pritha's Posts (581)


Watch Video:

5 Real ways to destroy business by breaking SAP Applications

Do you know where all the critical data of your company is stored? Is it possible for an attacker to commit sabotage or espionage against your company by breaking into just one of your business-critical systems? And if so, what kind of systems could be under attack? Is it easy to break them? Is it a myth that SAP systems can only be accessed internally? The time has come not only to answer all of these questions but to show real examples of different attacks on enterprise business application systems, based on eight years of research experience in that field. First we will cover all possible business risks related to each and every type of system, such as ERP, SRM, HR, Business Intelligence, PLM and industry solutions, so that every high-level executive gets a full understanding of what could happen. After that we will show examples of how easy it is to carry out such critical actions in different systems by exploiting vulnerabilities and misconfigurations, from the more business-related (such as abusing SRM systems to win a bid, or fraud in HR systems to increase a salary) to the more technical (such as drilling into the corporate network via SAP Portal, or delivering backdoors that look like official updates via SAP Router). Our presentation will be the first to show the real threats to business during those attacks, with demos of the most interesting ones and a guide from EAS-SEC on how to avoid them.


View PPT:


Read more…

List of Top Incident Response Tools

So you are breached? Okay, cool off and get hold of the most useful tools. Why? Because now all you need to do is find out what is out in the open and what is not. Then you can decide how bad the breach is, and if you collect good evidence you have a chance to win. Moreover, once your customers can be told the exact extent of the loss, the damage is usually less brutal.

We'll stick to the main focus areas we described for skill sets in IR teams. 

Note: 

  1. Tools are platform dependent, e.g. OS dependent (Windows vs Linux)
  2. Most of the list will be free, open source or both
  3. High coverage of Windows tools, less for other OSes (e.g. Linux, Mac)
  4. Most free software is offered as "download at your own risk"; a careful check is recommended


Major Areas Of Focus:

  • Incident Response
  • Computer Forensics
  • Network Security
  • Secure Architecture

Incident response tools:

  • First Responder's Evidence Disk (FRED)
  • Knoppix STD
  • Windows FE (Microsoft, free)
  • The Coroner's Toolkit - for UNIX
  • MasterKey - Linux
  • ProDiscover - paid Basic, Forensic & IR editions (ARC Group)
  • Oxygen Forensic Suite (Passware)
  • Helix (free, pro, enterprise and live versions)
  • Forensic Toolkit (FTK), or the international version, by AccessData
  • Forensic Bridges (Tableau / Guidance Software)
  • First Response (Mandiant)
  • Investigator Workstation & Lab (Nuix, paid)
  • Windows Forensic Toolchest, or WFT paid version (Fool Moon)

Computer forensics tools:

Memory & Imaging tools -

  • DumpIt
  • Guymager
  • Volafox - for Mac OS X
  • P2 eXplorer - free and pro (paid) versions (Paraben)
  • FTK Imager - also for Mac OS (AccessData)
  • Tableau Imager (Tableau)
  • OSFClone & OSFMount (PassMark Software)
  • EnCase Forensic Imager (Guidance Software)
  • Redline (Mandiant)
  • Live RAM Capturer (Belkasoft)
  • Disk2VHD (Microsoft)
  • USB Block Writer (DSi)
  • EvidenceMover (Nuix)

Carving -

  • PhotoRec
  • Mft PictureBox
  • Ghiro Digital Image Forensics
  • Defraser

File system -

  • HMFT
  • INDXParse
  • AnalyzeMFT

File signature -

  • HexBrowser
  • File Signature


Analysis -

  • PDF Stream Dumper
  • OSForensics
  • The Sleuth Kit
  • RegRipper
  • ShellBags analysis
  • Digital Forensics Framework (DFF)
  • SANS Investigative Forensic Toolkit (SIFT)

Metadata & Passwords -

  • Pwdump7
  • Ophcrack
  • NTPWEdit
  • Ntpasswd
  • Cain & Abel
  • Encryption Analyser - free and two paid versions (Passware)
  • InsidePro
  • L0phtCrack
  • EWF MetaEditor (4Discovery)

Hashes -

  • HashMyFiles (NirSoft)

Network security tools:

Network traffic -

  • Wireshark
  • Nmap
  • Security Onion
  • WinDump
  • NetworkMiner (Netresec)
  • RSA Security Analytics freeware (RSA)
  • NFAT (Xplico)
  • Retina (BeyondTrust)

Email -

  • Mail Viewer (MiTeC)
  • Kernel OST Viewer or Kernel Outlook PST Viewer (Kernel)
  • Email Migration and Email Recovery solutions (Kernel)
  • MBOX Viewer - free and pro (paid) versions (SysTools)


Secure architecture tools (includes testing tools):

  • Mantra - Windows, Linux, Mac (OWASP)
  • Metasploit - attack simulator (Rapid7)

Secure architecture is more an approach to building the architecture correctly at the start. Apart from that, you may use any analysis tool to keep a check. However, tools are only a temporary fix, and an insecure architecture will keep increasing your security debt.

References:

  • http://windowsir.blogspot.in/p/foss-tools.html
  • http://www.e-fense.com/products.php
  • https://forensiccontrol.com/resources/free-software/
  • http://www.gfi.com/blog/18-free-security-tools-for-sysadmins/
  • http://www.blackhat.com/presentations/bh-asia-02/bh-asia-02-khoo.pdf
  • Forensic book - Johnson 111
  • Each product's own link

To add: top 10 free tools for pentest/audit - http://www.security-audit.com/penetration-testing-tools/

Mobile tools will be covered separately, since this is a lot already! Do you use other tools? Share with us in the comments below.

Read more…


Team Modules/Organization-

  • IR Management
  • IR Core Team
  • IR Secondary Team
  • IR Communication Team
  • Technical Assessment & Forensics Team
  • Technical Support Team
  • IR Support Team


Working of Org Chart-

  • IR Management - Highest level of management in the incident response organization. Oversees the incident scenario as a whole and considers threat reports, preventive measures and ROI in a timely manner.
  • IR Core Team - IR experts who track incidents and report directly to IR Management. Responsible for setting up an effective security infrastructure.
  • Communication Team (consists of the Public Relations Officer & Contact Lead) - Coordinates with the IR Core Team for communicating to the masses, such as employees and customers. The Communication Team help desk should report incidents to the IR Technical Assessment Team.
  • IR Technical Assessment & Forensics Team - Tracks all incidents and reports them to the IR Core Team members.
  • Technical Support Team or IR Support Team - Reports to the Technical Assessment Team. Provides supportive measures based on earlier solved incidents only; incidents of a new nature may need to be escalated.
  • Secondary IR Team (HR, Legal, Training) - Reports to and coordinates with the IR Core Team members and may work as one team during incident handling. Responsible for IR resources, training and skills, along with security awareness among employees and customers.


References:

  • CSIRT Team, p. 23: http://www.sans.org/reading-room/whitepapers/incident/creating-managing-incident-response-team-large-company-1821
  • http://resources.sei.cmu.edu/asset_files/Handbook/2003_002_001_14099.pdf
  • http://www.sans.org/reading-room/whitepapers/incident/implementing-computer-incident-response-team-smaller-limited-resource-organizational-settin-1065
  • https://technet.microsoft.com/en-us/library/cc700825.aspx
  • http://www.sans.org/reading-room/whitepapers/incident/computer-incident-response-team-641
  • Incident Response & Forensics - Johnson 111

Read more…

5 Major Types Of Hardware Attacks You Need To Know


From a recent webinar, I gathered the most important parts into organized sub-parts. This is the first part, in which the major hardware threats and my insights on them are described. Below is the exact portion of the webinar discussing the hardware threats.

Part 1: Major Hardware Attacks


Major Types of Hardware Attacks:

1. VMX - Virtual Machine Extensions (instructions on processors with x86 virtualization)

Virtualization is offered at two levels:

(a) higher performance and more cost effective, e.g. Intel

(b) greater isolation and higher cost, e.g. IBM

Most of us will use (a) rather than (b), not knowing the underlying threats that come with the reduced isolation.

2. Blue Pill

A rootkit designed for x86 virtualization. It installs a thin hypervisor/VMM and runs the rest of the machine as a virtual machine under it. It is claimed to be almost undetectable, although there was controversy about this. Hardware-assisted virtualization can thus help malicious software, so the hardware architecture is the prime concern here.

3. Extreme Privilege Escalation

This was demonstrated on modern Windows 8: exploitation of the UEFI platform firmware using a new Windows 8 API. It is privilege escalation from ring 3 to ring 0, the most privileged level, which communicates almost directly with the hardware resources.

4. Stepping P3wns

This attack used a resource's firmware update (a printer's, in this case), which bypasses the antivirus on the computer because it is not Windows malware. However, when the job is received on the printer side, the firmware is updated to the malicious one. This exploitation enables infecting IP phones etc., which can be a huge concern in 'BYOD' times.

5. Shadow Walker (TLB splitting)

Misuses x86 hardware to hide malware from the OS and antivirus. In fact, even code modifications could not be detected by antivirus. The flaw: the difference between reading memory and executing it.


For the full webinar and presentation slides, click here.

What do you think are the major hardware threats a CISO has to face in practice? Please share in the comments below.

Read more…

OS Security Evolution & Latest Attack Vectors

Watch Video: (Webinar) OS Security & Latest Attack Vectors


Quick Glimpse -

Fairly technical content, highlighting the major interesting hardware threats, the main intentions behind attacks, the trust coefficient in places of misplaced trust, the application of the 'less is more' philosophy, and also some tips for selling infosec.

The talk gives us an idea, on the architectural front, of the most vulnerable areas and where caution is paramount.

View Presentation/PPT:


What are the major OS threats that concern you as a CISO? Tell us in the comments below.

Read more…

Learning Practical Forensics-Tools & Techniques

A concise primer on forensics for a beginner or a security expert: an insight into an actual solution achieved through forensics. The problem: a PGP message intercepted by a RAT needs to be decrypted without the actual key. The process is briefly described by the expert himself and takes us through a forensic lab, without the pain of course.

Part 1: Forensics Video Recording


Part 2: Forensics Video Recording


Presentation/PPT for reference:


Let us know how helpful you found this short insight into forensics. You may comment below or write an article (on forensics, or anything helpful for the infosec community). Click here to write.

Read more…

CISO Platform Annual Summit, 2014 Highlights

CISO Platform Annual Summit @ Mumbai last week saw over 250 attendees over 2 days, making the spirit of knowledge sharing and learning a huge success among the information security executives of India. Here are the highlights of the awesome keynotes, electrifying Turbo sessions and some great knowledge-boosting training sessions.


Top Turbo Talks


  • How the Heartbleed bug was found?

    Antti Karjalainen - discoverer of Heartbleed

  • BadUSB - On accessories that turn evil

    Karsten Nohl - cryptographer and security researcher

  • Bitcoin Transaction Malleability - An Insight

    Daniel Chechik

  • 5 Real ways to destroy business by breaking SAP Applications

    Alexander Polyakov (the father of ERPScan)

  • A journey to protect POS

    Nir Valtman - discoverer of Point-of-Sale vulnerabilities

  • Intrinsic Leadership

    Deb Maes - Neuro-Linguistic Master Practitioner & Trainer

  • Cyber Safety in Cars and Medical Devices

    Beau Woods - creator of the IoT Security Framework

  • The notorious 9 in Cloud Security

    Moshe Ferber

  • More Shadow Walker - The Progression of TLB-Splitting on x86

    Jacob Torrey - discoverer of TLB-splitting on x86

  • Ants and Elephants in the CISO's Office

    Paul Raines - CISO, United Nations Development Program

  • Embedding risk assessment into your project workstream

    Michael Calderin - Security Officer, Bupa Global Latin America

  • Application Security Best Practices

    Yuval Idan

  • Cyber Threat Alliance - Actionable Threat Intelligence

    Derek Manky


Top Training Sessions

After several requests for training sessions, this time we did it. For all with an eye for detail, took back a bag full of operational knowledge and in-depth insights.

  • Defending Online Attacks on Cloud Instances

    Nir Valtman (discoverer of Point-of-Sale vulnerabilities) & Moshe Ferber (cloud security entrepreneur)

  • Building an Incident Management Program

    Paul Raines (CISO @ UNDP, ex-OPCW)

  • Fuzz Testing Techniques for Discovering Zero Days

    Antti Karjalainen (discoverer of Heartbleed)

  • Implementing SAP Security

    Alexander Polyakov (the father of ERPScan)

  • Practical Forensics - Tools and Techniques

    Sachin Deodhar

  • Mobile Security

    Devesh Bhatt (prominent security researcher) & Nutan Kumar

  • Spooky Threats and Selling Infosec

    Jacob Torrey - discoverer of TLB-splitting on x86

  • Implementation Guide for Big Data and Machine Learning

    Sayan Pathak (Microsoft)

  • Building a Threat Intelligence Organization: Tools, Techniques, Processes and Team Structure

    Derek Manky


More Turbo Sessions

  • Machine Learning in Information Security

    Arnab Chattapadhayay

  • Using Security Information & Analytics as Actionable Intelligence

    Ahmed Qurram Baig

  • Operational Vulnerability Management Essentials using Open Source Tools

    Vikram Mehta

  • OSINT: Tools and Techniques for Open Source Threat Intelligence

    Sachin Deodhar

  • Zero-day Vulnerability Disclosure in Big Data (Hadoop)

    Jitendra Singh Chauhan


Top Panel Discussions

Exploring and sharing the viewpoints in predefined security topics by the topmost CISOs allowed the community to grow together and leap forward into the future of security.

  • Managing the “Board” from CISO Perspective

    (Paul Raines, Bikash Barai, Nadir Bhalwani, Amit Pradhan, Venkatesh Subramaniam)

  • Prioritization, Dashboard and Metrics

    (Burgess Cooper, Rajiv Nandwani, Fal Ghancha, Sunil Mehta, Michael Calderin)

  • Managing Third party Vendor Risks

    (Arnab Chattopadhyay, Moshe Ferber, Pravesh Sharma, Ranjeet Mishra, Sirish Dandekar, Durga Dube, Jacob Torrey)

  • Learning from Failures

    (KS Narayanan, Nir Valtman, Beau Woods, Dhananjay Rokde, Mahesh Sonavane, Sudarshan Singh)

  • Future of the CISO - Planning the career roadmap

    (Bikash Barai, Yuvnesh Modi, Amal Saha, ID Ganeshan, Arindam Roy, Deb Maes)


Top Round Table Discussions

Round tables are more informal and aim at dissecting a particular security topic or concern.

  • Surviving advanced data-stealing attacks
  • Changing role of the CISO - staying ahead of threats in an era of constant change
  • Application security as a business enabler
  • Managing DDoS - practical tools and technologies
  • What's inside your software? Managing third-party application security risk


To find exclusive coverage of the event - click here

Read more…

Safeguarding Critical Data & Strong Backup

To protect sensitive/critical data on users' laptops, we implemented a remote backup solution that backs up the important files and folders on a user's laptop to a remote server. The main purpose was to safeguard sensitive/critical information against accidental loss, damage or corruption and to ensure its availability as and when required, by keeping an additional copy on a remote server at a secure location.

The organization's needs were: a cost-effective solution; backup on demand or on a schedule; data in motion encrypted during backup; backup over both the internal and the external network; a simple, easy-to-use solution for backing up sensitive/critical information on laptops; and data stored in encrypted form at the backup site, accessible only by the intended authorized user.

We evaluated various backup solutions, both commercial and open source. Commercial backup tools being beyond our approved budget, we evaluated other solutions with no compromise on features and security parameters. We selected a hybrid deployment consisting of various tools and technologies, open source as well as commercial.



Key Learning From the Project:

Functional

• Files with the latest timestamp should be stored on the backup site
• Backup can be done incrementally after the first full backup
• A search feature should be available across the backed-up data
• The user can schedule backups and run a manual backup on demand
• Backup for mail clients like Outlook should be done incrementally
• Basic compression of data should take place before executing the backup
• Backup should work over both the internal and the external network (Intranet and Internet)
• Data restoration should be possible on a new machine in case of a stolen or crashed laptop
• The backup software should support multiple OSes, such as Windows, Linux and MacOS
• The user can back up custom files and folders to the backup site, with an option to filter out undesirable files
• The backup destination may be the company datacenter or cloud storage (such as Amazon S3 or Google Drive)
• Data restoration should be possible on the same machine from which the backup was initiated, by choosing a previous successful backup job

Security

• Type of encryption on the wire (256-bit or higher, SSL/AES etc.)
• The user shouldn't have direct access to the data at the backup location
• Only specific types of encrypted file format should be allowed in the backup
• Type of encryption for destination data at rest (256-bit or higher, SSL/AES etc.)
• Audit trails should be maintained for data restore activity from the backup server
• Data should not be visible or recoverable by the system administrator at the backup site
• Restoration on a machine other than the one originally used for backup should be possible only with IT support intervention

Licensing

• Licensing should be perpetual
• Licensing shouldn’t be per user or per machine


After evaluating various open source and commercial tools, the following tools and technologies, which met our objective, were selected for deployment:

• Open source backup software for all laptops
• Commercial Secure FTP server for Windows as the backup destination
• NAT and DNS for automatic switching between the internal and external route (Intranet or Internet)

Limitations

• Open files are skipped during the execution of the Backup jobs
• User configured password for the Backup job is non-recoverable
• No central console available for backup job activities at users’ laptops.


- With Rohit Kachroo, CISO, Indiabulls Group on 'Safeguarding Critical Data & Strong Backup'


Read more…

This project mainly aims to have enterprise-wide ITAM (IT Asset Management) systems and endpoint protection, and also to maintain the hardware and software inventory. It also brought in centralized IT management and control mechanisms for policy enforcement, monitoring and reporting, to present a complete picture of the organization's endpoint status.



Key Learning From the Project:

  • Involvement of OEMs - Involvement of OEMs is a critical success factor. The optimal and continued performance of the product depends heavily on project planning and final design, for which OEMs can provide the best possible advice and implementation.
  • Migration to new technologies/vendor/product - Formulate a plan and strategy for a smooth transition with minimal impact on business performance, transparent to end users.
  • Standard policies and customized configuration - Implement policies with a pre-defined base level, with continuous fine tuning and review in line with business requirements.
  • Development of a test-bed infrastructure to evaluate critical patches/releases/versions/upgrades before rolling them out.
  • 24x7 premium support from the OEM - To deal with exigencies in minimal time, mainly in the case of antivirus.
  • Review of policies - Periodic review of policy effectiveness, with daily reporting and monitoring, to get maximum advantage and realize all the capabilities of the product in the most efficient manner.
  • Cover all nodes - Necessarily implement updates/fixes/upgrades at all nodes to reduce unknown vulnerabilities in the organizational environment.

-With S Ramasamy, Executive Director (Information System), Indian Oil Corporation Ltd. on '7 Tips A CISO Should Know To Implement Endpoint Protection & IT Asset Management'


Read more…

7 Tips For DLP Implementation

Kotak Mahindra Bank has initiated DLP implementation across all business units in a phased manner; the implementation started 6 months ago with the critical business units. The solution monitors all channels, viz. Internet, Email and Endpoint.

1. Proper strategy and planning are vital for a successful DLP implementation.

2. Get management support for the project. Identify the critical business units to be considered for DLP implementation.

3. Get data classification in place; it provides a substantial idea of the critical data assets (sensitive data) that need to be protected.

4. Ensure that the incident monitoring and management process is in place.

5. Start small: probably start by monitoring two to three business units and get the incident management process and workflows in place. (It helps if the OU structure in Active Directory is aligned with the business units.)

6. Grow carefully. Be sure you're measuring not only what the DLP control wants you to measure, but also how effective the solution is overall for your organization. Are you catching tons of false positives and few true positives? Do you have ways of measuring false negatives?

7. Periodic reviews are crucial for identifying false positives/negatives and for trending the alerts thrown by the tool.

-With Agnelo Dsouza,CISO,Kotak Mahindra Bank on '7 Tips to DLP Implementation'


Read more…

Incident Response Policies and Procedures

If not all, we can point out the major policies that can help you kick off. For easy reading we've cut the details; here's the checklist:

  • AUP - Acceptable Use Policy (or Fair Use Policy): defines the ways in which, and the restrictions under which, the organisation's IT resources may be used
  • Privacy
  • Version control
  • Communications
  • Reporting
  • Backup


Basic contents of a policy -

  • State the management's commitment
  • Why the policy is made and what its goals are
  • Where the policy applies, and the exceptions
  • Probable security incidents
  • A glossary of information security terms, precisely defining their meaning
  • Clearly state the who, how and why of incident reporting, so that whenever a breach is detected, minimum time is wasted in communication
  • A chart or organized data to distinguish the sensitivity of any such incident
  • Clear demarcation of roles and responsibilities, along with ethical practices

--------------

CSIRT Policies and Standards

Policies are documented principles adopted by the management team. The policies of an organization should be clearly understood by the entire workforce, and the knowledge of the incident response policy will allow the CSIRT to act on their responsibilities.

i) Incident Response Policy

Building an incident response policy involves several objectives. First, an Incident Response Policy cannot be enforced unless it has management approval. Endorsement by management is critical. Without this approval the team will be destined to encounter business road blocks that will hinder a timely incident response. In some cases, it may not even be allowed.

Second, the policy must be clear. Any employee should be able to easily understand what the policy is about. If a non-technology oriented employee is confused by the policy, then the policy should be rewritten.

Third, the policy must be to the point. A long winded policy will either be a bad policy or one that would include sections that should be in a procedure document instead.

Fourth, the policy must be usable and implementable. Avoid statements that sound appropriate but will be open to interpretation. At the same time, the policy should not include objectives that the CSIRT will not be able to execute due to business processes or corporate culture.

Once the policy has been created, it is important to make regular checks against its effect on the workforce. When changes occur in the business direction or new technology systems are implemented, update the policy to match the new processes.
ii) Incident Response Standards and Procedures


A successful CSIRT is a team that has documented standards and procedures. Standards should be written from how the CSIRT will begin its investigations and report the findings to standards written for how the CSIRT will be trained and what authority the members will be granted. A good standard will define when the CSIRT will contain and clean up incidents and when the team will watch and gather information for litigation.

Having good recovery procedures is essential. It is very rare to find a CSIRT member that has mastered every operating system and application in your environment. Having procedures to follow on how to correctly down and restore a system can help prevent time consuming efforts and alleviate some of the stress of the incident. These written procedures will aid the CSIRT in formalizing how investigations are carried out, how evidence is handled, what organizations are notified at what times, how post mortem reporting is conducted, how malicious software is to be eradicated and how to perform a recovery of an information system.

iii) Code of Conduct

The code of conduct policy for the CSIRT is a set of rules outlining how a team member will behave in a way that supports the goals of the incident response team and the mission statement of the company. The code of conduct will be used when no other policy or procedure applies. It should reflect the natural behavior of a professional incident handler. An example of a CSIRT code of conduct policy was written by the original manager of the CERT, Rich Pethia.

-----------

Policy -

http://www.comptechdoc.org/independent/security/policies/security-policies.html

Other policies to cover: password policy, remote access, internet connection, approved applications, BYOD policy.

Note:

Try to make a crisp, precise notebook or digital copy with images and videos for quick and fun interactive sessions. Try to remove all the thick policy manuals that most people won't read. Our main aim is

References:

http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf

Read more…


We heavily rely on references when taking a decision on the adoption of a new technology or product. However, there is no dedicated analysis of product leadership based purely on customer recommendation. From the CISO Platform technology analyst team, we are happy to announce the concept note for the CISO Index, which shall rate products purely based on CISO recommendation.

 

Why do we need a CISO/Customer recommendation based product/technology rating framework?

  1. CISOs or the users can provide the most meaningful verdict for a product
  2. With the whole world going social, community recommendation should play a bigger role in decision making
  3. Currently there is no globally acknowledged framework solely based on CISO/Customer recommendation

To exercise your vote and provide your rating: Click here 

 

Proposed "CISO Platform Index"

The CISO Platform Index shall use a transparent methodology to compare the players in the software, hardware or services market so that CISOs can make well-informed decisions. The CISO Platform Index offers two indices to compare:

  1. CISO Perception Index (CPI) - Index developed from the perception of CISOs about the vendor/product on different evaluation metrics, i.e. by CISOs who have not used the product but have studied it.
  2. CISO Recommendation Index (CRI) - Index developed from the recommendation of CISOs who have used the vendor's product, on different evaluation metrics.

  

CISO Platform shall map the participating vendors onto a chart whose two axes are CPI and CRI. After such analysis, we shall publish the following for various technology verticals (e.g. Data Security, Application Security Testing etc.):


Enterprise Segment

  1. CISO Platform Champions: High CRI and High CPI
  2. CISO Platform Challengers: One of the indices (CRI or CPI) is High and the other is moderate

SMB Segment

  1. CISO Platform Champions: High CRI and High CPI
  2. CISO Platform Challengers: One of the indices (CRI or CPI) is High and the other is moderate


To exercise your vote and provide your rating: Click here 

 

CISO Platform Index Methodology

 

The following steps will be executed to evaluate the vendors:

Step 1 - Collection of CRI data: The customers/users of a product shall be requested to rate each product on a scale of 1 to 7 for the following parameters:

  1. Overall Rating
  2. Features
  3. ROI/Price
  4. Ease of Implementation
  5. Support

 

Sample Likert Scale:

 


Step 2- Collection of CPI Data : The CISOs/Security Professionals shall be requested to rate a product of on a scale of 1 to 7 on how they perceive the product (overall rating). We will not ask granular information like that of CRI.

Step 3- Analysis of the Data:

  • CPI Calculation for each Product: The Mean likert score for each vendor collected from participants who haven’t used vendor product but are aware of its pros and cons will be known as CPI (CISO Perception Index).
  • CRI Calculation for each product: The Weighted Mean likert score for each vendor collected from participants who have a current/prior usage experience of the vendor product will be known as CRI (CISO Recommendation Index). We shall have the following weight age: Features (30%), Price/ROI (30%), Ease of Implementation (20%) and Support (20%)

Vendors shall be encouraged to provide more customer references, as this will help in analyzing them with more confidence. We will also provide an additional confidence rating to vendors based on the number of references they provide. Any product with fewer than the cut-off number of references (10) for recommendation shall be eliminated from the analysis.


Mathematical Analysis

  1. We will plot a graph representing CRI vs. CPI.
  2. We have defined a cut-off score of 4 (Neither satisfied nor dissatisfied) out of 7 (Extremely Satisfied) on the Likert scale for both CPI and CRI.
  3. The vendors scoring above the cut-off in CPI and CRI will be divided between the following two quadrants based on their CRI/CPI score:
     • Champions (those lying in the top-rightmost quadrant of the CPI vs. CRI graph)
     • Challengers (those lying in the bottom-rightmost quadrant of the CPI vs. CRI graph)

                            High CPI (CPI > 6)    Moderate CPI (4 < CPI < 6)    Low CPI (CPI < 4)
High CRI (CRI > 6)          Champions             Challengers                   Not disclosed
Moderate CRI (4 < CRI < 6)  Challengers           Challengers                   Not disclosed
Low CRI (CRI < 4)           Not disclosed         Not disclosed                 Not disclosed
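The CRI/CPI computation and the matrix above, carried through as a worked example (added here; it is not CISO Platform's own code): it applies the 30/30/20/20 weights, the 10-reference cut-off and the 4 and 6 thresholds to constructed sample ratings. The handling of a score that lands exactly on a threshold, which the methodology does not specify, is an assumption.

```python
from statistics import mean

# Weights for the CRI weighted mean, as given in the methodology above.
# "Overall Rating" is collected but carries no weight in the CRI.
CRI_WEIGHTS = {
    "features": 0.30,
    "price_roi": 0.30,
    "ease_of_implementation": 0.20,
    "support": 0.20,
}
MIN_REFERENCES = 10  # products with fewer user references are eliminated
CUT_OFF = 4          # "Neither satisfied nor dissatisfied" on the 1-7 scale
HIGH = 6             # above this an index counts as High


def cri(user_ratings):
    """CISO Recommendation Index: weighted mean of the Likert scores given
    by users with current/prior experience of the product. Returns None
    when the product has fewer than MIN_REFERENCES references."""
    if len(user_ratings) < MIN_REFERENCES:
        return None
    per_user = [sum(w * rating[p] for p, w in CRI_WEIGHTS.items())
                for rating in user_ratings]
    return mean(per_user)


def cpi(perception_ratings):
    """CISO Perception Index: plain mean of the single overall rating given
    by CISOs who have not used the product but know its pros and cons."""
    return mean(perception_ratings) if perception_ratings else None


def band(score):
    """Band an index as low / moderate / high. The page states High as > 6,
    Moderate as 4 < x < 6 and Low as < 4; a score exactly on 4 or 6 is not
    covered, so (assumption) it is placed in the lower band."""
    if score is None or score <= CUT_OFF:
        return "low"
    return "high" if score > HIGH else "moderate"


def classify(cri_score, cpi_score):
    """Map a product onto the CPI-vs-CRI matrix: Champions only when both
    indices are High, Not disclosed when either is Low (or the product was
    eliminated for lack of references), Challengers otherwise."""
    bands = (band(cri_score), band(cpi_score))
    if bands == ("high", "high"):
        return "Champions"
    if "low" in bands:
        return "Not disclosed"
    return "Challengers"


# Constructed sample data for one product (illustrative values only):
# twelve user references and five perception ratings.
SAMPLE_USERS = (
    [{"features": 7, "price_roi": 6, "ease_of_implementation": 6, "support": 7}] * 10
    + [{"features": 6, "price_roi": 5, "ease_of_implementation": 5, "support": 6}] * 2
)
SAMPLE_PERCEPTION = [6, 7, 5, 6, 6]


def evaluate(user_ratings, perception_ratings):
    """Run the full pipeline for one product and return its scores and bucket."""
    cri_score, cpi_score = cri(user_ratings), cpi(perception_ratings)
    return {"CRI": cri_score, "CPI": cpi_score,
            "bucket": classify(cri_score, cpi_score)}


if __name__ == "__main__":
    # CRI 6.33 (High) but CPI exactly 6.0 (Moderate under the assumption
    # above), so the sample product lands in Challengers, not Champions.
    print(evaluate(SAMPLE_USERS, SAMPLE_PERCEPTION))
```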

 

 

Rakshit Dhamija, CISO, iGATE, sent us the beautiful graphic "CISO Opinion matters". We simply loved it and decided to share it below.

[Graphic "CISO Opinion matters": image not reproduced]
Read more…

We rely heavily on references when taking a decision on adopting a new technology or product. However, there is no dedicated analysis of product leadership based purely on customer recommendation. From the CISO Platform Technology Analyst team, we are happy to announce the concept note for the CISO Index, which shall rate products purely on CISO satisfaction.

 

Why do we need a CISO/User satisfaction based product/technology rating framework?

  1. CISOs or the users can provide the most meaningful verdict on a product
  2. With the whole world going social, community recommendation should play a bigger role in decision making
  3. Currently there is no globally acknowledged framework based solely on CISO/User Satisfaction

Proposed "CISO Platform Index"

The CISO Platform Index shall use a transparent methodology to compare the players in software, hardware, or services market so that the CISOs can make well-informed decisions.

  1. CISO Platform Index (CPI) - An index developed from a User Satisfaction Survey of CISOs who have used the vendor's product, on different evaluation metrics.

CISO Platform Index Methodology

The following steps will be executed to evaluate the vendors:

Step 1- Collection of CPI Data: The Customers/Users of a product shall be requested to rate each product on a scale of 1 to 10 for the following parameters.

  1. Overall Rating
  2. Features
  3. ROI/Price
  4. Ease of Implementation
  5. Support

Step 2- Analysis of the Data:

  • CPI Calculation for each product: The weighted mean score for each vendor, collected from participants who have current/prior usage experience of the vendor's product, will be known as the CPI (CISO Platform Index).

    We shall use the following weights:
  1. Features (30%)
  2. Price/ROI (30%)
  3. Ease of Implementation (20%)
  4. Support (20%)

*Note: The mean shall be computed using statistical tools (e.g. clustering techniques) to rule out bad data.

Vendors shall be encouraged to provide more customer references, as this will help in analyzing them with more confidence. We will also provide an additional confidence rating to vendors based on the number of references they provide. Any product with fewer than the cut-off number of references (10) for recommendation shall be eliminated from the analysis.


Mathematical Analysis

  1. We have defined a cut-off mean score of 7.5 on the CISO Platform Index
  2. The vendors scoring above the cut-off in CPI will be featured in the CPI report

CPI band                         Category      Disclosure
High CPI (CPI >= 8.5)            Champions     Disclosed
Medium CPI (7.5 <= CPI < 8.5)    Challengers   Disclosed
Low CPI (CPI < 7.5)              Others        Not disclosed

 

CPI Report

The first draft shall be presented at the CISO Platform Annual Summit, 2014. It will formally be published in January.


Read more…

Most Important Tools for Incident Response

Based on OS

Windows tools:

Specific Tools:

  1. Log Parser
  2. EnCase
  3. ILook (LEO only)
  4. Paraben
  5. ProDiscover
  6. TCPView
  7. AccessData
  8. COFEE (LEO only)
  9. WinHex
  10. X-Ways Forensics / WinHex Pro
  11. FileControl, DD, etc.
  12. Wireshark / Ethereal (packet sniffer)
  13. Dsniff (Dug Song)


Websites & Tools

  1. Sysinternals.com
  2. Foundstone.com

UNIX:

  1. grep
  2. Nmap
  3. DEFT Linux distribution
  4. Can Opener (Abbott Systems)
  5. BlackLight (BlackBag)
  6. Expert Witness (ASR Data)
  7. The Coroner's Toolkit (pcat, ils, icat, file, unrm, lazarus)
  8. TCTUtils (bcat, blockcalc, fls, find_file, find_inode, istat, mac_merge)
  9. Autopsy Forensic Browser

Based on Functionality

Imaging tools:

  1. FTK Imager
  2. EnCase Professional
  3. Symantec Norton Ghost
  4. PowerQuest Drive Image / Drive Copy
  5. Freeware 'dd' utility
  6. FastBloc (EnCase)
  7. AVCDEF (Vogon)
  8. Caveat

Logs:

  1. Event logs (system, security, application, router)
  2. Specific application logs (IIS, SQL Server, ...)

Memory Collection

  1. Dumping event logs (dumpevt.exe, dumpevt.pl)
  2. DumpIt
  3. Volatility
  4. Mandiant Redline
  5. HBGary Responder CE


Strings:

  1. Strings.exe
  2. Finfo.pl

Network tools:

  1. Wireshark (free tool)
  2. NetworkMiner
  3. NetWitness Investigator
  4. Network Appliance Forensic Toolkit (NAFT)

Carving:

  1. PhotoRec
  2. Scalpel
  3. ParseRS/RipRS

Image Mounting:

  1. OSFMount
  2. ImDisk
  3. FTK Imager
  4. vhdtool
  5. raw2vmdk
  6. LiveView
  7. VirtualBox

File system:

  1. analyzeMFT
  2. INDXParse
  3. PDF Tools from Didier Stevens 
  4. PDFStreamDumper
  5. SWF Mastah

Registry:

  1. RegRipper
  2. Shellbag Forensics


Password recovery:

  1. Ntpwedit
  2. Ntpasswd
  3. pwdump7
  4. SAMInside
  5. OphCrack
  6. L0phtcrack

Based on Tool Type:

Individual Tools

  1. Sysinternals Suite

Script Based Tools

  1. First Responder's Evidence Disk (FRED)
  2. Microsoft COFEE
  3. Windows Forensic Toolchest (WFT)
  4. RAPIER

Agent Based Tools

  1. GRR
  2. Mandiant First Response

Note: http://www.forensicswiki.org/wiki/Incident_Response

  • Keeping a comprehensive list of tools for the organizational infrastructure, and training your team on using them, can prove very helpful at the time of an incident.
  • It is also very important to validate that the list of tools is comprehensive and capable of providing coverage of the major security areas.
  • Maintaining the tools on read-only media (e.g. a CD) is preferable, so they cannot be infected in any form.

Others:

  • Evidence collection: dd, mount
  • Acquisition & reconnaissance: grave-robber, ils, ils2mac, fls -m
  • Analysis: timelining, AFB (Autopsy Forensic Browser), lazarus
  • Recovery: icat, unrm

References:

http://www.blackhat.com/presentations/bh-asia-02/bh-asia-02-khoo.pdf
http://oreilly.com/catalog/incidentres/chapter/ch07.html
http://windowsir.blogspot.in/p/foss-tools.html
http://www.forensicswiki.org/wiki/Incident_Response

Read more…

Technical Skills:

Fundamental Concepts and Internet

  1. Knowledge of fundamental security concepts (e.g. authentication, integrity, access control, privacy)
  2. Identifying risks and threats (to data, information, computers and networks)
  3. Knows how the Internet works (history and infrastructure)
  4. Basic understanding of all security domains, the products available and their working principles (IDS/IPS, DLP, MDM, ATP...)
  5. Basics of social engineering tactics

Network security

  1. In-depth knowledge of network protocols and their vulnerabilities (MITM, spoofing)
  2. In-depth knowledge of network infrastructure and how it works
  3. Basics of network configuration and operation (firewalls, routing techniques, packets in motion...)
  4. Basics of Public Data Networks

Transport Layer

  1. Understanding of email protocols (SMTP, MIME...)

Coding and OS

  1. Recognize malicious code (general viruses, Trojans)
  2. Aware of secure coding practices
  3. Preferably has some practice with programming languages (C, Java, Perl, Awk, Shell...)
  4. Understanding of the security vulnerabilities of the host system and network
  5. Basics of security vulnerabilities in common operating systems (UNIX, Windows, Linux...)
  6. Knows the use of digital signatures and hash algorithms

Encryption

  1. Aware of the latest hacks and vulnerabilities along with attack methodologies
  2. Understands the basics of the encryption types used by the organization

Expertise

  1. Expert understanding of internet technologies (DNSSEC, IPv6, VoIP, ATM etc.)
  2. Expertise in analyzing huge databases and log audit trails, and able to identify threat trends and frequency
  3. Preferably an idea of the basic tools used (cmd.exe, PsLoggedOn, netstat, Fport etc.)
  4. Aware of robot/automated attacks (web crawling, SQL injection...)
  5. Simulation of incidents and hands-on training will give practical sense and confidence

*Apart from the above requirements, it is best to have a highly technical person for each technical front; they may have less experienced team members whom they can mentor.


Personal Skills:

  1. Management abilities
  2. Stress handling
  3. Impromptu action
  4. Reasoning abilities
  5. Process definition
  6. Communication skills
  7. Team player

Note:

  • Domain experts in specific fields (applications, network, mail and database) can be a good choice.
  • Consider outsourcing this effort to a consultancy, which results in lower costs as you do not need a team waiting for incidents to take place, but rather treat them only when affected. However, this must be preceded by references and study.
  • A legal advisor can be of great help in assisting with gathering information, recommendations and remediation when an incident/breach takes place.

References:

http://ptgmedia.pearsoncmg.com/images/1578702569/samplechapter/1578702569.pdf
https://msisac.cisecurity.org/resources/guides/documents/Incident-Response-Guide.pdf (has warning)
http://www.cert.org/incident-management/csirt-development/csirt-staffing.cfm
http://www.bankinfosecurity.in/incident-response-5-critical-skills-a-4214/op-1
http://books.google.co.in/books?id=lPEgnnKWpmYC&pg=PA14&lpg=PA14&dq=skills+required+for+incident+response+personnel&source=bl&ots=gYCcMcKYYo&sig=J7_Lslvwq48PPnF39Bckjtvp9do&hl=en&sa=X&ei=MIgZVMaFL8iwuAS_rYCYDw&ved=0CEMQ6AEwBQ#v=snippet&q=technical%20skills&f=false

Read more…

What are the stages of Incident Response

Stages of Incident Response:

  1. Method 1
  2. Method 2

Method 1 (7 steps)

  1. Preparation
  2. Identification
     (categories based on incident type)
  3. Containment
  4. Investigation
  5. Eradication
  6. Recovery
  7. Follow up

Method 2 (4 steps)

  1. Preparation
  2. Detection and Analysis
  3. Containment, Eradication and Recovery
  4. Post-Incident Activity

--------

http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf

The incident response plan should include the following elements:

  • Mission
  • Strategies and goals
  • Senior management approval
  • Organizational approach to incident response
  • How the incident response team will communicate with the rest of the organization and with other organizations
  • Metrics for measuring the incident response capability and its effectiveness
  • Roadmap for maturing the incident response capability
  • How the program fits into the overall organization

Procedure elements

Sharing information with outside parties: the media, law enforcement, and the other outside parties incident handling talks to (ISPs, software vendors, ...).

--

http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf

Handling an incident

  • Preparation
  • Detection and analysis
  • Containment, eradication, recovery
  • Post-incident activity
  • Incident handling checklist
  • Recommendations

-----

http://technet.microsoft.com/en-us/library/cc700825.aspx

To carry out a successful incident response plan, you should:

  • Make an initial assessment.
  • Communicate the incident.
  • Contain the damage and minimize the risk.
  • Identify the type and severity of the compromise.
  • Protect evidence.
  • Notify external agencies if appropriate.
  • Recover systems.
  • Compile and organize incident documentation.
  • Assess incident damage and cost.
  • Review the response and update policies.

---------

http://www.sans.org/reading-room/whitepapers/incident/creating-managing-incident-response-team-large-company-1821

Primary Phases of the CSIRT
  a) Identification
    i) Triage Role
    ii) Identification Tasks
  b) Containment
  c) Eradication
  d) Recovery
  e) Lessons Learned

---------

Other sources:

http://ptgmedia.pearsoncmg.com/images/1578702569/samplechapter/1578702569.pdf (stages)
https://msisac.cisecurity.org/resources/guides/documents/Incident-Response-Guide.pdf (has warning) [useful URL]
http://books.google.co.in/books?id=lPEgnnKWpmYC&pg=PA14&lpg=PA14&dq=skills+required+for+incident+response+personnel&source=bl&ots=gYCcMcKYYo&sig=J7_Lslvwq48PPnF39Bckjtvp9do&hl=en&sa=X&ei=MIgZVMaFL8iwuAS_rYCYDw&ved=0CEMQ6AEwBQ#v=snippet&q=technical%20skills&f=false

Read more…

 

Current Project Synopsis:

  • Responsible for Information Security of next generation mobile and fixed broadband networks (LTE/WiFi/FTTx) with All-IP networks over a cloud based framework for B2C/B2B markets connecting 200 Million 4G LTE, 50 Million Wifi/FTTx subscribers in top 800 cities of India
  • Jio’s seamless 4G services using FDD-LTE on 1800 MHz and TDD-LTE on 2300 MHz through an integrated ecosystem, aims to provide unparalleled high quality access to innovative and empowering digital content, applications and services.

According to the Verizon 2013 data breach report, 84% of exploits and 69% of data exfiltration happen in less than an hour, so it is critical to have situational awareness, i.e. visibility into the activities occurring around the enterprise. Proper deployment of next-generation SIEM (Security Information & Event Management) tools helps to detect attacks sooner and, as a result, react more nimbly.

SIEM solutions provide enterprises with network security intelligence and real-time monitoring for network devices, systems, and applications. Using SIEM solutions, IT administrators can mitigate sophisticated cyber attacks, identify the root cause of security incidents, monitor user activity, thwart data breaches and, most importantly, meet regulatory compliance requirements.

Most organizations think that SIEM solutions have a steep learning curve and are expensive, complex and hard to deploy. Here are a few SIEM deployment guidelines and factors to consider while evaluating a SIEM tool. The right SIEM solution is one that can be easily deployed, is cost-effective and meets all your IT security needs with a single tool.



SIEM Deployment Guidelines

1. Know what is important to security

  • Security Events
  • Network Flows
  • Server & Application Logs
  • Database Activity
  • Application Contents

2. Know what is important to compliance

  • Identity Content
  • Classification of data
  • Access to data
  • Usage of data

 


Checklist for SIEM Solution Evaluation

1. Log Collection

  • The EPS (events per second) rate the SIEM tool supports should match the rate at which your IT infrastructure sends events
  • Should be able to collect logs from heterogeneous sources (Windows, Unix/Linux, applications, databases, network devices, firewalls, IPS, IDS)
  • Capability for both agentless and agent-based log collection

2. Real Time Event Correlations

  • Proactive handling of threats based on log search, rules and alerts. Correlation boosts network security by processing millions of events simultaneously to detect anomalous events on the network

3. Log Retention

  • Capability to easily retrieve and analyze log data
  • Should automatically archive all log data from systems, devices and applications to a centralized repository.

4. IT Compliance Reports

  • Out-of-the-box regulatory compliance reports for PCI DSS, ISO 27001, SOX, HIPAA, etc.

5. User Activity Monitoring

  • Out-of-the-box user activity monitoring, privileged user monitoring and audit reporting: know which user performed an action, what the result of the action was, and the source and destination addresses of the systems/devices used

6. File Integrity Monitoring

  • Capability to monitor business-critical files and folders
  • Capture details of when files were created, accessed, viewed, deleted, modified, renamed, etc.

7. Log Forensics

  • Capability to track down an intruder or event activity using log search

8. Dashboards

  • Capability to take timely actions & right decisions during network / system anomalies

9. Global Threat Intelligence Feeds

  • Capability to receive the latest global threat intelligence feeds and carrier-grade threat intelligence so as to proactively manage threats; collaboration among organizations to enhance security
  • Precise remediation for compromised systems and networks

10. Big Data Analytics

  • Capability to forecast threats using big data; accurate analysis of structured as well as unstructured data
  • Constant intelligence gathering to strengthen security

 

-With Binu Chacko, Head of iSOC (Security Operations Center) & Digital Forensics, Reliance Jio Infocomm, on 'SIEM Tools: Implementation Guide and Vendor Evaluation Checklist'


Read more…

About Project

The scope of the project encompassed Business Units, Support Functions, 200+ processes and 8500+ employees. The project was an outcome of the data pilferage risk envisaged in terms of sensitive customer information and financial data. The risk assessment took inputs from various avenues such as internal audits, external audits, risk events and control committees conducted with top management; the business requirements were driven by customer expectations.

The overall Project approach:

  • Risk Assessment
  • Management Buy-in
  • Business Alignment
  • Budgeting
  • Product Selection / Proof of Concept
  • Solution Deployment and Operations


Checklist to consider in Evaluating and Implementing a DLP Solution


Identify Critical Business Information

  • Right scoping to cover all the critical business processes
  • Defined roles and responsibility matrix
  • Identification of the sensitive information 
  • Laying down the notification and reporting requirements

Policy Definition and Finalization

  • Defining and documenting the policy statements
  • Configuring the tool with the policy statements
  • Establishing the protocol for policy violations and related logging
  • Mapping internet access and external email access to the role profiles, to ensure that access is strictly as per business need

DLP Incident Management Process and Consequence Management

  • Review of incidents by the appropriate Incident Managers
  • Incident analysis to determine legitimate use of business information
  • Identify wrong business processes
  • Add new processes to address data loss risks
  • Identify policy fine-tuning recommendations

Policy Fine Tuning

  • Based on the findings from the earlier exercise, policies need to be fine-tuned
  • Policy fine-tuning reduces unwanted incidents
  • Helps organizations move the DLP tool from monitoring mode to blocking mode
  • Actionable auditing and policy fine-tuning would be a continuous process

Continuous monitoring and Management Reporting Framework

  • Establish a mechanism to feed the learning back in, to ensure a mature program is in place

-With Dhirendra Kumar, Head BCM and Information Security, Barclays Shared Services on 'Data Leakage Protection (DLP) via email gateway and Regulated Internet access'


Read more…

The project scope is to perform a security assessment of the current environment of MBE, including the major business processes, operating functions, organizational units and information systems, and a thorough evaluation of the configuration and design of the existing network and systems infrastructure and main servers. Based on the assessment, the desired information security architecture, which protects the information base and aligns with the business processes, needs to be defined and implemented.

Project execution milestones:

1. Study the existing setup and develop the AS-IS document and Critical Success Factors
2. Analyze the AS-IS study and design the TO-BE environment
3. Procure the required hardware and software and implement them in a test environment
4. Analyze the TO-BE environment and measure the achievements against the Critical Success Factors
5. Conference room pilot setup and demonstration
6. Project go-live and monitoring of the environment; reconfigure for improvements and performance issues
7. Project roll-out to all sites


[AS-IS] critical security elements:

• Sensitivity of information assets and their threats
• Security strategy, program and management system in place including policies and procedures
• User identity and logical accesses management (identification and authentication mechanisms, procedures for creating, modifying and deleting systems / application accounts and profiles, and account naming conventions);
• Security administration and monitoring
• User awareness, Password Change & Reset procedure
• Password policy (syntax rules, expiration, password history etc.)
• Security controls in Applications/Systems Development & Change processes
• Information and user Classification
• Backup Media Handling and Management
• Physical and environmental security
• Host, application, network and systems and database security
• Workstation and End User Computing Security measures
• Perimeter and remote access security
• Business continuity and contingency planning


[TO-BE] critical security elements:

• Conducted interviews with key staff and decision makers
• Organized workshops during which high level impact assessment was performed, general policy requirements was discussed and strategy was finalized
• Discussed, modified and defined information security management structure, security policy and development process
• Identified and evaluated current policies and standards
• Mapped overall security policy requirements to current security policies
• Performed gap analysis to identify where new policies are required and where existing policies and standards are no longer valid
• Provided recommendations and training regarding the methodology to be used in future to maintain the security policy in a dynamic environment


Solution implemented: 

MBE’s total information base is segregated into broad areas, i.e. Engineering Database, Commercial Data Management, Project Management, Document Management and Mailing System.

Security aspects considered during design:

• Network security
• Host and database security
• Internet systems and services
• Intranet systems and services
• E-mail and messaging services
• Web browsing services
• Portal services and systems
• FTP services
• Remote access services
• Intrusion Detection System through Firewall
• Security Monitoring, logging and Management systems
• Security filters and controls on the network boundaries
• Wireless networks [BYOD was not considered because except Mail, no application is available on mobile devices]
• Identification / Authentication mechanisms for Network, Applications and Systems [Single Sign-on applicable for partial application only]
• User identity and, Logical access Management (procedures for creating, modifying and deleting systems / applications accounts and profile, password procedures and policy implementation)
• Backup Media Handling and Management
• Workstation and End User Computing Security
• Physical and environmental security
• Any other Internet or non-Internet based area

Based on the security aspects mentioned above, the following activities were performed:

• Reconfigured network, system, application and information requirements (including authentication, authorization, integrity and confidentiality)
• Reconfigured / implemented non functional requirements (including performance, capacity, redundancy)
• Designed and implemented architecture model (including Identity management, Access control, information flow controls, network segregation and zoning, naming and IP numbering schemes / strategy, credential repository, auditing, etc).
• Designed and implemented system monitoring and management architecture

Control Mechanism:

• Inventory of Authorized and Unauthorized Devices: Restrict use of unauthorized devices
• Inventory of Authorized and Unauthorized Software: Restrict implementation & use of unauthorized software
• Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
• Continuous Vulnerability Assessment and Remediation
• Malware Defenses
• Application Software Security
• Wireless Device Control
• Data Recovery Capability
• Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
• Limitation and Control of Network Ports, Protocols, and Services
• Controlled Use of Administrative Privileges
• Maintenance, Monitoring, and Analysis of Audit Logs
• Data Loss Prevention [ Implemented but withdrawn recently because of its performance issue]
• Incident Response and Management
• Secure Network Engineering

The hit rate of attack vectors has come down drastically: attack volume decreased by around 78%.


Learning:

The lessons we learnt are listed below for the reader’s future reference.

A. Identification of information types and the security requirements for each type of information. The main objective is to have a classification of information and its originating source. This will give us clear guidelines to implement a solution.

B. Knowledge gathering: We have two major sources from which to gather information and enrich our knowledge: libraries/the Internet, and vendors.

C. Product Evaluation: The most important part is evaluating a product. There are so many products available in the market that selecting the one that will suit better and be economically viable is a challenge. A POC is not the only answer, because the POC takes place in a test environment which may not cover all types of issues. Points to consider:
a. Well-defined RFQ in place
b. Product manufacturer details and their R&D roadmap shall be analyzed
c. Gap analysis of the product shall be furnished
d. Work-arounds for the gaps shall be demonstrated by the vendors
e. Scope for customization shall be available
f. Support for the product, including customization, shall be available
g. Availability of technical staff
h. Cost of ownership, including recurring cost if any, shall be minimized
i. Scope for version upgrade shall be available and shall not override the customized portion
j. Past performance of the product and its support shall be reviewed
k. POC with maximum data shall be evaluated to surface performance issues
[It was observed that after installing one endpoint DLP with a very minimal rule set, performance became a show stopper (installed for only 800+ users). It was so bad that the operation of each PC got stuck. We observed that file sharing also stopped within the network, and network bandwidth was badly choked. The POC had been done for 300+ users, where it worked fine.]

D. Vendor Evaluation: A good quality product may fail to perform if not implemented or configured properly. The implementation partner or vendor plays a major role in this area. Points to consider:
a. On-time delivery
b. Quality of technical staff / implementer
c. Product functionality and performance
d. Cost of ownership
e. Facility and technology
f. Responsiveness to customer needs
g. Professionalism of salespersons
h. Quality of relationship with the vendor
i. Local presence


-With Pulak Tarafder, A V P (IT), McNally Bharat Engineering Ltd. on Assessing and analyzing Information Security Infrastructure

Read more…


Achieved Solution Benefits

To mitigate risk

  • Prevent access breaches through privileged accounts
  • Monitor activities carried out by privileged users
  • Enforce accountability for use of generic privileged accounts
  • Enforce granular access restrictions as required by user roles
  • Limit privileges of admin accounts
  • Maintain complete audit trail of privileged activities (i.e Audit Logs / Screen Recording of every session )



To improve efficiency

  • Reduce the management overhead of maintaining a large number of passwords by using a password vault
  • Single Sign On (SSO) – for Servers/Databases/Network Elements/URL’s/Thick Clients
  • Securely extend access to remote vendors ( i.e OTP Based , Time based access )
  • Audit Logs / Screen Recording of every session
  • Authorization Workflow
  • Central Reporting & Alerting ( SMS & Email alerts )


To ensure compliance

  • Comply with regulations and standards (SoD principle, ISO 27001 reports)
  • Meet password policy compliance requirements

The Solution Evaluation Checklist must focus on functionality, security, vendor profile, integration, ease of implementation and total cost of ownership. Here is a complete comparison of Iraje, CA ControlMinder and Arcos, with the comparison parameters.

[Comparison table: image not reproduced]

-With Saurabh Kaushik, Head - IT Security, Lupin Group on Privilege Identity & Access Management (PIM) Implementation


Read more…