With the number of people in India going online increasing every year, the risk of cybercrime hangs over them. The rise of smaller organizations with little or no protection for their data also accounts for the bulk of security breach cases.
In the first six months of 2017, India saw one incident of cybercrime every 10 minutes. These range from ransomware attacks to minor phishing rackets. The Indian Computer Emergency Response Team reported 27,482 cases between January and June.
Phishing, scanning, probing, viruses, defacements, site intrusions and denial-of-service were the most reported incidents. Ransomware attacks are gaining pace in India.
1.71 lakh (171,000) crimes have been reported in the last 3.5 years.
The RBI has also issued warnings about bitcoins, the preferred mode of payment for attackers.
Here is a list of the most remembered security breaches in India last year:
- Mirai botnet malware: A botnet malware named Mirai took over the Internet, targeting home router users and other IoT-based devices. The malware affected 2.5 million IoT devices; it’s not clear how many systems were affected in India. CERT-In had also issued an advisory regarding the attack back in October 2016.
- WannaCry: The ransomware WannaCry swept the world in May. CERT-In immediately put out an advisory notice. A few instances of the ransomware were reported to have hit banks in India, as well as some businesses in Tamil Nadu and Gujarat, during the first wave of the attack. RailWire users were also among the most affected by the ransomware.
- Petya: India was also on the top 10 list of countries to be hit by Petya ransomware attacks, with the country faring worst among the Asia Pacific (APAC) countries, cyber security firm Symantec said in a blog post last month. Globally, India took the 7th spot, with fewer than 20 organisations affected as per Symantec’s analysis.
- Data breaches: Zomato said in May that it was affected by a data breach which led to the details of 7.7 million users being stolen. The leaked information was listed for sale on a Darknet market. The company was, however, able to contact the hacker and take down the data. Reliance Jio was also affected by a data breach this month; a website called magicapk.com went up last month, allowing anyone to search for the personal details of Jio customers. This too was taken down after the site went viral.
The biggest story of 2016 is undoubtedly the alarming rise of cyber crime. A look at global IT industries explains that we’re facing a lack of efficient professionals. According to the Cyber Security Ventures ‘Cyber Security Jobs Report’, there were 1 million cyber security job openings in 2016. The number is expected to grow to 1.5 million by 2019.
Against the backdrop, the scenario of India’s cyber security industry is no exception. A quick glance at one of the most notable security breaches in the country shows:
1) Cyber criminals breached the country’s largest government site – the Indian Railways Catering and Tourism Corporation (IRCTC) website, stealing around 10 million records from the server of the e-ticketing portal.
2) A cyber criminal by the name ‘Faisal’ allegedly breached the website of Canara Bank, defacing it by inserting a malicious page and blocking some of its payment services.
3) Fraudsters broke into the email account of Binny Bansal, CEO of Flipkart, sending two emails to the Chief Financial Officer (CFO) demanding a sum of $80,000.
A further look at similar incidents shows that the majority of these attacks happened in the e-commerce and banking sectors. The reason for this is found to be the high value of personally identifiable information (PII) in these industries.
According to ‘M-Trends 2016, Asia-Pacific Edition’ by Mandiant Consulting, Indian organizations are more susceptible to data breaches. Poor investment in high-end security solutions is to blame, as experts say. This should serve as a caution to smaller and larger organizations alike.
In the wake of this, the Indian government has started to invest money in recruiting cyber security experts. Partnerships with top international security firms have also been registered. The recent Memorandum of Understanding (MoU) between the national cyber security agencies of India and the U.K. is a step in the direction. The exchange of technical information on cyber attacks, security incidents and solutions will benefit both countries in fighting cyber crime together.
If you’re a small business organization, there is absolutely no reason for you to neglect cyber security. Not spending on security or relying on outdated software to protect your data – both are equally bad ideas.
Here are a few measures you should undertake to prevent damage to your business's reputation:
Backups: Cyber attackers and hackers never miss an opportunity to take your data “hostage” and demand a ransom before releasing it. Hence, small organizations must practise backing up data in the cloud or a hybrid data centre.
Update IT systems: As malicious attacks wreak ever more havoc in the cyber-verse, it is essential for organizations to protect their business data at all costs. A top-to-bottom evaluation with an emphasis on vulnerabilities is important. Key assets like information about property, confidential personal data, etc. must be guarded.
Cyber security education: In any data-security effort, any individual can, intentionally or not, become a “weak link”. More often, an employee nursing a grudge against the organization may compromise security. To avoid such incidents, smaller organizations can always undertake a rigorous cyber security education program.
Proper planning: Included in the data-security education program should be procedures teaching employees how to react in the event of unauthorized intrusions, for example phishing or malware attempts. A detailed incident response plan that redirects to helpdesks or IT teams can have a significant impact.
Mobile device security: A lot of times employees in small organizations use their mobile devices for work and work-related communication. The thought of data passage through unsecured channels is nightmarish enough for organizations to establish policies like – (i) Categorizing and restricting the types of information that can be shared or accessed through these devices, (ii) Enforcing network access control wherein employees can access your business’s VPN and email in a reliable manner, (iii) Determining whether mobile devices provided by the business can be taken off-site.
As our monies, ideas and emotions flow through the digital infrastructure, our money (money is the top trending item in India nowadays: black, white, banked, un-banked, cash, digital and so on) is essentially data. Britons found out an equation no less profound than E = mc², that time is money. Today, time is not only money; data is money too.
Money is needed by all as a medium of exchange because, unlike a tree, we cannot stand in one place and do all our biological activities, including reproduction. It was once sea-shells, then diced metal, then printed paper and now a pattern of bits.
Money has no intrinsic value but our collective belief and trust in it. Civilization’s march has seen changes in the intrinsic aspect of money, but the faith that money is backed by collective faith has remained unchanged.
Photo Legend : Infoconglobal Chairman Mr. Sushobhan Mukherjee felicitating the musicians of Surma Dohar
The rich and poor alike need money. The rich fear that their money may be stolen, confiscated or de-monetized, or that they may not be able to possess (legally or illegally) the money in the future. The poor fear the same, with the added irritation that the rich have more money than they have. This tension appears to be eternal, as Nature Herself seems to be aiding it.
Since money is changing its material carrier from metal and paper to bits and codes in binary, the question rich and poor both ask is: how secure is my money in its storage and in its flow?
In Wild West movies, we used to see outlaws ambushing a train carrying currency or gold. The “outlaws” were heroes in the sense that they absorbed the rich-poor tension and had a Robin Hood aura. Since the rich are always fewer in number than the poor, democracy must channel this real, deep-rooted, intense and ever-present feeling to its own advantage, i.e. to have the greatest number of faithfuls. We are finding Wild West types of heroes emerging in our times, when money’s storage and flow are both in the form of codes and information strings.
This new species is called hackers. One speaker at Infocon related that a brilliant young man in Bangalore, when interviewed, said he was interested in becoming a hacker, working for a few years and retiring with millions. He is not wrong in his judgement. If a train carrying a billion dollars’ worth of money moves through dangerous terrain and a mercenary says that for a 10% commission he guarantees its safety, the business makes perfect sense and the “owner” of the train will happily oblige.
If a poor man now finds that he needs to travel in the same route and if he pays a small “protection money” for the store and the flow, he will also oblige.
The power now lies not in muscle and feat of arms but in the domain of mathematics, statistics, programming, cryptography. One cannot point a gun to a cryptogram and ask it to tell its secret.
History has proved again and again that super-excellence in such skills cannot be trained or ordered from amazon.com. These kinds of skills appear in extremely unlikely places. Hence a very rich man’s store and flow of money is threatened by the inner workings within the head of a young man in some classroom in an unknown and obscure school.
The poor must protect themselves by being careful and aware. They must educate themselves. For the rich, the same prescription will not be enough. They are too visible and they will be attacked institutionally. They must think of the future. They must contain, and remain a benefactor to, those “unknown enemies”. In plainer English, they must see the social contract in a different manner.
Infocon 2016 Team
Infocon 2016 has been a very successful event with great learnings. Here is the photo essay of the event.
Winter in Kolkata has different flairs: charming weather, sweets prepared from “Nolen Gur”, the circus, picnics, hopping between Zoo, Museum, Science City and Nicco Park, and different fairs, exhibitions and summits. With the emerging problem of global warming, Kolkata is not far behind in experiencing a diminishing winter along with other fading glories.
The charms of life, the spirit of soulmates and the passion of the humanities still stand ahead of any of the advanced cities across the globe.
This November 18, 2016, Kolkata proved it once again. The winter in Kolkata adds a new feather in her cap through a mega Infosec Summit called “Infocon Kolkata 2016” at CII-Suresh Neotia Centre of Excellence, Saltlake.
Infocon Global is essentially an idea which has manifested itself through deliberations, practice, my running day to day business operation as CEO of Prime Infoserv LLP and interactions with clients, competition, colleagues and peers.
The more we converge towards an increasingly connected world, the more information floods between anything and everything, and information security naturally becomes a point of concern. People start panicking and common sense takes a back seat. But there is a solution to every problem, and countermeasures to defend, protect and launch offensive attacks do exist as well. The mechanisms, processes and knowledge, however, sit in silos and in effect are not meaningfully available as a whole. Different, piecemeal, ad hoc and fragmented measures are projected as solutions, leaving people more anxious and confused, and decision making ends in dilemma.
“Infocon Global” is being envisioned as a platform to address the burning concerns in the community. The idea is to engage different stake holders including partners, customers, manufacturers, policy makers, academicians, regulators, end-users to cross pollinate and create unbiased and true wisdom through awareness and sharing of best practices. Infocon2016 today is a continuation of this search for collaborative wisdom. Prior to that, two similar events were organized on this theme by us – one in Bangladesh and the other in the United Kingdom, again in a collaborative model.
“Infocon Kolkata 2016” is more like a milestone in a relay race because the issue is truly global and will affect not only us but our next generation. In an information intensive society, all the components of the society will be impacted by any cyber-attack or security breach. In order to have as much harmony and totality, we have brought experts and organizations related to Technology, Process and People Consulting, Law Enforcement, Financial institution, Policy Making, Data Handling, Cyber Law, Policing and so on. What is interesting to observe is that all these diverse fields of society find mutual overlap just like Internet is going to overlap all the areas of our lives and we call this Internet of things.
The event was inaugurated by the Chief Guest, Shri H K Kusumakar, Additional CP IV, Kolkata Police, along with Swami Vedatitananda, Ramakrishna Mission Shilpamandira, Belur Math; Mr. Nirupam Chaudhari, Regional Head, Nasscom; Mr. Manjit Nayek, Additional Director, STPI Kolkata Centre; and Mr. Hemant Chhabria, Member of COMPASS, Founder of justvideos.
The first session after inauguration was by Mr Sukhminder Singh Sidana, National Manager- Government & Public Sector Business, Sonicwall on “How to Protect Your Organization from Ransomware”, a burning topic in today’s world.
The number of successful cyber-attacks continues to increase, threatening financial and personal security worldwide, and cyber forensics is undergoing a paradigm shift. Mr. Jayanta Parial, Principal Engineer, CDAC, conducted the next session on “Cyber Forensic Needs and Current Scenarios”.
Next session was covered by Mr. Joydeep Bhattacharya, Chief Operating Officer at TCG Digital Solutions Private Limited. The audience was stunned with the relevance and depth of the topic “Creating Real World Simulation for Training and Network Resiliency”.
Further deliberation on Data Centre Security took place through a panel discussion. The panel was led by Mr. Shyamal Bhattacharya, CEO of Technoplace Consultants. The eminent panellists were Mr. Siddhartha Chakraborty, Officer-in-Charge, Cyber Police Station, Kolkata Police; Mr. Suketu Vichhivora, Vice President, Sales and Solution, Nxtra Data; Mr. Saibal Sarkar, NIC; and Mr. Vivek Gupta, DGM and CISO at Allahabad Bank.
The last session before the lunch was from Mr Kanchan Mallick, Regional Manager at Trend Micro for Eastern India, Bangladesh, Bhutan & Nepal. His insights on targeted attacks were major takeaways for the audience.
The lunch was designed with an authentic Bengali touch of the winter season. Peas kochuri, chana dal, diamond fish fry, cauliflower roast, dhoka curry, dahi fish, mutton, chatni, gulab jamun, ras malai and ice-cream were all bundled with a personal touch and traditional Bengali aroma and taste.
Post lunch, the summit witnessed the launch of our journal and mouthpiece on information security, named Infoquest. Infoquest is a journal with a broad-spectrum treatment of the theme of information security with interdisciplinary stakeholders. Infoquest captures in the lens of words the kaleidoscopic perspective on the theme, with contributions from a wide group of authors in India and abroad. Infoquest was formally launched by Sri Syed Waquar Raza, IPS, SS(Spl), CID, West Bengal, along with Editor-in-Chief Mr. Pritam Bhattacharya, Mr. Kamal Agarwal, Chairman, Eastern Regional Product Council, Nasscom, and me as chairman of Infocon Global. We were overwhelmed by the contributions we received when we launched our Call for Papers. Infoquest is planned to be a quarterly journal and we hope it shall continue to receive your patronage and co-operation.
Our next session was a workshop on “Real Time Information Security Issues Handling as per Best Practices Worldwide”. It was conducted by Mr. Pritam Bhattacharyya, Founder and Chief Wordsmith, Wordsmith Communication, and Mr. Kaushik Bhattacharyya, Business Strategy Consultant. The workshop was designed to derive solutions to real-life problems from audience inputs, validated by the expert panel. This was a clear differentiator from other conferences, engaging the audience far more directly.
Mr. Koushik Nath, VP Systems Engineering India & SAARC, Cisco Systems, conducted the next session on “Advanced Security Threat Analysis”. He was instrumental with his audio-visual presentations and unmatched style in hypnotizing the audience.
The next session covered the ground reality of cyber crime, presented by the people who handle it in their professional lives every day: the CID Cyber Crime Technical Expert Team.
The session that followed was orchestrated by Mr. Ravindra NR, Sr. General Manager, IT & ITES, BSI. The topic “Cloud Security” was relatively new for the audience, but was truly an eye opener on present emerging trends.
Next was a panel discussion on the topic Latest Cyber Security Threats and Mitigation Strategies. The panel was moderated by Mr. Arun Agarwal, Chairman and Managing Director, Ebizindia Consulting, with eminent panellists Mr. Sandeep Sengupta, MD, ISOAH; Mr. Rajarshi Banerjee, Technical Lead, Cyber Crime, CID; Mr. Angsuman Pal, STF, Kolkata Police; and Karmakar, Mozilla Reps and Mentor. The session revealed key takeaways for today’s always-connected generation.
The final session of the day was on Large Enterprise Strategy of Information Security Handling, presented by Mr. Abhijit Chatterjee, CIO, Karam Chand Thapar Group. It was like hearing from the horse’s mouth, to understand the real strategies taken in real-life situations.
Further we had moved from Information Security to some soul-warming music through the musical performance by a Bengali folk band – Surma Dohar, led by Joyshankar.
In between the music, we recognized significant contributions in different spheres: the best three articles in our journal, ICT promotion, cyber law, cyber crime, IT strategy and consulting, data science and analytics, video as new media, cloud communication, business intelligence architecture and Bengali folk music. We further acknowledged the contribution of our core team and volunteers. Without them such a mega summit could not have been seamlessly organized.
The information security industry really has no frontiers. The current and emerging problems not only need global collaboration but will also need a huge workforce with a certain identifiable skill set. In its objective of building awareness, disseminating ideas and training the younger generation, Infoconglobal has already become a pioneer of a global theme from Bengal.
Infocon Kolkata 2016 is just a beginning. We hope to see all of you once again on 24th November 2017 at Kolkata where we shall walk again with Kolkata and you.
How much information security is enough security?
Infocon is an initiative by Prime Infoserv, Kolkata, and Wordsmith has been a collaborator in the initiative. Any contemporary CXO who is not concerned with the theme and confusion called Information Security is either non-existent or will soon face a bankruptcy judge.
Billions are lost by private and public institutions worldwide through loopholes in securing information. Information is literally money. If you are a financial institution and if your customer database is compromised, then the fall-out can be seriously embarrassing to catastrophic.
The Problem of Mr. K, a CIO of the castle called Kolkata
Mr. K is the CIO of a large healthcare company in Kolkata. 60% of his life was spent without the internet, and now that his career is at its mature peak, he finds that he needs to reckon with information security. His CEO has instructed him to “do something”. What should he do?
In the case of an enterprise, any “doing” needs management time, money and attention (follow-up). More importantly, no vendor appears able to answer the questions: “How much information security is good security?” and “How much should I spend, assuming the solutions are correct?”
Mr. K found, to his great confusion, that he is not able to get these “figures”.
On an autumn morning in Kolkata, post-Durga Puja last year, Sushobhan, CEO of Prime, and I met Mr. K in his East Calcutta office, overlooking the wetlands of Calcutta that appear to merge with the Sunderbans. Mr. K narrated his predicament, especially the most important one: “How much money and resource should I ask my top management to approve?” for implementing the solution selected. The problem with the solution was its very nature: the solution is directly connected to the threat, whether real, perceived, imagined or enmeshed in the business interest of the information security vendor.
The Mathematical Model
In other words, we need an analytic framework backed up by a cold, austere and objective mathematical perspective, rather than paranoia, vendor interest, disaster porn, technical jargon, and hardware and software vendors with their exotic offerings lined up like the priests of some esoteric cult.
There is a mathematical model called the Gordon-Loeb model that does exactly that. It uses mathematical tools such as probability, confidence intervals and distributions to produce a mathematically verifiable statement.
After the coffee, Sushobhan and I told Mr. K that he should spend no more than 37% of the amount X, where X is calculated by
X = Cost * Maximum probable vulnerability * Impact Constant * Quantified Risk
Mr. K was delighted. He is now at least dealing with arithmetic, not anxiety-metric.
In due course, we did find X for his organization by using a four-step method which is basically a combination of police work and detective work. In the first step, we did a vulnerability analysis and logged all known risks; in the second step, we assigned a metric to each of those risks in consultation with the company; in the third step, we calculated the probabilities of such events; and in the final step, we tabulated the impact and then estimated X.
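The four-step method above, worked through in Python on a constructed risk register. This is an added example, not code from the original post or from Prime Infoserv: the `Risk` class, the register entries and every figure in it are my own assumptions for a hypothetical healthcare company. The exposure of each risk is computed with the formula quoted above (Cost × Maximum probable vulnerability × Impact constant × Quantified risk), the register is summed to give X, and the 37% figure quoted above is applied as the ceiling on spending.

```python
from dataclasses import dataclass

# The text quotes a 37% ceiling; the Gordon-Loeb derivation gives 1/e (about 36.8%).
SPEND_CAP = 0.37


@dataclass
class Risk:
    """One row of the risk register built in steps 1-3 (all fields assumed)."""
    name: str
    cost: float              # loss if the event is realised, in currency units
    vulnerability: float     # maximum probable vulnerability, 0..1 (step 1)
    impact_constant: float   # impact multiplier agreed with the company (step 2)
    quantified_risk: float   # probability of the event in the planning period (step 3)

    def exposure(self) -> float:
        # The formula stated in the text:
        # X = Cost * Maximum probable vulnerability * Impact constant * Quantified risk
        return self.cost * self.vulnerability * self.impact_constant * self.quantified_risk


# Constructed register for a hypothetical healthcare company; not real figures.
SAMPLE_REGISTER = [
    Risk("Patient records database breach", 5_000_000, 0.6, 1.5, 0.20),
    Risk("Ransomware on file servers",        800_000, 0.8, 1.2, 0.35),
    Risk("Phishing of finance staff",         100_000, 0.9, 1.0, 0.50),
    Risk("Theft of an unencrypted laptop",     50_000, 0.5, 2.0, 0.10),
]


def total_exposure(register):
    """Step 4: tabulate the impact of every risk and sum it to get X."""
    return sum(r.exposure() for r in register)


def spending_cap(register, cap=SPEND_CAP):
    """Upper bound on the security budget: cap * X."""
    return cap * total_exposure(register)


def within_cap(proposed_budget, register, cap=SPEND_CAP):
    """True if a proposed budget does not exceed the cap."""
    return proposed_budget <= spending_cap(register, cap)


def rank_by_exposure(register):
    """Risks ordered by exposure, so the largest contributors to X are visible."""
    return sorted(register, key=lambda r: r.exposure(), reverse=True)


def budget_report(register, proposed_budget, cap=SPEND_CAP):
    """Summary a CIO can take to management: X, the cap, and the top contributors."""
    x = total_exposure(register)
    return {
        "X": x,
        "cap": cap * x,
        "proposed": proposed_budget,
        "within_cap": proposed_budget <= cap * x,
        "top_risks": [r.name for r in rank_by_exposure(register)[:3]],
    }


if __name__ == "__main__":
    report = budget_report(SAMPLE_REGISTER, proposed_budget=400_000)
    for key, value in report.items():
        print(f"{key}: {value}")
```

With the constructed register, X comes to 1,218,800 and the cap to 450,956, so a proposed budget of 400,000 sits inside the ceiling while 500,000 would not. The ranking is worth keeping next to the cap: it shows management which register rows drive the number, which is where the steps 1-3 metrics should be challenged before money is committed.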
Since then, we have been working in this area with clients in India, Bangladesh and the UK, and everywhere we found one common aspect: lack of awareness. That is how the idea of Infocon was born.
Infocon 2016 is happening on 18th November: a platform for sharing our confusion, triumphs, fears and best practices, and for combining our torches in the same direction to create a path through the literal jungle of information, which has not only exotic fruits, flowers and scenes but ferocious enemies too.
There are four fundamental types of risk, in the order of our vulnerability:
I. Known Known: We know what the risks are and how we are placed relative to them. (For example, exposure to cold air in early November in Kolkata, when the seasons change. We thought this was also the best time, from another angle, to hold the Infocon conference on information security, because this is also when the first winter sweets of Kolkata arrive.)
II. Known Unknown: We know that we do not fully know the risks. (Downloading free software from an arbitrary website.)
III. Known Unknown ++: We know that we do not know anything at all about the risk involved. (Providing sensitive banking information over the phone to a caller who says he is a bank employee.)
IV. Unknown Unknown: The most dangerous risk. We do not know that we do not know. This is the risk zone that causes the greatest harm and damage. It is in this area that all kinds of risks germinate, mutate and manifest. We just see the consequences, and then comes a reaction.
The last class of risk, in relation to information security, cannot be mitigated by any hardware box or AI+ software, because by definition we do not know that it exists.
Only awareness and reporting in a trusted ecosystem can fish out the “unknown unknown beast” as soon as it manifests, so that the damage is minimal.
There is no 100% and permanent information security. There is no permanent bandobost or Permanent Settlement, such as the British Governor General Cornwallis introduced in Kolkata/Bengal in the eighteenth century for the harvested land of Bengal.
The settlement proved neither a settlement, nor permanent.
Information harvesting needs another model of security.
Civilization has always been interested in protection, whether in primitive ages or the sophisticated present. Whether it is human life, property or business, our thoughts revolve around safeguarding it.
With the advancement of technology, we are getting more engaged with the internet, and in effect data security is becoming more critical worldwide. Information security is a well-known consideration globally. We are regularly facing attacks, frauds, security breaches, confidentiality issues, information misuse, piracy, sniffing and leakage of data across every domain.
During my last visit to Bangladesh (14th to 18th March, 2016), the Bangladesh Bank fraud came to my notice. Bangladesh got into the news for all the wrong reasons. The situation forced the banks to take corrective action in line with cyber security. We thought of spreading awareness of the domain in Bangladesh through our initiative “Infocon”.
In the wake of the Bangladesh Bank attack, mandates came to all banks to cover information security and cyber security risks/threats in order to secure public money and confidential/critical information.
Cyber security governance and risk assessment are to be enforced across the employees of the organization. There should be preparation for the assessment of technological difficulties and for emergency management procedures. This may be achieved through third-party assessment and security skill development for all employees.
Information security should be continuously monitored through operation centres on a 24×7 basis.
PCI-DSS compliance is to be adopted with two-factor authentication systems for chip-and-PIN based cards. Logs should be collected, retained and correlated for all critical assets in order to allow proactive measures.
Besides these, there are needs for the ISO 27001:2013, ISO 20000:2011 and ISO 9001:2015 standards, and for a risk assessment framework based on the industry de facto standard NIST controls and FISMA law/compliance or the COBIT framework.
People are looking at protecting against malware, ransomware, APTs etc.
In effect, various providers and OEMs positioned their products/solutions to potential clients in the financial sector. But different products/solutions in the same domain created a lot of confusion and dilemma in the customer’s mind before reaching a conclusion. Before the “Infocon Bangladesh 2016” event is narrated, I will try to explain some of the burning topics in security which are critical not only for Bangladesh, but across the globe.
Nowadays threats are multifold. Every day we are discovering new lines of threats. Ransomware is one of the latest in the bucket, and is turning out to be one of the most virulent and potentially heart-breaking malware infections to fall victim to. If you are unfortunate enough to accidentally download this type of malicious code, whether through phishing attacks, illegitimate downloads or compromised websites, the malware locks your screen, encrypts your files and attempts to extort a fee before giving you the cryptographic key required to get your files back. There are many strains of ransomware, including CryptoWall, CryptoLocker, CoinVault and Bitcryptor. This malware is nasty enough; however, the prediction is that new generations will increase in sophistication, including stealth tactics, the silent encryption of data on both systems and backups, and potentially the use of kernel components to encrypt files on the fly.
An advanced persistent threat (APT) is a network attack in which an unauthorized person gains access to a network and stays there undetected for a long period of time. The intention of an APT attack is to steal data rather than to cause damage to the network or organization. APT attacks target organizations in sectors with high-value information, such as national defence, manufacturing and the financial industry. An APT attacker often uses spear phishing, a type of social engineering, to gain access to the network through legitimate means. Once access has been achieved, the attacker establishes a back door.
The next step is to gather valid user credentials (especially administrative ones) and move laterally across the network, installing more back doors. The back doors allow the attacker to install bogus utilities and create a “ghost infrastructure” for distributing malware that remains hidden in plain sight.
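The lateral-movement stage just described is where collected and correlated logs give defenders a foothold: an account that suddenly logs on to many distinct hosts in a short window stands out against its normal pattern. As an added example, not code from the original article, here is a small Python detector that runs over constructed authentication log lines and flags exactly that. The log format, the host and account names, the 10-minute window and the three-host threshold are all assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (constructed for this example; adapt the regex to your source):
#   <ISO timestamp> host=<hostname> user=<account> event=<logon_success|logon_failed> src=<ip>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) event=(?P<event>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: normal workstation use by alice and bob, plus a service
# account fanning out across four servers within a few minutes at night.
SAMPLE_LOG = """
2016-11-18T02:11:05 host=fs-01 user=svc-backup event=logon_success src=10.0.5.20
2016-11-18T02:12:40 host=db-02 user=svc-backup event=logon_success src=10.0.5.20
2016-11-18T02:12:58 host=hr-03 user=svc-backup event=logon_failed src=10.0.5.20
2016-11-18T02:13:02 host=hr-03 user=svc-backup event=logon_success src=10.0.5.20
2016-11-18T02:14:55 host=ws-44 user=svc-backup event=logon_success src=10.0.5.20
2016-11-18T09:00:12 host=ws-12 user=alice event=logon_success src=10.0.1.5
2016-11-18T09:30:44 host=ws-12 user=alice event=logon_success src=10.0.1.5
2016-11-18T10:00:01 host=ws-07 user=bob event=logon_success src=10.0.1.9
2016-11-18T10:05:30 host=ws-08 user=bob event=logon_success src=10.0.1.9
this line is malformed and must be skipped
""".strip().splitlines()


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def lateral_movement_alerts(lines, window=timedelta(minutes=10), min_hosts=3):
    """Flag accounts that log on to at least min_hosts distinct hosts within window.

    Only successful logons count; failures are noise for this rule. For each
    account, a sliding window over its time-ordered logons finds the largest
    set of distinct hosts reached inside the window, and one alert is raised
    per account that crosses the threshold.
    """
    events = [r for r in map(parse_line, lines) if r and r["event"] == "logon_success"]
    events.sort(key=lambda r: r["ts"])
    by_user = defaultdict(list)
    for r in events:
        by_user[r["user"]].append(r)

    alerts = []
    for user, evs in by_user.items():
        best = None
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            hosts = {r["host"] for r in evs[start:end + 1]}
            if len(hosts) >= min_hosts and (best is None or len(hosts) > len(best["hosts"])):
                best = {
                    "user": user,
                    "first_seen": evs[start]["ts"],
                    "last_seen": evs[end]["ts"],
                    "hosts": sorted(hosts),
                }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in lateral_movement_alerts(SAMPLE_LOG):
        print(f"{alert['user']}: {len(alert['hosts'])} hosts between "
              f"{alert['first_seen']:%H:%M:%S} and {alert['last_seen']:%H:%M:%S}: "
              f"{', '.join(alert['hosts'])}")
```

On the sample, only svc-backup trips the rule (four hosts in under four minutes); alice and bob stay below the threshold. In practice the threshold and window are tuned per account class, since backup and administration accounts legitimately touch more hosts than a workstation user, and the alert should carry the source address so the responder can pivot to the originating machine.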
PCI-DSS stands for Payment Card Industry Data Security Standard
PCI DSS and related security standards are administered by the PCI Security Standards Council, which was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. Participating organizations include merchants, payment card issuing banks, processors, developers and other vendors.
There are three ongoing steps for adhering to the PCI DSS:
- Assess — identifying cardholder data, taking an inventory of your IT assets and business processes for payment card processing, and analyzing them for vulnerabilities that could expose cardholder data.
- Remediate — fixing vulnerabilities and not storing cardholder data unless you need it.
- Report — compiling and submitting required remediation validation records (if applicable), and submitting compliance reports to the acquiring bank and card brands you do business with.
PCI Data Security Standard – High Level Overview
| Control objective | PCI DSS requirement |
|---|---|
| Build and Maintain a Secure Network and Systems | Install and maintain a firewall configuration to protect cardholder data |
| | Do not use vendor-supplied defaults for system passwords and other security parameters |
| Protect Cardholder Data | Protect stored cardholder data |
| | Encrypt transmission of cardholder data across open, public networks |
| Maintain a Vulnerability Management Program (VAPT) | Protect all systems against malware and regularly update anti-virus software or programs |
| | Develop and maintain secure systems and applications |
| Implement Strong Access Control Measures | Restrict access to cardholder data by business need to know |
| | Identify and authenticate access to system components |
| | Restrict physical access to cardholder data |
| Regularly Monitor and Test Networks | Track and monitor all access to network resources and cardholder data |
| | Regularly test security systems and processes |
| Maintain an Information Security Policy | Maintain a policy that addresses information security for all personnel |
Sometimes, in order to comply with PCI-DSS, some components are essential to implement as part of remediation:
- Web Application Firewall (WAF),
- Web Content Filtering,
- Endpoint Security,
- HIPS (Host Based Intrusion Prevention),
- Security Information and Event Management (SIEM),
- Vulnerability Assessment and Penetration Testing Tools (VAPT),
- Data Leakage Protection (DLP),
- File Integrity Monitoring,
- End point Encryption,
- Privilege User monitoring,
- Identity Management (IDM) etc.
ISMS stands for Information Security Management System, and the latest standard is ISO 27001:2013. It is essential to protect company data, not only to protect the future of your systems, but also to protect customer information that has been entrusted to you. This requires a holistic approach covering price, IT security, physical security and staff policy & procedures. ISO 27001 is the formal standard against which organizations seek independent certification of their Information Security Management Systems.
ISO 27001 helps to protect against:
- Customer Information leakage
- Virus & hacker attacks
- Incompatible software conflicts
- Failure to back up systems
- Loss or theft of unencrypted backups
- Internal security breaches
- Loss of information resulting from staff turnover
- System downtime
Ideal ISMS coverage should include:
- ISMS Scope Definitions
- ISO 27001 gap analysis assessments
- Performing an assessment of your existing ISMS
- Information Security Policy and Procedure Development
- Information Security Risk Assessments
- ISMS Manual Development
- ISO 27001 ISMS Implementation Support
- Security Improvement Plans
- Incident Management Plans
- ISMS & Internal Audits
- Management Reviews
- Pre-certification Audits and support
- Post Certification Audits Corrective Action Support
- ISMS training for management and employees
- Integration of ISMS with COBIT, COSO, ITIL/ISO 20000, etc.
Vulnerability assessments and penetration tests (pen tests for short) are processes for identifying threats and vulnerabilities in the IT landscape. Both rely on specialised tools, both benefit any information security programme, and both are integral components of a risk management process.
A vulnerability assessment is the process of identifying and quantifying security vulnerabilities in an environment. It is an in-depth evaluation of your information security posture that points out weaknesses and provides the mitigation procedures required to either eliminate those weaknesses or reduce them to an acceptable level of risk.
Vulnerability assessments follow these general steps:
- Catalog assets and resources in a system
- Assign quantifiable value and importance to the resources
- Identify the security vulnerabilities or potential threats to each resource
- Mitigate or eliminate the most serious vulnerabilities for the most valuable resources
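The four steps above amount to a ranking problem: findings must be weighed by both technical severity and the value of the asset they sit on, so that the most serious weaknesses on the most valuable resources are fixed first. The Python below is an added example for this page (not code from the original article or from Prime Infoserv) that carries all four steps through on a constructed inventory. The asset names, finding identifiers, scores, the weighting factors in `risk_score()` and the `ACCEPTABLE_RISK` threshold are all illustrative assumptions, not values from any standard.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """Step 1 and 2: a catalogued resource with an assigned business value."""
    name: str
    value: int        # business criticality, 1 (low) .. 5 (critical); assumed scale
    exposure: str     # "internet" or "internal"


@dataclass(frozen=True)
class Finding:
    """Step 3: a vulnerability identified on a specific asset."""
    asset: str
    finding_id: str   # constructed label, not a real CVE
    cvss: float       # CVSS base score 0.0 .. 10.0
    exploit_public: bool


ACCEPTABLE_RISK = 20.0   # assumed threshold: below this, track but do not escalate


def risk_score(asset: Asset, f: Finding) -> float:
    """Combine technical severity with asset value and exposure.
    The multipliers are illustrative weights chosen for this example."""
    score = f.cvss * asset.value
    if asset.exposure == "internet":
        score *= 1.5           # reachable by anyone, so more likely to be hit
    if f.exploit_public:
        score *= 1.25          # a working exploit exists, so the window is short
    return round(score, 1)


def prioritize(assets, findings):
    """Step 4: order findings highest risk first and assign a disposition,
    'remediate' at or above the threshold and 'accept' below it."""
    by_name = {a.name: a for a in assets}
    rows = []
    for f in findings:
        a = by_name.get(f.asset)
        if a is None:
            # a finding on an uncatalogued asset means step 1 was incomplete
            raise KeyError(f"finding {f.finding_id} references unknown asset {f.asset!r}")
        s = risk_score(a, f)
        rows.append({
            "asset": a.name,
            "finding": f.finding_id,
            "score": s,
            "disposition": "remediate" if s >= ACCEPTABLE_RISK else "accept",
        })
    rows.sort(key=lambda r: (-r["score"], r["asset"], r["finding"]))
    return rows


def demo():
    """Constructed inventory: a high CVSS on a low-value internal wiki should
    rank below a medium CVSS on the internet-facing payment gateway."""
    assets = [
        Asset("payment-gw", 5, "internet"),
        Asset("intranet-wiki", 2, "internal"),
        Asset("hr-db", 4, "internal"),
    ]
    findings = [
        Finding("intranet-wiki", "F1", 9.8, True),
        Finding("payment-gw", "F2", 6.4, False),
        Finding("hr-db", "F3", 7.5, True),
        Finding("intranet-wiki", "F4", 3.1, False),
    ]
    return prioritize(assets, findings)


if __name__ == "__main__":
    for row in demo():
        print(f"{row['score']:6.1f}  {row['disposition']:9s}  {row['asset']:14s} {row['finding']}")
```

The point the ranking makes is that a raw scanner export sorted by CVSS would put the wiki's 9.8 at the top; once asset value and exposure are applied, the payment gateway's 6.4 is the most urgent item and the wiki's second finding falls below the accepted-risk line.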
A penetration test simulates the actions of an external and/or internal attacker who aims to breach the information security of the organization. Using many tools and techniques, the penetration tester (ethical hacker) attempts to exploit critical systems and gain access to sensitive data.
Depending on the scope, a pen test can expand beyond the network to include social engineering attacks or physical security tests. There are also two primary types of pen test: "white box", in which the tester is given vulnerability assessment results and other internal information up front, and "black box", which is performed with very little knowledge of the target systems, leaving the tester to perform their own reconnaissance.
Penetration tests follow these general steps:
- Determination of scope
- Targeted information gathering or reconnaissance
- Exploit attempts for access and escalation
- Sensitive data collection testing
- Clean up and final reporting
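Two of the steps above are where engagements most often go wrong in practice: testing a host that was never in scope, and leaving test accounts or files behind after the report is delivered. The Python below is an added example for this page (not code from the original article or from Prime Infoserv) showing how the agreed scope can be enforced in the tester's own tooling and how artifacts created during exploitation can be tracked so that clean-up is verifiable. The address ranges, host list and artifact names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class Engagement:
    """Rules of engagement as data: which networks may be touched, which must
    never be, and a ledger of everything the tester leaves behind."""
    in_scope: list
    excluded: list = field(default_factory=list)
    artifacts: list = field(default_factory=list)

    def __post_init__(self):
        self.in_scope = [ipaddress.ip_network(n, strict=False) for n in self.in_scope]
        self.excluded = [ipaddress.ip_network(n, strict=False) for n in self.excluded]

    def is_allowed(self, target: str) -> bool:
        """Exclusions override inclusions; anything that does not parse is refused."""
        try:
            ip = ipaddress.ip_address(target)
        except ValueError:
            return False
        if any(ip in net for net in self.excluded):
            return False
        return any(ip in net for net in self.in_scope)

    def filter_targets(self, candidates):
        """Split addresses discovered during reconnaissance into allowed and refused."""
        allowed = [t for t in candidates if self.is_allowed(t)]
        refused = [t for t in candidates if not self.is_allowed(t)]
        return allowed, refused

    def record_artifact(self, host: str, kind: str, detail: str) -> None:
        """Log an account, file or other change made on a target. Refuses out-of-scope hosts
        so the ledger doubles as a last-line scope check before any change is made."""
        if not self.is_allowed(host):
            raise PermissionError(f"{host} is out of scope; refusing to act on it")
        self.artifacts.append({
            "host": host, "kind": kind, "detail": detail,
            "created": datetime.now(timezone.utc).isoformat(), "removed": False,
        })

    def mark_removed(self, host: str, kind: str, detail: str) -> bool:
        for a in self.artifacts:
            if (a["host"], a["kind"], a["detail"]) == (host, kind, detail) and not a["removed"]:
                a["removed"] = True
                return True
        return False

    def cleanup_outstanding(self):
        """What still has to be undone before the final report can close."""
        return [a for a in self.artifacts if not a["removed"]]


def demo():
    """Constructed engagement: two in-scope ranges with one excluded subnet,
    a recon list containing in-scope, excluded, foreign and malformed entries."""
    eng = Engagement(in_scope=["10.10.0.0/16", "192.0.2.0/24"], excluded=["10.10.5.0/24"])
    recon = ["10.10.1.20", "10.10.5.7", "192.0.2.44", "198.51.100.3", "not-an-ip"]
    allowed, refused = eng.filter_targets(recon)

    eng.record_artifact("10.10.1.20", "local-account", "svc_pentest")
    eng.record_artifact("192.0.2.44", "file", "/var/www/html/uploads/probe.txt")
    eng.mark_removed("10.10.1.20", "local-account", "svc_pentest")

    return {"allowed": allowed, "refused": refused, "outstanding": eng.cleanup_outstanding()}


if __name__ == "__main__":
    result = demo()
    print("allowed:", result["allowed"])
    print("refused:", result["refused"])
    print("still to clean up:", [(a["host"], a["detail"]) for a in result["outstanding"]])
```

Making the scope check a hard refusal inside the same code path that records changes means a typo in a target address fails loudly instead of quietly touching a production system that the client excluded.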
With the growing use of social, mobile apps, cloud, big data and IoT (more precisely SMAC: Social, Mobility, Analytics and Cloud), we are approaching a danger zone. You may have heard of the Jeep Cherokee incident, in which researchers remotely took control of a connected car's systems while it was being driven, showing that such attacks can put lives at risk.
Prime Infoserv LLP, as a domain expert in this field, wanted to spread awareness of information security, and so "Infocon Bangladesh 2016" was born. The idea was to empower enterprises with the knowledge to carry out proper due diligence and to understand what is actually needed to address their concerns.
The event took place on Saturday, 16 April 2016, with an audience from major banks. Speakers gave sessions on various aspects of cyber security and risk. The knowledge sharing was OEM-agnostic, so that attendees could make decisions without OEM or system-integrator influence. The sessions were fully interactive, with Q&A, discussion of areas of concern and, of course, surprise gifts as encouragement.
The event kicked off with lunch, followed by discussions on the burning topics mentioned above.
Attendees were awarded a Trend Micro-endorsed certificate.
More details of the event can be found at the links below:
Infocon is not just an event but a process for building an ecosystem around the topic. We intend to create forums where domain experts and attendees can exchange thoughts after the event itself. There will be follow-up awareness sessions, and we are seriously considering publishing a book covering pain points and their resolutions to spread awareness further.
Such reflection brings our smiles back, with peace and fulfilment through shared wisdom.
A follow-up event will be held in Bangladesh. Further events are being planned in Kolkata, Bhutan, London, Africa and Mauritius.
Stay tuned for our upcoming initiatives under the "Infocon" brand.