Security by the Wall
Organizations have started to invest heavily in technology to help them scale their business. People are now aware of security issues that they are going to face and want to take preventive steps.
I recently had an interesting experience on my interaction with a prospect.I was there at the prospects place to understand and explain to them about managing and improving security. As we started the conversation, I realized the basic misconception about improving their security.
Read the excerpts from our conversation,
Mr.X: Ah well we need a firewall.
Mr.X: Ah well we need a firewall.
Mr.X: Well we want more security. We have couple of internet facing applications and creating more DMZ you see.
Me: But as per your network diagram you already have a firewall protecting your perimeter.
Mr. X: Yes, that is there, but we want to replace that coz it is no more supported version and want to add a few more.
Me: We will have to do a review of your network before we can exactly determine how many firewalls you will need.
Mr. X: Ah well you see time is a factor and I want this to happen quickly before our auditors come next month. I need to show them something. We will share with you the network diagram, and why don’t you have a look and recommend us by end of day.
Me: Yeah sure we will try to do that. But security is not always about adding devices to your network. You also need to periodically review your servers, firewalls, network devices and applications to ensure that they don’t have vulnerabilities that could be exploited by a potential hacker. Also it is a fact that 90% of the vulnerabilities are now discovered at the application level.
Mr.X: Well for the time being we are looking at firewalls maybe you can recommend,……(after a pause and deep thought) IDS.
The point that I want to make is; adding perimeter security devices alone will not help improve security. And why replace a device which is working just perfectly fine unless you have performance issues with the device or want to utilize the features offered by the newer versions. The other advantage that you have in retaining the old device is that all the vulnerabilities in that device are already exposed and you have patches/solutions/workarounds readily available to fix those vulnerabilities. Attackers will not continue to find loopholes in the older devices rather spend time to find loop holes in the newer devices. It is safer to be around with a known enemy than trying to befriend an unknown one.
In order to manage risks effectively you need to constantly review your policies, risk management methodology, systems and applications. This will ensure that the dynamics of the day-to-day business does not leave loop holes open for an intruder to just walk-in to your systems or network.
Aujas completes 2 years of successful operations
It gives us immense pleasure to inform you that Aujas successfully completes its second year of operations in February 2010.
The last 2 years have been a very interesting journey for us in a challenging economic environment marked by several ups and downs. Despite these circumstances, Aujas has managed to grow consistently.
A quick look back at the past 2 years highlights our commitment and focus to the Information Risk Management domain. Today we have grown to 55 employees with 70 customers from across 9 countries delivering over 100 projects with an active presence in 3 continents. We have added new services, repositioned our existing services and strengthened our team.
As we commence our third year, we will add more services to our Information Risk services portfolio and continue to our Information Risk services portfolio and continue our expnasion into international markets.
We would like to thank our customers, employees, partners, management team, Board and Advisory Board members for their continued support in scaling Aujas.
Warm Regards,
M Srinivas Rao
Co-Founder & CEO
Aujas @ CIO Year Ahead | 2010
We are just back from the “CIO – The Year Ahead” event organized by IDG Media. The event is a premier forward looking annual event for CIO’s in India. We had about ~ 90 CIO’s & IT Heads there to examine technology trends for the coming year.
The last CIO event was held at Singapore, but this time it was held in India - at the beautiful locale of Royal Palms, Bangalore. A very nice place and add to it the beautiful Bangalore weather. Maybe that explained the high turnout for the event by senior folks from the IT industry?
The keynote session was from Mr. B. S. Nagesh, MD of Shoppers Stop. It was probably the best presentation of the event. He spoke more from his heart than his head – challenging the present CIO’s on their next role in the organization.
As with all events there were a lot of sessions from industry folks and large technology companies - some good, some not so good. The recurrent theme was around SAAS, Cloud computing and virtualization. Reality or too much hype?
Aujas was one of the knowledge partners for the Security session. Sameer Shelke, co-founder & COO talked about “IT Risk Management – As the Economy Revives”.
He spoke about how organizations, when the economy revives, will start investing in new markets, employee growth and productivity. But along with planning for growth, companies need to seriously look at the key Information Risk as we plan for more growth. If this down-turn hopefully taught us anything, it would be to look at Risk a little more critically.
You can find a copy of his presentation online at http://www.aujas.com/presentations.html. Feel free to download the same and if you need any more information do drop a mail at contact@aujas.com.
It was a great event. Some of the discussions around lunch and dinner were obviously more interesting than some of the presentations on the stage. Thanks to all the CIO’s for making it an interesting event. Thanks also to IDG Media team from organizing a great event. We look forward to the next event.
Our Psychology and Security: The way we think
Annual Conference of ISACA (Information Systems Audit and Control Association), Mumbai Chapter was held at ITC Grand Maratha on 4th-6th September 2009. The theme for this year was “Success in the Challenging Times: Securing the Unsecured – Assurance beyond Audit.”
The conference featured executives from several leading public and private organizations for panel discussions and presentations. Sameer Shelke, co-founder & COO, represented Aujas and delivered a presentation on “Our Psychology & Security: The Way We Think" at the annual conference.
In his talk Sameer stressed on the thought process of people in dealing with IT risks.He drew an analogy with various reactions to the H1N1 epidemic, specifically of people and media to this “risk”.
The presentation highlighted the top 6 security weaknesses the companies have and the reasons for the same. His examples sent a clear message that people should correct and change their behavioral aspect to improve the IT risk and security posture of the respective organizations they work for.
The industry patrons applauded Sameer for his remarkable and meaningful presentation. “Sameer’s presentation was practically related with out of the box approach”, said Richard DeSouza, Head Operational Risk of Reliance Life Insurance Limited
To download a copy of Sameer’s presentation please click on http://www.aujas.com/presentations.html
Aujas achieves Indian Computer Emergency Response Team’s (CERT-IN) Empanelment
We are pleased to announce that Aujas has achieved the Indian Computer Emergency Response Team’s (CERT-In) empanelment as an IT Security Audit Organization. This empanelment comes across as another milestone in our journey to build a global company out of India and we are proud to have achieved this within 18 months of our operations.
Indian Computer Emergency Response Team CERT-In (www.
CERT-In Empanelment process:
CERT-In empanelment is a tough process and involves various procedures such as providing information, methodologies, case studies, skills and profiles. It also includes a 2 stage qualifying test – an offline and online test to assess applications both in the offline and web environment. The selection process includes various challenges from identifying, exploiting and reporting vulnerabilities. The report will be reviewed by a panel of Security experts and then the empanelment is awarded.
For more details about the empanelment, visit: http://www.aujas.com/press_cert.html
We are happy to be amongst the list of emplaned organizations and look forward to working with various government and PSU entities
Regards
Team Aujas
IT Amendment Act, 2008- An act to amend the IT Act 2000
The Information Technology (Amendment) Act, 2008 an act to amend the IT Act 2000 received the assent of the President on 5th February 2009. Several legal & security experts are in the process of analyzing the contents and possible impacts of the amendments. The objective of this note is to try and study the possible implications and impacts on Indian companies. This note is not intended to be a comprehensive analysis of the amendments, but only certain key points which could impact Indian Companies.
- Data Protection
The IT Act 2000 did not have any specific reference to Data Protection, the closet being a provision to treat data vandalism as an offence. The Government introduced a separate bill called “Personal Data Protection Act 2006” which his pending in the Parliament and is likely to lapse. The ITA 2008 has introduced two sections which address Data Protection aspects to an extent, which gives rise to certain key considerations for the sector.
The sections under consideration are:
- Section 43A: Compensation for failure to protect data
- Section 72A: Punishment for disclosure of information in breach of lawful contract
Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation, to the person so affected.
By way of explanation: “Body corporate means Indian companies”
“Reasonable security practices mean a mutual contract between the customer and service provider OR as per the specified law. In absence of both then as specified by the Central Government”
Hence it would be important for Indian companies to seriously look at SLA’s and agreements which have been signed with clients to understand the data protection implications. The same goes for understanding the applicable laws.
A major modification is that this clause doesn’t mention the compensation limit of Rs. 1 Crore which was there as part of section 43 of the ITA 2000. This implies that there is no upper limit for damages that can be claimed. This essentially is “unlimited liability” for Indian companies, which could cause serious business implications.
Section 72A:
Under this section disclosure without consent exposes a person including an "intermediary" to three years improsonment of fine upto Rs. Five lacs or both.
This section uses the term “personal information” and not “sensitive personal information” as in section 43A. Hence it could apply to any information which is obtained in order to deliver services. Hence in some ways broadens the definition of information.
2. Information Preservation
e.g. Section 67C: Preservation and Retention of information by intermediaries.
Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe”. Any intermediary who intentionally or knowingly contravenes the provisions shall be punished with an imprisonment for a term which may extend to 3 years and shall also be liable to fine.
The notifications on time for preservation etc. are not yet released. However since this is a “cognizable” offence any police inspector can start investigations against the CEO of a company.
Apart from the two aspects discussed in this note, there are other areas which could also be considerations for E.g.
Sec 69: Power to issue directions for interception or monitoring or decryption of any information through any computer resource.
Sec 69B: Power to authorize to monitor and collect traffic data or information through any computer resource for Cyber Security.etc.
In summary, IT Risk management and response needs to be looked at by all companies for various reasons including customer assurance, compliance, customer regulations, protection of information assets etc. The ITA 2008 amendments provide us with few additional factors for considerations which could have significant impact on business. Information technology regulations and laws would only get more stringent and defined; hence it’s imperative for organizations to be aware and prepared.
It’s raining in Cloud?
Today’s recessionis pushing the business to move to cloud which can convert the CapEx cost toOpEx cost. Here is a glimpse of latest security news from Google Docs.
“We’ve identified and fixed a bug where a very small percentage of usersshared some of their documents inadvertently.”
“We’re sorry for the trouble this has caused. We understand our users’concerns (in fact, we were affected by this bug ourselves) and we’re treatingthis very seriously.”
This is a serious threat to privacy and trust. Think about abusiness confidential document shared with a competitor? Who will takeownership of the losses incurred? The issueindicates how dangerous cloud can be.
Security is the biggest factor that prevents organizations fromadopting cloud, but this did not stop the companies from building products thatare less secured. Google’s issue is very simple fundamental design issue. Tounderstand it lets see the three fundamental security design patterns.
- Single Access Point
- Authenticationand Authorization Point
- User-Role-Privilege
The Single Access Point pattern was implemented but the second and third patterns have been buggy that allowed people to view all the documents. As always security is an afterthought. The lack of security awareness and not following Secure SDLC will cause havoc in cloud computing business.
The only solution would be to bring in security standards, audits and publically present this information. It's really raining out there in cloud just an umbrella cannot help.
Is it time for Security Analytics
Few weeks ago, as part of the DSCI Bangalore Chapter (http://www.dsci.in) one of the Business Leader presented his security concerns of his organizations. When asked what is the one problem that security professionals need to address, he said, the information about people behavioral aspects in terms of security. How does one gather and share the information ? How does one do background checks on the people. He felt and I agree that people are the weakest link and if there is a way to figure out the behavioral patterns than that would help control security incidence.
Cut to last week I attended Emtech 2009 (http://www.emtechindia.in/) a premier technology conference in India. Lot of interesting technologies from Biofuel to stem cell to Nano. One of the interesting and relevant technology demos that I saw was implementation of Analytics, data mining and predictive algorithms to publicly available data on internet say terrorists. For example it is now well known fact that many organizations act as front of terrorist organizations and they are well masqueraded in terms hierarchies of valid and invalid organizations. Individuals working in these organizations may be connected to banned organization. The data is then organized by links and layers and one can do a search on any organization to see if they are connected by any remote link to terrorist organization.
So what do you think is it time for security analytics in personnel space ? or there would privacy issues in this ?
Dr.C S Rao joins Aujas Advisory Board
We are pleased to announce the joining of Dr.C S Rao on the Aujas advisory board. The existing Advisory board includes Mr.Lalit Sawhney, Mr.M S Rangaraj, Mr.Charbel Bachaalani, Mr.M Chandrasekaran and Dr Rao would be the latest addition to it.
As part of Aujas advisory board, Dr.C S Rao would guide Aujas on the Telecom Security domain. Telecom security is considered as one of the fastest growing Security domain given the increasing ubiquity and complexity of converged networks and dependence on telecom infrastructure to run business operations.
Dr. C. S. Rao is an industry veteran with a career experience of over 25 years spanning Telecom, R&D and technology, in the management functions and currently he is the Managing Director at Intel and also the spear heads the Wimax Program 2008 initiative at Intel. His career spans successful stints with large blue chip companies like British Telecom (India), Lucent India as the Managing Director and Tellabs India as President and CEO. He was also among the core team of founders at CDOT and currently is the Chairman of the WIMAX forum, India Chapter.
Some of his career highlights include, pioneering the concept of 21st century NW for BT India, the first ever nationwide MDN network launch in India and played a significant role in the first ever ISDN in India in 1989. He was also responsible for the roll out of the first largest CDMA Network in India for 30 million subscribers at Reliance telecom. He established $2b (Rs 8000 crore) Telecom Network Infrastructure in India through Tellabs (USA), LUCENT(USA) and BT(USA).
His career includes various accolades towards his contributions which include the Business leadership award from ASSOCHAM, NRDC award from the President of India, Innovation, Leadership and Achievement award from Tellabs and Lucent USA.
For more details about the Advisory board please check our webpage http://www.aujas.com/advisory_team.html
We welcome him on our Advisory board and wish him all the best in our journey together.
Srinivas Rao
Chief Executive Officer
Applications Downloads – Are they from trusted websites?
Most organizations today have allowed employees to download software from websites, and has become a routine with most. Generally it’s the admin or the user who downloads the software’s and installs them, failing to verify the authenticity of the website, from which it is being downloaded; even the experienced administrators fail to do so.
As you all know it’s easy to create a binary for open source software’s as the code is readily available. But there are also ways to alter a binary file without the code. A binary file could be altered to perform various other tasks. In windows a good win32 programmer can easily hijack the code. In theory the data and other sensitive information can be easily stolen. Even your antivirus can not detect this kind of attack.
Take example of a sample attack for win32 program:
Open any win32 application with a debugger. These debuggers have sophisticated ways to identify the system calls. It’s a no brainer for a windows programmer to identify the system calls and add break point to trace the exact location. Using this tool, we can exactly decide where we need to hijack to accomplish a certain task.
Once decided the place to hack, we need to decide where to place the hack code inside the binary. As per windows PE format the binary is organized as sections whose size is the multiple of file alignment value. So there is a high chance that we can always find some free space inside the segments to place our hack code. Use the Portable Executable (PE) identification tools to see the segments.
Open the EXE in hex editor, a powerful one like Hiew and change the API call that we identified to jump to a free location where we would write our new functionality. At the end, the function jumps back to the original location to continue the execution of the program. You can also call an external file to accomplish more work.
Either open source or binaries are susceptible to the same attacks. It’s always advised to download software from a trusted site and also make it a practice to download and verify the checksums of the software from an official website.
Build security in your organization: From process to application…
