Security Articles

Enterprise Vulnerability Management Framework - Part 1

Enterprise Vulnerability Management Framework

The earth has been trembling for a while now, the great Himalayan quake has left the Nepalese dazed and razed. In India we have been rumbling for weeks now, we are all scared of the unknown. None can predict the timing of an earthquake.

My professional service line is equally unpredictable. I work in the area of software security yet I cannot predict a breach. I can map an organization with vulnerable-seismic zones and can quantify the severity of a breach (a la Richter scale) yet I cannot predict the exact timing of a breach.

Just as the great tectonic plates move and collide in an earthquake, vulnerabilities also connive to move in groups and expose an oceanic trench for the prying hacker, waiting with his fishing rod for a prized catch. Vulnerability management, often mistaken for a mere vulnerability assessment, is not adequate to secure organizations.

Commjacking - The latest trending Cyber Threat

In the era of an ever more connected society through WiFi and cellular networks, there is a recent cyber threat making the rounds named "Commjacking". It hijacks the communication between a device and the WiFi or cellular network it is connected to. By hijacking the communication, attackers are able to eavesdrop on conversations, intercept data exchanged to and from the device, and manipulate the data or the device itself.
We usually assume that the wireless signal used by a mobile computing device is a trusted source of Internet access; however, criminals have started to abuse that trust by setting up fake wireless networks using the commjacking technique for nefarious purposes. This is made possible by the easy affordability of interception equipment, available as open source kits for a few dollars. Once a mobile device connects to this "hotspot honeypot", the attacker can start stealing data, including emails and financial transactions.

Insider Threat - A cyber security risk that cannot be outsourced

Today, are Boards concerned about the risk to their business from insiders carrying out cyber-attacks? Boards often ignore the risk posed by the enterprise's own employees. Who are these troublesome employees? Cyber insiders come from any part of the business. A recent study indicates that 36 per cent of the worst security breaches are caused by unintentional human error and 10% by intentional misuse of systems by the organization's own employees. This is not a trivial problem. Insider risk is not a risk that can be outsourced, nor can it be solved by technical solutions alone.

The Cyber Insiders are of three types:

Formats for Low Level Network Data

Low level network data

In the world of security, it is important to understand how various tools exchange information. This knowledge helps in extending the solutions or creating valuable add-ons. This post describes some formats developed to represent data collected by security monitoring systems at the network level. Many of them have not been formally standardized and further analysis is generally required to extract useful (i.e., actionable) information.

Cyber Security Insurance

Data security is every organization's top concern. Organizations invest in securing their business applications, IT systems and underlying networks to avoid data breaches and keep their own and their customers' data private and secure.
Organizations are also investing in insurance cover to protect them from cyber threats. Cyber insurance has been offered by insurance companies for some time now, and is effectively used to mitigate risk by transferring it. However, not many security professionals are aware of this and rarely offer it as a mitigating control to their customers.
Cyber security insurance is designed to mitigate losses from a variety of cyber incidents, including data breaches, business interruption, and network damage.
Cyber security insurance policies offered by leading insurance providers:
First Party Protection

Common mistakes in PCI Implementation

The PCI-DSS compliance standard has been around for more than 10 years now. The standard has evolved over the years and, compared to the first version released, the current version has tried to make the requirements clear for both the merchant and the service provider. Unlike the previous iterations, PCI versions 3.0 and 3.1 have brought in 24 evolving (new) requirements because of the evolution in technology and in the way IT is managed.
There is a clear rise in larger portions of IT being outsourced, and with the evolution of the cloud, organizations may not own any infrastructure at all. Hence it becomes really important that the organization has a clear understanding of, and agreement on, control ownership with all of its service providers who store or process cardholder data.

Classifying vulnerabilities into specific types

Classifying vulnerabilities

If anybody asks you to classify vulnerabilities, the first thing that comes to mind is to mark them as High, Medium, and Low. At least that is what the majority of security engineers would give as an answer.
Recently, while responding to an RFP, we came across an interesting section where it asked for our process to identify new classes of vulnerability. As our vulnerability assessment and penetration testing service is a combination of automated and manual verification techniques, we had to think of ways to bring this simple but tactical ask into our response.

Impact of DDoS attacks on Banking Industry

In my recent interactions with various senior-level executives of banks, I realised that one common threat bothering the banking industry is distributed denial of service (DDoS) attacks, and banks are struggling to come up with a strategy or solution to check this. It has to be noted that no two DDoS attacks are similar in nature, and they can last from a few minutes or hours to several days. The attackers can be individuals, organized groups or anyone for that matter.

Example of true L3 level support

Recently, one of our ESRM associates, Thrinath Thunuguntla, showed commendable performance by solving a critical cloud connectivity issue and was nominated as the winner of the TCS On The Spot Award. He has set an example of providing true L3 level support to the customer.
Connectivity issues were reported during the migration of services to the cloud. There was a requirement to enable two-way SSL authentication between REST on PLM and the enterprise-side IBM DataPower. The client was able to enable one-way SSL and requested assistance from the ESRM team to establish the connectivity using two-way SSL. The background of this issue and the complete solution provided are described in the full article.
Also, sharing some appreciation notes which he received.

GRC Part 1: Informed Decision Making

Governance, Risk and Compliance can be a challenging area for CIOs and CISOs to navigate. With the board of directors and C-suite as key stakeholders, the ability to deliver results through the complex GRC environment is now more critical than ever.
What has your GRC done for you lately?
Let's look at an example of a typical month for the CIO and CISO. Due to the publicity surrounding recent data breaches in the industry, you are scheduled to deliver an Information Security update at the next Audit Committee meeting.
1. The annual IT security risk assessment is complete and the results have been presented. The external risk consultants worked with internal teams to identify risks and weaknesses. You have captured the high points for the Audit Committee presentation.
2. You plan to make sure the enterprise risk register is up-to-date with findings, remembering to check in with the SOX and PCI teams. What is the status of PCI 3.0 readiness?