Is your organization ready to fight against Phishing Risks?

Phishing and social engineering have been a growing concern. The latest Phishing Activity Trends Report for Q4 2009 from the Anti-Phishing Working Group (APWG) shows alarming figures for increasingly sophisticated phishing attacks. As per the report, the financial services industry again topped all targeted sectors in Q4.

APWG Chairman Dave Jevans said, “Spear-phishing and whale-phishing, where targeted individuals inside of corporations, or of high net worth, appeared to be increasing. Phishers and malware attackers are sending emails to individuals in a highly targeted fashion, attempting to gain access to corporate online banking systems, corporate VPN networks, and other online resources.”

Consider this scenario: An organization has perimeter security configured. Multiple detective and preventive controls like IDS, IPS, firewalls etc. are deployed. Still, an employee gets an email with an embedded link which points to a malicious website. Once drawn to this website, the unwitting employee is exposed to an array of risks.

One such risk is crimeware (malware designed with the intent of collecting end-user information to steal credentials) being downloaded and installed on the local system without the user’s consent. Once installed, it may allow scammers to compromise other network systems, steal sensitive information, create backdoors into the corporate network etc. Another significant risk is a website that attempts to sway the recipient into revealing personal information or credentials for online corporate applications. Such mails are often pictured as coming from a trusted source like the HR or IT department, outsourcing partners etc., and use legitimate-looking layout, graphics, links and content to resemble the original website.

Most times it is very difficult to determine the source of a phishing attack, because a well-orchestrated phishing attack exploits the weak links in People, Process and Technology inside an organization in order to succeed. Most worrying, there are no quick, magic tools which can help you mitigate phishing risks overnight. Then how would you address the phishing risk?

Organizations can adopt the Deming Cycle [Plan-Do-Check-Act] to counter phishing attacks, and the response would improve over a period of time. Steps to follow:

Understand the current level of preparedness of employees and define a strategy to address this gap [Plan]
Implement policies, procedures and an incident response plan to guide employees on “How to identify phishing websites” and “What to do” when phishing attacks actually occur [Do]
Conduct drills periodically to check the readiness of employees against phishing attacks and determine who is vulnerable [Check]
Provide awareness training to vulnerable users and also regularly update employees on new threats and techniques used by phishers through all possible means of communication [Act]

In summary the message is very clear: the key to protecting oneself is continuous education and awareness. Organizations should start working towards employee education as the better cure.
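The “How to identify phishing websites” guidance above is usually taught as a checklist: does the visible link text match where the link really goes, is the host a raw IP address, does the domain merely resemble ours. The following added example (not from the original article or from Aujas) turns that checklist into a small triage script that a security team could run over a reported mail. The organization’s domain example-corp.com, the sample HTML mail and its links are all constructed for the example; the registrable-domain logic is deliberately naive (last two labels) and a real deployment would use the public suffix list.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress
import re

# Assumed for this example: the domains the organization legitimately mails from.
TRUSTED_DOMAINS = {"example-corp.com"}

# Constructed sample mail body resembling the HR/IT-department lure described above.
SAMPLE_MAIL = """
<p>Dear employee, please re-validate your VPN account within 24 hours.</p>
<a href="http://example-corp.com.login-secure.net/vpn">https://vpn.example-corp.com/</a><br>
<a href="http://198.51.100.23/reset">Reset password</a><br>
<a href="https://examp1e-corp.com/hr">HR portal</a><br>
<a href="http://hr.example-corp.com@203.0.113.9/login">Login</a><br>
<a href="https://hr.example-corp.com/policies">Policies</a>
"""

URLISH = re.compile(r"^(https?://)?([a-z0-9-]+\.)+[a-z]{2,}(/\S*)?$", re.I)


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Naive registrable domain: last two labels (use the public suffix list in production)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def edit_distance(a, b):
    """Levenshtein distance, used to catch typo-squatted lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(href, text):
    """Return heuristic findings for one anchor; an empty list means no concern."""
    u = urlparse(href)
    host = (u.hostname or "").lower()
    if not host:
        return []
    findings = []
    if u.username is not None:          # http://trusted-looking@real-host/ trick
        findings.append("credentials-in-url")
    if is_ip(host):
        findings.append("ip-address-host")
        reg = host
    else:
        reg = registrable(host)
        if reg in TRUSTED_DOMAINS:
            return findings
        brand_labels = {t.split(".")[0] for t in TRUSTED_DOMAINS}
        if any(b in host.split(".")[:-2] for b in brand_labels):
            findings.append("brand-in-subdomain")   # example-corp.com.evil.net
        if any(edit_distance(reg, t) <= 2 for t in TRUSTED_DOMAINS):
            findings.append("lookalike-domain")     # examp1e-corp.com
    if URLISH.match(text):                          # link text shows a different site
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if registrable(shown) != reg:
            findings.append("display-href-mismatch")
    return findings


def analyze_mail(html):
    """Map each suspicious href in the mail to its findings."""
    p = _LinkCollector()
    p.feed(html)
    report = {}
    for href, text in p.links:
        f = classify_link(href, text)
        if f:
            report[href] = f
    return report


if __name__ == "__main__":
    for href, findings in analyze_mail(SAMPLE_MAIL).items():
        print(href, "->", ", ".join(findings))
```

Only the genuine hr.example-corp.com link comes out clean; the other four each trip at least one heuristic, which is exactly the set of cues the awareness training should teach people to look for before clicking.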

It gives us immense pleasure to inform you that Aujas successfully completed its second year of operations in February 2010.
The last 2 years have been a very interesting journey for us in a challenging economic environment marked by several ups and downs. Despite these circumstances, Aujas has managed to grow consistently.
A quick look back at the past 2 years highlights our commitment and focus to the Information Risk Management domain. Today we have grown to 55 employees with 70 customers from across 9 countries delivering over 100 projects with an active presence in 3 continents. We have added new services, repositioned our existing services and strengthened our team.
As we commence our third year, we will add more services to our Information Risk services portfolio and continue our expansion into international markets.
We would like to thank our customers, employees, partners, management team, Board and Advisory Board members for their continued support in scaling Aujas.
Warm Regards,
M Srinivas Rao
Co-Founder & CEO
We are just back from the “CIO – The Year Ahead” event organized by IDG Media. The event is a premier forward-looking annual event for CIOs in India. About 90 CIOs and IT heads were there to examine technology trends for the coming year.
The last CIO event was held in Singapore, but this time it was held in India, at the beautiful locale of Royal Palms, Bangalore. A very nice place, and add to it the beautiful Bangalore weather. Maybe that explained the high turnout of senior folks from the IT industry?
The keynote session was from Mr. B. S. Nagesh, MD of Shoppers Stop. It was probably the best presentation of the event. He spoke more from his heart than his head, challenging the present CIOs on their next role in the organization.
As with all events, there were a lot of sessions from industry folks and large technology companies, some good, some not so good. The recurrent theme was SaaS, cloud computing and virtualization. Reality or too much hype?
Aujas was one of the knowledge partners for the Security session. Sameer Shelke, co-founder & COO talked about “IT Risk Management – As the Economy Revives”.
He spoke about how organizations, when the economy revives, will start investing in new markets, employee growth and productivity. But along with planning for growth, companies need to seriously look at the key information risks as they plan for more growth. If this downturn has taught us anything, it would be to look at risk a little more critically.
You can find a copy of his presentation online at http://www.aujas.com/presentations.html. Feel free to download it, and if you need any more information, do drop a mail at contact@aujas.com.
It was a great event. Some of the discussions over lunch and dinner were obviously more interesting than some of the presentations on the stage. Thanks to all the CIOs for making it an interesting event. Thanks also to the IDG Media team for organizing a great event. We look forward to the next one.

We can never say we are 100% safe and protected; what we owe to ourselves and our business is doing all we can to protect our information technology assets.
Annual Conference of ISACA (Information Systems Audit and Control Association), Mumbai Chapter was held at ITC Grand Maratha on 4th-6th September 2009. The theme for this year was “Success in the Challenging Times: Securing the Unsecured – Assurance beyond Audit.”
The conference featured executives from several leading public and private organizations for panel discussions and presentations. Sameer Shelke, co-founder & COO, represented Aujas and delivered a presentation on “Our Psychology & Security: The Way We Think" at the annual conference.
In his talk Sameer stressed the thought process of people in dealing with IT risks. He drew an analogy with the various reactions to the H1N1 epidemic, specifically those of people and the media, to this “risk”.

The industry patrons applauded Sameer for his remarkable and meaningful presentation. “Sameer’s presentation was practically related, with an out-of-the-box approach,” said Richard DeSouza, Head of Operational Risk, Reliance Life Insurance Limited.
To download a copy of Sameer’s presentation please click on http://www.aujas.com/presentations.html
The Indian Computer Emergency Response Team, CERT-In (www.cert-in.org.in), is a national initiative to tackle emerging challenges in the area of information security and country-level security risks and vulnerabilities. CERT-In is coordinated by the Department of Information Technology, Ministry of Communications and Information Technology, Government of India, in cooperation with several agencies in government, academia and industry.
CERT-In Empanelment process:
CERT-In empanelment is a tough process and involves various procedures such as providing information on methodologies, case studies, skills and profiles. It also includes a two-stage qualifying test, an offline test and an online test, to assess applicants in both the offline and web environments. The selection process includes various challenges, from identifying and exploiting vulnerabilities to reporting them. The report is reviewed by a panel of security experts and then the empanelment is awarded.
For more details about the empanelment, visit: http://www.aujas.com/press_cert.html
We are happy to be amongst the list of empanelled organizations and look forward to working with various government and PSU entities.
Regards
Team Aujas
The Information Technology (Amendment) Act, 2008, an Act to amend the IT Act 2000, received the assent of the President on 5th February 2009. Several legal and security experts are in the process of analyzing the contents and possible impacts of the amendments. The objective of this note is to study the possible implications and impacts on Indian companies. This note is not intended to be a comprehensive analysis of the amendments, but covers only certain key points which could impact Indian companies.
The IT Act 2000 did not have any specific reference to data protection, the closest being a provision to treat data vandalism as an offence. The Government introduced a separate bill called the “Personal Data Protection Act 2006”, which is pending in Parliament and is likely to lapse. The ITA 2008 has introduced two sections which address data protection to an extent, which gives rise to certain key considerations for the sector.
1. Data Protection
The sections under consideration are:
Section 43A:
Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.
By way of explanation: “Body corporate means Indian companies”
“Reasonable security practices mean a mutual contract between the customer and service provider OR as per the specified law. In absence of both then as specified by the Central Government”
Hence it would be important for Indian companies to seriously look at the SLAs and agreements which have been signed with clients to understand the data protection implications. The same goes for understanding the applicable laws.
A major modification is that this clause does not mention the compensation limit of Rs. 1 Crore which was part of section 43 of the ITA 2000. This implies that there is no upper limit for the damages that can be claimed. This is essentially “unlimited liability” for Indian companies, which could have serious business implications.
Section 72A:
Under this section, disclosure without consent exposes a person, including an “intermediary”, to imprisonment of up to three years or a fine of up to Rs. five lakhs, or both. This section uses the term “personal information” and not “sensitive personal information” as in section 43A. Hence it could apply to any information which is obtained in order to deliver services, and in some ways broadens the definition of information.
2. Information Preservation
e.g. Section 67C: Preservation and Retention of information by intermediaries.
“Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.” Any intermediary who intentionally or knowingly contravenes the provisions shall be punished with imprisonment for a term which may extend to three years and shall also be liable to a fine.
The notifications on the duration of preservation etc. have not yet been released. However, since this is a “cognizable” offence, any police inspector can start an investigation against the CEO of a company.
Apart from the two aspects discussed in this note, there are other areas which could also be considerations, e.g.:
Sec 69: Power to issue directions for interception or monitoring or decryption of any information through any computer resource.
Sec 69B: Power to authorize monitoring and collection of traffic data or information through any computer resource for cyber security, etc.
In summary, IT Risk management and response needs to be looked at by all companies for various reasons including customer assurance, compliance, customer regulations, protection of information assets etc. The ITA 2008 amendments provide us with few additional factors for considerations which could have significant impact on business. Information technology regulations and laws would only get more stringent and defined; hence it’s imperative for organizations to be aware and prepared.
Today’s recession is pushing businesses to move to the cloud, which can convert CapEx into OpEx. Here is a glimpse of the latest security news from Google Docs.
“We’ve identified and fixed a bug where a very small percentage of usersshared some of their documents inadvertently.”
“We’re sorry for the trouble this has caused. We understand our users’concerns (in fact, we were affected by this bug ourselves) and we’re treatingthis very seriously.”
This is a serious threat to privacy and trust. Think about a business-confidential document shared with a competitor. Who will take ownership of the losses incurred? The issue indicates how dangerous the cloud can be.
Security is the biggest factor that prevents organizations from adopting the cloud, but this did not stop companies from building products that are less secure. Google’s issue is a very simple, fundamental design issue. To understand it, let us look at the three fundamental security design patterns.
The Single Access Point pattern was implemented, but the second and third patterns were buggy, which allowed people to view all the documents. As always, security is an afterthought. The lack of security awareness and the failure to follow a secure SDLC will cause havoc in the cloud computing business.
The only solution would be to bring in security standards and audits, and to present this information publicly. It is really raining out there in the cloud; just an umbrella cannot help.
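To make the design-pattern argument concrete, here is an added illustration (not Google’s code, and not a reconstruction of the actual Google Docs bug, whose details the post does not give). It assumes that what the post means by the patterns beyond Single Access Point is a single, centralized authorization check that every access and every sharing change must pass through. The safe store routes its bulk-share path through that check point; the leaky variant adds a “fast” bulk path that skips it, which is enough for one user to expose another user’s document. Names and documents are constructed.

```python
class AuthzDenied(Exception):
    """Raised by the single check point when a principal lacks the right."""


class DocumentStore:
    """Every read and every sharing change passes through _authorize()."""

    def __init__(self):
        self._docs = {}   # doc_id -> {"owner": str, "readers": set of principals}
        self.audit = []   # (principal, action, doc_id, outcome), for later review

    def create(self, owner, doc_id):
        self._docs[doc_id] = {"owner": owner, "readers": {owner}}

    def _authorize(self, principal, action, doc_id):
        """The check point: the only place that decides allow/deny."""
        doc = self._docs[doc_id]
        if action == "read":
            allowed = principal in doc["readers"]
        elif action == "share":
            allowed = principal == doc["owner"]   # only the owner may grant access
        else:
            allowed = False
        self.audit.append((principal, action, doc_id, "allow" if allowed else "deny"))
        if not allowed:
            raise AuthzDenied(f"{principal} may not {action} {doc_id}")
        return doc

    def read(self, principal, doc_id):
        return self._authorize(principal, "read", doc_id)

    def share(self, principal, doc_id, grantee):
        self._authorize(principal, "share", doc_id)["readers"].add(grantee)

    def share_many(self, principal, doc_ids, grantee):
        # Authorize every document before changing any, so a denial on one
        # document does not leave a half-applied batch behind.
        docs = [self._authorize(principal, "share", d) for d in doc_ids]
        for doc in docs:
            doc["readers"].add(grantee)

    def can_read(self, principal, doc_id):
        return principal in self._docs[doc_id]["readers"]


class LeakyStore(DocumentStore):
    """Same API, but the bulk path bypasses the check point (the anti-pattern)."""

    def share_many(self, principal, doc_ids, grantee):
        for d in doc_ids:                       # no _authorize() call here
            self._docs[d]["readers"].add(grantee)


def demo(store_cls):
    """Returns whether an outsider ends up able to read Alice's document."""
    s = store_cls()
    s.create("alice", "q4-forecast")
    s.create("mallory", "notes")
    try:
        # Mallory slips someone else's document into her own bulk share.
        s.share_many("mallory", ["notes", "q4-forecast"], "competitor")
    except AuthzDenied:
        pass
    return s.can_read("competitor", "q4-forecast")


if __name__ == "__main__":
    print("check point honoured, leaked:", demo(DocumentStore))   # False
    print("check point bypassed, leaked:", demo(LeakyStore))      # True
```

The point of the pattern is that there is exactly one authorization decision to get right and to test; any second code path that touches the ACL directly, however convenient, is where an inadvertent share comes from.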
A few weeks ago, as part of the DSCI Bangalore Chapter (http://www.dsci.in), one of the business leaders presented the security concerns of his organization. When asked what the one problem is that security professionals need to address, he said: information about the behavioural aspects of people in terms of security. How does one gather and share that information? How does one do background checks on people? He felt, and I agree, that people are the weakest link, and if there were a way to figure out behavioural patterns, that would help control security incidents.
Cut to last week, when I attended Emtech 2009 (http://www.emtechindia.in/), a premier technology conference in India. Lots of interesting technologies, from biofuel to stem cells to nano. One of the interesting and relevant technology demos I saw was the application of analytics, data mining and predictive algorithms to publicly available data on the internet, for instance about terrorists. It is now a well-known fact that many organizations act as fronts for terrorist organizations and are well masqueraded within hierarchies of valid and invalid organizations. Individuals working in these organizations may be connected to a banned organization. The data is organized by links and layers, and one can search for any organization to see if it is connected by any remote link to a terrorist organization.
So what do you think: is it time for security analytics in the personnel space? Or would there be privacy issues in this?
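The “links and layers” search described above is, at its core, a graph search: entities are nodes, relationships are edges, and the question is whether a path exists from a given organization or person to any node on a watch list. The following added example (mine, not the demo seen at Emtech and not any vendor’s product) shows that search as a breadth-first traversal over a constructed, entirely fictional set of relationships and a constructed watch list; it returns the actual chain of links, because a reviewer needs to see why a hit was raised rather than just that one was.

```python
from collections import deque

# Constructed, fictional relationship data: (subject, relation, object).
EDGES = [
    ("R. Kumar", "director_of", "Beta Logistics"),
    ("Beta Logistics", "supplier_to", "Alpha Trading Co"),
    ("Alpha Trading Co", "member_of", "Coastal Business Council"),
    ("Coastal Business Council", "funds", "Harbour Relief Trust"),
    ("Harbour Relief Trust", "front_for", "Banned Org X"),
    ("Gamma Textiles", "member_of", "Northern Chamber"),
    ("S. Mehta", "employee_of", "Gamma Textiles"),
]
FLAGGED = {"Banned Org X"}   # constructed watch list for the example


def build_graph(edges):
    """Undirected adjacency map: node -> {neighbour: relation label}."""
    g = {}
    for a, rel, b in edges:
        g.setdefault(a, {})[b] = rel
        g.setdefault(b, {})[a] = rel   # same label, read in the reverse direction
    return g


def connection_path(graph, start, flagged, max_hops=6):
    """Shortest chain of links from start to any flagged node within max_hops.

    Breadth-first search guarantees the first flagged node reached is the
    closest one. Returns the list of nodes on the path, or None.
    """
    if start not in graph:
        return None
    parent = {start: None}
    queue = deque([(start, 0)])
    while queue:
        node, depth = queue.popleft()
        if node in flagged:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        if depth == max_hops:          # bound the "remote link" distance
            continue
        for nxt in graph[node]:
            if nxt not in parent:
                parent[nxt] = node
                queue.append((nxt, depth + 1))
    return None


def explain(graph, path):
    """Render a path as analyst-readable link descriptions."""
    return [f"{a} --{graph[a][b]}--> {b}" for a, b in zip(path, path[1:])]


if __name__ == "__main__":
    g = build_graph(EDGES)
    for subject in ("R. Kumar", "S. Mehta"):
        path = connection_path(g, subject, FLAGGED)
        print(subject, "->", explain(g, path) if path else "no link within 6 hops")
```

Two design choices matter here. The hop limit is the policy knob: with the sample data R. Kumar is five relationships away from the flagged organization, and whether five hops counts as a “remote link” worth acting on is a judgement the analyst, not the algorithm, must make. And because the function returns the path rather than a boolean, every hit is reviewable evidence, which is the minimum that answers the privacy question the post ends on.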