Below are Top 6 Reasons Why Data Loss Prevention/ Data Leakage Prvention (DLP) Fails:

• Lack of business/key-stakeholders involvement: Failure to include key stakeholders (Including Business and C-level executives) while defining requirements and formulating DLP policy make implementation harder. A clear 'Data Loss Prevention policy' from the management and Board clearly sets-up the expectations, allocate needful resources and comes up with a plan for its governance.

• Ineffective data classification methods: Failure to identify the right data to be protected. Undermining certain data can lead to the exposure of sensitive information while overwhelming amount of protected data can bring down the system and network performance. Conducting risk assessment on data, data-owners and data custodians is very crucial for the success of any DLP implementation.

• Improperly configured content scanning module: Failure in defining right use cases and processes related to sensitive information may lead to ineffective controls which can open doors for an attacker to get his hands on the sensitive information
  
  ( Read more: Bad USB Defense Strategies )

• Excessive False positives: Overly strict rule-set, policies can lead to an overwhelming amount of false positives and reporting. This can drastically bring down employee productivity and results in unnecessary workload for IT security team

• Loosely Integrated Data Loss Prevention modules: A complete DLP implementation will have network protection modules, Host protection modules and storage modules tightly integrated and centrally managed. Loosely Integrated DLP modules will create a lot of management overhead and may lead to ineffective monitoring.

• Failure in periodic monitoring of changes in organization IT Infrastructure, Business units and processes: This can render previous DLP controls ineffective. The changes must be taken into account to fine tune DLP modules from time to time in order for the DLP solution to deliver its value
  
  ( Read more:  Top IT Security Conferences In The World )

More:  Join the community of 3000+ Chief Information Security Officers.  Click here 

Cloud services, being cost effective, scalable and agile are growing at a slow but steady pace in India. For years enterprises and the security  community have debated over its maturity and the readiness for its adoption . Major concerns such as security and confidentiality of data have marred its large scale adoption for many decades. Surprisingly, the cloud delivery model is being used to deliver a growing number of security-critical tasks. Irrespective of all the concerns, Cloud Services is an inevitable choice in today's dynamic environment.

According to the Enterprise Cloud Adoption Survey by the Everest Group, over 56% enterprises consider cloud as a strategic differentiator and about 58% of enterprises spend upwards of 10% of their IT budget on cloud services.  The inherent ability to increase operational efficiency  is accelerating the demand for more such services.  Today Cloud Services are broadly offered in three medium popularly known as IAAS(Infrastructure as a Service) , PAAS ( Platform as a Service) & SAAS(Software as a Service ).

In India, According to "2015 Top markets report on Cloud computing" by international trade administration " over 250 million Indians today use web connected devices, which generally rely on cloud services for applications and other functionality. As Internet access, e-commerce, mobile device usage, and business adoption continue to expand, the growth in cloud-related spending in India should outpace that in the rest of the world" . Research firm Gartner believes that by 2018 public cloud spending in India will reach nearly $2 billion, from $638 million in 2014. Other estimates are similarly upbeat, IDC predicts $3.5 billion will be spent on cloud services in total in India by 2016 – growth of over 400 percent from the 2012 level. Finally, Forrester expects the software-as-a-service (SaaS) market in particular to roughly double in value between 2014 and 2020, when it will be worth $1.2 billion.

Despite optimistic predictions and overwhelming market potential, however, a variety of challenges have held India’s back in realizing its cloud potential even as adoption continues growing. Some of the  most critical and current problem is the country’s Internet infrastructure (i.e., bandwidth constraints and fiber optic weaknesses) and the inconsistency of its power supply in some areas. Other key concerns that are preventing organizations, especially public sectors  is regarding  security of their confidential data. IT regulations in India have been very strict and requires that the organization must store their data locally(In India), As many cloud providers have their data centers located outside India, the current scenario discourages firms to adopt for cloud services.

Fortunately, the government is aware of these challenges, and its ambitious Digital India program aims to address some of the infrastructural and policy weaknesses, though it remains to be seen if this will lead to significant improvements.

Do you need a DLP? Here's a small list to check if your organization actually needs a DLP Solution:

• If your organization wants to protect itself against negative exposures and fines associated with data breaches?
• If your organization wants to comply with the various regulatory requirements and data protection laws?
• If you want to protect your organisation sensitive data against insider attack?
• If you want to find out where your organisation sensitive data is being stored?
• If you want to find out who is accessing your organisation sensitive data?
• If you want to find out where your organisation sensitive data is being sent?
• If your company has subscribed to cloud services and you are uncertain about the level of protection for your company’s sensitive data?
• If your organisation is associated with third party service providers who manage appliactions, systems and network and you want to monitor them?
• If you want to centrally govern the entire lifecycle of sensitive data in your organisation?
• If you want to optimize the incident response process in case of any data breach?

Is Your Organization Thinking Of Adopting DLP? Here is a  small checklist you may like to check to tick off before you start the adoption:

• Your organization have developed appropriate policy to govern the use of DLP solution?
  
  To draw true value from any DLP deployment an organisation must first come up with a DLP specific policy to start with. The policy should clearly talk about the goals and objectives of DLP deployment, identify and allocate resources for it and talk about the roles and responsibilities of stakeholders for effective governance of the same
   

• You have defined the data to be protected?
  
  It is very important to know what is to be protected. You have to be very meticulous in defining what constitute sensitive data. You can look at the regulatory requirement that your organisation must comply with or/and refer to the various Industry standards to find out.
  
  

• You have done comprehensive risk assessment to identify the applications, people, processes, systems and protocols that deals with the sensitive data?
  
  Once you have defined what is to be protected, next step is to find out who to protect it from? And how to protect it? Risk assessment can help you answer these questions.  Identify all the key applications that processes that data, the system on which it resides, the network devices through it passes, the protocols that is uses, the people who uses it etc.
  
  

•  You have designed workflow to handle policy violations and data breaches?
  
  Incidence response workflow must be designed to tackle any data breaches. Flow-chart can be developed identifying steps to take to isolate the incident, people to notify immediately, and methods for the preservation of evidence for forensics. The entire process must be tested for its applicability
  
  

• Your organisation has clearly defined roles and responsibilities for each employee, including privileged users?
  
  Clearly define the roles and responsibility for each employee. Identifying who is the owner of data? Who is the custodian of data? Who is the user of data? The answer to these questions will help you in assigning privileges to users on data.

• Ability to discover sensitive data across all platforms:

A DLP solution should be able to discover sensitive data across applications, storage towers, systems and devices. It should have inbuilt rules to identify sensitive data as required by various regulatory requirements


• Ability to do deep content and context analysis for Encrypted/Password protected content:

Apart from applying content analysis techniques, such as database fingerprinting, partial document matching, regular expressions etc., on normal documents good DLP solution must also have access to centralized key/password management tool to scan the encrypted file types.


• Ability to identify sensitive information in graphical documents and image files:

This feature helps organizations to prevent data breaches via screen-shots, print screen functionality and other tools which convert document into graphic files. The solution must have optical character recognition feature to scan file for any sensitive content.


• Ability to scan for sensitive data in archival tools and documents embedded inside another document:

A DLP tool should be able to monitor data transfer in zipped format as well such as .zip/rar/.7z/.tar etc.


• Ability to identify sensitive content in all languages:

A malicious insider (esp. privileged users) can employ this technique to leak any sensitive data by simply translating the data into another language. A good DLP solution must be able to identify and prevent such actions


• Ability to protect data both on and off the corporate network:

After BYOD trend people are bringing various mobiles devices to workplace. Sensitive data on those mobile devices are frequently leaving the companies secure network. In this scenario a good DLP solution must have Mobile device management capabilities and must ensure that data is protected both on and off the network


• Ability to log the actions of privileged users:

Most of the data breaches today are happening due to the abuse of privileged accounts. A DLP solution must be able to audit the use of privileged accounts and logs all the actions in an encrypted and digitally signed file.


• Integration with Directory services, Mail servers, and other security tools:

Integration with Active Directory, SIEM tools, IAM, IPS, Databases, Mail servers and proxies are critical to enhance the effectiveness of any DLP solution


• Supports for MAC and Linux platforms:

Should provide support for MAC and Linux systems.

• Supports centralized deployment and incident response workflow:

A Centralized management will ensure effective monitoring of all the DLP components from a single user interface. It also supports centralized policy creation, generating reports and managing incident response in case of any breach.

Implementing DLP? Here's a quick overview of Top 5 Reasons for DLP Implementation Failures-

• Ineffective data classification methods:
  
  Failure to identify the right data to be protected. Undermining certain data can lead to the exposure of sensitive information while overwhelming amount of protected data can bring down the system and network performance.
  
  
• Improperly configured content scanning module:
  
  Failure in defining right use cases and processes related to sensitive information may lead to ineffective controls which can open doors for an attacker to get his hands on the sensitive information
  
  
• Excessive False positives:
  
  Overly strict rule-set, policies can lead to an overwhelming amount of false positives and reporting. This can drastically bring down employee productivity and results in unnecessary workload for IT security team
  
  
• Loosely Integrated DLP modules:
  
  A complete DLP implementation will have network protection modules, Host protection modules and storage modules tightly integrated and centrally managed. Loosely Integrated DLP modules will create a lot of management overhead and may lead to ineffective monitoring.
  
• Failure in periodic monitoring of changes in organization IT Infrastructure, Business units and processes:
  
  This can render previous DLP controls ineffective. The changes must be taken into account to fine tune DLP modules from time to time in order for the DLP solution to deliver its value

CISO Platform recognizes World's Top 100 IT Security Influencers who have/are impacting the information security industry's in various ways. This list includes top researchers, industry experts, leading entrepreneurs, a must follow for infosec industry. The list will be declared in 4 parts each with 25 Top Influencers, this is the first part.

Kevin Mitnick

@kevinmitnick

Kevin is often known as The World's Most Famous Hacker. He is the author of several books in the field of security and actively writes and tweets on security. He runs Mitnick Security Consulting, LLC that helps test a company's security strengths, weaknesses, and potential loopholes. He is active in various companies as board member as well as adviser. Kevin also helps consumers from students to retirees, learn how to protect their information.

Stefan Esser

@i0n1c

He is best known as the 'PHP Security Guy' in the security community. He was the first to boot Linux directly from the hard disk of an unmodified XBOX through a buffer overflow in the XBOX font loader. Following year he founded the project named 'Hardened-PHP' which aimed at developing a more secure version of PHP, known as Hardened-PHP, which evolved as the Suhosin PHP Security System.

Eugene Kaspersky

@e_kaspersky

Eugene Kaspersky is an IT Security expert, CEO and co-founder of Kaspersky Lab. He was voted the World’s Most Powerful Security Exec by SYS-CON Media in 2011, awarded an Honorary Doctorate of Science from Plymouth University in 2012, and named one of Foreign Policy Magazine’s 2012 Top Global Thinkers for his contribution to IT Security Awareness' as mentioned on the Kaspersky website.

Want To Share it with your Friends?

Click to share Facebook, Twitter, LinkedIn, Google+

Ramy Raoof

@RamyRaoof

Ramy Raoof is a technologist and digital security researcher who engages with human rights initiatives, NGOs, journalists, lawyers, youth groups, university students and CSOs on various topics. In the course of his work, he provided and developed digital security plans and strategies for NGOs and media personnel, urgent support and interventions in cases of confiscation and raiding offices, support on publishing sensitive materials, secure systems for managing information about sexual violence and torture survivors, and developed operational plans for human rights emergency response teams.

Brian Krebs

@briankrebs

Brian Krebs is a journalist & investigative reporter. Krebs is the author of KrebsOnSecurity.com, a daily blog on computer security and cybercrime. He is also known for interviewing hacker 0x80. On March 14, 2013, he became one of the first journalists to become a victim of Swatting.

( Read More: Incident Response: How To Respond To A Security Breach During First 24 Hours (Checklist) )

Mikko Hypponen

@mikko

Mikko Hypponen is the Chief Research Officer at F-Secure since 1991. He actively speaks at various security conferences including Black Hat,RSA etc. His TED Talk is one of the most viewed computer security talks in the world. He played significant role in research on virus and computer worms like Blaster & Sobig Computer. He actively writes and tweets on IT Security.

Bruce Schneier

@schneierblog

Bruce Schneier is an internationally renowned security technologist. He has been called "Security Guru" by The Economist. He is a fellow at the Berkman Center for Internet and Society at Harvard Law School, a board member of the Electronic Frontier Foundation(EFF) and the Chief Technology Officer at Resilient Systems. Bruce has authored several well known IT Security books and also made significant contribution in IT Security research.

Dr. Eric Cole

@drericcole

Dr. Eric Cole is an industry-recognized security expert with over 20 years of hands-on experience who has experience in information technology with a focus on perimeter defense, secure network design, vulnerability discovery, penetration testing, and intrusion detection systems. Dr. Cole has a master's degree in computer science from NYIT and a Doctorate from Pace University. He has authored several books like Hackers Beware, Hiding in Plain Site, Network Security Bible, Insider Threat. He is an inventor who has filed over 20 patent applications. He is also a member of the Commission on Cyber Security for the 44th President. Dr. Cole is founder of Secure Anchor Consulting in which he provides state of the art security services and expert witness work. He is a SANS faculty fellow and course author.

Want To Share it with your Friends?

Click to share Facebook, Twitter, LinkedIn, Google+

Charlie Miller

@0xcharlie

Charlie Miller is currently an engineer in Uber post his role in Twitter.Interestingly he was a computer hacker for National Security Agency for 5 years. He has a Phd in Mathematics from University of Notre Dame.He is a four time winner of the Pwn2Own competition. He has discovered plenty vulnerabilities with Apple products. He had found a hack for both the iphone and android when they were released first.

Christopher Soghoian

@csoghoian

Christopher is a privacy researcher and activist who currently serves as the principal technologist at American Civil Liberties Union. His research has revealed various surveillance techniques used by law enforcing authorities in the US. He has also co-created Do Not Track privacy anti-tracking mechanism which have been used by major browsers. Earlier he has worked for FTC's Division of Privacy and Identity Protection which included investigating Facebook, Twitter, MySpace, Netflix etc. He deals into the thin line between Digital Privacy Rights and Government Surveillance.

( Read More: 5 Tips To Evaluate Your Readiness Before Implementing Data Loss Prevention (DLP) Solution )

Dan Kaminsky

@dakami

Dan Kaminsky has been a noted security researcher for over a decade, and has spent his career advising Fortune 500 companies such as Cisco, Avaya, and Microsoft.Dan is best known for his work finding a critical flaw in the Internet's Domain Name System (DNS), and for leading what became the largest synchronized fix to the Internet's infrastructure of all time. Dan is presently developing systems to reduce the cost and complexity of securing critical infrastructure, as mentioned on Dan Kaminsky's Blog.

Graham Cluley

@gcluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been part of the information security industry since early 1990s. He is one of the world's leading experts in viruses and spam .He has also written regular columns on information security for IT Week, Computer Weekly, VNUNet etc. while he continues his super exciting blog grahamcluley.com .

Dave Kennedy

@HackingDave

David Kennedy is Founder of TrustedSec, LLC and Co-Founder and CTO of Binary Defense Systems (BDS). He was also one of the founding members of the “Penetration Testing Execution Standard (PTES)“. He is the creator of several widely popular open-source tools including “The Social-Engineer Toolkit” (SET) and more. He is also co-author of the "Metasploit: The penetration testers guide". Before he plunged into the private sector, he worked for the United States Marine Corps and deployed to Iraq twice for intelligence related missions.

Want To Share it with your Friends?

Click to share Facebook, Twitter, LinkedIn, Google+

Paul Asadoorian

@securityweekly

He is currently the product strategist at Tenable Network Security. Previously he was the founder & CEO at Security Weekly. He is the host of PaulDotCom Security Weekly (http://pauldotcom.com) which is a weekly podcast discussing all things IT security including interviews with some of the top security professionals. He is also the co-author of Ultimate WRT54G Hacking, a book dedicated to embedded device hacking and wireless technology as sourced from his RSA speaker profile.

Alan Woodward

@ProfWoodward

His specialities include Computer & Network Security, Cryptography & Steganography, Computer Forensics & Signal Processing. While he serves the security industry he keeps close connect with academia and research. He is the Professor in the Computer Science Department of Faculty of Engineering and Physical Sciences at the University of Surrey. His achievements have resulted in him being elected as a Fellow of various institutions including the British Computer Society, Institute of Physics and Royal Statistical Society.

( Read More: Comprehensive Salary Guide For Cyber Security Professionals: First Time Ever In India )

Matthew Green

@matthew_d_green

Matthew is a cryptographer & professor at Johns Hopkins University who has designed & analyzed various crytographic systems used in payment systems, wireless networks etc.Recently his work focuses on developing privacy-preserving cryptographic protocols for implementing anonymous electronic cash and identification. Additionally, he has been working on new automation techniques to assist in the design and deployment of advanced cryptographic protocols as sourced from the University Profile.

Timothy Brown 

Timothy is the Executive Director Security at Dell. Previously he was the CTO at CSID and much earlier CTO at Symantec. He has multiple patents on Dynamic Endpoint Compliance Policy, Data Leakage Prevention etc. His expertise includes identity management, GRC, Antivirus, intrusion detection, encryption, security event management, cloud security, forensics and managed security services.

Joshua Corman

@joshcorman

Joshua Corman is currently the CTO for Sonatype, the software company that enables developers to rapidly build secure software. He co-founded Rugged Software and IamTheCavalry, to promote new security approaches in response to the world’s increasing dependence on digital infrastructure. He is a well known security strategist in the information security industry. His unique approach to security, in the context of human factors, adversary motivations and social impact, has helped position him as one of the most trusted names in security.

Want To Share it with your Friends?

Click to share Facebook, Twitter, LinkedIn, Google+

Dave Lewis

@gattaca

Dave is currently the Global Security Advocate for Akamai Technologies. He is the founder of the security site Liquidmatrix Security Digest and co-host of the Liquidmatrix podcast. Dave also serves on the (ISC)2 Board of Directors. He has worked for a defense contractor as a security consultant to clients such as the FBI, US Navy, US Department of Defense & many others. He is a Forbes contributor and a CSO Online writer.

Katie Moussouris

@k8em0

Katie Moussouris is the Chief Policy Officer for HackerOne. She has earlier worked on initiatives such as Microsoft's bounty programs, BlueHat content chair, security researcher outreach, Vulnerability Disclosure Policies & Microsoft Vulnerability Research. She is also a subject matter expert for the US National Body of the International Standards Organization (ISO). She is an ex-hacker, ex-Linux developer. She has received the 2011 Executive Women's Forum Women of Influence Award in the category of One to Watch.

( Read more: Security Metrics and Dashboard for the CEO / Board )

Richard Bejtlich

@taosecurity

Richard Bejtlich is Chief Security Strategist at FireEye. Formerly, he was Mandiant's Chief Security Officer. Earlier he was Director of Incident Response for General Electric, where he built and led the 40-member GE Computer Incident Response Team (GE-CIRT). He is also an advisor to Threat Stack, Sqrrl, and Critical Stack who is pursuing a Doctor of Philosophy in War Studies at King's College London. Richard is a graduate from Harvard University & the United States Air Force Academy. His has authored several books and actively blogs as well as tweets.

Simon Crosby

@simoncrosby

Simon Crosby is Co–founder and CTO at Bromium. He was founder and CTO of XenSource, which was later acquired by Citrix. Following this he served as CTO of the Virtualization and Management Division at Citrix. Previously, Crosby was a Principal Engineer at Intel, where he led strategic research in distributed autonomic computing, platform security & trust. He was also the Founder of CPlane Inc., a network optimization software vendor. Prior to CPlane he was a tenured faculty member at the University of Cambridge, UK, where he led research on network performance & control & multimedia operating systems.

Runa A.Sandvik 

@runasand

Runa A. Sandvik is a privacy & security researcher who helps media organizations improve their security posture. She works at the intersection of technology, law and policy. She also teaches digital security to journalists & was a teacher at Folkeuniversitetet during 2008. Runa is also a technical advisor at the Freedom of the Press Foundation & a member of the review board for Black Hat Europe.

Want To Share it with your Friends?

Click to share Facebook, Twitter, LinkedIn, Google+

Andy Ellis

@CSOANDY

Andy Ellis is Akamai's Chief Security Officer (CSO). He is responsible for overseeing the security architecture and compliance of the company's massive, globally distributed network & is the patentholder of Akamai's SSL acceleration network, as well as many other critical technologies related to Akamai's Cloud Security Solutions. An MIT graduate, recipient of the CSO Magazine Compass Award & many more accolades.

Alex Stamos

@alexstamos

Alex Stamos is the CISO of Facebook currently, previously he was the CISO at Yahoo. He was the co-founder of iSEC Partners and founder of Artemis Internet. He is a noted expert in Internet infrastructure, cloud computing and mobile security. He is a frequent speaker at conferences such as Black Hat, DEF CON, Amazon ZonCon, Microsoft Blue Hat, FS-ISAC and Infragard. He holds a BSEE from the University of California, Berkeley. He is also a part of the reviewing board at Black Hat.He personally blogs at unhandled.com.

*Profile details have been sourced from various online resources such as LinkedIn,Twitter & others. In case of any queries you may address a mail to contact@cisoplatform.com to resolve it.

More:  Join the community of 3000+ Chief Information Security Officers.  Click here

Keynote Turbo Talks

Protecting SCADA environments

Daniel Lakier, CTO & President at SeeGee Technologies

This talk will take you through the fundamentals followed by the advanced levels of SCADA. What is SCADA, Why do we need to care, What are the Risks & Challenges,Operational Practical ( IT challenges), Why the traditional answer isn't enough. According to Daniel, The best answer today is Stealth Networking and next generation two factor authentication.

Network Machine Learning and the Security Industry: Past, Present, And Future

Bob (Robert H) Klein, Black Hat 2015 Speaker

Lessons learnt from recent Cyber-attacks on SAP systems

Alexander Polyakov 

This talk will take you through the past attacks on SAP systems in history and 10 lessons learnt from it. 

Since for a long time, almost no real attacks on SAP and Oracle ERP systems were known to the public, it gave CISOs a false sense of security. While the number of breaches in less critical applications was increasing rapidly, and so was the awareness, only a small group of professionals were aware of attacks on business applications. The most popular example of such fraud was to create a fake vendor and a payment order for this vendor and then to approve it. According to the Association of Certified Fraud Examiners, losses from internal fraud constitute 7% of profit on average. To prevent those types of attacks, the segregation of duties concept was created. ERP security isn’t limited to SoD. The issue of unauthorized access to system and user accounts via vulnerabilities now matters. Moreover, the increasing number of SAP vulnerabilities in ERP systems (from 100 in 2007 to 3500 in 2015 only in SAP) makes these issues more critical than ever. But what’s more important, in 2012 we saw a first sight of cyber-attack via SAP Vulnerabilities. Our predictions proved accurate and by now we have witnessed a number of examples from Anonymous attacks on Greek Ministry of Finance via SAP to the attest breach of US Investigation Services (a largest subcontractor of OPM) that led to company’s bankruptcy. In this talk, take a look at the history of ERP attacks and learn 10 lessons how to avoid them.

Building Immune Systems For Our Enterprises: Detecting Emerging Threats in real Time

Dave Palmer, Director of Technology, Darktrace

This talk will take you through a new perspective to realize how the math evolves to detect and emerge from the threats. Learn the algorithms behind, statistics, probability, the techniques, its evolution and how it can create the immune system for your organization.

United Nation's program to help developing nations in IT Security

Paul Raines - CISO, United Nations Development Programme

Cybersecurity assistance for developing nations. This talk will highlight a new initiative within the United Nations Development Programme (UNDP) to provide cybersecurity assistance to the governments of developing nations to help protect their critical national infrastructure and digital economies. UNDP uses its own experienced, award winning cybersecurity team instead of hiring expensive, outside consultants. Thus, UNDP can deliver services to its clients at less cost, less overhead and with the hands-on experience of a team of world recognised experts. The services to be provided include cybersecurity training, risk assessment, incident response training and exercises, training in business continuity/disaster recovery and preparation for ISO 27001 certification.

Sessions

Forensics & Incident Response Essentials 

Sachin 

This workshop session will help you to peek into the fundamentals of Incident Response,       Incident Response Stages: Preparation, Identification, Containment, Eradication, Recovery & Memory Forensics in Incident Response. This can be attended as hands on 2 day training. To know more Click here

Network Forensic Tools & Techniques 

Tamaghna Basu

This talk will explore an Introduction to network forensics, The Basic protocol analysis, Forensic analysis network/web/malware, Basic packet analysis challenges. This can be attended as hands on 2 day training. To know more Click here

Application Security Workshop - IAST, RASP, Real Time Polymorphism

Nilanjan De & Jitendra Chauhan

This talk will explore Understanding IAST/RASP,Realtime Polymorphism.

Some areas covered under IAST/RASP would be Web Security Evolution, Marketing view of RASP and IAST, Science Behind RASP and IAST, Way Forward.

Some areas covered under Realtime Polymorphism would be Polymorphism, Automated attacks, Threat model and attack vectors, Reference Polymorphism, Field Polymorphism., advantages, Limitations.

A brief demonstration and behavior of the  technologies will leave you awed, a much appreciated session in the past.

Threat Intelligence Workshop

Bikash Barai

This talk will explore the Key components i.e. (People, Process and Technology), Threat Intelligence Maturity model, Threat Collection & Analysis eg. OSINT, Integrating Actionable Intelligence,Technology and Vendor Landscape. Find frameworks and checklists to build on for your next threat intelligence project!

Legal Workshop

This talk will explore the legalities you need to know, the key priorities and things to keep in mind. Explore with some common mistakes and get info on the go to resources!

Cloud Access Security Brokers Workshop

Ravi Mishra

This talk will explore the Technology Taxonomy for Cloud Security, Key components of cloud security architecture, Blue print to build your cloud security program & Basics of Cloud Security Access Brokers. Find frameworks and checklists to build on for your next CASB implementation project!

Security Analytics and SOC up-gradation workshop

This talk will explore from fundamentals to advanced of Security Analytics from how to use it to its requirement in your organization. For a recent implementation, this can garner you some tips and also some good connect to useful resource.

DDOS Workshop

This talk will explore from fundamentals to advanced of DDOS from how to use it to its requirement in your organization. For a recent implementation, this can garner you some tips and also some good connect to useful resource.

Security Metrics and Dashboard Workshop

Bikash Barai

This talk will explore the Challenges & Gaps, Board Meeting Goals, Metrics-Measuring Security, Dashboard-Calculate & Show $ Lost,  Measures- What If Breached?,  Tools for Benchmarking your organization’s security,  How to Involve The Board & Educate Them. Access Basic Template Find frameworks and checklists to build on for your next threat intelligence project!

Identity & Access Management Workshop

Manjula Sridhar

This talk will explore the Challenges & Gaps, Fundamentals, PIM as an aspect of IAM, Tools and techniques, taxonomy and vendor mapping for IAM, Need assessment and evaluation checklists. Access Basic Template Find frameworks and checklists to build on for your next threat intelligence project!

IT GRC Workshop

Ravi Mishra

This talk will explore Key Components and Architecture for GRC,  How to Jumpstart your GRC program with freely available tools and content,Overview of Free Tools that you can use today,  Complete Vendor and Technology Taxonomy,  Customer Satisfaction based Rating of vendors along with Analysts opinion, Checklist to evaluate a GRC Vendor, CISOs who implemented GRC to share their real life experiences. Find frameworks and checklists to build on for your next CASB implementation project!

Security Architecture Workshop

Arnab Chakraborty & Bikash Barai

This talk will explore various challenges, techniques and fundamentals for implementing a secure architecture. Learn it from scratch and find some ready made, go to material. Find frameworks and checklists to build on for your next threat intelligence project!

WarGame Sessions

Successful Implementation of Incident Response Program

Building Security Dashboard and Metrics for Your Enterprise

Building Security Maturity Model for Banks

Successful Implementation of SIEM Program

Successful Implementation of IT GRC Program

Successful Implementation of IAM Program

Workshop Sessions

The changing world of SCADA and how to secure it

Daniel Lakier, CTO & President at SeeGee Technologies

This workshop session will take you through major questions like What is SCADA/PCD* and why is it so insecure ? Why should we care and what are the risks of not securing it ? What are the operational challenges and why is it so hard to secure ? What are some strategies to mitigate operations vs IT conflict? How to decide the best course of action( Logic its always the same ) i.e. if you have a proprietary 15 year old operating system (obviously you can't put Anti virus on it even if it would void the manufacturers guarantee/warranty.) ? The forgotten pieces and how best to manage associated risk ? Traditional PCD security and why the changing world has rendered most of the existing answers mute ? The next best thing to a solution ?

>> Register Now!

Defeating Machine Learning: Malware Detection Deep Dive

Bob (Robert H) Klein, Black Hat 2015 Speaker

Implementing SAP security in 5 steps case-study

Alexander Polyakov 

This workshop session will help you to learn: How to start SAP Security Project from scratch, Practical steps for securing SAP against top 9 EAS-SEC risks, Optimal approach to start SOD project with minimum costs, Main issues in ABAP code and first steps to analyze them  Practical steps for forensic investigation and log analysis of SAP Platform. 

>> Register Now!

Security Governance for the Cloud

Paul Raines - CISO, United Nations Development Programme

This talk will explore what types of due diligence governance actions an organisation should take when managing one or multiple cloud service providers. Topics to be covered include contractual provisions, security policies, audits, security service level agreements and security authentication/authorisation.

Key Learning on What standards should be used in evaluating cloud providers? What contractual clauses should you insist on with cloud providers? If your organisation uses several cloud providers, how do you ensure standard levels of service? Once the contract is signed, what due diligence should you undertake to ensure continued compliance?

Forensics & Incident Response Essentials

Sachin 

This workshop session will help you to peek into the fundamentals of Incident Response,       Incident Response Stages: Preparation, Identification, Containment, Eradication, Recovery & Memory Forensics in Incident Response. This can be attended as hands on 2 day training. To know more Click here

Network Forensic Tools & Techniques Workshop

Tamaghna Basu

This talk will explore an Introduction to network forensics, The Basic protocol analysis, Forensic analysis network/web/malware, Basic packet analysis challenges. This can be attended as hands on 2 day training. To know more Click here

>> Register Now!

Application Security Workshop - IAST, RASP, Real Time Polymorphism

Nilanjan De & Jitendra Chauhan

This talk will explore Understanding IAST/RASP,Realtime Polymorphism.

Some areas covered under IAST/RASP would be Web Security Evolution, Marketing view of RASP and IAST, Science Behind RASP and IAST, Way Forward.

Some areas covered under Realtime Polymorphism would be Polymorphism, Automated attacks, Threat model and attack vectors, Reference Polymorphism, Field Polymorphism., advantages, Limitations.

A brief demonstration and behavior of the  technologies will leave you awed, a much appreciated session in the past.

Threat Intelligence Workshop

Bikash Barai

This talk will explore the Key components i.e. (People, Process and Technology), Threat Intelligence Maturity model, Threat Collection & Analysis eg. OSINT, Integrating Actionable Intelligence,Technology and Vendor Landscape. Find frameworks and checklists to build on for your next threat intelligence project!

>> Register Now!

Cloud Access Security Broker Workshop

Ravi Mishra

This talk will explore the Technology Taxonomy for Cloud Security, Key components of cloud security architecture, Blue print to build your cloud security program & Basics of Cloud Security Access Brokers. Find frameworks and checklists to build on for your next CASB implementation project!

Security Analytics Workshop

Bikash Barai

This talk will explore the various aspects of Security Analytics with respect to business requirements and implementation.

Keynote Turbo Talks

Protecting SCADA environments

Daniel Lakier, CTO & President at SeeGee Technologies

This talk will take you through the fundamentals followed by the advanced levels of SCADA. What is SCADA, Why do we need to care, What are the Risks & Challenges,Operational Practical ( IT challenges), Why the traditional answer isn't enough. According to Daniel, The best answer today is Stealth Networking and next generation two factor authentication.

>> Register Now!

Network Machine Learning and the Security Industry: Past, Present, And Future

Bob (Robert H) Klein, Black Hat 2015 Speaker

Lessons learnt from recent Cyber-attacks on SAP systems

Alexander Polyakov 

This talk will take you through the past attacks on SAP systems in history and 10 lessons learnt from it. 

Since for a long time, almost no real attacks on SAP and Oracle ERP systems were known to the public, it gave CISOs a false sense of security. While the number of breaches in less critical applications was increasing rapidly, and so was the awareness, only a small group of professionals were aware of attacks on business applications. The most popular example of such fraud was to create a fake vendor and a payment order for this vendor and then to approve it. According to the Association of Certified Fraud Examiners, losses from internal fraud constitute 7% of profit on average. To prevent those types of attacks, the segregation of duties concept was created. ERP security isn’t limited to SoD. The issue of unauthorized access to system and user accounts via vulnerabilities now matters. Moreover, the increasing number of SAP vulnerabilities in ERP systems (from 100 in 2007 to 3500 in 2015 only in SAP) makes these issues more critical than ever. But what’s more important, in 2012 we saw a first sight of cyber-attack via SAP Vulnerabilities. Our predictions proved accurate and by now we have witnessed a number of examples from Anonymous attacks on Greek Ministry of Finance via SAP to the attest breach of US Investigation Services (a largest subcontractor of OPM) that led to company’s bankruptcy. In this talk, take a look at the history of ERP attacks and learn 10 lessons how to avoid them.

>> Register Now!

Building Immune Systems For Our Enterprises: Detecting Emerging Threats in real Time

Dave Palmer, Director of Technology, Darktrace

This talk will take you through a new perspective to realize how the math evolves to detect and emerge from the threats. Learn the algorithms behind, statistics, probability, the techniques, its evolution and how it can create the immune system for your organization.

United Nation's program to help developing nations in IT Security

Paul Raines - CISO, United Nations Development Programme

Cybersecurity assistance for developing nations. This talk will highlight a new initiative within the United Nations Development Programme (UNDP) to provide cybersecurity assistance to the governments of developing nations to help protect their critical national infrastructure and digital economies. UNDP uses its own experienced, award winning cybersecurity team instead of hiring expensive, outside consultants. Thus, UNDP can deliver services to its clients at less cost, less overhead and with the hands-on experience of a team of world recognised experts. The services to be provided include cybersecurity training, risk assessment, incident response training and exercises, training in business continuity/disaster recovery and preparation for ISO 27001 certification.

>> Register Now!

With overwhelming response for Defcon 22 Top Talks, we decided to present Defcon 23 again. Let us know which were your favorite talks?

Important Note:

All presentations are courtesy Defcon and is presented as-is without any modification
Some of the descriptions below are taken from Defcon website (www.defcon.org)
You need to Sign in/Sign up to view the presentations. (It's free)

With overwhelming response for Defcon 22 Top Talks, we decided to present Defcon 23 again. Let us know which were your favorite talks?

Important Note:

All presentations are courtesy Defcon and is presented as-is without any modification
Some of the descriptions below are taken from Defcon website (www.defcon.org)
You need to Sign in/Sign up to view the presentations. (It's free)

Bruce-Potter-Hackers-Guide-to-Risk

Measuring risk in two words, assessing, managing and measuring risk. This can be a guide for security researchers to measure risk in day to day life.

Colin-O'Flynn-Dont-Whisper-My-Chips

The nature of this talk was hands-on. It presents to you how weak security in embedded hardware systems are. More surprising all of the hacks could be done with open source tools.

Craig-Young-How-To-Train-Your-RFID-Hacking-Tools

Learn how to use the tools, how to develop new firmware etc. with examples. It includes architecture of Proxmark3.

Damon-Small-Beyond-the-Scan

Getting into the depths of Vulnerability Assessment, this presentation will highlight the importance of VA for security in an organization.

Daniel-Crowley-Damon-Smith-Bugged-Files

Files communicate to Endpoints when opened eg. microsoft word, PDF. This ability can have an interesting perspective in terms of security concerns. It delves into possible scenarios of exploit.

Dennis-Maldonado-Are-we-really-safe-bypassing-access-control-systems

Maybe your access control systems are accessed by some one else. That being said, here's the talk that demonstrated the walk through access control systems like a breeze. Maybe our dependence on them needs a thought.

Eric-Van-Albert-Zack-Banks-Looping-Surveillance-Cameras Through Live Editing Of Network Streams

Remember the CCTV in the movies looping the same incidents again and again. That's exactly what happens here and best we learnt how it happens. Better still, it is possible to modify this to level of high sophistication.

Etienne-Martineau-Inter-VM-Data-Exfiltration

It states multi-core covert channel between co-located VMs are real. From fundamentals of cache line encoding to techniques & challenges-know it all.

Gerard-Laygui-Forensic-Artifacts-Pass-The-Hash-Attack

A useful guide for system admins to help understand the extent of devastation of the attack and some fundamentals to help if the forensic expert isn't around.

Grant-Bugher-Obtaining-and-Detecting-Domain-Persistence

If a windows domain is hacked into with domain administrator privileges, this talk explains how to detect this incident and rule it out.

Ian-Latter-Remote-Access-the-APT

This focuses on new TGXf technique, which can allow data transfer by by-passing present security measures like Perimeter or End Point Security.

Joshua-Drake-Stagefright-Scary-Code-in-the-Heart-of-Android

Android vulnerabilities- speaker explains reaching Stagefright Multimedia Framework and various other vulnerabilities.

Joshua-Smith-High-Def-Fuzzing-Exploitation-Over-HDMI-CEC

Justin-Engler-Secure-Messaging-For-Normal-People-W

Ken-Westin-Confessions-of-a-Cyberstalker

Lance-Buttars-Nemus-Hacking-SQL-Injection-for-Remote-Code-Execution-on-a-LAMP-UPDATED

Lin-Huang-Qing-Yang-GPS-Spoofing

Marte-L0ge-I-will-Tell-you-your-Lock-Pattern-UPDATED

Michael-Robinson-Knocking-My-Neighbors-Kids-Drone-Offline-UPDATED

The CISO(Chief Information Security Officer) is a C-Level position, responsible to align security to business goals and to secure information assets of the company. The C-Level position has changed and evolved so much, we see the ‘CISO’ as a union of CRO,CIO etc.  and the sole person responsible for the company’s security.

We have identified 5 major segments of a CISO's Role, namely Understanding the Organization's Business Strategy, Understanding the IT Infrastructure & Building a Security Architecture Optimized for it, Creating Optimal Risk Management & Disaster Recovery Plan, Managing the Insider Threats & Training Programmes and Maintaining all systems with respect to Compliance and Regulations. Each of the CISO Role Segments have been described briefly below along with the major pointers under them.

CISO Role Segments-

1. Organization’s Business Strategy
2. IT Infrastructure, Security Architecture & Assets
3. Optimal Risk management & Disaster Recovery Plan
4. Managing Inside Threats (training & awareness)
5. Compliance & regulations

( Read More: How To Respond To A Breach During First 24 Hours )

Role1: Organization’s Business Strategy

Understanding the Business Plan & Strategy is key to align security to it. Security should not become a hindrance, if it is necessary it should be discussed to optimize the strategy and find a solution. A CISO should participate in discussions to take the Business point into consideration.

• Partnerships & Acquisitions to enhance the company’s security standing
• Cloud platform Adoption for Productivity Benefit Vs Low Cost
  
  
  • Integration & Strategy
  • Compliance Requirements
  • Architecture
  • CASB partners & strategy
  • SLA
  • Policy
  • Vendor Risk
  • Security Monitoring modes eg. Testing
• BYOD Platform to create a employee friendly environment and minimizing the risks
  
  
  • Access Controls
  • Secure VPNs
  • Policies & Guidelines
  • Monitoring lost devices & Remote swipe
  • Vendor Risk
• ROSI for security strategy to create optimal plan with available budget
  
  
  • Security Budget
  • Highest ROSI
  • Security Standing of company
• Vendor Risk Management
  
  
  • Third Party Apps
  • Service Providers
  • Public/Private/hybrid Cloud

Role2:  IT Infrastructure, Security Architecture & Assets

Understanding the present IT Infrastructure and the greatest assets should enable a CISO to create an optimal security strategy, a chief component of a CISO's role.  A well-planned security architecture implementation addresses issues at the root level and can go a long way.

• Application Security eg. WAF, Secure coding etc.
• Encryption Technology Adoption
• Vulnerability management
• Network Security eg. monitoring, packet filtering, segmentation, firewall , IPS & IDS etc.
• Identity & Access Control eg. SSO, 2FA, Role based access etc.
• Cloud Integration
• Disaster recovery
• Compliance & Regulations
• Threat Prevention
• Data Loss Prevention
• Incident Management & Forensics eg. IR plan, Response time, First 24 hours etc.
• Sensitive Data Storage eg. Data discovery, Data classification, policies etc.
• Monitoring eg. Detailed logs, log management etc.

Role3: Optimal Risk management & Disaster Recovery Plan

This segment finds overlap with security architecture, however due to its importance we have mentioned it separately. A CISO's role is often to build and oversee the security architecture from the scratch, post which Risk Management and Disaster Recovery are the major components.

• Risk Management Strategy
• Architecture implementations
• Points of anomaly capture
• Infrastructure support for disaster
• Contact personals- Legal, Audit Advisors etc.
• IR Plan
• Asset priority
• Prevention plans
• Forensic support

Role4: Managing Inside Threats (Training & Awareness)

Controlling the access, data leak and preventing accidental organization risk comes under this category. Raising awareness in all employees & customers handling any sensitive data or using any organization asset is a primary part of it. Training and awareness indirectly helps a CISO carry out his role and responsibility.

• Training & Awareness programs
• Measuring progress in employees & customers
• Test attacks
• Monitoring Policy Violations Or Access Escalations
• Security courses & certifications
• Policy violation penalty

Role5: Compliance & regulations

This is relatively complex but mandatory control in the organization with plenty of regulations and updates making it difficult to keep track. Frameworks to maintain and regulate compliance have been made and make life easier. A CISO's role in the field of compliance can be overwhelming due to new regulations & updates from time to time.

Popular Compliance list-

• PCI DSS
• HIPAA & HITECH
• Sarbanes-Oxley
• FISMA

( Read More: Free Resources For Kickstarting Your IT GRC Program )

References-

https://www.rsaconference.com/writable/presentations/file_upload/cxo-w04-don_t-get-left-in-the-dust-how-to-evolve-from-ciso-to-ciro.pdf

http://rafeeqrehman.com/?attachment_id=576

What Is Bad USB?

The phenomenon of using the USB for malicious intent can be termed as Bad USB. USB Thumb Drives are the last considerations of malicious intent. However, if manipulated, they can takeover almost everything.

Some interesting demonstrations have been done at Black Hat conference by 2 highly regarded security researchers.

( Listen To Karsten's Talk: Bad USB On Accessories That Turn Evil )

Possible Ways To Mitigate Bad USB Threats

• Whitelisting USB devices
• Block Critical Device Classes, Block USB Completely
• Scan Peripheral Firmware For Malware
• Use Code Signing For Firmware Updates
• Disable Firmware Updates In Hardware

Limitations In Bad USB Mitigation Strategies

• Whitelisting USB devices
  • Unique Serial No. may not be available in some USBs
  • Operating Systems don't support any USB Whitelisting
• Block Critical Device Classes, Block USB Completely
  • Ease Of Use will override
  • USB usability is highly reduced if basic classes are blocked
    (Basic classes can be used for compromise)
• Scan Peripheral Firmware For Malware
  • Very challenging, Malicious firmwares can spoof a legitimate one
• Use Code Signing For Firmware Updates
  • Unauthorized updates still have a high chance eg. implementation error
  • Challenges in implementing secure cryptography on microcontrollers
  • Challenges in implementing for all devices
• Disable Firmware Updates In Hardware
  • Most effective, however this may be available only for new devices

Threat

• Present Security Solutions cannot detect malicious intent of USB
• It can be used for spying,data theft,data tampering,almost anything-it can take control etc.
• Security has to be built in before commercializing the product-no response yet on that!
• Post Derbycon Hacker Conference 2 researchers have made some attack codes public-this puts millions of us at risk

( Read More: Top IT Security Conferences In The World )

References

1. Extracts have been taken from 'Bad USB On Accessories That Turn Evil' Talk by Karsten Nohl during Annual Summit, 2014. Click Here For Full Talk

2.http://securityaffairs.co/wordpress/27211/hacking/hackers-can-exploit-usb-devices-trigger-undetectable-attacks.html

3.http://www.wired.com/2014/10/code-published-for-unfixable-usb-attack/

4.http://www.zdnet.com/article/badusb-big-bad-usb-security-problems-ahead/

The intent of using IT Governance Risk Compliance (IT GRC) tools and capabilities is to report and manage IT Risks. We will study the critical platform capabilities for IT GRC Tools.

Critical Platform Capabilities In IT GRC Solution

• IT Risk Management
• IT Asset Management
• Policy Management
• Social Media Risk Management
• IT Vendor Risk Management
• 3rd party Vendor Integrations
• Incident tracking & management
• Customizable Reports and Dashboards
• Customizable Workflows
• Security Monitoring & Overview
• Disaster Recovery & Business continuity management
• IT GRC Elements Mapping / Cross Mapping and Interlinks between modules
• Integration with Enterprise IT – SSO (with RBAC), DBMS, HRMS etc.
• Survey creation & distribution (with or without access to GRC platform)
• Pre-packaged content (Policies, Controls, Procedures, Risk Register, Metrics (KRIs, Security etc.) Assessment Questionnaire etc.)
• Integration with Cloud and BYOD

The major areas under consideration should be the IT Risk Mapping, Ability To Track Risk and Estimate it, Presenting of the data in Dashboard/Reports.

( Read More: Free Resources For Kickstarting Your IT-GRC Program )

Few Questions to assess an IT GRC Vendor

• Do they have Proof Of Concept support? Timeline?
• What are the added costs?
• Scope of expansion of IT GRC Product? Can the vendor support expand into Enterprise and Legal GRC?
• What is the feedback of real users? Ask your colleagues
• What are the supported OS,Cloud and Mobile?
• What are the liabilities they entail? Have the contract well checked for adverse situations. 

( Read More: Incident Response: How To Respond To A Security Breach During First 24 Hours (Checklist) )

Reference

1. Extracts have been taken from IT GRC Workshop, Decision Summit, Delhi 2015 by Ravi Mishra

Governance, Risk and Compliance is sometimes a managerial step or a mandatory step to adhere with regulations & maintain compliant systems. It widely helps in Risk Management.

Some of the major components of IT GRC are:

1. IT Policy Management
2. IT Risk Management
3. Compliance Management
4. Threat & Vulnerability Management
5. Vendor Risk Management
6. Incident Management

1. IT Policy Management

An administrative method to simplify management by defining and enabling rules(policies) for various apprehensive situations. This is done keeping in mind the organization's goals & belief

• Policy Life Cycle Management
• Policy Creation
• Establish Linkages
• Alerts & Notification
• Manage Exceptions
• Metrics & Dashboard Reporting

2. IT Risk Management

This includes all risk associated with owning IT assets. In larger scales, for an organization, all the data stored is part of this.

• Risk Identification
• Risk Assessment Scheduling
• Aggregate Data
• Risk Assessment & Evaluation
• Issue / Action Tracking
• Metrics & Dashboard Reporting

( Read More: Checklist: Skillset required for an Incident Management Person )

3. IT Compliance Management

A proper framework in place can save money, time and energy. The framework should be set up once and your organization should be compliant while it should be able to notify on the new compliance requirements and licenses

• Regulatory Alerts, Rule Mapping
• Federation
• Surveys, Assessment
• Testing
• Certification & Filing
• Issue / Action Tracking
• Metrics & Dashboard Reporting

4. Threat & Vulnerability Management

This is a continuous process to manage all the assets owned by the organization. Prioritization is key as it directly estimates loss.

• Create Asset Repository
• Prioritize Assets
• Threat & Vulnerability Assessment
• Analysis & Prioritization
• Closed Loop Issue Management
• Metrics & Dashboard Reporting

5. Vendor Risk Management

This refers to all third party vendor risk. Vendor selection should be preceded by checking their risk scenario.

• Vendor Information Management
• Vendor Risk Assessment
• Vendor Compliance Management
• Closed Loop Remediation
• Metrics & Dashboard Reporting

6. Incident Management

This is constant monitoring, tracking analysis and reporting to make sure incidents are at bay. In case there is a breach, policies should be in place to tackle them.

• Aggregate & Track Incidents
• Incident & Issue Analysis
• Integrate with 3rd Party Solutions
• Resource Management & Collaboration
• Closed Loop Monitoring
• Metrics & Dashboard Reporting

( Read More: Critical Platform Capabilities For IT GRC Solution )

Reference-

1.Extracts have been taken from IT GRC Workshop, Decision Summit, Delhi 2015 by Ravi Mishra

2.http://whatis.techtarget.com/definition/policy-based-management

3.http://www.techopedia.com/definition/25836/it-risk-management

Free/Opensource Tools -

• IT GRC Asset Management
  Some functions can be used for technical controls to policy enforcement
  OTRS http://www.otrs.com/en/
  Redmine http://www.redmine.org/
  Mantis http://www.mantisbt.org/
• IT GRC Risk Management-
  GLPI http://www.glpi-project.org/spip.php
• IT GRC integration with cloud
  GRC Stack from Cloud Security Alliance https://cloudsecurityalliance.org/research/grc-stack/
• IT GRC Process Management
  Pack from Microsoft - http://www.microsoft.com/en-in/download/details.aspx

( Read More: Checklist To Evaluate SIEM Vendors )

More Free Tools:

• The Open Risk & Compliance Framework and Tool - http://www.somap.org/orico/default.html
• OpenFISMA - http://openfisma.org/ (FISMA, NIST RMF)
• Binary Risk Analysis - http://binary.protect.io/app/index.html
• PTA Professional Edition Risk Assessment tool (partially free) - http://www.ptatechnologies.com/

Content Resources

• Common Controls Hub (UCF) - https://commoncontrolshub.com/ (Limited Free, Paid Content)
• Cloud Security Alliance –Consensus Assessments Initiative Questionnaire (CAIQ) https://downloads.cloudsecurityalliance.org/initiatives/cai/caiq-v3.0.1.zip
• Center for Internet Security (CIS) - https://benchmarks.cisecurity.org/
• CIS Security Metrics - https://benchmarks.cisecurity.org/downloads/browse/?category=metrics
• Policy Templates from SANS - https://www.sans.org/security-resources/policies/
• Unified Compliance Framework – http://unifiedcompliance.com/- Through GRC vendors
• Shared Assessments – SIG Questionnaire - https://sharedassessments.org/
• HITRUST CSF (Healthcare) - https://hitrustalliance.net/
• Information Shield (Security Policies) - http://www.informationshield.com

( Read More: Bad USB Defense Strategies )

Reference-

1.Extracts have been taken from IT GRC Workshop, Decision Summit, Delhi 2015 by Ravi Mishra

2.http://searchcompliance.techtarget.com/tip/The-free-GRC-tools-every-compliance-professional-should-know-about

To select the best IT GRC tools/solution for you, you need a checklist of all Use Cases for your organization. Prioritization of that followed by weighing the implementation ease can help you choose the best IT GRC solution. Here are few Use Cases to help.

Some IT GRC Use Cases:

Information Security

• Threat & Vulnerability mgm
• Establishing ISMS
• Configuration of Compliance to Security Baseline
• Security Intelligence
• Integration: CMDB,VA,SIEM,DLP etc.
• Content: MITRE,NIST,CIS etc.

Risk

• Implementing Risk Frameworks- ISO,NIST,COBIT,FAIR
• Integrated Risk mgm-Security, IT Operation, BCM
• Standardizing Risk Calculations & Analysis
• Vendor/3rd Party Risk Assessments
• Risk Analytics
• Content-SIG,CAIQ

Compliance

• Policy mgm-Defining,Acceptance,Training etc.
• Regulations-PCI,FDIC,NERC,HIPAA
• Linking Policies to Control Objectives
• Harmonized Controls
• Control Monitoring & Testing
• IT Audits
• Content-UCF

Incident Handling

• Issue mgm & remediation
• Incident mgm
• Remediation Workflow
• Notifications & Escalations
• Integration with Security Incidents & Help Desk

Reference-

1. Extracts have been taken from IT GRC Session Decision Summit, 2015 by Ravi Mishra

Reference

1.Incident Response by Leighton R. Johnson

General

When did we do our last data inventory check?

Secure Development 

Do we follow secure SDLC? Is security looked into from the scratch?

What is the cycle of application testing?

What are the most major security vulnerabilities/flaws existing and what how can we implement them?

Where does our organization's security stand compared to our competitors? Benchmarking!

Security Program-How to Measure, Monitor? What is Response Time, Response Plan, Disaster Recovery Plan?

What are the Training programs and plans? How can we measure its effectiveness?

Cloud Security-

What kind of data can be accessed over our clouds and how are they segregated in terms of access?

How do we monitor and detect malicious/unauthorized activities over our cloud platforms?

How are the cloud data accesses managed?

How are the vendor risks associated with cloud handled?

Network Security-

How secure are our networks? What is protected and unprotected over it?

Can we track any unusual activity, if not which are the ones? How sensitive are the remaining?

Can it prevent data leaks, document loss and detect the exact activity and user of the activity?

Do we have security policies in place for incidents and how aware are the employees of the policies?

*check for some network threat reports

3) How Does Our Cybersecurity Program Apply Industry Standards and Best Practices?

4) How Many and What Types of Cyber Incidents Do We Detect In a Normal Week? What is the Threshold for Notifying Our Executive Leadership?

https://www.trustwave.com/Resources/Trustwave-Blog/10-Questions-for-Your-CISO/

http://www.cioupdate.com/research/article.php/3923086/The-Top-10-Security-Questions-Your-CEO-Should-Ask.htm

https://www.skyhighnetworks.com/cloud-security-blog/dont-get-snowdened-5-questions-every-ceo-should-ask-their-cio-ciso/

http://www.cso.com.au/article/571432/ten-things-every-ceo-should-ask-about-security-their-organisation/

https://www.us-cert.gov/sites/default/files/publications/DHS-Cybersecurity-Questions-for-CEOs.pdf

---------------------------------------------------------------------------------------

1. Do you understand our wider business strategy?
2. Have you aligned our cyber security approach to our organizational strategy?
3. What are the gaps?
4. How are you evolving our cyber security approach to match the changing risk landscape?

http://www.ey.com/GL/en/Services/Advisory/Cyber-security---Steps-you-should-take-now

---------------------------------------------------

1. Are you documenting your relationships with third-party vendors and are third party vendors being required to incorporate security controls?

2. Do we have an in-depth, comprehensive and relevant policies and procedures documentation to encourage company-wide buy in, support and increased awareness?

3. Should a security incident occur, do we have a team in place to assist at all levels?

4. What security training is or should be offered for all employees?

5. How are you protecting our organization from threats to our systems and facilities?

6. Is there a risk management group that gathers regularly to discuss physical and local security issues?

7. Is there an inventory of all IT assets? Is there a schedule for the decommissioning of old systems?

8. Is security built into our IT and application development lifecycles?

9. How is our wireless network structured?

10. What security investments should we consider? Are we an early adopter or is this a widespread practice?

https://www.trustwave.com/Resources/Trustwave-Blog/10-Questions-for-Your-CISO/

------------------------------------------------------

1. Who is accountable for protecting our critical information? 

2. How do we define our key security objectives to ensure they remain relevant?

3. How do we evaluate the effectiveness of our security program?

4. How do we monitor our systems and prevent breaches?

5. What is our plan for responding to a security breach?

6. How do we train employees to view security as their responsibility?

7. How do we take advantage of cloud computing and still protect our information assets?

8. Are we spending our money on the right things?

9. How can we ensure that we comply with regulatory requirements and industry standards in the most cost-effective, efficient manner?

10. How do we meet expectations regarding data privacy?

http://www.cioupdate.com/research/article.php/3923086/The-Top-10-Security-Questions-Your-CEO-Should-Ask.htm

----------------------------------------------------------

1. Can we identify unusual user or network activity to cloud services

2. Can we track who accesses what cloud-hosted data and when?

3. How are we protecting against insider attacks at the cloud service providers?

4. How do we know unprotected sensitive data is not leaving the corporate network?

5. Can we reduce surface area of attack by limiting access based on device and geography?

https://www.skyhighnetworks.com/cloud-security-blog/dont-get-snowdened-5-questions-every-ceo-should-ask-their-cio-ciso/

-------------------------------------------------

1. When did we last do a data inventory?

2. Can you give me the what, where, who, and why for all our data assets?

3. How are we protecting the systems that store our sensitive data?

4. How is the efficacy of our security systems being measured?

5. Can you show me your risk assessment for our various data assets?

6. Can you show me any security or network reports?

7. Do we have an incident response and disaster recovery plan?

8. Have all our employees received security awareness training?

9. Do we have a software and hardware asset lifecycle?

10. Who’s ultimately accountable for your organisation’s information security?

http://www.cso.com.au/article/571432/ten-things-every-ceo-should-ask-about-security-their-organisation/

--------------------------------------

1) How Is Our Executive Leadership Informed About the Current Level and Business Impact of Cyber Risks to Our Company?

2) What Is the Current Level and Business Impact of Cyber Risks to Our Company? What Is Our Plan to Address Identified Risks?

3) How Does Our Cybersecurity Program Apply Industry Standards and Best Practices?

4) How Many and What Types of Cyber Incidents Do We Detect In a Normal Week? What is the Threshold for Notifying Our Executive Leadership?

5) How Comprehensive Is Our Cyber Incident Response Plan? How Often Is It Tested?

https://www.us-cert.gov/sites/default/files/publications/DHS-Cybersecurity-Questions-for-CEOs.pdf

Incident Response is pretty much the same, however the first few hours can be vital and only high priority actions can save the situation. Since this is a Security Breach, it is of highest priority and must be treated at highest escalation level.

Checklist To Respond To A Security Breach (first 24 hours)

1. Contain/Isolate Data Loss

Containment is a fundamental step to Incident Response to limit the loss to a minimum by barring the Attacks. Do whatever it takes like isolate the system, bring it down (if necessary), check the status of other critical systems. Isolate the affected assets and try to resume operations asap.

2. Quickly assess the business impact

Assess the impact immediately. This is critical while reporting to the stake holder as well as create an appropriate strategy for response.

3. Notify the Incident Response Team & Forensic Team

Since it is of highest escalation level, the Incident Response Team must be immediately notified. Following steps will be taken with their advice.

( Read more: Security Metrics and Dashboard for the CEO / Board )

4. Notify legal advisory team & communication team

Advisory Team includes the Legal, Auditing Teams who can advise on how to recover best and the legal complications. All actions taken, including that of forensic team must be consulted with the Advisory Team.

Communication Team will communicate with the external world-employees,media,customers etc. about the Security Breach only if deemed necessary. Alerting employees can help reduce chaos and uninformed customer interactions.

5. Guard the Incident site for forensic proof protection

Documenting the scenario as it is found is absolute necessary. Systems must run as during the incident discovery, no change of state should take place. Also, outsiders including other employees must be prevented from entering the area. Only authorized persons (Forensic Experts/Incident Response Team) must be allowed. First few minutes can be critical to preserve data to track attacks eg. Volatile data.

6. Document and Interview People, Log Review

Document all details of Response Efforts and Breach Discovery. Also, retrieve data as much as possible from the resources available by interviewing the people concerned. Often Network admins and engineers might have a few anomalies to point out.

Logs are the second resource. Detailed review to check for all anomalies like unauthorized access can be a great indicator of scope of damage, assets involved etc.

7. Notify Customers if necessary

In case the data loss is customer data and sensitive in nature eg. Personally Identifiable Information, the customers must be informed in allocated time. This should be only after consulting Directors, Legal Advisers etc.

8. Notify the CEO if it is a critical breach

In case the data loss is customer data and sensitive in nature eg. Personally Identifiable Information, the CEO should be informed. Make sure to also put together a quick note on how the organization is planning to respond to the breach including the current impact and future impact on business. 

( Read more: Security Technology Implementation Report- Annual CISO Survey )

Post 24 Hours: Ask yourself..

• Has complete recovery happened?
  
• Why did the breach happen?
  
• What are the preventive measures for future?
  
• Are all the customers safe now?
  
• What are the current drawbacks in your Incident Response?

More:  Join the community of 3000+ Chief Information Security Officers.  Click here

Download A Detailed Incident Management Plan :

This is a community contribution. You can download the detailed Incident Management Plan ? You can download it here