Aujas Blog

Addressing Phishing Risk


Phishing and Social Engineering have been a growing concern. The latest Phishing Activity Trends Report for Q4 2009 from the Anti-Phishing Working Group (APWG) shows alarming figures for increasingly sophisticated phishing attacks. As per the report, the financial services industry has again topped all targeted sectors in Q4.

Anti-Phishing Working Group (APWG) Chairman Dave Jevans said, “Spear-phishing and whale-phishing, where targeted individuals inside of corporations, or of high net worth, appeared to be increasing. Phishers and malware attackers are sending emails to individuals in a highly targeted fashion, attempting to gain access to corporate online banking systems, corporate VPN networks, and other online resources.”

Consider this scenario: an organization has perimeter security configured, with multiple detective controls such as IDS, IPS and firewalls deployed. Still, an employee receives an email with an embedded link that points to a malicious website. Once lured to this website, the unwitting employee is exposed to an array of risks.

One such risk is that crimeware (software designed with the intent of collecting end-user information to steal credentials) or other malware is downloaded and installed on the local system without the user’s consent. Once installed, it may allow scammers to compromise other network systems, steal sensitive information, create backdoors inside the corporate network, and so on. Another significant risk is a website that attempts to sway the recipient into revealing personal information or credentials for corporate online applications. Such mails are often pictured as coming from a trusted source such as the HR or IT department or an outsourcing partner, and reuse legitimate layout, graphics, links and content to look like the original website.

Most of the time it is very difficult to determine the source of a phishing attack, because a well orchestrated phishing attack exploits the weak links in People, Process and Technology inside an organization in order to succeed. Most worrying, there are no quick fixes or magic tools that will mitigate phishing risk overnight. So how would you address the Phishing Risk?

Organizations can adapt the Deming Cycle [Plan-Do-Check-Act] to counter phishing attacks, and their posture will improve over a period of time. Steps to follow:

  1. Understand the current level of preparedness of employees and define a strategy to address the gap [Plan]

  2. Implement policies, procedures and an incident response plan to guide employees on “How to identify phishing websites” and “What to do” when phishing attacks actually occur [Do]

  3. Conduct drills periodically to check the readiness of employees against phishing attacks and determine who is vulnerable [Check]

  4. Provide awareness training to vulnerable users, and regularly update all employees on new threats and techniques used by phishers through every available means of communication [Act]


In summary, the message is very clear: the key to protecting oneself is continuous education and awareness. Organizations should start working on employee education now; it is the better cure.

Is your organization ready to fight against Phishing Risks?


Security by the Wall

Organizations have started to invest heavily in technology to help them scale their business. People are now aware of security issues that they are going to face and want to take preventive steps.

I recently had an interesting experience during an interaction with a prospect. I was at the prospect’s office to understand their situation and explain to them how to manage and improve security. As we started the conversation, I realized the basic misconception they had about improving their security.

Read the excerpts from our conversation,

Mr.X: Ah well we need a firewall.
Mr.X: Well we want more security. We have couple of internet facing applications and creating more DMZ you see.
Me: But as per your network diagram you already have a firewall protecting your perimeter.
Mr. X: Yes, that is there, but we want to replace that coz it is no more supported version and want to add a few more.
Me: We will have to do a review of your network before we can exactly determine how many firewalls you will need.
Mr. X: Ah well you see time is a factor and I want this to happen quickly before our auditors come next month. I need to show them something. We will share with you the network diagram, and why don’t you have a look and recommend us by end of day.
Me: Yeah sure we will try to do that. But security is not always about adding devices to your network. You also need to periodically review your servers, firewalls, network devices and applications to ensure that they don’t have vulnerabilities that could be exploited by a potential hacker. Also it is a fact that 90% of the vulnerabilities are now discovered at the application level.
Mr.X: Well for the time being we are looking at firewalls maybe you can recommend,……(after a pause and deep thought) IDS.

The point that I want to make is this: adding perimeter security devices alone will not improve security. And why replace a device which is working perfectly well, unless you have performance issues with it or want to use the features offered by the newer version? The other advantage of retaining the old device is that its vulnerabilities are already known and you have patches, solutions or workarounds readily available to fix them. Attackers do not keep looking for loopholes in older devices; they spend their time finding loopholes in the newer ones. It is safer to be around a known enemy than to try to befriend an unknown one.

In order to manage risks effectively you need to constantly review your policies, risk management methodology, systems and applications. This ensures that the dynamics of day-to-day business do not leave loopholes open for an intruder to simply walk into your systems or network.


Aujas completes 2 years of successful operations



It gives us immense pleasure to inform you that Aujas successfully completes its second year of operations in February 2010.

The last 2 years have been a very interesting journey for us in a challenging economic environment marked by several ups and downs. Despite these circumstances, Aujas has managed to grow consistently.

A quick look back at the past 2 years highlights our commitment and focus to the Information Risk Management domain. Today we have grown to 55 employees with 70 customers from across 9 countries delivering over 100 projects with an active presence in 3 continents. We have added new services, repositioned our existing services and strengthened our team.

It is gratifying that our customers have seen immense value in what we have delivered and most customers have come back to us, reaffirming their trust in us.

As we commence our third year, we will add more services to our Information Risk services portfolio and continue our expansion into international markets.

We would like to thank our customers, employees, partners, management team, Board and Advisory Board members for their continued support in scaling Aujas.

Warm Regards,
M Srinivas Rao
Co-Founder & CEO


Aujas @ CIO Year Ahead | 2010

We are just back from the “CIO – The Year Ahead” event organized by IDG Media. The event is a premier forward-looking annual event for CIOs in India. About 90 CIOs and IT Heads were there to examine technology trends for the coming year.

The last CIO event was held in Singapore, but this time it was held in India, at the beautiful locale of Royal Palms, Bangalore. A very nice place, and add to it the beautiful Bangalore weather. Maybe that explained the high turnout of senior folks from the IT industry?

The keynote session was by Mr. B. S. Nagesh, MD of Shoppers Stop. It was probably the best presentation of the event. He spoke more from his heart than his head, challenging the present CIOs on their next role in the organization.

As with all events there were a lot of sessions from industry folks and large technology companies, some good, some not so good. The recurrent theme was SaaS, cloud computing and virtualization. Reality or too much hype?

Aujas was one of the knowledge partners for the Security session. Sameer Shelke, co-founder & COO talked about “IT Risk Management – As the Economy Revives”.



He spoke about how organizations, when the economy revives, will start investing in new markets, employee growth and productivity. But along with planning for growth, companies need to look seriously at the key Information Risks that come with it. If this downturn taught us anything, it would be to look at risk a little more critically.

You can find a copy of his presentation online at http://www.aujas.com/presentations.html. Feel free to download the same and if you need any more information do drop a mail at contact@aujas.com.

It was a great event. Some of the discussions over lunch and dinner were, obviously, more interesting than some of the presentations on stage. Thanks to all the CIOs for making it an interesting event, and thanks to the IDG Media team for organizing it. We look forward to the next one.


The Long Tail of Security

Background

“The Long Tail” is a concept put forth by Chris Anderson which describes the niche strategy of businesses, such as Amazon.com or Netflix, that sell a large number of unique items, each in relatively small quantities. Anderson elaborated the Long Tail concept in his book The Long Tail: Why the Future of Business Is Selling Less of More.

Anderson argued that products that are in low demand or have low sales volume can collectively make up a market share that rivals or exceeds the relatively few current bestsellers and blockbusters, if the store or distribution channel is large enough. Research showed that a significant portion of Amazon.com's sales come from obscure books that are not available in brick-and-mortar stores. The Long Tail is a potential market and, as the examples illustrate, the distribution and sales channel opportunities created by the Internet often enable businesses to tap that market successfully.

Application to Security

In the risk management or security world we focus on the “head”: the common or major risks we face, or hear that others have faced. Needless to say, all our protection efforts and postures are deployed against these “head risks”, and rightly so. For example, when we decide to put applications or services on the Internet, we ensure we protect them against risks such as the OWASP Top 10 vulnerabilities, malware, infrastructure weaknesses and so on. Content security aspects such as spam filtering and antivirus become “head risks” when we talk of email systems.

Time and again we are faced with risks which lie in the “long tail”, which we had not thought of or heard of. For example, terrorists hacked into the home WiFi network of Keith Heywood in Mumbai and sent out an email about their impending attack minutes before 19 explosions killed 49 and wounded more than 200 people in Ahmedabad. Since then WiFi access point security has received attention everywhere, with the Mumbai Police now planning to test open WiFi access points across the city and issue notices and citations to users found running open access points. Suddenly WiFi access point security has moved from the “long tail” to the “head”, with everyone talking about it and taking appropriate protection measures.

The question which challenges us is whether we will face a situation where it is said that “We were attacked more today through vulnerabilities that were not exploited at all until yesterday than through those that were”, much like what Amazon said about the Long Tail.
Sounds complex, doesn’t it? Well, we are already facing this issue: “How do we protect ourselves against those seemingly obscure risks which might suddenly become important?”

The answer is not simple, and its implementation is possibly more difficult. What is required is a comprehensive risk management framework which helps us identify our assets, their weaknesses, the probability of attack and hence the risk. We should also consider our current security posture and then the residual risk. What is critical is that this framework needs to be “live” and “in use” all the time; doing it once will not help. It should be part of the normal business function, so that it helps us identify new or modified risks continuously.

We can never say we are 100% safe and protected; what we owe to ourselves and our business is to do all we can to protect our information technology assets.


Our Psychology and Security: The way we think

The Annual Conference of ISACA (Information Systems Audit and Control Association), Mumbai Chapter, was held at ITC Grand Maratha on 4th-6th September 2009. The theme for this year was “Success in the Challenging Times: Securing the Unsecured – Assurance beyond Audit.”

The conference featured executives from several leading public and private organizations for panel discussions and presentations. Sameer Shelke, co-founder & COO, represented Aujas and delivered a presentation on “Our Psychology & Security: The Way We Think” at the annual conference.

 

In his talk Sameer stressed the thought process of people in dealing with IT risks. He drew an analogy with the various reactions to the H1N1 epidemic, specifically those of the public and the media to this “risk”.

 

The presentation highlighted the top six security weaknesses companies have and the reasons for them. His examples sent a clear message that people should correct and change their behavior to improve the IT risk and security posture of the organizations they work for.

The industry patrons applauded Sameer for his remarkable and meaningful presentation. “Sameer’s presentation was practically related with out of the box approach”, said Richard DeSouza, Head Operational Risk of Reliance Life Insurance Limited.

To download a copy of Sameer’s presentation, please visit http://www.aujas.com/presentations.html


Aujas achieves Indian Computer Emergency Response Team’s (CERT-IN) Empanelment

We are pleased to announce that Aujas has achieved the Indian Computer Emergency Response Team’s (CERT-In) empanelment as an IT Security Audit Organization. This empanelment is another milestone in our journey to build a global company out of India, and we are proud to have achieved it within 18 months of starting operations.

The Indian Computer Emergency Response Team, CERT-In (www.cert-in.org.in), is a national initiative to tackle emerging challenges in the area of information security and country-level security risks and vulnerabilities. CERT-In is coordinated by the Department of Information Technology, Ministry of Communications and Information Technology, Government of India, in cooperation with several agencies in government, academia and industry.

CERT-In Empanelment process:

CERT-In empanelment is a tough process and involves various procedures such as providing information, methodologies, case studies, skills and profiles. It also includes a two-stage qualifying test, an offline test and an online test, to assess applications in both the offline and web environments. The selection process includes various challenges covering identifying, exploiting and reporting vulnerabilities. The report is reviewed by a panel of security experts and then the empanelment is awarded.

 

For more details about the empanelment, visit: http://www.aujas.com/press_cert.html

We are happy to be among the list of empanelled organizations and look forward to working with various government and PSU entities.

Regards

Team Aujas


IT Amendment Act, 2008 - An Act to amend the IT Act 2000

The Information Technology (Amendment) Act, 2008, an act to amend the IT Act 2000, received the assent of the President on 5th February 2009. Several legal and security experts are in the process of analyzing the contents and possible impacts of the amendments. The objective of this note is to study the possible implications and impacts on Indian companies. It is not intended to be a comprehensive analysis of the amendments, but covers only certain key points which could impact Indian companies.

  1. Data Protection

The IT Act 2000 did not have any specific reference to Data Protection, the closest being a provision to treat data vandalism as an offence. The Government introduced a separate bill called the “Personal Data Protection Act 2006”, which is pending in Parliament and is likely to lapse. The ITA 2008 has introduced two sections which address Data Protection to an extent, and which give rise to certain key considerations for the sector.

The sections under consideration are:

  • Section 43A: Compensation for failure to protect data
  • Section 72A: Punishment for disclosure of information in breach of lawful contract

Section 43A states:

“Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation, to the person so affected.”

By way of explanation: “Body corporate” means Indian companies.

“Reasonable security practices” means a mutual contract between the customer and the service provider, OR as per the specified law; in the absence of both, as specified by the Central Government.

Hence it would be important for Indian companies to look seriously at the SLAs and agreements they have signed with clients to understand the data protection implications. The same goes for understanding the applicable laws.

A major modification is that this clause does not mention the compensation limit of Rs. 1 Crore which was part of section 43 of the ITA 2000. This implies that there is no upper limit on the damages that can be claimed. This is essentially “unlimited liability” for Indian companies, which could have serious business implications.

Section 72A:

Under this section, disclosure without consent exposes a person, including an “intermediary”, to three years’ imprisonment or a fine of up to Rs. five lakh, or both. This section uses the term “personal information” and not “sensitive personal information” as in section 43A. Hence it could apply to any information obtained in order to deliver services, which in some ways broadens the definition of information.

  2. Information Preservation

Across the amendments there are several references to “service providers” or “intermediaries”, which in some form would apply to all Indian companies.

e.g. Section 67C: Preservation and Retention of information by intermediaries.

“Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.” Any intermediary who intentionally or knowingly contravenes the provisions shall be punished with imprisonment for a term which may extend to 3 years and shall also be liable to a fine.

The notifications on the period of preservation etc. have not yet been released. However, since this is a “cognizable” offence, any police inspector can start investigations against the CEO of a company.

Apart from the two aspects discussed in this note, there are other areas which could also be considerations, e.g.:

Sec 69: Power to issue directions for interception or monitoring or decryption of any information through any computer resource.

Sec 69B: Power to authorize the monitoring and collection of traffic data or information through any computer resource for Cyber Security, etc.

In summary, IT risk management and response need to be looked at by all companies for various reasons, including customer assurance, compliance, customer regulations and protection of information assets. The ITA 2008 amendments provide a few additional factors for consideration which could have a significant impact on business. Information technology regulations and laws will only get more stringent and better defined; hence it is imperative for organizations to be aware and prepared.


It’s raining in the Cloud?

Today’s recession is pushing businesses to move to the cloud, which can convert CapEx cost into OpEx cost. Here is a glimpse of the latest security news from Google Docs.

“We’ve identified and fixed a bug where a very small percentage of users shared some of their documents inadvertently.”

“We’re sorry for the trouble this has caused. We understand our users’ concerns (in fact, we were affected by this bug ourselves) and we’re treating this very seriously.”

This is a serious threat to privacy and trust. Think about a business-confidential document shared with a competitor. Who will take ownership of the losses incurred? The issue indicates how dangerous the cloud can be.

Security is the biggest factor that prevents organizations from adopting the cloud, but this has not stopped companies from building products that are less secure. Google’s issue is a simple, fundamental design issue. To understand it, let us look at three fundamental security design patterns.

  • Single Access Point

  • Authentication and Authorization Point

  • User-Role-Privilege

The Single Access Point pattern was implemented, but the second and third patterns were buggy, which allowed people to view all the documents. As always, security is an afterthought. The lack of security awareness and not following a Secure SDLC will cause havoc in the cloud computing business.
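To make the three patterns concrete, here is an added Python illustration of a toy document-sharing service. It is not Google’s code and does not reconstruct the actual Google Docs bug; the class and function names (DocumentService, Role, list_visible, list_all_insecure), the token-based session handling and the sample users and documents are all constructed for this example. Every per-document action enters through one method (Single Access Point), which authenticates the caller and checks the document’s ACL before doing anything (Authentication and Authorization Point), and privileges are attached to roles rather than to users (User-Role-Privilege). A deliberately defective listing function that skips the ACL is included to show how one bypass of the authorization point exposes every document to any logged-in user, which is the failure mode the post describes.

```python
"""Three access-control design patterns applied to a toy document-sharing service.

Constructed illustration: not Google's code and not a reconstruction of the
actual Google Docs bug.
  1. Single Access Point: every document action enters through handle().
  2. Authentication and Authorization Point: handle() resolves the session to a
     user and calls _authorize() before any document is touched.
  3. User-Role-Privilege: each document's ACL maps a user to one role; roles map
     to fixed privilege sets. Privileges are never attached to users directly.
"""
from dataclasses import dataclass, field
from enum import Enum


class Role(Enum):
    OWNER = "owner"
    EDITOR = "editor"
    VIEWER = "viewer"


# Pattern 3: role -> privileges. Only the owner may share a document.
ROLE_PRIVILEGES = {
    Role.OWNER: frozenset({"read", "write", "share"}),
    Role.EDITOR: frozenset({"read", "write"}),
    Role.VIEWER: frozenset({"read"}),
}


class AccessDenied(Exception):
    pass


@dataclass
class Document:
    doc_id: str
    content: str
    acl: dict = field(default_factory=dict)  # user_id -> Role


class DocumentService:
    def __init__(self):
        self._docs = {}
        self._sessions = {}  # token -> user_id (constructed stand-in for a session store)

    def login(self, user_id, token):
        """Constructed stand-in for real authentication."""
        self._sessions[token] = user_id

    def create(self, token, doc_id, content):
        user = self._authenticate(token)
        self._docs[doc_id] = Document(doc_id, content, acl={user: Role.OWNER})

    # Pattern 2: authentication and authorization point.
    def _authenticate(self, token):
        user = self._sessions.get(token)
        if user is None:
            raise AccessDenied("not authenticated")
        return user

    def _authorize(self, user, doc, privilege):
        role = doc.acl.get(user)  # no ACL entry -> no role -> denied (default deny)
        if role is None or privilege not in ROLE_PRIVILEGES[role]:
            raise AccessDenied(f"{user} lacks '{privilege}' on {doc.doc_id}")

    # Pattern 1: single access point for every per-document action.
    def handle(self, token, action, doc_id, **kwargs):
        user = self._authenticate(token)
        doc = self._docs.get(doc_id)
        if doc is None:
            raise AccessDenied("no such document")  # same error type: don't reveal existence
        if action == "read":
            self._authorize(user, doc, "read")
            return doc.content
        if action == "write":
            self._authorize(user, doc, "write")
            doc.content = kwargs["content"]
            return True
        if action == "share":
            self._authorize(user, doc, "share")
            new_role = Role(kwargs["role"])
            if new_role is Role.OWNER:
                raise AccessDenied("ownership is not granted through share")
            doc.acl[kwargs["with_user"]] = new_role
            return True
        raise AccessDenied(f"unknown action {action!r}")

    def list_visible(self, token):
        """Documents the caller may read: the listing is filtered through the ACL."""
        user = self._authenticate(token)
        return sorted(d.doc_id for d in self._docs.values() if user in d.acl)

    def list_all_insecure(self, token):
        """Constructed defect for contrast: authenticates the caller but never
        consults the ACL, so any logged-in user enumerates every document."""
        self._authenticate(token)
        return sorted(self._docs)


def demo():
    """Two constructed users and documents; returns what each listing shows bob."""
    svc = DocumentService()
    svc.login("alice", "tok-a")
    svc.login("bob", "tok-b")
    svc.create("tok-a", "q3-plan", "constructed confidential content")
    svc.create("tok-b", "bob-notes", "bob's own notes")
    before = svc.list_visible("tok-b")       # ['bob-notes']
    leaked = svc.list_all_insecure("tok-b")  # ['bob-notes', 'q3-plan']
    svc.handle("tok-a", "share", "q3-plan", with_user="bob", role="viewer")
    after = svc.list_visible("tok-b")        # ['bob-notes', 'q3-plan']
    return before, leaked, after


if __name__ == "__main__":
    print(demo())
```

The design point is that the ACL check lives in exactly one place and every code path is forced through it; list_all_insecure shows that a second path which authenticates but does not authorize is enough to expose documents that were never shared, regardless of how correct the main path is.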

The only solution would be to bring in security standards and audits and to publicly present this information. It's really raining out there in the cloud; an umbrella alone cannot help.


Is it time for Security Analytics?

A few weeks ago, as part of the DSCI Bangalore Chapter (http://www.dsci.in), one of the business leaders presented the security concerns of his organization. When asked what is the one problem that security professionals need to address, he said: information about the behavioral aspects of people in terms of security. How does one gather and share that information? How does one do background checks on people? He felt, and I agree, that people are the weakest link, and if there were a way to figure out behavioral patterns then that would help control security incidents.

Cut to last week: I attended Emtech 2009 (http://www.emtechindia.in/), a premier technology conference in India. Lots of interesting technologies, from biofuel to stem cells to nano. One of the interesting and relevant technology demos that I saw was the application of analytics, data mining and predictive algorithms to publicly available data on the internet, say about terrorists. For example, it is now a well known fact that many organizations act as fronts for terrorist organizations and are well masqueraded in hierarchies of valid and invalid organizations. Individuals working in these organizations may be connected to a banned organization. The data is then organized by links and layers, and one can search on any organization to see if it is connected by any remote link to a terrorist organization.

So what do you think: is it time for security analytics in the personnel space? Or would there be privacy issues in this?

