pritha's Posts (627)


This is a great Man In the Browser (MiTB) attack webinar (15 min), hosted by CISO Platform, which briefly points out the risks and also recommends some fixes. It is presented by the CTO at iViz. MiTB is particularly important for the banking and finance industry.

What will you learn?

- Why MiTB attacks pose a high risk to online banking and why they are hard to detect
- How the 'Man In The Browser' attack bypasses banks' two-factor authentication systems
- How one can mitigate the risks of MiTB attacks

Watch the 15min Power Webinar:


View Presentation/PPT:


Quick Glance:

Attack Scenarios-

  • Classic 'Man In The Middle' - the attacker sits between the victim client and the server; prevention: encryption, e.g. SSL
  • Compromised host - the attacker gains full access to the client system; prevention: multi-factor authentication, e.g. biometrics
  • 'MiTB' - a deadly combination of the above two; both of the above measures fail here

Why It Is Dangerous-

  • Can read - identity, bank password and balance, credit and debit card numbers, session keys
  • Can modify - details of the transaction
  • Can change the password - you can get locked out!
  • Bypasses all sorts of multi-factor authentication, including captcha

How to Protect Yourself as an End-user-

  • Strong passwords - not effective
  • Basic security awareness, updated OS and browser, a separate system for online banking - maybe effective
  • Updated antivirus/antimalware - sometimes helps
  • Hardened browser on a USB stick - moderate security
  • Use online banking only with banks that have countermeasures - high security

Mitigation Strategy for Banks-

  • Provide a hardened browser on a USB stick with an authentication mechanism, e.g. a token
  • OTP token with signature
  • Before the transaction, confirm the transaction details with the OTP
  • Fraud detection on the basis of client behavior or transaction type and amount (less effective)
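The last two bank-side measures above (an OTP token with signature, confirming the transaction details with the OTP) work because the code is bound to the transaction, so a browser-side rewrite of the beneficiary invalidates it. The following Python is an added example, not material from the webinar: it contrasts a plain login OTP with a transaction-bound code; the seed, account strings and the tampering model are constructed for illustration.

```python
"""Why a login-time OTP does not stop Man-in-the-Browser, while a
transaction-bound code (transaction signing) does.  Constructed example:
the seed, account strings and the tampering model are made up."""
import hashlib
import hmac
import struct


def _truncate(digest: bytes) -> str:
    """HOTP-style dynamic truncation (RFC 4226) to a 6-digit code."""
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10**6:06d}"


def login_otp(seed: bytes, counter: int) -> str:
    """Plain event-based OTP: depends only on the shared seed and a counter,
    so it says nothing about which payment the user intended."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha256).digest()
    return _truncate(mac)


def transaction_code(seed: bytes, beneficiary: str, amount_cents: int,
                     counter: int) -> str:
    """Transaction signing: the token shows beneficiary and amount on its own
    display and MACs exactly those fields, so the code is valid only for them."""
    msg = f"{beneficiary}|{amount_cents}|{counter}".encode()
    return _truncate(hmac.new(seed, msg, hashlib.sha256).digest())


def bank_check_login_otp(seed: bytes, tx: dict, otp: str) -> bool:
    """Bank side, scheme A: verifies the OTP only; tx fields are not bound."""
    return hmac.compare_digest(login_otp(seed, tx["counter"]), otp)


def bank_check_transaction_code(seed: bytes, tx: dict, code: str) -> bool:
    """Bank side, scheme B: recomputes the code from the fields it received."""
    expected = transaction_code(seed, tx["beneficiary"], tx["amount_cents"],
                                tx["counter"])
    return hmac.compare_digest(expected, code)


def browser_rewrites(tx: dict) -> dict:
    """Model of the MiTB effect described above: the user is shown the intended
    payment, but the request that leaves the browser names another account."""
    return {**tx, "beneficiary": "OTHER-ACCT-0000"}


def compare_schemes() -> dict:
    seed = b"constructed-shared-seed-not-a-real-key"
    intended = {"beneficiary": "FRIEND-ACCT-1234", "amount_cents": 15_000,
                "counter": 7}
    received = browser_rewrites(intended)      # what the bank actually gets

    # Scheme A: the user types the login OTP; the rewritten payment passes,
    # because nothing in the OTP depends on beneficiary or amount.
    otp = login_otp(seed, intended["counter"])
    a_tampered = bank_check_login_otp(seed, received, otp)

    # Scheme B: the code was computed over the intended fields, so the
    # honest request verifies and the rewritten one does not.
    code = transaction_code(seed, intended["beneficiary"],
                            intended["amount_cents"], intended["counter"])
    b_honest = bank_check_transaction_code(seed, intended, code)
    b_tampered = bank_check_transaction_code(seed, received, code)
    return {"login_otp_accepts_tampered": a_tampered,
            "tx_code_accepts_honest": b_honest,
            "tx_code_accepts_tampered": b_tampered}


if __name__ == "__main__":
    for name, accepted in compare_schemes().items():
        print(f"{name}: {accepted}")
```

The bank never has to detect the malware itself: the rewritten payment is rejected because the code no longer matches, and the user read the real beneficiary on the token's display rather than in the compromised browser.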




2014 has been a great year at CISO Platform. Around 1,500 new senior executives joined the platform and we published 120 new articles on security. Here are some of the best ones from 2014.


Microsoft vs Apple: Which OS is more secure?

Contrary to the common belief that 'Windows is very insecure', Microsoft has been very proactive in security. Apple iOS also has a great deal of security, built in from scratch as described in the iOS Security document. Here are the few points I found worth mentioning. Here's a small video with the debate.

Watch video[9 min]:


Microsoft (Windows)

  • Made great changes in terms of security, e.g. the Security Development Lifecycle (SDL), considered an industry model
  • Bluepill attack ineffective on Windows 8 - due to installation of an empty hypervisor and an alert on any other hypervisor installation
  • Windows 8 x64 also removed backward support for documents that had been a source of bugs
  • UEFI, an alternative to BIOS that overcomes certain BIOS limitations, e.g. prevents bootkit attacks
  • Secure Boot verifies that the Windows OS is not compromised
  • Pwn2Own (hacker competition) - lately Windows has been the hardest to compromise
  • Windows is doing great at preventing zero-day attacks and verifying kernel modifications

Apple (iOS)

  • Jailbreaking has become very difficult
  • Admin rights reserved, so attackers cannot exploit privilege escalation
  • Reserving admin rights is also a great step for enterprise security, as Apple's security experts can be trusted more than any common user
  • Isolation of applications - apps are signed, verified and sandboxed
  • Secure Boot Chain - allows iOS to run only on validated Apple devices
  • Secure Enclave (A7 or later A-series) - keeps data protected even if the kernel is compromised
  • UID (unique ID) & GID (group ID) - AES 256 encryption keys fused into the application processor, so no software or firmware can read them directly
  • Keychain Data Protection
  • FIPS 140-2 (U.S. compliance validation) of the iOS 8 cryptographic modules, which validates the integrity of Apple apps and third-party apps that properly use iOS cryptography services

* We have mentioned only a few; this is a suggestive list, not a binding one, and there are various other features.

What are the best security specs in your favorite mobile OS - Windows or iOS?


Ants and Elephants in the CISO's Office

Watch Video:


Ants and Elephants in the CISO's Office by Paul Raines

I will show how ISO 9001 and ISO 27001 can be used together to deliver business value and demonstrate to executive management and key stakeholders that you are exercising due diligence in protecting your organisation's information assets. The talk will briefly discuss the requirements of the two standards and show how ISO 27001 and ISO 9001 can be used to address both the tactical challenges of information security (the ants) as well as the strategic challenges of delivering business value (the elephants).

View PPT:


Watch Talk:


BadUSB — On accessories that turn evil by Karsten Nohl

Karsten Nohl is a cryptographer and security researcher.

This talk introduces a new form of malware that operates from controller chips inside USB devices. Peripherals can be reprogrammed in order to take control of a computer, exfiltrate data, or spy on the user. We demonstrate a full system compromise from USB and a self-replicating USB virus not detectable with current defenses.

View PPT:


Hacking Exposed: Why Current Security Solutions Fail

Here is an interesting webinar on the 'insecurities of security products'. More often we consider the security vulnerabilities in products other than security products. It is ironic how a product devised to provide security can also make you more susceptible to compromise. How so is demonstrated through a few examples.

3 industry experts joined us in this webinar-

  • Stuart McClure, Ex-CTO at McAfee & Lead author of 'Hacking Exposed'
  • Bikash Barai, CEO, iVIZ Security
  • Gary Golomb, Senior Researcher, Cylance

*Note: the webinar was conducted in 2013, so the information about the persons is as of the webinar date.


What you will learn:

  • How security products can be exploited
  • Vulnerability trends in security products over the last decade
  • Vulnerability statistics of major security vendors/products
  • Classes of vulnerabilities in security products and comparative analysis

Watch Webinar Video (Scroll Down For Slides) :


A Quick Glimpse of the Webinar Topics Covered:

Examples of Security Products with Vulnerabilities

  • E.g. Symantec & Trend email appliances
  • Microsoft Auto-Update hijacked
  • Pre-boot authentication attacks
  • Vulnerabilities in antivirus and VPN products
    (Presented at Black Hat; the vulnerabilities may have been patched by now)

Report/Study

  • Key Findings
  • Vulnerability Trends in 'All Products' & 'Security Products'
  • Vulnerability by 'Product Types' 2012
  • Vulnerabilities by Vendors
  • Vulnerabilities in Security Products
  • Comparative Analysis - Weaknesses: 'Security Products' vs 'All Products'

The comparative analysis reveals an interesting insight: security products are the least vulnerable to 'SQL injection' but highly vulnerable to 'access control', 'input validation' and similar issues compared to all other products.

View Presentation


What are the major threats in security products today? Share with us in the comments below.

5 Real ways to destroy business by breaking SAP Applications

Watch Video:

Do you know where all the critical data of your company is stored? Is it possible for an attacker to commit sabotage or espionage against your company by breaking into just one of your business-critical systems? And if so, what kind of systems could be under attack? Is it easy to break them? Is it a myth that SAP systems can be accessed only internally? The time has come not only to answer all of these questions. This time, real examples of different attacks on enterprise business application systems will be shown, based on eight years of research experience in that field. First of all, we will cover all possible business risks related to each and every type of system, such as ERP, SRM, HR, Business Intelligence, PLMs and industry solutions, so that every high-level executive will get a full understanding of what could happen. After that, we will show examples of how easy it is to perform such critical actions in different systems by exploiting vulnerabilities and misconfigurations, from the more business-related, such as abusing SRM systems to win a bid, for example, and fraud in HR systems such as salary increases, to more technical things, such as drilling into the corporate network via SAP Portal or delivering backdoors that look like official updates via SAP Router. Our presentation will be the first to show real threats to the business during those attacks, with demos of the most interesting ones, and a guide from EAS-SEC on how to avoid them.


View PPT:


List of Top Incident Response Tools

So you have been breached? Okay, cool off and get your hands on the most useful tools. Why? Because now all you need to do is find out what is out in the open and what is not. Then you can decide how bad the breach is, and if you gather good evidence, you have a chance to win. Moreover, once your customers can be alerted to the exact loss, the loss is mostly not as brutal.

We'll stick to the main focus areas we described for skill sets in IR teams. 

Note:

  1. Tools are platform dependent, e.g. OS dependent (Windows vs Linux)
  2. Most of the list will be free or open source or both
  3. High coverage of Windows tools, less for other OSes (e.g. Linux, Mac)
  4. Most free software is offered as download at your own risk; careful checking is recommended


Major Areas Of Focus:

  • Incident Response
  • Computer Forensics
  • Network Security
  • Secure Architecture

Incident response tools:

  • First Responder's Evidence Disk (FRED)
  • Knoppix STD
  • Windows FE (Microsoft-free)
  • Coroner's Toolkit - for UNIX
  • MasterKey - Linux
  • ProDiscover - paid basic, forensic & IR editions (ARC Group)
  • Oxygen Forensic Suite (Passware)
  • Helix (free, pro, enterprise and live versions)
  • Forensic Toolkit (FTK) or international version, by AccessData
  • Forensic Bridges (Tableau / Guidance Software)
  • First Response (Mandiant)
  • Investigator Workstation & Lab (Nuix - paid)
  • Windows Forensic Toolchest (WFT) - paid version (FoolMoon)

Computer forensics tools:

Memory & imaging tools-

  • DumpIt
  • Guymager
  • Volafox - for Mac OS X
  • P2 eXplorer - free and pro (paid) versions (Paraben)
  • FTK Imager - also for Mac OS (AccessData)
  • Tableau Imager (Tableau)
  • OSFClone & OSFMount (PassMark Software)
  • EnCase Forensic Imager (Guidance Software)
  • Redline (Mandiant)
  • Live RAM Capturer (Belkasoft)
  • Disk2vhd (Microsoft)
  • USB Block Writer (DSi)
  • EvidenceMover (Nuix)

Carving-

  • PhotoRec
  • MFT PictureBox
  • Ghiro Digital Image Forensics
  • Defraser

File system-

  • HMFT
  • INDXParse
  • AnalyzeMFT

File signature-

  • HexBrowser
  • File Signature


Analysis-

  • PDF Stream Dumper
  • OSForensics
  • The Sleuth Kit
  • RegRipper
  • ShellBags analysis
  • Digital Forensics Framework (DFF)
  • SANS Investigative Forensic Toolkit (SIFT)

Metadata & passwords-

  • pwdump7
  • Ophcrack
  • NTPWEdit
  • ntpasswd
  • Cain & Abel
  • Encryption Analyser - free and 2 paid versions (Passware)
  • InsidePro
  • L0phtCrack
  • EWF MetaEditor (4Discovery)

Hashes-

  • HashMyFiles (NirSoft)

Network security tools:

Network traffic-

  • Wireshark
  • Nmap
  • Security Onion
  • WinDump
  • NetworkMiner (Netresec)
  • RSA Security Analytics freeware (RSA)
  • Xplico (NFAT)
  • Retina (BeyondTrust)

Email-

  • Mail Viewer (MiTeC)
  • Kernel OST Viewer or Kernel Outlook PST Viewer (Kernel)
  • Email migration and email recovery solutions (Kernel)
  • MBOX Viewer - free and pro (paid) versions (SysTools)


Secure architecture tools (includes testing tools):

  • Mantra - Windows, Linux, Mac (OWASP)
  • Metasploit - attack simulator (Rapid7)

This is more an approach to building the architecture right from the start. Apart from that, you may use any analysis tool to keep a check. However, tools will be temporary, and an insecure architecture will increase your security debt.

References-

  • http://windowsir.blogspot.in/p/foss-tools.html
  • http://www.e-fense.com/products.php
  • https://forensiccontrol.com/resources/free-software/
  • http://www.gfi.com/blog/18-free-security-tools-for-sysadmins/
  • http://www.blackhat.com/presentations/bh-asia-02/bh-asia-02-khoo.pdf
  • Forensic book - Johnson 111
  • Each product's own link
  • To add: top 10 free tools for pentest/audit - http://www.security-audit.com/penetration-testing-tools/

Mobile tools will be covered separately, since this is a lot already! Do you use other tools? Share with us in the comments below.


Team Modules/Organization-

  • IR Management
  • IR Core Team
  • IR Secondary Team
  • IR Communication Team
  • Technical Assessment & Forensics Team
  • Technical Support Team
  • IR Support Team


How the Org Chart Works-

  • IR Management - the highest level of management in the incident response organization. Oversees the incident scenario as a whole and considers threat reports, preventive measures and ROI in a timely manner.
  • IR Core Team - IR experts who track incidents and report directly to IR Management. Responsible for setting up an effective security infrastructure.
  • Communication Team - (consists of the Public Relations Officer and the Contact Lead) coordinates with the IR Core Team on communicating to the masses, such as employees, customers etc. The Communication Team's help desk should report incidents to the IR Technical Assessment Team.
  • IR Technical Assessment & Forensics Team - tracks all incidents and reports them to the IR Core Team members.
  • Technical Support Team or IR Support Team - reports to the Technical Assessment Team. Provides supportive measures based on previously solved incidents only; incidents of a new nature may need to be escalated.
  • Secondary IR Team (HR, Legal, Training) - reports to and coordinates with the IR Core Team members and may work as a team during incident handling. Responsible for IR resources, training and skills, along with security awareness among employees and customers.


References-

  • CSIRT Team, p. 23: http://www.sans.org/reading-room/whitepapers/incident/creating-managing-incident-response-team-large-company-1821
  • http://resources.sei.cmu.edu/asset_files/Handbook/2003_002_001_14099.pdf
  • http://www.sans.org/reading-room/whitepapers/incident/implementing-computer-incident-response-team-smaller-limited-resource-organizational-settin-1065
  • https://technet.microsoft.com/en-us/library/cc700825.aspx
  • http://www.sans.org/reading-room/whitepapers/incident/computer-incident-response-team-641
  • Incident Response & Forensics - Johnson 111


5 Major Types Of Hardware Attacks You Need To Know

From a recent webinar, I gathered the most notable parts into organized sub-parts. This is the first part, in which the major hardware threats and my insights on them are described. Below is the exact portion of the webinar discussing the hardware threats.

Part 1: Major Hardware Attacks


Major Types of Hardware Attacks:

1. VMX - Virtual Machine Extensions (instructions on processors with x86 virtualization)

Virtualization offers 2 levels-

(a.) higher performance and more cost-effective, e.g. Intel

(b.) greater isolation and higher cost, e.g. IBM

Most of us will use 'a.' over 'b.' without knowing the underlying threats that come with the reduced isolation.

2. Bluepill -

A rootkit designed for x86 virtualization. It creates a thin hypervisor/VMM and runs the rest of the machine virtually. It is almost undetectable, although there was controversy over this. Hardware-assisted virtualization can help malicious software, so the hardware architecture is key here.

3. Extreme Privilege Escalation

This was demonstrated on modern Windows 8: exploitation of the platform firmware (UEFI) using a new Windows 8 API. Privilege escalation from ring 3 to ring 0, the most privileged level, which communicates almost directly with the hardware resources.

4. Stepping P3wns

This attack used a resource's firmware update (a printer's, in this case), which bypasses the antivirus on the computer since it is not Windows malware. However, when the task is received at the printer, the firmware gets updated to the malicious one. This exploitation enables infecting IP phones etc., which can be a huge concern in 'BYOD' times.

5. Shadow Walker (TLB Splitting)

Misuses x86 hardware to hide malware from the OS and antivirus. In fact, even code modifications could not be detected by antivirus. The flaw: the difference between reading memory and executing it.


For the full webinar and presentation slides, click here

What do you think are the major hardware threats a CISO has to face in practice? Please share in the comments below.


OS Security Evolution & Latest Attack Vectors

Watch Video: (Webinar) OS Security & Latest Attack Vectors


Quick Glimpse-

Fairly technical content, highlighting the major interesting hardware threats, the main intentions behind attacks, the trust coefficient in places of misplaced trust, the application of the 'less is more' philosophy, and also some tips for selling infosec.

The talk gives us an idea, on the architectural front, of the most vulnerable areas and where caution is paramount.

View Presentation/PPT:


What are the major OS threats that concern you as a CISO? Tell us in the comments below.


Learning Practical Forensics - Tools & Techniques

A concise primer on forensics for a beginner or a security expert: an insight into an actual solution achieved through forensics. The problem: a PGP message intercepted by a RAT needs to be decrypted without the actual key. The process is briefly described by the expert himself and takes us through a forensic lab, without the pain of course.

Part 1: Forensics Video Recording

Part 2: Forensics Video Recording

Presentation/PPT for reference:


Let us know how helpful you found this short insight into forensics. You may comment below or write an article (on forensics or anything helpful for the infosec community). Click here to write.

CISO Platform Annual Summit, 2014 Highlights

The CISO Platform Annual Summit in Mumbai last week saw over 250 attendees over 2 days, making the spirit of knowledge sharing and learning a huge success among the information security executives of India. Here are the highlights of the awesome keynotes, electrifying Turbo sessions and some great knowledge-boosting training sessions.


Top Turbo Talks


  • How the Heartbleed bug was found?

    Antti Karjalainen - discoverer of Heartbleed

  • BadUSB — On accessories that turn evil

    Karsten Nohl - cryptographer and security researcher

  • Bitcoin Transaction Malleability - An Insight

    Daniel Chechik

  • 5 Real ways to destroy business by breaking SAP Applications

    Alexander Polyakov ( The father of ERPScan )

  • A journey to protect POS

    Nir Valtman - discoverer of point-of-sale vulnerabilities

  • Intrinsic Leadership

    Deb Maes - Neuro-Linguistic Master Practitioner & Trainer

  • Cyber Safety in Cars and Medical Devices

    Beau Woods - Creator of IOT Security Framework

  • The notorious 9 in Cloud Security

    Moshe Ferber

  • More Shadow Walker- The Progression Of TLB-Splitting On X86

    Jacob Torrey - Discoverer of TLB-Splitting on x86

  • Ants and Elephants in the CISO's Office

    Paul Raines - CISO, United Nations Development Program

  • Embedding risk assessment into your project workstream

    Michael Calderin - Security Officer, Bupa Global Latin America

  • Application Security Best Practices

    Yuval Idan

  • Cyber Threat Alliance – Actionable Threat Intelligence

    Derek Manky


Top Training Sessions

After several requests for training sessions, this time we did it. Everyone with an eye for detail took back a bag full of operational knowledge and in-depth insights.

  • Defending Online Attacks on Cloud Instances

    Nir Valtman (discoverer of point-of-sale vulnerabilities) & Moshe Ferber (cloud security entrepreneur)

  • Building an Incident Management Program

    Paul Raines (CISO @ UNDP, ex-OPCW)

  • Fuzz Testing Techniques for Discovering Zero Days

    Antti Karjalainen (discoverer of Heartbleed)

  • Implementing SAP security

    Alexander Polyakov (the father of ERPScan)

  • Practical Forensics- Tools and Techniques

    Sachin Deodhar

  • Mobile Security

    Devesh Bhatt (prominent security researcher) & Nutan Kumar

  • Spooky Threats and Selling Infosec

    Jacob Torrey - Discoverer of TLB-Splitting on x86

  • Implementation Guide for Big Data and Machine Learning

    Sayan Pathak (Microsoft)

  • Building a Threat Intelligence Organization: Tools,Techniques,Processes and Team Structure

    Derek Manky


More Turbo Sessions

  • Machine Learning in Information Security

    Arnab Chattapadhayay

  • Using Security Information & Analytics - As Actionable Intelligence

    Ahmed Qurram Baig

  • Operational Vulnerability Management Essentials using Open Source Tools

    Vikram Mehta

  • OSINT:Tools and Techniques for Open Source Threat Intelligence

    Sachin Deodhar

  • Zero-day Vulnerability Disclosure in Big Data (Hadoop)

    Jitendra Singh Chauhan


Top Panel Discussions

Exploring and sharing viewpoints on predefined security topics with the topmost CISOs allowed the community to grow together and leap forward into the future of security.

  • Managing the “Board” from CISO Perspective

    (Paul Raines, Bikash Barai, Nadir Bhalwani, Amit Pradhan, Venkatesh Subramaniam)

  • Prioritization, Dashboard and Metrics

    (Burgess Cooper, Rajiv Nandwani, Fal Ghancha, Sunil Mehta, Michael Calderin)

  • Managing Third party Vendor Risks

    (Arnab Chattopadhyay, Moshe Ferber, Pravesh Sharma, Ranjeet Mishra, Sirish Dandekar, Durga Dube, Jacob Torrey)

  • Learning from Failures

    (KS Narayanan, Nir Valtman, Beau Woods, Dhananjay Rokde, Mahesh Sonavane, Sudarshan Singh)

  • Future of CISO-Planning the career roadmap

    (Bikash Barai, Yuvnesh Modi, Amal Saha, ID Ganeshan, Arindam Roy, Deb Maes)


Top Round Table Discussions

Round tables are more informal and aim at dissecting a particular security topic or concern.

  • Surviving advanced data-stealing attacks
  • The changing role of the CISO - staying ahead of threats in an era of constant change
  • Application security as a business enabler
  • Managing DDoS - practical tools and technologies
  • What's inside your software? Managing third-party application security risk


To find exclusive coverage of the event, click here


Safeguarding Critical Data & Strong Backup

To protect sensitive/critical data available on users’ laptops, we implemented a remote backup solution that can back up the important files and folders on the users’ laptops to a remote server. The main purpose was to safeguard the sensitive/critical information against accidental loss, damage or corruption and ensure its availability as and when required, by making an additional copy on a remote server kept at a secured location. The organization’s needs were: a cost-effective solution; backup on demand or on a scheduled basis; encryption of data in motion during backup; backup over both the internal and the external network; a simple and easy-to-use solution for backing up sensitive/critical information on laptops; and data stored in encrypted format in a secure mode, accessible only by the intended authorized user. We evaluated various backup solutions, both commercial and open source. Commercial backup tools being beyond our approved budget, we evaluated other solutions with no compromise on features and security parameters. We selected a hybrid backup solution consisting of various tools and technologies (open source as well as commercial).

Key Learning From the Project:

Functional

  • Files with the latest time stamp should be stored on the backup site
  • Backup can be done in incremental form after the first full backup
  • A data search feature should be available among the backed-up data
  • The user can schedule the backup and run a manual backup on demand
  • Backup for mail clients like Outlook should be done in incremental form
  • Basic compression of data should take place before executing the backup
  • Backup should use both the internal and the external network (intranet and Internet)
  • Data restoration should be possible on a new machine in case of a stolen or crashed laptop
  • The backup software should support multiple OSes such as Windows, Linux and MacOS
  • The user can back up custom files and folders to the backup site, with an option to filter out undesirable files
  • The backup destination may be the company datacenter or cloud storage (like Amazon S3 or Google Drive)
  • Data restoration may be possible on the same machine from which the backup was initiated, by choosing from previous successful backup jobs

Security

  • Type of encryption on the wire (256 bits or higher, SSL/AES etc.)
  • The user shouldn’t have direct access to the data at the backup location
  • Only specific types of encrypted file format should be allowed in the backup
  • Type of encryption on destination data at rest (256 bits or higher, SSL/AES etc.)
  • Audit trails should be maintained for data restore activity from the backup server
  • Data should not be visible or recoverable by the system administrator at the backup site
  • Restoration on a machine other than the one originally used for backup should be possible only with IT support intervention

Licensing

  • Licensing should be perpetual
  • Licensing shouldn’t be per user or per machine


After evaluating various open source and commercial tools, the following tools and technologies, which met our objective, were selected for deployment.

  • Open source backup software for all laptops
  • Commercial secure FTP server for Windows as the backup destination
  • NAT and DNS for automatic internal/external switching of route selection (intranet or Internet)

Limitations

  • Open files are skipped during execution of the backup jobs
  • The user-configured password for the backup job is non-recoverable
  • No central console is available for backup job activities on users’ laptops


- With Rohit Kachroo, CISO, Indiabulls Group on 'Safeguarding Critical Data & Strong Backup'


This project mainly aims to have an enterprise-wide ITAM (IT Asset Management) system and endpoint protection, and also to maintain the hardware and software inventory. It also brought in centralized IT management and control mechanisms for policy enforcement, monitoring and reporting, to present a complete picture of the endpoint status of the organization.

Key Learning From the Project:

  • Involvement of OEMs – Involvement of OEMs is a critical success factor. The optimal and continued performance of the product is heavily dependent on project planning and final design, for which OEMs can provide the best possible advice and implementation.
  • Migration to new technologies/vendor/product – Formulation of a plan and strategy for a smooth transition with minimal impact on business performance and transparent to end users.
  • Standard policies and customized configuration – Need to implement policies with a pre-defined base level and continuous fine tuning and review in line with business requirements.
  • Development of test-bed infrastructure to evaluate critical patches/releases/versions/upgrades before rolling them out.
  • 24x7 premium support with the OEM – To deal with exigencies in minimal time, mainly in the case of antivirus.
  • Review of policies – Periodic review of policy effectiveness, daily reporting and monitoring to take maximum advantage and realize all the capabilities of the product in the most efficient manner.
  • Cover all nodes – Necessarily implement updates/fixes/upgrades at all nodes to reduce unknown vulnerabilities in the organizational environment.

-With S Ramasamy, Executive Director (Information System), Indian Oil Corporation Ltd. on '7 Tips A CISO Should Know To Implement Endpoint Protection & IT Asset Management'


7 Tips For DLP Implementation

Kotak Mahindra Bank has initiated DLP implementation across all business units in a phased manner; the implementation started 6 months ago with the critical business units. The solution monitors all channels, viz. Internet, email and endpoint.

1. Proper strategy and planning are vital for a successful DLP implementation.

2. Get management support for the project. Identify the critical business units to be considered for DLP implementation.

3. Get data classification in place; it provides a substantial idea of the critical data assets (sensitive data) that need to be protected.

4. Ensure that the incident monitoring and management process is in place.

5. Start small: probably start by monitoring two to three business units and get the incident management process and workflows in place. (It would be good if the OU structure in Active Directory is aligned with the business units.)

6. Grow carefully. Be sure you’re measuring not only what the DLP control wants you to measure, but also how effective the solution is overall for your organization. Are you catching tons of false positives and few true positives? Do you have ways of measuring false negatives?

7. Periodic reviews are very crucial to identify false positives/negatives and to trend the alerts being thrown by the tool.

-With Agnelo Dsouza,CISO,Kotak Mahindra Bank on '7 Tips to DLP Implementation'


Incident Response Policies and Procedures

If not all of them, we can point out the major policies that can help you kick off. For easy reading we've cut the details; here's the checklist:

  • AUP - Acceptable Use Policy or Fair Use Policy; defines the ways of using, and restrictions on, the organisation's IT resources
  • Privacy
  • Version control
  • Communications
  • Reporting
  • Backup

(Read more:  5 Best Practices to secure your Big Data Implementation)

Basic Contents of policy-

State the Management's commitments

Why is the policy made, what are the goals

Where does the policy apply and the exceptions

Probable security incidents

Glossary of the information security terms precisely defining the meaning

Clearly state the who, how and why of incident reporting, so that whenever a breach is detected, minimum time is wasted in communication

A chart or organized scheme to classify the sensitivity/severity of any such incident

Clear demarcation of roles and responsibilities along with ethical practices 

--------------

CSIRT Policies and Standards

Policies are documented principles adopted by the management team. The policies of an organization should be clearly understood by the entire workforce, and knowledge of the incident response policy will allow the CSIRT to act on its responsibilities.

i) Incident Response Policy

Building an incident response policy involves several objectives.

First, an incident response policy cannot be enforced unless it has management approval. Endorsement by management is critical. Without this approval the team will be destined to encounter business road blocks that will hinder a timely incident response. In some cases, it may not even be allowed.

Second, the policy must be clear. Any employee should be able to easily understand what the policy is about. If a non-technology-oriented employee is confused by the policy, then the policy should be rewritten.

Third, the policy must be to the point. A long-winded policy will either be a bad policy or one that includes sections that should be in a procedure document instead.

Fourth, the policy must be usable and implementable. Avoid statements that sound appropriate but will be open to interpretation. At the same time, the policy should not include objectives that the CSIRT will not be able to execute due to business processes or corporate culture.

Once the policy has been created, it is important to make regular checks of its effect on the workforce. When changes occur in the business direction or new technology systems are implemented, update the policy to match the new processes.

ii) Incident Response Standards and Procedures

(Read more:  7 Key Lessons from the LinkedIn Breach)

A successful CSIRT is a team that has documented standards and procedures. Standards should range from how the CSIRT will begin its investigations and report the findings, to how the CSIRT will be trained and what authority the members will be granted. A good standard will define when the CSIRT will contain and clean up incidents and when the team will watch and gather information for litigation.

Having good recovery procedures is essential. It is very rare to find a CSIRT member who has mastered every operating system and application in your environment. Having procedures to follow on how to correctly take down and restore a system can help prevent time-consuming efforts and alleviate some of the stress of the incident.

These written procedures will aid the CSIRT in formalizing how investigations are carried out, how evidence is handled, which organizations are notified at what times, how post-mortem reporting is conducted, how malicious software is to be eradicated and how to perform a recovery of an information system.

iii) Code of Conduct

The code of conduct policy for the CSIRT is a set of rules outlining how a team member will behave in a way that supports the goals of the incident response team and the mission statement of the company. The code of conduct will be used when no other policy or procedure applies. It should reflect the natural behavior of a professional incident handler. An example of a CSIRT code of conduct policy was written by the original manager of the CERT, Rich Pethia.

-----------

Policy reference:

http://www.comptechdoc.org/independent/security/policies/security-policies.html

Typical policies covered: password policy, remote access, internet connection, approved applications, BYOD policy.

Note:

Try to make a crisp, precise notebook/digital copy with images and videos for quick and fun interactive sessions. Try to remove all thick policy manuals that most people won't read. Our main aim is 

Reference:

http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf

Read more…


We heavily rely on references while taking a decision on adoption of a new technology or a product. However, there is no dedicated analysis of product leadership purely based on customer recommendation. From CISO Platform technology Analyst team, we are happy to announce the concept note for CISO Index which shall rate products purely based on CISO recommendation.

 

Why do we need a CISO/Customer recommendation based product/technology rating framework?

  1. CISOs or the users can provide the most meaningful verdict for a product
  2. With the whole world getting social, community recommendation should play a bigger role in decision making
  3. Currently there is no globally acknowledged framework solely based on CISO/Customer recommendation

To exercise your vote and provide your rating: Click here 

 

Proposed "CISO Platform Index"

The CISO Platform Index shall use a transparent methodology to compare the players in software, hardware, or services market so that the CISOs can make well-informed decisions. The CISO Platform Index offers two indices to compare:

  1. CISO Perception Index (CPI) - Index developed from the perception of CISOs about the vendor/product on different evaluation metrics, i.e. from CISOs who have not used the product but have studied it.
  2. CISO Recommendation Index (CRI) - Index developed from the recommendations of CISOs who have used the vendor's product, on different evaluation metrics.

  

CISO Platform shall map the participating vendors onto a chart with two axes, CPI and CRI. After such analysis, we shall publish the following for various technology verticals (e.g. Data Security, Application Security Testing etc.):

(Read more:  5 Best Practices to secure your Big Data Implementation)

Enterprise Segment

  1. CISO Platform Champions: High CRI and High CPI
  2. CISO Platform Challengers: One of the indices (CRI or CPI) is High and the other is moderate

SMB Segment

  1. CISO Platform Champions: High CRI and High CPI
  2. CISO Platform Challengers: One of the indices (CRI or CPI) is High and the other is moderate


CISO Platform Index Methodology

 

The following steps will be executed for evaluating the vendors-:

Step 1- Collection of CRI Data: The Customers/Users of a product shall be requested to rate each product on a scale of 1 to 7 for the following parameters.

  1. Overall Rating
  2. Features
  3. ROI/Price
  4. Ease of Implementation
  5. Support

 

Sample Likert Scale: (image omitted)

Step 2- Collection of CPI Data: The CISOs/Security Professionals shall be requested to rate a product on a scale of 1 to 7 on how they perceive the product (overall rating). We will not ask for granular information as in the CRI.

Step 3- Analysis of the Data:

  • CPI Calculation for each product: The mean Likert score for each vendor, collected from participants who haven't used the vendor's product but are aware of its pros and cons, will be known as the CPI (CISO Perception Index).
  • CRI Calculation for each product: The weighted mean Likert score for each vendor, collected from participants who have current/prior usage experience of the vendor's product, will be known as the CRI (CISO Recommendation Index). We shall use the following weightage: Features (30%), Price/ROI (30%), Ease of Implementation (20%) and Support (20%).

Vendors shall be encouraged to come up with more references of their customers as this will help in analyzing them with more confidence. Also, we will be providing additional confidence rating to the vendors based on the number of references they provide. Any product with less than the cut-off number (10 references) for recommendation shall be eliminated from the analysis.

(Read more:   How Should a CISO choose the right Anti-Malware Technology?)

Mathematical Analysis

  1. We will plot the graph for representing CRI vs. CPI.
  2. We have defined a cut-off score of 4 (Neither satisfied nor dissatisfied) out of 7 (Extremely Satisfied) on the Likert scale for CPI and CRI.
  3. The vendors which are scoring above the cut-off in CPI and CRI will be divided between the following two quadrants based on their CRI/CPI score-:
  • Champions ( Those lying in the top-rightmost quadrant in the CPI vs. CRI graph)
  • Challengers (Those lying in the bottom-rightmost quadrant in the CPI vs. CRI graph)

                             | High CPI (CPI > 6) | Moderate CPI (4 < CPI < 6) | Low CPI (CPI < 4)
High CRI (CRI > 6)           | Champions          | Challengers                | Not disclosed
Moderate CRI (4 < CRI < 6)   | Challengers        | Challengers                | Not disclosed
Low CRI (CRI < 4)            | Not disclosed      | Not disclosed              | Not disclosed
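The CRI/CPI computation and the classification matrix above, as an added Python example (not CISO Platform's own code): it follows the matrix, so a Moderate/Moderate product is a Challenger, the survey rows are constructed, and treating a score of exactly 6 as Moderate (High requires strictly more than 6) is an assumption.

```python
"""Added example, not CISO Platform's own code: computes a product's CRI
(weighted mean of the 1-7 Likert answers) and CPI (plain mean), applies the
10-reference cut-off, and places the product in the Champions / Challengers /
Not disclosed matrix from the text. All survey rows below are constructed."""
from statistics import mean

# Step 3 weights for the CRI weighted mean (Overall Rating is not weighted in).
CRI_WEIGHTS = {"features": 0.30, "roi_price": 0.30,
               "ease_of_implementation": 0.20, "support": 0.20}
MIN_REFERENCES = 10   # products with fewer user references are eliminated
CUTOFF, HIGH = 4, 6   # Likert cut-off (score must be > 4) and High band (> 6)


def weighted_likert(response):
    """CRI contribution of one user's response (dict of 1-7 Likert answers)."""
    return sum(response[key] * weight for key, weight in CRI_WEIGHTS.items())


def band(score):
    """High if > 6, Moderate if 4 < score < 6, else Low. Assumption: the text
    leaves exactly 6 undefined; because High requires a strict '> 6', exactly 6
    is Moderate here. Exactly 4 is Low: only scores above the cut-off count."""
    if score > HIGH:
        return "High"
    return "Moderate" if score > CUTOFF else "Low"


def classify(cri, cpi):
    """The 3x3 CRI vs. CPI matrix: any Low band means Not disclosed, High/High
    is Champions, and every other surviving combination (including
    Moderate/Moderate, as the matrix shows) is Challengers."""
    bands = {band(cri), band(cpi)}
    if "Low" in bands:
        return "Not disclosed"
    return "Champions" if bands == {"High"} else "Challengers"


def rate_product(user_responses, perception_scores):
    """Return (CRI, CPI, category), or None when the product lacks the minimum
    number of user references and is eliminated from the analysis."""
    if len(user_responses) < MIN_REFERENCES:
        return None
    cri = mean(weighted_likert(r) for r in user_responses)
    cpi = mean(perception_scores)   # CPI asks non-users only for an overall rating
    return round(cri, 2), round(cpi, 2), classify(cri, cpi)


# Constructed sample data: ten users of the product and ten non-user CISOs.
SAMPLE_USERS = [{"features": 7, "roi_price": 6,
                 "ease_of_implementation": 6, "support": 7}] * 10
SAMPLE_PERCEPTION = [7, 6, 7, 6, 7, 7, 6, 7, 7, 7]

if __name__ == "__main__":
    print(rate_product(SAMPLE_USERS, SAMPLE_PERCEPTION))   # (6.5, 6.7, 'Champions')
```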

 


Rakshit Dhamija, CISO iGATE, sent us the beautiful graphics with "CISO Opinion matters". We simply loved it and decided to share it below.

(image: "CISO Opinion matters" graphic, omitted)

 


Read more…

We heavily rely on references while taking a decision on adoption of a new technology or a product. However, there is no dedicated analysis of product leadership purely based on customer recommendation. From CISO Platform technology Analyst team, we are happy to announce the concept note for CISO Index which shall rate products purely based on CISO satisfaction.

 

Why do we need a CISO/User satisfaction based product/technology rating framework?

  1. CISOs or the users can provide the most meaningful verdict for a product
  2. With the whole world getting social, community recommendation should play a bigger role in decision making
  3. Currently there is no globally acknowledged framework solely based on CISO/User Satisfaction

To exercise your vote and provide your rating: Click here 

Proposed "CISO Platform Index"

The CISO Platform Index shall use a transparent methodology to compare the players in software, hardware, or services market so that the CISOs can make well-informed decisions.

  1. CISO Platform Index (CPI) - Index developed based on User Satisfaction Survey by CISOs who used the vendor product on different evaluation metrics.

CISO Platform Index Methodology

The following steps will be executed for evaluating the vendors :

Step 1- Collection of CPI Data: The Customers/Users of a product shall be requested to rate each product on a scale of 1 to 10 for the following parameters.

  1. Overall Rating
  2. Features
  3. ROI/Price
  4. Ease of Implementation
  5. Support

Step 2- Analysis of the Data:

  • CPI Calculation for each product: The Weighted Mean score for each vendor collected from participants who have a current/prior usage experience of the vendor product will be known as CPI (CISO Platform Index).

    We shall use the following weightage:
  1. Features (30%)
  2. Price/ROI (30%)
  3. Ease of Implementation (20%)
  4. Support (20%)

*Note: The mean shall be computed using statistical tools, e.g. clustering techniques, to rule out bad data.

Vendors shall be encouraged to come up with more references of their customers as this will help in analyzing them with more confidence. Also, we will be providing additional confidence rating to the vendors based on the number of references they provide. Any product with less than the cut-off number (10 references) for recommendation shall be eliminated from the analysis.

(Read more:   How Should a CISO choose the right Anti-Malware Technology?)

Mathematical Analysis

  1. We have defined a cut-off score of 7.5 mean on CISO Platform Index
  2. The vendors which are scoring above the cut-off in CPI will be featured in the CPI report

CPI band                        | Category    | Disclosure
High CPI (CPI >= 8.5)           | Champions   | Disclosed
Medium CPI (7.5 <= CPI < 8.5)   | Challengers | Disclosed
Low CPI (CPI < 7.5)             | Others      | Not disclosed

 

CPI Report

The first draft shall be presented at the CISO Platform Annual Summit, 2014. It will formally be published in January.


Read more…

Most Important Tools for Incident Response

Based on OS

Windows tools:

Specific Tools:

  1. Log Parser
  2. EnCase
  3. ILook (LEO only)
  4. Paraben
  5. ProDiscover
  6. TCPView
  7. AccessData
  8. COFEE (LEO only)
  9. WinHex
  10. X-Ways Forensics / WinHex Pro
  11. FileControl-DD etc.
  12. Wireshark (formerly Ethereal; packet sniffer)
  13. Dsniff (Dug Song)

(Read more:  Top 5 Big Data Vulnerability Classes)

Websites & Tools

  1. Sysinternals.com
  2. Foundstone.com

UNIX:

  1. Grep
  2. Nmap
  3. DEFT Linux distribution
  4. Can Opener (Abbott Systems)
  5. BlackLight (BlackBag)
  6. Expert Witness (ASR Data)
  7. The Coroner's Toolkit (pcat, ils, icat, file, unrm, lazarus)
  8. TCTUtils (bcat, blockcalc, fls, find_file, find_inode, istat, mac_merge)
  9. Autopsy Forensic Browser

Based on Functionality

Imaging tools:

  1. FTK Imager
  2. EnCase Professional
  3. Symantec Norton Ghost
  4. PowerQuest Drive Image / Drive Copy
  5. Freeware 'dd' utility
  6. FastBloc (EnCase)
  7. AVCDEF (Vogon)
  8. Caveat

Logs:

  1. Event logs (system, security, application, router)
  2. Specific application logs (IIS, SQL Server, ...)

Memory Collection

  1. Dumping event logs (dumpevt.exe, dumpevt.pl)
  2. DumpIt
  3. Volatility
  4. Mandiant Redline
  5. HBGary Responder CE

(Read more:  Cyber Safety in Cars and Medical Devices)

Strings:

  1. Strings.exe
  2. Finfo.pl

network tools:

  1. Wireshark (free tool)
  2. NetworkMiner
  3. NetWitness Investigator
  4. Network Appliance Forensic Toolkit (NAFT)

Carving:

  1. PhotoRec
  2. Scalpel
  3. ParseRS/RipRS

Image Mounting:

  1. OSFMount
  2. ImDisk
  3. FTK Imager
  4. vhdtool
  5. raw2vmdk
  6. LiveView
  7. VirtualBox

File system:

  1. analyzeMFT
  2. INDXParse
  3. PDF Tools from Didier Stevens 
  4. PDFStreamDumper
  5. SWF Mastah

Registry:

  1. RegRipper
  2. Shellbag Forensics

(Read more:  How to write a great article in less than 30 mins)

password recovery:

  1. Ntpwedit
  2. Ntpasswd
  3. pwdump7
  4. SAMInside
  5. OphCrack
  6. L0phtcrack

based:

Individual Tools

  1. Sysinternals Suite

Script Based Tools

  1. First Responder's Evidence Disk (FRED)
  2. Microsoft COFEE
  3. Windows Forensic Toolchest (WFT)
  4. RAPIER

Agent Based Tools

  1. GRR
  2. Mandiant First Response

Note: http://www.forensicswiki.org/wiki/Incident_Response

  • Keeping a comprehensive list of tools for the organizational infrastructure, and training your team on using them, can prove very helpful at the time of an incident.
  • It is also very important to validate that the list of tools is comprehensive and capable of covering the major security areas.
  • Maintaining the tools on read-only media (e.g. CD) is preferable, so they cannot be tampered with or infected in any form.

Others:

  • Evidence: dd, mount
  • Acquisition & reconnaissance: grave-robber, ils, ils2mac, fls -m
  • Analysis: timelining, AFB (Autopsy Forensic Browser), lazarus
  • Recovery: icat, unrm

References:

http://www.blackhat.com/presentations/bh-asia-02/bh-asia-02-khoo.pdf

http://oreilly.com/catalog/incidentres/chapter/ch07.html

http://windowsir.blogspot.in/p/foss-tools.html

http://www.forensicswiki.org/wiki/Incident_Response

Read more…