pritha's Posts (581)

Turbo Talks

How the Heartbleed bug was found?

Antti Karjalainen - Discoverer of Heartbleed

The Heartbleed bug was a catastrophic vulnerability in the widely used OpenSSL TLS implementation. This talk gives the background on how the Heartbleed bug was found by Codenomicon. The mechanism that initially detected the vulnerability is presented. It also discusses what made the Heartbleed bug so severe, and what kind of factors would have mitigated the consequences of the vulnerability.

Bitcoin Transaction Malleability - An Insight

Daniel Chechik

The Bitcoin network vulnerability has disturbed the huge Bitcoin network. Plenty of trading websites such as Silk Road, MtGox and more have fallen victim to "Bitcoin Transaction Malleability". This talk will take you through the vulnerability and how exactly it may be exploited.

5 Real ways to destroy business by breaking SAP Applications

Alexander Polyakov 

Do you know where all the critical data of your company is stored? Is it possible for an attacker to commit sabotage or espionage against your company by breaking into just one of your business-critical systems? And if so, what kind of systems could be under attack? Is it easy to break them? Is it a myth that SAP systems can be accessed only internally? The time has come not only to answer all of these questions. This time, real examples of different attacks on enterprise business application systems will be shown, based on eight years of research experience in that field. First of all, we will cover all possible business risks related to each and every type of system, such as ERP, SRM, HR, Business Intelligence, PLMs and industry solutions, so that every high-level executive gets a full understanding of what could happen. After that, we will show examples of how easy it is to perform such critical actions in different systems by exploiting vulnerabilities and misconfigurations, from the more business-related, such as abusing SRM systems to win a bid, or fraud in HR systems and salary increases, to more technical things, such as drilling into the corporate network via SAP Portal or delivering backdoors that look like official updates via SAP Router. Our presentation will be the first to show real threats to business during those attacks, with demos of the most interesting ones, and a guide from EAS-SEC on how to avoid them.

A journey to protect POS

Nir Valtman - Discoverer of Point-of-Sale Vulnerabilities

From Target to other retail chains, it was all about 'POS'. Point-of-Sale vulnerabilities have been at their peak for a while. This talk illustrates POS vulnerabilities from both the retailer's and the software vendor's perspective. Get an insight into how POS devices are compromised, including difficult methods like memory scraping. This talk will demonstrate how POS vulnerabilities work and how threats can be minimized. It will also explain ways to mitigate the risk while you learn the basic concepts and get to know which of these actually work.

Intrinsic Leadership

Deb Maes - Neuro-Linguistic Master Practitioner & Trainer

This talk illustrates a new effectiveness model for modern leading, a new method of better HR management and how to harness the great potential in your human resources. Learn to harmonize thoughts, emotions and intuition to create coherence between your thinking modalities and become grounded and confident in decision making, emerging a better, human-centric leader. The talk covers both the cognitive and the emotional aspects.

Cyber Safety in Cars and Medical Devices 

Beau Woods - Creator of IOT Security Framework

We are adopting connected, computerized technology faster than we are able to secure it. When this technology is integrated into life and safety systems, bits and bytes meet flesh and bone. We must know, not just hope, that devices with the ability to impact human life and public safety are worthy of our trust. Learn how the safety impact of merging cyber security with cars and automobiles affects all of our safety. Learn the current state of research and what it tells us about these devices' resilience to accidents and adversaries. Understand why our current approaches to cyber security won't work and, in many cases, will be more dangerous than doing nothing.

The notorious 9 in Cloud Security

Moshe Ferber 

Cloud computing presents major opportunities and benefits for organizations worldwide. It is scalable, flexible and efficient. But along with those major advantages come the threats. Most cloud computing threats and risks are well documented, but we are missing information on how those threats are put into practice in the real world, what attack vectors are used and what the risks and results of those events are. In the presentation we will elaborate on the notorious nine cloud computing threats as described by the Cloud Security Alliance, and for each threat we will provide recent examples of known incidents, the attack vectors used and the damage that resulted from the incident. By understanding the risks and case studies, we can better prepare our organization for cloud adoption. Among the recent events we will explore: supply chain attacks, attacks for Bitcoin mining, attacks on the management GUI, API manipulation and more. We will talk about recent incidents such as the Code-spaces.com hack, the Buffer and MongoDB OAuth credential theft, attacks on Twitter and Microsoft and many more.

More Shadow Walker- The Progression Of TLB-Splitting On X86

Jacob Torrey - Discoverer of TLB-Splitting on x86

This talk will cover the concept of misusing the hardware (the x86 translation lookaside buffer) to provide code hiding, how the evolution of the Intel x86 architecture has rendered previous techniques obsolete, and new techniques to perform TLB-splitting on modern hardware. After the requisite background is provided, the talk will move to the new research: the author's method for splitting a TLB on Core i-series and newer processors, and how it can again be used for defensive (MoRE code-injection detection) and offensive purposes (the EPT Shadow Walker rootkit). This talk will be very high-level but aims to convey the complexities of the hardware and the possible attack vectors that can occur at the lowest levels of an organization's IT infrastructure.

Ants and Elephants in the CISO's Office

Paul Raines - CISO, UNDP

I will show how ISO 9001 and ISO 27001 can be used together to deliver business value and demonstrate to executive management and key stakeholders that you are exercising due diligence in protecting your organisation's information assets. The talk will briefly discuss the requirements of the two standards and show how ISO 27001 and ISO 9001 can be used to address both the tactical challenges of information security (the ants) as well as the strategic challenges of delivering business value (the elephants).

Embedding risk assessment into your project workstream

Michael Calderin - Security Officer, Bupa Global Latin America

Position information security more strategically within your organization by managing information risks early in the project lifecycle. A concise Impact Assessment can help you address serious risks at a time when they can be best addressed. Encourage your audience to participate by creating an unobtrusive process that engages the project team and security team and promotes dialog. This has been key in integrating information security into business and IT workstreams and demonstrating that information security personnel can and should be consulted whenever questions arise. With minimal effort, this type of thinking can create major impact for you and your organization.

Application Security Best Practices

Yuval Idan

Cybercrime is rising exponentially and millions are at risk. Yuval Idan, APAC Technical Director at Checkmarx, will be speaking about today's prominent vulnerabilities and how Source Code Analysis (SCA) can help tackle these issues. The main topics of this talk include integrating security as part of the Software Development Life Cycle (SDLC), learning how to engage developers in the security process and turn them into champions with the help of a Source Code Analysis (SCA) solution, and how to identify and fix security vulnerabilities early to significantly reduce costs. Yuval will demonstrate live how these goals can be achieved.

Actionable Security Intelligence

Derek Manky

Heartbleed and Shellshock are just two of many critical vulnerabilities present in hundreds of thousands of embedded devices connected to the 'Internet of Things'. This talk will give an overview of embedded vulnerabilities, including ones discovered by FortiGuard Labs, to shed light on a much larger issue at stake. This review will highlight the state of IoT security moving forward in 2015. Security strategy will be discussed, including vendor response (PSIRT) and practical protection measures. Heartbleed has subsided and Shellshock is on stage, but many similar vulnerabilities need to be addressed with priority.


Workshops & Trainings (20-21 Nov)

Fuzz Testing Techniques for Discovering Zero Days

Antti Karjalainen (Discoverer of Heartbleed)

The workshop gives an introduction to fuzz testing. Common fuzzing techniques are presented, and what makes a good fuzzer is discussed. The different kinds of failure modes that can be triggered by fuzz testing are demonstrated with real-world examples. It is also demonstrated how the triggered failures can be detected automatically by using sophisticated oracles.

Implementing SAP security

Alexander Polyakov (The father of ERPScan)

An SAP system is the heart of any large company; it enables all critical business processes, from procurement and payment to human resources and financial planning. All of the data stored in ERP systems is of great importance, and any illegal access can mean enormous losses, possibly even the termination of business processes. Within the last 7 years, SAP security experts have spoken a great deal about various attacks on SAP. Interest in the topic has been growing exponentially. This session will provide practical steps for implementing SAP security in a company from the beginning, based on a real case study at one of the world's largest airlines.

Defending Online Attacks on Cloud Instances

Nir Valtman (Discoverer of Point-of-Sale Vulnerabilities) & Moshe Ferber (Cloud Security Entrepreneur)

"Cloud instance lifecycles are changing. Instances can launch, process huge amounts of data and terminate, all within a range of minutes. This life cycle makes traditional security processes such as patching, vulnerability scanning, hardening and forensics impossible due to a lack of maintenance time. New methods must be adopted in order to cope with those challenges. Our idea is a technical live demo. For each part of the cloud instance lifecycle (installing, launching, processing, terminating) we show the attack surface and how we implement the new automated security procedures (automatic patches, encryption of volume storage, automated configuration, log alerting, provisioning of encryption keys) in order to reduce the attack surface and eliminate risk."

Overview of Hardware Level Security

Jacob Torrey (Discoverer of TLB-Splitting on x86)

In this workshop, a brief summary will be provided on the current state-of-the-art in kernel and hypervisor-level attacks and defenses and how the cat-and-mouse game that is on-going in this field can impact your organization. After reviewing the threat landscape, the discussion will move to mitigation strategies and how to fold defending against these types of attacks into existing business models. A holistic view of the adversary model targeting OS and hypervisors will be provided and ranked against other common threats. The audience should leave this workshop with a better understanding of what is possible, what is common and what they can or should do to protect their organizations.

Building an Incident Management Program

Paul Raines (CISO @ UNDP, ex-OPCW)

The workshop will cover the ABCs of putting together an information security incident response team (ISIRT). It will cover the basics of being able to protect, detect, respond and learn from incidents. Based on industry best practices and the lessons learned from experience, the workshop will provide practical advice on how to develop an effective ISIRT with even limited resources.

Mobile Security

Nilanjan De (CTO, IVIZ), Devesh Bhatt (Prominent Security Researcher)

This talk will explain the mobile security architectures for various platforms. It will take you through the attack surfaces and how they vary based on the security architecture of each platform. Then learn the basics of building secure apps and testing mobile apps, along with the tools and technologies for their implementation.

Top Technical Talks
  • How the Heartbleed bug was found?
  • Elliptic key cryptography
  • Hacking Cars, Elevators, Home Automation Systems
  • Hacking Traffic System and Public Infrastructure
  • Summarizing the best research around the world
  • Breaking Cryptography using CPU sound
  • Recent Security Flaws in SDN
  • Deep dive into DDOS mitigation
  • OS-INT to secure your organization
  • Deep Inside big data Analytics
  • Inside machine learning: What’s possible and what’s not?


Top Security Management Sessions
  • Technology evaluation checklist for various technologies (Vulnerability Management, SIEM, IAM, DLP, BYOD, GRC … total 20 Domains)
  • Top ways by which SIEM implementation fails
  • Top ways by which IAM fails
  • Building Security metrics and scoreboards
  • Daily, weekly and monthly checklist for a CISO
  • Incident handling checklist: How to respond to a hack?
  • GRC and Risk Management workshop
  • Building a Security maturity model
  • Security Metrics and Analytics Dashboard
  • Incident collaboration across industry
  • BYOD/Mobile security technology taxonomy
  • Managing board: The CISO way
  • How to manage the risks of the role of CISO?
  • Sharing failures.. (I fail therefore I am)

Top Leadership Sessions
  • The science of building and breaking habits
  • Entrepreneurship basics for a CISO
  • Stress Management using the power of language
  • Ten ways to build your professional brand
  • Start with a why: The art of convincing
  • Top TED Talks for CISOs
  • Happiness: Most recent researches and discoveries

If you have any feedback on the topic please leave your comment below or email pritha.aash@cisoplatform.com
CISO opinion in Global Round Table and Breakfast meet

Meet, meet and meet: for the last few weeks all we've done is meet you and try to help you better. Your views shape us, and those plenty of views needed a to-do list, which is right here. We are grateful for each of your contributions and hope to have more of these exciting sessions again soon.

Quick event meets:

  • New York CISO Platform Breakfast Meetup (15th August)
  • San Francisco CISO Platform Breakfast Meetup (14th August)
  • Los Angeles CISO Platform Breakfast Meetup (11th August)
  • Las Vegas CISO Platform Breakfast Meetup (6th August)
  • Mumbai CISO Platform Breakfast Meetup (24th July)
  • Delhi CISO Platform Breakfast Meetup (25th July)
  • CISO Handbook Meetup on "DLP & Data Security" and "Advanced Cyber Security Threat Protection" (13th August) [sponsored by Websense]
  • Bali CISO Platform Meetup (4th September)

CISOs were very enthusiastic and shared their views on various aspects, such as their current obstacles. Below is the best of all this discussion at a glance.

Topics CISOs are Interested in:

  1. Corporate espionage
  2. Business and security alignment - sensitizing
  3. Board level communication
  4. Template to derisk - CYA
  5. Acceptable risk communication and sign-off
  6. Evaluation checklist
  7. Handling audit and auditors - jwt
  8. Handling consultants - satish
  9. Latest tools and technologies - comparison
  10. Taxonomy
  11. Mobile security - hacking
  12. Live demo of products, hackers and social engineering
  13. Masking of phone
  14. CSR for CISO
  15. Open source tools repository
  16. Work-life balance
  17. Forensics - case studies of frauds
  18. Utilities security - electricity
  19. How do I protect my computer or phone?
  20. How to do MSSP business in the USA?
  21. Governance for cloud vendors - SLA
  22. Thought leadership in AppSec
  23. Cost optimization for security
  24. Not getting logs from the vendor
  25. Controlling internet bandwidth
  26. ERP security
  27. Securing retail supply chain
  28. Connecting small office - securing
  29. How to get appliance testing? Best practices: what should I do before I get an appliance into my network?
  30. New tech to protect cloud
  31. Data security for e-procurement
  32. ERP customization security
  33. Third party coding or vendor risk
  34. Vendor locked! - code changes and security
  35. Cyber defense - setting tolerance
  36. Mobile security enterprise framework
  37. Legal framework universally acceptable for security
  38. Minimum requirements from government
  39. Knowing your cyber liabilities
  40. Cyber assurance for security
  41. Innovations in security
  42. Negotiating licenses and contracts
  43. Moderated discussions: focused topics

Ideas of Engagement:

  1. Sharing content on website
  2. Weekly, monthly, weekly checklist for CISO
  3. Selling security - case studies
  4. Art of living or meditation
  5. Topic for month - ask the community
  6. Certification - checklist
  7. Subject matter expert - breakfast
  8. Open source AppSec testing tools
  9. Government level compliance or checklists for data on cloud for other vendors
  10. Meetup.com and linked.in
  11. Any of your customers (BYOC), invitation
  12. At somebody's office
  13. Museum or interesting place
  14. FS-ISAC (heads)
  15. Bill Sieglien - breakfast (CISO Executive Network)
  16. Breakfast club (pay money)
  17. Get intro for ISAC and Bill (Kispert)
  18. Kispert - top 100 CISO email (draft)
  19. Only CISO
  20. First 90 days for a CISO
  21. Maslow's law
  22. Paul Martin
  23. Securosis
  24. John Orison - tim tech
  25. Chin lady (2)
  26. DLP, IDS
  27. Invite for CP annual summit
  28. Email - invite, advisory
  29. Sujeet and Garrett (advisors + invite to speak + send meeting notes + invite to join)

Feedback on CISO Platform Index (CPI):

  1. When is the rating done? How recent is the product?
  2. CISO satisfaction index
  3. Version and date of purchase

Key notes on content (uncategorized):

  1. How well am I doing as a CISO?
  2. 90 days plan to get started
  3. CMM model for security
  4. Lonely CISO: 1 man shop
  5. Security on a shoestring

What CISOs Want

1. How to do a better vendor evaluation?

  • Know both success and failure stories.
  • A strong network among CISOs for sharing failure stories.
  • A common checklist for vendor evaluation should be made once we are aware of the success and failure stories. The checklist should be shared online.
    (Update: CISO Platform has already started executing this project. Please click here to know more.)
  • Creating a superset of features, deciding which are more important and then mapping the vendors against it would be a good solution.
  • It is important to understand the gaps between pre-sales and marketing commitments and the real commitment from the technical team.
  • During customer references, ask about both the vendor and the partner experience.
  • Doing a weakness check with other competing vendors, apart from customer references, can be very helpful in collecting intelligence. However, this needs to be done with caution, since competitors may not always convey the correct weaknesses of the others.
  • The newly initiated CISO Platform Index would prove to be the best source for customer success/failure stories.

2. What do you expect from vendors in their marketing process?

  • Vendor product presentations should not have hidden costs. Sales persons should be transparent and upfront with all costs.
  • A technical person who knows how the product works should accompany the sales person, so that they can address the technical queries of CISOs.
  • Vendors should take ownership of the implementation and customer success.
  • Vendors should highlight both the advantages and drawbacks of their products.
  • Vendors should let their customers speak.
  • Vendors should align their marketing to the specific domain/industry rather than being generic.
  • Vendors should demonstrate their products in action instead of giving static presentations. They should create labs and demonstrate the product in real action.
  • Vendors should stay engaged both during the pricing of the product and throughout the product's life-cycle.
  • What value are they adding to a CISO's journey to success? Are they willing to walk along with the CISO?
  • Vendors should focus on a good support infrastructure (after-sales service as well as relationship management) for product success.

What other things do you think are needed for a vendor evaluation? Tell us what you think in the comments below.


This is the second compilation of the Best of Defcon 22 at a glance. The links below lead to the respective complete presentations (PPT).

Important Note:

  • All presentations are courtesy of Defcon and are presented as-is without any modification
  • Some of the descriptions below are taken from Defcon website (www.defcon.org)
  • You need to Sign in/Sign up to view the presentations. (It's free)

Hacking US (and UK, Australia, France, etc.) traffic control systems

Traffic signals seem easy to mess with, even though we realize the results can be miserable. This speaker has examined some major devices used by traffic signals in various cities and countries (Washington DC, Seattle, New York, San Francisco, Los Angeles, the UK, Australia, France etc.), hacked them, found vulnerabilities and shown how they can be exploited. Learn it from scratch (with testing demos) in this talk.

Don't DDoS Me Bro: Practical DDoS Defense

DDoS may have been a nightmare recently, and you have felt its wave multiple times, including the attack on Evernote! How to defend and what to do when DDoSed is exactly what this talk tells. It also shows how to keep your defence low-budget with the right tools and techniques, and how to analyze an attack.

Protecting SCADA from the Ground Up

From electricity to water distribution, ICS (Industrial Control Systems) and SCADA are everywhere. Their connection to the internet is increasing, and thus their protection is crucial. This talk tells us how to best protect these infrastructures by getting into the system, understanding how it works and where it goes wrong.

Optical Surgery: Implanting a DropCam

Dropcam users may want to know that malicious software can be installed on the device and someone might just be tapping into your video stream. Dropcam is a cloud-based Wi-Fi video monitoring service that lets you stay connected from anywhere. This talk demonstrates the complete takeover of your Dropcam and the manipulation of its brain. Your tracker can see you, hear you and probably much more.

Client-Side HTTP Cookie Security: Attack and Defense

HTTP cookies: everyone has many. But how do they help or harm? This talk explores the popular browser cookie storage mechanisms, how cookies can get stolen and, of course, how you can prevent it from happening. Your cookie might just have given away your special-character passwords, or let someone bypass your 2-factor authentication.

Acquire Current User Hashes without Admin Privileges

User-level access doesn't exist after this talk. Any such user can now have admin privileges! How? The new technique is there in this talk. A design flaw in the Windows SSPI implementation proves to be fatal.

VoIP Wars: Attack of the Cisco Phones

Using Cisco VoIP solutions? They may be vulnerable to attacks like VLAN attacks, SIP trust hacking, bypassing authentication and authorisation, call spoofing, eavesdropping and many more. This talk covers some of the basic hacks, including brute force attacks, Skinny and SIP signalling attacks, a 0-day bypass technique for call spoofing, billing bypass etc.

Detecting and Defending Against A Surveillance State

Not too many days ago we were all wondering "Are we being spied on by the state?". This talk will allow us to find out whether we are being spied on and to detect the hardware bug, firmware etc. doing so.

Check your Fingerprints: Cloning the Strong Set

A GPG-focused session with all the facts you need to not be broken. The fact that even fingerprints may not keep you safe, that the widely used GPG UI is broken, and that key servers not using SSL are exposed to MITM and DNS attacks can be eye-openers. If you use GPG, this talk is a must for you!

Abusing Software Defined Networks

SDN (Software Defined Networking) is known to have the potential to make a great difference in the internet world. However, its present implementations are highly vulnerable to attacks such as protocol weaknesses, which could lead to information leaks, MITM, DoS attacks etc. This talk runs through the weaknesses and how to protect against them.

Mass Scanning the Internet: Tips,Tricks,Results

With a working knowledge of nmap, this talk will teach you how to scan the internet. Thinking of 'devices vulnerable to Heartbleed or the D-Link router vulnerability'? From the ISP needed to the friendly tools and how to avoid the mess. The vast sea of undiscovered knowledge can now be explored; whether for fun or precaution is yours to choose.

POS Attacking the Traveling Salesman

Targeting international passengers, POS can give some useful information like name, picture, flight number, destination, seat number etc. Even though it is not exploiting commercial POS details like credit card credentials, this information can be exploited to gain unauthorised access to airport data and in many more ways. This talk focuses on transport (airline) POS.

Dropping Docs on Darknets: How People got Caught

Tor? Looking to obfuscate your traffic source? Some cases of people who tried and still failed, presented in this talk, will reveal the reasons for getting caught and how you can prevent it from happening.

Practical Foxhunting 101

Finding the wireless emitters (foxhunting) in your current environment can be fairly easy, even with no special device. This talk will tell you how, covering everything from antennas and radios to visualization software.

From Raxacoricofallapatorius With Love: Case Studies in Insider Threats

This talk unfolds the story of insider threats: their potential signs, what inspires them and how to be aware of them. It will lead you through interesting examples involving honey pots, encryption etc.

RF Penetration Testing, Your Air Stinks

Security professionals normally use few effective RF tools, procedures and tactics while conducting repeatable RF penetration tests. The process, from finding the RF in the environment to identifying vulnerabilities and then exploiting them, is methodically laid out in this talk. It also recommends software and hardware, so newbies can be comfortable.

Don't miss Part 1 of this blog.

14 Things to Consider While Defining a GRC Framework

The Information Security function had to be aligned to the Risk Management function to provide independence by separating Infosec governance and Infosec operations responsibilities. Enhancement of the policy focused on wider and strategic modifications, faster adoption of emerging technologies and empowering all stakeholders.

Key learning:

  1. While defining policy, the objective was also to remove subjectivity.
  2. Empower businesses to define and own 'risk', enabling productivity and efficiency in decision making.
  3. Define "Risk Control Self Assessment" wherever possible, with templates and checklists supported by appropriate guidelines.
  4. Focus on employee empowerment with increased responsibility and, at the same time, ensure technology tools are on constant vigilance to prevent unintentional or intentional incidents.
  5. Keep a balance between empowerment and security.
  6. Along with empowerment, define measurement metrics ("Key Risk Indicators", "Key Performance Indicators") which help us to measure the security levels of all business units uniformly and integrate the risk score with business risk.
  7. Define a modular SOA (Statement of Applicability) for each business unit to ensure their respective regulator's requirements are met and business units are flexible to add/modify/delete any controls to meet their security obligations.
  8. Define separate security governance and security operations to build objectivity into the system, where custodians of data are no longer controllers of data but enablers of data sharing.
  9. Define a revised policy that is technology agnostic, addresses business needs along with technology and regulatory requirements, and adheres to key industry standards.
  10. Define an integrated information security policy as a part of the business process, along with increased involvement of business users through RCSA (Risk Control Self Assessment), and build transparency and self-awareness about risk levels.
  11. Define accountability for each individual's own actions and performance metrics.
  12. Define a strong monitoring system for end user activity as well as from a network access perspective.
  13. Consider BYOD and Cloud as a market trend towards mobility and flexibility while defining policy.
  14. Establish a strong security management framework for managing new technology developments.

Establish GRC (Governance, Risk and Compliance) framework to build visibility and better governance.

- With Anuprita Daga, CISO, and Umesh Parshetye, IT Strategist, Reliance Capital Ltd. on 14 Things to Consider While Defining a GRC Framework

Defcon 22, the largest conference for hackers with 15,000 attendees, saw some of the most interesting research in the field of security and hacking. From hundreds of talks, we have handpicked the top presentations which are relevant for security managers and leaders.

Important Note:

  • All presentations are courtesy of Defcon and are presented as-is without any modification
  • Some of the descriptions below are taken from Defcon website (www.defcon.org)
  • You need to Sign in/Sign up to view the presentations. (It's free)

Elevator Hacking: From the Pit to the Penthouse

Elevators have played a key role for hackers and pen testers alike. An in-depth look at how elevators work, allowing a greater understanding of the system and how sometimes unexplored features can leave serious threat exposure.

Weaponizing your Pets: The War Kitteh and the Denial of Service Dog

A walk through how tracking works for your cat and dog, and thus the creation of the War Kitteh and the Denial of Service Dog. The presentation takes you through every step and tells exactly what works and what doesn't. For example: 'Cats are very tough to work with'.

One Man Shop: Building an effective security program all by yourself

Learn the process from "Step 1" to an effective security program in a cost-effective and resource-constrained manner. It is based on real-world experiences and introduces a multi-year approach to methodologies, techniques, and tools.

Click here to view ppt.

Instrumenting Point-of-Sale Malware

Encourages the adoption of better practices in the publication and demonstration of malware analyses. It proposes borrowing the concept of “executable research” by supplementing written analysis with material designed to illustrate the analysis using the malware itself, which helps analysts with in-depth research. It also discusses how taking a step beyond traditional sandboxes, to implement bespoke virtual environments and scripted instrumentation with commentary, can supplement written reports and make the malware analysis more sound and useful to others.

Click here to view ppt.

Burner Phone DDOS 2 Dollars a Day: 70 Calls a Minute

Research on DDOS by phone. The proof-of-concept model is the SCH-U365 Qualcomm prepaid Verizon phone. Custom firmware converts it into a DoS system that spam-calls a number 70 times a minute until the battery dies, with automatic receipt of phonebook numbers via the speaker. Evasion methods including PRL list hopping are used.

Click here to view ppt.

Bypass Firewalls, Application White Lists, Secure Remote Desktops under 20 Seconds

"Imagine a scenario, where you have deployed a malware on a user’s workstation, but the target information is on a secure server accessed via two-factor authentication, with screen access only (e.g. RDP, Citrix, etc.). On top of that, the server runs application white-listing, and only the inbound port to the screen server (e.g. 3389) is allowed through the hardware firewall. But you also need persistent interactive C&C communication (e.g. Netcat, Meterpreter, RAT) to this server through the user’s workstation." Two developments are offered: the first tool can drop malware to the server through the screen while the user is logged in; the second tool can help circumvent the hardware firewall once code can be executed on the server with admin privileges (using a signed kernel driver).

Click here to view ppt.

The Dangers of Insecure Home Automation Deployment

A dissection of the reverse engineering of the KNX/IP home automation protocol; a description of the deployment flaws; blueprints for how an iPad Trojan could send commands from outside the hotel; and, of course, solutions to avoid all these pitfalls in future deployments.

Click here to view ppt.

Touring the Darkside of the Internet: An Introduction to Tor, Darknets, and Bitcoin

An introductory-level talk covering the basics of Tor, darknets, darknet marketplaces, and Bitcoin, with some recommendations to help make the use of Tor, Bitcoin, and marketplaces more secure.

Click here to view ppt.

A Journey to Protect Points-of-Sale

Learn how points-of-sale get compromised from both the retailer’s and the software vendor’s perspective, and why some concepts work while others don't.

Click here to view ppt.

Attacking the Internet of Things Using Time

Internet of Things devices, being slow and resource-constrained, are easy targets for network-based timing attacks, allowing brute-forcing of credentials. This talk explores how timing attacks work, how they are optimized, and how to tackle the various parameters of exploitation.

Click here to view ppt.

From ROOT to Special: Pwning IBM Mainframes

1.1 million transactions are run through mainframes every second worldwide, yet mainframe security is neglected. This presentation tears open mainframe security: it goes to the root, exploits it with existing tools and uses that to develop new tools.

Click here to view ppt.

Am I Being Spied On? Low-tech Ways Of Detecting High-tech Surveillance

There's that eerie feeling when someone is spying on us. Stop that! This talk teaches several low-tech ways to detect even high-tech surveillance. Topics covered: surveillance cameras, physical surveillance, detecting active and passive bugs, and devices implanted inside computers, tablets, and cell phones.

Click here to view ppt.

Cyber-hijacking Airplanes: Truth or Fiction?

This presentation examines the mechanisms of an airplane in depth to examine the claims of cyber-hijacking airplanes. It assumes no prior knowledge, beginning from fundamentals and leaving a better understanding of ADS-B, ADS-A, ACARS, GPS, transponders, collision avoidance systems, autopilots, and avionics networking and communications. Several important aircraft technologies are examined.

Click here to view ppt.

Hacking 911: Adventures in Disruption, Destruction & Death

Emergency medical services (EMS) are what we trust today to safeguard the lives of our loved ones. But the tide of time and technology has left them 20 years behind and obsolete. The security of such critical systems has not been critically watched. This talk will tell you how it can crash.

Click here to view ppt.

>> Don't miss "Part 2" of this blog: click here to read more!

Read more…

'Development of enterprise-level Information Security Policies, Procedures and Standards' was an initiative to ensure we have enterprise-wide policies, procedures and standards for ensuring smooth Governance & Compliance of Information Security practices. Standards based on industry benchmarks such as CIS, NSA and NIST help an enterprise to configure, implement, manage and monitor a robust infrastructure and best security practices through business-approved policies and procedures. Through this project, we are coming up with policies, procedures and technical control standards that streamline and strengthen the implementation of Operating Systems, Databases, MS Office / Exchange environments, Server Infrastructures, Network/Firewall Infrastructure, Virtual Machines, Remote Access, Mobile Technologies, Secure file/data transfers, Encryption, Access Management, Incident Management, Business Continuity Management etc.

( Read more: Security Technology Implementation Report- Annual CISO Survey )

Checklist for Technology/Vendor/Solution Evaluation:

  • Ensure the company is registered with / subscribing to one or more industry standards/benchmarks, e.g. Center for Internet Security (CIS), National Institute of Standards and Technology (NIST), National Security Agency (NSA) etc.

  • Ensure an Information Security Policy Framework is in place that describes the company strategy to have

    • Information Security Policies
    • General security controls that are applicable across the enterprise
    • Technical control areas that are applicable across the enterprise
    • Processes and Procedures required for adopting some of the technologies/standards

  • Understand the current enterprise implementations, documentation, policies, procedures and other artifacts in place, i.e. the infrastructure:

    • Types/kinds of servers
    • Different OSs implemented
    • Network/Firewall solutions in place
    • Databases being used
    • Virtualization strategy
    • Data Loss Prevention controls/tools in place
    • End-points being used
    • Strategies for desktop/laptop/mobile device encryption
    • Incident Management in place
    • Access and authentication management in place
    • Business Continuity / Disaster Recovery Management

  • Define the team structure involved in policy development, review, testing, approvals etc., e.g.:

    • Identify/register/subscribe to industry standard benchmark providers
    • Identify the authors/contributors and policy developers within the organization, or hire an expert agency to develop the policy framework/policies etc.
    • Identify the SMEs (Subject Matter Experts) who would be involved in reviewing all of the documents being developed
    • Identify the SMEs and technical teams who would be involved in thoroughly testing all of the controls/policies being documented
    • Identify the business approvals; ensure the right stakeholders are involved in approving the different sets of documentation mentioned above

( Read more: How Should a CISO choose the right Anti-Malware Technology? )

Key Learning: Do's and Don’ts

  • Ensure an information security strategy/program is in place
  • Ensure an Information Security policy framework is in place
  • Ensure registration/subscription to industry standard practices and benchmarks
  • Ensure every policy/procedure/control/standard document is thoroughly reviewed and approved by SMEs
  • Ensure every control in these documents is tested to fit the business requirements and the security practices/strategies of the company
  • Avoid the temptation of covering the entire universe in the policies, procedures, controls and standards. The industry benchmarks/standards generally cover the entire gamut of the topic; it is key to understand what is relevant to the business and the security strategy of the company and to implement only that as a policy or a standard.

- With Mahesh Sonavane, SunGard Global Technology, on How To Evaluate Compliance Solutions

What are your evaluation parameters for GRC solutions? Share your views in the comments below or write your article here.

Read more…

With most enterprises now conducting business on the Web, it has become more crucial than ever that the experience is rich and responsive. Often these two goals conflict. How do you ensure a robust, interactive experience without sacrificing page-loading speed? How is it that some of your competitors are able to deliver dynamic content and rich Internet applications (RIAs) and still have sub-second load times? The answer comes in two parts: best practices for you (addressed in this report), and best practices for your application development colleagues (addressed in part two of this series). 

>>Download the Complimentary Forrester Report

What's in the report?

  • Impatience Is Your No. 1 Competitor
  • Web Performance Best Demonstrated Practices
  • Best Practice No. 1: Measure Early And Often
  • Best Practice No. 2: Cache Smart And Cache Often
  • Best Practice No. 3: Architect For Scale Out
  • Best Practice No. 4: Partner With Application Development Professionals
  • Forrester’s Web Performance Next Practices
  • Web Performance Optimization Never Stops, But The Infrastructure Might
  • Identifying Your Challenges
  • Case Studies
  • Supplemental

What are your best practices for a super fast website? Share your views with us in the comments below.

( Read more: Annual Survey on Cloud Adoption Status Across Industry Verticals )

This is a Sponsored Report by Akamai


Read more…

 

A Vulnerability Management System was implemented as a practice within the Organization across the Global Business Unit (India, Middle East & Africa). The implementation included Vulnerability Assessment and Remediation. The assessment is based on Severity Levels (Actual & Potential) obtained through vulnerability scanning of all devices connected to the Internet, Intranet & Service Network. Evaluation of the Weighted Intrusion Rate (WIR) through a formula gave values which are required to be kept below a pre-decided threshold value for each of these networks. These values provided the vulnerability status for the region and thus also formed the KPI for this assessment. The project was carried out over a period of three months after elaborate testing and assessment. This implementation improved the efficiency of the security team in terms of reduction in time, effort and cost. Formation of a Vulnerability Monitoring Team made the practice more effective in terms of reduction in the time taken for remediation of vulnerabilities.

( Read more: Can your SMART TV get hacked? )

 

Checklist for Vendor Evaluation:

Experience has invariably shown that no single vendor provides solutions for all the components that can support a vulnerability management system. Therefore, it is necessary that, prior to deciding on a tool, its capabilities and shortcomings are well understood. A sample checklist that can help during evaluation is as follows:

  • Asset Management: The capabilities and limitations of the technology to provide an asset inventory database, extend support for additional fields, or integrate with other asset management repositories
  • Versatility: Ability of the technology to operate against the series of Windows OSs and diverse platforms, applications and devices
  • Ability to Aggregate: The product must be interoperable with other security technologies, e.g. ISS Internet Scanner, MS MBSA, Nessus, Foundstone, Retina, BindView etc. In other words, the product should be able to aggregate vulnerability data from multiple and dissimilar sources
  • Vulnerability references: The technology should be able to identify the source of information and comply with Common Vulnerabilities and Exposures (CVE)
  • Ranking: The tool should be able to rank/prioritize remediation efforts
  • Enforcement of Policy: The product should be capable of designating the identified remediation at different enforcement levels, i.e. from mandatory (needed) to forbidden (acceptable risk), through an interface which is centralized and policy-driven
  • Management of remediation groups: The tool should permit grouping of systems in order to manage remediation and control access to devices
  • Remediation: The product should be able to tackle vulnerabilities induced by system misconfiguration and vulnerabilities arising from inappropriate patches, e.g. deploying changes to the OS or applications such as disabling/removing accounts (i.e. accounts with no password or no password expiration), disabling and removing unnecessary services, deploying patches on the OS or applications, and the ability to harden services such as NetBIOS, anonymous FTP, hosts.equiv etc.
  • Integration Capability: The ability of the product to include or integrate existing patch management tools
  • Maintain distributed patch repository: The product's capability to load-balance and distribute the bandwidth associated with patch distribution to repositories installed in various strategic locations
  • Patch Installation Failure Info: The tool should be able to report if a patch installation has been unsuccessful or needs re-installation
  • System of Workflow: The product should follow a workflow system that assigns and tracks issues. It should be able to assign tickets automatically based on defined rule sets (e.g. vulnerability, owner, asset classification etc.). It should be able to interface with other products like Remedy, HP Service Desk etc., which are common corporate workflow products
  • Usability: The tool should be able to participate actively in the network services with minimal or no impact to business operations, with an intuitive user interface
  • Report Generation: The tool should be able to generate reports determining the remediation success rate and trending remediation efforts. The reports generated must be detailed and customizable
  • Appliances: It must be known whether the tool is software-based or appliance-based. A software-based solution is affordable and may be able to operate on existing hardware, thus reducing the upfront capital expenditure, while appliance-based solutions provide performance and reliability advantages
  • Deployment of Agents: The application’s deployment of agents and its capability to leverage existing agents on the system; capability to simultaneously deploy these agents on groups of assets, to reduce deployment constraints
  • Standard Configuration: Availability of a predefined security configuration template to assess the technology, as in some cases defined templates support regulatory requirements like SOX, HIPAA, ISO/IEC 27000 series
  • Vulnerability Research Team: The vendor must have its own vulnerability research team and should be an active participant within the security community through identification and release of security vulnerabilities. The vendor must practice responsible disclosure. The vendor must release checks for vulnerabilities it has discovered prior to the OEM remediating them. Also consider the methodology adopted by the vendor to respond to vulnerabilities in its own products
  • Frequency of vulnerability update releases: Frequency of release of vulnerability updates by the vendor and their distribution. The distribution mechanism must leverage industry-recognized security communication protocols

( Read more: How to choose your Security / Penetration Testing Vendor? )

 

- With Murli Menon, Atos, on How To Evaluate Vulnerability Management System Vendors

Do share your views on vulnerability management tools in comments below. 

Read more…


>>Download the Complimentary Forrester Report

Why Read This Report

Over the past decade, infrastructure and operations (I&O) teams have focused large amounts of resources on making their customer-facing websites blazingly fast because website experience had a direct correlation to customer satisfaction and revenue. The introduction of cloud, virtualization, and mobility has expanded the number of types of revenue-producing applications, which means that I&O teams need to optimize a much broader set of user experiences. The new business environment has narrowed the period between changes; data, users, and applications are in constant motion; personal and business resources are no longer separate; and now there are mobile, web, traditional, and hybrid applications traversing the network. Thus, providing a network that can handle all of these elements is extremely complex. This report focuses on the networking technologies available to meet this challenge — principally application delivery controllers (ADCs), content delivery networks (CDNs), front-end optimizers (FEOs), load balancing, security services, and wide area network (WAN) optimization — and the best ways to deploy them to optimize the user experience.

Key Learnings:

  • Moving Beyond Blazing-Fast Websites
  • Business Acceleration Solutions Optimizing User Experiences
  • Pitfalls To Avoid In Combining Acceleration Technologies

>>Download the Complimentary Forrester Report

"A network architecture that focuses on monitoring, controlling, and optimizing the quality of user experience."


Fig - Application Acceleration Technologies Merging Into Business Acceleration Services

>>Download the Complimentary Forrester Report

What are your ways to enhance customer experience along with great security coverage? Share your views with us in comments below.


Read more…

How To Evaluate Network Security Vendor

As per the IT Security Audit report of Ernst and Young, we have to protect our network from misuse of the Internet and we required a proper analyzer to analyze our network; they also guided us on the implementation of a BYOD policy in the company and the protection of ERP through dual authentication. We have to protect our ERP application by using SSL VPN for remote locations also. Our top management is interested in protecting our network in a proper way and reducing some bandwidth cost.

( Read more: Security Technology Implementation Report- Annual CISO Survey )

Checklist for Evaluation:

So after proper evaluation, we decided that we have to go with the Cyberoam 300ING.

  • We have compared the following devices and done a proper comparison: Fortigate 300C with Fortigate 100 Analyzer, Cyberoam 300ING and Checkpoint 4800 NGTP.
  • As the price of Checkpoint and its maintenance cost are very high and not in our budget, we decided to go for Fortigate or Cyberoam. Our team has done a POC in a proper way for all devices and decided the same.
  • Cyberoam has an edge over Fortigate related to UTM. Fortigate 300C doesn’t have an analyzer; for an analyzer we have to go for the Fortigate 100C analyzer, due to which our cost is going to increase.
  • After thorough discussion, we decided to go for Cyberoam 300ING at HO and Cyberoam 15ING at the Worli and Malad sites for creation of VPN and applying the company policy.
  • We have implemented the required blocking in this, and implemented a BYOD policy in our company. Blocking of resigned employees' IDs is done on the same day; the WiFi password is refreshed within a week's time; WiFi password sharing is very limited, etc.
  • We have activated SSL VPN in our firewall for remote-location ERP users.
  • We have configured our ERP so that whenever a user logs in to the ERP, the ERP checks the user name and password in the ERP server as well as in Active Directory. If either does not match, the user is not able to log in to our ERP. Due to that we have added an extra level of security to our ERP application.

( Read more: Hardware Trojans: Sneak Peek into the Future )

Some Do's and Don'ts:

Whenever you plan a project, evaluate it in a proper way. Take your own time for the POC and other activities. Also make top management aware in a proper way. Employee awareness about IT Security is the key to success for the protection of our network.

- With Chitranjan Kesari, Omkar Realtors & Developers, on How To Evaluate Network Security Vendor

What is your strategy to evaluate a Network Security Vendor? Share your views in the comments below.

Read more…

Checklist for E-Procurement Portal

E-Procurement Portal has been set up for providing state-of-the-art e-Procurement services in India to Govt. Departments, Public Sector Organisations and Large Private Sector Enterprises. This e-procurement portal comprehensively addresses almost every nuance of the formal Public Procurement process having ‘Legal’, ‘Security’ and ‘Transparency’ related significance.

( Read more: CISO Guide for Denial-of-Service (DoS) Security )

 

Key Learning: Dos and Don’ts:

Functionality of the E-Procurement application includes multi-stage, multi-envelope sealed bidding (including the two-stage tendering process as per CVC Guidelines). The system offers the added functionality of e-Reverse Auction, e-Forward Auction, and an e-Catalog system, integrated with the core sealed-bid e-Procurement system.

To incorporate such unmatched ‘Security’ and ‘Transparency’ related features, this application uses a ‘Symmetric Pass-Phrase’ for bid encryption (i.e. bid sealing), as distinct from using the Public Key (i.e. PKI) of the TOE officer for bid encryption. While PKI is excellent for electronic/digital signatures, its use for data encryption (i.e. bid encryption in the context of e-procurement) is quite useful.

Dos:

  • Planning must include quality analysis, and it also includes making a checklist for having a secure environment.
  • Reporting and analysis on key security incidents
  • Reporting and analysis on risk assessment and remediation activities

Don’ts:

  • Don’t micro-manage.
  • Don’t design in too much detail.

Opportunities and Challenges:

As this application is fully compliant with the IT Act 2000; CVC Guidelines on e-procurement (especially CVC Circular No. 18/04/2010 dated 26th April 2010); the e-Procurement Integrity Matrix of Transparency International India (TII); the Government of India’s e-Procurement Guidelines issued in August 2011 by STQC, Department of IT, Ministry of Communications & IT, Government of India; and the ‘Recommendations for Encryption Policy’ u/s 84A of the IT (Amendment) Act, 2008 by the Data Security Council of India (DSCI), regarding ‘Data Encryption’ (i.e. bid encryption in the context of e-procurement), getting a secure environment has always remained a priority, and, along with all this learning, keeping the system running presents both opportunities and challenges.

( Read more: Annual Survey on Cloud Adoption Status Across Industry Verticals )

Dos

  • Educate on the existence and implications of the Information Security policy and standards for their initiatives.
  • IT personnel – Reinforce their roles and responsibilities pertaining to Information Security.
  • All Employees – Establish their responsibilities to protect systems and Information Assets.
  • Non-Employees – Establish clarity on their responsibilities as they are positioned relative to customer confidential data.
  • Adopt mechanisms for safeguarding your customer confidential information.
  • Documentation.

Don'ts

  • Don’t use insufficient support.
  • Don’t subscribe to non-business services with your business-critical ones.

- With Dinesh Kumar Chawla, Telecommunications Consultants India Ltd., on How To Evaluate An E-Procurement Portal

What are your takes on E-Procurement? Share your views with us in the comments below.

Read more…

When we started this project of Secure Wireless LAN implementation in our organization, the key consideration while evaluating was that the solution must be robust, stable and highly secured, so as to avoid security hassles and wireless threats.

Most companies go to great lengths to keep unauthorized users off their networks, but Wi-Fi access points can provide hackers with a convenient way in. That's because Wi-Fi signals are often broadcast outside the network - an enticing invitation for hackers.

Since many companies allow or even actively encourage employees to connect to the network using their own mobile devices - tablets and smartphones as well as laptops - it's not practical for most companies to switch off Wi-Fi access.

We have finalized a Wireless LAN solution for us which is based on the below-mentioned points, which are absolutely necessary for having a mature WLAN access set-up.

  • High security – The WLAN facility will have different kinds of users with different kinds of access roles. This naturally calls for a system which can identify the variation among the users and provide seamless connectivity and a great user application experience. In such networks, which have various kinds of users, it is an utmost necessity that security engulfs the whole networking infrastructure right from the user to the core of the network. The implemented solution provides multiple layers of security to protect access to the wireless network, the data transmitted on the wireless network, and the wireless users and infrastructure.
  • Reliability – The wireless LAN has a major part which is invisible and can’t be traced very easily if there is some problem in it. The RF part of a WLAN is the most difficult part to manage and make work flawlessly. The implemented solution has a technology called Adaptive Radio Management which allows the organisation to forget the worries of managing the RF and does it all automatically.
  • Scalability – WLAN systems are extremely scalable and flexible. The features and functionalities that the system supports are embedded in the base OS of the controller, and hence all the features are available throughout the range of controllers. The Access Point support in the controllers is highly scalable and can start from as low as 4 and go up to 2048 on a single controller platform.
  • Central Management – Considering the large campus, which is a constantly changing environment, a centralized solution which integrates its capabilities in a centralized controller makes it very easy for an enterprise to start small and broaden a deployment to support all kinds of wireless clients, mobile voice or general-purpose business applications—email, Internet, server access and guest access — to increase the productivity of mobile guests and internal employees, while also providing a single point of configuration, troubleshooting, and security monitoring.
  • Ease of Implementation – The Aruba system is designed to be plug-and-play in most environments, requiring no parameters to be configured individually in any equipment. The AP has plug-and-play deployment flexibility and is connected to an existing Ethernet infrastructure. The controller has both L2 and L3 functionalities and can be spread over the existing network. The link from the outdoor APs can be over UTP or fibre.

Note: The motive of this project is to provide a secure Wireless LAN.

( Read more: APT Secrets that Vendors Don't Tell )

 

Key Learning Dos and Don'ts :

  • Security planning as per the environment is very crucial and important.
  • It is very important to have proper planning and handshaking for a multisite setup with a centralized controller.
  • A reliable and manageable network infrastructure is essential.
  • The ongoing management and maintenance of the access points and related equipment should be given serious consideration from the outset.
  • Site surveys should be carried out properly to avoid any issue post-implementation.
  • Wireless networks involve a lot more wires than the name would suggest.
  • Deployment of a wireless network does not necessarily lead to an increase in administration costs.


- With Daljit Singh Sodhi, Aviva India Life Insurance, on the Dos and Don'ts of Secure Wireless Networks

What are your tips to secure wireless networks? Share your views in the comments below.

Read more…

How To Evaluate An ERP Project

Agriculture Insurance Company of India Ltd. (AIC) provides crop insurance coverage to 2.4 crore farmers annually, 86% of whom belong to the small and marginal category. To balance the twin challenges of the crop insurance business, viz. reaching the remotest farmer at minimum service cost, AIC has developed a web-based, integrated, 360-degree IT Systems Solution Project titled "ANNAPOORNA", envisioned as an enabler for streamlining the business processes of the Company and an automator of the operational and administrative functions.

The Project encompasses 11 Application-baskets, ranging from the core Business Operations to Research & Development, Financial Management, Marketing Management, Human Resources Management, Knowledge Management & Portal, Legal Management, etc. to the Business Intelligence & Dashboard.

(Read more: How to choose your Security / Penetration Testing Vendor?)

Checklist for Evaluation:

Marks are given on a scale of 1 to 5, with a minimum tolerance level of 2 for each item individually and a collective average of 4.

Below is the checklist used to evaluate the ERP Project "ANNAPOORNA":

[Image: evaluation checklist for the ERP Project "ANNAPOORNA"]

- With Avinanda Ghosh, Agriculture Insurance Company Of India Ltd., on How To Evaluate An ERP Project

Do you use the same parameters for your ERP project? Share your views in the comments below.

Read more…

I am highly excited to tell you that the most exciting event and all the buzz of the Annual Summit is back!
Furthermore, I am even more excited because now is the time when we will receive your innovations, those billions of papers and the most exciting hacks of this year.


Click here for more information on Call For Speakers

Below I will share a few details that could help you submit your papers:

Step 1 - Choose Your Speaking Slot

We believe in sharing knowledge which is short, great and impactful. We don't believe in restricting oneself from thoughts and sharing them; thus your talk will win the speaking slot most apt to your needs.

  • "Best of the World": This series shall invite the top speakers and security researchers across the world who have made significant contributions in the field of security in the recent past.
  • Turbo Sessions: This session aims at sharing knowledge in 18 minutes, including new insights and live demos.
  • Real Life Case Study: This series encourages top CISOs to speak on how they implemented their most successful projects. Learning from their practical hands-on insights is targeted.
  • CISO Decision Tools/Frameworks: Here tools/frameworks are presented to help a CISO in better and more structured decision making.

Step 2 - Choose The Domain Of Your Talk

You are the best judge of which domain you are most proficient in, where you have new learning, and which area you are confident about. One great way to decide between multiple options is to choose a domain you love to listen to talks on, or one that can be most helpful for information security officers.

  • Technology
  1. APT Security
  2. Cloud Security
  3. DDOS Security
  4. Data Security/DLP
  5. Mobile/BYOD Security
  6. Forensics and Emergency Response
  7. Application Security/Man in the Browser
  8. Cyber Warfare, Critical Infrastructure and Homeland Security

  • Security Management
  1. Cost Control
  2. Risk Management
  3. Vendor Management
  4. Governance Risk and Compliance
  5. Managing the CEO/CIO/Board expectations
  6. Reference Architecture, Check lists and Decision Frameworks

  • Personal Development
  1. Leadership
  2. Career Growth
  3. Entrepreneurship
  4. Stress Management
  5. Personal Effectiveness
  6. Work-Life Balance/Happiness

Step 3 - Create An Awesome Topic

Previous years' topics are always helpful for understanding both your best area of communication and the audience's expectations. Here are a few-

  • Most Recent Attack Vectors Which a CISO Must Know
  • Analysis of Hackers Landscape in Asia and Middle - East
  • Analytics Driven Security
  • ERP Security: Attack Vectors and Defense
  • Lessons Learnt from the Anti-Terrorist Squad of India
  • Securing Mobile Banking
  • Global Best Practices to Defend Against Targeted Attacks
  • Latest Attack Vectors and Threats on Aircraft and Unmanned Aerial Vehicles
  • Attacks on Smart TVs and Connected Smart Devices
  • Hunting Botnets: Detecting Indicators of Compromise
  • click here for entire list

Step 4 - Create Your Session Abstract

Your paper is always awesome, no doubt about that. However, it is handy to know what is expected in order to maximize your chances. Our Review Board consists of highly experienced information security experts from all over the world. They love geeky security and innovative technology. So, write up your paper and send it to us.

Quick Tips On Content Selection -

  • Short and Precise .. The best communication is unambiguous, short and impactful. We look for content that appeals to the senses and is easy to understand.
  • Out Of The Box .. Content has no end, yet few think beyond the edge. We like to encourage the human instinct for innovation, creativity and discovery. That is why we are humans, not apes!
  • Helpful .. Sharing knowledge usually has the common goal of helping infosec peers. We encourage ideas that help the security community solve a problem.
  • Trending .. Even though trending topics get the most competition, they also get a few more slots. These topics equip a CISO with current technologies and vulnerabilities, and they are favourites with our audience.
  • Experience .. Time is by far the best teacher; no one denies that. So your experience counts a lot. Tell us about the experience that is unique to you. Our CISOs will lend an eager ear.
  • Technical Details .. It is highly probable that your audience already has the fundamentals of the subject. We therefore advise you to deliver your talk at an advanced level, where it is most useful to information security officers. For example, if you are talking about Denial of Service, you may assume your audience understands the difference between DoS and DDoS and knows the most popular mitigation mechanisms available. Our security conference cherishes detail from its speakers.

Step 5 - You Did It, Sit back and Relax

Great, you're done! Our review board will review the content and get back to you by mail.

P.S. - We are unable to allot a speaking slot to everyone right now; we hope that will be possible in future. For now our review board selects the speakers as described above.

Step 6 - Declined? Ask Why

In case we could not accept your paper this year, we are very sorry. However, you should know why. Please mail us at pritha.aash@cisoplatform.com to find out what went wrong. There is no reason to be disheartened; it is the constraints of time that bind us. We might take some time to reply, but we definitely will. Start afresh, keep the amendments in mind and submit your proposal the year after, because most speakers get accepted eventually and we'd hate to miss you.

Step 7 - Accepted? Know Our Speaker Benefits

CISO Platform is proud to have you with us. Your comfort is our sole responsibility , your contributions will be well rewarded. 

  • Complimentary Pass .. Complimentary pass to speakers
  • Address great audience .. Address the largest gathering of senior security executives
  • Grow your network .. Make your networking many folds in a day @Annual Summit
  • Showcase your profile .. Your Profile will be showcased on our website and who doesn't know the worth of 'Ted Talkers' today?
  • Travel & Accommodation .. Your travel and accommodation shall be solely our responsibility. However we will need prior confirmation so your stay is most enjoyable.

For any queries mail to pritha.aash@cisoplatform.com

Keep The Last Date In Mind Or Mobile

Keep forgetting? The good news is that it's absolutely normal, and the other good news is that Google Calendar and mobile reminders exist. We hate to impose dates, but the flood of exciting papers needs to be reviewed well before the event.

Please fill in your nominations prior to last date as post that no submissions will be accepted.

You can submit proposals by filling up the Call for Papers here: 

Call for Papers opens: 1st July, 2014

Call for Papers closes: 1st August, 2014

Click to Submit Your Papers and Fill The Form

*We strongly suggest that you submit your papers early as the window will close early if sufficient quality papers have been received.

Important Links

For all Speakers, 2013 click here

For submitting your paper, 2014 click here

More about Call For Speaker, 2014 click here

More about Annual Summit, 2014 click here

Have you made your paper submissions? Tell us what you'd like to hear at CISO Platform Annual Summit, 2014 in the comments below or create your discussion.

Read more…

Checklist to Evaluate A Cloud Based WAF Vendor

Web applications are under siege these days. Commercially motivated hackers, bots and fraudsters attack around the clock, attempting to steal data, disrupt access and commit fraud, and today's next-generation firewalls, IPS and other network security products cannot stop them on their own. To prevent breaches and downtime from web attacks, DDoS, site scraping and fraud, we introduced a cost-effective, cloud-based Security-as-a-Service Web Application Firewall. The solution is deployed in reverse-proxy mode: you route web traffic through the application firewall, which mitigates web attacks and threats in real time and forwards only clean traffic to the web server.

( Read more:  Can your SMART TV get hacked? )

Check-list for Vendor Evaluation:

1. Deployment Architecture & Mode of Operation

  • Active/Inline, Passive, Bridge, Router, Reverse Proxy etc.
  • How SSL traffic is processed and offloaded: whether it terminates SSL connections, passively decrypts traffic etc.
  • Which authentication methods are used to validate users/customers
  • High Availability, Redundancy & Scalability
  • Protect multiple websites behind a single IP

 

2.  Connection Handling & Traffic Processing

  • How the traffic is blocked – Drop Packet, TCP Reset etc.
  • HTTP versions,  Encoding & File transfer Support
  • Any other protocol support
  • Response Filtering

 

3.  Detection Technique

  • Normalization technique used
  • Negative Security Models
  • Positive Security Models
  • Minimal False Positives
  • Signature/Rule Database
  • How frequently Database is updated
  • Are APIs available to customize or extend the vendor’s detection functionality
  • Virtual Patching
  • Fraud Detection
  • Business Logic Attacks

( Read more: Security Technology Implementation Report- Annual CISO Survey )

4.  Protection Technique

  • Brute Force Attacks
  • Cookie based Attacks
  • Session or Denial of Service Attacks
  • Hidden Form field Protection
  • Cryptographic URL & Parameter Protection
  • Reputation-Based Service
  • External Intelligence Feed, threat landscape etc.
  • Protection against Application DDoS
  • Protection against OWASP Top 10

 

5.  Logging

  • Which commonly used logs are supported
  • Log Forwarding to Syslog or SIEM
  • Unique transaction IDs included with every log message
  • Log Export facility
  • Event logs and notification via Email, SMS, Syslog support, SNMP Trap etc.
  • Log Retention
  • Sanitization or Masking Critical Data from the logs
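
As an added example (not from the original article or any vendor's product), the following Python sketch shows how the detection items in section 3 and the logging items in section 5 fit together inside a reverse-proxy WAF: each request is normalised (repeated URL decoding so a double-encoded payload is inspected in its final form), run through a negative model (signature rules) and then a positive model (a per-path parameter profile of the kind profile learning would produce), and one log record is produced per transaction with a unique transaction ID and sensitive parameters masked before it is forwarded to syslog or a SIEM. The rules, profiles, hostnames and sample requests are constructed for illustration; a production WAF carries far larger rule sets and also inspects headers, cookies, JSON bodies and responses.

```python
import json
import re
import uuid
from urllib.parse import parse_qsl, unquote

# Constructed negative-security rules (signatures), applied to already-normalised text.
NEGATIVE_RULES = {
    "sqli": re.compile(r"(?i)\bunion\b.+\bselect\b|'\s*or\s*'?\d+'?\s*=\s*'?\d+|--\s*$"),
    "xss": re.compile(r"(?i)<\s*script|javascript:|\bon(load|error|click|mouseover)\s*="),
    "traversal": re.compile(r"\.\./|/etc/passwd"),
}

# Constructed positive-security profile (what profile learning would produce): for a known
# path, the parameters that may appear and the format each must have. Anything else is a violation.
POSITIVE_PROFILE = {
    "/login": {"user": re.compile(r"^[a-z0-9_.]{1,32}$"),
               "password": re.compile(r"^.{1,128}$")},
    "/search": {"q": re.compile(r"^[\w\s\-]{0,64}$")},
}

# Parameter names whose values must never be written to the log (PCI DSS, privacy).
SENSITIVE_PARAMS = {"password", "card", "cvv", "pan"}


def normalize(value, max_rounds=3):
    """URL-decode until the value stops changing, so a double-encoded payload
    (%2527 -> %27 -> ') is inspected in its final form, then fold backslashes to
    forward slashes so path rules see one canonical separator."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def _first_negative_match(text):
    for name, rule in NEGATIVE_RULES.items():
        if rule.search(text):
            return name
    return None


def inspect(request, txid=None):
    """Run one request through normalisation, the negative model and then the
    positive model. Returns (decision, record): decision is "allow" or "block",
    record is the log entry with a unique transaction ID and masked parameters."""
    txid = txid or uuid.uuid4().hex
    path = normalize(request["path"])
    raw = parse_qsl(request.get("query", ""), keep_blank_values=True)
    raw += parse_qsl(request.get("body", ""), keep_blank_values=True)
    params = [(normalize(k), normalize(v)) for k, v in raw]

    reason = None
    rule = _first_negative_match(path)
    if rule:
        reason = f"negative:{rule}:path"
    for k, v in params:
        if reason:
            break
        rule = _first_negative_match(v)
        if rule:
            reason = f"negative:{rule}:{k}"
    if reason is None and path in POSITIVE_PROFILE:
        profile = POSITIVE_PROFILE[path]
        for k, v in params:
            if k not in profile:
                reason = f"positive:unexpected-param:{k}"
                break
            if not profile[k].match(v):
                reason = f"positive:format:{k}"
                break

    decision = "block" if reason else "allow"
    record = {
        "txid": txid,
        "host": request.get("headers", {}).get("Host", "-"),
        "method": request.get("method", "GET"),
        "path": path,
        "params": {k: ("***" if k.lower() in SENSITIVE_PARAMS else v) for k, v in params},
        "decision": decision,
        "reason": reason,
    }
    return decision, record


def log_line(record):
    """One JSON object per event, ready for syslog/SIEM forwarding."""
    return json.dumps(record, sort_keys=True)


# Constructed sample traffic: a clean login, a double-encoded SQL injection, a login with an
# unexpected parameter, and an encoded path traversal.
SAMPLES = [
    {"method": "POST", "path": "/login", "body": "user=alice&password=s3cret",
     "headers": {"Host": "www.example.test"}},
    {"method": "GET", "path": "/search", "query": "q=%2527%20or%201%253D1",
     "headers": {"Host": "www.example.test"}},
    {"method": "POST", "path": "/login", "body": "user=alice&password=x&debug=1",
     "headers": {"Host": "www.example.test"}},
    {"method": "GET", "path": "/static/..%2f..%2fetc/passwd",
     "headers": {"Host": "shop.example.test"}},
]


def run_samples():
    return [inspect(req) for req in SAMPLES]


if __name__ == "__main__":
    for decision, record in run_samples():
        print(decision, log_line(record))
```

When evaluating a vendor, ask for exactly this kind of evidence during a proof of concept: send a double-encoded payload and confirm it is caught after normalisation rather than slipping past a rule that only sees the raw string, and check that the resulting block event carries the transaction ID you can search for in the SIEM but not the password value.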

 

6.  Reporting

  • Reporting Format Supported
  • On Demand report generation, automation & scheduling
  • Report Customization
  • Report distribution methods available
  • Customized Block Page Display Message
  • Compliance Reports

 

7. Management

  • GUI – Web Based
  • Multi-Tenancy, RBAC & Secure Administration
  • Centralized Dashboard, Alerts & Reporting
  • Support of External APIs
  • Integration with existing infrastructure
  • Integration with Vulnerability Scanner, SIEM, DLP etc.
  • Configuration Management & Backup
  • Automatic signature update and Install
  • Profile Learning
  • Policy Management, Export/Import, Roll back mechanism
  • WAF Security

 

8.  Performance

  • HTTP level performance
  • HTTP level performance with SSL enabled
  • Maximum  number of concurrent connections
  • Performance under Load
  • Fail-Safe & Pass through when device fails

( Read more:  Hardware Trojans: Sneak Peek into the Future )

9. Support

  • 24*7*365 Support Available
  • Quality of technical support
  • Support presence in local City, Country etc.
  • Direct Support or Partner
  • SLA, TAT, Escalation Matrix etc.

 

10.  Cost

  • Initial cost
  • Setup & Implementation Cost
  • Recurring subscription costs
  • Patch Update & Upgrade Cost
  • Any other hidden cost

 

11.  Vendor Reputation

  • Market share, Turnover, Profitability
  • Any certification like ICSA Labs etc.
  • Helps satisfy PCI DSS Requirement 6.6
  • Listed by any IT research company like Gartner, Forrester, IDC etc.
  • Customer Base
  • Any customer implementation similar to your line of business

 

-With Yadavendra Awasthi, Netmagic Solutions Pvt. Ltd., on How To Evaluate a WAF(Web Application Firewall) Vendor ClickToTweet

What are your quick tips to evaluate WAF vendors? Share with us in the comments below or write your own article here 

Read more…

PCI DSS – Stringent but Exhilarating to Implement (Project PCI DSS Implementation & Certification)

PCI DSS stands for Payment Card Industry Data Security Standard. It is a robust, comprehensive, technology-driven, transparent and explicit standard that enhances the security controls around payment card and related account data by ensuring the safe handling of cardholder information at every step, thereby reducing the exposure that leads to payment card fraud.

PCI compliance is mandated for any organization that stores, processes, views or transmits cardholder data. The organization must comply with all applicable requirements of the standard, as determined by its business, scoping and risk assessment, without any deviation; that is what makes the standard reliable and effective.

The standard has 6 control objectives, 12 requirements and 204 sub-requirements against which compliance is validated annually by a QSA, based on the applicable scope. The outcome is an Attestation of Compliance (AOC) and a Report on Compliance (ROC), supported by a Certificate of Compliance (COC) issued by the QSA.

The key to achieving compliance without hindrance lies in effective business understanding, scoping, risk assessment and pre-assessment (assess), which in turn help to plan the activities seamlessly by aligning requirements with suitable technologies and processes (remediate). This applies to new implementations as well as programs under maintenance.

Despite its stringent requirements, I found this standard COOL to implement and maintain because of its clear directions, which boost security at every level (physical security, environmental security, personnel security, fraud control mechanisms, IT and data security, data privacy, and a managed and monitored business environment), thereby leading to compliance.

 

(Read more:  Top 5 Big Data Vulnerability Classes)

Key to Success

  1. Clear business understanding and proper scoping
  2. Dipstick risk assessment & stringent pre assessment followed by immediate effective remediation
  3. Effective alignment of technologies, processes with requirements
  4. Proper scoping of IT assets considering primary, secondary processing site including data center sites, if you have separate one
  5. Monitored and requirement based privileges access
  6. Treat it as yearly program with do or die concept without pushing the activities for next year for improvement
  7. Identifying and engaging proper QSA, ASV & other service providers with the capability to address your queries and needs in time
  8. Controlled and monitored environment
  9. Effective record maintenance including agreements and AMC’s
  10. Build the sustenance capability

 

Key Learning: Dos and Don’ts

Dos

  1. Do have an annual, time-bound program based on the assess, remediate, report concept, with proper governance led by a senior, empowered manager with adequate domain expertise, including sound technical, managerial, strategic, analytical, negotiating and influencing skills
  2. Do build capability among the major stakeholder teams for implementation and sustenance by providing adequate role-based training; these teams mainly include Risk, Security, IT, HR, Facilities, Audit and end users
  3. Do appoint a knowledgeable QSA, or conduct a self-assessment using the applicable version of the SAQ
  4. Do treat pre-assessment and VA/PT findings seriously and remediate them ASAP
  5. Do ensure all milestones are achieved on time, without fail
  6. Do aim at achieving security while implementing or remediating; you will automatically land in compliance
  7. Do ensure proper scope coverage, considering the end-to-end requirements related to governance, business operations, statutory and regulatory requirements, security and compliance operations, IT security and operations, data security and privacy, personnel security and fraud controls, and physical and environmental security
  8. Do consider the technology, processes and practices currently in place and fix any gaps, so that compliance is achieved with ease and cost-effectively

 

Don’ts

  1. Do not mistake this for a project or a simple technical implementation; it is a collaborative program
  2. Do not aim to achieve compliance by compromising security; it may lead to major pain
  3. Do not do the self-assessment unless you have a clear understanding of the requirements
  4. Do not opt for a long time frame for implementation/remediation; it may lead to more non-compliance
  5. Do not go for risk acceptance supported by compensating controls except for a truly unavoidable business need
  6. Do not leave VA/PT action items open on the assumption that you have a quarter to fix them. Remediate the findings of the quarterly internal VA, wireless VA and rogue detection, ASV scans and the annual internal and external PT as soon as possible
  7. Do not do a risk assessment just for the sake of compliance
  8. Do not adopt a new technology or practice unless it is required

-With Lopa Mudra Basu, SLK Global on the Dos And Don'ts Of PCI DSS ClickToTweet

Are there other aspects or Dos and Don'ts you consider for PCI DSS ? Share your views with us in the comments below.

(Read more:  Cyber Safety in Cars and Medical Devices)

Read more…

For many organizations the success or failure of IT initiatives is predicated on the selection of the appropriate technology vendor. Despite the critical nature of this process, many organizations underestimate the time and effort it takes to make a well-informed decision. This article draws on my personal experience and learning from running complete IT projects at Pay Point India and is meant to serve as a guide to help you understand and think through the critical steps in the vendor selection process.

As you read this, please keep in mind that as an organization goes through the vendor selection process it is not uncommon for other business processes or organizational needs to be revealed. It is important to remember that technology projects are often not just about the technology, but rather the health and effectiveness of the entire organization. This learning experience focuses on the process of selecting a vendor, and assumes that other important organizational change management issues are being addressed in concert to support this process.

( Read more: Security Technology Implementation Report- Annual CISO Survey )

 

Seven Step Model

  • ASSESS FEASIBILITY - Is this viable for my organization?
  • GATHER REQUIREMENTS - What does my organization need?
  • RESEARCH & REFINE OPTIONS - What solutions/vendors might fit my needs?
  • EVALUATE VENDORS - What is the best fit for my organization’s needs?
  • SELECT & ENGAGE VENDOR - Is this a reasonable price and contract?
  • MANAGE IMPLEMENTATION - Has the vendor delivered on its promises?
  • SUPPORT & MAINTENANCE - How will we maintain the solution and support it?

 

STEP 1:   ASSESSING FEASIBILITY

Organizational Readiness - Consider important elements to project success such as getting buy-in from staff and overcoming technology fears and resistance to change.

Budgeting - Ensure that you have the appropriate budget level to successfully execute on the project. Make sure that your budget can withstand reasonable variances from original estimates. Technology projects have varying degrees of  financial risk based on the complexity of the project. At a minimum, your project budget should be able to withstand a 15% variance.

Staff Availability - Most technology projects require a significant investment of time by your organization’s staff. Your staff will be involved in many stages of the process, such as requirements gathering, training, testing, and disruptions during deployment. You will also need to designate a project advocate from your staff to manage the vendor relationship and internal resources associated with the project. Before embarking on any large technology project, ensure that your organization can free up time from the appropriate staff members to make this project successful.

Sustainability - Ensure that you have the proper resources in place to sustain the technology at the conclusion of the project. This could include budgeting for ongoing support, hiring a technology manager, or giving ownership of maintenance to a staff member.

Return on Investment (ROI) - Is the project worth the investment? Will it allow you to serve your constituents better or serve more of them? Will it improve your operations and/or lower costs?

Arriving at a Decision - After careful review of the aforementioned factors, you are now ready to make a decision. Most organizations will have a clear “go” or “no-go” decision. If the limiting factor is budget or staff availability you may decide to opt for a “go-later” decision.

OUTCOME: “GO”, “NO GO”, “GO LATER” DECISION

STEP 2:   GATHER REQUIREMENTS

Review Business Strategy - Identify the business goals you hope to accomplish with this technology project.

Ensure Alignment - Make sure that the application of technology will be an enabling factor and will not create a disruptive influence on the organization.

Process Mapping - Document critical business processes that your organization performs. This understanding will be critical for a vendor to understand how its solution should be implemented at your organization.

Process Re-engineering - Technology implementation often provides an opportunity to change the way certain business tasks are managed at your organization. Consider this element and decide whether it would be valuable to include.

Requirements Analysis - Identify critical requirements (such as number of users, current technologies in use, need for remote access, training, etc.) that you will need as a part of your technology solution.

Prioritization of requirements - Prioritize your list of requirements and determine which ones are essential and which ones are “nice to have” but not required for success.

Environmental assessment - If your project involves environmental or physical location factors, make sure a thorough assessment is conducted and that all findings are well documented. 

Technical assessment - Document your current technology and catalog all areas that may interface with your new solution.

OUTCOME: REQUIREMENTS DOCUMENT/REQUEST FOR PROPOSAL

( Read more:  Top 5 Application Security Technology Trends )

STEP 3:   RESEARCH & REFINE OPTIONS

Buy/Blend/Build - Most technology solutions can be categorized into one of three areas: Buy an off-the-shelf solution, Build a custom solution, or Blend a solution by combining an off-the-shelf product with some customization.

Establish Evaluation Criteria - Develop a set of criteria on which you would like to evaluate your prospective vendors. Appendix A has an example of some common criteria used in evaluations.

Conduct Research - Use the resources at your disposal to learn more about existing products or solutions that could meet your needs. Discuss your project objectives with related organizations, trusted advisors, and technology consultants.

Define Targeted List - Based on your requirements and your research into solutions, create a short list of vendors who may be able to meet your requirements. The size of your short list of vendors should correlate to variability in proposed solutions and project complexity. For instance, for a small defined project a short list of 3 vendors may be appropriate. For large complex projects with many different approaches, you may consider a list as large as 8 vendors. Make sure that you keep your short list of vendors to a manageable scale.

Send RFP - Send the vendors your requirements information and ask them to submit a proposal. Typically requirements are sent in the form of a Request for Proposal (RFP) document.

OUTCOME: TARGETED LIST OF VENDORS/SOLUTIONS TO PURSUE

 

STEP 4:   EVALUATE VENDORS

Evaluation Matrix - Develop an evaluation matrix (see Appendix B) to help you objectively evaluate each vendor’s proposal and product demonstration.

Proposals - Each invited vendor should respond to your RFP with a written proposal. Carefully evaluate each proposal and encode the proposal information into your evaluation matrix.

Product Demonstrations - Many vendors will request an in-person or web-based opportunity (a “demo”) to showcase the capabilities of their solution. Demos are a valuable way to get more information and also to evaluate the intangible aspects of a vendor.

Reference Checks - Don’t forget to check the vendor’s references as a part of your evaluation process. Consider site visits if you are making a large investment.

OUTCOMES: VENDOR PROPOSALS, VENDOR DEMOS, WEIGHTED VENDOR MATRIX

STEP 5:   SELECT & ENGAGE VENDOR

Primary and Secondary Options - At the conclusion of your evaluation process, you will need to identify a primary option (your winner) and some secondary alternatives.

Negotiations - Do not burn the bridges with secondary option vendors as they will serve as a valuable resource in the negotiation process. While you are in the negotiation process, keep in mind your secondary options as they serve as your best alternative if your negotiation falls through. Make sure that the final deal you strike with your preferred vendor is at least as favorable as your secondary options. 

Contracting - Identify a clear set of objectives, deliverables, timeframes, and budgets for your project with the vendor. Make sure these are clearly written in the terms of the contract.

OUTCOME: FINAL VENDOR SELECTED & CONTRACTED

( Watch more : Attacks on Smart TV and Connected Smart Devices )

STEP 6:   MANAGE IMPLEMENTATION

Dedicate Project Manager - Your organization should dedicate one or more staff to oversee the solution implementation. These staff should have regular checkpoints with the vendor to ensure that delivery matches expectations.

Ensure Timely Delivery - Vendors often juggle many clients at once and as such it is important for your organization to keep track of deliverable dates and ensure that the vendor is meeting them. Be conscious of your deadlines and deliverables to your vendor so they can make their target delivery dates. Keep an eye out for contract terms that apply additional fees for late delivery of necessary project materials from you to the vendor.

Ensure On-Budget Delivery - If your organization negotiates a Time & Materials (T&M) contract with vendor, then it will become imperative to track hours spent and budgeted hours remaining on a project. Without careful consideration of these elements, project costs could spiral out of control.

Manage Scope - The greatest area of risk for most technology projects is in controlling project scope. Once an organization begins to see the possibility of technology, they often attempt to do too much in the initial development and launch of the solution. If this is the case, consider your project with the vendor a “Phase 1 deployment” and try to push back on new additions until a future phase. If a new addition is essential to a project, then you should clearly define it in an addendum to the scope of work and negotiate the price with the vendor.

Manage Expectations - Manage the expectations of all parties involved in the implementation support. Be sure to provide realistic timeframes and advance warning of any variances in budgets and timeframes.

OUTCOME: ON TIME & ON BUDGET DELIVERY OF EXPECTED SOLUTION

 

STEP 7:   SUPPORT & MAINTENANCE

Resources: Ensure that the appropriate resources are dedicated to support the technology on an ongoing basis. Your support and maintenance plan could include some or all of the following:

  • Support Hours/Contract
  • Hiring of tech resources to manage it
  • Assignment of staff member to take ownership
  • Patches & Maintenance
  • Ongoing Training


Upgrades: If the technology solution becomes mission critical, plan an upgrade path for it. Technology tends to change dramatically every 3 years and should never be considered a one-time investment.

OUTCOME: STABLE & EFFICIENT TECHNOLOGY SOLUTION THAT EMPOWERS THE ORGANIZATION

 

CONSIDER EXTERNAL FACTORS

The framework proposed in this paper assumes that your organization is operating in a completely neutral framework and has great latitude in making a decision. Our experience of working through this process with many clients indicates that this is often not the case. Most vendor selection efforts are often influenced by external factors such as foundation recommendations, group purchasing decisions, or donations/discounts discovered through board contacts. Consider these external factors in your assessment phase. The presence of these external factors does not mean that you should forgo the vendor selection process; however, it can mean considering your options in a different light.

These external factors can sometimes lead to significant benefits such as discounts with vendors, financial support, leveraging existing research on vendors, implementation experience, and technical support. The equation you should take into consideration is whether the cumulative benefits outweigh the costs of potentially selecting a less optimal vendor.

Is your organization being asked to use a vendor that really doesn't match your needs? If such a case does arise, the vendor evaluation matrix can become a huge asset for your organization. Conduct the evaluation using the externally recommended vendor as a baseline and see where your options fall. You can then present the evaluation matrix to your funders or board members to make an argument for or against a specific course of action.

( Read more:  5 easy ways to build your personal brand ! )

APPENDIX A: DIMENSIONS OF EVALUATION FOR VENDORS

The following list contains typical dimensions along which vendors can be evaluated. While comprehensive, the list is not exhaustive and you should consider adding your own dimensions to the evaluation criteria.

FEATURES

■   Essential Features

■   Cool to Have Features

■ (Add Requirements Criteria)

 

VENDOR STABILITY

■   Vendor Size

■   Vendor Financials

■   Years in Business

■   Number of Clients

■   Size of Tech Team

■   References

■   Future Direction - Roadmap

 

TECHNOLOGY ELEMENTS

■   Usability/Ease of Use

■   User Interface/Visuals

■   Flexibility

■   Extensible? Customizable?

■   Compatibility

■   Security

■   Backups

■   Virus Protection

 

GENERAL IMPRESSIONS

■   Positives

■   Risks

■   Friendliness

■   Responsiveness

■   Experience/Skill Level

■   Actual Project Team

 

PRODUCT STABILITY

■   Performance Levels

■   Uptime Percentage

■   Last Downtime

■   Duration of Downtime

■   Load/Capacity


TIMEFRAME FOR DEPLOYMENT

■   Phase 1

■   Phase 2

■   Additional phases (if any)

■   Project Completion

■   Training

 

COSTS

■   One-Time (Setup, Configuration, Development)

■   Ongoing (Maintenance, Licensing)

■   Add-Ons

■   Hardware/Software

■   Training

■   Support

■   Data Migration

■   Fixed or Variable

■   TCO = Total Cost of Ownership

 

TRAINING & SUPPORT

■   Support Availability

■   Support Coverage Hours

■   Support Response Time

■   Training Plan

■   Online Help Resources

■   Availability of Support Talent

■   Documentation

 

OTHER CONSIDERATIONS

■   Hosted Externally/ASP

■   Additional Equipment

■   Platform Considerations

■   Locked In to Vendor Solution?

■   Implementation Plan

■   Data Migration

 

SECURITY & BACKUPS

■   Backup Policies

■   Recovery Procedures

■   Virus Protection

■   Data Security

■   Application Security

■   Hardware Security

( Watch more : South Asia's Cyber Security Landscape after the Snowden Revelations )

APPENDIX B: CREATING A WEIGHTED VENDOR EVALUATION MATRIX

It is important to keep yourself objective when going through the vendor evaluation process. It is easy to get swayed by an impressive product demonstration or an eloquent sales representative. In order to avoid falling into this trap, we often use a weighted matrix to rank vendors. Below is an example of how to structure your own vendor evaluation matrix.

 

SAMPLE WEIGHTED MATRIX : (for 3 Vendor evaluation )

29fcaad.jpg

 

A spreadsheet program is a great tool for plotting your evaluation matrix. When developing the matrix, you will need to make decisions regarding the following:

 

  • How important is each of the dimensions to your organization? For instance, if support hours are critical, you may assign it 10 points instead of 4.
  • How do the scores relate to each other? For instance, if you are evaluating three vendors it is usually good to score using a 3 point scale or a multiple of a 3 point scale. The vendor who performs best in this category would get a 3 and the worst performer would get a 1. If two vendors are equal on a given dimension, then give them the same score. If the dimension is a very important one, you may make it worth 12 points with the top vendor getting 12, the second getting 8, and the last one getting 4.
  • What is a substantive difference in scores? If you are evaluating on a 100 point scale and you get a final list of three vendors all within a score range of 51 to 59, then there may not be a substantive difference between them. Take a deeper look at the relative strengths and weaknesses of each vendor before making a final decision.

 

Do not give any single element in your weighted scores more than 25% of the total points on the matrix. Elements that would need more than that should be looked at side by side with the weighted scores rather than folded into them. The two most common elements we leave out of the weighting are PRICE and TIMEFRAME: including them in the matrix would skew the results, so it works better to consider them independently.
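
A worked example of the scoring rules described above, added here and not taken from the original article: the weights are checked against the 25% ceiling, vendors are ranked on each dimension on a three-point scale scaled by the dimension's weight (best gets the full weight, then two thirds, then one third, with tied vendors sharing a score), price and timeframe are carried alongside without being summed, and the final spread is tested for a substantive difference. The dimensions, vendors and observations are constructed for illustration.

```python
from collections import defaultdict

# Constructed dimensions and their weights in points. The largest (9 of 40) is 22.5% of the
# total, inside the 25% ceiling the text recommends.
WEIGHTS = {
    "essential_features": 9, "support_hours": 9, "usability": 6,
    "vendor_stability": 6, "references": 6, "compatibility": 4,
}
MAX_SHARE = 0.25

# Constructed raw observations per vendor and dimension; higher is better in every case.
OBSERVATIONS = {
    "essential_features": {"A": 9, "B": 7, "C": 7},     # essential features met, out of 9
    "support_hours":      {"A": 8, "B": 24, "C": 12},   # hours of support coverage per day
    "usability":          {"A": 4, "B": 3, "C": 5},     # demo usability score, out of 5
    "vendor_stability":   {"A": 10, "B": 3, "C": 6},    # years in business
    "references":         {"A": 3, "B": 3, "C": 3},     # reference checks passed, out of 3
    "compatibility":      {"A": 2, "B": 2, "C": 1},     # required integrations covered, out of 2
}

# Kept out of the weighting and shown side by side, as the text recommends.
SIDE_BY_SIDE = {
    "price":           {"A": 120000, "B": 90000, "C": 105000},
    "timeframe_weeks": {"A": 12, "B": 8, "C": 10},
}


def check_weights(weights, max_share=MAX_SHARE):
    """Return the dimensions whose weight exceeds the ceiling (empty list means OK)."""
    total = sum(weights.values())
    return [d for d, w in weights.items() if w / total > max_share]


def score_dimension(observations, weight):
    """Rank the vendors on one dimension: the best gets the full weight, the next two
    thirds, the last one third. Vendors with the same observation share a rank, so
    equal vendors get equal points."""
    n = len(observations)
    ranked = sorted(set(observations.values()), reverse=True)
    return {v: round(weight * (n - ranked.index(x)) / n, 2) for v, x in observations.items()}


def build_matrix(weights, observations):
    """Per-dimension points for every vendor, plus the weighted totals."""
    matrix, totals = {}, defaultdict(float)
    for dim, weight in weights.items():
        matrix[dim] = score_dimension(observations[dim], weight)
        for vendor, pts in matrix[dim].items():
            totals[vendor] += pts
    return matrix, dict(totals)


def substantive_difference(totals, weights, min_spread=0.10):
    """True when the gap between the best and worst total is at least min_spread of the
    available points; otherwise the vendors are effectively tied on the matrix and the
    decision needs a closer look at strengths and weaknesses."""
    spread = max(totals.values()) - min(totals.values())
    return spread / sum(weights.values()) >= min_spread


def summarize():
    """Weighted total next to the unweighted price and timeframe for each vendor."""
    _, totals = build_matrix(WEIGHTS, OBSERVATIONS)
    return {v: {"total": round(totals[v], 2), **{k: s[v] for k, s in SIDE_BY_SIDE.items()}}
            for v in totals}


if __name__ == "__main__":
    assert not check_weights(WEIGHTS)
    matrix, totals = build_matrix(WEIGHTS, OBSERVATIONS)
    for dim, row in matrix.items():
        print(f"{dim:20s}", row)
    print("totals:", totals, "substantive difference:", substantive_difference(totals, WEIGHTS))
    print(summarize())
```

With these constructed inputs vendor A leads on the matrix but the spread between first and last is only 3 points out of 40, so the check reports no substantive difference; that is the cue to go back to the individual dimensions and to the price and timeframe columns before deciding.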

 

YOUR END RESULT should be something like the following: [completed matrix image not preserved]

- With Sachin Lokhande, Pay Point India Network Ltd, on How To Evaluate A Vendor in IT Projects

Which of the above steps will be most helpful for your organization? Share your thoughts with us in the comments below, or write your own article here.

Read more…

Checklist to Evaluate a DLP Provider

The Data Leak Prevention project was rolled out at Lanco Infratech Ltd

  • To protect its proprietary assets and business data against any loss or leakage
  • To meet the regulatory requirements applicable to its industry segment
  • To increase awareness amongst employees by publishing incidents and policy violation cases across the group
  • To help establish evidence of intentional breaches so that disciplinary cases can be initiated


Check-list for Evaluation:

Policy Definition

  • Policy wizard with predefined policy templates based on geography and industry
  • Ability to define a policy owner for each policy
  • Policy should allow administrators to run a different external command for each type of policy violation
  • Ability to enforce fingerprint policies when the endpoint is disconnected from the corporate network
  • Ability for administrators to define applications or application groups that may access sensitive data

 

Database Fingerprinting

  • Fingerprint databases using ODBC or equivalent protocol
  • Ability to create multiple rules that correlate different fields within a database, with a different threshold for each rule
  • Fingerprint specific tables from a database
  • Fingerprint specific fields from a table

Directory/file fingerprinting

  • Ability to exclude information (organization boilerplate, confidentiality notices, etc.) from file fingerprinting
  • Ability to schedule the task that excludes such information from fingerprinting

Discovery

  • Options for agentless discovery on databases, file servers, SharePoint portals, Exchange mailboxes, etc.
  • Ability to control the bandwidth used for discovery
  • Ability to maintain the original file access time stamps while performing the discovery

Destination Awareness over Web

  • Create policies based on URL categories
  • Real Time User Identification


SSL Decryption

  • Ability to natively decrypt SSL sessions and inspect content sent over SSL (HTTPS)
  • Hardware required for SSL decryption
  • Unified Management

Custom pattern creation

  • Ability to create custom patterns based on organization/data owner needs

Notification

  • Options to send different notification templates for different policies
  • Notification of the policy owner configurable within the policy by adding the owner's email address
  • Options to notify administrators, policy owners, senders and the sender's manager

Management & Reporting

  • Options to view incidents by setting different filters
  • Options to report sensitive information sent to multiple recipients in a single mail as a single incident

 

Workflow management

  • Ability to quarantine sensitive emails, notify the sender's manager and the policy owner, and give them permission to release the email from the system if it is approved or required by the business
  • Ability to escalate an incident to a person defined in the workflow process
  • Ability to integrate automatically with DRM and encryption software
  • Ability to prevent incident managers or administrators from deleting an incident

Deployment Options

  • Ability to integrate with an ISA proxy by installing an agent on the ISA server
  • Options for SSL Decryption to monitor leaks over HTTPS
  • Options to monitor printing on Network printers
  • Options to monitor internal mail traffic

 

Hardware required

  • Number of hardware units required to deploy DLP at HOV
  • Additional hardware for SSL Decryption

 

Support Capabilities

  • 24x7 support
  • Trained partners
  • Training

- With KK Chaudhary, Lanco Infratech Ltd, on How To Evaluate a DLP Vendor

What other factors do you use to evaluate a DLP solution vendor? Share your thoughts in the comments below.


Read more…


What I found interesting in this report was the numbers on increasing DDoS attacks. Recent DoS and DDoS attacks on Evernote and Feedly have left us thinking. Evernote once got to know how dependent we humans are on them. It was assumed that such a traffic attack was meant for some grudge, yet the threats are changing. Even though it leaves credentials and sensitive data intact, it creates a huge loss of enterprise reputation and customer base. The position must change, though.


>>Download the full report for more information

Growing Cyber Crime Loss: [chart from the report not preserved]

Major Trends

SQL injection – According to Veracode, 30% of all data breaches are due to SQL injection.

This type of attack exploits Web applications that do not properly sanitize user inputs and tricks them into running database code that returns more data than they otherwise would have.
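The defect just described, beside its fix, as an added example that is not code from the report: an in-memory SQLite table stands in for the application database, and the table, rows and lookup functions are constructed for illustration.

```python
"""SQL injection: unsanitised input built into a query, beside the parameterised
fix. Added example, not from the report; the table and rows are constructed."""
import sqlite3

CONN = sqlite3.connect(":memory:")
CONN.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
CONN.executemany("INSERT INTO users VALUES (?, ?, ?)", [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
])


def lookup_vulnerable(name):
    """Builds the statement by string concatenation: the input becomes SQL,
    so a crafted value rewrites the WHERE clause instead of being matched."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return CONN.execute(sql).fetchall()


def lookup_safe(name):
    """Parameterised query: the driver passes the value separately from the
    statement, so the input can only ever be compared, never executed."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return CONN.execute(sql, (name,)).fetchall()


# Classic tautology probe: turns the WHERE clause into an always-true condition
TAUTOLOGY = "' OR '1'='1"

if __name__ == "__main__":
    print(lookup_vulnerable("alice"))    # one row, as intended
    print(lookup_vulnerable(TAUTOLOGY))  # all three rows: more data than it should return
    print(lookup_safe(TAUTOLOGY))        # []: no user literally has that name
```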


Account-checker – Public-facing Web sites and applications often require users to log in to access parts or all of the application. Because users often choose passwords that are easy to guess, or share passwords across multiple accounts, hackers can create scripts that make repeated login attempts in order to deduce the login credentials and compromise an account.
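One way a defender spots an account-checker script in authentication logs, as an added example that is not from the report: the log format, the sample lines and the thresholds are constructed assumptions, and a real deployment would read the site's or identity provider's own log.

```python
"""Detecting account-checker scripts in login logs. Added example, not from
the report; log format, lines and thresholds are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample: timestamp, source IP, username, outcome
AUTH_LOG = """\
2014-06-12T10:00:01Z 203.0.113.7 alice FAIL
2014-06-12T10:00:02Z 203.0.113.7 bob FAIL
2014-06-12T10:00:02Z 203.0.113.7 carol FAIL
2014-06-12T10:00:03Z 203.0.113.7 dave FAIL
2014-06-12T10:00:03Z 203.0.113.7 erin FAIL
2014-06-12T10:00:04Z 203.0.113.7 frank OK
2014-06-12T10:00:05Z 198.51.100.20 alice FAIL
2014-06-12T10:00:40Z 198.51.100.20 alice FAIL
2014-06-12T10:01:10Z 198.51.100.20 alice OK
"""
LINE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse(log):
    """Yield (timestamp, ip, user, outcome) for each well-formed line."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            yield datetime.strptime(m[1], "%Y-%m-%dT%H:%M:%SZ"), m[2], m[3], m[4]


def detect_checkers(log, window=timedelta(seconds=60), min_fail=5, min_users=3):
    """Flag source IPs with >= min_fail failures against >= min_users distinct
    accounts inside `window`. Requiring many distinct accounts separates a
    script rotating through shared or leaked credentials from one user who
    keeps mistyping a password. Returns {ip: sorted accounts tried}."""
    failures = defaultdict(list)  # ip -> [(timestamp, user)] for FAIL events
    for ts, ip, user, outcome in parse(log):
        if outcome == "FAIL":
            failures[ip].append((ts, user))
    flagged = {}
    for ip, fails in failures.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):  # slide a window from each failure
            users = [u for ts, u in fails[i:] if ts - start <= window]
            if len(users) >= min_fail and len(set(users)) >= min_users:
                flagged[ip] = sorted(set(users))
                break
    return flagged
```

In the sample, 203.0.113.7 cycles through five accounts in three seconds and then logs in as a sixth; 198.51.100.20 is one user retrying a single account and is not flagged at the default thresholds.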


Report Contents

  • The Changing Threat Landscape
  • Common Approaches to Security
  • The Akamai Intelligent Platform
  • Introducing Kona Site Defender
  • Integrating Into The Security Ecosystem
  • Why Akamai
     

This is a Sponsored Report by Akamai


What are your views on the rising DDoS attacks and the losses due to cyber crime? Share your thoughts in the comments section below or discuss here.

Read more…