Amazon EC2 Failures Are a Wakeup Call for Cloud Customers

Early in the morning of April 21, Amazon’s EC2 data center in Virginia crashed, bringing down with it several popular websites, small businesses and social networking providers.

The strange fact is that even this outage does not breach the 99.55% availability defined in the SLA (Service Level Agreement). Let us put aside the other aspects and focus on Cloud services and the new generation of programmers and businesses who use these services. Though the SLA leads to quite an interesting debate, we will leave that to the legal experts.

More often than not, when we discuss building applications in the Cloud, the basic assumption is that of 24×7 service availability. While Cloud service providers strive to live up to this expectation, the onus of designing a system resilient to failures is on the application architects. On the other hand, SLA-driven approaches are very reactive in nature. In a pure sense, SLAs are just a means of trust between the user and the service provider. The fact is that SLAs can never repay losses. It is up to the Architect and the CIO to build systems that tolerate such risks (Cloud system failures, connectivity failures, SLAs, etc.).

With Cloud infrastructure, we end up building traditional systems that are tightly coupled and hosted without taking advantage of the availability factor. These shortcomings may be part and parcel of the software world, where functionality takes precedence over all other aspects, but such tolerance cannot be expected in the Cloud paradigm. A failure on the part of the Cloud service provider will bring down the business, and getting the data back becomes a nightmare when all the affected businesses are trying to do the same.

Accommodating and managing these factors is a business risk which needs to be identified. Businesses that do not envision these risks are sure to suffer large-scale losses. The truth is that building such resilient systems is not a very complex task. The basics of all software principles have remained the same whether systems are built for the Cloud or for enterprise-owned hardware. Mitigating as many risks as possible requires that several basic design and business decisions be made – while considering the software provider – such as:

  • Loosely couple the application
  • Make sure the application follows “Separation of Concerns”
  • Distribute the applications
  • Backup application & user data
  • Setup DR sites with a different Cloud service provider

These decisions involve software that follows these basic designs, and business decision managers who identify various service providers to mitigate such risks. Cloud services will force business managers to accept that availability should not and cannot be taken for granted.

These failures will not stop the adoption of the Cloud, but they will make customers aware of the potential risks and mitigation plans. A Cloud failure has a serious impact on the CTO/CIO and the operations head. In a non-Cloud model, the CIO’s role has been noted as very limited, and the CIO’s interaction with the CTO in everyday business is much less. These two executives need to work more closely to protect the business and reduce risk.

The best practices for the Cloud application builders are:

  • Build Cloud applications, not applications in the Cloud
  • Design fault tolerant systems, wherein nothing fails
  • Design for scalability
  • Loosely couple application stacks (IOC)
  • Design for dynamism
  • Design distributed
  • Build security into every component

The best practices are necessary for all the architects who build Cloud applications. Do not simply port a traditional application to the Cloud. They are architecturally different and will not take advantage of the underlying services – and most often – will result in failure.

Remember “Everything fails, all the time.” It is time to think and manage risks and not let the SLA stare at you when you are losing business. Be proactive; build Cloud-friendly applications.

The new world on Cloud looks more promising than ever. However, failures can make us realize that functionality without proper foundation and thought process can have serious repercussions. It is essential for every business to review their risks and redefine their new perimeter in the Cloud.

Phishers Target Social Media, Are you the Victim?

Social Media has been the buzzword recently. While I am writing this post, there are more than 500 million active users accessing Facebook, and 50% of active users log on to Facebook at least once a day from their office, home, coffee shop, school, or while on the move. Today most organizations have an active presence on LinkedIn, Facebook or Twitter. Social Media has emerged as an effective marketing tool to engage with a mass audience. As Natalie Petouhoff, Senior Researcher with Forrester Research Inc, said, “Social media isn’t a choice anymore – it’s a business transformation tool”.

The advent of new means of communication opens new channels for scammers to conduct social engineering attacks. Scammers have started using Social Media as a prominent way to retrieve vital information from users. They also use malware written specifically for social networks for financial gain. Messages or web links coming from immediate connections on Facebook or Twitter make users believe that they are genuine and that there is nothing wrong with clicking them. Scammers leverage this fact and exploit human traits like greed, trust, fear and curiosity to conduct a wide variety of phishing attacks. As per the latest Anti-Phishing Q2 2010 Report, there is a definite rise in social networking phishing attacks: such attacks accounted for nearly 3 percent of reported attacks in Q2, up from an almost negligible share in Q1 of 2010.

Any currently hyped political situation, news story, video or mishap is good enough to make the user click on the link and be redirected to the desired (malicious) website. The message is crafted to pull at your curiosity, or it is made strong enough to create sympathy for people affected by a tragedy. It is very unlikely that you have not seen these kinds of messages on your wall or Twitter box:

“Did you see how will u look like in 20 years from now? lol: http://bit.ly/gbdhuD”

“They need your help, Pls donate http://ntbnking.lnkd.it/jpn/donation”

“Hey, I am your old college mate! Just joined your company, Why not reconnect? – http://biz.ty/23424”

“I bumped into some of your old friends the other day; they wanted me to send you this – http://facebooklink”

The above websites could be asking for your net-banking credentials for a donation to affected people, sensitive information about your organization, or any other personal information which is valuable to scammers. Clicking such a link can also download malware or a virus onto your system and compromise it. Many times, scammers target one social networking user account, compromise it using a script, and the same script then propagates to his or her friends’ accounts. This is better known as self-replicating malware, which exploits application vulnerabilities like unvalidated redirects, clickjacking and cross-site request forgery to spread across multiple user accounts. For mobile users it becomes even worse, as it is not easy to verify the authenticity of URLs.

I am sure you will agree that it is not easy to stop the use of social media completely, even though there are definite risks involved. Organizations need to look beyond traditional technology controls, as continuous education and awareness is the only solution to fight against phishing attacks.

An organization can take the following steps to fight against phishing attacks:

  1. Establish a social media strategy. Clearly document and enforce what is and is not allowed to be discussed and disclosed on social networking sites.
  2. Conduct social media awareness programs which cover the rewards and risks of social media. They should also cover how to identify phishing websites and differentiate between an original and a fraudulent website.

As an employee, the following best practices can be adopted to avoid becoming prey to phishing attacks:

  1. Never click on a link or a bookmark which is associated with financial transactions or asks for any sensitive information; instead, always make it a practice to manually type the URL in the address bar.
  2. Do not click on links which ask to download ActiveX or other software onto your system, as they could be a Trojan or malware which later becomes the control center for remotely controlling your system and other systems inside the network.
  3. Ensure that the site is authentic and uses a secure connection (HTTPS) before providing any sensitive information about yourself or your organization.
  4. Report suspected links to the internal security team as well as to the social networking site concerned, so that they can work with the hosting provider to bring down the phishing website.

Both the organization and its employees have to play their part to fight against phishing risks over Social Media.

Curbing Access Risk: Role Based Access Governance

Access risk has until now been viewed as an intrinsic risk that organizations could do little to prevent, but my recent findings made me realize that there is more to it than meets the eye. Access risk is defined as “risks related to unauthorized or inappropriate access”. The Verizon Business 2010 research report reveals the importance of curbing insider access risks and highlights that the percentage of breaches that involved insiders increased 26% over the previous year (48%).

While access risk continues to be a challenge, organizations can curb it by taking a few preventive measures, as recommended by many industry experts.

  • Policy Enforcement: Can a person deliberately perform a dreadful act if she/he has just the right access? Excerpts from Wikipedia: “With the concept of Segregation of Duties, business critical duties can be categorized into four types of functions: authorization, custody, record keeping, and reconciliation. In a perfect system, no one person should handle more than one type of function”. This gives me confidence that the chances of a single person being a threat go down drastically if the access policy is defined and enforced properly.
  • Certification: Let us assume that at one point in time every person in the organization has just the right access to the resources needed to perform their work; can this status be maintained in the current business scenario, where delegation of tasks is a day-to-day phenomenon? Probably not, because managing changes in user access across the organization, like granting entitlements, revoking access, and setting permissions for a new role, is complicated for many organizations. Periodic review of entitlements not only provides insight into who has what access, but also helps fine-tune the access policy. The policy is tuned so that fewer exceptions occur in the system in future.
  • Role Lifecycle Management: In large organizations entitlements can run into tens of thousands, and quarterly or biannual certification of entitlements could give managers nightmares. The number of roles in an organization is much smaller than the number of entitlements, so defining roles and clubbing entitlements into business roles makes more sense. Certifying roles rather than entitlements is less time-consuming.
  • Violation Report: Having a dashboard with application-specific reports, like orphan accounts in a system and roles violating separation of duties, will empower application owners to view and remediate policy violations.

To counter access risk, organizations need to reassess their processes to assign system resources and privileges to users, and adopt a complementary solution that addresses end-to-end access certification process across the organization.

The Access Governance Platform has emerged as a solution which covers the above-mentioned preventive measures. With an Access Governance Platform, organizations can tackle access risk more efficiently through a process that automates manual tasks and enforces responsibility. The platform provides auditable evidence of compliance and creates an effective process for access delivery across the organization.

An access governance platform collects data from various sources like a central directory server, identity and access systems, applications, files and folders, etc. The collected raw data is transformed through aggregation and correlation to make it concise.

The diagram below shows data and processes in an access governance platform.

An access governance platform provides dashboards for various categories of users (user, supervisor, admin, auditor, etc.) and an interface to perform certification, send reminders, change the certification plan, define policy, raise requests for access/resources, and take action on policy violations. In a nutshell, an access governance platform:

  • Automates the validation of user entitlements and roles, certification, monitoring, reporting and remediation
  • Gives enterprise-wide insight into user access and determines if the access is appropriate and compliant with policies
  • Facilitates complete lifecycle management for roles: Creation (using bottom up role mining), validation and enhancement.
  • Allows automation of managing access requests and changes
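The two checks the post describes above, segregation-of-duties violations across the four function types (authorization, custody, record keeping, reconciliation) and orphan accounts, plus the role-versus-entitlement certification workload argument from the Role Lifecycle Management bullet, as an added worked example. This is not code from the post or from any access governance product; the entitlement catalogue, roles, directory and application accounts are all constructed sample data.

```python
"""Toy access-governance checks over constructed sample data:
SoD violations, orphan accounts and certification workload by role vs entitlement."""
from collections import defaultdict

# The four function types from the SoD definition quoted in the post.
FUNCTIONS = ("authorization", "custody", "record_keeping", "reconciliation")

# Constructed entitlement catalogue: entitlement -> SoD function it exercises
# (None means the entitlement is not a business-critical function, e.g. read-only).
ENTITLEMENTS = {
    "erp.po_approve": "authorization",
    "erp.vendor_pay": "custody",
    "erp.gl_post": "record_keeping",
    "erp.bank_reconcile": "reconciliation",
    "erp.report_view": None,
    "hr.payroll_run": "custody",
}

# Constructed business roles bundling entitlements (bottom-up role mining output).
ROLES = {
    "AP_Approver": {"erp.po_approve", "erp.report_view"},
    "AP_Clerk": {"erp.vendor_pay", "erp.report_view"},
    "GL_Accountant": {"erp.gl_post", "erp.report_view"},
    "Treasury": {"erp.bank_reconcile"},
    "Payroll_Admin": {"hr.payroll_run"},
}

# Constructed central directory (source of truth for who still works here)
# and per-application account extracts collected by the platform.
DIRECTORY_USERS = {"alice", "bob", "carol"}
APP_ACCOUNTS = {
    "erp": {"alice", "bob", "carol", "dsmith"},   # dsmith has left: orphan account
    "hr": {"alice", "carol"},
}

# Constructed role assignments aggregated from the application extracts.
USER_ROLES = {
    "alice": {"AP_Approver", "GL_Accountant"},
    "bob": {"AP_Clerk"},
    "carol": {"Treasury", "Payroll_Admin"},
}


def effective_entitlements(user):
    """Correlate a user's roles into the flat set of entitlements they hold."""
    ents = set()
    for role in USER_ROLES.get(user, ()):
        ents |= ROLES[role]
    return ents


def sod_violations():
    """Return {user: {function: [entitlements]}} for every user who holds
    entitlements in more than one SoD function type."""
    violations = {}
    for user in USER_ROLES:
        by_function = defaultdict(list)
        for ent in sorted(effective_entitlements(user)):
            function = ENTITLEMENTS[ent]
            if function is not None:
                by_function[function].append(ent)
        if len(by_function) > 1:
            violations[user] = dict(by_function)
    return violations


def orphan_accounts():
    """Accounts that exist in an application but have no owner in the directory."""
    return {app: sorted(accounts - DIRECTORY_USERS)
            for app, accounts in APP_ACCOUNTS.items()
            if accounts - DIRECTORY_USERS}


def certification_items(by_role=True):
    """Number of items a manager must review: role assignments vs flat entitlements."""
    if by_role:
        return sum(len(roles) for roles in USER_ROLES.values())
    return sum(len(effective_entitlements(user)) for user in USER_ROLES)


if __name__ == "__main__":
    print("SoD violations:", sod_violations())
    print("Orphan accounts:", orphan_accounts())
    print("Certify by role:", certification_items(True),
          "| by entitlement:", certification_items(False))
```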

However, with a large volume of access change requests on a daily basis, can an access governance platform keep pace with the needs of the business and compliance? Current products in the market provide the flexibility to adopt a centralized yet local deployment architecture. An organization may not be mature enough to leverage the entire functionality in one go. For example, to start with, an organization may choose to deploy only the compliance part for some applications; later the deployment can be extended to cover other applications and role management aspects. The deployment approach and the participation of users define the success of an access governance solution deployment.

I would like to hear your thoughts!

Addressing Phishing Risk

Phishing and Social Engineering have been a growing concern. The latest Phishing Activity Trends Report for Q4 2009 from the Anti-Phishing Working Group (APWG) shows alarming figures of increasingly sophisticated phishing attacks. As per the report, the financial services industry again topped all targeted sectors in Q4.

Anti-Phishing Working Group (APWG) Chairman Dave Jevans said, “Spear‐phishing and whalephishing, where targeted individuals inside of corporations, or of high net worth, appeared to be increasing. Phishers and malware attackers are sending emails to individuals in a highly targeted fashion, attempting to gain access to corporate online banking systems, corporate VPN networks, and other online resources.”

Consider this scenario: An organization has perimeter security configured. Multiple detective controls like IDS, IPS, firewall, etc. are deployed. Still, an employee gets an email with an embedded link which points to a malicious website. Once lured to this website, the unwitting employee is exposed to an array of risks.

One such risk is that crimeware (designed with the intent of collecting end-user information in order to steal credentials) or malware is downloaded and installed on the local system without the user’s consent. Once installed, it may allow scammers to compromise other network systems, steal sensitive information, create backdoors inside the corporate network, etc. Another significant risk is where the website attempts to sway the recipient into revealing personal information or credentials for online corporate applications. Such mails are often made to appear as coming from a trusted source like HR, the IT department or outsourcing partners, and use legitimate layout, graphics, links and content to look like the original website.

Most of the time, it is very difficult to determine the source of a phishing attack, because a well-orchestrated phishing attack understands the weak links in People, Process and Technology inside an organization in order to succeed. Most worrying, there are no quick, magical tools which can help you mitigate phishing risks overnight. So how would you address the Phishing Risk?

Organizations can adapt the Deming Cycle [Plan-Do-Check-Act] to counter phishing attacks, and the approach improves over a period of time. Steps to follow:

  1. Understand the current level of preparedness of employees and define a strategy to address the gap [Plan]
  2. Implement policies, procedures and an incident response plan to guide employees on “How to identify phishing websites” and “What to do” when phishing attacks actually occur [Do]
  3. Conduct drills periodically to check the readiness of employees against phishing attacks and determine who is vulnerable [Check]
  4. Provide awareness training to vulnerable users, and regularly update employees on new threats and techniques used by phishers through all available means of communication [Act]

In summary, the message is very clear: the key to protecting oneself is continuous education and awareness. Organizations should start working towards employee education as the best cure.

Is your organization ready to fight against Phishing Risks?

Security by the Wall

Organizations have started to invest heavily in technology to help them scale their business. People are now aware of the security issues that they are going to face and want to take preventive steps.

I recently had an interesting experience in my interaction with a prospect. I was at the prospect’s place to understand their needs and explain to them how to manage and improve security. As we started the conversation, I realized their basic misconception about improving security.


Read the excerpts from our conversation,

Mr. X: Ah well we need a firewall.

Mr. X: Well we want more security. We have a couple of internet-facing applications and are creating more DMZs, you see.


Me: But as per your network diagram you already have a firewall protecting your perimeter.


Mr. X: Yes, that is there, but we want to replace that coz it is no more supported version and want to add a few more.


Me: We will have to do a review of your network before we can exactly determine how many firewalls you will need.


Mr. X: Ah well you see time is a factor and I want this to happen quickly before our auditors come next month. I need to show them something. We will share with you the network diagram, and why don’t you have a look and recommend us by end of day.


Me: Yeah sure we will try to do that. But security is not always about adding devices to your network. You also need to periodically review your servers, firewalls, network devices and applications to ensure that they don’t have vulnerabilities that could be exploited by a potential hacker. Also it is a fact that 90% of the vulnerabilities are now discovered at the application level.


Mr. X: Well for the time being we are looking at firewalls, maybe you can recommend, …… (after a pause and deep thought) IDS.



The point that I want to make is that adding perimeter security devices alone will not help improve security. And why replace a device which is working perfectly fine unless you have performance issues with it or want to use the features offered by the newer versions? The other advantage of retaining the old device is that all the vulnerabilities in that device are already exposed and you have patches, solutions or workarounds readily available to fix them. Attackers will not continue to look for loopholes in older devices; rather, they spend their time finding loopholes in the newer ones. It is safer to be around a known enemy than to try to befriend an unknown one.



In order to manage risks effectively you need to constantly review your policies, risk management methodology, systems and applications. This will ensure that the dynamics of day-to-day business do not leave loopholes open for an intruder to just walk into your systems or network.

Aujas completes 2 years of successful operations

It gives us immense pleasure to inform you that Aujas successfully completes its second year of operations in February 2010.

The last 2 years have been a very interesting journey for us in a challenging economic environment marked by several ups and downs. Despite these circumstances, Aujas has managed to grow consistently.

A quick look back at the past 2 years highlights our commitment and focus to the Information Risk Management domain. Today we have grown to 55 employees with 70 customers from across 9 countries delivering over 100 projects with an active presence in 3 continents. We have added new services, repositioned our existing services and strengthened our team.

It is gratifying that our customers have seen immense value in what we have delivered and most customers have come back to us, reaffirming their trust in us.

As we commence our third year, we will add more services to our Information Risk services portfolio and continue our expansion into international markets.

We would like to thank our customers, employees, partners, management team, Board and Advisory Board members for their continued support in scaling Aujas.

Warm Regards,
M Srinivas Rao
Co-Founder & CEO

Aujas @ CIO Year Ahead | 2010

We are just back from the “CIO – The Year Ahead” event organized by IDG Media. The event is a premier forward-looking annual event for CIOs in India. There were about 90 CIOs and IT Heads there to examine technology trends for the coming year.

The last CIO event was held in Singapore, but this time it was held in India – at the beautiful locale of Royal Palms, Bangalore. A very nice place, and add to it the beautiful Bangalore weather. Maybe that explained the high turnout for the event by senior folks from the IT industry?

The keynote session was from Mr. B. S. Nagesh, MD of Shoppers Stop. It was probably the best presentation of the event. He spoke more from his heart than his head – challenging the present CIO’s on their next role in the organization.

As with all events there were a lot of sessions from industry folks and large technology companies – some good, some not so good. The recurrent theme was around SaaS, Cloud computing and virtualization. Reality or too much hype?

Aujas was one of the knowledge partners for the Security session. Sameer Shelke, co-founder & COO talked about “IT Risk Management – As the Economy Revives”.

He spoke about how organizations, when the economy revives, will start investing in new markets, employee growth and productivity.  But along with planning for growth, companies need to seriously look at the key Information Risk as we plan for more growth. If this down-turn hopefully taught us anything, it would be to look at Risk a little more critically.

You can find a copy of his presentation online at http://www.aujas.com/presentations.html. Feel free to download the same and if you need any more information do drop a mail at contact@aujas.com.

It was a great event. Some of the discussions around lunch and dinner were obviously more interesting than some of the presentations on the stage. Thanks to all the CIOs for making it an interesting event. Thanks also to the IDG Media team for organizing a great event. We look forward to the next one.

The Long Tail of Security

Background

“The Long Tail” is a concept put forth by Chris Anderson which described the niche strategy of businesses, such as Amazon.com or Netflix, which sell a large number of unique items, each in relatively small quantities. Anderson elaborated the Long Tail concept in his book The Long Tail: Why the Future of Business Is Selling Less of More.



Anderson argued that products that are in low demand or have low sales volume can collectively make up a market share that rivals or exceeds the relatively few current bestsellers and blockbusters, if the store or distribution channel is large enough. Research showed that a significant portion of Amazon.com’s sales come from obscure books that are not available in brick-and-mortar stores. The Long Tail is a potential market and, as the examples illustrate, the distribution and sales channel opportunities created by the Internet often enable businesses to tap that market successfully.



Application to Security

In the Risk management or security world we focus on the “head”, which is the common or major risks we face or hear that others have faced. Needless to say, all our protection efforts and postures are deployed to protect against the “head risks”, and rightly so. For example, when we decide to put up some applications or services on the Internet, we ensure we protect the application against risks such as the OWASP Top 10 vulnerabilities, malware, infrastructure security, etc. Content security aspects such as spam filtering, antivirus, etc. become “head risks” when we talk of email systems.


Time and again we are faced with risks which lie in the “long tail”, which we have not thought of or heard of. For example, terrorists hacked into the home WiFi network of Keith Heywood in Mumbai and sent out an email about their impending attack minutes before 19 explosions killed 49 and wounded more than 200 people in Ahmedabad. Since then, WiFi access point security has got attention all across, with the Mumbai Police now planning to test open WiFi access points across the city and issue notices and citations to users found running open WiFi access points. Suddenly WiFi access point security has moved from the “long tail” to the “head”, with everyone talking about it and taking appropriate protection measures.


The question which challenges us is whether we will face a situation where it is said that “We got attacked more today using vulnerabilities which were not exploited at all until yesterday than using those which were exploited until yesterday”, just like what Amazon said about the Long Tail.


Sounds complex, doesn’t it? Well, we are already facing this issue: “How do we protect ourselves against those seemingly obscure risks which might suddenly become important?”

The answer is not simple, and its implementation is possibly more difficult. What is required is a comprehensive Risk management framework which would help us identify our assets, their weaknesses, the probability of attacks and hence the risk. We should also consider the current security posture we have and then the residual risk. What is critical is that this framework needs to be “live” and “in use” all the time; doing it once won’t help. This should be part of the normal business function, which would help us identify new or modified risks all the time.

We can never say we are 100% safe and protected, what we owe to ourselves and our business is doing all we can to protect our information technology assets.


Our Psychology and Security: The way we think

Annual Conference of ISACA (Information Systems Audit and Control Association), Mumbai Chapter was held at ITC Grand Maratha on 4th-6th September 2009. The theme for this year was “Success in the Challenging Times: Securing the Unsecured – Assurance beyond Audit.”

The conference featured executives from several leading public and private organizations for panel discussions and presentations. Sameer Shelke, co-founder & COO, represented Aujas and delivered a presentation on Our Psychology & Security: The Way We Think at the annual conference.

In his talk Sameer stressed the thought process of people in dealing with IT risks. He drew an analogy with the various reactions to the H1N1 epidemic, specifically those of people and the media to this “risk”.

The presentation highlighted the top 6 security weaknesses companies have and the reasons for them. His examples sent a clear message that people should correct and change their behavioral aspects to improve the IT risk and security posture of the organizations they work for.

The industry patrons applauded Sameer for his remarkable and meaningful presentation. “Sameer’s presentation was practically related with out of the box approach”, said Richard DeSouza, Head Operational Risk of Reliance Life Insurance Limited.

To download a copy of Sameer’s presentation please click on http://www.aujas.com/presentations.html

Aujas achieves Indian Computer Emergency Response Team’s (CERT-In) Empanelment


We are pleased to announce that Aujas has achieved the Indian Computer Emergency Response Team’s (CERT-In) empanelment as an IT Security Audit Organization. This empanelment is another milestone in our journey to build a global company out of India, and we are proud to have achieved it within 18 months of our operations.

The Indian Computer Emergency Response Team, CERT-In (www.cert-in.org.in), is a national initiative to tackle emerging challenges in the area of Information Security and country-level security risks and vulnerabilities. CERT-In is coordinated by the Department of Information Technology, Ministry of Communications and Information Technology, Government of India, in cooperation with several agencies in government, academia and industry.

CERT-In Empanelment process:

CERT-In empanelment is a tough process and involves various procedures such as providing information, methodologies, case studies, skills and profiles. It also includes a 2-stage qualifying test – an offline and an online test to assess applications in both the offline and the web environment. The selection process includes various challenges in identifying, exploiting and reporting vulnerabilities. The report is reviewed by a panel of security experts, and then the empanelment is awarded.

For more details about the empanelment, visit: http://www.aujas.com/press_cert.html

We are happy to be amongst the list of empanelled organizations and look forward to working with various government and PSU entities.

Regards

Team Aujas