Security Articles

Classifying vulnerabilities into specific types

Classifying vulnerabilities

If anybody asks you to classify vulnerabilities, the first thing that comes to mind is to mark them as High, Medium, and Low. At least, that is how the majority of security engineers would answer.
Recently, while responding to an RFP, we came across an interesting section that asked for our process to identify new classes of vulnerability. As our vulnerability assessment and penetration testing service combines automated scanning with manual verification techniques, we had to think of ways to address this simple but tactical ask in our response.

Impact of DDoS attacks on Banking Industry

In my recent interactions with various senior-level executives of banks, I realised that one common threat which is bothering the banking industry is distributed denial of service (DDoS) attacks, and banks are struggling to come up with a strategy or solution to check this. It has to be noted that no two DDoS attacks are similar in nature, and they can last from a few minutes or hours to several days. The attackers can be individuals, organized groups or anyone, for that matter.

Example of true L3 level support

Recently, one of our ESRM associates, Thrinath Thunuguntla, showed commendable performance by solving a critical cloud connectivity issue and was nominated as the winner of the TCS On The Spot Award. He has set an example of providing true L3 level support to the customer.
Connectivity issues were reported during the migration of services to the cloud. There was a requirement to enable two-way SSL authentication between REST on PLM and the enterprise-side IBM DataPower. The client was able to enable one-way SSL and requested assistance from the ESRM team to establish the connectivity using two-way SSL. The background of this issue and the complete solution provided are covered in the full article.
Also sharing some appreciation notes he received.

GRC Part 1: Informed Decision Making

Governance, Risk and Compliance (GRC) can be a challenging area for CIOs and CISOs to navigate. With the board of directors and C-suite as key stakeholders, the ability to deliver results through the complex GRC environment is now more critical than ever.
What has your GRC done for you lately?
Let's look at an example of a typical month for the CIO and CISO. Due to the publicity of recent data breaches in the industry, you are scheduled to deliver an Information Security update at the next Audit Committee meeting.
1. The annual IT security risk assessment is complete and the results have been presented. The external risk consultants worked with internal teams to identify risks and weaknesses. You have captured the high points for the Audit Committee presentation.
2. You plan to make sure the enterprise risk register is up-to-date with findings, remembering to check in with the SOX and PCI teams. What is the status of PCI 3.0 readiness?

Access Management - Analysis of some available solutions

The emergence of technologies like cloud, social, mobility, IoT and identity federation has added complex business needs and, from an access management (AM) point of view, the problem of giving users secure, convenient access. With an expanding threat landscape, the need to be always connected and the requirement to govern and manage access, organizations continue to adopt custom-developed, open source or commercial proprietary solutions based on their access management objectives.

Read the complete report on our analysis of some available open source and commercial proprietary access management solutions.

Cloud Security is still scary... you know why?

Traditionally you would know whom to fire when your system is hacked or data is stolen, but can you do the same in the era of cloud technology? Cloud technology is ubiquitous, and despite the various controls being put in place to ensure security, the destination of a secure cloud is still far from reached. Your business is being controlled by technology, processes and people you have no clue about. One of the biggest and simplest fears of the cloud is not being able to see through it or inside it. Some may argue that the cloud not being see-through, that is, being opaque, ensures security, but that is not true. In the current security world, understanding the nuances of the PPT triad (people, process and technology) that manages the information is more necessary than ever, to gain confidence through the transparency they provide while still remaining unbreakable.

Reporting Cyber Risk to the Board

Today, it is accepted that cyber security is not just an IT risk but something which impacts the enterprise as a whole. This is now reflected in the importance accorded to cyber security issues within the enterprise.
Board members are also aware that cyber risk oversight is now an important addition to the long list of their duties. However, in NACD's latest survey of more than 1000 public-company directors, only 13% of respondents said they were very satisfied with the quality of information they receive from management on cyber risk and related IT risks, and less than 2% reported high satisfaction with the amount of information provided by management on those topics.
This leaves a staggering 85% of board members not satisfied with the level of reporting. Clearly, this is an area of improvement which needs to be addressed on priority.

NERC CIP Compliance: North American Electric Reliability Corporation Critical Infrastructure Protection Compliance

For electrical utilities that are keen on maintaining strong cyber security standards across their enterprise and substations, NERC Critical Infrastructure Protection (CIP) compliance means necessary cyber resilience. NERC Reliability Standards define the reliability requirements for planning and operating the North American bulk power system and are developed using a results-based approach that focuses on performance, risk management, and entity capabilities.
NERC's jurisdiction includes users, owners, and operators of the bulk power system, which serves more than 334 million people. NERC Standards CIP-001 through CIP-011 provide a cyber security framework for the identification and protection of critical Cyber Assets to support reliable operation of the bulk electric system (BES). Listed below are the NERC CIP domains and objectives for infrastructure protection. Compliance with each domain will strengthen the security posture.

Information Security and Risk Management

Gone are the days when security was a less important area for organizations. With the immense growth in attack and fraud techniques, organizational security has become a major concern. Nowadays companies spend millions of dollars each year to keep their environments secure. Still, no environment can be 100% secure, as intruders too are trying the latest hacking and attack methods. This is why the information security area is booming and companies are ready to pay huge sums to enterprise security service providers.

How important is ISO 27001 Compliance (ISMS Implementation) to an organization

When we talk about ISO 27001 compliance (ISMS implementation), the general thought everyone gets is that it is the responsibility of the CISO or a CXO of the organization to put things in place. They feel that the security team of an organization needs to own the implementation and is responsible and accountable for getting the organization certified. Though the information security team plays the front-ending role of putting the perspective in place, one needs to understand that ISMS implementation is more of a top-management-driven initiative and a top-down approach. Unless management intends to put security in place through policy, procedures, standards and guidelines, it cannot be advocated across the organization and driven by the information security team to achieve this compliance.
