Incident Response: How To Respond To A Security Breach During First 24 Hours (Checklist) )

Reference

1. Extracts have been taken from IT GRC Workshop, Decision Summit, Delhi 2015 by Ravi Mishra

Governance, Risk and Compliance is sometimes a managerial step or a mandatory step to adhere with regulations & maintain compliant systems. It widely helps in Risk Management.

Some of the major components of IT GRC are:

1. IT Policy Management
2. IT Risk Management
3. Compliance Management
4. Threat & Vulnerability Management
5. Vendor Risk Management
6. Incident Management

1. IT Policy Management

An administrative method to simplify management by defining and enabling rules(policies) for various apprehensive situations. This is done keeping in mind the organization's goals & belief

• Policy Life Cycle Management
• Policy Creation
• Establish Linkages
• Alerts & Notification
• Manage Exceptions
• Metrics & Dashboard Reporting

2. IT Risk Management

This includes all risk associated with owning IT assets. In larger scales, for an organization, all the data stored is part of this.

• Risk Identification
• Risk Assessment Scheduling
• Aggregate Data
• Risk Assessment & Evaluation
• Issue / Action Tracking
• Metrics & Dashboard Reporting

( Read More: Checklist: Skillset required for an Incident Management Person )

3. IT Compliance Management

A proper framework in place can save money, time and energy. The framework should be set up once and your organization should be compliant while it should be able to notify on the new compliance requirements and licenses

• Regulatory Alerts, Rule Mapping
• Federation
• Surveys, Assessment
• Testing
• Certification & Filing
• Issue / Action Tracking
• Metrics & Dashboard Reporting

4. Threat & Vulnerability Management

This is a continuous process to manage all the assets owned by the organization. Prioritization is key as it directly estimates loss.

• Create Asset Repository
• Prioritize Assets
• Threat & Vulnerability Assessment
• Analysis & Prioritization
• Closed Loop Issue Management
• Metrics & Dashboard Reporting

5. Vendor Risk Management

This refers to all third party vendor risk. Vendor selection should be preceded by checking their risk scenario.

• Vendor Information Management
• Vendor Risk Assessment
• Vendor Compliance Management
• Closed Loop Remediation
• Metrics & Dashboard Reporting

6. Incident Management

This is constant monitoring, tracking analysis and reporting to make sure incidents are at bay. In case there is a breach, policies should be in place to tackle them.

• Aggregate & Track Incidents
• Incident & Issue Analysis
• Integrate with 3rd Party Solutions
• Resource Management & Collaboration
• Closed Loop Monitoring
• Metrics & Dashboard Reporting

( Read More: Critical Platform Capabilities For IT GRC Solution )

Reference-

1.Extracts have been taken from IT GRC Workshop, Decision Summit, Delhi 2015 by Ravi Mishra

2.http://whatis.techtarget.com/definition/policy-based-management

3.http://www.techopedia.com/definition/25836/it-risk-management

Free/Opensource Tools -

• IT GRC Asset Management
  Some functions can be used for technical controls to policy enforcement
  OTRS http://www.otrs.com/en/
  Redmine http://www.redmine.org/
  Mantis http://www.mantisbt.org/
• IT GRC Risk Management-
  GLPI http://www.glpi-project.org/spip.php
• IT GRC integration with cloud
  GRC Stack from Cloud Security Alliance https://cloudsecurityalliance.org/research/grc-stack/
• IT GRC Process Management
  Pack from Microsoft - http://www.microsoft.com/en-in/download/details.aspx

( Read More: Checklist To Evaluate SIEM Vendors )

More Free Tools:

• The Open Risk & Compliance Framework and Tool - http://www.somap.org/orico/default.html
• OpenFISMA - http://openfisma.org/ (FISMA, NIST RMF)
• Binary Risk Analysis - http://binary.protect.io/app/index.html
• PTA Professional Edition Risk Assessment tool (partially free) - http://www.ptatechnologies.com/

Content Resources

• Common Controls Hub (UCF) - https://commoncontrolshub.com/ (Limited Free, Paid Content)
• Cloud Security Alliance –Consensus Assessments Initiative Questionnaire (CAIQ) https://downloads.cloudsecurityalliance.org/initiatives/cai/caiq-v3.0.1.zip
• Center for Internet Security (CIS) - https://benchmarks.cisecurity.org/
• CIS Security Metrics - https://benchmarks.cisecurity.org/downloads/browse/?category=metrics
• Policy Templates from SANS - https://www.sans.org/security-resources/policies/
• Unified Compliance Framework – http://unifiedcompliance.com/- Through GRC vendors
• Shared Assessments – SIG Questionnaire - https://sharedassessments.org/
• HITRUST CSF (Healthcare) - https://hitrustalliance.net/
• Information Shield (Security Policies) - http://www.informationshield.com

( Read More: Bad USB Defense Strategies )

Reference-

1.Extracts have been taken from IT GRC Workshop, Decision Summit, Delhi 2015 by Ravi Mishra

2.http://searchcompliance.techtarget.com/tip/The-free-GRC-tools-every-compliance-professional-should-know-about

To select the best IT GRC tools/solution for you, you need a checklist of all Use Cases for your organization. Prioritization of that followed by weighing the implementation ease can help you choose the best IT GRC solution. Here are few Use Cases to help.

Some IT GRC Use Cases:

Information Security

• Threat & Vulnerability mgm
• Establishing ISMS
• Configuration of Compliance to Security Baseline
• Security Intelligence
• Integration: CMDB,VA,SIEM,DLP etc.
• Content: MITRE,NIST,CIS etc.

Risk

• Implementing Risk Frameworks- ISO,NIST,COBIT,FAIR
• Integrated Risk mgm-Security, IT Operation, BCM
• Standardizing Risk Calculations & Analysis
• Vendor/3rd Party Risk Assessments
• Risk Analytics
• Content-SIG,CAIQ

Compliance

• Policy mgm-Defining,Acceptance,Training etc.
• Regulations-PCI,FDIC,NERC,HIPAA
• Linking Policies to Control Objectives
• Harmonized Controls
• Control Monitoring & Testing
• IT Audits
• Content-UCF

Incident Handling

• Issue mgm & remediation
• Incident mgm
• Remediation Workflow
• Notifications & Escalations
• Integration with Security Incidents & Help Desk

Reference-

1. Extracts have been taken from IT GRC Session Decision Summit, 2015 by Ravi Mishra

Reference

1.Incident Response by Leighton R. Johnson

General

When did we do our last data inventory check?

Secure Development 

Do we follow secure SDLC? Is security looked into from the scratch?

What is the cycle of application testing?

What are the most major security vulnerabilities/flaws existing and what how can we implement them?

Where does our organization's security stand compared to our competitors? Benchmarking!

Security Program-How to Measure, Monitor? What is Response Time, Response Plan, Disaster Recovery Plan?

What are the Training programs and plans? How can we measure its effectiveness?

Cloud Security-

What kind of data can be accessed over our clouds and how are they segregated in terms of access?

How do we monitor and detect malicious/unauthorized activities over our cloud platforms?

How are the cloud data accesses managed?

How are the vendor risks associated with cloud handled?

Network Security-

How secure are our networks? What is protected and unprotected over it?

Can we track any unusual activity, if not which are the ones? How sensitive are the remaining?

Can it prevent data leaks, document loss and detect the exact activity and user of the activity?

Do we have security policies in place for incidents and how aware are the employees of the policies?

*check for some network threat reports

3) How Does Our Cybersecurity Program Apply Industry Standards and Best Practices?

4) How Many and What Types of Cyber Incidents Do We Detect In a Normal Week? What is the Threshold for Notifying Our Executive Leadership?

https://www.trustwave.com/Resources/Trustwave-Blog/10-Questions-for-Your-CISO/

http://www.cioupdate.com/research/article.php/3923086/The-Top-10-Security-Questions-Your-CEO-Should-Ask.htm

https://www.skyhighnetworks.com/cloud-security-blog/dont-get-snowdened-5-questions-every-ceo-should-ask-their-cio-ciso/

http://www.cso.com.au/article/571432/ten-things-every-ceo-should-ask-about-security-their-organisation/

https://www.us-cert.gov/sites/default/files/publications/DHS-Cybersecurity-Questions-for-CEOs.pdf

---------------------------------------------------------------------------------------

1. Do you understand our wider business strategy?
2. Have you aligned our cyber security approach to our organizational strategy?
3. What are the gaps?
4. How are you evolving our cyber security approach to match the changing risk landscape?

http://www.ey.com/GL/en/Services/Advisory/Cyber-security---Steps-you-should-take-now

---------------------------------------------------

1. Are you documenting your relationships with third-party vendors and are third party vendors being required to incorporate security controls?

2. Do we have an in-depth, comprehensive and relevant policies and procedures documentation to encourage company-wide buy in, support and increased awareness?

3. Should a security incident occur, do we have a team in place to assist at all levels?

4. What security training is or should be offered for all employees?

5. How are you protecting our organization from threats to our systems and facilities?

6. Is there a risk management group that gathers regularly to discuss physical and local security issues?

7. Is there an inventory of all IT assets? Is there a schedule for the decommissioning of old systems?

8. Is security built into our IT and application development lifecycles?

9. How is our wireless network structured?

10. What security investments should we consider? Are we an early adopter or is this a widespread practice?

https://www.trustwave.com/Resources/Trustwave-Blog/10-Questions-for-Your-CISO/

------------------------------------------------------

1. Who is accountable for protecting our critical information? 

2. How do we define our key security objectives to ensure they remain relevant?

3. How do we evaluate the effectiveness of our security program?

4. How do we monitor our systems and prevent breaches?

5. What is our plan for responding to a security breach?

6. How do we train employees to view security as their responsibility?

7. How do we take advantage of cloud computing and still protect our information assets?

8. Are we spending our money on the right things?

9. How can we ensure that we comply with regulatory requirements and industry standards in the most cost-effective, efficient manner?

10. How do we meet expectations regarding data privacy?

http://www.cioupdate.com/research/article.php/3923086/The-Top-10-Security-Questions-Your-CEO-Should-Ask.htm

----------------------------------------------------------

1. Can we identify unusual user or network activity to cloud services

2. Can we track who accesses what cloud-hosted data and when?

3. How are we protecting against insider attacks at the cloud service providers?

4. How do we know unprotected sensitive data is not leaving the corporate network?

5. Can we reduce surface area of attack by limiting access based on device and geography?

https://www.skyhighnetworks.com/cloud-security-blog/dont-get-snowdened-5-questions-every-ceo-should-ask-their-cio-ciso/

-------------------------------------------------

1. When did we last do a data inventory?

2. Can you give me the what, where, who, and why for all our data assets?

3. How are we protecting the systems that store our sensitive data?

4. How is the efficacy of our security systems being measured?

5. Can you show me your risk assessment for our various data assets?

6. Can you show me any security or network reports?

7. Do we have an incident response and disaster recovery plan?

8. Have all our employees received security awareness training?

9. Do we have a software and hardware asset lifecycle?

10. Who’s ultimately accountable for your organisation’s information security?

http://www.cso.com.au/article/571432/ten-things-every-ceo-should-ask-about-security-their-organisation/

--------------------------------------

1) How Is Our Executive Leadership Informed About the Current Level and Business Impact of Cyber Risks to Our Company?

2) What Is the Current Level and Business Impact of Cyber Risks to Our Company? What Is Our Plan to Address Identified Risks?

3) How Does Our Cybersecurity Program Apply Industry Standards and Best Practices?

4) How Many and What Types of Cyber Incidents Do We Detect In a Normal Week? What is the Threshold for Notifying Our Executive Leadership?

5) How Comprehensive Is Our Cyber Incident Response Plan? How Often Is It Tested?

https://www.us-cert.gov/sites/default/files/publications/DHS-Cybersecurity-Questions-for-CEOs.pdf

Incident Response is pretty much the same, however the first few hours can be vital and only high priority actions can save the situation. Since this is a Security Breach, it is of highest priority and must be treated at highest escalation level.

Checklist To Respond To A Security Breach (first 24 hours)

1. Contain/Isolate Data Loss

Containment is a fundamental step to Incident Response to limit the loss to a minimum by barring the Attacks. Do whatever it takes like isolate the system, bring it down (if necessary), check the status of other critical systems. Isolate the affected assets and try to resume operations asap.

2. Quickly assess the business impact

Assess the impact immediately. This is critical while reporting to the stake holder as well as create an appropriate strategy for response.

3. Notify the Incident Response Team & Forensic Team

Since it is of highest escalation level, the Incident Response Team must be immediately notified. Following steps will be taken with their advice.

( Read more: Security Metrics and Dashboard for the CEO / Board )

4. Notify legal advisory team & communication team

Advisory Team includes the Legal, Auditing Teams who can advise on how to recover best and the legal complications. All actions taken, including that of forensic team must be consulted with the Advisory Team.

Communication Team will communicate with the external world-employees,media,customers etc. about the Security Breach only if deemed necessary. Alerting employees can help reduce chaos and uninformed customer interactions.

5. Guard the Incident site for forensic proof protection

Documenting the scenario as it is found is absolute necessary. Systems must run as during the incident discovery, no change of state should take place. Also, outsiders including other employees must be prevented from entering the area. Only authorized persons (Forensic Experts/Incident Response Team) must be allowed. First few minutes can be critical to preserve data to track attacks eg. Volatile data.

6. Document and Interview People, Log Review

Document all details of Response Efforts and Breach Discovery. Also, retrieve data as much as possible from the resources available by interviewing the people concerned. Often Network admins and engineers might have a few anomalies to point out.

Logs are the second resource. Detailed review to check for all anomalies like unauthorized access can be a great indicator of scope of damage, assets involved etc.

7. Notify Customers if necessary

In case the data loss is customer data and sensitive in nature eg. Personally Identifiable Information, the customers must be informed in allocated time. This should be only after consulting Directors, Legal Advisers etc.

8. Notify the CEO if it is a critical breach

In case the data loss is customer data and sensitive in nature eg. Personally Identifiable Information, the CEO should be informed. Make sure to also put together a quick note on how the organization is planning to respond to the breach including the current impact and future impact on business. 

( Read more: Security Technology Implementation Report- Annual CISO Survey )

Post 24 Hours: Ask yourself..

• Has complete recovery happened?
  
• Why did the breach happen?
  
• What are the preventive measures for future?
  
• Are all the customers safe now?
  
• What are the current drawbacks in your Incident Response?

More:  Join the community of 3000+ Chief Information Security Officers.  Click here

Download A Detailed Incident Management Plan :

This is a community contribution. You can download the detailed Incident Management Plan ? You can download it here

Here's a list of World's Best and Most Popular IT Security Conferences. Details such as Tentative Time, Pass Price and Locations are mentioned so you can plan your Calendar.

Top IT Security Conferences In The World:

1. Black Hat

Claims to be the most technical and relevant global IT security conference in the world. Black Hat USA believes in providing a vendor neutral environment for latest information technology research and development and trends.

• Participation fees: $1800- $2600
• When & Where:
  • Black Hat USA 2015 : August 1-6, 2015, Mandalay Bay | Las Vegas, NV
  • Black Hat Europe 2015 : November 10-13, 2015, Amsterdam RAI | The Netherlands
  • Black Hat Asia 2016 : March 29 - April 1, 2016, Marina Bay Sands 10 Bayfront Avenue | Singapore
• Number of Attendees: About 7500
• Website: https://www.blackhat.com/

( Read More: How To Benchmark A Web Application Security Scanner? )

2. RSAC:

This IT Security Conference claims to attract the highest number of attendees approx. 30,000. However according to RSA “the real value of the Conference lies not in their size, but in the valuable content they provide and their commitment to finding new industry voices and new ways for the community to feel inspired and engaged”.

• Participation fees: $1900 approx. (Delegate pass)
• When & Where:
  • RSA USA - April 20 - 24, 2015, | Moscone Center | San Francisco, CA
  • RSA Conference Asia Pacific & Japan Singapore | 22 – 24 July, 2015, | Marina Bay Sands
  • RSA Conference Abu Dhabi | 4 – 5 November, 2015 | Emirates Palace Abu Dhabi
• Number of Attendees: 30000
• Website: https://www.rsaconference.com/

3. DEFCON:

Started in 1993, Defcon is one of the oldest and also one of the largest hacker IT Security conferences.Last year saw a record number of attendees.

• Participation fees: $1900 approx. (Delegate pass)
• When & Where:
  • DEF CON 23 – August 6-9, 2015, Paris/Bally's in Las Vegas
• Number of Attendees: 14,500
• Website: https://www.defcon.org/index.html

4. Infosecurity Europe:

Infosecurity Europe claims to be the biggest and the most attended IT security conference in Europe. Infosecurity Europe 2015 seems to be Europe's largest information security industry gathering.

• When & Where:
  • Infosecurity Europe 2015- (02-04) June 2015 | Olympia-London-UK
• Number of Attendees: 15,000+
• Website: http://www.infosecurityeurope.com/

5. InfoSec World

Organized by MIS Training Institute, they seem to have a diverse range of speakers that attracts attendees to the IT Security Conference.

• Participation fees: Max $3995
• When & Where:
  • InfoSec World 2015- (23-25) March 2015 | Disney’s Contemporary Resort -Orlando - FL
• Number of Attendees: 1300 +
• Website: http://www.infosec-world.com/

( Read More: 4 Areas Where Artificial Intelligence Fails In Automated Penetration Testing )

6. ShmooCon:

Organized by The Shmoo Group, ShmooCon is an American hacker IT Security Conference. It has three days for demonstrating with technology exploits, inventive software, hardware solutions and open discussions of critical Information Security issues. Costs are relatively low.

• Participation fees: $150 general admission ticket
• When & Where:
  • ShmooCon 2015- (16-18) January 2015 | Washington Hilton Hotel- Washington -USA
• Number of Attendees: 1500+
• Website: https://www.shmoocon.org/

7. SANS Summits:

Organized by SANS Institute, it is a 2-Day IT Security Conference hosted with focus on the current Information Security Concerns. Some segments include -User Panels, Debates, Vendor Demos and short talks by industry experts.

• Participation fees: 1299 USD- 5350 USD
• When & Where:
  • Digital Forensics & Incident Response Summit - Austin, TX Jul 7, 2015 - Jul 14,2015
• Number of Attendees:
• Website: https://www.sans.org/summit/

8. Gartner Security & Risk Management Summit

Gartner's conference hosts the its IT Security Conference which focuses on work of 1200 Research Analysts. The Summit includes six in depth programs including current issues on IT security and risk management.

• Participation fees: US $2,995
• When & Where:
  • Gartner Security & Risk Management Summit : 8 – 11 June 2015 | National Harbor, MD (Washington, D.C. area)
• Number of Attendees:
• Website: http://www.gartner.com/technology/summits/na/security/

( Read More: Comprehensive Salary Guide For Cyber Security Professionals: First Time Ever In India )

9. APPSEC USA

A software IT Security Conference for developers, auditors, risk managers, technologists, and entrepreneurs gathering with the world’s top practitioners to share the latest research and practices in the field of security. Two-days of training followed by two-days of world-class speakers. This is an excellent platform for developers, security experts and technologists to discuss cutting edge approaches to secure web applications. AppSec USA is also one of the largest sources of funding to help advance all of the free, open source OWASP projects the security world rely upon.

• Participation fees: $300 - $1500
• When & Where:
  • OWASP APPSECUSA 2015 - September 22-25 – San Francisco
• Number of Attendees:
• Website: https://2015.appsecusa.org/

10. SACON - Security Architecture Conference

Focused on Security Architecture, you could find deep technical session & strategic sessions on Security Architecture, SecDevOps, Threat Modelling, SOC, Incident Response, IoT Security and More. It brings IT Security Professionals and architects together. It strives at understanding and incorporating security at the architectural level. Also offers some great discount schemes, use the pre-registration for these.

• Participation fees: $250 - $500
• When & Where:
  • SACON 2017 - November  – Bangalore, India
• Number of Attendees: 300+ to 500+
• Website: sacon.io

Of course we have our very own community events which we have to mention.

CISO Platform Annual Summit/ Decision Summit

CISO Platform Annual Summit and Decision Summit are two of the largest IT Security Conference in India/Asia which is exclusively for Senior Security executives/Decision makers. Typically there are over 50+ sessions and 80+ speakers from 8 different countries sharing their insights and experiences with the CISO’s working to secure businesses of all sizes in various innovative ways.

• Content Focus
  • Vendor Evaluation and Bench marking Tools
  • Security Management Tools and Frameworks
  • Metrics and Dashboard for Security Management and Decisions
  • Professional Development Checklists and Frameworks

• Participation fees: 200 to 400 USD
• When & Where:
  • CISO Platform Annual Summit- November 19 to November 20, 2015 Mumbai.
  • CISO Platform Decision Summit- June, 2015 Mumbai.
• Number of Attendees: 200+
• Website:
• http://www.cisoplatform.com/events/ciso-platform-annual-summit-2015
• http://www.cisoplatform.com/events/ciso-platform-decision-summit-2015

Calendar of Events

What are Your Favorite IT Security Conferences? Share with us in comments below.

Convincing the board to spend on the security initiatives has always been challenging. The ROI being very complex, the information security world is often overlooked. Here's a template to help structure the IT security content for the Board.

Key Considerations while presenting to the Board

Less is more. Board doesn't want the technical details.

We might want to fill up the presentation with a lot of metrics and data but the board wants the most critical ones which they can understand and relate to. E.g. They might not be interested in knowing about patching status or the number of incidents that you handled. 

Board speaks different language

Understanding the language of the board is very important. Use technical jargon as sparingly as possible. Change your language and examples to something that the non security audience can easily relate to.

Board is worried about how good the security is....minus the technicalities

That's a hard problem to answer. Security cannot be measured on absolute terms. However you got to explain it in simple way. You also need to assure how ready you are in terms of handling any critical incident

Be cautious: Verify your assumptions

Al lot of times we assume that the board might be interested in certain things. Most of the time people guess it wrong. It is a good idea to assume but definitely verify and take feedback

List of To-Do before the Board Meeting:

• Understand what the Board wants
• Understand the level of understanding of each individual in the board
• Align your security strategy to the Business Goals
• Be Clear on 'How Secure The Organization Is?'
• Consider sending papers before hand to the members for a better understanding
• Real Life example simulations can be easier to communicate with
• Represent numbers or other complex stuff graphically which gives an idea of trend
• Always be ready with the synopsis of all the security projects running and the most vital ones needing approval
• Create a story board where the problem statement is well defined and the action taken highlights its fatality
• Engage the board, get their views and keep your plan flexible
• Compute the security philosophy in simple numbers eg. If scenario 1 happens, Loss=$1million
• References to stats and competing organizations can help with the budgets

CISO Platform Recommended Board Level Metrics

Here is a comprehensive checklist to Evaluate SIEM Vendors. We highly appreciate this community contribution.
by Sunil Soni, CISO, Punjab National Bank

Vendor Selection Framework For Integration Of Threat Intelligence With SIEM

Key Selection Criteria (Minimum):

Financial/business stability

• Its legal status in India
• Condition of financial health
• Mode of presence in India (directly or through subsidiary or a Joint venture)
• Is it an OEM (Original Equipment Manufacturer) or their authorized Representative in India
• Financial turnover for last three years
• Turn over from Information Security Business during last two years
• Is there a legal action pending against them for any cause in any legal jurisdiction?
• A minimum of 5 years of experience in Information Security Business (Including consulting, actual implementation and support thereafter)?
• Availability of skilled staff to support proposed solution (CISA/CISSP/CISM and PMP)
• Have they implemented at least one SIEM solution on the proposed solution, if not then on earlier versions of SIEM solution?
• Unsatisfactory record in completion of any of the earlier contracts with the Bank ?
• Have experience in implementation of enterprise-wide SOC?

( Read More: 5 Reasons Why You Should Consider Evaluating Security Information & Event Management (SIEM) Solution )

>> Compare Top SIEM Vendors: Click Here

Key Selection Criteria (Technical):

A. Capability

• Capability to meet 24*7*365 support requirement
• Availability of their DR Site?
• Ability to handle any critical issue within least possible time?
• The capability to monitor all kind of incidents?

B. Technical Criteria

• Their ability to provide legal support
• Capability to provide technical support on a continuous basis.
• Their capability to scan all website of the Bank for malicious activities and its reporting using online dashboard
• Ability to provide training to bank's staff
• Capability to meet SLA as defined in RFP?

C. Tie-up arrangement with Service provider & Technical groups

• How many Major leading browser developers (minimum 5), it has contact?
• How many (Internet Service Providers) ISPs (Minimum 500). It has contact?
• With how many ISPs (foreign countries) they have tie up with. (minimum 20 countries )
• Is SI / OEM member of Anti Phishing Work Group / Data Security council?
• Ability to provide training on SOC to at least 30 bank's official every 3 months
• "Do they have Experience in Anti Phishing, Anti Pharming and anti Trojan services  (minimum 3 years)"

D. Validation of Customer Credentials

• Provide number of customers using proposed / offered Anti Phishing services (minimum 5)
• Provide number of phishing, pharming and Trojan incidents closed during last 1 year.
• Provide number of Banking customers using proposed / offered malware scanning services.
• Their readiness to adhere to secured flow of data from vendor to the client?
• Their readiness to  provide undertaking to abide by security policy of the bank?
• Ability to monitor the performance on a regular basis.

E. Responsiveness

• How soon an incident can be closed by them?
• How soon advisory service is provided by them on critical vulnerability?

( Read More: Comprehensive Salary Guide For Cyber Security Professionals: First Time Ever In India )

F. Communication

• What is the native language spoken in the company? How many international languages, it is  able to communicate ?(minimum 9 languages should be supported)

G. Legal Service

• Ability to provide legal support in the form of communication with CERT/Cyber Crime (with special permission from the Bank). 

H. Advisory Service

• Ability to provide advisory service for online threats.
• Ability to provide advisory service for intelligence alerts.
• Ability to share article & white paper .
• Ability to provide regular alerts on critical vulnerabilities.
• Ability to provide advisory service for tools and other methods used by the fraudster against the Bank

I. DashBoard

• Ability to provide display of high and low level reports
• Ability to provide regular update of incidents
• Ability to customized reports/ option to process adhoc queries
• Capacity to download extracted data
• Availability of screen shots of all phishing related incidents
• Facility of case management with the flexibility to include comments from both the parties.
• Ability to provide role based authentication to the dashboard .
• Display of ongoing compliance status

J. Forensic Ability

• Capability to provide forensics analysis
• Ability to provide data for investigation purposes
• Ability of extracting critical data
• Ability to providing  critical information as per the nature of the incident
• Ability to provide comprehensive analysis of incidents or data

K. Background Checking of Staff

• Provide background of character & qualification of  proposed staff

L. Legal & Regulatory Compliance

• Status of  compliance on income tax law and employment regulation
• Status of complaine on  labour law i.e. minimum monthly pay salary, deduction, etc.

( Read More: Checklist To Evaluate A Cloud Based WAF Vendor )

>> Compare Top SIEM Vendors: Click Here

M. Capabilities of the Threat Intelligence Solution

• Tapping Geo-location hopping vis-à-vis time zone
• Ability to do device mapping (Screen resolution, Version of OS, Base Lining SDK)
• Device identification vis-à-vis device mapping
• Fraudlent devices to have an increased risk level
• Global Information harvesting i.e. IP Reputaton, Web Reputation, Detail with respect to Drop zones, infection point, C & C servers controlling end points
• Frequency of updation of rule in EFN (e-fraud network)
• Services (Manuals or automated through scripts)
• Blacklist feeds (General & specific to institution) & its frequency
• Ability to check for web & mobile (SDK kit- Rogue mobile apps & ability to bring them down and Anti Rogue Apps
• Checking of market campaign

N. Application Interface (API) Challenge

• Issue / ability with API & its upgradation with SIEM dashboard
• Ability to create a unified view

O. Solution Evaluation

• To verify the working of offered solution at a live site (Cross check with the limited countries)
• To validate technical adequacy of the offered configuration through a benchmark test. (Each  shortlisted vendor at his cost)
• To get a bench marking test conducted, research/testing finding & report evaluated

How do you evaluate SIEM Vendors? Share with us in the comments below or write your own article here 

Technical Skills:

Major Areas Of Focus:

• Incident Response
• Computer Forensics
• Network Security
• Secure Architecture

( Read More: CISO Platform Top IT Security Influencers (Part 1) )

Conceptual (Understand How-It-Works):

• Fundamental security concepts- CIA Triad(Confidentiality,Integrity,Availability),Authentication vs Authorization vs Access control, Non-Repudiation etc.
• Working Principles & Protocols of Internet- TCP/IP, IPV4, IPV6 etc.
• Security Domains- MDM, IDS/IPS, Database, DLP etc.
• Transport Layer- SMTP, MIME etc.
• Social Engineering tactics

• **Network security (Protocols, Configurations, Infrastructure, Vulnerabilities)- MIM, Spoofing, Firewall, Routers, Public Data networks etc.
• **Coding Practices- Secure coding, Malicious code, Buffer Overflows,Cross-site scripting etc.
• ** Coding Languages- C, Java, Perl, Shell, Awk etc.
• **Encryption (Processes & Algorithms)- Digital Signature & Certificate, Hash Algorithms & Encrypted Hash, AES, DH Key Exchange, PGP, DES & Triple DES, Blowfish, Twofish, Serpent

** - Preferably expertise level understanding and HandsOn in these areas, however basics must be tested first.

Expertise & handsOn:

• Internet protocols - DNS, TLS, IPSEC, HTTP, TCP, UDP etc.
• OS - Windows,UNIX/Linux etc.
• File system - Zfs, NTFS, FAT etc.
• Encryption - PGP, symmetric/asymmetric, ECB/CBC operations, AES etc.
• DLP - network vs endpoint DLP, Vontu, Websense, Verdasys etc.
• eDiscovery & Digital Forensics Concepts/Technologies - Encase, FTK etc.
• Threat or Risk Modelling - STRIDE, DREAD, FAIR etc.
• Pentesting Fundamentals
• Technical expertise - Windows, Linux, Solaris, AIX, OS400, Apple, Databases, Routers/Firewalls

Computer Forensics:

• Process- Data Extraction, Data Imaging, Data Preservation & Data Handling
  - Methodology for proper copy of storage devices that can be used as evidence
  - Tools like FTK, AccessData
• Popular tools- FTK, Access Data,Caine,EnCase etc.
• Techniques- Cross Drive Analysis(CDA), File Carving or Carving, Live Analysis, Steganalysis or Steganography Tools, Volatile Data Analysis

( Read More: Pre-launch Preview: State of Security Technology Adoption in Enterprises - Annual Report 2015 )

Added Certification

• CISSP
• ENCE(Encase Certified Examiner),
• CCE, GCFE(GIAC Certified Forensic Examiner ),
• GCFA(GIAC Certified Forensic Analyst),
• GREM(GIAC Reverse Engineering Malware),
• GCIA(GIAC Certified Intrusion Analyst),
• GCIH(GIAC Certified Incident Handler),
• CHFI, QSA, EnCE,
• CCE(Certified Computer Examiner),
• ACE(AccessData Certified Examiner),
• CISM

Personal Skills:

1. Good Management abilities
2. Stress Handling Capability
3. Impromptu action taker
4. Good Reasoning abilities
5. Process defining abilities
6. Good Communication skills
7. Team worker 

Notes

1. Test scenarios.Hand over test scenarios to the recruit, the process of resolving the problem will demonstrate - logical thinking, spontaneity, knowledge, forensic basics. This can be also done in idle teams as an exercise.

2. Learner.Since information security changes every day, the personnel should be open to learning and eager to demonstrate them. Educational courses made can also be useful for other members outside CIRT.

3. Think of hiring a hacker. Big companies are hiring hackers full-time to hack their systems, this enables faster resolving the easiest hackable points, moreover the hacker thinks like a hacker!

4. Domain experts of certain fields can be a good choice like- applications, network, mail and database.

5. Consider outsourcing this effort to a consultancy which results in lower costs as you don't need a team waiting for incidents to take place, rather treat only when affected. However, this must be preceded by references and study.

6. A Legal Advisor can be of umpteen help, in assisting of gathering information, recommendations and remediation when an incident/breech takes places

(Read more: CISO Guide for Denial-of-Service (DoS) Security)

Reference:

https://en.wikipedia.org/wiki/Computer_forensics

https://en.wikipedia.org/wiki/Information_security

http://ptgmedia.pearsoncmg.com/images/1578702569/samplechapter/1578702569.pdf

https://msisac.cisecurity.org/resources/guides/documents/Incident-Response-Guide.pdf

http://www.cert.org/incident-management/csirt-development/csirt-staffing.cfm

http://www.bankinfosecurity.in/incident-response-5-critical-skills-a-4214/op-1

The Future of Techs look so promising that we may live in Sci-Fis super soon. So, I thought of covering some mind blowing concepts, some of which may have also taken shape:

• Google Automated Cars
  This is a very popular project and the interesting things are these are Driver Less cars with extreme accuracy. It could look into a future of reduced accidents and human errors.
  
  
• MIT Squishy Robots (like Terminator 2)
  Notice the Robots in Terminator being able to change form to get through smaller spaces? MIT is working on phase changing robot, which can change form, it will be able to aid in Medical fields by going into the human body and finding survivors in a Rubble after natural calamities, and many more.
  
  
• Mind Controlling Aircrafts-No Pilot Planes
  A little scary but the Pilot is driving it with his mind. The pilot's brain waves will transform into commands for the flight. The tests gave very accurate flying results
  
  
• Rain Or Lightening on Demand
  University of Arizona worked on a way to shoot a Lazer Beam into the clouds to create electrical activity, the lightening is yet to happen though
  
  
• Invisibility Cloak
  A very common phenomenon in Sci-Fi, it is almost workable. One such way is to make the materials reflect light in such a manner, it turns invisible to the viewer.
  
  
• Watson-plays game Jeopardy, takes automated customer call etc.
  IBM Watson replicates the power of human learning i.e. cognitive learning. The best part is it can gobble up all the information available unlike humans helping us with deeper insights. It can takes automated calls and play Jeopardy.
  
  
• Artificial Brain
  Google's Brain didn't need teaching, with high volumes to videos given to it, wit high levels of accuracy recognized human faces and body parts. Amazingly it could detect the overwhelming cats too!
  
  

• Real Time Language Translation
  Skype allows one to communicate with someone who speaks a different language. Eliminates language barriers, already available in few popular languages
  
  
• Smartphones- diagnosis of infections, heart attacks etc.
  Your health monitoring device will be the smartphone, it will diagnose your mental health, your heart and all others. Processes will also be automated for quick notifications to the doctors and ambulance alert
  
  
• Intel Edison
  An SD Card size can fit in the whole of your bulky computer. Believed to be targeted towards developers.
  
  
• Form 1 3D Printer
  A design prototype is easier than ever, a quick 3D prototype with the Form1 is amazing.
  
  
• Eye Tribe & Leap Motion
  Both the above small devices are quick at recognizing hand motion and eye motion which are then actionable. Scroll the page or browse the web with your eyes or hands without touching the screen

With the amazing Techs comes a challenge, the Information Security world will take a leap light years forward, prediction can be key.

The next Leap(26th leap) Second will be on 30 June,2015. The last one was on 30 June,2012.

What Is It?

Earth's rotation is slowing down around it's own axis, so we need to Leap a few seconds to catch up. Occasionally seconds are added to UTC to compensate for its drift from the Solar Mean Time or UT1. UTC (Coordinated Universal Time) is followed universally which approximates to UT1.

Who Will Be Impacted?

Anyone who relies on modern computing devices for their services and have strict time dependencies on it may be affected.

How Will You Be Impacted?

The 25th Leap reported plenty technology failures where the leap was not smooth. To avoid this, proper planning is required. Exact time for Leap is at GMT 23:59:59 on 30th June,2015.

The adding of a second to the Computer Systems gets complex. In systems, it may happen to report the earlier second '60' or may double show earlier second '59', this can create chaos and overprocessing CPUs.

Some Impact In 2012:

• Delayed flights, manual check-in had to be conducted
• System crashes were reported even by Reddit, LinkedIn etc. last year.

How To Deal?

• Leap Smear-  It adds fractions of seconds from time to time during the preceding year instead of a single leap. Google takes this approach.
• Check for instruction on your software partner websites and create a checklist of action items for smooth transition
• If you of devices using PTP (Precision Time Protocol), there could be time manipulation,check with the providers
• It is noted UNIX Systems are highly susceptible, check for fixes
• Let your clocks go Out-Of-Sync. It's a serious option, US takes it. This can have a huge impact if it were to follow thereon as we might never have clocks in sync again.

Some Sites Guiding Fixes:

Cisco Products-

http://www.cisco.com/web/about/doing_business/leap-second.html#~ProductInformation

Linux Platforms -

https://access.redhat.com/articles/15145

Windows Platform-

https://support.microsoft.com/en-us/kb/909614

https://technet.microsoft.com/en-us/library/cc773013

Apple Platform-

https://developer.apple.com/library/ios/documentation/System/Conceptual/ManPages_iPhoneOS/man3/time2posix.3.html

Next Steps-The International Telecommunications Union will vote in November for abandoning the Leap Second. What are you views on this?

Top Security Worskshops

IT GRC Workshop Session

• Key Components and Architecture for GRC
• How to Jumpstart your GRC program with freely available tools and content
• Overview of Free Tools that you can use today
• Complete Vendor and Technology Taxonomy
• Customer Satisfaction based Rating of vendors along with Analysts opinion
• Checklist to evaluate a GRC Vendor
• CISOs who implemented GRC to share their real life experiences

Threat Intelligence Workshop

• Key components (People, Process and Technology)
• Threat Intelligence Maturity model
• Threat Collection & Analysis eg. OSINT
• Integrating Actionable Intelligence
• Technology and Vendor Landscape

Identity & Access Management Workshop

• Key Components And Architecture Of IAM
• Example Reference Architecture In An Industry (Telecom & Financial Industry)
• Complete Vendor and Technology Taxonomy
• Customer Satisfaction based Rating of vendors along with Analysts opinion
• Checklist to evaluate a IAM Vendor

Content Security(Web & Email) Workshop

Data Loss Prevention Workshop

• DLP Drivers
• Types of DLP Solutions
• Complete Vendor and Technology Taxonomy
• Customer Satisfaction based Rating of vendors along with Analysts opinion
• Checklist to evaluate a DLP Vendor
• Key Learning from CISOs

Cloud Security & Cloud Access Security Brokers Workshop

• Technology Taxonomy for Cloud Security
• Key components of cloud security architecture
• Blue print to build your cloud security program
• Basics of Cloud Security Access Brokers

Key Advancement in Application Security

• New Technologies like IAST,RASP
• Vendor and Technology Taxonomy
• Customer Satisfaction based Rating of vendors along with Analysts opinion

Top Talks

• BSIMM: Key Learning from 100+ Enterprises on Building a Software Security Program

• Critical Security controls while implementing SDN

• Future of networking technologies – an incremental change or a disruptive

• Using Predictive Analytics & Behavioural Economics for security decision making

• Data Classification – The key ingredient for information security
  

Top CISO Security Checklist Presentation

• IOT Adoption Checklist

• IPV6 Adoption Checklist

• Checklist For Evaluating A UTM Vendor
  

• Enterprise Risk Management Checklist

• IRM Vendor Selection Checklist

• How To Utilize Full Power Of OSSEC And OSSIM

• Checklist On Data Classification, Policy Formulation, Identification of Key words

• Choosing MDM Vendor To Suit Requirements

• Vendor Selection Framework For Integrating Threat Intelligence With SIEM

• Checklist to choose a Mobile Device Management Solution

Launch CISO Platform Index

Index developed based on User Satisfaction Survey by CISOs who used the vendor product on different evaluation metrics. To know more click here

Example domains covered (partial list)-

• Content Security (Web & Email)
• DOS/DDOS Security
• Identity & Access management
• IT Governance, Risk & Compliance
• Application Security (Testing)
• Security Analytics/SIEM

Launch Taxonomy (Complete Vendor Landscape)

Get a holistic view of the major players in the security domains and the coverage each of them have to offer.

Partial Domains List to be covered

• Content Security (Web & Email)
• DOS/DDOS Security
• Identity & Access management
• IT Governance, Risk & Compliance
• Application Security (Testing)
• Security Analytics/SIEM
• Cloud Security (CASB)
• Threat Intelligence

Launch Technology Evaluation Checklist

A Comprehensive checklist to save you months of effort before floating an RFP everytime! Read More

Partial list of domains covered-

• Checklist To Evaluate Content Security (Web & Email) Technology
• Checklist To Evaluate DOS/DDOS Security Technology
• Checklist To Evaluate Identity & Access Management Technology
• Checklist To Evaluate IT Governance, Risk & Compliance Technology
• Checklist To Evaluate Application Security (Testing) Technology

Top Panel Discussions

• Wargame Simulation: We are breached- What next?

• Managing Identity And Access In The Cloud & IOT: What Do We Need To Do Differently?

• Selecting And Implementing The Right Risk Management Framework

• Learning From Trenches: Moving To New Compliances PCI 3.0, ISO 27001:2013 And More..

• What Worked And Did Not While Implementing Your Content Security Program?

• Is Your DLP Really Working? How To Make It Work?

• CISO Reporting Dashboard For The Board/CEO

• Creating A Blueprint For Cloud Security In Your Organization

• Beyond SIEM:Blueprint For Building Advanced Enterprise SOC

Round Tables / War Gaming & Strategy Simulation Exercise

• Using Metrics to Manage the Risks & Application Security Investments

• Creating your software security strategy using BSIMM

• Strategy Roadmap For ERM

• Hit By DDOS- What Next?

• Dealing With Malware Attack

Top Technical Training

• Cyber Forensics & Incident Response Training Cyber Course

• Network Forensics & Practical Packet Analysis

• Application Security Testing & Web Hacking

For More Details On Trainings click here

A simple 4-step model to information security

1. Maintaining & Monitoring IT resource/asset integrity 
2. Preparing & Limiting damage/loss in the course of attack
3. Proper Access control/Authentication & Authorization
4. Secure Data Communication

Top 10 steps to mitigation

1. Application Whitelisting
2. Training & Awareness
3. Proper Admin Privilege control & monitoring
4. Anti-Virus File Recommendations for Cloud interactions
5. Use of HIPSi.e.Host Intrusion Prevention System Rules
6. Configure secure host baseline
7. Web-Domain i.e. DNS Trusted Ratings
8. Updated systems always
9. Secure Architecture planning & revise
10. Incident Log review and monitoring process setup

Courtesy: https://www.nsa.gov/ia/_files/factsheets/I43V_Slick_Sheets/Slicksheet_Top10IAMitigationStrategies_Web.pdf

We had a long and nice week at RSA Conference 2015 in San Franciso. Some of you might have missed the event or missed some of the good talks even though you were there. so we have handpicked the best of RSA  just for you.

Important Note:

• All presentations are courtesy RSA and is presented as-is without any modification
• Some of the descriptions below are taken from RSA website (www.rsaconference.com)
• You need to Sign in/Sign up to view the detailed presentations. (It's free). You can also access all the presentations on the official website of RSA conference for free.

( Read more : Hottest Buzzword Trend Analysis from RSA Conference 2015- San Francisco )

Cyber Security Operations Center for Critical Infrastructure Protection

Critical Infrastructure elements are mostly major business assets, a sudden emergency without preparation is often not the right way. It can be planned, how is in the slide. Click here to view ppt

Threat Intelligence Is Like Three Day Potty Training

Along with 3 main elements being People, Process & Technology, learn the maturity model and its application. Click here to view ppt

Security Metrics That Your Board Actually Cares About

This is a question to all CISOs/CIOs, here's you answer or at least a base you can build on. Click here to view ppt

Don't Get Left In The Dust How To Evolve From CISO To CIRO

The security world is changing, so are the roles. From CISO to CIRO, the transition and its application find all. Click here to view ppt

Achieving Defendable Architectures Via Threat Driven Methodologies

The threat driven approach is a combination of threat analysis and intelligence, here go through the details. Click here to view ppt

Making Threat Intelligence Actionable with STIX

Find out the ways to implement threat intelligence in practice. Click here to view ppt

( Read more : 5 Security Trends from Defcon 2014 - The Largest Hacker Conference )

Implementing An Automated Incident Response Architecture

Have you not dreamt of a day when the issues didn't wake you up? It's time for automating the Incident Response! Click here to view ppt

Orchestrating Software Defined Networks To Disrupt The Apt Kill Chain

Trace out the major areas of APT level entry and configure your SDNs to disrupt them. Click here to view ppt

Rapid Threat Modeling Techniques

DFD & STRIDE Techniques-how effective they are? Issues, customization & analysis tools are explained. Click here to view ppt

Westjets Security Architecture Made Simple: We Finally Got It Right

Cracking the Westjets Security Architecture in a simple way. Click here to view ppt

How To Avoid The Top Ten Software Security Flaws

What are the Top 10 Flaws and how you can not make it-all are given as a crisp brief

Click here to view ppt

Tools Of The Hardware Hacking Trade

Firmware to Chip-set, a hacker's mind is unwind while discovering the right tools for hardware hacks

Click here to view ppt

Cryptography Keynote Panel: Shamir, Rivest, Diffie et al

Panel discusses the latest advances in cryptography

More:  Want to be a infosec community contributor? Click here 

(Source-RSA 2015,USA)

(Source-RSA 2015,USA)

(Source-RSA 2015,USA)