pritha's Posts (591)


How To Evaluate Network Security Vendor

As per the IT Security Audit report by Ernst & Young, we have to protect our network from misuse of the Internet, and we required a proper analyzer to analyze our network. They also guided us on the implementation of a BYOD policy in the company and on protection of the ERP through dual authentication. We also have to protect our ERP application by using SSL VPN for remote locations. Our top management is interested in protecting our network in a proper way and reducing some bandwidth cost.

Checklist for Evaluation:

So, after proper evaluation, we decided to go for the Cyberoam 300ING.

  • We compared the following devices and did a proper comparison: Fortigate 300C with Fortigate 100 Analyzer, Cyberoam 300ING and Checkpoint 4800 NGTP.
  • As the price of Checkpoint and its maintenance cost are very high and not within our budget, we decided to go for Fortigate or Cyberoam. Our team did a POC in a proper way for all devices and decided the same.
  • Cyberoam has an edge over Fortigate related to UTM. Fortigate 300C doesn't have an analyzer; for an analyzer we have to go for the Fortigate 100C Analyzer, due to which our cost would increase.
  • After thorough discussion, we decided to go for Cyberoam 300ING at HO and Cyberoam 15ING at the Worli and Malad sites for creation of VPN and applying the company policy.
  • We implemented the required blocking in this, and implemented the BYOD policy in our company. Blocking of a resigned employee's ID is done on the same day, the Wi-Fi password is refreshed within a week's time, Wi-Fi password sharing is very limited, etc.
  • We activated SSL VPN in our firewall for remote-location ERP users.
  • We configured our ERP so that whenever a user logs in, the ERP checks the user name and password in the ERP server as well as in Active Directory. If either does not match, the user is not able to log in to our ERP. Due to that we have added an extra level of security to our ERP application.

Some Do's and Don'ts:

Whenever you plan a project, evaluate it in a proper way. Take your own time for the POC and other activities. Also make top management aware in a proper way. Employee awareness about IT security is the key to success for the protection of our network.

-With Chitranjan Kesari, Omkar Realtors & Developers, on How To Evaluate Network Security Vendor

What is your strategy to evaluate a Network Security Vendor? Share your views in the comments below.


Checklist for E-Procurement Portal

The E-Procurement Portal has been set up for providing state-of-the-art e-Procurement services in India to Govt. Departments, Public Sector Organisations and large Private Sector Enterprises. This e-procurement portal comprehensively addresses almost every nuance of the formal Public Procurement process having 'Legal', 'Security' and 'Transparency' related significance.


Key Learning: Dos and Don’ts:

The functionality of the E-Procurement application includes multi-stage, multi-envelope sealed bidding (including the two-stage tendering process as per CVC Guidelines). The system offers the added functionality of e-Reverse Auction, e-Forward Auction and an e-Catalog system, integrated with the core sealed-bid e-Procurement system.

To incorporate such unmatched 'Security' and 'Transparency' related features, this application uses a 'Symmetric Pass-Phrase' for bid encryption (i.e. bid sealing), as distinct from using the Public Key (i.e. PKI) of the TOE officer for bid encryption. While PKI is excellent for electronic/digital signatures, its use for data encryption (i.e. bid encryption in the context of e-procurement) is quite useful.

Dos:

  • Planning must include quality analysis, and it also includes making a checklist for having a secure environment.
  • Reporting and analysis on key security incidents.
  • Reporting and analysis on risk assessment and remediation activities.


Don’ts:

  • Don't micro-manage.
  • Don't design in too much detail.

Opportunities and Challenges:

As this application is fully compliant with the IT Act 2000; the CVC Guidelines on e-procurement (especially CVC Circular No. 18/04/2010 dated 26th April 2010); the e-Procurement Integrity Matrix of Transparency International India (TII); the Government of India's e-Procurement Guidelines issued in August 2011 by STQC, Department of IT, Ministry of Communications & IT; and the 'Recommendations for Encryption Policy' u/s 84A of the IT (Amendment) Act, 2008 by the Data Security Council of India (DSCI) regarding 'Data Encryption' (i.e. bid encryption in the context of e-procurement), getting a secure environment has always remained a priority, and along with all this learning, keeping the system running presents both opportunities and challenges.

Dos

  • Educate on the existence and implications of the Information Security policy and standards for their initiatives.
  • IT personnel: reinforce their roles and responsibilities pertaining to Information Security.
  • All employees: establish their responsibilities to protect systems and information assets.
  • Non-employees: establish clarity on their responsibilities, as they are positioned to access customer confidential data.
  • Adopt mechanisms for safeguarding your customer confidential information.
  • Documentation.

Don'ts

  • Don't use insufficient support.
  • Don't subscribe to non-business services with your business-critical ones.

-With Dinesh Kumar Chawla, Telecommunications Consultants India Ltd., on How To Evaluate An E-Procurement Portal

What are your takes on E-Procurement? Share your views with us in the comments below.


When we started this project of Secure Wireless LAN implementation in our organization, the key consideration during evaluation was that the solution must be robust, stable and highly secure, so as to avoid security hassles and wireless threats.

Most companies go to great lengths to keep unauthorized users off their networks, but Wi-Fi access points can provide hackers with a convenient way in. That's because Wi-Fi signals are often broadcast outside the network, an enticing invitation for hackers.

Since many companies allow or even actively encourage employees to connect to the network using their own mobile devices (tablets and smartphones as well as laptops), it's not practical for most companies to switch off Wi-Fi access.

We finalized a Wireless LAN solution for us based on the below-mentioned points, which are absolutely necessary for having a mature WLAN access set-up.

  • High security – The WLAN facility will have different kinds of users with different access roles. This naturally calls for a system which can identify the variation among users and provide seamless connectivity and a great user application experience. In a network with various kinds of users, it is an utmost necessity that security covers the whole networking infrastructure, right from the user to the core of the network. The implemented solution provides multiple layers of security to protect access to the wireless network, the data transmitted on the wireless network, and the wireless users and infrastructure.
  • Reliability – A major part of the wireless LAN is invisible and cannot be traced very easily if there is some problem in it. The RF part of a WLAN is the most difficult part to manage and make work flawlessly. The implemented solution has a technology called Adaptive Radio Management which allows the organisation to forget the worries of managing the RF and does it all automatically.
  • Scalability – WLAN systems are extremely scalable and flexible. The features and functionalities that the system supports are embedded in the base OS of the controller, and hence all features are available throughout the range of controllers. Access point support in the controllers is highly scalable and can start from as low as 4 and go up to 2048 on a single controller platform.
  • Central management – Considering a large campus that is a constantly changing environment, a centralized solution which integrates its capabilities in a centralized controller makes it very easy for an enterprise to start small and broaden a deployment to support all kinds of wireless clients, mobile voice or general-purpose business applications (email, Internet, server access and guest access) to increase the productivity of mobile guests and internal employees, while also providing a single point of configuration, troubleshooting and security monitoring.
  • Ease of implementation – The Aruba system is designed to be plug-and-play in most environments, requiring no parameters to be configured individually in any equipment. The AP has plug-and-play deployment flexibility and is connected to the existing Ethernet infrastructure. The controller has both L2 and L3 functionality and can be spread over the existing network. The link from outdoor APs can be over UTP or fibre.

Note: The motive of this project is to provide a secure Wireless LAN.


Key Learning Dos and Don'ts :

  • Security planning as per the environment is very crucial and important.
  • Proper planning and handshaking is very important for a multi-site set-up with a centralized controller.
  • A reliable and manageable network infrastructure is essential.
  • The ongoing management and maintenance of the access points and related equipment should be given serious consideration from the outset.
  • Site surveys should be carried out properly to avoid any issue post implementation.
  • Wireless networks involve a lot more wires than the name would suggest.
  • Deployment of a wireless network does not necessarily lead to an increase in administration costs.


-With Daljit Singh Sodhi, Aviva India Life Insurance, on the Dos and Don'ts of Secure Wireless Networks

What are your tips to secure wireless networks? Share your views in the comments below.


How To Evaluate An ERP Project

Agriculture Insurance Company of India Ltd. (AIC) provides crop insurance coverage to 2.4 crore farmers annually, 86% of whom belong to the small and marginal category. To balance the twin challenges of the crop insurance business, viz. reaching the remotest farmer at minimum service cost, AIC has developed a web-based, integrated, 360-degree IT Systems Solution Project titled "ANNAPOORNA", envisioned as an enabler for streamlining the business processes of the Company and an automator of its operational and administrative functions.

The Project encompasses 11 Application-baskets, ranging from the core Business Operations to Research & Development, Financial Management, Marketing Management, Human Resources Management, Knowledge Management & Portal, Legal Management, etc. to the Business Intelligence & Dashboard.

Checklist for Evaluation:

Marks are given on a scale of 1 to 5, with a minimum tolerance level of 2 for each item individually and a collective average of 4.

Below is the checklist used to evaluate ERP Project "ANNAPOORNA"

[Image: evaluation checklist for ERP Project "ANNAPOORNA"; not reproduced in text]

-With Avinanda Ghosh, Agriculture Insurance Company Of India Ltd., on How To Evaluate An ERP Project

Do you use the same parameters for your ERP project? Share your views in the comments below.
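The marking rule stated above (1 to 5 per item, no item below 2, collective average of at least 4) is easy to apply inconsistently by hand once several bidders and dozens of criteria are involved. The helper below is an added example, not code from the original post or from AIC's project, that applies the same rule to every candidate and reports which criteria caused a rejection. The criterion names, bidder names and scores are constructed for illustration only.

```python
"""Checklist scoring helper (added example, not code from the original post).

Implements the marking rule quoted in the post: every criterion is scored
on a 1-5 scale, a candidate is rejected if any single criterion scores
below 2, and the collective average must reach 4. Criterion names, bidder
names and the sample scores are constructed for this example.
"""
from statistics import mean

SCALE = (1, 5)          # marks allowed per criterion
ITEM_FLOOR = 2          # minimum tolerance level for any single criterion
AVERAGE_TARGET = 4.0    # required collective average


def evaluate(scores, item_floor=ITEM_FLOOR, average_target=AVERAGE_TARGET):
    """Apply the rule to one candidate.

    scores: {criterion_name: mark}. Returns (passed, average, failing),
    where failing lists the criteria that fell below item_floor.
    """
    if not scores:
        raise ValueError("no criteria scored")
    for name, mark in scores.items():
        if not SCALE[0] <= mark <= SCALE[1]:
            raise ValueError(f"{name}: mark {mark} is outside {SCALE}")
    failing = [name for name, mark in scores.items() if mark < item_floor]
    average = round(mean(scores.values()), 2)
    passed = not failing and average >= average_target
    return passed, average, failing


def rank(candidates, **rule):
    """Evaluate every candidate; passing ones first, then by average.

    Returns a list of (candidate, passed, average, failing) tuples.
    """
    rows = [(name, *evaluate(scores, **rule)) for name, scores in candidates.items()]
    return sorted(rows, key=lambda row: (not row[1], -row[2], row[0]))


# Constructed sample: three hypothetical bidders scored against a few
# criteria of the kind an ERP evaluation checklist would carry.
SAMPLE = {
    "Bidder A": {"functional fit": 5, "security": 4, "support": 4, "cost": 4},
    "Bidder B": {"functional fit": 5, "security": 1, "support": 5, "cost": 5},
    "Bidder C": {"functional fit": 3, "security": 3, "support": 4, "cost": 3},
}

if __name__ == "__main__":
    for name, passed, average, failing in rank(SAMPLE):
        status = "PASS" if passed else "FAIL"
        print(f"{name}: {status} average={average} below_floor={failing or '-'}")
```

Bidder B shows why the per-item floor matters: its average clears the target, but a single critical criterion at 1 rejects it, which a plain average would have hidden.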


I am highly excited to tell you that the most exciting event and all the buzz of the Annual Summit is back!
Furthermore, I am more excited because now is the time when we will receive your innovation, those billions of papers and the most exciting hacks of this year.


Below I will share a few details that could help you submit your papers:

Step 1 - Choose Your Speaking Slot

We believe in sharing knowledge which is short, great and impactful. We don't believe in restricting anyone's thoughts or the sharing of them, so your talk will win the speaking slot most apt to your needs.

  • "Best of the World" .. This series invites the top speakers and security researchers across the world who have made significant contributions in the field of security in the recent past.
  • Turbo Sessions .. This session aims at sharing knowledge in 18 minutes, including new insights and live demos.
  • Real-life Case Study .. This series encourages top CISOs to speak on how they implemented their most successful projects. Learning from their practical, hands-on insights is targeted.
  • CISO Decision Tools/Frameworks .. Here tools/frameworks are presented to help a CISO in better and more structured decision making.

Step 2 - Choose The Domain Of Your Talk

You are the best judge of which domain you are most proficient in, where you have new learning, and which area you are confident about. One great way to decide between multiple options can be to choose a domain you love to listen to talks on, or even one that can be most helpful for information security officers.

  • Technology
  1. APT Security
  2. Cloud Security
  3. DDOS Security
  4. Data Security/DLP
  5. Mobile/BYOD Security
  6. Forensics and Emergency Response
  7. Application Security/Man in the Browser
  8. Cyber Warfare, Critical Infrastructure and Homeland Security

  • Security Management
  1. Cost Control
  2. Risk Management
  3. Vendor Management
  4. Governance Risk and Compliance
  5. Managing the CEO/CIO/Board expectations
  6. Reference Architecture, Check lists and Decision Frameworks

  • Personal Development
  1. Leadership
  2. Career Growth
  3. Entrepreneurship
  4. Stress Management
  5. Personal Effectiveness
  6. Work-Life Balance/Happiness

Step 3 - Create An Awesome Topic

For this, previous years' topics can always be very helpful in understanding both your best area of communication and the audience expectations. Here are a few:

  • Most Recent Attack Vectors Which a CISO Must Know
  • Analysis of Hackers Landscape in Asia and Middle - East
  • Analytics Driven Security
  • ERP Security: Attack Vectors and Defense
  • Lessons Learnt from the Anti-Terrorist Squad of India
  • Securing Mobile Banking
  • Global Best Practices to Defend Against Targeted Attacks
  • Latest Attack Vectors and Threats on Aircraft and Unmanned Aerial Vehicles
  • Attacks on Smart TVs and Connected Smart Devices
  • Hunting Botnets: Detecting Indicators of Compromise

Step 4 - Create Your Session Abstract

Your paper is always awesome, no doubt about that. However, it's always handy to know what is expected in order to maximize success. Our Review Board will consist of highly experienced information security experts from all over the world. They just love geeky security and innovative technology. So, quickly write down your papers and send them to us.

Quick Tips On Content Selection -

  • Short and Precise .. The best communication is the sentence which is unambiguous, short and impactful. We look for similar content which appeals to human senses and is easy to understand.
  • Out Of The Box .. Content has no end, yet the edge above is thought of by very few. We like to encourage the human nature of innovation, creativity and discovery. That is why we are humans, not apes!
  • Helpful .. Mostly, sharing knowledge has the common goal of helping infosec peers. We encourage your ideas that help the security community in solving a problem.
  • Trending .. Even though trending topics get the maximum competition, they also get a few more slots. These topics equip a CISO with current technologies and vulnerabilities. They are a few favourites of our audience.
  • Experience .. Time has been by far the best teacher; no one denies that. So, your experience can count a lot. Tell us the experience that is unique to you and also awesome. Our CISOs would lend an eager ear to that.
  • Technical Details .. It is highly probable that your audience has grasped the fundamentals or basics of a subject. We therefore advise you to deliver your speech at an advanced level where it can be most appropriate for information security officers. For example, if you are talking about Denial of Service, you may assume your audience understands the difference between DoS and DDoS and also understands the most popular software mechanisms available. Our security conference cherishes more detail from its speakers.

Step 5 - You Did It, Sit Back and Relax

Great, you're done! Our review board will review the content and get back to you via mail.

P.S. - We are unable to allot a speaking slot to everyone right now. We hope it's possible in future. For now our review board selects the speakers as mentioned above.

Step 6 - Declined? Ask Why

In case we could not accept your paper this year, we are very sorry for that. However, you must know 'Why?'. Please mail us at pritha.aash@cisoplatform.com to know what went wrong. There is no reason why you should be disheartened; it is the constraints of time that bind us. We might take some time to revert, but we definitely will. Start afresh, keep amendments in mind and submit your proposal the year after, because most speakers get accepted eventually and we'd hate to miss you.

Step 7 - Accepted? Know Our Speaker Benefits

CISO Platform is proud to have you with us. Your comfort is our sole responsibility, and your contributions will be well rewarded.

  • Complimentary Pass .. Complimentary pass for speakers
  • Address a great audience .. Address the largest gathering of senior security executives
  • Grow your network .. Multiply your networking many-fold in a day @Annual Summit
  • Showcase your profile .. Your profile will be showcased on our website, and who doesn't know the worth of 'TED talkers' today?
  • Travel & Accommodation .. Your travel and accommodation shall be solely our responsibility. However, we will need prior confirmation so your stay is most enjoyable.

For any queries mail to pritha.aash@cisoplatform.com

Keep The Last Date In Mind Or On Your Mobile

Keep forgetting? Great, the good news is it's absolutely normal, and the other is that there are Google Calendar/mobile reminders. We hate to give dates; it's just that the billions of exciting papers need to be reviewed way before the event.

Please fill in your nominations prior to the last date, as post that no submissions will be accepted.

Call for Papers opens: 1st July, 2014

Call for Papers closes: 1st August, 2014

*We strongly suggest that you submit your papers early, as the window will close early if sufficient quality papers have been received.


Have you made your paper submissions? Tell us what you'd like to hear at CISO Platform Annual Summit, 2014 in the comments below or create your discussion.


Checklist to Evaluate A Cloud Based WAF Vendor

These days web applications are under siege. Commercially motivated hackers, bots and fraudsters are attacking around the clock, attempting to steal data, disrupt access and commit fraud, which today's next-generation firewall, IPS and other network security products are unable to safeguard against. So, in order to prevent breaches and downtime from web attacks, DDoS, site scraping and fraud, we have introduced a cost-effective, in-the-cloud, Security as a Service (SaaS) based Web Application Firewall service. The solution is deployed in reverse-proxy mode, so one just needs to route web traffic through the Application Firewall, which mitigates web attacks and threats in real time and sends clean traffic back to the web server.

Check-list for Vendor Evaluation:

1. Deployment Architecture & Mode of Operation

  • Active/inline, passive, bridge, router, reverse proxy, etc.
  • How SSL traffic is processed and offloading is done: whether it terminates SSL connections, passively decrypts traffic, etc.
  • What authentication method is used to validate users/customers
  • High availability, redundancy and scalability
  • Protection of multiple websites behind a single IP

 

2.  Connection Handling & Traffic Processing

  • How traffic is blocked – drop packet, TCP reset, etc.
  • HTTP versions,  Encoding & File transfer Support
  • Any other protocol support
  • Response Filtering

 

3.  Detection Technique

  • Normalization technique used
  • Negative Security Models
  • Positive Security Models
  • Minimal False Positives
  • Signature/Rule Database
  • How frequently the database is updated
  • Are APIs available to customize or extend the vendor's detection functionality
  • Virtual Patching
  • Fraud Detection
  • Business Logic Attacks

4.  Protection Technique

  • Brute Force Attacks
  • Cookie based Attacks
  • Session or Denial of Service Attacks
  • Hidden Form field Protection
  • Cryptographic URL & Parameter Protection
  • Reputation-Based Service
  • External Intelligence Feed, threat landscape etc.
  • Protection against Application DDoS
  • Protection against OWASP Top 10

 

5.  Logging

  • Which commonly used logs are supported
  • Log Forwarding to Syslog or SIEM
  • Unique transaction IDs included with every log message
  • Log Export facility
  • Event logs and notification via Email, SMS, Syslog support, SNMP Trap etc.
  • Log Retention
  • Sanitization or masking of critical data in the logs

 

6.  Reporting

  • Reporting Format Supported
  • On Demand report generation, automation & scheduling
  • Report Customization
  • Report distribution methods available
  • Customized Block Page Display Message
  • Compliance Reports

 

7. Management

  • GUI – Web Based
  • Multi-Tenancy, RBAC & Secure Administration
  • Centralized Dashboard, Alerts & Reporting
  • Support of External APIs
  • Integration with existing infrastructure
  • Integration with Vulnerability Scanner, SIEM, DLP etc.
  • Configuration Management & Backup
  • Automatic signature update and Install
  • Profile Learning
  • Policy Management, Export/Import, Roll back mechanism,
  • WAF Security

 

8.  Performance

  • HTTP level performance
  • HTTP level performance with SSL enabled
  • Maximum  number of concurrent connections
  • Performance under Load
  • Fail-Safe & Pass through when device fails

9. Support

  • 24*7*365 support available
  • Quality of technical support
  • Support presence in local City, Country etc.
  • Direct Support or Partner
  • SLA, TAT, Escalation Matrix etc.

 

10.  Cost

  • Initial cost
  • Setup & Implementation Cost
  • Recurring subscription costs
  • Patch Update & Upgrade Cost
  • Any other hidden cost

 

11.  Vendor Reputation

  • Market share, Turnover, Profitability
  • Any certification like ICSA Labs etc.
  • Enables compliance with PCI DSS Requirement 6.6
  • Listed by any IT research company like Gartner, Forrester, IDC etc.
  • Customer Base
  • Any customer implementation similar to your line of business

 

-With Yadavendra Awasthi, Netmagic Solutions Pvt. Ltd., on How To Evaluate a WAF (Web Application Firewall) Vendor

What are your quick tips to evaluate WAF vendors? Share with us in the comments below.
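Two items in the logging section of the checklist above (unique transaction IDs on every log message, and masking of critical data in the logs) can be verified on a log sample exported during the POC rather than taken on the vendor's word. The helper below is an added example, not code from the original post or from any WAF vendor. The key=value line format, the field names (txid, body, and so on) and the four sample lines are constructed for this example; parse_line() has to be adapted to the candidate's real export format.

```python
"""WAF log export review (added example; not code from the original post
or from any vendor).

Checks two items from the logging section of the checklist on a log
sample exported during the POC:
  1. every event carries a unique transaction ID, and
  2. cardholder data (PAN) and passwords never reach the log unmasked.
The key=value line format, the field names and the sample lines below are
constructed for this example; adapt parse_line() to the real export.
"""
import re
from collections import Counter

# Constructed sample export. Line 1 is clean, line 2 leaks a PAN in the
# logged body and reuses a transaction ID, line 3 has no transaction ID,
# line 4 reuses the same ID as line 2.
SAMPLE_LOG = """\
ts=2014-06-01T10:00:01Z txid=a1f3 action=block rule=942100 src=203.0.113.7 uri=/login body="user=bob&pass=****"
ts=2014-06-01T10:00:02Z txid=a1f4 action=allow src=198.51.100.9 uri=/pay body="pan=4111111111111111&cvv=123"
ts=2014-06-01T10:00:03Z action=block rule=941100 src=203.0.113.7 uri=/search?q=<script>
ts=2014-06-01T10:00:04Z txid=a1f4 action=block rule=932100 src=203.0.113.8 uri=/cgi-bin/test
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PAN_RE = re.compile(r'(?<!\d)(\d{13,19})(?!\d)')
PASSWORD_RE = re.compile(r'(?:password|pass|pwd)=([^&"\s]+)', re.IGNORECASE)


def luhn_ok(digits):
    """Luhn check, used to tell a real PAN from any other long digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def parse_line(line):
    """Split one key=value log line into a dict (surrounding quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def find_unmasked(event):
    """Return (field, problem) pairs for secrets logged in the clear."""
    problems = []
    for field, value in event.items():
        for m in PAN_RE.finditer(value):
            if luhn_ok(m.group(1)):
                problems.append((field, "unmasked PAN"))
        for m in PASSWORD_RE.finditer(value):
            if set(m.group(1)) != {"*"}:       # anything but a fully masked value
                problems.append((field, "unmasked password"))
    return problems


def review(log_text):
    """Return a list of (line_number, finding) for the whole export."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    seen = Counter(e["txid"] for e in events if "txid" in e)
    findings = []
    for lineno, event in enumerate(events, start=1):
        txid = event.get("txid")
        if not txid:
            findings.append((lineno, "missing txid"))
        elif seen[txid] > 1:
            findings.append((lineno, f"duplicate txid {txid}"))
        for field, problem in find_unmasked(event):
            findings.append((lineno, f"{problem} in {field}"))
    return findings


if __name__ == "__main__":
    for lineno, finding in review(SAMPLE_LOG):
        print(f"line {lineno}: {finding}")
```

Run it against a few thousand exported lines from each candidate after replaying the same test traffic through all of them; a vendor whose logs carry unmasked PANs turns the WAF itself into a PCI DSS scope problem, and duplicate or missing transaction IDs make the log useless for correlating a blocked request with the SIEM event it produced.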


PCI DSS – Stringent but Exhilarating to Implement (Project PCI DSS Implementation & Certification)

PCI DSS stands for Payment Card Industry Data Security Standard. It is a robust, comprehensive, technology-driven, transparent and explicit standard to enhance security controls around payment card and related account data by ensuring the safe handling of cardholder information at every step, thereby reducing payment card fraud via its exposures.

PCI certification is a capability mandated for an organization that stores, processes, views or transmits critical cardholder information, and the organization should comply with all applicable requirements specified by the PCI standard, based on business, scoping and risk assessment outcomes, without any deviation. That is what makes this standard more reliable and effective.

The standard has 6 control objectives, 12 requirements and 204 sub-requirements against which validation of compliance is performed annually, based on scope applicability, by a QSA, and a compliance status is issued which includes an Attestation of Compliance (AOC) and a Report on Compliance (ROC), supported by a Certificate of Compliance (COC) from the QSA.

The key mantra to achieve compliance (report) without any hindrance is hidden in effective business understanding, scoping, risk assessment and pre-assessment (assess), which in turn help to plan the activities seamlessly by aligning requirements with suitable technologies and processes (remediate). This is applicable to new implementations as well as projects under maintenance.

In spite of having stringent requirements, I found this standard is COOL for implementation and maintenance due to its clear directions, which in turn boost security effortlessly by ensuring actual security at all levels (physical security, environmental security, personnel security, fraud control mechanisms, IT & data security, data privacy, managed & monitored business environment), thereby leading to compliance.

 


Key to Success

  1. Clear business understanding and proper scoping
  2. Dipstick risk assessment and stringent pre-assessment, followed by immediate, effective remediation
  3. Effective alignment of technologies and processes with requirements
  4. Proper scoping of IT assets considering primary and secondary processing sites, including data center sites if you have a separate one
  5. Monitored and requirement-based privileged access
  6. Treat it as a yearly program with a do-or-die concept, without pushing activities to next year for improvement
  7. Identifying and engaging a proper QSA, ASV and other service providers with the capability to address your queries and needs in time
  8. Controlled and monitored environment
  9. Effective record maintenance, including agreements and AMCs
  10. Build the sustenance capability

 

Key Learning: Dos and Don’ts

Dos

  1. Do have an annual, time-bound program based on the assess-remediate-report concept, with proper governance led by a senior, empowered manager with adequate domain expertise, including sound technical, managerial, strategic, analytical, negotiating and influencing skills.
  2. Do build capability among the major stakeholding teams for implementation and sustenance by providing adequate role-based training, which majorly includes Risk, Security, IT, HR, Facility, Audit and end-users.
  3. Do appoint a knowledgeable QSA, or conduct a self-assessment using the applicable version of the SAQ.
  4. Do treat pre-assessment and VA/PT outcomes seriously and remediate ASAP.
  5. Do ensure in-time achievement of all milestones without fail.
  6. Do aim at achieving security while implementing or remediating; you will automatically land in compliance.
  7. Do ensure proper scope coverage considering the end-to-end requirements related to governance, business operations, statutory & regulatory requirements, security & compliance operations, IT security & operations, data security & privacy, personnel security & fraud controls, and physical & environmental security.
  8. Do consider the current technology, processes and practices in place and fix the gaps, if any, to achieve compliance with ease in a cost-effective fashion.

 

Don’ts

  1. Do not mistake this for a project or a simple technical implementation; this is a collaborative program.
  2. Do not aim to achieve compliance by compromising security; it may lead to major pain.
  3. Do not do the self-assessment unless you have a clear understanding of the requirements.
  4. Do not opt for a long time frame for implementation/remediation; it may lead towards more non-compliance.
  5. Do not go for risk acceptance supported by compensating controls except for a truly unavoidable business need.
  6. Do not keep VA/PT actionables open on the assumption that you have a quarter's time frame. Remediate the outcome of the following ASAP: the 4 quarterly internal VAs, wireless VA & rogue detection, ASV scans, and the annual internal & external PT.
  7. Do not do a risk assessment for the sake of compliance.
  8. Do not adopt a new technology or practice unless required.

-With Lopa Mudra Basu, SLK Global, on the Dos And Don'ts Of PCI DSS

Are there other aspects or Dos and Don'ts you consider for PCI DSS ? Share your views with us in the comments below.


For many organizations the success or failure of IT initiatives is predicated on the selection of the appropriate technology vendor. Despite the critical nature of this process, many organizations underestimate the time and effort it takes to make a well-informed decision. This article, based on my personal experience and learning while doing complete IT projects at Pay Point India, is meant to serve as a guide to help you understand and think through the critical steps in the vendor selection process.

As you read this, please keep in mind that as an organization goes through the vendor selection process it is not uncommon for other business processes or organizational needs to be revealed. It is important to remember that technology projects are often not just about the technology, but rather the health and effectiveness of the entire organization. This learning experience focuses on the process of selecting a vendor, and assumes that other important organizational change management issues are being addressed in concert to support this process.

 

Seven Step Model

  • ASSESS FEASIBILITY - Is this viable for my organization?
  • GATHER REQUIREMENTS - What does my organization need?
  • RESEARCH & REFINE OPTIONS - What solutions/vendors might fit my needs?
  • EVALUATE VENDORS - What is the best fit for my organization’s needs?
  • SELECT & ENGAGE VENDOR - Is this a reasonable price and contract?
  • MANAGE IMPLEMENTATION - Has the vendor delivered on its promises?
  • SUPPORT & MAINTENANCE - How will we maintain the solution and support it?

 

STEP 1:   ASSESSING FEASIBILITY

Organizational Readiness - Consider important elements to project success such as getting buy-in from staff and overcoming technology fears and resistance to change.

Budgeting - Ensure that you have the appropriate budget level to successfully execute the project. Make sure that your budget can withstand reasonable variances from original estimates. Technology projects have varying degrees of financial risk based on the complexity of the project. At a minimum, your project budget should be able to withstand a 15% variance.

Staff Availability - Most technology projects require a significant investment of time by your organization’s staff. Your staff will be involved in many stages of the process, such as requirements gathering, training, testing, and disruptions during deployment. You will also need to designate a project advocate from your staff to manage the vendor relationship and internal resources associated with the project. Before embarking on any large technology project, ensure that your organization can free up time from the appropriate staff members to make this project successful.

Sustainability - Ensure that you have the proper resources in place to sustain the technology at the conclusion of the project. This could include budgeting for ongoing support, hiring a technology manager, or giving ownership of maintenance to a staff member.

Return on Investment (ROI) - Is the project worth the investment? Will it allow you to serve your constituents better or serve more of them? Will it improve your operations and/or lower costs?

Arriving at a Decision - After careful review of the aforementioned factors, you are now ready to make a decision. Most organizations will have a clear “go” or “no-go” decision. If the limiting factor is budget or staff availability you may decide to opt for a “go-later” decision.

OUTCOME: “GO”, “NO GO”, “GO LATER” DECISION

STEP 2:   GATHER REQUIREMENTS

Review Business Strategy - Identify the business goals you hope to accomplish with this technology project.

Ensure Alignment - Make sure that the application of technology will be an enabling factor and will not create a disruptive influence on the organization.

Process Mapping - Document critical business processes that your organization performs. This understanding will be critical for a vendor to understand how its solution should be implemented at your organization.

Process Re-engineering - Technology implementation often provides an opportunity to change the way certain business tasks are managed at your organization. Consider this element and make a determination if it would be valuable to include.

Requirements Analysis - Identify critical requirements (such as number of users, current technologies in use, need for remote access, training, etc.) that you will need as a part of your technology solution.

Prioritization of requirements - Prioritize your list of requirements and determine which ones are essential and which ones are “nice to have” but not required for success.

Environmental assessment - If your project involves environmental or physical location factors, make sure a thorough assessment is conducted and that all findings are well documented. 

Technical assessment - Document your current technology and catalog all areas that may interface with your new solution.

OUTCOME: REQUIREMENTS DOCUMENT/REQUEST FOR PROPOSAL


STEP 3:   RESEARCH & REFINE OPTIONS

Buy/Blend/Build - Most technology solutions can be categorized into one of three areas: Buy an off-the-shelf solution, Build a custom solution, or Blend a solution by combining an off-the-shelf product with some customization.

Establish Evaluation Criteria - Develop a set of criteria on which you would like to evaluate your prospective vendors. Appendix A has an example of some common criteria used in evaluations.

Conduct Research - Use the resources at your disposal to learn more about existing products or solutions that could meet your needs. Discuss your project objectives with related organizations, trusted advisors, and technology consultants.

Define Targeted List - Based on your requirements and your research into solutions, create a short list of vendors who may be able to meet your requirements. The size of your short list of vendors should correlate to variability in proposed solutions and project complexity. For instance, for a small defined project a short list of 3 vendors may be appropriate. For large complex projects with many different approaches, you may consider a list as large as 8 vendors. Make sure that you keep your short list of vendors to a manageable scale.

Send RFP - Send the vendors your requirements information and ask them to submit a proposal. Typically requirements are sent in the form of a Request for Proposal (RFP) document.

OUTCOME: TARGETED LIST OF VENDORS/SOLUTIONS TO PURSUE

 

STEP 4:   EVALUATE VENDORS

Evaluation Matrix - Develop an evaluation matrix (see Appendix B) to help you objectively evaluate each vendor’s proposal and product demonstration.

Proposals - Each invited vendor should respond to your RFP with a written proposal. Carefully evaluate each proposal and encode the proposal information into your evaluation matrix.

Product Demonstrations - Many vendors will request an in-person or web-based opportunity (a “demo”) to showcase the capabilities of their solution. Demos are a valuable way to get more information and also evaluate intangible aspects of a vendor.

Reference Checks - Don’t forget to check the vendor’s references as a part of your evaluation process. Consider site visits if you are making a large investment.

OUTCOMES: VENDOR PROPOSALS, VENDOR DEMOS, WEIGHTED VENDOR MATRIX

STEP 5:   SELECT & ENGAGE VENDOR

Primary and Secondary Options - At the conclusion of your evaluation process, you will need to identify a primary option (your winner) and some secondary alternatives.

Negotiations - Do not burn the bridges with secondary option vendors as they will serve as a valuable resource in the negotiation process. While you are in the negotiation process, keep in mind your secondary options as they serve as your best alternative if your negotiation falls through. Make sure that the final deal you strike with your preferred vendor is at least as favorable as your secondary options. 

Contracting - Identify a clear set of objectives, deliverables, timeframes, and budgets for your project with the vendor. Make sure these are clearly written in the terms of the contract.

OUTCOME: FINAL VENDOR SELECTED & CONTRACTED


STEP 6:   MANAGE IMPLEMENTATION

Dedicate Project Manager - Your organization should dedicate one or more staff to oversee the solution implementation. These staff should have regular checkpoints with the vendor to ensure that delivery matches expectations.

Ensure Timely Delivery - Vendors often juggle many clients at once and as such it is important for your organization to keep track of deliverable dates and ensure that the vendor is meeting them. Be conscious of your deadlines and deliverables to your vendor so they can make their target delivery dates. Keep an eye out for contract terms that apply additional fees for late delivery of necessary project materials from you to the vendor.

Ensure On-Budget Delivery - If your organization negotiates a Time & Materials (T&M) contract with vendor, then it will become imperative to track hours spent and budgeted hours remaining on a project. Without careful consideration of these elements, project costs could spiral out of control.

Manage Scope - The greatest area of risk for most technology projects is in controlling project scope. Once an organization begins to see the possibility of technology, they often attempt to do too much in the initial development and launch of the solution. If this is the case, consider your project with the vendor a “Phase 1 deployment” and try to push back on new additions until a future phase. If a new addition is essential to a project, then you should clearly define it in an addendum to the scope of work and negotiate the price with the vendor.

Manage Expectations - Manage the expectations of all parties involved in the implementation support. Be sure to provide realistic timeframes and advance warning of any variances in budgets and timeframes.

OUTCOME: ON TIME & ON BUDGET DELIVERY OF EXPECTED SOLUTION

 

STEP 7:   SUPPORT & MAINTENANCE

Resources: Ensure that the appropriate resources are dedicated to support the technology on an ongoing basis. Your support and maintenance plan could include some or all of the following:

  • Support Hours/Contract
  • Hiring of tech resources to manage it
  • Assignment of staff member to take ownership
  • Patches & Maintenance
  • Ongoing Training


Upgrades: If the technology solution becomes mission critical, plan an upgrade path for it. Technology tends to change dramatically every 3 years and should never be considered a one-time investment.

OUTCOME: STABLE & EFFICIENT TECHNOLOGY SOLUTION THAT EMPOWERS THE ORGANIZATION

 

CONSIDER EXTERNAL FACTORS

The framework proposed in this paper assumes that your organization is operating in a completely neutral framework and has great latitude in making a decision. Our experience of working through this process with many clients indicates that this is often not the case. Most vendor selection efforts are often influenced by external factors such as foundation recommendations, group purchasing decisions, or donations/discounts discovered through board contacts. Consider these external factors in your assessment phase. The presence of these external factors does not mean that you should forgo the vendor selection process; however, it can mean considering your options in a different light.

These external factors can sometimes lead to significant benefits such as discounts with vendors, financial support, leveraging existing research on vendors, implementation experience, and technical support. The equation you should take into consideration is whether the cumulative benefits outweigh the costs of potentially selecting a less optimal vendor.

Is your organization being asked to use a vendor that really doesn't match your needs? If such a case does arise, the vendor evaluation matrix can become a huge asset for your organization. Conduct the evaluation using the externally recommended vendor as a baseline and see where your options fall. You can then present the evaluation matrix to your funders or board members to make an argument for or against a specific course of action.


APPENDIX A: DIMENSIONS OF EVALUATION FOR VENDORS

The following list contains typical dimensions along which vendors can be evaluated. While comprehensive, the list is not exhaustive and you should consider adding your own dimensions to the evaluation criteria.

FEATURES

■   Essential Features

■   Cool to Have Features

■ (Add Requirements Criteria)

 

VENDOR STABILITY

■   Vendor Size

■   Vendor Financials

■   Years in Business

■   Number of Clients

■   Size of Tech Team

■   References

■   Future Direction - Roadmap

 

TECHNOLOGY ELEMENTS

■   Usability/Ease of Use

■   User Interface/Visuals

■   Flexibility

■   Extensible? Customizable?

■   Compatibility

■   Security

■   Backups

■   Virus Protection

 

GENERAL IMPRESSIONS

■   Positives

■   Risks

■   Friendliness

■   Responsiveness

■   Experience/Skill Level

■   Actual Project Team

 

PRODUCT STABILITY

■   Performance Levels

■   Uptime Percentage

■   Last Downtime

■   Duration of Downtime

■   Load/Capacity


TIMEFRAME FOR DEPLOYMENT

■   Phase 1

■   Phase 2

■   Additional phases (if any)

■   Project Completion

■   Training

 

COSTS

■   One-Time (Setup, Configuration, Development)

■   Ongoing (Maintenance, Licensing)

■   Add-Ons

■   Hardware/Software

■   Training

■   Support

■   Data Migration

■   Fixed or Variable

■   TCO = Total Cost of Ownership

 

TRAINING & SUPPORT

■   Support Availability

■   Support Coverage Hours

■   Support Response Time

■   Training Plan

■   Online Help Resources

■   Availability of Support Talent

■   Documentation

 

OTHER CONSIDERATIONS

■   Hosted Externally/ASP

■   Additional Equipment

■   Platform Considerations

■   Locked In to Vendor Solution?

■   Implementation Plan

■   Data Migration

 

SECURITY & BACKUPS

■   Backup Policies

■   Recovery Procedures

■   Virus Protection

■   Data Security

■   Application Security

■   Hardware Security


APPENDIX B: CREATING A WEIGHTED VENDOR EVALUATION MATRIX

It is important to keep yourself objective when going through the vendor evaluation process. It is easy to get swayed by an impressive product demonstration or an eloquent sales representative. In order to avoid falling into this trap, we often use a weighted matrix to rank vendors. Below is an example of how to structure your own vendor evaluation matrix.

 

SAMPLE WEIGHTED MATRIX (for a 3-vendor evaluation)

 

A spreadsheet program is a great tool for plotting your evaluation matrix. When developing the matrix, you will need to make decisions regarding the following:

 

  • How important is each of the dimensions to your organization? For instance, if support hours are critical, you may assign it 10 points instead of 4.

  • How do the scores relate to each other? For instance, if you are evaluating three vendors it is usually good to score using a 3-point scale or a multiple of a 3-point scale. The vendor who performs best in this category would get a 3 and the worst performer would get a 1. If two vendors are equal on a given dimension, then give them the same score. If the dimension is a very important one, you may make it worth 12 points, with the top vendor getting 12, the second getting 8, and the last one getting 4.

  • What is a substantive difference in scores? If you are evaluating on a 100-point scale and you get a final list of three vendors all within a score range of 51 to 59, then there may not be a substantive difference between them. Take a deeper look at the relative strengths and weaknesses of each vendor before making a final decision.

 

Do not add any element to your weighted scores that is worth more than 25% of the total points on the matrix. Such dimensions should instead be looked at side by side with the weighted scores. The two most common elements we normally do not include in our weighting are PRICE and TIMEFRAME. Including elements such as these in the matrix would really skew the results, so it works better to consider them independently.

 

YOUR END RESULT should be a table with one row per dimension showing the points each vendor earned on it, a weighted total per vendor, and price and timeframe listed alongside the totals rather than folded into them.
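The scoring rules above, as an added worked example written for this page rather than taken from it. The vendor names, raw scores and weights are constructed; the functions `rank_points`, `build_matrix`, `check_weights` and `close_call` are this example's own names, not a tool the article describes. It generalizes the 3-vendor scale to any number of vendors (points step down in equal fractions of the weight), enforces the 25% cap, and flags a result whose spread is too small to separate the vendors.

```python
"""Weighted vendor evaluation matrix following the rules in the text:
rank-based points on a multiple of a 3-point scale, equal raw scores earn
equal points, no dimension worth more than 25% of the total, and price and
timeframe kept out of the weighted total."""

from collections import defaultdict

# Constructed sample: raw assessment (0-10, higher is better) of three
# hypothetical vendors on five dimensions taken from Appendix A.
RAW_SCORES = {
    "Essential features": {"Vendor A": 9, "Vendor B": 7, "Vendor C": 9},
    "Support hours":      {"Vendor A": 4, "Vendor B": 8, "Vendor C": 6},
    "Vendor financials":  {"Vendor A": 6, "Vendor B": 6, "Vendor C": 6},
    "Data security":      {"Vendor A": 5, "Vendor B": 9, "Vendor C": 7},
    "Usability":          {"Vendor A": 8, "Vendor B": 6, "Vendor C": 6},
}

# Maximum points per dimension (the weights). Each is a multiple of 3 so the
# rank-based scale for three vendors divides evenly (12 -> 12, 8, 4).
WEIGHTS = {
    "Essential features": 12,
    "Support hours": 9,
    "Vendor financials": 6,
    "Data security": 12,
    "Usability": 9,
}

MAX_SHARE = 0.25  # no single dimension may exceed 25% of total points


def check_weights(weights):
    """Return the dimensions whose weight exceeds MAX_SHARE of the total."""
    total = sum(weights.values())
    return [dim for dim, w in weights.items() if w / total > MAX_SHARE]


def rank_points(raw, weight):
    """Convert one dimension's raw scores to rank-based points. The best
    vendor gets the full weight and each lower rank loses weight/n, so with
    three vendors and weight 12 the points are 12, 8, 4. Vendors with equal
    raw scores share the same rank and therefore the same points."""
    distinct = sorted(set(raw.values()), reverse=True)
    n = len(raw)
    return {vendor: weight * (n - distinct.index(value)) / n
            for vendor, value in raw.items()}


def build_matrix(raw_scores, weights):
    """Return (matrix, totals): points per dimension per vendor, and the
    weighted total per vendor."""
    matrix = {}
    totals = defaultdict(float)
    for dim, raw in raw_scores.items():
        matrix[dim] = rank_points(raw, weights[dim])
        for vendor, pts in matrix[dim].items():
            totals[vendor] += pts
    return matrix, dict(totals)


def close_call(totals, max_points, threshold=0.10):
    """True when the spread between best and worst total is under `threshold`
    of the available points, i.e. the scores alone do not separate vendors."""
    scores = sorted(totals.values())
    return (scores[-1] - scores[0]) < threshold * max_points


if __name__ == "__main__":
    assert not check_weights(WEIGHTS), check_weights(WEIGHTS)
    matrix, totals = build_matrix(RAW_SCORES, WEIGHTS)
    for dim, pts in matrix.items():
        print(f"{dim:20} " + "  ".join(f"{v}: {p:4.1f}" for v, p in pts.items()))
    print("Totals:", totals)
    print("Close call:", close_call(totals, sum(WEIGHTS.values())))
```

With these constructed inputs Vendor B leads (41 of 48 points) over Vendor C (38) and Vendor A (34); the spread is large enough that `close_call` returns False, while a hypothetical 51/55/59 result on a 100-point scale, the case the text describes, is flagged as too close to decide on scores alone.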

- With Sachin Lokhande, Pay Point India Network Ltd, on How To Evaluate a Vendor in IT Projects

Which of the above steps will be most helpful for your organization? Share your thoughts with us in the comments below.

Read more…

Checklist to Evaluate a DLP Provider

The Data Leak Prevention Project was rolled out in Lanco Infratech Ltd

  • To protect its proprietary assets and business data against any loss or leakage
  • To meet regulatory requirements as per the segment of industry.
  • To increase awareness amongst the employees by publishing the incidents and policy violation cases across the group
  • To help in establishing evidence of intentional breaches to initiate disciplinary cases.

  

Check-list for Evaluation:

Policy Definition

  • Policy Wizard to enable predefined policy templates based on Geography and Industry
  • Ability to define policy owners for each policy
  • Policy should allow administrators to run different external commands for different policy violations
  • Ability to enforce fingerprint policies when the endpoint is disconnected from corporate network
  • Ability to allow administrators to define applications or application groups that can have access to sensitive data

 

Database Fingerprinting

  • Fingerprint databases using ODBC or equivalent protocol
  • Ability to create multiple rules that correlate different fields within a database, with options for different thresholds for different rules
  • Fingerprint specific tables from a database
  • Fingerprint specific fields from a table

Directory/file fingerprinting

  • Ability to ignore information (organization boilerplate, confidentiality notices, etc.) from fingerprinting in files
  • Ability to schedule the task for ignoring information from fingerprinting

Discovery

  • Options for agentless discovery on databases, file servers, SharePoint portals, Exchange mailboxes, etc.
  • Ability to control the bandwidth used for discovery
  • Ability to maintain the original file access time stamps while performing the discovery

Destination Awareness over Web

  • Create policies based on URL categories
  • Real Time User Identification


SSL Decryption

  • Ability to natively decrypt SSL sessions and inspect content sent over SSL (HTTPS).
  • Hardware required for SSL decryption
  • Unified Management

Custom pattern creation

  • Ability to create custom patterns based on organization/data owner needs

Notification

  • Options to send different notification templates for different policies
  • Notification to the policy owner should be possible in the policy by adding the email address of the policy owner
  • Options to notify administrators, policy owners, senders and sender's manager

Management & Reporting

  • Options to view incidents by setting different filters
  • Options to report sensitive information sent to multiple recipients in a single mail as a single incident

 

Workflow management

  • Ability to quarantine sensitive emails, notify the sender's manager and the policy owner, and give them permission to release the email from the system if it is approved or required by the business.
  • Ability to escalate an incident to a person who is defined in the workflow process
  • Ability to integrate automatically with DRM and encryption software
  • Ability to not allow incident managers or administrators to delete an incident

Deployment Options

  • Capabilities to integrate with ISA proxy by installing an agent on ISA
  • Options for SSL Decryption to monitor leaks over HTTPS
  • Options to monitor printing on Network printers
  • Options to monitor internal mail traffic

 

Hardware required

  • Number of hardware required to deploy DLP at HOV
  • Additional hardware for SSL Decryption

 

Support Capabilities

  • 24x7 support
  • Trained partners
  • Training

- With KK Chaudhary, Lanco Infratech Ltd, on How To Evaluate a DLP Vendor

What are some other factors you use to evaluate a DLP solution vendor ? Share your thoughts in the comments below.


Read more…


What I found interesting in this report was the numbers on increasing DDoS attacks. The recent DoS and DDoS attacks on Evernote and Feedly have left us thinking; Evernote learned how dependent its users are on the service. It was assumed that such traffic attacks were driven by a grudge, yet the threats are changing. Even though a DDoS leaves credentials and sensitive data intact, it causes a huge loss of enterprise reputation and customer base. That position must change, though.


>>Download the full report for more information

Growing Cyber Crime Loss


Major Trends-

SQL injection – According to Veracode, 30% of all data breaches are due to SQL injection.

This type of attack exploits web applications that do not properly validate or parameterize user input, so that attacker-supplied text is interpreted as part of the SQL statement and the database returns (or modifies) data the application never intended to expose.
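An added illustration of the mechanism just described, not part of the Akamai report or the original post: the lookup built by string concatenation beside its parameterized replacement, run against an in-memory SQLite table of constructed rows. The table, the two payloads and the function names are this example's assumptions.

```python
"""SQL injection: a lookup built by string concatenation beside the
parameterized version, run against an in-memory SQLite table."""

import sqlite3


def setup_db():
    """Create a throwaway users table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password_hash TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash, role) VALUES (?, ?, ?)",
        [
            ("alice", "hash-of-alice-pw", "admin"),
            ("bob", "hash-of-bob-pw", "user"),
            ("carol", "hash-of-carol-pw", "user"),
        ],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """VULNERABLE: the user-supplied value is pasted into the statement, so
    quotes and keywords in it become part of the SQL."""
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    """FIXED: the value travels as a bound parameter; the database treats it
    as data, never as SQL, whatever characters it contains."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# Two classic payloads. The first turns the WHERE clause into a tautology and
# dumps every user; the second uses UNION to pull the password_hash column the
# query was never meant to expose (the trailing -- comments out the closing quote).
TAUTOLOGY = "x' OR '1'='1"
UNION_DUMP = "x' UNION SELECT username, password_hash FROM users--"


if __name__ == "__main__":
    conn = setup_db()
    for payload in (TAUTOLOGY, UNION_DUMP):
        print("vulnerable:", lookup_vulnerable(conn, payload))
        print("safe:      ", lookup_safe(conn, payload))
```

Against the vulnerable function the tautology returns all three users and the UNION payload returns every password hash; the parameterized function returns nothing for either, because no user is literally named `x' OR '1'='1`.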


Account-checker – Public-facing web sites and applications often require users to log in to access parts or all of the application. Because users often choose passwords that are easy to guess, or reuse passwords across multiple accounts, attackers can script repeated login attempts (with guessed passwords, or with credentials leaked from another site) to find valid credentials and take over an account.
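An added example, not part of the original post, of the detection logic a security operations team might run over authentication logs to spot the scripted login attempts described above. The log format, the addresses (RFC 5737 test ranges), the usernames and the thresholds are constructed for the example; the function names are its own.

```python
"""Detecting account-checker activity in authentication logs: a sliding
window per source IP that flags many failed logins (brute force) and
failures spread across many distinct accounts (credential stuffing)."""

import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (hypothetical format, RFC 5737 test addresses).
SAMPLE_LOG = """\
2014-06-12T10:00:01Z ip=192.0.2.10 user=dave result=FAIL
2014-06-12T10:00:09Z ip=192.0.2.10 user=dave result=FAIL
2014-06-12T10:00:20Z ip=192.0.2.10 user=dave result=OK
2014-06-12T10:00:30Z ip=198.51.100.9 user=erin result=FAIL
2014-06-12T10:01:00Z ip=203.0.113.5 user=alice result=FAIL
2014-06-12T10:01:05Z ip=203.0.113.5 user=alice result=FAIL
2014-06-12T10:01:10Z ip=203.0.113.5 user=alice result=FAIL
2014-06-12T10:01:15Z ip=203.0.113.5 user=alice result=FAIL
2014-06-12T10:01:20Z ip=203.0.113.5 user=alice result=FAIL
2014-06-12T10:01:25Z ip=203.0.113.5 user=alice result=FAIL
2014-06-12T10:02:00Z ip=198.51.100.7 user=alice result=FAIL
2014-06-12T10:02:01Z ip=198.51.100.7 user=bob result=FAIL
2014-06-12T10:02:02Z ip=198.51.100.7 user=carol result=FAIL
2014-06-12T10:02:03Z ip=198.51.100.7 user=dave result=FAIL
2014-06-12T10:06:30Z ip=198.51.100.9 user=erin result=FAIL
2014-06-12T10:12:30Z ip=198.51.100.9 user=erin result=FAIL
2014-06-12T10:18:30Z ip=198.51.100.9 user=erin result=FAIL
2014-06-12T10:24:30Z ip=198.51.100.9 user=erin result=FAIL
2014-06-12T10:30:30Z ip=198.51.100.9 user=erin result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect(log_text, window_seconds=300, fail_threshold=5, user_threshold=3):
    """Scan log lines in order and return {(ip, kind): first_trigger_time}.

    kind is "brute_force" when an IP has >= fail_threshold failures inside
    the window, and "credential_stuffing" when its failures in the window
    touch >= user_threshold distinct accounts. Successful logins are ignored
    and failures older than the window are evicted, so a slow attacker who
    spaces attempts beyond the window is deliberately not flagged by this
    per-IP rule (per-account lockout or rate limiting covers that case).
    """
    recent = defaultdict(deque)  # ip -> deque of (timestamp, user) failures
    alerts = {}
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None or ev["result"] != "FAIL":
            continue
        window = recent[ev["ip"]]
        window.append((ev["ts"], ev["user"]))
        while (ev["ts"] - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= fail_threshold:
            alerts.setdefault((ev["ip"], "brute_force"), ev["ts"])
        if len({user for _, user in window}) >= user_threshold:
            alerts.setdefault((ev["ip"], "credential_stuffing"), ev["ts"])
    return alerts


if __name__ == "__main__":
    for (ip, kind), when in sorted(detect(SAMPLE_LOG).items(), key=lambda kv: kv[1]):
        print(f"{when.isoformat()} {kind:20} {ip}")
```

On the sample log, 203.0.113.5 is flagged for brute force on its fifth failure against alice, 198.51.100.7 is flagged for credential stuffing once its failures span three accounts, the user at 192.0.2.10 who mistypes twice and then succeeds is not flagged, and 198.51.100.9 slips under the per-IP rule by spacing six failures more than five minutes apart.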


Report Contents -

  • The Changing Threat Landscape
  • Common Approaches to Security
  • The Akamai Intelligent Platform
  • Introducing Kona Site Defender
  • Integrating Into The Security Ecosystem
  • Why Akamai
     

This is a Sponsored Report by Akamai


What are your views on the rising DDoS attacks and the losses due to cyber crime? Share your thoughts in the comments section below.

Read more…


 

Did you know that the applications with the highest malware activity are in unknown UDP?

>>Click here to Download How Unknown UDP Hosts Most Malware


Analyzing Application Threat Landscape Today-

  • 94% of all vulnerability exploit logs observed were found in only 10 applications
  • 99% of all malware logs were found in UDP, the majority of which were generated by a single threat
  • 34% of all applications observed (539 of them) can use SSL in some manner

So how is today's cyber crime hitting applications to reach its victims?


>>Click here for How To Address Heartbleed In Your Organization


Top Surprising Findings (Global + Regional) on Application Malware

  • How to address the Heartbleed risk in your organization? The risk is not limited to big names like Google and Dropbox.
  • Is unknown UDP the malware hiding place of choice?
  • False or fact: does high-volume usage mean high-volume threat activity?
  • What percentage of business and security risk exposure comes from common sharing applications?
  • How is the Smoke Loader botnet working?
  • How do brute-force attacks target business applications and services?
  • How many applications on your network actually use SSL?


>>Click here to Download Report & More Surprising Findings

Do you think Heartbleed is a big threat to all enterprises and not just giants like Google? If so, how? Share your views with us in the comments below.

Read more…

How to Build Your Professional Brand?

Fundamentally we associate branding with bragging, and thus with embarrassment. Rather, branding is what others think of you, a response to the stimulus you provide. Adityanath Jha (CEO, Crayon Pictures; former Global Head of Branding at Infosys) shows a completely different aspect of branding from scratch.

 

 

 

 

Key Learning, Video and PPT

  • Branding is not bragging, Branding is What Others Think Of You
  • Branding is a function of professional, personal and behavioral attributes
  • Branding is the response to the stimulus you provide
  • 3 questions for a Brand Perception
    1. What do you do?
    2. How do you do it?
    3. What do you stand for?

  • Your brand strength is directly proportional to respect earned and awareness gained
  • Learn the secrets to creating thoughts in 2 minutes: 'The Maggi Funda'

 


 

VIEW the complete ppt here.

 



 

 

WATCH the complete video here.



 

What factors do you consider for your brand building? Share your thoughts with us in the comments below.

Read more…

Security Trends in Europe

 

Relevant Security Trends and CISO Challenges in Europe by Don Lee, nRuns Germany

WATCH the complete ppt here.



WATCH the complete video here.



Today's Security Key Concerns-

  • CISO Challenges
  • Environmental factors
  • Loss of control over most of IT
  • Need for Rising to the Challenge
  • Everything you know about security changes

CISO Challenges

  • Innovative
  • Faster
  • Flexible/More responsive to customers
  • Cost efficient
  • Secure/compliant
  • High Data Protection and Security Awareness
  • Direction towards Cyber -nationalism
  • Increasing threats and targets
  • Roster of technologies and vendors who are trying to rise to the challenge
  • Traditional security models are strained

We don't control most of IT

  • Socialization and collaboration
  • Mobilization
  • Consumerization
  • Virtualization 
  • Cloudification
  • Industrialization of Hackers
  • Nationalization of Hackers

Need for Rising to the Challenge

  • Compliance
  • Risk Analysis
  • Protection and Defense
  • Incident Response
  • Identity management
  • Secure communication and Collaboration
  • Mobile Device Management
  • Dealing with Social Media
  • Cloud Security Standards
  • Industry 4.0 Security
  • Cost effective security

The conventional ways have ceased to work; learning and teaching have taken on a new meaning, and execution depends on both. Understanding the business and partnering with it can be a wise move.

Read more…

This exclusive brief from Enterprise Strategy Group (ESG) outlines 4 key strategies for reducing the risk of advanced, targeted threats with next-generation security.

What will you learn in the paper:

  • How the malware threat landscape is becoming more dangerous
  • Why existing defenses cannot provide adequate protection alone
  • What investments organizations are making in new processes and technologies to help address the risks associated with APTs

>>Click here for Complete Checklist & Detailed Report

Hint: Sandboxing alone won't give you the control to take down APTs from your network.



Fear Facts-

  • The malware threat landscape is becoming more dangerous.
  • Existing defenses cannot provide adequate protection alone.
  • Enterprise organizations are willing to invest in new processes and technologies to help them address the risks associated with modern malware.


Read more…

Hardware Trojans: Sneak Peek into the Future


We feel safe checking our software for flaws and for hackers' tricks. However, we never think that the machine we run it on could itself be malicious. There could be havoc if that happened. Prof. Indranil Sengupta (IIT Kharagpur) enlightens us about such threats and the future research scope on hardware Trojans.

 VIEW the complete ppt here.


 


WATCH the complete video here.




Excerpt from the talk

Malicious modification of the circuitry of an IC(Integrated Circuit)

  • Modifications can take place pre or post manufacturing
  • Inserted by intelligent adversary
  • Extremely small hardware overhead
  • Difficult to detect
  • IC malfunctions in field

Do they exist?

  • No concrete proof yet
  • Tampering masks in fab is highly complex
  • Reverse engineering a single IC can take months

Why worry?

  • Numerous suspected military and commercial cases (since 1976)
  • Reverse engineering of ICs is believed to be practiced by well-reputed companies (like IBM)
  • Highly sophisticated commercial software is available for reverse engineering
  • Tampering at the design stage is highly tempting and feasible



Serious Implications

  • Military compromise
  • Civilian Infrastructure compromise( like power grid, transportation etc.)
  • Communication System massacre
  • Loss of human life and property
  • Monetary loss of billion dollars


Some direct malfunctioning

  • “Hardware Trojans could turn microchips into timebombs” (P. Marks, New Scientist, Jul. 2009)
  • “Towards Countering the Rise of the Silicon Trojan” (DSTO, Australian Govt., Dec. 2008)
  • “Cracking Security Codes: Does it Matter?” (C. Tartette, IEEE Spectrum, Feb. 2010)

Why is Trojan Detection so Challenging?

  • Design overhead for invasive methods
  • Infinite instances, low controllability and observability for logic-testing methods
  • Large process variation, detection of small Trojans for side-channel analysis

What are your views on hardware Trojans? Are they really a pressing threat or not? Share your views in the comments below.

Read more…

Can you prevent APT using NextGen Firewall?

Cybercrime and espionage have cost companies over $500 billion in lost IP and untold lost jobs and productivity. The term ‘Advanced Persistent Threat’ was originally used by US Air Force security analysts to describe a particular actor behind a series of attacks. The term has evolved into a broader meaning, now encompassing the actor, the tools, and the process used to launch long-term campaigns. Unlike the ‘smash and grab’ approach used by hacktivists, or the opportunistic ‘spray and pray’ approach used by low-level or solo actors, APTs stem from well-funded, well-organized adversaries, often backed by nation-state actors with long-term strategic goals.

>>Download Whitepaper on Controlling APT using Next-Gen Firewall

3 Distinguishing attributes of APT:

  • Custom Tool and Payload
  • Patient and Strategic
  • Fatal Motive

What is Click Fraud?

Companies who advertise on the internet can get better ad placement by paying the host of their ad every time a user clicks on it. Click fraud schemes use automated methods of repeatedly clicking on a given advertisement to boost the revenues of the hosting site artificially. Click fraud is one of many ways that cyber-criminals can monetize their efforts.


Most Famous APTs:

  • APT1 - the designation Mandiant gave to a group it attributed to a unit of the Chinese military
  • Flame - espionage malware that circulated in Middle Eastern countries
  • Operation Shady RAT - a series of intrusions from 2006 to 2011, reported by McAfee
  • Stuxnet - used to sabotage Iran's nuclear program

Socially Engineered Attacks:

Here’s an exercise you can try at home: Google yourself or a friend. Follow the links to Facebook, LinkedIn, YouTube or other personal sites. Look for connected family, friends, personal interests, recent travels, or employer information. With what you find, would you be able to impersonate someone well enough to get a known associate of that person to trust (and click) an emailed link? Some of the most notorious and impactful APTs have begun just this way. Socially engineered attacks make use of publicly available information to snare users, often through spear-phishing emails.


What are your views on the most notorious APTs? Share your views in the comments section below.

Read more…

4th Top 100 CISO Awards, 2014 Highlights

The 4th year of the “Top 100 CISO Award” at Agra last week saw over 120 CISOs over 3 days, making the grand celebration a huge success and the biggest ever awards for the information security executives of India. Here are the highlights of the event, which had some great keynotes, fascinating Turbo sessions and some of the most fascinating international entertainment. Post-event activities and your feedback have kept us on our toes. Before time tides away, we have assembled some of the most wanted moments, the 2014 highlights:


Top Keynotes 
  • Role of a CISO: Creating  self evaluation metrics - Felix Mohan
  • How to build your professional brand: A guide for CISO - Adityanath Jha (CEO-Crayon Pictures, Former Global Head of Branding- Infosys)
  • Security Trends and Landscape in Europe- Don Lee (MD- nRuns)
  • Sneak Peek into the future: A glimpse into the top security researches in the top global academia - Professor Indranil Sengupta, IIT Kharagpur

Top Turbo Sessions 
  • Believe it or not: Recent Security discoveries that shook the world
  • Inside the world of Elliptic Curve Cryptography
  • How the sound of your CPU can reveal your cryptographic key: The amazing world of side channel attacks
  • Under the Hood: Strategies and Tactics used by NSA
  • Myths and Realities: APT and Truth
  • Into a malware for 180 days: Deep into a malware
  • Hacking Internet of Things: Cars, Aircrafts, UAV, TV and more
  • Silent SMS: How I know where you were yesterday night?

 And lot more..

Entertainment:
  • Laser Man: Fascinating laser show which will take you to the world of science fiction
  • UV Dance Performance: Intriguing performers who stormed "India's Got Talent" shall enthrall you with their magical performance
  • International artists performing the world renowned Can-can dance from Paris
  • Flamenco from Spain

 And lot more..

Spouse Program:

'2014' will remain memorable as your better half both enriched and vitalized the Top 100 CISO Awards. We were overjoyed to take the spouses on a tour for an Agra cultural visit and shopping:

  • Kalakriti - Culture of Agra at a glance
  • Akbar International- Making of Marble Artifacts and their history
  • Sadar Bazaar- A delight for shoppers from Agra shoes to Panchhi petha
  • WhatsApp Group (Spouse Special) - 'CISOPlatformSpouseConnect'

Sunrise at Taj:

Taj Mahal, one of the 7 wonders of the World, looks surprisingly different not just from every angle but also from day to night. 

  • Sunrise at Taj Mahal with spouse
  • Panchhi petha, a cultural remembrance 

Sachin Tendulkar:

  • Some lucky CISOs got a chance to meet the batting legend, Sachin Tendulkar
  • Some CISOs awarded with signed Sachin mini bats


Checklist For Selecting Firewall Vendor

How should CISO define the requirement for solutions related to the Firewall domain?

  • To ascertain the total throughput required. The requirement should be finalized keeping in view the current traffic as well as the expected increase in volumes over at least the next 3-5 years.
  • To ascertain the throughput required for each individual interface.
  • How many interfaces are required in the firewall.
  • Do we require additional modules (IPS, anti-spoofing etc.)? If yes, then which ones.
  • Any technological constraint or specific requirement.

( Read more:  Database Security Vendor Evaluation Guide )

What are the key parameters based on which CISO would choose a vendor for the same?

  • Vendor should have prior experience in supply, installation and maintenance of information security devices. The projects should have been of comparable size. The number of successful deployments should be considered.
  • Vendor should be an authorized partner of the OEM of the equipment to be supplied.
  • Previous record of supply and maintenance / business dealings should be unblemished, with a history of having successfully supplied and deployed information security equipment.
  • Should have qualified staff on its rolls for support of the supplied equipment. These staff should hold the certifications on the product from the OEM.
  • Licensing and fee requirements should be crystallized on various factors like throughputs, components, applications, sites etc.

( Read more:  Technology/Solution Guide for Single Sign-On )

Top Questions to ask vendor for evaluating the offering/Vendor Evaluation Checklist

  • The proposed solution should not be nearing end of life / end of sale / end of support currently. Residual life should be at least 5 years.
  • The life road map of the system should ensure that the solution is covered under OEM support for a period of at least 5 years from the date of purchase / installation.
  • What is the support structure of the vendor and how will the support be provided (on-site, off-site, remote, session logs and audit)?
  • How will updates / patches be made available (online and regular updates are preferable / fixed frequency)?
  • What is the SLA (with specific reference to Uptime Assurance, Turn Around Time)?
  • What is the level of engagement with the OEM for the supply (it should be supply and support)?
  • Responsibilities of the OEM towards the purchaser (for supply, installation and maintenance).
  • What if the front-ending of the existing vendor ends abruptly: does the OEM provide an alternative, and of what quality / assurance?

( Watch more : Attacks on Smart TV and Connected Smart Devices )

Top mistakes to avoid while selecting a vendor?

  • The solution should not be nearing its end of life / end of support.
  • There should be no ambiguity regarding the terms and conditions of services.
  • The tenure of engagement of the vendor's services should be amply clear and accepted in writing by both parties.
  • Verification of the documents submitted by vendors should be done from the original source or an alternate source before selection.
  • Price discovery should be done wherever possible.

-Sunil Soni, CISO, Asstt. General Manager, Punjab National Bank tells CISO Platform about Selecting Firewall Vendors

( More:  Want to share your insights? Click here to write an article at CISO Platform )


Top Steps During Implementation Of A Firewall Project

  • Clearly defined requirements such as type of firewall, architecture, performance requirements, compliance requirements, sizing, reporting, and minimum specifications are important for identifying a suitable solution
  • Once the right products are shortlisted, a proof of concept or environment simulation will help finalize the product that best fits specific needs
  • Final preparation such as firewall architecture design, hardening, its placement, dependencies on other network and security equipment and policy rules are essential before starting with its implementation

( Read more:  My Key Learning While Implementing Database Security )

 

Top Implementation Mistakes Or Learning While Implementing A Firewall Project

  • Improper capacity planning and incorrect zoning affect overall performance and quality of service
  • In-depth testing prior to purchase of such solutions would eliminate surprises at the time of implementation
  • Proper configuration of policy rules, audit and monitoring parameters helps get the best out of such devices
  • A hand-over process and detailed knowledge transfer to the operations team is important for proficient sustenance

Top Challenges Faced During Implementation

  • Errors in policy rules, policy rule conflicts or the order of policies may make some systems or applications inaccessible
  • Improper design of zoning and configuration may expose critical vulnerabilities
  • Incorporating support for various applications needing dynamic ports

( Watch more : 3 causes of stress which we are unaware of ! )

Top Parameters Based On Which Success Of A Project Should Be Measured  (specifically related to the above Domain)

Below are the top parameters based on which the success of a project should be measured:

  • Firewall rule set works as per requirements
  • Seamless & secure access to applications and compatibility across intra zones
  • Performance during peak and normal usage
  • Logging & data management as per organization compliance requirements
  • Vulnerability assessment and penetration testing giving positive results
  • Besides firewall policies, configuration of the right security alerts, Incident Handling, Change Management, Firewall logs and auditing processes are also key parameters for the success of such implementations

-Samir Dani , Dy. General Manager-IT at Suzlon Energy Ltd tells us about Top Steps and Learning in Firewall Projects

( More: Want to become a speaker and address the security community?  Click here )
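Two of the points above, that rule ordering or conflicts can make systems inaccessible and that the rule set should be tested against its requirements, can be checked mechanically before a change goes live. The following is an added example, not code from the original post or from any firewall product: a toy first-match evaluator over a constructed rule set (hypothetical addresses and a made-up rule syntax) that flags rules an earlier, broader rule shadows, distinguishes a conflicting shadow (intended access silently blocked or opened) from a merely redundant one, and replays a constructed access-requirement matrix to find what the policy actually does.

```python
"""Rule-order and requirement check for a first-match firewall policy.

Added example for illustration; the rule syntax, addresses and the
requirement matrix are constructed for this example, not taken from any
real deployment or vendor format.
"""
from dataclasses import dataclass
import ipaddress

# Constructed rule set (hypothetical addresses). One rule per line:
#   name action src dst proto ports   -- first match wins, implicit deny at the end.
# R5 is the classic ordering mistake: it sits below the broad R4 deny.
RULES_TEXT = """
R1 allow 10.10.5.0/24 10.20.0.20/32 tcp 1433
R2 deny  10.0.0.0/8   10.20.0.20/32 tcp 1433
R3 allow 10.0.0.0/8   10.20.0.10/32 tcp 443
R4 deny  10.0.0.0/8   10.20.0.0/16  any any
R5 allow 10.10.7.0/24 10.20.0.30/32 tcp 22
R6 allow 10.10.5.0/24 10.20.0.20/32 tcp 1433
"""

# Constructed access requirements: (src, dst, proto, dport, expected action).
REQUIREMENTS = [
    ("10.10.5.4", "10.20.0.20", "tcp", 1433, "allow"),   # DBA subnet -> database
    ("10.10.9.4", "10.20.0.20", "tcp", 1433, "deny"),    # rest of LAN -> database
    ("10.10.9.4", "10.20.0.10", "tcp", 443, "allow"),    # LAN -> web front end
    ("10.10.7.9", "10.20.0.30", "tcp", 22, "allow"),     # jump hosts -> bastion
    ("10.10.9.4", "10.20.0.20", "tcp", 22, "deny"),      # LAN -> database over ssh
    ("192.168.1.1", "10.20.0.10", "tcp", 443, "deny"),   # nothing matches -> default deny
]


@dataclass(frozen=True)
class Rule:
    name: str
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str      # "tcp", "udp" or "any"
    ports: tuple    # inclusive (low, high); (0, 65535) means any port


def parse_ports(spec):
    """'any', a single port '443', or an inclusive range '1024-65535'."""
    if spec == "any":
        return (0, 65535)
    low, _, high = spec.partition("-")
    return (int(low), int(high or low))


def parse_rules(text):
    rules = []
    for line in text.strip().splitlines():
        name, action, src, dst, proto, ports = line.split()
        rules.append(Rule(name, action, ipaddress.ip_network(src),
                          ipaddress.ip_network(dst), proto, parse_ports(ports)))
    return rules


def matches(rule, src, dst, proto, dport):
    return (ipaddress.ip_address(src) in rule.src
            and ipaddress.ip_address(dst) in rule.dst
            and rule.proto in ("any", proto)
            and rule.ports[0] <= dport <= rule.ports[1])


def evaluate(rules, src, dst, proto, dport):
    """First match wins; no match falls through to the implicit deny."""
    for rule in rules:
        if matches(rule, src, dst, proto, dport):
            return rule.name, rule.action
    return "default", "deny"


def covers(outer, inner):
    """True if every packet that matches `inner` also matches `outer`."""
    return (inner.src.subnet_of(outer.src)
            and inner.dst.subnet_of(outer.dst)
            and outer.proto in ("any", inner.proto)
            and outer.ports[0] <= inner.ports[0]
            and inner.ports[1] <= outer.ports[1])


def find_shadowed(rules):
    """Rules that can never fire because an earlier rule covers them entirely.

    Returns (rule, earlier rule, conflict). conflict=True means the two rules
    disagree on the action, so the intended access is silently blocked or
    opened; conflict=False means the later rule is merely redundant.
    """
    findings = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, rule):
                findings.append((rule.name, earlier.name, earlier.action != rule.action))
                break
    return findings


def check_requirements(rules, requirements):
    """Requirements the rule set fails, with the rule that made the decision."""
    failures = []
    for src, dst, proto, dport, expected in requirements:
        name, action = evaluate(rules, src, dst, proto, dport)
        if action != expected:
            failures.append((src, dst, proto, dport, expected, name, action))
    return failures


if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    for name, by, conflict in find_shadowed(rules):
        print(f"{name} is shadowed by {by}: {'CONFLICT' if conflict else 'redundant'}")
    for failure in check_requirements(rules, REQUIREMENTS):
        print("requirement not met:", failure)
```

Run as written, the checker reports R5 as shadowed by R4 with a conflict (the jump-host access the requirement matrix expects is denied by the broad rule above it, which is exactly the "inaccessible application" symptom) and R6 as a harmless duplicate of R1; the requirement replay shows the same R5 gap and confirms that traffic matching no rule lands on the default deny. A shadow check only catches a rule fully covered by one earlier rule; partial overlaps across several rules need a full set-difference analysis, which is what commercial rule analysers add on top of this.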


Top steps during the Implementation of a DRM project-Points to consider for the implementation of a project:

  • Ensure security and document management with centralized storage. Design using open source architecture as much as possible
  • Search for the correct version/revision and management of project-wise folders to be automated & simplified
  • Centralized data to ensure timely backup and secure intellectual property
  • Single point of document and project handling
  • Easy to audit
  • Security and IP protection
  • Delivery of the real-time and correct version of a document to all concerned cross-functional areas

( Read more:  BYOD Security: From Defining the Requirements to Choosing a Vendor )

Top Implementation Mistakes, Challenges or Learning while implementing DRM projects

Time & again the challenge is in distributing the correct version of a document to other functions like Finance, Manufacturing, Marketing etc. in a secured mode. Real-time availability of the correct document is also a challenge, along with securing the intellectual property.

To address these challenges and keep the Intellectual Property secure in a central location, “PARA-VIRTUALIZATION” is conceived with the idea of managing the vast amount of data being processed, with the ability to give users the right to manage their documents and to create and track the movement of documents, supported by the generation of notifications upon such actions being undertaken. This can be envisaged with the ability to give users the right to manage their documents and create a workflow to track the movement of documents and the respective notifications upon such actions being undertaken. This solution can fully address the security of IP, an increase in productivity, decreased spending, and customer satisfaction.

In any industry, securing Intellectual Property and document management is the top-most priority. These documents are very close to business growth. At the same time, making them available in real time with the correct set is also important.

By adopting the customized solution, we will be able to achieve this. Though there are many ready-made packages available, considering the cost and complexity, we need to design our own system based on our needs to reach satisfaction. Walk a thin line between walking ahead of and walking with users to convince them to go the new way.

The Importance of Self-belief.

Technology may still be in a nascent stage. I realize that we need some time to understand and get accustomed to the technology before we promise the management an ROI. We also need to run trials. It is important for CISOs to convince themselves before convincing others, especially about an initiative which is bound to bring change. With the promising results of the trial run, management will get convinced that this equation will work. But our battle is only half done.

( Watch more : 5 Implications of HTML 5 on Security )

Running Alone... The next challenge is user resistance. “The real test comes with end-user adaptability. Solutions to technical problems are available. But the trust people put in you and your solution cannot be bought, it needs to be earned!” It was up to IT to make end users understand that the new way would ensure business continuity and faster performance. “It may take a lot to ensure that stakeholders know that we are actually trying to find a better solution. We need to test the response time of the solution using stop watches to compare. And users will buy it.”

Getting Vendor Support... If handling users is tough, convincing vendors is tougher. Finally we end up having a better understanding with our partner and support. 

In hindsight, what would you have done differently?

Top-down approach..! Build confidence within the Top Management Team and get the instructions to flow from the top. That would have made it easier to get users to adopt the new technology to secure the INFORMATION.

-Sharat M. Airani, Chief-IT (Systems & Security), Ex-Forbes Marshall tells us about DRM (Digital Rights Management) and his learning during the implementation of a DRM project.

( More:  Join the community of 1400+ Chief Information Security Officers.  Click here ) 
