A new report by Threat Stack and ESG (Environmental, Social Governance) raises major security concerns about the growing use of public cloud environments and containers. The report reveals a notable gap in security and compliance readiness across the rapidly growing cloud and container environments.
The report discloses some significant findings:
- 60 percent of organizations regard security and compliance as a hindrance to winning new business associates.
- 57 percent of those surveyed reported significant delays in the sales cycle, attributing them to the trouble of meeting customer security requirements.
- 31 percent of those surveyed said they were unable to cope with the growing cloud and container environments. As a result, 62 percent said they’re aiming for greater visibility into their public cloud workloads.
- 40 percent of the respondents said that in the next 12 months they will have hybrid environments, an increase from the current 12 percent. Meanwhile, 45 percent of organizations plan to start testing or deploying containerized environments, up from the 42 percent who already do.
- 94 percent of respondents believe containers have negative security implications for their organizations.
As the market democratizes, companies are adopting more complex technical solutions that were earlier reserved for only software giants.
This, experts believe, has opened the door to external as well as internal threats while security teams catch up on cloud, containers and related technologies.
Sam Bisbee, Threat Stack CSO feels, “Containers originally focused on resource isolation, offering system building blocks to address specific operational needs that could be coupled with security solutions – they were not supposed to be a replacement for VMs, which is how most teams treat them”.
To curb the rising cyber fraud in digital transactions, a high-level meeting has proposed the imposition of a token ‘security fee’ on digital payments in India.
The meeting, focused on measures to make digital transactions safer, was held on 13 September. Chaired by Home Minister Rajnath Singh, it was attended by officers from MeITY, the Home Ministry, the Department of Financial Services, the Department of Telecom, the Reserve Bank of India and the Intelligence Bureau. All major stakeholders were present to discuss and propose ways to achieve this.
Prasanto K. Roy, Nasscom Internet Council Head, suggested that a charge on every digital transaction could go towards a fund for creating better infrastructure to secure digital transactions.
“A special fund could help develop security infrastructure, hire experts and secure online transactions, though a cess on digital transactions isn’t the best way of doing it,” he told ThePrint. He further said that there was a need for the Ministry of Finance and the Ministry of Electronics and Information Technology (MeitY) to make digital transactions cheaper and secure.
An official from the Ministry said on condition of anonymity, “It was also discussed that an Act needs to be in place for regularizing digital payments, which will be looked after by the Finance Ministry, and how to fix the responsibilities of agencies”.
The move followed the disclosure of official figures indicating that cases related to e-wallets and e-payments (as reported to banks) jumped from 13,083 in 2014-15 to 16,468 in 2015-16.
Mostly, online frauds occur when people share their passwords, 3-D Secure PINs, ATM PINs, etc. Hence there is a need to educate people about it. “A standard procedure for all e-wallets needs to be in place as right now anyone can make a wallet just by downloading the app. The KYC norms need to be strengthened for safer transactions,” the official from the Home Ministry said.
Further, the Ministry recommended undertaking a digital transaction education campaign and the creation of a dedicated cyber-forensics lab. Training for police personnel and forensic officers also needs to be in place so that they can tackle cyber fraud cases.
“As of now we do not have the manpower or expertise to deal with cyber fraud cases, which is going to be challenging…we need to be prepared,” the Home Ministry official said.
The Intelligence Bureau proposed that the Indian Government ensure the introduction of software able to detect attempts at cyber fraud. The software would be incorporated by payment gateways so that customers can be alerted to suspicious activity.
“There needs to be a machinery to detect out-of-bound transactions and the pattern of violations in cyber fraud cases. The machinery should be able to figure if the transaction is fraudulent by looking at its pattern and send alerts,” Nasscom’s Roy said to The Print.
Civilization has always been interested in protection, whether in primitive times or in the sophisticated present. Human life, property or business, our thoughts revolve around safeguarding them.
With the advancement of technology we are more engaged with the internet, and in effect data security is becoming more critical worldwide. Information security is a well-known consideration globally. We regularly face attacks, fraud, security breaches, confidentiality issues, information misuse, piracy, sniffing and leakage of data across the domain.
During my last visit to Bangladesh (14th to 18th March, 2016), Bangladesh Bank fraudulent activities came to my notice. Bangladesh got into the news for all the wrong reasons. The situation forced the banks to take corrective actions in the line of cyber security. We thought of spreading awareness on the domain in Bangladesh through our initiative “Infocon”.
In line with the Bangladesh Bank attack, mandates came to all banks to cover information security and cyber security risks/threats in order to secure public money and confidential/critical information.
Cyber security governance and risk assessment are to be enforced across the employees of the organization. There should be preparation for the assessment of technological difficulties and for emergency management procedures. This may be achieved through third-party assessment and security skill development for all employees.
Information security should be continuously monitored through operation centres on a 24×7 basis.
PCI-DSS compliance is to be adopted, with two-factor authentication systems for chip-and-PIN based cards. Logs should be collected, retained and correlated for all critical assets in order to enable proactive measures.
Besides, there is a need for the ISO 27001:2013, ISO 20000:2011 and ISO 9001:2015 standards, and apart from these a risk assessment framework based on the industry de-facto standard NIST controls and FISMA law/compliance, or the COBIT framework.
People are looking at protecting against malware, ransomware, APTs, etc.
In effect, various providers and OEMs positioned their products/solutions to potential clients in the financial sector. But different products/solutions in the same domain created a lot of confusion and dilemma in the customer’s mind before reaching a conclusion. Before narrating the “Infocon Bangladesh 2016” event, I will try to explain some of the burning topics in security which are critical not only for Bangladesh, but across the globe.
Nowadays threats are multifold. Every day we discover new lines of threats. Ransomware is one of the latest in the bucket, and is turning out to be one of the most virulent and potentially heart-breaking malware infections to fall victim to. If you are unfortunate enough to accidentally download this type of malicious code, whether through phishing attacks or illegitimate downloads and compromised websites, the malware locks your screen, encrypts your files and attempts to extort a fee before handing over the cryptographic key required to get your files back. There are many strains of ransomware, including CryptoWall, CryptoLocker, CoinVault and Bitcryptor. This malware is nasty enough already, but the prediction is that new generations will increase in sophistication, including stealth tactics, the silent encryption of data on both systems and backups, and potentially the use of kernel components to encrypt files on the fly.
An advanced persistent threat (APT) is a network attack in which an unauthorized person gains access to a network and stays there undetected for a long period of time. The intention of an APT attack is to steal data rather than to cause damage to the network or organization. APT attacks target organizations in sectors with high-value information, such as national defence, manufacturing and the financial industry. An APT attacker often uses spear phishing, a type of social engineering, to gain access to the network through legitimate means. Once access has been achieved, the attacker establishes a back door.
The next step is to gather valid user credentials (especially administrative ones) and move laterally across the network, installing more back doors. The back doors allow the attacker to install bogus utilities and create a “ghost infrastructure” for distributing malware that remains hidden in plain sight.
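The credential reuse and lateral movement described above leave a trace that defenders can look for: one account authenticating to an unusual number of distinct hosts in a short window. The following is an added example (not code from the original article) that runs that check over a constructed authentication log; the log format, the thresholds and the account and host names are all assumptions made for the illustration.

```python
"""Flag accounts that authenticate to many distinct hosts within a short window,
one observable symptom of the credential harvesting and lateral movement that an
APT intrusion relies on. Added example; the log lines below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one event per line:
#   <ISO timestamp> <user> <source host> -> <destination host> <result>
SAMPLE_LOG = """\
2016-03-01T09:00:01 alice ws-101 -> fileserver OK
2016-03-01T09:00:30 alice ws-101 -> mailserver OK
2016-03-01T09:10:00 svc_backup ws-220 -> db01 OK
2016-03-01T09:10:05 svc_backup ws-220 -> db02 OK
2016-03-01T09:10:09 svc_backup ws-220 -> app01 OK
2016-03-01T09:10:14 svc_backup ws-220 -> app02 OK
2016-03-01T09:10:20 svc_backup ws-220 -> dc01 OK
2016-03-01T09:10:27 svc_backup ws-220 -> ws-105 OK
2016-03-01T11:00:00 bob ws-102 -> fileserver OK
"""


def parse_line(line):
    """Split one log line into (timestamp, user, source, destination, result)."""
    ts, user, src, _arrow, dst, result = line.split()
    return datetime.fromisoformat(ts), user, src, dst, result


def detect_fan_out(log_text, max_hosts=5, window=timedelta(minutes=10)):
    """Return {user: sorted destination hosts} for every user that successfully
    authenticated to more than `max_hosts` distinct hosts inside any interval of
    length `window`. Uses a sliding window over the user's time-ordered events."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, _src, dst, result = parse_line(line)
        if result == "OK":  # only successful logons count as reach
            events[user].append((ts, dst))

    findings = {}
    for user, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # shrink the window from the left until it spans at most `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            hosts = {dst for _, dst in evs[start:end + 1]}
            if len(hosts) > max_hosts:
                findings[user] = sorted(hosts)
                break
    return findings


if __name__ == "__main__":
    for user, hosts in detect_fan_out(SAMPLE_LOG).items():
        print(f"{user}: reached {len(hosts)} hosts within 10 min -> {', '.join(hosts)}")
```

In the constructed log only `svc_backup` trips the threshold; a real deployment would feed the same logic from the centrally collected, correlated logs that the article calls for and tune `max_hosts` per account type, since a backup service account legitimately touching many hosts is exactly the kind of noise that needs a baseline.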
PCI-DSS stands for Payment Card Industry Data Security Standard.
PCI DSS and related security standards are administered by the PCI Security Standards Council, which was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. Participating organizations include merchants, payment card issuing banks, processors, developers and other vendors.
There are three ongoing steps for adhering to the PCI DSS:
- Assess — identifying cardholder data, taking an inventory of your IT assets and business processes for payment card processing, and analyzing them for vulnerabilities that could expose cardholder data.
- Remediate — fixing vulnerabilities and not storing cardholder data unless you need it.
- Report — compiling and submitting required remediation validation records (if applicable), and submitting compliance reports to the acquiring bank and card brands you do business with.
PCI Data Security Standard – High Level Overview

| Goal | Requirement |
|---|---|
| Build and Maintain a Secure Network and Systems | Install and maintain a firewall configuration to protect cardholder data |
| | Do not use vendor-supplied defaults for system passwords and other security parameters |
| Protect Cardholder Data | Protect stored cardholder data |
| | Encrypt transmission of cardholder data across open, public networks |
| Maintain a Vulnerability Management Program (VAPT) | Protect all systems against malware and regularly update anti-virus software or programs |
| | Develop and maintain secure systems and applications |
| Implement Strong Access Control Measures | Restrict access to cardholder data by business need to know |
| | Identify and authenticate access to system components |
| | Restrict physical access to cardholder data |
| Regularly Monitor and Test Networks | Track and monitor all access to network resources and cardholder data |
| | Regularly test security systems and processes |
| Maintain an Information Security Policy | Maintain a policy that addresses information security for all personnel |
Sometimes, in order to comply with PCI-DSS, some components are essential to implement as part of remediation:
- Web Application Firewall (WAF),
- Web Content Filtering,
- Endpoint Security,
- HIPS (Host-Based Intrusion Prevention),
- Security Information and Event Management (SIEM),
- Vulnerability Assessment and Penetration Testing Tools (VAPT),
- Data Leakage Protection (DLP),
- File Integrity Monitoring,
- Endpoint Encryption,
- Privileged User Monitoring,
- Identity Management (IDM), etc.
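File Integrity Monitoring, listed above, is also the control that notices the "silent encryption of data on both systems and backups" warned about in the ransomware section: an encrypted backup file has a different hash from the one that was baselined. The block below is an added example (not code from the original article or from any FIM product) that baselines a directory with SHA-256, then reports added, removed and modified files; it builds and mutates a temporary directory so it runs on its own.

```python
"""Baseline a directory tree's file hashes and report what was added, removed or
modified, the core loop of file integrity monitoring. Added example; the directory
contents and the simulated incident are constructed."""
import hashlib
import os
import tempfile


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large backups do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map each file path (relative to `root`) to its SHA-256 digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = hash_file(full)
    return baseline


def diff_snapshots(before, after):
    """Compare two snapshots; a changed digest means the content changed."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in before if p in after and before[p] != after[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Create a constructed tree, baseline it, simulate an incident, return the diff."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "backups"))
        with open(os.path.join(root, "config.ini"), "w") as f:
            f.write("mode=prod\n")
        with open(os.path.join(root, "backups", "db.bak"), "w") as f:
            f.write("constructed payroll backup\n")
        before = snapshot(root)

        # Simulated incident: the backup is overwritten with unreadable bytes (what
        # encryption in place looks like to a monitor) and a note file appears.
        with open(os.path.join(root, "backups", "db.bak"), "wb") as f:
            f.write(os.urandom(64))
        with open(os.path.join(root, "README_DECRYPT.txt"), "w") as f:
            f.write("constructed ransom note\n")
        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    result = demo()
    for kind, paths in result.items():
        print(f"{kind}: {paths}")
```

A production monitor keeps the baseline somewhere the monitored host cannot rewrite it (the SIEM from the same list is the usual home) and raises an alert on any modification to files that are never expected to change, such as completed backups and binaries.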
ISMS stands for Information Security Management System, and the latest standard is ISO 27001:2013. It is essential to protect company data, not only to protect the future of your systems, but also to protect the customer information that has been entrusted to you. This requires a holistic approach covering price, IT security, physical security and staff policies & procedures. ISO 27001 is the formal standard against which organizations seek independent certification of their Information Security Management Systems.
ISO 27001 helps to protect against:
- Customer Information leakage
- Virus & hacker attacks
- Incompatible software conflicts
- Failure to back up systems
- Loss or theft of unencrypted backups
- Internal security breaches
- Loss of information resulting from staff turnover
- System downtime
ISMS ideal coverage should include:
- ISMS Scope Definitions
- ISO 27001 “Gap” Analysis Assessments
- Performing an assessment of your existing ISMS
- Information Security Policy and Procedure Development
- Information Security Risk Assessments
- ISMS Manual Development
- ISO 27001 ISMS Implementation Support
- Security Improvement Plans
- Incident Management Plans
- ISMS & Internal Audits
- Management Reviews
- Pre-certification Audits and support
- Post Certification Audits Corrective Action Support
- ISMS Training for Management & Employees
- Integration of ISMS with COBIT, COSO, ITIL/ISO 20000 etc
Vulnerability assessments and penetration tests (pen tests for short) are processes to identify threats and vulnerabilities in the IT landscape using valuable tools; they can benefit any information security program and are both integral components of a security management process.
A vulnerability assessment is the process of identifying and quantifying security vulnerabilities in an environment. It is an in-depth evaluation of your information security posture, indicating weaknesses as well as providing the appropriate mitigation procedures required to either eliminate those weaknesses or reduce them to an acceptable level of risk.
Vulnerability assessments follow these general steps:
- Catalog assets and resources in a system
- Assign quantifiable value and importance to the resources
- Identify the security vulnerabilities or potential threats to each resource
- Mitigate or eliminate the most serious vulnerabilities for the most valuable resources
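The last step above depends on the second: a finding's urgency is the product of how bad the weakness is and how much the affected resource is worth, not its severity score alone. The block below is an added example (not code from the original article or from any scanner) that carries those steps through on a constructed asset catalogue and finding list; the asset names, values, severity figures, exposure weights and placeholder vulnerability identifiers are all assumptions for the illustration.

```python
"""Rank vulnerability-assessment findings so that the most serious weaknesses on the
most valuable resources are remediated first. Added example; every value below is
constructed and the vulnerability identifiers are placeholders."""

# Step 1 and 2: asset catalogue with a business value (1 = low, 5 = critical).
ASSETS = {
    "core-banking-db": 5,
    "internet-banking-web": 4,
    "hr-portal": 2,
    "dev-test-vm": 1,
}

# Step 3: findings as (asset, vulnerability id, severity on a 0-10 scale, exposure).
FINDINGS = [
    ("core-banking-db", "PLACEHOLDER-VULN-A", 7.5, "internal"),
    ("internet-banking-web", "PLACEHOLDER-VULN-B", 9.8, "internet"),
    ("hr-portal", "PLACEHOLDER-VULN-C", 9.8, "internal"),
    ("dev-test-vm", "PLACEHOLDER-VULN-D", 10.0, "internet"),
    ("core-banking-db", "PLACEHOLDER-VULN-E", 5.0, "internal"),
]

# Internet-facing weaknesses are reachable by more attackers, so they weigh more.
EXPOSURE_WEIGHT = {"internet": 1.5, "internal": 1.0}


def risk_score(asset_value, severity, exposure):
    """Combine asset value, technical severity and exposure into one number."""
    return round(asset_value * severity * EXPOSURE_WEIGHT[exposure], 2)


def prioritize(assets, findings):
    """Step 4: return findings as (score, asset, vuln) ordered highest risk first.
    A finding on an asset missing from the catalogue is an inventory gap, so it
    is reported as an error rather than silently scored."""
    ranked = []
    for asset, vuln, severity, exposure in findings:
        if asset not in assets:
            raise KeyError(f"finding references uncatalogued asset {asset!r}")
        ranked.append((risk_score(assets[asset], severity, exposure), asset, vuln))
    ranked.sort(key=lambda r: (-r[0], r[1], r[2]))
    return ranked


if __name__ == "__main__":
    for score, asset, vuln in prioritize(ASSETS, FINDINGS):
        print(f"{score:6.1f}  {asset:22s} {vuln}")
```

Note what the ranking does with the constructed data: the severity-10 finding on the throwaway test VM lands at the bottom, while a mid-severity finding on the core banking database outranks a critical one on the HR portal. That inversion relative to raw scanner output is the whole point of assigning values in step 2.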
A penetration test simulates the actions of an external and/or internal cyber attacker that aims to breach the information security of the organization. Using many tools and techniques, the penetration tester (ethical hacker) attempts to exploit critical systems and gain access to sensitive data.
Depending on the scope, a pen test can expand beyond the network to include social engineering attacks or physical security tests. There are also two primary types of pen test: “white box”, which uses vulnerability assessment and other pre-disclosed information, and “black box”, which is performed with very little knowledge of the target systems, leaving it to the tester to perform their own reconnaissance.
Penetration tests follow these general steps:
- Determination of scope
- Targeted information gathering or reconnaissance
- Exploit attempts for access and escalation
- Sensitive data collection testing
- Clean up and final reporting
With the increasing usage of social, mobile apps, cloud, big data and IoT (more precisely SMAC: Social, Mobility, Analytics and Cloud), we are approaching a danger zone. You may have heard of the Jeep Cherokee incident, where hackers could take control of a connected car, with potentially fatal consequences.
Prime Infoserv LLP, being a domain expert in the category, wanted to spread awareness of information security, and “Infocon Bangladesh 2016” was born. The idea was to empower enterprises with better wisdom and knowledge for doing proper diligence and understanding the actual need to address their concerns.
The event took place on 16-04-2016 (Saturday) with an audience from major banks. Speakers took sessions on various aspects of cyber security and risk. The knowledge sharing was OEM-agnostic in order to spread more awareness, so that people are better empowered to take decisions beyond OEM/system integrator influence. The sessions were fully interactive, with Q&A, discussion of areas of concern and, of course, encouragement with surprise gifts.
The event kicked off with lunch, followed by discussions on the burning topics mentioned above.
The attendees were awarded a Trend Micro-endorsed certificate.
More details of the event can be found at the links below:
Infocon is not just an event, but rather a process to build an ecosystem around the topic. We intend to create forums where domain experts and attendees can exchange thoughts even after events. There will be follow-up awareness sessions. There are serious thoughts of publishing a book covering pain points and resolutions to spread awareness.
This retrospection will bring our smile back in order to have peace and fulfilment with wisdom.
We will have a follow-up event in Bangladesh. Upcoming events are being planned in Kolkata, Bhutan, London, Africa and Mauritius.
Stay tuned for our upcoming initiatives under the brand “Infocon”.
May 12, 2017 was one of the most dreadful days of the year for cyber experts and their stakeholders. About 150 countries across the globe suffered a cyber-attack affecting 200,000 computers.
It was the infamous “WannaCry” ransomware, in which hackers locked people out of their computers, demanding a ransom of $300 in bitcoin. Medical care became inaccessible and factories were shut down for more than 2 days to minimize loss of confidential data and further damage.
Here goes a brief on one of the most dangerous ransomware attacks in the Cyber-verse:
What is “WannaCry”?
“WannaCry” appears to have utilized a flaw in Microsoft’s software, discovered by the National Security Agency, which was then leaked by hackers. The malicious code, which relied on victims opening a zip file emailed to them, spread rapidly across networks, locking away files one by one. From then on, the programme used Microsoft’s flaw to thrive.
Microsoft had released a security update in March 2017 which addressed the vulnerability in the sixteen-year-old Windows XP operating system. This update was exploited by the hackers to trigger the massive ransomware attack.
Who got affected?
Several computer networks worldwide were affected, including Telefonica and other major organizations in Spain. The British National Health Service (NHS), too, was forced to cancel patients’ scheduled appointments.
FedEx, Deutsche Bahn, the Russian Interior Ministry and the Russian telecom MegaFon were prevented from operating normally. According to Quartz, the three bitcoin wallets used in the attack received just under 300 payments totalling 48.8635565 bitcoins, equivalent to about $101,000.
What is a ransomware attack?
The term ‘ransomware’ appeared in 2005 in the US, with the first notable threats of this kind. While cyber experts date it to 2005, the history of ransomware goes back to 1989.
According to Becker’s Hospital Review, the earliest ransomware attack occurred in 1989, targeting the healthcare industry. Following the same trend, the healthcare industry still remains a top target for such attacks twenty-eight years later.
Ransomware is a cyber-attack wherein hackers gain control over a computer system and block access to it until the demanded ransom is paid. Hackers get control of systems by having a type of malicious software downloaded onto a device within the network. This is usually done by tricking a victim into clicking on a download link. The link is normally attached to an email which, once opened, encrypts the hard drive. Once the software gets into the victim’s computer, it enables the hackers to launch an attack that locks all files it can find within that network.
The recent ‘WannaCry’, also known as Wanna Decryptor, is a ransomware programme that locks all the available data in the system, leaving the user with only instructions on what to do next and the Wanna Decryptor programme itself.
When the software is opened, it tells users that the files on their computer have been encrypted. It then gives them a few days to pay up, warning that their files will otherwise be deleted. It generally gives them instructions to pay in Bitcoin, providing the Bitcoin address for it to be sent to.
What is the way out?
Larger organizations should ideally follow the guidelines provided by the concerned institutions:
- Apply the latest Microsoft security patches for this particular flaw.
- Ensure all outgoing and incoming emails are scanned for malicious attachments.
- Ensure anti-virus programmes are up to date and conduct regular scans.
- Backup all key data and information.
- Organize education programmes on malware so employees can identify scams, malicious links or emails that may contain hazardous viruses.
- Run “penetration tests” against your network’s security at least once a year.
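The second guideline, scanning incoming mail for malicious attachments, matters here because the outbreak described above relied on victims opening an emailed zip file. The block below is an added example (not code from the original article or from any mail gateway) of the minimal check a gateway performs: it flags attachments that are executables or scripts, and opens zip archives to flag executables hidden inside them. The message, its addresses and the attachment names are constructed, and the "executable" is a harmless placeholder string.

```python
"""Inspect an e-mail for risky attachments: executables and scripts, plus archives
that contain them (the emailed-zip delivery path described above). Added example;
the message below is constructed and contains no real program."""
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Extensions Windows will run directly, or that commonly carry droppers.
RISKY_EXT = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".hta", ".dll"}
ARCHIVE_EXT = {".zip"}


def ext_of(name):
    """Last extension of a filename, lower-cased ('invoice.pdf.exe' -> '.exe')."""
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def scan_attachment(filename, payload):
    """Return a list of (what, reason) findings for a single attachment."""
    findings = []
    ext = ext_of(filename)
    if ext in RISKY_EXT:
        findings.append((filename, "executable or script attachment"))
    elif ext in ARCHIVE_EXT or zipfile.is_zipfile(io.BytesIO(payload)):
        # Look inside the archive instead of trusting its outer extension.
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for member in zf.namelist():
                    if ext_of(member) in RISKY_EXT:
                        findings.append((f"{filename}:{member}", "executable inside archive"))
        except zipfile.BadZipFile:
            findings.append((filename, "malformed archive"))
    return findings


def scan_message(raw_bytes):
    """Parse a raw RFC 822 message and scan every attachment part."""
    msg = message_from_bytes(raw_bytes)
    findings = []
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        findings.extend(scan_attachment(part.get_filename() or "", part.get_payload(decode=True)))
    return findings


def build_sample():
    """Constructed message: a benign PDF plus a zip hiding a double-extension .exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_2016.pdf.exe", b"MZ constructed placeholder, not a real program")
        zf.writestr("readme.txt", b"constructed")
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "finance@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="invoice.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for what, reason in scan_message(build_sample()):
        print(f"BLOCK {what}: {reason}")
```

The PDF passes and the zip is blocked because of what it contains, not because zips are banned outright. A real gateway adds content-type sniffing, password-protected archive handling and sandbox detonation on top of this, but the extension-and-contents check is the layer that stops the plain emailed-zip case.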
Many experts even suggested restoring all files from a backup. If that isn’t possible, there are tools that can decrypt and recover some information.