Security Articles

NERC CIP Compliance: North American Electric Reliability Corporation Critical Infrastructure Protection Compliance

For electrical utilities that are keen on maintaining strong cyber security standards across their enterprise and substations, NERC Critical Infrastructure Protection (CIP) Compliance is a necessary foundation for cyber resilience. NERC Reliability Standards define the reliability requirements for planning and operating the North American bulk power system and are developed using a results-based approach that focuses on performance, risk management, and entity capabilities.
NERC's jurisdiction includes users, owners, and operators of the bulk power system, which serves more than 334 million people. NERC Standards CIP-001 through CIP-011 provide a Cyber Security Framework for the identification and protection of critical Cyber Assets to support reliable operation of the bulk electric system (BES). Listed below are the NERC CIP domains and objectives for infrastructure protection. Compliance with each domain will strengthen the security posture.

Information Security and Risk Management

Gone are the days when security was a less important area for organizations. With the immense growth in attack and fraud techniques, organizational security has become a major concern. Nowadays companies spend millions of dollars each year to keep their environments secure. Still, no environment can be 100% secure, as intruders too are trying the latest hacking and attack methods. This is why the information security area is booming and companies are ready to pay large sums to enterprise security service providers.

How important is ISO 27001 Compliance (ISMS Implementation) to an organization

When we talk about ISO 27001 compliance (ISMS implementation), the general thought everyone has is that it is the responsibility of the CISO or a CXO of the organization to put things in place. They feel that the security team of an organization needs to own the implementation and is responsible and accountable for getting the organization certified. Though the information security team plays the front-ending role of putting the perspective in place, one needs to understand that ISMS implementation is more of a top-management-driven initiative and a top-down approach. Unless management intends to put security in place through policy, procedures, standards and guidelines, it cannot be advocated across the organization and driven by the information security team to achieve this compliance.

Good Software Gone Rogue!!!

I wanted to record something on my personal laptop, and CamStudio, a popular open source screen recording tool released under the GPL license, instantly popped into my mind.
I had used this software many years ago and it was a pretty good screen recorder. Plus, I prefer open source over freeware because in the case of the former you can at least assume that the open source community would monitor and contribute to closing any vulnerability in the software. In the case of freeware you don't know what is inside.
I don't install software without verifying a few things, like its license, whether it has any vulnerabilities, whether it spreads any malware, and whether it is still being developed (end of life)?
The moment I visited the CamStudio website, the first thing I noticed was that the latest version of the installer available was from October 19, 2013. The old version did raise an alarm, because an old version means lots of unpatched vulnerabilities.

Are you generating the right business value out of DLP implementation?

Data is the most valuable asset of any organization. Organizations today are investing millions of dollars to safeguard sensitive and confidential data in order to avoid the costs associated with a data breach.
DLP solutions have been one of the major areas of investment for many organizations seeking to protect sensitive data from unauthorized access or exposure. There are many ways to quantify the business value of a DLP investment. Some organizations may calculate it as the rate of reduction in the frequency of data breach incidents after DLP implementation, while others may calculate it in terms of the cost per data breach, or the loss in brand and shareholder value resulting from non-compliance.
But one also has to understand whether the DLP investment has generated the right business value without impacting overall operational efficiency and business productivity.

Admin Privilege: To give or not to give

"Blessed are those who have privileges", Alice muttered while raising several tickets and requests for change (RFCs). She and her team of 10 members had just started working on a new project and wanted to install several applications, configure them, make some changes in the registry, set environment variables, etc. This meant the mammoth task of obtaining several approvals, and maybe follow-ups with her company's already overburdened IT support team.
To maintain security and comply with regulatory and compliance requirements, her company followed the principle of least privilege (POLP) and provided a locked-down environment to its employees.
Alice knew she could save time and effort if her team could just get administrative privileges. She raised a request to get them.

Data deletion vs Data retention

The world is learning new lessons from the December attacks on Sony Pictures. One of these lessons is the importance of data deletion in information security. The Sony Pictures attack highlights the risks that arise from the lack of such a policy. Bruce Schneier calls this the risk of exposure in his blog.
The malware-based attack not only caused a data breach but also left the company embarrassed by leaked old emails and documents. While effective security controls could have prevented the attacks, a data deletion policy would have saved the company from embarrassment and possible future litigation.
So why are organizations not implementing a data deletion policy?

SECURING CYBERSPACE - A New Cybersecurity Legislative Proposal and Other Cybersecurity Efforts

On 13th Jan 2015 President Barack Obama announced SECURING CYBERSPACE - A New Cybersecurity Legislative Proposal and Other Cybersecurity Efforts. It proposes 3 measures to help strengthen cyber security, as brought out in the succeeding paragraphs.
Enabling Cybersecurity Information Sharing: The first measure Obama is proposing would encourage companies to share cyber threat information with the Department of Homeland Security cybersecurity center, which would swiftly pass it on to other government agencies and to industry groups voluntarily formed to share such material. Companies would get targeted liability protection for doing so, the White House said, as long as they took steps to protect consumers' personal information.

Secure SHA: an Enhanced Hashing Mechanism

In recent times, though most applications urge their users to keep strong passwords through stringent password policies, these strong passwords are effective if and only if they are maintained securely at the back-end. In simpler words, it is of no use having your precious valuables deposited in a bank locker that has no proper security measures to safeguard them for you. Have we ever wondered whether our passwords are stored securely at the back-end? It is not only the end user's responsibility to use strong passwords, but also the application's responsibility to securely safeguard the user's strong passwords.
Though most of us know that the simplest and safest way of securely storing passwords at the back-end is by means of hashing (a one-way crypto operation that transforms the clear-text password into a fixed-length cipher text with the help of standards-based hashing algorithms, say, SHA-1), there are also a few drawbacks associated with this mechanism.

Sandbox aware Malware

As the Internet becomes an important part of everyday life, Internet users face increasing security threats posed by malware. Malware is defined as malicious software or code that, when it enters a computer system, performs actions or changes that are harmful and unwanted by the legitimate user. The harmful activities can include corrupting and deleting the files on the computer, stealing personal and financial information, making computer services slow or unavailable, stealing proprietary or intellectual property information and, at a larger scale, destroying computers and computer networks. Examples of malware include viruses, worms, Trojans, backdoors, rootkits, keyloggers, spyware, ransomware, adware, crimeware, etc.
